service containers on the isr 4400

Cisco Public 1© 2013 Cisco and/or its affiliates. All rights reserved.

An Introduction to Service Containers

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 2

Traditional Network Services

Traditional Features

Cisco Network Operating System


FeatureFeature


What’s happening in the server world.

Feature or ApplicationFeature or Application



Ph

ysic

al S

erv

er

Ph

ysic

al S

erv

er

Ph

ysic

al S

erv

er

Ph

ysic

al S

erv

er

or

“Clo

ud

”


Co

nta

ine

rC

on

tain

er


Co

nta

ine

r


Co

nta

ine

r


Future Service DeliveryWrite once. Run anywhere.

ContainerContainer

Service Container


Cisco Network Operating System Feature or

ApplicationFeature or Application

ContainerContainer

Blade Hosting with Hypervisor




Bla

de

End-Point Hosting




Ext

ern

al S

erv

er


What is a Service Container?

Service Containers use virtualization technology to provide a hosting environment on Cisco routers & switches for applications which may be developed and released independent of platform release cycles.


Use Cases for Service Containers

Container

Network OS

Virtual Service

Service ContainersVirtualized environment on a cisco device.

Use Case Cisco Virtual Services:• Work/Appliance Consolidation• Example: ISR-WAAS on ISR4451-X

Use Case Cisco Agents:• Integral Router Features with decoupled release

cycles• Example: RESTFul API in the CSR1000v

Use Case Signed Third Party Services:• Container Hosted OnePK Applications


Where is this happening?

Catalyst 4500 Sup 7E• Wireshark and future services

ISR4451-X• WAAS and future services

Cloud Services Router 1000v• REST API for automated deployment

Nexus 3000, 5000, 6000 & 7000• 3rd Party Embedded Services


An aside on onePK versus Service Containers


Traditional Approach

IOS

Routing

Data Plane

Policy

Interface

Monitoring

Discovery

CLI

AAA

SNMP

HTML

XML

Syslog

Span

Netflow

CDP

Routing Protocols

OnePK Evolving How We Interact With the Network Operating System

New Paradigm

App

CJava

PythonEvents

ActionsApp

EEM (TCL)

Any

thin

g yo

u ca

n th

ink

of


Introducing One Platform Kit - onePK

Any CiscoRouter or

Switch

ApplicationsThat YOU

Create

onePK

Flexible development environment to:

• Innovate

• Extend

• Automate

• Customize

• Enhance

• Modify


Future Service DeliveryWrite once. Run anywhere.

ContainerContainer

Service Container


Cisco Network Operating System Feature or

ApplicationFeature or Application

ContainerContainer

Blade Hosting




Bla

de

End-Point Hosting




Ext

ern

al S

erv

er

onePK Interface


Now back to the presentation…


Platform Specific Data Plane

Linux OS

Example Architecture: ISR4451-X

IOSdControl Plane ISR-WAAS

Future Cisco Embedded Network Services

Common API (onePK)

AVC

Internal Services Blade (UCS E-

Series)

External Services Blade (UCS)

onePK onePK

AppNav Other Data Plane Features


ISR 4451-X Block Diagram

Control Plane (1 core) & Services Plane (3 cores)

Data Plane (10 cores)

FPGE

Multi Gigabit Fabric

SM-X

ISC

SM-XNIM

Service Containers Live Here


Terminology

Virtual-Service: This refers to the container service configuration object. It is sometimes also

called the Virtual Machine: (VM) or the container.

Host: The IOS-XE, NXOS system software

Guest: An instance of the foreign software being hosted. It is sometimes referred to as the

application.

OVA: The software package provided by the application writer which contains the application

and metafiles used to create the hosting environment. (Open Virtualization Archive)

Distribution: The complete set of software provided by the application development team.

KVM: Kernel Virtual Machine

LxC: Linux Container


Service Container TechnologiesKVM

Description: KVM is a virtual machine emulation of the underlying hardware. KVM runs as a Type 2 hypervisor on IOS-XE. IOS/VMAN provide VM management Services.

