Cisco Blogs


Cisco Blog > Perspectives

A Summary of Cisco VXLAN Control Planes: Multicast, Unicast, MP-BGP EVPN

With the adoption of overlay networks as the standard deployment for multi-tenant network, Layer2 over Layer3 protocols have been the favorite among network engineers. One of the Layer2 over Layer3 (or Layer2 over UDP) protocols adopted by the industry is VXLAN. Now, as with any other overlay network protocol, its scalability is tied into how well it can handle the Broadcast, Unknown unicast and Multicast (BUM). That is where the evolution of VXLAN control plane comes into play.

The standard does not define a “standard” control plane for VXLAN. There are several drafts describing the use of different control planes. The most commonly use VXLAN control plane is multicast. It is implemented and supported by multiple vendors and it is even natively supported in server OS like the Linux Kernel.

This post tries to summarize the three (3) control planes currently supported by some of the Cisco NX-OS/IOS-XR. My focus is more towards the Nexus 7k, Nexus 9k, Nexus 1k and CSR1000v.

Each control plane may have a series of caveats in their own, but those are not covered by this blog entry. Let’s start with some VXLAN definitions:

(1) VXLAN Tunnel Endpoint (VTEP): Map tenants’ end devices to VXLAN segments. Used to perform VXLAN encapsulation/de-encapsulation.
(2) Virtual Network Identifier (VNI): identify a VXLAN segment. It hast up to 224 IDs theoretically giving us 16,777,216 segments. (Valid VNI values are from 4096 to 16777215). Each segment can transport 802.1q-encapsulated packets, theoretically giving us 212 or 4096 VLANs over a single VNI.
(3) Network Virtualization Endpoint or Network Virtualization Edge (NVE): overlay interface configured in Cisco devices to define a VTEP

VXLAN with Multicast Control Plane
VXLAN1

Read More »

Tags: , , , , , ,

Ready, Set…Cloud! Vblock, VxBlock and Cisco ACI usher in operational simplicity and software defined innovation for the cloud era

Complexity is easy. Simplicity is hard. Solving operational complexity has been one of the hardest challenges in data center and cloud build-outs. For customers, the challenge of interfacing with different infrastructure vendors and driving integration has been a significant hurdle in the past, slowing application rollouts. The success of the integrated Infrastructure approach has largely been due to focused efforts on behalf of multiple vendors to come together to solve this challenge, resulting in a new hyper-growth market category being created. According to IDC’s Q3CY2014 integrated infrastructure tracker, the integrated infrastructure market has grown to ~$5.5B annually and most analysts have this market growing at 30+ percent YoY.

A shining example of solving this huge challenge has been VCE’s Vblock offerings that have been on a stellar growth path. Nothing speaks better of this than customer success and market traction it enjoys –

  • VCE surpassed a $2 billion annualized demand run-rate for Vblock and Vblock-related products and services exiting Q3 2014.
  • Its sixth consecutive quarter of greater than 50% year-over-year demand growth.
  • Clear leader in integrated infrastructure systems according to Gartner and IDC
  • A leader in the Gartner, Inc. Magic Quadrant for Integrated Systems, based on an evaluation of VCE’s completeness of vision and ability to execute.

With its UCS Integrated Infrastructure solution approach Cisco has been literally in the midst of all of this action. Cisco UCS, Nexus and MDS switches have been key components of the integrated offering along with innovations from the other companies.  Customers have loved the operational benefits as they scale their cloud build outs. Last October next-generation “ACI-ready” Vblocks were introduced allowing customers to further accelerate their journey to SDN and cloud.

