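"Enabling Cloud Services at the Edge with App Hosting on Catalyst 9000.pdf" was shared by a member and can be read online. For more related material on "Enabling Cloud Services at the Edge with App Hosting on Catalyst 9000.pdf" (69 pages), search on 三个皮匠报告.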
#CiscoLive

Enabling Cloud Services at the edge with App Hosting on Catalyst 9000
Sai Zeya, Technical Marketing Engineer
BRKENS-1090
2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Webex App
Questions? Use Cisco Webex App to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space
Webex spaces will be moderated by the speaker until June 9, 2023.
https:/

Agenda
- Introduction
- App Hosting Use Cases
- App Hosting Infra
- App Lifecycle Management
- App Hosting Features
- Conclusion

Catalyst 9000 Today
Enables hosting docker containers and 3rd party apps
- x86 CPU
- Linux-based OS
- Memory/Storage
- Networking

Catalyst 9000 Application Hosting Infra
[Diagram: Enterprise Application, Docker Container, Docker Container, Cisco Application Framework (IOx), IOS XE, Cisco IOS XE Kernel, Cisco DNA Advantage]

New strategic capabilities with App Hosting on C9K Switches
- IT Operations and Monitoring Tools
- Customer Specific Applications
- Cloud Gateways with Serverless Edge Compute
- Security Agents and Functions
Consolidate Physical Infrastructure: Existing Hardware, Managed via CLI or DNA-C
Enhance Visibility & Security Enforcement: Cybervision, ASAc
Reduce App Latency & Optimize App Traffic: Lower Latency, Save Bandwidth, Real Time Processing
3rd Party App Hosting: Rich ecosystem partnership with 25+ certified apps and 200+ active customer

ThousandEyes

Service Assurance is beyond the enterprise domain
Use cases for ThousandEyes Enterprise Agent
1. Overlay/underlay network performance
2. Campus/DC/branch to SaaS
3. Campus/DC to cloud IaaS
[Diagram: Branch, Internet, Campus, ThousandEyes Enterprise Agent, SaaS apps, Office 365]

ThousandEyes now included with Cisco DNA licenses
New and existing Catalyst 9000 switches now include ThousandEyes service assurance
- Run ThousandEyes agent natively on flash of 9300/9400 switches
- Out of the box access to ThousandEyes for new switches
- Includes 22 x ThousandEyes Units for a month
- Pool entitled test capacity to deploy anywhere within your network
- License to ThousandEyes SaaS-based management platform
- Access to Dashboards, alerts and reporting tools
App hosting: no extra hardware
Data Visualization*
Choose from a menu of several networking, web and voice tests
Browser-based tests need the use of SSD and consume more ThousandEyes units
DNA subscription benefits (DNA Essentials, DNA Advantage, DNA Premier): Application experience, Campus connectivity, Modern WAN

Service Assurance from Catalyst 9000
Lightweight docker based agent easily installed on C9K switches
ThousandEyes Enterprise Agent

Agent installed in Flash
Tests included:
- Web: HTTP Server, FTP Server
- DNS: DNS Server, DNS Trace, DNSSEC
- Network: Agent to Agent, Agent to Server
- Voice: SIP Server, RTP Stream, Voice Call

Agent installed in SSD
Tests included:
- Web: HTTP Server, FTP Server
- DNS: DNS Server, DNS Trace, DNSSEC
- Network: Agent to Agent, Agent to Server
- Voice: SIP Server, RTP Stream, Voice Call
- BrowserBot: Page load & Transaction (IOS-XE 17.6.1 required)

Multiple Interfaces with ThousandEyes
[Screenshots: ThousandEyes Dashboard View, App Traffic View]

ASAc Firewall

Industry Trends Driving the need for Distributed Firewall Architectures

Industry 4.0: OT to leverage the power of IT & cloud
Digital Transformation and Smart Manufacturing have accelerated the convergence of IT & OT domains in the process industry

Smart Building / Consumer IoT: Proliferation of IoT
Increased presence of IoT in IT Networks: HVAC, lighting, alarms, and security converge into a single IT managed network infrastructure to build smarter and safer workspaces

IT at constant risk due to OT vulnerabilities
- OT Endpoints have limited security & crypto capabilities, prone to hacks
- Perimeter Security ineffective with APT
1. Initial Compromise
2. Malware Propagation
3. Botnet creation / Privilege Escalation
4. DDoS Attack / Data Exfiltration
Need for Stateful Inspection of IoT traffic at the Edge
[Diagram: IT, OT]

ASAc Firewall hosted on C9K Switches
Bringing Cisco EN and Security solutions together for improved Operations

Use Case
- Stateful inspection of OT traffic at the Edge
- No need of Physical Firewall
- No need to change network architecture
- No waste of network bandwidth
- Automation to scale operations

Cisco DNA-Center: App Lifecycle Management
- App Deployment
- App Lifecycle Management
- Networking to App

CDO (Cisco Defense Orchestrator): Security Policy Management
- Deploy & Manage sec policies
- Config and Audit logging
- Meets needs of Compliance & Sec audits

Cisco Secure Firewall ASAc
- Powerful Stateful Inspection Firewall
- Separation of SecOps and NetOps
- L3 Firewall (Routed Mode only)
- Support for SGT
- 100M-300M (IMIX) ASAc Throughput for IT & OT Convergence
[Diagram: Catalyst 9300X/9300/9300L, OT endpoint, IT endpoint]

Codilime App

Codilime: IPsec delivered via App-Hosting
Cisco IOS XE 17.10
- IPsec VPN Application hosted on Cat9k
- Runs in Docker container
- Interactive Web UI for IPsec config
- HW & SW IPsec: C9300X
- SW IPsec: C9300/9300L
- Will be available on Cisco DEVNET
Security: IPsec IKEv2; Authentication using PSK or x509
Protocol Support: VRF Aware; NAT-T
Automation: YANG model with REST API
Interoperability: AWS, GCP, Azure; Cisco Umbrella, Zscaler; C8K, ISR/ASR, Juniper
App Resources:
- Memory (RAM): 409 MB
- Disk (SSD): 10 MB
- CPU: 1480 units
- CPU-percent: 20% of 1 Core
[Diagram: Catalyst 9300X/9300/9300L, Branch/DC/HQ]

Application Design
[Diagram: C9300/L/X hosting the App with eth0, eth1, eth2; GigabitEthernet0/0 Management Interface; AppGigabitEthernet1/0/1; Interface Vlan GW; WEB Server; IPsec tunnel; IPsec encryption; Path to Internet; Cisco Umbrella Cloud; Windows Client Machine]
- Interface through which encrypted traffic travels
- Interface used to talk to all users on different VLANs

IoT Gateway App

Catalyst 9K expands value for Smart buildings
Next: DNA-spaces gateway for Catalyst 9K will expand outcomes
New use cases:
- Sustainable buildings
- Employee health & Safety
- Productivity Improvement
- Building Analytics
Unified Marketplace:
- Largest choice of IoT devices
- Unmatched solution scale
- Cisco validated
Lower TCO:
- Automated workflows
- No vendor lock-ins
- Cloud based as-a-service
[Diagram: DNA-spaces Gateway for C9K, BLE sensors, PoE sensors, Application partners, Catalyst 9K]
*Source: Cisco Smart building TCO calculator

Use Cases (GA)
- User Experience
- Safety & Compliance
- Real Estate Utilization
- Automation & Optimization
- Density Triggers
- Device/People Counting
- Environmental Monitoring & Asset location
- Conference Room Booking
[Diagram: Cisco Spaces, Cisco Catalyst 9K, Cisco Catalyst Wireless LAN Controller, POE sensors/HVAC, PoE lights & Sensors]

Indoor IoT Services Overview
Cisco Spaces cloud
- IoT Market place and Partner Apps
- Firehose API
Cisco Spaces Connector
- Interfaces between Cisco Spaces Cloud & on prem devices
- Collects sensor data
Catalyst 9300/9400
- UPOE/UPOE+ Connectivity
- IoT GW App
PoE Sensors
- Wired PoE Sensors
- Powered by UPOE/UPOE+ port on the switch
[Diagram: IoT Gateway on C9K, PoE sensors, Application partners, Firehose API]

Indoor IoT Services with IoT Gateway App
[Diagram: Wired Endpoints (Vendor Wired Sensor, Vendor PoE node), Catalyst Switch (IOX APP), Cisco Spaces Connector, Cisco Spaces and Partners; On-Prem, Cloud; ERSPAN, Netconf, TDL, gRPC]
- Traffic between the sensors, including telemetry, will be sent to the IoT Gateway (IOX App) using ERSPAN
- The gateway encodes and sends IoT Wired Telemetry data to connector which forwards the telemetry to the cloud
- Cisco Spaces processes the wired telemetry and Firehose API sends the data to needed partner apps to enable outcomes

Cyber Vision App

Cisco Cyber Vision
Visibility & detection built into your network infrastructure
Monitoring at the edge:
- Cyber Vision Sensors embedded into industrial network equipment
- No additional hardware needed
- No need for an out-of-band monitoring network
- No impact on performance
The Cisco industrial network lets you see everything that connects to it
[Diagram: Sensors in the ICS network send Application-Flow (Lightweight Metadata) to Cyber Vision Center]

Cyber Vision architecture
Other solutions: SPAN based solutions incur huge additional hidden costs during deployment
- Visibility to access layer requires cost prohibitive cable drops
- SPAN collection requires new expensive out-of-band monitoring network
Network-Sensors eliminate the need for SPAN
- The application-flow is streamed through existing network enabling lowest TCO
- Hardware-sensor to support brownfield only requires one-hop SPAN
[Diagram: Cyber Vision Center, Sensors, Application-Flow (Lightweight Metadata), IC3000, IE3400, Non-Cisco Switches, ICS Network, Purdue level 3, Purdue level 2, Purdue level 0-1; for other solutions: Expensive SPAN cabling, Out-of-Band SPAN collection network, Massive increase in traffic due to SPAN]

Catalyst 9000 deployment
- Leverages ERSPAN to receive traffic from switch
- Supports up to 30000 pps
- Catalyst 9300, 9400, 9500 and 9600 (must support application hosting)
- Requires SSD
- Can be deployed as access, aggregation, core or as an out of band span aggregation sensor
[Diagram: ISA3000 firewall, Sensor, IE switch, HMI, PLC/RTU/IED, Catalyst 9300, Aggregation]

DNS, DHCP, & IPAM (DDI)

Making Network Edge more Intelligent
Scale and reliably deliver DHCP, DNS, and IPAM (DDI) services when you need them
Capabilities:
- Distributed model with centralized cloud control
- DevOps Ready Framework
- Granular control over DDI services
- Deployment on Scale with Cisco DNA Center
[Diagram: Access devices, DHCP Agent, DNS Agent, Users]

NS1 DDI Architecture
[Diagram: Campus, Branch]

Catalyst enabled DDI aaService with NS1
Scale and reliably deliver DDI services
[Diagram: Campus, Cloud/Data Center]

Resource type   Catalyst 9300/L            Catalyst 9300X        Catalyst 9400
Memory          2GB                        8GB                   up to 8GB
CPU             1 core (25%)               2 core (25%)          1 core (25%)
Storage         120/240 GB (USB3.0/SSD)    240GB (USB3.0/SSD)    240-960GB (SATA)

- Can individually host DNS and DHCP containers in C9300 and C9400
- Other DDI containers can flexibly be hosted on a server or in the cloud
NS1 Enterprise DDI Installation Guide

NS1 deployment on C9K
- Flexible Deployments via Cisco DNA-C/CLI/WebUI
- One Container per C9K switch
- IP reachability is required for Control Services Containers
- Integrated into Cisco's Umbrella Architecture
- Already on the Global Price List
Docker run options:
DNS Container:
    -v $(APP_DATA):/data -p 3301:3300 -p 53:53/udp -p 53:53/tcp -e CONFIG_PORT=3301 -core_host=x.x.x.x
DHCP Container:
    -v $(APP_DATA):/data -p 67:67/udp -e CONFIG_PORT=3300 -core_host=x.x.x.x -service_def_id=2
For more details: https:/

Validated Apps - DevNet Eco System Exchange
Cisco will not provide any support to third-party apps and open source apps unless specifically called out. Such apps, however, will be validated for compatibility on Cisco Catalyst 9000 switches. DevNet ecosystem will indicate the partners who have worked on Cisco Catalyst 9000 switches.
Open source apps shown: ISC DHCP Server, tshark, iPerf
More: DevNet Eco System Exchange

App Hosting Infra

HW resources for App Hosting
Platform columns: Catalyst 9300, Catalyst 9300-X, Catalyst 9400, Catalyst 9400-X, Catalyst 9500, Catalyst 9500-X, Catalyst 9600, Catalyst 9600-X
Row values, in the order they appear on the slide:
Networking, AppGig Port: 1x1G, 2x10G, 2x10G, 1x1G, 2x10G, 2x10G, Mgmt Port*, 2x10G, 2x10G, Mgmt Port*, Mgmt Port* (2x10G CPU ports)
Resources, Memory: 2GB, 8GB, 8GB, 8GB, 8GB, 8GB, 8GB, 8GB, 8GB
Resources, CPU: 1 core, 2 core, 2 core, 1 core, 1 core, 1 core, 1 core, 1 core, 1 core
Resources, Storage: 240GB (USB3.0/SSD), 240GB (USB3.0/SSD), 480-960GB (SATA), 480-960GB (SATA), 480-960GB (SATA), 480-960GB (SATA), 480-960GB (SATA), 480-960GB (SATA)
Storage modules:
- Catalyst 9300-X: USB 3.0, 240GB, back panel
- Catalyst 9400-X: M2 SATA, 480/960GB, plug into removable SUP
- Catalyst 9500-X: M2 SATA, 480/960GB, back panel
- Catalyst 9600-X: M2 SATA, 480/960GB, plug into removable SUP
*Using loopback with any external ports

AppGigEthernet Port
What is AppGigEthernet Port?
- An internal hardware data port which is hardware-switched to the front-panel data ports.
- Introduced on Catalyst 9300 Series switches with Cisco IOS XE 16.12.1 release and Catalyst 9400 with Cisco IOS XE 17.1.1 release.
[Diagram: Docker container Eth0/Eth1, AppGigEthernet 1/0/1 (1G), Trunk 10,20]

Multiple AppGigEthernet Interface with C9000X
- Use 2x 10G AppGig port individually
- EtherChannel is not supported
- Mixed stack with 9300 switches will disable AppGigEthernet 1/0/2
[Diagram: Docker container Eth0/Eth1, AppGigEthernet 1/0/1 (10G) Trunk/Access 10, AppGigEthernet 1/0/2 (10G) Trunk/Access 20]

Application Hosting support on Catalyst 9410 Sup 1
- No extra physical port available on ASIC1 Core 0 to service the AppGig port (Sup1 only)
- Enabling AppGig port by disabling Slot 4 port 48
- 24-port line cards in Slot 4 don't require disabling the port
- Sup 2 doesn't have this limitation
Config:
    Interface AppGigEthernet 1/0/1
     enable
[Diagram: CPU (IOS, APPS, Mgmt-Bridge), Mgmt Port (Gi0/0), Datapath ASIC, AppGigEthernet Port AppGigabitEthernet1/0/1, Slot 4 Line Card]

Application Hosting on C9500H Using Front Panel Port (IOS-XE 17.5.1)
[Diagram: IOS, APPS, Mgmt-Bridge, Mgmt Port (Gi0/0), External Connection, Datapath ASIC]
Config:
    app-hosting appid
     app-vnic AppGigabitEthernet port 0 trunk
      vlan 101 guest-interface 0
       guest-ipaddress 100.1.1.252 netmask 255.255.255.0
     app-default-gateway 100.1.1.251 guest-interface 0
     app-resource docker
      run-opts 1 "-v $(APP_DATA):/data"
     name-server0 25.25.25.25

    Interface HundredGigE1/0/x
     switchport mode trunk

Application Hosting on C9600 Using Front Panel Port (IOS-XE 17.5.1)
[Diagram: IOS, APPS, Mgmt-Bridge, Mgmt Port (Gi0/0) or (Ten 0/1), External Connection, Line Card, Datapath ASIC]
Config:
    app-hosting appid
     app-vnic AppGigabitEthernet port 0 trunk
      vlan 101 guest-interface 0
       guest-ipaddress 100.1.1.252 netmask 255.255.255.0
     app-default-gateway 100.1.1.251 guest-interface 0
     app-resource docker
      run-opts 1 "-v $(APP_DATA):/data"
     name-server0 25.25.25.25

    Interface HundredGigE1/0/x
     switchport mode trunk
- app-vnic AppGigabitEthernet port 0 trunk for G0/0
- app-vnic AppGigabitEthernet port 1 trunk for Te0/1

App Security

IOS XE performance and security protection
- Memory and CPU usage for Apps are bounded using Control groups (cgroups).
- Process and files access for Apps are isolated and restricted (using user namespace).
- Disk usage is isolated using separate storage.

Cgroups HW Resource Sharing
Cgroups limit Application resources for:
- System Memory: defines how much memory is available for Applications.
- CPU resource: defines dynamic CPU load sharing among 3 cgroups:
  - Linux OS processes (highest priority)
  - IOS-XE Control Plane
  - Applications
If one cgroup is idle or under-utilizing its allocation, other active cgroup(s) can use extra CPU resources from that cgroup.
If fully congested, each cgroup cannot exceed its CPU allocation.
Cisco Application Framework (CAF) validates available HW resources before activating Containers.
[Diagram: CPU, RAM, Control Groups]

Storage Security
SSD offers two layers of security:
- AES-256 Hardware encryption on SSD
- Passcode Authentication on the switch and SSD
    Switch#hw-module switch 1 usbflash1 security ?
      disable  disable security on USB3.0
      enable   Enable security on USB3.0
      unlock   Unlock USB3.0

    Switch#conf t
    Switch(config)#hw-module switch 1 usbflash1-password
    Switch(config)#no hw-module switch 1 usbflash1-password
[Diagram: passcode on the switch and on the SSD must Match]

Application Development Workflow

Docker Workflow - Custom App
1. Dockerfile, with App Descriptor (Optional)
2. Build Docker Image
       docker build -t myapp .
       docker save myapp > myapp.tar
3. Deploy App (Application File)

Dockerfile:
    FROM ubuntu:18.04 as base
    RUN apt-get update -yq && apt-get install -yq python
    COPY poll-temperature.py /usr/bin/poll-temperature.py
    RUN chmod 777 /usr/bin/poll-temperature.py
    CMD /usr/bin/poll-temperature.py

poll-temperature.py:
    #!/usr/bin/python
    import time
    import os

    # Create the log directory, then append a timestamped line every 5 seconds.
    os.makedirs("/var/volatile/log")
    f = open("/var/log/poll-temp.log", "w")
    while (1):
        s = "%s %s polling temperature.\n" % (time.strftime("%d/%m/%Y"), time.strftime("%I:%M:%S"))
        f.write(s)
        f.flush()
        time.sleep(5)

Docker Workflow - Docker Hub
1. Pull Docker Image
       docker pull
       docker save myapp > myapp.tar
2. Deploy App

App Lifecycle Management

Application Management
[Diagram: Custom Apps and 3rd Party Apps run as Docker containers on the Cisco Application Framework over the Host OS (IOS XE Kernel); managed from Cisco DNA Center (REST), CLI, WebUI (REST) and YANG]

App Lifecycle Management State Transitions
States: install, activate, start; stop, deactivate, uninstall
    app-hosting install appid myapp package usbflash1:myapp.tar
    app-hosting activate appid myapp
    app-hosting start appid myapp
    app-hosting stop appid myapp
    app-hosting deactivate appid myapp
    app-hosting uninstall appid myapp

App Resources Configuration
- Reserved resource specified in app package can be overridden by setting a custom resource profile (app-resource profile custom)
- Only cpu, memory, vcpu resource can be changed
- Application config vnic and resource changes will only take effect by the next "app-hosting activate" command.
- Resource values are application specific, and any adjustments need to ensure that the app can run reliably with the new changes.
    Switch#conf t
    Switch(config)#app-hosting appid myapp
    Switch(config-app-hosting)#app-resource profile custom
    Switch(config-app-resource-profile-custom)#cpu 7400
    Switch(config-app-resource-profile-custom)#memory 2048
    Switch(config-app-resource-profile-custom)#vcpu 2

YANG Data Models for Application Hosting
1. Cisco-IOS-XE-app-hosting-cfg.yang
2. Cisco-IOS-XE-app-hosting-oper.yang
3. Cisco-IOS-XE-rpc.yang

Catalyst 9000 Containers Networking

Catalyst 9000 Containers Networking
[Diagram: C9K with L2 interfaces Gig1/0/1, Gig1/0/2, Gig1/0/3 and IOS XE; containers attached through eth0/eth1 with addresses 10.0.0.2, 10.0.0.3, 10.0.0.5, 10.0.0.6, gateway 10.0.0.1; Layer 2 AppGigEthernet port (HW Forwarding); Bridge (Linux SW component); Management VRF, Gig0/0, 172.19.0.23, 172.19.0.24]

Application Hosting Features

App Hosting High Availability with Auto-Restart
- Provides cold restartability of application and the underlying app hosting framework
- Retains the last configured operational state of app in the event of system switchover or restart
- 1+1 redundancy mode
- Same storage type (Flash* or SSD) required on both Active and Standby
- Enabled by default

Supported Platforms                                          Release
9300 StackWise (1+1 mode only)                               17.2.1
9400 Dual Sup (Single Chassis & StackWise Virtual)           17.5.1
9500/H StackWise Virtual                                     17.5.1
9600 Dual Sup (Single Chassis & StackWise Virtual)           17.5.1

*Flash is only for Cisco Signed app
[Diagram: Active (A) and Standby (S), each with SSD, App Data Sync]

Multiple Applications Support on Catalyst 9K (17.5.1)
Requirements:
- Cisco Signed Applications Only (ex. ThousandEyes, IoT Gateway)
- Must use SSD Storage
- Enough HW resources should be available to run all applications
- AppGigabitEthernet ports config must not create a conflict between the apps
HW resource can be customized via DNA-C and CLI
[Diagram: Catalyst 9000 Switch, Shared CPU, Shared RAM, Shared Storage, Trunk]

Application Auto Transfer from Flash to SSD (17.6.1)
Transferring ThousandEyes App from Flash to SSD: Cisco signed app runs on Flash, user adds SSD
- Help container as the same state as before the media change.
- Transfer all the persistent data and volumes attached to the application.
- Enabled by default
- Application partition on flash will be deleted only after the transfer is completed.

Transfer Steps (17.6.1)
If SSD has application partition already, it will be deleted before transfer.
1. Insert SSD
2. Disable iox (no iox) and re-enable iox (iox) (or reboot the system).
3. IOX service will detect the new SSD and will start transferring the app data. If the transfer fails for any reason, an error log will be shown on the console and the IOx service will not be started.
4. IOX service will start once the transfer is completed and delete the application partition from flash.

ERSPAN on AppGigabit Port (17.10.1)
Some applications require a copy of traffic from the switch for processing, i.e. applications that require IDS/IPS capability (Cisco Cyber Vision App)
[Diagram: 10.1.1.5, 10.1.1.2]

ERSPAN Source vlan interface
    Switch(config)#monitor session 2 type erspan-source
    Switch(config-mon-erspan-src)#source interface vlan 10
    Switch(config-mon-erspan-src)#no shut
    Switch(config-mon-erspan-src)#destination
    Switch(config-mon-erspan-src-dst)#ip address 10.1.1.5
    Switch(config-mon-erspan-src-dst)#origin ip address 10.1.1.1
    Switch(config-mon-erspan-src-dst)#erspan-id 5
App Port Configuration (L2 Port)
    Switch(config)#int ap 1/0/1
    Switch(config-if)#switchport mode trunk
    Switch(config-if)#exit

ERSPAN Source physical interface
    Switch(config)#monitor session 2 type erspan-source
    Switch(config-mon-erspan-src)#source interface g 1/0/3
    Switch(config-mon-erspan-src)#no shut
    Switch(config-mon-erspan-src)#destination
    Switch(config-mon-erspan-src-dst)#ip address 10.1.1.5
    Switch(config-mon-erspan-src-dst)#origin ip address 10.1.1.2
    Switch(config-mon-erspan-src-dst)#erspan-id 5
App Port Configuration (L3 Port)
    Switch(config)#int ap 1/0/1
    Switch(config-if)#no sw
    Switch(config-if)#ip address 10.1.1.2 255.255.255.0

Multicast support in AppGig interface (17.11.1)
- By default, the C9K switch doesn't allow multicast packets to be forwarded on the AppGig Port.
- Avoids unnecessary traffic being forwarded to the application.
- IGMP Snooping enabled (by default)
[Diagram: ASIC with Gi 1/0/1 ... Gi 1/0/48, AppGig 1/0/1, Dedicated Core(s) CPU, Linux Bridge, Docker App Eth 0/Eth 1, Mcast]

App Hosting Configuration for Multicast (17.11.1)
- Multicast traffic is required for certain applications to function properly.
- Allowing multicast traffic to an application based on the application's configuration
- Per application interface
    app-hosting appid Media_App
     app-vnic AppGigabitEthernet trunk
      vlan 10 guest-interface 0
       guest-ipaddress 192.168.13.2 netmask 255.255.255.0
       mirroring
       multicast
     app-default-gateway 192.168.13.1 guest-interface 0
The multicast keyword is the line marked "Allow Multicast Traffic" on the slide.
[Diagram: ASIC with Gi 1/0/1 ... Gi 1/0/48, AppGig 1/0/1, Dedicated Core(s) CPU, Linux Bridge, Docker App Eth 0/Eth 1, Mcast]

Additional resources
Get hands on and explore more about Application Hosting on DevNet
https:/