© 2012 Cisco and/or its affiliates. All rights reserved. 1

Автоматизированое развертывание виртуализированной инфраструктуры с интегрированными сетевыми сервисами на базе Nexus 1000V и VSG с использованием UCS Director Виктор Пустошилов Системный инженер Cisco

Апрель, 2014

© 2012 Cisco and/or its affiliates. All rights reserved. 2

-  Cisco UCS Director overview

-  Virtual Network Services •  Virtual Network Services and vPath •  Cisco VSG and Nexus 1000v •  Cisco Prime Network Services Controller overview

-  Cisco UCS Director: PNSC and VSG Features •  Cisco PNSC Management •  Cisco VSG based Application Container support

© 2012 Cisco and/or its affiliates. All rights reserved. 3

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4

Развертывание на основе политик

vFiler

СХД Вирт. машины Сеть Вычислит.

платформа

Безопасные контейнеры для приложений

Self-Service Infrastructure

Единая точка управления

Сквозная

автоматизация и управление жизненным циклом

СХД

Сеть

Вычисления

Tenant B

Tenant C

Tenant A

A B C

Виртуализация

Storage Manager

B C A

Virtualization Manager

Network Manager

Compute Manager

Storage Manager

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5

Эксперты

задают политики

Политики применяются для создания профилей серверов и

конфигураций LAN, SAN, CХД

2

Nexus 1000v vSwitch

VI SME

Storage SME

Server SME

Network SME

Server Policy…

Storage Policy…

Network Policy…

Virtualization Policy…

Application Profiles…

Server Name UUID, MAC, WWN Boot Information LAN, SAN Config Firmware Policy SAN Zoning Create and MAP LUN

Развертывание физической и

виртуальной сред

3

Система готова к использованию

4

Имя сервера, UUID, MAC, WWN, политика загрузки, конфигурация

LAN, SAN прошивки и т.д.

Конфигурация СХД

Конфигурация виртуальной

инфраструктуры

Конфигурация сети

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 6

Портал самообслуживания

Cloupia  Unified  Infrastructure  Controller  Mul5-­‐tenant    &  integrated  cloud  pla9orm  

Консоль администратора

Dashboard

Виртуальная среда

Amazon,  Rackspace,  …  

VMware    

Hyper-­‐V  

vCenter SCVMM

Интеграция с внешними системами

IT  Admins  

End  Users  

IT  Opera5ons  

LDAP,  CMDB,  Metering  DB  

Blade Server

Managers Network Manager

Storage APIs

•  Модульная  система  •  Открыта  для  интеграции  •  Устанавливается  как  appliance  

Cisco UCS Director Integrated Multi-tenant Cloud Platform

Cloupia Network Services

Agent

Cloupia Network Services

Agent

Cloupia Network

Services Agent

 KVM  

Savvis  VPDC,  Terremark,  …  

Other  Providers  

Физическая среда «Облака»

Provider  API  

Mobile  Devices  

Roll-­‐based  Access  

RHEVM

Other   Other  

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7

NetApp Storage

Virtualization (VMware/Hyper-V/KVM)

Cisco Nexus

Compute (UCS)

FlexPod

EMC Storage

Virtualization (VMware/Hyper-V)

Cisco Nexus/MDS

Compute (UCS)

VSPEX

Системы хранения

Сеть

Другие комбинации

Виртуализация

Одна система UCS Director может управлять несколькими «интегрированными стеками»

EMC Storage

Virtualization (VMware)

Cisco Nexus/MDS

Compute (UCS)

Vblock

Серверы

Поддержка CХД Hitachi – в следующих релизах

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8

UCS Director позволяет из единого окна решать задачи по конфигурированию инфраструктуры: •  Cisco UCS: cоздание политик, профилей, пулов, шаблонов и другие необходимые для работы задачи

•  Дисковые массивы EMC и NetApp: создание томов и LUN-ов, регистрация инициаторов, LUN masking/mapping и пр.

•  Сетевое оборудование: создание VLAN-ов, конфигурация trunk, port-channel и др.

