Cisco Application Centric Infrastructure (ACI)

Aci breakout session


Page 1: Aci breakout session

Cisco Application Centric Infrastructure (ACI)

Page 2: Aci breakout session

C97-730020 -01 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

Figure: 6,000+ Nexus 9K and ACI customers globally; 50 ecosystem partners; 1,400+ ACI customers (new).

Page 3: Aci breakout session


Providing Choice in Automation and Programmability

Cisco ACI
•  Turnkey integrated solution
•  Embedded security, centralized management, and scale
•  Automated application or network centric-policy model
•  Broad and deep ecosystem

Programmable Network
•  Modern NX-OS with enhanced NX-APIs
•  Automation Ecosystem (Puppet, Chef, Ansible, etc.)
•  Common NX-API across N2K-N9K
•  L2/L3 VXLAN

Programmable Fabric
•  VxLAN-BGP EVPN standard-based
•  3rd party controller support (Openflow/NETCONF/OVSDB, etc.)
•  VTS for overlay provisioning
•  Nexus Fabric Manager (NFM)
•  L2/L3 VXLAN

Page 4: Aci breakout session

Designed from the Ground-Up to be Application Centric

1. Application Velocity. Any Workload. Anywhere.
2. Common Platform—Integration of Physical, Virtual, and Cloud
3. Common Policy, Management and Operations (Network, Integrated Security, and Applications)
4. Systems Approach
5. Open APIs, Open Source, Open Standards
6. Lowest Total Cost of Ownership


Page 6: Aci breakout session


Deploying Applications on Shared Infrastructure

The Status Quo: a variety of users (cars, trucks, ambulances, buses, pedestrians, two-wheelers, etc.) and no policy: no lights, no lanes, no rules, no governance, no enforcement, best effort.

Meskel Square [Source: Reddit.com]


Page 8: Aci breakout session


SDN is about network automation.

Page 9: Aci breakout session


Why does it take weeks/months/years to respond to business needs?

Common Scenario 1: Expansion and rolling out new applications

Common Scenario 2: Monitoring existing applications

Page 10: Aci breakout session


Figure: legacy three-tier deployment. WebServers (www) behind L3 routing, a FW and an SLB/SSL; AppServers (app) behind a FW and an SLB; DBServers (db) behind a FW; the tiers are spread across vLAN111, vLAN222, vLAN333, vLAN444 and vLAN666, with IDS/IPS on vLAN555 and vLAN777. The device configurations below are what it takes to stand this up.

switch1(config)# int eth 1/1
switch1(config)# switch mode acc
switch1(config)# switch acc vlan 666
switch1(config)# no shut

router(config)# int eth 1
router(config)# ip add 6.6.6.1 255.255.255.0
router(config)# no shut
router(config)# int eth 2
router(config)# ip addr 1.1.1.1 255.255.255.0
router(config)# no shut
router(config)# router eigrp 100
router(config)# network 6.6.6.0 mask 255.255.255.0
router(config)# network 1.1.1.0 mask 255.255.255.0
router(config)# ip route 0.0.0.0 0.0.0.0 6.6.6.254

switch2(config)# int eth 1/2 - 3
switch2(config)# switch mode acc
switch2(config)# switch acc vlan 111
switch2(config)# no shut

fw1(config)# int eth 0/1
fw1(config)# nameif outside 0
fw1(config)# int eth 0/2
fw1(config)# nameif webfront 20
fw1(config)# object network webfront_vip
fw1(config)# host 6.6.6.6
fw1(config)# static (webfront,outside) 1.1.1.6
fw1(config)# access-list outside_web permit tcp any host 6.6.6.6 eq 80
fw1(config)# access-list outside_web permit tcp any host 6.6.6.6 eq 443
fw1(config)# access-group outside_web in interface outside

switch3(config)# int eth 1/4 - 5
switch3(config)# switch mode acc
switch3(config)# switch acc vlan 222
switch3(config)# no shut


switch4(config)# int eth 1/6
switch4(config)# switch mode acc
switch4(config)# switch acc vlan 333
switch4(config)# no shut
switch4(config)# int eth 1/7 - 9
switch4(config)# switch mode acc
switch4(config)# switch acc vlan 333
switch4(config)# no shut


switch5(config)# int eth 1/10 - 11
switch5(config)# switch mode acc
switch5(config)# switch acc vlan 444
switch5(config)# no shut
switch5(config)# int eth 1/11 - 15
switch5(config)# switch mode acc
switch5(config)# switch acc vlan 555
switch5(config)# no shut
switch5(config)# monitor session 1 source vlan 555
switch5(config)# monitor session 1 dest eth 1/16

switch6(config)# int eth 1/16 - 19
switch6(config)# switch mode acc
switch6(config)# switch acc vlan 777
switch6(config)# no shut
switch6(config)# monitor session 1 source vlan 777
switch6(config)# monitor session 1 dest eth 1/20

slb1 (CONFIG)
 probe http http-probe
  interval 30
  expect status 200 200
 rserver host websrvr1
  description foo web server
  ip address 3.3.3.1
  inservice
 rserver host websrvr2
  description foo web server
  ip address 3.3.3.2
  inservice
 rserver host websrvr3
  description foo web server
  ip address 3.3.3.3
  inservice
 serverfarm host FOOWEBFARM
  probe http-probe
  rserver websrvr1 80
   inservice
  rserver websrvr2 80
   inservice
  rserver websrvr3 80
   inservice
 crypto generate key 1024 fooyou.key
 crypto csr-params testparms
  country US
  state California
  locality San Jose
  organization-name foo
  organization-unit you
  common-name www.fooyou.com
  serial-number crisco123
 crypto generate csr testparms fooyou.key
 crypto import ftp 12.13.14.15 anonymous fooyou.cer
 parameter-map type ssl SSL_PARAMETERS
  cipher RSA_WITH_RC4_128_MD5
  version TLS1
 ssl-proxy service FOOWEB_SSL
  key fooyou.key
  cert fooyou.cer
 class-map match-all FOOSSL_VIP_CLASS
  2 match virtual-address 2.2.2.22 tcp eq https
 policy-map type loadbalance first-match L7-SSL-MATCH
  class L7_WEB
   sticky-serverfarm sn_cookie
 policy-map multi-match FOOWEB-VIP
  class FOOWEB_VIP_CLASS
   loadbalance vip inservice
   loadbalance policy FOOWEB-MATCH
   loadbalance vip icmp-reply
   loadbalance vip advertise active
  class FOOSSL_VIP_CLASS
   loadbalance vip inservice
   loadbalance policy FOOSSL-MATCH
   loadbalance vip icmp-reply
   loadbalance vip advertise active
   ssl-proxy server FOOWEB_SSL
 interface vlan 222
  service-policy input FOOWEB_SSL

fw2(config)# int eth 0/1
fw2(config)# nameif webfront 20
fw2(config)# int eth 0/2
fw2(config)# nameif appfront 50
fw2(config)# object network appfarm_vip
fw2(config)# host 5.5.5.5
fw2(config)# nat (appfront,webfront) static 4.4.4.4
fw2(config)# access-list web_to_app permit tcp any host 4.4.4.4 eq 8081

slb2 (CONFIG)
 rserver host appsrvr1
  description foo app server
  ip address 5.5.5.1
  inservice
 rserver host appsrvr2
  description foo app server
  ip address 5.5.5.2
  inservice
 rserver host appsrvr3
  description foo app server
  ip address 5.5.5.3
  inservice
 serverfarm host FOOAPPFARM
  probe http-probe
  rserver appsrvr1 8081
   inservice
  rserver appsrvr2 8081
   inservice
  rserver appsrvr3 8081
   inservice
 class-map type http loadbalance match-any FOO_APP
  2 match http virtual-address 4.4.4.44 tcp eq 8081
 class-map match-all FOO_APP_VIP_CLASS
 policy-map type loadbalance first-match FOO_APP-MATCH
  class FOO_APP
   sticky-serverfarm sn_cookie
 policy-map multi-match FOO_APP-VIP
  class FOO_APP_VIP_CLASS
   loadbalance vip inservice
   loadbalance policy FOO_APP-MATCH
   loadbalance vip icmp-reply
   loadbalance vip advertise active

fw3(config)# int eth 0/1
fw3(config)# nameif appfront 70
fw3(config)# int eth 0/2
fw3(config)# nameif dbfront 90
fw3(config)# object network db_cluster
fw3(config)# host 7.7.7.7
fw3(config)# nat (dbfront,appfront) static 5.5.5.50
fw3(config)# access-list web_to_app permit tcp any host 5.5.5.50 eq 1433

Page 11: Aci breakout session


SYSTEMS APPROACH: Rapid Deployment of Applications with Scale, Security and Full Visibility

1. Subject Matter Experts define policies (Network SME, Security SME, Application SME)
2. Policies used to create Application Network Profile templates (APIC)
3. Automated policy configuration across the infrastructure
4. Life cycle management for day 1, day 2 operations

Figure: the APIC applies policy across Physical Networking, Compute, L4–L7 Services, Storage, Hypervisors and Virtual Networking, and Multi DC WAN and Cloud (Nexus 2K, Nexus 7K, Integrated WAN Edge).

Page 12: Aci breakout session


•  Tenant (VDC)
‒  Logical separator for customer, business unit, group, etc.
‒  Separates traffic, admin, visibility, etc.
•  VRF (VRF)
‒  VRF as we all know it to be
‒  Separates routing instances; can be used as an admin separation
•  Bridge Domain (Subnet)
‒  A container for subnets
‒  Can be used to define the L2 flooding boundary/scope
•  End Point Group (VLAN)
‒  Container for end-points (VM and bare-metal) requiring the same policy treatment
•  Contract (Secure inter-VLAN communication)
‒  Defines communication between EPGs
‒  No contract = no inter-VLAN communication (white-list default policy)
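The object model above, as an added example that is not part of the Cisco deck: a minimal Tenant/VRF/Bridge Domain/EPG/Contract model whose policy check implements the white-list rule (no contract between two EPGs means no communication), plus the intra-EPG isolation switch described on a later slide. Class and field names are this example's own, not APIC object names; the three-tier tenant and the ports are constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Filter:
    """One contract filter entry: protocol plus a destination port range."""
    proto: str            # "tcp", "udp" or "any"
    dport_from: int = 0
    dport_to: int = 65535

    def matches(self, proto: str, dport: int) -> bool:
        return self.proto in ("any", proto) and self.dport_from <= dport <= self.dport_to


@dataclass
class Contract:
    name: str
    filters: list
    providers: set = field(default_factory=set)   # EPG names that provide the contract
    consumers: set = field(default_factory=set)   # EPG names that consume it


@dataclass
class EPG:
    name: str
    bridge_domain: str
    intra_epg_isolation: bool = False   # "Intra-EPG Isolation" from the segmentation slide


@dataclass
class Tenant:
    name: str
    vrf: str
    epgs: dict = field(default_factory=dict)
    contracts: list = field(default_factory=list)

    def add_epg(self, epg: EPG) -> None:
        self.epgs[epg.name] = epg

    def is_permitted(self, src_epg: str, dst_epg: str, proto: str, dport: int) -> bool:
        """Default deny for the initiating direction: traffic passes only if some
        contract consumed by the source EPG and provided by the destination EPG
        has a filter matching the protocol and destination port."""
        if src_epg not in self.epgs or dst_epg not in self.epgs:
            return False
        if src_epg == dst_epg:
            # Same EPG: permitted unless intra-EPG isolation is enforced.
            return not self.epgs[src_epg].intra_epg_isolation
        for c in self.contracts:
            if src_epg in c.consumers and dst_epg in c.providers:
                if any(f.matches(proto, dport) for f in c.filters):
                    return True
        return False   # white-list default: no contract, no communication


def build_demo_tenant() -> Tenant:
    """Constructed three-tier tenant mirroring the Web/App/DB profile in the deck."""
    t = Tenant("foo", vrf="foo-vrf")
    t.add_epg(EPG("web", bridge_domain="bd-web"))
    t.add_epg(EPG("app", bridge_domain="bd-app"))
    t.add_epg(EPG("db", bridge_domain="bd-db", intra_epg_isolation=True))
    # web -> app only on tcp/8081, app -> db only on tcp/1433 (the ports used on the legacy slide)
    t.contracts.append(Contract("web-to-app", [Filter("tcp", 8081, 8081)],
                                providers={"app"}, consumers={"web"}))
    t.contracts.append(Contract("app-to-db", [Filter("tcp", 1433, 1433)],
                                providers={"db"}, consumers={"app"}))
    return t


if __name__ == "__main__":
    t = build_demo_tenant()
    for src, dst, proto, port in [("web", "app", "tcp", 8081), ("web", "db", "tcp", 1433),
                                  ("db", "app", "tcp", 1433), ("db", "db", "tcp", 1433)]:
        verdict = "permit" if t.is_permitted(src, dst, proto, port) else "drop"
        print(f"{src} -> {dst} {proto}/{port}: {verdict}")
```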

Page 13: Aci breakout session


Figure: Application Network Profile. EPGs Web, App, DB and Outside (Tenant VRF) connected by contracts carrying QoS, Filter and Service policies over the ACI Fabric (non-blocking, penalty-free overlay), managed by the Application Policy Infrastructure Controller (APIC).

Page 14: Aci breakout session


Enabling a Dynamic Enterprise Without Compromise

•  Centralized Compliance and Auditing
•  Import / Export Policy via API (Support for External Policy Engines)
•  Automated Services Chaining
•  Complete Isolation with Full Scalability and Security (tenants such as Engineering, Legal, Sales, HR, Finance, Marketing)
•  Policy Separated from Network Forwarding (Policy Engine)
•  Encrypted Controller Communication
•  Advanced Role Based Access Control (APIC)

Page 15: Aci breakout session


Flexible Segmentation

•  Basic DC Segmentation: PROD, POD, DMZ, SHARED SERVICES
•  Application Lifecycle Segmentation: DEV, TEST, PROD
•  Service Level Segmentation: WEB, APP, DB
•  Network-Centric Segmentation: VLAN 1, VXLAN 2, VLAN 3

Hypervisor Agnostic Micro-segmentation For Any Virtual Workload

•  Attribute-based micro-segments on the hypervisor virtual switch (DVS, AVS, Hyper-V Switch, KVM*), e.g. OS = Linux, Name = Video-*, IP = 1.1.1.x
•  Quarantine infected VMs with Guest OS = Linux (FW in the path)

Intra-EPG Isolation + Micro-segmentation For Any Workload (Physical, Virtual)

Figure: Web EPG and DB EPG shown with local switching (default), with Intra-EPG Isolation, with Micro-Segmentation (FW between micro-segments), and with Intra-EPG Isolation + Micro-Segmentation; used to quarantine infected VMs.

Page 16: Aci breakout session


ACI Monitoring: Quickly Detect and Mitigate Application Issues

Page 17: Aci breakout session


ACI Operational Simplicity

Capacity Dashboard Visibility & Troubleshooting

Page 18: Aci breakout session


Figure: Application Policy Infrastructure Controller (APIC) connected to ACI Spine Nodes and ACI Leaf Nodes.

•  ACI Fabric provides:

‒  Decoupling of endpoint identity, location, and associated policy, all of which are independent from the underlying topology

‒  Full normalization of the ingress encapsulation mechanism used: 802.1Q VLAN, IETF VXLAN, IETF NVGRE

‒  Distributed Layer 3 gateway to ensure optimal forwarding for Layers 3 and 2

‒  Support for standard bridging and routing semantics without standard location constraints (any IP address anywhere)

‒  Service insertion and redirection

‒  Removal of flooding requirements for IP control plane (ARP, GARP)


Page 19: Aci breakout session


•  ACI Fabric is based on an IP fabric supporting routing to the edge with an integrated overlay for host routing
‒  All end-host (tenant) traffic within the fabric is carried through the overlay

•  The fabric is capable of supporting an arbitrary number of tiers and/or partial mesh if required

•  Why choose an integrated overlay?

‒  Mobility, scale, multi-tenancy, and integration with emerging hypervisor designs

‒  Data traffic can now carry explicit meta data that allows for distributed policy (flow-level control without requiring flow-level programming)

Figure: IP fabric with integrated overlay. Each node will be assigned loopback IP address(es) advertised through IS-IS; IP unnumbered 40 Gb links; APIC.

Page 20: Aci breakout session


Normalization of Ingress Encapsulation

Figure: localized encapsulations at the edge (VXLAN VNID = 5789, VXLAN VNID = 11348, NVGRE TNI = 7456, 802.1Q VLAN 50) are mapped any-to-any into the normalized encapsulation of the IP fabric using VXLAN tagging (Payload | IP | VXLAN | VTEP).

•  All traffic within the ACI Fabric is encapsulated with a VXLAN header
•  External VLAN, VXLAN, NVGRE tags are mapped at ingress to an internal VXLAN tag
•  Forwarding is not limited to, nor constrained within, the encapsulation type or encapsulation ‘overlay’ network
•  L2 and L3 VXLAN capabilities at every leaf switch

Figure: ingress frame formats: Payload | IP | VXLAN | Outer IP | Eth; Payload | IP | NVGRE | Outer IP | Eth; Payload | IP | 802.1Q | Eth; Payload | IP | Eth MAC.
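The ingress normalization described above, as an added example that is not Cisco code: parse the three encapsulations the slide lists (802.1Q VLAN, VXLAN, NVGRE) from raw bytes using their standard header layouts and map each through a per-leaf table to the internal VNID. The table, the sample frames and the `Normalized` record are constructed for this example; the record is a simplified stand-in, not the real ACI iVXLAN bit layout.

```python
import struct
from dataclasses import dataclass

ETH_HDR = 14
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
IPPROTO_GRE = 47
VXLAN_UDP_PORT = 4789
NVGRE_PROTO_TYPE = 0x6558   # Transparent Ethernet Bridging


@dataclass(frozen=True)
class Normalized:
    encap: str      # "vlan", "vxlan" or "nvgre" as received
    ext_id: int     # VLAN ID, VNID or TNI as received
    int_vnid: int   # fabric VNID after normalization
    inner: bytes    # the original inner frame / payload


def _ipv4_payload(pkt: bytes, off: int) -> tuple:
    """Return (protocol, payload) for the IPv4 header starting at offset off."""
    ihl = (pkt[off] & 0x0F) * 4
    return pkt[off + 9], pkt[off + ihl:]


def parse_ingress(frame: bytes, table: dict) -> Normalized:
    """Classify the outer encapsulation and map it through the per-leaf table
    {(encap, external id): internal VNID}. An unknown mapping raises KeyError,
    where a real leaf would drop the frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan = tci & 0x0FFF                        # low 12 bits of the TCI
        return Normalized("vlan", vlan, table[("vlan", vlan)], frame[18:])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported ethertype 0x{ethertype:04x}")
    proto, l4 = _ipv4_payload(frame, ETH_HDR)
    if proto == IPPROTO_UDP:
        dport = struct.unpack("!H", l4[2:4])[0]
        if dport != VXLAN_UDP_PORT:
            raise ValueError("UDP but not VXLAN")
        vx = l4[8:16]                              # 8-byte VXLAN header after UDP
        if not vx[0] & 0x08:                       # I flag must be set for a valid VNID
            raise ValueError("VXLAN I flag not set")
        vnid = int.from_bytes(vx[4:7], "big")      # 24-bit VNID
        return Normalized("vxlan", vnid, table[("vxlan", vnid)], l4[16:])
    if proto == IPPROTO_GRE:
        gre_flags, gre_proto = struct.unpack("!HH", l4[:4])
        if gre_proto != NVGRE_PROTO_TYPE or not gre_flags & 0x2000:   # K bit
            raise ValueError("GRE but not NVGRE")
        tni = int.from_bytes(l4[4:7], "big")       # 24-bit VSID/TNI, then 8-bit FlowID
        return Normalized("nvgre", tni, table[("nvgre", tni)], l4[8:])
    raise ValueError(f"unsupported IP protocol {proto}")


# ---- constructed sample frames (not captures) --------------------------------
def _ipv4(proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def make_vlan_frame(vlan: int, inner: bytes) -> bytes:
    return b"\x00" * 12 + struct.pack("!HH", ETHERTYPE_8021Q, vlan) + b"\x08\x00" + inner


def make_vxlan_frame(vnid: int, inner: bytes) -> bytes:
    vx = bytes([0x08, 0, 0, 0]) + vnid.to_bytes(3, "big") + b"\x00"
    udp = struct.pack("!HHHH", 40000, VXLAN_UDP_PORT, 8 + len(vx) + len(inner), 0)
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + _ipv4(IPPROTO_UDP, udp + vx + inner)


def make_nvgre_frame(tni: int, inner: bytes) -> bytes:
    gre = struct.pack("!HH", 0x2000, NVGRE_PROTO_TYPE) + tni.to_bytes(3, "big") + b"\x00"
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + _ipv4(IPPROTO_GRE, gre + inner)


# Constructed leaf mapping table using the identifiers shown in the slide figure;
# two different ingress encapsulations can land in the same internal VNID.
LEAF_TABLE = {("vlan", 50): 15000001, ("vxlan", 5789): 15000001,
              ("vxlan", 11348): 15000002, ("nvgre", 7456): 15000001}

if __name__ == "__main__":
    inner = b"inner-frame"
    for f in (make_vlan_frame(50, inner), make_vxlan_frame(5789, inner), make_nvgre_frame(7456, inner)):
        print(parse_ingress(f, LEAF_TABLE))
```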

Page 21: Aci breakout session


Overview of ACI Fabric Unicast Forwarding

1. Packet sourced from VM attached to ingress port group or directly from physical server (Payload | IP)
2. vSwitch encapsulates frame and forwards to Leaf VTEP (Payload | IP | VXLAN | VTEP)
3. Leaf maps ingress encapsulation with VXLAN and performs any required policy functions (Payload | IP | VXLAN | aVTEP)
4a. If Leaf has learned the inner IP to egress VTEP binding, it will set the required VTEP address and forward directly to the egress Leaf
4b. If the ingress iLeaf does not contain a cache entry for the IP to egress VTEP binding, it sets the VTEP address to the anycast VTEP, which performs an inline HW lookup and the egress VTEP rewrite. No additional latency nor any decrease in throughput due to the lookup
5. Egress Leaf will swap outer VXLAN with the correct egress encapsulation and perform any required policy (Payload | IP | NVGRE | GRE | IP)
6. Leaf forwards frame to vSwitch or directly to physical server
7. Packet transmitted on vSwitch port (Payload | IP)

Figure: vSwitch (VMware) and vSwitch (MSFT) attached to leaf VTEPs across the fabric.

Page 22: Aci breakout session


Distributed Default Gateway / Directed ARP Forwarding

•  ACI Fabric supports full Layer 2 and Layer 3 forwarding semantics; no changes required to applications or endpoint IP stacks
•  ACI Fabric provides optimal forwarding for Layer 2 and Layer 3
‒  Fabric provides a pervasive SVI, which allows for a distributed default gateway
‒  Layer 2 and Layer 3 traffic are directly forwarded to the destination endpoint
•  IP ARP and GARP packets are forwarded directly to the target endpoint address contained within the ARP or GARP header (elimination of flooding)

Figure: endpoints 10.1.1.10, 10.1.3.11, 10.6.3.2 and 10.1.3.35 across leaf switches, with APIC.

Page 23: Aci breakout session


•  The forwarding table on the Leaf switch is divided between local (directly attached) and global entries

•  The Leaf global table is a cached portion of the full global table

•  If an endpoint is not found in the local cache the packet is forwarded to the ‘default’ forwarding table in the spine switches (1,000,000+ entries in the spine forwarding table)

Figure: leaf forwarding tables, with Proxy A and Proxy B in the spines.

•  Local station table contains addresses of all hosts attached directly to the iLeaf (e.g. 10.1.3.11 on Port 9)
•  Global station table contains a local cache of the fabric endpoints (e.g. 10.1.3.35 via Leaf 3, fe80::8e5e, fe80::5b1a, with Proxy A as the * default entry)
•  Proxy station table contains addresses of all hosts attached to the fabric (entries such as 10.1.3.11 Leaf 1, 10.1.3.35 Leaf 3, fe80::462a:60ff:fef7:8e5e and fe80::62c5:47ff:fe0a:5b1a on Leaf 4 and Leaf 6)
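The lookup order just described (local station table, then the global cache, then the spine proxy via the anycast VTEP, which is step 4b of the unicast forwarding slide), as an added example that is not Cisco code. The leaf, the proxy table, the VTEP names and the cache size are constructed; the endpoint addresses are the ones shown in the figure.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

PROXY_ANYCAST_VTEP = "10.0.255.1"   # constructed anycast VTEP address of the spine proxies


@dataclass
class Leaf:
    name: str
    vtep: str
    local: dict = field(default_factory=dict)         # endpoint -> local port
    global_cache: dict = field(default_factory=dict)  # endpoint -> remote VTEP (cached)
    cache_limit: int = 4                              # the global table is only a cache

    def lookup(self, dst: str) -> tuple:
        """Return (outcome, next hop): a local port, a cached remote VTEP, or the
        anycast proxy VTEP so the spine performs the inline lookup (step 4b)."""
        key = str(ip_address(dst))   # canonical text form for IPv4 and IPv6
        if key in self.local:
            return "local", f"port {self.local[key]}"
        if key in self.global_cache:
            return "cached", self.global_cache[key]
        return "proxy", PROXY_ANYCAST_VTEP

    def learn(self, dst: str, vtep: str) -> None:
        """Populate the global cache; evict the oldest entry when full, since the
        leaf holds only a cached portion of the full table kept in the spines."""
        key = str(ip_address(dst))
        if key not in self.global_cache and len(self.global_cache) >= self.cache_limit:
            del self.global_cache[next(iter(self.global_cache))]
        self.global_cache[key] = vtep


def build_fabric() -> tuple:
    """Constructed Leaf 1 plus the spine proxy table (all fabric endpoints)."""
    proxy = {"10.1.3.11": "leaf1-vtep", "10.1.3.35": "leaf3-vtep",
             "fe80::462a:60ff:fef7:8e5e": "leaf4-vtep",
             "fe80::62c5:47ff:fe0a:5b1a": "leaf6-vtep"}
    leaf1 = Leaf("Leaf 1", "leaf1-vtep", local={"10.1.3.11": 9},
                 global_cache={"10.1.3.35": "leaf3-vtep"})
    return leaf1, proxy


def forward(leaf: Leaf, proxy: dict, dst: str) -> tuple:
    """Full path: leaf decision, then (for 'proxy') the spine rewrite. A
    destination unknown to the spine proxy as well is dropped."""
    outcome, hop = leaf.lookup(dst)
    if outcome != "proxy":
        return outcome, hop
    key = str(ip_address(dst))
    if key in proxy:
        leaf.learn(key, proxy[key])   # the leaf caches the binding for next time
        return "proxy-rewritten", proxy[key]
    return "drop", ""


if __name__ == "__main__":
    leaf1, proxy = build_fabric()
    for dst in ("10.1.3.11", "10.1.3.35", "fe80::462a:60ff:fef7:8e5e", "fe80::462a:60ff:fef7:8e5e", "10.9.9.9"):
        print(dst, "->", forward(leaf1, proxy, dst))
```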

Page 24: Aci breakout session


•  Elastic service insertion architecture for physical and virtual services

•  Helps enable administrative separation between application tier policy and service definition

•  APIC as central point of network control with policy coordination

•  Automation of service bring-up/tear-down through programmable interface

•  Supports existing operational model when integrated with existing services

•  Service enforcement guaranteed, regardless of endpoint location

Figure: service insertion. The Application Admin defines App Tier A (Web Servers) and App Tier B (App Server) with policy redirection through the chain “Security 5”; the Service Admin defines the Service Graph (begin, Stage 1 ….. Stage N, end), the providers (Firewall and Load Balancer instances) and the Service Profile. “Security 5” Chain Defined.

Page 25: Aci breakout session


•  Service automation requires a vendor device package. It is a zip file containing:
‒  Device specification (XML file)
‒  Device scripts (Python)
•  APIC interfaces with the device using the device Python scripts
•  APIC uses the device configuration model provided in the package to pass appropriate configurations to the device scripts
•  Device script handlers interface with the device using its REST or CLI interface

Device Package, Device Specification (fragment as shown on the slide):
<dev type=“f5”>
<service type=“slb”>
<param name=“vip”>
<dev ident=“210.1.1.1” <validator=“ip” <hidden=“no”> <locked=“yes”>

Figure: the APIC node (Policy Element with the Device Model, Script Engine and APIC Script Interface) runs the device-specific Python scripts, which talk to the Service Device over its REST/CLI device interface.

Page 26: Aci breakout session


Overview of ACI Fabric Policy Mechanisms

1. Packets identified as belonging to a specific end point group (EPG) based on ingress classification (port group, physical port, IP address, VLAN)
2. vSwitch encapsulates packets associated with an EPG using the assigned VLAN/VXLAN/NVGRE identifier
3. Based on classification, Leaf populates the matching Source Group field of the eVXLAN header (Payload | VNID | Flags | aVTEP | SRC Group)
4. If Leaf knows the egress EPG associated with the inner packet destination, it will check policy rules and implement the required function; if invoked, policy bits are set to indicate ingress policy invoked
5. If application policy indicates that service chaining is required, the fabric will set the destination VTEP to the next hop in the chain until all steps in the chain are complete
6. Egress Leaf examines policy flags in the eVXLAN header and, if required, implements the required policy function
7. Leaf forwards frame to vSwitch to be forwarded to the VM, or directly to the physical server (Payload | IP | NVGRE | GRE | IP). Any egress vSwitch policy is enforced based on port group

Figure: vSwitch (VMware) and vSwitch (MSFT) attached to the fabric.

Page 27: Aci breakout session


Partner | ACI Integration | ETA
F5 (Big IP physical and virtual) | Service policy automation, service chaining & insertion, health score | Now
Cisco ASA (5585 8.4 and ASAv 9.2.1) | Service policy automation, service chaining & insertion, health score | Now
Citrix (NetScaler MPX, SDX, VPX, NetScaler 1000v) | Service policy automation, service chaining & insertion, health score | Now
Palo Alto Network | Automation of security policies and central point of mgmt through APIC | Now
A10 | SLB policy automation, service chaining & insertion, health score | Now
Check Point | Automation of security policies and central point of mgmt through APIC | Now
Cisco Sourcefire | Automation of IPS policies and central point of mgmt through APIC | Now
Radware | Automation of ADC and DDoS policies, with central point of mgmt through APIC | Now
Cisco CSR | Automation of NAT and SGT policies (under discussion), with central point of mgmt | Future
Cisco WAAS | Automation of WAN Optimization policies, with central point of mgmt through APIC | Future
Fortinet | Automation of security policies and central point of mgmt through APIC | Now
Kemp | Automation of ADC policies and central point of mgmt through | Future
McAfee | Automation of security policies and central point of mgmt through APIC | Now
Riverbed | Automation of virtual ADC & WAN Opt policies, with central point of mgmt through APIC | Future
Symantec | Symantec security automation, backup and recovery, infrastructure compliance | Now
Avi Networks | Virtual L4-L7 service automation, service chaining and insertion, analytics | Now
CatBird | Virtual security policy automation, PCI compliance, health score | Future

Page 28: Aci breakout session


Partner | ACI Integration | ETA
VMware | ESX, vCenter, vShield: Integrated Overlay, VLAN & VXLAN; App visibility, Mobility | Now
Canonical | OpenStack: Ubuntu; Automation, Telemetry, and Distributed L2/L3 behavior | Now
Red Hat | KVM/OpenStack: RHEL 7, RH OpenStack 5; Automation, Telemetry, and L2/L3 | Now
Microsoft | SCVMM & Azure Pack Integration: VM Networks, VLAN, NVGRE; App visibility, Mobility | Now
EMC Storage | EMC SMARTS: Fault and Performance Mgmt, Config & Compliance, Flow Monitoring; EMC VIPER: Automated storage provisioning (File+block), Monitoring & Troubleshooting; EMC Isilon: App policy Mgmt, network Load Balancing, Template based provisioning, Monitoring and Troubleshooting; EMC Pivotal: Network Load Balancing, Template based provisioning | Now
Nutanix | Integration with Nutanix Prism; Integrated App visibility: Compute + Storage + Network | Now

Page 29: Aci breakout session


Partner | ACI Integration | ETA
Cisco Prime Infrastructure | Fabric and application monitoring; Correlate Nexus data with storage, OS, applications, and virtual and physical infrastructure for enterprise-wide visibility | Now
CA Technologies | CA Nolio: Support of DevOps use cases, secure cloning of application profiles; CA Nimsoft: Fault and Performance Management integration | Now
Cisco UCS Director | Cloud Management with Unified Infrastructure management; Support for FlexPod with ACI | Now
Splunk | Proactively monitor performance, visualize network telemetry; Correlate ACI application data with storage, OS, applications, and virtual and physical infrastructure for enterprise-wide visibility | Now
Zenoss | Unified Infrastructure Management across compute (UCS), network (ACI) and storage (NetApp, EMC); Application Dependency Mapping, fabric health score and application health scores | Now
IBM Smart Cloud Orchestrator | Cloud Management with integration with ACI OpenStack plugin | Now
Cisco NAM and NGA | Application Dependency Mapping; Migration from existing DC networks to ACI, 100% NetFlow visibility | Now
IBM Tivoli | Fault Management with SNMP and syslog messages | Now
BMC | Cloud Management with BMC Cloud Life Cycle Management | Now *
Cisco IAC | Use cases defined, CC to be completed | Future
CloudStack | Cloud Management offering | Now
vRA | Cloud Management offering | Now

Page 30: Aci breakout session


Partner | ACI Integration | ETA
EMC VSPEX | Extension of ACI policies to EMC storage, with converged stack offering | Now
Hitachi Data Systems | Extension of ACI policies and automation to Hitachi converged stack | Now
Cloudera | Acceleration and visibility of Hadoop/big data | Now
NetApp FlexPod | Integrated stack with standalone N9K + NetApp Storage | Now
VCE Vblock | Integrated stack with Vblock + N9K | Now
SAP | SAP Business Warehouse on SAP HANA + ACI + Vblock; Accelerate app deployment, app visibility | Now
MapR | Acceleration and visibility of Hadoop/big data | Now
Hortonworks | Acceleration and visibility of Hadoop/big data | Now

Page 31: Aci breakout session


•  Integrated gateway for VLAN, VXLAN, and NVGRE networks from virtual to physical

•  Normalization for NVGRE, VXLAN, and VLAN networks

•  Customer not restricted by a choice of hypervisor

•  Fabric is ready for multi-hypervisor

Virtual Integration

Figure: the Network Admin and the Application Admin operate the ACI Fabric through APIC; physical servers (VLAN) and hypervisors (ESX, Hyper-V, KVM, Xen from VMware, Microsoft and Red Hat) attach using VLAN, VXLAN or NVGRE, with hypervisor management integrated with APIC.

Page 32: Aci breakout session


•  Network policy coordination with virtualization managers

•  Automatic virtual endpoint detection and policy placement

•  Policies consistently implemented in virtual and physical

•  Network policy stays sticky with VM

Virtual Integration: Hypervisor Management

Figure: Application Profile (Web, App, DB) on APIC; network policy coordination with the VMware, Microsoft, Red Hat and Xen hypervisor managers; VM attach/detach notifications and VM mobility notifications; EPGs mapped to PortGroups / VM Networks.

Page 33: Aci breakout session


Cisco APIC and VMware vCenter Initial Handshake

1. Cisco APIC and VMware vCenter initial handshake
2. Create VDS (Virtual Distributed Switch)
3. Attach Hypervisor to VDS
4. Learn location of ESX Host through LLDP
5. APIC Admin creates Application Policy (Application Network Profile: EPG WEB, EPG APP, EPG DB with F/W and L/B)
6. Automatically map EPG to Port Groups
7. Create Port Groups (WEB, APP and DB Port Groups on the VDS)
8. VI/Server Admin instantiates VMs and assigns them to Port Groups
9. Push Policy (On Demand) to the ACI Fabric

Figure: vCenter Server, hypervisors on the Virtual Distributed Switch with Web, App and DB VMs, ACI Fabric and APIC.


Page 35: Aci breakout session


ACI Plugin for vCenter (vSphere Web Client for vSphere 6.x)

Empower Virtualization Admin to Define Network Connectivity
•  Establish connectivity to the ACI Fabric
•  Create/Manage Tenants, Subnets, Application Profiles
•  Create ACI Port Groups
•  Define Security Policies
•  Monitor Health Scores

Available now

Figure: the VI Admin manages Network, Compute and Storage from vCenter.

Page 36: Aci breakout session


Configuring a new ACI Fabric directly from vCenter

“Manage ACI Fabrics”

Page 37: Aci breakout session


Microsoft Integration with ACI: Two Modes of Operation

Integration with SCVMM
•  Policy Management: Through APIC
•  Software / License: Windows Server with Hyper-V, SCVMM
•  Encapsulations: VLAN
•  Plugin Installation: Manual

Integration with Azure Pack
•  Superset of SCVMM
•  Policy Management: Through APIC or through Azure Pack
•  Software / License: Windows Server with Hyper-V, SCVMM, Azure Pack (free)
•  Encapsulations: VLAN, NVGRE
•  Plugin Installation: Integrated


Page 39: Aci breakout session


ACI Hypervisor Integration – Microsoft SCVMM

Cisco APIC and MSFT SCVMM Initial Handshake
1. Cisco APIC and MSFT SCVMM initial handshake
2. Create Virtual Switch
3. Attach Hypervisor to Virtual Switch
4. Learn location of HyperV Hosts
5. APIC Admin creates Application Policy (Application Network Profile: EPG WEB, EPG APP, EPG DB with F/W and L/B)
6. Automatically map EPG to VM Networks
7. Create VM Networks (WEB, APP and DB VM Networks on the HyperV Virtual Switch)
8. SCVMM Admin instantiates VMs and assigns them to VM Networks
9. Push Policy to the ACI Fabric

Figure: MSFT SCVMM, hypervisors on the HyperV Virtual Switch with Web, App and DB VMs, ACI Fabric and APIC.


Page 41: Aci breakout session


OpenStack VMM Domain

•  KVM Hypervisor Operational Data
•  Per Hypervisor / Per Group View
•  Per EP stats, Health scores, faults


Page 43: Aci breakout session


•  Unified point of data center network automation and management:
‒  Application-centric network policies
‒  Data model-based declarative provisioning
‒  Application, topology monitoring, and troubleshooting
‒  Third-party integration (Layer 4 - 7 services, storage, compute, WAN, etc.)
‒  Image management (Spine / Leaf)
‒  Fabric inventory
•  Single APIC cluster supports one million+ endpoints, 200,000+ ports, 64,000+ tenants
•  Centralized access to all fabric information - GUI, CLI, and RESTful APIs
•  Extensible to compute and storage management

Figure: APIC with an Open RESTful API and Policy-Based Provisioning serving the Storage, Server, Network, Security, App. and OS SMEs; Layer 4..7 System Management, Storage Management and Orchestration Management attach through the API.

Page 44: Aci breakout session


•  Applications fully use clustered and replicated controller (N+1, N+2, etc.)

•  Any node is able to service any user for any operation

•  Seamless APIC node adds and deletes

•  Fully automated APIC software cluster upgrade with redundancy during upgrade

•  Cluster size driven by transaction rate requirements

•  APIC is not in the control or data paths

Single Point of Management Without a Single Point of Failure

APIC Cluster: Distributed, Synchronized, Replicated

Page 45: Aci breakout session


Figure: a 3-31 node APIC cluster over the ACI Fabric; each APIC node runs the Topology, Policy, Observer and Boot functions, and each function's data is split into shards spread across the nodes of the cluster.

•  A shard is the unit of data management

•  Data is placed into shards

•  Each shard has 3 replicas

•  Shards are evenly distributed across the cluster

•  This allows horizontal (scale-out) scaling and simplifies the scope of replication

•  Each APIC node has all APIC functions; however, processing is evenly distributed

•  Shard data assignments are based on a pre-determined hash function

•  A static shard layout determines the assignment of shards to appliances

APIC Clustering
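To make the sharding bullets concrete, here is a small added model (not Cisco's code, and not APIC's real hash or layout table): a deterministic hash maps data keys to shards, an illustrative round-robin layout places each shard's 3 replicas on different nodes, and a majority rule (a shard stays writable while 2 of its 3 replicas are on live nodes, an assumption the slide does not state) is used to check how many simultaneous node losses the layout tolerates.

```python
import hashlib
from itertools import combinations

REPLICAS = 3  # from the slide: each shard has 3 replicas


def shard_for(key: str, num_shards: int) -> int:
    """Pre-determined hash function: the same key always maps to the same shard."""
    digest = hashlib.sha256(key.encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % num_shards


def static_layout(num_shards: int, num_nodes: int) -> dict:
    """Static shard layout (illustrative round-robin, not APIC's actual table):
    shard s is replicated on nodes s, s+1, s+2 (mod cluster size)."""
    if num_nodes < REPLICAS:
        raise ValueError("cluster must have at least as many nodes as replicas")
    return {s: tuple((s + r) % num_nodes for r in range(REPLICAS))
            for s in range(num_shards)}


def replicas_per_node(layout: dict, num_nodes: int) -> list:
    """How many shard replicas each node hosts; an even spread means equal counts."""
    load = [0] * num_nodes
    for nodes in layout.values():
        for n in nodes:
            load[n] += 1
    return load


def writable_shards(layout: dict, failed: set) -> int:
    """Shards that keep a majority (2 of 3) of replicas on live nodes.
    The majority rule is the assumed availability model, not stated on the slide."""
    return sum(1 for nodes in layout.values()
               if sum(n not in failed for n in nodes) * 2 > REPLICAS)


def tolerated_failures(layout: dict, num_nodes: int) -> int:
    """Largest k such that ANY k simultaneous node failures leave every shard writable."""
    k = 0
    while k < num_nodes:
        if any(writable_shards(layout, set(down)) < len(layout)
               for down in combinations(range(num_nodes), k + 1)):
            return k
        k += 1
    return k


if __name__ == "__main__":
    layout = static_layout(num_shards=10, num_nodes=5)
    print("replicas per node:", replicas_per_node(layout, 5))
    print("tolerated simultaneous node failures:", tolerated_failures(layout, 5))
```

Adding nodes spreads the replicas thinner per node but, with 3 replicas per shard, the layout still only guarantees survival of a single simultaneous node loss; that is why cluster size is driven by transaction rate rather than by fault tolerance.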

Page 46: Aci breakout session


•  APIC one time setup is via UCS console access

•  Cluster configuration

  Fabric Name

  Number of controllers [1..9]

  Controller ID [1..9]

  TEP Address pool [10.0.0.1/16]

  Infra VLAN ID [4093]

•  Out-of-band management configuration

  Management IP address [192.168.10.1/254]

  Default gateway [192.168.10.254]

•  Admin user configuration

  Enable strong passwords (Y/N)

  Password

After the first-time setup, the APIC UI is accessible at the URL https://<APIC-mgmt-IP>

Page 47: Aci breakout session


•  ACI Fabric supports discovery, boot, inventory, and systems maintenance processes through the APIC

‒  Fabric discovery and addressing

‒  Image management

‒  Topology validation through wiring diagram and systems checks

[Diagram: APIC Cluster (APIC, APIC, APIC) attached to the fabric; topology discovery through LLDP; loopback and VTEP IP addresses allocated from the “infra VRF” through DHCP from the APIC]

Page 48: Aci breakout session


[Diagram: ISE, an ACI Fabric containing the Corp EPG (Marketing and Engineering users, SGT 333 shown) and the DB EPG, and an ASA that learns SGT mappings from ISE over SXP]

APIC Policy Contract:

  Corp→DB : Allow, Redirect to ASA

  All Other : Drop

ASA policy (by SGT):

  Source      Destination   Action

  Engineering Any           Allow

  Any         Any           Deny

1. Corporate users on a traditional Nexus 7000 in the Corp EPG get assigned SGT values by ISE

2. The ASA learns the SGT mappings out-of-band through SXP

3. Coarse filtering: the ACI Policy Contract allows all traffic from the corporate network to the database and redirects it to the ASA

4. Fine filtering: the ASA permits only Engineering to access the database from the corporate network, based on SGT
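The four-step flow above, as an added simulation (not Cisco's code): a constructed IP-to-SGT table stands in for what ISE assigned and the ASA learned over SXP, the contract table is the coarse EPG-level filter in the fabric, and the ASA rule list is the fine SGT-based filter applied only to traffic the contract redirected. All addresses, SGT numbers and EPG names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_ip: str    # corporate user's address
    src_epg: str   # EPG the fabric classified the source into
    dst_epg: str   # EPG of the destination
    dst_port: int


# Steps 1 and 2 (constructed values): ISE assigned SGTs to corporate users and
# the ASA learned the IP -> SGT bindings out-of-band through SXP.
SXP_BINDINGS = {"10.10.1.15": 10, "10.10.2.40": 20}
SGT_NAMES = {10: "Engineering", 20: "Marketing"}

# Step 3: APIC policy contract keyed on (source EPG, destination EPG).
# Corp -> DB is allowed and redirected to the ASA; everything else is dropped.
CONTRACT = {("Corp", "DB"): ("allow", "asa")}

# Step 4: ASA rules, first match wins: Engineering may reach anything, all else denied.
ASA_RULES = [("Engineering", "Any", "allow"), ("Any", "Any", "deny")]


def apic_contract(flow: Flow) -> tuple:
    """Coarse filtering in the fabric: EPG-level verdict plus optional redirect target."""
    return CONTRACT.get((flow.src_epg, flow.dst_epg), ("drop", None))


def asa_filter(flow: Flow) -> str:
    """Fine filtering on the ASA: resolve the source SGT via the SXP table, then match."""
    sgt_name = SGT_NAMES.get(SXP_BINDINGS.get(flow.src_ip), "Unknown")
    for src, dst, action in ASA_RULES:
        if src in ("Any", sgt_name) and dst in ("Any", flow.dst_epg):
            return action
    return "deny"  # implicit deny if no rule matched


def evaluate(flow: Flow) -> tuple:
    """Returns (where the decision was made, verdict) for one flow."""
    verdict, redirect = apic_contract(flow)
    if verdict != "allow":
        return ("fabric", "drop")   # never reaches the ASA
    if redirect is None:
        return ("fabric", "allow")  # allowed in hardware without service insertion
    return (redirect, asa_filter(flow))


if __name__ == "__main__":
    for f in (Flow("10.10.1.15", "Corp", "DB", 1433), Flow("10.10.2.40", "Corp", "DB", 1433)):
        print(f.src_ip, "->", f.dst_epg, evaluate(f))
```

Note that a source with no SXP binding falls through to the ASA's final deny, so a stale or missing binding fails closed rather than open.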

Page 49: Aci breakout session


Network is Simpler

Policy Model = Network Constructs

NX-OS CLI

Standard Designs

Troubleshooting & Visibility

Zero Touch Provisioning (LLDP, IS-IS)

CLOS Leaf-Spine Architecture

Automated Forwarding Plane (VXLAN)

Achieve faster infrastructure agility

EPG = VLAN, VXLAN

Bridge Domain, VRF

1:1 Parity between CLI, GUI and APIs

Stretched Fabric

Multi-pod, Multi-site

(Future directions)

Ping, Traceroute, Atomic Counters, SPAN

[Diagram: Outside; Tenant “Common”; Private Network (VRF); Bridge Domain (Hardware Proxy); SITE 1, Interconnect, SITE 2]

Page 50: Aci breakout session


[Diagram: APIC reached through the ACI Toolkit, an NX-OS like CLI, and custom Python scripts]

ACI toolkit

Now available @ http://datacenter.github.io/acitoolkit/

Simple toolkit built on top of APIC API

Scripts built with the toolkit are easy to read

Focused primarily on configuration

Preserves the ACI concepts

Page 51: Aci breakout session


NX-API

Page 52: Aci breakout session


UCS Director: Multi-vendor Support

Agility and Simplicity for Virtualized and Bare-Metal IT Services

Centralized Lifecycle Management of Physical and Virtualization Infrastructure

[Diagram: UCS Director between Virtual Infrastructure and Physical Infrastructure (UCS, Nexus), serving IT Admins, IT Operations and End Users; blocks include Open API for Integration, Self Service Portal, OS, VM, App Deployment, Admin / End User Console, Policy Manager, Service Request Approvals, Resource Pools, Consumption Cost Model, Metering / Utilization; integrations shown are Cisco ASAv, ISE and Cisco VACS]

Page 53: Aci breakout session


CliQr

Page 54: Aci breakout session


vRealize Automation

Page 55: Aci breakout session


•  10-20% Compute and Storage Optimization

•  58% Reduced Network Provisioning

•  21% Reduced Management Costs

•  45% Reduced Power and Cooling Costs

•  25% CAPEX Reduction

“Cisco’s open standards approach makes ACI even stronger. We conducted testing on ACI … it fully delivered everything we expected, and proved to be quite stable and mature.”

Nik Weidenbacher Principal Engineer, SunGard

“Cisco ACI is an open, future-proofed data center architecture that can continue to grow as we enhance client services.”

Chuck Crane, Network and Security Architect, Acxiom

“This will enable Telstra to deliver service agility, security and performance that our customers expect from an enterprise grade cloud.”

Erez Yarkoni Executive Director, Telstra

Nexus 9000 and ACI Delivering Business Outcomes

[Diagram labels: Greater Business Agility; Lower Capital Expenses; Reduced Costs / Complexity; Lower Operating Cost; Resource Optimization]

Page 56: Aci breakout session


APIC

Page 57: Aci breakout session


Architecture Design Implementation Operation

PEOPLE – PROCESS - TOOLS

Page 58: Aci breakout session


Two Big Questions


“Is ACI a Closed System?” “Do I need to replace all of my existing infrastructure to begin leveraging ACI?”

ABSOLUTELY NOT !!! Let’s see WHY and HOW …

Page 59: Aci breakout session


[Diagram: on the left, an existing 2K-7K Fabric with AVS on virtual hosts (App/OS) and physical hosts, to which an ACI Policy Engine and APIC are added; on the right, an N9K ACI fabric with APIC, N2K FEX and a WAN/DCI or DC Core, again serving virtual and physical hosts; the two halves are labelled Extend and Integrate]

•  ACI Leaf Overlay

  Full Policy & Management Model

  Seamless HW GWY integration

•  ACI Policy Engine

  Full Policy Model

  Zero impact to existing fabric

  Appliance style addition to fabric

•  N2K Integration in ACI Fabric

  Deploy N2K in ACI fabric

•  ACI Integrated DCI

  Automated DCI integration

  Large Scale Tenant Extension

Page 60: Aci breakout session


•  WAN and L3 DCI Connection

  L3 connection between ACI and an external WAN router

  Provides the WAN/Internet connection for a tenant

  L3 DCI to a remote data center

•  L2 DCI

  L2 handoff to an external platform (N7K, ASR9K, ASR1K, etc.)

  The external platform provides the L2 DCI solution with OTV or VPLS

•  Connect an existing network to ACI

  Brownfield migration

  Connect existing workloads to the ACI fabric

[Diagram: ACI Fabric with a Web VLAN, connected outward to the WAN, an L3 DCI and an L2 DCI]

Page 61: Aci breakout session


[Diagram: a non-ACI Backbone and three vPC pairs attached to ACI leaf nodes with VLAN Trunking; labels: Map VLAN to internal EPG, L2 outside from border leaf]

•  Connect non-ACI networks to ACI leaf nodes

•  Connect at L2 with VLAN trunks (802.1Q)

•  Objective: map VLANs to EPGs and extend the policy model to non-ACI networks

Page 62: Aci breakout session


•  Border Leaf

  Any leaf can be a border leaf

  No limit on the number of border leaves in the fabric

  Provides connectivity and policy enforcement for outside traffic

•  Routing Protocols

  Static routes

  OSPF, iBGP, eBGP, EIGRP and IPv6

  BGP-EVPN in the future (GOLF)

•  Choice of Interfaces

  L3 interfaces

  L3 sub-interface: VRF-lite for multi-tenancy

  SVI interface: L2 and L3 outside connection on the same port

[Diagram: ACI Fabric with border leaves connecting outward]

Page 63: Aci breakout session


Single APIC Cluster/Single Domain

•  Stretched Fabric: Site 1 and Site 2 form one ACI Fabric

•  Multi-POD (Q2CY16): POD ‘A’ and POD ‘B’ (Web/App, DB) under one APIC Cluster, interconnected with MP-BGP - EVPN

Multiple APIC Clusters/Multiple Domains

•  Dual-Fabric Connected (L2 and L3 Extension): ACI Fabric 1 and ACI Fabric 2 (DB, Web, App) joined over L2/L3

•  Multi-Site (Future): Site ‘A’ and Site ‘B’ (Web, DB, App) over an IP Network with MP-BGP - EVPN

Page 64: Aci breakout session


ACI Stretched Fabric

[Diagram: Site 1, Site 2 and Site 3 joined through Transit Leaf links of 2x40G or 4x40G]

•  Transit leafs in all sites connect to the local and remote spines

Page 65: Aci breakout session


ACI Multi-POD Solution Overview

[Diagram: POD ‘A’ ... POD ‘n’ connected over an IP Transport (Inter-POD Network), each POD running IS-IS, COOP, MP-BGP; Single APIC Cluster]

•  Multiple ACI PODs connected by an IP Inter-POD L3 network; each POD consists of leaf and spine nodes

•  Managed by a single APIC Cluster

•  Single Management and Policy Domain

•  End-to-end policy enforcement

•  Forwarding control plane (IS-IS, COOP) fault isolation

Page 66: Aci breakout session


Multi-Site ACI Fabric

[Diagram: Site ‘A’ and Site ‘B’ (Web, DB, App) connected over an IP Network with mBGP - EVPN]

•  Host Level Reachability Advertised between Fabrics via BGP

•  Transit network is an IP network

•  Host Routes do not need to be advertised into the transit network

•  Policy Context is carried with packets as they traverse the transit IP Network

•  Support advanced ACI forwarding features (Distributed GW, Spine proxy, ARP direct forwarding, etc.)

•  Support multiple Fabrics

•  Great scalability (inter-fabric traffic doesn’t need to traverse the border leaf)

Page 67: Aci breakout session


ACI Integration with WAN at Scale

Project GOLF: Supported Topology and Design

[Diagram: three supported designs, each peering with the WAN over MP-BGP EVPN: Directly Connected WAN Routers; Remote WAN Routers across an IP Network; Multi-POD + GOLF across an IP Network]

Page 68: Aci breakout session


Next

•  Policy Based Routing

•  Permit Logging

•  Security (DoD, CC, FIPS)

•  Authentication of endpoint before admission into EPG

•  Copy Service

•  50 vCenter per Fabric

•  Tetration

•  Multi-Pod

•  Project GOLF

•  FCoE NPV

Future

•  Multi-Site

•  Security (TrustSec)

•  AzureStack

•  IPAM Integration

•  Converged ACI Stack

•  MACSec

•  2-Factor Authentication

•  10G Breakout

•  Hot and Cold Patching

•  QinQ

NOTE: Future and beyond are in planning stage

Page 69: Aci breakout session

Thank you.