techadvantage webinar - closer look into dynamic fabric automation (dfa)

1 © 2013 Cisco and/or its affiliates. All rights reserved.

Cisco TechAdvantage Webinars Closer Look into Dynamic Fabric Automation (DFA) Patrick Warichet

Follow us @GetYourBuildOn

We’ll get started a few minutes past the top of the hour.

Note: you may not hear any audio until we get started.

© 2013 Cisco and/or its affiliates. All rights reserved. 2

•  Submit questions in Q&A panel and send to “All Panelists” Avoid CHAT window for better access to panelists

•  Please complete the post-event survey

•  For WebEx audio, select COMMUNICATE > Join Audio Broadcast

•  Where can I get the presentation? Or send email to: [email protected]

•  Join us for upcoming TechAdvantage Webinars: www.cisco.com/go/techadvantage

•  For WebEx call back, click ALLOW phone button at the bottom of participants side panel


Panelists Speaker

Patrick Warichet Technical Marketing Engineer

[email protected]

John Ng

Product Manager [email protected]

Sudhir Modali Product Manager

[email protected]

Vipul Shah Product Manager

[email protected]


•  DC Networks from the very small to the very large

•  Environments with Virtual and Non-Virtual workloads

•  Looking to integrate with 3rd party Orchestration Tools

•  Seeking Flexibility on Workload Placement Any Application - Anywhere

•  Looking for the Stability of Small Failure Domains

Cisco Dynamic Fabric Automation applies to any customer looking for solution to:


N1KV/OVS N1KV/OVS N1KV/OVS Services WAN/Core

Virtual Machines Physical Machines FEXs 3rd Party Switches UCS FIs Blade Switches Storage

Firewalls Load Balancers 3rd Party Appliance

Routers Switches 3rd Party Devices

Note: the different leaf roles are logical and not physical. The same leaf can perform all three functions (regular, services and border leaf)

spine leaf

border leaf

service leaf

virtual leaf


Fabric Management

Workload Automation

Optimized Network

Multi-Cloud Fabric

DFA is a set of Functions that Simplify Optimize and Automate the Unified Fabric!


Advantages •  Device Auto-Configuration

•  Cabling Plan Consistency Check

•  Automated Network Provisioning

•  Common point of fabric access

•  Network, vFabric & Host Visibility

TFTP Services

DHCP Services

XMPP Server

LDAP

Message Broker

DCNM (CPoM)


•  DFA Centralized Point of Management (CPoM)

DCNM 7.0 Release DHCP-Server TFTP XMPP LDAP Message Broker

•  Virtual Appliance for vSphere

•  All Functions packaged and pre-installed in ONE single OVA!


Welcome Screen provides easy access to •  Licensing •  POAP •  Performance Collection •  Documentation

Menu structure with access to CPOM Functions, Configuration and Administration


Health Status and Event Overview

Summary Dashboard showing all Health, Inventory, Topology and Performance Collection Information

Automatic Discovered Topology with Load and Health information

Detailed Performance Collection for Top Access-Port, ISL/Trunk-Port & CPU


Detailed Port Information available on Mouse-Over

DFA Dashboard showing Leaf/Spine Topology incl. Status and active Links

Selected Node with all active Links and Status

Search for Switch and discovered Server (virtual and physical)

Pull-down to change view to selected virtual Fabric


•  Full CPOM integrated POAP Engine

•  DHCP Scope-Definition Own DHCP-Daemon

•  Image & Configuration Repository Embedded TFTP- & SCP-Server

•  Pre-Defined as well as fully scriptable Configuration Templates

•  Easy POAP Switch Definition Workflow


Pre-Defined Configuration Template Repository

Template Creator supporting scripting Language and Form-Creation

Templates covering Switch Name, Management, VPC, FEX, DFA, everything …..


Workflow to for POAP-Definitions

First Step to create POAP-Definitions: Switch S/N for clear identification during POAP Process! Choose from Switch Type, Image Server, System Image, Kickstart Image and Config Server.

