A network in an ACI factory is similar to a traditional hierarchical model, but it is much simpler to build. To organize the network, the Leaf-Spine model is used, which has become a generally accepted approach for implementing next-generation networks. This model consists of two levels: Spine and Leaf, respectively.
The Spine level is only responsible for performance. The overall performance of the Spine switches is equal to the performance of the entire factory, therefore, switches with ports 40G or higher should be used at this level.
Spine switches connect to all the next level switches: Leaf switches to which end hosts connect. The main role of Leaf switches is port capacity cybersecurity architect.
Thus, scaling issues are easily resolved: if we need to increase the throughput of the factory, we add Spine switches, and if we need to increase the port capacity - Leaf.
For both levels, the Cisco Nexus 9000 series switches are used, which for Cisco are the main tool for building data center networks regardless of their architecture. For the Spine level, Nexus 9300 or Nexus 9500 switches are used, and for the Leaf only Nexus 9300
switches are used. The lineup of Nexus switches used in the ACI factory is shown in the figure below.
Cluster of APIC controllers (Application Policy Infrastructure Controller)
APIC controllers are specialized physical servers, and for small deployments it is allowed to use a cluster of one physical APIC controller and two virtual ones.
APIC controllers provide management and monitoring functions. It is important that the controllers never participate in the data transfer, that is, even if all the cluster controllers fail, then this will not affect the stability of the network. It should also be noted that with the help of APICs, the administrator manages absolutely all the physical and logical resources of the factory, and in order to make any changes, it is no longer necessary to connect to a particular device, since the ACI uses a single control point.
Now let's move on to one of the main components of ACI - application profiles.
An Application Network Profile is the logical foundation of ACI. It is application profiles that determine the interaction policies between all network segments and directly describe the network segments themselves. ANP allows you to abstract from the physical layer and, in fact, imagine how to organize the interaction between different segments of the network from the point of view of the application.
An application profile consists of End-point groups (EPGs). A connection group is a logical group of hosts (virtual machines, physical servers, containers, etc.) that are in the same security segment (not a network, namely security). End hosts that belong to a particular EPG can be determined by a large number of criteria. The following are commonly used:
Physical port
Logical port (port-group on the virtual switch)
VLAN ID or VXLAN
IP address or IP subnet
Server attributes (name, location, OS version, etc.)
The Spine level is only responsible for performance. The overall performance of the Spine switches is equal to the performance of the entire factory, therefore, switches with ports 40G or higher should be used at this level.
Spine switches connect to all the next level switches: Leaf switches to which end hosts connect. The main role of Leaf switches is port capacity cybersecurity architect.
Thus, scaling issues are easily resolved: if we need to increase the throughput of the factory, we add Spine switches, and if we need to increase the port capacity - Leaf.
For both levels, the Cisco Nexus 9000 series switches are used, which for Cisco are the main tool for building data center networks regardless of their architecture. For the Spine level, Nexus 9300 or Nexus 9500 switches are used, and for the Leaf only Nexus 9300
switches are used. The lineup of Nexus switches used in the ACI factory is shown in the figure below.
Cluster of APIC controllers (Application Policy Infrastructure Controller)
APIC controllers are specialized physical servers, and for small deployments it is allowed to use a cluster of one physical APIC controller and two virtual ones.
APIC controllers provide management and monitoring functions. It is important that the controllers never participate in the data transfer, that is, even if all the cluster controllers fail, then this will not affect the stability of the network. It should also be noted that with the help of APICs, the administrator manages absolutely all the physical and logical resources of the factory, and in order to make any changes, it is no longer necessary to connect to a particular device, since the ACI uses a single control point.
Now let's move on to one of the main components of ACI - application profiles.
An Application Network Profile is the logical foundation of ACI. It is application profiles that determine the interaction policies between all network segments and directly describe the network segments themselves. ANP allows you to abstract from the physical layer and, in fact, imagine how to organize the interaction between different segments of the network from the point of view of the application.
An application profile consists of End-point groups (EPGs). A connection group is a logical group of hosts (virtual machines, physical servers, containers, etc.) that are in the same security segment (not a network, namely security). End hosts that belong to a particular EPG can be determined by a large number of criteria. The following are commonly used:
Physical port
Logical port (port-group on the virtual switch)
VLAN ID or VXLAN
IP address or IP subnet
Server attributes (name, location, OS version, etc.)
No comments:
Post a Comment