Policy Defined DC ACI Slovenija

Policy defined Data Center with
Application Centric Infrastructure

(ACI)
Ulrich Hamm
Technical Solution Architect
February 2015
Policy defined Data Center with
Application Centric Infrastructure
(ACI)
Josip Zimet
Cloud PSS SEE-12
February 2015
Agenda:
ACI Introduction
ACI Policy Model
Live Demo
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
What is the problem? (i) The network
industry is
here today
And this is
where we
must go
What is the problem? (II)
1995 2014
Server Provisioning
And Configuration
Network Provisioning
And Configuration
Application owner’s perspective of the network
App owner Network admin
What is the problem? (iiI)
Application Network
“I am almost sure this rule is not in use”
•  Rule management in L4-L7 devices (like
firewalls or load balancers) has become a full-
time job
•  Besides, it is a constant source of problems
and headaches in regulatory environments
•  Imagine a world, where rules configure

automatically when servers connect to the
network, and disappear when servers are
decommissioned…
So what does the
solution look like?
ACI Benefit: Deep Telemetry — Application and Tenant
Tenant
Tenant 1 Tenant 2
APIC
Tenant 3 Tenant 4
TENANT
APP
•  Cisco Application Centric Infrastructure Momentum
Download@ http:/www.unleashingit.com/aci
Nexus 9000/ACI APIC Open ACI Ecosystem
580+
33
Ecosystem
60+ Customers Partners and
Customers… in 30 Days! Counting!
•  Customers Across Different

Geos + Segments STORAGE SECURITY
•  Rapid Channel Partner Scale
APIC
COMPUTE NETWORK
APPLICATION CLOUD
Application Service Profiles Enterprise Class Production ready
Cloud Infrastructure
SIM Card
Identity for a Phone
Applications typically start on a white board
Data Center Trends Cause Disruptions
Application Trends
Applications Web 2.0 / DevOps Public/Private Clouds
InterCloud
25% CAGR—Big Data1 45% Multi-Hypervisor4 2/3rd of all Workloads in

10G LoM3 Cloud by 2017
Linux Containers
75% Bare-Metal2
Impact on IT Infrastructure
A Scale
Design and New Application Centric
OperationsInfrastructure
Model is Required
Consumption Model
1 Cisco Global Cloud Index 4 Information week 2013 Virtualization Management Survey
2 IDC Worldwide Virtual Machine 2013-2017 Forecast
3 HP
INFRASTRUCTURE TREND: 10 -> 40GIG Transition
10GE LAN on Motherboard, VM density, Big Data
New Server Platforms Virtual Machine Big Data

Enabling Higher I/0 Density Driving Increasing East
Throughput I/0 Performance West Traffic
VM VM VM VM VM VM
HYPERVISOR
10G LOM/ DATA CENTER

11
Avg.
Upto 12 Cores 25% CAGR
FlexLoM IP TRAFFIC
per Socket *2 VMs Server*1 (2012-2017)*3
Shipping *4 GROWTH
*2 Intel Xeon E5 Spec
*4
http://h30507.www3.hp.com/t5/Coffee-Coaching-HP-
and-Microsoft/HP-FlexibleLOM-for-Gen8/ba-p/
108515
*1 IDC Worldwide Virtual Machine 2013-2017 Forecast *3 Cisco Global Cloud Index: Forecast (2012-2017)
Multi Tenant Multy Hypervisor VMM Domains
ACI Goal: Common Policy and Operations Framework
Cloud
Cloud Admin
Web App DB
Tier Tier Tier
APPLICATION
Application Admin
External
Zone
DMZ Trusted
DB
Zone
Tier
Security Admin SECURITY
Network Admin
ACI Goal: Common Policy and Operations Framework
Cloud
APIC Cloud Admin
Application Admin APPLICATION

External Zone
Trusted
DMZ DB
Zone
Tier
Security Admin
SECURITY
Network Admin
COMMON POOL OF RESOURCES
What’s Application Network Profiles ?
Application Network Profile
Inbound/Outbound Policies Inbound/Outbound Policies
Application Network profiles are a group of EPGs and the policies that define the
communication between them.
19
Tenant Model
Tenant& Customer/$BU/$Group$
Context& Context& VRF$
Bridge& Bridge& Bridge&

