Intuit Application Centric ACI Deployment Case Study
Joon Cho, Principal Network Engineer, Intuit
Lawrence Zhu, Solutions Architect, Cisco
CCSACI-2002
Agenda
• Introduction
• Architecture / Principle
• Design
• Rollout
• Key Highlights
• Outlook
• Conclusion
Introduction
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 5CCSACI-2002
Who We Are: Maker of small business software
Who We Are: Company and Business Strategy
• Customer driven innovation
• Heavily focused on cloud and mobile
• Multiple application suites
• Application / developer centric
Who We Are: IT / Network Strategy
• Critical to offer the following features and functions
  • Agility
  • Expose API to end user
  • Allow end user control
  • Infrastructure abstraction
  • Enable East-West traffic growth
Architecture / Principles
Legacy Data Center Design
• North-South traffic pattern applications
• Layer 2 segmentation
• 3-Tier design
• Security classification by trust and execution level
Data Center Network Design Principles
• Application Aware
  • Integrate application and network to interact with event or pattern-driven changes
• Simplified Security
  • Security policies centrally managed and logged
  • Security zones flattened (compliance treated separately)
  • Abstracting the security policies from infrastructure
• Hybrid Cloud capable
  • Ability to leverage the private/public cloud; not tied to a datacenter dependency
  • Location agnostic policy-driven configurations
• Visibility
  • Single dashboard that provides end-to-end visibility around health and performance
• Simplified
  • Migration, ease of operation, associating metadata and associating the policy with the application vs. the infrastructure
• Predictable Performance
  • Consistent, predictable performance
• Flexible
  • Purpose-built modular environments with smaller layer 3 domains allowing for expansion (spine leaf)
• Availability
  • Network resiliency appropriate to the tier and aligned with app resiliency
• Programmable
  • Common workflows via APIs for self-service consumption
Intuit Data Center Architecture - Fabric
[Fabric diagram: spine (S), leaf (L), service leaf (SL) and border leaf (BL) switches over a Fabric Backbone; core (C) and border router (BR) pairs connect to SP1/SP2 MPLS, P2P links and P-Cloud; leaf pods for Service, Storage/Compute and Compliance, with BL pairs repeated x N.]
Selection of ACI
• Evaluated multiple SDN platforms in the market against the design principles:
  • Abstraction of underlying infrastructure
  • Management and visibility of physical infrastructure
  • Compute agnostic (BM / VM)
  • Supporting incumbent hypervisor (vCenter/ESX 5.5 at the time of deployment)
  • Fully supported RESTful API
Design
ACI Fabric Design Overview
[Diagram: Tenant Common with 100+ tenants under RBAC. Default VRF holds App: Prod and App: Pre-Prod, each with Web EPG, App EPG and DB EPG; Compliance VRF holds App: Compliance with Web, App and DB EPGs; Storage VRF holds Storage; Management and External Connectivity are shared.]
• Secure multi-tenancy
• App, Compute and Network Visibility
• DC Operations, DC Automation
• Network Capacity and Bandwidth
• Any Workload, Any VLAN, Any Where
ACI Fabric Design Highlights: Tenants / Contexts
• Application centric multi-tenant approach
  • Tenants, application profiles and EPGs are created based on execution / functional segments
  • Contexts/VRFs and bridge domains (BDs) are created in tenant common for shared external access, and BD subnets can be advertised out through BGP
• Three (3) major contexts/VRFs
  • One for the compliance zone, one for the non-compliance zone, and one for the storage network
• All access in and out of the compliance zone passes through the ASA firewall for stateful access control. Access between EPGs within the compliance zone is controlled by regular contracts/filters
ACI Fabric Design Highlights (cont'd): Bridge Domain / Storage / Contracts
• Fewer bridge domains with larger subnets shared by EPGs from multiple user tenants
  • Decouple BD/IP from application
  • Endpoints can be moved from EPG to EPG without changing their IP addresses
  • Allows ease of application deployment through the app environment lifecycle
• Leveraging unidirectional TCP contracts/filters and vzAny contracts/filters for optimized policy TCAM resource use
  • IP storage vNICs/endpoints and IP storage filers are contained in their own isolated context and take full advantage of vzAny contracts
Network Service Design: Firewall Service Insertion
• ASA with two logical interfaces, one to the compliance context and one to the default context, acts as a router between the two contexts
• Centralized access policy control/configuration through the APIC REST API; the same automation tool configures fabric contracts and ASA ACEs
• Leveraging the dynamic EPG feature in the device package, ACEs can be configured based on EPG name
• L4-L7 service parameters are configured at the application profile level, one centralized place per tenant for configuring and updating service policies
• One main ASA service graph template for all tenants
Inter-Site Access Policy Consistency: ACI Toolkit Application
• Preserving the ACI group-based policy model between sites
  • EPGs stretched for policy extension across fabrics/DCs
  • L3Out ExtEPG in site 2 for each EPG in site 1 and vice versa
  • Dynamically sync endpoints for stretched EPGs between sites
• Using existing L4-L7 service graphs between the DCs
[Diagram: DC#1 and DC#2 connected over an IP network; Web, App and DB EPGs extended between the sites using Layer 3 Out.]
Rollout
How We Did This: Project plan and logistics
• More time allocated for POC than a traditional deployment
  • Four months in the POC lab, one and a half months for the two data center production deployment
• Management support
• Resources from cross functional teams for POC and post-deployment WAR Room
  • Platform team for vCenter / VMM integration
  • Storage team for storage build out
  • Application teams for EPG, contract build out
  • Security team for compliance requirements review
  • Network operations team for monitoring and general operational support
  • Automation team for scripting and integration portal
Production Fabric Deployment: Project plan
• Complete replica of production in the lab
  • Multiple iterations of POC rebuild until the dual data center build
  • Full integration testing of applications during POC
  • Leverage SVS lab for design / scaling verification
• Unenforced mode for initial application on-boarding and validation
• Script to build out production
  • Discovery / registering of switches
  • Deployment of BDs, EPGs, contracts
• Reduced deployment schedule
  • Leveraged scripts
Key Highlights
Automation Tools: Dashboard
• Leverage Graphite tool
• Python based polling script
• Trend data as well as status
Automation Tools: Rango
• Python based
• Subscribing to classes of configuration over websocket
  • e.g. fvAEPg for application end point group
• Leverage separate DB
  • Contract
  • End point profile search
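As an added illustration of the Rango pattern above (example code, not Intuit's tool), the block below consumes APIC websocket push events for the fvAEPg class and keeps a searchable local copy; the URL helper follows the standard APIC subscription flow, the tenant/app/EPG names and push messages are constructed, and no network call is made.

```python
"""Added example, not Intuit's Rango code: keep a local EPG inventory in sync from APIC
websocket push events for fvAEPg. No network calls; the messages below are constructed."""
import json
import re

DN_RE = re.compile(r"^uni/tn-(?P<tenant>[^/]+)/ap-(?P<app>[^/]+)/epg-(?P<epg>[^/]+)$")

# Assumed standard APIC flow: POST /api/aaaLogin.json for a token, open wss://<apic>/socket<token>,
# then GET the class with subscription=yes and refresh the returned subscriptionId periodically.
def subscription_url(apic, mo_class):
    return f"https://{apic}/api/class/{mo_class}.json?subscription=yes"

def apply_event(inventory, message):
    """Apply one push message to an inventory keyed by DN; returns [(status, dn), ...].
    'created' carries full attributes, 'modified' only the changed ones, so merge them."""
    changes = []
    for mo in json.loads(message).get("imdata", []):
        for mo_class, body in mo.items():
            attrs = body["attributes"]
            dn, status = attrs["dn"], attrs.get("status", "")
            if status == "deleted":
                inventory.pop(dn, None)
            else:
                inventory.setdefault(dn, {"class": mo_class}).update(attrs)
            changes.append((status, dn))
    return changes

def search(inventory, tenant=None, app=None):
    """Endpoint-profile search against the local copy instead of querying the APIC."""
    hits = []
    for dn, attrs in inventory.items():
        m = DN_RE.match(dn)
        if m and tenant in (None, m["tenant"]) and app in (None, m["app"]):
            hits.append(attrs.get("name", m["epg"]))
    return sorted(hits)

SAMPLE_EVENTS = [  # constructed: create Web and App, modify Web, delete App
    '{"subscriptionId":["72057594037927936"],"imdata":[{"fvAEPg":{"attributes":{"dn":'
    '"uni/tn-Prod/ap-Shop/epg-Web","name":"Web","pcTag":"32771","status":"created"}}}]}',
    '{"subscriptionId":["72057594037927936"],"imdata":[{"fvAEPg":{"attributes":{"dn":'
    '"uni/tn-Prod/ap-Shop/epg-App","name":"App","pcTag":"32772","status":"created"}}}]}',
    '{"subscriptionId":["72057594037927936"],"imdata":[{"fvAEPg":{"attributes":{"dn":'
    '"uni/tn-Prod/ap-Shop/epg-Web","descr":"owner: cart team","status":"modified"}}}]}',
    '{"subscriptionId":["72057594037927936"],"imdata":[{"fvAEPg":{"attributes":{"dn":'
    '"uni/tn-Prod/ap-Shop/epg-App","status":"deleted"}}}]}',
]

def replay(events=SAMPLE_EVENTS):
    """Replay a sequence of push messages into a fresh inventory and return it."""
    inventory = {}
    for msg in events:
        apply_event(inventory, msg)
    return inventory
```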
Automation Tools: Loom
• Python based
• Standard tool to deploy contract (ACL), EPG, and static binding
• No direct access to APIC GUI
  • Network team only for exceptions
• Series of validations
• Service chained to CMDB and change request
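The Loom workflow above, as an added example that is not Intuit's code: a request is validated (names, role, VLAN, port, leaf path and an approved change-request id, whose CHG format is an assumption) before the contract, EPG and static-binding payloads are rendered for the APIC REST API; the tenant and object names are constructed.

```python
"""Added example, not Intuit's Loom code: validate a deployment request and render APIC JSON
payloads for a contract (ACL), an EPG and a static binding. Names and id formats are constructed."""
import re

NAME_RE = re.compile(r"^[A-Za-z0-9_.:-]{1,64}$")                 # assumed conservative naming rule
PATH_RE = re.compile(r"^topology/pod-\d+/(proto)?paths-[\d-]+/pathep-\[.+\]$")
TICKET_RE = re.compile(r"^CHG\d{6}$")                              # assumed CMDB change-request id

def validate(req):
    """Series of checks run before anything is pushed to the APIC; returns a list of errors."""
    errors = []
    for key in ("tenant", "app", "epg", "bd", "contract"):
        if not NAME_RE.match(str(req.get(key, ""))):
            errors.append(f"{key}: missing or invalid name")
    if req.get("role") not in ("provider", "consumer"):
        errors.append("role: must be provider or consumer")
    for key, upper in (("vlan", 4094), ("port", 65535)):
        if not isinstance(req.get(key), int) or not 1 <= req[key] <= upper:
            errors.append(f"{key}: must be an integer 1-{upper}")
    if not PATH_RE.match(str(req.get("path", ""))):
        errors.append("path: not a leaf interface path")
    if not TICKET_RE.match(str(req.get("change_id", ""))):
        errors.append("change_id: approved change request required")
    return errors

def contract_payload(req):
    """vzFilter with one TCP destination-port entry, referenced by a vzBrCP subject."""
    fname = f"{req['contract']}-tcp-{req['port']}"
    return {"fvTenant": {"attributes": {"name": req["tenant"]}, "children": [
        {"vzFilter": {"attributes": {"name": fname}, "children": [
            {"vzEntry": {"attributes": {"name": f"tcp-{req['port']}", "etherT": "ip", "prot": "tcp",
                                        "dFromPort": str(req["port"]), "dToPort": str(req["port"])}}}]}},
        {"vzBrCP": {"attributes": {"name": req["contract"]}, "children": [
            {"vzSubj": {"attributes": {"name": "tcp", "revFltPorts": "yes"}, "children": [
                {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": fname}}}]}}]}}]}}

def epg_payload(req):
    """fvAEPg under its application profile: BD relation, contract relation, static path."""
    rel = "fvRsProv" if req["role"] == "provider" else "fvRsCons"
    return {"fvAp": {"attributes": {"name": req["app"]}, "children": [
        {"fvAEPg": {"attributes": {"name": req["epg"]}, "children": [
            {"fvRsBd": {"attributes": {"tnFvBDName": req["bd"]}}},
            {rel: {"attributes": {"tnVzBrCPName": req["contract"]}}},
            {"fvRsPathAtt": {"attributes": {"tDn": req["path"], "encap": f"vlan-{req['vlan']}",
                                            "mode": "regular"}}}]}}]}}

def render(req):
    """Loom-style entry point: refuse to render until validation is clean; returns {url: body}."""
    errors = validate(req)
    if errors:
        raise ValueError("; ".join(errors))
    tn = f"/api/mo/uni/tn-{req['tenant']}"
    return {f"{tn}.json": contract_payload(req), f"{tn}/ap-{req['app']}.json": epg_payload(req)}
```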
Network Changes - Legacy vs Fabric Change Rate
[Chart: number of network changes per month, Oct-15 through Apr-16, Legacy vs Fabric; y-axis from 0 to 3500.]
Network Changes - Manual vs Automated Automation Rate
[Chart: Automated Network Changes - ACI Fabric vs Legacy; Non-Fabric Automated vs Fabric Automated percentage per month, Jan-16 through Jun-16; y-axis from 0% to 120%.]
Customer Testimony from BU Leaders
“On top of that, many network tasks that are required can now be automated or executed directly from my team leading to even more efficiency. This again saves us days waiting for a central network team to complete our requests.”
“The most important gain for us is in the Contract vs ACL difference. Though it requires some initial setup that is comparable to our legacy environments, all subsequent deployments into an application automatically have the necessary network access. This means a savings of anywhere from 1 to 7 days or more on every deployment, depending on size and complexity. We can provision a server in a matter of minutes, execute post-provisioning via Chef, and hand it off to the requesting business unit in a matter of hours instead of days.”
Outlook
Future Plan: Plans and projection
• Expansion of existing fabric
  • 196 more leafs within the next 18 months
  • More BUs / applications
• Upgrade of APIC to leverage new features
  • Ingress-only policy
  • SGT (security tag) based policy on ASA
  • Distributed / software based load balancing
  • Micro-segmentation of fabric
Challenges
ACI Network Design: Technical challenges
• Understanding ACI as a programmatic approach vs a legacy network device
• Multi-Fabric and contract enforcement
  • Inter-site tool
• Compatibility with legacy
  • How to handle contract to legacy ACL mapping - IP group, security tag
• Operational learning curve
  • Engage Cisco services as early as possible
• TCAM
  • Scale test revealed a potential resource constraint in the border leaf
  • Added new pairs of border leafs and policy based routing
Conclusion
Conclusion: Key Takeaways
• Leverage programmability and automation
  • Team members who know REST and scripting
• Planning is the key
  • Application team and platform team integration and input from the beginning of the design stage
  • Must fully understand the application traffic flow
  • Spend enough time in the lab and POC to understand ACI
• Joint project planning with the Cisco team is a must
  • Work closely with the Cisco AS team; leverage Cisco Solution Validation Services (SVS)
Thank you