Inside Cisco IT: Secure and Simplified Cloud Services with ACI

Post on 29-Nov-2014


DESCRIPTION

The cloud is one of the fastest-growing solutions today, and the significance of the secure multi-tenant data center for business applications is increasing. Cisco IT is building an Application Centric Infrastructure (ACI) for cloud computing. An ACI environment requires a holistic approach to managing and orchestrating network, server, storage and application resources within a data center and across multiple data centers. This enables Cisco IT to deliver a secure programmable infrastructure that anticipates application requirements and, through policies, delivers Software as a Service offerings to Cisco Business Units. Cisco IT has been a fundamental driver in building and adapting the suite of management tools needed today to orchestrate data center infrastructure and platforms to deliver business services.

Attendees will learn how Cisco IT is designing next-generation application-aware solutions and the new policy models required for this journey. Cisco IT is migrating all traditional applications to a radically simplified compute platform and programmable network. Application Centric Infrastructure will significantly reduce network complexity and improve security, while reducing application deployment cycles. Cisco IT has aggressively deployed an internal private cloud with the goal of offering all IT services as self-service. Attendees will understand the TCO Cisco IT has achieved building Application Centric Infrastructure along with our existing UCS compute platform. Additionally, we will share the experience and lessons learned from our journey transforming applications and platforms to an infrastructure-aware architecture.
Session highlights include:

• Cisco IT’s adoption of Application Centric Infrastructure (ACI)
• Application Centric Infrastructure Design
• Nexus 9000
• Unified Compute System
• Infrastructure as a Service (IaaS)
• Platform as a Service (PaaS)
• Improved Application Security
• Reducing data center and network operating costs
• Driving higher utilization of existing servers
• Organizational Alignment
• Application transformation

TRANSCRIPT

Inside Cisco IT: Secure and Simplified Cloud Services with ACI

COCACI-2000

© 2014 Cisco and/or its affiliates. All rights reserved.COCACI-2000 Cisco Public

Agenda

• ACI Technology Overview

• Cisco IT’s Data Centers

• Cisco IT’s ACI DC Architecture

• Cisco IT’s Cloud and ACI

• Light Weight Applications

• Cisco IT’s Cloud Vision


ACI Technology

Application Centric Infrastructure

ACI Vision: Rapid deployment of applications onto networks with Scale, Security and Full Visibility

ACI

• OPEN RESTFUL APIS
• CENTRALIZED POLICY MODEL
• OPEN SOURCE

ACI Building Blocks: Controller, Policy Model, Nexus 9500 and 9300

Central Controller: Northbound and Southbound

• OPEN RESTFUL APIS
• CENTRALIZED POLICY MODEL
• OPEN SOURCE

[Diagram labels: APIC, Southbound, Northbound, vCenter, VMware, CIAC]

• Easier Configuration
• Visibility
• Troubleshooting

Integration:
- Compute controllers
- Cloud orchestration systems (automation)

Central Controller: Northbound and Southbound

[Diagram labels: APIC, Southbound, Northbound, vCenter, VMware, CIAC, OPFLEX]

OPFLEX

SOFTWARE POLICY EXTENSIONS INSIDE + OUTSIDE OF THE DC

What’s an Application Profile?

[Diagram labels: Tenant, Application Profile, External Network, EPG WEB, EPG APP, EPG DB, End Points, Contract, Filter, QoS, Service (FW/SLB), Service (SLB), Service Graph]

Network Enhancements: less planned and unplanned application downtime

• 40 Gig (100 Gig Future)
• Network Virtualization (VXLAN)
• L2 enhancements
• L3 only
• No Flooding
• ZTD
• True traffic load balancing (Flowlets)

Nexus 9000 product line

Common Hardware: Nexus 93xx, 9504, 9508, 9516; 40 Gig (100 Gig future)

• Standalone Mode: ‘devices’ controlled separately
• Fabric Mode: Central Controller Mode, ACI (Application Centric Infrastructure)

Migration from Standalone to Fabric Mode is possible

[Diagram comparing Standalone and Fabric (ACI); labels: Topology, Forwarding (Enhancements), Data Model, Policy Model, Code adjustments, No change, Change, Major Change]

Cisco IT’s Data Centers

Global Data Centers

[Map legend: A = Tier-III (Redundant), B = Tier-II (Less Redundant)]

