LEARN WORK IT

INFORMATION TECHNOLO GY (NE T WORK )

C I S C O ACI BLO GS VMWARE N SX BLO G S CISCO ROUT ING B LO G

C I S CO SW ITCHIN G BLO G IT INS TITU TES CONTACT US

TERMS & CONDIT ION

2. ACI Basic
 JUNE 14, 2021  LEAVE A COMMENT

ACI -Application
Centric
Infrastructure
basic
ACI is an automated (VXLAN) overlay network running
over an automated (ISIS) underlay network

ACI can transport any IP traf�c including “Overlay”

networks based on VXLAN, NVGRE etc.

•ACI is a network fabric for datacenters.

•Leaf/Spine Topology
•Uses VXLAN and Tunnel Endpoints as an underlay
•All con�guration is done from a controller and pushed
to the network switches
•Control plane and data place are separate
•APICs form a cluster for distributed computing

ACI Componets
Tenant

•Logical container for a set of policies

•Main Components:
•Application Pro�les = Container of similar applications
that are somehow related
•Application Pro�le has any number of Endpoint Groups
(EPGs) inside
•Networking = Container for Network Infrastructure
related items
•Bridge Domains
•VRFs
•External Bridged Networks
•External Routed Networks
•Security Policies
•Contain the Contracts used between EPGs to enable
communication

VRF

•Layer 3 forwarding domain.

•Contains all routes for the particular VRF
•Routes will usually point to the local leaf SVI VLAN or
via the overlay-1 VRF to a destination leaf VTEP
•VRF scope is where communication policy is enforced.

Bridge Domain

•Ties to a VRF
•De�nes L2 forwarding characteristics and boundaries.
•L2 Unknown Unicast (Flood | Hardware Proxy)
•Forwarding for unknown L2 destinations
•L3 Unknown multicast(Flood | Optimized Flood)
•Multi-Destination Flooding(Flood in BD | Drop | Flood in
Encapsulation)
•Multicast-Frame/MAC
•ARP Flooding(On | Off)
•Similar to a VLAN but not tied to a single VLAN
•Unicast Routing
•Subnets

Subnets

•HSRP Evolved
•Subnet under the BD creates an SVI only on the
switches where there is an endpoint that needs it.
•Known as a distributed default gateway
•Gateway inside the fabric is good, �ood is always
answered in a single hop.
•This SVI can be advertised externally through a routing
protocol.

Unicast Routing

•Enables Routing
•Route between all BDs inside a VRF without
con�guring a routing protocol
•The subnet con�gured under the BD will be the SVI and
Default Gateway for endpoints
•SVI is only programmed on the switches that have
endpoints in that BD/EPG
•Traf�c from inside a BD will hit the Distributed default
gateway MAC and the fabric will handle routing to the
destination BD

Application Pro�le & Endpoint

Groups

•Endpoint Groups are used to group similar endpoints

connected to the fabric. This is where policy is de�ned.
•An Application Pro�le(AP) is a logical container for
Endpoint Groups (EPGs)
•An AP should logically group related EPGs, such as the
3-tier Application example:
•Application Pro�le “My Web App”
•Website –EPG
•Application –EPG
•DB –EPG

Security Policies
•ACI is a whitelist based network
•Use contracts to de�ne policy for which EPGs can talk
to which other EPGs and external EPGs
•Contracts are built with the following objects:
•Contract -Name
•Subject –Direction and Options
•Filter –Name and groups of �lter entries
•Filter Entry –Speci�c protocol and ports and in which
direction

Contracts

•One EPG is Providing the other is Consuming

•Think client/server relationship. One EPG is a server
providing a service the client is consuming the service
•Bi-Directional Communication is allowed by default
•Pro-Tip: Only the client/consumer is allowed to initiate
communications

Comprehensive look of ACI

Monitoring

•ACI offers a slew of monitoring and troubleshooting

tools
•Event and Audit logs at numerous levels
•Ongoing as well as on-demand counters
•Graphs for statistics at numerous levels (vm, port, PC,
vPC, BD, EPG, VRF)
•Troubleshooting Wizard for an end to end traf�c
between two endpoints
•Shows counters, Contracts, traceroute, Topology
•Endpoint Tracker
•History, per endpoint, of all moves
•Capacity Dashboard
•Shows usage of different policies and scale

Fault Triggers

•Four types of fault triggers:

1.speci�c conditions described in the model by fault
rules
2.counters crossing thresholds speci�ed in user-
programmable policies
3.task or FSM failures
4.object resolution failures
•Faults are raised and managed on the node (switch or
controller) where the condition is detected
•Faults are raised and cleared automatically by the
system
APIC Health Score

•Health Score provides a quick overview of the health of

the system/module
•It is based on the Faults generated in the fabric
•Range: 0 to 100 (100 is perfect health score)
•Each fault reduces the health score based on the
severity of the fault
•Health Score is propagated to container and related
MOs
•Health Score policies can control the penalty values,
propagation, health Records.

