Us navy virtual services 030316

Brenden BureshDC TSA – CCIE #[email protected] 3rd, 2016

Enabling Virtual Application Infrastructure Policies

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Agenda

• VACS Value Proposition• Container Options• What is VACS

• What’s in the latest version 2.1• Summary & Conclusion


Cisco Virtual Application Cloud Segmentation (VACS)

Secure segmentation in minutes on shared policy-

based infrastructure

Simplified virtual networking and

security

Unified virtual services licensing: cost-effective

solution


What is a VACS Container?

VACS

VACS Containers are:• Virtual Network & Security Services Templates for

Application Workloads

• Topology Configurations designed for logical secure

isolation and compliance

• Exposed through UCS-D GUI to allow rapid and

consistent provisioning of Secure Applications


VACS Business Relevance for Customers

• Logical Segmentation of Applications and Application Layers• Seamless integration of Best in Class Products• Built on Industry Leading platforms (IOS/NX-OS)• Ease of Container Spin-up/Spin-Down (VM’s and Services)• Ability to Customize based on application requirements• Virtual-only Services today, Adding Hardware Services• Keep same Secure Segmentation from Campus/Branch to the

Application Policy (SGT/SG-ACLs)• Unified licensing for all services, Less $$ than NSX• UCS Director for Policy Automation, also provides workflow-based

automation for other Virtual and Physical Infrastructure


• Rapid and consistent Deployment of Secure Application Environments• Virtualization density increases as Intel delivers on Moore's Law. The

resulting Higher VM:Host Ratio Increases Exposure• Maintaining Logical Secure Isolation and Compliance for co-hosted

applications becomes critical as economics drive consumption

• Re-use of Same IP Address Space so Development environment more closely mirrors Production

• Bring existing applications under control of an instantiated VACS template to Enable Consistency and Self-Documentation

VACS Drivers for Customers


Agenda




• Linux Containers• Docker• UCS Director – Fenced Containers• Virtual Application Cloud Segmentation

• Logical grouping of workloads using a common set of services in an easy to deploy method

Segmentation Options

“Containers Virtualize at the O/S level, Hypervisors virtualize at the Hardware level” – Greg Ferro


• Main and evolving components:• LXC – libraries, tools, templates – base of Containers, Docker• LXD – REST API for common CLI operations ~1yr since release• CGManager – manager for nested, unprivileged containers• LXCFS – user-space FileSystem (FUSE)

• “Our main focus is system containers. That is, containers which offer an environment as close to possible as the one you’d get from a VM but without all the overhead of running a separate kernel and simulating all the hardware.” – linuxcontainer.org

Linux Containers


• LXC Components:• liblxc• API interfaces – ruby, python2, Go, Haskell

• LXD Components:• lxc – CLI• lxd- REST API, definition of unprivileged containers w/ resource restrictions• nova-compute-lxd – OpenStack plug-in for lxd nodes as ComputeNode

Container Components, More Detail


• CGManager:• Central privileged daemon for cgroups via D-Bus API• Isolating nested containers from the Kernel and resolving GIDs/UIDs

• LXCFS Components:• Designed to work around traditional Kernel FS shortcomings• Container-aware cgroupfs tree, works with CGManager

LXC More Detail


• No requirement for Virtual Machine Manager (vCenter/SCVMM/etc.)• Can use Docker

Hub/Kubernetes/Cisco Container Hub

• Fast boot-up/down (500msec vs. 20sec for VM)• Use of etcd and fleet for

common services recognition within a cluster

• No North/South or East/West Segmentation

Docker

Host

App

/bin/lib

DockerEng

Host Kernel

App

/bin/lib

DockerEng …

Host

App

/bin/lib

GuestOS

Hypervisor

App

/bin/lib

GuestOS …

Host Kernel


• Defined within UCS Director• Only Edge Control• Multi-Homed Guests

• No Inter-VLAN Security• No VM-VM Security

• Feature available since Cloupia “inception”

