Cisco Connect Danmark • 4 April 2019
Cisco ACI – A Data Center for Everyone.
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
ACI – A data center network for everyone
It is easy to get started with ACI, also for customers with small and medium-sized data centers. ACI is easy to deploy and to integrate with the virtual server environment. Start-up, operation, expansion and integration with other environments are simpler than ever – the operational complexity of the data center of earlier times has been replaced by overview, fast reaction and a short path from decision to operation.
ACI Introduction
The DC network before: classic modular switching (single chassis, e.g. Nexus 7000)
- Supervisors (1 or 2)
- Fabric Modules (3-5)
- Linecards (Copper, Fiber, 1/10G)
- Up to 18 RUs, scale-up
The DC network now: ACI (single VXLAN network, evolution from Nexus 5000 and Nexus 7000)
- APICs (1, 3 or more)
- Spines (1 to 6)
- Leaves (1 to 200 or more*)
- Zero-touch L2 VXLAN, no STP
- Scale as you need
* > 200 leaves with MultiPod/Multi-Site
ACI: Consistent, automated and simpler networking
ACI – the network made simple: spine layer (Nexus 9000), leaf layer (Nexus 9000), L4-L7 services, VMs, WAN and legacy networks (N5K/N7K) all attached to one fabric.
APIC: one point of management for all your physical, virtual, container-based and cloud networking.
ACI: The elements
- Spines: modular Nexus 9500 (w/9700 LCs) or fixed Nexus 9300 (9332C, 9364C), NX-OS capable
- Leaves: fixed Nexus 9300 (100M/1/10/25/40/50/100G), NX-OS capable; virtual/container networking integration included (except vPod)
- APICs: 3 recommended for production, at least 1 physical APIC required
  - Physical: L-size (recommended for 1000+ physical leaf ports), M-size (recommended for <1000 physical leaf ports)
  - Virtual: VMware VMs (recommended for 2-4 leaves, 2 VMs + 1 physical APIC)
ACI: Mini Fabric
ACI Fabric for small scale deployments – optimized physical footprint, 5 RU system: Leaf 1 (48 ports), Leaf 2 (48 ports), Spine 1, Spine 2, APIC (1 physical APIC + 2 virtual APICs), with VMs and cloud attached.
No. of Spines: 2
No. of Leafs: 2-4
No. of Tenants: 25
No. of VRFs: 25
No. of BDs: 1000
No. of EPGs: 1000
No. of EPs: 20,000
Physical APIC: 1
Virtual APIC: 2
Simple ACI Installation
ACI: How difficult is it to bring it up? Let's start with a single site
Spine layer: Nexus 9000. Leaf layer: Nexus 9000.
1) Connect all leaves to spines; connect the APIC(s) to any leaf or leaves.
ACI: How difficult is it to bring it up? Let's start with a single site
2) Console into each of the APICs and follow the initial configuration wizard.
ACI: How difficult is it to bring it up? Initial configuration wizard
ACI: How difficult is it to bring it up? Adding elements to the ACI Fabric and automating VXLAN
ACI: How difficult is it to bring it up? What tasks and configuration did ACI just save me from doing manually on every switch?
BEFORE (times X switches and Y VNIs):
- Underlay routed network (IS-IS)
- Overlay network (VXLAN)
- External to internal route redistribution (MBGP)
- Multicast and control plane (MBGP)
- Switch management (in-band or out-of-band options)
- SSH to every switch, assign IP address, enable Telnet/SSH, add users on every switch, create ACLs (optional)
NOW: ACI automated tasks – from HOURS to minutes!
ACI: What are the benefits? Simple fabric upgrade – firmware
ACI: What are the benefits? Single and simpler management for "All-things Networking"
ACI versus Traditional DC
ACI: What changes? Easy as 1-2-3-4-5
BEFORE – Physical networks/VRFs: we would purchase separate networks and assign different IP subnets to each (Prod, Test, etc): Production 1.1.1.0, Test 2.2.2.0 (an IP change is needed to separate them).
NOW – Create Tenants: you can "partition" your ACI Fabric and have up to 3000 Tenants, even using the same IP subnets with no conflict: Tenant Prod 1.1.1.0, Tenant Test 1.1.1.0.
ACI: What changes? Easy as 1-2-3-4-5 – Step 1
NOW – Create Tenant: you can "partition" your ACI Fabric and have up to 3000 Tenants, even using the same IP subnets with no conflict (Tenant Test, Tenant Prod).
ACI: What changes? Easy as 1-2-3-4-5
BEFORE – Unclear network connectivity: "show vlan" would show each and every VLAN per switch (Switch 1, Switch 2, Switch 5, Switch 6) without any understanding of how they connect to each other.
NOW – Create Application Profiles: an Application Profile is a graphical representation of our network configuration. Think of it as a "folder of VLANs" at the Fabric level. A Tenant may have multiple Application Profiles (e.g. Application Profile SEVT App).
ACI: What changes? Easy as 1-2-3-4-5
BEFORE – Create VLANs per switch: add VLANs per switch, name each of them and then configure 802.1q trunks to extend connectivity (collapsed core, access layer). Additionally configure HSRP/VRRP for gateways at the distribution/core layer:
Switch(config)#vlan 1
Switch(config-vlan)#name Netweaver
Switch(config)#vlan 2
Switch(config-vlan)#name HANA
Switch(config)#int e1/1
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk allowed vlan 1-2
Switch(config)#feature hsrp
Switch(config)#interface vlan 1
Switch(config-if)#ip address 1.1.1.253 255.255.255.0
Switch(config-if)#no shut
Switch(config-if)#hsrp 1
Switch(config-hsrp)#ip 1.1.1.1
Switch(config-hsrp)#priority 100
Switch(config-hsrp)#preempt
Switch(config-hsrp)#no shut
Switch(config)#interface vlan 2
Switch(config-if)#ip address 2.2.2.253 255.255.255.0
Switch(config-if)#no shut
Switch(config-if)#hsrp 2
Switch(config-hsrp)#ip 2.2.2.1
Switch(config-hsrp)#priority 100
Switch(config-hsrp)#preempt
Switch(config-hsrp)#no shut
NOW – Create End Point Groups (EPGs): we will create an EPG and name it just as we would a VLAN (EPG Netweaver, EPG HANA). You may also add one Bridge Domain per EPG with an IP address (just like an SVI) in case you want ACI Anycast Gateway functionality (BD 1.1.1.1, BD 2.2.2.1; VXLAN and Anycast GW across the spine and leaf layers).
ACI: What changes? Easy as 1-2-3-4-5 – Step 3
NOW – Create End Point Groups: each Application Profile will contain a graphical display of the network connectivity with the EPGs and Contracts we configure. Tenant Production, Application Profile SAP: EPG Netweaver with BD 1.1.1.1, EPG HANA with BD 2.2.2.1, VXLAN and Anycast GW across the spine and leaf layers.
ACI: What changes? Easy as 1-2-3-4-5
BEFORE – Create ACLs per switch/port: specify the type of traffic you want each switch to allow (collapsed core, access layer, HSRP/VRRP gateways, 802.1q):
Switch(config)#ip access-list SAP_POLICY
Switch(config-acl)#10 permit icmp any any
Switch(config-acl)#20 permit tcp any any eq 80
Switch(config-acl)#30 permit tcp any eq 80 any
Switch(config)#int e1/1
Switch(config-if)#ip access-group SAP_POLICY in
Switch(config-if)#ip access-group SAP_POLICY out
NOW – Create Contracts: we will create a Contract to specify how two EPGs may talk to each other. This contract will be pushed to the whole fabric (physical, virtual, etc) consistently. NO complex IP + ports to specify like ACLs. Contract SAP_POLICY between EPG Netweaver (BD 1.1.1.1) and EPG HANA (BD 2.2.2.1), filters: permit icmp, permit tcp eq 80 (bidirectional).
ACI: What changes? Easy as 1-2-3-4-5 – Step 4
NOW – Create Contracts: we will create a Contract to specify how two EPGs may talk to each other. Contract SAP_POLICY between EPG Netweaver (BD 1.1.1.1) and EPG HANA (BD 2.2.2.1), filters: permit icmp, permit http (bidirectional); VXLAN and Anycast GW across the spine and leaf layers.
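As an added example (not Cisco's code and not part of the deck), the policy behind this slide expressed in the APIC's JSON object model, with a check that derives which EPG pairs the contract actually permits. The class names (fvTenant, fvAp, fvAEPg, vzBrCP, vzSubj, vzFilter, vzEntry) are ACI's own; the provider/consumer roles, the subject name and the BD names BD1/BD2 are assumptions.

```python
def vz_filter(name, prot, port=None):
    """vzFilter with one vzEntry: IP ethertype + protocol, optional L4 destination port."""
    attrs = {"name": name, "etherT": "ip", "prot": prot}
    if port:  # revFltPorts="yes" on the subject mirrors this port for return traffic
        attrs.update({"dFromPort": port, "dToPort": port})
    return {"vzFilter": {"attributes": {"name": name},
                         "children": [{"vzEntry": {"attributes": attrs}}]}}

def fv_epg(name, bd, provides=(), consumes=()):
    """EPG bound to BD `bd` (assumed to exist); fvRsProv/fvRsCons attach contracts."""
    kids = [{"fvRsBd": {"attributes": {"tnFvBDName": bd}}}]
    kids += [{"fvRsProv": {"attributes": {"tnVzBrCPName": c}}} for c in provides]
    kids += [{"fvRsCons": {"attributes": {"tnVzBrCPName": c}}} for c in consumes]
    return {"fvAEPg": {"attributes": {"name": name}, "children": kids}}

def sap_tenant():
    """Slide values: Tenant Production, AP SAP, EPGs Netweaver + HANA, Contract SAP_POLICY.
    Assumption (not on the slide): HANA provides SAP_POLICY and Netweaver consumes it."""
    subject = {"vzSubj": {"attributes": {"name": "sap", "revFltPorts": "yes"},
               "children": [{"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": f}}}
                            for f in ("icmp", "http")]}}
    contract = {"vzBrCP": {"attributes": {"name": "SAP_POLICY", "scope": "context"},
                           "children": [subject]}}
    return {"fvTenant": {"attributes": {"name": "Production"}, "children": [
        vz_filter("icmp", "icmp"), vz_filter("http", "tcp", "80"), contract,
        {"fvAp": {"attributes": {"name": "SAP"}, "children": [
            fv_epg("Netweaver", "BD1", consumes=["SAP_POLICY"]),
            fv_epg("HANA", "BD2", provides=["SAP_POLICY"])]}}]}}

def allowed_flows(tenant):
    """{(consumer EPG, provider EPG): [filter names]}; any EPG pair absent here is denied."""
    objs = tenant["fvTenant"]["children"]
    filters = {o["vzBrCP"]["attributes"]["name"]:
               [r["vzRsSubjFiltAtt"]["attributes"]["tnVzFilterName"]
                for s in o["vzBrCP"]["children"] for r in s["vzSubj"]["children"]]
               for o in objs if "vzBrCP" in o}
    prov, cons = {}, {}
    for ap in (o["fvAp"] for o in objs if "fvAp" in o):
        for e in ap["children"]:
            name = e["fvAEPg"]["attributes"]["name"]
            for rel in e["fvAEPg"]["children"]:
                for key, side in (("fvRsProv", prov), ("fvRsCons", cons)):
                    if key in rel:
                        side.setdefault(rel[key]["attributes"]["tnVzBrCPName"], []).append(name)
    return {(c, p): filters[ct] for ct in filters for c in cons.get(ct, []) for p in prov.get(ct, [])}
```

An EPG added to the application profile without a provider or consumer relation never appears in allowed_flows: the fabric is an allow-list between EPGs, which is the point behind "no complex IP + ports like ACLs" on the slide.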
ACI: What changes? Easy as 1-2-3-4-5
BEFORE – Configure IP routing: configure the routing protocol you may need on each switch/router to learn routes coming from the outside (collapsed core, access layer, HSRP/VRRP gateways, 802.1q):
Switch(config)#router ospf 1
Switch(config)#interface e1/1
Switch(config-if)#ip address 221.221.221.2 255.255.255.0
Switch(config-if)#ip ospf network point-to-point
Switch(config-if)#ip router ospf 1 area 0
Switch(config-if)#ip ospf mtu-ignore
NOW – Create L3 Out: specify on which leaf and port of the fabric you want to enable external routing. Those routes will be imported into the ACI Fabric with BGP (auto-configured) and the Spines will serve as BGP Route Reflectors. L3 Outs need a contract to communicate with EPGs, and BDs need to be associated with L3 Outs. Example: L3Out Internet on Leaf 1 interface 1/15 (OSPF area 0, network p2p, mtu ignore, IP 221.221.221.2/24) towards an external OSPF router; Contract Internet (EPG to L3Out) permit any (bidirectional); EPG Netweaver with BD 1.1.1.1.
Hypervisor Integration
ACI: VMware Integration – Easy as 1-2-3-4-5
Migration to ACI
ACI: How do I start? Easy as 1-2-3-4-5
Your existing network: Nexus 7000 (or L2/L3 boundary) with HSRP/VRRP gateways, Nexus 5000 (or L2 access/ToR), VLAN 1 1.1.1.0/24, VLAN 2 2.2.2.0/24, 802.1q, L3 towards Internet/WAN.
Your new ACI Fabric: Nexus 9000 spine layer, Nexus 9000 leaf layer, APIC cluster, VXLAN, VLAN 1 mapped to EPG 1, VLAN 2 mapped to EPG 2, Contract permit ip any any, Anycast GW.
1) Redundant-NIC server failover (disconnect the standby NIC from legacy and connect it to ACI)
2) Connect the server to EPG 2 – L2 forwarding in ACI
3) Migrate the gateway to ACI (Anycast Gateway) when ready. Repeat 1-3
Nexus 7K/5K and legacy networking migration: integrate virtual and cloud, simplify and secure your DC network, non-disruptive, at your own pace.
ACI: How do I start? Easy as 1-2-3-4-5
Your existing network: Nexus 7000 (or L2/L3 boundary), Nexus 5000 (or L2 access/ToR), VLAN 1 1.1.1.0/24, 2.2.2.0/24, 802.1q.
Your new ACI Fabric: Nexus 9000 spine layer, Nexus 9000 leaf layer, APIC cluster, VLAN 1 mapped to EPG 1, VLAN 2 mapped to EPG 2, Internet/WAN reached through a Contract, VXLAN, Anycast GW.
4) Once all servers are migrated to the ACI Fabric, you may remove your old gear.
If you add more leaves or spines, APIC will auto-discover and auto-configure them. It is that SIMPLE!
ACI anywhere
ACI Multipod
Pod 1, Pod 2 ... Pod N (other rooms/DCs, active-active DCs) connected over any routed network (IPN), with VMs in every pod.
- Multicast on the IPN needed, and jumbo frames (<=1550)
- <= 50 ms RTT required
- Up to 12 Pods, distributed gateway
- Single central management (APIC)
- Automated L2 DCI VXLAN extension
ACI Multi-Site
Site 1, Site 2 ... Site N (other rooms/DCs) connected over any routed network, with VMs in every site.
- No multicast; phased changes (zones)
- <= 1 s RTT required (MSO to APIC)
- Up to 12 Sites, distributed gateway
- Single central management (MSO); the Multi-Site Orchestrator (MSO) is a 3 VM cluster
- Automated L2 DCI VXLAN extension
ACI Remote Leaf
Pod 1 with remote leaves (RL) at Remote Location A, B and C (satellite DC, brownfield, telco/co-lo) over any routed IP network, with VMs at every location.
- Zero-touch auto discovery of remote leaf
- <= 300 ms RTT required
- Up to 20 remote locations
- Single central management
- Automated L2 VXLAN extension
ACI vPod
Pod 1 (Data Center A) with vPods (Pod 2, Pod 3, Pod 4) at Data Center B, Data Center C, bare metal cloud, brownfield and co-location/remote DC over any routed IP network; each vPod runs ACI Virtual Edge.
- Virtual spine/leaf functionality with AVE integration
- Up to 64 AVEs per vPod
- Single central management
- Automated L2 VXLAN extension
ACI Multicloud (AWS)
Site 1 (on-premise DC, VXLAN, EPG Web / EPG APP / EPG DB with Contracts between them) and Site 2 (public cloud, AWS region, SG Web / SG APP / SG DB with SG rules between them) connected over an IP network and orchestrated by the Multi-Site Orchestrator (MSO).
- CSR-1Kv / Direct Connect integration
- Operational consistency
- Single point of orchestration
- Discovery and visibility
- Policy translation (EPG and Contract to Security Group and SG Rule)
ACI Anywhere – Vision: any workload, any location, any cloud
Extensions: Remote Leaf/Virtual Pod, Multi-Pod/Multi-Site, Multi-Cloud. Remote location, on premises and public cloud connected over the IP WAN.
Security everywhere, policy everywhere, analytics everywhere.
The Cisco Data Center Architecture business value: simplified secure networking with ACI Anywhere
- Unified: IP, FC and FCoE support means fewer switches
- 3 seconds: failure recovery with ACI rollbacks
- Secure: micro-segmentation anywhere and multicloud consistent policy
- 2-200: physical switches managed as 1 (+ thousands virtual/cloud)
- Scalability: ACI supports any bandwidth, 100M/1/10/25/40/50/100G
- Integrated: Data Center Interconnect (VXLAN) and monitoring (at no additional cost)
- 79%: less network provisioning time
- Automatic: switch discovery and configuration (even at remote sites)
- Single and automated configuration and monitoring for physical, virtual, container and cloud networking