
Cisco ACI Notes

This is a collection of my Cisco ACI notes during my studies.

  • A packet in the fabric is encapsulated within a UDP datagram
  • VXLAN in the ACI fabric is different from the standard VXLAN
  • VXLAN offers 16 million subnets. Each segment is identified by a VNI (VXLAN Network Identifier).
  • A VNI defines a L2 broadcast segment or a L3 context
  • Unknown unicast traffic is handled in two ways:
    • flood
    • Hardware Proxy: unknown unicast frames are forwarded to the spines, where the addresses are looked up. If there is no match in the table, the frames are dropped.
  • ARP traffic in the ACI fabric is handled in two ways:
    • flood: MAC addresses are learned from the L2 traffic
    • Unicast routing: MAC addresses are learned from L2 traffic and IP addresses are learned from L3 traffic
  • Unknown multicast traffic is multicast traffic that crosses the ACI fabric without an IGMP Join message.
  • VLAN allocation in APIC is either static or dynamic. Dynamic allocation is recommended.
  • To be able to logically connect a physical server to the ACI fabric you need to configure a Physical Domain on APIC
  • To be able to logically connect a virtualized server to the ACI fabric you need to configure a VMM Domain on APIC.
  • Physical Domain:
    • connects a physical external entity to the fabric
    • Cisco recommends one physical domain when connecting the ACI fabric to an external network
  • Virtual Domain:
    • connects a virtualized server to the fabric.
    • is configured on APIC as a VMM Domain.
  • Both Physical and Virtual Domains require VLAN pool(s) each.
  • One difference between virtual and physical Domains: a physical Domain does not use a virtual machine manager.
  • The VMM Domain
    • connects a Virtual Machine Manager such as VMware vCenter to APIC.
    • once you create a VMM Domain on APIC, a virtual switch is created on the virtualized server.
    • must be assigned a VLAN pool. The VLAN pool provides the VLAN IDs that are assigned dynamically, for example to port groups in the case of VMware integration with ACI.
  • When a physical server connects to the ACI fabric, configure static VLAN mapping.
  • When a virtualized server connects to the ACI fabric, use dynamic VLAN allocation.
  • Physical workload generates traffic from a physical server
  • Virtual workload generates traffic from a virtual machine
  • An external entity (router, switch, server…) is attached to the ACI fabric through:
    • one port
    • vPC
    • Port Channel
  • AEP is required for attaching the external entity to the fabric.
  • AEP: Attach Entity Profile
    • links an infrastructure policy group to fabric interface(s), where an external entity connects. External entities with similar infrastructure policy requirements should be assigned the same AEP.
    • encapsulates one or more Domains.
  • Infrastructure administrator vs tenant administrator
    • Infrastructure administrator manages and controls VLAN namespaces for all tenants
    • A tenant administrator has access limited to the tenants they are allowed and those tenants' resources.
  • NTP must be configured and synchronized on APIC and all fabric nodes.
  • New nodes being added to the fabric are automatically discovered by APIC through LLDP. As soon as they show up in the APIC GUI you can admit them or block them from joining the fabric, based on their serial numbers.
  • New fabric nodes send DHCP requests. APIC answers them.
  • APIC sends TEP addresses to the new leafs
  • image management occurs on the APIC, which supports TFTP
  • in ACI there is no need to:
    • configure loopback addresses on new switches
    • configure IGP protocol and neighborships
    • configure custom routing timers
    • configure list of allowed VLANs on trunks.
  • Giving lower numerical IDs to the spines is recommended. The subsequent higher IDs should be reserved for the leafs.
  • All fabric nodes and APICs should be connected to an OOB network for management purposes.
  • Access to leaf switches through console cable is possible but offers only read capabilities.
  • Switches in a Pod share the same VTEP prefix
  • APIC automatically creates an Infrastructure VRF to communicate with fabric switches
  • Management of the fabric can be performed also using an external management station connected to the fabric on tenant “mgmt”. In this scenario you must:
    • configure a VLAN Pool, an AEP and a physical domain
    • assign the VLAN Pool to the domain
    • encapsulate the domain under the AEP
  • Provisioning a switch port in traditional networks is completely different from the ACI world:
    • in a traditional switch you configure interfaces separately
    • in ACI, you configure many constructs and objects first, such as domain, AEP, VLAN Pool, Switch Profile, Interface Profile… which may seem a burden at first. But its power lies in its flexibility and extensibility. For example, if you want to add an interface with a configuration similar to a previous one, simply add it to the Interface Profile.
  • an Application in the ACI model is not a virtual/physical machine, but the combination of:
    • workloads, either physical or virtual
    • L2 – L7 policies: VLANs, subnets, L4 ports, ACL, QoS policies, filtering policies, load balancing policies,…
  • An ACI fabric contains 2 to 6 spines (2, 4 or 6).
  • ACI fabric operates on a whitelist model: no communication is allowed unless specified.
  • Frames in ACI are routed, but the L2 switching semantics are preserved.
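The notes above describe a chain of access-policy objects that must line up before anything can attach to the fabric: a VLAN pool is assigned to a domain, a physical domain goes with static allocation and a VMM domain with dynamic allocation, one or more domains are encapsulated by an AEP, and an interface policy group references that AEP. The following script is an added example (my own illustration, not Cisco or APIC code): it models that chain with a deliberately simplified, assumed set of object names and checks a constructed sample fabric against the rules stated in the notes, including the recommendation that spines get lower node IDs than leafs and that a fabric has 2, 4 or 6 spines. Field and class names here are assumptions for the illustration, not APIC object classes.

```python
"""Consistency checks for the ACI access-policy chain described in the notes.

Added illustration only: the object model below (VlanPool, Domain, Aep, Fabric)
is an assumed simplification, not the APIC object model or REST API.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

VLAN_MIN, VLAN_MAX = 1, 4094


@dataclass
class VlanPool:
    name: str
    alloc_mode: str                    # "static" or "dynamic"
    blocks: List[Tuple[int, int]]      # inclusive (from, to) encap blocks


@dataclass
class Domain:
    name: str
    kind: str                          # "physical" or "vmm"
    vlan_pool: str                     # name of the pool assigned to the domain


@dataclass
class Aep:
    name: str
    domains: List[str] = field(default_factory=list)   # domains the AEP encapsulates


@dataclass
class Fabric:
    pools: Dict[str, VlanPool]
    domains: Dict[str, Domain]
    aeps: Dict[str, Aep]
    policy_group_aep: Dict[str, str]   # interface policy group -> AEP it uses
    nodes: Dict[int, str]              # node id -> "spine" or "leaf"


def validate(fab: Fabric) -> List[str]:
    """Return a list of findings; an empty list means the chain is consistent."""
    findings: List[str] = []

    # VLAN pools: known allocation mode, blocks inside 1-4094, no overlaps.
    for p in fab.pools.values():
        if p.alloc_mode not in ("static", "dynamic"):
            findings.append(f"pool {p.name}: unknown allocation mode {p.alloc_mode!r}")
        spans = sorted(p.blocks)
        for lo, hi in spans:
            if not (VLAN_MIN <= lo <= hi <= VLAN_MAX):
                findings.append(f"pool {p.name}: encap block {lo}-{hi} outside {VLAN_MIN}-{VLAN_MAX}")
        for (_, prev_hi), (lo, _) in zip(spans, spans[1:]):
            if lo <= prev_hi:
                findings.append(f"pool {p.name}: overlapping encap blocks at VLAN {lo}")

    # Domains: every domain needs a pool; physical -> static, VMM -> dynamic.
    expected_mode = {"physical": "static", "vmm": "dynamic"}
    for d in fab.domains.values():
        pool = fab.pools.get(d.vlan_pool)
        if pool is None:
            findings.append(f"domain {d.name}: no VLAN pool assigned")
            continue
        want = expected_mode.get(d.kind)
        if want is None:
            findings.append(f"domain {d.name}: unknown domain kind {d.kind!r}")
        elif pool.alloc_mode != want:
            findings.append(f"domain {d.name}: {d.kind} domain should use a {want} pool, got {pool.alloc_mode}")

    # AEPs: each encapsulates at least one existing domain; a domain under no AEP is unusable.
    encapsulated = set()
    for a in fab.aeps.values():
        if not a.domains:
            findings.append(f"AEP {a.name}: encapsulates no domain")
        for name in a.domains:
            if name not in fab.domains:
                findings.append(f"AEP {a.name}: references unknown domain {name}")
            encapsulated.add(name)
    for name in fab.domains:
        if name not in encapsulated:
            findings.append(f"domain {name}: not encapsulated by any AEP, no external entity can attach through it")

    # Interface policy groups must point at an existing AEP.
    for pg, aep in fab.policy_group_aep.items():
        if aep not in fab.aeps:
            findings.append(f"policy group {pg}: references unknown AEP {aep}")

    # Node IDs: spines numbered below leafs; 2, 4 or 6 spines.
    spines = [i for i, r in fab.nodes.items() if r == "spine"]
    leafs = [i for i, r in fab.nodes.items() if r == "leaf"]
    if spines and leafs and max(spines) >= min(leafs):
        findings.append(f"fabric: spine id {max(spines)} is not below lowest leaf id {min(leafs)}")
    if len(spines) not in (2, 4, 6):
        findings.append(f"fabric: {len(spines)} spines, expected 2, 4 or 6")
    return findings


def sample_fabric() -> Fabric:
    """Constructed sample (not a real fabric) with two deliberate mistakes."""
    return Fabric(
        pools={
            "pool-phys": VlanPool("pool-phys", "static", [(100, 199), (300, 399)]),
            "pool-vmm": VlanPool("pool-vmm", "static", [(1000, 1099)]),  # wrong mode for a VMM domain
        },
        domains={
            "phys-dom": Domain("phys-dom", "physical", "pool-phys"),
            "vcenter-dom": Domain("vcenter-dom", "vmm", "pool-vmm"),
            "orphan-dom": Domain("orphan-dom", "physical", "pool-phys"),  # never placed under an AEP
        },
        aeps={"aep-servers": Aep("aep-servers", ["phys-dom", "vcenter-dom"])},
        policy_group_aep={"pg-server-vpc": "aep-servers"},
        nodes={101: "spine", 102: "spine", 201: "leaf", 202: "leaf"},
    )


if __name__ == "__main__":
    for line in validate(sample_fabric()) or ["no findings"]:
        print(line)
```

Running the script reports the two planted problems: the VMM domain sits on a static pool, and `orphan-dom` is not encapsulated by any AEP, so nothing can attach through it. Switching the pool to dynamic and adding the domain to the AEP clears both findings; the same check style extends naturally to overlapping encap blocks, which is the typical cause of conflicting VLAN assignments across pools.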
