What is Cisco ACI?
www.lumoscloud.com
courses@lumoscloud.com
Agenda
§ SDN/Overlay Networking Primer
§ Overview and Terminology
§ What Are We Solving?
§ Logical Model Overview
§ Concrete Model Overview
SDN/Overlay Networking Primer
Industry Trends
DevOps
New operational models are driving the need for infrastructure change.
SDN
Software Defined Networking (or, as the joke goes, "Still Don't Know")
(Diagram: SDN shown as the separation of the Control Plane from the Data Plane)
Software Overlays – Network Virtualization
(Diagram: Virtual Network 1, Virtual Network 2 and Virtual Network 3 overlaid on one physical network; overlay encapsulations shown: VxLAN, NVGRE)
APIC
All forwarding in the fabric is managed through the application network profile
• IP addresses are fully portable anywhere within the fabric
• Security and forwarding are fully decoupled from any physical or virtual network attributes
• Devices autonomously update the state of the network based on configured policy requirements
ACI Fabric
(Diagram: ACI Spines and ACI Leafs; attached to the leafs are External L2 / L3 and L4–7 Services, Servers, and OOB Management)
What are we solving?
Overloaded Network Constructs
(Diagram: today a basic network construct such as a VLAN, e.g. vLAN 777 for the DB Servers, is made to carry Policy, SLAs, L4-7 Services (FW, IDS/IPS), Application Tiers, Subnets, Protocols, Provider / Consumer Ports and Relationships all at once)
What is an Application to the Network?
It is more than just a VM or server:
§ It is the collection of all the Application's End Points
'plus'
§ The Application's L2 – L7 Network Policies
'plus'
§ The Relationship between these End Points and their Policies
(Diagram, shown twice: Web Tier, App Tier and DB Tier, each with its End Points, QoS, Service and Filter; an External Network reaches the Web Servers through the Outside EPG; FW, SLB and IDS/IPS service nodes sit between the Web Servers, App Servers and DB Servers)

WEB_contract
  Consumer: Outside EPG
  Provider: Web EPG
  Filter:   TCP ports 80 and 443
  Contract: use firewall NAT + SLB + SSL offload

APP_contract
  Consumer: Web EPG
  Provider: App EPG
  Filter:   TCP port 8081
  Contract: use firewall NAT; use SLB; copy pkt to IDS/IPS

DB_contract
  Consumer: App EPG
  Provider: DB EPG
  Filter:   TCP port 1433
  Contract: use firewall+NAT; copy to IDS/IPS
Define Service Policies
(Diagram: the same Application Network Profile is copied ("Copy Profile") from DEV to TEST to PROD; in each environment, behind its own Outside EPG, the policy reads identically:)

Outside EPG → Web EPG
  TCP ports 80 and 443
  use firewall NAT
  use SLB + SSL offload
  (service nodes: FW, SSL, SLB)

Web EPG → App EPG
  TCP port 8081
  use firewall NAT
  use SLB
  copy to IDS/IPS
  (service nodes: FW, SLB, IDS/IPS)

App Servers (app, app)
• Stateless filtering between EPGs is implicitly provided by the ACI fabric (no contract, no connectivity), which may eliminate the need for some firewalls within the datacenter.
• Contracts define what an EPG exposes to other application tiers and 'how'.
Defining Terms
§ End-Point Group (EPG) - Container for objects requiring the same policy treatment, i.e. app tiers or services
§ Tenant - Logical separator for: Customer, BU, group etc. Separates traffic, admin, visibility, etc.
§ Private-Network (L3) - Equivalent to a VRF; separates routing instances, can be used as an admin separation
§ Bridge Domain (BD) - NOT A VLAN, simply a container for subnets. CAN be used to define an L2 boundary
§ Contract - Contracts represent policies between EPGs. Contracts are "provided" by one EPG and "consumed" by another.
Management Information Model
(Diagram of the containment hierarchy:)
Ø Tenant (1) contains (n): Bridge Domains, L2/L3 Outside Networks, Application Profiles, Contexts (VRF), Contracts, Filters
Ø Bridge Domains (n) relate to one Context (VRF) (1)
Ø Bridge Domain (1) contains Subnets (n)
Ø Application Profile (1) contains EPGs (n)
Ø Contract (1) contains Subjects (n); Subjects relate to Filters (n:n)
Ø Solid lines indicate objects below contained
Ø Dashed lines indicate a relationship
Ø 1:n indicates one to many
Ø n:n indicates many to many
Application Network Profile
(Diagram: EPGs of the profile provide contracts; each EPG maps to a bridge domain (bd) with its subnets, and the bridge domains sit in one L3 context)
Concrete Model Overview
Applying Policy to End-Points
1) End Point attaches to fabric
2) APIC detects End Point and derives its EPG
   • Designated as source EPG
3) APIC pushes required policy to leaf switch
   • Policies require both source and destination EPG
(Diagram: a VM attached to a leaf; APIC pushes policy to that leaf)
APIC manages pushing of policy to the leaf enforcement point when EPs connect.
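The following is an added illustration, not Cisco or APIC code, of the two policy ideas on these slides: the whitelist contract model of the Web/App/DB profile (consumer EPG, provider EPG, filter, implicit deny and the stateless filtering the fabric provides) and the concrete model above, where a leaf receives the rules for a (source EPG, destination EPG) pair only once an endpoint of one of those EPGs attaches to it. The three contracts are taken from the slide; the class names, the `Leaf` type, `attach()`, `permitted()`, the one-subject-per-contract simplification, the permit-by-default for intra-EPG traffic and the reverse-direction handling (modelled on ACI's default "apply both directions" with reversed filter ports) are assumptions of this example.

```python
"""Toy model of the ACI whitelist policy described on these slides: EPGs,
contracts with filters, and the push of contract rules to a leaf when an
endpoint attaches. Added illustration, not Cisco/APIC code. Everything
except the three slide contracts (class names, the Leaf type, attach()
and permitted()) is an assumption made for the example."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FilterEntry:
    """One entry of a contract filter: protocol plus a destination port range."""
    proto: str          # "tcp", "udp" or "any"
    dport_from: int
    dport_to: int

    def matches(self, proto: str, dport: int) -> bool:
        return self.proto in ("any", proto) and self.dport_from <= dport <= self.dport_to


@dataclass(frozen=True)
class Contract:
    """Provided by one EPG, consumed by another; for brevity it carries a
    single subject, i.e. one tuple of filter entries."""
    name: str
    provider: str            # EPG exposing the service
    consumer: str            # EPG allowed to reach it
    entries: tuple           # filter entries of the single subject
    services: tuple = ()     # L4-7 actions from the slide, informational only


def tcp(*ports: int) -> tuple:
    return tuple(FilterEntry("tcp", p, p) for p in ports)


# Constructed from the slide's Web/App/DB application profile.
CONTRACTS = (
    Contract("WEB_contract", provider="Web", consumer="Outside", entries=tcp(80, 443),
             services=("firewall NAT", "SLB", "SSL offload")),
    Contract("APP_contract", provider="App", consumer="Web", entries=tcp(8081),
             services=("firewall NAT", "SLB", "copy to IDS/IPS")),
    Contract("DB_contract", provider="DB", consumer="App", entries=tcp(1433),
             services=("firewall+NAT", "copy to IDS/IPS")),
)


def permitted(src_epg, dst_epg, proto, dport, sport=0, contracts=CONTRACTS) -> bool:
    """Stateless whitelist evaluation, as the fabric does it.

    Allowed only if a contract is consumed by src and provided by dst and a
    filter entry matches the destination port. The provider -> consumer
    direction is allowed with the ports swapped (assumption modelling ACI's
    default 'apply both directions' + 'reverse filter ports'), which is what
    lets TCP replies pass a stateless filter. Intra-EPG traffic is permitted.
    """
    if src_epg == dst_epg:
        return True
    for c in contracts:
        if c.consumer == src_epg and c.provider == dst_epg:
            if any(e.matches(proto, dport) for e in c.entries):
                return True
        if c.consumer == dst_epg and c.provider == src_epg:
            if any(e.matches(proto, sport) for e in c.entries):
                return True
    return False            # implicit deny: no contract, no connectivity


@dataclass
class Leaf:
    """Enforcement point. It holds only the contracts that involve an EPG with
    an endpoint attached locally; anything else is dropped as unknown."""
    name: str
    endpoints: dict = field(default_factory=dict)    # endpoint -> EPG
    contracts: dict = field(default_factory=dict)    # contract name -> Contract


def attach(leaf: Leaf, endpoint: str, epg: str, contracts=CONTRACTS) -> list:
    """Steps 1-3 of the slide: the EP attaches, its EPG is derived (passed in
    here; the real APIC derives it from the attachment, e.g. the VLAN encap or
    VMM port group) and the contracts naming that EPG, i.e. the
    (source EPG, destination EPG) pairs this leaf must enforce, are pushed."""
    leaf.endpoints[endpoint] = epg
    for c in contracts:
        if epg in (c.provider, c.consumer):
            leaf.contracts[c.name] = c
    return sorted(leaf.contracts)


def leaf_permitted(leaf: Leaf, src_epg, dst_epg, proto, dport, sport=0) -> bool:
    """Same evaluation, restricted to the rules this leaf has received."""
    return permitted(src_epg, dst_epg, proto, dport, sport, tuple(leaf.contracts.values()))


if __name__ == "__main__":
    leaf = Leaf("leaf-101")
    print(attach(leaf, "db01", "DB"))                          # ['DB_contract']
    print(leaf_permitted(leaf, "App", "DB", "tcp", 1433))      # True
    print(leaf_permitted(leaf, "Outside", "Web", "tcp", 80))   # False until a Web EP attaches
```

The per-leaf view is the point of "policies require both source and destination EPG": a rule is keyed on the EPG pair, so a leaf that only hosts DB servers never receives WEB_contract, and an Outside-to-Web flow arriving there is dropped by the implicit deny rather than by any explicit firewall rule.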
APIC Policy Model