Detailed technical case study of an SDN implementation in one of the world's largest private cloud environments. This is a multi-vendor, best-of-breed implementation based on FlexPod (Cisco UCS compute and NetApp storage), VMware server virtualization, and Cisco SDN. Microsegmentation, extensive automation, and multi-tenancy are the key use cases.
Architecture overview: One of the world's largest enterprise private clouds
1. Detailed Technical Case Study On
Software-defined Networking (SDN)
Prepared by: Feng Meng, Technologist, Cisco Systems
Source: Symantec Cloud Services Team, VMware, NetApp, Cisco
2. About This Case Study
Based on technical details provided by Symantec, NetApp, and Cisco.
Focuses on describing the value of SDN provided by Cisco ACI.
For a more complete description of the entire case study beyond Cisco ACI,
including FlexPod and VMware vCloud Suite, please refer to the case study
written by Symantec and NetApp.
3. “It is complex. It is heterogeneous. It’s
modern in some areas.
We have a number of cloud deployments,
most significantly, our ‘Granite Labs’ cloud,
which we have built over the last 2 ½ years.
‘Granite Labs’ has been a great learning
experience in what automation brings to IT
operations.
Now we need to bring the success of
‘Granite Labs’ to the rest of our IT
infrastructure, our lines of business apps.”
“Our IT environment is like
that of any other
customer who’s been
building things out for the
last 25 years.”
– Sean Doherty, Vice President,
Alliances, Symantec
Symantec IT Environment
4. Background on “Granite Labs”
Symantec maintains the world’s largest civilian security
threat analysis database.
Customers rely on Symantec security solutions.
They expect Symantec to support & enhance these
solutions 24x7.
To meet these expectations, Symantec has traditionally
maintained:
• Hundreds of lab environments dedicated to customer
support, R&D, and education services
• Labs hosted at 25 locations around the world.
“Traditional methods to
duplicate customer
environments for tech
support, R&D, or services
were too costly and time-
consuming.”
– Jason Puig, Senior Manager,
Cloud Services, Symantec
5. “Symantec internal and external customers had to wait
weeks for lab infrastructure.
Many similar or identical lab environments were created:
• For multiple teams & technical support engineers
• For different projects supporting the same Symantec
products.
Because labs could not be efficiently reused, they often
had to be re-deployed all over again on different
hardware when new projects or support issues arose.
This meant additional delays and redundant work.”
“Each new lab took
approximately two weeks
to create.”
– Jason Puig, Senior Manager,
Cloud Services, Symantec
Challenges
6. “In the past, these labs existed in silos that were built and
maintained by separate product groups.
As Symantec grew, this approach was no longer effective
or efficient.
Symantec had to reduce its global data center footprint
while streamlining product support and undertaking R&D
capacity improvement initiatives.”
“At the same time, we
received a directive from
our CEO to reduce our
global data center
footprint.”
– Jason Puig, Senior Manager,
Cloud Services, Symantec
Directive from the CEO
Cost Governance Agility
7. “We recognized that the scale, speed, and challenges
that we had to meet also applied to many of our global
enterprise customers.
We would prove the validity of our ‘Agile Data Center’
customer initiative:
• Combine elastic infrastructures, trusted clouds, and IT intelligence
• Deliver the right resources, in the right way, to the right users
• Accomplish this through our own internal IT practice”
Started with a lighthouse project - “Granite Labs”
“We saw an opportunity to
build a best-practice
virtual private cloud on a
converged infrastructure.”
– Jason Puig, Senior Manager,
Cloud Services, Symantec
Vision: Virtual Private Cloud
8. Embrace next-generation data center software and
architecture.
Combine elastic infrastructure with an as-a-service model.
Allow end users to deploy virtual labs quickly with a few
clicks and contribute lab templates for others to reuse.
Scale this architecture to spark a company-wide IT
transformation.
“Granite Labs could have
been viewed as shadow IT,
but executive management
trusted our ability to
innovate.”
– Jason Puig, Senior Manager,
Cloud Services, Symantec
Architecture
10. Virtualized Apps:
• A lot of Unix servers
• Future: Business apps
• Symantec Apps: NetBackup, Backup Exec, Enterprise Vault, and security products such as Data Loss Prevention and Data Center Security
Physical Apps and Endpoints:
• Storage Foundation High Availability for Microsoft® Windows® and Linux®
• Physical storage clusters (NetApp NFS)
• Future: A lot of other bare metal servers
SDN layer (Cisco Nexus 9000 ACI Enabled Switches):
• In minutes, allow any IP endpoint to be connected, moved and de-commissioned via a consistent policy controller, with zero downtime
• Seamlessly integrate the virtual and physical world
Requirements for the SDN Layer
11. App Types: vSphere, Unix, Physical, Business Apps, Symantec Apps
Communication paths: VM-to-VM Microsegmentation, VM-to-Physical, Physical-to-Physical, East-West and North-South
What app types, and what communication paths between them, can be secured consistently, automatically and granularly?
• The Scope and Consistency of Cisco ACI Policy: covers the app types and paths listed above
• Scope of Competing Microsegmentation Solution: VM-to-VM only (see the speaker notes at the end)
Defend All Cyber Attack Surfaces
12. “Operating in Cisco NX-OS or in ACI™ mode, the Nexus
9000 switches are ideal for traditional or fully automated
data center deployments.
When coupled with Cisco ACI, NetApp clustered Data
ONTAP provides rapid application provisioning, reducing
the time required to deploy applications while meeting
application-specific service levels.
To support zero downtime, we deployed a 12-node
NetApp storage cluster and a separate 4-node NetApp
cluster with Cisco ACI, which we plan to scale out as
demand for services increases.
A Cisco APIC™ cluster provides a single point of control,
a centralized API framework, and a central application
policy repository for Cisco ACI and the whole data center.”
“NetApp and Cisco have
demonstrated a shared
commitment to FlexPod, and
their common vision of a
unified data center is aligned
with Symantec’s goal of
maximizing business agility
with Agile Data Centers. One
example of this commitment
is FlexPod integration with
Cisco ACI.”
– Jason Puig, Senior Manager,
Cloud Services, Symantec
The Value of SDN Integration with FlexPod
13. “We saved 700 years of
valuable time – and that’s
only the beginning.”
– Jason Puig, Senior Manager,
Cloud Services, Symantec
Time reduction to deploy test lab environments: users can
provision in minutes, selecting from a library of virtual
machine templates.
Freed up 70% of staff time for customer service,
satisfaction and time to resolution (vs. working on
infrastructure issues).
We have eliminated 37,000 weeks of effort – more
than 700 years of valuable time.
Outcomes: Speed of the Business
14. “It’s very gratifying
when a large
enterprise customer
flies hundreds of its
IT employees to our
facility to learn best
practices from our
29-person team.”
– Jason Puig, Senior
Manager, Cloud
Services, Symantec
Chart: Capacity Scalability, Growth in Usage (# of active users)
Outcomes: Do More with Less
15. More about Granite Labs: video produced by Symantec TV
More About Symantec IT: video featuring Symantec VP of Alliances
More Technical Details: detailed technical case study
Editor's notes
In the past, these labs existed in silos that were built and maintained by separate product groups. As Symantec grew, this approach was no longer effective or efficient. Traditional methods to duplicate customer environments for technical support, troubleshooting, or education were difficult and time-consuming, which hindered our ability to deliver the service levels and response times that our business requires. At the same time, we received a directive from our CEO to reduce our global data center footprint. However, we had to accomplish this while streamlining product support and undertaking R&D capacity improvement initiatives.
As the global leader in information protection, Symantec protects more data than any other company on the planet and maintains the largest civilian security threat analysis database in the world. Customers deploy Symantec™ solutions as the bedrock of their organizations, and they expect Symantec to support and enhance the world’s leading technology implementations. To meet these expectations, Symantec has traditionally maintained hundreds of lab environments dedicated to customer support, product development, and education services, hosted at 25 locations around the world.
For some time, internal customers of Global Symantec Labs (GSL) had been asking for greater agility in deploying lab environments. Each new lab took approximately two weeks to create, and an overwhelming majority of GSL staff time was spent deploying and supporting lab infrastructure, rather than on customer service and support tasks. Many similar or even identical lab environments were created to support multiple teams and technical support engineers working on different projects for the same Symantec products. Because labs could not be efficiently reused, they often had to be redeployed all over again on different hardware when new projects or support issues arose, resulting in time delays and redundant work.
As we considered our options, we recognized that the scale, speed, and challenges that we had to meet also applied to many of our global enterprise customers. We saw an opportunity to build a best-practice virtual private cloud on a converged infrastructure that would prove the validity of our “Agile Data Center” customer initiative—combining elastic infrastructures, trusted clouds, and IT intelligence to deliver the right resources in the right way to the right users—through our own internal IT practice. The result is Symantec Granite Labs, an internal “lighthouse project” that has saved Symantec tens of millions of dollars and has grown to become one of the world’s largest private clouds. At Symantec, we use the term “lighthouse” to describe projects that we build for customers that illuminate best practices for emerging technologies. Granite Labs has become an internal lighthouse for large-scale private cloud deployments.
Cisco ACI is the only solution providing a common, consistent policy model for all your apps. It doesn’t matter if you have modern container apps, physical apps such as a Hadoop cluster, OpenStack KVM-based virtual apps, Hyper-V, and of course VMware vSphere-based workloads. Cisco ACI can provide granular microsegmentation for each app, and for movements between any virtual and physical machines. And yes, not just east-west but also north-south movements. Other alternatives, such as network virtualization, do a solid job of restricting VM-to-VM moves. But did you know that is for a vSphere environment only? And did you know that a move from a vSphere VM to a physical host, or between an ESXi host’s physical management port and your management subnet, or to the VM storage backend, might not be protected at all by such a solution?
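The policy-scope argument above, as an added illustrative model that is not Cisco ACI's, Symantec's or any vendor's code or API: endpoints are grouped by role rather than by VM or physical form, only an explicit contract permits traffic, and a hypervisor-only enforcement scope is compared with a fabric-wide scope over constructed flows, including the VM-to-storage and ESXi-management-to-management paths the note mentions. All endpoint names, groups and ports are constructed.

```python
"""Toy evaluator for the scope of a group-based microsegmentation policy. This is
an illustrative model (not any vendor's API) comparing two enforcement scopes."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Endpoint:
    name: str
    kind: str   # "vm", "physical" or "external"
    group: str  # policy group (constructed names)

@dataclass(frozen=True)
class Flow:
    src: Endpoint
    dst: Endpoint
    port: int  # TCP destination port

def in_scope(flow: Flow, scope: str) -> bool:
    """A hypervisor-only scope sees a flow only when both ends are VMs."""
    return scope == "fabric" or (flow.src.kind == "vm" and flow.dst.kind == "vm")

def evaluate(flow: Flow, contracts: set, scope: str) -> str:
    """'allow'/'deny' for traffic the scope sees; 'unenforced' for traffic it never sees."""
    if not in_scope(flow, scope):
        return "unenforced"
    return "allow" if (flow.src.group, flow.dst.group, flow.port) in contracts else "deny"

def coverage_gaps(flows, contracts, scope):
    """Flows the allowlist would deny but that the given scope never evaluates."""
    return [f for f in flows if evaluate(f, contracts, scope) == "unenforced"
            and evaluate(f, contracts, "fabric") == "deny"]

# Constructed inventory; contracts are (consumer group, provider group, port).
WEB = Endpoint("web-vm-01", "vm", "web")
DB = Endpoint("db-vm-01", "vm", "db")
NFS = Endpoint("netapp-nfs-01", "physical", "storage")
ESXI_MGMT = Endpoint("esxi-07-vmk0", "physical", "hyp-mgmt")
JUMP = Endpoint("mgmt-jump-01", "physical", "mgmt")
INTERNET = Endpoint("internet", "external", "outside")
CONTRACTS = {("web", "db", 3306), ("outside", "web", 443),
             ("mgmt", "hyp-mgmt", 443), ("web", "storage", 2049)}
FLOWS = [Flow(WEB, DB, 3306),       # VM-to-VM, permitted by contract
         Flow(DB, WEB, 22),         # VM-to-VM, no contract
         Flow(WEB, NFS, 2049),      # VM-to-physical storage, permitted
         Flow(DB, NFS, 2049),       # VM-to-physical storage, no contract
         Flow(INTERNET, DB, 3306),  # north-south straight into the data tier
         Flow(ESXI_MGMT, JUMP, 22)] # physical-to-physical management path

if __name__ == "__main__":  # stand-alone demo: verdict per flow, per scope
    for scope in ("hypervisor-only", "fabric"):
        print(scope, [evaluate(f, CONTRACTS, scope) for f in FLOWS])
```

Under the hypervisor-only scope the last four flows come back as "unenforced", and three of them are flows the allowlist would deny, which is the coverage gap the note describes.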