• 2x Texas
• 1x Amsterdam
• 1x Singapore
• Globally Centralized: Business Apps
• Continental Hub: Order Processing, Comms
• Continental Hub: Communications
• Latency-Sensitive Software Development
• Cloud Services available: Private Cloud, self-service capabilities: IaaS / PaaS

Cisco IT’s ACI Data Center Architecture

ACI Topology View

• Flexible Topology
• Virtual Boundaries
• Physical and Virtual Services
• Highly Converged Infrastructure
• Easier to Manage

[Diagram labels: VXLAN Leaf to Hypervisor; VXLAN Spine to Leaf]

New Virtual Compute Design: VMware only

[Diagram: traditional virtual compute design compared with virtual compute design on ACI; labels: VMM Domain, vMotion]

Mapping of existing network aspects & applications to ACI Model

[Diagram with columns "Current DC Network" and "ACI"; labels: Subnet, Context (VRFs), IP to IP Communication, ACLs (Permitted / Denied flows), SLB and FW config, Tenant(s), ANP(s), EPG(s), Fabric External EPG(s), Bridge Domain, Subnet(s), Contracts, Service Graphs, Filters / Labels / Bundles / Interfaces]

Contract types shown:

• Inner ANP Contract
• Inner Tenant, Inter ANP Contract
• Inter Tenant Contract
• Fabric External Contract

Flexible building blocks: Grouping, Separation, Security / Contract Management Framework

Cisco IT ACI Architecture: Logical View (networking elements)

EPG to BD to Subnets to VRFs to External

[Diagram labels: Tenant 1, Tenant 2, Tenant 3, Tenant Common; EPG-11 to EPG-13, EPG-21 to EPG-23, EPG-31 to EPG-33; EPG-Corp, EPG-Other-DC, EPG-DMZ, EPG-Internet; VRF-dmz, VRF-Int; BD-Ext-1, BD-Ext-2, BD-int-1, BD-int-2; subnets 1.1.1.0/24, 2.2.2.0/24, 3.3.3.0/24, 4.4.4.0/24, 5.5.5.0/24; 9396, 9396; DC Core (External), DC Core (Internal), Internet]

Cisco IT ACI Architecture: Security to Infrastructure Services

EPGs and Contracts

[Diagram labels: Tenant 1, Tenant 2, Tenant 3, Tenant Common; EPG-11 to EPG-13, EPG-21 to EPG-23, EPG-31 to EPG-33; Infra Services: EPG-NTP, EPG-DNS, EPG-Monitoring, EPG-…; EPG-Corp, EPG-Internet; DC Core (External), DC Core (Internal), Internet]

Cisco IT ACI Architecture: Security to Application Middleware Services

EPGs and Contracts

[Diagram labels: Tenant 1, Tenant 2, Tenant 3, Tenant Common; EPG-11 to EPG-13, EPG-21 to EPG-23, EPG-31 to EPG-33; APP MW Services: EPG-OAM, EPG-LDAP, EPG-OCM, EPG-…; EPG-Corp, EPG-Internet; DC Core (External), DC Core (Internal), Internet]

Cisco IT ACI Architecture: Security to outside the ACI Fabric

EPGs and Contracts

[Diagram labels: Tenant 1, Tenant 2, Tenant 3, Tenant Common; EPG-11 to EPG-13, EPG-21 to EPG-23, EPG-31 to EPG-33; EPG-Corp, EPG-Internet; DC Core (External), DC Core (Internal), Internet]

Cisco IT ACI Architecture: Client level Security and Services

EPGs and Contracts and Services (SLB, FW)

[Diagram labels: Tenant 1, Tenant 2, Tenant 3, Tenant Common; EPG-11 to EPG-13, EPG-21 to EPG-23, EPG-31 to EPG-33; FW and SLB (shown three times each); EPG-Corp, EPG-Internet; DC Core (External), DC Core (Internal), Internet]

Cisco IT: ACI and Automation (Cloud)

Delivering Infrastructure for Applications, and what can we automate?

