ACI in action: Fundamentals
François Couderc, CCIE #3435
Datacenter Consulting Systems Engineer, Business & Solutions Expertise
[email protected]
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
[Diagram: two application tiers, PreProdTierA (VMs TierA-10-1 10.0.0.1/24 and TierA-20-1 20.0.0.1/24) and PreProdTierB (VMs TierB-10-2 10.0.0.2/24 and TierB-20-2 20.0.0.2/24); only Ping / HTTP is allowed between the tiers]
“I immediately need to put this new App in PreProduction …”
“Here are my VMs”
Physical Network
[Diagram: classical design with Vlan 10 (10.0.0.0/24, gateway 10.0.0.254/24) and Vlan 20 (20.0.0.0/24, gateway 20.0.0.254/24); VMs TierA-10-1 10.0.0.1/24, TierB-10-2 10.0.0.2/24, TierB-20-2 20.0.0.2/24 and TierA-20-1 20.0.0.1/24]
• Configure the VRF on both aggregation switches
• Configure the VLANs on each switch
• Configure a VLAN interface in the VRF
• Create an IP address on each, configure HSRP
• Maintain the VLAN <-> server / tenant mapping
• Trunk the VLANs on the links where they are needed
• Put ACLs in place to control the traffic flow
Physical Network
[Diagram: the same classical Vlan 10 / Vlan 20 design as on the previous slide]
Where are the VMs? On which ESX host?
How do we identify the VMs belonging to each application tier? By IP address?
The application project manager only wants Ping and HTTP between tiers. ACLs?
What happens when a third subnet is used? When a new ESX host is added?
Network configuration on both ESX hosts and on the access ports?
[Diagram: ACI fabric (Spine1, Spine2, Leaf1, Leaf2) with hosts ESX-1 and ESX-2 connected to the fabric, hosting TierA-10-1 (10.0.0.1/24), TierB-20-2 (20.0.0.2/24), TierB-10-2 (10.0.0.2/24) and TierA-20-1 (20.0.0.1/24); APIC and vCenter (192.168.123.100 and 192.168.123.200) reachable over the OOB network]
I now have VM visibility on the vCenter domain.
[Diagram: the same fabric view, with APIC now connected to vCenter over the OOB network]
APIC requested vCenter to create a DVS dedicated to ACI.
[Diagram: the same fabric view; APIC sends “Create new DVS dedicated to ACI” to vCenter, and the DVS appears on ESX-1 and ESX-2]
[Diagram: logical model, step 1. Tenant : ACI_Demo, containing the PN (Private Network, i.e. VRF) PreProduction]
[Diagram: logical model, step 2. Tenant : ACI_Demo, PN PreProduction, plus the BD PreProd_IP_Plan carrying the gateway subnets 10.0.0.254/24 and 20.0.0.254/24]
[Diagram: logical model, step 3. Tenant : ACI_Demo, PN PreProduction, BD PreProd_IP_Plan (10.0.0.254/24, 20.0.0.254/24), plus the AP : PreProdNewApp]
[Diagram: logical model, step 4. Tenant : ACI_Demo, PN PreProduction, BD PreProd_IP_Plan (10.0.0.254/24, 20.0.0.254/24), AP : PreProdNewApp, plus the two EPGs PreProdTierAEPG and PreProdTierBEPG]
[Diagram: the fabric view as before; APIC asks vCenter to “Create new PortGroups PreProdTierA & PreProdTierB” on the ACI DVS, and both port groups appear on ESX-1 and ESX-2]
[Diagram: the fabric view as before; the VMs are now attached to the port groups: TierA-10-1 and TierA-20-1 to PreProdTierA, TierB-10-2 and TierB-20-2 to PreProdTierB]
[Diagram: logical model with the endpoints placed. Tenant : ACI_Demo, PN PreProduction, BD PreProd_IP_Plan (10.0.0.254/24, 20.0.0.254/24), AP : PreProdNewApp; PreProdTierAEPG holds TierA-10-1 (10.0.0.1/24) and TierA-20-1 (20.0.0.1/24), PreProdTierBEPG holds TierB-10-2 (10.0.0.2/24) and TierB-20-2 (20.0.0.2/24)]
Endpoints in the same EPG can communicate without restriction.
[Diagram: the same statement shown on the logical model and on the fabric view, with the VMs on their PreProdTierA / PreProdTierB port groups]
By default, no communication is allowed between EPGs (whitelist model).
[Diagram: the same statement shown on the logical model (Tenant : ACI_Demo, PN PreProduction, BD PreProd_IP_Plan, AP : PreProdNewApp, PreProdTierAEPG and PreProdTierBEPG with their VMs) and on the fabric view]
[Diagram: logical model with the contract added. Tenant : ACI_Demo, PN PreProduction, BD PreProd_IP_Plan (10.0.0.254/24, 20.0.0.254/24), AP : PreProdNewApp; contract PreProd_TierA_TierB (Ping / HTTP) between PreProdTierAEPG (Consumer) and PreProdTierBEPG (Provider); the VMs TierA-10-1, TierA-20-1, TierB-10-2, TierB-20-2 sit in their EPGs]
[Diagram: the same contract shown on the fabric view, between the PreProdTierA and PreProdTierB port groups, and again on the logical model]
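The model the slides build step by step (tenant ACI_Demo, a private network with one bridge domain holding the two gateway subnets, an application profile, two EPGs and a Ping / HTTP contract consumed by TierA and provided by TierB), written as the JSON an APIC accepts, together with an offline check of the two rules stated on the previous slides: endpoints in one EPG always talk, endpoints in different EPGs only talk through a contract. This is an added example, not code from the slides or from Cisco: the class and attribute names are the public APIC object model, the filter name Ping_HTTP and the _subj suffix are my own, and allowed() is a constructed approximation of ACI contract evaluation (consumer-initiated flows only, no stateful return traffic), not the fabric's policy engine. It also goes one step beyond the slides by building the Production environment from the same function, so the reused IP plan ends up in two isolated private networks.

```python
"""Tenant ACI_Demo from these slides as an APIC JSON payload, plus an offline
check of what the resulting whitelist permits.  Added example, not Cisco's code:
class/attribute names are the public APIC object model; allowed() is a constructed
model of the contract semantics the slides state, not APIC's policy engine."""


def mo(cls, children=None, **attrs):
    """One managed object in APIC JSON form: {class: {attributes, children}}."""
    node = {"attributes": attrs}
    if children:
        node["children"] = children
    return {cls: node}


def filter_mo(name, entries):
    """vzFilter with one vzEntry per (entry, ip_protocol, port); port None = any."""
    kids = []
    for ename, prot, port in entries:
        attrs = {"name": ename, "etherT": "ip", "prot": prot}
        if port is not None:
            attrs.update(dFromPort=port, dToPort=port)
        kids.append(mo("vzEntry", **attrs))
    return mo("vzFilter", kids, name=name)


def contract_mo(name, filter_names):
    """vzBrCP with a single subject referencing the named filters."""
    refs = [mo("vzRsSubjFiltAtt", tnVzFilterName=f) for f in filter_names]
    return mo("vzBrCP", [mo("vzSubj", refs, name=name + "_subj")], name=name)


def environment(vrf, bd, app, gateways, contract, epgs):
    """PN (VRF) + BD with gateway subnets + AP + EPGs; epgs: name -> consumer|provider."""
    bd_mo = mo("fvBD", [mo("fvRsCtx", tnFvCtxName=vrf)]
               + [mo("fvSubnet", ip=gw) for gw in gateways], name=bd)
    epg_mos = [mo("fvAEPg", [mo("fvRsBd", tnFvBDName=bd),
                             mo("fvRsCons" if role == "consumer" else "fvRsProv",
                                tnVzBrCPName=contract)], name=name)
               for name, role in epgs.items()]
    return [mo("fvCtx", name=vrf), bd_mo, mo("fvAp", epg_mos, name=app)]


def tenant_payload():
    """PreProduction and Production reuse one IP plan in separate PNs, each with
    its own Ping/HTTP contract from the TierA consumer to the TierB provider."""
    children = [filter_mo("Ping_HTTP", [("icmp", "icmp", None), ("http", "tcp", "http")]),
                contract_mo("PreProd_TierA_TierB", ["Ping_HTTP"]),
                contract_mo("Prod_TierA_TierB", ["Ping_HTTP"])]
    children += environment("PreProduction", "PreProd_IP_Plan", "PreProdNewApp",
                            ["10.0.0.254/24", "20.0.0.254/24"], "PreProd_TierA_TierB",
                            {"PreProdTierAEPG": "consumer", "PreProdTierBEPG": "provider"})
    children += environment("Production", "Prod_IP_Plan", "ProdNewApp",
                            ["10.0.0.254/24", "20.0.0.254/24"], "Prod_TierA_TierB",
                            {"ProdTierAEPG": "consumer", "ProdTierBEPG": "provider"})
    return mo("fvTenant", children, name="ACI_Demo")


def policy_index(tenant):
    """Flatten the payload into filters, contracts and EPGs (BD, PN, relations)."""
    filters, contracts, bd_vrf, epgs = {}, {}, {}, {}
    for child in tenant["fvTenant"]["children"]:
        (cls, node), = child.items()
        name, kids = node["attributes"]["name"], node.get("children", [])
        if cls == "vzFilter":
            filters[name] = [k["vzEntry"]["attributes"] for k in kids]
        elif cls == "vzBrCP":
            refs = [r for s in kids for r in s["vzSubj"].get("children", [])]
            contracts[name] = [r["vzRsSubjFiltAtt"]["attributes"]["tnVzFilterName"] for r in refs]
        elif cls == "fvBD":
            bd_vrf[name] = next(k["fvRsCtx"]["attributes"]["tnFvCtxName"] for k in kids if "fvRsCtx" in k)
        elif cls == "fvAp":
            for e in kids:
                info = {"cons": set(), "prov": set()}
                for rel in e["fvAEPg"].get("children", []):
                    (rcls, rnode), = rel.items()
                    if rcls == "fvRsBd":
                        info["bd"] = rnode["attributes"]["tnFvBDName"]
                    elif rcls in ("fvRsCons", "fvRsProv"):  # -> info["cons"] / info["prov"]
                        info[rcls[4:].lower()].add(rnode["attributes"]["tnVzBrCPName"])
                epgs[e["fvAEPg"]["attributes"]["name"]] = info
    for info in epgs.values():  # EPG -> BD -> PN gives the EPG's routing domain
        info["vrf"] = bd_vrf[info["bd"]]
    return filters, contracts, epgs


def allowed(tenant, src_epg, dst_epg, prot, port=None):
    """Whitelist semantics from the slides: one EPG always talks to itself; two EPGs
    need a contract the source consumes and the destination provides with a matching
    filter entry; EPGs in different PNs never talk, even with identical IP plans."""
    if src_epg == dst_epg:
        return True
    filters, contracts, epgs = policy_index(tenant)
    src, dst = epgs[src_epg], epgs[dst_epg]
    if src["vrf"] != dst["vrf"]:
        return False
    for contract in src["cons"] & dst["prov"]:
        for entry in (e for f in contracts[contract] for e in filters[f]):
            # an entry without a port (ICMP) matches any port; one with a port must match it
            if entry["prot"] == prot and entry.get("dFromPort", port) == port:
                return True
    return False
```

json.dumps(tenant_payload()) is the body for a POST to https://<apic>/api/mo/uni.json (address is a placeholder), the JSON form of the XML endpoint the deck shows later; allowed(t, "PreProdTierAEPG", "PreProdTierBEPG", "tcp", "ssh") returns False until an SSH entry is added to the filter, which is exactly the change the Production slides ask for.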
APIC configuration effort is the same regardless of the number of:
- leaf switches,
- ESX hosts,
- VMs.
=> Consistency, OPEX reduction
[Diagram: the PreProd tiers from before (PreProdTierA with TierA-10-1 10.0.0.1/24 and TierA-20-1 20.0.0.1/24, PreProdTierB with TierB-10-2 10.0.0.2/24 and TierB-20-2 20.0.0.2/24, only Ping / HTTP) next to the requested ProdTierA / ProdTierB, again with only Ping / HTTP]
“I immediately need to put this new App in Production now and switch my existing VMs in this environment…”
“Don’t destroy my PreProd environment, I may need it at any time”
[Diagram: the classical Vlan 10 (10.0.0.0/24, gateway 10.0.0.254/24) / Vlan 20 (20.0.0.0/24, gateway 20.0.0.254/24) design again, with the PreProdTierA / PreProdTierB VMs TierA-10-1 10.0.0.1/24, TierB-10-2 10.0.0.2/24, TierB-20-2 20.0.0.2/24 and TierA-20-1 20.0.0.1/24]
Where are the VMs? On which ESX host?
How do we identify the VMs belonging to each application tier? By IP address?
The application project manager only wants Ping and HTTP between tiers. ACLs?
What happens when a third subnet is used? When a new ESX host is added?
Network configuration on both ESX hosts and on the access ports?
Repeat the same complexity with VRFs. VLAN reuse?
[Diagram: Tenant : ACI_Demo with two private networks side by side.
PreProduction: AP PreProdNewApp, BD PreProd_IP_Plan (10.0.0.254/24, 20.0.0.254/24), EPGs PreProdTierA and PreProdTierB joined by contract PreProd_TierA_TierB (Ping / HTTP).
Production: AP ProdNewApp, BD Prod_IP_Plan (10.0.0.254/24, 20.0.0.254/24), EPGs ProdTierA and ProdTierB joined by contract Prod_TierA_TierB (Ping / HTTP).
The same IP plan is reused in both private networks.]
[Diagram: the fabric view as before, the administrator “here”, on the Web GUI. When clicking to create a new EPG, the GUI sends a JSON POST (« Create new EPG ») to the APIC REST API, its northbound interface.]
[Diagram: the same view, the administrator now “here”, directly on the REST API: a JSON/XML POST (« Create new EPG ») to the APIC northbound interface, the same call the GUI makes.]
[Diagram: object model under Tenant : ACI_Demo]
Tenant : ACI_Demo
  Bridge Domain
  Contract
  Application Profile
    EPG
    EPG
Web Form: POST http://___IP@___/api/mo/uni.xml
RAW:
<fvTenant name="___tenant___">
  <fvCtx name="___vrf___"/>
  <!-- one bridge domain per VLAN / subnet, both attached to the same VRF -->
  <fvBD name="BD-___vrf___-Vlan-___VlanA___">
    <fvRsCtx tnFvCtxName="___vrf___"/>
    <fvSubnet ip="___subnetA___"/>
  </fvBD>
  <fvBD name="BD-___vrf___-Vlan-___VlanB___">
    <fvRsCtx tnFvCtxName="___vrf___"/>
    <fvSubnet ip="___subnetB___"/>
  </fvBD>
  <fvAp name="___vrf___-Network">
    <fvAEPg name="___vrf___-Vlan-___VlanA___">
      <fvRsBd tnFvBDName="BD-___vrf___-Vlan-___VlanA___"/>
      <!-- static binding of the EPG to two leaf ports, plus the VMM domain -->
      <fvRsPathAtt encap="vlan-___tagA-1___" mode="native" tDn="topology/pod-1/paths-___leafA-1___/pathep-[eth___portA-1___]"/>
      <fvRsPathAtt encap="vlan-___tagA-2___" mode="native" tDn="topology/pod-1/paths-___leafA-2___/pathep-[eth___portA-2___]"/>
      <fvRsDomAtt tDn="uni/vmmp-VMware/dom-___VMM_domainA___"/>
      <!-- PERMIT-ANY-ANY must already exist (in this tenant or in tenant common); this template does not create it -->
      <fvRsProv tnVzBrCPName="PERMIT-ANY-ANY"/>
      <fvRsCons tnVzBrCPName="PERMIT-ANY-ANY"/>
    </fvAEPg>
    <fvAEPg name="___vrf___-Vlan-___VlanB___">
      <fvRsBd tnFvBDName="BD-___vrf___-Vlan-___VlanB___"/>
      <fvRsPathAtt encap="vlan-___tagB-1___" mode="native" tDn="topology/pod-1/paths-___leafB-1___/pathep-[eth___portB-1___]"/>
      <fvRsPathAtt encap="vlan-___tagB-2___" mode="native" tDn="topology/pod-1/paths-___leafB-2___/pathep-[eth___portB-2___]"/>
      <fvRsDomAtt tDn="uni/vmmp-VMware/dom-___VMM_domainB___"/>
      <fvRsProv tnVzBrCPName="PERMIT-ANY-ANY"/>
      <fvRsCons tnVzBrCPName="PERMIT-ANY-ANY"/>
    </fvAEPg>
  </fvAp>
</fvTenant>
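A small client for the northbound interface the previous slides describe, using the XML template above: it fills in the ___placeholders___, refuses to post a template with any left unfilled (the APIC would otherwise create objects literally named ___vrf___), checks that the XML parses, logs in and POSTs to /api/mo/uni.xml. This is an added example, not Cisco's code or the slide's own tooling: /api/aaaLogin.json and the APIC-cookie token are the public APIC login mechanism, TEMPLATE is a constructed, shortened copy of the slide's template, and APIC_ADDRESS, admin and PASSWORD are placeholders to replace.

```python
"""Push a configuration to the APIC northbound REST API, the path the Web GUI
itself uses.  Added example, not Cisco's code.  /api/aaaLogin.json and
/api/mo/uni.xml are public APIC endpoints (the latter is the one on the slide);
APIC address, credentials and template values below are placeholders."""
import json
import re
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# ___name___ with letters, digits, hyphens and single inner underscores (as in ___VMM_domainA___)
PLACEHOLDER = re.compile(r"___([A-Za-z0-9-]+(?:_[A-Za-z0-9-]+)*)___")

# Constructed, shortened version of the slide's template, same ___name___ style.
TEMPLATE = """<fvTenant name="___tenant___">
  <fvCtx name="___vrf___"/>
  <fvBD name="BD-___vrf___-Vlan-___VlanA___">
    <fvRsCtx tnFvCtxName="___vrf___"/>
    <fvSubnet ip="___subnetA___"/>
  </fvBD>
</fvTenant>"""


def unfilled(template, values):
    """Placeholder names present in the template that values does not supply."""
    return sorted(set(PLACEHOLDER.findall(template)) - set(values))


def fill_template(template, values):
    """Substitute every ___name___; refuse to leave one behind, and reject XML
    that does not parse before it gets anywhere near the fabric."""
    missing = unfilled(template, values)
    if missing:
        raise KeyError(f"unfilled placeholders: {missing}")
    body = PLACEHOLDER.sub(lambda m: values[m.group(1)], template)
    ET.fromstring(body)  # raises ParseError on malformed XML
    return body


def login_body(user, pwd):
    """JSON body of the aaaLogin POST."""
    return json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": pwd}}})


def push(apic, user, pwd, xml_body):
    """Authenticate, then POST the XML under uni (the policy universe root).
    The session token carries the user's full APIC rights, so the TLS
    certificate is verified rather than ignored."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ssl.create_default_context()))
    login = urllib.request.Request(
        f"https://{apic}/api/aaaLogin.json", method="POST",
        data=login_body(user, pwd).encode(),
        headers={"Content-Type": "application/json"})
    with opener.open(login, timeout=10) as resp:
        token = json.load(resp)["imdata"][0]["aaaLogin"]["attributes"]["token"]
    post = urllib.request.Request(
        f"https://{apic}/api/mo/uni.xml", method="POST", data=xml_body.encode(),
        headers={"Content-Type": "application/xml", "Cookie": f"APIC-cookie={token}"})
    with opener.open(post, timeout=10) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    # Placeholder values: replace APIC_ADDRESS, admin and PASSWORD with your own.
    body = fill_template(TEMPLATE, {"tenant": "ACI_Demo", "vrf": "PreProduction",
                                    "VlanA": "10", "subnetA": "10.0.0.254/24"})
    print(push("APIC_ADDRESS", "admin", "PASSWORD", body))
```

The APIC answers the POST with an imdata document; a non-2xx status or an error element in that body means the configuration was rejected, so check the returned status before assuming the tenant exists. Posting the same body twice is harmless, since a POST to uni merges attributes into objects that already exist.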
APIC is the Networking Resources Manager
[Diagram: APIC as the central networking manager. An orchestrator drives APIC alongside the other resource managers (virtual machines, bare-metal servers, middleware, storage); the application being built spans a web server / portal, an application server and a database server.]
[Diagram: ProdTierA (TierA-10-1 10.0.0.1/24, TierA-20-1 20.0.0.1/24) and ProdTierB (TierB-10-2 10.0.0.2/24, TierB-20-2 20.0.0.2/24), now only Ping / HTTP / SSH between the tiers, with a new VM TierB-30-1 (30.0.0.1/24) joining ProdTierB]
“I want to authorize SSH between my Tiers and include TierB-30-1”
[Diagram: Tenant : ACI_Demo after the change.
PreProduction: AP : PreProdNewApp, BD PreProd_IP_Plan (10.0.0.254/24, 20.0.0.254/24), EPGs PreProdTierA and PreProdTierB with contract PreProd_TierA_TierB (Ping / HTTP), unchanged.
Production: AP : ProdNewApp, BD Prod_IP_Plan now with 10.0.0.254/24, 20.0.0.254/24 and 30.0.0.254/24, EPGs ProdTierA and ProdTierB with contract Prod_TierA_TierB (Ping / HTTP / SSH).]
[Diagram: ProdTierA (TierA-10-1 10.0.0.1/24, TierA-20-1 20.0.0.1/24) and ProdTierB (TierB-10-2 10.0.0.2/24, TierB-20-2 20.0.0.2/24, TierB-30-1 30.0.0.1/24), only Ping / HTTP / SSH between the tiers; TierB-30-1 marked with a “?”]
“I have issues with TierB-30-1, please have a look …”
[Diagram: Tenant : ACI_Demo, PN Production, AP : ProdNewApp, BD Prod_IP_Plan (10.0.0.254/24, 20.0.0.254/24, 30.0.0.254/24), EPGs ProdTierA and ProdTierB with contract Prod_TierA_TierB (Ping / HTTP / SSH); VMs TierA-10-1, TierA-20-1, TierB-10-2, TierB-20-2 and TierB-30-1 (30.0.0.1/24).
A second tenant, Admin, with PN Production, AP : IT_Stuff, BD Prod_IP_Plan (100.0.0.254/24) and an EPG Sniffer holding a VM at 100.0.0.1/24 running Wireshark. The same picture is shown twice, first with the Admin tenant being added and then with the Sniffer in place.]
• Complete visibility of VM locations; ease of troubleshooting.
• If desired, VMs are grouped by affinity, not by subnet or VLAN (*).
• Contracts are built without IP address dependencies.
• A subnet is created in a single click and is immediately available to the whole infrastructure.
• APIC configuration effort is the same regardless of the number of leaves, ESX hosts, VMs, …
• The open APIC northbound interface eases automation: it can be used as a cloud connector, for tailor-made operational jobs, …
• Ease of monitoring by breaking the current VLAN/subnet paradigm.
• Networking attributes are automatically pushed from APIC to vCenter; the VM admin just has to assign the right port group to the VM.
(*) If needed, ACI can stick to a classical network-centric approach where 1 BD = 1 subnet and 1 EPG = 1 VLAN.
• dCloud
• ACI Simulator
• Channel ACI Starter kits
• ILM labs
• ACI mobile Rack