Characteristics: • Isolates Guest Operating System from Host OS• Takes advantage of CPU hardware extensions found on

server-class processors (e.g., Intel’s VT-x technology)• Provides the highest level of guest/host isolation.

LXCDescription:

This is an operating system virtualization technology (not a hypervisor) that shares the host kernel with the guest but provides isolation through namespace extensions to the Linux kernel.

Characteristics: • Native Performance, no device emulation or CPU specific

requirements• Support across Processor Architectures (MIPs, PPC, Intel)• More easily allows sharing of host services/libraries into guest• Host has direct visibility into resource usage and contention• Guest applications run on the same OS kernel and thus

there’s less isolation and fault separation

Host OS (Linux Kernel)

Hardware Resource

Application

Guest Root File System

Host OS (Linux Root File System)IO

S &

Hos

t Ser

vice

Host OS (Linux Kernel)

Hardware Resource

Guest OS Kernel

Application

Guest Root File System

Host OS (Linux Root File System)

IOS

& H

ost S

ervi

ce


Application Signing

Platforms with Service Containers• Trust Level Defined

per platform• Some platforms might

allow unsigned applications

Cisco Application Signature• Applied to identify

trusted applications• Securely signed and

identified Service Container OVA

Cisco and 3rd Party Applications• Submitted to Cisco

Developer Network for certification and signing

Trusted Application Signatures


Cisco Prime Infrastructure 2.0Full Service Container Lifecycle Management

Point-and-Click deployment of Service Containers

Automated and scheduled provisioning.

Simplified Templates and Configuration Advice

Full Life-Cycle Management

Role-Based Access

Support for a wide range of Service Container Types

Automated management for Containers across the network

Automated Point-and-Click Life-Cycle Management for Service

Containers


Virtual Service Deployment WorkflowHosted Service Deployment Model

router#interface VirtualPortGroup1 ip address 3.3.3.1 255.255.255.0

router#virtual-service <app-name> interface virtualPortGroup1 ip address 3.3.3.2 profile app-model-1

Install Service (package)

Configure Service

Start Service

Monitor Service

Manage Service

Upgrade Service (Host

Initiated)

Un-Install Service

router#virtual-service install name <app_name> package <file_uri>

router#virtual-service <app-name> activate

router#show virtual-service globalrouter#show virtual-service listrouter#show virtual-service detail name <app-name> router#show virtual-service utilization name <app-name>

router#virtual-service uninstall name <app_name>

router#virtual-service upgrade name <app_name> package <file_uri>

router#show virtual-service connectrouter#show logrouter#copy core


Install Virtual Service Software Package

router#virtual-service install name WAAS package harddisk:ISR4451X-WAAS-5.2.0-b27.ova [media harddisk:]Package "harddisk:/ISR4451X-WAAS-5.2.0-b27.ova" is currently being installed for virtual service “WAAS". Once the install is finished, please activate the VM to run the VM.router#

Feb 14 19:37:09.886: %VIRT_SERVICE-5-INSTALL_STATE: Successfully installed virtual service WAASrouter#

Install command specifies the following…• User selected name of virtual service• Location of the OVA package file• [optional] destination media

On ASR1K and ISR4451-X platforms we support installation to harddisk only.


Configure Virtual Service

br0(subnet 10.10.10.x)

br1(subnet 10.10.20.x)

Container-1 Container-2 Container-3 Container-4

10.10.10.2

10.1

0.10

.3

10.1

0.20

.2

10.10.20.3 10.10.20.4

interface VirtualPortGroup1 ip address 10.10.10.1

interface VirtualPortGroup2 ip address 10.10.20.1

interface VirtualPortGroup1 ip address 10.10.10.1 255.255.255.0 load-interval 30! interface VirtualPortGroup2 ip address 10.10.20.1 255.255.255.0

virtual-service Container-2 interface VirtualPortGroup1 interface VirtualPortGroup2


