Cisco ACI - революционная концепция сетевой … · Cisco Cisco ACI -...

Cisco

Cisco ACI -

Simplify IT

Viktor Podkorytov

Consulting Systems Engineer

[email protected]

+380 44 3913600

mailto:[email protected]

Cisco Confidential 2 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Cisco ACI

Cisco MS

ACI SP

Cisco Confidential 3 ©2014 Cisco and/or its affiliates. All rights reserved.

ACI

CIO CISO

• • • IT •

• • • •

• • • •

TCO

ACI

CEO


IT

IT

: IT

Cloud


Pace of Change Disruptions Opportunity

Cisco

Модель Бизнеса

Модель Сервиса

Операционная Модель

Модель Управления

Модель Потребления

ЭТО ВСЕ О ПРИЛОЖЕНИЯХ…

WEB ЭКОНОМИКА APP ЭКОНОМИКА

ЧАСТНЫЙ/

ТРАДИЦИОННЫЕ

IT СЕРВИСЫ

ИНФРАСТРУКТУРА

КАК СЕРВИС

РАЗРАБОТКА VS.

ЭКСПЛУАТАЦИЯ

УСТРОЙСТВО-

В ЦЕНТРЕ

ОБЛАЧНЫЕ

СЕРВИСЫ

ПРИЛОЖЕНИЕ

КАК СЕРВИС

DEV OPS

INTEGRATION

ПРИЛОЖЕНИЕ –

В ЦЕНТРЕ

TODAY FUTURE


.

. ACI .

“И Слон может танцевать”.

Nexus ACI IT


DC

Традиционная

СЕТЕВАЯ

МОДЕЛЬ

SDN МОДЕЛЬ

НОВОЕ ПОКОЛЕНИЕ

2

HW -

Software-Based Network Virtualization

APP-CENTRIC INFRASTRUCTURE

СЕТЬ КОРОБОК

Applications Drive Development Network


Cisco 9k/ACI

2,665+ Nexus 9K & ACI

Customers Globally

585+ APIC Customers

APIC

APPLICATION

COMPUTE NETWORK

CLOUD

STORAGE SECURITY

35 Ecosystem Partners


(ACI)

ЯЗЫК ПРИЛОЖЕНИЙ КОНТРОЛЛЕР NEXUS 9500, 9300

ACI

* Group-based security policy = includes physical and virtual, from Cisco and 3rd party, with embedded white-list security filtering. Superset of micro-segmentation


: Application Centric Infrastructure

+

+ +

.+

=


IT

• Application Tier Policy and Dependencies

• Security Requirements

• Service Level Agreement

• Application Performance

• Compliance

• Geo Dependencies

• VLAN

• IP Address

• Subnets

• Firewalls

• Quality of Service

• Load Balancer

• Access Lists


?

: VM 1.

: ACL) 2.

:

3.

OUTSIDE

WEB APP DB CRM APP

ADC F/W

ADC

Contract Contract


• ACI

WEB APP

1. where app lives in physical net

2.

3.

4. -

5.

6. QoS

7. Repeat every time app moves or needs more capacity

ACI


Контроллер

APIC

Nexus 9000

Сервера

Physical & Virtual

Physical Networking

Nexus 2K

Nexus 7K

Hypervisors and Virtual Networking

Compute L4 L7 Services

Storage Multi DC WAN and Cloud

Integrated WAN Edge

Сетевой Профиль

Приложения

L3 IP VXLAN 40Gb Fabric


SP

1 MILLION IPV4 / IPV6 END POINTS

64,000 TENANTS

ПОРТЫ

APIC

55296 44652 35860 27648 22584 18632 13824 11592 8598 6912 5260 4854 3456 2268 1286 288

8K MULTICAST GROUPS (PER LEAF)

60 TBPS CAPACITY (PER SPINE)


: Gb - MM

Экономия при переходе на 40G

(99% DC)

10G 40G 40G BiDi Optics

40G Over 10G Multimode Fiber


ACI Zero Trust

TRUST BASED ON LOCATION (Traditional DC Switch)

1 4 2 3

ZERO TRUST ARCHITECTURE (Nexus 9000 with ACI)

EPG 1

“WEB”

EPG 2

“APP”

1 2 3 4

Whitelist policy = Explicitly configured ACI contract between EPG 1 and EPG 2 allowing traffic between their members ACI architecture allows flexible EPG membership, enabling wide range of security policies


ACL / Firewall

•

•

• -

•

L4-7 Device Package

•

APIC

App Security Policy

Cisco ASA / ASAv и т.п.


