Intuit Application Centric ACI Deployment Case...

Source: d2zmdbbm9feqrf.cloudfront.net/2016/usa/pdf/CCSACI-2002.pdf

Intuit Application Centric ACI Deployment Case Study

Joon Cho, Principal Network Engineer, Intuit

Lawrence Zhu, Solutions Architect, Cisco

CCSACI-2002


Agenda

• Introduction

• Architecture / Principle

• Design

• Rollout

• Key Highlights

• Outlook

• Conclusion


Introduction

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public. CCSACI-2002

Who We Are: Maker of small business software


Who We Are

• Customer driven innovation

• Heavily focused on cloud and mobile

• Multiple application suites

• Application / developer centric

Company and Business Strategy


Who We Are

• Critical to offer following features and functions

• Agility

• Expose API to end user

• Allow end user control

• Infrastructure abstraction

• Enable East-West traffic growth

IT / Network Strategy


Architecture / Principles


Legacy Data Center Design

• North – South traffic pattern application

• Layer 2 segmentation

• 3-Tier design

• Security classification by trust and execution level


Data Center Network Design Principles

• Application Aware

• Integrate application and network to interact with event or pattern-driven changes

• Simplified Security

• Security policies centrally managed and logged

• Security zones flattened (compliance treated separately)

• Abstracting the security policies from infrastructure

• Hybrid Cloud capable

• Ability to leverage the private/public cloud; not tied to a datacenter dependency

• Location agnostic policy-driven configurations

• Visibility

• Single dashboard that provides end-to-end visibility around health and performance

• Simplified

• Migration, ease of operation, associating metadata and associating the policy with the application vs the infrastructure

• Predictable Performance

• Consistent, predictable performance

• Flexible

• Purpose-built modular environments with smaller layer 3 domains allowing for expansion (spine leaf)

• Availability

• Network resiliency appropriate to the tier and aligned with app resiliency

• Programmable

• Common workflows via APIs for self-service consumption


Intuit Data Center Architecture - Fabric

[Figure: Intuit data center fabric. Two spine-leaf sites, each drawn with spines (S), leaves (L), service leaves (SL) and border leaves (BL) grouped into Service, Compute/Storage and Compliance pods (the Compute/Storage leaf pairs repeated "x N"), plus nodes labelled C. Border routers (BR) join the sites over the Fabric Backbone via service providers SP1/SP2 (MPLS), P2P links and P-Cloud connections.]


Selection of ACI

• Interviewing multiple SDN platforms in the market focusing on principles

• Abstraction of underlying infrastructure

• Management and visibility of physical infrastructure

• Compute agnostic (BM / VM)

• Supporting incumbent hypervisor (vCenter/ESX 5.5 at the time of deployment)

• Fully supported restful API


Design


ACI Fabric Design Overview

[Figure: tenant layout. Tenant: Common (100+ tenants with RBAC) holding the Default VRF, Compliance VRF and Storage VRF, Management and External Connectivity; application profiles App: Prod, App: Pre-Prod and App: Compliance, each with Web EPG, App EPG and DB EPG; Storage.]

• Secure multi-tenancy

• App, Compute and Network Visibility

• DC Operations, DC Automation

• Network Capacity and Bandwidth

• Any Workload, Any VLAN, Any Where


ACI Fabric Design Highlights

• Application centric multi-tenant approach

• Tenants, application profiles and EPGs are created based on execution / functional segments

• Contexts/VRFs and bridge domains (BD) are created in tenant common for shared external access; BD subnets can be advertised out through BGP

• Three (3) major contexts/VRFs: one for the compliance zone, one for the non-compliance zone, and one for the storage network

• All access in and out of the compliance zone passes through the ASA firewall for stateful access control. Access between EPGs within the compliance zone is controlled by regular contracts/filters

Tenants / Contexts


ACI Fabric Design Highlights – Cont’d

• Fewer bridge domains with larger subnet shared by EPGs from multiple user tenants

• Decouple BD/IP from application

• Endpoints can be moved from EPG to EPG without changing their IP addresses

• Allow ease of application deployment through the app env lifecycle

• Leveraging unidirectional TCP contracts/filters and vzAny contracts/filters for optimized policy TCAM resource use

• IP storage vNIC/endpoints and IP storage filers are contained in their isolated context and fully utilize benefit of vzAny contracts

Bridge Domain / Storage / Contracts



Network Service Design

• ASA with two logical interfaces, one to the compliance context and one to the default context, acts as a router between the two contexts

• Centralized access policy control/configuration through the APIC REST API; the same automation tool configures fabric contracts and ASA ACEs

• Leveraging the dynamic EPG feature in the device package, ACEs can be configured based on EPG name

• L4-L7 service parameters are configured at the application profile level, one centralized place per tenant for configuring and updating service policies

• One main ASA service graph template for all tenants

Firewall Service Insertion


Inter-Site Access Policy Consistency

• Preserving the ACI group-based policy model between sites

• EPGs stretched for policy extension across fabrics/DCs

• L3out ExtEPG in site 2 for EPG in site 1 and vice versa

• Dynamically sync endpoints for stretched EPGs between sites

• Using existing L4-L7 service graphs between the DCs

ACI Toolkit Application

[Figure: DC#1 and DC#2, each with Web, App and DB EPGs, connected over an IP network; extension using Layer 3 Out.]


Rollout


How We Did This

• More time allocated for POC than traditional deployment

• Four months in POC lab, one and a half months for two data center production deployment

• Management support

• Resources from cross functional teams for POC and post-deployment WAR Room

• Platform team for vCenter / vmm integration

• Storage team for storage build out

• Application teams for EPG, contract build out

• Security team for compliance requirements review

• Network operations team for monitoring and general operational support

• Automation team for scripting and integration portal

Project plan and logistics

Page 21: Intuit Application Centric ACI Deployment Case Studyd2zmdbbm9feqrf.cloudfront.net/2016/usa/pdf/CCSACI-2002.pdfIntuit Application Centric ACI Deployment Case Study ... SP1 SP2 BR BR

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 21CCSACI-2002

Production Fabric Deployment

• Complete replica of the production in the lab

• Multiple iterations of POC rebuild until the dual data center build

• Full integration testing of applications during POC

• Leverage SVS lab for design / scaling verification

• Unenforced mode for initial application on-boarding and validation

• Script to build out production

• Discovery / registering of switches

• Deployment of BD, EPG, contracts

• Reduce deployment schedule

• Leveraged scripts

Project plan


Key Highlights


Automation Tools – Dashboard

• Leverage Graphite tool

• Python based polling script

• Trend data as well as status


Automation Tools – Rango

• Python based

• Subscribing to classes of configuration over websocket

• e.g. fvAEPg for application endpoint group

• Leverage separate DB

• Contract

• Endpoint profile search


Automation Tools – Loom

• Python based

• Standard tool to deploy contracts (ACL), EPGs, and static bindings

• No direct access to the APIC GUI

• Network team only for exceptions

• Series of validations

• Service-chained to CMDB and change request
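As an added illustration (not Intuit's Loom or any Cisco code), the following Python sketches the validate-then-build step such a tool performs for the design on the earlier slides: a request for one consumer/provider EPG pair is checked before any APIC call, then rendered into the APIC JSON for a TCP contract whose EPGs reference a bridge domain kept in tenant common. The ACI class and attribute names (fvTenant, fvAp, fvAEPg, fvRsBd, fvRsCons, fvRsProv, vzBrCP, vzSubj, vzRsSubjFiltAtt, vzFilter, vzEntry) are from the ACI object model; the request fields, naming rule, change-id requirement and sample values are assumptions.

```python
import json
import re
from typing import Any, Dict, List

# APIC object names: letters, digits, '_', '.', ':' and '-', at most 64 characters
# (assumed naming rule for the pre-flight check; align it with your own CMDB standard).
NAME_RE = re.compile(r"^[A-Za-z0-9_.:-]{1,64}$")
NAME_FIELDS = ("tenant", "app", "bd", "consumer_epg", "provider_epg", "contract")


def validate_request(req: Dict[str, Any]) -> List[str]:
    """Pre-flight checks run before any APIC call; an empty list means deployable."""
    errors: List[str] = []
    if not req.get("change_id"):  # every change is tied to a change request
        errors.append("missing change_id")
    for key in NAME_FIELDS:
        if not NAME_RE.match(str(req.get(key, ""))):
            errors.append(f"invalid or missing APIC name for {key}")
    if req.get("consumer_epg") == req.get("provider_epg"):
        errors.append("consumer and provider EPG must differ")
    lo, hi = req.get("port_from"), req.get("port_to")
    if not (isinstance(lo, int) and isinstance(hi, int) and 1 <= lo <= hi <= 65535):
        errors.append(f"bad TCP port range {lo}-{hi}")
    return errors


def build_payload(req: Dict[str, Any]) -> Dict[str, Any]:
    """APIC JSON (as a dict) for one tenant: TCP filter, contract, and an app profile
    whose consumer and provider EPGs both bind to a bridge domain kept in tenant common."""
    flt = f"{req['contract']}-flt"
    lo, hi = req["port_from"], req["port_to"]

    def epg(name: str, relation: str) -> Dict[str, Any]:
        return {"fvAEPg": {"attributes": {"name": name}, "children": [
            {"fvRsBd": {"attributes": {"tnFvBDName": req["bd"]}}},  # resolved via common
            {relation: {"attributes": {"tnVzBrCPName": req["contract"]}}}]}}

    return {"fvTenant": {"attributes": {"name": req["tenant"]}, "children": [
        {"vzFilter": {"attributes": {"name": flt}, "children": [
            {"vzEntry": {"attributes": {"name": f"tcp-{lo}-{hi}", "etherT": "ip", "prot": "tcp",
                                        "dFromPort": str(lo), "dToPort": str(hi)}}}]}},
        {"vzBrCP": {"attributes": {"name": req["contract"]}, "children": [
            {"vzSubj": {"attributes": {"name": "subj"}, "children": [
                {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": flt}}}]}}]}},
        {"fvAp": {"attributes": {"name": req["app"]}, "children": [
            epg(req["consumer_epg"], "fvRsCons"), epg(req["provider_epg"], "fvRsProv")]}}]}}


# Constructed sample request (not from the deck): web tier reaching the app tier on TCP 8443.
SAMPLE = {"change_id": "CHG-0001", "tenant": "bu-finance", "app": "prod", "bd": "shared-bd-1",
          "consumer_epg": "web", "provider_epg": "app", "contract": "web-to-app",
          "port_from": 8443, "port_to": 8443}

if __name__ == "__main__":
    problems = validate_request(SAMPLE)
    print("\n".join(problems) if problems else json.dumps(build_payload(SAMPLE), indent=1))
```

The returned dict is the body that would be POSTed to the APIC `/api/mo/uni.json` endpoint after the checks pass; the HTTP call itself is deliberately left out.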


Network Changes – Legacy vs Fabric Change Rate

[Chart: monthly network change count, Legacy vs Fabric, Oct-15 through Apr-16; y-axis 0 to 3500.]


Network Changes – Manual vs Automated: Automation Rate

[Chart: Automated Network Changes – ACI Fabric vs Legacy (Non-Fabric Automated vs Fabric Automated), Jan-16 through Jun-16; y-axis 0.00% to 120.00%.]


Customer Testimony – From BU Leaders

“On top of that, many network tasks that are required can now be automated or executed directly from my team leading to even more efficiency. This again saves us days waiting for a central network team to complete our requests.”

“The most important gain for us is in the Contract vs ACL difference. Though it requires some initial setup that is comparable to our legacy environments, all subsequent deployments into an application automatically have the necessary network access.

This means a savings of anywhere from 1 to 7 days or more on every deployment, depending on size and complexity. We can provision a server in a matter of minutes, execute post-provisioning via Chef, and hand it off to the requesting business unit in a matter of hours instead of days.”


Outlook


Future Plan

• Expansion of existing fabric

• 196 more leafs within the next 18 months

• More BUs / applications

• Upgrade of APIC to leverage new features

• Ingress-only policy

• SGT (security tag) based policy on ASA

• Distributed / software-based load balancing

• Micro-segmentation of fabric

Plans and projection


Challenges


ACI Network Design

• Understanding ACI as a programmatic approach vs a legacy network device

• Multi-fabric and contract enforcement

• Inter-site tool

• Compatibility with legacy

• How to handle contract to legacy ACL mapping – IP group, security tag

• Operational learning curve

• Engage Cisco services as early as possible

• TCAM

• Scale test revealed a potential resource constraint in the border leaf

• Added new pairs of border leafs and policy-based routing

Technical challenges


Conclusion


Conclusion

• Leverage programmability and automation

• Team members who know REST and scripting

• Planning is the key

• Application team and platform team integration and input from the beginning of the design stage

• Must fully understand the application traffic flow

• Spend enough time in the lab and POC to understand ACI

• Joint project planning with the Cisco team is a must

• Work closely with the Cisco AS team; leverage Cisco Solution Validation Services (SVS)

Key Takeaways
