Introduction To ACI - BRKDCN-1001

#CiscoLive
Intro to ACI
Chris Merkel – Cross Solution DC TSA

BRKDCN-1001
#CiscoLive
Cisco Webex App
Questions?
Use Cisco Webex App to chat
with the speaker after the session
How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install the Webex App or go directly to the Webex space Enter your personal notes here
4 Enter messages/questions in the Webex space
Webex spaces will be moderated https://ciscolive.ciscoevents.com/ciscolivebot/#BRKDCN-1001
by the speaker until June 17, 2022.
#CiscoLive BRKDCN-1001 © 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
• Fabric Basics
• Policy Model
Agenda • Architectural Deployments
• Day 2 and beyond
Fabric Basics
ACI: One Network, any location
Virtual Networks Physical Switches

100M/1/10/25/40/50/100/400G
ACI
Cloud
Containers
* *
ACI Anywhere
Edge / Remote Core Data Centers Hybrid Cloud & Multicloud
IP WAN IP WAN
ACI ACI ACI ACI Cloud

Remote Leaf Single-POD Multi-POD Multisite ACI
The easiest Data Center and Cloud Interconnect Solution in the Market Try it today!
The DC network before The DC network NOW
Classic modular switching ACI
Supervisors (1 or 2)
APICs
(1, 3 or more)
Fabric Modules (3-6)
Up to 18 RUs Scale-up
SPINE
(1 to 6)
Linecards (Copper, Fiber, 1/10G)
Zero-touch VXLAN
No STP
LEAVES
(1 to 200 or more*) Scale as you need
Single VXLAN Network**

Single chassis (e.g. Nexus 7000) Evolution from Nexus 5000 and Nexus 7000
* > 500 Leaves with MultiPod/Multi-Site
** Other topologies available (e.g. 3-tier, etc) #CiscoLive BRKDCN-1001 © 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public 8
Application Centric Infrastructure Building Blocks
Built on the Nexus 9000
Centralized Policy Model,

Network Automation
Single Open API Flexible - Modular and Fixed

for Entire System Spine Options
(Terraform, Non-Blocking 40/100/400G
Ansible, Python, Fabric, CLOS Fabric
Etc) Integrated Overlay, Distributed Gateway
(Industry Leading: Price, Performance, Port-Density,
Programmability, Power Efficiency)
Integrated security - Built-in
Distributed Stateless Firewall,
Multi-Tenant Security
Physical, Virtual WAN IP Storage Network
and Container Interconnect Service
(Isilon, etc)
Workloads Appliances
(VMW, HyperV, (F5, ASA/FTD,
Hadoop, AIX, K8S Etc)
etc)
Traditionally, nodes are managed and operated
independently, and the actual topology dictates a
lot of configuration
• Device basics: AAA, syslog, SNMP, PoAP, hash
seed, default routing protocol bandwidth …
• Interface and/or Interface Pairs: UDLD, BFD,
MTU, interface route metric, channel hashing,
Queuing, LACP, …
• Fabric and hardware specific design: HW Tables,
…
• Switch Pair/Group: HSRP/VRRP, VLANs, vPC,
STP, HSRP sync with vPC, Routing peering,
Routing Policies, …
• Application specific: ACL, PBR, static routes,
QoS, ...
• Fabric wide: MST, VRF, VLAN, queuing,
CAM/MAC & ARP timers, COPP, route protocol
defaults
ACI: How difficult was it to bring up?
What tasks & configuration did ACI just saved me from doing manually on every switch
BEFORE
SSH to every switch, Assign IP Address, Enable

Telnet/SSH, Add users on every switch/Create ACLs
(optional)
BEFORE

Telnet/SSH, Add users on every switch/Create ACLs
(optional)
(Times X Switches & Y VNIs)
BEFORE NOW
External to Internal Route redistribution
& Control Plane (MP-BGP, QoS, etc)
Multicast (BD GIPo Addressing)
Overlay Network (VXLAN)
Underlay Routed Network (IS-IS)
Switch management & Best Practices

