
Deploying ACI: The complete guide to planning, configuring, and managing Application Centric Infrastructure

Book Description

Use ACI fabrics to drive unprecedented value from your data center environment

With the Cisco Application Centric Infrastructure (ACI) software-defined networking platform, you can achieve dramatic improvements in data center performance, redundancy, security, visibility, efficiency, and agility. In Deploying ACI, three leading Cisco experts introduce this breakthrough platform, and walk network professionals through all facets of design, deployment, and operation. The authors demonstrate how ACI changes data center networking, security, and management; and offer multiple field-proven configurations.

Deploying ACI is organized to follow the key decision points associated with implementing data center network fabrics. After a practical introduction to ACI concepts and design, the authors show how to bring your fabric online, integrate virtualization and external connections, and efficiently manage your ACI network.

You’ll master new techniques for improving visibility, control, and availability; managing multitenancy; and seamlessly inserting service devices into application data flows. The authors conclude with expert advice for troubleshooting and automation, helping you deliver data center services with unprecedented efficiency.

  • Understand the problems ACI solves, and how it solves them
  • Design your ACI fabric, build it, and interface with devices to bring it to life
  • Integrate virtualization technologies with your ACI fabric
  • Perform networking within an ACI fabric (and understand how ACI changes data center networking)
  • Connect external networks and devices at Layer 2/Layer 3 levels
  • Coherently manage unified ACI networks with tenants and application policies
  • Migrate to granular policies based on applications and their functions
  • Establish multitenancy, and evolve networking, security, and services to support it
  • Integrate L4–7 services: device types, design scenarios, and implementation
  • Use multisite designs to meet rigorous requirements for redundancy and business continuity
  • Troubleshoot and monitor ACI fabrics
  • Improve operational efficiency through automation and programmability

Table of Contents