Select previous created or pre-defined Template Complete Form – form was created thru scripting language within Template Creator (very easy and intuitive)

Form can support list values like IP Address Ranges (192.168.32.10-100) Easy to create definition for multiple Switches in one Step!


•  Detects Cabling anomalies Incorrect Connectivity (ErrC) Link Not present (Unkn) Unexpected Connections (Enp)

•  Flexible supports DFA and Non-DFA platforms Cable plan can be deployed global or device-specific Enforcement on one side

•  Auto Generation, Import, Export

•  Granular – Per port Validation


= Spine (Tier Level 2) = Leaf (Tier Level 1)

2 2

1 1 1 1


2 2

1 1 1 1 ✗

✓

Consistency Check OK based on Cable Plan/Tier Definition

✗

Consistency Check FAILED based on Cable Plan/Tier Definition

Spine-Tier2 Leaf-Tier1 Spine-Tier2 Leaf-Tier1



2 2

1 1 1 1

feature cable-management feature lldp ! fabric connectivity tier 2 fabric connectivity cable-plan enforce

nexus# dir bootflash:/// | include cableplan.xml 906 May 28 06:43:52 2011 cableplan.xml nexus#

Individual Cable-Plan-File generated and uploaded thru CPOM (DCNM)

errdisable recovery interval 300 errdisable detect cause miscabling no errdisable recovery cause miscabling

Error Disable detect ON by default Error Disable recovery OFF by default

Everything configured by the pre-defined Base-Leaf/Spine Templates of CPOM

feature cable-management feature lldp ! fabric connectivity tier 1 fabric connectivity cable-plan enforce

Spine-Tier2 Leaf-Tier1



2 2

1 1 1 1

2011 May 31 02:37:40 n6k-leaf-2018 %$ VDC-1 %$ %CMM-2-MISCBL_TIERERR: Miscabling: Port Ethernet1/47 Error detected on peer tier check. Local: Tier 1 System n6k-leaf-2018 Chassis 002a.6a27.27d6 Port Eth1/47 Neighbor: Tier 1 System n6k-leaf-2017 Chassis 002a.6a22.a416 Port Eth1/47

Log Message on Cable Plan Consistency Check failure Error detected on peer tier check

n6k-leaf-2018# show interface eth1/47 Ethernet1/47 is down (Miscabled)

n6k-leaf-2018# show fabric connectivity neighbors ------------------------------------------------------------------------------- Local System: Device Tier Config: Enabled Device Tier Level: 1 Mismatch Delay Config: Disabled Mismatch Delay Timeout: 0 Cable-Plan Enforce: Enabled DeviceID: n6k-leaf-2018 ChassisID: 002a.6a27.27d6 ------------------------------------------------------------------------------- Codes: (Ok) Normal, (ErrT) Tier error , (ErrC) Cable-Plan error, (V) VPC Peer connection, (S) Stale entry, (Unkn) Unknown, (Enp) Entry not present in Cable-Plan, (Tl) Tier level Neighbor Table: ------------------------------------------------------------------------------- Local DeviceID PortID Tl Cable-Plan Status Intf Entry Eth1/37 n6k-spine-2016 Eth1/37 2 n6k-spine-201,Eth1/37 Ok Eth1/38 n6k-spine-2015 Eth1/38 2 n6k-spine-201,Eth1/38 Ok Eth1/47 n6k-leaf-2017 Eth1/47 1 Enp ErrT,S Total entries displayed: 3



2 2

1 1 1 1

n6k-leaf-2018# show fabric connectivity neighbors ------------------------------------------------------------------------------- Local System: Device Tier Config: Enabled Device Tier Level: 1 Mismatch Delay Config: Disabled Mismatch Delay Timeout: 0 Cable-Plan Enforce: Enabled DeviceID: n6k-leaf-2018 ChassisID: 002a.6a27.27d6 ------------------------------------------------------------------------------- Codes: (Ok) Normal, (ErrT) Tier error , (ErrC) Cable-Plan error, (V) VPC Peer connection, (S) Stale entry, (Unkn) Unknown, (Enp) Entry not present in Cable-Plan, (Tl) Tier level Neighbor Table: ------------------------------------------------------------------------------- Local DeviceID PortID Tl Cable-Plan Status Intf Entry Eth1/37 n6k-spine-2016 Eth1/37 2 n6k-spine-201,Eth1/37 Ok Eth1/38 n6k-spine-2015 Eth1/38 2 n6k-spine-201,Eth1/38 Ok Eth1/47 n6k-leaf-2017 Eth1/47 1 Enp ErrT,S Total entries displayed: 3

