managing hybrid cloud using cliqr cloud framework · understanding device package apic requires a...

Duc Le

June, 2016

Managing Hybrid Cloud using CliQr Cloud

Framework

Solution Architect – APJ

• ACI and CliQr Overview

• Apps Automation and Multi-Cloud Demo

Agenda

2

Web Servers

vLAN 666

L3

FW

SLB SSL

DB Servers

vLAN 111

vLAN 222

www www www

vLAN 444

App Servers

FW

SLB

app app

FW

db db

switch1(config)# switch1(config)# int eth 1/1

switch1(config)# switch mode acc

switch1(config)# switch acc vlan 666

switch1(config)# no shut

router(config)# router(config)# int eth 1

router(config)# ip add 6.6.6.1 255.255.255.0

router(config)# not shut

router(config)# int eth 2

router(config)# ip addr 1.1.1.1 255.255.255.0

router(config)# no shut

router(config)# router eigrp 100

router(config)# network 6.6.6.0 mask 255.255.255.0

router(config)# network 1.1.1.0 mask 255.255.255.0

router(config)# ip route 0.0.0.0 0.0.0.0 6.6.6.254

switch2(config)# switch2(config)# int eth 1/2 - 3




fw1(config)# fw1(config)# int eth 0/1

fw1(config)# nameif outside 0

fw1(config)# int eth 0/2

fw1(config)# nameif webfront 20

fw1(config)# object network webfront_vip

fw1(config)# host 6.6.6.6

fw1(config)# static (webfront,outside) 1.1.1.6

fw1(config)# access-list outside_web permit tcp any host 6.6.6.6 eq 80

fw1(config)# access-list outside_web permit tcp any host 6.6.6.6 eq 443

fw1(config)# access-group outside_web in interface outside





vLAN 333

switch4(config)# switch4(config)# int eth 1/6




switch4(config)# int eth 1/7 - 9




IDS/IPS

vLAN 555

IDS/IPS

vLAN 777





switch5(config)# int eth 1/11 - 15




switch5(config)# monitor session 1 source vlan 555

switch5(config)# monitor session 1 dest eth 1/16





switch6(config)# monitor session 1 source vlan

777

switch6(config)# monitor session 1 dest eth 1/20

slb1 (CONFIG) probe http http-probe

interval 30

expect status 200 200

rserver host websrvr1

description foo web server

ip address 3.3.3.1

inservice



ip address 3.3.3.2

inservice



ip address 3.3.3.3

inservice

serverfarm host FOOWEBFARM

probe http-probe

rserver websrvr1 80

inservice

rserver websrvr2 80

inservice

rserver websrvr3 80

inservice

crypto generate key 1024 fooyou.key

crypto csr-params testparms

country US

state California

locality San Jose

organization-name foo

organization-unit you

common-name www.fooyou.com

serial-number crisco123

crypto generate csr testparms fooyou.key

crypto import ftp 12.13.14.15 anonymous fooyou.cer

parameter-map type ssl SSL_PARAMETERS

cipher RSA_WITH_RC4_128_MD5

version TLS1

ssl-proxy service FOOWEB_SSL

key fooyou.key

cert fooyou.cer

class-map match-all FOOSSL_VIP_CLASS

2 match virtual-address 2.2.2.22 tcp eq https

policy-map type loadbalance first-match L7-SSL-MATCH

class L7_WEB

sticky-serverfarm sn_cookie

policy-map multi-match FOOWEB-VIP

class FOOWEB_VIP_CLASS

loadbalance vip inservice

loadbalance policy FOOWEB-MATCH

loadbalance vip icmp-reply

loadbalance vip advertise active

class FOOSSL_VIP_CLASS


loadbalance policy FOOSSL-MATCH



ssl-proxy server FOOWEB_SSL

interface vlan 222

service-policy input FOOWEB_SSL


fw2(config)# nameif webfront 20


fw2(config)# nameif appfront 50

fw2(config)# object network appfarm_vip


fw2(config)# nat (appfront,webfront) static 4.4.4.4

fw2(config)# access-list web_to_app permit tcp any host 4.4.4.4 eq 8081

slb2 (CONFIG) rserver host appsrvr1

description foo app server

ip address 5.5.5.1

inservice

rserver host appsrvr2


ip address 5.5.5.2

inservice

rserver host appsrvr3


ip address 5.5.5.3

inservice

serverfarm host FOOAPPFARM

probe http-probe

rserver appsrvr1 8081

inservice


inservice


inservice

class-map type http loadbalance match-any FOO_APP

2 match http virtual-address 4.4.4.44 tcp eq 8081

class-map match-all FOO_APP_VIP_CLASS

policy-map type loadbalance first-match FOO_APP-MATCH

class FOO_APP

sticky-serverfarm sn_cookie

policy-map multi-match FOO_APP-VIP

class FOO_APP_VIP_CLASS


loadbalance policy FOO_APP-MATCH




fw3(config)# nameif appfront 70


fw3(config)# nameif dbfront 90

fw3(config)# object network db_cluster


