Deploying ACI: The complete guide to planning, configuring, and managing Application Centric Infrastructure, Rough Cuts

Rough Cuts

  • Available to Safari Subscribers
  • About Rough Cuts
  • Rough Cuts are manuscripts that are developed but not yet published, available through Safari. Rough Cuts provide you access to the very latest information on a given topic and offer you the opportunity to interact with the author to influence the final publication.

Not for Sale

Also available in other formats.

  • Description
  • Sample Content
  • Updates
  • Copyright 2018
  • Dimensions: 7-3/8" x 9-1/8"
  • Pages: 704
  • Edition: 1st
  • Rough Cuts
  • ISBN-10: 0-13-466105-2
  • ISBN-13: 978-0-13-466105-6

This is the Rough Cut version of the printed book.

Use ACI fabrics to drive unprecedented value from your data center environment


With the Cisco Application Centric Infrastructure (ACI) software-defined networking platform, you can achieve dramatic improvements in data center performance, redundancy, security, visibility, efficiency, and agility. In Deploying ACI, three leading Cisco experts introduce this breakthrough platform, and walk network professionals through all facets of design, deployment, and operation. The authors demonstrate how ACI changes data center networking, security, and management; and offer multiple field-proven configurations.


Deploying ACI is organized to follow the key decision points associated with implementing data center network fabrics. After a practical introduction to ACI concepts and design, the authors show how to bring your fabric online, integrate virtualization and external connections, and efficiently manage your ACI network.


You’ll master new techniques for improving visibility, control, and availability; managing multitenancy; and seamlessly inserting service devices into application data flows. The authors conclude with expert advice for troubleshooting and automation, helping you deliver data center services with unprecedented efficiency.

  • Understand the problems ACI solves,and how it solves them
  • Design your ACI fabric, build it, and interface with devices to bring it to life
  • Integrate virtualization technologieswith your ACI fabric
  • Perform networking within an ACI fabric (and understand how ACI changes data center networking)
  • Connect external networks and devices at Layer 2/Layer 3 levels
  • Coherently manage unified ACI networks with tenants and application policies
  • Migrate to granular policies based on applications and their functions
  • Establish multitenancy, and evolve networking, security, and services to support it
  • Integrate L4–7 services: device types, design scenarios, and implementation
  • Use multisite designs to meet rigorous requirements for redundancy and business continuity
  • Troubleshoot and monitor ACI fabrics
  • Improve operational efficiency through automation and programmability

