larger cover

Add To My Wish List

Register your product to gain access to bonus material or receive a coupon.

Deploying ACI: The complete guide to planning, configuring, and managing Application Centric Infrastructure

eBook

  • Your Price: $46.39
  • List Price: $57.99
  • Includes EPUB and PDF
  • About eBook Formats
  • This eBook includes the following formats, accessible from your Account page after purchase:

    ePub EPUB The open industry format known for its reflowable content and usability on supported mobile devices.

    Adobe Reader PDF The popular standard, used most often with the free Acrobat® Reader® software.

    This eBook requires no passwords or activation to read. We customize your eBook by discreetly watermarking it with your name, making it uniquely yours.

Also available in other formats.

  • Description
  • Sample Content
  • Updates
  • Copyright 2018
  • Dimensions: 7-3/8" x 9-1/8"
  • Pages: 704
  • Edition: 1st
  • eBook
  • ISBN-10: 0-13-466055-2
  • ISBN-13: 978-0-13-466055-4

Use ACI fabrics to drive unprecedented value from your data center environment


With the Cisco Application Centric Infrastructure (ACI) software-defined networking platform, you can achieve dramatic improvements in data center performance, redundancy, security, visibility, efficiency, and agility. In Deploying ACI, three leading Cisco experts introduce this breakthrough platform, and walk network professionals through all facets of design, deployment, and operation. The authors demonstrate how ACI changes data center networking, security, and management; and offer multiple field-proven configurations.


Deploying ACI is organized to follow the key decision points associated with implementing data center network fabrics. After a practical introduction to ACI concepts and design, the authors show how to bring your fabric online, integrate virtualization and external connections, and efficiently manage your ACI network.


You’ll master new techniques for improving visibility, control, and availability; managing multitenancy; and seamlessly inserting service devices into application data flows. The authors conclude with expert advice for troubleshooting and automation, helping you deliver data center services with unprecedented efficiency.

  • Understand the problems ACI solves,and how it solves them
  • Design your ACI fabric, build it, and interface with devices to bring it to life
  • Integrate virtualization technologieswith your ACI fabric
  • Perform networking within an ACI fabric (and understand how ACI changes data center networking)
  • Connect external networks and devices at Layer 2/Layer 3 levels
  • Coherently manage unified ACI networks with tenants and application policies
  • Migrate to granular policies based on applications and their functions
  • Establish multitenancy, and evolve networking, security, and services to support it
  • Integrate L4–7 services: device types, design scenarios, and implementation
  • Use multisite designs to meet rigorous requirements for redundancy and business continuity
  • Troubleshoot and monitor ACI fabrics
  • Improve operational efficiency through automation and programmability

