OpenStack Summit: Networking and Policies Across Containers and VMs

Networking Policies Across Containers and VMs Sanjeev Rampal & Himanshu Raj Container team, Cloud Platform and Services Group OpenStack Summit 2017 @sr2357, @rajhimanshu

Upload: sanjeev-rampal

Post on 21-Jan-2018


TRANSCRIPT

Page 1: Openstack Summit: Networking and policies across Containers and VMs

Networking Policies Across Containers and VMs

Sanjeev Rampal & Himanshu Raj

Container team, Cloud Platform and Services Group

OpenStack Summit 2017

@sr2357, @rajhimanshu

Page 2: Openstack Summit: Networking and policies across Containers and VMs

Mixed Mode Application Deployments

[Diagram labels: VM, Web, App, DB, Policy]

Challenges

• Application Level Policy Enforcement Across Deployment

• End-to-end Monitoring

• High Performance

Page 3: Openstack Summit: Networking and policies across Containers and VMs

Networking In The Container World

Challenges

• Encap over encap (over encap) suffers performance

• Obscures visibility, makes diagnostics/monitoring difficult

• Harder to integrate with HW appliances

[Diagram labels: Physical Network, Hypervisor, Host 1, Host 2, VM1, VM2, containers C1, Cn, Virtual Switching or Overlay Network, Overlay Network - VXLAN]

Page 4: Openstack Summit: Networking and policies across Containers and VMs

Agenda

• Hybrid Deployment Challenges

• Intro to Contiv Container Networking

• Cisco ACI + Contiv Integration

• E2E policy enforcement

• Monitoring

• Performance

• Demo

Page 5: Openstack Summit: Networking and policies across Containers and VMs

100% Open Source

The Most Powerful Container Networking Fabric

L2, L3, Overlay or ACI

Rich Policy Model

DevOps IT Admin

Any Networking

Any Platform

Any Infrastructure

Application Intent

Rich Policy

Connectivity

ACI integration

Containers, VM, BM

LDAP/RBAC

Introduction to Contiv

Page 6: Openstack Summit: Networking and policies across Containers and VMs

Contiv Policy Management System

Node 1, Node 2, Node-n

Contiv Distributed Policy Enforcement Layer

Policy Distribution

Policy Manager

Manage/Monitor Policies/Usage/Quotas

Policy Distribution Framework Integrated with Schedulers

Policy Enforcement Points

Integration with Cisco Infrastructure (Nexus/ACI/UCS)

Page 7: Openstack Summit: Networking and policies across Containers and VMs

Micro-services With Contiv

Micro-services isolated within the network of a tenant

Web Group

App Group

DB Group

1. Allow grouping of containers/pods

2. Specify policies between groups or from outside the network

Ability to Provide Granular Micro-service based Policies in a Scalable Way

Page 8: Openstack Summit: Networking and policies across Containers and VMs

Application Centric Infrastructure (ACI)

[Diagram labels: External Network, Web, App, DB, QoS, Filter, Service, ACI Fabric, APIC]

Page 9: Openstack Summit: Networking and policies across Containers and VMs

Benefits of Integrating Contiv with ACI

• Uniform policies for any workload

• VMs | Bare-Metal | Container

• Policy automation for mix-mode workloads

• Scale: IPs, EPGs, Networks

• Performance: 40G and 100G optimized fabrics

• Telemetry/Diagnostics

• Container location aware physical network

Page 10: Openstack Summit: Networking and policies across Containers and VMs

Contiv ACI Integration

Unified Policy Automation and Enforcement Across BM, VM, and Containers

[Diagram labels: Container Management, Contiv Master, Contiv APIC Gateway, OVS, Contiv Plugin, Hypervisor, Container/Pod Host, Bare Metal, Services]

Page 11: Openstack Summit: Networking and policies across Containers and VMs

Web

Contiv Plugin

Host-1 Host-n

DB Web DB

Container Scheduler

Contiv Plugin

Application Intent

Tenant-1: External → Web:80 → DB:Port

Tenant-2: External → Web:80 → DB:Port

2

Launching Apps across Cluster

4

DevOps Intent => ACI Policy

Policy Instantiation (5)

Contiv Tenant/Network Creation (1)

Physical Network Prep (0)

3

Example Workflow

Network Admin

DevOps Admin

Contiv NetMaster

Page 12: Openstack Summit: Networking and policies across Containers and VMs

Demo

Page 13: Openstack Summit: Networking and policies across Containers and VMs

Host-1, Host-2, Host-n

Cloud A

Cloud B

Demo Physical Topology

Page 14: Openstack Summit: Networking and policies across Containers and VMs

C11 (nginx) C12 (nginx)

C21 (alpine) C22 (alpine)

L7 Load balancer/ web reverse proxy

(HAProxy)

VM ‘Z’

Containers Cloud ‘A’: Openshift/Kubernetes

VMs Cloud ‘B’: Openstack/vSphere

Service 1: “default-group”

Service 2: “privileged-group”

Service 3: e.g. database VM

Demo Application

Page 15: Openstack Summit: Networking and policies across Containers and VMs

Host-1, Host-2, Host-n

Cloud A

Cloud B

Demo Physical Topology

Page 16: Openstack Summit: Networking and policies across Containers and VMs

Getting More Information / Getting Started

http://contiv.io/

Page 17: Openstack Summit: Networking and policies across Containers and VMs

Available on SlideShare

Cisco on SlideShare: https://www.slideshare.net/Cisco/

@sr2357, @rajhimanshu