Migration from Classic Design to ACI Fabric - alcatron.net Live 2014 Melbourne/Cisco Live... ·...

Migration from Classic Design to ACI Fabric BRKDCT-2642

Kannan Ponnuswamy

Solution Architect

Cisco Advanced Services

© 2014 Cisco and/or its affiliates. All rights reserved. BRKDCT-2642 Cisco Public

Acronyms

3

IOS

AAA VDC

ISE STP

FTP UCS

ToR

QoS OTV

PIM

CDP

vPC

FEX

ASA

RIP TAC

BGP

VSG

CPU

ARP Network Programmability

IaaS PaaS SaaS

SECaaS

XaaS

MTIaaS

VRF

ACI


Icons and Terms

Cisco Nexus 9500 Cisco Nexus 9300

Router Load Balancer Firewall

APIC

Application Policy Infrastructure Controller

(APIC)

Storage VMware

vCenter

Nexus 5000 Nexus 7000 Nexus 2000 / FEX Nexus 1000

Virtual Machine

4


APIC

Agenda

Application Centric Infrastructure (ACI) Overview

Planning for the future with Nexus 9000

Migration to ACI

Network Centric

Hybrid Approach

Application Centric

5


ACI Overview

6

Physical

Virtualisation

Networking

APP DB POLICY WEB

HYPERVISOR HYPERVISOR HYPERVISOR

APIC Application

External Network POLICY POLICY

Polic

y D

riven

Merc

hant+


Nexus 9000 Series

Open, Flexible, & Choice

of Programmability

Modes

Per-Box

Programmability

Policy Controller,

Centralised Fabric

Programmability

1/10/40/100GE

Common Platform

Network Ops Driven, Switch

Automation

User Driven, Policy Based Fabric

Automation

APIC

7


Migration Paths to ACI

8

ACI Fabric

Current DC

Infrastructure

Classic mode • Growth – Addition

• Network refresh

ACI Integration • New environments

• Service Chaining

• Dev, Test

ACI Migration • Business drivers

• Security, Compliance, TCO,

Programmability, Operations etc.


APIC

Agenda



Migration to ACI

Network Centric

Hybrid Approach

Application Centric

9


Classic Mode Adoption – Nexus 9000 Series

10

vPC

N9500

N5K

N2K

Layer 3

Layer 2

vPC

vPC

N7K

N9300

VM

#4

VM

#3

VM

#2

Layer 3

Layer 2

New access POD or Catalyst Replacement

Aggregation Catalyst Replacement

VM

#4

VM

#3

VM

#2

N2K

New Aggregation, Access POD

vPC

VM

#4

VM

#3

VM

#2

N2K

vPC

vPC vPC

N9500

N9300

Layer 3

Layer 2 C6500

10


Classic Mode Adoption - VxLAN on Nexus 9000 Series

VXLAN Overlay

Workload mobility

L2 Multipathing

VXLAN Gateway (VXLAN to VLAN)

VXLAN Bridging (VXLAN to VXLAN at L2)

VXLAN Routing

Routing between VXLANs and VLAN to VXLAN

Anycast Gateway for vPC setup

11


Classic Mode Tools for Nexus 9000 Series

12

On CCO: Catalyst 6500/4500 IOS to Nexus 9000 NX-OS Configuration Converter


Open Source for Nexus 9000 Series

Community contributed code and samples

Sample scripts for automation, operations and

general use

Python Modules to aid in rapid development

For custom use cases, development could be

done by your in-house team

https://github.com/datacenter/nexus9000/tree/master/nx-os

Cisco Advanced Services 13





Nexus Deployment Assistant

POD builder questionnaire

• Select technology you would like to deploy

• Select aggregation, access devices, line cards

• Select connectivity requirements

• Select protocol settings and other configuration

Cisco AS

Best

Practices

14


Nexus Deployment and Migration Tool

15

Nexus Deployment Assistant + Selective Catalyst IOS to Nexus 9000 config migration