Table of Contents

    Introduction xxiv
Chapter 1 You’ve Purchased ACI. Now What? 1
    Industry Trends and Transitions 1
    Next-Generation Data Center Concepts 2
        New Application Types 2
        Automation, Orchestration, and Cloud 3
        End-to-End Security 4
    Spine-Leaf Architecture 5
        Existing Infrastructure and ACI (Places in the Network) 8
    ACI Overview 9
    ACI Functional Components 10
        Nexus 9500 10
        Nexus 9300 10
        Application Centric Infrastructure Controllers 11
    Protocols Enabling the ACI Fabric 11
        Data Plane Protocols 11
        Control Plane Protocols 12
    Interacting with ACI 13
        GUI 13
        NX-OS CLI 14
        Open REST API 14
    Introduction to the Policy Model 14
        Application Network Profiles and Endpoint Groups 14
        VRFs and Bridge Domains 15
    Fabric Topologies 15
        Single-Site Model 15
        Multi-Pod Model 16
        Multi-Site Model 16
    Summary 17
Chapter 2 Building a Fabric 19
    Building a Better Network 19
        Fabric Considerations 20
        Phased ACI Migration 33
        Evolution to Application-Centric Mode 41
    Virtual Machine Manager (VMM) Integration 46
        AVS 46
        VMware 48
        Microsoft 50
    OpenStack 51
    Layer 4-7 Services 51
        Managed Mode 52
        Unmanaged Mode 53
    Additional Multisite Configurations 54
        Cisco ACI Stretched Fabric 55
        Cisco ACI Multi-Pod 56
        Cisco ACI Multi-Site 57
        Cisco ACI Dual-Fabric Design 57
        Pervasive Gateway 57
        VMM Considerations 58
    Summary 59
Chapter 3 Bringing Up a Fabric 61
    Out of the Box 61
        Suggested Services 62
        Management Network 64
    Logging In to the GUI for the First Time 73
        Basic Mode vs. Advanced Mode 74
        Discovering the Fabric 77
        Fabric Extenders 79
    Required Services 79
        Basic Mode Initial Setup 80
        Advanced Mode Initial Setup 84
        Management Network 92
        Fabric Policies 94
    Managing Software Versions 96
        Firmware Repository 97
        Controller Firmware and Maintenance Policy 98
    Configuration Management 101
        Configuration Snapshots 101
        Configuration Backup 102
    Summary 105
Chapter 4 Integration of Virtualization Technologies with ACI 107
    Why Integrate Cisco ACI with Virtualization Technologies? 107
    Networking for Virtual Machines and Containers 108
        Benefits of Cisco ACI Integration with Virtual Switches 111
        Comparing ACI Integration to Software Network Overlays 112
        Virtual Machine Manager Domains 115
        EPG Segmentation and Micro-Segmentation 121
        Intra-EPG Isolation and Intra-EPG Contracts 129
        Cisco ACI Integration with Virtual Switches in Blade Systems 132
        OpFlex 134
        Deployments over Multiple Data Centers 136
    VMware vSphere 137
        Cisco ACI Coexistence with the vSphere Standard Switch 138
        Cisco ACI Coexistence with the vSphere Distributed Switch 139
        Cisco ACI Integration with the vSphere Distributed Switch 139
        vCenter User Requirements 141
        Micro-Segmentation with the VDS 142
        Blade Servers and VDS Integration 142
        Cisco ACI Integration with Cisco Application Virtual Switch 143
        Cisco AVS Installation 147
        Blade Servers and AVS Integration 147
        Distributed Firewall 148
        Virtual Network Designs with VDS and AVS 150
        Cisco ACI Plug-in for vSphere vCenter Server: Configuring ACI from vCenter 154
        Cisco ACI Coexistence with VMware NSX 157
    Microsoft 158
        Introduction to Microsoft Hyper-V and SCVMM 159
        Preparing for the Integration 159
        Micro-Segmentation 161
        Blade Servers and SCVMM Integration 161
    OpenStack 162
        ML2 and Group-Based Policy 163
        Installing Cisco ACI Integration with OpenStack 164
        Cisco ACI ML2 Plug-in for OpenStack Basic Operations 164
        Cisco ACI ML2 Plug-in for OpenStack Security 166
        Cisco ACI ML2 Plug-in for OpenStack and Network Address Translation 167
    Cisco ACI GBP Plug-in for OpenStack 168
        Docker: Project Contiv 170
    Docker Networking 170
        Kubernetes 174
        Kubernetes Networking Model 175
        Isolation Models 176
        Creating a New EPG for Kubernetes Pods 178
        Assigning a Deployment or a Namespace to an EPG with Annotations 179
        Visibility in ACI for Kubernetes Objects 180
    Public Cloud Integration 180
    Summary 180
Chapter 5 Introduction to Networking with ACI 183
    Exploring Networking in ACI 184
        Groups and Contracts 184
        VRFs and Bridge Domains 197
        Connecting External Networks to the Fabric 208