L2$Boundary$
Domain& Domain& Domain&
Subnet&A& Subnet&B&
Subnet&D&
Subnet&B& Subnet&F& IP$Space(s)$
EPG$ Groups$of$endA
EPG$ EPG$ A$ EPG$ points$and$the$
A$ EPG$ C$ B$ policies$that$deﬁne$
EPG$
B$ C$ their$connecFon$
20
Defining EPG Relationships Via Contracts
EPG&Web&
EP& EP&
1& 2&
Contract&
Subject&1& Filter&&&|&&AcAon&&|&Label&
Subject&2&
EPG&App&
EP& EP&
1& 2&
EPG$communicaFon$is$deﬁned$by$mapping$EPGs$to$one$another$via$contracts.$
21
ACI adds an Abstraction Layer between
Network and Application…
Application
Port, VLAN, IP, ACL, FW, LB, QoS, NAT,

Routing, etc.
Network Infrastructure
…and replaces complex Configurations by Application
centric Networking Policies
Application
ACI Network Policy
Network Infrastructure
Cisco ACI Introduces Logical Network Provisioning of
Stateless Hardware
Web App DB
QoS Filter QoS

Outside
(Tenant VRF) Filter Service Filter
Cisco® ACI Fabric

Cisco Application
Policy Infrastructure
Scale-Out Penalty-Free Overlay Controller (APIC)
Cisco ACI Network Profile
Policy-Based Fabric Management
•  Extend the principle of Cisco UCS® Application
Manager service profiles to the entire
fabric
•  Network profile: stateless definition of Storage Storage
application requirements
Web Tier App Tier DB Tier
−  Application tiers
−  Connectivity policies The Network Profile Fully Describes the Application
−  Layer 4 – 7 services Connectivity Requirements
−  XML/JSON schema ## Network Profile: Defines Application Level Metadata (Pseudo Code Example)
•  Fully abstracted from the infrastructure <Network-Profile = Production_Web>

<App-Tier = Web>
implementation <Connected-To = Application_Client>
<Connection-Policy = Secure_Firewall_External>
−  Removes dependencies of the infrastructure <Connected-To = Application_Tier>
−  Portable across different data center fabrics <Connection-Policy = Secure_Firewall_Internal & High_Priority>
...
<App-Tier = DataBase>
<Connected-To = Storage>
<Connection-Policy = NFS_TCP & High_BW_Low_Latency>
...
Application Policy Model and Instantiation
Application
Client
Application policy model: Defines
the application requirements Storage Storage
(application network profile)
Web Tier App Tier DB Tier
Policy instantiation: Each device

dynamically instantiates the required
changes based on the policies
VM VM VM VM VM VM VM
10.2.4.7 10.9.3.37 10.32.3.7
All forwarding in the fabric is managed through the application network profile
•  IP addresses are fully portable anywhere within the fabric
•  Security and forwarding are fully decoupled from any physical or virtual network attributes
•  Devices autonomously update the state of the network based on configured policy requirements
Application Awareness
Application-Level Visibility
Actions:
Cisco® ACI Fabric provides the next Triggered Events No new hosts or VMs
PetStore Event or Queries Evacuate hypervisors
generation of analytic capabilities Re-balance clusters
Per application, tenants, and infrastructure:

•  Health scores
•  Latency PetStore Dev PetStore Prod PetStore QA
•  Leaf 1 and 2 •  Leaf 2 and 3 •  Leaf 3 and 4
•  Atomic counters •  Spine 1 – 3 •  Spine 1 – 2 •  Spine 2 – 3
•  Atomic counters •  Atomic counters •  Atomic counters
•  Resource consumption
Integrate with workload placement or

VXLAN Physical and
migration
Per-Hop Visibility Virtual as One
Cisco ACI Layer 4 - 7 Service Integration
Centralized and Automated and Supports Existing Model
•  Elastic service insertion architecture for Web Tier
Policy Redirection
App Tier
physical and virtual services A B
Web Web
App
Web
Server Server
•  Helps enable administrative separation Application
Server Server
between application-tier policy and Admin Chain

