
Container Networking with Contiv


Chris Gascoigne

July 06, 2017

Transcript

  1. Agenda (© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential)

     • Container networking introduction
     • CNM
     • CNI
     • Cisco Contiv
  2. Container Networking Model (CNM)

     • Proposed by Docker
     • Used by Docker Engine, Swarm, Compose, etc.
     • Driver APIs for IPAM and for Networks
  3. libnetwork (BRKCLD-2022, slide 4)

     Docker Engine sits on top of Libnetwork (CNM), which exposes two driver families plus IPAM:
     • Native drivers: none, bridge, overlay, macvlan
     • Remote drivers: Contiv, Calico, Weave, …
     Libnetwork also provides: Service Discovery, Distributed Key Value Store, IP Address Mgmt, Gossip Protocol, Encryption
     "batteries included, but removable"
  4. Built-in network drivers

     Driver  | Model
     --------|------------------------------------------------------
     Bridge  | Host-only bridge; NAT to expose services
     Host    | Host network namespace; all containers use the same interfaces
     Overlay | VXLAN encapsulation; Docker control plane
     MACVLAN | IP per container; no NAT, no encapsulation
  5. Docker Bridge Driver

     [Diagram: the container's network namespace (ns) holds eth0; a veth pair joins eth0 to vethXXX, which is attached to the docker0 bridge on the host.]
  6. Container Networking Interface (CNI)

     • Proposed by CoreOS
     • Used by Kubernetes
     • No separate IPAM driver
  7. Networking challenges for containers
  8. Networking in the new container world

     [Diagram: Physical Network → Hypervisor → Host 1 / Host 2 → VM1 / VM2 → containers C1…Cn on a bridged Guest OS, joined by a VXLAN overlay network.]
     • HW Integration: cannot leverage performance and security by natively integrating with HW
     • Connectivity: network services, e.g. load balancer, firewall
     • Performance: encap over encap over encap suffers in performance
  9. Cisco Contiv

     • 100% Open Source
     • The Most Powerful Container Networking Fabric: L2, L3, Overlay or ACI
     • Rich Policies, for DevOps and IT Admin
     • Any Networking, Any Platform, Any Infrastructure
     • Application Intent, Rich Policy, Declarative
     • Simple Install, GUI + CLI, LDAP/RBAC
  10. Production-Grade Network and Security Policies

     • Multi-Tenant, Multi-Host Network Connectivity
     • Network Security and Isolation (White/Black List Rules)
     • Traffic Prioritization and Bandwidth Allocation
     • Network Monitoring (Live Connectivity Graphs and Stats)
     • Integration with External Network (Cloud | Nexus | Cisco ACI)
     • Micro-Services Load Balancing
     • Integrated IPAM, Service Discovery
     • Performance and Scale
     Available at https://github.com/contiv/netplugin
  11. Contiv Architecture

     [Diagram: Operational Policy Management (Developer, Operations) and the Application Scheduler feed the Contiv Distributed Policy Layer, which spans Node 1, Node 2 … Node-n.]
     Contiv Elements:
     • Contiv UI to manage/monitor policies and usage
     • Distributed policy enforcement for compute, network, and storage
     • Integration with physical infrastructure
     • Integrated with popular container schedulers
     Contiv Automatically Integrates and Enforces Developer and Operations Policies
  12. What is Policy?

     Connectivity, Security, QoS, L4-7 Services
     [Diagram: Application Network Profile with groups OUTSIDE → WEB → APP → DB joined by Contracts; ADC and F/W services sit between the tiers.]
     What is a group policy? An API to capture user intent.
     1. Group: A set of VMs / servers with the same policy
     2. Contracts: A set of rules governing communication between groups
     3. Service Chains: A set of network services between groups
  13. Scaling Policy

     http://contiv.github.io/articles/2016/03/06/scaling-microservices.html
  14. Container Networking Approaches: L3 Routed (TECDCT-2020, slide 20)

     [Diagram: Host A, Host B and Host C each have a docker0 bridge with its own subnet (10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24); the host holds .1 on each bridge and containers take addresses such as .2, .3, .4, .5, .11; the hosts exchange the subnets over BGP.]
  15. Container Networking Approaches: Layer 2 (TECDCT-2020, slide 21)
  16. Container Networking Approaches: VXLAN Overlay (TECDCT-2020, slide 22)

     [Diagram: Host A, Host B and Host C each have a gwbridge; the hosts' VTEPs (e.g. 10.5.5.4 and 10.5.5.5) carry the VXLAN tunnels between them.]
  17. ACI Policy

     [Diagram: groups Outside → Web → App → DB on the ACI Fabric, managed by the Application Policy Infrastructure Controller (APIC); the contracts between the tiers carry 80/tcp, 8080/tcp and 1433/tcp.]
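The group/contract model from slides 12 and 17, worked as an added example (not Contiv or ACI code): groups are address sets, contracts are whitelist rules between a consumer and a provider group, everything else is denied, and an explicit blacklist rule (slide 10) wins over any allow. The group prefixes and the port-to-tier mapping (Outside→Web 80, Web→App 8080, App→DB 1433) are assumptions; the slide lists the ports without the mapping.

```python
"""Group-policy evaluator for the Outside -> Web -> App -> DB profile.
Added example; not Contiv's or ACI's own implementation.
Assumed mapping: Outside->Web 80/tcp, Web->App 8080/tcp, App->DB 1433/tcp."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    src: str                # consumer group
    dst: str                # provider group
    proto: str
    port: int
    action: str = "allow"   # "allow" = whitelist entry, "deny" = blacklist entry


# Groups: endpoints that share one policy. Constructed sample prefixes;
# "outside" is the /0 catch-all for anything not in a known tier.
GROUPS = {
    "outside": ipaddress.ip_network("0.0.0.0/0"),
    "web": ipaddress.ip_network("10.1.1.0/24"),
    "app": ipaddress.ip_network("10.1.2.0/24"),
    "db": ipaddress.ip_network("10.1.3.0/24"),
}

# Contracts: the only flows the profile permits, plus one explicit blacklist
# rule that records the intent "web must never reach the database directly".
CONTRACTS = [
    Rule("outside", "web", "tcp", 80),
    Rule("web", "app", "tcp", 8080),
    Rule("app", "db", "tcp", 1433),
    Rule("web", "db", "tcp", 1433, action="deny"),
]


def group_of(ip):
    """Return the most specific group whose prefix contains ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in GROUPS.items():
        if addr in net and (best is None or net.prefixlen > GROUPS[best].prefixlen):
            best = name
    return best


def evaluate(src_ip, dst_ip, proto, port, rules=CONTRACTS):
    """Default deny; a matching deny rule overrides any matching allow."""
    src, dst = group_of(src_ip), group_of(dst_ip)
    decision = "deny"
    for r in rules:
        if (r.src, r.dst, r.proto, r.port) == (src, dst, proto, port):
            if r.action == "deny":
                return "deny"
            decision = "allow"
    return decision
```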
  18. Container Networking Approaches: ACI Fabric Integration (TECDCT-2020, slide 25)

     [Diagram: Host A, Host B and Host C each attach to net1, with the host at .1 and containers at .2, .3, .4, .5, .11.]
     Policy Defined Secure Connectivity with ACI Application Profiles
  19. Contiv Network Integration Choices (TECDCT-2020, slide 26)

     Criterion                          | Cloud              | L2+                | L3 Native  | L3 EVPN Overlays                       | Cisco ACI
     -----------------------------------|--------------------|--------------------|------------|----------------------------------------|-----------
     Every container needs external access | No Additional IPs | As many IPs      | As many IPs | As many IPs                           | As many IPs
     Scale (#Containers)                | Very High          | High               | Very High  | High                                   | Very High
     Multi-Destination Traffic          | No                 | Yes                | No         | No                                     | Yes
     Performance (throughput/latency)   | Not Good           | Very Good          | Good       | Not Good (Host VTEP); Leaf VTEP is good | Very Good
     Automated Multi-tenancy            | Yes                | No                 | No         | Yes                                    | Yes
     Ease of External Access            | Not Good           | Good               | Good       | Good                                   | Good
     Greenfield Deployment              | Not Good           | OK                 | Good       | Good                                   | Good
     Scale (#Nodes)                     | OK                 | Not Good           | Very Good  | Will need BGP RR                       | Very Good
     Favorable Physical Topology        | All Look Same      | Access/Aggregation | L3 CLOS    | L3 Underlay + VXLAN overlay            | ACI
  20. Docker Certified Plugin

     https://store.docker.com/plugins/contiv
  21. Summary

     • Use the network model that suits the infrastructure
     • Contiv provides flexibility on the network side with consistency on the application side
     • References:
       • https://github.com/contiv/netplugin
       • https://github.com/contiv/install