
ACI Overview

Agenda

• What is ACI?
• Policy Driven Model
• Why ACI?

What is ACI?


• Still networking
  – ACI is just a different approach to building a network
• A single fabric that is controlled as a whole
• The fabric is an intelligent network

(Figure: the ACI Fabric.)

Application Centric

• Provides rapid deployment of the network to satisfy the connectivity needs of the application
• Not involved in what the application is doing or how it works

(Figure: the application environment, Web Tier / App Tier / DB Tier plus Storage, "sits on" the Fabric.)

Network Virtualisation

• A single "big chassis"
  – Central controller
• Software overlays

(Figure: chassis components: backplane and switch fabric, supervisor, line cards.)

Software Overlays – Network Virtualization

• Virtual Network 1, Virtual Network 2 and Virtual Network 3 are carried as VXLAN tunnels
• Encapsulated traffic is carried over the fabric
• The fabric itself is an L3 routed, non-blocking ECMP CLOS fabric

(Figure: three virtual networks tunnelled over the CLOS fabric.)

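What "encapsulated traffic carried over the fabric" means on the wire, as an added example that is not part of the original deck: the 8-byte VXLAN header of RFC 7348 that the overlay on this slide uses (ACI's fabric encapsulation extends this header; the extension is not modelled here). The inner frame, the VNIs and the fabric VTEP prefix are constructed for the example. The security point is the last function: a VNI is only a number in a header, so a leaf must accept VXLAN only from fabric VTEP addresses, otherwise a host that can reach UDP/4789 could inject frames into any virtual network.

```python
"""VXLAN encapsulation/decapsulation (RFC 7348) with an edge-admission check.

Added example; not code from the slide deck. The inner frame, VNIs and
the fabric VTEP prefix used below are constructed for illustration.
"""
import ipaddress
import struct

VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN destination port
VXLAN_FLAG_I = 0x08     # "VNI valid" bit in the flags byte
VXLAN_HDR_LEN = 8

# Constructed minimal inner Ethernet frame: dst MAC, src MAC, EtherType 0x0800, payload.
SAMPLE_INNER_FRAME = (bytes.fromhex("00aabbccddee") + bytes.fromhex("001122334455")
                      + b"\x08\x00" + b"inner-ip-packet")

# Constructed fabric VTEP address range; only these sources may send VXLAN.
FABRIC_VTEP_PREFIXES = ["10.0.0.0/16"]


def vxlan_encap(vni, inner_frame):
    """Prepend the VXLAN header: flags(8) reserved(24) | VNI(24) reserved(8)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    header = struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)
    return header + inner_frame


def vxlan_decap(packet):
    """Parse the header and return (vni, inner_frame).

    Packets without the I flag are dropped, as RFC 7348 section 5 requires;
    the reserved bits are ignored on receipt.
    """
    if len(packet) < VXLAN_HDR_LEN:
        raise ValueError("truncated VXLAN header")
    flags_word, vni_word = struct.unpack("!II", packet[:VXLAN_HDR_LEN])
    if not (flags_word >> 24) & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; drop")
    return vni_word >> 8, packet[VXLAN_HDR_LEN:]


def accept_from_vtep(src_ip, fabric_vtep_prefixes=FABRIC_VTEP_PREFIXES):
    """Edge admission: only fabric VTEP addresses may source VXLAN.

    The VNI carries no authentication, so a tenant host that can reach
    UDP/4789 on a VTEP could otherwise inject frames into any virtual network.
    """
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(p) for p in fabric_vtep_prefixes)


if __name__ == "__main__":
    pkt = vxlan_encap(10000, SAMPLE_INNER_FRAME)
    print(pkt[:VXLAN_HDR_LEN].hex(), vxlan_decap(pkt)[0])
    print(accept_from_vtep("10.0.3.7"), accept_from_vtep("192.168.1.10"))
```

The admission check is deliberately separate from parsing: the header parser answers "is this well-formed VXLAN", the VTEP check answers "is this source allowed to speak VXLAN at all", and the second must be applied before the VNI is used to pick a virtual network.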
ACI Fabric

(Figure: the ACI fabric.)
• ACI spines
• ACI leafs
• External L2 / L3 connectivity and L4–7 services
• Servers
• APIC cluster (APIC, APIC, APIC)
• OOB management

Virtual Chassis

• ACI functionally maps to a single chassis
  – APICs: supervisor
  – Spines: backplane and switch fabric
  – Leaves: line cards
• Note: this is not an exact functional mapping

(Figure: virtual chassis components.)

Policy Driven Model

Policy Driven

• Central policy controller (APIC)
• "What" not "How"
• Self-configuring devices based on policy
• Next generation SDN
• Policy applied at the edge

ACI Fabric Mode Data and Policy Model

• Controller (APIC): manages the entire Data Center
• Policy: End Point Groups (network and network security) and Application Network Profiles
• Identity: End Points
• Location: the Fabric (and attached SLBs and FWs)

Decoupling 'Identity' from 'Location':
- Easier infrastructure changes
- Security decoupled from IP
- Policy applies to virtual or physical servers
- Elasticity

ACI Application Profiles

(Figure: an application policy with three tiers. Outside (Tenant VRF) → Filter → Web → Service → App → Filter → DB, each tier with its own QoS. The APIC, the Application Policy Infrastructure Controller, instantiates the application policy on the ACI Fabric, which carries the traffic as VXLAN.)

Application Policy Model and Instantiation

• Application policy model: defines the application requirements (the application profile)
• Policy instantiation: each device dynamically instantiates the required changes based on the policies

(Figure: a client reaching a Web Tier, App Tier and DB Tier with Storage; the APIC pushes the policy to the fabric; VMs at 10.2.4.7, 10.9.3.37 and 10.32.3.7 are attached to the tiers.)

All forwarding in the fabric is managed through the application profile:

• IP addresses are fully portable anywhere within the fabric
• Security and forwarding are fully decoupled from any physical or virtual network attributes
• Devices autonomously update the state of the network based on configured policy requirements

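The three-tier application profile above written down in the ACI policy model, as an added example that is not code from the deck or from Cisco. It builds the JSON the APIC REST API accepts for a tenant (fvTenant) with one VRF (fvCtx), one bridge domain (fvBD) and an application profile (fvAp) whose Web, App and DB endpoint groups (fvAEPg) are joined by contracts (vzBrCP) made of filters (vzFilter/vzEntry), and then evaluates whether a flow between two groups is allowed, which is the decision a leaf makes at the edge. The class and attribute names are ACI's; the tenant name "foo", the VRF, bridge domain, profile, contract and filter names and the outside tier being omitted are assumptions of this example.

```python
"""A three-tier Application Network Profile in the ACI policy model.

Added example; not from the slide deck or Cisco. Object class names are the
APIC's; tenant "foo", "vrf1", "bd1", "three-tier" and the contract/filter
names are assumptions.
"""
import json


def tcp_filter(name, port):
    """vzFilter with one TCP entry for a single destination port."""
    entry = {"vzEntry": {"attributes": {
        "name": f"tcp-{port}", "etherT": "ip", "prot": "tcp",
        "dFromPort": str(port), "dToPort": str(port)}}}
    return {"vzFilter": {"attributes": {"name": name}, "children": [entry]}}


def contract(name, filter_names):
    """vzBrCP with one subject referencing the given filters."""
    rels = [{"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": f}}} for f in filter_names]
    subj = {"vzSubj": {"attributes": {"name": "subj"}, "children": rels}}
    return {"vzBrCP": {"attributes": {"name": name}, "children": [subj]}}


def epg(name, bd, provides=(), consumes=()):
    """fvAEPg bound to a bridge domain, providing and consuming contracts."""
    children = [{"fvRsBd": {"attributes": {"tnFvBDName": bd}}}]
    children += [{"fvRsProv": {"attributes": {"tnVzBrCPName": c}}} for c in provides]
    children += [{"fvRsCons": {"attributes": {"tnVzBrCPName": c}}} for c in consumes]
    return {"fvAEPg": {"attributes": {"name": name}, "children": children}}


def build_tenant(name="foo"):
    """Tiers from the slide: web (80/443) <- app (8081) <- db (1433)."""
    ap = {"fvAp": {"attributes": {"name": "three-tier"}, "children": [
        epg("web", "bd1", provides=["web-svc"], consumes=["app-svc"]),
        epg("app", "bd1", provides=["app-svc"], consumes=["db-svc"]),
        epg("db", "bd1", provides=["db-svc"]),
    ]}}
    bd = {"fvBD": {"attributes": {"name": "bd1"}, "children": [
        {"fvRsCtx": {"attributes": {"tnFvCtxName": "vrf1"}}}]}}
    return {"fvTenant": {"attributes": {"name": name}, "children": [
        {"fvCtx": {"attributes": {"name": "vrf1"}}}, bd,
        tcp_filter("http", 80), tcp_filter("https", 443),
        tcp_filter("app-8081", 8081), tcp_filter("mssql", 1433),
        contract("web-svc", ["http", "https"]),
        contract("app-svc", ["app-8081"]),
        contract("db-svc", ["mssql"]),
        ap]}}


def _index(tenant):
    """Flatten the tree into name -> object maps for EPGs, contracts and filters."""
    epgs, contracts, filters = {}, {}, {}
    targets = {"fvAEPg": epgs, "vzBrCP": contracts, "vzFilter": filters}

    def walk(node):
        for cls, body in node.items():
            if cls in targets:
                targets[cls][body["attributes"]["name"]] = body
            for child in body.get("children", []):
                walk(child)
    walk(tenant)
    return epgs, contracts, filters


def _rels(body, cls, attr):
    """Names referenced by relation children of class `cls` on an object body."""
    return {c[cls]["attributes"][attr] for c in body.get("children", []) if cls in c}


def flow_allowed(tenant, src_epg, dst_epg, proto, dport):
    """Whitelist model: intra-EPG is open; inter-EPG needs a consumer->provider contract
    whose filter matches the protocol and destination port. No IP address is consulted."""
    epgs, contracts, filters = _index(tenant)
    if src_epg == dst_epg:
        return True
    consumed = _rels(epgs[src_epg], "fvRsCons", "tnVzBrCPName")
    provided = _rels(epgs[dst_epg], "fvRsProv", "tnVzBrCPName")
    for cname in consumed & provided:
        for subj in contracts[cname]["children"]:
            for fname in _rels(subj["vzSubj"], "vzRsSubjFiltAtt", "tnVzFilterName"):
                for entry in filters[fname]["children"]:
                    a = entry["vzEntry"]["attributes"]
                    if a["prot"] == proto and int(a["dFromPort"]) <= dport <= int(a["dToPort"]):
                        return True
    return False


if __name__ == "__main__":
    print(json.dumps(build_tenant(), indent=1))
```

Because `flow_allowed` never looks at an address, moving a web server to another leaf or renumbering it changes nothing in the policy; the web tier can reach the app tier on 8081 and nothing else, and web to database is denied because no contract joins those two groups.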
Why ACI?

Network Relevance

• Role of the network
  – More important than ever
  – Part of the application
• Victim of its own success
  – Complexity
  – Many moving parts
  – Many services
• Organic growth
  – Hard to re-engineer
• Extended change procedures

(Figure: the traditional build of the same three-tier application, one device at a time. vLAN 666 → L3 router → vLAN 111 → FW → vLAN 222 → SSL → SLB → vLAN 333 Web Servers (www www www) → FW → vLAN 444 → SLB and IDS/IPS → vLAN 555 App Servers (app app) → FW and IDS/IPS → vLAN 777 DB Servers (db db). The configuration below is typed into each box separately.)

Switches

switch1(config)# int eth 1/1
switch1(config)# switch mode acc
switch1(config)# switch acc vlan 666
switch1(config)# no shut

switch2(config)# int eth 1/2 - 3
switch2(config)# switch mode acc
switch2(config)# switch acc vlan 111
switch2(config)# no shut

switch3(config)# int eth 1/4 - 5
switch3(config)# switch mode acc
switch3(config)# switch acc vlan 222
switch3(config)# no shut

switch4(config)# int eth 1/6
switch4(config)# switch mode acc
switch4(config)# switch acc vlan 333
switch4(config)# no shut
switch4(config)# int eth 1/7 - 9
switch4(config)# switch mode acc
switch4(config)# switch acc vlan 333
switch4(config)# no shut

switch5(config)# int eth 1/10 - 11
switch5(config)# switch mode acc
switch5(config)# switch acc vlan 444
switch5(config)# no shut
switch5(config)# int eth 1/11 - 15
switch5(config)# switch mode acc
switch5(config)# switch acc vlan 555
switch5(config)# no shut
switch5(config)# monitor session 1 source vlan 555
switch5(config)# monitor session 1 dest eth 1/16

switch6(config)# int eth 1/16 - 19
switch6(config)# switch mode acc
switch6(config)# switch acc vlan 777
switch6(config)# no shut
switch6(config)# monitor session 1 source vlan 777
switch6(config)# monitor session 1 dest eth 1/20

L3 router

router(config)# int eth 1
router(config)# ip add 6.6.6.1 255.255.255.0
router(config)# no shut
router(config)# int eth 2
router(config)# ip addr 1.1.1.1 255.255.255.0
router(config)# no shut
router(config)# router eigrp 100
router(config)# network 6.6.6.0 mask 255.255.255.0
router(config)# network 1.1.1.0 mask 255.255.255.0

FW (fw1)

fw1(config)# int eth 0/1
fw1(config)# nameif outside 0
fw1(config)# int eth 0/2
fw1(config)# nameif webfront 20
fw1(config)# ip route 0.0.0.0 0.0.0.0 6.6.6.254
fw1(config)# object network webfront_vip
fw1(config)# host 6.6.6.6
fw1(config)# static (webfront,outside) 1.1.1.6
fw1(config)# access-list outside_web permit tcp any host 6.6.6.6 eq 80
fw1(config)# access-list outside_web permit tcp any host 6.6.6.6 eq 443
fw1(config)# access-group outside_web in interface outside

SSL (CONFIG)

crypto generate key 1024 fooyou.key
crypto csr-params testparms
 country US
 state California
 locality San Jose
 organization-name foo
 organization-unit you
 common-name www.fooyou.com
 serial-number crisco123
crypto generate csr testparms fooyou.key

slb1 (CONFIG)

probe http http-probe
 interval 30
 expect status 200 200
rserver host websrvr1
 description foo web server
 ip address 3.3.3.1
 inservice
rserver host websrvr2
 description foo web server
 ip address 3.3.3.2
 inservice
rserver host websrvr3
 description foo web server
 ip address 3.3.3.3
 inservice
serverfarm host FOOWEBFARM
 probe http-probe
 rserver websrvr1 80
  inservice
 rserver websrvr2 80
  inservice
 rserver websrvr3 80
  inservice

FW (fw2)

fw2(config)# int eth 0/1
fw2(config)# nameif webfront 20
fw2(config)# int eth 0/2
fw2(config)# nameif appfront 50
fw2(config)# object network appfarm_vip
fw2(config)# host 5.5.5.5
fw2(config)# nat (appfront,webfront) static 4.4.4.4
fw2(config)# access-list web_to_app permit tcp any host 4.4.4.4 eq 8081

slb2 (CONFIG)

rserver host appsrvr1
 description foo app server
 ip address 5.5.5.1
 inservice
rserver host appsrvr2
 description foo app server
 ip address 5.5.5.2
 inservice
rserver host appsrvr3
 description foo app server
 ip address 5.5.5.3
 inservice
serverfarm host FOOAPPFARM
 probe http-probe
 rserver appsrvr1 8081
  inservice
 rserver appsrvr2 8081
  inservice
 rserver appsrvr3 8081
  inservice

FW (fw3)

fw3(config)# int eth 0/1
fw3(config)# nameif appfront 70
fw3(config)# int eth 0/2
fw3(config)# nameif dbfront 90
fw3(config)# object network db_cluster
fw3(config)# host 7.7.7.7
fw3(config)# nat (dbfront,appfront) static 5.5.5.50
fw3(config)# access-list web_to_app permit tcp any host 5.5.5.50 eq 1433

. . .

Let's add a couple more web servers

(Figure: the same topology, now with five web servers (www www www www www) on vLAN 333 behind the SSL / SLB pair; the other tiers are unchanged.)

switch4(config)# int eth 2/7 - 9
switch4(config)# switch mode acc
switch4(config)# switch acc vlan 333
switch4(config)# no shut

slb1 (ADDED CONFIG)

rserver host websrvr4
 description foo web server
 ip address 3.3.3.4
 inservice
rserver host websrvr5
 description foo web server
 ip address 3.3.3.5
 inservice
serverfarm host FOOWEBFARM
 rserver websrvr4 80
  inservice
 rserver websrvr5 80
  inservice

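The fabric side of the same change on ACI, as an added example that is not code from the deck or from Cisco: the two new servers' leaf ports are attached to the existing Web endpoint group by POSTing static path bindings (fvRsPathAtt) to the APIC, and the contracts and filters that govern what the web tier may talk to are untouched because they reference the group, not ports or addresses. The APIC address, the credentials, tenant "foo", application profile "three-tier", EPG "web", leaf node 101, ports eth1/7 and eth1/8 and VLAN 333 are assumptions. The HTTP call is injectable so the login and POST sequence can be exercised offline with a fake transport; the real transport uses the system CA store and does not turn certificate verification off (an APIC's self-signed certificate should be replaced or its issuing CA trusted explicitly, not bypassed).

```python
"""Attach new leaf ports to an existing EPG through the APIC REST API.

Added example; not from the slide deck or Cisco. The APIC address, user,
tenant, profile, EPG, node id, ports and VLAN are all assumptions.
"""
import json
import ssl
import urllib.request


def urllib_post(url, body, headers):
    """Real transport: HTTPS POST with certificate verification left on."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    ctx = ssl.create_default_context()  # system CA store; load the APIC's CA here, never CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, resp.read().decode()


class ApicClient:
    def __init__(self, base_url, post=urllib_post):
        self.base_url = base_url.rstrip("/")
        self._post = post
        self._token = None

    def _call(self, path, payload):
        """POST a JSON payload; the session token travels as the APIC-cookie."""
        headers = {"Content-Type": "application/json"}
        if self._token:
            headers["Cookie"] = f"APIC-cookie={self._token}"
        status, text = self._post(self.base_url + path, json.dumps(payload), headers)
        data = json.loads(text)
        # The APIC reports failures as error objects inside imdata, often with HTTP 200/400.
        errors = [m["error"]["attributes"] for m in data.get("imdata", []) if "error" in m]
        if status != 200 or errors:
            raise RuntimeError(f"APIC returned {status}: {errors}")
        return data

    def login(self, user, password):
        """aaaLogin; returns the session token and keeps it for later calls."""
        data = self._call("/api/aaaLogin.json",
                          {"aaaUser": {"attributes": {"name": user, "pwd": password}}})
        self._token = data["imdata"][0]["aaaLogin"]["attributes"]["token"]
        return self._token

    def bind_paths(self, tenant, ap, epg, node, ports, vlan):
        """Add static path bindings (fvRsPathAtt) for ports on leaf `node` to the EPG."""
        dn = f"uni/tn-{tenant}/ap-{ap}/epg-{epg}"
        children = [{"fvRsPathAtt": {"attributes": {
            "tDn": f"topology/pod-1/paths-{node}/pathep-[{port}]",
            "encap": f"vlan-{vlan}", "mode": "regular", "instrImedcy": "immediate"}}}
            for port in ports]
        payload = {"fvAEPg": {"attributes": {"dn": dn}, "children": children}}
        self._call(f"/api/mo/{dn}.json", payload)
        return payload


if __name__ == "__main__":
    import getpass
    client = ApicClient("https://apic.example.invalid")  # assumed address
    client.login("admin", getpass.getpass("APIC password: "))  # credentials never hard-coded
    client.bind_paths("foo", "three-tier", "web", 101, ["eth1/7", "eth1/8"], 333)
```

The account used for this call should be scoped to the tenant rather than the fabric-wide admin role, and the token is a bearer credential: log it nowhere and let the session expire rather than persisting it.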
Need for a New way

• Drivers
  – Business driving ahead
  – Applications directly support the business
  – Delay and errors are business impacting
• A new DC to support the business
  – Cloud and shadow IT
  – Changing roles and silos in the DC
• Network virtualisation is the way ahead
  – Rapid and flexible deployment
  – More in line with the other silos of the DC
  – Network to support applications
• Maintaining
  – Functionality
  – Security
  – Efficiency and cost

Application Language Barriers

• Developers speak in
  – Application tiers
  – Provider / consumer relationships
• Infrastructure teams speak in
  – VLANs
  – Subnets
  – Protocols
  – Ports

Developer and infrastructure teams must translate between disparate languages.

End
