Brkaci 1090

Data Centre and DNA Campus
Fabric Integration
Victor Moreno, Distinguished Engineer
BRKACI-2220

• Introduction
• Multi-level Policy and Management Architecture
• Introduction to ACI and DNA Campus Fabric
• Policy abstractions in ACI and DNA Campus Fabric
• Control and Data Plane Interworking
• Conclusion
Agenda

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Icon Legend
DB
APIC-EM Enterprise Network Controller
SDA Controller (APIC-EM + ISE)
Identity Services Engine (ISE)
APIC Data Center Network Controller
Scalable Groups
(User and Application)

Multi-level Switching Fabric
Architecture

Complex
Operational Simplicity
Security Concerns
Mobility
Reduce the Attack Surface with
Segmentation and Access
Control
Any IP anywhere
Pervasive L2 and L3 forwarding
Reactive
Operational Visibility and Streaming
Telemetry
Switching Fabric Trends

Switching Fabrics
Secure Segmentation
• Coarse Segmentation into Virtual Networks
• Flexible User/Device Grouping
• Fine Grain Segmentation into device
Groups
Mobility
• Any IP anywhere
• Wired and Wireless
• Layer 2 and Layer 3 services
Policy Driven
• Simplification of Intent
• Policy defines relationships between
Groups of devices
• Defines segmentation and security
Mobility Collaboration Security
Endpoints
Branch

What exactly is a Fabric?
Virtual Networks
Overlay Control Plane
Underlay Control PlaneUnderlay Network
Hosts
(End-Points)
Edge DeviceEdge Device
Virtual Network
Encapsulation
Mobility
Segmentation
Manageability

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 9Presentation ID
Switching Fabric Mobility
Locator-ID separation for L2 and L3 Services with host mobility
IP core
Device IPv4 or IPv6
Address Represents
Identity and Location
Today’s IP Behavior
Loc/ID “Overloaded” Semantic
10.1.0.1 When the Device Moves, It Gets
a New IPv4 or IPv6 Address for
Its New Identity and Location
20.2.0.9
Device IPv4 or IPv6
Address Represents
Identity Only.
When the Device Moves, Keeps
Its IPv4 or IPv6 Address.
It Has the Same Identity
Loc/ID “Split”
IP core
1.1.1.1
2.2.2.2
Only the Location Changes
10.1.0.1
10.1.0.1
Its Location Is Here!

Virtual Network 1 Virtual Network 2
Switching Fabric Segmentation
10
Identity Services
users things
groups

Fabric Enabled Segmentation
Virtual Network based Segmentation
Underlay Network
Virtual Networks

Group
Printers
Group
Projector
Group
Temp
Group
Perm
Campus/DC
JOHN MIKE
Device Group Based Segmentation
Employee Segment
00Building-Systems
JOHN MIKE
x
Virtual Networks
Airgap isolation between
communities of interest
End-point Groups
Access to resources controlled
based on User/Device role

Switching Fabric Manageability & Policy
Virtual Network

Switching Fabric Functional Tiers

Switching Fabrics: ACI and DNA
Campus

DNA Campus Fabric
Secure Segmentation
• Coarse Segmentation into Virtual Networks
• Flexible User/Device Grouping
• Fine Grain Segmentation into device
Groups
Mobility
• Any IP anywhere
• Wired and Wireless
• Layer 2 and Layer 3 services
Policy Driven
• Simplification of Intent
• Policy defines relationships between
Groups of devices
• Defines segmentation and security
Mobility Collaboration Security
Endpoints
Branch

Application Centric Infrastructure - ACI
Rapid Deployment of Applications onto
Networks with Scale, Security and Full Visibility
ACI
APPLICATION CENTRIC
POLICY CONTROLLERNEXUS 9500 AND 9300

