Contiv provides a higher level of networking abstraction for microservices: it provides built-in service discovery and service routing for scale out services, working with schedulers like Docker Swarm, Kubernetes, Mesos and Nomad. We will see some code examples, basic use cases and an easy tutorial on the web.

1. Cisco Contiv:
Network Policies for Microservices
Luca Relandini @lucarelandini
ROME 24-25 MARCH 2017

2. Introduction:
Microservices and Containers...
Though you already know them

3. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Containers and Microservices
container
Your code
Your startup scripts
Code dependencies
Should deploy with exactly
the same behavior on any
host/VM that can run
containers
Orders
Wishlist
Payment

4. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cloud Native
FROM
TO
Microservices - Impact on IT Operations
DevOps
Shared Responsibility
Common Incentives,
Tools, Process and Culture
Not My Problem
Separate Tools,
Varied Incentives, Opaque Process
Continuous Delivery
Release Early and Often
Higher Quality of Code
Release Once Every 6 Months
More Bugs in Production
Microservices
Loosely Coupled Components
Automated Deploy Without Waiting on Individual
Components
Tightly Coupled Components
Slow Deployment Cycles Waiting
on Integrated Tests Teams
Traditional IT

5. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Containers Help to Achieve Agile App Development
Stage/
Production
TestDevelopment
Version
Control
SysAdmin
QA/QEDeveloper
BRKDCT-2023 7
Different players in the game

6. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
8
But... There are Concerns in Containers Adoption
What slows an organization’s use of containers?
75% 71% 64% 62% 61%
Security Networking Performance Integration Management
Source: n= 124 to-date, IDC custom survey, study commissioned by Cisco
Need for production-grade infrastructure

7. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
HW Integration
Can not leverage performance
and security by natively
integrating with HW
Networking In The New Container World
Physical Network
HypervisorHypervisor
Physical Network
Virtual Switching or
Overlay Network
C1 Cn
Guest OS -
Bridged
Overlay Network - VXLAN
Physical Network
Hypervisor Hypervisor
Host 1 Host 2
Host 2Host 1
VM1
C1 Cn
Guest OS -
Bridged
VM2
C1 Cn
Guest OS -
Bridged
Overlay Network - VXLAN
C1 Cn
Guest OS -
Bridged
Connectivity
Network services, e.g.
Load balancer, Firewall
Performance
Encap over encap over encap
affects performance
VM1 VM2
9
Bare Metal VM Containers in VM

8. Container Networking Abstractions:
only 3 slides 

9. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
VM or BM
Basics of Container Networking
Minimally it provides:
- IP Connectivity in Container’s
Network Namespace
- IPAM, and Network Device
Creation (eth0)
- Route Advertisement or Host
NAT for external connectivity
Container
eth0
Container
eth0
Physical Network
Linux/Windows OS Networking
ensp0

10. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Container Network Model (CNM)
Docker Container
Endpoint
Network
Sandbox
Green Network
Docker Container
Endpoint
Network
Sandbox
Blue Network
• Proposed by Docker to provide
networking abstractions/API for container
networking
• Sandbox contains configuration of a
container's network stack (Linux network
namespace)
• An endpoint is a container's interface into
a network (veth pair)
• A network is collection of arbitrary
endpoints that can communicate with
each other
• A container can belong to multiple
endpoints (and therefore multiple
networks)
CNM provides Driver APIs for IPAM and
Endpoint creation/deletion
IPAM Driver APIs:
- Create/Delete Pool,
- Allocate/Free IP Address
Network Driver APIs:
- Network Create/Delete,
- Endpoint Create/Delete/Join/Leave
eth0 eth1

11. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Container Network Interface (CNI)
• Proposed by CoreOS as part of appc
specification, used also by Kubernetes
• Common interface between container run time
and network plugin
• Gives driver freedom to manipulate network
namespace
• Network described by JSON config
• Plugins support two commands:
- Add Container to Network
- Remove Container from Network
Container
Network
namespace
Driver
plumbing
Differences (from CNM):
- Gives Driver freedom to manipulate network namespace
- Provide Container Id, Params to drivers
- Just 2 API: Add Container to Network, Delete Container from Network