And now it is time to raise the bar even further. As VCE introduces VxBlocks in addition to the flagship Vblock offering, as well as vScale architectures and VCE Vision 3.0, Cisco and VCE are together committed to build on the past success as we align our sights to the future –

  • VCE and Cisco are committed to drive open, future proof converged infrastructure solutions through the GA shipments of ACI-Ready Nexus 9K enabled Vblocks and Cisco UCS. We already have 100+ joint customers in production.
  • VxBlocks will be featuring Nexus 9K as their default networking platform to support all their different flavors of SDN within their integrated infrastructure, even as Cisco UCS will continue to be their default compute platform. As of Cisco’s last fiscal quarter, there were over 1700+ Nexus 9000 and Cisco ACI customers, making the Nexus 9000 one of the highest growth products within the company even as new Cisco APIC customers shot up to over 300+ within two quarters. Cisco UCS has been on a tear in terms of market share worldwide and has continued to set world record benchmarks.
  • The Vscale Fabric is ACI enabled and includes the Nexus 9000s as the networking component of the fabric.  This  allows customers to choose ACI and get the added benefits of such.  If a customer chooses to deploy ACI in the fabric then the APIC would be a deployed as an add-on.   The Vscale architecture also uses MDS as the SAN fabric enhancing the convergence capabilities.

 What Cisco Application Centric Infrastructure (ACI) Brings to Vblocks and VxBlocks:

Cisco ACI is all about operational flexibility and choice. For example, customers can enjoy the  benefits of the Nexus 9396 in a standalone mode, or deploy it as an ACI leaf configuration. This is called “ACI-ready”. They can also be “ACI-enabled”, which means the Nexus 9396s are ACI leafs connected to spines and APIC clusters all part (provisioned and supported) of a Vblock or VxBlock.

Read More »

Tags: , , , , , , , , , , ,

Cisco ACI and Nexus 9000 Activities at Cisco Live Milan 2015

Interested in learning more about Cisco Application Centric Infrastructure and Nexus 9000? We are hosting a myriad of activities here at Cisco Live Milan 2015! With Meet the Expert sessions and Demos at the World of Solutions, DevNet Zone labs, a plethora of breakout sessions, and customer whisper suite sessions, there is a wide range of content available throughout the week at the MiCo. Check out the highlights below.

DEVNET ZONE:

  • “Let’s Discuss: Cisco’s Controllers – Why, What, How, When”

Wednesday, January 28 • 2:30pm – 3:30pm

https://www.ciscolivemilan.com/connect/sessionDetail.ww?SESSION_ID=9522&tclass=popup

  • “API Deep Dive: APIC DC”

Monday, January 26 • 3:30 PM – 4:30 PM

https://www.ciscolivemilan.com/connect/sessionDetail.ww?SESSION_ID=9502&tclass=popup

  • “API Deep Dive: APIC DC APIs”

Thursday, January 29 • 11:00 AM – 12:00 PM

https://www.ciscolivemilan.com/connect/sessionDetail.ww?SESSION_ID=9529&tclass=popup

BREAKOUTS:

1.TECACI-2009 – Intermediate – Application Centric Infrastructure (ACI) – The Policy Driven Data Center

https://www.ciscolivemilan.com/connect/sessionDetail.ww?SESSION_ID=5795&tclass=popup

2.BRKAPP-9000 – Introduction to Application Centric Infrastructure.

https://www.ciscolivemilan.com/connect/sessionDetail.ww?SESSION_ID=5698&tclass=popup

3.BRKACI-2001 – Intermediate – Integration and Interoperation of existing Nexus networks into an ACI architecture

https://www.ciscolivemilan.com/connect/sessionDetail.ww?SESSION_ID=5699&tclass=popup

4.TECDCT-2002 – Intermediate – Next Generation Data Center Infrastructure

https://www.ciscolivemilan.com/connect/sessionDetail.ww?SESSION_ID=5807&tclass=popup

5.BRKAPP-9004 – Intermediate – Data Center Mobility, VXLAN & ACI Fabric Architecture

https://www.ciscolivemilan.com/connect/sessionDetail.ww?SESSION_ID=5861&tclass=popup

6.BRKACI-3456 – Advanced – Mastering OpenStack and ACI

https://www.ciscolivemilan.com/connect/sessionDetail.ww?SESSION_ID=6561&tclass=popup

7.TECDCT-2002 – Intermediate – Next Generation Data Center Infrastructure

https://www.ciscolivemilan.com/connect/sessionDetail.ww?SESSION_ID=5807&tclass=popup