Fabric Segmentation across DC and Campus
18Presentation ID
Identity Services
users things
Scalable
Groups
End-Point
Groups
Web DBApp
Compute
vCenter
compute storageapplications
LISP/VXLAN L2 and L3 Services
USER – USER Policy
COOP/VXLAN L2 and L3 Services
APP – APP Policy
BGP/VXLAN xFabric Handoff
USER – APP Policy

Why not a just have a single fabric?
Access Network
User centric
Wireless + Wired
User and IOT connectivity
POE
Integration with AAA
Moderate BW
Different yet complementary roles
Data Center
Application centric
Wired only
Virtualized Compute connectivity
Convergence of Storage & Compute
Integration with hypervisors
High BW, low latency
User to Application
C
Web

Connecting Multiple Fabrics Together
Preserving Segmentation and Group Policy Semantics

Abstraction and Network Consumption
Network
Consumer (Intent)
Multi-tier application cluster
Segments: VLANs/VRFs,
ACLs,
Firewalls,
Service Chains
Network Admin
(Network Management FCAPS)

Distinct Functionality, Distinct Domains
Data Center A
Access Domain
(Campus/Branch/WAN) Data Center BNetwork Operator Network Operator
Focused on User Access
Wireless Integration
User Identity / AAA
Path Engineering
Focused on Applications
Virtualization: VMs, Containers
Compute Integration
Agile Application Deployment
Hybrid Cloud Mobility
Fate Separation, Scale, Administrative Delineation

Unified Policy Language across Domains
Data Center A
Access Domain
(Campus/Branch/WA
N)
Data Center BNetwork Operator Network Operator
Policy Element/Object Exchange
consumer
…
Web
Servers
Web
Users
Contract
Allow only web traffic in/out
Sessions must be logged
Violations must be inspected
….
providerconsumer
Security Domain
Security Operator

Management & Orchestration Fabric Framework
Automated
DCI / WAN
V
M
O
S
V
M
O
S
API
Intent Based Policy (Cross Domain)Orchestration
Compute Control
vCenter
Agile/DevOps
Consumer
UI / API: Intent model
Infrastructure (Network,
Compute, Storage)
Administrators
Physical Virtual
DCI/WAN
SDN Control &
Management
API
Service Lifecycle
Managers
Network Service
Administrators
Identity Store
ISE
API
API

Multi-Fabric Management and Orchestration
API
Intent Based Policy (Cross Domain)Orchestration
Compute Control
vCenter
Agile/DevOps
Consumer
UI / API: Intent model
Infrastructure (Network,
Compute, Storage)
Administrators
Physical Virtual
WAN
APIC ControllerAPI
Service Lifecycle
Managers
Network Service
Administrators
Identity Store
ISE
API
API
Wired
API
Access Fabric
Controller
API
control plane
data plane

Group Based Policy (GBP)
Web
Servers
web-1 web-2 web-n
…
…
Clients
Contract
Allow only web traffic in/out
Sessions must be logged
Violations must be inspected
….
….
….
End-Points
End-Point
Groups
providerconsumerContracts

Render
ACI - Policies across operational roles
Network
VLANs, VRFs, ports
Firewalls, ACLs, SGACLs
DB Server Admin
DB
Servers
Allow
…
Provide DB
traffic only
Mail Server Admin
Mail
Servers
Allow
…
Provide Mail
traffic only
Consume DB
Service
Web Server Admin
Web
Servers
Allow
…
Provide Web
traffic only
Consume
Mail Service
Application
Service
Infrastructure
Admin
Rendering
Policy
Consumer /
App Developer
I have a new Web Based
Mail App. This service
provides all I need

Tenant-A
Private Network-1
Bridge
Domain-1
ACI Segmentation
Subnet-1
Customer /
Group / BU
Routing Table
VRF
L2 Boundary
IP Space(s)
Groups of
end points
Tenant-B
Private Network-2
Bridge
Domain-2
Bridge
Domain-3
Bridge
Domain-4
Subnet-2 Subnet-3
Subnet-4
Subnet-5
EPG-A
EPG-B
EPG-C
EPG-D
EPG-E
EPG-F
Private Network-3
Bridge Domain-5
Subnet-6
Subnet-7
EPG-A
EPG-B
EPG-C

