Agenda
• Introduction
• Overview and Features
• Stateless Hardware
• Overlays
• Forwarding
• Use Cases
Industry trends
• Cloud services
- be it Amazon Web Services, Microsoft Azure, DigitalOcean
• Big data
- Adobe, MapR (map and reduce), MongoDB
• Automation tools
- Ansible, Chef, Puppet, GitHub, Jenkins and continuous integration
• SDN
Software Defined Networking
Fabric Policies
Access Policies
What is ACI?
Application Network Profile
• The application policy model and requirements are defined in the “application network profile”
• Then, based on the deployment model, the APIC pushes and provisions this down to the fabric infrastructure
• All forwarding in the fabric is managed through this “application network profile”
- IP addresses are fully portable anywhere within the fabric
- Security and forwarding are fully decoupled from any physical or virtual network attributes
- Devices autonomously update the state of the network based on the configured policy requirements
ACI Fabric
What are we solving?
Overloaded Network Constructs
[Diagram: a basic network overloads a few constructs (VLANs, subnets, ports, application tiers, policy, SLAs, L4-7 services, provider/consumer protocols and relationships) together with access policies, versus the ACI Application Network Profile, where a tenant holds subnets, endpoint groups (Web, DB, Legacy Network, F/W, L/B) and the subjects that relate them.]
VRF
• Layer 3 forwarding domain.
• Nothing fancy here; it contains all routes for the particular VRF
• Routes will usually point to the local leaf SVI VLAN, or via the overlay-1 VRF to a destination leaf VTEP
• The VRF scope is where communication policy is enforced.
Comprehensive look
[Diagram: Tenant > VRF > BD1, BD2, BD3, each bridge domain carrying subnets]
Bridge Domain
• Ties to a VRF
Subnet
• HSRP evolved
• A subnet under the BD creates an SVI only on the switches where there is an endpoint that needs it.
• Known as a distributed default gateway
• Having the gateway inside the fabric is good: a flood is always answered in a single hop.
• This SVI can be advertised externally through a routing protocol
Comprehensive look
[Diagram: Tenant > VRF > BD1 10.0.1.1/24, BD2 10.0.2.1/24, BD3 10.0.3.1/24]
Distributed Gateway
• EP move: the SVI will be removed from the original leaf and programmed on the new leaf/location
• The gateway is always one hop away. Decouples identity and location
Unicast Routing
• Enables routing
• Route between all BDs inside a VRF without configuring a routing protocol
• The subnet configured under the BD will be the SVI and default gateway for endpoints
• The SVI is only programmed on the switches that have endpoints in that BD/EPG
• Traffic from inside a BD will hit the distributed default gateway MAC and the fabric will handle routing to the destination BD
Application Profile & Endpoint Groups
• Endpoint Groups are used to group similar endpoints connected to the fabric. This is where policy is defined.
• An Application Profile (AP) is a logical container for Endpoint Groups (EPGs)
• An AP should logically group related EPGs, such as in the 3-tier application example:
• Application Profile “My Web App”
• Website – EPG
• Application – EPG
• DB – EPG
[Diagram: Tenant > Application Profile > EPGs, each EPG tied to a Bridge Domain]
Comprehensive look
[Diagram: Application Profile My-Web-App with EPG1 – Web-Servers containing Drupal, IIS Server and Apache Server; tenants Redsox and Yankees]
VLANs
• In ACI, what is defined as the encapsulation VLAN is used as an identifier for classifying traffic into End Point Groups (EPGs)
• The classification of packets into an EPG is done via static bindings or dynamic bindings associated to VMM domains
• Once a packet has been identified as belonging to an EPG, it is tagged into specific, locally significant VLANs or globally unique VXLANs inside the leaf node to identify it for fabric policy enforcement
• Known as encapsulation normalization
[Diagram: numbered leaf ports 1 to 6, two of them carrying encapsulation vlan100]
Comprehensive look
[Diagram: Tenant > AP with EPG1, EPG2, EPG3 mapped to VRF > BD1 10.0.1.1/24, BD2 10.0.2.1/24, BD3 10.0.3.1/24]
Security Policies
• ACI is a whitelist-based network
• Use contracts to define policy for which EPGs can talk to which other EPGs and external EPGs
• Contracts are built with the following objects:
• Contract – Name
• Subject – Direction and options
• Filter – Name and groups of filter entries
• Filter Entry – Specific protocol and ports, and in which direction
Contracts
• One EPG is providing, the other is consuming
• Think of a client/server relationship: one EPG is a server providing a service, the client is consuming the service
• Bi-directional communication is allowed by default
• Once again, do not confuse bi-directional communication with the provider/consumer role
• Pro-Tip: Only the client/consumer is allowed to initiate communications
[Diagram: Tenant > Contract > Subject > Filter. ACI Provider/Consumer: the Web-Client EPG consumes and the Web-Server EPG provides an HTTP Contract whose HTTP Subject carries an HTTP Filter on port 80; the client sends with Sport = X, Dport = 80.]
Comprehensive look with Contracts
[Diagram: Tenant > AP with EPG1 (consume), EPG2 and EPG3 (provide) on VRF > BD1 10.0.1.1/24, BD2 10.0.2.1/24, BD3 10.0.3.1/24, with an ICMP contract between EPG1 and EPG3. A second VRF diagram shows VLAN 10 with Group3 and Group4 and VLAN 20 with Group5 and Group6.]
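The whitelist behaviour described in the contract slides, as an added toy evaluator (not APIC code): it models the HTTP contract between the Web-Client and Web-Server EPGs and the ICMP contract between EPG1 and EPG3, with bi-directional replies permitted but only the consumer able to initiate. EPG names, the sample ports and the "intra-epg" result are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class FilterEntry:
    protocol: str                              # "tcp", "udp" or "icmp"
    dport: Optional[Tuple[int, int]] = None    # destination port range; None = any

@dataclass
class Contract:
    name: str
    entries: List[FilterEntry]                 # one subject carrying one filter
    providers: set = field(default_factory=set)   # EPG names providing the service
    consumers: set = field(default_factory=set)   # EPG names consuming it
    reverse_ports: bool = True                 # subject applies to both directions

def _matches(entry: FilterEntry, proto: str, port: Optional[int]) -> bool:
    # ICMP entries carry no port; TCP/UDP entries must match the range
    if entry.protocol != proto:
        return False
    if entry.dport is None:
        return True
    return port is not None and entry.dport[0] <= port <= entry.dport[1]

def permitted(contracts, src_epg, dst_epg, proto, sport=None, dport=None):
    """Return the name of the contract that whitelists this packet, or None
    (dropped). Intra-EPG traffic needs no contract; between EPGs only the
    consumer initiates, and the provider's reply is matched on source port."""
    if src_epg == dst_epg:
        return "intra-epg"
    for c in contracts:
        if src_epg in c.consumers and dst_epg in c.providers:
            if any(_matches(e, proto, dport) for e in c.entries):
                return c.name
        if c.reverse_ports and src_epg in c.providers and dst_epg in c.consumers:
            if any(_matches(e, proto, sport) for e in c.entries):
                return c.name
    return None

# Constructed sample policy taken from the two contract diagrams on this page.
CONTRACTS = [
    Contract("HTTP", [FilterEntry("tcp", (80, 80))],
             providers={"Web-Server"}, consumers={"Web-Client"}),
    Contract("ICMP", [FilterEntry("icmp")],
             providers={"EPG3"}, consumers={"EPG1"}),
]

if __name__ == "__main__":
    print(permitted(CONTRACTS, "Web-Client", "Web-Server", "tcp", 40000, 80))
    print(permitted(CONTRACTS, "EPG2", "EPG3", "icmp"))
```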
What is a fault ?
• Faults, events and audit logs are essential tools for monitoring the administrative and operational state of an ACI fabric, as well as for troubleshooting current and past issues
• They are the first thing to check when something is not behaving as expected!
Fault
[Diagram: Tenant > AP with EPG1, EPG2, EPG3 on VRF > BD1 10.0.1.1/24, BD2 10.0.2.1/24, BD3 10.0.3.1/24]
How does ACI work?
How does it all work?
• Interaction from a user through an Application Program Interface (API) creates or modifies the objects in the model, with the end goal of a policy to allocate or configure resources.
• This interaction is done through Data Management Engines (DMEs) communicating with each other.
[Diagram: NGINX/API > Logical > Resolved > Concrete > Hardware, ending in the switch configuration:]
conf t
int e1/25
switchport mode access
switchport access vlan 3
no shut
Types of Objects
• Logical, resolved, and concrete
• Logical = configured in the GUI by the user
• Resolved = created by the APIC as a unit/object to communicate and pass information
to the switches
• Concrete = objects used by the switches to program hardware
[Diagram: APIC (NGINX, Policy Manager) to switch (Policy Element, NX-OS, hardware). Logical objects fvTenant, fvAp, fvAEPg, fvCtx and fvBD are resolved by the APIC Policy Manager (PM) into fvEpP, fvCtxDef and fvBDDef, which the switch Policy Element (PE) turns into the concrete objects vlanCktEp, l3Ctx and l2BD that NX-OS uses to program the hardware.]
Stateless Hardware
• Just like UCSB/UCSM… just applied to networking!
• Service Profiles allow a blade to fail and be redeployed immediately.
• Templates and Policies abstract configuration from hardware. Reusability!
• The Application Profile is equivalent to the Service Profile
[Diagram: a Service Profile bundling network, storage and server settings]
Overlays and Tunnels
• When first discovering the fabric, each switch that is registered is dynamically assigned an IP address out of the Tunnel End Point (TEP) range specified during the APIC setup script.
• The TEP range defines the Overlay-1 VRF.
• The IP address every switch receives is known as a virtual TEP and is used to build tunnels between the leafs and spines
• The Overlay-1 VRF contains /32 routes to each VTEP, vPC virtual IP, APIC and spine proxy IP
Overlays and Tunnels
[Diagram: fabric nodes with VTEP addresses 10.0.64.1, 10.0.64.2, 10.0.128.1, 10.0.128.2 and 10.0.128.3 from the TEP pool; an iVXLAN tunnel carries IP-A/MAC-A to IP-B/MAC-B, with policy and VLAN translation (xlate) at the leaf and IS-IS in the underlay. APIC setup script values shown:]
• Infra-VLAN: 3967
• TEP Pool: 10.0.0.0/16
• Multicast Range: 255.1.1.1
• Admin Password: ciscoLive16!
• Leafs learn remote endpoints as well, for quicker lookup and directed forwarding to a destination leaf.
• Not just an outgoing port
• Spines have a global (fabric-wide) database of all endpoints and can forward to any destination if needed
• BD settings determine learning and forwarding behavior
Spine endpoint database:
MAC    IP    VTEP
MAC-A  IP-A  VTEP-1
MAC-B  IP-B  VTEP-2
MAC-C  IP-C  VTEP-3
• The spine looks up the endpoint in the global database (COOP) and forwards to the leaf VTEP. If not found, the packet is dropped.
• An optimization over traditional networking to cut down on unnecessary flooding.
L2 Unknown Unicast: Flood
• Uses a multicast tree rooted in the spine for a specific BD (illustrated in red in the diagram); all leafs that have the BD are part of the multicast tree
• Imitates traditional networks; helpful for integrating an external gateway for migration
[Diagram: leafs carrying VLAN 10, VLAN 10 and VLAN 20 in the same BD]
• Option One for dealing with some flooded traffic, the most traditional: flood everywhere, to every encapsulation in the BD
• Option Three: Only allow the flood to propagate inside its own encapsulation, not the BD
ARP handling:
• Standard, traditional ARP flooding
• Unicast Routing / Directed ARP: inspect the ARP frame for the destination IP and unicast to that leaf/endpoint
Conversational Learning
Leaf endpoint table:
MAC    IP    Interface
MAC-A  IP-A  Tunnel1
MAC-B  IP-B  Tunnel3
[Diagram: IP-A/MAC-A and IP-B/MAC-B exchanging traffic through the fabric]
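The leaf lookup, spine COOP proxy and BD flood/ARP settings from the forwarding slides above, as an added simulation (not ACI code). The endpoint tables are constructed from the slide's sample entries; the mode strings "proxy" and "flood" and the interface name eth1/1 are assumptions for the example.

```python
from typing import Dict, Tuple

# Leaf's local endpoint table, MAC -> (IP, interface or tunnel), modelled on
# the conversational-learning table above (constructed sample data).
LEAF_EP_TABLE: Dict[str, Tuple[str, str]] = {
    "MAC-A": ("IP-A", "eth1/1"),
    "MAC-B": ("IP-B", "Tunnel3"),
}
# Spine's global endpoint database (COOP): MAC -> VTEP and IP -> VTEP (constructed).
COOP_MAC: Dict[str, str] = {"MAC-A": "VTEP-1", "MAC-B": "VTEP-2", "MAC-C": "VTEP-3"}
COOP_IP: Dict[str, str] = {"IP-A": "VTEP-1", "IP-B": "VTEP-2", "IP-C": "VTEP-3"}

def forward_l2(dst_mac: str, l2_unknown_unicast: str,
               local=LEAF_EP_TABLE, coop=COOP_MAC) -> str:
    """Action a leaf takes for a unicast frame to dst_mac. l2_unknown_unicast
    is the BD setting: "proxy" asks the spine COOP database and drops if the
    endpoint is unknown; "flood" uses the BD's multicast tree."""
    if dst_mac in local:                      # known locally: directed forwarding
        return f"forward via {local[dst_mac][1]}"
    if l2_unknown_unicast == "flood":
        return "flood on BD multicast tree"
    if l2_unknown_unicast == "proxy":
        vtep = coop.get(dst_mac)
        return f"spine proxy to {vtep}" if vtep else "drop (unknown in COOP)"
    raise ValueError(f"unknown BD mode {l2_unknown_unicast!r}")

def handle_arp(target_ip: str, arp_flooding: bool,
               local=LEAF_EP_TABLE, coop=COOP_IP) -> str:
    """ARP request handling. With ARP flooding on, the request is flooded as in
    a traditional network; with it off (unicast routing / directed ARP) the
    leaf inspects the target IP and unicasts the request toward its owner."""
    if arp_flooding:
        return "flood ARP on BD"
    for mac, (ip, iface) in local.items():
        if ip == target_ip:
            return f"unicast ARP to {mac} via {iface}"
    vtep = coop.get(target_ip)
    return f"unicast ARP via spine proxy to {vtep}" if vtep else "drop (unknown in COOP)"

if __name__ == "__main__":
    print(forward_l2("MAC-C", "proxy"))       # spine proxy to VTEP-3
    print(forward_l2("MAC-D", "proxy"))       # drop (unknown in COOP)
    print(handle_arp("IP-C", arp_flooding=False))
```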
Connecting to External Switches
• Just like other switches can be trunked together, ACI can trunk to any existing switch in your datacenter
• The benefit is that ACI allows you to decide where to apply policy and where the external endpoints are classified/learned
• ACI offers two options to connect to external switches:
• Extending the EPG outside of the fabric
• Extending the BD outside of the fabric
External Switches / Legacy Network
[Diagram: a gateway outside the fabric on the legacy network, then the gateway migrated into the fabric]
• The gateway can start outside of the fabric for migration purposes. Services on the fabric will send their traffic and floods outside
• The gateway can then be migrated into the fabric. External services can flood into the fabric
Connecting to External Routing Instances
• ACI can participate in routing as well, via static or dynamic protocols.
• Advertising subnets and learning external subnets just like any other router
• This is done through an External Routed Network in ACI
• The benefit is that policy can be applied at a subnet/prefix level toward a specific EPG
• Known as a prefix-based EPG
External Routing Instances / Legacy Network
• Static paths and static VLAN pools work together with domains to properly program interfaces
• It is imperative to have domains associated to EPGs when mixing VMM dynamic domains and any other domains
Static vs Dynamic Configuration
• Static implies manually configuring which interfaces have which VLANs from the pool defined under access policies
• Used with a physical domain and a static VLAN pool
• Static configuration is done under the EPG by associating the physical domain and creating a static path to a port and specifying a VLAN
• Dynamic implies that the VLAN is allocated automatically, randomly from the pool
• Used with a VMM domain and a dynamic VLAN pool.
• Associating the VMM domain to the EPG creates a port-group/network in the VM environment, and based on the CDP/LLDP adjacencies that are reported, VLANs are programmed on the interface.
Static Deployment
• Compared to dynamic deployment, physical workloads are defined statically
• A physical domain is needed on the EPG
• The second requirement is to configure a static path
• A static path specifies an interface on a switch, a port-channel on a switch, or a vPC interface between a pair of switches, as well as the VLAN that the end device will be communicating on
• This VLAN can be:
• tagged
• untagged (access/native)
• 802.1p (still access/native but with QoS at the MAC layer)
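The static deployment steps above (physical domain on the EPG, then a static path with its VLAN mode), as an added example that builds the APIC REST JSON for one EPG. This is not Cisco code: the class names (fvTenant, fvAp, fvAEPg, fvRsBd, fvRsDomAtt, fvRsPathAtt), the tDn/encap formats and the mode values regular/untagged/native are assumed from the APIC object model as the author understands it, and the tenant, domain, leaf 101 and eth1/25 values are constructed; verify against your APIC's model reference before pushing it.

```python
import json

# Map the slide's three VLAN options to the assumed fvRsPathAtt "mode" values
# (regular = tagged trunk, untagged = access, native = 802.1p).
PATH_MODES = {"tagged": "regular", "untagged": "untagged", "802.1p": "native"}

def static_path(node: int, port: str, vlan: int, vlan_mode: str, pod: int = 1) -> dict:
    """One static path binding for a single leaf interface (assumed tDn format)."""
    if vlan_mode not in PATH_MODES:
        raise ValueError(f"vlan_mode must be one of {sorted(PATH_MODES)}")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN id out of range")
    return {"fvRsPathAtt": {"attributes": {
        "tDn": f"topology/pod-{pod}/paths-{node}/pathep-[{port}]",
        "encap": f"vlan-{vlan}",
        "mode": PATH_MODES[vlan_mode]}}}

def static_epg(tenant: str, ap: str, epg: str, bd: str, phys_domain: str, paths: list) -> dict:
    """Tenant > AP > EPG tree with the BD relation, the physical domain
    (first requirement) and the static paths (second requirement)."""
    if not paths:
        raise ValueError("a statically deployed EPG needs at least one static path")
    epg_children = [
        {"fvRsBd": {"attributes": {"tnFvBDName": bd}}},
        {"fvRsDomAtt": {"attributes": {"tDn": f"uni/phys-{phys_domain}"}}},
    ] + list(paths)
    return {"fvTenant": {"attributes": {"name": tenant}, "children": [
        {"fvAp": {"attributes": {"name": ap}, "children": [
            {"fvAEPg": {"attributes": {"name": epg}, "children": epg_children}}]}}]}}

if __name__ == "__main__":
    # Constructed values: leaf 101 port eth1/25, untagged VLAN 3, matching the
    # "switchport access vlan 3" concrete config shown earlier in the deck.
    tree = static_epg("My-Web-App-Tn", "My-Web-App", "Web-Servers", "BD1", "PhysDom",
                      [static_path(101, "eth1/25", 3, "untagged")])
    print(json.dumps(tree, indent=2))
```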
Dynamic Configuration
• Used for VMM domain integration
• ACI and the controller exchange information such as:
• Number and names of hypervisors
• vmnic adjacencies to the leaf ports
• Requires CDP or LLDP
• VMs added to port-groups
• A VMM domain associated to an EPG programs a port-group on the controller
[Diagram: EPG > ACI VMM Domain > VM Portgroup on the hypervisor; the leaf interface has an adjacency to the hypervisor NIC, and the VM NIC attaches to the portgroup]
Route Leaking and Inter-Tenant Communications
• In ACI, it is possible to have inter-VRF or inter-tenant communications
• This is accomplished by leaking routes from one VRF to another using route-maps and prefix-lists in the fabric
• Route leaking is enabled by a contract applied to an EPG where one EPG is providing and the other EPG, in another tenant or VRF, is consuming.
[Diagram: Inter-Tenant and Inter-VRF communication]
Connecting ACI to Existing L4-L7 Service Appliances
[Diagram: Cisco ACI service insertion extends the ACI policy model to L4-L7 services through a device model for the service device. Building blocks, physical and virtual: a traditional 3-tier application (FW, ADC, WEB, ACC, APP, DB) expressed as an Application Network Profile; F5 BIG-IP deployed through the F5 iWorkflow Dynamic Device Package in ACI, spanning the F5 Synthesis fabric, the ACI fabric, Virtual Edition, appliance and chassis form factors.]