© 2017 Cisco and/or its affiliates. All rights reserved. 1
Robert Zalobinski
Technical Solutions Architect
April 3, 2018
Application Agility and
Programmability with Cisco
ACI Architecture
Cisco
Connect
Halifax
Your Time
Is Now
C97-739634-00 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Pillars of Cisco’s Data Center Strategy
Hardware innovation, Application aware, Multicloud First, Capture Intent
Cisco Data Center Use Cases
Multicloud Mobility Security Modernize Infra.
• Threat Intel
• Multi-layer
• Compliance
• Performance
• Security
• Scale
Analytics
• Infra.
• Apps.
• Ops.
Automation
• Ops
• Provision
• Maint.
• Benchmark
• Policy
• Blueprints
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
ACI Software Enablement
Nexus 9000 & APIC Hardware
Nexus Foundation: CloudScale Platforms
Nexus 9300
Nexus 9500
ACI
3.0
Nexus 9364C –
Fixed Spine
64p 40/100G QSFP
ACI
4.0
APIC-CLUSTER-M3
(< 1000 Leaf Ports)
ACI
4.0
Nexus 9336C-FX2
36-port 40/100G QSFP28
ACI 4.0
Nexus C93240YC-FX2
48p 1/10/25G SFP28,
12p 40/100G QSFP28
ACI
3.1
Nexus 9336C-FX2
36-port 40/100G QSFP28
ACI
3.1
Nexus N2K-C2348TQ-E
48p 1/10G + 6p 40G QSFP+
ACI
4.0
Nexus 9332C –
Fixed Spine
32p 40/100G QSFP28, 2p 10G
APIC-CLUSTER-L3
(>= 1000 Leaf Ports)
ACI
4.0
Nexus 9348GC-FXP
ACI Leaf: 48p 100M/1G, 4p 10/25G, 2p 40/100G
Flexible Speeds w/ 100M, 1,10, 25, 40,100G support
Full feature L2/L3 ASIC
40 MB buffer w/ smart buffer feature
Dual 350W power supply for
enhanced performance
• Gigabit Ethernet application
• Up to 696 Gbps of bandwidth and 250+ mpps
• 2 and 4 post rack mount options
ACI 3.0
100G line rate MACSEC and VTEP-VTEP
overlay encryption on 16 ports*
40 MB buffer w/ smart buffer feature
Flexible TCAM templates
1M+ IPv4 routes
VXLAN Routing
QSFP28 Connector, Pin compatible
with 40G QSFP+
Flexible Speed 64 ports with
1,10,25,40,50,100G
6.4 T full feature L2/3 ASIC
Nexus 9364C 64p 40/100G - ACI Fixed Spine
* future
Ideal for space constrained fabrics
Support for mixed 1st & 2nd gen ACI
leaf designs
Support for mixed 40/100G fabrics
speed designs
Note: Roadmap: ACI 3.1 onwards 16 ports of MACSEC will be supported
ACI 3.0
Nexus 9500 Spine Linecard
N9K-X9736C-FX: 36p 40/100G
• ACI Spine, 36x100G Ports
• MACSEC and VTEP-VTEP encryption (aka Cloud Sec) capable
ACI 3.0
Nexus 9300 36-port 40/100G QSFP28 ACI/NX-OS Leaf
Cisco Cloud Scale – L2/L3, VXLAN Routing
Flexible Speed 1/10/25/40/50/100G Ports
Line-rate MACsec Encryption
40MB buffer (10MB per slice, 20MB shared) with
Smart Buffer feature
Flexible TCAM Templates
FEX and 4x10/25G breakout support
Telemetry – FT, FTE and SSX support
N9K-C9336C-FX2
ACI 3.1
Nexus 9300 48p 1/10/25G SFP28, 12p
40/100G QSFP28
ACI/NX-OS Leaf
ACI Access leaf in a compact 1.2 RU form factor
Cisco Cloud Scale – L2/L3, VXLAN Routing
Flexible Speed 1/10/25/40/50/100G Ports
Line-rate MACsec Encryption
40MB buffer (10MB per slice, 20MB shared) with Smart Buffer feature
FEX support
Telemetry – FT, FTE and SSX support
Flexible TCAM Templates
10G support with QSA at FCS on all 12p QSFP28; Breakout support on
downlink QSFP28 ports
Support for AC/DC/HVDC PSU at FCS on port-side exhaust and port-
