Book Image

Cisco ACI Cookbook

By : Stuart Fordham
Book Image

Cisco ACI Cookbook

By: Stuart Fordham

Overview of this book

Cisco Application Centric Infrastructure (ACI) is a tough architecture that automates IT tasks and accelerates data-center application deployments. This book focuses on practical recipes to help you quickly build, manage, and customize hybrid environment for your organization using Cisco ACI. You will begin by understanding the Cisco ACI architecture and its major components. You will then configure Cisco ACI policies and tenants. Next you will connect to hypervisors and other third-party devices. Moving on, you will configure routing to external networks and within ACI tenants and also learn to secure ACI through RBAC. Furthermore, you will understand how to set up quality of service and network programming with REST, XML, Python and so on. Finally you will learn to monitor and troubleshoot ACI in the event of any issues that arise. By the end of the book, you will gain have mastered automating your IT tasks and accelerating the deployment of your applications.

Related Content you might be interested in

Current Title:

Small book image
Cisco ACI Cookbook
Stuart Fordham
May, 2017 | 424 pages
Small book image
Building Modern Networks
Steven Noble
Jul, 2017 | 324 pages
Small book image
Implementing Cisco UCS Solutions
Anuj Modi | Prasenjit Sarkar
Apr, 2017 | 482 pages
Small book image
Learning VMware NSX
Ranjit Singh Thakurratan
Aug, 2017 | 254 pages
Table of Contents (17 chapters)
Title Page
Title Page
Credits
Credits
About the Author
About the Author
About the Reviewers
About the Reviewers
www.PacktPub.com
www.PacktPub.com
Customer Feedback
Customer Feedback
Preface
Preface
Free Chapter
1
Understanding Components and the ACI Fabric
Understanding Components and the ACI Fabric
Introduction
Understanding ACI and the APIC
An overview of the ACI fabric
Converting Cisco from Nexus NX-OS mode to ACI mode
ACI fabric overlay
An introduction to the GUI
2
Configuring Policies and Tenants
Configuring Policies and Tenants
Introduction
Creating fabric policies
Creating access policies
Creating tenants
Configuring bridge domains
Configuring contexts
Creating application network profiles
Creating endpoint groups
Using contracts between tenants
Creating filters
Creating contracts within tenants
Creating management contracts
3
Hypervisor Integration (and Other Third Parties)
Hypervisor Integration (and Other Third Parties)
Introduction
Installing device packages
Creating VMM domains and integrating VMWare
Associating vCenter domains with a tenant
Deploying the AVS
Discovering VMWare endpoints
Adding virtual machines to a tenant
Tracking ACI endpoints
Integrating with A10
Deploying the ASAv
Integrating with OpenStack
Integrating with F5
Integrating with Citrix NetScaler
4
Routing in ACI
Routing in ACI
Introduction
Creating a DHCP relay
Utilizing DNS
Routing with BGP
Configuring a layer-3 outside interface for tenant networks
Associating a bridge domain with an external network
Using route reflectors
Routing with OSPF
Routing with EIGRP
Using IPv6 within ACI
Setting up multicast for ACI tenants
Configuring multicast on the bridge domain and interfaces
ACI transit routing and route peering
5
ACI Security
ACI Security
Introduction
Creating local users
Creating security domains
Limiting users to tenants
Connecting to a RADIUS server
Connecting to an LDAP server
Connecting to a TACACS+ server
6
Implementing Quality of Service in ACI
Implementing Quality of Service in ACI
Introduction
Preserving existing CoS settings
Configuring user-defined classes
Creating a basic QoS configuration
Verifying QoS
7
Network Programmability with ACI
Network Programmability with ACI
Introduction
Browsing the object store using the Object Store Browser
Programming the ACI through REST
Authenticating through REST and XML
Creating a tenant using REST and XML
Deleting a tenant using REST and XML
Creating an APN and an EPG using REST and XML
Creating an application profile and EPG using REST
Authenticating through REST and JSON
Creating a tenant using REST and JSON
Using the Python SDK
Logging into the APIC using Cobra
Creating a tenant using the SDK
8
Monitoring ACI
Monitoring ACI
Introduction
Finding faults
Viewing events
Navigating the audit logs
Setting up Call Home
Configuring SNMP
Configuring Syslog
Configuring NetFlow
9
Troubleshooting ACI
Troubleshooting ACI
Introduction
Layer 2 troubleshooting
FEX troubleshooting
SSL troubleshooting
Switch diagnostics
APIC troubleshooting
Upgrading the ACI software
VMM troubleshooting
Routing verifications
Troubleshooting external connectivity
Multicast troubleshooting
QoS troubleshooting
10
An End-to-End Example Using the NX-OS CLI
An End-to-End Example Using the NX-OS CLI
Introduction
Setting up in-band and out-of-band access to the nodes
Creating the security domain
Creating the VLAN domain
Creating the VMWare domain
Creating the tenant
Creating the VRF
Creating the bridge domains
Creating the applications and EPGs
Creating the contract
Creating an L4-L7 device
Creating service templates
Setting up the client VMs

Understanding ACI and the APIC

ACI is for the data center. It is a fabric (which is just a fancy name for the layout of the components) that can span data centers using OTV or similar overlay technologies, but it is not for the WAN. We can implement a similar level of programmability on our WAN links through APIC-EM (Application Policy Infrastructure Controller Enterprise Module), which uses ISR or ASR series routers along with the APIC-EM virtual machine to control and program them. APIC and APIC-EM are very similar; just the object of their focus is different. APIC-EM is outside the scope of this book, as we will be looking at data center technologies.