“Security 5”
service definition
•  Cisco® APIC as central point of network
control with policy coordination “Security 5” Chain Defined
•  Automation of service bring-up/tear-down
Service
Graph
begin Stage 1 ….. Stage N end
through programmable interface
•  Supports existing operational model
Service Profile
inst inst
Providers
when integrated with existing services
…
Service ……..
Admin inst inst
•  Service enforcement assured, regardless Firewall Load Balancer
of endpoint location
Multihypervisor-Ready Fabric
Network
Admin
Hypervisor Integration
Cisco® ACI Fabric

•  Integrated gateway for VLAN,
VXLAN, and NVGRE networks from
virtual to physical
VLAN VLAN VLAN VLAN
•  Normalization for NVGRE, VXLAN, VXLAN NVGRE VXLAN
and VLAN networks

ESX Hyper-V KVM
•  Customer not restricted by a choice VMware
VMware Microsoft Red Hat
of hypervisor Microsoft PHYSICAL

SERVER
•  Fabric is ready for multiple Red Hat
hypervisors Application Hypervisor

Admin Management
The ACI Policy Model
Defining Terms
!  Tenant - Logical separator for: Customer, BU, group etc.

separates traffic, admin, visibility, etc.
!  Private-L3 - Equivalent to a VRF, separates routing instances,
can be used as an admin separation
!  Bridge Domain - NOT A VLAN, simply a container for subnets, CAN
be used to define L2 boundary
!  End-Point Group - (EPG) Container for objects requiring the same policy
treatment, i.e. app tiers, or services
Logical Model Overview
root\uni
Tenant A Tenant B
Private-L3 A Private-L3 B Private-L3 A
Bridge Bridge Bridge Bridge

Domain Domain Domain Domain
Subnet A Subnet B Subnet A Subnet A
Subnet C
Private-L3 and subnets are independent between tenants

Logical Model Overview (cont.)
root\uni
Coke Pepsi
Dev/Test Prod Web Services
Dev/Test-BD Prod-BD Web-BD App-BD
10.1/24 20.1/24 100.1/16 20.1/24
L2 Enabled = Yes
21.1/24 L2 Enabled = Yes L2 Enabled = Yes
Private-L3 and subnets are independent between tenants

Contracts for Policy
Contracts are used to define relationships.

Defining Terms
!  Contract - Definition of policy. Defines how an EPG communicates with
other EPGs.
!  Subject - Something being ‘discussed.’ Used to build definitions of
communication between EPGs. Contains: filter, action, and optional label.
!  Filter - Identifier for a subject, i.e. the traffic do you want to take
action on. Required within a subject.
!  Action - Action to be taken on the filtered traffic with a subject.
Required within a subject.
!  Label - Optional advanced identifier, when used labels allow for
more complex definition of relationships within the policy model
Applications and Conversations
Application communication can be defined as who is allowed to talk to whom.
App
Users Web Farm Servers DB Farm
Communication between objects on the network can be thought of as one or two

way conversations (monologue/dialogue.)
The Provider Consumer Relationship
Provides Web Provides App

Services Services
App
Users Web Farm Servers
Consumes Consumes
Web Services App Services
Provider consumer relationships define application connectivity in application

terms. All objects can provide, consume, or both.
Defining Provider Consumer Relationships
DB Farm
Defining Provider Consumer Relationships
DB Farm
Contracts and Subjects
External-Web Contract
Subject
!  Subjects define a topic of communication
and the rules to apply Subject
!  Contracts contain one or more subjects
Subject
Contracts define the policies for EPG communication

Subjects
External-Web Contract
Subject Subject
Subject
Filter Action Label
Subject
In/out Drop, mark, Optional

port, etc. redirect, etc. label
Subjects contain: filters, actions and labels

Taboos
Web Services App Services
Explicit Denies Never
allow stated traffic for
Subject Subject
any EP in the group
Subject Subject
Taboos
Provide Consume
Filter
Filter
Contract Bundles
MGMT Services Bundle
AD Contract DNS Contract DHCP Contract
Subject Subject Subject

Subject Subject Subject
Contracts can be bundled for reuse.

