Cisco Connect Toronto 2018 dc-aci-anywhere

Cisco Connect Toronto
October 18, 2018
Global vision.
Local knowledge.

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
• Overview
• ACI Multi-Site Orchestrator
• ACI Remote Leaf
• ACI AVE
• ACI Virtual Pod (vPOD)
• ACI Cloud APIC (cAPIC)
• Q&A
Agenda

Cisco Application Centric Infrastructure (ACI)
Journey So Far…
2014
SDN Launch
ACI 1.0, 1.1, 1.2, 1.3
Intent Based Netw orking
ACI Single Fabric
Virtualization Integration
L4-L7 Ecosystem
Merchant+ Hardw are
2015-2016
SDN Leadership
ACI 2.0, 2.1, 2.2, 2.3
Best of InterOp
Multi-Pod
Micro-segmentation
Operations
Cloud Scale ASICs
2017
SDN: Breaking Away
ACI 3.0, 3.1
ACI Anyw here
Multi-site
Remote Leaf
ACI Virtual Edge
Heavenly (FX2)
2018
Multi-Cloud: Launch
ACI 3.2, 4.0, 4.1
vPOD
AWS
IBM, Oracle
Tetration
AppDynamics

Q4 2016 Q2 2017 Q3 2017 Q4 2017 Q1 2018Q1 2017
ACI
2.1
ACI
2.2
Long Lived
Releases
ACI
3.2(x)
ACI
2.1(x)
ACI
2.3
ACI
3.0
ACI
3.1
Maintenance Releases =>
Target – One Release Every Four Months.
ACI
2.0(2)
ACI
2.1(2)
ACI
2.2(2)
ACI
2.3(2)
ACI
3.0(2)
ACI
2.2(x)
ACI
3.1(2)
Q2 2018
ACI
3.2
ACI
4.0
Q3 2018 Q1 2019
ACI
3.2(2)
ACI
4.0(2)
ACI
4.1
Major Releases =>
ACI Software Release Timeline

Long Lived Releases
Two Long Lived Releases At Any Given Point of Time1
Active Maintenance Will Be Primarily Focused On Long Lived Release2
Target Duration Of Long Lived Release Support: Up to 18 Months From FCS
Direct Upgrade From One Long Lived To Next Long Lived Release Will Be Supported
Long Lived Releases Are Recommended For Networks That Will Not be Upgraded Frequently
3
4
5
Short Lived Releases
No Active Maintenance Beyond Six Months From FCS1
ACI Software Release Guideline
For your info
& reference

ACI: Mini ACI Fabric
Cloud
Optimized Physical Footprint – 5 RU System
ACI Fabric For Small Scale Deployments
VM
Leaf 1 – 48 ports
Leaf 2 – 48 ports
Spine 1
Spine 2
APIC
VM
ACI 4.0
No. of EPGs
No. of Tenants
No. of Spines
No. of Leafs
No. of BDs
No. of EPs
No. of VRFs
1000
25
2
2-4
1000
20,000
25
Virtual APIC
Physical APIC
2
1
Description PID
Step1:
Spines PLUS Controller Kits
ACI-C9332-VAPIC-B1
(Consists of 2x N9K-C9332C +
1x APIC-CLUSTER-XS*)
20% discount
Step 2:
N9300 Starter Kits (2 –pack)
Ex: N9K-C93180-EX-B24C
(Consists of 2x N9K-C93180YC-EX
+ 8x 100G Optics)
10% discount
Step 3:
ACI Leaf License
2x ACI-ES-XF

ACI: Mini ACI Fabric
Fabric Scope (4.0)
Single Pod and Single Site
200 Edge Ports per APIC-
CLUSTER-XS
No support for Remote Leaf,
GOLF and vPod
vAPIC Config
ESXi 6.5
8 vCPU
32G Memory
HDD 300G &
SDD 100G local storage
ACI 4.1 Enhancements
Mini ACI with Multi Site
Support