12. Introduction – Why Contiv?

13. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Today’s Infrastructure Needs
BRKDCT-2023
Mike, IT AdminSally, Dev/Test
1. Develop and test fast
2. Agility and Elasticity
3. Does not care about other users
1. Manage infrastructure
2. Stability and Security
3. Isolation and Compliance
Challenge: Conflicting goals and priorities

14. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 17BRKDCT-2023
How can we achieve these goals?
Key: Policy-based Container Networking
Declarative Tags (simpler)
Manage Groups instead of single objects (faster)

15. What is Contiv?

16. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Containerized Apps on Shared Infrastructure
Application
Intent
Compute Compute
Operational
Intent
Contiv Is an Open Source Solution to Define and
Enforce Distributed Policies Across Infrastructure
NETWORK
Compute

17. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Application Intent with Operation Intent
PLACEHOLDER
version: '2'
services:
web:
build: .
label:
- tier: web
volumes:
- .:/code
networks:
- front-tier
- back-tier
db:
image: mysql
App Intent
PLACEHOLDER
web:
environment: prod
networks:
security: -
allow ports: 5000, 443
bandwidth: 5gbps
lb selector:
- tier: web
db:
networks:
security:
allow ports: 3306 from web
Ops Intent (e.g. Contiv Intent*)
Operation Intent Provides Operational Requirements and Policies for Applications
* Shown in yaml for better visualization

18. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Contiv: How everything fits together
Operational Policy Management
Developer Operations
Application
Scheduler
Node 1 Node 2 Node-n
Contiv Distributed Policy Layer
...
Contiv Elements
Contiv UI/CLI/API to manage
and monitor policies/usage
Distributed policy enforcement for
network
Integration with physical
infrastructure
Integrated with popular
container schedulers
Contiv Automatically Integrates and Enforces Developer and Operations Policies

19. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
100% Open Source
The Most Powerful Container Networking Fabric
L2, L3, Overlay or ACI
Rich Policies
DevOps IT Admin
Any NetworkingAny Platform
Any Infrastructure
Application
Intent
Rich Policy Model
Declarative
Simple Install
GUI + CLI
LDAP/RBAC
Contiv

20. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Contiv Integration with Underlying DC Infrastructure
Application-Centric Infrastructure (ACI)
• Containers integrated with APIC policies
• Physical services integration
Nexus Standalone or Any Network
• VLAN handoff
• BGP interop (standard routing protocol)
Contiv Leverages Underlying Infrastructure Capabilities

21. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Introducing Contiv 1.0
What’s New:
LDAP+
RBAC
All New User
Experience
and Workflow
Kubernetes
1.4 Support
Docker 1.12
Support
OpenShift
Integration
Simple Install
1
Commercially
Supported Contiv
will be announced shortly
Cisco Advances
Services
Cisco Solutions
Support
100% Open Source at contiv.github.io

22. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Contiv’s Approach to Containers
Scale
Route and
Policy Distribution
Speed
Automated Scale-Out
Layer of Network
Flat Networks
High Performance
Application-Centric
Integrated with
App Blueprint
Shared Resources
Policies for
Resource Acquisition
Hybrid Cloud
Consistent Policies
Security
Tenant Isolation
Security Policies
Telemetry/Diagnostics
Application Statistics
Data Export
25

23. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Contiv Network Components
Contiv CLI/UI
Node 1
Contiv Agent
...Node 2
Contiv Agent
Node-n
Contiv Agent
Contiv Elements
Container networking for:
• Kubernetes, Mesos, Nomad, and Swam
Route distribution using BGP or JSON RPC
Custom OpenFlow pipeline for host networking
• Allows implementing various features (details later)
Exports data about: App connectivity, stats, peer
Distributed, cluster-wide function
Stateless: Useful in node failure/restart, upgrade
Implements cluster-wide network and policy
Manage global resources: IPAM, VLAN/VXLAN pools
Tools to manipulate Contiv objects
Implements CRUD using REST I/F
Expected to be used by infra/ops teams
RBAC
26

24. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Contiv Network
High-Level Architecture
Host-1
.…
Host Plug-In
Distributed
KV Store
Plug-In Logic
Contiv Host Agent
Host-n
Linux Host
Routing/Switching
To Physical Network
ARP/DNS
Responder
Service LB
Route Distribution
[ BGP | RPC ]
Container
Runtime
(e.g., Docker)
[ K8s| Swarm | Mesos | Nomad ]
Master-DBPolicy Engine
REST
Server
IPAM/
Res-Mgmt
HA
Heartbeat
Distributed
KV Store
[ Etcd | Consul ]
REST client (e.g. netctl)
API Calls to
External
Orchestration
Systems e.g,.
ACI, Schedulers
Health Monitoring
Contiv Master Cluster
.……
.…

25. Demo

26. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Tutorial on Docker and Contiv - do it yourself ;-)
A normal docker network (without Contiv) looks like it:
It’s online at http://contiv.github.io

27. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 32Presentation ID

28. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
33Presentation ID
Let’s create a Contiv network

29. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
How Docker sees a Contiv network
Let’s attach a new container to the new network:

30. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
35Presentation ID
Networks are isolated
Let’s create one more container on contiv-net:
We have many containers now (contiv-c1 and contiv-c5 are on the same network):
Ping works here
(same if the container is
on a different host/VM)
Ping does not work here

31. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Tenants in Contiv
Two different networks, they don’t communicate
Tenants are isolated worlds, to avoid conflicts.
They have separate namespaces for resources.

32. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 37Presentation ID
Applying policies between containers with Contiv
Contiv provide a way to apply isolation policies between containers groups
(regardless of the tenants, eventually within the tenants).
For this, we create a simple policy called db-policy, and add some rules to it to
define which ports are allowed.

33. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Policies are applied among Groups
Finally, we associate the policy with a group (a group is an arbitrary collection of
containers, e.g. a tier for a microservice) and then run some containers that
belong to db group
Let’s create two more containers:
The policy db-policy (ports open and closed) is applied to all the 3 containers:
Managing many end points as a single object makes it easy and fast, think about
auto-scaling (especially when integrated with Swarm, Kubernetes, etc.)

34. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Contiv is Microservices Ready
• Support for grouping Applications
• Allows scale-out instances of container applications to be grouped together
• Policies specified on a micro-service tier, rather than individual container workloads
• Efficient forwarding between Microservice tiers
• Allows a fixed (DNS published) VIP for a micro-service
• Containers within the micro-services can come and go
• Their IP addresses are mapped to the service IP for east-west traffic
• Eliminates single point of forwarding (proxy) between micro-service tiers
• Application visibility at service levels (across the cluster)
Web
Group
App
Group
DB
Group
Allow grouping of
containers/pods
Specify Policies
between groups
or from outside
the network

35. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Elements of Contiv Networking
Cluster-wide Connectivity
Truly Multi-tenant
Network Isolation
Traffic Prioritization
App-Composers Integrated
Network Monitoring
Scalable
Physical Network Integration: ACI | Nexus Standalone
Micro Services Ready
Leverages NIC
IPAM, Service Discovery
Contiv
Networking
High Throughput

36. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Contiv Value Proposition

37. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Go and test it (easy!): http://contiv.github.io
Contiv releases - github.com/contiv/install/releases
Documents - contiv.github.io
Join Contiv Slack - contiv.herokuapp.com
Contiv Blogs - blogs.cisco.com/tag/contiv
Recorded demo - https://www.youtube.com/watch?v=55s4wAVbTM4
Cisco DevNet community - https://developer.cisco.com/site/contiv/videos/index.gsp
Contiv on Docker Store - https://store.docker.com/plugins/803eecee-0780-401a-a454-
e9523ccf86b3?tab=description