Real World ACI Deployment and Migration Kannan Ponnuswamy, Solutions Architect BRKACI-2601

Transcription

1

2 Real World ACI Deployment and Migration Kannan Ponnuswamy, Solutions Architect BRKACI-2601

3 Icons and Terms APIC Application Policy Infrastructure Controller (APIC) Cisco Nexus 9500 Cisco Nexus 9300 Nexus 7000 Nexus 5000 Nexus 2000 / FEX Nexus 1000 Router Load Balancer Firewall Storage Virtual Machine VMware vcenter

4 Agenda Application Centric Infrastructure (ACI) Overview ACI Design Parameters Building an Application Profile Real World ACI Adoption and Migration Network Centric Hybrid Approach Application Centric

5 Nexus 9000 Series Network Ops Driven, Switch Automation User Driven, Policy Based Fabric Automation Per-Box Programmability Open, Flexible, & Choice of Programmability Modes Policy Controller, Centralized Fabric Programmability NX-API 1/10/40/100GE Common Platform APIC

6 Policy Driven Merchant+ ACI Overview External Network POLICY WEB POLICY APP POLICY DB Application Virtualization APIC Networking Physical HYPERVISOR HYPERVISOR HYPERVISOR

7 Agenda Application Centric Infrastructure (ACI) Overview ACI Design Parameters Building an Application Profile Real World ACI Adoption and Migration Network Centric Hybrid Approach Application Centric

8 ACI Fabric Initialization ACI Fabric supports discovery, boot, inventory and systems maintenance processes via the APIC Fabric Discovery and Addressing: Fabric Discovery is through LLDP and is done automatically and progresses as administrator registers the switches to join the fabric. Once a switch is registered, its LLDP neighbors are now visible for the admin to approve for them to join the fabric. Commissioning, Decommissioning, Image Management Lifecycle management of switches Topology validation through wiring diagram and systems checks ACI Fabric APIC APIC APIC

9 ACI Forwarding Model Tenant VRF_Context_One Bridge Domain One EPG_1 VRF_Context_N EPG1A /16 Bridge Domain One / /16 Bridge Domain N EPG_N EPGNA Non-IP, L2 forwarding only EPG_Legacy A Tenant may be referred to by one or more VRFs/Contexts A Context/VRF is referred to by one or more Bridge Domains (BD) Bridge Domains identify properties influencing forwarding behavior. One or more subnets, ARP handling, Multicast etc. A collection of end-points form an end-point group(epg). EPG associates to a BD. EndPoint Groups Identified by: Physical or Virtual Switch ports, VLAN ID, VNID Future - NVGRE (VSID), DNS hostname, IP address

10 L3 Sub-Interfaces Key concept to understand In the following valid topology, N9KA L3 sub-interface is treating 802.1Q as just a tag to identify the L3 IP interface, while on the N9KB side, the tags correspond to the L2 VLANs. Interface e1/1.10 ip /24 encapsulation dot1q 10! Interface e1/1.20 ip /24 encapsulation dot1q 20 Nexus 9KA L Q L Q Nexus 9KB Vlan 10 name l2 vlan 10! Vlan 20 name l2 vlan 20! Interface e1/1 switchport mode trunk switchport trunk allowed vlan 10,20

11 L3 Sub-Interfaces Key concept to understand Vlan10! Interface vlan10 ip address /24! Interface e1/1 switchport mode trunk switchport trunk allowed vlan 10 Nexus 9KA L Q L Q Vlan 10! Interface vlan10 ip address /24! Interface e1/1 switchport mode trunk switchport trunk allowed vlan 10 Nexus 9KB Interface e1/2.10 ip /30 encapsulation dot1q 10 Interface e1/2.10 ip /30 encapsulation dot1q 10 When configuring L3 Sub-interfaces on a Nexus Switch, The 802.1Q tag is local to the interface and has no relevance to a VLAN with same number on the same switch. Eventhough L3 subinterface uses 802.1Q, the 802.1q tag determines the IP L3 interface and not the L2 vlan.

