Post on 08-Aug-2015
Policy-based Infrastructure Provisioning for RecoverPoint with Cisco ACI
Carly Stoughton – Cisco Technical Marketing Engineer
Thomas Scheibe – Cisco Senior Director Product Management

Agenda
§ Group-Based Policy Concept in Cisco ACI
§ Integration of RecoverPoint for VMs and Cisco ACI
§ ACI Security/Compliance Properties
Enable the Cloud
[Figure: timeline from Consolidation to Virtualization to Automation and Enabling the Cloud (2008, 2009, 2014), across the LAN/SAN, network, compute, storage and access layers; today, under rapid application evolution, applications are driven by policy with Cisco ACI.]

Vision: Scale, Security and Full Visibility
[Figure: a tenant application at the centre, enabled by physical and virtual integration across the following layers.]
• Physical Networking
• Compute
• L4–L7 Services
• Storage
• Hypervisors and Virtual Networking
• Multi DC WAN and Cloud
The Problem
[Figure: data applications (DB, APP, WEB), infrastructure applications (ADC, F/W, ADC management) and management applications (vMotion, DNS), each built on its own network.]
Challenges attempting to automate network configurations:
• Provisioning models are built around the device
• Separate networks are built for the apps for policy, visibility, and security
• Legacy network security limits our ability to implement policy with mobility and cloud
Group Based Policy Model: Define Once – Deploy Consistently
Components of a group based policy:
• Endpoint Group: A set of endpoints (VMs/servers) with the same policy
• Contracts: A set of rules governing communication between endpoint groups
• Service Chains: A set of network services between endpoint groups
[Figure: an OUTSIDE endpoint group reaching the WEB, APP and DB endpoint groups (and a CRM APP group) through contracts, with ADC and F/W service chains inserted between them.]
Context-Aware Segmentation
[Figure: dynamic content, users and devices, and resources and demands feed a business policy that is abstracted and enforced in a distributed way; traffic is marked with a consistent policy context (device, group, role) carried as an endpoint group tag and immune to network changes; contracts join the DB, APP and WEB endpoint groups with ADC and F/W services.]
Group-Based Policy and OpenStack
OpenStack extensions on top of Neutron exposing a policy API.
[Figure: the Group Policy plugin sits on Neutron networking and drives either the OVS driver or the APIC group driver; Web, App and DB endpoint groups are spread across three hypervisors.]
Agenda (section 2 of 3): Integration of RecoverPoint for VMs and Cisco ACI
RecoverPoint for VMs & ACI - Objective
§ Automate network policies – define once/deploy consistently
§ Pre-configure four network instances on the VMware vSphere ESXi servers where RecoverPoint for VMs will be installed:
  – LAN Network
  – WAN Network
  – iSCSI1 & iSCSI2 Network
§ Associate the four RecoverPoint for VMs network interfaces (i.e., LAN Interface, WAN Interface, iSCSI1 Interface and iSCSI2 Interface) to the pre-configured network instances
Assumptions
§ VMware ESXi has been installed on the servers that will be used for RecoverPoint for VMs, and all servers have been assigned an IP address.
§ The “VM Network” shown in the logical topology has been created.
§ VMware vCenter server has been installed and all servers (single or multiple vCenter instances are possible).
§ Cisco ACI has been physically installed and all leaf switches have been initialized and are visible in the APIC Fabric Topology view.
§ Servers running VMware ESXi have been physically cabled to the Cisco ACI leaf switches as shown in the physical topology diagram.
Overview of Configuration Steps
1. ACI Configuration
   a. Configure the fabric
   b. Add VMware vCenter to APIC
   c. Verify connectivity
2. VMware vCenter Configuration
   a. Configure the Distributed vSwitch in vCenter
3. Tenant (RP4VM network) Configuration
   a. Create the RP4VM networks via APIC
   b. Modify the iSCSI port groups to allow iSCSI via VMware vCenter
   c. Configure vmknics and attach them to the iSCSI port groups via VMware vCenter
   d. Install the RP4VM appliance via VMware vCenter
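The group-based policy components (endpoint groups and contracts) and the four RP4VM networks created in step 3, as an added example that is not part of this deck: a small Python model of how ACI evaluates traffic between endpoint groups, which is the reason the iSCSI, LAN and WAN networks can be kept apart without per-device ACLs. The "mgmt" EPG, the "vcenter-access" contract and the bridge-domain names are assumptions; nothing here talks to an APIC.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class FilterEntry:
    proto: str   # "tcp", "udp" or "any"
    dport: int   # destination port; 0 matches any port

@dataclass
class Epg:
    name: str
    bridge_domain: str
    provided: set = field(default_factory=set)  # contracts this EPG provides
    consumed: set = field(default_factory=set)  # contracts this EPG consumes

class Fabric:
    """One tenant's EPGs and contracts with ACI's allow-list semantics: traffic
    inside an EPG flows freely; between EPGs it needs a matching contract."""
    def __init__(self):
        self.epgs = {}
        self.contracts = {}  # contract name -> list of FilterEntry

    def add_epg(self, name, bd, provides=(), consumes=()):
        self.epgs[name] = Epg(name, bd, set(provides), set(consumes))

    def add_contract(self, name, entries):
        self.contracts[name] = list(entries)

    def is_permitted(self, src, dst, proto, dport):
        """Evaluate the consumer->provider direction only; ACI's default
        'reverse filter ports' admits the return traffic of a permitted flow."""
        if src == dst:                        # same EPG: permitted by default
            return True
        s, d = self.epgs[src], self.epgs[dst]
        for name in s.consumed & d.provided:  # contract must bind both EPGs
            if any(e.proto in ("any", proto) and e.dport in (0, dport)
                   for e in self.contracts[name]):
                return True
        return False                          # no matching contract: deny

def build_rp4vm_tenant():
    """The four RP4VM networks from the deck plus a constructed 'mgmt' EPG
    and 'vcenter-access' contract (tcp/443) that the LAN network consumes."""
    f = Fabric()
    f.add_contract("vcenter-access", [FilterEntry("tcp", 443)])  # assumption
    f.add_epg("mgmt", "bd-mgmt", provides=["vcenter-access"])    # assumption
    f.add_epg("LAN", "bd-lan", consumes=["vcenter-access"])
    f.add_epg("WAN", "bd-wan")
    f.add_epg("iSCSI1", "bd-iscsi1")  # ESXi vmknics and appliance share this EPG
    f.add_epg("iSCSI2", "bd-iscsi2")
    return f
```

With this model the two iSCSI networks, the WAN and the LAN cannot reach one another at all, and the LAN reaches the management EPG only on tcp/443; every other inter-EPG flow is dropped by the fabric.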
Agenda (section 3 of 3): ACI Security/Compliance Properties
Security: P+V = C
Virtualization centric:
• No physical support
• Limited visibility
• Management complexity
+ Perimeter centric:
• Manual and complex
• Error-prone
• Static topology
• Limited places
= Application centric:
• Any workload and any place
• Full visibility
• Automated
PCI Compliant Network with Cisco ACI
• Simplifies audit based on higher level policy
• Secure network segmentation and isolation
• Defense in depth with advanced L4-7 security (NGFW, IDS/IPS, DDoS) integration
• Centralized auditing and security monitoring
[Figure: secure network, access control, centralized security policy, audit and monitoring.]
ACI-Ready
Vblock Systems with ACI-Ready Nexus 9000
• Policy management enhances operational simplicity
• Use policies to accelerate network configuration
• ACI further reduces risk through policy automation
Vblock Systems with ACI further extend IT agility: Vblock™ 340 and Vblock™ 720 Converged Infrastructure