Docker Enterprise Networking and Cisco Contiv - Cisco Live 2017 BRKSDN-2256

Container Networking
Deep Dive with Docker
Enterprise Edition and
Cisco Contiv
Mark Church – Solutions Architect, Docker
@churchofmark
Sanjeev Rampal – Principal Engineer, Cisco
@sr2357
BRKSDN-2256

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark
Questions?
Use Cisco Spark to chat with the
speaker after the session
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
How
Cisco Spark spaces will be
available until July 3, 2017.
cs.co/ciscolivebot#BRKSDN-2256

Agenda
• Docker in 2017
• Evolution of Docker (from open source to Enterprise)
• Docker Networking
• Contiv Architecture & Overview
• Contiv & Docker Demo!

Docker: An Ecosystem Explosion
BRKSDN-2256 6

Docker is in the Enterprise
BRKSDN-2256 7
Service
Provider
Tech
Public
Sector
Insurance
Healthcare
& Science
Financial
Services

Broader Use-Cases with Docker
BRKSDN-2256 8
MICROSERVICES
AGILE TRADITIONAL
APPS
TRADITIONAL APPS
Cloud or New
Infrastructure
Old Infrastructure

Pre-Docker Period (2000 – 2013)
10BRKSDN-2256

Evolution of Docker (2013)
11
Docker Container
Runtime
• cgroups
• Linux namespaces
• Container image format
BRKSDN-2256

Evolution of Docker (2013 - 2015)
12
Container Runtime
• Docker Volumes – Persistent storage outside of the container
image
• Container Network Model – Abstraction for pluggable container
networking
Network
Container Runtime
Volumes
BRKSDN-2256

Evolution of Docker (2015 - 2016)
13
Container Runtime
• Docker Swarm – Built-in Orchestration for container scheduling
and resource management
• Security – Kernel capabilities, Built-in PKI, Built-in network
encryption
Network
Container Runtime
VolumesSecurity
Distributed State
Network
Container Runtime
Volumes
Orchestration
BRKSDN-2256

Evolution of Docker (2016 – 2017)
14
• Private image registry – securely store container images on-
prem
• Automated image vulnerability scanning
• Image content trust system to guarantee source, integrity, and
freshness
Security
Distributed State
Network
Container Runtime
Volumes
Orchestration
Image Scanning and
Monitoring
Private Image Registry Image Content Trust
BRKSDN-2256

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
• Cluster multi-tenancy
• Built-in L4 and Application load balancing
• Ability to deploy application stacks with simple application
manifests
Security
Distributed State
Network
Container Runtime
Volumes
Orchestration
Multi-tenancy
Image Scanning and
Monitoring
L7/L4 Load Balancing
Private Image Registry
Application Stack
Management
Image Content Trust
Evolution of Docker (2016 – 2017)
BRKSDN-2256

Security
Distributed State
Network
Container Runtime
Volumes
Orchestration
Multi-tenancy
Image Scanning and
Monitoring
Application Stack
Management
Image Content Trust
Certified Containers Certified Plugins Validated Designs
Technical Support Long Term Software Support
Docker Enterprise Edition (2017)
Docker Enterprise
Edition
Docker Community
Edition
BRKSDN-2256

Security
Distributed State
Network
Container Runtime
Volumes
Orchestration
Multi-tenancy
Image Scanning and
Monitoring
Application Stack
Management
Image Content Trust
Certified Containers Certified Plugins Validated Designs
Technical Support Long Term Software Support
Cisco UCS Converged Infrastructure
+
BRKSDN-2256

Cisco and Docker Partnership
+
Stronger Together
Best of breed infrastructure & container platform with enterprise-
class support
Joint Engineering,
Sales and Marketing
Docker Enterprise Edition
On FlexPod CVD
Contiv Docker
Network Plugin
Modernizing Traditional
Apps (MTA) Program
18
BRKSDN-2256

Docker Networking Design Philosophy
Batteries
included but
swappable
Portable
20
BRKSDN-2256

Container Network Model
Container Network Model
Docker Engine
Native Network Driver
Native IPAM Driver
Remote Network Driver
Remote IPAM Driver
Load Balancing
Service Discovery
Network Control Plane
21
BRKSDN-2256

Containers and the CNM
Container C1 Container C2 Container C3
Network A Network B
NetworkEndpointContainer Sandbox
22
BRKSDN-2256

Docker Networking is Linux (and Windows)
Networking
Host
Linux Bridge
eth0
OVS
VXLAN iptables veth
net namespaces
eth1
TCP/IP
Docker
Engine
Devices
Kernel
User Space
Network
Driver
23
BRKSDN-2256

Built-In Docker Network Drivers
Driver Deployment Model
Bridge
Host-only L2 software bridge
Utilizes NAT to expose services externally
Host
Host network namespaces
All containers use same interfaces
Overlay
Encap provided by kernel VXLAN interfaces
Control plane provided by Docker
MACVLAN
IP per container
No NAT, no encap
Less portable, requires some host configuration
BRKSDN-2256

• Docker Remote/Plug-in Network Driver
• Granular and Flexible Policy Control
• Policy across virtual, container, and physical workloads
• ACI Integration
• Multiple Dataplane Modes
Cisco Contiv Network Driver
100% Open Source L2, L3, Overlay or ACI Rich Policy Model
BRKSDN-2256

Types of Container Networking Designs
Networking
Models
Overlay Non-Overlay
IP per
container/pod
NATed
BRKSDN-2256

Docker host 1
Bridge Driver Network Architecture
192.168.2.17 192.168.1.25
veth
eth0
eth0172.18.0.2
Docker host 2
veth
eth0
eth0 172.18.0.2
veth
eth0 172.18.0.3
Linux Bridge
iptables
Linux Bridge
iptables
27
BRKSDN-2256

Cntnr2Cntnr1
eth0:
10.0.0.30
Docker host 1
10.0.0.910.0.0.8
Cntnr4Cntnr3
eth0:
10.0.0.40
Docker host 2
10.0.0.3410.0.0.33
Cntnr6Cntnr5
eth0:
10.0.0.50
Docker host 3
10.0.0.6610.0.0.65
MACVLAN Driver Network Architecture
L2/L3 physical underlay (10.0.0.0/24)
V
10.0.0.68
P
10.0.0.25
28
BRKSDN-2256

Deploying Applications
on Docker EE

Application Stack Deployment with Docker
compose.yml
Docker
Network
Swarm
Manager
Swarm
Workers
appA appB appC
Network
Driver
Network Policy
BRKSDN-2256

Application Topology
LB
Internal Network
BRKSDN-2256

Contiv Overview &
Architecture

100% Open Source
The Most Powerful Container Networking Fabric
L2, L3, Overlay or ACI
Rich Policy Model
DevOps IT Admin
Any NetworkingAny Platform
Any Infrastructure
Application
Intent
Rich Policy
Declarative
Simple Install
GUI + CLI
Containers, VM, BM
LDAP/RBAC
Introduction to Contiv
33BRKSDN-2256

Containerized Apps on Shared Infrastructure
Application
Intent
Compute Compute
Operational
Intent
Contiv Is an Open Source Solution to Define and
Enforce Distributed Policies Across Infrastructure
NETWORK
Compute
34BRKSDN-2256

Application Intent with Operation Intent
PLACEHOLDER
version: '2'
services:
web:
build: .
label:
- tier: web
volumes:
- .:/code
networks:
- front-tier
- back-tier
db:
image: mysql
App Intent
PLACEHOLDER
web:
environment: prod
networks:
security: -
allow ports: 5000, 443
bandwidth: 5gbps
lb selector:
- tier: web
db:
networks:
security:
allow ports: 3306 from web
Ops Intent (e.g. Contiv Intent*)
Operation Intent Provides Operational Requirements and Policies for Applications
* Shown in yaml for better visualization
35BRKSDN-2256

Contiv: How everything fits together
Operational Policy Management
Developer Operations
Application
Scheduler
Node 1 Node 2 Node-n
Contiv Distributed Policy Layer
...
Contiv Elements
Contiv UI to manage/
monitor policies/usage
Distributed policy enforcement for
network
Integration with physical
infrastructure
Integrated with popular
container schedulers
Contiv Automatically Integrates and Enforces Developer and Operations Policies
36BRKSDN-2256