12 EPG identification example vlan101 VM1...VM10 ACI Fabric Leaf Bridge Domain /24 EPG1 EPG2 EPG3 EPG4 vlan101 vlan102 vlan103 ESXi Host w/vswitch vlan102 vlan103 vlan104 vlan104 VM31..VM40 VLANs outside the ACI Fabric, map to EPGs inside the fabric EPGs then map to a BD where the gateway addresses are defined Policies are applied to let the VMs communicate VM11..VM20 VM21..VM30

13 Cisco ACI Hypervisor Integration VMWare DVS APIC 5 Create Application Policy F/W Application Network Profile EPG WEB L/B EPGAPP EPG DB APIC Admin 9 Push Policy ACI Fabric 1 Cisco APIC and VMware vcenter Initial Handshake 6 Automatically Map EPG To Port Groups 4 Learn location of ESX Host through LLDP 2 Create VDS VIRTUAL DISTRIBUTED SWITCH VI/Server Admin vcenter Server 8 Instantiate VMs, Assign to Port Groups 7 3 Create Port Groups Attach Hypervisor to VDS WEB PORT GROUP APP PORT GROUP DB PORT GROUP Web App HYPERVISOR DB Web Web HYPERVISOR DB

14 ACI Policy Model C Contracts define what an EPG exposes to other app tiers and how EPG MGMT C Tenant Application Profile C EPG Web C EPG App C EPG DB C EPG NFS Contracts are reusable for multiple EPGs and EPGs can inherit multiple contracts

15 ACI Policy Model What is a Contract C filter action Allows to specify rules and policies on groups of physical or virtual end-points without understanding of specific identifiers and regardless of physical location. filter identifier to which actions filter will be applied L4 port ranges TCP options filter action identifies actions to be applied action Permit QoS Log Redirect to Services action defined bi-directionally in the provider centric way

16 Agenda Application Centric Infrastructure (ACI) Overview ACI Design Parameters Building an Application Profile Real World ACI Adoption and Migration Network Centric Hybrid Approach Application Centric

17 Building the Application Profile Oracle Internet Expenses

18 Application Profile - iexpenses Other Applications: Payroll, .. Intranet Border Leaf TCP: *,443 C C C Active Directory

19 iexpenses Application Profile C Intranet Border Leaf C C Expenses EPG C Extranet Border Leaf C Oracle RAC DB

20 Agenda Application Centric Infrastructure (ACI) Overview ACI Design Parameters Building an Application Profile Real World ACI Adoption and Migration Network Centric Hybrid Approach Application Centric

21 Migration Paths to ACI Classic mode Growth Addition Network refresh Current DC Infrastructure ACI Integration New environments Service Chaining Dev, Test ACI Migration Business drivers Security, Compliance, TCO, Programmability, Operations etc. ACI Fabric

22 ACI Migration Methodology Deployment Design and deploy new ACI POD Integration Connecting ACI to your current infrastructure Migration Migrate workloads to use new ACI POD

23 ACI Adoption Strategies ACI Fabric Model = New OPERATIONS Model + DESIGN Model Leverage Known APPLICATIONS Constructs (decoupled from Network) Leverage Known NETWORKING Constructs OPERATIONS DESIGN HYBRID: Leverage BOTH APPLICATIONS & NETWORKING Centric Constructs OPERATIONS DESIGN OPERATIONS DESIGN ACI Fabric New ACI Fabric Operational Model

24 Agenda Application Centric Infrastructure (ACI) Overview ACI Design Parameters Building an Application Profile Real World ACI Adoption and Migration Network Centric Hybrid Approach Application Centric

25 / / / /30 Network Centric Deployment example 1 VRF + 1 VLAN Classic mode shown here for Reference ACI Fabric APIC Blue Tenant and Context Policies /24.3 VRF Blue Routing VLAN 10 HSRP Access List QoS etc..101 Bridge Domain Blue_ /24 EPG blue_1 External EPG Exchange Routes (Blue).101 VLAN Access or Virtual Switch Tag Tag could be VLAN ID or VNID

26 / / / /30 Network Centric Deployment Example 1 VRF + 2 VLANs Option 1 Classic mode shown here for Reference ACI Fabric APIC Vlan 10,11 Blue Tenant and Context BD Blue_1 ( /24) EPG blue_1 BD Blue_2 ( /24) EPG blue_2 Policies External EPG Exchange Routes (Blue) VLAN 10 ( /24) VLAN 11 ( /24) Access or Virtual Switch Tag 2101 Tag 2102