Table of Contents

    Introduction xxiv
Chapter 1 You’ve Purchased ACI. Now What? 1
    Industry Trends and Transitions 1
    Next-Generation Data Center Concepts 2
        New Application Types 2
        Automation, Orchestration, and Cloud 3
        End-to-End Security 4
    Spine-Leaf Architecture 5
        Existing Infrastructure and ACI (Places in the Network) 8
    ACI Overview 9
    ACI Functional Components 10
        Nexus 9500 10
        Nexus 9300 10
        Application Centric Infrastructure Controllers 11
    Protocols Enabling the ACI Fabric 11
        Data Plane Protocols 11
        Control Plane Protocols 12
    Interacting with ACI 13
        GUI 13
        NX-OS CLI 14
        Open REST API 14
    Introduction to the Policy Model 14
        Application Network Profiles and Endpoint Groups 14
        VRFs and Bridge Domains 15
    Fabric Topologies 15
        Single-Site Model 15
        Multi-Pod Model 16
        Multi-Site Model 16
    Summary 17
Chapter 2 Building a Fabric 19
    Building a Better Network 19
        Fabric Considerations 20
        Phased ACI Migration 33
        Evolution to Application-Centric Mode 41
    Virtual Machine Manager (VMM) Integration 46
        AVS 46
        VMware 48
        Microsoft 50
    OpenStack 51
    Layer 4-7 Services 51
        Managed Mode 52
        Unmanaged Mode 53
    Additional Multisite Configurations 54
        Cisco ACI Stretched Fabric 55
        Cisco ACI Multi-Pod 56
        Cisco ACI Multi-Site 57
        Cisco ACI Dual-Fabric Design 57
        Pervasive Gateway 57
        VMM Considerations 58
    Summary 59
Chapter 3 Bringing Up a Fabric 61
    Out of the Box 61
        Suggested Services 62
        Management Network 64
    Logging In to the GUI for the First Time 73
        Basic Mode vs. Advanced Mode 74
        Discovering the Fabric 77
        Fabric Extenders 79
    Required Services 79
        Basic Mode Initial Setup 80
        Advanced Mode Initial Setup 84
        Management Network 92
        Fabric Policies 94
    Managing Software Versions 96
        Firmware Repository 97
        Controller Firmware and Maintenance Policy 98
    Configuration Management 101
        Configuration Snapshots 101
        Configuration Backup 102
    Summary 105
Chapter 4 Integration of Virtualization Technologies with ACI 107
    Why Integrate Cisco ACI with Virtualization Technologies? 107
    Networking for Virtual Machines and Containers 108
        Benefits of Cisco ACI Integration with Virtual Switches 111
        Comparing ACI Integration to Software Network Overlays 112
        Virtual Machine Manager Domains 115
        EPG Segmentation and Micro-Segmentation 121
        Intra-EPG Isolation and Intra-EPG Contracts 129
        Cisco ACI Integration with Virtual Switches in Blade Systems 132
        OpFlex 134
        Deployments over Multiple Data Centers 136
    VMware vSphere 137
        Cisco ACI Coexistence with the vSphere Standard Switch 138
        Cisco ACI Coexistence with the vSphere Distributed Switch 139
        Cisco ACI Integration with the vSphere Distributed Switch 139
        vCenter User Requirements 141
        Micro-Segmentation with the VDS 142
        Blade Servers and VDS Integration 142
        Cisco ACI Integration with Cisco Application Virtual Switch 143
        Cisco AVS Installation 147
        Blade Servers and AVS Integration 147
        Distributed Firewall 148
        Virtual Network Designs with VDS and AVS 150
        Cisco ACI Plug-in for vSphere vCenter Server: Configuring ACI from vCenter 154
        Cisco ACI Coexistence with VMware NSX 157
    Microsoft 158
        Introduction to Microsoft Hyper-V and SCVMM 159
        Preparing for the Integration 159
        Micro-Segmentation 161
        Blade Servers and SCVMM Integration 161
    OpenStack 162
        ML2 and Group-Based Policy 163
        Installing Cisco ACI Integration with OpenStack 164
        Cisco ACI ML2 Plug-in for OpenStack Basic Operations 164
        Cisco ACI ML2 Plug-in for OpenStack Security 166
        Cisco ACI ML2 Plug-in for OpenStack and Network Address Translation 167
    Cisco ACI GBP Plug-in for OpenStack 168
        Docker: Project Contiv 170
    Docker Networking 170
        Kubernetes 174
        Kubernetes Networking Model 175
        Isolation Models 176
        Creating a New EPG for Kubernetes Pods 178
        Assigning a Deployment or a Namespace to an EPG with Annotations 179
