1. © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco ACI Hands-on Lab
Azeem Suleman - Principal Engineer, Insieme Business Unit
Nadir Lakhani – Systems Engineer, Sales
18th May 2016
In collaboration with
2. Housekeeping notes
Thank you for attending Cisco Connect Toronto 2016. Here are a few housekeeping notes to ensure we all enjoy the session today.
• Please ensure your cellphones / laptops are set to silent so that no one is disturbed during the session
• You should have a laptop or device that can access dCloud for the lab
• Have enough power (and energy) to last for 4 hours
3. Global Traction Across All Market Segments
• 6,000+ Nexus 9K and ACI Customers Globally
• 50+ Ecosystem Partners (new ecosystem)
• 1,400+ ACI Customers
5. Accelerating Convergence Disruptions Through Innovation…
Innovation Timeline (figure): 2005 IP Convergence; 2010 Virtualization; 2014 Application Economy; 2016+ Hybrid Cloud. Layers shown: Data, Voice, Video, Compute, Network, Storage, Application, Network, Scale & Security, Analytics, HyperConvergence, Cloud Scale.
6. Policy-Driven Integrated Infrastructure Answers Customers’ Request
1 Modernize Infrastructure: Open and Programmable (Network / L4-7, Compute, Storage, Security, Data Center)
2 Automate and Simplify (Policy)
3 Build Your Hybrid Cloud (Private Cloud Stack, Integrated Infrastructure)
4 Choose any Other Cloud (Managed, Public, Private)
5 Move Data and Workloads Securely
6 Self-Service Portal (IT as a Service)
7 Extend Policy Model
8 Policy Everywhere
9 Security Everywhere
10 Analytics Everywhere
7. A Generation Ahead: Leapfrogging the Competition
Chart (features and capabilities vs. year, 2012 to 2018): Competition on a 2 Year Dev Cycle (T2 40nm, TH 28nm, Jericho 28nm); Cisco on an 18 Month Dev Cycle (N9K Gen1 ASICs 28nm, N9K Gen2 ASICs 16nm), new switches every 18 months.
8. Next Gen Foundation with 2 Year Advantage
Fabric Wide Cloud Scale and Services, Powered by Cisco
• Cloud Scale Technology: ASIC innovation using 16nm technology
• Cost Advantage: 25G/100G at price of 10/40G
• Investment Protection for the next decade
• Non-blocking Performance
• Pervasive Visibility at Line Rate
• Embedded Security at cloud scale
• Enhanced Fabric Performance
• 50% lower system cost, better reliability, lower power
• Multi-speed ports 100M to 100G
• IP storage, FCoE/FC ready
• 36p 100G line rate with a single chip (25% more)
• Wire rate NetFlow
• 50% faster application completion time
• 8x more network segmentation vs competition
• Cloud scale endpoint density 6-7x
• 12x IPv6 routes
Platforms: Nexus 9200, Nexus 9300EX, Nexus 9500
9. Modular Cloud Scale Platform for Spine/Aggregation
Cloud Economics: Starts at $1,500 US List per 100G Port
Cloud Network Requirements
• Shift to scale-out architectures based on Spine/Leaf routed designs
• Support for workload mobility and dynamic traffic flow optimization
• Granular control and telemetry at tenant and application level
• Automation at scale
Nexus 9500 (Available Now): Build for generations
• Best Price-Performance Available Today
• Full Internet Route Table – 1M+
• Up to 512 line rate 100G ports per chassis
• Converged Fabric for IP storage
10. Organizational Transformation with ACI
Ultimate Goal: Achieve Application Agility with Minimal Risk
Policy-driven Framework Across All Elements of the Infrastructure, Private and Public Cloud
Step 1: Network Automation
• Deploy a modern, programmable infrastructure
• Train/upgrade the skillset of your team on programmable APIs
Step 2: Services Automation
• Integrate additional L4-L7 services
Step 3: Application Based Automation
• Deploy applications based on policy templates
11. Application Centric Infrastructure (ACI)
Rapid Deployment of Applications onto Networks with Scale, Security and Full Visibility
ACI: Application Centric Policy Controller, Nexus 9500 and 9300
12. Architecture
Figure labels: Spine Nodes, Leaf Nodes, AVS, EPG “Users”, EPG “Files”, EPG “Internet”, Service Producers, Service Consumers.
13. Application Policy Model and Instantiation
All forwarding in the fabric is managed through the application network profile
• IP addresses are fully portable anywhere within the fabric
• Security and forwarding are fully decoupled from any physical or virtual network attributes
• Devices autonomously update the state of the network based on configured policy requirements
Application policy model: Defines the application requirements (application network profile)
Policy instantiation: Each device dynamically instantiates the required changes based on the policies
Figure labels: Application Client; Web Tier, App Tier, DB Tier (VMs 10.2.4.7, 10.9.3.37, 10.32.3.7); Storage
14. Access Methodology
• CLI (Command-line interface): a means of interacting with a computer program where the user issues commands to the program as successive lines of text (command lines)
• GUI (Graphical user interface): an interface that allows users to interact with devices through graphical icons and visuals
• Programmable interface: software components / objects exposed to be called directly by other programs
• Open Source Tool: ACI Toolkit – Configuration Roll Back, Endpoint Tracker and other applications
15. ACI Toolkit
• Simple toolkit built on top of the APIC API
• Set of simple Python classes: a Python library used to generate REST API calls; runs locally
• Small number of classes: ~30 currently, with “intuitive” names
• Not full functionality, most common: focused primarily on configuration
• Preserves the ACI basic concepts: Tenants, EPGs, Contracts, etc.
Figure labels: APIC, ACI Toolkit, Linux Commands, NX-OS like CLI, Custom Python Scripts
16. ACI Release Timeline
CY14: A (11.0) Aug’14; 11.0 MR1 Nov’14
CY15: 11.0 MR2 Feb’15; 11.0 MR3 May’15; B (11.1) Jun’15; 11.1 MR1 Aug’15; 11.1 MR2 Sep’15; 11.1 MR3 Nov’15; 11.2 Dec’15
CY16: 11.2 MR1 Feb’16; 11.2 MR2 Q2CY16; Congo Q3CY16
17. Overloaded Network Constructs
Figure: VLANs and Subnets carrying Basic Network, Policy, SLAs and L4-7 Services
Network constructs are overloaded with unintended functionality.
18. Some new (or not so new) terms: Tenants, VRF (Context), Bridge Domains, Application Network Profiles, Endpoint Groups, Contracts/Filters
19. Bridge Domain (BD)
• Unique layer 2 (L2) or layer 3 (L3) forwarding domain
• Can contain one or more subnets (if unicast routing is enabled)
• Each bridge domain must be linked to a context (VRF)
Equivalent Network Construct:
• If a BD is configured as an L2 forwarding domain, it will have one or more associated VLANs, and each VLAN is equivalent to an EPG
• If a BD is configured as an L3 forwarding domain, this is equivalent to an SVI with one or more subnets per BD
NOTE: A BD can span multiple switches
20. Bridge Domain (BD) Modes
L2 Unknown Unicast
• Flood – packet is flooded within a BD
• Hardware Proxy – packet sent only to Proxy Spine
ARP Flooding
• Enabled: ARP packets are flooded in the BD
• Disabled: ARP packets undergo L3 unicast lookup for the Target IP in the VRF; ARP behaves like an L3 unicast packet until it reaches the egress TOR
Unicast Routing
• Enabled: define subnets
• Disabled: no subnets defined
Unknown Multicast Flooding
• Flood: Ingress TOR: flood. Egress TOR: if a router port exists on any BD, flood to FP ports; if transit, send to fabric
• Optimized Flood (up to ~75 BDs per TOR): sent only to Router Ports in the Fabric
21. Object Relationship
Tenant
  Context
    BD: Subnet A, Subnet B
    BD: Subnet C
  Context
    BD: Subnet B, Subnet C
22. End Point Group (EPG)
• Set of host(s) that behave the same
• Behavior is described as all host(s) representing an application or application component, independent of other network constructs
Figure (policy model): EPG - Web, containing HTTP Service and HTTPS Service endpoints
23. Application Network Profile (ANP)
• An Application Network Profile is a group of EPGs and the policies that define the communication between them
Figure (policy model): Application Network Profile = EPG - WEB, EPG - APP, EPG - DB with Inbound/Outbound Policies between them
24. Contracts
• Defines the way in which EPGs interact
• The policy model allows for both unidirectional and bidirectional policies.
Figure: EPG A, EPG B and EPG C joined by Contract 01 and Contract 02 (Unidirectional Communication, Bidirectional Communication)
Ex: ACI Logical Model applied to the “3-Tier App” ANP
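As an added worked example (not code from the deck, from Cisco, or from the ACI Toolkit), the script below builds the REST payload that the toolkit's Python classes generate for the objects discussed on the Bridge Domain, Object Relationship, EPG, ANP and Contract slides: a Tenant with a VRF (Context), two Bridge Domains with the four mode settings from the "BD Modes" table, and a "3-Tier App" Application Network Profile whose Web, App and DB EPGs are connected only by explicit contracts. The managed-object class and attribute names (fvTenant, fvCtx, fvBD, fvAEPg, vzBrCP, pcEnfPref, unkMacUcastAct, and so on) are the APIC object model; the tenant, BD, EPG and contract names, ports and subnets are constructed for the example. The script runs offline and never contacts an APIC: it only builds the JSON and the URL, and then derives from that JSON the whitelist of EPG pairs the fabric would allow, which is the check a reviewer wants before pushing policy.

```python
"""Build the APIC REST payload for a 3-tier ANP and derive its whitelist (example code)."""
import json


def bridge_domain(name, vrf, subnets=(), l2_unknown_unicast="proxy",
                  arp_flood=False, unicast_routing=True, unknown_mcast="flood"):
    """fvBD with the four knobs from the 'Bridge Domain Modes' table.

    l2_unknown_unicast: "flood" (flood within BD) or "proxy" (hardware proxy via spine)
    arp_flood:          True floods ARP in the BD; False routes ARP by L3 lookup in the VRF
    unicast_routing:    True = L3 BD with subnets; False = pure L2 BD, no subnets
    unknown_mcast:      "flood" or "opt-flood" (optimized flood, router ports only)
    """
    assert l2_unknown_unicast in ("flood", "proxy")
    assert unknown_mcast in ("flood", "opt-flood")
    children = [{"fvRsCtx": {"attributes": {"tnFvCtxName": vrf}}}]  # BD -> Context link
    children += [{"fvSubnet": {"attributes": {"ip": s}}} for s in subnets]
    return {"fvBD": {"attributes": {
        "name": name,
        "unkMacUcastAct": l2_unknown_unicast,
        "arpFlood": "yes" if arp_flood else "no",
        "unicastRoute": "yes" if unicast_routing else "no",
        "unkMcastAct": unknown_mcast,
    }, "children": children}}


def tcp_filter(name, port):
    """vzFilter with one vzEntry matching TCP to a single destination port."""
    return {"vzFilter": {"attributes": {"name": name}, "children": [
        {"vzEntry": {"attributes": {"name": f"tcp-{port}", "etherT": "ip", "prot": "tcp",
                                    "dFromPort": str(port), "dToPort": str(port)}}}]}}


def contract(name, filter_names):
    """vzBrCP with a single subject referencing the given filters."""
    return {"vzBrCP": {"attributes": {"name": name}, "children": [
        {"vzSubj": {"attributes": {"name": "subj"}, "children": [
            {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": f}}} for f in filter_names]}}]}}


def epg(name, bd, provides=(), consumes=()):
    """fvAEPg bound to a BD; provides/consumes list contract names."""
    children = [{"fvRsBd": {"attributes": {"tnFvBDName": bd}}}]
    children += [{"fvRsProv": {"attributes": {"tnVzBrCPName": c}}} for c in provides]
    children += [{"fvRsCons": {"attributes": {"tnVzBrCPName": c}}} for c in consumes]
    return {"fvAEPg": {"attributes": {"name": name}, "children": children}}


def three_tier_tenant(tenant="Lab3Tier"):
    """Tenant > Context > BDs > Subnets, plus the '3-Tier App' ANP (constructed names)."""
    vrf = "prod"
    return {"fvTenant": {"attributes": {"name": tenant}, "children": [
        # pcEnfPref=enforced keeps the whitelist model: without a contract, no traffic.
        {"fvCtx": {"attributes": {"name": vrf, "pcEnfPref": "enforced"}}},
        bridge_domain("bd-front", vrf, ["10.1.1.1/24"]),                 # L3 BD, hardware proxy
        bridge_domain("bd-back", vrf, ["10.1.2.1/24"], arp_flood=True),  # L3 BD, ARP flooded
        tcp_filter("app-api", 8080), tcp_filter("mysql", 3306),
        contract("web-to-app", ["app-api"]),
        contract("app-db", ["mysql"]),
        {"fvAp": {"attributes": {"name": "3-Tier-App"}, "children": [
            # Unidirectional: web consumes, app provides (web may initiate to app only).
            epg("web", "bd-front", consumes=["web-to-app"]),
            epg("app", "bd-back", provides=["web-to-app", "app-db"], consumes=["app-db"]),
            # Bidirectional: app and db both provide and consume the same contract.
            epg("db", "bd-back", provides=["app-db"], consumes=["app-db"]),
        ]}},
    ]}}


def allowed_pairs(tenant_mo):
    """Whitelist implied by the model: {(consumer EPG, provider EPG, contract)}."""
    prov, cons = {}, {}
    for child in tenant_mo["fvTenant"]["children"]:
        if "fvAp" not in child:
            continue
        for e in child["fvAp"]["children"]:
            name = e["fvAEPg"]["attributes"]["name"]
            for rel in e["fvAEPg"]["children"]:
                if "fvRsProv" in rel:
                    prov.setdefault(rel["fvRsProv"]["attributes"]["tnVzBrCPName"], set()).add(name)
                if "fvRsCons" in rel:
                    cons.setdefault(rel["fvRsCons"]["attributes"]["tnVzBrCPName"], set()).add(name)
    return {(c, p, k) for k in cons for c in cons[k] for p in prov.get(k, ()) if c != p}


def apic_post(tenant_mo):
    """URL path and JSON body of the POST the toolkit would send after aaaLogin."""
    name = tenant_mo["fvTenant"]["attributes"]["name"]
    return f"/api/mo/uni/tn-{name}.json", json.dumps(tenant_mo)


if __name__ == "__main__":
    model = three_tier_tenant()
    url, body = apic_post(model)
    print(url, len(body), "bytes")
    for c, p, k in sorted(allowed_pairs(model)):
        print(f"{c} -> {p} via {k}")
```

Running it prints the three allowed pairs (web to app, app to db, db to app); web to db is absent because no contract joins them, which is the point of the whitelist model. Note that setting the Context's pcEnfPref to "unenforced" would let every EPG in the VRF talk regardless of contracts, so that attribute is worth checking in any payload before it is pushed.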
25. Congo Release – 2.x Execute Committed, Target Q3 CY 2016
Infrastructure Virtualization, Operations
• Multi-PoD
• WAN Integration (GOLF)
• VXLAN EVPN BGP (iBGP and eBGP) for IPv4 and IPv6
• OpFlex Push to N7K, ASR9K
• QSA Support on -EX Spine/Leaf
• FCoE NPV, PFC (802.1Qbb)
Routing & Switching
• PBR and Policy Based Service Insertion
• Symmetric Multipath Load Balancing & Redirection
• Mcast Routing PIM Support (PIM-SM/SSM/Bidir) on -EX HW
• ACI vCenter Plugin
• Multiple vCenter per fabric (50)
• AVS
• vRealize
• VEM Commands from APIC
• EPG health score
• WAP 2.0 + Service Chaining
• OpenStack ‘Liberty’ Support
• Hierarchical VLANs
• VMware Hypervisor integration
• GBP + ML2 Unified Plugin
Routing & Switching
• OSPF in-bound area filtering
• BGP limit maximum AS (maxas-limit)
• 64 way ECMP
Visibility and Analytics
• Analytics support on -EX HW
• Copy Service
Security
• Permit logging
Hardware
• DC48V Support (Fixed and Modular Spine)
• DOM on ACI Mode
26. ACI Multi-Pod Solution: Overview
• Multiple ACI Pods connected by an IP Inter-Pod L3 network; each Pod consists of leaf and spine nodes
• Managed by a single APIC Cluster
• Single Management and Policy Domain
• Forwarding control plane (IS-IS, COOP) fault isolation
• Data Plane VXLAN encapsulation between Pods
• End-to-end policy enforcement
Figure: Pod ‘A’ … Pod ‘n’ (IS-IS, COOP, MP-BGP inside each Pod), Inter-Pod Network running MP-BGP - EVPN, Single APIC Cluster
27. ACI Multi-Pod Solution: Use Cases
• Handling 3-tier physical cabling layout: cabling constraints (multiple buildings, campus, metro) require a second tier of “spines”
• Preferred option when compared to ToR FEX deployment
• Evolution of the Stretched Fabric design: Metro Area (dark fiber, DWDM), L3 core, >2 interconnected sites
Figure: ACI Fabrics ‘A’, ‘B’, ‘C’, ‘D’ and ‘E’ connected over Inter-POD and WAN/DCI
28. ACI Integration with WAN at Scale: ‘Project GOLF’ Overview
• Addresses both control plane and data plane scale
• VXLAN data plane between ACI spines and WAN Routers
• BGP-EVPN control plane between ACI spines and WAN routers
• OpFlex for exchanging config parameters (VRF names, BGP Route-Targets, etc.)
• Consistent policy enforcement on ACI leaf nodes (for both ingress and egress directions)
‘GOLF’ Router support (Q3CY16): Nexus 7000, ASR9000 and ASR1000 (not yet committed)
29. ACI Integration with WAN at Scale: Supported Topologies
30. New Automation: Cisco Nexus Fabric Manager
Single Point, Fabric-Wide Management
• Build and self-manage VXLAN-based fabric
• Fully deploy in three steps
• Zero-touch provisioning
• Dynamically configure switches
• Simplify management with point-and-click user interface
Fabric Management Lifecycle (NFM): Creation, Expansion, Connection, Fault Mgmt, Reporting, Automate
31. Traditional Script-Based Approaches
• Hard-Wired
• Workflow
• Custom Scripting
• Rigid
• Change PaaS ?...
• Breaks System
• Re-Scripting Required
• Change Cloud ?...
• Breaks System
• Re-Scripting Required
32. CliQr CloudCenter: Any App, Any Cloud, One Platform
Figure labels: Private Clouds, Datacenters, Public Clouds; Model, Deploy, Manage; Profile; NFS
33. Working Together: End-to-End Orchestration
Business (ITSM): Prime Service Catalog, ServiceNow, Custom
Development (DevOps): CliQr, Jenkins
Application-Centric Lifecycle Management: Model, Benchmark, Deploy, Manage (Application Profiles)
Figure labels: UCS Director, ACI, Nexus Switching, Storage, UCS, Hyper-V; Datacenter, Private Cloud, Public Cloud; Profile
34. How to access lab
URL: http://dcloud.cisco.com/
Username: CiscoLiveStudent1 – 24
Password: C1sc0123live
Editor's notes
Explosive growth in applications – IoT, customer-facing, mobile and more…
At the same time, huge diversification in infrastructure choices – data centers, private clouds, public clouds
Complexity is forcing customers to realize that the OLD way of forcing apps to conform to different infrastructure environments and clouds JUST DOESN’T SCALE
There needs to be a NEW WAY – A WAY TO GET THE INFRASTRUCTURE TO WORK FOR THE APPS, NOT THE OTHER WAY AROUND
THERE NEEDS TO BE A WAY TO CAPTURE THE APPLICATION PROFILE ONCE AND ALLOW IT TO MOVE TO AND BE MANAGED ON ANY DATA CENTER, PRIVATE OR PUBLIC CLOUD
THIS IS WHAT CLIQR PROVIDES
ONE SIMPLE APPLICATION PROFILE ENABLES CUSTOMERS TO MANAGE THE ENTIRE LIFECYCLE OF ANY APP ON AND BETWEEN ANY ENVIRONMENT
SIMPLE, SECURE, PORTABLE, MANAGEABLE – NO LOCK-IN
WE LISTEN TO OUR CUSTOMERS
IMAGINE GRAPHICALLY CREATING A SIMPLE APP PROFILE
WITH A CLICK – AUTOMATE THE PROVISIONING OF ALL INFRASTRUCTURE: COMPUTE, STORAGE AND ACI NETWORK
…AND AUTOMATE THE DEPLOYMENT OF THE ENTIRE APP STACK
ALL IN A CLICK
ONE APP PROFILE, PORTABLE AND MANAGEABLE ACROSS ANY ENVIRONMENT