Cisco APIC-EM – реализация концепции SDN в корпоративных...

Денис Коденцев Инженер-консультант, CCIE [email protected]

Cisco APIC-EM – реализация концепции SDN в корпоративных сетях 03.2015 CELC

© 2014 Cisco and/or its affiliates. All rights reserved.

План доклада

В этой презентации будет рассмотрена реализация идеи SDN в решениях Cisco для корпоративных сетей, сделан обзор APIC EM.

© 2014 Cisco and/or its affiliates. All rights reserved. 2

Network Function Virtualization (2013)

Software Defined Networking (2012)

Cloud (2008)

Open Daylight Project (2013)

Application Policy Infrastructure Controller (2014)

Industry trends


“A platform for developing new control planes”

“An open solution for VM mobility in the Data-Center”

“An open solution for customized flow forwarding control in the Data-Center”

“A means to do traffic engineering without MPLS”

“A way to scale my firewalls and loadbalancers”

“A solution to build a very large scale layer-2 network”

“A way to build my own security/encryption solution, avoiding RSA”

“A way to reduce the CAPEX of my network

and leverage commodity switches”

“A way to define virtual networks with specific topologies for my multi-tenant Data-Center”

“A means to scale my fixed/mobile gateways and optimize their placement”

“A solution to build virtual topologies with optimum multicast forwarding behavior”

“A way to optimize link utilization in my network, through new multi-path algorithms”

“A way to avoid lock-in to a single networking vendor”

“A way to distribute policy/intent, e.g. for DDoS prevention, in the network”

“A way to configure my entire network as a whole rather than individual devices”

“A solution to get a global view of the network – topology and state”

“With SDN I can develop solutions to my problems far faster – “at software speeds”. I don’t have to work with my network

vendor or go through length standardization”

SDN – Still Don’t kNow – Stanford Defined Networking Сколько людей – столько и мнений J

Определения


https://www.opennetworking.org/images/stories/downloads/white-papers/wp-sdn-newnorm.pdf

“…открытый стандарт, который позволяет исследователям запускать экспериментальные протоколы в кампусных сетях, маскируя внутреннюю работу устройств разных производителей…”

http://www.openflow.org/wp/learnmore/

“…В архитектуре SDN разделены уровень управления и уровень данных, интеллект сети и ее состояние логически централизованы, и базовая сетевая инфраструктура абстрагирована от приложений…”

SDN подход не обязателен для программируемых сетей и для сетевой автоматизации

OF не обязателен для SDN

Терминология - II

6

Архитектура сети, в которой разделены уровни управления и передачи данных и при этом интеллект сети и контроль ее состояния централизованы Реализация возможности абстрагирования нижележащей сети от использующих сеть приложений [сетевая виртуализация] Концепция использования программных интерфейсов для участия внешних систем в управлении сетевыми сервисами и мониторинге состояния сети

О чем спрашивают заказчики Cisco Customer Focus Group, SDN Survey, Dec ‘13

Основные проблемы Что имеет значение?

В чем помогает SDN?

0% 100% Уровень важности 0% 100% 0% 100%

Вся польза от SDN – в реализации практических задач

Сложность IT Безопасность

BYOD Cloud

Мобильность Big Data

Visibility & Control, End-to-End Real-time

Automation Agility

Efficiency

Уровень важности Уровень важности


Плоскость управления

Плоскость Передачи данных

Контроллер

Плоскость передачи данных

Приложения

Частный API

OpenFlow

2a Классические SDN

Частный API (пример: onePK)




Частный API

OpenFlow, PCEP, I2RS


2b Гибридные “SDN” Приложения

Виртуальное управление

Виртуальная плоскость ПД

Оверлейные сетевые протоколы (.VXLAN/VPLS/LISP/…)

Частный API

3 Оверлеи, сетевая виртуализация



Частный API


1 Программируемые через APIs





Openstack и сетевые оверлеи применимы ко всем моделям (физическим/ виртуальным). Возможно создание специальных польз. функций

CLI, SNMP, …

Программируемые сети Развитие архитектуры управления

Частный API


4 Управление на основе политик



Контроллер политик

Плоскость политик

Сервер политик

Агент

Подтвержденные практикой надежность и возможности масштабирования

Распределенные сетевые протоколы работают

Распределенные сетевые протоколы работают

?

