#CiscoLiveLA BRKACI-2117 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 1
Cisco ACI Anywhere
Journey from single DC to Multi-Cloud
Lionel Hercot, Technical Marketing Engineer, DCN (@LHercot)
BRKACI-2117
Legal Disclaimer
Any information provided in this document regarding future functionalities is for informational purposes only and is subject to change, including ceasing any further development of such functionality. Many of these future functionalities remain in varying stages of development and will be offered on a when-and-if available basis, and Cisco makes no commitment as to the final delivery of any of such future functionalities. Cisco will have no liability for Cisco's failure to deliver any or all future functionalities, and any such failure would not in any way imply the right to return any previously purchased Cisco products.
ACI Anywhere
Edge / Remote, Core Data Centers and Multicloud: Virtual ACI and Cloud ACI extend the ACI fabric over the IP WAN.
Timeline:
• Multi-Pod: ACI 2.0
• Multi-Site: ACI 3.0
• Remote Leaf: ACI 3.1
• Virtual ACI: ACI 4.0
• Cloud ACI: ACI 4.1
ACI: Turnkey integrated solution
• Zero-touch provisioning
• Auto deployment of the Underlay and the Overlay
• Managed like a single large switch
• Single management point
  § Underlay and Overlay
  § Monitoring
  § Troubleshooting
ACI: Any Type of Workload – Anywhere
Any workload (Virtual / Bare Metal / Container) on ESX (VMware), Hyper-V (Microsoft), KVM (Red Hat), Container (Docker) or a physical server, using VLAN or VXLAN/NVGRE encapsulation; the Network Admin manages the fabric through APIC while the Application Admin keeps the existing application management tools.
Penalty Free Overlay:
• Integrated gateway for VLAN and VXLAN networks from virtual to physical to container
• Normalization for VXLAN and VLAN networks
• Customer not restricted by a choice of hypervisor
• Fabric is ready for ANY workload
Any VLAN anywhere
• UCS_VLANs (Static Pool): Bare Metal Servers
• vDS-01 (Dynamic Pool): Virtual Machines
• Linux_VLANs (Static Pool): Physical Servers
• Windows_VLANs (Static Pool): Physical Servers
• Outside_VLANs (Pools): Outside_Fabric
with Integrated DCI solution (Multi-Pod)
Cisco ACI: Secure Multi-Tenant Fabric
Authentication, Authorization, and RBAC
• Multi-Tenancy
• Any type of workload anywhere
• "Availability" zones structured with loose coupling
ACI Components
• Leafs: Nexus 9300
• Spines: Nexus 9300 (fixed), Nexus 9500 (modular)
• Controllers: APIC-CLUSTER-M3, APIC-CLUSTER-L3 (> 1250 Edge Ports)
ACI Architecture
Spines, Leafs and Controllers together form the fabric, which is operated like one Modular Switch.
ACI Object Model
• Tenant (ex: Dev, Prod, …) contains VRFs (L3), e.g. VRF-1 and VRF-2 in tenant Dev
• Each VRF contains Bridge Domains (BD, L2), each with its Subnet (e.g. 10.10.10.254, 10.10.20.254, 10.10.21.254)
• An Application Network Profile (ANP) groups EPGs (Web, App, DB), which communicate through Contracts (C)
Service Insertion in ACI
A Service Graph is inserted between the Users EPG and the Web EPG. A Service Graph can be:
• Managed or unmanaged
• Copying or redirecting traffic
• L2 or L3
How to extend ACI outside one DC?
Data Center Interconnect Solutions
ACI Simplifies the Deployment of DCI
• Common Control/Data Plane options used across different architectures
• Consistent security policies end-to-end
Options:
• ACI Multi-Pod Fabric: Pod 'A' … Pod 'n' connected over the IPN with MP-BGP EVPN, managed by one APIC Cluster
• ACI Multi-Site: Fabric 'A' … Fabric 'n' connected over an IP network with MP-BGP EVPN
• ACI Physical Remote Leaf
• ACI Virtual Remote Leaf (vPod)
Multi-Pod
ACI Multi-Pod: The Ideal Architecture for Active/Active DC Deployments
(For More Information on ACI Multi-Pod: BRKACI-2003)
Pod 'A' … Pod 'n' are connected by the Inter-Pod Network carrying VXLAN with MP-BGP EVPN (up to 50 msec RTT); each Pod runs its own IS-IS, COOP and MP-BGP and forms an Availability Zone, while one APIC Cluster spans all Pods.
