Cisco UCS Director is a unified infrastructure management solution that provides management from a single interface for compute, network, storage, and virtualization layers. Cisco UCS Director uses a workflow orchestration engine with workflow tasks that support the compute, network, storage, and virtualization layers. Cisco UCS Director supports multitenancy, which enables policy-based and shared use of the infrastructure.
Cisco Application Centric Infrastructure (ACI) allows application requirements to define the network. This architecture simplifies, optimizes, and accelerates the entire application deployment cycle.
Note | To use ACI 1.1(1*), ensure that TLSv1 is enabled in Cisco Application Policy Infrastructure Controller (APIC). In APIC, choose Fabric > Fabric Resources > Pod Policies > Communication > Default and enable TLSv1. |
The Cisco Application Policy Infrastructure Controller (APIC) is the unified point of automation, management, monitoring, and programmability for the Cisco Application Centric Infrastructure (ACI). The APIC supports the deployment, management, and monitoring of any application anywhere, with a unified operations model for physical and virtual components of the infrastructure. It is the central control engine for the broader cloud network. The APIC programmatically automates network provisioning and control, based on user-defined application requirements and policies. For more information about the Cisco APIC, see the Cisco UCS Director APIC Management Guide for this release.
The orchestration feature allows you to automate APIC configuration and management tasks in workflows. A complete list of the APIC orchestration tasks is available in the Workflow Designer, and in the Task Library. For more information about orchestration in Cisco UCS Director, see the Cisco UCS Director Orchestration Guide for this release.
Establish networks in a VMware environment.
Provision multiple VMs from a network.
Provide a way to isolate those networks using gateways (for example, Linux, ASAv).
Allow load balancing the container network using VPX or SDX load balancers.
Use a Cisco Application Centric Infrastructure Controller (APIC).
Provision a baremetal server and/or VMs.
You must perform the following Cisco UCS Director tasks before you can create an APIC application container. For additional information regarding these tasks, refer to the Cisco UCS Director APIC Management Guide for this release.
Add and configure an APIC account.
Add a service offering.
Add a tenant profile.
Add a tag library. See the Cisco UCS Director Administration Guide for this release for information on creating tags.
Add a resource group.
Add a firewall policy (optional).
Cisco UCS Director APIC application containers have the following limitations:
Tenant onboarding must be done before container creation and usage.
Resource groups must contain the accounts necessary to manage a container's resources. This can be any combination of storage, compute, network, and virtual resources.
Only VMware hosts deployed on Cisco UCS blade servers can be included in resource groups.
The figure below illustrates the flow of the APIC Application Container creation process within Cisco UCS Director.
The ASAv brings full firewall functionality to virtualized environments in order to secure data center traffic and multi-tenant environments. The ASAv VM deployment policy is used in the Deploy ASAv VM from OVF task.
You can create a firewall policy rule that permits network traffic over specific ports between endpoints.
When creating an application profile, you can choose to use a firewall or load balancer for each tier in an application profile. When you create an L4-L7 policy, you can choose a firewall policy from one of the firewall policies that you created in Cisco UCS Director.
Step 1 | On the menu bar, choose . |
Step 2 | Click the APIC Firewall Policy tab. |
Step 3 | Click Add. |
Step 4 | In the Create Firewall Policy dialog box, complete the following fields: |
Step 5 | Click Submit. |
The APIC network policy is an optional policy used in the network (tier) configuration of the application profile. The APIC network policy overrides the default settings used to provision an APIC application container. You can create a policy to specify tenant or container private networks, create subnetworks, and create end point groups (EPGs).
Step 1 | On the menu bar, choose . |
Step 2 | Click the APIC Network Policy tab. |
Step 3 | Click Add. |
Step 4 | In the Create Network Policy dialog box, complete the following fields: |
Step 5 | Click Submit. |
The APIC has an open northbound API that allows you to not only provision services in the fabric, but also to provision Layer 4 to Layer 7 services, such as firewall and load balancer, that attach to the fabric.
Step 1 | On the menu bar, choose . |
Step 2 | Click the L4 - L7 Service Policy tab. |
Step 3 | Click Add. |
Step 4 | In the Add L4-L7 Service Policy dialog box, complete the following fields: |
Step 5 | Click Submit. |
The network device system parameters policy sets the NTP and SNMP parameters that must be configured on a load balancer (LB) device. You can optionally select this policy when you create a Layer 4 to Layer 7 service policy to define the NTP and SNMP parameters for configuring an LB device.
While provisioning an APIC container, you have to choose the application profile with the created Layer 4 to Layer 7 service policy so that the corresponding NTP and SNMP parameters are set on device clusters in APIC and configured on the LB device.
Step 1 | On the menu bar, choose . |
Step 2 | Click the Network Device System Parameters Policy tab. |
Step 3 | Click Add. |
Step 4 | In the Add Network Device Policy dialog box, complete the following fields: |
Step 5 | Click Submit. |
You choose the network device policy during creation of a Layer 4 to Layer 7 service policy to define the NTP and SNMP parameters for configuring a LB device.
An application profile is a description of the infrastructure required for the deployment of an application. These infrastructure requirements include baremetal configurations, virtual machines (VMs), L4-L7 policies, and connection policies.
Note | You can perform a container provisioning either in the VMware environment or Hyper-V environment. |
The following image explains the dependencies of the application profile:
Step 1 | On the menu bar, choose . |
Step 2 | Click the Application Profile tab.
The application profiles that are available in Cisco UCS Director appear. Choose an application profile and click View to view the name, description, and service offering of the application profile. When you choose an application profile and click View Details, the following tabs appear: |
Step 3 | Click Add. |
Step 4 | In the Add Application Profile dialog box, complete the following fields: |
Step 5 | Click Next. |
Step 6 | In the Networks screen, complete the following fields: |
Step 7 | (Optional) In the Network field of the Networks screen, click the + icon to configure the tier for application.
In the Add Entry to Networks dialog box, complete the following fields: |
Step 8 | Click Next. |
Step 9 | In the Application screen, do the following: |
Step 10 | In the Application screen, do the following: |
Step 11 | Click Next. |
Step 12 | In the Contracts screen, you can define the rule for communication in multi-tier applications.
Contracts are policies that enable inter-End Point Group (inter-EPG) communication. These policies are the rules that specify communication between application tiers. If no contract is attached to the EPG, inter-EPG communication is disabled by default. No contract is required for intra-EPG communication because intra-EPG communication is always allowed.
A contract can contain multiple subjects. A subject can be used to realize uni- or bidirectional filters. A unidirectional filter is a filter that is used in one direction, either consumer-to-provider (IN) or provider-to-consumer (OUT). A bidirectional filter is the same filter that is used in both directions. It is not reflexive.
A new contract is created for each source-to-destination network pair. For example, if there are multiple rules defined between Web tier as source and application tier as destination network, a single contract will be created on APIC to hold the contract information between Web tier as source and application tier as destination network. For a contract, a new subject is created if the rule defines a unidirectional or bidirectional filter. A subject is reused for multiple rules under the same contract depending on whether the rule includes a unidirectional or bidirectional filter. A new filter is created for a specific rule. A new filter rule is created for every rule defined between networks.
Click the + icon to add the communication protocol details: |
Step 13 | Click Next. |
Step 14 | In the Policy screen, do the following: |
Step 15 | In the L4-L7 Service Policy screen, check the Configure L4-L7 Service check box to configure the Layer 4 to Layer 7 service in the application profile. If the Configure L4-L7 Service check box is checked, the following fields appear: |
Step 16 | Click Submit. |
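The contract grouping that Step 12 describes, together with the default-deny behaviour between EPGs, modelled as an added example (not Cisco UCS Director or APIC code). The tier names, ports, the `Rule` fields and the treatment of a unidirectional rule as consumer-to-provider only are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    src: str                     # source network / tier (consumer EPG)
    dst: str                     # destination network / tier (provider EPG)
    protocol: str
    port: int                    # destination port matched by the filter
    bidirectional: bool = False  # False: consumer-to-provider only (assumption)


@dataclass
class Subject:
    bidirectional: bool
    filters: list = field(default_factory=list)   # one filter entry per rule


@dataclass
class Contract:
    src: str
    dst: str
    subjects: dict = field(default_factory=dict)  # keyed by bidirectional flag


def build_contracts(rules):
    """One contract per (source, destination) pair; one subject per
    direction type inside it; one filter per rule."""
    contracts = {}
    for rule in rules:
        if rule.src == rule.dst:
            continue  # intra-EPG traffic is always allowed, no contract needed
        key = (rule.src, rule.dst)
        contract = contracts.setdefault(key, Contract(rule.src, rule.dst))
        subject = contract.subjects.setdefault(
            rule.bidirectional, Subject(rule.bidirectional))
        subject.filters.append((rule.protocol, rule.port))
    return contracts


def is_allowed(contracts, src, dst, protocol, port):
    """Evaluate a flow: intra-EPG always passes, inter-EPG needs a contract."""
    if src == dst:
        return True
    forward = contracts.get((src, dst))
    if forward and any((protocol, port) in s.filters
                       for s in forward.subjects.values()):
        return True
    # A bidirectional filter is the same filter applied in the reverse
    # direction (not reflexive), so the provider may initiate on that port.
    reverse = contracts.get((dst, src))
    if reverse and True in reverse.subjects:
        return (protocol, port) in reverse.subjects[True].filters
    return False


def reverse_paths(contracts):
    """Provider-to-consumer flows opened by bidirectional subjects,
    the entries worth a second look in a rule review."""
    found = []
    for (src, dst), contract in contracts.items():
        subject = contract.subjects.get(True)
        if subject:
            found.extend((dst, src, proto, port)
                         for proto, port in subject.filters)
    return sorted(found)


# Constructed sample rules for a three-tier container (not from the page).
RULES = [
    Rule("web", "app", "tcp", 8080),
    Rule("web", "app", "tcp", 8443),
    Rule("app", "db", "tcp", 3306, bidirectional=True),
    Rule("web", "web", "tcp", 22),
]

if __name__ == "__main__":
    built = build_contracts(RULES)
    print(sorted(built))            # contract per source-destination pair
    print(reverse_paths(built))     # reverse flows opened by bidirectional rules
```

Running `reverse_paths` over a container's rule set before submitting the profile shows which bidirectional rules also let the provider tier initiate traffic toward the consumer tier.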
Step 1 | On the menu bar, choose . |
Step 2 | Click the Application Profile tab. |
Step 3 | Choose an application profile. |
Step 4 | Click Clone. |
Step 5 | In the Clone Application Profile dialog box, complete the following fields: |
Step 6 | Click Next. |
Step 7 | In the Networks screen, complete the following fields: |
Step 8 | (Optional) In the Network field of the Networks screen, click the + icon to configure the tier for application.
In the Add Entry to Networks dialog box, complete the following fields: |
Step 9 | Click Next. |
Step 10 | In the Application screen, add VM-based application components: |
Step 11 | In the Application screen, add baremetal application components: |
Step 12 | Click Next. |
Step 13 | Click the + icon to add the communication protocol details. |
Step 14 | Click Next. |
Step 15 | In the Policy screen, do the following: |
Step 16 | In the L4-L7 Service Policy screen, check the Configure L4-L7 Service check box to configure the Layer 4 to Layer 7 service in the application profile. If the Configure L4-L7 Service check box is checked, the following fields appear: |
Step 17 | Click Submit. |
Step 1 | On the menu bar, choose . |
Step 2 | Click the Application Profile tab. |
Step 3 | Choose an application profile. |
Step 4 | Click Edit. |
Step 5 | In the Edit Application Profile dialog box, complete the following fields: |
Step 6 | Click Next. |
Step 7 | In the Networks screen, complete the following fields: |
Step 8 | (Optional) In the Network field of the Networks screen, click the + icon to configure the tier for application.
In the Add Entry to Networks dialog box, complete the following fields: |
Step 9 | Click Next. |
Step 10 | In the Application screen, add VM-based application components: |
Step 11 | In the Application screen, add baremetal-based application components: |
Step 12 | Click Next. |
Step 13 | Click the + icon to add the communication protocol details. |
Step 14 | Click Next. |
Step 15 | In the Policy screen, do the following: |
Step 16 | In the L4-L7 Service Policy screen, edit the Layer 4 to Layer 7 service configuration. |
Step 17 | Click Submit. |
Note | You cannot delete an application profile that is in use. |
Step 1 | On the menu bar, choose |
Step 2 | Click the Virtual Infrastructure Policies tab. |
Step 3 | Click Add Policy. |
Step 4 | In the Virtual Infrastructure Policy Specification screen, complete the following fields: |
Step 5 | Click Next. |
Step 6 | In the Virtual Infrastructure Policy - APIC Information screen, complete the following fields. |
Step 7 | Click Next. |
Step 8 | The Virtual Infrastructure Policy - Summary screen displays the current configuration. |
Step 9 | Click Submit. |
Before you can create an APIC application container you must create a template.
Create a virtual infrastructure policy.
Step 1 | On the menu bar, choose . |
Step 2 | Click the Application Container Templates tab. |
Step 3 | Click Add Template. The Application Container Template screen appears. Complete the following fields: |
Step 4 | Click Next. |
Step 5 | The Application Container Template - Select a Virtual infrastructure policy screen appears. Complete the following selections: |
Step 6 | Click Next. The Application Container - Options screen appears. Complete the following selections: |
Step 7 | Click Next to view the Summary screen. |
Step 8 | Click Submit to complete the creation of the application container template. |
Once you create an application container template you can use the template administrator to initiate a service request that will create an application container.
Create an application container template.
Step 1 | Choose . |
Step 2 | Click the Application Container Templates tab. |
Step 3 | Choose an APIC template. |
Step 4 | Click Create Container. |
Step 5 | In the Create container from template dialog box, complete the following fields: |
Step 6 | Click Submit. The Submit Result dialog box appears. |
Step 7 | Click OK. |
Step 8 | Click the Application Containers tab. The new container appears in the Application Containers pane. |
APIC application containers support L4-L7 services. This procedure describes how to configure L4-L7 services for an existing container. You can add a load balancer service using the userAPIAddLBService API.
Create an APIC application container.
Note | This section describes how to add an L4-L7 service to an existing application container. You can instead configure L4-L7 services in an APIC application profile, where they will be deployed with every application container using that profile. For more information on configuring L4-L7 services in an application profile, see Layer 4 to Layer 7 Service Policy. |
Step 1 | On the menu bar, choose . |
Step 2 | Click the Application Container tab. |
Step 3 | Click on an existing application container. |
Step 4 | Click the Configure L4-L7 Services icon. |
Step 5 | In the L4-L7 Configuration dialog box, complete the following fields: |
Step 6 | Click Submit. |
Cisco UCS Director allows an administrator or end user to create an APIC application container with L4-L7 services.
Step 1 | On the menu bar, choose . |
Step 2 | Click the Application Container tab. |
Step 3 | Click an existing application container. |
Step 4 | Choose any L4-L7 service with Firewall service type. The Firewall Rules screen appears. |
Step 5 | Click the Add Rule (+) icon to add a new firewall rule. |
Step 6 | In the Add Firewall Rule dialog box, complete the following fields: |
Step 7 | Click Submit. |
To make changes to a firewall rule, choose the firewall rule and click Modify Rule. To remove a firewall rule, choose the firewall rule and click Delete Rule.
Cisco UCS Director allows an administrator or end user to create an APIC application container with L4-L7 services.
Step 1 | On the menu bar, choose . |
Step 2 | Click the Application Container tab. |
Step 3 | Click an existing application container. |
Step 4 | Choose any L4-L7 service with Load Balancer service type. The LB Servers screen appears. |
Step 5 | In the Add Servers dialog box, choose any VM(s) from the table. |
Step 6 | In the Port field, enter the port number. The selected VMs are configured with this port number. |
Step 7 | Click Submit. |
To remove the load balancer server, click Remove Servers.
Create and deploy an existing application container with one or more L4-L7 services.
You can view the contract or security rules created for each application container in Cisco UCS Director. You can add the security rules between the tiers of the same container or different containers within that tenant.
Create an APIC application container.
Step 1 | On the menu bar, choose . |
Step 2 | Click the Application Container tab. |
Step 3 | Click an existing application container. |
Step 4 | Click the Contracts tab. |
Step 5 | Click the Add Contract (+) icon to add a new contract. |
Step 6 | In the Add Entry to Contracts dialog box, complete the following fields: |
Step 7 | Click Submit. You can drill down each contract to view the following reports: |
You need to drill down each contract to view all the security rules created for each application container in Cisco UCS Director.
Cisco UCS Director allows an administrator and end user to create an APIC application container to add the security rules created for each application container.
Step 1 | Click Add to add a new security rule. |
Step 2 | In the Add Entry to Contracts dialog box, complete the following fields: |
Step 3 | Click Submit. The security rule is created for the application container. |
Create an APIC application container.
In an APIC container, you can create both a firewall and a load balancer in series between two networks. This process is called L4-L7 service chaining, or just service chaining, and the resulting firewall - load balancer series is called a service chain.
There are two ways to create a service chain in an APIC container:
Create the service chain in an existing container. See Configuring L4-L7 Services.
Create both the firewall and the load balancer as part of a container's Application Profile. In this case, both services are provisioned when the container is created. See Adding an Application Profile and Adding a Layer 4 to Layer 7 Service Policy.
You can add VMs to an existing APIC container in the same way you add VMs to other types of containers. See Adding VMs.
Note | You can add only one network adapter when adding a VM to an existing container using an image. You can use a predefined template with multiple adapters if you created such a template in your application profile. |
Note | You cannot add the VMs to the container through the Add VMs to APIC Container workflow. You can add VMs only by clicking Add VMs or through the API. |
Create an APIC application container.
Create an APIC application container.
Step 1 | On the menu bar, choose . |
Step 2 | Choose an existing application container. |
Step 3 | Click Add Tier/Network. |
Step 4 | In the Add Tier/Network dialog box, complete the following fields: |
Step 5 | Click Submit. The new tier or network is created. You can select a virtual machine and add a vNIC to the container network. |
Create and deploy an existing application container with one or more VMs. Before adding the virtual network interface card (vNIC) to the VM, the VM provisioned in the container must run the VMware tools and the Ethernet interfaces must be up.
Step 1 | On the menu bar, choose . |
Step 2 | Click the Application Container tab. Click an existing application container. |
Step 3 | Click the Virtual Machines tab. From the list of VMs, select a VM. |
Step 4 | Click Add vNICs. |
Step 5 | In the Add vNICs to Container Network dialog box, complete the following fields: |
Step 6 | Click Submit. The VM is powered OFF to add the vNIC to the container VM. The VM is powered ON once the vNIC is added to the container network. |
Create and deploy an existing application container with one or more VMs.
Step 1 | On the menu bar, choose . |
Step 2 | Click the Application Container tab. Click an existing application container. |
Step 3 | Click the Virtual Machines tab. From the list of VMs, select a VM of the vNIC that you want to delete. |
Step 4 | Click Delete vNICs. |
Step 5 | In the Delete VM vNICs dialog box, choose the vNIC that you want to delete. |
Step 6 | Click Submit. The VM vNIC is deleted. |
Note | Baremetal servers are supported only in APIC containers. |
Before adding baremetal servers to a container, you must add Baremetal Agent to Cisco UCS Director. See the Cisco UCS Director Baremetal Agent Installation and Configuration Guide for this release.
Step 1 | Choose . |
Step 2 | Click the Application Containers tab. |
Step 3 | Choose a container. |
Step 4 | Click Add BMs. |
Step 5 | In the Add BMs dialog box, click the Add (+) icon to add a new BM. |
Step 6 | In the Add Entry dialog box, complete the following fields: |
Step 7 | Click Submit. |
Step 8 | To add more BMs, repeat the procedure starting with Step 5. |
Step 9 | When you have defined all the required BMs, click Submit in the Add BMs dialog. |
Create and deploy an existing application container with one or more baremetal servers.
Create and deploy an existing application container with one or more disks associated with a bare metal server.
Step 1 | On the menu bar, choose . |
Step 2 | Choose an application container. |
Step 3 | Click Bare Metals. |
Step 4 | Choose the baremetal server from which the disk is to be deleted. |
Step 5 | Click Delete Disk. |
Step 6 | Choose the BM LUNs identity number that you want to delete from the table. |
Step 7 | Click Submit. |
Step 8 | In the confirmation dialog box, click OK. |
Create and deploy an existing application container with one or more baremetal servers.