Current Device Module Selected Interfaces

Access Switch #1 WS-X6548-GE-TX GigabitEthernet1/1

GigabitEthernet1/2

GigabitEthernet1/3

GigabitEthernet1/4

Access Switch #2 WS-X6748-GE-TX GigabitEthernet3/1

GigabitEthernet3/2

GigabitEthernet3/3

GigabitEthernet3/4

Target

Device Module

Target

Interfaces

vPC Pair

NewAccess1

NewAccess2

N9K-X9564TX Ethernet1/1

Ethernet1/2

Ethernet1/3

Ethernet1/4


Nexus Deployment and Migration Tool

16

• Automate Nexus 9000 deployment and configuration

• Catalyst and Nexus 9000 integration and end device migration

• Migrate any Catalyst 6500 topology to any Nexus 9000 topology

Deployment Assistant

Catalyst Environments

Si Si Si Si

Si Si Si Si

Si Si Si Si

VSS

Si Si Si Si

Nexus Deployment

Cisco AS

Best

Practices



APIC

Agenda



Migration to ACI

Network Centric

Hybrid Approach

Application Centric

17

Deploying an ACI POD


ACI Fabric

ACI Fabric Initialisation

19

APIC APIC APIC

ACI Fabric supports discovery, boot, inventory

and systems maintenance processes via the APIC

• Fabric Discovery and Addressing

• Image Management

• Topology validation through wiring diagram

and systems checks


Tenant

Bridge Domain One

ACI Forwarding Model

20

EPG_N EPG_1

VRF_Context_One

Bridge Domain One

EPG_N EPG_1

VRF_Context_N

192.168.1.0/24

10.10.0.0/16

Bridge Domain N

EPG_Legacy

Non-IP, L2 forwarding only

• A collection of end-points form an end-point

group(EPG). EPG associates to a BD.

• EndPoints Identified by: • Physical or Virtual Switch ports, VLAN ID, VNID

• Future - NVGRE (VSID), DNS hostname, IP address

• A Tenant refers to one or more VRFs/Contexts

• A Context/VRF is referred to by one or more

Bridge Domains (BD)

• Bridge Domains identify properties influencing

forwarding behaviour. One or more subnets,

ARP handling, Multicast etc.

10.10.0.0/16


Tenant

ACI Policy Model

Application Profile

C Contracts define what an EPG

exposes to other EPGs and how

Contracts are reusable for

multiple EPGs and EPGs

can inherit multiple

contracts

C

C

EPG NFS

EPG MGMT

EPG DB EPG App EPG Web C C C

21


ACI Policy Model – What is a Contract

Allows to specify rules and policies on

groups of physical or virtual end-points

without understanding of specific

identifiers and regardless of physical

location.

…

filter action

filter action

filter action

filter action

identifier to which

actions will be

applied

L4 port ranges

TCP options

…

identifies actions to

be applied

Permit

QoS

Log

Redirect to Services …

defined bi-directionally in the “provider” centric way

C

22


No Such Thing as Enough Security

23

http://www.pcworld.com/article/2031580/mcafee-warns-of-malware-targeting-point-of-sale-systems.html

McAfee_Labs_Threat_Advisory_EPOS_Data_Theft.pdf

http://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24927/en_US/McAfee_Labs_Threat_Advisory_EPOS_Data_Theft.pdf


ACI Adoption Strategies

24

ACI Fabric Model New OPERATIONS Model DESIGN Model = +

New ACI Fabric Operational Model

ACI Fabric

Leverage Known

APPLICATIONS

Constructs (decoupled

from Network)

OPERATIONS DESIGN

Leverage Known

NETWORKING

Constructs OPERATIONS DESIGN

HYBRID: Leverage BOTH

APPLICATIONS &

NETWORKING

Centric Constructs

OPERATIONS DESIGN


APIC

Agenda



Migration to ACI

Network Centric

Hybrid Approach

Application Centric

25


Classic

Access Switches

APIC

Network Centric Deployment Example 1 VRF + 1 VLAN

VLAN 10

.101

.102

1.1

.1.0

/30

1.1

.1.1

2/3

0

1.1

.1.0

/30

1.1

.1.1

2/3

0

.3 .2

Bridge Domain Blue_1

10.10.10.1/24

Blue Tenant

and Context

External EPG

Exchange

Routes (Blue)

Tag 10

.102

Policies

EPG blue_1

10.10.10.1/24

VRF Blue

•Routing

•VLAN 10

•HSRP

•Access List

•QoS etc.

Classic mode shown here for Reference ACI Fabric

.101

Tag could be VLAN ID or VNID

26


APIC

Classic Access VLAN 10

(10.10.10.0/24)

Vlan 10,11

1.1

.1.0

/30

1.1

.1.1

2/3

0

1.1

.1.0

/30

1.1

.1.1

2/3

0

BD Blue_1

(10.10.10.1/24)

Blue Tenant

and Context

External EPG

Exchange

Routes (Blue)

Tag 10

Policies

EPG

blue_1

VLAN 11

(10.10.11.0/24)

Tag 11

BD Blue_2

(10.10.11.1/24)

EPG

blue_2

ACI Fabric

Network Centric Deployment Example 1 VRF + 2 VLANs – Option 1

Classic mode shown here for Reference

27


APIC

Classic Access

28

VLAN 10

(10.10.10.0/24)

Vlan 10,11

1.1

.1.0

/30

1.1

.1.1

2/3

0

1.1

.1.0

/30

1.1

.1.1

2/3

0

BD Blue_1

10.10.10.1/23

Blue Tenant

and Context

External EPG

Exchange

Routes (Blue)

Tag 10

Policies

EPG

blue_1

VLAN 11

(10.10.11.0/24)

What if different policies between two groups mandated separate VLANs in Classic Networks.

