Deploying ACI: The complete guide to planning, configuring, and managing Application Centric Infrastructure, Rough Cuts
- By Frank Dagenhardt, Jose Moreno, Bill Dufresne
- Published Jan 2, 2018 by Cisco Press.
Rough Cuts
- Available to Safari Subscribers
- About Rough Cuts
Rough Cuts are manuscripts that are developed but not yet published, available through Safari. Rough Cuts provide you access to the very latest information on a given topic and offer you the opportunity to interact with the author to influence the final publication.
Also available in other formats.
- Copyright 2018
- Dimensions: 7-3/8" x 9-1/8"
- Pages: 704
- Edition: 1st
- Rough Cuts
- ISBN-10: 0-13-466105-2
- ISBN-13: 978-0-13-466105-6
This is the Rough Cut version of the printed book.
Use ACI fabrics to drive unprecedented value from your data center environment
With the Cisco Application Centric Infrastructure (ACI) software-defined networking platform, you can achieve dramatic improvements in data center performance, redundancy, security, visibility, efficiency, and agility. In Deploying ACI, three leading Cisco experts introduce this breakthrough platform, and walk network professionals through all facets of design, deployment, and operation. The authors demonstrate how ACI changes data center networking, security, and management; and offer multiple field-proven configurations.
Deploying ACI is organized to follow the key decision points associated with implementing data center network fabrics. After a practical introduction to ACI concepts and design, the authors show how to bring your fabric online, integrate virtualization and external connections, and efficiently manage your ACI network.
You’ll master new techniques for improving visibility, control, and availability; managing multitenancy; and seamlessly inserting service devices into application data flows. The authors conclude with expert advice for troubleshooting and automation, helping you deliver data center services with unprecedented efficiency.
- Understand the problems ACI solves,and how it solves them
- Design your ACI fabric, build it, and interface with devices to bring it to life
- Integrate virtualization technologieswith your ACI fabric
- Perform networking within an ACI fabric (and understand how ACI changes data center networking)
- Connect external networks and devices at Layer 2/Layer 3 levels
- Coherently manage unified ACI networks with tenants and application policies
- Migrate to granular policies based on applications and their functions
- Establish multitenancy, and evolve networking, security, and services to support it
- Integrate L4–7 services: device types, design scenarios, and implementation
- Use multisite designs to meet rigorous requirements for redundancy and business continuity
- Troubleshoot and monitor ACI fabrics
- Improve operational efficiency through automation and programmability
Table of Contents
Introduction xxiv
Chapter 1 You’ve Purchased ACI. Now What? 1
Industry Trends and Transitions 1
Next-Generation Data Center Concepts 2
New Application Types 2
Automation, Orchestration, and Cloud 3
End-to-End Security 4
Spine-Leaf Architecture 5
Existing Infrastructure and ACI (Places in the Network) 8
ACI Overview 9
ACI Functional Components 10
Nexus 9500 10
Nexus 9300 10
Application Centric Infrastructure Controllers 11
Protocols Enabling the ACI Fabric 11
Data Plane Protocols 11
Control Plane Protocols 12
Interacting with ACI 13
GUI 13
NX-OS CLI 14
Open REST API 14
Introduction to the Policy Model 14
Application Network Profiles and Endpoint Groups 14
VRFs and Bridge Domains 15
Fabric Topologies 15
Single-Site Model 15
Multi-Pod Model 16
Multi-Site Model 16
Summary 17
Chapter 2 Building a Fabric 19
Building a Better Network 19
Fabric Considerations 20
Phased ACI Migration 33
Evolution to Application-Centric Mode 41
Virtual Machine Manager (VMM) Integration 46
AVS 46
VMware 48
Microsoft 50
OpenStack 51
Layer 4-7 Services 51
Managed Mode 52
Unmanaged Mode 53
Additional Multisite Configurations 54
Cisco ACI Stretched Fabric 55
Cisco ACI Multi-Pod 56
Cisco ACI Multi-Site 57
Cisco ACI Dual-Fabric Design 57
Pervasive Gateway 57
VMM Considerations 58
Summary 59
Chapter 3 Bringing Up a Fabric 61
Out of the Box 61
Suggested Services 62
Management Network 64
Logging In to the GUI for the First Time 73
Basic Mode vs. Advanced Mode 74
Discovering the Fabric 77
Fabric Extenders 79
Required Services 79
Basic Mode Initial Setup 80
Advanced Mode Initial Setup 84
Management Network 92
Fabric Policies 94
Managing Software Versions 96
Firmware Repository 97
Controller Firmware and Maintenance Policy 98
Configuration Management 101
Configuration Snapshots 101
Configuration Backup 102