side intake
N9K-C93240YC-FX2
ACI 4.0
• BigSky ASIC based 32p 40/100G, 2p 10G in 1RU form factor to support small scale ACI
fabric deployments
• Telemetry – SSX support
• Encryption support on the last 8 ports
• 10G support with QSA at FCS
• Support for AC/DC/HVDC PSU at FCS on port-side exhaust and port-side intake
• Optics support parity with existing products
• Transition 1st gen Nexus 9336PQ product
N9K-C9332C
32p 40/100G QSFP28, 2p 10G ACI/NX-OS Spine
ACI 4.0
ACI Benefits
Any workload
Physical, Virtual, Containers
Open
Programmability
Conducive for
Automation/Orchestration
Policy Driven
Eliminates Network Dependencies
Optimal DC Network
Eliminates L2 Spanning-Tree Protocol
L3 Fabric
Integrated VXLAN Overlay
Distributed L3 GW
VMM Integration
vCenter, HyperV, Openstack,
Kubernetes
Single Point of
Configuration
APIC Controller
Secure White-list
Model
Next-Gen DC Fabric
Spine / Leaf
Network Services Integration
Network Policy, Service Policy, Service Manager
Remote Leaf / Virtual PoD APIC / Multi-Site Multi-Cloud Extensions
ACI Anywhere - Vision
Any Workload, Any Location, Any Cloud
ACI Anywhere
IP
WAN
IP
WAN
Remote Location, Public Cloud, On Premise
Security Everywhere, Policy Everywhere, Analytics Everywhere
Inter-Pod IP Network
ACI MultiPod
Single APIC Cluster Extends Network Virtualization, Policy, Services to Multiple PODs
Site A Site B
Active-Active
Datacenters
Virtual Metro
Clusters
Stretch VRF, EPG, BD
Across PoDs with VXLAN
Up to 50ms
Latency
Shipping
Site A
Site B
Site C
Site D
ACI Multi-Site Multi-Site
Consistent Policy across sites
Single Point of Orchestration
Fault Isolation
Scale
ACI 3.0
Geographically Dispersed
Active/Active Data Centers
Active/Standby Data Centers
For Disaster Recovery
Stretch VRF, EPG, BD
Across Sites with VXLAN
Up to One sec
Latency
IP Network
ACI: Physical Remote Leaf
Extend ACI to Satellite Data Centers
Site A Remote
Location
Zero Touch Auto Discovery
of Remote Leaf
Two Remote Leafs
Up To 20 Remote Locations
Stretch EPG, BD, VRF,
Tenant, Contract
Health Scores,
EPG Stats
ACI 3.1
Cisco ACI Virtual Edge
Decoupled From Hypervisor Kernel API Dependencies
ACI Virtual Edge
Maintain Existing
Operational Models
Simple Transition/Migration
AVS => AVE
Policy Consistency Across
Multiple Hypervisors
AVS/AVE
Feature Parity
Legacy AVS (Today)
Hypervisor Dependent
Cisco AVE (Q1 CY18)
Native vSwitch
VM
Switching +
Policy Enforcement
VM VM
AVE
Q2 FY18
Q1 CY18
Hypervisor Agnostic
VM VM VM
AVE
AVS
Policy Enforcement,
Services, Telemetry
ACI 3.1
ACI Virtual Edge (AVE)
vSpine
vLeaf vLeaf
ACI Virtual Edge
IP Network
ACI: Virtual PoD
Extend ACI To Bare-metal Cloud
On-Premise
Remote
Location
Bare Metal Clouds
(IBM BlueMix, AWS Elastic Metal etc.)
Remote Data Centers Colo Facilities
(Equinix, CoreSite etc.)
BrownField
Deployments
Beta: ACI 3.2
Virtual Pod
Hypervisor
Logical Connection To Spine
(VXLAN)
GA: ACI 4.0
1. Gracefully isolate the node from fabric
2. Troubleshoot (if required)
3. Re-commission the node
L2/L3
GIR diverts the data traffic to alternate paths and allows
node troubleshooting, maintenance and upgrade.
