44,90 €
Free shipping by post / DHL
Delivery time 2-4 working days
Introduction xxiv
Chapter 1 You’ve Purchased ACI. Now What? 1
Industry Trends and Transitions 1
Next-Generation Data Center Concepts 2
New Application Types 2
Automation, Orchestration, and Cloud 3
End-to-End Security 4
Spine-Leaf Architecture 5
Existing Infrastructure and ACI (Places in the Network) 8
ACI Overview 9
ACI Functional Components 10
Nexus 9500 10
Nexus 9300 10
Application Centric Infrastructure Controllers 11
Protocols Enabling the ACI Fabric 11
Data Plane Protocols 11
Control Plane Protocols 12
Interacting with ACI 13
GUI 13
NX-OS CLI 14
Open REST API 14
Introduction to the Policy Model 14
Application Network Profiles and Endpoint Groups 14
VRFs and Bridge Domains 15
Fabric Topologies 15
Single-Site Model 15
Multi-Pod Model 16
Multi-Site Model 16
Summary 17
Chapter 2 Building a Fabric 19
Building a Better Network 19
Fabric Considerations 20
Phased ACI Migration 33
Evolution to Application-Centric Mode 41
Virtual Machine Manager (VMM) Integration 46
AVS 46
VMware 48
Microsoft 50
OpenStack 51
Layer 4-7 Services 51
Managed Mode 52
Unmanaged Mode 53
Additional Multisite Configurations 54
Cisco ACI Stretched Fabric 55
Cisco ACI Multi-Pod 56
Cisco ACI Multi-Site 57
Cisco ACI Dual-Fabric Design 57
Pervasive Gateway 57
VMM Considerations 58
Summary 59
Chapter 3 Bringing Up a Fabric 61
Out of the Box 61
Suggested Services 62
Management Network 64
Logging In to the GUI for the First Time 73
Basic Mode vs. Advanced Mode 74
Discovering the Fabric 77
Fabric Extenders 79
Required Services 79
Basic Mode Initial Setup 80
Advanced Mode Initial Setup 84
Management Network 92
Fabric Policies 94
Managing Software Versions 96
Firmware Repository 97
Controller Firmware and Maintenance Policy 98
Configuration Management 101
Configuration Snapshots 101
Configuration Backup 102
Summary 105
Chapter 4 Integration of Virtualization Technologies with ACI 107
Why Integrate Cisco ACI with Virtualization Technologies? 107
Networking for Virtual Machines and Containers 108
Benefits of Cisco ACI Integration with Virtual Switches 111
Comparing ACI Integration to Software Network Overlays 112
Virtual Machine Manager Domains 115
EPG Segmentation and Micro-Segmentation 121
Intra-EPG Isolation and Intra-EPG Contracts 129
Cisco ACI Integration with Virtual Switches in Blade Systems 132
OpFlex 134
Deployments over Multiple Data Centers 136
VMware vSphere 137
Cisco ACI Coexistence with the vSphere Standard Switch 138
Cisco ACI Coexistence with the vSphere Distributed Switch 139
Cisco ACI Integration with the vSphere Distributed Switch 139
vCenter User Requirements 141
Micro-Segmentation with the VDS 142
Blade Servers and VDS Integration 142
Cisco ACI Integration with Cisco Application Virtual Switch 143
Cisco AVS Installation 147
Blade Servers and AVS Integration 147
Distributed Firewall 148
Virtual Network Designs with VDS and AVS 150
Cisco ACI Plug-in for vSphere vCenter Server: Configuring ACI from vCenter 154
Cisco ACI Coexistence with VMware NSX 157
Microsoft 158
Introduction to Microsoft Hyper-V and SCVMM 159
Preparing for the Integration 159
Micro-Segmentation 161
Blade Servers and SCVMM Integration 161
OpenStack 162
ML2 and Group-Based Policy 163
Installing Cisco ACI Integration with OpenStack 164
Cisco ACI ML2 Plug-in for OpenStack Basic Operations 164
Cisco ACI ML2 Plug-in for OpenStack Security 166
Cisco ACI ML2 Plug-in for OpenStack and Network Address Translation 167
Cisco ACI GBP Plug-in for OpenStack 168
Docker: Project Contiv 170
Docker Networking 170
Kubernetes 174
Kubernetes Networking Model 175
Isolation Models 176
Creating a New EPG for Kubernetes Pods 178
Assigning a Deployment or a Namespace to an EPG with Annotations 179
Visibility in ACI for Kubernetes Objects 180
Public Cloud Integration 180
Summary 180
Chapter 5 Introduction to Networking with ACI 183
Exploring Networking in ACI 184
Groups and Contracts 184
VRFs and Bridge Domains 197
Connecting External Networks to the Fabric 208
Network-Centric VLAN=BD=EPG 227
Applying Policy to Physical and Virtual Workloads 230
Moving Devices to the Fabric, VLAN by VLAN 232
Unenforced vs. Enforced VRF 236
L3 Connections to the Core 236
Migrating the Default Gateway to the Fabric 242
Summary 246
Chapter 6 External Routing with ACI 247
Layer 3 Physical Connectivity Considerations 247
Routed Ports Versus Switched Virtual Interfaces 249
Outside Bridge Domains 250
Bidirectional Forwarding Detection 251
Access Port 252
Port Channel 252
Virtual Port Channel 254
Gateway Resiliency with L3 Out 256
Hot Standby Routing Protocol 256
Routing Protocols 259
Static Routing 259
Enhanced Interior Gateway Routing Protocol 260
Open Shortest Path First 261
Border Gateway Protocol 265
External Endpoint Groups and Contracts 268
External Endpoint Groups 268
Contracts Between L3 Out EPGs and Internal EPGs 269
Multitenant Routing Consideration 269
Shared Layer 3 Outside Connection 271
Transit Routing 273
WAN Integration 278
Design Recommendations for Multitenant External Layer 3 Connectivity 280
Quality of Service 280
Multicast 282
Multicast Best-Practice Recommendations 283
Multicast Configuration Overview 286
Summary 287
Chapter 7 How Life Is Different with ACI 289
Managing Fabrics versus Managing Devices 290
Centralized CLI 290
System Dashboard 291
Tenant Dashboards 292
Health Scores 294
Physical and Logical Objects 295
Network Policies 296
Maintaining the Network 300
Fault Management 300
Configuration Management 304
Upgrading the Software 313
Breaking the Shackles of IP Design 317
Access Control Lists Without IP Addresses 317
QoS Rules Without IP Addresses 317
QoS Rules Without TCP or UDP Ports 317
Physical Network Topology 318
ACI as a Clos Fabric and Design Implications 318
Fabric Topology and Links 320
Individual Device View 320
Port View 322
Changing the Network Consumption Model 322
Summary 324
Chapter 8 Moving to Application-Centric Networking 325
“Network-Centric” Deployments 326
Removing Packet Filtering in Network-Centric Deployments 328
Increasing Per-Leaf VLAN Scalability 328
Looking at the Configuration of a Network-Centric Design 329
“Application-Centric” Deployment: Security Use Case 332
Whitelist vs. Blacklist Models 333
Enforced vs. Unenforced: ACI Without Contracts 333
Endpoint Groups as a Zone-Based Firewall 334
Contract Security Model 336
Stateful Firewalling with Cisco Application Virtual Switch 344
Intra-EPG Communication 346
Any EPG 348
Contract Definition Best Practices to Efficiently Use Resources 350
“Application-Centric” Deployment: Operations Use Case 351
Application-Centric Monitoring 351
Quality of Service 352
Migrating to an Application-Centric Model 355
Disable Bridge Domain Legacy Mode 355
Disable VRF Unenforced Mode 356
Create New Application Profiles and EPGs 357
Move Endpoints to the New EPGs 357
Fine-Tune Security Rules 358
How to Discover Application Dependencies 358
Focus on New Applications 359
Migrate Existing Applications 360
Summary 364
Chapter 9 Multi-Tenancy 365
The Need for Network Multi-Tenancy 366
Data-Plane Multi-Tenancy 366
Management Multi-Tenancy 366
Multi-Tenancy in Cisco ACI 367
Security Domains 368
Role-Based Access Control 369
Physical Domains 373
Logical Bandwidth Protection Through Quality of Service 376
What Is a Tenant? What Is an Application? 377
Moving Resources to Tenants 382
Creating the Logical Tenant Structure 382
Implementing Management Multi-Tenancy 382
Implementing Data-Plane Multi-Tenancy 386
When to Use Dedicated or Shared VRFs 388
Multi-Tenant Scalability 390
External Connectivity 390
Shared External Network for Multiple Tenants 393
Inter-Tenant Connectivity 396
Inter-VRF External Connectivity 396
Inter-VRF Internal Connectivity (Route Leaking) 397
L4-7 Services Integration 400
Exporting L4-7 Devices 400
Multi-Context L4-7 Devices 401
...
Year of publication: | 2018 |
---|---|
Subject area: | Hardware |
Genre: | Imports, Computer Science |
Category: | Natural Sciences & Technology |
Medium: | Paperback |
Contents: | Softcover / Paperback |
ISBN-13: | 9781587144745 |
ISBN-10: | 1587144743 |
Language: | English |
Binding: | Softcover / Paperback |
Author: | Dagenhardt, Frank; Moreno, Jose; Dufresne, Bill |
Edition: | 1st edition |
Manufacturer: | Cisco Press |
Responsible person for the EU: | Pearson Education, St.-Martin-Str. 82, D-81541 München, info@pearson.de |
Dimensions: | 235 x 195 x 38 mm |
By/With: | Frank Dagenhardt (et al.) |
Publication date: | 19.02.2018 |
Weight: | 1.318 kg |