TRANSCRIPT
Cisco Application Centric Infrastructure
Agenda
• Introduction
• Overview and Features
• Stateless Hardware
• Overlays
• Forwarding
• Use Cases
Industry trends
• Cloud services
- be it Amazon Web Services, Microsoft Azure cloud, DigitalOcean
• Big data
- Adobe, MapR (Map and Reduce), MongoDB
• Automation tools
- Ansible, Chef, Puppet, GitHub, Jenkins and continuous integration
• SDN
Software Defined Networking
• People describe this in different ways
• Control plane and data plane are now being controlled by some sort of centralized controller
- OpenFlow
• Network virtualization functions
- Nuage, PLUM, Midokura
• Pure programmability
- Arista, Cumulus
Software Overlay
• Run a layer 3 routed, non-blocking ECMP fabric or “CLOS fabric” as our underlying infrastructure
• On top of that we place multiple “virtual networks”
Application Centric Infrastructure
• Is a network fabric for datacenters.
• Leaf/Spine Topology
• Uses VXLAN and Tunnel Endpoints as an underlay
• All configuration is programmed, provisioned and initially controlled from the controller and pushed to the network switches
• Control plane and data plane are separate
• APICs form a cluster for distributed computing
What is ACI?
• Behaves like a Switch (Bridge Domain)
• Behaves like a Router (Unicast Routing)
• Utilizes VRFs (VRF)
• Utilizes VLANs (EPGs and SVIs)
• Utilizes VXLANs (Overlay)
• Behaves like an Orchestrator
- Configures Hypervisors/Controllers
- Configures L4-L7 devices
• Open North and South-bound API
- Automation
[Figure: What is ACI? An Application Network Profile (EPG WEB, EPG APP, EPG DB with F/W and L/B) is mapped onto the Legacy Network through Fabric Policies, Access Policies and Tenant Policies]
Application Network Profile
• Everything is based on the application, but we need to map that to network constructs
• ANP introduces a stateless definition of the application requirements
- Application Tiers
- Connectivity Policies
- Layer 4-7 Services
• The network profile is fully abstracted from the infrastructure
- Removes all dependencies on the infrastructure
- Portable across different data center fabrics
Applications Policy Model and Instantiation
• The application policy model and requirements are defined based on the “network profile”
• Then, based on the deployment model, the APIC pushes and provisions this down to the fabric infrastructure
• All forwarding in the fabric is managed through this “application network profile”
- IP addresses are fully portable anywhere within the fabric
- Security and forwarding are fully decoupled from any physical or virtual network attributes
- Devices autonomously update the state of the network based on the configuration policy requirements
ACI Fabric
What are we solving?
Overloaded Network Constructs
[Figure: three Subnet/VLAN pairs, each made to carry Basic Network Policy, SLAs and L4-7 Services]
• Network constructs are overloaded with unintended functionality.
Application Language Barriers
[Figure: Developers speak in Application Tiers and Provider/Consumer Relationships; Infrastructure Teams speak in VLANs, Subnets, Protocols and Ports]
• Developer and infrastructure teams must translate between disparate languages.
What is an application to the network?
• The collection of all the application's endpoints
• Layer 2 through L7 network policies
• The relation between these endpoints and their policies
- So the idea of what we want to get to is to build teamwork to create a logical, abstracted, stateless model that supports the application
Applying policy to endpoints
1) Endpoint attaches to the fabric.
2) The APIC detects the endpoint and learns its source EPG.
3) The APIC pushes the required policy down to the leaf switch
Policies
• Can be subdivided into two main categories:
- Access Policies = Define how a switch or switchport is configured. Specifically Ethernet and link layer properties such as LLDP, LACP, CDP, speed/duplex, etc.
- Tenant Policies = Govern traditional networking. This is where Application connectivity is defined.
• Both work in tandem to define where and how endpoints or applications are connected
[Figure: Access Policies and Tenant Policies sit between the Application Network Profile and the Legacy Network]
Access Policies
[Figure: the Application Network Profile mapped onto the Legacy Network, with the Access Policies layer highlighted and marked with a “?”]
• Consist of named selectors and profiles for the:
- Switches where a device is connected
- Interface on that switch where the device is connected
- L1 and L2 configuration for that interface such as CDP, LLDP, LACP
- Attachable Access Entity Profile (AAEP) to tie the switch and interface to a set of VLANs and the Domain used to reference the set under the Tenant. Represents a group of external entities with similar infrastructure policy requirements.
- VLAN Pool to describe the group of possible VLANs the device will possibly use at some point
- A Domain to tie the VLANs and switch/interface together as well as give the Tenant something to reference and validate the configuration is correct.
[Figure: the Application Network Profile mapped onto the Legacy Network, with the Tenant Policies layer highlighted]
Tenant Policies
• Govern traditional networking configuration
• What VLAN goes on what interface as trunk or access
• Creates SVIs and VRFs
• Creates router configuration (OSPF, EIGRP, Static, etc.)
Tenant Policies
• Logical container for a set of policies
• Main Components:
- Application Profiles = Container of similar applications that are somehow related
  - Application Profile has any number of Endpoint Groups (EPGs) inside
- Networking = Container for Network Infrastructure related items
  - Bridge Domains
  - VRFs
  - External Bridged Networks
  - External Routed Networks
- Security Policies
  - Contain the Contracts used between EPGs to enable communication
Tenant Model
[Figure: a Tenant contains VRF, Bridge Domain (with Subnet), Application Profile (with Endpoint Group), Contract (with Subject and Filter) and Outside Network]
VRF
• Layer 3 forwarding domain.
• Nothing fancy here, contains all routes for the particular VRF
• Routes will usually point to the local leaf SVI VLAN or via the overlay-1 VRF to a destination leaf VTEP
• VRF scope is where communication policy is enforced.
[Figure: Comprehensive look, a Tenant containing one VRF]
Bridge Domain
• Ties to a VRF
• Defines L2 forwarding characteristics and boundaries.
- L2 Unknown Unicast (Flood | Hardware Proxy): forwarding for unknown L2 destinations
- L3 Unknown Multicast (Flood | Optimized Flood)
- Multi-Destination Flooding (Flood in BD | Drop | Flood in Encapsulation): multicast frame/MAC
- ARP Flooding (On | Off)
• Similar to a VLAN but not tied to a single VLAN
• Unicast Routing
• Subnets
[Figure: Comprehensive look, Tenant > VRF > BD1, BD2, BD3]
• HSRP Evolved
•
•
•
•
Subnet under the BD creates an SVI only on the switches where there is anendpoint that needs it.
Known as a distributed default gateway
Gateway inside the fabric is good, flood is always answered in a single hop.
This SVI can be advertised externally through a routing protocol
Tenant
VRFBridgeDomain
Subnet
Comprehensive look
Tenant
VRF
BD1
10.0.1.1/24
BD2
10.0.2.1/24
BD3
10.0.3.1/24
Distributed Gateway
• EP Move: SVI will be removed from the original leaf and programmed on the new leaf/location
• Gateway is always one hop away. Decouple identity and location
[Figure: the 10.0.1.1/24 gateway SVI present on each leaf that has a BD1 endpoint, alongside 10.0.2.1/24 on the leaf where a BD2 endpoint is attached]
Unicast Routing
• Enables Routing
• Route between all BDs inside a VRF without configuring a routing protocol
• The subnet configured under the BD will be the SVI and Default Gateway for endpoints
• SVI is only programmed on the switches that have endpoints in that BD/EPG
• Traffic from inside a BD will hit the Distributed default gateway MAC and the fabric will handle routing to the destination BD
Application Profile & Endpoint Groups
• Endpoint Groups are used to group similar endpoints connected to the fabric. This is where policy is defined.
• An Application Profile (AP) is a logical container for Endpoint Groups (EPGs)
• An AP should logically group related EPGs, such as the 3-tiered Application example:
- Application Profile “My Web App”
  - Website – EPG
  - Application – EPG
  - DB – EPG
[Figure: Comprehensive look, Tenant > Bridge Domain and Application Profile. Application Profile: My-Web-App, EPG1 – Web-Servers containing IIS Server, Drupal and Apache Server]
VLANs
• In ACI, what is defined as the encapsulation VLAN is used as an identification for classifying traffic into EndPoint Groups (EPGs)
• The definition of this classification of packets into an EPG is done via static bindings or dynamic bindings associated to VMM domains
• Once a packet has been identified as pertaining to an EPG, it is tagged into specific, locally significant VLANs or globally unique VXLANs inside the leaf node to identify it for fabric policy enforcement
• Known as encapsulation normalization
[Figure: leaf ports 1 to 6; vlan100 arriving on two different ports is classified into EPGs (EPG1, EPG2, EPG3) belonging to Tenant Yankees and Tenant Redsox]
[Figure: Comprehensive look, Tenant > AP, VRF > BD1 10.0.1.1/24, BD2 10.0.2.1/24, BD3 10.0.3.1/24]
Security Policies
• ACI is a whitelist based network
• Use contracts to define policy for which EPGs can talk to which other EPGs and external EPGs
• Contracts are built with the following objects:
- Contract – Name
- Subject – Direction and Options
- Filter – Name and groups of filter entries
- Filter Entry – Specific protocol and ports and in which direction
Contracts
• One EPG is Providing, the other is Consuming
• Think client/server relationship. One EPG is a server providing a service; the client is consuming the service
• Bi-Directional Communication is allowed by default
• Once again, do not confuse bi-directional communication with a provider/consumer role
• Pro-Tip: Only the client/consumer is allowed to initiate communications
[Figure: a Tenant contains Contract > Subject > Filter]
ACI Provider/Consumer
[Figure: Web-Server EPG provides the HTTP Contract (HTTP Subject, HTTP Filter: Source X, Dest 80) and Web-Client EPG consumes it. Consumer to provider: Sport = X, Dport = 80. Provider back to consumer: Sport = 80, Dport = X]
Comprehensive look with Contracts
[Figure: Tenant > AP, VRF > BD1 10.0.1.1/24, BD2 10.0.2.1/24, BD3 10.0.3.1/24. EPG1 (VLAN 10, BD1) consumes the ICMP Contract that EPG3 (VLAN 20, BD3) provides]
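The provider/consumer whitelist model above, worked as an added Python example (not Cisco's code): it classifies sample endpoints into EPGs, evaluates constructed flows against the ICMP contract that EPG1 consumes from EPG3 and the HTTP contract between a Web-Client EPG and a Web-Server EPG, and applies the reverse-port rule from the diagram (Sport = 80 back to the consumer). Endpoint addresses and the Web-Client/Web-Server names are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class FilterEntry:
    """Filter entry: protocol and destination port (None = any port, e.g. ICMP)."""
    protocol: str
    dport: Optional[int] = None

@dataclass
class Contract:
    """Contract with one subject whose filter entries apply in both directions."""
    name: str
    entries: list
    providers: set = field(default_factory=set)
    consumers: set = field(default_factory=set)

class PolicyEnforcer:
    """Whitelist enforcement: a flow passes only if some contract permits it."""

    def __init__(self, endpoint_epg, contracts):
        self.endpoint_epg = endpoint_epg  # ip -> EPG, the leaf's classification result
        self.contracts = contracts

    def permit(self, src_ip, dst_ip, protocol, sport=0, dport=0):
        """Return the name of the permitting contract, or None (implicit deny)."""
        src_epg = self.endpoint_epg.get(src_ip)
        dst_epg = self.endpoint_epg.get(dst_ip)
        if src_epg is None or dst_epg is None:
            return None            # unclassified endpoint: no contract can match it
        if src_epg == dst_epg:
            return "intra-EPG"     # members of one EPG talk to each other freely
        for c in self.contracts:
            forward = src_epg in c.consumers and dst_epg in c.providers
            reverse = src_epg in c.providers and dst_epg in c.consumers
            for e in c.entries:
                if e.protocol != protocol:
                    continue
                # consumer -> provider: the flow's destination port must match
                if forward and e.dport in (None, dport):
                    return c.name
                # provider -> consumer: reverse filter ports, so the provider's
                # source port must be the entry's port (Sport = 80, Dport = X)
                if reverse and e.dport in (None, sport):
                    return c.name
        return None                # whitelist: nothing matched, the leaf drops it

# Constructed sample: classification results and the two contracts from the slides
ENDPOINT_EPG = {
    "10.0.1.10": "EPG1",        # BD1 10.0.1.1/24, consumes ICMP
    "10.0.3.10": "EPG3",        # BD3 10.0.3.1/24, provides ICMP
    "10.0.2.10": "EPG2",        # BD2 10.0.2.1/24, no contract at all
    "10.0.1.20": "Web-Client",  # consumes HTTP
    "10.0.3.20": "Web-Server",  # provides HTTP
}
CONTRACTS = [
    Contract("ICMP", [FilterEntry("icmp")], providers={"EPG3"}, consumers={"EPG1"}),
    Contract("HTTP", [FilterEntry("tcp", 80)], providers={"Web-Server"}, consumers={"Web-Client"}),
]
ENFORCER = PolicyEnforcer(ENDPOINT_EPG, CONTRACTS)

def check(src_ip, dst_ip, protocol, sport=0, dport=0):
    """Policy verdict for one constructed flow."""
    return ENFORCER.permit(src_ip, dst_ip, protocol, sport, dport)
```

EPG2 has no contract, so nothing reaches it or leaves it; the provider side can only answer on the contracted port, which is what the slide's "only the consumer initiates" pro-tip means in practice.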
What can one do with ACI?
Monitoring
• ACI offers a slew of monitoring and troubleshooting tools
• Event and Audit logs at numerous levels
• Ongoing as well as on-demand counters
• Graphs for statistics at numerous levels (vm, port, PC, vPC, BD, EPG, VRF)
• Troubleshooting Wizard for end to end traffic between two endpoints
- Shows counters, Contracts, traceroute, Topology
• Endpoint Tracker
- History, per endpoint, of all moves
• Capacity Dashboard
- Shows usage of different policies and scale
[Figure: Stats - Port]
Policy upgrade
• Ability to upgrade all switches and controllers in the fabric from one place, with a single click
• Requires the upload of the new controller and switch image
• Then, create a firmware group
• Finally, create Maintenance groups as needed to define which switches get upgraded at what time
• Controllers are upgraded through a different “Controller Firmware” Policy
- Controllers are kicked off at the same time (sort of like a single maintenance group) and upgrade sequentially.
[Figure: Maintenance Group Logic - Safest: switches split into Group1 through Group6]
What is a fault?
• Faults, events and audit logs are essential tools for monitoring the administrative and operational state of an ACI fabric as well as troubleshooting current and past issues
• They are the first thing to check when something is not behaving as expected!
[Figure: a Fault raised in the Tenant > AP, VRF > BD1 10.0.1.1/24, BD2 10.0.2.1/24, BD3 10.0.3.1/24 view with EPG1, EPG2 and EPG3]
How does ACI work?
How Does it All Work?
• Interaction from a user through an Application Program Interface (API) creates or modifies the objects in the model with the end goal of a policy to allocate or configure resources.
• This interaction is done through Data Management Engines (DMEs) communicating with each other.
[Figure: Logical > Resolved > Concrete > Hardware, handled by NGINX/API > APIC > PM/PE > NXOS. The hardware end is equivalent to the traditional CLI:]
Conf t
Int e1/25
Switchport mode access
Switchport access vlan 3
No shut
Types of Objects
• Logical, resolved, and concrete
- Logical = configured in the GUI by the user
- Resolved = created by the APIC as a unit/object to communicate and pass information to the switches
- Concrete = objects used by the switches to program hardware
[Figure: Logical > Resolved > Concrete > Hardware]
Flow
• Process flow
• Sequential
• Use to your advantage
[Figure: Logical > Resolved > Concrete > Hardware. On the APIC: NGINX/API > Policy Manager (PM). On the switch: Policy Element (PE) > NXOS > Hardware]
Objects at each stage:
• Logical MOs: fvTenant, fvAp, fvAEPg, fvCtx, fvBD
• Resolved MOs: fvEpP, fvCtxDef, fvBDDef
• Concrete MOs: vlanCktEp, l3Ctx, l2BD
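The logical MOs listed above (fvTenant, fvCtx, fvBD, fvAp, fvAEPg), assembled into the nested JSON an APIC REST client would post, as an added Python example that is not Cisco's code. The relation and subnet classes it uses (fvRsCtx, fvRsBd, fvSubnet), their attribute names and the /api/mo/uni.json target are assumed from the APIC object model and are not on the slides; the tenant, VRF and AP names are constructed.

```python
import json

def mo(cls, attributes, children=()):
    """One managed object in APIC REST JSON: {"class": {"attributes": {...}, "children": [...]}}."""
    body = {"attributes": dict(attributes)}
    if children:
        body["children"] = list(children)
    return {cls: body}

def build_tenant(name, vrf, bds, ap, epgs):
    """Logical model for one tenant.

    bds:  {bd_name: gateway_ip/prefix} -> fvBD tied to the VRF, with an fvSubnet
    epgs: {epg_name: bd_name}          -> fvAEPg under the fvAp, tied to its BD
    An EPG that points at a BD the tenant does not define is rejected up front,
    so the fvRsBd relation in the payload can never dangle."""
    dangling = sorted(e for e, bd in epgs.items() if bd not in bds)
    if dangling:
        raise ValueError(f"EPGs reference undefined bridge domains: {dangling}")
    bd_mos = [
        mo("fvBD", {"name": bd_name}, [
            mo("fvRsCtx", {"tnFvCtxName": vrf}),                 # BD -> VRF relation
            mo("fvSubnet", {"ip": gateway, "scope": "private"}),  # distributed gateway SVI
        ])
        for bd_name, gateway in bds.items()
    ]
    epg_mos = [
        mo("fvAEPg", {"name": epg_name}, [mo("fvRsBd", {"tnFvBDName": bd_name})])
        for epg_name, bd_name in epgs.items()
    ]
    children = [mo("fvCtx", {"name": vrf})] + bd_mos + [mo("fvAp", {"name": ap}, epg_mos)]
    return mo("fvTenant", {"name": name}, children)

def walk(payload):
    """Yield (class, attributes) for every MO in the tree, depth first."""
    for cls, body in payload.items():
        yield cls, body["attributes"]
        for child in body.get("children", []):
            yield from walk(child)

def epg_to_gateway(payload):
    """Review helper: which default gateway does each EPG's bridge domain provide?"""
    bd_gateway, epg_bd = {}, {}
    current_bd = current_epg = None
    for cls, attrs in walk(payload):
        if cls == "fvBD":
            current_bd = attrs["name"]
        elif cls == "fvSubnet":
            bd_gateway[current_bd] = attrs["ip"]
        elif cls == "fvAEPg":
            current_epg = attrs["name"]
        elif cls == "fvRsBd":
            epg_bd[current_epg] = attrs["tnFvBDName"]
    return {epg: bd_gateway[bd] for epg, bd in epg_bd.items()}

# Constructed example: the three-BD tenant drawn throughout the slides
TENANT = build_tenant(
    "Tenant1", "VRF1",
    {"BD1": "10.0.1.1/24", "BD2": "10.0.2.1/24", "BD3": "10.0.3.1/24"},
    "AP1", {"EPG1": "BD1", "EPG2": "BD2", "EPG3": "BD3"},
)
TENANT_JSON = json.dumps(TENANT, indent=2)  # body of a POST to /api/mo/uni.json
```

Because the APIC turns this logical tree into resolved and concrete objects on its own, reviewing the posted tree is the earliest point at which a wrong VRF or subnet binding can be caught.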
Stateless Hardware
• Just like UCSB/UCSM…just applied to networking!
• Service Profiles allow a blade to fail and to be redeployed immediately.
• Templates and Policies abstract configuration from hardware. Reusability!
• Application Profile is equivalent to Service Profile
[Figure: a Service Profile covering Network, Storage and Server]
Overlays and Tunnels
• When first discovering the fabric, each switch that is registered is dynamically assigned an IP address out of the Tunnel End Point (TEP) range specified during the APIC setup script.
• The TEP range defines the Overlay-1 VRF.
• The IP address every switch receives is known as a virtual TEP and is used to build tunnels between the leafs and spines
• Overlay-1 VRF contains /32 routes to each VTEP, VPC Virtual IP, APIC and Spine Proxy IP
Overlays and Tunnels
• Setup script values in the example:
- Infra-VLAN: 3967
- TEP-Pool: 10.0.0.0/16
- Multicast Range: 255.1.1.1
- Admin Password: ciscoLive16!
[Figure: TEP addresses assigned out of the pool: 10.0.0.1, 10.0.0.2, 10.0.0.3; 10.0.64.1, 10.0.64.2; 10.0.128.1, 10.0.128.2, 10.0.128.3]
Forwarding
• The most important thing any router or switch can do
• ACI does it too
• Uses a fancy mix of IS-IS, enhanced VXLAN encapsulation, special VLAN translation and a splash of policy
[Figure: Policy, VLAN xlate, IS-IS and the iVXLAN Tunnel layered over the fabric]
iVXLAN encapsulated frame, outer to inner: L2o | L3o | iVXLAN | L2i | L3i | Payload
• Inner headers (the endpoint's original frame): DMAC=MAC-B, SMAC=MAC-A, DIP=IP-B, SIP=IP-A
• Outer headers (the tunnel between leafs): DMAC=TEP3, SMAC=TEP1, DIP=TEP-3, SIP=TEP1
Forwarding and Learning
• Acts as a regular switch, learns and forwards based on MACs
• Also capable of learning IP addresses for a comprehensive endpoint
• Leafs learn remote endpoints as well for quicker lookup and directed forwarding to a destination leaf.
- Not just an outgoing port
• Spines have a global (fabric wide) database of all endpoints and can forward to any destination if needed
• BD settings determine learning and forwarding behavior
Global endpoint database (MAC, IP, VTEP):
MAC-A IP-A VTEP-1
MAC-B IP-B VTEP-2
MAC-C IP-C VTEP-3
L2 Unknown Unicast: Hardware Proxy
• Spine looks up the endpoint in the global database/COOP and forwards to the leaf VTEP. If not found, the packet is dropped.
• Optimization to traditional networking to cut down on unnecessary flooding.
L2 Unknown Unicast: Flood
• Uses a multicast tree rooted in the spine for a specific BD (the red computers in the figure); all leafs that have the BD are part of the multicast tree
• Imitates traditional networks, helpful for integrating an external gateway for migration
Multi-Destination Flooding
• Option One for dealing with some flooded traffic. The most traditional. Flood everywhere, every encapsulation in the BD (Flood in BD)
• Option Two: Disallow floods entirely (Drop)
• Option Three: Only allow the flood to propagate inside its own encapsulation, not the BD (Flood in Encapsulation)
[Figure: each option shown against leaf ports carrying VLAN 10, VLAN 10 and VLAN 20 in the same BD]
ARP Flooding
• Off: Unicast Routing / Directed ARP. Inspect the ARP frame for the Destination IP and unicast to that leaf/Endpoint
• On: Standard, traditional ARP flooding
Endpoint tables shown in the figure (MAC, IP, Interface):
• Leaf where MAC-B is local: MAC-B IP-B 1/25; MAC-A IP-A Tunnel31
• Leaf where MAC-A is local: MAC-A IP-A 1/15; MAC-B IP-B Tunnel13
• Third table: MAC-A IP-A Tunnel1; MAC-B IP-B Tunnel3
Conversational Learning
[Figure: IP-A/MAC-A and IP-B/MAC-B exchanging traffic across the fabric, each leaf learning the remote endpoint from the conversation]
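The leaf forwarding and learning behaviour described above (local endpoint table, learned remote endpoints, the spines' COOP database, and the Flood versus Hardware Proxy choice for L2 unknown unicast), as an added Python model that is not Cisco's code. VTEP, MAC and interface names are constructed, and the spine proxy is simplified to a lookup in the global database.

```python
from dataclasses import dataclass, field

SPINE_PROXY = "SPINE-PROXY"  # anycast proxy address on the spines (constructed name)

@dataclass
class Leaf:
    tep: str
    local: dict = field(default_factory=dict)   # MAC -> local interface
    remote: dict = field(default_factory=dict)  # MAC -> VTEP of the owning leaf

@dataclass
class BridgeDomain:
    name: str
    l2_unknown_unicast: str = "hardware-proxy"  # or "flood"

def forward(leaf, bd, coop, dst_mac):
    """Decide how a leaf forwards a unicast frame to dst_mac inside bd.

    coop models the spines' global endpoint database (MAC -> VTEP)."""
    if dst_mac in leaf.local:
        return {"action": "local", "interface": leaf.local[dst_mac]}
    if dst_mac in leaf.remote:  # learned remote endpoint: directed iVXLAN tunnel
        return {"action": "tunnel", "sip": leaf.tep, "dip": leaf.remote[dst_mac]}
    if bd.l2_unknown_unicast == "flood":  # BD multicast tree rooted in the spine
        return {"action": "flood", "tree": bd.name, "sip": leaf.tep}
    # hardware proxy: the leaf hands the frame to the spine proxy, which looks the
    # endpoint up in COOP; an endpoint unknown to COOP is dropped, never flooded
    vtep = coop.get(dst_mac)
    if vtep is None:
        return {"action": "drop", "reason": "not in COOP"}
    return {"action": "tunnel", "sip": leaf.tep, "dip": vtep, "via": SPINE_PROXY}

def learn_remote(leaf, src_mac, outer_sip):
    """Conversational learning: a frame arriving from the fabric teaches the
    receiving leaf which VTEP the source MAC lives behind."""
    if src_mac not in leaf.local:
        leaf.remote[src_mac] = outer_sip

def conversation(bd):
    """Replay MAC-A (on leaf1) talking to MAC-B (on leaf3), then a frame to an
    endpoint the fabric has never seen. Returns the per-frame decisions."""
    leaf1 = Leaf("VTEP-1", local={"MAC-A": "1/15"})
    leaf3 = Leaf("VTEP-3", local={"MAC-B": "1/25"})
    coop = {"MAC-A": "VTEP-1", "MAC-B": "VTEP-3", "MAC-C": "VTEP-2"}  # constructed
    steps = []
    first = forward(leaf1, bd, coop, "MAC-B")      # leaf1 knows nothing about B yet
    steps.append(first)
    if first["action"] in ("tunnel", "flood"):
        learn_remote(leaf3, "MAC-A", first["sip"])  # leaf3 learns A behind VTEP-1
    reply = forward(leaf3, bd, coop, "MAC-A")      # B -> A goes direct
    steps.append(reply)
    if reply["action"] in ("tunnel", "flood"):
        learn_remote(leaf1, "MAC-B", reply["sip"])  # leaf1 learns B behind VTEP-3
    steps.append(forward(leaf1, bd, coop, "MAC-B"))  # second A -> B: no proxy needed
    steps.append(forward(leaf1, bd, coop, "MAC-Z"))  # unknown everywhere
    return steps
```

Running conversation() with the default BD shows the first frame taking the spine proxy and every later one going leaf to leaf; switching the BD to "flood" turns the unknown-destination drop into a flood on the BD tree.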
Connecting to External Switches
• Just like other switches can be trunked together, ACI can trunk to any existing switch in your datacenter
• The benefit is that ACI allows you to decide where to apply policy and where the external endpoints are classified/learned
• ACI offers two options to connect to external switches:
- Extending the EPG outside of the fabric
- Extending the BD outside of the fabric
External Switches / Legacy Network
• Gateway can start outside of the fabric for migration purposes. Services on the Fabric will send their traffic and floods outside
• Gateway can then be migrated into the fabric. External services can flood into the fabric
Connecting to External Routing Instances
• ACI can participate in routing as well, via static or dynamic protocols.
• Advertising subnets and learning external subnets just like any other router
• This is done through an External Routed Network in ACI
• The benefit is that policy can be applied at a subnet/prefix level toward a specific EPG
- Known as a prefix-based EPG
External Routing Instances / Legacy Network
• ACI and the External Legacy network will exchange routing tables
Connect to Servers
• ACI can accept any sort of server connected to a leaf, just like a traditional switch can take any physical connection from an endpoint.
• ACI can seamlessly integrate with existing hypervisor environments
- The APIC will communicate to the hypervisor controller and create a virtual switch, dynamically assign VLANs and create portgroups/networks for the VMs
- ACI will dynamically configure the interfaces with the appropriate VLANs
[Figure: Servers, Hypervisors and FEX attached to the leafs]
What are Domains and why do I need them?
• Domains tie together the Access Policy model to the Tenant/EPG model.
• When a domain is associated, VLANs and interfaces are associated to an EPG
• Static Paths and Static VLAN pools work together with Domains to properly program interfaces
• Imperative to have domains associated to EPGs when mixing VMM dynamic domains and any other Domains
Static vs Dynamic Configuration
• Static implies manually configuring which interfaces have which VLANs from the pool defined under access policies
- Used with a physical domain and a static VLAN pool
- Static configuration is done under the EPG by associating the physical domain and creating a static path to a port and specifying a VLAN
• Dynamic implies that the VLAN is allocated automatically, randomly from the pool
- Used with a VMM domain and a dynamic VLAN pool.
- Associating the VMM domain to the EPG creates a port-group/network in the VM environment and, based on CDP/LLDP adjacencies that are reported, VLANs are programmed on the interface.
Static Deployment
• Compared to dynamic deployment, physical workloads are defined statically
• A Physical domain is needed on the EPG
• The second requirement is to configure a static path
• A static path specifies an interface on a switch, a port-channel on a switch, or a vPC interface between a pair of switches as well as the VLAN that the end device will be communicating on
• This VLAN can be:
- tagged
- untagged (access/native)
- 802.1p (still access/native but with QoS at MAC layer)
Dynamic Configuration
• Used for VMM Domain Integration
• ACI and the controller exchange information such as
- Number and name of Hypervisors
- vmnic adjacencies to the leaf ports
  - Requires CDP or LLDP
- VMs added to port-groups
• VMM domain associated to an EPG programs a port-group on the Controller
• With the goal of dynamically programming VLANs on the leaf interfaces.
Cisco ACI Hypervisor Integration
[Figure: the VMM objects (VMM Controller, VM, EPG, VM Portgroup, VM NIC, Hypervisor, Hypervisor NIC, Adjacency, Leaf Interface) as seen from the VM, Hypervisor, APIC and VMM Domain sides of the ACI integration]
Route Leaking and Inter-Tenant Communications
• In ACI, it is possible to have inter-VRF or inter-tenant communications
• This is accomplished by route leaking from one VRF to another using route-maps and prefix-lists in the fabric
• Route leaking is enabled by a contract applied to an EPG where one EPG is providing, the other EPG is in another Tenant or VRF and consuming.
[Figure: Inter-Tenant and Inter-VRF contract between two EPGs]
Connecting ACI to Existing L4-L7 Service Appliances
• Connecting to a Service appliance can be accomplished in several ways:
1. Manual configuration of bridge domains and EPGs (static)
- Someone needs to configure the device
2. Using the service graph feature of ACI in an unmanaged mode / network-only stitching mode (dynamic)
- Someone needs to configure the device
3. Using the service graph feature of ACI with a device package to dynamically configure the service appliance as well as the network
Device Model
[Figure: the Service Device is reached from the APIC Scripting Interface through Device-Specific Python Scripts; Device Interface: REST or CLI]
Cisco ACI Service Insertion: Extending ACI Policy Model to L4-L7 Services
Application Centric Infrastructure Building Blocks
[Figure: F5 BIG-IP, Controller, Policy Model, Nexus 9300 and 9500; an Application Network Profile for a traditional 3-tier application (FW, ADC, WEB, ACC, APP, DB), Physical + Virtual; Policy Model Extended to L4-L7]
Building blocks of ACI
• Application: 3 tier application (WEB-APP-DB). This may use ADC, FW services
• End point Group (EPG): Grouping of application components
• Policy model: Define QoS, Security, Network, L4-L7 etc. to be applied to EPG
ACI L4-L7 Service Automation thru Device Package
[Figure: the F5 Device Package (Configuration Model XML file and Python Scripts) is loaded into the APIC Script Engine / APIC Script Interface, which drives the BIG-IP Policy Engine from the APIC Policy Manager]
• APIC provides an extendable policy model through the Device Package
• Device Package contains an XML file defining the Device Configuration Model
• Provider Administrator can upload a Device Package
• Device scripts translate APIC API callouts to device specific callouts
F5 Synthesis Fabric
[Figure: ACI Fabric with F5 Virtual Edition, Appliance and Chassis form factors]
Deploy F5 iWorkflow Dynamic Device Package in ACI