BRKACI-1601 Policy Driven Data Centre With ACI

Policy Driven Data Centre with ACI
BRKACI-1601
Chris Gascoigne
Technical Solutions Architect
#clmel
Agenda
• Introduction
• What is policy
• Network policy
• Application policy
• Conclusion
BRKACI-1601 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Public
Introduction
Traditional Data Centre Networking Issues
Lack of agility
• Configuration is complex
• Configuration is error-prone Services Services
L3
• Configuration changes require
careful planning
• Many touch points L3
• Restricted workload placement / L2
mobility
L2
Traditional Networking Issues
Not cost effective
• Expensive hardware in
core/distribution Services Services
L3
• Intelligence/state centralised at
core/distribution
• Big CapEx upgrades required to L3
scale up L2
L2
ACI Changes The Game
A better network
• Simplify the topology
• Self configuring
vPC • Host mobility
• Scale out
vPC • Penalty free fabric
• Cost effective
vPC
ACI Changes The Game
F/W WEB APP DB

ADC
ADC
vPC
vPC Policy
• Centralised provisioning
vPC
• Build policy, not configuration
• Profile driven
• Abstracted from topology, fowarding
• Simplify operations
Imperative Control
• Controller has full intelligence/state
A320-200 commands:
• Controlled entities follow • Turn rudder +5deg left
rules/instructions B737-800 commands: • Set flaps 10%
• Set throttle 30%
• Controller knows how to control all • Turn rudder 30deg left
entity types
• Good for:
– Small systems
– Simple problems
– All controlled entities are the same Dash 8 Q400 commands:
• Decrease throttle by 10%
• Set flaps 20%
Declarative Control
• Controller stores/distributes desired
state Generic commands:
• Ascend to 10,000ft
• Controlled entities receive desired Generic commands: • Set heading 230deg
state and make changes • Taxi to runway 3
• Take off to the west
• Good for:
– Large scale
– Complex problems
– Disparate controlled entities
Generic commands:
• Descend to 1,000ft
• Prepare to land on runway
2 to the west
Declarative vs Imperative
Puppet (declarative) Shell script (imperative)
user { ‘cgascoig’ : #!/bin/bash
ensure => present,
gid => ‘admin’, if ! getent group sysadmin >/dev/null
} then
echo "Group sysadmin does not exist, creating"
group { ‘admin’ : groupadd sysadmin
ensure => present, fi
}
if ! getent passwd chris >/dev/null
then
echo "User chris does not exist, creating"
useradd --gid sysadmin chris
fi
USERGROUPID=`getent passwd chris | awk -F: '{print $4}'`

USERGROUPNAME=`getent group $USERGROUPID | awk -F: '{print
$1}'`
if [ "$USERGROUPNAME" != "sysadmin" ]
then
echo "Primary group of user chris is not
sysadmin, updating"
usermod --gid sysadmin chris
fi
Network Provisioning Today
Start an Build a 3-tier Create Subnet X, Y, Z

online store web app Create VRF
Create VLAN X, Y, Z
Business IT Management Infrastructure

admin
Declarative
Imperative
Intent Driven Provisioning
Start an Build a 3-tier Create 3-tier web

online store web app app instance
Business IT Management Infrastructure

admin
Declarative
Policy Layers in ACI
Web App DB
Outside
QoS
Application Policies
QoS QoS
(Tenant VRF) Filter

(Logical Networking)
Service Filter
APIC
ACI Fabric Application Policy

Infrastructure
Fabric Policies Controller
Access Policies
Network Policy
Network Policy
• Fabric Policies
– Fabric interface policies
– Pod policies
– Fabric load balancing policies
– Firmware / maintenance policies
– …
• Access Policies
– Interface policies
– vPC
– Attachable Access Entity Profiles
– Quality of Service Classes
– DHCP Policies
Switch / Interface Policy
• Ports 1-10: SC management
• Ports 1-40: Hyper-V hosts • Ports 1-40: Hyper-V hosts • Ports 1-40: Hyper-V hosts • Ports 11-20: Virtual services
• Ports 41-48: Scale-out file • Ports 41-48: Scale-out file • Ports 21-30: Portal, etc
• Ports 41-48: Scale-out file
servers servers servers
Compute Compute Compute Infrastructure

