Agenda
• Introduction to ACI and its Advantage
• ACI Design Option
• Traditional Options
How Cisco Data Center Switching Has Evolved
From the Catalyst 6500 to the existing Nexus 9000 family (timeline as shown on the slide):
• Catalyst 6000 / 6500 (from 2000 / 2003): flagship campus and datacenter switch with 100/1GE market leadership
• Nexus 7000 (2007 / 2008): 1st product in the Nexus family, aimed to transition from Cat6K with a 1/10GE focus
• Nexus 2K / 5K / 6K (2008): launched as part of the UCS foundation (FEX and FCoE innovation); transition to ToR-based designs
• Nexus 3K / 3500 (2011): Nexus 3064 was the 1st DC switch with merchant silicon (targeting HFT initially); Nexus 3548 followed with Cisco ASIC
• Nexus 7700 (2012): N7K architecture evolution bringing higher performance and 100GE
• Nexus 9K / ACI (2014): foundation to ACI with focus on 10GE and 40GE at scale
Distributing the Switch Fabric
Nexus 7706 (modular chassis) compared with a Spine-Leaf Fabric:
• Fabric Modules ~ Spine Layer (connectivity between line cards; system bandwidth can be increased by adding or upgrading modules)
• Line Cards (host-facing ports) ~ Leaf Layer
• Supervisor ~ APIC (in ACI)
SDN technologies such as VXLAN overlays and SDN controllers make distributing the switching components possible. An L3 Spine-Leaf switch fabric eliminates spanning-tree and builds a large virtual L2/L3 switch optimized for East-West traffic flows.
Now let’s imagine a network switch …
… at the moment, largely configured on the CLI
All nodes are managed and operated independently, and the actual topology dictates a lot of configuration:
• Device basics: AAA, syslog, SNMP, PoAP, hash seed, default routing protocol bandwidth …
• Interface and/or Interface Pairs: UDLD, BFD, MTU, interface route metric, channel hashing, queuing, LACP, …
• Fabric and hardware specific design: HW tables, TCAM, …
• Switch Pair/Group: HSRP/VRRP, VLANs, vPC, STP, HSRP sync with vPC, routing peering, routing policies, …
• Application specific: ACL, PBR, static routes, QoS, …
• Fabric wide: MST, VRF, VLAN, queuing, CAM/MAC & ARP timers, CoPP, routing protocol defaults
Cisco ACI solves the problem …
Interfaces, protocols, TCAM, etc. … all represented in an object model, and ALL accessible through an XML/JSON API and CLI
APIC becomes the single point of management for the entire fabric … with a policy-based model
… and the fabric acts like a single (virtualized) switch
Adding, removing or replacing nodes becomes extremely simple
And so do network upgrades …
… and you get the best troubleshooting with full physical, virtual and services visibility …
Cisco ACI for the Network Admin
ACI Delivers On the Top Network Admin Expectations
ACI Operational Simplicity
ACI – Day 2 Tools for Simplified Operations
• System Health Scores
• Endpoint Tracker
• Statistics Per App
• Real-time Heat Maps
• Endpoint Contract Deny Logs
• Troubleshooting Wizard
ACI Policy Model
Policy Defined by Application: ACI translates the Application Language into the Network Language and pushes configurations automatically to the entire network
ACI Whitelist Policy supports “Zero Trust” Model
Whitelist policy = Explicitly configured ACI contract between EPG 1 and EPG 2 allowing traffic between their members
• Trust based on location (Traditional DC Switch): servers 1, 2, 3 and 4 share one segment; Servers 2 and 3 can communicate unless blacklisted
• Zero Trust Architecture (Nexus 9K with ACI): servers 1, 2, 3 and 4 are grouped into EPG 1 “WEB” and EPG 2 “APP”; no communication is allowed between Servers 2 and 3 unless there is a whitelist policy
The ACI Policy Model – Replicates a Traditional Switch
• Tenant ≈ VDC
• VRF ≈ VRF
• Bridge Domain ≈ Subnet/SVI
• End Point Group ≈ Broadcast Domain/VLAN (Private VLAN)
• Contracts ≈ Access Lists (e.g. an Any-Any contract between EPG1 and EPG2)
• L2 External EPG ≈ 802.1q Trunk
• L3 External EPG ≈ L3 Routed Link
The ACI Policy Model – Network Centric Configuration
(Diagram) Tenant → Global VRF/Routing Table and Protocol → BD VLAN 10 ([Link]/24), BD VLAN 20 ([Link]/24), BD VLAN 30 ([Link]/24) → EPG VLAN 10, EPG VLAN 20, EPG VLAN 30, joined by Any-Any Contracts
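As an added example (not from the slides), the following Python models the two behaviours described above: a traditional switch lets servers 2 and 3 talk unless an ACL blacklists them, while the ACI fabric denies inter-EPG traffic until a contract between the consumer EPG and the provider EPG whitelists it; the Network Centric case, where an Any-Any contract between VLAN-mapped EPGs reproduces the traditional behaviour, is covered by the default Any-Any filter. Endpoint and EPG names are constructed, and treating a contract as consumer-initiates-toward-provider is a simplification of the real ACI contract semantics.

```python
"""Constructed model of the ACI whitelist (zero-trust) policy beside a traditional
blacklist switch. Endpoints belong to an EPG; inter-EPG traffic is permitted only when
a contract between the consumer EPG and the provider EPG matches the flow."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str      # source endpoint name
    dst: str      # destination endpoint name
    proto: str    # "tcp", "udp" or "icmp"
    dport: int    # destination port (0 for icmp)


@dataclass(frozen=True)
class Contract:
    name: str
    consumer: str                     # EPG that initiates (e.g. "WEB")
    provider: str                     # EPG that serves (e.g. "APP")
    filters: tuple = (("any", 0),)    # (proto, dport) entries; ("any", 0) = Any-Any


@dataclass
class AciFabric:
    epg_of: dict                       # endpoint name -> EPG name
    contracts: list = field(default_factory=list)
    intra_epg_allowed: bool = True     # ACI default: members of one EPG talk freely

    def permitted(self, f: Flow) -> bool:
        """Whitelist model: deny unless a contract explicitly allows the flow."""
        src_epg, dst_epg = self.epg_of[f.src], self.epg_of[f.dst]
        if src_epg == dst_epg:
            return self.intra_epg_allowed
        for c in self.contracts:
            if c.consumer != src_epg or c.provider != dst_epg:
                continue
            if any(p == "any" or (p == f.proto and port == f.dport)
                   for p, port in c.filters):
                return True
        return False


def traditional_permitted(f: Flow, acl_deny: set) -> bool:
    """Trust based on location: one broadcast domain, allowed unless blacklisted."""
    return (f.src, f.dst, f.proto, f.dport) not in acl_deny


# Constructed sample: servers 1-2 in EPG "WEB", servers 3-4 in EPG "APP"
EPGS = {"srv1": "WEB", "srv2": "WEB", "srv3": "APP", "srv4": "APP"}
WEB_TO_APP = Contract("web-to-app", consumer="WEB", provider="APP", filters=(("tcp", 8080),))
```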
ACI Design Option
ACI Design Reference (diagram; Internet at the top of the fabric)
Hardware Reference
• Nexus 9372PX-E: leaf switch, 1.44 Tbps, 48 port downlink
• Nexus 9504: spine switch, 15 Tbps
• Nexus 9336: spine switch, 2.88 Tbps
Traditional Options
LAN-WAN-Internet design (diagram; only the labels survived extraction): WAN / Internet edge, FMC, 7K-1 / 7K-2, FP-1 / FP-2, BL-SW-1 / BL-SW-2, Blade Chassis server
Sample ASA clustering topo (diagram; only the labels survived extraction): FP-1 and FP-2 cluster members with port-channels po31 / po32; 7K-1 and 7K-2 joined by po1 = peer-link (1/1-2) with Po2 = data link; L2-SW 1 and L2-SW 2 carrying the CCL; a KAL link; a Server
ASA Clustering
Cluster Control Link (CCL) carries all data and control communication between cluster members:
• Master discovery, configuration replication, keepalives, interface status updates
• Centralized resource allocation (such as PAT/NAT, pinholes)
• Flow Director updates and Owner queries
• Centralized and asymmetric traffic redirection from Forwarders to Owners
CCL requirements:
• Must use the same dedicated interfaces on each member
• Separate physical interface(s), no sharing or VLAN sub-interfaces
• An isolated non-overlapping subnet with a switch in between members
• No direct back-to-back connections
• No packet loss or reordering; up to 10ms one-way latency
• CCL loss forces the member out of the cluster
(Diagram labels: vPC, CCL, ASA Cluster)
ASA Clustering
Data Interfaces Mode
Recommended data interface mode is Spanned Etherchannel “L2”: multiple physical interfaces across all members bundle into a single Etherchannel (Data Link towards the vPC pair).
  asa(config)# interface Port-Channel1
  asa(config-if)# port-channel span-cluster
(Diagram labels: vPC, Data Link, ASA Cluster)
ASA Clustering
• External Etherchannel load-balancing algorithm defines the per-unit load
• All units use the same virtual IP and MAC on each logical data interface
Physical connectivity (diagram labels): outside vlan 300, CCL, vPC, ASA Cluster, Data Link, inside vlan 101,102…