•  Среды виртуализации: управление кластерами, виртуальными машинами и др.

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9

Более 400 преднастроенных шаблонов для управления различными устройствами: •  Платформа Cisco UCS •  СХД NetApp и EMC •  Сетевое оборудование •  Среды виртуализации •  Служебные задачи – утверждение заявок, скрипты и пр.

Создание собственных сценариев с помощью «Drag ‘n drop»

UCS Tasks •  Select UCS Server •  Reset UCS Server •  Power On UCS Server •  Power Off UCS Server •  Create UCS Service Profile from Template •  Create UCS Service Profile •  Select UCS Service Profile •  Modify UCS Service Profile Boot Policy •  Delete UCS Service Profile •  Associate UCS Service Profile •  Disassociate UCS Service Profile •  Create UCS Boot Policy •  Modify UCS Boot Policy LUN ID •  Clone UCS Boot Policy •  Modify UCS Boot Policy WWPN •  Add VLAN •  Delete UCS Boot Policy •  Delete UCS VLAN •  Add VLAN to Service Profile •  Add iSCSI vNIC to Service Profile •  Add vNIC to Service Profile •  Delete vNIC from Service Profile •  Create Service Profile iSCSI Boot Policy •  Modify Service Profile Boot Policy to Boot from iSCSI

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11

•  Автоматическое выделение ресурсов

•  Запуск процесса в один «клик»

•  Контроль всех операций

Быстрое и простое предоставление ИТ сервисов

Минуты

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13

•  Набор ресурсов (сетевых, вычислительных, СХД), выделяемых пользователю на общей инфраструктуре ЦОД

•  В рамках VDC осуществляется взаимодействие физических и виртуальных сред

•  Выделение ресурсов для VDC как правило осуществляется на основе политик в рамках POD (Point of Delivery)

•  VDC также может включать выделенные сетевые сервисы – FW, Load Balancing и тд

•  VDC является основой для развертывания многоуровневых приложений в облаке

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14

•  Самостоятельный запрос / получение ресурсов •  Доступ к ресурсам / функционалу на основании профилей пользователей

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 15

Self-Service

•  Что?

•  Как?

•  Для кого?

Запрос на сервис Автоматизация выполнения запроса на

сервис

Автоматизация значит:

ü  Быстро

ü Целостно

Сеть

Серверы

СХД

«Хочу!»

© 2012 Cisco and/or its affiliates. All rights reserved. 16

© 2012 Cisco and/or its affiliates. All rights reserved. 17

Сценарий 1: Сервисы на физических устройствах

vPath: VSN Data Path

VM VM VM VM

Физические

Сервисные узлы

Физическая сеть

Виртуальные коммутаторы

Плюсы -  Сеть работает, как мы привыкли. Старые-добрые ASA, FWSM J

-  Выделенные производительные системы для сервисных задач

Минусы -  Физические устройства ничего не знают о виртуализации

-  Трафик ходит извилистыми путями

© 2012 Cisco and/or its affiliates. All rights reserved. 18

Сценарий 2: Сервисы на отдельных виртуальных машинах

vPath: VSN Data Path

VM VM VM VM

Виртуальные

Сервисные узлы

Физическая сеть

Виртуальные коммутаторы

Плюсы -  VSN управляются из общей среды виртуализации

-  Выделенные системы для сервисных задач

-  Виртуальные узлы легко создавать и удалять

-  Снижение стоимости

-  Меньше проблем с логистикой

VSN

VSN

© 2012 Cisco and/or its affiliates. All rights reserved. 19

Cisco Cloud Network Services (CNS) Multi-Hypervisor

(VMware, Microsoft, RedHat*)

Nexus 1000V vPath

Virtual Security Gateway

Cloud Services Router 1000V

Prime virtual NAM

ASA 1000V

Virtual WAAS

Citrix NetScaler

1000V

Imperva SecureSphere

WAF

Nexus 1000V (Dist. Virtual Switch)

