
Introduction to ACI

Welkin Tiantang He – Technical Leader


BRKACI-2000
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session.

How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Applications Are Evolving

[Figure: Agent Smith, The Matrix (1999-2003)]

• Faster Deployment
• Anywhere, Anytime
• Programmability
• Security
Legacy Infrastructure Slows Readiness for Apps

[Figure: legacy network segmentation by VLAN and access control lists]
Agenda

• System Building Blocks
• Forwarding Packets
• More Than Switching
• Wrap Up

Application Centric Infrastructure

Declarative Intent-based Automation
Logical Network Provisioning of Stateless Hardware
Rapid Deployment of Applications onto Networks with Scale, Security and Full Visibility

[Figure: the ACI fabric with an integrated VXLAN overlay, (group-based) application policies and the APIC controller]
Phone Box – Entry from Matrix to Spaceship

[Figure: The Matrix; the phone box is the entry point from the Matrix to the spaceship]
VxLAN Overview

[Figure: VTEP-1 and VTEP-2, each with an IP interface, connected across an IP network; each VTEP attaches a local LAN segment (Server-1/ServerA behind VTEP-1, Server-2/ServerB behind VTEP-2); the VNID carried in the tunnel represents the segment]

• VXLAN tunnel endpoint (VTEP)
• Virtual network identifier (VNID) or VXLAN segment ID
ACI Fabric
Which Leaf has the Destination MAC/IP?

[Figure: spines VTEP-201 and VTEP-202 form the IP network; leaves VTEP-101 to VTEP-104 connect to the spines over 40G/100G Layer 3 links running IS-IS and BGP; APIC1-2 and APIC3 attach to leaves over 10G Layer 2 links; "P" marks the policies pushed to the leaves]
Quiz Time

A Controller For The Fabric

Let’s Imagine a Network Switch …
… at the Moment, Largely Configured on the CLI
How Traditional Networks are Managed
All nodes are managed and operated independently, and the actual topology dictates a lot of configuration
• Device basics: AAA, syslog, SNMP, default routing protocol bandwidth …
• Interface and/or Interface Pairs: UDLD, BFD, MTU, interface route metric, channel hashing, Queuing, LACP, …
• Switch Pair/Group: HSRP/VRRP, VLANs, vPC, STP, HSRP sync with vPC, Routing peering, Routing Policies, …
• Application specific: ACL, PBR, static routes, QoS, ...
How ACI Fabric is Built - Zero Touch

[Figure: ACI Fabric; Spine-201, Spine-202, Leaf-101 to Leaf-103 and APIC1 to APIC3 discover each other over LLDP]
How ACI Fabric is Managed
• Configuration
• Resource Management
• Operations

ACI resolved all problems…
Quiz Time

The Policy Model

What Do We Mean by Policy ?

Application Language
• Application tier policy and dependencies
• Security requirements
• Service-level agreement
• Application performance
• Compliance
• Geo dependencies

[Figure: a policy-driven Application Profile decouples the application and its policy from the underlying infrastructure (network, services, compute/storage); the profile is expressed in a common network language, an infrastructure language and a security language]

This is what we call Policy
Policies
• Access Policies = Define how a switch or switch port is configured. Specifically Ethernet and link layer properties such as LLDP, LACP, CDP, speed/duplex, etc.
• Tenant Policies = Govern traditional networking. This is where logical connectivity is defined.
• Access policies and Tenant policies work in tandem to define where and how endpoints or applications are connected

[Figure: Tenant Policies layered on top of Access Policies]
Access Policies

[Figure: the access policy objects and how they chain together]
• Global Policies: vlan-pool (100-400), Phy/VMM Domain, AEP
• Interface Policies: Link level, Fibre Channel interface policy, Slow Drain policy, CDP Interface, LLDP interface, Port Channel, Port Channel Member, Spanning Tree Interface, Storm control, Data Plane Policing, MCP Interface, L2 Interface, Port Security, Firewall
• Interface Policy Group, Interface Profile, Interface Selector (1-48)
• Switch Policies: Switch Profile, Switch IDs (100-199)

Result: Switch 100 – 199, Interface 1 - 48
Allowed to Use VLAN 100-199, VxLAN 8300-8399
With the default interface level settings
Tenant Policies

• Tenant ≈ VDC
• VRF ≈ VRF
• Bridge Domain ≈ Broadcast Domain / Subnet / SVI
• End Point Group: VLAN / IP / MAC / OS / VM attributes
Application Profiles
Application profiles are a group of EPGs and the policies that define the communication between them.

[Figure: an Application Profile containing EPG - WEB, EPG - APP and EPG - DB, with Inbound/Outbound Policies between them; together they form the POLICY MODEL]
Contract - Intent for Inter-EPG Communication
Scope: Tenant, VRF or Application Profile

[Figure: EPG-Client consumes a contract provided by EPG-Web]
Contract
  Subject: web
  Filters   Action
  HTTP      Permit
  HTTPS     Permit

Contract = EPG based ACL + Routing Co-ordinations
Network Centric Or Application Centric
Network Centric Configuration

[Figure: one Tenant with a VRF/Routing Table; three Bridge Domains (VLAN 10 BD 10.10.10.1/24, VLAN 20 BD 10.10.20.1/24, VLAN 30 BD 10.10.30.1/24), each with a matching EPG (VLAN 10 EPG, VLAN 20 EPG, VLAN 30 EPG) joined by Any-Any Contracts; the tenant connects to an external switch over an L2 External (802.1q Trunk) and an L3 External (Routed Interface)]
Application Centric Configuration

[Figure: one VRF; a single Bridge Domain with a single subnet 172.16.0.0/12; WEB EPG, APP EPG and DB EPG inside that Bridge Domain]
Extending to External - L2/L3 Out
L3/L2 out - External Connection

[Figure: ACI Fabric with Border Leaves and Compute Leaves; border leaves connect outside over BGP, EIGRP, OSPF/Static or an 802.1Q Trunk]
L2 Out

[Figure: VRF/Routing Table with two Bridge Domains (10.10.10.1/24 and 20.20.20.1/24), each with a VLAN EPG; an L2 Out on leaf-101 int1/8 (trunk vlan-100) maps to the L2 Out EPG, External EPG-1]
L3 out Routing

ACI VRF/Routing Table:
  10.10.10.0/24 - BD
  20.20.20.0/24 - BD
  30.30.30.0/24 - L3-Out

External router routing table:
  30.30.30.0/24 - connected
  10.10.10.0/24 - ACI
  20.20.20.0/24 - ACI

[Figure: two Bridge Domains (10.10.10.1/24 and 20.20.20.1/24) with VLAN EPGs; L3 Out on leaf-102 int1/8, routed, ip 10.10.9.2/24; External EPG-1 with Subnet 30.30.30.1/24]
Shared L3 Out - Flexibility in Routing

VRF-1:
  10.10.10.0/24 - BD
  30.30.30.0/24 - L3-Out

VRF-2:
  20.20.20.0/24 - BD
  30.30.30.0/24 - L3-Out

Common VRF: L3 Out

External router routing table:
  30.30.30.0/24 - connected
  10.10.10.0/24 - ACI
  20.20.20.0/24 - ACI

[Figure: Bridge Domain 10.10.10.1/24 (VLAN EPG) in VRF-1 and Bridge Domain 20.20.20.1/24 (VLAN EPG) in VRF-2; a single L3 Out in the Common VRF on leaf-102 int1/8, routed, ip 10.10.9.2/24, with External EPG-1 Subnet 30.30.30.1/24]
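The L3 Out and Shared L3 Out slides show the routing tables but not the rule that produces them: the external subnet learned through the one L3 Out is leaked into each tenant VRF, and BD subnets are advertised to the router, while the tenant VRFs still do not see each other's BD subnets. The following is an added example, not code from the deck or from APIC; the prefixes are the ones on the slides, and the leak and advertise helpers are a constructed model of that behaviour, with longest-prefix-match lookup per VRF.

```python
"""Per-VRF routing tables with a shared L3 Out.

Added example for the L3 Out / Shared L3 Out slides; not code from the deck
or from APIC. Prefixes are the slides' values; `leak_external` and
`advertise_bd_subnets` are a constructed model of what the fabric does.
"""
import ipaddress


class Vrf:
    """A routing table keyed by prefix, with longest-prefix-match lookup."""

    def __init__(self, name: str):
        self.name = name
        self.routes: dict = {}   # ip_network -> source label ("BD", "L3-Out", ...)

    def add(self, prefix: str, source: str) -> None:
        self.routes[ipaddress.ip_network(prefix)] = source

    def lookup(self, ip: str):
        """Return (prefix, source) of the most specific match, or None."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, source in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, source)
        return None if best is None else (str(best[0]), best[1])


def leak_external(l3out_vrf: Vrf, prefix: str, tenant_vrfs: list) -> None:
    """Shared L3 Out: an external subnet learned in the common VRF is leaked
    into each tenant VRF that uses the L3 Out, where it shows up as L3-Out."""
    if ipaddress.ip_network(prefix) not in l3out_vrf.routes:
        raise KeyError(f"{prefix} is not known in {l3out_vrf.name}")
    for vrf in tenant_vrfs:
        vrf.add(prefix, "L3-Out")


def advertise_bd_subnets(tenant_vrfs: list, external_router: Vrf) -> None:
    """BD subnets leave through the L3 Out and appear in the external
    router's table as learned from ACI."""
    for vrf in tenant_vrfs:
        for net, source in vrf.routes.items():
            if source == "BD":
                external_router.add(str(net), "ACI")


def build_shared_l3out():
    """Reproduce the Shared L3 Out slide: VRF-1, VRF-2, the Common VRF that
    owns the L3 Out, and the external router on the far side of it."""
    vrf1, vrf2, common = Vrf("VRF-1"), Vrf("VRF-2"), Vrf("Common VRF")
    external = Vrf("External router")
    vrf1.add("10.10.10.0/24", "BD")
    vrf2.add("20.20.20.0/24", "BD")
    external.add("30.30.30.0/24", "connected")
    common.add("30.30.30.0/24", "L3-Out")   # learned from the router via the L3 Out
    leak_external(common, "30.30.30.0/24", [vrf1, vrf2])
    advertise_bd_subnets([vrf1, vrf2], external)
    return vrf1, vrf2, common, external


if __name__ == "__main__":
    for vrf in build_shared_l3out():
        print(vrf.name, {str(n): s for n, s in vrf.routes.items()})
```

The lookups worth checking are the negative ones: a host in VRF-1 has no route to VRF-2's 20.20.20.0/24 even though both VRFs share the same L3 Out, which is the isolation a shared external connection must preserve.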
Agenda

• System Building Blocks
• Forwarding Packets
• More Than Switching
• Wrap Up

IP and MAC Forwarding

IP Forwarding:
• DMAC is pervasive gateway MAC
• Lookup in VRF by DIP
• HW learning of Source IP, MAC
• Publish IP, VTEP to Spine for Proxy

MAC Forwarding:
• DMAC is another EP
• Lookup in BD by DMAC
• HW learning of Source MAC Only
• Publish MAC, VTEP to Spine for Proxy

[Figure: endpoints 172.16.1.11 (0000.1721.6111), 10.1.2.11 (0000.1011.1211), 10.6.3.2 (0000.1616.3232) and 10.6.3.17 (0000.1616.1717)]
Location Independent Forwarding
Pervasive Gateway and ARP Unicast

[Figure: each leaf hosts the pervasive gateway for the subnets present on it (GW:10.1.3.1, GW:10.6.3.1, GW:10.2.3.1, GW:10.1.3.1); endpoints 10.1.3.11, 10.6.3.2, 10.2.3.35 and 10.1.3.35; ARP is forwarded as unicast]
Host Routing IPv4 and IPv6
• Inline Hardware Mapping DB - 1,000,000+ hosts
• COOP Database contains addresses of ‘all’ hosts attached to the fabric
• Remote endpoint and its VTEP are cached for 5 minutes by default
• Local endpoints are cached for 15 minutes by default

[Figure: spine proxy mapping DB: 10.1.3.35 - Leaf 3, 10.1.3.11 - Leaf 1, fe80::8e5e - Leaf 4, fe80::5b1a - Leaf 6; a leaf's own table: 10.2.3.35 - Leaf 3, 10.1.3.11 - Port 9, * - Proxy A; endpoints 10.1.3.11, 10.2.3.35, fe80::462a:60ff:fef7:8e5e, fe80::62c5:47ff:fe0a:5b1a]
External Subnet Routing

[Figure: endpoints 10.1.3.11 and 10.1.3.35 reach External EPG-1 (30.30.30.1/24) via the spine proxies]
Forwarding Scope

[Figure: one Tenant with VRF1 and VRF2; IP forwarding happens within a VRF, MAC forwarding within a BD, and inter-VRF leaking between VRF1 and VRF2 is governed by a Contract]
• VRF1: BD1 with BD-SVI 192.168.0.254/24 and a secondary BD-SVI 192.168.1.254/24; BD2 with BD-SVI 5.0.0.254/24
• VRF2: BD3 with BD-SVI 10.0.0.254/24
• Every BD-SVI uses the same gateway MAC 0022.bdf8.19ff
• EPG1 to EPG5 sit in these BDs; traffic between EPGs crosses a Contract
• Endpoints: EP-A 192.168.0.1 / 0000.0000.1111, EP-B 192.168.0.2 / 0000.0000.2222, EP-C 192.168.0.3 / 0000.0000.3333, EP-D 192.168.1.1 / 0000.1111.1111, EP-E 5.0.0.1 / 0000.5555.5555, EP-F 10.0.0.1 / 0000.1010.1010
High Level Packet Walk (Information Only)

1. Packet sourced from a physical server on Leaf-101/1/10, vlan-8. Endpoints are identified by interface and VLAN ID; there is no requirement to use the same VLAN on every Leaf.
2. Leaf swaps the ingress encapsulation with the VXLAN (EPG) ID and performs any required policy functions.
3a. If the ingress Leaf has learned the destination IP to egress VTEP binding, it sets the required destination VTEP address and forwards.
3b. If the ingress Leaf has NOT learned the destination IP to egress VTEP binding, it sets the required destination VTEP to the Spine Proxy VTEP.
4. Egress Leaf removes the VXLAN (EPG) ID and performs any required policy functions.
5. Packet delivered to the physical server.

Tenant: ESXi-Hosts; VRF: 01 (Anycast gateway); BD: ESXi (Hardware Proxy: Yes, ARP Flooding: No, Unknown Unicast Flooding: No, IP Routing: Yes); ANP: ESXi-Hosts; EPG: Host-Mgmt Security Zone. Communication is allowed within the EPG.

[Figure: packet format at each hop: IP Payload on the access ports (vlan-8 on Leaf-101 to Leaf-106, port 1/10), and VTEP | VXLAN | IP Payload between the leaves (L1, L6) and the spine (S1); APIC programs the leaves]
Quiz Time

Security – Segmentation
ACI Whitelist Policy Supports “Zero Trust” Model

TRUST BASED ON LOCATION (Traditional DC Switch): servers 1 to 4 on one switch; Servers 2 and 3 can communicate unless blacklisted
ZERO TRUST ARCHITECTURE (Nexus 9K with ACI): servers 1 to 4 in EPG 1 “WEB” and EPG 2 “APP”; no communication allowed between Servers 2 and 3 unless there is a whitelist policy
ACI Delivers Hypervisor-Agnostic Micro Segmentation

EPG Based - Basic DC Segmentation, Network-Centric
• PROD / DMZ (VLAN 1), POD (VXLAN 2), SHARED SERVICES (VLAN 3)
• DEV, TEST and PROD separated by FW

Attributes Based - Application Tier Policy Group Segmentation
• WEB, APP and DB tiers
• Attributes: IP ‘1.1.1.1’, OS ‘Linux’, Name ‘Video’

Intra-EPG Based - Isolate Intra-EPG
• Quarantine Compromised Workloads
• Isolate Workloads within Application Tier
• Isolation, instead of All Workloads Can Communicate

ACI Benefits
• Application Lifecycle Segmentation
• Service Level Segmentation
Agenda

• System Building Blocks
• Forwarding Packets
• More Than Switching
• Wrap Up

ACI – Hypervisors (Information Only)

[Figure: each hypervisor attaches to the fabric over V(X)LAN with OpFlex: KVM with Open vSwitch and an OpFlex Agent; ESXi with VMware DVS or Cisco AVE; Hyper-V with the MSFT vSwitch; Docker with Open vSwitch and an OpFlex Agent; VMs and Docker containers sit behind each]
ACI VMWare Integration – Manual to Automated

1. Cisco APIC and VMware vCenter initial handshake
2. Create VDS (Virtual Distributed Switch)
3. Attach hypervisor to VDS
4. Learn location of ESX host through LLDP
5. APIC Admin creates the Application Policy (Application Network Profile with EPG WEB, EPG APP, EPG DB, F/W and L/B)
6. Automatically map EPGs to Port Groups
7. Create Port Groups (WEB, APP and DB port groups) on the vCenter Server / vShield
8. VI/Server Admin instantiates VMs and assigns them to Port Groups
9. Push Policy to the ACI Fabric
Cisco ACI – Microsoft Integration
Microsoft System Centre/Azure Pack

• Policy Management: APIC / Azure Pack
• VM Discovery: OpFlex
• Encapsulation: VLAN
• Zero touch network provisioning
• Service Insertion (Physical/Virtual)

[Figure: Azure Pack Portal (Websites, Apps, Database, VMs) with a Consumer Self-Service Portal and an ACI Provider Portal; Microsoft System Centre R2 with Service Provider Foundation (Websites, VMs, SQL, Service Bus, ACI Provider Service); an OpFlex Driver connects down to the ACI FABRIC]
Quiz Time

Control of Layer 4/7 Services

Cisco ACI Service Insertion
Extending ACI Policy Model to L4-L7 Services

Application Centric Infrastructure Building Blocks

[Figure: a traditional 3-tier application (WEB, ACC, APP, DB) with physical + virtual FW and ADC, described by an Application Network Profile; the controller policy model runs on Nexus 9300 and 9500 and extends to F5 BIG-IP]

Policy Model Extended to L4-L7

Building blocks of ACI
• Application: 3 tier application (WEB-APP-DB). This may use ADC, FW services
• Policy model: Define QOS, Security, Network, L4-L7 etc. to be applied to EPG
Service Graph Overview

[Figure: EPG – Contract – EPG with a Service Graph attached to the contract; APIC programs the ACI Fabric (spines Node-201/VTEP-4 and Node-202/VTEP-5, leaves Node 101/VTEP-1 and Node-103/VTEP-3); endpoints EP1 to EP4 with FW1 and LB1 inserted in the path]

• Network automation
• L4-L7 configuration automation
Managed vs. Unmanaged mode
The network-only switching feature gives the customer the flexibility to use only network automation for the service appliance; the configuration of the L4-L7 device itself is left to the customer, who can keep the current L4-L7 device configuration administration.

1: configure the ACI Fabric for the L4-L7 service appliance
2: configure the L4-L7 service appliance (L4-L7 Admin)
Quiz time

Visibility and Automation

ACI - Troubleshooting and Operation Tools

APPs Listed in ACI AppCenter
Agenda

• System Building Blocks
• Forwarding Packets
• More Than Switching
• Wrap Up

ACI - The Matrix for Your Application

[Figure: legacy network segmentation by VLAN and access control lists, compared with ACI]
• App Deployment – Weeks vs. Minutes
• Any workload, Anywhere
• North-Bound APIs, South Bound Orchestration
• Whitelist Model, Micro Segmentation
APAC ACI Solution Support Team

11 out of 13 hold at least one CCIE, with a deep understanding of ACI, DCN, Security and Server virtualization
ACI – we have the best engineering support
The 3 AM group at Sandy Bay Meeting

The best way to learn is teaching,
The best SDN solution is ACI,
The best engineering team is INSBU!

--ACI Solution Support Team
Q&A

Complete Your Online Session Evaluation
• Give us your feedback and receive a Cisco Live 2018 Cap by completing the overall event evaluation and 5 session evaluations.
• All evaluations can be completed via the Cisco Live Mobile App.
Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Global.

Thank you