  1. Cover Page
  2. Title Page
  3. Copyright Page
  4. About the Author
  5. About the Technical Reviewers
  6. Dedication
  7. Acknowledgments
  8. Contents at a Glance
  9. Contents
  10. Reader Services
  11. Goals and Methods
  12. Who Should Read This Book?
  13. How This Book Is Organized
  14. Introduction
  15. Chapter 1: You’ve Purchased ACI. Now What?
    1. Industry Trends and Transitions
    2. Next-Generation Data Center Concepts
      1. New Application Types
      2. Automation, Orchestration, and Cloud
      3. End-to-End Security
    3. Spine-Leaf Architecture
      1. Existing Infrastructure and ACI (Places in the Network)
    4. ACI Overview
    5. ACI Functional Components
      1. Nexus 9500
      2. Nexus 9300
      3. Application Centric Infrastructure Controllers
    6. Protocols Enabling the ACI Fabric
      1. Data Plane Protocols
      2. Control Plane Protocols
    7. Interacting with ACI
      1. GUI
      2. NX-OS CLI
      3. Open REST API
    8. Introduction to the Policy Model
      1. Application Network Profiles and Endpoint Groups
      2. VRFs and Bridge Domains
    9. Fabric Topologies
      1. Single-Site Model
      2. Multi-Pod Model
      3. Multi-Site Model
    10. Summary
  16. Chapter 2: Building a Fabric
    1. Building a Better Network
      1. Fabric Considerations
        1. Roles of a Leaf
        2. Fixed vs. Modular Spine
        3. Integration Planning and Considerations
        4. Security Considerations
      2. Phased ACI Migration
        1. Network-Centric Mode: Single Tenant
        2. Network-Centric Mode: Multiple Tenant
      3. Evolution to Application-Centric Mode
        1. Microsegmentation
        2. Bare-Metal Workloads
        3. Virtualized Workloads
        4. Containers
    2. Virtual Machine Manager (VMM) Integration
      1. AVS
      2. VMware
      3. Microsoft
      4. OpenStack
    3. Layer 4-7 Services
      1. Managed Mode
      2. Unmanaged Mode
    4. Additional Multisite Configurations
      1. Cisco ACI Stretched Fabric
      2. Cisco ACI Multi-Pod
      3. Cisco ACI Multi-Site
      4. Cisco ACI Dual-Fabric Design
      5. Pervasive Gateway
      6. VMM Considerations
    5. Summary
  17. Chapter 3: Bringing Up a Fabric
    1. Out of the Box
      1. Suggested Services
      2. Management Network
        1. Out-of-Band Network
        2. In-Band Network
      3. What to Expect when You Configure a Controller
        1. Fabric Infrastructure IP Range Recommendations
        2. Fabric Infrastructure VLAN Recommendations
        3. Cluster Size and APIC Controller ID
        4. About High Availability for APIC Cluster
    2. Logging In to the GUI for the First Time
      1. Basic Mode vs. Advanced Mode
        1. System Tab
        2. Tenants Tab
        3. Fabric Tab
        4. VM Networking Tab
        5. L4-L7 Services Tab
        6. Admin Tab
        7. Operations Tab
        8. Apps Tab
      2. Discovering the Fabric
      3. Fabric Extenders
    3. Required Services
      1. Basic Mode Initial Setup
        1. Management Network
        2. NTP
        3. Route Reflectors
        4. VLAN Domains
      2. Advanced Mode Initial Setup
        1. Access Policies
        2. VLAN Pools and Domains
        3. Attachable Access Entity Profiles
        4. Interface Policies
        5. Interface Policy Groups
        6. Interface Profile
        7. Switch Profile
      3. Management Network
      4. Fabric Policies
        1. NTP
        2. Route Reflectors
    4. Managing Software Versions
      1. Firmware Repository
      2. Controller Firmware and Maintenance Policy
        1. Firmware Groups and Policy
        2. Maintenance Group and Maintenance Policy
        3. Using the Scheduler
    5. Configuration Management
      1. Configuration Snapshots
      2. Configuration Backup
    6. Summary
  18. Chapter 4: Integration of Virtualization Technologies with ACI
    1. Why Integrate Cisco ACI with Virtualization Technologies?
    2. Networking for Virtual Machines and Containers
      1. Benefits of Cisco ACI Integration with Virtual Switches
      2. Comparing ACI Integration to Software Network Overlays
      3. Virtual Machine Manager Domains
      4. EPG Segmentation and Micro-Segmentation
      5. Intra-EPG Isolation and Intra-EPG Contracts
      6. Cisco ACI Integration with Virtual Switches in Blade Systems
      7. OpFlex
      8. Deployments over Multiple Data Centers
    3. VMware vSphere
      1. Cisco ACI Coexistence with the vSphere Standard Switch
      2. Cisco ACI Coexistence with the vSphere Distributed Switch
      3. Cisco ACI Integration with the vSphere Distributed Switch
      4. vCenter User Requirements
      5. Micro-Segmentation with the VDS
      6. Blade Servers and VDS Integration
      7. Cisco ACI Integration with Cisco Application Virtual Switch
      8. Cisco AVS Installation
      9. Blade Servers and AVS Integration
      10. Distributed Firewall
      11. Virtual Network Designs with VDS and AVS
      12. Cisco ACI Plug-in for vSphere vCenter Server: Configuring ACI from vCenter
