BRKDCT-2642 Migration From Classic Design To ACI Fabric

Migration from Classic Design to ACI Fabric
BRKDCT-2642
Kannan Ponnuswamy
Solution Architect
Cisco Advanced Services
Acronyms
IOS vPC
VDC
AAA
VRF PaaS SaaS
STP IaaS XaaS
ISE
FTP ToR
UCS MTIaaS SECaaS
FEX
OTV
QoS
BGP
PIM
TAC RIP ARP
VSG CDP Network Programmability
CPU ACI
ASA
BRKDCT-2642 © 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Icons and Terms
APIC
Cisco Nexus 9500 Cisco Nexus 9300

Application Policy Infrastructure Controller
(APIC)
Nexus 7000 Nexus 5000 Nexus 1000 Router Load Balancer Firewall
Nexus 2000 / FEX
VMware
Storage Virtual Machine vCenter
Agenda
 Application Centric Infrastructure (ACI) Overview
 Planning for the future with Nexus 9000
 Migration to ACI APIC

 Network Centric
 Hybrid Approach
 Application Centric
ACI Overview
External WEB DB
POLICY POLICY APP POLICY
Network
Application
Policy Driven
APIC
Merchant+
Virtualisation
Networking
Physical
HYPERVISOR HYPERVISOR HYPERVISOR
Nexus 9000 Series
Network Ops Driven, Switch User Driven, Policy Based Fabric
Automation Automation
Per-Box Open, Flexible, & Choice Policy Controller,

Programmability of Programmability Centralised Fabric
Modes Programmability
APIC
1/10/40/100GE
Common Platform
Migration Paths to ACI
Classic mode
• Growth – Addition
• Network refresh
Current DC ACI Integration

• New environments
Infrastructure
• Service Chaining
• Dev, Test
ACI Fabric
ACI Migration
• Business drivers
• Security, Compliance, TCO,
Programmability, Operations etc.
Agenda

 Network Centric
 Hybrid Approach
Classic Mode Adoption – Nexus 9000 Series
Aggregation Catalyst New access POD or New Aggregation,
Replacement Catalyst Replacement Access POD
N9500
Layer 3 Layer 3 Layer 3
N9500
C6500 N7K
Layer 2 Layer 2 Layer 2
vPC vPC
vPC
N5K N9300
N9300
vPC
N2K N2K
N2K
vPC
vPC vPC
VM VM VM
#2 #3 #4 VM VM VM VM VM VM
#2 #3 #4 #2 #3 #4
Classic Mode Adoption - VxLAN on Nexus 9000 Series
 Workload mobility
 L2 Multipathing
 VXLAN Gateway (VXLAN to VLAN)
 VXLAN Bridging (VXLAN to VXLAN at L2)
 VXLAN Routing
 Routing between VXLANs and VLAN to VXLAN
 Anycast Gateway for vPC setup
VXLAN Overlay
Classic Mode Tools for Nexus 9000 Series
On CCO: Catalyst 6500/4500 IOS to Nexus 9000 NX-OS Configuration Converter
Open Source for Nexus 9000 Series
https://github.com/datacenter/nexus9000/tree/master/nx-os
 Community contributed code and samples
 Sample scripts for automation, operations and

general use
 Python Modules to aid in rapid development
 For custom use cases, development could be

done by your in-house team

Nexus Deployment Assistant
POD builder questionnaire

Cisco AS • Select technology you would like to deploy
Best • Select aggregation, access devices, line cards
Practices
• Select connectivity requirements
• Select protocol settings and other configuration
Nexus Deployment and Migration Tool
Nexus Deployment Assistant + Selective Catalyst IOS to Nexus 9000 config migration
Current Device Module Selected Interfaces