Health Score Views

S y s t e m —aggregation of system-wide health, including

pod health scores, tenant health scores, system fault
counts by domain and type, and the APIC cluster health
state.
P o d —aggregation of health scores for a pod (a group of
spine and leaf switches), and pod-wide fault counts by
domain and type.
T e n a n t —aggregation of health scores for a tenant,
including performance data for objects such as
applications and EPGs that are speci�c to a tenant, and
tenant-wide fault counts by domain and type.
M a n a g e d O b j e c t —health score policies for managed
objects (MOs), which include their dependent and
related MOs. These policies can be customized by an
administrator.

ACI Dashboard
Overlays and Tunnels

•When �rst discovering the fabric, each switch that is

registered is dynamically assigned an IP address out of
the Tunnel End Point (TEP) range speci�ed during the
APIC setup script.
•The TEP range de�nes the Overlay-1 VRF.
•The IP address every switch receives is known as a
virtual TEP and is used to build tunnels between the
leafs and spines
•Overlay-1 VRF contains /32 routes to each VTEP, VPC
Virtual IP, APIC, and Spine Proxy IP

Forwarding and Learning

•Acts as a regular switch learns and forwards based on

MACs
•Also capable of learning IP addresses for a
comprehensive endpoint
•Leafs learn remote endpoints as well for quicker lookup
and directed forwarding to a destination leaf.
•Not just an outgoing port
•Spines have a global (fabric wide) database of all
endpoints and can forward to any destination if needed
•BD settings determine learning and forwarding
behavior

L2 Unknown Unicast: HW Proxy

•Spine looks up an endpoint in global database/COOP
and forwards to leaf VTEP. If not found, the packet is
dropped.
•Optimization to traditional networking to cut down on
unnecessary �ooding.

L2 Unknown Unicast: Flood

•Uses multicast tree rooted in the spine for a speci�c BD,

all leafs that have the BD are part of the multicast tree
•Imitates traditional networks, helpful for integrating an
external gateway for migration

ARP Flooding: Off

Unicast Routing/Directed ARP. Inspect ARP frame for

Destination IP and unicast to that leaf/Endpoint

ARP Flooding: ON

Standard, Traditional ARP Flooding

Static vs Dynamic VLAN

Con�guration

•Static implies manually con�guring which interfaces

have which VLANs from the pool de�ned under access
policies
•Used with a physical domain and a static VLAN pool
•Static con�guration is done under the EPG by
associating the physical domain and creating a static
path to a port and specifying a VLAN
•Dynamic implies that the VLAN is allocated
automatically, randomly from the pool
•Used with a VMM domain and a dynamic VLAN pool.
•Associating the VMM domain to the EPG creates a
port-group/network in the VM environment and based
on CDP/LLDP adjacencies that are reported, VLANs are
programmed on the interface.

Static VLAN Deployment

•Compared to dynamic deployment, physical workloads

are de�ned statically
•A Physical domain is needed on the EPG
•The second requirement is to con�gure a static path
•A static path speci�es an interface on a switch, a port-
channel on a switch, or a vPC interface between a pair
of switches as well as the VLAN that the end device will
be communicating on
•This VLAN can be:
•tagged
•untagged (access/native)
•802.1p (still access/native but with QoS at MAC layer)

Dynamic VLAN Con�guration

•Used for VMM Domain Integration

•ACI and the controller exchange information such as
•Number and name of Hypervisors
•vmnic adjacencies to the leaf ports
•Re quires CDP or LLDP
•VMs added to port-groups
•VMM domain associated to an EPG program a port-
group on the Controller
•With the goal of dynamically programming VLANs on
the leaf interfaces.

VMM Domain

•Requires a VLAN pool and AAEP association

•Requires the IP address of the Controller
•When a VMM Domain is associated with an EPG:
•API calls create a port-group or VM Networks