Application Centric Infrastructure

Similar documents
Cisco Application Centric Infrastructure and Microsoft SCVMM and Azure Pack

Integration of Hypervisors and L4-7 Services into an ACI Fabric. Azeem Suleman, Principal Engineer, Insieme Business Unit

MP-BGP VxLAN, ACI & Demo. Brian Kvisgaard System Engineer, CCIE SP #41039 November 2017

ACI Terminology. This chapter contains the following sections: ACI Terminology, on page 1. Cisco ACI Term. (Approximation)

Cisco ACI Terminology ACI Terminology 2

Hybrid Cloud Solutions

Cisco Cloud Architecture with Microsoft Cloud Platform Peter Lackey Technical Solutions Architect PSOSPG-1002

Cisco SDN 解决方案 ACI 的基本概念

Integration of Multi-Hypervisors with Application Centric Infrastructure

Segmentation. Threat Defense. Visibility

The Next Opportunity in the Data Centre

Layer 4 to Layer 7 Design

Cisco Virtual Networking Solution Nexus 1000v and Virtual Services. Abhishek Mande Engineer

Integration of Hypervisors and L4-7 Services into an ACI Fabric

Cisco HyperFlex Systems

Cisco Application Centric Infrastructure

Service Graph Design with Cisco Application Centric Infrastructure

Data Center and Cloud Automation

Cisco ACI Virtual Machine Networking

Evolution of Data Center Security Automated Security for Today s Dynamic Data Centers

Migration from Classic DC Network to Application Centric Infrastructure

Cisco Application Centric Infrastructure (ACI) - Endpoint Groups (EPG) Usage and Design

Cisco ACI Multi-Pod/Multi-Site Deployment Options Max Ardica Principal Engineer BRKACI-2003

Cisco UCS Director Tech Module Cisco Application Centric Infrastructure (ACI)

Cisco ACI Multi-Site Fundamentals Guide

F5 Demystifying Network Service Orchestration and Insertion in Application Centric and Programmable Network Architectures

Cisco ACI Virtual Machine Networking

Integrating Cisco UCS with Cisco ACI

Automate Application Deployment with F5 Local Traffic Manager and Cisco Application Centric Infrastructure

Integration of Hypervisors & L4-7 Services with ACI

Building NFV Solutions with OpenStack and Cisco ACI

Virtual Machine Manager Domains

Running RHV integrated with Cisco ACI. JuanLage Principal Engineer - Cisco May 2018

believe in more SDN for Datacenter A Simple Approach

ACI Multi-Site Architecture and Deployment. Max Ardica Principal Engineer - INSBU

Cisco CloudCenter Solution with Cisco ACI: Common Use Cases

BRKACI-2504 Cisco Security on ACI, MicroSegmentation, ASA, FirePower. Brenden Buresh DC Technical Solutions Architect

Deploying Cloud Network Services Prime Network Services Controller (formerly VNMC)

Cisco Application Policy Infrastructure Controller Data Center Policy Model

2018 Cisco and/or its affiliates. All rights reserved.

Cisco ACI Virtual Machine Networking

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Service Insertion with ACI using F5 iworkflow

5 days lecture course and hands-on lab $3,295 USD 33 Digital Version

VXLAN Overview: Cisco Nexus 9000 Series Switches

Microsegmentation with Cisco ACI

Title DC Automation: It s a MARVEL!

DELL EMC VSCALE FABRIC

2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Intuit Application Centric ACI Deployment Case Study

Virtualization Design

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

DevNet Technical Breakout: Introduction to ACI Programming and APIs.

Real World ACI Deployment and Migration Kannan Ponnuswamy, Solutions Architect BRKACI-2601

Multi-Site Use Cases. Cisco ACI Multi-Site Service Integration. Supported Use Cases. East-West Intra-VRF/Non-Shared Service

Modeling an Application with Cisco ACI Multi-Site Policy Manager

Real World ACI Deployment and Migration

Cisco ACI vpod. One intent: Any workload, Any location, Any cloud. Introduction

Huawei CloudFabric and VMware Collaboration Innovation Solution in Data Centers

Policy Driven Data Centre with ACI

Cisco Unified Data Center Strategy

Cisco Enterprise Cloud Suite Overview Cisco and/or its affiliates. All rights reserved.

