EMAIL SUPPORT
dclessons@dclessons.comLOCATION
AFIntegrating With VMware
Policy Model of VMM domain
VMM domain profile (vmmDomP) provides connectivity policies which provides connectivity of ACI fabric to Virtual Machine Controller.
Below figure describes the Policy Configuration of VMM Domain in ACI fabric
VMM domain Components
With the help of VMM domain, admin can configure connectivity policies for Virtual machine controllers in ACI. Below are components of ACI VMM domain Policy model
- VMM domain
- VLAN Pool Association
- AAEP
- VMM domain endpoint group (EPG) Association.
VMM Domains:
VMM domain helps in grouping of VM controllers that require similar networking Policy like VLAN Pools, application EPG.
APIC communicates with VM controller to publish network configuration like Port-groups etc. which are applied on VM workload for network connectivity.
VMM domain profile needs below components:
- Credential: It associates a valid VM controller user credentials to APIC VMM domains.
- Controller: VM Controller which is used to manage the Virtual infrastructure, VM Controller profile instruct how to connect to VM controller.
APIC VMM domain is a collection of policies that defines VMM domain, which is created on APIC and is pushed to leaf switches.
VMM domain provides following functions:
- Provides scalable fault-tolerance support for multiple VM controller platform.
- VMM support for multiple tenants with in ACI fabric.
A VMM domain helps in VM mobility with in domain but not across domains. A single domain can be integrated with multiple VM controller of same vendor. ACI VMM domain listens for controller events such as VM mobility events and respond accordingly.
VMM Domain VLAN Pool:
VLAN pool contains a single VAN id or range of VLAN id. In ACI there are two method for VLAN pool allocation:
- Static allocation
- Dynamic Allocation
If we use Static allocation, Fabric admin needs to configure VLAN, where as if we use dynamic allocation, APIC assigns the VLAN to VMM domain dynamically. In ACI, only one VLAN or VXLAN pool can be assigned to VMM domain.
A fabric admin can assign the VLAN ID statically to an EPG, provided that VLAN must be on VLAN pool with static allocation type.
In VMM domain scenario, APIC controller dynamically assigns the VLAN ID to EPG and that particular VLAN ID must be associated to POOL and that pool must be associated to particular VMM domain.
APIC provisions VMM domain VLAN ID, on leaf switch ports based on EPG events, either statically binding or based on VM events from controller such as VMware vCenter or Microsoft SCVMM.
Attachable Access Entity Profile:
An AAEP associates VMM domain with Physical network infrastructure where vSphere hosts are connected. An AAEP defines which VLANs will be permitted on host-facing interfaces.
When a VMM domain is mapped to an EPG, AAEP will validate that the VLAN can be deployed on certain interfaces and then configures VM controller policies on leaf switch ports.
VMM Domain EPG Profiles:
Behavior of VMM domain EPG in ACI fabric are as follows:
- APIC pushes VMM domain EPGs as port groups in to VM controller
- AN EPG can span on Multiple VMM domains and VMM domains can contain multiple EPGs.
Below figure shows, multiple how EPGs are part of different VMM domains
An EPG can use multiple VMM domain in following ways:
- An EPG within a VMM domain is identified by an encapsulation identifier that is either automatically managed by the APIC or statically selected by the administrator. An example for a VLAN is a virtual network ID (VNID).
- An EPG can be mapped to multiple physical (for bare-metal servers) or virtual domains. It can use different VLAN or VNID encapsulations in each domain.
By default, an APIC dynamically manages the allocation of a VLAN for an EPG in a VMM integration. VMware vSphere Distributed Switch (VDS) administrators have the option of configuring a specific VLAN for an EPG. In that case, the VLAN is chosen from a static allocation block within the pool associated with the VMM domain.
EPG Policy Resolution and Deployment Immediacy
As soon as an EPG is associated to VMM domain, admin has to choose some option, so that ACI will push those policies based on option selected. Let’s understand these options in detail.
Resolution Immediacy:
It has following options, selection those will define, when policies are downloaded to leaf switch.
- Pre-Provision: In this option, policies like VRF, VLAN, VXLAN, Contracts, filters is downloaded to associated leaf even before, VM controller is attached to DVS or VDS defined by APIC via VMM domain.
- This option is useful when management traffic between Hypervisors and VM Controllers, is also using the APIC defined virtual switch.
- When VMM policy such as VLAN, VXLAN on leaf switch is deployed, APIC must collect CDP/LLDP information from Hypervisor through VM Controller and leaf switch to which it is connected.
- With Pre-Provision immediacy option , Policy is downloaded to Leaf switch , regardless of DCP/LLDP Neighbourship and even without a hypervisor host connected to VMM domain DVS.
- Immediate:This option specifies that a policy (such as VRF, VLAN, VXLAN binding, contracts, or filters) is downloaded to the associated leaf switch software upon ESXi host attachment to a DVS. LLDP or OpFlex permissions are used to resolve the VM controller to leaf switch attachments.
- The policy is downloaded to a leaf when you add a host to the VMM domain-defined DVS. CDP/LLDP Neighbourship from host to leaf is required.
- On Demand:This option specifies that a policy (such as VRF, VLAN, VXLAN binding, contracts, or filters) is pushed to the leaf node only when a host running hypervisor is attached to a DVS and a VM is placed in the port group (EPG).
- The policy is downloaded to a leaf when a host is added to the VMM domain-defined DVS and a virtual machine is placed in the port group (EPG). CDP/LLDP Neighbourship from host to leaf is required.
Deployment Immediacy
After the policies are downloaded to the leaf software through the Resolution Immediacy option, you can use Deployment Immediacy to specify when the policy is pushed to the hardware policy content-addressable memory (CAM). Two options are available:
- Immediate:This option specifies that the policy is programmed into the hardware policy CAM as soon as the policy is downloaded in the leaf software. You should be aware of your ACI infrastructure scalability limits when choosing this option.
- On Demand:This option specifies that the policy is programmed in the hardware policy CAM only when the first packet is received through the data path. This process helps optimize the hardware resources.
Integrating With VMWARE
In Virtual Infrastructure Integration , VMware is the very important technology which ACI integrates via VMM domain. The VMM domain helps ACI to connect to datacenter hypervisors like VMware Exsi, Hyper-V etc.
ACI uses Virtual Machine Manager (VMM) domain profiles for communication between virtual machine controllers and the ACI fabric.
A VMM domain helps the ACI infrastructure to send traffic to leaf switches by using POOL of VLANS or VXLAN. For this VLAN pool should be dynamic configured, to allow APIC to allocate the VLANs to EPGs and port groups as needed. VLAN pool can be dynamic or static in nature. Finally VMM domain is associated to AAEP and a Policy group.
The Virtual Machine Manager domain profile helps in grouping VM controllers together. Within this are two components: the credential for connecting to the VM controller, and the controller, which specifies how to connect to the VM controller.
The EPG association allows the APIC to push endpoint groups into the VM controller as port groups and also permits the EPG to span across several VMM domains.
The attachable entity profile association associates a VMM domain to the physical network. Here, we use an attachable entity profile (AEP), which is a network interface template, to set policies on leaf switch ports.
Finally, the VLAN pool association specifies the VLAN ID, or range of IDs, for encapsulation.
When we want to integrate the VMware infrastructure in to ACI, we have two option for deploying virtual networking
- VMWare vSphere distributed switch (VDS)
- Cisco Application Virtual Switch (AVS)
Both option provide similar virtual networking functions, but AVS option provides additional capabilities like VXLAN and Micro segmentation feature support.
LEAVE A COMMENT
Please login here to comment.