Contiv provides a higher level of networking abstraction for microservices: it provides built-in service discovery and service routing for scale out services, working with schedulers like Docker Swarm, Kubernetes, Mesos and Openshift. A powerful policy-based management that makes networking on large scale easy. We will see some code examples, use cases and an easy tutorial on the web. This session is a follow up to the successful sessions at Codemotion Rome and Amsterdam in 2016: we'll go deeper into the architecture and the use cases.

1. CODEMOTION MILAN - SPECIAL EDITION
10 – 11 NOVEMBER 2017
Cisco Contiv:
Network Policies for Microservices
Luca Relandini @lucarelandini

2. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
100% Open Source
The Most Powerful Container Networking Fabric
L2, L3, Overlay or ACI
Rich Policies
DevOps IT Admin
Any NetworkingAny Platform
Any Infrastructure
Application
Intent
Rich Policy Model
Declarative
Simple Install
GUI + CLI
LDAP/RBAC
Contiv – an industry leading (open source) project

3. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Contiv Integration

4. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Networking In The New Container World
Physical Network
HypervisorHypervisor
Physical Network
Virtual Switching or
Overlay Network
C1 Cn
Guest OS -
Bridged
Overlay Network -
VXLAN
Physical Network
Hypervisor Hypervisor
Host 1 Host 2
Host 2Host 1
VM1
C1 Cn
Guest OS -
Bridged
VM2
C1 Cn
Guest OS -
Bridged
Overlay Network -
VXLAN
C1 Cn
Guest OS -
Bridged
Issues from having many layers:
Connectivity: Network services, e.g., Load balancer, Firewall
Performance: Encapsulation over encapsulation over encapsulation affects performance
HW integration: Can not leverage performance and security by natively integrating with HW
VM1 VM2
Bare Metal VM Containers in VM

5. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Incollare contiv ui e k8s
GUI
Example Application

7. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 12Presentation ID

8. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

9. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

10. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

11. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
• DevOps Workflow
• Contiv:
• Create tenant
• Create network
• Create policy
• Create group
• K8s
• Create Pods and Services (using labels like “io.contiv.net-group: web”)
• Manage Services lifecycle and resources
• User interface
• Contiv to monitor and manage networking and security
• Kubernetes to monitor and manage applications and services
Contiv and Kubernetes

13. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Contiv info in K8s yaml files

14. • Incollare contiv ui e k8s
GUI

15. • Incollare contiv ui e k8s
GUI

16. • Incollare contiv ui e k8s
GUI

17. • Incollare contiv ui e k8s
GUI

18. • Incollare contiv ui e k8s
GUI

19. This example explores Contiv's ability to provide network isolation between two kubernetes pods:
netctl policy create web-policy
netctl net create contiv-net --subnet=20.1.1.0/24 --gateway=20.1.1.1
netctl group create contiv-net web-group -policy=web-policy
create 2 Kubernetes pods: kubectl create -f
https://raw.githubusercontent.com/DevNetSandbox/sbx_contiv/master/yaml/alpine.yaml
kubectl get pods
kubectl exec <pod_1_name> -- ping -c 3 $(kubectl describe pod <pod_2_name> | grep IP | awk '{print $2}')
netctl policy rule-add web-policy 1 -direction=in -protocol=icmp -action=deny
kubectl exec <pod_1_name> -- ping -c 3 $(kubectl describe pod <pod_2_name> | grep IP | awk '{print $2}')
Use the UI to remove the ICMP deny rule and re-test the ping command!
HelloWorld demo in the DevNet Sandbox
Kubernetes – Contiv demo

20. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

21. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
K8s demo 1 – Contiv tenants
Tenant: Default Tenant: Blue
Network: contiv-net
10.10.10.0/24
Tenant: Red
Network: contiv-net
10.10.10.0/24
Networks:
• default-net
• contiv-net
• whatever-net

22. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
K8s demo 2 – Contiv groups and policies
Tenant: Default
wget OK
Network: default-net
20.1.1.0/24
Group: clients Group: intranet
Policy: intranet
(deny all,
allow from group clients)

23. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
kubectl run nginx-intra --image nginx --port=80 -l='io.contiv.network=default-
net, io.contiv.net-group=intranet-group' -r=2
kubectl run client --image alpine -l='io.contiv.network=default-net,
io.contiv.net-group=clients'
kubectl run client-web -it --image contiv/alpine -l='io.contiv.network=default-
net,io.contiv.net-group=web-group' sh
kubectl exec -it client-web sh
Ping, wget nginx-intra: KO
kubectl exec -it client sh
Ping, wget nginx-intra: OK (now... go to lab)
K8s demo 2 – Contiv groups and policies

24. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Tenant: Default
wget OK
Network: contiv-net
10.10.10.0/24
Group: dmz
Docker Swarm demo – Contiv groups and policies
Group: clients Group: intranet
Policy: intranet
(deny all,
allow from group clients)

25. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Docker Swarm demo – Contiv groups and policies
Groups Policies* Rules Containers Ip address
clients - - client 10.10.10.1
intranet intranet deny all
allow all from group clients
nginx-intranet 10.10.10.2
dmz web deny tcp
deny icmp
allow tcp 80
nginx-dmz
rogue
10.10.10.3
10.10.10.4
tests
nginx-intranet nginx-dmz
client ping OK
wget OK
ping KO
wget OK
rogue ping KO
wget KO
ping OK
wget OK
* Any group could have more policies,
e.g. backup, monitoring, ...

26. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Docker Swarm demo – Contiv groups and policies
# create groups in contiv, with tags
netctl group create -p intranet-policy -tag intranet contiv-net intranet-group
netctl group create -p web-policy -tag web contiv-net dmz-group
# create 3 docker networks with contiv-tag corresponding to the 3 groups (intranet, dmz, clients)
docker network create intranet -o contiv-tag=intranet -d contiv/v2plugin:1.1.6 --ipam-opt contiv-tag=intranet --ipam-driver contiv/v2plugin:1.1.6
docker network create dmz -o contiv-tag=web -d contiv/v2plugin:1.1.6 --ipam-opt contiv-tag=web --ipam-driver contiv/v2plugin:1.1.6
docker network create clients -o contiv-tag=clients -d contiv/v2plugin:1.1.6 --ipam-opt contiv-tag=clients --ipam-driver contiv/v2plugin:1.1.6
# create docker services on contiv-net (in two of the epg)
docker service create --name webserver-intranet --replicas 2 --network intranet nginx
docker service create --name webserver-dmz --replicas 2 --network dmz nginx
(now... go to lab)

27. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Contiv Value Proposition

28. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Go and test it (easy!): http://contiv.github.io
Contiv releases - github.com/contiv/install
Join Contiv Slack - contiv.herokuapp.com
Contiv Blogs - blogs.cisco.com/tag/contiv
Recorded demo - https://www.youtube.com/watch?v=55s4wAVbTM4
Cisco DevNet community - https://developer.cisco.com/site/contiv/videos/index.gsp
Contiv on Docker Store - https://store.docker.com/plugins/803eecee-0780-401a-a454-e9523ccf86b3?tab=description

29. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
If you are interested, please go to the (very short) survey at:
https://it.surveymonkey.com/r/TW8SDRS
We are considering to create a Meetup for Contiv and run periodical
updates, labs, exchange of experience
Contiv Community in Italy?