      13. Cisco ACI Coexistence with VMware NSX
    4. Microsoft
      1. Introduction to Microsoft Hyper-V and SCVMM
      2. Preparing for the Integration
      3. Micro-Segmentation
      4. Blade Servers and SCVMM Integration
    5. OpenStack
      1. ML2 and Group-Based Policy
      2. Installing Cisco ACI Integration with OpenStack
      3. Cisco ACI ML2 Plug-in for OpenStack Basic Operations
      4. Cisco ACI ML2 Plug-in for OpenStack Security
      5. Cisco ACI ML2 Plug-in for OpenStack and Network Address Translation
      6. Cisco ACI GBP Plug-in for OpenStack
    6. Docker: Project Contiv
      1. Docker Networking
    7. Kubernetes
      1. Kubernetes Networking Model
      2. Isolation Models
      3. Creating a New EPG for Kubernetes Pods
      4. Assigning a Deployment or a Namespace to an EPG with Annotations
      5. Visibility in ACI for Kubernetes Objects
    8. Public Cloud Integration
    9. Summary
  19. Chapter 5: Introduction to Networking with ACI
    1. Exploring Networking in ACI
      1. Groups and Contracts
        1. Contracts Are ACLs Without IP Addresses
        2. Filters and Subjects
        3. Concept of Direction in Contracts
        4. Understanding the Bidirectional and Reverse Filter Options
        5. Configuring a Single Contract Between EPGs
        6. Using vzAny
        7. Contract Scope
        8. Contracts and Filters in the Common Tenant
      2. VRFs and Bridge Domains
        1. VRF Design Considerations
        2. Bridge Domain Design Considerations
        3. VRFs and Bridge Domains in the Common Tenant
        4. VRFs in the Common Tenant and Bridge Domains in User Tenants
        5. Layer 3 External Connection in the Common Tenant with VRFs and Bridge Domains in User Tenants
        6. Ingress Versus Egress Filtering Design Recommendations
      3. Connecting External Networks to the Fabric
        1. L2 Connections
        2. Basic Mode GUI
        3. Advanced Mode Access Policies
    2. Network-Centric VLAN=BD=EPG
      1. Applying Policy to Physical and Virtual Workloads
      2. Moving Devices to the Fabric, VLAN by VLAN
      3. Unenforced vs. Enforced VRF
      4. L3 Connections to the Core
        1. Layer 3 Out and External Routed Networks
        2. L3 Out Simplified Object Model
        3. Border Leafs
      5. Migrating the Default Gateway to the Fabric
    3. Summary
  20. Chapter 6: External Routing with ACI
    1. Layer 3 Physical Connectivity Considerations
      1. Routed Ports Versus Switched Virtual Interfaces
      2. Outside Bridge Domains
      3. Bidirectional Forwarding Detection
      4. Access Port
      5. Port Channel
      6. Virtual Port Channel
      7. Gateway Resiliency with L3 Out
      8. Hot Standby Routing Protocol
    2. Routing Protocols
      1. Static Routing
      2. Enhanced Interior Gateway Routing Protocol
      3. Open Shortest Path First
        1. OSPF Summarization
      4. Border Gateway Protocol
        1. BGP Route Profile
        2. Outbound BGP Policy
        3. BGP Protocol Statistics
    3. External Endpoint Groups and Contracts
      1. External Endpoint Groups
      2. Contracts Between L3 Out EPGs and Internal EPGs
    4. Multitenant Routing Consideration
      1. Shared Layer 3 Outside Connection
      2. Transit Routing
        1. Supported Combinations for Transit Routing
        2. Loop Prevention in Transit Routing Scenarios
      3. WAN Integration
      4. Design Recommendations for Multitenant External Layer 3 Connectivity
      5. Quality of Service
        1. User-Defined Classes
        2. Reserved Classes
        3. Classification and Marking
    5. Multicast
      1. Multicast Best-Practice Recommendations
        1. Scenario 1: Leaf Switches Not Based on Cisco Nexus EX Platform
        2. Scenario 2: Leaf Switches Based on Cisco Nexus EX Platform
        3. Scenario 3: Hybrid Fabric with Leaf Switches Both Based on and Not Based on Cisco Nexus EX Platform
      2. Multicast Configuration Overview
        1. Minimum Multicast Configuration: PIM-ASM
        2. Minimum Multicast Configuration: PIM-SSM
    6. Summary
  21. Chapter 7: How Life Is Different with ACI
    1. Managing Fabrics versus Managing Devices
      1. Centralized CLI
      2. System Dashboard
      3. Tenant Dashboards
      4. Health Scores
      5. Physical and Logical Objects
      6. Network Policies
        1. Fabric-wide Policies
        2. Comparing the ACI Controller to Traditional Network Management Systems
        3. Troubleshooting the Deployment of Global Policies
        4. Configuring Multiple Ports at the Same Time
    2. Maintaining the Network
      1. Fault Management
        1. Faults Across the Network
        2. Fault Lifecycle
        3. Immediate Fault Reporting for Change Validation
      2. Configuration Management
        1. Evaluating Change Impact
        2. Configuration Zones: Running Changes Gradually
        3. Centralized Change Description
        4. Atomicity of Network Changes
        5. Configuration Snapshots
        6. Network Audit Trails