Rack 1 Rack 2 Rack 3 Rack
Switch / Interface Policy
compute-rack
Interface Profile
compute-rack Adding a new compute rack?
Switch Profile
1. Add the new leafs to the selector
2. There is no step 2
compute-rack compute-rack-hyperv compute-rack-sofs
Switch Selector Interface Selector Interface Selector
Leafs 101-106 1/1-40 1/41-48
hyperv sofs
Interface Policy Group Interface Policy Group
CDP off CDP off
LLDP on LLDP on
AEP: hyperv-vlans AEP: sofs-vlans
…. ….
Firmware Policy
spine-fw-group-a spine-fw-group-b
leaf-fw-group-a
leaf-fw-group-b
Firmware Policy
Maintenance Policy
spine-maint-group-a spine-maint-group-b
leaf-maint-group-a
leaf-maint-group-b
Maintenance Policy
leaf-maint-group-a leaf-maint-group-b spine-maint-group-a spine-maint-group-b

Window: Window: Window: Window:
Wed 22:00-23:59 Thur 22:00-23:59 Thur 00:00-01:59 Fri 00:00-01:59
Concurrent nodes: Concurrent nodes: Concurrent nodes: Concurrent nodes:
4 4 1 1
Application Policy
Application Policy
• Logical networking
• Application Network Profiles
• Service insertion and automation
Logical Networking
• How does A talk to B?
– Bridged?
– Routed?
– Intra-VRF? Inter-VRF?
– Inside to outside? Outside to inside?
Logical Networking
Tenant Engineering Tenant Finance
Private Network Engineering Private Network Common Private Network Finance

Bridge Domain Development Bridge Domain Public Bridge Domain Expenses
Subnet 192.168.1.1/24 Subnet 64.104.1.1/24 Subnet 192.168.1.1/24
Subnet 192.168.2.1/24 Subnet 64.104.2.1/24 Subnet 192.168.2.1/24
Subnet 192.168.3.1/24 Bridge Domain Payables

Subnet 192.168.3.1/24
Bridge Domain Build
Subnet 192.168.3.1/24
Subnet 192.168.4.1/24
Subnet 192.168.5.1/24
Logical Networking Terms
• Tenant – Logical separation for administrative domains (e.g. Business Unit,
Customers, Dev/Test/Prod)
• Private Network – Separate routing instances == VRF
• Bridge Domain – Layer 2 segment; analogous to a VLAN, but not tied to a
VLAN ID
• Subnet – Layer 3 address associated to a Bridge Domain == SVI
Application Network Profiles
• Logical network defines how A talks to B
• Application Network Profiles define should A talk to B?
– Which protocols?
– QoS?
– Additional L4-7 services required?
– Etc.
Application Network Profile
Application Network Profile 3-Tier Web Application
Endpoint Group Web Endpoint Group App Endpoint Group DB
Contract Contract
Application Network Profile - Contracts
Endpoint Group Web Contract Endpoint Group App

Filters
QoS
Services
Application Network Profile - Contracts

Contract sql
Subject mysql
Endpoint Group App Endpoint Group DB
Filter mysql
Match: tcp/3306
Consumes Filter icmp Provides
Match: icmp
Service Graph
QoS
Application Network Profile Terms
• Endpoint Group (EPG) – Group of endpoints (servers/VMs) with the same
policy
• Contract – Encapsulates policy between endpoint groups
• Subject – Defines if (filters) and how (action) traffic can flow between endpoint
groups
• Filter – Selector of traffic, matching up to L4 attributes
• Action – Action to take on matched traffic, e.g. service graph, apply QoS, etc
• Provider – Provides the services defined in a contract
• Consumer – Consumes the services defined in a contract
Endpoint Group Membership
• Physical port
• VLAN Identifier on a port / switch • VM Attribute*
• VXLAN VNID on a port / switch • IP Address*
• NGVGE VSID on a port / switch • MAC Address*
• Subnet • …
• Virtual Machine Manager grouping
– Port Group (VMWare vCentre/vShield)
– VM Network (Microsoft Hyper-V/SCVMM)
– Neutron Network (OpenStack)
Service Graph
Service Graph
To consumer EPG To provider EPG
Service Graph – Data Plane
Service Graph
ASA / ASAv NetScaler
Consumer Endpoints Provider Endpoints
Service Graph – Configuration Plane
Service Graph
ASA / ASAv NetScaler
Citrix Configuration
Consumer Endpoints ASA Configuration Provider Endpoints
Conclusion
Abstraction
Redirect and Load Balance

