M01 - What Is Cisco ACI

What is Cisco ACI?

www.lumoscloud.com

Agenda
• SDN/Overlay Networking Primer
• Overview and Terminology
• Logical Model Overview
SDN/Overlay Networking Primer

Industry Trends
• DevOps
• SDN: Software Defined Networking (or, as the joke goes, "Still Don't Know")
New operational models are driving the need for infrastructure change.
SDN
The term covers several distinct ideas:
• Control Plane / Data Plane separation
• OpenFlow
• Policy Controller
• Network Virtualization
• Programmability
Control, Data, Policy
• Control Plane: CP protocols (OSPF, LACP, etc.) distributed through leafs (i.e., OSPF, iBGP, LACP, LLDP)
• Data Plane: All in-line, no packets are punted to the controller
• Policy Controller: Centralized network policy

(Diagram: an APIC Cluster of three APICs exposes a REST API to the fabric. Configuration of control plane and data plane forwarding is done on the APIC cluster; no packet is sent to the controller, forwarding is done in-fabric immediately. OSPF, LLDP and other processes run on the leafs that routers are connected to, not on the controller.)
Distributed Configuration
Without a controller, the same configuration is repeated by hand on every switch (switch1, switch2, switch3, switch4, ... switch12, switch13, switch14):

    switch1(config)# int eth 1/1
    switch1(config)# switch mode acc
    switch1(config)# switch acc vlan 666
    switch1(config)# no shut

SINGLE SOURCE OF Truth
(Diagram: a Network Controller, the APIC Cluster of three APICs, exposes a REST API that is consumed by an Orchestrator (UCS Director), VMware vCenter and other automation.)
Software Overlays – Network Virtualization
Virtual networks (Virtual Network 1, 2, 3) are created with VXLAN encapsulation. Networks are ephemeral and highly dynamic; configuration changes can be frequent (many times per day).
The underlay network runs as a Clos network (pronounced "clo", rhymes with "glow") and carries the encapsulated packets. The underlay is static and changes are typically very infrequent.
Cisco ACI

Overview and Terminology

ACI, or Application Centric Infrastructure
What is ACI?
• Behaves like a switch (Bridge Domain)
• Behaves like a router (Unicast Routing)
• Utilizes Virtual Routing and Forwarding Tables (VRFs)
• Utilizes VLANs (EPGs and SVIs)
• Utilizes VXLANs (EPGs and Overlays)
• Behaves like an orchestrator
• Configures Hypervisors and controllers
• Configures L4-7 Devices
• Open North and South-bound API
• Automation
Application Centric Infrastructure
• Is a network fabric for datacenters.
• Leaf/Spine Topology (no more access/aggregation/core)
• Uses VXLAN and Tunnel Endpoints as an underlay – IS-IS
• All configuration is done from a controller and pushed to the network switches
• Control plane and data plane are separate – SDN
• APICs form a cluster for distributed computing

Zero Touch Fabric Discovery
• LLDP
  • Discovers connectivity
• DHCP
  • Automatically assigns TEP addresses
• ISIS
  • Underlay TEP-to-TEP Connectivity
• SSL / Certificate
  • Ensures device identity
Standalone VXLAN Configuration (NX-OS, one switch shown):

    ! Underlay: OSPF, a loopback used as the VTEP source, a routed uplink
    standalone-sw1(config)# feature ospf
    standalone-sw1(config)# router ospf 1
    standalone-sw1(config-router)# router-id 200.200.8.8
    standalone-sw1(config)# interface loopback0
    standalone-sw1(config-if)# ip address 200.200.8.8/32
    standalone-sw1(config-if)# ip router ospf 1 area 0.0.0.0
    standalone-sw1(config)# interface e2/1
    standalone-sw1(config-if)# ip address 20.1.1.1/30
    standalone-sw1(config-if)# ip router ospf 1 area 0.0.0.0
    standalone-sw1(config-if)# ip pim sparse-mode
    ! Overlay features and the host-facing trunk
    standalone-sw1(config)# feature nv overlay
    standalone-sw1(config)# feature vn-segment-vlan-based
    standalone-sw1(config)# interface e1/1
    standalone-sw1(config-if)# switchport
    standalone-sw1(config-if)# switchport mode trunk
    standalone-sw1(config-if)# switchport trunk allowed vlan 11-12
    standalone-sw1(config-if)# no shutdown
    ! VLAN-to-VNI mapping
    standalone-sw1(config)# vlan 11
    standalone-sw1(config-vlan)# vn-segment 10011
    standalone-sw1(config)# vlan 12
    standalone-sw1(config-vlan)# vn-segment 10012
    standalone-sw1(config-vlan)# exit
    ! NVE (VTEP) interface with static ingress replication to the peer VTEP
    standalone-sw1(config)# interface nve1
    standalone-sw1(config-if-nve)# no shutdown
    standalone-sw1(config-if-nve)# source-interface loopback0
    standalone-sw1(config-if-nve)# member vni 10011
    standalone-sw1(config-if-nve-vni)# ingress-replication protocol static
    standalone-sw1(config-if-nve-vni)# peer-ip 200.200.9.9
    standalone-sw1(config-if-nve)# member vni 10012
    standalone-sw1(config-if-nve-vni)# ingress-replication protocol static
    standalone-sw1(config-if-nve-vni)# peer-ip 200.200.9.9
    …

* VXLAN on its own is complex: manually building the underlay network takes time and is subject to error. ACI does this automatically, right out of the box.
Logical Network Provisioning of Stateless Hardware
(Diagram: an application policy for the Outside, Web, App and DB tiers inside a Tenant VRF, built from QoS, SVI/VLAN, Filter and Service elements, is expressed either App-Centric or Network-Centric. The APIC (Application Policy Infrastructure Controller) pushes it to the ACI Fabric, which runs an Integrated VXLAN Overlay.)
Cisco ACI: Open Platform
APIC Policy Controller (APIC Cluster)
• Open REST API
• HTML5 GUI
• NX-OS CLI
Built-In VMM Integration
• VMware vCenter (AVS/DVS)
• Hyper-V (Azure Pack/SCVMM)
• OpenStack (ML2/GPB)
• Kubernetes (v 3.0)
ACI Fabric: External Routers, External Switches/vSwitches (vSwitch, L2 Switch, Router)
• OSPF (v2/v3)
• EIGRP
• e/iBGP
• Static routes
• IETF Standard VXLAN
• IEEE Standard 802.1Q (VLAN)
• IEEE Ethernet
• IETF OpFlex (control plane)
ACI Network Profile: Policy-Based Fabric Management
Extend the principle of Cisco UCS® Manager Service Profiles to the entire fabric.
• Network profile: stateless definition of application requirements
  • Application tiers
  • Traditional network constructs (SVI/VLAN)
  • Connectivity policies
  • Layer 4 – 7 services
  • XML/JSON schema
• Fully abstracted from the infrastructure implementation
  • Removes dependencies of the infrastructure
  • Portable across different data center fabrics
The ANP fully describes the network constructs (diagram: Storage, Web Tier, App Tier, DB Tier).

    ## Network Profile: Defines Application Level Metadata (Pseudo Code Example)
    <Network-Profile = Production_Web>
      <App-Tier = Web>
        <Connected-To = Application_Client>
        <Connection-Policy = Secure_Firewall_External>
        <Connected-To = Application_Tier>
        <Connection-Policy = Secure_Firewall_Internal & High_Priority>
      . . .
      <App-Tier = DataBase>
        <Connected-To = Storage>
        <Connection-Policy = NFS_TCP & High_BW_Low_Latency>
      . . .
ACI Policies
• Can be subdivided into three main categories:
  • Fabric Policies: Define settings for how the fabric members talk to other fabric members, such as MTU, ISIS and BGP settings, COOP, etc.
  • Access Policies: Define how a switch or a front panel switchport is configured. Settings that can be applied to the physical ports such as LLDP, CDP, Port-Channeling, speed/duplex, etc.
  • Tenant Policies: Govern traditional networking such as VLAN encapsulation, flooding domains, L3 Routing, as well as defining Application Level Policy like contracts, preferred groups, L4-7 services, PBR, etc.
• All of the policies work together to define where and how endpoints or applications are connected
(Diagram: Tenant Policies (Web Tier, App Tier, DB Tier) layered over Access Policies, layered over Fabric Policies.)
Policy Instantiation

    Object          Consumed                Provided
    Tenant          Coke                    Sprite
    VRF             Main                    Main
    Bridge Domain   Coke_VL10               Pepsi_VL20
    Subnet          10.0.10.1/24            10.0.20.1/24
    EPG             Web                     Web
    Endpoint        10.0.10.10              10.0.20.10
    Path            Leaf101:e1/1:VL-10      Leaf102:e1/1:VL-20

Policy Instantiation on Leaf101:
1. Map VLAN-10 to an internal VLAN (say vlan 7) and a VXLAN ID

    leaf101(config)# vlan 10
    leaf101(config-vlan)# vn-segment 10392
    leaf101(config)# int e1/1
    leaf101(config-if)# switchport mode trunk
    leaf101(config-if)# switchport trunk allowed vlan add 7

2. Map VLAN 10 to a BD vlan (vlan 8) and VNID

    leaf101(config)# vlan 8
    leaf101(config-vlan)# vn-segment 15826917
    leaf101(config)# interface vlan 8
    leaf101(config-if)# ip address 10.0.1.1/24
    leaf101(config-if)# no shut

3. Deploy the VRF

    leaf101(config)# vrf context Coke:Main

4. Leak the Coke-VL10 route from MP-BGP into VRF Sprite:Web

5. Deploy an ACL to allow traffic between the two EPGs (not based on IP address, but on EPGs)
Application Policy Model and Instantiation
• Application policy model: Defines the application requirements (application network profile). (Diagram: Application Client, Storage, Web Tier, App Tier, DB Tier.)
• Policy instantiation: Each device dynamically instantiates the required changes based on the policies. (Diagram: the APIC pushing policy to VMs at 10.2.4.7, 10.9.3.37 and 10.32.3.7.)

All forwarding in the fabric is managed through the application network profile
• IP addresses are fully portable anywhere within the fabric
• Security and forwarding are fully decoupled from any physical or virtual network attributes
• Devices autonomously update the state of the network based on configured policy requirements
ACI Fabric
(Diagram: ACI Spines above ACI Leafs; attached to the leafs are External L2 / L3, L4–7 Services and Servers; the APIC Cluster of three APICs connects to the fabric, with OOB Management alongside.)
Logical Model Overview
Remember UCS & Stateless Computing?
Service Profile
• Storage: Optional Disk usage; SAN settings (LUNs, Persistent Binding); SAN settings (vSAN); Firmware (Revisions)
• Server: Identity (UUID); Adapters (Number; Type: FC, Ethernet; Identity; Characteristics); Firmware (Revisions; Configuration settings)
• Network: Uplinks; LAN settings (VLAN, QoS, etc…); Firmware (Revisions)
Stateless Networking: Logical Networking Constructs
(Diagram: Traditional networking constructs (subnets, VLAN, Pervasive SVI) and Application Centric constructs (Microsegmentation: Web Tier, App Tier, DB Tier) are both layered over the physical ports and physical infrastructure.)
• Networking constructs are instantiated and configured in an abstracted form
• The APIC controller retains the policy for all fabric components
Defining Terms
• End-Point Group (EPG) - A network segmentation method for objects requiring the same policy treatment, e.g. app tiers or services.
• Tenant - Logical separator for: Customer, BU, group etc. Separates traffic, admin, visibility, etc.
• VRF – A separate routing instance; can be used as an admin separation
• Bridge Domain (BD) - NOT A VLAN, simply a container for subnets. CAN be used to define an L2 boundary
• Contract - Contracts represent policies between EPGs. Contracts are "provided" by one EPG and "consumed" by another.
Management Information Model
(Diagram: one Tenant contains many (1:n) L2/L3 Outside Networks, Bridge Domains, Contexts (VRF), Application Profiles, Contracts and Filters. A Bridge Domain contains n Subnets and relates n:1 to a Context (VRF); an Application Profile contains n EPGs; a Contract contains n Subjects, which relate to Filters; EPGs relate n:n to Contracts.)
• Solid lines indicate objects below contained
• Dashed lines indicate a relationship
• 1:n indicates one to many
• n:n indicates many to many
Application Network Profile
(Diagram: Public endpoints in the Outside EPG consume the "web" contract provided by EPG WEB; EPG WEB consumes the "java" contract provided by EPG APP; EPG APP consumes the "sql" contract provided by EPG DB. Each EPG holds its endpoints (EP) and sits on a subnet inside a bridge domain (bd); all three bridge domains share one L3 context.)
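As an added example that is not part of the original slides, the Python below models the contract chain on this slide (and the EPG-based ACL of Policy Instantiation step 5): traffic between EPGs is permitted only when the destination EPG provides, and the source EPG consumes, a contract whose filter matches. The EPG names follow the slide; the filter ports, endpoint addresses and EPG membership are constructed.

```python
# Added example, not from the original slides: a small model of how an ACI
# contract acts as an EPG-keyed whitelist. One EPG "provides" the contract,
# another "consumes" it, and the contract carries filters (protocol/port).
# Permit decisions rest on EPG membership and filter match, never on the IP.
from collections import namedtuple

Filter = namedtuple("Filter", "proto port")
Contract = namedtuple("Contract", "provider consumers filters")

# Constructed policy mirroring the slide: Outside -> WEB -> APP -> DB.
CONTRACTS = {
    "web":  Contract("WEB", {"Outside"}, {Filter("tcp", 443)}),
    "java": Contract("APP", {"WEB"},     {Filter("tcp", 8080)}),
    "sql":  Contract("DB",  {"APP"},     {Filter("tcp", 1433)}),
}

# Constructed endpoint-to-EPG classification. The address itself carries no
# policy meaning; only the EPG the endpoint is classified into matters.
ENDPOINTS = {
    "203.0.113.10": "Outside",
    "10.0.10.10": "WEB",
    "10.0.20.10": "APP",
    "10.0.30.10": "DB",
}

def epg_of(ip, endpoints=ENDPOINTS):
    """Classify an endpoint into its EPG; unknown endpoints belong to none."""
    return endpoints.get(ip)

def is_permitted(src_epg, dst_epg, proto, port, contracts=CONTRACTS):
    """Whitelist check for a consumer-initiated flow from src_epg to dst_epg.

    Same-EPG traffic is allowed by default; between EPGs a contract that
    dst_epg provides, src_epg consumes, and whose filter matches is required.
    (Real ACI filters are usually also applied in reverse so replies return.)
    """
    if src_epg is None or dst_epg is None:
        return False
    if src_epg == dst_epg:
        return True
    return any(
        c.provider == dst_epg and src_epg in c.consumers
        and Filter(proto, port) in c.filters
        for c in contracts.values()
    )

def flow_permitted(src_ip, dst_ip, proto, port):
    """Decide a flow as the fabric would: classify to EPGs, then check contracts."""
    return is_permitted(epg_of(src_ip), epg_of(dst_ip), proto, port)
```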