PSOACI Why ACI: An overview and a customer (BBVA) perspective. Technology Officer DC EMEAR Cisco

Integrating the Cisco ASA with Cisco Nexus 9000 Series Switches and the Cisco Application Centric Infrastructure

Virtual Security Gateway Overview

F5 BIG-IP Local Traffic Manager Service Insertion with Cisco Application Centric Infrastructure

Cisco IT Compute at Scale on Cisco ACI

Design Guide for Cisco ACI with Avi Vantage

Manage Hybrid Clouds with a Cisco CloudCenter, Cisco Application Centric Infrastructure, and Cisco UCS Director Solution

Configuring Policy-Based Redirect

APPLICATION CENTRIC INFRASTRUCTURE

Cisco VTS. Enabling the Software Defined Data Center. Jim Triestman CSE Datacenter USSP Cisco Virtual Topology System

Introduction to Cisco Virtual Topology System DP Ayyadevara, Product Manager, Cloud Virtualization Cisco PSOSDN-1050

Configuring Policy-Based Redirect

Cisco ACI vcenter Plugin

ACI 3.0 update. Brian Kvisgaard, System Engineer - Datacenter Switching

Cisco Tetration Analytics Demo. Ing. Guenter Herold Area Manager Datacenter Cisco Austria GmbH

Design Guide: Deploying NSX for vsphere with Cisco ACI as Underlay

Security Overview and Cisco ACE Replacement

Pasiruoškite ateičiai: modernus duomenų centras. Laurynas Dovydaitis Microsoft Azure MVP

SDN Security BRKSEC Alok Mittal Security Business Group, Cisco

Taming the Multi-Cloud With Simplicity and Openness. Minh Dang Cisco Systems Vietnam 2018 January

Cisco ACI Virtual Machine Networking

Provisioning Overlay Networks

DC: Le Converged Infrastructure per Software Defined e Cloud Cisco NetApp - Softway. Luigi MARCOCCHIA SOFTWAY

Introducing VMware Validated Designs for Software-Defined Data Center

Intra-EPG Isolation Enforcement and Cisco ACI

Cisco Application Centric Infrastructure (ACI) Simulator

PSOACI Tetration Overview. Mike Herbert

Cisco UCS Director and ACI Advanced Deployment Lab

Cisco Virtual Networking Solution for OpenStack

Applications of SDN in Cisco

Deploy Microsoft SQL Server 2014 on a Cisco Application Centric Infrastructure Policy Framework

Cisco ACI - Application Policy Enforcement Using APIC

Build application-centric data centers to meet modern business user needs

Question No: 3 Which configuration is needed to extend the EPG out of the Cisco ACI fabric?

Modelos de Negócio na Era das Clouds. André Rodrigues, Cloud Systems Engineer

Verified Scalability Guide for Cisco APIC, Release 3.0(1k) and Cisco Nexus 9000 Series ACI-Mode Switches, Release 13.0(1k)

CHARTING THE FUTURE OF SOFTWARE DEFINED NETWORKING

Transcription:

Application Centric Infrastructure Design pro řešení na zelené louce i do stávajícího DC DCA4 Miroslav Brzek, Systems Engineer

Agenda Modern DC infrastructure Customer requirements What s Application Centric Infrastructure (ACI) How ACI affects / enhances Data Center Infrastructure Network fabric Hypervisors L4-L7 Services How ACI affects Applications Security Automation / Orchestration Migration to ACI Application Centric Infrastructure

Modern DC infrastructure Customer s Requests 1 2 3 5 4 Modernize Infrastructure: Open and Programmable Automate and Simplify Build Your Hybrid Cloud Move Data and Workloads Securely Choose any Other Cloud Data Center Network / L4-7 Compute Storage Security POLICY Private Cloud Stack Integrated Infrastructure 6 Self-Service Portal (IT as a Service) 7 Extend Policy Model Private Public Managed 8 Policy Everywhere 9 10 Security Everywhere Analytics Everywhere