        Visibility in ACI for Kubernetes Objects 180
    Public Cloud Integration 180
    Summary 180
Chapter 5 Introduction to Networking with ACI 183
    Exploring Networking in ACI 184
        Groups and Contracts 184
        VRFs and Bridge Domains 197
        Connecting External Networks to the Fabric 208
    Network-Centric VLAN=BD=EPG 227
        Applying Policy to Physical and Virtual Workloads 230
        Moving Devices to the Fabric, VLAN by VLAN 232
        Unenforced vs. Enforced VRF 236
        L3 Connections to the Core 236
        Migrating the Default Gateway to the Fabric 242
    Summary 246
Chapter 6 External Routing with ACI 247
    Layer 3 Physical Connectivity Considerations 247
        Routed Ports Versus Switched Virtual Interfaces 249
        Outside Bridge Domains 250
        Bidirectional Forwarding Detection 251
        Access Port 252
        Port Channel 252
        Virtual Port Channel 254
        Gateway Resiliency with L3 Out 256
        Hot Standby Routing Protocol 256
    Routing Protocols 259
        Static Routing 259
        Enhanced Interior Gateway Routing Protocol 260
        Open Shortest Path First 261
        Border Gateway Protocol 265
    External Endpoint Groups and Contracts 268
        External Endpoint Groups 268
        Contracts Between L3 Out EPGs and Internal EPGs 269
    Multitenant Routing Consideration 269
        Shared Layer 3 Outside Connection 271
        Transit Routing 273
        WAN Integration 278
        Design Recommendations for Multitenant External Layer 3Connectivity 280
        Quality of Service 280
    Multicast 282
        Multicast Best-Practice Recommendations 283
        Multicast Configuration Overview 286
    Summary 287
Chapter 7 How Life Is Different with ACI 289
    Managing Fabrics versus Managing Devices 290
        Centralized CLI 290
        System Dashboard 291
        Tenant Dashboards 292
        Health Scores 294
        Physical and Logical Objects 295
        Network Policies 296
    Maintaining the Network 300
        Fault Management 300
        Configuration Management 304
        Upgrading the Software 313
    Breaking the Shackles of IP Design 317
        Access Control Lists Without IP Addresses 317
        QoS Rules Without IP Addresses 317
        QoS Rules Without TCP or UDP Ports 317
    Physical Network Topology 318
        ACI as a Clos Fabric and Design Implications 318
        Fabric Topology and Links 320
        Individual Device View 320
        Port View 322
    Changing the Network Consumption Model 322
    Summary 324
Chapter 8 Moving to Application-Centric Networking 325
    “Network-Centric” Deployments 326
        Removing Packet Filtering in Network-Centric Deployments 328
        Increasing Per-Leaf VLAN Scalability 328
        Looking at the Configuration of a Network-Centric Design 329
    “Application-Centric” Deployment: Security Use Case 332
        Whitelist vs. Blacklist Models 333
        Enforced vs. Unenforced: ACI Without Contracts 333
        Endpoint Groups as a Zone-Based Firewall 334
        Contract Security Model 336
        Stateful Firewalling with Cisco Application Virtual Switch 344
        Intra-EPG Communication 346
        Any EPG 348
        Contract Definition Best Practices to Efficiently Use Resources 350
    “Application-Centric” Deployment: Operations Use Case 351
        Application-Centric Monitoring 351
        Quality of Service 352
    Migrating to an Application-Centric Model 355
        Disable Bridge Domain Legacy Mode 355
        Disable VRF Unenforced Mode 356
        Create New Application Profiles and EPGs 357
        Move Endpoints to the New EPGs 357
        Fine-Tune Security Rules 358
    How to Discover Application Dependencies 358
        Focus on New Applications 359
        Migrate Existing Applications 360
    Summary 364
Chapter 9 Multi-Tenancy 365
    The Need for Network Multi-Tenancy 366
        Data-Plane Multi-Tenancy 366
        Management Multi-Tenancy 366
    Multi-Tenancy in Cisco ACI 367
        Security Domains 368
        Role-Based Access Control 369
        Physical Domains 373
        Logical Bandwidth Protection Through Quality of Service 376
        What Is a Tenant? What Is an Application? 377
    Moving Resources to Tenants 382
        Creating the Logical Tenant Structure 382
        Implementing Management Multi-Tenancy 382
        Implementing Data-Plane Multi-Tenancy 386
        When to Use Dedicated or Shared VRFs 388
        Multi-Tenant Scalability 390
