Gain Insight and Programmability with Cisco DC Networking

© 2017 Cisco and/or its affiliates. All rights reserved. 1
Robert Zalobinski Nadir Lakhani
Technical Solutions Architect Technical Solutions Architect
November 28, 2017
Cisco DC Networking:
Improved Insight and Programmability
Cisco
Connect
Montreal
Your Time
Is Now

C97-739634-00 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Pillars of Cisco’s Data Center Strategy
Hardware innovationApplication awareMulticloud First Capture Intent

Cisco Data Center Use Cases
Multicloud Mobility Security Modernize Infra.
• Threat Intel
• Multi-layer
• Compliance
• Performance
• Security
• Scale
Analytics
• Infra.
• Apps.
• Ops.
Automation
• Ops
• Provision
• Maint.
• Benchmark
• Policy
• Blueprints

4© 2017 Cisco and/or its affiliates. All rights reserved.
Nexus Switching

Portfolio at a Glance
Nexus 7700 Series
Nexus 7000 Series
Nexus F and M Series
Line Cards
Nexus 3200 Series
Nexus 3100 Series
Nexus 3600 R Series
Nexus 5600 Series
Nexus 2300 Series
Nexus 9500 Series
Nexus 97xx Series
Line Cards
Nexus 96xx-R Series
Line Cards
Nexus 9300 Series
Nexus 9200 Series
Nexus
7000 Series
Modular
Nexus
3000 Series
Fixed
Nexus 5000
and 2000
Series Fixed
Nexus
9000 Series
Modular
Nexus
9000 Series
Fixed

Areas of Investment
CloudScale
ASICs
Nexus 9000 CloudScale
General Data Center Design
• High Speed Fabrics
(ACI, NX-OS)
• VXLAN, Segment Routing
Broadcom
Jericho
Nexus 9000 Jericho
Financials and
Collapsed Core/Edge
• Financial Multicast (UDP)
• VXLAN, Segment
Routing, MPLS
• Large Routing Tables and
WAN buffer requirements
Cisco
Custom ASICs
Nexus 7000 Series
General Data Center Design
• Data Center Interconnect
• DC and Campus Core
• Cross Domain Policy
Integration
Broadcom T2+/T3/
TH/TH2/Jericho
Nexus 3000 Series
Merchant Silicon
Alternative
• Fabric Designs (customers
specifically looking for
BCOM based SOC)
• Specific Use Cases (ULL,
Data Path
Programmability)

EX and FX Series Cloud Scale Switches
Nexus 9200/9300
Nexus 9500
EX Cloud Scale
• ACI and NX-OS
• 10/25/40/100G
• Tetration Hardware Sensor
• Support for N2000 (FEX)
FX Cloud Scale Enhancement
• Line rate Encryption
• UP (25GbE and 32G FC)
• 25G RS FEC

Nexus 9000 Cloud Scale
Fabric Foundation with 2 Year Innovation Advantage
Nexus 9200/9300
Nexus 9500
Nexus 9000
Cloud Scale
Innovations
Integrated line rate flow capture
Streaming analytics export off chip
Integrated line rate encryption
Smart Buffering
Multi-speed ports
64p 100G line rate routing in single chip
Unified ports—10/25GbE and 8/16/32G FC

Nexus 9000 Cloud Scale
Addressing Customer Cloud Asks
Visibility and telemetry at line rate
Encryption at line rate
Fastest available: 10/25/50/100G
The right price point/50% lower system cost
Multi-speed—upgrade when needed/
minimize disruption
Dynamic Fabric Performance Optimization for
Cloud Applications
Better reliability
Nexus 9200/9300
Nexus 9500
Nexus 9000
Cloud Scale