Cisco Data Center Networking Strategy Providing Choice in Automation and Programmability Programmable Network Programmable Fabric Application Centric Infrastructure Connection Creation Reporting Expansion Fault Mgmt VTS DB DB Web Web App Web App Modern NX-OS with enhanced NX-APIs DevOps toolset used for Network Management (Puppet, Chef, Ansible etc.) VxLAN-BGP EVPN standard-based 3 rd party controller support Cisco Controller for software overlay provisioning and management across N2K-N9K Turnkey integrated solution with security, centralized management, compliance and scale Automated application centric-policy model with embedded security Broad and deep ecosystem Automation, API s, Controllers and Tool-chain s

Agenda Modern DC infrastructure Customer requirements What s Application Centric Infrastructure (ACI) How ACI affects / enhances Data Center Infrastructure Network fabric Hypervisors L4-L7 Services How ACI affects Applications Security Automation / Orchestration Migration to ACI Application Centric Infrastructure

ACI: Policy-Driven DC Infrastructure Answers customer s requests Agile App Requirements Drive Network Deployment/Operation Open Secure Policy Automation Visibility Scale and Performance Open API s Partner Ecosystem Multi-Tenant Compliance Security Speed through Automation Physical and Virtual Endpoints with Consistent Policy Application Health Monitoring Open APIs, Open Source and Open Standards Customer Choice And Interoperability Drives Innovation Whitelist Approach Multitenant Aware Simplified Compliance

Modern Data Center Network It s All About the Application application An Application is more than just a VM Interconnected components How do we define the network for the application? Internet External Private Network web VM VM app? VM VM db VM VM

How do we define the network for the application today? Group applications by VLAN to segment them and to control the path between them Map IP subnets to those VLANs Policy boundary Security identifier Application identifier Apply connectivity, policies (security, QoS) and network services based on those constructs Security SLAs Network Services Subnet Subnet Subnet VLAN VLAN VLAN This leads to restrictions on how applications can be grouped and how policy can be applied