§ Multiple ACI Pods connected by an IP Inter-Pod L3 network, each Pod consists of leaf and spine nodes
§ Managed by a single APIC Cluster
§ Single Management and Policy Domain
§ Forwarding control plane (IS-IS, COOP) fault isolation
§ Data Plane VXLAN encapsulation between Pods
§ End-to-end policy enforcement
ACI Multi-Pod: Supported Topologies
• Intra-DC: POD 1 … POD n in one data center, 10G/40G/100G into the IPN with 40G/100G spine uplinks
• Two DC sites directly connected: POD 1 and POD 2 over Dark fiber/DWDM at 40G/100G (up to 50 msec RTT)
• 3 DC sites directly connected: POD 1, POD 2 and POD 3 over Dark fiber/DWDM at 40G/100G (up to 50 msec RTT)
• Multiple sites interconnected by a generic L3 network: 10G/40G/100G into the L3 network (up to 50 msec RTT)
In every topology a single APIC Cluster spans the Pods, each Pod hosting Web/App and DB workloads.
Multi-Site Orchestrator
ACI Multi-Site: Use Cases
• Scale-Up Model to Build a Large Data Center Interconnect (DCI)
• Intra-DC Network
ACI Multisite: Multisite Orchestrator (Shipping)
Site A, Site B, Site C and Site D, each hosting its own VMs, are managed by one Multisite Orchestrator, which provides:
• Policy Consistency: consistent policy across sites
• Single Point of Orchestration
• Availability: fault isolation
• Scale
ACI Multi-Site Overview (ACI 3.0 Release)
(For More Information on ACI Multi-Site: BRKACI-2125, LABACI-2000)
Site 1 (Availability Zone 'A') and Site 2 (Availability Zone 'B') are connected over an IP Network carrying VXLAN with MP-BGP EVPN; the Multi-Site Orchestrator is driven through its GUI and REST API.
§ Separate ACI Fabrics with independent APIC clusters
§ ACI Multi-Site Orchestrator pushes cross-fabric configuration to multiple APIC clusters, providing scoping of all configuration changes
§ MP-BGP EVPN control plane between sites
§ Data Plane VXLAN encapsulation across sites
§ End-to-end policy definition and enforcement
ACI Multi-Site: Software and Hardware Requirements
• Support all ACI leaf switches (1st Gen, EX, FX, FX2)
• Modular Spine with EX/FX line card to connect to the inter-site network
• 9364C or 9332C fixed spine supported for Multi-Site from ACI 3.1 release (shipping)
• 1st generation spines (including 9336PQ) not supported
  § Can still leverage those for intra-site leaf to leaf communication
• Can have only a subset of spines connecting to the Inter-Site IP network (the -EX spines connect to the inter-site network while the 1st Gen spines stay internal)
ACI Multi-Site: Multi-Site Orchestrator (MSO)
The MSO (three VMs on a hypervisor, reached through GUI and REST API) manages Site 1, Site 2 … Site n.
• Three MSO nodes are clustered and run concurrently (active/active)
  § Typical database redundancy considerations (minority/majority rules)
  § Up to 150 msec RTT latency supported between MSO nodes
  § vSphere VM only form factor initially, physical appliance planned for a future ACI release
• OOB Mgmt connectivity to the APIC clusters deployed in separate sites
  § Up to 1 sec RTT latency between MSO and APIC nodes
• Main functions offered by MSO:
  § Monitoring the health-state of the different ACI Sites
  § Provisioning of day-0 infrastructure configuration to establish inter-site EVPN control plane and VXLAN data plane
  § Defining and provisioning tenant policies across sites
  § Day-2 operation functionalities
ACI Multi-Site Networking Options: Per Bridge Domain Behavior
Each option is shown with Site 1, Site 2 and an AWS site connected over the ISN.