• Physical Build in the DC: Racking, Stacking, Patching
• Basic configuration of DC Infrastructure
• Client/App specifics
• Application Code Specifics

Foundational Aspects:

• UCS
• Switches
• Storage
• SLB
• FW

Functional Aspects (IaaS / PaaS):

• xVMs
• CPU/Mem per VM/BM
• Storage per VM/BM
• SLB setup
• FW setup
• OS
• Apache/Oracle … basic code

[Diagram labels: steps 1 to 4; ACI for network items; ACI for network and network security items; ACI & Automation; Build; Handover to APP teams]

High Integrity Automation Systems

Reduction of extensive (change management) processes

The Future: Private Cloud model

We all want an End-to-End Programmable Infrastructure

[Diagram labels: Client, Portal, InfraPortal, Orchestration (Cloud), CIAC, Controllers / Resource Managers, vCenter, Prime, Eman, eACLm, ASA, Compute, Network, Block Storage, IP File / IP Block / IP Object Storage, Integrated Security, PaaS Resources, Application Code, Security Admin, Compute / Network / Storage Admins, Application/Data Policy, Network Security Policy]

ACI Program – Quarterly Objectives: FY15

[Timeline: FY14Q3, FY14Q4, FY15Q1, FY15Q2, FY15Q3, FY15Q4; objectives numbered 1 to 6]

• SJC-K Engineering DC on N9K (standalone)
• ACI Design and ACI Automation (finalization)
• Migrate SJC-K to Fabric; Cisco IT Private Cloud on ACI: RTP1 DC
• Cisco IT Private Cloud on ACI: Allen DC; RTP1: Traditional Application Migration (non-prod)
• Allen & RCDN9: Traditional Application Migration to ACI (production apps wave 1)
• Allen & RCDN9: production apps wave 2

FY15: +/- 4000 VMs on ACI

All workloads on ACI: migration of 2-3 years

Cisco IT: CITEIS and ACI

What do the clients want from the infrastructure providers?

Client #1 (requires PaaS services only)

“Give me all the standard goodies, and leave me just to manage my application”

Client #2 (requires IaaS & PaaS services)

“My needs are mixed. I’ll take all the goodies I can get, and build the ones that I can’t”

Client #3 (requires IaaS services only)

“Give me the VMs and Storage and I’ll manage everything above the OS to build my application”

Clients order higher order services, e.g. app. development stack, databases, etc. These internally use infrastructure APIs to provision compute/storage/network.

[Diagram labels: SaaS, PaaS, IaaS; “builder” of SaaS services; Same as use case #1; Same as use case #3]

[Diagram labels: Traditional Network; Dedicated Platforms; Stationary Applications; Waterfall / Agile Development; ACI Fabric; Application Centric Infra. (ACI); API enabled Standard IaaS; Lightweight App. Containers; LAE; Continuous Delivery; Application Centric Cloud; IaaS; PaaS; SDaaS; XaaS; Mobile Workload; Order Mgmt; Pricing; Policy Control; Unified Infrastructure; Scalability; APIs; Intercloud; Adaptive Scaling; Feature Rich; DevOps; Open source; Quality Releases; Distributed Services; Cloud Scale]

Cisco IT: Light Weight Applications

Why Lightweight Application Environment (LAE)?

• Disparate, Disjointed Processes & Systems
• Limited / Restricted set of choices
• Closed Source
• Long Lead Times (Provisioning)

• Complete Framework (for ALM)
• Flexibility of Choices
• Open Source
• Rapid / Self-serve

[Diagram labels: What; Hundreds of Applications; 10s of Thousands of Applications]

Continuous Delivery: Development + Quality End to End Workflow

Workflow stages: Plan, Develop, Source Control Management, Continuous Build, Deploy & Release, Adapt & Scale, Automated Testing

[Diagram labels: TBD; Client Involvement; Viable Product; Cloud, ERP, and Mobile Application Development; Prioritized Sprint; Commit & Push; Code Review, Merge; Static / Dynamic, Progression / Regression; Unit / Integration, Functional / Performance / Security; Build, Test, Report; On-demand, Scheduled; Product Mgr.; Scrum Master; Developers; Group components; Application Snapshot; Group Applications; Release Control Gates; Development; Staging; Production; Deployable Artifact]

Cisco IT: Cloud Vision


Self-Optimizing Cloud

Policy based on observed norms


CISCO IT DEMO: Emerging Cloud Capabilities – ACI, OpenStack

World of Solutions, Booth #735 Today 2:30pm – 2:50pm

Join Us! We will demonstrate a few of the emerging cloud capabilities enabled for Cisco IT Elastic Infrastructure Services (CITEIS) using technologies like ACI, OpenStack and OpenShift.

We will describe how application policy controls and programmable infrastructure can enable elasticity, agility and continuous delivery of business capabilities.


Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online


Thank you.
