0% found this document useful (0 votes)

16 views304 pages

ACI Fundamentals

The document compares underlay and overlay networks, detailing the architecture and functionality of VXLAN as an overlay technology. It explains data-plane and control-plane learning methods, emphasizing the use of BGP for MAC address learning and routing in an ACI network. ACI is described as an automated overlay network operating over an ISIS underlay, facilitating the management of network services through a centralized platform (APIC).

Uploaded by

Luis Salvador Torres Aguilar

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

16 views304 pages

ACI Fundamentals

Uploaded by

Luis Salvador Torres Aguilar

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 304

Underlay vs Overlay

Underlay vs Overlay ( Cont. )

Underlay
OSFP
IS-IS
Underlay vs Overlay ( Cont. )
Overlay

VXLAN
Architecture
Architecture ( Cont. )
Architecture ( Cont. )
Architecture ( Cont. )
Architecture ( Cont. )
Architecture ( Cont. )
Architecture ( Cont. )
What is an VXLAN?
The simplest VxLAN model is data-plan learning.
It’s also known as ‘bridging’, as it acts as a layer-2
bridge between hosts.
As the ‘flood and learn’ suggests, some traffic is
flooded through the underlay. It’s a lot like regular
ethernet in this way. Also, there’s no built-in support for
routing
Encapsulation

Ethernet Frame
Encapsulation ( Cont. )
VXLAN Header

•Reserved (8 bits) – Currently unused information. This is set to zero on transmission and ignored when received
•VNI (24 bits) – The VNI ID number. 24 bits allows for about 16 million possible VNI’s
•Reserved (24 bits) – As before, this is currently unused
•Flags (8 bits) – Currently only bit 3 is used. This is the I flag, and indicates if this is a valid VNI
Encapsulation ( Cont. )
VXLAN UDP

After the VxLAN header, the VTEP adds a UDP header. This uses a destination port
of 4789, and a random source port.
Encapsulation ( Cont. )
VXLAN IP (VTEP )
L2

VNI 5001 L3

VTEP 10.0.0.1
VNI 9001
Address Learning
Address Learning ( Cont. )
BUM ( Broadcast, Unknown unicast, Multicast )
Address Learning ( Cont. )
VNI Mcast Group
1701 224.0.17.1
9000100 224.0.0.100
16 224.0.44.57
Address Learning ( Cont. )
Address Learning ( Cont. )
Data Plane Learning ( Bridging )

Data plane learning is the typical flood-and-learn style. It’s in the original
VxLAN specification and is very similar to the way Ethernet learns addresses.

The other reason this is called bridging is that this is a layer-2 only solution. There is
no built-in way to route between VNI’s. If you need this, you must connect an
external router, and let traffic ‘hair-pin’ through it.
Address Learning ( Cont. )
Data Plane Learning Configuration
Address Learning ( Cont. )
Data Plane Learning Configuration
Underlay Configuration
Address Learning ( Cont. )
Data Plane Learning Configuration
Underlay Configuration
Address Learning ( Cont. )
Data Plane Learning Configuration
Underlay Configuration
Address Learning ( Cont. )
Data Plane Learning Configuration
Overlay Configuration
Address Learning ( Cont. )
Data Plane Learning Configuration
Overlay Configuration

On the Nexus platform, a virtual interface called an NVE interface is

used. This is the VTEP. The source-interface command tells the VTEP
to get it’s IP address from loopback0.
Address Learning ( Cont. )
Control Plane Learning (EVPN)

BGP operates in the control plane. A normal BGP deployment will share IP
reachability information (routes). When integrated with VxLAN, it can also
share MAC and VTEP reachability information.

As all the addresses are learned proactively, there’s no need for flooding.

When VTEPs are learned through BGP, they are dynamically added to a
whitelist. This prevents rogue VTEP injection. BGP neighbour authentication
can be used to prevent rogue peers.
Address Learning ( Cont. )
Control Plane Learning (EVPN)

Integrated Routing and Bridging (IRB) is supported when using BGP. This means
that each switch with a VTEP can also be a router.
Now that routing is supported, each switch with a VTEP can be a default gateway.
This is an anycast gateway.
Address Learning ( Cont. )
Control Plane Learning (EVPN) configuration
Address Learning ( Cont. )
Data Plane Learning Configuration
Underlay Configuration
Address Learning ( Cont. )
Data Plane Learning Configuration
Overlay Configuration

Interface vlan is used to create a virtual interface based on a VLAN. We use this to
create the anycast gateway IP for the VNI, and to tie VNI’s to a tenant’s VRF. Don’t
worry, it’ll make more sense soon.
Overlay evpn adds the EVPN address family.
Address Learning ( Cont. )
Data Plane Learning Configuration
Overlay Configuration

There is a vMAC address on each switch for the Anycast Gateway. This is the
same on each switch. Making this the same on each means that any switch can
respond as the default gateway.
Address Learning ( Cont. )
Data Plane Learning Configuration
Overlay Configuration The NVE interface is the VTEP. There is
only one of these per switch. It uses the
loopback interface to get its IP address.
We set BGP as the host-reachability
protocol, which enables BGP control
plane learning. If this isn’t enabled, then
we’re using flood and learn.
The BGP instance is configured mostly as
normal. Remember that this is iBGP, so in
the real world you need to make sure
that you have a full mesh or route
reflectors.
We enable the L2VPN EVPN address
family, which lets MP-BGP carry MAC
addresses.
Address Learning ( Cont. )
Data Plane Learning Configuration
Overlay Configuration

Add the first tenant. The configuration here is the same on both switches.
create a VRF. This is associated with VNI 900001, making this an L3VNI. The L3VNI
defines the tenant within the fabric, and contains L3 routes for the tenant.
Address Learning ( Cont. )
The L3VNI needs an SVI to be created
Data Plane Learning Configuration on each switch. SVI’s are based on
VLAN, so we need to associate VNI
Overlay Configuration 900001 with VLAN 101 first.
The SVI then needs to be created and
associated with the tenant’s VRF. The
SVI and VRF represent the tenant’s
routing boundary.
The ip forward command is added to
the SVI. This command enables routing.
Technically, it enables the switch to
take the decapsulated VxLAN packet,
and forward it to the CPU or Supervisor
for handling.
In BGP, we need to add the Tenant’s
VRF. Inside this, we use the advertise
l2vpn evpn command. This enables
advertising EVPN routes (MAC
addresses) within the tenant.
Address Learning ( Cont. )
Data Plane Learning Configuration
Overlay Configuration
Now it’s time for the L2VNI’s. These are
the more traditional LAN segments.
We start with binding VNI 5000 to VLAN
1000. VNI 5000 then needs to be added
to the VTEP. This is also where we enable
ARP Suppression, and configure ingress
replication. Finally, associate the VNI with
the tenant’s L3VNI/VRF to enable IRB.
Each VNI that needs to be routable needs
to have an SVI in the tenant’s VRF. This
SVI is given the same IP address on each
switch, which enables Anycast Gateway.
Address Learning ( Cont. )
Data Plane Learning Configuration
Overlay Configuration
Address Learning ( Cont. )
Data Plane Learning Configuration
Overlay Configuration
Address Learning ( Cont. )
Data Plane Learning Configuration
Overlay Configuration
Address Learning ( Cont. )
Data Plane Learning Configuration
Overlay Configuration
Address Learning ( Cont. )
Data Plane Learning Configuration
Overlay Configuration
What is an ACI network?

4
4
In reality ACI is all about networking and how you deploy
applications onto the network
At a very basic level ACI is really just a Spine/Leaf network of
Nexus 9k switches with a management platform

The network management platform (APIC) provides you with

a single place from which to manage the network
Is ACI an Overlay or Underlay network?

13
ACI is an automated (VXLAN) overlay network running over
an automated (ISIS) underlay network

ACI can transport any IP traffic including “Overlay” networks

based on VXLAN*, NVGRE* etc.
Let’s build a network…!

15
Physically Building the ACI Network
Physically Building the ACI Network

APIC
Physically Building the ACI Network
APIC

APIC

Management options: Benefits:

• GUI (basic/advanced) • Distributed, Centralised Management
• CLI • Full traffic visibility*
• XML/JSON • Self documenting
• Scripting • Integrated virtual and physical network
• Open API • Integrated L4-7 device management
• Automation • Policy defined network

* Excludes pre encapsulated/encrypted traffic

An ACI network allows organisations to offer automated
network services “on demand” through an open REST API

• Leaf Profiles • EPGs

• Switch Profiles • Contracts

ACI Consumption Model
Interface Configuration Interface Consumption
Fabric | Access Policies Tenants
• VLANs • Tenants
• Domains • VRFs
• AAEP • Route Leaking
• Interface Policies • L2/L3out
• Leaf Policy Groups • Bridge Domains

• Leaf Profiles • EPGs

• Switch Profiles • Contracts

Interface Configuration: Fabric | Access Policies

APIC

APIC
Interface Configuration: Fabric | Access Policies

APIC

Access Policies configure

external interface parameters
Interface Configuration: Fabric | Access Policies

APIC

Access Policies configure

external interface parameters
Tenants Switch Policies
VRFs, subnets, security rules
etc
Leaf Profiles
Collection of switches
Concrete Model
Interface Policies Logical Model
Leaf Profiles
Collection of interface IDs

Interface Selectors
Interface IDs

AAEP Leaf Policy Groups Interface Policies

Collection of allowed VLANs, Interface settings
VXLANs etc Interface type and settings

Domains
Where VLANs, VXLANs etc
are consumed

Pools
List of VLANs, VXLANs etc
Security Domains
Restricts VLANs, Switches,
Interfaces, Tenants

Tenants Switch Policies

VRFs, subnets, security rules
etc
Leaf Profiles
Collection of switches
Concrete Model
Interface Policies Logical Model
Leaf Profiles
Collection of interface IDs

Interface Selectors
Interface IDs

AAEP Leaf Policy Groups Interface Policies

Collection of allowed VLANs, Interface settings
VXLANs etc Interface type and settings

Domains
Where VLANs, VXLANs etc
are consumed

Pools
List of VLANs, VXLANs etc
Let’s consider a practical example…
Rack Layout
APIC

APIC

Leaf 101 Leaf 103 Leaf 105

Leaf 102 Leaf 104 Leaf 106

Rack 02
Rack 01 Rack 03

ACI Leaf Racks

Rack Layout
APIC

APIC

c3850
Leaf 101 Leaf 103 Leaf 105

Leaf 102 Leaf 104 Leaf 106

n7706 n9504

Rack 05 Rack 06
Rack 01 Rack 02 Rack 03 Rack 04

ACI Leaf Racks External Equipment Racks

24
Rack Layout
APIC

APIC

c3850
Leaf 101 Leaf 103 Leaf 105

Leaf 102 Leaf 104 Leaf 106

n7706 n9504

Rack 05
Rack 06
Rack 01 Rack 02 Rack 03 Rack 04

ACI Leaf Racks External Equipment Racks

Rack Layout Rack / Leaf
Interfac
e
Rack /
Device
Interfac
e
R01_Leaf_101 1/1 R04_c3850 1/1
APIC R01_Leaf_101 1/2 R05_n7706 1/1
APIC R01_Leaf_101 1/3 R06_n9504 1/1
APIC
R01_Leaf_102 1/1 R04_c3850 1/2
R01_Leaf_102 1/2 R05_n7706 1/2
R01_Leaf_102 1/3 R06_n9504 1/2

c3850
Leaf 101 Leaf 103 Leaf 105

Leaf 102 Leaf 104 Leaf 106

n7706 n9504

Rack 05 Rack 06
Rack 01 Rack 02 Rack 03 Rack 04

ACI Leaf Racks External Equipment Racks

Switch Policies Interfac Rack / Interfac
Leaf Profiles e Device e
Leafs_101_and_102 Rack / Leaf
R01_Leaf_101 1/1 R04_c3850 1/1
R01_Leaf_101 1/2 R05_n7706 1/1
Interface Policies R01_Leaf_101 1/3 R06_n9504 1/1
Leaf Profiles
R01_to_R04_c3850
R01_Leaf_102 1/1 R04_c3850 1/2
R01_Leaf_102 1/2 R05_n7706 1/2
Interface Selectors R01_Leaf_102 1/3 R06_n9504 1/2
1/1

AAEP Leaf Policy Groups Interface Policies

all_L3_domains L3_to_c3850 cdp-enabled

Domains
common:vrf-01

Pools
shared_vlan_pool
Switch Policies Interfac Rack / Interfac
Leaf Profiles e Device e
Leafs_101_and_102 Rack / Leaf
R01_Leaf_101 1/1 R04_c3850 1/1
R01_Leaf_101 1/2 R05_n7706 1/1
Interface Policies R01_Leaf_101 1/3 R06_n9504 1/1
Leaf Profiles
R01_to_R04_c3850
R01_Leaf_102 1/1 R04_c3850 1/2
R01_Leaf_102 1/2 R05_n7706 1/2
Interface Selectors R01_Leaf_102 1/3 R06_n9504 1/2
1/1

AAEP Leaf Policy Groups Interface Policies

all_L3_domains L3_to_c3850 cdp-enabled

Domains
common:vrf-01

Pools
shared_vlan_pool

25
Switch Policies Interfac Rack / Interfac
Leaf Profiles e Device e
Leafs_101_and_102 Rack / Leaf
R01_Leaf_101 1/1 R04_c3850 1/1
R01_Leaf_101 1/2 R05_n7706 1/1
Interface Policies R01_Leaf_101 1/3 R06_n9504 1/1
Leaf Profiles
R01_to_R05_n7706
R01_Leaf_102 1/1 R04_c3850 1/2
R01_Leaf_102 1/2 R05_n7706 1/2
Interface Selectors R01_Leaf_102 1/3 R06_n9504 1/2
1/2

AAEP Leaf Policy Groups Interface Policies

all_L3_domains L3_to_n7706 cdp-enabled

Domains
common:vrf-01

Pools
shared_vlan_pool

26
Switch Policies Interfac Rack / Interfac
Leaf Profiles e Device e
Leafs_101_and_102 Rack / Leaf
R01_Leaf_101 1/1 R04_c3850 1/1
R01_Leaf_101 1/2 R05_n7706 1/1
Interface Policies R01_Leaf_101 1/3 R06_n9504 1/1
Leaf Profiles
R01_to_R05_n7706
R01_Leaf_102 1/1 R04_c3850 1/2
R01_Leaf_102 1/2 R05_n7706 1/2
Interface Selectors R01_Leaf_102 1/3 R06_n9504 1/2
1/2

AAEP Leaf Policy Groups Interface Policies

all_L3_domains L3_to_n7706 cdp-enabled

Domains
common:vrf-01

Pools
shared_vlan_pool

26
Switch Policies Interfac Rack / Interfac
Leaf Profiles e Device e
Leafs_101_and_102 Rack / Leaf
R01_Leaf_101 1/1 R04_c3850 1/1
R01_Leaf_101 1/2 R05_n7706 1/1
Interface Policies R01_Leaf_101 1/3 R06_n9504 1/1
Leaf Profiles
R01_to_R06_n9504
R01_Leaf_102 1/1 R04_c3850 1/2
R01_Leaf_102 1/2 R05_n7706 1/2
Interface Selectors R01_Leaf_102 1/3 R06_n9504 1/2
1/3

AAEP Leaf Policy Groups Interface Policies

all_L3_domains L3_to_n9504 cdp-enabled

Domains
common:vrf-01

Pools
shared_vlan_pool

27
Switch Policies Interfac Rack / Interfac
Leaf Profiles e Device e
Leafs_101_and_102 Rack / Leaf
R01_Leaf_101 1/1 R04_c3850 1/1
R01_Leaf_101 1/2 R05_n7706 1/1
Interface Policies R01_Leaf_101 1/3 R06_n9504 1/1
Leaf Profiles
R01_to_R06_n9504
R01_Leaf_102 1/1 R04_c3850 1/2
R01_Leaf_102 1/2 R05_n7706 1/2
Interface Selectors R01_Leaf_102 1/3 R06_n9504 1/2
1/3

AAEP Leaf Policy Groups Interface Policies

all_L3_domains L3_to_n9504 cdp-enabled

Domains
common:vrf-01

Pools
shared_vlan_pool

27
Switch Policies Switch Policies Switch Policies
Leaf Profiles Leaf Profiles Leaf Profiles
Leafs_101_and_102 Leafs_101_and_102 Leafs_101_and_102
Concrete Model
Interface Policies Interface Policies Interface Policies Logical Model
Leaf Profiles Leaf Profiles Leaf Profiles
R01_to_R04_c3850 R01_to_R05_n7706 R01_to_R06_n9504

