思科在OpenStack的雲端技術創新及貢獻如何利用Cisco ACI快速 … · • Operational...

11/7/16

1

思科在OpenStack的雲端技術創新及貢獻如何利用Cisco ACI快速部署高效能、高透明度和容易排錯的OpenStack網絡平台

July 12th, 2016 Taipei

Philip Wong, Technical Solution Architecture, Cisco Greater China

2 © 2015 Cisco and/or its affiliates. All rights reserved.

Many of the products and features described herein remain in varying stages of development and will be offered on a when-and-if-available basis. This roadmap is subject to change at the sole discretion of Cisco Systems, and Cisco Systems will have no liability for delay in the delivery or failure to deliver any of the products or features set forth in this document. All material shared during this session is presented in strict confidence and covered by any and all Non Disclosure Agreements you have with Cisco Systems Inc.

Legal Disclaimer

11/7/16

2


•  Cisco’s commitment to OpenStack •  A new network model for Cloud Application

Deployment •  Benefits of Cisco ACI for OpenStack deployment •  Technical Architecture Overview •  Live Demonstration •  Partner/Customer engagements

議題


Cisco’s Commitment to OpenStack

•  Cisco Validated Designs for production deployments

•  Work closely and jointly with customers to design and build their OpenStack environment

• OpenStack based Global Intercloud hosted across Cisco and partner data centers

• Cisco Webex Service running on OpenStack

•  Automation (Puppet) and architectures (HA) for production deployment and operational support

•  Neutron/Nova Plug-ins for Cisco product lines – Nexus, CSR, ACI, UCS

• Code contributions across several services – Network Compute, Dashboard, Storage

• Foundation Board member Community Participation

Engineering/ Automation

Partners/

Customers

Cloud Services

11/7/16

3


SaaS

PaaS IaaS

Applications in the Connected World

Traditional Applications

ERP, Financial, Client/Server, CRM, email, …

Cloud Native Applications

IoT, Big Data, Analytics,

Gaming, ...

Data Center Cloud Edge / IoT



What may be further enhanced with OpenStack Networking Today?

Service B Service C

Service A

•  No broadcast or multicast •  Resilient and fault tolerant •  Scalable tiers •  Built around loosely coupled services •  Does not care about IP addresses

•  Layer 2 and broadcast is the base API •  Network, routers, and subnets •  Based on existing networking models •  No concept of dependency

mapping or intent

External Network Router

Network and

subnet

Network and subnet

Cloud Application Model Neutron Model

MySQL MySQL

11/7/16

4

7 © 2015 Cisco and/or its affiliates. All rights reserved. ap

p gu

y neutron

detailed abstraction

nova


cinder


swift


glance


Heat Orchestration

Domain Details

收集用戶應用需求需要轉換

轉換過程用戶的目的不免流失

User intent may be lost!

My app looks like this:

Intent


傳統的數據中⼼網絡部署

Application owners provide the network requirements of application environment

System/Network team translates the requirements into infrastructural specifications

Network architect/engineers perform configurations on the network equipment (CLI, GUI)

應用溝通需求網絡語⾔

Web界面應用程序認證系統数据库ACL，VLAN，QOS，SVI

應用速度慢——應用問題？網絡問題？——如何快速排错？

翻譯

網絡分區安全定義負載均衡

11/7/16

5


•  A 100% open source, Apache-licensed

•  Interface for capturing application intent, including network service requirements

•  Model inspired by APIC but available for any hardware / software platform

•  Networking today, plans to cover compute, storage

•  Growing number of contributors and ecosystem partners

Group-Based Policy for OpenStack

Policy Rules Set Web Group

Classifier Action

FIREWALL

DB Group

Classifier Action

Service Chain

Group-Based Policy Model


Group-Based Policy Model Policy Group: Set of endpoints with the same properties. Often a tier of an application.

Policy RuleSet: Set of Classifier / Actions describing how Policy Groups communicate.

Policy Classifier: Traffic filter including protocol, port and direction.

Policy Action: Behavior to take as a result of a match. Supported actions include “allow” and “redirect”

Service Chains: Set of ordered network services between Groups.

L2 Policy: Specifies the boundaries of a switching domain. Broadcast is an optional parameter

L3 Policy: An isolated address space containing L2 Policies / Subnets

L3 Policy

Policy Rule Set

Policy Rule Policy Rule

Service Chain

Classifier Action

Classifier Action

L2 Policy

Policy Group

Policy Target

Policy Target

Policy Target

Policy Group

Policy Target

Policy Target

Policy Target

L2 Policy

provide consume

Node Node

11/7/16

6


ACI + OpenStack – With OpFlex Support Full Policy Based Network Automation Extended to the Linux Hypervisor

Group-based Policy •  Open Source OpFlex agent extends ACI into Linux hypervisor •  OpFlex Proxy exposes new open API in ACI fabric

•  Fully distributed Neutron network functions, including NAT •  Integrated, centrally managed overlay and underlay fabric •  Operational visibility integrating OpenStack, Linux, and APIC •  Choice of virtual network (standard Neutron ML2) or Group-

based Policy driven networking Hypervisor OVS

OpFlex for OVS

OpenStack Feature Highlights

APIC Ml2 Driver

Solutions with Major OpenStack Distributions Available Now!