ACI Anywhere

ACI
Virtual Edge
(AVE)
ACI Anywhere
Component Summary
Multisite
Orchestrator
Remote
Leaf
Virtual
Pod
(vPOD)
Cloud
APIC
(cAPIC)
APIC
+
N9K
EFT in Progress
- ACI 4.0
Q1CY19 –
AWS
Delivered Delivered Delivered Delivered
21 3 4 5 6

Multi-Site
Orchestrator
2

ACI Multi-Site
Overview
 Separate ACI Fabrics with independent APIC clusters
 ACI Multi-Site Orchestrator pushes cross-fabric
configuration to multiple APIC clusters providing
scoping of all configuration changes
 MP-BGP EVPN control plane between sites
 Data Plane VXLAN encapsulationacross sites
 End-to-end policy definition and enforcement
MP-BGP - EVPN
Availability Zone ‘A’ Availability Zone ‘B’
IP Network
ACI 3.0
Release
VXLAN
Site 1 Site 2REST
API
GUI
Multi-Site Orchestrator

Scale-Up Model to Build a Large
Intra-DC Network
Data Center Interconnect (DCI)
ACI Multi-Site
Use Cases

ACI Multi-Site
Software and Hardware Requirements
• Support all ACI leaf switches (1st Gen, EX, FX, FX2)
• Modular Spine with EX/FX line card to
connect to the inter-site network
• 9364c or 9332x fixed spine supported for
Multi-Site from ACI 3.1 release (shipping)
• 1st generation spines (including 9336PQ)
not supported
• Can still leverage those for intra-site leaf
to leaf communication
1st Gen
Inter-Site
Network
-EX-EX
Can have only a subset
of spines connecting to
the IP network
1st
Gen

Layer 3 only across sites
 Bridge Domains and subnets
not extended across Sites
 Layer 3 Intra-VRF or Inter-
VRF communication (shared
services across
VRFs/Tenants)
ISN
Site
1
Site
2
AW S
1
IP Mobility without BUM flooding
 Same IP subnet defined in
separate Sites
 Support for IP Mobility (‘cold’
and ‘live’* VM migration) and
intra-subnet communication
across sites
 No Layer 2 BUM flooding
across sites
Site 2
ISN
Site
1
Site
2
AW S
2
Layer 2 adjacency across Sites
 Interconnecting separate sites
for fault containment and
scalability reasons
 Layer 2 domains stretched
across Sites, support for ‘live’*
VM migration and application
clustering
 Layer 2 BUM flooding
across sites
ISN
Site
1
Site
2
AW S
3
ACI Multi-Site Networking Options
Per Bridge Domain Behavior

ACI Multi-Pod and Multi-Site
Connectivity between Pods and Sites
Pod ‘A’ Pod ‘B’
IPN
IP WAN
Site 2
Site 1 Site 2
1st Gen 1st Gen
APIC Cluster
 Only 2nd generation spines must be connected to the external network
• Need to add 2nd
gen spines in each Pod (at least two per Pod) and migrate connections to the IPN from 1st
gen
spines to 2nd
gen spines
 Single ‘infra’ L3Out and set of uplinks to carry both Multi-Pod and Multi-Site East-Westtraffic

 Adding a Multi-Pod Fabric as a ‘Site’ on the Multi-Site Orchestrator (MSO)
ACI Multi-Pod and Multi-Site
Main Use Cases
 Converting a single Pod Fabric (already added to MSO) to a Multi-Pod fabric
ACI 3.2 Release

 Back-2-back connections are ONLY supported for 2 sites
 Multi-Site + Multi-Pod not supported
APIC Cluster APIC Cluster
Intersite E-W (Direct Cable or Dark Fiber)
Multi-Site Back-2-Back Spine