Interface Selectors Interface Selectors Interface Selectors

1/1 1/2 1/3

Leaf Policy Groups Leaf Policy Groups Leaf Policy Groups

L3_to_c3850 L3_to_n7706 L3_to_n9504

AAEP Interface Policies Rack / Leaf Interface Rack / Device Interface

29
Switch Policies Switch Policies Switch Policies
Leaf Profiles Leaf Profiles Leaf Profiles
Leafs_101_and_102 Leafs_101_and_102 Leafs_101_and_102
Concrete Model
Interface Policies Interface Policies Interface Policies Logical Model
Leaf Profiles Leaf Profiles Leaf Profiles
R01_to_R04_c3850 R01_to_R05_n7706 R01_to_R06_n9504

Interface Selectors Interface Selectors Interface Selectors

1/1 1/2 1/3

Leaf Policy Groups Leaf Policy Groups Leaf Policy Groups

L3_to_c3850 L3_to_n7706 L3_to_n9504

AAEP Interface Policies Rack / Leaf Interface Rack / Device Interface

all_L3_domains cdp-enabled
R01_Leaf_101 1/1 R04_c3850 1/1
R01_Leaf_101 1/2 R05_n7706 1/1
R01_Leaf_101 1/3 R06_n9504 1/1
Pools Domains
shared_vlan_pool common:vrf-01 R01_Leaf_102 1/1 R04_c3850 1/2
R01_Leaf_102 1/2 R05_n7706 1/2
R01_Leaf_102 1/3 R06_n9504 1/2
30
Switch Policies Switch Policies Switch Policies
Leaf Profiles Leaf Profiles Leaf Profiles
Leafs_101_and_102 Leafs_101_and_102 Leafs_101_and_102
Concrete Model
Interface Policies Interface Policies Interface Policies Logical Model
Leaf Profiles Leaf Profiles Leaf Profiles
R01_to_R04_c3850 R01_to_R05_n7706 R01_to_R06_n9504

Interface Selectors Interface Selectors Interface Selectors

1/1 1/2 1/3

AAEP Interface Policies Rack / Leaf Interface Rack / Device Interface

Interface Selectors Interface Selectors Interface Selectors

1/1 1/2 1/3

Access Policy Groups can be reused

Leaf Policy Groups
L3_to_ext_L3_switch
Port channel / vPC Policy Groups map 1:1
to the attached device

AAEP Interface Policies Rack / Leaf Interface Rack / Device Interface

31
Switch Policies Switch Policies Switch Policies
Leaf Profiles Leaf Profiles Leaf Profiles
Leafs_101_and_102 Leafs_101_and_102 Leafs_101_and_102
Concrete Model
Interface Policies Interface Policies Interface Policies Logical Model
Leaf Profiles Leaf Profiles Leaf Profiles
R01_to_R04_c3850 R01_to_R05_n7706 R01_to_R06_n9504

Interface Selectors Interface Selectors Interface Selectors

1/1 1/2 1/3

Leaf Policy Groups

L3_to_ext_L3_switch

AAEP Interface Policies Rack / Leaf Interface Rack / Device Interface

Leaf Policy Groups

L3_to_ext_L3_switch

AAEP Interface Policies Rack / Leaf Interface Rack / Device Interface

Interface Selectors
1/1, 1/2,1/3

Leaf Policy Groups

L3_to_ext_L3_switch

AAEP Interface Policies Rack / Leaf Interface Rack / Device Interface

33
Device Centric Model
Concrete Model
Logical Model

34
Device Centric Model
Concrete Model
Interface Policies Logical Model
Leaf Profiles
ESX_Hosts

Interface Selectors
1/1, 1/2, 1/3….

Leaf Policy Groups

ESX_Hosts

Domains AAEP Interface Policies

Cisco-vds-01 all_vlans cdp-enabled

Pools
all_vlans

34
Switch Policies
Leaf Profiles
Leafs_101_and_102
Concrete Model
Interface Policies Logical Model
Leaf Profiles
ESX_Hosts
Leaf Profiles aligned to attached
Leaf dPerovifcileim.ea.pEpSeXd_tHoosswtsitches

Interface Selectors
1/1, 1/2, 1/3….

Leaf Policy Groups

ESX_Hosts

Domains AAEP Interface Policies

Cisco-vds-01 all_vlans cdp-enabled

Pools
all_vlans

34
Switch Policies Switch Policies Switch Policies
Leaf Profiles Leaf Profiles Leaf Profiles
Leafs_101_and_102 Leafs_103_and_104 Leafs_105_and_106
Concrete Model
Interface Policies Logical Model
Leaf Profiles
ESX_Hosts
Leaf Profiles aligned to attached
device i.e. ESX_Hosts Configure additional Leaf
switches with the selected Leaf
Profile
Interface Selectors
1/1, 1/2, 1/3….

Leaf Policy Groups

ESX_Hosts

Domains AAEP Interface Policies

Cisco-vds-01 all_vlans cdp-enabled

Pools
all_vlans

34
Switch Centric Model

35
Switch Centric Model
Interface Policies
Leaf Profiles
Leafs_101_and_102

Interface Selectors
1/1, 1/2, 1/3….

Leaf Policy Groups

ESX_Hosts

Domains AAEP Interface Policies

Cisco-vds-01 all_vlans cdp-enabled

Pools
all_vlans

35
Switch Policies
Leaf Profiles
Leafs_101_and_102

Interface Policies
Leaf Profiles al iegned to switches Leaf Profiles
Leafs_101_and_102

Interface Selectors
1/1, 1/2, 1/3….

Leaf Policy Groups

ESX_Hosts

Domains AAEP Interface Policies

Cisco-vds-01 all_vlans cdp-enabled

Pools
all_vlans

35
Switch Policies
Leaf Profiles
Leafs_101_and_102

Interface Policies
Leaf Profiles al iegned to switches Leaf Profiles
Leafs_101_and_102

Interface Selectors Interface Selectors

1/1, 1/2, 1/3…. 1/11, 1/12, 1/13….

Leaf Policy Groups Leaf Policy Groups

ESX_Hosts Linux_Hosts

Domains AAEP Interface Policies

Cisco-vds-01 all_vlans cdp-enabled

Pools Domains
all_vlans physical_servers

35
Switch Policies
Leaf Profiles
Leafs_101_and_102

Interface Policies
Leaf Profiles al iegned to switches Leaf Profiles
Leafs_101_and_102

Interface Selectors Interface Selectors Interface Selectors

1/1, 1/2, 1/3…. 1/11, 1/12, 1/13…. 1/21, 1/22, 1/23….

Leaf Policy Groups Leaf Policy Groups Leaf Policy Groups

ESX_Hosts Linux_Hosts Windows_Hosts

Domains AAEP Interface Policies

Cisco-vds-01 all_vlans cdp-enabled

Pools Domains
all_vlans physical_servers

35
Repeat the process for additional
Leaf switches
Switch Policies Switch Policies Switch Policies
Leaf Profiles Leaf Profiles Leaf Profiles
Leafs_101_and_102 Leafs_103_and_104 Leafs_105_and_106

Interface Policies Interface Policies Interface Policies

Leaf Profiles al iegned to switches Leaf Profiles Leaf Profiles Leaf Profiles
Leafs_101_and_102 Leafs_103_and_104 Leafs_105_and_106

Interface Selectors Interface Selectors Interface Selectors

1/1, 1/2, 1/3…. 1/11, 1/12, 1/13…. 1/21, 1/22, 1/23….

…………..
Leaf Policy Groups Leaf Policy Groups Leaf Policy Groups
ESX_Hosts Linux_Hosts Windows_Hosts

Domains AAEP Interface Policies

Cisco-vds-01 all_vlans cdp-enabled

Pools Domains
all_vlans physical_servers

35
It’s not an either/or method, both methods can be used at the
same time…

Access Policy Groups can be reused …

Port channel / vPC Policy Groups create unique port channel IDs

36
Let’s use the network
interfaces…!

37
ACI Consumption Model
Interface Configuration Interface Consumption
Fabric | Access Policies Tenants
• VLANs • Tenants
• Domains • VRFs
• AAEP • Route Leaking
• Interface Policies • L2/L3out
• Leaf Policy Groups • Bridge Domains

• Leaf Profiles • EPGs

• Switch Profiles • Contracts

38
ACI Consumption Model
Interface Configuration Interface Consumption
Fabric | Access Policies Tenants
• VLANs • Tenants
• Domains • VRFs
• AAEP • Route Leaking
• Interface Policies • L2/L3out
• Leaf Policy Groups • Bridge Domains

• Leaf Profiles • EPGs

• Switch Profiles • Contracts

38
Tenants

39
Tenants: Isolated configuration “zones” on common physical
infrastructure
APIC

APIC

40
Tenants: Isolated configuration “zones” on common physical
infrastructure
APIC

APIC

Objects created in “Common” can be APIC

consumed by other Tenants

VRF-01 VRF-02 VRF-03

BD:192.168.10.x_24
GW:192.168.10.1/24
Advertise Externally: Yes
AD DNS DHCP
Tenant: Common

40
Tenants: Isolated configuration “zones” on common physical
infrastructure
APIC

APIC

Objects created in “Common” can be APIC

consumed by other Tenants

VRF-01 VRF-02 VRF-03

BD:192.168.10.x_24
GW:192.168.10.1/24
Advertise Externally: Yes
AD DNS DHCP
Tenant: Common

BD: 192.168.11.x_24 BD: 192.168.12.x_24

GW:192.168.11.1/24 GW:192.168.12.1/24
Advertise Externally: Yes Advertise Externally: Yes

Tenant: Production Tenant: Pre-Production

40
Tenants: Isolated configuration “zones” on common physical
infrastructure
APIC

APIC

Objects created in “Common” can be APIC

consumed by other Tenants

VRF-01 VRF-02 VRF-03

BD:192.168.10.x_24
GW:192.168.10.1/24
Advertise Externally: Yes
AD DNS DHCP VRF-01
Tenant: Common
BD:192.168.10.x_24 BD: 192.168.12.x_24
GW:192.168.10.1/24 GW:192.168.12.1/24
Advertise Externally: Yes Advertise Externally: Yes

BD: 192.168.11.x_24 BD: 192.168.12.x_24 BD: 192.168.11.x_24

GW:192.168.11.1/24 GW:192.168.12.1/24 GW:192.168.11.1/24
Advertise Externally: Yes Advertise Externally: Yes Advertise Externally: Yes

Tenant: Production Tenant: Pre-Production Tenant: ESX-Hosts

40
Tenants: Isolated configuration “zones” on common physical
infrastructure
APIC

APIC
Objects created in “Common” can be APIC
consumed by other Tenants

VRF-01 VRF-02 VRF-03

BD:192.168.10.x_24
GW:192.168.10.1/24

Advertise Externally: Yes

AD DNS DHCP VRF-01
Tenant: Common
BD: 192.168.10.x_24 BD: 192.168.12.x_24
GW:192.168.10.1/24 GW:192.168.12.1/24

Advertise Externally: Yes Advertise Externally: Yes

BD: 192.168.11.x_24 BD: 192.168.12.x_24 BD: 192.168.11.x_24

GW:192.168.11.1/24 GW:192.168.12.1/24 GW:192.168.11.1/24

Advertise Externally: Yes Advertise Externally: Yes Advertise Externally: Yes

Tenant: Production Tenant: Pre-Production Tenant: ESX-Hosts

40
Looking under the covers at Tenants
apic1# show running-config tenant Cisco
# Command: show running-config tenant Cisco #
Time: Tue Jan 30 13:47:50 2018
tenant Cisco
vrf context vrf-01
exit
bridge-domain 192.168.10.x_24
vrf member vrf-01
exit
bridge-domain 192.168.11.x_24
vrf member vrf-01
exit
bridge-domain 192.168.12.x_24
vrf member vrf-01
exit
bridge-domain vlan-501
arp flooding
l2-unknown-unicast flood
no unicast routing
vrf member vrf-01
exit

41
Looking under the covers at Tenants
apic1# show running-config tenant Cisco
# Command: show running-config tenant Cisco.
# Time: Tue Jan 30 13:47:50 2018
tenant Cisco
vrf context vrf-01
exit
bridge-domain 192.168.10.x_24
vrf member vrf-01
exit
bridge-domain 192.168.11.x_24
vrf member vrf-01
exit
bridge-domain 192.168.12.x_24
vrf member vrf-01
exit
bridge-domain vlan-501
arp flooding
l2-unknown-unicast flood
no unicast routing
vrf member vrf-01
exit

41
VRFs

42
APIC

APIC

Tenant: common Tenant: infra Tenant: mgmt Tenant: Cisco

VRF: vrf-01 VRF: vrf-01 VRF: vrf-01 VRF: vrf-01

43
VRFs are configured within a Tenant
APIC

APIC

Tenant: common Tenant: infra Tenant: mgmt Tenant: Cisco

VRF: vrf-01 VRF: vrf-01 VRF: vrf-01 VRF: vrf-01

43
Bridge Domains

44
A Bridge Domain is a Layer 2 forwarding segment which
maps a (locally significant) VLAN on each Leaf switch to a
unique VXLAN segment

A Bridge Domain may have one or more associated SVIs

45
APIC

APIC

BD:192.168.10.x_24 BD:192.168.10.x_24
GW:192.168.10.1/24 .. GW:192.168.10.1/24
Advertise Externally: Yes Advertise Externally: Yes Layer 2 forwarding over
a Layer 3 network

46
What does this look like…
APIC

APIC

BD:192.168.10.x_24 BD:192.168.10.x_24
GW:192.168.10.1/24 .. GW:192.168.10.1/24
Advertise Externally: Yes Advertise Externally: Yes Layer 2 forwarding over
a Layer 3 network

…it looks like a VLAN “over” a VXLAN

46
Endpoint Groups

47
An Endpoint Group is a security “container” for devices that
are attached to an ACI fabric. There is a 1:1 mapping
between EPGs and Bridge Domains

Devices are mapped into an EPG by considering the

incoming switch/interface/vlan, or virtual switch/vlan

Communication within an EPG is permitted (by default),

communication between EPGs requires a Contract (ACL)

48
APIC

APIC

BD:192.168.10.x_24 BD: 192.168.11.x_24

GW:192.168.10.1/24 GW:192.168.11.1/24
Advertise Externally: Yes Advertise Externally: Yes

EPG: Web EPG: App

Interface: 101/1/1 Communication allowed Interface: 101/1/2
VLAN: 10 VLAN: 11

H1 H2 H3 H4

49
What does this look like…
APIC

APIC

BD:192.168.10.x_24 BD: 192.168.11.x_24

GW:192.168.10.1/24 GW:192.168.11.1/24
Advertise Externally: Yes Advertise Externally: Yes

EPG: Web EPG: App

Interface: 101/1/1 Communication allowed Interface: 101/1/2
VLAN: 10 VLAN: 11

H1 H2 H3 H4

…it looks like VLANs with ACLs

49
Application Profiles

50
An Application Profile is a collection of EPGs which may or
may not represent an Application, e.g. MyExpenses

51
APIC

APIC

BD:10.52.248.192_27 BD:10.52.249.192_27
GW:10.52.248.193/27 GW:10.52.249.193/27
Advertise Externally: Yes Advertise Externally: Yes

Application Profile: MyApp

EPG: Web EPG: App
Interface: 101/1/1 Communication allowed Interface: 101/1/2
VLAN: 10 VLAN: 11

H1 H2 H3 H4

52
What does this look like…
APIC

APIC

BD:10.52.248.192_27 BD:10.52.249.192_27
GW:10.52.248.193/27 GW:10.52.249.193/27
Advertise Externally: Yes Advertise Externally: Yes

Application Profile: MyApp

EPG: Web EPG: App
Interface: 101/1/1 Communication allowed Interface: 101/1/2
VLAN: 10 VLAN: 11

H1 H2 H3 H4

…it’s a collection of EPGs and Contracts 52

Application Centric
or
Network Centric?
What’s in a name?

