Slide 1: Introduction to ACI
BRKDCN-1601
Chris Merkel, DC TSA, CCIE 17841
#CiscoLive
2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Slide 3: Cisco Webex App
Questions? Use Cisco Webex App to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space
Webex spaces will be moderated by the speaker until June 9, 2023. Link: https:/

Slide 4: Agenda
- Fabric Basics
- Policy Model
- Architectural Deployments
- Day 2 and beyond
- Conclusion

Slide 5: Fabric Basics (section)

Slide 6: ACI: One Network, any location
- Containers*
- Virtual Networks
- Physical Switches (100M/1/10/25/40/50/100/400G)
- Cloud

Slide 7: ACI Anywhere: the easiest Data Center and Cloud Interconnect Solution in the Market. Try it today!
- Locations: Core Data Centers, Edge/Remote, Hybrid Cloud & Multicloud, joined over the IP WAN
- Deployment options: ACI Single-POD, ACI Multi-POD, ACI Multisite, ACI Remote Leaf, Cloud ACI

Slide 8: The DC network before / the DC network NOW
The DC network before: classic modular switching
- Single chassis (e.g. Nexus 7000)
- Supervisors (1 or 2)
- Fabric Modules (3-6)
- Linecards (Copper, Fiber, 1/10G)
- Up to 18 RUs; scale-up
The DC network NOW: ACI
- Single VXLAN Network*; an evolution from Nexus 5000 and Nexus 7000
- APICs (3 or more)
- Spines (1 to 6)
- Leaves (1 to 400 or more*)
- Zero-touch VXLAN, no STP
- Scale as you need
*500+ leaves with MultiPod/Multi-Site. *Other topologies available (e.g. 3-tier, etc.)

Slide 9: Application Centric Infrastructure Building Blocks
- Built on the Nexus 9000
- Centralized Policy Model, Network Automation
- Non-Blocking 40/100/400G Fabric, CLOS Fabric
- Single Open API for the Entire System (Terraform, Ansible, Python, etc.)
- Flexible: Modular and Fixed Spine Options
- Network Service Appliances (F5, ASA/FTD, etc.)
- IP Storage (iSCSI, NFS, NVMeoF, etc.)
- WAN Interconnect
- Physical, Virtual and Container Workloads (VMW, HyperV, Hadoop, AIX, K8S, etc.)
- Integrated Overlay, Distributed Gateway (Industry Leading: Price, Performance, Port-Density, Programmability, Power Efficiency)
- Integrated security: Built-in Distributed Stateless Firewall, Multi-Tenant Security

Slide 10: The traditional network: all nodes are managed and operated independently, and the actual topology dictates a lot of configuration
- Device basics: AAA, syslog, SNMP, PoAP, hash seed, default routing protocol bandwidth
- Interface and/or Interface Pairs: UDLD, BFD, MTU, interface route metric, channel hashing, Queuing, LACP
- Fabric and hardware specific design: HW Tables
- Switch Pair/Group: HSRP/VRRP, VLANs, vPC, STP, HSRP sync with vPC, Routing peering, Routing Policies
- Application specific: ACL, PBR, static routes, QoS, ...
- Fabric wide: MST, VRF, VLAN, queuing, CAM/MAC & ARP timers, CoPP, route protocol defaults

Slides 11-13 (build): ACI: how difficult was it to bring up? What tasks and configuration did ACI just save me from doing manually on every switch?
BEFORE: SSH to every switch, assign an IP address, enable Telnet/SSH, add users on every switch / create ACLs (optional). Times X switches and Y VNIs.
NOW: ACI automated tasks
- Underlay Routed Network (IS-IS)
- Overlay Network (VXLAN)
- External to Internal Route redistribution & Control Plane (MP-BGP, QoS, etc.)
- Multicast (BD GIPo Addressing)
- Switch management & Best Practices
From HOURS to seconds!

Slide 14: ACI Policy Model Simplified (section)

Slide 15: The ACI Policy Model (ACI construct and its traditional equivalent)
- Tenant: VDC
- VRF: VRF
- Bridge Domain: Subnet/SVI/Default GW
- End Point Group: Broadcast Domain/VLAN, Private VLAN
- Contracts: Access Lists
- L2 External EPG: 802.1q Trunk
- L3 External EPG: L3 Routed Link
- EPG1 to EPG2 with an Any-Any contract replicates a traditional switch*
*Preferred group or vzAny achieve the same outcome.

Slide 16: The ACI Policy Model: Migrating into ACI
- Tenant, VRF
- VLAN 10 BD 10.10.10.1/24 with VLAN 10 EPG
- VLAN 20 BD 10.10.20.1/24 with VLAN 20 EPG
- VLAN 30 BD 10.10.30.1/24 with VLAN 30 EPG
- Any-Any Contract* between the EPGs
*Preferred group or vzAny achieve the same outcome.

Slide 17: The ACI Policy Model: Migrating into ACI (continued)
- As slide 16, with the VRF shown as the Global VRF/Routing Table and Protocol
- L2 External (802.1q Trunk) and L3 External (Routed Interface) connect to the external switch

Slide 18: The ACI Policy Model: Extending the configuration: Endpoint Groups
- The VLAN-based EPGs are replaced by application EPGs holding VMs: AD_SVR, XenApp, Prod_SQL, Print Svc
- VLAN 10 BD 10.10.10.1/24 / VLAN 10 EPG, the Any-Any Contract* and the L2/L3 externals remain

Slide 19: The ACI Policy Model: Extending the configuration: Endpoint Security Groups (ACI 5.0 and greater)
- AD EpSG and Print Svc EpSG alongside the VLAN 10/20/30 BDs and EPGs
- EPG to EpSG communication requires vzAny or Preferred Group

Slide 20: Advancing the ACI Configuration
- Tiers: App 1 Web Tier, App 1 App Tier, App 1 Database Tier EPG, with an L2/L3 External in front
- Contracts shown: Only HTTPS (Firewall + Load Balancer Insertion); Only tcp/2048 (Copy to IPS + Load Balancer Insertion); Only SQL (To DB)
- Policy Based Redirect with Service Graphs
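The policy-model slides above describe the objects (tenant, VRF, bridge domain, EPG, contract, filter, L3 external) but not what the APIC actually receives or what a given set of contracts lets through. The Python below is an added example, not Cisco's code and not from the deck: it builds the slide-20 three-tier application as an APIC-style JSON tree (class names follow the APIC REST object model as I know it: fvTenant, fvCtx, fvBD, fvAp, fvAEPg, l3extOut, l3extInstP, vzFilter, vzBrCP) and then derives from that tree the (consumer, provider, protocol, port) flows the contracts permit. The exact tier wiring, the 10.10.10.0/24 subnet and the reading of "Only SQL" as TCP/1433 are assumptions made for the example.

```python
"""Added example, not Cisco's code: the slide's three-tier app as an APIC-style
object tree, plus the flows its contracts permit.  Class names follow the APIC
REST object model as I know it; the tier wiring, the 10.10.10.0/24 subnet and
"SQL" meaning TCP/1433 are assumptions made for this example."""


def _mo(cls, attrs, children=()):
    """One managed object in the {class: {attributes, children}} form APIC expects."""
    body = {"attributes": dict(attrs)}
    if children:
        body["children"] = list(children)
    return {cls: body}


def filter_mo(name, proto, port):
    """vzFilter holding a single vzEntry that matches one destination port."""
    entry = _mo("vzEntry", {"name": f"{proto}-{port}", "etherT": "ip", "prot": proto,
                            "dFromPort": str(port), "dToPort": str(port)})
    return _mo("vzFilter", {"name": name}, [entry])


def contract_mo(name, filter_names):
    """vzBrCP with one subject that references the given filters."""
    subj = _mo("vzSubj", {"name": "subj"},
               [_mo("vzRsSubjFiltAtt", {"tnVzFilterName": f}) for f in filter_names])
    return _mo("vzBrCP", {"name": name, "scope": "context"}, [subj])


def epg_mo(name, bd, provides=(), consumes=()):
    """fvAEPg bound to a bridge domain, with the contracts it provides/consumes."""
    children = [_mo("fvRsBd", {"tnFvBDName": bd})]
    children += [_mo("fvRsProv", {"tnVzBrCPName": c}) for c in provides]
    children += [_mo("fvRsCons", {"tnVzBrCPName": c}) for c in consumes]
    return _mo("fvAEPg", {"name": name}, children)


def build_tenant():
    """Tenant App1: VRF, BD, the Web/App/DB EPGs, an L3Out and three contracts.
    json.dumps() of the result is the body for POST /api/mo/uni.json on an APIC."""
    bd = _mo("fvBD", {"name": "App1_BD"}, [
        _mo("fvRsCtx", {"tnFvCtxName": "App1_VRF"}),
        _mo("fvSubnet", {"ip": "10.10.10.1/24", "scope": "private"})])  # constructed
    ap = _mo("fvAp", {"name": "App1"}, [
        epg_mo("Web", "App1_BD", provides=["Only_HTTPS"], consumes=["Only_tcp2048"]),
        epg_mo("App", "App1_BD", provides=["Only_tcp2048"], consumes=["Only_SQL"]),
        epg_mo("DB", "App1_BD", provides=["Only_SQL"])])
    # The slide's L2/L3 External: an external EPG that consumes the HTTPS contract.
    l3out = _mo("l3extOut", {"name": "L3Out"}, [
        _mo("l3extRsEctx", {"tnFvCtxName": "App1_VRF"}),
        _mo("l3extInstP", {"name": "External"},
            [_mo("fvRsCons", {"tnVzBrCPName": "Only_HTTPS"})])])
    return _mo("fvTenant", {"name": "App1"}, [
        _mo("fvCtx", {"name": "App1_VRF"}), bd, l3out,
        filter_mo("https", "tcp", 443),
        filter_mo("tcp2048", "tcp", 2048),
        filter_mo("sql", "tcp", 1433),  # assumption: "Only SQL" == TCP/1433
        contract_mo("Only_HTTPS", ["https"]),
        contract_mo("Only_tcp2048", ["tcp2048"]),
        contract_mo("Only_SQL", ["sql"]),
        ap])


def _walk(mo):
    """Yield (class, attributes, children) for every object in the tree."""
    for cls, body in mo.items():
        yield cls, body["attributes"], body.get("children", [])
        for child in body.get("children", []):
            yield from _walk(child)


def allowed_flows(tenant):
    """{(consumer_epg, provider_epg, proto, port)} the contracts permit; anything
    else between EPGs is dropped by the fabric's default deny."""
    filters, contracts, provides, consumes = {}, {}, {}, {}
    for cls, attrs, children in _walk(tenant):
        if cls == "vzFilter":
            filters[attrs["name"]] = [(a["prot"], int(a["dFromPort"])) for ch in children
                                      for c, a, _ in _walk(ch) if c == "vzEntry"]
        elif cls == "vzBrCP":
            contracts[attrs["name"]] = [a["tnVzFilterName"] for ch in children
                                        for c, a, _ in _walk(ch) if c == "vzRsSubjFiltAtt"]
        elif cls in ("fvAEPg", "l3extInstP"):
            for c, a, _ in (x for ch in children for x in _walk(ch)):
                if c == "fvRsProv":
                    provides.setdefault(a["tnVzBrCPName"], []).append(attrs["name"])
                elif c == "fvRsCons":
                    consumes.setdefault(a["tnVzBrCPName"], []).append(attrs["name"])
    return {(cons, prov, proto, port)
            for name, fnames in contracts.items()
            for cons in consumes.get(name, [])
            for prov in provides.get(name, [])
            for fname in fnames
            for proto, port in filters[fname]}


def direct_flows(tenant, src, dst):
    """{(proto, port)} src may open directly to dst; an empty set means no direct path."""
    return {(p, n) for c, s, p, n in allowed_flows(tenant) if (c, s) == (src, dst)}
```

Running `sorted(allowed_flows(build_tenant()))` lists exactly three flows (External to Web on 443, Web to App on 2048, App to DB on 1433), and `direct_flows(build_tenant(), "Web", "DB")` is empty, which is the property worth checking before a change is pushed: the policy expresses the slide's whitelist and nothing more. The same walk can be pointed at a tenant pulled back from an APIC to compare intended and deployed policy.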
Slide 21: ACI Deployment Options (section)

Slide 22: ACI Anywhere (repeat of slide 7): the easiest Data Center and Cloud Interconnect Solution in the Market. Try it today!
- Locations: Core Data Centers, Edge/Remote, Hybrid Cloud & Multicloud, joined over the IP WAN
- Deployment options: ACI Single-POD, ACI Multi-POD, ACI Multisite, ACI Remote Leaf, Cloud ACI

Slide 23: ACI MultiPod: the evolution of a stretched fabric
- Site A and Site B pods joined over an Inter-Pod IP Network (*with PIM BiDir support)
- Active-Active Datacenters
- Virtual Metro Clusters
- Stretch VRF, EPG, BD across PoDs with VXLAN
- Up to 50 ms latency / 500 switches
*ACI 5.2(3) adds support for 2 pods in a back-to-back spine configuration.

Slide 24: ACI: Physical Remote Leaf: extend ACI to Satellite Data Centers
- Site A reaches a Remote Location over an IP Network (WAN Core IPv4, MPLS, SR, etc.)
- Zero Touch Auto Discovery of Remote Leaf
- Two switches per site
- Up to 200 Remote Leaf switches (ACI 6.0)
- 300 ms latency
- Stretch EPG, BD, VRF, Tenant, Contract
- DC Migration / OTV replacement
- Port Speed: 1-400G

Slide 25: ACI Multi-Site
- Sites A, B and D under Nexus Dashboard Orchestrator
- Policy Consistency: consistent policy across sites
- Single Point of Orchestration
- Availability: fault isolation
- Scale

Slide 26: ACI Multi-Site Cloud Integration
- As slide 25, with a cloud Site C added under the same Nexus Dashboard Orchestrator

Slide 27: ACI Policy in the Cloud
- On-Premises DC: EPG Web, EPG APP, EPG DB joined by Contracts
- AWS Region: SG Web, SG APP, SG DB joined by SG Rules
- Azure Region: ASG Web, ASG APP, ASG DB with NSGs
- Nexus Dashboard Orchestrator and Cloud Network Controller, connected over the IP Network
- Automated inter-connect provisioning
- Simplified operations with end-to-end visibility
- Consistent policy enforcement on-premises & public cloud

Slide 28: The network-admin challenge: provisioning and monitoring complexity = Risk
NX-OS (Separate Infrastructure + VXLAN) | ACI | AWS | Azure | third cloud column (provider logo not recovered)
- | Tenant | Account | Subscription/Resource Group | Account/Project
Data Center | Site/Pod | Region | Region | Region
VRF | VRF | VPC | VNet | VPC
VLAN | Bridge Domain/Subnet | CIDR/Subnet | Subnet | Subnet
VLAN Tag | Endpoint Groups/Endpoint Security Groups | Security Groups | Application/Network Security Groups | Firewall
Access-list (ACL) | Contracts & Filters | Security Group Rules | Security Rules | Firewall Rules

Slide 29: Policy Mapping - AWS (for your info & reference; AWS construct and its ACI equivalent)
- User Account: Tenant
- Virtual Private Cloud: VRF
- VPC subnet: BD Subnet
- Security Group: EPG
- Security Group Rule (Source/Destination: Subnet or IP or Any or Internet; Protocol; Port): Contracts, Filters
- Outbound rule: Consumed contracts
- Inbound rule: Provided contracts
- Network Adapter: EP to EPG Mapping
- EC2 Instance: End Point (fvCEp)
- Tag/Label: EPG membership
- Network Access List: Taboo

Slide 30: Policy Mapping - Azure (for your info & reference; Azure construct and its ACI equivalent)
- Resource Group: Tenant
- Virtual Network: VRF
- Subnet: BD Subnet
- Application Security Group (ASG): EPG
- Network Security Group (NSG) rules (Source/Destination: ASG or Subnet or IP or Any or Internet; Protocol; Port): Filters
- Outbound rule: Consumed contracts
- Inbound rule: Provided contracts
- Virtual Machine, Network Adapter: endpoint side (as on the AWS slide)
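The two policy-mapping slides pair "Inbound rule" with provided contracts and "Outbound rule" with consumed contracts, and put the Source/Destination, Protocol and Port of a cloud rule against ACI filters. The Python below is an added example, not Cisco's or Nexus Dashboard Orchestrator's code: it takes the flattened (consumer, provider, protocol, port) tuples a contract expands to and renders them as AWS security-group permissions and Azure NSG rules so the direction semantics are explicit. The group and ASG ids are labelled placeholders, the flow list is constructed from the Web/App/DB chain on the earlier slides, and the field names follow the EC2 IpPermission and Azure securityRule shapes as I know them.

```python
"""Added example, not Cisco's code: render ACI contract flows as AWS
security-group permissions and Azure NSG rules, following the pairing on the
policy-mapping slides.  Ids are placeholders; field names follow the EC2
IpPermission and Azure securityRule shapes as I know them."""

# Constructed input: the Web/App/DB chain from the policy-model slides.
FLOWS = [("External", "Web", "tcp", 443),
         ("Web", "App", "tcp", 2048),
         ("App", "DB", "tcp", 1433)]

# Placeholder ids.  "External" has no group: it is the Internet/Any source.
AWS_SG = {"Web": "sg-PLACEHOLDER-web", "App": "sg-PLACEHOLDER-app", "DB": "sg-PLACEHOLDER-db"}
AZURE_ASG = {"Web": "asg-PLACEHOLDER-web", "App": "asg-PLACEHOLDER-app", "DB": "asg-PLACEHOLDER-db"}


def aws_rules(flows, sg_ids):
    """Per security group: an inbound permission on the provider (the slide's
    'Inbound rule: Provided contracts') and an outbound one on the consumer
    ('Outbound rule: Consumed contracts'), each referencing the other group."""
    rules = {sg: {"ingress": [], "egress": []} for sg in sg_ids.values()}
    for cons, prov, proto, port in flows:
        perm = {"IpProtocol": proto, "FromPort": port, "ToPort": port}
        if cons in sg_ids:
            rules[sg_ids[prov]]["ingress"].append(
                dict(perm, UserIdGroupPairs=[{"GroupId": sg_ids[cons]}]))
            rules[sg_ids[cons]]["egress"].append(
                dict(perm, UserIdGroupPairs=[{"GroupId": sg_ids[prov]}]))
        else:  # consumer is Internet/Any: the source is a CIDR, not a group
            rules[sg_ids[prov]]["ingress"].append(
                dict(perm, IpRanges=[{"CidrIp": "0.0.0.0/0"}]))
    return rules


def azure_rules(flows, asg_ids, nsg_name="nsg-PLACEHOLDER"):
    """One Allow inbound NSG rule per flow, ASG to ASG, then an explicit deny.
    Azure already ends every NSG with a default DenyAllInBound rule; the explicit
    one at priority 4096 only makes the contract-only intent visible in review."""
    rules = []
    for n, (cons, prov, proto, port) in enumerate(flows):
        props = {"priority": 100 + 10 * n, "direction": "Inbound", "access": "Allow",
                 "protocol": proto.capitalize(), "sourcePortRange": "*",
                 "destinationPortRange": str(port),
                 "destinationApplicationSecurityGroups": [{"id": asg_ids[prov]}]}
        if cons in asg_ids:
            props["sourceApplicationSecurityGroups"] = [{"id": asg_ids[cons]}]
        else:
            props["sourceAddressPrefix"] = "Internet"  # Azure service tag
        rules.append({"name": f"allow-{cons}-to-{prov}-{port}".lower(), "properties": props})
    rules.append({"name": "deny-all-inbound", "properties": {
        "priority": 4096, "direction": "Inbound", "access": "Deny", "protocol": "*",
        "sourcePortRange": "*", "destinationPortRange": "*",
        "sourceAddressPrefix": "*", "destinationAddressPrefix": "*"}})
    return {"name": nsg_name, "securityRules": rules}


def rule_count(flows):
    """Reviewer sanity check: N flows should yield N inbound permissions on AWS
    and N Allow rules (before the deny) on Azure; any other count means a
    contract was lost or duplicated in translation."""
    aws = sum(len(v["ingress"]) for v in aws_rules(flows, AWS_SG).values())
    az = sum(r["properties"]["access"] == "Allow"
             for r in azure_rules(flows, AZURE_ASG)["securityRules"])
    return aws, az
```

The asymmetry is the point of the slide: a single ACI contract becomes two AWS permissions (ingress on the provider, egress on the consumer) but only one inbound Azure rule, because NSG rules are evaluated on the destination side and ASG references carry the source identity. When the consumer is the external EPG, the AWS rule has to fall back to a CIDR and the Azure rule to the Internet service tag, which is the place to check that a contract meant for one peer has not silently widened to "any".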
Slide 31: ACI Day 2 and Beyond: Making ACI Hum (section)

Slide 32: Cloud Networking: Challenges
Workload locations: Hypervisor, Container, Datacenter, Private cloud, IoT edge, Colocation.
- Connectivity and management: workloads are increasingly distributed and diverse. It is complex to connect workloads across multiple public cloud providers, data centers and edge locations.
- Zero trust and security: workload migration and the mobility of users make it significantly harder to enforce the right security policies across different environments. There is a need for a homogeneous experience across heterogeneous cloud environments.
- Visibility and automation: troubleshooting is harder in more decentralized architectures spanning different environments.

Slide 33: Cisco Nexus Dashboard: simple to automate, simple to consume
- Consume all services in one place: Insights, Orchestrator, Data Broker, SAN Controller, Fabric Discovery, Fabric Controller
- Private cloud, public cloud and third-party connectors
- Powering automation; unified agile platform

Slide 34: SPAN and Tap Aggregation with Data Broker
Production network types: Cisco ACI fabrics, Cisco Enterprise networks, Cisco NX-OS fabrics.
1. Production Network: capture traffic using SPAN/TAPs
2. Packet Broker Network: aggregate, filter, load balance
3. Tools (Analytics, Packet Sniffer, IDS): provide sanitized data to monitoring tools
Benefits:
- Nexus switch functions as packet broker
- Cost effective
- Turnkey automation with NDDB Controller
- Supports Tap Aggregation and inline redirection

Slide 35: Cisco Nexus Dashboard Insights
- Software and hardware telemetry from switches and APIC
- Intelligent operations powered by telemetry
- Data enrichment
- Artificial intelligence and machine learning
- Event correlation

Slide 36: Cisco Nexus Dashboard Insights: use cases and benefits
- Availability
- Insights
- End-to-end workflows
- Guided remediation
- TAC assist
- Topology checker
- Error detection, latency, packet drops
- Control plane issues
- Mitigate: prevent outages
- Pre-change analysis*
- Compliance alerts
- PSIRT notices
- EoS/EoL notices
- Automated alerts
- Explorer
- Hardening checks
- Software and hardware recommendations
- Identify, locate, root-cause, remediate
- Upgrade impact advisories

Slide 37: Key Takeaways
- Consistent SDN-enabled network policy across all the switches within a fabric
- The Multi-site architecture allows the same network policy to be applied across multiple sites, even cloud
- Nexus Dashboard Insights enables proactive day 2 operations for ACI, giving a better understanding of how the applications interact with the network

Slide 38: Fill out your session surveys!
- Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks (while supplies last)!
- Attendees will also earn 100 points in the Cisco Live Challenge for every survey completed.
- These points help you get on the leaderboard and increase your chances of winning daily and grand prizes.

Slide 39: Continue your education
- Visit the Cisco Showcase for related demos
- Book your one-on-one Meet the Engineer meeting
- Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
- Visit the On-Demand Library for more sessions at www.CiscoL

Slide 40: Thank you. #CiscoLive

Slide 41: Gamify your Cisco Live experience! Get points for attending this session!
How:
1. Open the Cisco Events App.
2. Click on Cisco Live Challenge in the side menu.
3. Click on View Your Badges at the top.
4. Click the + at the bottom of the screen and scan the QR code.