ACI-FE M01
ACI Overview
Agenda

• SDN/Overlay Networking Primer
• Cisco ACI Overview and Terminology
• Logical Model Overview
• Concrete Model Overview

© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

Mapping the ACI Logical Model to 7 Layer OSI for Network Engineers

7 Layer OSI Model    ACI Constructs that apply
Application
Presentation         Contracts, Graphs, ANP
Session
Transport
Network              BD (SVI), Private Network (VRF lite)
Data Link            EPG, BD, Policy Groups (VPC, PC, Interfaces), Encapsulation (VLAN, VXLAN, NVGRE)
Physical             Policy, AEP, Domains (Physical/VMM)

SDN/Overlay Networking Primer

Industry Trends

(Slide shows vendor logos: Amazon Web Services, Windows Azure, MapR, Greenplum, Google, Cloudera, MongoDB, Puppet, Chef, Arista, Cumulus Networks)

DevOps
Control Plane | Network Virtualization | Programmability | Data Plane

New operational models are driving the need for infrastructure change.

Consumption of data center resources is changing, placing pressure on the
operations teams to react quicker. New operational models are driving the need for
infrastructure change.

Cloud Computing drives the need for:
• Automation
• Orchestrated Application Deployment
• Programmable Infrastructure
• Cost optimized hardware

Big Data drives the need for:
• Availability
• Burst Handling
• Non-blocking architectures

Using standard programming and scripting capabilities, IT organizations use
automation to orchestrate application deployments. “Dev/Ops” type IT organizations
that use AGILE development methods to facilitate the rapid development and
deployment of applications want to utilize the open programmatic interfaces to deploy
these applications onto the network.

SDN
Software Defined Networking

Control Plane | Network Virtualization | Programmability | Data Plane

What is software defined networking?

•  OpenFlow is designed to provide separation of the data-plane and control-plane.
OpenFlow defines two controllers (a primary and secondary) to separate the
control from the ‘forwarding decisions’. This provides more sophisticated traffic
management versus the traditional mechanisms used today to manage traffic (i.e.
ACLs, load balancing, QoS). Developed by Stanford and Berkeley Universities,
OpenFlow is currently being implemented by major vendors, with OpenFlow-
enabled switches now commercially available.
•  Network virtualization takes a physical construct and converts it into a virtual
switch, part of a hypervisor. Network virtualization moves forwarding and
services into virtual machines, providing tools for automation and encapsulated
network lanes which traverse underlying L3 networks, and adds a secondary
management model requiring separate configuration and tools for virtual
networks and physical transport.
•  Programmability relates to vendors doing different things to provide
‘programmability’ to address the fact that networking has been a notoriously
rigid environment. Programmability is the idea of white-boxes: high-speed
switches based on off-the-shelf chips operated by a Linux OS such as Cumulus.
Arista also promotes programmability in their products. Arista has begun to focus
on being more open and programmable and has concentrated on a software API to
make it easier for third parties to integrate their products. The 7150S also allows
enterprises to connect to third-party SDN controllers from Arista partners
including Big Switch, Nebula and VMware. Cumulus has developed a Linux-

Software Overlays - Network Virtualization

Virtual Network 1 - VxLAN
Virtual Network 2 - NVGRE
Virtual Network 3

L3 routed non-blocking ECMP Fabric; encapsulated traffic carried over CLOS fabric

SDN gets into this topic of underlays and overlays. We start with an L3 routed non-blocking
ECMP network that represents the ‘underlay’. In the case of SDN, most of the time
the overlay is going to be encapsulation based.

Cisco ACI Overview and Terminology

ACI Introduces Logical Network Provisioning of Stateless Hardware

Outside (Tenant VRF) | Web | App | DB, with QoS applied between the tiers

ACI Fabric: Integrated VXLAN Overlay
Application Policy Infrastructure Controller

Here we see an overview of a typical 3-tier application. As data comes from the
outside, we filter it and apply some QoS before sending it to the Web-tier. Similarly, as
the data flows to the App-tier we apply QoS parameters or whatever services are allowed
there; then the App-tier has to talk to the DB. With ACI we build the relationship
between these objects at the network. We define this in a logical manner and we want
the HW to be stateless.

Application Network Profile
Policy-Based Fabric Management

Extend the principle of Cisco UCS® Manager Service Profiles to the entire fabric

• Network profile: stateless definition of application requirements
  - Application tiers
  - Connectivity policies
  - Layer 4-7 services
  - XML/JSON schema
• Fully abstracted from the infrastructure implementation
  - Removes dependencies of the infrastructure
  - Portable across different data center fabrics

The ANP fully describes the application connectivity requirements

Network Profile: Defines Application Level Metadata (Pseudo Code Example)

<Network-Profile = Production_Web>
  <App-Tier = Web>
    <Connected-To = Application_Client>
    <Connection-Policy = Secure_Firewall_External>
    <Connected-To = Application_Tier>
    <Connection-Policy = Secure_Firewall_Internal & High_Priority>
  <App-Tier = DataBase>
    <Connected-To = Storage>
    <Connection-Policy = NFS_TCP & High_BW_Low_Latency>

Service Profiles employed in Cisco UCS virtualize the identity and behavior of a bare-
metal server. Application Network Profiles (ANP) in ACI are similar in concept. ANPs
define who can talk to whom across the network.

Application Policy Model and Instantiation

Application policy model: Defines the application requirements (application
network profile)

Policy instantiation: Each device dynamically instantiates the required changes
based on the policies

Application Client -> 10.2.4.7 | 10.9.3.37 | 10.32.3.7

All forwarding in the fabric is managed through the application network profile
• IP addresses are fully portable anywhere within the fabric
• Security and forwarding are fully decoupled from any physical or virtual network attributes
• Devices autonomously update the state of the network based on configured policy requirements

The slide is an attempt to illustrate APIC rendering policy into the hardware. The
switch nodes are stateless, and with ACI we have the ability to populate the ASICs on
an as-needed basis.
•  There are no saved configurations on the switch platforms.
•  The only thing that connects to spines is leaves; all other network-attached
devices plug into the leaves.
•  Overlays allow us to treat IP addresses differently: identity (for a server),
location (a VLAN), or filter (ACL).

ACI Fabric

ACI Spines
ACI Leafs
External L2 / L3
L4-7 Services
APIC Cluster
OOB Management

ACI operates as an object based model – totally different from the NXOS that has been
seen before. The switches running in ACI mode are only programmable via an object
based Policy Engine operating in the APIC controller. The controller now becomes an
integrated part of the network, and holds the profiles containing the policies for
programming the switches centrally. The switches themselves do not hold a CLI
configuration file as previously used in NXOS based systems. The configuration is
held on the APIC and is an object oriented schema written in XML/JSON and stored
in a profile to implement the policies. The policy itself consists of application centric
information for connectivity, L1-3 IDs, and L4-7 services.

•  2 Tier Spine and Leaf Topology – With a leaf-spine network, every server on the
network is exactly the same distance away from all other servers – three port hops,
to be precise.
•  Leaf Switches – The Leaf switches provide external connectivity into the Fabric.
Multiple SKUs with usually 10 Gig for connected devices and 40 Gig into the fabric.
Combination of Merchant and Custom silicon. Leaf switches are the policy
enforcement points.
•  Spine Switches – Multiple SKUs - 40Gig switches. Do not do policy enforcement.
•  APIC Controllers – Centralized point of management for managing fabric
configuration and observing the summary operational state. It is implemented
using a distributed framework across a cluster of appliances. From a policy
perspective, the APIC is the primary point of contact for configuration and acts as
the policy repository.

What Are We Solving?

Overloaded Network Constructs

Basic Network Policy     SLAs                L4-7 Services
Permit, Deny, Mark,      QoS, Availability   SLB, Firewall, IDS, IPS,
Redirect, Log                                SSL Offload, WAF

Subnet                   Subnet              Subnet
VLAN                     VLAN                VLAN

Network constructs are overloaded with unintended functionality.

It is fair to say that today we use VLANs and IP subnets as policy boundaries (i.e.
ACLs, QoS, load-balancing), so VLANs have a lot of significance. When you define a
VLAN, it is usually associated with an IP address, which can automatically imply
some security policy because of the way we use IPs. An IP address can represent an
identity, a subnet (location), or a filter (ACL entry). All those things tied together are
really based on the idea that a VLAN represents a subnet, which can discombobulate the
original intent of the OSI model.

Application Language Barriers

Developers               Infrastructure Teams
Provider                 VLANs
Consumer                 Subnets
Relationships            Protocols
                         Ports

Developer and infrastructure teams must translate between disparate languages.

Developer teams and infrastructure teams speak different languages. Developers
talk about this provider-consumer relationship: this group of components will provide
a function, which is consumed by another group of objects. Network teams must
translate the developers’ vernacular into VLANs, subnets, switch-port settings, etc.
Network teams care about ports and protocols; there is typically not much awareness
on their part of the devices touching the network.
ACI provides a host-centric fabric. ACI attempts to shrink the timeframe from
application development to QA to implementation and production.

router (config)# int eth 1
router (config)# ip add 6.6.6.1 255.255.255.0
router (config)# no shut
router (config)# int eth 2

switch1 (config)# int eth 1/1
switch1 (config)# switch mode acc

switch2 (config)# int eth 1/2

switch3 (config)# int eth 1/4

fw1 (config)# int eth 0/1
fw1 (config)# nameif outside 0
fw1 (config)# int eth 0/2

slb1 (CONFIG)
  probe http http-probe
    interval 30
    expect status 200 200
  rserver host websrvr1
    description foo web

switch4 (config)# int eth 1/6
switch4 (config)# switch mode acc
switch4 (config)# switch acc vlan 333
switch4 (config)# no shut
switch4 (config)# int eth 1/7 - 9
switch4 (config)# switch mode acc
switch4 (config)# switch acc vlan 333
switch4 (config)# no shut

fw2 (config)# int eth 0/1
fw2 (config)# nameif webfront 20
fw2 (config)# int eth 0/2

switch5 (config)# int eth 1/10 - 11
switch5 (config)# switch mode acc
switch5 (config)# switch acc vlan 444
switch5 (config)# no shut
switch5 (config)# int eth 1/11 - 15
switch5 (config)# switch mode acc
switch5 (config)# switch acc vlan 555
switch5 (config)# no shut

slb2 (CONFIG)
  rserver host appsrvr1
    description foo app
    ip address 5.5.5.1
  rserver host appsrvr2
    description foo app
    ip address 5.5.5.2

switch6 (config)# int eth 1/16 - 19
switch6 (config)# switch mode acc
switch6 (config)# switch acc vlan 777
switch6 (config)# no shut
switch6 (config)# monitor session 1 source vlan 777
switch6 (config)# monitor session 1 dest eth 1/20

fw3 (config)# int eth 0/1
fw3 (config)# nameif appfront 70
fw3 (config)# int eth 0/2
fw3 (config)# nameif dbfront 90
fw3 (config)# object network db_cluster
fw3 (config)# host 7.7.7.7
fw3 (config)# nat (dbfront, appfront) static 5.5.5.50
fw3 (config)# access-list web_to_app permit tcp any host 5.5.5.50 eq 1433

Web Servers | App Servers | DB Servers

This slide illustrates all the components someone must configure to control a
packet’s journey across the data center. From the cloud we have switches and the
router configurations – how many switches depends on your topology. We hit a
Firewall where an administrator configured various filters (ACLs). Another
administrator configured virtual IPs on the Load-balancers; add in SSL-offload. To the
most casual observer, the obvious point is that a lot has to be done on many devices
to control application traffic. The hidden message is the application teams may not
necessarily understand that all this has to be done; they don’t grasp the magnitude of
the process.
This is the paradigm your customers function in today. It is a very manual-intensive,
box-by-box process that typically requires multiple administrative teams. When you
consider change-management, how many other entities are involved? It is typical to
have multiple administrators involved in the change notification process. Adding a
VLAN is a relatively simple process on a switch, but in an effort to stay compliant,
corporate ‘change management procedures’ may dictate approval from several
administrators. This has the effect of extending your implementation time-frame for
deployment.
That is the prevailing sentiment – the Network is too slow; it takes too long to get things
set up and deployed. Today it’s a manually intensive process that’s error prone.

Let's add a couple more web servers

switch4 (config)# int eth 2/7 - 9
switch4 (config)# switch mode acc
switch4 (config)# switch acc vlan 333
switch4 (config)# no shut

slb1 (ADDED CONFIG)
  rserver host websrvr4
    description foo web server
    ip address 3.3.3.4
    inservice
  rserver host websrvr5
    description foo web server
    ip address 3.3.3.5
    inservice
  serverfarm host FOOWEBFARM
    rserver websrvr4 80
      inservice
    rserver websrvr5 80
      inservice

App Servers | DB Servers

If it has been determined that we do NOT have the necessary capacity in the Web-tier,
an easy solution may be to spin up a couple more VMs. The slide illustrates
adding a couple of Web Servers and what has to happen in that event. On the switch
you would need to configure the VLANs and interfaces. The load-balancer may need
to be made aware it has a couple more devices. The point of this slide is that any change
will require configuration updates to multiple devices.

What is an Application to the Network?

It is more than just a VM or Server:
• It is a collection of all the Application's End Points
  'plus'
• The Application's L2 - L7 Network Policies
  'plus'
• The Relationship between these End Points and their Policies

Web Tier End Points -> (QoS, Service, Filter) -> App Tier End Points -> (QoS, Service, Filter) -> DB Tier End Points

To most network administrators, everything is an IP packet and end-points are NICs
connected to a switch.
We define an application in ACI as having these things:
•  A collection of end-points, which are not just applications: an end-point can be a
network construct, a VLAN, an L3 device or an L4-7 service. We have four
end-points depicted in the illustration: the external network and the three app-tiers.
•  End-points by themselves do nothing for us, so we use policies. Similar to how
we use policies in UCS, in ACI we apply attributes and other properties to the end-points.
End-points have definitions. Different end-points have different properties and
behavior.
•  Relationship definitions are achieved with what we call Contracts. Several
things go into a contract, and depending on the end-points the contract sits between,
the elements of a contract can get very granular in terms of what it’s binding.

ACI is an attempt to put things closer to the ‘Application terms’: traffic enters the fabric
where it is directed through various services and filters (ACLs) before it hits the Web
tier; more filters and actions are applied as the packets travel from the Web-tier to the
Application tier; all this is repeated as the App-tier accesses the database.

Teamwork: Create the Logical Model to support the app

Define End Point Groups: Outside EPG, Web Servers, App Servers, DB Servers
Service Node Integration: IDS/IPS

Define Service Policies:

WEB_contract
  Consumer: Outside EPG
  Provider: Web EPG
  Filter: TCP ports 80 and 443
  Contract: use firewall NAT + SLB + SSL offload

APP_contract
  Consumer: Web EPG
  Provider: App EPG
  Filter: TCP port 8081
  Contract: use firewall NAT, use SLB, copy pkt to IDS/IPS

DB_contract
  Consumer: App EPG
  Provider: DB EPG
  Filter: TCP port 1433
  Contract: use firewall+NAT, copy to IDS/IPS

Data center administration is definitely a team-sport. In ACI you build a logical model
to support the application by defining End-point groups (EPGs). End-point Groups are
a collection of end-points that require the same policy treatment. It is to the EPG
where ACI applies policy, not individual end-points. Once you have configured your
EPGs, policy application is dictated by inserting contracts between the EPGs.
ACI can integrate service nodes by installing Device Packages – a term we’ll revisit in
the L4-7 lesson.
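As an added example (not from the slides or any Cisco code), this Python model encodes the three contracts above as provider/consumer relationships with filters and service actions, then evaluates which EPG-to-EPG flows the fabric would permit. The EPG names, the intra-EPG rule and the source-port matching of reply traffic are assumptions stated in the code.

```python
"""Toy model of the ACI logical constructs from this module: EPGs,
contracts with provider/consumer roles, filters and service actions.
Constructed example (not APIC code); the data mirrors WEB_contract,
APP_contract and DB_contract from the slide."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class FilterEntry:
    """One filter entry: protocol plus an inclusive destination port range."""
    protocol: str
    port_from: int
    port_to: int

    def matches(self, protocol: str, port: int) -> bool:
        return protocol == self.protocol and self.port_from <= port <= self.port_to


@dataclass
class Contract:
    name: str
    provider: str                 # EPG that exposes the service
    consumer: str                 # EPG allowed to reach it
    filters: list[FilterEntry]
    services: list[str] = field(default_factory=list)   # L4-7 actions bound to the contract


@dataclass(frozen=True)
class Verdict:
    permitted: bool
    contract: Optional[str] = None
    services: tuple[str, ...] = ()


def evaluate(contracts: list[Contract], src_epg: str, dst_epg: str,
             protocol: str, dport: int, sport: Optional[int] = None) -> Verdict:
    """Decide whether a flow from src_epg to dst_epg is permitted.

    Modelled rules:
      * endpoints in one EPG share policy and may talk to each other (assumed);
      * between different EPGs the fabric drops everything unless a contract
        consumed by src and provided by dst has a matching filter
        (the implicit stateless filtering the slides describe);
      * replies from provider back to consumer are matched on the source
        port (ACI's default 'reverse filter ports' behaviour, assumed here).
    """
    if src_epg == dst_epg:
        return Verdict(True, "intra-EPG")
    for c in contracts:
        if c.consumer == src_epg and c.provider == dst_epg:
            if any(f.matches(protocol, dport) for f in c.filters):
                return Verdict(True, c.name, tuple(c.services))
        if c.provider == src_epg and c.consumer == dst_epg and sport is not None:
            if any(f.matches(protocol, sport) for f in c.filters):
                return Verdict(True, c.name + " (reverse)", tuple(c.services))
    return Verdict(False)


# Constructed from the slide's three contracts.
CONTRACTS = [
    Contract("WEB_contract", provider="Web", consumer="Outside",
             filters=[FilterEntry("tcp", 80, 80), FilterEntry("tcp", 443, 443)],
             services=["firewall NAT", "SLB", "SSL offload"]),
    Contract("APP_contract", provider="App", consumer="Web",
             filters=[FilterEntry("tcp", 8081, 8081)],
             services=["firewall NAT", "SLB", "copy pkt to IDS/IPS"]),
    Contract("DB_contract", provider="DB", consumer="App",
             filters=[FilterEntry("tcp", 1433, 1433)],
             services=["firewall+NAT", "copy to IDS/IPS"]),
]


def permitted_pairs(contracts: list[Contract], epgs: list[str], protocol: str,
                    dport: int) -> set[tuple[str, str]]:
    """All (src, dst) EPG pairs that may open a new connection to dport."""
    return {(s, d) for s in epgs for d in epgs
            if evaluate(contracts, s, d, protocol, dport).permitted}


if __name__ == "__main__":
    for src, dst, port in [("Outside", "Web", 443), ("Outside", "App", 8081),
                           ("Web", "App", 8081), ("Web", "DB", 1433)]:
        v = evaluate(CONTRACTS, src, dst, "tcp", port)
        print(f"{src:>8} -> {dst:<4} tcp/{port}: {'permit' if v.permitted else 'deny'}",
              v.contract or "", v.services)
```

Note that a flow the contracts do not describe (Outside straight to App, or Web to DB) is denied without any explicit deny rule: the allow-list is the whole policy.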

Configure: Define Logical Constructs in APIC

Define End Point Groups: Outside EPG, Web Servers, App Servers
Service Node Integration: IDS/IPS
Define Service Policies: WEB_contract, APP_contract, DB_contract (as defined on the previous slide)

All these constructs are defined in the APIC.

Deployment

Outside EPG -> Web EPG: TCP ports 80 and 443, use firewall NAT
Web EPG -> App EPG: TCP port 8081, use firewall NAT, use SLB
App EPG -> DB EPG: TCP port 1433, use firewall+NAT

WEB_contract: Consumer: Outside EPG; Provider: Web EPG; Filter: TCP ports 80 and 443; Contract: use firewall NAT + SLB + SSL offload
DB_contract: Consumer: App EPG; Provider: DB EPG; Filter: TCP port 1433; Contract: use firewall+NAT

Different pieces make up the flow.


DEV Outside EPG            TEST Outside EPG           PROD Outside EPG
Profile  --Copy-->         Profile  --Copy-->         Profile

Each environment carries the same profile:
Outside EPG -> Web EPG: TCP ports 80 and 443, use firewall NAT
Web EPG -> App EPG: TCP port 8081, use firewall NAT, use SLB
App EPG -> DB EPG: TCP port 1433, use firewall+NAT

Web Servers | App Servers | DB Servers

Using ACI, you can architect and build the components in a Development
environment, then export or replicate to a Test environment. Here we test the
addition of more objects (e.g., adding more web servers). With stateless hardware
and policy-based configuration in ACI, there is no requirement to re-configure the
switch. If we’ve integrated those services properly, changes to the load-balancer or
firewall get pushed down from the APIC, with no manual intervention beyond the first step
of adding the additional Web servers.
Regarding compliance (change control), the policies defined in ACI ensure
compliance; it is automatic. In essence, ACI integrates change control.

Logical Model Overview

Remember UCS & Stateless Computing?

Service Profile

Storage                      Server                          Network
Optional Disk usage          Identity (UUID)                 Uplinks
SAN settings                 Adapters                        LAN settings
• LUNs                       • Number                        • VLAN
• Persistent Binding         • Type: FC, Ethernet            • QoS
SAN settings                 • Identity                      • etc...
• vSAN                       • Characteristics               Firmware
Firmware                     Firmware                        • Revisions
• Revisions                  • Revisions
                             • Configuration settings

UCS & Stateless Computing.

Stateless Networking

Application Network Profile

Contracts define "what" an EPG exposes to other app tiers and "how":
TCP Ports, Protocols, Redirects etc

EPG Web <-> EPG App <-> EPG DB

• Stateless filtering between EPGs is implicitly provided by the ACI fabric that
may be able to eliminate the need for some firewalls within the datacenter.
• Contracts define what an EPG exposes to other application tiers and 'how'.

Extend the principle of UCS service profiles to the entire fabric and we have the
Application Network Profile – which is a Stateless Definition of Application
Requirements.
ACI consists of:
• Application Tiers
• Connectivity policies
• L4 – L7 Services

Stored in an XML or JSON Schema.

Defining Terms

• End-Point Group (EPG) - Container for objects requiring the same policy
treatment, i.e. app tiers, or services
• Tenant - Logical separator for: Customer, BU, group etc. Separates traffic,
admin, visibility, etc.
• Private-Network (L3) - Equivalent to a VRF, separates routing instances, can be
used as an admin separation
• Bridge Domain (BD) - NOT A VLAN, simply a container for subnets. CAN be
used to define L2 boundary
• Contract - Contracts represent policies between EPGs. Contracts are
"provided" by one EPG and "consumed" by another.

Management Information Model

TENANT
 |- L2/L3 Outside Networks
 |- Bridge Domains
 |    \- Subnets
 |- Contexts (VRF)
 |- Application Profiles
 |    \- EPGs
 |- Contracts
 |    \- Subjects
 \- Filters

> Solid lines indicate objects below contained
> Dashed lines indicate a relationship
> 1:n indicates one to many
> n:n indicates many to many

Management Information Model – The fabric comprises the physical and logical
components as recorded in the Management Information Model (MIM), which can be
represented in a hierarchical management information tree (MIT). The information
model is stored and managed by processes that run on the APIC. Similar to the OSI
Common Management Information Protocol (CMIP) and other X.500 variants, the
APIC enables the control of managed resources by presenting their manageable
characteristics as object properties that can be inherited according to the location of
the object within the hierarchical structure of the MIT.
Each node in the tree represents a managed object (MO) or group of objects. MOs
are abstractions of fabric resources. An MO can represent a concrete object, such as
a switch, adapter, or a logical object, such as an application profile, endpoint group, or
fault. The diagram provides an overview of the MIT.
The hierarchical structure starts with the policy universe at the top (Root) and
contains parent and child nodes. Each node in the tree is an MO and each object in
the fabric has a unique distinguished name (DN) that describes the object and locates
its place in the tree.

Application Network Profile

Outside EPG consumes the web contract provided by EPG WEB
EPG WEB consumes the java contract provided by EPG APP
EPG APP consumes the sql contract provided by EPG DB

Public subnet
L3 context

Concrete Model Overview

Applying Policy to End-Points

1) End Point attaches to fabric
2) APIC detects End Point and derives its EPG
   • Designated as source EPG
3) APIC pushes required policy to leaf switch
   • Policies require both source and destination EPG

APIC manages pushing of policy to leaf enforcement point when EPs connect.

The example shows a virtual machine (VM) assigned to a port-group, which is owned by
the APIC DVS. Upon detection of the end-point, the VM (part of the port-group
owned by APIC) is now a source. APIC will push the policy to the Leaf, where it is
rendered into the hardware (ASIC TCAM).
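The three steps above, as an added example (not Cisco's or APIC's code): an endpoint attaches, its EPG is derived from the APIC-owned port-group, and the leaf receives only the contract rules that name an EPG present on it; detaching the last endpoint removes them again, since nothing is saved on the switch. The port-group names and the "either EPG local to the leaf" rule for which policy is pushed are assumptions.

```python
"""Constructed model (not APIC code) of how policy reaches the leaf: an
endpoint attaches, its EPG is derived from the APIC-owned DVS port-group,
and only the contract rules involving EPGs present on that leaf are pushed.
Contract data mirrors the slides; the port-group names are hypothetical."""
from __future__ import annotations

from typing import Dict, FrozenSet, Tuple

# (consumer EPG, provider EPG, protocol, destination ports), from the slides.
CONTRACTS: Dict[str, Tuple[str, str, str, Tuple[int, ...]]] = {
    "WEB_contract": ("Outside", "Web", "tcp", (80, 443)),
    "APP_contract": ("Web", "App", "tcp", (8081,)),
    "DB_contract":  ("App", "DB", "tcp", (1433,)),
}

# Hypothetical DVS port-group -> EPG mapping; APIC owns these port-groups.
PORTGROUP_TO_EPG = {"Prod|Web": "Web", "Prod|App": "App", "Prod|DB": "DB"}

Rule = Tuple[str, str, str, str, int]   # (contract, src EPG, dst EPG, protocol, port)


class Fabric:
    """Tracks endpoint attachments and derives each leaf's rule set from them."""

    def __init__(self, contracts, portgroup_to_epg):
        self.contracts = contracts
        self.portgroup_to_epg = portgroup_to_epg
        self.endpoints: Dict[Tuple[str, str], str] = {}   # (leaf, endpoint id) -> EPG

    def derive_epg(self, portgroup: str) -> str:
        """Step 2 on the slide: the port-group the VM sits in names its EPG."""
        try:
            return self.portgroup_to_epg[portgroup]
        except KeyError:
            raise ValueError(f"port-group {portgroup!r} is not owned by APIC") from None

    def attach(self, leaf: str, ep_id: str, portgroup: str) -> FrozenSet[Rule]:
        """Steps 1-3: endpoint attaches, EPG derived, leaf receives its rules."""
        self.endpoints[(leaf, ep_id)] = self.derive_epg(portgroup)
        return self.rules_for(leaf)

    def detach(self, leaf: str, ep_id: str) -> FrozenSet[Rule]:
        """No saved configuration: rules disappear once no local endpoint needs them."""
        self.endpoints.pop((leaf, ep_id), None)
        return self.rules_for(leaf)

    def epgs_on(self, leaf: str) -> FrozenSet[str]:
        return frozenset(epg for (node, _), epg in self.endpoints.items() if node == leaf)

    def rules_for(self, leaf: str) -> FrozenSet[Rule]:
        """Subset of the logical model this leaf needs.

        Simplification assumed here: a contract's rules are pushed to a leaf
        when either its consumer or its provider EPG has an endpoint on that
        leaf, since the leaf enforces for locally attached sources and
        destinations; each rule names both EPGs, as the slide states.
        """
        local = self.epgs_on(leaf)
        rules = set()
        for name, (consumer, provider, proto, ports) in self.contracts.items():
            if consumer in local or provider in local:
                rules.update((name, consumer, provider, proto, p) for p in ports)
        return frozenset(rules)


def contracts_on(rules: FrozenSet[Rule]) -> FrozenSet[str]:
    """Names of the contracts represented in a leaf's rule set."""
    return frozenset(r[0] for r in rules)


if __name__ == "__main__":
    fab = Fabric(CONTRACTS, PORTGROUP_TO_EPG)
    print(sorted(fab.attach("leaf101", "vm-web1", "Prod|Web")))
    print(sorted(fab.attach("leaf102", "vm-db1", "Prod|DB")))
    print(sorted(fab.detach("leaf101", "vm-web1")))
```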

APIC Policy Model

Policy Controller (APIC)
  Logical Model: application centric configurations, Policy Target Groups, Rules, Configurations
    |  Policy Update
    v
Policy Element (on the node)
  NXOS, Logical Model (subset), Shared Memory
    |  Render (implicit subset of the complete Logical Model)
    v
Concrete Model
  Ports, Cards, Interfaces, VLANs, Network Gear, Nodes

The ACI Fabric policy model enables the specification of application requirements -
policies. The APIC automatically renders policies in the fabric infrastructure. When a
user or process initiates an administrative change to an object in the fabric, the APIC
first applies that change to the policy model and then applies the change to the actual
managed endpoint.
Policy updates to nodes are asynchronous; i.e. the REST call to APIC does not wait for
the update to the switches.
APIC decides which subset of the logical model to push based on explicit or implicit
registration of policies from the switch.
On the node, the NXOS processes are notified of MO updates using an MTS message;
the process then reads the MO from shared memory (objectstore).

Thank you.