55
What’s in a name?
Application Profile Application Profile
Application Profile
represents ESX represents
represents VLANs
Infrastructure Applications

55
Option 1: Single EPG on a Single BD with a Single Subnet –
“standard networking”
Tenant: Cisco
VRF: vrf-01

Application Profile: MyApp

vDS

56
Option 1: Single EPG on a Single BD with a Single Subnet –
“standard networking”
Tenant: Cisco
VRF: vrf-01

BD: 192.168.10.x_24 BD: 192.168.11.x_24 BD: 192.168.12.x_24

GW:192.168.10.1/24 GW:192.168.11.1/24 GW:192.168.12.1/24
Advertise Externally: Yes Advertise Externally: Yes Advertise Externally: Yes

Application Profile: MyApp

EPG: Web EPG: App EPG: DB

vDS: Cisco-vds-01 vDS: Cisco-vds-01 Path: 101/1/1-2
VLAN: dynamic VLAN: dynamic VLAN: 12

vDS
Portgoup: Portgoup:
Cisco:MyApp:Web Cisco:MyApp:App

VM VM VM VM VM VM

56
Option 2: Multiple EPGs on a Single BD with a Single
Subnet – µSegmentation in IP space
Tenant: Cisco
VRF: vrf-01

BD: 192.168.10.x_24
GW:192.168.10.1/24
Advertise Externally: Yes

Application Profile: MyApp

vDS

57
Option 2: Multiple EPGs on a Single BD with a Single
Subnet – µSegmentation in IP space
Tenant: Cisco
VRF: vrf-01

BD: 192.168.10.x_24
GW:192.168.10.1/24
Advertise Externally: Yes

Application Profile: MyApp

EPG: Web EPG: App EPG: DB

vDS: Cisco-vds-01 vDS: Cisco-vds-01 Path: 101/1/1-2
VLAN: dynamic VLAN: dynamic VLAN: 12

vDS
Portgoup: Portgoup:
Cisco:MyApp:Web Cisco:MyApp:App

VM VM VM VM VM VM

57
Option 3: Multiple EPGs on a Single BD with Multiple
Subnets – IP secondary
Tenant: Cisco
VRF: vrf-01

BD: multiple_subnets
GW:192.168.10.1/24
GW:192.168.11.1/24
Advertise Externally: Yes

Application Profile: MyApp

EPG: Web EPG: App EPG: DB

vDS: Cisco-vds-01 vDS: Cisco-vds-01 Path: 101/1/1-2
VLAN: dynamic VLAN: dynamic VLAN: 12

vDS
Portgoup: Portgoup:
Cisco:MyApp:Web Cisco:MyApp:App

Servers in either 192.168.10.x or

VM VM VM VM VM VM 192.168.11.x subnets
Options 1, 2, and 3 – µSegmentation within an EPG/Port
Group (no East/West traffic flows)
Tenant: Cisco
VRF: vrf-01

BD: 192.168.10.x_24 BD: 192.168.11.x_24 BD: 192.168.12.x_24

GW:192.168.10.1/24 GW:192.168.11.1/24 GW:192.168.12.1/24
Advertise Externally: Yes Advertise Externally: Yes Advertise Externally: Yes

Application Profile: MyApp

EPG: Web EPG: App EPG: DB

vDS: Cisco-vds-01 vDS: Cisco-vds-01 Path: 101/1/1-2
VLAN: dynamic VLAN: dynamic VLAN: 12

Communication blocked

vDS
Portgoup: Portgoup:
Cisco:MyApp:Web Cisco:MyApp:App
Communication blocked Communication blocked

VM VM VM VM VM VM
Options 1, 2, and 3 – µSegmentation within an EPG/Port
Group based on machine attribute
Tenant: Cisco
VRF: vrf-01

BD: 192.168.10.x_24
GW:192.168.10.1/24

Advertise Externally: Yes

Application Profile: MyApp

EPG: Web
vDS: Cisco-vds-01
VLAN: dynamic

vDS

Portgoup: Cisco:MyApp:Web

VM VM VM VM VM VM VM VM VM

60
Options 1, 2, and 3 – µSegmentation within an EPG/Port
Group based on machine attribute
Tenant: Cisco
VRF: vrf-01

BD: 192.168.10.x_24
GW:192.168.10.1/24

Advertise Externally: Yes

Application Profile: MyApp

EPG: Web
vDS: Cisco-vds-01
VLAN: dynamic
Dynamic EPG: Dynamic EPG: Dynamic EPG:
Name=WebSrvsApp1 Name=WebSrvsApp2 Name=WebSrvsApp3

vDS

Portgoup: Cisco:MyApp:Web

VM VM VM VM VM VM VM VM VM
VMs mapped to dynamic EPG
based on attribute
60
Alternative option: 3x Portgroups
Tenant: Cisco
VRF: vrf-01

BD: 192.168.10.x_24
GW:192.168.10.1/24
Advertise Externally: Yes

Application Profile: MyApp

vDS

61
Alternative option: 3x Portgroups
Tenant: Cisco
VRF: vrf-01

BD: 192.168.10.x_24
GW:192.168.10.1/24
Advertise Externally: Yes

Application Profile: MyApp

EPG: Web EPG: App EPG: DB

vDS: Cisco-vds-01 vDS: Cisco-vds-01 vDS: Cisco-vds-01
VLAN: dynamic VLAN: dynamic VLAN: dynamic

vDS
Portgoup: Portgoup: Portgoup:
Cisco:MyApp:Web Cisco:MyApp:App Cisco:MyApp:DB

VM VM VM VM VM VM VM VM VM

61
How do I retrofit my network and migrate from
“Network Centric” to “Application Centric”…?

62
Why change what is already working…?

63
Network Centric Mode: Single EPG on a Single BD with a
Single Subnet – “standard networking”
Tenant: Cisco
VRF: vrf-01

BD: 192.168.10.x_24
GW:192.168.10.1/24
Advertise Externally: Yes

Application Profile: VLANs_10-20

EPG: Web EPG: VLAN_10_All_Web_Servers EPG: All_Web_Servers

vDS: Cisco-vds-01 vDS: Cisco-vds-01 vDS: Cisco-vds-01
VLAN: dynamic VLAN: 10 VLAN: dynamic

vDS
Portgoup: Portgoup:
Portgoup: Cisco:VLANs_10-20:VLAN_10_All_Web_Servers
Cisco:MyApp:Web Cisco:MyApp:App

VM VM VM VM VM VM VM VM VM

64
Network Centric Mode: Single EPG on a Single BD with a
Single Subnet – “standard networking”
Tenant: Cisco
VRF: vrf-01

BD: 192.168.10.x_24
GW:192.168.10.1/24
Advertise Externally: Yes

Application Profile: VLANs_10-20

EPG: Web EPG: VLAN_10_All_Web_Servers EPG: All_Web_Servers

vDS: Cisco-vds-01 vDS: Cisco-vds-01 vDS: Cisco-vds-01
VLAN: dynamic VLAN: 10 VLAN: dynamic

vDS
Portgoup: Portgoup:
Portgoup: Cisco:VLANs_10-20:VLAN_10_All_Web_Servers
Cisco:MyApp:Web Cisco:MyApp:App

Single portgroup for all Web

servers, irrespective of VM VM VM VM VM VM VM VM VM
application

64
Application Centric Mode: Multiple EPGs on a Single BD
with a Single Subnet – µSegmentation in IP space
Tenant: Cisco
VRF: vrf-01

BD: 192.168.10.x_24
GW:192.168.10.1/24
Advertise Externally: Yes

Application Profile: App_1 Application Profile: App_2 Application Profile: App_3

EPG: Web_1 EPG: Web_2 EPG: Web_3

vDS: Cisco-vds-01 vDS: Cisco-vds-01 vDS: Cisco-vds-01
VLAN: dynamic VLAN: dynamic VLAN: dynamic

vDS
Portgoup: Portgoup: Portgoup:
Cisco:App_1:Web_1 Cisco:App_2:Web_2 Cisco:App_3:Web_3

VM VM VM VM VM VM VM VM VM

65
Application Centric Mode: Multiple EPGs on a Single BD
with a Single Subnet – µSegmentation in IP space
Tenant: Cisco
VRF: vrf-01

BD: 192.168.10.x_24
GW:192.168.10.1/24
Advertise Externally: Yes

Application Profile: App_1 Application Profile: App_2 Application Profile: App_3

EPG: Web_1 EPG: Web_2 EPG: Web_3

vDS: Cisco-vds-01 vDS: Cisco-vds-01 vDS: Cisco-vds-01
VLAN: dynamic VLAN: dynamic VLAN: dynamic

vDS
Portgoup: Portgoup: Portgoup:
Cisco:App_1:Web_1 Cisco:App_2:Web_2 Cisco:App_3:Web_3

Web servers remapped to

Application specific portgroups VM VM VM VM VM VM VM VM VM

65
How do I allow inter
EPG communication?

66
Contracts permit communication
Tenant: Common Tenant: Cisco
VRF: vrf-01 VRF: vrf-01
Route Leak 0.0.0.0/0

BD: 192.168.10.x_24 BD: 192.168.11.x_24 BD: 192.168.12.x_24

GW:192.168.10.1/24 GW:192.168.11.1/24 GW:192.168.12.1/24
Advertise Externally: Yes Advertise Externally: Yes Advertise Externally: Yes

Ext Switch: 6ka

VRF: global Application Profile: MyApp

EPG: Web EPG: App EPG: DB

vDS: Cisco-vds-01 vDS: Cisco-vds-01 Path: 101/1/1-2
VLAN: dynamic VLAN: dynamic VLAN: 12
Ext Switch: 6kb
VRF: global

vDS
Portgoup: Portgoup:
Cisco:MyApp:Web Cisco:MyApp:App

VM VM VM VM VM VM

67
Contracts permit communication
Tenant: Common Tenant: Cisco
VRF: vrf-01 VRF: vrf-01
Route Leak 0.0.0.0/0

Co
mm
BD: 192.168.10.x_24 BD: 192.168.11.x_24 BD: 192.168.12.x_24

uni
GW:192.168.10.1/24 GW:192.168.11.1/24 GW:192.168.12.1/24

cati
on
Advertise Externally: Yes Advertise Externally: Yes Advertise Externally: Yes

allo
we
d
Ext Switch: 6ka
VRF: global Application Profile: MyApp

EPG: Web EPG: App EPG: DB

vDS: Cisco-vds-01 vDS: Cisco-vds-01 Path: 101/1/1-2
VLAN: dynamic VLAN: dynamic VLAN: 12
Ext Switch: 6kb
VRF: global

vDS
Portgoup: Portgoup:
Cisco:MyApp:Web Cisco:MyApp:App

VM VM VM VM VM VM

Communication allowed Communication allowed

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 67
Contracts permit communication
Tenant: Common Tenant: Cisco
VRF: vrf-01 VRF: vrf-01
Route Leak 0.0.0.0/0

Co
mm
BD: 192.168.10.x_24 BD: 192.168.11.x_24 BD: 192.168.12.x_24

uni
GW:192.168.10.1/24 GW:192.168.11.1/24 GW:192.168.12.1/24

cati
on
Advertise Externally: Yes Advertise Externally: Yes Advertise Externally: Yes

allo
we
d
Ext Switch: 6ka
VRF: global Application Profile: MyApp

EPG: Web EPG: App EPG: DB

vDS: Cisco-vds-01 vDS: Cisco-vds-01 Path: 101/1/1-2
VLAN: dynamic VLAN: dynamic VLAN: 12
Ext Switch: 6kb
VRF: global

vDS
Portgoup: Portgoup:
Cisco:MyApp:Web Cisco:MyApp:App

VM VM VM VM VM VM

Communication allowed Communication allowed

Application Profile: MyApp

EPG: Web EPG: App EPG: DB

vDS: Cisco-vds-01 vDS: Cisco-vds-01 Path: 101/1/1-2
VLAN: dynamic VLAN: dynamic VLAN: 12

68
How do I use Contracts?

Application Profile: MyApp

EPG: Web EPG: App EPG: DB

vDS: Cisco-vds-01 vDS: Cisco-vds-01 Path: 101/1/1-2
VLAN: dynamic VLAN: dynamic VLAN: 12

Contract Provider: Provided contracts define which

ports are open
permit_to_
application_servers
tcp 3201-3300

Contract Provider: Contract Provider:

permit_to_ permit_to_
web_servers database_servers
tcp 80/443 tcp 1521

68
How do I use Contracts?

Application Profile: MyApp

EPG: Web EPG: App EPG: DB

vDS: Cisco-vds-01 vDS: Cisco-vds-01 Path: 101/1/1-2
VLAN: dynamic VLAN: dynamic VLAN: 12

Contract consumer: Contract Provider: Provided contracts define which

ports are open
permit_to_ permit_to_
application_servers application_servers
Reverse filter ports enables the
tcp 3201-3300 tcp 3201-3300
return traffic without an explicit
Consumed contract defines
which source EPGs can connect contract
to a Provider EPG
Contract Provider: Contract Consumer: Contract Provider:
permit_to_ permit_to_ permit_to_
web_servers database_servers database_servers
tcp 80/443 tcp 1521 tcp 1521
Apply in both directions allows
either the consumer or provider
to open a connection

68
Contract Scope
Contract enforcement is “scoped” at:
• Global
• Tenant
• VRF
• Application Profile

69
Contract Scope
Contract enforcement is “scoped” at:
• Global Application Profile: MyApp_1

• Tenant EPG: Web

vDS: Cisco-vds-01
EPG: App
vDS: Cisco-vds-01
EPG: DB
Path: 101/1/1-2
VLAN: dynamic VLAN: dynamic VLAN: 12

• VRF
• Application Profile

Contract: Contract: Contract:

permit_to_ permit_to_ permit_to_
web_servers application_servers database_servers
tcp 80/443 tcp 3201-3300 tcp 1521
Scope: Tenant Scope: VRF Scope: App Profile
69
Contract Scope
Contract enforcement is “scoped” at:
• Global Application Profile: MyApp_1

• Tenant EPG: Web

vDS: Cisco-vds-01
EPG: App
vDS: Cisco-vds-01
EPG: DB
Path: 101/1/1-2
VLAN: dynamic VLAN: dynamic VLAN: 12

• VRF
• Application Profile
Application Profile: MyApp_2

EPG: Web EPG: App EPG: DB

vDS: Cisco-vds-01 vDS: Cisco-vds-01 Path: 101/1/3-4
VLAN: dynamic VLAN: dynamic VLAN: 14

Contract: Contract: Contract:

• Tenant EPG: Web

vDS: Cisco-vds-01
EPG: App
vDS: Cisco-vds-01
EPG: DB
Path: 101/1/1-2
VLAN: dynamic VLAN: dynamic VLAN: 12

• VRF
• Application Profile
Application Profile: MyApp_2

EPG: Web EPG: App EPG: DB

vDS: Cisco-vds-01 vDS: Cisco-vds-01 Path: 101/1/3-4
VLAN: dynamic VLAN: dynamic VLAN: 14

Contract: Contract: Contract:

• Tenant EPG: Web

vDS: Cisco-vds-01
EPG: App
vDS: Cisco-vds-01
EPG: DB
Path: 101/1/1-2
VLAN: dynamic VLAN: dynamic VLAN: 12

• VRF
• Application Profile
Application Profile: MyApp_2

EPG: Web EPG: App EPG: DB

vDS: Cisco-vds-01 vDS: Cisco-vds-01 Path: 101/1/3-4
VLAN: dynamic VLAN: dynamic VLAN: 14

Contract: Contract: Contract:

permit_to_ permit_to_ permit_to_
web_servers application_servers database_servers
tcp 80/443 tcp 3201-3300 tcp 1521
Scope: Tenant Scope: VRF Scope: App Profile
69
Intra-EPG Contract

Tenant: Cisco
VRF: vrf-01

BD: 192.168.10.x_24 BD: 192.168.11.x_24 BD: 192.168.12.x_24

GW:192.168.10.1/24 GW:192.168.11.1/24 GW:192.168.12.1/24
Advertise Externally: Yes Advertise Externally: Yes Advertise Externally: Yes

EPG: Web(isolated) EPG: App EPG: DB

vDS: Cisco-vds-01 vDS: Cisco-vds-01 Path: 101/1/1-2
VLAN: dynamic VLAN: dynamic VLAN: 12

70
Intra-EPG Contract

Tenant: Cisco
VRF: vrf-01

BD: 192.168.10.x_24 BD: 192.168.11.x_24 BD: 192.168.12.x_24

GW:192.168.10.1/24 GW:192.168.11.1/24 GW:192.168.12.1/24
Advertise Externally: Yes Advertise Externally: Yes Advertise Externally: Yes

Intra-EPG Contract:
permit_heartbeat EPG: Web(isolated) EPG: App EPG: DB
vDS: Cisco-vds-01 vDS: Cisco-vds-01 Path: 101/1/1-2
tcp 12675 VLAN: dynamic VLAN: dynamic VLAN: 12