DNA Campus Fabric Segmentation
Virtual Networks (VN) and Groups
Tenant-A
Virtual Network 1
Subnet-1
Tenant-B
Virtual Network 2
SG-A
SG-B
SG-C SG-D SG-E
SG-F
Virtual Network 3
SG-A
SG-B
SG-C
Subnet-2
Subnet-3
Subnet-4
Subnet-5
Subnet-6
Subnet-7
Customer /
Group / BU
Routing Table
VRF
IP Space(s)
Groups of
end points

ACI
ACI and DNA Campus Fabric Segmentation
End-Point Groups (EPG)
Bound to a Bridge Domain (BD)
Subnets are also bound to BDs
Virtual Networks (VN) and Groups
Tenant-A
Private Network-1
Bridge
Domain-1
Subnet-1
Tenant-B
Private Network-2
Bridge
Domain-2
Bridge
Domain-3
Bridge
Domain-4
Subnet-2 Subnet-3
Subnet-4
Subnet-5
EPG
-A
EPG
-B
EPG
-C EPG
-D
EPG
-E
EPG
-F
Private Network-3
Bridge
Domain-5
Subnet-6
Subnet-7
EPG
-A
EPG
-B
EPG
-C
DNA Fabric
Secure Groups (SG)
Independent of subnet and BD
May exist in one VN or many (VN agnostic)
Tenant-A
Virtual Network 1
Subnet-1
Tenant-B
Virtual Network 2
SG-A
SG-B
SG-C
SG-D SG-E
SG-F
Virtual Network 3
SG-A
SG-B
SG-C
Subnet-2
Subnet-3
Subnet-4
Subnet-5
Subnet-6
Subnet-7

Federated Identity
Independent Policies with Cross Domain Group awareness
Exchange Policy Groups
User-User
Access Control: SG-ACL
User-App
Application Prioritization
DB
App1 DBWeb1 Qo
SFilt
er
Qo
SSe
rvi
ce
App to App Contracts
User to App Contracts
C
Web
Web
DB
Web
DB

Goal: Federated Policy across domains
DNA Campus / Branch
DNA Policy Domain
Exchange Complete
Policy
User-User
Access Control: SG-ACL
Trustsec Domain
Trustsec Policy Domain
User-App
Application Prioritization
DB
App1 DBWeb1 Qo
SFilt
er
Qo
SSe
rvi
ce
App to App Contracts
C
Web
Data Center
ACI Policy Domain

IP Network
ACI COOP FabricDNA LISP Network
Border
BGP-EVPNLISPCONTROL-PLANE
Border
COOP
VXLAN+EPGVXLAN/LISP+SGT
DATA-PLANE
HOST-H1
HOST-H2
Control and Data Plane Interworking
Propagate reachability and segmentation across domains
Spine
Spine
Map Server

WAN/Campus
§ Similar problem scale to DNS
• Leverage demand based protocols
§ A directory of hosts
• Location as well as policy
• Location != Routing
§ Keep routing lean
• Move all host state to LISP directory
§ Minimize state on the routers and
switches (cache on demand)
Branch/
Closet
LISP XTR
DC 1 DC 2
LISP Host
directory
Handling Host State at Large Scale with LISP

Locator / ID Separation Protocol
Location and Identity Separation
IP core
Device IPv4 or IPv6
Address represents both
Traditional Behavior -
Location + ID are “Combined”
10.1.0.1
When the Device moves, it gets a
new IPv4 or IPv6 Address for its new
20.2.0.9
Device IPv4 or IPv6
Address represents
Identity only
When the Device moves, it keeps
the same IPv4 or IPv6 Address.
It has the Same Identity
Overlay Behavior -
Location & ID are “Separated”
IP core
Only the Location Changes
10.1.0.1
10.1.0.1
Location Is Here

