ModulesACIM11 - Integrating L4-7 With ACI_V1 0
ACI-FE M11: Integrating L4-7 Services with ACI
Cisco Confidential. 2013-2014 Cisco and/or its affiliates. All rights reserved.

Slide 2: Agenda
- Application Profiles and Service Graphs
- Device Packages
- Service Insertion Overview
- APIC Service Graph Configuration
- Network Services Placement

Slide 3: Application Profiles and Service Graphs

Slide 4: Service Insertion on ACI
- VLAN/VRF "stitching" allowed
- Advanced automation available
- Automation requires taking control of the services appliance configuration
- API supports adding almost any services appliance
- API is published in an open manner
Diagram labels: APPLICATION CENTRIC INFRASTRUCTURE: Performance and Scale, Security, Simplicity, Open, Agility, Automation and Visibility.

Slide 5: EPG to EPG filtering
- Objects
  - End Points (EP)
  - End Point Groups (EPG)
  - Contracts: Filter/Action; whitelist or blacklist
  - Service Nodes: Service Group; Service Graph
- Forwarding
  - Pervasive gateway
  - Drop unknown (never spoken)
- Intra-EPG
  - Open communication within the EPG
  - Optional PVLAN within an EPG (post-FCS)
- Inter-EPG
  - Fabric firewall with TCP flag checking
- Moving an EP is non-disruptive
Diagram: End Point Group (EPG) 1 with EP1-A, EP1-B, EP1-C, EP1-D, EP1-E; End Point Group (EPG) 2 with EP2-A, EP2-B, EP2-C, EP2-D, EP2-E. One Contract = 25 ACLs Per Port.

Slide 6: Policy Contract Actions
FCS policy options supported:
- Permit the traffic
- Deny/Block the traffic
- Redirect the traffic
- Log the traffic
Policy encompasses traffic handling, quality of service, security monitoring, and logging.
Diagram labels: Copy Packet; Mark Packet DSCP.
Post-FCS options supported:
- Copy the traffic
- Mark the traffic (DSCP/CoS)
Diagram labels: Permit, Deny, Redirect, Log.

Slide 7: Redirection to Multiple Services
Redirect traffic to a services graph: Redirect SRC *, DST TCP 80 to FIREWALL_ADC_PROD.
Diagram: Web Server End Point Group A and App Server End Point Group B inside an Application Construct; contract rule: redirect; providers: firewall instances and load balancer instances; graph: start, stage 1 ... stage N, end.
- A packet match on a redirection rule sends the packet into a services graph.
- A service graph can be one or more service nodes pre-defined in a series.
- Automated and scalable L4-L7 service insertion.
- An application-centric service graph simplifies and scales service operations.

Slide 8: Device Packages

Slide 9: Device Definition and Package
- Securely upload the Device Package zip file to APIC
- A Device Package consists of:
  - DeviceSpecification (xml)
  - DeviceScript (py)
- Device Packages are created by:
  - Cisco Business Units (ASA, Sourcefire, etc.)
  - 3rd-party vendors (F5, Citrix, A10, etc.)
  - Advanced Services
  - Customers
Diagram: Partner Device managed over REST/CLI; Device Specification (dev ident="" validator="ip"); Device Package = DeviceSpec + DeviceScript.
Annotation (translated): the DeviceSpec is the vendor-provided description of the functions that can be controlled.

Slide 10: Device Package Interactions
- Device Attachment
- Endpoint Attach/Detach
- Service Graph Rendering
- Health Monitoring
- Faults
- Counters

Slide 11: Sample Device Specification - ADC#1
Slide 12: Device Scripts
Device APIs:
    def deviceValidate(device, version)
    def deviceModify(device, interfaces, configuration)
    def deviceAudit(device, interfaces, configuration)
    def deviceHealth(device, interfaces, configuration)
    def deviceCounters(device, interfaces, configuration)
Cluster APIs:
    def clusterModify(device, configuration)
    def clusterAudit(device, configuration)
Service APIs:
    def serviceModify(device, configuration)
    def serviceAudit(device, configuration)
    def serviceHealth(device, configuration)
    def serviceCounters(device, configuration)
Endpoint/Network event handling APIs:
    def attachEndpoint(device, configuration, connector, ep)
    def detachEndpoint(device, configuration, connector, ep)
    def attachNetwork(device, configuration, connector, nw)
    def detachNetwork(device, configuration, connector, nw)

Slide 13: Service Insertion Overview & Description

Slide 14: Service Insertion Using Service Graph
- A service graph is an ordered set of functions between a set of terminals
- A function has one or more connectors
- A function within a graph may require one or more parameters
Diagram: Service Graph "web-application": Terminal (Consumer) -> Function Firewall -> Function SSL offload -> Function Load Balancer -> Terminal (Provider), linked by connectors.
  Firewall params: permit ip tcp * dest-ip dest-port 80; deny ip udp *
  SSL params: ip address, port 80
  Load-Balancer params: virtual-ip, port 80; lb-algorithm: round-robin
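The whitelist filtering model of the EPG, contract-action and redirection slides above, together with the ordered-function graph of this slide, can be made concrete in code. The following Python is an added illustration, not Cisco or APIC code: the EPG and EP names, the redirect rule (TCP 80 to FIREWALL_ADC_PROD) and the 5 x 5 = 25 ACL count come from the slides; the data structures, the consumer-to-provider match direction and the first-match rule ordering are assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_epg: str
    dst_epg: str
    proto: str
    dst_port: Optional[int] = None


@dataclass
class Filter:
    proto: str = "*"                # "*" matches any protocol
    dst_port: Optional[int] = None  # None matches any destination port

    def matches(self, flow: Flow) -> bool:
        if self.proto != "*" and self.proto != flow.proto:
            return False
        return self.dst_port is None or self.dst_port == flow.dst_port


@dataclass
class Rule:
    criteria: Filter
    action: str                     # "permit", "deny" or "redirect"
    log: bool = False
    graph: Optional[str] = None     # service graph name when action == "redirect"


@dataclass
class Contract:
    consumer: str
    provider: str
    rules: list = field(default_factory=list)


@dataclass
class ServiceGraph:
    name: str
    functions: list                 # ordered function nodes between the two terminals


@dataclass
class Verdict:
    action: str
    path: list                      # nodes traversed when redirected into a graph
    logged: bool = False


class Fabric:
    def __init__(self, epgs: dict, contracts: list, graphs: list):
        self.epgs = epgs            # EPG name -> list of endpoint names (constructed)
        self.contracts = contracts
        self.graphs = {g.name: g for g in graphs}

    def evaluate(self, flow: Flow) -> Verdict:
        # Intra-EPG traffic is open without any contract.
        if flow.src_epg == flow.dst_epg:
            return Verdict("permit", [])
        # Only the consumer-to-provider direction is modelled; the first
        # matching rule wins (an ordering assumption, not stated on the slides).
        for contract in self.contracts:
            if contract.consumer != flow.src_epg or contract.provider != flow.dst_epg:
                continue
            for rule in contract.rules:
                if not rule.criteria.matches(flow):
                    continue
                if rule.action == "redirect":
                    graph = self.graphs[rule.graph]
                    path = ["consumer terminal"] + graph.functions + ["provider terminal"]
                    return Verdict("redirect", path, rule.log)
                return Verdict(rule.action, [], rule.log)
        # Whitelist model: nothing matched, so the flow is dropped ("drop unknown").
        return Verdict("deny", [])

    def acl_entries(self, contract: Contract) -> int:
        # One contract expands to one ACL entry per (consumer EP, provider EP) pair.
        return len(self.epgs[contract.consumer]) * len(self.epgs[contract.provider])


def build_demo() -> Fabric:
    """Constructed fabric mirroring the slides: two EPGs of five EPs and one contract."""
    epgs = {
        "EPG1": ["EP1-A", "EP1-B", "EP1-C", "EP1-D", "EP1-E"],
        "EPG2": ["EP2-A", "EP2-B", "EP2-C", "EP2-D", "EP2-E"],
    }
    graph = ServiceGraph("FIREWALL_ADC_PROD", ["firewall", "load balancer"])
    contract = Contract("EPG1", "EPG2", [
        Rule(Filter("tcp", 80), "redirect", log=True, graph="FIREWALL_ADC_PROD"),
        Rule(Filter("udp"), "deny", log=True),
    ])
    return Fabric(epgs, [contract], [graph])
```

Running `build_demo().evaluate(Flow("EPG1", "EPG2", "tcp", 80))` yields a redirect whose path walks consumer terminal, firewall, load balancer, provider terminal; a TCP 443 flow between the same EPGs has no matching rule and is dropped, which is the whitelist behaviour the deck describes.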
Slide 15: Service Automation Roles and Responsibilities (TenantX)
Managed objects: Service Graphs; Device and Service Configuration. Diagram: Device Package A, B and C, each backing Device A, Device B and Device C.
Provider Network Administrator:
- Upload device package
- Register devices
- Allocate devices to a tenant
- Publish Service Graphs
Self-Service User, App Ops or Tenant Admin:
- Publish Service Graphs
- Deploy Service Graphs

Slide 16: Configuring device package

Slide 17: Importing A Device Package Into APIC

Slide 18: Device Information Extracted Out of Device Package
- Vendor info, software version info and model info of the service device
- How many interface types the appliance has (e.g. Inside, Outside and Mgmt)
- Functions (or services) provided by the service device: SLB, SSL, Responder

Slide 19: Function Information Extracted Out of Device Package
- A function has connectors that represent the network connectivity needed for the function to work
- A function has configuration that needs to be provided to the function

Slide 20: Device Clusters

Slide 21: Logical Device Clusters
- Have one or more concrete devices
- Logical Interfaces (LIF)
  - When a graph is instantiated, networking resources (e.g. a VLAN) are allocated to logical interfaces
  - A LIF may have one or more concrete interface (CIF) mappings
- Has device configuration parameters
  - Configuration is passed to the concrete devices when a logical device is added to APIC
Diagram: Logical Device Cluster containing Concrete Devices.
Annotation (translated): only one active and one standby device are supported.
Slide 22: Using Service Device With Service Graphs
- A service graph uses a specific device cluster as per the admin-defined device cluster selection policy
- The infra admin connects the concrete device to the fabric and assigns a management IP
- The infra admin registers the device with APIC; APIC validates the device using the device specs from the device package
- The device cluster represents the device cluster that is used by the graph
- FCS limitation: only device clusters with a maximum of two concrete devices in active-standby mode are supported
Diagram: two Concrete Devices form a Device Cluster backing the SLB Service Graph Function Node.

Slide 23: Concrete Devices
- Represents an actual service device: firewall, SLB/SSL, IPS, etc.
- Is physical or virtual
- May only be part of one logical device
- Has one or more concrete interfaces
- A CIF may be part of one or more LIFs

Slide 24: Device Cluster Selection Policy
- Defines how a service graph selects a specific device cluster
- Has three main selectors: graph name, contract name, function node name
- Allows the admin to select different clusters inside graphs, contracts, and functions within service graphs

Slide 25: Configuring Device Clusters

Slide 26: Register Concrete Devices with APIC
On the device:
- Configure the management IP address on the device
- Create a username/password for APIC to manage the device
On the APIC:
- Registering the device requires the IP address and login credentials
- Attach the management interface to the appropriate interface/port-group

Slide 27: Configuring A Logical Device

Slide 28: Configuring A Logical Device
- Device Package
- Single Tenant/Multi Tenant
- Physical/Virtual
- Cluster Management IP/Port
- Logical Interfaces
- Function node connectors are associated with logical interfaces
- Logical Device Configuration Parameter

Slide 29: Adding Concrete Device To Logical Device
- Concrete interfaces and their connectivity information
- Concrete Device Configuration Parameter
- Concrete Device Management IP/Port

Slide 30: Using Virtual Service Appliance
- The Logical Device type is selected as VIRTUAL
- APIC creates the appropriate port groups for the virtual service appliance and places the VNICs into the right port groups as needed by the service graph
- The concrete device has the VM name, vCenter name and the VNIC name for each concrete interface

Slide 31: Configuring Logical Device Selection Policy
- A specific logical device can be selected based on a contract name, graph name or the function node name inside the graph

Slide 32: Script APIs For Device Creation & Modification
Device APIs:
    def deviceValidate(device, version)
    def deviceModify(device, interfaces, configuration)
    def deviceAudit(device, interfaces, configuration)
    def deviceHealth(device, interfaces, configuration)
    def deviceCounters(device, interfaces, configuration)
Cluster APIs:
    def clusterModify(device, configuration)
    def clusterAudit(device, configuration)
- When a concrete device is added, APIC invokes the validate API to validate the device as per the specification in the device package. The device must have the appropriate software version and vendor.
- Upon successful validation, APIC invokes the deviceModify API to let the script perform one-time device configuration.
- When a logical device is added, APIC invokes the clusterModify API to let the script perform one-time cluster configuration.
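The Device Cluster Selection Policy and Configuring Logical Device Selection Policy slides say a cluster is chosen by graph name, contract name and function node name. The following Python model is an added example, not APIC code: policy entries carry the three selectors, each of which may be a wildcard, and, as an assumption the slides do not state, the entry matching the most explicit selectors wins. The cluster and contract names are constructed.

```python
from dataclasses import dataclass
from typing import Optional

ANY = "*"   # wildcard selector (assumed notation)


@dataclass(frozen=True)
class SelectionEntry:
    graph: str
    contract: str
    function_node: str
    cluster: str            # logical device cluster that renders the matched node

    def specificity(self, graph: str, contract: str, node: str) -> Optional[int]:
        """Count of explicit selectors matched, or None if any explicit selector fails."""
        score = 0
        pairs = ((self.graph, graph), (self.contract, contract), (self.function_node, node))
        for wanted, actual in pairs:
            if wanted == ANY:
                continue
            if wanted != actual:
                return None
            score += 1
        return score


def select_cluster(policy: list, graph: str, contract: str, node: str) -> Optional[str]:
    """Most-specific matching entry wins; None when no entry covers the node."""
    best, best_score = None, -1
    for entry in policy:
        score = entry.specificity(graph, contract, node)
        if score is not None and score > best_score:
            best, best_score = entry.cluster, score
    return best


def render_graph(policy: list, graph: str, contract: str, nodes: list) -> dict:
    """Resolve every function node of a graph; a None value flags an unresolved node."""
    return {node: select_cluster(policy, graph, contract, node) for node in nodes}


# Constructed policy: a shared firewall cluster for every graph, a default ADC
# cluster for the web-application graph, and a dedicated one for the prod contract.
DEMO_POLICY = [
    SelectionEntry(ANY, ANY, "Firewall", "ASA-cluster-shared"),
    SelectionEntry("web-application", ANY, "LoadBalancer", "ADC-cluster-A"),
    SelectionEntry("web-application", "web-to-app-prod", "LoadBalancer", "ADC-cluster-prod"),
]
```

`render_graph` returning a `None` for a node is the condition an operator would want surfaced before deployment: the graph references a function node that no selection policy covers, so that node cannot be rendered on any device cluster.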
Slide 33: Create Service Graph
Diagram labels: ToContract, FromContract.

Slide 34: Service Graph Parameters
- A service graph is an ordered set of functions between a set of terminals
  - A service graph can be defined through the GUI, the CLI or the APIC API
- A function within a graph may require one or more parameters
  - Parameters can be scoped by an application component, an application profile or the tenant context
  - Parameters could also be assigned at the time of defining an abstract graph; parameter values can be locked from further changes
- A function has one or more connectors; connectors link the functions together
  - Transient functions have two connectors; a stub such as an IDS has one
Diagram: Service Graph "web-application": Terminals -> Func: Firewall -> Func: SSL offload -> Func: LoadBalancer -> Terminals, linked by connectors. Firewall params: permit ip tcp * dest-ip dest-port 80, deny ip udp *; SSL params: ip address, port 80; Load-Balancer params: virtual-ip, port 80, lb-algorithm: round-robin.

Slide 35: Associate Graph to a Contract

Slide 36: Finished Graph
Slide 37: ADC Service Graph Changes Via EP Attach/Detach
- A new web server is deployed
- APIC detects a new end-point attached for a web application component
- APIC walks through the associated graph and calls the device "endPointAttach" event handlers for the associated devices
- A load balancer device can implement the EP attach function to dynamically add a new server and bind it to a load-balancer virtual service
- When the device is de-commissioned, APIC calls the "endPointDetach" event
- A load balancer device can use the EP detach function to remove the server configuration and unbind the server from the load balancer virtual server
Diagram: App Component: Web and App Component: External at the terminals of Service Graph "web-application" (Func: Firewall -> Func: SSL offload -> Func: LoadBalancer); Web EP-1 attaches. Commands issued on the ADC:
    add server EP-
    add service web-service- HTTP 80
    bind lb vserver vserver-web web-service-1
    unbind lb vserver vserver-web web-service-1
    rm service web-service- HTTP 80
    rm server EP-

Slide 38: Audits And Compliance
- Application policy and state is stored within the APIC as metadata
- Contracts specify service insertion between EPGs
- Services configuration metadata associated with the contract and application profile
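The Script APIs slide gives the order in which APIC drives a device script (validate, then one-time device and cluster configuration) and the EP Attach/Detach slide gives the add/bind and unbind/remove sequence a load balancer performs. The following Python ties the two together as an added illustration; it is not a Cisco or vendor device package. It reuses the API names from the slides (deviceValidate, deviceModify, clusterModify, attachEndpoint, detachEndpoint), but the argument shapes (plain dicts), return values, the vendor and version values and the exact command strings are assumptions, with the commands following the slide's add server / add service / bind lb vserver wording.

```python
# Constructed device-specification values standing in for a real DeviceSpec.
SPEC = {"vendor": "ExampleADC", "min_version": (10, 1), "max_cluster_size": 2}


def _version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def deviceValidate(device: dict, version: str) -> bool:
    """Accept a concrete device only if vendor and software version satisfy the spec."""
    if device.get("vendor") != SPEC["vendor"]:
        return False
    try:
        return _version_tuple(version) >= SPEC["min_version"]
    except ValueError:      # a malformed version string fails closed
        return False


def deviceModify(device: dict, interfaces: dict, configuration: dict) -> list:
    """One-time device configuration: bind each logical interface's VLAN to its CIF."""
    device["bound"] = {}    # per-device record of endpoints currently bound to the vserver
    return [f"bind vlan {lif['vlan']} -ifnum {lif['cif']}" for lif in interfaces.values()]


def clusterModify(device: dict, configuration: dict) -> list:
    """One-time cluster configuration; the deck allows at most an active-standby pair."""
    peers = configuration.get("peers", [])
    if len(peers) > SPEC["max_cluster_size"]:
        raise ValueError("cluster exceeds the supported active-standby pair")
    return [f"add ha node {idx} {ip}" for idx, ip in enumerate(peers, start=1)]


def attachEndpoint(device: dict, configuration: dict, connector: str, ep: dict) -> list:
    """New server behind the provider connector: add server and service, bind to vserver.

    Only the provider-side connector carries real servers (assumption), and an
    endpoint that is already bound is ignored so repeated attach events are idempotent.
    """
    if connector != "provider" or ep["id"] in device["bound"]:
        return []
    server, service = f"EP-{ep['id']}", f"web-service-{ep['id']}"
    device["bound"][ep["id"]] = (server, service)
    return [
        f"add server {server} {ep['ip']}",
        f"add service {service} {server} HTTP {configuration['port']}",
        f"bind lb vserver {configuration['vserver']} {service}",
    ]


def detachEndpoint(device: dict, configuration: dict, connector: str, ep: dict) -> list:
    """Decommissioned server: unbind from the vserver, then remove service and server."""
    if connector != "provider":
        return []
    entry = device["bound"].pop(ep["id"], None)
    if entry is None:       # detach for an endpoint never attached: nothing to undo
        return []
    server, service = entry
    return [
        f"unbind lb vserver {configuration['vserver']} {service}",
        f"rm service {service}",
        f"rm server {server}",
    ]


def run_demo() -> list:
    """Replay the APIC call sequence for one constructed device and one web server."""
    device = {"vendor": "ExampleADC", "mgmt_ip": "192.0.2.10"}
    if not deviceValidate(device, "10.5"):
        raise RuntimeError("device rejected by validation")
    lifs = {"inside": {"vlan": 100, "cif": "1/1"}, "outside": {"vlan": 200, "cif": "1/2"}}
    cfg = {"vserver": "vserver-web", "port": 80}
    log = deviceModify(device, lifs, cfg)
    log += clusterModify(device, {"peers": ["192.0.2.10", "192.0.2.11"]})
    web1 = {"id": 1, "ip": "10.0.0.11"}
    log += attachEndpoint(device, cfg, "provider", web1)
    log += attachEndpoint(device, cfg, "provider", web1)   # duplicate event: no commands
    log += detachEndpoint(device, cfg, "provider", web1)
    return log
```

The fail-closed validation and the idempotent attach/detach handling are the parts worth keeping in mind when reviewing a real device script: APIC replays events and the appliance configuration must converge to the same state however many times an event arrives.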