Contiv Integration with Underlying DC Infrastructure
Application-Centric Infrastructure (ACI)
• Containers integrated with APIC policies
• Physical services integration
Nexus Standalone or Any Network
• VLAN handoff
• BGP interop (standard routing protocol)
Contiv Leverages Underlying Infrastructure Capabilities
Requires Cisco
ACI hw
Does not require
Cisco hw
(any vendor ok)
BRKSDN-2256 37

Introducing Contiv 1.0
What’s New:
LDAP+
RBAC
All New User
Experience
and Workflow
Kubernetes
1.4 Support
Docker 1.12
Support
OpenShift
Integration
Simple Install
1
Commercially
Supported Contiv
will be announced shortly
Cisco Advances
Services
Cisco Solutions
Support
100% Open Source at contiv.github.io
BRKSDN-2256 38

Mixed Mode Application Deployments
VM VMWeb
App
DB
Policy
Policy
Challenges
• Application Level Policy Enforcement Across
Deployment
• End-to-end Monitoring
• High Performance BRKSDN-2256 39

Challenges
• Encap over encap (over encap) suffers performance
• Obscures visibility, makes diagnostics/monitoring difficult
• Harder to integrate with HW appliances
Networking In The Container World
Physical Network
HypervisorHypervisor
Physical Network
Virtual Switching or
Overlay Network
C1 Cn
Overlay Network
- VXLAN
Overlay Network - VXLAN
Physical Network
Hypervisor Hypervisor
Host 1 Host 2
Host 2Host 1
VM1
C1 Cn
Overlay Network
- VXLAN
VM2
C1 Cn
Overlay Network
- VXLAN
Overlay Network - VXLAN
C1 Cn
Overlay Network
- VXLAN
VM1 VM2
BRKSDN-2256 40

Micro-services With Contiv
Micro-services isolated within
the network of a tenant
Web
Group
App
Group
DB
Group
Allow grouping of
containers/pods
1
Specify policies between
groups or from outside the
network
2
Ability to Provide Granular Micro-service based Policies in a Scalable Way
BRKSDN-2256 41

Networking Challenges Due to Containers
Scale Speed Layer of Network Application-Centric
Shared Resources Hybrid Cloud Security Telemetry/Diagnostics
42BRKSDN-2256

Contiv’s Approach to Containers
Scale
Route and
Policy Distribution
Speed
Automated Scale-Out
Layer of Network
Flat Networks
High Performance
Application-Centric
Integrated with
App Blueprint
Shared Resources
Policies for
Resource Acquisition
Hybrid Cloud
Consistent Policies
Security
Tenant Isolation
Security Policies
Telemetry/Diagnostics
Application Statistics
Data Export
43BRKSDN-2256

Contiv Network Components
Contiv CLI/UI
Node 1
Contiv Agent
...Node 2
Contiv Agent
Node-n
Contiv Agent
Contiv Elements
Container networking for:
• Kubernetes, Mesos, Nomad, and Swam
Route distribution using BGP or JSON RPC
Custom OpenFlow pipeline for host networking
• Allows implementing various features (details later)
Exports data about: App connectivity, stats, peer
Distributed, cluster-wide function
Stateless: Useful in node failure/restart, upgrade
Implements cluster-wide network and policy
Manage global resources: IPAM, VLAN/VXLAN pools
Tools to manipulate Contiv objects
Implements CRUD using REST I/F
Expected to be used by infra/ops teams
44BRKSDN-2256

Contiv Network
High-Level Architecture
Host-1
.…
Host Plug-In
Distributed
KV Store
Plug-In Logic
Contiv Host Agent
Host-n
Linux Host Routing/Switching
To Physical Network
ARP/DNS
Responder
Service LB
Route Distribution
[ BGP | RPC ]
Container Runtime
(e.g., Docker)
[ K8s| Swarm | Mesos | Nomad ]
Master-DB
Policy EngineREST Server
IPAM/
Resource-Mgmt
HA Heartbeat
Distributed
KV Store
[ Etcd | Consul ]
REST User I/F (e.g., netctl | contivctl)
API Calls to External
Orchestration Systems
e.g,. ACI, Schedulers
Health Monitoring
Contiv Master Cluster
.……
.…
45BRKSDN-2256

