CISCO
ACI-FE M01
ACI Overview
Agenda
• SDN/Overlay Networking Primer
• Cisco ACI Overview and Terminology
• Logical Model Overview
• Concrete Model Overview
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Mapping the ACI Logical Model to 7 Layer OSI for Network Engineers
7 Layer OSI Model: ACI Constructs that apply
Application, Presentation, Session, Transport (Layers 4-7): Contracts, Graphs, ANP
SDN/Overlay Networking Primer
Industry Trends
[Figure: vendor and open-source logos grouped under DevOps (e.g. puppet, Chef), Control Plane, Network Virtualization / Programmability, and Data Plane (e.g. ARISTA, cumulus networks)]
New operational models are driving the need for infrastructure change.
SDN
Software Defined Networking
[Figure: SDN control plane]
Software Overlays - Network Virtualization
[Figure: Virtual Network 2 and Virtual Network 3 (NVGRE) as encapsulated traffic carried over an L3 routed non-blocking ECMP CLOS fabric]
SDN gets into this topic of underlays and overlays. We start with an L3 routed non-blocking
ECMP network that represents the 'underlay'. In the case of SDN, most of the time the
overlay is going to be encapsulation based.
Cisco ACI Overview and Terminology
ACI Introduces Logical Network Provisioning of Stateless Hardware
[Figure: traffic from Outside (Tenant VRF) passes through filters and QoS to the Web, App and DB tiers; the ACI Fabric (Integrated VXLAN Overlay) is programmed by the Application Policy Infrastructure Controller]
Here we see an overview of a typical 3-tier application. As data comes from the
outside, we filter it and apply some QoS before sending it to the Web tier. Similarly, as
the data flows to the App tier, QoS parameters or the services allowed there are applied;
then the App tier has to talk to the DB. With ACI we build the relationship
between these objects in the network. We define this in a logical manner, and we want
the hardware to be stateless.
Application Network Profile
Policy-Based Fabric Management
Extend the principle of Cisco UCS® Manager Service Profiles to the entire fabric
• Network profile: stateless definition of application requirements
  - Application tiers
  - Connectivity policies
  - Layer 4-7 services
  - XML/JSON schema
• Fully abstracted from the infrastructure implementation
  - Removes dependencies of the infrastructure
  - Portable across different data center fabrics
The ANP fully describes the application connectivity requirements
Network Profile: Defines Application Level Metadata (Pseudo Code Example)
<Network-Profile = Production_Web>
  <App-Tier = Web>
    <Connected-To = Application_Client>
    <Connection-Policy = Secure_Firewall_External>
    <Connected-To = Application_Tier>
    <Connection-Policy = Secure_Firewall_Internal & High_Priority>
  <App-Tier = DataBase>
    <Connected-To = Storage>
    <Connection-Policy = NFS_TCP & High_BW_Low_Latency>
Service Profiles employed in Cisco UCS virtualize the identity and behavior of a
bare-metal server. Application Network Profiles (ANP) in ACI are similar in concept.
ANPs define who can talk to whom across the network.
Application Policy Model and Instantiation
[Figure: Application Client and application tiers, with policy rendered by APIC into the fabric]
Application policy model: Defines the application requirements (application network profile)
All forwarding in the fabric is managed through the application network profile
• IP addresses are fully portable anywhere within the fabric
• Security and forwarding are fully decoupled from any physical or virtual network attributes
• Devices autonomously update the state of the network based on configured policy requirements
The slide is an attempt to illustrate APIC rendering policy into the hardware. The
switch nodes are stateless, and with ACI we have the ability to populate the ASICs on
an as-needed basis.
• There are no saved configurations on the switch platforms.
• The only things that connect to spines are leaves; all other network-attached devices plug into the leaves.
• Overlays allow us to treat IP addresses differently: as identity (for a server), location (a VLAN), or filter (ACL).
ACI Fabric
[Figure: ACI Spines over ACI Leafs; External L2/L3, L4-7 Services and the APIC Cluster attach to the leaves; OOB Management]
ACI operates as an object-based model – totally different from the NXOS that has been
seen before. The switches running in ACI mode are only programmable via an
object-based Policy Engine operating in the APIC controller. The controller now becomes an
integrated part of the network, and holds the profiles containing the policies for
programming the switches centrally. The switches themselves do not hold a CLI
configuration file as previously used in NXOS based systems. The configuration is
held on the APIC and is an object-oriented schema written in XML/JSON and stored
in a profile to implement the policies. The policy itself consists of application-centric
information for connectivity, L1-3 IDs, and L4-7 services.
• 2 Tier Spine and Leaf Topology – With a leaf-spine network, every server on the network is exactly the same distance away from all other servers – three port hops, to be precise.
• Leaf Switches – The Leaf switches provide external connectivity into the Fabric. Multiple SKUs, usually with 10 Gig for connected devices and 40 Gig into the fabric. A combination of merchant and custom silicon. Leaf switches are the policy enforcement points.
• Spine Switches – Multiple SKUs, 40 Gig switches. They do not do policy enforcement.
• APIC Controllers – Centralized point of management for managing fabric configuration and observing the summary operational state. It is implemented using a distributed framework across a cluster of appliances. From a policy perspective, the APIC is the primary point of contact for configuration and acts as the policy repository.
What Are We Solving?
Overloaded Network Constructs
[Figure: a basic network overloaded with Policy, SLAs and L4-7 Services such as SSL Offload, Log and WAF]
It is fair to say that today we use VLANs and IP subnets as policy boundaries (i.e.
ACLs, QoS, load-balancing); VLANs carry a lot of significance. When you define a
VLAN, it is usually associated with an IP address, which can automatically imply
some security policy because of the way we use IPs. An IP address can represent an
identity, a subnet (location), or a filter (ACL entry). Tying all those things together is
really based on the idea that a VLAN represents a subnet, which can discombobulate the
original intent of the OSI model.
Application Language Barriers
Developers: Provider, Consumer, Relationships
Infrastructure Teams: VLANs, Subnets, Protocols, Ports
[Figure: box-by-box CLI configuration across router, switch1, switch2, switch3 and fw1]
router (config) # int eth 1
router (config) # ip add 6.6.6.1 255.255.255.0
router (config) # no shut
router (config) # int eth 2
switch1 (config) # int eth 1/1
switch1 (config) # switch mode acc
switch2 (config) # int eth 1/2
switch3 (config) # int eth 1/4
fw1 (config) # int eth 0/1
fw1 (config) # nameif outside
fw1 (config) # int eth 0/2
This slide illustrates all the components someone must configure to control a
packet's journey across the data center. From the cloud we have the switch and
router configurations – how many switches depends on your topology. We hit a
Firewall where an administrator configured various filters (ACLs). Another
administrator configured virtual IPs on the Load-balancers; add in SSL-offload. To the
most casual observer, the obvious point is that a lot has to be done on many devices
to control application traffic. The hidden message is that the application teams may not
necessarily understand that all this has to be done; they don't grasp the magnitude of
the process.
This is the paradigm your customers function in today. It is a very manual-intensive,
box-by-box process that typically requires multiple administrative teams. When you
consider change management, how many other entities are involved? It is typical to
have multiple administrators involved in the change notification process. Adding a
VLAN is a relatively simple process on a switch, but in an effort to stay compliant,
corporate 'change management procedures' may dictate approval from several
administrators. This has the effect of extending your implementation time-frame for
deployment.
That is the prevailing sentiment – the Network is too slow; it takes too long to get things
set up and deployed. Today it's a manually intensive process that's error prone.
[Figure: Let's add a couple more web servers (websrvr4 and websrvr5) to the Web Servers tier; App Servers and DB Servers are unchanged]
switch4 (config) # int eth 2/7 - 9
switch4 (config) # switch mode acc
switch4 (config) # switch acc vlan 333
switch4 (config) # no shut
slb1 (ADDED CONFIG)
rserver host websrvr4
  description foo web server
  ip address 3.3.3.4
  inservice
rserver host websrvr5
  description foo web server
  ip address 3.3.3.5
  inservice
serverfarm host FOOWEBFARM
  rserver websrvr4 80
    inservice
  rserver websrvr5 80
    inservice
If it has been determined that we do NOT have the necessary capacity in the Web
tier, an easy solution may be to spin up a couple more VMs. The slide illustrates
adding a couple of Web Servers and what has to happen in that event. On the switch
you would need to configure the VLANs and interfaces. The load-balancer may need
to be made aware it has a couple more devices. The point of this slide is that any change
will require configuration updates to multiple devices.
What is an Application to the Network?
It is More than just a VM or Server
• It is a collection of all the Application's End Points
  'plus'
• The Application's L2 - L7 Network Policies
  'plus'
• The Relationship between these End Points and their Policies
[Figure: Web Tier, App Tier and DB Tier End Points connected through QoS, Service and Filter policies]
ACI is an attempt to put things closer to 'application terms': traffic enters the fabric,
where it is directed through various services and filters (ACLs) before it hits the Web
tier; more filters and actions are applied as the packets travel from the Web tier to the
Application tier; all this is repeated as the App tier accesses the database.
[Figure: Outside EPG, Web Servers, App Servers, IDS/IPS and DB Servers]
Data center administration is definitely a team sport. In ACI you build a logical model
to support the application by defining End-point Groups (EPGs). End-point Groups are
a collection of end-points that require the same policy treatment. It is to the EPG
that ACI applies policy, not to individual end-points. Once you have configured your
EPGs, policy application is dictated by inserting contracts between the EPGs.
ACI can integrate service nodes by installing Device Packages – a term we'll revisit in
the L4-7 lesson.
[Figure: Outside EPG, Web Servers EPG, App Servers EPG and DB Servers EPG joined by contracts]
Outside EPG -> Web EPG: TCP ports 80 and 443, use firewall NAT
Web EPG -> App EPG: TCP port 8081, use firewall NAT, use SLB
App EPG -> DB EPG: TCP port 1433, use firewall+NAT
WEB contract
  Consumer: Outside EPG
  Provider: Web EPG
  Filter: TCP ports 80 and 443
  Contract: use firewall NAT + SLB + SSL offload
DB contract
  Consumer: App EPG
  Provider: DB EPG
  Filter: TCP port 1433
  Contract: use firewall
[Figure: the same application profile (Outside EPG -> Web EPG: TCP ports 80 and 443, use firewall NAT; Web EPG -> App EPG: TCP port 8081, use firewall NAT, use SLB; App EPG -> DB EPG: TCP port 1433, use firewall+NAT) copied from the DEV Outside EPG environment to TEST and then to PROD]
Using ACI, you can architect and build the components in a Development
environment, then export or replicate to a Test environment. Here we test the
addition of more objects (e.g. adding more web servers). With stateless hardware
and policy-based configuration in ACI, there is no requirement to re-configure the
switch. If we've integrated those services properly, changes to the load-balancer or
firewall get pushed down from the APIC. No manual intervention is needed beyond the
first step of adding the additional Web servers.
Regarding compliance (change control), the policies defined in ACI ensure
compliance; it is automatic. In essence, ACI integrates change control.
Logical Model Overview
Remember UCS & Stateless Computing?
[Figure: Service Profile]
Stateless Networking
Application Network Profile
[Figure: EPG Web, EPG App and EPG DB joined by contracts]
Contracts define "what" an EPG exposes to other app tiers and "how": TCP ports, protocols, redirects etc.
• Stateless filtering between EPGs is implicitly provided by the ACI fabric, which may be able to eliminate the need for some firewalls within the datacenter.
• Contracts define what an EPG exposes to other application tiers and 'how'.
Extend the principle of UCS service profiles to the entire fabric and we have the
Application Network Profile – which is a Stateless Definition of Application
Requirements.
ACI consists of:
• Application Tiers
Defining Terms
• End-Point Group (EPG) - Container for objects requiring the same policy treatment, i.e. app tiers or services
• Tenant - Logical separator for: Customer, BU, group etc. Separates traffic, admin, visibility, etc.
• Private-Network (L3) - Equivalent to a VRF, separates routing instances, can be used as an admin separation
• Bridge Domain (BD) - NOT A VLAN, simply a container for subnets. CAN be used to define an L2 boundary
• Contract - Contracts represent policies between EPGs. Contracts are "provided" by one EPG and "consumed" by another.
Management Information Model
[Figure: a Tenant contains L2/L3 Outside Networks, Bridge Domains (containing Subnets), Contexts (VRF), Application Profiles (containing EPGs), Contracts (containing Subjects) and Filters]
> Solid lines indicate the objects below are contained
> Dashed lines indicate a relationship
> 1:n indicates one to many
> n:n indicates many to many
Management Information Model – The fabric comprises the physical and logical
components as recorded in the Management Information Model (MIM), which can be
represented in a hierarchical management information tree (MIT). The information
model is stored and managed by processes that run on the APIC. Similar to the OSI
Common Management Information Protocol (CMIP) and other X.500 variants, the
APIC enables the control of managed resources by presenting their manageable
characteristics as object properties that can be inherited according to the location of
the object within the hierarchical structure of the MIT.
Each node in the tree represents a managed object (MO) or group of objects. MOs
are abstractions of fabric resources. An MO can represent a concrete object, such as
a switch or adapter, or a logical object, such as an application profile, endpoint group, or
fault. The diagram provides an overview of the MIT.
The hierarchical structure starts with the policy universe at the top (Root) and
contains parent and child nodes. Each node in the tree is an MO, and each object in
the fabric has a unique distinguished name (DN) that describes the object and locates
its place in the tree.
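As an added illustration of how a DN locates an MO in the MIT (example code written for these notes, not APIC's own), the following splits a DN into its relative names and lists the ancestors along which an object's place in the tree is determined; the DN shapes used (uni/tn-Production/ap-Web/epg-Web, and a bracketed path segment whose name contains slashes) are assumptions about the naming format.

```python
# Added example: splitting an ACI-style distinguished name (DN) into its path
# through the management information tree (MIT). DN shapes are illustrative.

def split_dn(dn: str) -> list:
    """Split a DN on '/' while respecting bracketed names, which may themselves
    contain '/' (e.g. a path endpoint such as pathep-[eth1/1])."""
    parts, buf, depth = [], [], 0
    for ch in dn:
        if ch == "[":
            depth += 1
        elif ch == "]":
            if depth == 0:
                raise ValueError(f"unbalanced ']' in DN: {dn}")
            depth -= 1
        if ch == "/" and depth == 0:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if depth != 0:
        raise ValueError(f"unbalanced '[' in DN: {dn}")
    parts.append("".join(buf))
    if any(p == "" for p in parts):
        raise ValueError(f"empty segment in DN: {dn}")
    return parts

def rn_to_class(rn: str) -> tuple:
    """Split one relative name (RN) into its class prefix and the object's name.
    The root 'uni' (policy universe) has no name of its own."""
    if "-" not in rn:
        return rn, ""
    prefix, name = rn.split("-", 1)
    if name.startswith("[") and name.endswith("]"):
        name = name[1:-1]          # unwrap a bracketed (slash-containing) name
    return prefix, name

def ancestors(dn: str) -> list:
    """Every ancestor DN from the policy universe down to the parent: the chain
    along which an MO's place in the tree (and inherited properties) is defined."""
    parts = split_dn(dn)
    return ["/".join(parts[:i]) for i in range(1, len(parts))]

def locate(dn: str) -> list:
    """Describe the MO's place in the tree as (class prefix, name) pairs."""
    return [rn_to_class(rn) for rn in split_dn(dn)]

if __name__ == "__main__":
    dn = "uni/tn-Production/ap-Web/epg-Web"
    print(ancestors(dn))  # ['uni', 'uni/tn-Production', 'uni/tn-Production/ap-Web']
    print(locate(dn))     # [('uni', ''), ('tn', 'Production'), ('ap', 'Web'), ('epg', 'Web')]
```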
Application Network Profile
[Figure: application network profile with subnet and L3 context]
Concrete Model Overview
Applying Policy to End-Points
APIC Policy Model
[Figure: the Logical Model Policy (application centric configurations, policy target groups, rules) is held on the Controller; a Policy Update renders an implicit subset of the Logical Model into NXOS on each node (ports, cards, interfaces, VLANs); the Complete Logical Model spans all nodes of the network gear]
The ACI Fabric policy model enables the specification of application requirements as
policies. The APIC automatically renders policies in the fabric infrastructure. When a
user or process initiates an administrative change to an object in the fabric, the APIC
first applies that change to the policy model and then applies the change to the actual
managed endpoint.
Policy updates to nodes are asynchronous; i.e. the REST call to APIC does not wait for
the update to the switches.
APIC decides which subset of the logical model to push based on explicit or implicit
registration of policies from the switch.
On the node, the NXOS processes are notified of MO updates using an MTS message;
the process then reads the MO from shared memory (objectstore).
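To tie the EPG and contract model from the earlier slides (Outside EPG consuming the WEB contract on TCP 80/443, App EPG consuming the DB contract on TCP 1433) together with the point that APIC pushes only the subset of the logical model each switch has registered, here is an added, simplified Python model written for these notes (not Cisco or APIC code): the APP contract name, the leaf names and the EPG-to-leaf placement are constructed assumptions.

```python
# Added example: a simplified model of ACI's whitelist policy between EPGs and of
# the per-leaf subset of the logical model that APIC renders. Not APIC code.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass(frozen=True)
class Filter:
    """One filter entry: protocol plus a destination port range."""
    name: str
    proto: str
    port_from: int
    port_to: int

    def matches(self, proto: str, port: int) -> bool:
        return proto == self.proto and self.port_from <= port <= self.port_to

@dataclass
class Contract:
    """A contract is 'provided' by one EPG and 'consumed' by others."""
    name: str
    provider: str
    consumers: Set[str]
    filters: List[Filter]

@dataclass
class Tenant:
    name: str
    contracts: List[Contract]
    # leaf -> EPGs with endpoints attached there (implicit policy registration)
    leaf_epgs: Dict[str, Set[str]] = field(default_factory=dict)

    def permitted(self, src_epg: str, dst_epg: str, proto: str, port: int) -> Optional[str]:
        """Whitelist model: a flow from a consumer EPG to a provider EPG is allowed only
        if a contract between them carries a matching filter; anything else is dropped
        by the fabric's implicit stateless filtering. Returns the contract name or None."""
        for c in self.contracts:
            if c.provider == dst_epg and src_epg in c.consumers:
                if any(f.matches(proto, port) for f in c.filters):
                    return c.name
        return None

    def render_for_leaf(self, leaf: str) -> Set[str]:
        """Subset of the logical model APIC pushes to one leaf: only the contracts
        in which an EPG local to that leaf is the provider or a consumer."""
        local = self.leaf_epgs.get(leaf, set())
        return {c.name for c in self.contracts
                if c.provider in local or c.consumers & local}

# Constructed from the slides' WEB and DB contracts; the APP contract name, leaf
# names and EPG placement are assumptions made for this example.
TENANT = Tenant("Production", [
    Contract("WEB", "Web", {"Outside"},
             [Filter("http", "tcp", 80, 80), Filter("https", "tcp", 443, 443)]),
    Contract("APP", "App", {"Web"}, [Filter("app", "tcp", 8081, 8081)]),
    Contract("DB", "DB", {"App"}, [Filter("mssql", "tcp", 1433, 1433)]),
], leaf_epgs={"leaf101": {"Web", "App"}, "leaf102": {"DB"}, "leaf103": {"Outside"}})
```

Calling TENANT.permitted("Outside", "DB", "tcp", 1433) returns None because no contract joins those EPGs, while TENANT.render_for_leaf("leaf102") returns only {"DB"}, since that leaf hosts no Web or Outside endpoints.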
Thank you.