Nexus 9300 Portfolio
Modular Uplink
Integrated Uplink
48x25G+6x100G (Nexus 93180YC-EX)
48x10GT+6x100G (Nexus 93108TC-EX)
28p 40/50G+4p 100G (Nexus 93180LC-EX)
48x10GT+12x40G (Nexus 9396TX)
48x10G+12x40G (Nexus 9396PX)
96x10G+8x40G (Nexus 93128TX)
32x40G (Nexus 9332Q)
48x10GT+6x40G (Nexus 9372TX(E))
48x10G+6x40G (Nexus 9372PX(E))
96x10G+6x40G (Nexus 93120TX)
Gen 1: 2 ASICs Gen 2: CloudScale (1 ASIC)
48x25G+6x100G (Nexus 93180YC-FX)
(Q2CY17)
48x1GT+4x10/25G+2p 100G (Nexus 9348GC-FXP)
48x10GT+6x100G (Nexus 93108TC-FX)
1G
10GT
10/25G
40/50G

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Programmable Fabric
VXLAN EVPN multi-site solution
VXLAN OAM, Tenant Multicast
Segment Routing L3 EVPN
DCNM Integration
Visibility/Analytics
Tetration Integration
NX SW and HW Streaming Telemetry
Netflow-v9
Security
Secured Access
Encryption (MacSec and CloudSec)
High Availability
Enhanced ISSU
Automation
DCNM
Nexus Configuration Mgmt Modules
(Puppet/Chef/Ansible)
Industry Standard Data Models
(OpenConfig / IETF YANG)
Infrastructure
NX-SDK
Intelligent Services, PMN
FCOE FC UP on FX Platforms
Cisco NX-OS
Innovations in Cisco NX-OS

Cisco ACI
Path to Agility in an App-Centric
World

Cisco ACI: Industry Leader
Ecosystem Partners
Data Center Switching Growth ACI Customers ACI Attach Rate on N9K Ecosystem Partners
6%Y/YQ4 50+%4,000+ 65+

ACI Benefits
Any workload
Physical, Virtual, Containers
Open
Programmability
Conducive for
Automation/Orchestration
Policy Driven
Eliminates Network Dependencies
Optimal DC Network
Eliminates L2 Spanning-Tree Protocol
L3 Fabric
Integrated VXLAN Overlay
Distributed L3 GW
VMM Integration
vCenter, HyperV, Openstack,
Kubernetes
Single Point of
Configuration
APIC Controller
Secure White-list
Model
Next-Gen DC Fabric
Spine / Leaf
Network Services Integration
Network Policy, Service Policy, Service Manager

Remote PoD Multi-Pod / Multi-Site Hybrid Cloud Extension
ACI Anywhere
Any Workload, Any Location, Any Cloud
ACI Anywhere
IP
WAN
IP
WAN
Remote Location Public CloudOn Premise
Security Everywhere Policy EverywhereAnalytics Everywhere

What’s New in ACI 3.0?
Hardware, Security, Scale, Usability, Fabric Extension
Policy-Driven
Infrastructure
Fabric Management
• Multi-Site
• Refreshed APIC GUI
• Graceful Insertion and Removal
• QinQ to EPG Mapping
• TCAM Tile Infra
• Latency and Precision Time Protocol
Infrastructure
• Nexus 9364C (Fixed Spine)
• Nexus 9348GC-FXP (1G ToR)
• N9K-X9736C-FX (Spine LC)
• Ingress QoS Policing per EPG
Virtualization
• Kubernetes Support
• VMM: Delayed EP detach/attach
for DVS and AVS
• AVS: QoS Marking
Security
• Micro-segmentation Enhancements
• 802.1X – End Point Authentication
• 2 Factor Authentication
• First Hop Security

ACI Software Enablement
Nexus 9000 Platforms
Nexus Foundation: CloudScale Platforms
Nexus 9300
Nexus 9500
Nexus 9000
ACI
3.0
Nexus 9364C –
Fixed Spine
64p 40/100G QSFP
ACI
3.0
Nexus 9736C-FX
36p 40/100G Line Card
(4/8/16 slot)
ACI
3.1
N9K-C9516-FM-E2
Fabric Module with 100G (16 slot)
ACI
2.2(2)
Nexus 93180YC-FX
48p 10/25G SFP +
6p 40/100G QSFP
ACI
2.2(2)
Nexus 93180TC-FX
48p 1/10GT + 6p 40/100G QSFP
ACI
3.0
Nexus 9348GC-FXP
48p 100M/1G Base-T,
4p 10/25G SFP+

