Openstack Summit: Networking and policies across Containers and VMs

Post on 21-Jan-2018



Networking Policies Across Containers and VMs
Sanjeev Rampal & Himanshu Raj
Container team, Cloud Platform and Services Group
OpenStack Summit 2017
@sr2357, @rajhimanshu

Mixed Mode Application Deployments

[Slide diagram: the Web, App and DB tiers of one application spread across VMs and containers, with policy enforced between the tiers]

Challenges

• Application Level Policy Enforcement Across Deployment
• End-to-end Monitoring
• High Performance

Challenges

• Encap over encap (over encap) costs performance
• Obscures visibility, makes diagnostics/monitoring difficult
• Harder to integrate with HW appliances

Networking In The Container World

[Slide diagrams, built up step by step: a physical network with a hypervisor on each of Host 1 and Host 2; VM1 and VM2 connected by a VXLAN overlay network; inside each VM, containers C1 .. Cn connected by virtual switching or a further VXLAN overlay network, so the container overlay runs on top of the VM overlay]

Agenda

• Hybrid Deployment Challenges
• Intro to Contiv Container Networking
• Cisco ACI + Contiv Integration
  • E2E policy enforcement
  • Monitoring
  • Performance
• Demo

Contiv

• 100% Open Source
• The Most Powerful Container Networking Fabric
• L2, L3, Overlay or ACI
• Rich Policy Model

[Slide diagram: Contiv positioned between DevOps and IT Admin, on top of any networking, any platform and any infrastructure; labels: Application Intent, Rich Policy, Connectivity, ACI integration, Containers/VM/BM, LDAP/RBAC]

Introduction to Contiv

[Slide diagram: the Contiv Policy Management System: a Policy Manager (manage/monitor policies, usage and quotas) pushes policy through a Policy Distribution Framework integrated with schedulers down to the Contiv Distributed Policy Enforcement Layer on Node 1, Node 2 .. Node-n (the policy enforcement points), with integration into Cisco infrastructure (Nexus/ACI/UCS)]

Micro-services With Contiv

Micro-services isolated within the network of a tenant (Web Group, App Group, DB Group)

1. Allow grouping of containers/pods
2. Specify policies between groups or from outside the network

Ability to provide granular micro-service based policies in a scalable way

Application Centric Infrastructure (ACI)

[Slide diagram: External Network → Web → App → DB endpoint groups on the ACI Fabric, managed by APIC, with QoS, Filter and Service contracts applied between the groups]

Benefits of Integrating Contiv with ACI

• Uniform policies for any workload: VMs | Bare-Metal | Container
• Policy automation for mix-mode workloads
• Scale: IPs, EPGs, Networks
• Performance: 40G and 100G optimized fabrics
• Telemetry/Diagnostics: container location aware physical network

Contiv ACI Integration

Unified Policy Automation and Enforcement Across BM, VM, and Containers

[Slide diagram: a Container Scheduler and the Contiv Master feed the Contiv APIC Gateway; on each hypervisor / container host (Host-1 .. Host-n) the Contiv plugin sits on OVS next to the Web and DB pods, with bare-metal Services part of the same policy domain]

Example Workflow

[Slide diagram: Network Admin, DevOps Admin and the Contiv NetMaster, with the steps numbered on the slide:]

0. Physical Network Prep
1. Contiv Tenant/Network Creation
2. Application Intent
   Tenant-1: External → Web:80 → DB:Port
   Tenant-2: External → Web:80 → DB:Port
3. DevOps Intent => ACI Policy
4. Launching Apps across Cluster
5. Policy Instantiation
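As an added example (not from the slides and not Contiv's own code or API), the following Python model captures the policy semantics described in the "Micro-services With Contiv" slide and in the Tenant-1 / Tenant-2 application intent above: workloads are endpoints placed in groups inside a tenant, groups are isolated unless an explicit rule allows a flow, and nothing crosses a tenant boundary. The group and endpoint names, the ports 8080 and 3306 (the slide only says "DB:Port"), and the assumption that members of one group may talk to each other freely are all constructed for the example. The `audit` function shows the defender's use of such a model: run observed flows through it and list the ones the policy would drop, which is what you would reconcile against enforcement-point telemetry.

```python
"""Constructed model of tenant/group network policy (hypothetical, not Contiv's API)."""
from dataclasses import dataclass
from typing import Optional

EXTERNAL = "external"  # pseudo-group for traffic entering from outside the tenant network


@dataclass(frozen=True)
class Endpoint:
    name: str
    tenant: str
    group: str


@dataclass(frozen=True)
class Rule:
    tenant: str
    from_group: str   # a group name in the same tenant, or EXTERNAL
    to_group: str
    proto: str
    port: int


class PolicyModel:
    def __init__(self) -> None:
        self.rules: set = set()

    def allow(self, tenant: str, from_group: str, to_group: str, proto: str, port: int) -> None:
        self.rules.add(Rule(tenant, from_group, to_group, proto.lower(), port))

    def is_allowed(self, src: Optional[Endpoint], dst: Endpoint, proto: str, port: int) -> bool:
        """Decide one flow. src=None means the packet came from outside the tenant network."""
        if src is not None:
            if src.tenant != dst.tenant:
                return False            # tenants never talk to each other, whatever the rules say
            if src.group == dst.group:
                return True             # model assumption: members of one group may talk freely
            from_group = src.group
        else:
            from_group = EXTERNAL
        # default deny: only an exact (tenant, from, to, proto, port) rule opens the path
        return Rule(dst.tenant, from_group, dst.group, proto.lower(), port) in self.rules

    def audit(self, flows):
        """Return the flows the policy would drop as (src_name, dst_name, proto, port)."""
        denied = []
        for src, dst, proto, port in flows:
            if not self.is_allowed(src, dst, proto, port):
                denied.append((src.name if src else EXTERNAL, dst.name, proto, port))
        return denied


def build_demo():
    """Two tenants, each with the three-tier intent from the slides: External -> Web:80 -> App -> DB."""
    pm = PolicyModel()
    for tenant in ("tenant-1", "tenant-2"):
        pm.allow(tenant, EXTERNAL, "web", "tcp", 80)
        pm.allow(tenant, "web", "app", "tcp", 8080)   # 8080 and 3306 are constructed values;
        pm.allow(tenant, "app", "db", "tcp", 3306)    # the slide only says "DB:Port"
    eps = {
        "web1": Endpoint("web1", "tenant-1", "web"),
        "app1": Endpoint("app1", "tenant-1", "app"),
        "db1": Endpoint("db1", "tenant-1", "db"),     # a VM or a container; the policy is the same
        "web2": Endpoint("web2", "tenant-2", "web"),
    }
    return pm, eps


def demo_audit():
    """Run a handful of constructed flows through the model and return the dropped ones."""
    pm, e = build_demo()
    flows = [
        (None, e["web1"], "tcp", 80),          # allowed: external -> web:80
        (e["web1"], e["app1"], "tcp", 8080),   # allowed: web -> app
        (e["app1"], e["db1"], "tcp", 3306),    # allowed: app -> db
        (e["web1"], e["db1"], "tcp", 3306),    # dropped: web may not bypass the app tier
        (None, e["db1"], "tcp", 3306),         # dropped: db is not reachable from outside
        (e["web2"], e["app1"], "tcp", 8080),   # dropped: cross-tenant, although both tenants have the rule
        (e["web1"], e["app1"], "tcp", 22),     # dropped: right path, wrong port
    ]
    return pm.audit(flows)


if __name__ == "__main__":
    for flow in demo_audit():
        print("DENY", flow)
```

The cross-tenant case is the one worth keeping in mind when the same intent is stamped out per tenant, as on the workflow slide: an identical rule in tenant-2 must never open a path into tenant-1, so the tenant check is evaluated before any rule lookup.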

Demo

Demo Physical Topology

[Slide diagram: Cloud A with Host-1, Host-2 .. Host-n; Cloud B]

Demo Application

• Containers Cloud 'A' (OpenShift/Kubernetes): C11 (nginx), C12 (nginx); C21 (alpine), C22 (alpine)
• VMs Cloud 'B' (OpenStack/vSphere)
• VM 'Z': L7 load balancer / web reverse proxy (HAProxy)
• Service 1: "default-group"
• Service 2: "privileged-group"
• Service 3: e.g. database VM

Getting More Information / Getting Started

http://contiv.io/

Available on SlideShare: Cisco on SlideShare, https://www.slideshare.net/Cisco/

@sr2357 @rajhimanshu