工作分享类ACI详解

ACI（ApplicationCentricInfrastructure）详解,提纲,ACI的控制平面及转发平面ACI的EcosystemACI的应用案例,ACI网络架构,InfraVRFUsedforinbandAPICtoswitchnodecommunication,nonroutableoutsidethefabricInbandManagementNetworktenantVRFcreatedforinbandaccesstoswitchnodesOOBManagementNetworkAPICandswitchnodededicatedmgmtports,OOBManagementNetwork,APICwillhave:2attachedtofabricfordata2formgmt(OOB)1consoleethernetport(canbeonlyusedfordirectlaptophookup)CIMC/IPMIports,InbandManagementVRF,InfrastructureVRF,Switchnodeswillhave:InbandaccesstoInfranochangesrequiredtoapplicationsorendpointIPstacksACIFabricprovidesoptimalforwardingforLayer2andLayer3FabricprovidesapervasiveSVI,whichallowsforadistributeddefaultgatewayLayer2andLayer3trafficaredirectlyforwardedtothedestinationendpointIPARPandGARPpacketsareforwardeddirectlytothetargetendpointaddresscontainedwithinARPorGARPheader(eliminationofflooding),DistributedDefaultGateway,DirectedARPForwarding,分布式三层网关实现原理,VM1sendsARPrequestforDefaultGatewayTheARPrequestwillbereceivedatTORandpuntedtotheSupervisor,whereMACandIPislearnedanddistributedTORactsasregularDefaultGatewayandsendsARPresponsewithGW_MACtoVM1,VM1ARPCache0-GW_MAC,SVIIPAddress(VRFBlue)MAC:0000.dead.beefIP:,rib,VM1generatesadatapacketdestinedtoPM2IP(0)withGW_MACasdestinationMACTORreceivesthepacketandperformsLayer-3lookupforthedestination(known)TORaddsVXLAN-Headerinformation(DestinationVTEP,VNI,etc)andforwardsthepacketacrosstheLayer-3fabric,pickingoneoftheequalcostpathsavailableviathemultipleSpinesThedestinationTORreceivesthepacket,stripsofftheVXLANheaderandperformslookupandforwardingtowardPM2,0-PM2_MACPM2_MAC-eth1/32,分布式三层网关实现原理,交换架构内无ARP泛洪ARP直接转发,ARP帧从终端发出,ARPPayload,ARP帧转发给目标终端,Leaf节点使用ARP包头中的目标IP地址，查询该主机位于哪个Leaf节点，然后建立到该Leaf节点的VXLAN隧道,所有的二层攻击在Fabric里都不能奏效，比如ARP攻击、生成树攻击、组播IGMP欺骗、DHCP欺骗等,VXLANForwardingModesComparison,Proxy-Gateway,Anycast-Gateway&ACI-Anycast,子网内或子网间主机之间的IP转发均基于目的IP地址，在交换架构内构建eVXLAN隧道进行转发，二层非IP流量基于目的MAC地址采用eVXLAN隧道进行转发交换架构相对于应用完全是透明的，管理人员无需关注交换架构的情况，可以把更过精力放在应用和数据上。采用分布式映射数据库在Leaf节点和Spine节点管理内部主机IP地址与位置的关系,ACI模式下的数据转发过程,ACIVXLAN(eVXLAN)Header,ACIVXLAN(eVXLAN)headerprovidesataggingmechanismtoidentifypropertiesassociatedwithframesforwardedthroughanACIcapablefabric.ItisanextensionoftheLayer2LISPprotocol(draft-smith-lisp-layer2-01)withtheadditionalofpolicygroup,loadandpathmetric,counterandingressportandencapsulationinformation.TheeVXLANheaderisnotassociatedwithaspecificL2segmentorL3domainbutprovidesamulti-functiontaggingmechanismusedinACIApplicationDefinedNetworkingenabledfabric.,EthernetHeader,Payload,FCS,OuterIP,OuterUDP,eVXLAN,OuterEthernet,InnerEthernet,Payload,NewFCS,VXLANInstanceID(VNID),M/LB/SP,SourceGroup,Flags,Rsvd,8Bytes,1Byte,NLRsvdI,N:TheNbitisthenonce-presentbit,L:TheLbitistheLocator-Status-Bitsfieldenabledbit,I:TheIbitistheInstanceIDbit,IndicatesthepresenceoftheVXLANNetworkID(VNID)field.Whenset,itindicatesthattheVNIDfieldisvalid,IPHeader,InnerIPHeader,Flags/DRE,VirtualeXtensibleLAN(VXLAN),VirtualeXtensibleLAN(VXLAN)isaLayer2overlayschemeoveraLayer3network.A24-bitVXLANSegmentIDorVXLANNetworkIdentifier(VNI)isincludedintheencapsulationtoprovideupto16MVXLANsegmentsfortrafficisolation/segmentation,incontrastto4KsegmentsachievablewithVLANs.EachofthesesegmentsrepresentsauniqueLayer2broadcastdomain,andcanbeadministeredinsuchawaythatitcanuniquelyidentifyagiventenantsaddressspaceorsubnet.,ACIFabricVNID的不同作用,VNID=BridgeDomain,M/LB/SP,SourceGroup,Flags,Flags/DRE,VNID=VRF,M/LB/SP,SourceGroup,Flags,Flags/DRE,VNID=EPG,M/LB/SP,SourceGroup,Flags,Flags/DRE,IPForwardingisenabledfortheBridgeDomain(default)Anypacketisrouted(forwardedtothedefaultGWMAC)whentheBDisconfiguredfornonIPforwardingAnyIPpacketisforwardedtothespineproxyforaddressresolutionAnyUnicastARPpacketisforwardedtothetargethost(technicallynotaroutedframebutwithinthefabricforwardedaccordingtotheARPIPaddress),AmulticastpacketisforwardedAnypacketisforwardedwhenIPv6isenabledintheVRF/Context(IPv6willfollowIPv4behaviourwithsupportofIPv6tenantforwarding),Aframeisforwardedtoaserviceapplianceinstandard/legacyIPServiceschainingmode,VNIDidentifiestheVRFwhen:,VNIDidentifiestheBDwhen:,VNIDidentifiestheEPGwhen:,vSwitch(VMWare),vSwitch(MSFT),ACI单播报文转发流程,MulticastForwardingFTAGTopologies,ToimproveloadbalancingMulticasttrafficisdistributedacross16FTAGtopologiesintheFabricDestinationgroupsarehashedacrosstheFTAGtopologiesFTAGtreesarerootedatspineswitches(rootsdeterminedbyIFC)FTAGtreecalculationisperformedbyIS-ISandwillcreatetheFTAGtreesasmaximallyredundantgraphsFTAGnodesareadvertisedusingusingGM-LSPwithmartianaddresses0.0.0.representingtheFTAG(thelast4bitsindicatetheFTAG),FTAGRootforTree0,FTAGRootforTree1,FTAGtopologiesareadvertisedviaIS-ISusingmartianaddresseswiththefinal4bitssettotheFTAG,0.0.0.,FTAGtopologiesarelimitedtospinetoleaflinksandonlyifadownlinkislostwilltheFTAGtopologypassthroughaleaf,vSwitch,FTAGRootforTree0,4,8,12,FTAGRootforTree2,6,10,14,FTAGRootforTree3,7,11,15,FTAGRootforTree1,5,9,13,vSwitch,SpineSwitchesmaintainatableofGIPo(MulticastIPOverlayGroup)toLeafbinding.ALeafwillreceivetrafficforaGIPoiftheEPGBDexistsonthatLeaf.TheGIPorepresentsamulticastTEP.,vSwitch,ACI组播报文转发流程,vPC在ACI架构中的数据转发,Host,TrafficarrivingonvPCportissourcedfromvPCanycastVTEPaddresstoavoidflappingofsourceVTEPonegressLeafTrafficarrivingtoavPCanycastaddressisforwardedbasedonasymmetricalhardwarehashtoavoidduplication,Host,Host,Host,Host,ACI的基本术语,EP,.,EP,EP,EPGWEB,BD,EPGAPPSERVER,EPG,BD,subnet,subnet,subnet,L3context(isolatedtenantVRF),Withorwithoutfloodingsemantics,networkprofile,Tenant,outside,26,Tenant“University”,PN“Engineering”,PN“Business”,Subnet/24Subnet/24Subnet/24,EPGWeb,EPGApp,BridgeDomain172,Subnet/24,EPGDB,BridgeDomain10,ContractPolicy“HTTP”,ContractPolicy“SQL”,Subnet/24Subnet/24,BridgeDomain100,EPGApp,EPGWeb,EPGDB,ContractPolicy“HTTP”,ContractPolicy“SQL”,Infrastructure,Apps,ACI中的一些基本概念,配置ACI的转发模式,UnicastRouting:Theforwardingmethodbasedonpredefinedforwardingcriteria(IPorMACaddress).Thedefaultislayer3forwarding(IPaddress)L2UnknownUnicast:forwardingmethodforunknownlayer2destinations.Themethodcanbefloodorproxy(default)ARPFlooding:SpecifieswhetherARPfloodingisenabled.Iffloodingisdisabled,unicastroutingwillbeperformedonthetargetIPaddress.Canbeonoroff(default),ACIInteractionwithSTP,BPDU,BPDU,BPDU,STPRootSwitch,SameEPG,NoSTPrunningwithinACIfabricBPDUframesarefloodedwithinEPG.NoConfigurationrequiredExternalswitchesbreakanypotentialloopuponreceivingthefloodedBPDUframefabricBPDUfilterandBPDUguardcanbeenabledwithinterfacepolicy,ACIInteractionwithSTPVLANStitching,AccessportVLAN10BPDUguardenable,AccessportVLAN20BPDUguardenable,ACIFabricallowsVLANstitchingMakesurenoexternalloopandtheBPDUguardisenabledonaccessportsDataisfloodedwithinBDandBPDUisfloodedwithinEPG.,ConnectingTwoACIFabricsARPResolutionwithSameGWMAC,ESX,ESX,ESX,ESX,ACIFabric1,ACIFabric2,0,0,0,0,AnycastGWIPMAC:MAC-A,.0,.20isunknown.GenerateARPrequest,2.Routing.0isunknown.Sendtospineproxy,4.ARPrequestisfloodedtoFabric2,5.SendARPreply.DestinationIPDestinationMAC:MAC-A,6.ARPreplydestiningtome.LeafconsumesARPreplyandlearnIPandMACof0,7.ARPreplynevermakestoFabric1.Fabric1isnotawareof0,ConnectingTwoACIFabricsARPResolutionwithDifferentGWMAC,ESX,ESX,ESX,ESX,ACIFabric1,ACIFabric2,0,0,0,0,AnycastGWIPMAC:MAC-A,.0,.20isunknown.GenerateARPrequest,2.Routing.0isunknown.Sendtospineproxy,4.ARPrequestisfloodedtoFabric2,5.SendARPreply.DestinationIPDestinationMAC:MAC-A,6.ARPreplyisencapsulatedtovxlandestiningtoborderleaf,7.ARPreplyissentovertoFabric1borderleaf,8.ARPreplyisreceivedbyspineofFabric1,ConnectingMultipleACIFabricsBridgeDomainConfiguration,ChangeGWMACaddress.Bydefault,AllfabricandallBDsharesameGWMAC,EnableroutingandARPflooding,ConnectingTwoACIFabricsConsiderations,VLAN100,ESX,VLAN100,ESX,VMMDomain:DC1EPGWEB/24,VLAN200,ESX,VLAN200,ESX,VMMDomain:DC2EPGWEB/24,OneL2DomainOnesubnet,VLAN300,ACIFabric1,ACIFabric2,TwoseparateACIFabrics,AnycastGWwithsameGWIPbutdifferentMAC,TwoseparatevCenter,L2Outsideconnection,AnycastGWwithsameGWIPbutdifferentMAC,Twoseparate/independentACIfabric.NocontrolplaninteractionbetweentwofabricsTwovCenterwithoutlivemigrationoronevCenterwithoutVMMintegrationNeedtoturnonARPflooding.NoARPsuppression.Twofabricsareinsamefloodingzone,SupportanycastGWonbothsides.SameGWIPbutdifferentMACBorderleaflearnsalltheMACandIPofanotherfabric,应用的可视性：硬件辅助精确测量流量基于应用的遥测（ApplicationBasedTelemetry）,输入监控目标比如：某应用的WebServer到AppServer,将收发两端的计数器联系在一起反馈结果,M,硬件设置标记,应用的可视性：应用健康监测,96%,Microsecond(s),PacketsDropped,5,25,7,3,应用标识的实现,WAN/Core,边缘终结所有的主机二层协议：包括MAC学习,ARP,IGMP,LLDP,DHCP内部严格的故障隔离：Fabric内没有生成树、ARP广播、未知单播洪泛等等，象传统的三层路由网络一样可扩展VLANAnywhere：任何服务器可在任意VLAN，VLAN可延展到全网GatewayAnywhere：任意位置都可做任意VLAN路由，同一VLAN网关一致RoutingAnywhere：无论VLAN内还是VLAN之间都以类似三层路由的方式通信,ACIFabric优势总结：象三层路由网络一样的扩展和隔离性，实现统一的二层/三层转发,GWIP:GWMAC:0011:2222:3333,增强型的TRILL增强型的VXLAN,灵活拓扑横向扩展高可用性动态接入,Nexus9500SwitchLineCards,X9600SeriesLineCardsHighPerformance40GAggregationN9K-X9636PQ12x100GEPortLineCard(Future),X9500SeriesLineCardsPerformance10G/40GAccess/AggregationN9K-X9564PXN9K-X9564TXN9K-X9536PQ,Merchantonly,NX-OSMode,Merchant+,NX-OSModeACILeafReady*,NX-OSModeonly,*ACIleafsupportisCY15,ACILeaf：Nexus9300,NFET2,ALE-NS,NetworkInterfaces,12x40GbHi-Gig2,12x40GbEthernet,FrontPanel48x1GE/10GEPorts,GEM12x40GEQSFP+Uplinks,Nexus9396PQ/Nexus9396TX,Nexus93128TX,NFET2,ALE-NS,NetworkInterfaces,8x40Gb,24x40GbEthernet,FrontPanel96x1GE/10GEPorts,GEM12x40GEQSFP+Uplinks(only8portsareactive),Scale,提纲,ACI的控制平面及转发平面ACI的EcosystemACI的应用案例,完全开源、开放、公开透明的多厂商架构,OpenRESTAPIsSupportIntegrationWithAnySoftware,OpFlex:OpenFabricAttachedDeviceAPISupportsIntegrationwithAnyNetworkDevice,北向,南向,Openflow,3rdpartyswitches,OpFlexAFlexible,ExtensiblePolicyProtocol,OpflexProtocol+Ecosystem,OPENSOURCEOpensourceimplementationavailabletoanyone,ECOSYSTEMBroad,growingvendorsupportincludinghypervisor,network,andL4-7,STANDARDUpcomingOpflexstandardthroughIETF,OpFlex,DELIVERINGINVESTMENTPROTECTIONBYALLOWINGANYDEVICETOINTEGRATEWITHCISCOACI,ACILayer4-7ServiceIntegration,Centralized,Automated,AndSupportsExistingModel,ElasticserviceinsertionarchitectureforphysicalandvirtualservicesHelpsenableadministrativeseparationbetweenapplicationtierpolicyandservicedefinitionAPICascentralpointofnetworkcontrolwithpolicycoordinationAutomationofservicebring-up/tear-downthroughprogrammableinterfaceSupportsexistingoperationalmodelwhenintegratedwithexistingservicesServiceenforcementguaranteed,regardlessofendpointlocation,Chain“Security5”,PolicyRedirection,.,ServiceProfile,“Security5”ChainDefined,44,ServiceAutomationThroughDevicePackage,PolicyEngine,APICprovidesextendablepolicymodelthroughDevicePackage,ConfigurationModel,DeviceInterface:REST/CLI,APICScriptInterface,PythonScripts,ScriptEngine,APICPolicyManager,ConfigurationModel(XMLFile),PythonScripts,ProviderAdministratorcanuploadaDevicePackage,DevicePackagecontainsXMLfinedefiningDeviceConfigurationModel,DevicescriptstranslatesAPICAPIcalloutstodevicespecificcallouts,45,DevicePackageExample,FollowingfunctionscanbeconfiguredthroughAPIC,46,CreateServiceGraph,47,VI/ServerAdmin,InstantiateVMs,AssigntoPortGroups,CreateApplicationPolicy,Web,Web,Web,App,WEBPortgroup,Appportgroup,Dbportgroup,8,5,1,9,ACIFabric,AutomaticallyMapEPGToPortGroups,PushPolicy(Lazy),APICCreatesVDS,2,CiscoAPICandVMwarevCenterInitialHandshake,6,DB,DB,7,APICCreatesPortGroups,ACIHypervisorIntegrationVMWareDVS,3,AttachHypervisortoVDS,4,LearnlocationofESXHostthroughLLDP,AzurePackTenant,Web,Web,Web,Web,App,App,3,6,ACIFabric,PushNetworkProfilestoAPIC,PullPolicyonleafwhereEPattaches,IndicateEPAttachtoattachedleafwhenVMstarts,1,2,DB,DB,HYPERVISOR,HYPERVISOR,HYPERVISOR,ACIAzurePackIntegration,GetVLANsallocatedforeachEPG,CreateApplicationPolicy,7,AzurePackSPF,SCVMMPlugin,APICPlugin,1,OpenStackAPICPlugin,Operation:UsestandardOpenStackAPIsandprimitivesnetworks,subnets,etc.LeveragestandardOVSIPTablesavailableforsecuritygroupfunctions,Host1,OVS,NetworkBV(X)LAN10/24,NetworkAV(X)LAN100/24,Host2,OVS,NetworkCV(X)LAN10/24,NetworkAV(X)LAN100/24,Host3,OVS,NetworkBV(X)LAN10/24,NetworkAV(X)LAN100/24,Host4,OVS,IPTables,NetworkCV(X)LAN10/24,NetworkAV(X)LAN100/24,IPTables,IPTables,IPTables,AdvantagesACIFabricoffershardwareVXLANencapsulationFlexibleplacementofvirtualmachinesDistributedL3gatewayL2Extensiontophysicalservers,etc.,APICPluginconvertsnetworkstoEndPointGroups,RESTAPI,OpenstackComponents,OpenStackNeutronArchitecture,NeutronServer,RESTAPI,NeutronCoreplugins,NeutronServiceplugins,Core+ExtensionRESTAPIsMessageQueueforcommunicatingwithNeutronAgentsCoreandServicePluginsDifferentvendorcorepluginsDifferentnetworktechnologysupportML2pluginwithTypeandMechanismDriversServicepluginswithbackenddrivers,CoreAPINetworkPortSubnet,ResourceandAttributeExtensionAPIProviderNetworkPortBindingRouterQuotasSecurityGroupsAgentSchedulerLBaaSFWaaSVPNaaS.,Tenant,Network,SecurityGroup,SecurityGroupRule,Network:external,Router,Port,Subnet,CoreAPI,L3+ExternalNetExtension,SecGrpExtension,OpenStackNeutronNetworkingModel,53,Tenant,BridgeDomain,Context(VRF),Subject,AppProfile,OutsideNetwork,Subnet,EndpointGroup,Contract,CiscoACIModel,54,CiscoOpenStackACIModel,NeutronAPIMapping,55,VMsonComputeNodes,NeutronCiscoApplicationPolicyInfrastructureController(APIC)DriverandPlugin,56,NeutronServer,NeutronCoreplugin(ML2),CiscoAPICDriver,APIC,VMsonComputeNodes,vSwitchDriver,ACISpine/LeafSwitches,RESTAPI,Network:EPG,Router:Contract,ProvidesdistributedL2,L3functionality,DevelopingIntegrationwithAPICUsingOpenStackNeutronGroupPolicyAPI,vswitch,OpenStackTenant(PerformsSteps1,4),InstantiateVMs,CreateApplicationPolicy,Web,Web,Web,Web,App,App,4,3,5,ACIFabric,AutomaticallyPushNetworkProfilestoAPIC,PushPolicy,CreateNetwork,Subnet,SecurityGroups,Policy,Network,ROUTING,SECURITY,1,2,DB,DB,HYPERVISOR,HYPERVISOR,HYPERVISOR,OPENVIRTUALSWITCH,OPENVIRTUALSWITCH,OPENVIRTUALSWITCH,ACIOpenStackIntegrationPhase1,57,Group-basedPolicyinOpenStack,ApprovedforJunoRelease,MessymappingACItocurrentOpenStackcomponentsEndpointGroups(Ports+SecurityGroups)Contracts(SecurityGroups+SecurityGroupRules)Goal:IntroduceACImodelintoOpenStackStartingwithGroupsandGroupbasedPolicies,58,ACIOpenStackIntegrationPhase2,2,CreateApplicationPolicy,3,5,ACIFabric,PushPolicy,OpenStackTenant(Performsstep1,4),InstantiateVMs,Web,Web,Web,Web,App,App,4,CreateApplicationNetworkProfile,1,DB,DB,HYPERVISOR,HYPERVISOR,HYPERVISOR,AutomaticallyPushNetworkProfilestoAPIC,OpenvSwitch,Neutron,Order3-TierApplicationwebTier/appTieronOpenstack,CiscoIAC,ServiceCatalog&SelfServicePortal,GlobalOrchestration(CiscoProcessOrchestrator),EPG,EPG,appTier,webTier,DistributedvSwitch,ESXi,Order3-TierApplication:dbTieronvmware,CiscoIAC,ServiceCatalog&SelfServicePortal,vCenter,EPG,EPG,appTier,webTier,EPG,dbTier,GlobalOrchestration(CiscoProcessOrchestrator),Order3-TierApplication:servicechainingandapplicationprofile,CiscoIAC,ServiceCatalog&SelfServicePortal,EPG,EPG,appTier,webTier,Contract“rmi”,EPG,dbTier,Contract“sql”,GlobalOrchestration(CiscoProcessOrchestrator),Contract“web”,提纲,ACI的控制平面及转发平面ACI的EcosystemACI的应用案例,Spine（Nexus9508