switch1(config)# switch1(config)# int eth 1/1 switch1(config)# switch mode acc switch1(config)# acc vlan 666 switch1(config)# switch2(config)# no shut switch2(config)# int eth 1/2-3 switch2(config)# switch mode acc switch2(config)# switch3(config)# acc vlan 111 switch2(config)# switch3(config)# no int shut eth 1/4-5 switch3(config)# switch mode acc switch3(config)# switch acc vlan 222 switch4(config)# switch3(config)# no shut switch4(config)# int eth 1/6 switch4(config)# switch mode acc switch4(config)# switch acc vlan 333 switch4(config)# no shut Web Servers switch4(config)# int eth 1/7-9 switch4(config)# switch mode acc switch4(config)# switch acc vlan 333 switch4(config)# no shut switch5(config)# switch5(config)# int eth 1/10-11 switch5(config)# switch mode acc switch5(config)# switch acc vlan 444 switch5(config)# no shut switch5(config)# int eth 1/11-15 switch5(config)# switch mode acc switch5(config)# switch acc vlan 555 switch5(config)# no shut switch5(config)# monitor session 1 source vlan 555 App Servers switch5(config)# monitor session 1 dest eth 1/16 switch6(config)# switch6(config)# int eth 1/16-19 switch6(config)# switch mode acc switch6(config)# switch acc vlan 777 switch6(config)# no shut switch6(config)# monitor session 1 source vlan 777 switch6(config)# monitor session 1 dest eth 1/20 DB Servers vlan 666 L3 vlan 111 FW vlan 222 SSL SLB vlan 333 www www www app db vlan 444 app db SLB vlan 555 vlan 777 FW FW IDS/IPS router(config)# router(config)# int eth 1 router(config)# ip add 6.6.6.1 255.255.255.0 router(config)# not shut router(config)# int eth 2 router(config)# ip addr 1.1.1.1 255.255.255.0 router(config)# fw1(config)# no shut slb1 router(config)# fw1(config)# (CONFIG) int router eth 0/1 eigrp 100 probe router(config)# fw1(config)# http http-probe nameif network outside 6.6.6.0 0 mask 255.255.255.0 router(config)# fw1(config)# interval 30 int network eth 0/21.1.1.0 mask 255.255.255.0 router(config)# fw1(config)# expect status 200 nameif ip 200 route webfront 0.0.0.0 20 0.0.0.0 6.6.6.254 rserver fw1(config)# host websrvr1 object network webfront_vip description foo web server fw1(config)# host 6.6.6.6 ip address 3.3.3.1 fw1(config)# inservice static (webfront,outside) 1.1.1.6 rserver fw1(config)# host websrvr2 access-list outside_web permit tcp any host 6.6.6.6 eq 80 fw1(config)# description foo access-list web server outside_web permit tcp any host 6.6.6.6 eq 443 fw1(config)# ip address 3.3.3.2 access-group outside_web in interface outside inservice rserver host websrvr3 description fw2(config)# foo web server ip address 3.3.3.3 inservice fw2(config)# int eth 0/1 serverfarm fw2(config)# host FOOWEBFARM nameif webfront 20 probe fw2(config)# http-probe int eth 0/2 rserver fw2(config)# websrvr1 nameif 80 appfront 50 fw2(config)# inservice object network appfarm_vip rserver slb2 websrvr2 (CONFIG) 80 fw2(config)# host 5.5.5.5 rserver inservice host appsrvr1 rserver fw2(config)# description websrvr3 foo nat 80 app (appfront,webfront) server static 4.4.4.4 inservice fw2(config)# ip address 5.5.5.1 access-list web_to_app permit tcp any host 4.4.4.4 eq 8081 crypto inservice generate key 1024 fooyou.key crypto rserver csr-params host appsrvr2 testparms description country US foo app server ip state address California 5.5.5.2 inservice locality San Jose rserver organization-name host appsrvr3 foo description organization-unit foo app you server ip common-name address 5.5.5.3 www.fooyou.com fw3(config)# inservice serial-number crisco123 crypto serverfarm generate host csr FOOAPPFARM testparms fooyou.key crypto fw3(config)# probe import http-probe ftp int 12.13.14.15 eth 0/1 anonymous fooyou.cer parameter-map fw3(config)# rserver appsrvr1 type nameif ssl 8081 SSL_PARAMETERS appfront 70 fw3(config)# cipher inservice RSA_WITH_RC4_128_MD5 int eth 0/2 fw3(config)# rserver version appsrvr2 TLS1 nameif 8081 dbfront 90 ssl-proxy fw3(config)# inservice object FOOWEB_SSL network db_cluster rserver key fooyou.key appsrvr3 8081 fw3(config)# host 7.7.7.7 inservice cert fooyou.cer class-map fw3(config)# class-map match-all type nat http FOOSSL_VIP_CLASS (dbfront,appfront) loadbalance match-any static FOO_APP 5.5.5.50 fw3(config)# 2 match 2 match virtual-address access-list http virtual-address web_to_app 2.2.2.22 4.4.4.44 tcp permit eq https tcp tcp eq 8081 any host 5.5.5.50 eq 1433 class-map policy-map match-all type loadbalance FOO_APP_VIP_CLASS first-match L7-SSL-MATCH policy-map class L7_WEB type loadbalance first-match FOO_APP-MATCH sticky-serverfarm class FOO_APP sn_cookie IDS/IPS

ACI policy model brings the concept of End-Point Group (EPG) EPG Web EPG App EPG DB EP1 EP2 EP1 EP2 EP1 EP2 EP3 EP4 EP3 EP4 EP3 EP4 EPGs are a grouping of end-points representing application or application components independent of other network constructs.

