Automated deployment of virtualized...
TRANSCRIPT
© 2012 Cisco and/or its affiliates. All rights reserved. 1
Automated deployment of virtualized infrastructure with integrated network services based on Nexus 1000V and VSG using UCS Director. Виктор Пустошилов, Systems Engineer, Cisco
April 2014
- Cisco UCS Director overview
- Virtual Network Services
  • Virtual Network Services and vPath
  • Cisco VSG and Nexus 1000v
  • Cisco Prime Network Services Controller overview
- Cisco UCS Director: PNSC and VSG Features
  • Cisco PNSC Management
  • Cisco VSG based Application Container support
[Figure: policy-based deployment. Resource panels: storage (vFiler), virtual machines, network, compute platform; secure application containers; self-service infrastructure; a single point of management; end-to-end automation and lifecycle management across storage, network, compute and virtualization for tenants A, B and C, delivered through the Storage Manager, Virtualization Manager, Network Manager and Compute Manager.]
[Figure: policy-driven provisioning workflow involving the VI SME, Storage SME, Server SME and Network SME, with the Nexus 1000v vSwitch.]
1. Experts define the policies: Server Policy, Storage Policy, Network Policy, Virtualization Policy, Application Profiles.
2. The policies are applied to create server profiles and the LAN, SAN and storage configurations: server name, UUID, MAC, WWN, boot information, LAN and SAN config, firmware policy, SAN zoning, create and map LUN.
3. The physical and virtual environments are deployed: server name, UUID, MAC, WWN, boot policy, LAN/SAN configuration, firmware, etc.; storage configuration; virtual infrastructure configuration; network configuration.
4. The system is ready for use.
[Figure: Cisco UCS Director (Cloupia Unified Infrastructure Controller), an integrated multi-tenant cloud platform. Self-service portal, administrator console and dashboard for IT admins, end users, IT operations and mobile devices, with role-based access. Virtual environment: VMware (vCenter), Hyper-V (SCVMM), KVM, RHEVM, other. Clouds: Amazon, Rackspace, Savvis VPDC, Terremark and other providers, reached through the provider API. Physical environment: blade server managers, network manager and storage APIs, reached through Cloupia Network Services Agents. Integration with external systems: LDAP, CMDB, metering DB.]
• Modular system
• Open for integration
• Installed as an appliance
[Figure: one UCS Director system can manage several "integrated stacks": FlexPod (NetApp storage, VMware/Hyper-V/KVM virtualization, Cisco Nexus, UCS compute), VSPEX (EMC storage, VMware/Hyper-V virtualization, Cisco Nexus/MDS, UCS compute), Vblock (EMC storage, VMware virtualization, Cisco Nexus/MDS, UCS compute), and other combinations of storage systems, network, virtualization and servers.]
Hitachi storage support is planned for upcoming releases.
UCS Director lets you configure the infrastructure from a single window:
• Cisco UCS: creating policies, profiles, pools, templates and the other tasks needed for operation
• EMC and NetApp disk arrays: creating volumes and LUNs, registering initiators, LUN masking/mapping, etc.
• Network equipment: creating VLANs, configuring trunks, port-channels, etc.
• Virtualization environments: managing clusters, virtual machines, etc.
More than 400 pre-built templates for managing different devices:
• Cisco UCS platform
• NetApp and EMC storage
• Network equipment
• Virtualization environments
• Service tasks: request approval, scripts, etc.
Build your own workflows with drag and drop.
UCS Tasks:
• Select UCS Server
• Reset UCS Server
• Power On UCS Server
• Power Off UCS Server
• Create UCS Service Profile from Template
• Create UCS Service Profile
• Select UCS Service Profile
• Modify UCS Service Profile Boot Policy
• Delete UCS Service Profile
• Associate UCS Service Profile
• Disassociate UCS Service Profile
• Create UCS Boot Policy
• Modify UCS Boot Policy LUN ID
• Clone UCS Boot Policy
• Modify UCS Boot Policy WWPN
• Add VLAN
• Delete UCS Boot Policy
• Delete UCS VLAN
• Add VLAN to Service Profile
• Add iSCSI vNIC to Service Profile
• Add vNIC to Service Profile
• Delete vNIC from Service Profile
• Create Service Profile iSCSI Boot Policy
• Modify Service Profile Boot Policy to Boot from iSCSI
• Automatic resource allocation
• One-click process launch
• Control over every operation
Fast and simple delivery of IT services, in minutes.
• A set of resources (network, compute, storage) allocated to a user on the shared data center infrastructure
• Physical and virtual environments interact within the VDC
• Resources for a VDC are usually allocated on the basis of policies within a POD (Point of Delivery)
• A VDC can also include dedicated network services: firewall, load balancing, etc.
• The VDC is the foundation for deploying multi-tier applications in the cloud
• Self-service request and delivery of resources
• Access to resources and functionality based on user profiles
[Figure: Self-Service. A service request ("I want it!") specifies what, how and for whom; fulfilment of the request across network, servers and storage is automated. Automation means: fast, consistent.]
Scenario 1: services on physical devices
[Figure: vPath VSN data path. VMs on virtual switches, the physical network, physical service nodes.]
Pros:
- The network works the way we are used to: the good old ASA and FWSM
- Dedicated high-performance systems for service tasks
Cons:
- Physical devices know nothing about virtualization
- Traffic takes roundabout paths
Scenario 2: services on dedicated virtual machines
[Figure: vPath VSN data path. VMs and VSNs on virtual switches, the physical network, virtual service nodes.]
Pros:
- VSNs are managed from the common virtualization environment
- Dedicated systems for service tasks
- Virtual nodes are easy to create and delete
- Lower cost
- Fewer logistics problems
Cisco Cloud Network Services (CNS): multi-hypervisor (VMware, Microsoft, RedHat*)
[Figure: Nexus 1000V vPath with Virtual Security Gateway, Cloud Services Router 1000V, Prime virtual NAM, ASA 1000V, Virtual WAAS, Citrix NetScaler 1000V and Imperva SecureSphere WAF.]
Nexus 1000V (Dist. Virtual Switch)
• Distributed switch
• NX-OS consistency
VSG (Zone-based FW)
• VM-level controls
• Zone-based FW
ASA 1000V (Cloud FW)
• Edge firewall, VPN
• Protocol Inspection
vWAAS (WAN Optimization)
• WAN optimization
• Application traffic
CSR 1000V (Cloud Router)
• WAN L3 gateway
• Routing and VPN
Partner Services
• Citrix NetScaler 1000V virtual ADC
• Imperva Web App. FW
vNAM (Network Analytics)
• App Visibility (L2-L7)
• Overlay Intelligence (OTV, VXLAN, FP**)
• Broad set of services
• vPath technology for traffic steering
• Multi-hypervisor platform
• A virtual machine on every host that uses the hypervisor API to intercept traffic
• One virtual machine serving several hosts that uses the distributed switch to intercept traffic
[Figure: left, a VSN VM beside the workload VMs on each hypervisor; right, one VSN reached through the vSwitch of each hypervisor.]
Architecture for integrating virtual services
• The packet is redirected to the VSN
• The VSN decides how the packet is to be handled
• The resulting handling rule is installed in the VEM
[Figure: VMs and VSNs attached to Nexus 1000V VEMs, each VEM running vPath.]
Virtual services + vPath
[Figure: production VMs and virtual service nodes attached to Nexus 1000V VEMs with vPath.]
Traffic is processed locally.
Compute resources are used sparingly: fewer VSNs are required.
[Figure: three administrative domains, each with its own management tool, management environment and managed objects: the server administrator works in vCenter and manages the VMs; the network administrator works in the VSM; the security administrator works in PNSC. Objects shown: Port Profile, VM Context, Security Profile.]
The network administrator registers the VSN on the Nexus 1000v:
VSM(config)# vservice node vsg1 type vsg
VSM(config-vservice-node)# ip address 192.168.21.9
VSM(config-vservice-node)# adjacency l2 vlan 21
The network administrator attaches the security profile to the port profile:
VSM(config)# port-profile WevSrv
VSM(config-port-prof)# vservice node vsg-tenant1 profile Web-Sec-profile
VSM(config-port-prof)# end
The security administrator adds the security profile.
Traffic processing with vPath
[Figure: Nexus 1000V Distributed Virtual Switch with VMs, vPath, the VSG and PNSC (log/audit). Labelled steps 1-4: first packet of the session, security policy check, rule installation.]
Performance acceleration with vPath
[Figure: Nexus 1000V Distributed Virtual Switch with VMs, vPath, the VSG and PNSC (log/audit). The remaining packets of the flow are handled by vPath because the policy has been loaded onto the Nexus 1000v.]
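The two vPath slides above describe a slow path (first packet of a session redirected to the VSG, policy checked, rule installed in the VEM) and a fast path (remaining packets of the flow handled locally). The following Python model, added here as an illustration and not code from Cisco or from this deck, shows why the VSG sees only one packet per flow and what the PNSC log/audit record would contain. Zone names, subnets, rules, addresses and packets are constructed sample data; the subnets follow the 10.10.10.x and 10.10.20.x networks of the application container slides later in the deck.

```python
"""vPath flow offload model: first packet to the VSG, rule cached in the VEM.

Added example, not Cisco code. It models the behaviour the slides describe:
the VEM has no entry for a new session, so vPath redirects the first packet
to the VSG; the VSG evaluates its zone-based policy and records the verdict
(what would reach PNSC as log/audit); the verdict is installed as a rule in
the VEM's flow table; every later packet of the flow is decided locally.
Zone names, subnets, rules and packets below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FlowKey:
    """Identity of a session: endpoints, protocol and destination port."""
    src: str
    dst: str
    proto: str
    dport: int


# src_zone, dst_zone, proto, dport (None = any), action
Rule = Tuple[str, str, str, Optional[int], str]


class VSG:
    """Zone-based firewall. A zone is a subnet here; rules are evaluated in
    order, first match wins, and anything unmatched is denied."""

    def __init__(self, zones: Dict[str, str], rules: List[Rule]) -> None:
        self.zones = {name: ip_network(cidr) for name, cidr in zones.items()}
        self.rules = rules
        self.audit: List[Tuple[str, str, str, int, str]] = []  # what PNSC would log
        self.evaluations = 0  # how many packets actually reached the VSG

    def zone_of(self, addr: str) -> str:
        a = ip_address(addr)
        # First matching zone wins, so specific subnets are listed before catch-alls.
        return next((name for name, net in self.zones.items() if a in net), "unknown")

    def evaluate(self, key: FlowKey) -> str:
        self.evaluations += 1
        src_zone, dst_zone = self.zone_of(key.src), self.zone_of(key.dst)
        action = "deny"
        for r_src, r_dst, r_proto, r_port, r_action in self.rules:
            if (r_src, r_dst, r_proto) == (src_zone, dst_zone, key.proto) and r_port in (None, key.dport):
                action = r_action
                break
        self.audit.append((src_zone, dst_zone, key.proto, key.dport, action))
        return action


class VEM:
    """Nexus 1000V VEM with vPath: flow-table hit -> local decision;
    miss -> redirect to the VSG once and cache the returned rule."""

    def __init__(self, vsg: VSG) -> None:
        self.vsg = vsg
        self.flow_table: Dict[FlowKey, str] = {}
        self.redirects = 0

    def process(self, key: FlowKey) -> str:
        if key not in self.flow_table:
            self.redirects += 1
            self.flow_table[key] = self.vsg.evaluate(key)  # rule installed in the VEM
        return self.flow_table[key]


def run_demo() -> Dict[str, object]:
    """Push a few constructed packets through the VEM and summarise the outcome."""
    vsg = VSG(
        zones={"web": "10.10.10.0/24", "db": "10.10.20.0/24", "external": "0.0.0.0/0"},
        rules=[
            ("external", "web", "tcp", 443, "permit"),  # clients may reach the web tier
            ("web", "db", "tcp", 3306, "permit"),       # web tier may reach the database
        ],
    )
    vem = VEM(vsg)
    client_to_web = FlowKey("203.0.113.5", "10.10.10.11", "tcp", 443)
    web_to_db = FlowKey("10.10.10.11", "10.10.20.7", "tcp", 3306)
    client_to_db = FlowKey("203.0.113.5", "10.10.20.7", "tcp", 3306)  # violates the policy
    # Three packets of one session, two of another, then one forbidden session.
    packets = [client_to_web] * 3 + [web_to_db] * 2 + [client_to_db]
    verdicts = [vem.process(p) for p in packets]
    return {
        "verdicts": verdicts,
        "redirects": vem.redirects,      # only first packets went to the VSG
        "evaluations": vsg.evaluations,
        "cached_flows": len(vem.flow_table),
        "audit": vsg.audit,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Six packets produce three VSG evaluations and three cached rules: the fast path serves every packet after the first of each flow, which is the "fewer VSNs required" point of the earlier slide. Denied flows are cached as well, so a VM repeatedly probing a forbidden zone does not load the VSG either; in the real product the cached entries age out and the VSG keeps the audit trail.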
• Address cloud management networking challenges
  – Network virtualization
  – New operational models
  – Multitenancy
• Virtual and physical services support
• Hybrid cloud management
• Multivendor, multiplatform, multiservice
• Ecosystem: integration point to northbound management and orchestration systems
• SDK
  – Infrastructure to support third-party network services
  – Increased feature customization and velocity
[Figure: service icons: DHCP, NAT, DNS, IPsec VPN, firewall, virtualization, ACL, OSPF, static routing, EIGRP, LB, BGP, IKE.]
[Figure: Cisco Prime Network Services Controller. Northbound, through a single API: Cisco Intelligent Automation for Cloud, Cisco UCS Director, OpenStack, CloudStack, BMC CLM, other. Functions: image management, policy management, service configuration, system administration, license management, service chaining, config archive, VM lifecycle, change audit, monitoring, IP address management, capacity management, performance management; policy driven, template based. Managed services: N1KV InterCloud (Amazon, Azure, Terremark), VSG (zone-based firewall), virtual ASA (edge firewall), CSR1000V (L3 router), third-party load balancers (VPX). Southbound: multi-hypervisor (vSphere, Hyper-V, KVM, Xen), Nexus 1000v, 3rd party vSwitch.]
[Figure: PNSC organisation hierarchy: Universe, root, Tenant, Virtual Datacenter (DC1, DC2), Tier (T1, T2), Zone (Z1, Z2), vApp across levels, etc.]
• Up to 5 levels can be created in the Org hierarchy
• Configuration Objects can be attached at any level
• Segregate VMs and scales to SP grade
- PNSC Management
  • Add PNSC account
  • Collect PNSC inventory and provide inventory reports
  • Actions and workflow task support
- VSG based Application Container support
  • Integrate VSG into existing Application Containers
- PNSC account management involves:
  1. Add PNSC account
  2. Collect PNSC object inventory
  3. Provide PNSC object inventory reports
  4. Support PNSC object actions
  5. Support for PNSC object workflow tasks
Administration -> Physical Account
Physical -> Network -> Network Accounts. The PNSC accounts added will be visible in this location.
Drill down into the PNSC account to view the inventory reports.
Tenants Report
• Select a tenant to see the supported actions on the tenant
vDCs
VM Managers
Clients
Drill down into a vDC to see its child objects: Compute Firewall, Zones, Compute Security Profile, ACL Policy Sets and ACL Policies.
Drill down into a Zone to see the zone conditions configured for that Zone.
Drill down into an ACL Policy to see the ACL rules configured for that ACL Policy.
The PNSC supported workflow tasks can be found at Physical Network Tasks -> PNSC Tasks
[Figure: VSG-based application container. A Firewall GW (firewall) connects the Public / External Network to the Application Container, which holds Network-1 10.10.10.x and Network-2 10.10.20.x with VM-1 through VM-n.]
[Figure: UCS Director working together with PNSC.]
- VSG Integration into Application Containers
  • Upload OVA file into UCSD (one-time task)
  • Create PNSC Firewall policy
  • Create Physical Infrastructure policy
  • Create Application Container template
[Figure: the Application Container Template references a Physical Infrastructure Policy, which carries the External Gateway configuration and references a PNSC Firewall policy; container instances are created from the template.]
Physical Infrastructure Policy inputs:
• Container Type (VSG)
• PNSC Account
• Physical Account
• PNSC FW Policy
• External GW
Application Container Template inputs:
• Compute Policy
• Storage Policy
• Network Policy
• Cost Model
PNSC FW Policy inputs:
• PNSC Account
• Zones
• ACLs
• VSG details
- Upload OVA file into UCSD
  • Administration -> Integration -> Upload Files
- Create PNSC Firewall policy
  • Physical -> Network -> Network Accounts -> PNSC Firewall Policy
  • Add Zones
  • Add ACL Rules
  • VSG Configuration
- Create Physical Infrastructure Policy
  • Policies -> Application Containers -> Physical Infrastructure Policies
  • Provide the container type and select the Physical account
  • Provide the PNSC account and PNSC Firewall policy
  • Provide the External Gateway configuration
- Create Application Template
  • Policies -> Application Containers -> Application Container Template
  • Template details
  • Physical Infrastructure policy selection
  • Gateway internal network configuration (only one network for VSG containers)
  • Gateway VM configuration
  • External Gateway security rules
  • UCSD policies
  • Container options
  • Container Setup Workflow selection
Thank you!