Post on 13-Jul-2020
Transcript
Managing Hybrid Cloud using CliQr Cloud Framework
Duc Le, Solution Architect – APJ
June, 2016
Agenda
• ACI and CliQr Overview
• Apps Automation and Multi-Cloud Demo
[Diagram: traditional three-tier data-center network. Web Servers, App Servers and DB Servers on vLANs 111, 222, 333, 444, 555, 666 and 777, with an L3 uplink, firewalls (FW), server load balancers (SLB) with SSL, and IDS/IPS in each tier.]
! Manual, per-device configuration of the three-tier topology above (as shown on the slide)
switch1(config)# int eth 1/1
switch1(config)# switch mode acc
switch1(config)# switch acc vlan 666
switch1(config)# no shut
router(config)# int eth 1
router(config)# ip add 6.6.6.1 255.255.255.0
router(config)# no shut
router(config)# int eth 2
router(config)# ip addr 1.1.1.1 255.255.255.0
router(config)# no shut
router(config)# router eigrp 100
router(config)# network 6.6.6.0 mask 255.255.255.0
router(config)# network 1.1.1.0 mask 255.255.255.0
router(config)# ip route 0.0.0.0 0.0.0.0 6.6.6.254
switch2(config)# int eth 1/2 - 3
switch2(config)# switch mode acc
switch2(config)# switch acc vlan 111
switch2(config)# no shut
fw1(config)# int eth 0/1
fw1(config)# nameif outside 0
fw1(config)# int eth 0/2
fw1(config)# nameif webfront 20
fw1(config)# object network webfront_vip
fw1(config)# host 6.6.6.6
fw1(config)# static (webfront,outside) 1.1.1.6
fw1(config)# access-list outside_web permit tcp any host 6.6.6.6 eq 80
fw1(config)# access-list outside_web permit tcp any host 6.6.6.6 eq 443
fw1(config)# access-group outside_web in interface outside
switch3(config)# int eth 1/4 - 5
switch3(config)# switch mode acc
switch3(config)# switch acc vlan 222
switch3(config)# no shut
switch4(config)# int eth 1/6
switch4(config)# switch mode acc
switch4(config)# switch acc vlan 333
switch4(config)# no shut
switch4(config)# int eth 1/7 - 9
switch4(config)# switch mode acc
switch4(config)# switch acc vlan 333
switch4(config)# no shut
switch5(config)# int eth 1/10 - 11
switch5(config)# switch mode acc
switch5(config)# switch acc vlan 444
switch5(config)# no shut
switch5(config)# int eth 1/11 - 15
switch5(config)# switch mode acc
switch5(config)# switch acc vlan 555
switch5(config)# no shut
! SPAN the IDS/IPS VLAN to the sensor port
switch5(config)# monitor session 1 source vlan 555
switch5(config)# monitor session 1 dest eth 1/16
switch6(config)# int eth 1/16 - 19
switch6(config)# switch mode acc
switch6(config)# switch acc vlan 777
switch6(config)# no shut
switch6(config)# monitor session 1 source vlan 777
switch6(config)# monitor session 1 dest eth 1/20
slb1(config)# probe http http-probe
  interval 30
  expect status 200 200
rserver host websrvr1
  description foo web server
  ip address 3.3.3.1
  inservice
rserver host websrvr2
  description foo web server
  ip address 3.3.3.2
  inservice
rserver host websrvr3
  description foo web server
  ip address 3.3.3.3
  inservice
serverfarm host FOOWEBFARM
  probe http-probe
  rserver websrvr1 80
    inservice
  rserver websrvr2 80
    inservice
  rserver websrvr3 80
    inservice
crypto generate key 1024 fooyou.key
crypto csr-params testparms
  country US
  state California
  locality San Jose
  organization-name foo
  organization-unit you
  common-name www.fooyou.com
  serial-number crisco123
crypto generate csr testparms fooyou.key
crypto import ftp 12.13.14.15 anonymous fooyou.cer
! Settings below are as on the original slide; a 1024-bit RSA key and the RC4/MD5 suite
! are no longer acceptable (RFC 7465 prohibits RC4 in TLS)
parameter-map type ssl SSL_PARAMETERS
  cipher RSA_WITH_RC4_128_MD5
  version TLS1
ssl-proxy service FOOWEB_SSL
  key fooyou.key
  cert fooyou.cer
class-map match-all FOOSSL_VIP_CLASS
  2 match virtual-address 2.2.2.22 tcp eq https
policy-map type loadbalance first-match L7-SSL-MATCH
  class L7_WEB
    sticky-serverfarm sn_cookie
policy-map multi-match FOOWEB-VIP
  class FOOWEB_VIP_CLASS
    loadbalance vip inservice
    loadbalance policy FOOWEB-MATCH
    loadbalance vip icmp-reply
    loadbalance vip advertise active
  class FOOSSL_VIP_CLASS
    loadbalance vip inservice
    loadbalance policy FOOSSL-MATCH
    loadbalance vip icmp-reply
    loadbalance vip advertise active
    ssl-proxy server FOOWEB_SSL
interface vlan 222
  service-policy input FOOWEB_SSL
fw2(config)# int eth 0/1
fw2(config)# nameif webfront 20
fw2(config)# int eth 0/2
fw2(config)# nameif appfront 50
fw2(config)# object network appfarm_vip
fw2(config)# host 5.5.5.5
fw2(config)# nat (appfront,webfront) static 4.4.4.4
fw2(config)# access-list web_to_app permit tcp any host 4.4.4.4 eq 8081
slb2(config)# rserver host appsrvr1
  description foo app server
  ip address 5.5.5.1
  inservice
rserver host appsrvr2
  description foo app server
  ip address 5.5.5.2
  inservice
rserver host appsrvr3
  description foo app server
  ip address 5.5.5.3
  inservice
serverfarm host FOOAPPFARM
  probe http-probe
  rserver appsrvr1 8081
    inservice
  rserver appsrvr2 8081
    inservice
  rserver appsrvr3 8081
    inservice
class-map type http loadbalance match-any FOO_APP
  2 match http virtual-address 4.4.4.44 tcp eq 8081
class-map match-all FOO_APP_VIP_CLASS
policy-map type loadbalance first-match FOO_APP-MATCH
  class FOO_APP
    sticky-serverfarm sn_cookie
policy-map multi-match FOO_APP-VIP
  class FOO_APP_VIP_CLASS
    loadbalance vip inservice
    loadbalance policy FOO_APP-MATCH
    loadbalance vip icmp-reply
    loadbalance vip advertise active
fw3(config)# int eth 0/1
fw3(config)# nameif appfront 70
fw3(config)# int eth 0/2
fw3(config)# nameif dbfront 90
fw3(config)# object network db_cluster
fw3(config)# host 7.7.7.7
fw3(config)# nat (dbfront,appfront) static 5.5.5.50
fw3(config)# access-list web_to_app permit tcp any host 5.5.5.50 eq 1433
Application Centric Infrastructure
[Diagram: the application (ANP) at the centre, with compute, network, storage, security and cloud around it, and IT teams collaborating on it.]
Data Center Network
switch1(config)# xxx
switch1(config)# xxx
switch1(config)# xxx
switch1(config)# xxx
[Diagram: ACI = "one big modular switch": spines and leaves, virtual switches and virtual machines attached to leaves, and L4-L7 services (FW, LB, ...).]
INNOVATIONS IN SOFTWARE, HARDWARE, ASICS AND SYSTEMS – NEXUS 9500
• Price: cost structure for 1G to 1/10GT and 10G to 40G migration; 50% fewer ASICs
• Performance: industry-leading price per line-card bandwidth; 1.92 Tbps per slot, 100G ready
• Port density: 20% higher non-blocking density
• Programmability: JSON/XML API; Linux container for customer apps; 2 operation modes
• Power efficiency: state-of-the-art backplane-free design; 15% greater power and cooling efficiency
• Merchant+ ASIC approach: innovation in Cisco ASICs
ACI Key Business Benefits
• Apps + Infra
• Open: Multi-hypervisor with 50 Eco-system partners
• Security: Built-in and integrated with 10 Security Vendors
• Physical and Virtual
• Automation and Auto-provisioning
• Underlay and Overlay: Single Management Plane.
• Operational efficient / zero touch deployment and de-commissioning
• Simplified day-2 troubleshooting and visibility
• Saving OPEX and CAPEX
Customer Acceptance Continues
• 13,700+ Nexus 9K and Nexus 3K customers globally
• 50+ ecosystem partners
• 7,200+ ACI-ready customers
• New ecosystem: $2.2B run rate for Cisco SDN solutions
© 2014 Cisco and/or its affiliates. All rights reserved.
Broad Customer Base Adopting Cisco ACI and Nexus 9K
[Diagram: DU Telecom DC Fabric Topology.]
What CliQr Does…
• Single Cloud Management Platform: manage the full lifecycle
• One to Many, New and Existing Apps: simple or complex multi-tier; component/VM, container, PaaS
• One to Many Datacenters, Private or Public Clouds
• Enterprise-Class: comprehensive management, administration and governance
CliQr: It’s All About the Application
• Broad Application Support: OS services & PaaS, custom, 3rd party
• Broad Cloud Support: private, public
• Simple to Complex: from one server on one cloud to many applications, clouds and users
What Makes CliQr’s Approach Unique?
CliQr:
• Common Application Profile: capture topology & dependencies, simple to complex
• One-Click: 1. end-to-end provisioning of infrastructure; 2. deployment of the full application stack
• Any Datacenter, Private, Public Cloud
• Portable – Manageable
• Full Lifecycle Management: VMs – OSs – Services – Application
• Application-Centric
• Cloud-Agnostic
• On-Board Once… Run Anywhere
Script / Workflows:
• Labor / Services Intensive
• Infrastructure-Centric
• Workflows / Scripting Required for Each Cloud
CliQr with Cisco ACI: Full Power of Software Defined Networking
[Diagram: Landscape of Nexus 9K and ACI Partners. Northbound partners: Automation, Security & Governance, Big Data & Analytics, Operations Orchestration, Analytics, Cloud Orchestration and Management, Enterprise Monitoring, PaaS, Virtualization. Southbound partners: Security & Services, Open Infra., L4-L7 Services, Fabric Attached Devices, Security, ADC.]
[Diagram: Application Centric Management (CliQr CloudCenter) + Application Centric Infrastructure (Cisco ACI, via its Northbound API) = Full Power of Software Defined Networking (SDN).]
Two Powerful Products: CliQr CloudCenter, a model based approach, and Cisco ACI, a policy based approach
No-touch Automation
CliQr creates and instantiates Policy Objects via fully configured XML:
• Deploy
• Scale out
• Terminate
[Diagram: an Application Network Profile made of End-point Groups joined by Contracts.]
Working Together: End-to-end Orchestration
Agenda
• ACI and CliQr Overview
• Apps Automation and Multi-Cloud Demo
Option 1: 3rd party ADC Integration
• Simple client-server web apps.
• LB insertion for load balancing traffic from clients to many web servers.
• Auto-provisioning by APIC policy with auto attach and detach notification.
• Dynamic resource monitoring and provisioning.
• Auto-removing configuration.
[Diagram: Physical Setup for 3rd party ADC Integration (physical appliance): Spine, Leaf 1 and Leaf 2 in the ACI Fabric, 40G, 10G and 1G interfaces (ports 2/1, 1/2, 1/1, 1/48, 1/5-6, 2/3) and a vNIC connection.]
Understanding Device Package
APIC requires a Device Package to configure and monitor service devices. A device package manages a class of service devices.
A Device Package is a zip file containing three parts:
• Device Specification – an XML file that defines the functions provided by a device (load balancing, content switching, SSL termination, etc.), the parameters required for configuring each function, and the interfaces and network connectivity information for each function.
• Device Script – a Python script. The integration between the APIC and a device is performed by the Device Script: APIC events are mapped to function calls defined in it.
• Supporting Files – image files and other supporting files.
A Device Package can be provided by the device vendor or created by Cisco, Advanced Services, the customer, etc.
[Diagram: Device Package = Device Model + Device Script + supporting image and text files.]
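As an added illustration (not part of the original deck and not Cisco's device-package format), the check below assembles a package from the three parts named above and verifies, before anything is loaded onto a controller, that the archive has no path-escaping entries, exactly one specification and one script, and that every function in the specification declares a connector and names a handler the script actually defines. The XML element names, file names and handler signatures are assumptions made for this example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
# Constructed sample spec. The element and attribute names are an assumption
# for this example, not the real APIC device-specification schema.
DEVICE_SPEC = """<deviceSpec vendor="ExampleVendor" model="ADC" version="1.0">
  <function name="LoadBalancing" handler="service_modify">
    <param name="virtual-ip"/><param name="port"/>
    <connector name="external"/><connector name="internal"/>
  </function>
  <function name="SSLTermination" handler="ssl_modify"><connector name="external"/></function>
</deviceSpec>"""
# Constructed device script: one handler per function named in the spec.
DEVICE_SCRIPT = """
def service_modify(device, interfaces, config):
    return {'state': 'ok'}
def ssl_modify(device, interfaces, config):
    return {'state': 'ok'}
"""

def build_package(script=DEVICE_SCRIPT):
    """Assemble the three parts of a device package into an in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("device_specification.xml", DEVICE_SPEC)
        zf.writestr("device_script.py", script)
        zf.writestr("images/adc.png", b"\x89PNG constructed placeholder")
    return buf.getvalue()

def validate_package(data):
    """Return the problems found; an empty list means the package checks out."""
    problems = []
    zf = zipfile.ZipFile(io.BytesIO(data))
    names = zf.namelist()
    for n in names:  # entries must not escape the extraction directory
        if n.startswith("/") or ".." in n.split("/"):
            problems.append(f"unsafe path: {n}")
    xmls = [n for n in names if n.endswith(".xml")]
    pys = [n for n in names if n.endswith(".py")]
    if len(xmls) != 1 or len(pys) != 1:
        return problems + ["expected exactly one .xml specification and one .py script"]
    spec = ET.fromstring(zf.read(xmls[0]))
    defined = set(re.findall(r"^def\s+(\w+)\s*\(", zf.read(pys[0]).decode(), re.M))
    for fn in spec.findall("function"):  # each function needs connectivity and a handler
        if not fn.findall("connector"):
            problems.append(f"{fn.get('name')}: no connector")
        if fn.get("handler") not in defined:
            problems.append(f"{fn.get('name')}: handler {fn.get('handler')} not in script")
    return problems
```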
Service Insertion Using Service Graph
• A service graph is an ordered set of functions between a set of terminals. A service graph can be defined through the GUI, the CLI or the APIC API.
• A function has one or more connectors. Network connectivity, such as a VLAN/VNID tag, is assigned to these connectors.
• A function within a graph may require one or more parameters. Parameters can be scoped by an EPG, an application profile or a tenant context. Parameters can also be assigned at the time of defining a service graph, and parameter values can be locked from further changes.
[Diagram: Service Graph "web-application": Consumer terminal -> Function Firewall -> Function SSL offload -> Function Load Balancer -> Provider terminal, joined by connectors. Firewall params: Permit ip tcp * dest-ip <vip> dest-port 80; Deny ip udp *. SSL params: Ipaddress <vip> port 80. Load-Balancer params: Virtual-ip <vip>, Port 80, Lb-algorithm: round-robin.]
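To make the service-graph model concrete, the added example below (not from the deck or from APIC) builds the slide's "web-application" graph as an ordered chain from the consumer to the provider terminal, gives each connector its own VLAN tag, and resolves a function's parameters from tenant, application-profile and EPG scope while honouring values locked in the graph definition. The scope precedence, the ACL wording and the <vip> substitution are assumptions made for this example.

```python
from dataclasses import dataclass, field
# Scope precedence is an assumption for this example: EPG beats application
# profile, which beats tenant; values are applied least-specific first.
SCOPE_ORDER = ("tenant", "app-profile", "epg")

@dataclass
class Function:
    name: str
    connectors: tuple                           # each connector gets its own VLAN/VNID
    params: dict = field(default_factory=dict)  # values fixed when the graph is defined
    locked: set = field(default_factory=set)    # params that scoped values may not override

class ServiceGraph:
    """Ordered set of functions between the consumer and provider terminals."""
    def __init__(self, name, functions):
        self.name, self.functions = name, list(functions)

    def render(self):
        """Terminals and connectors in traversal order, consumer to provider."""
        hops = ["consumer"]
        for f in self.functions:
            hops.extend(f"{f.name}.{c}" for c in f.connectors)
        return hops + ["provider"]

    def assign_encap(self, first_vlan):
        """Give every connector its own VLAN tag, starting at the consumer side."""
        encap = {}
        for f in self.functions:
            for c in f.connectors:
                encap[f"{f.name}.{c}"] = first_vlan + len(encap)
        return encap

    def resolve(self, func_name, scoped):
        """Merge graph-time params with tenant/app-profile/EPG values; the most
        specific scope wins except for params locked in the graph definition."""
        f = next(x for x in self.functions if x.name == func_name)
        values = dict(f.params)
        for scope in SCOPE_ORDER:
            values.update({k: v for k, v in scoped.get(scope, {}).items() if k not in f.locked})
        vip = values.get("vip", "<vip>")  # '<vip>' in the graph is filled at deployment
        return {k: v.replace("<vip>", vip) if isinstance(v, str) else v for k, v in values.items()}

# The slide's "web-application" graph, with its parameters as shown there.
WEB_APP = ServiceGraph("web-application", [
    Function("Firewall", ("ext", "int"),
             {"acl": "permit tcp any <vip> eq 80; deny udp any"}, {"acl"}),
    Function("SSL offload", ("ext", "int"), {"ipaddress": "<vip>", "port": "80"}),
    Function("Load Balancer", ("ext", "int"),
             {"virtual-ip": "<vip>", "port": "80", "lb-algorithm": "round-robin"}),
])
```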
Prepare the Environment for L4-L7
• 3rd party ADC can be deployed only in Go-to mode in Cisco APIC, where the 3rd party ADC serves as the default gateway for all traffic in both one-arm and two-arm modes. In two-arm mode, either two interfaces are used for the input and output flow of traffic, or a single interface can be used with separate VLANs indicating the input and output flow.
[Diagram: 3rd Party ADC in Two-arm Mode. VIP 10.122.231.100; External side 10.122.231.91 and 10.122.231.111; Internal side 10.100.1.100 and servers 10.100.1.50-53. Policy Define.]
[Diagram: Physical Setup for ASAv Integration: Spine, Leaf 1 and Leaf 2 in the ACI Fabric with 40G, 10G and 1G interfaces (ports 2/1, 1/2, 1/1, 1/48, 1/5-6), a UCS FI (ports 1/1-2, 1/15-16) hosting the ASAv over a vNIC connection.]
Prepare the Environment for L4-L7
• Cisco ASA can be deployed either in Go-to (Routed) mode or Go-Through (Transparent) mode in Cisco APIC.
[Diagram: Cisco ASAv: External 192.168.1.1 and 192.168.1.100; Internal 11.1.1.1, 11.1.1.100 and 11.1.1.101. Policy Define.]
Purpose of Micro-segmentation
[Diagram: two panels showing an "Evil Genius Hacker Person" moving through the environment in steps 1-4.]
ACI Micro-Segmentation – Two Parts
• Intra-EPG Isolation: by default all workloads in an EPG can communicate; intra-EPG isolation isolates workloads within an application tier (APP EPG).
• Attribute-based Micro-Segmentation: a uSeg EPG defined by a VM attribute (for example OS='Linux'; other attribute examples are IP '10.1.1.1' and Name 'Finance') isolates those endpoints from the base EPG (APP EPG), with a FW between them.
ACI Benefits
[Diagram: Micro-Segmentation with ACI across vDS, Cisco AVS, IP/MAC EPG, Hyper-V vSwitch and Open vSwitch, each attached with VLAN or VXLAN encapsulation.]
Attributes: Guest OS, VM Name, VM (id), VNIC (id), DVS, DVS Port-group, Datacenter, MAC, IP Address Prefix
Micro-Segmentation Across any Workload (EPG-Web)
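The two mechanisms above, as an added example that is not from the deck or from any Cisco product: endpoints carrying the slide's attributes are classified into uSeg EPGs by attribute match (with a prefix match for IP), and a communication check applies intra-EPG isolation inside an EPG and requires a contract between different EPGs. The endpoints, rules, first-match ordering and policy are constructed for this example.

```python
import ipaddress

# Constructed endpoints in the base EPG; attribute names follow the slide's list.
ENDPOINTS = {
    "web-01": {"os": "Linux", "vm_name": "Finance-web-01", "ip": "10.1.1.1", "mac": "00:50:56:aa:00:01"},
    "web-02": {"os": "Linux", "vm_name": "HR-web-02", "ip": "10.1.1.2", "mac": "00:50:56:aa:00:02"},
    "web-03": {"os": "Windows", "vm_name": "Finance-web-03", "ip": "10.1.2.3", "mac": "00:50:56:aa:00:03"},
    "web-04": {"os": "Linux", "vm_name": "HR-web-04", "ip": "10.1.2.4", "mac": "00:50:56:aa:00:04"},
}
BASE_EPG = "EPG-Web"

# uSeg EPGs carve endpoints out of the base EPG by attribute; every criterion in a
# rule must match, and the first matching uSeg EPG wins (ordering is an assumption).
USEG_EPGS = [
    ("uSeg-Finance-Linux", {"os": "Linux", "vm_name": "Finance-*"}),
    ("uSeg-Quarantine", {"ip": "10.1.2.0/24"}),
]

# Constructed policy: EPGs with intra-EPG isolation on, and EPG pairs that share a contract.
ISOLATED = {"uSeg-Quarantine"}
CONTRACTS = {frozenset({"uSeg-Finance-Linux", "EPG-Web"})}

def _match(attr, wanted, actual):
    if attr == "ip":                      # the IP attribute is a prefix match
        return ipaddress.ip_address(actual) in ipaddress.ip_network(wanted)
    if wanted.endswith("*"):              # simple trailing wildcard on names
        return actual.startswith(wanted[:-1])
    return actual == wanted

def classify(ep):
    """EPG the endpoint lands in: the first matching uSeg EPG, else the base EPG."""
    attrs = ENDPOINTS[ep]
    for epg, rule in USEG_EPGS:
        if all(_match(a, w, attrs[a]) for a, w in rule.items()):
            return epg
    return BASE_EPG

def can_communicate(a, b):
    """Same EPG: allowed unless intra-EPG isolation is on. Different EPGs: need a contract."""
    ea, eb = classify(a), classify(b)
    if ea == eb:
        return ea not in ISOLATED
    return frozenset({ea, eb}) in CONTRACTS
```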
ACI Micro-segmentation with vCenter and Hyper-V Demo
[Diagram: Client 1 - Microsoft, Client 2 - VMware; Infect; Policy.]
Cliqr and ACI Integration - Three Use Cases
• Deploy N-tier Application: user self-service deploy with automated network policy objects
• Stretched Application Deployment: multi-site, multi-pod topologies
• Multi Cloud Application: N-tier application with multi-cloud support
Multi Tier – Single Site Deployment (steps 1, 2, 3)
Multi Site Deployment (steps 1, 2, 3)
Multi Cloud Deployment (steps 1, 2, 3)
[Diagram: On-Premise and Public Cloud, with Database and Application tiers.]
Summary
• Full Lifecycle Management
• Cloud Independent
• Enterprise-Class
• Fast Time-to-Value
Start Simple and Grow