cisco aci main session emc world 2015

Policy-based Infrastructure Provisioning for RecoverPoint with Cisco ACI

Carly Stoughton – Cisco Technical Marketing Engineer
Thomas Scheibe – Cisco Senior Director Product Management

Upload: ldangelo0772

Post on 08-Aug-2015



Agenda

§ Group-Based Policy Concept in Cisco ACI
§ Integration of RecoverPoint for VMs and Cisco ACI
§ ACI Security/Compliance Properties

Enable the Cloud

[Timeline diagram. Stages: Consolidation, Virtualization, Automation, Enabling the Cloud. Years shown: 2008, 2009, 2014, Today. Other labels: LAN, SAN, Network, Compute, Storage, Access, Apps, Policy, Cisco ACI, Rapid Application Evolution.]

Vision: Scale, Security and Full Visibility

Enabled by physical and virtual integration

[Diagram labels: Physical Networking, Compute, L4–L7 Services, Storage, Hypervisors and Virtual Networking, Multi DC WAN and Cloud, Tenant, Application.]

•  Automation through Policy
•  Physical, Virtual and Containers
•  Open, Standards and Embedded Security

The Problem

Challenges attempting to automate network configurations

•  Provisioning models are built around the device

•  Build separate networks for the apps for policy, visibility, and security

•  Legacy network security limits our ability to implement policy with mobility & cloud

[Diagram labels: Data Applications (DB, APP, ADC, WEB, F/W), Infrastructure Applications (VMOTION, DNS), Management Applications (ADC MGMT).]

Group Based Policy Model: Define Once – Deploy Consistently

Components of a Group Based Policy

•  Endpoint Group: A set of endpoints (VMs/servers) with the same policy

•  Contracts: A set of rules governing communication between endpoint groups

•  Service Chains: A set of network services between endpoint groups

[Diagram labels: OUTSIDE, WEB, APP, DB, CRM APP, ADC, F/W, Contract.]

Context-Aware Segmentation

Marking Traffic with Consistent Policy Context (Device, Group, Role) Immune to Network Changes

[Diagram labels: Dynamic Content, User and Devices, Resources and Demands, Business Policy, Abstracted Policy, Distributed Enforcement, End Point Group Tag, Contract, DB, APP, WEB, ADC, F/W.]

Group-Based Policy And OpenStack

OpenStack extensions on top of Neutron exposing a policy API

[Diagram labels: Group Policy, Group Policy Plugin, Neutron Networking, OVS Driver, APIC Group Driver; Web, App and DB endpoints running across three hypervisors.]


RecoverPoint for VMs & ACI - Objective

§  Automate network policies: define once/deploy consistently

§  Pre-configure four network instances on the VMware vSphere ESXi Servers where RecoverPoint for VMs will be installed
   –  LAN Network
   –  WAN Network
   –  iSCSI1 & iSCSI2 Network

§  Associate the four RecoverPoint for VMs network interfaces (i.e., LAN Interface, WAN Interface, iSCSI1 Interface and iSCSI2 Interface) to the pre-configured network instances

Assumptions

§  VMware ESXi has been installed on the servers that will be used for RecoverPoint for VMs, and all servers have been assigned an IP address.

§  The “VM Network” shown in the logical topology has been created.

§  VMware vCenter server has been installed and all servers (single or multiple vCenter instances are possible)

§  Cisco ACI has been physically installed and all leaf switches have been initialized and are visible in the APIC Fabric Topology view.

§  Servers running VMware ESXi have been physically cabled to the Cisco ACI leaf switches as shown in the physical topology diagram.

Logical Topology View

Physical Topology View

Overview of Configuration Steps

1. ACI Configuration

§  a. Configure Fabric

§  b. Add VMware vCenter to APIC

§  c. Verify connectivity

2. VMware vCenter Configuration

§  a. Configure the Distributed vSwitch in vCenter

3. Tenant (RP4VM network) Configuration

§  a. Create the RP4VM Networks via APIC

§  b. Modify iSCSI Port Groups to allow iSCSI via VMware vCenter

§  c. Configure vmknics and attach to iSCSI Port Groups via VMware vCenter

§  d. Install RP4VM Appliance via VMware vCenter


Security: P+V = C

PERIMETER CENTRIC
•  Manual and Complex
•  Error-Prone
•  Static Topology
•  Limited Places

VIRTUALIZATION CENTRIC
•  No Physical Support
•  Limited Visibility
•  Management Complexity

APPLICATION CENTRIC
•  Any workload and any place
•  Full Visibility
•  Automated

PCI Compliant Network with Cisco ACI

•  Simplifies audit based on higher level policy

•  Secure network segmentation and isolation

•  Defense in depth with advanced L4-7 security (NGFW, IDS/IPS, DDoS) integration

•  Centralized Auditing and Security Monitoring

[Diagram labels: Secure Network, Access Control, Security Policy, Centralized Audit, Monitoring Access.]

Vblock Systems with ACI

Further extend IT agility

Vblock™ 340 and Vblock™ 720

ACI-READY: VBLOCK SYSTEMS WITH ACI-READY NEXUS 9000

•  Policy management enhances operational simplicity
•  Use policies to accelerate network configuration
•  ACI further reduces risk through policy automation

Converged Infrastructure