Cisco ACI (Application Centric Infrastructure) Lab Test Drive - NETSEC



Thursday, January 25, 2018


  • ACI is a centralized, policy-driven model with open APIs that connects to every component of the data center and controls the network and information flow.
  • A policy is a principle of action adopted by the business; in ACI it is expressed as code and enforced by the system.
  • A policy is a statement of intent that is applied to the network, with the network being responsible for carrying out that intent.
  • Expressing application requirements as policy lets changes at any layer of the stack be made independently of the other layers.
  • The advantages of policy in the data center are abstraction, extensibility, and reusability.

Unicast forwarding through the fabric occurs as follows:

1. The packet is sourced from the VM attached to the ingress port group, or directly from a physical server.
2. The virtual switch (vSwitch) encapsulates the frame and forwards it to the leaf.
3. The leaf swaps the ingress encapsulation for VXLAN and performs any required policy functions.
4a. If the leaf has already learned the inner IP-to-egress-VTEP binding, it sets the outer destination to that VTEP and forwards directly to the egress leaf.
4b. If the ingress leaf has no cached entry for the IP-to-egress-VTEP binding, it sets the outer destination to the anycast VTEP address of the spine proxy. The spine performs an inline hardware lookup in its mapping database and rewrites the outer header with the egress VTEP. Because the packet would have crossed the spine anyway, the lookup adds no additional latency and no loss of throughput.
5. The egress leaf swaps the outer VXLAN encapsulation for the correct egress encapsulation and performs any required policy functions.
6. The leaf then forwards the frame to the vSwitch.
7. From there, the vSwitch forwards the frame to the VM, or the leaf delivers it directly to a physical server.

1. Accessing the Remote Lab Environment

Note: APIC = Application Policy Infrastructure Controller
What is the APIC?
The APIC has the following characteristics:
- Is the policy controller
- Holds the defined policy
- Is required for instantiation of policy adds or changes
- Is a highly redundant cluster of three or more servers
- Is not the control plane
- Is not in the path of the traffic

2. Configuring Basic Network Constructs

COOP = Council of Oracle Protocol
- Used by the leaf switches to report endpoint identity-to-location (IP/MAC to VTEP) mappings to the spine proxy, which holds the fabric-wide mapping database.
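As an added illustration of steps 4a/4b of the forwarding walk-through above and of the spine proxy's COOP-fed mapping database, the following Python models one ingress leaf, one egress leaf and a spine proxy. This is example code written for this page, not Cisco's implementation; the VTEP addresses, endpoint addresses and port names are assumptions. The second packet in each direction takes the direct path of step 4a because the egress leaf learned the remote IP-to-VTEP binding from the data plane on the first packet, and a destination the spine has never heard of via COOP is dropped at the proxy.

```python
"""Toy model of ACI unicast forwarding and the COOP mapping database.
Added example; not Cisco code. Addresses and names are made up."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SPINE_ANYCAST_VTEP = "10.0.0.1"   # assumed: anycast VTEP shared by all spines


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    outer_src: Optional[str] = None          # VXLAN outer header, set by the ingress leaf
    outer_dst: Optional[str] = None
    path: List[str] = field(default_factory=list)   # hop trace for the reader


@dataclass
class SpineProxy:
    """The spine proxy owns the COOP-fed mapping database: endpoint IP -> VTEP."""
    mapping_db: Dict[str, str] = field(default_factory=dict)

    def coop_publish(self, ip: str, vtep: str) -> None:
        # Leaves report every locally learned endpoint to the spine over COOP.
        self.mapping_db[ip] = vtep

    def proxy(self, pkt: Packet) -> bool:
        # Step 4b: inline lookup and rewrite of the outer destination VTEP.
        vtep = self.mapping_db.get(pkt.dst_ip)
        if vtep is None:
            pkt.path.append("spine:unknown-endpoint:drop")
            return False
        pkt.outer_dst = vtep
        pkt.path.append(f"spine:rewrite->{vtep}")
        return True


@dataclass
class Leaf:
    name: str
    vtep: str
    spine: SpineProxy
    local_eps: Dict[str, str] = field(default_factory=dict)     # ip -> port
    remote_cache: Dict[str, str] = field(default_factory=dict)  # ip -> VTEP

    def learn_local(self, ip: str, port: str) -> None:
        self.local_eps[ip] = port
        self.spine.coop_publish(ip, self.vtep)

    def ingress(self, pkt: Packet) -> bool:
        """Steps 2-4: encapsulate in VXLAN and choose the outer destination."""
        pkt.outer_src = self.vtep
        if pkt.dst_ip in self.local_eps:
            pkt.outer_dst = self.vtep            # same leaf: no fabric traversal
            pkt.path.append(f"{self.name}:local")
            return True
        cached = self.remote_cache.get(pkt.dst_ip)
        if cached is not None:
            pkt.outer_dst = cached               # step 4a: known IP -> VTEP binding
            pkt.path.append(f"{self.name}:cache-hit->{cached}")
            return True
        pkt.outer_dst = SPINE_ANYCAST_VTEP       # step 4b: let the spine proxy resolve it
        pkt.path.append(f"{self.name}:cache-miss->spine-proxy")
        return self.spine.proxy(pkt)

    def egress(self, pkt: Packet) -> Optional[str]:
        """Steps 5-7: decapsulate, learn the remote source, hand off to the port."""
        if pkt.outer_src != self.vtep:
            # Data-plane learning of the remote IP -> VTEP binding; this is what
            # lets the reply (and later packets) take the direct path of step 4a.
            self.remote_cache[pkt.src_ip] = pkt.outer_src
        port = self.local_eps.get(pkt.dst_ip)
        pkt.path.append(f"{self.name}:deliver:{port}")
        return port


def send(leaves: Dict[str, Leaf], src_leaf: Leaf, src_ip: str, dst_ip: str) -> Packet:
    """Carry one packet from src_leaf through the fabric; returns the traced packet."""
    pkt = Packet(src_ip, dst_ip)
    if src_leaf.ingress(pkt):
        leaves[pkt.outer_dst].egress(pkt)
    return pkt


def demo() -> Dict[str, List[str]]:
    spine = SpineProxy()
    leaf1 = Leaf("leaf1", "10.0.1.1", spine)
    leaf2 = Leaf("leaf2", "10.0.1.2", spine)
    leaves = {leaf.vtep: leaf for leaf in (leaf1, leaf2)}
    web, db = "192.168.10.11", "192.168.20.22"   # assumed: ACME web server and ACME DB
    leaf1.learn_local(web, "eth1/1")
    leaf2.learn_local(db, "eth1/1")
    return {
        "first":   send(leaves, leaf1, web, db).path,   # cache miss -> spine proxy (4b)
        "reply":   send(leaves, leaf2, db, web).path,   # leaf2 learned web on egress
        "second":  send(leaves, leaf1, web, db).path,   # cache hit -> direct (4a)
        "unknown": send(leaves, leaf1, web, "192.168.30.33").path,  # never published via COOP
    }
```

Run `demo()` and compare the four traces: only the first packet of a conversation pays the spine-proxy lookup, and even that lookup happens on a spine the packet was already traversing. A practitioner checking a real fabric would compare the leaf's endpoint table (local and remote entries) against the spine's COOP database to confirm the same bindings.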

The management network for servers, applications, and other devices can use the ACI fabric in a separate context (VRF), keeping it isolated from the data and control planes of all other traffic. This preserves security while still permitting traffic that has been explicitly granted access. A management endpoint group (EPG) is created so that only endpoints placed in it, and the contracts applied to it, can reach the management entities on the management network.

3. Attaching Internal Compute and Adding the VMM Domain
VMM Domain
To build the foundation of the application profile, you must create a domain in which endpoints operate. Endpoints must be associated with a domain, either physical or virtual, to be managed within ACI and to have policy applied to the traffic flowing to and from them. Domains provide the connectivity profile: they identify the switches, ports, and VLANs that the endpoints use to reach the fabric. In this lab you will create a VMM (Virtual Machine Manager) domain for the vCenter-hosted endpoints.

Activity Objective
In this activity, you will meet these objectives:
- Create a physical domain, part of a vPC domain, for attaching servers through specific leaf-switch ports in an active-active team
- Create the vCenter VMM domain so that the APIC can manage the vCenter distributed virtual switch and its port groups

4. Creating a Two-Tier Application
You will now create a two-tier application profile.
A two-tier application already exists on the vCenter host: a Windows Server 2003 (W2K3) VM to test from, the ACME Web Server, and an ACME DB. You will build the application profile, contracts, and filters that let this application work through the ACI fabric.

Activity Objective
In this activity, you will meet these objectives:
- Configure the application profile for the lab application
- Add the application VMs to the ACI-created virtual switch and verify correct connectivity
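The two-tier application profile in this activity, together with the management EPG in its own context from section 2, comes down to one policy tree: EPGs, the contracts they provide and consume, and the filters those contracts carry, with the fabric denying everything between EPGs that no contract permits. As an added example (written for this page, not APIC code or lab material), the following Python builds that tree in the JSON form the APIC REST API accepts at /api/mo/uni.json and then evaluates which EPG-to-EPG flows it permits. The tenant, VRF, bridge-domain, contract and filter names, the EPG layout, and the DB port (1433) are assumptions; the APIC object class names (fvTenant, fvCtx, fvBD, fvAp, fvAEPg, vzBrCP, vzSubj, vzFilter, vzEntry and their relation objects) are the real ones.

```python
"""Toy model of the ACI contract (allow-list) model for the lab's ACME
two-tier app plus a management EPG in its own VRF. Added example, not APIC
code: it builds the JSON the APIC REST API accepts at /api/mo/uni.json and
evaluates which EPG-to-EPG flows that policy permits."""
import json

DB_PORT = "1433"   # assumed (MS SQL); the lab does not state the ACME DB port

def mo(cls, attrs, children=()):
    """One managed object in APIC JSON form."""
    node = {cls: {"attributes": attrs}}
    if children:
        node[cls]["children"] = list(children)
    return node

def filter_mo(name, proto, port):
    return mo("vzFilter", {"name": name}, [mo("vzEntry", {
        "name": f"{proto}-{port}", "etherT": "ip", "prot": proto,
        "dFromPort": port, "dToPort": port})])

def contract_mo(name, filt):
    return mo("vzBrCP", {"name": name}, [mo("vzSubj", {"name": "subj"}, [
        mo("vzRsSubjFiltAtt", {"tnVzFilterName": filt})])])

def epg_mo(name, bd, provides=(), consumes=()):
    kids = [mo("fvRsBd", {"tnFvBDName": bd})]
    kids += [mo("fvRsProv", {"tnVzBrCPName": c}) for c in provides]
    kids += [mo("fvRsCons", {"tnVzBrCPName": c}) for c in consumes]
    return mo("fvAEPg", {"name": name}, kids)

def acme_tenant():
    """Tenant ACME: one VRF for the app, a separate VRF for management."""
    return mo("fvTenant", {"name": "ACME"}, [
        mo("fvCtx", {"name": "app-vrf"}),
        mo("fvCtx", {"name": "mgmt-vrf"}),
        mo("fvBD", {"name": "app-bd"}, [mo("fvRsCtx", {"tnFvCtxName": "app-vrf"})]),
        mo("fvBD", {"name": "mgmt-bd"}, [mo("fvRsCtx", {"tnFvCtxName": "mgmt-vrf"})]),
        filter_mo("http", "tcp", "80"),
        filter_mo("sql", "tcp", DB_PORT),
        filter_mo("ssh", "tcp", "22"),
        contract_mo("web-c", "http"),   # client -> web
        contract_mo("db-c", "sql"),     # web -> db, and nobody else
        contract_mo("mgmt-c", "ssh"),
        mo("fvAp", {"name": "acme-2tier"}, [
            epg_mo("client", "app-bd", consumes=["web-c"]),   # the W2K3 test VM
            epg_mo("web", "app-bd", provides=["web-c"], consumes=["db-c"]),
            epg_mo("db", "app-bd", provides=["db-c"]),
        ]),
        mo("fvAp", {"name": "mgmt"}, [epg_mo("mgmt", "mgmt-bd", provides=["mgmt-c"])]),
    ])

def policy_json():
    """Request body for POST https://<apic>/api/mo/uni.json (APIC host assumed)."""
    return json.dumps(acme_tenant(), indent=2)

def _index(tenant):
    """Flatten the tree into lookup tables: filters, contracts, EPGs, BD->VRF."""
    filters, contracts, epgs, bd_ctx = {}, {}, {}, {}
    for node in tenant["fvTenant"]["children"]:
        (cls, body), = node.items()
        name, ch = body["attributes"]["name"], body.get("children", [])
        if cls == "vzFilter":
            filters[name] = [c["vzEntry"]["attributes"] for c in ch]
        elif cls == "vzBrCP":
            contracts[name] = [r["vzRsSubjFiltAtt"]["attributes"]["tnVzFilterName"]
                               for r in ch[0]["vzSubj"]["children"]]
        elif cls == "fvBD":
            bd_ctx[name] = ch[0]["fvRsCtx"]["attributes"]["tnFvCtxName"]
        elif cls == "fvAp":
            for e in ch:
                prov, cons, bd = set(), set(), None
                for r in e["fvAEPg"].get("children", []):
                    (rc, rb), = r.items()
                    a = rb["attributes"]
                    if rc == "fvRsBd":
                        bd = a["tnFvBDName"]
                    elif rc == "fvRsProv":
                        prov.add(a["tnVzBrCPName"])
                    elif rc == "fvRsCons":
                        cons.add(a["tnVzBrCPName"])
                epgs[e["fvAEPg"]["attributes"]["name"]] = (prov, cons, bd)
    return filters, contracts, epgs, bd_ctx

def permitted(tenant, src, dst, proto, dport):
    """Is a flow initiated by EPG src toward EPG dst on proto/dport allowed?
    Simplified: initiating direction only; anything unmatched is denied."""
    filters, contracts, epgs, bd_ctx = _index(tenant)
    if src == dst:
        return True                    # intra-EPG traffic is allowed unless isolation is set
    _, src_cons, src_bd = epgs[src]
    dst_prov, _, dst_bd = epgs[dst]
    if bd_ctx[src_bd] != bd_ctx[dst_bd]:
        return False                   # different VRFs: no path without route leaking
    for c in dst_prov & src_cons:      # dst must provide and src must consume the same contract
        for f in contracts[c]:
            for e in filters[f]:
                if e["prot"] == proto and int(e["dFromPort"]) <= dport <= int(e["dToPort"]):
                    return True
    return False
```

The check worth running before declaring the lab app "working" is the negative one: `permitted(acme_tenant(), "client", "db", "tcp", 1433)` must be False, because the test VM is never meant to reach the database directly, and `permitted(acme_tenant(), "client", "mgmt", "tcp", 22)` must be False because the management EPG sits in a different VRF with no contract shared with the app. The model ignores the "apply both directions" and "reverse filter ports" contract options, so it judges only who is allowed to initiate a connection.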