2011 May 31 02:37:40 n6k-leaf-2018 %$ VDC-1 %$ %CMM-2-MISCBL_TIERERR: Miscabling: Port Ethernet1/47 Error detected on peer tier check. Local: Tier 1 System n6k-leaf-2018 Chassis 002a.6a27.27d6 Port Eth1/47 Neighbor: Tier 1 System n6k-leaf-2017 Chassis 002a.6a22.a416 Port Eth1/47

Log Message on Cable Plan Consistency Check failure Error detected on peer tier check

n6k-leaf-2018# show interface eth1/47 Ethernet1/47 is down (Miscabled)

CPOM Shows same information: -  Failure on Node and how many -  Interface Miscabling -  Interface Status


Advantages •  Any workload, anywhere, anytime

•  Open Integration: orchestration

•  Automated scalable provisioning

•  Workload aware fabric Services Controller

Fabric Mgmt Provisioning

Open APIs

Published Schemas

Network & Network Services Policies

Cloud Stacks

Compute & Storage Policies


•  Network Administrator Configures Manually the physical Network VLAN, SVI, Forwarding-Mode and the VLAN to Segment-ID mapping

•  No Automatic trigger to enable the configuration pre-defined as per a traditional Operating Model or pulled from CPOM repository

•  CPOM provides Switch bring-up and Monitoring functionality

28

DCNM (CPoM)

N1kv/OVS

Physical Machines Virtual Machines


•  Network Administrator prepares Auto-Config Profiles in CPOM & Virtual-Switch Port-Profiles/Port-Groups Virtual Switch configuration is manual Non VDP-capable Devices need to belong to a Mobility-Domain (for example: all VMs belonging to a vCenter)

•  On Workload start, VDP or MAC learn will trigger auto-config installation Switch (DFA Leaf) downloads pre-defined Auto-Config Profile from CPOM

•  CPOM provides Switch bring-up, Leaf Auto-Configuration and Monitoring functionality Auto-Config Profiles stored in LDAP VDP as Bottom-Up signalization for Auto-Config trigger MAC learn as alternative trigger for non-VDP capable Devices

29

DCNM (CPoM)

N1kv/OVS

VDP DHCP/ARP-ND


Auto-config Triggers

Data Packet Driven Programmatic

*VDP (VSI Discovery and Configuration Protocol) is IEEE 802.1Qbg Clause 41


•  Name-Space (VLAN) managed by a DFA external entity (eg. vCenter, Openstack etc.)

•  Port-Profile, Port-Group or Network definition is completely independent from CPOM

•  Auto-Config Profiles of CPOM will use this Name-Space for serving Network Instantiation

Segment-ID for Fabric Forwarding is automatically assigned based on a CPOM owned range (configurable)

© 2013 Cisco and/or its affiliates. All rights reserved. 31 31

Network & Services Orchestration

Compute & Storage Orchestration Orchestration Stack

UCS Director (Cloupia), OpenStack, vCloud Director

DCNM (CPoM)

N1kv/OVS

VDP DHCP/ARP-ND




*VDP (VSI Discovery and Configuration Protocol) is IEEE 802.1Qbg Clause 41

© 2013 Cisco and/or its affiliates. All rights reserved. 32 32

Network & Services Orchestration

Compute & Storage Orchestration Orchestration Stack

UCS Director (Cloupia), OpenStack, vCloud Director

DCNM (CPoM)