MP-BGP EVPN
VXLAN
• Multi-Site Infra: Unicast, Multicast, BGP TEPs
and Tunnel state
• Multi-Site Tenant and EPG granularity:
 Inspect and validate full-stack programming:
MSC, APICs and Spine translations
 Validate the consistency of local and remote
inter-site EPGs, BD, VRF, External EPG, policies,
etc.
 Root cause configuration programming issues
without callingTAC
• GUI and APIs supportedSpines Spines
ACI 3.2
Release
ACI Multi-Site
Day-2 Operations: Full-Stack Consistency Checker

ACI Multi-Site Open API
(Swagger)
• Swagger benefits
• Allow end developers to effortlessly interactand try out every single operation your API exposes
for easy consumption.
• Swagger UI can auto import the Authorization token from MSC UI giving seamless access to the
APIs.
• Types of endpoints: API GET, POST, PUT, PATCH, DELETE

Multi-Site
IP / WAN
Site A Site B
VMVMVM
Site C
MACSEC MACSEC
CloudSec
Today Future
ACI Anywhere
Encrypted DCI Connectivity

…..
Site 1 Site 2 Site n
UCSD 6.6
Orchestration
UCSD 6.6 and Ansible Main Functions
Site Management
Site Infra config and test connectivity
MSC site inventory
APIC site management (cross-launch)
User Management
Tenant Lifecycle and Site Association
Schema and Template lifecycle (AP, EPGs, Contracts, VRF, BD, etc … )
L3out and External EPG
Deploy Tenants and Schemas to sites
Monitoring MSC and Management
Import brownfield tenant policies and deploy across sites
Trouble-shooting
Shipping
Ansible
Q4-CY18
ACI Multi-Site
UCSD & Ansible Integration

NewACI 3.2 Release
Multi-Site + Multi-Pod
L4-L7 Services Support
Spine-Spine (Dark Fiber)
Consistency Checker
( Multi-Site, APIC, HW)
UCS-D Orchestration
(6.6)
Up To 10 Sites, 1200
Leafs
ACI 3.1 Release
Nexus 9364C (Fixed
Spine)
Multi-Site HealthCheck
External Authentication
Audit / Accounting Logs
Shared Golf
Up To 8 Sites, 800 Leafs
ACI 4.0 Release
CloudSec
L3 Multicast
2-Node Service Graphs
(FW+SLB)
ER SPAN
N9K-9332C Spine
Up To 12 Sites, 1200
Leafs
ACI: Multi-Site
Roadmap
ACI 4.1 Release
Inter-site L3out
Multisite + Remote Leaf
L1/L2 PBR Service
Graphs
Physical Appliance
Patch API, Swagger
ACI Mini Support
For your info
& reference

ACI Release 4.1
MSC 2.1
18
1,800
400
1,000
4,000
4,000
4,000
500
400
Number Of Sites
Max Leafs (across sites)
Tenants
VRF
BD
EPGs
Contracts
L3Out (External EPGs)
Isolated EPGs
ACI Release 3.1
MSC 1.1
8
800
200
400
2,000
2,000
2,000
500
400
ACI Release 3.2
MSC 1.2
10
1,200
300
800
3,000
3,000
3,000
500
400
ACI Release 4.0
MSC 2.0
12
1,200
400
1,000
4,000
4,000
4,000
500
400
ACI Multi-Site
Continuous Scale Improvements
New
For your info
& reference

Remote Leaf
3

IP Network (WAN Core – IPv4, MPLS, SR, etc …)
Site A Remote
Location
Zero Touch Auto
Discovery of Remote Leaf
Two Remote Leafs
Up To 20 Remote Locations
Stretch EPG, BD, VRF,
Tenant, Contract
Health Scores,
EPG Stats
VMVMVM VMVMVMVMVMVMVM VMVMVMVM
Logical Connection To Spine
(VXLAN)
Port Speed:
1/10/40/100G
Shipping since ACI 3.1 (Q1 CY 18)
ACI: Physical Remote Leaf