Распределенные протоколы увеличивают сложность управления/понимания

!!

!

Однако

Но использует контроллер

для маскирования сложности

Сеть

Поведение сети определяет сетевой администратор…

WWW СЕТЬ

Web Admin

Network Admin

Сравнение подходов Оба админа имеют прямой доступ к управлению одновременно

Web Dev GUI

WWW Network

WWW Admin

Network Admin

Controller

Абстрагирование от сложности Пример для сетевого управления - Web -разработка

Фокус на Что? И не на Как?

2005 Power Technologist

2013 Non Technical Users

2010 Application Developers

2014 Intent Networking

2018 Self Healing

2015 Partial Automation

Абстрагирование на примере обычной политики безопасности

Обычная модель

ЧТО? «Политика

безопасности для филиала А»

КАК? «Изменить списки

доступа на указанных

элементах…»”

ЧТО? «Политика

безопасности для филиала А»

КАК?

Политика ACI Задача админа

Задача админа

Northbound API

APIC EM

Политика ACI

ACI абстрагирует системное управление и использует программирование на уровне политик

«Изменить списки доступа на указанных

элементах…»”

Policy à способ упрощения за счет абстракции

Инфра- структура


Бизнес приложения

u  Новая модель абстракции сетевой среды от приложений

u  Есть выбор протоколовl/API для взаимодействия уровней

u  Интеллект сети и управление сетью централизованы

u  Архитектура сети, близкая к другим системам ИТ

SDN – архитектура управления Гибкие «программируемые» интерфейсы

•  CLI •  SNMP •  Web UI •  NETCONF •  XML •  onePK •  Openstack

•  Web UI •  YANG •  REST API

Intent Policies

High Level Constructs

Translation

Network Control Functions

QoS ACL Configuration

Трансляция высокоуровневых конструкций в сетевые функции – как способ сократить пробелы во

взаимодействии между средой бизнес-приложений и сетевой

средой

Cisco Intent Policy Management

Задачи для SDN Автоматизация управления сетью, объединение доменов управления

17

Классика SDN

Пользовательская обработка трафика (аналитика, шифрование)

Маршрутизация по произвольным критериям (SLA, стоимость,

задержка, и т.д.)

Внедрение последовательных сетевых политик, политик безопасности и методик предотвращения вторжений

Объединение различных точек управления инфраструктурой (DC-‐WAN-‐LAN, Virtual-‐Physical, Layer-‐1-‐3, IaaS+VPN)

Сетевая виртуализация, построение сервисных последовательностей

Виртуализация сетевых сервисов (NfV)

Результат – создание быстро адаптируемой ИТ инфраструктуры.

Автоматизация сетевого управления и настройки физических и виртуальных

устройств

Разные функции для разных потребителей

18

Пользовательская обработка трафика (аналитика, шифрование)

Маршрутизация по произвольным критериям (SLA, стоимость, задержка…)

Внедрение последовательных сетевых политик, политик безопасности и методик предотвращения вторжений

Объединение различных точек управления инфраструктурой (DC-‐WAN-‐LAN, Virtual-‐Physical, Layer-‐1-‐3, IaaS+VPN)

Сетевая виртуализация, построение сервисных последовательностей

Виртуализация сетевых сервисов (NfV)

Результат – создание быстро адаптируемой ИТ инфраструктуры.

Автоматизация сетевого управления и настройки физических и виртуальных устройств

Разработчик сетевых сервисов

Разработчик Приложений, Системный Администратор, Оператор Сетевой Инфраструктуры

Создание новых и модификация существующих

сетевых функций

Использование новой функциональности сети и интеграция с новыми или существующими программными системами (прикладное ПО и ПО для

управления)

Подробнее об APIC-EM

20.03.15


Управление на основе политик: Application Centric Infrastructure (ACI)

Появилась в ноябре 2013 в продукте Application Policy Infrastructure Controller (APIC) Первоначально разработана для ЦОД Сейчас – развитие политики ACI для использования в корпоративных сетях

Недостающий элемент – контроллер, который может управлять политиками применительно к разным доменам управления

Архитектура APIC

APIC APIC EM

Data Center WAN Access

Controllers

Infrastructure

Network Aware Applications

Endpoints

SECURITY COLLABORATION ORCHESTRATION SERVICES IoE

API API

DC - Controller Policy ENT - Controller Policy

DC = CAMPUS/WAN?