Contiv Network Deployment Options
Cloud L2+ L3 Native L3 EVPN (Future) Cisco ACI
IP Address Requirements #Hosts #Containers #Containers #Containers #Containers
Control Plane Scale High High Very High High High–Very High
Multi-Destination Traffic No Yes No/Maybe No Yes
Performance (Throughput) Not Good Very Good Good
Not Good (Host VTEP)
Leaf VTEP Is Good
Good (VLAN EPG)
Automated Multi-Tenancy Yes No No Yes Yes
Ease of External Access Not Good Good Good Good Good
Greenfield Deployment No difference As per Scale Very Good Good Recommended
Scale (#Nodes) Good Agg Device Very Good Will Need BGP RR Very Good
Favorable Physical Topology All Look Same Access/Agg. L3 CLOS
L3 Underlay +
VXLAN Overlay
ACI
Choices
Only if One Size Would Fit All…
46BRKSDN-2256

Cloud Deployment
VXLAN Overlay
Overlay Network:
Inter-Container
Connectivity
External Connectivity:
Host-NATing for
Outbound Traffic
Cloud
(e.g., AWS/OpenStack/Laptop/etc.)
Host-n
V M V MV M V MV M V MV M V M
Host-2
V M V M
Host-1
V M V M
Contiv Host Networking
BRKSDN-2256 47

Cloud Deployment
VXLAN Overlay
Each container gets an IP accessible
natively by other containers
Routing on the host: All traffic is
IP routed
Flood avoidance with managed
(i.e., not learned) addresses
Policies applied on the host
(by Contiv host agent)
Standard, over-the-top virtual
networking
Hybrid-cloud friendly: Allows
workloads to be on premise and
in the cloud
Cookie-cutter virtualized
deployment
VXLAN Encap (without
offload) will reduce
performance and visibility
Layer of Networks: VXLAN on
VMs may reduce performance
further
Largely suitable for IP unicast
traffic
Pros Cons
Networking
BRKSDN-2256 48

Physical Network (Underlay Integration Options)
Native Connectivity
Infra Policy: [ Bridged | Routed ]
VLAN | IP (BGP) Handoff to Access Node
APP1 APP2APP3 APP4
Host-1 Host-n
.…
Overlay Connectivity
Infra Policy: [ Overlay ] [ Bridge | Routed ]
Overlays for Inter-Container Traffic
APP1 APP2APP3 APP4
Host-1 Host-n
.…
Any Network Topology and Container Visibility Across Physical Network
Use Case:
Private Cloud
Use Case:
Private Cloud
Public Cloud
49

Access-Aggregation Topology
L2+
Networking
A small set of VLANs preconfigured once
for containers
Each container gets an IP, i.e. natively
accessible from anywhere
ARP broadcasts are responding on the
host
Flood avoidance with managed
(i.e., not learned) addresses
All configuration on physical devices
static: SVIs, VPC, VLANs
Policies applied on the host (by Contiv
host agent)
Good old, well understood and
widely deployed
No changes to network design
topology. Minimal configuration
Native visibility: Container
workloads visible/accessible
on/to rest of the network
Works with FEX/blade-
switch/DVS
Limited by Scale of Aggregation
Layer: MACs, IPs, ARPs
Flooding and broadcasts reduced
but not eliminated
Pros Cons
BRKSDN-2256 50

L2+
Configuration: Ease of L2, Benefits of L3: Avoids Flooding
Access: N5k/N9k+N2k
Optional: VMware DVS
L2 Network:
Statically Configured
with VLAN(s)Contiv Host Networking
Agg Layer: e.g., N7k/N9k SVIs Boundary
DC Core
L2 VPC Network
.…
Host-n
.….…
Host-2Host-1
ESX/Hyperversior Layer
Contiv Host Plug-Ins
51

10.1.1.1 10.1.1.310.1.1.2
Packet Flow (Case-1)
10.1.1.4 10.1.1.610.1.1.5
Data Packet from One Container to Another Container Within Same Host
Access: N5k/N9K (+N2k)
Agg Layer: e.g., N7k/N9k VLAN 100 SVI
DC Core
L2 VPC Network
Node-1 Node-2
L2 Lookup
Result: Local Port
Do Policy Lookup
Forward to Local Port
1
52