ACI Remote Leaf
Use Cases
Satellite DC
Brownfield
Co-location
Remote Location A
V
M
ACI Main Data Center
VMVMVM VMVMVMVM
IP Network
Telco 5G
VMVMVM VMVMVMVM
Remote Location B
VMVMVM VMVMVMVM
Remote Location C
VMVMVM VMVMVMVM
Remote Location D
VMVMVM VMVMVMVM

Remote Leaf Requirements
Hardware & Software
ACI Main DC
Supported Spines
Fixed Spine
• N9364C
• N9332C (ACI 4.0)
Modular Spine (C9504/C9508/C9516)
• N9732C-EX
• N9736C-FX
Remote Location
Supported Leaf
• N93180YC-EX
• N93108TC-EX
• N93180LC-EX
• N93180YC-FX
• N93108TC-FX
• N9348GC-FXP
• N9336C-FX2
*Footprint of VMs might change at FCS.
All hardware from –EX onwards is supported

ACI Remote Leaf
Local Traffic Forwarding for vPC Endpoints
Main DC
Remote
Location
Switches are in vPC
domain EP info synch
over vPC control plane
Po1 Po2
• “Greedy Forwarding” vPC
Po1 to vPC Po2 on RL
EP3 EP1 EP2
ACI 3.1

ACI Remote Leaf
End Connectivity Options
Remote Leaf should be part of a vPC Domain
• Dual attachedhost with Active /
Active links (LACP)
• Dual attachedhost with Active / Active links (LACP)
• Dual attachedhost with single active uplinks (MAC pinning,
Active/Standby teaming etc.)
• Single attachedhosts (orphan ports)
EP info sync over
vPC control plane
EP info sync over
vPC control plane
ACI 3.2

ACI Remote Leaf
Local Traffic Forwarding for Orphan Endpoints
Main DC
Remote
Location
Switches are in vPC
domain EP info synch
over vPC control plane
EP3 EP1 EP2
ACI 3.2

ACI Remote Leaf
PBR
Main DC Remote
Location
EP1 EP2
EP1
EPG1
EP2
EPG2
Contract
PBR to Service
Node at RL
L4-L7
Service Node

ACI Remote Leaf
PBR
Main DC Remote
Location
EP3
EP1 EP2
EP1
EPG1
EP2
EPG2
Contract
PBR to Service
Node at RL
L4-L7
Service Node
ACI 4.0

ACI Remote Leaf
Inter-VRF Traffic
Main DC Remote
Location
EP3
EP1
VRF1
EP2
VRF2

ACI Remote Leaf
Inter-VRF Traffic
Main DC Remote
Location
EP3
EP1
VRF1
EP2
VRF2
ACI 4.0

ACI 3.2 Release
FEX Support
ACI Virtual Edge
OpenStack,
Kubernetes
Atomic Counters
ACI 3.1 Release
EX and FX Models
vMotion To Remote
Location
VMware DVS,
Hyper-V
Local Service
Integration
ACI 4.1 Release
MACSEC
Inter-VRF Local
Switching
EP Tracker &
Traffic Map
Remote Leaf +
Multi-Site
RL to RL direct
switching
64 ToRs
ACI 4.0 Release
120 ToRs
ACI: Remote Leaf
Roadmap New

Cisco ACI
Virtual Edge
4

ACI Virtual Edge
Maintain Existing
Operational Models
Simple Transition/Migration
AVS => AVE
Policy Consistency Across
Multiple Hypervisors
AVS/AVE
Feature Parity
Q1
CY 18
Shipping Since ACI 3.1 (Q1 CY 18)
VMVMVM VMVMVMVM
ACI Virtual Edge (AVE)
Cisco ACI Virtual Edge
Hypervisor Dependent
VM VM VM VM VM VM
Hypervisor
Bare Metal Server
AVS
Hypervisor Agnostic
ACI Virtual
Edge
VM VM VM
Hypervisor
Bare Metal Server
Native Switch