TCP 12675 only

70
Contract Preferred Groups

Tenant: Cisco
VRF: vrf-01

BD: 192.168.10.x_24 BD: 192.168.11.x_24 BD: 192.168.12.x_24

GW:192.168.10.1/24 GW:192.168.11.1/24 GW:192.168.12.1/24
Advertise Externally: Yes Advertise Externally: Yes Advertise Externally: Yes

EPG: Active_Directory EPG: App EPG: DB

vDS: Cisco-vds-01 vDS: Cisco-vds-01 Path: 101/1/1-2
VLAN: dynamic VLAN: dynamic VLAN: 12

71
Contract Preferred Groups
Contract Consumer:
permit_to_
Tenant: Cisco
VRF: vrf-01 Active_Directory
tcp 53, 88, 445

BD: 192.168.10.x_24 BD: 192.168.11.x_24 BD: 192.168.12.x_24

GW:192.168.10.1/24 GW:192.168.11.1/24 GW:192.168.12.1/24
Advertise Externally: Yes Advertise Externally: Yes Advertise Externally: Yes

Contract Provider:
permit_to_ EPG: Active_Directory EPG: App EPG: DB
vDS: Cisco-vds-01 vDS: Cisco-vds-01 Path: 101/1/1-2
Active_Directory VLAN: dynamic VLAN: dynamic VLAN: 12
tcp 53, 88, 445

All EPGs can communicate with

Active_Directory EPG

71
Contracts Inheritance

72
Contracts Inheritance

Application Profile: MyApp

EPG: Web_1 EPG: App_1 EPG: DB_1

vDS: Cisco-vds-01 vDS: Cisco-vds-01 Path: 101/1/1-2
VLAN: dynamic VLAN: dynamic VLAN: 12

Contract Provider: Contract consumer:

permit_to_ permit_to_
web_servers application_servers
tcp 80/443 tcp 3201-3300

72
Contracts Inheritance

Application Profile: MyApp

EPG: Web_1 EPG: App_1 EPG: DB_1

vDS: Cisco-vds-01 vDS: Cisco-vds-01 Path: 101/1/1-2
VLAN: dynamic VLAN: dynamic VLAN: 12

Contract Provider: Contract consumer:

permit_to_ permit_to_
web_servers application_servers
tcp 80/443 tcp 3201-3300

Application Profile: MyApp

EPG: Web_2 EPG: App_2 EPG: DB_2

vDS: Cisco-vds-01 vDS: Cisco-vds-01 Path: 101/1/1-2
VLAN: dynamic VLAN: dynamic VLAN: 12

72
Contracts Inheritance

Application Profile: MyApp

EPG: Web_1 EPG: App_1 EPG: DB_1

vDS: Cisco-vds-01 vDS: Cisco-vds-01 Path: 101/1/1-2
VLAN: dynamic VLAN: dynamic VLAN: 12

Contract Provider: Contract consumer:

permit_to_ permit_to_
web_servers application_servers
tcp 80/443 tcp 3201-3300

Application Profile: MyApp

EPG: Web_2 EPG: App_2 EPG: DB_2

vDS: Cisco-vds-01 vDS: Cisco-vds-01 Path: 101/1/1-2
VLAN: dynamic VLAN: dynamic VLAN: 12
EPG Web_2 Inherits the
contracts from Web_1

72
Checking the Provided/Consumed Contracts
apic1# show epg
Tenant Application AEPg Consumed Contracts Provided Contracts Denied Contracts Description
---------- ---------- ---------- -------------------- -------------------- -------------------- ------------
Cisco MyApp App permit_to_database_servers permit_to_application_servers MyApp | App

Cisco MyApp DB permit_to_database_servers MyApp | DB

Cisco MyApp Web permit_to_application_servers permit_to_web_servers MyApp | Web

73
Checking the Provided/Consumed Contracts
apic1# show epg
Tenant Application AEPg Consumed Contracts Provided Contracts Denied Contracts Description
---------- ---------- ---------- -------------------- -------------------- -------------------- ------------
Cisco MyApp App permit_to_database_servers permit_to_application_servers MyApp | App

Cisco MyApp DB permit_to_database_servers MyApp | DB

Cisco MyApp Web permit_to_application_servers permit_to_web_servers MyApp | Web

73
What happens if I don’t know the required Filter ports?

74
Filter discovery
• Ask the Application Owner – it’s their application, they will (ok should) know
• Ask the Security Admin for the firewall rules
• Use an “any-any” Filter between EPGs ! Most customers start here
• Install Tetration for Application Dependency Mapping
• Use Wireshark
• Configure “Unenforced” mode on the VRF

75
Deep Dive – Bridge
Domains

76
Bridge Domain Forwarding Options
Hardware Proxy (default) Flood and Learn
• Unknown Unicast sent to Spine Proxy (forward/ • Unknown Unicast flooded over multicast tree
discarded) and constrained in BD or Encap
• Removes unknown unicast flooding
Bridge Domain Forwarding –
Hardware Proxy (Unicast
Routing)

78
Bridge Domain Forwarding – Hardware Proxy

79
Bridge Domain Forwarding – Hardware Proxy
Tenant: common
VRF: vrf-01

APIC

BD: 10.52.248.192_27
APIC
GW:10.52.248.193/27
Advertise Externally: Yes
APIC

No unknown unicast Tenant: ssharman

flooding Application Profile: Candid
EPG: candid-
prod-64.1.0.0.872
vDS: Cisco-vds-01
BD:10.52.248.192/27 BD:10.52.248.192/27 VLAN: dynamic
GW:10.52.249.193/27 GW:10.52.249.193/27
Advertise Externally: Yes Advertise Externally: Yes

EPG: infra-ssharman-29
Interface: candid-prod-64.1.0.0.872
VLAN: 2087 vDS
Portgoup:
ssharman|Candid|candid-
candid- prod-64.1.0.0.872
VM VM VM

VM VM VM

79
Bridge Domain Forwarding – Hardware Proxy

80
Bridge Domain Forwarding – Hardware Proxy

80
Bridge Domain Forwarding – Hardware Proxy
If the destination Mac/IP is not known the packet is sent to the Spine proxy database, where it will be
forwarded or discarded

EPG learns Mac and

IP Addresses

80
Endpoint Learning – Flood and Learn with Unicast Routing
Enabled
apic1# show endpoints vlan 2087
Legends:
(P):Primary VLAN
(S):Secondary VLAN

Dynamic Endpoints:
Tenant : ssharman
Application : Candid
AEPg : candid-prod-64.1.0.0.872

End Point MAC IP Address Node Interface Encap Multicast Add

----------------- ---------------------------------------- ---------- ------------------------------ --------------- ---------------
00:50:56:99:08:11 10.52.248.203 101 eth1/22 vlan-2087 not-applicable
00:50:56:99:B4:7B 10.52.248.204 101 eth1/21 vlan-2087 not-applicable
00:50:56:99:EF:B3 10.52.248.202 101 eth1/21 vlan-2087 not-applicable

Total Dynamic Endpoints: 3

Total Static Endpoints: 0

81
Endpoint Learning – Flood and Learn with Unicast Routing
Enabled
apic1# show endpoints vlan 2087
Legends:
(P):Primary VLAN
(S):Secondary VLAN

Dynamic Endpoints:
Tenant : ssharman
Application : Candid
AEPg : candid-prod-64.1.0.0.872

End Point MAC IP Address Node Interface Encap Multicast Add

Total Dynamic Endpoints: 3

Total Static Endpoints: 0

81
Bridge Domain Forwarding –
Flood and Learn with Unicast
Routing Disabled

82
Bridge Domain Forwarding – Flood and Learn with Unicast
Routing Disabled

83
Bridge Domain Forwarding – Flood and Learn with Unicast
Routing Disabled

APIC Tenant: ssharman

VRF: vrf-01
APIC

APIC

BD: outside_infra-
ssharman-29
Unknown unicast GW: N/A
Advertise Externally: N/A
flooded over multicast
tree

Tenant: ssharman

BD: infra-ssharman-29
Application Profile: lab-vlans
BD: infra-ssharman-29
GW: N/A GW: N/A EPG: infra-ssharman-29
Advertise Externally: N/A Advertise Externally: N/A Path:
1Gbps_vPC_to_n5548
VLAN: 29
EPG: infra-ssharman-29
Interface:1Gbps_vPC_to_n5548
VLAN: 29

H1 H2
H1 H2 H3

83
Bridge Domain Forwarding – Flood and Learn with Unicast
Routing Disabled
Bridge Domain Forwarding – Flood and Learn with Unicast
Routing Disabled
Unknown Unicast flooded over multicast tree and constrained in BD or Encap

ARP is always flooded when

Hardware Proxy is disabled
Bridge Domain Forwarding – Flood and Learn with Unicast
Routing Disabled
Unknown Unicast flooded over multicast tree and constrained in BD or Encap

Unicast routing enables/disables

the learning of IP addresses for a
given BD

ARP is always flooded when

Hardware Proxy is disabled

If Unicast routing is disabled ARP

is always flooded
Bridge Domain Forwarding – Flood and Learn with Unicast
Routing Disabled
Unknown Unicast flooded over multicast tree and constrained in BD or Encap

Unicast routing enables/disables

the learning of IP addresses for a
given BD

ARP is alway s flooded when

Hardware P roxy is disabled

IIffUUnniicacaststrorouuttinnggissddiisasabblleeddA
R
AR
PP
EPG only learns Mac issaalwwaaysysfloodedflooded
Addresses
Endpoint Learning – Flood and Learn with Unicast Routing
Disabled
apic1# show endpoints vlan 29
Legends:
(P):Primary VLAN
(S):Secondary VLAN
Dynamic Endpoints:
Tenant : ssharman
Application : lab-vlans
AEPg : infra-ssharman-29

End Point MAC IP Address Node Interface Encap Multicast Add

----------------- ---------------------------------------- ---------- ------------------------------ --------------- ---------------
00:00:0C:07:AC:1D --- 101 102 vpc 1Gbps_vPC_to_n5548 vlan-29 not-applicable
00:18:74:E2:15:40 --- 101 102 vpc 1Gbps_vPC_to_n5548 vlan-29 not-applicable
00:1A:A2:D5:C0:80 --- 101 102 vpc 1Gbps_vPC_to_n5548 vlan-29 not-applicable
00:26:0B:F1:F0:02 --- 101 102 vpc 1Gbps_vPC_to_n5548 vlan-29 not-applicable
00:50:56:86:25:74 --- 102 eth1/21 vlan-29 not-applicable

Total Dynamic Endpoints: 5

Total Static Endpoints: 0

85
Endpoint Learning – Flood and Learn with Unicast Routing
Disabled
apic1# show endpoints vlan 29
Legends:
(P):Primary VLAN
(S):Secondary VLAN
Dynamic Endpoints:
Tenant : ssharman
Application : lab-vlans
AEPg : infra-ssharman-29

End Point MAC IP Address Node Interface Encap Multicast Add

Total Dynamic Endpoints: 5

Total Static Endpoints: 0

85
Bridge Domain Forwarding –
Flood and Learn with Unicast
Routing Enabled

86
Bridge Domain Forwarding – Flood and Learn with Unicast
Routing Enabled

87
Bridge Domain Forwarding – Flood and Learn with Unicast
Routing Enabled

APIC Tenant: ssharman

VRF: vrf-01
APIC

APIC

BD: outside_infra-
ssharman-29
Unknown unicast GW: N/A
Advertise Externally: N/A
flooded over multicast
tree

Tenant: ssharman

H1 H2
H1 H2 H3

87
Bridge Domain Forwarding – Flood and Learn with Unicast
Routing Enabled
Bridge Domain Forwarding – Flood and Learn with Unicast
Routing Enabled
Bridge Domain Forwarding – Flood and Learn with Unicast
Routing Enabled

Unicast routing enables/disables

the learning of IP addresses for a
given BD
Bridge Domain Forwarding – Flood and Learn with Unicast
Routing Enabled
Unknown Unicast flooded over multicast tree and constrained in BD or Encap

Unicast routing enables/disables

the learning of IP addresses for a
given BD

EPG learns Mac and

IP Addresses
Endpoint Learning – Flood and Learn with Unicast Routing
Enabled
apic1# show endpoints vlan 29
Legends:
(P):Primary VLAN
(S):Secondary VLAN

Dynamic Endpoints:
Tenant : ssharman
Application : lab-vlans
AEPg : infra-ssharman-29

End Point MAC IP Address Node Interface Encap Multicast Add

----------------- ---------------------------------------- ---------- ------------------------------ --------------- ---------------
00:00:0C:07:AC:1D --- 101 102 vpc 1Gbps_vPC_to_n5548 vlan-29 not-applicable
00:18:74:E2:15:40 192.168.29.2 101 102 vpc 1Gbps_vPC_to_n5548 vlan-29 not-applicable
00:1A:A2:D5:C0:80 192.168.29.3 101 102 vpc 1Gbps_vPC_to_n5548 vlan-29 not-applicable
00:26:0B:F1:F0:02 --- 101 102 vpc 1Gbps_vPC_to_n5548 vlan-29 not-applicable
00:50:56:86:25:74 192.168.29.10 102 eth1/21 vlan-29 not-applicable

Total Dynamic Endpoints: 5

Total Static Endpoints: 0

89
Endpoint Learning – Flood and Learn with Unicast Routing
Enabled
apic1# show endpoints vlan 29
Legends:
(P):Primary VLAN
(S):Secondary VLAN

Dynamic Endpoints:
Tenant : ssharman
Application : lab-vlans
AEPg : infra-ssharman-29

End Point MAC IP Address Node Interface Encap Multicast Add

----------------- ---------------------------------------- ---------- ------------------------------ --------------- ---------------
00:00:0C:07:AC:1D --- 101 102 vpc 1Gbps_vPC_to_n5548 vlan-29 not-applicable
00:18:74:E2:15:40 192.168.29.2 101 102 vpc 1Gbps_vPC_to_n5548 vlan-29 not-applicable
00:1A:A2:D5:C0:80 192.168.29.3 101 102 vpc 1Gbps_vPC_to_n5548 vlan-29 not-applicable
00:26:0B:F1:F0:02 --- 101 102 vpc 1Gbps_vPC_to_n5548 vlan-29 not-applicable
00:50:56:86:25:74 192.168.29.10 102 eth1/21 vlan-29 not-applicable

Total Dynamic Endpoints: 5

Total Static Endpoints: 0

89
90
Why should we be cautious with Unicast Routing Enabled
and no SVI configured…?

