Cisco ACI guide
Contents:
Components and versions
Cisco ACI building blocks
Cisco Nexus Series hardware
Leaf switches
Spine switches
Fabric with mixed hardware or software
Fabric with different spine types
Fabric with different leaf types
Fabric with different software versions
Fabric Extenders (FEX)
Physical topology
Leaf-and-spine design
Leaf uplinks
Virtual port channel
Placement of outside connectivity
Using border leafs for server attachment
Do not use the L3Out to connect servers
L3Out and vPC
Service leaf considerations
Fabric transport infrastructure design considerations
Choosing the leaf forwarding profile
Infrastructure VLAN
TEP address pool
BGP Route Reflector policy
BGP autonomous system number considerations
BGP route-reflector placement
BGP maximum path
IS-IS metric for redistributed routes
Maximum transmission unit
Configuring the fabric infrastructure for faster convergence
Fast Link Failover
Debounce timer

This guide contains the maximum verified scalability limits for Cisco Application Centric Infrastructure (Cisco ACI) parameters in the following releases:
These values are based on a profile where each feature was scaled to the numbers specified in the tables. These numbers do not represent the theoretically possible Cisco ACI fabric scale.
L2 fabric: in legacy mode there is no routing, no L3 context and no contract enabled in the L2 fabric profile. A tenant in this profile does not need to be mapped to one dedicated ACI tenant; a tenant can be represented by a set of EPGs instead.
L3 fabric: the ACI L3 fabric solution provides a feature-rich, highly scalable solution for public cloud and large enterprise. With this design, almost all supported features are deployed at the same time and are tested as a solution.
The scalability numbers listed in this section are multi-dimensional scalability numbers. The fabric scalability numbers represent the overall number of objects created on the fabric; they reflect APIC cluster scalability and the tested upper limits. The per-leaf scale numbers are the objects created and presented on an individual leaf switch, and some of them are subject to hardware restrictions. The per-leaf scalability numbers are the maximum limits tested and supported by the leaf switch hardware. This does not necessarily mean that every leaf switch in the fabric was tested with the maximum scale numbers.
Stretched fabric: a stretched fabric allows up to three fabrics distributed across multiple locations to be connected as a single fabric with a single management domain. The scale for the entire stretched fabric remains the same as for a single-site fabric. For example, an L3 stretched fabric supports in total the same maximum number of leaf switches that is supported on a single-site fabric. Parameters only relevant to stretched fabric are mentioned in the tables below.
Multi-Pod: Multi-Pod enables provisioning a more fault-tolerant fabric comprised of multiple pods with isolated control-plane protocols. Multi-Pod also provides more flexibility with regard to the full-mesh cabling between leaf and spine switches. For example, if leaf switches are spread across different floors or different buildings, Multi-Pod enables provisioning multiple pods per floor or building and providing connectivity between pods through spine switches.
Multi-Site: an ACI Multi-Site Orchestrator is part of the architecture and is used to communicate with the different APIC domains to simplify the management of the architecture and the definition of inter-site policies. The maximum number of leaf switches overall is per fabric scale. The maximum number of physical ports is 19, per fabric. The maximum number of remote leaf (RL) switches is per fabric, with the total number of BDs deployed on all remote leaf switches in the fabric not exceeding 60, While a higher number of controllers is supported, the preferred cluster size is based on the number of leaf switches in the environment. For a fabric with multiple tenants: per tenant, up to 21, total across all tenants. For a fabric with multiple tenants: per tenant, up to 15, total across all tenants.

The Cisco ACI architecture simplifies, optimizes, and accelerates the entire application deployment life cycle.
The APIC provides a unified point of automation and management, policy programming, application deployment, and health monitoring for the fabric. The APIC, which is implemented as a replicated synchronized clustered controller, optimizes performance, supports any application anywhere, and provides unified operation of the physical and virtual infrastructure.
The APIC enables network administrators to easily define the optimal network for applications. Data center operators can clearly see how applications consume network resources, easily isolate and troubleshoot application and infrastructure problems, and monitor and profile resource usage patterns. The ACI fabric provides consistent low-latency forwarding across high-bandwidth links (40 Gbps, with higher-speed links as a future capability). Traffic with the source and destination on the same leaf switch is handled locally, and all other traffic travels from the ingress leaf to the egress leaf through a spine switch.
Although this architecture appears as two hops from a physical perspective, it is actually a single Layer 3 hop because the fabric operates as a single Layer 3 switch.
The APIC policy model enables programming of objects for each configurable element of the system. The concrete model is analogous to compiled software; it is the form of the model that the switch operating system can execute. All the switch nodes contain a complete copy of the concrete model. The APIC performs the intermediate step of creating a fully elaborated policy that it pushes into all the switch nodes, where the concrete model is updated.
The APIC is responsible for fabric activation, switch firmware management, network policy configuration, and instantiation. While the APIC acts as the centralized policy and network management engine for the fabric, it is completely removed from the data path, including the forwarding topology. Therefore, the fabric can still forward traffic even when communication with the APIC is lost.

Various resources exist to start learning ACI; here is a list of interesting articles from the community:
A complete list of existing ACI modules is available for the latest stable release on the list of network modules. You can also view the current development version. The ACI modules configure the fabric through the APIC REST API rather than over SSH to individual switches. For this very reason, the modules need to run on the local Ansible controller or be delegated to another system that can connect to the APIC. Because the modules run on the Ansible controller, gathering facts from the APIC target will not work.
That is why, when using these ACI modules, it is mandatory to disable fact gathering. You can do this globally in your Ansible configuration file, or per play with gather_facts: no. If fact gathering is left enabled the play fails with a clear error, yet it may be confusing to some. Another option that is frequently used is to tie the local connection method to the APIC target (ansible_connection: local), so that every subsequent task for this target uses the local connection method and hence runs locally rather than over SSH.
Various resources exist to learn more about ACI programmability; we recommend the following links: If you want to log on using a username and password, you can use the following parameters with your ACI modules:

This document does not provide step-by-step configuration examples for all scenarios.
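The modules talk to the APIC REST API from the controller. The following Python sketch is an added example, not code from the Ansible ACI collection or from this page: it performs the same username/password logon the aci_* modules perform (POST /api/aaaLogin.json), parses the reply into the session token, and shows what the validate_certs option controls. The host name, the credentials and the two sample replies are constructed; the endpoint and message shapes are the APIC's own.

```python
"""Minimal APIC REST logon helper that mirrors what the aci_* modules do.

Added example, not code from the Ansible ACI collection. Only the standard
library is used. POST /api/aaaLogin.json with
{"aaaUser": {"attributes": {"name": ..., "pwd": ...}}} returns the session
token, which every later request carries in the APIC-cookie cookie.
The host name, credentials and sample replies below are constructed.
"""
import json
import ssl
import urllib.request

LOGIN_PATH = "/api/aaaLogin.json"


def build_login_payload(username: str, password: str) -> str:
    """Body of the aaaLogin request, in the form the modules send."""
    return json.dumps({"aaaUser": {"attributes": {"name": username, "pwd": password}}})


def parse_login_response(body: str) -> dict:
    """Extract the token and its lifetime from an aaaLogin reply.

    A successful reply carries imdata[0].aaaLogin.attributes.token; a failed
    logon carries imdata[0].error instead. Raise on failure rather than
    continuing with an empty token.
    """
    data = json.loads(body)
    first = data.get("imdata", [{}])[0]
    if "error" in first:
        err = first["error"]["attributes"]
        raise PermissionError(f"APIC logon failed: {err.get('code')} {err.get('text')}")
    attrs = first["aaaLogin"]["attributes"]
    return {"token": attrs["token"],
            "refresh_timeout": int(attrs["refreshTimeoutSeconds"])}


def session_cookie(token: str) -> str:
    """Cookie header value for every request after logon."""
    return f"APIC-cookie={token}"


def tls_context(validate_certs: bool = True) -> ssl.SSLContext:
    """validate_certs=False mirrors the module option of the same name.

    Disabling verification lets anyone on the path read the password and the
    token; keep the default outside a lab.
    """
    ctx = ssl.create_default_context()
    if not validate_certs:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def login(host: str, username: str, password: str, validate_certs: bool = True) -> dict:
    """Run the logon against a live APIC (needs network; not exercised offline)."""
    req = urllib.request.Request(
        f"https://{host}{LOGIN_PATH}",
        data=build_login_payload(username, password).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=tls_context(validate_certs)) as resp:
        return parse_login_response(resp.read().decode())


# Constructed sample replies so the parsing can be checked without an APIC.
SAMPLE_OK = json.dumps({"totalCount": "1", "imdata": [{"aaaLogin": {"attributes": {
    "token": "c3RhdGljLWV4YW1wbGUtdG9rZW4", "refreshTimeoutSeconds": "600",
    "userName": "admin"}}}]})
SAMPLE_FAIL = json.dumps({"totalCount": "1", "imdata": [{"error": {"attributes": {
    "code": "401", "text": "Username or password is incorrect"}}}]})


def logon_succeeds(body: str) -> bool:
    """True when the reply carries a token, False when it is an APIC error."""
    try:
        parse_login_response(body)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    sess = parse_login_response(SAMPLE_OK)
    print(session_cookie(sess["token"]), "refresh within", sess["refresh_timeout"], "s")
```

Keep the token in memory only, refresh it with GET /api/aaaRefresh.json before refreshTimeoutSeconds elapses, and end the session with aaaLogout when the play is done; the modules do the same per task, which is why they need no SSH access to the switches.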
Instead, its focus is on understanding the key concepts. The ACI fabric is formed from multiple components. Some of these components, such as bridge domains (BDs) and endpoint groups (EPGs), provide Layer 2 (L2) connectivity or default-gateway functions for a group of endpoints.
Cisco ACI was originally built to be a stub network in a data center to manage endpoints. Because of this stub nature, traffic traversing from one L3Out to another through the ACI network was originally not supported. An L3Out, essentially, connects a network device that has other subnets behind it.
Basic functions of an L3Out:
1. Learn external routes via routing protocols or static routes.
2. Distribute the learned external routes or static routes to other leaf switches.
3. Advertise learned external routes to other L3Outs (transit routing).
4. Allow traffic to arrive from or be sent to external networks via the L3Out by using a contract.
Each function is briefly explained below, starting with learning external routes on border leaf switches. The components listed in the steps that follow are the mandatory ones to configure a routing protocol and learn external routes from an external network device. At least one L3Out EPG is also required to deploy a routing protocol and the related interface parameters on the leaf switches, even though the L3Out EPG itself is a security construct like other EPGs and is not a routing protocol configuration.
The following steps summarize how to deploy a routing protocol on an ACI border leaf with the components shown in Figure 4:
1. Root of the L3Out: select the VRF in which the routing protocol is deployed, and select an L3 domain. The domain itself is configured via Fabric Access Policies.
2. Node profile: select the leaf switches on which the routing protocol is deployed (these are called border leaf switches) and configure the router ID for the routing protocol on each leaf.
3. Interface profile: configure the leaf interfaces on which the routing protocol runs.

Cisco Application Centric Infrastructure Design Guide White Paper
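As an added example (not part of the white paper), the following Python builds the APIC JSON for an OSPF L3Out from exactly these steps plus the L3Out EPG, and runs two checks before anything is pushed: no prefix may be classified into two L3Out EPGs of the same L3Out, and a 0.0.0.0/0 external subnet is flagged, since it makes every external source a member of that EPG and therefore a party to its contracts. Tenant, VRF, domain, node IDs, router IDs, prefixes and the OSPF key are constructed values; the class names are the APIC classes the steps map to.

```python
"""Build the APIC JSON for an OSPF L3Out following the steps above.

Added example, not from the Cisco white paper. The class names are the APIC
classes the steps map to: l3extOut (root) with l3extRsEctx (VRF) and
l3extRsL3DomAtt (L3 domain); l3extLNodeP/l3extRsNodeL3OutAtt (node profile,
router ID); l3extLIfP/l3extRsPathL3OutAtt (interface profile); ospfExtP and
ospfIfP (protocol settings); l3extInstP/l3extSubnet (the L3Out EPG).
Tenant, VRF, domain, node IDs, router IDs, prefixes and the key are constructed.
"""
import ipaddress
import json


def ext_epg(name, prefixes):
    """An L3Out EPG: external sources matching a prefix with scope import-security
    are classified into this EPG, which is what contracts are then applied to."""
    return {"l3extInstP": {"attributes": {"name": name}, "children": [
        {"l3extSubnet": {"attributes": {"ip": p, "scope": "import-security"}}}
        for p in prefixes]}}


def check_ext_epgs(epgs):
    """Checks worth running before pushing: a prefix must not classify into two
    EPGs of the same L3Out, and 0.0.0.0/0 deserves a warning because every
    external source then lands in that EPG and inherits its contracts."""
    owner, problems = {}, []
    for e in epgs:
        name = e["l3extInstP"]["attributes"]["name"]
        for child in e["l3extInstP"]["children"]:
            net = ipaddress.ip_network(child["l3extSubnet"]["attributes"]["ip"], strict=False)
            if net in owner and owner[net] != name:
                problems.append(f"{net} classified into both {owner[net]} and {name}")
            owner[net] = name
            if net.prefixlen == 0:
                problems.append(f"{name} uses {net}: all external sources match this EPG")
    return problems


def ospf_l3out(tenant, name, vrf, l3dom, area_id, nodes, interfaces, epgs, ospf_key):
    """nodes: {node_id: router_id}; interfaces: [{node, port, addr}] routed ports."""
    # Step 2, node profile: one attachment per border leaf with its router ID.
    node_profile = {"l3extLNodeP": {"attributes": {"name": "NP_" + name}, "children": [
        {"l3extRsNodeL3OutAtt": {"attributes": {
            "tDn": f"topology/pod-1/node-{n}", "rtrId": rid, "rtrIdLoopBack": "no"}}}
        for n, rid in sorted(nodes.items())]}}
    # Step 3, interface profile: routed ports plus OSPF interface settings.
    if_profile = {"l3extLIfP": {"attributes": {"name": "IP_" + name}, "children": [
        # MD5 authentication on every OSPF interface of this profile, so a rogue
        # device on the segment cannot form an adjacency with the border leaf.
        {"ospfIfP": {"attributes": {"authType": "md5", "authKeyId": "1", "authKey": ospf_key}}},
    ] + [
        {"l3extRsPathL3OutAtt": {"attributes": {
            "tDn": f"topology/pod-1/paths-{i['node']}/pathep-[{i['port']}]",
            "ifInstT": "l3-port", "addr": i["addr"]}}}
        for i in interfaces]}}
    node_profile["l3extLNodeP"]["children"].append(if_profile)
    # Step 1, root of the L3Out: VRF, L3 domain, protocol, then the profiles and EPGs.
    return {"l3extOut": {"attributes": {"name": name, "dn": f"uni/tn-{tenant}/out-{name}"},
                         "children": [
        {"l3extRsEctx": {"attributes": {"tnFvCtxName": vrf}}},
        {"l3extRsL3DomAtt": {"attributes": {"tDn": f"uni/l3dom-{l3dom}"}}},
        {"ospfExtP": {"attributes": {"areaId": area_id, "areaType": "regular"}}},
        node_profile] + list(epgs)}}


# Constructed inputs: two border leaves, one routed uplink each, two L3Out EPGs.
NODES = {101: "10.255.0.101", 102: "10.255.0.102"}
IFACES = [{"node": 101, "port": "eth1/48", "addr": "192.0.2.1/30"},
          {"node": 102, "port": "eth1/48", "addr": "192.0.2.5/30"}]
EPGS = [ext_epg("EXT_INTERNET", ["0.0.0.0/0"]),
        ext_epg("EXT_PARTNER", ["198.51.100.0/24"])]


def build_sample():
    return ospf_l3out("PROD", "L3OUT_CORE", "VRF_PROD", "L3DOM_CORE", "0.0.0.0",
                      NODES, IFACES, EPGS, "constructed-key")


if __name__ == "__main__":
    for p in check_ext_epgs(EPGS):
        print("WARNING:", p)
    print(json.dumps(build_sample(), indent=1))
```

The tree is posted to /api/mo/uni/tn-PROD.json; the routing protocol comes up once the node and interface profiles are deployed, but no traffic crosses the L3Out until a contract is attached to the L3Out EPG, which is the fourth function listed above.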
Cisco ACI for Data Center

What Cisco ACI offers:
- Automate for scale: achieve automation through common policy for data center operations.
- Accelerate to multicloud: extend consistent policies across multiple on-premises and cloud instances.
- Network protection: pervasive security aids business continuity and disaster recovery.
- Assurance and insights: transform operations in data center networks to a fundamentally more proactive model and automate troubleshooting, root-cause analysis, and remediation.

The power behind Cisco ACI: Virtual Pod and Virtual Edge; Multicloud, which extends ACI across on-premises and multicloud instances for consistent policy, security, and visibility; tools and software.

Popular ACI solutions and integrations:
- AppDynamics integration: correlate app health and network for optimal performance, deep monitoring, and fast root-cause analysis.
- Tetration integration: Cisco Tetration offers holistic workload protection for multicloud data centers. It is available in SaaS and software-only models.
- Identity: map user identities consistently to endpoints and apps across your entire network, from campus to data center.

Accelerate your success. Data center services: Cisco services help determine IT readiness, simplify operations, and reduce risk through expert guidance and centralized support. With Cisco ACI, you can remain competitive with better outcomes and faster time-to-market for your applications.

Firmware Repository: the firmware repository is a distributed store that holds the firmware images required to upgrade a Cisco ACI fabric.
The firmware repository is synced to every controller in the cluster. A firmware image is downloaded into the firmware repository from an external server (HTTP or SCP) when you configure a firmware source policy. There are three types of firmware images that can be stored in the repository: the APIC controller image, the switch image, and the catalog image. Catalog image: this image consists of Cisco-created internal policies. These internal policies contain information about the capabilities of different models of hardware, the compatibility across different versions of software, and the hardware and diagnostic tests.
The catalog image is usually bundled and upgraded along with the controller image. Unless specifically instructed by the release notes of a specific release, an administrator should never have to individually upgrade a catalog image. A Firmware Policy specifies the desired firmware version for the switches in a firmware group. The Controller Firmware Policy specifies the desired version for the controllers.
The Controller Maintenance Policy specifies when the upgrade of the controllers should start. A Maintenance Group is a group of switches on which you configure a Maintenance Policy. A Maintenance Policy specifies a schedule for the upgrade, in one of two modes.
Upgrade immediately: in this mode, the firmware upgrade process is started immediately. Schedule an upgrade: in this mode you can schedule the firmware upgrade for a later date and time. In the Scheduler field, either select an existing trigger scheduler, or click Create Trigger Scheduler to create a new one.
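As an added example, not from the Cisco guide, the Python below models the objects those two modes create through the REST API (firmware group and policy, maintenance group and policy) and adds a check worth having in any upgrade tooling: it refuses a group that contains both members of a vPC pair, because a maintenance group reloads as a unit. The class and attribute names are the ones the author of this example knows from the APIC API; verify them with your APIC's API inspector before relying on them. Group names, node IDs, the version string, the vPC pairs and the scheduler name are constructed, and the trigger scheduler is assumed to already exist.

```python
"""Model the switch-upgrade objects that the two scheduling modes above create,
plus one guard a practitioner wants: both members of a vPC pair must never be
in the same upgrade group, or the pair reloads together.

Added example, not from the Cisco firmware management guide. The class and
attribute names (firmwareFwP, firmwareFwGrp, firmwareRsFwgrpp, maintMaintP,
maintMaintGrp, maintRsMgrpp, maintRsPolScheduler, fabricNodeBlk; adminState
triggered/untriggered) are the APIC REST objects for switch firmware and
maintenance groups as the author of this example knows them. Group names,
node IDs, version, vPC pairs and the scheduler name are constructed, and the
trigger scheduler is assumed to exist already.
"""
import json
import re

# Switch image names look like n9000-<major>.<minor>(<patch>), e.g. n9000-14.2(7f)
VERSION_RE = re.compile(r"^n9000-\d+\.\d+\(\d+[a-z]?\)$")


def node_blocks(nodes):
    """One fabricNodeBlk per node, so a non-contiguous set never widens to a range."""
    return [{"fabricNodeBlk": {"attributes": {"name": f"blk{n}", "from_": str(n), "to_": str(n)}}}
            for n in sorted(nodes)]


def firmware_group(name, version, nodes):
    """Firmware policy (desired version) and the group of switches it applies to."""
    policy = {"firmwareFwP": {"attributes": {"name": name, "version": version, "ignoreCompat": "no"}}}
    group = {"firmwareFwGrp": {"attributes": {"name": name}, "children":
             [{"firmwareRsFwgrpp": {"attributes": {"tnFirmwareFwPName": name}}}] + node_blocks(nodes)}}
    return policy, group


def maintenance_group(name, version, nodes, when="now", scheduler=None):
    """'now' maps to adminState=triggered (Upgrade immediately); 'later' leaves it
    untriggered and points the policy at a trigger scheduler (Schedule an upgrade)."""
    if when not in ("now", "later"):
        raise ValueError(f"unknown mode {when!r}")
    if when == "later" and not scheduler:
        raise ValueError("a scheduled upgrade needs a trigger scheduler name")
    attrs = {"name": name, "version": version, "runMode": "pauseOnFailure",
             "graceful": "yes", "ignoreCompat": "no", "notifCond": "notifyOnlyOnFailures",
             "adminState": "triggered" if when == "now" else "untriggered"}
    children = []
    if when == "later":
        children.append({"maintRsPolScheduler": {"attributes": {"tnTrigSchedPName": scheduler}}})
    policy = {"maintMaintP": {"attributes": attrs, "children": children}}
    group = {"maintMaintGrp": {"attributes": {"name": name}, "children":
             [{"maintRsMgrpp": {"attributes": {"tnMaintMaintPName": name}}}] + node_blocks(nodes)}}
    return policy, group


def vpc_conflicts(nodes, vpc_pairs):
    """Pairs whose two peers would both reload in this group."""
    return [(a, b) for a, b in vpc_pairs if a in nodes and b in nodes]


def plan_upgrade(name, version, nodes, vpc_pairs, when="now", scheduler=None):
    """Return the four objects to POST, refusing unsafe groups and odd version strings."""
    if not VERSION_RE.match(version):
        raise ValueError(f"unexpected switch image name {version!r}")
    bad = vpc_conflicts(nodes, vpc_pairs)
    if bad:
        raise ValueError("vPC peers in one group: " + ", ".join(f"{a}/{b}" for a, b in bad))
    fw_pol, fw_grp = firmware_group(name, version, nodes)
    mt_pol, mt_grp = maintenance_group(name, version, nodes, when, scheduler)
    return [fw_pol, fw_grp, mt_pol, mt_grp]


# Constructed fabric: two vPC pairs; upgrade the odd-numbered peers first.
VPC_PAIRS = [(101, 102), (103, 104)]
ODD_LEAVES = {101, 103}

if __name__ == "__main__":
    print(json.dumps(plan_upgrade("leaves-odd", "n9000-14.2(7f)", ODD_LEAVES, VPC_PAIRS), indent=1))
```

Run the odd group, confirm the fabric is healthy, then plan the even group the same way; the guard makes the tooling refuse the shortcut of putting all leaves in one group.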
Alternatively, click the Infrastructure tab, then click the Nodes sub-tab. Click Actions, then click Schedule Node Upgrade. Select an existing group or create a new one in the Upgrade Group Name area. Now: in this mode, the firmware upgrade process is started immediately. Schedule for Later: in this mode you can schedule the firmware upgrade for a later date and time. Following are the important notes that you should understand before upgrading or downgrading the Cisco APIC and switch software:
Important notes on firmware management. If you upgraded from a release prior to the 3. To use the apps again, you must uninstall and reinstall them.
After you have completed the APIC software upgrade or downgrade process for the entire fabric (the APIC nodes and switches), re-enable the apps if you disabled them. You can install or remove apps, or perform an app image upgrade, after the APIC software upgrade or downgrade process is complete. This issue happens when a remote leaf switch has the direct traffic forwarding feature from the When upgrading from the Regular leaf switches (non-remote leaf switches) are not affected by this bug.
When downgrading to the In APIC releases 4. Before Release 4. This check is required to make sure that Ethernet ports are properly identified. If the software check detects an Ethernet transceiver with Fibre Channel SPROM values, the transceiver fails the validation check and is put into a downed state. This accommodates the compressed image and provides adequate space to extract the image.

If you are new to Cisco Application Centric Infrastructure (ACI), then you may well be daunted by this new method of configuring switches.
This is a configuration tutorial.
At the completion of the tutorial, you will have a fully configured ACI fabric ready for testing. See this post for a dcloud tutorial.
If you are not comfortable with terms like leaf/spine (Clos) topology, endpoint groups and application profiles, then you will do well to do some research before you begin.
For this tutorial, I will use two leaf switches and two spine switches, although in truth the spine switches will not feature much at all in the configuration. What will be more important is the equipment that is connected to the leaf switches. Note that there are two leaves. Your fabric has already begun the discovery process using LLDP, but before you can continue you will have to register each leaf and spine switch in the APIC. The leaf switches attached to the APIC are discovered first; some time after they are registered, the spine switches are discovered via LLDP in turn.
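Registration is where you decide which serial numbers become fabric members, so it is worth doing against a plan rather than by accepting whatever LLDP found. The following Python is an added example, not code from this tutorial: it takes the APIC's list of discovered-but-unregistered switches, registers only serials that appear on a constructed cabling plan with their planned node ID and name, rejects unknown serials and role mismatches, and reports planned switches not yet seen (the spines, which appear only after the leaves are registered). The dhcpClient attribute names and the fabricNodeIdentP object are as the author of this example knows them from the APIC API; the serials and the discovered-node sample are made up.

```python
"""Register discovered switches only when their serial is on the cabling plan.

Added example, not code from the tutorial. The APIC exposes switches it has
discovered over LLDP/DHCP but not yet registered as dhcpClient objects (the
attribute names id, model, nodeRole and nodeId are as the author of this
example knows them), and registration happens by creating a fabricNodeIdentP
object (serial, nodeId, name) under uni/controller/nodeidentpol. The cabling
plan and the discovered-node sample below are constructed; serials are made up.
"""
import json

# Constructed cabling plan: serial -> (node ID, name, expected role)
PLANNED = {
    "FDO21000AAA": (101, "leaf101", "leaf"),
    "FDO21000AAB": (102, "leaf102", "leaf"),
    "FDO21000BBA": (201, "spine201", "spine"),
    "FDO21000BBB": (202, "spine202", "spine"),
}

# Constructed sample of GET /api/node/class/dhcpClient.json right after the APIC
# came up: only the directly attached leaves are visible so far, plus one
# switch nobody planned for.
DISCOVERED = {"imdata": [
    {"dhcpClient": {"attributes": {"id": "FDO21000AAA", "model": "N9K-C93180YC-FX", "nodeRole": "leaf", "nodeId": "0"}}},
    {"dhcpClient": {"attributes": {"id": "FDO21000AAB", "model": "N9K-C93180YC-FX", "nodeRole": "leaf", "nodeId": "0"}}},
    {"dhcpClient": {"attributes": {"id": "FDO99999ZZZ", "model": "N9K-C93180YC-FX", "nodeRole": "leaf", "nodeId": "0"}}},
]}


def registration_payload(serial, node_id, name):
    """The object whose creation registers a discovered switch."""
    return {"fabricNodeIdentP": {"attributes": {
        "dn": f"uni/controller/nodeidentpol/nodep-{serial}",
        "serial": serial, "nodeId": str(node_id), "name": name, "podId": "1"}}}


def plan_registration(discovered, planned):
    """Split discovered switches into payloads to POST, rejects with a reason,
    and planned switches not seen yet (spines appear only after the leaves
    are registered and relay LLDP/DHCP for them)."""
    payloads, rejected, seen = [], [], set()
    for item in discovered["imdata"]:
        a = item["dhcpClient"]["attributes"]
        serial, role = a["id"], a.get("nodeRole", "")
        seen.add(serial)
        if a.get("nodeId", "0") != "0":
            continue  # already registered
        if serial not in planned:
            rejected.append((serial, "serial not in cabling plan"))
            continue
        node_id, name, expected_role = planned[serial]
        if role and role != expected_role:
            rejected.append((serial, f"discovered as {role}, planned as {expected_role}"))
            continue
        payloads.append(registration_payload(serial, node_id, name))
    pending = sorted(s for s in planned if s not in seen)
    return payloads, rejected, pending


if __name__ == "__main__":
    payloads, rejected, pending = plan_registration(DISCOVERED, PLANNED)
    for p in payloads:
        print("POST /api/mo/uni/controller/nodeidentpol.json", json.dumps(p))
    for serial, why in rejected:
        print("REJECT", serial, why)
    print("not yet discovered:", pending)
```

Run it again after the leaves have come up and the spines will move from pending to payloads; an unexpected serial stays rejected and is worth investigating rather than registering.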
Pretty soon your screen should look something like this:
Well… not quite.
This is the first of a series of at least eight blog posts that I plan to publish over the coming weeks.
If you are using Cisco dCloud, you may find that this step has already been completed. Housley works mainly around APJC, but is not restricted to this area.