04-15-2016 09:48 AM - edited 03-01-2019 04:56 AM
Hi,
I would like to know what the minimal requirements for an APIC setup are.
In detail:
I already have a running DC with Nexus 55k switches and a lot of VMware ESX servers.
At first I don't need to connect any bare metal servers/load balancers/firewalls to the APIC/ACI infrastructure. Maybe later.
First I would like to do policy based switching controlled by Cisco APIC between VMs inside my VMware ESX landscape. That's it, nothing more.
Correct me if I'm wrong, but I think I don't need any leaf switches for this, right?
I have already read a lot and watched a lot of videos, but it's really hard to find documentation about what's going on under the hood of APIC/ACI.
I already know that I can control the dvSwitch and VTEP interfaces on the ESX hosts from the APIC.
What I don't know is: I have VM a running on ESX a with VTEP a, and I have VM b running on ESX b with VTEP b.
If I push a policy from the APIC which allows communication from VM a to VM b, do the VTEPs already know how to find each other?
- Could VM a send traffic over VTEP a, and VTEP a knows that it needs to send the traffic to VTEP b because it knows that VM b is behind it?
- Does VTEP a itself already know that it's allowed to send traffic to VM b?
Which way is the traffic going, shortest path?
- If ESX a and ESX b are connected to the same Nexus 55k, is the traffic not touching the APIC fabric (N9K spine switches)?
- Or is the traffic running over the APIC Fabric (N9K Spine Switches) to enforce the policy?
ulf
04-15-2016 11:03 AM
First I would like to do policy based switching controlled by Cisco APIC between VMs inside my VMware ESX landscape. That's it, nothing more.
Correct me if I'm wrong, but I think I don't need any leaf switches for this, right?
No, there is no fabric without Leaf/Spine switches. The APICs are a fabric controller that optionally can be integrated with VMware, but it's not a standalone virtual networking controller like I understand you're looking for.
I have already read a lot and watched a lot of videos, but it's really hard to find documentation about what's going on under the hood of APIC/ACI.
What do you want to know specifically? Under the hood we use VXLAN over an IS-IS fabric to provide multipathing and redundancy between any switch nodes. The controllers (APIC) are responsible for managing the logical configuration for the fabric, while the switch nodes resolve this logical policy into a concrete model. The APIC also gathers health analytics from all switch nodes and can apply them to logical applications (rather than physical ports or hardware only). This allows for a health score for logical applications, which are a collection of endpoints (physical or virtual) that exist anywhere within the fabric or integrated solutions. If you have other specific questions, let me know.
What I don't know is: I have VM a running on ESX a with VTEP a, and I have VM b running on ESX b with VTEP b.
If I push a policy from the APIC which allows communication from VM a to VM b, do the VTEPs already know how to find each other?
Policy is "pushed" from the APIC to fabric switches and only enforced on Leaf nodes. The APIC can push logical port groups (EPGs) to vCenter, but there's no inter-EPG communication without that traffic going up to the Leaf for policy validation and back. Only intra-EPG communication is permitted between endpoints in the same PortGroup/EPG on the same host (much like a vSwitch). Another role of the ACI fabric is to know where every connected endpoint exists. If a VTEP doesn't know the location of a specific endpoint, it will get punted to the Spine (which has every endpoint entry) to determine if and where that endpoint exists, and forwards it to the corresponding VTEP.
- Could VM a send traffic over VTEP a, and VTEP a knows that it needs to send the traffic to VTEP b because it knows that VM b is behind it?
See answer above.
- Does VTEP a itself already know that it's allowed to send traffic to VM b?
See answer above. Only intra-EPG traffic is permitted; any inter-EPG (inter-PortGroup) traffic gets forwarded to the connecting leaf for policy validation.
Which way is the traffic going, shortest path?
Yes, a VTEP is usually only ever 1-2 hops away (if you include VMM integration). VTEP (Leaf) == Spine == VTEP (Leaf)
- If ESX a and ESX b are connected to the same Nexus 55k, is the traffic not touching the APIC fabric (N9K spine switches)?
Traffic never flows "through" the APIC. It's just a controller. Policy enforcement and forwarding is done by the switches - mandatory. With VMM integration with the VMware vDS, the ESX hosts need to be directly connected to a Leaf. With VMM integration using the Cisco AVS and VXLAN mode, your ESX hosts can be multiple L2 hops away from the fabric. In this mode direct connections are not required, but the switching fabric is still required.
- Or is the traffic running over the APIC fabric (N9K spine switches) to enforce the policy?
See above answer.
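As an added illustration (not code from this thread or from Cisco), here is a small Python model of the decisions described in this answer: intra-EPG traffic between VMs on one host stays in the vSwitch, everything else goes up to the leaf for contract enforcement, and a remote endpoint the leaf has not learned is resolved through the spine's endpoint table. The VM, host, leaf and EPG names (vm_a, esx_a, leaf1, web/app/db) are made up.

```python
# Toy model of the ACI forwarding and policy decisions described above (constructed
# example, not Cisco/APIC code; the EPG, host, leaf and contract names are made up).
from dataclasses import dataclass, field

@dataclass
class Endpoint:
    epg: str    # endpoint group, pushed to vCenter as a port group
    host: str   # ESX host whose vSwitch carries the VM
    leaf: str   # leaf (VTEP) the host is attached to

@dataclass
class Fabric:
    endpoints: dict[str, Endpoint]   # global endpoint table as held by the spines
    contracts: set[frozenset]        # EPG pairs allowed to talk, e.g. {"web", "app"}
    learned: dict[str, dict[str, str]] = field(default_factory=dict)  # leaf -> {ep: leaf}

    def forward(self, src_name: str, dst_name: str) -> tuple[bool, list[str]]:
        """Return (allowed, hops) for one frame from src to dst."""
        src = self.endpoints[src_name]
        dst = self.endpoints.get(dst_name)
        hops = [src.host]
        # Intra-EPG on the same host stays in the vSwitch; the leaf never sees it.
        if dst and dst.epg == src.epg and dst.host == src.host:
            return True, hops + [dst.host]
        # Everything else goes up to the connected leaf, where policy is enforced.
        hops.append(src.leaf)
        if dst is None:
            return False, hops + ["drop: unknown endpoint"]
        if dst.epg != src.epg and frozenset({src.epg, dst.epg}) not in self.contracts:
            return False, hops + ["drop: no contract"]
        if dst.leaf == src.leaf:  # destination attached to this same leaf
            return True, hops + [dst.host]
        # Remote endpoint: a location the leaf has not learned is resolved by the spine
        # (which holds every entry) and cached; later frames just transit the spine.
        cache = self.learned.setdefault(src.leaf, {})
        if dst_name not in cache:
            cache[dst_name] = dst.leaf
            hops.append("spine (endpoint lookup)")
        else:
            hops.append("spine")
        return True, hops + [dst.leaf, dst.host]

def demo() -> Fabric:
    """Two ESX hosts on two leaves; only web<->app traffic is allowed by contract."""
    eps = {"vm_a": Endpoint("web", "esx_a", "leaf1"), "vm_c": Endpoint("web", "esx_a", "leaf1"),
           "vm_b": Endpoint("app", "esx_b", "leaf2"), "vm_d": Endpoint("db", "esx_b", "leaf2")}
    return Fabric(endpoints=eps, contracts={frozenset({"web", "app"})})
```

Calling `demo().forward("vm_a", "vm_b")` twice shows the first frame taking the spine lookup and the second only transiting the spine, while `vm_a` to `vm_d` is dropped at leaf1 for lack of a contract.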
04-15-2016 10:45 AM
Hello
Thanks for using SupportForums
I would first like to point out that the ACI solution requires all the pieces. APIC, Leafs and Spines. You will not be able to do any VMM integration and policy between your vCenter port groups without a leaf.
The leaf is the switch that applies policy. Typically a Nexus 9300 series.
We can get into the VTEP discussion if you really want, but keep in mind the VTEPs reference leafs. Even if you have the AVS (Application Virtual Switch) on the ESXi hosts, you still need a physical leaf.
The Nexus 5500 is not part of the ACI Fabric that can be managed by the APICs.
What other questions do you have?
04-19-2016 11:38 AM
Hi,
First, thanks for your answers.
The question is: if I only have an APIC and a spine switch with lots of ESX hosts at the end that are capable of handling VTEPs, do we still need leaf switches to operate VXLANs in our data center, which would mean replacing hundreds of access switches?
Thanks,
ulf
04-19-2016 11:43 AM
Yes. In ACI mode, Spines only connect to Leaf switches and hosts connect to leafs. It's basic Clos architecture. You can slowly migrate your legacy hosts to ACI, and run both in tandem uninterrupted while doing so, but the fabric of Leaf and Spine switches is required.
Robert