Cisco ACI - Application Policy Enforcement Using APIC
Azeem Suleman, Solutions Architect
Housekeeping Notes
Tuesday April 15, 2014
Thank you for attending Cisco Connect Toronto 2014. Here are a few housekeeping notes to ensure we all enjoy the session today.
Please ensure your cellphones and laptops are set to silent so that no one is disturbed during the session.
A power bar is available under each desk in case you need to charge your laptop.
You have an RDP client and Java support on your laptops.
All the lab tasks will be done on a jump box.
What Are We Solving?
Overloaded Network Constructs
(Diagram: subnets and VLANs carrying basic network policy, SLAs and L4-7 services.)
Network constructs are overloaded with unintended functionality.
Application Language Barriers
(Diagram: developers think in application tiers and provider/consumer relationships; infrastructure teams think in VLANs, subnets, protocols and ports.)
Developer and infrastructure teams must translate between disparate languages.
Who is Insieme?
$100M+ invested by Cisco
250+ employees
20 year execution history in software and ASICs
What is ACI?
Open RESTful APIs
Centralized policy model
Open source controller
Policy model network connects to all components of the data center
Policy model controls network and information flow
Two types of language
Network language: VLANs, subnets, bridging, routing, IP addresses
App language: Web, App, DB
(Diagram: a human translator sits between the two.)
App-centricity for access control
(Diagram: Web, App and DB tiers.)
A clear, simple description of how tiers are allowed to communicate.
App-centricity for service deployment
(Diagram: F/W -> ADC -> Web -> ADC -> App -> DB.)
Any service can be added between tiers.
App-centricity for troubleshooting and monitoring
(Diagram: an application network profile with a health score of 82%, latency of 10 microsecond(s) and a drop count of 25 packets dropped.)
The network knows the app structure and components.
Easy to follow 3-tier apps around the DC: traditional vs. application network profile.
Visibility into the health of the infrastructure for the app: VMs, servers, ports, switches, services, faults.
Application Policy Infrastructure Controller (APIC)
Single API: open, RESTful, XML/JSON
Reliable
Application centric
Scalable
Enables the Application Centric Infrastructure.
ACI Policy Model
Defining Terms
Tenant - Logical separator for a customer, BU, group, etc. Separates traffic, admin, visibility, etc.
Private-L3 - Equivalent to a VRF; separates routing instances, can be used as an admin separation.
Bridge Domain - NOT a VLAN, simply a container for subnets; CAN be used to define an L2 boundary.
End-Point Group (EPG) - Container for objects requiring the same policy treatment, i.e. app tiers or services.
Logical Model Overview
(Diagram: root\uni contains Tenant A and Tenant B. Tenant A holds Private-L3 A and Private-L3 B; Tenant B holds its own Private-L3 A. Each Private-L3 holds bridge domains, and each bridge domain holds subnets A, B or C.)
Private-L3 and subnets are independent between tenants.
Logical Model Overview (cont.)
(Diagram: root\uni contains tenants Coke, with Private-L3s Dev/Test and Prod, and Pepsi, with Private-L3 Web Services. Bridge domains Dev/Test-BD, Prod-BD, Web-BD and App-BD carry the subnets 10.1/24, 20.1/24, 100.1/16, 20.1/24 and 21.1/24, several marked L2 Enabled = Yes; the subnet 20.1/24 appears under two different tenants.)
Private-L3 and subnets are independent between tenants.
Defining Terms
Contract - Definition of policy. Defines how an EPG communicates with other EPGs.
Subject - Something being discussed. Used to build definitions of communication between EPGs. Contains: filter, action, and optional label.
Filter - Identifier for a subject, i.e. the traffic you want to take action on. Required within a subject.
Action - Action to be taken on the filtered traffic within a subject. Required within a subject.
Applications and Conversations
Application communication can be defined as who is allowed to talk to whom.
(Diagram: Users -> Web Farm -> App Servers -> DB Farm.)
Communication between objects on the network can be thought of as one- or two-way conversations (monologue/dialogue).
The Provider Consumer Relationship
(Diagram: the Web Farm provides web services and consumes app services; the App Servers provide app services; Users consume web services.)
Provider consumer relationships define application connectivity in application terms.
All objects can provide, consume, or both.
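The terms defined on the two "Defining Terms" slides and the provider/consumer relationship above can be exercised in code. The following is an added example written for this page, not Cisco or Insieme code: it models Tenant, Private-L3, Bridge Domain, EPG, Contract, Subject and Filter as plain Python objects, answers "who is allowed to talk to whom" with a default-deny check driven only by consumed and provided contracts, and renders the same objects as an APIC-style JSON body. The class and attribute names used in to_apic_json (fvTenant, fvCtx, fvBD, fvAEPg, vzBrCP, vzSubj, vzFilter and so on) are an assumption drawn from the public APIC object model and do not appear on the slides; the three-tier tenant, its subnets and ports are constructed sample data, and the rule that members of one EPG may talk freely is likewise an assumption of the toy.

```python
# Added illustration of the ACI policy objects named on the slides (Tenant,
# Private-L3, Bridge Domain, EPG, Contract, Subject, Filter). Not Cisco code.
# APIC class names in to_apic_json() are assumed from the public object model.
from dataclasses import dataclass
from typing import Optional
import json


@dataclass(frozen=True)
class Filter:
    """Identifies traffic to act on: a protocol plus an optional destination port."""
    name: str
    protocol: str               # "tcp", "udp", "icmp"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, protocol: str, dport: int) -> bool:
        return protocol == self.protocol and self.dport in (None, dport)


@dataclass(frozen=True)
class Subject:
    """One or more filters plus the action applied to the matched traffic."""
    name: str
    filters: tuple
    action: str = "permit"      # "permit" or "deny"


@dataclass(frozen=True)
class Contract:
    name: str
    subjects: tuple


@dataclass(frozen=True)
class EPG:
    name: str
    bridge_domain: str
    provides: frozenset = frozenset()   # contract names this EPG provides
    consumes: frozenset = frozenset()   # contract names this EPG consumes


@dataclass
class Tenant:
    name: str
    private_l3: str        # the VRF-equivalent routing instance
    bridge_domains: dict   # BD name -> subnet (gateway/prefix)
    epgs: dict             # EPG name -> EPG
    contracts: dict        # contract name -> Contract

    def is_allowed(self, src: str, dst: str, protocol: str, dport: int) -> bool:
        """Default deny: a flow from src to dst passes only when src consumes a
        contract that dst provides and a subject of that contract permits the
        flow. A matching deny subject wins over any permit."""
        if src == dst:
            return True   # assumption of this toy: one EPG, one policy, free talk
        s, d = self.epgs[src], self.epgs[dst]
        permitted = False
        for cname in sorted(s.consumes & d.provides):
            for subj in self.contracts[cname].subjects:
                if any(f.matches(protocol, dport) for f in subj.filters):
                    if subj.action == "deny":
                        return False
                    permitted = True
        return permitted

    def to_apic_json(self) -> str:
        """Render the same objects as an APIC-style JSON body (class names assumed)."""
        def mo(cls, attrs, children=()):
            return {cls: {"attributes": attrs, "children": list(children)}}
        kids = [mo("fvCtx", {"name": self.private_l3})]
        kids += [mo("fvBD", {"name": bd}, [mo("fvRsCtx", {"tnFvCtxName": self.private_l3}),
                                           mo("fvSubnet", {"ip": ip})])
                 for bd, ip in self.bridge_domains.items()]
        filters = {f for c in self.contracts.values() for sj in c.subjects for f in sj.filters}
        kids += [mo("vzFilter", {"name": f.name}, [mo("vzEntry", {
                    "name": "e", "etherT": "ip", "prot": f.protocol,
                    "dFromPort": str(f.dport or "unspecified"),
                    "dToPort": str(f.dport or "unspecified")})])
                 for f in sorted(filters, key=lambda f: f.name)]
        kids += [mo("vzBrCP", {"name": c.name}, [mo("vzSubj", {"name": sj.name},
                    [mo("vzRsSubjFiltAtt", {"tnVzFilterName": f.name}) for f in sj.filters])
                    for sj in c.subjects]) for c in self.contracts.values()]
        kids.append(mo("fvAp", {"name": "three-tier"}, [
            mo("fvAEPg", {"name": e.name},
               [mo("fvRsBd", {"tnFvBDName": e.bridge_domain})]
               + [mo("fvRsProv", {"tnVzBrCPName": n}) for n in sorted(e.provides)]
               + [mo("fvRsCons", {"tnVzBrCPName": n}) for n in sorted(e.consumes)])
            for e in self.epgs.values()]))
        return json.dumps(mo("fvTenant", {"name": self.name}, kids), indent=2)


def build_three_tier() -> Tenant:
    """Constructed sample: the Users -> Web -> App -> DB chain from the slides."""
    http, app, sql = Filter("http", "tcp", 80), Filter("app-8080", "tcp", 8080), Filter("mysql", "tcp", 3306)
    return Tenant(
        name="Coke", private_l3="Prod",
        bridge_domains={"Users-BD": "10.1.1.1/24", "Web-BD": "20.1.1.1/24",
                        "App-BD": "21.1.1.1/24", "DB-BD": "30.1.1.1/24"},
        contracts={"web-svc": Contract("web-svc", (Subject("http", (http,)),)),
                   "app-svc": Contract("app-svc", (Subject("app", (app,)),)),
                   "db-svc": Contract("db-svc", (Subject("sql", (sql,)),))},
        epgs={"Users": EPG("Users", "Users-BD", consumes=frozenset({"web-svc"})),
              "Web": EPG("Web", "Web-BD", provides=frozenset({"web-svc"}), consumes=frozenset({"app-svc"})),
              "App": EPG("App", "App-BD", provides=frozenset({"app-svc"}), consumes=frozenset({"db-svc"})),
              "DB": EPG("DB", "DB-BD", provides=frozenset({"db-svc"}))})


if __name__ == "__main__":
    t = build_three_tier()
    for flow in [("Users", "Web", "tcp", 80), ("Users", "DB", "tcp", 3306),
                 ("Web", "App", "tcp", 8080), ("DB", "App", "tcp", 8080), ("Web", "App", "tcp", 22)]:
        print(flow, "allowed" if t.is_allowed(*flow) else "denied")
    print(t.to_apic_json())
```

Two properties of the model are worth noting when reading the output: direction comes from the relationship, not from the filter, so the DB tier cannot open a connection back to the App tier even though App to DB on port 3306 is permitted; and nothing is reachable without a contract, so Users never reach the DB tier directly, which is the access-control point the "App-centricity for access control" slide makes.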
Contracts for Policy Contracts are used to define relationships.
Policy Definition
(Diagram: current policy definition, which mixes rules, SLAs, actions, L4-7, security and QoS, contrasted with policy based on contracts.)
Defining Provider Consumer Relationships
(Diagram: DB Farm.)
LAB TIME
How to access the Pod
URL: https://labops-out.cisco.com/labops/ilt/
Register your username and select a Pod.
Classname: azesulem_v6399
Once logged in to RDP you should see a PDF lab guide on the desktop.
Follow the instructions in the lab guide.
Call to Action
Visit: Cisco Campus, Technical Solutions Clinics, Meet the Engineer
Complete Your Paper Session Evaluation
Tuesday April 15th
Give us your feedback and you could win 1 of 2 fabulous prizes in a random draw.
Complete and return your paper evaluation form to the Room Attendant at the end of the session.
Winners will be announced today at the end of the session. You must be present to win!
See the Room monitor to redeem your prize.
Questions?
Thank you