Post on 19-Jul-2015
Denis Kodentsev, Consulting Engineer, CCIE, dkodents@cisco.com
Cisco APIC-EM – implementing the SDN concept in enterprise networks, 03.2015 CELC
© 2014 Cisco and/or its affiliates. All rights reserved.
Agenda
This presentation covers how the SDN idea is implemented in Cisco solutions for enterprise networks and gives an overview of APIC-EM.
Industry trends
Cloud (2008)
Software Defined Networking (2012)
Network Function Virtualization (2013)
Open Daylight Project (2013)
Application Policy Infrastructure Controller (2014)
“A platform for developing new control planes”
“An open solution for VM mobility in the Data-Center”
“An open solution for customized flow forwarding control in the Data-Center”
“A means to do traffic engineering without MPLS”
“A way to scale my firewalls and loadbalancers”
“A solution to build a very large scale layer-2 network”
“A way to build my own security/encryption solution, avoiding RSA”
“A way to reduce the CAPEX of my network and leverage commodity switches”
“A way to define virtual networks with specific topologies for my multi-tenant Data-Center”
“A means to scale my fixed/mobile gateways and optimize their placement”
“A solution to build virtual topologies with optimum multicast forwarding behavior”
“A way to optimize link utilization in my network, through new multi-path algorithms”
“A way to avoid lock-in to a single networking vendor”
“A way to distribute policy/intent, e.g. for DDoS prevention, in the network”
“A way to configure my entire network as a whole rather than individual devices”
“A solution to get a global view of the network – topology and state”
“With SDN I can develop solutions to my problems far faster – “at software speeds”. I don’t have to work with my network vendor or go through lengthy standardization”
SDN – Still Don’t kNow – Stanford Defined Networking. As many people, as many opinions :)
Definitions
https://www.opennetworking.org/images/stories/downloads/white-papers/wp-sdn-newnorm.pdf
“…an open standard that lets researchers run experimental protocols in campus networks, hiding the internal workings of devices from different vendors…”
http://www.openflow.org/wp/learnmore/
“…In the SDN architecture the control plane and the data plane are separated, network intelligence and state are logically centralized, and the underlying network infrastructure is abstracted from the applications…”
The SDN approach is not required for programmable networks or for network automation
OF (OpenFlow) is not required for SDN
Terminology - II
A network architecture in which the control and data planes are separated while network intelligence and control of network state are centralized.
Implementing the ability to abstract the underlying network from the applications that use it [network virtualization].
The concept of using programming interfaces so that external systems can take part in managing network services and monitoring network state.
What Cisco customers ask about. Cisco Customer Focus Group, SDN Survey, Dec ‘13
[Chart: three panels rated by importance level (0–100%): “Main problems”, “What matters?”, “Where does SDN help?”. Items on the chart: IT complexity, security, BYOD, cloud, mobility, big data; visibility & control, end-to-end, real-time; automation, agility, efficiency.]
All the value of SDN lies in solving practical tasks
Programmable networks: evolution of the management architecture
[Diagram: four models, each showing a control plane, a data plane, applications and a proprietary API.]
1 Programmable via APIs: control plane and data plane stay in the device; applications use a proprietary API (example: onePK) alongside CLI, SNMP, …
2a Classic SDN: a controller holds the control plane; applications use the controller’s proprietary API; the controller programs the data plane via OpenFlow.
2b Hybrid “SDN”: the control plane remains on the devices and a controller sits alongside it; applications use a proprietary API (example: onePK); the controller programs the devices via OpenFlow, PCEP, I2RS.
3 Overlays, network virtualization: a virtual control plane and a virtual data plane built with overlay network protocols (VXLAN/VPLS/LISP/…), exposed to applications through a proprietary API.
4 Policy-based management: a policy plane (policy controller, policy server, agent) above the control and data planes; applications use a proprietary API.
OpenStack and network overlays apply to all models (physical/virtual). Custom user functions can be created.
Distributed network protocols work: their reliability and scalability are proven in practice. However, distributed protocols increase the complexity of managing and understanding the network. The policy-based model keeps them in the network but uses a controller to mask the complexity.
Network behaviour is defined by the network administrator…
Comparison of approaches: web development as an example for network management. [Diagram: Web Admin and Network Admin both have direct access to management at the same time (WWW / NETWORK); alongside: Web Dev, GUI, WWW Network, WWW Admin, Network Admin, Controller.]
Focus on What?, not on How?
2005 Power Technologist
2010 Application Developers
2013 Non Technical Users
2014 Intent Networking
2015 Partial Automation
2018 Self Healing
Abstraction, using an ordinary security policy as an example
Conventional model: WHAT? «Security policy for branch A». HOW? «Change the access lists on the specified elements…». Both are the admin’s task.
ACI policy: WHAT? «Security policy for branch A» is the admin’s task. HOW? «Change the access lists on the specified elements…» is handled by APIC EM through the Northbound API.
ACI abstracts system management and uses programming at the policy level
Policy → a way to simplify through abstraction
SDN – management architecture: flexible «programmable» interfaces
[Diagram: infrastructure – controller – business applications]
• A new model of abstracting the network environment from applications
• A choice of protocols/APIs for interaction between the layers
• Network intelligence and network management are centralized
• A network architecture close to other IT systems
• CLI • SNMP • Web UI • NETCONF • XML • onePK • OpenStack
• Web UI • YANG • REST API
Cisco Intent Policy Management
Intent Policies → High Level Constructs → Translation → Network Control Functions (QoS, ACL, Configuration)
Translating high-level constructs into network functions as a way to close the gaps in the interaction between the business application environment and the network environment.
Tasks for SDN: automating network management, combining management domains
Classic SDN
• Custom traffic processing (analytics, encryption)
• Routing by arbitrary criteria (SLA, cost, delay, etc.)
• Deploying consistent network policies, security policies and intrusion prevention methods
• Combining different infrastructure control points (DC-WAN-LAN, Virtual-Physical, Layer 1-3, IaaS+VPN)
• Network virtualization, building service chains
• Virtualization of network services (NfV)
Result – a quickly adaptable IT infrastructure.
Automating network management and the configuration of physical and virtual devices
Different functions for different consumers
[The same list of tasks as on the previous slide, mapped to two consumer roles.]
Network service developer: creating new network functions and modifying existing ones.
Application developer, system administrator, network infrastructure operator: using the new network functionality and integrating it with new or existing software systems (application software and management software).
More about APIC-EM
Policy-based management: Application Centric Infrastructure (ACI)
Introduced in November 2013 in the Application Policy Infrastructure Controller (APIC) product. Originally developed for the data center. Now the ACI policy is being developed for use in enterprise networks.
The missing element is a controller that can manage policies across different management domains.
APIC architecture
[Diagram: APIC controls the Data Center; APIC EM controls WAN and Access. Layers: Network Aware Applications (Security, Collaboration, Orchestration, Services, IoE) → API → Controllers (DC controller policy, ENT controller policy) → Infrastructure → Endpoints.]
DC = CAMPUS/WAN? DC = ENT: the strategic direction is unification of policies.
[Diagram: DC controller and ENT controller, each with an API and a policy; Application Intent and User Intent share a Common Namespace.]
APIC-EM
Previously the ENG controller. FCS – first half of 2015.
Built-in functions – ACL management, Network Policy Deployment/Compliance Check, QoS mgmt, Network Topology Visualization, ZTD.
Applications – iWAN, Security, Collaboration (TBD) – planned for 2015.
Uses CLI. Platforms (FCS) – ASR, ISR, CSR, Catalyst product line.
Monetization – through applications.
APIC-EM: problem statement
Automating manual network operations procedures
Network visualization, object-oriented interface
Support for the existing installed base – no need to replace hardware or software
Key applications – QoS management, ACL management, Zero Touch Deployment, IWAN support; a measurable effect from deployment (OPEX, ROI)
Elasticity of the service infrastructure – capacity can be grown as adoption proceeds
Automatic translation from the high-level language of business tasks into network instructions
Extended analytics – for fast reaction to changes in real time
APIC-EM architecture
[Diagram: APIC EM applications (QoS Visualizer, ZTD Visualizer, ACL Visualizer, Advanced Topology Visualizer, IWAN; Day 0 / Day 1 applications) → REST APIs → APIC EM services (Inventory and Topology, Identity and Location, Application Awareness, Policy Translation, Policy Management, Analysis and Compliance, Network Infrastructure Management, Automated Provisioning; services for Day 0 / Day 1 applications) → Controller Infrastructure with the APIC EM Service Abstraction Layer (SAL) and elastic services for horizontal scaling → CLI to the devices. Less programming of routine tasks.]
APIC-EM services and applications
[Diagram of the APIC-EM Controller; service groupings as far as they can be recovered from the slide layout.]
Basic services: NIB (Network Information Base), DAS, REST API, Inventory, Topology, Discovery, Statistics Manager, NetFlow Collector, Network Events, Legacy Support Services.
User identity helper services: pxGrid client + LDAP client, AD client + LDAP client, RADIUS proxy + LDAP client.
Application identity helper services: Application Visibility.
Policy creation services: Policy Manager, Policy Engine, Business Intent to Network Intent Conversion, Conflict Detection and Resolution (BI and NI).
Policy analysis services: QoS Compliance, ACL Analysis, Compliance Check.
Policy helper services: Network Programmer, Policy Programmer (QoS, ACL), Network Tapping, Easy QoS, ZTD.
IWAN Services: IWAN (PfR, WaaS).
APIC-EM apps: Inventory Visualizer, Topology Visualizer, Application Visualizer, Easy QoS Visualizer, ACL Visualizer, ZTD, Network Tapping Visualizer, Network Discovery.
Network: Catalyst, ASR, ISR, WLC.
wolfgang@cisco.com, wriedel@cisco.com © 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public
APIC-EM Service Architecture Detail
[Diagram: several VMs, each running a Grapevine Client with a Service Monitor and Download Manager, and service instances (Topology, Inventory, Policy Manager, Identity Manager, DAS, …) linked through the GV Lib and communicating via RPC. Grapevine Root: Service Manager, Capacity Manager, Load Monitor, Service Catalog. Common services: Message Bus/MQ, Data Store, AuthNZ/Auth, Load Balancer/Reverse Proxy, Tasks/Events, ODL/MD-SAL with CLI, onePK and OF plugins. GV logs, audits, configs, images, NE & service data. Network elements … Network element.]
APIC-EM - Policy Infrastructure
APIC-DC Policy Model Recap: EPGs and Contract
[Diagram: the App EPG consumes a contract that the DB EPG provides; the contract carries the filters HTTP, MSSQL and MySQL.]
Filter: a named collection of L4 port ranges
- HTTP = [TCP],[80, 443]
- MSSQL = [UDP],[1433-1434]
- MySQL = [TCP],[3306, 25565]
ACI Model will be extended for APIC EM utilization
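To make the recap concrete, here is an added example (not APIC or APIC-EM code) that models EPGs, contracts and filters in Python and evaluates whether a flow between two EPGs is permitted. The three filters are the ones from the slide; the contract name, the EPG names, the parser for the slide’s `[TCP],[80, 443]` notation and the simplification that traffic is allowed only from a consumer EPG towards a provider EPG are assumptions made for the example.

```python
"""ACI-style policy model (EPGs, contracts, filters): added example.

Constructed illustration, not APIC/APIC-EM code. The filter definitions
mirror the ones on the slide (HTTP, MSSQL, MySQL); contract and EPG names
and the consumer->provider direction rule are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class FilterEntry:
    """One L4 match: a protocol plus an inclusive port range."""
    protocol: str          # "TCP" or "UDP"
    port_from: int
    port_to: int

    def matches(self, protocol: str, port: int) -> bool:
        return self.protocol == protocol and self.port_from <= port <= self.port_to


@dataclass
class Filter:
    """Named collection of L4 port ranges, e.g. HTTP = [TCP],[80, 443]."""
    name: str
    entries: List[FilterEntry]

    def matches(self, protocol: str, port: int) -> bool:
        return any(e.matches(protocol, port) for e in self.entries)


@dataclass
class Contract:
    """A contract bundles filters; consumers reach providers through it."""
    name: str
    filters: List[Filter]


@dataclass
class EPG:
    name: str
    provides: Set[str] = field(default_factory=set)   # contract names
    consumes: Set[str] = field(default_factory=set)   # contract names


def parse_filter(name: str, spec: str) -> Filter:
    """Parse the slide notation '[TCP],[80, 443]' or '[UDP],[1433-1434]'.
    Each comma-separated element is a single port or a 'lo-hi' range."""
    proto_part, ports_part = spec.split("],[")
    protocol = proto_part.strip("[ ").upper()
    entries = []
    for item in ports_part.strip("] ").split(","):
        item = item.strip()
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-"))
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {item!r} in filter {name}")
        entries.append(FilterEntry(protocol, lo, hi))
    return Filter(name, entries)


def is_allowed(src: EPG, dst: EPG, contracts: Dict[str, Contract],
               protocol: str, port: int) -> Optional[str]:
    """Return the name of the contract that permits src -> dst for this
    protocol/port, or None. A flow is permitted only when the source EPG
    consumes a contract the destination EPG provides and one of that
    contract's filters matches; anything else falls to the implicit deny."""
    for cname in sorted(src.consumes & dst.provides):
        if any(f.matches(protocol, port) for f in contracts[cname].filters):
            return cname
    return None


# Constructed sample data mirroring the slide's App/DB picture.
FILTERS = {
    "HTTP": parse_filter("HTTP", "[TCP],[80, 443]"),
    "MSSQL": parse_filter("MSSQL", "[UDP],[1433-1434]"),
    "MySQL": parse_filter("MySQL", "[TCP],[3306, 25565]"),
}
CONTRACTS = {"db-access": Contract("db-access", [FILTERS["MSSQL"], FILTERS["MySQL"]])}
APP = EPG("App", consumes={"db-access"})   # assumed names
DB = EPG("DB", provides={"db-access"})

if __name__ == "__main__":
    for proto, port in (("TCP", 3306), ("UDP", 1434), ("TCP", 22)):
        print(f"App -> DB {proto}/{port}: {is_allowed(APP, DB, CONTRACTS, proto, port)}")
```

Because the model has no rule that covers DB → App or App → DB on TCP/22, those flows return `None`, which is the implicit deny the later slides ask about.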
APIC-EM Policy Construct
Network Users: • User-identifier (tenant/user) • Application • Device Type • Location
Resources: • User-identifier (tenant/user) • Application • Device Type • Location
Actions: • Permit • Deny • Copy • Monitor • Redirect (L3, L4, L7) • No copy • No redirect
Action Properties: • Priority Level • Resource Level • Experience Level • Trust Level • Destination • Sample Rate
Policy Properties: • Policy Creator • Policy Name • Policy Scope • Policy Priority • Policy Time: Start Time, End Time, Hard timeout, Idle timeout, recurrence
Event Triggers
• High Level Business Intent Policies
• Automatically converted to Network Language
• Conflict Detection and Resolution
• Extensible
• Supports different patterns of policies: Access Policies; Event – Condition – Action
• Includes Collections (Ex: a group of userids, a group of applications, etc.)
• Choose custom tags for policies
• Choose multiple attributes in each category
APIC DC + ENT: Our Vision for a Common Policy Intent Framework
[Diagram: DC controller and ENT controller, each with an API and a policy; Application Intent and User Intent meet in a Common Namespace for Business Intent.]
APIC-EM Modifications for Enterprise Use Cases
• Accommodation for groups – every EP is part of multiple groups in real life – groups are sometimes overlapping – groups could be defined from multiple context attributes
• Finer-grain access – involves a combination of consumer EP attributes and producer EP – implies overlapping rules. Resolution TBD
• Contract extensions – need to extend contracts to include DPI-based applications/groups – need a rich set of actions such as Permit, Monitor, Permit with Warning, etc. – actions include additional rule profiles such as IPS profile, file-filter profile, QoS profile, etc.
• Question about implicit deny: explicit ‘permit’ action vs. explicit ‘deny’ action
APIC-EM Model Extensions
[Diagram: a Circumstance is composed of context parameters – Identity (Groups, Users), Location (Sub-location), Host (Network Object-group, Network Object), URL (Categories, URLs), Posture, Device-type (Groups).]
• The model has been extended with hierarchies to cover enterprise use cases: EPGs can contain EPGs; Contracts can contain Contracts; Circumstances can contain Circumstances
• Context parameters are required to represent enterprise use cases: Circumstances
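The overlapping groups and the explicit permit/deny question raised on the “Modifications for Enterprise Use Cases” slide, together with the hierarchical EPGs and circumstances above, are illustrated by the following added example (not APIC-EM code). It expands nested groups, selects the policies whose circumstance is satisfied by the request context, flags a conflict when top-priority policies disagree, and falls back to implicit deny when nothing matches. The group names, the context attributes and the “highest policy priority wins” tie-break are assumptions.

```python
"""Hierarchical groups, overlapping membership and conflict detection.

Added example, not APIC-EM code. Group names, the circumstance attribute
set and the 'highest priority wins' tie-break are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass
class Group:
    """An endpoint group that may contain endpoints and other groups."""
    name: str
    members: Set[str] = field(default_factory=set)     # endpoint ids
    subgroups: Set[str] = field(default_factory=set)   # names of nested groups


def expand(group: str, groups: Dict[str, Group],
           seen: Optional[Set[str]] = None) -> Set[str]:
    """All endpoints reachable through the group hierarchy (cycle-safe)."""
    seen = set() if seen is None else seen
    if group in seen:
        return set()
    seen.add(group)
    g = groups[group]
    members = set(g.members)
    for sub in g.subgroups:
        members |= expand(sub, groups, seen)
    return members


@dataclass(frozen=True)
class Policy:
    name: str
    user_group: str
    resource_group: str
    circumstance: FrozenSet[str]   # context attributes required; empty = any
    action: str                    # "permit" or "deny"
    priority: int                  # higher value wins


def applicable(user: str, resource: str, context: Set[str],
               policies: List[Policy], groups: Dict[str, Group]) -> List[Policy]:
    """Every policy whose user and resource groups (transitively) contain the
    endpoints and whose circumstance is satisfied by the request context."""
    return [p for p in policies
            if user in expand(p.user_group, groups)
            and resource in expand(p.resource_group, groups)
            and p.circumstance <= context]


def detect_conflicts(matches: List[Policy]) -> List[Policy]:
    """Policies at the highest matching priority whose actions disagree.
    Overlapping groups are what makes this possible; disagreement at a lower
    priority is already ordered away and is not reported."""
    if not matches:
        return []
    top = max(p.priority for p in matches)
    tier = [p for p in matches if p.priority == top]
    return tier if len({p.action for p in tier}) > 1 else []


def decide(user: str, resource: str, context: Set[str],
           policies: List[Policy], groups: Dict[str, Group]) -> str:
    """'permit', 'deny' (explicit or implicit), or 'conflict'."""
    matches = applicable(user, resource, context, policies, groups)
    if not matches:
        return "deny"            # implicit deny: no policy covers the request
    if detect_conflicts(matches):
        return "conflict"        # surface it instead of guessing
    return max(matches, key=lambda p: p.priority).action


# Constructed sample: a user in two overlapping groups, nested resource groups.
GROUPS = {
    "Employees": Group("Employees", subgroups={"Finance", "Contractors"}),
    "Finance": Group("Finance", members={"alice"}),
    "Contractors": Group("Contractors", members={"alice", "bob"}),
    "Internal": Group("Internal", members={"wiki-01"}, subgroups={"ERP"}),
    "ERP": Group("ERP", members={"erp-01"}),
}
POLICIES = [
    Policy("employees-internal", "Employees", "Internal", frozenset(), "permit", 10),
    Policy("contractors-no-erp", "Contractors", "ERP", frozenset(), "deny", 20),
    Policy("finance-erp-hq", "Finance", "ERP", frozenset({"location:HQ"}), "permit", 20),
]

if __name__ == "__main__":
    for user, res, ctx in (("bob", "wiki-01", set()), ("bob", "erp-01", set()),
                           ("alice", "erp-01", {"location:HQ"}), ("carol", "erp-01", set())):
        print(user, "->", res, ctx, "=>", decide(user, res, ctx, POLICIES, GROUPS))
```

Alice at HQ is both a contractor (deny) and a finance user (permit) at the same priority, which is exactly the “overlapping rules, resolution TBD” case: the function reports the conflict rather than silently picking one action.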
Groups and Circumstances – functional model
[Diagram: a user EP belongs to a user group and a resource EP to a resource group (both are EP groups); an EP group is consumable and has attached EPs; an EP circumstance is linked through a relator; all relations are n-to-n. APIC-EM extensions are shown alongside the APIC-DC model.]
APIC-EM – Auto Scale Architecture
APIC-EM Grapevine: Why do we need a "Platform for Service Elasticity”?
• In the real world, distributed service behavior is both unpredictable and dissimilar.
• A "one size fits all" approach to service scaling and management lacks the comprehension to manage both the autonomic and bespoke requirements of a service ecosystem.
• Service groups can be managed by monitoring the container (the virtual machine), but events as common as log overflows, memory leaks and runaway processes will quickly fool any system lacking both service introspection and strong policy into generating all of the classic distributed system failure conditions: storms, flaps, unmanaged contention, and deadlocks.
• Additionally, services themselves require support for: – specialized policies for scaling in both directions – inter-instance communication for building quorum and consensus on scale events – unified security for access and authorization – unified model and data views for elements managed by multiple services
• Remember Cacti – Spine – Poller issues?
– output: Time:42.6984 Method:spine Processes:8 Threads:32 Hosts:79 HostsPerProcess:10 DataSources:8985 RRDsProcessed:2616
– Poller[0] Maximum runtime of 58 seconds exceeded. Exiting.
APIC-EM Grapevine: What is Grapevine?
• A PaaS (Platform as a Service) with an associated SDK which SDN developers can use to write their "services" (similar to the Google App Engine or VMware Cloud Foundry model).
– Grapevine's SDK will include client libraries for a set of "common services" (which themselves are under Grapevine control) that service developers can utilize for data persistence, authentication/authorization, tasks, notification, etc.
• A simplified refinement of the PaaS model provided by both Amazon and Google for their cloud services. While you can run any program you like on their IaaS, using the PaaS requires adherence to a framework.
• The major difference is that Grapevine introspects at the service level and autoscales at the VM level rather than breaking scaled resources down to the level of compute, block storage, network, etc.
– Grapevine will be responsible for spinning up instances of the service (leveraging server virtualization to provide on-demand capacity) in the presence of increased load, and likewise spinning down instances in the presence of decreased load.
• It is important to note that Grapevine controls elasticity at the granularity of "services" rather than at the more coarse-grained virtual machine granularity.
• Some advantages of controlling elasticity at the service granularity are:
– Avoids including VM boot up / shutdown time in the time to start / restart a service
– Allows us to better determine whether or not a service is indeed healthy and working as expected, vs. just knowing whether or not a VM is running
– Allows us to better utilize a VM's capacity by running instances of different services within the same VM instance (useful where a given service doesn't fully utilize the capacity of a VM)
– Allows us to perform service-specific monitoring to better determine whether an instance is "under heavy load" (especially in cases where a service's load may not manifest in an increase in CPU/memory/storage IO)
APIC-EM Grapevine: Grapevine, the 20,000-foot view
• With Grapevine you define "service bundles”. Each “service bundle” deployed on Grapevine runs as a separate process.
• Grapevine can deploy a single instance or multiple instances of these services, on the same server or across multiple servers. You can add, remove, start, stop and update these services at runtime without downtime.
• Services can be written in pretty much any programming language (Java, C/C++, Go, Python, Ruby, Perl, Tcl, Bash, etc.) and communicate with each other via remotable APIs based on HTTP, AMQP, Thrift, etc.
• Given this, you can easily deploy services like OSGi within Grapevine.
• Grapevine will monitor the load of these services.
• Grapevine will provide scale for these services: in the presence of increased load, Grapevine will "grow" multiple instances of the services to provide horizontal scale; in the presence of decreased load, Grapevine will "harvest" service instances.
• Grapevine will provide HA for these services. In the presence of software/hardware failures Grapevine will grow replacement service instances to take over the workload of those instances that have failed.
• Grapevine will provide "rolling upgrades" for these services. You can deploy new services, or updates to existing services, to the cloud. Grapevine periodically polls the cloud for updates and downloads and deploys them onto the Grapevine cluster when they're available, with minimal to no downtime.
• Grapevine and APIC-EM are decoupled from a technical perspective. Grapevine is the scale *platform* on which *services* such as those for APIC-EM run.
• A Cisco group that wanted to create a new solution XYZ (completely unrelated to APIC-EM) that needed scale, HA, rolling upgrades, service life-cycle management, etc. could use Grapevine (as long as it adheres to the Grapevine service design requirements) without needing to deploy or use any of the APIC-EM services.
APIC-EM Grapevine: How do Services Scale Horizontally?
Aspects to consider when scaling:
• Location of State
• Method for Scaling (Up / Out)
• Request Routing
• Method for Scaling Down
• Fault Tolerance
• Exposing Services Externally
APIC-EM Grapevine: How Grapevine Helps Services Scale
• Grapevine Common Services – provides a set of “common” services for which Grapevine handles scaling, so that service developers won’t have to:
1. “Remote” data persistence for service state (home-grown DAS: Data Access Service)
2. Reverse proxy / load balancer for HTTP and TCP traffic (haproxy)
3. Authentication and authorization for northbound REST APIs (OpenStack Keystone) -> CAS
4. Message queue (RabbitMQ)
5. Task Service (home-grown)
• Grapevine Scale Policies – provides a way for service developers to define when to add more (scale-up) / remove (scale-down) instances of a service
– Policies are based on the aggregated scale metrics reported by the service’s implementation of Grapevine’s “status” interface
• Grapevine Service Registry – get a list of instances of a given service that are currently running in the grapevine (includes IPs of the VMs currently running the instances)
– Be notified when an instance of a given service joins or leaves the grapevine (includes VM IP of the instance)
– Can be used to help kick off scale up/down/HA logic in services and service-specific routing logic
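As an added illustration of the scale policy and service registry just described (not Grapevine code), the following Python sketch aggregates one metric from each instance’s status report, applies scale-up and scale-down thresholds with a cooldown so the cluster does not flap between grow and harvest, and notifies registry watchers when an instance joins or leaves. The metric name, the thresholds, the VM IPs and the callback signature are assumptions.

```python
"""Scale-policy evaluation over aggregated status metrics: added example.

Constructed illustration of the ideas on the slide; it is not Grapevine
code. Metric names, thresholds, IPs and the watcher signature are assumed.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Callable, Dict, List


@dataclass
class ScalePolicy:
    """Developer-defined thresholds for one service."""
    metric: str              # key reported by the service's "status" interface
    scale_up_above: float    # aggregated value that triggers growing an instance
    scale_down_below: float  # aggregated value that triggers harvesting one
    min_instances: int = 1
    max_instances: int = 8
    cooldown_cycles: int = 2 # evaluation cycles to wait after any change


class Scaler:
    def __init__(self, policy: ScalePolicy):
        self.policy = policy
        # Start "cooled down" so the first evaluation may act.
        self.cycles_since_change = policy.cooldown_cycles

    def aggregate(self, statuses: List[Dict[str, float]]) -> float:
        """Average the chosen metric across all instances' status reports."""
        values = [s[self.policy.metric] for s in statuses if self.policy.metric in s]
        if not values:
            raise ValueError(f"no instance reported {self.policy.metric!r}")
        return mean(values)

    def decide(self, statuses: List[Dict[str, float]]) -> int:
        """Instance-count delta for this cycle: +1 (grow), -1 (harvest) or 0.
        The gap between the two thresholds (hysteresis) plus the cooldown keep
        the service from flapping when load hovers near a threshold."""
        p = self.policy
        self.cycles_since_change += 1
        if self.cycles_since_change <= p.cooldown_cycles:
            return 0
        current = len(statuses)
        load = self.aggregate(statuses)
        delta = 0
        if load > p.scale_up_above and current < p.max_instances:
            delta = 1
        elif load < p.scale_down_below and current > p.min_instances:
            delta = -1
        if delta:
            self.cycles_since_change = 0
        return delta


class ServiceRegistry:
    """Running instances of each service with the VM IP hosting them; watchers
    are told when an instance joins or leaves so they can trigger routing or
    HA logic."""
    def __init__(self) -> None:
        self._instances: Dict[str, Dict[str, str]] = {}
        self._watchers: Dict[str, List[Callable[[str, str, str], None]]] = {}

    def watch(self, service: str, callback: Callable[[str, str, str], None]) -> None:
        self._watchers.setdefault(service, []).append(callback)

    def join(self, service: str, instance_id: str, vm_ip: str) -> None:
        self._instances.setdefault(service, {})[instance_id] = vm_ip
        self._notify(service, "join", instance_id, vm_ip)

    def leave(self, service: str, instance_id: str) -> None:
        vm_ip = self._instances.get(service, {}).pop(instance_id, None)
        if vm_ip is not None:            # unknown instance: nothing to announce
            self._notify(service, "leave", instance_id, vm_ip)

    def instances(self, service: str) -> Dict[str, str]:
        return dict(self._instances.get(service, {}))

    def _notify(self, service: str, event: str, instance_id: str, vm_ip: str) -> None:
        for cb in self._watchers.get(service, []):
            cb(event, instance_id, vm_ip)


if __name__ == "__main__":
    # Constructed run: queue depth climbs, then collapses.
    scaler = Scaler(ScalePolicy("queue_depth", scale_up_above=100, scale_down_below=20,
                                max_instances=3, cooldown_cycles=1))
    registry = ServiceRegistry()
    registry.watch("topology", lambda ev, iid, ip: print(f"{ev}: {iid} @ {ip}"))
    registry.join("topology", "topology-1", "10.0.0.11")  # constructed IP
    for reports in ([{"queue_depth": 150}], [{"queue_depth": 150}] * 2, [{"queue_depth": 5}] * 2):
        print(len(reports), "instances, delta", scaler.decide(reports))
```

Keeping the scale decision in `decide()` and the membership events in the registry mirrors the slide’s split between scale policies and the service registry: the policy says how many instances are wanted, the registry tells the other services which instances actually exist.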
APIC-EM Grapevine: Grapevine Goals
• Goal: Development – developers can concentrate on writing services; Grapevine will handle the scaling…
• Goal: Customer Deployment – the Cisco customer installs the SDN appliance and provides “capacity”; the appliance deploys services on the available capacity to run SDN
APIC-EM Grapevine: Grapevine Services
• Services: Requirements – horizontally scalable – support for rolling upgrades
• Services: Bundles – service bundles are what is deployed by the SDN appliance
APIC-EM Grapevine: Grapevine Components: Services
[Diagram: on the private network, the common services (Data Store, Load Balancer / Reverse Proxy, SAL/PAL, MQ, Tasks / Events, AuthN / AuthZ) alongside SDN Service #1, #2, #3 … #N; UI Applications sit on the public network.]
APIC-EM Grapevine: Grapevine Components: Grapevine
Grapevine Root:
• Service Manager – starts, stops, monitors service instances across Grapevine…
• Capacity Manager – provides on-demand capacity to run services…
• Load Monitor – monitors load / health of services across Grapevine…
• Service Catalog – repository of service bundles that can be deployed on Grapevine nodes…
Grapevine Client:
• Service Monitor – starts, stops, monitors service instances running on a single Grapevine node…
• Download Manager – downloads and deploys service bundles on a Grapevine node…
APIC-EM Grapevine: Grapevine Deployment
[Diagram: two physical hosts. Each runs a virtual machine with the Grapevine Root and further virtual machines with a Grapevine Client plus SDN services and common services (CS); one virtual machine runs a Grapevine Client with the proxy.]
Grapevine Roots run on all physical hosts and are clustered…
Grapevine Clients run in all virtual machines that run services…
APIC-EM Service Upgrades
[Diagram: three physical hosts.] Cisco deploys the new version of a service to the cloud… and service catalogs are updated with the new version…
APIC-EM Service Upgrades (continued)
[Diagram: three physical hosts.] Grapevine automatically deploys the new version of the service…
APIC-EM Grapevine: GV Deployment: Elastic Service Management Framework
• Mandatory requirements: – easy to adopt – low cost of operation – cloud-like user experience
• Goals: – manages a mix of physical / virtual machines – balances service instances between containers – services set elasticity policies – admin sets service priority policy – provides introspection of physical capacity – provides intelligent service routing to ensure optimal utilization – scales automatically into any provided resource – no operational overhead to the user – provides high-scale common services: data, queue, security, etc.
APIC-EM Grapevine GV Deployment: Platform Wide-Geo Deployment
LAN-Local Grapevine Network Control
“Admin Role” Grapevine Policy Generation
Metadata, Policy and Reporting Replication
Cloud Platform: Global Reporting, Backup, DR, Conflict and Split-Brain Resolution
APIC-EM Cloud Connect Support Model
• Modern software uses cloud today
• Controller releases will be incremental (no big releases)
• Partially opt-in and fully auditable
• Core value is seamless, “never-touch-it” upgrade
• Data secured in Cisco cloud
• Single, global reporting system for your networks
• Config, state, and policy backup
• Split-brain resolution
• Push notification to mobile devices
APIC-EM Cloud Platform
APIC-EM applications: what the customer needs
• Use Case: Path Trace One Click Host to Host connection analysis
• Use Case: Traffic Prioritization One Click QoS Policy Enforcement (Easy QoS)
• Use Case: Granular Control Per User Per Application Access Policy Enforcement
• Use Case: Next Generation Security Management Sourcefire and APIC-EM
• Use Case: DDoS Protection: Per User Network Traffic Redirection
• Use Case: Traffic Monitoring Per User Per Application Network Traffic Tapping
• Use Case: IWAN - Smart Routing Automated Provisioning of Routing Paths
• Use Case: Zero Touch Deployment (ZTD) Automated Provisioning and Deployment
Conclusion
The SDN approach makes it possible to focus on the target task of IT for the business – defining policies and business goals (WHAT?)
• SDN controllers translate the requirements into network settings (HOW?)
The controller is the single point for creating policies
• Consistency, prevention of duplicate and conflicting rules
API for exposing network capabilities:
• A method for creating new network functions
• Combining existing capabilities without building a function from scratch
• APIC EM masks the complexity of the network infrastructure
APIC EM is built to work with existing networks
Based on Cisco ASR/ISR/Catalyst
© 2015 Cisco and/or its affiliates. All rights reserved.
Thank you!