Cisco ACI, from theoretical advantages to concrete benefits
Jan. 2020

 

More and more Data Centers are adopting the Cisco ACI solution for its ability to manage geographically distributed data centers, Disaster Recovery sites, and Cloud infrastructures in a unified and efficient way. To help companies that deal with these requirements, Datanet Systems and Cisco Romania held, on the 16th of January, 2020, a workshop entitled “Practical perspective on Cisco ACI – applications, benefits, demonstrations”.

 

ACI, the result of technological evolution

Spanning Tree, vPC, FabricPath and VXLAN are stages in the technological evolution of the Cisco ACI solution.

“Currently, the main problem is not that we use Spanning Tree, vPC or VXLAN, but that we make many manual changes. Also, although we have policies and rules, we are unable to abide by them due to constantly occurring changes. All these issues have a major impact on the efficiency of the network and its security, but especially on the operational efficiency. When you make 50 manual changes and it lasts a week, it is difficult to have operational speed. Nor is it safe, given that 22% of all network incidents are caused by human error,” explained George Boulescu, Cisco Systems Consulting Engineer at the event.

Simplifying operations in the datacenter

One of the strengths of Cisco ACI is that it eliminates these challenges by introducing a single management point for the entire network.

“All network changes are made from APIC, Application Policy Infrastructure Controller. Thus, it is no longer necessary to access each switch separately to configure a link, for example. Everything is done from the controller, which is redundant, the cluster configuration being at least three devices. Also, even if the controller fails, the network will not shut down because APIC is never in traffic. In addition, ACI technology is built to provide security by default. The ACI fabric, unlike a traditional network, operates according to a “whitelist” model. This means that each data stream must be allowed through the network for it to work,” said the Cisco specialist.

ACI technology provides operational benefits through automation, as well as increased scalability and agility across the entire network.

 

Practically demonstrated advantages of Cisco technology

The concrete gains that Cisco ACI provides have been exemplified by a series of practical demonstrations made by Sergiu Daniluk, ACI Solution Engineer at Datanet Systems.

At the beginning of the session, the Datanet specialist illustrated the efficiency of working with the ACI solution in day-to-day datacenter operations. One of the detailed examples was how to define and use network policies.

“By a policy we define a specific configuration function, and by grouping them we obtain a Policy Group. In turn, these Policy Groups can be applied to an Interface Profile, which defines a single interface or a group of interfaces. The same procedure also applies to switches – definition, grouping (Switch Policy Group) and application to switch profiles. In this case, policies include specific protocols, and the group defines the types of equipment used in the network.

“The benefits of the Cisco ACI configuration model are immediate. For example, if we want to configure a NetFlow protocol on 100 leaves, it is sufficient to define a single policy on a single leaf and apply it to the profile of the other 99. We also act similarly when we want to activate a specific protocol on a subset of interfaces.

“Another advantage is that, if one of the switches has to be replaced, the operation is carried out simply and quickly, because there is already a correlation between the leaf and the profile that is to be applied. The administrator no longer has to intervene when the switch appears on the network, because APIC already knows what configuration the respective switch must have and automatically applies it”, explained Sergiu Daniluk.

Other elements introduced by Cisco ACI that contribute to the efficiency of day-to-day datacenter operations, and that were presented during the workshop, are:

  • endpoint groups (EPGs);
  • the concepts of Bridge Domain (BD) and Contract;
  • Tenant groups (which include all the BDs and VRFs defined in the network).

Proactivity and automation

Another area of functionality in which Cisco ACI improves the efficiency of operations is monitoring and troubleshooting in the datacenter.

The solution provides detailed visibility into its mode of operation and allows administrators to quickly detect problems and potential risks in the network. To this end, Cisco ACI provides an extensive suite of monitoring tools. For example, System Health delivers information about the overall performance of the network and the status of the equipment and tenant groups. Faults, in turn, signal configuration problems, grouped by domains, types of errors, etc.

Cisco ACI also provides a number of tools for proactive problem identification. Examples are Atomic Counters, which count the data packets transmitted in order to detect where loss occurs, and the Capacity Dashboard, which offers a detailed view of the network in terms of software and hardware resource consumption.

A number of third-party applications integrated with APIC, such as those developed by Cisco (ELAM Assistant, Network Insights or Network Assurance Engine), can also be installed within the ACI solution. More such applications are available on the Cisco DC App Center page.

To facilitate automation, Cisco ACI supports several programming options (Python, Ansible, Puppet) and was designed on the “API first” model. This allows an extensive range of operations to be automated, reducing both the duration of operations and the number of human errors. You can find more resources in this area on the ACI Programmability page.

 

Native security features

Another advantage of Cisco ACI is that it allows the segmentation of data traffic routes, both at the network and at the endpoint level.

“By default, if no contract is set up between EPGs, they will not communicate with each other. By grouping the equipment into different EPGs, even if they are in the same subnet, they do not communicate by default. By an additional policy that regulates the communication between endpoints in the same group, micro-segmentation can be done. Basically, we have only one broadcast domain, but the communication is only between the endpoints selected by the network administrator”, explained Sergiu Daniluk.

The Datanet specialist also showed how dynamic segmentation rules can be created. In the event of a security alert for a certain operating system version, the virtual machines running that version can be segmented by automatically attaching a tag. Based on the tag, the affected VMs are automatically moved to a micro-EPG with a special security policy. Similarly, if a security system signals a compromised endpoint, assigning it a specific tag moves it automatically to a restricted-access EPG.
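The allowlist behaviour and tag-driven quarantine described in this section can be followed in a small Python model. This is an added example, not Cisco or Datanet code and not APIC's object model or API. The class names, EPG names, tag name and addresses are constructed, and the model assumes that traffic inside one EPG is open unless isolation is enforced for that EPG.

```python
from dataclasses import dataclass, field

@dataclass
class Endpoint:
    name: str
    ip: str
    epg: str                      # base EPG assigned by the administrator
    tags: set = field(default_factory=set)

class Fabric:
    """Toy allowlist model (hypothetical names; not APIC's object model)."""
    def __init__(self):
        self.contracts = set()    # (consumer EPG, provider EPG, dst port)
        self.isolated = set()     # EPGs with intra-EPG isolation enforced
        self.tag_rules = {}       # tag -> micro-EPG that overrides the base EPG

    def classify(self, ep):
        # A matching tag moves the endpoint into the micro-EPG.
        for tag in sorted(ep.tags):
            if tag in self.tag_rules:
                return self.tag_rules[tag]
        return ep.epg

    def permits(self, src, dst, port):
        s, d = self.classify(src), self.classify(dst)
        if s == d:                # same group: open unless isolation is enforced
            return s not in self.isolated
        return (s, d, port) in self.contracts   # different groups: contract needed

def demo():
    # Constructed sample: three endpoints in one subnet, split across two EPGs.
    web1 = Endpoint("web1", "10.0.0.11", "web")
    web2 = Endpoint("web2", "10.0.0.12", "web")
    db1 = Endpoint("db1", "10.0.0.21", "db")
    f = Fabric()
    f.contracts.add(("web", "db", 3306))    # the only allowed inter-EPG flow
    f.tag_rules["vulnerable-os"] = "quarantine"
    f.isolated.add("quarantine")
    before = [f.permits(web1, db1, 3306), f.permits(web1, db1, 22),
              f.permits(db1, web1, 3306), f.permits(web2, db1, 3306)]
    web2.tags.add("vulnerable-os")          # a security alert tags the VM
    after = [f.permits(web2, db1, 3306), f.permits(web1, web2, 80),
             f.classify(web2)]
    return before, after

if __name__ == "__main__":
    print(demo())
```

The IP addresses play no part in the decision: sharing a subnet grants nothing, and once the tag is attached the VM loses both its contract to the database and its open communication with its former EPG peers.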

 

Flexible implementation scenarios

Another aspect covered during the workshop was the use of Cisco ACI for the unified management of the networks in several data centers. ACI Multi-Pod uses a single cluster of APICs for the management of two or more Pods (maximum 12).

ACI Multi-Site is a similar approach, in which two or more sites (each with its own cluster of APICs) are interconnected, but a modification made to one site does not automatically propagate to the second one; management is done through dedicated virtual equipment, the Multi-Site Orchestrator. ACI Multi-Site is a useful scenario when managing a Data Center and its related Disaster Recovery site, when the network has reached the limit of scalability (in terms of leaf number), or when we want to connect the on-premises network with public Cloud environments.

Also, Cisco ACI allows simultaneous use of Multi-Site and Multi-Pod configurations.

To find out more information about specific ways to use it, please read the Cisco ACI Case Study at Raiffeisen Bank Romania.

For additional information on the Cisco ACI solution or for product evaluations, please contact us by email at sales@datanets.ro.