BRKACI-2300

ACI for VMware Admins


Nicolas Vermandé, Technical Marketing Engineer - INSBU
Cisco Spark
Questions?
Use Cisco Spark to communicate
with the speaker after the session

How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

cs.co/ciscolivebot#BRKACI-2300

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda

• Solutions for vSphere Integration
• Zero-trust Network for Virtual Machines
• VMware Admins as API Consumers for Infrastructure Automation
• Containers as First-Class Citizens
• Overlays Inception?
• Extending the Virtual Datacenter
Application Architectural Evolution

Service                  Microservice     Function f()
Autonomous               Single Purpose   Single Action
Loosely-coupled          Stateless        Event Sourced
Independently Scalable   Ephemeral
Automated
What are the consequences on the network?
Cisco ACI is a versatile solution to address network management AND SDN challenges
ACI is a Zero-touch VXLAN Fabric with associated Services

Policy Driven
• Decoupling of: endpoint identity, location, associated policy
• Policies are applied regardless of the underlying topology

Overlay Normalization
• Normalization of ingress encapsulation: VLAN, VXLAN
• VXLAN and VTEP instances are managed by the fabric

Traffic Optimization
• Default Gateway distributed at ToR
• No flooding for IP control plane
• Both spine and leaf nodes leverage distributed functions

Service Insertion
• Service Graph
• Policy Based Redirection
• Network Services or NFV can be provided by 3rd party L4-7 devices
Solutions for vSphere Integration
ACI domains define where and how to deploy policies

Physical Domain
• Defines a pool of VLANs that can be manually allocated to fabric access ports for consumption
• When an EPG is created and associated to a domain and a fabric access port, the admin must choose a particular VLAN ID available within this pool (dot1q). This allows the VLAN to be effectively programmed in the CAM.
• In this scenario, ACI doesn’t make any difference between virtual machines and bare metal servers

(Figure: a Physical Domain with pool=100,200 attached to vPC_ESXi_01 towards an ESXi host and to vPC_SRV_01 / vPC_SRV_02 towards bare metal servers; VLAN 100 carries EPG Web and VLAN 200 carries EPG App on every port.)
Virtual Machine Manager Domain

VMM Domain
• The VMware Virtual Machine Manager Domain (VMM) defines a relationship between APIC and vCenter
• Each VMM maps to a VDS that is pushed and configured to vCenter by APIC
• Each EPG maps to a port-group with dynamic VLAN allocation
• APIC reports full vCenter inventory
• Host Teaming and Failover Policy is automatically configured
• Policies are deployed on-demand (other option is immediate)
• Enables the use of ACI vCenter Plugin

(Figure: control plane between APIC and vCenter; EPG Web and EPG App map to port-groups on VLAN 1001 and VLAN 2030; the configured policy is resolved on the leaf, which carries a dot1q trunk (1001,2030) to the ESXi host with CDP/LLDP enabled.)
Resolution vs Instrumentation Immediacy
• Resolution Immediacy – When is policy downloaded?
  • Immediate: when hypervisor attached to VDS
  • On-Demand: when VM is attached to port-group
  • Pre-provision: not relying on LLDP, based on AAEP (solves chicken and egg problem for vmkernel ports)
  • NO EFFECT on Physical Domain (always resolved immediately)
• Deployment Immediacy – When is policy implemented in TCAM?
  • Immediate: as soon as policy is downloaded
  • On-demand: when first packet hits the leaf
ACI can also control host configuration

ESX Teaming and Failover policy is determined based on this information:
• Attachable Access Entity Profile (AAEP)
• Interface Policy Group (vPC - PC - Access)
• Interface Profile / Selector
• VMM domain
• vSwitch Policies

What happens if host is not directly connected?
ACI with Blade Architecture (UCS) and vCenter
• CDP/LLDP in vCenter identifies UCS Manager address
• CDP/LLDP in APIC also identifies UCS Manager, and associated ports

    #fabric 101 show cdp nei det
    Device ID:ucs-02-B(SSI161107TL)
    System Name: ucs-02-B
    Interface address(es):
      IPv4 Address: 10.52.249.6
    Platform: UCS-FI-6248UP, Capabilities: Switch IGMP Filtering Supports-STP-Dispute
    Interface: Ethernet1/22, Port ID (outgoing port): Ethernet1/22

APIC knows which ports need to be programmed with VMM related VLANs
ACI with Blade Architecture (UCS) and vCenter
• AAEP is linked to vPC policy group (IP Hash)
• ESXi blade needs load-balancing based on virtual port id or LBT
• vSwitch policies permit to override AAEP

(Figure: a vPC from the fabric to two Cisco UCS 6248UP fabric interconnects feeding a UCS 5108 chassis of B230 blades; the blades use MAC-PINNING or LBT.)
The Elephant in the Room…
What has been announced?

1. March 2017: VMware announces discontinuation of the “3rd Party Virtual Switch Program” from vSphere 6.5U2
   - forcing a major operational change upon customers

2. May 2, 2017: Cisco makes ‘Customer First Commitment’ with Next Generation of AVS and Nexus 1000v solutions:
   - Removing the VMware imposed ‘short runway’
   - Easy transition/migration
   - Maintain existing processes/procedures (operational wholeness)

3. August 24, 2017: Follow up to May 2 blog. Posted in the week prior to VMworld:
   - Reinforce earlier commitment to customers
   - Announce “ACI Virtual Edge” (AVE) as about to enter EFT
Current AVS implementation

APIC
• APIC Controller
• ACI Policy Model
• Policy Manager (PM)
• Northbound APIs: REST, GUI, CLI
• Scale-out architecture
• 500*256 hosts

Leaf (figure label: 500+)
• PE + OE

ESXi (figure label: 256)
• User space: OpFlex Library, AVS Agent
• Kernel space: AVS VEM

Main features
• uSeg + DFW
• VXLAN with Fabric
• Local Switching
AVE is the user space equivalent of AVS

The virtual leaf for ACI
• Closer to the workloads
• Introduces new capabilities
  • VXLAN termination on HV
  • Software-only Overlay
  • Connection tracking
  • Micro-Segmentation
  • Local switching

(Figure: a VXLAN tunnel from the AVE on the host to the fabric, FTEP 10.0.0.32.)

AVS/AVE Switching Modes
AVS/AVE Use Case #1
• UCS and blade switches
• Non-directly connected workloads
• UCS traditionally requires admins to provision VLANs for all VM port-groups
• With VXLAN termination at the host, only the ACI infra VLAN is required
• Applies to all blade environments, or where ESXi is not directly connected to the leaf

(Figure: VXLAN between Leaf and AVS, carried over the ACI Infra VLAN extension through the blade switch; OpFlex between leaf and AVS.)
AVS/AVE Use Case #2

Complete visibility
In VXLAN w/ no local switching mode, all traffic (including intra-EPG traffic that is otherwise locally switched by AVS) is forwarded to the leaf for switching.

ACI gets full visibility to traffic in the virtual infrastructure and can provide real-time telemetry.

(Figure: all traffic sent to the leaf, then to a Data Broker/Matrix Switch feeding the Monitoring Tools.)
AVS/AVE Use Case #3

Distributed Firewall
Offers Stateful Connection Tracking when VMs move across the DC.

Stateful filters are limited to checking if the ACK bit is set in the packets from the provider to the consumer without any TCP flow state tracking.

Cisco AVS maintains a connection table to track TCP flows and creates a TCP flow table entry on receiving the first TCP SYN packet.

A TCP packet is permitted to establish a connection only if a corresponding flow entry exists and dropped otherwise.
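To make the difference concrete, here is an added Python example (not code from the deck) that runs a constructed three-way handshake and a stray provider-sourced ACK packet through both a stateless ACK-bit check and a SYN-created flow table; the addresses, port and packets are made up for the demo.

```python
# Added example, not code from the Cisco deck: a toy model contrasting the
# two filtering behaviours the slide describes. ack_bit_filter() is the
# stateless check (provider-to-consumer packets pass whenever the ACK bit is
# set); FlowTable models the AVS behaviour (an entry is created on the first
# SYN from consumer to provider, and every other packet needs a matching entry).
# Addresses, port and packets below are constructed for the demo.
from dataclasses import dataclass

SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


# Constructed contract: consumer 10.0.1.10 may reach provider 10.0.2.20 on TCP 5432.
CONSUMER, PROVIDER, PORT = "10.0.1.10", "10.0.2.20", 5432


def ack_bit_filter(pkt: Packet) -> bool:
    """Stateless filter: consumer->provider on the contract port is permitted;
    provider->consumer is permitted whenever the ACK bit is set."""
    if pkt.src == CONSUMER and pkt.dst == PROVIDER and pkt.dport == PORT:
        return True
    if pkt.src == PROVIDER and pkt.dst == CONSUMER and pkt.sport == PORT:
        return bool(pkt.flags & ACK)
    return False


class FlowTable:
    """Connection table keyed by the consumer-side 4-tuple."""

    def __init__(self) -> None:
        self.flows: set = set()

    def permit(self, pkt: Packet) -> bool:
        is_first_syn = (pkt.src == CONSUMER and pkt.dst == PROVIDER
                        and pkt.dport == PORT
                        and pkt.flags & SYN and not pkt.flags & ACK)
        if is_first_syn:
            # the first SYN creates the flow entry and is permitted
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # any other packet, in either direction, needs an existing entry
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return forward in self.flows or reverse in self.flows


def run_demo() -> dict:
    table = FlowTable()
    handshake = [
        Packet(CONSUMER, 40000, PROVIDER, PORT, SYN),
        Packet(PROVIDER, PORT, CONSUMER, 40000, SYN | ACK),
        Packet(CONSUMER, 40000, PROVIDER, PORT, ACK),
    ]
    stateless_ok = all(ack_bit_filter(p) for p in handshake)
    stateful_ok = all(table.permit(p) for p in handshake)
    # A provider-sourced packet with the ACK bit set that belongs to no tracked
    # connection: the stateless check lets it through, the flow table drops it.
    stray = Packet(PROVIDER, PORT, CONSUMER, 50000, ACK)
    return {
        "handshake_stateless": stateless_ok,
        "handshake_flow_table": stateful_ok,
        "stray_stateless": ack_bit_filter(stray),
        "stray_flow_table": table.permit(stray),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {'permit' if verdict else 'drop'}")
```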
AVS/AVE Use Case #4

Micro-Segmentation
1. User creates regular EPG without VM attributes in the tenant
2. User creates “Attribute based EPG” and associates it to the same VMM Domain. A new encapsulation id (VLAN/VXLAN) is allocated for this EPG (NO Port-Group created). The attribute based EPG system dynamically puts VMs from “Base EPG” into the new “Attribute based EPG” if the VMs match the criterion (attribute).

(Figure: vCenter, leaf nodes and AVS/AVE; base EPG PROD with VMs, µEPG Web, and µEPG DB reachable on TCP 5432.)
Policy Consistency with Opflex

(Figure: APIC pushes policy to the spines and to Leaf1, Leaf2 and Leaf3, each holding a Policy DB, a PE and a data path. Opflex agents with their own data paths run on a blade switch, a FEX and a vPC-attached traditional switch; datapath agents run on vLeaf1, vLeaf2 and vLeaf3 under the Virtualization Manager. Also valid for traditional switches.)

AVS vs AVE - Different Architectures
AVE Architecture

(Figure: physical NICs below a VDS; vmkernel ports, VMs and the AVE attach to the VDS.)
• vmkernel port i/o (management, vMotion, NFS, etc) does not transit AVE
• Portgroups mapped to Isolated PVLANs based on EPG configuration, forcing inter-VM E-W traffic via AVE
• Inside trunk: configured in Promiscuous Mode with Primary and Secondary VLANs
• Outside trunk: for traffic to/from the ACI fabric, configured with infra VLAN or APIC VLAN pool depending upon AVE mode (VXLAN/VLAN)
AVE Architecture
• AVE runs on CentOS with DPDK
• User space scheduler (AVE Scheduler, DPDK mode scheduler) is similar to the kernel scheduler
• AVE receives on Secondary VLAN and forwards on Primary VLAN
• Support VXLAN and VLAN
• Future support for PCI pass-through
• External Port-group can be backed by VLAN Pool or ACI Infra VLAN
• Internal AVE Port-group is a Promiscuous Trunk; the VM sends traffic in the Secondary Isolated VLAN

(Figure: the AVE VM has three vmxnet3 interfaces on the VDS: Internal (VLAN-10), External (VLAN-20) and Mgmt.)
AVE Data-path
• VM port-groups are defined as secondary isolated PVLANs with (P,S) derived from the internal pool
• Inside trunk is in promiscuous mode and is configured to allow the internal VLAN pool
• Outside trunk is configured to allow the infra VLAN in AVE VXLAN mode, or the external VLAN pool in AVE VLAN mode
• Mixed mode is also possible
• Outside port-group is the only one configured with physical uplinks
• VMs send traffic on Secondary VLAN; AVE sends traffic on Primary VLAN

(Figure, VXLAN encapsulation: on the ESXi host the AVE-SVM has an inside Promiscuous Trunk (50-100) and an outside VTEP on the Infra VLAN (3967) towards the VDS vmnic uplink; VM port-groups use (P,S)=50,51 and (P,S)=52,53.)
(Figure, VLAN encapsulation: same layout, but the outside side is a Promiscuous Trunk (101-150) instead of a VTEP.)
AVE Native (by-pass) mode

(Figure: VMKernel traffic (e.g. storage, mgmt) and the AVE-SVM inside/outside interfaces on the VDS, sharing the vmnic uplink.)
AVE Installation GUI

(Screenshots, steps 1 to 5.)
• All AVE versions uploaded to the content libraries
• All portgroups common to the hosts selected
Zero-trust Network for Virtual Machines
Reduce attack surface of ESXi hosts

(Figure: on the ESXi side, EPG vMotion, EPG mgmt and EPG NFS Client with intra-EPG isolation; EPG NFS as provider fronting the NFS Server; Ext EPG 10.10.10.0/16 on VLAN 100 containing the vSphere Client and the DHCP Server; an SSH contract and the other provider/consumer relationships are expressed as contracts between the EPGs.)
Simplify network by flattening IP subnets

(Figure: Cluster 01 and Cluster 02 each have a vMotion Network and a Mgmt Network; both clusters share the vMotion Subnet 192.168.100.0/24 and the Management Subnet 192.168.200.0/24, with contracts between the EPGs.)
EPG classification can leverage VM attributes
• µEPG defines a security zone that includes VMs with a common attribute set

(Figure: EPG TEST on VLAN 1500 / VXLAN 346500 containing VMs; µEPGs Web, App and DB (Zone = Web, Zone = App, Zone = DB) with contracts between them and to the internet.)

• IPS can place infected VMs into isolated containers

(Figure: EPG PROD on VLAN 1500 / VXLAN 346500; service insertion towards an Ext EPG; µEPG Remediation with Quarantine = True for infected ports.)
Attribute Precedence

Attribute          Precedence
Mac Sets           1
IP Sets            2
VNIC (DN)          3
VM (ID)            4
VM Name            5
Hypervisor         6
Domain (DVS)       7
Datacenter         8
Custom Attribute   9
Guest OS           10
Tag                11

Operator      Precedence
Equals        1
Contains      2
Starts With   3
Ends With     4
Logical Operators
• Logical operators OR/AND enable multiple rules to match various attributes.
• Rules can be combined into blocks.
• Blocks are sequentially matched using Logical Operators.

Match ALL:
  RULE 1 AND RULE 2 AND RULE 3

Match ANY:
  (RULE 1 AND RULE 2 AND RULE 3)
  OR
  (RULE 1 AND RULE 2 AND RULE 3)
  OR …
µSeg is available with VDS, AVS and AVE
• Supported with AVE (ACI 3.1)
• Supported with VDS and EX/FX based leaf (ACI >= 1.3)

Steps:
1. APIC connects to vCenter and fetches VM inventory including the attributes. Any changes in VM attribute are synced based on VC events.
2. When user configures “EPG PROD” with ‘Allow Micro-Segmentation’, APIC pushes it as isolated-PVLAN based port-group to steer traffic to the leaf
3. VMs attached to the port-group are pushed to the leaf as mac EPG
4. User creates a new uSeg EPG with Attributes
5. APIC does the attribute matching to MAC-list
6. APIC updates MAC-list to uSeg EPG on the leaf

(Figure: VDS port-group with Allow µSeg (P:100,S:200); EPG PROD with VMs of MAC A, B and C pushed to the leaf; uSeg EPG Web with Zone = Web receives MAC = C; Proxy-ARP on the leaf.)
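As an added example that is not part of the deck, the Python below models steps 4 to 6 together with the attribute/operator precedence tables and the Match ALL / Match ANY block logic of the previous slides; the VM inventory, the EPG rules and the tie-breaking by operator precedence are assumptions made for the demo.

```python
# Added example, not code from the Cisco deck: a small model of the uSeg EPG
# classification on the preceding slides. A Rule compares one VM attribute
# with one operator; rules in a block are ANDed (Match ALL) and blocks are
# ORed (Match ANY). When a VM matches several uSeg EPGs, the winner is the EPG
# whose matching block holds the attribute with the lowest precedence number,
# operator precedence breaking ties (assumption: that is how the tables are
# applied here). VM inventory and EPG definitions are constructed.
from dataclasses import dataclass

ATTRIBUTE_PRECEDENCE = {
    "mac": 1, "ip": 2, "vnic": 3, "vm_id": 4, "vm_name": 5, "hypervisor": 6,
    "domain": 7, "datacenter": 8, "custom_attribute": 9, "guest_os": 10, "tag": 11,
}
OPERATOR_PRECEDENCE = {"equals": 1, "contains": 2, "starts_with": 3, "ends_with": 4}
OPERATORS = {
    "equals": lambda actual, wanted: actual == wanted,
    "contains": lambda actual, wanted: wanted in actual,
    "starts_with": lambda actual, wanted: actual.startswith(wanted),
    "ends_with": lambda actual, wanted: actual.endswith(wanted),
}


@dataclass(frozen=True)
class Rule:
    attribute: str
    operator: str
    value: str

    def matches(self, vm: dict) -> bool:
        actual = vm.get(self.attribute)
        return actual is not None and OPERATORS[self.operator](actual, self.value)

    def rank(self) -> tuple:
        # lower tuple wins: (attribute precedence, operator precedence)
        return (ATTRIBUTE_PRECEDENCE[self.attribute], OPERATOR_PRECEDENCE[self.operator])


@dataclass
class USegEPG:
    name: str
    blocks: list  # each block is a list of Rules; blocks are ORed together

    def match_rank(self, vm: dict):
        """Best rank among the blocks that fully match, or None if none does."""
        best = None
        for block in self.blocks:
            if block and all(rule.matches(vm) for rule in block):
                rank = min(rule.rank() for rule in block)
                if best is None or rank < best:
                    best = rank
        return best


def classify(vm: dict, epgs: list, base_epg: str = "PROD") -> str:
    """Return the uSeg EPG the VM lands in, or the base EPG if nothing matches."""
    candidates = [(rank, epg.name) for epg in epgs
                  if (rank := epg.match_rank(vm)) is not None]
    return min(candidates)[1] if candidates else base_epg


# Constructed vCenter inventory (step 1) and uSeg EPG definitions (step 4).
VMS = [
    {"vm_name": "web-01", "mac": "00:50:56:aa:00:01", "guest_os": "Ubuntu Linux", "tag": "zone:web"},
    {"vm_name": "db-01", "mac": "00:50:56:aa:00:02", "guest_os": "Ubuntu Linux", "tag": "zone:db"},
    {"vm_name": "web-99", "mac": "00:50:56:aa:00:03", "guest_os": "Ubuntu Linux", "tag": "quarantine"},
    {"vm_name": "app-01", "mac": "00:50:56:aa:00:04", "guest_os": "Ubuntu Linux", "tag": "zone:app"},
]
EPGS = [
    USegEPG("Web", [[Rule("vm_name", "starts_with", "web-"), Rule("guest_os", "contains", "Linux")]]),
    USegEPG("DB", [[Rule("vm_name", "starts_with", "db-")], [Rule("tag", "equals", "zone:db")]]),
    # MAC-based EPG outranks the name-based Web EPG for web-99 (precedence 1 vs 5)
    USegEPG("Quarantine", [[Rule("mac", "equals", "00:50:56:aa:00:03")]]),
]


def mac_lists(vms: list = VMS, epgs: list = EPGS) -> dict:
    """MAC list per EPG, i.e. what APIC pushes to the leaf in steps 5 and 6."""
    result: dict = {}
    for vm in vms:
        result.setdefault(classify(vm, epgs), []).append(vm["mac"])
    return result


if __name__ == "__main__":
    for epg, macs in mac_lists().items():
        print(f"{epg}: {', '.join(macs)}")
```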
VMware Admins as API Consumers for Infrastructure Automation
Central API and consistency are key to SDN

In ACI, everything is an object
• Objects are hierarchically organized
• dMIT (Distributed Management Information Tree), accessed via REST, contains comprehensive system information
  • discovered components
  • system configuration
  • operational status including statistics and faults
• Class identifies object type
  • Card, Port, Path, EPG…
• Class Inheritance
  • Access port is a subclass of port.
  • A leaf node is a subclass of fabric node.
One Object Model, Multiple Trees

Example: Create a port-group and subnet
What if I tell you ”You don’t have to leave vCenter to configure ACI”?

ACI vCenter plugin
• Stateless, does not store any information: fetches everything from APIC
• VMM must already exist

(Figure: the vCenter Plugin in the vSphere Web Client talks to APIC through the VMM Domain.)
ACI vCenter plugin
• No in-depth knowledge of ACI required
• Create EPGs, subnets and default gateways
• Implement distributed security
• Insert L4-7 Service
• Automatic VLAN creation and network stitching for Service Insertion
Network is still under control

CRUD Operations
• Can configure, read, update or delete:
  • Tenant
  • Application Profile
  • EPG / MicroEPG
  • Contract
  • Filter
  • VRF
  • Bridge Domain

External Connectivity, Troubleshooting
• Limited Operations on L2/L3Outs
  • Can consume existing external EPGs
  • Can’t create, edit, delete
• L4-7 Service Graphs
  • Can use existing Service Graph
  • Can’t create Service Graph template
  • Can edit empty mandatory parameters of a function profile
• Troubleshooting Tools
Now let’s move to the cloud
vRO/vRA plugin for ACI

Service Blueprints
• Day 0/1 Operations
Event Broker Subscription Integration

(Figure: a vRA Blueprint event (provisioning, decommissioning) is published with its payload of contextual variables (OS, system generated variables, custom variables) onto the RabbitMQ Message Bus; vRO holds a subscription to the blueprint events and executes an ACI plugin workflow upon each event, with the event payload as input.)
Containers as First-Class Citizens
Containers in VMs?

Management tools:
- Change management granularity
- Single Management Interface for VMs and container hosts across multiple locations (centralized SSO, vCenter Templates)
- Take advantage of vSphere high-availability and resource scheduling capabilities (HA, DRS)

Security
- VM encapsulation as logical boundary
- Better isolation

Storage
- HCI integration (Hyperflex)
- Storage optimization (SIOC, storage DRS)
Kubernetes Concepts
• Cluster: An entire Kubernetes installation
• Namespace: A scoping for different names (does not imply security or isolation)
• Deployment: A replicated set of pods
• Service: An abstraction representing a set of pods and a way of accessing them
• Pod: A ”container”

(Figure: an Outside Network reaching two Services, each fronting a Deployment of Pods, inside a Namespace inside the Cluster.)
K8s Network Policy
• Fine-grained specification of how selections of pods are allowed to communicate with each other and other network endpoints
• Network namespace isolation using defined labels
  • directional: allowed ingress pod-to-pod traffic
  • filters traffic from pods in other projects
  • can specify protocol and ports (e.g. tcp/80)

Policy applied to namespace: namespace-a (figure shows namespace-a and namespace-b)

    kind: NetworkPolicy
    apiVersion: extensions/v1beta1
    metadata:
      name: allow-orange-to-blue-same-ns
    spec:
      podSelector:
        matchLabels:
          type: blue
      ingress:
      - from:
        - podSelector:
            matchLabels:
              type: red
Dual Level Policy Enforcement

Native API
Both Kubernetes Network Policy and ACI Contracts are enforced in the Linux kernel of every server node that containers run on.

Containers are mapped to EPGs and contracts between EPGs are also enforced on all switches in the fabric where applicable.

Both policy mechanisms can be used in conjunction.

Default deny all traffic:

    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: default-deny
    spec:
      podSelector: {}
      policyTypes:
      - Ingress
      - Egress
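The two manifests above, transcribed into an added Python example (not from the deck or the ACI CNI plugin) that evaluates which pod-to-pod ingress flows they allow, alone and in combination; the pod names, labels and the namespace assigned to default-deny are constructed for the demo.

```python
# Added example, not code from the Cisco deck: an ingress evaluator for the two
# NetworkPolicy manifests on the preceding slides, transcribed into Python dicts
# so no YAML parser is needed. Pod names, labels and namespaces are constructed;
# the default-deny policy is assumed to live in namespace-a (the slide omits the
# namespace). Modelled semantics: a pod selected by any policy whose policyTypes
# include Ingress is isolated for ingress, and traffic reaches it only if some
# selecting policy has an ingress rule whose from-entry matches the source pod;
# a podSelector in a from-entry only matches pods in the policy's own namespace.
ALLOW_RED_TO_BLUE = {
    "apiVersion": "extensions/v1beta1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-orange-to-blue-same-ns", "namespace": "namespace-a"},
    "spec": {
        "podSelector": {"matchLabels": {"type": "blue"}},
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"type": "red"}}}]}],
    },
}
DEFAULT_DENY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny", "namespace": "namespace-a"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
}


def selector_matches(selector: dict, labels: dict) -> bool:
    # An empty selector {} matches every pod; only matchLabels is modelled.
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def policy_types(policy: dict) -> set:
    # Kubernetes default: Ingress always, Egress only if an egress section exists.
    spec = policy["spec"]
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}


def ingress_allowed(src: dict, dst: dict, policies: list) -> bool:
    """src and dst are {'namespace': str, 'labels': dict}."""
    isolated = False
    for pol in policies:
        pol_ns = pol["metadata"]["namespace"]
        if pol_ns != dst["namespace"] or "Ingress" not in policy_types(pol):
            continue
        if not selector_matches(pol["spec"]["podSelector"], dst["labels"]):
            continue
        isolated = True  # dst is selected: only explicit allows get through
        for rule in pol["spec"].get("ingress", []):
            if not rule.get("from"):
                return True  # a rule with no from-entry allows all sources
            for peer in rule["from"]:
                if ("podSelector" in peer and src["namespace"] == pol_ns
                        and selector_matches(peer["podSelector"], src["labels"])):
                    return True
    return not isolated


# Constructed pods: three in namespace-a, one in namespace-b.
PODS = {
    "red": {"namespace": "namespace-a", "labels": {"type": "red"}},
    "blue": {"namespace": "namespace-a", "labels": {"type": "blue"}},
    "orange": {"namespace": "namespace-a", "labels": {"type": "orange"}},
    "red-b": {"namespace": "namespace-b", "labels": {"type": "red"}},
}


def allowed_pairs(policies: list) -> set:
    """All (src, dst) pod pairs whose ingress is allowed under the policies."""
    return {(s, d) for s in PODS for d in PODS
            if s != d and ingress_allowed(PODS[s], PODS[d], policies)}


if __name__ == "__main__":
    for label, pols in [("allow only", [ALLOW_RED_TO_BLUE]),
                        ("allow + default-deny", [ALLOW_RED_TO_BLUE, DEFAULT_DENY])]:
        print(label, sorted(allowed_pairs(pols)))
```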
ACI and K8S Integration Deployment Architecture
• Integration supported for K8S nodes as bare metal host or VM

0. Check pre-req
1. Provision VMware VMM (ACI VMware VMM: VDS, trunk portgroup auto-created, OOB)
2. Deploy CNI Plugin on the Container Host (ACI CNI Plugin: Container Controller, Host agent + Opflex, OVS)
3. Objects get created in APIC

(Figure: VTEPs on the leaf and on the container host exchange VXLAN over the Infra VLAN; the integration uses a Pod Subnet, an External Service Subnet and a Node Service Subnet.)
Overlays Inception?
Why Running Software Overlays over ACI?
• ACI is the best transport from a fabric connectivity and network management perspective
• Some locations may not have ACI-based equipment (vPOD can help here!)
• It may not be possible to dissociate the overlay from a particular solution (older Docker version for Swarm, VMware vCloud Director etc)
• The software overlay was “already there”
What about VMware NSX-V?

(Figure: NSXv Manager and NSXv Controller drive a VXLAN overlay (Network Virtualization) across ESXi hosts; ACI ToRs with HW VTEPs connect bare metal. ACI provides mgmt-plane visibility and adds L3 capabilities, can still do VXLAN, and provides the overlay for Security, Service Insertion and Network Services (VPN, NAT, SLB, Perimeter Firewall) together with Ecosystem Partners; sample policy: Web -HTTPS-> App -3306-> DB.)
Option 1
• Use Micro-segmentation and Network Services:
  • No need for Controllers, Edge Gateways and Edge Racks
  • Substantial savings for compute resources
  • Take advantage of ACI policies virtual, physical and containers domain knowledge
  • Single API shared across multiple teams to orchestrate application deployment and infrastructure
  • No connectivity island
  • E/W stateful security for VMs, while ACI brings service insertion capabilities for N/S
  • Dedicated Security API, security tags can be used for automation
  • Network services can be provisioned on demand: SLB or NAT, FW
  • ACI can do service insertion to facilitate network service deployment
Architecture example

(Figure: VRF CTX-01. L3 Out 10.10.1.0/24 (.1) with Ext EPG; BD-WEB 192.168.1.0/24 (.1) with EPG Web, VIP 10.10.1.100; BD-ESG 192.168.2.0/24 (.1) with an SLB for on-demand load-balancing; BD-App with EPG App. Contracts: Ext EPG -> EPG Web redirects HTTP/HTTPS through a PBR Service Graph; EPG Web -> EPG App permits ANY. A Shadow EPG gets automatically created with the corresponding port-group.)
Option 2
• ACI as the underlay and L3 boundary
• All VTEPs can be part of the same subnet
• ACI can further provide VTEP subnet segmentation with appropriate EPG mapping

(Figure: EPG A (TZ – Cluster A) and EPG B (TZ – Cluster B) in BD 10.30.0.1/16.)
Benefits vs non-ACI L3 Fabrics*
• No need for Edge Racks:
  o Perimeter ESG for Tenant/Customer is part of the tenant.
  o Edge physical failure domain is independent from other tenants.
• No L2 isolation at ToR for non-VM traffic:
  o ACI provides L2 reachability between Customers or Tenant racks.
  o ESXi hosts network configuration is drastically simplified. (No need for multiple VMKernel TCP/IP Stacks or static routes for vmk network reachability).
• Enhanced Security with AAEP, Security Domains and fabric white-list model.

(Figure: spines S1 and S2 with leaves L1 to L8; L2 ext to the Core / WAN-DCI via SVI or subinterface; Tenant A (Rack 1-2) with VNI 5001/5002 and Tenant B (Rack 3-4) with VNI 6001/6002; ESG and DLR carry the North/South flow over VLAN and VXLAN.)

*Example shows tenants limited to specific racks.
ACI Peering with Virtual Router VNF

(Figure, three slides: Leaf 101 to Leaf 104 with an L3Out; Hosts 1 to 4 form a VMware DRS Cluster running the virtual router VM; the routing adjacency is formed with the L3Out and routing occurs at the directly connected ToR; fabric-wide MAC 0022.bdf8.19ff.)
ACI Integration with NAT VNF

(Figure: VRF CTX-01. L3 Out 10.10.1.1/24 with Ext EPG; BD-ESG with EPG NAT; BD-VTEP 10.10.2.1/24 with EPG VTEP carrying VXLAN / Geneve. Contract Ext EPG -> EPG Web permits HTTP/HTTPS.)
• Data-plane invisible for ACI
• No need for extra virtual routing layer*

*You can’t have ESG with NAT + ECMP: another routing layer is required for ECMP
Extending the Virtual Datacenter
ACI Network and Policy Domain Evolution
Simplify and Extend the Network

(Figure: Site ‘A’ to Site ‘n’ ACI Fabrics interconnected over IP with MP-BGP - EVPN; ISE and the Multi-Site Orchestrator above them.)

• ACI 1.0: Single Leaf Spine Fabric
• ACI 1.1: Geographically stretch a single fabric ‘and’ interconnect fabrics with IP based EPG’s
• ISE 2.1 & ACI 1.2: Federation of Identity and Interconnect TrustSec and ACI using IP based EPG/SGT
• ACI 2.0: Multiple Networks (Pods) in a single Availability Zone (Fabric)
• ACI 3.0: Multiple Availability Zones in a Single Region ’and’ Multi-Region Policy Management
• ACI 3.1/3.2: Remote Leaf and vPod extend an Availability Zone (Fabric) to remote locations
Multi-Pod

(Figure: POD 1 and POD 2 connected through a Generic IP Network with VXLAN EVPN; a single APIC cluster; one VDS spanning both Pods with EPG App on encap-vlan 2020.)
Multi-Pod
• Multiple ACI Pods connected by an IP Inter-Pod L3 network, each Pod consists of leaf and spine nodes
• Managed by a single APIC Cluster
• Single Management and Policy Domain
• Forwarding control plane (IS-IS, COOP) fault isolation
• Data Plane VXLAN encapsulation between Pods
• End-to-end policy enforcement
ACI Evolution
Extend ACI Infrastructure, Policy and Management beyond Physical Multi-Pod

(Figure: the ACI Fabric’s Extended Operations Domain reaches over an IP WAN (L2 / L3) to a Remote Physical Leaf (N9K) and to a vPod made of vSpine + vLeaf over vSwitches on hypervisors.)
vPod

(Figure: the existing N9K Data Center and the vPOD share ACI policies across an IP Network; the vPOD runs an iVXLAN Overlay across AVE and vSwitch instances on hypervisors hosting Web, App and DB tiers.)
vSpine, vLeaf, and AVE

vSpine + vLeaf
• Run as container services inside VMs at the vPod location (collocated for availability)
• vLeaf: Distribute APIC policies to AVE forwarders (DME/PE)
• vSpine: Centralized endpoint and LPM database (COOP and BGP)
• Not in forwarding data path

AVE
• Implements ACI data path functions
• Use iVXLAN for communication within the Remote site as well as between the vPod and other Pods

(Figure: vPod with vSpine + vLeaf (DME/PE, COOP Oracle, BGP RR) connected over the IP Network; iVXLAN Overlay across AVE instances on hypervisors hosting Web, App and DB.)
vPod
Multiple vPods

(Figure, two slides: several vPods, each with its own vSpine + vLeaf (DME/PE, COOP Oracle, BGP RR) and an iVXLAN Overlay across AVE instances on hypervisors hosting Web, App and DB, connected over an IP Network to the data center running AVE and vSwitches; eBGP peering between the ‘spines’.)
Key Takeaways
• ACI provides the best overlay manager for VMware based solutions
• APIC is tightly integrated with VMware VDS and allows for flexible networking designs
• ACI Open API enables easy integration with VMware vCenter and vRealize Automation by means of plugins maintained by Cisco (available on CCO)
• VMware admins can consume ACI with their existing tools
• Network team keeps CONTROL over the physical AND the virtual network
• ACI accelerates VM provisioning and lifecycle management across multiple locations without compromise on security and connectivity.
Thank you