）,LeafNexus9396,ECMP,40G,IpsecVPN,Internet,LeafNexus9396,LeafNexus9396,BorderLeaf,ASR1002,MSTP,石家庄联通机房（二枢纽）,北京机房,济南机房,ASR1002,ASR1002,汽车之家数据中心,与运营商采用10G接口对接，使用静态路由，需要和2家运营商对接（有可能最终只与联通对接）,OSPFPeeringConsideration,SupportOSPFNSSAareawithcurrentsoftwareNoOSPFadjacencybetweenborderleafswitches(unlessuseSVIforL3outsideconnection)Dualconnectborderleaftoexternalrouterstoavoidsplitarea.HavingredundantconnectionsbetweenexternalroutersSupportpolicytotunesomeprotocolparametersOSPFreferencebandwidthSPFtimerTagOSPFroutes,ACIL3OutsideConnectionOSPFDesignFailureScenario,Area10NSSA,ACIBorderLeaf,ACIBorderLeaf,NoTransitrouting/transitL3trafficsupportwithcurrentsoftwareCurrentpolicymodelsupportscontractbetweeninternalEPGandexternalEPG.NocontractsupportbetweentwoexternalEP.MakesureexternalroutersdonotuseACIfabricastransitnode,负载均衡设备（FullNAT）,PC-VIP,M-VIP,API-VIP,负载均衡设备RNAT,M物理服务器,PC物理服务器,未命中缓存,未命中缓存,搜索服务器,数据库缓存Redis/Rabbitmq,负载均衡设备RNAT,图片服务器,内部用户,互联网PC用户,互联网移动终端,DNS,80,DNS,80,DNS,80,IP,80,IP,80,IP,80,IP,80,IP,80,IP,1433,IP,8080,IP,8080,IP,445和139,要点：外部负载均衡设备对源和目的IP都做了NAT缓存设备缺省网关没有指向外部负载均衡设备缓存设备双网卡绑定为teaming连接到网络上，与外部负载均衡设备以及物理服务器都是通过这一对网卡进行通信搜索服务器负载均衡设备使用了源地址NAT(SNAT)内部用户访问可以通过负载均衡设备访问PC物理服务器，负载设备进行了SNAT缓存设备通过Nginx的反向代理实现对物理服务器的负载均衡，将动态业务请求发送到物理服务器图像缓存设备Squid只对图像服务器进行读操作PC物理服务器只对图像服务器进行写操作物理服务器与数据库服务器之间有缓存服务器Redis或Rabbitmq，二手车与资讯共用数据库缓存,IP,80,二手车业务线应用现状,数据库服务器,负载均衡设备,互联网用户,业务线1,缓存设备,图片服务器,FastDFS存储,业务线2,应用互访分析,生产业务线,开发测试,新业务,管理服务环境,业务线之间的互访有两种方式，一是通过负载均衡器，二是通过Nginx反向代理新业务主要是电商业务开发测试是生产业务线的一个简化版环境生产业务线、新业务和开发测试彼此独立，但基本架构相同生产业务线、新业务和开发测试间需要彼此获取业务数据管理服务器环境需要访问生产业务线、新业务和开发测试,数据库缓存,反向代理,ACI部署,Tenant:Autohome,鹿泉中心划分一个Tenant划分四个BridgeDomain，分别对应生产、开发测试、新业务和网络管理BridgeDomain启用优化措施：Layer2unknownunicast:hardwareproxyARPflooding：disable每个BridgeDomain对应一个Subnet（IP地址段）各个Subnet属于一个Context（VRF)生产按照业务线及各种共有资源划分EPG根据实际需要划分ApplicationProfile开发测试和新业务的EPG、ApplicationProfile划分方式与生产类似,Context:Autohome-Private-Network,BridgeDomain1,BridgeDomain2,BridgeDomain3,BridgeDomain4,OverlayControllers,Forwarders(DataPlane),Location(ControlPlane),Provisioning(ManagementPlane),Controller,Provisioning,OverlayCP,Driver:DynamicprovisioningofVirtualNetworks(Overlays)&NetworkPolicyNirvana:Coupleoverlayandunderlaymanagement,Reachabilitychannel,Provisioningchannel,Centralized-DatabaseTightintegrationwithprovisioning/managementLimitedscale,OverlayControlPlaneApproaches,Distributed-NetworkProtocolLooserintegrationwithprovisioning/managementGlobalscale,OpenFlow,OVSDB,BGP/LISP,OpFlex,OVSDB.NefConf-YAN