Cisco Super Container content
This topic describes the Cisco Super Container architecture, which is one of the Cisco reference architectures delivered with the BMC Network Automation system.
Logical topology
The following figure shows the logical topology for the Super Container.
Key
E2: Internet
E1: Customer MPLS network
Zones
A container configured with customer segments in all zones enabled will have five VRFs:
- PRIV1-Tid
- PRIV2-Tid
- PUB-Tid
- PUB1-Tid
- PUB2-Tid
Each zone has a load balancer configured in one arm mode and three customer VLAN segments.
Private 1 Zone (Intranet Edge): PRIV1-Tid
- Customer VMs are not behind Firewall
- Customer VLANs and load balancer VIP IP addresses are from Private IP pools. These addresses are defined as provisioning Address Spaces in the container blueprint. These address spaces can be overridden.
- Firewall interface security level 90.
- No NAT required for communication with Private 2, Public 1, Public 2, and E1.
- No communication path between this zone and Internet (E2) or vice versa.
Private 2 Zone (Application): PRIV2-Tid
- Firewall interface security level 100.
- Customer VLANs and load balancer VIP IP addresses are from Private IP pools. These addresses are defined as provisioning address spaces in the container blueprint. These address spaces can be overridden.
- No NAT required for communication with Private 1, Public 1, Public 2, and E1.
- Requires dynamic NAT to communicate with Internet (E2).
Public 1 Zone (Internet Edge 1): PUB1-Tid
- Firewall interface security level 30.
- Customer VLANs and load balancer VIP IP address are from Public IP pools defined as an Address range at Pod Level. The address pool cannot be overridden.
- No NAT required for communication with any zone/segment.
Public 2 Zone (Internet Edge 2): PUB2-Tid
- Firewall interface security level 40.
- Customer VLANs and load balancer VIP IP address are assigned from Private IP pools. These addresses are defined as address spaces in the container blueprint. These address spaces can be overridden.
- Needs static NAT to communicate with Internet (E2). Customer specified NAT IP address pool.
- No NAT required for communication with Private 1, Private 2, Public 1, and E1.
Public (Internet): PUB-Tid
- Firewall security Level 0.
Routes on the firewall
Routes for the individual customer segments are added during container provisioning, if the zone is enabled. For example, the route for the customer segment 1 for each zone would be as follows
route private1 <customer vlan 1> <mask> <private 1 agg IP address>
route private2 <customer vlan 1> <mask> <private 2 agg IP address>
route public1 <customer vlan 1> <mask> <public 1 agg IP address>
route public2 <customer vlan 1> <mask> <public 2 agg IP address>These routes would be added assuming that the customer's network would have private IP addresses. Routes for RFC 1918 addresses.
route private1 10.0.0.0 255.0.0.0 <private 1 agg IP address>
route private1 172.16.0.0 255.224.0.0 <private 1 agg IP address>
route private1 192.168.0.0 255.255.0.0 <private 1 agg IP address>When either of the public zones are enabled a default route to the Internet is added on the _outside_ interface of the firewall.route OUTSIDE 0.0.0.0 0.0.0.0 <Pub agg IP address>
Naming convention
The following naming conventions are found in the notes from the blueprint.
Resource elements are abbreviated with no white space and all upper case. For example, "COMMON_CORE" for an address). All other names are verbose with white space and mixed case. For example, "Common Agg 1 to Agg 2" for an address pool.
Names are prefixed with the basic condition necessary for it to be used. For example, "PRIV1_SEG1" for a customer address to be acquired when Private 1 zone is enabled. Names are suffixed (and offset via a dash) with an additional conditional necessary for it to be used, if any. For example, "Private 1 Configure Agg 1 - VLB" for an action to configure Agg 1 if both a basic condition of Private 1 being enabled is true and an additional condition of its VLB being enabled is also true).
Template group names include the phrase Configure or Unconfigure, but action names do not. For example, "Private 1 Configure Agg 1 - VLB" would be a template group name, while "Private 1 Agg 1 - VLB" would be an action name.
Assumptions:
- If Private 2, Public 1, or Public 2 zones are enabled, the perimeter VFW will always be enabled as well.
- If VLB is enabled in a zone then at least one NIC segment also enabled in that zone.
Basic conditional tagging
The following table describes basic conditional tagging.
| Tag name | Meaning | Expression |
|---|---|---|
Common | Unconditionally needed * | none |
Private 1 | Only use the tagged entity if Private 1 zone is being used. |
|
Private 2 | Only use the tagged entity if Private 2 zone is being used. |
|
Private | Only use the tagged entity if at least one private zone is being used. |
|
Public | Only use the tagged entity if at least one public zone is being used. |
|
Public 1 | Only use the tagged entity if Public 1 zone is being used. |
|
Public 2 | Only use the tagged entity if Public 2 zone is being used. |
|
Private Service | Only use the tagged entity if the VSS is needed for processing FW/LB |
|
Private 1 Bridge | Only use the tagged entity if you need to bridge the perimeter VFW needs to be connected to Private 1, either for communication between other zones and the Private 1 zone, or other zones and the MPLS. |
|
Note
Since there is no ability to toggle external network segments (that is, customer network), one cannot specify whether the connection to the segment is required by VMs in public zones. The assumption is it always needs to be enabled, hence it is tagged as {{"Common"}}.
Comments