DC = ENT Стратегическое направление – унификация политик

DC - Controller ENT - Controller

API API

Policy Policy

Application Intent User Intent

Common Namespace

APIC-EM

Ранее - ENG контроллер FCS – первая половина 2015 года. Встроенные функции – ACL management, Network Policy Deployment/Compliance Check, QoS mgmt, Network Topology Visualization, ZTD. Приложения – iWAN, Security, Collaboration (TBD) –планы на 2015 Использует CLI. Платформы (FCS) – ASR, ISR, CSR, Catalyst product line Монетизация – за счет приложений

20.03.15


APIC – EM Постановка задачи

Автоматизация ручных процедур эксплуатации сети

Визуализация сети, объектно-ориентированный интерфейс

Поддержка существующей инсталлированной базы– без необходимости замены оборудования и ПО

Ключевые приложения – для управления QoS, ACL, реализация Zero Touch Deployment, поддержка IWAN, измеримый эффект от внедрения (OPEX, ROI)

Эластичность сервисной инфраструктуры – возможность наращивания мощности по мере внедрения

Автоматическая трансляция с высокоуровневого языка бизнес-задач в сетевые инструкции

Расширенная аналитика – для быстрого реагирования на изменения в реальном времени

Архитектура APIC-EM

Эластичные Сервисы APIC EM Service Abstarction Layer (SAL)

REST APIs

Сервисы APIC EM

Inventory and Topology

Identity and Location

Application Awareness

Policy Translation

QoS Visualizer

Policy Management

ZTD Visualizer

ACL Visualizer

Controller Infrastructure

CLI

Advanced Topology Visualizer

Automated Provisioning

ПриложенияAPIC EM

Analysis and Compliance

Network Infrastructure Management

Для горизонтального

масштабирования

Сервисы для приложений Day 0/ Day 1

Приложения Day0 / Day 1

Меньше программирования

типовых задач

IWAN

APIC-EM Controller

NIB

DAS

REST API

Pxgrid Client + LDAP client

AD Client + LDAP client

Radius Proxy + LDAP client

Inventory

Topology

QoS Compliance

ACL Analysis

Statistics Manager

NetFlow Collector

ZTD

Application Visibility

User Identity Helper Services

Application Identity Helper Services

Basic Services

Policy Creation Services

Policy Helper Services

Network Information Base

Legacy Support Services Inventory Visualizer

APIC

-EM

Ser

vice

s AP

IC-E

M A

pps

Topology Visualizer

Application Visualizer

Discovery

NETWORK - Catalyst, ASR, ISR, WLC

Easy QoS Visualizer

Network Discovery

Network Programmer

Policy Programmer (QoS, ACL)

Network Tapping

Easy QoS

Network Events

Compliance Check

ACL Visualizer ZTD

Network Tapping

Visualizer

Policy Engine

Conflict Detection and Resolution

(BI and NI)

Business Intent to Network Intent

Conversion

Policy Manager Policy Analysis Services

APIC-EM Сервисы и приложения

IWAN (PfR, WaaS)

IWAN Services

wol

fgan

g@ci

sco.

com

[email protected] © 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public

wol

fgan

g@ci

sco.

com

wrie

del@

cisc

o.co

m

VM

VM VM

VM VM

Message Bus /MQ

Data Store

AuthNZ/Auth

ODL/ MD-SAL

CLI Plugin

OnePK Plugin

OF Plugin

Tasks/Events

Grapevine Root Service

Manager Capacity Manager

Load Monitor Service Catalog

Topology

GV Lib

Load Balancer/Reverse Proxy

Inventory

GV Lib

Grapevine Client

Service Monitor

Download Manager

VM

Policy Manager

GV Lib

Network Element

Network Element

Network Element

… Network Element

APIC-EM Service Architecture Detail

GV Logs, Audits, Configs,

Images, NE & Service Data

Grapevine Client

Service Monitor

Download Manager

Identity Manager

GV Lib … …

Grapevine Client

… DAS …

RPC

Grapevine Client

GV Lib GV Lib GV Lib GV Lib

Grapevine Client

GV Lib

APIC-EM - Policy Infrastructure

wol

fgan

g@ci

sco.

com


wol

fgan

g@ci

sco.

com

wrie

del@

cisc

o.co

m

Consumes App DB

Contract

DB Contract MSSQL MySQL HTTP:

Provides

EPG EPG

Filter Named collection of L4 port ranges - HTTP = [TCP],[80, 443] - MSSQL = [UDP],[1433-1434] - MySQL = [TCP],[3306, 25565]

ACI Model will be extended for APIC EM Utilization

APIC-DC Policy Model Recap: EPGs and Contract

wol

fgan

g@ci

sco.

com


wol

fgan

g@ci

sco.

com

wrie

del@

cisc

o.co

m

Actions Action Properties

•  User-identifier (tenant/user) •  Application •  Device Type •  Location

•  Permit •  Deny •  Copy •  Monitor •  Redirect (L3, L4, L7) •  No copy •  No redirect

•  Priority Level •  Resource Level •  Experience Level •  Trust Level •  Destination •  Sample Rate

Resources

•  User-identifier (tenant/user) •  Application •  Device Type •  Location

Network Users

•  Policy Creator •  Policy Name •  Policy Scope •  Policy Priority •  Policy Time:

•  Start Time •  End Time •  Hard timeout •  Idle timeout •  recurrence

Policy Properties

Event Triggers

•  High Level Business Intent Policies •  Automatically converted to Network Language •  Conflict Detection and Resolution •  Extensible •  Supports different patterns of policies:

•  Access Policies •  Event – Condition – Action •  Includes Collections (Ex: a group of userids, a group of applications, etc.) •  Choose custom tags for policies •  Choose multiple attributes in each category

APIC-EM Policy Construct

wol

fgan

g@ci

sco.

com


wol

fgan

g@ci

sco.

com

wrie

del@

cisc

o.co

m

APIC DC + ENT Our Vision for a common policy Intent framework

DC - Controller ENT - Controller

API API

Policy Policy

Application Intent User Intent

Common Namespace for

Business Intent

wol

fgan

g@ci

sco.

com


wol

fgan

g@ci

sco.

com

wrie

del@

cisc

o.co

m

APIC-EM Modifications for Enterprise Use cases

•  Accommodation for Groups –  Every EP is part of multiple groups in real-life –  Groups are sometimes overlapping –  Groups could be defined from multiple context-attributes

•  Finer grain access –  involves combination of consumer EP attributes and producer EP –  implies overlapping rules. Resolution TBD

•  Contract extensions –  Need to extend contracts to include DPI-based application/groups. –  Need rich set of actions such as Permit, Monitor, Permit with Warning, etc. –  Actions include additional rule profiles such as: IPS-profile, File-filter-profile, QOS-profile etc.

•  Question about implicit deny: q explicit ‘permit’ action q explicit ‘deny’ action

wol

fgan

g@ci

sco.

com


wol

fgan

g@ci

sco.

com

wrie

del@

cisc

o.co

m

APIC-EM Model extensions

Circumstance

Identity

Groups

Users

Location

Sub-location

Host

Network Object-group

Network Object

URL

Categories

URLs

Posture Device-type

Groups

•  It has been extended to add hierarchies to model enterprise use cases : •  EPGs can contain EPGs •  Contracts can contain Contracts •  Circumstances can contain Circumstances

•  Context Parameters are required to represent enterprise use case: Circumstances

wol

fgan

g@ci

sco.

com


wol

fgan

g@ci

sco.

com

wrie

del@

cisc

o.co

m

Groups and Circumstances functional

group

consumable

attached ep

group

user ep

User group

ep circumstance

resource ep

resource group ep group

relator

n

n

n

n n

APIC-EM extensions

APIC-DC

APIC-EM – Auto Scale Architecture

wol

fgan

g@ci

sco.

com


wol

fgan

g@ci

sco.

com

wrie

del@

cisc

o.co

m

APIC-EM Grapevine Why do we need a "Platform for Service Elasticity”? •  In the real world, distributed service behavior is both unpredictable and dissimilar.