8.BRKACI-2006 – Intermediate – Integration of Hypervisors and L4-7 Services into an ACI Fabric

https://www.ciscolivemilan.com/connect/sessionDetail.ww?SESSION_ID=5700&tclass=popup

9.LTRDCT-1224 – Intermediate – Implementing VXLAN in Datacenter

https://www.ciscolivemilan.com/connect/sessionDetail.ww?SESSION_ID=6111&tclass=popup

10.BRKDCT-1302 – APIC and Nexus 9000: Network Programmability and Automation

https://www.ciscolivemilan.com/connect/sessionDetail.ww?SESSION_ID=5714&tclass=popup

11.BRKVIR-2931 – Intermediate – End-to-End Application-Centric Data Center

https://www.ciscolivemilan.com/connect/sessionDetail.ww?SESSION_ID=5493&tclass=popup

Cisco ACI/N9K Whisper Suites

Please visit https://cisco.jifflenow.com/livedcmilan2015 to register a request. Please note a Cisco domain name is required.

Whisper suites are being held offsite at:

Melia Milano Hotel

Via Masaccio, 19

We hope you will enjoy the show.

Tags: , , , , , , ,

Software Defined Networks with L4-L7 ADC Policy Automation

It appears only a short time ago we introduced Cisco ACI to the market, but it is already the one-year anniversary time. In this one-year period, we have seen tremendous momentum on customer adoption and partner eco-system for both the Nexus 9k hardware platform and the ACI software. To date there are more than 1,000 plus Nexus 9k hardware customers and 200 plus ACI software customers. And don’t forget the growing eco-system of partners that now stands at an impressive 34.

To commemorate this one-year anniversary of ACI and its success, we have planned a grand Data Center Webcast to be broadcast on Jan 13 at 9 AM PST. Click here to register for the webcast. Attendees of the webcast will have the opportunity to hear from our ACI ecosystem partners how their solutions integrate to help customize and extend ACI deployments. The audience will also hear from Cisco customers all over the world about the benefits they’ve discovered with our ACI architecture. Check out Cisco exec Shashi Kiran’s blog for more details on the webcast.

For the remainder of this blog I am going to focus on the ACI L4-L7 partner eco-system momentum. Since August 2014, major L4-L7 Application Delivery Controller (ADC) vendors have collaborated with our Insieme Business Unit to build, test, certify joint integrated solutions and introduce publicly downloadable device packages for customers to seamlessly deploy ACI in existing ADC deployments.

servicechainnew

What makes the ACI integration with L4-L7 ADC vendors’ devices so seamless and easy? Well, the answer lies in the flexible and open service policy management inherent in ACI. The highly open and programmable nature of Cisco APIC and the ability to selectively associate service chains with specific applications and data flows, and the flexibility of applying application delivery policies to different applications (Figure-1). This far exceeds that of a traditional network based ADC. To date F5, Citrix, A10 Networks have built FCS versions of device packages for Cisco ACI. I want to take you on a quick tour of each of these ACI joint solutions, and the benefits they uniquely bring to existing customer deployments.

The exciting L4-L7 eco-system ramp began in August 2014 when ADC market leader F5 announced the availability of its device package for ACI. Since then, our partnership has clicked into high gear. We had a very successful F5 Agility event at Copenhagen (June) and New York (early August) showcasing the Cisco ACI-F5 BIG-IP joint solution in breakout sessions, world of solutions Expo, and in keynotes Panels. Cisco also published a jointly written technical whitepaper, a solutions brief and a Design guide with F5. In the webcast planned for Jan 13, we have an exclusive partner panel session featuring F5 exec, Calvin Rowland, and Cisco Exec, Soni Jiandani. I urge you to tune in to this webcast to get the low-down on the customer traction and how customers are benefiting from the policy based automation and application centric approach of our joint solution.

The Citrix and Cisco strategic partnership dates back to early 2010 with a strategic alliance on the UCS-Citrix Desktop Virtualization front. Since then, our alliance has expanded to other technology areas, and in August we introduced the ACI-Citrix NetScaler joint solution to market with the availability of the Citrix device package for Cisco ACI. Citrix and Cisco ACI engineering teams are also actively working in IETF and ODL standards efforts to create thought leadership around NSH and the OpFlex protocols. I can vouch that it will be a rewarding experience for you to listen to Steve Shah of Citrix at the Jan 13 webcast, and get insights on how customers are benefiting from our joint solution featuring open policy model and a programmable infrastructure. Check out the solutions brief and whitepaper from our joint website to gather more details.

