Walk through the various pre-configured policies that will later be used in the creation of the Secure Application Container template.
Create a Secure Application Container template and publish it for consumption by the Service End User.
Deploy a Secure Application Container using the Self-Service Portal interface of UCS Director.
Configure static NAT and verify functionality of the 3-tier application created in the previous steps.
This lab was designed to be completed in sequential order. As some steps rely on the successful completion of previous steps, you
are required to complete all steps before moving on.
The individual lab scenarios are:
2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 1 of 34
Cisco dCloud
Requirements
The table below outlines the requirements for this preconfigured lab.
Table 1.
Requirements
Required
Optional
Laptop
Topology
The diagram below represents the logical setup of a demo environment. For simplicity of the setup, the external and the
management network are the same. Although this is not best practice for production systems, it does not impact the functionality of
the VACS solution for demo purposes.
At demo start, the container is not present; it will be deployed as part of the demonstration steps.
Figure 1.
Figure 2.
One Cisco Nexus 1000V Virtual Supervisor Module, reachable at 198.18.133.40 via SSH.
Two ESXi nodes with Nexus1000V VEMs reachable at 198.18.133.31 and 198.18.133.32.
All necessary applications used within this lab are available on the desktop of the control center machine, to which you are
connected via Remote Desktop Protocol (RDP).
Get Started
BEFORE PRESENTING
We strongly recommend that you go through this document and work with an active session before presenting in front of a live
audience. This will allow you to become familiar with the structure of the document and content.
PREPARATION IS KEY TO A SUCCESSFUL PRESENTATION.
Follow the steps to schedule a session of the content and configure your presentation environment.
1. Browse to dcloud.cisco.com, select the location closest to you, and log in with your Cisco.com credentials.
2.
3. Register and configure your router if this is the first time you will use the router with dCloud. [Show Me How]
4.
5.
Verify that the status of your session is Active in My Dashboard > My Sessions.
7.
For best performance, connect to your session with Cisco AnyConnect VPN [Show Me How] and to your workstation (wkst1)
with the local RDP client on your laptop [Show Me How]
NOTE: You can also connect to the workstation using the Cisco dCloud Remote Desktop client [Show Me How]. The dCloud
Remote Desktop client works best for accessing an active session with minimal interaction.
8.
Figure 3.
Scenario 1.
Resource Pools such as Management IP Pool, Container Edge Gateway Uplink/NAT Pool, Container VLANs and
Container Subnet Pool on UCS Director.
UCS Director is configured with vCenter, Nexus1000V VSM and PNSC access details.
The Nexus1000V has also been pre-configured with uplink port-profiles, uplink VLANs and VSG data and HA VLANs.
PNSC is installed and VM Manager is configured. VNM Policy Agent on VSM is configured to communicate with PNSC.
Lab Steps
Understanding VACS Resource Pools and System Policies
Four primary resource pools are required in order to create a container template. These resource pools are:
Management IP Pool: The management IP addresses for various infrastructure components for a container (such as
Edge Gateway CSR, App Firewall/VSG) will be derived from this pool. The IP addresses in this pool must be routable
within the Datacenter network.
Container Edge Gateway Uplink/NAT IP Pool: The Edge Gateway/CSR will have an interface on the Datacenter uplink
switch/network. This pool will provide an IP address to the uplink interface. The IP addresses in this pool must be routable
within the Datacenter network.
Container IP Subnet Pool: This is a pool of subnets that will be assigned to the container inside network. The Pool will
be defined by providing a Super-net address and then dividing it internally into smaller subnets. The IP Subnet Pools may
be routable or non-routable in the Datacenter. If the IP addresses in this pool are non-routable, then the container will be
of the private type and NAT policies will be configured on the Container Edge Gateway. If the IP addresses in this pool
are routable in the Datacenter, then the Edge Gateway can be configured for Static or Dynamic Routing protocol. See
Section Creating a Secure Application Container Template for more details on Routing Policy.
Container VLAN Pool: The VLAN for the inside network of the application containers will be derived from this pool. The
VLAN IDs must be unique in the Datacenter.
System Policy: A system policy defines the system specific information such as the VM template to use, VM Naming
convention, time zone, OS specific information, and any other customization to be done.
Compute Policy: Computing policies determine the computing resources used during provisioning that satisfy group or
workload requirements. Administrators can define advanced policies by mixing and matching various conditions in the
computing policy.
Storage Policy: A Storage Policy defines resources such as the datastore scope, type of storage to use, minimum
conditions for capacity, latency, and so on. The Storage Policy also provides options to configure additional disk policies
for multiple disks, and to provide datastore choices for use during a service request creation.
In this scenario we will review the resource pools and policies that have been defined for this container template.
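The four resource pools above are easier to reason about as an allocation model: a supernet carved into fixed-size inside subnets, a datacenter-unique VLAN range, and a Router IP Type (Private with NAT, or Public with routing) that follows from whether the subnet pool is routable. The following Python is an added example, not code from the Cisco lab guide or from UCS Director; the supernet 10.10.0.0/22, the /24 carve size and the container names are constructed for illustration, and only the VLAN range 21-24 comes from the lab text. It also shows the failure mode the pools imply: when a pool is exhausted, provisioning must fail cleanly rather than hand out a duplicate VLAN or subnet.

```python
"""Added example (not from the Cisco lab guide): a toy model of the VACS
resource pools. Supernet, carve size and container names are constructed;
only the VLAN range 21-24 is taken from the lab text."""
import ipaddress
from dataclasses import dataclass, field
from typing import List


class PoolExhausted(RuntimeError):
    """Raised when a pool has no free entry left for a new container."""


@dataclass
class SubnetPool:
    """Container IP Subnet Pool: a supernet divided into equal smaller subnets.

    `routable` records whether these subnets are routable in the datacenter;
    non-routable subnets make the container private and require NAT on the
    Container Edge Gateway.
    """
    supernet: ipaddress.IPv4Network
    new_prefix: int
    routable: bool = False
    _free: List[ipaddress.IPv4Network] = field(init=False, repr=False)

    def __post_init__(self) -> None:
        # Divide the supernet internally into smaller subnets of new_prefix length.
        self._free = list(self.supernet.subnets(new_prefix=self.new_prefix))

    def allocate(self) -> ipaddress.IPv4Network:
        if not self._free:
            raise PoolExhausted(f"no free /{self.new_prefix} left in {self.supernet}")
        return self._free.pop(0)

    def release(self, subnet: ipaddress.IPv4Network) -> None:
        # Returned subnets go to the back of the free list so reuse is visible.
        self._free.append(subnet)


@dataclass
class IdPool:
    """VLAN (or VXLAN) pool: a contiguous range of IDs, unique in the datacenter."""
    start: int
    end: int
    _free: List[int] = field(init=False, repr=False)

    def __post_init__(self) -> None:
        self._free = list(range(self.start, self.end + 1))

    def allocate(self) -> int:
        if not self._free:
            raise PoolExhausted(f"no free ID left in {self.start}-{self.end}")
        return self._free.pop(0)


def provision_container(name: str, subnets: SubnetPool, vlans: IdPool) -> dict:
    """Draw one inside subnet and one VLAN for a new container and derive the
    Router IP Type and NAT requirement from the subnet pool's routability."""
    subnet = subnets.allocate()
    try:
        vlan = vlans.allocate()
    except PoolExhausted:
        subnets.release(subnet)  # do not leak the subnet if the VLAN draw fails
        raise
    return {
        "name": name,
        "inside_subnet": str(subnet),
        "vlan": vlan,
        "router_ip_type": "Public" if subnets.routable else "Private",
        "nat_required": not subnets.routable,
    }


def demo() -> List[dict]:
    """Provision four containers from a /22 and VLANs 21-24; a fifth must fail."""
    subnets = SubnetPool(ipaddress.ip_network("10.10.0.0/22"), new_prefix=24)
    vlans = IdPool(21, 24)
    containers = [provision_container(f"App{i}", subnets, vlans) for i in range(1, 5)]
    try:
        provision_container("App5", subnets, vlans)
    except PoolExhausted as exc:
        containers.append({"name": "App5", "error": str(exc)})
    return containers


if __name__ == "__main__":
    for c in demo():
        print(c)
```

Running the block prints four Private containers on 10.10.0.0/24 through 10.10.3.0/24 with VLANs 21 through 24, then the exhaustion error for the fifth request; the same pools with `routable=True` would yield a Public router type with no NAT, matching the Router IP Type choice made later in the template wizard.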
1.
NOTE: There may be a delay of up to a few minutes while UCS Director starts.
2. From the top menu, click Policies > Virtual/Hypervisor Policies > Network.
Figure 4.
3. Click the Static IP Pool Policy tab to view the Static IP Pool Policy table. Both the Management IP Pool and Edge Gateway/CSR Uplink Pool are defined in this table.
Figure 5.
4.
Figure 6.
5. Click the details icon to display details of the Device Management Pool. Note the IP start-end range allocated to this pool, the subnet
Figure 7.
6.
7.
Figure 8.
8.
1. Click the IP Subnet Pool Policy tab. The containers' internal IP addresses are defined in this table.
Figure 9.
2.
Figure 10.
3. Click the VLAN Pool Policy tab. The containers' inside VLAN ID pool is defined in this table.
Figure 11.
2. Double-click VACS-Container-VLAN-Pool. The VLAN range of 21-24 is defined in this pool.
Figure 12.
3.
VM Name Template: Naming convention for the created VMs. Variables such as $GROUP_NAME and $SR_ID will be substituted with the Service End User's group name and the Service Request ID.
1. From the top menu, click Policies > Virtual/Hypervisor Policies > Service Delivery. The VMWare System Policy tab is the default landing screen.
Figure 13.
2.
Service Delivery
Figure 14.
3.
System Policy
Cloud Name: Your vCenter details. (In our lab, the vCenter was already added to UCS Director as a Cloud Provider.)
Host Node / Cluster Scope: This setting specifies the Host or Cluster selection criteria as shown below
Figure 15.
Selected Host Node: The hosts that will be used to deploy the workload. In our case we have selected dCloudCluster, which forces the workload VMs to be deployed there.
Resource Pool: Resource Pool defined on that ESXi host. For this lab we have selected the corresponding resource pool
for the cluster we selected.
Other settings remain as the default, but can be customized to add more conditions before choosing the host for VM placement.
1. From the top menu, click Policies > Virtual/Hypervisor Policies > Computing. VMWare Compute Policy is the default landing screen.
Figure 16.
2. Double-click VACS Container Computing Policy for Containers to display the policy settings.
Figure 17.
3.
Data Stores Scope: Narrows the scope of deployment. Choose whether to use all datastores, include only selected datastores, or exclude selected datastores.
Additional Disk Policies allow users to specify policies for alternate storage. Cisco UCS Director supports VM provisioning with
multiple disks on multiple datastores. Disks are classified into five types: system, data, database, swap, and log. The system disk
policy is configured first, and the other disks can be configured depending on requirements. You can configure the disk policy
individually for each disk type or choose the default system disk policy for each disk.
1. From the main menu, click Policies > Virtual/Hypervisor Policies > Storage.
Figure 18.
2.
Figure 19.
3. Double-click VACS Storage Policy to display the Storage Policy settings. The System Disk policies are shown on the landing screen.
Figure 20.
4.
Figure 21.
5.
Scenario 2.
In this scenario, the user (in the role of Cloud Admin) creates a new Secure Application Container Template, which will be used by
a Service End User to deploy an application container.
1. Double-click the UCSD Login shortcut, and log in to UCS Director if you have not already done so (admin/C1sco12345).
2.
Figure 22.
3.
Figure 23.
4. In the resulting Add Virtual Application Container Services wizard, enter/select the following fields:
Figure 24.
Template Specification
5.
6. For the Container Application Size, click Select and choose Small.
7. Click Select.
Figure 25.
8.
High Availability: No
Figure 26.
9.
Deployment Size
Management IP Pool: The IP pool for Container Edge Gateway and Container App Firewall
Router Uplink IP Pool: The IP Pool for Container Edge Gateway Uplink
Router Type: Private or Public, depending on the Container IP Subnet Pool type
10. Click the Select button for the Management IP Pool. In the resulting dialog box, select Device Management Pool and click
Select.
Figure 27.
11. Click the Select button for the Router Uplink Pool. In the resulting dialog box, select Router Uplink Pool and click Select.
Figure 28.
12. Select Public from the Router IP Type drop-down to view additional configuration options. For this lab, we will not use the
Public IP Type, so do not click Next.
NOTE: This will expose additional configuration options for the Container Edge Gateway. The supported L3 Routing Protocols are Static and EIGRP. Depending on the selected Routing Protocol option, additional configuration options such as the EIGRP Autonomous System Number and MTU are displayed.
Figure 29.
13. Select Private from the Router IP Type drop-down and click Next to proceed to the VM Networks screen and configure the container's internal network.
Figure 30.
Select IP Type
14. Click the add icon to add a VM Network.
15. Type lan0 (or any other name) in the Network Name field.
16. Select VXLAN from the Network Type drop-down menu.
17. Click Select to view the VXLAN Pool list. Select VACS-Container-VXLAN-Pool and click Select to define the VXLAN Pool
that will be used when the container is instantiated.
Figure 31.
18. Click Select to view the IP Subnet Pool list. Select VACS-Container-Inside-Subnet-Pool and click Select to define the IP Subnet Pool that will be used as the container's internal IP Subnet.
Figure 32.
Adding VM Networks
20. Click Submit, then OK to return to the VM Networks screen, where the newly created VM Network is now displayed.
Figure 34.
VM Networks
NOTE: The following steps will add a VM to the WebZone security zone. When this is completed, you will repeat the procedure to
add a VM to the AppZone and the DBZone, ending up with one VM in each zone. Adding additional VMs to a security
zone is supported, but beyond the scope of this lab.
23. Configure the VM as follows:
a.
Security Zone: For the first VM, select WebZone, for the two subsequent VMs select AppZone and DBZone
b.
WebZone: frontend
AppZone: middle
DBZone: backend
c.
d.
e.
Uncheck the Use Network Configuration from Image checkbox. Failure to do so will result in an incorrect IP address on the VM.
f.
Click
Figure 35.
g.
Figure 36.
VM Parameters
Figure 38.
Scenario 3.
In this scenario the user, acting as a Cloud Administrator, publishes the newly created container template to the catalog, where
Service End Users can utilize it to construct their own three-tier applications.
1.
Figure 40.
2.
Figure 41.
3. Select Service Container from the Catalog Type drop-down and click Submit.
4. In the resulting dialog box, enter the configuration parameters of the catalog in which the template will be deployed:
Catalog Name: This name will show up in the Service End User's Catalog screen (3-Tier-App is suggested).
Click the Select button next to Selected Groups, and select dCloud-group.
5.
6.
Figure 42.
7.
Summary of Catalog
Figure 43.
Log Out
Scenario 4.
In this scenario, participants act as Service End Users and request the deployment of a pre-configured Secure Application
Container from a published catalog.
Demonstration Steps
Requesting a Secure Application Container
1.
Figure 44.
2.
3.
NOTE: To go through the process of creating a Secure Application Container template and publishing the catalog, please refer to
the Cisco Virtualized Application Container Services 2.0 v1 Lab and the associated lab guide.
Figure 45.
4.
Figure 46.
8.
NOTE: For more details on the 3-Tier Application Model used in this container, please check Appendix B.
Figure 47.
5. Click Next to advance through the Catalog Selection screen (no changes).
6. In the Deployment Configuration screen, enter FirstApp as the Service Container Name and click Next to advance to the Summary screen.
Figure 48.
7.
9. Wait for the system to acknowledge the submission of the request, and click OK.
NOTE: It might take a few minutes before the system acknowledges the submission of the request. Please be patient.
Figure 49.
Click the Services tab to see the list of services submitted by the user.
2. Click the recently created service request, then click the View Details button when it becomes live. This will bring up the Service Request details.
Figure 50.
3. Monitor the progress of the Service Request, clicking Refresh as necessary. While the service request is progressing, proceed to the next section of this scenario. Monitor the request via vSphere and UCS Director simultaneously.
NOTE: It will take approximately 40 minutes for the workflow to complete. Please keep in mind that we are automating a process that usually takes weeks when done manually. Steps 9 and 10 of the workflow may appear frozen; please be patient and wait for the workflow to complete.
Figure 51.
1.
2. Check the Use Windows session credentials box to log in with the Windows session credentials.
Figure 52.
on the desktop.
3. Make sure you land on the default Home > Inventory > Host and Clusters screen.
4. Click dCloud-Cluster to see the progress of the deployment in the Recent Tasks window, at the bottom of the screen.
Figure 53.
5. Watch the application VMs drop into the dCloud-Cluster. Five VMs will be created:
FirstApp_WebZone_Webserver-1
FirstApp_AppZone_AppServer-1
FirstApp_DBZone_DBServer-1
FirstApp-primary-csr
FirstApp-primary-vsg
In the UCS Director window, click the Virtual Resources tab, then click Application Containers.
Figure 54.
2.
Figure 55.
3.
View Reports
Select Summary in the drop-down and click Submit to generate the Container Summary Report.
Figure 56.
4.
Figure 57.
Scenario 5.
In this scenario, the users will verify connectivity within the Secure Application Container. In order to achieve this, users will have to request Static NAT configuration on the deployed CSR Router so access is granted from the external network (where the demo workstation, wkst1, resides) to the container's web tier.
Demonstration Steps
In this section, you will request Static NAT on the deployed CSR to allow connectivity to the deployed container from the External
Network.
1. Log in to the UCS Director portal if you are not already logged in (demouser/C1sco12345).
2. Click the Virtual Resources tab, then click the Application Containers tab.
Figure 58.
3. Click the newly created Application Container (FirstApp, if you used that name for your container). Click the Static NAT button when it becomes live.
Figure 59.
4. Select FirstApp_WebZone_WebServer-1 from the list to configure Static NAT on that VM, and then click Submit.
Figure 60.
5. Click OK.
6. Click the Services tab to monitor the status of this Service Request until it is completed.
Click Virtual Resources > Application Containers and click the FirstApp container.
2.
Figure 61.
3. Select Detailed Report without Credentials from the Select Report Type drop-down.
Figure 62.
4. Scroll to the bottom of the report and take note of the External IP Address. This is the IP address you will need to use in order to test connectivity to the recently deployed Secure Application Container. If this is the first container you deploy in this demonstration session, the IP should be 198.18.128.121.
Figure 63.
5. Verify connectivity to the NATed web server by opening a browser and browsing to the External IP Address (in this case, http://198.18.128.121).
NOTE: You may have to refresh the page a few times before it displays the contents. There are a few elements of the recently deployed container in the demo environment that need to stabilize for proper functionality.
Figure 64.
Keep in mind that although the external network has been granted access to the Web tier only, the Web tier requests data from the
App tier, which in turn requests additional data from the DB tier in accordance with the 3-Tier Internal Container policies.
This concludes the activities in this scenario.
Appendix A.
This section explains the 3-Tier Application Model that is the basis of this demo.
The 3-Tier Application model used in this demonstration involves a Web Tier, an App Tier and a DB Tier, each with a single workload VM. The protocols used for communication inside the 3-Tier Application model are HTTP (TCP 80) and MySQL (TCP 3306).
Figure 65.
Once a browser sends the HTTP request to the Web Server Portal, the Web Server pulls data from the App Server (HTTP, TCP 80), which in turn pulls data from the DB Server (MySQL, TCP 3306). When these ports are allowed, the 3-Tier App should be fully functional as shown in the figure below.
Figure 66.
When traffic is blocked between the App Tier and the DB Tier, the 3-Tier Application will work only partially, failing to show the content of the database on the DB Server.
Figure 67.
3-Tier Application Model: Web Portal, MySQL blocked between App and DB.
The same happens when traffic is blocked between the Web Tier and the App Tier: the 3-Tier Application will work only partially.
Figure 69.
3-Tier Application Model: HTTP blocked between Web and App Tier.
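The three outcomes shown in the figures (fully functional, MySQL blocked between App and DB, HTTP blocked between Web and App) and the Static NAT verification from Scenario 5 come down to one rule: each hop in the request chain only happens if the zone policy allows it and, for the first hop, only if a Static NAT entry maps the external address to the web VM. The following Python is an added example, not code from the Cisco lab guide or from UCS Director, PNSC or the CSR; it models that chain as an evaluation over a set of zone rules. The external address 198.18.128.121 and the VM names FirstApp_<Zone>_<Server>-1 come from the lab text; the "External" zone, the rule set and the `browse` simulation are constructed for illustration.

```python
"""Added example (not from the Cisco lab guide): a model of the 3-Tier
container's zone policy and of the Static NAT verification step. The
external IP and VM names follow the lab text; the External zone and the
rules themselves are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet

HTTP, MYSQL = 80, 3306
EXTERNAL_IP = "198.18.128.121"  # External IP Address reported for the first container

# Which security zone each workload VM belongs to.
VM_ZONE: Dict[str, str] = {
    "FirstApp_WebZone_WebServer-1": "WebZone",
    "FirstApp_AppZone_AppServer-1": "AppZone",
    "FirstApp_DBZone_DBServer-1": "DBZone",
}


@dataclass(frozen=True)
class Rule:
    """One permitted flow: src_zone may open TCP `port` towards dst_zone."""
    src_zone: str
    dst_zone: str
    port: int


# Policy that makes the app fully functional: external clients reach the web
# tier only; web -> app over HTTP; app -> db over MySQL.
FULL_POLICY: FrozenSet[Rule] = frozenset({
    Rule("External", "WebZone", HTTP),
    Rule("WebZone", "AppZone", HTTP),
    Rule("AppZone", "DBZone", MYSQL),
})

# Static NAT requested in Scenario 5: only the web VM receives an external address.
STATIC_NAT: Dict[str, str] = {EXTERNAL_IP: "FirstApp_WebZone_WebServer-1"}


def allowed(policy: FrozenSet[Rule], src_zone: str, dst_zone: str, port: int) -> bool:
    return Rule(src_zone, dst_zone, port) in policy


def without(policy: FrozenSet[Rule], src_zone: str, dst_zone: str, port: int) -> FrozenSet[Rule]:
    """Return the policy with one flow blocked (the two partial-failure figures)."""
    return policy - {Rule(src_zone, dst_zone, port)}


def browse(policy: FrozenSet[Rule], static_nat: Dict[str, str],
           dst_ip: str = EXTERNAL_IP, port: int = HTTP) -> Dict[str, bool]:
    """Simulate a browser request from the External network and report which
    tiers answered. Each hop is attempted only if the previous one succeeded."""
    result = {"web": False, "app": False, "db": False}
    vm = static_nat.get(dst_ip)  # Static NAT resolves the external IP to an inside VM
    if vm is None or not allowed(policy, "External", VM_ZONE[vm], port):
        return result  # no mapping or no permit: the connection fails outright
    result["web"] = True
    if not allowed(policy, "WebZone", "AppZone", HTTP):
        return result  # portal loads, App data missing
    result["app"] = True
    if not allowed(policy, "AppZone", "DBZone", MYSQL):
        return result  # portal and App data load, DB content missing
    result["db"] = True
    return result


def describe(result: Dict[str, bool]) -> str:
    shown = [tier for tier, ok in result.items() if ok]
    if len(shown) == len(result):
        return "fully functional"
    return f"partial: {', '.join(shown) or 'no response'}"


if __name__ == "__main__":
    print(describe(browse(FULL_POLICY, STATIC_NAT)))
    print(describe(browse(without(FULL_POLICY, "AppZone", "DBZone", MYSQL), STATIC_NAT)))
    print(describe(browse(without(FULL_POLICY, "WebZone", "AppZone", HTTP), STATIC_NAT)))
    print(describe(browse(FULL_POLICY, {})))  # before Static NAT has been requested
```

The last call shows why Scenario 5 is needed at all: with the full zone policy in place but no Static NAT entry, the external workstation gets no response, because nothing maps 198.18.128.121 to the web VM. The two `without` calls reproduce the partial-failure figures, and neither of them ever exposes the App or DB tier to the External zone, which is the point of granting external access to the web tier only.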