•  A "one size fits all" approach to service scaling and management lacks the comprehension to manage both the autonomic and bespoke requirements of a service ecosystem.

•  Service groups can be managed by monitoring the container (the virtual machine), events as common as log overflows, memory leaks, and runaway processes will quickly fool any system lacking both service introspection and strong policy into generating all of the classic distributed system failure conditions: storms, flaps, unmanaged contention, and deadlocks.

•  Additionally, services themselves require support for: –  specialized policies for scaling in both directions –  inter-instance communication for building quorum and consensus on scale events –  unified security for access and authorization –  unified model and data views for elements managed by multiple services

•  Remember Cacti – Spine – Poller issues? –  output: Time:42.6984 Method:spine Processes:8 Threads:32 Hosts:79 HostsPerProcess:10 DataSources:8985 RRDsProcessed:2616

–  Poller[0] Maximum runtime of 58 seconds exceeded. Exiting.

37

wol

fgan

g@ci

sco.

com


wol

fgan

g@ci

sco.

com

wrie

del@

cisc

o.co

m

APIC-EM Grapevine What is Grapevine? •  Is a PaaS (Platform as a Service) with an associated SDK with which SDN developers can use to write their

"services" (similar to a Google AppEngine or VMware Cloud Foundry model). –  Grapevine's SDK will include client libraries for a set of "common services" (which themselves are under Grapevine control) that service

developers can utilize for data persistence, authentication/authorization, tasks, notification, etc. •  Is a simplified refinement of the PaaS model provided by both Amazon and Google for their cloud services. While you

can run any program you like on their IaaS, using the PaaS requires adherence to a framework. •  The major difference is that Grapevine introspects at the service level and autoscales at the VM level rather than

breaking scaled resources down to the level of compute, block storage, network, etc. –  Grapevine will be responsible for spinning up instances of the service (leveraging server virtualization to provide on-demand capacity) in

the presence of increased load, and likewise, spin down instances in the presence of decreased load.

•  It is important to note that Grapevine controls elasticity at the granularity of "services" rather than at the more coarse-grained, virtual machine granularity.

•  Some advantages of controlling elasticity at the service granularity are: –  Avoids including VM boot up / shutdown time in the time to start / restart a service –  Allows us to better determine whether or not a service is indeed healthy and is working as expected vs just knowing whether or not a VM

is running or not –  Allows us to better utilize a VM's capacity by running instances of different services within the same VM instance (useful in the case where a

given service doesn't fully utilize the full capacity of a VM) –  Allows us to perform service-specific monitoring to better determine whether an instance is "under heavy load" (especially in cases where

a service's load may not manifest in an increase in cpu/memory/storage IO)

38

wol

fgan

g@ci

sco.

com


wol

fgan

g@ci

sco.

com

wrie

del@

cisc

o.co

m

APIC-EM Grapevine Grapevine, the 20,000 foot view

39

•  With Grapevine you would define "service bundles”. Each “service bundle” deployed on Grapevine runs as a separate process. •  Grapevine can deploy a single instance of these services or multiple instances of these services, on the same server or across

multiple servers. You can add, remove, start, stop, update these services at runtime without downtime •  Services can be written in pretty much any programming language (Java, C/C++, Go, Python, Ruby, Perl, Tcl, Bash, etc) and would

communicate with each other via remote able APIs based on HTTP, AMQP, Thrift, etc. •  Given this, you can easily deploy services like OSGi within Grapevine •  Grapevine will monitor the load of these services •  Grapevine will provide scale for these services

•  In the presence of increased load, Grapevine will "grow" multiple instances of the services to provide horizontal scale. •  In the presence of decreased load, Grapevine will "harvest" service instances

•  Grapevine will provide HA for these services. In the presence of software/hardware failures Grapevine will grow replacement service instances to take over the workload of those instances that have failed

•  Grapevine will provide "rolling upgrades" for these services. •  You can deploy new services, or updates to existing services to the cloud. •  Grapevine would periodically poll the cloud for updates and would download and deploy them onto the Grapevine cluster

when they're available with minimal to no downtime. •  Grapevine and APIC-EM are de-coupled from a technical perspective.

