Policy Driven Data Centre Designd2zmdbbm9feqrf.cloudfront.net/2014/anz/pdf/BRKAPP-9001.pdfAutomating...

Policy Driven Data Centre DesignBRKAPP-9001

Joe Onisick

Technical Marketing Engineer INSBU

© 2014 Cisco and/or its affiliates. All rights reserved.BRKAPP-9001 Cisco Public

Agenda

What is policy?

Policy and the network

Defining application logic through policy

Automating infrastructure through policy

ACI and Policy Based Provisioning

Advantages of policy driven data centre design

‟Virtualising complexity simply amplifies fragility.”

• Joe Onisick

• Cisco Systems

‟Only a real jerk would quote themselves during a presentation.”

• Joe Onisick

• Cisco Systems

What is Policy?


What is Policy?Policy in Broad Terms

pol·i·cy

A course or principle of action adopted or proposed by a government, party, business, or

individual.

Synonyms: plans, strategy, stratagem, approach, code, system, guidelines, theory…


What is Policy?Policy and Intentions

8

No smoking is the policy. It is the intention. It is up to individuals (objects) to follow that intention.

Enforcement and auditing of the policy is separate from policy definition.

Actions can be taking for violations of policy (faults.)

Policy can be thought of a set of rules defining desired state.


What is Policy?Policy and Desired State

9

A no parking sign is policy used to define the desired state of a section of road. The desire is, road free from parked

cars.

Desired state does not, in and of itself, enforce state. Drivers (objects) are expected to implement and adhere to

desired state.

Auditing can be performed against both desired and current state.

Desired state is the intended condition of an object which can be expressed via policy.

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&docid=vsDtEAQQVnsAuM&tbnid=nDNlO-eN3kjBzM:&ved=0CAUQjRw&url=http://usptopost-grant.com/2012/04/27/1328/&ei=32iuUu6AIJTmoATl-IC4BQ&bvm=bv.57967247,d.cGU&psig=AFQjCNEfj-hsR-9MFiq_2NrdLtmVEhayTw&ust=1387248212532252


What is Policy?Desired vs. Current State

10

Mismatches between desired and current state generates faults or exceptions.

Desired State

Expression of intent based on

policy

Current State

Actual implementation of desired state

Non-Compliance Alert

Report of current state exceptions

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&docid=vsDtEAQQVnsAuM&tbnid=nDNlO-eN3kjBzM:&ved=0CAUQjRw&url=http://usptopost-grant.com/2012/04/27/1328/&ei=32iuUu6AIJTmoATl-IC4BQ&bvm=bv.57967247,d.cGU&psig=AFQjCNEfj-hsR-9MFiq_2NrdLtmVEhayTw&ust=1387248212532252


What is Policy?The Goal of State

11

The goal is to minimize the gap between expectation and reality.

HAPPINESS =

Reality

------------------

Expectation

Disappointment (Non Compliance)

Expectation

(Intended State)

Reality

(Current State)

Policy and the Network


Policy and the NetworkWhat is network policy?

Permit Deny

Log

RedirectMark

Basic Network Policy

SLA Policy

QoS Availability

L4-7 Services

SLB Firewall

IDS IPS

SSL

OffloadWAF

Network policy involves all of the rules required for end-to-end application connectivity.


To MAC

From MAC

Payload

Policy and the NetworkTraffic Identification

14

To IP

From IP

Send Port

Receiver Port

Protocol

5 Tuple Match

Applications, users, groups, etc. must be identified based on network header information.


Policy and the NetworkApplication Language Barriers

15

Developers

Application

Tiers

Provider /

Consumer

Relationships

Infrastructure Teams

VLANs

Subnets

Protocols

Ports

Developer and infrastructure teams must translate between disparate languages.


Policy and the NetworkPolicy Definition on Today’s Networks

Construct Intended Purpose Current Usage

VLAN Flood DomainFlood Domain

Subnet demark

Subnet Forwarding address

Forwarding addressPolicy boundary

Security identifierApplication identifier

Subnet 192.168.10.1/24

VLAN 200

Subnet 192.168.11.1/24

VLAN 201

Subnet 192.168.12.1/24

VLAN 202

Policy demarcation

Policy demarcation


Policy and the NetworkOverloaded Network Constructs

17

VLAN VLAN VLAN

Subnet Subnet Subnet

Basic Network Policy

SLAs L4-7 Services

Network constructs are overloaded with unintended functionality.


Policy and the NetworkSimple Changes Cause Big Implications

18

192.168.10.10010.10.10.201

Intended IP change Unintended policy change requirements

Changes at any layer of the stack have effects throughout the stack.

Defining Application Logic Through Policy


Defining Application Logic Through PolicyWarning!