•  Distributed switch

•  NX-OS consistency

VSG (Zone-based FW)

•  VM-level controls

•  Zone-based FW

ASA 1000V (Cloud FW)

•  Edge firewall, VPN

•  Protocol Inspection

vWAAS (WAN Optimization)

•  WAN optimization

•  Application traffic

CSR 1000V (Cloud Router)

•  WAN L3 gateway

•  Routing and VPN

Partner Services

•  Citrix NetScaler 1000V virtual ADC

•  Imperva Web App. FW

vNAM (Network Analytics)

•  App Visibility (L2-L7)

•  Overlay Intelligence (OTV, VXLAN, FP**)

•  Широкий набор сервисов

•  Технология vPath для traffic stearing

•  Мультигипервизорная платформа

© 2012 Cisco and/or its affiliates. All rights reserved. 20

•  Виртуальная машина на каждом хосте, использующая API гипервизора для перехвата трафика

Гипервизор

VM VM VSN

•  Виртуальная машина на несколько хостов, использующая распределенный коммутатор для перехвата трафика

Гипервизор

VM VM VM

Гипервизор

VM VM VM

Гипервизор

VM VM VSN

vSwitch

vSwitch vSwitch Гипервизор

VM VM VSN

Гипервизор

VM VM VSN

© 2012 Cisco and/or its affiliates. All rights reserved. 21

Архитектура для интеграции виртуальных сервисов

•  Пакет перенаправляется на VSN

•  VSN принимает решение об обработке пакета

•  Правило по обработке пакета устанавливается в VEM

Nexus 1000V VEM

Nexus 1000V VEM

VM VM VM VM VM VM VM VSN VSN VSN VSN

vPath vPath vPath Nexus 1000V VEM

© 2012 Cisco and/or its affiliates. All rights reserved. 22

Production VMs Virtual Service Nodes

Виртуальные сервисы + VPath

Nexus 1000V VEM

Nexus 1000V VEM

Nexus 1000V VEM

VM VM VM VM VM VM VM VSN VSN VSN VSN

vPath vPath vPath

Трафик обрабатывается локально

Вычислительные ресурсы тратятся экономно Требуется меньше VSN

© 2012 Cisco and/or its affiliates. All rights reserved. 23

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 24

vCenter

Port Profile VM Context Security Profile

24

Серверный администратор

Среда управления

VSM

Среда управления

Сетевой администратор

Объекты управления

VM VM VM

Объекты управления

Администратор ИБ

Средство управления Средство управления

PNSC

Среда управления

Объекты управления

Средство управления

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 25

Сетевой администратор регистрирует VSN на Nexus 1000v VSM(config)# vservice node vsg1 type vsg VSM(config-vservice-node)# ip address 192.168.21.9 VSM(config-vservice-node)# adjacency l2 vlan 21

VSM(config)# port-profile WevSrv VSM(config-port-prof)# vservice node vsg-tenant1 profile Web-Sec-profile VSM(config-port-prof)# end

Сетевой администратор добавляет профиль безопасности к профилю порта

Администратор ИБ добавляет профиль безопасности

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 26

Обработка трафика с VPath

Nexus 1000V Distributed Virtual Switch

VM VM VM

VM VM

VM

VM VM VM

VM

VM

VM VM VM

VM VM VM VM

VM

vPath

PNSC

Log/Audit

Первый пакет сессиии

VSG

1 Проверка политики безопасности

2

Установка правила 3

4

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 27

Performance Acceleration with vPath

Nexus 1000V Distributed Virtual Switch

VM VM VM

VM VM

VM

VM VM VM

VM

VM

VM VM VM

VM VM VM VM

VM

vPath

Оставшиеся пакеты потока

Политика загружена на Nexus 1000v

PNSC

Log/Audit

VSG

Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 28

© 2014 Cisco and/or its affiliates. All rights reserved. 29

•  Address cloud management networking challenges –  Network virtualization

–  New operational models –  Multitenancy

•  Virtual and physical services support

•  Hybrid cloud management

•  Multivendor, multiplatform, multiservice

•  Ecosystem – integration point to northbound management and orchestration systems