Grapevine is the scale *platform* on which *services* such as those for APIC-EM run •  Cisco groups wanted to create a new solution XYZ (that was completely unrelated to APIC-EM) that needed scale, HA, rolling-

upgrades, service life-cycle management, etc... could use Grapevine (as long as they adhere to the Grapevine service design requirements) without needing to deploy/use any of the APIC-EM services

wol

fgan

g@ci

sco.

com


wol

fgan

g@ci

sco.

com

wrie

del@

cisc

o.co

m

APIC-EM Grapevine How do Services Scale Horizontally?

40

Aspects to Consider When Scaling •  Location of State •  Method for Scaling (Up / Out)

•  Request Routing

•  Method for Scaling Down •  Fault Tolerance

•  Exposing Services Externally

wol

fgan

g@ci

sco.

com


wol

fgan

g@ci

sco.

com

wrie

del@

cisc

o.co

m

APIC-EM Grapevine How Grapevine Helps Services Scale

41

•  Grapevine Common Services –  Provides a set of “common” services for which Grapevine

handles scaling, so that service developers won’t have to: 1.  “Remote” data persistence for service state

(home grown DAS: Data Access Service) 2.  Reverse proxy / load balancer for HTTP and TCP traffic

(haproxy) 3.  Authentication and Authorization for northbound REST APIs

(Openstack Keystone) -> CAS 4.  Message queue

(RabbitMQ) 5.  Task Service

(home grown)

•  Grapevine Scale Policies –  Provides a way for service developers to define

when to add more (scale-up) / remove (scale-down) instances of a service

–  Policies are based on the aggregated scale metrics reported by the service’s implementation of Grapevine’s “status” interface

•  Grapevine Service Registry –  Get a list of instances of a given service that are

currently running in the grapevine (includes IPs of the VMs currently running the instances)

–  Be notified when an instance of a given service joins or leaves the grapevine (includes VM IP of the instance)

–  Can be used to help: –  kick off scale up/down/HA logic in services –  service-specific routing logic

wol

fgan

g@ci

sco.

com


wol

fgan

g@ci

sco.

com

wrie

del@

cisc

o.co

m

APIC-EM Grapevine Grapevine Goals

42

•  Goal: Development –  Developers can concentrate on writing services –  Grapevine will handle the scaling…

•  Goal: Customer Deployment –  Cisco customer installs SDN appliance and provides

“capacity” –  Appliance will deploy services on available capacity to

run SDN

wol

fgan

g@ci

sco.

com


wol

fgan

g@ci

sco.

com

wrie

del@

cisc

o.co

m

APIC-EM Grapevine Grapevine Services

43

•  Services: Requirements –  Horizontally scalable –  Support for rolling upgrades

•  Services: Bundles –  Service bundles are what are deployed by the SDN

appliance

wol

fgan

g@ci

sco.

com


wol

fgan

g@ci

sco.

com

wrie

del@

cisc

o.co

m

APIC-EM Grapevine Grapevine Components: Services

Private Network

Common Services

SDN Service #1

Data Store

Load Balancer / Reverse Proxy

SDN Service #2

SDN Service #3

SDN Service #N …

SAL/PAL MQ Tasks / Events

Public Network

AuthN / AuthZ

UI Applications

wol

fgan

g@ci

sco.

com


wol

fgan

g@ci

sco.

com

wrie

del@

cisc

o.co

m

APIC-EM Grapevine Grapevine Components: Grapevine

Grapevine Root

Grapevine Client

Service Manager

Load Monitor

Capacity Manager

Service Catalog

Service Monitor

Download Manager

Starts, stops, monitors service instances across Grapevine…

Provides on demand capacity to run services…

Monitors load / health of services across Grapevine…

Repository of service bundles that can be deployed on Grapevine nodes…

Starts, stops, monitors service instances running on a single Grapevine node…

Downloads and deploys service bundle on Grapevine node…

wol

fgan

g@ci

sco.

com


wol

fgan

g@ci

sco.

com

wrie

del@

cisc

o.co

m

APIC-EM Grapevine Grapevine Deployment:

Physical Host

Virtual Machine

Grapevine Root

Virtual Machine

Grapevine Client

SDN Service CS

… Virtual Machine

Grapevine Client

SDN Service SDN

Service Service

Physical Host

Virtual Machine

Grapevine Root

Virtual Machine

Grapevine Client

SDN Service SDN

Service Service

Virtual Machine

Grapevine Client Proxy

Grapevine Root runs on all physical hosts and are clustered…

Grapevine Clients run in all virtual

machines that run services…

wol

fgan

g@ci

sco.

com


wol

fgan

g@ci

sco.

com

wrie

del@

cisc

o.co

m

Physical Host Physical Host Physical Host

Cisco deploys new version of service to the cloud…

… and service catalogs are updated with new version…

APIC-EM Service Upgrades

wol

fgan

g@ci

sco.

com


wol

fgan

g@ci

sco.

com

wrie

del@

cisc

o.co

m

Physical Host Physical Host Physical Host

Grapevine automatically deploys the new version of the service…

APIC-EM Service Upgrades

wol

fgan

g@ci

sco.

com


wol

fgan

g@ci

sco.

com

wrie

del@

cisc

o.co

m

APIC-EM Grapevine GV Deployment: Elastic Service Management Framework

•  Mandatory Requirements: –  Easy to adopt –  Low cost of operation –  Cloud-like user experience

•  Goals: –  Manages mix of physical / virtual machines –  Balances service instances between containers –  Services set elasticity policies –  Admin sets service priority policy –  Provides introspection of physical capacity –  Provides intelligent service routing to ensure optimal utilization –  Scales automatically into any provided resource –  No operational overhead to user –  Provides high-scale common services - data, queue, security, etc

wol

fgan

g@ci

sco.

com


wol

fgan

g@ci

sco.

com

wrie

del@

cisc

o.co

m

APIC-EM Grapevine GV Deployment: Platform Wide-Geo Deployment

LAN-Local Grapevine Network Control

“Admin Role” Grapevine Policy Generation

Metadata, Policy and Reporting Replication

Cloud Platform: Global Reporting, Backup, DR, Conflict and Split-Brain Resolution

wol

fgan

g@ci

sco.

com


wol

fgan

g@ci

sco.

com

wrie

del@

cisc

o.co

m

APIC-EM Cloud Connect Support Model •  Modern software uses cloud today

•  Controller releases will be incremental (no big releases)

•  Partially opt-in and fully auditable

•  Core value is seamless, “never-touch-it” upgrade

•  Data secured in Cisco cloud

•  Single, global reporting system for your networks

•  Config, state, and policy backup

•  Split-brain resolution

•  Push notification to mobile devices

APIC-EM Cloud Platform

wol

fgan

g@ci

sco.

com


wol

fgan

g@ci

sco.

com

wrie

del@

cisc

o.co

m

Приложения APIC-EM Что требуется заказчику

•  Use Case: Path Trace One Click Host to Host connection analysis

•  Use Case: Traffic Prioritization One Click QoS Policy Enforcement (Easy QoS)

•  Use Case: Granular Control Per User Per Application Access Policy Enforcement

•  Use Case: Next Generation Security Management Sourcefire and APIC-EM

•  Use Case: DDoS Protection: Per User Network Traffic Redirection

•  Use Case: Traffic Monitoring Per User Per Application Network Traffic Tapping

•  Use Case: IWAN - Smart Routing Automated Provisioning of Routing Paths

•  Use Case: Zero Touch Deployment (ZTD) Automated Provisioning and Deployment

Заключение SDN подход дает возможность сфокусироваться на целевой задаче ИТ для бизнеса – задание политик, бизнес-цели (ЧТО?)

§  Контроллеры SDN транслируют требования в сетевые настройки (КАК?) Контроллер – единая точка создания политик

§  Согласованность, предотвращение дубликатов и конфликтов правил API для показа возможностей сети:

§  Метод создания новых сетевых функций, §  Комбинирование существующих возможностей без создания функции с нуля, §  APIC EM – маскирует сложность сетевой инфраструктуры

APIC EM создан для работы с существующими сетями

На основе Cisco ASR/ISR/Catalyst

Cisco APIC-EM – реализация концепции SDN в корпоративных...

Technology

Transcript of Cisco APIC-EM – реализация концепции SDN в корпоративных...