20

Forget everything you know

about networking for the

remainder of this sessionBelieve!

‟The moment you doubt whether you can fly, you cease for ever to be able to do it.”

• J.M. Barrie

• Peter Pan


Defining Application Logic Through PolicyApplications and Conversations

Application communication can be defined as who is allowed to talk to whom.

DB FarmApp

ServersWeb FarmUsers

Communication between objects on the network can be thought of as one or two way conversations (monologue/dialogue.)


Defining Application Logic Through PolicyThe Provider Consumer Relationship

23

Users

Consumes Web Services

Web Farm

Provides Web Services

Consumes App Services

App Servers

Provides App Services

Provider consumer relationships define application connectivity in application terms. All objects can provide, consume, or both.


Defining Application Logic Through PolicyContracts for Policy

24

Contracts are used to define relationships.


Defining Application Logic Through PolicyPolicy Definition

25

Current Policy Definition Policy Based on Contracts

Rules

Actions

SLAs Security

L4-7

QoS


Defining Application Logic Through PolicyDefining Provider Consumer Relationships

26

DB Farm



27

DB Farm



28

DB Farm


Defining Application Logic Through PolicyObject Relationships

29

Relationships between objects/groups are defined by providing or consuming contracts.

Connectivity is ‘turned on’ by creating relationships.

Objects/groups can provide, consume, or both.

Consumer provider relationships define which objects or groups can communicate and the policy requirements for that connectivity.


Defining Application Logic Through PolicySimple Changes Remain Simple

30

192.168.10.10010.10.10.201

Intended IP change

Policy remains the same independent of

end-point change

Changes at any layer of the stack are independent of one another.

Defining and Instantiating Policy


Defining and Instantiating PolicyIntended State and Promise Theory

Promise theory relies on trust that a device will apply intended state and report non-compliance.


Defining and Instantiating PolicyDefining Infrastructure Policy

Policy can be defined in a reusable format. As a logical configuration of intended state.

Policy can be used to define the configuration state of logical, virtual and physical elements.

Used broadly policy is a reusable format for defining the intended state of objects.


Defining and Instantiating PolicyApplying Policy to Infrastructure

Policies can be defined logically then applied to infrastructure repeatedly where applicable.

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&frm=1&source=images&cd=&cad=rja&docid=FAeRZBmlAyie7M&tbnid=PI5NOEkVFAMtoM:&ved=0CAUQjRw&url=http://www.sandirect.com/whiptail-invicta-p-2063.html&ei=rMLMUqmBOsvzoATTuIKIAw&bvm=bv.58187178,d.cGU&psig=AFQjCNFwFnDFzF82QVNmM7peBm4t6sZ-Fg&ust=1389237256819450


Defining and Instantiating PolicyHandling Non-Compliance

When objects are unable to apply intended state, non-compliance is reported back to the object issuing intended state.

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&frm=1&source=images&cd=&cad=rja&docid=FAeRZBmlAyie7M&tbnid=PI5NOEkVFAMtoM:&ved=0CAUQjRw&url=http://www.sandirect.com/whiptail-invicta-p-2063.html&ei=rMLMUqmBOsvzoATTuIKIAw&bvm=bv.58187178,d.cGU&psig=AFQjCNFwFnDFzF82QVNmM7peBm4t6sZ-Fg&ust=1389237256819450

Automating Infrastructure Through Policy


Automating Infrastructure Through PolicyWhat is Automation?

Automation or automatic control, is the use of various control systems for operating

equipment such as machinery, processes in factories, boilers and heat treating

ovens, switching in telephone networks, steering and stabilisation of ships, aircraft

and other applications with minimal or reduced human intervention… – Wikipedia.org

Automation can speed up processes, but also reduce risk of human error.

Avoid This!Avoid This!

http://en.wikipedia.org/wiki/Automation

‟To err is human, to apply that error to 1000 servers at once is DevOps.”

• Unknown

38


Link Failure

Red

Policy

RedP

olicy

Red

Policy

FW

Pckg

FW

Pckg

FW

Pckg

Automating Infrastructure Through PolicyUsing Policy for Automation

APPLY APPLY

Triggered

Event


Automating Infrastructure Through PolicyPolicy and Automation

Policy can be used to:

Apply intended state configuration

Apply intended state change

Provide event based actions

Policy can be applied as a logical definition for automating configuration, state, and event handling.

ACI and Policy Based Provisioning


Defining Terms

Tenant - Logical separator for: Customer, BU, group etc.

separates traffic, admin, visibility, etc.