•  SDK

–  Infrastructure to support third-party network services

–  Increased feature customization and velocity

DHCP

NAT DNS

IPSec VPN

Fire-wall

Virtualization

ACL OSPF

Static EIGRP LB

BGP

IKE

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 30

Amazon

Azure

Terremark

Cisco Intelligent Automation for Cloud

Cisco UCS Director

N1KV InterCloud

VSG (Zone-Based

Firewall)

Virtual ASA(Edge Firewall)

CSR1000V (L3 Router)

Third-Party Load

Balancers (VPX)

Image Management

Policy Management

Service Configuration

System Administration

License Management

Cisco Prime Network Services Controller

Service Chaining Config Archive VM Lifecycle Change Audit Monitoring

Single API

IP Address Management

Capacity Management

Performance Management

vSphere HyperV KVM Xen

Multi-Hypervisor

OpenStack CloudStack

BMC CLM Other

Policy Driven, Template Based

3rd Party vSwitch

Nexus 1000v

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 31

Tenant

Virtual Datacenter

Tier

•  Up to 5 levels can be created in the Org hierarchy •  Configuration Objects can be attached at any level •  Segregate VMs and Scales to SP grade

Universe

DC1 DC2

T2

root

Z2 Z1

T2 T1

T1

Zone

vApp across levels …etc

© 2012 Cisco and/or its affiliates. All rights reserved. 32

© 2012 Cisco and/or its affiliates. All rights reserved. 33

-  PNSC Management •  Add PNSC account

•  Collect PNSC inventory and provide inventory reports

•  Actions and workflow task support

-  VSG based Application Container support •  Integrate VSG into existing Applications Containers

© 2012 Cisco and/or its affiliates. All rights reserved. 34

-  PNSC Account management involves 1.  Add PNSC account

2.  Collect PNSC object inventory

3.  Provide PNSC object inventory reports

4.  Support PNSC object actions

5.  Support for PNSC object workflow tasks

© 2012 Cisco and/or its affiliates. All rights reserved. 35

Administration -> Physical Account

© 2012 Cisco and/or its affiliates. All rights reserved. 36

Physical -> Network -> Network Accounts The PNSC accounts added will be visible in this location.

© 2012 Cisco and/or its affiliates. All rights reserved. 37

Drilldown into PNSC account to view the inventory reports.

© 2012 Cisco and/or its affiliates. All rights reserved. 38

Tenants Report •  Select a Tenant to see the supported actions on the tenant

© 2012 Cisco and/or its affiliates. All rights reserved. 39

vDCs

© 2012 Cisco and/or its affiliates. All rights reserved. 40

VM Mangers

© 2012 Cisco and/or its affiliates. All rights reserved. 41

Clients

© 2012 Cisco and/or its affiliates. All rights reserved. 42

Drilldown vDC to see the vDC child objects. Like Compute Firewall, Zones, Compute Security Profile, ACL Policy Sets & ACL Policies.

© 2012 Cisco and/or its affiliates. All rights reserved. 43

Drilldown the Zone to see the Zone conditions configured for the Zone.

© 2012 Cisco and/or its affiliates. All rights reserved. 44

Drilldown ACL Policy to see the ACL Rules configured for the ACL Policy

© 2012 Cisco and/or its affiliates. All rights reserved. 45

The PNSC supported workflow tasks can be found at Physical Network Tasks -> PNSC Tasks

© 2012 Cisco and/or its affiliates. All rights reserved. 46

©  2013  Cisco  and/or  its  affiliates.  All  rights  reserved.   Cisco  Confiden<al   47  

Firewall GW

(Firewall)

Public / External Network

Application Container

Network-1 10.10.10.x

Network-2 10.10.20.x

VM-n VM-1

©  2013  Cisco  and/or  its  affiliates.  All  rights  reserved.   Cisco  Confiden<al   48  