LISP “Mapping System” is analogous to a DNS lookup
‒ DNS resolves IP Addresses for queried Name Answers the “WHO IS” question
‒ LISP resolves Locators for queried Identities Answers the “WHERE IS” question
Host
DNS
Name -to- IP
URL Resolution
[ Who is lisp.cisco.com ] ?
DNS
Server
[ Address is 153.16.5.29, 2610:D0:110C:1::3 ]
LISP
ID -to- Locator
Map Resolution
LISP
Router
LISP Map
System
[ Where is 2610:D0:110C:1::3 ] ?
[ Locator is 128.107.81.169, 128.107.81.170 ]
LISP Mapping System

Branch
IP Network
1.1.1.1
10.1.0.0/24
ITRS
DNS Entry:
D.abc.com A 10.2.0.1
1
10.1.0.1 à 10.2.0.1
2
Path Preference
Controlled
by Destination Site
10.1.0.1 à 10.2.0.1
1.1.1.1 à 2.1.1.1
4
How does LISP operate?
Mapping
System
5.1.1.1
5.3.3.3
5.2.2.2
Non-LISP Non-LISP
PXTR
EID-prefix: 10.2.0.0/24
Locator-set:
2.1.1.1, priority: 1, weight: 50 (D1)
2.1.2.1, priority: 1, weight: 50 (D2)
Mapping
Entry
3
ETR
10.2.0.0/24
Campus
D
2.1.1.1 2.1.2.1
DC
10.3.0.0/24
3.1.1.1 3.1.2.1ETR
10.1.0.1 à 10.2.0.1
5

COOP – Council of Oracles Protocol
BRKACI-2303 40
Council of Oracle Protocol (COOP) is used to
communicate the mapping information (location and
identity) to the spine proxy.
Citizens register their directly connected hosts with
their Oracle
Oracles stay in sync using the COO Protocol
Citizens will send traffic for unknown destinations to
an Oracle
The Oracle forwards the traffic to the Citizen which
registered the destination host
The sending Citizen now learns the location of the
destination either from Oracle signaling or return
traffic
Oracle Oracle Oracle Oracle
Citizen Citizen Citizen Citizen Citizen Citizen
Council of Oracle

ACI and Campus Fabrics Integrated VXLAN Overlay
• Decoupled Identity, Location and Policy
ACI Fabric
ACI Leaf Nodes
ACI Spine Nodes
VTEP VXLAN PayloadIP
§ Forwarding within the Fabric is between VTEPs (ACI VXLAN tunnel endpoints) and leverages an
extended VXLAN header format referred to as the ACI VXLAN policy header
§ Any workload any where, Consistent Latency, Mapping of tenant MAC or Ip address to location is
performed by VTEP using distributed mapping database
BRKACI-2400 41

WAN § Connect an ACI Fabric to the external L3
domain (no support for L2 GOLF with ACI)
WAN Edge devices functionally behave as ACI ‘border leafs’
Control plane and data plane scale
OpFlex for automating the exchange of config parameters
(VRF names, BGP Route-Targets, etc.)
§ MP-BGP EVPN control plane between ACI
spine and WAN Edge routers
§ VXLAN data plane between ACI spine and
WAN Edge routers
§ Consistent policy (Drop/No-Drop, PBR, Copy
Services, etc.) for north-south traffic applied at
ACI leaf (both ingress and egress directions)
GOLF Routers
MP-BGP
EVPN
VXLAN Data Plane
= VXLAN Encap/Decap
Layer 3 EVPN Services for Fabric WAN
’GOLF’ Design (ACI 2.0 Release)
OpFlex
L3Out at spines
(‘infra’ Tenant)