    Network-Centric VLAN=BD=EPG 227
        Applying Policy to Physical and Virtual Workloads 230
        Moving Devices to the Fabric, VLAN by VLAN 232
        Unenforced vs. Enforced VRF 236
        L3 Connections to the Core 236
        Migrating the Default Gateway to the Fabric 242
    Summary 246
Chapter 6 External Routing with ACI 247
    Layer 3 Physical Connectivity Considerations 247
        Routed Ports Versus Switched Virtual Interfaces 249
        Outside Bridge Domains 250
        Bidirectional Forwarding Detection 251
        Access Port 252
        Port Channel 252
        Virtual Port Channel 254
        Gateway Resiliency with L3 Out 256
        Hot Standby Routing Protocol 256
    Routing Protocols 259
        Static Routing 259
        Enhanced Interior Gateway Routing Protocol 260
        Open Shortest Path First 261
        Border Gateway Protocol 265
    External Endpoint Groups and Contracts 268
        External Endpoint Groups 268
        Contracts Between L3 Out EPGs and Internal EPGs 269
    Multitenant Routing Consideration 269
        Shared Layer 3 Outside Connection 271
        Transit Routing 273
        WAN Integration 278
        Design Recommendations for Multitenant External Layer 3Connectivity 280
        Quality of Service 280
    Multicast 282
        Multicast Best-Practice Recommendations 283
        Multicast Configuration Overview 286
    Summary 287
Chapter 7 How Life Is Different with ACI 289
    Managing Fabrics versus Managing Devices 290
        Centralized CLI 290
        System Dashboard 291
        Tenant Dashboards 292
        Health Scores 294
        Physical and Logical Objects 295
        Network Policies 296
    Maintaining the Network 300
        Fault Management 300
        Configuration Management 304
        Upgrading the Software 313
    Breaking the Shackles of IP Design 317
        Access Control Lists Without IP Addresses 317
        QoS Rules Without IP Addresses 317
        QoS Rules Without TCP or UDP Ports 317
    Physical Network Topology 318
        ACI as a Clos Fabric and Design Implications 318
        Fabric Topology and Links 320
        Individual Device View 320
        Port View 322
    Changing the Network Consumption Model 322
    Summary 324
Chapter 8 Moving to Application-Centric Networking 325
    “Network-Centric” Deployments 326
        Removing Packet Filtering in Network-Centric Deployments 328
        Increasing Per-Leaf VLAN Scalability 328
        Looking at the Configuration of a Network-Centric Design 329
    “Application-Centric” Deployment: Security Use Case 332
        Whitelist vs. Blacklist Models 333
        Enforced vs. Unenforced: ACI Without Contracts 333
        Endpoint Groups as a Zone-Based Firewall 334
        Contract Security Model 336
        Stateful Firewalling with Cisco Application Virtual Switch 344
        Intra-EPG Communication 346
        Any EPG 348
        Contract Definition Best Practices to Efficiently Use Resources 350
    “Application-Centric” Deployment: Operations Use Case 351
        Application-Centric Monitoring 351
        Quality of Service 352
    Migrating to an Application-Centric Model 355
        Disable Bridge Domain Legacy Mode 355
        Disable VRF Unenforced Mode 356
        Create New Application Profiles and EPGs 357
        Move Endpoints to the New EPGs 357
        Fine-Tune Security Rules 358
    How to Discover Application Dependencies 358
        Focus on New Applications 359
        Migrate Existing Applications 360
    Summary 364
Chapter 9 Multi-Tenancy 365
    The Need for Network Multi-Tenancy 366
        Data-Plane Multi-Tenancy 366
        Management Multi-Tenancy 366
    Multi-Tenancy in Cisco ACI 367
        Security Domains 368
        Role-Based Access Control 369
        Physical Domains 373
        Logical Bandwidth Protection Through Quality of Service 376
        What Is a Tenant? What Is an Application? 377
    Moving Resources to Tenants 382
        Creating the Logical Tenant Structure 382
        Implementing Management Multi-Tenancy 382
        Implementing Data-Plane Multi-Tenancy 386
        When to Use Dedicated or Shared VRFs 388
        Multi-Tenant Scalability 390
    External Connectivity 390
        Shared External Network for Multiple Tenants 393
    Inter-Tenant Connectivity 396
        Inter-VRF External Connectivity 396
        Inter-VRF Internal Connectivity (Route Leaking) 397
    L4-7 Services Integration 400
        Exporting L4-7 Devices 400
        Multi-Context L4-7 Devices 401
    Use Cases for Multi-Tenancy Connectivity 401
        ACI as Legacy Network 401
        Granting Network Visibility to Other Departments 401
        Network Shared Across Organizations with Shared Services 402