• Use IP Tables for L3

UCS Director – Fenced Container

VM-1

VM-n

Network 110.10.10.0/28

Network 220.20.20.0/28

Container Firewall

ExternalNetworks


Agenda




VACS – Secure Segmentation in MinutesShared Policy Based Infrastructure

Secure segmentation in mins on shared infrastructure

Simplified virtual networking and security

Unified virtual services licensing: cost-effective

solution

Physical segmentation can result in longer provision time and under-utilized resources, non-optimal traffic paths

Procure, rack, stack and provision individual devices

Current Manually Segmented

Architecture

Enforced by best in class virtual networking

and security services

Policy-based Virtual Segmentation

with VACS

Virtual segmentation– independent of physical topology

VACS VACS

Vcenter Vcenter


VACS – Simplified Virtual Networking and Security Shared Policy-Based Infrastructure

Current provisioning model Wizard based provisioning model with full life cycle mgmt.

of virtual services

Provisions subnet / NAT /

Routing

Provisions VIP

Provision FW rules /

GW

VACSVACS

Vcenter Vcenter

No longer have to configure individual components.

VACS does it for you.


VACS – Unified Virtual Services LicensingBased on Per Server Model

UnifiedLicensing Per Server Based

Create as many instances as you need and with 10G throughput!

Automated Provisioning and OrchestrationUCS director

Load-balancerHA Proxy

• Every vendor has different licensing schema

• Per instance based

• Expensive as throughput increases RoutingCSR 1000V

Virtual FabricNexus 1000V Platform for Distribute FW

Zone based FWVirtual Security Gateway

Edge FWCSR 1000V

Current pricing schema makes virtual services cost prohibitive

VACS


VM V

M

VM

VACS

VM V

M

VM

VACS

VACS – Choice of Virtual/PhysicalBuild Containers with Gateway of Choice

VM V

M

VM

VACS

External Virtual GWASAv, vGW, vPAN

Physical GWASA, Checkpoint, PAN

Virtual GWCSR 1000v

Built-In Gateway Physical Gateway Other Virtual Gateway

VACS Enables Choice of Virtual/Physical to Meet Application RequirementsInstallation/Upgrade/Configuration of gateways is performed only for CSR1000v, VSG, HA Proxy


VACS Deployment OptionsTypes of Logical Segmentation Templates

3 Tier - Internal Access 3 Tier - External Access Custom Container

VACS VACS VACS


Deeper View: VACS Containers – 3-Tier

App Zone

Upstream RouterRouting – EIGRP or OSPF or Static

CSR 1000V VLAN 1/ VXLAN 101

• NAT (Optional)• L3 Routing – EIGRP or OSPF

(P2) • Edge FW• Monitoring Features

Web Zone DB Zone

VSG Zone based FW

HA Proxy HTTP(s) LB

VACS – 3 Tier App Container (Internal)

Closed Door(Blocked)

Open Door(Pass)


VACS Enhanced Security: Secure Group Tags

App Zone

CSR 1000V • NAT (Optional)• L3 Routing – EIGRP or OSPF


Web Zone DB Zone

VSG Zone based FW

HA Proxy HTTP(s) LB


• SGTs from Campus TrustSec on VEM


VACS Enhanced Security: Adding ASAv

App Zone



Web Zone DB Zone

VSG Zone based FW

HA Proxy HTTP(s) LB


• NAT (Optional)• L3 Routing – EIGRP or OSPF • Full FW• Monitoring Features

ASAv

FirePowerV• Next Gen IPS


Roadmap


VACS Enhanced Security: Add Physical ASA55xx

App Zone



Web Zone DB Zone

VSG Zone based FW

HA Proxy HTTP(s) LB


• NAT (Optional)• L3 Routing – EIGRP or OSPF • Full FW• Next-Gen IPS• Monitoring Features