Inter-Site IP Network
Site A Site B
Multi-Site
Appliance
Geographically Dispersed
Active/Active Data Centers
Active/Standby Data Centers
For Disaster Recovery
Stretch VRF, EPG, BD
Across Sites with VXLAN
Up to 500ms to
1 sec Latency
ACI Multisite
Extends Network Virtualization, Policy & Services to Multiple Fabrics

First Step Towards Intuitive APIC GUI
Usability
• New Look and Feel across Applications
• Consistent Layout across Tabs
• Collaborate by Sharing Objects
• Simplified Topology Views
• Release Bulletin
• Troubleshooting
• User Profiles
• Alerts
Operations
• Personalized User Profile
• Dashboard Widgets
• Improved Health Score and
Fault Counts
Configuration
• Best of both Basic and Advanced UI
• Simplified Port Selectors
• Workflows simplified
• New APIC Postman App

Gracefully isolate the node from fabric
Troubleshoot (if required)
Re-commission the node
1
2
3
L2/L3
GIR diverts the data traffic to alternate paths and allows
node troubleshooting, maintenance and upgrade.
Graceful Insertion and Removal (GIR)

Cisco ACI Virtual Edge
Decoupled From Hypervisor Kernel API Dependencies
ACI Virtual Edge
ACI Virtual Edge (AVE)
Maintain Existing
Operational Models
Simple Transition/Migration
AVS => AVE
Policy Consistency Across
Multiple Hypervisors
AVS/AVE
Feature Parity
Legacy AVS (Today)
Hypervisor Dependent
Cisco AVE (Q1 CY18)
Native vSwitch
VM
Switching +
Policy Enforcement
VM VM
AVE
Q2
FY18
Q1
CY18
Hypervisor Agnostic
VM VM VM
AVE
AVS
Policy Enforcement,
Services, Telemetry
UserSpaceKernel
Future

Future
ACI Infrastructure
Extend ACI Policy to Satellite Data Centers
Options 1. Remote Physical Leaf (Nexus 9K)
ACI 3.1: Q1 CY 2018
2. Remote Pod (Virtual)
(Futures)
On Premise
IP
Network
L2 / L3
Remote Data Center
Nexus 9K
Physical Leaf
Remote PoD
Virtual (Spine + Leaf)
AVE AVE

Connectivity
Usability
Maintenance
Operations
ACI Infrastructure Enhancements
Integration of Clustered
Network Services
IEEE 1588 and Latency
(ACI 3.0)
TCAM Profiles
(ACI 2.3 and ACI 3.0)
Maintenance Mode
(ACI 3.0)
Software Maintenance
Update (SMU)
Patching Support
Mixed OS (ACI 2.3)
EPG Contract
Inheritance (ACI 2.3)
New APIC GUI with
Simplified Workflows
(ACI 3.0)
vSphere Tags (ACI 2.3)
100G Front Panel Port
Support: 93180LC-EX
(ACI 2.3)
Breakout
(93180LC-EX)
(ACI 3.1)
Flexible Port
Configuration for
Uplink/Downlink
QSA (9364c)
(ACI 3.1)

ACI: Cloud Automation
Virtualization and Orchestration
Deploy
Tenant
Deploy
App
Deploy
Firewall
vSphere 6.5, Tags (ACI 2.3)
vCenter Plugin (RBAC) (ACI 3.0)
NG-Application Virtual Switch
AzurePack –
VPN Termination (ASA, ASR 1K)
AzureStack
Newton Support, IPv6 (ACI 2.3)
Bare-Metal Provisioning (Ironic)
Ocata Support
Cloud
Automation
Unified Networking (ACI 3.0)
Integration of Kubernetes
network policies and ACI policies
Visibility

ACI Security
Automated Security with Built In Multi-Tenancy
Q4 CY
2018
Micro-Segmentation
DNS EPG, AD Based EPG
(ACI 3.1)
ACI
3.0
Contracts
Inheritance, Intra-
EPG Contracts
Q4 CY
2017
Certifications
FIPs and UC-APL Certified
Common Criteria (in progress)
ACI
3.1
MACSEC Encryption
APIC Centralized Key
Management
ACI
2.3
ACI-TrustSec Integration
Higher Scale (15K)
ACI
3.0
First Hop Security
IP Source Guard, DHCP Guard,
DHCP Snooping, etc.

