Cisco Forum
End-to-End Data Center Automation. ACI + OpenStack
Виктор Подкорытов
Consulting Engineer
+ 380 67 449 11 21
OpenStack, an Open Source Cloud Management Platform
3 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Group-Based Policy
What’s Wrong with OpenStack Networking Today?
Cloud Application Model (diagram: Service A, Service B, Service C)
• No broadcast / multicast
• Resilient / Fault Tolerant
• Scalable Tiers
• Built around loosely coupled services
• Don’t care about IP addresses

Neutron Model (diagram: Network / subnet, Router, External Network)
• L2 / Broadcast is the base API!
• Network / routers / subnets
• Based on existing networking models
• No concept of dependency mapping or intent
Where Can We Do Better
§ Build self-documenting dependency maps of tiers of an application
§ Define network service chains between tiers of an application without low level configuration
§ Separate application requirements from low level APIs
§ Separate tenant from operator
[Figure panels: Dependency Mapping; Enable Network Services; Separation of Concerns. Labels: Service A, Service B, Service C, FIREWALL, Abstract Application API, Low level / Detailed API, OpenStack Tenant, Operator / Admin. Caption: Service A consumes Service B and Service C.]
Group-Based Policy Model
Policy Group: Set of endpoints with the same properties. Often a tier of an application.
Policy RuleSet: Set of Classifier / Actions describing how Policy Groups communicate.
Policy Classifier: Traffic filter including protocol, port and direction.
Policy Action: Behavior to take as a result of a match. Supported actions include “allow” and “redirect”.
Service Chains: Set of ordered network services between Groups.
L2 Policy: Specifies the boundaries of a switching domain. Broadcast is an optional parameter.
L3 Policy: An isolated address space containing L2 Policies / Subnets
[Figure: Group-Based Policy model. Labels: L3 Policy, L2 Policy, Policy Group, Policy Target, Policy Rule Set (provide / consume), Policy Rule (Classifier, Action), Service Chain (Node, Node).]
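An added example (not from the original slides): a minimal Python model of the Group-Based Policy objects defined above, deciding whether a flow between two Policy Groups is allowed, redirected through a service chain, or dropped. The class and function names, the provider-relative reading of direction, and the deny-when-nothing-matches default are assumptions of this example, and the sample policy is constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Classifier:                 # traffic filter: protocol, port, direction
    protocol: str
    port: int                     # destination port of the matched flow
    direction: str                # "in" | "out" | "bi", seen from the provider (assumption)

@dataclass(frozen=True)
class Rule:
    classifier: Classifier
    action: str                   # "allow" or "redirect", the two actions listed above
    chain: tuple = ()             # ordered service nodes, used by "redirect"

@dataclass
class Group:                      # Policy Group: endpoints with the same properties
    name: str
    provides: set = field(default_factory=set)   # names of rule sets it provides
    consumes: set = field(default_factory=set)   # names of rule sets it consumes

def decide(rule_sets, src, dst, protocol, port):
    """Return (verdict, service_chain) for a flow from group src to group dst."""
    for name, rules in rule_sets.items():
        if name in src.consumes and name in dst.provides:
            wanted = ("in", "bi")       # consumer -> provider
        elif name in src.provides and name in dst.consumes:
            wanted = ("out", "bi")      # provider -> consumer
        else:
            continue                    # this rule set does not link the two groups
        for rule in rules:
            c = rule.classifier
            if (c.protocol, c.port) == (protocol, port) and c.direction in wanted:
                return rule.action, rule.chain
    return "deny", ()                   # assumption: no matching rule, no connectivity

# Constructed sample policy: web -> app allowed, app -> db redirected through a firewall.
RULE_SETS = {
    "app-rules": [Rule(Classifier("tcp", 8080, "in"), "allow")],
    "db-rules": [Rule(Classifier("tcp", 3306, "in"), "redirect", ("FIREWALL",))],
}
WEB = Group("web", consumes={"app-rules"})
APP = Group("app", provides={"app-rules"}, consumes={"db-rules"})
DB = Group("db", provides={"db-rules"})

if __name__ == "__main__":
    for s, d, port in [(WEB, APP, 8080), (APP, DB, 3306), (WEB, DB, 3306), (APP, WEB, 8080)]:
        print(f"{s.name} -> {d.name} tcp/{port}:", decide(RULE_SETS, s, d, "tcp", port))
```

The web tier never reaches the database directly because it consumes no rule set that the DB group provides, and the "in"-only classifier keeps the app tier from opening connections back to web.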
APIC OpenStack Integration
Group-Based Policy Group Policy Plugin
[Figure labels: Contract (between DB, APP and WEB), ADC, F/W, Group Policy, OVS Driver, Neutron Networking, APIC Group Driver, HYPERVISOR hosts running Web, App and DB instances.]
• OpenStack extensions on top of Neutron exposing a policy API
• Supports policy API to APIC
• Backwards compatible with existing Neutron plug-ins (works with Nexus 9000 standalone)
• Available for OpenStack Juno (Q1 CY 15)
• Open approach – Other vendor drivers available
• Enables OpenStack customers to deploy, scale and modify policy across teams fast
Cisco APIC Offers Tenant Automation and Operational Administration
[Figure labels: APIC Admin, OpenStack Tenant, NOVA, NEUTRON, ACI FABRIC, COMPUTE, STORAGE, VIRTUAL, HYPERVISOR hosts running WEB, APP and DB instances, Web Group, DB Group, Policy Rules Set (Classifier, Action), FIREWALL, Service Chain.]
Group-Based Policy Demo
#  GBP Object         APIC Object
1  Project            Tenant
2  L3 Policy          Context (VRF)
3  L2 Policy          Bridge Domain (BD)
4  Policy Action      --
5  Policy Classifier  Filter Subject
6  Policy Rule        Filter
7  Policy Ruleset     Contract
8  Policy Group       Endpoint Group (EPG)
9  Policy Target/VM   Endpoint
Cisco Confidential 11 C97-732424-00 © 2014 Cisco and/or its affiliates. All rights reserved.
Thank You