ASA55xx w/FirePower


Roadmap


VACS Enhanced Security: Add FirePOWER

App Zone



Web Zone DB Zone

VSG Zone based FW

HA Proxy HTTP(s) LB


• NAT (Optional)• L3 Routing – EIGRP or OSPF • Full FW• Next-Gen IPS• Monitoring Features• High Scalability

FirePower Threat DefenceVirtual


FTDv

Roadmap


Micro-Segmentation with VACS

www

www

Web application Web-1

Web application Web-2

Public Design App-1 (VM3)

Confidential Design App-2 (VM4)

Perimeter Firewall

Web-1 zone

Web-2 zone

App-1 zone

App-2 zone

Source Destination Policy

Web-1 App-1 Allow

Web-2 App-2 Allow

Web-1 App-2 Drop

Web-2 App-1 Drop

Micro-segmentation in Three Clicks

Define Zones

Add VMs

Apply zone based policies

Detailed VACS Container


• Key assumptions:• Cisco solution = Cisco ONE Enterprise Cloud Suite + vSphere Enterprise Plus

with Operations Management• VMware solution = vCloud Suite Enterprise + NSX • TCO calculation include Product Licenses + 3 year Service

• Simple TCO Excel Tool:

http://go2.cisco.com/vacs_vs_nsx_tco

Cisco VACS Offers a Lower TCO Than VMware Alternative

27% lower

http://go2.cisco.com/vacs_vs_nsx_tco


• Plan, design, and implementation expertise to bring VACS into production in less than a week

• Deploy UCSD• Install VACS workflows• Configure VMware virtual infrastructure• Deploy PNSC• Deploy VSUM for N1K• Deploy N1K

• Creation of virtual compute, network, and storage policies

• Definition of Global Resource Pools

• Rapid go-live of application containers

• Publication of containers to self-service UCS Director catalog

• Knowledge transfer and training

Cisco Plan and Build Service for VACSAS-Fixed Service Description

VACS Plan and Build

ASF-DCV1-G-VACS

o Workshop to Review Customer Environment o Implementation Plan o Software Installationo Configuration and Provisioningo Test Supporto Knowledge Transfero As Built Documentation

Activities and Deliverables


VACS Licensing

A la carteSKU’s

• CUIC-VACS-01 - $4500(US)

• CUIC-VACS-OFFERS – volume discounts

• CUIC-VACS-SVR-PROM - $6000(US) (includes VACS & UCSD)

• Cisco ONE Enterprise Cloud Suite

• SKU: C1-UCS-M• Requires Qty(x):

C1F2PUC(x)K9

C1A1PUCS(x)K9CUIC-BASE-K9

• Total - $9856(US)

Key Licensing Points:VACS Licensing same as UCSD

License per Server for 50 VMs

Includes all component product license

• N1Kv

• VSG

• CSR 1000V (VACS functionality only)

• HAProxy

Cisco ONE forData Center


Cisco VACS Advantage over 3 Year Period27% lower TCO than NSX

VMware vCloud Suite and NSX

Cisco ONE ENT and vSphere with Ops

2,000 Virtual Machines (20 per host), one vCenter 10,000 Virtual Machines (20 per host), two vCenters

Discounts: considering 65% on licenses, 10% on services for both Cisco and VMware

VMware vCloud Suite and NSX

Cisco ONE ENT and vSphere with Ops

28% Lower 27% Lower


• Link to the N1K Statement of Direction - https://cisco.box.com/s/ntpb5dn5nrzf6wbcncdrk5niy0pm8qas

• Will be posted to CCO soon

• Please forward internally and externally

Customer Facing Nx-1Kv Statement of Direction

https://cisco.box.com/s/ntpb5dn5nrzf6wbcncdrk5niy0pm8qas

https://cisco.box.com/s/ntpb5dn5nrzf6wbcncdrk5niy0pm8qas


Nexus 1000V has been supported since vSphere 4.0 in 2009

Cisco and VMware have agreed to extend support of Nexus 1000V in vSphere 6.x and future releases Nexus 1000V releases - 5.2(1)SV3(1.4) & up supports VMware vSphere 6.0 started shipping 4/17/2015

