
In collaboration with

Cisco ACI Hands-on Lab
Azeem Suleman, Principal Engineer, Insieme Business Unit
Nadir Lakhani, Systems Engineer, Sales
18th May 2016

2015 Cisco and/or its affiliates. All rights reserved.

Cisco Confidential

Housekeeping notes
Thank you for attending Cisco Connect Toronto 2016. Here are a few housekeeping notes
to ensure we all enjoy the session today.
Please set your cellphones / laptops to silent so that no one is disturbed during the session.
You should have a laptop or device that can access dCloud for the lab.
Have enough power (and energy) to last for 4 hours.

Global Traction Across All Market Segments
6,000+ Nexus 9K and ACI customers globally
1400+ ACI customers
50+ ecosystem partners

Evolution of Data Center


Accelerating Convergence Disruptions Through Innovation
Innovation timeline (figure):
2005: IP Convergence (data, voice, video)
2010: Virtualization (compute, network, storage)
2014: Hybrid Cloud (application, network, scale & security)
2016+: Application Economy (analytics, hyperconvergence, cloud scale)

Policy-Driven Integrated Infrastructure Answers Customers' Requests
Customer requests (figure):
Modernize infrastructure: open and programmable
Automate and simplify
Build your hybrid cloud
Move data and workloads securely
Choose any other cloud
Answers (figure): one policy across the data center (network / L4-7, compute, storage, security); a private cloud stack with a self-service portal (IT as a Service); managed, integrated infrastructure; the policy model extended across private and public cloud: policy everywhere, security everywhere, analytics everywhere.

A Generation Ahead: Leapfrogging the Competition
Timeline 2012-2018 (figure): Cisco ships new switches every 18 months (18-month development cycle), with N9K Gen1 ASICs at 28nm followed by N9K Gen2 ASICs at 16nm. The competition is on a 2-year development cycle: T2 at 40nm, then TH and Jericho at 28nm.

Next Gen Foundation with 2 Year Advantage
Fabric-wide cloud scale and services; pervasive visibility at line rate (Nexus 9300EX, Nexus 9500, Nexus 9200).
Non-blocking performance: 36 x 100G line-rate ports with a single chip (25% more)
Wire-rate NetFlow
Investment protection at cloud scale for the next decade: multi-speed ports 100M-100G; IP storage, FCoE/FC ready
Cost advantage: 25G/100G at the price of 10/40G
Embedded security
Cloud scale technology: 8x more network segmentation vs competition; cloud-scale endpoint density 6-7x; 12x IPv6 routes
Enhanced fabric performance: 50% faster application completion time
Powered by Cisco: ASIC innovation using 16nm technology; 50% lower system cost, better reliability, lower power

Modular Cloud Scale Platform for Spine/Aggregation: Nexus 9500 (available now)
Cloud network requirements, built for generations:
Shift to scale-out architectures based on spine/leaf routed designs
Support for workload mobility and dynamic traffic flow optimization
Granular control and telemetry at tenant and application level
Best price-performance available today: full Internet route table (1M+); up to 512 line-rate 100G ports per chassis; converged fabric for IP storage
Automation at scale
Cloud economics: starts at $1,500 US list per 100G port

Organizational Transformation with ACI
Step 1: Network Automation: deploy a modern, programmable infrastructure
Step 2: Services Automation: integrate additional L4-L7 services
Step 3: Application Based Automation: deploy applications based on policy templates
Train/upgrade the skillset of your team on programmable APIs
Ultimate Goal: Achieve Application Agility with Minimal Risk
Policy-driven Framework Across All Elements of the Infrastructure, Private and Public Cloud

Application Centric Infrastructure (ACI)
Rapid deployment of applications onto networks with scale, security and full visibility
ACI = Nexus 9500 and 9300 + Application Centric Policy + Controller (figure)

Architecture
Figure: spine nodes, leaf nodes and the AVS (Application Virtual Switch), with EPG Internet, EPG Users and EPG Files attached; service producers and service consumers are both modelled as EPGs.

Application Policy Model and Instantiation
Application policy model: defines the application requirements (application network profile).
Policy instantiation: each device dynamically instantiates the required changes based on the policies.
Figure: a client talking to Web, App and DB tiers (with storage attached to the Web and DB tiers), instantiated as VMs with addresses such as 10.2.4.7, 10.9.3.37 and 10.32.3.7.
All forwarding in the fabric is managed through the application network profile
IP addresses are fully portable anywhere within the fabric
Security and forwarding are fully decoupled from any physical or virtual network attributes
Devices autonomously update the state of the network based on configured policy requirements

Access Methodology
CLI (Command-line interface): means of interacting with a computer program where the user issues commands to the program in the form of successive lines of text (command lines)
GUI (Graphical user interface): interface that allows users to interact with devices through graphical icons and visuals
Programmable interface: software components / objects exposed to be called directly by other programs
Open Source Tool: ACI Toolkit (Configuration Roll Back, Endpoint Tracker and other applications)

ACI Toolkit
Simple toolkit built on top of the APIC API: a set of simple Python classes
Python library usable from an NX-OS-like CLI, Linux commands and custom Python scripts
Used to generate REST API calls to the APIC; runs locally
Small number of classes (~30 currently) with intuitive names
Not full functionality: the most common operations, focused primarily on configuration
Preserves the ACI basic concepts: Tenants, EPGs, Contracts, etc.
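The REST exchange behind the toolkit and its Endpoint Tracker, as an added example that is not part of the original deck or of the ACI Toolkit itself: it builds the APIC login and endpoint-query requests with the Python standard library, parses an fvCEp class query, and diffs two snapshots the way an endpoint tracker would. /api/aaaLogin.json, /api/class/fvCEp.json and the APIC-cookie session token are the real APIC interface; the APIC URL, credentials, tenant name and the JSON replies are constructed for the example so that it runs offline.

```python
import json
import ssl
import urllib.request

APIC = "https://apic.lab.example"   # assumed; use the address your dCloud pod gives you


def login_request(apic, user, password):
    """Build the aaaLogin POST (send it with send(), never over plain http)."""
    body = json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": password}}})
    req = urllib.request.Request(f"{apic}/api/aaaLogin.json",
                                 data=body.encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    return req


def token_from_login(body):
    """Session token from the aaaLogin reply (imdata[0].aaaLogin.attributes.token)."""
    return json.loads(body)["imdata"][0]["aaaLogin"]["attributes"]["token"]


def endpoint_request(apic, token, tenant):
    """Class query for every learned client endpoint (fvCEp) under one tenant;
    the token travels in the APIC-cookie cookie on every later request."""
    url = (f"{apic}/api/class/fvCEp.json"
           f'?query-target-filter=wcard(fvCEp.dn,"/tn-{tenant}/")')
    req = urllib.request.Request(url)
    req.add_header("Cookie", f"APIC-cookie={token}")
    return req


def send(req, cafile):
    """Verify the APIC certificate against an explicit CA file (export the lab
    APIC's self-signed cert and trust that file) rather than disabling
    verification, which would hand the session token to anyone on the path."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read().decode()


def parse_endpoints(body):
    """MAC -> (EPG DN, IP, encap) from a fvCEp class-query reply."""
    eps = {}
    for item in json.loads(body)["imdata"]:
        a = item["fvCEp"]["attributes"]
        epg_dn = a["dn"].rsplit("/cep-", 1)[0]     # drop the endpoint's own RN
        eps[a["mac"]] = (epg_dn, a["ip"], a["encap"])
    return eps


def endpoint_changes(before, after):
    """Endpoint-tracker style diff: MACs that appeared, disappeared, or moved
    (different EPG, IP or encapsulation) between two snapshots."""
    return {
        "new": sorted(set(after) - set(before)),
        "gone": sorted(set(before) - set(after)),
        "moved": sorted(m for m in set(before) & set(after) if before[m] != after[m]),
    }


# Constructed sample replies: the shape of real APIC responses, with fake data.
SAMPLE_LOGIN = json.dumps({"totalCount": "1", "imdata": [{"aaaLogin": {"attributes": {
    "token": "lab-token-0001", "refreshTimeoutSeconds": "600"}}}]})


def _cep(epg, mac, ip, encap):
    dn = f"uni/tn-Lab/ap-3tier/epg-{epg}/cep-{mac}"
    return {"fvCEp": {"attributes": {"dn": dn, "mac": mac, "ip": ip, "encap": encap}}}


SNAP_T0 = json.dumps({"imdata": [
    _cep("Web", "00:50:56:AA:00:01", "10.2.4.7", "vlan-100"),
    _cep("DB", "00:50:56:AA:00:02", "10.32.3.7", "vlan-300")]})
SNAP_T1 = json.dumps({"imdata": [
    _cep("App", "00:50:56:AA:00:01", "10.2.4.7", "vlan-200"),      # moved to EPG App
    _cep("DB", "00:50:56:AA:00:02", "10.32.3.7", "vlan-300"),
    _cep("Web", "00:50:56:AA:00:03", "10.9.3.37", "vlan-100")]})   # newly learned

if __name__ == "__main__":
    tok = token_from_login(SAMPLE_LOGIN)
    print(endpoint_request(APIC, tok, "Lab").full_url)
    print(endpoint_changes(parse_endpoints(SNAP_T0), parse_endpoints(SNAP_T1)))
```

Against a real APIC, pass the exported controller certificate to send(). The lab APIC presents a self-signed certificate, and the shortcut of turning verification off exposes the token, which carries the full rights of the account that logged in, to anyone who can sit on the path.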

ACI Release Timeline
CY14: A (11.0) Aug14; 11.0 MR1 Nov14
CY15: 11.0 MR2 Feb15; 11.0 MR3 May15; B (11.1) Jun15; 11.1 MR1 Aug15; 11.1 MR2 Sep15; 11.1 MR3 Nov15; 11.2 Dec15
CY16: 11.2 MR1 Feb16; 11.2 MR2 Q2CY16; Congo Q3CY16

Overloaded Network Constructs
Figure: basic network policy, SLAs and L4-7 services are all hung off subnets and VLANs.
Network constructs are overloaded with unintended functionality.

Some new (or not so new) terms: Tenants, VRF (Context), Bridge Domains, Application Network Profiles, Endpoint Groups, Contracts/Filters

Bridge Domain (BD)
Unique layer 2 (L2) or layer 3 (L3) forwarding domain
Can contain one or more subnets (if unicast routing is enabled)
Each bridge domain must be linked to a context (VRF)
Equivalent network construct:
If a BD is configured as an L2 forwarding domain, it has one or more associated VLANs, and each VLAN maps to an EPG
If a BD is configured as an L3 forwarding domain, it is equivalent to an SVI with one or more subnets per BD
NOTE: a BD can span multiple switches

Bridge Domain (BD) Modes
L2 Unknown Unicast
  Flood: packet is flooded within the BD
  Hardware Proxy: packet is sent only to the proxy spine
ARP Flooding
  Enabled: ARP packets are flooded in the BD
  Disabled: ARP packets undergo an L3 unicast lookup for the target IP in the VRF; ARP behaves like an L3 unicast packet until it reaches the egress TOR
Unicast Routing
  Enabled: define subnets
  Disabled: no subnets defined
Unknown Multicast Flooding
  Flood: ingress TOR floods; egress TOR floods to front-panel ports if a router port exists on any BD, or sends to the fabric if transit
  Optimized Flood (up to ~75 BDs per TOR): sent only to router ports in the fabric

Object Relationship
Figure: Tenant -> Context (VRF) -> Bridge Domain -> Subnet. A tenant holds one or more contexts, each context holds one or more BDs, and each BD holds one or more subnets (Subnet A; Subnets B and C).

End Point Group (EPG)
Set of hosts that behave the same
Behaviour is described as all hosts representing an application or application component, independent of other network constructs
Figure: EPG - Web, containing the HTTPS service and HTTP service hosts

Application Network Profile (ANP)
Application Network Profiles are groups of EPGs and the policies that define the communication between them
Figure: Application Network Profile = EPG - WEB, EPG - APP and EPG - DB joined by inbound/outbound policies

Contracts
Defines the way in which EPGs interact
The policy model allows for both unidirectional and bidirectional policies.
Figure: three EPGs (A, B, C) linked by Contract 01 (bidirectional communication) and Contract 02 (unidirectional communication). Ex: ACI logical model applied to the 3-tier app ANP.
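Putting the Tenant/Context/BD/Subnet hierarchy, EPGs, ANP and contracts of the preceding slides together, as an added example that is not code from the deck: it emits the APIC REST payload for a 3-tier ANP and models the zoning rules a leaf derives from the contracts, so you can check which EPG-to-EPG flows the fabric will forward. The APIC class names (fvTenant, fvCtx, fvBD, fvRsCtx, fvSubnet, fvAp, fvAEPg, fvRsBd, fvRsProv, fvRsCons, vzFilter, vzEntry, vzBrCP, vzSubj, vzRsSubjFiltAtt, vzInTerm, vzRsFiltAtt) are the real managed-object classes; the tenant, EPG and filter names are assumptions, and the rule evaluator is a simplified model of contract enforcement, not APIC's own code.

```python
# Added example: APIC payload for a 3-tier ANP plus a model of the leaf's zoning rules.
# Class names are real APIC classes; tenant/EPG/filter names are assumptions.
from dataclasses import dataclass
import json


def mo(cls, attributes, children=()):
    """One managed object in APIC JSON form: {cls: {attributes, children}}."""
    body = {"attributes": attributes}
    if children:
        body["children"] = list(children)
    return {cls: body}


@dataclass(frozen=True)
class Filter:
    name: str
    proto: str     # "tcp" or "udp"
    port: int      # destination port, consumer -> provider


@dataclass
class Contract:
    name: str
    filters: tuple
    both_directions: bool = True   # vzSubj "Apply Both Directions" with reverse filter ports


@dataclass
class Epg:
    name: str
    provides: tuple = ()   # contract names
    consumes: tuple = ()


class Tenant:
    def __init__(self, name, vrf, bd, subnet):
        self.name, self.vrf, self.bd, self.subnet = name, vrf, bd, subnet
        self.contracts, self.epgs = {}, {}

    def add(self, obj):
        (self.contracts if isinstance(obj, Contract) else self.epgs)[obj.name] = obj
        return obj

    def to_json(self):
        """Payload for POST /api/mo/uni.json: Tenant -> VRF; BD with subnet;
        filters; contracts; ANP whose EPGs bind to the BD and to their contracts."""
        kids = [mo("fvCtx", {"name": self.vrf}),
                mo("fvBD", {"name": self.bd, "unicastRoute": "yes"},
                   [mo("fvRsCtx", {"tnFvCtxName": self.vrf}),
                    mo("fvSubnet", {"ip": self.subnet, "scope": "private"})])]
        for f in {f.name: f for c in self.contracts.values() for f in c.filters}.values():
            kids.append(mo("vzFilter", {"name": f.name}, [mo("vzEntry", {
                "name": f"{f.proto}-{f.port}", "etherT": "ip", "prot": f.proto,
                "dFromPort": str(f.port), "dToPort": str(f.port)})]))
        for c in self.contracts.values():
            if c.both_directions:
                subj = mo("vzSubj", {"name": "subj", "revFltPorts": "yes"},
                          [mo("vzRsSubjFiltAtt", {"tnVzFilterName": f.name}) for f in c.filters])
            else:  # one-way subject: filters only in the consumer -> provider (in) term
                subj = mo("vzSubj", {"name": "subj"}, [mo("vzInTerm", {}, [
                    mo("vzRsFiltAtt", {"tnVzFilterName": f.name}) for f in c.filters])])
            kids.append(mo("vzBrCP", {"name": c.name}, [subj]))
        kids.append(mo("fvAp", {"name": "3tier"}, [
            mo("fvAEPg", {"name": e.name},
               [mo("fvRsBd", {"tnFvBDName": self.bd})]
               + [mo("fvRsProv", {"tnVzBrCPName": n}) for n in e.provides]
               + [mo("fvRsCons", {"tnVzBrCPName": n}) for n in e.consumes])
            for e in self.epgs.values()]))
        return mo("fvTenant", {"name": self.name}, kids)


def zoning_rules(t):
    """Rules a leaf programs per contract, as (src_epg, dst_epg, proto, sport, dport)
    with None meaning any port: consumer -> provider on the filter's port, plus the
    reply direction (provider -> consumer, filter port as *source*) when the subject
    applies both directions.  No contract, no rule."""
    rules = set()
    for c in t.contracts.values():
        for cons in [e.name for e in t.epgs.values() if c.name in e.consumes]:
            for prov in [e.name for e in t.epgs.values() if c.name in e.provides]:
                for f in c.filters:
                    rules.add((cons, prov, f.proto, None, f.port))
                    if c.both_directions:
                        rules.add((prov, cons, f.proto, f.port, None))
    return rules


def permitted(rules, src, dst, proto, sport, dport):
    """Whitelist check for one packet (intra-EPG traffic is allowed by default)."""
    return src == dst or any(
        s == src and d == dst and p == proto and sp in (None, sport) and dp in (None, dport)
        for s, d, p, sp, dp in rules)


def example_tenant():
    t = Tenant("Lab3Tier", "prod", "bd-3tier", "10.2.4.1/24")
    t.add(Contract("web", (Filter("https", "tcp", 443),)))
    t.add(Contract("app", (Filter("app-8080", "tcp", 8080),)))
    t.add(Contract("db", (Filter("mysql", "tcp", 3306),)))
    # one-way: App pushes syslog to Log; Log can never open anything towards App
    t.add(Contract("syslog", (Filter("syslog", "udp", 514),), both_directions=False))
    t.add(Epg("Users", consumes=("web",)))
    t.add(Epg("Web", provides=("web",), consumes=("app",)))
    t.add(Epg("App", provides=("app",), consumes=("db", "syslog")))
    t.add(Epg("DB", provides=("db",)))
    t.add(Epg("Log", provides=("syslog",)))
    return t


if __name__ == "__main__":
    t = example_tenant()
    print(json.dumps(t.to_json(), indent=1))
    print(permitted(zoning_rules(t), "Web", "DB", "tcp", 51000, 3306))
```

Two results worth checking in the lab: Web cannot reach DB even though both sit in the same tenant and BD, because no contract joins them (the fabric is a whitelist), and with the syslog contract's subject applied in one direction only, Log cannot initiate anything towards App even on UDP/514, while the web contract's reply rule lets Web answer Users from source port 443 without letting Web open new connections to Users.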

Congo Release 2.x (target Q3 CY 2016; status: committed, in execution)
Infrastructure: Multi-PoD; WAN integration (GOLF); VXLAN EVPN BGP (iBGP and eBGP) for IPv4 and IPv6; OpFlex push to N7K, ASR9K; QSA support on EX spine/leaf; FCoE NPV, PFC (802.1Qbb)
Routing & Switching: PBR and policy based service insertion; symmetric multipath load balancing & redirection; multicast routing PIM support (PIM-SM/SSM/Bidir) on EX hardware; OSPF in-bound area filtering; BGP limit maximum AS (maxas-limit); 64-way ECMP
Visibility and Analytics: analytics support on EX hardware; copy service
Virtualization, Operations: ACI vCenter plugin; multiple vCenter per fabric (50); AVS; vRealize; VEM commands from APIC; EPG health score; WAP 2.0 + service chaining
OpenStack: Liberty support; hierarchical VLANs; VMware hypervisor integration; GBP + ML2 unified plugin
Security: permit logging
Hardware: DC48V support (fixed and modular spine); DOM on ACI mode

ACI Multi-Pod Solution: Overview
Figure: Pod A through Pod n, each running IS-IS, COOP and MP-BGP internally, connected over an Inter-Pod Network with MP-BGP EVPN between pods, all under a single APIC cluster.
Multiple ACI Pods connected by an IP Inter-Pod L3 network; each Pod consists of leaf and spine nodes
Managed by a single APIC cluster: single management and policy domain
Forwarding control plane (IS-IS, COOP) fault isolation between Pods
Data plane VXLAN encapsulation between Pods
End-to-end policy enforcement

ACI Multi-Pod Solution: Use Cases
Figure: ACI Fabrics A to E connected through an Inter-POD network and WAN/DCI.
Handling a 3-tier physical cabling layout: cable constraints (multiple buildings, campus, metro) require a second tier of spines; preferred option when compared to a ToR FEX deployment
Evolution of the stretched fabric design: metro area (dark fiber, DWDM), L3 core; more than 2 interconnected sites

ACI Integration with WAN at Scale: Project GOLF Overview
Addresses both control plane and data plane scale
VXLAN data plane between ACI spines and WAN routers
BGP-EVPN control plane between ACI spines and WAN routers
OpFlex for exchanging config parameters (VRF names, BGP Route-Targets, etc.)
Consistent policy enforcement on ACI leaf nodes (for both ingress and egress directions)
GOLF router support (Q3CY16): Nexus 7000, ASR9000 and ASR1000 (not yet committed)

ACI Integration with WAN at Scale: Supported Topologies (figure)

New Automation: Cisco Nexus Fabric Manager
Single point, fabric-wide management

Traditional Script-Based Approaches
Figure: hard-wired, custom-scripted workflows are rigid; changing the PaaS or changing the cloud breaks the system and requires re-scripting.

CliQr CloudCenter: Any App, Any Cloud, One Platform
Figure: profile, model, deploy and manage applications across datacenters, private clouds and public clouds.

Working Together: End-to-End Orchestration
Figure: Business (ITSM: Prime Service Catalog, ServiceNow, custom) and Development (DevOps: CliQr, Jenkins) feed application-centric lifecycle management (model, benchmark, deploy, manage) of application profiles across the datacenter (UCS Director, UCS, ACI, Nexus switching, storage, Hyper-V), private cloud and public cloud.

How to access lab


URL: http://dcloud.cisco.com/

Username: CiscoLiveStudent1 24
Password: C1sc0123live


Thank you.