Cisco ACI vpod
One intent: Any workload, Any location, Any cloud

Organizations are increasingly adopting hybrid data center models to meet their infrastructure demands, gain flexibility, and optimize total cost of ownership. Often this is accomplished by combining a variety of technologies, including public bare-metal clouds and other internal IT resources, along with remote locations such as hosted data centers and satellite data centers.

With the addition of Cisco ACI Virtual Pod (vpod) to its portfolio, Cisco ACI now extends this policy-driven automation to multiple data centers, including satellite data centers with smaller footprints, and extends a common fabric all the way to public clouds that support bare-metal provisioning. The Cisco ACI vpod solution is a software-only extension of the on-premises data center and leverages the common Cisco APIC management to provide centralized policy and management of the data center fabric. A Virtual Pod consists of virtual spines (vspines), virtual leafs (vleafs), and Cisco ACI Virtual Edges (AVEs) that are deployed on a hypervisor infrastructure.
Figure 1: Cisco ACI vpod overview (diagram: on-premises ACI data center with an APIC cluster, connected over the IP Network (IPN) by a logical connection to spine (BGP-EVPN); policy extension from the on-premises DC to the hypervisor at the remote location)

Cisco ACI vpod consists of the following components:
- Cisco ACI virtual Spine (vspine)
- Cisco ACI virtual Leaf (vleaf)
- Cisco ACI Virtual Edge (AVE)
Figure 2: Cisco ACI vpod components (diagram: a Virtual-Pod made up of vspines, vleafs and AVEs)

Figure 2 gives an overview of the Cisco ACI vpod components. The Cisco ACI vspine and vleaf are deployed in a virtual form factor and emulate the control-plane functions of the physical spine and leaf. Packet forwarding, policy enforcement, and all data-plane management are handled by the Cisco ACI Virtual Edge running on each host in the Cisco ACI vpod. Cisco ACI vpod offers customers a single pane of glass to manage multiple data centers with consistent security enforcement; it improves agility in bringing up applications at satellite data centers to meet business needs faster, and it provides investment protection on traditional data centers.
Figure 3: ACI Anywhere (diagram: extend ACI to bare-metal cloud and remote locations)
- Investment protection: Extend ACI policies over a traditional (legacy) network in an existing brownfield
- Security everywhere: Define policies once and extend them to the cloud
- Great business agility: Reduce infrastructure and network provisioning time

The Cisco ACI vpod solution can be deployed in the following scenarios:
- Cisco ACI policy extension to bare-metal clouds
- Cisco ACI policy extension to brownfield
- Cisco ACI policy extension to remote sites/colocation facilities

Cisco ACI extension to bare-metal clouds

Customers who are looking into a hybrid cloud solution often stretch their applications between an on-premises data center and the public cloud. This requires common security policies between the on-premises fabric and the public cloud extension. Customers run into the problem of defining security policies in the cloud that must comply with those of the on-premises data center, and the on-premises policies are sometimes governed by their information security team.
Customers also need a network administrator who is well versed in the cloud provider's portal, which often leads to hiring new personnel to maintain the cloud side of the network. While separation of duties helps administrators keep operations clean, it often delays bringing applications up end to end, costing revenue and valuable time.

Figure 4: Bare-metal cloud extension using Cisco ACI vpod (diagram: on-premises APIC cluster connected over the IP Network (IPN) by a logical connection to spine (BGP-EVPN); policy extension from on-premises to bare-metal servers running ESXi)

With the introduction of Cisco ACI vpod, customers can now deploy Cisco ACI in their on-premises main data center and deploy Cisco ACI vpod in the public cloud on bare-metal servers running the ESXi hypervisor. Figure 3 depicts a physical fabric on the left, connecting over an IP connection to a virtual fabric running Cisco ACI vpod. Using the on-premises Cisco APIC controller, administrators configure the network connectivity and security rules that are common to the hybrid fabric and provide consistent policy and management for workloads running anywhere. The existing Cisco APIC policy constructs, such as tenants, Endpoint Groups (EPGs), Bridge Domains (BDs), Virtual Routing and Forwarding instances (VRFs), and security policies (contracts), are extended to the Cisco ACI vpod, and policy enforcement happens at the Cisco ACI Virtual Edge. With this in place, even dynamic workload migration (vMotion) is allowed between the on-premises data center and a bare-metal cloud configured with Cisco ACI vpod.
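The point of extending the same tenants, EPGs and contracts to the vpod is that the verdict for a flow depends on which EPGs the two endpoints belong to and which contracts relate those EPGs, never on where the endpoint happens to be running. The following is an added example, not Cisco's code and not the APIC API: a deliberately simplified Python model of the ACI whitelist policy model (tenant, VRF, BD, EPG, contract with filter entries, implicit deny) in which each learned endpoint also records a location that the policy engine ignores, so a simulated vMotion from an on-premises leaf to a vpod host leaves the verdict unchanged. Tenant, EPG, contract names, IPs and ports are constructed; the model evaluates only the consumer-to-provider direction and omits ACI features such as reverse filter ports, taboo contracts, vzAny and intra-EPG isolation.

```python
"""Simplified model of the Cisco ACI whitelist policy model (EPGs and contracts).

Added example, not Cisco code and not the APIC REST API. It mimics the policy
constructs the brief lists (tenant, VRF, BD, EPG, contract) to show why the
enforcement point (physical leaf on-premises or the AVE in a vpod) produces
the same verdict: it depends only on EPG membership and contracts, never on
location. All names, addresses and ports below are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FilterEntry:
    protocol: str          # "tcp", "udp" or "icmp"
    dport_from: int = 0    # destination port range (ignored for icmp)
    dport_to: int = 65535

    def matches(self, protocol, dport):
        if protocol != self.protocol:
            return False
        if protocol == "icmp":
            return True
        return self.dport_from <= dport <= self.dport_to


@dataclass
class Contract:
    name: str
    entries: list          # FilterEntry objects (one subject, simplified)


@dataclass
class EPG:
    name: str
    bd: str                # bridge domain the EPG is attached to
    provided: set = field(default_factory=set)   # contract names this EPG provides
    consumed: set = field(default_factory=set)   # contract names this EPG consumes


@dataclass(frozen=True)
class Endpoint:
    ip: str
    epg: str
    location: str          # e.g. "onprem-leaf101" or "vpod-ave-host7"; informational only


class Tenant:
    def __init__(self, name, vrf):
        self.name = name
        self.vrf = vrf
        self.contracts = {}
        self.epgs = {}
        self.endpoints = {}

    def add_contract(self, c):
        self.contracts[c.name] = c

    def add_epg(self, e):
        self.epgs[e.name] = e

    def learn(self, ep):
        # Endpoint learning: the fabric maps an IP to an EPG (and a location).
        self.endpoints[ep.ip] = ep

    def verdict(self, src_ip, dst_ip, protocol, dport=0):
        """Return 'permit' or 'deny' for a flow, with whitelist semantics."""
        src = self.endpoints.get(src_ip)
        dst = self.endpoints.get(dst_ip)
        if src is None or dst is None:
            return "deny"          # unknown endpoint: no EPG, so no policy applies
        if src.epg == dst.epg:
            return "permit"        # intra-EPG traffic is allowed by default
        src_epg, dst_epg = self.epgs[src.epg], self.epgs[dst.epg]
        # Consumer -> provider direction: some contract must be consumed by the
        # source EPG and provided by the destination EPG, and one of its filter
        # entries must match the flow. Location is never consulted.
        for cname in src_epg.consumed & dst_epg.provided:
            for entry in self.contracts[cname].entries:
                if entry.matches(protocol, dport):
                    return "permit"
        return "deny"              # no matching contract: implicit deny


def build_demo_tenant():
    """Constructed three-tier tenant: web (on-premises) talks to app (in the vpod)."""
    t = Tenant("prod", vrf="prod-vrf")
    t.add_contract(Contract("web-to-app", [FilterEntry("tcp", 8443, 8443)]))
    t.add_epg(EPG("web", bd="web-bd", consumed={"web-to-app"}))
    t.add_epg(EPG("app", bd="app-bd", provided={"web-to-app"}))
    t.add_epg(EPG("db", bd="db-bd"))          # no contract: nobody may reach it
    t.learn(Endpoint("10.1.1.10", "web", "onprem-leaf101"))
    t.learn(Endpoint("10.1.2.20", "app", "vpod-ave-host7"))
    t.learn(Endpoint("10.1.3.30", "db", "vpod-ave-host7"))
    return t


def vmotion(tenant, ip, new_location):
    """Re-learn an endpoint at a new host; its EPG, and hence its policy, is unchanged."""
    old = tenant.endpoints[ip]
    tenant.learn(Endpoint(old.ip, old.epg, new_location))
    return tenant.endpoints[ip]


if __name__ == "__main__":
    t = build_demo_tenant()
    print(t.verdict("10.1.1.10", "10.1.2.20", "tcp", 8443))  # permit
    print(t.verdict("10.1.1.10", "10.1.2.20", "tcp", 22))    # deny: port not in filter
    print(t.verdict("10.1.2.20", "10.1.1.10", "tcp", 8443))  # deny: app does not consume
    print(t.verdict("10.1.1.10", "10.1.3.30", "tcp", 5432))  # deny: no contract to db
    vmotion(t, "10.1.2.20", "onprem-leaf102")
    print(t.verdict("10.1.1.10", "10.1.2.20", "tcp", 8443))  # permit: same after the move
```

The flows that are denied are as instructive as the one that is permitted: the model has no notion of a "cloud side" or an "on-premises side", so a misplaced or migrated workload cannot silently gain access it did not have in the main data center. The real ACI model is richer (bidirectional contracts with reverse filter ports, vzAny, taboo contracts, intra-EPG isolation), but the whitelist principle shown here is the one the brief relies on when it speaks of consistent security enforcement.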
Cisco ACI extension into brownfield

Cisco ACI customers had the challenge of extending network policies to virtual workloads that connect to the data center behind a legacy (non-Cisco ACI) networking device. While Cisco ACI Virtual Edge resolved this issue to some extent, policy enforcement was still done at the fabric level, causing hair-pinning of traffic. Also, the Infrastructure VLAN used inside the physical fabric had to be extended into the legacy network.

Figure 5: Brownfield deployment (diagram: ACI data center with an APIC cluster, connected over the IP Network by a logical connection to spine (BGP-EVPN); policy extension from the ACI DC to a traditional data center)

As shown in Figure 5, with the Cisco ACI vpod solution customers can now extend Cisco ACI network policies over Layer 3 to virtual workloads hosted behind traditional data center networks. Policy enforcement is done locally on the host running Cisco ACI Virtual Edge. This solution also gives customers investment protection on their traditional network devices, and they can gradually migrate workloads into the Cisco ACI fabric.
hardware to Cisco ACI fabric

With the extension of ACI network constructs to workloads behind traditional network devices, and with support for extending Cisco ACI tenants, EPGs, bridge domains, VRFs, and security policies (contracts) to those workloads, it is very easy for customers to migrate virtual workloads from traditional networks into the Cisco ACI fabric without complex configuration or additional cabling.

Cisco ACI extension into remote sites or colocation data centers

Customers extending their workloads into a remote site or colocation data center have to plan the deployment carefully and often face constraints on rack space, power and cooling budget, and the time required to deploy hardware and bring the application into service.

Figure 6: Cisco ACI policy extension to colocation data centers using Cisco ACI vpod (diagram: on-premises APIC cluster connected over the IP Network by a logical connection to spine (BGP-EVPN); policy extension from on-premises to colocation facilities such as Equinix and Rackspace)
Deploying Cisco ACI vpod at such locations gives greater business agility, since both the infrastructure hardware and the network provisioning time are reduced. Customers also get a single pane of management through the Cisco APIC controller.

Together, Cisco ACI and Cisco ACI vpod give customers a single pane of management to extend network and security constructs across the main data center, public bare-metal clouds, satellite remote data centers, colocation data centers, and brownfield networks in a simple and agile fashion.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) C22-741315-00 10/18