Post on 26-May-2020


Page 1: Connecting to the Multicloud · Cloud Protect Cloud Advisory Cloud Consume Design, plan, accelerate, and de-risk your multicloud migrations Deploy, monitor and optimize applications
Page 2: Connecting to the Multicloud – Consistent Policies Across Multicloud

Duc Le

DC Technical Solutions Architect

Cisco Systems ASEAN

Page 3: Moving to Cloud is real…

“Over the next few years, we will begin to migrate some systems onto the cloud, gain experience in this mode of operation, and take bolder steps in light of what we can learn,”

– Singapore Prime Minister Lee Hsien Loong

Page 4: Security Threat is real…

Page 5: Managing Cloud…

Page 6: Cisco Multicloud Portfolio — Objectives

Multicloud Portfolio:

• Cloud Connect: Securely extend your private networks into public clouds and ensure the application experience

• Cloud Protect: Protect multicloud identities, direct-to-cloud connectivity, data, and applications including SaaS

• Cloud Advisory: Design, plan, accelerate, and de-risk your multicloud migrations

• Cloud Consume: Deploy, monitor and optimize applications in multicloud and container environments

Page 7: ACI Evolution

Page 8: Application Centric – End Point Groups and Contracts…

(Diagram: End Point Groups – Contracts – End Point Groups)

Page 9: Controlling User Access to DC Resources

Page 10: FMC to APIC Rapid Threat Containment – FMC Remediation Module for APIC

(Diagram: ACI Fabric with an App EPG containing the infected App1 and App2, a DB EPG, an isolated uSeg EPG, and FMC; steps 1–4 are marked on the diagram)

Step 1: Infected End Point launches an attack that NGFW(v), FirePOWER Services in ASA, or FirePOWER appliance blocks inline

Step 2: Intrusion event is generated and sent to FMC revealing information about the infected host

Step 3: Attack event is configured to trigger the remediation module for APIC, which uses the APIC northbound (NB) API to contain the infected host in the ACI fabric

Step 4: APIC quickly contains/quarantines the infected App1 workload into an isolated uSeg EPG

Page 11: ACI Anywhere – Accelerate Multicloud: “Evolving our multicloud journey by extending ACI everywhere”

Accelerates Journey to Multicloud:

• ACI 2.0 – ACI Multi-POD: Multiple Networks (Pods) in a single Availability Zone (Fabric)

• ACI 3.0 – ACI Multi-Site: Multiple Availability Zones (Fabrics) in a Single Region ‘and’ Multi-Region Policy Management

• ACI 3.1 – ACI Remote-Leaf: Physical Remote Leaf extends an Availability Zone (Fabric) to remote locations

• ACI 4.0 – Virtual ACI: Virtual POD extends an Availability Zone (Fabric) to remote locations on standard VMs

• ACI 4.1 – Cloud ACI (NEW!): ACI Extensions to AWS and Azure (Public Cloud)

Page 12: ACI Multi-Pod – Single APIC Cluster Extends Network Virtualization, Policy, Services to Multiple PODs

(Diagram: Site A – Inter-Pod IP Network – Site B)

• Active-Active Datacenters

• Virtual Metro Clusters

• Stretch VRF, EPG, BD Across PoDs with VXLAN

• Up to 50ms Latency

Page 13: ACI Multi-Site – Consistent Policy across sites

(Diagram: Sites A, B, C and D, each hosting VMs, managed as one Multi-Site)

• Single Point of Orchestration

• Fault Isolation

• Scale

• Geographically Dispersed Active/Active Data Centers

• Active/Standby Data Centers For Disaster Recovery

• Stretch VRF, EPG, BD Across Sites with VXLAN

• Up to One sec Latency

Page 14: ACI: Physical Remote Leaf – Extend ACI to Satellite Data Centers

(Diagram: Site A – IP Network – Remote Location, each hosting VMs)

• Zero Touch Auto Discovery of Remote Leaf

• Two Remote Leafs, Up To 20 Remote Locations

• Stretch EPG, BD, VRF, Tenant, Contract

• Health Scores, EPG Stats

Page 15: Cisco ACI Virtual Edge – Decoupled From Hypervisor Kernel API Dependencies

(Diagram: ACI Virtual Edge (AVE) hosting VMs)

• Maintain Existing Operational Models

• Simple Transition/Migration AVS => AVE

• Policy Consistency Across Multiple Hypervisors

• AVS/AVE Feature Parity (Q2 FY18 / Q1 CY18)

• Policy Enforcement, Services, Telemetry

Page 16: ACI: Virtual PoD – Extend ACI To Bare-metal Cloud

(Diagram: On-Premise site with vSpine, two vLeafs and ACI Virtual Edge – IP Network – Remote Location running a Virtual Pod on a Hypervisor with a Logical Connection To Spine (BGP-EVPN/VXLAN); VMs at both ends)

Remote locations: Bare Metal Clouds (IBM BlueMix, AWS Elastic Metal etc.), Remote Data Centers, Colo Facilities (Equinix, CoreSite etc.), Brownfield Deployments

Page 17: ACI Extensions To Multicloud

(Diagram: Sites A, B, C and D with VMs, managed by the ACI Multi-Site Appliance)

• Consistent Network and Policy across clouds

• Common Governance

• Single Point of Orchestration

• Secure Automated Connectivity

Page 18: MultiSite Orchestrator Demo

Page 19: Cloud APIC

Page 20: Extending ACI to the Cloud

(Diagram: ACI for On-Premise – EPG Web, Contract, EPG APP, Contract, EPG DB – connected over an IP Network through the ACI Multisite Orchestrator to Cloud ACI for Public Cloud: AWS Region with SG Web, SG Rule, SG APP, SG Rule, SG DB; Azure Region with ASG Web, NSG, ASG APP, NSG, ASG DB)

• Monitoring & Troubleshooting

• Common Governance

• Operational Consistency

• Single Point Of Orchestration

• Discovery & Visibility

• Policy Translation

Page 21: Cloud APIC (cAPIC)

• Virtual Form Factor of APIC

• Translates ACI Policy to Cloud Native Policy Constructs

• Automates the deployment and configuration of Infrastructure components in the Cloud

• North Bound REST Interface to configure cloud deployments

• Similar look and feel as APIC

• cAPIC cluster can manage one or more regions

Page 22: Policy Mapping – AWS (For your info & reference)

ACI construct → AWS construct:

• Tenant → User Account

• VRF → Virtual Private Cloud

• BD Subnet → VPC subnet

• EPG → Security Group

• EP to EPG Mapping → Tag / Label

• End Point (fvCEp) → EC2 Instance / Network Adapter

• Contracts, Filters → Security Group Rule (Source/Destination: Subnet or IP or Any or ‘Internet’, Protocol, Port)

• Provided contracts → Inbound rule

• Consumed contracts → Outbound rule

• Taboo → Network Access List

Page 23: cAPIC Building Blocks

(Diagram: On-Premises Site A with the Multi-Site Orchestrator (MSO); Public Cloud Site B in Region 1 with an Infra VPC across AZ-1 and AZ-2 hosting Cloud APIC and CSR-1000V routers behind an AWS Internet Gateway (IGW), plus User VPC-1 and User VPC-2, each reached through an AWS Virtual Private Gateway (VGW) over an IPSec Tunnel, with instances in Security Group SG-1; cAPIC drives the AWS config services)

Legend: CSR-1000V, AWS Internet Gateway (IGW), Cloud APIC, Security Group (SG), Availability Zone (AZ), AWS Virtual Private Gateway (VGW)

• INFRA Tenant: cAPIC, CSR

• User Tenants: Workload; VPC, Subnets provisioned by cAPIC

• Based on the policies (EPGs and Contracts) the correct security group (SG) is attached to the instance

Page 24: Cloud EPG – Mapping Endpoints by Tags

(Diagram: Site B with regions US-East-1 and US-West-1; Subnet-S1 – 10.1.1.0/24, Subnet-S2 – 10.1.2.0/24, Subnet-S3 – 10.1.3.0/24, Subnet-S4 – 10.1.4.0/24; WEB EPG and DB EPG span both regions)

• Web-EPG associated to tag: “EPG:WEB”

• DB-EPG associated to tag: “EPG:DB”

• Web-EPG has endpoints across US-East-1 & US-West-1 regions and multiple subnets

• DB-EPG has endpoints across US-East-1 & US-West-1 regions and multiple subnets
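The policy-mapping slide and the tag-based EPG slide above, as an added Python example that is not code from this deck or from Cisco's Cloud APIC: instances are grouped into EPGs by their EPG tag regardless of region or subnet, a provided contract becomes an inbound security-group rule on the provider and a consumed contract an outbound rule on the consumer, and a whitelist check shows that any flow without a translated contract stays denied. The instance inventory, the contract and the sg-<EPG> naming are constructed assumptions.

```python
"""Constructed model: map tagged instances to EPGs, then turn ACI contracts into SG rules."""
from collections import defaultdict

# Constructed inventory: each instance carries an "EPG" tag, as on the Cloud EPG slide.
INSTANCES = [
    {"id": "i-web1", "region": "us-east-1", "subnet": "10.1.1.0/24", "tags": {"EPG": "WEB"}},
    {"id": "i-web2", "region": "us-west-1", "subnet": "10.1.3.0/24", "tags": {"EPG": "WEB"}},
    {"id": "i-db1", "region": "us-east-1", "subnet": "10.1.2.0/24", "tags": {"EPG": "DB"}},
    {"id": "i-stray", "region": "us-west-1", "subnet": "10.1.4.0/24", "tags": {}},
]
# Constructed contract: the DB EPG provides TCP/3306, the WEB EPG consumes it.
CONTRACTS = [
    {"name": "web-to-db", "provider": "DB", "consumer": "WEB", "filters": [("tcp", 3306)]},
]

def map_endpoints(instances, tag_key="EPG"):
    """EP-to-EPG mapping by tag: membership follows the tag, not the region or subnet."""
    epgs = defaultdict(list)
    for inst in instances:
        epg = inst["tags"].get(tag_key)
        if epg:  # an untagged instance belongs to no EPG and therefore receives no rules
            epgs[epg].append(inst["id"])
    return dict(epgs)

def translate_contracts(contracts):
    """Provided contract -> inbound rule on the provider's SG; consumed contract ->
    outbound rule on the consumer's SG. Peers are referenced by SG (assumed name
    sg-<EPG>), never by IP, so members may live in any region or subnet."""
    rules = defaultdict(list)
    for c in contracts:
        prov, cons = f"sg-{c['provider']}", f"sg-{c['consumer']}"
        for proto, port in c["filters"]:
            rules[prov].append({"direction": "inbound", "proto": proto, "port": port, "peer": cons})
            rules[cons].append({"direction": "outbound", "proto": proto, "port": port, "peer": prov})
    return dict(rules)

def is_allowed(rules, epgs, src_id, dst_id, proto, port):
    """Whitelist check: a flow passes only when the consumer's outbound rule and the
    provider's inbound rule both exist; anything else is implicitly denied."""
    src = next((e for e, ids in epgs.items() if src_id in ids), None)
    dst = next((e for e, ids in epgs.items() if dst_id in ids), None)
    if src is None or dst is None:
        return False
    def has(sg, direction, peer):
        return any(r["direction"] == direction and r["peer"] == peer
                   and (r["proto"], r["port"]) == (proto, port) for r in rules.get(sg, []))
    return has(f"sg-{src}", "outbound", f"sg-{dst}") and has(f"sg-{dst}", "inbound", f"sg-{src}")
```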

Page 25: Use case 1: Tenant / VRF stretching

Page 26: Use case 2: EPG stretching / Cloud Bursting

Page 27: Use case 3: cross-site shared services

Page 28: Use case 4: secure internet access

(Diagram: Internet)

Page 29: Use case 5: cloud-only tenants

Page 30: Demo 2: Implementing Policies in MultiCloud

(Diagram: On Prem and AWS sites, each with WWW, APP and DB tiers, with PING and SSH policies between them)

Page 31:

Page 32: Simple Extension to AWS Cloud Infrastructure

(Diagram: On-Premises Site A with the Multi-Site Orchestrator (MSO) – Internet – Public Cloud, AWS Region 1, Site B: Infra VPC across AZ-1 and AZ-2 with two CSRs and an IGW; BGP EVPN Control Plane and VXLAN Tunnel (Data Plane) between the sites; SG Web, SG Rule, SG APP, SG Rule, SG DB in the cloud)

Page 33: ACI Extensions to AWS – On Premises Connectivity to AWS VPC Through IPSec VPN

(Diagram: On-Premise Site A (ACI – On Premise with VMs, Customer Premise Router) – Internet – Public Cloud Site B (CSR 1000v), both under the Multisite Orchestrator; IPSec VPN Tunnel (Underlay) carrying BGP-EVPN and VXLAN)

Page 34: Connect and Visibility

Page 35: Secure & Seamless Migration of Applications to Cloud

Page 36: Cisco Tetration: A better way to know the network

(Diagram: Cisco Tetration analytics engine fed by third-party sources (configuration data) and a data collection layer; consumed through Web GUI, REST API, event notification and Cisco Tetration apps)

Data collection layer:

• Software sensor and enforcement (Virtual/Bare metal/Containers)

• Embedded network sensors (telemetry only)

• ERSPAN sensors (telemetry only)

• Netflow sensors (Augmentation for telemetry)

• Cisco AnyConnect NVM (Endpoint visibility)

Provides correlation of data sources across entire application infrastructure

Enables identification of point events and provides insight into overall systems behavior

Monitors end-to-end lifecycle of application connectivity

Page 37: Application Discovery with Cisco Tetration

(Diagram: Cisco Tetration™ Application workspaces – Application Discovery across Public cloud, Private cloud and On-premise)

Page 38: There is more…

Page 39: Cisco Data Center Reference Architecture

Personas: Infra. Manager, Infra. ops, Developer, Cloud Admin, LOB/IT Apps, Security Admin

• Tetration analytics

• Cisco security portfolio

• AppDynamics: Application and business performance monitoring

• Cisco workload optimization manager: Workload optimization and placement

• UCS performance Manager: Infrastructure health and performance monitoring

Cisco CloudCenter

Nexus, UCS, HyperFlex

ACI, Cisco Intersight

Cisco Prime Service Catalog (PSC/CPO)

3rd Party ITSM

Page 40: Multicloud

Multicloud Portfolio: Cloud Connect, Cloud Protect, Cloud Advisory, Cloud Consume

Page 41: Find out more

• Full Day Business Outcome Workshop

• DC Security

• Network Analytics

• Business Continuity/Disaster Recovery

• MultiCloud

Page 42: Hanoi, 4 April 2019

#CiscoConnectVN