fw3(config)# nat (dbfront,appfront) static 5.5.5.50

fw3(config)# access-list web_to_app permit tcp any host 5.5.5.50 eq 1433

Application Centric Infrastructure

CLOUD

APPLICATION

COMPUTE NETWORK STORAGE SECURITY

IT TEAMS COLLABORATION

ANP

APPLICATION

COMPUTE NETWORK

CLOUD

STORAGE SECURITY

Data Center Network

switch1(config)# switch1(config)# xxx

switch1(config)# xxx



Spines

virtu

al m

achin

e

virtu

al m

achin

e

Leaf Leaf Leaf Leaf

Spines Spines

Virtual switch

ACI = “one big modular switch”

Leaf

L4-L7 Services (FW,LB,…)

INNOVATIONS IN SOFTWARE, HARDWARE, ASICS AND SYSTEMS

NEXUS 9500 PRICE

POWER EFFICIENCY PROGRAMMABILITY PORT DENSITY PERFORMANCE

PRICE COST STRUCTURE for 1G to 1/10GT and 10G to 40G migration 50% less ASICS

PERFORMANCE

INDUSTRY LEADING PRICE / LINE CARD BANDWIDTH 1.92 Tbps per slot 100G ready

PORT DENSITY 20% HIGHER Non-blocking Density

PROGRAMMABILITY JSON/XML API Linux Container for customer apps

2 Operation Modes

POWER EFFICIENCY STATE OF THE ART BACKPLANE FREE DESIGN 15% greater power and cooling efficiency

MERCHANT+ ASIC APPROACH Innovation in Cisco ASICs

• Apps + Infra

• Open: Multi-hypervisor with 50 Eco-system partners

• Security: Built-in and integrated with 10 Security Vendors

• Physical and Virtual

• Automation and Auto-provisioning

• Underlay and Overlay: Single Management Plane.

• Operational efficient / zero touch deployment and de-commissioning

• Simplified day-2 troubleshooting and visibility

• Saving OPEX and CAPEX

ACI Key Business Benefits

Customer Acceptance Continues

13,700+ 50+ 7,200+ Nexus 9K and Nexus 3K

Customers Globally Ecosystem Partners

ACI-Ready Customers

NEW ECOSYSTEM

$2.2B Run Rate for Cisco SDN Solutions

© 2014 Cisco and/or its affiliates. All rights reserved.

Broad Customer Base Adopting Cisco ACI and Nexus 9K

DU Telecom DC Fabric Topology

Single Cloud Management Platform

Manage Full Lifecycle

•

•

One to Many, New and Existing Apps

Simple or Complex Multi-Tier

Component/VM, Container, PaaS

One to Many Datacenters, Private or Public Clouds

Comprehensive Management, Administration and Governance

Enterprise-Class

•

What CliQr Does…

Broad Application Support

OS Services & PaaS Custom 3rd Party

Broad Cloud Support

Private Public

Simple to Complex

Many Applications, Clouds, Users

One Server One Cloud

CliQr: It’s All About the Application

• Common Application Profile

Capture Topology & Dependencies

Simple to Complex

• One-Click 1. End-to-End Provisioning of Infrastructure

2. Deployment of Full Application Stack

• Any Datacenter, Private, Public Cloud

• Portable – Manageable

• Full Lifecycle Management

VM’s – OS’s – Services - Application

What Makes CliQr’s Approach Unique ?

• Application-Centric

• Cloud-Agnostic

• On-Board Once… Run Anywhere

Script / Workflows

• Labor /Services Intensive

• Infrastructure-Centric

• Workflows / Scripting Required Each Cloud

CliQr with Cisco ACI

Full Power of Software Defined Networking

Landscape of Nexus 9K and ACI Partners

Automation

Security &

Governance

Big Data &

Analytics

Security &

Services

Open Infra.

Northbound Partners

Operations Orchestration

Analytics

Southbound Partners

Enterprise Monitoring

L4-L7 Services

Fabric Attached Devices

Cloud Orchestration and Management

Security ADC

Security

PaaS

Virtualization

Application Centric

Management Application Centric

Infrastructure

Full Power of

Software Defined

Networking (SDN) + =

Cisco ACI

Northbound API

CliQr CloudCenter


Two Powerful Products

Model Based approach

Policy Based Approach


No-touch Automation

CliQr creates and instantiates Policy Objects via fully configured XML

• Deploy

• Scale out

• Terminate

End-point

Group

Application Network Profile

Contract

End-point

Group

End-point

Group Contract


Working Together: End-to-end Orchestration

• ACI and CliQr Overview

• Apps Automation and Multi-Cloud Demo

Agenda

2

5

Option 1: 3rd party ADC Integration

• Simple Client-Server Web Apps.

• LB insertion for load balancing traffic from clients to Many Web

Servers.

• Auto-Provisioning by APIC Policy with Auto Attach and Detach

Notification.

