Application Centric Infrastructure (ACI)
TRANSCRIPT
Ross Adams, Systems Engineer
May 4, 2016
Network View of the World
The OSI stack: Application, Presentation, Session, Transport, Network, Datalink, Physical

Most other people’s….
API, Default Gateway
Service Insertion in Traditional Networks
How we do things today….
1. Configure Firewall Rules as Required by the Application
2. Configure Network to Insert Firewall
3. Configure Firewall Network Parameters
4. Configure Load Balancer as Required by the Application
5. Configure Load Balancer Network Parameters
6. Configure Router to Steer Traffic to/from Load Balancer
• Service insertion takes days
• Network configuration is time consuming and error prone
• Difficult to track configuration on services
• Compliance Risk (left-behind ACLs)
(Diagram: Server, vFW, Switch, Router, FW, Router and LB chained in the traffic path)
“On-Boarding” Applications is Still Slow
(Diagram: a Web Tier / App Tier / DB Tier application, each tier built from physical and virtual servers plus firewalls, application delivery controllers, intrusion detection, a web security appliance, a web cache and storage, judged on Performance, Security, Availability and Scale; every tier involves the Application Team and the Compute, Storage, Network and Security Teams of the IT Organization)

Network Automation
Automating the Data Center Network: Cisco’s DC SDN Strategy
• Programmable Network: open programmable NX-OS
• Programmable Fabric: open standards (BGP EVPN)
• Cisco ACI: open policy API, multi-cloud ecosystem
Cisco Application Centric Infrastructure: The Most Comprehensive SDN Solution
• A SINGLE architecture to deliver performance, programmability, agility and Reduced Complexity
• An Application Centric Policy Model that dynamically defines the network fabric by means of the application requirements
• An AUTOMATED network fabric for virtual AND bare-metal workloads and services (hypervisor agnostic, container ready, etc.)
• Enterprise Scale and Performance requires hardware acceleration
Understanding ACI Building Blocks

ACI Fabric
ACI Building Blocks: Next Generation Nexus — Traditional Networks
• Controller (APIC): open RESTful APIs, centralized policy model, open source
• Policy model: ACI
• NX-OS on Nexus 9000: 50% simpler code base; future proof, upgradable to ACI; programmability and automation; network virtualization support; resiliency (in-service patching, upgrade, fast restart)

ACI Building Blocks: Future Proof — Software Upgradable to ACI
Nexus 9500 and 9300: innovations in software, hardware and system design, covering price, power efficiency, programmability, port density and performance
Physical Spine & Leaf Topology: IP Fabric with integrated overlay
• 40G IP fabric supporting routing to the edge (100G capable)
• Scale to 6 spines, 200 leafs, 10k physical servers *
• Automated power-on provisioning to boot leaf and spine nodes
* https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/verified-scalability/b_Verified_Scalability_1_3_x.html
IS-IS Fabric Infrastructure Routing
• Fabric leverages IS-IS for infrastructure topology routing
• Advertises loopback and VTEP addresses
• Responsible for generating the multicast trees in the fabric
• IS-IS tuned for a densely connected fabric: IS-IS Level 1, LSPs carried over IP unnumbered links

Logical Topology
IP Fabric with integrated overlay (ACI Spine Nodes and ACI Leaf Nodes)
• Integrated VXLAN routing and bridging
• Logical topologies are decoupled from the physical topology
• Distributed GW routing
• Standard bridging and routing without location constraints (any IP address anywhere)
• Removal of flooding requirements for IP control plane (ARP/GARP)
• Multi Tenant support for overlapping addresses
ACI Fabric Load-Balancing: Focus on the Application Response Time
• ACI Fabric tracks the congestion along the full path between the ingress leaf and the egress leaf through the data plane, using real-time measurements
• Fabric load-balances traffic on a ‘flowlet’ basis
• Fabric prioritizes small (and early) flowlets
Application Policy Infrastructure Controller
(Diagram: APIC pushes policies through its API to the Spine and Leaf nodes)
• Distributed policy enforcement
• Just-in-time resolution
• Performed by embedded policy enforcement agents (PEs) on the switches

Implementing Policy
What is an Application? More than just a VM
Interconnected components: a web tier (VMs), an app tier (VMs) and a db tier (databases), reached from the internet and from an external private network.
How do we define the network for the application?
How do we define the network for the application? (web, app, db)
• End Point Group (or VMware Port Group): a collection of end-points connecting to the network
• Policy (Access Control, QoS, L4 – L7 Services): a set of network requirements specifying how application components communicate with each other
• The Outside: rules of how the application communicates to the external private or public networks
• Application Network Profile: application-centric network policy; application level metadata that describes the application’s infrastructure dependencies
ACI Application Network Profile (ANP): Policy-Based Fabric Management
• Application Network Profile: stateless definition of application requirements
  Application tiers, zones
  Connectivity policies
  Layer 4 – 7 services
  XML/JSON schema
• Fully abstracted from the infrastructure implementation
  Removes dependencies on the infrastructure
  Portable across different data center fabrics

App Network Profile: Defines Application Level Metadata (Pseudo Code Example)
    <Network-Profile = Production_Web>
      <App-Tier = Web>
        <Connected-To = Application_Client>
        <Connection-Policy = Secure_Firewall_External>
        <Connected-To = Application_Tier>
        <Connection-Policy = Secure_Firewall_Internal & High_Priority>
        . . .
      <App-Tier = DataBase>
        <Connected-To = Storage>
        <Connection-Policy = NFS_TCP & High_BW_Low_Latency>
        . . .

(Diagram: an Application made of a Web Tier, App Tier and DB Tier, the DB Tier attached to Storage)
The network profile fully describes the application connectivity requirements
ACI End-Point Group (EPG)
(Diagram: EPG - Web containing several HTTP Service and HTTPS Service end-points)
EPGs are a grouping of end-points representing applications or application components, independent of other network constructs.
EPGs, Subnets and Policy
EPGs separate the addressing of an application from its mapping and policy enforcement on the network.
(Diagram: EPG Web contains HTTP and HTTPS services spread across 10.10.10.x and 10.10.11.x)
Policy/security enforcement occurs at the EPG level, not per subnet.
ACI Network Logical Constructs
Tenant > VRF (Context) > Bridge Domain > EPG
• A tenant can have a single or multiple VRFs or Contexts
• Each VRF can have a single or multiple Bridge Domains (BD)
• An End Point Group (EPG) is associated with a Bridge Domain and, through that BD, belongs to a VRF
• Forwarding policies rendered by the network reference an EPG’s associated BD and VRF/Context
ACI Network Logical Constructs and IP Addressing
• Bridge-Domains support multiple subnets (diagram: one BD carrying the 192.168.0.0/16, 10.10.0.0/16 and 10.0.0.0/16 subnets)
• Address blocks do not need to be divided into per rack, per pod ranges
• Per Bridge-Domain support for flooding behavior: non-IP traffic, broadcast based applications (flooding is allowed only on the BD that needs it)
ACI End Point Group Contracts
(Diagram: EPG WEB is the consumer and EPG APP SERVER the provider of a contract made of subjects; each subject pairs filters with actions)
• Rules and policies are specified on groups of physical or virtual end-points without knowledge of specific identifiers and regardless of physical location
• Filter: subject classifiers that the actions apply to (L4 port ranges, TCP options, …)
• Action: what is applied to the subject (QoS, Log, Redirect into a service graph, …)
• End points in EPG WEB can access end-points in EPG APP SERVER according to the rules specified in the contract
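The contract model on this slide, together with the Application Network Profile pseudo code on the earlier slide, as an added example that is not part of the presentation and is not Cisco code: a tenant with one VRF, one bridge domain, three EPGs and two contracts is expressed as the nested JSON an APIC REST call accepts, and a small evaluator applies the white-list rule the fabric enforces (no matching consumed/provided contract means drop). Assumed rather than taken from the slides: the managed-object class names (fvTenant, fvCtx, fvBD, fvSubnet, fvAp, fvAEPg, vzFilter, vzEntry, vzBrCP, vzSubj) and relation names (fvRsCtx, fvRsBd, fvRsProv, fvRsCons, vzRsSubjFiltAtt) follow the public APIC object model; the tenant, EPG, filter and port values are constructed.

```python
"""Added example: ACI tenant policy as APIC-style JSON plus a white-list
evaluator. Class and relation names are assumed to match the APIC object
model; all tenant/EPG/port values are constructed for the example."""
import json


def mo(cls, children=None, **attrs):
    """One managed object in APIC JSON form:
    {"<class>": {"attributes": {...}, "children": [...]}}."""
    body = {"attributes": dict(attrs)}
    if children:
        body["children"] = list(children)
    return {cls: body}


def build_tenant(name="PetStore"):
    """Tenant -> VRF -> Bridge Domain, one Application Profile with three
    EPGs, and two contracts: web consumes what app provides, app consumes
    what db provides. There is deliberately no web -> db contract."""
    filters = [
        mo("vzFilter", [mo("vzEntry", name="app-8080", etherT="ip", prot="tcp",
                           dFromPort="8080", dToPort="8080")], name="web-to-app"),
        mo("vzFilter", [mo("vzEntry", name="mysql", etherT="ip", prot="tcp",
                           dFromPort="3306", dToPort="3306")], name="app-to-db"),
    ]
    contracts = [
        mo("vzBrCP", [mo("vzSubj", [mo("vzRsSubjFiltAtt", tnVzFilterName="web-to-app")],
                         name="s1")], name="c-web-app"),
        mo("vzBrCP", [mo("vzSubj", [mo("vzRsSubjFiltAtt", tnVzFilterName="app-to-db")],
                         name="s1")], name="c-app-db"),
    ]

    def epg(n, provides=(), consumes=()):
        kids = [mo("fvRsBd", tnFvBDName="bd1")]
        kids += [mo("fvRsProv", tnVzBrCPName=c) for c in provides]
        kids += [mo("fvRsCons", tnVzBrCPName=c) for c in consumes]
        return mo("fvAEPg", kids, name=n)

    ap = mo("fvAp", [epg("web", consumes=["c-web-app"]),
                     epg("app", provides=["c-web-app"], consumes=["c-app-db"]),
                     epg("db", provides=["c-app-db"])], name="petstore")
    bd = mo("fvBD", [mo("fvRsCtx", tnFvCtxName="vrf1"),
                     mo("fvSubnet", ip="10.10.10.1/24")], name="bd1")
    return mo("fvTenant", [mo("fvCtx", name="vrf1"), bd, ap, *filters, *contracts], name=name)


def to_json(tenant):
    """Request body for posting the tenant to the APIC (endpoint assumed)."""
    return json.dumps(tenant, indent=2)


def _walk(obj):
    """Yield (class, attributes, children) for every MO in the tree."""
    for cls, body in obj.items():
        kids = body.get("children", [])
        yield cls, body["attributes"], kids
        for kid in kids:
            yield from _walk(kid)


def _rel(kids, cls, attr):
    """Set of target names of relation objects of class `cls` among `kids`."""
    return {k[cls]["attributes"][attr] for k in kids if cls in k}


def index_policy(tenant):
    """Flatten the tree into filters, contracts and per-EPG provided/consumed sets."""
    filters, contracts, epgs = {}, {}, {}
    for cls, attrs, kids in _walk(tenant):
        if cls == "vzFilter":
            filters[attrs["name"]] = [k["vzEntry"]["attributes"] for k in kids if "vzEntry" in k]
        elif cls == "vzBrCP":
            contracts[attrs["name"]] = set()
            for subj in kids:
                if "vzSubj" in subj:
                    contracts[attrs["name"]] |= _rel(subj["vzSubj"].get("children", []),
                                                     "vzRsSubjFiltAtt", "tnVzFilterName")
        elif cls == "fvAEPg":
            epgs[attrs["name"]] = {"prov": _rel(kids, "fvRsProv", "tnVzBrCPName"),
                                   "cons": _rel(kids, "fvRsCons", "tnVzBrCPName")}
    return filters, contracts, epgs


def _port(value, default):
    return default if value in (None, "unspecified") else int(value)


def _entry_matches(entry, proto, dport):
    if entry.get("prot", "unspecified") not in ("unspecified", proto):
        return False
    return _port(entry.get("dFromPort"), 0) <= dport <= _port(entry.get("dToPort"), 65535)


def permitted(tenant, src_epg, dst_epg, proto, dport):
    """White-list decision in the consumer -> provider direction: allowed only
    if src consumes and dst provides a contract whose filters match the flow;
    otherwise drop. Traffic inside one EPG is permitted by default (intra-EPG
    isolation is not modelled here)."""
    if src_epg == dst_epg:
        return True
    filters, contracts, epgs = index_policy(tenant)
    shared = epgs[src_epg]["cons"] & epgs[dst_epg]["prov"]
    return any(_entry_matches(entry, proto, dport)
               for c in shared for f in contracts[c] for entry in filters[f])
```

The evaluator only models the consumer-to-provider direction; on a real fabric the contract also installs the reverse-port rules for return traffic, and a flow such as web to db is dropped simply because no contract joins those two EPGs, which is the zero-trust default the deck refers to later.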
Extending Policy & Automation to L4-L7 Devices
Application Centric Infrastructure Building Blocks: Controller, Policy Model, Nexus 9300 and 9500, Application Network Profile
(Diagram: a traditional 3-tier application, FW – ADC – WEB – ACC – APP – DB, with physical and virtual L4-L7 devices; policy is extended to L4-L7)
• Application: 3 tier application (WEB-APP-DB); this may use ADC and FW services
• End point Group (EPG): grouping of application components
• Application Policy model: defines QoS, Security, Network, L4-L7 etc. to be applied to an EPG
Scalable, Consistent Approach to ACI Integration: Solution Partner Device Package for Cisco ACI
• Cisco® Application Policy Infrastructure Controller (APIC) provides an extensible policy model through device packages
• The APIC administrator can import a partner device package
• A device package is an XML file defining the device configuration model and the parameters required for Layer 4-7 use cases, together with Python device scripts run by the APIC script engine through the APIC script interface
• After it has been imported, APIC can configure device functions and parameters
• Device scripts translate APIC and Cisco API™ callouts to device-specific callouts
OpFlex – A flexible, extensible policy protocol
OpFlex is a new extensible policy resolution protocol designed for declarative control of any datacenter infrastructure. OpFlex was designed to offer:
1. Abstract policies rather than device-specific configuration
2. Flexible, extensible definition of policy using XML / JSON
3. Support for any device – vswitch, physical switch, network services, servers, etc.
(Diagram: APIC at the top; OpFlex agents on hypervisor switches, firewalls and ADCs; an OpFlex proxy in front of devices that only expose a legacy API)
Policies: who can talk to whom, what about, topology control, ops stuff
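The declarative, just-in-time resolution the slide describes, as an added example that is not part of the presentation and is not any OpFlex implementation: a policy repository (the APIC role) and two policy elements (the leaf role) exchange JSON-RPC-shaped messages; an agent resolves policy for an EPG only when the first endpoint in that EPG attaches to it, caches the result, and later receives a policy_update only for objects it resolved. Assumed rather than taken from the slides: the method names endpoint_declare, policy_resolve and policy_update follow the OpFlex IETF draft, their parameter layout is simplified, and the EPG URIs, MAC addresses and contract names are constructed.

```python
"""Added example: simulated OpFlex-style exchange showing lazy policy
resolution and targeted policy_update pushes. Method names follow the
OpFlex draft; payload layout, URIs, MACs and contracts are assumed."""
import itertools

_ids = itertools.count(1)

WEB = "/tn-PetStore/ap-petstore/epg-web"   # constructed EPG URIs
APP = "/tn-PetStore/ap-petstore/epg-app"


def rpc(method, params):
    """JSON-RPC 2.0 request envelope."""
    return {"jsonrpc": "2.0", "id": next(_ids), "method": method, "params": params}


class PolicyRepository:
    """APIC role: authoritative abstract policy keyed by EPG URI, plus a record
    of which agents resolved each object so updates go only to them."""

    def __init__(self, policy):
        self.policy = dict(policy)
        self.subscribers = {}   # uri -> set of agent names
        self.log = []           # every request received or pushed

    def handle(self, agent, msg):
        self.log.append(msg)
        if msg["method"] == "endpoint_declare":
            return {"jsonrpc": "2.0", "id": msg["id"], "result": {}}
        if msg["method"] == "policy_resolve":
            uri = msg["params"]["policy_uri"]
            self.subscribers.setdefault(uri, set()).add(agent.name)
            return {"jsonrpc": "2.0", "id": msg["id"],
                    "result": {"policy": [{"uri": uri, "data": self.policy[uri]}]}}
        return {"jsonrpc": "2.0", "id": msg["id"],
                "error": {"code": -32601, "message": "unknown method"}}

    def update_policy(self, uri, new_policy, agents):
        """Declarative change: intent is changed once; only agents that resolved
        this object receive a policy_update. Returns the names pushed to."""
        self.policy[uri] = new_policy
        pushed = []
        for agent in agents:
            if agent.name in self.subscribers.get(uri, ()):
                msg = rpc("policy_update", {"replace": [{"uri": uri, "data": new_policy}]})
                self.log.append(msg)
                agent.handle(msg)
                pushed.append(agent.name)
        return pushed


class PolicyElement:
    """Leaf / vswitch role: declares endpoints and resolves policy lazily."""

    def __init__(self, name, repo):
        self.name, self.repo = name, repo
        self.cache = {}        # uri -> resolved policy
        self.endpoints = {}    # mac -> uri
        self.resolves = 0      # how many policy_resolve requests were sent

    def endpoint_declare(self, mac, epg_uri):
        self.repo.handle(self, rpc("endpoint_declare",
                                   {"endpoint": [{"mac": mac, "epg": epg_uri}]}))
        self.endpoints[mac] = epg_uri
        if epg_uri not in self.cache:   # just-in-time: first local endpoint in this EPG
            reply = self.repo.handle(self, rpc("policy_resolve", {"policy_uri": epg_uri}))
            self.cache[epg_uri] = reply["result"]["policy"][0]["data"]
            self.resolves += 1
        return self.cache[epg_uri]

    def handle(self, msg):
        if msg["method"] == "policy_update":
            for item in msg["params"]["replace"]:
                if item["uri"] in self.cache:
                    self.cache[item["uri"]] = item["data"]


def demo():
    """Two web endpoints on leaf1, one app endpoint on leaf2, then a change to
    the web EPG policy. Returns the objects so the effect can be inspected."""
    repo = PolicyRepository({WEB: {"consumes": ["c-web-app"], "provides": []},
                             APP: {"consumes": ["c-app-db"], "provides": ["c-web-app"]}})
    leaf1, leaf2 = PolicyElement("leaf1", repo), PolicyElement("leaf2", repo)
    leaf1.endpoint_declare("00:50:56:00:00:01", WEB)
    leaf1.endpoint_declare("00:50:56:00:00:02", WEB)   # cache hit, no second resolve
    leaf2.endpoint_declare("00:50:56:00:00:03", APP)
    pushed = repo.update_policy(WEB, {"consumes": ["c-web-app", "c-web-dns"], "provides": []},
                                [leaf1, leaf2])
    return repo, leaf1, leaf2, pushed


if __name__ == "__main__":
    repo, leaf1, leaf2, pushed = demo()
    print("resolves:", leaf1.resolves, leaf2.resolves, "update pushed to:", pushed)
```

The point to take from the simulation is the scaling property of the declarative model: the controller never renders device configuration, each leaf holds only the policy for EPGs it actually hosts, and a policy change fans out only to the subscribers of that object rather than to every switch in the fabric.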
Application Network Profiles (ANP) & ACI: how it works?
(Diagram: an App Profile for a WEB – ADC – APP – DB application with F/W and ADC services running across hypervisors; the profile carries the connectivity policy, security policies, QoS, storage and compute, application L4..7 services, and the SLA: QoS, Security, Load Balancing)
Application Awareness: Application-Level Visibility
• ACI Fabric provides the next generation of analytic capabilities
• Per application, tenants, and infrastructure: health scores, latency, atomic counters, resource consumption
• VXLAN per-hop visibility; physical and virtual as one
• Triggered events or queries
• Integrate with workload placement or migration
(Diagram: PetStore Dev on Leaf 1 and 2, Spine 1 – 3; PetStore Prod on Leaf 2 and 3, Spine 1 – 2; PetStore QA on Leaf 3 and 4, Spine 2 – 3; each tracked with atomic counters. A PetStore event triggers actions: no new hosts or VMs, evacuate hypervisors, re-balance clusters)

ACI Development
ACI Policy Extended to Docker Containers: Project Contiv Offers Open Source Docker Integration for APIC
Unified Policy Automation and Enforcement Across Physical, Virtual, and Containers
Container Management: Docker today; Kubernetes and Mesos in the future
Project Contiv
• Open source project for defining operational policies for container deployment
• Includes Docker networking plugin and APIC API integration
Solution Highlights
• ACI policies can be extended across physical, virtual machines, and Docker containers
• Open source Project Contiv can be used to integrate Docker containers with ACI
(Diagram: a Contiv Master with the Contiv APIC Plugin; an OVS Contiv Plugin on each Docker host / hypervisor)
ACI Multi-Site: Multi-Floor, Multi-Building, Cross Campus, Multiple Data Centers Over Distance
• Stretched Fabric: available now
• Multi-Site (with ACI Toolkit): Q4 CY 2015
• Policy Extended to WAN, Multi-Pod / Multi-Site: futures
Single management and policy domain across multiple fabric instances: consistent policy, application mobility, disaster recovery, application availability
(Diagram: SITE 1 Datacenter and SITE 2 Datacenter connected over an L3 network, each running a DB App and a Multisite App, kept in step by the ACI Toolkit)

Conclusion
A Network. Not a Network Emulation
• Simplified, Single Architecture performing both overlay and underlay functions
• Provides benefits of SDN + Policy without the complexity of a separate overlay and underlay
• Reduces Complexity and adds operational simplicity
• Distributed fabric Intelligence reduces engineering
• Pre-Architected, Pre-Validated, Pre-Hardened
• Optimal Traffic forwarding: Location Independent Forwarding, Congestion Monitoring, Flowlet Switching, Fabric Load Balancing, Anycast Gateway
• Full Real-time Visibility: Tenant Level, Network Level, Application Level, Atomic Counters
Full Visibility of Overlay and Underlay for telemetry and troubleshooting
Penalty Free, Low Latency Fabric: Scale Out Performance
• Penalty Free, Low Latency network fabric
• <5 microsecond Latency port to port
• Inherent Line-rate stateless firewall
• Line-rate L2/L3 services implemented at the leaf
• Line-rate VXLAN integrated overlay
• 128,000 Endpoints Supported
• 6000 Physical Servers Supported
• Declarative Policy Model is highly scalable compared to imperative SDN Models
• Spine – Leaf penalty free fabric
Enterprise Class network performance and scale built on integrated software and hardware
Simple, Scalable and Fast: Common Policy Model
• Abstracted Policy model based on application requirements
• Declarative model based on the scalable control of intelligent objects
• Infrastructure operates as a single system providing specific connectivity and services based on Application definitions
• Allows application developers to succinctly and easily describe Infrastructure as Code
• Policy allows Infrastructure and Dev Teams to use a common requirements language to accelerate application deployment
• Every Software and Hardware component is a programmatic object
• Policy integration northbound with automation toolsets (e.g. OpenStack) and southbound with 3rd party network services vendors (e.g. F5)
(Diagram: an Application Network Profile of EPGs for DB, APP and WEB with ADC and F/W services, joined by contracts)
Software Defined Infrastructure based on the Application Requirements
Not Everything is Virtual: Physical and Virtual
• A Single Fabric that seamlessly supports both Virtual and Physical Workloads
• No requirement for dedicated Gateways to integrate physical and virtual worlds
• Expressive Policy Model that provides complete Automation for Virtual and Physical L4-L7 services (Cisco and 3rd Party)
• Consistent policy enforcement across all workloads, whether virtual or physical
• Agnostic to Hypervisor (ESX, Hyper-V, KVM, LXC)
• Agnostic to Host Based encapsulation (VXLAN, NVGRE, VLAN…)
ACI does not differentiate between the virtual and the physical, providing consistent policy and performance
Full Infrastructure Visibility: Application Visibility and Health Score
• Single point of truth
• Health scores per application/tenant
• Application centric telemetry
• Self documenting network Fabric
• Real-time hop-by-hop visibility and telemetry
• Detailed information about the performance of individual endpoint groups and tenants
• Latency, packet drops, and traffic paths, which can be sliced at the group or tenant level
• Full workload discovery and mobility
• Availability & performance business reporting
• Closed loop application performance feedback for development and production environments
Full Visibility of Overlay and Underlay for telemetry and troubleshooting
(Diagram: per-tenant panels showing Latency, Isolation, Systems Telemetry with 25 packets dropped versus 0 packets dropped, and the resulting Health Score)
Ubiquitous Security: Secure Workload Placement
• The entire ACI fabric is a firewall
• ACI offers the ability to integrate with many firewall vendors for more advanced inspection and filtering
• White List forwarding policy model (zero trust architecture)
• Simplifies complex and hard to manage firewall rule sets
• Automated Security Policy and Compliance
• Inherent Multi-Tenancy at scale
• Self Documenting Network
• Policy-based compliance with industry regulations (e.g. PCI, HIPAA)
• Deep visibility and accelerated threat response based on real-time and forensic network intelligence
• Security Policy extends to non-virtual workloads such as Databases, Mainframe, Unix systems, and auto-scale clusters such as Hadoop
Single network fabric providing full visibility increases security threat detection and reduces response time
Single API – Single Point of Control: Full Network Automation
• APIC manages the network as a single entity
• RBAC for infrastructure and architecture teams
• Fully published Policy and Object model through the northbound REST API
• Consume ACI with any cloud management platform (e.g. UCSD, OpenStack, etc.)
• Simple management through the APIC UI including Policy Definition, Service Chaining, Telemetry and Application Health Scores
• Zero Touch Fabric Automation including Power on Auto-provisioning and cable plan enforcement
• Automates Common practices such as upgrades and configuration
• Automate third party network services using OpFlex or Device packages
Single API for Network Policy, Network Services, Physical and Virtual Workloads
OPEN and AGNOSTIC: Open Architecture
• Open RESTful API Northbound
• Open OpFlex Protocol Southbound (IETF Proposal)
• Any Hypervisor; Any Cloud Management Platform
• OpFlex transfers abstract policy between APIC and any device (hypervisor switches, physical switches, and Layer 4 through 7 network services)
• OpFlex allows vendors to innovate and expose new features in their platforms to controllers
• 3rd Party Device Packages allow integration with any vendor
• ACI Published SDK
• GitHub Repository for rich collaboration
Open Ecosystem Framework: Full-Featured, Programmable API and Data Model
Object-oriented, centralized automation, RESTful XML / JSON
Comprehensive programmability and system access
• Northbound API: rapid integration with existing management frameworks (OpenStack); tenant- and application-aware
• Southbound API: published data model; open source; enables application portability
(Diagram: System Management, Hypervisor Management, Automation Tools and Orchestration Frameworks all consuming the APIC API)