End-Points end EPG membership Device connected to network directly or indirectly Server VM Virtual Machine Storage Has address (identity), location, attributes (version, patch level) Can be physical or virtual End Point Group (EPG) membership defined by: Ingress physical port (leaf or FEX) VLAN ID VXLAN (VNID) IP address IP Prefix/Subnet (applicable to external/border leaf connectivity) VM Attribute Client

Applying Policy between EPGs: ACI Contracts Once we have our EPGs defined, we need to create policies to determine how they communicate with each other -> ACI Contract EPG Web EPG App EPG DB EP1 EP2 EP1 EP2 EP1 EP2 EP3 EP4 EP3 EP4 EP3 EP4

Applying Policy between EPGs: ACI Contracts A contract typically refers to one or more filters to define specific protocols & ports allowed between EPGs EPG Web EPG App EPG DB EP1 EP2 EP1 EP2 EP1 EP2 EP3 EP4 EP3 EP4 EP3 EP4 Filters TCP: 80 TCP: 443

ACI Service Graph Insertion of Layer 4-7 services with contracts EPG Web EPG App EPG DB EP1 EP2 EP1 EP2 EP1 EP2 EP3 EP4 EP3 EP4 EP3 EP4 App Contract HTTP: Accept, Service Graph In order to add L4-7 services such as security and Load balancing, you can add a Service Graph to a contract to redirect traffic to a Service Producer such as an ASA or F5 Consumer FW LB Provider

EPGs @ ACI bring true network abstraction Traditional Network Model Application Centric Infrastructure VLAN 100 10.10.10/24 Apps Coupled to Location Apps Decoupled from Location App 1 EPG 100 App 2 10.10.10/24 VLAN 200 10.10.20/24 Visibility At Network or VLAN Level Visibility At App or Group Level EPG 200 10.10.20/24 VLAN 300 10.10.30/24 ACL-based Policy Per Interface Policy Between Groups EPG 100 EPG 200 EPG 300 10.10.30/24 VLAN 400 10.10.40/24 No Address Independence or Policy Mobility Complete Address Independence & Policy Mobility EPG 400 10.10.40/24

Do I need to have a complete knowledge of my current application environment to fully use, benefit or leverage Cisco ACI? ABSOLUTELY NOT!!!

ACI Design Flexibility Network Centric or Application Centric Deployment EPG = VLAN EPG = Application Group Hybrid Case Align EPGs to a Traditional VLAN/Subnets Align EPGs to an Individual Components of one or more Applications

How can we define the network for the application? Defining Application Logic Through Policy SLA Provided Contract Provided Contract Provided Contract QoS WEB APP DB Security F/W Application OUTSIDE Network ADC Profile ADC Load Balancing APP PROFILE Application-centric network policy What is an application policy? 1. 2. 3. Group: A set of virtual or physical workloads with the same policy Contracts: A set of rules governing communication between groups Service Chains: A set of network services between groups

DEV Context Outside EPG Outside EPG Web EPG TCP ports 80 and 443 use firewall NAT use SLB + SSL offload FW SSL SLB Copy Profile TEST Context Outside EPG Outside EPG Web EPG TCP ports 80 and 443 use firewall NAT use SLB + SSL offload FW SSL SLB Copy Profile PROD Context Outside EPG Outside EPG Web EPG TCP ports 80 and 443 use firewall NAT use SLB + SSL offload FW SSL SLB Web EPG www www www Web EPG www www www www www Web EPG www www www www www www www www www www Web EPG App EPG TCP port 8081 use firewall NAT use SLB copy to IDS/IPS FW SLB IDS/IPS Web EPG App EPG TCP port 8081 use firewall NAT use SLB copy to IDS/IPS FW SLB IDS/IPS Web EPG App EPG TCP port 8081 use firewall NAT use SLB copy to IDS/IPS FW SLB IDS/IPS Tenant App Servers app app App Servers app app App Servers app app App EPG DB EPG TCP port 1433 use firewall+nat copy to IDS/IPS FW SLB IDS/IPS App EPG DB EPG TCP port 1433 use firewall+nat copy to IDS/IPS FW SLB IDS/IPS App EPG DB EPG TCP port 1433 use firewall+nat copy to IDS/IPS FW SLB IDS/IPS DB Servers db db DB Servers db db db db DB Servers db db

