
What is Cisco ACI?

www.lumoscloud.com
courses@lumoscloud.com

Agenda
§  SDN/Overlay Networking Primer
§  Overview and Terminology
§  What Are We Solving?
§  Logical Model Overview
§  Concrete Model Overview
SDN/Overlay Networking Primer

Industry Trends
DevOps
New operational models are driving the need for infrastructure change.

SDN
Software Defined Networking (or, as the joke goes, "Still Don't Know")
(Diagram: control plane, data plane, network virtualization, programmability.)

Software Overlays – Network Virtualization
Virtual Network 1: VXLAN
Virtual Network 2: NVGRE
Virtual Network 3
Encapsulated traffic is carried over an L3 routed, non-blocking ECMP CLOS fabric.

Cisco ACI

Overview and Terminology
ACI, or Application Centric Infrastructure
ACI Introduces Logical Network Provisioning of Stateless Hardware
(Diagram: an application policy with Web, App and DB tiers, each with QoS, Filter and Service policies and an Outside (Tenant VRF) connection, is pushed by the APIC, the Application Policy Infrastructure Controller, onto the ACI fabric with its integrated VXLAN overlay.)

ACI Network Profile / Application Network Profile
Policy-Based Fabric Management
Extend the principle of Cisco UCS® Manager Service Profiles to the entire fabric.
(Diagram: Application Client, Web Tier, App Tier, DB Tier and Storage.)

•  Network profile: stateless definition of application requirements
   ̶  Application tiers
   ̶  Connectivity policies
   ̶  Layer 4 – 7 services
   ̶  XML/JSON schema
•  Fully abstracted from the infrastructure implementation
   ̶  Removes dependencies of the infrastructure
   ̶  Portable across different data center fabrics

The ANP fully describes the application connectivity requirements.

Network Profile: Defines Application Level Metadata (Pseudo Code Example)
<Network-Profile = Production_Web>
    <App-Tier = Web>
        <Connected-To = Application_Client>
        <Connection-Policy = Secure_Firewall_External>
        <Connected-To = Application_Tier>
        <Connection-Policy = Secure_Firewall_Internal & High_Priority>
    . . .
    <App-Tier = DataBase>
        <Connected-To = Storage>
        <Connection-Policy = NFS_TCP & High_BW_Low_Latency>
    . . .
Application Policy Model and Instantiation
Application policy model: defines the application requirements (application network profile).
(Diagram: Application Client, Web Tier, App Tier, DB Tier and Storage.)
Policy instantiation: each device dynamically instantiates the required changes based on the policies.
(Diagram: the APIC pushes policy to the fabric; VMs with addresses 10.2.4.7, 10.9.3.37 and 10.32.3.7.)

All forwarding in the fabric is managed through the application network profile
•  IP addresses are fully portable anywhere within the fabric
•  Security and forwarding are fully decoupled from any physical or virtual network attributes
•  Devices autonomously update the state of the network based on configured policy requirements
ACI Fabric
(Diagram: ACI spines; ACI leafs; external L2/L3 connectivity, L4–7 services and servers attached to the leafs; an APIC cluster of three APICs reached over OOB management.)
What are we solving?

Overloaded Network Constructs
(Diagram: basic network policy, SLAs and L4-7 services are all hung off subnets and VLANs.)
Network constructs are overloaded with unintended functionality.

Application Language Barriers
Developers talk in application tiers, protocols and provider/consumer relationships; infrastructure teams talk in VLANs, subnets and ports.
Developer and infrastructure teams must translate between disparate languages.
(Diagram: the legacy, device-by-device configuration of one three-tier application. Traffic path: L3 router (VLAN 666) → FW (VLAN 111) → SSL (VLAN 222) → SLB (VLAN 333) → Web Servers → FW (VLAN 444) → SLB, IDS/IPS (VLAN 555) → App Servers → FW, IDS/IPS (VLAN 777) → DB Servers. The configuration recoverable from the slide, grouped per device:)

switch1(config)# int eth 1/1
switch1(config)# switch mode acc
switch1(config)# switch acc vlan 666
switch1(config)# no shut

switch2(config)# int eth 1/2 - 3
switch2(config)# switch mode acc
switch2(config)# switch acc vlan 111
switch2(config)# no shut

switch3(config)# int eth 1/4 - 5
switch3(config)# switch mode acc
switch3(config)# switch acc vlan 222
switch3(config)# no shut

switch4(config)# int eth 1/6
switch4(config)# switch mode acc
switch4(config)# switch acc vlan 333
switch4(config)# no shut
switch4(config)# int eth 1/7 - 9
switch4(config)# switch mode acc
switch4(config)# switch acc vlan 333
switch4(config)# no shut

switch5(config)# int eth 1/10 - 11
switch5(config)# switch mode acc
switch5(config)# switch acc vlan 444
switch5(config)# no shut
switch5(config)# int eth 1/11 - 15
switch5(config)# switch mode acc
switch5(config)# switch acc vlan 555
switch5(config)# no shut
switch5(config)# monitor session 1 source vlan 555
switch5(config)# monitor session 1 dest eth 1/16

switch6(config)# int eth 1/16 - 19
switch6(config)# switch mode acc
switch6(config)# switch acc vlan 777
switch6(config)# no shut
switch6(config)# monitor session 1 source vlan 777
switch6(config)# monitor session 1 dest eth 1/20

router(config)# int eth 1
router(config)# ip add 6.6.6.1 255.255.255.0
router(config)# no shut
router(config)# int eth 2
router(config)# ip addr 1.1.1.1 255.255.255.0
router(config)# no shut
router(config)# router eigrp 100
router(config)# network 6.6.6.0 mask 255.255.255.0
router(config)# network 1.1.1.0 mask 255.255.255.0
router(config)# ip route 0.0.0.0 0.0.0.0 6.6.6.254

fw1(config)# int eth 0/1
fw1(config)# nameif outside 0
fw1(config)# int eth 0/2
fw1(config)# nameif webfront 20
fw1(config)# object network webfront_vip
fw1(config)# host 6.6.6.6
fw1(config)# static (webfront,outside) 1.1.1.6
fw1(config)# access-list outside_web permit tcp any host 6.6.6.6 eq 80
fw1(config)# access-list outside_web permit tcp any host 6.6.6.6 eq 443
fw1(config)# access-group outside_web in interface outside

fw2(config)# int eth 0/1
fw2(config)# nameif webfront 20
fw2(config)# int eth 0/2
fw2(config)# nameif appfront 50
fw2(config)# object network appfarm_vip
fw2(config)# host 5.5.5.5
fw2(config)# nat (appfront,webfront) static 4.4.4.4
fw2(config)# access-list web_to_app permit tcp any host 4.4.4.4 eq 8081

fw3(config)# int eth 0/1
fw3(config)# nameif appfront 70
fw3(config)# int eth 0/2
fw3(config)# nameif dbfront 90
fw3(config)# object network foodb_cluster
fw3(config)# host 7.7.7.7
fw3(config)# nat (dbfront,appfront) static 5.5.5.50
fw3(config)# access-list web_to_app permit tcp any host 5.5.5.50 eq 1433

slb1 (CONFIG)
    probe http http-probe
      interval 30
      expect status 200 200
    rserver host websrvr1
      description foo web server
      ip address 3.3.3.1
      inservice
    rserver host websrvr2
      description foo web server
      ip address 3.3.3.2
      inservice
    rserver host websrvr3
      description foo web server
      ip address 3.3.3.3
      inservice
    serverfarm host FOOWEBFARM
      probe http-probe
      rserver websrvr1 80
        inservice
      rserver websrvr2 80
        inservice
      rserver websrvr3 80
        inservice

slb2 (CONFIG)
    rserver host appsrvr1
      description foo app server
      ip address 5.5.5.1
      inservice
    rserver host appsrvr2
      description foo app server
      ip address 5.5.5.2
      inservice
    rserver host appsrvr3
      description foo app server
      ip address 5.5.5.3
      inservice
    serverfarm host FOOAPPFARM
      probe http-probe
      rserver appsrvr1 8081
        inservice
      rserver appsrvr2 8081
        inservice
      rserver appsrvr3 8081
        inservice

SSL offload device (crypto config)
    crypto generate key 1024 fooyou.key
    crypto csr-params testparms
      country US
      state California
      locality San Jose
      organization-name
      organization-unit you
      common-name www.fooyou.com
      serial-number crisco123
    crypto generate csr testparms fooyou.key
. . . .

Let's add a couple more web servers
(Diagram: same topology; the web farm grows from three to five servers.)

switch4(config)# int eth 2/7 - 9
switch4(config)# switch mode acc
switch4(config)# switch acc vlan 333
switch4(config)# no shut

slb1 (ADDED CONFIG)
    rserver host websrvr4
      description foo web server
      ip address 3.3.3.4
      inservice
    rserver host websrvr5
      description foo web server
      ip address 3.3.3.5
      inservice
    serverfarm host FOOWEBFARM
      rserver websrvr4 80
        inservice
      rserver websrvr5 80
        inservice
What is an Application to the Network?
It is more than just a VM or server
ü  It is a collection of all the application's end points
v  'plus'
ü  The application's L2 – L7 network policies
v  'plus'
ü  The relationship between these end points and their policies
(Diagram: Web Tier, App Tier and DB Tier, each with QoS, Service and Filter policies applied to its end points, plus the external network.)

Teamwork: Create the Logical Model to support the app
Define End Point Groups: Outside EPG, Web Servers, App Servers, DB Servers
Service Node Integration: FW, SLB, IDS/IPS
Define Service Policies:
WEB_contract
  Consumer: Outside EPG
  Provider: Web EPG
  Filter: TCP ports 80 and 443
  Contract: use firewall NAT + SLB + SSL offload
APP_contract
  Consumer: Web EPG
  Provider: App EPG
  Filter: TCP port 8081
  Contract: use firewall NAT, use SLB, copy pkt to IDS/IPS
DB_contract
  Consumer: App EPG
  Provider: DB EPG
  Filter: TCP port 1433
  Contract: use firewall+NAT, copy to IDS/IPS
Configure: Define Logical Constructs in APIC
(The same end point groups, service nodes and the WEB_contract, APP_contract and DB_contract policies are entered into the APIC.)

Deployment
Outside EPG → Web EPG: TCP ports 80 and 443; use firewall NAT; use SLB + SSL offload (FW, SSL, SLB in the path to the Web Servers)
Web EPG → App EPG: TCP port 8081; use firewall NAT; use SLB; copy to IDS/IPS (FW, SLB, IDS/IPS in the path to the App Servers)
App EPG → DB EPG: TCP port 1433; use firewall+NAT; copy to IDS/IPS (FW, SLB, IDS/IPS in the path to the DB Servers)

Copy Profile
The same profile is copied to DEV, TEST and PROD: each environment gets its own Outside EPG and the identical three EPG-to-EPG policies and service chains; only the number of servers behind each EPG differs (three, five and ten web servers; two, four and two DB servers in the diagram).


Logical Model Overview
Remember UCS & Stateless Computing?
Service Profile
Storage
  Optional Disk usage
  SAN settings
  •  LUNs
  •  Persistent Binding
  SAN settings
  •  vSAN
  Firmware
  •  Revisions
Server
  Identity (UUID)
  Adapters
  •  Number
  •  Type: FC, Ethernet
  •  Identity
  •  Characteristics
  Firmware
  •  Revisions
  •  Configuration settings
Network
  Uplinks
  LAN settings
  •  VLAN
  •  QoS
  •  etc…
  Firmware
  •  Revisions
Stateless Networking
Application Network Profile
(Diagram: EPG Web, EPG App and EPG DB joined by contracts (C). Contracts define "what" an EPG exposes to other app tiers, i.e. TCP ports, protocols, redirects etc., and "how".)
•  Stateless filtering between EPGs is implicitly provided by the ACI fabric, which may eliminate the need for some firewalls within the datacenter.
•  Contracts define what an EPG exposes to other application tiers and 'how'.
Defining Terms
§  End-Point Group (EPG) - Container for objects requiring the same policy treatment, i.e. app tiers or services
§  Tenant - Logical separator for: customer, BU, group etc. Separates traffic, admin, visibility, etc.
§  Private-Network (L3) - Equivalent to a VRF; separates routing instances; can be used as an admin separation
§  Bridge Domain (BD) - NOT A VLAN, simply a container for subnets. CAN be used to define an L2 boundary
§  Contract - Contracts represent policies between EPGs. Contracts are “provided” by one EPG and “consumed” by another.
Management Information Model
(Diagram, as a containment tree:)
TENANT (1)
  contains n L2/L3 Outside Networks
  contains n Bridge Domains
    each Bridge Domain contains n Subnets
    each Bridge Domain belongs to 1 Context (n:1)
  contains n Contexts (VRF)
  contains n Application Profiles
    each Application Profile contains n EPGs
    EPGs relate to Contracts (provide/consume)
  contains n Contracts
    each Contract contains n Subjects
    Subjects relate n:n to Filters
  contains n Filters
Ø  Solid lines indicate objects below contained
Ø  Dashed lines indicate a relationship
Ø  1:n indicates one to many
Ø  n:n indicates many to many
Application Network Profile
(Diagram:)
Public / Outside --consume--> contract "web" --provide--> EPG WEB (EP, EP, EP)
EPG WEB --consume--> contract "java" --provide--> EPG APP (EP, EP, EP)
EPG APP --consume--> contract "sql" --provide--> EPG DB (EP, EP, EP)
Each EPG sits in a bridge domain (bd) with its subnet; all bridge domains belong to one L3 context.
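The logical model on these slides (the WEB/APP/DB contracts, the tenant/context/bridge-domain/EPG containment of the management information model, and the consume/provide chain of the application network profile) can be captured in a few dozen lines of code. The following Python model is an added example constructed for this page, not Cisco or APIC code: the class and method names (`Tenant`, `permitted`, `validate`), the bridge-domain names and the /24 subnets derived from the endpoint addresses on the slides are assumptions, and the whitelist check evaluates only the consumer-to-provider direction.

```python
"""Constructed model of the ACI logical objects on this page (not Cisco code).

Tenant -> Contexts (VRF), Bridge Domains (subnet containers bound to one
context), Application Profiles (EPG containers), Contracts (Subjects -> Filters).
Inter-EPG traffic is whitelist-only: a flow is permitted only when the source
EPG consumes, and the destination EPG provides, a contract with a matching
filter. Assumption: only the consumer -> provider direction is evaluated.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Filter:
    name: str
    proto: str          # "tcp" or "udp"
    ports: frozenset    # destination ports exposed by the provider

    def matches(self, proto, port):
        return proto == self.proto and port in self.ports


@dataclass
class Contract:
    name: str
    subjects: dict = field(default_factory=dict)   # subject name -> [Filter]

    def filters(self):
        return [f for fs in self.subjects.values() for f in fs]


@dataclass
class EPG:
    name: str
    bridge_domain: str
    provided: set = field(default_factory=set)     # contract names
    consumed: set = field(default_factory=set)


@dataclass
class BridgeDomain:
    name: str
    context: str
    subnets: list = field(default_factory=list)


@dataclass
class Tenant:
    name: str
    contexts: set = field(default_factory=set)
    bridge_domains: dict = field(default_factory=dict)
    app_profiles: dict = field(default_factory=dict)  # ANP name -> {EPG name: EPG}
    contracts: dict = field(default_factory=dict)

    def epg(self, name):
        for epgs in self.app_profiles.values():
            if name in epgs:
                return epgs[name]
        raise KeyError(f"no EPG named {name}")

    def permitted(self, src, dst, proto, port):
        """Whitelist check for a src-EPG -> dst-EPG flow to proto/port."""
        s, d = self.epg(src), self.epg(dst)
        for cname in s.consumed & d.provided:
            if any(f.matches(proto, port) for f in self.contracts[cname].filters()):
                return True
        return False   # no contract between the EPGs: the fabric drops it

    def validate(self):
        """Containment rules of the information model: a BD must point at a
        context of this tenant, an EPG at a BD and at contracts that exist."""
        problems = []
        for bd in self.bridge_domains.values():
            if bd.context not in self.contexts:
                problems.append(f"BD {bd.name}: unknown context {bd.context}")
        for anp, epgs in self.app_profiles.items():
            for e in epgs.values():
                if e.bridge_domain not in self.bridge_domains:
                    problems.append(f"EPG {anp}/{e.name}: unknown BD {e.bridge_domain}")
                for c in sorted(e.provided | e.consumed):
                    if c not in self.contracts:
                        problems.append(f"EPG {anp}/{e.name}: unknown contract {c}")
        return problems


def build_three_tier():
    """The page's Outside -> Web -> App -> DB profile. The /24 subnets are
    constructed from the example endpoint addresses on the slides."""
    t = Tenant("Production_Web", contexts={"L3-context"})
    for bd, subnet in (("bd-web", "10.2.4.0/24"), ("bd-app", "10.9.3.0/24"),
                       ("bd-db", "10.32.3.0/24")):
        t.bridge_domains[bd] = BridgeDomain(bd, "L3-context", [subnet])
    t.bridge_domains["bd-outside"] = BridgeDomain("bd-outside", "L3-context")
    t.contracts = {
        "WEB_contract": Contract("WEB_contract", {"web": [Filter("http-https", "tcp", frozenset({80, 443}))]}),
        "APP_contract": Contract("APP_contract", {"java": [Filter("app", "tcp", frozenset({8081}))]}),
        "DB_contract": Contract("DB_contract", {"sql": [Filter("mssql", "tcp", frozenset({1433}))]}),
    }
    t.app_profiles["three-tier"] = {
        "Outside": EPG("Outside", "bd-outside", consumed={"WEB_contract"}),
        "Web": EPG("Web", "bd-web", provided={"WEB_contract"}, consumed={"APP_contract"}),
        "App": EPG("App", "bd-app", provided={"APP_contract"}, consumed={"DB_contract"}),
        "DB": EPG("DB", "bd-db", provided={"DB_contract"}),
    }
    return t


if __name__ == "__main__":
    t = build_three_tier()
    print("model problems:", t.validate() or "none")
    for flow in (("Outside", "Web", "tcp", 443), ("Web", "DB", "tcp", 1433)):
        print(flow, "->", "permit" if t.permitted(*flow) else "drop")
```

The point the slides make about stateless filtering falls out of `permitted`: Web to DB on TCP 1433 is dropped even though the DB EPG provides that port, because the Web EPG does not consume DB_contract, so no per-flow firewall rule has to be written for it. `validate` is the kind of check an admin tool would run before pushing a profile, so that an EPG referring to a bridge domain or contract outside its tenant is caught before deployment.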
Concrete Model Overview
Applying Policy to End-Points
1)  End Point attaches to fabric
2)  APIC detects End Point and derives its EPG
    •  Designated as source EPG
3)  APIC pushes required policy to leaf switch
    •  Policies require both source and destination EPG
APIC manages pushing of policy to the leaf enforcement point when EPs connect.
APIC Policy Model
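To make the three steps concrete, here is an added Python simulation of policy instantiation driven by endpoint attachment; it is constructed for this page and is not APIC code. The `Apic` class, the encap-to-EPG mapping (reusing the VLAN numbers from the legacy configuration slide) and the rule that a leaf receives a contract rule when it hosts an endpoint in either of that rule's EPGs are assumptions made for the example.

```python
"""Constructed simulation of the ACI concrete model (not APIC code): policy is
instantiated on a leaf only when an endpoint that needs it attaches there.

Assumptions: contracts are flattened to (consumer EPG, provider EPG, proto,
port) rules; an EPG is derived from the VLAN encap of the attachment; a leaf
receives a rule when a local endpoint belongs to either EPG of that rule.
"""
from collections import defaultdict

# The page's three contracts, flattened to one rule per filter port.
CONTRACT_RULES = frozenset({
    ("Outside", "Web", "tcp", 80), ("Outside", "Web", "tcp", 443),
    ("Web", "App", "tcp", 8081),
    ("App", "DB", "tcp", 1433),
})
# Constructed encap -> EPG derivation, reusing the VLAN numbers of the legacy
# slide; 666 stands in for the external (Outside) attachment.
ENCAP_TO_EPG = {666: "Outside", 333: "Web", 555: "App", 777: "DB"}


class Apic:
    def __init__(self, rules=CONTRACT_RULES, encap_map=ENCAP_TO_EPG):
        self.rules = rules
        self.encap_map = encap_map
        self.endpoints = {}                  # (leaf, port, vlan) -> (mac, ip, epg)
        self.leaf_policy = defaultdict(set)  # leaf -> rules pushed to that leaf

    def endpoint_attached(self, leaf, port, vlan, mac, ip):
        """Steps 1-3: EP attaches, APIC derives its EPG, pushes policy to the leaf."""
        epg = self.encap_map.get(vlan)
        if epg is None:                      # unknown encap: no EPG, so no policy
            raise ValueError(f"no EPG for vlan {vlan} on {leaf}/{port}")
        self.endpoints[(leaf, port, vlan)] = (mac, ip, epg)
        self._push_policy(leaf)
        return epg

    def endpoint_detached(self, leaf, port, vlan):
        """Policy that no local EP needs any more is withdrawn from the leaf."""
        del self.endpoints[(leaf, port, vlan)]
        self._push_policy(leaf)

    def endpoint_moved(self, old, new, mac, ip):
        """IP/MAC portability: the same endpoint re-attaches elsewhere in the fabric."""
        self.endpoint_detached(*old)
        return self.endpoint_attached(*new, mac, ip)

    def local_epgs(self, leaf):
        return {epg for (l, _, _), (_, _, epg) in self.endpoints.items() if l == leaf}

    def _push_policy(self, leaf):
        """Each rule names both source and destination EPG; a leaf gets the rules
        in which one of its locally attached EPGs appears."""
        local = self.local_epgs(leaf)
        self.leaf_policy[leaf] = {r for r in self.rules if r[0] in local or r[1] in local}

    def leaf_permits(self, leaf, src_epg, dst_epg, proto, port):
        """Leaf-side enforcement: whitelist, so no installed rule means drop."""
        return (src_epg, dst_epg, proto, port) in self.leaf_policy[leaf]


if __name__ == "__main__":
    apic = Apic()
    apic.endpoint_attached("leaf1", "eth1/7", 333, "00:50:56:00:00:01", "10.2.4.7")
    print("leaf1 rules:", sorted(apic.leaf_policy["leaf1"]))
```

Attaching one Web endpoint to leaf1 installs only the rules that name the Web EPG there; a leaf with no endpoints holds no rules at all, and moving the endpoint to another leaf withdraws the rules from the old leaf and installs them on the new one, which is the "IP addresses are fully portable" property from the earlier slide expressed as state changes.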
