Brkaci 2125 PDF
Architecture and Deployment
How to join the session discussion:
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Session Objectives
Agenda
• ACI Network and Policy Domain Evolution
• ACI Multi-Site Deep Dive
  – Overview and Use Cases
  – Introducing ACI Multi-Zone
  – Inter-Site Connectivity Deployment Considerations
  – Control and Data Planes
  – Connecting to the External Layer 3 Domain
  – CloudSec and VMM Integration
  – Migration Scenarios
• Conclusions and Q&A
ACI Network and Policy Domain Evolution
Introducing: Application Centric Infrastructure (ACI)
(Figure: an application profile with Web, App and DB tiers and an Outside (Tenant VRF) connection, with QoS, Filter and Service policies between the tiers, pushed by the APIC to the ACI Fabric)
• APIC: Application Policy Infrastructure Controller
• ACI Fabric: Integrated GBP VXLAN Overlay
Cisco ACI
Fabric and Policy Domain Evolution
• ACI Single Pod Fabric
• ACI Stretched Fabric
• ACI Multi-Pod Fabric: Pod ‘A’ … Pod ‘n’ interconnected by an IPN, one APIC Cluster
• ACI Multi-Site: Fabric ‘A’ … Fabric ‘n’ interconnected by an IP network, with ACI Multi-Zone across the fabrics
Fabric and Policy Domain Evolution
Deployment Options
• Single APIC Cluster/Single Fabric: Stretched Fabric (one ACI Fabric and one APIC Cluster spanning DC1 and DC2)
• Multiple APIC Clusters/Multiple Fabrics: Multi-Fabric (with L2 and L3 DCI) – Fabric ‘A’ … Fabric ‘n’, each with its own APIC Cluster, inter-site applications over an L2/L3 DCI, ACI Multi-Zone across the fabrics
Regions and Availability Zones
OpenStack and AWS Definitions
(Figure: OpenStack-style Region containing Availability Zones; each Availability Zone is an ACI Multi-Pod fabric with its own APIC Cluster and an intra-zone IS-IS, COOP, MP-BGP control plane; zones interconnected by MP-BGP EVPN)
Availability Zone
• Multiple ACI Pods connected by an IP Inter-Pod L3 network; each Pod consists of leaf and spine nodes
• Managed by a single APIC Cluster
• Single Management and Policy Domain
• Forwarding control plane (IS-IS, COOP) fault isolation between Pods
• Data Plane VXLAN encapsulation between Pods
• End-to-end policy enforcement
Single Availability Zone with Maintenance & Configuration Zones
Scoping ‘Network Device’ Changes
• Maintenance Zones – Groups of switches managed as an “upgrade” group
(Figure: ACI Multi-Pod Fabric with Inter-Pod Network and APIC Cluster)
Reducing the Impact of Configuration Errors
Introducing Configuration Zones
Single Availability Zone with Tenant Isolation
Isolation for ‘Virtual Network Zone and Application’ Changes
(Figure: ACI Multi-Pod Fabric with Inter-Pod Network and APIC Cluster)
• The ACI ‘Tenant’ construct provides a domain of application and associated virtual network policy change
• Domain of operational change for an application (e.g. production vs. test)
ACI Multi-Pod
Supported Topologies
• Intra-DC: POD 1 … POD n interconnected at 10G*/40G/100G
• Two DC sites directly connected: POD 1 and POD 2 over dark fiber/DWDM at 10G*/40G/100G (up to 50 msec RTT**)
Introducing ACI Multi-Zone
(Figure: Availability Zone ‘A’ and Availability Zone ‘B’ in Region ‘C’, interconnected by MP-BGP EVPN, with ACI Multi-Zone driving both through REST API/GUI)
• Separate ACI Fabrics with independent APIC clusters
• ACI Multi-Zone (AMZ) pushes cross-fabric configuration to multiple APIC clusters, providing scoping of all configuration changes
• MP-BGP EVPN control plane between sites
• Data Plane VXLAN encapsulation across sites
• End-to-end policy definition and enforcement
Typical Requirement
Creation of Two Independent Fabrics/AZs
Creation of Two Independent Fabrics/AZs
Deployment of Two (or More) Pods per Fabric/AZ
(Figure: two fabrics/AZs, each with several pods, managed by ACI Multi-Zone in a ‘Classic’ Active/Active arrangement)
Creation of Two Independent Fabrics/AZs
Use Case 1: Fabrics/AZs Map to Physical DCs
(Figure: DC ‘One’ hosts one Fabric/AZ and DC ‘Two’ the other; ACI Multi-Zone, ‘Classic’ Active/Active)
Creation of Two Independent Fabrics/AZs
Use Case 2: Fabric/AZ Deployed across Physical DCs
(Figure: each Fabric/AZ has pods in both DC ‘One’ and DC ‘Two’; ACI Multi-Zone, ‘Classic’ Active/Active)
ACI Multi-Site Deep Dive
Overview and Use Cases
ACI Multi-Site
ACI 3.0 Release (Q3CY17)
Overview
(Figure: Availability Zone ‘A’ and Availability Zone ‘B’ in Region ‘C’ over an IP Network with MP-BGP EVPN; ACI Multi-Zone manages both via REST API/GUI)
• Separate ACI Fabrics with independent APIC clusters
• ACI Multi-Zone pushes cross-fabric configuration to multiple APIC clusters, providing scoping of all configuration changes
• MP-BGP EVPN control plane between sites
• Data Plane VXLAN encapsulation across sites
• End-to-end policy definition and enforcement
ACI Multi-Site
Network and Identity Extended between Fabrics
(Figure: fabrics interconnected with MP-BGP EVPN under ACI Multi-Zone)
ACI Multi-Site
Namespace Normalization
• Translation of Class-ID, VNID and Source IP VTEP address (scoping of name spaces)
(Figure: Site 1 … Site n. Leaf-to-leaf VXLAN traffic inside a site carries VTEP IP, VNID, Class-ID and the Tenant Packet; the VTEP and Class-ID are local to the fabric. For site-to-site VTEP traffic the VTEPs, VNID and Class-ID are mapped on the spine.)
• Maintain separate name spaces with ID translation performed on the spine nodes
• Requires specific HW on the spine to support this functionality
ACI Multi-Site
Hardware Requirements
ACI Multi-Site Networking Options
Per Bridge Domain Behavior
(Figure: two options drawn as Site 1/Site 2 pairs over an L3 inter-site network, under ACI Multi-Zone)
ACI Multi-Site Networking Options
IP Mobility without Layer 2 Flooding
Traditional L3Out on the Border Leaf Nodes
(Figure: two sites attached to the IP WAN through border leaf L3Outs)
ACI Multi-Site Networking Options
IP Mobility without Layer 2 Flooding
Traditional L3Out on the Border Leaf Nodes
• Ingress traffic may continue to be steered to Site 1 even after the IP Mobility event
• ACI Multi-Site discovers the new location of the endpoint and redirects the traffic to Site 2
GOLF L3Out (MP-BGP EVPN between the spines and the GOLF Routers)
• Host routes must be advertised from each site toward the GOLF routers
• Ingress traffic is optimally steered toward the new endpoint location
ACI Multi-Site Networking Options
Per Bridge Domain Behavior
• Layer 3 only across sites
• IP Mobility without L2 flooding
• Full Layer 2 and Layer 3 Extension
(Figure: the three options drawn as Site 1/Site 2 pairs over an L3 inter-site network, under ACI Multi-Zone)
ACI Multi-Site
Scalability Values Supported in 3.0 Release
Scale Parameter | AMZ Scale – Stretched Objects | AMZ Scale – Not Stretched Objects
Sites | 4 | N/A
(Figure, next slide: ACI Multi-Zone VMs on hypervisors in New York (Site3), Milan (Site1) and Rome (Site2), interconnected over the IP Network/WAN)
• Hypervisors can be connected directly to the DC OOB network
• Each ACI Multi-Zone VM has a unique routable IP
• Async calls from ACI Multi-Zone to APIC nodes
• Moderate latency supported between ACI Multi-Zone nodes
• Higher latency (500 msec to 1 sec RTT) between ACI Multi-Zone and remote APIC clusters
• If possible deploy a node in each site for availability purposes (network partition scenarios)
ACI Multi-Zone
Dashboard
ACI Multi-Zone
MP-BGP/EVPN Infra
ACI Multi-Zone
Users
ACI Multi-Zone
Tenants
ACI Multi-Zone
Templates and Profiles
• Template = APIC policy definition
(Figure: a Profile containing a Template whose POLICY connects EP1 and EP2)
ACI Multi-Zone
Templates and Profiles
ACI Multi-Zone
Scope of Changes
APIC vs. ACI Multi-Zone Functions
APIC
• Maintains runtime data (VTEP address, VNID, Class_ID, GIPo, etc.)
• No participation in the fabric control and data planes
ACI Multi-Zone
• End-to-end visibility and troubleshooting
• No run time data, configuration repository
• No participation in the fabric control and data planes
Inter-Site Connectivity
Deployment Considerations
ACI Multi-Site
Inter-Site IP Network Requirements
(Figure: sites interconnected by the IP network with MP-BGP EVPN, under ACI Multi-Zone)
Control and Data Planes
ACI Multi-Site
BGP Inter-Site Peers
(Figure: BGP Inter-Site Peers in each site across the IP Network, the site DP-ETEP and per-spine CP-ETEP 1/CP-ETEP 2 addresses, and spines labelled ‘1st Gen’)
Spines connected to the IP Network perform two main functions:
1. Establishing MP-BGP EVPN peerings with remote sites
• One dedicated Control Plane ETEP address (CP-ETEP) is assigned to each spine running MP-BGP EVPN; it must be a globally routable address
• Full mesh MP-BGP EVPN peerings with BGP Inter-Site Peers in remote sites
• Received EVPN information is synced with the other local spines that are not BGP Inter-Site Peers
2. Forward inter-site data-plane traffic
• One Anycast Data Plane ETEP address (DP-ETEP) is assigned to all the externally connected spines; it uniquely identifies the site and must be globally routable in the inter-site network
ACI Multi-Site IP Network Routing Table
Exchanging TEP Information across Sites
• OSPF between spines and Inter-Site network (only supported option in 3.0)
• Exchange of External Spine TEP addresses (DP-ETEPs and CP-ETEPs) across sites
• TEP Pool information not advertised to the Inter-Site network
• Recommended to use non-overlapping TEP Pools if possible
• Multicast support not required in the Inter-Site Network
• Head-End Replication (HER) for L2 BUM traffic (only for stretched BDs)
(Figure: Site 1 (spines S1–S4, TEP Pool 1) and Site 2 (spines S5–S8, TEP Pool 2) under ACI Multi-Zone, with IS-IS to OSPF mutual redistribution toward the Inter-Site IP Network)
IP Network routing table: DP-ETEP A, CP-ETEP S3-S4, DP-ETEP B, CP-ETEP S5-S8
Leaf Routing Table (Site 1): IP Prefix DP E-TEP B, Next-Hop Pod1-S3, Pod1-S4
Leaf Routing Table (Site 2): IP Prefix DP E-TEP A, Next-Hop Pod2-S1, Pod2-S2, Pod2-S3, Pod2-S4
ACI Multi-Site
Inter-Site MP-BGP EVPN Control Plane
(Figure: Site 1 spines S1–S4 (DP-ETEP A) and Site 2 spines S5–S8 (DP-ETEP B) peering across the IP Network)
• Inter-Site policies defined on the ACI Multi-Zone are pushed to the respective APIC domains
ACI Multi-Site
Inter-Site Unicast Data Plane
(Figure: Site 1 (DP-ETEP A, Proxy A) and Site 2 (DP-ETEP B, Proxy B); VXLAN packet format VTEP IP | VNID | Class-ID | Tenant Packet; endpoint tables: Proxy A has EP1 → Leaf 4, Site 1 learns EP2 → DP ETEP B, Site 2 learns EP1 → DP ETEP A; C = contract between the EPGs; VXLAN encap/decap marked at leaf and spine)
Policy information (EP1’s Class-ID) is carried across Pods:
1. EP1 sends traffic destined to remote EP2
2. EP2 unknown, traffic is encapsulated to the local Proxy A Spine VTEP (adding S_Class information)
3. S2 has remote info for EP2 and encapsulates traffic to remote DP ETEP B
4. S4 rewrites the S-VTEP to be DP ETEP A; S6 translates the VNID and Class-ID to local values and sends traffic to the local leaf
5. Leaf learns remote Site location info for EP1
6. If policy allows it, EP2 receives the packet
ACI Multi-Site
Inter-Site Data Plane (2)
(Figure: return path; Site 2 leaf table EP1 → DP ETEP A, Site 1 leaf table EP2 → DP ETEP B, EP1 on e1/3; steps 9 and 10 are marked on the spines of both sites without text; C = contract between the EPGs; VXLAN encap/decap marked)
Policy information (EP1’s S_Class) is carried across Pods:
7. EP2 sends traffic back to remote EP1
8. Leaf encapsulates traffic to remote DP ETEP address
11. Leaf learns remote Site location info for EP2
12. EP1 receives the packet
ACI Multi-Site
Inter-Site Data Plane (3)
• From this point EP1 to EP2 communication is encapsulated Leaf to Remote Spine DP ETEPs in both directions
(Figure: S1–S8 across the IP network under ACI Multi-Zone, EP1 and EP2 in their EPGs joined by contract C, VXLAN encap/decap at the leaf nodes and remote spines)
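As an added illustration that is not part of the deck, the Python model below walks the unicast flow of the three preceding data-plane slides together with the namespace normalization slide: the egress spine rewrites the source VTEP to the site's anycast DP-ETEP, the ingress spine translates VNID and Class-ID into its own namespace (dropping anything not stretched to that site), the destination leaf learns the remote endpoint behind the remote DP-ETEP, and the contract is enforced on local Class-IDs only. All addresses, VNIDs, Class-IDs, endpoint names and helper names are constructed assumptions.

```python
from dataclasses import dataclass, field, replace

@dataclass(frozen=True)
class VxlanPkt:
    s_vtep: str    # outer source VTEP IP
    d_vtep: str    # outer destination VTEP IP
    vnid: int      # VXLAN network ID, locally significant per site
    class_id: int  # source EPG Class-ID (policy tag), locally significant per site
    payload: str   # tenant packet

@dataclass
class Site:
    name: str
    dp_etep: str    # anycast data-plane ETEP shared by the site's external spines
    leaf_vtep: str  # the single leaf modelled in this site
    vnid: int       # this site's VNID for the stretched bridge domain
    ep_class: dict  # local endpoint -> local Class-ID
    allowed: set    # contract: permitted (src Class-ID, dst Class-ID) pairs
    xlate_vnid: dict = field(default_factory=dict)   # (remote site, remote VNID) -> local VNID
    xlate_class: dict = field(default_factory=dict)  # (remote site, remote Class-ID) -> local Class-ID
    etep_site: dict = field(default_factory=dict)    # remote DP-ETEP -> remote site name
    ep_location: dict = field(default_factory=dict)  # endpoint -> remote DP-ETEP (EVPN or data-plane learnt)

def spine_ingress(site, pkt):
    """Receiving site's external spine (S6 on the slide): translate VNID and Class-ID into
    this site's namespace; a missing mapping means the object is not stretched here, so drop."""
    src = site.etep_site.get(pkt.s_vtep)
    kv, kc = (src, pkt.vnid), (src, pkt.class_id)
    if kv not in site.xlate_vnid or kc not in site.xlate_class:
        return None
    return replace(pkt, vnid=site.xlate_vnid[kv], class_id=site.xlate_class[kc])

def send(src_site, dst_site, src_ep, dst_ep, payload):
    """One inter-site unicast packet end to end; returns what the destination leaf delivers, or None."""
    remote_etep = src_site.ep_location.get(dst_ep)
    if remote_etep is None:  # unknown remote endpoint: spine proxy lookup not modelled here
        return None
    # Source leaf encapsulates with the local VNID and the sender's local Class-ID.
    pkt = VxlanPkt(src_site.leaf_vtep, remote_etep, src_site.vnid,
                   src_site.ep_class[src_ep], payload)
    # Externally connected spine (S4 on the slide) rewrites S-VTEP to the anycast DP-ETEP.
    pkt = spine_ingress(dst_site, replace(pkt, s_vtep=src_site.dp_etep))
    if pkt is None:
        return None
    dst_site.ep_location[src_ep] = pkt.s_vtep  # leaf learns the EP behind the remote DP-ETEP
    # The contract is enforced on translated, local Class-IDs only.
    if (pkt.class_id, dst_site.ep_class[dst_ep]) not in dst_site.allowed:
        return None
    return pkt

def build_sites():
    """Constructed sample topology: EP1/EP3 in Site 1, EP2 in Site 2; every value is made up."""
    s1 = Site("Site1", "192.0.2.1", "10.1.0.11", 15000001,
              {"EP1": 32771, "EP3": 32790}, {(49160, 32771)})
    s2 = Site("Site2", "198.51.100.1", "10.2.0.11", 15000009,
              {"EP2": 32780}, {(49153, 32780)})
    s1.etep_site[s2.dp_etep], s2.etep_site[s1.dp_etep] = s2.name, s1.name
    s2.xlate_vnid[("Site1", 15000001)], s1.xlate_vnid[("Site2", 15000009)] = 15000009, 15000001
    s2.xlate_class[("Site1", 32771)] = 49153  # EP1's EPG (Web) as a Site 2 Class-ID
    s1.xlate_class[("Site2", 32780)] = 49160  # EP2's EPG (App) as a Site 1 Class-ID
    s1.ep_location["EP2"] = s2.dp_etep        # learnt through MP-BGP EVPN (step 3 on the slide)
    return s1, s2
```

EP3's EPG has no translation entry in Site 2, so its traffic is dropped at the ingress spine and Site 2 never learns EP3; that is the namespace scoping the slide describes.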
ACI Multi-Site
Layer 2 BUM Traffic Data Plane
(Figure: Site 1 (DP-ETEP A) and Site 2 (HER-ETEP B, Proxy B) under ACI Multi-Zone; the Site 2 VTEP learns VM1’s remote location; GIPo1 = Multicast Group associated to EP1’s BD)
1. EP1 generates a BUM frame
2. BUM frame is associated to GIPo1 and flooded intra-site via the corresponding FTAG tree
3. S3 is elected as Multi-Site forwarder for GIPo 1 BUM traffic; it creates a unicast VXLAN packet with DP-ETEP A as S_VTEP and HER-ETEP B* as D_VTEP
4. S7 translates the VNID and the GIPo values to locally significant ones and associates the frame to an FTAG tree
5. BUM frame is flooded along the tree associated to GIPo
6. EP2 receives the BUM frame
*This is a different ETEP address than the one used for inter-site L3 unicast communication
Connecting to the External Layer 3 Domain
Connecting ACI to Layer 3 Domain
‘Traditional’ L3Out on the BL Nodes
(Figure: a Client reaching the fabric across the WAN through PE routers and the border leaf L3Out)
Multi-Site and Traditional L3Out
(Figure: Site 1 and Site 2 across the IP Network; BD1 and BD2 each with a local L3Out (L3Out-1, L3Out-2) on the BL Nodes, each with its Routing Protocol, Route policy and ExtEPG-1/ExtEPG-2; steps 1–5 marked)
Multi-Site and Traditional L3Out
Stretched BD
• Basic assumption: every site defines its local L3Out connection
(Figure: a BD stretched across Site 1 and Site 2 under ACI Multi-Zone; EPG Web bound by contract C1 to ExtEPG-1 (L3Out-1) and ExtEPG-2 (L3Out-2))
Connecting ACI to Layer 3 Domain
‘GOLF’ Design
For More Information on GOLF Deployment: LABACI-2101
• Common when ‘sites’ represent rooms/halls in the same physical DC: MP-BGP EVPN peering required from spines in each fabric and the centralized WAN Edge devices (GOLF Routers)
• ‘Sites’ represent separate physical DCs: local only MP-BGP EVPN peering between spines and GOLF router
*Supported post-FCS
GOLF and Multi-Site Integration
Inter-DC Scenario with Stretched BD
GOLF and Multi-Site Integration
Inter-DC Scenario with Stretched BD (2)
• Granular inbound path optimization (host route advertisement into the WAN or integration with LISP)
Remote Router Table: 10.10.10.10/32 via G1,G2; 10.10.10.11/32 via G3,G4
(Figure: Proxy A and Proxy B sites interconnected by the IPN, GOLF routers G1–G4)
CloudSec and VMM Integration
ACI Multi-Site
CloudSec Encryption for VXLAN Traffic
• Encrypted Fabric to Fabric Traffic [GCM-AES-128 (32-bit PN), GCM-AES-256 (32-bit PN), GCM-AES-128-XPN (64-bit PN), GCM-AES-256-XPN (64-bit PN)]
• VTEP Information Clear Text
• Support planned for 3.1 release for FX line cards and 9364C platform
(Figure: sites under ACI Multi-Zone exchanging encrypted VXLAN traffic over the IP Network with MP-BGP EVPN)
ACI Multi-Site
VMM Integration
• Live migration with vSphere 6 and above
• VMM Domain: DC1 and DC2
(Figure: VMM DC1 (vCenter Server-1, VDS1) and VMM DC2 (vCenter Server-2, VDS2) with ESX hosts and Port-Group Web in each site, EPG Web with an L3Out, ACI Multi-Zone across the IP Network; steps 1–6 marked)
Migration Scenarios
ACI Multi-Zone Interactions with APIC Clusters
Supported at FCS (assumption: Tenant1 is defined in site1 only)
1. Import existing Tenant1, App1 definition from site 1 APIC
2. Apply App1 template to site 2
3. Push App1 template to site 2
Supported at FCS (Diff & Merge)
1. Import existing Tenant1, App1 definition from both sites
2. Diff/merge template policies and apply the template to both sites
3. Push template policies to both sites
ACI Multi-Site
Migration Paths
• Multi-Pod (Fabric 1, one APIC Cluster) to Multi-Site (Site 1 under ACI Multi-Zone): Planned for Q1CY18
• Multi-Fabric Design (Fabric 1 and Fabric 2 with separate APIC Clusters, inter-site applications over L2/L3 DCI) to Multi-Site (Site 1 and Site 2 under ACI Multi-Zone)
ACI Multi-Pod and ACI Multi-Site
Summary of Main Differences
(Figure: Multi-Pod – Pod ‘A’ … Pod ‘n’ over an IPN with MP-BGP EVPN and a single APIC Cluster; Multi-Site – Site ‘A’ … Site ‘n’ over an IP network with MP-BGP EVPN, under ACI Multi-Zone)
Where to Go for More Information
Complete Your Online Session Evaluation
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.
• Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you