Friday, August 30, 2013
4. What is DevOps all about?
Wednesday, August 28, 2013
Cloud Consumers want the following, and these are driving network virtualization:
- Ability to deploy apps at scale and with little preplanning (provisioning speed and efficiency)
- Mobility to move workloads between different geographies and providers (investment protection and choice)
- Flexibility to create more diverse architectures in a self service manner (rich L3-L7 network services)
- Management Plane = NSX Manager - programmatic web services api to define logical networks
- Control Plane = Control Cluster
- Clustered App runs on x86 servers, controls and manages 1000s of edge switching devices, does NOT sit in data plane
- Data Plane = OVS/NVS
- Open vSwitch (OVS) is a VMware-led open-source project
- NSX vSwitch (NVS) is a software vSwitch in ESXi kernel
- Switch software designed for remote control and tunneling installed in hypervisors, NSX gateways or hardware VTEP devices
- Can work with vSphere, KVM, XenServer
- vSwitch in each hypervisor controlled through API by Controller Cluster
- NSX manager uses this API, so does cloudstack, openstack, CMS/CMP, VMware
- To get between physical and virtual networks, Open vSwitch NSX Gateway or HW Partner VTEP Device is used
- NSX Controller Cluster establishes an overlay network
- Multiple tunneling protocols including STT, GRE, VXLAN
- Packets are encapsulated with Logical Switch info
- The tunneling protocol is NOT network virtualization, rather, it is a component of it
- Automated network provisioning
- Inter-rack or inter-DC connectivity
- P2V and V2V migration
- Burst or migrate enterprise to cloud
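Since the whole point of the NSX Manager API is to define logical networks programmatically, here is a minimal Python sketch of what a logical-switch creation call might look like. The endpoint path, field names, and manager address are my assumptions for illustration, not the documented API:

```python
import json

NSX_MANAGER = "https://nsx-manager.example.com"  # hypothetical manager address


def build_logical_switch_request(name, transport_zone_uuid, tunnel_type="stt"):
    """Build the URL and JSON body for a logical-switch creation call.

    The /ws.v1/lswitch path and the payload keys are assumptions sketched
    from the NVP-style API, not verified against NSX documentation.
    """
    url = f"{NSX_MANAGER}/ws.v1/lswitch"
    body = json.dumps({
        "display_name": name,
        "transport_zones": [{"zone_uuid": transport_zone_uuid,
                             "transport_type": tunnel_type}],
    })
    return url, body


url, body = build_logical_switch_request("customer-a-ls", "tz-1234")
print(url)
print(body)
```

A cloud management platform (CloudStack, OpenStack, or the NSX Manager UI itself) would POST this kind of request rather than touching individual hypervisor vSwitches.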
The whiteboard snapshot above was drawn to demonstrate the basic components of NSX and how VMs communicate using the virtual overlay network
The example uses ESXi on left and KVM hypervisor on right (HV1 and HV2)
- Each connected to IP fabric
- 3 controllers drawn in the middle
- Intelligent Edge NVS installed on ESXi and OVS installed on KVM
- Controllers talk with ESXi over the vmkernel management interface; something similar applies to KVM
- Addresses are assigned that are used for encapsulation and direct communication between hypervisors: 172.16.20.11/24 on the left, 172.16.30.11/24 on the right
- Customer A is green, they have a VM on each hypervisor (192.168.1.11 on left, 192.168.1.12 on right)
- Customer B is red, they have VM on each hypervisor with SAME IP ADDRESSES - logically separated similar to VRFs (I didn't get a picture of this--sorry)
- Controller cluster controls virtual ports, so they can programmatically control QoS, Security, Distributed Routing
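The overlapping-address trick in the whiteboard example (Customers A and B reusing the same tenant IPs) works because lookups are scoped per virtual network. A deliberately simplified Python model, not NSX internals — the VNI values are invented, and the addresses come from the example above:

```python
# Forwarding state keyed by (virtual network ID, tenant destination IP).
# Two tenants can reuse 192.168.1.x because the VNI disambiguates them,
# much like a VRF. The lookup result is the hypervisor transport address
# (tunnel endpoint) to encapsulate toward.
forwarding_table = {
    # Customer A (assumed VNI 5001)
    (5001, "192.168.1.11"): "172.16.20.11",   # VM on HV1 (ESXi)
    (5001, "192.168.1.12"): "172.16.30.11",   # VM on HV2 (KVM)
    # Customer B (assumed VNI 5002) reuses the SAME tenant IPs, no conflict
    (5002, "192.168.1.11"): "172.16.20.11",
    (5002, "192.168.1.12"): "172.16.30.11",
}


def encap_target(vni, dst_ip):
    """Return the hypervisor tunnel endpoint for a tenant packet, or None."""
    return forwarding_table.get((vni, dst_ip))


print(encap_target(5001, "192.168.1.12"))  # 172.16.30.11
```

The real controller cluster programs this kind of state into each vSwitch; the hypervisors then tunnel tenant frames to each other over the IP fabric using STT, GRE, or VXLAN.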
Tuesday, August 27, 2013
Started out a productive day with my first-ever Frittata and some delicious croissants at breakfast in Moscone South. Having seen the debacle of "breakfast" at last year's VMworld, the seating this year was at least an improvement with areas available in both Moscone South and West.
I went to the General Session at 9am, but as I was seated towards the back I couldn't see the bottom of the screens. There were no screens overhead, only 3 or 4 large screens up front. In addition, the vmworld2013 wireless SSID was nowhere to be seen. The Press SSID (vmwaremedia) was available but locked down. Attempts to use my AT&T MiFi were stifled due to the overwhelming RF interference in the area. And I had AT&T cell coverage but no throughput. Having seen how well wireless CAN be delivered at Cisco Live, even in this kind of space for 20,000+ people, I was very disappointed. I decided to go watch the Keynote from the Hang Space, but that was full to capacity with a line waiting to get in. I finally gave up and walked over to Moscone West, 3rd floor, and sat at a charging station watching the live stream while waiting for my first breakout session. (Kudos at least for the stream working.)
My first session was "Moving Enterprise Application Dev/Test to VMware’s internal Private Cloud -- Operations Transformation (OPT5194)." This was a great story of how leadership from the top pushed VMware to implement Infrastructure as a Service (IaaS). Kurt Milne (@kurtmilne) (VMware Director of CloudOps) and Venkat Gopalakrishnan (VMware Director of IT) shared lessons learned during VMware's internal implementation of a service catalog and the automation of processes which used to require manual intervention by cross-functional teams over the course of weeks. The process of standing up a new Software Development Life Cycle (SDLC) series of dev/test/uat/stage/prod environments has been greatly automated and provisioning time reduced from 4 weeks to 36 hours and they plan to reduce it to 24 hours in the near future. If you're going through a similar journey in your organization, this session is a must see when recordings and slides are released after the conference. I believe the session was also live-tweeted by @vmwarecloudops.
The other session I attended today was the very popular "What's New in VMware vSphere" presented by Mike Adams (http://blogs.vmware.com/vsphere/author/madams). We reviewed some of the new features released in vSphere 5.1 last year as well as some of the changes made for vSphere 5.5 this year. Some key takeaways for me (your mileage may vary):
- vSphere is now wrapped up with Operations Management, i.e., vCenter Operations Manager (vCOPS). Referred to as "vSphere with Operations Management" it's now available in the Standard, Enterprise, and Enterprise+ flavors, each of which includes vCOPS Standard. See snapshot of feature breakout and license cost.
- vCloud Suite variations all include vSphere Enterprise+, vCloud Director (vCD), and vCloud Networking and Security (vCNS). The individual flavors depend on the version of vCOPS and vCloud Automation Center (vCAC) which are Standard, Advanced, and Enterprise. In addition, the Enterprise SKU also includes vCenter Site Recovery Manager (vC SRM).
- vSphere Web Client is replacing vSphere Windows Client, so we "better get comfortable with it." If I understand correctly, vSphere 5.5 includes support for all functionality in the Web Client now but not the Windows Client.
- New features in vSphere 5.5 include: VMDK file support up to 62TB, 4TB memory per host, 4096 vCPUs per host.
- vSphere Replication allows full copying of workloads, including the VMFS files, without shared storage. This perhaps saves the cost of more expensive synchronous or asynchronous storage replication, but has a somewhat limited Recovery Point Objective (RPO) of about 15 minutes. Still, this may be a good fit for some organizations for DR (including mine).
In addition to the sessions I was able to complete three labs (between yesterday and today) all related to VMware's recently announced vCloud Hybrid Service (vCHS). HOL-HBD-1301, HOL-HBD-1302, and HOL-HBD-1303 give a good introduction to the components and steps necessary to migrate workloads from a vSphere or vCloud Director environment in your own datacenter to the vCHS environment, as well as networking & security components and managing the service.
One big announcement during the morning General Session/Keynote was the release of VMware's network virtualization product called NSX. This is the marriage of Nicira (an earlier VMware acquisition) and vCNS/vShield in a new product. As a network engineer by background and training, this is particularly interesting to me. I was able to start the NSX lab (HOL-SDC-1303) but couldn't yet finish as I ran out of time. I plan to finish tomorrow. More to come on that.
I have to give a big thumbs-down to VMworld's requirement that we all get our badges scanned as we enter lunch. I don't remember this last year, nor have I ever seen this at any other conference I've attended. What gives? It's hard to hold a herd of hungry humans back from the food!
Finally, I visited with some fine folks at the Rackspace booth in the Solutions Exchange, including Waqas Makhdum (@waqasmakhdum). I now understand that Rackspace's OpenStack platform uses a different hypervisor solution than VMware or Amazon EC2, but they offer guaranteed uptime with a phone number to call for support and apparently pretty reasonable costs for running a VM you control, or even hosting the VM and just having you run your application on it. Also, I learned they offer VMware-based Managed Virtualization to allow you to "Set up a single-tenant VMware environment at our data center, rapidly provision VMs, and retain full control using the orchestration tools you’re familiar with." (Ref: http://www.rackspace.com/managed-virtualization/)
I'm failing to mention all the great people I met and conversations I had, but one would expect nothing less from a great conference!
Sunday, August 25, 2013
It's time for VMware's 10th Annual VMworld conference in beautiful San Francisco! This is my second trip to VMworld and I'm looking forward to making it my best one yet. As such, I'd like to share some of my goals for this week. I feel that publishing my objectives tends to keep me motivated.
1. Gain better understanding of NSX (came from vCNS/vShield and Nicira) and dive more into details of VMware networking
2. Better understand OpenStack and maybe take a test drive
3. Learn some basic functions of PowerCLI
4. What is DevOps all about?
5. Set up vCloud Director and/or vCenter Orchestrator and try it out
6. Learn about VMware's Internal Private Cloud for dev/test workloads
7. What is Cloud Foundry and how does it relate to my company?
If you have insights or can point me in the right direction please do! Comment below or find me on Twitter (@swackhap).
Thursday, June 27, 2013
- Can only stack up to 4 currently (should be updated in Fall 2013)
- Not every feature supported by 3750X is supported by 3850 yet
- The 3850 runs IOS XE whereas the 3750X runs IOS
- .@JimmyRay_Purser did a great job moderating this panel #clus #noc
- Applause for question managers that have been answering questions in the #clus app #noc
- Q: How many boxes got stolen this year? A: 1 classroom switch and an AP and switch loaned to vendor #clus #noc
- Question: was there a noticeable uptick in HTTPS over HTTP over last year? Answer: Yes #clus #noc
- They used @Splunk to help with security analysis of firewall logs, etc. #clus #noc
- The esteemed #clus #noc panel http://t.co/ho2jPjDpZg
- Mobile app developed outside of Cisco, delay due to CA cert used and not the network (maybe a cert check?) #clus #noc
- Things were rushed with the mobile app, lessons learned, they plan to make experience smoother next year #clus #noc
- HTTP data is still being processed for top websites used, NetMan might publish blogpost about it when done #clus #noc
- All other controllers for session rooms and hallways ran v7.3MR #clus #noc
- WoS controllers started on v7.3, needed more tweaks based on devices seen, so moved down to v7.2 to give the “knob” needed #clus #noc
- They have months of WebEx sessions in advance to prep for show #clus #noc
- Collaboration done over Google Docs in many cases to share IP address info, etc; used Push-to-talk radio to communicate on-site #clus #noc
- IPv4 used exclusively for NetMan, IPv6 only used for DHCP #clus #noc
- no IPv6 was provided in WoS wireless to ensure stability and reduce the load that would have been needed for IPv6 multicast #clus #noc
- Jimmy-Ray is taking questions. Anybody? #clus #noc
- “Thank you for exercising our network and attending Cisco Live” #clus #noc
- Network was 100% reliable for the duration of the show #clus #noc #applause
- video streaming exceeded HTTP for traffic breakdown #clus #noc
- Vendors would sometimes shut off things, including switches in rooms, to help save power #oops #clus #noc
- Intelligent Automation - allowed users to use web portal to switch a port to a particular vlan without knowing details #clus #noc
- switches would use EEM to figure out themselves what VLAN they were on by pinging all possible gateways then self-configure #clus #noc
- Used EEM to set port descriptions based on CDP neighbors plugged in (embedded automation) #clus #noc
- used Cisco Prime LMS to help provision IDF and room switches #clus #noc
- …Prime Infrastructure, StealthWatch, Plixer; syslog also sent to FreeBSD and forwarded to interested parties #clus #noc
- Flex Netflow sent from 6500 core and dist switches to FreeBSD VM “exploder” which forwarded to other collectors… #clus #noc
- SNMPv3 authPriv (SHA/DES) with ACLs, NAM 2304 appliance used to track traffic volume and utilization #clus #noc
- Joe Clarke - Network Mgmt - very impressed with a lot of Network Academy folks he worked with #clus #noc
- peak 10k IOPS, peak data rate 140MB/s #clus #noc
- Colo storage: Sunnyvale NetApp FAS2240-4 26 TB total cap, mirrored to it from local DC each night for backups #clus #noc
- 12 TB provisioned to VMware x2 mirrored to HA partner, 28% saved on dedup, 8.6TB used on disk #clus #noc
- 18TB provisioned to VMs (mostly thick provisioned); 6TB saved by thin provisioning; 14TB physical capacity avail #clus #noc
- Self-paced labs used virtual desktops running on NetApp storage with UCS #clus #noc
- All recordings from all sessions go to this storage, higher workload than last year, video surveillance stored on UCS local disk #clus #noc
- NetApp FAS3240 HA Pair, 2x DS2246 Disk Shelves, same equipment as last year #clus #noc
- Patrick Strick - NetApp in Datacenter #clus #noc
- Physical safety and security - 6001 events consumed, 12 physec tickets, monitoring based on motion detection #clus #noc
- security analytics: 1.2B events syslogged; 12 events resulted in FW blocks #clus #noc
- Adam Baines - remote monitoring services: core fault mgmt, security event, physical safety and security video #clus #noc
- Bus cams used DMVPN over LTE, worked very well #clus #noc
- He has some interesting footage of us coming back from CAE last night on the buses #clus #noc
- Able to analyze lines of people to help optimize for future events #clus #noc
- 6TB data storage consumed for video surveillance, 35 mobile cams on hotel shuttles, running on UCS in DC #clus #noc
- Physical Security with Lionel Hunt, worked with John Chambers head of security, 45 cameras deployed, 2Mbps per camera #clus #noc
- Some people doing call-home to botnets - check your stuff #clus #noc
- maxed around 1000 conns/sec, FWs never passed 7% CPU #clus #noc
- 26.5 TB transferred through firewalls through the week #clus #noc
- No firewall failover even when cables were removed and replaced during full production at 800Mbps of throughput #clus #noc
- Secure Edge Architecture, ASAs deployed in transparent mode active/standby HA, failover only occurs when 2 ints failed #clus #noc
- ASA5585X SSP-60, 2 pair, IPS-SSP-60 (4) for IPv4; ASA5585-X SSP-20, 1 pair, IPS-SSP-20 (2), for IPv6 #clus #noc
- Security - Per Hagen; CSM 4.4, Cisco Cyber Threat Defense #clus #noc
- Apple 6K clients, Intel 2k clients, Samsung 953 clients total for week #clus #noc
- 60% clients on 2.4GHz, 1 on 802.11b, 171 on 802.11a, 300 on 802.11g #noc #clus
- Peaked at 13.4K clients Tues and Wed, today crossed 10K clients on wireless, 293 per AP for the big rooms #clus #noc
- 180x3502P w/Air-ANT25137NP-R stadium antennas to cover keynote and WoS #clus #noc
- 300x3602 APs in hallways/session rooms in OCCC, 110x3602 APs in Peabody, 87 in-house APs for some coverage in OCCC #clus #noc
- 7x58 controllers for session rooms, hallways, and Peabody; 3x5508 controllers for Keynote and WoS areas; 4xMSE 7.5 for Location #clus #noc
- Mir Alami - wireless - TME, very happy about how well things went this year #clus #noc
- EEM scripts and Twitter’s API were used to tweet from @CiscoLive2013 account for distribution Switch #clus #noc
- Quad redundancy with Quad Sup SSO, new feature as of May, 15.7K unique IPv4 macs, 7.8K unique IPv6 macs #clus #noc
- …Flex Netflow on Sup2T for IPv4 and IPv6 traffic; 1TB of multicast traffic during show #clus #noc
- VSS Quad-Sup SSO and Multichassis Etherchannel, OSPF and BGP for IPv4 and IPv6, SNMPv3, CoPP, Syslog, etc for NetMan…#clus #noc
- Connection was also provided to Peabody’s 4500 switch(es) for their meeting rooms #clus #noc
- 2x6509E VSS, Sup2T, 40G backbone; Dist: 2x6513E + 2x6504E, Sup2T, 40G Ethernet #clus #noc
- Divya has done several shows last few years including Interop core #clus #noc
- Next up: Divya Rao, Switching Backbone #clus #noc
- Multi-hop FCOE used in DC with N7004 pair but ran into problems…solution was multiple VDC #clus #noc cc/ @drjmetz @ccie5851
- IPv4 220K PPS Denver, 74K PPS Sunnyvale; IPv6 12.7K PPS…8% traffic was IPv6 on avg #clus #noc
- Local AS 64726…”thank you for stressing my network”…940Mbps from Denver, 615Mbps from Sunnyvale peaks #clus #noc
- RPKI validation tested this year with SoBGP for IPv4 and IPv6 for full Internet routing table #clus #noc
- Sunnyvale, Denver uplink sites for Centurylink #clus #noc
- Networking Academy had 40 people here all week #clus #noc
- CenturyLink ISP had rep on-site all week. Savvis provided DC services #clus #noc
- Routing and DC: Patrick Warichet #clus #noc
- 8 panelists will each present for 7 mins #clus #NOC
- PNLNMS-3000 Cisco Live Network and NOC, with Jimmy-Ray Purser #clus
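The embedded-automation tweets above (EEM setting port descriptions based on CDP neighbors) could look something like this IOS applet. This is a rough sketch using the EEM neighbor-discovery event detector and its built-in variables, not the NOC team's actual script; verify the variable names against your IOS release:

```
! Sketch only: interface regexp and action numbering are illustrative
event manager applet SET-PORT-DESC
 event neighbor-discovery interface regexp GigabitEthernet.* cdp add
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface $_nd_local_intf_name"
 action 4.0 cli command "description $_nd_cdp_entry_name"
```

The VLAN self-discovery trick mentioned above would follow the same pattern: an applet pinging candidate gateways and applying the switchport config for whichever one answers.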
- Routes can be leaked between VRFs by enabling "feature pbr" and setting up route-maps with "match ip" statements and linking them with "set vrf" commands. (ref: slide 50)
- Routes can be leaked with VRF-lite without an MPLS license by redistributing IGP into BGP and using "route-target export" and "route-target import" commands under the BGP routing configuration of each VRF. (ref: slide 52)
- Auto-cost reference bandwidth by default is 100Mbps in IOS but 40Gbps in NX-OS.
- BGP best-practice is to use "aggregate-address a.b.0.0/16" under BGP routing configuration. Do NOT use "network a.b.0.0/16" under BGP routing configuration. Do NOT use "ip route a.b.0.0/16 Null0" under VRF. The reason is that if "network" statement matches a static route to null0, MPLS traffic to that route may be dropped. (ref: slide 92)
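Pulling the slide-52 and slide-92 notes above together, the VRF-lite leaking approach might be sketched like this on NX-OS. The VRF names, ASN, OSPF instances, and route-target values are invented for illustration; note that on NX-OS the route-target statements live under `vrf context`, with the redistribution and aggregation under the BGP VRF address-family:

```
! Hedged sketch: RED/GREEN, AS 65000, and 65000:x RTs are assumptions
vrf context RED
  address-family ipv4 unicast
    route-target export 65000:1
    route-target import 65000:2
vrf context GREEN
  address-family ipv4 unicast
    route-target export 65000:2
    route-target import 65000:1
route-map IGP-TO-BGP permit 10
router bgp 65000
  vrf RED
    address-family ipv4 unicast
      redistribute ospf 1 route-map IGP-TO-BGP
      ! per slide 92: summarize with aggregate-address, not a null0 static
      aggregate-address 10.1.0.0/16
  vrf GREEN
    address-family ipv4 unicast
      redistribute ospf 2 route-map IGP-TO-BGP
```

With reciprocal import/export route-targets, each VRF learns the other's redistributed IGP routes through BGP without any MPLS license.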
- Web Help Desk - automated ticketing, asset management, knowledge base, communication
- Network Configuration Manager (NCM) - automatic config backup, realtime change alerts, compliance reporting
- Firewall Security Manager (FSM) - Java-based, runs on workstation, automated security and compliance audits, firewall change impact modeling, rule/object cleanup and optimization, can download configs from firewalls directly or from NCM
- Network Topology Mapper (NTM) - successor to LanSurveyor - network discovery, mapping, reporting, can export maps to Orion and open them in Orion Atlas
- Interface discovery can be filtered for import - for instance, you can tell it to only select trunk ports and not access ports on switches, then it will show you a list of all ports and the devices they belong to so you can manually uncheck ones you don't want to import.
- Route monitoring - NPM will poll routes from the routing table. Although Michal said EIGRP isn't yet supported, I have actually seen EIGRP routes pulled from my IOS and NX-OS routers. The IOS routers showed them labeled as EIGRP (I think) and NX-OS showed them as "Cisco IGRP" in Orion. I'm pretty excited about the possible alerts we can set up with this type of monitoring.
Tuesday, June 25, 2013
- EIGRP is no longer proprietary. Cisco has published an IETF Open-EIGRP Informational Draft. This means other companies can now implement EIGRP into their products if/when customers demand it.
- Neighbor authentication done with MD5 is no longer secure enough, so they've implemented SHA2-256 Hash-based Message Authentication Code (HMAC) to protect EIGRP messages exchanged between routers.
- The advent of 10Gbps links made it necessary to change the formula used to compute EIGRP metrics, now referred to as Wide Metric Support. They mentioned this was supported as of EIGRP release 8 and that the "show eigrp plugin" command would show the version, but I tried on NX-OS and IOS routers in my network and those commands didn't seem valid.
- How many of us enterprise customers use EIGRP in the LAN and have to redistribute with BGP for MPLS circuits? The problems inherent in this redistribution (which I have personally experienced, sometimes painfully) led them to create a new feature called Over the Top (OTP) which uses LISP to bridge two EIGRP-speaking "CE" routers across a provider's MPLS cloud. One of the CE routers acts as a "route reflector" (term borrowed from BGP) to consolidate route sharing amongst multiple CE routers connected to the MPLS cloud. OTP is shipping this month or next for IOS XE, then IOS in November.
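Putting two of these features together, a named-mode EIGRP configuration with SHA-256 authentication and an OTP neighbor might look roughly like this. The process name, AS number, password, and neighbor address are all made up, and the OTP neighbor syntax is my best recollection, so verify against current Cisco docs:

```
! Hedged sketch: names and addresses are placeholders
router eigrp DEMO
 address-family ipv4 unicast autonomous-system 100
  af-interface GigabitEthernet0/0
   ! SHA-256 HMAC neighbor authentication (replaces MD5)
   authentication mode hmac-sha-256 MySecretPassword
  exit-af-interface
  ! OTP: reach the remote CE across the provider cloud via LISP encapsulation
  neighbor 172.16.1.2 GigabitEthernet0/0 remote 100 lisp-encap 1
 exit-address-family
```

The LISP encapsulation means the provider's MPLS cloud never sees the EIGRP adjacency; to the two CE routers it looks like a directly connected neighbor.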