Telnet/SSH, Add users on every switch/Create ACLs ACI Automated tasks
(optional)
From HOURS to seconds!
(Times X Switches & Y VNIs)
Single Dashboard
ACI Policy Model
Simplified
The ACI Policy Model
Tenant ≈ VDC
VRF ≈ VRF Contracts ≈ Access Lists

Bridge Domain ≈ Subnet/SVI/Default GW
End Point Group ≈ Broadcast Domain/VLAN EPG1 EPG2

Any-Any (Replicates
Private VLAN a Traditional
Switch*)
L2 External EPG≈ 802.1q Trunk

L3 External EPG≈ L3 Routed Link
* Preferred group or vzAny achieve the

same outcome #CiscoLive BRKDCN-1001 © 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
The ACI Policy Model – Migrating into ACI
Tenant
Global VRF/Routing Table and Protocol
VLAN 10
VLAN 20BD
BD VLAN 30 BD
10.10.10.1/24
10.10.20.1/24 10.10.30.1/24
VLAN 10
VLAN 20EPG
EPG VLAN 30 EPG
Any-Any Contract Any-Any Contract
The ACI Policy Model – Migrating into ACI
Tenant
Global VRF/Routing Table and Protocol Connect
To External
Switch
VLAN 10 BD VLAN 20 BD VLAN 30 BD
10.10.10.1/24 10.10.20.1/24 10.10.30.1/24
L2 External
(802.1q Trunk)
VLAN 10 EPG VLAN 20 EPG VLAN 30 EPG
L3 External
(Routed Interface)
The ACI Policy Model – Extending the configuration
Tenant
Global VRF/Routing Table and Protocol Connect
To External
Switch
VLAN 10 BD
10.10.10.1/24
L2 External
AD_SVR Prod_SQL Print Svc (802.1q Trunk)
XenApp
VLAN 10 EPG
VM VM VM
VM VM VM L3 External
(Routed Interface)
VM VM
Advancing the ACI Configuration
AppApp
1 -1 - App 1 -
App Tier Web Tier External
Database EPG
To DB
Tier EPG
Only SQL
Only tcp/2048 Only HTTPS
IPS + Load Firewall + Load

Balancer Insertion Balancer Insertion
Contracts with Policy Based Redirect

ACI Deployment Options
ACI Anywhere
Edge / Remote Core Data Centers Hybrid Cloud & Multicloud
IP WAN IP WAN
ACI ACI ACI ACI Cloud

Remote Leaf Single-POD Multi-POD Multisite ACI
The easiest Data Center and Cloud Interconnect Solution in the Market Try it today!
ACI MultiPod
The evolution of a stretched fabric
Inter-Pod IP Network
Site A Site B
Active-Active Virtual Metro Stretch VRF, EPG, BD Up to 50ms

Datacenters Clusters Across PoDs with VXLAN Latency
ACI: Physical Remote Leaf
Extend ACI to Satellite Data Centers
IP Network (WAN Core – IPv4, MPLS, SR, etc …)
Port Speed:
1/10/40/100G
Site A Remote
Location
VM VM VM VM VM VM VM VM VM VM VM VM VM VM
Zero Touch Auto Two switches per site Stretch EPG, BD, VRF, DC Migration /
Discovery of Remote Leaf Up To 128 Remote Leaf Tenant, Contract OTV replacement
Switches
ACI Multi-Site Nexus Dashboard
Orchestrator Consistent Policy across sites
Single Point of Orchestration
Fault Isolation
Scale
Site A
Site D
Site B
VM VM VM
VM VM VM
VM VM VM
Policy Single Point Of Availability Scale