10.1.1.1 10.1.1.310.1.1.2 10.1.1.4 10.1.1.610.1.1.5
ARP Requests from a Container to Any Other Container’s IP Within Cluster
DC Core
L2 VPC Network
Node-1 Node-2
No Flooding Because
All MAC/IP Address
Are Known
1
Intercept ARP
Look Up Target IP
Result: Found
Respond with MAC
2
Sends GARP Upon
Container Coming Up
3
53

10.1.1.1 10.1.1.310.1.1.2 10.1.1.4 10.1.1.610.1.1.5
Data Packet from One Container to Another Container in Different Host
DC Core
L2 VPC Network
Node-1 Node-2
Packet Lookup
Result: Remote Port
Insert vlan-tag
Policy Lookup
Send to Upstream Switch
1
L2 Switching Happens
as Usual in the Network
Native Visibility for
Container Traffic
2
Forwarding Lookup
Result: Local Port
Do Policy Lookup
3
54

10.1.1.1 10.1.1.310.1.1.2 10.1.1.4 10.1.1.610.1.1.5
Data Packet to/from Container to Outside
Agg Layer: e.g., N7k/N9k VLAN’s SVI
DC Core
L2 VPC Network
Node-1 Node-2
Packet Lookup
Result: Remote Port
Insert vlan-tag
Policy Lookup
1
L2 Switching or
Routing at Aggregation
Layer Towards External
Traffic
2
55

Container Networking Options
L3 Native
Leaf: N3k/N9k
Host BGP Peers
with Leaf
L3 Routing on Host
Spine Layer: e.g., N9k
DC Core
L3 CLOS Network
.…
Host-n
V M V MV M V M
.…
V M V MV M V M
.…
Host-2
V M V M
Host-1
V M V M
Scalable, Distributed Layer 3 Fabric
56

L3 Native
Contiv Networking
Each container gets at least an IP
in the network
• One large subnet pool for all containers
in the entire cluster
BGP peering between host and leaf
switch (N9k)
All connectivity is learned on via
BGP node’s reachability
Routing happens on the host (based
on destination IP and reachability)
Routing on the host: No VLANs/
subnets, ARP Broadcasts, MAC
addresses
Route advertisement via
BGP  scalable
No tunneling, native visibility of
container routes in the fabric
Works largely for unicast IP-based
applications
Automating multi-tenancy on
Physical/Virtual devices
Pros Cons
BRKSDN-2256 57

10.1.1.1 10.1.1.310.1.1.2
L3 CLOS Topology
10.1.1.4 10.1.1.610.1.1.5
Data Packet from One Container to Another Container Within Same Host
Agg Layer: e.g., N7k/N9k
DC Core
L3 CLOS Fabric
Node-1 Node-2
IP Lookup
Result: Local Port
Do Policy Lookup
1
Advertise Container
IP Out to ToR Upon
Container Interface
Creation
2
58

L3 CLOS Topology
10.1.1.1 10.1.1.310.1.1.2 10.1.1.4 10.1.1.610.1.1.5
ARP Requests from a Container to Any Other Container’s IP or Gateway (ToR)
ToR: N5k/N9K (+N2k)
DC Core
L3 CLOS Fabric
Node-1 Node-2
No Flooding in L3
Mode Forwarding
1
Intercept ARP
Look Up Target IP
Result: Local Port
Respond with Gateway MAC
2
59

L3 CLOS Topology
10.1.1.1 10.1.1.310.1.1.2 10.1.1.4 10.1.1.610.1.1.5
Data Packet from One Container to Another Container in Different Host
ToR: N5k/N9K (+N2k)
DC Core
L3 CLOS Fabric
Node-1 Node-2
IP Lookup
Result: Remote Port
Policy Lookup
Send to ToR
1
L3 Routing Within
Fabric as Usual
Native Visibility for
Container Traffic
2
IP Lookup
Result: Local Port
Policy Lookup
3
60

