TRANSCRIPT
Securing the DC by integrating Cisco ACI in a VMware vSphere and NSX-v environment
Arjan van der Valk – Systems Engineer Cisco
Jan Heijdra – Product Specialist Cisco
19 March 2015
Jan Heijdra
1. What is Cisco ACI for VMware
Basics of Application Centric Infrastructure
Abstract
Simplify
NetworkAutomate
Policy
Controller
Programming Fabric and Services
vs.
Manual Configuration Box by Box
Standard protocols and L3, Physcial, Virtual and Containers behave like one system vs.
Many protocols, L2 and L3
Leverage Best Practices
vs.
Re-invent System Control
Workload/ Tenant Semantics
vs.
Low Level Network Semantics
POLICY: Centralized Application-Level Policy
SECURE: Security and Performance @ Scale
VISIBILITY: System-Wide Visibility, Telemetry, Health
OPENNESS: Open Source / APIs / Standards
EXTENSIBLE: Hypervisors, L4-7, Storage, Compute
Centralized Point of Management: Physical/Virtual/Container
INFRASTRUCTURE BRING UP & MONITORING
• Switch Auto Discovery
• Zero Touch Provisioning (Image, Config)
• Device status roll-up
APIC = Policy based network manager
SERVICE PROVISIONING
• Switch configurations w/o manual intervention based on network profiles & endpoint identity
APIC = Policy based connectivity / security / L4-7 services manager
SERVICE MONITORING
• Real-time aggregation and correlation of network events to a user-relevant abstraction level (per tenant, per app, per fabric, …)
APIC = Monitoring / Troubleshooting tool
AN INNOVATIVE APPROACH TO POLICY - EPG = VLAN
(Diagram: OUTSIDE and three VLANs linked by Contracts, with ADC and F/W inserted as services)
What is an application network policy?
1. End Point Group (EPG) = ZONE / VLAN
2. Contracts: A set of rules governing communication between ZONES
3. Service Chains: A set of network services between ZONES
AN INNOVATIVE APPROACH TO POLICY - APP
(Diagram: OUTSIDE, WEB, APP and DB groups linked by Contracts, with ADC and F/W inserted as services)
What is an application policy?
1. End Point Group (EPG): A set of VMs / servers with the same policy
2. Contracts: A set of rules governing communication between groups
3. Service Chains: A set of network services between groups
1. Subject Matter Experts define policies (Network SME, Security SME, Application SME)
2. Policies used to create Application Network Profile templates in APIC
3. Automated policy configuration across the infrastructure
4. Life cycle management for day 1, day 2 operations
(Diagram: Physical Networking, Compute, L4–L7 Services, Storage, Hypervisors and Virtual Networking, Multi-DC WAN and Cloud; Nexus 2K, Nexus 7K, Integrated WAN Edge)
• Integrated gateway for VLAN, VXLAN, and NVGRE networks from virtual to physical
• Normalization for NVGRE, VXLAN, and VLAN networks
• Customer not restricted by a choice of hypervisor
• Fabric is ready for multi-hypervisor
Virtual Integration
(Diagram: Network Admin and Application Admin roles; a Physical Server and ESX, Hyper-V and KVM hypervisors attach to the ACI Fabric over VLAN, VXLAN and NVGRE; Hypervisor Management from VMware, Microsoft, Red Hat and XenServer; APIC)
2. How does Cisco ACI integrate with VMware vCenter and VMware vDS
Non-Integrated Mode
• ACI Fabric as an IP-Ethernet Transport
• Encapsulations manually allocated
• Separate Policy domains for Physical and Virtual
(Diagram: VLAN 10, VLAN 10, VXLAN 10000)
Integrated Mode
• ACI Fabric as a Policy Authority
• Encapsulations Normalized and dynamically provisioned
• Integrated Policy domains across Physical and Virtual
(Diagram: APP, WEB, DB)
Relationship is formed between APIC and Virtual Machine Manager (VMM)
• Multiple VMMs likely on a single ACI Fabric
• Each VMM and its associated virtual hosts are grouped within APIC, called a VMM Domain
• There is a 1:1 relationship between a Virtual Switch and a VMM Domain
(Diagram: three VMM Domains, for example vCenter with DVS, vCenter with AVS, and SCVMM)
Distributed Virtual Switch (DVS)
• Encapsulations: VLAN
• Installation: Native
• VM discovery: LLDP
• Software/Licenses: vCenter with Enterprise+ License
vCenter + vShield
• Encapsulations: VLAN, VXLAN
• Installation: Native
• VM discovery: LLDP
• Software/Licenses: vCenter with Enterprise+ License, vShield Manager with vShield License
Application Virtual Switch (AVS)
• Encapsulations: VLAN, VXLAN
• Installation: VIB through VUM or Console
• VM discovery: OpFlex
• Software/Licenses: vCenter with Enterprise+ License
Virtual Distributed Switch port groups and the EPGs they map to:
Port Group – Web (VXLAN 5001) = EPG Web
Port Group – App (VXLAN 5002) = EPG App
Port Group – DB (VXLAN 5003) = EPG DB
(Diagram: APIC pushes the policy to the ACI Fabric)
Scale-Out Penalty Free Overlay
(Diagram: Application Network Profile with Outside (Tenant VRF), Web, App and DB, with QoS, Filter and Service policies between them; Application Policy Infrastructure Controller (APIC))
APIC Admin: Create Application Policy (Application Network Profile with EPG WEB, EPG APP and EPG DB, F/W and L/B services)
VI/Server Admin: Instantiate VMs, Assign to Port Groups
(Diagram: vCenter Server / vShield; hypervisors with a Virtual Distributed Switch carrying the WEB, APP and DB port groups; ACI Fabric; APIC)
1. Cisco APIC and VMware vCenter initial handshake
2. Create VDS
3. Attach hypervisor to VDS
4. Learn location of ESX host through LLDP
5. Create Application Policy
6. Automatically map EPG to port groups
7. Create port groups
8. Instantiate VMs, assign to port groups
9. Push policy
Southbound OpFlex API
(Diagram: vSphere hypervisor manager; N1KV VEM hosting VMs)
OpFlex Control protocol
- Control channel
- VM attach/detach, link state notifications
VEM extension to the fabric
• vSphere 5.0 and above
• BPDU Filter/BPDU Guard
• SPAN/ERSPAN
• Port level stats collection
• Remote Virtual Leaf Support (future)
APIC Admin: Create Application Policy (Application Network Profile with EPG WEB, EPG APP and EPG DB, F/W and L/B services)
VI/Server Admin: Instantiate VMs, Assign to Port Groups
(Diagram: vCenter Server; hypervisors running the Application Virtual Switch (AVS) with OpFlex Agents, carrying the WEB, APP and DB port groups; ACI Fabric; APIC)
1. Cisco APIC and VMware vCenter initial handshake
2. Create AVS VDS
3. Attach hypervisor to VDS
4. Learn location of ESX host through OpFlex
5. Create Application Policy
6. Automatically map EPG to port groups
7. Create port groups
8. Instantiate VMs, assign to port groups
9. Push policy
3. DEMO ACI – vCenter integration
4. Converged Infra (VCE) with ACI
Cisco Confidential © 2014 Cisco and/or its affiliates. All rights reserved.
ACI-READY
Vblock™ 340 and Vblock™ 720
• Available NOW
• Network Performance and Scale
• Energy Efficient
• Investment Protection and Rapid Technology Adoption
VBLOCK Systems with ACI
• Rapid Deployment of Infrastructure
• Broad Visibility and Dynamic Responsiveness to Real-time Events
• Optimize and Automate Application Performance and Operations
Vblock 540 and 740 will ship with N9396 as default switch
5. Security in a multi-tenant and segmented DC
ACI Security – Networking, Segmentation, Isolation
• Centralized Compliance and Auditing
• Import / Export Policy via API (Support for External Policy Engines)
• Services Chaining Automated
• Complete Isolation with Full Scalability and Security
• Policy Separated from Network Forwarding
• Open APIs, Policy Engine
(Diagram: one APPLICATION NETWORK PROFILE per tenant, e.g. Bio-Chemical, Undergrad, HPC, HR, Finance, Guests; Undergrad and Guests)
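The policy model the slides describe in section 1 (EPGs as groups of VMs/servers, contracts as the rules that govern communication between groups) and section 5 (tenants as isolation boundaries, everything not whitelisted is dropped) can be captured in a few dozen lines. The evaluator below is an added example, not code from the slides or from Cisco: the Python classes, the contract/filter layout, the sample tenants and VMs, and the "Tenant|AppProfile|EPG" port-group naming it parses are all this example's own assumptions rather than APIC's object model or API.

```python
"""Toy evaluator for the ACI application policy model described on the slides:
End Point Groups (EPGs), contracts that whitelist traffic between EPGs, and
tenants as isolation boundaries. Anything not permitted by a contract is
dropped. The Python classes and the port-group parsing below are this
example's own assumptions, not APIC's object model or API."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Filter:
    """One entry of a contract filter: protocol plus optional destination port."""
    protocol: str                # "tcp", "udp", "icmp" or "any"
    dst_port: int | None = None  # None matches any destination port

    def matches(self, protocol: str, dst_port: int | None) -> bool:
        proto_ok = self.protocol == "any" or self.protocol == protocol
        port_ok = self.dst_port is None or self.dst_port == dst_port
        return proto_ok and port_ok


@dataclass
class Contract:
    """Consumer EPGs may initiate traffic to provider EPGs when a filter entry matches."""
    name: str
    filters: list[Filter]
    providers: set[str] = field(default_factory=set)  # EPG names
    consumers: set[str] = field(default_factory=set)  # EPG names


@dataclass
class Tenant:
    name: str
    app_profile: str
    epgs: set[str]
    contracts: list[Contract] = field(default_factory=list)
    endpoints: dict[str, str] = field(default_factory=dict)  # endpoint -> EPG

    def port_group(self, epg: str) -> str:
        # Assumed naming convention for the port groups APIC creates on the vDS:
        # "<tenant>|<application profile>|<EPG>".
        return f"{self.name}|{self.app_profile}|{epg}"


class Fabric:
    def __init__(self) -> None:
        self.tenants: dict[str, Tenant] = {}

    def add_tenant(self, tenant: Tenant) -> None:
        self.tenants[tenant.name] = tenant

    def attach_vm(self, vm: str, port_group: str) -> str:
        """The server admin puts a vNIC in a port group; the EPG follows from its name."""
        tenant_name, _app_profile, epg = port_group.split("|")
        tenant = self.tenants[tenant_name]
        if epg not in tenant.epgs:
            raise ValueError(f"unknown EPG {epg!r} in tenant {tenant_name!r}")
        tenant.endpoints[vm] = epg
        return epg

    def locate(self, vm: str) -> tuple[str, str]:
        for tenant in self.tenants.values():
            if vm in tenant.endpoints:
                return tenant.name, tenant.endpoints[vm]
        raise KeyError(vm)

    def is_permitted(self, src_vm: str, dst_vm: str, protocol: str, dst_port: int | None = None) -> bool:
        """Decide whether src_vm may initiate a flow to dst_vm (return traffic is not modelled)."""
        src_tenant, src_epg = self.locate(src_vm)
        dst_tenant, dst_epg = self.locate(dst_vm)
        if src_tenant != dst_tenant:
            return False  # tenants are isolated; no contract spans them in this model
        if src_epg == dst_epg:
            return True   # intra-EPG traffic is allowed by default
        for contract in self.tenants[src_tenant].contracts:
            if src_epg in contract.consumers and dst_epg in contract.providers:
                if any(f.matches(protocol, dst_port) for f in contract.filters):
                    return True
        return False      # whitelist model: nothing matched, so the fabric drops the flow


def build_demo_fabric() -> Fabric:
    """Constructed sample: the Web/App/DB profile from the slides plus a separate Guests tenant."""
    finance = Tenant("Finance", "ThreeTier", {"Outside", "Web", "App", "DB"}, contracts=[
        Contract("outside-to-web", [Filter("tcp", 443)], providers={"Web"}, consumers={"Outside"}),
        Contract("web-to-app", [Filter("tcp", 8080)], providers={"App"}, consumers={"Web"}),
        Contract("app-to-db", [Filter("tcp", 3306)], providers={"DB"}, consumers={"App"}),
    ])
    guests = Tenant("Guests", "Wifi", {"Users"})
    fabric = Fabric()
    fabric.add_tenant(finance)
    fabric.add_tenant(guests)
    for vm, epg in [("web1", "Web"), ("web2", "Web"), ("app1", "App"), ("db1", "DB")]:
        fabric.attach_vm(vm, finance.port_group(epg))
    fabric.attach_vm("edge-router", finance.port_group("Outside"))
    fabric.attach_vm("guest-laptop", guests.port_group("Users"))
    return fabric


if __name__ == "__main__":
    fabric = build_demo_fabric()
    for src, dst, proto, port in [("web1", "app1", "tcp", 8080), ("web1", "db1", "tcp", 3306),
                                  ("app1", "db1", "tcp", 3306), ("guest-laptop", "web1", "tcp", 443)]:
        verdict = "permit" if fabric.is_permitted(src, dst, proto, port) else "drop"
        print(f"{src} -> {dst} {proto}/{port}: {verdict}")
```

The point the model makes explicit is the one behind "complete isolation" on the slide: a VM lands in an EPG only through the port group the server admin assigns it to, and from there the only traffic the fabric forwards is what a contract names; Web reaching DB directly, or a Guests endpoint reaching anything in Finance, is dropped without any per-VLAN ACL having been written.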
6. Why is Cisco ACI the perfect Transport Network for NSX-v
Cisco ACI: your next-gen physical Transport Network
• L2/L3 fabric:
  • IP pools and tagged VLANs for VXLAN vmknics
  • Any NSX gateway anywhere, any bare-metal anywhere, any ESR anywhere
• Network multi-tenancy out of the box:
  • For example: “Storage” network view, “NSX cluster 2” network view
• Simplified routing design (no ESR), fewer physical servers
• Best performance in the market with Nexus 9000
• Advanced troubleshooting possibilities in the transport network
• Simplified design for infrastructure vmknics, less coordination between VMware and network departments required
• See individual paths
• If multiple NSX clusters, cluster-specific views
• High-level health summary
• Always-on NSX-specific statistics, faults, alerts, etc.
• Find problems before the users notice!
(Diagram callouts: Ask your transport network for NSX-specific stats; iSCSI / NFS health scores; Storage-specific QoS and Monitoring; Dedicated audit log; Dedicated Faults / Events view)
Per-path counters between Leaf #2 and Leaf #5:

Path     Packets sent from Leaf #2   Packets received on Leaf #5   Difference
Path 1   2068                        2066                          2
Path 2   2963                        2963                          0
Path 3   2866                        2869                          -3
Path 4   2506                        2506                          0
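The per-path table above is what "see individual paths" and "find problems before the users notice" amount to in practice: transmit counters on one leaf against receive counters on the other, per ECMP path. As an added example (not code from the slides or from Cisco), the check below runs that comparison and flags a lossy path. PAGE_SENT and PAGE_RECEIVED carry the slide's values; DEGRADED_RECEIVED is a constructed sample with one bad path, and the thresholds and function names are this example's own choices rather than APIC's health-score algorithm or API.

```python
"""Path health check over per-ECMP-path counters for traffic from Leaf #2 to Leaf #5.
PAGE_SENT / PAGE_RECEIVED are the values from the slide table; DEGRADED_RECEIVED is a
constructed sample with a lossy path. Thresholds and function names are this example's
own assumptions, not APIC's API or health-score algorithm."""
from __future__ import annotations

PAGE_SENT = {"Path 1": 2068, "Path 2": 2963, "Path 3": 2866, "Path 4": 2506}
PAGE_RECEIVED = {"Path 1": 2066, "Path 2": 2963, "Path 3": 2869, "Path 4": 2506}
# Constructed: same transmit counters, but Path 3 delivered far fewer packets.
DEGRADED_RECEIVED = {"Path 1": 2066, "Path 2": 2963, "Path 3": 2401, "Path 4": 2506}


def path_differences(sent: dict[str, int], received: dict[str, int]) -> dict[str, int]:
    """sent minus received per path; negative means the receiver counted more than the sender."""
    return {path: sent[path] - received.get(path, 0) for path in sent}


def classify_paths(sent: dict[str, int], received: dict[str, int],
                   skew_tolerance: int = 5, max_loss_pct: float = 1.0) -> dict[str, str]:
    """'ok' when the difference is within skew_tolerance (the few packets you get from
    reading two switches at slightly different moments), 'loss' when the sender counted
    more than the receiver beyond the tolerance and beyond max_loss_pct of what was sent,
    and 'counter-anomaly' when the receiver counted far more than the sender, which points
    at a measurement problem (or traffic from another source) rather than a forwarding one."""
    verdict: dict[str, str] = {}
    for path, diff in path_differences(sent, received).items():
        if abs(diff) <= skew_tolerance:
            verdict[path] = "ok"
        elif diff > 0:
            loss_pct = 100.0 * diff / sent[path]
            verdict[path] = "loss" if loss_pct > max_loss_pct else "ok"
        else:
            verdict[path] = "counter-anomaly"
    return verdict


def paths_needing_attention(sent: dict[str, int], received: dict[str, int]) -> list[str]:
    """Sorted names of the paths an operator should look at."""
    return sorted(p for p, v in classify_paths(sent, received).items() if v != "ok")


if __name__ == "__main__":
    print("slide data:     ", classify_paths(PAGE_SENT, PAGE_RECEIVED))
    print("degraded sample:", classify_paths(PAGE_SENT, DEGRADED_RECEIVED))
    print("attention:      ", paths_needing_attention(PAGE_SENT, DEGRADED_RECEIVED))
```

On the slide's own numbers every path comes out "ok": the differences of 2, 0, -3 and 0 are counter-read skew, not loss, which is why a tolerance belongs in the check before any alert fires.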
Open REST APIs Support Integration With Any Software
(Diagram: NORTHBOUND PROGRAMMABILITY LAYER with Automation, Enterprise Monitoring, Systems Management, Orchestration Frameworks, OVM and Hypervisor Management Applications; APIC; SOUTHBOUND PROGRAMMABILITY LAYER with OpFlex: Fabric Attached Device API, Device Package API: L4-7 Scripting, …)
SUBSCRIBE AT: Ciscoevents.nl/aci
Subscribe ACI Hands-on workshops - Amsterdam
Ciscoevents.nl/aci
Whitepaper integration VMware – ACI
http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/unified-fabric/solution-brief-c22-729866.html
ACI Multi-Hypervisor + BareMetal Interop with VLAN & VXLAN Routing and Bridging Demo
https://www.youtube.com/watch?v=hz7zwd98rn4
Underlay vs Overlay Link failure detection
https://www.youtube.com/watch?v=yZu-JW-DEQ8
• Own the Next generation network conversation at your customer
• Get in contact with your ACI alliance peers (F5 / Citrix / A10)
• Engage AS at every “ACI Fabric” opportunity