Access Switch #1 WS-X6548-GE-TX GigabitEthernet1/1
Target Target
GigabitEthernet1/2 Module
Device Interfaces
GigabitEthernet1/3
vPC Pair N9K-X9564TX Ethernet1/1
GigabitEthernet1/4 NewAccess1
NewAccess2 Ethernet1/2
Access Switch #2 WS-X6748-GE-TX GigabitEthernet3/1
Ethernet1/3
GigabitEthernet3/2
GigabitEthernet3/3 Ethernet1/4
GigabitEthernet3/4
Nexus Deployment and Migration Tool
• Automate Nexus 9000 deployment and configuration
Cisco AS • Catalyst and Nexus 9000 integration and end device migration
Best • Migrate any Catalyst 6500 topology to any Nexus 9000 topology
Practices
Nexus Deployment
Catalyst Environments
VSS
Si Si
Si Si
Deployment
Assistant
Si Si
Si Si
BRKDCT-2642
© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
Agenda

 Network Centric
 Hybrid Approach
Deploying an ACI POD
ACI Fabric Initialisation
ACI Fabric
ACI Fabric supports discovery, boot, inventory

and systems maintenance processes via the APIC
• Fabric Discovery and Addressing
• Image Management
• Topology validation through wiring diagram
and systems checks
APIC APIC APIC
ACI Forwarding Model
Tenant • A Tenant refers to one or more VRFs/Contexts
• A Context/VRF is referred to by one or more
VRF_Context_One
Bridge Domains (BD)
Bridge Domain One
• Bridge Domains identify properties influencing
10.10.0.0/16
EPG_1 EPG_N
forwarding behaviour. One or more subnets,
ARP handling, Multicast etc.
VRF_Context_N • A collection of end-points form an end-point
Bridge Domain One group(EPG). EPG associates to a BD.
192.168.1.0/24
10.10.0.0/16 • EndPoints Identified by:
EPG_1 EPG_N • Physical or Virtual Switch ports, VLAN ID, VNID
• Future - NVGRE (VSID), DNS hostname, IP address
Bridge Domain N
Non-IP, L2 forwarding only
EPG_Legacy
ACI Policy Model
C Contracts define what an EPG EPG MGMT
exposes to other EPGs and how
C
Tenant
Application Profile
C EPG Web C EPG App C EPG DB
C
Contracts are reusable for
multiple EPGs and EPGs
EPG NFS can inherit multiple
contracts
ACI Policy Model – What is a Contract
C
filter action
filter action
identifier to which identifies actions to
actions will be
filter action
be applied
Allows to specify rules and policies on applied
groups of physical or virtual end-points Permit
…
QoS
without understanding of specific L4 port ranges
Log
TCP options
identifiers and regardless of physical … Redirect to Services …
location. filter action
defined bi-directionally in the “provider” centric way
No Such Thing as Enough Security
http://www.pcworld.com/article/2031580/mcafee-warns-of-malware-targeting-point-of-sale-systems.html
McAfee_Labs_Threat_Advisory_EPOS_Data_Theft.pdf
ACI Adoption Strategies
ACI Fabric Model = New OPERATIONS Model + DESIGN Model
Leverage Known
APPLICATIONS
Constructs (decoupled OPERATIONS DESIGN
from Network) HYBRID: Leverage BOTH

APPLICATIONS &
NETWORKING OPERATIONS DESIGN
Centric Constructs
Leverage Known
NETWORKING
OPERATIONS DESIGN
Constructs
ACI Fabric
BRKDCT-2642
New ACI Fabric Operational Model
© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public 24
Agenda

 Network Centric
 Hybrid Approach
Network Centric Deployment Example
1 VRF + 1 VLAN
Classic mode shown here for Reference ACI Fabric
APIC
1.1.1.12/30
1.1.1.0/30
Blue Tenant
and Context
Policies
VRF Blue Bridge Domain Blue_1
Exchange
•Routing 10.10.10.1/24
External EPG Routes (Blue)
•VLAN 10 EPG blue_1
•HSRP
.101
1.1.1.12/30
10.10.10.1/24 •Access List
1.1.1.0/30
.2 .3
•QoS etc.
VLAN 10 Classic
Access Switches Tag 10
.101 .102
.102
Tag could be VLAN ID
or VNID
1 VRF + 2 VLANs – Option 1
Classic mode shown here for Reference ACI Fabric
APIC
1.1.1.12/30
1.1.1.0/30
Blue Tenant
and Context
Policies
Exchange
BD Blue_1
(10.10.10.1/24)
BD Blue_2
(10.10.11.1/24)
Routes (Blue)
EPG External EPG
Vlan 10,11 blue_1
EPG
blue_2
1.1.1.12/30
1.1.1.0/30
VLAN 10 Classic Access
(10.10.10.0/24)
Tag 10 Tag 11
VLAN 11
(10.10.11.0/24)
Classic mode shown here for Reference 1. Policies are based on EPG ACI Fabric
2. Forwarding is based on BD attributes
What if different policies between two