OpFlex Agent

OpFlex Proxy

OpenStack Controller


Cisco ACI乃應對數據中⼼SDN的解決⽅案結合先進開放軟體與硬體技術

Rapid Deployment of Applications onto Networks with Scale, Security and Full Visibility

ACI

APPLICATION CENTRIC POLICY CONTROLLER NEXUS 9500 AND 9300

Spine 0

Spine 1

Leaf 0 Leaf 1

11/7/16

7


DC Architecture evolves towards Fabric

AVS/OVS WAN/Core Services

Spine Leaf Border Leaf Services Leaf Virtual Leaf*

AVS/OVS

AVS/OVS

•  No more spanning Tree

•  L3 Routing – Host Based

•  High Bandwidth Multi-path enabled

•  Eliminate L2 Flooding

•  Facilitate Mobility VM

MP-BGP


思科ACI提供⼀個創新的Hybrid部署⽅案… A Policy Driven Network Provisioning

DB Tier

Storage Storage

Application Client

Web Tier

App Tier

Application policy model: Defines the application requirements (application network profile)

Policy instantiation: Each device dynamically instantiates the required changes based on the policies

VM VM VM

10.2.4.7

VM

10.9.3.37

VM

10.32.3.7

VM VM

APIC

11/7/16

8


Benefits of OpenStack on ACI

•  Fully managed underlay network through APIC controller

•  Ability to connect physical servers and multiple hypervisors to overlay networks

Integrated Overlay and Underlay

Distributed, Scalable Virtual Networking

•  Fully distributed L2, anycast gateway, DHCP, metadata

•  Distributed NAT / Floating IP

•  Choice of Group Policy or Neutron API

•  Support for L3 or L2 service insertion and chaining

•  Device package ecosystem for 3rd party devices or Group-Based Policy service chaining

Service Chaining

Hardware Performance

•  Automatic VXLAN tunnels at top-of-rack

•  No wasted CPU cycles for tunneling

•  Virtual network isolation is maintained even when a hypervisor is compromised

Secure Multi-tenancy

Operations and Telemetry

•  Troubleshooting across physical and virtual environments

•  Health scores, atomic counters, capacity planning per tenant network


Two OpenStack Plugin Options

Router

Security Group

Network

OpenStack Controller APIC ML2

Neutron API / ML2 Group-Based Policy

Plugin performs conversion from Neutron to APIC policy model

Ruleset

Policy Group

Policy Group F/W ADC

OpenStack Controller

GBP APIC Driver

Group-Based Policy

Group-Based Policy native drivers interfaces directly with APIC policy model

* Only one model is supported in a given OpenStack deployment

11/7/16

9


Available NOW: OpFlex Support

•  GBP or APIC ML2 •  Operations / Troubleshooting / Visibility

•  Endpoint statistics, health, faults in APIC

•  Hypervisor local enforcement security policies

•  Security Groups (ML2 driver) via IP Tables

•  GBP via OpenFlow in Open vSwitch •  Distributed NAT support on each compute node

•  Floating IP

•  sNAT (via hypervisor host IP)

•  Distributed Neutron services per compute node

•  L3 / Anycast gateway, metadata, DHCP •  Multiple VRF support

OpFlex Offers:

Hypervisor

vm4

Project 1 Project 2 Project 3

vm5 vm3

vm5 vm6

OpFlex Agent

OpFlex Proxy

V(X)LAN

OpenStack Controller Group-Based

Policy (optional) APIC ML2


APIC VMM Integration OpenStack

VMM Domain

Per Hypervisor / Per Group

View KVM Hypervisor Operational Data

Per EP stats, Health scores,

faults

11/7/16

10


Architecture Guide;

•  http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/OpenStack/b_ACI_with_OpenStack_OpFlex_Architectural_Overview.html

Datasheets:

•  http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/OpenStack-at-cisco/datasheet-c78-734181.html

•  http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/OpenStack-at-cisco/datasheet-c78-732353.html

Deployment Guides:

•  http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/OpenStack/b_ACI_with_OpenStack_OpFlex_Deployment_Guide_for_Red_Hat.html

•  http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/OpenStack/b_ACI_with_OpenStack_OpFlex_Deployment_Guide_for_Ubuntu.html

Useful Information for Further Reading

思科在OpenStack的雲端技術創新及貢獻如何利用Cisco ACI快速 … · • Operational...

Documents

Transcript of 思科在OpenStack的雲端技術創新及貢獻如何利用Cisco ACI快速 … · • Operational...

思科在OpenStack的雲端技術創新及貢獻 如何利用Cisco ACI快速 … · • Operational...

Documents

Transcript of 思科在OpenStack的雲端技術創新及貢獻 如何利用Cisco ACI快速 … · • Operational...

思科在OpenStack的雲端技術創新及貢獻如何利用Cisco ACI快速 … · • Operational...

Transcript of 思科在OpenStack的雲端技術創新及貢獻如何利用Cisco ACI快速 … · • Operational...