N1kv/OVS

VDP DHCP/ARP-ND




•  Orchestration Administrator defines logical Organization Network Mapping the Auto-Config Profile “Name” to the logical Organization Network Name-Space (Segment-IDs) resources are administrated within the Orchestrator Orchestrator (for example vCD, Openstack) directly interacts with the Virtual Switch

•  Network Administrator prepares Auto-Config Profiles in CPOM Virtual Switch are configured through Orchestrator (like in vCD) or pre-populated Port-Groups/Port-Profiles

•  When new Virtual-Machine get created and Network CPOM gets polled for Auto-Config Profile Based on MAC learn or VDP signalization Network gets instantiated Dynamic VLAN gets chosen and mapped to the Segment-ID (based on Dynamic VLAN range and Segment-ID Namespace, managed by Orchestrator) Auto-Config Profile gets installed (VLAN, SVI, VRF, Segment-ID) VLAN ID gets exchanged via VDP to the Virtual Switch (no, not VTP) Leaf receives 802.1q tagged frames and associates them to the segment-ID


•  What are the Auto-Config trigger for the Leaf-Switch?

•  Control-Plane based – VDP Signalization Nexus 1000v on vSphere* & OVS Bare-Metal Server with VDP capable CNA (only Data VLANs)

•  Packet based –MAC Learn Every Bare-Metal or virtualized Server with Mobility Domain

•  CLI based – Manual Download of Auto-Config Profile to Leaf-Switch Every Bare-Metal or virtualized Server

•  Static Configuration Every Bare-Metal or virtualized Server

•  Note: Your Server can have Static or Dynamic IP Addressing – you choose

*Other virtualized Switches tbd (Nexus 1000v on other Hypervisors)


Advantages •  Any subnet, anywhere, rapidly

•  Reduced Failure Domains

•  Extensible Scale & Resiliency

•  Profile Controlled Configuration

!  Any/all subnets on any leaf

!  Any/all Leaf Distributed Default Gateways

!  Full bisectional bandwidth (N spines)

" Network Config profile " Network Services Profile n1000v# show port-profile name WebProfile port-profile WebServer-PP description: status: enabled system vlans: port-group: WebServers config attributes: switchport mode access switchport access vlan 110 no shutdown security-profile Protected-Web-Srv evaluated config attributes: switchport mode access switchport access vlan 110 no shutdown assigned interfaces: Veth10

Licensing Requirements: N6k & N7k - LAN Base - LAN Enterprise - Enhanced Layer-2 N5k - Enhanced Layer-2 N1kv - Essentials Edition


•  Provides distributed default gateway on each Leaf

•  Leverages proxy-ARP

•  Intra- and Inter-Subnet forwarding based on Routing

•  Contain floods and failure domains to the Leaf

interface vlan 123 vrf member Coke fabric forwarding mode proxy-gateway ip address 10.1.1.1/24 ip dhcp relay address 200.200.200.100 no shutdown

L3 L2

H1: 10.1.1.10/24 H3: 10.1.2.10/24 H2: 10.1.1.20/24

vSwitch vSwitch

N7k-S1 N7k-S2 N6k-S1 N6k-S2

N6k-1 N6k-4 N6k-2 N6k-3 N6k-6

vlan 123 mode fabricpath vn-segment 30000


•  Provides distributed default gateway on each Leaf

•  Intra-Subnet forwarding based on FabricPath Layer-2 lookup is performed at the leaf Data-plane based conversational learning for endpoints MAC addresses

•  ARP is flooded across the fabric

interface vlan 123 vrf member Coke fabric forwarding mode anycast-gateway ip address 10.1.1.1/24 ip dhcp relay address 200.200.200.100 no shutdown

L3 L2

H1: 10.1.1.10/24 H3: 10.1.2.10/24 H2: 10.1.1.20/24

vSwitch vSwitch


N6k-1 N6k-4 N6k-2 N6k-3 N6k-6



•  No default gateway presence on N5k-Leaf

•  No Segment-ID support All Nexus 5500 involved VLANs are non-Segment-ID enabled across all DFA-Leafs

