TRANSCRIPT
Brian Kvisgaard [email protected]
Technical Solutions Specialist
2019
Visibility - ACI
Cisco Tech Insights
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
It’s a multi-access world – DC Visibility
With trust boundaries and a cloud edge function
Cloud Edge / Trust boundary
Access: Mobile (licensed + unlicensed), Wired, Wireless
Fabrics: SD-WAN, SD-ACI, SDA
Destinations: Internet, SaaS, Public Cloud (IaaS)
Public Cloud / Private Cloud: A new operating model and growth of cloud native apps
5G Telco Edge: New apps are creating new BW demands
Enterprise DC: This is where we began, and it’s here to stay
There is Nothing “CENTER-ED” About Data Anymore
Colo / Enterprise Edge: Data processing needs to be closer to the sources of demand
IoT Edge: Significant amounts of data are being generated remotely which need to be analyzed, processed, and consumed.
Achieve automation, security, mobility, and visibility, required for successful digital transformation, through tighter full stack integration.
Any Platform, Anywhere, Any Cloud, Any Application
ACI Anywhere: Any Cloud, Any Application, Any Platform, Anywhere
On Premise: APIC / Multi-Site
Remote Location: Remote Leaf / Virtual PoD (over IP WAN)
Public Cloud: Multicloud Extensions (over IP WAN)
Automation, Security, Mobility, Visibility
• Operational Simplicity: Same “look and feel” as On-Premise
• Automated Policy Translation: Consistency across the entire data center
• Common Governance: End-to-end discovery, visibility and troubleshooting
ACI Anywhere: IoT Edge, Data Center, Cloud Exchange; On Premises and Cloud; Containers and Hypervisor
Accelerates Journey to Multicloud
Where to see the spine-proxy mapping database?
Under Fabric > Inventory > Spine > Protocols > COOP > Endpoint Database
SPRITE tenant (APIC cluster of three controllers)
Tenant = SPRITE
VRF: VRF_SPRITE
BD: VLAN200, IP Routing: Yes, 10.101.9.1/24
ANP: WEBAPP
EPG: MYSQL – MySQL DB 10.101.9.2
EPG: SHARED (vCenter-managed) – DVS_WEB 10.101.9.12, WEB_HypV 10.101.9.11, POD2_WEB 10.101.9.10
Traffic between EPG SHARED and EPG MYSQL: tcp/3306
Containers - What does Cisco have to offer?
https://github.com/containernetworking/cni
Native Support for Container Application Platforms
Programmable Infrastructure
Fast, Secure and Scalable Networking
Intent based Automation
Application Container Orchestration: Kubernetes, Docker, Openshift
Cisco ACI: Any Cloud (Physical, Virtual, Private); Pervasive Security; Pervasive Analytics
CNI / OpFlex
ACI CNI Benefits for Customers
• Visibility: Live statistics in APIC per container and health metrics
• Hardware-accelerated: Integrated load balancing
• Enhanced Multitenancy and unified networking for containers, VMs, bare metal
• Flexible policy: Native platform policy API and ACI policies
• Fast, easy, secure and scalable networking for your Application Container Platform
• Turnkey solution for node and container connectivity
© 2017 Cisco and/or its affiliates. All rights reserved.
Kubernetes Architecture
• At a very high level, Kubernetes has the following main components:
  • One or more Master Nodes
  • One or more Worker Nodes
  • Distributed key-value store, like etcd.
Kubernetes PODs
• A pod is a group of one or more containers with shared storage and network, and a specification for how to run the containers.
• A pod models an application-specific “logical host”: it contains one or more application containers which are relatively tightly coupled; in a pre-container world, they would have executed on the same physical or virtual machine.
• Containers within a pod share an IP address and port space, and can find each other via localhost.
Diagram: a POD with two containers, ‘nginx’ and ‘confd’, each with its own cgroup (cpu, mem); the POD has one hostname and one network namespace (POD vEth and IP address).
Mapping Network Policy and EPGs
• Cluster Isolation: Single EPG for entire cluster (default behavior). No need for any internal contracts.
• Namespace Isolation: Each namespace is mapped to its own EPG. Contracts for inter-namespace traffic.
• Deployment Isolation: Each deployment mapped to an EPG. Contracts tightly control service traffic.
Key: EPG, NetworkPolicy, Map, Contract
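The two slides above (a pod whose containers share one network namespace, and the namespace-isolation model where a namespace is an EPG and cross-namespace traffic needs a contract) can be expressed on the Kubernetes side as ordinary manifests. The following is an added example, not material from the deck or Cisco's own code: it assumes a cluster whose CNI enforces NetworkPolicy (the ACI CNI renders these as contracts), uses the namespace name web-sprite from the slide, and the namespace ext-clients, the pod labels and the image tags are constructed for illustration.

```yaml
# Added example, not from the original deck. Assumes a NetworkPolicy-enforcing
# CNI; "ext-clients", the labels and the image tags are constructed.
---
# One pod, two tightly coupled containers. Both share the pod's IP and port
# space, so confd reaches nginx on localhost:80 without any network policy.
apiVersion: v1
kind: Pod
metadata:
  name: frontend
  namespace: web-sprite
  labels:
    app: frontend
spec:
  containers:
    - name: nginx
      image: nginx:1.25              # constructed image tag
      ports:
        - containerPort: 80
      resources:                     # the per-container cgroup (cpu, mem)
        limits:
          cpu: "500m"
          memory: "256Mi"
    - name: confd
      image: example.invalid/confd:1.0   # placeholder image reference
      resources:
        limits:
          cpu: "100m"
          memory: "64Mi"
---
# Namespace isolation, step 1: deny all ingress to every pod in the
# namespace. This is the Kubernetes equivalent of an EPG with no contract,
# which in ACI's whitelist model means no traffic is permitted.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: web-sprite
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# Namespace isolation, step 2: the "contract". Pods in the same namespace may
# talk freely (intra-EPG), and pods from the ext-clients namespace may reach
# the frontend on tcp/80 only. Nothing else is allowed in.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-ingress
  namespace: web-sprite
spec:
  podSelector:
    matchLabels:
      app: frontend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector: {}            # any pod in web-sprite
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ext-clients
      ports:
        - protocol: TCP
          port: 80
```

Apply with `kubectl apply -f` and verify from a pod in a third namespace that a connection to the frontend on tcp/80 is dropped while the same connection from ext-clients succeeds; with the ACI CNI the resulting contracts are visible under the tenant the cluster was provisioned into. The `kubernetes.io/metadata.name` label is set automatically on every namespace by current Kubernetes releases, which is what makes the namespace selector stable.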
Container to Non-Container Communications
• In production environments certain services like high performance databases will be running as VMs or Bare Metal Servers
• This calls for the ability to easily provide communication between Kubernetes PODs and VMs/Bare Metal endpoints
• Simply deploy a contract between your EPGs, ACI will do the rest!
• This works for any VMM domain and Physical Domains, for example you can have a Container Domain using VXLAN speaking with a Microsoft SCVMM Domain using VLAN.
Diagram: Deployment “frontend” in namespace web-sprite, exposed via Ext-Service 10.101.36.142:80.
Containers (each named Frontend_6b44….): 10.51.0.17, 10.51.0.222, 10.51.0.74, 10.51.0.20, 10.51.0.80, 10.51.0.84
The SPRITE tenant diagram from above repeated (Tenant SPRITE, VRF_SPRITE, BD VLAN200 with IP routing 10.101.9.1/24, ANP WEBAPP, EPG MYSQL with MySQL DB 10.101.9.2, EPG SHARED with DVS_WEB 10.101.9.12, WEB_HypV 10.101.9.11 and POD2_WEB 10.101.9.10), with tcp/3306 shown towards EPG MYSQL.
Cloud ACI - Extensions to AWS/Azure (ACI 4.1, February 2019)
• Consistent Security Posture
• Automated policy translation to native AWS/Azure constructs
• Consistent Policy Extensions across sites
• ACI MSO as single point of policy management and orchestration
• Lifecycle management of CSR1000v
Multi-site diagram:
On-Prem DC: EPG Web – Contract – EPG App – Contract – EPG DB
Public Cloud DC: SG Web – SG Rule – SG App – SG Rule – SG DB