Use Cases
Simplify Fabric Interconnect and Blade Switch deployments
Complete visibility into virtual workloads
Micro-Segmentation
Investment Protection & Migration of workloads to ACI
1
2
3
4
Distributed Firewall and Scale5

ACI 3.2 Release
L4-L7 Services
Health Monitoring
Remote Physical Leaf
Support
Remote Storage
Support
ACI 3.1 Release
VLAN, VxLAN
Micro-Segmentation
Distributed Firewall
Migration from AVS
ACI Future
Virtual Pod (vPod)
Proactive HA
VxLAN Load
Balancing
Local Switching and
Policy
Container L4-L7
Services
Multi NIC support
ACI 4.0 Release
Tetration Sensor
ACI: Virtual Edge (AVE)
Roadmap New

Virtual PoD
(vPoD)
5

vSpine
vLeafvLeaf
ACI Virtual Edge
IP Network
On-Premise
Remote
Location
Bare Metal Clouds
(IBM BlueMix, AWS Elastic Metal etc.)
Remote Data
Centers
Colo Facilities
(Equinix, CoreSite etc.)
Brownfield
Deployments
VMVMVM VMVMVMVMVMVMVM VMVMVMVM
Virtual Pod
Hypervisor
Logical Connection To Spine
(BGP-EVPN/ VXLAN)
ACI: Virtual PoD
ACI 4.0

ACI vPod Requirements
Hardware & Software Components
Supported Spines
Fixed Spine
• N9364C
• N9332C
Modular Spine (C9504/C9508/C9516)
• N9732C-EX with N9K-C950x-FM-E(2)
• N9736C-FX with N9K-C950x-FM-E(2)
APIC Controller Software
• ACI 4.0+ onward release
 VMware vCenter running 6.0 or later
 2 hosts for Management cluster
recommended
• Management & Payload Can Co-exist
 ESXi 6.0 or 6.5
• Each vSpine (x2) & vLeaf(x2) VM consumes 4vCPU,
16 GB RAM and 80 GB storage
• Each AVE (one per ESXi host) VM consumes 2vCPU,
8 GB RAM and 8 GB storage
*Footprint of VMs might change at FCS.
vPod Data CenterOn-Premises Data Center

ACI vPod License Elements
Cisco ACI Virtual Edge
(vPod Mode - per WorkloadServer)
ACI Virtual Edge
Management Cluster – per vPod
AVE (vPod Mode) – per Server
64 Hosts
Up To 6 vPods In FCS Release
Single License
Per ManagementCluster
Up to 64 AVE per vPod
(@FCS – Up To 8)
Software License Per AVE
(AVE is NOT Licensed if Not In vPod)

ACI 4.0 Release
Local Policy Enforcement
Live vMotion across vPod and
On-Prem
Stretched BD across vPod and
On-Prem
6 vPods
Local L3out
L4-L7 Services
Microsegmentation
Remote Leaf support
Multisite support
Tetration Sensor
Future
IPv6 support
ACI: vPod Roadmap
New
12 vPods

Cloud APIC
(cAPIC)
6

SAN
NAS, NFS
RDMS
Elastic Block Store (EBS),
Elastic File System (EFS), S3
Amazon RDS
On-Premise Servers
Virtual Machines (VM)
Containers
Amazon Machine Image (AMI)
Amazon EC2 Instances
Elastic Container Service (EKS)
Router
Switch
Load Balancer
Virtual Private Cloud (VPC)
Elastic Load Balancing (ELB)
Firewall
Access Control Lists (ACLs)
Administrators
Security Groups
Network ACLs (NACL)
Identity and Access Management (IAM)
Security
Networking
Servers /
Computation
Storage &
Databases
Cloud Core
Infrastructure & Services
Traditional AWS

Challenges in building a Multi Cloud environment
• Consistent policy, security
and analytics for the
workloads deployed either
or across On-Premise
datacenters and Public
Cloud
• Need an automated and
secure Inter-connect
between On-Premise
datacenters and public
cloud with ease of
provisioning and
monitoring
• Single pane of glass to
manage, monitor and
troubleshoot policies
across On-Premise
datacenters and Public
cloud