Cisco ACI Logical Network Provisioning of Stateless Hardware with ANP Admin creates policies and profiles Admin does NOT program the hardware Outside (Tenant VRF) QoS Filter Web QoS Service App QoS Filter DB APIC pushes policies and profiles to HW HW programs itself! Policy Driven System

Agenda Modern DC infrastructure Customer requirements What s Application Centric Infrastructure (ACI) How ACI affects / enhances Data Center Infrastructure Network fabric Hypervisors L4-L7 Services How ACI affects Applications Security Automation / Orchestration Migration to ACI Application Centric Infrastructure

Cisco ACI Fabric IP network with an integrated GBP VXLAN overlay Cisco Nexus 9000 ACI Spine Nodes Application Policy Infrastructure Controller Cisco Nexus 9000 ACI Leaf Nodes Cisco ACI Fabric provides: Full normalization of the ingress encapsulation mechanism used: 802.1Q VLAN, IETF VXLAN, and IETF NVGRE Distributed Layer 3 gateway to help ensure optimal forwarding for Layers 3 and 2 (No HSRP/VRRP required) Support for standard bridging and routing semantics without standard location constraints (any IP address anywhere) Service insertion and redirection Removal of flooding requirements for IP control plane (IP ARP and GARP packets are forwarded directly to the target endpoint address contained within ARP or GARP header)

Cisco ACI Fabric Multi-Tenancy Construct Tenant Coke Tenant is a container for all network, security and L4 7 service policies Tenant resources are isolated from each other Bridge Domain 172 Subnet 172.1.1.0/24 Subnet 172.1.2.0/24 Subnet 172.20.1.0/24 EPG WEB EPG APP Policy HTTP Private Network 1 Private Network 2 Bridge Domain 10 Subnet 10.1.1.0/24 EPG DB Policy SQL Bridge Domain 100 Subnet 10.1.1.0/24 Subnet 10.1.2.0/24 EPG web EPG app Policy HTTP EPG db Policy SQL Apps Infrastructure Private network (VRF or context) is used to allow isolated and potentially overlapping IP address space Bridge domain is a L2 forwarding construct within the fabric, used to constrain broadcast and multicast traffic EPGs exist within a single bridge domain only Policy (Contract) is used to determine how EPGs communicate with each other

Cisco ACI Fabric Multi-Tenancy Construct Mapping the Configuration to the Packet ACI Fabric leverages VXLAN Encapsulation to build network overlay The ACI VXLAN header is not associated with a specific L2 segment or L3 domain but provides a multi-function tagging mechanism used in ACI fabric. VXLAN Source Group/Source Class ID is used as a tag/label to identify the specific end point for each application function (EPG) Coke-Tenant Private Network 1 Bridge Domain 1 Bridge Domain 2 EPG EPG Policy is enforced between an ingress or source application tier (EPG) and an egress or destination application tier (EPG) Private Network 2 Bridge Domain 3 EPG EPG Policy can be enforced at source or destination Bridge Domain 4 EPG Flags Flags/DR E Source Class ID == EPG VNID == BD/VRF M/LB/SP 17

Cisco ACI Fabric Load Balancing Focus on the Application Response Time Cisco ACI fabric tracks the congestion along the full path between the ingress leaf and the egress leaf through the data plane (real-time measurements) Congestion on switch-to-switch ports (external wires) Congestion on internal ASIC-to-ASIC connections (internal wires) Fabric load-balances traffic on a flowlet basis Dynamic shedding of active flows from congested to less congested paths Fabric prioritizes small (and early) flowlets Provides DC-TCP behavior without having to modify host stacks Ramps up large TCP flows faster

Application Awareness Application-Level Visibility Cisco ACI Fabric provides the next generation of analytic capabilities Per application, tenants, and infrastructure: Health scores Latency Atomic counters Resource consumption Health Score 78% Latency 5 Microsecond(s) Drop Count 25 Packets Dropped Visibility 16 VMs 8 Physical Tenant Application Delivery Controller Firewall Health Score 96% Latency 2 Microsecond(s) Drop Count 0 Packets Dropped Visibility 16 VMs Application 8 Physical Application Delivery Controller Firewall Integrate with workload placement or migration VXLAN Per-Hop Visibility Physical and Virtual as One