Application Container

Network-1 10.10.10.x

Network-2 10.10.20.x

VM-n VM-1

Public / External Network

Firewall GW

(Firewall)

© 2012 Cisco and/or its affiliates. All rights reserved. 49

PNSC

UCS Director

© 2012 Cisco and/or its affiliates. All rights reserved. 50

- VSG Integration into Applications Container •  Upload OVA file into UCSD (One time task) •  Create PNSC Firewall policy •  Create Physical Infrastructure policy •  Create Application Container template

Application Container Template

Physical Infrastructure Policy

External Gateway Configuration

PNSC Firewall policy

© 2012 Cisco and/or its affiliates. All rights reserved. 51

Physical Infrastructure Policy

Inputs: •  Container Type (VSG) •  PNSC Account •  Physical Account •  PNSC FW Policy •  External GW

Application Container Template

Inputs: •  Compute Policy •  Storage Policy •  Network Policy •  Cost Model

Container Instances Container

Instances

PNSC FW Policy Inputs: •  PNSC Account •  Zones •  ACLs •  VSG details,

Template

© 2012 Cisco and/or its affiliates. All rights reserved. 52

- Upload OVA file into UCSD •  Administration -> Integration -> Upload Files

© 2012 Cisco and/or its affiliates. All rights reserved. 53

- Create PNSC Firewall policyPhysical -> Network -> Network Accounts -> PNSC Firewall Policy

© 2012 Cisco and/or its affiliates. All rights reserved. 54

- Create PNSC Firewall policy •  Physical -> Network -> Network Accounts -> PNSC Firewall Policy

Add Zones

© 2012 Cisco and/or its affiliates. All rights reserved. 55

- Create PNSC Firewall policy •  Physical -> Network -> Network Accounts -> PNSC Firewall Policy

Add ACL Rules

© 2012 Cisco and/or its affiliates. All rights reserved. 56

- Create PNSC Firewall policy •  Physical -> Network -> Network Accounts -> PNSC Firewall Policy

VSG Configuration

© 2012 Cisco and/or its affiliates. All rights reserved. 57

- Create Physical Infrastructure Policy •  Policies -> Application Containers -> Physical Infrastructure Policies

Provide container type and select Physical account

© 2012 Cisco and/or its affiliates. All rights reserved. 58

- Create Physical Infrastructure Policy •  Policies -> Application Containers -> Physical Infrastructure Policies

Provide the PNSC account and PNSC Firewall policy

© 2012 Cisco and/or its affiliates. All rights reserved. 59

- Create Physical Infrastructure Policy •  Policies -> Application Containers -> Physical Infrastructure Policies

Provide the External Gateway configuration

© 2012 Cisco and/or its affiliates. All rights reserved. 60

- Create Application Template •  Policies -> Application Containers -> Application Container Template

Template details

© 2012 Cisco and/or its affiliates. All rights reserved. 61

- Create Application Template •  Policies -> Application Containers -> Application Container Template

Physical Infrastructure policy selection

© 2012 Cisco and/or its affiliates. All rights reserved. 62

- Create Application Template •  Policies -> Application Containers -> Application Container Template

Gateway Internal network configuration. Only one network for VSG

Containers

© 2012 Cisco and/or its affiliates. All rights reserved. 63

- Create Application Template •  Policies -> Application Containers -> Application Container Template

Gateway VM Configuration

© 2012 Cisco and/or its affiliates. All rights reserved. 64

- Create Application Template •  Policies -> Application Containers -> Application Container Template

External Gateway security rules

© 2012 Cisco and/or its affiliates. All rights reserved. 65

- Create Application Template •  Policies -> Application Containers -> Application Container Template

UCSD Policies

© 2012 Cisco and/or its affiliates. All rights reserved. 66

- Create Application Template •  Policies -> Application Containers -> Application Container Template

Container Options

© 2012 Cisco and/or its affiliates. All rights reserved. 67

- Create Application Template •  Policies -> Application Containers -> Application Container Template

Container Setup Workflow selection

Спасибо!