• Dynamic Resource monitoring and provisioning

• Auto-Removing configuration.

Physical Setup for 3rd party ADC Integration (Physical Appliance)

Spine

Leaf 1 Leaf 2

ACI Fabric

40G Interfaces

10G Interfaces

2/1

1/2

2/1

1/1

1/48

1/5-6

2/1

vNIC connection

1G Interfaces

2/3

Understanding Device Package APIC requires a Device Package to configure and monitor a service devices. A device package manages a class of service devices.

A Device Package is a zip file containing three parts

Device Specification - Is an XML file that defines

Functions provided by a device – Like Load Balancing, Content-Switching, SSL termination etc

Parameters required for configuring each function

Interfaces and Network connectivity information for each function

Device Script – Is a Python script. The integration between the APIC and a Device is performed by a Device Script

APIC events are mapped to function calls defined in Device Script

A Device Package can be provided by device vendor or can be created by Cisco, advanced services, customer, etc.

Supporting Files – Provides image files and other supporting files

Device Script

Supporting Image and Text files

Device Model

Service Insertion Using Service Graph

• Service graph is an ordered set of functions between a set of terminals

A Service Graph can be defined through GUI, CLI or through APIC API

• A function has one or more connectors

Network connectivity like VLAN/VNID tag is assigned to these connectors

• A function within a graph may require one or more parameters

Parameters can be scoped by an EPG or an application profile or tenant context

Parameters could also be assigned at the time of defining a service graph. Parameter values can be locked from further changes

Function Firewall

Function SSL offload

Function Load Balancer

Terminal Terminal

Firewall params Permit ip tcp * dest-ip <vip> dest-port 80 Deny ip udp *

Load-Balancer params Virtual-ip <vip> Port 80 Lb-aglorithm: round-robin

SSL params Ipaddress <vip> port 80

Connectors

Service Graph: “web-application”

Consumer Provider

Prepare the Environment for L4-L7 • 3rd Party ADC can be deployed only in Go-to mode in Cisco APIC, where 3rd Party ADC serves

as a default gateway to all traffic in both one-arm and two-arm modes. In two-arm mode, either two interfaces are used for the input and output flow of traffic, or single interface can be used with separate VLANs indicating the input and output flow

3rd Party ADC in Two-arm Mode

VIP: 10.122.231.100

External

10.122.231.91

Internal

10.100.1.100

10.122.231.111

10.100.1.50-53

Policy Define

Physical Setup for ASAv Integration

Spine

Leaf 1 Leaf 2

ACI Fabric

40G Interfaces

10G Interfaces

2/1

1/2

2/1

1/1

1/48

1/5-6

vNIC connection

1G Interfaces

UCS FI

1/1-2

1/15-16

ASAv

Prepare the Environment for L4-L7 • Cisco ASA can be deployed either in Go-to (Routed) mode or Go-Through (Transparent) mode

in Cisco APIC.

External

192.168.1.1

Internal

11.1.1.1

192.168.1.100

11.1.1.100

Policy Define

11.1.1.101 Cisco ASAv

Purpose of Micro-segmentation

Evil Genius Hacker Person

2

1

Evil Genius Hacker Person

1

3 4

2

3

4

ACI Micro-Segmentation – Two Parts

Intra-EPG Isolation Attribute-based

Micro-Segmentation

Intra-EPG Isolation

All Workloads Can Communicate

Isolate Workloads within Application Tier

APP EPG

ACI Benefits

FW

OS

‘Linux’

IP ‘10.1.1.1’

FW

Name

‘Finance’

uSeg with

VM Attribute

OS=‘Linux’

uSeg EPG isolates

EPs from base EPG

APP EPG

vDS Cisco AVS IP/MAC EPG Hyper-V vSwitch Open vSwitch Open vSwitch

VLAN or

VXLAN

VLAN or

VXLAN

VLAN or

VXLAN VLAN VLAN VLAN

Micro-Segmentation with ACI

Attributes

Guest OS

VM Name

VM (id)

VNIC (id)

DVS

DVS Port-group

Datacenter

MAC

IP Address Prefix

EPG-Web

Micro-Segmentation Across any Workload

ACI Micro-segmentation with vCenter and HyperV Demo

Client 1 - Microsoft

Client 2 - VMware

Infect

Policy


User self-service deploy with automated network

policy objects

Multi-site, multi-pod, topologies

N-Tier Application with Multi-Cloud support

Cliqr and ACI Integration - Three Use Cases

Deploy - N-tier Application Stretched – Application

Deployment Multi Cloud Application


Multi Tier – Single Site Deployment

1. 2. 3.


Multi Site Deployment

1. 2. 3.


1.

On-Premise

Database Application

Public Cloud

2. 3.

Multi Cloud Deployment

Full Lifecycle Management

•

•

•

Cloud Independent

•

•

Enterprise-Class

•

Fast Time-to-Value

•

Summary

Start Simple and Grow

managing hybrid cloud using cliqr cloud framework · understanding device package apic requires a...

Documents