The following sections emphasize system solution design considerations.
Introduction to Cisco ACI
Cisco Application Centric Infrastructure (ACI) technology provides the capability to insert Layer 4 through Layer 7 (L4-L7) functions using an approach called service graph. The industry normally refers to the capability to add L4-L7 devices in the path between endpoints as “service insertion”. Cisco ACI service graph technology can be considered a superset of service insertion.
This document describes the service graph concept and how to design for service insertion with the service graph.
As Figure 3-1 shows, Layer 4 through Layer 7 services can be physically located anywhere in the fabric, and they can be running as physical appliances or as virtual appliances.
Figure 3-1 Cisco ACI Fabric with Layer 4 Through Layer 7 Services
Cisco ACI Benefits
The main purpose of a data center fabric is to move traffic from physical and virtualized servers and forward it to its destination, and while doing so apply meaningful Layer 4 through Layer 7 services such as firewalls, load balancing, traffic inspection, SSL offloading, and application acceleration.
The main benefits of using a Cisco ACI fabric to provision Layer 4 through Layer 7 services include:
- Single point of provisioning through the GUI, the Representational State Transfer (REST) API, or Python scripts
- Powerful scripting and programming environment with a Python software development kit (SDK)
- Capability to provision very complex topologies instantaneously
- Capability to add and remove workloads from the load balancers or firewall configurations without human intervention
- Capability to create a logical flow of functions instead of just a sequence of Layer 4 through Layer 7 devices
- Multitenancy (network slicing) on the fabric and on the service devices
- Capability to create portable configuration templates
- Intuitive and easy configuration process
One of Cisco ACI’s several innovations in the area of service insertion is that Cisco ACI allows you to concatenate functions offered by individual Layer 4 through Layer 7 devices instead of simply connecting discrete boxes in sequence.
Citrix NetScaler SDX Overview
The Citrix® NetScaler® SDX platform optimizes delivery of applications over the Internet and private networks, combining application-level security, optimization, and traffic management into a single, integrated appliance. After NetScaler SDX appliances are installed in a data center, all connections to managed servers can be routed through them to control incoming and outgoing network traffic.
The Citrix NetScaler SDX platform delivers fully isolated NetScaler instances hosted on a single physical appliance (Figure 3-2). Each instance is a full-blown NetScaler VPX environment that optimizes application delivery. Each NetScaler instance performs configured application-level security, optimization, and traffic management functions. For SharePoint environments, NetScaler instances provide application load balancing, SSL offloading of encryption/decryption operations to hardware, content switching, database load balancing, application firewall, and Global Server Load Balancing (GSLB).
Figure 3-2 A Citrix NetScaler SDX Appliance Hosts Multiple Virtual NetScaler VPX Instances
Each NetScaler VPX instance runs as a separate virtual machine with its own dedicated NetScaler kernel, CPU resources, memory, address space, and bandwidth allocations. Network I/O is done in a way that not only maintains aggregate system performance but also enables complete segregation of each tenant's data and management-plane traffic.
NetScaler VPX features include Layer 4 through Layer 7 traffic management (L4 load balancing, L7 content switching, database load balancing), application acceleration, application security/firewall, and network integration.
The NetScaler SDX appliance is equipped with 10 Gbps Ethernet (10GE) and 1 Gbps Ethernet (1GE) ports—the type and number of ports vary according to the specific NetScaler SDX model. The connections can form an EtherChannel bundle, which is desirable for an appliance-based service design in the Cisco InterCloud Data Center ACI architecture.
This system solution uses the NetScaler SDX 11542 that features eight 10GE ports and four 1GE ports (fiber or copper). This model has 16 SSL cores to accelerate SSL encryption and decryption offloading in hardware. The NetScaler SDX 11542 can support up to 20 NetScaler virtual instances. On this NetScaler SDX model, pay-as-you-grow licensing delivers from 15 Gbps at the entry level and up to 42 Gbps at the highest level for HTTP traffic with a single instance.
Cisco Intercloud DC ACI 1.0 Architecture
The Cisco Intercloud Data Center ACI 1.0 Implementation Guide describes the underlying Silver Tenant container, including the network fabric and infrastructure design, used for this system solution. This guide (available through your Cisco account team or partner) gives procedures to construct a Silver Tenant container.
Cisco Intercloud Fabric is a software solution that enables customers to manage and access their workloads across multiple public clouds in heterogeneous environments, giving customers the choice and flexibility to place their workloads where it benefits them the most, according to technical (capacity, security, etc.) or business (compliance, etc.) needs.
With Cisco Intercloud Fabric, customers can choose which networks can be securely extended to the public cloud, and consistent network configuration and security policies can be enforced throughout the hybrid cloud. The Intercloud Fabric mechanism for enforcing security goes beyond the secure tunnel between private and public clouds and extends security all the way to the Virtual Machines (VMs) running in the cloud, so the communication between these VMs in the cloud can be secured as well. This mechanism is explained later in this document.
Figure 3-3 shows the solution footprint for enterprise customers, where Cisco Intercloud Fabric for Business can be deployed in the private cloud in heterogeneous environments. This software solution gives IT an admin portal that allows management of workloads, security policies, and network extension to the cloud, and includes northbound API capabilities to allow integration with existing private cloud management solutions. IT customers, including enterprise lines of business, can take advantage of the Intercloud Fabric for Business embedded self-service catalog to create new workloads in multiple clouds, and manage workload lifecycle and migration through its end-user portal.
Figure 3-3 Cisco Intercloud Fabric Solution
Cisco Intercloud Fabric for Provider is a multi-tenant software appliance that is installed and managed by the cloud providers that are part of the Intercloud Fabric ecosystem. This virtual appliance creates Cloud API uniformity across different cloud providers and abstracts the complexity of supporting heterogeneous Cloud APIs. In the future, Intercloud Fabric for Provider will help to build Cisco infrastructure-specific differentiation for all Cisco Powered Cloud Providers.
Cisco Intercloud Fabric gives customers multiple choices of cloud providers, including the ecosystem of Cisco Powered Cloud Providers and hyperscale public clouds such as Amazon EC2 and Microsoft Azure. Cisco believes that business customers also want a choice of hypervisors for their virtualized environment, so it is important that the solution enabling hybrid cloud be hypervisor-agnostic. Multiple hypervisors on premises and off premises can make workload mobility and portability difficult, but Cisco Intercloud Fabric resolves this problem and makes it transparent for customers, allowing workloads to be moved to multiple clouds and back to the enterprise.
In summary, Cisco Intercloud Fabric aims to provide greater agility in response to business needs and addresses many potential challenges for hybrid cloud deployments. Benefits include:
- Workload security throughout the resulting hybrid clouds
- Consistent operations and workload portability across clouds. Cisco Intercloud Fabric delivers unified hybrid cloud management for end users and IT administrators, enabling workload mobility to and from service provider clouds for physical and virtual workloads
- Highly secure, scalable connectivity that extends private clouds to service provider clouds, protecting critical business assets and meeting compliance requirements
- Self-service consumption of hybrid resources with end-user and IT portals
- Workload provisioning and bidirectional migration
- End-to-end security with consistent policy enforcement
- A single point of management and control for physical and virtual workloads
- A choice of cloud providers and hypervisors
Cisco Intercloud DC ACI 1.0 Architecture with Silver Cloud Consumer Model
The Cisco Intercloud DC ACI 1.0 architecture with the Silver cloud consumer model is defined by describing the container and its layout.
Silver Tenant Container
While providing Infrastructure as a Service (IaaS) solutions, cloud providers look for a tiered model that can support a variety of applications. Based on customer requirements, services can be differentiated into a multi-tier infrastructure. Such a model provides flexibility in expanding services by adding resources. The Silver Tenant is one such container, which provides application availability with a dedicated load balancing service.
Silver Tenant Container Layout
As described in the Cisco Intercloud Data Center ACI 1.0 Implementation Guide, a Silver Tenant Container has the capability to provide various application services with Layer 3 (L3) support. It maintains a logical separation from other network containers in a shared infrastructure. Dedicating a unique VRF for each silver tenant helps to maintain the logical isolation. Figure 3-4 shows an overview of the Silver Tenant model.
Figure 3-4 Silver Tenant Model
Each tenant can host different applications based on customer requirements. This may require a number of application tiers of virtual machines (VMs) to be implemented such as web, application, and database. In the implementation guide, the Silver Tenant Container is defined with three application tiers. Each tier has a unique VLAN assigned and hosts web, application and database services. The Silver Tenant also provides load-balancing services for the application tiers using Citrix NetScaler SDX appliances. The SDX units are deployed in a physical 1-arm mode but in a logical 2-arm mode. This section covers the following topics:
- Physical Topology
- Logical Topology
- Tenant Construction
Solution Topology and Design Principles
Appliances don’t need to be placed in any particular place in the fabric. They can run as physical appliances connected to any leaf, or as virtual appliances running on any virtualized server.
Physical appliances can run with multiple virtual instances as well. Cisco ACI can model this concept in the construction of the policy.
Figure 3-5 shows the Silver tenant physical topology. Tiers hosting applications are deployed on Cisco UCS B-Series Servers. NetScaler VPX instances are deployed on NetScaler SDX appliances. Cisco ASR 1000 Series Routers (specifically ASR 1004s) provide external connectivity to the applications.
Figure 3-5 Physical Topology for an ACI Silver Tenant
In this section, the physical topology is translated into a logical layout. Figure 3-6 shows how the Silver container is constructed logically. The logical topology can be divided into two sections: first, ACI Fabric to Application Servers; and second, ACI Fabric to the Internet.
Figure 3-6 Logical Topology for an ACI Silver Tenant
A unique VRF is assigned to each Silver Tenant and is defined on the access leafs in the fabric. Each application tier and each load balancer is assigned a specific VLAN, and these VLANs are part of the VRF assigned to the Silver Tenant. The fabric serves as the default gateway for each of the tiers and for the NetScalers. In this document, a single EPG is used to host a tier that serves web and database functionality.
Because the ACI Fabric is the default gateway, it can route packets from one tier to another for both load-balanced and non-load-balanced flows. For external connectivity, two leafs in the fabric are used as border leafs to connect to the ASR 1000 routers using port channels. Switched virtual interfaces (SVIs) are configured on the leaf switches, and static routes direct packets to the edge router. Interior BGP (iBGP) is configured between the two devices to advertise the routes that allow traffic to reach the application tiers; loopback interfaces are configured for this iBGP peering.
APIC Tenant Construction
The previous section supplies details on how the Silver Tenant is constructed physically and logically. It can be mapped to a tenant in APIC by putting a number of pieces together. Figure 3-7 shows the different pieces put together to create a tenant through APIC.
Figure 3-7 Silver Tenant—APIC
User Roles and Security Domain
Authentication, Authorization, and Accounting (AAA) functions for the ACI Fabric are managed by APIC policies. User privileges, roles, and security domains together provide this functionality. By assigning read/write access to users, the administrator can restrict a tenant from seeing any other tenant's details, which enables isolation among the tenants. A set of roles is defined in the ACI Fabric, such as aaa, access-admin, fabric-admin, admin, tenant-admin, vmm-admin, and so on. These roles have no-access, read-only, and read-write privileges associated with them. By assigning specific privileges to a user, access to functions in the system can be restricted. A security domain is a tag used in the ACI MIT object tree. A tenant can be linked to a security domain; thus access to the tenant object can be restricted to that security domain, and therefore to the users that are part of it. This can be configured in the GUI or through the REST API.
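The following added example (not from the guide or from Cisco) builds the APIC REST payloads that implement the isolation just described: a security domain, a tenant tagged with that domain, and a user whose role is scoped to it. The MIT class names (aaaDomain, aaaDomainRef, fvTenant, aaaUser, aaaUserDomain, aaaUserRole) and the privType values readPriv/writePriv are the standard ACI object model; the controller URL, tenant, domain and user names are constructed placeholders.

```python
"""APIC REST payloads for tenant isolation through a security domain.
Added illustration, not code from the guide. Class names are the ACI MIT
classes; all names, passwords and the controller URL are constructed."""
import json
import ssl
import urllib.request

APIC_URL = "https://apic.example.invalid"  # placeholder, not a real controller


def security_domain(domain):
    """aaaDomain: the tag under uni/userext that tenants and users share."""
    return {"aaaDomain": {"attributes": {"dn": f"uni/userext/domain-{domain}",
                                         "name": domain}}}


def tenant_in_domain(tenant, domain):
    """fvTenant tagged with an aaaDomainRef child, so it is visible only
    to users holding a role in that security domain."""
    return {"fvTenant": {"attributes": {"dn": f"uni/tn-{tenant}", "name": tenant},
                         "children": [{"aaaDomainRef": {"attributes": {"name": domain}}}]}}


def scoped_user(user, pwd, domain, role="tenant-admin", write=False):
    """aaaUser whose role applies only inside one security domain;
    privType selects the read-only or read/write privilege."""
    priv = "writePriv" if write else "readPriv"
    role_mo = {"aaaUserRole": {"attributes": {"name": role, "privType": priv}}}
    dom_mo = {"aaaUserDomain": {"attributes": {"name": domain}, "children": [role_mo]}}
    return {"aaaUser": {"attributes": {"dn": f"uni/userext/user-{user}", "name": user,
                                       "pwd": pwd, "accountStatus": "active"},
                        "children": [dom_mo]}}


def visible_tenants(user_mo, tenant_mos):
    """Offline model of the isolation rule: a tenant is visible to a user
    only when its aaaDomainRef matches one of the user's aaaUserDomain tags."""
    user_domains = {d["aaaUserDomain"]["attributes"]["name"]
                    for d in user_mo["aaaUser"]["children"]}
    visible = []
    for t in tenant_mos:
        refs = {c["aaaDomainRef"]["attributes"]["name"]
                for c in t["fvTenant"].get("children", []) if "aaaDomainRef" in c}
        if refs & user_domains:
            visible.append(t["fvTenant"]["attributes"]["name"])
    return visible


def post_mo(token, mo):
    """POST one object to the MIT root; token comes from /api/aaaLogin.json."""
    req = urllib.request.Request(f"{APIC_URL}/api/mo/uni.json", method="POST",
                                 data=json.dumps(mo).encode(),
                                 headers={"Cookie": f"APIC-cookie={token}"})
    ctx = ssl.create_default_context()  # verify the APIC certificate
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read())
```

Pushing the three payloads in the order domain, tenant, user gives the Silver tenant's operators read-only visibility of their own tenant subtree and nothing else; `visible_tenants` lets you check that mapping before anything is posted.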