Policy-based Infrastructure Provisioning for RecoverPoint with Cisco ACI
Carly Stoughton – Cisco Technical Marketing Engineer
Thomas Scheibe – Cisco Senior Director Product Management
Agenda
§ Group-Based Policy Concept in Cisco ACI
§ Integration of RecoverPoint for VMs and Cisco ACI
§ ACI Security/Compliance Properties
Enable the Cloud
[Figure: timeline with the years 2008, 2009 and 2014 and the stages Consolidation, Virtualization and Automation, leading to "Enabling the Cloud". Labels: LAN, SAN, Network, Compute, Storage, Access Network, Apps, Policy, Today, Cisco ACI. Caption: RAPID APPLICATION EVOLUTION]
Vision: Scale, Security and Full Visibility
Enabled by physical and virtual integration
[Figure labels: Physical Networking; Compute; L4–L7 Services; Storage; Hypervisors and Virtual Networking; Multi DC WAN and Cloud; Tenant; Application]
Automation through Policy
Physical, Virtual and Containers
Open, Standards and Embedded Security
The Problem
Challenges attempting to automate network configurations
•  Provisioning models are built around the device
•  Build separate networks for the apps for policy, visibility, and security
•  Legacy network security limits our ability to implement policy with mobility & cloud
[Figure labels: WEB, APP, DB, ADC, F/W, MGMT; Data Applications, Infrastructure Applications, Management Applications; VMOTION, DNS]
Group Based Policy Model
Define Once – Deploy Consistently
COMPONENTS OF A Group Based Policy
Endpoint Group: A set of endpoints (VMs/servers) with the same policy
Contracts: A set of rules governing communication between endpoint groups
Service Chains: A set of network services between endpoint groups
[Figure labels: OUTSIDE, WEB, APP, DB, CRM, ADC, F/W, Contract]
Context-Aware Segmentation
Dynamic Content
User and Devices
Resources and Demands
Marking Traffic with Consistent Policy Context (Device, Group, Role) Immune to Network Changes
Abstracted Policy
Business Policy
Distributed Enforcement
End Point Group Tag
Group-Based Policy And OpenStack
OpenStack extensions on top of Neutron exposing a policy API
[Figure labels: Group Policy; Group Policy Plugin; Neutron Networking; OVS Driver; APIC Group Driver; Contract; WEB, APP, DB; ADC, F/W; Web, App and DB endpoints on three hypervisors]
RecoverPoint for VMs & ACI - Objective
§  Automate network policies – define once/deploy consistently
§  Pre-configure four network instances on the VMware vSphere ESXi Servers where RecoverPoint for VMs will be installed
–  LAN Network
–  WAN Network
–  iSCSI1 & iSCSI2 Network
§  Associate the four RecoverPoint for VMs network interfaces (i.e., LAN Interface, WAN Interface, iSCSI1 Interface and iSCSI2 Interface) to the pre-configured network instances
Assumptions
§  VMware ESXi has been installed on the servers that will be used for RecoverPoint for VMs and that all servers have been assigned an IP Address
§  The “VM Network” shown in the logical topology has been created.
§  VMware vCenter server has been installed and all servers (single or multiple vCenter instances are possible)
§  Cisco ACI has been physically installed and all leaf switches have been initialized and are visible in the APIC Fabric Topology view.
§  Servers running VMware ESXi have been physically cabled to the Cisco ACI leaf switches as shown in the physical topology diagram.
Logical Topology View
Physical Topology View
Overview of Configuration Steps
1. ACI Configuration
§  a. Configure Fabric
§  b. Add VMware vCenter to APIC
§  c. Verify connectivity
2. VMware vCenter Configuration
§  a. Configure the Distributed vSwitch in vCenter
3. Tenant (RP4VM network) Configuration
§  a. Create the RP4VM Networks via APIC
§  b. Modify iSCSI Port Groups to allow iSCSI via VMware vCenter
§  c. Configure vmknics and attach to iSCSI Port Groups via VMware vCenter
§  d. Install RP4VM Appliance via VMware vCenter
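An added example, not from the original deck: step 3a (creating the four RP4VM networks via APIC) written as an APIC REST payload, with an audit pass that checks each EPG has its own bridge domain and a VMM domain binding. The tenant, VRF, application profile and VMM domain names, and the one-bridge-domain-per-network layout, are assumptions.

```python
import json

# Hypothetical names; the deck gives only the four network roles.
TENANT, VRF, APP, VMM_DOMAIN = "RP4VM", "rp4vm-vrf", "rp4vm-ap", "rp4vm-dvs"
NETWORKS = ["LAN", "WAN", "iSCSI1", "iSCSI2"]

def mo(cls, attrs, children=()):
    """Wrap one managed object in the APIC REST JSON envelope."""
    return {cls: {"attributes": attrs, "children": list(children)}}

def build_tenant(networks=NETWORKS):
    """Tenant with one bridge domain and one EPG per RP4VM network (assumed layout)."""
    bds = [mo("fvBD", {"name": f"{n}-bd"},
              [mo("fvRsCtx", {"tnFvCtxName": VRF})]) for n in networks]
    epgs = [mo("fvAEPg", {"name": f"{n}-epg"}, [
                mo("fvRsBd", {"tnFvBDName": f"{n}-bd"}),
                # The VMM domain binding is what makes APIC push a port group to vCenter.
                mo("fvRsDomAtt", {"tDn": f"uni/vmmp-VMware/dom-{VMM_DOMAIN}"}),
            ]) for n in networks]
    return mo("fvTenant", {"name": TENANT},
              [mo("fvCtx", {"name": VRF}), *bds, mo("fvAp", {"name": APP}, epgs)])

def audit(payload):
    """Map each EPG to its bridge domain, VMM domain and contracts; list findings."""
    tenant = payload["fvTenant"]["children"]
    known_bds = {c["fvBD"]["attributes"]["name"] for c in tenant if "fvBD" in c}
    report, findings, bd_owner = {}, [], {}
    for ap in (c["fvAp"] for c in tenant if "fvAp" in c):
        for epg in (c["fvAEPg"] for c in ap["children"] if "fvAEPg" in c):
            name = epg["attributes"]["name"]
            rels = [(cls, body["attributes"]) for ch in epg["children"] for cls, body in ch.items()]
            bd = next((a["tnFvBDName"] for c, a in rels if c == "fvRsBd"), None)
            vmm = next((a["tDn"] for c, a in rels if c == "fvRsDomAtt"), None)
            contracts = [a["tnVzBrCPName"] for c, a in rels if c in ("fvRsProv", "fvRsCons")]
            report[name] = {"bd": bd, "vmm": vmm, "contracts": contracts}
            if bd not in known_bds:
                findings.append(f"{name}: bridge domain {bd!r} is not defined in the tenant")
            elif bd in bd_owner:
                findings.append(f"{name}: shares bridge domain {bd} with {bd_owner[bd]}")
            bd_owner.setdefault(bd, name)
            if vmm is None:
                findings.append(f"{name}: no VMM domain, so no port group reaches vCenter")
    return report, findings

if __name__ == "__main__":
    payload = build_tenant()
    print(json.dumps(payload, indent=2))  # request body for POST /api/mo/uni.json on the APIC
    print(audit(payload)[1])
```

Running the audit on the payload before it is posted, and again on what the APIC returns for the tenant, catches drift such as two storage networks collapsed onto one bridge domain.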
Security: P+V = C
•  VIRTUALIZATION CENTRIC: No Physical Support, Limited Visibility, Management Complexity
•  APPLICATION CENTRIC: Any workload and any place, Full Visibility, Automated
•  PERIMETER CENTRIC: Manual and Complex, Error-Prone, Static Topology, Limited Places
PCI Compliant Network with Cisco ACI
•  Simplifies audit based on higher level policy
•  Secure network segmentation and isolation
•  Defense in depth with advanced L4-7 security (NGFW, IDS/IPS, DDoS) integration
•  Centralized Auditing and Security Monitoring
[Figure labels: SECURE NETWORK ACCESS CONTROL SECURITY POLICY CENTRALIZED AUDIT MONITORING ACCESS]
Vblock Systems with ACI
Further extend IT agility
ACI-READY: VBLOCK SYSTEMS WITH ACI-READY NEXUS 9000
• Policy management enhances operational simplicity
• Use policies to accelerate network configuration
• ACI further reduces risk through policy automation
Vblock™ 340 and Vblock™ 720 Converged Infrastructure

Cisco ACI Main Session EMC World 2015