•  Reverts back to traditional FabricPath for forwarding

•  L2 lookup is performed at the Leaf Data-Plane based conversational learning for endpoints MAC addresses

•  ARP is flooded across the fabric

L3 L2

H1: 10.1.1.10/24 H3: 10.1.2.10/24 H2: 10.1.1.20/24

vSwitch vSwitch


N5k-1 N5k-4 N5k-2 N5k-3 N6k-6

vlan 123 mode fabricpath



L3 L2

H1: 10.1.1.10/24 H3: 10.1.2.10/24 H2: 10.1.1.20/24

vSwitch vSwitch


N5k-1 N6k-4 N5k-2 N6k-3 N6k-6

vlan 123 mode fabricpath

As long as Nexus 5500 are present; Gateways for Nexus 5500 served VLANs need to have “Anycast-Gateway” Mode



L3 L2

H1: 10.1.1.10/24 H3: 10.1.2.10/24 H2: 10.1.1.20/24

vSwitch vSwitch


N5k-1 N6k-4 N6k-2 N6k-3 N6k-6

vlan 421 mode fabricpath vn-segment 30531 vlan 123 mode fabricpath

interface vlan 421 vrf member Pepsi fabric forwarding mode proxy-gateway ip address 40.2.1.1/24 ip dhcp relay address 200.200.200.100 no shutdown


Segment-IDs can ALWAYS be used for VLANs with no Nexus 5500 participation

For VLANs with full DFA-Leaf only, all Forwarding-Modes can be chosen as per your preference


L3 L2

H1: 10.1.1.10/24 H3: 10.1.2.10/24 H2: 10.1.1.20/24

vSwitch vSwitch


N6k-1 N6k-4 N6k-2 N6k-3 N6k-6


interface vlan 123 vrf member Coke fabric forwarding mode proxy-gateway ip address 10.1.1.1/24 ip dhcp relay address 200.200.200.100 no shutdown

Proxy-Gateway could be used after last Nexus 5500 Leaf was removed

Segment-ID based forwarding available when last Nexus 5500 is remove


Proxy-Gateway Anycast-Gateway Non DFA Mode*

VLAN/Subnets stretched between leaves ✓ ✓ ✓

(requires anchor Leaf)

Common Anycast GW IP across leaves ✓ ✓ ✗

Common Anycast GW MAC across leaves ✓ ✓ ✗

Use Proxy-ARP/ND ✓

(respond to ARP/ND only if the destination is available in the RIB)

✗ ✗

ARP Flooding in Layer-2 Domain ✗ ✓

(floods also across DFA Fabric) ✓

(local flood only)

Intra-Subnet forwarding Always routed (TTL decrement) Bridged Bridged

Silent Host Discovery ✗ ✓ ✓

* VLANs/IP Subnets are only locally defined behind a DFA leaf (or a pair of vPC peer leaves)


•  Forwarding mode is configurable at a subnet (SVI) level

•  In both cases host routes are advertised between DFA leaf nodes

•  Important: L2 non-IP packets are always bridged across the Vinci fabric, regardless of the specific forwarding mode deployed


Advantages •  Any workload, any vFabric, rapidly

•  Scalable Secure vFabrics

•  vFabric Tenant Visibility

•  Routing/Switching Segmentation

HR Finance

Manufacturing Sales


Network CPOM

VRF

Segment/VLAN

Segment/VLAN

Segment/VLAN

Segment/VLAN

VRF Partition

Network Network Network Network

Partition

Organization …

… …

Example Shown: Multiple Organizations and Partition per Organization possible

VRF Org:Part


Orchestrator CPOM

Virtual DataCenter


Virtual DataCenter Partition


Partition

Organization …

… …

Tenant …

… …

Closely aligned with Orchestrator hierarchies!


