February 27, 2020 - Cisco...Everything you need to know about deploying your first ACI Fabric 3/5/2020 3:18:44 PM

Vancouver

February 27, 2020

Robert ZalobinskiTechnical Solutions Architect

February 2020

Everything you need to know about deploying your first ACI Fabric*

Vancouver

*but were afraid to ask

© 2019 Cisco and/or its affiliates. All rights reserved.

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

Part I - Fundamentals of ACI• DC Architecture and ACI Anywhere

• Initial Standup

Part II - Designing and Deploying your first App Profile

• ACI Basics

• Networking Domains

• Network Centric vs App Centric

• AP Deployment

Part III - Operating ACI

• Visibility, Management and Tools

Part IV – Next Steps

Agenda

© 2019 Cisco and/or its affiliates. All rights reserved.© 2019 Cisco and/or its affiliates. All rights reserved.

Part I

Fundamentals of ACI


© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS

Core

Dist

Access

Challenges of TodayManagement• CLI to every Device

• Manual Configuration – Takes Time

• Coordination between Network and Server Team

• Harder as we scale!

Functionality• Static Configuration

• Allow all Traffic by Default

• Spanning Tree to Prevent Loops

DC Architecture



What is ACI?ACI Overview

Management• FCAPS ITIL mgmt model

• Fabric is managed by APIC

• All configuration exposed via API

• Switches join fabric in a few clicks!

Functionality• No spanning Tree – ECMP Routing

• Dynamic Configuration

• Whitelist Model (customizable)

APIC Cluster

Leafs

Spines

APICAPIC APIC



Why ACI?Management Overview

• GUI gives full visibility into the entire system

• Controller status shows state of the APIC Cluster.

• “Fully Fit” means all APIC’s are in sync and communicating




• Faults are raised for various reasons to warn user of issues in the environment.

• Faults are classified based on severity of the error




• Health scores are driven based on faults and events

• Can be viewed system wide or per object

Looks like we had an issue!




• Fabric Inventory and Topology are centrally managed.

Clicking on Objects will drill down further


• Operational Simplicity: Same “look and feel” as On-Premise

• Automated Policy Translation: Consistency across the entire data center

• Common Governance: End-to-end discovery, visibility and troubleshooting

ACI Anywhere

IOT Edge

Data Center

Cloud Exchange

ACI Anywhere

On Premises Cloud

Containers Hypervisor

Accelerates Journey to Multicloud


Virtual ACIVirtual POD extends an

Availability Zone (Fabric) to remote locations on

standard VMs

ACI 4.0

Cloud ACIACI Extensions to AWS and Azure

Public Cloud

ACI 4.1

ACI Multi-POD

Multiple Networks (Pods) in a single Availability Zone

(Fabric)

ACI 2.0

ACI Remote-Leaf

Physical Remote Leaf extends an Availability

Zone (Fabric) to remote locations

ACI 3.1ACI Multi-Site

Multiple Availability Zones (Fabrics) in a Single Region ’and’ Multi-Region Policy

Management

ACI 3.0

ACI Anywhere – Accelerate Multicloud“Evolving our multicloud journey by extending ACI everywhere”




Part I - Fundamentals of ACI• DC Architecture and ACI Anywhere

• Initial Standup

Part II - Designing and Deploying your first App Profile

• ACI Basics

• Networking Domains

• Network Centric vs App Centric

• AP Deployment

Part III - Operating ACI

• Visibility, Management and Tools

Part IV – Next Steps


6 Routable IP addresses (APIC OOB management & APIC CIMC)

NTP Server

Serial Numbers (Leaf & Spines)

Optional:

1 additional IP per Leaf & Spine (OOB)

SCP / FTP / HTTP Server

Console / Terminal Server

Infrastructure VLAN

vCenter IP address & credentials

Prerequisites


Basic ACI Fabric

APIC

Spine

Leaf

Spine

Leaf

• Minimum of two Spines

• Spines can be Fixed or Modular

• Every Leaf is connected to every Spine

• Three APIC Controllers for Production

• One APIC Controller for Labs

• APIC connect directly to Leafs

• All other hardware connects to Leafs

• Servers

• Firewall

• ADC

• External networks


1. APIC initial configuration(APIC #1) [only the 1 st one for now]

• 1st Leaf discovery*

• Spine discovery*

• Leaf discovery*

2. Remaining APIC 2 and 3 configuration

3. OOB mgmt. IP’s for leafs and spines

4. NTP configuration

5. Route reflector

* - Power on Auto-provisioning

Build Fabric Topology - in 5 easy steps


Configure APIC CIMC


Initial Configuration for APIC1

Change this value if the Infrastructure VLAN is to be extended outside of the fabric over Nexus