Campus Fabric to ACI
Campus Fabric Border connectivity with ACI Fabric
IP Network
MP-BGP – EVPN
Trusted
VXLAN EPG
SGT-EPG
Translation
VXLAN SGT
MS/MR
C
E E E
Control
Plane
Data Plane ACI ASR1K N77XX/M3
BGP-EVPN VXLAN OpFlex
✔ ✔
LISP COOP
L3Out
EVPN
B
B
BRKACI-2400 43

DC
WAN/Campus
§ DC administrator responsibilities:
• Management of DC network & DC tenants
• Configure L3-Out
• Configure handoff EVPN parameters (Route-Targets)
• Configure tenant (VRF_name)
§ DC administrator provides VRF_name and Route-Target
WAN Mgr
§ WAN administrator responsibilities:
• Management of WAN service & DC-WAN router
• Day 0 configuration for DC handoff
• Parameterized Day 1/2 CLI Templates for DC handoff
§ Day 0 configuration provides seed information for locally
derived parameters
§ WAN Service provisioning may be triggered by OpFlex
events (e.g. Instantiate VRF and join MPLS VPN or
provision LISP)
OpFlex: <VRF_name, RT>
VXLAN-EVPN handoff
Administrative boundary
iVXLAN-COOPBGP/LISP-MPLS/VXLAN
Template
vrf context $vrfName
vni $include_vrfSegmentId
rd auto
address-family ipv4 unicast
address-family ipv4 unicast
route-target import $include_bgpRT_1 evpn
route-target export $include_bgpRT_1 evpn
Locally
Derived
Parameters
DC-WAN Hand-Off Automation

IP Network
ACI FabricLISP Network
Border
Border
ACI
HOST-H1
HOST-H2
Failures & Changes in the ACI Fabric
External advertisements to reflect state of the ACI Fabric
Spine
Spine
Map Server
Host
advertisements
from this spine
withdrawn
Border Routing
Tables updated
to remove faulty
spine
Host reachability
from spine lost or
degraded
45BRKACI-2220

IP Network
ACI FabricLISP Network Border
Border
ACI
HOST-H1
HOST-H2
Failures & Changes in the LISP Network
Dynamic redistribution of LISP state into BGP @ Border XTR
Spine
Spine
Map Server
Prefix
advertisements
from this border
withdrawn
Leaf Tables
updated to route
around failure
Border XTR
connectivity to LISP
Network degraded:
• Dynamic LISP
State updates
• Core Reachability
Tracking
Registration
State Changes
Communicated to
Border XTR
46BRKACI-2220

IP Network
ACI COOP FabricDNA LISP Network
Border
Border
ACI
HOST-H1
HOST-H2
Control Plane Interworking
Propagate reachability and segmentation across domains
Spine
Spine
BGP
Adjacency
Map Server
LISP Registered Prefixes are advertised in BGP from Map-Server to Border XTR
The BGP adjacencies between Map-Server and Border XTR are monitored with BFD
Upon failure, the adjacency is broken, prefixes removed at the Border XTR and withdrawn
Fast convergence (BFD è 180ms)
47BRKACI-2220

Border
User VRF
DC Domain (ACI)
EBGP
EBGP
LISP MS
LISP to BGP-EVPN dynamic route handoff
Separate Border and MS
router lisp
!
instance-id 1000
service ipv4
eid-table vrf cust1
route-export site-registrations <export registered prefixes to
the RIB>
distance site-registrations 250
exit-service-ipv4
site border
authentication-key 1
eid-record instance-id 1000 0.0.0.0/0 accept-more-specifics
exit-site
!
router bgp 65002
neighbor 192.168.29.1 remote-as 65003 <peer with the border>
!
address-family vpnv4
neighbor 192.168.29.1 activate
neighbor 192.168.29.1 send-community both
neighbor 192.168.29.1 route-map tag out < tag routes to Border>
exit-address-family
!
address-family ipv4 vrf PACAF
aggregate-address 72.1.0.0 255.255.255.0 summary-only
redistribute lisp metric 10 <redistribute lisp to BGP >
exit-address-family
route-map tag permit 10 <community attribute tag>
set community 655370
router lisp
…
instance-id 1000
service ipv4
eid-table vrf cust1
route-import database bgp 65003 route-map database locator-
set border <register prefixes from external BGP into LISP>
route-import map-cache bgp 65002 < install punt for LISP
prefixes>
exit-service-ipv4
exit-router-lisp
router bgp 65003
!
…
address-family l2vpn evpn <peer with EVPN>
import vpnv4 unicast re-originate
exit-address-family
!
address-family ipv4 vrf cust1
advertise l2vpn evpn
redistribute connected
exit-address-family
!
ip community-list 1 permit 655370 < Match the community list with
the community value from MS/MR>
!
route-map database deny 10 < deny the prefixes coming from
MS/MR to be imported into database, permit rest>
match community 1
!
route-map database permit 20

