
Evolve your Datacenter with ACI

Lilian Quan – Principal Engineer, INSBU
Tim Garner – TME, INSBU
Erum Frahim – Technical Leader, Services
LTRACI-1210
This session helps participants understand the key concepts of the new SDN-based data center solution, Application Centric Infrastructure (ACI). Using the Application Policy Infrastructure Controller (APIC), it shows how to transition traditional networks to ACI. Students of this class will learn how to configure and deploy the ACI Application Network Profile, integrate services such as firewalls, program the fabric using Python and the API, and scale the environment.

The presentation is downloadable at: https://cisco.box.com/ltraci-1210-presentation

3
Agenda
• Cisco ACI Overview
• ACI Application Network Profile
• ACI Multi-Tenancy Construct
• ACI Policy Contract
• ACI Layer4-7 Service Integration
• Hypervisor Integration
• ACI Adoption Model
• Migration to ACI
• Lab Introduction

5
ACI and Nexus 9000 Breaking Away

6000+ Nexus 9K and ACI Customers Globally
1400+ APIC Customers
50+ Ecosystem Partners

Ecosystem areas: Storage, Security, Compute, Network, Application, Cloud

6
Application Centric Infrastructure
Cisco’s SDN Solution for Data Center Networking
Rapid Deployment of Applications onto Networks with Scale, Security and Full Visibility

• Integrated GBP VXLAN Overlay
• Group-Based Policies
• ACI Fabric Controller – Best SDN Controller, Interop 2015
7
Logical Provisioning of Stateless Hardware
Power of Abstraction

Mobile Phone: the SIM Card is the identity for a phone.
UCS: the UCS Service Profile is the identity for a server.

UCS Service Profile – Unified Device Management
• Network Policy
• Storage Policy
• Server Policy
8
ACI Fabric:
Logical Provisioning of Stateless Network

[Diagram: ACI Fabric – Application Profile Manager – Identity for the Network]

• Extend the principle of Cisco UCS® service profiles to the entire fabric
• Network profile: stateless definition of application requirements
  − Application tiers
  − Connectivity policies
  − Layer 4 – 7 services
  − XML/JSON schema
• Fully abstracted from the infrastructure implementation
  − Removes dependencies of the infrastructure
  − Portable across different data center fabrics

9
Application Policy Model and Instantiation

Application policy model: Defines the application requirements (application network profile)
[Diagram: Client – Web Tier – App Tier – DB Tier – Storage]

Policy instantiation: Each device dynamically instantiates the required changes based on the policies
[Diagram: VMs at 10.2.4.7, 10.9.3.37 and 10.32.3.7 attached to the fabric]

All forwarding in the fabric is managed through the application network profile
• IP addresses are fully portable anywhere within the fabric
• Security and forwarding are fully decoupled from any physical or virtual network attributes
• Devices autonomously update the state of the network based on configured policy requirements

10
ACI Fabric – Application Agility & Visibility

[Diagram: per-Application and per-Tenant Health Scores, derived from telemetry on systems, packets dropped (0 and 25 dropped in the example), latency and isolation]

APP VISIBILITY
APP MOBILITY

12
Cisco ACI Fabric Multi-Tenancy Construct
Tenants

[Diagram: Pepsi-Tenant, Coke-Tenant]

A Tenant is a container for all network, security, troubleshooting and L4 – 7 service policies.

Tenant resources are isolated from each other, allowing management by different administrators.

13
Cisco ACI Fabric Multi-Tenancy Construct
Private Networks

[Diagram: Pepsi-Tenant and Coke-Tenant, each containing Private Network 1 and Private Network 2]

Private networks (also called VRFs or contexts) are defined within a tenant to allow isolated and potentially overlapping IP address space.

14
Cisco ACI Fabric Multi-Tenancy Construct
Bridge Domains

[Diagram: Pepsi-Tenant and Coke-Tenant; Private Network 1 contains Bridge Domain 1 and Bridge Domain 2, Private Network 2 contains Bridge Domain 3 and Bridge Domain 4]

Within a private network, one or more bridge domains must be defined.

A bridge domain is a L2 forwarding construct within the fabric, used to constrain broadcast and multicast traffic.

15
Cisco ACI Fabric Multi-Tenancy Construct
End Point Groups (EPGs)

[Diagram: Pepsi-Tenant and Coke-Tenant; each Bridge Domain (1 to 4) in Private Network 1 and 2 holds one or more EPGs]

EPGs exist within a single bridge domain only – they do not span bridge domains.

16
Cisco ACI Fabric Multi-Tenancy Construct
Mapping the Configuration to the Packet

[Diagram: Coke-Tenant with Private Network 1 (Bridge Domain 1 EPG, Bridge Domain 2 EPG) and Private Network 2 (Bridge Domain 3 EPG EPG, Bridge Domain 4 EPG)]

• ACI Fabric leverages VXLAN Encapsulation to build network overlay
• VXLAN Source Group is used as a tag/label to identify the specific end point for each application function (EPG)
• Policy is enforced between an ingress or source application tier (EPG) and an egress or destination application tier (EPG)
• Policy can be enforced at source or destination

VXLAN header fields as labelled on the slide: Flags | Flags/DRE | Source Class ID == EPG | VNID == BD/VRF | M/LB/SP | E

18
Cisco ACI Fabric Multi-Tenancy Construct
Tenant “Coke”

Infrastructure
• Private Network 1
  − Bridge Domain 172: Subnet 172.1.1.0/24, Subnet 172.1.2.0/24, … , Subnet 172.20.1.0/24
  − Bridge Domain 10: Subnet 10.1.1.0/24, Subnet 10.1.2.0/24, …
• Private Network 2
  − Bridge Domain 100: Subnet 10.1.1.0/24

Apps
• EPG WEB, EPG APP, EPG DB (and EPG web, EPG app, EPG db), connected by Policy “HTTP” and Policy “SQL”

19
Defining Application Logic Through Policy
Applications and Conversations

[Diagram: Users – Web Farm – App Servers – DB Farm]

• Application communication can be defined as who is allowed to talk to whom.
• Communication between objects on the network can be thought of as one or two way conversations (monologue/dialogue).

20
Defining Application Logic Through Policy
The Provider Consumer Relationship

[Diagram: Users consume Web Services; the Web Farm provides Web Services and consumes App Services; the App Servers provide App Services]

Provider consumer relationships define application connectivity in application terms. All objects can provide, consume, or both.

21
Building ACI Contracts

Subject = Filter | Action | Label, for example: TCP Port 80 | Permit | Web Access

Subjects are a combination of a filter, an action and a label.

Contract 1 contains Subject 1, Subject 2 and Subject 3.

Actions are policy options:
• Permit the traffic
• Block the traffic
• Redirect the traffic
• Log the traffic
• Copy the traffic
• Mark the traffic (DSCP/CoS)

Contracts define communication between source and destination EPGs. The defined policy encompasses traffic handling, quality of service, security monitoring and logging.

23
Cisco ACI Layer 4-7 Service Integration (1)

[Diagram: Application Profile with EXTERNAL, WEB, APP and DB EPGs. The EXTERNAL-to-WEB Policy carries Service Graph “WebGraph” (Func: Firewall, Func: Load Balancer); the WEB-to-APP Policy carries Service Graph “appGraph” (Func: Load Balancer). Each graph has Terminal: Input1 and Terminal: Output1.]

24
Cisco ACI Layer 4-7 Service Integration (2)
Policy Enforcement

• Elastic service insertion architecture for physical and virtual services
• APIC as central point of network control with policy coordination
• Automation of service bring-up/tear-down through programmable interface
• Supports existing operational model when integrated with existing services
• Service enforcement assured, regardless of endpoint location

[Diagram: Web Tier (Web Servers) and App Tier (App Servers) joined by chain “Security 5”, which the Application Admin defines as a Service Graph (begin – Stage 1 ….. Stage N – end); the Service Admin supplies the Service Profiles and Providers (Firewall and Load Balancer instances)]

26
Hypervisor Integration with ACI
• Relationship is formed between APIC and Virtual Machine Manager (VMM)
• ACI Fabric implements policy on Virtual Networks by mapping Endpoints to EPGs
• Endpoints in a Virtualized environment are represented as the vNICs
• VMM applies network configuration by placing vNICs into:
  − Port Groups (VMware)
  − VM Networks (Hyper-V)
  − Networks (OpenStack)
• EPGs are exposed to the VMM as a 1:1 mapping to Port Groups, VM Networks or OpenStack Networking.

[Diagram: APIC pushes the Application Network Profile (F/W, WEB EPG, L/B, APP EPG, DB EPG) to the VMM, which creates the WEB, APP and DB PORT GROUPs that the VMs attach to]
28
ACI Fabric Powered with Group-Based Policies

[Diagram: Application Network Profile on the ACI Fabric: Outside (Tenant VRF) – Firewall – Policies/Web – Filter, LB – Policies/App – Filter, QoS – Policies/DB; connectivity runs over a Scale-Out, Penalty-Free Overlay managed by a cluster of three APICs]

29
“Do I need to have a complete knowledge of my current application environment to fully use, benefit or leverage Cisco ACI ?”

• ABSOLUTELY NOT !!!
• Let’s see WHY and HOW …

30
3 Approaches to EPG mapping on ACI

• EPG = VLAN
• EPG = Application Group
• Hybrid Case

[Table residue: each approach compared as “The same” or “New”]

32
Co-Existence of ACI Hosted Applications With Existing Application Components

[Diagram: Subnets ‘A’, ‘B’, ‘C’ and ‘D’ spanning the Classical L2/L3 network and the ACI - VXLAN fabric]

33
Lab Topology

[Diagram: Legacy DC (Core1, Core2, Agg1, Agg2, N5K-1, N5K-2) connected over Classical L2 and L3 Links to the ACI DC (ACI Infra, BL-1, BL-2, CS1, CS2); the UCS B Chassis sits behind a pair of FIs]

34
LAB Agenda
• Section I: Deploy ACI Fabric
  • Create your Tenant
  • Deploy the 3-Tier Application Policy
  • Connect the Fabric to External Core
• Section II: Migrate applications from Legacy DC
  • Extend L2 domain from ACI Fabric to Legacy DC
  • Migrate all the Hosts from Legacy DC
• Section III: Configure Contract and Filters
  • Deploy Contracts and Filters
• Section IV: Integrate Firewall Services (Bonus)
• Section IV: Integrate Firewall Services (Bonus)

35
LAB Migration Scenario
• Bring Up the ACI fabric

[Diagram: lab topology with Subnets ‘A’, ‘B’, ‘C’ and ‘D’ in the Legacy DC; Core1/Core2, Agg1/Agg2, N5K-1/N5K-2, Classical L2 and L3 Links to ACI Infra, BL-1/BL-2, CS1/CS2, FIs, UCS B Chassis]

36
Lab Migration
• Integrate the VMware Domain and Tenant Configuration

[Diagram: lab topology as on the Lab Topology slide, with Subnets ‘A’ to ‘D’ still in the Legacy DC]

37
Migration Planning: Provide External Connectivity
• Connect the Fabric to Outside via L3out

[Diagram: lab topology as on the Lab Topology slide, with Subnets ‘A’ to ‘D’ still in the Legacy DC]

38
Migration Planning: Fabric in L2 Mode
• Extend the Fabric to Legacy Datacenter via L2 Extension

[Diagram: lab topology as on the Lab Topology slide, with Subnets ‘A’ to ‘D’ still in the Legacy DC]

39
Migration Planning: Migrate the Default Gateway
• Start Migrating the Hosts

[Diagram: lab topology as on the Lab Topology slide, with Subnets ‘A’ to ‘D’ now extended across both sides]

40
Migration Planning: Migrate the Default Gateway
• Shut the SVI on the N7Ks and configure the Bridge Domains on the Fabric

[Diagram: lab topology as on the Lab Topology slide, with Subnets ‘A’ to ‘D’ now extended across both sides]

41
Migration Complete
• Remove all the Server Connections and migrate them to ACI

[Diagram: lab topology as on the Lab Topology slide, with Subnets ‘A’ to ‘D’ on the ACI side]
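The gateway-migration steps above (extend the fabric to the legacy data center in L2 mode, then shut the legacy SVI and configure the bridge domains on the fabric) amount to two bridge-domain settings. The Python below is an added example, not code from the session or from Cisco: `fvBD`, `fvSubnet`, `fvRsCtx` and the attributes `unicastRoute`, `arpFlood` and `unkMacUcastAct` are real APIC object classes and attributes, while the bridge-domain names, gateway addresses and the `svi_state` bookkeeping are constructed for the example. The guard in `bridge_domain` encodes the ordering the slides imply: the fabric gateway for a subnet is only enabled once the legacy SVI for that subnet is shut, so no subnet ever has two active default gateways during the cutover.

```python
"""Bridge-domain settings per migration phase, as APIC fvBD JSON (added example)."""


def bridge_domain(name, vrf, gateway, phase, legacy_svi_up):
    """Return the fvBD object for one migration phase.

    'l2-extension': the fabric is only an L2 extension of the legacy DC.
        Routing stays off so the legacy SVI remains the only gateway, and
        ARP / unknown unicast are flooded so hosts on both sides reach each other.
    'routed': the gateway has moved to the fabric; routing is on and the
        gateway address becomes the BD subnet. Flooding stays on while hosts
        remain on the legacy side of the extended L2 domain.
    Raises ValueError instead of creating a second active gateway."""
    if phase not in ("l2-extension", "routed"):
        raise ValueError(f"unknown phase {phase!r}")
    if phase == "routed" and legacy_svi_up:
        raise ValueError(f"{name}: shut the legacy SVI before enabling routing")
    attrs = {
        "name": name,
        "unicastRoute": "yes" if phase == "routed" else "no",
        "arpFlood": "yes",
        "unkMacUcastAct": "flood",
    }
    children = [{"fvRsCtx": {"attributes": {"tnFvCtxName": vrf}, "children": []}}]
    if phase == "routed":
        children.append({"fvSubnet": {"attributes": {"ip": gateway, "scope": "private"},
                                      "children": []}})
    return {"fvBD": {"attributes": attrs, "children": children}}


def cutover_plan(bds, svi_state):
    """Map each (bridge domain, gateway) pair to its fvBD config for the current
    state of the legacy SVIs: routed when the SVI is recorded as shut, otherwise
    L2-extension mode. `svi_state` maps BD name -> True while the SVI is up;
    a BD with no recorded state is treated as still up (assumed safe default)."""
    plan = {}
    for name, gateway in bds:
        up = svi_state.get(name, True)
        phase = "l2-extension" if up else "routed"
        plan[name] = bridge_domain(name, "Private-Network-1", gateway, phase, up)
    return plan


if __name__ == "__main__":
    # Constructed lab values: pod 1, Web SVI already shut, DB SVI still up.
    plan = cutover_plan([("BD-Web", "10.11.1.1/24"), ("BD-DB", "10.11.3.1/24")],
                        {"BD-Web": False, "BD-DB": True})
    for name, cfg in plan.items():
        print(name, cfg["fvBD"]["attributes"]["unicastRoute"])
```

Running `cutover_plan` again after each SVI is shut moves one subnet at a time to the fabric gateway, which keeps the effect of a mistaken cutover confined to a single subnet.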

42
APIC: Logical Tenant Layout

POD-X Tenant
• Private Network 1
  − Bridge Domain Web: 10.1X.1.1/24, 10.1X.4.1/24 – Web EPG-VLAN-X1
  − Bridge Domain APP: 10.1X.2.1/24 – App EPG-VLAN-X2
  − Bridge Domain DB: 10.1X.3.1/24 – DB EPG-VLAN-X3
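The tenant / private network / bridge domain / EPG hierarchy, the contract model from the Building ACI Contracts slide and the POD-X layout just above can all be expressed as the JSON the APIC REST API consumes. The Python below is an added example, not code from the session or from Cisco: the APIC managed-object class names (`fvTenant`, `fvCtx`, `fvBD`, `fvSubnet`, `fvAp`, `fvAEPg`, `vzFilter`, `vzEntry`, `vzBrCP`, `vzSubj` and the relation classes) are real, while the pod number, the EPG and contract names, the SQL port and the direction of the two contracts (web consumes HTTP from app, app consumes SQL from db) are assumptions for this example. The `is_permitted` function shows the security property behind the model: where no contract joins two EPGs, the fabric forwards nothing between them.

```python
"""Three-tier tenant as APIC-style REST JSON plus a whitelist check (added example)."""
import json


def mo(cls, attrs, children=()):
    """Wrap attributes in the {class: {attributes, children}} shape APIC expects."""
    return {cls: {"attributes": dict(attrs), "children": list(children)}}


def build_tenant(pod):
    """Tenant POD-<pod>: one VRF, three BDs, three EPGs, two contracts (X = pod)."""
    vrf = "Private-Network-1"
    subnets = {  # bridge domain -> gateway subnets, following the lab's 10.1X.n.1/24 layout
        "Web": [f"10.1{pod}.1.1/24", f"10.1{pod}.4.1/24"],
        "APP": [f"10.1{pod}.2.1/24"],
        "DB": [f"10.1{pod}.3.1/24"],
    }
    bds = [
        mo("fvBD", {"name": f"BD-{n}"},
           [mo("fvRsCtx", {"tnFvCtxName": vrf})]
           + [mo("fvSubnet", {"ip": ip, "scope": "private"}) for ip in ips])
        for n, ips in subnets.items()
    ]
    # One filter per contract; the SQL port 1433 is an assumption, not from the slides.
    entries = {"HTTP": ("tcp", "80"), "SQL": ("tcp", "1433")}
    filters = [
        mo("vzFilter", {"name": n},
           [mo("vzEntry", {"name": n.lower(), "etherT": "ip", "prot": prot,
                           "dFromPort": port, "dToPort": port})])
        for n, (prot, port) in entries.items()
    ]
    contracts = [
        mo("vzBrCP", {"name": n},
           [mo("vzSubj", {"name": f"{n}-subj"},
               [mo("vzRsSubjFiltAtt", {"tnVzFilterName": n})])])
        for n in entries
    ]
    # EPG -> (bridge domain, provided contracts, consumed contracts); assumed pairing:
    # web consumes HTTP from app, app consumes SQL from db.
    epgs = {
        f"Web-EPG-VLAN-{pod}1": ("BD-Web", [], ["HTTP"]),
        f"App-EPG-VLAN-{pod}2": ("BD-APP", ["HTTP"], ["SQL"]),
        f"DB-EPG-VLAN-{pod}3": ("BD-DB", ["SQL"], []),
    }
    epg_mos = [
        mo("fvAEPg", {"name": name},
           [mo("fvRsBd", {"tnFvBDName": bd})]
           + [mo("fvRsProv", {"tnVzBrCPName": c}) for c in prov]
           + [mo("fvRsCons", {"tnVzBrCPName": c}) for c in cons])
        for name, (bd, prov, cons) in epgs.items()
    ]
    return mo("fvTenant", {"name": f"POD-{pod}"},
              [mo("fvCtx", {"name": vrf})] + bds + filters + contracts
              + [mo("fvAp", {"name": "3Tier"}, epg_mos)])


def find(node, cls):
    """Yield the body of every managed object of class `cls` under `node`."""
    for k, body in node.items():
        if k == cls:
            yield body
        for child in body["children"]:
            yield from find(child, cls)


def rel_names(body, rel_cls, attr):
    """Names referenced by relation objects of class `rel_cls` directly under `body`."""
    return {c[rel_cls]["attributes"][attr] for c in body["children"] if rel_cls in c}


def is_permitted(tenant, src, dst, proto, dport):
    """True if traffic initiated by EPG `src` toward EPG `dst` is covered by a contract
    that `src` consumes and `dst` provides. Only the consumer-to-provider direction is
    modelled (the fabric's automatic reverse-port rule for return traffic is not).
    EPG pairs with no such contract are denied: inter-EPG traffic is whitelist-only."""
    epgs = {b["attributes"]["name"]: b for b in find(tenant, "fvAEPg")}
    if src not in epgs or dst not in epgs:
        raise KeyError("unknown EPG")
    if src == dst:
        return True  # intra-EPG traffic is permitted by default
    shared = (rel_names(epgs[src], "fvRsCons", "tnVzBrCPName")
              & rel_names(epgs[dst], "fvRsProv", "tnVzBrCPName"))
    filters = {b["attributes"]["name"]: b for b in find(tenant, "vzFilter")}
    for contract in find(tenant, "vzBrCP"):
        if contract["attributes"]["name"] not in shared:
            continue
        for subj in find({"vzBrCP": contract}, "vzSubj"):
            for fname in rel_names(subj, "vzRsSubjFiltAtt", "tnVzFilterName"):
                for entry in filters[fname]["children"]:
                    a = entry["vzEntry"]["attributes"]
                    if a["prot"] == proto and int(a["dFromPort"]) <= dport <= int(a["dToPort"]):
                        return True
    return False


if __name__ == "__main__":
    t = build_tenant(1)  # the document is the body of a POST to the APIC's /api/mo/uni.json
    print(json.dumps(t)[:120], "...")
    print(is_permitted(t, "Web-EPG-VLAN-11", "App-EPG-VLAN-12", "tcp", 80))   # True
    print(is_permitted(t, "Web-EPG-VLAN-11", "DB-EPG-VLAN-13", "tcp", 1433))  # False
```

Because the check runs against the JSON offline, it doubles as a pre-deployment test: a proposed contract change can be verified not to open a path, for instance, directly from the web tier to the database tier before anything is pushed to the fabric.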

43
Access to Lab
• RDP: vxlanlab.ciscolive.com:3390
• Username: acilab\podX <-- this is case sensitive
• Password: Provided by Proctor

• Manual:
  • The manual is located inside the RDP session
  • If it is not already open, open the Chrome Browser
• If it is already not opened, open the Chrome Browser

44
Call to Action
• Visit the World of Solutions for
  • Cisco Campus
  • Walk in Labs
  • Technical Solution Clinics
• Meet the Engineer
• Lunch and Learn Topics
• DevNet zone related sessions

Complete Your Online Session Evaluation
• Please complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Thank you

47