1. Layer 3 only across sites
  § Bridge Domains and subnets not extended across Sites
  § Layer 3 Intra-VRF or Inter-VRF communication (shared services across VRFs/Tenants)
  § No Layer 2 BUM flooding across sites
2. IP Mobility without BUM flooding
  § Same IP subnet defined in separate Sites
  § Support for IP Mobility ('cold' and 'live'* VM migration) and intra-subnet communication across sites
3. Layer 2 adjacency across Sites
  § Interconnecting separate sites for fault containment and scalability reasons
  § Layer 2 domains stretched across Sites, support for 'live'* VM migration and application clustering
  § Layer 2 BUM flooding across sites
ACI Multi-Pod and Multi-Site: Connectivity between Pods and Sites
Site 1 is a Multi-Pod fabric (Pod 'A' and Pod 'B', one APIC Cluster, 1st Gen spines inside each Pod) whose IPN also reaches Site 2 across the IP WAN.
§ Only 2nd generation spines must be connected to the external network
  • Need to add 2nd gen spines in each Pod (at least two per Pod) and migrate connections to the IPN from 1st gen spines to 2nd gen spines
§ Single 'infra' L3Out and set of uplinks to carry both Multi-Pod and Multi-Site East-West traffic
Multi-Site Back-2-Back Spine
Intersite E-W (Direct Cable or Dark Fiber) between the spines of two fabrics, each with its own APIC Cluster
§ Back-2-back connections are ONLY supported for 2 sites
§ Multi-Site + Multi-Pod not supported
ACI 4.2: Multi-Site and External Layer 3 Connectivity
Site A and Site B are joined over the IP Network; each site has its own L3 OUT with L3 Peering to external devices (a Mainframe sits behind the Site B L3Out). Supported cases:
• Endpoint in Site-A using L3Out in Site-B
• Endpoint behind L3Out in Site-A using Site-B L3Out
Delivered through Common Discovery & Visibility, Policy Translation, Monitoring & Troubleshooting, a Single Point Of Orchestration and Operational Governance / Consistency.
ACI Multi-Site L4-L7 Services Support
• ACI Multisite + L3 PBR + L4-L7 Services
  § 1 node (firewall) service graph shipping in ACI 3.2
  § 2 node (firewall and load-balancer) service graphs supported in ACI 4.0
  § N-S and E-W service graphs support
• ACI Multisite + L1/L2 PBR + L4-L7 Services
  § 1 node (IPS) service-graph supported in ACI 4.1
  § N-S and E-W service-graphs supported
ACI Multi-Site (ACI 3.2 Release)
Day-2 Operations: Full-Stack Consistency Checker
The checks span the MSC, the APICs and the spines of both sites (MP-BGP EVPN control plane and VXLAN data plane).
• Multi-Site Infra: Unicast, Multicast, BGP TEPs and Tunnel state
• Multi-Site Tenant and EPG granularity:
  § Inspect and validate full-stack programming: MSC, APICs and Spine translations
  § Validate the consistency of local and remote inter-site EPGs, BD, VRF, External EPG, policies, etc.
  § Root cause configuration programming issues without calling TAC
• GUI and APIs supported
ACI Multi-Site API (Swagger)
• Swagger benefits
  § Allows end developers to effortlessly interact with and try out every single operation the API exposes, for easy consumption.
  § Swagger UI can auto import the Authorization token from the MSC UI, giving seamless access to the APIs.
• Types of endpoints: API GET, POST, PUT, PATCH, DELETE
How to use them?
Typical Requirement: Creation of Two Independent Fabrics/AZs
• Fabric 'A' (AZ 1) and Fabric 'B' (AZ 2), with application workloads deployed across availability zones
• Each fabric can itself be a 'Classic' Active/Active Multi-Pod fabric: Multi-Pod Fabric 'A' (AZ 1) with Pod '1.A' and Pod '2.A', and Multi-Pod Fabric 'B' (AZ 2) with Pod '1.B' and Pod '2.B', the two fabrics interconnected with ACI Multi-Site
Remote Leaf (Shipping)
ACI: Physical Remote Leaf
Extend ACI to Satellite Data Centers
The On-Prem DC reaches the Remote Locations over an IP Network (WAN Core – IPv4, MPLS, SR, etc …).
