Application Centric Infrastructure. Network architecture of the future - from reasoning to action

Over the past few years, Cisco has been actively promoting a new architecture for building the data transmission network in the data center: Application Centric Infrastructure (ACI). Some of you are already familiar with it, and some have even deployed it in their enterprises, including in Russia. However, for most IT professionals and CIOs, ACI is either an obscure acronym or just speculation about the future.
In this article we will try to bring this future closer. To do this, we will describe the main architectural components of ACI and illustrate how it can be applied in practice. In addition, we will soon be hosting a demonstration of ACI in action, which any interested IT professional can sign up for.

You can learn more about the new network architecture in St. Petersburg in May 2019. All details are at the link. Sign up!

Background
The traditional and most popular model for building a network is the three-level hierarchical model: core -> distribution (aggregation) -> access. For many years this model has been the standard, and manufacturers have produced a variety of network devices with the corresponding functionality for it.
Previously, when information technology was a kind of necessary (and, to be honest, not always desirable) appendage to business, this model was convenient, very static and reliable. However, now that IT is one of the drivers of business development, and in many cases the business itself, the static nature of this model has become a big problem.

Modern business generates a large number of diverse and complex requirements for the network infrastructure. The success of the business directly depends on how quickly these requirements are implemented. Delay under such conditions is unacceptable, and the classical model of building a network often does not allow all business needs to be met in a timely manner.

For example, the appearance of a new complex business application requires network administrators to perform a large number of routine operations of the same type on many different network devices at different levels. Besides being time-consuming, this also increases the risk of a mistake that can lead to serious downtime for IT services and, as a result, to financial damage.

The root of the problem is not even the timing or the complexity of the requirements themselves. The fact is that these requirements must be "translated" from the language of business applications into the language of the network infrastructure, and, as you know, any translation always loses part of the meaning. When an application owner talks about the logic of their application, the network administrator understands it as a set of VLANs and access lists on dozens of devices that need to be maintained, updated and documented.

Accumulated experience and constant communication with customers allowed Cisco to design and implement new principles for building the data center network that meet modern trends and are based primarily on the logic of business applications. Hence the name: Application Centric Infrastructure.

ACI architecture
The ACI architecture is best considered not from the physical side but from the logical side. It is based on a model of automated policies, whose top-level objects can be divided into the following components:

  1. Network based on Nexus switches;
  2. Cluster of APIC controllers;
  3. Application profiles.

Let's consider each level in more detail, moving from simple to complex.

Network based on Nexus switches
The network in an ACI fabric is similar to the traditional hierarchical model, but it is much simpler to build. It uses the Leaf-Spine model, which has become the generally accepted approach for building next-generation networks. This model consists of two levels: Spine and Leaf.
The Spine level is only responsible for performance. The combined performance of spine switches is equal to the performance of the entire fabric, so switches with 40G ports or higher should be used at this level.
Spine switches connect to all switches in the next layer, the Leaf switches, to which end hosts connect. The main role of Leaf switches is to provide port capacity.

Thus, scaling issues are easily solved: if we need to increase the throughput of the fabric, we add Spine switches, and if we need more port capacity, we add Leaf switches.
For both levels, Cisco Nexus 9000 series switches are used, which for Cisco are the main tool for building data center networks, regardless of their architecture. For the Spine layer, Nexus 9300 or Nexus 9500 switches are used, and for Leaf only Nexus 9300.
The lineup of Nexus switches used in the ACI fabric is shown in the figure below.

APIC (Application Policy Infrastructure Controller) Cluster
APIC controllers are specialized physical servers, although for small deployments a cluster of one physical APIC controller and two virtual ones is permitted.
APIC controllers perform control and monitoring functions. It is important that the controllers never participate in data forwarding: even if all the controllers in the cluster fail, this does not affect the stability of the network. It should also be noted that the administrator manages all the physical and logical resources of the fabric through the APICs, and in order to make any change you no longer need to connect to a particular device, since ACI uses a single point of control.

Now let's move on to one of the main components of ACI - application profiles.
The Application Network Profile (ANP) is the logical foundation of ACI. It is the application profiles that define the interaction policies between all network segments and directly describe the network segments themselves. An ANP allows you to abstract away from the physical layer and describe how the interaction between different network segments should be organized from the point of view of the application.

An application profile consists of endpoint groups (EPGs). An endpoint group is a logical group of hosts (virtual machines, physical servers, containers, etc.) that belong to the same security segment (a security segment, not a network one). Membership of an end host in an EPG can be determined by a large number of criteria. The following are commonly used:

  • Physical port
  • Logical port (port-group on virtual switch)
  • VLAN ID or VXLAN
  • IP address or IP subnet
  • Server attributes (name, location, OS version, etc.)

Interaction between EPGs is governed by an entity called a contract. A contract defines the relationship between different EPGs; in other words, it defines what service one EPG provides to another. For example, we create a contract that allows traffic over the HTTPS protocol. Next, we connect EPG Web (a group of web servers) and EPG App (a group of application servers) with this contract, after which these two endpoint groups can exchange traffic using HTTPS.

The figure below describes an example of setting up the communication of various EPGs through contracts within the same ANP.
There can be any number of application profiles within an ACI fabric. In addition, contracts are not tied to a specific application profile; they can (and should) be used to connect EPGs in different ANPs.

In fact, each application that needs the network in one form or another is described by its own profile. For example, the diagram above shows the standard architecture of a three-tier application, consisting of some number of external access servers (Web), application servers (App) and DBMS servers (DB), and describes the rules for interaction between them. In a traditional network infrastructure, this would be a set of rules written on various devices across the infrastructure. In the ACI architecture, we describe these rules within a single application profile. By grouping all of these settings into one profile, ACI makes it much easier to create a large number of settings on many different devices.
The figure below shows a more realistic example: a Microsoft Exchange application profile built from multiple EPGs and contracts.

Central control, automation and monitoring is one of the key benefits of ACI. The ACI fabric frees administrators from the routine work of creating a large number of rules on various switches, routers and firewalls (although the classic manual configuration method is still allowed and can be used). Settings for application profiles and other ACI objects are automatically applied throughout the ACI fabric. Even when servers are physically moved to other ports of the fabric switches, there is no need to copy settings from the old switches to the new ones and clean up unnecessary rules: based on the host's EPG membership criteria, the fabric applies these settings automatically and removes unused rules automatically.
ACI's built-in security policy follows a whitelist model: whatever is not explicitly allowed is denied by default. Together with automatic updating of network equipment configurations (removal of "forgotten" unused rules and permissions), this approach significantly raises the overall level of network security and narrows the potential attack surface.
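To make the EPG, contract and whitelist concepts from the last few paragraphs concrete, here is an added example (not Cisco's code and not the APIC object model) that models how a fabric classifies hosts into EPGs by port, VLAN or subnet and permits inter-EPG traffic only where a contract exists. All EPG names, ports, VLANs, subnets and contracts are constructed for illustration.

```python
# Added example (not Cisco's code): a minimal model of how an ACI fabric
# classifies hosts into EPGs and permits inter-EPG traffic only by contract.
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

# A host as the fabric sees it: its IP, VLAN tag and attachment port (constructed naming).
Endpoint = namedtuple("Endpoint", "ip vlan port")
# A contract: the consumer EPG may open proto/dport connections to the provider EPG.
Contract = namedtuple("Contract", "consumer provider proto dport")

@dataclass(frozen=True)
class EPG:
    name: str
    vlans: tuple = ()    # membership by VLAN ID
    ports: tuple = ()    # membership by physical port
    subnets: tuple = ()  # membership by IP subnet

    def contains(self, ep: Endpoint) -> bool:
        addr = ipaddress.ip_address(ep.ip)
        return (ep.vlan in self.vlans or ep.port in self.ports or
                any(addr in ipaddress.ip_network(s) for s in self.subnets))

class Fabric:
    def __init__(self, epgs, contracts):
        self.epgs, self.contracts = epgs, contracts

    def classify(self, ep):  # name of the first EPG whose criteria match, else None
        return next((g.name for g in self.epgs if g.contains(ep)), None)

    def permitted(self, src, dst, proto, dport):  # whitelist: no contract, no flow
        s, d = self.classify(src), self.classify(dst)
        if s is None or d is None:
            return False  # unclassified hosts are covered by no policy at all
        if s == d:
            return True   # intra-EPG traffic is allowed by default
        return any(c.consumer == s and c.provider == d and c.proto == proto
                   and c.dport == dport for c in self.contracts)

# Constructed three-tier profile: Web -> App over HTTPS, App -> DB over TCP 5432.
FABRIC = Fabric(
    epgs=(EPG("Web", vlans=(10,)), EPG("App", subnets=("10.20.0.0/24",)),
          EPG("DB", ports=("leaf1/eth1/5",))),
    contracts=(Contract("Web", "App", "tcp", 443), Contract("App", "DB", "tcp", 5432)))
WEB1 = Endpoint("10.10.0.11", 10, "leaf1/eth1/1")
APP1 = Endpoint("10.20.0.11", 20, "leaf2/eth1/1")
DB1 = Endpoint("10.30.0.11", 30, "leaf1/eth1/5")
```

Moving `DB1` to another port, or giving a new server the App subnet, changes its classification and therefore its permitted flows with no per-switch rule edits, which is the automatic application and cleanup described above. The model only covers the initiating direction from consumer to provider; real contracts also carry subjects and filters and handle return traffic, which are omitted here.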

ACI allows you to organize networking not only for virtual machines and containers, but also for physical servers, hardware firewalls and third-party network equipment, which makes ACI a unique solution at the moment.
Cisco's new approach to building a data network based on application logic is not only about automation, security and centralized management. It is also a modern, horizontally scalable network that meets all the requirements of modern business.
Implementing a network infrastructure based on ACI allows all departments of the enterprise to speak the same language. The administrator is guided only by the logic of the application, which describes the required rules and relationships, and that same application logic guides the application's owners and developers, the information security service, economists and business owners.

Thus, Cisco is putting the concept of a new-generation data center network into practice. Want to see for yourself? Come to the Application Centric Infrastructure demonstration in St. Petersburg and work with the data center network of the future today.
You can register for the event here.

Source: habr.com