A10 Networks is the new kid on the ACI eco-system block. ACI’s SDN paradigm is a natural fit for A10 Networks’s vision and strategy to expose L4-L7 networking features programmatically. As a first step, A10 Networks has successfully certified their device package for ACI and is now available for download. The A10 device package is open source, and can be easily enhanced by customers to create custom value with near ubiquitous programmability. Exciting near term joint engagements include potentially collaborating on an OpFlex and NSH standards effort as well as some advanced ADC features such as WAF, SSL offload, GSLB, and device partitions among others. I do not want to steal all of the webcast’s thunder, so tune in on Jan 13 to get a 360 degree view from A10 CTO Raj Jalan.

As I am writing this blog there is more exciting news. Yes, Radware is also testing their ACI device package with the Insieme Business Unit now. Stay tuned to hear more outcomes on this engagement. The L4-L7 ACI eco-system momentum is truly on a fast track. In closing, I want to re-iterate, do not forget to register for Cisco’s ACI webcast set for Jan 13.

Related Links

http://blogs.cisco.com/datacenter/citrix-netscaler-device-package-for-cisco-aci-goes-fcs

http://blogs.cisco.com/datacenter/f5-device-package-for-cisco-apic-goes-fcs

http://blogs.cisco.com/datacenter/aci_webcast

 

Tags: , , , ,

Cisco Adds Check Point Next-Gen Security Gateway to Growing List of Strategic ACI Partners

Cisco is announcing another important strategic partner to its list of ACI-compliant vendors with the addition of the Check Point Next Generation Security Gateway to the ecosystem. A couple months ago I wrote about the inherent security architecture in ACI (Security for an Application Centric World), and now the Check Point solutions fit right into that framework as an alternative to Cisco security solutions. Essentially, this means that the ACI controller, APIC, can now configure the application network to include the insertion and provisioning of Check Point virtual and physical security gateways as it does other Layer 4-7 application services and security appliances. The availability of the Check Point solutions will offer customers greater choice and flexibility while underscoring the open, multi-vendor approach of ACI.

[Note: Check Point will be participating in our upcoming ACI Webcast event: “Is Your Data Center Ready for the Application Economy”, January 13, 2015, 9 AM PT, Noon ET, featuring ACI customers and several other key ACI technology partners. Register here.]

In scalable, multitenant cloud environments with flexible resource placement, almost every workload must be secured from every other workload, with detailed security policies enabled between workloads in an application network: a concept called micro-segmentation. This level of security policy detail can become tedious to manage on an application-by-application basis. It also can potentially restrict workload mobility and the ways that applications can be deployed in the cloud.

Cisco ACI policies abstract the network, devices, and services into a hierarchical, logical object model. In this model, administrators specify the Layer 4 through Layer 7 services (firewalls, load balancers, etc.) that are applied, the kind of traffic to which they are applied, and the traffic that is permitted. These services can be chained together and are presented to application developers as a single object with simple input and output. Connection of application-tier objects and server objects creates an application network profile (ANP). When this ANP is applied to the network, the devices are told to configure themselves to support it. Tier objects can be groups of hundreds of servers, or just one device; the same policies are applied to all the objects in a single configuration step (see below).

Check Point Integration

The Application Profile Defines Security and Application Policies for Application Networks, and Cisco APIC Manages and Provisions Security Resources in the Fabric, Such as a Check Point Firewall, with the Right Policies for Each Application, at the Right Location

The integration with Check Point Next Generation Security Gateway provides automated security provisioning and a full range of security protections and threat-prevention capabilities in a highly dynamic and agile Cisco ACI environment. Check Point Security Gateways can be deployed as physical or virtual solutions and address today’s ever-changing threat landscape with a modular and dynamic security architecture.

Read More »

Tags: , , , , , ,