90
Subnet behind L3out
L3out Tenant: Cisco
Default Gateway VRF: vrf-01
192.168.10.1/24

BD: 192.168.11.x_24 BD: 192.168.12.x_24

GW:192.168.11.1/24 GW:192.168.12.1/24
Advertise Externally: Yes Advertise Externally: Yes

Communication allowed
EPG: App EPG: DB
vDS: Cisco-vds-01 vDS: Cisco-vds-01
VLAN: dynamic VLAN: dynamic

Communication allowed

vDS
Portgoup: Portgoup:
Cisco:MyApp:App Cisco:MyApp:DB
Communication allowed

VM VM VM VM VM VM

91
Subnet behind L3out
L3out Tenant: Cisco
Default Gateway VRF: vrf-01
192.168.10.1/24

BD: L2 BD: 192.168.11.x_24 BD: 192.168.12.x_24

GW:N/A GW:192.168.11.1/24 GW:192.168.12.1/24
Advertise Externally: N/A Advertise Externally: Yes Advertise Externally: Yes

Communication allowed
EPG: Web
vDS: Cisco-vds-01
VLAN: 10 EPG: App EPG: DB
Domain: outside vDS: Cisco-vds-01 vDS: Cisco-vds-01
Path: vPC_to_outside VLAN: dynamic VLAN: dynamic

Communication allowed

vDS
Portgoup: Portgoup:
Cisco:MyApp:App Cisco:MyApp:DB
Communication allowed

VM VM VM VM VM VM

91
Subnet behind L3out
L3out Tenant: Cisco
Default Gateway VRF: vrf-01
192.168.10.1/24

BD: L2 BD: 192.168.11.x_24 BD: 192.168.12.x_24

GW:N/A GW:192.168.11.1/24 GW:192.168.12.1/24
Advertise Externally: N/A Advertise Externally: Yes Advertise Externally: Yes

Communication allowed
EPG: Web
vDS: Cisco-vds-01
VLAN: 10 EPG: App EPG: DB
Domain: outside vDS: Cisco-vds-01 vDS: Cisco-vds-01
Path: vPC_to_outside VLAN: dynamic VLAN: dynamic
* Proxy B
0050.5686.2574 Leaf-102 Communication allowed
00:50:56:99:0A:11 Po1
192.168.10.10 Po1
00:50:56:99:BB:7B Po1
192.168.10.11 Po1 vDS vDS
00:50:56:99:EC:B3 Po1 Portgoup: Portgoup: Portgoup:
192.168.10.12 Po1 Cisco:MyApp:Web Cisco:MyApp:App Cisco:MyApp:DB
Communication allowed

IP addresses learnt via

L2 EPG for subnet VM VM VM VM VM VM VM VM VM
behind L3out
91
Subnet behind L3out
L3out Tenant: Cisco
Default Gateway VRF: vrf-01
192.168.10.1/24

BD: L2 BD: 192.168.11.x_24 BD: 192.168.12.x_24

GW:N/A GW:192.168.11.1/24 GW:192.168.12.1/24
Advertise Externally: N/A Advertise Externally: Yes Advertise Externally: Yes

d
apic1# fabric 101 clear system internal epm endpoint vrf Cisco:vrf-01 remote
e
w

Communication allo
EPG: Web
vDS: Cisco-vds-01
VLAN: 10 EPG: App EPG: DB
Domain: outside vDS: Cisco-vds-01 vDS: Cisco-vds-01
Path: vPC_to_outside VLAN: dynamic VLAN: dynamic
* Proxy B
0050.5686.2574 Leaf-102 Communication allowed
00:50:56:99:0A:11 Po1
192.168.10.10 Po1
00:50:56:99:BB:7B Po1
192.168.10.11 Po1 vDS vDS
00:50:56:99:EC:B3 Po1 Portgoup: Portgoup: Portgoup:
192.168.10.12 Po1 Cisco:MyApp:Web Cisco:MyApp:App Cisco:MyApp:DB
Communication allowed

IP addresses learnt via

L2 EPG for subnet VM VM VM VM VM VM VM VM VM
behind L3out
91
92
How do we prevent this scenario…?

92
Enforce Subnet Check on Bridge Domain to prevent IP
Learning

93
Enforce Subnet Check on Bridge Domain to prevent IP
Learning

93
Bridge Domain Configuration Recommendations
Generation 1 Generation 2 Mixed Leafs
• Bridge Domain Configuration • Fabric Wide Configuration • Bridge Domain Configuration
• Limit IP Learning ToSubnet • IP Aging Policy (enabled by • Limit IP Learning ToSubnet
default)
• Fabric Wide Configuration • Disable Remote EP Learn (on • Fabric Wide Configuration
• IP Aging Policy (enabled by border leaf) • IP Aging Policy (enabled by
default) • Prerequisite is to set Tenant> default)
Networking> VRFs> Policy
• Disable Remote EP Learn (on Control Enforcement to Ingress • Disable Remote EP Learn (on
border leaf) on your VRF instances border leaf)
• Prerequisite is to set Tenant> • Prerequisite is to set Tenant>
Networking> VRFs> Policy
• Enforce Subnet Check Networking> VRFs> Policy
Control Enforcement to Ingress Control Enforcement to Ingress
on your VRF instances on your VRF instances
• Enforce Subnet Check

94
Deep Dive – EPG
Forwarding

95
Spine Proxy Table
0025.b5dc.034e Leaf-102 ARP table only used for L3out
10.52.248.21 Leaf-102

Packet Walk
0025.b5dc.040f Leaf-101
10.52.248.20 Leaf-101
10.52.248.204 Leaf-101
apic1# fabric 101 show ip arp
00:50:56:99:EF:B3 Leaf-101 ----------------------------------------------------------------
10.52.248.202 Leaf-101 Node 101 (Leaf-101)
----------------------------------------------------------------
00:00:0C:07:AC:1D Leaf-101 Flags: * - Adjacencies learnt on non-active FHRP router
00:18:74:E2:15:40 Leaf-101 + - Adjacencies synced via CFSoE
# - Adjacencies Throttled for Glean
APIC 00:1A:A2:D5:C0:80 Leaf-101 D - Static Adjacencies attached to down interface
0050.5686.2574 Leaf-102
IP ARP Table for all contexts
APIC
Total number of entries: 4
Address Age MAC Address Interface
10.0.0.1 - b838.61f7.1435 vlan1
APIC
101.0.100.1 00:07:39 0018.74e2.1540 eth1/96.9
101.0.101.1 00:06:59 0018.74e2.1540 eth1/96.13
101.0.102.1 00:06:59 0018.74e2.1540 eth1/96.25

Leaf: 101
Leaf 101 BD: vlan-8_host-mgmt
Leaf: 102
BD: vlan-8_host-mgmt
* Proxy B GW:10.52.248.193/27 GW:10.52.248.193/27
Advertise Externally: Yes Advertise Externally: Yes
Tunnel22
0050.5686.2574 (Leaf-102) Global Leaf 102
Tunnel22 EPG: host-mgmt * Proxy B
0025.b5dc.034e (Leaf-102) Interface: 101-102/1/21 Tunnel06
Tunnel22
VLAN: 8 0050.2986.2574 (Leaf-103) Global
10.52.248.21 (Leaf-102) Local Tunnel15
0025.b5dc.040f 1/21 0025.b5dc.040f (Leaf-101)
10.52.248.20 1/21 Tunnel15
C1 C2 C3 10.52.248.20 (Leaf-101) Local
0025.b5dc.034e 1/21
.20 .21 10.52.248.21 1/21

101/1/21 Tun22

BRKACI-1002 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 96
Spine Proxy Table
0025.b5dc.034e Leaf-102
10.52.248.21 Leaf-102

Packet Walk
0025.b5dc.040f Leaf-101
10.52.248.20 Leaf-101
10.52.248.204 Leaf-101
00:50:56:99:EF:B3 Leaf-101
10.52.248.202 Leaf-101
00:00:0C:07:AC:1D Leaf-101
00:18:74:E2:15:40 Leaf-101
APIC 00:1A:A2:D5:C0:80 Leaf-101
0050.5686.2574 Leaf-102
APIC

APIC

IP Payload

Packet Sourced from

1 Leaf: 101
physical server Leaf 101 BD: vlan-8_host-mgmt
Leaf: 102
BD: vlan-8_host-mgmt
* Proxy B GW:10.52.248.193/27 GW:10.52.248.193/27
Advertise Externally: Yes Advertise Externally: Yes
Tunnel22
0050.5686.2574 (Leaf-102) Global Leaf 102
Tunnel22 EPG: host-mgmt * Proxy B
0025.b5dc.034e (Leaf-102) Interface: 101-102/1/21 Tunnel06
Tunnel22
VLAN: 8 0050.2986.2574 (Leaf-103) Global
10.52.248.21 (Leaf-102) Local Tunnel15
0025.b5dc.040f 1/21 0025.b5dc.040f (Leaf-101)
10.52.248.20 1/21 Tunnel15
C1 C2 C3 10.52.248.20 (Leaf-101) Local
0025.b5dc.034e 1/21
.20 .21 10.52.248.21 1/21

101/1/21 Tun22

BRKACI-1002 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 96
Spine Proxy Table
0025.b5dc.034e Leaf-102
10.52.248.21 Leaf-102

Packet Walk
0025.b5dc.040f Leaf-101
10.52.248.20 Leaf-101
10.52.248.204 Leaf-101
00:50:56:99:EF:B3 Leaf-101
10.52.248.202 Leaf-101
00:00:0C:07:AC:1D Leaf-101
00:18:74:E2:15:40 Leaf-101

APIC
00:1A:A2:D5:C0:80 Leaf-101
0050.5686.2574 Leaf-102
APIC

L1 VTEP VXLAN IP Payload APIC

Leaf swaps ingress encapsulation with VXLAN (EPG)

2 ID and performs any required policy functions

IP Payload

Packet Sourced from

101/1/21 Tun22
Spine Proxy Table
0025.b5dc.034e Leaf-102
10.52.248.21 Leaf-102

Packet Walk
0025.b5dc.040f Leaf-101
10.52.248.20 Leaf-101
10.52.248.204 Leaf-101
00:50:56:99:EF:B3 Leaf-101
L6 VTEP VXLAN IP Payload 10.52.248.202 Leaf-101 S1 VTEP VXLAN IP Payload
00:00:0C:07:AC:1D Leaf-101
If the ingress Leaf has learned the If the ingress Leaf has NOT learned the
destination IP to egress VTEP binding it 00:18:74:E2:15:40 Leaf-101 destination IP to egress VTEP binding it
3a will set required destination VTEP APIC
00:1A:A2:D5:C0:80 Leaf-101 3b will set required destination VTEP to the
address and forward 0050.5686.2574 Leaf-102 Spine Proxy VTEP
APIC

L1 VTEP VXLAN IP Payload APIC

Leaf swaps ingress encapsulation with VXLAN (EPG)

2 ID and performs any required policy functions

IP Payload

Packet Sourced from

101/1/21 Tun22
Spine Proxy Table
0025.b5dc.034e Leaf-102
10.52.248.21 Leaf-102

L1 VTEP VXLAN IP Payload APIC L6 VTEP VXLAN IP Payload

Leaf swaps ingress encapsulation with VXLAN (EPG) Leaf removes ingress VXLAN (EPG) ID and performs
2 ID and performs any required policy functions
4 any required policy functions

IP Payload

Packet Sourced from

101/1/21 Tun22
Spine Proxy Table
0025.b5dc.034e Leaf-102
10.52.248.21 Leaf-102

L1 VTEP VXLAN IP Payload APIC L6 VTEP VXLAN IP Payload

Leaf swaps ingress encapsulation with VXLAN (EPG) Leaf removes ingress VXLAN (EPG) ID and performs
2 ID and performs any required policy functions
4 any required policy functions

IP Payload IP Payload

Packet Sourced from Packet Delivered to

1 Leaf: 101 5
physical server Leaf 101 BD: vlan-8_host-mgmt
Leaf: 102
BD: vlan-8_host-mgmt
physical server
* Proxy B GW:10.52.248.193/27 GW:10.52.248.193/27
Advertise Externally: Yes Advertise Externally: Yes
Tunnel22
0050.5686.2574 (Leaf-102) Global Leaf 102
Tunnel22 EPG: host-mgmt * Proxy B
0025.b5dc.034e (Leaf-102) Interface: 101-102/1/21 Tunnel06
Tunnel22
VLAN: 8 0050.2986.2574 (Leaf-103) Global
10.52.248.21 (Leaf-102) Local Tunnel15
0025.b5dc.040f 1/21 0025.b5dc.040f (Leaf-101)
10.52.248.20 1/21 Tunnel15
C1 C2 C3 10.52.248.20 (Leaf-101) Local
0025.b5dc.034e 1/21
.20 .21 10.52.248.21 1/21

101/1/21 Tun22
The EPG shows the switches where the Mac/IP addresses
are learned

97
The EPG shows the switches where the Mac/IP addresses
are learned

97
The EPG shows the switches where the Mac/IP addresses
are learned
apic1# show endpoints vlan 8
Legends:
(P):Primary VLAN
(S):Secondary VLAN

Dynamic Endpoints:
Tenant : common
Application : outside_vlans
AEPg : vlan-8_host-mgmt

End Point MAC IP Address Node Interface Encap Multicast Add

----------------- ---------------------------------------- ---------- ------------------------------ --------------- ---------------
00:25:B5:DC:04:0F 10.52.248.20 101 eth1/21 vlan-8 not-applicable
00:25:B5:DC:03:4E 10.52.248.21 102 eth1/21 vlan-8 not-applicable

98
The EPG shows the switches where the Mac/IP addresses
are learned
apic1# show endpoints vlan 8
Legends:
(P):Primary VLAN
(S):Secondary VLAN

Dynamic Endpoints:
Tenant : common
Application : outside_vlans
AEPg : vlan-8_host-mgmt

End Point MAC IP Address Node Interface Encap Multicast Add

98
External Connectivity

99
100
Layer 2 connectivity
1 Bridge Domain = 1 Outside VLAN

100
External Layer 2 – Extended EPG
Tenant: Cisco
Default Gateway VRF: vrf-01
192.168.10.1/24

Communication allowed
BD: 192.168.11.x_24 BD: 192.168.12.x_24
GW:192.168.11.1/24 GW:192.168.12.1/24
Advertise Externally: Yes Advertise Externally: Yes

EPG: App EPG: DB

vDS: Cisco-vds-01 vDS: Cisco-vds-01
VLAN: dynamic VLAN: dynamic
Web_VL10

VM VM VM vDS
Portgoup: Portgoup:
Cisco:MyApp:App Cisco:MyApp:DB
Communication allowed

VM VM VM VM VM VM

101
External Layer 2 – Extended EPG
Tenant: Cisco
Default Gateway VRF: vrf-01
192.168.10.1/24

Communication allowed
BD: 192.168.11.x_24 BD: 192.168.12.x_24
GW:192.168.11.1/24 GW:192.168.12.1/24
Advertise Externally: Yes Advertise Externally: Yes

EPG: App EPG: DB

vDS: Cisco-vds-01 vDS: Cisco-vds-01
VLAN: dynamic VLAN: dynamic

Web_VL10

vDS
VM VM VM Portgoup: Portgoup:
Cisco:MyApp:App Cisco:MyApp:DB
Communication allowed

VM VM VM VM VM VM

101
External Layer 2 – Extended EPG
Tenant: Cisco
Default Gateway VRF: vrf-01
192.168.10.1/24

Communication allowed
BD: Outside_Web_VL10 BD: 192.168.11.x_24 BD: 192.168.12.x_24
GW:N/A GW:192.168.11.1/24 GW:192.168.12.1/24
Advertise Externally: Yes Advertise Externally: Yes Advertise Externally: Yes

Application Profile: MyApp

EPG: Outside_Web_VL10
EPG: App EPG: DB
Domain: Outside vDS: Cisco-vds-01 vDS: Cisco-vds-01
Path: vpc_to_legacy
VLAN: dynamic VLAN: dynamic
VLAN: 10
Web_VL10

VM VM VM vDS
Portgoup: Portgoup: Portgoup:
Cisco:MyApp:Web Cisco:MyApp:App Cisco:MyApp:DB
Communication allowed

VM VM VM VM VM VM VM VM VM

101
102
Layer 3 connectivity
L3out’s are simply routed interfaces/sub interfaces/SVIs

102
Anatomy of a L3out
Tenant: Common
VRF: vrf-01

BD: 192.168.10.x_24
GW:192.168.10.1/24
Advertise Externally: Yes

EPG: Web
vDS: Cisco-vds-01
VLAN: dynamic

103
Anatomy of a L3out
Tenant: Common
VRF: vrf-01

BD: 192.168.10.x_24
GW:192.168.10.1/24
Advertise Externally: Yes

EPG: Web
vDS: Cisco-vds-01
VLAN: dynamic

103
Anatomy of a L3out
Tenant: Common
External Routed VRF: vrf-01
Network (L3out)
VRF: Common:VRF-01
Routing Protocol

BD: 192.168.10.x_24
GW:192.168.10.1/24
Advertise Externally: Yes

EPG: Web
vDS: Cisco-vds-01
VLAN: dynamic

103
Anatomy of a L3out
Tenant: Common
Logical Node Profile External Routed VRF: vrf-01
Switch ID / Router-ID Network (L3out)
Static-Routes* VRF: Common:VRF-01
Loopback Address Routing Protocol

BD: 192.168.10.x_24
GW:192.168.10.1/24
Advertise Externally: Yes

EPG: Web
vDS: Cisco-vds-01
VLAN: dynamic

103
Anatomy of a L3out
Tenant: Common
Logical Node Profile External Routed VRF: vrf-01
Switch ID / Router-ID Network (L3out)
Static-Routes* VRF: Common:VRF-01
Loopback Address Routing Protocol

Logical Interfaces
Profile
Routed Interface Type
Interface IP Address
BD: 192.168.10.x_24
GW:192.168.10.1/24
Advertise Externally: Yes

EPG: Web
vDS: Cisco-vds-01
VLAN: dynamic

103
Anatomy of a L3out
Tenant: Common
Logical Node Profile External Routed VRF: vrf-01
Switch ID / Router-ID Network (L3out)
Static-Routes* VRF: Common:VRF-01
Loopback Address Routing Protocol

