CCNA4 Chapter 7 Network Evolution
Software as a Service (SaaS)
delivers applications over the web to the end users.
Cloud Computing versus Data Center
The terms data center and cloud computing are often used incorrectly. These are the correct definitions of data center and cloud computing:
Data center - Typically a data storage and processing facility run by an in-house IT department or leased offsite.
Cloud computing - Typically an off-premise service that offers on-demand access to a shared pool of configurable computing resources. These resources can be rapidly provisioned and released with minimal management effort.
Cloud computing is possible because of data centers. A data center is a facility used to house computer systems and associated components. A data center can occupy one room of a building, one or more floors, or an entire building. Data centers are typically very expensive to build and maintain. For this reason, only large organizations use privately built data centers to house their data and provide services to users. Smaller organizations that cannot afford to maintain their own private data center can reduce the overall cost of ownership by leasing server and storage services from a larger data center organization in the cloud. Cloud computing is often a service provided by data centers, as shown in the figure. Cloud service providers use data centers to host their cloud services and cloud-based resources. To ensure availability of data services and resources, providers often maintain space in several remote data centers.
Cisco Application Centric Infrastructure (ACI)
or skill to program the network using SDN tools. However, the majority of organizations want to automate the network, accelerate application deployments, and align their IT infrastructures to better meet business requirements. Cisco developed the Application Centric Infrastructure (ACI) to meet these objectives in more advanced and innovative ways than earlier SDN approaches. ACI is a data center network architecture that was developed by Insieme and acquired by Cisco in 2013. Cisco ACI is a purpose-built hardware solution for integrating cloud computing and data center management. At a high level, the policy element of the network is removed from the data plane. This simplifies the way data center networks are created.
Platform as a Service (PaaS)
tools and services used to deliver the applications.
Type 2 Hypervisors
A hypervisor is software that creates and runs VM instances. The computer on which a hypervisor is supporting one or more VMs is a host machine. Type 2 hypervisors are also called hosted hypervisors. This is because the hypervisor is installed on top of the existing OS, such as Mac OS X, Windows, or Linux. Then, one or more additional OS instances are installed on top of the hypervisor, as shown in the figure. A big advantage of Type 2 hypervisors is that management console software is not required. Type 2 hypervisors are very popular with consumers and for organizations experimenting with virtualization. Common Type 2 hypervisors include:
Virtual PC
VMware Workstation
Oracle VM VirtualBox
VMware Fusion
Mac OS X Parallels
Many of these Type 2 hypervisors are free. Some offer more advanced features for a fee.
Note: It is important to make sure that the host machine is robust enough to install and run the VMs, so that it does not run out of resources.
Control Plane and Data Plane
A network device contains the following planes:
Control plane - This is typically regarded as the brains of a device. It is used to make forwarding decisions. The control plane contains Layer 2 and Layer 3 route forwarding mechanisms, such as routing protocol neighbor tables and topology tables, IPv4 and IPv6 routing tables, STP, and the ARP table. Information sent to the control plane is processed by the CPU.
Data plane - Also called the forwarding plane, this plane is typically the switch fabric connecting the various network ports on a device. The data plane of each device is used to forward traffic flows. Routers and switches use information from the control plane to forward incoming traffic out the appropriate egress interface. Information in the data plane is typically processed by a special data plane processor, such as a digital signal processor (DSP), without the CPU getting involved.
The example in Figure 1 illustrates how Cisco Express Forwarding (CEF) uses the control plane and data plane to process packets. CEF is an advanced, Layer 3 IP switching technology that enables forwarding of packets to occur at the data plane without consulting the control plane. In CEF, the control plane's routing table pre-populates the CEF Forwarding Information Base (FIB) table in the data plane. The control plane's ARP table pre-populates the adjacency table. Packets are then forwarded directly by the data plane based on the information contained in the FIB and adjacency table, without needing to consult the information in the control plane.
To virtualize the network, the control plane function is removed from each device and is performed by a centralized controller, as shown in Figure 2. The centralized controller communicates control plane functions to each device. Each device can now focus on forwarding data while the centralized controller manages data flow, increases security, and provides other services.
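The CEF split described above can be modelled in a few lines: the control plane's routing and ARP tables are used once to pre-populate a FIB and an adjacency table, and every packet after that is decided purely from those two data-plane structures. The following is an added Python example, not curriculum code; the routing table, ARP entries and interface names are constructed samples. It also shows the one case where the data plane must fall back on the control plane: a destination on a connected network with no adjacency yet (a "glean" adjacency), which is punted so the CPU can send an ARP request.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample routing table (control plane): (prefix, next hop, egress interface).
# "connected" marks a directly attached network.
SAMPLE_ROUTING_TABLE = [
    ("10.1.1.0/24", "connected", "Gi0/0"),
    ("10.2.0.0/16", "10.1.1.254", "Gi0/0"),
    ("10.2.5.0/24", "172.16.0.2", "Gi0/1"),
    ("0.0.0.0/0", "192.0.2.1", "Gi0/2"),
]

# Constructed sample ARP table (control plane): next-hop IP -> MAC address.
SAMPLE_ARP_TABLE = {
    "10.1.1.254": "00:11:22:33:44:55",
    "172.16.0.2": "66:77:88:99:aa:bb",
    "192.0.2.1": "cc:dd:ee:ff:00:11",
    "10.1.1.10": "aa:aa:aa:aa:aa:01",
}


@dataclass(frozen=True)
class FibEntry:
    prefix: ipaddress.IPv4Network
    next_hop: str
    egress: str


def build_fib(routing_table) -> List[FibEntry]:
    """Pre-populate the FIB from the routing table, most specific prefix first."""
    fib = [FibEntry(ipaddress.ip_network(p), nh, eg) for p, nh, eg in routing_table]
    # Longest prefix first, so the first matching entry is the longest match
    fib.sort(key=lambda e: e.prefix.prefixlen, reverse=True)
    return fib


def build_adjacency(arp_table) -> Dict[str, str]:
    """Pre-populate the adjacency table (next-hop IP -> Layer 2 rewrite MAC)."""
    return dict(arp_table)


def forward(dst_ip: str, fib, adjacency) -> Tuple[str, Optional[str], Optional[str]]:
    """Data-plane decision for one packet: (verdict, egress interface, destination MAC)."""
    addr = ipaddress.ip_address(dst_ip)
    for entry in fib:
        if addr in entry.prefix:
            # On a connected network the rewrite uses the destination host's own MAC
            key = dst_ip if entry.next_hop == "connected" else entry.next_hop
            mac = adjacency.get(key)
            if mac is None:
                # No adjacency yet: punt to the control plane so it can ARP ("glean")
                return ("punt", entry.egress, None)
            return ("forward", entry.egress, mac)
    return ("drop", None, None)


if __name__ == "__main__":
    fib = build_fib(SAMPLE_ROUTING_TABLE)
    adj = build_adjacency(SAMPLE_ARP_TABLE)
    for dst in ("10.2.5.7", "10.2.9.1", "10.1.1.10", "10.1.1.77", "8.8.8.8"):
        print(dst, forward(dst, fib, adj))
```

Note that 10.2.5.7 is sent out Gi0/1 even though 10.2.0.0/16 also matches: the FIB lookup is a longest-prefix match, exactly as the routing table lookup would have been, but no routing-table or ARP lookup happens per packet.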
The Security Pillar
All networks need to be secured. However, the IoT introduces new attack vectors not typically encountered with normal enterprise networks. The Cisco IoT security pillar offers scalable cybersecurity solutions, enabling an organization to quickly and effectively discover, contain, and remediate an attack to minimize damage. These cybersecurity solutions include:
Operational Technology (OT) specific security - OT is the hardware and software that keeps power plants running and manages factory process lines. OT security includes the ISA 3000 industrial security appliance (Figure 1) and Fog data services.
IoT Network security - Includes network and perimeter security devices such as switches, routers, ASA Firewall devices, and Cisco FirePOWER Next-Generation Intrusion Prevention Services (NGIPS) (Figure 2).
IoT Physical security - Cisco Video Surveillance IP Cameras (Figure 3) are feature-rich digital cameras that enable surveillance in a wide variety of environments. Available in standard and high definition, box and dome, wired and wireless, and stationary and pan-tilt-zoom (PTZ) versions, the cameras support MPEG-4 and H.264, and offer efficient network utilization while providing high-quality video.
The Converged Network and Things
Cisco estimates that 99 percent of things in the physical world are currently unconnected. Therefore, the IoT will experience tremendous growth as we connect more of the unconnected. Many things are currently connected using a loose collection of independent, use-specific networks, as shown in the figure. For example, today's cars have multiple proprietary networks to control engine function, safety features, and communications systems. Converging these systems alone onto a common network would save over 50 lbs. (23 kg) of cable in a modern full-size sedan. Other examples include commercial and residential buildings, which have various control systems and networks for heating, ventilation, and air conditioning (HVAC), telephone service, security, and lighting. These dissimilar networks are converging to share the same infrastructure. This infrastructure includes comprehensive security, analytics, and management capabilities. The connection of the components into a converged network that uses IoT technologies increases the power of the network to help people improve their daily lives.
Cloud Overview
Cloud computing involves large numbers of computers connected through a network that can be physically located anywhere. Providers rely heavily on virtualization to deliver their cloud computing services. Cloud computing can reduce operational costs by using resources more efficiently. Cloud computing supports a variety of data management issues:
Enables access to organizational data anywhere and at any time.
Streamlines the organization's IT operations by subscribing only to needed services.
Eliminates or reduces the need for onsite IT equipment, maintenance, and management.
Reduces cost for equipment, energy, physical plant requirements, and personnel training needs.
Enables rapid responses to increasing data volume requirements.
Cloud computing, with its "pay-as-you-go" model, allows organizations to treat computing and storage expenses more as a utility rather than investing in infrastructure. Capital expenditures are transformed into operating expenditures.
SDN Types
Device-based SDN enables programmers to build applications using C and Java with Python to integrate and interact with Cisco devices. Devices are programmable by applications running on the device itself or on a server in the network. Policy-based SDN uses built-in applications that automate advanced configuration tasks via a guided workflow and a user-friendly GUI, with no programming skills required. Cisco APIC-EM is an example of this type. Device-based SDN does not contain an SDN controller. Controller-based SDN is similar to policy-based SDN but without the additional policy layer.
Cloud and Virtualization
Cloud service providers like Cisco, Amazon Web Services, or Microsoft Azure offer their services out of data centers. There are two basic types of clouds: public clouds and private clouds. Public clouds offer services and applications to the general population, whereas private clouds are intended for specific organizations or entities, such as governments, and are only accessed by those private organizations. There are different categories of cloud services. SaaS, or software as a service, refers to on-demand software, or a subscription model where the license and delivery of the software happens through the cloud. You'll find this with things like Office 365 or Adobe Creative Cloud, or even gaming software, in which access to the software happens typically through a web browser. The software is typically not owned but rather leased. PaaS, or platform as a service, is where the cloud service provider provides the platform, like the Java or .NET platform, for a developer to develop an application or app. This oftentimes involves providing databases and tools to the developer so that they can quickly develop an app. Infrastructure as a service refers to virtual computing that can be provided over the internet on demand. This includes virtual computing, such as virtual servers, as well as virtualized storage and virtualized networking capabilities that can be provisioned, allocated, and supplied on demand on an as-needed basis. Virtualization is the ability to abstract or separate the operating system from the physical hardware. To create a virtual computer, the dedicated physical hardware needs to be shared with the virtual computer. In this slide, we see a Windows 7 virtual computer that is sharing the physical dedicated resources of the host computer. This is done through a hypervisor. There are two types of hypervisors used in virtualization: a Type 1 hypervisor, known as a bare metal hypervisor, and a Type 2 hypervisor, known as a hosted hypervisor.
A Type 1 bare metal hypervisor is a virtualization server. The hypervisor is an operating system that is installed onto the hardware directly, after which virtual computers can be created. There are different Type 1 hypervisors: KVM, Red Hat Enterprise Virtualization, Xen, Citrix XenServer, VMware ESXi, VMware vSphere, and Microsoft Hyper-V. A Type 2 hypervisor is known as a hosted hypervisor. In this situation, the hypervisor is an application or program that is installed on top of the host operating system. In other words, you install the hypervisor, like VirtualBox, VMware Workstation, Parallels, or Virtual PC, on top of the host computer. You install VirtualBox, let's say, on top of the Windows operating system. Then you can create virtual computers. In addition to virtual computing, we can also virtualize switching and routing. In this slide, we can see two VMware ESXi hypervisors. The virtual computers are all networked together with a Cisco Nexus 1000V virtual switch. The virtual switch brings the power of a Cisco switch to the virtualized network environment.
Cloud Services
Cloud services are available in a variety of options, tailored to meet customer requirements. The three main cloud computing services defined by the National Institute of Standards and Technology (NIST) in their Special Publication 800-145 are as follows:
Software as a Service (SaaS) - The cloud provider is responsible for access to services, such as email, communication, and Office 365, that are delivered over the Internet. The user only needs to provide their data.
Platform as a Service (PaaS) - The cloud provider is responsible for access to the development tools and services used to deliver the applications.
Infrastructure as a Service (IaaS) - The cloud provider is responsible for access to the network equipment, virtualized network services, and supporting network infrastructure.
For businesses, ITaaS can extend the capability of IT without requiring investment in new infrastructure, training new personnel, or licensing new software. These services are available on demand and delivered economically to any device anywhere in the world without compromising security or function.
Control Plane and Data Plane Characteristics
Control plane
Information sent here is processed by the CPU.
Contains routing protocol neighbor tables and topology tables.
The brains of a device. Makes forwarding decisions.
Contains IPv4 and IPv6 routing tables.
Data plane
Typically the switch fabric connecting the various network ports on a device.
Used to forward traffic flows.
Information in this plane is typically processed by a special data plane processor.
Also called the forwarding plane.
Dedicated Servers
To fully appreciate virtualization, it is first necessary to understand some of the history of server technology. Historically, enterprise servers consisted of a server operating system (OS), such as Windows Server or Linux Server, installed on specific hardware, as shown in the figure. All of a server's RAM, processing power, and hard drive space were dedicated to the service provided (e.g., Web, email services, etc.). The major problem with this configuration is that when a component fails, the service that is provided by this server becomes unavailable. This is known as a single point of failure. Another problem was that dedicated servers were underused. Dedicated servers often sat idle for long periods of time, waiting until there was a need to deliver the specific service they provide. These servers wasted energy and took up more space than was warranted by their amount of service. This is known as server sprawl.
APIC-EM Features
Each type of SDN has its own features and advantages. Policy-based SDN is the most robust, providing for a simple mechanism to control and manage policies across the entire network. Cisco APIC-EM provides the following features:
Discovery - Supports a discovery functionality that is used to populate the controller's device and host inventory database.
Device Inventory - Collects detailed information from devices within the network, including device name, device status, MAC address, IPv4/IPv6 addresses, IOS/firmware, platform, up time, and configuration.
Host Inventory - Collects detailed information from hosts within the network, including host name, user ID, MAC address, IPv4/IPv6 addresses, and network attachment point.
Topology - Supports a graphical view of the network (topology view). The Cisco APIC-EM automatically discovers and maps devices to a physical topology with detailed device-level data. In addition, auto-visualization of Layer 2 and 3 topologies on top of the physical topology provides a granular view for design planning and simplified troubleshooting. The figure shows an example of a topology view generated by the Cisco APIC-EM.
Policy - Ability to view and control policies across the entire network, including QoS.
Policy Analysis - Inspection and analysis of network access control policies. Ability to trace application-specific paths between end devices to quickly identify ACLs in use and problem areas. Enables ACL change management with easy identification of redundancy, conflicts, and incorrect ordering of access control entries. Incorrect ACL entries are known as shadows.
IoT Pillars
Fog Computing - Enables devices to connect to a local integrated computing, networking, and storage system.
Security - Enables an organization to quickly and effectively discover, contain, and remediate an attack to minimize damage.
Data Analytics - Consists of distributed network infrastructure components and IoT-specific, application-specific interfaces.
Management and Automation - Includes management tools such as the Cisco IoT Field Network Director.
Network Connectivity - Identifies devices that can be used to provide IoT connectivity to various industries.
Application Enablement Platform - Provides the infrastructure for application hosting and application mobility between cloud and Fog computing.
Infrastructure as a Service (IaaS)
Hardware and software that power servers, storage, networks, and operating systems.
Cloud Computing Terminology
Hybrid Cloud - Two or more clouds where each part remains a distinct object but both are connected using a single architecture.
PaaS - Access to the development tools and services used to deliver applications.
Private cloud - Applications and services are intended for a specific organisation or entity, such as the government.
Custom clouds - Clouds built to meet a specific industry, such as healthcare or media.
IaaS - Access to the network equipment, virtualised network services, and supporting network infrastructure.
Public cloud - Applications and services are made available to the general public.
Cloud - Large numbers of computers connected through a network that can be physically located anywhere.
SaaS - Access to services such as email, communication, and Office 365 that are delivered over the internet.
IT as a Service (ITaaS)
IT professionals support applications, platforms, and infrastructure.
SDN Architecture
In a traditional router or switch architecture, the control plane and data plane functions occur in the same device. Routing decisions and packet forwarding are the responsibility of the device operating system. Software defined networking (SDN) is a network architecture that has been developed to virtualize the network. For example, SDN can virtualize the control plane. Also known as controller-based SDN, SDN moves the control plane from each network device to a central network intelligence and policy-making entity called the SDN controller. The two architectures are shown in Figure 1. The SDN controller is a logical entity that enables network administrators to manage and dictate how the data plane of virtual switches and routers should handle network traffic. It orchestrates, mediates, and facilitates communication between applications and network elements. The SDN framework is illustrated in Figure 2. Note the use of Application Programming Interfaces (APIs) within the SDN framework. An API is a set of standardized requests that define the proper way for an application to request services from another application. The SDN controller uses northbound APIs to communicate with the upstream applications. These APIs help network administrators shape traffic and deploy services. The SDN controller also uses southbound APIs to define the behavior of the downstream virtual switches and routers. OpenFlow is the original and widely implemented southbound API. The Open Networking Foundation is responsible for maintaining the OpenFlow standard. Note: Traffic in a modern data center is described as North-South (going between external data center users and the data center servers) and East-West (going between data center servers).
What is IoT?
Internet of Things (IoT) is the collection of devices that can communicate over the Internet with each other or with a control console in order to affect and monitor the real world. IoT devices might be labeled as smart devices or smart home equipment.
Fog Computing Pillar
Networking models describe how data flows within a network. Networking models include:
Client-Server model - (Figure 1) This is the most common model used in networks. Client devices request services of servers.
Cloud computing model - (Figure 2) This is a newer model where servers and services are dispersed globally in distributed data centers. Cloud computing is discussed in more detail later in the chapter.
Fog computing - (Figure 3) This IoT network model identifies a distributed computing infrastructure closer to the network edge. It enables edge devices to run applications locally and make immediate decisions. This reduces the data burden on networks as raw data does not need to be sent over network connections. It enhances resiliency by allowing IoT devices to operate when network connections are lost. It also enhances security by keeping sensitive data from being transported beyond the edge where it is needed.
These models are not mutually exclusive. Network administrators can use any combination of the three models to address the needs of the network users.
The Fog computing pillar basically extends cloud connectivity closer to the edge. It enables end devices, such as smart meters, industrial sensors, robotic machines, and others, to connect to a local integrated computing, networking, and storage system. Applications that use Fog computing can monitor or analyze real-time data from network-connected things and then take action such as locking a door, changing equipment settings, applying the brakes on a train, and more. For example, a traffic light can interact locally with a number of sensors that can detect the presence of pedestrians and bikers, and measure the distance and speed of approaching vehicles. The traffic light also interacts with neighboring lights, providing a coordinated effort. Based on this information, the smart light sends warning signals to approaching vehicles and modifies its own cycle to prevent accidents.
The data collected by the smart traffic light system is processed locally to do real-time analytics. Coordinating with neighboring smart traffic light systems in the Fog allows for any modification of the cycle. For example, it can change the timing of the cycles in response to road conditions or traffic patterns. The data from clusters of smart traffic light systems is sent to the cloud to analyze long-term traffic patterns. Cisco predicts that 40% of IoT-created data will be processed in the Fog by 2018.
Advantages of Virtualization
One major advantage of virtualization is overall reduced cost:
Less equipment is required - Virtualization enables server consolidation, which requires fewer physical servers, fewer networking devices, and less supporting infrastructure. It also means lower maintenance costs.
Less energy is consumed - Consolidating servers lowers the monthly power and cooling costs. Reduced consumption helps enterprises to achieve a smaller carbon footprint.
Less space is required - Server consolidation with virtualization reduces the overall footprint of the data center. Fewer servers, network devices, and racks reduce the amount of required floor space.
These are additional benefits of virtualization:
Easier prototyping - Self-contained labs, operating on isolated networks, can be rapidly created for testing and prototyping network deployments. If a mistake is made, an administrator can simply revert to a previous version. The testing environments can be online, but isolated from end users. When testing is completed, the servers and systems can be deployed to end users.
Faster server provisioning - Creating a virtual server is far faster than provisioning a physical server.
Increased server uptime - Most server virtualization platforms now offer advanced redundant fault tolerance features, such as live migration, storage migration, high availability, and distributed resource scheduling.
Improved disaster recovery - Virtualization offers advanced business continuity solutions. It provides hardware abstraction capability so that the recovery site no longer needs to have hardware that is identical to the hardware in the production environment. Most enterprise server virtualization platforms also have software that can help test and automate the failover before a disaster does happen.
Legacy support - Virtualization can extend the life of OSs and applications, providing more time for organizations to migrate to newer solutions.
APIC-EM ACL Analysis
One of the most important features of the APIC-EM controller is the ability to manage policies across the entire network. Policies operate at a higher level of abstraction. Traditional device configuration applies to one device at a time, whereas SDN policies apply to the entire network. APIC-EM ACL Analysis and Path Trace provide tools to allow the administrator to analyze and understand ACL policies and configurations. Creating new ACLs or editing existing ACLs across a network to implement a new security policy can be challenging. Administrators are hesitant to change ACLs for fear of breaking them and causing new problems. ACL Analysis and Path Trace allow the administrator to easily visualize traffic flows and discover any conflicting, duplicate, or shadowed ACL entries. APIC-EM provides the following tools to troubleshoot ACL entries:
ACL Analysis - This tool examines ACLs on devices, searching for redundant, conflicting, or shadowed entries. ACL Analysis enables ACL inspection and interrogation across the entire network, exposing any problems and conflicts. An example screenshot of this tool is shown in Figure 1.
ACL Path Trace - This tool examines specific ACLs on the path between two end nodes, displaying any potential issues. An example screenshot of this tool is
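The redundancy, conflict and shadowing problems that the APIC-EM Policy Analysis feature and the ACL Analysis tool above report all come from the same property of an ACL: entries are evaluated top down and the first match wins, so an entry whose traffic is entirely covered by an earlier entry can never be reached. The following added Python example, written for this page and not APIC-EM's own logic, implements that check for source/destination prefix entries. An unreachable entry is reported as "redundant" when the covering entry takes the same action and as "conflict" when it takes the opposite one (the later deny or permit silently never applies). The ACL and its sequence numbers are constructed samples; "0.0.0.0/0" stands for the keyword any. As a caveat, the check only finds entries fully covered by one earlier entry: partial overlaps, coverage by the union of several earlier entries, and protocol or port fields are left to a fuller analyzer.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Ace:
    """One access control entry; "0.0.0.0/0" stands for the keyword any."""
    seq: int
    action: str  # "permit" or "deny"
    src: str     # source prefix in CIDR notation
    dst: str     # destination prefix in CIDR notation


# Constructed sample ACL, in the order the device evaluates it.
SAMPLE_ACL = [
    Ace(10, "permit", "10.1.0.0/16", "0.0.0.0/0"),
    Ace(20, "deny", "10.1.5.0/24", "192.168.1.0/24"),   # never reached: 10 already permits this
    Ace(30, "permit", "10.1.7.0/24", "0.0.0.0/0"),      # never reached, same action as 10
    Ace(40, "deny", "172.16.0.0/12", "192.168.1.0/24"),
    Ace(50, "permit", "172.16.0.0/16", "0.0.0.0/0"),    # only partly overlaps 40, still reachable
    Ace(60, "deny", "0.0.0.0/0", "0.0.0.0/0"),
]


def covers(outer: Ace, inner: Ace) -> bool:
    """True when every packet matched by inner is also matched by outer."""
    return (ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
            and ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst)))


def analyze_acl(acl: List[Ace]) -> List[Tuple[int, str, int]]:
    """Return (shadowed seq, kind, shadowing seq) for every unreachable entry.

    kind is "redundant" when the earlier entry takes the same action and
    "conflict" when it takes the opposite action (the later entry's intent never applies).
    """
    findings = []
    for i, ace in enumerate(acl):
        for earlier in acl[:i]:
            if covers(earlier, ace):
                kind = "redundant" if earlier.action == ace.action else "conflict"
                findings.append((ace.seq, kind, earlier.seq))
                break  # the first covering entry already makes this one unreachable
    return findings


def effective_acl(acl: List[Ace]) -> List[Ace]:
    """The ACL with shadowed entries removed; it matches the original for every packet."""
    shadowed = {seq for seq, _, _ in analyze_acl(acl)}
    return [ace for ace in acl if ace.seq not in shadowed]


if __name__ == "__main__":
    for seq, kind, by in analyze_acl(SAMPLE_ACL):
        print(f"entry {seq} is {kind}: shadowed by entry {by}")
```

The "conflict" finding is the one worth acting on first: entry 20 was meant to block 10.1.5.0/24 from reaching 192.168.1.0/24, but because entry 10 permits all of 10.1.0.0/16 first, that traffic is allowed and the deny is dead configuration. Reordering (placing 20 above 10) would restore the intended policy, which is exactly the incorrect-ordering case the page describes.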
Virtualizing the Network
Over a decade ago, VMware developed a virtualizing technology that enabled a host OS to support one or more client OSs. Most virtualization technologies are now based on this technology. The transformation of dedicated servers to virtualized servers has been embraced and is rapidly being implemented in data center and enterprise networks. Two major network architectures have been developed to support network virtualization:
Software Defined Networking (SDN) - A network architecture that virtualizes the network.
Cisco Application Centric Infrastructure (ACI) - A purpose-built hardware solution for integrating cloud computing and data center management.
These are some other network virtualization technologies, some of which are included as components in SDN and ACI:
OpenFlow - This approach was developed at Stanford University to manage traffic between routers, switches, wireless access points, and a controller. The OpenFlow protocol is a basic element in building SDN solutions.
OpenStack - This approach is a virtualization and orchestration platform available to build scalable cloud environments and provide an infrastructure as a service (IaaS) solution. OpenStack is often used with Cisco ACI. Orchestration in networking is the process of automating the provisioning of network components such as servers, storage, switches, routers, and applications.
Other components - Other components include Interface to the Routing System (I2RS), Transparent Interconnection of Lots of Links (TRILL), Cisco FabricPath (FP), and IEEE 802.1aq Shortest Path Bridging (SPB).
Virtualization Terminology
Redundancy - Protects from a single point of failure.
Dedicated server - When all of a server's RAM, processing power, and hard drive space are devoted to the service provided.
Host machine - The computer on which a hypervisor is supporting one or more VMs; for a Type 2 hypervisor, the hypervisor is installed on top of the existing OS, such as Mac OS X, Windows, or Linux.
Cloud computing - Separates the applications from the hardware.
Hypervisor - A program, firmware, or hardware that adds an abstraction layer on top of the real physical hardware.
Server virtualization - Takes advantage of idle resources and consolidates the number of required servers.
Virtualization - Separates the OS from the hardware.
Layers of abstraction - Services, OS, firmware, and hardware.
Network Virtualization
Server virtualization hides server resources (for example, the number and identity of physical servers, processors, and OSs) from server users. This practice can create problems if the data center is using traditional network architectures. For example, Virtual LANs (VLANs) used by VMs must be assigned to the same switch port as the physical server running the hypervisor. However, VMs are movable, and the network administrator must be able to add, drop, and change network resources and profiles. This process is difficult to do with traditional network switches. Another problem is that traffic flows differ substantially from the traditional client-server model. Typically, a data center has a considerable amount of traffic being exchanged between virtual servers (referred to as East-West traffic). These flows change in location and intensity over time, requiring a flexible approach to network resource management. Existing network infrastructures can respond to changing requirements related to the management of traffic flows by using Quality of Service (QoS) and security level configurations for individual flows. However, in large enterprises using multivendor equipment, each time a new VM is enabled, the necessary reconfiguration can be very time-consuming.
Server Virtualization
Server virtualization takes advantage of idle resources and consolidates the number of required servers. This also allows for multiple operating systems to exist on a single hardware platform. For example, in the figure, the previous eight dedicated servers have been consolidated into two servers using hypervisors to support multiple virtual instances of the operating systems. The hypervisor is a program, firmware, or hardware that adds an abstraction layer on top of the real physical hardware. The abstraction layer is used to create virtual machines which have access to all the hardware of the physical machine such as CPUs, memory, disk controllers, and NICs. Each of these virtual machines runs a complete and separate operating system. With virtualization, enterprises can now consolidate the number of servers they require. For example, it is not uncommon for 100 physical servers to be consolidated as virtual machines on top of 10 physical servers that are using hypervisors. The use of virtualization normally includes redundancy to protect from a single point of failure. Redundancy can be implemented in different ways. If the hypervisor fails, the VM can be restarted on another hypervisor. Also, the same VM can be run on two hypervisors concurrently, copying the RAM and CPU instructions between them. If one hypervisor fails, the VM continues running on the other hypervisor. The services running on the VMs are also virtual and can be dynamically installed or uninstalled, as needed.
Application Enablement Platform Pillar
The Application Enablement Platform pillar provides the infrastructure for application hosting and application mobility between cloud and Fog computing. The Fog environment allows for multiple instances of the application across different end devices and sensors. These instances can communicate with each other for redundancy and data-sharing purposes to create business models such as pay-as-you-go consumption for objects, machines, and products. For example, Cisco IOx, which is a combination of Cisco IOS and Linux, allows routers to host applications close to the objects they need to monitor, control, analyze, and optimize. Cisco IOx services are offered on multiple hardware devices that are customized for various industry needs and can therefore support applications specific to those industries.
Spine-Leaf Topology
The Cisco ACI fabric is composed of the APIC and the Cisco Nexus 9000 series switches using a two-tier spine-leaf topology, as shown in the figure. The leaf switches always attach to the spines, but they never attach to each other. Similarly, the spine switches only attach to the leaf and core switches (not shown). In this two-tier topology, everything is one hop from everything else. The Cisco APICs and all other devices in the network physically attach to leaf switches. When compared to SDN, the APIC controller does not manipulate the data path directly. Instead, the APIC centralizes the policy definition and programs the leaf switches to forward traffic based on the defined policies. For virtualization, ACI supports multivendor hypervisor environments that would connect to the leaf switches, including Microsoft (Hyper-V/SCVMM/Azure Pack), Red Hat Enterprise Linux OS (KVM OVS/OpenStack), and VMware (ESX/vCenter/vShield).
SDN Types
The Cisco Application Policy Infrastructure Controller - Enterprise Module (APIC-EM) extends ACI and is aimed at enterprise and campus deployments. To better understand APIC-EM, it is helpful to take a broader look at the three types of SDN:
Device-based SDN - In this type of SDN, the devices are programmable by applications running on the device itself or on a server in the network, as shown in Figure 1. Cisco OnePK is an example of a device-based SDN. It enables programmers to build applications using C, Java, and Python to integrate and interact with Cisco devices.
Controller-based SDN - This type of SDN uses a centralized controller that has knowledge of all devices in the network, as shown in Figure 2. The applications can interface with the controller responsible for managing devices and manipulating traffic flows throughout the network. The Cisco Open SDN Controller is a commercial distribution of OpenDaylight.
Policy-based SDN - This type of SDN is similar to controller-based SDN in that a centralized controller has a view of all devices in the network, as shown in Figure 3. Policy-based SDN includes an additional policy layer that operates at a higher level of abstraction. It uses built-in applications that automate advanced configuration tasks via a guided workflow and a user-friendly GUI. No programming skills are required. Cisco APIC-EM is an example of this type of SDN.
Challenges to Connecting Things
The IoT connects smart objects to the Internet. It connects traditional computer devices as well as untraditional devices. Within the IoT, the communication is Machine-to-Machine (M2M), enabling communication between machines without human intervention. For example, M2M occurs in cars with temperature and oil sensors communicating with an onboard computer.
SDN Controller and Operations
The SDN controller defines the data flows that occur in the SDN Data Plane. A flow is a sequence of packets traversing a network that share a set of header field values. For example, a flow could consist of all packets with the same source and destination IP addresses, or all packets with the same VLAN identifier. Each flow traveling through the network must first get permission from the SDN controller, which verifies that the communication is permissible according to the network policy. If the controller allows a flow, it computes a route for the flow to take and adds an entry for that flow in each of the switches along the path. All complex functions are performed by the controller. The controller populates flow tables. Switches manage the flow tables. In the figure, an SDN controller communicates with OpenFlow-compatible switches using the OpenFlow protocol. This protocol uses Transport Layer Security (TLS) to securely send control plane communications over the network. Each OpenFlow switch connects to other OpenFlow switches. They can also connect to end-user devices that are part of a packet flow. Within each switch, a series of tables implemented in hardware or firmware are used to manage the flows of packets through the switch. To the switch, a flow is a sequence of packets that matches a specific entry in a flow table.
The six pillars of the Cisco IoT System
The challenge for IoT is to securely integrate millions of new things from multiple vendors into existing networks. To help address this challenge, Cisco introduced the Cisco IoT System to help organizations and industries adopt IoT solutions. Specifically, the Cisco IoT System reduces the complexities of digitization for manufacturing, utilities, oil and gas, transportation, mining, and public sector organizations. The IoT System provides an infrastructure designed to manage large-scale systems of very different endpoints and platforms, and the huge amount of data that they create. The Cisco IoT System uses a set of new and existing products and technologies to help reduce the complexity of digitization. The Cisco IoT System uses the concept of pillars to identify foundational elements.
Cloud Computing and Virtualization
The terms "cloud computing" and "virtualization" are often used interchangeably; however, they mean different things. Virtualization is the foundation of cloud computing. Without it, cloud computing, as it is most widely implemented, would not be possible. Cloud computing separates the application from the hardware. Virtualization separates the OS from the hardware. Various providers offer virtual cloud services that can dynamically provision servers as required. For example, the Amazon Elastic Compute Cloud (Amazon EC2) web service provides a simple way for customers to dynamically provision the compute resources they need. These virtualized instances of servers are created on demand in Amazon EC2.
Cloud Models
There are four primary cloud models:
Public clouds: Cloud-based applications and services offered in a public cloud are made available to the general population. Services may be free or offered on a pay-per-use model, such as paying for online storage. The public cloud uses the Internet to provide services.
Private clouds: Cloud-based applications and services offered in a private cloud are intended for a specific organization or entity, such as the government. A private cloud can be set up using the organization's private network, though this can be expensive to build and maintain. A private cloud can also be managed by an outside organization with strict access security.
Hybrid clouds: A hybrid cloud is made up of two or more clouds (for example, part private, part public), where each part remains a distinct object, but both are connected using a single architecture. Individuals on a hybrid cloud would be able to have degrees of access to various services based on user access rights.
Community clouds: A community cloud is created for exclusive use by a specific community. The difference between public clouds and community clouds is the functional needs that have been customized for the community. For example, healthcare organizations must remain compliant with policies and laws (e.g., HIPAA) that require special authentication and confidentiality.
The Network Connectivity Pillar
There are many different types of networks: home networks, public Wi-Fi networks, small business networks, enterprise networks, service provider networks, data center networks, cloud networks, and IoT networks. Regardless of network type, they all need devices to provide network connectivity. However, network connectivity equipment varies depending on the type of network. For example, home networks typically consist of a wireless broadband router, while business networks will have multiple switches, APs, a firewall or firewalls, routers, and more. The Cisco IoT network connectivity pillar identifies devices that can be used to provide IoT connectivity to many diverse industries and applications.
Core Components of ACI
These are the three core components of the ACI architecture:
Application Network Profile (ANP) - An ANP is a collection of end-point groups (EPGs), their connections, and the policies that define those connections. The EPGs shown in the figure, such as VLANs, Web services, and applications, are just examples. An ANP is often much more complex.
Application Policy Infrastructure Controller (APIC) - The APIC is considered to be the brains of the ACI architecture. The APIC is a centralized software controller that manages and operates a scalable ACI clustered fabric. It is designed for programmability and centralized management. It translates application policies into network programming.
Cisco Nexus 9000 Series switches - These switches provide an application-aware switching fabric and work with an APIC to manage the virtual and physical network infrastructure.
As shown in the figure, the APIC is positioned between the ANP and the ACI-enabled network infrastructure. The APIC translates the application requirements into a network configuration to meet those needs.
Abstraction Layers
To help explain how virtualization works, it is useful to use layers of abstraction in computer architectures. A computer system consists of the following abstraction layers: services, OS, firmware, and hardware. At each of these layers of abstraction, some type of programming code is used as an interface between the layer below and the layer above. For example, the C programming language is often used to program the firmware that accesses the hardware. A hypervisor is installed between the firmware and the OS. The hypervisor can support multiple instances of OSs.
Type 1 Hypervisors
Type 1 hypervisors are also called the "bare metal" approach because the hypervisor is installed directly on the hardware. Type 1 hypervisors are usually used on enterprise servers and data center networking devices. With Type 1 hypervisors, the hypervisor is installed directly on the server or networking hardware. Then, instances of an OS are installed on the hypervisor. Type 1 hypervisors have direct access to the hardware resources; therefore, they are more efficient than hosted architectures. Type 1 hypervisors improve scalability, performance, and robustness.
Installing a VM on a Hypervisor
When a Type 1 hypervisor is installed, and the server is rebooted, only basic information is displayed, such as the OS version, the amount of RAM, and the IP address. An OS instance cannot be created from this screen. Type 1 hypervisors require a "management console" to manage the hypervisor. Management software is used to manage multiple servers using the same hypervisor. The management console can automatically consolidate servers and power on or off servers as required. For example, assume that Server1 in the figure becomes low on resources. To make more resources available, the management console moves the Windows instance to the hypervisor on Server2. The management console provides recovery from hardware failure. If a server component fails, the management console automatically and seamlessly moves the VM to another server. The management console for the Cisco Unified Computing System (UCS) is shown in Figure 2. Cisco UCS Manager provides management for all software and hardware components in the Cisco UCS. It controls multiple servers and manages resources for thousands of VMs. Some management consoles also allow over allocation. Over allocation is when multiple OS instances are installed, but their memory allocation exceeds the total amount of memory that a server has. For example, a server has 16 GB of RAM, but the administrator creates four OS instances with 10 GB of RAM allocated to each. This type of over allocation is a common practice because all four OS instances rarely require the full 10 GB of RAM at any one moment.
Data Analytics Pillar
a pillar (component) in the Cisco IoT System that consists of distributed network infrastructure components and IoT-specific application programming interfaces (APIs)
Management and Automation Pillar
a pillar (component) in the Cisco IoT System that provides tools to support IoT management and automation capabilities