Consistency Orchestration Fault Isolation
ACI Multi-Site Nexus Dashboard
Cloud Integration Orchestrator Consistent Policy across sites
Single Point of Orchestration
Fault Isolation
Scale
Site A
Site C
Site D
Site B
VM VM VM
VM VM VM
VM VM VM
Policy Single Point Of Availability Scale

Consistency Orchestration Fault Isolation
Nexus
ACI Extension to Cloud Dashboard
Orchestrator
On-Premises DC Public Clouds
IP SG
Web
SG Rule
SG
APP
SG Rule
SG
DB
EPG
Contract
EPG
Contract
EPG Network
Web APP DB
AWS Region
IP
Network ASG ASG ASG
NSG NSG
Web APP DB
VM VM VM
Azure Region
Consistent Policy Enforcement Automated Inter-connect Simplified Operations

on-Premises & Public Cloud provisioning with end-to-end visibility
The network-admin challenge
Provisioning and monitoring complexity = Risk
NX-OS ACI
Subscription/
Separate Infrastructure + Tenant Account Account/Project
Resource Group
VXLAN
Data Center Site/Pod Region Region Region
VRF VRF VPC VNet VPC
Bridge Domain/
VLAN CIDR/Subnet Subnet Subnet
Subnet
EPG Security Groups Application/Network Firewall

VLAN Tag
Security Groups
Access-list (ACL) Contracts & Filters Security Group Rules Security Rules Firewall Rules
ACI
Day 2 and Beyond
Cisco Nexus Dashboard Powering automation
Simple to automate, simple to consume Unified agile platform
Insights* Data broker
Orchestrator Custom/third-
party
Private cloud Public cloud

NDFC
Consume all services in one place

* Includes Cisco Network Assurance Engine
Cisco Nexus Dashboard Powering automation
Simple to automate, simple to consume Unified agile platform
Cisco Nexus
Dashboard Orchestrator
party

NDFC

Cisco Nexus Dashboard Powerful analytics
Proactive operation
Simple to automate, simple to consume
Cisco Nexus
Dashboard Insights
party

NDFC

Cisco Nexus Dashboard Packet capture
Deep packet inspection
Cisco Nexus
Dashboard Data Broker
party

NDFC

Cisco Nexus Dashboard Infrastructure-as-code (IaC)
ITSM and SIEM integrations
third-party ecosystem apps

on Cisco DC app center
party

NDFC

Cisco Nexus Dashboard Insights
Use cases and benefits
Identify, locate, root Upgrade
cause, remediate impact advisories
Error detection,
Mitigate
latency, packet drops
Prevent outages
Control plane issue
Hardening checks
Automated alerts
Cisco Nexus Availability Software hardware
Explorer
Dashboard recommendations
Insights
Pre-change analysis PSIRT notices
Compliance alerts EoS/EoL notices
End-to-end workflows TAC assist

Automated remediation Topology checker
How it works
Data
enrichment
Complex
correlation Cisco Nexus
Dashboard Insights
Artificial
intelligence and
machine learning
Software and
hardware telemetry
Key Takeaways
• Consistent SDN enabled network policy
across all the switches within a fabric
• The Multi-site architecture allows the

same network policy to be applied
across multiple sites, even cloud
• Nexus Dashboard Insights enabled

proactive day 2 operations for ACI to
give a better understanding of how the
applications interact with network
Technical Session Surveys
• Attendees who fill out a minimum of four
session surveys and the overall event
survey will get Cisco Live branded socks!
• Attendees will also earn 100 points

in the Cisco Live Game for every
survey completed.
• These points help you get on the

leaderboard and increase your chances
of winning daily and grand prizes.
Pay for Learning with
Cisco Learning Credits
Cisco Learning and Certifications (CLCs) are prepaid training
vouchers redeemed directly
From technology training and team development to Cisco certifications and learning with Cisco.
plans, let us help you empower your business and career. www.cisco.com/go/certs
Learn Train Certify

