Cisco
Cisco ACI -
Simplify IT
Viktor Podkorytov
Consulting Systems Engineer
+380 44 3913600
Cisco Confidential 2 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Cisco ACI
Cisco MS
ACI SP
ACI
CIO CISO
TCO
ACI
CEO
Pace of Change Disruptions Opportunity
Cisco
Business Model
Service Model
Operating Model
Management Model
Consumption Model
IT'S ALL ABOUT APPLICATIONS…
WEB ECONOMY  APP ECONOMY
PRIVATE/TRADITIONAL IT SERVICES
INFRASTRUCTURE AS A SERVICE
DEVELOPMENT VS. OPERATIONS
DEVICE-CENTRIC
CLOUD SERVICES
APPLICATION AS A SERVICE
DEV OPS INTEGRATION
APPLICATION-CENTRIC
TODAY  FUTURE
“Even an elephant can dance”.
Nexus ACI IT
DC
Traditional NETWORK MODEL
SDN MODEL
NEW GENERATION
HW -
Software-Based Network Virtualization
APP-CENTRIC INFRASTRUCTURE
NETWORK OF BOXES
Applications Drive Development Network
Cisco 9k/ACI
2,665+ Nexus 9K & ACI
Customers Globally
585+ APIC Customers
APIC
APPLICATION
COMPUTE NETWORK
CLOUD
STORAGE SECURITY
35 Ecosystem Partners
(ACI)
APPLICATION LANGUAGE  CONTROLLER  NEXUS 9500, 9300
ACI
* Group-based security policy = includes physical and virtual, from Cisco and 3rd party, with embedded white-list security filtering. Superset of micro-segmentation
: Application Centric Infrastructure
IT
• Application Tier Policy and Dependencies
• Security Requirements
• Service Level Agreement
• Application Performance
• Compliance
• Geo Dependencies
• VLAN
• IP Address
• Subnets
• Firewalls
• Quality of Service
• Load Balancer
• Access Lists
OUTSIDE
WEB APP DB CRM APP
ADC F/W
ADC
Contract Contract
• ACI
WEB APP
1. where app lives in physical net
2.
3.
4. -
5.
6. QoS
7. Repeat every time app moves or needs more capacity
ACI
Controller
APIC
Nexus 9000
Servers
Physical & Virtual
Physical Networking
Nexus 2K
Nexus 7K
Hypervisors and Virtual Networking
Compute L4 L7 Services
Storage Multi DC WAN and Cloud
Integrated WAN Edge
Application Network Profile
L3 IP VXLAN 40Gb Fabric
SP
1 MILLION IPV4 / IPV6 END POINTS
64,000 TENANTS
PORTS vs. APIC (scaling chart; axis values omitted)
8K MULTICAST GROUPS (PER LEAF)
60 TBPS CAPACITY (PER SPINE)
Gb - MM
Savings when moving to 40G
(99% DC)
10G 40G 40G BiDi Optics
40G Over 10G Multimode Fiber
ACI Zero Trust
TRUST BASED ON LOCATION (Traditional DC Switch)
ZERO TRUST ARCHITECTURE (Nexus 9000 with ACI)
EPG 1
“WEB”
EPG 2
“APP”
Whitelist policy = explicitly configured ACI contract between EPG 1 and EPG 2 allowing traffic between their members. The ACI architecture allows flexible EPG membership, enabling a wide range of security policies.
ACL / Firewall
L4-7 Device Package
APIC
App Security Policy
Cisco ASA / ASAv etc.
Design it
Procure it
Install it
Configure it
Secure it
Is it ready?
Architect it
Design it
Is procured
Is installed
Is configured
Is secured
It is ready
Architect it
ACI Policy Driven
ARCHITECT DESIGN COMPUTE Service Request SERVICES SECURITY NETWORK
Application Available ARCHITECT DESIGN
Service Request
Application Available
QA it
ACI: Cisco IT
open standards approach makes ACI even stronger. We
delivered everything we expected, and
Nik Weidenbacher Principal Engineer, SunGard
open, future-proofed data center architecture that can continue to grow as we enhance client
Chuck Crane
Network and Security Architect, Axciom (Transitioning from AWS to Private Cloud)
This will enable Telstra to deliver service agility, security and performance that our customers expect
Erez Yarkoni
Executive Director, Telstra
Savings chart (CAPEX / OPEX): 10-20%, 58%, 21%, 45%, 25%
Source: Cisco IT
OPEN SOURCE
OPEN STANDARDS
OPEN INTERFACES
OpFlex NSH VXLAN
JSON XML
WITH ADVANCED SECURITY
Auditing
Policy
RBAC
Encryption
Tenant Isolation
OpFlex REST
QoS?
TENANT
Latency
Isolation
Systems Telemetry
0 Packets dropped
Health Score
APPLICATION
Latency
Health Score
Isolation
Systems Telemetry
25 Packets dropped
InterCloud
Secure Connection
Diagram: four application stacks (F/W, L/B, WEB, ADC, APP; the first also with a DB tier), linked over the secure connection.
IT
APIC
- Tom Edsall, CTO Insieme Networks
Cisco
ACI L4-L7
ASA
Citrix
F5
A10
Embrane
Check Point
Fortinet
Juniper SRX
Kemp
Palo Alto Networks
Radware
Riverbed
Symantec
Cisco
“Users” “Files”
The Intelligent ACI Fabric
Logical Endpoint Groups by Role
Heterogeneous clients, servers, external clouds; fabric controls communication
Every device is one hop away, microsecond latency, no power or port availability constraints, ease of scaling
CONNECTIVITY FLEXIBILITY
ACI Controller manages all participating devices, change control and audit capabilities
NETWORK L4-L7 SERVICES
Fabric Port Services
Hardware filtering and bridging; seamless service insertion, “service farm” aggregation
“FLAT” DC NETWORK
Full abstraction, de-coupled from VLANs and Dynamic Routing, low latency, built-in QoS
CENTRALIZED MANAGEMENT
Cisco
Service Producers EPG “Users” EPG “Files”
Leaf Nodes
Spine Nodes
ACI FABRIC
EPG “Internet”
Virtual Leaf
Service Consumers
APPLICATION CENTRIC INFRASTRUCTURE (ACI)
Service Consumer
Cisco
“Users” “Files”
CONTRACT
“Users → Files”
ACI Fabric
ENDPOINT GROUPS
Any endpoints anywhere within the fabric, virtual or physical
INBOUND ACL FROM THE CONTRACT
Hardware rules on each port, security in depth, embedded QoS
FIREWALL
Security administrator defines generic templates in APIC, made available to contract creation
CONTROLLER
Different administrative groups use the same interface, high level of object sharing
Application Policy Infrastructure Controller (APIC)
CONTRACT
Port-level rules: drop, prioritize, push to service chain; reusable templates
ACI traffic flow according to the CONTRACT
VIRTUAL SERVICES
Cisco
EPG “Web”
Endpoint group “Web”
  Subnet          Default Gateway
  192.168.0.0/24  192.168.0.1
  192.168.1.0/24  192.168.1.1
EPG “Database”
Endpoint group “Database”
  Subnet       Default Gateway
  10.1.1.0/24  10.1.1.1
Contract “Web → Database”
  Service   Action
  TCP/23    Deny
  TCP/22    Allow
  TCP/1400  Redirect to service chain “Web → Database”
  Any       Deny
SERVICE CHAIN “Web → Database”
Communication between endpoint groups (EPG)
Cisco
ACI
SSL FW
Policy rules, NAT, Inspection IPS
Analyzer
EPG
“Users”
EPG
“Web”
EPG
“Files”
ACI – service chain insertion
Cisco
ACI Stretched Fabric Design
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/kb/b_kb-aci-stretched-fabric.html
Cisco
Nexus 7000
ACI Fabric
EPG Ext
Graph
EPG Ext
ACI
ASA
EPG Web
Physical  Logical
EPG Web EPG DB
ASA Cluster
ASA
ACI, VLAN
Example: inspection of vertical (north-south) traffic
Cisco
ASAv
ACI, VLAN, VXLAN
ASAv API
ACI Fabric
Graph
Physical
Logical
EPG Web ACI ASA EPG DB
EPG Web ASAv
standby ASAv active EPG DB
Example: inspection of horizontal (east-west) traffic
Cisco
Clients: 192.168.1.1, 192.168.1.100 (later also 172.18.20.13)
Servers: 10.1.1.1, 172.16.1.1, 192.168.100.1
Protocols: HTTP (TCP/80), HTTPS (TCP/443), SSH (TCP/22), SMTP (TCP/25), ICMP
access-list OUT permit tcp host 192.168.1.1 host 10.1.1.1 eq 80
access-list OUT permit tcp host 192.179.1.1 host 10.1.1.1 eq 443
[…]
access-list OUT permit icmp host 192.168.1.100 host 192.168.100.1
30 ACL Rules
Adding client 172.18.20.13:
access-list OUT permit tcp host 172.18.20.13 host 10.1.1.1 eq 80
access-list OUT permit tcp host 172.18.20.13 host 10.1.1.1 eq 443
[…]
access-list OUT permit icmp host 172.18.20.13 host 192.168.100.1
15 ACL Rules
45 ACL Rules (total)
Network Admin:
• Add client 172.18.20.13, call Security Admin to enable access
• Remove client 192.168.1.1, “no other action necessary”
Security Admin:
• Add ASA rules for client 172.18.20.13
• Original ASA rules never change
Traditional ASA model
Cisco
Servers: 10.1.1.1, 172.16.1.1, 192.168.100.1
Clients: 192.168.1.1, 192.168.1.100, 172.18.20.13
Protocols: HTTP (TCP/80), HTTPS (TCP/443), SSH (TCP/22), SMTP (TCP/25), ICMP
Source EPG “Users”:
  Leaf 1, port 1
  Leaf 1, port 10
  Leaf 2, port 12
Destination EPG “Servers”:
  Leaf 3, port 2
  Leaf 4, port 8
  Leaf 5, port 12
Port Rules (Service → Action):
  TCP/80   Redirect, ASA1
  TCP/443  Redirect, ASA1
  TCP/22   Redirect, ASA1
  TCP/25   Redirect, ASA1
  ICMP     Redirect, ASA1
Network Admin:
• Add client 172.18.20.13, use standard ASA template
• Remove client 192.168.1.1
Security Admin:
• Create standard ASA advanced policy templates in APIC
• Advanced policies, limited ACL rules
• Same 5 port-level service rules and actions
ACI MODEL
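The following Python is an added illustration (not from the deck and not Cisco's or APIC's code) of the whitelist contract behaviour the “Web → Database” slide and the ASA comparison above describe: endpoints are placed in EPGs, a contract between two EPGs lists the only permitted services, and every other flow is dropped. The Fabric class, its method names and the per-host ACL count formula (clients × servers × protocols, which gives the slide's 30 → 45 lines) are assumptions made for this example; the constant 5 contract rules when client 172.18.20.13 joins the Users EPG is the point it demonstrates.

```python
import ipaddress

# Contract rules: (protocol, port or None) -> action. Anything not listed is
# dropped: ACI is a whitelist model, so "no contract" means "no traffic".
WEB_TO_DB = {("tcp", 23): "deny", ("tcp", 22): "allow",
             ("tcp", 1400): "redirect:Web->Database service chain"}
USERS_TO_SERVERS = {k: "redirect:ASA1" for k in
                    [("tcp", 80), ("tcp", 443), ("tcp", 22), ("tcp", 25), ("icmp", None)]}

class Fabric:
    """Toy EPG/contract store, constructed for this example (not the APIC model)."""
    def __init__(self):
        self.epgs = {}       # EPG name -> list of member networks (/32 for hosts)
        self.contracts = {}  # (consumer EPG, provider EPG) -> rules
    def add_member(self, epg, cidr_or_host):
        net = ipaddress.ip_network(cidr_or_host, strict=False)
        self.epgs.setdefault(epg, []).append(net)
    def add_contract(self, consumer, provider, rules):
        self.contracts[(consumer, provider)] = dict(rules)
    def epg_of(self, ip):
        ip = ipaddress.ip_address(ip)
        return next((name for name, nets in self.epgs.items()
                     if any(ip in n for n in nets)), None)
    def decide(self, src, dst, proto, port=None):
        """Action applied to one flow; unknown endpoint or no contract -> deny."""
        rules = self.contracts.get((self.epg_of(src), self.epg_of(dst)))
        return "deny" if rules is None else rules.get((proto, port), "deny")
    def rule_count(self):
        return sum(len(r) for r in self.contracts.values())

def traditional_acl_count(clients, servers, protocols):
    """Per-host ASA ACL from the deck: one line per client x server x protocol."""
    return len(clients) * len(servers) * len(protocols)

def users_to_servers_demo():
    """Deck scenario: the network admin adds client 172.18.20.13. Returns
    (ACL lines before, ACL lines after, ACI rules before, ACI rules after, fabric)."""
    clients = ["192.168.1.1", "192.168.1.100"]
    servers = ["10.1.1.1", "172.16.1.1", "192.168.100.1"]
    protos = ["tcp/80", "tcp/443", "tcp/22", "tcp/25", "icmp"]
    fabric = Fabric()
    for ip in clients: fabric.add_member("Users", ip)
    for ip in servers: fabric.add_member("Servers", ip)
    fabric.add_contract("Users", "Servers", USERS_TO_SERVERS)
    acl_before, aci_before = traditional_acl_count(clients, servers, protos), fabric.rule_count()
    clients.append("172.18.20.13")
    fabric.add_member("Users", "172.18.20.13")  # membership change only; contract untouched
    return (acl_before, traditional_acl_count(clients, servers, protos),
            aci_before, fabric.rule_count(), fabric)
```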
Cisco
Embrane Confidential © 2014 Embrane, Inc. All Rights Reserved 44
100% software solution
Dedicated, virtual network services per tenant/application
Embrane or 3rd party services
Elastic Services Manager - Single point of management and orchestration
Rapid deployment of network services
Designed for automation via full REST API
Aligned with existing operational models (no vCenter etc)
Embrane Base Virtual Appliances
3rd Party Virtual Appliances
REST API
Embrane Embrane Embrane Embrane
Partner
Lifecycle Management
Controller Virtualized Server Resources
Cisco
ACI Embrane
Embrane) APIC
Embrane REST API
Ensures near 100% feature coverage
Cisco
Cisco Cloud Architecture Microsoft
Windows Azure Pack Services
Customer portal Customer portal
Hosting plans
Tenant Mgt Billing
Automation Resource Clouds
Windows Azure Pack Services
Bringing Windows Azure Services to
Windows Server For Hosting Service Providers
Identity Services
Hosted Private Cloud
Desktop Hosting
DR as a Service CRM as a Service
Database Hosting
Cloud Storage as a Service
Physical Networking
Hypervisors and Virtual Networking
Computing L4 L7 Services Storage Multi DC WAN and Cloud
Integrated WAN Edge
Cisco Nexus® 7000 Series
Cisco Nexus 2000 Series
Cloud Service Portals Hyper-Automation Orchestrated Workloads
Library of Application Profiles and Cloud Service Profiles
Centralized Policy Management Open APIs, Open Standards Excellent for DevOps
Industry-Leading 10/40/100-Gbps Programmable Fabric
Infrastructure Endpoints Physical and Virtual
Cisco
ACI Infrastructure scalability
40 Gb / 10Gb - Capex
15+
ACI: 2 Spines (9508), 144 ToRs (9396-PX), 3 APIC Clusters, ASR9K for DCI, Citrix SDX for Services Insertion, NAM, UC on UCS
Cisco
• IPTV, SD
• IT
• Customer Relationship Management (CRM)
• Enterprise Resource Planning (ERP)
• Blackberry Enterprise Service (BES), Email, OSS etc.
• HMC
• Microsoft Exchange, SharePoint
• HCS Cisco Business Voice Services (BVS)
• 2G (EDGE), 3G (HSPA), 4G (LTE) UAE
ACI
Cisco
Tenant: HMC
Application Network profile
EPGs
Layer3 Network
Fabric
Network Admin
Tenant: IT Corp
Application Network profile
EPGs
Layer3 Network
Tenant: IPTV
Application Network profile
EPGs
Layer2 Network
Tenant: IOC
Application Network profile
EPGs
Layer3 Network
Tenant: Telecom
Application Network profile
EPGs
Layer3 Network
Line cards
Fabric
Switch
Ports
Tenant: Shared Internet Security Tools
Application Network profile
EPGs
Layer3 Network
ACI
Cisco
L4-L7
Cisco ACI
Integration of Cisco® Fabric with Windows Azure Pack
10101010
Storage
Computing
Apps Azure pack
Network
Security
SDN
L4-L7
Cisco
Software Defined