LTRACI-2226
Cisco Webex Teams
Questions?
Use Cisco Webex Teams to chat
with the speaker after the session
How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
LTRACI-2226 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• Introduction
• ACI Service Insertion
• L4-L7 Lab
Introduction
Deploying Services in a Traditional Network
(Figure: CLI snippets for a three-tier application – Web Tier, Application Tier, Database Tier – each tier fronted by its own firewall (fw1/fw2/fw3), load balancer (slb1/slb2/slb3) and access switch (switch1/switch2/switch3), with router1 in front. The snippets were scattered by extraction; the recognisable fragments are:)
• router1: int eth 1/1, ip address 1.1.1.0 255.255.255.0; router bgp 1000, network 1.1.1.0 mask 255.255.255.0, network 2.2.2.0 mask 255.255.255.0
• fw1: int eth 0/1, nameif outside; int eth 0/2, nameif webfront, security-level 20; object network webfront_vip, nat (webfront,outside) static ...; access-list outside_web permit tcp any host 6.6.6.6 eq 80; access-list outside_web permit tcp any host 6.6.6.6 eq 443; access-group outside_web in interface outside
• fw2: nameif appfront, security-level 50; object network appfarm_vip, host 5.5.5.5, nat (appfront,webfront) static 4.4.4.4; access-list web_to_app permit tcp any host 4.4.4.4 eq 8081
• fw3: the same pattern in front of the Database Tier (int eth 0/1, int eth 0/2, nameif, object network, nat, access-list)
• slb1/slb2/slb3: probe http http-probe with expect status 200; rserver host websrvr1-3 / appsrvr1-3 / dbsrvr1-3 (addresses in 3.3.3.x, 5.5.5.x and 6.6.6.x), each with inservice; serverfarm WEBFARM / APPFARM / DBFARM; class-map match-all SSL_VIP_CLASS (match virtual-address 2.2.2.22 tcp eq https), APP_VIP_CLASS (match virtual-address 4.4.4.44 tcp eq 8081), DB_VIP_CLASS (match virtual-address 5.5.5.55 tcp eq 1531); policy-map type loadbalance first-match SSL-MATCH / APP-MATCH / DB-MATCH with sticky-serverfarm sn_cookie; policy-map multi-match WEB-VIP / APP-VIP / DB-VIP with loadbalance vip inservice, loadbalance vip icmp-reply, loadbalance vip advertise active; interface vlan 222, service-policy input
• switch1/switch2/switch3: int eth 2/3-5, 3/3-5, 4/3-5, switchport mode access, switchport access vlan 80 / 90 / 100 (vlan 999 also appears), no shut
The point of the slide: every tier's firewall ACLs and NAT, load-balancer VIPs and switch VLANs are configured by hand on separate devices and have to be kept consistent with each other.
Service Insertion
Traditional Service Insertion
Inserting additional service devices significantly increases the contracts & VLANs to manage.

Routes (the pcTag column is the class a destination in that subnet resolves to):
  VRF  Route  pcTag  Flags
  V1   S1     1      proxy
  V1   S2     FW1    Enforce Policy
  V2   S1     FW2    Enforce Policy
  V2   S2     1      proxy

Contracts:
  Contract  VRF  Action  Src   Dst   Filter
  C1        V1   permit  EPG1  FW1   HTTP
  C1        V1   permit  FW1   EPG1  HTTP
  implicit  V1   deny    any   any   all
  C1        V2   permit  EPG2  FW2   HTTP
  C1        V2   permit  FW2   EPG2  HTTP
  implicit  V2   deny    any   any   all

(Figure: Consumer EP1 in BD1 / EPG1 / Subnet S1 – FW1 (VRF V1) | FW2 (VRF V2) – Provider EP2 in BD2 / EPG2 / Subnet S2.)
The Networking Challenge
The Application Challenge
ACI Service Insertion
A Unified Approach to Service Insertion
Contract Structure
• A contract contains:
  • One or more subjects. A subject points to:
    • One or more filters. A filter contains:
      • One or more entries. An entry defines the protocol and the source/destination port ranges (sport/dport), e.g. "from unspecified to port 80": any source port to destination port 80.
(Figure: Contract → Subject (…n) → Filter (…n) → FilterEntry (…n), with the example entry "from unspecified to port 80".)
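A worked example of the structure above, added here and not taken from the deck or from any Cisco tool: it builds the JSON the APIC REST API accepts for a tenant with two filters and one contract whose subject references both, then flattens the tree back to the set of destination ports each contract exposes. That flattening is the check worth doing before pushing, because anything outside the listed entries falls under the implicit deny. The tenant, contract, filter and entry names are hypothetical; vzBrCP, vzSubj, vzRsSubjFiltAtt, vzFilter, vzEntry and their attributes are the APIC managed-object names.

```python
"""Build the APIC object tree for a contract: Contract -> Subject -> Filter -> Entry.

Added example (not from the Cisco Live deck or any Cisco tool). The tenant,
contract, filter and entry names are hypothetical; the class and attribute
names (fvTenant, vzFilter, vzEntry, vzBrCP, vzSubj, vzRsSubjFiltAtt) are the
managed-object names used by the APIC REST API.
"""
import json

UNSPECIFIED = "unspecified"


def filter_entry(name, prot="tcp", dport=None, sport=None, ether_type="ip"):
    """One vzEntry: protocol plus optional source/destination port ranges.

    A port of None is written as 'unspecified' (any port), which is the
    'from unspecified to port 80' case on the Contract Structure slide.
    """
    def port_range(p):
        if p is None:
            return UNSPECIFIED, UNSPECIFIED
        lo, hi = p if isinstance(p, tuple) else (p, p)
        if not (1 <= int(lo) <= int(hi) <= 65535):
            raise ValueError(f"bad port range {p!r}")
        return str(lo), str(hi)

    s_from, s_to = port_range(sport)
    d_from, d_to = port_range(dport)
    return {"vzEntry": {"attributes": {
        "name": name, "etherT": ether_type, "prot": prot,
        "sFromPort": s_from, "sToPort": s_to,
        "dFromPort": d_from, "dToPort": d_to,
    }}}


def vz_filter(name, entries):
    return {"vzFilter": {"attributes": {"name": name}, "children": entries}}


def contract(name, subjects, scope="context"):
    """vzBrCP with one vzSubj per (subject_name, [filter names]) pair.

    scope='context' limits the contract to one VRF; 'tenant' or 'global' is
    needed when consumer and provider live in different VRFs.
    """
    if scope not in ("context", "tenant", "global", "application-profile"):
        raise ValueError(f"bad scope {scope!r}")
    children = []
    for subj_name, filter_names in subjects:
        children.append({"vzSubj": {
            "attributes": {"name": subj_name},
            "children": [{"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": f}}}
                         for f in filter_names],
        }})
    return {"vzBrCP": {"attributes": {"name": name, "scope": scope},
                       "children": children}}


def tenant_payload(tenant, filters, contracts):
    """Body for POST /api/mo/uni/tn-<tenant>.json (hypothetical tenant name)."""
    return {"fvTenant": {"attributes": {"name": tenant},
                         "children": filters + contracts}}


def permitted_ports(payload):
    """Flatten the tree to {contract: {(prot, dport_from, dport_to), ...}}.

    Review check: a contract should expose only the ports you intended;
    everything not listed is dropped by the implicit deny.
    """
    children = payload["fvTenant"]["children"]
    filters = {}
    for child in children:
        if "vzFilter" in child:
            f = child["vzFilter"]
            filters[f["attributes"]["name"]] = {
                (e["vzEntry"]["attributes"]["prot"],
                 e["vzEntry"]["attributes"]["dFromPort"],
                 e["vzEntry"]["attributes"]["dToPort"])
                for e in f["children"]}
    result = {}
    for child in children:
        if "vzBrCP" in child:
            c = child["vzBrCP"]
            ports = set()
            for subj in c["children"]:
                for rel in subj["vzSubj"]["children"]:
                    ports |= filters[rel["vzRsSubjFiltAtt"]["attributes"]["tnVzFilterName"]]
            result[c["attributes"]["name"]] = ports
    return result


def build_web_contract():
    """The slide's case: a web contract allowing any source port to tcp/80 and tcp/443."""
    http = vz_filter("http", [filter_entry("tcp-80", dport=80)])
    https = vz_filter("https", [filter_entry("tcp-443", dport=443)])
    web = contract("web-application", [("web", ["http", "https"])])
    return tenant_payload("lab-tenant", [http, https], [web])


if __name__ == "__main__":
    print(json.dumps(build_web_contract(), indent=2))
```

After logging in at /api/aaaLogin.json, the printed body is posted to /api/mo/uni/tn-lab-tenant.json; a missing filter name in a vzRsSubjFiltAtt raises a KeyError in permitted_ports, which is the right time to notice it rather than after APIC has created a subject that references nothing.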
How Service Graphs work
• Service Graph Templates define HOW traffic should flow
• The Device tells us how many interfaces and logical connectors are on the Service Devices
(Figure: EP1 – L1 – L2 – EP2.)
Service Template and Graph Definition
(Figure: Service Graph "web-application"; each node has Connectors (VLANs) on either side, and a connector may be marked Redirect.)
What are shadow EPGs?
• External and internal interfaces
• A ‘two armed’ example
(Figure: Cons – L1 – L2 – Prov, with the Consumer Connector on the consumer side.)
How Service Graphs work
A quick review
• Devices
  • The physical device & the interfaces it connects to in the fabric. Converted to a Consumer Connector and a Provider Connector
• Contract
  • Places the contract between Consumer & Provider and the shadow EPG
So, What is Managed vs Unmanaged?
Service Policy mode vs Network Policy mode
What is L4-L7 Device Package?
Cloud Orchestrators + ACI : FW-aaS & LB-aaS
Logical Devices and Concrete Devices
Policy Based Redirect (PBR)
• Inspect all OR specific traffic by FW
• One-arm ADC w/o SNAT
• APIC 2.0 or later
(Figure: EPG Client –[Contract: Redirect]– EPG Web, with the FW in a Service BD.)
Only HTTP traffic is redirected to the FW, and then forwarded on to the Web endpoint by the FW. Other traffic permitted by the contract goes to the Web endpoint directly.
Path of Packet
1. EP1 sends packet to EP2 via Leaf 1 (L1)
2. L1 does policy lookup – Redirect to Service BD/Service MAC. Send to Proxy (the spine proxy)
3. MAC Proxy does MAC lookup in hardware COOP DB
4. Traffic is sent to Service Leaf (L2) & L2 sends traffic to Service Device
5. Service Device sends traffic back to router MAC. Dest IP is EP2. Policy lookup is made
(Figure: EP1 – L1 – L2 – EP2 with steps 1–5 marked on the path.)
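An added model, not the deck's or APIC's code, of the two lookups on the Traditional Service Insertion slide and of the PBR path of packet above: a per-VRF route table classifies the destination IP into a pcTag, then the zoning rules (source pcTag, destination pcTag, filter) return permit, deny or redirect. It runs the same EP1-to-EP2 flows through both designs so the difference is visible: with the firewall as a routed hop you need contracts in two VRFs and the unfiltered flow is denied on the first leg, whereas with PBR one VRF carries a redirect rule for HTTP, a permit for the other allowed ports and a permit for the leg that returns from the service node (step 5). The subnets, pcTag labels, service MAC and the 'svc' shadow-EPG name are made up; locally attached subnets are classified by their EPG label instead of the endpoint lookup the slide marks as 'proxy'.

```python
"""Two lookups from the Traditional Service Insertion slide, then the PBR case:
a per-VRF route table classifies the destination into a pcTag, and the zoning
rules (src pcTag, dst pcTag, filter) decide permit / deny / redirect.
Added example, not from the deck or the APIC/leaf software. Subnets, pcTag
labels, the service MAC and the 'svc' shadow-EPG name are made up; locally
attached subnets are classified by their EPG label instead of the endpoint
lookup the slide marks as 'proxy'.
"""
import ipaddress
from dataclasses import dataclass

ANY = "any"
HTTP, HTTPS, ALL = ("tcp", 80), ("tcp", 443), (ANY, ANY)
SERVICE_MAC = "00:50:56:aa:bb:01"  # hypothetical firewall MAC in the service BD


@dataclass(frozen=True)
class Packet:
    vrf: str
    src_pctag: str  # class of the sender: its EPG, or the service (shadow) EPG
    dst_ip: str
    prot: str
    dport: int


@dataclass(frozen=True)
class Rule:
    vrf: str
    src: str               # pcTag or ANY
    dst: str               # pcTag or ANY
    filt: tuple            # (prot, dport); ALL matches everything
    action: str            # "permit", "deny" or "redirect"
    redirect_to: str = ""  # service-node MAC, only for redirect rules


class Fabric:
    def __init__(self, routes, rules):
        # routes: {vrf: [(prefix, pcTag)]}; rules: list of Rule
        self.routes = {v: [(ipaddress.ip_network(p), t) for p, t in lst]
                       for v, lst in routes.items()}
        self.rules = rules

    def classify(self, vrf, ip):
        """Longest-prefix match of the destination IP to a pcTag (the route table)."""
        addr = ipaddress.ip_address(ip)
        hits = [(n, t) for n, t in self.routes.get(vrf, []) if addr in n]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

    @staticmethod
    def _matches(rule, pkt, dst_tag):
        prot, dport = rule.filt
        return (rule.vrf == pkt.vrf and rule.src in (ANY, pkt.src_pctag)
                and rule.dst in (ANY, dst_tag) and prot in (ANY, pkt.prot)
                and dport in (ANY, pkt.dport))

    def lookup(self, pkt):
        """(action, next hop): the dst pcTag, or the service MAC on redirect."""
        dst_tag = self.classify(pkt.vrf, pkt.dst_ip)
        if dst_tag is None:
            return ("deny", "no-route")
        # Contract rules are consulted before the implicit any/any deny.
        ordered = sorted(self.rules, key=lambda r: (r.src, r.dst) == (ANY, ANY))
        for rule in ordered:
            if self._matches(rule, pkt, dst_tag):
                return (rule.action, rule.redirect_to or dst_tag)
        return ("deny", "no-rule")


def traditional_fabric():
    """Two VRFs; the firewall is the routed next hop between S1 and S2."""
    routes = {"V1": [("10.1.0.0/24", "EPG1"), ("10.2.0.0/24", "FW1")],
              "V2": [("10.1.0.0/24", "FW2"), ("10.2.0.0/24", "EPG2")]}
    rules = [Rule("V1", "EPG1", "FW1", HTTP, "permit"),
             Rule("V1", "FW1", "EPG1", HTTP, "permit"),
             Rule("V1", ANY, ANY, ALL, "deny"),
             Rule("V2", "EPG2", "FW2", HTTP, "permit"),
             Rule("V2", "FW2", "EPG2", HTTP, "permit"),
             Rule("V2", ANY, ANY, ALL, "deny")]
    return Fabric(routes, rules)


def pbr_fabric():
    """One VRF; HTTP is redirected to the service MAC, other permitted traffic goes direct."""
    routes = {"V1": [("10.1.0.0/24", "EPG1"), ("10.2.0.0/24", "EPG2"),
                     ("10.9.0.0/24", "svc")]}
    rules = [Rule("V1", "EPG1", "EPG2", HTTP, "redirect", SERVICE_MAC),
             Rule("V1", "EPG1", "EPG2", HTTPS, "permit"),
             Rule("V1", "svc", "EPG2", HTTP, "permit"),  # step 5: back from the FW
             Rule("V1", ANY, ANY, ALL, "deny")]
    return Fabric(routes, rules)


def walk():
    """EP1 (EPG1) talks to EP2 at 10.2.0.5 under both designs."""
    trad, pbr = traditional_fabric(), pbr_fabric()
    return {
        "trad_http_leg1": trad.lookup(Packet("V1", "EPG1", "10.2.0.5", "tcp", 80)),
        "trad_http_leg2": trad.lookup(Packet("V2", "FW2", "10.2.0.5", "tcp", 80)),
        "trad_ssh": trad.lookup(Packet("V1", "EPG1", "10.2.0.5", "tcp", 22)),
        "pbr_http": pbr.lookup(Packet("V1", "EPG1", "10.2.0.5", "tcp", 80)),
        "pbr_http_return": pbr.lookup(Packet("V1", "svc", "10.2.0.5", "tcp", 80)),
        "pbr_https": pbr.lookup(Packet("V1", "EPG1", "10.2.0.5", "tcp", 443)),
        "pbr_ssh": pbr.lookup(Packet("V1", "EPG1", "10.2.0.5", "tcp", 22)),
        "rule_count": (len(trad.rules), len(pbr.rules)),
    }


if __name__ == "__main__":
    for name, result in walk().items():
        print(f"{name:16} {result}")
```

The "svc" to EPG2 permit is the rule people forget when building PBR by hand: without it the packet the firewall hands back in step 5 hits the implicit deny even though the redirect worked, and the flow looks like a firewall problem rather than a contract problem.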
PBR Features
Policy Based Redirect (PBR)
(Figure: EPG Client (Cons) –[Contract: Redirect]– EPG Web (Prov); the service device has one interface in BD-Out and one in BD-In, each at .250.)
Lab Time!
Lab Guide
• URL - http://bit.ly/cl20-2226
Remote Desktop
173.36.211.5:443
Username:
studentXX@lab.test.local
SuperPuTTY
Overall Lab Topology
• ACI Fabric
• Spines
• Leafs
• APICs
• Servers
• ASAv
• F5 Big-IP VE
• Ansible server
• Linux VMs
• ASA 5585-X
Pre-Lab and Lab 1
(Figure: RDP Server – External Router – lab1-l3out – ACI fabric – ASA H/A, Multi-CTX – svc-bd – web-bd, shown for two student pods.)
Lab 2
(Figure: RDP Server – External Router – lab2-l3out – ACI fabric – BIG-IP – vip-bd – web-bd, shown for two student pods.)
F5 ACI ServiceCenter – API driven native BIG-IP + ACI solution
(Roadmap table; recovered cells: Phase I – Shipping, F5 Supported; Phase 2 – Quarterly Release; later phases – Future. Also on the page: studentXX-vm04, studentXX-vm05.)
F5 Labs now available in dCloud
Available to all Cisco dcloud users today
CISCO LIVE EMEA
Booth number 24C
Complete your online session survey
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.
Continue your education
Thank you