Border
User VRF
DC Domain (ACI)
EBGP
LISP MS
LISP to BGP-EVPN dynamic route handoff
Consolidated Border and MS router lisp
…
instance-id 1000
service ipv4
eid-table vrf cust1
route-import database bgp 101 locator-set border <register prefixes from external BGP into LISP>
route-export site-registrations <export registered prefixes to the RIB>
distance site-registrations 250
map-cache site-registration <install punt adjacencies for registered LISP prefixes>
exit-service-ipv4
!
site border
authentication-key 1
exit-site
!
exit-router-lisp
router bgp 101
!
…
address-family l2vpn evpn
import vpnv4 unicast re-originate
exit-address-family
!
address-family ipv4 vrf cust1
advertise l2vpn evpn
redistribute connected
redistribute lisp metric 10 <redistribute lisp installed routes to BGP>
aggregate-address 72.1.0.0 255.255.255.0 summary-only
exit-address-family
!

Virtual Networks
Underlay Network
Virtual Networks
Outer/Transport
IP-UDP Header
Original IP Packet or L2 FrameVXLAN Header
Virtual Network Identifier (24 bits)
Group Policy Identifier (16 bits)

Cisco TrustSec
Simplified segmentation with Group Based Policy
VLAN BVLAN A
Campus Switch
DC Switch
or Firewall
Application
Servers
ISE
Enterprise
Backbone
Enforcement
Campus Switch
Voice Employee Supplier Non-CompliantVoiceEmployeeNon-Compliant
Shared
Services
Employee Tag
Supplier Tag
Non-Compliant Tag
DC switch receives policy
for only what is connected
Classification
Static or Dynamic
SGT assignments
Propagation
Carry “Group” context
through the network
using only SGT
Enforcement
Group Based Policies
ACLs, Firewall Rules

TrustSec Access Control
Consistent access governed by simplified policy
VLAN BVLAN A
Campus Switch
DC Switch
or Firewall
Application
Servers
Enterprise
Backbone
Enforcement
Campus Switch
Voice Sales Supplier Non-CompliantVoiceSalesNon-Compliant
Shared
Services
Sales Tag
Supplier Tag
Non-Compliant Tag
Users are authenticated and
authorized into end-point
groups (aka Scalable Groups)
Policy defined between
Scalable Groups
Scalable Group Tags (SGTs)
encoded in a VXLAN header
Access Policy enforced
based on SGTs
Improve access control policy
manageability and scale
User-User
Contract: SG-ACL
User-Device
Contract: SG-ACL
Group Registry

Cisco Trust Security
Ingress Classification with Egress Enforcement
Egress
Enforcement
(SGACL)
Cat3850 Cat6800 Nexus 2248
WLC5508
Cat6800 Nexus 7000
User Authenticated =
Classified as Marketing (5)
FIB Lookup =
Destination MAC = SGT 20
DST: 10.1.100.52
SGT: 20
SRC: 10.1.10.220
DST: 10.1.200.100
SGT: 30
CRM
Web
DST è
ê SRC
CRM
(20)
Web
(30)
Marketing (5) Permit Deny
BYOD (7) Deny Permit
Destination Classification
CRM: SGT 20
Web: SGT 30
Enterprise
Backbone
54
Nexus 5500
SRC: 10.1.10.220
DST: 10.1.100.52
SGT: 5
5 5

