Everything you need to know about deploying your first ACI Fabric*
*but were afraid to ask
Robert Zalobinski, Technical Solutions Architect
Vancouver, February 27, 2020
© 2019 Cisco and/or its affiliates. All rights reserved.
Agenda
Part I - Fundamentals of ACI
• DC Architecture and ACI Anywhere
• Initial Standup
Part II - Designing and Deploying your first App Profile
• ACI Basics
• Networking Domains
• Network Centric vs App Centric
• AP Deployment
Part III - Operating ACI
• Visibility, Management and Tools
Part IV – Next Steps
Part I
Fundamentals of ACI
DC Architecture
Diagram: traditional three-tier design (Core / Distribution / Access)
Challenges of Today
Management
• CLI to every Device
• Manual Configuration – Takes Time
• Coordination between Network and Server Team
• Harder as we scale!
Functionality
• Static Configuration
• Allow all Traffic by Default
• Spanning Tree to Prevent Loops
ACI Overview – What is ACI?
Management
• FCAPS ITIL mgmt model
• Fabric is managed by APIC
• All configuration exposed via API
• Switches join fabric in a few clicks!
Functionality
• No Spanning Tree – ECMP Routing
• Dynamic Configuration
• Whitelist Model (customizable)
Diagram: APIC Cluster (three APICs) attached to Leafs; Leafs connected to Spines
Why ACI? – Management Overview
• GUI gives full visibility into the entire system
• Controller status shows the state of the APIC Cluster
• “Fully Fit” means all APICs are in sync and communicating
Why ACI? – Management Overview
• Faults are raised for various reasons to warn the user of issues in the environment
• Faults are classified based on the severity of the error
Why ACI? – Management Overview
• Health scores are derived from faults and events
• Can be viewed system wide or per object
Callout: Looks like we had an issue!
Why ACI? – Management Overview
• Fabric Inventory and Topology are centrally managed
• Clicking on objects will drill down further
ACI Anywhere – Accelerates Journey to Multicloud
• Operational Simplicity: Same “look and feel” as On-Premise
• Automated Policy Translation: Consistency across the entire data center
• Common Governance: End-to-end discovery, visibility and troubleshooting
Diagram: ACI Anywhere spanning IoT Edge, Data Center, Cloud Exchange, On Premises, Cloud, Containers and Hypervisor
ACI Anywhere – Accelerate Multicloud: “Evolving our multicloud journey by extending ACI everywhere”
• ACI 2.0 – ACI Multi-Pod: multiple networks (Pods) in a single Availability Zone (Fabric)
• ACI 3.0 – ACI Multi-Site: multiple Availability Zones (Fabrics) in a single Region, and multi-region policy management
• ACI 3.1 – ACI Remote Leaf: a physical remote leaf extends an Availability Zone (Fabric) to remote locations
• ACI 4.0 – Virtual ACI: a Virtual Pod extends an Availability Zone (Fabric) to remote locations on standard VMs
• ACI 4.1 – Cloud ACI: ACI extensions to AWS and Azure public cloud
Accelerates Journey to Multicloud
Prerequisites
• 6 routable IP addresses (APIC OOB management & APIC CIMC)
• NTP Server
• Serial Numbers (Leafs & Spines)
Optional:
• 1 additional IP per Leaf & Spine (OOB)
• SCP / FTP / HTTP Server
• Console / Terminal Server
• Infrastructure VLAN
• vCenter IP address & credentials
Basic ACI Fabric
Diagram: APIC attached to a Leaf; two Spines; every Leaf connected to every Spine
• Minimum of two Spines
• Spines can be Fixed or Modular
• Every Leaf is connected to every Spine
• Three APIC Controllers for Production
• One APIC Controller for Labs
• APICs connect directly to Leafs
• All other hardware connects to Leafs:
  • Servers
  • Firewall
  • ADC
  • External networks
Build Fabric Topology – in 5 easy steps
1. APIC initial configuration (APIC #1) [only the 1st one for now]
   • 1st Leaf discovery*
   • Spine discovery*
   • Leaf discovery*
2. Remaining APIC 2 and 3 configuration
3. OOB mgmt. IPs for leafs and spines
4. NTP configuration
5. Route reflector
* Power On Auto-Provisioning
Configure APIC CIMC
Initial Configuration for APIC1
Callout on the Infrastructure VLAN value (<3915): change this value if the Infrastructure VLAN is to be extended outside of the fabric over Nexus 5/6/7k, as this is a reserved VLAN ID there.
Connect to GUI
Initial System View
Register Switches to the APIC
Verify Internal VTEP Addresses
Complete Fabric Discovery
Verify Topology
Acronyms / Definitions
ACI – Application Centric Infrastructure
ACL – Access Control List
API – Application Programming Interface
APIC – Application Policy Infrastructure Controller
BD – Bridge Domain
COOP – Council of Oracle Protocol
ECMP – Equal Cost Multi Pathing
EP – Endpoint
EPG – Endpoint Group
KVM – Keyboard, Video, and Mouse
MP-BGP – Multi Protocol BGP
pcTag – Policy Control Tag
SVI – Switch Virtual Interface
VIC – Virtual Interface Card
VNID – Virtual Network Identifier
VPC – Virtual Port-Channel
VRF – Virtual Routing and Forwarding
VTEP – VXLAN Tunnel Endpoint
VXLAN – Virtual Extensible LAN
Part II
Designing and Deploying your first Application Profile (AP)
ACI Endpoint Group
End Point Group (EPG)
• Group of Virtual Machines, Physical Servers and Containers
• Similar Connectivity Requirements
• Independent of Network Constructs
ACI Logical Model
Diagram: Bridge Domain (BD) and Endpoint Group (EPG)
ACI Security
Diagram: Contract between two Endpoint Groups (EPGs)
• Contracts control traffic between EPGs
• Filter based on L2 to L4 attributes
• Apply an action to traffic:
  • Permit
  • Mark
  • Redirect
  • Log
  • Copy
  • Block
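The whitelist behaviour described above, as an added example that is not part of the deck or of APIC: a toy evaluator in which traffic between EPGs is dropped unless a contract consumed by the source and provided by the destination carries a matching permit filter entry, with a matching deny (Block) entry winning and return traffic allowed only through reversed filter ports. The EPG and contract names model the deck's Web/DB/L3Out demo and are constructed here.

```python
"""Toy model of the ACI whitelist contract model (constructed example, not APIC code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class FilterEntry:
    proto: str                    # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None   # destination port, None = any port
    action: str = "permit"        # "permit" or "deny" (the slide's Block)


@dataclass
class Contract:
    name: str
    entries: list
    reverse_ports: bool = True    # like ACI "Apply Both Directions + Reverse Filter Ports"


@dataclass
class Fabric:
    contracts: dict = field(default_factory=dict)
    provides: dict = field(default_factory=dict)   # epg -> set of contract names
    consumes: dict = field(default_factory=dict)   # epg -> set of contract names

    def add_contract(self, c):
        self.contracts[c.name] = c

    def provide(self, epg, name):
        self.provides.setdefault(epg, set()).add(name)

    def consume(self, epg, name):
        self.consumes.setdefault(epg, set()).add(name)

    def decide(self, src, dst, proto, sport=None, dport=None):
        verdict = "deny"                      # default deny: no contract, no traffic
        # consumer -> provider direction: entries match on the destination port
        fwd = self.consumes.get(src, set()) & self.provides.get(dst, set())
        # provider -> consumer (return) direction: entries match on the source port
        rev = self.provides.get(src, set()) & self.consumes.get(dst, set())
        checks = [(n, dport) for n in fwd]
        checks += [(n, sport) for n in rev if self.contracts[n].reverse_ports]
        for name, port in checks:
            for e in self.contracts[name].entries:
                if e.proto in ("any", proto) and (e.dport is None or e.dport == port):
                    if e.action == "deny":
                        return "deny"          # an explicit Block beats any Permit
                    verdict = "permit"
        return verdict


def demo_fabric():
    """Constructed demo: Web consumes MySQL from DB; the L3Out consumes TCP from Web, telnet blocked."""
    f = Fabric()
    f.add_contract(Contract("web-to-db", [FilterEntry("tcp", 3306)]))
    f.add_contract(Contract("internet-to-web", [FilterEntry("tcp"), FilterEntry("tcp", 23, "deny")]))
    f.provide("DB", "web-to-db")
    f.consume("Web", "web-to-db")
    f.provide("Web", "internet-to-web")
    f.consume("L3Out", "internet-to-web")
    return f
```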
ACI External Network Connections – L3 connection
• Provide L3 external connectivity for tenants
• VRF-lite for tenant isolation
• OSPF, BGP, EIGRP & static routes
Diagram: ACI Fabric with a routed connection to an external network
ACI External Network Connections – L2 connection
• Extend L2 domain outside of the ACI fabric
• Legacy network migration
• VLAN and VXLAN for tagging
• vPC and STP connections
Diagram: ACI Fabric with a bridged connection to an external network
ACI EPG Extended to External L2 Network
Diagram: one EPG spanning VMs inside the ACI Fabric and hosts on an external L2 network
• L2 domain extended outside of ACI
• External VLAN mapped to EPG
• Internal Domain (VMM or Physical) can use the same or a different VLAN
• ACI provides tag encap normalization
ACI Networking Domains
Diagram:
• VMM Domain – Hypervisor Manager, Container Manager
• Physical Domain – Server, External L2 Switch
• L3 Domain – External Router
ACI Network vs Application Centric
Network Centric
• EPG = BD = Subnet (VLAN)
• Naming conventions follow the network configuration
• Example: Tenant: Classic, VRF: vrf-01, Application Profile: 192.168.10.x_24, BD: 192.168.10.x_24, EPG (VLAN): VLAN-10
Application Centric
• EPG = specific application layer, e.g. Web servers
• Example: Application Profile: Online-Banking, EPGs: Web, App, DB
Both modes can be used concurrently.
Legacy Network to ACI Mapping (aka Network Centric Mode)
Diagram: legacy VLAN 401 (Subnet 192.168.1.0/24, Gateway 192.168.1.254, several VMs) maps to Bridge Domain BD401 with End Point Group EPG401; the other legacy VLANs map the same way to BD417/EPG417, BD407/EPG407 and BD400/EPG400. Gateway 192.168.1.254 is shown on both the legacy and the ACI side.
ACI Network Centric Mode
Diagram: one VRF containing four Bridge Domains (BD401, BD417, BD407, BD400), each with exactly one End Point Group (EPG401, EPG417, EPG407, EPG400) and one subnet (192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24 with gateways 192.168.1.254, 192.168.2.254, 192.168.3.254, 192.168.4.254); VMs attach to each EPG.
ACI Application Centric Mode
Diagram: Bridge Domain BD401 (Subnet 192.168.1.0/24, Gateway 192.168.1.254) with three EPGs: EPG Web (Web Servers), EPG App (App Servers) and EPG DB (DB Servers).
ACI Application Centric Profile
Diagram: Application Profile (AP) with Bridge Domain BD401 (Subnet 192.168.1.0/24); EPG Web (Web Servers), EPG App (App Servers) and EPG DB (DB Servers) are linked by Contracts, and a Contract connects the AP to the L3Out.
ACI L3Out Design
Configure “Layer 3 Out” to create a routed connection to the legacy network
Interface types: Routed Interface, Routed sub-interface, Switched Virtual Interface (SVI)
• EPG has a contract to the L3Out Network
• Bridge Domain with “Unicast Routing” enabled
• Subnet defined on the BD
• L3Out associated with the BD
• Dynamic Routing: OSPF / EIGRP / BGP / Static
Diagram: L3Out on Leaf 101 and Leaf 102
Legacy Network to ACI Mapping (aka Network Centric Mode)
Diagram: legacy VLAN 430 (Subnet 172.17.130.0/24, Gateway 172.17.130.10, VMs .200 and .210) maps to Bridge Domain BDL2 with End Point Group ACI_to_Legacy-DC.
Diagram: Legacy NX-OS DC (DVS-01) connected at Layer 2 to the ACI Fabric (Leaf 101, Leaf 102, DVS-02); Subnet 172.17.130.0/24 with Gateway 172.17.130.10 spans both sides, VMs .200 and .210.
ACI AP Design for the Demo
Diagram: Bridge Domain BD401 (Subnet 192.168.1.0/24) with EPG Web (Web Server VM) and EPG DB (DB Server VM); a Contract between EPG Web and EPG DB, and a Contract towards the L3Out.
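The deck notes that all ACI configuration is exposed via the APIC API; as an added example that is not part of the deck or of any Cisco code, this builds the JSON for the demo Application Profile above (tenant, VRF, BD401 with its subnet and gateway, EPG Web consuming a MySQL contract provided by EPG DB) in the APIC object-model form of {class: {attributes, children}} and then extracts the consumer/contract/provider edges from it, which is the only traffic the whitelist will allow. The class and attribute names are the APIC object model; the tenant name CiscoLive and VRF name VRF1 are taken from the SPAN output later in the deck, the filter and AP names are constructed, and the L3Out is left out.

```python
"""Build the APIC JSON for the demo AP and list its contract edges (constructed example)."""
import json


def mo(cls, children=(), **attrs):
    """One managed object in APIC JSON form: {cls: {"attributes": {...}, "children": [...]}}."""
    body = {"attributes": attrs}
    if children:
        body["children"] = list(children)
    return {cls: body}


def demo_tenant_payload():
    """Tenant tree that would be POSTed to /api/mo/uni.json on the APIC."""
    mysql_filter = mo("vzFilter", name="mysql", children=[
        mo("vzEntry", name="tcp-3306", etherT="ip", prot="tcp", dFromPort="3306", dToPort="3306")])
    web_to_db = mo("vzBrCP", name="web-to-db", children=[
        # revFltPorts lets the DB's replies back to the Web tier's ephemeral ports
        mo("vzSubj", name="mysql", revFltPorts="yes", children=[
            mo("vzRsSubjFiltAtt", tnVzFilterName="mysql")])])
    bd401 = mo("fvBD", name="BD401", unicastRoute="yes", children=[
        mo("fvRsCtx", tnFvCtxName="VRF1"),
        mo("fvSubnet", ip="192.168.1.254/24", scope="public")])   # gateway .254 on BD401
    ap = mo("fvAp", name="Demo", children=[
        mo("fvAEPg", name="Web", children=[mo("fvRsBd", tnFvBDName="BD401"),
                                          mo("fvRsCons", tnVzBrCPName="web-to-db")]),
        mo("fvAEPg", name="DB", children=[mo("fvRsBd", tnFvBDName="BD401"),
                                         mo("fvRsProv", tnVzBrCPName="web-to-db")])])
    return mo("fvTenant", name="CiscoLive", children=[
        mo("fvCtx", name="VRF1"), mysql_filter, web_to_db, bd401, ap])


def walk(node, cls):
    """Yield every managed object of class cls anywhere in the tree."""
    for k, v in node.items():
        if k == cls:
            yield node
        for child in v.get("children", []):
            yield from walk(child, cls)


def contract_edges(tenant):
    """(consumer EPG, contract, provider EPG) triples: the flows the whitelist can permit."""
    prov, cons = {}, {}
    for epg in walk(tenant, "fvAEPg"):
        name = epg["fvAEPg"]["attributes"]["name"]
        for rel in epg["fvAEPg"].get("children", []):
            if "fvRsProv" in rel:
                prov.setdefault(rel["fvRsProv"]["attributes"]["tnVzBrCPName"], set()).add(name)
            if "fvRsCons" in rel:
                cons.setdefault(rel["fvRsCons"]["attributes"]["tnVzBrCPName"], set()).add(name)
    return sorted((c, k, p) for k in cons for c in cons[k] for p in prov.get(k, ()))


if __name__ == "__main__":
    print(json.dumps(demo_tenant_payload(), indent=2))
    print(contract_edges(demo_tenant_payload()))
```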
Part III
Operating ACI
Faults
EP Tracker
Attach/Detach events are logged for each EP
Callouts: “We had a problem at 14:21!!!” / “IP Was Moving???”
Atomic Counters
Diagram: S10 (192.168.101.10) behind Leaf L1 runs "ping -c 500 192.168.102.11" to an endpoint behind Leaf L2 (Tx on L1, Rx on L2)
Leaf  Direction  Filter  Packet Count
L1    Tx         ICMP    500
L2    Rx         ICMP    500
• Used to measure packet loss in the Overlay
• Logs packet count between EPs on different Leafs
• A specific Filter can be set
• Requires NTP!
SPAN
SPAN Source → SPAN Destination
• EPG → ERSPAN
• Port → ERSPAN / Local Port
• ACI allows for SPAN of an entire EPG
• ERSPAN Destination must be an IP EP learnt in ACI
• The EP can run Wireshark or Tshark
Diagram: EPG 100 behind Leaf L1 is spanned via ERSPAN to the EP 10.10.10.10 (learnt in ACI) behind Leaf L2

Leaf101# show monitor session all
session 1
---------------
description : Span session 1
type : erspan
version : 2
oper version : 1
state : up (active)
erspan-id : 1
granularity :
vrf-name : CiscoLive:VRF1
acl-name :
ip-ttl : 64
ip-dscp : ip-dscp not specified
destination-ip : 10.10.10.10/32
origin-ip : 1.1.1.1
mode : access
source VLANs :
rx : 100
tx : 100
both : 100
filter VLANs : filter not specified
Capacity Dashboard
The Capacity Dashboard panel displays your usage by range and percentage. Use this to plan your fabric scale.
Callout: VLAN Capacity is Full!
Enhanced Endpoint Tracker – Troubleshooting Endpoint Moves
Provides historical data of all endpoints, including the number of moves
Enhanced Endpoint Tracker – Troubleshooting Endpoint Moves
Node and Interface move history allows for easy issue isolation
Provides the exact location of an endpoint
Enhanced Endpoint Tracker – Troubleshooting Off-Subnet Endpoints
Any endpoint which is off subnet is flagged.
Unexpected for a Network Centric deployment!
Part IV
Next Steps
Network Insights
Platform: App Hosting Framework / App Store on DCNM and APIC
Apps: Network Insights Resources, Network Insights Advisor*
• Data collection and ingestion
• Data correlation and analysis
• Data visualization and action
Visibility – Learn from your network and recognize anomalies
Insights – See problems before your end users do
Proactive Troubleshooting – Find root cause faster with granular details
* Network Insights Advisor will be available in early June
Supported from ACI 4.2 (September 2019)
How Can NIA Help with Day 2 Operations?
Network Insights Advisor
• Advisories – Deployment-specific recommendations & best practices, upgrade impact analysis/Experience*
• Anomalies – Alert to known defects, PSIRTs, forwarding state checks
• Diagnostics – TAC assist, Tech support to Cloud, Fast Start
• Notices – Inbox function/Smart Inbox*, proactive EOL/EOS announcements, new Field Notices, new software/SMUs
• Compliance – System hardening checks, version-specific scale limits monitoring (NIR -> NIA) to generate an advisory*
* Roadmap
How Can NIR Help with Day 2 Operations?
Network Insights Resources
• Resources – Monitor fabric-wide and node-specific resource utilization
• Environmental – Track CPU & memory consumption, monitor power and temperature
• Flows – Track flow paths, identify applications experiencing high latency or packet drops
• Events – Correlate changes to events, identify faults
• Statistics – Monitor network bandwidth utilization, packet drops, and network protocol statistics
Cisco Network Assurance Engine
• Data Collection – Captures all non-packet data: intent, policy, state across the data center network
• Comprehensive Network Modeling – Mathematically accurate models spanning underlay, overlay and virtualization layers
• Intelligent Analysis – 5000+ domain knowledge-based error scenarios built-in, codified remediation steps
Multi-layered protection – Defense in depth (Cisco recommended option for customers)
• Multiple layers of segmentation enforcement: VM/BM, Container, Host, Switch, Cloud vSwitch
• Operational flexibility / choice of enforcement points
• Fine tuning of enforcement granularity in each layer
• Open flexible policy model: any cloud, any infra
Tetration: Vulnerability assessment, Process whitelisting, Security forensics, Attack surface detection
Cisco ACI: Network automation, Network segmentation/whitelisting, Assurance and insights
ACI 4.1 (February 2019)
Cisco ACI
Protect Your Business
Accelerate Multicloud
Optimize Your Network
Aligned with Your Digital Transformation
Scan this code if you would like to talk to a Cisco Specialist