groups mandated separate VLANs in APIC
Classic Networks.
Blue Tenant
1.1.1.12/30
1.1.1.0/30
and Context
Policies
Exchange
BD Blue_1
Routes (Blue)
10.10.10.1/23
EPG X EPG
External EPG
Vlan 10,11 blue_1 blue_2
1.1.1.12/30
1.1.1.0/30
Classic Access
Tag 10 Tag 11
VLAN 10
(10.10.10.0/24)
VLAN 11
(10.10.11.0/24)
1. Forwarding based on destination IP Address
Classic mode shown here for Reference for intra and inter subnet (Default Mode) ACI Fabric
2. Hardware based directed ARP forwarding
What if two VLANs was only due to
ARP broadcast concerns.
APIC
1.1.1.12/30
1.1.1.0/30
Blue Tenant
and Context
Policies
Exchange
BD Blue_1
Routes (Blue)
10.10.10.1/23
External EPG
Vlan 10,11
EPG blue_1
1.1.1.12/30
1.1.1.0/30
Classic Access
VLAN 10 Tag 10
(10.10.10.0/24)
VLAN 11
(10.10.11.0/24)
Network Centric ACI Migration
Network Centric Migration Example
VRF + 2 VLANs
Layer 3 Routing
Static, OSPF, BGP
APIC
1.1.1.12/30
1.1.1.0/30
Blue Tenant
and Context
Policies
Migration
BD Blue_1 BD Blue_2
Vlan 10,11 10.10.11.1/24
L2_
Out EPG EPG
L2_ External EPG
blue_1 Out
blue_2
Layer 2 vPC Trunk
VLAN 10 • STP compatibility with Classic Network

(10.10.10.0/24) • VLAN 10 maps to BD Blue_1
• VLAN 11 maps to BD Blue_2
VLAN 11 • Classic Devices are still the Default Gateway Access
(10.10.11.0/24) • Equally applicable to L4-7 services (FW/LB) Tag 100 Tag 101
in the Classic Network
.101 .102 • Flooding enabled on ACI BDs during
migration
• Once migration completed, insert needed
services and move Default Gateway ACI BDs Tag could be VLAN ID or VNID.
ACI Integration and Migration
ACI Fabric
10G/40G to ACI
Layer 3
Layer 2 - 1GE
Layer 2 - 10GE
10 GE DCB
10 GE FCoE/DCB
4/8 Gb FC
BRKDCT-2642 © 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 32
ACI Integration and Migration
ACI Fabric
Forwarding Flow L3
L2
• Default Gateway moves to ACI Leaf layer

• EPG = VLAN / Subnet (initial step)
• Host / FEX can migrate to Leaf (overtime)
Migration Path
10G/40G to ACI
Layer 3
Layer 2 - 1GE
Layer 2 - 10GE
10 GE DCB
10 GE FCoE/DCB
4/8 Gb FC
Many Migration Options
APIC
Option 1:
Migrate FEX to
9300
Option 2:
Option 3: Interconnect Migrate 5500 +
existing POD to Fabric FEX to 9300
Agenda

