Cisco ACI App Center
ACI is a licensed Cisco SDN solution for data centers that automates configuration and policy enforcement under a single central management point. ACI is a hybrid SDN implementation: forwarding decisions are made by the switches themselves, and only policies are pushed to the switches from the central system. This removes the need to configure and troubleshoot individual switches and routers as in traditional data centers, and it removes the worry of scaling up the network.
The main feature of licensed Cisco ACI is the use of its own topology and equipment to scale up the network in the shortest time and in the most convenient way. ACI expects the network administrator to focus on creating access policies and procedures; ACI takes care of all the details of configuring and implementing them on the switches, which saves time and expert effort by reducing human error and the organization's TCO. Using the API that ACI exposes to programmers, developers can automate the application of policies in a hierarchical workflow.
In the following, we will review some commonly used ACI terms.
Commonly used ACI terms
- Contract: Controls inbound and outbound access between EPGs (equivalent to a rule definition in a firewall).
- Bridge Domain: Specifies the broadcast domain of an EPG (equivalent to a VLAN definition in the CLI).
- EPG (endpoint group): Groups applications and traffic so that policies can be applied easily (equivalent to an ACL or object definition in the CLI).
- Tenant: Isolates configuration and policies when serving multiple clients. By default, the infra, common and mgmt tenants are defined in ACI.
- APIC (Application Policy Infrastructure Controller): The software that plays the role of controller in ACI and is used to manage and apply policies.
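The contract term above is the security-relevant one: EPGs share nothing until a contract whitelists specific traffic between a consumer and a provider. The following added example (not Cisco code) models that evaluation in Python; the object names echo APIC classes only for readability, and the rules (intra-EPG allowed, consumer initiates towards provider, filters by protocol and port range) are simplifying assumptions.

```python
# Added example (not Cisco code): a minimal model of how ACI contracts act as
# the whitelist between EPGs. Names echo APIC objects (vzFilter, vzBrCP) for
# readability only; the evaluation rules are simplifying assumptions.
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class Filter:
    """One vzFilter-style entry: protocol plus a destination port range."""
    proto: str
    dport_from: int
    dport_to: int

    def matches(self, proto: str, dport: int) -> bool:
        return self.proto == proto and self.dport_from <= dport <= self.dport_to


@dataclass
class Contract:
    """vzBrCP-style contract: consumer EPGs may open sessions to provider EPGs."""
    name: str
    providers: Set[str]
    consumers: Set[str]
    filters: List[Filter] = field(default_factory=list)


def is_permitted(contracts: List[Contract], src_epg: str, dst_epg: str,
                 proto: str, dport: int) -> bool:
    """Zero-trust default: nothing crosses EPG boundaries without a contract."""
    if src_epg == dst_epg:       # intra-EPG traffic is allowed by default
        return True
    return any(src_epg in c.consumers and dst_epg in c.providers
               and any(f.matches(proto, dport) for f in c.filters)
               for c in contracts)


# Constructed sample tenant policy: the web tier may open TCP/8080 to the app
# tier; no contract exists towards the db tier, so that traffic is dropped.
SAMPLE_POLICY = [
    Contract("web-to-app", providers={"app"}, consumers={"web"},
             filters=[Filter("tcp", 8080, 8080)]),
]

if __name__ == "__main__":
    print(is_permitted(SAMPLE_POLICY, "web", "app", "tcp", 8080))  # True
    print(is_permitted(SAMPLE_POLICY, "web", "db", "tcp", 3306))   # False
```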
The licensed ACI uses a Clos topology for communication between its switches, which increases the efficiency and speed of traffic between switches and makes adding equipment for scale-up easier and faster.
Pay attention to the following points when implementing this topology:
- There should be no physical connection between Leaf and Spine switches.
- Connect the leaf switch to the spine switch through an ALE port.
- The APIC is connected to a leaf switch.
The only switches that can be used to implement this design are the Cisco Nexus 9300 and 9500 series; other models, including the 9200, do not support ACI.
With this licensed solution you define the security and infrastructure policies of your network, and APIC applies the appropriate settings and configuration according to the defined policies. APIC can be configured via the web interface, the API, or the CLI.
EPG creation and EPG range determination and communication between created EPGs and… are configured through APIC.
Note that the unavailability of the APIC server does not disrupt the operation of the data center; only changes to policies and access cannot be made while it is down.
How to send traffic in ACI?
In traditional networks, routers use three tables to keep the addresses of the devices connected to them:
- CAM: Stores MAC address information.
- Routing table: Stores IP routing information.
- ARP: Maps between layer 2 and layer 3 addresses.
In the licensed Cisco ACI, this information is stored differently. ACI uses a table called the endpoint local table to hold the information that the MAC address table and the ARP table would otherwise contain.
ACI also learns the addresses of connected devices from the IP and MAC of the packet sender, whereas in traditional networks address learning relied on ARP generated by the host, which produced a lot of traffic and processing.
Leaf switches report the contents of their local endpoint table to the Council Of Oracle Protocol (COOP) database, which resides on the spine switches. As a result, the information for all local endpoints is stored in the database of the spine switches. Because this database is available to the leaf switches, a leaf does not need to hold the information for every endpoint itself.
Leaf switches can get help from the spine switches when they lack the information needed to forward traffic.
To speed up forwarding by keeping records in their own database, leaf switches keep the addresses they interact with most in their table, so that they do not have to use the spine switch database for every lookup.
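The learning and lookup path described in this section, as an added toy simulation in Python (not Cisco code): leaves learn endpoints from the source MAC/IP of data packets, report them to the COOP database on the spines, and consult the spine only when both their local table and their cache of remote endpoints miss. The table layouts and the caching policy are assumptions made for illustration.

```python
# Added example (not Cisco code): a toy simulation of ACI endpoint learning.
# Leaves learn endpoints from the source MAC/IP of data packets, report them to
# the COOP database on the spines, and query that database only on a local miss.
from typing import Dict, NamedTuple, Optional


class Endpoint(NamedTuple):
    mac: str
    ip: str
    leaf: str  # leaf that learned the endpoint locally


class Spine:
    """Holds the COOP database: every endpoint reported by every leaf."""
    def __init__(self) -> None:
        self.coop: Dict[str, Endpoint] = {}

    def report(self, ep: Endpoint) -> None:
        self.coop[ep.ip] = ep

    def lookup(self, ip: str) -> Optional[Endpoint]:
        return self.coop.get(ip)


class Leaf:
    def __init__(self, name: str, spine: Spine) -> None:
        self.name, self.spine = name, spine
        self.local: Dict[str, Endpoint] = {}   # endpoint local table (MAC + IP)
        self.remote: Dict[str, Endpoint] = {}  # cache of remote endpoints in use
        self.spine_queries = 0                 # counts COOP lookups

    def receive(self, src_mac: str, src_ip: str) -> None:
        """Learn from the sender of a data packet (no ARP) and report to spines."""
        ep = Endpoint(src_mac, src_ip, self.name)
        self.local[src_ip] = ep
        self.spine.report(ep)

    def next_hop(self, dst_ip: str) -> Optional[str]:
        """Leaf to forward to; the spine is asked only when both tables miss."""
        if dst_ip in self.local:
            return self.name
        if dst_ip in self.remote:
            return self.remote[dst_ip].leaf
        self.spine_queries += 1
        ep = self.spine.lookup(dst_ip)
        if ep is None:
            return None              # endpoint unknown fabric-wide
        self.remote[dst_ip] = ep     # cache so later traffic skips the spine
        return ep.leaf
```

With a constructed host on leaf2, the first lookup from leaf1 costs one spine query and every later lookup for that host is answered from leaf1's cache.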
Cisco ACI includes the following:
- Software and hardware innovations
- The new Cisco Nexus 9000 series switches
- Integrated physical and virtual infrastructure
- A Cisco Application Virtual Switch (AVS) for the virtual network edge
- An open ecosystem of networking, storage, management and coordination vendors.
- A centralized policy management or Cisco Application Policy Infrastructure Controller (APIC)
Cisco ACI App Center key features
Network optimization through:
- Providing a cloud-ready SDN solution
- Common platform for managing physical and virtual environments
- Centralized network management and visibility with full automation and real-time network health monitoring
- Operational simplicity, shared policies, operational management across applications, network and security resources
- Flexible yet highly available network that allows agile applications to be located in one or more sites, including global sites, without the need for complex infrastructure (Data Center Interconnect (DCI)).
Business protection through:
- Business continuity and recovery from failures
- Creating a secure network with a zero-trust security model and new security features such as micro-segmentation
Spine and Leaf Structure:
The licensed ACI is built on a Clos network with spine and leaf nodes, and every leaf is connected to every spine in the fabric. This design accommodates the increase in east-west traffic caused by the growth of virtual servers on the physical hosts found in modern data centers.