© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Slide 1: The ACI solution

Slide 2: Internet e-commerce and big data

Slide 3: Application -> application server; files -> file server; database -> database server

Slide 6: Infrastructure, application system, business requirements

Slide 7: The application system's language and the infrastructure's language
Today the translation between the two is done by people. Since neither side is familiar with the other's domain, how do you make sure the requirements are translated correctly?
Application-side language:
  High concurrency, heavy traffic
  High availability: 24x7
  Massive data volumes
  Widely distributed users
  Security: the site gets attacked, passwords leak
  Requirements change quickly, releases are frequent
Infrastructure-side language:
  Port counts
  Core layer, access layer
  Bandwidth and link speeds
  VLAN allocation
  IP address planning
  Firewalls
  QoS
  Load balancing
  CPU, memory, NICs, storage

Slide 8: Application team: application tiers, provider/consumer relationships.
Infrastructure team: VLANs, subnets, protocols, ports.
Application and infrastructure people have to translate each other's language themselves.

Slide 9: How do we get across this barrier?
With an architect who understands the business, knows the systems, and knows the network, servers and firewalls. Where do you find one?

Slide 10: Is there another way?

Slide 11: Soni Jiandani
Companies they founded that were subsequently acquired, the year, the price in USD, and the product line each became:
  Crescendo   1993   94M        Catalyst 5500/6500
  Andiamo     2002   750M       MDS 9000 / Nexus 7000
  Nuova       2009   678M       Nexus 5K/2K / UCS
  Insieme     2013   1 billion  ACI (Application Centric Infrastructure)

Slide 12: ACI translates the language of the application into the language of the network.
Application requirements: high bandwidth, security protection, load balancing, connected to the database, connected to the middleware, low latency.
Network requirements (diagram): VM 1, Server 1; LXC 1; Server 2, Server 1; VM 2.

Slide 13: The full product line at a glance
  Application Policy Infrastructure Controller (APIC)
  Open standards, embracing open source
  Nexus 9000 series switches
  Industry-leading partners

Slide 15: A traditional three-tier deployment
Diagram labels: Web Servers (www x3), App Servers (app x2), DB Servers (db x2); L3 router, FW, SLB, SSL, FW, SLB, FW; VLANs 666, 111, 222, 333, 444; IDS/IPS on VLAN 555 and VLAN 777.
Per-device configuration:

switch1:
  switch1(config)# interface eth 1/1
  switch1(config-if)# switchport mode access
  switch1(config-if)# switchport access vlan 666
  switch1(config-if)# no shut

router:
  router(config)# interface eth 1
  router(config-if)# ip address 6.6.6.1 255.255.255.0
  router(config-if)# no shut
  router(config)# interface eth 2
  router(config-if)# ip address 1.1.1.1 255.255.255.0
  router(config-if)# no shut
  router(config)# router eigrp 100
  router(config-router)# network 6.6.6.0 0.0.0.255
  router(config-router)# network 1.1.1.0 0.0.0.255
  router(config)# ip route 0.0.0.0 0.0.0.0 6.6.6.254

switch2:
  switch2(config)# interface eth 1/2-3
  switch2(config-if-range)# switchport mode access
  switch2(config-if-range)# switchport access vlan 111
  switch2(config-if-range)# no shut

fw1:
  fw1(config)# interface eth 0/1
  fw1(config-if)# nameif outside
  fw1(config-if)# security-level 0
  fw1(config)# interface eth 0/2
  fw1(config-if)# nameif webfront
  fw1(config-if)# security-level 20
  fw1(config)# object network webfront_vip
  fw1(config-network-object)# host 6.6.6.6
  fw1(config-network-object)# nat (webfront,outside) static 1.1.1.6
  fw1(config)# access-list outside_web permit tcp any host 6.6.6.6 eq 80
  fw1(config)# access-list outside_web permit tcp any host 6.6.6.6 eq 443
  fw1(config)# access-group outside_web in interface outside

switch3:
  switch3(config)# interface eth 1/4-5
  switch3(config-if-range)# switchport mode access
  switch3(config-if-range)# switchport access vlan 222
  switch3(config-if-range)# no shut

switch4 (web servers, VLAN 333):
  switch4(config)# interface eth 1/6
  switch4(config-if)# switchport mode access
  switch4(config-if)# switchport access vlan 333
  switch4(config-if)# no shut
  switch4(config)# interface eth 1/7-9
  switch4(config-if-range)# switchport mode access
  switch4(config-if-range)# switchport access vlan 333
  switch4(config-if-range)# no shut

switch5 (app servers on VLAN 444, IDS/IPS on VLAN 555, SPAN to the sensor):
  switch5(config)# interface eth 1/10-11
  switch5(config-if-range)# switchport mode access
  switch5(config-if-range)# switchport access vlan 444
  switch5(config-if-range)# no shut
  switch5(config)# interface eth 1/12-15
  switch5(config-if-range)# switchport mode access
  switch5(config-if-range)# switchport access vlan 555
  switch5(config-if-range)# no shut
  switch5(config)# monitor session 1 source vlan 555
  switch5(config)# monitor session 1 destination interface eth 1/16

switch6 (IDS/IPS on VLAN 777, SPAN to the sensor):
  switch6(config)# interface eth 1/16-19
  switch6(config-if-range)# switchport mode access
  switch6(config-if-range)# switchport access vlan 777
  switch6(config-if-range)# no shut
  switch6(config)# monitor session 1 source vlan 777
  switch6(config)# monitor session 1 destination interface eth 1/20

slb1 (CONFIG):
  probe http http-probe
    interval 30
    expect status 200 200
  rserver host websrvr1
    description foo web server
    ip address 3.3.3.1
    inservice
  rserver host websrvr2
    description foo web server
    ip address 3.3.3.2
    inservice
  rserver host websrvr3
    description foo web server
    ip address 3.3.3.3
    inservice
  serverfarm host FOOWEBFARM
    probe http-probe
    rserver websrvr1 80
      inservice
    rserver websrvr2 80
      inservice
    rserver websrvr3 80
      inservice
  crypto generate key 1024 fooyou.key
  crypto csr-params testparms
    country US
    state California
    locality San Jose
    organization-name foo
    organization-unit you
    common-name
    serial-number crisco123
  crypto generate csr testparms fooyou.key
  crypto import ftp 12.13.14.15 anonymous fooyou.cer
  parameter-map type ssl SSL_PARAMETERS
    cipher RSA_WITH_RC4_128_MD5
    version TLS1
  ssl-proxy service FOOWEB_SSL
    key fooyou.key
    cert fooyou.cer
  class-map match-all FOOSSL_VIP_CLASS
    2 match virtual-address 2.2.2.22 tcp eq https
  policy-map type loadbalance first-match FOOSSL-MATCH
    class L7_WEB
      sticky-serverfarm sn_cookie
  policy-map multi-match FOOWEB-VIP
    class FOOWEB_VIP_CLASS
      loadbalance vip inservice
      loadbalance policy FOOWEB-MATCH
      loadbalance vip icmp-reply
      loadbalance vip advertise active
    class FOOSSL_VIP_CLASS
      loadbalance vip inservice
      loadbalance policy FOOSSL-MATCH
      loadbalance vip icmp-reply
      loadbalance vip advertise active
      ssl-proxy server FOOWEB_SSL
  interface vlan 222
    service-policy input FOOWEB-VIP

fw2:
  fw2(config)# interface eth 0/1
  fw2(config-if)# nameif webfront
  fw2(config-if)# security-level 20
  fw2(config)# interface eth 0/2
  fw2(config-if)# nameif appfront
  fw2(config-if)# security-level 50
  fw2(config)# object network appfarm_vip
  fw2(config-network-object)# host 5.5.5.5
  fw2(config-network-object)# nat (appfront,webfront) static 4.4.4.4
  fw2(config)# access-list web_to_app permit tcp any host 4.4.4.4 eq 8081

slb2 (CONFIG):
  rserver host appsrvr1
    description foo app server
    ip address 5.5.5.1
    inservice
  rserver host appsrvr2
    description foo app server
    ip address 5.5.5.2
    inservice
  rserver host appsrvr3
    description foo app server
    ip address 5.5.5.3
    inservice
  serverfarm host FOOAPPFARM
    probe http-probe
    rserver appsrvr1 8081
      inservice
    rserver appsrvr2 8081
      inservice
    rserver appsrvr3 8081
      inservice
  class-map type http loadbalance match-any FOO_APP
  class-map match-all FOO_APP_VIP_CLASS
    2 match virtual-address 4.4.4.44 tcp eq 8081
  policy-map type loadbalance first-match FOO_APP-MATCH
    class FOO_APP
      sticky-serverfarm sn_cookie
  policy-map multi-match FOO_APP-VIP
    class FOO_APP_VIP_CLASS
      loadbalance vip inservice
      loadbalance policy FOO_APP-MATCH
      loadbalance vip icmp-reply
      loadbalance vip advertise active

fw3:
  fw3(config)# interface eth 0/1
  fw3(config-if)# nameif appfront
  fw3(config-if)# security-level 70
  fw3(config)# interface eth 0/2
  fw3(config-if)# nameif dbfront
  fw3(config-if)# security-level 90
  fw3(config)# object network db_cluster
  fw3(config-network-object)# host 7.7.7.7
  fw3(config-network-object)# nat (dbfront,appfront) static 5.5.5.50
  fw3(config)# access-list app_to_db permit tcp any host 5.5.5.50 eq 1433
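A check a practitioner would run over the slb1 fragment above before copying it anywhere. The slide's SSL offload generates a 1024-bit RSA key and sets the RSA_WITH_RC4_128_MD5 suite with "version TLS1" (TLS 1.0): RC4 is prohibited in TLS by RFC 7465, and 2048 bits is the accepted RSA minimum today. The following Python linter is an added example, not Cisco's or the slide's code. It carries the weak fragment as constructed input next to an assumed hardened version; the hardened cipher and version tokens are written in the slide's naming style and are an assumption to verify against the platform's own keyword list.

```python
import re
from typing import List, Tuple

# The SSL-offload fragment exactly as configured on slide 15 (copied here as
# constructed input so the check runs offline).
WEAK_SLB_CONFIG = """\
crypto generate key 1024 fooyou.key
parameter-map type ssl SSL_PARAMETERS
  cipher RSA_WITH_RC4_128_MD5
  version TLS1
ssl-proxy service FOOWEB_SSL
  key fooyou.key
  cert fooyou.cer
"""

# A hardened equivalent (assumption: the key size, cipher and version tokens
# follow the slide's style; whether a given platform accepts these exact
# keywords must be checked against its own command reference).
HARDENED_SLB_CONFIG = """\
crypto generate key 2048 fooyou.key
parameter-map type ssl SSL_PARAMETERS
  cipher RSA_WITH_AES_256_CBC_SHA
  version TLS1_2
ssl-proxy service FOOWEB_SSL
  key fooyou.key
  cert fooyou.cer
"""

MIN_RSA_BITS = 2048
# Substrings that mark a suite as unacceptable: RC4 (RFC 7465), MD5, NULL,
# export-grade, and single or triple DES.
WEAK_CIPHER_TOKENS = ("RC4", "MD5", "NULL", "EXPORT", "DES_CBC", "3DES")
# On the slide "TLS1" means TLS 1.0; SSL 2/3 and TLS 1.0 are deprecated.
WEAK_VERSIONS = {"SSL2", "SSL3", "TLS1", "TLS1_0"}

Finding = Tuple[str, str]  # (rule id, detail)


def lint_ssl_config(config: str) -> List[Finding]:
    """Scan an SLB/ACE-style config for weak TLS settings, one finding per line."""
    findings: List[Finding] = []
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto generate key (\d+) (\S+)", line)
        if m and int(m.group(1)) < MIN_RSA_BITS:
            findings.append(("weak-key",
                             f"{m.group(2)}: {m.group(1)}-bit RSA, minimum is {MIN_RSA_BITS}"))
            continue
        m = re.match(r"cipher (\S+)", line)
        if m and any(tok in m.group(1).upper() for tok in WEAK_CIPHER_TOKENS):
            findings.append(("weak-cipher", m.group(1)))
            continue
        m = re.match(r"version (\S+)", line)
        if m and m.group(1).upper() in WEAK_VERSIONS:
            findings.append(("weak-version", m.group(1)))
    return findings


if __name__ == "__main__":
    for rule, detail in lint_ssl_config(WEAK_SLB_CONFIG):
        print(f"{rule}: {detail}")
    print("hardened findings:", lint_ssl_config(HARDENED_SLB_CONFIG))
```

Run against the slide's fragment it reports three findings (key size, cipher, protocol version); the hardened fragment reports none. The same approach extends to any text-based device config: the point is that the weakness lives in three tokens that are easy to grep for and easy to miss when the configuration is spread across a dozen devices.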
Slide 16: The same deployment when more web servers are needed
Same diagram and configuration as slide 15, plus two more www servers. Additional configuration required:

switch4 (added):
  switch4(config)# interface eth 2/7-9
  switch4(config-if-range)# switchport mode access
  switch4(config-if-range)# switchport access vlan 333
  switch4(config-if-range)# no shut

slb1 (ADDED CONFIG):
  rserver host websrvr4
    description foo web server
    ip address 3.3.3.4
    inservice
  rserver host websrvr5
    description foo web server
    ip address 3.3.3.5
    inservice
  serverfarm host FOOWEBFARM
    rserver websrvr4 80
      inservice
    rserver websrvr5 80
      inservice

Slide 17: In this traditional case
  Every device involved (router, switch, firewall, load balancer) has to be configured one by one.
  The network is a hierarchical topology, and each class of device has to sit in its particular place in it.
  Any change, such as adding application servers, also means configuration changes on the related network devices.

Slide 19: The ACI approach
Diagram: APIC cluster; L4-7 network services; ACI spine switches; ACI leaf switches; servers (virtual machines or physical servers).
  1) Application servers, whether web, middleware or database (VM or physical), attach to the ACI network.
  2) The ACI leaf switch (or the VMM, for example vCenter) detects that a device has attached and forwards the attachment information to the APIC.
  3) The APIC determines that the attached device is a web server and pushes the web application's policy and configuration to the leaf switch.

Slides 20-22: Define the policy
Define the application: web servers, middleware servers, database servers.
Define the network services: firewall, load balancing, intrusion detection (IDS/IPS).
Define the contracts:
  WEB_contract   Consumer: Outside EPG   Provider: Web EPG   Filter: TCP ports 80 and 443   Contract: use firewall NAT + SLB + SSL offload
  APP_contract   Consumer: Web EPG       Provider: App EPG   Filter: TCP port 8081          Contract: use firewall NAT, use SLB, copy packets to IDS/IPS
  DB_contract    Consumer: App EPG       Provider: DB EPG    Filter: TCP port 1433          Contract: use firewall + NAT, copy to IDS/IPS
Slide 20: ACI abstracts a logical model that supports deploying the application.
Slide 21: All of the policy is defined in the APIC.
Slide 22: The APIC pushes it down to the infrastructure as a whole. As rendered onto the fabric:
  Outside EPG -> Web EPG: TCP ports 80 and 443; use firewall NAT; use SLB + SSL offload
  Web EPG -> App EPG: TCP port 8081; use firewall NAT; use SLB; copy to IDS/IPS
  App EPG -> DB EPG: TCP port 1433; use firewall + NAT; copy to IDS/IPS

Slide 23: Application Network Profile: SLA, QoS, security, load balancing. An extensible scripting-language model, spanning hypervisors.

Slide 24: DNS
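The three contracts on slides 20-22, written out as an added example (not APIC's own code and not part of the original deck) so the security property behind them is explicit: between EPGs the fabric is an allow-list, and a flow without a matching consumer-to-provider contract and filter is dropped. The example renders the policy as an APIC-style object tree (the class and attribute names fvTenant, fvAp, fvAEPg, vzBrCP, vzSubj, vzFilter, vzEntry, fvRsProv, fvRsCons and vzRsSubjFiltAtt are the APIC REST model; the tenant name "foo" and application profile "ecommerce" are assumptions), then evaluates flows against it, including the slide-16 step of adding a web server, which in ACI is only a change of EPG membership. Simplifications, all assumptions of the example: "Outside" is modelled as an ordinary EPG where a real fabric would use an L3Out external EPG (class l3extInstP); service-graph insertion (firewall, SLB, copy to IDS/IPS) and the fabric's reverse-filter handling of return traffic are not modelled.

```python
import json
from typing import Dict, List, Optional, Set

# Filters from slides 20-22: filter name -> TCP destination ports.
FILTERS: Dict[str, List[int]] = {
    "web_ports": [80, 443],
    "app_port": [8081],
    "db_port": [1433],
}

# Contracts from the slides: the consumer EPG may open connections to the
# provider EPG, restricted to the filter. Service-graph insertion (FW/NAT,
# SLB, copy to IDS/IPS) is not modelled here.
CONTRACTS: Dict[str, Dict[str, str]] = {
    "WEB_contract": {"consumer": "Outside", "provider": "Web", "filter": "web_ports"},
    "APP_contract": {"consumer": "Web", "provider": "App", "filter": "app_port"},
    "DB_contract": {"consumer": "App", "provider": "DB", "filter": "db_port"},
}

# Endpoint classification, with the server IPs from the slide-15 configs.
# Anything not learned as a tenant endpoint is treated as "Outside".
ENDPOINTS: Dict[str, Set[str]] = {
    "Web": {"3.3.3.1", "3.3.3.2", "3.3.3.3"},
    "App": {"5.5.5.1", "5.5.5.2", "5.5.5.3"},
    "DB": {"7.7.7.7"},
}


def build_tenant(tenant: str = "foo", ap: str = "ecommerce") -> dict:
    """Render the policy as an APIC object tree, the shape of a POST body to
    /api/mo/uni.json. Tenant and application profile names are assumptions;
    "Outside" is simplified to an ordinary EPG (a real fabric would use an
    L3Out external EPG, class l3extInstP)."""
    children: List[dict] = []
    for fname, ports in FILTERS.items():
        entries = [{"vzEntry": {"attributes": {
            "name": f"tcp_{p}", "etherT": "ip", "prot": "tcp",
            "dFromPort": str(p), "dToPort": str(p)}}} for p in ports]
        children.append({"vzFilter": {"attributes": {"name": fname},
                                      "children": entries}})
    for cname, c in CONTRACTS.items():
        subj = {"vzSubj": {"attributes": {"name": "subj"}, "children": [
            {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": c["filter"]}}}]}}
        children.append({"vzBrCP": {"attributes": {"name": cname},
                                    "children": [subj]}})
    epgs: List[dict] = []
    for epg in ("Outside", "Web", "App", "DB"):
        rels: List[dict] = []
        for cname, c in CONTRACTS.items():
            if c["provider"] == epg:
                rels.append({"fvRsProv": {"attributes": {"tnVzBrCPName": cname}}})
            if c["consumer"] == epg:
                rels.append({"fvRsCons": {"attributes": {"tnVzBrCPName": cname}}})
        epgs.append({"fvAEPg": {"attributes": {"name": epg}, "children": rels}})
    children.append({"fvAp": {"attributes": {"name": ap}, "children": epgs}})
    return {"fvTenant": {"attributes": {"name": tenant}, "children": children}}


def epg_of(ip: str) -> str:
    """Classify an endpoint into its EPG (the leaf does this when it attaches)."""
    for epg, members in ENDPOINTS.items():
        if ip in members:
            return epg
    return "Outside"


def add_endpoint(epg: str, ip: str) -> None:
    """The slide-16 scale-out step in ACI terms: a new server joins an EPG.
    No contract, filter or per-device configuration changes."""
    ENDPOINTS.setdefault(epg, set()).add(ip)


def allowed(src_epg: str, dst_epg: str, proto: str, dport: int) -> Optional[str]:
    """Return the contract that permits src -> dst on proto/dport, or None.
    Between EPGs the fabric is an allow-list: no matching contract, no traffic.
    Within one EPG traffic is permitted by default (no intra-EPG isolation)."""
    if src_epg == dst_epg:
        return "intra-epg"
    for cname, c in CONTRACTS.items():
        if (c["consumer"], c["provider"]) != (src_epg, dst_epg):
            continue
        if proto == "tcp" and dport in FILTERS[c["filter"]]:
            return cname
    return None


def flow_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> Optional[str]:
    """Evaluate a concrete flow the way the leaf would: classify, then check contracts."""
    return allowed(epg_of(src_ip), epg_of(dst_ip), proto, dport)


if __name__ == "__main__":
    print(json.dumps(build_tenant(), indent=1)[:300], "...")
    print(flow_allowed("3.3.3.4", "5.5.5.2", "tcp", 8081))  # None: unknown host is Outside
    add_endpoint("Web", "3.3.3.4")                            # slide 16, in ACI terms
    print(flow_allowed("3.3.3.4", "5.5.5.2", "tcp", 8081))  # APP_contract
    print(flow_allowed("3.3.3.4", "7.7.7.7", "tcp", 1433))  # None: web never reaches DB
```

Two things worth noticing when running it. A web server can reach the app tier on 8081 but never the database on 1433, and the outside can reach nothing but 80/443 on the web tier, without any access-list having been written; the contracts are the ACLs. And before the new server is classified into the Web EPG it is just another "Outside" host with outside privileges, which is why endpoint classification (the attach event on slide 19) is itself a security-relevant step: a mis-classified endpoint inherits the wrong contracts.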