 Network Centric
 Hybrid Approach
Deployment Example – Hybrid Approach
Classic mode shown here for Reference
External
Network
APIC
Blue Tenant
and Context
BD Blue_2
Policies
10.10.11.1/24
BD Blue_1
Exchange
EPG
EPG 11 EPG
10.10.10.1/24
Three-web
External Routes (Blue)
EPG
One-web EPG
Two-web
.2 .3
Access
VLAN 11
Tag 2011 Tag 101
(10.10.11.0/24 Tag 100
Tag 102
VLAN 10 (10.10.10.0/24)
AppTwo’s External
AppOne’s WebServer
WebServer
AppThree’s
Network
AppOne’s AppTwo’s AppThree’s WebServer
WebServer WebServer WebServer
Hybrid (Network and Application Centric)
ACI Migration
ACI Migration for Hybrid Approach
Exchange
Routes (Blue) APIC
Blue Tenant
Policies and Context
External
EPG BD Blue_2
BD Blue_1 EPG
EPG 11 EPG EPG Three-web
One-web Two-web
Classic L2 Extension.
VLAN 11 • STP compatibility with Classic Network Access
(10.10.11.0/24 • VLAN 10 maps to BD Blue_1 Tag 101
• VLAN 11 maps to BD Blue_2 Tag 2011 Tag 100
VLAN 10 (10.10.10.0/24) • Classic Devices are still the Default Tag 102
Gateway
• Flooding enabled on ACI BDs during
migration
• Equally applicable to L4-7 services
(FW/LB) in the Classic Network
• Once migration completed, insert
AppOne’s AppTwo’s AppThree’s
WebServer WebServer WebServer
needed services and move Default
Gateway ACI BDs
Virtual Environment Migration Example
L3 vCenter L3
vShield
L3
L2
N7K N7K
ACI Fabric
N5500 N5500
L2 L2 L3 L2 L2 L3
VMware vSwitch, DVS, N1kV
“APIC Created” VMware DVS / Cisco N1kV
“APIC Created” VMware DVS / Cisco N1kV
vMotion / Cold Migration

ACI Virtual Migration Assistant
• User and Workflow driven

• Multiple scenarios
• vSwitch  ACI
• DVS  ACI
• N1kv  ACI
• Any Combination  ACI
Agenda

 Network Centric
 Hybrid Approach
Application Centric Migration
Building the Application Profile – an Example
Oracle Internet Expenses
Other
Applications
TCP: *,443 C
Intranet EPG
@ Border Leaf
C
Intranet EPG
@ Border Leaf
Expenses EPG
Oracle
RAC DB
Extranet EPG
C
@ Border Leaf
ACI Deployments for Known Application Profiles
Internet WAN / DCI ACI POD for Greenfield or well
understood applications
L3 ACI Introduction
L2 N7K N7K
Spine
N9K N9K
Leaf N9300 N9300 N9300 N9300 N9300 N9300 N9300 N9300
V
Integrated L4-L7 Services
Physical & Virtual
Defining Profiles for Applications in Use
Common Customer Challenges
• Lack of confidence on existing information
• CMDB, Single Source of Truth (SSOT), IPAM etc.
• Not knowing End-Point (EP) details

• Identification
• In-use vs decommissioned
• Unsure on App ↔ Host association
• List of L4 ports: Client or Server
• EPs classification and Application grouping assignment

• Customer needs guidance
• Application End Point Groups and associated policies

Application Network Profile Discovery
Unknown Application Network Profiles
Web Tier App Tier DB Tier

F/W FW
LB LB
F/W WEB 1 FW APP 1 DB 1

LB LB

LB LB

LB LB
Application Network Profile Explorer Tool
(Post Network Centric Migration)
Analysis & User

ANP Proposal Changes

LB LB
Network Data Analysed:
• Device Configurations Commit APIC Profile changes
• Protocol State
• Traffic Capture
APIC

Application Network Profile Explorer Tool
(Pre Migration)
Analysis & User

ANP Proposal Changes

LB LB
Commit ANP
Network Data Analysed:
• Device Configurations
• Protocol State
• Traffic Capture
APIC

ACI Deployment Assistant
(Post Network Centric Migration)
• Comprehensive Application Dependencies
• Multiple Application Network Policies
• Application, Server Mapping
• Automate APIC Profile changes
Application Dependency Analysis APIC

• Network and Server data
correlation
• Application fingerprinting
• Customer input
Network Discovery:
• Device
Configurations
• Protocol State
• Traffic Capture
Server Discovery:
• Servers
• Process
• Network Stats
ACI Deployment Assistant (Pre Migration)
• Comprehensive Application Dependencies
• Multiple Application Network Policies
• Application, Server Mapping
• Automate Physical, Virtual Migration
Application Dependency Analysis APIC