What are SGTs?
How do they differ from EPGs?
§ SGT is a security group tag assigned to user’s
or device’s traffic in campus networks based on
their roles
§ SGT is a 16 bit value that the Cisco ISE assigns
to the user or endpoint’s session upon login
§ SGT is globally unique
§EPG is end point group in ACI
fabric used to group servers that
require similar treatment of policy
§EPG is hierarchical in nature
Campus Fabric ACI Fabric
BRKACI-2400 55

VXLAN and GBP extensions
Ethernet in IP with a shim for scalable segmentation and policy metadata
Outer MAC Header Outer IP Header Outer UDP Header
FCS
Original Layer 2 FrameVXLAN Header
VXLAN
VXLAN-GBP
GBP = Group Based Policy
SGT = EPG
(SDA) (ACI)

SGT & EPG Source Group
Mapping of Group Based Policy ID
Cisco Meta Data (CMD)
DMAC SMAC 802.1AE Header 802.1Q CMD ETYPE PAYLOAD ICV CRC
Version LengthCMD EtherType SGT Opt Type SGT Value Other CMD Options
Encrypted
Authenticated
Layer 2 SGT Frame and Cisco Meta Data Format
Outer
IP
Outer
UDP
GBP VXLAN
Outer
Ethernet
Inner
Ethernet
Payload
New
FCS
VXLAN Instance ID (VNID) M/LB/SPGroup Policy ID (SGT)Flags
8 Bytes
Inner IP
Header
Flags/DRE
Data Plane Encapsulation (GBP VXLAN)

Campus Fabric SGTs Provisioned in ACI
ISE dynamically provisions
SGTs and IP mappings
(SXP service) into APIC-
DC
ACIISE
Security Groups External (Outside Fabric) EPGs
Campus Fabric Domain
BRKACI-2400 59
EXT-
EPG3
EXT-
EPG1

ISE dynamically learns
EPGs and VM Bindings
from ACI fabric – shared to
SXP
ACI
VM1
VM25
Campus Fabric Domain
ISE
Internal (Inside Fabric) EPGsSecurity Group from APIC-DC
ACI EPGs Automatically Propagated into Campus Fabric
BRKACI-2400 60

SDA – ACI Policy Data-Plane Mapping
SDA
Domain
ACI Policy Domain
ACI Spine (N9K)
SDA Policy Domain
ISE
Auditor
10.1.10.220
PCI
10.1.100.52
SDA Border Device
(ASR 1K/N7K*)
SGT/EPG
Namespace Alignment
ACI Border Leaf
5
SRC:10.1.10.220
DST: 10.1.100.52
SGT: 5
#
SRC:10.1.10.220
DST: 10.1.100.52
EPG :#
EPG #
SGT # to EPG #
Translation Table

ISE Retrieves:
EPG Name: PCI EPG
EPG Binding = 10.1.100.52
Campus Fabric SGT Info Used in ACI Policies
Campus
Fabric
ACI Policy Domain
ACI Border
Leaf (N9K)
ACI Spine (N9K)
NetworkLayerControllerLayer
Plain
Ethernet
(no CMD)
Campus Fabric Policy Domain
NetworkLayerControllerLayer
ISE
ACI Leaf
(N9K)Auditor
10.1.10.220
SGT Groups available in ACI Policies
PCI
10.1.100.52
ISE Exchanges:
SGT Name: Auditor
SGT Binding = 10.1.10.220
PCI EPG
10.1.100.52EPG Name = Auditor
Groups= 10.1.10.220
Plain
Ethernet
(no CMD)
5
SRC:10.1.10.220
DST: 10.1.100.52
SGT: 5
17000
SRC:10.1.10.220
DST: 10.1.100.52
EPG
SRC:10.1.10.220
DST: 10.1.100.52

