Cisco Application Centric Infrastructure
Silvo Lipovšek, Systems Engineer, slipovse@cisco.com
Digitization is Disrupting Business and Reshaping IT
- 277x: data created by IoE devices vs. end users
- 30M: new devices connected every week
- 180B: mobile apps downloaded in 2015
- 78%: workloads processed in cloud DCs by 2018
- 5TB+: data per person by 2020
- 4.2B: web filtering blocks per day
Traditional IT Struggles to Deliver Applications at the Speed of Business
- Application deployment time: minutes is what the business wants; weeks is what traditional IT delivers
Let's talk about the elephant in the room
- Current networks are neither inflexible nor expensive in themselves; operational process can make them just that.
- ACI simplifies IT and becomes an enabler.
Two Types of Languages
- Infrastructure language: VLAN, IP address, subnets, firewalls, quality of service, load balancer, access lists
- App language: application tier, policy and dependencies, security requirements, service level agreement, application performance, compliance, geo dependencies
- Today a human translator sits between the two
A new common language to describe desired state is needed.
Abstraction, the Real Objective of SDN
- But how to avoid death by micromanagement?
- Networks are traditionally controlled in a micromanaged, high-touch, interactive manner
- First-generation SDN is no different
2014 Cisco and/or its affiliates. All rights reserved.
Industry Solutions: Software-Only Overlay
- Supports virtual resources over traditional networks
- Advantage: increased agility for virtual devices; faster configuration and provisioning of virtual devices
- Disadvantage: partial solution, with embedded support only for virtual devices
- Operational complexity: two networks (an overlay for virtual devices and the physical network for physical resources) joined by a gateway
- No traffic visibility: limited troubleshooting
- Limited scale: centralized gateways, sub-optimal traffic flow
Industry Solutions: Integrated Hardware and Software Overlay
- Supports virtual and physical resources over an optimized network
- Advantage: highest agility, with consistent policy across physical and virtual
- Open: multi-hypervisor and multi-vendor support
- Operational efficiency: a single network
- Deep traffic visibility: simplified analysis and troubleshooting
- Highly scalable: integrated gateways, optimized traffic flow
- One integrated network for physical and virtual resources, instead of two networks joined by a gateway
Overloaded Network Constructs
- ACI directly maps the application connectivity requirements onto the network and services fabric
- Today the same constructs (IP address and addressing, VLAN, VRF) are overloaded to serve three purposes: enabling connectivity (the network), controlling and auditing connectivity (security: firewall, ACL, ...), and redirecting and load-balancing connectivity
- ACI: application requirements drive dynamic provisioning of connectivity explicitly defined for the application (application-specific connectivity)
Abstraction, the Real Objective of SDN
- How to avoid death by micromanagement? You cannot mask complexity with complexity
- Fewer networks, not more
What Does an Application Need from the Network?
- An application is more than just a VM: it is a set of interconnected components (web, app and db tiers, each made of VMs) that also connect to the Internet and to the external private network
- How do we define the network for the application?
ACI - Application Network Profile
- Application network profile: a set of network requirements specifying how application components communicate with each other; the application-centric network policy
- End point group (application component or tier): a collection of end-points connecting to the network, such as VMs, physical compute, or a VMware port group
- Contract: the rules of how components communicate, covering access control, QoS and network services
- The Outside: the rules of how the application communicates with the external private or public networks
- Example: web, app and db end point groups, each a tier of VMs, linked by contracts
UCS Service Profiles: Configuration Portability
- A SIM card is the identity for a phone; a service profile is the identity for a server
- UCS service profile: unified device management of network policy, storage policy and server policy
Pillars of ACI
- Rapid deployment of applications onto open networks with scale, security and full visibility
- Application-centric policy
- ACI fabric: Nexus 9000
- Open ecosystem: industry-leading technology partnerships
Cisco ACI Fabric
- Nexus 9500 modular switches and Nexus 9300 fixed switches
- Innovations in hardware and system design: performance, port density, power efficiency, programmability, price
- Innovations in Cisco NX-OS software: improved application performance, integrated overlay capabilities, programmability and automation
Modular and Fixed Portfolio: Nexus 9500 (modular), Nexus 9300 (fixed)
Overview of the Cisco ACI Fabric: the Industry's Most Efficient Fabric
- 1/10-Gbps edge; high-density 40-Gbps spine (100-Gbps capable)
- 1 million+ IPv4 and IPv6 endpoints; 64,000+ tenants; 220,000+ 1/10-Gbps hosts in a single tier
- 3:1 oversubscribed fabric
- Routed fabric with optimal IP forwarding; bridging (Layer 2) and routing (Layer 3) of VXLAN, NVGRE and VLAN at scale
- No x86 gateways between physical and virtual
- Application agility: place and join without limits in the fabric
- Full visibility into virtual and physical; common operations from hypervisor to computing, to fabric, to WAN
- Spine: inline overlay hardware database, 288 x 40-Gbps ports, higher capacity and lower cost
- Fabric optimization: improved utilization, 1588 timing and latency, ECMP-based approaches, scale, intelligent caching, overlay hardware offload, improved analytics
Overview of the Cisco ACI Fabric
Cisco ACI Fabric provides:
- Decoupling of endpoint identity, location and associated policy, all of which are independent from the underlying topology
- Full normalization of the ingress encapsulation mechanism used: 802.1Q VLAN, IETF VXLAN and IETF NVGRE
- Distributed Layer 3 gateway to help ensure optimal forwarding for Layers 3 and 2
- Support for standard bridging and routing semantics without standard location constraints (any IP address anywhere)
- Service insertion and redirection
- Removal of flooding requirements for the IP control plane (ARP, GARP, DHCP and unknown unicast)
Cisco ACI Fabric: Decoupled Identity, Location and Policy
- Cisco ACI fabric decouples the tenant endpoint address, its identifier, from the location of that endpoint, which is defined by its locator, the VTEP address
- Forwarding within the fabric is between VTEPs (VXLAN tunnel endpoints) and takes advantage of an extended VXLAN header format, which makes use of the reserved bits in the VXLAN header (packet: outer VTEP addresses, VXLAN header, inner IP payload)
- The mapping of the internal tenant MAC or IP address to the location is performed by the VTEP, using a distributed mapping database
Cisco ACI Fabric Load Balancing: Focus on the Application Response Time
- Cisco ACI fabric tracks the congestion along the full path between the ingress leaf and the egress leaf through the data plane (real-time measurements): congestion on switch-to-switch ports (external wires) and on internal ASIC-to-ASIC connections (internal wires)
- Fabric load-balances traffic on a flowlet basis, dynamically shedding active flows from congested to less congested paths
- Fabric prioritizes small (and early) flowlets, providing DC-TCP behavior without having to modify host stacks and ramping up large TCP flows faster
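The flowlet mechanism on this slide, as an added simulation that is not Cisco's code: a flow is cut into flowlets wherever the gap between packets exceeds a threshold, a new flowlet is steered to the least congested path, and packets inside one flowlet stay put so shedding never reorders the flow. Path names, congestion metrics, the gap threshold and the packet trace are all constructed.

```python
# Added example, not Cisco's code: flowlet-based load balancing. A flow moves
# to a less congested path only at a flowlet boundary (idle gap > FLOWLET_GAP),
# so packets within a flowlet are never reordered. All values are constructed.

FLOWLET_GAP = 0.5   # idle seconds that start a new flowlet (constructed value)


class FlowletBalancer:
    def __init__(self, paths):
        self.paths = dict(paths)   # path name -> current congestion metric
        self.last_seen = {}        # flow id -> timestamp of its last packet
        self.assigned = {}         # flow id -> path carrying its current flowlet

    def least_congested(self):
        return min(self.paths, key=self.paths.get)

    def place(self, flow, ts):
        """Return the path for a packet of `flow` arriving at time `ts`."""
        last = self.last_seen.get(flow)
        self.last_seen[flow] = ts
        if last is None or ts - last > FLOWLET_GAP:
            # flowlet boundary: the flow may move without packet reordering
            self.assigned[flow] = self.least_congested()
        return self.assigned[flow]


def run(events, paths):
    """events: ("pkt", flow, ts) or ("cong", path, metric), in time order.
    Returns the path chosen for each packet, in order."""
    lb = FlowletBalancer(paths)
    chosen = []
    for ev in events:
        if ev[0] == "cong":
            lb.paths[ev[1]] = ev[2]      # new data-plane congestion reading
        else:
            chosen.append(lb.place(ev[1], ev[2]))
    return chosen


# Constructed trace: one flow, two spine paths; spine1 congests mid-flowlet.
PATHS = {"spine1": 10, "spine2": 20}
TRACE = [
    ("pkt", "flowA", 0.00), ("pkt", "flowA", 0.01), ("pkt", "flowA", 0.02),
    ("cong", "spine1", 90),      # spine1 becomes the worse path
    ("pkt", "flowA", 0.03),      # same flowlet: must stay on spine1
    ("pkt", "flowA", 1.00),      # gap > FLOWLET_GAP: new flowlet moves to spine2
    ("pkt", "flowA", 1.01),
]

if __name__ == "__main__":
    print(run(TRACE, PATHS))     # ['spine1', 'spine1', 'spine1', 'spine1', 'spine2', 'spine2']
```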
Application Awareness: Application-Level Visibility
- Cisco ACI Fabric provides the next generation of analytic capabilities
- Per application, tenant and infrastructure: health scores, latency, atomic counters, resource consumption
- Event-triggered events or queries, with actions such as: no new hosts or VMs, evacuate hypervisors, re-balance clusters
- Example (PetStore): Dev on leaf 1 and 2, spine 1 and 3; Prod on leaf 2 and 3, spine 1 and 2; QA on leaf 3 and 4, spine 2 and 3; atomic counters per environment
- Integrates with workload placement or migration; VXLAN per-hop visibility; physical and virtual as one
Multihypervisor-Ready Fabric: Hypervisor Integration
- Integrated gateway for VLAN, VXLAN and NVGRE networks, from virtual to physical
- Cisco ACI Fabric normalization for NVGRE, VXLAN and VLAN networks
- Customer not restricted by a choice of hypervisor: the fabric is ready for multiple hypervisors (VMware ESX, Microsoft Hyper-V, Red Hat KVM, using VLAN, VXLAN or NVGRE, alongside physical servers on VLAN)
- The application admin works through hypervisor management; the network admin works through the fabric
Hypervisor Interaction with Cisco ACI
- Nonintegrated mode: Cisco ACI fabric as an IP-Ethernet transport; encapsulations manually allocated (for example VLAN 10); separate policy domains for physical and virtual
- Integrated mode: Cisco ACI fabric as a policy authority; encapsulations normalized and dynamically provisioned (for example VLAN 10 and VXLAN 10000 mapped into one policy); integrated policy domains across physical and virtual (APP, WEB, DB)
Hypervisor Integration with Cisco ACI
- Cisco ACI fabric implements policy on virtual networks by mapping endpoints to EPGs
- Endpoints in a virtualized environment are represented as the vNICs
- The VMM applies network configuration by placement of vNICs into port groups or VM networks
- EPGs are exposed to the VMM as a 1:1 mapping to port groups or VM networks (for example, the WEB, APP and DB EPGs of an application network profile, with a firewall and load balancer between them, appear as the WEB, APP and DB port groups)
Policy, Policy, Policy
Policy is Business Relevant
- Application Centric Infrastructure (ACI) allows the entire infrastructure to take commands in a business-relevant language
- ACI policy is aligned with applications: "Let my app servers talk to my web servers."
- Traditional policy is aligned with...? 1. Figure out where the app lives in the physical net; 2. Trunk VLAN 112 to switch 22; 3. Add route; 4. Plumb ports 7-12; 5. Configure ACL; 6. Apply QoS; 7. Repeat every time the app moves or needs more capacity
An Innovative Approach to Policy
What is an application policy?
1. Group: a set of virtual or physical workloads with the same policy
2. Contracts: a set of rules governing communication between groups
3. Service chains: a set of network services between groups
(Diagram: Outside -> F/W -> ADC -> Web -> ADC -> App -> DB, each group offering a provided contract to the next.)
Cisco ACI Network Profile: Policy-Based Fabric Management
- Extends the principle of Cisco UCS Manager service profiles to the entire fabric
- Network profile: stateless definition of application requirements (application tiers, connectivity policies, Layer 4-7 services) in an XML/JSON schema
- Fully abstracted from the infrastructure implementation: removes dependencies on the infrastructure; portable across different data center fabrics
- The network profile fully describes the application connectivity requirements (web tier, app tier, DB tier, application client, storage)
Network profile: defines application-level metadata (pseudo-code example, indented to show the nesting):

    <Network-Profile = Production_Web>
      <App-Tier = Web>
        <Connected-To = Application_Client>
          <Connection-Policy = Secure_Firewall_External>
        <Connected-To = Application_Tier>
          <Connection-Policy = Secure_Firewall_Internal & High_Priority>
        ...
      <App-Tier = DataBase>
        <Connected-To = Storage>
          <Connection-Policy = NFS_TCP & High_BW_Low_Latency>
        ...
Application Policy Model and Instantiation
- Application policy model: defines the application requirements (application network profile) for the web tier, app tier and DB tier together with the application client and storage
- Policy instantiation: each device dynamically instantiates the required changes based on the policies (for example for VMs at 10.2.4.7, 10.9.3.37 and 10.32.3.7)
- All forwarding in the fabric is managed through the application network profile
- IP addresses are fully portable anywhere within the fabric
- Security and forwarding are fully decoupled from any physical or virtual network attributes
- Devices autonomously update the state of the network based on configured policy requirements
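As an added example (not Cisco's code) covering the policy constructs of the preceding slides and the leaf-switch L4 distributed firewall described later in the deck: a small Python model of EPGs, contracts with L4 filters and provider/consumer relations that decides, as a leaf would, whether a flow is forwarded, and shows that re-attaching an endpoint to another leaf leaves the decision unchanged. EPG names, ports, the outside address and the leaf labels are constructed; the three 10.x addresses are the ones on the slide.

```python
# Added example, not Cisco's code: a minimal model of end point groups (EPGs),
# contracts carrying L4 filters, and provider/consumer relations (constructed).
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Filter:
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port; None matches any port

@dataclass
class Contract:
    filters: list
    providers: set        # EPGs that provide (answer) the contract
    consumers: set        # EPGs that consume (initiate) it

@dataclass
class NetworkProfile:
    name: str
    endpoints: dict = field(default_factory=dict)  # ip -> {"epg": .., "leaf": ..}
    contracts: list = field(default_factory=list)

    def attach(self, ip, epg, leaf):
        """Attach an endpoint, or re-attach it after a move; policy follows the EPG."""
        self.endpoints[ip] = {"epg": epg, "leaf": leaf}

    def permitted(self, src_ip, dst_ip, proto, dport):
        """Leaf-switch decision. White-list: inter-EPG traffic is dropped unless the
        source EPG consumes and the destination EPG provides a contract with a matching
        filter; location (leaf) is ignored. Intra-EPG traffic is allowed (ACI default)."""
        src, dst = self.endpoints.get(src_ip), self.endpoints.get(dst_ip)
        if src is None or dst is None:
            return False      # unknown endpoint: no policy, nothing forwarded
        if src["epg"] == dst["epg"]:
            return True
        for c in self.contracts:
            if src["epg"] in c.consumers and dst["epg"] in c.providers:
                if any(f.proto in ("any", proto) and f.dport in (None, dport)
                       for f in c.filters):
                    return True
        return False

def production_web():
    """Constructed three-tier profile mirroring the slide's Web/App/DB example."""
    p = NetworkProfile("Production_Web")
    p.contracts = [
        Contract([Filter("tcp", 443)], providers={"Web"}, consumers={"Outside"}),
        Contract([Filter("tcp", 8080)], providers={"App"}, consumers={"Web"}),
        Contract([Filter("tcp", 3306)], providers={"DB"}, consumers={"App"}),
    ]
    for ip, epg, leaf in [("10.2.4.7", "Web", "leaf1"), ("10.9.3.37", "App", "leaf2"),
                          ("10.32.3.7", "DB", "leaf3"), ("198.51.100.9", "Outside", "leaf4")]:
        p.attach(ip, epg, leaf)
    return p
```

Note that the reverse direction (App initiating to Web) is denied because only Web consumes the web-to-app contract; a real contract can also carry bidirectional filters, which this model leaves out.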
Cisco ACI Layer 4-7 Service Integration: Centralized, Automated and Supporting the Existing Model
- Elastic service insertion architecture for physical and virtual services
- Helps enable administrative separation between application-tier policy (application admin) and service definition (service admin)
- Cisco APIC as the central point of network control with policy coordination
- Automation of service bring-up/tear-down through a programmable interface
- Supports the existing operational model when integrated with existing services
- Service enforcement assured, regardless of endpoint location
(Diagram: a service graph between web tier A and app tier B defines a policy redirection chain of stages 1..N, such as firewall and load balancer instances, whose providers are described by service profiles.)
Cisco ACI Plus Citrix NetScaler: Service Automation
- Cisco Application Policy Infrastructure Controller (APIC) provides an extensible policy model through device packages
- The APIC administrator can import the Citrix NetScaler device package
- A device package is an XML file defining the device configuration model and the parameters required for Layer 4-7 use cases; after it has been imported, the APIC policy manager can configure NetScaler functions and parameters
- Device scripts (Python scripts run by the APIC script engine through the APIC script interface) translate APIC and Cisco API callouts to device-specific callouts
- Device specification fragment as shown on the slide (quoting restored):

    <dev type="f5">
      <service type="slb">
        <param name="vip">
          <dev ident="210.1.1.1">
          <validator="ip">
          <hidden="no">
          <locked="yes">
Opening the ACI Policy with OpFlex
- OpFlex protocol + ecosystem: APIC communicates policy to L4-7 devices, hypervisors and switches
- OpFlex open source: an open source implementation is available to anyone
- OpFlex standard: upcoming OpFlex standard through the IETF
- Ecosystem: broad, growing vendor support including hypervisor, network and L4-7
- Delivering investment protection by allowing any device to integrate with Cisco ACI
Open Ecosystem of Partners: Delivering Agility, Openness and Security
- 35 ecosystem partners and counting
- Open and standard APIs, published data model, open source, open standards
- Partner categories: automation and orchestration, enterprise system management, virtualization, L4-7 services, security, storage, monitoring
Cisco APIC: Delivering the Industry's Best SDN Solution
- APIC appliance: centralized point of management, automation and policy enforcement
- Flexible cluster size; highest scale; highest resiliency (N+2); engineered for performance
Cisco ACI Security Overview
Right Architecture for Data Center Security?
- Perimeter centric: manual and complex, static topology, error-prone, limited places
- Virtualization centric: no physical support, management complexity, limited visibility
- Application centric: any workload and any place, automated, full visibility
ACI Fabric Provides an L4 Distributed Firewall for East/West Traffic
- L4 policy enforcement in the leaf switch: line-rate policy enforcement
- Group-based policy (managed via APIC) for servers, physical or virtual
- Firewall at each leaf switch: scales independently of end-points; policy follows workloads
- L4 stateful firewall with AVS: Q2, CY15
Micro-Segmentation for Physical and Virtual with ACI
- Data center micro-segmentation with the ACI policy model, across virtual and physical workloads
- Micro-segmentation provides security for east/west traffic
- Embedded L4 distributed stateless firewall
- Automates L4-7 security between application tiers for advanced protection, for physical and virtual apps
- Full visibility of all traffic between segments
Customer Wins & Market Traction
Delivering Business Outcomes. Example: Cisco IT with ACI (based on projections*)
- Greater business agility: 58% reduction in network provisioning
- Lower capital expenses: 25% CAPEX reduction
- Reduced costs/complexity: 21% reduction in management costs
- Lower operating cost: 45% reduction in power and cooling costs
- Resource optimization: 10-20% compute and storage optimization
*Based on Cisco IT projections. Cisco IT has already gained cost efficiencies through UCS; these are incremental savings with ACI.
ACI High Level Overview
- Application Policy Infrastructure Controller (APIC), deployed as a cluster (3), exposes a unified API and information model (REST API); Cisco-provided and third-party system management, config management, orchestration frameworks, the GUI and the ACI toolkit consume it
- ACI application network profile: external -> FW -> ADC -> WEB -> APP -> DB
- Fabric: spines and leaves (ToR and EoR), FEX support, UCS, remote leaf over an existing network, DCI and Internet connectivity, existing L2/L3 applications
- Hypervisor integration with virtual switch and port groups; L4-L7 services, physical and virtual; virtual and physical workloads
Broad Customer Base Adopting Cisco ACI and Nexus 9K
Cisco SDN Solution: ACI by the Numbers*
- 4,100+ Nexus 9K and ACI customers globally
- 915+ customers globally
- 36+ ecosystem partners across storage, security, compute, network, application and cloud
*Status as of end of FYQ3 2015
Our Direction
- Data center and cloud network infrastructures, both physical and virtual, will no longer be configured, and will not be software defined (or programmed), but instead will be policy driven and application centric.
Prize Draw
- By completing the e-questionnaire you take part in the prize draw! The winners will be drawn at the closing of the conference.
- 1st prize: Lenovo Vibe X2, gold
- 2nd prize: Lenovo Vibe X2, white
- 3rd prize: Lenovo Vibe X2, black
*Organizers and sponsors of the Combis conference are not eligible to take part.
Thank you for your attention!