Deploying ACI: The complete guide to planning, configuring, and managing Application Centric Infrastructure
Gross price: 242.55
Net price: 231.00
Frank Dagenhardt, Jose Moreno, Bill Dufresne
With the Cisco Application Centric Infrastructure (ACI) software-defined networking platform, you can achieve dramatic improvements in data center performance, redundancy, security, visibility, efficiency, and agility. In Deploying ACI, three leading Cisco experts introduce this breakthrough platform, and walk network professionals through all facets of design, deployment, and operation. The authors demonstrate how ACI changes data center networking, security, and management; and offer multiple field-proven configurations.
Deploying ACI is organized to follow the key decision points associated with implementing data center network fabrics. After a practical introduction to ACI concepts and design, the authors show how to bring your fabric online, integrate virtualization and external connections, and efficiently manage your ACI network.
You’ll master new techniques for improving visibility, control, and availability; managing multitenancy; and seamlessly inserting service devices into application data flows. The authors conclude with expert advice for troubleshooting and automation, helping you deliver data center services with unprecedented efficiency.
Understand the problems ACI solves, and how it solves them
Design your ACI fabric, build it, and interface with devices to bring it to life
Integrate virtualization technologies with your ACI fabric
Perform networking within an ACI fabric (and understand how ACI changes data center networking)
Connect external networks and devices at Layer 2/Layer 3 levels
Coherently manage unified ACI networks with tenants and application policies
Migrate to granular policies based on applications and their functions
Establish multitenancy, and evolve networking, security, and services to support it
Integrate L4–7 services: device types, design scenarios, and implementation
Use multisite designs to meet rigorous requirements for redundancy and business continuity
Troubleshoot and monitor ACI fabrics
Improve operational efficiency through automation and programmability
Introduction xxiv
Chapter 1 You’ve Purchased ACI. Now What? 1
  Industry Trends and Transitions 1
  Next-Generation Data Center Concepts 2
  New Application Types 2
  Automation, Orchestration, and Cloud 3
  End-to-End Security 4
  Spine-Leaf Architecture 5
  Existing Infrastructure and ACI (Places in the Network) 8
  ACI Overview 9
  ACI Functional Components 10
  Nexus 9500 10
  Nexus 9300 10
  Application Centric Infrastructure Controllers 11
  Protocols Enabling the ACI Fabric 11
  Data Plane Protocols 11
  Control Plane Protocols 12
  Interacting with ACI 13
  GUI 13
  NX-OS CLI 14
  Open REST API 14
  Introduction to the Policy Model 14
  Application Network Profiles and Endpoint Groups 14
  VRFs and Bridge Domains 15
  Fabric Topologies 15
  Single-Site Model 15
  Multi-Pod Model 16
  Multi-Site Model 16
  Summary 17
Chapter 2 Building a Fabric 19
  Building a Better Network 19
  Fabric Considerations 20
  Phased ACI Migration 33
  Evolution to Application-Centric Mode 41
  Virtual Machine Manager (VMM) Integration 46
  AVS 46
  VMware 48
  Microsoft 50
  OpenStack 51
  Layer 4-7 Services 51
  Managed Mode 52
  Unmanaged Mode 53
  Additional Multisite Configurations 54
  Cisco ACI Stretched Fabric 55
  Cisco ACI Multi-Pod 56
  Cisco ACI Multi-Site 57
  Cisco ACI Dual-Fabric Design 57
  Pervasive Gateway 57
  VMM Considerations 58
  Summary 59
Chapter 3 Bringing Up a Fabric 61
  Out of the Box 61
  Suggested Services 62
  Management Network 64
  Logging In to the GUI for the First Time 73
  Basic Mode vs. Advanced Mode 74
  Discovering the Fabric 77
  Fabric Extenders 79
  Required Services 79
  Basic Mode Initial Setup 80
  Advanced Mode Initial Setup 84
  Management Network 92
  Fabric Policies 94
  Managing Software Versions 96
  Firmware Repository 97
  Controller Firmware and Maintenance Policy 98
  Configuration Management 101
  Configuration Snapshots 101
  Configuration Backup 102
  Summary 105
Chapter 4 Integration of Virtualization Technologies with ACI 107
  Why Integrate Cisco ACI with Virtualization Technologies? 107
  Networking for Virtual Machines and Containers 108
  Benefits of Cisco ACI Integration with Virtual Switches 111
  Comparing ACI Integration to Software Network Overlays 112
  Virtual Machine Manager Domains 115
  EPG Segmentation and Micro-Segmentation 121
  Intra-EPG Isolation and Intra-EPG Contracts 129
  Cisco ACI Integration with Virtual Switches in Blade Systems 132
  OpFlex 134