• Network and Server data
correlation
• Application fingerprinting
• Customer input
Network Discovery:
• Device
Configurations
• Protocol State
• Traffic Capture
Server Discovery:
• Servers
• Process
• Network Stats
ACI Migration Summary
• ACI designed from the ground-up to be Application Centric
• Flexible and customisable to fit your business needs
• A phased approach: Grow, Integrate, Migrate
• Solution flexible to be Network Centric, Application Centric or a Hybrid approach
Thank You!!
Q&A
Complete Your Online Session Evaluation
Give us your feedback and receive a
Cisco Live 2014 Polo Shirt!
Complete your Overall Event Survey and 5 Session
Evaluations.
 Directly from your mobile device on the Cisco Live
Mobile App
 By visiting the Cisco Live Mobile Site
www.ciscoliveaustralia.com/mobile
 Visit any Cisco Live Internet Station located
throughout the venue
Learn online with Cisco Live!
Polo Shirts can be collected in the World of Solutions
on Friday 21 March 12:00pm - 2:00pm
Visit us online after the conference for full access
to session videos and presentations.
www.CiscoLiveAPAC.com

BRKDCT-2642 Migration From Classic Design To ACI Fabric

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

BRKDCT-2642 Migration From Classic Design To ACI Fabric

Uploaded by

Copyright:

Available Formats

Migration from Classic Design to ACI Fabric

Cisco Nexus 9500 Cisco Nexus 9300

 Application Centric Infrastructure (ACI) Overview

 Planning for the future with Nexus 9000

 Migration to ACI APIC

HYPERVISOR HYPERVISOR HYPERVISOR

Per-Box Open, Flexible, & Choice Policy Controller,

Current DC ACI Integration

 Application Centric Infrastructure (ACI) Overview

 Planning for the future with Nexus 9000

 Migration to ACI APIC

 Community contributed code and samples

 Sample scripts for automation, operations and

 Python Modules to aid in rapid development

 For custom use cases, development could be

Cisco Advanced Services

POD builder questionnaire

Current Device Module Selected Interfaces

 Application Centric Infrastructure (ACI) Overview

 Planning for the future with Nexus 9000

 Migration to ACI APIC

ACI Fabric supports discovery, boot, inventory

APIC APIC APIC

ACI Fabric Model = New OPERATIONS Model + DESIGN Model

from Network) HYBRID: Leverage BOTH

 Application Centric Infrastructure (ACI) Overview

 Planning for the future with Nexus 9000

 Migration to ACI APIC

What if different policies between two

Layer 2 vPC Trunk

VLAN 10 • STP compatibility with Classic Network

• Default Gateway moves to ACI Leaf layer

 Application Centric Infrastructure (ACI) Overview

 Planning for the future with Nexus 9000

 Migration to ACI APIC

“APIC Created” VMware DVS / Cisco N1kV

“APIC Created” VMware DVS / Cisco N1kV

vMotion / Cold Migration

• User and Workflow driven

Cisco Advanced Services

 Application Centric Infrastructure (ACI) Overview

 Planning for the future with Nexus 9000

 Migration to ACI APIC

Oracle Internet Expenses

Leaf N9300 N9300 N9300 N9300 N9300 N9300 N9300 N9300

• Not knowing End-Point (EP) details

• EPs classification and Application grouping assignment

• Application End Point Groups and associated policies

Web Tier App Tier DB Tier

F/W WEB 1 FW APP 1 DB 1

F/W WEB 2 FW APP 2 DB 2

F/W WEB 3 FW APP 3 DB 3

Analysis & User

F/W WEB 2 FW APP 2 DB 2

Cisco Advanced Services

Analysis & User

F/W WEB 2 FW APP 2 DB 2

Cisco Advanced Services

Application Dependency Analysis APIC

Application Dependency Analysis APIC

• ACI designed from the ground-up to be Application Centric

• Flexible and customisable to fit your business needs

• A phased approach: Grow, Integrate, Migrate