27 / / / /30 Network Centric Deployment Example 1 VRF + 2 VLANs FW is the Def. GW Classic mode shown here for Reference ACI Fabric APIC Vlan 10,11 Blue Tenant and Context BD Blue_1 EPG blue_1 BD Blue_2 EPG blue_2 External EPG Exchange Routes (Blue) VLAN 10 ( /24) VLAN 11 ( /24) Tag 2101 Classic Access Tag 2102

28 Network Centric Configuration

29 Configuring ACI Forwarding Unicast Routing: Enable both L3 and L2 Forwarding (IP or MAC address). Enabled by default. L2 Unknown Unicast: forwarding method for unknown layer 2 destinations. The method can be flood or proxy (default) ARP Flooding: Specifies whether ARP flooding is enabled. If flooding is disabled, unicast routing will be performed on the target IP address. Can be on or off (default) Traditional VLAN ACI Innovations

30 / / / /30 Network Centric Deployment Example 1 VRF + 2 VLANs Option 2 Classic mode shown here for Reference What if different policies between two groups mandated separate VLANs in Classic Networks. 1. Policies are based on EPG 2. Forwarding is based on BD attributes APIC ACI Fabric Vlan 10,11 Blue Tenant and Context EPG blue_1 BD Blue_ / /24 X EPG blue_2 Policies External EPG Exchange Routes (Blue) Classic Access VLAN 10 ( /24) Tag 2101 Tag 2102 VLAN 11 ( /24)

31 / / / /30 Network Centric Deployment Example 1 VRF + 2 VLANs Option 3 Classic mode shown here for Reference Hardware based directed ARP forwarding ACI Fabric What if two VLANs was only due to ARP broadcast concerns. APIC Vlan 10,11 Blue Tenant and Context BD Blue_ / /24 EPG blue_1 Policies External EPG Exchange Routes (Blue) Classic Access VLAN 10 ( /24) Tag 2101 VLAN 11 ( /24)

32 Network Centric - ACI Deployment as a L2 Fabric

33 ACI as a Layer 2 Fabric (L2Context, BD200, EPG200), No IP Def. GW, No Contracts Vlan-200 Maps to EPG / /24 VM VMOne_on_EPG200 on Host1 DVS VM VMTwo_on_EPG200 on Host2 DVS N7K1 Def. GW: ,.2,.3 vpc, SVI200 N7K2

34 Extending current infrastructure with Layer 2 ACI Fabric Internet WAN / DCI vpc/stp based Current Infrastructure L3 L2 N7K N7K ACI L2 Fabric N9K N9K APIC N9300 N9300 N9300 N9300 N9300 N9300 N9300 N9300 V Integrated L4-L7 Services Physical & Virtual

35 Layer 2 Fabric STP Containment Tenant(TraditionalDC) Context(CtxtForL2VLANs) BridgeDomain(BD202) EPG(EPG202, EPG1202) If Context is in enforced mode, Contracts are needed to communicate between EPG202 and 1202 even though they are on same Subnet. TraditionalDC(Tenant) EPG1202 BD202 ; No IP Addr CtxtForL2VLANs (Context) EPG 202 (or L2 Out) VLAN 502 VLAN 102 VLAN /24 DVS VM VMOne_on_EPG1202 on Host1 DVS /24 vswitch1 VM VMTwo_on_EPG1202 on Host2 DVS N7K ,.2,.3 vpc, SVI202 N7K2 STP BPDUs from the N7Ks are limited to EPG202 and does not unnecessarily flood into the fabric and EPG1202.

