BRKACI-2300
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
Service                 Microservice      Function f()
Autonomous              Single Purpose    Single Action
Loosely-coupled         Stateless         Event Sourced
Independently Scalable  Ephemeral
Automated
What are the consequences on the network?
(Figure: timeline with the labels "25 years" and "22 years")
Cisco ACI is a versatile solution to address network management AND SDN challenges
ACI is a Zero-touch VXLAN Fabric with associated Services
• Policies are applied regardless of the underlying topology
• VXLAN and VTEP instances are managed by the fabric
• Both spine and leaf nodes leverage distributed functions
• Network Services or NFV can be provided by 3rd party L4-7 devices
(Figure labels: VLAN, POLICY, VXLAN)
Agenda
• Defines a pool of VLANs that can be manually allocated to Fabric access ports for consumption
• When an EPG is created and associated to a domain and a fabric access port, the admin must choose a particular VLAN ID available within this pool (dot1q). This allows the VLAN to be effectively programmed in the CAM
• In this scenario, ACI doesn't make any difference between virtual machines and bare metal servers
(Figure: ESXi host with VMs on VLAN 100 – EPG Web and VLAN 200 – EPG App, attached through vPC_SRV_01 and vPC_SRV_02, each with pool=100,200)
Virtual Machine Manager Domain
• The VMware Virtual Machine Manager Domain (VMM) defines a relationship between APIC and vCenter
• Each VMM domain maps to a VDS that is pushed and configured in vCenter by APIC
• Each EPG maps to a port-group with dynamic VLAN allocation
(Figure: control plane between APIC and vCenter; EPG Web and EPG App configured as port-groups with VLAN 1001 and VLAN 2030 allocated dynamically)
Resolution vs Instrumentation Immediacy
• Resolution Immediacy – When is policy downloaded?
• Immediate: When the hypervisor is attached to the VDS
• On-Demand: When a VM is attached to the port-group
• Pre-provision: Not relying on LLDP, based on the AAEP (solves the chicken-and-egg problem for vmkernel ports)
• No effect on a Physical Domain (always resolved immediately)
ACI can also control host configuration
(Figure: Attachable Access Entity Profile (AAEP) carrying vSwitch Policies, linked to vPC / PC / Access Interface Policy Groups and Interface Profiles / Selectors)
ACI with Blade Architecture (UCS) and vCenter
• CDP/LLDP in vCenter identifies the UCS Manager address
• CDP/LLDP in APIC also identifies UCS Manager and the associated ports:
  # fabric 101 show cdp nei det
  …
  Device ID:ucs-02-B(SSI161107TL)
• APIC knows which ports need to be programmed with VMM related VLANs
ACI with Blade Architecture (UCS) and vCenter
• The AAEP is linked to a vPC policy group (IP Hash)
• The ESXi blade needs load-balancing based on virtual port ID (MAC pinning) or LBT, because its vNICs terminate on two separate fabric interconnects and cannot form an IP Hash port-channel
• vSwitch policies allow the AAEP setting to be overridden for these hosts
(Figure: two Cisco UCS 6248UP fabric interconnects connected to the ACI leaves with a vPC; UCS 5108 chassis with UCS B230 M1/M2 blades; MAC-PINNING or LBT towards the blades)
The Elephant in the Room…
What has been announced?
1. 1 March 2017: VMware announces discontinuation of the "3rd Party Virtual Switch Program" from vSphere 6.5U2, forcing a major operational change upon customers
2. May 2, 2017: Cisco makes a 'Customer First Commitment' with the next generation of AVS and Nexus 1000v solutions:
   - Removing the VMware imposed 'short runway'
   - Easy transition/migration
   - Maintain existing processes/procedures (operational wholeness)
3. August 24, 2017: Follow-up to the May 2 blog, posted in the week prior to VMworld:
   - Reinforces the earlier commitment to customers
   - Announces "ACI Virtual Edge" (AVE) as about to enter EFT
Current AVS implementation
• APIC: APIC Controller, ACI Policy Model, Policy Manager (PM), Northbound APIs (REST, GUI, CLI), scale-out architecture
• Leaf: PE + OE (500+)
• ESXi host: OpFlex Library and AVS Agent in user space, AVS VEM in kernel space (256)
• Scale: 500*256 hosts
• Main features: uSeg + DFW, VXLAN with the Fabric, Local Switching
AVE is the user space equivalent of AVS
The virtual leaf for ACI
• Closer to the workloads
• Introduces new capabilities:
  • VXLAN termination on the hypervisor
  • Software-only overlay
  • Connection tracking
  • Micro-segmentation
  • Local switching
(Figure: AVE on each hypervisor with a VXLAN tunnel to the fabric; FTEP 10.0.0.32)
AVS/AVE Switching Modes
AVS/AVE Use Case #1
AVS/AVE Use Case #2: Complete visibility
In VXLAN with no local switching mode, all traffic (including intra-EPG traffic that is otherwise locally switched by AVS) is forwarded to the leaf for switching
AVS/AVE Use Case #3: Distributed Firewall
Offers stateful connection tracking when VMs move across the DC
AVS/AVE Use Case #4: Micro-Segmentation
The user creates a regular EPG without VM attributes in the tenant; VMs are then classified into µEPGs based on their vCenter attributes
(Figure labels: vCenter; µEPG DB; TCP 5432)
Policy Consistency with OpFlex
(Figure: spines; vLeaf1, vLeaf2 and vLeaf3, each with an OpFlex agent and a datapath; Virtualization Manager)
AVS vs AVE - Different Architectures
AVE Architecture
• Physical NICs belong to the VDS; vmkernel port I/O (management, vMotion, NFS, etc.) does not transit AVE
• Port-groups are mapped to isolated PVLANs based on EPG configuration, forcing inter-VM E-W traffic via AVE
• AVE runs on CentOS with DPDK
• A VM sends traffic in its secondary isolated VLAN; the internal AVE port-group is a promiscuous trunk
AVE Data-path
• VM port-groups are defined as secondary isolated PVLANs with (P,S) pairs derived from the internal pool, e.g. (P,S)=50,51 and (P,S)=52,53
• The inside trunk of the AVE-SVM is in promiscuous mode and is configured to allow the internal VLAN pool (50-100)
• The outside trunk is configured to allow the infra VLAN (3967) in AVE VXLAN mode, or the external VLAN pool in AVE VLAN mode
• VXLAN encapsulation happens inside the AVE-SVM; traffic leaves through the VDS vmnic uplink
AVE Native (by-pass) mode
(Figure: VMkernel traffic (e.g. Storage, Mgmt) goes straight from the VDS to the vmnic uplink, bypassing the AVE-SVM inside/outside trunks)
AVE Installation GUI
(Figure: numbered installation steps; the wizard lists all port-groups common to the hosts selected)
Agenda
(Figure labels: 10.10.10.0/16; SSH; Ext EPG; VLAN 100; EPG NFS; vSphere Client (Consumer); DHCP Server (Provider); NFS Server (Provider / Consumer); contracts between consumer and provider)
Simplify network by flattening IP subnets
(Figure: Cluster 01 and Cluster 02 joined by contracts)
EPG classification can leverage VM attributes
• A µEPG defines a security zone that includes VMs with a common attribute set
(Figure: VMs in the VLAN 1500 / VXLAN 346500 EPG; µEPG TEST)
Logical Operators
• Logical operators OR/AND enable multiple rules to match various attributes.
• Rules can be combined into blocks.
• Blocks are sequentially matched using logical operators.
(Figure: Match ANY: [RULE 1 AND RULE 2 AND RULE 3] OR [...])
µSeg is available with VDS, AVS and AVE
• Supported with AVE (ACI 3.1)
• Supported with VDS and EX/FX based leaf (ACI >= 1.3)
Steps:
1. APIC connects to vCenter and fetches the VM inventory including the attributes. Any change in VM attributes is synced based on vCenter events.
2. When the user configures "EPG PROD" with 'Allow Micro-Segmentation', APIC pushes it as an isolated-PVLAN based port-group (P:100,S:200) to steer traffic to the leaf (Proxy-ARP on the leaf).
3. VMs attached to the port-group are pushed to the leaf as a MAC EPG.
4. The user creates a new uSeg EPG with attributes (e.g. µEPG Web, Zone = Web).
5. APIC does the attribute matching to a MAC-list (MAC = A, B match; MAC = C does not).
6. APIC updates the MAC-list of the uSeg EPG on the leaf.
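The attribute-rule evaluation of the "Logical Operators" slide and steps 1, 4, 5 and 6 above, as an added example (not code from the deck, from APIC or from Cisco). It models the VM inventory APIC would fetch from vCenter, rules grouped into AND/OR blocks that combine with ALL/ANY, and the per-EPG MAC list that would be pushed to the leaf. The attribute names, operators, VM inventory, µSeg EPG definitions and the precedence tie-break are constructed for illustration.

```python
"""Attribute-based micro-segmentation (uSeg) classifier.

Added example, not code from the deck or from APIC. VM inventory, attribute
names, operators and rules below are constructed for illustration.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class VM:
    name: str
    mac: str
    attrs: dict                       # attribute name -> value, as reported by vCenter


@dataclass(frozen=True)
class Rule:
    attr: str                         # e.g. "vm-name", "guest-os", "tag"
    op: str                           # equals | contains | startswith | regex
    value: str

    def matches(self, vm: VM) -> bool:
        actual = vm.attrs.get(self.attr, "")
        if self.op == "equals":
            return actual == self.value
        if self.op == "contains":
            return self.value in actual
        if self.op == "startswith":
            return actual.startswith(self.value)
        if self.op == "regex":
            return re.search(self.value, actual) is not None
        raise ValueError(f"unsupported operator {self.op!r}")


@dataclass(frozen=True)
class Block:
    op: str                           # "and" | "or": how rules combine inside the block
    rules: tuple

    def matches(self, vm: VM) -> bool:
        results = [r.matches(vm) for r in self.rules]
        return all(results) if self.op == "and" else any(results)


@dataclass(frozen=True)
class USegEPG:
    name: str
    match: str                        # "all" | "any": how the blocks combine
    blocks: tuple
    precedence: int = 0               # higher wins when several uSeg EPGs match one VM

    def matches(self, vm: VM) -> bool:
        results = [b.matches(vm) for b in self.blocks]
        return all(results) if self.match == "all" else any(results)


def classify(inventory, useg_epgs, base_epg):
    """Return {epg_name: sorted MAC list}.

    Each VM lands in the highest-precedence uSeg EPG whose rules it matches;
    VMs matching none stay in the base EPG. On a precedence tie the first
    uSeg EPG in the list wins (an assumption of this example).
    """
    placement = {e.name: [] for e in useg_epgs}
    placement[base_epg] = []
    for vm in inventory:
        hits = [e for e in useg_epgs if e.matches(vm)]
        if hits:
            winner = max(hits, key=lambda e: e.precedence)   # max keeps the first on a tie
            placement[winner.name].append(vm.mac)
        else:
            placement[base_epg].append(vm.mac)
    return {k: sorted(v) for k, v in placement.items()}


# Constructed inventory: what APIC would learn from vCenter for EPG PROD.
INVENTORY = (
    VM("web-01", "00:50:56:aa:00:01", {"vm-name": "web-01", "guest-os": "Ubuntu", "tag": "Zone=Web"}),
    VM("web-02", "00:50:56:aa:00:02", {"vm-name": "web-02", "guest-os": "Ubuntu", "tag": "Zone=Web"}),
    VM("app-01", "00:50:56:aa:00:03", {"vm-name": "app-01", "guest-os": "CentOS", "tag": "Zone=App"}),
    VM("db-01", "00:50:56:aa:00:04", {"vm-name": "db-01", "guest-os": "CentOS", "tag": "Zone=DB"}),
    VM("web-dev", "00:50:56:aa:00:05", {"vm-name": "web-dev", "guest-os": "Ubuntu", "tag": "Zone=Test"}),
)

USEG_EPGS = (
    # uEPG Web: name starts with "web" AND tag is Zone=Web (one AND block)
    USegEPG("uEPG-Web", "all", (Block("and", (Rule("vm-name", "startswith", "web"),
                                               Rule("tag", "equals", "Zone=Web"))),)),
    # uEPG DB: name matches ^db- OR tag says Zone=DB (one OR block)
    USegEPG("uEPG-DB", "all", (Block("or", (Rule("vm-name", "regex", r"^db-"),
                                             Rule("tag", "equals", "Zone=DB"))),)),
    # Quarantine any VM whose tag is not a known zone; higher precedence than the others
    USegEPG("uEPG-Quarantine", "all",
            (Block("and", (Rule("tag", "regex", r"^Zone=(?!Web$|App$|DB$)"),)),), precedence=10),
)


def mac_list_for_leaf(epg_name, inventory=INVENTORY, useg_epgs=USEG_EPGS, base_epg="EPG PROD"):
    """The MAC list that would be programmed on the leaf for one EPG (step 6)."""
    return classify(inventory, useg_epgs, base_epg)[epg_name]


if __name__ == "__main__":
    for epg, macs in classify(INVENTORY, USEG_EPGS, "EPG PROD").items():
        print(f"{epg:16s} {', '.join(macs) or '-'}")
```

Two points worth keeping in mind when using this in anger: the classification keys are whatever vCenter reports, so anyone who can rename a VM or edit its tags in vCenter can move it between security zones without touching APIC, which is why a catch-all quarantine µEPG with higher precedence is shown; and a VM that matches two µSeg EPGs needs an explicit precedence, otherwise the outcome is order-dependent.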
Agenda
One Object Model, Multiple Trees
Example: Create a port-group and subnet
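The slide only carries its title, so here is an added example (not code from the deck or from Cisco) of what "create a port-group and subnet" looks like against the single object model: one fvTenant subtree that creates the bridge-domain subnet and an EPG attached to the VMware VMM domain, which is what makes APIC push the matching port-group to vCenter. The class and attribute names are the documented ACI object model and REST API; the tenant, BD, application profile, EPG and VMM domain names, the subnet and the APIC hostname are constructed placeholders.

```python
"""Build and validate the APIC REST payload that creates a port-group and subnet.

Added example, not code from the deck or from Cisco. Names, subnet and APIC
hostname below are placeholders.
"""
import ipaddress
import json
import ssl
import urllib.request

# GUI name -> attribute value: "On-Demand" is "lazy" in the object model.
RESOLUTION_IMMEDIACY = {"immediate", "lazy", "pre-provision"}
INSTRUMENTATION_IMMEDIACY = {"immediate", "lazy"}


def epg_with_subnet(tenant, bd, gateway_cidr, ap, epg, vmm_domain,
                    res_immedcy="lazy", instr_immedcy="lazy", scope="private"):
    """Return one fvTenant subtree: BD + gateway subnet, application profile,
    EPG bound to the BD and attached to the VMware VMM domain."""
    if res_immedcy not in RESOLUTION_IMMEDIACY:
        raise ValueError(f"resImmedcy must be one of {sorted(RESOLUTION_IMMEDIACY)}")
    if instr_immedcy not in INSTRUMENTATION_IMMEDIACY:
        raise ValueError(f"instrImmedcy must be one of {sorted(INSTRUMENTATION_IMMEDIACY)}")
    # fvSubnet.ip is the BD gateway address with its mask, not the network prefix.
    iface = ipaddress.ip_interface(gateway_cidr)
    if iface.network.prefixlen < 31 and iface.ip in (
            iface.network.network_address, iface.network.broadcast_address):
        raise ValueError("fvSubnet ip must be a gateway inside the prefix, e.g. 10.10.10.1/24")
    return {"fvTenant": {"attributes": {"name": tenant}, "children": [
        {"fvBD": {"attributes": {"name": bd}, "children": [
            {"fvSubnet": {"attributes": {"ip": str(iface), "scope": scope}}}]}},
        {"fvAp": {"attributes": {"name": ap}, "children": [
            {"fvAEPg": {"attributes": {"name": epg}, "children": [
                {"fvRsBd": {"attributes": {"tnFvBDName": bd}}},
                {"fvRsDomAtt": {"attributes": {
                    "tDn": f"uni/vmmp-VMware/dom-{vmm_domain}",
                    "resImmedcy": res_immedcy,
                    "instrImmedcy": instr_immedcy}}}]}}]}}]}}


def walk(tree):
    """Yield (class, attributes) for every managed object in a payload, depth-first."""
    for cls, body in tree.items():
        yield cls, body.get("attributes", {})
        for child in body.get("children", []):
            yield from walk(child)


def to_json(payload):
    return json.dumps(payload, separators=(",", ":"))


def apic_login(apic, user, password, ctx=None):
    """Return the session token; APIC expects it back as the APIC-cookie cookie.
    TLS verification stays on (default context): the APIC holds the whole
    fabric policy, so a verify=False shortcut here is an attacker's foothold."""
    ctx = ctx or ssl.create_default_context()
    body = to_json({"aaaUser": {"attributes": {"name": user, "pwd": password}}}).encode()
    req = urllib.request.Request(f"https://{apic}/api/aaaLogin.json", data=body,
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["imdata"][0]["aaaLogin"]["attributes"]["token"]


def apic_post(apic, token, payload, ctx=None):
    """POST the tree under uni (the policy universe); APIC merges it into the MIT."""
    ctx = ctx or ssl.create_default_context()
    req = urllib.request.Request(f"https://{apic}/api/mo/uni.json", data=to_json(payload).encode(),
                                 headers={"Content-Type": "application/json",
                                          "Cookie": f"APIC-cookie={token}"}, method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    payload = epg_with_subnet("Tenant-A", "BD-Web", "10.10.10.1/24", "AP-3Tier", "Web", "VMM-vCenter")
    print(json.dumps(payload, indent=1))
    # To apply it (placeholder host and credentials):
    #   token = apic_login("apic1.example.net", "admin", "secret")
    #   apic_post("apic1.example.net", token, payload)
```

The resImmedcy/instrImmedcy attributes on fvRsDomAtt are the "Resolution vs Instrumentation Immediacy" setting discussed earlier; pre-provision is the value to pick for an EPG that carries vmkernel ports. Running the payload through walk() before posting is a cheap way to review exactly which managed objects a change creates.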
What if I tell you "You don't have to leave vCenter to configure ACI"?
ACI vCenter plugin
Network is still under control
• CRUD operations
• External connectivity, troubleshooting
Now let’s move to the cloud
vRO/vRA plugin for ACI
Service Blueprints
• Day 0/1 Operations
Event Broker Subscription Integration
• A vRA Blueprint event (provisioning, decommissioning) is triggered with a payload of contextual variables (OS, system generated variables, custom variables)
• Events are published on the RabbitMQ message bus
• vRO subscriptions execute a workflow upon event; the ACI plugin subscribes to blueprint events and receives the payload
Agenda
Storage
- HCI integration (Hyperflex)
- Storage optimization (SIOC, storage DRS)
Kubernetes Concepts
• Pod: A "container" (strictly, one or more containers sharing a network namespace)
• Deployment: A replicated set of pods
• Service: An abstraction representing a set of pods and a way of accessing them
(Figure: Outside Network reaching a Cluster, with Pods grouped in a Namespace)
K8s Network Policy
(Figure: network policy between namespace-a and namespace-b)
Dual Level Policy Enforcement
ACI and K8S Integration Deployment Architecture
• Integration supported for K8S nodes as bare metal hosts or VMs
Steps (from the figure):
0. Check pre-requisites
1. Provision: VMware VMM domain and VDS with a trunk port-group (auto-created); objects get created in APIC; OOB management
2. Deploy the CNI plugin on the container hosts: ACI CNI Plugin = Container Controller, Host agent + OpFlex, OVS
3. Container host VTEPs join the VXLAN overlay over the Infra VLAN, using the Pod Subnet, External Service Subnet and Node Service Subnet
Agenda
What about VMware NSX-V?
(Figure labels: "ACI provides the overlay"; "ACI provides mgmt-plane visibility and adds L3 capabilities"; "Security + Ecosystem Partners"; Web -HTTPS- App -3306- DB)
Option 1
• Use Micro-segmentation and Network Services:
  • No need for Controllers, Edge Gateways and Edge Racks
  • Substantial savings in compute resources
  • Take advantage of ACI policies and domain knowledge across virtual, physical and container domains
  • Single API shared across multiple teams to orchestrate application deployment and infrastructure
  • No connectivity islands
• E/W stateful security for VMs, while ACI brings service insertion capabilities for N/S
  • Dedicated security API; security tags can be used for automation
  • Network services can be provisioned on demand: SLB, NAT or FW
  • ACI can do service insertion to facilitate network service deployment
On-demand load-balancing with a PBR service graph
(Figure labels: Redirect HTTP/HTTPS; Permit ANY; VRF CTX-01; L3 Out; Ext EPG; EPG Web; VIP: 10.10.1.100; BD-WEB; BD-ESG SLB; EPG App; BD-App; subnets 10.10.1.0/24, 192.168.1.0/24 and 192.168.2.0/24 with .1 gateways; EPG A / EPG B on TZ – Cluster A / TZ – Cluster B; BD 10.30.0.1/16)
Benefits vs non-ACI L3 Fabrics*
• No need for Edge Racks:
  o The perimeter ESG for a Tenant/Customer is part of the tenant.
  o The Edge physical failure domain is independent from other tenants.
• No L2 isolation at ToR for non-VM traffic:
  o ACI provides L2 reachability between Customer or Tenant racks.
  o ESXi host network configuration is drastically simplified (no need for multiple VMkernel TCP/IP stacks or static routes for vmk network reachability).
• Enhanced security with AAEP, Security Domains and the fabric white-list model.
*Example shows tenants limited to specific racks.
(Figure: spines S1, S2 and leaves L1-L8; Tenant A on racks 1-2 with VNI 5001/5002 and Tenant B on racks 3-4 with VNI 6001/6002; ESG and DLR per tenant; L2 ext via SVI or subinterface to the Core / WAN / DCI; North/South flow over VLAN and VXLAN)
ACI Peering with Virtual Router VNF
• The virtual router VM runs in a VMware DRS cluster and forms a routing adjacency with the fabric over an L3Out
• Routing occurs at the directly connected ToR
(Three figures: VMware DRS cluster across Leaf 101, Leaf 102, Leaf 103 and Leaf 104; L3Out; routing adjacency)
(Figure labels: Permit HTTP/HTTPS; VRF CTX-01; 10.10.1.1/24; BD-ESG; VXLAN / Geneve; L3 Out)
*You can't have an ESG with NAT + ECMP: another routing layer is required for ECMP
Agenda
…
ACI evolution timeline:
• ACI 1.0: Single Leaf/Spine Fabric
• ACI 1.1: Geographically stretch a single fabric 'and' interconnect fabrics with IP based EPGs
• ISE 2.1 & ACI 1.2: Federation of identity and interconnect TrustSec and ACI using IP based EPG/SGT
• ACI 2.0: Multiple Networks (Pods) in a single Availability Zone (Fabric)
• ACI 3.0: Multiple Availability Zones in a single Region 'and' Multi-Region Policy Management (Multi-Site Orchestrator)
• ACI 3.1/3.2: Remote Leaf and vPod extend an Availability Zone (Fabric) to remote locations
Multi-Pod
• Multiple ACI Pods connected by an IP Inter-Pod L3 network; each Pod consists of leaf and spine nodes
• Managed by a single APIC cluster
• Single management and policy domain
• Forwarding control plane (IS-IS, COOP) fault isolation
• Data plane VXLAN encapsulation between Pods
• End-to-end policy enforcement
(Figure: POD 1 and POD 2 joined by a Generic IP Network running VXLAN EVPN; APIC cluster; one VDS spanning both pods with EPG App on encap-vlan 2020)
ACI Evolution
Extend ACI Infrastructure, Policy and Management beyond Physical Multi-Pod: an extended operations domain
(Figure: ACI Fabric connected over an IP WAN (L2 / L3) to a vSpine + vLeaf running on hypervisors with vSwitches)
vPod
• An existing N9K data center is extended with a vPOD over an IP network; ACI policies are carried over the iVXLAN overlay
• vSpine + vLeaf, with AVE on the hosts, form the vPod
• Multiple vPods: eBGP peering between the 'spines' (DME/PE, COOP Oracle and BGP RR on the vSpine); each vPod hosts its Web, App and DB tiers over its own iVXLAN overlay across the IP network
Key Takeaways
• ACI provides the best overlay manager for VMware based solutions
• APIC is tightly integrated with VMware VDS and allows for flexible networking
designs
• ACI Open API enables easy integration with VMware vCenter and vRealize
Automation by means of plugins maintained by Cisco (available on CCO)
• VMware admins can consume ACI with their existing tools
• Network team keeps CONTROL over the physical AND the virtual network
• ACI accelerates VM provisioning and lifecycle management across multiple
locations without compromise on security and connectivity.
Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.
Thank you