ISE and APIC identity exchange
ACI Policy DomainSDA Policy Domain
Switch Router* Nexus9000 Nexus9000 ServerUser
LISP,SGT & VXLAN
Classification
SDA
ISE & APIC Exchange Groups
and Member information
ISE creates SGT to EPG
translation table
IP-ClassId, VNI bindings
Send translation table to
ASR 1K/N7K
Spine Leaf
Cisco ISE 2.1
Cisco APIC-DC
Security Groups End Point Groups
APIC - Application Policy Infrastructure Controller, ACI - Application Centric Infrastructure
63
BGP EVPN, EPG &VXLAN
*ASR1K & N7700-M3 1HCY17
APIC-EM
IP, SGT mappings

Sharing Context Across the Enterprise
Campus
Fabric
Domain
ACI Policy Domain
ACI Spine (N9K)
Campus Fabric Policy Domain ISE
Auditor
10.1.10.220
PCI
10.1.100.52
Campus Fabric Border
Device
(ASR 1K/N7K*)
SGT/EPG
Namespace Alignment
5
SRC:10.1.10.220
DST: 10.1.100.52
SGT: 5
#
SRC:10.1.10.220
DST: 10.1.100.52
EPG :#
EPG #
SGT # to EPG #
Translation Table
* M3 Roadmap

Campus Fabric Policy Domain ACI Policy Domain
Campus to ACI Flow
SGT-EPG
VXLAN GBP
Contract Applied on Leaf
Lookup:s-class, d-class, policy
APP-EPG
Golf L3out
Target
Q2-CY17
BRKACI-2400 65
MS/MR
C
E E E
B
B
ASR1K
March 16.5.1
✔
SGT <-> EPG
translation

TrustSec/ISE Policy Domain ACI Policy Domain
ACI to Campus Flow
SGT-EPG
VXLAN GBP
VzAny Contract
Permit-all or filter ports
APP-EPG
Golf L3out
Target
Q2-CY17
SGACL Policy Applied
BRKACI-2400 66
MS/MR
C
E E E
B
B
ASR1K
March 16.5.1
✔
Employee-SGT
SGT <-> EPG
translation

WAN/Campus scope of management DC scope of management
SDA-DC Policy Driven Context Mapping
User Experience: Simply Define User-Application Relationships
Extranet Extranet provided with route leaking
VRF 2
VRF 1
VRF 2
VRF 1
VXLAN-EVPN
SGTs in VXLAN EPGs in VXLAN
C
Web
• The Policy Registry includes
VRF/Context information for each group
• The Extranet relationships may be
derived from the user-app contracts
• Extranets will be rendered automatically
in the ACI Fabric
VRF B
VRF C
VRF A
VRF D
Extranet
Extranet

Cisco Spark
Ask Questions, Get Answers, Continue the Experience
Use Cisco Spark to communicate with the Speaker and fellow
participants after the session
Download the Cisco Spark app from iTunes or Google Play
1. Go to the Cisco Live Melbourne 2017 Mobile app
2. Find this session
3. Click the Spark button under Speakers in the session description
4. Enter the room, room name = BRKACI-1090
5. Join the conversation!
The Spark Room will be open for 2 weeks after Cisco Live
69

Complete Your Online Session Evaluation
70BRKACI-1090
Learn online with Cisco Live!
Visit us online after the conference
for full access to session videos and
presentations.
www.CiscoLiveAPAC.com
Give us your feedback and receive a
Cisco Live 2017 Cap by completing the
overall event evaluation and 5 session
evaluations.
All evaluations can be completed via
the Cisco Live Mobile App.
Caps can be collected Friday 10 March
at Registration.

Brkaci 1090

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Brkaci 1090

Similar to Brkaci 1090 (20)

Recently uploaded

Recently uploaded (20)

Brkaci 1090