BRKDCT-2642 Migration From Classic Design To ACI Fabric
Kannan Ponnuswamy, Solution Architect, Cisco Advanced Services
Acronyms
IOS, vPC, VDC, AAA, VRF, PaaS, SaaS, STP, IaaS, XaaS, ISE, FTP, ToR, UCS, MTIaaS, SECaaS, FEX, OTV, QoS, BGP, PIM, TAC, RIP, ARP, VSG, CDP, Network Programmability, CPU, ACI, ASA
BRKDCT-2642 © 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Icons and Terms
Icons used in the diagrams: APIC; Nexus 7000, Nexus 5000, Nexus 1000; Router, Load Balancer, Firewall; Nexus 2000 / FEX; VMware; Storage, Virtual Machine, vCenter.
Agenda
ACI Overview
(Diagram) Policy driven: an application made of External, WEB, APP and DB tiers with a policy between each tier; the APIC applies the application policy to the network. Layers shown: Merchant+ silicon, Virtualisation, Networking, Physical.
Nexus 9000 Series
One common platform (1/10/40/100GE) for two operational models: Network Ops driven, switch user driven automation (classic mode) and APIC policy based fabric automation (ACI).
Migration Paths to ACI
Classic mode
• Growth – Addition
• Network refresh
ACI Migration
• Business drivers
• Security, Compliance, TCO, Programmability, Operations etc.
Classic Mode Adoption – Nexus 9000 Series
(Diagram) Three insertion points for the Nexus 9000 in a classic Layer 3 / Layer 2 / vPC design: Aggregation Catalyst 6500 replacement with N9500; a new access POD (N9300 with N2K) under an existing N7K aggregation; a new N9500 aggregation with a Catalyst replacement access POD (N9300 + N2K, vPC to the hosts). N5K access with N2K remains in place where not replaced.
Classic Mode Adoption - VxLAN on Nexus 9000 Series
VXLAN Overlay for workload mobility and L2 multipathing:
• VXLAN Gateway (VXLAN to VLAN)
• VXLAN Bridging (VXLAN to VXLAN at L2)
• VXLAN Routing: routing between VXLANs and VLAN to VXLAN
• Anycast Gateway for vPC setup
Classic Mode Tools for Nexus 9000 Series
On CCO: Catalyst 6500/4500 IOS to Nexus 9000 NX-OS Configuration Converter
Open Source for Nexus 9000 Series
https://github.com/datacenter/nexus9000/tree/master/nx-os
Nexus Deployment Assistant (Cisco Advanced Services)
(Diagram) Catalyst environments (VSS pairs) migrated to a Nexus deployment with the Deployment Assistant.
Deploying an ACI POD
ACI Fabric Initialisation (diagram: ACI Fabric)
ACI Forwarding Model
• A Tenant refers to one or more VRFs/Contexts
• A Context/VRF is referred to by one or more Bridge Domains (BD)
• Bridge Domains identify properties influencing forwarding behaviour: one or more subnets, ARP handling, Multicast etc.
• A collection of end-points forms an end-point group (EPG). An EPG associates to a BD.
• End-points are identified by:
  • Physical or Virtual Switch ports, VLAN ID, VNID
  • Future - NVGRE (VSID), DNS hostname, IP address
(Diagram) Tenant → VRF_Context_One: Bridge Domain One (10.10.0.0/16) with EPG_1 … EPG_N. VRF_Context_N: Bridge Domain One (192.168.1.0/24, 10.10.0.0/16) with EPG_1 … EPG_N; Bridge Domain N (non-IP, L2 forwarding only) with EPG_Legacy.
ACI Policy Model
• Contracts (C) define what an EPG exposes to other EPGs and how
• Contracts are reusable for multiple EPGs, and EPGs can inherit multiple contracts
(Diagram) Tenant → Application Profile with EPG Web, EPG App and EPG DB joined by contracts; EPG MGMT and EPG NFS are shared with the application EPGs through contracts.
ACI Policy Model – What is a Contract
• Allows specifying rules and policies on groups of physical or virtual end-points without understanding of specific identifiers and regardless of physical location.
• Defined bi-directionally in the “provider” centric way.
• A contract (C) is a set of filter/action pairs: the filter is the identifier of the traffic to which actions will be applied (L4 port ranges, TCP options, …); the action identifies what is applied to that traffic (Permit, QoS, Log, Redirect to Services, …).
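The two slides above describe the policy model in words: end-points are grouped into EPGs by how they attach (port, VLAN tag, VNID), contracts are provided and consumed between EPGs, and a contract is a list of filter/action pairs. The following is an added toy model of exactly that logic, written for this page; it is not APIC code, and the class names, EPG names, leaf ports and contracts are constructed for the example. It classifies an end-point to an EPG from its attachment point alone (no IP addresses appear anywhere), then answers whether a flow between two end-points is permitted, and with which actions, using only the EPG-to-EPG contracts. Traffic between two members of the same EPG is permitted by default; traffic between different EPGs with no matching provided/consumed contract is dropped, which is the whitelist behaviour the slides rely on.

```python
"""Toy model of ACI tenant / EPG / contract evaluation (illustrative only, not
the APIC implementation). All names and bindings below are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Filter:
    """One filter entry: protocol plus an L4 destination port range."""
    proto: str                  # "tcp", "udp" or "any"
    dport_from: int = 0
    dport_to: int = 65535

    def matches(self, proto, dport):
        return self.proto in ("any", proto) and self.dport_from <= dport <= self.dport_to


@dataclass
class Contract:
    """A contract is a list of (filter, actions) subjects; the filter identifies
    the traffic, the actions (permit, log, redirect, ...) are applied to it."""
    name: str
    subjects: list              # [(Filter, (action, ...)), ...]


@dataclass
class EPG:
    name: str
    bd: str                     # bridge domain the EPG associates to
    provided: list = field(default_factory=list)   # contract names this EPG provides
    consumed: list = field(default_factory=list)   # contract names this EPG consumes


class Tenant:
    def __init__(self, name):
        self.name = name
        self.contracts = {}
        self.epgs = {}
        self.bindings = {}      # (leaf_port, vlan_tag) -> EPG name

    def add_contract(self, contract):
        self.contracts[contract.name] = contract

    def add_epg(self, epg):
        self.epgs[epg.name] = epg

    def bind(self, leaf_port, vlan_tag, epg_name):
        """Attach an end-point identifier (port + encapsulation tag) to an EPG."""
        self.bindings[(leaf_port, vlan_tag)] = epg_name

    def classify(self, leaf_port, vlan_tag):
        """EPG membership comes from the attachment point, not from the IP address."""
        return self.bindings.get((leaf_port, vlan_tag))

    def evaluate(self, src, dst, proto, dport):
        """src/dst are (leaf_port, vlan_tag) attachment points.
        Returns (decision, actions) for a consumer-initiated flow; return traffic
        of an already permitted flow is not modelled here."""
        s, d = self.classify(*src), self.classify(*dst)
        if s is None or d is None:
            return ("deny", ("unknown-endpoint",))
        if s == d:
            return ("permit", ("intra-epg",))          # intra-EPG traffic is allowed by default
        for cname in self.epgs[d].provided:            # destination must provide ...
            if cname not in self.epgs[s].consumed:     # ... and source must consume the contract
                continue
            for flt, actions in self.contracts[cname].subjects:
                if flt.matches(proto, dport):
                    return ("permit" if "permit" in actions else "deny", actions)
        return ("deny", ("no-matching-contract",))     # whitelist model: nothing matched, drop


def build_demo_tenant():
    """Constructed three-tier example in the spirit of the Web/App/DB slide."""
    t = Tenant("Blue")
    t.add_contract(Contract("web-https", [(Filter("tcp", 443, 443), ("permit", "log"))]))
    t.add_contract(Contract("app-api", [(Filter("tcp", 8080, 8080), ("permit",))]))
    t.add_contract(Contract("db-sql", [(Filter("tcp", 1521, 1521), ("permit", "log"))]))
    t.add_epg(EPG("Web", "Blue_1", provided=["web-https"], consumed=["app-api"]))
    t.add_epg(EPG("App", "Blue_1", provided=["app-api"], consumed=["db-sql"]))
    t.add_epg(EPG("DB", "Blue_2", provided=["db-sql"]))
    t.add_epg(EPG("Other", "Blue_2", consumed=["web-https"]))   # "other applications"
    # Two web servers on different leaves share tag 100 and land in the same EPG.
    t.bind("leaf1:eth1/1", 100, "Web")
    t.bind("leaf2:eth1/1", 100, "Web")
    t.bind("leaf1:eth1/2", 101, "App")
    t.bind("leaf2:eth1/3", 102, "DB")
    t.bind("leaf1:eth1/9", 2011, "Other")
    return t


if __name__ == "__main__":
    t = build_demo_tenant()
    print(t.evaluate(("leaf1:eth1/9", 2011), ("leaf2:eth1/1", 100), "tcp", 443))
    print(t.evaluate(("leaf1:eth1/1", 100), ("leaf2:eth1/3", 102), "tcp", 1521))
```

The Web → DB lookup on TCP 1521 is denied even though a `db-sql` contract exists, because Web does not consume it; only App does. That is the property the slides sell as policy independent of addresses and location: moving a web server to another leaf changes nothing as long as it attaches with the same tag.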
No Such Thing as Enough Security
http://www.pcworld.com/article/2031580/mcafee-warns-of-malware-targeting-point-of-sale-systems.html
McAfee_Labs_Threat_Advisory_EPOS_Data_Theft.pdf
ACI Adoption Strategies
• Network centric: leverage known networking constructs (operations, design) on the ACI Fabric
• Application centric: leverage known application constructs (applications, operations, design), decoupled from the network
Both lead to the new ACI Fabric operational model.
Network Centric Deployment Example – 1 VRF + 1 VLAN
Classic mode (shown for reference): VRF Blue; VLAN 10 with gateway 10.10.10.1/24 on the aggregation pair (.2, .3, HSRP); routing, access list, QoS etc. configured there; classic access switches; hosts .101 and .102; uplinks 1.1.1.0/30 and 1.1.1.12/30.
ACI Fabric: Blue Tenant and Context with policies; Bridge Domain Blue_1 (10.10.10.1/24); EPG blue_1 (Tag 10) with hosts .101 and .102; External EPG exchanging routes (Blue) over 1.1.1.0/30 and 1.1.1.12/30; managed by the APIC.
Tag could be VLAN ID or VNID.
Network Centric Deployment Example – 1 VRF + 2 VLANs – Option 1
Classic mode (shown for reference): VLAN 10 (10.10.10.0/24) and VLAN 11 (10.10.11.0/24) on classic access; uplinks 1.1.1.0/30 and 1.1.1.12/30.
ACI Fabric: Blue Tenant and Context with policies; BD Blue_1 (10.10.10.1/24) with EPG blue_1 (Tag 10); BD Blue_2 (10.10.11.1/24) with EPG blue_2 (Tag 11); External EPG for VLAN 10, 11 exchanging routes (Blue); managed by the APIC.
Network Centric Deployment Example – 1 VRF + 2 VLANs – Option 2
1. Policies are based on EPG
2. Forwarding is based on BD attributes
Classic mode (shown for reference): VLAN 10 (10.10.10.0/24) and VLAN 11 (10.10.11.0/24) on classic access; uplinks 1.1.1.0/30 and 1.1.1.12/30.
ACI Fabric: Blue Tenant and Context with policies; a single BD Blue_1 (10.10.10.1/23) with EPG blue_1 (Tag 10) and EPG blue_2 (Tag 11) joined by contract X; External EPG for VLAN 10, 11 exchanging routes (Blue).
Network Centric Deployment Example – 1 VRF + 2 VLANs – Option 3
1. Forwarding based on destination IP address for intra and inter subnet (Default Mode)
2. Hardware based directed ARP forwarding
What if the two VLANs existed only because of ARP broadcast concerns?
Classic mode (shown for reference): VLAN 10 (10.10.10.0/24) and VLAN 11 (10.10.11.0/24) on classic access; uplinks 1.1.1.0/30 and 1.1.1.12/30.
ACI Fabric: Blue Tenant and Context with policies; a single BD Blue_1 (10.10.10.1/23) with a single EPG blue_1 carrying Tag 10 and Tag 11; External EPG for VLAN 10, 11 exchanging routes (Blue); managed by the APIC.
Network Centric ACI Migration
Network Centric Migration Example – VRF + 2 VLANs
Layer 3 routing to the classic network: Static, OSPF, BGP.
ACI Fabric: Blue Tenant and Context with policies; BD Blue_1 with EPG blue_1 and BD Blue_2 (10.10.11.1/24) with EPG blue_2, each extended to the classic network through an L2_Out (VLAN 10, 11); External EPG; migration controlled by the APIC.
Legend: 10G/40G to ACI; Layer 3; Layer 2 - 1GE; Layer 2 - 10GE; 10 GE DCB; 10 GE FCoE/DCB; 4/8 Gb FC.
ACI Integration and Migration
(Diagram) Forwarding flow between the ACI Fabric and the classic network at L3 and L2, and the migration path.
Legend: 10G/40G to ACI; Layer 3; Layer 2 - 1GE; Layer 2 - 10GE; 10 GE DCB; 10 GE FCoE/DCB; 4/8 Gb FC.
Many Migration Options
• Option 1: Migrate FEX to 9300
• Option 2: Migrate 5500 + FEX to 9300
• Option 3: Interconnect existing POD to Fabric
Deployment Example – Hybrid Approach
Classic mode (shown for reference): External Network; access switches (.2, .3) carrying VLAN 10 (10.10.10.0/24) and VLAN 11 (10.10.11.0/24); hosts AppOne’s, AppTwo’s and AppThree’s WebServer.
ACI Fabric: Blue Tenant and Context with policies; External EPG exchanging routes (Blue); BD Blue_1 (10.10.10.1/24) with EPG One-web, EPG Two-web and EPG Three-web; BD Blue_2 (10.10.11.1/24) with EPG 11; encapsulation tags 100, 101, 102 and 2011 on the EPGs; managed by the APIC.
Hybrid (Network and Application Centric) ACI Migration
ACI Migration for Hybrid Approach
Classic L2 Extension:
• STP compatibility with Classic Network Access
• VLAN 10 maps to BD Blue_1
• VLAN 11 maps to BD Blue_2
• Classic devices are still the Default Gateway
• Flooding enabled on ACI BDs during migration
• Equally applicable to L4-7 services (FW/LB) in the Classic Network
• Once migration is completed, insert needed services and move the Default Gateway to the ACI BDs
(Diagram) Blue Tenant and Context with policies, External EPG exchanging routes (Blue); BD Blue_1 with EPG One-web, Two-web and Three-web (tags 100, 101, 102); BD Blue_2 with EPG 11 (tag 2011); classic VLAN 10 (10.10.10.0/24) and VLAN 11 (10.10.11.0/24) with AppOne’s, AppTwo’s and AppThree’s WebServer.
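The bullets above are a two-phase procedure: during migration the ACI bridge domains are plain L2 extensions of VLAN 10 and 11 (flooding on, classic devices remain the default gateway), and only after cutover do the BDs take over the subnet and the gateway role. The following is an added example, not code from the presentation or from Cisco, that renders the two phases as APIC-style tenant JSON and checks the invariant that matters during the migration window: no BD may route or carry a subnet while the classic network is still the gateway, otherwise the fabric becomes a second gateway and ARP responder on the same segment. The object and attribute names (`fvTenant`, `fvCtx`, `fvBD`, `fvAEPg`, `fvRsBd`, `fvRsPathAtt`, `unicastRoute`, `arpFlood`, `unkMacUcastAct`) follow the APIC object model as I know it and should be verified against the APIC release in use; the leaf path, application profile name and encapsulation mapping are constructed placeholders.

```python
"""Generate APIC-style tenant payloads for the hybrid migration's two phases and
verify the 'classic network is still the default gateway' invariant.
Illustrative example only; attribute names to be verified against the APIC."""
import json

# Constructed placeholders: the leaf port that carries the classic L2 extension,
# and the VLAN -> BD / gateway mapping taken from the slides.
CLASSIC_L2_EXTENSION = "topology/pod-1/paths-101/pathep-[eth1/48]"  # placeholder path
VLAN_TO_BD = {
    "vlan-10": ("Blue_1", "10.10.10.1/24"),
    "vlan-11": ("Blue_2", "10.10.11.1/24"),
}


def bridge_domain(name, vrf, gateway, phase):
    """Return an fvBD object for the given phase.
    'migration': the BD is an L2 segment only; ARP and unknown unicast are flooded so
                 the classic gateway and classic ARP behaviour keep working.
    'cutover':   the BD owns the subnet and becomes the default gateway; flooding can
                 then be replaced by the fabric's proxy behaviour."""
    ctx = {"fvRsCtx": {"attributes": {"tnFvCtxName": vrf}}}
    if phase == "migration":
        attrs = {"name": name, "unicastRoute": "no", "arpFlood": "yes", "unkMacUcastAct": "flood"}
        children = [ctx]
    elif phase == "cutover":
        attrs = {"name": name, "unicastRoute": "yes", "arpFlood": "no", "unkMacUcastAct": "proxy"}
        children = [ctx, {"fvSubnet": {"attributes": {"ip": gateway, "scope": "public"}}}]
    else:
        raise ValueError(f"unknown phase: {phase}")
    return {"fvBD": {"attributes": attrs, "children": children}}


def epg(name, bd, encap):
    """Return an fvAEPg bound to its BD and statically mapped to the classic VLAN."""
    return {"fvAEPg": {"attributes": {"name": name}, "children": [
        {"fvRsBd": {"attributes": {"tnFvBDName": bd}}},
        {"fvRsPathAtt": {"attributes": {"tDn": CLASSIC_L2_EXTENSION, "encap": encap, "mode": "regular"}}},
    ]}}


def tenant_payload(phase, tenant="Blue", vrf="Blue"):
    """Full tenant object: one VRF, one BD per classic VLAN, one EPG per VLAN."""
    bds = [bridge_domain(bd, vrf, gw, phase) for bd, gw in VLAN_TO_BD.values()]
    epgs = [epg("blue_" + encap.split("-")[1], bd, encap) for encap, (bd, _) in VLAN_TO_BD.items()]
    return {"fvTenant": {"attributes": {"name": tenant}, "children": [
        {"fvCtx": {"attributes": {"name": vrf}}},
        *bds,
        {"fvAp": {"attributes": {"name": "blue_net"}, "children": epgs}},   # placeholder profile name
    ]}}


def duplicate_gateway_risks(payload):
    """Names of BDs that would compete with the classic default gateway: any BD that
    routes, carries a subnet, or does not flood ARP while the classic gateway exists."""
    risky = []
    for child in payload["fvTenant"]["children"]:
        bd = child.get("fvBD")
        if bd is None:
            continue
        attrs = bd["attributes"]
        has_subnet = any("fvSubnet" in c for c in bd.get("children", []))
        if attrs.get("unicastRoute") == "yes" or has_subnet or attrs.get("arpFlood") != "yes":
            risky.append(attrs["name"])
    return risky


if __name__ == "__main__":
    migration = tenant_payload("migration")
    print(json.dumps(migration, indent=2))
    print("risks during migration:", duplicate_gateway_risks(migration))
    print("risks after cutover:", duplicate_gateway_risks(tenant_payload("cutover")))
```

Running `duplicate_gateway_risks` against the cutover payload intentionally reports both BDs; that is the state you want only after the classic SVIs and HSRP groups for VLAN 10 and 11 have been shut down, which is the "move Default Gateway to ACI BDs" step in the last bullet.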
Virtual Environment Migration Example
(Diagram) Classic side: N7K pair (L3) over N5500 pair (L2), with vCenter and vShield reachable over L3. ACI Fabric side: L2 and L3 into the fabric. Hypervisor networking: VMware vSwitch, DVS, N1kV.
Application Centric Migration
Building the Application Profile – an Example
(Diagram, built up over three slides) Intranet EPG @ Border Leaf and Extranet EPG @ Border Leaf, each with a contract (C) to the Expenses EPG; the Expenses EPG with a contract to the Oracle RAC DB; other applications reaching the profile through a contract permitting TCP: *,443.
ACI Deployments for Known Application Profiles
ACI POD for greenfield or well understood applications.
(Diagram) Internet and WAN / DCI through the N7K pair; L3 ACI introduction from the N7Ks (L2 below); N9K spines; integrated L4-L7 services, physical and virtual.
Defining Profiles for Applications in Use
Common Customer Challenges
• Lack of confidence in existing information
• CMDB, Single Source of Truth (SSOT), IPAM etc.
Network data analysed, then the Application Network Profile (ANP) is committed to the APIC:
• Device Configurations
• Protocol State
• Traffic Capture
Network Discovery: device configurations, protocol state, traffic capture.
Server Discovery (per hypervisor): servers, processes, network stats.
ACI Deployment Assistant (Pre Migration) – Cisco Advanced Services
• Comprehensive Application Dependencies
• Multiple Application Network Policies
• Application, Server Mapping
• Automate Physical, Virtual Migration
Inputs: Network Discovery (device configurations, protocol state, traffic capture) and Server Discovery per hypervisor (servers, processes, network stats).
ACI Migration Summary
Thank You!!
Q&A
Complete Your Online Session Evaluation
Give us your feedback and receive a Cisco Live 2014 Polo Shirt! Complete your Overall Event Survey and 5 Session Evaluations: directly from your mobile device on the Cisco Live Mobile App, by visiting the Cisco Live Mobile Site www.ciscoliveaustralia.com/mobile, or at any Cisco Live Internet Station located throughout the venue. Polo Shirts can be collected in the World of Solutions on Friday 21 March 12:00pm - 2:00pm.
Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations: www.CiscoLiveAPAC.com