    External Connectivity 390
        Shared External Network for Multiple Tenants 393
    Inter-Tenant Connectivity 396
        Inter-VRF External Connectivity 396
        Inter-VRF Internal Connectivity (Route Leaking) 397
    L4-7 Services Integration 400
        Exporting L4-7 Devices 400
        Multi-Context L4-7 Devices 401
    Use Cases for Multi-Tenancy Connectivity 401
        ACI as Legacy Network 401
        Granting Network Visibility to Other Departments 401
        Network Shared Across Organizations with Shared Services 402
        External Firewall Interconnecting Multiple Security Zones 404
        Service Provider 404
    Summary 405
Chapter 10 Integrating L4-7 Services 407
    Inserting Services 407
        How We Do It Today 408
        Managed vs. Unmanaged 415
        Ecosystem Partners 420
        Management Model 422
        Functional Profiles 425
    Security for All Hosts 430
        Building an End-to-End Security Solution 431
        Integrating Firewalls 438
        Integrating Security Monitoring 452
        Integrating Intrusion Prevention Systems 453
        Integrating Server Load Balancing and ADC 457
        Two-node Service Graph Designs 462
    Summary 465
Chapter 11 Multi-Site Designs 467
    Bringing Up a Second Site 468
        Stretched Fabric Design 470
        Multiple-Fabric Design 476
    Multi-Pod Architecture 488
    ACI Multi-Pod Use Cases and Supported Topologies 489
        ACI Multi-Pod Scalability Considerations 492
        Inter-Pod Connectivity Deployment Considerations 493
        IPN Control Plane 494
        IPN Multicast Support 496
        Spines and IPN Connectivity Considerations 500
        Pod Auto-Provisioning 505
        APIC Cluster Deployment Considerations 507
        Reducing the Impact of Configuration Errors with Configuration Zones 513
        Migration Strategies 516
    Multi-Site Architecture 517
        APIC Versus Multi-Site Controller Functionalities 521
        Multi-Site Schema and Templates 522
        Multi-Site Use Cases 527
        Multi-Site and L3 Out Considerations 533
        Layer 3 Multicast Deployment Options 535
        Migration of Cisco ACI Fabric to Cisco ACI Multi-Site 537
    Summary 539
Chapter 12 Troubleshooting and Monitoring 541
    You Have a Poor Health Score. Now What? 542
    NX-OS CLI 543
        Connecting to the Leaf Switches 546
        Linux Commands 549
        Mapping Local Objects to Global Objects 551
        Some Useful Leaf Commands 556
        ping 560
    Troubleshooting Physical Issues 562
        Troubleshooting Cabling 562
        Troubleshooting Switch Outages 565
        Replacing a Fabric Switch 566
        Troubleshooting Contracts 567
    Troubleshooting Tools in ACI 570
        Hardware Diagnostics 570
        Dropped Packets: Counter Synchronization 571
        Atomic Counters 572
        Traffic Mirroring: SPAN and Copy Services 572
        Troubleshooting Wizard 581
        Endpoint Tracker 588
        Effectively Using Your Fabric Resources 590
    Monitoring Policies and Statistics 596
        SNMP Policies 596
        Syslog Policies 598
        Statistics 598
    Third-Party Monitoring Tools with ACI Support 601
        IBM Tivoli Netcool 601
        SevOne 601
        ScienceLogic 601
        Splunk 601
        Zenoss 601
    Summary 602
Chapter 13 ACI Programmability 603
    Why Network Programmability? Save Money, Make Money! 603
        What Is Wrong with Previous Network Automation Concepts? 604
        Programming Interfaces and SDKs 606
    Cisco ACI Programming Interfaces 607
        Cisco ACI REST API 607
        Cisco ACI Object Model 609
        Cisco ACI Software Development Kits 617
        Where to Find Automation and Programmability Examples 619
        Developing and Testing Your Code Without an ACI Fabric at Hand 620
    Increasing Operational Efficiency Through Network Automation 622
        Offering Visibility to the Network 622
        Externalizing Network Configuration 623
        Horizontal Automation Integrations 626
        Automating the Generation of Network Documentation 630
    Enabling Additional Business Models Through Network Automation 630
        Agile Application Deployment and DevOps 631
        Private Cloud and IaaS 634
        Hybrid Cloud 638
        Platform as a Service 639
        ACI Integration with Apprenda 640
        Mantl and Shipped 640
    Cisco ACI App Center 642
    Summary 644
9781587144745, TOC, 1/31/2018