Cisco Tech Insights 2019

Visibility - ACI

Brian Kvisgaard ([email protected]), Technical Solutions Specialist

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

It’s a multi-access world: DC visibility with trust boundaries and a cloud edge function

(Figure: access and transport domains converging on the data center. Access: mobile (licensed and unlicensed spectrum), wired, wireless. Fabrics: SD-WAN, SD-ACI, SDA. Off premises: Internet, SaaS, public cloud (IaaS). A cloud edge function sits at each trust boundary.)


There is nothing “center-ed” about data anymore

(Figure: where data now lives.)

• Enterprise DC: this is where we began, and it’s here to stay

• Colo

• Private cloud and public cloud: a new operating model and growth of cloud-native apps

• 5G telco edge: new apps are creating new bandwidth demands

• Enterprise edge: data processing needs to be closer to the sources of demand

• IoT edge: significant amounts of data are generated remotely and need to be analyzed, processed, and consumed there


Achieve the automation, security, mobility, and visibility required for successful digital transformation through tighter full-stack integration: any platform, anywhere, any cloud, any application.


ACI Anywhere: Any Cloud, Any Application, Any Platform, Anywhere

(Figure: on premises (APIC, Multi-Site) -- IP WAN -- remote location (Remote Leaf / Virtual Pod) -- IP WAN -- public cloud (multicloud extensions). Common pillars: automation, security, mobility, visibility.)


• Operational Simplicity: Same “look and feel” as On-Premise

• Automated Policy Translation: Consistency across the entire data center

• Common Governance: End-to-end discovery, visibility and troubleshooting

(Figure: ACI Anywhere spanning IoT edge, data center and cloud exchange, on premises and in the cloud, across containers and hypervisors. Accelerates the journey to multicloud.)


Where to see the spine-proxy mapping database?

The COOP endpoint database that the spines consult for spine-proxy lookups is shown in the APIC GUI under Fabric > Inventory > (pod) > (spine) > Protocols > COOP > Endpoint Database. The same data is available from the CLI: on a spine, "show coop internal info ip-db"; on an APIC, "moquery -c coopEpRec". Checking it is the quickest way to confirm that an endpoint the fabric should know about has actually been learned, and behind which tunnel endpoint.


SPRITE tenant

(Figure: three APICs managing the SPRITE tenant.)

Tenant: SPRITE

VRF: VRF_SPRITE

BD: VLAN200, IP routing: yes, 10.101.9.1/24

ANP: WEBAPP

EPG MYSQL: MySQL DB, 10.101.9.2

EPG SHARED: DVS_WEB 10.101.9.12 (vCenter), WEB_HypV 10.101.9.11, POD2_WEB 10.101.9.10

EPG SHARED -> EPG MYSQL: tcp/3306

Containers - What does Cisco have to offer?

https://github.com/containernetworking/cni

Native support for container application platforms: programmable infrastructure; fast, secure and scalable networking; intent-based automation; application container orchestration.

(Figure: Cisco ACI across any cloud (physical, virtual, private) with pervasive security and pervasive analytics; Kubernetes, Docker and OpenShift attach through the CNI and OpFlex.)

ACI CNI Benefits for Customers

• Visibility: live statistics in APIC per container and health metrics

• Hardware-accelerated: integrated load balancing

• Enhanced multitenancy and unified networking for containers, VMs, bare metal

• Flexible policy: native platform policy API and ACI policies

• Fast, easy, secure and scalable networking for your application container platform

• Turnkey solution for node and container connectivity

• VMM domain helps to bridge the gap between Kubernetes admin and network operations

© 2017 Cisco and/or its affiliates. All rights reserved.

Kubernetes Architecture

• At a very high level, Kubernetes has the following main components:

• One or more Master Nodes

• One or more Worker Nodes

• Distributed key-value store, like etcd.


• A pod is a group of one or more containers with shared storage and network, and a specification for how to run the containers.

• A pod models an application-specific “logical host” - it contains one or more application containers which are relatively tightly coupled — in a pre-container world, they would have executed on the same physical or virtual machine.

• Containers within a pod share an IP address and port space, and can find each other via localhost; because they share one network namespace, a NetworkPolicy or an ACI contract applies to the pod as a whole, never to a single container inside it.

Kubernetes PODs

(Figure: a POD with two containers, ‘nginx’ and ‘confd’. Each container has its own cgroup (cpu, mem); both share the POD’s hostname and network namespace (POD vEth and IP address).)


Mapping Network Policy and EPGs

• Cluster isolation (default behavior): a single EPG for the entire cluster; no internal contracts are needed. The fabric then sees all pods as one EPG, so any pod-to-pod restriction inside the cluster rests on NetworkPolicy enforcement by the CNI on the host, not on fabric contracts.

• Namespace isolation: each namespace is mapped to its own EPG; contracts govern inter-namespace traffic.

• Deployment isolation: each deployment is mapped to an EPG; contracts tightly control service traffic.

Key map: EPG, NetworkPolicy, Contract


DEMO VMM Integration


Container to Non-Container Communications

• In production environments certain services, such as high-performance databases, will be running as VMs or bare-metal servers.

• This calls for the ability to easily provide communication between Kubernetes PODs and VM/bare-metal endpoints.

• Simply deploy a contract between your EPGs; ACI will do the rest. Without a contract the two EPGs cannot talk at all, so only the ports the contract’s filters list are opened.

• This works for any VMM domain and physical domain; for example, a container domain using VXLAN can speak with a Microsoft SCVMM domain using VLAN.


Demo SPRITE WEB

(Figure: namespace web-sprite, deployment frontend with six containers (Frontend_6b44…) at 10.51.0.17, 10.51.0.222, 10.51.0.74, 10.51.0.20, 10.51.0.80 and 10.51.0.84, exposed as an external service at 10.101.36.142:80.)

SPRITE tenant (three APICs):

Tenant: SPRITE

VRF: VRF_SPRITE

BD: VLAN200, IP routing: yes, 10.101.9.1/24

ANP: WEBAPP

EPG MYSQL: MySQL DB, 10.101.9.2

EPG SHARED: DVS_WEB 10.101.9.12, WEB_HypV 10.101.9.11, POD2_WEB 10.101.9.10

Both the frontend containers and EPG SHARED reach EPG MYSQL on tcp/3306.
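The NetworkPolicy-to-EPG mapping, the container-to-VM contract and the demo’s frontend-to-MySQL flow above, as an added example that is not code from this deck or from the Cisco ACI CNI: a small translator that turns a deployment-isolation NetworkPolicy into the APIC REST objects that enforce it. The ACI class names, attribute names and DN formats (vzFilter/vzEntry, vzBrCP/vzSubj/vzRsSubjFiltAtt, fvAEPg with fvRsProv/fvRsCons, uni/tn-…/ap-…/epg-…) are the real APIC object model; the label-to-EPG naming (app=frontend becomes EPG FRONTEND), the contract names and the NetworkPolicy itself are assumptions constructed for the example.

```python
"""Translate a Kubernetes NetworkPolicy into the ACI objects that enforce it
between EPGs in deployment-isolation mode (one EPG per deployment).

Added example, not the Cisco ACI CNI's own translation code. Class names,
attribute names and DN formats are the real APIC object model; the
label-to-EPG naming convention and the NetworkPolicy below are assumptions.
"""
import json

TENANT, ANP = "SPRITE", "WEBAPP"   # tenant and ANP names from the deck's demo
ISOLATION_LABEL = "app"            # assumption: the pod label that names a deployment

# Constructed NetworkPolicy (dict form of the manifest): only frontend pods may
# reach the MySQL endpoint, and only on tcp/3306. Everything else stays blocked.
NETPOL = {
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-frontend-to-mysql", "namespace": "web-sprite"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "mysql"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
            "ports": [{"protocol": "TCP", "port": 3306}],
        }],
    },
}


def epg_dn(selector):
    """Map a podSelector to an EPG DN. Only matchLabels carrying the isolation
    label is supported; matchExpressions or an empty selector have no one-EPG
    equivalent here and are rejected rather than silently widened."""
    labels = selector.get("matchLabels", {})
    if set(selector) - {"matchLabels"} or ISOLATION_LABEL not in labels:
        raise ValueError(f"cannot map selector to one EPG: {selector!r}")
    return f"uni/tn-{TENANT}/ap-{ANP}/epg-{labels[ISOLATION_LABEL].upper()}"


def peer_epg_dn(peer):
    """An ingress 'from' peer must be a bare podSelector to become a consumer EPG."""
    if list(peer) != ["podSelector"]:
        raise ValueError(f"unsupported peer (namespaceSelector/ipBlock): {peer!r}")
    return epg_dn(peer["podSelector"])


def filter_entries(ports):
    """One vzEntry per port rule. A rule with no 'ports' means all ports in
    Kubernetes, which becomes a single IP-only entry."""
    if not ports:
        return [{"vzEntry": {"attributes": {"name": "any-ip", "etherT": "ip"}}}]
    entries = []
    for rule in ports:
        proto, port = rule.get("protocol", "TCP").lower(), str(rule["port"])
        if not port.isdigit():   # named ports need the pod spec to resolve
            raise ValueError(f"named port {port!r} cannot be translated")
        entries.append({"vzEntry": {"attributes": {
            "name": f"{proto}-{port}", "etherT": "ip", "prot": proto,
            "dFromPort": port, "dToPort": port}}})
    return entries


def translate(netpol):
    """Return the fvTenant payload to POST to /api/mo/uni/tn-<tenant>.json.
    A NetworkPolicy that selects pods but lists no ingress rules is a deny-all;
    that needs no ACI objects, because EPGs without a contract cannot talk."""
    spec, name = netpol["spec"], netpol["metadata"]["name"]
    provider = epg_dn(spec["podSelector"])
    children = []
    for i, rule in enumerate(spec.get("ingress", [])):
        if not rule.get("from"):
            # No 'from' means any source; that would need vzAny as the consumer,
            # so refuse instead of quietly exposing the provider to the whole VRF.
            raise ValueError(f"rule {i} of {name} has no 'from'; refusing to widen")
        cname = f"{name}-{i}"
        children += [
            {"vzFilter": {"attributes": {"name": cname},
                          "children": filter_entries(rule.get("ports"))}},
            {"vzBrCP": {"attributes": {"name": cname, "scope": "context"}, "children": [
                {"vzSubj": {"attributes": {"name": "default"}, "children": [
                    {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": cname}}}]}}]}},
            {"fvAEPg": {"attributes": {"dn": provider}, "children": [
                {"fvRsProv": {"attributes": {"tnVzBrCPName": cname}}}]}},
        ]
        for peer in rule["from"]:
            children.append({"fvAEPg": {"attributes": {"dn": peer_epg_dn(peer)}, "children": [
                {"fvRsCons": {"attributes": {"tnVzBrCPName": cname}}}]}})
    return {"fvTenant": {"attributes": {"dn": f"uni/tn-{TENANT}"}, "children": children}}


def consumers_and_providers(payload):
    """Summarize the result as {contract: (consumer EPG DNs, provider EPG DNs)}."""
    out = {}
    for child in payload["fvTenant"]["children"]:
        epg = child.get("fvAEPg")
        if not epg:
            continue
        for rel in epg["children"]:
            for cls, idx in (("fvRsCons", 0), ("fvRsProv", 1)):
                if cls in rel:
                    name = rel[cls]["attributes"]["tnVzBrCPName"]
                    out.setdefault(name, (set(), set()))[idx].add(epg["attributes"]["dn"])
    return out


if __name__ == "__main__":
    print(json.dumps(translate(NETPOL), indent=2))
```

The payload is what you would POST to https://<apic>/api/mo/uni/tn-SPRITE.json after an aaaLogin. APIC applies a contract subject in both directions with reverse filter ports by default, so the MySQL replies on tcp/3306 are permitted without a second entry; the translator deliberately refuses rules it cannot express as one consumer EPG (ipBlock, namespaceSelector, an absent "from"), because silently widening a whitelist is the failure mode to avoid.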


Cloud ACI - Extensions to AWS/Azure (ACI 4.1, February 2019)

Consistent security posture:

• Automated policy translation to native AWS/Azure constructs

• Consistent policy extensions across sites

• ACI MSO as the single point of policy management and orchestration

• Lifecycle management of CSR1000v

(Figure: Multi-Site. On-prem DC: EPG Web - contract - EPG App - contract - EPG DB. Public cloud DC: SG Web - SG rule - SG App - SG rule - SG DB.)
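The policy translation in the figure above, as an added example that is not Cisco Cloud APIC code: each EPG becomes a security group and each contract becomes a rule on the provider’s group that references the consumer’s group by ID. The contract chain, the ports and the security-group IDs are constructed sample data; the IpPermissions structure and the authorize_security_group_ingress/egress calls are the real EC2 API as exposed by boto3.

```python
"""Translate a chain of ACI contracts (EPG Web -> EPG App -> EPG DB) into AWS
security-group rules expressing the same intent.

Added example, not Cisco Cloud APIC code. The contracts, ports and SG IDs are
constructed sample data; the IpPermissions shape and the boto3 calls are real.
"""

# Constructed intent, modelled on the on-prem side of the diagram:
# (consumer EPG, provider EPG, protocol, port).
CONTRACTS = [("Web", "App", "tcp", 8080), ("App", "DB", "tcp", 3306)]

# Constructed: the security group standing in for each EPG in the cloud site.
SG_IDS = {"Web": "sg-0a1web", "App": "sg-0a1app", "DB": "sg-0a1db"}


def ip_permission(proto, port, peer_sg):
    """One IpPermissions element. The peer is referenced by group ID, not by
    CIDR, so the rule keeps following endpoints as instances come and go, the
    same way an EPG-based contract does."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": peer_sg}]}


def translate(contracts, sg_ids):
    """Return {sg_id: {"ingress": [...], "egress": [...]}}.

    An ACI contract is applied in both directions (with reverse filter ports)
    so replies get through; a security group is stateful, so the provider needs
    only one ingress rule. Egress rules are generated too, because an AWS
    security group allows all outbound traffic by default, which is wider than
    an EPG with no contract; with these egress rules in place the default
    0.0.0.0/0 egress rule should be revoked for parity.
    """
    rules = {sg: {"ingress": [], "egress": []} for sg in sg_ids.values()}
    for consumer, provider, proto, port in contracts:
        if consumer not in sg_ids or provider not in sg_ids:
            raise KeyError(f"no security group for {consumer!r} -> {provider!r}")
        c_sg, p_sg = sg_ids[consumer], sg_ids[provider]
        rules[p_sg]["ingress"].append(ip_permission(proto, port, c_sg))
        rules[c_sg]["egress"].append(ip_permission(proto, port, p_sg))
    return rules


def _matches(perm, peer_sg, proto, port):
    return (perm["IpProtocol"] == proto
            and perm["FromPort"] <= port <= perm["ToPort"]
            and any(p["GroupId"] == peer_sg for p in perm["UserIdGroupPairs"]))


def allowed(rules, sg_ids, src, dst, proto, port):
    """Could src open proto/port to dst under the generated rules? Both the
    source's egress and the destination's ingress must permit it."""
    s_sg, d_sg = sg_ids[src], sg_ids[dst]
    return (any(_matches(p, d_sg, proto, port) for p in rules[s_sg]["egress"])
            and any(_matches(p, s_sg, proto, port) for p in rules[d_sg]["ingress"]))


def push_rules(ec2, rules):
    """Apply the rules with a boto3 EC2 client (ec2 = boto3.client("ec2")).
    Not executed in this example; shown for the call shape only."""
    for sg_id, directions in rules.items():
        if directions["ingress"]:
            ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=directions["ingress"])
        if directions["egress"]:
            ec2.authorize_security_group_egress(GroupId=sg_id, IpPermissions=directions["egress"])


if __name__ == "__main__":
    import json
    print(json.dumps(translate(CONTRACTS, SG_IDS), indent=2))
```

The allowed() check is the part worth keeping after the translation runs: Web must not be able to reach DB directly, and DB must not be able to open connections back to App, exactly as the contract chain on the on-prem side intends.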