VSUM supports vCenter 6.x and vSphere 6.x

Nexus 1000V and VMware vSphere Support

vSphere 4.x

vSphere 5.0 and 5.1

vSphere 5.5

vSphere 6.x

EOS 2014

EOS 2016

EOS 2018

Note: End of Technical Guidance is 2 years after End of Support (EOS) date


VMware vSphere 6.0 Release Notes: https://www.vmware.com/support/vsphere6/doc/vsphere-esxi-vcenter-server-60-release-notes.html

VMware Support Matrix: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2109760

Nx-1Kv is Part of the Compatibility Matrix for vSphere


Agenda




What’s New in VACS 2.1• Overlapping IP Subnet Pools• CSR delegated licensing• Add/Delete VNICs to VMs• Adding VM from OVF• Service VM password management• REST API enhancements

• APIs for STATIC NAT, ERSPAN ADD/DELETE VM FIREWALL POLICY Retrieval of all container details

• REST API for bypassing templates and creating a fully parametrized container• Reporting

• Resource history report, Secure Container reports• Resubmit for container deployment

• VACS 2.1 supports resubmit of failed/interrupted container deployment workflows• UI Localization: French language support

Now Available


Overlapping IP Subnet Pools

Prior to 2.1, VACS contained a global IP Subnet Pool and did not allow for overlapping IP addresses

With 2.1 not only do we enable overlapping IP Subnet Pools, we offer it on three levels: Global (a subnet allocated cannot be

reallocated) Tenant (overlap between

tenants/groups) Container (overlap between containers)

Supported by enhancements to the GUI and internal allocation logic.

Global

Tenant

Container

Overlapping AllocationAllocation Scope


Service VM Password Management

Service VMs (i.e., CSR, VSG or SLB) deployed by VACS are assigned randomly generated passwords for admin access.

VACS stores these in a database table to enable any automatic re-configuration actions Any changes made through direct access to the service

VMs are NOT updated in the database table

In VACS 2.1 users can override the random passwords with new passwords based on their company standards Any changes made through the new GUI and Logic

enhancements are updated in the database table maintaining system level consistency


Add/Delete VNICs to VMs

Starting in VACS 2.1 vNICs can be dynamically added to or deleted from application workload VMs Does not apply to service VMs Involves power off/on for

reconfiguration Each application VM by default has

exactly one vNIC connected to the GW. This vNIC cannot be deleted

Additional vNICs can be added/deleted onto secondary portgroup networks


Adding VM from OVF

VACS allows adding application VMs to be added either through template parameters or post container operations Prior versions of VACS required the use of

VM templates defined in vCenter VACS 2.1 allows these additions from

arbitrary OVFs in addition to VM templates Pre-loading OVFs in UCS Director is required With OVFs you can specify global availability

or restricted to a group or specific user


Viewing Resource History Report

Provides a transaction history of all pool allocations and de-allocations

This includes VLAN, VXLAN, IP addresses and IP subnets

The report includes timestamp and context information for each allocation/de-allocation event

The columns of the report can be customized

Filters can be defined for restricting to specific subsets of events

Reports can be exported as PDFs, CSV or Excel formats


CSR 1000V VACS Delegated Licensing CSR 1000V deployed in VACS no longer use

licensing based on smart licensing. VACS functionality is not dependent on active smart license account for CSRs.

CSR licensing integrated with VACS licenses UI for collecting smart license account info and token

id is discontinued CSRs active in containers deployed by pre-2.1 sw

will not be re-licensed by VACS sw. They can continue to operate as they are.

