Steve Sharman – Technical Solutions Architect
BRKACI-2005
Session Objectives
6,000+ Nexus 9K and ACI customers globally | 1,400+ ACI customers | 50 ACI ecosystem partners
Turnkey or DIY solution
[Slide: Application Centric Infrastructure (turnkey) versus Programmable Fabric / Programmable Network (VTS), with the operational areas Fault, Configuration, Accounting, Performance and Security covered by either external tools or integrated tools, and the lifecycle stages Connection, Creation and Expansion.]
Enough marketing, what do networking teams really spend their time doing?
What does ACI typically mean to a Network Admin?
In reality ACI is all about networking and how you deploy applications onto the network.

At a very basic level ACI is really just a CLOS network of Nexus 9k switches with a management platform. The network management platform (APIC) provides you with a single place from which to manage the network.

ACI is a Software Defined Network which uses VXLAN to transport packets between switches across an automated IP fabric with end-to-end header visibility. ACI can transport any IP traffic, including tenant "overlay" networks based on VXLAN*, NVGRE* etc., which are carried as ordinary IP payload inside the fabric's own VXLAN encapsulation.
(* IETF Draft)
Policy Defined Network
The APIC holds the Logical Model (what you ask for) and renders it into the Concrete Model (what is programmed on each switch). Building the logical model is a sequence of questions:

What "function" do I want to allocate VLANs for?
  -> VLAN/VXLAN Pools: vCenter-01-vDS-01, UCS-phys-svrs, Outside-Fabric

Which vDS do I want to configure?
  -> Virtual Machine Domains (vSwitches): vCenter-01-vDS-01

Which interfaces should be configured?
  -> Target Interfaces ID (Profiles): vPC_to_UCS_FI_A, SVI_to_outside

Example of the concrete model rendered onto the fabric:
  ESX Hosts: Switches 1,3,5 | OpenStack Hosts: Switch 1-6 | ASA: Switches 1,2 | F5: Switches 1,2 | Outside_L3: Switches 1,2
Comparing ACI and Traditional Network Building Blocks
Traditional Network – limited multi-tenancy, box-by-box configuration (apic1# is the single point of configuration in ACI).
ACI – Tenant: Common. Multiple VRFs allow overlapping IP address space and integration with external devices.

Looking under the covers at VRFs
apic1# show vrf
Leaf-1# show vrf
Display all Bridge Domains
apic1# show bridge-domain
Tenant     Interface               MAC Address        MTU      Description  Multi-Dest Action  Unknown Mcast Action  Unknown MAC Ucast Action
---------- ----------------------- ------------------ -------- ------------ ------------------ --------------------- ------------------------
VM-tenant  BD-02                   00:22:BD:F8:19:FF  inherit               encap-flood        flood                 flood
VM-tenant  vcenter_default_bd      00:22:BD:F8:19:FF  inherit               encap-flood        flood                 flood
common     outside_infra-ssharman  00:22:BD:F8:19:FF  inherit               bd-flood           flood                 flood
common     outside_infra-teoyenug  00:22:BD:F8:19:FF  inherit               bd-flood           flood                 flood
ssharman   192.168.65.0            00:22:BD:F8:19:FF  inherit               bd-flood           flood                 proxy
ssharman   192.168.66.0            00:22:BD:F8:19:FF  inherit               bd-flood           flood                 proxy
ssharman   192.168.67.0            00:22:BD:F8:19:FF  inherit               bd-flood           flood                 proxy
ssharman   192.168.68.0            00:22:BD:F8:19:FF  inherit               bd-flood           flood                 proxy
ssharman   192.168.69.0            00:22:BD:F8:19:FF  inherit               bd-flood           flood                 proxy
ssharman   192.168.70.0            00:22:BD:F8:19:FF  inherit               bd-flood           flood                 proxy
ssharman   192.168.71.0            00:22:BD:F8:19:FF  inherit               bd-flood           flood                 proxy

Tenant : ssharman
Interface : Internal_Fabric_02
MAC Address : 00:22:BD:F8:19:FF
MTU : inherit
Description :
Multi-Destination Action : bd-flood
Unknown Multicast Action : opt-flood
Unknown MAC Unicast Action : proxy
VXLANs require VTEPs
• Known unicast traffic is forwarded directly between Leaf VTEPs
• Unknown unicast traffic is forwarded to the anycast spine proxy VTEPs
• Multicast and any allowed broadcast traffic is forwarded to a Group VTEP that exists on any leaf with membership for that specific group
• VTEPs may exist in physical or virtual switches
• A logical vPC switch is represented by an anycast Leaf vPC VTEP
BD: 01 (Tenant: Common) – Hardware Proxy: Yes, ARP Flooding: No, Unknown Unicast Flooding: No, IP Routing: Yes
A Bridge Domain uses a locally significant VLAN ID underneath

Leaf 101
apic1# fabric 101 show vlan
----------------------------------------------------------------
 Node 101 (Leaf-1)
----------------------------------------------------------------
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
9    infra:default                    active    Eth1/1, Eth1/21, Eth1/22, Po3, Po4
11   common:outside_infra-robvand     active    Eth1/11, Eth1/21, Eth1/22, Po3,
14   fgandola:www-zone1               active    Eth1/33, Po2
15   ssharman:192.168.66.0            active    Eth1/21, Eth1/22, Po3, Po4
26   common:outside_infra-ssharman    active    Eth1/11, Eth1/21, Eth1/22, Po3, Po4, Po8

Leaf 102
apic1# fabric 102 show vlan
----------------------------------------------------------------
 Node 102 (Leaf-2)
----------------------------------------------------------------
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
9    infra:default                    active    Eth1/1, Eth1/21, Eth1/22, Po1, Po2
11   ssharman:L2-to-outside:Group-05  active    Eth1/21, Eth1/22, Po1, Po2
14   fgandola:app-zone2               active    Eth1/33, Po8
15   --                               active    Eth1/69, Po7
35   common:outside_infra-ssharman    active    Eth1/11, Eth1/21, Eth1/22, Po1, Po2, Po4

Note that common:outside_infra-ssharman is VLAN 26 on leaf 101 but VLAN 35 on leaf 102, and VLAN 15 backs a different bridge domain on each leaf: the internal VLAN ID is allocated per leaf and carries no meaning across the fabric.

BD: 01 (Tenant: Common) – Hardware Proxy: Yes, ARP Flooding: No, Unknown Unicast Flooding: No, IP Routing: 192.168.10.1/24

ACI Bridge Domains can be configured with multiple subnets/default gateways (secondary)
BD: 01 (Tenant: Common) – Hardware Proxy: Yes, ARP Flooding: No, Unknown Unicast Flooding: No, IP Routing: 192.168.10.1/24 and 192.168.20.1/24
Display details of a single Bridge Domain
apic1# show bridge-domain outside_infra-ssharman
Tenant : common
Interface : outside_infra-ssharman
MAC Address : 00:22:BD:F8:19:FF
MTU : inherit
Description :
Multi-Destination Action : bd-flood
Unknown Multicast Action : flood
Unknown MAC Unicast Action : flood

apic1# show ip interface bridge-domain outside_infra-ssharman
----- IPv4 Bridge-Domain Information: -----
Tenant : common
Interface : outside_infra-ssharman
VRF Member : outside_vlans          (the VRF name)
IP Addresses : 192.168.29.254/24
               192.168.30.254/24

Bridge Domain + SVI
Tenant : ssharman
Interface : Internal_Fabric_02
MAC Address : 00:22:BD:F8:19:FF
MTU : inherit
Description :
Multi-Destination Action : bd-flood
Unknown Multicast Action : opt-flood
Unknown MAC Unicast Action : proxy
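The show commands above are fine for one bridge domain at a time; for a whole fabric you want the same answer from the APIC REST API. The following is an added example (written for this page, not code from the deck or from Cisco): it takes the JSON returned by `GET /api/class/fvBD.json?rsp-subtree=children&rsp-subtree-class=fvSubnet,fvRsCtx` (after `aaaLogin`) and reports bridge domains that deviate from the "Hardware Proxy: Yes, ARP Flooding: No, Unknown Unicast Flooding: No, IP Routing: Yes" baseline used throughout these slides, that route but carry no subnet (so no default gateway), or that are bound to no VRF. The sample response is constructed; the `tn-example` tenant and `legacy_l2` BD in it are made up for the example.

```python
"""Audit ACI bridge-domain forwarding settings from an APIC fvBD class query.

Added example, not Cisco's code. SAMPLE_RESPONSE imitates the JSON that
GET /api/class/fvBD.json?rsp-subtree=children&rsp-subtree-class=fvSubnet,fvRsCtx
returns; names under tn-example are hypothetical.
"""
import json
from typing import Dict, List

# Constructed sample: one BD following the deck's baseline and one hypothetical
# legacy BD that floods everything and has neither subnet nor VRF.
SAMPLE_RESPONSE = json.dumps({
    "totalCount": "2",
    "imdata": [
        {"fvBD": {
            "attributes": {
                "dn": "uni/tn-ssharman/BD-192.168.66.0", "name": "192.168.66.0",
                "arpFlood": "no", "unkMacUcastAct": "proxy", "unkMcastAct": "flood",
                "multiDstPktAct": "bd-flood", "unicastRoute": "yes",
            },
            "children": [
                {"fvRsCtx": {"attributes": {"tnFvCtxName": "inside_vlans"}}},
                {"fvSubnet": {"attributes": {"ip": "192.168.66.254/24", "scope": "private"}}},
            ]}},
        {"fvBD": {
            "attributes": {
                "dn": "uni/tn-example/BD-legacy_l2", "name": "legacy_l2",
                "arpFlood": "yes", "unkMacUcastAct": "flood", "unkMcastAct": "flood",
                "multiDstPktAct": "bd-flood", "unicastRoute": "yes",
            },
            "children": [
                {"fvRsCtx": {"attributes": {"tnFvCtxName": ""}}},
            ]}},
    ],
})


def parse_bds(raw: str) -> List[Dict]:
    """Flatten each fvBD and its fvSubnet/fvRsCtx children into one dict."""
    bds = []
    for item in json.loads(raw)["imdata"]:
        mo = item["fvBD"]
        bd = dict(mo["attributes"])
        bd["subnets"] = []
        bd["vrf"] = ""
        for child in mo.get("children", []):
            (cls, body), = child.items()          # each child is {className: {...}}
            if cls == "fvSubnet":
                bd["subnets"].append(body["attributes"]["ip"])
            elif cls == "fvRsCtx":
                bd["vrf"] = body["attributes"].get("tnFvCtxName", "")
        bds.append(bd)
    return bds


def audit_bd(bd: Dict) -> List[str]:
    """Findings for one flattened BD; an empty list means it matches the baseline."""
    findings = []
    if bd.get("unkMacUcastAct") != "proxy":
        findings.append("unknown unicast is flooded (hardware proxy off)")
    if bd.get("arpFlood") == "yes":
        findings.append("ARP flooding enabled")
    if bd.get("unicastRoute") == "yes" and not bd["subnets"]:
        findings.append("IP routing on but no subnet: no default gateway in this BD")
    if not bd["vrf"]:
        findings.append("no VRF bound (empty fvRsCtx)")
    return findings


def audit(raw: str) -> Dict[str, List[str]]:
    """Map each BD dn to its findings."""
    return {bd["dn"]: audit_bd(bd) for bd in parse_bds(raw)}


if __name__ == "__main__":
    for dn, findings in audit(SAMPLE_RESPONSE).items():
        print(dn, "->", "; ".join(findings) or "ok")
```

Run it against a live fabric by replacing `SAMPLE_RESPONSE` with the body of the class query; `unkMacUcastAct` is the attribute behind the "Hardware Proxy" toggle, and a routed BD without an `fvSubnet` child is a common cause of the "IP Routing: Yes but hosts have no gateway" support call.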
Application Network Profiles and Endpoint Groups

New concept: Application Network Profiles
Application Network Profiles are "containers" which group together one or more EPGs and their associated connectivity policies. This is how we can view the "health" of an application.
Application Network Profiles are used to describe either a network service or an application, e.g.:
• ESX-Hosts
• Host-mgmt
• vMotion
• IP-storage
• NSX-transport
• iExpenses
• SSO
• Intranet
• Database
The questions they let you answer: Are all my ESX Hosts in a healthy state? What's the health of my IP Storage network? What's the health of my iExpenses application?
The Lights are on – let's add an Application Network Profile
Logical Model:
  ANP: My_App – EPG: Web, EPG: App, EPG: DB
  ANP: ESX-Mgmt – EPG: Host-Mgmt, EPG: vMotion, EPG: IP-Storage
  Virtual Machine Domains (vSwitches): vCenter-01-vDS-01
  Target Switches (Profiles): vPC_Leaf_1_and_2, Leaf_3
  Target Interfaces ID (Profiles): vPC_to_UCS_FI_A, SVI_to_outside
Concrete Model: the above rendered onto the leaf switches.

Devices within the same Endpoint Group can communicate irrespective of their VLAN/VXLAN backing/ID, provided that they have IP reachability.
Communication between Endpoint Groups is, by default, not permitted (similar to a PVLAN).

How do Endpoints (and Groups) use VLANs?
• ACI uses the concept of both Static and Dynamic VLAN Pools
• A single VLAN Pool can contain ranges of both Static and Dynamic VLANs
• VLAN IDs are locally significant (to the leaf and port they are programmed on), so the same VLAN ID can be reused across the fabric for different EPGs
Secure Networking with ACI End Point Groups (Tenant: ESXi-Hosts)

How many Bridge Domains do you need? The simple answer is: how many Layer 2 segments do you want to have? For example, if you have 10 external VLANs you will need 10 Bridge Domains; a Bridge Domain is a Layer 2 segment.

Spine Proxy (* Proxy A): the Spine Proxy Station Table contains the addresses of 'all' hosts attached to the fabric, whereas each leaf FIB holds only the entries that leaf has learned (e.g. 10.1.3.11 on Port 9). Tenant: Common.
High Level Packet Walk (Tenant: Common)
1. Packet sourced from a physical server on Leaf-101, port 1/10, vlan-8 (ANP: ESXi-Hosts, EPG: Host-Mgmt; the EPG is the security zone, and communication is allowed within it).
3a. If the ingress Leaf has learned the destination IP to egress VTEP binding, it sets the required destination VTEP address and forwards the VXLAN-encapsulated packet (VXLAN | IP | Payload) via the spine (S1).
3b. If the ingress Leaf has NOT learned the destination IP to egress VTEP binding, it sets the destination VTEP to the Spine Proxy VTEP.
5. Packet delivered to the physical server on Leaf-106, port 1/10, vlan-8, decapsulated back to IP | Payload.
Endpoints are identified by interface and VLAN ID. There is no requirement to use the same VLAN on every Leaf; the slide happens to use vlan-8 on Leaf-101 through Leaf-106 for this EPG.
Let's look at which VLANs/VXLANs have been used by Bridge Domains and EPGs on a given Leaf
apic1# fabric 101 show system internal epm vlan all        (alternate command: show vlan extended)
+----------+---------+-----------------+----------+------+----------+---------
 VLAN ID    Type      Access Encap      Fabric     H/W    BD VLAN    Endpoint
                      (Type Value)      Encap      id                Count
+----------+---------+-----------------+----------+------+----------+---------
 9          Infra BD  802.1Q 3967       16777209   11     9          3
 10         Ext. BD   802.1Q 2050       15269816   12     10         0
 11         Ext. BD   802.1Q 49         15531935   111    11         2
 12         Tenant BD NONE 0            15662984   14     12         0
 13         FD vlan   802.1Q 2022       8814       15     12         2
 14         Ext. BD   802.1Q 2020       14909414   16     14         0
 15         Tenant BD NONE 0            15171524   17     15         0
 16         FD vlan   802.1Q 33         8324       19     15         1
 17         FD vlan   802.1Q 2131       9023       20     15         0
 18         Tenant BD NONE 0            15138760   18     18         0
 19         FD vlan   802.1Q 2125       9017       21     18         0
 20         FD vlan   802.1Q 47         8338       22     18         4
 34         Tenant BD NONE 0            15302581   29     34         0
 35         FD vlan   802.1Q 14         8305       40     34         4
 36         Tenant BD NONE 0            15400873   30     36         0
 37         FD vlan   802.1Q 8          8299       41     36         19
 38         Ext. BD   802.1Q 115        15269817   31     38         1

BD_CTRL_VLAN: the infrastructure VLAN configured during the APIC setup script.
BD_EXT_VLAN: a Bridge Domain that represents an external VLAN.
BD_VLAN: an internal Bridge Domain construct represented by the grouping of multiple FD_VLANs/VXLANs, i.e. many FD_VLANs can map to one BD_VLAN.
FD_VLAN: a VLAN-backed EPG identified by the "Access encap" VLAN ID mapped to the Bridge Domain; an FD_VLAN can only map to a single BD_VLAN.
FD_VXLAN: used to communicate with hosts behind hypervisors using VXLAN.
Access encap: the Access_enc is significant outside the ACI network; it is the VLAN programmed on a front-panel port that maps inbound frames to an EPG (FD_VLAN).
Fabric Encap: the VXLAN ID for a given EPG/BD.
HW_VlanId: the VLAN used to encapsulate incoming traffic from the Access_enc to send to the ALE.
VlanId: significant for troubleshooting; most (if not all) show commands use the VlanId, not the Access_enc VLAN ID.

Remember: for troubleshooting use the internal VLAN ID, not the Access Encap VLAN ID.
Host-mgmt EPG – Access Encap VLAN 8 is internal VLAN 37 on this leaf (FD vlan, BD VLAN 36, 19 endpoints).
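The access-encap to internal-VLAN translation above is the step people get wrong when they type `show mac address-table vlan 8` and see nothing. The following is an added example (written for this page, not from the deck or Cisco) that parses the text of `fabric <node> show system internal epm vlan all`, resolves an access encap to the leaf's internal VlanId (and its BD VLAN), and groups the FD vlans under their BD VLAN. The data rows are the ones printed on the slide for leaf 101; the header text is reconstructed, and the regular expression is this example's own.

```python
"""Resolve an access-encap VLAN to the leaf-internal VLAN ID and BD VLAN.

Added example, not Cisco's code. Parses `show system internal epm vlan all`
text; SAMPLE_OUTPUT uses the leaf-101 rows from the slide.
"""
import re
from typing import Dict, List, NamedTuple

SAMPLE_OUTPUT = """\
+----------+---------+-----------------+----------+------+----------+---------
 VLAN ID    Type      Access Encap      Fabric     H/W    BD VLAN    Endpoint
                      (Type Value)      Encap      id                Count
+----------+---------+-----------------+----------+------+----------+---------
 9          Infra BD  802.1Q 3967       16777209   11     9          3
 10         Ext. BD   802.1Q 2050       15269816   12     10         0
 11         Ext. BD   802.1Q 49         15531935   111    11         2
 12         Tenant BD NONE 0            15662984   14     12         0
 13         FD vlan   802.1Q 2022       8814       15     12         2
 14         Ext. BD   802.1Q 2020       14909414   16     14         0
 15         Tenant BD NONE 0            15171524   17     15         0
 16         FD vlan   802.1Q 33         8324       19     15         1
 17         FD vlan   802.1Q 2131       9023       20     15         0
 18         Tenant BD NONE 0            15138760   18     18         0
 19         FD vlan   802.1Q 2125       9017       21     18         0
 20         FD vlan   802.1Q 47         8338       22     18         4
 34         Tenant BD NONE 0            15302581   29     34         0
 35         FD vlan   802.1Q 14         8305       40     34         4
 36         Tenant BD NONE 0            15400873   30     36         0
 37         FD vlan   802.1Q 8          8299       41     36         19
 38         Ext. BD   802.1Q 115        15269817   31     38         1
"""


class VlanRow(NamedTuple):
    vlan_id: int        # internal VlanId: what the show commands expect
    vtype: str          # Infra BD / Ext. BD / Tenant BD / FD vlan
    encap_type: str     # 802.1Q or NONE
    access_encap: int   # front-panel VLAN, 0 when NONE
    fabric_encap: int   # VXLAN ID carried across the fabric
    hw_id: int
    bd_vlan: int        # internal VLAN of the BD this row rolls up to
    ep_count: int


# One data row: id, a multi-word type, the encap type token, then five integers.
_ROW = re.compile(r"^\s*(\d+)\s+(.+?)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_epm_vlan(text: str) -> List[VlanRow]:
    """Return one VlanRow per data line; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        vid, vtype, etype, enc, fab, hw, bd, eps = m.groups()
        rows.append(VlanRow(int(vid), vtype.strip(), etype, int(enc),
                            int(fab), int(hw), int(bd), int(eps)))
    return rows


def internal_vlans_for_encap(rows: List[VlanRow], access_encap: int) -> List[VlanRow]:
    """FD vlan rows carrying the given 802.1Q access encap. A list, because an
    access VLAN is only locally significant and may back more than one EPG."""
    return [r for r in rows
            if r.vtype == "FD vlan" and r.encap_type == "802.1Q"
            and r.access_encap == access_encap]


def bd_members(rows: List[VlanRow]) -> Dict[int, List[int]]:
    """BD VLAN -> internal VLAN IDs of the FD vlans (EPGs) that map to it."""
    out: Dict[int, List[int]] = {}
    for r in rows:
        if r.vtype == "FD vlan":
            out.setdefault(r.bd_vlan, []).append(r.vlan_id)
    return out


if __name__ == "__main__":
    table = parse_epm_vlan(SAMPLE_OUTPUT)
    for hit in internal_vlans_for_encap(table, 8):
        print(f"access encap 8 -> show mac address-table vlan {hit.vlan_id} "
              f"(BD VLAN {hit.bd_vlan}, VNID {hit.fabric_encap}, {hit.ep_count} endpoints)")
    print(bd_members(table))
```

Feed it the output of each leaf separately: the same access encap resolves to a different internal VlanId on every leaf, which is exactly why the slide warns against using the access encap in show commands.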
Display the MAC addresses contained in the EPG (internal VLAN 37 on leaf 101, i.e. Host-mgmt, access encap 8)
apic1# fabric 101 show mac address-table vlan 37
Legend:
* - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
age - seconds since last seen,+ - primary entry using vPC Peer-Link,
(T) - True, (F) - False
VLAN MAC Address Type age Secure NTFY Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
* 37 0000.0c07.ac08 dynamic - F F po2
* 37 001a.a2d5.c080 dynamic - F F po2
* 37 02a0.981c.b2be dynamic - F F po2
* 37 0026.0bf1.f002 dynamic - F F po2
* 37 0014.384e.26e1 dynamic - F F po2
* 37 0016.355b.ddda dynamic - F F po2
* 37 0060.1646.97da dynamic - F F po2
* 37 0010.18cf.c318 dynamic - F F po2
* 37 0018.74e2.1540 dynamic - F F po2
* 37 0004.02f6.1f13 dynamic - F F po2
* 37 0025.b506.006d dynamic - F F po2
* 37 001b.21be.fa68 dynamic - F F po2
* 37 0025.b501.04af dynamic - F F po2
* 37 0025.b501.049f dynamic - F F po2
* 37 0025.b501.04bf dynamic - F F po2
* 37 0025.b506.007c dynamic - F F po2
* 37 0025.b501.04df dynamic - F F po2
* 37 0025.b506.0027 dynamic - F F po2
* 37 0025.b506.0068 dynamic - F F po2
Displaying the Endpoints on the network
apic1# show endpoints
Tenant   Application     AEPg       End Point MAC      IP Address      Node     Interface                   Encap
-------- --------------- ---------- ------------------ --------------- -------- --------------------------- ----------
vmware   ESXi-ssharman   Host-mgmt  00:25:B5:06:00:1F  192.168.29.43   101 102  vpc 1Gbps_vPC_to_ucs-02-b   vlan-8
vmware   ESXi-ssharman   Host-mgmt  00:25:B5:06:00:3E  192.168.29.44   101 102  vpc 1Gbps_vPC_to_ucs-02-b   vlan-8
vmware   ESXi-ssharman   Host-mgmt  00:25:B5:06:00:47  192.168.29.46   101 102  vpc 1Gbps_vPC_to_ucs-02-b   vlan-8
vmware   ESXi-ssharman   Host-mgmt  00:50:56:86:81:1D  192.168.29.102  101 102  vpc 1Gbps_vPC_to_ucs-02-b   vlan-8
vmware   ESXi-ssharman   Host-mgmt  00:50:56:86:F7:6A  192.168.29.106  101 102  vpc 1Gbps_vPC_to_ucs-02-b   vlan-8

The rendered static path attachments for the external (L2out) EPGs on nodes 101 and 102 appear in the object model as distinguished names:
dn: uni/epp/br-[uni/tn-common/l2out-outside_infra-robvand/instP-EPG_outside_infra-robvand]/node-102/stpathatt-[1Gbps_vPC_to_n5548]/conndef/conn-[vlan-47]-[0.0.0.0]
dn: uni/epp/br-[uni/tn-common/l2out-outside_infra-robvand/instP-EPG_outside_infra-robvand]/node-101/stpathatt-[1Gbps_vPC_to_n5548]/conndef/conn-[vlan-47]-[0.0.0.0]
dn: uni/epp/br-[uni/tn-common/l2out-outside_infra-anvanker/instP-EPG_outside_infra-anvanker]/node-102/stpathatt-[1Gbps_vPC_to_n5548]/conndef/conn-[vlan-13]-[0.0.0.0]
dn: uni/epp/br-[uni/tn-common/l2out-outside_infra-anvanker/instP-EPG_outside_infra-anvanker]/node-101/stpathatt-[1Gbps_vPC_to_n5548]/conndef/conn-[vlan-13]-[0.0.0.0]
How do I control Endpoint Group communication?

New concept: Contracts (ACLs)
Contracts are "directional" access lists between Provider and Consumer EPGs. They consist of one or more Filters (ACEs) that identify the traffic, e.g.:
• Contract: Web | Filter: 80, 443, 8000
• Contract: DNS | Filter: 53

Provider EPG: Web  <-- Contract: Clients-to-Web -->  Consumer EPG: Clients
  Provider-side Filter: 80, 443 etc.                Consumer-side Filter: none
Filter flags:
• IP Protocol
• Ports
• Stateful
• Etc.
Contract flags:
• Apply in both directions (a single contract which also allows the return traffic)
• Reverse filter ports (dynamically permits the return flow based on src/dst ports)
Contracts are required for inter-EPG connectivity.

Contract Scope
• Tenant
• Context (aka Private Network, aka VRF)
• Application Profile
Example (Tenant: Web_Hosting, VRF: 01, BD: 01 with Hardware Proxy: Yes, IP Routing: Yes):
  ANP: 01 – EPG: Web --Web_to_App--> EPG: App --App_to_DB--> EPG: DB
  ANP: 02 – EPG: App
The scope bounds how far a contract's provider/consumer relationships reach: with Application Profile scope, the EPG: App in ANP: 02 that uses the same contract gets no policy towards the EPGs in ANP: 01; with Context scope any EPG in VRF: 01 can take part.
What happens if I don't know the required Filter ports?
Filter discovery
• Ask the Application Owner – it's their application, they will (ok, should) know
• Ask the Security Admin for the firewall rules
• Use Wireshark
• Use an "any-any" Filter between EPGs (most customers start here)
• Configure "Unenforced" mode on the VRF
The last two options switch the EPG isolation off, for the EPGs sharing the any-any contract or for the whole VRF respectively. Treat them as a time-boxed discovery step: record what actually flows, replace them with specific filters, and check that neither is still present before the tenant goes into production.
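Two things follow from the contract model and the discovery options above: what the Clients-to-Web contract actually looks like as APIC objects, and how to find any-any filters or unenforced VRFs that were left behind after discovery. The following is an added example (written for this page, not code from the deck or Cisco) that does both. `web_contract()` builds the `fvTenant` / `vzFilter` / `vzBrCP` subtree that `POST /api/mo/uni.json` accepts for a TCP 80/443 filter with stateful entries and reverse filter ports on a single bidirectional subject; `audit_policy()` walks a class-query response (for example `fvTenant` with `rsp-subtree=full`) and lists filter entries that match any protocol and VRFs whose policy enforcement is "unenforced". The tenant, VRF, filter and contract names are this example's own, and `SAMPLE_IMDATA` is constructed.

```python
"""Render the slide's Clients-to-Web contract as APIC JSON and audit a tenant for
wide-open policy left over from filter discovery.

Added example, not Cisco's code. Names (Web_Hosting, web-ports, prod, lab,
permit-all) are this example's own; SAMPLE_IMDATA is constructed.
"""
from typing import Dict, Iterator, List, Tuple


def tcp_entry(name: str, port: int) -> Dict:
    """One filter entry: TCP to a single destination port, stateful."""
    return {"vzEntry": {"attributes": {
        "name": name, "etherT": "ip", "prot": "tcp",
        "dFromPort": str(port), "dToPort": str(port),
        "sFromPort": "unspecified", "sToPort": "unspecified",
        "stateful": "yes"}}}


def web_contract(tenant: str = "Web_Hosting", ports: Tuple[int, ...] = (80, 443)) -> Dict:
    """Tenant subtree holding the filter 'web-ports' and contract 'Clients-to-Web'.

    Attaching the filter directly to the vzSubj (no vzInTerm/vzOutTerm) is the
    'apply in both directions' form; revFltPorts=yes is 'reverse filter ports'.
    scope=context limits the contract to the VRF.
    """
    flt = {"vzFilter": {"attributes": {"name": "web-ports"},
                        "children": [tcp_entry(f"tcp-{p}", p) for p in ports]}}
    subj = {"vzSubj": {"attributes": {"name": "web", "revFltPorts": "yes"},
                       "children": [{"vzRsSubjFiltAtt": {
                           "attributes": {"tnVzFilterName": "web-ports"}}}]}}
    contract = {"vzBrCP": {"attributes": {"name": "Clients-to-Web", "scope": "context"},
                           "children": [subj]}}
    return {"fvTenant": {"attributes": {"name": tenant}, "children": [flt, contract]}}


def iter_mos(nodes: List[Dict]) -> Iterator[Tuple[str, Dict]]:
    """Depth-first walk over APIC-style {className: {attributes, children}} nodes."""
    for node in nodes:
        for cls, body in node.items():
            yield cls, body.get("attributes", {})
            yield from iter_mos(body.get("children", []))


def is_any_protocol(entry: Dict) -> bool:
    """True for a vzEntry that matches every EtherType, or every IP protocol."""
    ether = entry.get("etherT", "unspecified")
    proto = entry.get("prot", "unspecified")
    return ether == "unspecified" or (ether == "ip" and proto == "unspecified")


def audit_policy(imdata: List[Dict]) -> Dict[str, List[str]]:
    """Collect any-any filter entries and unenforced VRFs, identified by dn (or name)."""
    any_any, unenforced = [], []
    for cls, attrs in iter_mos(imdata):
        ident = attrs.get("dn") or attrs.get("name", "?")
        if cls == "vzEntry" and is_any_protocol(attrs):
            any_any.append(ident)
        elif cls == "fvCtx" and attrs.get("pcEnfPref") == "unenforced":
            unenforced.append(ident)
    return {"any_any_entries": any_any, "unenforced_vrfs": unenforced}


# Constructed sample: one enforced VRF, one lab VRF left unenforced, the
# permit-all discovery filter, and the Clients-to-Web contract built above.
SAMPLE_IMDATA = [{"fvTenant": {
    "attributes": {"name": "Web_Hosting", "dn": "uni/tn-Web_Hosting"},
    "children": [
        {"fvCtx": {"attributes": {"name": "prod", "dn": "uni/tn-Web_Hosting/ctx-prod",
                                  "pcEnfPref": "enforced"}}},
        {"fvCtx": {"attributes": {"name": "lab", "dn": "uni/tn-Web_Hosting/ctx-lab",
                                  "pcEnfPref": "unenforced"}}},
        {"vzFilter": {"attributes": {"name": "permit-all",
                                     "dn": "uni/tn-Web_Hosting/flt-permit-all"},
                      "children": [{"vzEntry": {"attributes": {
                          "name": "any", "dn": "uni/tn-Web_Hosting/flt-permit-all/e-any",
                          "etherT": "unspecified", "prot": "unspecified"}}}]}},
    ] + web_contract()["fvTenant"]["children"],
}}]


if __name__ == "__main__":
    import json
    print(json.dumps(web_contract(), indent=1))
    print(audit_policy(SAMPLE_IMDATA))
```

The audit deliberately treats `etherT=ip` with `prot=unspecified` as any-any too: it is the entry the GUI produces when only "IP" is selected, and it permits everything the "unspecified" EtherType does for IP traffic. Run it on the output of a tenant query before a tenant is signed off, not only on the common tenant's default filter.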
How does ACI integrate with VMware's virtual switches?
There are four choices to integrate with VMware.

EPG to vDS Port Group Relationship
Service Request: Create Application -> APIC -> Create vDS Port Groups (in vCenter)
Tenant: Tenant-01, ANP: My-App-01, EPG: Web (Dynamic VLAN 2001) becomes a port group on vDS-01; the Outside network is reached through the fabric.

Security Groups within a Subnet
Tenant: Tenant-01 with EPG: Web (Dynamic VLAN 2001), EPG: App (Dynamic VLAN 2002) and EPG: DB (Dynamic VLAN 2003) as port groups on vDS-01, plus physical servers (PS) on Eth1/50, 51 with VLAN 3600.
No Contract = No Communication.

NSX Overlay
The APIC configures the fabric with an NSX Transport EPG (VLAN 1000) across all hosts; the NSX controllers push routes to the hosts. Host VTEPs 10.0.0.1, 10.0.0.2, 10.0.0.3 and 10.0.0.4, DLR / DLR B/U and ESG / ESG B/U sit on vDS-01, which is not managed by the APIC.

AVS with OpFlex
The AVS on each host talks OpFlex to the APIC; hosts 192.168.10.11 and 192.168.10.10 sit in Tenant: ESXi-Hosts, ANP: ESXi-Hosts, EPG: Host-Mgmt.
Option 2: Different VLANs Outside/Inside (Contract Required)
Tenant: Common, VRF: Production, BD: Inside (Hardware Proxy: Yes, ARP Flooding: No, Unknown Unicast Flooding: No, IP Routing: 192.168.10.1/24).
The L3out peers with the Outside network via OSPF on vlan-10; routes are carried inside the fabric by MP-BGP. Subnet 100.1.1.0/24 can be accessed via the external EPG, with a contract between it and the inside EPG.

Transit Routing – Static Routes
Two L3outs in VRF: Production connect 60.1.1.0/24 and 100.1.1.0/24; the fabric carries the routes between them over MP-BGP.

Transit Routing – Multiple L3 Out per VRF
VRF: Production with L3outs towards 60.1.1.0/24, 70.1.1.0/24 and 80.1.1.0/24, and BD: Inside (Hardware Proxy: Yes, ARP Flooding: No, Unknown Unicast Flooding: No, IP Routing: 192.168.10.1/24). Use a 0.0.0.0/0 subnet with the 'aggregate export' option checked to export all routes. That exports every route in the VRF, including those learned from the other L3outs, so the fabric becomes a transit path between all of the outside networks; use more specific export subnets if that is not the intent.

Import Route Control (BGP only)
Same topology; the subnets flagged for import control on the external EPG decide which routes the L3out accepts into the VRF, and this control is only enforced for BGP.
Service Graphs and Service Chains
• Service Graph Contracts connect two EPGs and optionally provide configuration parameters to the FW and SLB which sit between the EPGs.
• In "Managed" mode the APIC pushes the required VLANs and configuration to the FW/SLB.
• In "Unmanaged" mode the APIC only pushes the required VLANs to the EPG.
• Service Chains are two L4-7 devices linked in series.
• It is possible to use L4-7 devices without Service Graphs; in this mode the fabric only provides L2 connectivity.
Note (for all of the above): normal L2/L3 rules still apply, you still have to direct the traffic to the FW/SLB.

Transparent Firewall – Server's Default Gateway is the Bridge Domain on the ACI Fabric
[Diagram: servers in 192.168.10.x/24 use the ACI bridge domain as their default gateway; the transparent firewall sits in the Layer 2 path; L3outs over the 10.1.1.0/30 and 10.1.2.0/30 point-to-point links lead to the outside.]
ADC Device Package Status
Citrix NetScaler: Status: FCS | Virtual and physical: Yes | Mode: Go-To (one-arm and two-arm) | Function Profile: Yes | HA: No (manual OOB) | Multi-context on physical appliance: Yes (create virtual instance on SDX manually) | Dynamic Routing: Yes | Dynamic EPG: Yes | IPv6: Yes | Feature: ADC (member of pool for VIP) | Operational model: Everything via APIC
F5 BIG-IP LTM: Status: FCS | Virtual and physical: Yes | Mode: Go-To (one-arm and two-arm) | Function Profile: Yes | HA: Yes | Multi-context on physical appliance: Yes (create route-domain on physical LTM automatically, or create vCMP manually, no HA) | Dynamic Routing: No | Dynamic EPG: Yes | IPv6: No | Feature: ADC (member of pool for VIP) | Operational model: Everything via APIC or BIG-IQ
F5 BIG-IQ cloud: Status: Q1CY16 | Virtual and physical: Yes | remaining columns: -
Avi Networks: Status: FCS | Virtual only | Mode: Go-To | Function Profile: Yes | HA: Yes | Multi-context on physical appliance: - | Dynamic Routing: No | Dynamic EPG: No | IPv6: No | Feature: ADC | Operational model: Avi controller is required

FW Device Package Status (as of 09/02/2016)
Columns: Device Package and Status | Virtual and physical | Mode | Function Profile | HA | Multi-context on physical appliance | Dynamic Routing | Dynamic EPG | IPv6 | Feature | Operational model
Cisco ASA: Status: FCS | Virtual and physical: Yes | Mode: Go-To, Go-Through | Function Profile: Yes | HA: Yes | Multi-context on physical appliance: Yes (create context on ASA5500X manually; allocate-interface to each context is done by APIC) | Dynamic Routing: Yes | Dynamic EPG: Yes (object-group for ACL, NAT, ACE) | IPv6: Yes | Feature: FW | Operational model: Everything via APIC
[Diagram: APIC-managed fabric with endpoints (EP) on vDS-01 and vDS-02 and Layer 3 (OSPF etc.) connectivity to the existing network.]

Bridge Domain settings by traffic type
Traffic type                             | Hardware Proxy | ARP Flooding                                                    | IP Routing                              | Subnet
Routed traffic, silent hosts             | Yes            | ARP flooding (optional since Subnet is present) (*)             | Yes                                     | Yes
IP L2 switched traffic, silent hosts     | Yes            | ARP flooding (optional if Subnet is present) (*)                | Yes (for advanced functions and aging)  | Yes (for aging and ARP gleaning)
IP L2 switched traffic, no silent hosts  | Yes            | no ARP flooding (if hosts send DHCP requests or gratuitous ARP) | Yes (for advanced functions and aging)  | Yes (for aging and ARP gleaning)
(*) if the Subnet is configured ACI can do ARP gleaning, so ARP flooding is not strictly needed
ACI Networking Rules!
1. You must have at least one Tenant or use the Common Tenant
2. VRFs are constrained within Tenants
3. VRFs provide external L3 connectivity (with a contract)
4. You must have at least one Bridge Domain
5. Bridge Domains determine the L2 forwarding characteristics
6. Bridge Domains provide internal L3 connectivity (default gateways)
7. Bridge Domains to outside VLANs must be mapped 1:1
8. Endpoint Groups map to a single Bridge Domain
9. Endpoint Groups are security zones where communication is allowed
10. Communication between Endpoint Groups is allowed through contracts (ACLs)
11. Endpoint Groups must be bound to a virtual, physical, or outside domain
12. Endpoint Groups allow you to mix and match VLANs/VXLANs/interfaces (access, port channel, virtual port channel)
13. Endpoints can only be a member of a single Endpoint Group
14. AAEPs allow VLANs on interfaces or VMM domains
Call to Action
• Visit the World of Solutions: Cisco Campus, Walk-in Labs, Technical Solution Clinics