APIC - Agenda INFN
Download
Report
Transcript APIC - Agenda INFN
Data Center e Cloud: soluzioni
avanzate e open per
l'orchestrazione dei servizi
Luca Relandini
30 Giugno 2014
Agenda
Declarative vs Imperative model
Stateless vs pre provisioned
Cisco ACI (Application Centric Infrastructure)
Cisco and the Open Source
Automation and Cloud
DevOps
Cisco Confidential
2
Why Network Provisioning is Slow
Application Language Barriers
Infrastructure Teams
Developers
Application
Tiers
VLANs
Subnets
Provider /
Consumer
Relationships
Protocols
Ports
Cisco Confidential
3
Declarative vs Imperative model
What
How
Imperative
Declarative
Cisco Confidential
4
Cisco (2009):
“Stateless hardware will change computing”
Admin creates policies and profiles
Admin does NOT program the hardware
UCS Manager
UCS Manager configures the stateless HW
CISCO UCS 6248UP
1
2
3
4
5
6
7
8
9
10 11
12 13
14 15
16
17
18 19
20 21
22 23
24 25
26 27
28 29
30 31
32
1/10 GIGABIT ETHERNET
CISCO UCS 6248UP
1/2/4/8G FIBRE CHANNEL
ID
UCS 2204XP
UCS 2204XP
FAN STATUS
FAN STATUS
UCS 2204XP
FAN STATUS
1
1
2
2
FAN STATUS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
FAN STATUS
3
4
1
2
2
CHS A56
FAN 5
FAN 2
FAN STATUS
FAN 6
FAN STATUS
FAN 7
FAN 4
4
5
6
7
8
9
10 11
12 13
14 15
16
17
18 19
20 21
22 23
24 25
26 27
28 29
30 31
32
1/10 GIGABIT ETHERNET
UCS E16UP
1
2
3
4
5
6
7
1/2/4/8G FIBRE CHANNEL
8
9
10
FAN STATUS
FAN STATUS
CHS A56
FAN 5
FAN 2
FAN STATUS
FAN 6
1
2
2
FAN 7
FAN 4
13
14
15
16
FAN STATUS
UCS 2204XP
FAN STATUS
FAN STATUS
FAN STATUS
1
1
2
2
FAN STATUS
!
3
4
FAN 3
FAN STATUS
12
UCS 2204XP
FAN STATUS
1
3
4
FAN 1
FAN 8
FAN STATUS
11
UCS 2204XP
FAN STATUS
3
4
FAN 3
FAN STATUS
3
!
3
4
FAN 1
FAN STATUS
2
STAT
UCS 2204XP
FAN STATUS
1
!
3
16
UCS 2204XP
FAN STATUS
!
1
ID
UCS E16UP
STAT
3
4
FAN 1
FAN 8
FAN STATUS
FAN STATUS
FAN 5
FAN 2
FAN STATUS
FAN 6
3
4
FAN 3
FAN STATUS
FAN 7
FAN 4
CHS A56
4
FAN 1
FAN 8
FAN STATUS
FAN STATUS
FAN 5
FAN 2
FAN STATUS
FAN 6
FAN 3
FAN 7
FAN STATUS
FAN 4
FAN 8
FAN STATUS
CHS A56
Policy Driven System
Cisco Confidential
5
Cisco (2013):
“Stateless hardware will change NETWORKING”
Admin creates policies and profiles
Admin does NOT program the hardware
APIC pushes policies and profiles to HW
APIC
HW programs itself!
Policy Driven System
Cisco Confidential
6
Software Architecture Principles
of the Application Centric Infrastructure
Configuration-driven
Policy-based
Infrastructure-centric
Application-centric
Element management
Network-wide management
Cisco Confidential
7
Application Centric Infrastructure Components
Open API’s, Complete Automation, and Application Focused
OPEN RESTFUL API
CENTRALIZED POLICY MODEL
OPEN SOURCE
APIC
CONTROLLER
POLICY MODEL
NEXUS 9500 and 9300
ACI
Cisco Confidential
8
Agility: Any Application, Anywhere
Physical And Virtual - Common Application Network Profile
WEB
F/W
ADC
APP
ADC
DB
Extensible APIC
Scripting Model
SLA
CONNECTIVIT
Y POLICY
QoS
SECURITY
Security
POLICIES
Load
Balancing
QOS
BANDWIDTH
RESERVATION
AVAILABILITY
APPLICATION
L4-L7
SERVICES
STORAGE
AND
COMPUTE
APPLICATION
NETWORK PROFILE
HYPERVISOR
HYPERVISOR
HYPERVISOR
The Power of Integrated Overlay
Cisco Confidential
9
ACI: Three Game-changing Differentiators
1
APPLICATIONCENTRIC POLICY
MODEL
2
•
•
•
Operationally Simple
Lowest TCO
Zero-touch provisioning
•
•
•
Cisco Confidential
PHYSICAL +
VIRTUAL
Health Metrics
Visibility / Telemetry
Troubleshooting
3
•
•
•
OPEN AND
SECURE
Open API / Open Source
Advanced Security
3rd Party Integration
10
Two Operational Models
Which do you want your network admin using?
