Agenda
• Day 1: Why ACI?
• Day 2: Infrastructure and Policies
• Day 3: Forwarding Overview
• Day 4: Network Centric Migrations
• Day 5: Multi Location Deployments
• Day 6: Troubleshooting Tools
• Day 7: Additional Resources
#CLMEL BRKACI-1001 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Webex Teams
Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session.
How:
1. Open the Cisco Events Mobile App
2. Find your desired session in the “Session Scheduler”
3. Click “Join the Discussion”
4. Install Webex Teams or go directly to the team space
5. Enter messages/questions in the team space
cs.co/ciscolivebot#BRKACI-1001
Reference Slide Icon ➔
Acronyms/Definitions
Acronym / Definition
ACI: Application Centric Infrastructure
EP: Endpoint
SVI: Switch Virtual Interface
Day 1: Why ACI?

Challenges of Traditional Network
• Complicated Core/Dist/Access Topology, layer separation
• CLI to every Device, harder as we scale
• Static Configuration, lots of copy and paste, No Automation
• Coordination between Network and Server Team

No such challenges with ACI !!
(Slide builds, shown once. Each traditional-network challenge on the left is paired with the ACI answer on the right.)
• Complicated Core/Dist/Access Topology, layer separation → Simple SPINE/LEAF Topology
• Spanning Tree for Loop Free Topology → No STP: ECMP Routing between LEAF & SPINE in the Infra VRF
• No default security isolation → White List Model: contracts between EPGs
• CLI to every Device, harder as we scale; Static Configuration, lots of copy and paste, No Automation; Coordination between Network and Server Team

Spine1# show module
Mod Ports Module-Type                         Model            Status
--- ----- ----------------------------------- ---------------- ------
2   32    32p 40/100G Ethernet Module         N9K-X9732C-EX    ok
22  0     Fabric Module                       N9K-C9504-FM-E   ok
23  0     Fabric Module                       N9K-C9504-FM-E   ok
24  0     Fabric Module                       N9K-C9504-FM-E   ok
26  0     Fabric Module                       N9K-C9504-FM-E   ok
27  0     Supervisor Module                   N9K-SUP-A        Active
28  0     Supervisor Module                   N9K-SUP-A        Standby

Leaf4# show module
ACI Overview – Fabric Discovery
(Diagram.) Legend: R = L3 Routing; V = VLAN; GW = Gateway (SVI); T = Infra IP (Tunnel Endpoint: TEP).
Spines and leafs each carry a TEP and run the ISIS/BGP Overlay; gateways (SVIs) sit on the leafs; the APIC Cluster, Bare Metal servers and Hypervisors attach to the leafs; the External L2 & L3 Network attaches through routed (R) and VLAN (V) connections.
ACI overlay network
(Diagram.) Legend: T = Tunnel Endpoint (TEP); RR = BGP Route Reflector; R = Routes from L3OUT; VxLAN VNID between TEPs; WAN reached through the L3OUT.
• APIC assigns TEP. Automatically establishes ISIS. No manual ISIS config; no ISIS knowledge is required.
• APIC assigns RR (Route Reflector). Automatically establishes BGP. No manual config is required (except for RR).
• APIC assigns VNID. No manual VxLAN config; no VxLAN knowledge is required.
APIC Controller
(Diagram.) APIC Controller (UCS C220) connected to the ACI Fabric and to OOB MGMT; the connections are labelled A and S on the slide.
Infrastructure and Services
Required Addressing
1. Infra Subnet
2. Infra VLAN
3. BD Multicast Range
4. OOB Network IP’s (CIMC included)
Management - Required Addressing
Planning
Requirements / Notes / Example
Infra VLAN: VLAN will be reserved for internal ACI communication. Cannot be deployed toward user servers. Example: 3967
APIC OOB IP: 1 IP per APIC, has to be out of band. Inband can be configured later.
Infrastructure and Services
APIC Management
(Diagram.) The APIC Cluster (three APICs) is managed through the APIC UI, the API and the CLI (ssh).
Take a first look at APIC Controller (Inventory)
(Screenshots of the APIC inventory views.)

Take a first look at APIC Controller (Dashboard)
(Screenshots of the APIC dashboard.)
Faults
Faults are indications of mis-config or any issues on ACI Fabric.
※ This is a lab setup. Try to clear all faults whenever a new one is raised in production.
Looks like we had an issue!
Health Score
Health scores are based on faults and events.
Day 2: Infrastructure and Policies

Checklist
❑ CIMC
❑ Management
❑ NTP
❑ AAA/RBAC
❑ Backups

Infrastructure and Services
CIMC
(Screenshots of the CIMC configuration.)

Checklist
✓ CIMC
❑ Management
❑ NTP
❑ AAA/RBAC
❑ Backups

Infrastructure and Services
Switch Management
(Diagram: spine 1, spine 2, the ACI Fabric and the APIC.)
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/4-x/basic-configuration/Cisco-APIC-Basic-Configuration-Guide-401/Cisco-APIC-Basic-Configuration-Guide-401_chapter_011.html
Infrastructure and Services
AAA / RBAC
(Diagram.) The APIC Cluster (APIC, APIC, APIC) pushes the Config/Policy ("Which AAA server?" etc.) to the Spine and Leaf switches; each of them needs mgmt IP reachability to the AAA Server.
Each node (both APIC and Switch) still needs their own management IP reachability to an AAA server.
Infrastructure and Services
AAA
“Oh no! We lost connectivity to servers on February 12th at 3pm EST!?”

jristain@apic1:~> moquery -c aaaModLR | grep -C 12 "2017-02-13T15"
<snip>
# aaa.ModLR
id          : 8589940567
affected    : uni/tn-Joey-Tenant/BD-Joey-BD3
cause       : transition
changeSet   : arpFlood (Old: no, New: yes), unkMacUcastAct (Old: proxy, New: flood)
childAction :
clientTag   :
code        : E4206171
created     : 2017-02-13T15:06:07.249+00:00
descr       : BD Joey-BD3 modified
dn          : subj-[uni/tn-Joey-Tenant/BD-Joey-BD3]/mod-8589940567
ind         : modification
modTs       : never
rn          : mod-8589940567
sessionId   : Ld0sxAcCRfmb2Qb+W+XbUg==
severity    : info
status      :
trig        : config
txId        : 4611686018449066821
user        : remoteuser-jristain
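To turn this audit-log query into a repeatable check, here is an added example (my own code, not from the Cisco Live deck or from Cisco) that parses the text `moquery -c aaaModLR` prints, keeps the records created within a window around a reported outage time, and decodes the changeSet field into old/new attribute values. The first embedded record is the one shown above; the second is constructed for contrast and is not real APIC data. It runs offline on the embedded text; in practice you would feed it the output captured from the APIC.

```python
"""Summarise APIC audit-log records (aaa.ModLR) around a reported incident time.

Added example (not from the Cisco Live deck or from Cisco). It parses the
plain-text output of `moquery -c aaaModLR`, keeps the records whose `created`
timestamp falls inside a window around the reported time, and decodes the
changeSet field into attribute -> (old, new). Runs offline on the text below.
"""
import re
from datetime import datetime, timedelta

# Sample input: the first record is the one from the slide; the second record
# is constructed here for contrast and is not real APIC data.
SAMPLE_MOQUERY_OUTPUT = """\
# aaa.ModLR
id          : 8589940567
affected    : uni/tn-Joey-Tenant/BD-Joey-BD3
cause       : transition
changeSet   : arpFlood (Old: no, New: yes), unkMacUcastAct (Old: proxy, New: flood)
childAction :
clientTag   :
code        : E4206171
created     : 2017-02-13T15:06:07.249+00:00
descr       : BD Joey-BD3 modified
dn          : subj-[uni/tn-Joey-Tenant/BD-Joey-BD3]/mod-8589940567
ind         : modification
modTs       : never
rn          : mod-8589940567
sessionId   : Ld0sxAcCRfmb2Qb+W+XbUg==
severity    : info
status      :
trig        : config
txId        : 4611686018449066821
user        : remoteuser-jristain

# aaa.ModLR
id          : 8589940600
affected    : uni/tn-Joey-Tenant/ap-Prod-AP/epg-VLAN_100
cause       : transition
changeSet   : name (New: VLAN_100)
created     : 2017-02-10T09:12:44.000+00:00
descr       : EPG VLAN_100 created
ind         : creation
severity    : info
trig        : config
user        : admin
"""

# "attr (Old: x, New: y)" or, for creations, "attr (New: y)"
CHANGE_RE = re.compile(r"(\w+) \((?:Old: ([^,]*), )?New: ([^)]*)\)")


def parse_moquery(text):
    """Split moquery text into dicts, one per managed object ("# class" header)."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("# "):
            current = {"_class": line[2:].strip()}
            records.append(current)
            continue
        key, sep, value = line.partition(":")   # first colon separates key and value
        if current is not None and sep and key.strip():
            current[key.strip()] = value.strip()
    return records


def parse_changeset(changeset):
    """'arpFlood (Old: no, New: yes)' -> {'arpFlood': ('no', 'yes')}; Old is None on creation."""
    return {m.group(1): (m.group(2), m.group(3)) for m in CHANGE_RE.finditer(changeset)}


def changes_around(text, reported_at_iso, window_hours=24):
    """Audit-log records created within +/- window_hours of the reported time, oldest first."""
    reported_at = datetime.fromisoformat(reported_at_iso)
    window = timedelta(hours=window_hours)
    hits = []
    for rec in parse_moquery(text):
        if rec.get("_class") != "aaa.ModLR" or not rec.get("created"):
            continue
        created = datetime.fromisoformat(rec["created"])   # 2017-02-13T15:06:07.249+00:00
        if abs(created - reported_at) <= window:
            hits.append({"when": created,
                         "user": rec.get("user", ""),
                         "affected": rec.get("affected", ""),
                         "changes": parse_changeset(rec.get("changeSet", ""))})
    return sorted(hits, key=lambda h: h["when"])


if __name__ == "__main__":
    # "We lost connectivity ... February 12th at 3pm EST" is 2017-02-12 20:00 UTC
    for hit in changes_around(SAMPLE_MOQUERY_OUTPUT, "2017-02-12T20:00:00+00:00"):
        print(hit["when"].isoformat(), hit["user"], hit["affected"])
        for attr, (old, new) in hit["changes"].items():
            print(f"    {attr}: {old} -> {new}")
```

The default 24-hour window catches the BD change by remoteuser-jristain but not the older EPG creation; widening the window with `window_hours` brings it in, which is the usual second pass when the first window turns up nothing.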
Checklist
✓ CIMC
✓ Management
✓ NTP
✓ AAA/RBAC
❑ Backups

Infrastructure and Services
Backups – Configuration Export
• The current fabric configuration/policy in JSON/XML
• Best practice for DISASTER RECOVERY
Infrastructure and Services
Backups - Snapshots
(Screenshot of a snapshot diff with "Changed From" and "Changed To" columns.)

Infrastructure and Services
CIMC, NTP, AAA, and Backup Planning
Requirements / Notes
CIMC IP per APIC: Unique IP address used for IP KVM built into APIC. Must use dedicated port.
NTP Server: NTP Server which all nodes inside fabric will use.
User Management: TACACS/RBAC or RADIUS Server for accounting. Custom local user account can be used too.
Checklist
✓ CIMC
✓ Management
✓ NTP
✓ AAA/RBAC
✓ Backups

Fabric and Tenant Policies
Tenant and Fabric Policies
• Fabric Policy – Physical Concept: port-channel, I/F speed, LLDP/CDP etc, VLAN trunk
• Tenant Policy – Network Logical Concept: EPG/BD/VRF, Contract etc
Fabric and Tenant Policies
Access Policies
(Diagram: spines S10, S20; leafs L1, L2, L3, L4.)

Fabric and Tenant Policies
vPC Domain Policy
• No Peer-Link
• No Peer-Keepalive
• Uses Fabric Links for Communication

Fabric and Tenant Policies
Access Policies
(Diagram: spines S10, S20; leafs L1, L2 form the 101-102 vPC and leafs L3, L4 form the 103-104 vPC; a vPC Port-Channel hangs off each pair.)
Fabric and Tenant Policies
Port-Channels
(Diagram: leafs L1-L4 with a BareMetal-vPC server and a Nexus 7000 on N7000-vPC.) The equivalent NX-OS configuration:
interface port-channel10
  switchport mode trunk
  vpc 10
interface Ethernet1/10
  speed 10000
  lldp transmit
  lldp receive
  channel-group 10 mode active
AEP
The AEP is used to associate a domain to one or more interface policy groups. In most deployments it is recommended to use a single AEP if VMM integration is not being used. If the ACI Fabric will be integrated with n VMM domains, use 1 + n to determine how many AEPs are needed.
The Domain is used to specify what type of path (VLAN) can be deployed on an interface. If an AEP does not contain an “External Routed Domain”, the interface cannot be used to deploy an L3Out.
In most deployments a single VLAN pool can be used with 1 Physical Domain and 1 External Routed Domain.
Relationship View
Access Policies Workflow Example
(Diagram: Switch Profiles Leaf-101 and vPC-101-102 with their interface profiles, policy groups and AEP.)

Planning
Requirements / Notes / Example
AEP: 1 AEP for all Policy groups. Map all domains to this Policy group. Example: Prod_AEP
Switch Profile: 1 Profile per switch for Orphan Ports, 1 Profile per vPC Domain (containing both switches). Example: vPC-101-102, Leaf101, Leaf102
Interface Profile: Create a 1 to 1 mapping to switch Profile. Example: vPC-101-102, Leaf101, Leaf102
Policy Group: 1 Policy Group per Port-Channel/vPC. Policy Groups can be reused for access ports. Assign AEP to Policy Group. Example: N7710-vPC
Global Policy
Pools (Vlan / VXLAN)
A resource pool of encapsulations that can be allocated within the fabric. (Diagram: Pool1, Pool2.)

Global Policy - Attachable Entity Profiles
Configuration:
• Create a VLAN/VXLAN pool with a range of encapsulations
• Create a domain (physical, l2/l3 external, or VMM) and associate pool
• Associate domain to AEP
• Associate interface policy group to AEP; switch/interface selectors will apply the config through the interface policy group assigned to specific ports
(Diagram: Pool1 to Pool4 feed the domains DomPhy1, DomVm1, DomL2 and DomL3; the domains map to AEPs for Statics, VMs and External; each AEP reaches ports 1-4 through an interface policy group.)
What have we accomplished?
• Specified what domains and corresponding pools are allowed per interface in the fabric!
Access Policies SWITCH POLICY
(Screenshot.)

Interface Policy Groups
Used to specify which interface policies to be applied to a particular interface type. It also associates an AEP (which defines which domains are allowed on the interface).
Types:
• Access port (EP1)
• Access Bundle Groups: Virtual Port-channel (EP2), Port-channel (EP3)
(Diagram: VPC Domain 1 with endpoints EP1, EP2, EP3.)
Note: Separate policy groups should be created for each port-channel (standard or VPC) that you need to configure. All interfaces on a leaf that are associated with a particular access bundle group reside in the same channel.
Port-Channel Policies
Classical vPC Domain configuration: required configuration of domain, peer-link, and peer-keepalive link on both devices in domain.
ACI Port-Channel Policies: specify mode, minimum / maximum links, and related protocol options (relating to LACP).
interface Ethernet1/5-6
  lacp port-priority 32768
  lacp rate normal
  channel-group 10 mode on
interface Ethernet1/10-11
  lacp port-priority 32768
  lacp rate fast
  channel-group 20 mode active
Access Policy Example
General Configuration (reused for many interfaces):
1) Configure a physical domain and vlan pool
2) Create an AEP and associate physical domain
3) Create switch/interfaces profiles for leaf (LEAF101)
   • very easy to apply configurations if you create a switch/interface profile for each leaf and one for each VPC domain pair
4) Configure Interface policies (LACP / LLDP)
(Diagram: AEP CiscoLive with DomPhy1 and Pool1; Switch Profile LEAF101 with block Leaf_101; Interface Profile LEAF101; Policies: LACP Active, LLDP Rx / Tx enabled.)
Creating Physical Domain / AEP / Vlan Pool
(Screenshots.) In the dropdown, click Create Attachable Entity Profile; then, in the dropdown, click Create VLAN Pool.

Create Interface Profile for each leaf / VPC domain
(Screenshot.)

Create Switch Profile for each leaf / VPC domain
(Screenshots.) Enter name.

Create common protocol configurations
Example demonstrates a common lacp port-channel policy. Configure options/knobs.
Access Policy Example
Interface specific (each time you add a new interface):
1) Create policy group for device (VPC / PC / Access)
2) Within the policy group, select the desired policies / AEP
3) Associate interfaces to policy group via desired leaf profile
   • use specific leaf profile if access or PC
   • use VPC leaf profile if policy group is VPC
(Diagram: AEP CiscoLive with DomPhy1 and Pool1; Switch Profile LEAF101 with block Leaf_101; Interface Profile LEAF101 with selector blk_1/1-2; Policy Group PC_Server_1; Policies: LACP Active.)

Create policy groups
(Screenshot.) Use a descriptive name. Note: a separate policy group should be created for each PC/VPC that you will deploy. Associate your desired interface policies (otherwise default).

Create interface selectors / associate policy group
(Screenshot.) Specify interface/range.

Example policy scheme
(Diagram: Switch Profiles Leaf101 and Leaf101_102; interface selector 1/1-4.)
vPC Protection Group Policy
(Diagram: vPC Domain 1 and vPC Domain 2.)
Classical vPC Domain configuration: required configuration of domain, peer-link, and peer-keepalive link on both devices in domain.
vpc domain 1
  peer-keepalive destination 172.168.1.2 source 172.168.1.1 vrf vpc-keepalive
  peer-gateway
  ip arp synchronize
interface port-channel 20
  vpc peer-link
ACI vPC Domain configuration: specify the Domain ID and the two Leaf switch IDs that form the domain pair.
VPC Protection Group
  Name: vPC-Domain100
  ID: 100
  Switch1: 101
  Switch2: 102

VPC Protection Group (example configuration)
GUI sequence:
Tabs: Fabric -> Access Policies
Navigation Tree: Switch Policies -> Policies -> VPC Domain -> Default
Fabric and Tenant Policies
Tenant Policies
(Diagram: three ways of attaching endpoints to the ACI Fabric, each extending a VLAN to the legacy network: Static Binding for a baremetal server; VMM Integration for a Hypervisor Cluster; WAN Connectivity for endpoints behind the legacy network and the WAN.)

Fabric and Tenant Policies
Tenant Policies (Static Binding)
(Diagram: spines S10, S20; servers and a Nexus 7000 attached to the leafs.)
Fabric and Tenant Policies
Tenant Policies – Key concepts
(Diagram: a Tenant contains a VRF; the VRF contains a Bridge Domain; the Bridge Domain contains EPGs; an ICMP Contract allows traffic from one EPG to another.)
Contracts are a collection of filters which allow traffic to pass between EPGs.
Contracts are similar to access-lists. Consumer is Source, Provider is Destination.
Filters contain a list of protocols and ports.
Fabric and Tenant Policies
Tenant View
(Screenshot: EPGs, Bridge Domains, VRFs, Contracts.)

Fabric and Tenant Policies
Deploying a VRF
(Screenshot.)

Fabric and Tenant Policies
Deploying a Bridge Domain
(Screenshot.)

Fabric and Tenant Policies
Deploying an EndPoint Group
(Screenshot.) Corresponding legacy-side configuration on the Nexus 7000:
N7710# configure terminal
N7710(config)# interface port-channel 1
N7710(config-if)# switchport trunk allowed vlan add 100

Fabric and Tenant Policies
Tenant Policies
(Diagram: spines S10, S20; an L2 Path between the servers and the Nexus 7000 through the fabric.)
Fabric and Tenant Policies
Planning
Requirements / Notes / Example
Tenant: 1 Tenant can be used per company. Tenants can also separate functions of a business. NOTE: Shorter names are easier when using CLI. Example: Prod/Dev
VRF: 1 or more VRFs per Tenant. Example: PROD-MAIN; DEV-TEST, DEV-PROD
Bridge Domain: Recommended to have 1 BD per Legacy VLAN. For Network Centric Migrations, 1 BD should be used for each EPG. Example: VLAN_100, VLAN_101, BD_vMotion
Application Profile: Logical Container for EPGs. 1 AP is sufficient in most installations. NOTE: This is strictly a management entity. No policies are defined on this object. Example: Prod-AP
EndPoint Group: Ports/VLANs (static path bindings) are added to EPGs to define what Endpoints get defined in what EPGs. QoS/Contracts, etc. are added to EPGs. For Network Centric Migrations, 1 EPG should be used for each Legacy VLAN. Example: VLAN_100, VLAN_101, vMotion
Contracts: Contracts can be re-used across multiple EPGs. If we compare this to an ACL, the Consumer is the Source, and the Provider is the Destination. Example: Web
Filters: Add Required Ports and Protocols to allow communication. Only what is specified in the filter → contract will be allowed between EPGs providing and consuming that contract. Example: SRC: Any, DST:80; SRC: Any, DST:443
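As an added example (my own code, not from the deck or from Cisco), the script below builds the APIC REST JSON for the Prod tenant described by this planning table: VRF PROD-MAIN, bridge domains VLAN_100 and VLAN_101, application profile Prod-AP, EPGs VLAN_100 and VLAN_101 statically bound to the N7710-vPC path from the access-policy example, and a Web contract whose filter allows only TCP 80 and 443. Class and attribute names (fvTenant, fvCtx, fvBD, fvAp, fvAEPg, fvRsPathAtt, vzBrCP, vzFilter, vzEntry) follow the ACI object model; the vPC path DN `topology/pod-1/protpaths-101-102/pathep-[N7710-vPC]` and the pod number are assumptions. It only builds and checks the payload and never posts to a controller.

```python
"""Build the APIC REST payload for the network-centric tenant in the planning table.

Added example (not from the deck or from Cisco). Class and attribute names
follow the ACI object model (fvTenant, fvCtx, fvBD, fvAp, fvAEPg, vzFilter,
vzBrCP, fvRsPathAtt); tenant/VRF/BD/EPG/contract names are the table's
examples. The vPC path DN and pod number are assumptions. The script builds
and checks the JSON only; it never contacts a controller.
"""
import json
from typing import Dict, Iterable, List, Set

# Assumed static path for the N7710 vPC on leafs 101-102 (from the access-policy example).
VPC_PATH_TDN = "topology/pod-1/protpaths-101-102/pathep-[N7710-vPC]"


def mo(cls: str, attributes: Dict[str, str], children: Iterable[dict] = ()) -> dict:
    """One managed object in the {class: {"attributes": ..., "children": [...]}} shape APIC accepts."""
    body = {"attributes": dict(attributes)}
    kids = list(children)
    if kids:
        body["children"] = kids
    return {cls: body}


def tcp_filter(name: str, dst_ports: Iterable[int]) -> dict:
    """vzFilter with one vzEntry per destination TCP port; the source port is left as any."""
    entries = [mo("vzEntry", {"name": f"tcp-{p}", "etherT": "ip", "prot": "tcp",
                              "dFromPort": str(p), "dToPort": str(p)}) for p in dst_ports]
    return mo("vzFilter", {"name": name}, entries)


def contract(name: str, filter_names: Iterable[str]) -> dict:
    subject = mo("vzSubj", {"name": "subj"},
                 [mo("vzRsSubjFiltAtt", {"tnVzFilterName": f}) for f in filter_names])
    return mo("vzBrCP", {"name": name, "scope": "context"}, [subject])


def bridge_domain(name: str, vrf: str) -> dict:
    # Network-centric L2 migration defaults: ARP flooding on, unknown unicast flooded,
    # unicast routing off until the gateway moves into ACI (the L3 migration step).
    return mo("fvBD", {"name": name, "arpFlood": "yes", "unkMacUcastAct": "flood",
                       "unicastRoute": "no"},
              [mo("fvRsCtx", {"tnFvCtxName": vrf})])


def epg(name: str, bd: str, vlan: int,
        provided: Iterable[str] = (), consumed: Iterable[str] = ()) -> dict:
    children = [mo("fvRsBd", {"tnFvBDName": bd}),
                mo("fvRsPathAtt", {"tDn": VPC_PATH_TDN, "encap": f"vlan-{vlan}",
                                   "mode": "regular", "instrImedcy": "immediate"})]
    children += [mo("fvRsProv", {"tnVzBrCPName": c}) for c in provided]
    children += [mo("fvRsCons", {"tnVzBrCPName": c}) for c in consumed]
    return mo("fvAEPg", {"name": name}, children)


def build_tenant() -> dict:
    return mo("fvTenant", {"name": "Prod"}, [
        mo("fvCtx", {"name": "PROD-MAIN"}),
        bridge_domain("VLAN_100", "PROD-MAIN"),
        bridge_domain("VLAN_101", "PROD-MAIN"),
        tcp_filter("web-ports", [80, 443]),
        contract("Web", ["web-ports"]),
        mo("fvAp", {"name": "Prod-AP"}, [
            epg("VLAN_100", "VLAN_100", 100, provided=["Web"]),   # web servers
            epg("VLAN_101", "VLAN_101", 101, consumed=["Web"]),   # clients
        ]),
    ])


def find_objects(node: dict, cls: str) -> List[Dict[str, str]]:
    """Depth-first walk of the payload; returns the attribute dicts of every `cls` object."""
    found = []
    for node_cls, body in node.items():
        if node_cls == cls:
            found.append(body["attributes"])
        for child in body.get("children", []):
            found.extend(find_objects(child, cls))
    return found


def allowed_ports(tenant: dict) -> Set[int]:
    """Review step: the white list must contain exactly the table's ports and nothing else."""
    return {int(e["dFromPort"]) for e in find_objects(tenant, "vzEntry")}


def payload_json(tenant: dict) -> str:
    return json.dumps(tenant, indent=2)


if __name__ == "__main__":
    tenant = build_tenant()
    assert allowed_ports(tenant) == {80, 443}
    print(payload_json(tenant))
```

The `allowed_ports` walk is the review step before anything is pushed: with a white-list model, the contract is the only thing letting VLAN_101 reach VLAN_100, so confirming the filter holds exactly 80 and 443 is the check that the policy matches the table.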
Fabric and Tenant Policies
Tenant Policies (VMM Integration)
(Diagram: spines S10, S20.)

Cisco ACI Hypervisor Integration (vmware example)
(Diagram; red = manual operation. Steps as numbered on the slide:)
1. Create VMM Domain (VMM Domain for vCenter A)
2. Cisco APIC and VMware vCenter Initial Handshake
4. Attach vmware ESXi to VDS
5. Learn location of ESXi Host through LLDP
7. Push Policy
9. Automatically Map EPGs To Port Groups
(ACI provides Layer 2 toward the servers and Layer 3 toward the WAN/Core.)
Basic Connectivity
(Diagram: node-103 and node-104, each with its RID: # and IP: A / IP: B.)

Fabric and Tenant Policies
Creating a Layer 3 Out
(Screenshot.)

Fabric and Tenant Policies
Route Reflectors
(Diagram: spines S10, S20 as route reflectors; leafs L1-L4; routes 0.0.0.0/0 and 10.0.0.0/24 are learnt from the external router and distributed to the leaf serving the Server.)
Fabric and Tenant Policies
Planning
Requirements / Notes / Example
BGP Route Reflector: Use an AS Number not already in your environment. The AS number is only exposed to the external network when peering BGP with devices. Private AS number can be used. NOTE: CHANGING THE AS NUMBER IS DISRUPTIVE! Example: 65000
External Routed Network: This is your Layer 3 Object. It contains the entire Layer 3 path configuration. Example: L3out-To-Core
Node Profile: Defines which nodes are part of the Layer 3 out Domain. Here is where you define your Router IDs and Static Routes. Example: Leaf101, Leaf102, Leaf101-102
Logical Interface Profile: Defines which interfaces are used for peering. Supported types are Routed Interfaces, Routed Sub-Interfaces, and SVIs. This is also where you define the IP/MTU/VLAN if SVI or Sub-Interface. Example: Port10, vPC-To-Core
Networks (External EPG): This is where you define the external subnets you want to apply policy to. You do this by listing the subnets and applying contracts. NOTE: multiple all 0’s subnets should not be configured in the same VRF. Example: Ext_EPG → 0.0.0.0/0 subnet
Fabric and Tenant Policies
Layer 3 Connectivity
(Diagram: spines S10, S20; ACI provides Layer 2 toward the Server and Layer 3 toward the WAN/Core.)
Day 3: Forwarding Overview

What is an Endpoint?
Traditional Endpoint
L3 – ARP Table: IP / MAC, Interface, VRF
(Diagram: 000a.000a.000a at 192.168.1.100/24 and 000b.000b.000b at 192.168.2.100/24.)
N5K# show mac address-table | grep 000a
* 10 000a.000a.000a dynamic 0 Eth1/1
N5K# show ip arp vrf default | grep 000a
192.168.1.1 00:00:01 000a.000a.000a Vlan10
N5K# show mac address-table | grep 000b
* 20 000b.000b.000b dynamic 0 Eth1/2
N5K# show ip arp vrf default | grep 000b
192.168.2.1 00:00:01 000b.000b.000b Vlan20
What is an Endpoint?
ACI Endpoint
(Diagram: endpoints on Eth1/1 in VLAN 10 and on Eth1/2 in VLAN 20.)
Endpoint Learning - ARP
ACI Leafs learn via ARP!
ARP frame (Hdr/Opcode): Sender MAC 000a.000a.000a; Sender IP 192.168.1.100; Target MAC 0000.0000.0000; Target IP 192.168.1.101
Frame / Unicast Routing? / EP Contents
ARP / No / MAC (Sender MAC)
ARP / Yes / MAC (Sender MAC), IP (Sender-IP)

Endpoint Learning – Routed Frames
Routed Frame triggers an EP Learn
(Diagram: 000a.000a.000a at 192.168.1.100/24 in EPG1 on Eth1/1; 000b.000b.000b at 192.168.2.100/24 in EPG2 on Eth1/2.)
Frame: DMAC = BD MAC; SMAC = 000a.000a.000a; Protocol = 1
Pervasive Gateway
• To work as a default gateway for endpoints
• Gateway IP is programmed on all leafs that need it
• Deterministic Traffic Flow to Gateway
• Consistent Latency across all Devices
(Diagram: spines S10, S20; leafs L1-L4 with the BD1 and BD2 gateways programmed on the leafs that need them; traffic towards the gateway terminates on the local leaf.)
Proxy Routing
• Leafs report EP’s to spine
• Spines maintain a database of all Endpoints Learnt in the Fabric, and on what Leaf(s) they exist.
• Used for “Hardware Proxy” BD Mode.
(Diagram: spines S10, S20; leafs L1-L4.)
1 ✓ EP learnt on Leaf
2 ✓ EP published once Learnt to Spine
3 ✓ EP synced to other Spines
ARP Flooding
EP1 ARP’s for EP2
• Behavior is the same as Traditional Switches
• ARP is flooded using BD Multicast Group to all Leafs that have the BD
(Diagram: spines S10, S20; leafs L1-L4 with BD1 on L1, L2 and L3; EP1 000a.000a.000a 192.168.1.100/24 (EPG1, BD1) on L1; EP2 000b.000b.000b 192.168.1.101/24 (EPG1, BD1) on L3.)
1 ✓ ARP Received on L1
2 ✓ Flooded ARP is in BD, copy to Spine
3 ✓ ARP is flooded to all leafs that have the BD
4 ✓ L2 sends ARP out ports in BD; L3 sends ARP to EP2
ARP Optimization – Unicast Routing
EP1 ARP’s for EP2
• ACI can Unicast ARP to avoid unnecessary Flood traffic. → Requires Unicast Routing on BD
(Diagram: spines S10, S20; leafs L1-L4 with BD1 on L1 and L3; EP1 000a.000a.000a 192.168.1.100/24 (EPG1) on L1; EP2 000b.000b.000b 192.168.1.101/24 (EPG1) on L3.)
1 ✓ ARP Received on L1
2 ✓ L1 doesn’t know Target IP → Send to Spine!
3 ✓ Spine knows Target IP is on L3, Unicast to L3; L3 learns EP1 from L1
4 ✓ L3 sends ARP to EP2
Known Unicast – Layer 2
EP1 pings EP2
(Diagram: spines S10, S20; leafs L1-L4 with BD1 and BD2 deployed; EP1 000a.000a.000a 192.168.1.100/24 (EPG1) on L1; EP2 000b.000b.000b 192.168.2.100/24 (EPG2) on L3. Steps as numbered on the slide:)
1 ✓ ICMP Received on BD GW
2 ✓ L1 looks at the DMAC and knows it exists on L3 in EPG1
3 ✓ Packet is sent from L1 directly to L3 through spines: Outer SIP = L1, Outer DIP = L3, VXLAN BD1, Inner = ICMP
5 ✓ L3 sends ICMP to EP2
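The packet walks above (Proxy Routing, ARP Flooding, ARP Optimization and Known Unicast) come down to which table answers a lookup and who learns what on the way. The following is an added example, my own toy model rather than ACI code and not part of the deck, with leaf names, MACs and IPs constructed to match the diagrams (L1 to L4, EP1 and EP2 in BD1). It keeps a local endpoint table per leaf, a per-leaf cache of remote endpoints learnt from received frames, and the spine proxy database, and returns the forwarding decision for each frame in both BD modes.

```python
"""Toy model of the lookup order behind the packet walks above.

Added example (my own illustration, not ACI code and not from the deck). It
keeps three tables the slides describe: each leaf's local endpoint table, the
leaf's cache of remote endpoints learnt from conversations, and the spine
proxy database that holds every endpoint the leaves publish. Leaf names,
MACs and IPs are constructed to match the diagrams (L1..L4, EP1/EP2 in BD1).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Endpoint:
    mac: str
    ip: Optional[str]
    leaf: str
    port: str
    bd: str


@dataclass
class Fabric:
    # bd -> True when unknown unicast is flooded, False for "Hardware Proxy" mode
    bd_flood: Dict[str, bool] = field(default_factory=dict)
    # bd -> leaves where the BD is deployed (receivers of the BD multicast group)
    bd_members: Dict[str, Set[str]] = field(default_factory=dict)
    # (leaf, bd, mac) -> local port
    local: Dict[Tuple[str, str, str], str] = field(default_factory=dict)
    # (leaf, bd, mac) -> remote leaf, learnt conversationally from received frames
    remote: Dict[Tuple[str, str, str], str] = field(default_factory=dict)
    # (bd, mac) -> leaf: the spine database ("Proxy Routing" steps 1-3)
    proxy: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def deploy_bd(self, bd: str, leaf: str) -> None:
        self.bd_members.setdefault(bd, set()).add(leaf)

    def learn(self, ep: Endpoint) -> None:
        """The leaf learns the endpoint locally and publishes it to the spines."""
        self.deploy_bd(ep.bd, ep.leaf)
        self.local[(ep.leaf, ep.bd, ep.mac)] = ep.port
        self.proxy[(ep.bd, ep.mac)] = ep.leaf

    def forward(self, ingress: str, bd: str, smac: str, dmac: str) -> Tuple[str, List[str]]:
        """Decide where a frame entering `ingress` with destination MAC `dmac` goes.

        Returns (action, targets): action is local, unicast, flood, proxy or
        drop; targets are ports for local delivery and leaves otherwise.
        """
        key = (ingress, bd, dmac)
        if key in self.local:
            return "local", [self.local[key]]
        if key in self.remote:                       # known unicast: straight to the remote TEP
            action, targets = "unicast", [self.remote[key]]
        elif self.bd_flood.get(bd, False):           # flood via the BD multicast group
            action, targets = "flood", sorted(self.bd_members.get(bd, set()) - {ingress})
        elif (bd, dmac) in self.proxy:               # hardware proxy: the spine resolves the leaf
            action, targets = "proxy", [self.proxy[(bd, dmac)]]
        else:
            return "drop", []                        # unknown to the spines as well
        # Every leaf that receives the frame learns the source as a remote endpoint
        # ("L3 learns EP1 from L1" in the ARP optimisation walk).
        for leaf in targets:
            self.remote[(leaf, bd, smac)] = ingress
        return action, targets


def scenario(flood_mode: bool) -> List[Tuple[str, List[str]]]:
    """EP1 (on L1) talks to EP2 (on L3) in BD1; L2 also has BD1 but no endpoints."""
    fab = Fabric(bd_flood={"BD1": flood_mode})
    fab.learn(Endpoint("000a.000a.000a", "192.168.1.100", "L1", "Eth1/1", "BD1"))
    fab.learn(Endpoint("000b.000b.000b", "192.168.1.101", "L3", "Eth1/1", "BD1"))
    fab.deploy_bd("BD1", "L2")
    return [
        fab.forward("L1", "BD1", "000a.000a.000a", "000b.000b.000b"),  # first frame EP1 -> EP2
        fab.forward("L3", "BD1", "000b.000b.000b", "000a.000a.000a"),  # reply EP2 -> EP1
        fab.forward("L1", "BD1", "000a.000a.000a", "000b.000b.000b"),  # second frame EP1 -> EP2
        fab.forward("L1", "BD1", "000a.000a.000a", "000c.000c.000c"),  # unknown destination
    ]


if __name__ == "__main__":
    for mode in (False, True):
        print("flood" if mode else "proxy", scenario(mode))
```

In proxy mode the first frame is resolved by the spine database and the reply already finds EP1 cached on L3, so from then on both directions are known unicast; an address the spines have never seen is dropped rather than flooded. In flood mode the same unknown address reaches every leaf carrying BD1, which is the traffic the ARP optimisation slide avoids.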
Day 4: Network Centric Migrations

Physical Layer
(Diagram: spines S10, S20; leafs L1, L2, L3, L4.)

Checklist
✓ Physical Layer ☺
❑ Layer 2
❑ Layer 3

Network Centric Design
L2 Migration Recommendations
(Diagram: BD_VLAN100 with ARP Flooding = Legacy VLAN 100.)
What have we Accomplished?
• Each Legacy VLAN maps to a unique Bridge Domain
• Each Legacy VLAN has a unique EPG
Conceptual View
(Diagram: Legacy side with SVI/VLAN:100 192.168.100.1, SVI/VLAN:101 192.168.101.1 and SVI/VLAN:102 192.168.102.1; ACI side with VRF CiscoLive on leafs L1-L4; an L2 Extension between them.)
#CLUS BRKACI-1001 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Verification
APIC GUI shows connected Endpoints (MAC and or IP) per EPG and Path
E.g.: 5C:83:8F:69:BB:C9 (N7K) connected via Nodes-101-102/N7710-vPC
Checklist
✓ Physical Layer ☺
✓ Layer 2
❑ Layer 3

Network Centric Design
L3 Migration Requirements
Configure “Layer 3 Out” to create a routed connection to legacy network:
• Routed Interface
• Routed subinterface
• Switched Virtual Interface (SVI)
(Diagram: EPG with its Subnet in Bridge Domain VLAN_100; an L3 Extension from the legacy SVIs (SVI/VLAN:100 192.168.100.1, SVI/VLAN:101 192.168.101.1, SVI/VLAN:102 192.168.102.1) to leafs L1-L4, alongside the L2 Extension.)

Verification
APIC GUI now shows IP information since UC Routing is enabled on BD
E.g.: 192.168.102.11 connected via Nodes-101-102/BareMetal02-vPC
(GUI screenshots.)
Checklist
✓ Physical Layer ☺
✓ Layer 2
✓ Layer 3

Common Pitfalls
Old Gateway still Active!
(Diagram: the same SVIs, SVI/VLAN:100 192.168.100.1, SVI/VLAN:101 192.168.101.1 and SVI/VLAN:102 192.168.102.1, exist both on the legacy side and on the ACI leafs L1-L4 while the L2 and L3 Extensions are up.)

Common Pitfalls
Windows Dynamic Load Balancing
(Diagram: spines S10, S20; leafs L1-L4.)
Problem:
Traffic is Sourced with the same IP but from both NIC’s using different MACs. ACI Fabric sees frequent IP Move between MAC’s when Routing is Enabled!
Solution:
Use “Hyper-V Port” to force single MAC to IP Communication
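Because the EP Tracker (Day 6) logs every attach and detach, the IP-move symptom described here can be spotted from the logs before anyone complains. The following added example (my own code, not from the deck or from Cisco; the event line format is constructed for the example and is not the APIC's own output) flags IPs whose MAC changes repeatedly within a time window and separates the two-MAC, two-port pattern typical of switch-independent NIC teaming from moves across more MACs or locations, which warrant a duplicate-IP or spoofing investigation rather than a teaming-mode change.

```python
"""Flag IP addresses that keep moving between MACs in endpoint attach events.

Added example (not from the deck or from Cisco). The event line format below
is constructed for this example; it is not the APIC EP Tracker's own output.
Each line records one endpoint attach as the fabric learnt it.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Constructed sample: a teamed Windows host (192.168.102.11) alternating between
# two NICs on two leafs, a suspicious address (192.168.100.20) seen on three MACs
# across two leafs, and a stable host (192.168.101.5). One detach line is present
# to show that only attach events are considered.
SAMPLE_EP_EVENTS = """\
2019-03-05T14:21:00Z attach ip=192.168.102.11 mac=00:50:56:AA:00:01 node=101 port=eth1/5
2019-03-05T14:21:30Z attach ip=192.168.102.11 mac=00:50:56:AA:00:02 node=102 port=eth1/5
2019-03-05T14:22:00Z attach ip=192.168.102.11 mac=00:50:56:AA:00:01 node=101 port=eth1/5
2019-03-05T14:22:30Z attach ip=192.168.102.11 mac=00:50:56:AA:00:02 node=102 port=eth1/5
2019-03-05T14:23:00Z attach ip=192.168.102.11 mac=00:50:56:AA:00:01 node=101 port=eth1/5
2019-03-05T14:23:30Z attach ip=192.168.102.11 mac=00:50:56:AA:00:02 node=102 port=eth1/5
2019-03-05T14:24:00Z attach ip=192.168.101.5 mac=00:11:22:33:44:55 node=101 port=eth1/9
2019-03-05T14:24:05Z detach ip=192.168.101.5 mac=00:11:22:33:44:55 node=101 port=eth1/9
2019-03-05T14:24:10Z attach ip=192.168.101.5 mac=00:11:22:33:44:55 node=101 port=eth1/9
2019-03-05T14:25:00Z attach ip=192.168.100.20 mac=00:11:22:33:44:66 node=101 port=eth1/7
2019-03-05T14:25:10Z attach ip=192.168.100.20 mac=de:ad:be:ef:00:01 node=103 port=eth1/2
2019-03-05T14:25:20Z attach ip=192.168.100.20 mac=00:11:22:33:44:66 node=101 port=eth1/7
2019-03-05T14:25:30Z attach ip=192.168.100.20 mac=de:ad:be:ef:00:02 node=103 port=eth1/3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) attach ip=(?P<ip>\S+) mac=(?P<mac>\S+) node=(?P<node>\d+) port=(?P<port>\S+)$"
)

Event = Tuple[datetime, str, str, str, str]  # (time, ip, mac, node, port)


def parse_events(lines: Iterable[str]) -> List[Event]:
    """Keep attach lines only, normalise MAC case, sort by time."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["mac"].lower(), m["node"], m["port"]))
    return sorted(events)


def find_ip_moves(events: List[Event], window_minutes: int = 5, threshold: int = 3) -> Dict[str, dict]:
    """Return {ip: details} for IPs whose MAC changed >= threshold times inside any window."""
    window = timedelta(minutes=window_minutes)
    per_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        per_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in per_ip.items():
        # timestamps at which the MAC differs from the previously learnt one
        moves = [ev[0] for prev, ev in zip(evs, evs[1:]) if ev[2] != prev[2]]
        worst, start = 0, 0
        for end in range(len(moves)):              # sliding window over the move times
            while moves[end] - moves[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst < threshold:
            continue
        macs = sorted({ev[2] for ev in evs})
        where = sorted({(ev[3], ev[4]) for ev in evs})
        if len(macs) == 2 and len(where) <= 2:
            verdict = "likely NIC teaming (switch-independent dynamic load balancing)"
        else:
            verdict = "investigate: duplicate IP or address spoofing"
        flagged[ip] = {"moves_in_window": worst, "macs": macs, "locations": where, "verdict": verdict}
    return flagged


if __name__ == "__main__":
    for ip, info in find_ip_moves(parse_events(SAMPLE_EP_EVENTS.splitlines())).items():
        print(ip, info["moves_in_window"], info["verdict"])
```

The threshold and window are deliberately loose defaults; a host that legitimately migrates once (vMotion, failover) produces a single move and is never flagged, while the teaming case produces a move every few seconds for as long as the host is talking.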
Day 5: Multi-Location
Deployment Options
Stretched Fabric IS-IS
L1 L2 L3 L4 L5 L6 L7 L8 L9 L10
#CLUS BRKACI-1001 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 126
Stretched Fabric
Advantages
• All one Fabric
• No Additional Routed Infrastructure
• Simple Provisioning – If cabling is in
place S10 S20 S11 S21
Limitations
• Single APIC Failure Domain L1 L2 L3 L4 L5 L6 L7 L8 L9 L10
Sites
#CLUS BRKACI-1001 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 127
IPN MTU Requirements: 9150 Bytes
Multipod IS-IS
IPv4 Multicast
IPN IPN OSPF
Network
L1 L2 L3 L4 L7 L8 L9 L10
#CLUS BRKACI-1001 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 128
Multipod
Advantages
• All one Fabric
• Policy Stretched across sites IPN IPN
• Separate Control Plane Instances per
site S10 S20 S11 S21
Limitations L1 L2 L3 L4 L7 L8 L9 L10
#CLUS BRKACI-1001 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 129
Remote Leaf
[Diagram: Primary Site (leaves L1–L4, IS-IS) connected over an IPv4 “Inter-site” network (ISN, OSPF) to a Remote Office/DC hosting the remote leaves; IPN MTU Requirements: 9150 Bytes]
Remote Leaf
Advantages
• All one Fabric
• Easy Addition of small site to existing APIC
• Spines not required in Remote Site.
Limitations
• All traffic goes to “main” site before other sites.
• 140ms Latency Restriction
• Port Count
[Diagram: main site with spines S10/S20 and three APICs, ISN, remote leaves RL1/RL2 at the remote site]
Multi-Site
[Diagram: independent fabrics (each with leaves L1–L4 and its own IS-IS) connected over an IPv4 “Inter-site” network (ISN, OSPF) and managed by the ACI Multi-Site Controller; IPN MTU Requirements: 9150 Bytes]
Multi-Site
Limitations
• 500ms – 1s latency for OOB Controller
[Diagram: the ACI Multi-Site Controller with its management connections to each site]
Day 6:
Troubleshooting Tools
Faults Available in 2.2(2e)!
EP Tracker
“We had a problem at 14:21!!!”
Attach/Detach events are logged for each EP
IP Was Moving???
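The symptom from the Windows Dynamic Load Balancing pitfall above (one IP sourced from two MACs) is exactly what the EP Tracker attach/detach log exposes: the same IP learnt behind alternating MACs a few seconds apart. The following is an added example, not code from this deck or from Cisco. It parses a constructed, simplified attach/detach event list (timestamp, IP, MAC, node, interface, action; the real APIC records use a different schema) and flags IPs whose MAC changes several times inside a short window, which is the fingerprint of a NIC team rather than a legitimate one-off endpoint move. The window and threshold values are this example's own assumptions.

```python
"""Flag endpoint IPs that flap between MACs in EP Tracker style events.

Added example, not code from the Cisco Live deck or from Cisco. The event
format is a constructed simplification: one line per event with
<timestamp> <ip> <mac> <node> <interface> <attach|detach>.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real fabric data. 10.1.100.50 is a host
# whose NIC team sources the same IP from two NICs (two MACs), so the fabric
# learns it behind alternating MACs. 10.1.100.60 moves once between leaves
# but keeps its MAC, which is a normal endpoint move and must not be flagged.
SAMPLE_EVENTS = """\
2019-03-06T14:20:58 10.1.100.50 00:50:56:AA:BB:01 node-101 eth1/5 attach
2019-03-06T14:20:59 10.1.100.50 00:50:56:AA:BB:02 node-102 eth1/5 attach
2019-03-06T14:21:00 10.1.100.50 00:50:56:AA:BB:01 node-101 eth1/5 attach
2019-03-06T14:21:02 10.1.100.50 00:50:56:AA:BB:02 node-102 eth1/5 attach
2019-03-06T14:21:03 10.1.100.50 00:50:56:AA:BB:01 node-101 eth1/5 attach
2019-03-06T14:21:05 10.1.100.60 00:50:56:AA:CC:01 node-103 eth1/7 attach
2019-03-06T14:25:00 10.1.100.60 00:50:56:AA:CC:01 node-103 eth1/7 detach
2019-03-06T14:25:30 10.1.100.60 00:50:56:AA:CC:01 node-104 eth1/7 attach
"""


def parse_events(text):
    """Parse the constructed event format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, mac, node, iface, action = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ip": ip,
            "mac": mac.lower(),  # normalise case so the same NIC compares equal
            "node": node,
            "iface": iface,
            "action": action,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_ip_mac_flaps(events, window=timedelta(seconds=60), min_changes=3):
    """Return {ip: summary} for IPs whose MAC changed >= min_changes times
    within any `window` of time. Only attach events carry a MAC learn, so
    detach events are ignored. Thresholds are assumptions for this example."""
    last_mac = {}
    changes = defaultdict(list)  # ip -> [(ts, old_mac, new_mac), ...]
    for e in events:
        if e["action"] != "attach":
            continue
        prev = last_mac.get(e["ip"])
        if prev is not None and prev != e["mac"]:
            changes[e["ip"]].append((e["ts"], prev, e["mac"]))
        last_mac[e["ip"]] = e["mac"]

    flaps = {}
    for ip, chg in changes.items():
        # Slide a window over the MAC-change timestamps; report the first
        # window that holds at least min_changes changes.
        for i in range(len(chg)):
            j = i
            while j < len(chg) and chg[j][0] - chg[i][0] <= window:
                j += 1
            if j - i >= min_changes:
                macs = sorted({m for _, old, new in chg[i:j] for m in (old, new)})
                flaps[ip] = {
                    "changes": j - i,
                    "macs": macs,
                    "first": chg[i][0],
                    "last": chg[j - 1][0],
                }
                break
    return flaps


if __name__ == "__main__":
    for ip, info in find_ip_mac_flaps(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip}: {info['changes']} MAC changes between "
              f"{info['first']:%H:%M:%S} and {info['last']:%H:%M:%S} "
              f"across {', '.join(info['macs'])}")
```

A flagged IP with exactly two MACs on a dual-homed Windows host points at the team load-balancing mode; an IP flapping across many MACs or many leaves is a different problem (duplicate IP, misconfigured cluster) and deserves its own investigation.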
Atomic Counters
SPAN
• ACI allows for SPAN of EPG
• ERSPAN Destination must be an IP EP Learnt in ACI
• EP Can run Wireshark or Tshark
[Diagram: SPAN Source EPG 100 on leaves L1/L2 mirrored via ERSPAN to the SPAN Destination EP 10.10.10.10 (learnt in ACI); EPG and Port (ERSPAN/Local) sources shown]
Leaf101# show monitor session all
session 1
---------------
description       : Span session 1
type              : erspan
version           : 2
oper version      : 1
state             : up (active)
erspan-id         : 1
granularity       :
vrf-name          : CiscoLive:VRF1
acl-name          :
ip-ttl            : 64
ip-dscp           : ip-dscp not specified
destination-ip    : 10.10.10.10/32
origin-ip         : 1.1.1.1
mode              : access
source VLANs      :
    rx            : 100
    tx            : 100
    both          : 100
filter VLANs      : filter not specified
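The session output above can be verified mechanically rather than by eye, which matters when a SPAN session silently stays down and the capture host simply sees nothing. This is an added example, not code from the deck or from Cisco: it parses the show monitor session all output shown on the slide (embedded as the sample input) into a per-session dictionary and applies this example's own sanity rules (session type erspan, state up, a VRF set, destination a /32 host address because the destination must be an EP learnt in ACI, and at least one source VLAN). The rules are assumptions for illustration, not a Cisco specification.

```python
"""Parse 'show monitor session all' from an ACI leaf and sanity-check an
ERSPAN session.

Added example, not code from the Cisco Live deck or from Cisco. The sample
input is the session output shown on the slide; the health rules are this
example's own assumptions.
"""
import re

# Output as shown on the slide (leaf prompt omitted).
SHOW_MONITOR_SESSION = """\
session 1
---------------
description       : Span session 1
type              : erspan
version           : 2
oper version      : 1
state             : up (active)
erspan-id         : 1
granularity       :
vrf-name          : CiscoLive:VRF1
acl-name          :
ip-ttl            : 64
ip-dscp           : ip-dscp not specified
destination-ip    : 10.10.10.10/32
origin-ip         : 1.1.1.1
mode              : access
source VLANs      :
    rx            : 100
    tx            : 100
    both          : 100
filter VLANs      : filter not specified
"""


def parse_monitor_sessions(text):
    """Return {session_id: {field: value, ..., "source_vlans": {dir: [vlans]}}}.

    Only the first ':' splits key and value, so values that themselves
    contain ':' (the VRF name 'CiscoLive:VRF1') survive intact."""
    sessions = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = re.match(r"^session\s+(\d+)\s*$", line)
        if m:
            current = {"id": int(m.group(1)), "source_vlans": {}}
            sessions[current["id"]] = current
            continue
        if current is None or not line or set(line) == {"-"} or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        # The rx/tx/both rows are indented under "source VLANs".
        if raw.startswith("    ") and key in ("rx", "tx", "both"):
            current["source_vlans"][key] = [int(v) for v in re.findall(r"\d+", value)]
        else:
            current[key] = value
    return sessions


def check_erspan_session(session):
    """Return a list of problems; an empty list means the session looks usable."""
    problems = []
    if session.get("type") != "erspan":
        problems.append("not an ERSPAN session")
    if not session.get("state", "").startswith("up"):
        problems.append(f"state is {session.get('state', 'unknown')!r}, expected up")
    dest = session.get("destination-ip", "")
    if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}/32", dest):
        problems.append(f"destination-ip {dest!r} is not a /32 host address")
    if not session.get("vrf-name"):
        problems.append("no VRF set: the fabric cannot reach the ERSPAN destination EP")
    if not any(session["source_vlans"].values()):
        problems.append("no source VLANs: nothing will be mirrored")
    return problems


if __name__ == "__main__":
    for sid, sess in parse_monitor_sessions(SHOW_MONITOR_SESSION).items():
        issues = check_erspan_session(sess)
        print(f"session {sid}: {'OK' if not issues else '; '.join(issues)}")
```

Because the check works on parsed fields, the same function can be run against the output of every leaf that carries a source port of the EPG, which is the usual reason a capture comes back half-empty.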
Troubleshooting Wizard – Faults
Shows Faults in the Path
Troubleshooting Wizard – Drop Stats
Troubleshooting Wizard - Contracts
Troubleshooting Wizard – Atomic Counters
No Drops!
Troubleshooting Wizard – SPAN
Ability to SPAN to APIC or other devices attached to the Fabric
Capacity Dashboard
App Center
Enhanced Endpoint Tracker
App Center
ELAM Assistant
Day 7: Additional Resources
Support Forums
https://supportforums.cisco.com/t5/application-centric/bd-p/12206936-discussions-aci
Facebook Group
Great Community ☺
Solutions Support
• One TAC team to support all aspects of ACI
• Engineers are familiar with 3rd party products like VMWare
• Case does not get handed off when it is a Switching vs. Routing issue. ACI Team takes ownership
JumpStart
Program designed by TAC
Continue your education
• Demos in the Cisco campus
• Walk-in self-paced labs
• Meet the engineer 1:1 meetings
• Related sessions
Complete your online session evaluation
Thank you