L3 CLOS Topology
10.1.1.1 10.1.1.310.1.1.2 10.1.1.4 10.1.1.610.1.1.5
Data Packet to/from Container to Outside
ToR: N5k/N9K (+N2k)
DC Core
L2 VPC Network
Node-1 Node-2
IP Lookup
Result: Remote Port
1
L3 Routing at the Edge
Towards DC Core for
External Traffic
2
61

L3 EVPN Overlay
Leaf: N3k/N9k
EVPN Control Plane
L3 Routing on Host
Spine Layer: e.g., N9k
DC Core
L3 CLOS Network
.…
Host-n
.….…
Host-2Host-1
BRKSDN-2256 62

Container Networking Options (Future)*
L3 EVPN Overlay
Contiv Networking
Each container gets at least an IP in
the network
• One large subnet pool for all containers
in the entire cluster
BGP peering between host and leaf
switch (N9k) or via BGP route reflectors
All connectivity is learned on via BGP
node’s reachability
Routing happens on the host (based on
destination IP and reachability)
EVPN control plane can be run from
central point (cluster-wide)
Routing on the host: No VLANs/
subnets, ARPs, MAC addresses
Route advertisement via
BGP  scalable
No tunneling, native visibility of
container routes in the fabric
Consistent solution for VMs,
BMs, container workloads
Multi-VRF (tenancy) support
with VRF-aware route
propagation to border leafs
• Tenant configuration required on
border leaf, however
Works only for unicast IP-based
applications
Tunneling on the host might be
inefficient
Tunnel termination with routing,
require specific hardware (only
Nexus 5600s or Nexus 9ks)
Pros Cons
BRKSDN-2256 63

Containers
Why ACI?
Policy Automation for
Container/Microservices
Workloads
Uniformity for Any Workload Feature Richness:
Service Chaining, Micro-
Segmentation, Multi-PoD,
Inter-DC, etc.
Scale and Performance
Variety of Container
Workloads: IP Unicast,
IP Multicast, L2
BRKSDN-2256 64

Application Centric Infrastructure (ACI)
External
Network
App DBWeb
QoS
Filter
QoS
Service
QoS
Filter
ACI Fabric
APIC
APIC
BRKSDN-2256 65

Benefits of Integrating Contiv with ACI
• Uniform policies for any workload
• VMs | Bare-Metal | Container
• Policy automation for mix-mode workloads
• Scale: IPs, EPGs, Networks
• Performance: 40G and 100G optimized fabrics
• Telemetry/Diagnostics
• Container location aware physical network
BRKSDN-2256 66

Contiv ACI Integration
Container
Management
Unified Policy Automation and Enforcement Across BM, VM, and Containers
Contiv Master
Contiv APIC Gateway
OVS Contiv Plugin
HYPERVISORHYPERVISORHYPERVISOR
Container/Pod Host
Bare
Metal
Services
67BRKSDN-2256

Web
Contiv Plugin
Host-1 Host-n
DB Web DB
Container
Scheduler
Contiv Plugin
Application Intent
Tenant-1:
External  Web:80 
DB:Port
Tenant-2:
DB:Port
2
Launching Apps
across Cluster
4
DevOps Intent => ACI Policy
Policy Instantiation5
Contiv Tenant/Network Creation1
Physical Network
Prep
0
3
Example Workflow
Network
Admin
DevOps Admin
Contiv
NetMaster
68

Containers
Why ACI?
Policy Automation for
Container/Microservices
Workloads
Uniformity for Any Workload Feature Richness:
Service Chaining, Micro-
Segmentation, Multi-PoD,
Inter-DC, etc.
Scale and Performance
Variety of Container
Workloads: IP Unicast,
IP Multicast, L2
BRKSDN-2256 69

ACI + Container Stack
Container Cluster Scheduler Cluster-Wide Intent Distribution
Ops Orchestration/PaaS (Provides Roles/Multi-Tenancy/Visibility/GUI) UI Plug-Ins Container Image Store
DevOps SysAdmin Developer
Cisco Hardware: UCS Compute, Nexus 9k, ACI
Host-1
Container Runtime (Docker, etc.)
Networking/Volume Agents
Container-Optimized OS
Host-n
OS
Agents
BRKSDN-2256 70