      3. Upgrading the Software
    3. Breaking the Shackles of IP Design
      1. Access Control Lists Without IP Addresses
      2. QoS Rules Without IP Addresses
      3. QoS Rules Without TCP or UDP Ports
    4. Physical Network Topology
      1. ACI as a Clos Fabric and Design Implications
        1. Connecting Endpoints to Leaf Switches
        2. Scaling an ACI Fabric Means Adding More Leaf Switches
      2. Fabric Topology and Links
      3. Individual Device View
      4. Port View
    5. Changing the Network Consumption Model
    6. Summary
  22. Chapter 8: Moving to Application-Centric Networking
    1. “Network-Centric” Deployments
      1. Removing Packet Filtering in Network-Centric Deployments
      2. Increasing Per-Leaf VLAN Scalability
      3. Looking at the Configuration of a Network-Centric Design
    2. “Application-Centric” Deployment: Security Use Case
      1. Whitelist vs. Blacklist Models
      2. Enforced vs. Unenforced: ACI Without Contracts
      3. Endpoint Groups as a Zone-Based Firewall
        1. Dynamic EPG Relationships: Micro-Segmentation EPGs
        2. Multiple EPGs in the Same Subnet
      4. Contract Security Model
        1. Inter-EPG Communication
        2. Contract Scope
        3. Contract Subject Settings
        4. Filter Settings
        5. Contract Subject Labels
        6. Contract Inheritance
      5. Stateful Firewalling with Cisco Application Virtual Switch
      6. Intra-EPG Communication
      7. Any EPG
      8. Contract Definition Best Practices to Efficiently Use Resources
    3. “Application-Centric” Deployment: Operations Use Case
      1. Application-Centric Monitoring
      2. Quality of Service
        1. Impact Analysis
        2. Asset Allocation
    4. Migrating to an Application-Centric Model
      1. Disable Bridge Domain Legacy Mode
      2. Disable VRF Unenforced Mode
      3. Create New Application Profiles and EPGs
      4. Move Endpoints to the New EPGs
      5. Fine-Tune Security Rules
    5. How to Discover Application Dependencies
      1. Focus on New Applications
      2. Migrate Existing Applications
        1. Legacy Application Dependency Mapping
        2. Cisco Tetration Analytics
    6. Summary
  23. Chapter 9: Multi-Tenancy
    1. The Need for Network Multi-Tenancy
      1. Data-Plane Multi-Tenancy
      2. Management Multi-Tenancy
    2. Multi-Tenancy in Cisco ACI
      1. Security Domains
      2. Role-Based Access Control
      3. Physical Domains
      4. Logical Bandwidth Protection Through Quality of Service
      5. What Is a Tenant? What Is an Application?
        1. Logical Separation for Lines of Business
        2. Logical Separation for Security or Compliance
    3. Moving Resources to Tenants
      1. Creating the Logical Tenant Structure
      2. Implementing Management Multi-Tenancy
        1. Moving EPGs and Contracts
        2. Exporting and Importing Contracts for Inter-Tenant Communication
      3. Implementing Data-Plane Multi-Tenancy
      4. When to Use Dedicated or Shared VRFs
      5. Multi-Tenant Scalability
    4. External Connectivity
      1. Shared External Network for Multiple Tenants
    5. Inter-Tenant Connectivity
      1. Inter-VRF External Connectivity
      2. Inter-VRF Internal Connectivity (Route Leaking)
    6. L4-7 Services Integration
      1. Exporting L4-7 Devices
      2. Multi-Context L4-7 Devices
    7. Use Cases for Multi-Tenancy Connectivity
      1. ACI as Legacy Network
      2. Granting Network Visibility to Other Departments
      3. Network Shared Across Organizations with Shared Services
      4. External Firewall Interconnecting Multiple Security Zones
      5. Service Provider
    8. Summary
  24. Chapter 10: Integrating L4-7 Services
    1. Inserting Services
      1. How We Do It Today
      2. Managed vs. Unmanaged
      3. Ecosystem Partners
      4. Management Model
      5. Functional Profiles
    2. Security for All Hosts
      1. Building an End-to-End Security Solution
      2. Integrating Firewalls
        1. Service Node Failover
        2. Deploying Clustering for Physical Appliances (Cisco ASA Cluster)
        3. Virtual versus Physical
      3. Integrating Security Monitoring
      4. Integrating Intrusion Prevention Systems
        1. Copy Service
      5. Integrating Server Load Balancing and ADC
      6. Two-node Service Graph Designs
    3. Summary
  25. Chapter 11: Multi-Site Designs
    1. Bringing Up a Second Site
      1. Stretched Fabric Design
        1. Site-to-Site Connectivity Options
        2. Stretched ACI Fabric Preserves VM Mobility
        3. Loss of a Single APIC
        4. Split Fabric
        5. Standby APIC
      2. Multiple-Fabric Design
        1. Cisco Data Center Interconnect
        2. Transit Leaf and L3 Out Considerations
        3. DCI or Inter-Pod Network Considerations
        4. Multiple Fabric Connectivity Options
    2. Multi-Pod Architecture
      1. ACI Multi-Pod Use Cases and Supported Topologies
      2. ACI Multi-Pod Scalability Considerations
      3. Inter-Pod Connectivity Deployment Considerations