Logical Interfaces
Profile
Routed Interface Type
Interface IP Address
BD: 192.168.10.x_24
GW:192.168.10.1/24
Advertise Externally: Yes

OSPF Interface Profile*

Authentication
OSPF Interface Policy

EPG: Web
vDS: Cisco-vds-01
OSPF Interface Policy* VLAN: dynamic
OSPF Interface Type
Timers

103
Anatomy of a L3out
Tenant: Common
Logical Node Profile External Routed VRF: vrf-01
Switch ID / Router-ID Network (L3out)
Static-Routes* VRF: Common:VRF-01
Loopback Address Routing Protocol

Logical Interfaces
Profile
Routed Interface Type
Interface IP Address
BD: 192.168.10.x_24
GW:192.168.10.1/24
Ext Switch: 6ka
VRF: global Advertise Externally: Yes

OSPF Interface Profile*

Authentication
OSPF Interface Policy

Ext Switch: 6kb

VRF: global
EPG: Web
vDS: Cisco-vds-01
OSPF Interface Policy* VLAN: dynamic
OSPF Interface Type
Timers

103
Anatomy of a L3out
Tenant: Common
Logical Node Profile External Routed VRF: vrf-01
Switch ID / Router-ID Network (L3out)
Static-Routes* VRF: Common:VRF-01
Loopback Address Routing Protocol

Logical Interfaces Logical Networks

Profile (List of permitted
Routed Interface Type remote subnets)
Interface IP Address 0.0.0.0/0
BD: 192.168.10.x_24
GW:192.168.10.1/24
Ext Switch: 6ka

Co
m
VRF: global Advertise Externally: Yes

m
un
OSPF Interface Profile*

ica
tio
Authentication

n
al
OSPF Interface Policy

lo
we
d
Ext Switch: 6kb
VRF: global
EPG: Web
vDS: Cisco-vds-01
OSPF Interface Policy* VLAN: dynamic
OSPF Interface Type
Timers

103
Shared L3out
Tenant: Common Tenant: Cisco
VRF: vrf-01 VRF: vrf-01
Route Leak 0.0.0.0/0

Co
mm
BD: 192.168.10.x_24 BD: 192.168.11.x_24 BD: 192.168.12.x_24

uni
GW:192.168.10.1/24 GW:192.168.11.1/24 GW:192.168.12.1/24

cati
on
Advertise Externally: Yes Advertise Externally: Yes Advertise Externally: Yes

allo
we
d
Ext Switch: 6ka
VRF: global Application Profile: MyApp

EPG: Web EPG: App EPG: DB

vDS: Cisco-vds-01 vDS: Cisco-vds-01 Path: 101/1/1-2
VLAN: dynamic VLAN: dynamic VLAN: 12
Ext Switch: 6kb
VRF: global

vDS
Portgoup: Portgoup:
Cisco:MyApp:Web Cisco:MyApp:App

VM VM VM VM VM VM

Communication allowed Communication allowed

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 104
Shared L3out
Tenant: Common Tenant: Cisco
VRF: vrf-01 VRF: vrf-01
Route Leak 0.0.0.0/0

Co
mm
BD: 192.168.10.x_24 BD: 192.168.11.x_24 BD: 192.168.12.x_24

uni
GW:192.168.10.1/24 GW:192.168.11.1/24

cati
GW:192.168.12.1/24

on
Advertise Externally: Yes Advertise Externally: Yes Advertise Externally: Yes

allo
we
d
Ext Switch: 6ka
VRF: global Application Profile: MyApp

EPG: Web EPG: App EPG: DB

vDS: Cisco-vds-01 vDS: Cisco-vds-01 Path: 101/1/1-2
VLAN: dynamic VLAN: dynamic VLAN: 12
Ext Switch: 6kb
VRF: global

vDS
Portgoup: Portgoup:
Cisco:MyApp:Web Cisco:MyApp:App

VM VM VM VM VM VM

Communication allowed Communication allowed

Shared L3out
Tenant: Common Tenant: Cisco
VRF: vrf-01 VRF: vrf-01
Route Leak 0.0.0.0/0

Co
mm
BD: 192.168.10.x_24 BD: 19 2.168.11.x_24 BD: 192.168.12.x_24

uni
GW:192.168.10.1/24

cati
GW:192.168.11.1/24 GW:192.168.12.1/24

on
Advertise Externally: Yes Adverti se Externally: Yes Advertise Externally: Yes

allo
we
d
Ext Switch: 6ka
VRF: global Application Profile : MyApp

EPG: Web EPG: App EPG: DB

vDS: Cisco-vds-01 vDS: C iscolive-vds-01 Path: 101/1/1-2
VLAN: dynamic VLAN: dynamic VLAN: 12
Ext Switch: 6kb
VRF: global

vDS
Portgoup: Portgoup:
Cisco:MyApp:Web Cisco:MyApp:App

VM VM VM VM VM VM

Communication allowed
Shared L3out
Tenant: Common Tenant: Cisco
VRF: vrf-01 VRF: vrf-01
Route Leak 0.0.0.0/0

Co
mm
BD: 192.168.10.x_24 BD: 19 2.168.11.x_24 BD: 192.168.12.x_24

uni
GW:192.168.10.1/24

cati
GW:192.168.11.1/24 GW:192.168.12.1/24

on
Advertise Externally: Yes Adverti se Externally: Yes Advertise Externally: Yes

allo
we
d
Ext Switch: 6ka
VRF: global Application Profile : MyApp

EPG: Web EPG: App EPG: DB

vDS: Cisco-vds-01 vDS: C iscolive-vds-01 Path: 101/1/1-2
VLAN: dynamic VLAN: dynamic VLAN: 12
Ext Switch: 6kb
VRF: global

vDS
Portgoup: Portgoup:
Cisco:MyApp:Web Cisco:MyApp:App

VM VM VM VM VM VM
External EPG permits connectivity
to the listed subnets Communication allowed Communication allowed
L3out in the Common Tenant
apic1# fabric 101-102 show ip interface brief vrf common:vrf-01
----------------------------------------------------------------
Node 101 (Leaf-101)
----------------------------------------------------------------
IP Interface Status for VRF "common:vrf-01"(4)
Interface Address Interface Status
eth1/96.9 101.0.100.2/30 protocol-up/link-up/admin-up
vlan12 192.168.110.1/24 protocol-up/link-up/admin-up
vlan54 10.52.248.193/27 protocol-up/link-up/admin-up
lo2 101.1.1.1/32 protocol-up/link-up/admin-up

----------------------------------------------------------------
Node 102 (Leaf-102)
----------------------------------------------------------------
IP Interface Status for VRF "common:vrf-01"(4)
Interface Address Interface Status
eth1/96.5 102.0.100.2/30 protocol-up/link-up/admin-up
vlan9 192.168.110.1/24 protocol-up/link-up/admin-up
vlan53 10.52.248.193/27 protocol-up/link-up/admin-up
lo2 102.1.1.1/32 protocol-up/link-up/admin-up

apic1#

105
L3out in the Common Tenant
apic1# fabric 101-102 show ip interface brief vrf common:vrf-01
----------------------------------------------------------------
Node 101 (Leaf-101)
----------------------------------------------------------------
IP Interface Status for VRF "common:vrf-01"(4) Routed sub interface
Interface Address Interface Status
eth1/96.9 101.0.100.2/30 protocol-up/link-up/admin-up
vlan12 192.168.110.1/24 protocol-up/link-up/admin-up
vlan54 10.52.248.193/27 protocol-up/link-up/admin-up
lo2 101.1.1.1/32 protocol-up/link-up/admin-up

----------------------------------------------------------------
Node 102 (Leaf-102)
---------------------------------------------------------------- Routed sub interface
IP Interface Status for VRF "common:vrf-01"(4)
Interface Address Interface Status
eth1/96.5 102.0.100.2/30 protocol-up/link-up/admin-up
vlan9 192.168.110.1/24 protocol-up/link-up/admin-up
vlan53 10.52.248.193/27 protocol-up/link-up/admin-up
lo2 102.1.1.1/32 protocol-up/link-up/admin-up

apic1#

105
Common Tenant Configuration
Tenant: Common Tenant: Cisco
VRF: vrf-01 VRF: vrf-01
Route Leak 0.0.0.0/0

Ext Switch: 6ka

VRF: global

Ext Switch: 6kb

VRF: global

106
Common Tenant Configuration
Tenant: Common Tenant: Cisco
VRF: vrf-01 VRF: vrf-01
Route Leak 0.0.0.0/0

Leaking 0.0.0.0/0

Ext Switch: 6ka

VRF: global

Ext Switch: 6kb

VRF: global

106
Common Tenant Configuration
Tenant: Common Tenant: Cisco
VRF: vrf-01 VRF: vrf-01
Route Leak 0.0.0.0/0

Leaking 0.0.0.0/0

Ext Switch: 6ka

VRF: global

Ext Switch: 6kb

VRF: global

Consuming the
exported contract

106
Common Tenant Configuration
Tenant: Common Tenant: Cisco
VRF: vrf-01 VRF: vrf-01
Route Leak 0.0.0.0/0

Leaking 0.0.0.0/0

Leaking all
Ext Switch: 6ka routes
VRF: global

Ext Switch: 6kb

VRF: global

Consuming the
exported contract

106
Default Route in Common Tenant
apic1# fabric 101-102 show ip route 0.0.0.0 vrf common:vrf-01
----------------------------------------------------------------
Node 101 (Leaf-101)
----------------------------------------------------------------
IP Route Table for VRF "common:vrf-01"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF<string>

0.0.0.0/0, ubest/mbest: 1/0

*via 101.0.100.1, eth1/96.9, [110/1], 5d17h, ospf-default, type-2, tag 1

----------------------------------------------------------------
Node 102 (Leaf-102)
----------------------------------------------------------------
IP Route Table for VRF "common:vrf-01"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF<string>

0.0.0.0/0, ubest/mbest: 1/0

*via 102.0.100.1, eth1/96.5, [110/1], 5d17h, ospf-default, type-2, tag 1

apic1#

107
Default Route in Common Tenant
apic1# fabric 101-102 show ip route 0.0.0.0 vrf common:vrf-01
----------------------------------------------------------------
Node 101 (Leaf-101)
----------------------------------------------------------------
IP Route Table for VRF "common:vrf-01"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF<string>

0.0.0.0/0, ubest/mbest: 1/0

*via 101.0.100.1, eth1/96.9, [110/1], 5d17h, ospf-default, type-2, tag 1

0.0.0.0/0, ubest/mbest: 1/0

*via 102.0.100.1, eth1/96.5, [110/1], 5d17h, ospf-default, type-2, tag 1

apic1#

107
Default Route in Cisco Tenant
apic1# fabric 101-102 show ip route 0.0.0.0 vrf Cisco:vrf-01
----------------------------------------------------------------
Node 101 (Leaf-101)
----------------------------------------------------------------
IP Route Table for VRF "Cisco:vrf-01"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF<string>

0.0.0.0/0, ubest/mbest: 1/0

*via 101.0.100.1%common:vrf-01, eth1/96.9, [20/1], 00:16:31, bgp-64512, external, tag 64512

----------------------------------------------------------------
Node 102 (Leaf-102)
----------------------------------------------------------------
IP Route Table for VRF "Cisco:vrf-01"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF<string>

0.0.0.0/0, ubest/mbest: 1/0

*via 102.0.100.1%common:vrf-01, eth1/96.5, [20/1], 00:16:33, bgp-64512, external, tag 64512

apic1#

108
Default Route in Cisco Tenant
apic1# fabric 101-102 show ip route 0.0.0.0 vrf Cisco:vrf-01
----------------------------------------------------------------
Node 101 (Leaf-101)
----------------------------------------------------------------
IP Route Table for VRF "Cisco:vrf-01"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF<string>

0.0.0.0/0, ubest/mbest: 1/0

*via 101.0.100.1%common:vrf-01, eth1/96.9, [20/1], 00:16:31, bgp-64512, external, tag 64512

----------------------------------------------------------------
Node 102 (Leaf-102)
----------------------------------------------------------------
IP Route Table for VRF "Cisco:vrf-01"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF<string>

0.0.0.0/0, ubest/mbest: 1/0

*via 102.0.100.1%common:vrf-01, eth1/96.5, [20/1], 00:16:33, bgp-64512, external, tag 64512

apic1#

108
Firewall Integration

109
L3out – Route Peering
Tenant: Common Tenant: Cisco Tenant: Cisco
VRF: vrf-01 VRF: vrf-01 VRF: vrf-02
Route Leak
FW_Out FW_In
EPG: Out EPG: In

Co BD: 192.168.10.x_24 BD: 192.168.11.x_24

m
m GW: 192.168.11.1/24
un GW: 192.168.10.1/24
ica
tio Advertise Externally: Yes Advertise Externally: Yes
n
al
lo
we
d

Ext Switch: 6ka

VRF: global Application Profile: MyApp

EPG: Web EPG: App

vDS: Cisco-vds-01 vDS: Cisco-vds-01
VLAN: dynamic VLAN: dynamic
Ext Switch: 6kb
VRF: global

110
L3out – Route Peering
Tenant: Common Tenant: Cisco Tenant: Cisco
VRF: vrf-01 VRF: vrf-01 VRF: vrf-02
Route Leak
FW_Out FW_In
EPG: Out EPG: In

Co BD: 192.168.10.x_24 BD: 192.168.11.x_24

Communication allowed
Communication allowed
m GW: 192.168.11.1/24
un GW: 192.168.10.1/24
ica
tio Advertise Externally: Yes Advertise Externally: Yes
n
al
lo
we
d

Ext Switch: 6ka

VRF: global Application Profile: MyApp

EPG: Web EPG: App

vDS: Cisco-vds-01 vDS: Cisco-vds-01
VLAN: dynamic VLAN: dynamic
Ext Switch: 6kb
VRF: global

110
NAT
Tenant: Common Tenant: Cisco
VRF: vrf-01 VRF: vrf-01
Route Leak L2 Bridge Domain
Tenant: ssh arman
VRF: vrf-01

Co
mm
BD: 192.168.10.x_24 BD: FW_Inside

uni
GW: 192.168.10.1/24 GW: N/A

cati
on
Advertise Externally: Yes Advertise Externally: N/A

allo
we
d
Ext Switch: 6ka
VRF: global Application Profile: MyApp

EPG: Web EPG: App

vDS: Cisco-vds-01 vDS: Cisco-vds-01
VLAN: dynamic VLAN: dynamic
Ext Switch: 6kb
VRF: global

111
NAT
Tenant: Common Tenant: Cisco
VRF: vrf-01 VRF: vrf-01
Route Leak L2 Bridge Domain
Tenant: ssh arman
VRF: vrf-01

Co
mm
BD: 192.168.10.x_24 BD: FW_Inside

uni
GW: 192.168.10.1/24 GW: N/A

cati
on
Advertise Externally: Yes Advertise Externally: N/A

allo
we
d
Ext Switch: 6ka
VRF: global Application Profile: MyApp

EPG: Web EPG: App

vDS: Cisco-vds-01 vDS: Cisco-vds-01
VLAN: dynamic VLAN: dynamic
Ext Switch: 6kb
VRF: global

Default Gateway

111
PBR – Service Graph
Tenant: Common Tenant: Cisco
VRF: vrf-01 VRF: vrf-01
Route Leak
Tenant: ssh arman
VRF: vrf-01

Co
mm
BD: 192.168.10.x_24 BD: 192.168.11.x_24

uni
GW: 192.168.10.1/24 GW: 192.168.11.1/24

cati
on
Advertise Externally: Yes Advertise Externally: No

allo
we
d
Ext Switch: 6ka
VRF: global Application Profile: MyApp

EPG: Web EPG: App

vDS: Cisco-vds-01 vDS: Cisco-vds-01
VLAN: dynamic VLAN: dynamic
Ext Switch: 6kb
VRF: global

112
PBR – Service Graph
Tenant: Common Tenant: Cisco
VRF: vrf-01 VRF: vrf-01
Route Leak
Tenant: ssh arman
VRF: vrf-01

Co
mm
BD: 192.168.10.x_24 BD: 192.168.11.x_24

uni
GW: 192.168.10.1/24 GW: 192.168.11.1/24

cati
on
Advertise Externally: Yes Advertise Externally: No

allo
we
d
Ext Switch: 6ka
VRF: global Application Profile: MyApp

EPG: Web EPG: App

vDS: Cisco-vds-01 vDS: Cisco-vds-01
VLAN: dynamic VLAN: dynamic
Ext Switch: 6kb
VRF: global
Communication allowed

Contract enforces PBR next hop

to Firewall for specific traffic

112
How does ACI integrate with
VMware’s virtual switches?
Why should you care about integrating with VMware’s
Virtual Switches?

