
Application Centric Infrastructure. The network architecture of the future: from theory to business

For the past few years, Cisco has been actively promoting a new data-center network architecture, Application Centric Infrastructure (ACI). Some are already familiar with it, and some have even deployed it in their enterprises, including in Russia. For most IT professionals and IT managers, however, ACI is still either an obscure abbreviation or just a discussion about the future.

In this article we will try to bring this future closer: we describe the main architectural components of ACI and illustrate how they are used in practice. In addition, in the near future we will hold a hands-on demonstration of ACI, which any interested IT specialist can sign up for.

You will be able to learn more about the new network architecture in St. Petersburg in May 2019. All the details are at the link. Sign up!

Prehistory


The traditional and most widespread network design is the three-tier hierarchical model: core -> distribution (aggregation) -> access. For years this model has been the benchmark, and vendors have produced network devices with functionality matching each tier.

When information technology was merely a necessary (and, frankly, not always welcome) appendage to the business, this model was convenient, very static and reliable. Now that IT is one of the drivers of business development, and in many cases is the business itself, the static nature of this model has become a major problem.

Modern business generates a large number of varied and complex requirements for the network infrastructure, and the success of the business depends directly on how quickly they are implemented. Delay is unacceptable under these conditions, and the classical network model often does not allow all business needs to be met in time.

For example, the rollout of a new complex business application requires network administrators to perform a large number of similar routine operations on many different network devices at different tiers. Besides taking a lot of time, this increases the risk of a mistake that can lead to serious IT service downtime and, as a result, to financial damage.

The root of the problem is not even the deadlines themselves or the complexity of the requirements. It is that these requirements must be "translated" from the language of business applications into the language of the network infrastructure, and any translation loses some of the meaning. When an application owner talks about the logic of the application, the network administrator hears a set of VLANs and access lists on dozens of devices that must be maintained, updated and documented.

Accumulated experience and constant communication with customers allowed Cisco to design and implement new data-center network design principles that follow current trends and are based primarily on the logic of business applications. Hence the name: Application Centric Infrastructure.

ACI Architecture


The ACI architecture is best viewed not from the physical side but from the logical one. It is based on a model of automated policies whose top-level objects can be divided into the following components:

  1. A network based on Nexus switches;
  2. An APIC controller cluster;
  3. Application profiles.


Let us consider each level in more detail, moving from simple to complex.

Network based on Nexus switches


The network in the ACI fabric resembles the traditional hierarchical model but is much simpler to build. It uses the Leaf-Spine topology, which has become the generally accepted approach for new-generation networks. The model consists of two tiers: Spine and Leaf.


The Spine tier is responsible only for bandwidth. The aggregate bandwidth of the Spine switches equals the bandwidth of the entire fabric, so this tier should use switches with 40G or faster ports.

Spine switches connect to every switch of the next tier, the Leaf switches, to which the end hosts are attached. The main role of Leaf switches is port capacity.

Scaling is therefore straightforward: to increase fabric bandwidth, add Spine switches; to increase port capacity, add Leaf switches.

Both tiers use Cisco Nexus 9000 series switches, Cisco's main building block for data-center networks regardless of architecture. The Spine tier uses Nexus 9300 or Nexus 9500 switches; the Leaf tier uses only Nexus 9300 switches.

The model range of Nexus switches used in the ACI fabric is shown in the figure below.


APIC (Application Policy Infrastructure Controller) Cluster


APIC controllers are specialized physical servers; for small deployments a cluster of one physical APIC controller and two virtual ones is permitted.

APIC controllers perform management and monitoring functions. Importantly, the controllers never participate in data forwarding: even if every controller in the cluster fails, the fabric keeps forwarding traffic according to the policies already pushed to the switches, and network stability is unaffected; only configuration changes become impossible until a controller is back. It should also be noted that the administrator manages absolutely all physical and logical resources of the fabric through the APICs: to make a change there is no longer any need to connect to an individual device, since ACI uses a single point of management.


Application profiles


We now turn to one of the main components of ACI: application profiles.
The Application Network Profile (ANP) is the logical basis of ACI. Application profiles define the interaction policies between all network segments and describe the segments themselves. The ANP abstracts away the physical layer and lets you describe how different network segments should interact from the point of view of the application.

An application profile consists of end-point groups (EPGs). An EPG is a logical group of hosts (virtual machines, physical servers, containers, etc.) that belong to the same security segment (a security segment, not a network one: EPG membership does not have to coincide with a VLAN or subnet). Which end hosts belong to a given EPG can be determined by many criteria. The following are commonly used:


Contracts are the entity through which different EPGs interact. A contract defines the relationship between EPGs; in other words, it determines which service one EPG provides to another. For example, we create a contract that permits HTTPS traffic and then attach it to EPG Web (the group of web servers) and EPG App (the group of application servers), one as the consumer and the other as the provider of the service, after which the two groups can exchange HTTPS traffic.

The figure below shows an example of how communication between different EPGs is set up through contracts within a single ANP.


A fabric can contain any number of application profiles. Moreover, contracts are not tied to a specific application profile: they can (and should) be reused to connect EPGs in different ANPs.

In fact, every application that needs the network in one form or another is described by its own profile. For example, the diagram above shows the standard architecture of a three-tier application consisting of some number of externally reachable servers (Web), application servers (App) and database servers (DB), and describes the rules of interaction between them. In a traditional network infrastructure this would be a set of rules written on various devices across the infrastructure. In the ACI architecture we describe these rules within a single application profile, which greatly simplifies creating a large number of settings on different devices by grouping them all into one profile.

The figure below shows a more realistic example: a Microsoft Exchange application profile made up of several EPGs and contracts.


Centralized management, automation and monitoring are among the key benefits of ACI. The ACI fabric relieves administrators of the routine work of creating a large number of rules on various switches, routers and firewalls (the classic manual configuration method is still permitted and can be used). Settings for application profiles and other ACI objects are applied automatically across the entire fabric. Even if you physically move servers to other ports of the fabric switches, you do not need to copy the settings from the old switches to the new ones or clean up the rules left behind: based on the EPG membership criteria of the host, the fabric applies the settings automatically and automatically removes the rules that are no longer used.

The security policies built into ACI work on the whitelist principle: whatever is not explicitly permitted by a contract is denied by default. Combined with the automatic update of switch configurations (removal of "forgotten" unused rules and permissions), this approach significantly raises the overall level of network security and narrows the potential attack surface. Two practical caveats: the default deny applies between EPGs, while endpoints inside the same EPG can communicate freely unless intra-EPG isolation is configured, and it holds only while the VRF's policy enforcement is left in its default "enforced" mode.
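To make the three-tier profile and the whitelist semantics described above concrete, here is an added example (not code from the original article or from Cisco): a small model of an ANP with EPGs and contracts, a check that answers "is this flow permitted?" with default deny between EPGs and free intra-EPG traffic, and a renderer for the nested JSON object tree the APIC REST API accepts. The APIC managed-object class names used (fvTenant, fvAp, fvAEPg, fvRsProv, fvRsCons, vzBrCP, vzSubj, vzRsSubjFiltAtt, vzFilter, vzEntry) are real; the tenant, EPG and contract names and the database port 5432 are assumptions constructed for the example.

```python
"""Added example, not part of the original article: model of an ACI
Application Network Profile with whitelist (default-deny) contract checks
and an APIC REST JSON renderer. Names and ports are constructed."""
from dataclasses import dataclass
import json


@dataclass(frozen=True)
class FilterEntry:
    """One vzEntry: an L4 match (the article's 'HTTPS' is tcp/443)."""
    name: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Contract:
    """A vzBrCP with a single subject. Direction matters: the consumer EPG
    opens connections towards the provider EPG; return traffic is covered
    by the fabric's reverse-filter-ports setting, not by a second contract."""
    name: str
    entries: tuple
    providers: frozenset
    consumers: frozenset


@dataclass(frozen=True)
class AppProfile:
    tenant: str
    name: str
    epgs: frozenset
    contracts: tuple

    def is_allowed(self, src_epg, dst_epg, proto, dport):
        """Whitelist semantics: permit only if src consumes and dst provides a
        contract whose subject carries a matching entry; no contract, no flow.
        Endpoints inside one EPG talk freely (intra-EPG isolation not modelled)."""
        unknown = {src_epg, dst_epg} - self.epgs
        if unknown:
            raise ValueError(f"unknown EPG(s): {sorted(unknown)}")
        if src_epg == dst_epg:
            return True
        return any(
            src_epg in c.consumers and dst_epg in c.providers
            and any(e.proto == proto and e.dport == dport for e in c.entries)
            for c in self.contracts)

    def allowed_flows(self):
        """Every (consumer, provider, proto, port) the profile opens: the
        'what does this profile actually permit?' review step."""
        return {(cons, prov, e.proto, e.dport)
                for c in self.contracts for cons in c.consumers
                for prov in c.providers for e in c.entries}

    def to_apic_json(self):
        """Nested object tree for POST /api/mo/uni.json: filters and contracts
        sit under the tenant, EPGs under the application profile."""
        def mo(cls, attrs, children=()):
            body = {"attributes": attrs}
            if children:
                body["children"] = list(children)
            return {cls: body}

        filters, contracts = [], []
        for c in self.contracts:
            entries = [mo("vzEntry", {"name": e.name, "etherT": "ip", "prot": e.proto,
                                      "dFromPort": str(e.dport), "dToPort": str(e.dport)})
                       for e in c.entries]
            filters.append(mo("vzFilter", {"name": c.name}, entries))
            subj = mo("vzSubj", {"name": c.name},
                      [mo("vzRsSubjFiltAtt", {"tnVzFilterName": c.name})])
            contracts.append(mo("vzBrCP", {"name": c.name}, [subj]))
        epgs = []
        for epg in sorted(self.epgs):
            rels = [mo("fvRsProv", {"tnVzBrCPName": c.name})
                    for c in self.contracts if epg in c.providers]
            rels += [mo("fvRsCons", {"tnVzBrCPName": c.name})
                     for c in self.contracts if epg in c.consumers]
            epgs.append(mo("fvAEPg", {"name": epg}, rels))
        ap = mo("fvAp", {"name": self.name}, epgs)
        return mo("fvTenant", {"name": self.tenant}, filters + contracts + [ap])


# Constructed three-tier profile from the article: Web -> App over HTTPS,
# App -> DB over PostgreSQL (5432 is an assumed port, not from the article).
WEB_TO_APP = Contract("web-to-app", (FilterEntry("https", "tcp", 443),),
                      providers=frozenset({"App"}), consumers=frozenset({"Web"}))
APP_TO_DB = Contract("app-to-db", (FilterEntry("postgres", "tcp", 5432),),
                     providers=frozenset({"DB"}), consumers=frozenset({"App"}))
THREE_TIER = AppProfile("shop", "three-tier", frozenset({"Web", "App", "DB"}),
                        (WEB_TO_APP, APP_TO_DB))

if __name__ == "__main__":
    for flow in sorted(THREE_TIER.allowed_flows()):
        print("permit", *flow)
    print("Web->DB tcp/5432:", THREE_TIER.is_allowed("Web", "DB", "tcp", 5432))
    print(json.dumps(THREE_TIER.to_apic_json(), indent=1))
```

The point of `allowed_flows` is the review step a security engineer wants before pushing the payload: it lists exactly what the profile opens, so a Web-to-DB path that nobody wrote a contract for shows up as absent rather than silently permitted. `to_apic_json` produces the same tree whether the profile is posted to a lab or production APIC, so the review can be done against the rendered JSON in version control.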

ACI allows you to organize network interaction not only between virtual machines and containers but also between physical servers, hardware firewalls and third-party network equipment, which makes ACI a unique solution at the moment.

Cisco's new approach to building a data network around application logic is not only automation, security and centralized management. It is also a modern, horizontally scalable network that meets the requirements of modern business.

Implementing the network infrastructure on ACI lets all business units speak the same language. The administrator is guided only by the logic of the application, which describes the required rules and relationships; the same application logic guides the application owners and developers, the information security service, economists and business owners.

Thus, in practice, Cisco is implementing the concept of the next-generation data-center network. Want to see it for yourself? Come to the Application Centric Infrastructure demonstration in St. Petersburg and work with the data-center network of the future today.
You can sign up for the event at the link.

Source: https://habr.com/ru/post/450650/
