Posted 26-Apr-2020

Pages 1-2 (title slide)

Securing the DC by integrating Cisco ACI in a VMware vSphere and NSX-v environment

Arjan van der Valk – Systems Engineer Cisco

Jan Heijdra – Product Specialist Cisco

19 March 2015

Page 3

Jan Heijdra

Page 4

Page 5

1. What is Cisco ACI for VMware

Page 6

Basics of Application Centric Infrastructure (Abstract, Simplify Network, Automate Policy)

1. Controller programming fabric and services vs. manual configuration box by box
2. Standard protocols and L3; physical, virtual and containers behave like one system vs. many protocols, L2 and L3
3. Leverage best practices vs. re-invent system control
4. Workload/tenant semantics vs. low-level network semantics

Page 7

POLICY: Centralized Application-Level Policy

SECURE: Security and Performance @ Scale

VISIBILITY: System-Wide Visibility, Telemetry, Health

OPENNESS: Open Source / APIs / Standards

EXTENSIBLE: Hypervisors, L4-7, Storage, Compute

Centralized Point of Management: Physical/Virtual/Container

Page 8

INFRASTRUCTURE BRING UP & MONITORING
• Switch Auto Discovery
• Zero Touch Provisioning (Image, Config)
• Device status roll-up
APIC = Policy based network manager

SERVICE PROVISIONING
• Switch configurations w/o manual intervention based on network profiles & endpoint identity
APIC = Policy based connectivity / security / L4-7 services manager

SERVICE MONITORING
• Real-time aggregation and correlation of network events to user relevant abstraction level (per tenant, per app, per fabric, …)
APIC = Monitoring / Troubleshooting tool

Page 9

AN INNOVATIVE APPROACH TO POLICY: EPG = VLAN

(Diagram: OUTSIDE and three VLANs linked by Contracts, with ADC, F/W and ADC as the service chains between them)

What is an application network policy?

1. End Point Group (EPG) = ZONE / VLAN
2. Contracts: A set of rules governing communication between ZONES
3. Service Chains: A set of network services between ZONES

Page 10

AN INNOVATIVE APPROACH TO POLICY - APP

(Diagram: the same picture with the EPGs OUTSIDE, WEB, APP and DB linked by Contracts, with ADC, F/W and ADC as the service chains)

What is an application policy?

1. End Point Group (EPG): A set of VMs / servers with the same policy
2. Contracts: A set of rules governing communication between groups
3. Service Chains: A set of network services between groups

Page 11

1. Subject matter experts define policies (Network SME, Security SME, Application SME)
2. Policies used to create Application Network Profile templates (APIC)
3. Automated policy configuration across the infrastructure: physical networking, compute, L4-L7 services, storage, hypervisors and virtual networking, multi-DC WAN and cloud (Nexus 2K, Nexus 7K, Integrated WAN Edge)
4. Life cycle management for day 1, day 2 operations

Page 12

Virtual Integration

• Integrated gateway for VLAN, VXLAN, and NVGRE networks from virtual to physical
• Normalization for NVGRE, VXLAN, and VLAN networks
• Customer not restricted by a choice of hypervisor
• Fabric is ready for multi-hypervisor

(Diagram: the ACI Fabric with APIC connects a physical server (VLAN) and ESX (VXLAN/VLAN), Hyper-V (NVGRE/VLAN) and KVM (VXLAN/VLAN) hosts; hypervisor management from VMware, Microsoft, Red Hat and XenServer; roles shown are Network Admin and Application Admin)

Page 13

2. How does Cisco ACI integrate with VMware vCenter and VMware vDS

Page 14

Non-Integrated Mode
• ACI Fabric as an IP-Ethernet Transport
• Encapsulations manually allocated (e.g. VLAN 10, VLAN 10, VXLAN 10000)
• Separate policy domains for Physical and Virtual

Integrated Mode
• ACI Fabric as a Policy Authority
• Encapsulations normalized and dynamically provisioned
• Integrated policy domains across Physical and Virtual (APP, WEB, DB)

Page 15

Relationship is formed between APIC and Virtual Machine Manager (VMM)

Multiple VMMs likely on a single ACI Fabric

Each VMM and associated virtual hosts are grouped within APIC, called a VMM Domain

There is a 1:1 relationship between a virtual switch and a VMM Domain

(Diagram: VMM Domain 1 = vCenter DVS, VMM Domain 2 = vCenter AVS, VMM Domain 3 = SCVMM)

Page 16

Distributed Virtual Switch (DVS)
• Encapsulations: VLAN
• Installation: Native
• VM discovery: LLDP
• Software/Licenses: vCenter with Enterprise+ License

DVS + vCenter + vShield
• Encapsulations: VLAN, VXLAN
• Installation: Native
• VM discovery: LLDP
• Software/Licenses: vCenter with Enterprise+ License, vShield Manager with vShield License

Application Virtual Switch (AVS)
• Encapsulations: VLAN, VXLAN
• Installation: VIB through VUM or Console
• VM discovery: OpFlex
• Software/Licenses: vCenter with Enterprise+ License

Page 17

Scale-Out Penalty Free Overlay

(Diagram: the Virtual Distributed Switch carries the port groups Web (VXLAN 5001), App (VXLAN 5002) and DB (VXLAN 5003), which APIC maps to EPG Web, EPG App and EPG DB on the ACI Fabric; the Application Policy Infrastructure Controller (APIC) holds the application policy with QoS, Filter and Service rules between Outside (Tenant VRF), Web, App and DB)

Page 18

Cisco APIC and VMware vCenter Server / vShield workflow with the Virtual Distributed Switch:

1. Cisco APIC and VMware vCenter initial handshake
2. Create VDS
3. Attach hypervisor to VDS
4. Learn location of ESX host through LLDP
5. APIC Admin: create Application Policy (Application Network Profile with EPG WEB, EPG APP, EPG DB, F/W and L/B)
6. Push policy
7. Create port groups (WEB PORT GROUP, APP PORT GROUP, DB PORT GROUP)
8. Automatically map EPG to port groups
9. VI/Server Admin: instantiate VMs, assign to port groups
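Added example (not code from the slides or from Cisco): a minimal model of the policy described on pages 9-10 (EPGs, contracts, whitelist forwarding between groups) and of the EPG-to-VMM-domain mapping that drives the port-group creation in steps 7-8 above. The object class names in to_apic_json() follow the APIC object model (fvTenant, fvAp, fvAEPg, vzBrCP, fvRsProv, fvRsCons, fvRsDomAtt); the tenant, EPG, contract and domain names and the ports are constructed for the example.

```python
"""Added example (not Cisco's code): a minimal model of the ACI policy on pages
9-10 (EPGs, contracts, whitelist forwarding) and the EPG-to-VMM-domain mapping
of pages 17-18. Object class names follow the APIC model (fvTenant, fvAp, fvAEPg,
vzBrCP, fvRsProv, fvRsCons, fvRsDomAtt); all names and ports are constructed."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Contract:
    name: str
    provider: str      # EPG offering the service (e.g. "db")
    consumer: str      # EPG allowed to initiate connections to it (e.g. "app")
    ports: frozenset   # allowed destination TCP ports (the contract's filter)

@dataclass
class AppProfile:
    tenant: str
    name: str
    vmm_domain: str    # VMM domain (page 15) the EPGs are attached to
    epgs: list = field(default_factory=list)
    contracts: list = field(default_factory=list)

    def is_allowed(self, src, dst, dport):
        """Fabric behaviour: traffic inside one EPG is free; traffic between EPGs
        needs a contract that src consumes, dst provides and whose filter lists
        the port. Without a matching contract the fabric drops the packet."""
        if src == dst:
            return src in self.epgs
        return any(c.consumer == src and c.provider == dst and dport in c.ports
                   for c in self.contracts)

    def to_apic_json(self):
        """Tenant tree as APIC would receive it: one fvAEPg per EPG with its
        provided/consumed contracts and a fvRsDomAtt to the VMM domain, which
        is what triggers the port-group creation in page 18, steps 7-8."""
        epg_nodes = []
        for epg in self.epgs:
            rels = [{"fvRsDomAtt": {"attributes": {
                "tDn": f"uni/vmmp-VMware/dom-{self.vmm_domain}"}}}]
            for c in self.contracts:
                if c.provider == epg:
                    rels.append({"fvRsProv": {"attributes": {"tnVzBrCPName": c.name}}})
                if c.consumer == epg:
                    rels.append({"fvRsCons": {"attributes": {"tnVzBrCPName": c.name}}})
            epg_nodes.append({"fvAEPg": {"attributes": {"name": epg}, "children": rels}})
        contracts = [{"vzBrCP": {"attributes": {"name": c.name}}} for c in self.contracts]
        return {"fvTenant": {"attributes": {"name": self.tenant}, "children": [
            {"fvAp": {"attributes": {"name": self.name}, "children": epg_nodes}},
            *contracts]}}

def three_tier():
    """Constructed sample: the Web/App/DB profile of the slides ("outside" kept as a plain EPG)."""
    return AppProfile("Tenant1", "ThreeTier", "DVS1", ["outside", "web", "app", "db"], [
        Contract("web-svc", "web", "outside", frozenset({443})),
        Contract("app-svc", "app", "web", frozenset({8080})),
        Contract("db-svc", "db", "app", frozenset({3306}))])
```

The point to take from is_allowed() is that a missing contract is a deny: web can reach app on 8080, but web to db is dropped even though both EPGs exist.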

Page 19

Southbound OpFlex API

(Diagram: VMs on N1KV VEM hosts, vSphere hypervisor manager, OpFlex control protocol between APIC and the VEM)

OpFlex Control protocol
- Control channel
- VM attach/detach, link state notifications

VEM extension to the fabric
- vSphere 5.0 and above
- BPDU Filter/BPDU Guard
- SPAN/ERSPAN
- Port level stats collection
- Remote Virtual Leaf Support (future)

Page 20

Cisco APIC and VMware vCenter Server workflow with the Application Virtual Switch (AVS) and an OpFlex Agent on each hypervisor:

1. Cisco APIC and VMware vCenter initial handshake
2. Create AVS
3. Attach hypervisor to VDS
4. Learn location of ESX host through OpFlex
5. APIC Admin: create Application Policy (Application Network Profile with EPG WEB, EPG APP, EPG DB, F/W and L/B)
6. Push policy
7. Create port groups (WEB PORT GROUP, APP PORT GROUP, DB PORT GROUP)
8. Automatically map EPG to port groups
9. VI/Server Admin: instantiate VMs, assign to port groups

Page 21

3. DEMO ACI – vCenter integration

Page 22

Page 23

4. Converged Infra (VCE) with ACI

Page 24

© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

ACI-READY

Vblock™ 340 and Vblock™ 720
• Available NOW
• Network Performance and Scale
• Energy Efficient
• Investment Protection and Rapid Technology Adoption

VBLOCK Systems with ACI
• Rapid Deployment of Infrastructure
• Broad Visibility and Dynamic Responsiveness to Real-time Events
• Optimize and Automate Application Performance and Operations

Vblock 540 and 740 will ship with N9396 as default switch

Page 25

5. Security in a multi tenant and segmented DC

Page 26

ACI Security – Networking, Segmentation, Isolation

Centralized Compliance and Auditing

Import / Export Policy via API (Support for External Policy Engines)

Services Chaining Automated

Complete Isolation with Full Scalability and Security

Policy Separated from Network Forwarding

Open APIs / Policy Engine

(Diagram: tenants Bio-Chemical, Undergrad, HPC, HR, Finance and Guests, with an APPLICATION NETWORK PROFILE for "Undergrad and Guests")

Page 27

6. Why is Cisco ACI the perfect Transport Network for NSX-v

Page 28

Cisco ACI: your next-gen physical Transport Network

• L2/L3 fabric:
  • IP pools and tagged VLANs for VXLAN vmknics
  • Any NSX gateway anywhere, any bare-metal anywhere, any ESR anywhere
• Network multi-tenancy out of the box:
  • For example: “Storage” network view, “NSX cluster 2” network view
• Advanced troubleshooting possibilities in the transport network
• Simplified design for infrastructure vmknics, less coordination between VMware and network departments required
• Simplified routing design (no ESR), fewer physical servers
• Best performance in the market with Nexus 9000

Page 29

Page 30

Page 31

See individual paths

Page 32

Page 33

If multiple NSX clusters, cluster-specific views

High-level health summary

Always-on NSX-specific statistics, faults, alerts, etc.

Find problems before the users notice!

Page 34

Ask your transport network NSX-specific stats

Page 35

iSCSI / NFS health scores

Storage-specific QoS and Monitoring

Page 36

Dedicated audit log

Dedicated Faults / Events view

Page 37

Per-path packet counts between Leaf #2 and Leaf #5 (APIC view):

Path     Packets sent from Leaf #2 to Leaf #5   Packets received on Leaf #5 sent from Leaf #2   Difference
Path 1   2068                                   2066                                            2
Path 2   2963                                   2963                                            0
Path 3   2866                                   2869                                            -3
Path 4   2506                                   2506                                            0

Page 38

Open REST APIs Support Integration With Any Software

NORTHBOUND PROGRAMMABILITY LAYER (APIC): Automation, Enterprise Monitoring, Systems Management, Orchestration Frameworks, OVM, Hypervisor Management, Applications

SOUTHBOUND PROGRAMMABILITY LAYER: OpFlex: Fabric Attached Device API; Device Package API: L4-7 Scripting

Page 39

SUBSCRIBE AT: Ciscoevents.nl/aci

Page 40

Subscribe ACI Hands-on workshops - Amsterdam

Ciscoevents.nl/aci

Whitepaper integration VMware – ACI

http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/unified-fabric/solution-brief-c22-729866.html

ACI Multi-Hypervisor + BareMetal Interop with VLAN & VXLAN Routing and Bridging Demo

https://www.youtube.com/watch?v=hz7zwd98rn4

Underlay vs Overlay Link failure detection

https://www.youtube.com/watch?v=yZu-JW-DEQ8

Page 41

• Own the Next generation network conversation at your customer

• Get in contact with your ACI alliance peers (F5 / Citrix / A10)

• Engage AS at every “ACI Fabric” opportunity

Page 42