Transcript of: Cisco ACI Multicloud DC Networking (Security Everywhere, Analytics Everywhere, Policy Everywhere)
Cisco ACI
Multicloud DC Networking
Pepa Venzhöfer, Systems Engineer DC, CCIE DC #59794
5.2.2019
Agenda: Remote Leaf / Virtual PoD / APIC / Multi-Site / Multi-Cloud Extensions

ACI Anywhere - Vision: Any Workload, Any Location, Any Cloud
[Diagram: On Premise, Remote Location and Public Cloud joined over IP WAN under ACI Anywhere: Security Everywhere, Policy Everywhere, Analytics Everywhere]
ACI Software Release Timeline / ACI Software Release Guideline
[Timeline: Q4 2016, Q1 2017, Q2 2017, Q3 2017, Q4 2017, Q1 2018, Q2 2018, Q3 2018, Q1 2019]
Major Releases (target: one release every four months): ACI 2.1, 2.2, 2.3, 3.0, 3.1, 3.2, 4.0, 4.1
Maintenance Releases: ACI 2.0(2), 2.1(2), 2.2(2), 2.3(2), 3.0(2), 3.1(2), 3.2(2), 4.0(2)
Long Lived Releases: ACI 2.1(x), 2.2(x), 3.2(x)

Long Lived Releases
▪ Two long lived releases at any given point of time
▪ Active maintenance will be primarily focused on long lived releases
▪ Target duration of long lived release support: up to 18 months from FCS
▪ Direct upgrade from one long lived release to the next long lived release will be supported
▪ Long lived releases are recommended for networks that will not be upgraded frequently

Short Lived Releases
▪ No active maintenance beyond six months from FCS
Networking Infrastructure: Nexus 9000 Series Platforms
ACI Software Enablement
ACI Spine: N9K-C9332C 32p 40/100G QSFP28
▪ 1RU Form Factor To Support Small Scale ACI Fabric Deployments
▪ Telemetry –SSX Support
▪ Encryption Support On The Last 8 Ports
▪ 10G Support With QSA At FCS
▪ Support For AC/DC/HVDC PSU At FCS On Port-side Exhaust And Port-side Intake
▪ Optics Support Parity With Existing Products
▪ Transition 1st Gen Nexus 9336PQ Product
Platform: N9K-C9332C, supported from ACI 4.0

ACI Leaf: N9K-C93240YC-FX2, 48p 1/10/25G SFP28, 12p 40/100G QSFP28
▪ ACI Access Leaf
▪ Flexible Speed 1/10/25/40/100G Ports
▪ Line-rate MACSEC Encryption
▪ 40MB Buffer (10MB Per Slice, 20MB Shared) With Smart Buffer Feature
▪ 1:1 Oversubscription for High Bandwidth Applications
▪ FEX Support
▪ Telemetry – FT, FTE and SSX
▪ Flexible TCAM Templates
Platform: N9K-C93240YC-FX2, supported from ACI 4.0
ACI Software Enablement: Nexus 9000 & APIC Hardware
Nexus Foundation: CloudScale Platforms (Nexus 9300, Nexus 9500)
▪ Nexus C93216TC-FX2: 96p 10GT, 12p 100G QSFP28 (ACI: Futures)
▪ Nexus C93240YC-FX2: 48p 1/10/25G SFP28, 12p 40/100G QSFP28 (ACI 4.0)
▪ Nexus 9336C-FX2: 36-port 40/100G QSFP28 (ACI 3.1(2x))
▪ Nexus N2K-C2348TQ-E: 48p 1/10G + 6p 40G QSFP+ (ACI 3.1)
▪ Nexus 9332C fixed spine: 32p 40/100G QSFP28, 2p 10G (ACI 4.0)
▪ APIC-CLUSTER-M3 (< 1200 leaf ports) and APIC-CLUSTER-L3 (>= 1200 leaf ports) (ACI 4.0)
▪ Nexus C93360YC-FX2: 96p 25G SFP28, 12p 100G QSFP28 (ACI: Futures)
Remote Leaf
© 2019 Cisco and/or its affiliates. All rights reserved.
ACI: Physical Remote Leaf (shipping since ACI 3.1, Q1 CY18)
[Diagram: Site A main DC spines connected over an IP network (WAN core: IPv4, MPLS, SR, etc.) to remote leafs at a remote location; the remote leafs keep a logical VXLAN connection to the spines]
▪ Zero touch auto discovery of remote leaf
▪ Two remote leafs, up to 20 remote locations
▪ Stretch EPG, BD, VRF, tenant and contract to the remote location
▪ Health scores and EPG stats
▪ Port speed: 1/10/40/100G
▪ Requires IP reachability for the VTEP address pool
Remote Leaf Requirements: Hardware & Software
ACI main DC, supported spines:
▪ Fixed spine: N9364C, N9332C (ACI 4.0)
▪ Modular spine (C9504/C9508/C9516): N9732C-EX, N9736C-FX
Remote location, supported leaf: N93180YC-EX, N93108TC-EX, N93180LC-EX, N93180YC-FX, N93108TC-FX, N9348GC-FXP, N9336C-FX2
All hardware from -EX onwards is supported
ACI Remote Leaf: PBR (ACI 4.0)
[Diagram: EP1 (EPG1) and EP2 (EPG2) at the remote location, EP3 in the main DC, joined over the IP network (WAN core: IPv4, MPLS, SR, etc.); the contract between EPG1 and EPG2 applies PBR to an L4-L7 service node located at the remote leaf, so the redirected traffic is switched locally]
ACI Remote Leaf: Inter-VRF Traffic (ACI 4.0)
[Diagram: EP1 in VRF1 and EP2 in VRF2 at the remote location, EP3 in the main DC, joined over the IP network (WAN core: IPv4, MPLS, SR, etc.); inter-VRF traffic between EP1 and EP2 is switched locally at the remote leaf]
New EP Learning on RL During Spine Failure (ACI 4.0)
[Diagram: all links from the remote location to the main DC spines marked down; EP1 in BD1 and EP2 in BD2 at the remote location, EP3 in the main DC]
When the spines are unreachable and an ARP for EP2 arrives, the t_glean process at the remote leaf initiates a glean for the discovery of EP2, and EP2 is learned on the remote leaf.
Host Route Advertisement from BL & RL: Ingress Path Optimization (ACI 4.0)
[Diagram: EP1 (100.1.1.1) at the remote location and EP3 (100.1.1.2) in the main DC; external client 20.1.1.1 in 20.20.20.0/24 reached over the WAN]
▪ The remote leaf L3out advertises the host route 100.1.1.1/32 for EP1
▪ The border leaf Local-Pod-L3out advertises the host route 100.1.1.2/32 for EP3
▪ Ingress traffic from the external client follows the /32 to the leaf where the endpoint actually resides
ACI Remote Leaf: RL-to-RL Traffic Forwarding (ACI 4.1)
[Diagram: ACI main DC PoD1 and PoD2 with remote locations attached to each pod over the IP network (WAN core: IPv4, MPLS, SR, etc.); EP1 and EP2 at the remote locations, EP3 in the main DC; traffic between remote leafs is forwarded directly over the IP network instead of via the spines]
ACI Remote Leaf with Multi-Site (ACI 4.1)
[Diagram: ACI main DC Site1 and Site2, each with its own remote location, interconnected over the IP network (WAN core: IPv4, MPLS, SR, etc.); EP1 and EP2 at the remote locations]
ACI Remote Leaf: Roadmap
ACI 3.1 Release
▪ EX and FX models
▪ vMotion to remote location
▪ VMware DVS, Hyper-V
▪ Local service integration
ACI 3.2 Release
▪ FEX support
▪ ACI Virtual Edge
▪ OpenStack, Kubernetes
▪ Atomic counters
ACI 4.0 Release
▪ 128 ToRs
▪ Local switching at RL for PBR, inter-VRF and ERSPAN
▪ Learning new EPs when the spine is down
ACI 4.1 Release
▪ MACSEC
▪ EP tracker and troubleshooting wizard
▪ Remote Leaf + Multi-Site
▪ RL to RL direct forwarding
Virtualization & Cloud Automation

ACI Virtual Edge (AVE), shipping since ACI 3.1 (Q1 CY18)
▪ Maintain existing operational models
▪ Simple transition/migration AVS => AVE
▪ Policy consistency across multiple hypervisors
▪ AVS/AVE feature parity
[Diagram: AVS is hypervisor dependent (a virtual switch inside the hypervisor on the bare metal server); ACI Virtual Edge is hypervisor agnostic (a VM running on top of the hypervisor's native switch)]
ACI: Virtual Edge (AVE) Roadmap
ACI 3.1 Release
▪ VLAN, VxLAN
▪ Micro-segmentation
▪ Distributed firewall
▪ Migration from AVS
ACI 3.2 Release
▪ L4-L7 services
▪ Health monitoring
▪ Remote physical leaf support
▪ Remote storage support
ACI 4.0 Release
▪ Tetration sensor
ACI Future
▪ Virtual Pod (vPod)
▪ Proactive HA
▪ VxLAN load balancing
▪ Local switching and policy
▪ Container L4-L7 services
▪ Multi NIC support
Cisco ACI Virtual Pod: Extend ACI to Bare Metal Clouds and Remote Data Centers (ACI 4.1)
▪ Bare metal clouds (IBM, OVH, etc.)
▪ Remote data centers
▪ Co-location facilities (Equinix, CoreSite, etc.)
▪ Brownfield deployments
[Diagram: on-premises ACI data center connected over an IP network to a remote location of hypervisor hosts; ACI policy is extended from the on-premise DC into the vPod]
ACI vPod Requirements: Hardware & Software Components (ACI 4.1)
On-premises data center, supported spines:
▪ Fixed spine: N9364C, N9332C
▪ Modular spine (C9504/C9508/C9516): N9732C-EX with N9K-C950x-FM-E(2), N9736C-FX with N9K-C950x-FM-E(2)
APIC controller software: ACI 4.0 onward
vPod data center:
✓ VMware vCenter running 6.0 or later
✓ 2 hosts for the management cluster recommended (management and payload can co-exist)
✓ ESXi 6.0 or 6.5
• Each vSpine (x2) and vLeaf (x2) VM consumes 2 vCPU, 8 GB RAM and 80 GB storage
• Each AVE (one per ESXi host) VM consumes 2 vCPU, 8 GB RAM and 8 GB storage
ACI vPod License Elements (ACI 4.1)
▪ Management cluster: single license per management cluster, one per vPod; up to 6 vPods in the ACI 4.1 release
▪ Cisco ACI Virtual Edge (vPod mode): software license per AVE, per workload server; up to 64 AVE per vPod (up to 32 in ACI 4.1)
▪ AVE is NOT licensed if not in vPod
OpenShift on OpenStack Integration with ACI (ACI 4.0)
• Independent OpenStack VMM domain and OpenShift container domain
• OpenShift nodes run as OpenStack instances connected to a special Neutron network with APIC extensions
• OpFlex managed KVM-OVS and OpenShift-OVS without double encapsulation
• Both OpenShift pods and KVM instances are first class citizens
• Supported with Red Hat OSP10 or higher and OpenShift 3.9
[Diagram: Nova servers running KVM VMs and OpenShift nodes, each attached through an OpFlex-managed OVS; ACI policies, Neutron policy and network policy are rendered onto the same fabric]
Supported Container Application Platforms
Platform               | Baremetal | ESXi   | KVM/OpenStack
Open source Kubernetes | ✓         | ✓      | Future
Openshift              | ✓         | ✓      | ✓
Pivotal Cloud Foundry  | ✓         | n/a    | Future
Docker EE (Kubernetes) | Future    | Future | Future
Mesosphere             | Future    | Future | Future
Refer to the ACI virtualization support matrix for details: https://www.cisco.com/c/dam/en/us/td/docs/Website/datacenter/aci/virtualization/matrix/virtmatrix.html
ACI Multi-Tier

ACI: Multi-Tier Architectures (ACI 4.1)
Seamless migration from legacy 3-tier architectures
▪ Three tier ACI fabric
▪ Vertical expansion of the ACI policy domain
▪ Investment protection: reuse existing cable plan
▪ Replace FEX architecture with a 2nd tier leaf: better visibility and policy enforcement
▪ Simplify N2/N5/N7k migration to ACI
[Diagram: spine, 1st tier leaf, 2nd tier leaf with VM hosts below]
Multi-Tier Fabric Topologies: Cable Plant Simplification
• Multi-Pod is often used to support multiple blocks connected within the same DC (between halls, buildings, etc. within the same campus)
• Multi-Tier provides another option to address cabling limitations
• Eases migrations from Nexus 7/5/2K designs
[Diagram: ACI Pods A to E joined by the Inter-POD network and WAN/DCI]
Supported Platforms in ACI 4.1
▪ Spine: any next gen spine (-EX/-FX, N9364C)
▪ 1st tier leaf: any -EX, -FX and -FX2 ToR (exception: N93180LC-EX)
▪ 2nd tier leaf: any -EX, -FX and -FX2 ToR
[Diagram: spine, 1st tier leaf, 2nd tier leaf with VM hosts below]
Connectivity Requirement to 2nd Tier Leaf
• A 2nd tier leaf fabric port connects to a 1st tier leaf fabric port
• All ports of a 1st tier leaf can be converted to fabric ports using the port profile feature
• A 2nd tier leaf can connect to multiple 1st tier leafs. This can be an advantage in ACI designs, since the customer can connect to more than 2 upstream switches, compared with a traditional double-sided vPC design that allows only 2 upstream switches.
[Diagram: spine, 1st tier leaf, 2nd tier leaf with VM hosts below]
ACI Multisite

ACI Multi-Site, shipping since ACI 3.0 (Q3 CY17)
[Diagram: Sites A, B, C and D, each an ACI fabric hosting VMs, managed by the Multi-Site Orchestrator]
▪ Consistent policy across sites
▪ Single point of orchestration
▪ Availability and fault isolation
▪ Scale
ACI: Multi-Site Roadmap
ACI 3.1 Release
▪ Nexus 9364C (fixed spine)
▪ Multi-Site health check
▪ External authentication
▪ Audit / accounting logs
▪ Shared GOLF
▪ Up to 8 sites, 800 leafs
ACI 3.2 Release
▪ Multi-Site + Multi-Pod
▪ L4-L7 services support
▪ Spine-spine (dark fiber)
▪ Consistency checker (Multi-Site, APIC, HW)
▪ UCS-D orchestration (6.6)
▪ Up to 10 sites, 1200 leafs
ACI 4.0 Release
▪ CloudSec
▪ L3 multicast
▪ 2-node service graphs (FW+SLB)
▪ N9K-9332C spine
▪ Up to 12 sites, 1200 leafs
ACI 4.1 Release
▪ Inter-site L3out
▪ Multisite + Remote Leaf
▪ L1/L2 PBR service graphs
▪ Physical appliance
▪ Patch API, Swagger
▪ ACI Mini support
ACI Multi-Site: Continuous Scale Improvements
Parameter                | ACI 3.1 / MSC 1.1 | ACI 3.2 / MSC 1.2 | ACI 4.0 / MSC 2.0 | ACI 4.1 / MSC 2.1
Number of sites          | 8                 | 10                | 12                | 18
Max leafs (across sites) | 800               | 1,200             | 1,200             | 1,800
Tenants                  | 200               | 300               | 400               | 400
VRF                      | 400               | 800               | 1,000             | 1,000
BD                       | 2,000             | 3,000             | 4,000             | 4,000
EPGs                     | 2,000             | 3,000             | 4,000             | 4,000
Contracts                | 2,000             | 3,000             | 4,000             | 4,000
L3Out (external EPGs)    | 500               | 500               | 500               | 500
Isolated EPGs            | 400               | 400               | 400               | 400
ACI Anywhere Extension to Cloud

ACI Extensions to Multi-Cloud
[Diagram: Sites A to D, including a public cloud site, managed by the ACI Multi-Site appliance]
▪ Consistent network and policy across clouds
▪ Seamless workload migration
▪ Single point of orchestration
▪ Secure automated connectivity

ACI Anywhere: On-Prem Connectivity to AWS VPC with Direct Connect + VPN (ACI 4.1)
[Diagram: on-premises Site A and an AWS region as public cloud Site B. The infra VPC hosts CSR1000V routers; user VPC-1 and user VPC-2 host AWS instances. The customer premise router reaches the Amazon VGW through a customer router at a colocation DX location and the AWS Direct Connect routers. Overlay between the sites: BGP EVPN control plane, VXLAN tunnel data plane.]
ACI Anywhere: Roles of MSO & Cloud APIC

MSO
▪ Physical and cloud site: registration; on-prem and cloud site inter-connectivity; tenant creation across on-prem and cloud sites
▪ Use cases: VRF and EPG stretch; contracts between on-prem and cloud EPGs; cloud and on-prem shared services; L3out cloud and on-prem; L4-L7 application LB
▪ Import and deploy: brownfield templates from cAPIC (e.g. site1::region-us-east1 => site2::region-us-west1)
▪ Migration between on-prem and cloud and vice-versa
▪ Operations: Day 1: on-prem and cloud site; Day 2: health, troubleshooting and monitoring

Cloud APIC (cAPIC)
▪ cAPIC cluster: defines 1 cloud site with multiple regions; zero touch provisioning of the cloud infra VPC; manages the lifecycle of the CSRs across all regions; renders the ACI policy model in any public cloud; manages cloud health
▪ ACI policy and networking: ACI policy translation to cloud native policy (AWS, Azure, GCP, etc.); ACI policy enforcement using cloud native constructs and vice versa; provisions the underlay for connecting other cloud and on-prem sites; auto-provisioning and scaling of resources based on usage
▪ Imports and deploys brownfield cloud deployments into the ACI policy (e.g. site1::region-us-east1 to site1::region-us-east2)
▪ Supports cloud first deployment across all regions
▪ Supports consuming all public cloud native services
AWS Use Case-1: Stretched VRF with Inter-Site Contracts (ACI 4.1)
[Diagram: the Multi-Site Orchestrator manages APIC Site 1 (physical) and cAPIC Site 2 (AWS). Tenant 1 has a stretched VRF1: on-prem BD/Subnet1 with Web-EPG1 and BD3/Subnet3 with App-EPG1; in AWS CIDR 2 with Web-EPG2 and CIDR 4 with App-EPG2. Contracts C1 and C2 apply across the sites.]
AWS Use Case-2: Stretched EPG (ACI 4.1)
[Diagram: the Multi-Site Orchestrator manages APIC Site 1 (physical) and cAPIC Site 2 (AWS). Tenant 1, VRF 1: the stretched EPG Web spans BD1/Subnet1 on-prem and CIDR 2 in AWS; the stretched EPG App spans BD2/Subnet3 on-prem and CIDR 4 in AWS; contract C1 between Web and App.]
AWS Use Case-3: Inter-Site Shared Services (ACI 4.1)
[Diagram: the Multi-Site Orchestrator manages physical APIC Sites 1, 2 and 3 and cAPIC AWS Sites 3 and 4. Tenant 1, VRF 1: Web-EPG in BD1/Subnet1 and BD1/Subnet2, App-EPG in BD2/Subnet4 and BD2/Subnet5. Tenant 2, VRF 2: the provider in CIDR 1 and a stretched DNS EPG in CIDR 2. Contracts C1 and C2 with VRF route leaking between the tenants.]
AWS Use Case-4: L3out Cloud and On-Prem (ACI 4.1)
[Diagram: the Multi-Site Orchestrator (MSO) manages on-premise Site A and public cloud Site B. In Region 1 the infra VPC has a CSR in AZ-1 and in AZ-2; user VPC-1 and user VPC-2 attach through their VGWs over IPSec / GRE tunnels and IPSec tunnels. Instances 01 to 04 sit in EPG-1, EPG-2 and EPG-3, mapped to security groups SG-1, SG-2 and SG-3. Each user VPC has a cloud local L3out via its IGW.]
AWS Use Case-5: L4-L7 Services, Application Load Balancer (ACI 4.1)
[Diagram: L3Out (0.0.0.0/0) via the IGW; the application load balancer spans Subnet-1 in AZ1 and Subnet-2 in AZ2]
ACI Anywhere Public Cloud Roadmap
ACI 4.1 Release
▪ ACI-AWS launch
▪ cAPIC policy translation
▪ CSR interconnect automation
▪ MSO public cloud operations
▪ AWS ALB support
▪ 4 cloud sites and 18 physical sites
Future
▪ Azure, GCP
▪ Cloud native services using ACI policy
▪ SD-WAN integration
▪ L4-L7 FW services
▪ Telemetry and operations
▪ Interconnect via DX and Express Route
▪ Compliance and security governance
▪ L2 mobility without re-IP
▪ CSR in user VPC
▪ Tetration integration
▪ CloudCenter integration
▪ Elastic BM
ACI Security

ACI 2-Factor Authentication Options
▪ External authentication via SAML; supported IdPs: Okta and MSFT ADFS
▪ Local authentication: TOTP using Google Authenticator as the 2nd factor (PIN, enrolled via barcode)
▪ RSA SecurID
▪ PingFederate SSO
▪ PingID 2-FA
▪ Federal Common Access Card (CAC)
Release labels shown on the slide, left to right: ACI 3.0, ACI 3.0, ACI 3.1, ACI 3.2, ACI 4.0
Security Certifications (ACI 4.0)
▪ Certification: four entries listed as Certified
▪ Vulnerability scanners (Nessus, fuzzing, etc.; port scan, AppScan): Certified, run every release
MACSEC Link Encryption: MKA Key Exchange (New)
▪ APIC centralized key management
▪ Generate keys for every link segment
Link segments shown: 1. fabric links (spine to leaf); 2. stretch fabric, and border leaf to DCI (N7k/ASR9k); 3. Multi-POD or GOLF over the IPN/WAN
MACSEC for fixed spines, shipping since ACI 3.1; support for fixed spines: N9k-9364C, N9k-9332C
ACI Anywhere: Encrypted DCI Connectivity (ACI 4.0, New)
[Diagram: Multi-Site with Sites A, B and C over IP/WAN; MACSEC between the sites today, CloudSec in the future]
Usability and Operations

Network Admin Operational Challenges: Root cause? Prevention? Evidence? Capacity planning? Uptime? Remediation?

ACI: Introducing Network Insights-Resources: Understand What's Running in Your Network (Limited Availability)
Deep insights into network health (control plane, data plane, capacity, utilization and environmental health) through event analytics, flow analytics and resource analytics; the pipeline is data collection, anomaly detection and remediation.
▪ Event Analytics Dashboard: displays faults, events and audit logs in a time series fashion.
▪ Flow Analytics Dashboard: displays key indicators of infrastructure data plane health: flow anomalies, packet drops, latency, end point moves.
ACI 4.0 GUI Enhancements
Configuration
• Fabric membership simplification
• L3out simplification
• Admin module simplification
• vPod, Multi-pod workflow simplification
• Service parameter consolidation
• APIC upgrade improvements
• Application tab: context saving
Operations
• Show user activity
• Configurable capacity dashboard
• Tech support simplification
• TWS usability improvements
Usability
• New APIC alerts
• Share session across multiple tabs
• Enhanced capacity dashboard
• APIC upgrade
ACI Integrations

TrustSec and ACI: Border Leaf Leveraging IP Based EPG, shipping since ACI 2.3
▪ 100 SGTs, 64K bindings on the border leaf with ISE 2.4 and ACI 3.2 onwards

ACI: AppDynamics Integration: Identify Problems Faster by Correlating Application & Network Data
▪ Mapping application and service components to ACI (standalone app) [Beta]: ACI 4.0
▪ Mapping application and service components to ACI (standalone app) [GA]: ACI 4.1
▪ Cross launch AppDynamics and APIC to correlate network and application data: ACI 4.1
▪ Baseline application health status in AppDynamics by correlating ACI MO health and faults: Future
▪ Micro-segmentation based on application tiers: Future
[Diagram: network and application health correlation between the ACI fabric and AppDynamics]
ACI: Tetration Integration: Capture Intent & Translate to ACI Policy
▪ Hardware sensor support on Nexus 9000 EX and FX leafs and FX spine line cards: Shipping
▪ Tetration NPMD support for ACI fabric (single fault domain): Shipping
▪ Tetration NPMD support for Multi-Site, Multi-Pod, Remote Leaf: Future
▪ Hardware sensor support on Nexus 9000 EX spine line cards: ACI 4.1
▪ Standalone application to generate ACI policy from Tetration ADM output: ACI 4.1
[Diagram: the Cisco ACI fabric streams rich telemetry data from Nexus 9000 hardware to the Cisco Tetration platform; Tetration returns tenant and application policy requirements (ADM)]
ACI: SD-WAN (Viptela) Integration: Extend Operational Domain and Policy to Branch & Public Cloud (ACI 4.1)
[Diagram: San Francisco data center (Region West) and New York data center (Region East) in Multi-Site, each hosting FW, web server, app server and DB server (subnets 10.1.1.0/24 and 10.121.0/24 as printed); vEdge routers form the SD-WAN fabric over MPLS and Internet to the Los Angeles and Chicago branches, managed by vManage]
1. App policy determines the routing path between branch and data center to meet the SLA
2. Optimal path selection between on-prem apps and services hosted in multi-region AWS
Cisco ACI Config Management: Support for Puppet and Ansible (New)
• Ansible
  • Tenant, fabric access, L3Out, AAA policies
  • 55 ACI modules
• Puppet (new)
  • Tenant policies: 11 new types and providers
• Availability
  • Ansible: Ansible Core (2.4 and 2.5)
  • Puppet: GitHub now (https://github.com/cisco/ciscoacipuppet); Puppet Forge soon
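Both the Ansible and the Puppet modules listed above are wrappers around the APIC REST API: they log in with POST /api/aaaLogin.json, receive a session token, and post the tenant objects as JSON to /api/mo/uni.json. The block below is an added example, not Cisco code and not part of these slides, that performs the same operation directly so the shape of the exchange is visible: it builds the fvTenant / fvCtx / fvBD / fvSubnet payload, parses the aaaLogin reply, and pins a CA bundle for the TLS session instead of disabling verification. The hostname apic.example.com, the CA bundle path and the tenant, VRF, BD and subnet names are constructed for the example.

```python
import json
import ssl
import urllib.request

# Constructed values for this example; nothing here comes from a real fabric.
APIC_HOST = "apic.example.com"
APIC_CA_BUNDLE = "/etc/ssl/certs/apic-ca.pem"  # assumed path to the CA that issued the APIC cert


def login_body(user: str, password: str) -> dict:
    """Body for POST /api/aaaLogin.json; the password travels in this request."""
    return {"aaaUser": {"attributes": {"name": user, "pwd": password}}}


def extract_token(login_response: dict) -> str:
    """Pull the session token out of the aaaLogin reply; raise on anything else (e.g. an error MO)."""
    imdata = login_response.get("imdata", [])
    if not imdata or "aaaLogin" not in imdata[0]:
        raise ValueError("not an aaaLogin response: %s" % json.dumps(login_response)[:200])
    return imdata[0]["aaaLogin"]["attributes"]["token"]


def build_tenant_payload(tenant: str, vrf: str, bd: str, subnet: str) -> dict:
    """fvTenant containing an fvCtx (VRF) and an fvBD bound to it with one fvSubnet.
    Posting this to /api/mo/uni.json creates or updates the objects; re-posting is idempotent."""
    return {
        "fvTenant": {
            "attributes": {"name": tenant},
            "children": [
                {"fvCtx": {"attributes": {"name": vrf}}},
                {"fvBD": {
                    "attributes": {"name": bd},
                    "children": [
                        {"fvRsCtx": {"attributes": {"tnFvCtxName": vrf}}},
                        {"fvSubnet": {"attributes": {"ip": subnet, "scope": "private"}}},
                    ],
                }},
            ],
        }
    }


def tenant_dn(tenant: str) -> str:
    """Distinguished name the APIC assigns to the tenant object."""
    return "uni/tn-%s" % tenant


def tls_context(cafile) -> ssl.SSLContext:
    """Verify the APIC certificate against a pinned CA; never pass verify=False style settings."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def apic_post(host, path, body, token=None, cafile=APIC_CA_BUNDLE):
    """Network call (not exercised offline): POST JSON to the APIC with the session cookie."""
    req = urllib.request.Request("https://%s%s" % (host, path),
                                 data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    if token:
        req.add_header("Cookie", "APIC-cookie=%s" % token)
    with urllib.request.urlopen(req, context=tls_context(cafile), timeout=30) as resp:
        return json.load(resp)


def push_tenant(host, user, password, tenant, vrf, bd, subnet):
    """Log in, then post the tenant tree; returns the APIC's reply."""
    token = extract_token(apic_post(host, "/api/aaaLogin.json", login_body(user, password)))
    return apic_post(host, "/api/mo/uni.json", build_tenant_payload(tenant, vrf, bd, subnet), token)


if __name__ == "__main__":
    print(json.dumps(build_tenant_payload("sec-demo", "prod-vrf", "web-bd", "10.10.1.1/24"), indent=1))
```

The part worth carrying back to the automation modules is the certificate check: the aaaLogin exchange carries the admin password and the returned token grants the same API access as the GUI, so the modules' validate_certs option should stay at its default rather than being switched off to get past a self-signed APIC certificate; install a CA-issued certificate on the APIC and point the automation host at that CA instead.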
Other Improvements and Features

ACI Infrastructure Enhancements, ACI 4.0 (deployment, networking and operations)
▪ FC NPV
▪ Dot1x for IP phone
▪ Inter-VRF L3 multicast
▪ Policy indirection
▪ Host route on border leaf
▪ RoCE v2
▪ AVE enhancements
▪ AppD integration (App Center)
▪ Network Insight Resources app (App Center)
▪ New troubleshooting wizard
ACI Fabric Scale
Parameter                     | ACI 3.0 | ACI 3.1 | ACI 3.2 | ACI 4.0
Max. number of EPs            | depends on profile, see Verified Scalability Guide
# of VRF per tenant           | 50      | 128*    | 128     | 128
Max. # of VRF                 | 3K      | 3K      | 3K      | 3K
Max. # of BDs per VRF         | 256     | 1k*     | 1k*     | 1k*
Max. # of subnets / BD        | 512     | 1k*     | 1k*     | 1k*
Common pervasive gateway / BD | 256     | 256     | 256     | 256
vzAny contracts / VRF         | 16      | 16      | 16      | 16
# of IPs per MAC              | 1024    | 1024    | 4K      | 4K
IP-based EPG                  | 4k      | 4k      | 4k      | 4k
External EPG / L3Out          | 250     | 250     | 250     | 250
# of multicast groups         | 8k      | 8k      | 8k      | 32k
Cisco ACI Verified Scalability Guide: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/3-x/verified_scalabilty/b_Verified_Scalability_3_1_1x_and_13_1_1x.html
Tile Profiles: ACI 4.0
Flexibility to choose a tile profile based on your infrastructure needs:
▪ Default profile
▪ Policy heavy
▪ L2-only mode
▪ Multicast scale
▪ High dual-stack (FX leaf switches only)
Tile scale shown on the slide (total = local + remote):
EP MAC 64k | EP IPv4 64k | IPv4 host route + EP IPv4 + multicast 96k | EP IPv6 48k | LPM 38k | Policy 128k | Multicast 32k
ACI: FCoE NPV and FC NPV Support (New)
Platform         | FCoE NPV | FC NPV                                                          | FC Switching
N9k-93180YC-EX   | Shipping | N/A                                                             | N/A
N9k-93180LC-EX   | Shipping | N/A                                                             | N/A
N9k-93180YC-FX   | Shipping | ACI 3.2 (Q2 CY18): FC NPV 8/16G uplink SAN switch support       | Future
                 |          | ACI 4.0 (Q3 CY18): FC NPV host port support; trunking and port  |
                 |          | channel support on FC uplink; SAN boot                          |
N9K-C93360YC-FX2 | Future   | Future                                                          | Future
ACI: Mini ACI Fabric (ACI 4.0)
ACI fabric for small scale deployments; optimized physical footprint: 5 RU system
[Diagram: Spine 1, Spine 2, Leaf 1 (48 ports), Leaf 2 (48 ports), one physical APIC plus virtual APICs running as VMs]
Scale:
No. of spines: 2 | No. of leafs: 2-4 | No. of tenants: 25 | No. of VRFs: 25 | No. of BDs: 1000 | No. of EPGs: 1000 | No. of EPs: 20,000 | Virtual APIC: 2 | Physical APIC: 1
Promotion (PID and list price):
Step 1: Spines plus controller kit, ACI-C9332-VAPIC-B1 (consists of 2x N9K-C9332C + 1x APIC-CLUSTER-XS*), 20% discount: $83,600
Step 2: N9300 starter kit (2-pack), e.g. N9K-C93180-EX-B24C (consists of 2x N9K-C93180YC-EX + 8x 100G optics), 10% discount: $55,000
Step 3: ACI leaf license, 2x ACI-ES-XF: $30,000
Total: $168,600
ACI: Mini ACI Fabric
Fabric scope (4.0):
▪ Single pod and single site
▪ 200 edge ports per APIC-CLUSTER-XS
▪ No support for Remote Leaf, GOLF and vPod
vAPIC config: ESXi 6.5; 8 vCPU; 32G memory; HDD 300G and SSD 100G local storage
ACI 4.1 enhancements: Mini ACI with Multi-Site support
Licensing

Data Center Networking Subscription Offers (Cisco Nexus 9000 Series)
Cisco Software Support Service (SWSS) included in all subscriptions; 3/5 year subscriptions, single SKU.
▪ ACI Essentials subscription (single data center): ACI Base, Network Services, LAN Enterprise, DCNM LAN, Streaming Telemetry, PTP, ACI Multi-pod
▪ ACI Advantage subscription (multiple data centers and/or clouds): ACI Essentials plus VPN Fabric, ACI Multi-site, Physical Remote Leaf
▪ ACI Premier subscription (multiple data centers and/or clouds with highest innovation): ACI Essentials and ACI Advantage plus Network Assurance Engine
Appliances (APIC, ACI Multi-site controller vApp, and NAE vApp) are separate purchases.
ACI: Smart Licensing Recap
Duration
• 120 days evaluation period
• No functionality impact at the end of the evaluation period
Impact?
• No functionality impact to the ACI fabric based on Smart Licensing status
Support
• Smart License feature will be supported on ACI from release 3.2 onwards
• APIC will have a workflow to register with Cisco Smart License Manager
Registration recommendation
• Register the APIC to track your license usage and compliance
• Create Smart Accounts while placing new orders with ACI licenses
Summary

Cisco ACI Anywhere: Any Workload, Any Location, Any Cloud
Remote Leaf / Virtual PoD / APIC / Multi-Site / Multi-Cloud Extensions
[Diagram: On Premise, Remote Location and Public Cloud joined over IP WAN under ACI Anywhere: Security Everywhere, Policy Everywhere, Analytics Everywhere]
Thank you