114
A perceived barrier to timely delivery of new services
(from Virtualization Teams) is that it takes too long to
provision Network Services i.e. VLANs, Subnets,
and L4-7 Devices

Most automation projects start with server/

application teams, therefore it makes sense to offer
the network as a consumable service

115
There are four integration options with VMware
1. Independently configure the vSwitch/vDS as you do today
2. Create EPGs on vCenter and map them to an APIC managed vDS to create port groups – requires
ACI plugin
3. Create EPGs on APIC and map them to an APIC managed vDS to create port groups

4. Create EPGs on APIC and map them to an AVE to create port groups
Network Team configures VRFs/subnets

117
Network Team configures VRFs/subnets
Tenant: Cisco
VRF: vrf-01
APIC

BD: 192.168.10.x_24 BD: 192.168.11.x_24 BD: 192.168.12.x_24

GW:192.168.10.1/24 GW:192.168.11.1/24 GW:192.168.12.1/24
Advertise Externally: Yes Advertise Externally: Yes Advertise Externally: Yes

117
Server Team configures network interfaces
Tenant: Cisco
VRF: vrf-01
APIC

BD: 192.168.10.x_24 BD: 192.168.11.x_24 BD: 192.168.12.x_24

GW:192.168.10.1/24 GW:192.168.11.1/24 GW:192.168.12.1/24
Advertise Externally: Yes Advertise Externally: Yes Advertise Externally: Yes

118
Server Team configures network interfaces API Connection

Tenant: Cisco
VRF: vrf-01
APIC

BD: 192.168.10.x_24 BD: 192.168.11.x_24 BD: 192.168.12.x_24

GW:192.168.10.1/24 GW:192.168.11.1/24 GW:192.168.12.1/24
Advertise Externally: Yes Advertise Externally: Yes Advertise Externally: Yes

118
VMware Team pushes vDS
Tenant: Cisco
VRF: vrf-01
APIC

BD: 192.168.10.x_24 BD: 192.168.11.x_24 BD: 192.168.12.x_24

GW:192.168.10.1/24 GW:192.168.11.1/24 GW:192.168.12.1/24
Advertise Externally: Yes Advertise Externally: Yes Advertise Externally: Yes

119
VMware Team pushes vDS API Connection

Tenant: Cisco
VRF: vrf-01
APIC

vCenter

BD: 192.168.10.x_24 BD: 192.168.11.x_24 BD: 192.168.12.x_24

GW:192.168.10.1/24 GW:192.168.11.1/24 GW:192.168.12.1/24
Advertise Externally: Yes Advertise Externally: Yes Advertise Externally: Yes

vDS

vDS pushed to ESX

Hosts

119
VMware Team pushes portgroups
Tenant: Cisco
VRF: vrf-01
APIC

vCenter

BD: 192.168.10.x_24 BD: 192.168.11.x_24 BD: 192.168.12.x_24

GW:192.168.10.1/24 GW:192.168.11.1/24 GW:192.168.12.1/24
Advertise Externally: Yes Advertise Externally: Yes Advertise Externally: Yes

vDS

vDS pushed to ESX

Hosts

120
VMware Team pushes portgroups
Tenant: Cisco
VRF: vrf-01
APIC

vCenter

BD: 192.168.10.x_24 BD: 192.168.11.x_24 BD: 192.168.12.x_24

GW:192.168.10.1/24 GW:192.168.11.1/24 GW:192.168.12.1/24
Advertise Externally: Yes Advertise Externally: Yes Advertise Externally: Yes

vDS

vDS pushed to ESX

Hosts

120
VMware Team pushes portgroups
Tenant: Cisco
VRF: vrf-01
APIC

vCenter

BD: 192.168.10.x_24 BD: 192.168.11.x_24 BD: 192.168.12.x_24

GW:192.168.10.1/24 GW:192.168.11.1/24 GW:192.168.12.1/24
Advertise Externally: Yes Advertise Externally: Yes Advertise Externally: Yes

Application Profile: MyApp

EPG: Web EPG: App EPG: DB

vDS: Cisco-vds-01 vDS: Cisco-vds-01 Path: 101/1/1-2
VLAN: dynamic VLAN: dynamic VLAN: 12

vDS
Portgoup: Portgoup:
Cisco:MyApp:Web Cisco:MyApp:App
vDS pushed to ESX
Hosts

120
Application Team deploys VMs
Tenant: Cisco
VRF: vrf-01
APIC

BD: 192.168.10.x_24 BD: 192.168.11.x_24 BD: 192.168.12.x_24

GW:192.168.10.1/24 GW:192.168.11.1/24 GW:192.168.12.1/24
Advertise Externally: Yes Advertise Externally: Yes Advertise Externally: Yes

Application Profile: MyApp

EPG: Web EPG: App EPG: DB

vDS: Cisco-vds-01 vDS: Cisco-vds-01 Path: 101/1/1-2
VLAN: dynamic VLAN: dynamic VLAN: 12

vDS
Portgoup: Portgoup:
Cisco:MyApp:Web Cisco:MyApp:App
vDS pushed to ESX
Hosts

121
Application Team deploys VMs
Tenant: Cisco
VRF: vrf-01
APIC

vCenter

BD: 192.168.10.x_24 BD: 192.168.11.x_24 BD: 192.168.12.x_24

GW:192.168.10.1/24 GW:192.168.11.1/24 GW:192.168.12.1/24
Advertise Externally: Yes Advertise Externally: Yes Advertise Externally: Yes

Application Profile: MyApp

EPG: Web EPG: App EPG: DB

vDS: Cisco-vds-01 vDS: Cisco-vds-01 Path: 101/1/1-2
VLAN: dynamic VLAN: dynamic VLAN: 12

vDS
Portgoup: Portgoup:
Cisco:MyApp:Web Cisco:MyApp:App
vDS pushed to ESX
Hosts

VM VM VM VM VM VM

121
There are two ways to interoperate with VMware NSX
Option 1 – NSX for Virtual Machine Security:
• Uses NSX as a security and services solution (DFW, LB, etc.)
• ACI functions as integrated overlay and underlay
• No requirement for NSX VTEP configuration
• ACI uses VMM Domain programming application dvPortGroups
There are two ways to interoperate with VMware NSX
Option 2 – NSX for Networking and Virtual Machine Security:
• ACI functions as an underlay network
• NSX functions as a VXLAN overlay
• Customer follows VMware Design Recommendations
• ACI can use VMM Domain to enhance visibility
• NSX Host to Host VTEP connectivity can use ACI in various VTEP subnet
models:
• Single VTEP Subnet
• VTEP Subnet per Rack
• VTEP Subnet per Cluster
NSX Overlay
Tenant: Cisco
VRF: vrf-01
L3out: Ext L3out: NSX
EPG EPG

BD: NSX
GW:N/A
Advertise Externally: Yes

Single EPG/VLAN for

Ext Switch: 6ka NSX VTEP
VRF: global
EPG: NSX
vDS: Cisco-vds-01
VLAN: 1000

Ext Switch: 6kb

VRF: global VTEP VTEP VTEP VTEP
10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4

LogicalSwitch: Web LogicalSwitch: App LogicalSwitch: DB

GW:192.168.10.1/24 GW:192.168.11.1/24 GW:192.168.12.1/24

VM VM VM VM VM VM
124
NSX Overlay
Tenant: Cisco
VRF: vrf-01
L3out: Ext L3out: NSX
EPG EPG

ring
BD: NSX
GW:N/A
pee
Advertise Externally: Yes
ute

Single EPG/VLAN for

Ext Switch: 6ka NSX VTEP
Ro

VRF: global
EPG: NSX
vDS: Cisco-vds-01
VLAN: 1000

Ext Switch: 6kb

VRF: global VTEP VTEP VTEP VTEP
10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4

LogicalSwitch: Web LogicalSwitch: App LogicalSwitch: DB

GW:192.168.10.1/24 GW:192.168.11.1/24 GW:192.168.12.1/24

VM VM VM VM VM VM
124
NSX Overlay
Tenant: Cisco Route peering
VRF: vrf-01
L3out: Ext L3out: NSX
EPG EPG

ESG
ring
BD: NSX
GW:N/A
pee
Advertise Externally: Yes
ute

Single EPG/VLAN for

Ext Switch: 6ka NSX VTEP
Ro

VRF: global
EPG: NSX
vDS: Cisco-vds-01
VLAN: 1000

Ext Switch: 6kb

VRF: global VTEP VTEP VTEP VTEP
10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4

LogicalSwitch: Web LogicalSwitch: App LogicalSwitch: DB

GW:192.168.10.1/24 GW:192.168.11.1/24 GW:192.168.12.1/24

VM VM VM VM VM VM
124
NSX Overlay
Tenant: Cisco Route peering
VRF: vrf-01
L3out: Ext L3out: NSX
EPG EPG
Route
ESG
programming
ring
BD: NSX
GW:N/A
pee
Advertise Externally: Yes
ute

Single EPG/VLAN for

Ext Switch: 6ka NSX VTEP
Ro

VRF: global
EPG: NSX Controller
vDS: Cisco-vds-01
VLAN: 1000

Ext Switch: 6kb

VRF: global VTEP VTEP VTEP VTEP
10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4

LogicalSwitch: Web LogicalSwitch: App LogicalSwitch: DB

GW:192.168.10.1/24 GW:192.168.11.1/24 GW:192.168.12.1/24

VM VM VM VM VM VM
124
NSX Overlay
Tenant: Cisco Route peering
VRF: vrf-01
L3out: Ext L3out: NSX
EPG EPG
Route
ESG
programming
ring
BD: NSX
GW:N/A
pee
Advertise Externally: Yes
ute

Single EPG/VLAN for

Ext Switch: 6ka NSX VTEP
Ro

VRF: global
EPG: NSX Controller
vDS: Cisco-vds-01 Route
VLAN: 1000
programming
Ext Switch: 6kb DLR
VRF: global VTEP VTEP VTEP VTEP
10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4

LogicalSwitch: Web LogicalSwitch: App LogicalSwitch: DB

GW:192.168.10.1/24 GW:192.168.11.1/24 GW:192.168.12.1/24

VM VM VM VM VM VM
124
NSX Overlay
Tenant: Cisco Route peering
VRF: vrf-01
L3out: Ext L3out: NSX
EPG EPG
Route
ESG
programming
ring
BD: NSX
GW:N/A
pee
Advertise Externally: Yes
ute

Single EPG/VLAN for

Ext Switch: 6ka NSX VTEP
Ro

VRF: global
EPG: NSX Controller
vDS: Cisco-vds-01 Route
VLAN: 1000
programming
Ext Switch: 6kb DLR
VRF: global VTEP VTEP VTEP VTEP
10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4

LogicalSwitch: Web LogicalSwitch: App LogicalSwitch: DB

GW:192.168.10.1/24 GW:192.168.11.1/24 GW:192.168.12.1/24

VM VM VM VM VM VM
124
NSX Overlay at scale

125
NSX Overlay at scale
Tenant: Cisco
VRF: vrf-01
L3out: Ext L3out: NSX
EPG EPG

ESG Controller DLR

vCenter-01

125
NSX Overlay at scale
Tenant: Cisco
VRF: vrf-01
L3out: Ext L3out: NSX
EPG EPG

Tenant: Customer_1 ESG Controller DLR

VRF: vrf-01
L3out: Ext L3out: NSX
vCenter-01
EPG EPG

ESG Controller DLR

125
NSX Overlay at scale
Tenant: Cisco
VRF: vrf-01
L3out: Ext L3out: NSX
EPG EPG

Tenant: Customer_1 ESG Controller DLR

VRF: vrf-01
L3out: Ext L3out: NSX
vCenter-01
EPG EPG

Tenant: Customer_2 ESG Controller DLR

VRF: vrf-01
L3out: Ext L3out: NSX
EPG EPG

ESG Controller DLR

vCenter-02

125
NSX Overlay at scale
Tenant: Cisco
VRF: vrf-01
L3out: Ext L3out: NSX
EPG EPG

Tenant: Customer_1 ESG Controller DLR

VRF: vrf-01
L3out: Ext L3out: NSX
vCenter-01
EPG EPG

Tenant: Customer_2 ESG Controller DLR

VRF: vrf-01
L3out: Ext L3out: NSX
EPG EPG

Tenant: Customer_3 ESG Controller DLR

VRF: vrf-01
L3out: Ext L3out: NSX vCenter-02
EPG EPG

ESG Controller DLR

125
How to get started
programming your ACI fabric

126
First you need a basic understand of the ACI Policy Model

You’ve already been learning about the ACI Policy Model

during this presentation

127
Managed Objects Policy Universe

APIC Controllers … Tenants – User, Fabric, Access, VM Domains … Layer 4-7 Services AAA, Security
Common … Inventory …

128
Managed Objects Policy Universe

APIC Controllers … Tenants – User, Fabric, Access, VM Domains … Layer 4-7 Services AAA, Security
Common … Inventory …

Tenant

Outside Network Application Profile Bridge Domain VRF Contract Filter

Subnet Subject

EPG
128
https://{{APIC}}/doc/html/

130
https://{{APIC}}/visore.html

131
https://{{APIC}}/visore.html

131
132
Step 1: Build your required object(s) in the GUI
Tenant: Common Tenant: Cisco
VRF: vrf-01 VRF: vrf-01
Route Leak 0.0.0.0/0

Co
mm
BD: 192.168.10.x_24 BD: 192.168.11.x_24 BD: 192.168.12.x_24

uni
GW:192.168.10.1/24 GW:192.168.11.1/24 GW:192.168.12.1/24

cati
on
Advertise Externally: Yes Advertise Externally: Yes Advertise Externally: Yes

allo
we
d
Ext Switch: 6ka
VRF: global Application Profile: MyApp

EPG: Web EPG: App EPG: DB

vDS: Cisco-vds-01 vDS: Cisco-vds-01 vDS: Cisco-vds-01
VLAN: dynamic VLAN: dynamic VLAN: dynamic
Ext Switch: 6kb
VRF: global

vDS
Portgoup: Portgoup: Portgoup:
Cisco:MyApp:Web Cisco:MyApp:App Cisco:MyApp:DB

VM VM VM VM VM VM VM VM VM

133
Step 1: Build your required object(s) in the GUI
Tenant: Common Tenant: Cisco
VRF: vrf-01 VRF: vrf-01
Route Leak 0.0.0.0/0

Co
mm
BD: 192.168.10.x_24 BD: 192.168.11.x_24 BD: 192.168.12.x_24

uni
GW:192.168.10.1/24 GW:192.168.11.1/24 GW:192.168.12.1/24

cati
on
Advertise Externally: Yes Advertise Externally: Yes Advertise Externally: Yes

allo
we
d
Ext Switch: 6ka
VRF: global Application Profile: MyApp

EPG: Web EPG: App EPG: DB

vDS: Cisco-vds-01 vDS: Cisco-vds-01 vDS: Cisco-vds-01
VLAN: dynamic VLAN: dynamic VLAN: dynamic
Ext Switch: 6kb
VRF: global

vDS
Portgoup: Portgoup: Portgoup:
Cisco:MyApp:Web Cisco:MyApp:App Cisco:MyApp:DB

VM VM VM VM VM VM VM VM VM

133
Step 2: Save your configuration
Tenant: Common Tenant: Cisco
VRF: vrf-01 VRF: vrf-01
Route Leak 0.0.0.0/0

Co
mm
BD: 192.168.10.x_24 BD: 192.168.11.x_24 BD: 192.168.12.x_24

uni
GW:192.168.10.1/24 GW:192.168.11.1/24 GW:192.168.12.1/24

cati
on
Advertise Externally: Yes Advertise Externally: Yes Advertise Externally: Yes

allo
we
d
Ext Switch: 6ka
VRF: global Application Profile: MyApp

EPG: Web EPG: App EPG: DB

vDS: Cisco-vds-01 vDS: Cisco-vds-01 vDS: Cisco-vds-01
VLAN: dynamic VLAN: dynamic VLAN: dynamic
Ext Switch: 6kb
VRF: global

vDS
Portgoup: Portgoup: Portgoup:
Cisco:MyApp:Web Cisco:MyApp:App Cisco:MyApp:DB

VM VM VM VM VM VM VM VM VM

134
Step 2: Save your configuration
Tenant: Common Tenant: Cisco
VRF: vrf-01 VRF: vrf-01
Route Leak 0.0.0.0/0

Co
m
mu
ni BD: 192.168.10.x_24 BD: 192.168.11.x_24 BD: 192.168.12.x_24
ca
tin o GW:192.168.10.1/24 GW:192.168.11.1/24 GW:192.168.12.1/24
allo
w Advertise Externally: Yes Advertise Externally: Yes Advertise Externally: Yes
ed