Connectivity Application Requirements
IP Address, VLAN, VRF
Decoupled policy from
Control & Audit Connectivity connectivity
Application Requirements
(Security – Firewall, ACL, …)
IP IP
Address, VLAN,
Addressing Application Specific Connectivity
VRF
Enable Connectivity
(The Network)
Extensibility

Contract sql
Subject mysql
Endpoint Group App Endpoint Group DB
Filter mysql
Match: tcp/3306
Consumes Match: udp/3306 Provides
Service Graph
QoS
Reuse
Tenant Dev-Test
Endpoint Group Web Endpoint Group App Endpoint Group DB
Contract Contract
Tenant Dev-Test
Consistency
Web App DB
C C

Web App DB
C C

Web App DB
C C
Summary
• Traditional networking approaches
– not agile enough
– not cost effective
• Declarative, policy driven approach required:
– Abstracted
– Extensible
– Reusable logical components
– Consistency
Q&A
Complete Your Online Session Evaluation
Give us your feedback and receive a
Cisco Live 2015 T-Shirt!
Complete your Overall Event Survey and 5 Session
Evaluations.
• Directly from your mobile device on the Cisco Live

Mobile App
• By visiting the Cisco Live Mobile Site
http://showcase.genie-connect.com/clmelbourne2015
• Visit any Cisco Live Internet Station located
throughout the venue Learn online with Cisco Live!
Visit us online after the conference for full
T-Shirts can be collected in the World of Solutions access to session videos and
on Friday 20 March 12:00pm - 2:00pm presentations. www.CiscoLiveAPAC.com
Thank you.

BRKACI-1601 Policy Driven Data Centre With ACI

Uploaded by

Copyright:

Available Formats

BRKACI-1601 Policy Driven Data Centre With ACI

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

BRKACI-1601 Policy Driven Data Centre With ACI

Uploaded by

Copyright:

Available Formats

Policy Driven Data Centre with ACI

F/W WEB APP DB

USERGROUPID=`getent passwd chris | awk -F: '{print $4}'`

Start an Build a 3-tier Create Subnet X, Y, Z

Business IT Management Infrastructure

Start an Build a 3-tier Create 3-tier web

Business IT Management Infrastructure

(Tenant VRF) Filter

ACI Fabric Application Policy

Compute Compute Compute Infrastructure

leaf-maint-group-a leaf-maint-group-b spine-maint-group-a spine-maint-group-b

Tenant Engineering Tenant Finance

Private Network Engineering Private Network Common Private Network Finance

Subnet 192.168.2.1/24 Subnet 64.104.2.1/24 Subnet 192.168.2.1/24

Subnet 192.168.3.1/24 Bridge Domain Payables

Application Network Profile 3-Tier Web Application

Endpoint Group Web Endpoint Group App Endpoint Group DB

Application Network Profile 3-Tier Web Application

Endpoint Group Web Contract Endpoint Group App

Application Network Profile 3-Tier Web Application

To consumer EPG To provider EPG

To consumer EPG To provider EPG

ASA / ASAv NetScaler

Consumer Endpoints Provider Endpoints

To consumer EPG To provider EPG

ASA / ASAv NetScaler

Redirect and Load Balance

Application Network Profile 3-Tier Web Application

Application Network Profile 3-Tier Web Application

Application Network Profile 3-Tier Web Application

• Directly from your mobile device on the Cisco Live

You might also like