  Deployments over Multiple Data Centers 136
  VMware vSphere 137
  Cisco ACI Coexistence with the vSphere Standard Switch 138
  Cisco ACI Coexistence with the vSphere Distributed Switch 139
  Cisco ACI Integration with the vSphere Distributed Switch 139
  vCenter User Requirements 141
  Micro-Segmentation with the VDS 142
  Blade Servers and VDS Integration 142
  Cisco ACI Integration with Cisco Application Virtual Switch 143
  Cisco AVS Installation 147
  Blade Servers and AVS Integration 147
  Distributed Firewall 148
  Virtual Network Designs with VDS and AVS 150
  Cisco ACI Plug-in for vSphere vCenter Server: Configuring ACI from vCenter 154
  Cisco ACI Coexistence with VMware NSX 157
  Microsoft 158
  Introduction to Microsoft Hyper-V and SCVMM 159
  Preparing for the Integration 159
  Micro-Segmentation 161
  Blade Servers and SCVMM Integration 161
  OpenStack 162
  ML2 and Group-Based Policy 163
  Installing Cisco ACI Integration with OpenStack 164
  Cisco ACI ML2 Plug-in for OpenStack Basic Operations 164
  Cisco ACI ML2 Plug-in for OpenStack Security 166
  Cisco ACI ML2 Plug-in for OpenStack and Network Address Translation 167
  Cisco ACI GBP Plug-in for OpenStack 168
  Docker: Project Contiv 170
  Docker Networking 170
  Kubernetes 174
  Kubernetes Networking Model 175
  Isolation Models 176
  Creating a New EPG for Kubernetes Pods 178
  Assigning a Deployment or a Namespace to an EPG with Annotations 179
  Visibility in ACI for Kubernetes Objects 180
  Public Cloud Integration 180
  Summary 180
Chapter 5 Introduction to Networking with ACI 183
  Exploring Networking in ACI 184
  Groups and Contracts 184
  VRFs and Bridge Domains 197
  Connecting External Networks to the Fabric 208
  Network-Centric VLAN=BD=EPG 227
  Applying Policy to Physical and Virtual Workloads 230
  Moving Devices to the Fabric, VLAN by VLAN 232
  Unenforced vs. Enforced VRF 236
  L3 Connections to the Core 236
  Migrating the Default Gateway to the Fabric 242
  Summary 246
Chapter 6 External Routing with ACI 247
  Layer 3 Physical Connectivity Considerations 247
  Routed Ports Versus Switched Virtual Interfaces 249
  Outside Bridge Domains 250
  Bidirectional Forwarding Detection 251
  Access Port 252
  Port Channel 252
  Virtual Port Channel 254
  Gateway Resiliency with L3 Out 256
  Hot Standby Routing Protocol 256
  Routing Protocols 259
  Static Routing 259
  Enhanced Interior Gateway Routing Protocol 260
  Open Shortest Path First 261
  Border Gateway Protocol 265
  External Endpoint Groups and Contracts 268
  External Endpoint Groups 268
  Contracts Between L3 Out EPGs and Internal EPGs 269
  Multitenant Routing Consideration 269
  Shared Layer 3 Outside Connection 271
  Transit Routing 273
  WAN Integration 278
  Design Recommendations for Multitenant External Layer 3 Connectivity 280
  Quality of Service 280
  Multicast 282
  Multicast Best-Practice Recommendations 283
  Multicast Configuration Overview 286
  Summary 287
Chapter 7 How Life Is Different with ACI 289
  Managing Fabrics versus Managing Devices 290
  Centralized CLI 290
  System Dashboard 291
  Tenant Dashboards 292
  Health Scores 294
  Physical and Logical Objects 295
  Network Policies 296
  Maintaining the Network 300
  Fault Management 300
  Configuration Management 304
  Upgrading the Software 313
  Breaking the Shackles of IP Design 317
  Access Control Lists Without IP Addresses 317
  QoS Rules Without IP Addresses 317
  QoS Rules Without TCP or UDP Ports 317
  Physical Network Topology 318
  ACI as a Clos Fabric and Design Implications 318
  Fabric Topology and Links 320
  Individual Device View 320
  Port View 322
  Changing the Network Consumption Model 322
  Summary 324
Chapter 8 Moving to Application-Centric Networking 325
  “Network-Centric” Deployments 326
  Removing Packet Filtering in Network-Centric Deployments 328
  Increasing Per-Leaf VLAN Scalability 328
  Looking at the Configuration of a Network-Centric Design 329
  “Application-Centric” Deployment: Security Use Case 332
  Whitelist vs. Blacklist Models 333
  Enforced vs. Unenforced: ACI Without Contracts 333
  Endpoint Groups as a Zone-Based Firewall 334
  Contract Security Model 336
  Stateful Firewalling with Cisco Application Virtual Switch 344
  Intra-EPG Communication 346
  Any EPG 348
  Contract Definition Best Practices to Efficiently Use Resources 350
  “Application-Centric” Deployment: Operations Use Case 351
  Application-Centric Monitoring 351
  Quality of Service 352
  Migrating to an Application-Centric Model 355
  Disable Bridge Domain Legacy Mode 355
  Disable VRF Unenforced Mode 356
  Create New Application Profiles and EPGs 357
  Move Endpoints to the New EPGs 357
  Fine-Tune Security Rules 358
  How to Discover Application Dependencies 358
  Focus on New Applications 359
  Migrate Existing Applications 360
  Summary 364
Chapter 9 Multi-Tenancy 365
  The Need for Network Multi-Tenancy 366
  Data-Plane Multi-Tenancy 366
  Management Multi-Tenancy 366
  Multi-Tenancy in Cisco ACI 367
  Security Domains 368
  Role-Based Access Control 369
  Physical Domains 373
  Logical Bandwidth Protection Through Quality of Service 376
  What Is a Tenant? What Is an Application? 377
  Moving Resources to Tenants 382
  Creating the Logical Tenant Structure 382
  Implementing Management Multi-Tenancy 382
  Implementing Data-Plane Multi-Tenancy 386
  When to Use Dedicated or Shared VRFs 388
  Multi-Tenant Scalability 390
  External Connectivity 390
  Shared External Network for Multiple Tenants 393
  Inter-Tenant Connectivity 396
  Inter-VRF External Connectivity 396
  Inter-VRF Internal Connectivity (Route Leaking) 397
  L4-7 Services Integration 400
  Exporting L4-7 Devices 400
  Multi-Context L4-7 Devices 401
  Use Cases for Multi-Tenancy Connectivity 401
  ACI as Legacy Network 401
  Granting Network Visibility to Other Departments 401
  Network Shared Across Organizations with Shared Services 402
  External Firewall Interconnecting Multiple Security Zones 404
  Service Provider 404
  Summary 405
Chapter 10 Integrating L4-7 Services 407
  Inserting Services 407
  How We Do It Today 408
  Managed vs. Unmanaged 415
  Ecosystem Partners 420
  Management Model 422
  Functional Profiles 425
  Security for All Hosts 430
  Building an End-to-End Security Solution 431
  Integrating Firewalls 438
  Integrating Security Monitoring 452
  Integrating Intrusion Prevention Systems 453
  Integrating Server Load Balancing and ADC 457
  Two-node Service Graph Designs 462
  Summary 465
Chapter 11 Multi-Site Designs 467
  Bringing Up a Second Site 468
  Stretched Fabric Design 470
  Multiple-Fabric Design 476
  Multi-Pod Architecture 488
  ACI Multi-Pod Use Cases and Supported Topologies 489
  ACI Multi-Pod Scalability Considerations 492
  Inter-Pod Connectivity Deployment Considerations 493
  IPN Control Plane 494
  IPN Multicast Support 496
  Spines and IPN Connectivity Considerations 500
  Pod Auto-Provisioning 505
  APIC Cluster Deployment Considerations 507
  Reducing the Impact of Configuration Errors with Configuration Zones 513
  Migration Strategies 516
  Multi-Site Architecture 517
  APIC Versus Multi-Site Controller Functionalities 521
  Multi-Site Schema and Templates 522
  Multi-Site Use Cases 527
  Multi-Site and L3 Out Considerations 533
  Layer 3 Multicast Deployment Options 535
  Migration of Cisco ACI Fabric to Cisco ACI Multi-Site 537
  Summary 539
Chapter 12 Troubleshooting and Monitoring 541
  You Have a Poor Health Score. Now What? 542
  NX-OS CLI 543
  Connecting to the Leaf Switches 546
  Linux Commands 549
  Mapping Local Objects to Global Objects 551
  Some Useful Leaf Commands 556
  ping 560
  Troubleshooting Physical Issues 562
  Troubleshooting Cabling 562
  Troubleshooting Switch Outages 565
  Replacing a Fabric Switch 566
  Troubleshooting Contracts 567
  Troubleshooting Tools in ACI 570
  Hardware Diagnostics 570
  Dropped Packets: Counter Synchronization 571
  Atomic Counters 572
  Traffic Mirroring: SPAN and Copy Services 572
  Troubleshooting Wizard 581
  Endpoint Tracker 588
  Effectively Using Your Fabric Resources 590
  Monitoring Policies and Statistics 596
  SNMP Policies 596
  Syslog Policies 598
  Statistics 598
  Third-Party Monitoring Tools with ACI Support 601
  IBM Tivoli Netcool 601
  SevOne 601
  ScienceLogic 601
  Splunk 601
  Zenoss 601
  Summary 602
Chapter 13 ACI Programmability 603
  Why Network Programmability? Save Money, Make Money! 603
  What Is Wrong with Previous Network Automation Concepts? 604
  Programming Interfaces and SDKs 606
  Cisco ACI Programming Interfaces 607
  Cisco ACI REST API 607
  Cisco ACI Object Model 609
  Cisco ACI Software Development Kits 617
  Where to Find Automation and Programmability Examples 619
  Developing and Testing Your Code Without an ACI Fabric at Hand 620
  Increasing Operational Efficiency Through Network Automation 622
  Offering Visibility to the Network 622
  Externalizing Network Configuration 623
  Horizontal Automation Integrations 626
  Automating the Generation of Network Documentation 630
  Enabling Additional Business Models Through Network Automation 630
  Agile Application Deployment and DevOps 631
  Private Cloud and IaaS 634
  Hybrid Cloud 638
  Platform as a Service 639
  ACI Integration with Apprenda 640
  Mantl and Shipped 640
  Cisco ACI App Center 642
  Summary 644
9781587144745, TOC, 1/31/2018