36 Layer 2 ACI Fabric with External GW Internet WAN / DCI L3 L2 N7K N7K ACI L2 Fabric Spine APIC N9K N9K Leaf N9300 N9300 N9300 N9300 N9300 N9300 N9300 N9300 Integrated L4-L7 Services Physical & Virtual

37 ACI as L2 Fabric With Services Three-Tiered Applications: Load Balancer as gateway non-automated insertion GW LB Context 1 (Routed Mode) GW GW Firewall Context 1 (Routed Mode) ASR 9000 VLAN A VLAN B VLAN C VLAN D OSPF / ibgp / Static VLAN D VLAN E OSPF / ibgp VLAN E EPG Web1 EPG App EPG DB EPG LB_Out EPG LB_Out EPG FW_Out EPG FW_Out No contract necessary for host to LB communication BD Web BD App BD DB BD LB_out BD FW_out EPG Web EPG App EPG DB ACI Fabric Bridge Domain Settings (all BDs): ARP Flooding: enabled Unicast Routing: disabled L2 Unknown Unicast: flood Web Server App Server DB Server

38 Layer 2 ACI Fabric (BD One, EPG One), No IP Def. GW, No Contracts (BD Two, EPG Two), No IP Def. GW, No Contracts. (BD 3500, EPG 3500), No IP Def. GW, No Contracts How? 1 BD and 1EPG per Current Infrastructure VLAN Also available is BD in legacy mode which preserves VLAN resources to allow for 3500 BDs per Leaf. Who are deploying? Customers who want to slowly introduce ACI NFV or Virtual Overlay Use Case Benefits: Network Operations, Network Automation Any VLAN, Any Workload, Any Where Network Capacity and Bandwidth

39 Network Centric - ACI Deployment as a L3 Fabric

40 ACI as a Layer 3 Fabric SubnetOne (BD) Def GW ZoneOne (EPG) CtxtForL3VLANs (Context) VLAN 234 VXLAN VLAN 2100 DVS AVS ESX Host 1 vswitch1 DVS AVS ESX Host 2 vswitch /24 VM VMOne_on_ZoneOne /24 VM VMTwo_on_ZoneOne VM /24 VMThree_on_ZoneOne

41 Layer 3 Fabric: PXE Booting Aggregation Spines dhcp relay APIC Access Leafs LACP Individual State LACP Individual State DHCP, PXE Server Traditional Nexus Infrastructure [no] lacp suspend-individual: LACP sets a port to the individual (I) state if it does not receive an LACP protocol data unit (PDU) from the peer DHCP, PXE Server ACI Fabric Disable LACP suspend-individual Set Untagged packets to belong to dedicated BD Set the BD dhcp relay to point to PXE/DHCP Server DHCP Option 82 support

42 Multi-Tenancy with services ACI Fabric RegularSoda (BD) EPGAppOne VLAN VXLAN DietSoda (BD) EPGAppOne VLAN VXLAN DVS AVS External Stateful Firewall DVS AVS /24 VM VMOne_on_ RegSodaAppOne VM /24 VMTwo_on_ RegSodaAppOne Tenant RegularSoda /24 VM VMOne_on_ DietSodaAppOne Tenant DietSoda VM /24 VMTwo_on_ DietSodaAppOne

43 Multi-Tenancy: shared external routes example Internet Routes , N7K1 N7K2 ACI Fabric: Tenant Common PubForRegularSoda (BD) EPGWebOne VLAN VXLAN OSPF and ibgp Over VLAN 300 C C PubForDietSoda (BD) SharedContext (Context) VLAN EPGWebOne VXLAN DVS AVS DVS AVS /24 VM VMOne_on_ RegSodaWebOne VM Tenant RegularSoda /24 VMTwo_on_ RegSodaWebOne /24 VM VMOne_on_ DietSodaWebOne VM /24 VMTwo_on_ DietSodaWebOne Tenant DietSoda

44 Layer 3 ACI Fabric (BD One, EPG One), IP Def. GW, Optional Contracts (BD Two, EPG Two), IP Def. GW, Optional Contracts. (BD 1750, EPG 1750), IP Def. GW, Optional Contracts How? 1 BD and 1EPG per Current Infrastructure VLAN Fabric as default gateway with or without policy enforcement. Who are deploying? Customers who want basic L3 ACI Features, and adopt ACI Fabric as a single DC switching system Benefits: Pervasive Gateway, Directed ARP and other features Network Operations, Network Automation Any VLAN, Any Workload, Any Where Network Capacity and Bandwidth