Using Bundles
Consume AD Contract Consume Bundle Provide Bundle
MGMT
Shared Services
Route leaking, etc. configured automatically
Provide DNS
MGMT
AD Contract
Consume
Providers are abstracted
Subject away by the contract
Consume Subject DHC
MGMT
P
Provide
Providing/Consuming EPGs can be in different L3-Context (VRF)

Live Demo
Explore APIC Dashboard & Fabric Topology
Single Tennant Multy Hypervisor VMM Domains
Explore VMWare
Explore Hyper V
Multy Hypervisor on APIC
Encapsulation Normalization
Encapsulaiton Normalization
Web to Web (10.11" 20.11, vlan" vxlan)
Esx 1 to esx 3
vCenter access Web 1
Web to Web (10.11" 20.11, vlan " vxlan)
Encapsulation normalization
Data Path App to App (30.12"10.12, vlan " vxlan)
Hyper V to ESX
HyperV access App2
Data Path App to App (30.12"10.12, vlan " vxlan)
App to app operational
Data Path App to Web (30.12" 10.11/20.11, vlan" vlan/
vxlan)
Hyper V to ESX
Data Path App to Web (30.12" 10.11/20.11, vlan " vlan/
vxlan)
Data Path App to DB (30.12 " 10.13/20.13/30/13, vlan "
vlan/vxlan/ethernet)
Hyper V to ESX and physical
Data Path App to DB (30.12 " 10.13/20.13/30/13, vlan "
vlan/vxlan/ethernet)
Connect VMM and APIC through External Routed networks
Create tennant, VRF, Bridge Domain
Create contract Filters
Create EPG or Port Groups
Import Device Package
Add Service Graph
Deploy Service Graph
Deploy Service Graph
Design Service
Add Apache Web Server
Add Node Application
Add MySQL Database
Publish Service in Catalogue
Order Service form Catalogue
Add Tenant – Private Layer 3 Network – Bridge Domain
Tennant – Add private Layer 3 Network – Bridge Domain
Tennant – Private Layer 3 Network – Add Bridge Domain
Tennant – Private Layer 3 Network – Add 2nd Bridge
Domain
Tennant – Private Layer 3 Network – Add 2nd Bridge
Domain
created a tenant with a basic network VRF and a couple of
bridge domains
Tenant " Security Policies " Filters " ACTIONS " Create
Filter
Web Filter
Filter
App Filter
Filter
DB Filter
Web, App DB Filters
Tenant " Security Policies " Contracts " ACTIONS "
Create Contract
Web Server Contracts
Create Contract
App Contract
Create Contract
DB Contract
Web, App, DB Contracts
Tenant " Application Profiles " ACTIONS " Create
Application Profile
Application Profile + Web EPG + Bridge Domain
Application Profile + App EPG + Bridge Domain
Application Profile + DB EPG + Bridge Domain
Add Provided & Consumed Contract for Web EPG
Add provided/Consumed Contract for App EPG
Add Provided Contract for DB EPG & Complete
Topology View of 3Tier Application Profile
Execute Python Script which insert Service Graph into
tenant
• Import ASA Device Package

• Create Device Cluster
o Create Logical Interfaces
o Create Concrete Device • Create Service Graph
o Attach Contract Service Graph
user01@tools:~$ ./request.py Scripts/Build_Lab6.cfg
Hit return to upload Scripts/asa-device-pkg-1.0.1.35.zip
This script will import the ASAv device package.
To verify that the device package is imported, go to L4-L7 Services --> Packages and expand Device Types. Hit return to
process Scripts/CreateLDevVip.xml
This script will create a Device Cluster for the ASAv.
To verify the creation of the Device Cluster, go to Tenants --> ACILab. Then expand L4-L7 Services --> Device Clusters.
Hit return to process Scripts/CreateLIf.xml
This script will create the logical interfaces for the Device Cluster name Firewall.
To verify the creation of the logical interfaces, expand Device Clusters --> Firewall.
Hit return to process Scripts/CreateCDev.xml
This script will create the concrete device of the ASAv for the Device Cluster name ASAv.
To verify the creation of the concrete device, go to Tenants --> ACILab. Then expand L4-L7 Services --> Device Clusters -->
Firewall.
Hit return to process Scripts/CreateGraphWithParams.xml
This script will create the Service Graph AppGraph.
To verify the creation of the service graph, go to Tenants --> ACILab and then expand L4-L7 Services -->
Service Graphs.
Hit return to process Scripts/AttachGraphToContract.xml
This script will attach the App Contract to the App Service Graph.
To verify the attachment of the contract to the service graph, go to Tenant --> ACILab. Then expand L4-L7 Services --> Graph Instances.
Tenant " ACILab " L4-L7 Services " Device Clusters "
Firewall
Tenant " ACILab " L4-L7 Services " Service Graph"
FWGraph
Tenant " ACILab " Security Policies " Contracts "
Web_Con " web_subj " Service Graph " ACILAB/
FWNode
how to create a Layer 3 External Routed network using
OSPF
Add Spines as BGP route Reflectors : Fabric – Fabric Policies
" PodPolicies " Policies " BGP Route Reflectors default +
Fabric – Fabric Policies " Policy Groups " Actions
" Create POD Policy Group
Tenants " ACILab " Networking " External Routed Networks " Created
Routed Outside/Node Profile/Border Node
Thank you.