Design it

Procure it

Install it

Configure it

Secure it

Is it ready?

Architect it

Design it

Is procured

Is installed

Is configured

Is secured

It is ready

Architect it

ACI Policy Driven

ARCHITECT DESIGN COMPUTE Service Request SERVICES SECURITY NETWORK

Application Available ARCHITECT DESIGN

Service Request

Application Available

QA it


ACI: Cisco IT

open standards approach makes ACI even stronger. We

delivered everything we expected, and

Nik Weidenbacher Principal Engineer, SunGard

open, future-proofed data center architecture that can continue to grow as we enhance client

Chuck Crane

Network and Security Architect, Axciom (Transitioning from AWS to Private Cloud)

This will enable Telstra to deliver service agility, security and performance that our customers expect

Erez Yarkoni

Executive Director, Telstra

10-20%

58%

21%

45%

25%

CAPEX

CAPEX

/

PEX

Source: Cisco IT


ACI

»

VM


OPEN SOURCE

OPEN STANDARDS

OPEN INTERFACES

OpFlex NSH VXLAN

JSON XML

WITH ADVANCED SECURITY

Auditing

Policy

RBAC

Encryption

Tenant Isolation

+

OpFlex REST

Cisco APIC

Cisco

OPERATION DESIGN

OPERATION DESIGN

OPERATION DESIGN

VLAN / EPG

/ /

EPG

/ /

VLAN / EPG

2

1

3


QoS?

TENANT APPLICATION

Latency

Isolation

Systems Telemetry

0 Packets dropped

Health Score

Latency

Health Score

Isolation

Systems Telemetry 25 Packets

dropped

0 0 0 7 0 0 0 6


InterCloud

Secure Connection

AP

P F/W L/B

WE

B L/B DB APP

F/W ADC WEB ADC DB

AP

P F/W L/B

WE

B L/B APP

F/W ADC WEB ADC

AP

P F/W L/B

WE

B L/B APP

F/W ADC WEB ADC

AP

P F/W L/B

WE

B L/B APP

F/W ADC WEB ADC

IT

APIC


, ,


OPEN SOURCE

OPEN STANDARDS

OPEN INTERFACES

OpFlex NSH VXLAN

JSON XML

WITH ADVANCED SECURITY

Auditing

Policy

RBAC

Encryption

Tenant Isolation

+

OpFlex REST


- Tom Edsall, CTO Insieme Networks

Cisco

ACI L4-L7

ASA

Citrix

F5

A10

Embrane

Check Point

Fortinet

Juniper SRX

Kemp

Palo Alto Networks

Radware

Riverbed

Symantec

Cisco

“Users” “Files”

Интеллектуальная Фабрика ACI

Logical Endpoint

Groups by Role

Heterogeneous clients, servers,

external clouds; fabric controls

communication

Every device is one hop away,

microsecond latency, no power or

port availability constraints, ease of

scaling

ГИБКОСТЬ ПОДКЛЮЧЕНИЯ

ACI Controller manages all

participating devices, change

control and audit capabilities

СЕТЕВЫЕ L4-L7

СЕРВИСЫ

Fabric Port Services

Hardware filtering and bridging;

seamless service insertion, “service

farm” aggregation

«ПЛОСКАЯ» СЕТЬ ЦОД

Full abstraction, de-coupled

from VLANs and Dynamic

Routing, low latency, built-in

QoS

ЦЕНТРАЛИЗОВАННОЕ

УПРАВЛЕНИЕ

Cisco

Service Producers EPG “Users” EPG “Files”

