ACI - POD -MULTI POD - ANYWHERE - CLOUD

ACI multi-pod

In the first few versions of ACI, all leaf switches had to connect to all the spines. This meant the ACI fabric had to be co-located in a single data center. Later versions allowed users to segment spines into sets of leaf switches, which allowed for stretched fabrics and transit leaf designs located in multiple data centers. However, these designs were limited by a need for 40GB connections between sites.

When ACI multi-pod came out in early 2016, it was the real leap toward fully extending data center networks because it let users extend Layer 2 data center connectivity to multiple pods. The extension was initially limited to 10 ms before subsequent code releases extended it to 50 ms.

ACI multi-pod uses a Layer 3 network called the IPN (inter-pod network) to connect the spines of the ACI pods from a routing standpoint. It then builds a VXLAN overlay between these spines to extend Layer 2. Multi-pod also uses a BGP extension, MP-BGP EVPN, to advertise endpoint MAC and host addresses for reachability between the ACI pods.

While multi-pod had distance limitations and only a single availability zone, it worked well for a large number of our clients looking to extend their data centers and offer a single point of visibility and control from a business use case.

ACI multi-site, multi-site orchestrator, remote leaf and vPOD

Cisco released version 3.0 of ACI in the summer of 2017, which featured multi-site and the multi-site orchestrator (MSO). These enhancements offered users the ability to extend ACI sites anywhere in the world through localized availability zones.

Multi-site featured several key improvements over multi-pod. Notably, multi-site increased the distance limitation to 1000 ms, offered multiple availability zones and did not require multicast in the ISN network connecting the sites. Moreover, the introduction of MSO allowed users to create connectivity between sites as well as configure multiple sites from a single pane of glass.

Shortly thereafter, ACI version 3.1 introduced the concept of the remote leaf. This capability allowed users to extend ACI policy to any ACI-capable leaf switch with Layer 3 connectivity and manage it like any other blade in our giant ACI switch.

Next, Cisco introduced ACI virtual POD (vPOD), which allowed users to create virtual spines and virtual leaf switches and then build a VXLAN overlay on top of any network.

At this point, all the pieces were there to extend ACI to any part of the data center — they just were not yet holistically integrated.


Cisco ACI Anywhere

Cisco ACI anywhere, true multi-cloud

One of the ‘Holy Grails’ of on-premises (or private cloud) and public cloud delivery is allowing these disparate entities to function in the same management and networking domains. The process, which can be carried out manually, is labyrinthine in its complexity, with many individual components and policies that cannot be managed centrally, making deployment and continued support a daunting prospect.

ACI (Application Centric Infrastructure) Anywhere is a logical multi-cloud SDN extension for ACI MSO (Multi-Site Orchestrator). MSO is the software component used to deploy Multi-Site ACI. The MSO is responsible for ensuring the ACI fabrics in each DC have the same policies and objects created. Think of MSO as the glue that takes two entirely independent fabrics (each with its own failure domain) and ensures they function as a single entity (on-premises to cloud and cloud to cloud), including seamless region-to-region connectivity inside the same cloud provider.

With ACI Anywhere the same MSO can perform this function for various cloud IaaS providers, ensuring that functions such as security enforcement policies and workload analytics are visible and adhered to automatically, while the underlying network functions as a secure cloud interconnect managed as a single entity.

MSO uses APIs to communicate with the ACI fabric APICs (Application Policy Infrastructure Controllers) and with the fabrics of the various cloud providers, meaning MSO provides a single pane of glass to manage not only the private cloud (ACI) but the public cloud as well.
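The claim above, that MSO keeps the same policies and objects in every site, is something a defender should verify rather than assume. The following Python script is an added example (not Cisco's or the MSO's own code): it compares the contract and filter objects two APICs return for the same class query and reports objects missing on one side or differing in attributes that change enforcement. The `imdata` JSON shape and the `vzBrCP`/`vzEntry` class names are the real APIC REST format; the two site payloads are constructed for the example, not captured from a fabric.

```python
# Policy-drift check between two ACI sites (added example, not Cisco or MSO code).
# The imdata shape ({cls: {"attributes": {...}}}) is the real APIC REST format;
# the sample payloads below are constructed for the example, not captured.

# Attributes whose mismatch changes what traffic a contract or filter permits.
ENFORCEMENT_ATTRS = {
    "vzBrCP": ("scope",),
    "vzEntry": ("etherT", "prot", "dFromPort", "dToPort", "stateful"),
}


def index_objects(imdata: list) -> dict:
    """Key every returned object by (class, dn) so sites can be compared directly."""
    return {(cls, body["attributes"]["dn"]): body["attributes"]
            for item in imdata for cls, body in item.items()}


def policy_drift(site_a: list, site_b: list) -> list:
    """Return sorted, human-readable drift findings between two sites."""
    a, b = index_objects(site_a), index_objects(site_b)
    findings = [f"missing in site B: {c} {dn}" for c, dn in sorted(a.keys() - b.keys())]
    findings += [f"missing in site A: {c} {dn}" for c, dn in sorted(b.keys() - a.keys())]
    for cls, dn in sorted(a.keys() & b.keys()):
        for attr in ENFORCEMENT_ATTRS.get(cls, ()):
            va, vb = a[(cls, dn)].get(attr), b[(cls, dn)].get(attr)
            if va != vb:
                findings.append(f"mismatch {cls} {dn} {attr}: A={va!r} B={vb!r}")
    return findings


def obj(cls: str, dn: str, **attrs) -> dict:
    """Build one APIC-style object record."""
    return {cls: {"attributes": {"dn": dn, **attrs}}}


# Constructed sample: site B widened the MySQL filter entry to every TCP port
# and gained a global any-to-any contract that site A never had.
SITE_A = [
    obj("vzBrCP", "uni/tn-Prod/brc-web-to-db", name="web-to-db", scope="context"),
    obj("vzEntry", "uni/tn-Prod/flt-db/e-mysql", etherT="ip", prot="tcp",
        dFromPort="3306", dToPort="3306", stateful="yes"),
]
SITE_B = [
    obj("vzBrCP", "uni/tn-Prod/brc-web-to-db", name="web-to-db", scope="context"),
    obj("vzEntry", "uni/tn-Prod/flt-db/e-mysql", etherT="ip", prot="tcp",
        dFromPort="unspecified", dToPort="unspecified", stateful="yes"),
    obj("vzBrCP", "uni/tn-Prod/brc-any-to-any", name="any-to-any", scope="global"),
]
```

Against a live fabric, `SITE_A` and `SITE_B` would be the `imdata` lists returned by the same class query (for example `/api/class/vzEntry.json`) on each site's APIC.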

ACI Anywhere can quickly deploy a cloud fabric, including networking and security components that are indistinguishable from the private cloud. This removes one of the blockers that stop organisations from fully leveraging a truly seamless hybrid cloud: the operational, configuration and management complexity. With ACI Anywhere, seamless fabrics can be automated and stood up on demand using a single intuitive GUI.

APIC has a cloud-hosted version, imaginatively titled Cloud APIC, available from the marketplace of each cloud provider. The Cloud APIC is usually deployed automatically by the MSO and configured using RESTful northbound APIs. At least one Cloud APIC is required for each cloud provider. The Cloud APIC is responsible for translating ACI policy into the cloud provider's fabric constructs.

The Cloud APIC does not necessarily need the private cloud element (on-premises ACI) to function; using it to provide seamless multi-cloud across cloud provider IaaS alone is a perfectly valid use case. That being said, a hybrid cloud architecture is recommended to truly realise the power of ACI Anywhere and the inherent cost savings it provides.

To act as the network layer underpinning this process, ACI Anywhere leverages the popular CSR 1000v (a staple of many cloud deployments) as the fabric underlay. With support for IPsec (DMVPN), VXLAN, MP-BGP EVPN and anycast gateway, the CSR 1000v provides seamless IP mobility options for virtualised environments. The CSR 1000v routers are usually deployed automatically by the MSO and configured using NETCONF.

For the purposes of seamlessly stitching the private and public clouds together, the following technologies are used as overlays, all configured by the Cloud APIC, thus abstracting the complexity involved:

  • A VXLAN data plane connects the ACI fabric to the cloud provider; it is transported over a tunnel technology such as IPsec, DMVPN or SD-WAN, which forms the underlay for the multi-cloud overlay itself.
  • MP-BGP EVPN provides routing reachability between the ACI fabric and the cloud provider.
  • Other sites are connected with any of the same tunnel technologies: IPsec, DMVPN or SD-WAN.

The flexibility provided in the networking stack ensures that true cloud-based VM mobility is possible, whereby VMs can be hosted and addressed in the same way whether they sit physically (from a hypervisor point of view) in the private cloud or in the public cloud. I’d strongly recommend that SD-WAN be used as the underlay for all multi-cloud connections. With SD-WAN, ACI Anywhere can leverage many additional benefits such as policy-based best path selection and seamless fabric integration with the major cloud providers. This includes SaaS providers (such as O365, Salesforce and ServiceNow) and IaaS providers.

Due to the flexibility of ACI Anywhere, it is possible to deploy applications seamlessly across multiple cloud vendors whilst maintaining identical policy enforcement and networking stacks.


ACI Anywhere enables automation, security, and intent-based networking to optimize data center operations, protect digital businesses, and accelerate our customers' expansion into the multicloud.


Cloud extension - ACI Anywhere!" in the process. This meant that key attributes of the ACI solution — such as unified security policy, single-pane-of-glass management and visibility — are available in public cloud environments (e.g., AWS, Google Cloud, Microsoft Azure). This gives customers the flexibility to run applications across multiple data centers, container platforms, virtual environments, generic networks with ACI policy on top (vPOD) and, of course, ACI extensions to the public cloud.

The vision for ACI Anywhere is to enable customers to build agile data center networks for scale, availability, security and operational simplicity anywhere. While the pieces, parts and concepts were all there at the time of this announcement, they were not yet a fully integrated solution.

ACI Cloud APIC (cAPIC). The cAPIC allows customers to use the MSO to easily connect on-premises ACI sites via VXLAN to public cloud providers.

Moreover, Cisco's introduction of analytics products like Tetration, Network Assurance Engine (NAE) and Network Insight Resources (NIR) offers previously unavailable end-to-end visibility — no matter whether your workload is in a container, in an on-prem cloud or in a public cloud.

How can you use ACI Anywhere?

At this point, the ACI vision has come full circle — from early backroom conversations to fully supported, integrated solutions. Our four business outcomes, (1) single-pane-of-glass control, (2) end-to-end security, (3) analytics and automation and (4) multicloud and container ease of use, are now a reality.

So what are customers doing now that Cisco ACI Anywhere is finally here?

  • Upgrading: Many of our clients with existing Generation 1 spines and leaf switches are looking at migrating to newer spines for multi-site support and to -FX leaf switches for micro-flow-based analytics using NIR.
  • Analytics: Many organizations are also looking at the new Services Engine and premier licensing to get NAE and NIR for better visibility into their data centers.
  • Big data: Financials and other companies that need high-speed big data applications and Hadoop clusters are looking at the new 400GB -GX line of switches, introduced in the 4.2 code version last month, for high-speed, high-bandwidth applications.
  • Public cloud: Organizations are using ACI as an easier way to connect multi-site environments to the public cloud. We're also seeing customers in carrier-neutral facilities with low-latency public cloud connectivity (such as Equinix) connect multi-site pods directly into the public cloud using cAPIC. This gives customers the previously unavailable ability to extend to, apply consistent policy to and obtain visibility into the public cloud.

More info on ACI Anywhere: https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2020/pdf/DGTL-PSODCN-1119.pdf