The APIC is our frontend. Through this, we can create and manage our policies, manage the fabric, create tenants, and troubleshoot. Most importantly, the APIC is not associated with the data path. If we lose the APIC for any reason, the fabric will continue to forward the traffic.

To give you the technical elevator pitch, ACI uses a number of APIs (application programming interfaces) such as REST (Representational State Transfer) using languages such as JSON (JavaScript Object Notation), and XML (eXtensible Markup Language), as well as the CLI and the GUI to manage the fabric, and other protocols such as OpFlex to supply the policies to the network devices. The first set (those that manage the fabric) are referred to as northbound protocols. Northbound protocols allow lower-level network components talk to higher-level ones. OpFlex (which we will discuss later in this chapter) is a southbound protocol. Southbound protocols (such as OpFlex and OpenFlow, which is another protocol you will hear in relation to SDN) allow the controllers to push policies down to the nodes (the switches).

Figure 1

This is a very brief introduction to the how. Now let's look at the why. What does ACI give us that the traditional network does not?

In a multi-tenant environment, we have defined goals. The primary purpose is that one tenant remains separate from another. We can achieve this in a number of ways.

We could have each of the tenants in their own DMZ (demilitarized zone), with firewall policies to permit or restrict traffic as required. We could use VLANs to provide a logical separation between tenants. This approach has two drawbacks.

It places a greater onus on the firewall to direct traffic, which is fine for northbound traffic (traffic leaving the data center) but is not suitable when the majority of the traffic is east-west bound (traffic between applications within the data center; see Figure 2).

Figure 2

We could use switches to provide layer-3 routing and use access lists to control and restrict traffic; these are well designed for that purpose.

Also, in using VLANs, we are restricted to a maximum of 4,096 potential tenants (due to the 12-bit VLAN ID).

An alternative would be to use VRFs (virtual routing and forwarding). VRFs are self-contained routing tables, isolated from each other unless we instruct the router or switch to share the routes by exporting and importing route targets (RTs). This approach is much better for traffic isolation, but when we need to use shared services, such as an Internet pipe, VRFs can become much harder to keep secure.

One way around this would be to use route leaking. Instead of having a separate VRF for the Internet, this is kept in the global routing table and then leaked to both tenants. This maintains the security of the tenants, and as we are using VRFs instead of VLANs, we have a service that we can offer to more than 4,096 potential customers. However, we also have a much bigger administrative overhead. For each new tenant, we need more manual configuration, which increases our chances of human error.

ACI allows us to mitigate all of these issues.

By default, ACI tenants are completely separated from each other. To get them talking to each other, we need to create contracts, which specify what network resources they can and cannot see. There are no manual steps required to keep them separate from each other, and we can offer Internet access rapidly during the creation of the tenant. We also aren't bound by the 4,096 VLAN limit. Communication is through VXLAN, which raises the ceiling of potential segments (per fabric) to 16 million (by using a 24-bit segment ID).

Figure 3

VXLAN is an overlay mechanism that encapsulates layer-2 frames within layer-4 UDP packets, also known as MAC-in-UDP (Figure 3). Through this, we can achieve layer-2 communication across a layer-3 network. Apart from the fact that through VXLAN, tenants can be placed anywhere in the data center and that the number of endpoints far outnumbers the traditional VLAN approach, the biggest benefit of VXLAN is that we are no longer bound by the Spanning Tree Protocol. With STP, the redundant paths in the network are blocked (until needed). VXLAN, by contrast, uses layer-3 routing, which enables it to use equal-cost multipathing (ECMP) and link aggregation technologies to make use of all the available links, with recovery (in the event of a link failure) in the region of 125 microseconds.

With VXLAN, we have endpoints, referred to as VXLAN Tunnel Endpoints (VTEPs), and these can be physical or virtual switch ports. Head-End Replication (HER) is used to forward broadcast, unknown destination address, and multicast traffic, which is referred to (quite amusingly) as BUM traffic.

This 16M limit with VXLAN is more theoretical, however. Truthfully speaking, we have a limit of around 1M entries in terms of MAC addresses, IPv4 addresses, and IPv6 addresses due to the size of the TCAM (ternary content-addressable memory). The TCAM is high-speed memory, used to speed up the reading of routing tables and performing matches against access control lists. The amount of available TCAM became a worry back in 2014 when the BGP routing table first exceeded 512 thousand routes, which was the maximum number supported by many of the Internet routers. The likelihood of having 1M entries within the fabric is also pretty rare, but even at 1M entries, ACI remains scalable in that the spine switches let the leaf switches know about only the routes and endpoints they need to know about. If you are lucky enough to be scaling at this kind of magnitude, however, it would be time to invest in more hardware and split the load onto separate fabrics. Still, a data center with thousands of physical hosts is very achievable.

Previous Section
End of Section 3
Next Section