Cisco U. Cisco Training Bootcamps Cisco Certifications and
IT learning hub that guides teams Intensive team & individual automation Specialist Certifications
and learners toward their goals and technology training programs Award-winning certification
program empowers students
Cisco Digital Learning Cisco Learning Partner Program and IT Professionals to advance
Subscription-based product, technology, Authorized training partners supporting their technical careers
and certification training Cisco technology and career certifications
Cisco Guided Study Groups
Cisco Modeling Labs Cisco Instructor-led and 180-day certification prep program
Network simulation platform for design, Virtual Instructor-led training with learning and support
testing, and troubleshooting Accelerated curriculum of product,
technology, and certification courses Cisco Continuing
Cisco Learning Network Education Program
Resource community portal for Recertification training options
certifications and learning for Cisco certified individuals
Here at the event? Visit us at The Learning and Certifications lounge at the World of Solutions
• Visit the Cisco Showcase
for related demos
• Book your one-on-one

Meet the Engineer meeting
• Attend the interactive education

with DevNet, Capture the Flag,
Continue and Walk-in Labs
your education • Visit the On-Demand Library

for more sessions at
www.CiscoLive.com/on-demand
BRKDCN-1001 © 2022 Cisco and/or its affiliates. All rights reserved. Cisco Public 41
Thank you
#CiscoLive
#CiscoLive

Introduction To ACI - BRKDCN-1001

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Introduction To ACI - BRKDCN-1001

Uploaded by

Copyright:

Available Formats

#CiscoLive

Chris Merkel – Cross Solution DC TSA

4 Enter messages/questions in the Webex space

Webex spaces will be moderated https://ciscolive.ciscoevents.com/ciscolivebot/#BRKDCN-1001

by the speaker until June 17, 2022.

Virtual Networks Physical Switches

Edge / Remote Core Data Centers Hybrid Cloud & Multicloud

ACI ACI ACI ACI Cloud

Single VXLAN Network**

Centralized Policy Model,

Single Open API Flexible - Modular and Fixed

SSH to every switch, Assign IP Address, Enable

SSH to every switch, Assign IP Address, Enable

Multicast (BD GIPo Addressing)

Overlay Network (VXLAN)

Underlay Routed Network (IS-IS)

Switch management & Best Practices

SSH to every switch, Assign IP Address, Enable

VRF ≈ VRF Contracts ≈ Access Lists

End Point Group ≈ Broadcast Domain/VLAN EPG1 EPG2

L2 External EPG≈ 802.1q Trunk

* Preferred group or vzAny achieve the

Any-Any Contract Any-Any Contract

Any-Any Contract Any-Any Contract

Any-Any Contract Any-Any Contract

IPS + Load Firewall + Load

Contracts with Policy Based Redirect

Edge / Remote Core Data Centers Hybrid Cloud & Multicloud

ACI ACI ACI ACI Cloud

Active-Active Virtual Metro Stretch VRF, EPG, BD Up to 50ms

IP Network (WAN Core – IPv4, MPLS, SR, etc …)

Policy Single Point Of Availability Scale

Policy Single Point Of Availability Scale

On-Premises DC Public Clouds

Consistent Policy Enforcement Automated Inter-connect Simplified Operations

Data Center Site/Pod Region Region Region

VRF VRF VPC VNet VPC

EPG Security Groups Application/Network Firewall

Insights* Data broker

Private cloud Public cloud

Consume all services in one place

Insights* Data broker

Private cloud Public cloud

Consume all services in one place

Insights* Data broker

Private cloud Public cloud

Consume all services in one place

Insights* Data broker

Private cloud Public cloud

Consume all services in one place

Insights* Data broker

third-party ecosystem apps

Private cloud Public cloud

Consume all services in one place

End-to-end workflows TAC assist

• The Multi-site architecture allows the

• Nexus Dashboard Insights enabled

• Attendees will also earn 100 points

• These points help you get on the

Learn Train Certify

• Book your one-on-one

• Attend the interactive education

your education • Visit the On-Demand Library