      4. IPN Control Plane
      5. IPN Multicast Support
      6. Spines and IPN Connectivity Considerations
      7. Pod Auto-Provisioning
      8. APIC Cluster Deployment Considerations
      9. Reducing the Impact of Configuration Errors with Configuration Zones
      10. Migration Strategies
    3. Multi-Site Architecture
      1. APIC Versus Multi-Site Controller Functionalities
      2. Multi-Site Schema and Templates
      3. Multi-Site Use Cases
        1. Stretched Bridge Domain with Layer 2 Broadcast Extension (Option 3)
        2. Stretched Bridge Domain with No Layer 2 Broadcast Extension (Option 2)
        3. Stretched EPG Across Sites (Option 1.1)
        4. Stretched VRF with Inter-Site Contracts (Option 1.2)
        5. Shared Services with Stretched Provider EPG
      4. Multi-Site and L3 Out Considerations
      5. Layer 3 Multicast Deployment Options
      6. Migration of Cisco ACI Fabric to Cisco ACI Multi-Site
    4. Summary
  26. Chapter 12: Troubleshooting and Monitoring
    1. You Have a Poor Health Score. Now What?
    2. NX-OS CLI
      1. Connecting to the Leaf Switches
      2. Linux Commands
      3. Mapping Local Objects to Global Objects
        1. VLAN IDs
        2. Legacy Mode
        3. Port Channels
      4. Some Useful Leaf Commands
      5. ping
    3. Troubleshooting Physical Issues
      1. Troubleshooting Cabling
      2. Troubleshooting Switch Outages
      3. Replacing a Fabric Switch
      4. Troubleshooting Contracts
    4. Troubleshooting Tools in ACI
      1. Hardware Diagnostics
      2. Dropped Packets: Counter Synchronization
      3. Atomic Counters
      4. Traffic Mirroring: SPAN and Copy Services
        1. SPAN Destination Groups
        2. ERSPAN Types
        3. SPAN Source Groups
        4. Cisco ACI Scalability for SPAN Sessions
        5. Nexus Data Broker
      5. Troubleshooting Wizard
        1. Defining the Troubleshooting Session
        2. Faults in the Troubleshooting Wizard
        3. Statistics in the Troubleshooting Wizard
        4. Contract Information in the Troubleshooting Wizard
        5. Events and Audits in the Troubleshooting Wizard
        6. Traceroute in the Troubleshooting Wizard
        7. Atomic Counters in the Troubleshooting Wizard
        8. Configuring SPAN from the Troubleshooting Wizard
      6. Endpoint Tracker
      7. Effectively Using Your Fabric Resources
        1. Using Traffic Map to Find Bandwidth Bottlenecks
        2. Using Capacity Dashboard to Detect Resource Bottlenecks
        3. Using ACI Optimizer to Plan for Changes
    5. Monitoring Policies and Statistics
      1. SNMP Policies
      2. Syslog Policies
      3. Statistics
    6. Third-Party Monitoring Tools with ACI Support
      1. IBM Tivoli Netcool
      2. SevOne
      3. ScienceLogic
      4. Splunk
      5. Zenoss
    7. Summary
  27. Chapter 13: ACI Programmability
    1. Why Network Programmability? Save Money, Make Money!
      1. What Is Wrong with Previous Network Automation Concepts?
        1. SNMP
        2. Network Configuration Protocol and YANG
      2. Programming Interfaces and SDKs
        1. What Is REST?
        2. What Is a Software Development Kit?
    2. Cisco ACI Programming Interfaces
      1. Cisco ACI REST API
        1. REST API Authentication
        2. API Inspector
        3. REST API Clients
        4. Using REST APIs in Programming Languages
      2. Cisco ACI Object Model
        1. Debug Information in the GUI
        2. Visore
        3. moquery
      3. Cisco ACI Software Development Kits
        1. Python SDK: Cobra
        2. Simplified Python SDK: ACI Toolkit
        3. Ruby SDK
        4. PowerShell SDK
      4. Where to Find Automation and Programmability Examples
      5. Developing and Testing Your Code Without an ACI Fabric at Hand
        1. Cisco DevNet
        2. dCloud
        3. Cisco ACI Simulator
    3. Increasing Operational Efficiency Through Network Automation
      1. Offering Visibility to the Network
      2. Externalizing Network Configuration
        1. Externalizing Switch Port Configuration
        2. Externalizing Security Configuration
      3. Horizontal Automation Integrations
        1. Horizontal Integration Examples Embedded in the Product
        2. Horizontal Integration Example Through External Automation
      4. Automating the Generation of Network Documentation
    4. Enabling Additional Business Models Through Network Automation
      1. Agile Application Deployment and DevOps
        1. Continuous Deployment and Continuous Integration
        2. Linux Containers and Microservices Architectures
        3. Configuration Management Tools
      2. Private Cloud and IaaS
        1. Integration with Cisco Enterprise Cloud Suite
        2. Integration with VMware vRealize Suite
        3. Integration with Microsoft Azure Pack and Azure Stack
        4. Integration with OpenStack
      3. Hybrid Cloud
      4. Platform as a Service
        1. ACI Integration with Apprenda
        2. Mantl and Shipped
    5. Cisco ACI App Center
    6. Summary
  28. Index