Ext Switch: 6ka Applicatio

VRF: global n Profile: MyApp

EPG: Web EPG: App EPG: DB

vDS: Cisco-vds-01 vDS: Cisco-vd s-01 vDS: Cisco-vds-01
VLAN: dynamic VLAN: dyna mic VLAN: dynamic
Ext Switch: 6kb
VRF: global

vDS
Portgoup: Portgoup : Portgoup:
Cisco:MyApp:Web Cisco:MyAp p:App Cisco:MyApp:DB

VM VM VM VM VM VM VM VM VM

134
Step 3: Clean up your JSON

135
Step 3: Clean up your JSON

135
Provided Contract

Step 4: Understand the configuration code

Contract name
Application Profile

“path” to the Domain

Application Profile

Endpoint Group
Application Profile
name
Domain name
(VMM)
Endpoint Group name

Children of the
Application Profile
Children of the
Endpoint Group

Bridge Domain

Bridge Domain name

Step 5: Select parameters to use as Provided Contract

variables
Contract name
Application Profile (variable)
“path” to the Application
Profile (variable) Domain

Endpoint Group

Application Profile
name (variable) Domain name
(VMM) (variable)
“path” to the Endpoint
Group (variable)
New “status” object
(variable)
Endpoint Group
name (variable)

New “status” object

(variable)
Bridge Domain

Bridge Domain name

(variable)
Step 6: Create a variable file

Option: created
Option: created,modified
Option: deleted
Understand how managed objects are related
Tenant
Layer 3 VRF
Outside Layer 2
Outside

Bridge Domain Bridge Domain Bridge Domain

Application Profile

Endpoint Group Endpoint Group Endpoint Group Endpoint Group

vDS

Portgoup Portgoup

VM VM VM VM VM VM

141
Choose Your Management Method(s)

142
Choose Your Management Method(s)

142
Connect the Old to the New
APIC

APIC

vDS-01

143
Connect the Old to the New
APIC

APIC

Separate “border leafs”

shown for clarity

vDS-01

Layer 2 vPC to
existing network

Layer 3 to existing
network

143
Connect the Old to the New
APIC

APIC

Separate “border leafs”

shown for clarity

vDS-01

Layer 2 vPC to
existing network

Layer 3 to existing
network

143
Connect the Old to the New
APIC

APIC

Separate “border leafs”

shown for clarity

vDS-01

Layer 2 vPC to
existing network

Layer 3 to existing
network

143
Connect the Old to the New
APIC

APIC

Separate “border leafs”

shown for clarity

vDS-01 vDS-02

Layer 2 vPC to
existing network

Layer 3 to existing
network

143

Vxlan Bgp-Evpn: Vinit Jain Twitter - @vinugenie
100% (1)
Vxlan Bgp-Evpn: Vinit Jain Twitter - @vinugenie
25 pages
VXLAN - Theory
No ratings yet
VXLAN - Theory
38 pages
VXLAN Design & Deployment Guide
No ratings yet
VXLAN Design & Deployment Guide
59 pages
VX LAN@nettrain
No ratings yet
VX LAN@nettrain
59 pages
VXLAN
No ratings yet
VXLAN
2 pages
Cisco ACI & VXLAN Fabric Guide
No ratings yet
Cisco ACI & VXLAN Fabric Guide
53 pages
INE CCIE DCv2 ATC 01300 VXLAN PDF
No ratings yet
INE CCIE DCv2 ATC 01300 VXLAN PDF
64 pages
D 5.1-VxLAN-EVPN
No ratings yet
D 5.1-VxLAN-EVPN
14 pages
EVPN VXLAN Design Guide
No ratings yet
EVPN VXLAN Design Guide
45 pages
VXLAN
100% (2)
VXLAN
2 pages
Advanced VXLAN Networking
100% (1)
Advanced VXLAN Networking
39 pages
Vxlan Implementation
No ratings yet
Vxlan Implementation
20 pages
Tema 12. VXLAN - Compressed
No ratings yet
Tema 12. VXLAN - Compressed
44 pages
126 Virtual+Extensible+LAN
No ratings yet
126 Virtual+Extensible+LAN
5 pages
06 - VXLAN Part VI VXLAN BGP EVPN - Basic Configurations
100% (1)
06 - VXLAN Part VI VXLAN BGP EVPN - Basic Configurations
22 pages
En03 Vxlan and BGP Evpn
No ratings yet
En03 Vxlan and BGP Evpn
46 pages
VXLAN Communication Guide
No ratings yet
VXLAN Communication Guide
20 pages
EVPN VXLAN Design Guide
No ratings yet
EVPN VXLAN Design Guide
38 pages
VXLAN Configuration with MP-BGP EVPN
No ratings yet
VXLAN Configuration with MP-BGP EVPN
19 pages
Evpn Architecture Guide
No ratings yet
Evpn Architecture Guide
48 pages
Part 01 (Vxlan)
No ratings yet
Part 01 (Vxlan)
6 pages
ArubaOS-Switch VxLAN Interoperability Configuration Guide
No ratings yet
ArubaOS-Switch VxLAN Interoperability Configuration Guide
18 pages
IOT Module 4
No ratings yet
IOT Module 4
142 pages
EVPN Deployment Guide PDF
100% (1)
EVPN Deployment Guide PDF
75 pages
Vxlan KSS 22-02-2019
No ratings yet
Vxlan KSS 22-02-2019
45 pages
Virtual Extensible LAN VXLAN Overview 1690438418
No ratings yet
Virtual Extensible LAN VXLAN Overview 1690438418
24 pages
3-Building Data Centre Networks With VXLAN BGP EVPN
No ratings yet
3-Building Data Centre Networks With VXLAN BGP EVPN
86 pages
VXLAN by Anand Nande
100% (1)
VXLAN by Anand Nande
27 pages
VLan Some Basic Concepts PDF
No ratings yet
VLan Some Basic Concepts PDF
11 pages
Switching by Mohand
No ratings yet
Switching by Mohand
11 pages
Ethernet and IP Foundations of Modern Networking
No ratings yet
Ethernet and IP Foundations of Modern Networking
15 pages
VXLAN EVPN Config Guide For Cisco Nexus
No ratings yet
VXLAN EVPN Config Guide For Cisco Nexus
19 pages
Introducing Cisco Programmable Fabric VXLAN EVPN
No ratings yet
Introducing Cisco Programmable Fabric VXLAN EVPN
18 pages
MP BGP Vxlan Aci Demo
No ratings yet
MP BGP Vxlan Aci Demo
30 pages
Virtual Extensible LAN and Ethernet Virtual
No ratings yet
Virtual Extensible LAN and Ethernet Virtual
48 pages
Vxlan Fundamentals Nanopdf - Com Presentation
No ratings yet
Vxlan Fundamentals Nanopdf - Com Presentation
29 pages
BGP EVPN+VXLAN on Cisco Nexus Guide
No ratings yet
BGP EVPN+VXLAN on Cisco Nexus Guide
18 pages
Virtual Extensible LAN (VXLAN) Overview: VXLAN: Scaling Data Center Capacity
No ratings yet
Virtual Extensible LAN (VXLAN) Overview: VXLAN: Scaling Data Center Capacity
7 pages
Arista Networks VXLAN White Paper
100% (2)
Arista Networks VXLAN White Paper
7 pages
ACI Basic - LEARN WORK IT
No ratings yet
ACI Basic - LEARN WORK IT
12 pages
VXLAN Overview
No ratings yet
VXLAN Overview
14 pages
Vxlan
No ratings yet
Vxlan
421 pages
Vlan, Trunk, VTP
No ratings yet
Vlan, Trunk, VTP
29 pages
CCNP Enterprise LAb Guide - by Ashish Halder
No ratings yet
CCNP Enterprise LAb Guide - by Ashish Halder
24 pages
Cisco ACI and Nexus Evolution
No ratings yet
Cisco ACI and Nexus Evolution
49 pages
(07-08) VXLAN EVPN L3 Forwarding
No ratings yet
(07-08) VXLAN EVPN L3 Forwarding
12 pages
Vxlan Evpn
100% (1)
Vxlan Evpn
89 pages
VXLAN Scaling Data Center Designs
No ratings yet
VXLAN Scaling Data Center Designs
7 pages
B 176 BGP Evpn Vxlan 9300 CG
No ratings yet
B 176 BGP Evpn Vxlan 9300 CG
652 pages
01-01 VXLAN Configuration
No ratings yet
01-01 VXLAN Configuration
338 pages
Aruba Campus Access Webinar Part 1
100% (1)
Aruba Campus Access Webinar Part 1
63 pages
VXlan Deep Dive
No ratings yet
VXlan Deep Dive
40 pages
Inter VLAN Routing
No ratings yet
Inter VLAN Routing
18 pages
B 1712 BGP Evpn Vxlan 9300 CG
No ratings yet
B 1712 BGP Evpn Vxlan 9300 CG
940 pages
Configuring VXLAN 16
No ratings yet
Configuring VXLAN 16
16 pages
Juniper Courses
No ratings yet
Juniper Courses
335 pages
Networking A To Z For VMware
No ratings yet
Networking A To Z For VMware
314 pages
Vxlancontrolplaneandrouting 150522053200 Lva1 App6891
No ratings yet
Vxlancontrolplaneandrouting 150522053200 Lva1 App6891
93 pages
Vxlan MP-BGP Evpn L3 Vni
No ratings yet
Vxlan MP-BGP Evpn L3 Vni
30 pages
4 2 4 4
67% (3)
4 2 4 4
5 pages
Data Communication Protocols
No ratings yet
Data Communication Protocols
105 pages
Mobile IP for IT Students
No ratings yet
Mobile IP for IT Students
17 pages
Comtech/EFData H-Pico Heights Remote Gateway Datasheet
No ratings yet
Comtech/EFData H-Pico Heights Remote Gateway Datasheet
2 pages
Meiligao GPRS Communication Protocol GT30i GT60 VT300 VT310 VT400 V2.4
100% (1)
Meiligao GPRS Communication Protocol GT30i GT60 VT300 VT310 VT400 V2.4
24 pages
Cloud Computing Security Issues
No ratings yet
Cloud Computing Security Issues
31 pages
ZTE UMTS Handover Control Feature Description V3.1
100% (1)
ZTE UMTS Handover Control Feature Description V3.1
226 pages
IoT Wireless IO Solutions
No ratings yet
IoT Wireless IO Solutions
16 pages
Nimbra 300 Series: Installation and Maintenance Manual
No ratings yet
Nimbra 300 Series: Installation and Maintenance Manual
83 pages
Intro to Communication Systems Lab
No ratings yet
Intro to Communication Systems Lab
23 pages
B.Tech. III Year I Semester Regular Examinations, March 2021
No ratings yet
B.Tech. III Year I Semester Regular Examinations, March 2021
1 page
LG01N LoRa Gateway User Manual v1.1
No ratings yet
LG01N LoRa Gateway User Manual v1.1
60 pages
Junos OS: Hardware and Routing Guide
No ratings yet
Junos OS: Hardware and Routing Guide
9 pages
Ethernet Testing Guide for Technicians
No ratings yet
Ethernet Testing Guide for Technicians
4 pages
The Concept of Multiplexing
No ratings yet
The Concept of Multiplexing
18 pages
SC Timothy Pratt Index
100% (1)
SC Timothy Pratt Index
10 pages
Network Troubleshooting Guide
No ratings yet
Network Troubleshooting Guide
30 pages
2 Sea A Products Catalogue
No ratings yet
2 Sea A Products Catalogue
20 pages
Linux Ip Tables
No ratings yet
Linux Ip Tables
20 pages
ACT Fibernet - D-Link DIR 816 Basic Steps
No ratings yet
ACT Fibernet - D-Link DIR 816 Basic Steps
13 pages
Internship 22
No ratings yet
Internship 22
50 pages
I Use An External Squid Transparent Proxy For My Clients
No ratings yet
I Use An External Squid Transparent Proxy For My Clients
4 pages
NG SDH Korea
No ratings yet
NG SDH Korea
21 pages
M0SIP3E2012Iv02 SIP-3 User Guide R2-I
No ratings yet
M0SIP3E2012Iv02 SIP-3 User Guide R2-I
144 pages
IP Camera 9 Channel User Manual v2.0
No ratings yet
IP Camera 9 Channel User Manual v2.0
43 pages
Internet Questions
No ratings yet
Internet Questions
9 pages
Cellular Networks Explained
No ratings yet
Cellular Networks Explained
21 pages
IP Transport Network
100% (3)
IP Transport Network
28 pages
DSSS
No ratings yet
DSSS
9 pages
Com 1805
No ratings yet
Com 1805
21 pages

ACI Fundamentals

Uploaded by

ACI Fundamentals

Uploaded by

Underlay vs Overlay

Underlay vs Overlay ( Cont. )

On the Nexus platform, a virtual interface called an NVE interface is

The network management platform (APIC) provides you with

ACI can transport any IP traffic including “Overlay” networks

Management options: Benefits:

* Excludes pre encapsulated/encrypted traffic

An ACI network provides the underpinning for an automated

• Leaf Profiles • EPGs

• Switch Profiles • Contracts

• Leaf Profiles • EPGs

• Switch Profiles • Contracts

Access Policies configure

Access Policies configure

AAEP Leaf Policy Groups Interface Policies

Tenants Switch Policies

AAEP Leaf Policy Groups Interface Policies

Leaf 101 Leaf 103 Leaf 105

Leaf 102 Leaf 104 Leaf 106

ACI Leaf Racks

Leaf 102 Leaf 104 Leaf 106

ACI Leaf Racks External Equipment Racks

Leaf 102 Leaf 104 Leaf 106

ACI Leaf Racks External Equipment Racks

Leaf 102 Leaf 104 Leaf 106

ACI Leaf Racks External Equipment Racks

AAEP Leaf Policy Groups Interface Policies

AAEP Leaf Policy Groups Interface Policies

AAEP Leaf Policy Groups Interface Policies

AAEP Leaf Policy Groups Interface Policies

AAEP Leaf Policy Groups Interface Policies

AAEP Leaf Policy Groups Interface Policies

Interface Selectors Interface Selectors Interface Selectors

Leaf Policy Groups Leaf Policy Groups Leaf Policy Groups

AAEP Interface Policies Rack / Leaf Interface Rack / Device Interface

Interface Selectors Interface Selectors Interface Selectors

Leaf Policy Groups Leaf Policy Groups Leaf Policy Groups

AAEP Interface Policies Rack / Leaf Interface Rack / Device Interface

Interface Selectors Interface Selectors Interface Selectors

AAEP Interface Policies Rack / Leaf Interface Rack / Device Interface

Interface Selectors Interface Selectors Interface Selectors

Access Policy Groups can be reused

AAEP Interface Policies Rack / Leaf Interface Rack / Device Interface

Interface Selectors Interface Selectors Interface Selectors

Leaf Policy Groups

AAEP Interface Policies Rack / Leaf Interface Rack / Device Interface

Leaf Policy Groups

AAEP Interface Policies Rack / Leaf Interface Rack / Device Interface

Leaf Policy Groups

AAEP Interface Policies Rack / Leaf Interface Rack / Device Interface

Leaf Policy Groups

Domains AAEP Interface Policies

Leaf Policy Groups

Domains AAEP Interface Policies

Leaf Policy Groups

Domains AAEP Interface Policies

Leaf Policy Groups

Domains AAEP Interface Policies

Leaf Policy Groups

Domains AAEP Interface Policies

Interface Selectors Interface Selectors

Leaf Policy Groups Leaf Policy Groups

Domains AAEP Interface Policies

Interface Selectors Interface Selectors Interface Selectors

Leaf Policy Groups Leaf Policy Groups Leaf Policy Groups

Domains AAEP Interface Policies

Interface Policies Interface Policies Interface Policies

Interface Selectors Interface Selectors Interface Selectors

Domains AAEP Interface Policies

Access Policy Groups can be reused …

• Leaf Profiles • EPGs

• Switch Profiles • Contracts

• Leaf Profiles • EPGs

• Switch Profiles • Contracts

Objects created in “Common” can be APIC

VRF-01 VRF-02 VRF-03