Integrating service appliances into the data-center network: integrating Layer 4-7 services


Post on 31-Jul-2015


TRANSCRIPT

Slide 1: 4-7, CCIE, mkhavank@cisco.com, 18 2015
Cisco Confidential. 2013-2014 Cisco and/or its affiliates. All rights reserved.
Slide 2: ACI; Cisco ASA; Cisco NGIPS; ACI
Slide 3: (no recoverable text)
Slide 4: L4-L7
Slide 5: SNAT; VLAN 10 10.0.10.0/28; VLAN 11 10.0.11.0/28; PBR; VLAN 13 10.0.13.0/24; VLAN 12 10.0.12.0/24
Slide 6: ? SNAT; Configure Network to insert Firewall; Configure firewall rules; Virtual servers; ? VXLAN 10 10.0.10.0/28; VXLAN 11 10.0.11.0/28; PBR; VXLAN 13 10.0.13.0/24; VXLAN 12 10.0.12.0/24; Virtual router, Virtual FW, Virtual ADC, Virtual router, Virtual switch
Slide 7: ACI: 4-7, APIC; Web Server, App Tier A; Web Server, App Tier B; App; Security 5; begin, Stage 1 .. Stage N, end; Providers: inst, inst, inst, inst; Security 5
Slide 8: Web, App, DB (Tenant VRF); QoS, Filter, Service; ACI Application Policy Infrastructure Controller (APIC)
Slide 9: (no recoverable text)
Slide 10: Device package: Open Device Package Policy Engine; APIC Device Package Configuration Model; Device Interface: REST/CLI; APIC Script Interface; Call Back Scripts; Event Engine; APIC Policy Manager; Configuration Model (XML File); Call Back Script; Device Package XML; Device scripts; APIC API, CLI API
Slide 11: integration package; OpFlex (L4-L7); OpFlex IETF: http://tools.ietf.org/html/draft-smith-opflex-00; OpFlex OpenDaylight: https://wiki.opendaylight.org/view/OpFlex:Main; L4-L7 ACI; OpFlex: an open declarative protocol
Slide 12: Tenant: Tenant_001; 1: Device package (zip, APIC); 2: Service Graph Template; 2: Service Function Profile; 3: Device cluster (Firewall, 1-4, Tenant_001); 3: Concrete device (ASA); 3: Physical interface: GigabitEthernet 0/1, GigabitEthernet 0/0; 3: Logical interface: external, internal; 4: EPG Web, EPG App
Slide 13: 5. End-Point-Group (EPGs): VLAN, VMware AVS FCS; DNS, IP (roadmap); EPG (QoS, ACL, L4-L7)
Slide 14: 1. APIC 2. APIC 3. APIC VLAN 4. APIC VLAN, EPG 5. APIC; Function Firewall, Function SSL Offload, Function LoadBalancer; web-application; VLAN 1 2 3, VLAN 4 5; EPG Web, EPG App
Slide 15: (no recoverable text)
Slide 16: Spine, Leaf; Port-channel? vPC? L3?; routed / transparent?
Slide 17: ACI: Consumer Side, Provider Side; Concrete Device, Logical Device; consumer EPG, Provider EPG; L4-L7
Slide 18: Spine, Leaf; 1: transparent; Template 1 (Cdev1); vPC; Transparent mode
Slide 19: Bridge Domain Outside, Bridge Domain Inside; Client EPG, Server EPG; Service Graph, Contract, Provider, Consumer; Provider Side, Consumer Side; IP; 1: transparent; ARP Flooding, Unknown Unicast Flooding, No IP Routing (both bridge domains)
Slide 20: Spine, Leaf; 2: routed; Template 2 (Cdev2); Port Channel; Routed mode
Slide 21: Bridge Domain Outside, Bridge Domain Inside; Client EPG, Server EPG; Service Graph, Contract, Provider, Consumer; ARP Flooding, Unknown Unicast Flooding, No IP Routing (both bridge domains); Provider Side, Consumer Side; Server EPG; 2: routed L2
Slide 22: Bridge Domain Outside, Bridge Domain Inside; L3Out, L3InstP; Server EPG; Service Graph, Contract, Provider, Consumer; VRF; ARP Flooding, Unknown Unicast Flooding, No IP Routing; Subnet: L4-L7; Hardware Proxy; Provider Side, Consumer Side; 2: routed L3
Slide 23: (no recoverable text)
Slide 24: ACI, Cisco ACI; Managing Service Producer Security Configurations and Visibility; syslog; CSM; ASA Device Package, FirePOWER Device Package; ASA FirePOWER
Slide 25: ASA5585 with SFR; Etherchannel Po1.300, Po1.301; Vlan 100, Vlan 200; vPC4 VLAN 300, vPC4 Vlan 301; App1, DB; provider, consumer; class firepower_class_map / sfr fail-close; SFR NGIPS policy; ASA, APIC, redirection to FirePOWER; L3 (GoTo), L2 (GoThrough); FireSIGHT, FirePOWER; ASA 1.2 Device Package; ASA5585+SFR; APIC; Vlan 100; App2 VM
Slide 26: FirePOWER LAG s1p1.300, s1p2.301; Vlan 100, Vlan 200; vPC4 Vlan 300, vPC4 Vlan 301; VLAN ID, EPG; (L2, L3); App, DB; consumer, provider; FirePOWER LAG (port-channel), vPC; Physical; APIC, FirePOWER Device package; FireSIGHT Management Center; NGIPS; APIC
Slide 27: ASAv, FirePOWERv; vNIC2, vNIC3; Vlan 100, Vlan 200; App, DB; provider, consumer; ASAv, NGIPSv; vNIC, consumer, provider; vNIC2, vNIC3; Vlan 302, Vlan 303, Vlan 300, Vlan 301; APIC: ASAv, FirePOWER, FireSIGHT; APIC
Slide 28: (no recoverable text)
Slide 29: ACI; vSwitch, vSwitch, vSwitch
Slide 30: ACI; 1; L3: OSPF, BGP; L2: VLAN, 802.1Q; L2, L3, 40G; ACI ADC
Slide 31: Backbone, ACI; vSwitch, vSwitch, vSwitch; APIC Policy Controller; Directory/Proxy Service Nodes; Border Leaves; ACI Enabled L4-7 Virtual and Physical Services; ACI, IP; 1. ACI 2. L4-7, APIC device package 3. VLAN == EPG ACI 4. ACI 5. APIC
Slide 32: (no recoverable text)
Slide 33: ACI!
Slide 34: !