ACI Integration
Useful in fully automated DevOps
environments
Available for container workloads,
i.e., not for VMs and bare-metals
workloads
Provide a Way to Auto-Create
Policies from Templates
Policy templates are specified by
infrastructure owner
DevOps team utilizes the policy
templates in application compositions
(blueprints) for policies
• Between container/Microservices workloads
• To/from container/micro-services workloads to
external network
Applications are launched and
withdrawn using CI/CD process or by
DevOps team
• Policies, EPGs, rules, contracts are instantiated and
withdrawn accordingly
Containers/pods are scheduled by
Docker/Kubernetes cluster-wide
• Policies is used as specified by the templates
selected for workloads
How Does It Work?
Visibility to container workloads
Physical fabric management
L4–L7 services Integration
etc.
No Changes to
How ACI Provides
BRKSDN-2256 71

ACI Integration
Work Flow
Create a physical domain (pool of
VLANs/XVLAN IDs to be used for
container workloads)
APIC: Prepare APIC
$ netctl policy create prod_web –tenant=blue
$ netctl policy rule-add ... --tenant=blue
$ netctl group create contiv-net web –
policy=prod_web –tenant=blue
Contiv: Create Endpoint Groups, Policies
$ netctl global-set –fabric-mode aci –vlan-
range 1100-1200
$ netctl tenant create blue
$ netctl net create contiv-net --
subnet=20.1.1.0/24 --gateway=20.1.1.254 –
tenant=blue
Contiv: Set Global Mode to ACI,
Create Tenants, Networks
$ netctl app-profile create -g
prod_web,prod_db contiv-net –tenant-blue
Contiv: Create App Profile
(a Micro-Service)
$ docker run –itd –name=web_container –
net=“prod_web.contiv-net/blue” ubuntu
/bin/bash
$ docker run –itd --name=db_container –
net=“prod_db.contiv-net/blue” ubuntu /bin/bash
$ docker rm –f web_container
Scheduler (e.g., Docker/Nomad):
Start/Stop Jobs
$ netctl app-profile create ...
$ netctl policy rule-add ...
Contiv: Modify AppProfile, Rules
BRKSDN-2256 72

Image Store
ACI Integration (Opflex/ VMM mode – Future*)
DevOps (CI/CD) Infra Admin
Tenant-1:
DB:Port
Tenant-2:
DB:Port
Application Intent
Host-1
DBWeb
Host-n
DBWeb
Launching Apps
Across Cluster
5
3
Contiv
NetMaster
Plug-Ins Plug-Ins
Policy
Instantiation
6
Populate Infra1
Fetch EPG-Names
Within a
Container Domain
2
4
Container
Scheduler
BRKSDN-2256 73

Host-1 Host-2 Host-n
Cloud A
Cloud B
Demo Physical Topology
BRKSDN-2256 75

C11 C12
C21 C22
VM ‘Z’
Containers Cloud ‘A’
Swarm cluster
VMs Cloud ‘B’
Openstack/vSphere
Service 1
“app”
Service 2
“db”
Service 3
E.g. database VM
Demo Application
BRKSDN-2256 76

Host-1 Host-2 Host-n
Cloud A
Cloud B
Demo Physical Topology
BRKSDN-2256 77

Getting More Information / Getting Started
Web: http://contiv.io
Live chat: contiv.slack.com
BRKSDN-2256 78

• Give us your feedback to be
entered into a Daily Survey
Drawing. A daily winner will
receive a $750 gift card.
• Complete your session surveys
through the Cisco Live mobile
app or on www.CiscoLive.com/us.
Complete Your Online
Session Evaluation
Don’t forget: Cisco Live sessions will be
available for viewing on demand after the
event at www.CiscoLive.com/Online.

Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
80BRKSDN-2256

Docker Enterprise Networking and Cisco Contiv - Cisco Live 2017 BRKSDN-2256

Docker Enterprise Networking and Cisco Contiv - Cisco Live 2017 BRKSDN-2256

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Docker Enterprise Networking and Cisco Contiv - Cisco Live 2017 BRKSDN-2256

Ähnlich wie Docker Enterprise Networking and Cisco Contiv - Cisco Live 2017 BRKSDN-2256 (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Docker Enterprise Networking and Cisco Contiv - Cisco Live 2017 BRKSDN-2256