Private-L3 - Equivalent to a VRF, separates routing instances,

can be used as an admin separation

Bridge Domain - NOT A VLAN, simply a container for subnets, CAN

be used to define L2 boundary

End-Point Group - (EPG) Container for objects requiring the same

policy treatment, i.e. app tiers, or services


Logical Model Overview

root\uni

Tenant A Tenant B

Private-L3 A Private-L3 B Private-L3 A

Bridge

Domain

Subnet A

Bridge

Domain

Subnet B

Subnet C

Bridge

Domain

Subnet A

Bridge

Domain

Subnet B

Private-L3 and subnets are independent between tenants


Logical Model Overview (cont.)

root\uni

Coke Pepsi

Dev/Test Prod Web Services

Prod-BD

20.1/24

21.1/24

Private-L3 and subnets are independent between tenants

Dev/Test-BD

10.1/24

L2 Enabled = Yes

Web-BD

100.1/16

L2 Enabled = Yes

App-BD

20.1/24

L2 Enabled = Yes


Defining Terms

Contract - Definition of policy. Defines how an EPG communicates with other

EPGs.

Subject - Something being ‘discussed.’ Used to build definitions of

communication between EPGs. Contains: filter, action, and optional label.

Filter - Identifier for a subject, i.e. the traffic do you want to take action on.

Required within a subject.

Action - Action to be taken on the filtered traffic with a subject. Required

within a subject.

Label - Optional advanced identifier, when used labels allow for more

complex definition of relationships within the policy model


Defining Provider Consumer Relationships

DB Farm


Future End-PointsFCS End-Points

End-Point Groups

End-point groups are containers for objects that require like policy treatment

?DNS *DNSDHCP

PoolVM

AttributeSubnetVLANVxLANNVGR

E(v)Port


Contracts and Subjects

Contracts define the policies for EPG communication

External-Web Contract

Subject

Subject

Subject

Subjects define a topic of communication

and the rules to apply

Contracts contain one or more subjects


External-Web Contract

Subject

Subject

Subjects

Subjects contain: filters, actions and labels

Subject Subject

Filter Action Label

In/out

port, etc.

Drop, mark,

redirect, etc.

Optional

label


Taboos

Web Services

Subject

Subject

App Services

Subject

Subject

Provide Consume

Taboos

Filter

Filter

Explicit Denies Never

allow stated traffic for

any EP in the group


Contract Bundles

AD Contract

Subject

Subject

DNS Contract

Subject

Subject

DHCP Contract

Subject

Subject

MGMT Services Bundle

Contracts can be bundled for reuse.

Advantages of Policy Driven Data Centre Design


Advantages of Policy Driven Data Centre DesignAbstraction

Web App

Storage Storage

DBPolicy Policy Policy

Policy abstracted as a logical definition of

intended state.

Physical and virtual objects are responsible

for applying state.


Advantages of Policy Driven Data Centre DesignExtensibility

Web App DBPolicy Policy Policy

Policy used to describe connectivity can be extended as

requirements/capabilities change.

Policy

Policy used to describe configuration will be updated

with HW/SW capability.

Logical policy objects provided a common toolset for defining the intended policy state of objects.


Advantages of Policy Driven Data Centre DesignReuse

Web App 1 Web App 2 Web App 3

Policy definition can be reused at multiple levels.

‟ If you don’t like change, you’re going to like irrelevance even less.”

• General Eric Shinseki

• United States Army


Summary

Policy is a broad term that can be used to describe intended state

When intended state and current state do not match non-compliance alerts are generated.

The goal is to match intended state as closely as possible to actual state while allowing agility and scale.

Policy on the network encompasses many configurations and touch-points.

Contracts can be used to centralise policy for ease of use and reuse.

Policy can be used to automate infrastructure, and provide consistent deployments.


Complete Your Online Session Evaluation

Give us your feedback and receive a Cisco Live 2014 Polo Shirt!

Complete your Overall Event Survey and 5 Session Evaluations.

Directly from your mobile device on the Cisco Live Mobile App

By visiting the Cisco Live Mobile Site www.ciscoliveaustralia.com/mobile

Visit any Cisco Live Internet Station located throughout the venue

Polo Shirts can be collected in the World of Solutions on Friday 21 March 12:00pm - 2:00pm

Learn online with Cisco Live!

Visit us online after the conference for full access

to session videos and presentations.

www.CiscoLiveAPAC.com

http://www.ciscoliveaustralia.com/mobile

http://www.ciscoliveapac.com/

Policy Driven Data Centre Designd2zmdbbm9feqrf.cloudfront.net/2014/anz/pdf/BRKAPP-9001.pdfAutomating...

Documents

Transcript of Policy Driven Data Centre Designd2zmdbbm9feqrf.cloudfront.net/2014/anz/pdf/BRKAPP-9001.pdfAutomating...