Cloud Deployment
2-Tier App Deployment Model Comparison
Region 1
Availability Set 1
Subnet
Scale
Set
Azure Load
Balancing (external)
Azure Load
Balancing (Internal)
Azure Management
Portal
Subnet
Public IP
Availability Set 2
Availability Set 1 Availability Set 2
Netw ork
Security
Group
Netw ork
Security
Group
Region 1
Availability Zone 1 Availability Zone 2
Subnet
Auto
Scaling
Group
Security
Group
Elastic Load
Balancing (external)
Elastic Load
Balancing (Internal)
AWS Management
Console
Availability Zone 1 Availability Zone 2
Subnet
Security
Group
Elastic IP

Cloud APIC (cAPIC)
cAPIC
Virtual Form Factor of APIC
Translates ACI Policy to Cloud Native Policy Constructs
Automates the deployment and configuration of
Infrastructure components in the Cloud
North Bound Rest Interface to configure cloud
deployments
Similar look and feel as APIC
cAPIC cluster can manage one or more regions

IP
Network
AWS Region
EPG
W eb
EPG
APP
Contract Contract
EPG
DB
SG
W eb
SG
APP
SG Rule SG Rule
SG
DB
On-Premise DC
VMVMVM
Public Cloud
Monitoring &
Troubleshooting
Common
Governance
Operational
Consistency
Single Point
Of Orchestration
Discovery
& Visibility
Policy
Translation
Multi-
Site
ACI Extensions to AWS
Site 1 Site 2
GA Q1CY19

Application Security Group
(ASG)
Virtual Network
Subnet
Network Security Group
(NSG)
Outbound rule
Inbound rule
Resource Group
Source/Destination: ASG or Subnet or IP or Any or ‘Internet’
Protocol
Port
Network Adapter
Tenant
VRF
BD Subnet
EPG
Filters
Consumed contracts
Provided contracts
Virtual Machine
Policy Mapping - Azure
For your info
& reference

Security Group
Virtual Private Cloud
Security Group Rule
Outbound rule
Inbound rule
User Account
Source/Destination: Subnet or IP or Any or ‘Internet’
Protocol
Port
Network Adapter
Tenant
VRF
BD Subnet
EP to EPG Mapping
Contracts, Filters
Consumed contracts
Provided contracts
EC2 Instance
VPC subnet
EPG
Tag / Label
End Point (fvCEp)
Network Access List Taboo
Policy Mapping - AWS
For your info
& reference

Policy Mapping – AWS (2/2)
Region
Identity and Access
Management (IAM)
AAA Users, Security Domains
Pod
Path/Node Attachment
Overlay-1 VRF (ACI Infra)
Border Leaf, Spine (Internal and
External connectivity)
Shared Services / Common
Availability Zone (AZ)
Infra VPC
VPC Peering
Internet Gateway,
VPN Gateway,
Direct Connect,
CSR1000V
Inter Region VPC Peering
Direct Connect Gateway
Inter POD Connectivity
For your info
& reference

• cAPIC
• AVE
• VPoD
• Multisite
Orchestrator
Public
Cloud
(XaaS)
• AVE
• Remote Physical
Leaf (N9K)
Bare Metal
Cloud
(Physical)
ACI Anywhere
Deployment Stack
Bare Metal
Cloud
(Virtual)
• AVE
• VPoD
• APIC
• Spine / Leaf
(N9K)
• AVE / OVS / DVS
• Multisite
Orchestrator
On-Prem
Data Center
+

Cisco Connect Toronto 2018 dc-aci-anywhere

Cisco Connect Toronto 2018 dc-aci-anywhere

More Related Content

What's hot

Similar to Cisco Connect Toronto 2018 dc-aci-anywhere

More from Cisco Canada

Recently uploaded

Cisco Connect Toronto 2018 dc-aci-anywhere