#CLUS
Agenda
• An orchestration tool for vCenter
• Entering the Goldilocks Zone
• Microsegment all the things!
• Containers as First-Class Citizens
• Overlays Inception?
• Extending the Virtual Datacenter
#CLUS BRKACI-2300 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Cisco Webex Teams
Questions? Use Cisco Webex Teams to chat with the speaker after the session.
How: 1. Find this session in the Cisco Live Mobile App
Objectives of this session
• Understand the value of ACI in a VMware environment
ACI domains define where and how to deploy policies, and they can also orchestrate vCenter port-group creation.
Virtual Machine Manager Domain
• The VMware Virtual Machine Manager Domain (VMM) defines a relationship between APIC and vCenter
• Each VMM maps to a VDS that is configured on vCenter (provisioned through vSphere APIs)
• Each EPG maps to a port-group with dynamic VLAN allocation
• APIC reports full vCenter inventory
• Host Teaming and Failover Policy is automatically configured
• Policies are deployed on-demand (the other option is immediate)
• Enables the use of ACI vCenter Plugin
[Diagram: control plane between APIC and vCenter for the VMM Domain; EPGs Web and App are the configured policy, resolved on the leaf as VLAN 1001 and VLAN 2030; dot1q trunk (1001,2030) towards an ESXi host with CDP/LLDP enabled running several VMs]
Resolution vs Instrumentation Immediacy
• Resolution Immediacy – When is policy downloaded? (Policy = VRF/BD/EPG + ACL)
  • Immediate: when the hypervisor is attached to the VDS
  • On-Demand: when a VM is attached to the port-group
  • Pre-provision: not relying on LLDP, based on AAEP (solves the chicken-and-egg problem for vmkernel ports)
• NO EFFECT on Physical Domain (always resolved with AAEP)
Resolution vs Instrumentation Immediacy
• Deployment Immediacy – When is policy implemented in TCAM?
  • Immediate: as soon as policy is downloaded
  • On-demand: when the first packet hits the leaf
Enhanced LACP Policy
• With ACI 4.0(1h), APIC can provision enhanced LACP policies in VDS
• Multiple LAGs can be created on a VDS
• APIC asks user to choose LAG uplink during EPG association to VMM domain
Enhanced LACP Policy
[Screenshots: choosing the number of uplinks for the LAG in APIC, and the resulting LAG configuration in vCenter]
ACI can also control host network configuration
• Use vSwitch Policies when the host is not directly connected
[Diagram: Attachable Access Entity Profile (AAEP) tied to vPC / PC / Access Interface Policy Groups through an Interface Profile / Selector]
The Goldilocks Zone
Getting closer to the Hypervisor
• Closer to the workloads
AVE operates in user space, terminating the VXLAN tunnel in ESXi.
AVE Architecture
• Port-groups are mapped to isolated PVLANs based on EPG configuration, forcing inter-VM E-W traffic via AVE
• vmkernel port I/O (management, vMotion, NFS, etc.) does not transit AVE
• Inside trunk: configured in Promiscuous Mode with Primary and Secondary VLANs
• Outside trunk (traffic to/from the ACI fabric): configured with the infra VLAN or the APIC VLAN pool depending upon AVE mode (VXLAN/VLAN)
[Diagram: VDS with isolated PVLAN port-groups for the VMs and separate vmkernel ports; AVE bridges the inside trunk to the outside trunk towards the physical NICs]
AVE Architecture
[Diagram: VDS with Internal, External and Mgmt port-groups for AVE (VLAN-10, VLAN-20); a VM sends traffic in its secondary isolated VLAN, and the Internal AVE port-group is a promiscuous trunk that receives it]
How do we scale performance
• Multiple internal links for PVLAN distribution, e.g. (P,S)=50,51 and (P,S)=52,53
[Diagram: VDS with a management vmnic and an uplink carrying VXLAN / VLAN encapsulation; two internal PVLAN links to AVE; a second variant highlights traffic between local VMs]
AVE Native (by-pass) mode
[Diagram: VMKernel traffic (e.g. Storage, Mgmt) bypasses the AVE-SVM and goes from the VDS straight to the vmnic uplink; the AVE-SVM keeps its inside and outside interfaces]
Pro-active HA
• Health Provider defined for AVE VMM
• User can trigger AVE maintenance mode
• Sets the host in yellow state
• When host maintenance mode is enabled, AVE is powered off after host evacuation
• AVE is powered on after the host is up
[Diagram: vCenter DRS Cluster of ESXi hosts, each running an AVE and VMs; the AVE VMM Domain acts as Health Provider; Maintenance Mode / Quarantine actions on a host]
Microsegment all the Things!
Reduce attack surface of ESXi hosts
[Diagram: ESXi hosts in 10.10.10.0/16]
Simplify network by flattening IP subnets
[Diagram: Cluster A, Cluster B and Cluster 02 with Contracts between them]
EPG classification can leverage VM attributes
• 𝜇EPG defines a security zone that includes VMs with a common attribute set
[Diagram: EPG TEST (VLAN 1500 / VXLAN 346500) with many VMs; a 𝜇EPG "Remediation" matching the attribute Quarantine = True collects the infected ports]
𝜇Seg is available with VDS, AVS and AVE
• Supported with AVE (ACI 3.1)
• Supported with VDS and EX/FX based leaf (ACI >= 1.3)
Steps:
1. APIC connects to vCenter and fetches the VM inventory including the attributes. Any change in VM attributes is synced based on VC events.
2. When the user configures “EPG PROD” with ‘Allow Micro-Segmentation’, APIC pushes it as an isolated-PVLAN based port-group to steer traffic to the leaf (P:100,S:200).
3. VMs attached to the port-group are pushed to the leaf as MAC EPG.
4. The user creates a new uSeg EPG with Attributes.
5. APIC does the attribute matching to a MAC-list.
6. APIC updates the MAC-list of the uSeg EPG on the leaf.
[Diagram: EPG PROD on the VDS with Allow 𝜇Seg and Proxy-ARP on the leaf; VMs with MAC = A, B, C; 𝜇EPG Web with attribute Zone = Web receives its MAC-list from the attribute match]
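The attribute-matching loop of steps 1, 4, 5 and 6, as an added example that is not Cisco's or APIC's code: a constructed vCenter inventory is resolved into one MAC-list per uSeg EPG, and a Quarantine=True label pulls a VM out of its Web zone into Remediation. Attribute names, operators and precedence handling are simplified assumptions modelled on APIC's VM-attribute criteria.

```python
"""Model of how APIC resolves uSeg EPG membership from vCenter VM attributes
(steps 1, 4, 5 and 6 above). Added example, not Cisco code. Assumptions: the
attribute types and operators mirror the names APIC shows for VM attributes; a
VM matching several uSeg EPGs lands in the one with the lowest precedence
number; unmatched VMs stay in the base EPG; a vCenter attribute change re-resolves.
"""
from dataclasses import dataclass

# Constructed inventory as APIC learns it from vCenter (step 1); every VM sits in
# the base EPG's isolated-PVLAN port-group (step 2) and is known by MAC (step 3).
INVENTORY = [
    {"vm-name": "web-01", "mac": "00:50:56:aa:00:01", "guest-os": "Ubuntu Linux (64-bit)", "tag": "Zone=Web"},
    {"vm-name": "web-02", "mac": "00:50:56:aa:00:02", "guest-os": "Ubuntu Linux (64-bit)", "tag": "Zone=Web"},
    {"vm-name": "db-01", "mac": "00:50:56:aa:00:03", "guest-os": "CentOS 7 (64-bit)", "tag": "Zone=DB"},
    {"vm-name": "web-03", "mac": "00:50:56:aa:00:04", "guest-os": "Ubuntu Linux (64-bit)",
     "tag": "Zone=Web", "custom-label": "Quarantine=True"},
]

OPERATORS = {
    "equals": lambda actual, wanted: actual == wanted,
    "contains": lambda actual, wanted: wanted in actual,
}

@dataclass
class USegEPG:
    name: str
    precedence: int   # lower number wins when several uSeg EPGs match one VM
    match: str        # "all" or "any", like the criterion's match setting
    attrs: list       # (attribute type, operator, value) triples

    def matches(self, vm: dict) -> bool:
        hits = [OPERATORS[op](vm.get(kind, ""), value) for kind, op, value in self.attrs]
        return all(hits) if self.match == "all" else any(hits)

# Step 4: Remediation gets the lowest precedence number, so a quarantined web VM
# is pulled out of the Web zone instead of staying reachable inside it.
USEG_EPGS = [
    USegEPG("Remediation", 1, "all", [("custom-label", "equals", "Quarantine=True")]),
    USegEPG("Web", 10, "all", [("tag", "equals", "Zone=Web"), ("guest-os", "contains", "Ubuntu")]),
]

def resolve_mac_lists(inventory, useg_epgs, base="PROD"):
    """Step 5: attribute matching to one MAC-list per EPG (step 6 pushes them to the leaf)."""
    ordered = sorted(useg_epgs, key=lambda e: e.precedence)
    placement = {e.name: [] for e in ordered}
    placement[base] = []
    for vm in inventory:
        target = next((e.name for e in ordered if e.matches(vm)), base)
        placement[target].append(vm["mac"])
    return placement

def vcenter_event(inventory, useg_epgs, vm_name, **changed):
    """A VC attribute-change event (step 1) re-syncs the VM and re-resolves membership."""
    updated = [dict(vm, **changed) if vm["vm-name"] == vm_name else vm for vm in inventory]
    return resolve_mac_lists(updated, useg_epgs)
```

Running `resolve_mac_lists(INVENTORY, USEG_EPGS)` places web-01 and web-02 in Web, web-03 in Remediation and db-01 in the base EPG PROD; `vcenter_event` shows the same VM moving to Remediation the moment vCenter reports the Quarantine label on it.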
ACI Security tool set
• vzAny: EPG shortcut representing all Endpoints within a VRF (including the external L3 Out EPG)
• Preferred Group: group of EPGs that can communicate without any contract
  • vzAny and Preferred Group are mutually exclusive
• Contract Inheritance: the user can compose new EPG contracts from parent EPGs. All corresponding contracts are associated to the new EPG.
  • Any modification on the parent EPG affects all children
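To make the allow-list semantics of vzAny, Preferred Group and Contract Inheritance concrete, here is an added Python model (not Cisco code) that decides whether one EPG may initiate traffic to another; the EPG and contract names are constructed and the contract model is simplified as stated in the docstring.

```python
"""Allow-list decision between two EPGs in a VRF, modelled on the ACI constructs
listed on the slide. Added example, not Cisco code. Assumptions: a contract is
one permit filter and only the consumer -> provider direction is checked;
inheritance copies the parent chain's contracts; vzAny stands in for every EPG
of the VRF; Preferred Group members need no contract. Since the slide calls the
last two mutually exclusive, each is shown in its own constructed VRF.
"""
from dataclasses import dataclass, field

@dataclass
class EPG:
    name: str
    provides: set = field(default_factory=set)
    consumes: set = field(default_factory=set)
    parent: "EPG | None" = None   # contract inheritance source

    def effective(self, role: str) -> set:
        """Own contracts plus those inherited along the parent chain."""
        out, epg = set(), self
        while epg is not None:
            out |= getattr(epg, role)
            epg = epg.parent
        return out

@dataclass
class VRF:
    name: str
    preferred_group: set = field(default_factory=set)   # EPG names in the group
    vzany_provides: set = field(default_factory=set)
    vzany_consumes: set = field(default_factory=set)

def allowed(src: EPG, dst: EPG, vrf: VRF) -> str:
    """Return why src may initiate traffic to dst, or 'deny' (the ACI default)."""
    if src.name == dst.name:
        return "intra-epg"
    if {src.name, dst.name} <= vrf.preferred_group:
        return "preferred-group"
    consumed = src.effective("consumes") | vrf.vzany_consumes
    provided = dst.effective("provides") | vrf.vzany_provides
    common = consumed & provided
    return "contract:" + ",".join(sorted(common)) if common else "deny"

# Constructed tenant: three-tier app, a shared DNS EPG and a management pair.
WEB = EPG("web", consumes={"app-http"})
APP = EPG("app", provides={"app-http"}, consumes={"db-sql"})
DB = EPG("db", provides={"db-sql"})
DNS = EPG("dns", provides={"dns"})
WEB_CANARY = EPG("web-canary", parent=WEB)          # inherits web's contracts
MGMT, MON = EPG("mgmt"), EPG("mon")
PG_VRF = VRF("ctx-pg", preferred_group={"mgmt", "mon"})
ANY_VRF = VRF("ctx-any", vzany_consumes={"dns"})    # every EPG may reach dns

if __name__ == "__main__":
    print(allowed(WEB, APP, ANY_VRF), allowed(WEB_CANARY, APP, ANY_VRF), allowed(MGMT, MON, PG_VRF))
```

Note that web cannot reach db directly and app cannot initiate towards web, while the canary child inherits web's consumed contract and every EPG in ctx-any reaches dns through vzAny.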
Consuming SDN API from vCenter
ACI vCenter plugin
[Screenshots: the ACI vCenter plugin UI]
Network is still under control
Now let’s move to the cloud!
vRO/vRA plugin for ACI
Service Blueprints
• Day 1 Operations
Event Broker Subscription Integration
[Diagram: a vRA Blueprint event (provisioning, decommissioning) publishes a payload with contextual variables (OS, system generated variables, custom variables) onto the RabbitMQ Message Bus; vRO holds a subscription to the ACI plugin blueprint events and executes a workflow upon each event, receiving the payload]
Containers as First-class Citizens
Containers in VMs?
Management tools:
- Change management granularity
- Single Management Interface for VMs and container hosts across multiple locations (centralized SSO, vCenter Templates)
- Take advantage of vSphere high-availability and resource scheduling capabilities (HA, DRS)
Security:
- VM encapsulation as logical boundary
- Better isolation
Storage:
- HCI integration (Hyperflex)
- Storage optimization (SIOC, storage DRS)
ACI and K8S Integration Deployment Architecture
• Integration supported for K8S nodes as bare metal hosts or VMs
Overlays Inception
Why Running Software Overlays over ACI?
How about VMware NSX-V?
[Diagram: two options side by side, ACI provides the overlay, or ACI provides mgmt-plane visibility and adds L3 capabilities; three-tier app Web → App (HTTPS), App → DB (3306); Security + Ecosystem Partners]
Option 1
• Use Micro-segmentation and Network Services:
• No need for Controllers, Edge Gateways and Edge Racks
• Substantial savings in compute resources
• No connectivity island
• Dedicated Security API; NSX security tags can be used for automation
• NSX network services can be provisioned on demand: SLB or NAT, FW
• Take advantage of ACI policies' virtual, physical and container domain knowledge
• Single API shared across multiple teams to orchestrate application deployment and infrastructure
• E/W stateful security for VMs, while ACI brings service insertion capabilities for N/S
Architecture example
[Diagram: VRF CTX-01 with an L3 Out / Ext EPG, EPG Web, EPG App and an NSX ESG acting as SLB; bridge domains BD-WEB, BD-ESG and BD-App with subnets 10.10.1.0/24, 192.168.1.0/24 and 192.168.2.0/24 (gateway .1 in each); SLB VIP 10.10.1.100; contracts Redirect HTTP/HTTPS (on-demand load-balancing via PBR – Service Graph) and Permit ANY; a shadow EPG is automatically created with its corresponding port-group]
Option 2
• ACI as the underlay and L3 boundary
• All VTEPs can be part of the same subnet
• ACI can further provide VTEP subnet segmentation with appropriate EPG mapping
[Diagram: EPG A (TZ – Cluster A) and EPG B (TZ – Cluster B) in BD 10.30.0.1/16]
Benefits vs non-ACI L3 Fabrics*
• No need for Edge Racks:
  o Perimeter ESG for Tenant/Customer is part of the tenant
  o Edge physical failure domain is independent from other tenants
• No L2 isolation at ToR for non-VM traffic:
  o ACI provides L2 reachability between Customer or Tenant racks.
  o ESXi host network configuration is drastically simplified (no need for multiple VMKernel TCP/IP Stacks)
[Diagram: spines S1, S2 and leafs L1–L8; Tenant A (Rack 1-2) and Tenant B (Rack 3-4), each with an ESG HA pair and a DLR; VLAN and VXLAN segments; L2 ext to the Core via SVI or Subinterface towards WAN/DCI; North/South flow with ECMP]
ACI Integration with NAT VNF
[Diagram: VRF CTX-01 with an L3 Out and BD-ESG (10.10.1.1/24); contract Permit HTTP/HTTPS; VXLAN / Geneve overlay]
*You can’t have ESG with NAT + ECMP: another routing layer is required for ECMP
ACI Peering with Virtual Router VNF
[Diagram, three steps: L3Out with a routing adjacency to a virtual router VM in a VMware DRS Cluster (Host 1 to Host 4); routing occurs at the directly connected ToR, which is the selected next hop (Selected NH)]
New Model for better integration with VNF:
[Diagram: L3Out with routing adjacency to VNF VMs; external network prefixes behind them]
#CLUS BRKACI-3612 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 77
Floating IP for L3 Out
• BD needs to be stretched to the roaming border leaf
• Floating IP* required so the transit subnet can be deployed on the leaf
[Diagram: L3Out with routing adjacency to the VNF VMs; external network prefixes]
South-North and North-South sample flows
[Diagrams: the L3Out and the external network prefixes, traced in each direction]
Extending the Virtual Datacenter
High Availability vs Disaster Recovery
• HA provides non-orchestrated recovery within a single management domain
  • Single failure domain
  • Zero RPO can be achieved via synchronous storage replication
  • RTO can be minimized
  • vSphere HA is responsible for recovering workloads
  • Depending on recovery units (e.g. Network, Site, Application), L2 extension and/or flooding may be required
High Availability vs Disaster Recovery
• DR provides recovery processes and orchestration across distinct management domains
  • Multiple failure domains
  • Long distance can rule out synchronous replication
  • RTO generally takes longer to achieve (human decision to activate Recovery Plan)
High Availability with vMSC
• HA across locations is achieved via vSphere Stretched Clusters (vMSC)
vSphere vMSC Requirements
• Stretched Storage (uniform or non-uniform access)
Disaster Recovery with SRM
• VMware Site Recovery Manager enables orchestrated recovery of VM workloads across 2 vCenters
SRM Requirements
• Supported SRA (Storage Replication Adapter) or vSphere Replication
• Network reachability
HA with ACI (Multipod)
[Diagram: Pod 1 and Pod 2 joined by an Inter Pod Network running MP-BGP VXLAN EVPN, with a distributed GW on every leaf and an L3 Out in each pod; one APIC Cluster and one vCenter with a single VDS whose port-groups / EPGs are stretched across both pods (Stretched EPGs)]
ACI Multipod Properties and Benefits
• Distributed GW across locations
• 12 Pods
• 50ms RTT
Disaster Recovery with ACI (Multisite)
[Diagram: Site 1 and Site 2 joined by an Inter Site Network running MP-BGP VXLAN EVPN, with GWs on every leaf, an L3 Out per site and per-BD selective flooding; a separate VDS per site with matching port-groups / EPGs]
ACI Multisite Properties and Benefits
• Single policy model across multiple locations and ACI fabrics (12 Sites)
• Multiple failure domains
• Can select L2 flooding per BD
• Up to 150 msec RTT latency supported between MSO nodes
• Higher latency (500ms to 1s RTT) between MSO nodes and managed APIC clusters
• Support for cross-vCenter vMotion without flooding
• MSO manages Fabric Virtualization policies
• Simple public REST API to create policies, push to multiple sites and maintain synchronization
• Same port-group names at protected and recovery sites
• VMM domain properties and EPG association are managed per fabric
Key Takeaways
ACI Overlay and VMware solutions
• ACI provides the best overlay manager for VMware based solutions
• APIC is tightly integrated with VMware VDS and allows for flexible network designs
• ACI REST API allows for simple integration by means of plugins maintained by Cisco (available on CCO)
  • VMware vCenter
  • vRealize Automation
• Network team keeps CONTROL over the physical AND the virtual network
Q&A
Complete your online session evaluation
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live water bottle.
• All surveys can be taken in the Cisco Live Mobile App or by logging in to the Session Catalog on ciscolive.cisco.com/us.
Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com.
Continue your education
Demos in the Cisco campus
Walk-in labs
Thank you