ACI Basics

So far, this is what I know of ACI that I would like to share with you:
 
Architecture
> ACI is composed of Nexus 9K switches.
> The APIC (controller) is a UCS-based appliance.
> A Nexus 9K can operate either in ACI mode or in NX-OS mode (switching modes requires a reboot).
> Spines are roughly the equivalent of core switches.
> Leafs are roughly the equivalent of access/distribution switches.
> Spines never connect to each other.
> Leafs never connect to each other.
> 40G uplinks over QSFP are used in ACI.
> The APIC controller attaches to one or more leaf switches.
 
L2 Facts
> You can do vPC in ACI, similar to NX-OS.
> There is no Spanning-tree in ACI because there is no need to.
> A bridge domain is roughly like a collision domain.
> VLANs are still present in ACI for grouping purposes.
 
L3 Facts
> Internally, ACI runs MP-BGP, IS-IS and VXLAN to switch and route inside and outside the ACI domain.
 
Policy
> Contracts = Policy/Access-list
> Same EPG = Can talk to each other without contracts
> Without contracts, any 2 nodes in different EPGs will not be able to talk to each other, even if they are in the same subnet or same VLAN.
> Filters = ACEs (access control list entries)
> Contracts = collection of filters
> Contract scope can be context, application profile, or tenant.
> Contract scope defines where the contract can be applied (e.g. scope = context means the contract can only be used within a VRF).
 
Components:
> Tenants = VDC (contains 1 or more Private networks)
> Private Networks = VRFs = Contexts (contains 1 or more App Profiles)
> Application Profile - The combination of EPGs and the policies that define their interaction (Contains one or more EPGs/Contracts)
> EPG - End Point Group (collection of end points)
> Bridge Domain - Collision domain
> Subnets - created inside a Bridge Domain (defines a gateway)
> End Point - Server
 
Fun new features:
> IGPs can turn on or off an option called "Enforced/Unenforced".
> Enforced (default) - contracts will be enforced.
> Unenforced - contracts will not be enforced within this Private network, meaning EPGs will not need contracts to communicate with other EPGs.
> ARP Flooding is not needed in ACI (disabled by default, but it can be turned on if some application needs it), as the fabric knows the location of all hosts.
> Unknown Multicast Flooding - can be tuned to Flood to all ports, or "Optimized Flood", which means flooding only to known multicast receivers.
> L2 Unknown Unicast - (Hardware Proxy by default) can be set to Flood (legacy behaviour) if needed.
> Unicast Routing - (enabled by default) needed when routing between bridge domains is required.
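The default-deny rules from the Policy section, the tenant/VRF/application-profile/EPG hierarchy from Components, and the Enforced/Unenforced option above, worked through as a small Python model. This is an added example, not the page's own material, Cisco code or the APIC API; the consumer/provider relationship between EPGs and the reduction of a filter to protocol plus destination port are assumed simplifications, and all EPG and contract names are constructed.

```python
# Constructed model of the ACI contract whitelist; not Cisco code or the APIC API.
from dataclasses import dataclass, field

@dataclass
class Filter:              # one filter entry = one ACE (reduced to proto + dport)
    proto: str
    dport: int

@dataclass
class Contract:            # contract = collection of filters plus a scope
    name: str
    scope: str             # "context", "application-profile" or "tenant"
    filters: list = field(default_factory=list)

@dataclass
class EPG:
    name: str
    tenant: str
    vrf: str               # Private network / context
    app_profile: str
    provides: set = field(default_factory=set)   # contracts this EPG provides
    consumes: set = field(default_factory=set)   # contracts this EPG consumes

def contract_in_scope(c, src, dst):
    """Scope limits where a contract may be applied (scope = context -> one VRF only)."""
    if c.scope == "context":
        return src.vrf == dst.vrf
    if c.scope == "application-profile":
        return src.vrf == dst.vrf and src.app_profile == dst.app_profile
    return src.tenant == dst.tenant                # "tenant"

def allowed(src, dst, proto, dport, contracts, unenforced_vrfs=frozenset()):
    """True if an endpoint in src may open proto/dport to an endpoint in dst."""
    if src.name == dst.name:                       # same EPG: no contract needed
        return True
    if src.vrf == dst.vrf and src.vrf in unenforced_vrfs:
        return True                                # Private network set to Unenforced
    for cname in src.consumes & dst.provides:      # default deny unless a contract matches
        c = contracts[cname]
        if contract_in_scope(c, src, dst) and any(
                f.proto == proto and f.dport == dport for f in c.filters):
            return True
    return False                                   # same subnet or VLAN does not matter

# Constructed sample: web consumes app-svc from app; db provides it from another VRF.
CONTRACTS = {"app-svc": Contract("app-svc", "context", [Filter("tcp", 8080)])}
WEB = EPG("web", "prod", "vrf1", "ap1", consumes={"app-svc"})
APP = EPG("app", "prod", "vrf1", "ap1", provides={"app-svc"})
DB = EPG("db", "prod", "vrf2", "ap1", provides={"app-svc"})
```

Running `allowed(WEB, APP, "tcp", 8080, CONTRACTS)` returns True, while the same request towards DB returns False because the contract's context scope does not reach across VRFs.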
 
Subnets:
> Anycast gateway
> Present on every leaf node (equivalent to an SVI, but on all nodes)
> Scope: Shared, Public or Private (more than one can be checked)
> Shared - can be used in other tenants, or contexts (vrf route-leaking)
> Public - can be advertised to external network (OSPF, BGP)
> Private - cannot be advertised to external network
 
Access Policies:
> When deploying a host/server, we need to define a VLAN, a leaf node, and an interface/port.
> VLAN/VLAN Pool creation:
Static VLAN allocation mode should be used if the VLAN pool in question will be used for bare metal hosts or other non-virtualised devices. Later, when we create EPGs, we will manually assign a VLAN from the static pool to the EPG and port.
Dynamic allocation mode is used when connecting VMs into the fabric, specifically when using VMM integration with the hypervisor management system. In that case, a VLAN will be dynamically assigned to the port group that gets created on the Distributed Virtual Switch. I’ll cover this in more detail in a future post.

> Domain - defines the ‘scope’ of a VLAN pool, i.e. where that pool will be applied. A domain can be physical, virtual, or external (either bridged or routed).

> AAEP (Attachable Access Entity Profile) - groups together multiple domains that may need to be associated with an interface.