        External Firewall Interconnecting Multiple Security Zones 404
        Service Provider 404
    Summary 405
Chapter 10 Integrating L4-7 Services 407
    Inserting Services 407
        How We Do It Today 408
        Managed vs. Unmanaged 415
        Ecosystem Partners 420
        Management Model 422
        Functional Profiles 425
    Security for All Hosts 430
        Building an End-to-End Security Solution 431
        Integrating Firewalls 438
        Integrating Security Monitoring 452
        Integrating Intrusion Prevention Systems 453
        Integrating Server Load Balancing and ADC 457
        Two-node Service Graph Designs 462
    Summary 465
Chapter 11 Multi-Site Designs 467
    Bringing Up a Second Site 468
        Stretched Fabric Design 470
        Multiple-Fabric Design 476
    Multi-Pod Architecture 488
    ACI Multi-Pod Use Cases and Supported Topologies 489
        ACI Multi-Pod Scalability Considerations 492
        Inter-Pod Connectivity Deployment Considerations 493
        IPN Control Plane 494
        IPN Multicast Support 496
        Spines and IPN Connectivity Considerations 500
        Pod Auto-Provisioning 505
        APIC Cluster Deployment Considerations 507
        Reducing the Impact of Configuration Errors with Configuration Zones 513
        Migration Strategies 516
    Multi-Site Architecture 517
        APIC Versus Multi-Site Controller Functionalities 521
        Multi-Site Schema and Templates 522
        Multi-Site Use Cases 527
        Multi-Site and L3 Out Considerations 533
        Layer 3 Multicast Deployment Options 535
        Migration of Cisco ACI Fabric to Cisco ACI Multi-Site 537
    Summary 539
Chapter 12 Troubleshooting and Monitoring 541
    You Have a Poor Health Score. Now What? 542
    NX-OS CLI 543
        Connecting to the Leaf Switches 546
        Linux Commands 549
        Mapping Local Objects to Global Objects 551
        Some Useful Leaf Commands 556
        ping 560
    Troubleshooting Physical Issues 562
        Troubleshooting Cabling 562
        Troubleshooting Switch Outages 565
        Replacing a Fabric Switch 566
        Troubleshooting Contracts 567
    Troubleshooting Tools in ACI 570
        Hardware Diagnostics 570
        Dropped Packets: Counter Synchronization 571
        Atomic Counters 572
        Traffic Mirroring: SPAN and Copy Services 572
        Troubleshooting Wizard 581
        Endpoint Tracker 588
        Effectively Using Your Fabric Resources 590
    Monitoring Policies and Statistics 596
        SNMP Policies 596
        Syslog Policies 598
        Statistics 598
    Third-Party Monitoring Tools with ACI Support 601
        IBM Tivoli Netcool 601
        SevOne 601
        ScienceLogic 601
        Splunk 601
        Zenoss 601
    Summary 602
Chapter 13 ACI Programmability 603
    Why Network Programmability? Save Money, Make Money! 603
        What Is Wrong with Previous Network Automation Concepts? 604
        Programming Interfaces and SDKs 606
    Cisco ACI Programming Interfaces 607
        Cisco ACI REST API 607
        Cisco ACI Object Model 609
        Cisco ACI Software Development Kits 617
        Where to Find Automation and Programmability Examples 619
        Developing and Testing Your Code Without an ACI Fabric at Hand 620
    Increasing Operational Efficiency Through Network Automation 622
        Offering Visibility to the Network 622
        Externalizing Network Configuration 623
        Horizontal Automation Integrations 626
        Automating the Generation of Network Documentation 630
    Enabling Additional Business Models Through Network Automation 630
        Agile Application Deployment and DevOps 631
        Private Cloud and IaaS 634
        Hybrid Cloud 638
        Platform as a Service 639
        ACI Integration with Apprenda 640
        Mantl and Shipped 640
    Cisco ACI App Center 642
    Summary 644
9781587144745, TOC, 1/31/2018
    

Cisco Press Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Cisco Press and its family of brands. I can unsubscribe at any time.

Overview

Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Cisco Press products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@ciscopress.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security

Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children

This site is not directed to children under the age of 13.

Marketing

Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out

Users can always make an informed choice as to whether they should proceed with certain services offered by Cisco Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.ciscopress.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links

This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020