Graceful Insertion and Removal (GIR)
ACI 3.0
Bootstrap Network Infrastructure
Manage Tenants, Subnets,
Application Profiles
VI Admin
Network Compute Storage
VI Admin
vCenter
Manage
Define and Manage Security Groups
ACI
Plugin
AVS Support
(ACI 2.2(2))
vSphere 6.5
Support (ACI 2.3)
ACI Plugin for VMware vCenter
ACI 2.3
Manage ACI Infrastructure Through vCenter
ACI: Cloud Automation
Virtualization and Orchestration
Deploy
Tenant
Deploy
App
Deploy
Firewall
vSphere 6.5, Tags (ACI 2.3)
vCenter Plugin (RBAC) (ACI 3.0)
NG-Application Virtual Switch
AzurePack –
VPN Termination (ASA, ASR 1K)
AzureStack
Newton Support, IPv6 (ACI 2.3)
Bare-Metal Provisioning (Ironic)
Ocata Support
Cloud
Automation
Unified Networking (ACI 3.0)
Integration of Kubernetes
network policies and ACI policies
Visibility
vRealize Automation
vRealize Orchestrator
• Fabric Bring-up
• Infrastructure provisioning
• Security Domains
• Shared Services Plans
• Virtual Private Cloud
• Networks, Subnets, Security
Tenant 1: App, Web, DB
ESX Hypervisor
Day Zero Operations
Day 1/ Day 2 Operations
Deploy
Tenant
Deploy
Load
Balancer
Deploy
App
Deploy
Firewall
ACI Policy Driven vRealize Automation Blueprints to Accelerate Application Deployment
Cloud Automation with vRealize
Shipping
APIC Provisions Logical Networks
• Visibility Into RHV Domains
• Security & Segmentation
• Migration From Proprietary Hypervisors
Cisco ACI + Red Hat Virtualization
Red Hat
Virtualization Manager
RHV Clusters
ACI 3.1
ACI and Containers
• OpenShift VMM Domain
• Turnkey cluster networking
• Seamless developer experience
• Optional extensions for ACI policies
• Hardware load balancing
Cisco ACI + OpenShift Integration
Red Hat Enterprise
Virtualization Manager
Node
ACI 3.1
Node
OpFlex OVS
OpFlex OVS
Cloud Foundry
Node
ACI Policies
Network Policy
• IP per Container.
• VMM Domain for visibility, ease of integration
• Native Policies: ASGs (app security groups),
container to container policy, and isolation
segments
• ACI Policy: Ability to map apps/spaces/orgs to
EPGs and use contracts
• Preservation of app identity
PCF Networking and Security with ACI
Node
OpFlex OVS
Cloud
Foundry
ACI Policies
Network Policy
Node
OpFlex OVS
Features
ACI 3.2
ACI Security
Automated Security with Built In Multi-Tenancy
Q4 CY
2018
Micro-Segmentation
DNS EPG, AD Based EPG
(ACI 3.1)
ACI
3.0
Contracts
Inheritance, Intra-
EPG Contracts
Q4 CY
2017
Certifications
FIPS and UC-APL Certified
Common Criteria (in progress)
ACI
3.1
MACSEC Encryption
APIC Centralized Key
Management
ACI
2.3
ACI-TrustSec Integration
Higher Scale (15K)
ACI
3.0
First Hop Security
IP Source Guard, DHCP Guard,
DHCP Snooping, etc.
• ACI 3.0 supports “Intra-EPG Contracts”
• Allows whitelist policy enforcement of Intra-EPG traffic
• Can co-exist with Inter-EPG contracts
• Eliminates the need to create uSeg EPGs or deploy external FW for Intra-EPG
segmentation
• Enforcement is on Leaf switch (i.e., EX or above)
• Same as regular contract scale
• Supported for VMware vDS and Bare-Metal Servers
Intra-EPG Contracts
EPG
Web
EPG
DB
C1
C2 C3
ACI 3.0
Secure Connectivity To Any Cloud With CloudSec
Overlay Encryption
Site A
Multi-Site
Encrypted VXLAN Overlay for
Inter-Site Traffic
MKA Key Exchange over BGP-
EVPN Protocol
Overlay Encryption
VXLAN Tunnel Over IP/WAN
Site B
IP / WAN
Certification ACI
Done
Done
In progress
Target Q1 CY18
Done
Security Certifications
Cloud Orchestration
Cloud Automation
and PaaS
Monitoring Automation
Cisco ACI and NX-OS Rich Ecosystem
ACI Ecosystem Partners
32
App Center Apps
Programmable Infrastructure: Open APIs for Value Added Applications
Task Robo
GIT Integration Dimension Data Jenkins Integration
ECOSYSTEM Sample Apps
Cisco Dev. Network
Fabric Resource
Inspector
Checkpoint And Restore
Sub-configs To/From GIT
(e.g., Tenant Level)
Fast Snap
Protocol Level Color
Coded Routes.
Route Visualizer
Schedule, Configure,
Validate And Audit APIC
Configuration Jobs
Keep A Pulse On Your Network
Hardware Resources
(TCAM, Memory Etc.)
Future
Cisco Data Center Reference Architecture
Cisco Prime services catalog
Cisco Nexus
Cisco HyperFlex
Cisco UCS
Cisco MDS
Cisco AzureStack
Cisco Tetration Analytics
Cisco Security Portfolio
Cisco CloudCenter
Cisco Turbonomics
AppDynamics
Cisco Tetration Analytics
Cisco ACI
Cisco ACI
Cisco DCNM
Cisco Intersight
Cisco UCS-Director
Cisco Tetration Analytics
AppDynamics
IT services consumption
multicloud
Private cloud/PaaS Integration
DC Infrastructure
Management and automation
Security
Analytics
ACI / Nexus
Tetration
Thank you.

Cisco Connect Halifax 2018 Application agility and programmability with cisco aci architecture