Scale Improvements
FEX
Up to 650 / Fabric
Up to 20 / Leaf
Leafs
Up to 400 Per Fabric
8 Border Leafs per L3 Out
Multicast Groups
Up to 8,000 (S,G) routes with
Convergence of 5 seconds
Bridge Domains
Up to 21,000 (L2), 15,000 (L3)
Up to 1750 Bridge Domains/VRF
3967 VLANs per leaf
3967 VLANs + BDs
EPGs
Up to 15000
Up to 1k L3 EPGs/EX-Leaf
4k L3 EPGs for one tenant
& one context
250 Isolated EPGs
Other
Up to 200 vCenters
Up to 2,000 Contracts
Up to 61k TCAM Rules
500 Service Graphs Per Cluster
Up to 12 Pods in Multi-Pod
Tenants
Up to 3000
Layer-3
50 VRFs Per Tenant , 1k Ips/MAC

ACI/NX-OS
L4-7 Integrations: Interoperate and Extend Automation
Security EnforcementSecurity ManagementADC

Cloud Orchestration
and ITSM
Cloud Automation
and PaaS
Monitoring NX-OS
Rich Ecosystem with Cisco ACI and NX-OS

Cisco ACI: App Center
Programmable Infrastructure: Open APIs For Value Added Applications
Visually monitor externally
routed interface states
And next hop add/delete
Monitoring and
Troubleshooting
Analytics
Auto Provision ACI network
by simply importing Tetration
ADM
Auto Provisioning
cTrac Fault Analytics Tetration
Intuitively analyze historical
fault metrics and audit logs
with variety of filters
Infoblox v2.0
Connectors and
Integrators
ECOSYSTEM Sample Apps
Improved UI with robust
syncing. Configure and
provision new DHCP ranges
from the App

Cisco Tetration Analytics
Get to a Secure Zero-Trust Model in
an Application-Centric World
Cisco
Tetration
Analytics

Rapid App
Deployment
Continuous Development
Application Mobility
Micro Services
Policy
Enforcement
Heterogeneous Network
Secure Zero-Trust
Policy Compliance
Security Challenges in Modern Data Centers
Securing Applications Has Become Complex
Applications Are Driving Modern Datacenter Infrastructure

Holistic Approach to Server Protection
Dynamic and heterogeneous
environment
Traffic visibility, server process
baseline, and analytics
Policy that enables
application segmentation
Segmentation
Application control
using whitelists
Advanced
behavior analysis
Break
organizational
siloes

Operations
Use Cases
Security
Cisco Tetration™
Visibility and
forensics
Application
insight
Policy
Neighborhood
graphs
Application
segmentation
Compliance
Policy
simulation
Process
inventory

Architecture Overview
Software sensor and
enforcement
Embedded network
sensors
(telemetry only)
ERSPAN sensors
(telemetry only)
Analytics engine
Web GUI REST API Event notification Cisco Tetration apps
Third-party
sources
(configuration data)
Data collection layer
Access mechanism
Bring your own
data
(streaming telemetry)

Data Sources
Main features
ü Low CPU overhead (SLA enforced)
ü Low network overhead
ü New Enforcement point (software agents)
ü Highly secure (code signed and authenticated)
ü Every flow (no sampling) and no payload
*Note: No per-packet telemetry; not an enforcement point
Software sensors
Universal*
(basic sensor for other OS)
Linux servers
(virtual machine and bare metal)
Windows servers
(virtual machines and bare metal)
Windows Desktop VM
(virtual desktop infrastructure only)
Cisco Nexus 9300 EX
Cisco Nexus 9300 FX
Network sensors
Next-generation Cisco Nexus® Series Switches
Third-party sources
Asset tagging
Load balancers
IP address
management
CMDB
…
Third-party data sourcesAvailable today