Cisco ACI - Multi-Hypervisor Fabric Virtual Integration APIC Network Admin APIC ACI Fabric Integrated gateway for VLAN, VxLAN, and NVGRE networks from virtual to physical Normalization for NVGRE, VLAN VXLAN VLAN NVGRE VLAN VXLAN VLAN VXLAN, and VLAN networks ESX Hyper-V KVM Customer not restricted by a choice of hypervisor Fabric is ready for multihypervisor Application Admin VMware Microsoft Red Hat XenServer Hypervisor Management VMware Microsoft Red Hat PHYSICAL SERVER

Hypervisor Integration with ACI F/W EPG WEB APIC Application Network Profile L/B VM VM VM EPG APP WEB PORT GROUP APP PORT GROUP DB PORT GROUP EPG DB ACI Fabric implements policy on Virtual Networks by mapping Endpoints to EPGs Endpoints in a Virtualized environment are represented as the vnics VMM applies network configuration by placement of vnics into: Port Groups (VMWare), VM Networks (Hyper-V) Networks or Policy groups (OpenStack) EPGs are exposed to the VMM as a 1:1 mapping to Port Groups, VM Networks or OpenStack Networking.

ACI Layer 4-7 Service Integration Centralized, Automated, and Supports Existing Model Providers Service Graph Service Profile Automated and scalable L4-L7 service insertion Elastic service insertion architecture for physical and virtual services Packet match on a redirection rule sends the packet into a services graph Service Graph can be one or more service nodes pre-defined in a series APIC as central point of network control with policy coordination Supports existing operational model when integrated with existing services Application Admin Service Admin App Tier A Web Server Server begin Policy Redirection Chain Security 5 Security 5 Chain Defined Stage 1 inst inst Firewall.... Stage N inst inst Load Balancer end App Tier B Web App Server Server

L4-L7 Service Automation: Support for All Devices Any Device and Cluster Manager Support L4-L7 Service Automation L4-L7 Services Cisco ACI Services Graph L4- L7 Device Package No Device Package Service Cluster Manager Centralized L4-L7 service configuration and management Full L4-L7 service automation (with device package) Large ecosystem and investment protection Automated service insertion and chaining Support for any L4-L7 device New support for L4-L7 cluster managers

Cisco Application Policy Infrastructure Controller Algorithmically Sharded Cluster Applications fully use clustered and replicated controller (N+1, N+2, etc.) Any node is able to service any user for any operation Seamless APIC node adds and deletes Single Point of Management Without a Single Point of Failure APIC Fully automated APIC software cluster upgrade with redundancy during upgrade See What s Inside Cluster size driven by transaction rate requirements APIC is not in the data path APIC Cluster Distributed, Synchronised, Replicated

Agenda Modern DC infrastructure Customer requirements What s Application Centric Infrastructure (ACI) How ACI affects / enhances Data Center Infrastructure Network fabric Hypervisors L4-L7 Services How ACI affects Applications Security Automation / Orchestration Migration to ACI Application Centric Infrastructure

ACI Security Whitelist, Multi-Tenant Isolation, Service Automation L4 Distributed Stateless Firewall L4-7 Security Via ACI Service Graph ACI Services Graph Servers (Physical or Virtual, Containers, Micro Services) Firewall at Each Leaf switch L4-7 Security Services (physical or virtual, location independent) Embedded Security Micro-Segmentation Security Automation White-list Firewall Policy Model (line rate) Authenticated Northbound API (X.509) Encrypted Management Plane (TLS 1.2) PCI, FIPS Intra End-Point-Group (EPG) isolation Attribute Based isolation and quarantine Dynamic Service Insertion and Chaining Security Policy follows workloads Centralized Security provisioning and visibility

