63. Describe Resolution & Deployment immediacy
So let’s try to understand resolution immediacy, deployment immediacy, and the other factors related to this in the lab. You will see in the next section (that’s 4.3) what the key concept is, and I have the diagram as well, so from there you will understand it 100%. The key concept here is that we have two different terms. Resolution immediacy deals with the VRF, bridge domain, and SVI that are pushed to the leaf nodes. So that’s one term: when we are creating these objects, obviously we are creating them on the APIC, and then the APIC is pushing them to the leaf nodes. At that time we have various options, and one option in resolution immediacy is immediate. The next term is related to when you are creating the contract, which again is the agreement between the consumer and the provider: how and when it will go and program those contracts into the actual hardware. Correct? So that is where deployment immediacy comes into the picture, and you can see here clearly that it may be a domain related to VMs, applicable to the VMM domain, or a set of VLANs mapped to a set of leaf switches and associated ports. Correct? So let’s learn these terms one by one. And again I have some diagrams as well, from which you can understand it easily.
Again, we have one other term as well, and that’s pre-provisioning, and at the moment we are talking about resolution immediacy. So, resolution immediacy with respect to pre-provisioning: remember, resolution immediacy belongs to the VRF, bridge domain, SVI, et cetera. Okay? When you have the pre-provisioning option, that means the VRF, bridge domain, SVI, and EPG VLAN-to-BD mapping are configured on the leaf nodes based on where the domain is attached, and again, as the name suggests, this is pre-provisioning. So you have your preset of rules for the leaf switch for which you are writing the rules. Now, the next two terms are immediate and on demand. Again, this is with respect to resolution immediacy, that is, with respect to the VRF, BD, SVI, et cetera. So, immediate and on demand. You’ll find that these are actually the two popular options, and in the upcoming lab what I will do is go and choose the immediate option, meaning at the moment you go and create the rules or policy, it will go and push those to the leaf, to the actual hardware. Correct? Now let me quickly show you the diagram here, and from the diagram it will be very easy to understand. So first of all, if you have resolution immediacy with respect to on demand, what does it mean? On demand means that your VM has been placed. So whatever VM you have, you can see in the diagram that it is placed into the EPG; EPG equals port group, as we know from our earlier knowledge.
So at the moment you go and associate the VM with the EPG, then second, the policies are downloaded on demand to the leaf switch or virtual switch. Now let me explain this to you a little more. So on demand means, again, that the policies related to the VRF, bridge domain, SVIs, and EPG VLAN mappings are configured on the leaf switch only when a hypervisor connected to this leaf switch is connected to a virtual switch managed by the APIC. Correct? So what does it mean? Again, I’ll go back to the diagram. It means that, in very straight terms, it is applicable when you have the VM associated with the port group or EPG. Correct. So that’s on demand; what about immediate? As the name suggests, at the moment you go and create all these constructs, all these objects, and here you can see the condition: the hypervisor is attached to the distributed virtual switch. You may have different types of hypervisor, as we know, whether it’s VMware, Microsoft, et cetera. So at the moment the hypervisor gets attached to the distributed virtual switch, the policies get downloaded to the physical leaf or the virtual leaf. Great.
So that’s the term here. It is very easy to understand when we are talking about resolution immediacy: pre-provisioning means you are mapping it beforehand; immediate means that your hypervisor gets associated with the distributed virtual switch, or DVS; and on demand goes further and is more granular, meaning that when you have the VM attached, you can see that the VM is attached to the EPG or the port group. Great. The next topic we have is related to deployment immediacy, that is, the contracts and the filters, or in other words the policies and the ACLs, and for that you need the TCAM memory, where they will actually be written. So again you have two options. Immediate means at the moment you go and create the policy, at the moment you go and create the contract, it will go and write those policies or contracts to the hardware. On demand means, as you can see in the warning (let me highlight it), as soon as the first data-plane packet reaches the switch. I have the table here as well; just for reference, you can pause the recording and check the table, this and this. But let me quickly show you in the diagram how it will be.
So immediate means, what are the conditions? The policy is downloaded into the physical leaf software, and immediate means the policy is programmed in hardware: you create the policy at the level of the APIC, it will be downloaded, actually written, to the switch, and then programmed inside the hardware. Correct? What about on demand? There is a slight variation, and this is the granular thing. First of all, the policy is downloaded into the switch software, whatever physical leaf or virtual switch we have. And then the policy is programmed in the hardware upon first packet arrival, that is, when it is seen via the first data-plane packet. All right, so from the diagram you can easily understand it. And then I have a summary of all those things that we have studied. So here you can see that we have deployment immediacy on demand and deployment immediacy immediate. So we have two terms: on demand and immediate. And then you can see the difference between resolution immediacy immediate and resolution immediacy on demand.
64. Service Graph Theory
Before understanding the service graph, we should understand that there are packages we can import into the ACI fabric, and those packages we can use as a cloud service or as service insertion as well. So, for example, I can import the package for a firewall, for Firepower, and those firewalls can be used as a service. Now what does it mean? Let’s understand the package first, and then I will explain to you the importance and usability of the services in the data center ACI fabric. Here you can see in the diagram that you have a package, and what is in the package? You have a configuration module, an XML file, plus a Python script. These packages we can download from the Cisco site.
You should have a proper working CCO account; then you can go and download it. I’ll show you how you can import it. I have already downloaded one, and in the last section I will show you where you can go and import it, correct? Now, once we have the service package (in my example, I’m going to use the ASAv as a virtual ASA firewall), what is the next step? The next step is, suppose that in our case we have endpoint groups, a database and a web. So we have a few endpoints, and the endpoints are mapped to the endpoint group, obviously. For example, you have certain endpoints or services related to databases, and then you have certain services related to the web, and those are clients. So your DB is the example server, and your web is the example client. They can interact, and in between that interaction you can put the services. Now services, as per the definition, are nothing but the security appliance.
Here you can see that you have web and app, and in between you have a service graph, meaning traffic will go via the service graph and these services like the ASA firewall, Firepower, etc. The supported services have a good amount of capability, correct? So you can redirect, you can do some sort of firewalling, you can do some sort of URL filtering, and you can do a number of things with services. Services simply means any type of security service, like a firewall or maybe load balancing, et cetera. Great. So here you can see in the lab that you have the terminal nodes, meaning you have the consumer and you have the provider. And obviously these consumer and provider have endpoints mapped to them: a number of endpoints mapped to the consumer and a number of endpoints mapped to the provider. And in between you may have services. So this traffic will go to these security appliances or devices first, and then it will go to the destination, and that is how traffic will flow from now on. I have one summary slide there; in the diagram you can see in this slide that you can go and create the access policy, correct? And then you can go and create the fabric policy. Now this is something like your tenant-related configuration, which obviously means this is something logical.
And this is something that comes with the access policy. So you have to create an interface policy. Inside the interface policy group, what is the glue factor? Define the AEP, the VLAN pool, then the interface profile, then the switch profile. You should have VMM integration. These things we have already discussed earlier; we have done the VMM integration. Then we can go and install the package. Once we have this set up and ready, then we can go and install the appliance. So what you need to do: add the L4-L7 device, create the function profile, and whatever policies you want to add, you can add them inside the L4-L7 device. Then we have to go and create the service graph template. Once you have the service graph template, you should go and create the function profile. And then you have to apply the service graph template, correct? I’ll show you all this stuff in the lab, so that will be easier. So let’s stop here, and in the next section I’m going to show you the lab. In that lab we already have the endpoints configured, first of all, and second, we already have the VMM integration. So what we are going to do basically is install the package, and after that we’ll go and follow these steps that you can see here. All right? So let’s move on to the last section.
65. Section 1.5 Starts…
In section 1.5 we have to understand and analyze the packet flow related to unicast, multicast, and broadcast. Now, what I have done for this particular section is that I have taken this series of videos. Here you can see, first of all, that we should understand what an endpoint is. We should know what VXLAN is, and that I have already covered earlier. But here also, again, if you want to do the revision, you can do the revision; otherwise, you can skip this section. What is VXLAN? What is VXLAN encapsulation? These sections you can skip. So you can complete this and then go to the ACI overlay VXLAN TEP (tunnel endpoint) one and two, these two videos, and then the EPG endpoint learning and COOP protocol endpoint learning. This will very much cover item 1.5. So after that, you will find approximately six videos related to this to complete section number 1.5.
Now if you go and watch those videos, you’ll find that I have covered, and in those sections I’ll show, that this is the agenda I want to cover. What are the things I want to cover? Here you can see that I want to cover, first of all, the ACI overlay VXLAN TEP, ACI forwarding components, the various protocols, endpoint learning, COOP, VRF forwarding, the spine proxy architecture, et cetera. Suppose you want to learn the complete, entire topic. For that, I have created a single two-hour video, which means I merged all those videos into one video and uploaded it to this YouTube link. If you go and use this link, you’ll find this page, and then your two-hour video will start. But just for the context of section 1.5, you need to understand only these six videos. Even if you know VXLAN, you can skip it. If you know VXLAN encapsulation, you can skip it. So you should go and check the ACI endpoint, then the overlays, and then the endpoint information. And also, if you know VXLAN from the previous section, then you can use these five videos to complete section 1.5. Once you complete section 1.5, then we’ll move to the next section.
66. What is ACI Endpoint
existing data center and the ACI data center. That’s how you’re building the RIB table, the endpoint table, the MAC table, for example, and then how you’re building the ARP table. So there is a difference in that. Now, the endpoint here is where we can see the definition: “a network entity that consists of one MAC and zero or more IP addresses.” So either it can be a MAC only, or it can be a MAC plus IP, or it can be a MAC plus more IP addresses. That’s the definition of an endpoint. Here you can see in the diagram that you have the MAC address. Obviously, it’s a layer 2 frame, so you have only a MAC address, meaning if you want to do communication only at layer 2, or if you have a layer 2 extension from one DC to another DC, you can do MAC-based communication. At that time, the endpoint will have the MAC entry, and you may have MAC plus IP, or MAC plus more than one IP. So these are the definitions of the endpoint. Now, if you compare the traditional network with the ACI network, there are slight differences. In the RIB table of the traditional network, we know that everything, all the IPs including /32, will be there. But in ACI, the /32 entries are excluded from the RIB, because the /32 goes inside the endpoint table. So you have a new term here: endpoint entry, where you have the MAC and the /32 IPs. The /32, or maybe /128, IPs that remain are going to be used as the VTEP, or VXLAN tunnel endpoint, addresses. Correct? And then finally we have a slight change in ARP as well. We know that IP-to-MAC, MAC-to-IP, is the ARP table.
But in ACI, the significance of ARP is only for the layer 3 outside, or L3Out, communication. Correct. So it’s actually interesting. One of the core pieces inside ACI is the endpoint, where you have the MAC plus the IP /32 (or /128 in the case of IPv6). Now, how can you check this? Obviously you can go and check show endpoint and then the MAC and the IP. These are the keywords that you can go ahead and use on the leaf. So you have one endpoint here which has the MAC and IP. Again, in the upcoming series of videos, you will learn more and more about this. So first of all, when you go and communicate with the leaf, the leaf will learn the MAC, and the IP if it’s an IP-related packet. And then suppose you want to send the packet to the destination and you don’t know the destination: you will go and do the query with the spine. And if the spine has that entry, it will tell you this is the way you can reach it. If the spine doesn’t have it, then in the case of L3 communication it can do ARP gleaning, do the query on your behalf, and then tell you how to reach that particular destination. Correct. So here clearly you can see that the endpoint has a MAC, a MAC plus IP, or a MAC plus more than one IP address. Now there are two different endpoints. We may have a local endpoint and a remote endpoint. In the local endpoint we have the MAC address and the IP address; interestingly, in the remote endpoint you have either a MAC or one IP address.
So when you are doing L3Out communication, you are learning the endpoint entry. So at that time you are learning either the IP or a single MAC: one MAC or one IP address. The scope of the local endpoint is that they are stored in the COOP database. The remote endpoint scope is only on each leaf, as a cache entry, for up to 300 seconds. By default, the local endpoint can be there for up to 900 seconds. How can you verify it? You have the command show endpoint ip in the case of the local endpoint, and here you can see the keyword L, which stands for local, and the interface, actually the front-panel interface, on which you are learning it. In the case of a remote endpoint, you can check the tunnel, and here you can go and check the VXLAN, and you can check the scope, which will be the VRF label. So this way we can go and run the commands, verify, and get more information about the IP and MAC, the access encapsulation VLAN, and even the PI (platform-independent) VLANs as well, from this very important command, show endpoint ip. Now, the local and remote endpoint learning: how is it happening? For the local endpoint you may have two kinds of packets, L2 packets and L3 packets, correct? So in the case of, say for example, an L2 packet, the ACI leaf learns the MAC address. If you have an L3 packet, an ARP packet or a routed packet, then you will go and learn the IP and the MAC. Correct. So you have L3 packets.
An example is ARP and routed packets, where you are learning the IP and the MAC. If you have an L2 packet, obviously you are learning only the MAC entry. Then the remote endpoint: again, in the case of a remote endpoint, if you have an L2 packet, you will go and learn, so here you can see that you have an L2 packet. Let me do one thing, let me clear this stuff. And here you can see point number two; I’ll come to one and three. Point number two is that the Cisco ACI leaf learns the MAC as a remote endpoint if the VXLAN contains bridge domain information, that is, if the traffic is moving inside the bridge domain, or maybe if you are using ACI just in L2 mode, where you are not even enabling unicast routing on the bridge domain. So for that, inside the VXLAN, it will go and check the VNID, the BD VNID, for the L2 packet. Now for the L3 packet, it will go and learn the IP address. So for the L2 packet it learns the MAC, but for the L3 packet, a routed packet, you can see that the Cisco ACI leaf learns the IP as a remote endpoint if the VXLAN contains VRF information (the virtual routing and forwarding instance VNID). In the case of the bridge domain, L2 communication, it will learn the MAC address. Okay, so these are the important details.
Point number one simply tells us that the ACI leaf receives a packet with a source MAC and a source IP from a spine switch; obviously you understand this analogy, and again in the upcoming slides you have more and more. So if you have leaf 1, leaf 2, and spine 1, and you don’t know the destination, obviously you do the query to the spine, and then the spine will go and do the query on your behalf, and then you’ll get the actual destination so you can do the communication correctly. So this is the significance and importance we have attributed to the endpoint. Remember what new change we have in ACI, first thing, and then the local endpoint and remote endpoint, how they are stored and what the default caching time or default retention time is.
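To make the local/remote learning rules and the two aging timers from the last few paragraphs concrete, here is a small model of one leaf’s endpoint table. It is an added example written for these notes, not Cisco code or output; the packets, ports, tunnel names and addresses are constructed, and the 900 s / 300 s values are the defaults quoted above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

LOCAL_AGING = 900   # default local endpoint retention, seconds (from the lecture)
REMOTE_AGING = 300  # default remote endpoint cache lifetime, seconds


@dataclass
class Packet:
    src_mac: str
    src_ip: Optional[str] = None      # None for a pure L2 frame
    routed: bool = False              # True for ARP or a routed (L3) packet
    vnid_kind: Optional[str] = None   # "bd" or "vrf": VNID in the VXLAN header (fabric side only)


@dataclass
class Entry:
    mac: Optional[str]
    ips: Set[str]
    local: bool
    interface: str                    # front-panel port (local) or tunnel (remote)
    learned_at: float

    def flags(self) -> str:
        return "L" if self.local else ""


class LeafEndpointTable:
    """Endpoint table of one leaf, keyed by MAC for MAC-based entries and by IP
    for remote IP-only entries (a remote endpoint carries either a MAC or one IP)."""

    def __init__(self) -> None:
        self.entries: Dict[str, Entry] = {}

    def learn_local(self, pkt: Packet, port: str, now: float) -> Entry:
        # Front-panel traffic: always learn the source MAC; for ARP or routed
        # packets also learn the IP, attached to that MAC (MAC + 0..n IPs).
        e = self.entries.get(pkt.src_mac)
        if e is None or not e.local:
            e = Entry(pkt.src_mac, set(), True, port, now)
            self.entries[pkt.src_mac] = e
        e.interface, e.learned_at = port, now
        if pkt.routed and pkt.src_ip:
            e.ips.add(pkt.src_ip)
        return e

    def learn_remote(self, pkt: Packet, tunnel: str, now: float) -> Entry:
        # Fabric traffic: a BD VNID means bridged traffic, learn the MAC only;
        # a VRF VNID means routed traffic, learn the IP only. Never overwrite
        # an entry this leaf already owns as local.
        if pkt.vnid_kind == "bd":
            key, e = pkt.src_mac, Entry(pkt.src_mac, set(), False, tunnel, now)
        elif pkt.vnid_kind == "vrf" and pkt.src_ip:
            key, e = pkt.src_ip, Entry(None, {pkt.src_ip}, False, tunnel, now)
        else:
            raise ValueError("remote learning needs a BD VNID or a VRF VNID with an inner IP")
        existing = self.entries.get(key)
        if existing is not None and existing.local:
            return existing
        self.entries[key] = e
        return e

    def age_out(self, now: float) -> List[str]:
        # Local entries live LOCAL_AGING seconds, remote cache entries REMOTE_AGING.
        expired = [k for k, e in self.entries.items()
                   if now - e.learned_at > (LOCAL_AGING if e.local else REMOTE_AGING)]
        for k in expired:
            del self.entries[k]
        return expired

    def lookup_ip(self, ip: str) -> Optional[Entry]:
        return next((e for e in self.entries.values() if ip in e.ips), None)

    def show_endpoint(self) -> List[str]:
        # Roughly the shape of 'show endpoint' output: flag L marks local entries.
        return [f"{e.flags():1} {e.mac or '-':17} {','.join(sorted(e.ips)) or '-':15} {e.interface}"
                for e in self.entries.values()]


if __name__ == "__main__":
    t = LeafEndpointTable()
    t.learn_local(Packet("00:50:56:aa:00:01"), "eth1/1", now=0)                        # L2 frame: MAC only
    t.learn_local(Packet("00:50:56:aa:00:01", "10.1.1.10", routed=True), "eth1/1", 5)   # ARP: MAC + IP
    t.learn_remote(Packet("00:50:56:bb:00:02", vnid_kind="bd"), "tunnel7", 10)          # BD VNID: MAC
    t.learn_remote(Packet("00:50:56:bb:00:02", "10.1.1.20", vnid_kind="vrf"), "tunnel7", 10)  # VRF VNID: IP
    print("\n".join(t.show_endpoint()))
    print("expired at t=400s:", t.age_out(400))   # remote cache gone, local entry still present
```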
67. What is VXLAN_2
Let us understand ACI VXLAN, why we need VXLAN, and what benefits and advantages we have with VXLAN. Now, suppose at this point in time you do not know the acronyms; we have the full acronyms here. Just for the purpose of summarization, this particular section is important. So we have the destination outer, source outer, destination inner, source inner, and then we have the GIPo (the outer multicast group IP) and the VNID.
All right? So let’s try to understand why we have this VXLAN type of data center, or why VXLAN is being used inside the modern data center. We can go a little bit back in history and see that in data center technology we had STP, where we have 50% blockage. Then we have vPC, which is still being used in all data centers. Then we have different options like FabricPath and VXLAN. This is actually the evolution of the data center, and most modern data centers, even with DC automation or the new data centers, are using VXLAN. Either it’s a Cisco-related data center solution like ACI or a VMware-related data center solution like NSX; everywhere nowadays we are using VXLAN. Why? Because we have an advantage. What type of advantages we have, we will see in the upcoming slide. Now, in the traditional data center you can see that you have the core, distribution, and access layer switches. You are running STP, and first of all, you are not utilizing 100% of the bandwidth. Second, it is not capable enough to understand modern technology, meaning that in ACI we can integrate with physical and virtual workloads; the traditional data center does not have that much flexibility.
We don’t have these in the traditional data center, so considering all those factors related to integrating new services, scalability, full utilization of bandwidth, et cetera, we have the Clos architecture, where we have the spine-leaf structure, where apart from all those features I told you about, we have new feature capabilities as well, right? So what are the new features and capabilities? That is the concept in this course as well. You will find that the last topic we have, “anywhere to anywhere,” means the ACI solution can work as anywhere to anywhere or any service to any service. We will discuss this in upcoming sections. That means the ACI solution can be used inside the cloud, can be integrated with the physical world and the virtual world, can work in a private data center, and can work in a public data center as well, again with certain use cases. So it’s like any to any: now it can be integrated with any type of hypervisor, any type of container, and all those things are there. All right, so these are the important aspects we have now: the advantages of the Clos architecture, scalability, ECMP, high resiliency, any subnet anywhere, et cetera. Now, the advantages we are discussing about the Clos architecture: the same type of advantages, at least a few of them, we have with respect to VXLAN as well.
Because we are integrating VXLAN here in this solution as an overlay inside the fabric, or on top of the fabric, that’s why we have this type of flexibility inside the Clos architecture. We know that we have two components; actually, we have three, but we have two working components: the leaf switch and the spine switch. Now this leaf switch has two kinds of ports. I told you earlier that you may have access ports and fabric ports. So when you are going inside the ACI fabric, you are using the fabric port; obviously, you’re going toward the spine. And when you are connecting with the endpoint, at that time you have to configure the access policies. There are some other terms as well. So this Clos architecture is something like “you are always one hop away.” You are using ECMP; even if a spine fails, you still have a redundant spine, and your COOP database is syncing in between them. So you have less data-plane interruption. We have the Mis-Cabling Protocol (MCP) as well, to detect miscabling correctly. So far, we have just discussed the evolution of the data center and the advantages of the Clos fabric or Clos architecture. Now, what’s the benefit that VXLAN brings into this Clos architecture? Let’s discuss that. First of all, what is VXLAN? VXLAN is an overlay solution, and how it is built I will show in the diagram; once you see the diagram, you’ll find this is VXLAN, and that’s the usability of VXLAN. So just hold on for two or three upcoming slides.
VXLAN, a network virtualization technique, offers several advantages. It extends layer 2 segments over a layer 3 infrastructure to build a layer 2 overlay logical network. And then we have the encapsulation. I have one session after this recording, one recording for VXLAN encapsulation, where we will discuss much more about the inner header, outer header, encapsulation, et cetera. So, what is VXLAN? VXLAN is nothing but the extension. This is the exact benefit and definition of VXLAN: to extend layer 2 segments over a layer 3 infrastructure to build a layer 2 overlay logical network. And that’s the key. We know that inside the ACI fabric we have IP; the fabric itself is an IP fabric, because the IS-IS routing protocol is running for fabric communication inside ACI. Correct. On top of that, we have these VXLAN tunnels, these dynamic tunnels, and how they are formed I will show in the next slide. So here you can see that you have your fabric, and inside the fabric you have IP reachability. Suppose this is my ACI fabric, and I’m running the IS-IS protocol in between. And suppose you have three leaves, leaf 1, leaf 2, and leaf 3, and leaf 1 wants to communicate with leaf 2; what will happen? First of all, obviously, these devices are endpoints, so my leaf switches will learn those endpoints, and then they will send that information to the COOP database on the spine.
So the leaf will learn and send that information to the spine, but still, that can happen over an IP network, so what’s the use of VXLAN? Now you can see here that once you have the VTEP, the VXLAN tunnel endpoint, tunnels set up like this, then on top of the IP network you have your VXLAN overlay, and the actual communication is happening inside the overlay. So you have the actual packet, then you have the tag, and you’ll see that it actually has a VXLAN encapsulation, then you have a UDP header, et cetera, and then you have the outer header. Think of this as an inner header, and then you have the outer header for your communication. Once these endpoints understand where and how to reach each other, then communication will only happen on the basis of the outer header. So say 1 communicates with 2. Obviously the physical path may go through the spine, but still the spine will only see the outer header and it will forward the packet, correct? So that’s how the packet is forwarded. And we have so many different video sessions in this section; after a few videos you’ll find one just to explain how the packet is forwarded inside the ACI fabric. Now, once you use VXLAN, you can use 16 million segments, and that’s the restriction with VLANs: in VLAN, you are using only 4K VLANs, and you can create only 4K logical segments. But here, you can create up to 16 million logical segments. It allows layer 2 multipathing. We are not running STP, so we are not blocking any interface. It uses the layer 3 ECMP Clos fabric; it’s very similar logic to FabricPath, which is IP-based.
In FabricPath we are running IS-IS as the underlay protocol, so you have an IP-based underlay protocol, which obviously includes the scaling enhancement, so once you use VXLAN your scaling factor will increase multiple times. Again, while using VXLAN we are optimizing the control plane, that is, MAC learning, the ARP table, and BUM replication, because now we are moving from traditional MAC learning to conversational learning, which means learning only at the time of communication. The tunnel will get created and that MAC address learning will happen, but it will not break the layer 2 adjacency requirement. That’s true: it allows for any-to-any (see how important these terms are, any to any) stateless layer 2 and layer 3 transport, like vMotion. So if you are moving a virtual machine from one leaf to another leaf, at that time also there is no interruption, because the spine will understand the new location and then tell the leaf how to communicate with the new location. Correct. It allows multitenancy, separation of customer traffic over a shared underlay fabric. Obviously, when you have multitenancy, one building can be divided into different types of tenants. So you have tenants A, B, and C, and their networking can be separated. It allows for overlapping L2 and L3 addresses, that is, the VLAN and the IP are locally significant, because again you are dividing things inside the segments, you are dividing things within the multiple tenants. So that’s why you can reuse the IP space and you can reuse the VLAN space as well. Great, so let’s just stop here, and in the next section we will learn about VXLAN encapsulation.
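The inner-header / outer-header picture and the 24-bit VNID behind the “16 million segments” figure are easier to see with the bytes in front of you. The following added example (written for these notes, not from the course or from Cisco) builds and decodes a standard RFC 7348 VXLAN packet: outer Ethernet, outer IPv4 between two VTEPs, UDP to port 4789, the 8-byte VXLAN header carrying the VNI, then the untouched inner frame. The ACI fabric’s own encapsulation adds fields beyond this base header, which the next lecture covers and this example does not model; all MACs, VTEP addresses and payloads are constructed.

```python
import socket
import struct
import zlib

VXLAN_UDP_PORT = 4789
VNI_MAX = (1 << 24) - 1   # 24-bit VNI: 16,777,215 segments, versus a 12-bit VLAN ID
VLAN_MAX = 4094           # usable 802.1Q VLAN IDs (1-4094)
VXLAN_FLAG_I = 0x08       # "I" flag: the VNI field is valid


def vni_fits(vni: int) -> bool:
    return 0 <= vni <= VNI_MAX


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ethernet_header(dst_mac: str, src_mac: str, ethertype: int = 0x0800) -> bytes:
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype)


def ip_checksum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int, proto: int = 17) -> bytes:
    # Minimal 20-byte header, TTL 64, no fragmentation; checksum filled in after packing.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def entropy_port(inner_frame: bytes) -> int:
    # Outer UDP source port is derived from a hash of the inner flow so that the
    # spine's ECMP can spread different flows over different paths (RFC 7348, 5.1).
    return 49152 + (zlib.crc32(inner_frame[:14]) % 16384)


def vxlan_header(vni: int) -> bytes:
    if not vni_fits(vni):
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    # flags(8) | reserved(24) | VNI(24) | reserved(8)
    return struct.pack("!BBBBI", VXLAN_FLAG_I, 0, 0, 0, vni << 8)


def encapsulate(inner_frame: bytes, vni: int, src_vtep: str, dst_vtep: str,
                src_mac: str, dst_mac: str) -> bytes:
    """Wrap an inner L2 frame for transport between two VTEPs over the IP underlay."""
    vx = vxlan_header(vni) + inner_frame
    udp = struct.pack("!HHHH", entropy_port(inner_frame), VXLAN_UDP_PORT, 8 + len(vx), 0) + vx
    return ethernet_header(dst_mac, src_mac) + ipv4_header(src_vtep, dst_vtep, len(udp)) + udp


def decapsulate(packet: bytes):
    """Validate the outer headers and return (vni, src_vtep, dst_vtep, inner_frame)."""
    if struct.unpack("!H", packet[12:14])[0] != 0x0800:
        raise ValueError("outer frame is not IPv4")
    ihl = (packet[14] & 0x0F) * 4
    ip = packet[14:14 + ihl]
    if ip_checksum(ip) != 0:
        raise ValueError("bad outer IP checksum")
    if ip[9] != 17:
        raise ValueError("outer packet is not UDP")
    src_vtep, dst_vtep = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    off = 14 + ihl
    _sport, dport, ulen, _ = struct.unpack("!HHHH", packet[off:off + 8])
    if dport != VXLAN_UDP_PORT or ulen != len(packet) - off:
        raise ValueError("not a well-formed VXLAN/UDP datagram")
    flags, _, _, _, vni_field = struct.unpack("!BBBBI", packet[off + 8:off + 16])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag clear: VNI not valid")
    return vni_field >> 8, src_vtep, dst_vtep, packet[off + 16:]


if __name__ == "__main__":
    # Constructed: VM1 on leaf A talks to VM2 on leaf B; the spine only sees the outer header.
    inner = ethernet_header("00:50:56:bb:00:02", "00:50:56:aa:00:01") + b"payload from vm1"
    pkt = encapsulate(inner, 16_000_000, "10.0.0.1", "10.0.0.2", "00:11:22:33:44:55", "66:77:88:99:aa:bb")
    print(decapsulate(pkt)[:3], "inner bytes:", len(inner))
```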