5/6/7k as this is a reserved VLAN ID

<3915


Connect to GUI


Initial System View


Register Switches to the APIC


Verify Internal VTEP Addresses


Complete Fabric Discovery


Verify Topology


Acronyms/DefinitionsAcronyms Definitions Acronyms Definitions

ACI Application Centric Infrastructure SVI Switch Virtual Interface

ACL Access Control List VIC Virtual Interface Card

API Application Programming Interface VNID Virtual Network Identifier

APIC Application Policy Infrastructure Controller VPC Virtual Port-Channel

BD Bridge Domain VRF Virtual Routing and Forwarding

COOP Council of Oracle Protocol VTEP VXLAN Tunnel Endpoint

ECMP Equal Cost Multi Pathing VXLAN Virtual Extensible LAN

EP Endpoint

EPG Endpoint Group

KVM Keyboard, Video, and Mouse

MP-BGP Multi Protocol BGP

pcTag Policy Control Tag

Reference Slide Icon ➔

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Part II

Designing and Deploying your first Application Profile (AP)

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

ACI Endpoint Group

End Point Group (EPG)

VM

• Group of Virtual Machines, Physical Servers and Containers

• Similar Connectivity Requirements

• Independent of Network Constructs


ACI Logical Model

Bridge Domain (BD)

Endpoint Group (EPG)


ACI Security

ContractEndpoint

Group (EPG)

• Contracts control traffic between EPGs

• Filter based on L2 to L4 attributes

• Apply an action to traffic:

• Permit

• Mark

• Redirect

• Log

• Copy

• Block


ACI External Network Connections

• L3 connection

• Provide L3 external connectivity for tenants

• VRF-lite for tenant isolation

• OSPF ,BGP, EIGRP & static routes

ACI Fabric


ACI External Network Connections

• L2 connection

• Extend L2 domain outside of ACI fabric

• Legacy network migration

• VLAN and VXLAN for tagging

• vPC and STP connections

ACI Fabric


ACI EPG Extended to External L2 Network

EPG

VMACI Fabric

VM

• L2 domain extended outside of ACI

• External VLAN mapped to EPG

• Internal Domain (VMM or Physical) can use same or different VLAN

• ACI provides tag encap normalization


VMM Domain

Physical Domain

L3 Domain

ACI Networking Domains

External Router

External L2 Switch

Server

Hypervisor ManagerContainer Manager


ACI Network vs Application Centric

Network Centric Application Centric

EPG = BD = Subnet (VLAN)EPG = specific application layer eg.

Web servers

Naming conventions for Network configurations

Can be used concurrentlyTenant: Classic

VRF: vrf-01

Application Profile: 192.168.10.x_24

EPG (VLAN)VLAN-10

Application Profile: Online-Banking

EPG (VLAN)

Web

EPG (VLAN)

App

EPG (VLAN)

DB

BD192.168.10.x_24


Legacy Network to ACI Mappingaka Network Centric Mode

Bridge DomainBD401

End Point GroupEPG401

Bridge Domain

BD417

End Point Group

EPG417

Bridge Domain

BD407

End Point Group

EPG407

Bridge Domain

BD400

End Point Group

EPG400

VLAN 401

VM

VM

Subnet 192.168.1.0/24

Gateway 192.168.1.254

VM

Gateway 192.168.1.254


VRF

ACI Network Centric Mode

Subnet 192.168.1.0/24

Bridge Domain

BD417

End Point Group

EPG417

Bridge Domain

BD407

End Point Group

EPG407

Bridge Domain

BD400

End Point Group

EPG400

Bridge Domain

BD401

End Point Group

EPG401

Subnet 192.168.2.0/24 Subnet 192.168.3.0/24 Subnet 192.168.4.0/24

Gateway 192.168.1.254 Gateway 192.168.2.254 Gateway 192.168.3.254 Gateway 192.168.4.254

VM

VM

VM

VM

VM

VM

VM

VM


ACI Application Centric Mode

Bridge Domain BD401

EPG Web EPG App EPG DB

VMVM

VM

Web Servers

VMVM

App Servers DB Servers

Gateway 192.168.1.254

Subnet 192.168.1.0/24


Application Profile AP

ACI Application Centric Profile

Bridge Domain BD401

Subnet 192.168.1.0/24

L3Out

ContractContractContract

EPG Web EPG DB

VMVM

VM

Web Servers DB Servers

EPG App

VMVM

App Servers


ACI L3Out Design

Configure “Layer 3 Out” to create a routed connection to legacy network

Routed Interface

Routed sub-interface

Switched Virtual Interface (SVI)

EPG has contract to L3Out Network

Bridge Domain with “Unicast Routing” enabled

Subnet defined on BD

L3Out associated with BD

Dynamic Routing

OSPF/ EIGRP/ BGP/ Static

L3OutLeaf 101 Leaf 102



Bridge DomainBDL2

End Point GroupACI_to_Legacy-DC

VM

VM

Subnet 172.17.130.0/24

Gateway 172.17.130.10

VM

VLAN 430

.200

.210


Legacy NX-OS DC


DVS – 01

VMVM

Subnet 172.17.130.0/24

Gateway 172.17.130.10

ACI Fabric

Leaf 101

Leaf 102

DVS – 02

.200 .210

Layer 2


Bridge Domain BD401

ACI AP Design for the Demo

Subnet 192.168.1.0/24

L3Out

Contract

EPG Web EPG DB

VM

Web Server DB Server

VM

Contract



Part III

Operating ACI


Faults

☺


EP Tracker

“We had a problem at 14:21!!!”

