Cloud = Application Enablement and Innovation ≠ IaaS (Cloud Foundry Summit 2014)
2. © 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cloud ≠ IaaS
• Complexity
• Commodity
• Focus
3.
Why Compromise?
• Would you fly in this?
• Scale
• Reliability
• Security
4.
Platform for Enablement & Agility
• Leverage ready-built components
• Applications are not VM Templates
• Configuration Management tools are Complex & Brittle
5.
Cloud = Application Enablement + Innovation
• Service-oriented architectures and APIs aren't new ideas
– Art to building platforms comprised of loosely coupled services
• It's all about the Data, Data Virtualization, & Data Mobility
– Building multi-tiered data architectures that assume scale and unstructured data
• Data Centers and cloud providers become an interconnected and federated platform of deployable services and containers that are distributed and loosely coupled
• Open-Source is mainstream, driving innovation, and now in its 4th generation of tools to tackle scalability, performance, and diagnostics
• DevOps is no longer shadow IT, it is the way for application development, integration, and deployment - Period
7.
Guiding Principles
• Open standard foundational cloud platform
• Services building blocks at all layers of the stack to enable developers
• Everything available “as a Service” through both APIs and UI
• Single platform across all Data Centers
– Continuous deployment model
– Any app deployable to any DC globally
8.
Collaboration
• All Development on OpenStack, Cloud Foundry, and OpenShift
• Model
– Application Independent
– Application Integrated
– Application Containerized
• Cloud Foundry
– Abstracting application deployment, health checking, application routing, and monitoring
– Partnerships and Ecosystem are key to enabling innovation
– Flexibility
• Test, try, fail, pivot
• BOSH
– Does not work in all providers
– CF is just another app
9.
ACI - GROUP-BASED POLICY ACROSS OPENSTACK
[Diagram labels: Compute, Networking, Storage, Dashboard, Automation; Group-Based Policy Model Extensions; Neutron Subgroup; Members; Group Policy Model; any existing network plugin; ACI Fabric]
10. © 2014 Cisco - Cisco INTERNAL only – All Rights Reserved
Verifying the Domain in Real Time
• Small consistency applications to verify status and values of specific objects
• Built on OpenDaylight MD-SAL
• Object change invoked → NOT polling based
• Can cover multiple types of misconfiguration
– CLI/programmatic errors
– Multiple controllers thrashing on a shared object
• Can support customer specific consistency rules
[Diagram labels: Controller with Rules Engine, Datastore and Mount Client; Domain Policy "No Private Subnets", Network ACL Deny 10.0.0.0/8; NE 1 Running Config ACL Deny 10.0.0.0/8 (Mounted); Network Element 2 with Datastore and Mount Server, NE 2 Running Config ACL Allow 10.1.0.0/16 and Deny 10.0.0.0/8, marked "Change made here"]
11.
Automated Domain Reconciliation in Real Time
• Which rule has precedence?
• Open Source Rules Engines & Tools can be applied for Domain or Device
With a Rules Engine, self-repair is possible.
[Diagram labels: Controller with Rules Engine, Datastore and Mount Client; Domain Policy "No Private Subnets", Network ACL; NE 1 Running Config ACL (Mounted); Network Element 2 with Datastore and Mount Server, NE 2 Running Config; ACL entries shown: Deny 10.0.0.0/8, Allow 10.1.0.0/16]
Existing DevOps Applicable from Web 3.0
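The consistency check and self-repair described on slides 10 and 11, as an added example that is not part of the original deck: a change-triggered function validates a node's ACL against the "No Private Subnets" domain policy and repairs it. First-match ACL evaluation, the function names and the dict standing in for the datastore are assumptions; the ACL entries are the ones shown on the slides.

```python
import ipaddress

# Domain policy from the slides: "No Private Subnets" is expressed as Deny 10.0.0.0/8.
DOMAIN_POLICY = [("deny", ipaddress.ip_network("10.0.0.0/8"))]

def parse_acl(lines):
    """Turn entries such as 'Allow 10.1.0.0/16' into (action, network) tuples."""
    acl = []
    for line in lines:
        action, prefix = line.split()
        acl.append((action.lower(), ipaddress.ip_network(prefix)))
    return acl

def violations(acl, policy=DOMAIN_POLICY):
    """List (index, allow_net, policy_net) for effective allows that breach policy.

    Assumption: the device evaluates its ACL first-match, so an allow that sits
    behind a covering deny never takes effect and is not reported.
    """
    found = []
    for i, (action, net) in enumerate(acl):
        if action != "allow":
            continue
        shadowed = any(a == "deny" and n.version == net.version and net.subnet_of(n)
                       for a, n in acl[:i])
        if shadowed:
            continue
        for p_action, p_net in policy:
            if p_action == "deny" and net.overlaps(p_net):
                found.append((i, net, p_net))
    return found

def reconcile(acl, policy=DOMAIN_POLICY):
    """Self-repair: drop the violating allows, then make sure policy denies exist."""
    bad = {i for i, _, _ in violations(acl, policy)}
    kept = [entry for i, entry in enumerate(acl) if i not in bad]
    return [p for p in policy if p not in kept] + kept

def on_change(node, new_lines, datastore):
    """Called when a node's ACL object is written (change-invoked, not polled)."""
    acl = parse_acl(new_lines)
    report = violations(acl)
    datastore[node] = reconcile(acl) if report else acl
    return report

if __name__ == "__main__":
    store = {}  # hypothetical stand-in for the controller datastore
    print(on_change("NE2", ["Allow 10.1.0.0/16", "Deny 10.0.0.0/8"], store))
    print(store["NE2"])
```

Entry order decides the outcome under the first-match assumption: the same two entries with the deny first produce no violation, which is the precedence question slide 11 raises.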
12.
Verifying & Reconciling Network Elements in Real Time
• Auto-discovery of link, group, or area misconfigurations. No controller necessary.
• Options
– Automated error correction
– Automated change propagation
– Custom resolution
[Diagram labels: Network Element 1 and Network Element 2, each with a Rules Engine and Datastore; NE 1 Running Config Ethernet 1 Frame Size 1500; NE 2 Running Config Ethernet 2 Frame Size 1500; "CLI Change made"; Ethernet 1 and Ethernet 2 Frame Size Jumbo]
13.
Interplay of Centralized and Distributed Conflict Resolution Logic
• Device logic can mediate between controllers with conflicting Intent
• Pushing the reconciliation to the right place
• Overlapping controller domains will need reconciliation logic
[Diagram labels: Data Center Policy Domain: Data Center Controller with Domain Rules Engine and Datastore; Network Wide Rules, Network NE (South Korea) "Allow from China Netcom"; Asserted Config Allow 210.51.0.0/16. SP WAN Policy Domain: SP WAN Controller with Domain Rules Engine and Datastore; Network Wide Rules, Network NE (South Korea) "Drop any North Korean traffic in South Korea"; Asserted Config Deny 210.51.109.0/24. Network Element (South Korea): Device Rules Engine, Datastore, Asserted Config and Running Config; entries shown: Allow 210.51.0.0/16, Allow 210.52.0.0/16, Deny 210.51.109.0/24, Deny 210.52.190.0/24]
14.
Interplay of Centralized and Distributed Conflict Resolution Logic
• All Intents may be met automatically even when some config fails
• Domain logic can react to Device logic, finding alternative ways to meet intent
• Zero Touch Reconciliation
[Diagram labels: Data Center Policy Domain: Data Center Controller with Domain Rules Engine and Datastore; Network NE (South Korea) "Allow from China Netcom"; Asserted Allow 210.51.0.0/16. SP WAN Policy Domain: SP WAN Controller with Domain Rules Engine and Datastore; Network Wide Rules, Network NE (South Korea) "Drop any North Korean traffic in South Korea"; Asserted Config Deny 210.51.109.0/24. Network Element (South Korea): Device Rules Engine, Datastore, Asserted Config and Running Config; entries shown: Deny 210.51.109.0/24, Deny 210.52.190.0/24, Deny 210.51.0.0/16. Network Element (USA): Device Rules Engine, Datastore, Asserted Config and Running Config; entries shown: Allow 210.51.0.0/16, Allow 210.52.0.0/16]
Editor's Notes
North Korea has one known block of 1,024 IPv4 addresses: 175.45.176.0 – 175.45.179.255. But they also have 254 China Netcom addresses: 210.52.109.0 – 210.52.109.255