45 Network Centric ACI Migration

46 Network Centric Migration Example VRF + 2 VLANs / /30 Layer 3 Routing Static, OSPF, BGP APIC Vlan 10,11 Migration Layer 2 vpc Trunk Blue Tenant and Context L2_ Out BD Blue_1 EPG blue_1 BD Blue_ /24 EPG blue_2 Policies L2_ Out L3Out.101 VLAN 10 ( /24) VLAN 11 ( /24).102 STP compatibility with Classic Network VLAN 10 maps to BD Blue_1 VLAN 11 maps to BD Blue_2 Classic Devices are still the Default Gateway Equally applicable to L4-7 services (FW/LB) in the Classic Network Flooding enabled on ACI BDs during migration Once migration completed, insert needed services and move Default Gateway ACI BDs Access Tag 2101 Tag 2102 Tag could be VLAN ID or VNID.

47 ACI Integration and Migration Forwarding Flow ACI Fabric L3 L2 Default Gateway moves to ACI Leaf layer EPG = VLAN / Subnet (initial step) Host / FEX can migrate to Leaf (overtime) Migration Path 10G/40G to ACI Layer 3 Layer 2-1GE Layer 2-10GE 10 GE DCB 10 GE FCoE/DCB 4/8 Gb FC

48 Nexus 9000 Migration from Standalone to ACI mode

49 Nexus 9000 Standalone to ACI mode migration non vpc L2 and L3 Connectivity Aggregation Spines APIC Load ACI software Access X X X X Load ACI software Leafs X X Active Standby Standby Active Standby Standalone Mode Nexus 9000 ACI Fabric

50 Nexus 9000 Standalone to ACI mode migration : vpc L2 and L3 Connectivity Aggregation Spines APIC Load ACI software Access X X X X Load ACI software Leafs X X Individual Standalone Mode Nexus 9000 ACI Fabric

51 Agenda Application Centric Infrastructure (ACI) Overview ACI Design Parameters Building an Application Profile Real World ACI Adoption and Migration Network Centric Hybrid Approach Application Centric

52 Deployment Example Hybrid Approach Classic mode shown here for Reference External Network APIC.2.3 Blue Tenant and Context BD Blue_ /24 EPG 11 EPG One-web BD Blue_ /24 EPG Two-web Policies EPG Three-web External EPG Exchange Routes (Blue) VLAN 11 Access ( /24 Tag 2011 VLAN 10 ( /24) Tag 100 Tag 101 Tag 102 AppOne s WebServer AppTwo s WebServer AppThree s WebServer AppOne s WebServer AppTwo s WebServer AppThree s WebServer External Network

53 Hybrid (Network and Application Centric) ACI Migration

54 ACI Migration for Hybrid Approach Exchange Routes (Blue) APIC External EPG BD Blue_2 Policies Blue Tenant and Context Classic L2 Extension. EPG 11 EPG One-web BD Blue_1 EPG Two-web EPG Three-web VLAN 11 ( /24 VLAN 10 ( /24) AppOne s WebServer AppTwo s WebServer AppThree s WebServer STP compatibility with Classic Network VLAN 10 maps to BD Blue_1 VLAN 11 maps to BD Blue_2 Classic Devices are still the Default Gateway Flooding enabled on ACI BDs during migration Equally applicable to L4-7 services (FW/LB) in the Classic Network Once migration completed, insert needed services and move Default Gateway ACI BDs Access Tag 2011 Tag 100 Tag 101 Tag 102

55 Virtual Environment Migration Example L3 L2 L3 vcenter vshield L3 N7K N7K ACI Fabric N5500 N5500 L2 L2 L3 L2 L2 L3 VMware vswitch, DVS, N1kV APIC Created VMware DVS / Cisco AVS APIC Created VMware DVS / Cisco AVS vmotion / Cold Migration

56 ACI Virtual Migration Assistant User and Workflow driven Multiple scenarios vswitch ACI DVS ACI N1kv ACI Any Combination ACI Cisco Advanced Services

57 Agenda Application Centric Infrastructure (ACI) Overview ACI Design Parameters Building an Application Profile Real World ACI Adoption and Migration Network Centric Hybrid Approach Application Centric