Configure Virtual Service (Profiles)

router(config)#virtual-service WAASrouter(config-virt-serv)#profile ? ISR-WAAS-1300 ISR-WAAS profile for 1300 TCP connections ISR-WAAS-2500 ISR-WAAS profile for 2500 TCP connections ISR-WAAS-750 ISR WAAS profile for 750 TCP connections

Profile Name Description CPU Memory DRE Disk

ISR-WAAS-750 WAAS Profile for 750 connections 25% 4G 150G



Example: ISR-WAAS Profiles


Activate Virtual Service

router#show virtual-service listVirtual Service List:

Name Status Package Name -------------------------------------------------------------------WAAS Installed ISR4451X-WAAS-5.2.0-b...

router(config)#virtual-service waasrouter(config-virt-serv)#activaterouter(config-virt-serv)#endrouter#Feb 14 19:53:02.070: %VIRT_SERVICE-5-ACTIVATION_STATE: Successfully activated virtual service WAASFeb 14 19:53:04.069: %LINK-3-UPDOWN: Interface VirtualPortGroup3, changed state to upFeb 14 19:53:05.070: %LINEPROTO-5-UPDOWN: Line protocol on Interface VirtualPortGroup3, changed state to uprouter#show virtual-service listVirtual Service List:

Name Status Package Name -------------------------------------------------------------------WAAS Activated ISR4451X-WAAS-5.2.0-b...


Show Virtual Service: Global Information

router#show virtual-service Virtual Service Global State and Virtualization Limits:

Infrastructure version : 1.2Total virtual services installed : 3Total virtual services activated : 2

Maximum memory for virtualization : 10240 MBMaximum HDD storage for virtualization : 381536 MBMaximum bootflash storage for virtualization : 7107 MBMaximum system CPU : 75%Maximum VCPUs per virtual service : 6

Committed memory : 6144 MBCommitted disk storage : 182939 MBCommitted system CPU : 25%

Available memory : 4096 MBAvailable disk storage : 202236 MBAvailable system CPU : 50% Machine types supported : KVM, LXCMachine types disabled : none


Show Virtual Service: Detail• Provides detailed view of Guest machine resources (verbose)

router#show virtual-service detail name WAASVirtual Service WAAS Detail:

Package metadata:Package name : ISR4451X-WAAS-5.2.0-b2.ovaApplication name : ISR-WAASApplication version : 1.0Application description : WAASCertificate type : N/ASigning method : SHA512Licensing name : ISR-WAASLicensing version : 1.0OVA path : /vol/harddisk/ISR4451X-WAAS-5.2.0-b2.ovaState : ActivatedDetailed guest status : Version: oe-vwaas-5.2.0.2The system has been up for 2 days, 23 hours, 35 minutes, 22 seconds.Interception-method: appnav-controllerCurrent Service Node state : OperationalTime Service Node entered current state : Mon Feb 11 20:25:07 2013System State: Running\<snip>


Show Virtual Service Profilesrouter#show virtual-service profile name WAAS Virtual Service WAAS profiles:

Name Description Allowed -----------------------------------------------------------------------------------ISR-WAAS-2500 ISR-WAAS profile for 2500 TCP connections Yes ISR-WAAS-1300 ISR-WAAS profile for 1300 TCP connections Yes ISR-WAAS-750 ISR WAAS profile for 750 TCP connections Yes

router#show virtual-service profile name WAAS detail Virtual Service WAAS Profile Details:

Profile name : ISR-WAAS-2500Description : ISR-WAAS profile for 2500 TCP connectionsLicense name : ISR-WAASLicense version : 1.0Resource admission : NoResource requirements : Disk space : 360879MB Memory : 8192MB CPU : 75% system CPU VCPUs : 6 (sockets:1 cores:6 threads:1) <SNIP>


Connect to Virtual Service

router#virtual-service connect name WAAS console Connected to appliance. Exit using ^c^c^c

Cisco Wide Area Application Engine Console

Username:


Show Virtual Service Log

router#show platform software trace message virt-manager rp active02/14 19:16:13.370 [vman]: (debug): Request content02/14 19:16:01.337 [vman]: (debug): Finished continuation of show_trace_msg_request02/14 19:16:01.334 [vman]: (debug): Request content02/14 19:16:01.334 [vman]: (debug): Continuing show_trace_msg_request02/14 19:16:01.334 [vman]: (debug): Finished continuation of show_trace_msg_request02/14 19:16:01.334 [vman]: (debug): Application registered continuation for show_trace_msg_request02/14 19:16:01.334 [vman]: (debug): Registering show_trace_msg_request for continuation02/14 19:16:01.334 [vman]: (debug): Request content


Upgrade Virtual Service

router#virtual-service upgrade name waas package ? bootflash: Appliance package cns: Appliance package flash: Appliance package harddisk: Appliance package null: Appliance package nvram: Appliance package system: Appliance package tar: Appliance package tmpsys: Appliance package

router#virtual-service upgrade name waas package harddisk:ISR4451X-WAAS-5.2.0-b2.ova


Un-install Virtual Service

router#virtual-service uninstall name WAASrouter#Feb 14 19:34:29.765: %VIRT_SERVICE-5-INSTALL_STATE: Successfully uninstalled virtual service WAASrouter#


Recent Service Container Applications

• ISR-WAAS Simplified Deployment• REST API for automated CSR1000v deployment• Nexus 3k, 5k, 6k & 7k support for open containers


“All in a box – simple to deploy”

FULL FEATURED WAAS ACCELERATOR INSIDE

• Tighter Integration• Service aware data plane – AppNav• Dedicated Resources

• 3 steps to setup within 10 minutes

• Up to 2500 connections 150Mbps optimized WAN• Embedded AppNav to expand w/ WAAS on UCS-E or externally

Native Simple Scalable

Key Benefits with ISR4451-X ISR-WAAS


Simplified Deployment- 3 steps, 10 minutesRouter# service waas enableStep 1: Choose WAAS Profile


Simplified Deployment- 3 steps, 10 minutes

Step 2: Choose WAN Interface


Simplified Deployment- 3 steps, 10 minutes

Step 3: Verify and Activate


Cisco Cloud Services Router (CSR) 1000VCisco IOS Software in Virtual Form-Factor

Physical Server

HypervisorVirtual Switch

VPC/ vDC

OS

App

OS

App

CSR 1000V

Programmability • RESTful APIs (leverages OnePK) for Automated

Management

Term and Usage-based Licenses • Elastic Capacity (10 Mbps and up Throughput, 2

to 8 GB RAM)

Single-tenant WAN Gateway• Small Footprint (reducing from 4 vCPU to 1), Low

Performance

IOS XE Cloud Edition• Selected Features of IOS XE primarily for Cloud

Use Cases

Infrastructure Agnostic• Server, Switch, Multi-Hypervisor (ESXi, KVM,

Xen)

Enterprise-class Networking with Rapid Deployment and Flexibility


Example: RESTful API for CSR1000v

IOS XE

onePK API Infrastructure

LXC Service Container

REST API Web Interface written in Python


Nexus OS Open Container Architecture

NXOS(Nexus Platforms)

onePK API Infrastructure

Open LxC Service Containers

User/3rd Party C, JAVA, Python Program

User/3rd Party C, JAVA, Python Program


What to Look For in the Future

Consistent, Powerful and Portable Network Applications

Flexible Services from Cisco

• Virtual Services Write once and run in many locations.

• Parity Across Devices Identical features and feel on appliances, virtual devices and service containers.

• Simplified Install Management tools and installation scripts to make working with services easier.

Additional Options for 3rd Party Services

• Partner Applications Applications from third parties tested and certified by Cisco

• Customer ApplicationsMore options per-platform for un-signed applications.

• Development AssistanceApplication Development Kits and assistance available as a service.

More Install Options

• PlatformsMore platforms being introduced with support for service containers.

• Modules Modules in several platforms that can run the same service containers.

• Development ServersService Container support within dedicated servers.

Thank you.

service containers on the isr 4400

Technology