Before ACI:
1.
“Trunk VLAN 112 to switch 22.”
2.
“Add route….”
3.
“Plumb ports 7-12…”
4.
Break for snack. See if there’s any
leftover cake in the coffee room.
5.
“Configure ACL…”
6.
“Apply QoS…”
7.
Repeat.
With ACI:
1.
“Let my app servers talk to my web
servers.”
2.
There is no step 2. Go do something
interesting.
Cisco Confidential
11
ACI - Key Takeaways
ACI Policy Model forms the foundation of our Controller Strategy
Starting in the Datacenter, moving to Campus and Beyond
Northbound APIs
Common abstractions
Fully published and consistent
Southbound APIs
Moving to OpFlex
Bringing concepts to the industry
Standards
Open Source projects
Cisco Confidential
12
What Cisco ACI brings to Openstack
1
•
•
•
PHYSICAL +
VIRTUAL
NETWORKING
Zero-touch operations •
Performance at scale
Physical server, multi- •
hypervisor
2
APPLICATIONCENTRIC
POLICY MODEL
Easy for app
developers
Self-documenting /
automation
3
•
•
•
4
TELEMETRY
Health Metrics
Visibility / Telemetry
Troubleshooting
•
•
ADVANCED
CAPABILITIES
Service chaining
App Acceleration
Cisco Confidential
13
Extending Policies to the Open Source
Contract
Connectivity
Security
QoS
L4-7 Services
OUTSIDE
F/W
ADC
WEB
ADC
Contract
Contract
APP
DB
APPLICATION
NETWORK PROFILE
What is an application policy?
1. Group: A set of VMs / servers with the same policy
2.
Contracts: A set of rules governing communication between groups
3. Service Chains: A set of network services between groups
Cisco Confidential
14
Two Options for OpenStack API
Neutron API
Tenant
NEUTRON NETWORK
Group Policy API
Tenant
Contract
NEUTRON ROUTER
Port
Port
SECURITY
GROUP
NEUTRON
NETWORK
GROUP
Use Existing Neutron API
with APIC and Cisco ACI
GROUP
SERVICE
CHAIN
Group Policy introduces a new API
that maps to the ACI policy model
Cisco Confidential
15
OpenStack - ACI Integration
APIC PLUGIN
GROUP POLICY PLUGIN
Contract
NEUTRON
NETWORK
NEUTRON
ROUTER
SECURITY
GROUP
WEB
F/W
ADC
ADC
Neutron
Networking
APIC
APIC
Driver
Plugin
Contract
Contract
APP
DB
Neutron
Networking
Group Policy Extensions
OVS Driver
APIC Group Driver
OVS Driver
APIC
APIC
We
b
Ap
p
HYPERVISOR
We
b
Ap
p
DB
HYPERVISOR
We
b
We
b
DB
We
b
Ap
p
We
b
Ap
p
DB
We
b
We
b
DB
HYPERVISOR
HYPERVISOR
HYPERVISOR
HYPERVISOR
Cisco Confidential
16
OpenStack APIC Plugin - Detail
Neutron
Networking
APIC
APIC
Driver
Plugin
ML2-based APIC driver maps via REST:
• Network :: EPG
• Router :: Contract
OVS Driver
APIC
OVS driver configures VLAN / VXLAN ports
on OVS.