58 Application Centric - iexpenses C Intranet Border Leaf C C Expenses EPG C Extranet Border Leaf C Oracle RAC DB

59 App Profiles - Exchange 2013 Architecture

60 ACI Deployments for Known Application Profiles Internet WAN / DCI ACI POD for Greenfield or well understood applications Spine L3 L2 N7K N7K ACI Introduction N9K N9K Leaf N9300 N9300 N9300 N9300 N9300 N9300 N9300 N9300 V Integrated L4-L7 Services Physical & Virtual

61 Application Centric ACI Migration

62 ACI Approach to Applications Traditional Data Center Design Web Tier Application Tier Database Tier Firewall Load Balancing Firewall Load Balancing ACI Approach Application Profile 1 FW LB WEB 1 FW APP 1 DB 1 LB Application Profile 2 FW LB WEB 2 FW APP 2 DB 2 LB Application Profile 3 FW LB WEB 3 FW APP 3 DB 3 LB

63 Operational Operational Challenges Challenges 1 Lack of Confidence in Existing Information CMDB SSOT IPAM 2 No Endpoint Details Identification Layer 4 Ports App Host Association Endpoint Classification Application Grouping 3 Classify and Group

64 Application Profiling Methodology Application Dependency Analysis Network and Server Data Correlation, Application Fingerprinting, Customer Input Network Discovery Device Configurations, Protocols, Traffic Server Discovery Collect and Analyze Servers, Processes, Network Statistics

65 Proposal for iexpenses Contract Authentication (Single Sign On) User Access Contract Financial Web Portal Provider Contract Contract Business Intelligence Contract Oracle DB

66 Advanced Services: Application Profiling for ACI Comprehensive application dependencies Multiple application network policies Application, compute, network, and storage mapping Automate physical and virtual migration APIC Traditional 3-Tier Application App Profile HYPERVISOR HYPERVISOR HYPERVISOR Cisco Advanced Services

67 Multi-POD ACI Deployments

68 Connecting Two ACI Fabrics ACI Fabric 1 ACI Fabric 2 Anycast GW IP MAC: MAC-A APIC vcenter Server Anycast GW IP MAC: MAC-B APIC vcenter Server ESX ESX ESX ESX

69 Single Fabric Scenarios Multi-Site (Stretched) Fabric Site/Room A Site/Room B Interconnect Leaf Nodes HYPERVISOR HYPERVISOR HYPERVISOR Single Fabric + Multi-Site Single Operational Zone (VMM, Storage, FW/LB are all treated as if it is one zone) e.g. Single vcenter with Synchronized Storage Interconnect between sites Direct Fiber (40G), DWDM (40G or multiple 10G), Pseudo Wire (10G or 40G)

70 Multi-Fabrics Current Options Synchronization of Fabric Policy Site A Site B H Y P E R V I S O R H Y P E R V I S O R H Y P E R V I S O R H Y P E R V I S O R H Y P E R V I S O R H Y P E R V I S O R Symmetrical XML Configuration will maintain consistent operation between fabrics Externally triggered Export and Import between Fabrics is another option to maintain consistency

71 ACI Migration Summary ACI designed from the ground-up to be Application Centric Flexible and customizable to fit your business needs A phased approach: Grow, Integrate, Migrate Solution flexible to be Network Centric, Application Centric or a Hybrid approach Help - Cisco Data Center Services Design World Of Solutions Thank You!!

72 Call to Action Visit the World of Solutions for Cisco Campus DataCenter, ACI Booths with Advanced Services Tools Demo Walk in Labs Technical Solution Clinics Follow-up Breakout Sessions BRKACI Integration and Interoperation of Existing Nexus Networks into an ACI Architecture BRKACI Integration of Hypervisors and L4-7 Services into an ACI Fabric BRKACI ACI Troubleshooting Tools and Best Practices BRKDEV Introduction to ACI Programming and APIs Meet the Engineer Lunch time Table Topics DevNet zone related labs and sessions

73 Complete Your Online Session Evaluation Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card. Complete your session surveys though the Cisco Live mobile app or your computer on Cisco Live Connect. Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

74 Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Table Topics Meet the Engineer 1:1 meetings Related sessions

75 Thank you

76