
Policy defined Data Center with
Application Centric Infrastructure
(ACI)

Ulrich Hamm
Technical Solution Architect

February 2015
Policy defined Data Center with
Application Centric Infrastructure
(ACI)

Josip Zimet
Cloud PSS SEE-12

February 2015
Agenda:
ACI Introduction
ACI Policy Model
Live Demo

© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
What is the problem? (I)

[Figure: where the network industry is today versus where it must go]

What is the problem? (II)

[Figure: 1995 to 2014 timeline contrasting server provisioning and configuration with network provisioning and configuration]

Application owner’s perspective of the network

[Figure: app owner versus network admin]

What is the problem? (III)

[Figure: application versus network]

“I am almost sure this rule is not in use”
•  Rule management in L4-L7 devices (like firewalls or load balancers) has become a full-time job
•  Besides, it is a constant source of problems and headaches in regulatory environments
•  Imagine a world where rules configure automatically when servers connect to the network, and disappear when servers are decommissioned…

So what does the solution look like?

ACI Benefit: Deep Telemetry — Application and Tenant

[Figure: APIC telemetry at tenant level (Tenant 1 to Tenant 4) and at application level]

Cisco Application Centric Infrastructure Momentum
Download @ http://www.unleashingit.com/aci

Nexus 9000/ACI: 580+ Customers…
APIC: 33 Customers in 30 Days!
Open ACI Ecosystem: 60+ Ecosystem Partners and Counting!
•  Customers Across Different Geos + Segments
•  Rapid Channel Partner Scale

[Figure: APIC ecosystem spanning storage, security, compute, network, application and cloud]

Application Service Profiles

[Figure: enterprise-class, production-ready cloud infrastructure; analogy of the SIM card as the identity for a phone]

Applications typically start on a white board

Data Center Trends Cause Disruptions
Application Trends: Applications, Web 2.0 / DevOps, Public/Private Clouds, InterCloud
•  25% CAGR in Big Data (1)
•  75% Bare-Metal (2)
•  10G LoM (3)
•  45% Multi-Hypervisor (4)
•  Linux Containers
•  2/3rd of all Workloads in Cloud by 2017
Impact on IT Infrastructure: Scale; Design and Operations Model; Consumption Model
A New Application Centric Infrastructure is Required
Sources: (1) Cisco Global Cloud Index; (2) IDC Worldwide Virtual Machine 2013-2017 Forecast; (3) HP; (4) InformationWeek 2013 Virtualization Management Survey

INFRASTRUCTURE TREND: 10 -> 40GIG Transition
10GE LAN on Motherboard, VM density, Big Data
•  New Server Platforms Enabling Higher I/O Throughput: up to 12 cores per socket (2); 10G LOM/FlexLoM shipping (4)
•  Virtual Machine Density Driving Increasing I/O Performance: avg. 11 VMs per server (1)
•  Big Data Driving Increasing East-West Traffic: 25% CAGR data center IP traffic growth, 2012-2017 (3)

[Figure: VMs on a hypervisor attached through 10G LOM to the data center]

Sources: (1) IDC Worldwide Virtual Machine 2013-2017 Forecast; (2) Intel Xeon E5 Spec; (3) Cisco Global Cloud Index: Forecast (2012-2017); (4) http://h30507.www3.hp.com/t5/Coffee-Coaching-HP-and-Microsoft/HP-FlexibleLOM-for-Gen8/ba-p/108515

Multi Tenant Multi Hypervisor VMM Domains

ACI Goal: Common Policy and Operations Framework

[Figure: four admin views of the same application: Cloud Admin (cloud), Application Admin (application: Web Tier, App Tier, DB Tier), Security Admin (security: External Zone, DMZ, Trusted Zone, DB Tier) and Network Admin]

ACI Goal: Common Policy and Operations Framework

[Figure: the same four admin views (Cloud, Application, Security, Network) now expressed through the APIC on top of a common pool of resources]

What are Application Network Profiles?

[Figure: an Application Network Profile with EPGs connected by inbound/outbound policies]

Application Network Profiles are a group of EPGs and the policies that define the communication between them.

Tenant Model

[Figure: hierarchy of the tenant model]
Tenant: customer / BU / group
Context: VRF, i.e. the IP space(s)
Bridge Domain: the L2 boundary, containing subnets (Subnet A, Subnet B, Subnet D, Subnet F)
EPG: groups of end-points and the policies that define their connection

Defining EPG Relationships Via Contracts

[Figure: EPG Web (EP 1, EP 2) and EPG App (EP 1, EP 2) joined by a Contract with Subject 1 (Filter | Action | Label) and Subject 2]

EPG communication is defined by mapping EPGs to one another via contracts.

ACI adds an Abstraction Layer between Network and Application…

[Figure: Application on top; Port, VLAN, IP, ACL, FW, LB, QoS, NAT, Routing, etc. in between; Network Infrastructure at the bottom]

…and replaces complex Configurations by Application centric Networking Policies

[Figure: Application on top; ACI Network Policy in between; Network Infrastructure at the bottom]

Cisco ACI Introduces Logical Network Provisioning of Stateless Hardware

[Figure: Web, App and DB tiers connected through QoS, Filter and Service policies, with Outside (Tenant VRF) reached through a Filter; the Cisco® ACI Fabric is a scale-out, penalty-free overlay managed by the Cisco Application Policy Infrastructure Controller (APIC)]

Cisco ACI Network Profile
Policy-Based Fabric Management
•  Extend the principle of Cisco UCS® Manager service profiles to the entire fabric
•  Network profile: stateless definition of application requirements
−  Application tiers
−  Connectivity policies
−  Layer 4 – 7 services
−  XML/JSON schema
•  Fully abstracted from the infrastructure implementation
−  Removes dependencies of the infrastructure
−  Portable across different data center fabrics

[Figure: Application Client, Web Tier, App Tier, DB Tier and Storage; the Network Profile fully describes the application connectivity requirements]

Network Profile: Defines Application Level Metadata (Pseudo Code Example)
<Network-Profile = Production_Web>
  <App-Tier = Web>
    <Connected-To = Application_Client>
    <Connection-Policy = Secure_Firewall_External>
    <Connected-To = Application_Tier>
    <Connection-Policy = Secure_Firewall_Internal & High_Priority>
  ...
  <App-Tier = DataBase>
    <Connected-To = Storage>
    <Connection-Policy = NFS_TCP & High_BW_Low_Latency>
  ...

Application Policy Model and Instantiation
Application policy model: defines the application requirements (application network profile)
[Figure: Application Client, Web Tier, App Tier, DB Tier and Storage]
Policy instantiation: each device dynamically instantiates the required changes based on the policies
[Figure: VMs on the fabric at 10.2.4.7, 10.9.3.37 and 10.32.3.7]
All forwarding in the fabric is managed through the application network profile
•  IP addresses are fully portable anywhere within the fabric
•  Security and forwarding are fully decoupled from any physical or virtual network attributes
•  Devices autonomously update the state of the network based on configured policy requirements

Application Awareness
Application-Level Visibility
Cisco® ACI Fabric provides the next generation of analytic capabilities
Per application, tenants, and infrastructure:
•  Health scores
•  Latency
•  Atomic counters
•  Resource consumption
Integrate with workload placement or migration

[Figure: PetStore triggered events or queries lead to actions such as "no new hosts or VMs", "evacuate hypervisors" and "re-balance clusters". PetStore Dev (Leaf 1 and 2, Spine 1 – 3, atomic counters), PetStore Prod (Leaf 2 and 3, Spine 1 – 2, atomic counters), PetStore QA (Leaf 3 and 4, Spine 2 – 3, atomic counters). VXLAN per-hop visibility; physical and virtual as one.]

Cisco ACI Layer 4 - 7 Service Integration
Centralized and Automated and Supports Existing Model
•  Elastic service insertion architecture for physical and virtual services
•  Helps enable administrative separation between application-tier policy and service definition
•  Cisco® APIC as central point of network control with policy coordination
•  Automation of service bring-up/tear-down through programmable interface
•  Supports existing operational model when integrated with existing services
•  Service enforcement assured, regardless of endpoint location

[Figure: the Application Admin defines policy redirection between Web Tier (Web Servers A, B) and App Tier (App Servers) through the chain “Security 5”; the Service Admin defines the “Security 5” chain as a Service Graph (begin, Stage 1 ….. Stage N, end) and a Service Profile whose instances are providers such as Firewall and Load Balancer]

Multihypervisor-Ready Fabric
Hypervisor Integration
•  Integrated gateway for VLAN, VXLAN, and NVGRE networks from virtual to physical
•  Normalization for NVGRE, VXLAN, and VLAN networks
•  Customer not restricted by a choice of hypervisor
•  Fabric is ready for multiple hypervisors

[Figure: the Network Admin manages the Cisco® ACI Fabric; ESX (VMware), Hyper-V (Microsoft), KVM (Red Hat) and physical servers attach using VLAN, VXLAN or NVGRE; the Application Admin works through Hypervisor Management (VMware, Microsoft, Red Hat)]

The ACI Policy Model

Defining Terms

!  Tenant - Logical separator for: customer, BU, group etc.; separates traffic, admin, visibility, etc.
!  Private-L3 - Equivalent to a VRF, separates routing instances, can be used as an admin separation
!  Bridge Domain - NOT A VLAN, simply a container for subnets, CAN be used to define L2 boundary
!  End-Point Group (EPG) - Container for objects requiring the same policy treatment, i.e. app tiers, or services

Logical Model Overview

[Figure: tree rooted at root\uni with Tenant A and Tenant B; Tenant A holds Private-L3 A and Private-L3 B, Tenant B holds its own Private-L3 A; each Private-L3 holds Bridge Domains, and each Bridge Domain holds subnets (Subnet A, Subnet B, Subnet C), with subnet names reused across tenants]

Private-L3 and subnets are independent between tenants

Logical Model Overview (cont.)

[Figure: tree rooted at root\uni with tenants Coke and Pepsi. Coke holds Private-L3 Dev/Test (Dev/Test-BD: 10.1/24 and 21.1/24, L2 Enabled = Yes) and Private-L3 Prod (Prod-BD: 20.1/24, L2 Enabled = Yes); Pepsi holds Private-L3 Web Services (Web-BD: 100.1/16; App-BD: 20.1/24, L2 Enabled = Yes). The 20.1/24 subnet appears in both tenants.]

Private-L3 and subnets are independent between tenants

Contracts for Policy

Contracts are used to define relationships.


Defining Terms
!  Contract - Definition of policy. Defines how an EPG communicates with other EPGs.
!  Subject - Something being ‘discussed.’ Used to build definitions of communication between EPGs. Contains: filter, action, and optional label.
!  Filter - Identifier for a subject, i.e. the traffic you want to take action on. Required within a subject.
!  Action - Action to be taken on the filtered traffic within a subject. Required within a subject.
!  Label - Optional advanced identifier; when used, labels allow for more complex definition of relationships within the policy model.

Applications and Conversations

Application communication can be defined as who is allowed to talk to whom.

[Figure: Users, Web Farm, App Servers, DB Farm]

Communication between objects on the network can be thought of as one or two way conversations (monologue/dialogue).

The Provider Consumer Relationship

[Figure: Users consume Web Services; the Web Farm provides Web Services and consumes App Services; the App Servers provide App Services]

Provider consumer relationships define application connectivity in application terms. All objects can provide, consume, or both.

Defining Provider Consumer Relationships

[Figure: the provider/consumer chain extended with the DB Farm]

Contracts and Subjects

[Figure: External-Web Contract containing three Subjects]
!  Subjects define a topic of communication and the rules to apply
!  Contracts contain one or more subjects

Contracts define the policies for EPG communication

Subjects

[Figure: External-Web Contract with Subjects, one of them expanded into Filter, Action and Label]
Filter: in/out port, etc.
Action: drop, mark, redirect, etc.
Label: optional label

Subjects contain: filters, actions and labels

Taboos
Explicit denies: never allow stated traffic for any EP in the group.

[Figure: Web Services and App Services contracts, each with subjects, provided and consumed by EPGs; taboos attached to the EPGs carry their own filters]

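The terms defined on the preceding slides (contracts built from subjects, filters and actions; provider/consumer relationships; taboos as explicit denies) can be put into one small evaluator to see how they combine. The Python below is an added example for this deck, not Cisco's or the presenters' code: the class names are mine rather than APIC object-class names, the three-tier sample (Users, Web, App, DB with ports 443, 8080 and 3306) is constructed, and the evaluation order (taboo first, then consumer-to-provider contract, else implicit deny) is my reading of the slides; the real fabric resolves these rules in leaf hardware rather than with such a function.

```python
"""Toy evaluator for the ACI contract model described on these slides.

Added illustration, not Cisco's or the presenters' code.  It models EPGs,
contracts made of subjects (filter + action), provider/consumer
relationships and taboos, and answers "may traffic from EPG X reach EPG Y?".
Class and function names are mine, not APIC object-class names, and the
three-tier sample (Users, Web, App, DB with ports 443, 8080, 3306) is
constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Filter:
    """Identifies traffic to act on: protocol plus a destination port range."""
    name: str
    proto: str                  # "tcp", "udp", "icmp" or "any"
    dport_from: int = 0
    dport_to: int = 65535

    def matches(self, proto: str, dport: int) -> bool:
        proto_ok = self.proto in ("any", proto)
        return proto_ok and self.dport_from <= dport <= self.dport_to


@dataclass
class Subject:
    """One topic of communication: the filtered traffic and the action on it."""
    name: str
    filters: List[Filter]
    action: str = "permit"      # "permit" or "deny"; mark/redirect left out


@dataclass
class Contract:
    name: str
    subjects: List[Subject]


@dataclass
class Taboo:
    """Explicit deny: never allow the stated traffic for any EP in the EPG."""
    name: str
    filters: List[Filter]


@dataclass
class EPG:
    name: str
    provided: Set[str] = field(default_factory=set)   # contract names
    consumed: Set[str] = field(default_factory=set)
    taboos: List[Taboo] = field(default_factory=list)


class PolicyModel:
    def __init__(self) -> None:
        self.contracts: Dict[str, Contract] = {}
        self.epgs: Dict[str, EPG] = {}

    def add_contract(self, c: Contract) -> None:
        self.contracts[c.name] = c

    def add_epg(self, e: EPG) -> None:
        self.epgs[e.name] = e

    def evaluate(self, src: str, dst: str, proto: str, dport: int) -> str:
        """Return "permit", "deny" (explicit) or "implicit-deny" (no contract).

        1. A taboo on either EPG that matches the traffic wins.
        2. Otherwise the consumer (src) may initiate to the provider (dst)
           for every contract they share, with the matching subject's action.
        3. With no shared contract the fabric drops the traffic.
        """
        s, d = self.epgs[src], self.epgs[dst]
        for epg in (s, d):
            for taboo in epg.taboos:
                if any(f.matches(proto, dport) for f in taboo.filters):
                    return "deny"
        for cname in sorted(s.consumed & d.provided):
            for subj in self.contracts[cname].subjects:
                if any(f.matches(proto, dport) for f in subj.filters):
                    return subj.action
        return "implicit-deny"


def build_sample() -> PolicyModel:
    """Constructed three-tier application: Users -> Web -> App -> DB."""
    m = PolicyModel()
    m.add_contract(Contract("Web-Con", [Subject("https", [Filter("https", "tcp", 443, 443)])]))
    m.add_contract(Contract("App-Con", [Subject("api", [Filter("api", "tcp", 8080, 8080)])]))
    m.add_contract(Contract("DB-Con", [Subject("sql", [Filter("sql", "tcp", 3306, 3306)])]))
    no_telnet = Taboo("no-telnet", [Filter("telnet", "tcp", 23, 23)])
    m.add_epg(EPG("Users", consumed={"Web-Con"}))
    m.add_epg(EPG("Web", provided={"Web-Con"}, consumed={"App-Con"}))
    m.add_epg(EPG("App", provided={"App-Con"}, consumed={"DB-Con"}))
    m.add_epg(EPG("DB", provided={"DB-Con"}, taboos=[no_telnet]))
    return m


if __name__ == "__main__":
    model = build_sample()
    for flow in (("Users", "Web", "tcp", 443), ("Users", "App", "tcp", 8080),
                 ("Web", "App", "tcp", 8080), ("App", "Web", "tcp", 8080),
                 ("App", "DB", "tcp", 3306), ("App", "DB", "tcp", 23)):
        print(flow, "->", model.evaluate(*flow))
```

Two points the run makes visible: direction matters (Web consumes App-Con, so Web may open 8080 to App, but App gets implicit-deny towards Web), and a taboo on the DB EPG denies telnet from any source even where a contract exists, which is the slide's "never allow stated traffic for any EP in the group".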
Contract Bundles

[Figure: MGMT Services Bundle containing the AD Contract, DNS Contract and DHCP Contract, each with its subjects]

Contracts can be bundled for reuse.

Using Bundles

[Figure: the MGMT EPG consuming the AD Contract alone, consuming the whole bundle, or providing the bundle]

Shared Services
Route leaking, etc. configured automatically

[Figure: MGMT consumes the AD Contract while the DNS and DHCP providers sit behind it; providers are abstracted away by the contract]

Providing/Consuming EPGs can be in different L3-Context (VRF)

Live Demo

Multi Tenant Multi Hypervisor VMM Domains

Explore APIC Dashboard & Fabric Topology

Single Tenant Multi Hypervisor VMM Domains

Explore VMware

Explore Hyper V

Multi Hypervisor on APIC

Encapsulation Normalization

Web to Web (10.11 -> 20.11, vlan -> vxlan)

ESX 1 to ESX 3

vCenter access Web 1

Web to Web (10.11 -> 20.11, vlan -> vxlan)

Encapsulation normalization

Data Path App to App (30.12 -> 10.12, vlan -> vxlan)

Hyper V to ESX

HyperV access App2

Data Path App to App (30.12 -> 10.12, vlan -> vxlan)

App to app operational

Data Path App to Web (30.12 -> 10.11/20.11, vlan -> vlan/vxlan)

Hyper V to ESX

Data Path App to Web (30.12 -> 10.11/20.11, vlan -> vlan/vxlan)

Data Path App to DB (30.12 -> 10.13/20.13/30.13, vlan -> vlan/vxlan/ethernet)

Hyper V to ESX and physical

Data Path App to DB (30.12 -> 10.13/20.13/30.13, vlan -> vlan/vxlan/ethernet)

Connect VMM and APIC through External Routed networks

Create tenant, VRF, Bridge Domain

Create contract Filters

Create EPG or Port Groups

Import Device Package

Add Service Graph

Deploy Service Graph

Design Service

Add Apache Web Server

Add Node Application

Add MySQL Database

Publish Service in Catalogue

Order Service from Catalogue

Add Tenant – Private Layer 3 Network – Bridge Domain

Tenant – Add Private Layer 3 Network – Bridge Domain

Tenant – Private Layer 3 Network – Add Bridge Domain

Tenant – Private Layer 3 Network – Add 2nd Bridge Domain

Created a tenant with a basic network VRF and a couple of bridge domains

Tenant -> Security Policies -> Filters -> ACTIONS -> Create Filter

Web Filter

Tenant -> Security Policies -> Filters -> ACTIONS -> Create Filter

App Filter

Tenant -> Security Policies -> Filters -> ACTIONS -> Create Filter

DB Filter

Web, App, DB Filters

Tenant -> Security Policies -> Contracts -> ACTIONS -> Create Contract

Web Server Contracts

Tenant -> Security Policies -> Contracts -> ACTIONS -> Create Contract

App Contract

Tenant -> Security Policies -> Contracts -> ACTIONS -> Create Contract

DB Contract

Web, App, DB Contracts

Tenant -> Application Profiles -> ACTIONS -> Create Application Profile

Application Profile + Web EPG + Bridge Domain

Application Profile + App EPG + Bridge Domain

Application Profile + DB EPG + Bridge Domain

Add Provided & Consumed Contract for Web EPG

Add Provided/Consumed Contract for App EPG

Add Provided Contract for DB EPG & Complete

Topology View of 3-Tier Application Profile

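The GUI steps from "Add Tenant" through filters, contracts, the application profile and the provided/consumed contracts of the three EPGs map onto a single REST payload, which is how the same build is scripted. The Python below is an added example, not the presenters' or Cisco's code: it assumes the APIC managed-object class names and the "uni/tn-<name>" DN form listed in its docstring, takes the tenant name ACILab from the demo, and constructs the VRF name, subnets and filter ports for illustration. It posts nothing; it builds the JSON and runs a consistency check that every consumed contract has a provider in the tenant, the omission that leaves an EPG with silently dropped traffic.

```python
"""Build the APIC REST payload for the three-tier tenant the demo clicks through.

Added example, not Cisco's or the presenters' code.  The managed-object class
names (fvTenant, fvCtx, fvBD, fvRsCtx, fvSubnet, vzFilter, vzEntry, vzBrCP,
vzSubj, vzRsSubjFiltAtt, fvAp, fvAEPg, fvRsBd, fvRsProv, fvRsCons) and the
"uni/tn-<name>" DN form are written from my understanding of the APIC object
model; the subnets, filter ports and the "Prod-VRF" / "3Tier" names are
constructed for illustration.  Nothing is sent to a controller.
"""
import json
from typing import Dict, List, Optional, Tuple


def mo(cls: str, attributes: dict, children: Optional[list] = None) -> dict:
    """One managed object in APIC JSON shape: {class: {attributes, children}}."""
    return {cls: {"attributes": attributes, "children": children or []}}


def build_tenant(name: str) -> dict:
    """Tenant -> VRF -> bridge domains -> filters -> contracts -> app profile,
    in the order the demo slides create them."""
    children = [mo("fvCtx", {"name": "Prod-VRF"})]        # Private-L3 / VRF
    # One bridge domain per tier, bound to the VRF, with a gateway subnet.
    for bd, gw in (("Web-BD", "10.0.1.1/24"), ("App-BD", "10.0.2.1/24"),
                   ("DB-BD", "10.0.3.1/24")):
        children.append(mo("fvBD", {"name": bd}, [
            mo("fvRsCtx", {"tnFvCtxName": "Prod-VRF"}),
            mo("fvSubnet", {"ip": gw, "scope": "private"}),
        ]))
    # Filters: one TCP destination-port entry each (constructed ports).
    for fname, port in (("Web-Filter", "443"), ("App-Filter", "8080"),
                        ("DB-Filter", "3306")):
        children.append(mo("vzFilter", {"name": fname}, [
            mo("vzEntry", {"name": fname + "-entry", "etherT": "ip",
                           "prot": "tcp", "dFromPort": port, "dToPort": port}),
        ]))
    # Contracts: one subject each, attached to its filter.
    for cname, fname in (("Web-Con", "Web-Filter"), ("App-Con", "App-Filter"),
                         ("DB-Con", "DB-Filter")):
        children.append(mo("vzBrCP", {"name": cname, "scope": "context"}, [
            mo("vzSubj", {"name": cname + "-subj"},
               [mo("vzRsSubjFiltAtt", {"tnVzFilterName": fname})]),
        ]))
    # Application profile with the three EPGs: (name, BD, provides, consumes).
    tiers = (("Web", "Web-BD", ["Web-Con"], ["App-Con"]),
             ("App", "App-BD", ["App-Con"], ["DB-Con"]),
             ("DB", "DB-BD", ["DB-Con"], []))
    epgs = []
    for epg, bd, prov, cons in tiers:
        rels = [mo("fvRsBd", {"tnFvBDName": bd})]
        rels += [mo("fvRsProv", {"tnVzBrCPName": c}) for c in prov]
        rels += [mo("fvRsCons", {"tnVzBrCPName": c}) for c in cons]
        epgs.append(mo("fvAEPg", {"name": epg}, rels))
    children.append(mo("fvAp", {"name": "3Tier"}, epgs))
    return mo("fvTenant", {"name": name, "dn": "uni/tn-" + name}, children)


def post_url(tenant_name: str) -> str:
    """Path the payload would be POSTed to (assumed /api/mo/<dn>.json form)."""
    return "/api/mo/uni/tn-%s.json" % tenant_name


def epg_objects(tenant: dict) -> List[dict]:
    """All fvAEPg bodies under every application profile of the tenant."""
    return [e["fvAEPg"] for ap in tenant["fvTenant"]["children"] if "fvAp" in ap
            for e in ap["fvAp"]["children"]]


def contract_edges(tenant: dict) -> Tuple[Dict[Tuple[str, str], str], List[str]]:
    """Pair every consumer EPG with the EPG(s) providing the same contract.

    Returns (edges, dangling): edges maps (consumer, provider) -> contract;
    dangling lists contracts consumed by an EPG but provided by none in this
    tenant, which leaves the consumer's traffic implicitly dropped.
    """
    providers: Dict[str, List[str]] = {}
    consumers: Dict[str, List[str]] = {}
    for epg in epg_objects(tenant):
        for rel in epg["children"]:
            for cls, table in (("fvRsProv", providers), ("fvRsCons", consumers)):
                if cls in rel:
                    table.setdefault(rel[cls]["attributes"]["tnVzBrCPName"], []).append(epg["attributes"]["name"])
    edges, dangling = {}, []
    for cname, cons in consumers.items():
        provs = providers.get(cname)
        if not provs:
            dangling.append(cname)
            continue
        for c in cons:
            for p in provs:
                edges[(c, p)] = cname
    return edges, sorted(dangling)


def add_consumed_contract(tenant: dict, epg_name: str, contract: str) -> None:
    """Append an fvRsCons to an existing EPG (used to show the dangling check)."""
    for epg in epg_objects(tenant):
        if epg["attributes"]["name"] == epg_name:
            epg["children"].append(mo("fvRsCons", {"tnVzBrCPName": contract}))


if __name__ == "__main__":
    t = build_tenant("ACILab")
    print("POST", post_url("ACILab"))
    print(json.dumps(t, indent=1))
    print(contract_edges(t))
```

The check reproduces the slide's provider/consumer picture: Web consumes App-Con from App, App consumes DB-Con from DB, and Web-Con has no consumer inside the tenant because, as in the Users/Web Farm figure, its consumer is outside it. Adding a consumed contract that nobody provides shows up in the dangling list before anything is pushed to the controller.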
Execute Python Script which inserts Service Graph into tenant

• Import ASA Device Package
• Create Device Cluster
  o Create Logical Interfaces
  o Create Concrete Device
• Create Service Graph
  o Attach Contract to Service Graph

user01@tools:~$ ./request.py Scripts/Build_Lab6.cfg
Hit return to upload Scripts/asa-device-pkg-1.0.1.35.zip
This script will import the ASAv device package.
To verify that the device package is imported, go to L4-L7 Services --> Packages and expand Device Types.
Hit return to process Scripts/CreateLDevVip.xml
This script will create a Device Cluster for the ASAv.
To verify the creation of the Device Cluster, go to Tenants --> ACILab. Then expand L4-L7 Services --> Device Clusters.
Hit return to process Scripts/CreateLIf.xml
This script will create the logical interfaces for the Device Cluster name Firewall.
To verify the creation of the logical interfaces, expand Device Clusters --> Firewall.
Hit return to process Scripts/CreateCDev.xml
This script will create the concrete device of the ASAv for the Device Cluster name ASAv.
To verify the creation of the concrete device, go to Tenants --> ACILab. Then expand L4-L7 Services --> Device Clusters --> Firewall.
Hit return to process Scripts/CreateGraphWithParams.xml
This script will create the Service Graph AppGraph.
To verify the creation of the service graph, go to Tenants --> ACILab and then expand L4-L7 Services --> Service Graphs.
Hit return to process Scripts/AttachGraphToContract.xml
This script will attach the App Contract to the App Service Graph.
To verify the attachment of the contract to the service graph, go to Tenant --> ACILab. Then expand L4-L7 Services --> Graph Instances.

Tenant -> ACILab -> L4-L7 Services -> Device Clusters -> Firewall

Tenant -> ACILab -> L4-L7 Services -> Service Graph -> FWGraph

Tenant -> ACILab -> Security Policies -> Contracts -> Web_Con -> web_subj -> Service Graph -> ACILAB/FWNode

How to create a Layer 3 External Routed network using OSPF

Add Spines as BGP Route Reflectors: Fabric – Fabric Policies -> Pod Policies -> Policies -> BGP Route Reflectors default +

Fabric – Fabric Policies -> Policy Groups -> Actions -> Create POD Policy Group

Tenants -> ACILab -> Networking -> External Routed Networks -> Created Routed Outside/Node Profile/Border Node

Thank you.