EPG

blue_2

Tag 11

ACI Fabric


1. Policies are based on EPG

2. Forwarding is based on BD attributes

X


28


Classic Access


29

VLAN 10

(10.10.10.0/24)

Vlan 10,11

1.1

.1.0

/30

1.1

.1.1

2/3

0

APIC

1.1

.1.0

/30

1.1

.1.1

2/3

0

BD Blue_1

10.10.10.1/23

Blue Tenant

and Context

External EPG

Exchange

Routes (Blue)

Tag 10

Policies

VLAN 11

(10.10.11.0/24)

What if two VLANs was only due to ARP broadcast concerns.

ACI Fabric 1. Forwarding based on destination IP Address for intra and inter subnet (Default Mode)

2. Hardware based directed ARP forwarding

EPG blue_1


29

Network Centric ACI Migration


Access

.102

Network Centric Migration Example VRF + 2 VLANs

VLAN 10

(10.10.10.0/24)

Vlan 10,11

1.1

.1.1

2/3

0

APIC

1.1

.1.0

/30

BD Blue_1

Blue Tenant

and Context

External EPG

Tag 100

Policies

EPG

blue_1

Migration

Tag 101

BD Blue_2

10.10.11.1/24

EPG

blue_2

Layer 2 vPC Trunk

Layer 3 Routing

Static, OSPF, BGP

• STP compatibility with Classic Network

• VLAN 10 maps to BD Blue_1


• Classic Devices are still the Default Gateway

• Equally applicable to L4-7 services (FW/LB)

in the Classic Network

• Flooding enabled on ACI BDs during

migration

• Once migration completed, insert needed

services and move Default Gateway ACI BDs

L2_

Out L2_

Out

Tag could be VLAN ID or VNID.

.101

VLAN 11

(10.10.11.0/24)

31

© 2014 Cisco and/or its affiliates. All rights reserved. BRKDCT-2642 Cisco Confidential

ACI Fabric

ACI Integration and Migration

10G/40G to ACI

Layer 3

Layer 2 - 1GE

Layer 2 - 10GE

10 GE DCB

10 GE FCoE/DCB

4/8 Gb FC

32


ACI Integration and Migration

10G/40G to ACI

Layer 3

Layer 2 - 1GE

Layer 2 - 10GE

10 GE DCB

10 GE FCoE/DCB

4/8 Gb FC

ACI Fabric

L3

L2

Forwarding Flow

Migration Path

• Default Gateway moves to ACI Leaf layer

• EPG = VLAN / Subnet (initial step)

• Host / FEX can migrate to Leaf (overtime)

33


Many Migration Options

Option 1:

Migrate FEX to

9300 Option 2:

Migrate 5500 +

FEX to 9300 Option 3: Interconnect

existing POD to Fabric

APIC

34


APIC

Agenda



Migration to ACI

Network Centric

Hybrid Approach

Application Centric

35


Access

AppThree’s

WebServer AppTwo’s

WebServer

AppOne’s

WebServer

Deployment Example – Hybrid Approach

VLAN 10 (10.10.10.0/24)

APIC

.3 .2

Blue Tenant

and Context

External

EPG

Exchange

Routes (Blue)

Policies

AppOne’s

WebServer

AppTwo’s

WebServer

AppThree’s

WebServer

External Network

External Network

VLAN 11

(10.10.11.0/24 Tag 2011

EPG 11

BD Blue_1

10.10.10.1/24

BD Blue_2

10.10.11.1/24

EPG

One-web EPG

Two-web

EPG

Three-web

Tag 101

Tag 102

Tag 100


36

Hybrid (Network and Application Centric) ACI Migration


Access

AppTwo’s

WebServer

AppThree’s

WebServer

ACI Migration for Hybrid Approach

APIC

Blue Tenant

and Context

External

EPG

Exchange

Routes (Blue)

Policies

VLAN 11

(10.10.11.0/24 Tag 2011

EPG 11

BD Blue_1

BD Blue_2

EPG

One-web EPG

Two-web

EPG

Three-web

Tag 101

Tag 102

Classic L2 Extension.