Leaf Nodes

Spine Nodes

ACI ФАБРИКА

EPG “Internet”

Virtual Leaf

Service Consumers

APPLICATION CENTRIC INFRASTRUCTRE (ACI)

Service Consumer

Cisco

“Users” “Files”

КОНТРАКТ

“Users → Files”

ACI Fabric

ГРУППЫ ОБЪЕКТОВ

Any endpoints anywhere within

the fabric, virtual or physical

ВХОДЯЩЕЕ ACL из

КОНТРАКТА

Hardware rules on each port, security

in depth, embedded QoS

ФАЕРВОЛ

Security administrator

defines generic templates

in APIC, availed to contract

creation

КОНТРОЛЛЕР

Different administrative

groups use same interface,

high level of object sharing

Application Policy

Infrastructure Controller

(APIC)

КОНТРАКТ

Port-level rules: drop, prioritize, push

to service chain; reusable templates

ACI Прохождение Трафика В соответствии с КОНТРАКТОМ

ВИРТУАЛЬНЫЕ

СЕРВИСЫ

Cisco

EPG

“Web”

Группа объектов “Web”

EPG

“Database”

Subnet Default Gateway

192.168.0.0/24 192.168.0.1

192.168.1.0/24 192.168.1.1

Группа объектов

"Database”

Subnet Default Gateway

10.1.1.0/24 10.1.1.1

Контракт “Web → Database”

Service Actions

TCP/23 Deny

TCP/22 Allow

TCP/1400 Redirect to

“Web → Database”

Any Deny СЕРВИСНАЯ ЦЕПОЧКА

“Web → Database”

Коммуникация между Группами объектов (EPG)

Cisco

ACI

SSL FW

Policy rules, NAT, Inspection IPS

Analyzer

EPG

“Users”

EPG

“Web”

EPG

“Files”

ACI – внедрение цепочки сервисов

Cisco

APIC

Role Based Access Control (RBAC)

УНИФИЦИРОВАННОЕ УПРАВЛЕНИЕ И ВИДИМОСТЬ

APIC

Cisco

ACI Stretched Fabric Design

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/b_kb-aci-stretched-fabric.html

Cisco

ACI

Cisco

Nexus 7000

ACI Fabric

EPG Ext

Граф

EPG Ext

ACI

ASA

EPG Web

Физически Логически

EPG Web EPG DB

ASA Cluster

ASA

ACI , VLAN,

Пример: Инспекция вертикального трафика

Cisco

ASAv

ACI , VLAN, VxLAN

API ASAv

ACI Fabric

Graph

Physical

Logical

EPG Web ACI ASA EPG DB

EPG Web ASAv

standby ASAv active EPG DB

Пример: Инспекция горизонтального трафика

Cisco

192.168.1.1 192.168.1.100 10.1.1.1

172.16.1.1

192.168.100.1

HTTP (TCP/80)

HTTPS (TCP/443)

SSH (TCP/22)

SMTP (TCP/25)

ICMP access-list OUT permit tcp host 192.168.1.1 host 10.1.1.1 eq 80

access-list OUT permit tcp host 192.179.1.1 host 10.1.1.1 eq 443

[…]

access-list OUT permit icmp host 192.168.1.100 host 192.168.100.1

30 ACL Rules

172.18.20.13



[…]

access-list OUT permit icmp host 172.18.20.13 host 192.168.100.1

15 ACL Rules

45 ACL Rules

Network Admin Security Admin

Add client

172.18.20.13, call

Security Admin to

enable access

Remove client

192.168.1.1, “no other

action necessary”

Add ASA rules for

client

172.18.20.13

Original ASA rules

never change 4

1

2

2

3

4

Servers

Clients

Традиционная модель ASA

Cisco

10.1.1.1

172.16.1.1

192.168.100.1

Servers

192.168.1.1

192.168.1.100

172.18.20.13

HTTP (TCP/80)

HTTPS (TCP/443)

SSH (TCP/22)

SMTP (TCP/25)

