US Navy Virtual Services 030316
Enabling Virtual Application Infrastructure Policies
Brenden Buresh, DC TSA – CCIE #[email protected]
March 3rd, 2016
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Agenda
• VACS Value Proposition
• Container Options
• What is VACS
• What’s in the latest version 2.1
• Summary & Conclusion
Cisco Virtual Application Cloud Segmentation (VACS)
• Secure segmentation in minutes on shared policy-based infrastructure
• Simplified virtual networking and security
• Unified virtual services licensing: cost-effective solution
What is a VACS Container?
VACS Containers are:
• Virtual Network & Security Services Templates for Application Workloads
• Topology Configurations designed for logical secure isolation and compliance
• Exposed through the UCS Director (UCS-D) GUI to allow rapid and consistent provisioning of Secure Applications
VACS Business Relevance for Customers
• Logical Segmentation of Applications and Application Layers
• Seamless integration of Best in Class Products
• Built on Industry Leading platforms (IOS/NX-OS)
• Ease of Container Spin-up/Spin-Down (VMs and Services)
• Ability to Customize based on application requirements
• Virtual-only Services today, Adding Hardware Services
• Keep the same Secure Segmentation from Campus/Branch to the Application Policy (SGT/SG-ACLs)
• Unified licensing for all services, Less $$ than NSX
• UCS Director for Policy Automation, also provides workflow-based automation for other Virtual and Physical Infrastructure
VACS Drivers for Customers
• Rapid and consistent Deployment of Secure Application Environments
• Virtualization density increases as Intel delivers on Moore's Law. The resulting Higher VM:Host Ratio Increases Exposure
• Maintaining Logical Secure Isolation and Compliance for co-hosted applications becomes critical as economics drive consumption
• Re-use of the Same IP Address Space so the Development environment more closely mirrors Production
• Bring existing applications under control of an instantiated VACS template to Enable Consistency and Self-Documentation
Segmentation Options
• Linux Containers
• Docker
• UCS Director – Fenced Containers
• Virtual Application Cloud Segmentation
  • Logical grouping of workloads using a common set of services in an easy to deploy method
“Containers Virtualize at the O/S level, Hypervisors virtualize at the Hardware level” – Greg Ferro
Linux Containers
• Main and evolving components:
  • LXC – libraries, tools, templates – the base of Linux containers and of early Docker releases (Docker used LXC as its execution driver before switching to its own libcontainer)
  • LXD – REST API for common CLI operations, ~1 yr since release
  • CGManager – manager for nested, unprivileged containers
  • LXCFS – user-space FileSystem (FUSE)
• “Our main focus is system containers. That is, containers which offer an environment as close to possible as the one you’d get from a VM but without all the overhead of running a separate kernel and simulating all the hardware.” – linuxcontainers.org
Container Components, More Detail
• LXC Components:
  • liblxc
  • API interfaces – Ruby, Python 2, Go, Haskell
• LXD Components:
  • lxc – CLI
  • lxd – REST API, definition of unprivileged containers w/ resource restrictions
  • nova-compute-lxd – OpenStack plug-in for lxd nodes as Compute Nodes
LXC More Detail
• CGManager:
  • Central privileged daemon for cgroups via D-Bus API
  • Isolating nested containers from the Kernel and resolving GIDs/UIDs
• LXCFS Components:
  • Designed to work around traditional Kernel FS shortcomings
  • Container-aware cgroupfs tree, works with CGManager
Docker
• No requirement for a Virtual Machine Manager (vCenter/SCVMM/etc.)
• Can use Docker Hub/Kubernetes/Cisco Container Hub
• Fast boot-up/down (500 msec vs. 20 sec for a VM)
• Use of etcd and fleet for common services recognition within a cluster
• No North/South or East/West Segmentation
[Diagram: containers (App + /bin/lib) sharing one Docker Engine on the Host Kernel, versus VMs (App + /bin/lib + Guest OS) each on a Hypervisor over the Host Kernel]
UCS Director – Fenced Container
• Defined within UCS Director
• Only Edge Control
• Multi-Homed Guests
• No Inter-VLAN Security
• No VM-VM Security
• Feature available since Cloupia “inception”
• Use IP Tables for L3
[Diagram: VM-1 … VM-n on Network 1 (10.10.10.0/28) and Network 2 (20.20.20.0/28), behind a Container Firewall that fronts the External Networks]
VACS – Secure Segmentation in Minutes on Shared Policy-Based Infrastructure
• Secure segmentation in minutes on shared infrastructure
• Simplified virtual networking and security
• Unified virtual services licensing: cost-effective solution
Current Manually Segmented Architecture: physical segmentation can result in longer provision time, under-utilized resources and non-optimal traffic paths; procure, rack, stack and provision individual devices
Policy-based Virtual Segmentation with VACS: virtual segmentation independent of physical topology, enforced by best-in-class virtual networking and security services (VACS attached to each vCenter)
VACS – Simplified Virtual Networking and Security on Shared Policy-Based Infrastructure
Current provisioning model: provision subnet / NAT / routing, provision VIP, provision FW rules / GW, each configured on its individual component
Wizard-based provisioning model with full life-cycle management of virtual services: no longer have to configure individual components. VACS does it for you.
VACS – Unified Virtual Services Licensing Based on a Per-Server Model
Current pricing schema makes virtual services cost prohibitive:
• Every vendor has a different licensing schema
• Per-instance based
• Expensive as throughput increases
VACS unified licensing, per-server based: create as many instances as you need, with 10G throughput!
Components covered:
• Automated Provisioning and Orchestration – UCS Director
• Load-balancer – HA Proxy
• Routing – CSR 1000V
• Virtual Fabric – Nexus 1000V, platform for Distributed FW
• Zone-based FW – Virtual Security Gateway
• Edge FW – CSR 1000V
VACS – Choice of Virtual/Physical: Build Containers with Gateway of Choice
• Built-In Gateway: Virtual GW – CSR 1000v
• Physical Gateway: Physical GW – ASA, Checkpoint, PAN
• Other Virtual Gateway: External Virtual GW – ASAv, vGW, vPAN
VACS enables choice of virtual/physical to meet application requirements. Installation/Upgrade/Configuration of gateways is performed only for CSR 1000v, VSG and HA Proxy
VACS Deployment Options: Types of Logical Segmentation Templates
• 3 Tier – Internal Access
• 3 Tier – External Access
• Custom Container
Deeper View: VACS Containers – 3-Tier
VACS – 3 Tier App Container (Internal):
• Upstream Router – Routing: EIGRP or OSPF or Static
• CSR 1000V (VLAN 1 / VXLAN 101) – NAT (Optional), L3 Routing – EIGRP or OSPF (P2), Edge FW, Monitoring Features
• VSG – Zone-based FW between Web Zone, App Zone and DB Zone
• HA Proxy – HTTP(s) LB
• Diagram legend: Closed Door (Blocked), Open Door (Pass)
VACS Enhanced Security: Security Group Tags
VACS – 3 Tier App Container (Internal), as in the 3-tier view above (CSR 1000V edge with optional NAT, L3 routing EIGRP or OSPF, edge FW and monitoring; VSG zone-based FW between Web, App and DB zones; HA Proxy HTTP(s) LB), with:
• SGTs from Campus TrustSec on VEM
VACS Enhanced Security: Adding ASAv (Roadmap)
VACS – 3 Tier App Container (Internal), as in the 3-tier view above (CSR 1000V edge, VSG zone-based FW between Web, App and DB zones, HA Proxy HTTP(s) LB), with:
• ASAv – NAT (Optional), L3 Routing – EIGRP or OSPF, Full FW, Monitoring Features
• FirePOWERv – Next-Gen IPS
• SGTs from Campus TrustSec on VEM
VACS Enhanced Security: Add Physical ASA55xx (Roadmap)
VACS – 3 Tier App Container (Internal), as in the 3-tier view above (CSR 1000V edge, VSG zone-based FW between Web, App and DB zones, HA Proxy HTTP(s) LB), with:
• ASA55xx w/ FirePOWER – NAT (Optional), L3 Routing – EIGRP or OSPF, Full FW, Next-Gen IPS, Monitoring Features
• SGTs from Campus TrustSec on VEM
VACS Enhanced Security: Add FirePOWER (Roadmap)
VACS – 3 Tier App Container (Internal), as in the 3-tier view above (CSR 1000V edge, VSG zone-based FW between Web, App and DB zones, HA Proxy HTTP(s) LB), with:
• FirePOWER Threat Defense Virtual (FTDv) – NAT (Optional), L3 Routing – EIGRP or OSPF, Full FW, Next-Gen IPS, Monitoring Features, High Scalability
• SGTs from Campus TrustSec on VEM
Micro-Segmentation with VACS
Detailed VACS Container: a Perimeter Firewall in front of four zones – Web-1 zone (Web application Web-1), Web-2 zone (Web application Web-2), App-1 zone (Public Design App-1, VM3) and App-2 zone (Confidential Design App-2, VM4)
Source   Destination   Policy
Web-1    App-1         Allow
Web-2    App-2         Allow
Web-1    App-2         Drop
Web-2    App-1         Drop
Micro-segmentation in Three Clicks:
1. Define Zones
2. Add VMs
3. Apply zone-based policies
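The three clicks above (define zones, add VMs, apply zone-based policies) and the earlier 3-tier container (Web, App and DB zones behind the CSR edge) both come down to the same thing: a VM-to-zone map plus an ordered zone-pair rule table with default deny. The model below is an added example, not VACS or VSG code; VM names and flows are constructed, the "External" zone standing in for traffic arriving through the edge is an assumption, and so is treating intra-zone traffic as allowed. It also reports which zone pairs are covered only by implicit deny, which is the check to run before trusting a policy table that lists a handful of explicit Drop rows.

```python
"""Zone-based micro-segmentation policy model (added example, not VACS code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ALLOW, DROP = "Allow", "Drop"


@dataclass
class ZonePolicy:
    zones: Dict[str, Set[str]] = field(default_factory=dict)         # zone -> VM names
    rules: List[Tuple[str, str, str]] = field(default_factory=list)   # (src, dst, action)

    # Click 1: Define Zones
    def define_zone(self, name: str) -> None:
        if name in self.zones:
            raise ValueError(f"zone {name!r} already defined")
        self.zones[name] = set()

    # Click 2: Add VMs (a VM may sit in only one zone, or policy becomes ambiguous)
    def add_vm(self, zone: str, vm: str) -> None:
        if zone not in self.zones:
            raise KeyError(f"unknown zone {zone!r}")
        current = self.zone_of(vm)
        if current is not None:
            raise ValueError(f"{vm!r} is already in zone {current!r}")
        self.zones[zone].add(vm)

    # Click 3: Apply zone-based policies (ordered, first match wins)
    def add_rule(self, src: str, dst: str, action: str) -> None:
        for zone in (src, dst):
            if zone not in self.zones:
                raise KeyError(f"rule references unknown zone {zone!r}")
        if action not in (ALLOW, DROP):
            raise ValueError(f"action must be {ALLOW} or {DROP}")
        self.rules.append((src, dst, action))

    def zone_of(self, vm: str) -> Optional[str]:
        for zone, members in self.zones.items():
            if vm in members:
                return zone
        return None

    def evaluate(self, src_vm: str, dst_vm: str) -> Tuple[str, str]:
        """Decide a flow between two VMs; returns (action, reason)."""
        src_zone, dst_zone = self.zone_of(src_vm), self.zone_of(dst_vm)
        if src_zone is None or dst_zone is None:
            return DROP, "vm-not-in-any-zone"      # unknown workloads get no access
        if src_zone == dst_zone:
            return ALLOW, "intra-zone"             # assumption: members of a zone may talk
        for rule_src, rule_dst, action in self.rules:
            if (rule_src, rule_dst) == (src_zone, dst_zone):
                return action, f"rule {rule_src}->{rule_dst}"
        return DROP, "implicit-deny"               # no matching rule: default deny

    def audit_unmatched_pairs(self) -> List[Tuple[str, str]]:
        """Ordered zone pairs covered only by implicit deny (no explicit rule)."""
        explicit = {(s, d) for s, d, _ in self.rules}
        return sorted((s, d) for s in self.zones for d in self.zones
                      if s != d and (s, d) not in explicit)


def build_slide_policy() -> ZonePolicy:
    """The four-zone container and policy table from the micro-segmentation slide."""
    p = ZonePolicy()
    for zone in ("Web-1", "Web-2", "App-1", "App-2"):
        p.define_zone(zone)
    p.add_vm("Web-1", "web-1-vm")   # constructed names for the two web VMs
    p.add_vm("Web-2", "web-2-vm")
    p.add_vm("App-1", "VM3")        # Public Design App-1 (VM3)
    p.add_vm("App-2", "VM4")        # Confidential Design App-2 (VM4)
    for src, dst, action in (("Web-1", "App-1", ALLOW), ("Web-2", "App-2", ALLOW),
                             ("Web-1", "App-2", DROP), ("Web-2", "App-1", DROP)):
        p.add_rule(src, dst, action)
    return p


def build_three_tier_policy() -> ZonePolicy:
    """The 3-tier container (Web/App/DB) with only the expected hops allowed.
    'External' stands in for traffic arriving through the CSR edge (assumption)."""
    p = ZonePolicy()
    for zone in ("External", "Web", "App", "DB"):
        p.define_zone(zone)
    for zone, vm in (("External", "client"), ("Web", "web01"), ("App", "app01"), ("DB", "db01")):
        p.add_vm(zone, vm)
    for src, dst in (("External", "Web"), ("Web", "App"), ("App", "DB")):
        p.add_rule(src, dst, ALLOW)
    return p


if __name__ == "__main__":
    policy = build_slide_policy()
    for flow in (("web-1-vm", "VM3"), ("web-1-vm", "VM4"), ("VM4", "web-2-vm"), ("rogue", "VM4")):
        print(flow, policy.evaluate(*flow))
    print("pairs relying on implicit deny:", policy.audit_unmatched_pairs())
    tier = build_three_tier_policy()
    print(("client", "db01"), tier.evaluate("client", "db01"))   # skipping a tier is denied
```

The audit matters because the slide's table only states four of the twelve ordered zone pairs; the other eight (including every App-to-Web reply direction) are dropped purely by the implicit default, so an evaluator that defaulted to permit would silently open them.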
Cisco VACS Offers a Lower TCO Than the VMware Alternative (27% lower)
• Key assumptions:
  • Cisco solution = Cisco ONE Enterprise Cloud Suite + vSphere Enterprise Plus with Operations Management
  • VMware solution = vCloud Suite Enterprise + NSX
  • TCO calculation includes Product Licenses + 3-year Service
• Simple TCO Excel Tool: http://go2.cisco.com/vacs_vs_nsx_tco
Cisco Plan and Build Service for VACS: AS-Fixed Service Description
VACS Plan and Build – ASF-DCV1-G-VACS
• Plan, design, and implementation expertise to bring VACS into production in less than a week
• Deploy UCSD
• Install VACS workflows
• Configure VMware virtual infrastructure
• Deploy PNSC
• Deploy VSUM for N1K
• Deploy N1K
• Creation of virtual compute, network, and storage policies
• Definition of Global Resource Pools
• Rapid go-live of application containers
• Publication of containers to self-service UCS Director catalog
• Knowledge transfer and training
Activities and Deliverables:
o Workshop to Review Customer Environment
o Implementation Plan
o Software Installation
o Configuration and Provisioning
o Test Support
o Knowledge Transfer
o As-Built Documentation
VACS Licensing
A la carte SKUs:
• CUIC-VACS-01 – $4500 (US)
• CUIC-VACS-OFFERS – volume discounts
• CUIC-VACS-SVR-PROM – $6000 (US) (includes VACS & UCSD)
Cisco ONE Enterprise Cloud Suite (Cisco ONE for Data Center):
• SKU: C1-UCS-M
• Requires Qty (x): C1F2PUC(x)K9, C1A1PUCS(x)K9, CUIC-BASE-K9
• Total – $9856 (US)
Key Licensing Points:
• VACS Licensing same as UCSD
• License per Server for 50 VMs
• Includes all component product licenses:
  • N1Kv
  • VSG
  • CSR 1000V (VACS functionality only)
  • HAProxy
Cisco VACS Advantage over a 3-Year Period: 27% lower TCO than NSX
• 2,000 Virtual Machines (20 per host), one vCenter: Cisco ONE ENT and vSphere with Ops is 28% lower than VMware vCloud Suite and NSX
• 10,000 Virtual Machines (20 per host), two vCenters: Cisco ONE ENT and vSphere with Ops is 27% lower than VMware vCloud Suite and NSX
• Discounts: considering 65% on licenses, 10% on services for both Cisco and VMware
Customer Facing Nx-1Kv Statement of Direction
• Link to the N1K Statement of Direction – https://cisco.box.com/s/ntpb5dn5nrzf6wbcncdrk5niy0pm8qas
• Will be posted to CCO soon
• Please forward internally and externally
Nexus 1000V and VMware vSphere Support
• Nexus 1000V has been supported since vSphere 4.0 in 2009
• Cisco and VMware have agreed to extend support of Nexus 1000V in vSphere 6.x and future releases
• Nexus 1000V releases 5.2(1)SV3(1.4) and up support VMware vSphere 6.0; started shipping 4/17/2015
• VSUM supports vCenter 6.x and vSphere 6.x
vSphere version – End of Support (EOS):
  vSphere 4.x – EOS 2014
  vSphere 5.0 and 5.1 – EOS 2016
  vSphere 5.5 – EOS 2018
  vSphere 6.x
Note: End of Technical Guidance is 2 years after End of Support (EOS) date
Nx-1Kv is Part of the Compatibility Matrix for vSphere
• VMware vSphere 6.0 Release Notes: https://www.vmware.com/support/vsphere6/doc/vsphere-esxi-vcenter-server-60-release-notes.html
• VMware Support Matrix: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2109760
What’s New in VACS 2.1 (Now Available)
• Overlapping IP Subnet Pools
• CSR delegated licensing
• Add/Delete vNICs to VMs
• Adding VM from OVF
• Service VM password management
• REST API enhancements
  • APIs for static NAT, ERSPAN, add/delete VM firewall policy, retrieval of all container details
  • REST API for bypassing templates and creating a fully parameterized container
• Reporting
  • Resource history report, Secure Container reports
• Resubmit for container deployment
  • VACS 2.1 supports resubmit of failed/interrupted container deployment workflows
• UI Localization: French language support
Overlapping IP Subnet Pools
• Prior to 2.1, VACS contained a global IP Subnet Pool and did not allow for overlapping IP addresses
• With 2.1 not only do we enable overlapping IP Subnet Pools, we offer it on three levels (allocation scope):
  • Global (a subnet allocated cannot be reallocated)
  • Tenant (overlap between tenants/groups)
  • Container (overlap between containers)
• Supported by enhancements to the GUI and internal allocation logic.
Service VM Password Management
• Service VMs (i.e., CSR, VSG or SLB) deployed by VACS are assigned randomly generated passwords for admin access.
• VACS stores these in a database table to enable any automatic re-configuration actions. Any changes made through direct access to the service VMs are NOT updated in the database table, so a password changed on the VM itself leaves VACS holding a stale credential for later re-configuration.
• In VACS 2.1 users can override the random passwords with new passwords based on their company standards. Any changes made through the new GUI and logic enhancements are updated in the database table, maintaining system-level consistency.
Add/Delete vNICs to VMs
• Starting in VACS 2.1 vNICs can be dynamically added to or deleted from application workload VMs
• Does not apply to service VMs
• Involves power off/on for reconfiguration
• Each application VM by default has exactly one vNIC connected to the GW. This vNIC cannot be deleted
• Additional vNICs can be added/deleted onto secondary portgroup networks
Adding VM from OVF
• VACS allows application VMs to be added either through template parameters or post-container operations
• Prior versions of VACS required the use of VM templates defined in vCenter
• VACS 2.1 allows these additions from arbitrary OVFs in addition to VM templates
• Pre-loading OVFs in UCS Director is required
• With OVFs you can specify global availability or restrict them to a group or specific user
Viewing Resource History Report
• Provides a transaction history of all pool allocations and de-allocations
• This includes VLAN, VXLAN, IP addresses and IP subnets
• The report includes timestamp and context information for each allocation/de-allocation event
• The columns of the report can be customized
• Filters can be defined for restricting to specific subsets of events
• Reports can be exported as PDF, CSV or Excel formats
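The three allocation scopes on the Overlapping IP Subnet Pools slide and the transaction history on this slide are two sides of one allocator: the scope decides who competes for the same address space, and every allocate/de-allocate is logged with a timestamp and its tenant/container context. The model below is an added example, not VACS code; the pool CIDRs, tenant and container names and the step clock are constructed. It checks for overlap rather than equality, so a /25 cannot be handed out while the enclosing /24 is allocated under the same key, and it refuses a de-allocation that was not made under the same scope key rather than silently freeing someone else's subnet.

```python
"""Scope-aware IP subnet pool with a resource history (added example, not VACS code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import IPv4Network, ip_network
from typing import Callable, Dict, List, Optional, Tuple

SCOPES = ("global", "tenant", "container")


@dataclass(frozen=True)
class HistoryEvent:
    timestamp: datetime
    action: str        # "allocate" or "deallocate"
    resource: str      # subnet in CIDR notation
    tenant: str
    container: str
    scope: str


class StepClock:
    """Deterministic clock (constructed) so the history is reproducible."""
    def __init__(self, start: datetime) -> None:
        self.now = start

    def __call__(self) -> datetime:
        self.now += timedelta(seconds=1)
        return self.now


class SubnetPool:
    """Hands out subnets from a fixed list; reuse is governed by the scope."""

    def __init__(self, cidrs: List[str], scope: str,
                 clock: Callable[[], datetime] = datetime.now) -> None:
        if scope not in SCOPES:
            raise ValueError(f"scope must be one of {SCOPES}")
        self.scope = scope
        self.pool = [ip_network(c) for c in cidrs]
        self.in_use: Dict[str, List[IPv4Network]] = {}   # scope key -> allocated subnets
        self.history: List[HistoryEvent] = []
        self._clock = clock

    def _key(self, tenant: str, container: str) -> str:
        # global: everyone shares one key; tenant: one key per tenant;
        # container: one key per (tenant, container) pair.
        if self.scope == "global":
            return "*"
        if self.scope == "tenant":
            return tenant
        return f"{tenant}/{container}"

    def _is_free(self, key: str, subnet: IPv4Network) -> bool:
        # Overlap, not equality: 10.0.0.0/25 stays blocked while 10.0.0.0/24 is held.
        return not any(subnet.overlaps(used) for used in self.in_use.get(key, []))

    def allocate(self, tenant: str, container: str) -> Optional[IPv4Network]:
        key = self._key(tenant, container)
        for subnet in self.pool:
            if self._is_free(key, subnet):
                self.in_use.setdefault(key, []).append(subnet)
                self._log("allocate", subnet, tenant, container)
                return subnet
        return None   # exhausted for this key; the caller must fail the request

    def deallocate(self, subnet: str, tenant: str, container: str) -> bool:
        key = self._key(tenant, container)
        net = ip_network(subnet)
        if net not in self.in_use.get(key, []):
            return False   # not held under this key: refuse rather than corrupt state
        self.in_use[key].remove(net)
        self._log("deallocate", net, tenant, container)
        return True

    def _log(self, action: str, subnet: IPv4Network, tenant: str, container: str) -> None:
        self.history.append(HistoryEvent(self._clock(), action, str(subnet),
                                         tenant, container, self.scope))

    def report(self, tenant: Optional[str] = None,
               action: Optional[str] = None) -> List[HistoryEvent]:
        """Resource history with the kind of filters the report screen offers."""
        return [e for e in self.history
                if (tenant is None or e.tenant == tenant)
                and (action is None or e.action == action)]


def demo_scopes() -> Dict[str, Tuple[Optional[str], ...]]:
    """Allocate a one-subnet pool three times under each scope; None means refused."""
    out: Dict[str, Tuple[Optional[str], ...]] = {}
    for scope in SCOPES:
        pool = SubnetPool(["10.0.0.0/24"], scope, StepClock(datetime(2016, 3, 3)))
        got = (pool.allocate("tenantA", "c1"),    # first request
               pool.allocate("tenantA", "c2"),    # same tenant, another container
               pool.allocate("tenantB", "c1"))    # another tenant
        out[scope] = tuple(None if n is None else str(n) for n in got)
    return out


if __name__ == "__main__":
    for scope, got in demo_scopes().items():
        print(f"{scope:9}: {got}")
    pool = SubnetPool(["10.0.0.0/24"], "tenant", StepClock(datetime(2016, 3, 3)))
    pool.allocate("tenantA", "c1")
    pool.deallocate("10.0.0.0/24", "tenantA", "c1")
    for e in pool.report(tenant="tenantA"):
        print(e.timestamp.isoformat(), e.action, e.resource, e.tenant, e.container, e.scope)
```

Running demo_scopes shows the slide's three levels directly: under global scope only the first request gets 10.0.0.0/24, under tenant scope tenantA's second container is refused but tenantB is served, and under container scope all three succeed.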
CSR 1000V VACS Delegated Licensing
• CSR 1000Vs deployed in VACS no longer use smart licensing. VACS functionality is not dependent on an active smart license account for CSRs.
• CSR licensing is integrated with VACS licenses; the UI for collecting smart license account info and token ID is discontinued.
• CSRs active in containers deployed by pre-2.1 software will not be re-licensed by VACS software. They can continue to operate as they are.
• CSR 1000Vs deployed by VACS 2.1 (and later) software will use the new delegated mode of licensing
Resubmit for Container Deployment
• VACS 2.1 supports resubmit of failed/interrupted container deployment workflows
• In previous releases resubmission was disabled. Invoking resubmit would elicit an error message
• If a container deployment workflow fails with an exception for reasons such as insufficient resources or network errors, it can be resubmitted after removing the cause of failure and will continue to completion if no further errors occur
REST API for Fully Parameterized Containers
• Prior to VACS 2.1 the only way to create a container was via a VACS template
• These templates could be published as catalog items for the UCSD Self-Service Portal
• Additionally, the template could be called using REST APIs from Prime Services Catalog (PSC) to create a container
• VACS 2.1 enables a REST API for bypassing templates and creating a fully parameterized container
VACS 2.2 (Planning) – Roadmap, Target: Q1 CY16
• vSphere 6.0 support
• VACS w/ ASAv (ASAv as part of VACS container)
• Bulk add of N1Kv hosts
• Enhance VACS support for custom tasks (easily deploy 3rd-party services): enhance VACS workflow tasks to save external metadata corresponding to a service request, which then feeds into a custom UCSD task for its configuration of a 3rd-party LB or FW
• PSC Integration enhancements
• New APIs
• Support of other routing protocols (OSPF, eBGP)
• CECS 3.0 Requirements: common installer, common user-groups and roles
• Importing existing N1Kv customers to VACS
• VACS User Interface update (HTML 5)
• Enhancing container operations: add/modify zones after deployment, configuring resource limits
VACS Brings Much Needed Agility to the DC
VACS makes you more productive:
1. Do more in less time
2. Improved customer satisfaction
3. Onboard developers / customers / apps in hours
4. Simplify operations
• Simplicity to provision
• Consistent Deployments
• Much needed Visibility and Compliance
• On-Demand Provisioning
“creating templates makes it easy to deploy.” – Enterprise customer
“…right licensing model for Cloud.” – Global Retail Customer
Key Takeaways
Now that we’re at the end of the session, you should have an improved understanding of:
• Some level of Container options
• Why VACS had a name change
• VACS including value proposition
• How to use VACS against NSX Microsegmentation
• What’s new in 2.1
Please visit http://www.cisco.com/go/vacs for more information
Release Notes: http://www.cisco.com/c/en/us/support/switches/virtual-application-container-services-vacs/products-release-notes-list.html
Install & Upgrade Docs: http://www.cisco.com/c/en/us/support/switches/virtual-application-container-services-vacs/products-installation-guides-list.html
For internal questions email [email protected] or [email protected]
VACS with TrustSec Whitepaper: https://cisco.box.com/s/kfllrnq7gjnulqx9172d1bzdprxe8g7d
For external questions email: [email protected]
Additional Resources
o BDM Presentation
o TDM Presentation
o Datasheet
o VACS FAQ ( Cisco Internal )
o Value Proposition
o VACS Sponsored Deployment
o Ordering Guide
o Cisco ONE Enterprise Cloud Suite ( ECS)
o Deployment Guide
o What’s New in VACS 2.0
o What’s New in VACS 2.0.1
o What’s New in VACS 2.1