CSR 1000Vs deployed by VACS 2.1 (and later) software will use the new delegated mode of licensing


Resubmit for Container Deployment

• VACS 2.1 supports resubmit of failed/interrupted container deployment workflows

• In previous releases resubmission was disabled. Invoking resubmit would elicit an error message

• If a container deployment workflow fails with an exception for reasons such as insufficient resources or network errors, it can be resubmitted after removing the cause of failure and will continue to completion if no further errors occur


REST API for Fully Parameterized Containers

• Prior to VACS 2.1 the only way to create a container was to create via a VACS template

• These templates could be published as catalog items for UCSD Self-service Portal

• Additionally, the template could be called using REST APIs from Prime Services Catalog (PSC) to create a container

• VACS 2.1 enables REST API for bypassing templates and creating a fully parameterized container

VACS Tenant


Agenda




VACS 2.2 (Planning)• vSphere 6.0 support• VACS w/ ASAv (ASAv as part of VACS container)• Bulk add of N1Kv hosts• Enhance VACS support for custom tasks (easily deploy 3rd party services )

Enhance VACS workflow tasks to save external meta data corresponding to a service request which then feeds into a custom UCSD task for its configuration of 3rd party LB or FW

• PSC Integration enhancements• New APIs

• Support of other routing protocols (OSPF, eBGP)• CECS 3.0 Requirements

Common installer, common user-groups and roles • Importing existing N1Kv customers to VACS• VACS User Interface update (HTML 5)• Enhancing container operations

Add/Modify zones after deployment, configuring resource limits

Target : Q1CY16 Roadmap


VACS Brings Much Needed Agility to the DC

VACS makes you more productive

1. Do more in less time

2. Improved customer satisfaction

3. Onboard developers / customers / apps in hours

4. Simplify operations

Simplicity to provision

Consistent Deployments

Much needed Visibility and Compliance

On-Demand Provisioning

“creating templates makes it easy to deploy.”- Enterprise customer

“…right licensing model for Cloud.”- Global Retail Customer


Now that we’re at the end of the session, you should have an improved understanding of:

• Some level of Container options• Why VACS had a name change • VACS including value proposition• How to use VACS against NSX Microsegmentation• What’s new in 2.1

Key Takeaways


Please visit http://www.cisco.com/go/vacs for more information

Release Notes: http://www.cisco.com/c/en/us/support/switches/virtual-application-container-services-vacs/products-release-notes-list.html

Install & Upgrade Docs: http://www.cisco.com/c/en/us/support/switches/virtual-application-container-services-vacs/products-installation-guides-list.html

For internal questions email [email protected] or [email protected]

VACS with TrustSEC Whitepaper: https://cisco.box.com/s/kfllrnq7gjnulqx9172d1bzdprxe8g7d

For external questions email: [email protected]

Additional Resourceso BDM Presentation

o TDM Presentation

o Datasheet

o VACS FAQ ( Cisco Internal )

o Value Proposition

o VACS Sponsored Deployment

o Ordering Guide

o Cisco ONE Enterprise Cloud Suite ( ECS)

o Deployment Guide

o What’s New in VACS 2.0

o What’s New in VACS 2.0.1

o What’s New in VACS 2.1

http://www.cisco.com/go/vacs

http://www.cisco.com/c/en/us/support/switches/virtual-application-container-services-vacs/products-release-notes-list.html



http://www.cisco.com/c/en/us/support/switches/virtual-application-container-services-vacs/products-installation-guides-list.html



mailto:[email protected]


https://cisco.box.com/s/kfllrnq7gjnulqx9172d1bzdprxe8g7d




http://iwe.cisco.com/c/document_library/get_file?p_l_id=975015529&groupId=975015518&folderId=975015651&name=DLFE-612518600.pptx


http://iwe.cisco.com/c/document_library/get_file?p_l_id=975015529&groupId=975015518&folderId=975015651&name=DLFE-624618411.pdf





http://iwe.cisco.com/c/document_library/get_file?p_l_id=975005048&groupId=975005037&folderId=976504109&name=DLFE-661918488.xls



https://cisco.box.com/s/jw1f24j6ynysfusei5hdpli3r8noen7v



Us navy virtual services 030316

Technology

Transcript of Us navy virtual services 030316