• STP compatibility with Classic Network



• Classic Devices are still the Default

Gateway

• Flooding enabled on ACI BDs during

migration

• Equally applicable to L4-7 services

(FW/LB) in the Classic Network

• Once migration completed, insert

needed services and move Default

Gateway ACI BDs

AppOne’s

WebServer

VLAN 10 (10.10.10.0/24)

Tag 100

38


Virtual Environment Migration Example

L3

L2

N5500 N5500

N7K N7K ACI Fabric

VMware vSwitch, DVS, N1kV

L3 L3

L3 L3

“APIC Created” VMware DVS / Cisco N1kV

vCenter

vShield

L2 L2 L2 L2

vMotion / Cold Migration

“APIC Created” VMware DVS / Cisco N1kV

39


ACI Virtual Migration Assistant

• User and Workflow driven

• Multiple scenarios

• vSwitch ACI

• DVS ACI

• N1kv ACI

• Any Combination ACI


40


APIC

Agenda



Migration to ACI

Network Centric

Hybrid Approach

Application Centric

41


Application Centric Migration Building the Application Profile – an Example

Oracle Internet Expenses

42


C Intranet EPG

@ Border Leaf

C

Other

Applications

TCP: *,443


43


Intranet EPG

@ Border Leaf

C

C

Expenses EPG

Extranet EPG

@ Border Leaf

Oracle

RAC DB

C

C


44


ACI Introduction L3

L2 Spine

Leaf

ACI Deployments for Known Application Profiles

N7K N7K

N9K N9K

N9300 N9300 N9300 N9300 N9300 N9300 N9300 N9300

Integrated L4-L7 Services

Physical & Virtual

V

Internet WAN / DCI ACI POD for Greenfield or well understood applications

45


Defining Profiles for Applications in Use

Common Customer Challenges

• Lack of confidence on existing information • CMDB, Single Source of Truth (SSOT), IPAM etc.

• Not knowing End-Point (EP) details • Identification

• In-use vs decommissioned

• Unsure on App ↔ Host association

• List of L4 ports: Client or Server

• EPs classification and Application grouping assignment • Customer needs guidance

• Application End Point Groups and associated policies 46


Application Network Profile Discovery Unknown Application Network Profiles

47

Web Tier

FW

LB

APP 1 DB 1 F/W

LB

WEB 1

FW

LB

APP 3 DB 3 F/W

LB

WEB 3

FW

LB

APP 2 DB 2 F/W

LB

WEB 2

App Tier DB Tier

F/W

LB FW

LB


Application Network Profile Explorer Tool (Post Network Centric Migration)

48

User

Changes

Analysis &

ANP Proposal

Network Data Analysed: • Device Configurations

• Protocol State

• Traffic Capture

FW

LB

APP 2 DB 2 F/W

LB

WEB 2

APIC


Commit APIC Profile changes


Application Network Profile Explorer Tool (Pre Migration)

49

User

Changes

Analysis &

ANP Proposal

Network Data Analysed: • Device Configurations

• Protocol State

• Traffic Capture

FW

LB

APP 2 DB 2 F/W

LB

WEB 2

APIC


Commit ANP


ACI Deployment Assistant (Post Network Centric Migration)

Network Discovery: • Device

Configurations

• Protocol State

• Traffic Capture

Server Discovery: • Servers

• Process

• Network Stats

Application Dependency Analysis • Network and Server data

correlation

• Application fingerprinting

• Customer input


APIC

• Comprehensive Application Dependencies

• Multiple Application Network Policies

• Application, Server Mapping

• Automate APIC Profile changes Cisco Advanced Services

50


ACI Deployment Assistant (Pre Migration)

Network Discovery: • Device

Configurations

• Protocol State

• Traffic Capture

Server Discovery: • Servers

• Process

• Network Stats

Application Dependency Analysis • Network and Server data

correlation

• Application fingerprinting

• Customer input


APIC

• Comprehensive Application Dependencies

• Multiple Application Network Policies

• Application, Server Mapping

• Automate Physical, Virtual Migration Cisco Advanced Services

51


ACI Migration Summary

52

• ACI designed from the ground-up to be Application Centric

• Flexible and customisable to fit your business needs

• A phased approach: Grow, Integrate, Migrate

• Solution flexible to be Network Centric, Application Centric or a Hybrid approach

Thank You!!

Q & A


Complete Your Online Session Evaluation

Give us your feedback and receive a Cisco Live 2014 Polo Shirt!

Complete your Overall Event Survey and 5 Session Evaluations.

Directly from your mobile device on the Cisco Live Mobile App

By visiting the Cisco Live Mobile Site www.ciscoliveaustralia.com/mobile

Visit any Cisco Live Internet Station located throughout the venue

Polo Shirts can be collected in the World of Solutions on Friday 21 March 12:00pm - 2:00pm

Learn online with Cisco Live!

Visit us online after the conference for full access

to session videos and presentations.

www.CiscoLiveAPAC.com

54

http://www.ciscoliveaustralia.com/mobile

http://www.ciscoliveapac.com/

Date post:	12-Mar-2018
Category:	Documents
Upload:	trinhliem
View:	215 times
Download:	1 times

Migration from Classic Design to ACI Fabric - alcatron.net Live 2014 Melbourne/Cisco Live... ·...

Documents