Cisco ACI TALKs

Migrate from Switched Network to ACI || Part-1

Now as we deployed our ACI fabric and it Initialized and operational, now it is migration time from our existing network to the Cisco ACI Fabric.

We can divide the methodology of migration into three steps:

1. Deployment
2. Integration
3. Migration

Deployment:

Phase is done, and our ACI fabric is ready and operational properly. So let's go for the 2nd phase.

Integration:

considerations while integrating between ACI and existing networks:

• Interconnection between existing network and ACI fabric should be placed at the correct switch (ex. switches that aggregate all connection together or switches that have connectivity to all other switches)
• The interconnection between two networks should be in redundant manner:

1. If the interconnection links will be on the same switch on both sides existing network and ACI, So recommended to bundle links between these devices.
2. Recommended design while integration: - From existing network side to connect these links to redundant device using vPC or stacking technology if available.- From ACI side: connect both connections from existing network to dual leaf switches and ensure that all used links are utilized and STP loop is created or blocked ports between two networks.- The VPC or the connection between our existing and ACI fabric is configured as trunk as 802.1q trunk and allow VLANs to be migrated.

Migration:

In this example, workloads from VLAN 10and VLAN 20 need to be migrated to Cisco ACI fabric: the workload from VLAN 10 to EPG-VLAN10 and VLAN20 to EPG-VLAN20.

This mapping is done by creating one BD and EPG per VLAN, the reason for separate BDs is to isolate Layer 2 domains for each segment in the existing network.

Example:

You need to plan your migration in proper way like:

• How your application and services are working.
• Will you need to separate your workloads into multiple VRFs or single VRF.
• How many VLANs need to be migrated.
• Allocation of default gateway for each VLAN/Subnet.

By default Cisco ACI optimizes the traffic forwarding in the BD, which means Layer 2 unknown unicast and ARP flooding is disabled since all EPs connected to Cisco ACI fabric should be well known.

During migration not all workloads are migrated once, as some times some workloads are migrated while the others are still connected to the existing network. In such case Cisco ACI will not be fully aware of workloads connected to existing network, so if ACI leaf as default to optimize traffic forwarding, traffic between non-migrated workloads and migrated workload will be dropped.

So ARP and Layer 2 unknown unicast features should be changed to flood to let migration work smoothly on the bridge domain level configuration:

• L2 unknown unicast --> Flood
• ARP Flooding --> Flood
• Unicast routing --> Disabled

Now Workloads are migrated to Cisco ACI successfully and ACI acting as layer 2 extension for the existing network.

Next phase in the migration is default gateway placement:

At this moment the default gateway and routing between subnet is done in the existing network.

Migration of default gateway from existing network to Cisco ACI fabric recommended to migrate 1 gateway / subnet at a time.

During this time migrating gateway, some communications between migrated services and non-migrated services need to be accessible.

So to enable this connectivity between ACI and existing network, L3out connection should be done.

• This L3out should be associated with the BDs where the default gateways will be migrated.
• Also and the gateway subnet should be advertised externally.

Gateway migration is implemented by removing the gateway from the existing network and applying the IP address of the default gateway at the BD level.

At this point Gateway of VLAN 10 is migrated to Cisco ACI, but not all workloads are migrated to Cisco ACI fabric.

So Layer 2 unknown unicast flooding and ARP flooding must still be enabled as well as unicast routing.

Note:

• While creating the default gateway IP address on BD level on ACI, configure its MAC address like the mac address of the existing network, to make migration from old to new seamlessly, otherwise all EPs which already chased gateway IP with old MAC will be impacted. and they will be required to refresh their ARP cache entries again.

Once VLAN 10 gateway is migrated successfully, let's migrate other gateway.

following the same process and configurations.

After migrating all gateways and all workloads successfully from existing network to ACI fabric, now all L2 connection between two networks should be deleted and keep the L3out connection only.

Now after all workloads are migrated and L2 connection is disabled, Layer 2 unknown unicast flood and ARP flooding should be optimized again under BD level configuration (maintenance windows is required recommended).

Bridge domain configuration after migration to ACI fabric should be as follows:

• ARP flooding is disabled
• Layer 2 unknown unicast forwarding is changed from Flood to Hardware Proxy.
• Unicast routing is enabled.

All the above illustrated points and scenarios may vary from design to another or from network to another.

Also the design followed on this migration is Network Centric approach and some variations should happen during configuration and migration if Application Centric is followed.