Date posted: 16-Apr-2017 | Category: Technology | Uploaded by: cisco-public-sector
© 2013-2014 Cisco and/or its affiliates. All rights reserved.
DATA CENTER TRANSITIONS – ROAD TO ACI/NEXUS 9K
VM Density and Server I/O: 10G/25G LAN on Motherboard [2]
Big Data: IP Traffic 25% CAGR [4]
"Bare Metal": 30-40% physical servers [1]
Multi-Cloud: ~45% of DC Multi-Hypervisor [3]
Sources: 1. Morgan Stanley CIO Survey, 2013; 2. HP; 3. Information Week 2013 Virtualization Mgmt Survey, 2013; 4. Cisco Global Cloud Index Forecast (2013-2017)
Lower TCO | Workload Flexibility | Agility | Compliance/Security
Cisco’s Approach to SDN Providing Choice with Automation and Programmability
Cisco ACI:
• Turnkey integrated solution
• Embedded security, centralized management, and scale
• Automated application centric-policy model
• Broad and deep ecosystem
Programmable Network:
• Modern NX-OS with enhanced NX-APIs
• Automation Ecosystem (Puppet, Chef, Ansible, etc.)
• Common NX-API across N2K-N9K
Programmable Fabric:
• VxLAN-BGP EVPN standard-based
• Segment Routing with BGP
• 3rd party controller support
• Cisco's VTS / Nexus Fabric Manager for overlay provisioning
Momentum Continues to Grow
6,000+ Nexus 9K and ACI Customers Globally | 50 Ecosystem Partners | 1400+ ACI Customers
NEW ECOSYSTEM
DATA CENTER TRANSFORMATION RESPONSE: BECOME APPLICATION CENTRIC
APPLICATION CENTRIC POLICY MODEL
[Figure: application tiers DB, APP and WEB with ADC and f/w services, mapped by APIC onto Physical Networking, L4–L7 Services, Multi DC WAN and Cloud, Compute, Storage, Hypervisors and Virtual Networking]
Network Automation
APPLICATION CENTRIC POLICY MODEL: BUILDING ON TRANSFORMATIVE APPROACH OF UCS
SYSTEMS APPROACH: Rapid Deployment of Applications with Scale, Security and Full Visibility
1. Subject Matter Experts (Network SME, Security SME, Application SME) Define Policies
2. Policies Used To Create Application Network Profile Templates (APIC)
3. Automated policy configuration across the infrastructure
4. Life cycle management for day 1, day 2 operations
Infrastructure covered: Physical Networking (Nexus 2K, Nexus 7K, Integrated WAN Edge), Compute, L4–L7 Services, Storage, Hypervisors and Virtual Networking, Multi DC WAN and Cloud
APPLICATION CENTRIC POLICY MODEL: SECURITY & MICRO-SEGMENTATION
[Figure: application tiers DB, APP and WEB with ADC and F/W services; workloads on ESX (MGMT, VMOTION), Bare Metal and Linux Container]
ACI integrated security - open, flexible, policy-driven
VLAN = EPG
Application granularity
PHYSICAL & VIRTUAL AGILITY: APP MOBILITY, APP VISIBILITY
[Figure: Tenant Application health view (Latency, Health Score, Isolation, Systems Telemetry) before and after: 25 packets dropped vs. 0 packets dropped]
ACI SECURITY WITH MULTITENANCY: ENABLING A DYNAMIC ENTERPRISE WITHOUT COMPROMISE
• Centralized Compliance and Auditing
• Import / Export Policy via API (Support for External Policy Engines)
• Automated Services Chaining
• Complete Isolation with Full Scalability and Security (tenants such as Engineering, Legal, Sales, HR, Finance, Marketing)
• Policy Separated from Network Forwarding (Policy Engine)
• Encrypted Controller Communication (APIC)
• Advanced Role Based Access Control
Cisco ACI Delivers Flexible, Granular, Consistent Microsegmentation
Three modes: Attributes Based | Intra-EPG Based | EPG Based
Attributes Based Micro-segmentation (VMware VDS, Microsoft Hyper-V, KVM*, Cisco AVS, Physical): workloads are classified on attributes such as OS 'Linux', IP '1.1.1.1' or Name 'Video' and the matching FW policy is applied
ACI Benefits:
• Basic DC Segmentation (PROD / POD / DMZ / SHARED SERVICES)
• Application Lifecycle Segmentation (DEV / TEST / PROD)
• Service Level Segmentation (WEB / APP / DB)
• Network-Centric Segmentation (VLAN 1 / VXLAN 2 / VLAN 3)
Intra-EPG Isolation:
• Application Tier Policy Group: All Workloads Can Communicate
• Application Tier Policy Group: Isolate Workloads within Application Tier
• Quarantine Compromised Workloads: Isolate
Policy Driven Micro-segmentation for Any Workload: VMware VDS, Microsoft Hyper-V, KVM*, Cisco AVS, Physical
*Future
L4-7 PARTNERS ADC AND FIREWALL
[Figure: service profile providers (Firewall instances, Virtual ADC instances) composed into a Service Graph of begin, stage 1 ... stage N, end; the chain "Security 5" is inserted between the Web Server (App Tier A) and the App Server (App Tier B)]
Service Insertion
• CENTRAL CONTROL POINT FOR NETWORK AND L4-7 SERVICES
• PHYSICAL & VIRTUAL APPLIANCES
• VISIBILITY, ANALYTICS, FORENSICS
• AUTOMATE COMPLIANCE, CENTRALIZED AUDIT
L4-7 Services Partners (APIC)
ASIC Portfolio For Nexus 3000/9000
1st Gen Switches: 2013–2015 (40nm, 28nm): Merchant: Trident T2; Merchant + Cisco: ASE, ALE
2nd Gen Switches: 2016+ (28nm, 16nm): Merchant: Tomahawk, Trident 2+; Merchant + Cisco: LSE, ASE2
Scale
• Route/ Host tables
• Encap normalization
• EPG/ SGT/ NSH
Telemetry
• Analytics
• Atomic Counters
Optimization
• Smart Buffers
• DLB/ Flow Prioritization
Driving Innovation to Deliver Choice: Next-Gen Nexus 9K Portfolio With Cloud Scale Technology
• 25G at Price of 10G; 100G at Price of 40G (2.5x Bandwidth at Same Price)
• Cloud Scale Technology: Up to 12x Scale of Competition
• Embedded Security, Analytics, and Telemetry at 100G Wire Rate
• Open Choices for SDN and Network Automation
Nexus 9000 Migration Flexibility: SCALE, PERFORMANCE, INVESTMENT PROTECTION
CY13-15: 40G ACI Spine; 40G NX-OS Agg.; 10G Server Access; 10G/40G FEX Agg.
CY15/16+: Unified 40/50/100G; 10G/25G/40G/50G Server Access; 10G/40G/100G FEX Agg.
• Convergence of ACI Spine and NX-OS Aggregation in one line card
• Flexible path from 40G to 100G
• Larger route tables and buffers (Cisco ASIC)
• Density with Choice (144x10G, 144x25G, 72x50G per card)
• Analytics/ Netflow* support (Cisco ASIC)
• High Density Designs: Up to 72p fixed w/ Cisco ASIC
* Hardware Ready, check software roadmap for enablement timelines
Nexus 9000 Cisco Cloud Scale Technology
Scale: 5x host scale (750k vs. 120k); 15x IPv6 routes (384k vs. 20k); 2x MAC address scale (512 vs. 288k)
Price/Performance: 25G at the cost of 10G; 100G at the cost of 40G
Visibility: Flow-let based congestion detection; Per-flow Visibility (5x of NetFlow v9)
Security: Any Encap (VXLAN, MPLS); VxLAN single-pass
Multi-Speed: 10/25/40/50/100G w/ investment protection
Network Automation – Zero Touch Provisioning
• Automated Topology Discovery
• Plug & Play Device Attach
• Automated Image Management
• Policy Based Upgrade
• Automated Fabric Configuration and Addressing
150 Nodes Deployed, < 1 Hour - Large Service Provider
Network Automation - Enterprise Software Company
L4-L7 Services Automation: Automated Addition/Removal of ACL rules when an Application is Created/Deleted
Automation delivers better security - Denial log will help us see what type of traffic is hitting the policy
Automation - Dynamic Endpoint Attachment helps identify new host detection and assignment to the right EPG
16X Reduction in Access Lists: Many Data Center customers use multiple firewalls and it's hard for them to keep up with ACL changes
ACI SOLVES REAL CUSTOMER CHALLENGES
• Reduce Network Provisioning
• 58% Reduce Management Costs
• 21% Reduce Power and Cooling Costs
• 45% CAPEX Reduction
• 25% Compute and Storage Optimization
• 10 – 20%
Benefit areas: Greater Business Agility | Lower Capital Expenses | Reduced Costs / Complexity | Lower Operating Cost | Resource Optimization
Customer Needs | VXLAN Delivered
Any workload anywhere – VLANs limited by L3 boundaries | Any Workload anywhere - across Layer 3 boundaries
VM Mobility | Seamless VM Mobility
Scale above 4k Segments (VLAN limitation) | Scale up to 16M segments
Secure Multi-tenancy | Traffic & Address Isolation
[Figure: VXLAN Overlay spanning five VTEPs]
Barrier for Scaling out Large Data Centers and Cloud Deployments (flood-and-learn VXLAN overlay)
LIMITED SCALE: Flood and learn (BUM) - Inefficient Bandwidth Utilization; Resource Intensive – Large MAC Tables
LIMITED WORKLOAD MOBILITY: Centralized Gateways – Traffic Hairpinning; Sub-Optimal Traffic Flow
[Figure: VXLAN Overlay spanning five VTEPs]
Breaking the VXLAN Fabric Scale Barriers: VXLAN Fabric with BGP-EVPN Control Plane
INCREASED SCALE: Eliminates Flooding; Conversational Learning; Policy-Based Updates
OPTIMIZED MOBILITY: Distributed Anycast Gateway
INTEROPERABLE: Standards Based BGP-EVPN VXLAN
OPERATIONAL FLEXIBILITY: Layer 2 or Layer 3; Controller Choice
[Figure: BGP-EVPN VXLAN Overlay; five VTEPs as BGP Peers of two Route Reflectors]
[Figure: VTEPs connecting Local LAN segments across an IP Transport Network; each LAN Segment is identified by a VXLAN VNI]
Underlay Network:
• IP routing – proven, stable, scalable
• ECMP – utilize all available network paths
Overlay Network:
• Standards-based overlay
• Layer-2 extensibility and mobility
• Expanded Layer-2 name space
• Scalable network domain
• Multi-Tenancy
VXLAN building blocks:
Overlay services: Layer-2; Layer-3; Layer-2 + Layer-3
Tunnel Encapsulation over the underlay transport network
Control Plane:
• Peer discovery mechanism
• Route learning and distribution mechanism (local learning, remote learning)
Data Plane:
• Overlay L2/L3 Unicast traffic
• Overlay Broadcast, Unknown (Layer-2) traffic, Multicast traffic (BUM traffic) forwarding
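The tunnel encapsulation and the VNI-based tenant isolation behind the "4k VLANs vs. 16M segments" and "Traffic & Address Isolation" points above, as an added example that is not part of the Cisco deck: it builds and parses the RFC 7348 VXLAN header over UDP (outer IP and Ethernet headers omitted), and the receiving side accepts a frame only if its VNI is one this VTEP was provisioned for. The inner frame, the UDP source port and the VNI values are constructed for the example.

```python
import struct

VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN destination port (RFC 7348)
VXLAN_FLAG_I = 0x08     # "I" flag in the first header byte: VNI field is valid
VNI_COUNT = 1 << 24     # 24-bit VNI: 16,777,216 segments vs. the 12-bit VLAN ID

# Constructed inner Ethernet frame: dst MAC, src MAC, EtherType 0x0800, dummy payload
INNER_FRAME = (bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
               + b"\x08\x00" + b"tenant-A payload")

def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1), per RFC 7348."""
    if not 0 <= vni < VNI_COUNT:
        raise ValueError("VNI must fit in 24 bits")
    return bytes([VXLAN_FLAG_I, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"

def encapsulate(inner_frame: bytes, vni: int, src_port: int = 49152) -> bytes:
    """Sending VTEP: UDP header + VXLAN header + the original L2 frame.
    A real VTEP derives src_port from a hash of the inner headers so the
    underlay's ECMP spreads flows; a fixed constructed value is used here."""
    udp_len = 8 + 8 + len(inner_frame)
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)  # checksum 0
    return udp + vxlan_header(vni) + inner_frame

def decapsulate(datagram: bytes, provisioned_vnis: set) -> tuple:
    """Receiving VTEP: validate the headers, then enforce tenant isolation by
    accepting only VNIs this VTEP was provisioned for; anything else is dropped."""
    if len(datagram) < 16:
        raise ValueError("truncated VXLAN datagram")
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", datagram[:8])
    if dst_port != VXLAN_UDP_PORT or udp_len != len(datagram):
        raise ValueError("not a well-formed VXLAN datagram")
    if not datagram[8] & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag clear: VNI not valid")
    vni = int.from_bytes(datagram[12:15], "big")   # 3 VNI bytes after 4 flag/reserved bytes
    if vni not in provisioned_vnis:
        raise PermissionError(f"VNI {vni} not provisioned on this VTEP: dropped")
    return vni, datagram[16:]

def round_trip(vni: int, provisioned_vnis: set) -> tuple:
    """Encapsulate INNER_FRAME on vni and decapsulate it at a VTEP holding provisioned_vnis."""
    return decapsulate(encapsulate(INNER_FRAME, vni), provisioned_vnis)

if __name__ == "__main__":
    print(round_trip(10100, {10100, 10200}))   # (10100, INNER_FRAME)
```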