Attach/Detach events are logged for each EP

IP Was Moving???


Atomic Counters

Leaf Direction Filter Packet Count

L1 Tx ICMP 500

L2 Rx ICMP 500

L1 L2

S10

192.168.101.10 192.168.102.11

Tx Rx

Ping –c 500 192.168.102.11

• Used to measure packet loss in Overlay

• Logs packet count between EP’s on different Leafs

• Specific Filter can be set

• Requires NTP!


SPAN

SPAN Source SPAN Destination

EPG ERSPAN

Port ERPSAN/LocalPort

• ACI allows for SPAN of Entire EPG

• ERSPAN Destination must be an IP EP Learnt in ACI

• EP Can run Wireshark or Tshark

L1 L2

S10

10.10.10.10

ERSPAN

EP Learnt

Leaf101# show monitor session allsession 1

---------------description : Span session 1type : erspanversion : 2oper version : 1state : up (active)erspan-id : 1granularity :vrf-name : CiscoLive:VRF1acl-name :ip-ttl : 64ip-dscp : ip-dscp not specifieddestination-ip : 10.10.10.10/32origin-ip : 1.1.1.1mode : accesssource VLANs :

rx : 100tx : 100both : 100

filter VLANs : filter not specified

EPG 100


Capacity Dashboard

VLAN Capacity is Full!

Capacity Dashboard panel displays your usage by range and percentage.Use this to plan your fabric Scale.



Enhanced Endpoint TrackerTroubleshooting Endpoint Moves

Provides Historical Data of All Endpoints, including # of moves



Enhanced Endpoint TrackerTroubleshooting Endpoint Moves

Node and Interface Move history allows for easy issue isolation

Provides Exact Location of Endpoint



Enhanced Endpoint TrackerTroubleshooting Off Subnet Endpoints Any Endpoint which is off subnet is flagged.

Unexpected for Network Centric Deployment!


Part IV

Next Steps


Network Insights

Platform

Apps

App hosting frameworkApp store

DCNM APIC

App Hosting FrameworkApp Store

Network Insights Resources Network Insights Advisor*

Data collection and ingestion

Data correlation and analysis

Data visualization and action

VisibilityLearn from your network and recognize anomalies

InsightsSee problems before your end users do

Proactive TroubleshootingFind root cause faster with granular details

* Network I nsights Advisor will be available in early June

Supported fromACI 4.2

September 2019CI 4.2

© 2019 Cisco and/or i ts affiliates. All rights reserved. Cisco Confidential G l o b a l

S a l e s T r a i n i n g

Deployment-specific recommendations & best practices, upgrade impact analysis/Experience*

Advisories

How Can NIA Help with Day 2 Operations?

Network

Insights

Advisor

Alert to known defects, PSIRTs,Forwarding state checksAnomalies

TAC assist, Tech support to Cloud, Fast StartDiagnostics

Inbox function/Smart Inbox*, proactive EOL/EOS announcements, new Field Notices, new software/SMUs

Notices

System hardening checks, version-specific scale limits monitoring (NIR -> NIA) to generate advisory *

Compliance

* Roadmap

© 2019 Cisco and/or i ts affiliates. All rights reserved. Cisco Confidential G l o b a l

S a l e s T r a i n i n g

Monitor fabric-wide and node-specific resource utilization Resources

How Can NIR Help with Day 2 Operations?

Network

Insights

Resources

Track CPU & memory consumption, monitor power and temperatureEnvironmental

Track flow paths, identify applications experiencing high latency or packet drops

Flows

Correlate changes to events, identify faultsEvents

Monitor network bandwidth utilization, packet drops, and network protocol statistics

Statistics


Cisco Network Assurance Engine

Comprehensive Network Modeling

Mathematically accurate models spanning underlay, overlay and

virtualization layers

5000+ domain knowledge-based error scenarios built-in, codified

remediation steps

Data Collection

Captures all non-packet data: intent, policy, state across data center

network

Intelligent Analysis


Multi-layered protection — Defense in depthCisco recommended option for customers

Tetration

Operational flexibility/choice of enforcement points

Fine tuning of enforcement granularity in each layer

Open flexible policy model> any cloud – any INFRA

Multiple layers of segmentation enforcement

VM/BM Container

Host Switch

Cloud vSwitch

• Vulnerability assessment• Process whitelisting• Security forensics • Attack surface detection

Cisco ACI

• Network automation• Network segmentation/whitelisting• Assurance and insights

February 2019ACI 4.1

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

• Operational Simplicity: Same “look and feel” as On-Premise

• Automated Policy Translation: Consistency across the entire data center

• Common Governance: End-to-end discovery, visibility and troubleshooting

ACI Anywhere

IOT Edge

Data Center

Cloud Exchange

ACI Anywhere

On Premises Cloud

Containers Hypervisor



Cisco ACI

Protect Your Business

Accelerate Multicloud

Optimize Your Network

Aligned with Your Digital Transformation


Scan this code if you would like to talk to Cisco

Specialist

Vancouver

Documents

February 27, 2020 - Cisco...Everything you need to know about deploying your first ACI Fabric 3/5/2020 3:18:44 PM