Friday, July 29, 2022

Application Centric Infrastructure (ACI) Overview

What is ACI?

  • Old: IP endpoint-based network
  • New: Application based network

  • Old: Manually configured network
  • New: Software based network

  • Declarative model → Promise Theory
    • We don’t want to tell every single port explicitly how to behave; we want to use promise theory to describe how we want the application to behave and let the fabric translate that down to the hardware.
    • For example: when we get into a taxi we tell the driver where we want to go; we don’t tell them how to get there, where to turn or how fast to drive, we just give the destination. Promise theory works the same way. We tell ACI what we want to accomplish, and ACI translates it down to the hardware as required.

  • Separation of Control Plane and Data Plane

Cisco Application Centric Infrastructure (Cisco ACI) in the data center is a holistic architecture with centralized automation and policy-driven application profiles. Cisco ACI delivers software flexibility with the scalability of hardware performance that provides a robust transport network for today's dynamic workloads. Cisco ACI is built on a network fabric that combines time-tested protocols with new innovations to create a highly flexible, scalable, and resilient architecture of low-latency, high-bandwidth links.

This system-based approach simplifies, optimizes, and accelerates the entire application deployment life-cycle across data center, WAN, access and cloud environments. In doing so, this system empowers IT to be more responsive to changing business and application needs. This ability enhances agility and adds business value.

Cisco ACI characteristics:

  • Application-centric fabric connectivity for:
    • Multi-tier applications
    • Traditional applications
    • Virtualized applications
  • Multivendor support
  • Physical and virtual endpoints
  • Policy abstraction

ACI Starts with a Better Switch – Nexus 9000

The Cisco Nexus 9000 platform has two modes of operation.

  • In the first mode (standalone), the Nexus 9000 runs an enhanced version of the NX-OS operating system to provide a traditional switching model with advanced automation and programmability capabilities.
  • In the second mode (ACI mode), the Nexus 9000 provides an application-centric representation of the network, using advanced features and profile-based deployments to abstract the complexity of the underlying network while improving application visibility and agility through DevOps methodologies.

Standalone Mode

  • Nexus 9300 and 9500
  • Behave as a regular Nexus L2/L3 switch.
  • Best in Class efficiency
  • Low latency and High 10G/40G Port Density

ACI Mode

  • Nexus 9300, Nexus 9500 Switches
  • Run an “ACI version” of software.
  • Managed by APIC
  • Spine and Leaf fabric Design

ACI Network Topology

The ACI topology is a Clos fabric:

  • All leafs uplink to all spines with 40/100 GigE
  • APICs connect to leafs with redundant 10 GigE links
  • Leafs do not plug into leafs
  • Spines do not plug into spines
  • Traffic flow is Host > Leaf > Spine > Leaf > Host
  • Scale out bandwidth by adding more spines

ACI is made up of 3 main components

  • Nexus 9K spine switches
  • Nexus 9K leaf switches
  • Application Policy Infrastructure Controller (APIC)

Cisco APIC

Cisco APIC is a policy controller. It relays the intended state of the policy to the fabric. The APIC does not represent the control plane and does not sit in the traffic path. The hardware consists of a cluster of three or more servers in a highly redundant array.

Key Point:

  • Policy Controller
  • Holds the defined policy - Management plane (Not the control plane, not in the traffic path)
  • Redundant cluster of three or more servers - Each server dual-homed for resilience
  • Leaf port density determines cluster requirements (see the Verified Scalability Guide for Cisco ACI)
  • Instantiates the policy changes

The Cisco APIC software is delivered on Cisco Unified Computing System (UCS) C-Series server appliances. The product consists of the server hardware and pre-installed Cisco APIC software.

  • Currently, two models and two generations
    • APIC-L2 (Large) and APIC-M2 (Medium) - C220 M4
    • APIC-L1 (Large) and APIC-M1 (Medium) - C220 M3
  • APIC controls the topology via a single GUI
    • Like UCSM, APIC is a shared management plane
    • APIC also supports CLI and APIs for automation

ACI Fabric Initialization

ACI Fabric supports discovery, boot, inventory, and systems maintenance processes via the APIC.

  • Fabric Discovery and Addressing
    • APIC finds a leaf
    • Leaf finds the spines
    • Spines find all other leafs
    • Minimal GUI configuration steps
  • Image Management
  • Topology validation through wiring diagram and system checks

Fabric initialization is covered in more detail in the next section.
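The cabling rules listed under ACI Network Topology above and the wiring-diagram validation step in this section can be expressed as a small check. This is an added Python example, not Cisco code; the node names, roles and link list are constructed, with two faults planted on purpose so the checker has something to find.

```python
from collections import defaultdict

# Constructed wiring diagram: roles per node and a cabling list of
# (node_a, node_b, link_speed_gbps). Planted faults: leaf3 lacks its uplink
# to spine2 and leaf1-leaf2 is an illegal leaf-to-leaf link.
ROLES = {"spine1": "spine", "spine2": "spine",
         "leaf1": "leaf", "leaf2": "leaf", "leaf3": "leaf", "apic1": "apic"}
LINKS = [("leaf1", "spine1", 40), ("leaf1", "spine2", 40),
         ("leaf2", "spine1", 40), ("leaf2", "spine2", 40),
         ("leaf3", "spine1", 40),
         ("leaf1", "leaf2", 40),
         ("apic1", "leaf1", 10), ("apic1", "leaf2", 10)]


def adjacency(links):
    adj = defaultdict(set)
    for a, b, _ in links:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def validate(roles, links):
    """Violations of the Clos rules: every leaf uplinks to every spine at 40/100G,
    no leaf-leaf or spine-spine links, APICs dual-homed to leaves at 10G."""
    errors = []
    for a, b, speed in links:
        pair = {roles[a], roles[b]}
        if pair == {"leaf"}:
            errors.append(f"leaf-to-leaf link {a}-{b}")
        elif pair == {"spine"}:
            errors.append(f"spine-to-spine link {a}-{b}")
        elif pair == {"leaf", "spine"} and speed not in (40, 100):
            errors.append(f"leaf uplink {a}-{b} is {speed}G, expected 40/100G")
        elif pair == {"apic", "leaf"} and speed != 10:
            errors.append(f"APIC link {a}-{b} is {speed}G, expected 10G")
        elif pair not in ({"leaf", "spine"}, {"apic", "leaf"}):
            errors.append(f"unsupported link {a}-{b}")
    adj = adjacency(links)
    spines = {n for n, r in roles.items() if r == "spine"}
    for n, r in roles.items():
        if r == "leaf":
            errors += [f"{n} has no uplink to {s}" for s in sorted(spines - adj[n])]
        elif r == "apic" and len(adj[n]) < 2:
            errors.append(f"{n} is not dual-homed")
    return errors


def ecmp_paths(roles, links, src_leaf, dst_leaf):
    """Spines shared by both leaves: each one is an equal-cost two-hop path."""
    adj = adjacency(links)
    return sorted(s for s in adj[src_leaf] & adj[dst_leaf] if roles[s] == "spine")
```

With the planted faults the checker reports exactly the leaf-to-leaf link and the missing leaf3 uplink, and ecmp_paths shows why leaf1 to leaf3 has only one equal-cost path while leaf1 to leaf2 has two.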

Spine-Leaf Topology

By using a spine-leaf topology, the fabric is easier to build, test, and support. Scalability is achieved by simply adding more leaf nodes if there are not enough ports for connecting hosts, and adding spine nodes if the fabric is not large enough to carry the load of the host traffic. The symmetrical topology allows for optimized forwarding behavior, needing only two hops for any host-to-host connection.

Advantages:

  • Simple and consistent topology
  • Scalability for connectivity and bandwidth
  • Symmetry for optimization of forwarding behavior
  • Least-cost design for high bandwidth
  • Low-latency and oversubscription

IS-IS Fabric Infrastructure Routing

The fabric leverages a densely tuned environment utilizing Level 1 connections within the topology for advertising loopback addresses. These loopback addresses are the VTEPs (VXLAN Tunnel Endpoints) that are used in the integrated overlay and advertised to all other nodes in the fabric for overlay tunnel use.
Main features of IS-IS in Cisco ACI:

IS-IS is responsible for infrastructure connectivity:

  • Advertises VTEP addresses
  • Computes multicast trees
  • Announces tunnels from every leaf to all other fabric nodes

IS-IS is tuned for a densely connected fabric. IS-IS is also responsible for generating the multicast forwarding tag (FTAG) trees in the fabric using vendor TLVs.

Decoupling of Endpoint Location and Policy

The Cisco ACI fabric decouples the endpoint address from the location of that endpoint and defines the endpoint by its locator or VTEP address. Forwarding between VTEPs leverages an enhanced VXLAN header format. The mapping for host and tenant MAC and IP address to the location is performed using a distributed mapping database for reachability.
Main points about Endpoint location and policy:

  • Endpoints identified by IP or MAC address
  • Endpoint location specified by VTEP address
  • Forwarding occurs between VTEPs
  • Transport based on enhanced VXLAN header format
  • Distributed reachability database maps endpoints to VTEP locations

Notes: ACI Behind the Scenes

  • An automated VXLAN overlay tunnel system
  • Support both layer 2 and layer 3 VXLAN gateways
  • VLANs now have port-local significance
  • Underlay network uses IS-IS for transport

Leaf switches are the VXLAN Tunnel Endpoints (VTEPs); the spines provide VTEP-to-VTEP IP transport.

Physical, Virtual and Distributed

  • Some endpoints are bare metal and some are virtual, and today more and more workloads are moving to virtualized environments.
  • So we must support any type of hypervisor and any type of bare-metal host.
  • That is what ACI does: it supports hypervisors such as Microsoft Hyper-V and KVM as well as bare metal, and policy can be applied to any of them.

The other great thing ACI does for us is called normalization.

  • We take whatever encapsulation comes into the fabric, which can be a standard 802.1Q VLAN tag, a VXLAN ID or NVGRE, and normalize the traffic into application endpoint groups (covered in the next section).
  • Essentially, the fabric can speak any language coming in.
  • Once an endpoint is in the fabric, ACI treats it with the same policy regardless of the encapsulation type it uses.

Important Points to Remember

  • STP (Spanning Tree) is not used in ACI because STP would block one of the links.
  • ACI uses ECMP (equal-cost multipathing) between two leaf switches: the spine is the only hop, and because the cost via every spine is the same, traffic is load balanced across them.
  • ACI is a layer 3 fabric; the IS-IS routing protocol builds the routing table.
  • VXLAN is used to build the overlay network.
  • Every network in ACI is host based, i.e., a /32.
  • LLDP is the protocol used to discover the switches at layer 2.
  • DHCP is used by the APIC to allocate an IP address to each switch.
  • ACI follows a whitelisting model: by default everything is blocked unless we explicitly allow it, which is very good from a security point of view.
  • In ACI, everything we configure is stored in the form of objects and policies, which can be accessed using the Cisco APIC API.
  • Configuration is stored in XML or JSON format; these can be configured through the APIs as well.
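The decoupling of endpoint identity from VTEP location described under "Decoupling of Endpoint Location and Policy" and the whitelisting model in the list above, as an added Python model (not Cisco code): the mapping database resolves an IP or MAC to its VTEP locator, an endpoint move changes only the locator, and nothing crosses an endpoint-group boundary unless a rule permits it. Endpoint groups, addresses and the Fabric/Endpoint names are constructed for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    mac: str
    ip: str
    vtep: str    # locator: address of the leaf VTEP where the endpoint was learned
    group: str   # endpoint group that policy is applied to


@dataclass
class Fabric:
    # Mapping database keyed by identity (IP or MAC). Identity never changes;
    # only the locator does when an endpoint moves to another leaf.
    db: dict = field(default_factory=dict)
    # Whitelist of (source group, destination group) pairs explicitly permitted.
    # Directional in this toy model; nothing else crosses group boundaries.
    allowed: set = field(default_factory=set)

    def learn(self, ep: Endpoint) -> None:
        self.db[ep.ip] = ep
        self.db[ep.mac.lower()] = ep

    def move(self, key: str, new_vtep: str) -> None:
        """Endpoint moved to another leaf: update its locator, keep its identity."""
        self.db[key.lower()].vtep = new_vtep

    def permit(self, src_group: str, dst_group: str) -> None:
        self.allowed.add((src_group, dst_group))

    def forward(self, src_key: str, dst_key: str):
        """Returns ('permit', src_vtep, dst_vtep) or ('deny', reason)."""
        src, dst = self.db.get(src_key.lower()), self.db.get(dst_key.lower())
        if src is None or dst is None:
            return ("deny", "unknown endpoint")
        # Traffic inside one group is allowed by default (standard ACI behaviour,
        # not spelled out on this page); across groups only if whitelisted.
        if src.group != dst.group and (src.group, dst.group) not in self.allowed:
            return ("deny", f"no policy permits {src.group} -> {dst.group}")
        return ("permit", src.vtep, dst.vtep)


def build_sample() -> Fabric:
    """Constructed sample: a web and a db endpoint learned on different leaves."""
    fabric = Fabric()
    fabric.learn(Endpoint("00:50:56:aa:bb:01", "10.1.1.10", "10.0.0.11", "web"))
    fabric.learn(Endpoint("00:50:56:aa:bb:02", "10.1.2.20", "10.0.0.12", "db"))
    return fabric
```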