•  Traditionally VLAN space is expressed over 12 bits (802.1Q tag)

•  Limits the maximum number of segments in a datacenter to 4096 VLANs (4k)

•  DFA leverages a double 802.1Q tag for a total address space of 24 bits

•  Support of ~16M L2 segment (10K targeted at FCS)

•  Segment-ID is hardware-based innovation offered by leaf and spine nodes part of the DFA Fabric

FabricPath Frame Format

Integrated Fabric Frame Format

Segment-ID = 802.1Q 802.1Q


•  Segment-IDs are utilized for providing isolation at Layer-2 and Layer-3 across the DFA Fabric

•  802.1Q tagged frames received at the Leaf nodes from edge devices must be mapped to specific Segments

•  The VLAN-Segment mapping can be performed on a Leaf device level

•  VLANs become locally significant on the Leaf node and 1:1 mapped to a Segment-ID

•  Segment-IDs are globally significant, VLAN IDs are locally significant

Fabric

Segment-IDs (Global)

VLANs VLANs

VLAN 10 <-> Segment-ID 5000 VLAN 11 <-> Segment-ID 5001

…………………….. VLAN 20 <-> Segment-ID 5020

VLAN 20 <-> Segment-ID 5000 VLAN 41 <-> Segment-ID 5001

…………………….. VLAN 70 <-> Segment-ID 5020

802.1q Trunks 802.1q Trunk


•  Each IP Subnet defined at the Leaf of the DFA Fabric is associated to a Layer-2 Domain, which is represented by a Segment-ID

•  Multiple Segments can be defined for a given Tenant, Those Segments can be mapped to a Layer-3 VRF and uniquely identify that Tenant

•  A dedicated Segment-ID value uniquely identifies each VRF defined in the DFA Fabric

Red Tenant VRF_Red segment-ID 6000

Segment-ID 5000 10.1.1.0/24

Segment-ID 5001 11.1.1.0/24

Segment-ID 5002 12.1.1.0/24


•  Each VLAN can be mapped to a Segment-ID A VLAN becomes significant only at the Leaf level This increases the overall Namespace from 4k to 16M unique IDs for the Fabric

•  A Virtual Fabric is basically a VRF!

•  Each VRF uses a dedicated Segment-ID Like a MPLS VPN-Label


Fabric Management

Workload Automation

Virtual Fabrics Optimized Networking

Bundled functions are Modular, Flexible and follows your Choice of Integration and Speed of Adoption!

DFA will FCS in Q1 CY’14 N5k/N6k 7.0(0)N1(1) N7k 6.2(2)/6.2(6) DCNM 7.0 Release


L3 L2

vSwitch N1kv


N5k-1 N6k-4 N6k-2 N6k-3 N6k-6

N2k

Nexus 7000 (F2/F2e) and Nexus 6000 as Full DFA-Spine – Full Co-Existence Support!

Nexus 6000 as Full DFA-Leaf; supporting all the Functionalities

Nexus 2000 FEX Support at every kind of DFA-Leaf (Full or L2-only)

Nexus 5500 as L2-Only DFA-Leaf (no Segment-ID support)

Nexus 1000v enhancing Virtual Workload with VDP-Signalization


Platform Fabric Management

Workload Automation

Optimized Networking

Virtualized Fabrics

Nexus 6000 ✓ ✓ ✓ ✓ Nexus 5500 ✓ ✗ ✓(1,3) ✓(1,3)

Nexus 7000 (M) ✓ ✗ ✗ ✗ Nexus 7k/7.7k

(F2/F2e) ✓ ✗ ✓(2) ✓(2)

Nexus 3000 ✗ ✗ ✗ ✗ Nexus 1000v ✓ ✓ ✓ ✗

1No Segment-IDs 2Spine 3Layer-2 only

Licensing: CPOM with all it’s functionality is FREE! Including DCNM Essential Edition


•  Thank you! •  Please complete the post-event survey •  Join us for upcoming webinars:

Register: www.cisco.com/go/techadvantage Follow us @GetYourBuildOn

techadvantage webinar - closer look into dynamic fabric automation (dfa)

Technology

cisco andor

cisco confidential7

template creator

server predefined

discovered server virtual

fabric management

virtual fabricselected

easy access