
ACI for the Network Administrator
Steve Sharman – Technical Solutions Architect
BRKACI-2005
Session Objectives

• Understand ACI through the eyes of the network administrator
• Understand ACI building blocks
• Understand external and services integration
Agenda

• ACI in the market
• Role of the Network Manager
• ACI is all about Applications isn’t it?
• Comparing ACI and Traditional Network Building Blocks
• VMware Integration
• External Connectivity
• Service Graph Integration
• Getting Started
Momentum Continues to Grow

6,000+ Nexus 9K and ACI customers globally | 1400+ ACI customers | 50 ACI ecosystem partners
Turnkey or DIY solution

Application Centric Infrastructure (Programmable Fabric):
• Turnkey integrated solution with security, centralized management, compliance and scale
• Automated application centric-policy model with embedded security
• Streamlined Workflow Management
• Broad and deep ecosystem: connection, creation, expansion, reporting and fault management, with security, performance, accounting, fault and configuration tools both integrated and external

Or

Programmable Network (VTS):
• Integrated stack: modern NX-OS with enhanced NX-APIs
• A-la-carte automation: DevOps toolset used for Network Management (Puppet, Chef, Ansible etc.)
• Customer script based operations and workflows
Enough Marketing, what do
networking teams really
spend their time doing?
What does ACI typically
mean to a Network Admin?
In reality ACI is all about
networking and how you deploy
applications onto the network!
At a very basic level ACI is really
just a CLOS network of Nexus
9k switches with a management
platform
The network management
platform (APIC) provides you
with a single place from which to
manage the network
ACI is a Software Defined Network
which uses VXLAN to transport
packets between switches across
an automated IP fabric with end to
end header visibility
IETF Draft
ACI can transport any IP traffic
including “Overlay” networks
based on VXLAN*, NVGRE*
etc.

* ACI has visibility of the outer header


Comparing ACI and
Traditional Network
Management
Traditional Networking

Management options:
• CLI
• Cut/Paste
• Limited automation
• Disparate management platforms

Limitations:
• Box by box approach
• Lack of consistent configuration (no network wide policies)
• Leftover/unknown configuration
• Open “any to any” connectivity*
• Lack of traffic visibility
• Separate virtual and physical networks
• Separate L4-7 device management
ACI Networking (APIC cluster)

Management options:
• GUI (basic/advanced)
• CLI
• XML/JSON
• Scripting
• Open API
• Automation

Benefits:
• Distributed, Centralised Management
• Full traffic visibility*
• Self documenting
• Integrated virtual and physical network
• Integrated L4-7 device management
• Policy defined network
A Policy Defined Network –
Lighting up switch interfaces
Policy Defined Network

The APIC cluster holds the Logical Model (the policy you write) and renders it as the Concrete Model on each switch. Lighting up an interface is a chain of questions, each answered by one reusable access-policy object:

What “function” do I want to allocate VLANs for?
  VLAN/VXLAN (Pools): vCenter-01-vDS-01, UCS-phys-svrs, Outside-Fabric

Where do I want to use my VLANs? Which vDS do I want to configure?
  Virtual Machine Domains (vSwitches): vCenter-01-vDS-01
  VLAN mgmt (Phy/Out Domain): UCS-phys-svrs, Outside-Fabric

Group my VLANs together to allow them on an interface
  Allowed VLANs (AAEP): vCenter-01-vDS-01, UCS-phys-svrs, Outside-Fabric

What interface settings do I want to configure?
  Interface Parameters (Policies): CDP_enabled, LACP_Active

What type of interface do I want to configure, and what device do I want to connect to it?
  Interface Usage (Policy Groups): vPC_to_UCS_FI_A, SVI_to_outside

Which interfaces should be configured?
  Target Interfaces ID (Profiles): vPC_to_UCS_FI_A, SVI_to_outside

Which switches should be configured?
  Target Switches (Profiles): vPC_Leaf_1_and_2, Leaf_3

Policy Defined Network – Simple, Consistent Configuration

Once the chain is in place, the Concrete Model the APIC pushes to the switches is the same on every switch that matches the profile:

Function          Switches     Ports
ESX Hosts         1, 3, 5      1-20
OpenStack Hosts   1-6          21-40
ASA               1, 2         46
F5                1, 2         47
Outside_L3        1, 2         48
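The chain above, as an added example that is not code from the session: a Python script that builds the same objects as APIC REST (JSON) payloads and checks that every relation in the chain points at an object that exists, which is the usual reason a freshly posted interface stays down. The object-class and attribute names (fvnsVlanInstP, physDomP, infraAttEntityP, infraAccBndlGrp, infraAccPortP, infraNodeP and their Rs relations) are written from memory of the APIC object model and should be verified in the APIC API Inspector before use; the pool ranges, node IDs and port numbers are assumed values, and nothing here talks to a live APIC. The pool deliberately mixes a static and a dynamic range, as the VLAN pool slide later describes.

```python
"""Build an ACI access-policy chain as APIC REST (JSON) payloads and verify it.

Added example, not part of the session.  Class and attribute names are from
memory of the APIC object model; check them in API Inspector before posting.
Pool ranges, node IDs and port numbers are assumed values.
"""
import json


def vlan_pool(name, alloc, ranges):
    """VLAN pool; a single pool may mix static and dynamic ranges."""
    dn = f"uni/infra/vlanns-[{name}]-{alloc}"
    blocks = [{"fvnsEncapBlk": {"attributes": {
        "from": f"vlan-{lo}", "to": f"vlan-{hi}", "allocMode": mode}}}
        for lo, hi, mode in ranges]
    return {"fvnsVlanInstP": {"attributes": {"dn": dn, "name": name,
                                             "allocMode": alloc},
                              "children": blocks}}


def phys_domain(name, pool_dn):
    """Physical domain: 'where do I want to use my VLANs?'"""
    return {"physDomP": {"attributes": {"dn": f"uni/phys-{name}", "name": name},
                         "children": [{"infraRsVlanNs": {"attributes": {"tDn": pool_dn}}}]}}


def aaep(name, domain_dns):
    """Attachable Access Entity Profile: the domains (VLANs) allowed on a port."""
    return {"infraAttEntityP": {
        "attributes": {"dn": f"uni/infra/attentp-{name}", "name": name},
        "children": [{"infraRsDomP": {"attributes": {"tDn": d}}} for d in domain_dns]}}


def vpc_policy_group(name, aaep_dn, lacp_pol, cdp_pol):
    """vPC interface policy group: interface usage plus interface parameters."""
    return {"infraAccBndlGrp": {
        "attributes": {"dn": f"uni/infra/funcprof/accbundle-{name}",
                       "name": name, "lagT": "node"},   # lagT=node -> vPC
        "children": [
            {"infraRsAttEntP": {"attributes": {"tDn": aaep_dn}}},
            {"infraRsLacpPol": {"attributes": {"tnLacpLagPolName": lacp_pol}}},
            {"infraRsCdpIfPol": {"attributes": {"tnCdpIfPolName": cdp_pol}}}]}}


def interface_profile(name, pg_dn, from_port, to_port):
    """Interface profile: which interfaces receive the policy group."""
    return {"infraAccPortP": {
        "attributes": {"dn": f"uni/infra/accportprof-{name}", "name": name},
        "children": [{"infraHPortS": {
            "attributes": {"name": name, "type": "range"},
            "children": [
                {"infraPortBlk": {"attributes": {
                    "name": "blk1", "fromCard": "1", "toCard": "1",
                    "fromPort": str(from_port), "toPort": str(to_port)}}},
                {"infraRsAccBaseGrp": {"attributes": {"tDn": pg_dn}}}]}}]}}


def switch_profile(name, ifprof_dns, from_node, to_node):
    """Switch profile: which leaves receive the interface profile."""
    leaf_sel = {"infraLeafS": {
        "attributes": {"name": name, "type": "range"},
        "children": [{"infraNodeBlk": {"attributes": {
            "name": "blk1", "from_": str(from_node), "to_": str(to_node)}}}]}}
    return {"infraNodeP": {
        "attributes": {"dn": f"uni/infra/nprof-{name}", "name": name},
        "children": [leaf_sel] + [{"infraRsAccPortP": {"attributes": {"tDn": d}}}
                                  for d in ifprof_dns]}}


def _walk(node):
    """Yield the attribute dict of every object in a nested APIC payload."""
    for body in node.values():
        yield body.get("attributes", {})
        for child in body.get("children", []):
            yield from _walk(child)


def dangling_refs(objects):
    """Target DNs some relation points at but no object here defines.
    An empty list means every link in the chain resolves."""
    defined = {a["dn"] for o in objects for a in _walk(o) if "dn" in a}
    return sorted({a["tDn"] for o in objects for a in _walk(o)
                   if "tDn" in a and a["tDn"] not in defined})


def build_chain():
    """The chain from the slides, in the order it must be posted."""
    pool = vlan_pool("UCS-phys-svrs", "static",
                     [(2000, 2099, "static"), (3600, 3699, "dynamic")])
    dom = phys_domain("UCS-phys-svrs", pool["fvnsVlanInstP"]["attributes"]["dn"])
    aep = aaep("UCS-phys-svrs", [dom["physDomP"]["attributes"]["dn"]])
    pg = vpc_policy_group("vPC_to_UCS_FI_A",
                          aep["infraAttEntityP"]["attributes"]["dn"],
                          "LACP_Active", "CDP_enabled")
    ifp = interface_profile("vPC_to_UCS_FI_A",
                            pg["infraAccBndlGrp"]["attributes"]["dn"], 1, 20)
    swp = switch_profile("vPC_Leaf_1_and_2",
                         [ifp["infraAccPortP"]["attributes"]["dn"]], 101, 102)
    return [pool, dom, aep, pg, ifp, swp]


if __name__ == "__main__":
    chain = build_chain()
    print("dangling references:", dangling_refs(chain))
    for obj in chain:                  # one POST each to /api/mo/uni.json
        print(json.dumps(obj, indent=1))
```

Each payload would be posted to https://apic/api/mo/uni.json after an aaaLogin. Note that the LACP and CDP policies are referenced by name (tnLacpLagPolName, tnCdpIfPolName) rather than by DN, so dangling_refs does not cover them; the APIC resolves a name that does not exist to the default policy and raises a fault, which is worth checking for separately.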
Comparing ACI and Traditional
Network Building Blocks
Traditional Network – Limited Multi Tenancy

• Box by box configuration
• VDCs and VRFs configured on a per switch basis
• Manual inter switch configuration
ACI Tenants are network wide administrative containers

Objects created in “Common” can be consumed by other Tenants.

Tenant: Common holds VRF: A with BD: 01, BD: 02 and BD: 03 and the shared services (AD, DNS, DHCP).
Tenants Production, Pre-Production and ESX-Hosts each have their own VRF (A, B, C) and Bridge Domain (BD: 01, BD: 02, BD: 03), pushed by the APIC cluster to every Leaf.
Looking under the covers at Tenants
apic1# show tenant
Tenant Tag Description
--------------- --------------- ----------------------------------------
avanker
common
fgandola
hyper-v
infra
mgmt
nickmart
nvermand
nvermand-vRA-01 vRA Tenant
openstack
robvand
rwhitear
ssharman
vmware

apic1#

New NX-OS CLI in 1.2.1i


Traditional L3 Networking

VRF configuration is performed on a switch by switch basis (VRF: VRF-01 with an HSRP gateway).

ACI VRFs (aka Private Networks, aka Contexts) provide the routing function within a given Tenant

Tenant: Common – VRF: VRF-01 (Anycast gateway), pushed by the APIC cluster to every Leaf.
Tenant: Common
Multiple VRFs allow overlapping IP address space and integration with External Devices

Tenant: Common – VRF: VRF-01 (Anycast gateway) and VRF: VRF-02 (Anycast gateway)
Looking under the covers at VRFs
apic1# show vrf
Tenant     Vrf
---------- ----------
common     default
common     inside_enforced
common     inside_unenforced
common     outside_ospf
common     outside_static
common     outside_vlans
fgandola   VRF-01
mgmt       inb
mgmt       oob
nickmart   nickmart
nvermand   VRF-01
nvermand   VRF-02
nvermand   VRF-AVS

Leaf-1# show vrf
VRF-Name                       VRF-ID State Reason
black-hole                     3      Up    --
common:default                 26     Up    --
common:outside_ospf            5      Up    --
common:outside_vlans           7      Up    --
management                     2      Up    --
mgmt:inb                       15     Up    --
nickmart:nickmart              8      Up    --
nvermand:VRF-01                12     Up    --
nvermand:VRF-AVS               9      Up    --
nvermand:VRF-int-NSX-EDGE      19     Up    --
nvermand:VRF-Mig               13     Up    --
nvermand:VRF-NSX               16     Up    --
overlay-1                      4      Up    --
robvand:VRF-01                 33     Up    --
ssharman:VRF-01                31     Up    --
VM-tenant:vcenter_default_pvn  14     Up    --
vmware:VRF-01                  18     Up    --

New NX-OS CLI in 1.2.1i
Traditional L2 Networking

VLAN configuration is performed on a switch by switch basis (Layer 2 VLAN: VLAN10).
ACI Bridge Domains are pervasive layer 2 boundaries with defined forwarding characteristics

The Bridge Domain to VRF association is always required, even if the VRF is not routing.

Tenant: Common – VRF: VRF-01 (Anycast gateway)
BD: 01, BD: 02 and BD: 03, each configured with Hardware Proxy: No, ARP Flooding: Yes, Unknown Unicast Flooding: Yes, IP Routing: No
Display all Bridge Domains
apic1# show bridge-domain
Tenant     Interface               MAC Address        MTU      Description  Multi-Dest Action  Unknown Mcast Action  Unknown MAC Ucast Action
---------- ----------------------- ------------------ -------- ------------ ------------------ --------------------- ------------------------
VM-tenant  BD-02                   00:22:BD:F8:19:FF  inherit               encap-flood        flood                 flood
VM-tenant  vcenter_default_bd      00:22:BD:F8:19:FF  inherit               encap-flood        flood                 flood
common     outside_infra-ssharman  00:22:BD:F8:19:FF  inherit               bd-flood           flood                 flood
common     outside_infra-teoyenug  00:22:BD:F8:19:FF  inherit               bd-flood           flood                 flood
ssharman   192.168.65.0            00:22:BD:F8:19:FF  inherit               bd-flood           flood                 proxy
ssharman   192.168.66.0            00:22:BD:F8:19:FF  inherit               bd-flood           flood                 proxy
ssharman   192.168.67.0            00:22:BD:F8:19:FF  inherit               bd-flood           flood                 proxy
ssharman   192.168.68.0            00:22:BD:F8:19:FF  inherit               bd-flood           flood                 proxy
ssharman   192.168.69.0            00:22:BD:F8:19:FF  inherit               bd-flood           flood                 proxy
ssharman   192.168.70.0            00:22:BD:F8:19:FF  inherit               bd-flood           flood                 proxy
ssharman   192.168.71.0            00:22:BD:F8:19:FF  inherit               bd-flood           flood                 proxy

New NX-OS CLI in 1.2.1i


Display details of a single Bridge Domain
apic1# show bridge-domain outside_infra-ssharman
Tenant : common
Interface : outside_infra-ssharman
MAC Address : 00:22:BD:F8:19:FF
MTU : inherit
Description :
Multi-Destination Action : bd-flood
Unknown Multicast Action : flood
Unknown MAC Unicast Action : flood

Tenant : ssharman
Interface : Internal_Fabric_02
MAC Address : 00:22:BD:F8:19:FF
MTU : inherit
Description :
Multi-Destination Action : bd-flood
Unknown Multicast Action : opt-flood
Unknown MAC Unicast Action : proxy

New NX-OS CLI in 1.2.1i


A Bridge Domain uses a locally significant VLAN ID on each Leaf, which is dynamically mapped to a VXLAN ID
APIC

APIC

APIC

Layer 2 Bridge Domain carried over VXLAN

The Bridge Domain to VRF association is always required, even if the VRF is not routing.

Tenant: Common – VRF: VRF-01 (Anycast gateway), Bridge Domain: outside_infra-ssharman
The same BD (common:outside_infra-ssharman) is present on Leaf 101 and Leaf 102, each with its own local VLAN ID.
VXLANs require VTEPs

• VTEPs are dynamically created as required; VTEPs may exist in physical or virtual switches
• Known unicast traffic is forwarded directly between Leaf VTEPs
• Unknown unicast traffic is forwarded to the anycast spine proxy VTEPs
• Multicast and any allowed broadcast traffic is forwarded to a Group VTEP that exists on any leaf with membership for that specific group
• A logical vPC switch is represented by an anycast Leaf vPC VTEP

Tenant: Common – VRF: 01 (Anycast gateway)
BD: 01 – Hardware Proxy: Yes, ARP Flooding: No, Unknown Unicast Flooding: No, IP Routing: Yes
A Bridge Domain uses a locally significant VLAN ID
underneath
apic1# fabric 101 show vlan
----------------------------------------------------------------
Node 101 (Leaf-1)
----------------------------------------------------------------
Leaf 101
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
9 infra:default active Eth1/1, Eth1/21, Eth1/22, Po3, Po4
11 common:outside_infra-robvand active Eth1/11, Eth1/21, Eth1/22, Po3,
14 fgandola:www-zone1 active Eth1/33, Po2
15 ssharman:192.168.66.0 active Eth1/21, Eth1/22, Po3, Po4
26 common:outside_infra-ssharman active Eth1/11, Eth1/21, Eth1/22, Po3, Po4, Po8

Leaf 102
apic1# fabric 102 show vlan
----------------------------------------------------------------
Node 102 (Leaf-2)
----------------------------------------------------------------
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
9 infra:default active Eth1/1, Eth1/21, Eth1/22, Po1, Po2
11 ssharman:L2-to-outside:Group-05 active Eth1/21, Eth1/22, Po1, Po2
14 fgandola:app-zone2 active Eth1/33, Po8
15 -- active Eth1/69, Po7
35 common:outside_infra-ssharman active Eth1/11, Eth1/21, Eth1/22, Po1, Po2, Po4

New NX-OS CLI in 1.2.1i


A Bridge Domain uses a VXLAN to Transport data
between Leaf switches
apic1# fabric 101 show vlan id 26 extended
----------------------------------------------------------------
Node 101 (Leaf-1)
----------------------------------------------------------------
Leaf 101
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
26 common:outside_infra-ssharman active Eth1/11, Eth1/21, Eth1/22, Po3,
Po4, Po8
VLAN Type Vlan-mode Encap
---- ----- ---------- -------------------------------
26 enet CE vxlan-15433637

apic1# fabric 102 show vlan id 35 extended


----------------------------------------------------------------
Node 102 (Leaf-2)
----------------------------------------------------------------
Leaf 102
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
35 common:outside_infra-ssharman active Eth1/11, Eth1/21, Eth1/22, Po1,
Po2, Po4
VLAN Type Vlan-mode Encap
---- ----- ---------- -------------------------------
35 enet CE vxlan-15433637

New NX-OS CLI in 1.2.1i


Traditional Networking – SVI

VRF: VRF-01 (HSRP gateway)
Interface VLAN10, IP Address 192.168.10.1/24
Layer 2 VLAN: VLAN10
ACI SVIs are configured on a given Bridge Domain and
instantiated on the associated VRF
APIC

APIC

APIC

VRF: VRF-01 (Anycast gateway)

BD: 01
Hardware Proxy: Yes
ARP Flooding: No
Unknown Unicast Flooding: No
IP Routing: 192.168.10.1/24

Tenant: Common
ACI Bridge Domains can be configured with multiple
subnets/default gateways (secondary)
APIC

APIC

APIC

VRF: VRF-01 (Anycast gateway)

BD: 01
Hardware Proxy: Yes
ARP Flooding: No
Unknown Unicast Flooding: No
IP Routing: 192.168.10.1/24
: 192.168.20.1/24

Tenant: Common
Display details of a single Bridge Domain + SVI
apic1# show bridge-domain outside_infra-ssharman
Tenant                     : common
Interface                  : outside_infra-ssharman
MAC Address                : 00:22:BD:F8:19:FF
MTU                        : inherit
Description                :
Multi-Destination Action   : bd-flood
Unknown Multicast Action   : flood
Unknown MAC Unicast Action : flood

Tenant                     : ssharman
Interface                  : Internal_Fabric_02
MAC Address                : 00:22:BD:F8:19:FF
MTU                        : inherit
Description                :
Multi-Destination Action   : bd-flood
Unknown Multicast Action   : opt-flood
Unknown MAC Unicast Action : proxy

apic1# show ip interface bridge-domain outside_infra-ssharman
----- IPv4 Bridge-Domain Information: -----
Tenant       : common
Interface    : outside_infra-ssharman
VRF Member   : outside_vlans            (the VRF name)
IP Addresses : 192.168.29.254/24
               192.168.30.254/24

New NX-OS CLI in 1.2.1i


Traditional Networking – Any to Any Communication

VRF: VRF-01 (HSRP gateway)


Interface VLAN10
IP Address 192.168.10.1/24

Layer 2 VLAN: VLAN10

192.168.10.11/24 192.168.10.13/24 192.168.10.15/24 192.168.10.17/24


192.168.10.12/24 192.168.10.14/24 192.168.10.16/24

Any to Any Communication on a given segment*


How do devices (Endpoints)
communicate on an ACI fabric?
Application Network Profiles and Endpoint Groups

New concept: Application Network Profiles
Application Network Profiles are “containers” which group together one or more EPGs and their associated connectivity policies – this is how we can view the “Health” of an application!

Application Network Profiles are used to describe either a Network service or an Application, e.g.
• ESX-Hosts (EPGs: Host-mgmt, vMotion, IP-storage, NSX-transport) – Are all my ESX Hosts in a healthy state? What’s the health of my IP Storage network?
• iExpenses (EPGs: SSO, Intranet, Database) – What’s the health of my iExpenses application?
The Lights are on – let’s add an Application Network Profile

On top of the access policy chain from earlier (Pools, Domains, AAEP, Interface Policies, Policy Groups, Interface Profiles and Switch Profiles: vPC_to_UCS_FI_A on vPC_Leaf_1_and_2, SVI_to_outside on Leaf_3) we add the application side of the Logical Model:

ANP: My_App – EPG: Web, EPG: App, EPG: DB
ANP: ESX-Mgmt – EPG: Host-Mgmt, EPG: vMotion, EPG: IP-Storage

The EPGs are tied to the Virtual Machine Domain (vCenter-01-vDS-01) or a physical domain (UCS-phys-svrs), which is how they reach the interfaces the access policies lit up.
New concept: Endpoint Groups
Endpoint Groups are quite simply groups of endpoints on the network.
The endpoints are identified by their connectivity Domain (virtual/physical/outside) and their connectivity method e.g.
• Virtual machine portgroups (VLAN, VXLAN)
• Physical interfaces / VLANs inc (v)port channels
• External VLANs
• External subnets

Devices within the same Endpoint group can communicate irrespective of their VLAN/VXLAN backing/ID,
provided that they have IP reachability.
Communication between Endpoint groups is, by default, not permitted (similar to PVLAN).
How do Endpoints (and Groups) use VLANs?

• ACI uses the concept of both Static and Dynamic VLAN Pools
• A single VLAN Pool can contain ranges of both Static and Dynamic VLANs
• VLANs are significant to the switch port meaning they can be reused across the fabric

Static VLANs:
• Allocated manually to EPGs
• Bound to an interface

Dynamic VLANs:
• Allocated dynamically to EPGs in VMM Domains representing Port Groups
• Allocated dynamically to the (shadow) EPGs representing FW or SLB interfaces as part of a service graph
• Bound to an interface
Secure Networking with ACI End Point Groups

Tenant: ESXi-Hosts – VRF: 01 (Anycast gateway)
ANP: ESXi-Hosts with EPG: vmk-storage (vlan-12), EPG: vMotion (vlan-10) and EPG: Host-Mgmt (vlan-8), each bound on vPC_to_UCS_a and vPC_to_UCS_b. Endpoints in an EPG are identified by Interface and VLAN ID.
Each EPG is a Security Zone: communication is allowed within the EPG.

The same three EPGs can sit on Bridge Domains in two ways:
• One Bridge Domain per EPG – BD: storage, BD: vMotion, BD: Host-Mgmt, each with Hardware Proxy: No, ARP Flooding: Yes, Unknown Unicast Flooding: Yes, IP Routing: No (classic flood-and-learn behaviour)
• One shared Bridge Domain – BD: ESXi with Hardware Proxy: Yes, ARP Flooding: No, Unknown Unicast Flooding: No, IP Routing: Yes
How many Bridge Domains do I need? The simple answer is, how many Layer 2 Segments do you want to have?

For example, if you have 10x external VLANs you will need 10x Bridge Domains – a Bridge Domain is a Layer 2 Segment.

If you have a Transparent Firewall you will need 2x Bridge Domains, one either side of the Firewall – it’s just networking!!
Let’s have a quick look at EPG to EPG traffic flows
Where are IP/Mac Addresses stored?

• Leaf Local Station Table – contains addresses of ‘all’ hosts attached directly to the Leaf (e.g. 10.1.3.11 → Port 9); each leaf holds its own FIB
• Leaf Global Station Table – contains a local cache of the fabric endpoints (e.g. 10.1.3.35 → Leaf 3)
• Spine Proxy Station Table – contains addresses of ‘all’ hosts attached to the fabric (e.g. 10.1.3.35 → Leaf 3, 10.1.3.11 → Leaf 1, fe80::8e5e → Leaf 4, fe80::5b1a → Leaf 6); each spine runs a Proxy

Tenant: Common – VRF: 01 (Anycast gateway)
BD: 01 – Hardware Proxy: Yes, ARP Flooding: No, Unknown Unicast Flooding: No, IP Routing: Yes
High Level Packet Walk

1. Packet sourced from a physical server on Leaf-101/1/10 in vlan-8 (Tenant: ESXi-Hosts, ANP: ESXi-Hosts, EPG: Host-Mgmt; endpoints identified by Interface and VLAN ID).
2. The ingress Leaf (L1) swaps the ingress encapsulation for the VXLAN (EPG) ID and performs any required policy functions.
3a. If the ingress Leaf has learned the destination IP to egress VTEP binding, it sets the required destination VTEP address and forwards.
3b. If the ingress Leaf has NOT learned the destination IP to egress VTEP binding, it sets the destination VTEP to the Spine Proxy VTEP (S1).
4. The egress Leaf (L6) removes the VXLAN (EPG) ID and performs any required policy functions.
5. Packet delivered to the physical server on Leaf-106/1/10 in vlan-8.

BD: ESXi – Hardware Proxy: Yes, ARP Flooding: No, Unknown Unicast Flooding: No, IP Routing: Yes; VRF: 01 (Anycast gateway).
There is no requirement to use the same VLAN on every Leaf: here EPG Host-Mgmt happens to use vlan-8 on Leaf-101 through Leaf-106, but each Leaf could use a different access VLAN for the same EPG.
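The ingress-leaf decisions in the packet walk and the three station tables from the previous slide, as an added example (not code from the session): a small Python model that classifies a frame to an EPG by (interface, VLAN), learns the source into the Local Station Table, then picks the VXLAN destination from Local, then Global (cached) table, then the spine proxy, or floods when the Bridge Domain has hardware proxy switched off. The table layouts, VTEP addresses and the VNID are assumed for illustration; nothing here reads a real leaf.

```python
"""Model of an ACI ingress leaf's forwarding decision.

Added example, not from the session.  Table layouts, VTEP addresses and the
VNID are assumed values; this reads nothing from a real switch.
"""
from dataclasses import dataclass, field


@dataclass
class BridgeDomain:
    name: str
    vnid: int
    hardware_proxy: bool          # False == unknown unicast flooding


@dataclass
class Leaf:
    vtep: str
    spine_proxy_vtep: str
    bindings: dict                                      # (port, vlan) -> (epg, bd)
    local_station: dict = field(default_factory=dict)   # dst ip -> local port
    global_station: dict = field(default_factory=dict)  # dst ip -> remote VTEP


def classify(leaf: Leaf, port: str, vlan: int):
    """EPG membership is (interface, VLAN); an unbound pair has no EPG."""
    return leaf.bindings.get((port, vlan))


def forward(leaf: Leaf, port: str, vlan: int, src_ip: str, dst_ip: str):
    """Return (action, target, vnid) for one ingress packet, learning src_ip."""
    hit = classify(leaf, port, vlan)
    if hit is None:
        return ("drop", None, None)                      # not in any EPG
    epg, bd = hit
    leaf.local_station[src_ip] = port                    # step 2: learn source
    if dst_ip in leaf.local_station:                     # attached to this leaf
        return ("local", leaf.local_station[dst_ip], bd.vnid)
    if dst_ip in leaf.global_station:                    # step 3a: binding known
        return ("vxlan", leaf.global_station[dst_ip], bd.vnid)
    if bd.hardware_proxy:                                # step 3b: ask the spines
        return ("vxlan", leaf.spine_proxy_vtep, bd.vnid)
    return ("flood", f"group-vtep:{bd.name}", bd.vnid)   # classic L2 behaviour


def learn_remote(leaf: Leaf, ip: str, remote_vtep: str):
    """Populate the Global Station Table once the fabric reveals where
    the endpoint lives (spine proxy lookup or a returning packet)."""
    leaf.global_station[ip] = remote_vtep


def demo_leaf(hardware_proxy=True):
    """Leaf-101 with EPG Host-Mgmt bound as vlan-8 on eth1/10 (assumed values)."""
    bd = BridgeDomain("ESXi", 15400873, hardware_proxy)
    return Leaf(vtep="10.0.8.64", spine_proxy_vtep="10.0.8.65",
                bindings={("eth1/10", 8): ("Host-Mgmt", bd)})


if __name__ == "__main__":
    leaf = demo_leaf()
    print(forward(leaf, "eth1/10", 8, "192.168.10.10", "192.168.10.11"))
    learn_remote(leaf, "192.168.10.11", "10.0.8.66")
    print(forward(leaf, "eth1/10", 8, "192.168.10.10", "192.168.10.11"))
```

The first call goes to the spine proxy because the leaf has never seen 192.168.10.11; after learn_remote fills the Global Station Table the same packet is sent straight to the remote leaf VTEP, and with hardware_proxy=False the unknown destination is flooded to the BD group instead.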
Let’s look at which VLANs/VXLANs have been used by Bridge Domains and EPGs on a given Leaf
apic1# fabric 101 show system internal epm vlan all          (alternate command: show vlan extended)
+----------+---------+-----------------+----------+------+----------+---------
   VLAN ID    Type      Access Encap     Fabric     H/W id  BD VLAN   Endpoint
                        (Type Value)     Encap                        Count
+----------+---------+-----------------+----------+------+----------+---------
   9        Infra BD   802.1Q     3967   16777209   11     9         3
   10       Ext. BD    802.1Q     2050   15269816   12     10        0
   11       Ext. BD    802.1Q     49     15531935   111    11        2
   12       Tenant BD  NONE       0      15662984   14     12        0
   13       FD vlan    802.1Q     2022   8814       15     12        2
   14       Ext. BD    802.1Q     2020   14909414   16     14        0
   15       Tenant BD  NONE       0      15171524   17     15        0
   16       FD vlan    802.1Q     33     8324       19     15        1
   17       FD vlan    802.1Q     2131   9023       20     15        0
   18       Tenant BD  NONE       0      15138760   18     18        0
   19       FD vlan    802.1Q     2125   9017       21     18        0
   20       FD vlan    802.1Q     47     8338       22     18        4
   34       Tenant BD  NONE       0      15302581   29     34        0
   35       FD vlan    802.1Q     14     8305       40     34        4
   36       Tenant BD  NONE       0      15400873   30     36        0
   37       FD vlan    802.1Q     8      8299       41     36        19
   38       Ext. BD    802.1Q     115    15269817   31     38        1

BD_CTRL_VLAN: The infrastructure VLAN which was configured during the APIC setup script.
BD_EXT_VLAN: Bridge Domain to represent an external VLAN.
BD_VLAN: An internal Bridge Domain construct which is represented by the grouping of multiple FD_VLANs/VXLANs – i.e. many FD_VLANs can map to one BD_VLAN.
FD_VLAN: A VLAN backed EPG identified by the “Access encap” VLAN ID mapped to the Bridge Domain – an FD_VLAN can only map to a single BD_VLAN.
FD_VXLAN: Used to communicate with hosts behind hypervisors using VXLAN.
Access encap: The Access_enc is significant outside the ACI network as it is the VLAN that is programmed on a front panel port, mapping inbound frames to an EPG (FD_VLAN).
Fabric Encap: The VXLAN ID for a given EPG/BD.
HW_VlanId: The VLAN used to encapsulate incoming traffic from Access_enc to send to the ALE.
VlanId: The VlanId is significant for troubleshooting; most (if not all) show commands use the VlanId, not the Access_enc VLAN ID.

Remember for troubleshooting use the Internal VLAN ID, not the Access Encap VLAN ID. Example: the Host-mgmt EPG has Access Encap VLAN 8, which on this leaf is internal VLAN 37 (19 endpoints) on BD VLAN 36.
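The access-encap to internal VLAN lookup that the note above asks you to do by hand, as an added example (not code from the session): a Python parser for the `fabric <node> show system internal epm vlan all` output that resolves the wire VLAN an administrator knows (vlan-8) to the internal VLAN ID the leaf show commands want (37) and on to its BD_VLAN and fabric VXLAN. SAMPLE is constructed from rows of the output shown above; real output may carry additional columns on newer releases, in which case the ROW pattern needs adjusting.

```python
"""Map ACI access-encap VLANs to the leaf-internal VLAN IDs troubleshooting needs.

Added example, not from the session.  SAMPLE is constructed from rows of the
`show system internal epm vlan all` output shown above.
"""
import re

SAMPLE = """\
+----------+---------+-----------------+----------+------+----------+---------
   VLAN ID    Type      Access Encap     Fabric     H/W id  BD VLAN   Endpoint
                        (Type Value)     Encap                        Count
+----------+---------+-----------------+----------+------+----------+---------
   9        Infra BD   802.1Q     3967   16777209   11     9         3
   34       Tenant BD  NONE       0      15302581   29     34        0
   35       FD vlan    802.1Q     14     8305       40     34        4
   36       Tenant BD  NONE       0      15400873   30     36        0
   37       FD vlan    802.1Q     8      8299       41     36        19
   38       Ext. BD    802.1Q     115    15269817   31     38        1
"""

# VLAN ID, two-word Type, encap type, encap value, fabric encap, H/W id, BD VLAN, count
ROW = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_epm_vlan(text):
    """Return one dict per data row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        rows.append({
            "vlan_id": int(m[1]), "type": m[2], "encap_type": m[3],
            "access_encap": int(m[4]), "fabric_encap": int(m[5]),
            "hw_id": int(m[6]), "bd_vlan": int(m[7]), "endpoints": int(m[8])})
    return rows


def internal_vlans_for_access_encap(rows, vlan):
    """Internal VLAN IDs whose front-panel (802.1Q) encap is `vlan`.
    A list: port-local VLAN scope lets one wire VLAN back more than one EPG."""
    return [r["vlan_id"] for r in rows
            if r["type"] == "FD vlan" and r["encap_type"] == "802.1Q"
            and r["access_encap"] == vlan]


def bridge_domain_of(rows, internal_vlan):
    """The BD_VLAN row an FD_VLAN maps to (many FD_VLANs -> one BD_VLAN)."""
    fd = next(r for r in rows if r["vlan_id"] == internal_vlan)
    return next(r for r in rows
                if r["vlan_id"] == fd["bd_vlan"] and r["type"] != "FD vlan")


def epgs_in_bridge_domain(rows, bd_vlan):
    """Internal VLAN IDs of every EPG (FD_VLAN) riding on a BD_VLAN."""
    return [r["vlan_id"] for r in rows
            if r["type"] == "FD vlan" and r["bd_vlan"] == bd_vlan]


if __name__ == "__main__":
    rows = parse_epm_vlan(SAMPLE)
    for v in internal_vlans_for_access_encap(rows, 8):
        bd = bridge_domain_of(rows, v)
        print(f"access vlan 8 -> internal vlan {v} -> BD vlan {bd['vlan_id']} "
              f"(VXLAN {bd['fabric_encap']}); next: show mac address-table vlan {v}")
```

Feed it the real output with `fabric 101 show system internal epm vlan all` piped into a file; the returned internal VLAN is the argument the next slide's `show mac address-table vlan` command expects.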
Display the Mac Addresses contained in the EPG
apic1# fabric 101 show mac address-table vlan 37
Legend:
* - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
age - seconds since last seen,+ - primary entry using vPC Peer-Link,
(T) - True, (F) - False
VLAN MAC Address Type age Secure NTFY Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
* 37 0000.0c07.ac08 dynamic - F F po2
* 37 001a.a2d5.c080 dynamic - F F po2
* 37 02a0.981c.b2be dynamic - F F po2
* 37 0026.0bf1.f002 dynamic - F F po2
* 37 0014.384e.26e1 dynamic - F F po2
* 37 0016.355b.ddda dynamic - F F po2
* 37 0060.1646.97da dynamic - F F po2
* 37 0010.18cf.c318 dynamic - F F po2
* 37 0018.74e2.1540 dynamic - F F po2
* 37 0004.02f6.1f13 dynamic - F F po2
* 37 0025.b506.006d dynamic - F F po2
* 37 001b.21be.fa68 dynamic - F F po2
* 37 0025.b501.04af dynamic - F F po2
* 37 0025.b501.049f dynamic - F F po2
* 37 0025.b501.04bf dynamic - F F po2
* 37 0025.b506.007c dynamic - F F po2
* 37 0025.b501.04df dynamic - F F po2
* 37 0025.b506.0027 dynamic - F F po2
* 37 0025.b506.0068 dynamic - F F po2
Displaying the Endpoints on the network
apic1# show endpoints
Tenant     Application     AEPg       End Point MAC      IP Address      Node     Interface                   Encap
---------- --------------- ---------- ------------------ --------------- -------- --------------------------- ----------
vmware     ESXi-ssharman   Host-mgmt  00:25:B5:06:00:1F  192.168.29.43   101 102  vpc 1Gbps_vPC_to_ucs-02-b   vlan-8
vmware     ESXi-ssharman   Host-mgmt  00:25:B5:06:00:3E  192.168.29.44   101 102  vpc 1Gbps_vPC_to_ucs-02-b   vlan-8
vmware     ESXi-ssharman   Host-mgmt  00:25:B5:06:00:47  192.168.29.46   101 102  vpc 1Gbps_vPC_to_ucs-02-b   vlan-8
vmware     ESXi-ssharman   Host-mgmt  00:50:56:86:81:1D  192.168.29.102  101 102  vpc 1Gbps_vPC_to_ucs-02-b   vlan-8
vmware     ESXi-ssharman   Host-mgmt  00:50:56:86:F7:6A  192.168.29.106  101 102  vpc 1Gbps_vPC_to_ucs-02-b   vlan-8

New NX-OS CLI in 1.2.1i


Displaying the Endpoints on a Leaf
apic1# fabric 101 show endpoint
Legend:
O - peer-attached H - vtep a - locally-aged S - static
V - vpc-attached p - peer-aged L - local M - span
s - static-arp B - bounce
+-----------------------------------+---------------+-----------------+--------------+-------------+
VLAN/ Encap MAC Address MAC Info/ Interface
Domain VLAN IP Address IP Info
+-----------------------------------+---------------+-----------------+--------------+-------------+
common:outside_ospf 101.1.1.1 L
44/common:outside_ospf vxlan-15302582 0000.0c07.ac30 L eth1/96
44/common:outside_ospf vxlan-15302582 0018.74e2.1540 L eth1/96
44/common:outside_ospf vxlan-15302582 001a.a2d5.c080 L eth1/96
13 vlan-2022 0025.b506.0062 LV po3
common:outside_vlans vlan-2022 192.168.22.14 LV
13 vlan-2022 0025.b506.0002 LV po3
common:outside_vlans vlan-2022 192.168.22.15 LV
common:outside_vlans vlan-2022 192.168.22.17 LV
32 vlan-22 0000.0c07.ac16 LV po2
common:outside_vlans vlan-22 192.168.22.1 LV
32 vlan-22 001a.a2d5.c080 LV po2
common:outside_vlans vlan-22 192.168.22.3 LV
32/common:outside_vlans vlan-22 0018.74e2.1540 LV po2
32 vlan-22 0050.5699.9099 LV po2
common:outside_vlans vlan-22 192.168.22.16 LV
32 vlan-22 0050.5699.7e05 LV po2
Advanced Query: How to find if/where any VLAN has been used
apic1# moquery -c fvIfConn | grep dn | grep common | grep vlan

(query the managed object class fvIfConn, the interface connection object; then filter on the distinguished name, the tenant name and the VLAN name)

dn: uni/epp/br-[uni/tn-common/l2out-outside_infra-robvand/instP-EPG_outside_infra-robvand]/node-102/stpathatt-[1Gbps_vPC_to_n5548]/conndef/conn-[vlan-47]-[0.0.0.0]
dn: uni/epp/br-[uni/tn-common/l2out-outside_infra-robvand/instP-EPG_outside_infra-robvand]/node-101/stpathatt-[1Gbps_vPC_to_n5548]/conndef/conn-[vlan-47]-[0.0.0.0]

dn: uni/epp/br-[uni/tn-common/l2out-outside_infra-anvanker/instP-EPG_outside_infra-anvanker]/node-102/stpathatt-[1Gbps_vPC_to_n5548]/conndef/conn-[vlan-13]-[0.0.0.0]
dn: uni/epp/br-[uni/tn-common/l2out-outside_infra-anvanker/instP-EPG_outside_infra-anvanker]/node-101/stpathatt-[1Gbps_vPC_to_n5548]/conndef/conn-[vlan-13]-[0.0.0.0]
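The same query taken one step further, as an added example (not code from the session): a Python parser for the fvIfConn DNs that `moquery -c fvIfConn | grep dn` prints, answering "where is vlan-47 bound?" across every node and path, and flagging the case that most often stops a new static path binding from coming up, the same encap on the same node and port bound to two different EPGs (which the APIC reports as a fault). SAMPLE is constructed: the l2out lines copy the output above with the wrapped lines rejoined, and the `uni/epp/fv-[...]` lines are assumed to be the shape a regular application-EPG binding takes.

```python
"""Find where a VLAN is bound on the fabric from fvIfConn distinguished names.

Added example, not from the session.  SAMPLE is constructed; the
uni/epp/fv-[...] lines are assumed to be the regular application-EPG form.
"""
import re
from collections import defaultdict

SAMPLE = """\
dn: uni/epp/br-[uni/tn-common/l2out-outside_infra-robvand/instP-EPG_outside_infra-robvand]/node-102/stpathatt-[1Gbps_vPC_to_n5548]/conndef/conn-[vlan-47]-[0.0.0.0]
dn: uni/epp/br-[uni/tn-common/l2out-outside_infra-robvand/instP-EPG_outside_infra-robvand]/node-101/stpathatt-[1Gbps_vPC_to_n5548]/conndef/conn-[vlan-47]-[0.0.0.0]
dn: uni/epp/br-[uni/tn-common/l2out-outside_infra-anvanker/instP-EPG_outside_infra-anvanker]/node-102/stpathatt-[1Gbps_vPC_to_n5548]/conndef/conn-[vlan-13]-[0.0.0.0]
dn: uni/epp/fv-[uni/tn-vmware/ap-ESXi-ssharman/epg-Host-mgmt]/node-101/stpathatt-[1Gbps_vPC_to_ucs-02-b]/conndef/conn-[vlan-8]-[0.0.0.0]
dn: uni/epp/fv-[uni/tn-ssharman/ap-Test/epg-Clash]/node-101/stpathatt-[1Gbps_vPC_to_ucs-02-b]/conndef/conn-[vlan-8]-[0.0.0.0]
"""

DN = re.compile(
    r"uni/epp/(?P<kind>fv|br|rt)-\[(?P<epg>[^\]]+)\]/node-(?P<node>\d+)"
    r"/stpathatt-\[(?P<path>[^\]]+)\]/conndef/conn-\[(?P<encap>[^\]]+)\]")
TENANT = re.compile(r"uni/tn-([^/]+)/")


def parse_ifconn(text):
    """One record per fvIfConn DN: kind, EPG dn, node, path name, encap, tenant."""
    out = []
    for line in text.splitlines():
        m = DN.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["node"] = int(rec["node"])
        rec["tenant"] = TENANT.search(rec["epg"]).group(1)
        out.append(rec)
    return out


def where_is_vlan(records, encap):
    """Sorted (node, path, epg) tuples on which `encap` (e.g. 'vlan-47') is bound."""
    return sorted((r["node"], r["path"], r["epg"])
                  for r in records if r["encap"] == encap)


def overlapping_bindings(records):
    """Same encap on the same node+path bound to more than one EPG.
    Returns {(node, path, encap): [epg, ...]} for every such clash."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["node"], r["path"], r["encap"])].add(r["epg"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    recs = parse_ifconn(SAMPLE)
    for node, path, epg in where_is_vlan(recs, "vlan-47"):
        print(f"vlan-47: node {node} path {path} -> {epg}")
    for key, epgs in overlapping_bindings(recs).items():
        print("clash:", key, epgs)
```

Because VLANs are port-local in ACI, the same encap appearing on different paths or nodes is normal and is not reported; only a repeat on the identical node and path is.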
How do I control Endpoint Group communication?

New concept: Contracts (ACLs)

Contracts are “directional” Access Lists between Provider and Consumer EPGs. They comprise one or more Filters (ACEs) to identify traffic, e.g:
• Contract: Web | Filter: 80, 443, 8000
• Contract: DNS | Filter: 53

Provider: EPG: Web (Filter: 80, 443 etc)  <-- Contract: Clients-to-Web -->  Consumer: EPG: Clients (Filter: none)

Filter flags:
• IP Protocol
• Ports
• Stateful
• Etc.

Contract flags:
• Apply in both directions (single contract which allows return traffic)
• Reverse filter ports (dynamically permits return flow based on src/dst ports)
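The contract semantics above, as an added example (not code from the session): a Python model that answers "may this flow pass?" the way ACI does. No contract means no traffic between EPGs; a contract permits consumer to provider on the filter; the return direction is only open when the contract applies in both directions, and with "reverse filter ports" the filter is matched against the reply's source port rather than its destination port. The EPG and contract names are from the slide; the port numbers, the "unenforced VRF permits everything" short cut and the intra-EPG default are the standard ACI behaviour as I understand it, and nothing here talks to an APIC.

```python
"""Evaluate EPG-to-EPG reachability under ACI contract semantics.

Added example, not from the session.  EPG and contract names are from the
slide; ports and the VRF 'unenforced' handling are assumed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Filter:                     # one ACE: protocol plus destination port range
    proto: str
    dport_from: int
    dport_to: int

    def matches(self, proto, dport):
        return self.proto == proto and self.dport_from <= dport <= self.dport_to


@dataclass
class Contract:
    name: str
    filters: List[Filter]
    apply_both_directions: bool = True
    reverse_filter_ports: bool = True


@dataclass
class Vrf:
    enforced: bool = True
    epgs: Set[str] = field(default_factory=set)
    provides: Set[Tuple[str, str]] = field(default_factory=set)   # (epg, contract)
    consumes: Set[Tuple[str, str]] = field(default_factory=set)   # (epg, contract)
    contracts: dict = field(default_factory=dict)


def _contract_permits(c: Contract, proto, sport, dport, consumer_to_provider):
    if consumer_to_provider:                    # the direction the filter is written for
        return any(f.matches(proto, dport) for f in c.filters)
    if not c.apply_both_directions:
        return False                            # return traffic needs its own rule
    port = sport if c.reverse_filter_ports else dport
    return any(f.matches(proto, port) for f in c.filters)


def permitted(vrf: Vrf, src_epg, dst_epg, proto, sport, dport):
    """True if a flow src_epg -> dst_epg (proto, sport, dport) is allowed."""
    if not vrf.enforced or src_epg == dst_epg:  # unenforced VRF, or intra-EPG
        return True
    for name, c in vrf.contracts.items():
        # src consumes and dst provides: forward direction of the contract
        if (src_epg, name) in vrf.consumes and (dst_epg, name) in vrf.provides \
                and _contract_permits(c, proto, sport, dport, True):
            return True
        # src provides and dst consumes: the return direction
        if (src_epg, name) in vrf.provides and (dst_epg, name) in vrf.consumes \
                and _contract_permits(c, proto, sport, dport, False):
            return True
    return False                                # no contract == no communication


def demo_vrf(enforced=True):
    """Clients consume, Web provides; DB has no contract at all."""
    v = Vrf(enforced=enforced, epgs={"Clients", "Web", "DB"})
    v.contracts["Clients-to-Web"] = Contract(
        "Clients-to-Web", [Filter("tcp", 80, 80), Filter("tcp", 443, 443)])
    v.provides.add(("Web", "Clients-to-Web"))
    v.consumes.add(("Clients", "Clients-to-Web"))
    return v


if __name__ == "__main__":
    v = demo_vrf()
    print(permitted(v, "Clients", "Web", "tcp", 51000, 443))   # forward: True
    print(permitted(v, "Web", "Clients", "tcp", 443, 51000))   # reply: True
    print(permitted(v, "Web", "Clients", "tcp", 51000, 443))   # Web initiating: False
    print(permitted(v, "Clients", "DB", "tcp", 51000, 3306))   # no contract: False
```

Flipping reverse_filter_ports off makes the return rule match the reply's destination port instead, which is why a contract with that flag cleared lets Web open connections to port 443 on Clients but silently drops the replies to the Clients' own sessions.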
Contracts are required for inter EPG connectivity

Tenant: ESXi-Hosts – VRF: 01 (Anycast gateway)
BD: ESXi – Hardware Proxy: Yes, ARP Flooding: No, Unknown Unicast Flooding: No, IP Routing: 192.168.10.1/24 (Primary Gateway) and 192.168.20.1/24 (Secondary Gateway)

ANP: ESXi-Storage – EPG: Shared-storage on vPC Node104_105/1/50, vlan-40: 192.168.20.10
ANP: ESXi-Hosts – EPG: vmk-storage on vPC_to_UCS_a/vPC_to_UCS_b, vlan-30: 192.168.20.11, 192.168.20.12
ANP: ESXi-Hosts – EPG: Host-Mgmt on vPC_to_UCS_a/vPC_to_UCS_b, vlan-8: 192.168.10.11, 192.168.10.10

Shared-storage to vmk-storage: Contract = Allow Communication
vmk-storage to Host-Mgmt: No Contract = No Communication, even though both EPGs sit on the same Bridge Domain and VRF
Contracts Scope

Contracts are “scoped” at:
• Global
• Tenant
• Context (aka Private Network, aka VRF)
• Application Profile

Example: Tenant: Web_Hosting, VRF: 01, BD: 01 (Hardware Proxy: Yes, IP Routing: Yes) holds ANP: 01 and ANP: 02, each with EPG: Web, EPG: App and EPG: DB and the contracts Web_to_App and App_to_DB. With the scope set to Application Profile, Web in ANP: 01 reaches App in ANP: 01 only; with the scope set to Context, Web in either ANP could reach App in either.
What happens if I don’t know the
required Filter ports?
Filter discovery

• Ask the Application Owner – it’s their application, they will (ok should) know
• Ask the Security Admin for the firewall rules
• Use Wireshark
• Use an “any-any” Filter between EPGs (most customers start here)
• Configure “Unenforced” mode on the VRF
How does ACI integrate with VMware’s virtual switches?
There are four choices to integrate with VMware:
1. Manually configure the vSwitch/vDS as you do today
2. Dynamically configure the vDS (VMware) by pushing Port Groups (VLAN) from APIC to vCenter
3. Dynamically configure the vDS (Cisco AVS) by pushing Port Groups (VLAN/VXLAN) from APIC to vCenter
4. Build NSX overlay networks (VXLAN) between different hosts – requires additional (costly) NSX licenses from VMware
Traditional Networking
SVI | VLAN | Port Group Relationship
[Diagram: VRF: VRF-01 (HSRP gateway) -> Interface VLAN10, IP Address 192.168.10.1/24 -> Layer 2 VLAN: VLAN10 -> Host-01 to Host-04 on vDS-01 with Port Group: Web (VLAN 10), each host running VMs.]
EPG to vDS Port Group Relationship
[Diagram: Service Request “Create Application” goes to the APIC cluster, which creates the vDS Port Groups through vCenter. Tenant: Tenant-01, VRF: VRF-01 (Anycast gateway), BD: Apps (IP Routing: 192.168.10.1/24), ANP: My-App-01, EPG: Web (Dynamic VLAN 2001). On vDS-01 across Host-01 to Host-04 the matching Port Group is VMware|My-App-01|Web (Dynamic VLAN 2001); an Outside connection is also shown.]
Security Groups within a Subnet
[Diagram: same service request flow (Create Application -> APIC -> vDS Port Groups via vCenter). Tenant: Tenant-01, VRF: VRF-01 (Anycast gateway), BD: Apps (IP Routing: 192.168.10.1/24), ANP: My-App-01 with EPG: Web (Dynamic VLAN 2001), EPG: App (Dynamic VLAN 2002) and EPG: DB (Dynamic VLAN 2003); the DB EPG also contains physical servers (PS) on Eth1/50, 51 VLAN 3600. The vDS-01 Port Groups VMware|My-App-01|Web, VMware|My-App-01|App and VMware|My-App-01|DB carry the matching dynamic VLANs. Contract = Allow Communication between Web and App and between App and DB; No Contract = No Communication.]
NSX Overlay
[Diagram: APIC configures the fabric with an NSX Transport EPG (VLAN) across all hosts. Tenant: Tenant-01, VRF: VRF-01, BD: NSX (IP Routing: Yes), ANP: Overlay_Network, EPG: NSX_Transport (VLAN 1000). An L3out (Interface: VLAN 2000, IPs 192.168.30.1 and 192.168.30.2) is where the NSX ESG routers peer with the physical network. vCenter and NSX Manager sit outside the fabric; the NSX Controller Cluster pushes routes to the hosts. Hosts with VTEPs 10.0.0.1 to 10.0.0.4 run vDS-01 (not managed by APIC); dedicated hosts carry the “Edge” functionality (DLR, DLR B/U, ESG, ESG B/U). The NSX DLR informs the controllers of learnt routes. An NSX Logical Switch is a Layer 2 segment carried over VXLAN, which is in turn carried over a dedicated VLAN.]
Virtual Switching Comparison
Cisco AVS is a Partner Supported VIB
• Let’s look at vSphere 6.0 Official Documentation about kernel Virtual Installation Bundles (VIB) - http://vmw.re/1Ta1Zz0
Customers call Cisco for AVS support
• Cisco AVS Statement of Support: http://www.cisco.com/c/dam/en/us/products/collateral/switches/application-virtual-switch/avs-support-statement-an.pdf
[Diagram: Cisco APIC and VMware vCenter share a VMM Domain; APIC talks OpFlex to the AVS on each VMware ESXi Server, and the AVS connects the VMs.]
How do I Provide External Connectivity to the ACI Fabric?
Layer 2 connectivity
1 Bridge Domain = 1 Outside VLAN
Option 1: Same VLANs Outside/Inside (No Contract Required)
[Diagram: Tenant ESXi-Hosts, VRF: VRF-01 (Anycast gateway), BD: Inside (Hardware Proxy: No, ARP Flooding: Yes, Unknown Unicast Flooding: Yes, IP Routing: No). ANP ESXi-Hosts, EPG: Host-Mgmt carries vlan-10 on vPC_to_UCS_a, vPC_to_UCS_b and vPC_to_n5ks (hosts 192.168.10.10 and 192.168.10.11); the same vlan-10 continues outside the fabric.]
Option 2: Different VLANs Outside/Inside (Contract Required)
[Diagram: Tenant ESXi-Hosts, VRF: VRF-01 (Anycast gateway), BD: Inside (Hardware Proxy: Yes, ARP Flooding: No, Unknown Unicast Flooding: No, IP Routing: 192.168.10.1/24 and 192.168.20.1/24). An L2out on Interface: vPC_to_n5ks, VLAN: 10, is represented by an external EPG. Internal EPG: vMotion (vlan-20 on vPC_to_UCS_a/b, hosts 192.168.20.10 and 192.168.20.11) and EPG: Host-Mgmt (vlan-100 on vPC_to_UCS_a/b, hosts 192.168.10.10 and 192.168.10.11). Contract = Allow Communication; No Contract = No Communication.]
Layer 3 connectivity
ACI only learns routes via “L3outs” – these are simply routed interfaces/sub-interfaces/SVIs.
[Diagram: Layer 3 External. Tenant ESXi-Hosts, VRF: VRF-01 (Anycast gateway), BD: Inside (Hardware Proxy: Yes, ARP Flooding: No, Unknown Unicast Flooding: No, IP Routing: 192.168.10.1/24). L3out on Interface: 101/102 eth1/96 with IPs 192.168.30.1 and 192.168.30.5, OSPF peering to the Outside. BD subnet control: Advertise, Private etc. The external EPG carries a Security Import Subnet*, i.e. which external subnets can be accessed through this EPG. Internal EPG: vMotion (vlan-20 on vPC_to_UCS_a/b, hosts 192.168.20.10 and 192.168.20.11) and EPG: Host-Mgmt (vlan-100 on vPC_to_UCS_a/b, hosts 192.168.10.10 and 192.168.10.11). Contract = Allow Communication; No Contract = No Communication.]
Looking under the covers at Routing
apic1# fabric 101 show ip route ospf vrf ssharman:VRF-01
----------------------------------------------------------------
Node 101 (Leaf-1)
----------------------------------------------------------------
IP Route Table for VRF "ssharman:VRF-01"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

10.51.226.0/24, ubest/mbest: 1/0
*via 192.168.48.2, vlan59, [110/1], 02w18d, ospf-default, type-2
10.51.227.0/24, ubest/mbest: 1/0
*via 192.168.48.2, vlan59, [110/1], 02w18d, ospf-default, type-2
10.52.204.112/28, ubest/mbest: 1/0
*via 192.168.48.2, vlan59, [110/5], 02w20d, ospf-default, inter
10.52.205.128/27, ubest/mbest: 1/0
*via 192.168.48.2, vlan59, [110/20], 02w20d, ospf-default, type-2
10.52.205.160/27, ubest/mbest: 1/0
*via 192.168.48.2, vlan59, [110/1], 02w20d, ospf-default, type-2
10.52.207.100/32, ubest/mbest: 1/0
*via 192.168.48.2, vlan59, [110/20], 02w20d, ospf-default, type-2
10.52.248.0/26, ubest/mbest: 1/0
*via 192.168.48.2, vlan59, [110/5], 02w20d, ospf-default, inter
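An added helper (not part of the session) that parses the route-table format shown above so the routes an L3out has learnt can be checked in a script; the sample text is taken from the slide’s own output, and the two-route subset is constructed for the test.

```python
import re
from typing import Dict, List, NamedTuple

class Route(NamedTuple):
    prefix: str        # e.g. "10.51.226.0/24"
    nexthop: str       # e.g. "192.168.48.2"
    interface: str     # e.g. "vlan59"
    preference: int    # [preference/metric] -> 110 for OSPF
    metric: int
    age: str           # e.g. "02w18d"
    protocol: str      # e.g. "ospf-default"
    rtype: str         # "type-2" (OSPF external) or "inter" (inter-area)

# "<prefix>, ubest/mbest: x/y" introduces a prefix; "*via ..." lines follow it.
PREFIX_RE = re.compile(r"^(\S+/\d+), ubest/mbest: \d+/\d+")
VIA_RE = re.compile(r"^\*+via (\S+), (\S+), \[(\d+)/(\d+)\], (\S+), (\S+), (\S+)$")

def parse_ip_route(text: str) -> List[Route]:
    """Parse 'show ip route' output from an ACI leaf (NX-OS format)."""
    routes: List[Route] = []
    prefix = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PREFIX_RE.match(line)
        if m:
            prefix = m.group(1)
            continue
        m = VIA_RE.match(line)
        if m and prefix is not None:
            nh, intf, pref, metric, age, proto, rtype = m.groups()
            routes.append(Route(prefix, nh, intf, int(pref), int(metric), age, proto, rtype))
    return routes

def prefixes_by_type(routes: List[Route]) -> Dict[str, List[str]]:
    """Group learnt prefixes by OSPF route type, e.g. to spot external
    (type-2) prefixes that should not be arriving through this L3out."""
    out: Dict[str, List[str]] = {}
    for r in routes:
        out.setdefault(r.rtype, []).append(r.prefix)
    return out

# Sample: two entries from the 'fabric 101 show ip route ospf' output on the slide.
SAMPLE = """\
IP Route Table for VRF "ssharman:VRF-01"
'*' denotes best ucast next-hop
10.51.226.0/24, ubest/mbest: 1/0
    *via 192.168.48.2, vlan59, [110/1], 02w18d, ospf-default, type-2
10.52.204.112/28, ubest/mbest: 1/0
    *via 192.168.48.2, vlan59, [110/5], 02w20d, ospf-default, inter
"""
```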
External Subnets for the External EPG
[Diagram: Tenant Common, VRF: Production, BD: Inside (Hardware Proxy: Yes, ARP Flooding: No, Unknown Unicast Flooding: No, IP Routing: 192.168.10.1/24). Two L3outs, one towards Outside 60.1.1.0/24 and one towards Outside 100.1.1.0/24, each with its own external EPG: subnet 60.1.1.0/24 can be accessed via the first EPG and subnet 100.1.1.0/24 via the second. Routes are carried between leafs by MP-BGP. No Contract = No Communication between the two external EPGs.]
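An added example (not part of the session) of what the “external subnets for the external EPG” setting does: it is the classification side of the security policy, deciding which external EPG an outside address belongs to before any contract is evaluated. The EPG names are constructed from the slide; the assumption that classification is a longest-prefix match across all external EPGs in the VRF is the author’s, as is the catch-all helper.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed example (not Cisco code): external EPG name -> its import subnets.
ExtEpgs = Dict[str, List[str]]

EXT_EPGS: ExtEpgs = {                      # constructed from the two-L3out slide
    "L3out-60/ExtEPG": ["60.1.1.0/24"],
    "L3out-100/ExtEPG": ["100.1.1.0/24"],
}

def classify(ip: str, ext_epgs: ExtEpgs) -> Optional[str]:
    """Return the external EPG whose import subnet is the longest match for ip
    (assumed longest-prefix-match semantics), or None if no external EPG claims
    it, in which case no contract can ever permit the flow."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[int, str]] = None
    for epg, subnets in ext_epgs.items():
        for cidr in subnets:
            net = ipaddress.ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, epg)
    return best[1] if best else None

def duplicate_subnets(ext_epgs: ExtEpgs) -> List[Tuple[str, List[str]]]:
    """Report import subnets declared by more than one external EPG: the
    classification is then ambiguous and should be fixed before a contract
    is trusted to scope external access."""
    owners: Dict[str, List[str]] = {}
    for epg, subnets in ext_epgs.items():
        for cidr in subnets:
            owners.setdefault(str(ipaddress.ip_network(cidr)), []).append(epg)
    return [(cidr, epgs) for cidr, epgs in owners.items() if len(epgs) > 1]

def with_catch_all(ext_epgs: ExtEpgs, epg: str) -> ExtEpgs:
    """Copy of ext_epgs in which one external EPG also imports 0.0.0.0/0: the
    shortcut that makes that EPG match every otherwise-unclassified outside
    address, so a contract on it reaches far more than the intended subnet."""
    out = {k: list(v) for k, v in ext_epgs.items()}
    out.setdefault(epg, []).append("0.0.0.0/0")
    return out
```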
Transit Routing – Static Routes
[Diagram: Tenant Common, VRF: Production, BD: Inside (Hardware Proxy: Yes, ARP Flooding: No, Unknown Unicast Flooding: No, IP Routing: 192.168.10.1/24). One L3out holds a static route to 60.1.1.0/24 via its next hop, the other a static route to 100.1.1.0/24 via its next hop; Contract = Allow Communication between the two external EPGs; MP-BGP between leafs. Static routes must be individually exported; 0.0.0.0/0 is not supported.]
Transit Routing – Multiple L3 Out per VRF
[Diagram: Tenant Common, VRF: Production, BD: Inside (Hardware Proxy: Yes, ARP Flooding: No, Unknown Unicast Flooding: No, IP Routing: 192.168.10.1/24). One L3out reaches Outside 60.1.1.0/24 and 70.1.1.0/24, the other Outside 80.1.1.0/24; Contract = Allow Communication between the external EPGs; MP-BGP between leafs. Use a 0.0.0.0/0 subnet with the ‘aggregate export’ option checked to export all routes.]
Import Route Control (BGP only)
[Diagram: same topology (Tenant Common, VRF: Production, BD: Inside, two L3outs towards 60.1.1.0/24, 70.1.1.0/24 and 80.1.1.0/24, MP-BGP between leafs, Contract = Allow Communication). Import route control on the external EPG decides which routes should be imported to the fabric.]
Service Graphs and Service Chains
Service Graph Contracts connect two EPGs and optionally provide configuration parameters to the FW and SLB which sit between the EPGs.
In “Managed” mode the APIC pushes the required VLANs and configuration to the FW/SLB.
In “Unmanaged” mode the APIC only pushes the required VLANs to the EPG.
Service Chains are two L4-7 Devices linked in a series.
Note (for all of the above): Normal L2/L3 rules still apply, you still have to direct the traffic to the FW/SLB.
It is possible to use L4-7 Devices without Service Graphs; in this mode the fabric only provides L2 connectivity.
Transparent Firewall – Server’s Default Gateway is the Bridge Domain on the ACI Fabric
[Diagram: Tenant Common, ANP: My-App-01. VRF: 01 holds an L3out and BD: Outside (Hardware Proxy: No, ARP Flooding: Yes, Unknown Unicast Flooding: Yes, IP Routing: Yes), which is the server default gateway. VRF: 02 (VRF not used) holds BD: Inside (Hardware Proxy: No, ARP Flooding: Yes, Unknown Unicast Flooding: Yes, IP Routing: No). EPG: Servers_Outside (192.168.10.x/24) can communicate externally via the Standard_Contract to the L3out, and with EPG: Servers_Inside (192.168.10.x/24) via the Service_Graph_Contract. Both firewall connector types must be specified as L2.]
Transparent Firewall – Server’s Default Gateway is the Bridge Domain on the ACI Fabric
[Diagram: Tenant Common, ANP: My-App-01. VRF: 01 holds an L3out and BD: Outside (Hardware Proxy: No, ARP Flooding: Yes, Unknown Unicast Flooding: Yes, IP Routing: Yes), which is the server default gateway. VRF: 02 (VRF not used) holds BD: Inside (Hardware Proxy: No, ARP Flooding: Yes, Unknown Unicast Flooding: Yes, IP Routing: No). The outside connector type must be specified as L3 and the inside connector type as L2. EPG: Servers_Inside (192.168.10.x/24) can communicate to the “outside world” via the Service_Graph_Contract to the L3out.]
Routed Firewall – Server’s Default Gateway is the Firewall attached to the ACI Fabric
[Diagram: Tenant Common, ANP: My-App-01. VRF: 01 holds the L3out to the outside and a second L3out to the firewall (10.1.1.0/30); the VRF has a static route to the firewall “inside” subnet via the L3out to the firewall. VRF: 02 (VRF not used) holds BD: Inside (Hardware Proxy: Yes, ARP Flooding: Yes, Unknown Unicast Flooding: No, IP Routing: No). The outside connector type must be specified as L3 and the inside connector type as L2. EPG: Servers_Inside (192.168.10.x/24) uses the firewall as its server default gateway and can communicate to the “outside world” via the Service_Graph_Contract to the L3out.]
Routed Firewall – Server’s Default Gateway is the Bridge Domain on the ACI Fabric
[Diagram: Tenant Common, ANP: My-App-01. VRF: 01 holds the L3out to the outside and an L3out to the firewall (10.1.1.0/30), with a static route to the firewall “inside” subnet via the L3out to the firewall. VRF: 02 holds an L3out to the firewall (10.1.2.0/30) and BD: Inside (Hardware Proxy: Yes, ARP Flooding: No, Unknown Unicast Flooding: No, IP Routing: Yes), which is the server default gateway. Both VRFs peer with the firewall via L3out, and both connector types must be specified as L3. EPG: Servers_Inside (192.168.10.x/24) can communicate to the “outside world” via the Service_Graph_Contract to the L3out.]
Service Graph Benefits
Install a L4-7 device once (e.g. the ASA firewall) and deploy it multiple times in different logical topologies.
The benefits of the service graph are:
• Reusable configuration templates
• Automatic management of VLAN assignments
• Health score collection from the L4-7 device
• Statistics collection from the L4-7 device
• Automatic ACLs and Pools configuration with endpoint discovery
ADC Device Package Status (as of 09/02/2016)

| Device Package | Status | Virtual and physical | Mode | Function Profile | HA | Multi-context on physical appliance | Dynamic Routing | Dynamic EPG | IPv6 | Feature | Operational model |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Citrix NetScaler | FCS | Yes | Go-To (one-arm and two-arm) | Yes | No (manual OOB) | Yes (create Virtual instance on SDX manually) | Yes | Yes | Yes | ADC, member of pool for VIP | Everything via APIC |
| F5 BIG-IP LTM | FCS | Yes | Go-To (one-arm and two-arm) | Yes | Yes | Yes (create route-domain on physical LTM automatically, or create vCMP manually (no HA)) | No | Yes | No | ADC, member of pool for VIP | Everything via APIC or BIG-IQ |
| F5 BIG-IQ cloud | Q1CY16 | Yes | - | - | - | - | - | - | - | - | - |
| A10 Thunder | FCS | Yes | Go-To (one-arm and two-arm) | No | No (manual OOB) | No | No | No | No | ADC | Everything via APIC |
| Radware Alteon | FCS | Physical | Go-To | No | No | No | No | No | No | ADC | Everything via APIC |
| Avi Networks | FCS | Virtual | Go-To | Yes | Yes | - | No | No | No | ADC | Only the Avi controller is required |
FW Device Package Status (as of 09/02/2016)

| Device Package | Status | Virtual and physical | Mode | Function Profile | HA | Multi-context on physical appliance | Dynamic Routing | Dynamic EPG | IPv6 | Feature | Operational model |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Cisco ASA | FCS | Yes | Go-To, Go-Through | Yes | Yes | Yes (create context on ASA5500X manually; allocate-interface to each context is done by APIC) | Yes | Yes | Yes | FW, object-group for ACL, NAT, ACE | Everything via APIC |
| Palo Alto | CA 1HCY16 planning | Yes | Go-To | Yes | No | No | No | No | No | FW | Panorama is required |
| Cisco FirePOWER | FCS Oct 2015, in controlled introduction | Yes | Go-Through | Yes | No | No | - | - | - | IPS | Everything via APIC |
| Checkpoint | Q2CY16 | Yes | Go-To, Go-Through | Yes | Yes (manual OOB) | Yes | No | No | Yes | FW | Everything via APIC |
| Fortinet | Q2CY16 | Yes | Go-To, Go-Through | Yes | Yes | Yes | No | No | Yes | FW | Everything via APIC |
How should I get started
with ACI?
Choose your management method(s)
Connect the old to the new
[Diagram: APIC cluster managing the ACI fabric, with separate “border leafs” shown for clarity. Connect new workloads (vDS-01, vDS-02) to the ACI fabric and route out: Layer 3 (OSPF etc.) to the existing network, Layer 2 vPC to the existing network.]
Key Takeaways
Managed Object Hierarchy
[Diagram: Tenant “Private” and Tenant “Common”, each with an Outside. Within a Tenant: Private Network (VRF) -> Bridge Domain (Flood or Hardware Proxy) -> EPG -> EP (endpoints); EPGs are grouped into an Application Network Profile.]
Bridge Domain Options

| Requirements | Hardware Proxy | no ARP flooding | IP Routing | Subnet Check |
|---|---|---|---|---|
| Routed traffic, no silent hosts | Yes | Yes | Yes | Yes |
| Routed traffic, silent hosts | Yes | ARP flooding (optional since Subnet is present) (*) | Yes | Yes |
| non-IP switched traffic, silent hosts | No | N/A | No | No |
| non-IP switched traffic, no silent hosts | Yes | N/A | No | No |
| IP L2 switched traffic, silent hosts | Yes | ARP flooding (optional if Subnet is present) (*) | Yes (for advanced functions and aging) | Yes (for aging and ARP gleaning) |
| IP L2 switched traffic, no silent hosts | Yes | no ARP flooding (if hosts send DHCP requests or gratuitous ARP) | Yes (for advanced functions and aging) | Yes (for aging and ARP gleaning) |

(*) If the Subnet is configured ACI can do ARP gleaning, so ARP flooding is not strictly needed.
ACI Networking Rules!
1. You must have at least one Tenant or use the Common Tenant
2. VRFs are constrained within Tenants
3. VRFs provide external L3 connectivity (with a contract)
4. You must have at least one Bridge Domain
5. Bridge Domains determine the L2 forwarding characteristics
6. Bridge Domains provide internal L3 connectivity (default gateways)
7. Bridge Domains to outside VLANs must be mapped 1:1
8. Endpoint Groups map to a single Bridge Domain
9. Endpoint Groups are security zones where communication is allowed
10. Communication between Endpoint Groups is allowed through contracts (ACLs)
11. Endpoint Groups must be bound to a virtual, physical, or outside domain
12. Endpoint Groups allow you to mix and match VLANs/VXLANs/interfaces (access, port channel, virtual port channel)
13. Endpoints can only be a member of a single Endpoint Group
14. AAEPs allow VLANs on interfaces or VMM domains
Call to Action
• Visit the World of Solutions for
• Cisco Campus
• Walk in Labs
• Technical Solution Clinics
• Meet the Engineer
• Lunch and Learn Topics
• DevNet zone related sessions
Complete Your Online Session Evaluation
• Please complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Thank You!