Summary 105
Chapter 4 Integration of Virtualization Technologies with ACI 107
Why Integrate Cisco ACI with Virtualization Technologies? 107
Networking for Virtual Machines and Containers 108
Benefits of Cisco ACI Integration with Virtual Switches 111
Comparing ACI Integration to Software Network Overlays 112
Virtual Machine Manager Domains 115
EPG Segmentation and Micro-Segmentation 121
Intra-EPG Isolation and Intra-EPG Contracts 129
Cisco ACI Integration with Virtual Switches in Blade Systems 132
OpFlex 134
Deployments over Multiple Data Centers 136
VMware vSphere 137
Cisco ACI Coexistence with the vSphere Standard Switch 138
Cisco ACI Coexistence with the vSphere Distributed Switch 139
Cisco ACI Integration with the vSphere Distributed Switch 139
vCenter User Requirements 141
Micro-Segmentation with the VDS 142
Blade Servers and VDS Integration 142
Cisco ACI Integration with Cisco Application Virtual Switch 143
Cisco AVS Installation 147
Blade Servers and AVS Integration 147
Distributed Firewall 148
Virtual Network Designs with VDS and AVS 150
Cisco ACI Plug-in for vSphere vCenter Server: Configuring ACI from vCenter 154
Cisco ACI Coexistence with VMware NSX 157
Microsoft 158
Introduction to Microsoft Hyper-V and SCVMM 159
Preparing for the Integration 159
Micro-Segmentation 161
Blade Servers and SCVMM Integration 161
OpenStack 162
ML2 and Group-Based Policy 163
Installing Cisco ACI Integration with OpenStack 164
Cisco ACI ML2 Plug-in for OpenStack Basic Operations 164
Cisco ACI ML2 Plug-in for OpenStack Security 166
Cisco ACI ML2 Plug-in for OpenStack and Network Address Translation 167
Cisco ACI GBP Plug-in for OpenStack 168
Docker: Project Contiv 170
Docker Networking 170
Kubernetes 174
Kubernetes Networking Model 175
Isolation Models 176
Creating a New EPG for Kubernetes Pods 178
Assigning a Deployment or a Namespace to an EPG with Annotations 179
Visibility in ACI for Kubernetes Objects 180
Public Cloud Integration 180
Summary 180
Chapter 5 Introduction to Networking with ACI 183
Exploring Networking in ACI 184
Groups and Contracts 184
VRFs and Bridge Domains 197
Connecting External Networks to the Fabric 208
Network-Centric VLAN=BD=EPG 227
Applying Policy to Physical and Virtual Workloads 230
Moving Devices to the Fabric, VLAN by VLAN 232
Unenforced vs. Enforced VRF 236
L3 Connections to the Core 236
Migrating the Default Gateway to the Fabric 242
Summary 246
Chapter 6 External Routing with ACI 247
Layer 3 Physical Connectivity Considerations 247
Routed Ports Versus Switched Virtual Interfaces 249
Outside Bridge Domains 250
Bidirectional Forwarding Detection 251
Access Port 252
Port Channel 252
Virtual Port Channel 254
Gateway Resiliency with L3 Out 256
Hot Standby Routing Protocol 256
Routing Protocols 259
Static Routing 259
Enhanced Interior Gateway Routing Protocol 260
Open Shortest Path First 261
Border Gateway Protocol 265
External Endpoint Groups and Contracts 268
External Endpoint Groups 268
Contracts Between L3 Out EPGs and Internal EPGs 269
Multitenant Routing Consideration 269
Shared Layer 3 Outside Connection 271
Transit Routing 273
WAN Integration 278
Design Recommendations for Multitenant External Layer 3Connectivity 280
Quality of Service 280
Multicast 282
Multicast Best-Practice Recommendations 283
Multicast Configuration Overview 286
Summary 287
Chapter 7 How Life Is Different with ACI 289
Managing Fabrics versus Managing Devices 290
Centralized CLI 290
System Dashboard 291
Tenant Dashboards 292
Health Scores 294
Physical and Logical Objects 295
Network Policies 296
Maintaining the Network 300
Fault Management 300
Configuration Management 304
Upgrading the Software 313
Breaking the Shackles of IP Design 317
Access Control Lists Without IP Addresses 317
QoS Rules Without IP Addresses 317
QoS Rules Without TCP or UDP Ports 317
Physical Network Topology 318
ACI as a Clos Fabric and Design Implications 318
Fabric Topology and Links 320
Individual Device View 320
Port View 322
Changing the Network Consumption Model 322
Summary 324
Chapter 8 Moving to Application-Centric Networking 325
“Network-Centric” Deployments 326
Removing Packet Filtering in Network-Centric Deployments 328
Increasing Per-Leaf VLAN Scalability 328
Looking at the Configuration of a Network-Centric Design 329
“Application-Centric” Deployment: Security Use Case 332
Whitelist vs. Blacklist Models 333
Enforced vs. Unenforced: ACI Without Contracts 333
Endpoint Groups as a Zone-Based Firewall 334
Contract Security Model 336
Stateful Firewalling with Cisco Application Virtual Switch 344
Intra-EPG Communication 346
Any EPG 348
Contract Definition Best Practices to Efficiently Use Resources 350
“Application-Centric” Deployment: Operations Use Case 351