• Dedicated virtual machines on each host with 4 software sensors in each virtual machine
• Each sensor binds to a separate vNIC
• ERSPAN terminates on the virtual machine vNIC
• Each sensor terminates one ERSPAN session
• Sensor generates telemetry based on the data-plane traffic
• Horizontally scalable
Layer 3 connection
ERSPAN
Layer 3 switch
Cisco Tetration telemetry: ERSPAN option
Expanded telemetry
collection option
• Augment telemetry from other
parts of the network
• Useful when software sensor
or hardware sensor is not
feasible
Cisco Tetration™
telemetry
Cisco Tetration™
Platform
Production
network
Production
network

Application Dependency and Cluster Grouping
Bare-metal, VM,
and switch
telemetry
Cisco Tetration
Analytics™ platform
Unsupervised machine
learning
Behavior analysis
On-premises and cloud workloads (AWS)
Bare-metal and
VM telemetry
VM telemetry
(AMI …)
BM VM
BMVM
VM BM
BMVM
BM
VM BM
VMVM
Bare metal and VM
BM VM VM BM
Brownfield
üüü ü
BM VM VM BM
üüü ü
Network-only sensors,
host-only sensors, or both (preferred)
BM VM VM VM BM
Cisco Nexus® 9000 Series ü

Application clusters
conversation views Policy details
Application Conversation View

Whitelist Policy Recommendation
Application discovery
{
"src_name": "App",
"dst_name": "Web",
"whitelist": [
{
"port": [0, 0],
"proto": 1,
"action": "ALLOW"
},
{
"port": [80, 80],
"proto": 6,
"action": "ALLOW"
},
{
"port": [443, 443],
"proto": 6,
"action": "ALLOW"
}
]
}
Whitelist policy recommendation
(available in JSON, XML, and YAML)

Compliance, Policy Validation
All Flows are tracked 4 ways
• Permitted, bidirectional flows
that match the policy
• Misdropped, permitted traffic
where we have dropped a
packet
• Escaped, bidirectional flows
that are against the policy
• Rejected, uni-directional
flows that are against the
policy

User-Uploaded asset tags
• Discovered inventory
• Uploaded inventory and metadata (32 arbitrary tags)
• Inventory tracked in real time, along with historical trends
User-uploaded tags
Cisco Tetration Analytics™
sensor feed
Real-time inventory merged with
information with historical trends
Cisco Tetration
Analytics
merge
operation
VMware vCenter
(virtual machine attributes)
AWS attributes
(AWS tags)

Segmentation Policy: Express Policies in Human
Language
Development can’t talk to production
• Cisco Tetration™ knows who is production
• Cisco Tetration knows who is development
• Policies are continuously updated as applications change

Cisco Tetration Application Segmentation
Policy Recommendation
Cisco Tetration
Analytics™
Application workspaces
Application
segmentation
policy
Public
cloud
Private
cloud
On-premise

Enforcement of Policy across any floor tile
Azure Amazon
Cisco Tetration Analytics™
1. Generates unique policy
per workload
2. Pushes policy to all
workloads
3. Workload securely enforces
policy
4. Continuously recomputes
policy from identity and
classification changes
Google
Enforcement
Compliance monitoring
VirtualBare metal Cisco ACITMPublic cloud Traditional network

Policy-Related Notification
Cisco Tetration
Analytics™
Kafka
broker
Northbound
consumers
Northbound
consumers
Message publish
Kafka
• Alerts every minute
for enforcement
• Policy compliance
event notifications
• Count of policy alerts
until whitelisted
• Alerts when IP tables or
firewall is flushed or disabled
by user
• Alerts when enforcement
sensor is disabled
• Publishes policy differences
between versions