ACI fabric acts a distributed router in
place of L3 agent and provides
distributed L2 functionality
VLAN or VXLAN segments
configured per network from server to
ToR
IP Tables on host used for security
group functionality
OVS
OVS
OVS
OVS
Network A
V(X)LAN 100
10.0.0.0/24
Network A
V(X)LAN 100
10.0.0.0/24
Network A
V(X)LAN 100
10.0.0.0/24
Network A
V(X)LAN 100
10.0.0.0/24
Network B
V(X)LAN 101
10.0.1.0/24
Network B
V(X)LAN 101
10.0.1.0/24
Network C
V(X)LAN 102
10.0.2.0/24
Network C
V(X)LAN 102
10.0.2.0/24
IPTables
IPTables
IPTables
IPTables
Host 3
Host 1
Host 2
Host 4
Cisco Confidential
17
Extending Policies To The Open Source
1
Group Policy API
Contributors
Group-Policy Information Model
Contributors
2
Group Policy API
OpFlex Southbound Plugin
OpFlex Agent Framework
3
Contributors
OpFlex Agent
Cisco Confidential
18
Cisco Intelligent Automation for Cloud: Analyst Ranking
Source: Forrester Wave™: Private Cloud Solutions, Q4 ‘13
Cisco Confidential
19
Four Feature Pillars of IAC 4.0
VMDC Certified Solution …
Out of the box support for VSA 1.0
(VMDC 4.0) and Services-enabled
VMDC 2.3
Advanced Multi-Tenancy “Out of the Box”…
End to end tenant management
Virtual &
Physical
Networking
Tenancy
Cloud
Platforms
Pricing
Hybrid Cloud management …
Multi cloud management across UCSD,
vCenter, vCloud, AWS and OpenStack
Tenant and Provider Business Admin
Personas
First class tenant and service pricing
models
Tenant Quotas
Cisco Confidential
20
Hybrid Cloud Management Platform
Unified Cloud Model
via CloudSynch
Amazon
OpenStack
VMware
UCSD
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
21
Clouds Your Way
Over 800 out of the box Services
and Workflows covering basic and
complex IaaS use cases
Over 500 extension
points for easy customization
Deploy cloud within existing IT
practices, policies and systems
Leverage pre-existing “run
books”
Cisco Confidential
22
Customer Management
Organization Specific
Service Levels + Pricing
Manage
Organizations
and Tenants
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
23
Multi-Cloud Health
Dashboard
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
24
Network Container Services – VSA 1.0
Container
Logical Topology
Devices
Services/Features
Gold
L2 Transport – Nexus 7000, 5000
L3 Routing Point – CSR1000v
Zone-Based Firewall – CSR1000v
Compute Firewall – VSG
Load Balancing – NetScaler VPX
Virtual Access – Nexus 1000v
FI – UCS 6200
Load Balancing
Perimeter Firewall
Compute Firewall
Public or Private Protected Zone
Unlimited VLANs per Zone
Silver
L2 Transport – Nexus 7000, 5000
L3 Routing Point – CSR1000v
Compute Firewall – VSG
Load Balancing – NetScaler VPX 1000v
Virtual Access – Nexus 1000v
FI – UCS 6200
Load Balancing
Compute Firewall
Public or Private Zone
Unlimited VLANs per Zone
Bronze
L2 Transport – Nexus 7000, 5000
L3 Routing Point – CSR1000v
Compute Firewall – VSG
Virtual Access – Nexus 1000v
FI – UCS 6200
Public or Private Zone
Compute Firewall
Unlimited VLANs per Zone
Cisco Confidential
25
Cisco Intelligent Automation for Cloud
Platform as a Service (DevOps Solution Accelerator)
Cisco Confidential
26
DevOps Solution Accelerator Process Flow
Stack Designer
Builds App
Model
Project Lead
Prime Service
Catalog
Project Team Member
Orders a Stack
Orders a VM
with App
Cisco Process
Orchestrator
Stack Model
Apps
Workload MACD
Middleware
Deploys VM
with Chef or
Puppet agent
OS
VM
Chef /Puppet
Repository and
Engine
Repository deploys the
middleware and application
components
Running System
Apps
Middleware
OS
VM
Running System
OS
VM
Cisco Confidential
27
Thank You
Network Container Services – VSA 1.0 (cont.)
Container
Logical Topology
Devices
Services/Features
Expanded Gold
L2 Transport – Nexus 7000, 5000
L3 Routing Point – CSR1000v
Zone-Based Firewall – CSR1000v
Compute Firewall – VSG
Load Balancing – NetScaler VPX
Virtual Access – Nexus 1000v
FI – UCS 6200
LB in each zone
Perimeter Firewall
Compute Firewall in each Zone
Public Protected Zone
Private Protected Zones
Unlimited VLANs per Zone
4-Zone
L2 Transport – Nexus 7000, 5000
L3 Routing Point – CSR1000v
Zone-Based Firewall – CSR1000v
Compute Firewall – VSG
Load Balancing – NetScaler VPX
Virtual Access – Nexus 1000v
FI – UCS 6200
Tenant Specific Public Zone
Private Zone
Public Protected Zone
Private Protected Zone
LB in each zone
Perimeter Firewall
Compute Firewall in each Zone
Cisco Confidential
29