Page 1: ACI Hands-on Lab

Cisco Confidential © 2015 Cisco and/or its affiliates. All rights reserved.

Cisco ACI Hands-on Lab
Azeem Suleman - Principal Engineer, Insieme Business Unit
Nadir Lakhani – Systems Engineer, Sales
18th May 2016

In collaboration with

Page 2: ACI Hands-on Lab


Housekeeping notes

Thank you for attending Cisco Connect Toronto 2016; here are a few housekeeping notes to ensure we all enjoy the session today.

• Please ensure your cellphones / laptops are set on silent to ensure no one is disturbed during the session

• You should have a laptop or device that can access dCloud for the lab

• Have enough power or energy to live for 4 hours

Page 3: ACI Hands-on Lab


Global Traction Across All Market Segments

• 6,000+ Nexus 9K and ACI Customers Globally
• 50+ Ecosystem Partners
• 1400+ ACI Customers

NEW ECOSYSTEM

Page 4: ACI Hands-on Lab


Evolution of Data Center

Page 5: ACI Hands-on Lab


Accelerating Convergence Disruptions Through Innovation…

Innovation Timeline (2005, 2010, 2014, 2016+):
• IP Convergence – Data, Voice, Video
• Virtualization – Compute, Network, Storage
• Application Economy – Application Network Scale & Security
• Hybrid Cloud – Analytics, Hyper Convergence, Cloud Scale

Page 6: ACI Hands-on Lab


Policy-Driven Integrated Infrastructure Answers Customers’ Request

1. Modernize Infrastructure: Open and Programmable (Data Center: Network / L4-7, Compute, Storage, Security)
2. Automate and Simplify (Policy)
3. Build Your Hybrid Cloud (Private Cloud Stack, Integrated Infrastructure)
4. Choose any Other Cloud (Managed, Public, Private)
5. Move Data and Workloads Securely
6. Self-Service Portal (IT as a Service)
7. Extend Policy Model
8. Policy Everywhere
9. Security Everywhere
10. Analytics Everywhere

Page 7: ACI Hands-on Lab


A Generation Ahead: Leapfrogging the Competition

[Figure: Features and Capabilities over time, 2012 to 2018]
• Competition: 2 Year Dev Cycle
• Cisco: 18 Month Dev Cycle, New Switches every 18 months
• ASIC milestones shown: N9K Gen1 ASICs 28nm, T2 40nm, TH 28nm, N9K Gen2 ASICs 16nm, Jericho 28nm

Page 8: ACI Hands-on Lab


Next Gen Foundation with 2 Year Advantage

Fabric Wide Cloud Scale and Services – Powered by Cisco ASIC innovation using 16nm technology (Cloud Scale Technology)

• Cost Advantage: 25G/100G at price of 10/40G
• Investment Protection for the next decade
• Non-blocking Performance
• Pervasive Visibility at Line Rate
• Embedded Security at cloud scale
• Enhanced Fabric Performance
• 50% lower system cost, better reliability, lower power
• Multi-speed ports 100M - 100G; IP storage, FCoE/FC ready
• 36p 100G line rate w/ single chip—25% more
• Wire rate NetFlow
• 50% faster application completion time
• 8x more network segmentation vs competition
• Cloud scale endpoint density 6-7x; 12x IPv6 routes

Platforms: Nexus 9200, Nexus 9300EX, Nexus 9500

Page 9: ACI Hands-on Lab


Modular Cloud Scale Platform for Spine/Aggregation

Cloud Economics: Starts at $1,500 US List per 100G Port

Cloud Network Requirements

Shift to scale-out architectures based on Spine/Leaf routed designs

Support for workload mobility and dynamic traffic flow optimization

Granular control and telemetry at tenant and application level

Automation at scale

Available Now: Nexus 9500 – Build for generations

Best Price-Performance Available Today
• Full Internet Route Table – 1M+
• Up to 512 line rate 100G ports per chassis
• Converged Fabric for IP storage

Page 10: ACI Hands-on Lab


Organizational Transformation with ACI

Ultimate Goal: Achieve Application Agility with Minimal Risk
Policy-driven Framework Across All Elements of the Infrastructure, Private and Public Cloud

Step 1: Network Automation
Step 2: Services Automation
Step 3: Application Based Automation

• Deploy a modern, programmable infrastructure
• Train/upgrade the skillset of your team on programmable APIs
• Integrate additional L4-L7 services
• Deploy applications based on policy templates

Page 11: ACI Hands-on Lab


Application Centric Infrastructure (ACI)
Rapid Deployment of Applications onto Networks with Scale, Security and Full Visibility

ACI: Application Centric Policy Controller, Nexus 9500 and 9300

Page 12: ACI Hands-on Lab


Architecture

[Figure: Spine Nodes, Leaf Nodes and AVS; EPG “Users”, EPG “Files” and EPG “Internet” shown as Service Producers and Service Consumers]

Page 13: ACI Hands-on Lab


Application Policy Model and Instantiation

All forwarding in the fabric is managed through the application network profile
• IP addresses are fully portable anywhere within the fabric
• Security and forwarding are fully decoupled from any physical or virtual network attributes
• Devices autonomously update the state of the network based on configured policy requirements

Application policy model: Defines the application requirements (application network profile)

Policy instantiation: Each device dynamically instantiates the required changes based on the policies

[Figure: Application Client; Web Tier, App Tier and DB Tier VMs (10.2.4.7, 10.9.3.37, 10.32.3.7) and Storage attached across the fabric]

Page 14: ACI Hands-on Lab


Access Methodology

• CLI (Command-line interface): Means of interacting with a computer program where the user issues commands to the program in the form of successive lines of text (command lines)
• GUI (Graphical user interface): Interface that allows users to interact with devices through graphical icons and visuals
• Programmable interface: Software components / objects exposed to be called directly by other programs
• Open Source Tool: ACI Toolkit – Configuration Roll Back, Endpoint Tracker and other applications

Page 15: ACI Hands-on Lab


ACI Toolkit

• Simple toolkit built on top of the APIC API
• Set of simple Python classes: Python library, used to generate REST API calls, runs locally
• Small number of classes: ~30 currently, “intuitive” names
• Not full functionality, most common: focused primarily on configuration
• Preserves the ACI basic concepts: Tenants, EPGs, Contracts, etc.

[Figure: APIC accessed via Linux Commands, NX-OS like CLI, ACI Toolkit and Custom Python Scripts]

Page 16: ACI Hands-on Lab


ACI Release Timeline

CY14
• A (11.0) – Aug’14
• 11.0 MR1 – Nov’14

CY15
• 11.0 MR2 – Feb’15
• 11.0 MR3 – May’15
• B (11.1) – Jun’15
• 11.1 MR1 – Aug’15
• 11.1 MR2 – Sep’15
• 11.1 MR3 – Nov’15
• 11.2 – Dec’15

CY16
• 11.2 MR1 – Feb’16
• 11.2 MR2 – Q2CY16
• Congo – Q3CY16

Page 17: ACI Hands-on Lab


Overloaded Network Constructs

[Figure: VLANs and Subnets carrying Basic Network Policy, SLAs and L4-7 Services]

Network constructs are overloaded with unintended functionality.

Page 18: ACI Hands-on Lab


Some new (or not so new) terms: Tenants, VRF (Context), Bridge Domains, Application Network Profiles, Endpoint Groups, Contracts/Filters


Page 19: ACI Hands-on Lab


Bridge Domain (BD)

• Unique layer 2 (L2) or layer 3 (L3) forwarding domain
• Can contain one or more subnets (if unicast routing is enabled)
• Each bridge domain must be linked to a context (VRF)

Equivalent Network Construct:
• If a BD is configured as an L2 forwarding domain, it will have one or more associated VLANs; each VLAN will be equal to an EPG
• If a BD is configured as an L3 forwarding domain, this is equivalent to an SVI with one or more subnets per BD

NOTE: A BD can span across multiple switches

Page 20: ACI Hands-on Lab


Bridge Domain (BD) Modes

L2 Unknown Unicast
• Flood – packet is flooded within a BD
• Hardware Proxy – packet sent only to Proxy Spine

ARP Flooding
• Enabled: ARP packets are flooded in the BD
• Disabled: ARP packets undergo L3 unicast lookup for Target IP in VRF; ARP behaves like an L3 unicast packet until it reaches the egress TOR

Unicast Routing
• Enabled: define subnets
• Disabled: no subnets defined

Unknown Multicast Flooding
• Flood: Ingress TOR: flood. Egress TOR: if a router port exists on any BD, flood to FP ports; if transit, send to fabric
• Optimized Flood (up to ~75 BDs per TOR): sent only to Router Ports in the Fabric

Page 21: ACI Hands-on Lab


Object Relationship

[Figure: Tenant contains Contexts; each Context contains BDs; each BD contains Subnets. Shown: one Context with a BD holding Subnet A and Subnet B and a BD holding Subnet C; a second Context with a BD holding Subnet B and Subnet C]

Page 22: ACI Hands-on Lab


End Point Group (EPG)

• Set of host(s) that behave the same
• Behavior is described as all host(s) representing an application or application component, independent of other network constructs

[Figure: POLICY MODEL – EPG “Web” grouping the HTTPS Service and HTTP Service hosts]

Page 23: ACI Hands-on Lab


Application Network Profile (ANP)

• Application Network Profile(s) are a group of EPGs and the policies that define the communication between them

[Figure: POLICY MODEL – Application Network Profile = EPG “WEB”, EPG “APP”, EPG “DB” joined by Inbound/Outbound Policies]

Page 24: ACI Hands-on Lab


Contracts

• Defines the way in which EPGs interact
• The policy model allows for both unidirectional and bidirectional policies.

[Figure: EPG A, EPG B and EPG C linked by Contract 01 and Contract 02, showing Unidirectional Communication and Bidirectional Communication]

Ex: ACI Logical Model applied to the “3-Tier App” ANP
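The tenant, context, BD, ANP, EPG and contract objects from the preceding slides, assembled as the APIC REST JSON that the ACI Toolkit classes generate under the hood, plus a check of which EPG pairs the contracts actually permit. This is an added example, not code from the lab or from Cisco; the APIC class names (fvTenant, fvBD, fvAEPg, vzBrCP, vzFilter, and so on) are the real managed-object classes, while the tenant, EPG, contract and subnet values are constructed for the example.

```python
# Added example (not from the lab deck): build the APIC REST payload for a
# "3-Tier App" ANP in the ACI object model and check which EPG-to-EPG flows
# its contracts permit. Tenant/EPG/contract names and the subnet are constructed.

def filter_(name, port):
    # vzFilter with one TCP entry (vzEntry) limited to a single destination port
    return {"vzFilter": {"attributes": {"name": name}, "children": [
        {"vzEntry": {"attributes": {"name": "tcp", "etherT": "ip", "prot": "tcp",
                                    "dFromPort": str(port), "dToPort": str(port)}}}]}}

def contract(name):
    # vzBrCP with one subject that references the filter of the same name
    return {"vzBrCP": {"attributes": {"name": name}, "children": [
        {"vzSubj": {"attributes": {"name": "subj"}, "children": [
            {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": name}}}]}}]}}

def epg(name, bd, provides=(), consumes=()):
    # fvAEPg bound to a bridge domain, with provider/consumer contract relations
    kids = [{"fvRsBd": {"attributes": {"tnFvBDName": bd}}}]
    kids += [{"fvRsProv": {"attributes": {"tnVzBrCPName": c}}} for c in provides]
    kids += [{"fvRsCons": {"attributes": {"tnVzBrCPName": c}}} for c in consumes]
    return {"fvAEPg": {"attributes": {"name": name}, "children": kids}}

def three_tier_tenant():
    # Tenant > Context (VRF) > BD (hardware proxy, ARP flooding off, routed subnet) > ANP
    return {"fvTenant": {"attributes": {"name": "Lab"}, "children": [
        {"fvCtx": {"attributes": {"name": "ctx1"}}},
        {"fvBD": {"attributes": {"name": "bd1", "unkMacUcastAct": "proxy",
                                 "arpFlood": "no", "unicastRoute": "yes"},
                  "children": [{"fvRsCtx": {"attributes": {"tnFvCtxName": "ctx1"}}},
                               {"fvSubnet": {"attributes": {"ip": "10.2.4.1/24"}}}]}},
        filter_("web-app", 8080), filter_("app-db", 3306),
        contract("web-app"), contract("app-db"),
        {"fvAp": {"attributes": {"name": "3-Tier-App"}, "children": [
            epg("web", "bd1", consumes=["web-app"]),
            epg("app", "bd1", provides=["web-app"], consumes=["app-db"]),
            epg("db", "bd1", provides=["app-db"])]}}]}}

def permitted_flows(tenant):
    # Whitelist view of the policy: (consumer EPG, provider EPG, contract) triples.
    # Any pair not listed (e.g. web -> db) has no contract and is dropped by the fabric.
    prov, cons = {}, {}
    for child in tenant["fvTenant"]["children"]:
        for e in child.get("fvAp", {}).get("children", []):
            name = e["fvAEPg"]["attributes"]["name"]
            for rel in e["fvAEPg"]["children"]:
                for key, table in (("fvRsProv", prov), ("fvRsCons", cons)):
                    if key in rel:
                        table.setdefault(rel[key]["attributes"]["tnVzBrCPName"], []).append(name)
    return sorted((c, p, k) for k in cons for c in cons[k] for p in prov.get(k, []))
```

`permitted_flows` returns only web to app and app to db; web to db is absent, which is the whitelist behaviour the contract model enforces.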

Page 25: ACI Hands-on Lab


Congo Release – 2.x (Target Q3 CY 2016) – Execute / Committed

Infrastructure
• Multi-PoD
• WAN Integration (GOLF)
• VXLAN EVPN BGP (iBGP and eBGP) for IPv4 and IPv6
• Opflex Push to N7K, ASR9K
• QSA Support on –EX Spine/Leaf
• FCoE NPV, PFC (802.1Qbb)

Routing & Switching
• PBR and Policy Based Service Insertion
• Symmetric Multipath Load Balancing & Redirection
• Mcast Routing PIM Support (PIM-SM/SSM/Bidir) on –EX HW
• OSPF in-bound area filtering
• BGP limit maximum AS (maxas-limit)
• 64 way ECMP

Virtualization
• ACI vCenter Plugin
• Multiple vCenter per fabric (50)
• AVS vRealize
• VEM Commands from APIC
• EPG health score
• WAP 2.0 + Service Chaining
• OpenStack ‘Liberty’ Support
• Hierarchical VLANs
• VMware Hypervisor integration
• GBP + ML2 Unified Plugin

Operations – Visibility and Analytics
• Analytics support on –EX HW
• Copy Service

Security
• Permit logging

Hardware
• DC48V Support (Fixed and Modular Spine)
• DOM on ACI Mode

Page 26: ACI Hands-on Lab


ACI Multi-Pod Solution: Overview

• Multiple ACI Pods connected by an IP Inter-Pod L3 network; each Pod consists of leaf and spine nodes
• Managed by a single APIC Cluster
• Single Management and Policy Domain
• Forwarding control plane (IS-IS, COOP) fault isolation
• Data Plane VXLAN encapsulation between Pods
• End-to-end policy enforcement

[Figure: Pod ‘A’ to Pod ‘n’, each running IS-IS, COOP, MP-BGP, connected over the Inter-Pod Network with MP-BGP - EVPN, under a Single APIC Cluster]

Page 27: ACI Hands-on Lab


ACI Multi-Pod Solution: Use Cases

• Handling 3-tier physical cabling layout: cable constraints (multiple buildings, campus, metro) require a second tier of “spines”; preferred option when compared to a ToR FEX deployment
• Evolution of the Stretched Fabric design: Metro Area (dark fiber, DWDM), L3 core, >2 interconnected sites

[Figure: ACI Fabric ‘A’ through ACI Fabric ‘E’ connected via Inter-POD and WAN/DCI]

Page 28: ACI Hands-on Lab


ACI Integration with WAN at Scale: ‘Project GOLF’ Overview

• Addresses both control plane and data plane scale
• VXLAN data plane between ACI spines and WAN Routers
• BGP-EVPN control plane between ACI spines and WAN routers
• OpFlex for exchanging config parameters (VRF names, BGP Route-Targets, etc.)
• Consistent policy enforcement on ACI leaf nodes (for both ingress and egress directions)
• ‘GOLF’ Router support (Q3CY16): Nexus 7000, ASR9000 and ASR1000 (not yet committed)

Page 29: ACI Hands-on Lab


ACI Integration with WAN at Scale: Supported Topologies

Page 30: ACI Hands-on Lab


New Automation: Cisco Nexus Fabric Manager
Single Point, Fabric-Wide Management

• Build and self-manage VXLAN-based fabric
• Fully deploy in three steps
• Zero-touch provisioning
• Dynamically configure switches
• Simplify management with point-and-click user interface

Fabric Management Lifecycle (NFM): Creation, Expansion, Connection, Fault Mgmt, Reporting, Automate

Page 31: ACI Hands-on Lab


Traditional Script-Based Approaches

• Hard-Wired

• Workflow

• Custom Scripting

• Rigid

• Change PaaS ?...

• Breaks System

• Re-Scripting Required

• Change Cloud ?...

• Breaks System

• Re-Scripting Required

Page 32: ACI Hands-on Lab


CliQr CloudCenter: Any App, Any Cloud, One Platform

[Figure: Model, Deploy, Manage an application Profile across Private Clouds, Datacenters and Public Clouds]

Page 33: ACI Hands-on Lab


Working Together: End-to-End Orchestration

• Business (ITSM): Prime Service Catalog, ServiceNow, Custom
• Development (DevOps): CliQr, Jenkins
• Application-Centric Lifecycle Management: Model, Benchmark, Deploy, Manage (Application Profiles)
• Infrastructure: UCS Director, ACI, Nexus Switching, Storage, UCS, Hyper-V

[Figure: Profiles deployed to Datacenter, Private Cloud and Public Cloud]

Page 34: ACI Hands-on Lab


How to access the lab

URL: http://dcloud.cisco.com/

Username: CiscoLiveStudent1 – 24

Password: C1sc0123live

Page 35: ACI Hands-on Lab

Thank you.

In collaboration with