Язык

Добро пожаловать в Scribd!

Policy Defined DC ACI Slovenija

Загружено:

Сведения о документе

Описание:

Дата загрузки

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Описание:

Авторское право:

Доступные форматы

Policy Defined DC ACI Slovenija

Загружено:

Описание:

Авторское право:

Доступные форматы

Похожие издания

Policy defined Data Center with

Application Centric Infrastructure

App owner Network admin

• Imagine a world, where rules configure

Nexus 9000/ACI APIC Open ACI Ecosystem

• Customers Across Different

• Rapid Channel Partner Scale

Applications Web 2.0 / DevOps Public/Private Clouds

25% CAGR—Big Data1 45% Multi-Hypervisor4 2/3rd of all Workloads in

New Server Platforms Virtual Machine Big Data

10G LOM/ DATA CENTER

*2 Intel Xeon E5 Spec

Security Admin SECURITY

APIC Cloud Admin

Application Admin APPLICATION

Application Network Profile

Inbound/Outbound Policies Inbound/Outbound Policies

Context& Context& VRF$

Bridge& Bridge& Bridge&

Port, VLAN, IP, ACL, FW, LB, QoS, NAT,

ACI Network Policy

QoS Filter QoS

Cisco® ACI Fabric

• Fully abstracted from the infrastructure <Network-Profile = Production_Web>

Policy instantiation: Each device

10.2.4.7 10.9.3.37 10.32.3.7

Per application, tenants, and infrastructure:

Integrate with workload placement or

between application-tier policy and Admin Chain

• Automation of service bring-up/tear-down

Cisco® ACI Fabric

and VLAN networks

of hypervisor Microsoft PHYSICAL

• Fabric is ready for multiple Red Hat

hypervisors Application Hypervisor

! Tenant - Logical separator for: Customer, BU, group etc.

Private-L3 A Private-L3 B Private-L3 A

Bridge Bridge Bridge Bridge

Private-L3 and subnets are independent between tenants

Dev/Test Prod Web Services

Dev/Test-BD Prod-BD Web-BD App-BD

10.1/24 20.1/24 100.1/16 20.1/24

Private-L3 and subnets are independent between tenants

Contracts are used to define relationships.

Application communication can be defined as who is allowed to talk to whom.

Communication between objects on the network can be thought of as one or two

Provides Web Provides App

Provider consumer relationships define application connectivity in application

Contracts define the policies for EPG communication

In/out Drop, mark, Optional

Subjects contain: filters, actions and labels

MGMT Services Bundle

AD Contract DNS Contract DHCP Contract

Subject Subject Subject

Contracts can be bundled for reuse.

Consume AD Contract Consume Bundle Provide Bundle

Providing/Consuming EPGs can be in different L3-Context (VRF)

•  Imagine a world, where rules configure

•  Customers Across Different

•  Rapid Channel Partner Scale

•  Fully abstracted from the infrastructure <Network-Profile = Production_Web>

•  Automation of service bring-up/tear-down

•  Fabric is ready for multiple Red Hat

!  Tenant - Logical separator for: Customer, BU, group etc.