Application Policy Enforcement Using APIC


Upload: cisco-canada

Post on 29-Jun-2015


DESCRIPTION

Problems in today's data centers mostly revolve around policy for applications. This presentation is designed to give students a jump start on configuring and troubleshooting the basic policy model, and to provide hands-on experience with how the APIC integrates into existing network environments.

TRANSCRIPT

Page 1: Application Policy Enforcement Using APIC
Page 2: Application Policy Enforcement Using APIC

Cisco ACI - Application Policy Enforcement Using APIC TS-DC-06-I

Azeem Suleman

Solutions Architect

Page 3: Application Policy Enforcement Using APIC

Cisco and/or its affiliates. All rights reserved. TS-DC-06-I Cisco Public

Housekeeping Notes, Tuesday April 15, 2014

Thank you for attending Cisco Connect Toronto 2014. Here are a few housekeeping notes to ensure we all enjoy the session today.

Please ensure your cellphones and laptops are set to silent so that no one is disturbed during the session.

A power bar is available under each desk in case you need to charge your laptop.

You have an RDP client and Java support on your laptops.

All lab tasks will be done on a jump box.


Page 4: Application Policy Enforcement Using APIC

What Are We Solving?


Page 5: Application Policy Enforcement Using APIC


Overloaded Network Constructs

[Diagram: VLANs and subnets carrying basic network policy, SLAs and L4-7 services]

Network constructs are overloaded with unintended functionality.

Page 6: Application Policy Enforcement Using APIC


Application Language Barriers

Developers speak in: application tiers, provider/consumer relationships

Infrastructure teams speak in: VLANs, subnets, protocols, ports

Developer and infrastructure teams must translate between disparate languages.

Page 7: Application Policy Enforcement Using APIC


Who is insieme?

Insieme: $100M+ invested by Cisco, 250+ employees, a 20-year execution history in software and ASICs.

Page 8: Application Policy Enforcement Using APIC


What is ACI?

ACI: open RESTful APIs, a centralized policy model, open source, a controller policy model. The network connects to all components of the data center, and the policy model controls the network and the information flow.

Page 9: Application Policy Enforcement Using APIC


Two types of language

Network language: VLANs, subnets, bridging, routing, IP addresses

App language: WEB, APP, DB

[Diagram: a human translator sits between the two languages]

Page 10: Application Policy Enforcement Using APIC


APP-Centricity for access control

CLEAR, SIMPLE DESCRIPTION OF HOW TIERS ARE ALLOWED TO COMMUNICATE

[Diagram: APP, DB and WEB tiers with the allowed communication between them]

Page 11: Application Policy Enforcement Using APIC


APP-Centricity for Service deployment

ANY SERVICE CAN BE ADDED BETWEEN TIERS

[Diagram: WEB, APP and DB tiers with an ADC and a firewall (F/W) inserted between tiers]

Page 12: Application Policy Enforcement Using APIC


App-centricity for troubleshooting and Monitoring

Easy to follow apps around the DC.

Visibility into the health of the infrastructure for the app.

The network knows the app structure and components.

[Diagram: a traditional 3-tier application, each tier with its own Application Network Profile; per-application metrics shown as Health Score 82%, Latency 10 microsecond(s), Drop Count 25 packets dropped; visibility into VMs, servers, ports, switches, services and faults]

Page 13: Application Policy Enforcement Using APIC


Application policy infrastructure controller (APIC)

Single API: open, RESTful, XML/JSON. Application centric. Reliable. Scalable.

Enables the Application Centric Infrastructure.

Page 14: Application Policy Enforcement Using APIC

ACI Policy Model


Page 15: Application Policy Enforcement Using APIC


Defining Terms

Tenant - Logical separator for a customer, BU, group, etc. Separates traffic, administration, visibility, etc.

Private-L3 - Equivalent to a VRF; separates routing instances. Can be used as an administrative separation.

Bridge Domain - NOT a VLAN; simply a container for subnets. CAN be used to define an L2 boundary.

End-Point Group (EPG) - Container for objects requiring the same policy treatment, i.e. app tiers or services.

Page 16: Application Policy Enforcement Using APIC


Logical Model Overview

[Diagram of the logical tree:]

root\uni
  Tenant A
    Private-L3 A
      Bridge Domain: Subnet A
      Bridge Domain: Subnet B, Subnet C
    Private-L3 B
  Tenant B
    Private-L3 A
      Bridge Domain: Subnet A
      Bridge Domain: Subnet B

Private-L3 and subnets are independent between tenants.

Page 17: Application Policy Enforcement Using APIC


Logical Model Overview (cont.)

[Diagram of the logical tree with example tenants:]

root\uni
  Tenant Coke
    Private-L3 Dev/Test
      Dev/Test-BD: 10.1/24 (L2 Enabled = Yes)
    Private-L3 Prod
      Prod-BD: 20.1/24, 21.1/24
  Tenant Pepsi
    Private-L3 Web Services
      Web-BD: 100.1/16 (L2 Enabled = Yes)
      App-BD: 20.1/24 (L2 Enabled = Yes)

Private-L3 and subnets are independent between tenants.
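As an added example (not part of the deck), the Coke/Pepsi tree above written out in Python: one function renders it as the nested class/attributes/children JSON that the APIC REST API accepts (class names are APIC's, not shown on the slides), and one checks that subnets overlap only within a single private-L3, which is why the same 20.1/24 can live in both tenants. Object names without slashes or spaces and the full gateway addresses are constructed assumptions, since APIC names disallow those characters and the slide abbreviates the prefixes.

```python
import ipaddress

# Tenant -> private-L3 (VRF) -> bridge domain -> subnets, as drawn on the slide.
# The slide abbreviates prefixes ("20.1/24"); the gateway addresses below are
# constructed expansions, and "Dev/Test" / "Web Services" are shortened because
# APIC object names allow neither "/" nor spaces.
LOGICAL_MODEL = {
    "Coke": {
        "DevTest": {"DevTest-BD": ["10.1.1.1/24"]},
        "Prod": {"Prod-BD": ["20.1.1.1/24", "21.1.1.1/24"]},
    },
    "Pepsi": {
        "WebServices": {"Web-BD": ["100.1.1.1/16"], "App-BD": ["20.1.1.1/24"]},
    },
}


def to_apic_json(model):
    """Render the model as the nested {class: {attributes, children}} objects
    that APIC's REST API takes in a POST to /api/mo/uni.json. Class names
    (fvTenant, fvCtx, fvBD, fvRsCtx, fvSubnet) are APIC's own."""
    tenants = []
    for tenant, vrfs in model.items():
        children = []
        for vrf, bds in vrfs.items():
            children.append({"fvCtx": {"attributes": {"name": vrf}}})
            for bd, subnets in bds.items():
                # fvRsCtx binds the bridge domain to its private-L3.
                bd_children = [{"fvRsCtx": {"attributes": {"tnFvCtxName": vrf}}}]
                bd_children += [{"fvSubnet": {"attributes": {"ip": s}}} for s in subnets]
                children.append({"fvBD": {"attributes": {"name": bd},
                                          "children": bd_children}})
        tenants.append({"fvTenant": {"attributes": {"name": tenant},
                                     "children": children}})
    return tenants


def overlapping_subnets(model):
    """Subnets only need to be unique inside one private-L3, so 20.1/24 in
    Coke/Prod and again in Pepsi/WebServices is fine. Return
    (tenant, vrf, "bd_a:net", "bd_b:net") for each overlap within one VRF."""
    clashes = []
    for tenant, vrfs in model.items():
        for vrf, bds in vrfs.items():
            nets = [(bd, ipaddress.ip_interface(s).network)
                    for bd, subnets in bds.items() for s in subnets]
            for i, (bd_a, a) in enumerate(nets):
                for bd_b, b in nets[i + 1:]:
                    if a.overlaps(b):
                        clashes.append((tenant, vrf, f"{bd_a}:{a}", f"{bd_b}:{b}"))
    return clashes
```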

Page 18: Application Policy Enforcement Using APIC


Defining Terms

Contract - Definition of policy. Defines how an EPG communicates with other EPGs.

Subject - Something being 'discussed.' Used to build definitions of communication between EPGs. Contains a filter, an action, and an optional label.

Filter - Identifier for a subject, i.e. the traffic you want to take action on. Required within a subject.

Action - The action to be taken on the filtered traffic within a subject. Required within a subject.

Page 19: Application Policy Enforcement Using APIC


Applications and Conversations

Application communication can be defined as who is allowed to talk to whom.

[Diagram: DB Farm, App Servers, Web Farm and Users, with the conversations between them]

Communication between objects on the network can be thought of as one-way or two-way conversations (monologue or dialogue).

Page 20: Application Policy Enforcement Using APIC


The Provider Consumer Relationship

Users: consume Web Services

Web Farm: provides Web Services, consumes App Services

App Servers: provide App Services

Provider consumer relationships define application connectivity in application terms. All objects can provide, consume, or both.

Page 21: Application Policy Enforcement Using APIC


Contracts for Policy

Contracts are used to define relationships.
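As an added example (not from the deck), a small Python model of the terms defined above, contract, subject, filter and action, applied to the provider/consumer relationships from the Users/Web/App/DB slides. It evaluates whether a flow is allowed the way the policy model does: no contract relationship between two EPGs means the traffic is denied. The contract names, ports and the restriction to the consumer-initiated direction are constructed simplifications.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Filter:
    """Filter entry: the traffic a subject acts on (protocol and dest port)."""
    proto: str                   # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None = any destination port

    def matches(self, proto, dport):
        return self.proto in ("any", proto) and self.dport in (None, dport)


@dataclass
class Subject:
    name: str
    filters: list           # at least one Filter is required
    action: str = "permit"  # action is required: "permit" or "deny"


@dataclass
class Contract:
    name: str
    subjects: list


@dataclass
class EPG:
    name: str
    provides: set = field(default_factory=set)  # contract names this EPG provides
    consumes: set = field(default_factory=set)  # contract names this EPG consumes


def evaluate(src, dst, contracts, proto, dport):
    """Decide a consumer->provider flow. Whitelist semantics: with no contract
    relationship between src and dst, or no matching filter, return 'deny'."""
    for name in src.consumes & dst.provides:
        for subject in contracts[name].subjects:
            if any(f.matches(proto, dport) for f in subject.filters):
                return subject.action
    return "deny"


# Constructed three-tier policy in the deck's terms: Users -> Web -> App -> DB.
CONTRACTS = {
    "Web-Services": Contract("Web-Services", [Subject("http", [Filter("tcp", 80), Filter("tcp", 443)])]),
    "App-Services": Contract("App-Services", [Subject("api", [Filter("tcp", 8080)])]),
    "DB-Services": Contract("DB-Services", [Subject("sql", [Filter("tcp", 3306)])]),
}
USERS = EPG("Users", consumes={"Web-Services"})
WEB = EPG("Web-Farm", provides={"Web-Services"}, consumes={"App-Services"})
APP = EPG("App-Servers", provides={"App-Services"}, consumes={"DB-Services"})
DB = EPG("DB-Farm", provides={"DB-Services"})
```

Users reaching the database directly is denied because no contract joins those two EPGs, not because of any explicit deny rule.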

Page 22: Application Policy Enforcement Using APIC


Policy Definition

[Diagram: current policy definition (rules, actions) compared with policy based on contracts covering SLAs, security, L4-7 and QoS]

Page 23: Application Policy Enforcement Using APIC


Defining Provider Consumer Relationships

[Diagram: provider/consumer relationships, starting from the DB Farm]

Page 24: Application Policy Enforcement Using APIC


Defining Provider Consumer Relationships

[Diagram: provider/consumer relationships, starting from the DB Farm]

Page 25: Application Policy Enforcement Using APIC

LAB TIME


Page 26: Application Policy Enforcement Using APIC


How to access your Pod

URL: https://labops-out.cisco.com/labops/ilt/

Register your username and select a Pod.

Classname: azesulem_v6399

Once logged in via RDP, you should see a PDF lab guide on the desktop.

Follow the instructions in the lab guide.

Page 27: Application Policy Enforcement Using APIC


Call to Action

Visit: Cisco Campus, Technical Solutions Clinics, Meet the Engineer

Page 28: Application Policy Enforcement Using APIC


Complete Your Paper Session Evaluation – Tuesday April 15th

Give us your feedback and you could win 1 of 2 fabulous prizes in a random draw.

Complete and return your paper evaluation form to the Room Attendant at the end of the session.

Winners will be announced today at the end of the session. You must be present to win!

See the Room monitor to redeem your prize.

Page 29: Application Policy Enforcement Using APIC

Questions?


Page 30: Application Policy Enforcement Using APIC

Thank you

Page 31: Application Policy Enforcement Using APIC