Application-Centric Monitoring 351
Quality of Service 352
Migrating to an Application-Centric Model 355
Disable Bridge Domain Legacy Mode 355
Disable VRF Unenforced Mode 356
Create New Application Profiles and EPGs 357
Move Endpoints to the New EPGs 357
Fine-Tune Security Rules 358
How to Discover Application Dependencies 358
Focus on New Applications 359
Migrate Existing Applications 360
Summary 364
Chapter 9 Multi-Tenancy 365
The Need for Network Multi-Tenancy 366
Data-Plane Multi-Tenancy 366
Management Multi-Tenancy 366
Multi-Tenancy in Cisco ACI 367
Security Domains 368
Role-Based Access Control 369
Physical Domains 373
Logical Bandwidth Protection Through Quality of Service 376
What Is a Tenant? What Is an Application? 377
Moving Resources to Tenants 382
Creating the Logical Tenant Structure 382
Implementing Management Multi-Tenancy 382
Implementing Data-Plane Multi-Tenancy 386
When to Use Dedicated or Shared VRFs 388
Multi-Tenant Scalability 390
External Connectivity 390
Shared External Network for Multiple Tenants 393
Inter-Tenant Connectivity 396
Inter-VRF External Connectivity 396
Inter-VRF Internal Connectivity (Route Leaking) 397
L4-7 Services Integration 400
Exporting L4-7 Devices 400
Multi-Context L4-7 Devices 401
Use Cases for Multi-Tenancy Connectivity 401
ACI as Legacy Network 401
Granting Network Visibility to Other Departments 401
Network Shared Across Organizations with Shared Services 402
External Firewall Interconnecting Multiple Security Zones 404
Service Provider 404
Summary 405
Chapter 10 Integrating L4-7 Services 407
Inserting Services 407
How We Do It Today 408
Managed vs. Unmanaged 415
Ecosystem Partners 420
Management Model 422
Functional Profiles 425
Security for All Hosts 430
Building an End-to-End Security Solution 431
Integrating Firewalls 438
Integrating Security Monitoring 452
Integrating Intrusion Prevention Systems 453
Integrating Server Load Balancing and ADC 457
Two-node Service Graph Designs 462
Summary 465
Chapter 11 Multi-Site Designs 467
Bringing Up a Second Site 468
Stretched Fabric Design 470
Multiple-Fabric Design 476
Multi-Pod Architecture 488
ACI Multi-Pod Use Cases and Supported Topologies 489
ACI Multi-Pod Scalability Considerations 492
Inter-Pod Connectivity Deployment Considerations 493
IPN Control Plane 494
IPN Multicast Support 496
Spines and IPN Connectivity Considerations 500
Pod Auto-Provisioning 505
APIC Cluster Deployment Considerations 507
Reducing the Impact of Configuration Errors with Configuration Zones 513
Migration Strategies 516
Multi-Site Architecture 517
APIC Versus Multi-Site Controller Functionalities 521
Multi-Site Schema and Templates 522
Multi-Site Use Cases 527
Multi-Site and L3 Out Considerations 533
Layer 3 Multicast Deployment Options 535
Migration of Cisco ACI Fabric to Cisco ACI Multi-Site 537
Summary 539
Chapter 12 Troubleshooting and Monitoring 541
You Have a Poor Health Score. Now What? 542
NX-OS CLI 543
Connecting to the Leaf Switches 546
Linux Commands 549
Mapping Local Objects to Global Objects 551
Some Useful Leaf Commands 556
ping 560
Troubleshooting Physical Issues 562
Troubleshooting Cabling 562
Troubleshooting Switch Outages 565
Replacing a Fabric Switch 566
Troubleshooting Contracts 567
Troubleshooting Tools in ACI 570
Hardware Diagnostics 570
Dropped Packets: Counter Synchronization 571
Atomic Counters 572
Traffic Mirroring: SPAN and Copy Services 572
Troubleshooting Wizard 581
Endpoint Tracker 588
Effectively Using Your Fabric Resources 590
Monitoring Policies and Statistics 596
SNMP Policies 596
Syslog Policies 598
Statistics 598
Third-Party Monitoring Tools with ACI Support 601
IBM Tivoli Netcool 601
SevOne 601
ScienceLogic 601
Splunk 601
Zenoss 601
Summary 602
Chapter 13 ACI Programmability 603
Why Network Programmability? Save Money, Make Money! 603
What Is Wrong with Previous Network Automation Concepts? 604
Programming Interfaces and SDKs 606
Cisco ACI Programming Interfaces 607
Cisco ACI REST API 607
Cisco ACI Object Model 609
Cisco ACI Software Development Kits 617
Where to Find Automation and Programmability Examples 619
Developing and Testing Your Code Without an ACI Fabric at Hand 620
Increasing Operational Efficiency Through Network Automation 622
Offering Visibility to the Network 622
Externalizing Network Configuration 623
Horizontal Automation Integrations 626
Automating the Generation of Network Documentation 630
Enabling Additional Business Models Through Network Automation 630
Agile Application Deployment and DevOps 631
Private Cloud and IaaS 634
Hybrid Cloud 638
Platform as a Service 639
ACI Integration with Apprenda 640
Mantl and Shipped 640
Cisco ACI App Center 642
Summary 644
9781587144745, TOC, 1/31/2018