Rule-Processing Order
• Application owners need some amount of autonomy to
make application-level
changes quickly
• Security and network teams
need to control the global aspects
of application interconnection
and shared services
• Cisco Tetration™ flattens intent in a
deterministic order, prioritizing
intent of higher-authority users over intent of
application owners
Security team rules
Network team rules
Application owner rules

Rest API
• Cisco Tetration flow search
• Sensor management
Push notification
• Out-of-the-box events
• User-defined events
Cisco Tetration applications
• Access to data lake
• Write your own application
Open API
Northbound
application
Programmatic interface
Rest API
Kafka
broker
Northbound
consumers
Northbound
consumers
Message publish
Cisco
Tetration
Analytics™
platform
Kafka
Cisco Tetration™
applications

Cisco Tetration: Bring your own data
Main features
ü Stream any JSON-based telemetry to a data sink
ü Support up to 10 simultaneous streaming topics
ü Bring up to 5 GB of data per hour per streaming topic
ü Analyze and write your results through alerts or UI
Northbound
consumers
Data
sink
Public Cloud
Streaming JSON telemetry

Cisco Tetration: User authentication
Cisco Tetration
Analytics™Users and application
owners and
administrators Active Directory
integration for
authentication
App 1, Role:
Enforce
App 2, Role:
Execute
App 3, Role:
Read only
Windows Server
Active Directory
WordPress
SAP
Authentication
• External AAA server integration
• Authentication through Kerberos
or LDAP
• Support for multiple domains
• Default to local authentication
and authorization, if
not configured
RBAC capabilities
• Local users created
automatically when they log in
• Administrator maps users to
specific roles and scopes
for authorization
• Administrator can set default
role and scope for users without
specific roles and scope
mapping

Cisco Tetration™ Cloud
• Software deployed in AWS
• Suitable for deployments of
less than 1000 workloads
• AWS instance owned
by customer
Cisco Tetration™ Platform
(large form factor)
• Suitable for deployments of more
than 5,000 workloads
• Built-in redundancy
• Scales to up to 25,000 workloads
Includes:
• 36 x Cisco UCS® C220 servers
• 3 x Cisco Nexus® 9300
platform switches
Cisco Tetration-M (small form
factor)
• Suitable for deployments of less
than 5,000 workloads
Includes:
• 6 x Cisco UCS C220 servers
• 2 x Cisco Nexus 9300
platform switches
Tetration Analytics: Deployment Options
Amazon
Web Services
On-premises options Public cloud

Ecosystem
Service visibility Layer 4-7 services integration
Security orchestration Service assurance
Insight exchange
Cisco Tetration
Analytics™

Open
In summary: Platform built for scale and flexibility
Real time and scalable
Granular policy
enforcement
Easy to use
• Every packet, every flow
• Application segmentation
for 1000s of applications
• Long term
data retention
• Consistent policy
enforcement
• Identify policy deviations
in near real-time
• Support for
workload mobility
• One touch deployment
• Self monitoring
• Self diagnostics
• Standard web UI
• REST API (pull)
• Event notification (push)
• Tetration applications

Cisco Data Center Reference Architecture
Cisco Prime services catalog
Cisco Nexus
Cisco HyperFlex
Cisco UCS
Cisco MDS
Cisco AzureStack
Cisco Security Portfolio
Cisco CloudCenter
Cisco Turbonomics
AppDynamics
Cisco ACI
Cisco ACI
Cisco DCNM
Cisco Intersight
Cisco UCS-Director
AppDynamics
IT services consumption
multicloud
Private cloud/PaaS Integration
DC Infrastructure
Management and automation
SecurityAnalytics
ACI / Nexus
Tetration

Gain Insight and Programmability with Cisco DC Networking

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Gain Insight and Programmability with Cisco DC Networking

Similar to Gain Insight and Programmability with Cisco DC Networking (20)

More from Cisco Canada

More from Cisco Canada (20)

Recently uploaded

Recently uploaded (20)

Gain Insight and Programmability with Cisco DC Networking