ICMP Source EPG

Leaf 1, port 1 Users

Leaf 1, port 10 Users

Destination EPG

Leaf 3, port 2 Servers



Service Action

TCP/80 Redirect, ASA1




ICMP Redirect, ASA1 Leaf 2, port 12 Users

Port Rules

Network Admin

Add client 172.18.20.13,

use standard ASA

template

Remove client

192.168.1.1

Security Admin Create standard

ASA advanced

policy templates in

APIC

Advanced policies,

limited ACL rules

Same 5 port–level

service rules and

actions

ASA1 Clients

ACI MODEL

Cisco

Embrane Confidential © 2014 Embrane, Inc. All Rights Reserved 44

100% software solution

Dedicated, virtual network services per

tenant/application

Embrane or 3rd party services

Elastic Services Manager - Single point of

management and orchestration

Rapid deployment of network services

Designed for automation via full REST

API

Aligned with existing operational models

(no vCenter etc)

Embrane Base Virtual Appliances

3rd Party Virtual Appliances

REST API

Embrane Embrane Embrane Embrane

Partner

Lifecycle Management

Controller Virtualized Server Resources

Cisco


ACI Embrane

Embrane) APIC

Embrane REST API

Embrane Embrane

Ensures near 100% feature coverage

Embrane

Embrane


Cisco

Cisco Cloud Architecture Microsoft

Windows Azure Pack Services

Customer portal Customer portal

Hosting plans

Tenant Mgt Billing

Auto-mation Resource Clouds

Windows Azure Pack Services

Bringing Windows Azure Services to

Windows Server For Hosting Service Providers

Identity Services

Hosted Private Cloud

Desktop Hosting

DR as a Service CRM as a Service

Database Hosting

Cloud Storage as a Service

Physical Networking

Hypervisors and Virtual Networking

Computing L4 L7 Services Storage Multi DC WAN and Cloud

Integrated WAN Edge

Cisco Nexus® 7000 Series

Cisco Nexus 2000 Series

Cloud Service Portals Hyper-Automation Orchestrated Workloads

Library of Application Profiles and Cloud Service Profiles

Centralized Policy Management Open APIs, Open Standards Excellent for DevOps

Industry-Leading 10/40/100-Gbps Programmable Fabric

Infrastructure Endpoints Physical and Virtual

Cisco


Cisco ACI c Azure Pack

Cisco

ACI

Cisco

ACI Infrastructure scalability

- (

) 40 Gb 10Gb - Capex

- 15+,

ACI : 2 Spines (9508) 144 ToRs (9396-PX) 3 APIC Clusters ASR9K for DCI Citrix SDX for Services Insertion NAM UC on UCS

Cisco

• IPTV , - SD

• IT ,

• Customer Relationship Management (CRM)

• Enterprise Resource Planning (ERP)

• Blackberry Enterprise Service (BES), Email, OSS etc.

• HMC • Microsoft Exchange SharePoint

•

• HCS Cisco Business Voice Services (BVS) .

• 2G (EDGE), 3G (HSPA) 4G (LTE) UAE

ACI

Cisco

Cisco

Cisco

ACI

Cisco

Tenant: HMC

Application Network profile

EPGs

Layer3 Network

Fabric

Network Admin

Tenant: IT Corp


EPGs

Layer3 Network

Tenant: IPTV


EPGs

Layer2 Network

Tenant: IOC


EPGs

Layer3 Network

Tenant: Telecom


EPGs

Layer3 Network

Line cards

Fabric

Switch

Ports

Tenant: Shared Internet Security Tools


EPGs

Layer3 Network

ACI

Cisco

, API,

L4-L7

Cisco ACI

Integration of Cisco® Fabric with Windows Azure Pack

10101010

Storage

Computing

Apps Azure pack

Network

Security

SDN

L4-L7

Cisco


:

Software Defined,

.

Thank you.

Date post:	17-Jul-2020
Category:	Documents
Upload:	others
View:	51 times
Download:	0 times

Cisco ACI - революционная концепция сетевой … · Cisco Cisco ACI -...

Documents