ACI Enables Segmentation Based on Business Needs Policy Driven Micro-Segmentation and Intra-EPG Isolation Intra=EPG Isolation + Micro-Segmentation Quarantine Infected VMs EPG Isolation + Micro-Segmentation Quarantine Infected VMs With Guest OS = Linux FW PROD POD DMZ VLAN 1 VXLAN 2 DB EPG SHARED SERVICES Basic DC Segmentation DEV VLAN 3 Network-Centric Segmentation WEB IP = 1.1.1.x FW OS = Linux FW Name = Video-* Micro-Segmentation Intra-EPG Isolation Web EPG Intra-EPG Isolation DB EPG TEST APP Attributes Based Micro-Segments (DVS, AVS, Hyper-V Switch, KVM*) Intra-EPG Isolation Local switching Local switching PROD Application Lifecycle Segmentation DB Application/Service Level Segmentation Virtual Switch Hypervisor Web EPG DB EPG Flexible Segmentation Hypervisor Agnostic Micro-segmentation For Any Virtual Workload Intra-EPG Isolation + Micro-segmentation For Any Workload (Physical, Virtual)

Attribute-Based EPG/uSeg EPG Isolate Malicious Virtual Machines Web App Web01 Linux App01 Linux Web02 Linux App02 Linux Web03 Win App03 Win X Windows EPG Criterion Attribute (OS = Windows) DB DB01 Linux DB02 Linux DB03 Win Problem: A vulnerability is detected in a particular type of operating system (for example, Microsoft Windows). The network security administrator wants to isolate all Windows virtual machines. Solution: Define a security EPG with a criterion such as Operating System = Windows. No contracts are provided or consumed by this EPG. It will stop all inter-epg communication for the matching virtual machines. No virtual machine attachment or detachment or placement in a different port group is needed.

Intra-EPG Segmentation Problem Intra-EPG Isolation Denies All Communication within an EPG Solution

Why ACI is best for Micro Segmentation Micro Segmentation works for all workloads (bare metal, virtual, containers, management, backup ) Same policy-model for vsphere, Hyper-V, OpenStack, Containers and Bare Metal. Works with standard virtual switch offerings, including VMware VDS, OVS, MSFT vswitch (AVS is optional for vsphere) Stateful firewall when using Cisco AVS on vsphere at no extra cost with better performance at the VMware environment

Application decommission & the compliance / audit demand Due to compliance regulations, when an application gets decommissioned, every IT resource associated with that must be removed and/or wiped out UCS allows one do dissociate service profile(s) associated with this application. Audit OK! Storage arrays can wipe-out the data or associated disks can be trashed. Audit OK! Current network approach and solutions don t have a way to map application workflow and remove it. Audit Fail ACI is the only one that can, inclusive programmatically and automated Audit OK!

Orchestration with ACI UCS Director vrealize SLA QoS Security Load Balancing APP PROFILE

ACI Open APIs and Ecosystem Automation Hypervisor Management OVM Enterprise Monitoring REST API Systems Management Orchestration Frameworks UCS Director NORTHBOUND PROGRAMMABILITY LAYER APIC Fabric-attached Device API L4-7 Orchestration Scripting API SOUTHBOUND PROGRAMMABILITY LAYER APIC SUPPORTS A RICH ECOSYSTEM BUILT AROUND OPEN NORTHBOUND AND SOUTHBOUND APIS

Agenda Modern DC infrastructure Customer requirements What s Application Centric Infrastructure (ACI) How ACI affects / enhances Data Center Infrastructure Network fabric Hypervisors L4-L7 Services How ACI affects Applications Security Automation / Orchestration Migration to ACI Application Centric Infrastructure

Migration to ACI Connecting Brownfield to new ACI network Deployment Design and deploy a new ACI Fabric Integration Connect ACI to the current infrastructure Migration Migrate workloads to use new ACI POD WAN - Core L3 Links L3 L2 L2 Trunk

Cisco ACI - Delivering the Next-Generation DC Infrastructure for an Application-Centric World 6,000+ Nexus 9K and ACI Customers Globally 1400+ ACI Customers 50 Ecosystem Partners

APP App Based Automation ACI Automated L4-7 Stitching Turn-key Network Automation

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback