
Upload: vuthien

Post on 08-Mar-2018


Data Center Application Centric Infrastructure Fundamentals

DCACIF V2.0; 5 days, Instructor-led

Course Description

DCACIF (Data Center Application Centric Infrastructure Fundamentals) is a 5-day Instructor-led training course that is designed for systems & field engineers who install & implement the Cisco Nexus 9000 Switches in ACI mode using the updated 2.0(x) version & updated Cisco Nexus 9000 hardware platform. The course covers the key components & procedures you need to know to understand, configure, manage Cisco Nexus 9000 Switches in ACI mode utilizing the updated 2.0(x) version, & how to connect the ACI Fabric to external networks & services.

Cisco ACI Release 2.0(x) offers many new features. The main new features introduced with the 2.0 version are:

• ACI vCenter Plugin for VMware vSphere Web Client • AVS Health Status • Contract Permit Logging • COOP Authentication • Digital Optical Monitoring • Layer 3 Multicast Support • Added OSPF Inbound Route Controls • Policy-Based Redirect for Provisions Service Appliances • EPG Deployment Through AEP • FCoE N-Port Virtualization Support • Layer 3 EVPN Services Over WAN Fabric • Port-Security • Support for Multiple vCenters per Fabric

Course Objectives

Upon completing this course, the learner will be able to meet these overall objectives:

• Describe the Cisco Nexus 9000 Series Switch ACI • Describe the ACI fabric • Describe Cisco Nexus 9000 Series Switch hardware • Configure the ACI controller (APIC) • Configure ACI L4L7 service integration

• Integrate the APIC hypervisor • Understand the programmability & orchestration of the ACI network • Discuss ACI connectivity to outside networks • Implement ACI management

Audience

This course is for systems engineers, technical architects, & product specialists in data center technical sales roles. Students include those who need to gain experience with understanding, configuring, & designing the data center networking environment with Cisco Nexus 9000 Series Switches.

Prerequisites

The knowledge & skills that a learner should have before attending this course are as follows:

• This course is designed for systems engineers, technical architects, & product specialists in data center technical sales roles

• Students should be familiar with Cisco Ethernet switching products • Students should understand Cisco data center architecture • Students should be familiar with virtualization • Good understanding of networking protocols, routing, & switching: • Recommended CCNA Certification • Recommended attendance of Cisco IP Routing Class (ROUTE) • Recommended attendance of Cisco Switching Class (SWITCH) • During the course of instruction, the learner will be exposed to the configuration of advanced technologies, such as BGP, OSPF & IS-IS. The learner will not be required to have experience with these technologies in order to successfully complete the class

Course Outline

Module 1: Cisco ACI Overview

Lesson 1: What problems are we trying to fix?

• The 3-Tier Application • Application Flow • Three Tier Application with Networking • What are VLANs for? • Applying Logical Model to Physical Model • Maintenance of Large Infrastructure is Complex • Problem: Micromanagement of Infrastructure • Example: Configure Network on a New Server • Imperative Control Systems • Goal: Capture & Preserve User Intent • The ACI Solution • Unified Ports

• Unified Fabric • What is ACI? • Logical Networking Provisioning of Stateless Hardware • What is the APIC? • ACI Design & Philosophy • Solution: Declarative Control • Summary

Lesson 2: Hardware Overview

• The Cisco Nexus 9000 Solution • Common Hardware Platform: Two Modes • Modular Switch Overview • Modular Switch Chassis • Modular Switch Components • Modular Line Cards • Fixed Switch Platforms (Spine) • Fixed Switch Platforms (Leaf) • Fabric Extenders • 40G QSFP BiDi • 40G/10G Breakout • Cisco Nexus 9000 Hardware Differentiators • Going Beyond SDN • Describing the Cisco APIC • Centralized Automation & Fabric Management • Algorithmically Sharded Cluster • APIC Controller is Attached In-Band • Spine & Leaf Topology • Why Spine/Leaf? • IS-IS Fabric Infrastructure Routing • Decoupled Identity, Location, & Policy • Multi-Hypervisor Normalization • Summary

Lesson 3: Software Overview

• Networking Concepts • Tenants • Contexts • Bridge Domain • Application Profiles • End Point Groups • EPGs, Subnets, & Policy • External Connectivity Options • L4-L7 Services • Security Policies • Contracts • ACI Contracts

• Subjects • Filters • Building Contracts • Taboos • The Provider & Consumer Relationship • Defining Provider & Consumer Relationships • Supported Deployment Models • Network Centric (Example VLAN=BD=EPG) • Application Centric (Example) • Hybrid (Example) • Inter-Tenant Communication • Inter-Tenant Contracts • Summary

Lesson 4: Fabric Transport

• ACI Fabric Integrated Overlay • Virtual Extensible LAN • ACI VXLAN Header • VNID as a Private Network Identifier • VNID as a Bridge Domain Identifier • VNID as an Endpoint Identifier • Network Services Header Extends the VXLAN Data Plane • Decoupled Identity, Location, & Policy • Multi-hypervisor Normalization • Normalization of Ingress Encapsulation • Overview of ACI Fabric Unicast Forwarding • Overview of ACI Fabric Policy Mechanisms • Summary

Module 2: Cisco ACI - Configuring Basic Constructs

Lesson 1: GUI & CLI Overview

• Graphical User Interface • Login Screen • Menu Bar/Submenu Bar • Navigation/Work Pane • System • Tenant • Fabric • VM Networking • L4-L7 Services • Admin • Operations • Search/Info • Welcome

• Command Line Interface • Logging into NXOS-CLI • Modes of Operation • Configuring Out of Band (OOB) Management-Example • Summary

Lesson 2: Configuring Tenants & Contracts

• Configuring a Tenant • Configuring a Tenant • Configuring a Private Network (VRF) • Configuring a Bridge Domain • CLI Option- Tenant, VRF & BD • Configuring an Application Profile • Configuring an EPG • CLI Option- Application Profiles & EPGs • Configuring Contracts • Configuring a Filter • Configuring a Contract • Configuring a Contract (Cont...) • CLI Option- Contracts & Filters • Providing Contracts • Consuming Contracts • CLI Option- Providing a Contract • CLI Option- Consuming a Contract • Summary

Module 3: Cisco ACI External Connectivity, Management, & Migration

Lesson 1: Policy Coordination with VM Managers

• VMM Domains • VMM VLANs (Dynamic) • Leveraging the Native vSwitch • Cisco Nexus AVS Integration Overview • EPG Spanning Across VMM Domains • Recommended Practices for VLAN Networks • Concept Map • Port Groups Extend to Both Physical & Virtual & Across Virtualized Servers • Summary

Lesson 2: Hypervisors & Bare Metal

• Hypervisor Integration • Management Networks • ACI Fabric & VMware DVC Integration • Endpoint Identification • Cisco ACI & Microsoft Integration

• Integration with Microsoft Hyper-V • Cisco Integration with Red Hat Linux • Bare Metal • Bare Metal Connectivity • Port Encapsulation

Lesson 3: VMM Domains

• Configuring VMM Domains • Fabric Access Policies • Interface Policies - CDP/LLDP Policy • Interface Policies - Access Port Policy Group • Interface Policies - Interface Profile / Access Port Selector • Switch Profile • Attachable Access Entity Profile (AAEP) • VLAN Pools • Creating VMM Domain • Attaching the EPG to the VMM Domain • Verifying the DVS Creation • ESXi Configuration • Attach the Guest • CLI Option - VMM Creation - VLANs • CLI Option - VMM Creation - Interface Profiles & APPG • CLI Option - VMM Creation - Switch Profile • CLI Option - VMM Creation - VMM Domain • CLI Option - VMM Creation - Attaching EPG • Summary

Lesson 4: Microsegmentation in the New Data Center

• Virtual Distribution Switch • Integrating Cisco ACI with VMware • Configuration Integration with VMware • Endpoint Identification • Cisco ACI Hypervisor Integration – VMware VDS • Create a VMM Domain • Create a vCenter Domain • Create a VLAN Namespace • Create a vCenter Controller Association • ACI VMware Integration – Create a VMM Domain • Associate EPG to VMM • Create a VLAN Namespace • Configuration Integration with Microsoft SCVM • Integration with Microsoft Hyper-V • Comparing AVS to Hypervisor-Based Virtual Switches • Cisco AVS Key Features

Module 4: Cisco ACI - Configuring ACI Connectivity to Outside Networks

Lesson 1: Overview of External Connectivity

• Use Cases • Options • What is a Network on APIC? • Relationship to Rest of Components • Policy View • Important Concepts- Inside Outside • Internal EPG to External EPG • External EPG to Internal EPG • Scaling • SVI Connection • ACI Layer 3 Outside Connection IP Multicast Traffic • Extended Layer 2 Domain Out of ACI • STP Interaction • BPDU Flooding • ACI Layer 2 External Connections STP TCN Snooping • Local Loop Detection • Summary

Lesson 2: Layer 3 Outside Connectivity & Configuration

• L3 Outside Connectivity • Layer 3 Connection Options • Route Redistribution • OSPFv3 Peering Considerations • Route Redistribution with OSPFv2 • ACI as a Layer 3 Stub Network

• EIGRP Peering Considerations • IBGP Peering Considerations • EBGP Considerations • Configuring L3 Outside • Route-Reflector Configuration • Route Reflector Configuration-Pod Policy Group • Route Reflector Configuration Applying Pod Policy • Verifying Route Reflector Configuration • CLI-Option BGP Route-Reflector • Preparing the Fabric for L3 Out • Tenant- External Routed Out • Tenant- External Node • Tenant- Interface Profile • Tenant- Example - SVI Interface • Tenant- External EPG • Verifying the L3 External Out Configuration- OSPF

• Verifying the L3 External Out Configuration- EIGRP • Verifying the L3 External Out Configuration- BGP • Configuring Layer 2 Outside • L2 Bridged Outside Concept • Tenant- External Bridged Out • Tenant-L2 EPG Profile • Verifying the L2 External Out Configuration • Summary

Module 5: Cisco ACI - L4-L7 Services

Lesson 1: Service Insertion Concepts

• Device Packages • Device Cluster • Programmability • Programming Options • Device Packages • Developing Device Specifications • OpFlex is a Flexible, Extensible Policy Protocol • OpFlex Uses a Declarative Model • Service Insertion • Service Insertion • Redirection to Multiple Services • Service Graphs • Where are Service Graphs Helpful • Service Graph Parameters • Service Graph Rendering • Summary

Lesson 2: Configuring L4-L7 Devices

• Configuring The Concrete Device • Configuring the Functional Profile • Configuring a Service Graph • Summary

Module 6: Cisco ACI - Administration & Troubleshooting Tools

Lesson 1: Administration & Troubleshooting Tools

• RBAC • Security Domains • Users • Roles • Applying Security Domains & Roles • LDAP/RADIUS/TACACS+

• Firmware • Prior to Upgrading • Uploading Code to the APIC • Firmware Repository • Upgrading the Controller • Firmware Groups • Maintenance Groups • Upgrading the Nodes • Backups • Defining Remote Locations • Snapshot Feature • Import • Configuration Rollbacks

Lesson 2: Troubleshooting, Faults & Monitoring

• Troubleshooting • Troubleshooting Philosophy • Troubleshooting Example • Possible places to begin-Operations Tab • Possible Fix Points • Faults • Fault Overview • Fault Properties • Isolating Faults through Health Checks • Isolating Faults through Health Checks(Cont.) • Isolating Faults through Health Checks(Cont.) • Isolating Faults through Health Checks(Cont.) • Isolating Faults through Health Checks(Cont.) • Isolating Faults through Health Checks(Cont.) • Isolating Faults through Health Checks(Cont.) • Other Troubleshooting Tools • Monitoring • Summary

Module 7: Cisco ACI - Demonstrating ACI Network Programmability & Orchestration

Lesson 1: Need for Programming

• The Business Need for Network Programmability • ACI Programmability • ACI Open APIs & Ecosystem • API Protocols • How is REST Used? • Summary

Lesson 2: JSON & XML

• What is XML? • What is JSON? • Evaluating XML & JSON • Northbound: REST API, Python, Puppet, Chef, Openstack • ACI Fabric-Attached Device API- OpFlex • Southbound: Layer 4 to Layer 7 Scripting API • Cisco DevNet- New Developer Program from Cisco • Community Code Development • Summary

Lesson 3: Programmability with REST API

• What is REST? • REST APIs • Configuration & the RESTful API • What is RPC used for? • The ACI APIC Object-Based Tree • APIC REST API Operations • APIC REST API Message Format • dMIT Queries • Summary

Lesson 4: Orchestration

• OpFlex is a Flexible, Extensible Policy Protocol • Opening the ACI Policy Engine with OpFlex • How OpFlex Works-Simplified • OpFlex Protocol • OpFlex Protocol Messages • Example OpFlex Plus Open vSwitch • OpFlex-Declarative Models • OpenStack-Enabling the Cloud • Two Options from OpenStack APIs • Neutron API • Group Policy API • Group Based Policy in OpenStack • Group Policy Model • OpenStack ACI Integration • Group-Based Policy Workflow • OpenStack APIC Plug-in Details • OpenStack Group Policy Details • OpenStack Group Policy Plus OpFlex • Application Policy in OpenDaylight • Open Policy Exposed Through OSS Tools • Summary

Module 8: Cisco ACI - Practical Review

Lesson 1: Attaching Appliances to the Fabric

• How does the Network Look Today? • Common Physical Design • Virtual Design • Physical Server • Network Design • Storage • Spine & Leaf • New Hardware Approach • Attaching the Virtual Appliances • Physical Server • L4-L7 Services • Storage

Lesson 2: Policy & Application Mapping

• Planning the Application EPG Connectivity • Identify the Endpoints • Who talks with whom? • Network Centric Model • Application Centric Model • Planning Filters • Assigning Filters to Contracts • Assigning Contracts • Bridged & Routed Outside • Identify the Connection Type • Basic Layout - No Security • Service Insertion • Service Insertion Considerations • Service Insertion Internal • Service Insertion External to Fabric • Summary

Lab Outline (Using Cisco ACI Release 2.0(x) OS version)

Lab 0: Accessing the Remote Lab Environment

Lab 1: Initiate ACI Fabric Discovery

• Connect to the Remote Lab Environment • Log in to the APIC Controller (Instructor Demo) • Register the Cisco Nexus 9000 Switches to APIC-1 (Instructor Demo) • Navigate Through the APIC GUI to Familiarize Yourself with the Fabric

Lab 2: Configuring the OOB Management Address for the Fabric Switches

• Log in to the APIC and configure management address

Lab 3: Configure Basic Network Constructs

• Create a Tenant • Create a Context • Create a Bridge Domain

Lab 4: Configure Policy Filters & Contracts

• Create Filters • Create Contracts

Lab 5: Deploy a Three-Tier Application Profile

• Create Application Profile

Lab 6: Building a Physical Domain

• Create a vPC Physical Domain (Instructor Demo) • Attach to the vPC Physical Domain (Instructor Demo) • Add the Physical Domain to Your Tenant App_EPG

Lab 7: Register a VMM Domain with ACI

• Register VMware vCenter to APIC by Creating a vCenter Domain • Create vCenter Credentials & Server Object • Verifying APIC Connection to vCenter Server

Lab 8: Configure VMware ESXi Hosts to Use the APIC-Initiated DVS

• Add ESXi Hosts to APIC DVS

Lab 9: Associate an EPG to a VMware vCenter Domain

• Associate vCenter Domain to App_EPG • Associate vCenter Domain to DB_EPG • Associate vCenter Domain to Web_EPG

Lab 10: Associate a VM to an EPG Port Group

• Connect to Your vCenter Server Using the vSphere Client • Edit Web-Server Settings • Edit App-Server Settings

• Edit DB-Server Settings

Lab 11: Deploy Cisco AVS and Microsegmentation

• Remove VMs, Uplinks, and Hosts from Classic DVS • Configure AVS-Based VM Domain • Deploy AVS • Associate EPGs with AVS and Migrate VMs to AVS • Implement Microsegmentation Based on IP Address • Implement Microsegmentation Based on Custom Attribute

Lab 12: Configure APIC to Communicate to an External Layer 3 Network

• Configure MP-BGP Route Reflectors (Instructor Demo) • Configure External L3 Network • Create Application Profile to Propagate Internal Public Routes • Associate an L3 Outside Connection to a Bridge Domain • Verify That the Leaf Is Learning OSPF Routes

Lab 13: Configure APIC to Communicate to an External Layer 2 Network

• Create an External Bridged Network • Configure an Attachable Entity Profile to Selectively Allow VLAN Traffic

Lab 14: Deploy a Service Graph with Application Profile

• Import Device Packages (Instructor Demo)

Lab 15: Configure APIC Using the REST API

• Open the Postman Plugin for Google Chrome • Create an Application Profile Using the REST API • Create Device Cluster for the ASA • Create Service Graph • Create a Bridge Domain for the ASA • Create Logical Device Context for ASA

Lab 16: Configure APIC RBAC for Local and Remote Users

• Create a Security Domain and Map to your Tenant • Configure Local Users and Roles for your Tenant Security Domain • Create a RADIUS Security Domain and Map to your Tenant • Create an AAA Login Domain for RADIUS Authentication • Test RADIUS Authentication and Authorization

Lab 17: Monitor and Troubleshoot ACI

• View Faults Using the APIC GUI • View Events Using the APIC GUI • Using the Managed Object Browser (Visore) • Configuring Syslog Monitoring

Lab 18: Monitor & Troubleshoot ACI

• View Faults Using the APIC GUI • View Events Using the APIC GUI • Using the API Inspector • Using the Managed Object Browser (Visore) • Configuring Syslog Monitoring

Appendix A

• Hardware and Software Features