• Zero Touch Auto Discovery of Remote Leaf
• Two Remote Leaf vPC Pair, Up To 32 Remote Locations
• Multi-site Support: Stretch Tenant, EPG, etc
• All benefits of ACI visibility: Health Scores, Stats
ACI Remote Leaf: Use Cases
From the ACI Main Data Center over the IP Network to:
• Remote Location A: Satellite DC
• Remote Location B: Brownfield
• Remote Location C: Telco 5G
• Remote Location D: Co-location
ACI: Physical Remote Leaf Hardware Support
On-Premise Data Center, Supported Spines:
• Fixed: N9K-C9364C, N9K-C9332C, N9K-C9316D-GX
• Modular: N9K-X9732C-EX, N9K-X9736C-FX
Remote Site, Supported Leaf:
• N9K-C93180YC-EX, N9K-C93108TC-EX, N9K-C93180LC-EX
• N9K-C93180YC-FX, N9K-C93108TC-FX, N9K-C9348GC-FXP
• N9K-C9336C-FX2, N9K-C93240YC-FX2
• N9K-C93600CD-GX
ACI Remote Leaf: Local Traffic Forwarding for vPC Endpoints (ACI 3.1)
The Main DC and the Remote Location are connected over the IP Network (WAN Core – IPv4, MPLS, SR, etc …). The two remote leaf switches are in a vPC domain and EP info is synched over the vPC control plane; EP1 hangs off Po1 and EP2 off Po2 at the Remote Location, EP3 sits in the Main DC.
• "Greedy Forwarding" from vPC Po1 to vPC Po2 on the RL

ACI Remote Leaf: Local Traffic Forwarding for Orphan Endpoints (ACI 3.2)
Same setup (vPC domain, EP info synch over the vPC control plane), now also covering orphan endpoints EP1 and EP2 at the Remote Location.

ACI Remote Leaf: PBR (before ACI 4.0 and in ACI 4.0)
A Contract between EPG1 (EP1) and EPG2 (EP2) at the Remote Location redirects traffic with PBR to the L4-L7 Service Node at the RL; the ACI 4.0 slide adds EP3 in the Main DC to the same picture.

ACI Remote Leaf: Inter-VRF Traffic (before ACI 4.0 and in ACI 4.0)
EP1 (VRF1) and EP2 (VRF2) sit at the Remote Location and EP3 in the Main DC; the slide pair contrasts inter-VRF forwarding before and with ACI 4.0.
ACI 4.1.2: Remote Leaf – Direct Switching over IPN
Pod 1 and Pod 2 are joined by the Inter-Pod IP Network; Remote Leaf pairs sit at Location A and Location B (Pod 1) and at Location X and Location Y (Pod 2).
• RL to RL Forwarding Within Pod
• RL to RL Forwarding Across Pod
ACI 4.1.2: Remote Leaf Multisite Support
The Multisite Orchestrator manages Site 1 and Site 2 over the Inter-site IP Network, with Remote Leaf pairs at Location A and Location B (Site 1) and Location X and Location Y (Site 2).
• Consistent Policy Stretched between On-Prem and Remote Locations
Cisco ACI Virtual Edge (Shipping)
ACI Virtual Edge (AVE) runs on the hypervisor alongside its native switch, next to bare metal servers.
• Hypervisor Agnostic
• Maintain Existing Operational Models
• Policy Consistency Across Multiple Hypervisors
Virtual Pod (vPod) (Shipping)
Virtual ACI: Virtual Pod
Extend ACI to Bare Metal Clouds and Remote Data Centers
Policy extension from the On-premises ACI Data Center over the IP Network to a hypervisor-based remote location:
• Bare Metal Clouds (IBM, OVH, etc.)
• Remote Data Centers
• Co-location Facilities (Equinix, CoreSite etc.)
• Brownfield Deployments
ACI Virtual Pod (vPod)
Management Cluster (vSpine + vLeaf)
• vSpine and vLeaf: Run ACI control plane function
• vLeaf: Distribute APIC policies to ACI Virtual Edge
ACI Virtual Edge (vPod Mode)
• Implements ACI data plane function and policy enforcement data plane
• iVXLAN for communication within vPod and across Pods
ACI vPod Use Cases
From the ACI Main Data Center over the IP Network to:
• Data Center A: Bare Metal Cloud
• Data Center B: Brownfield
• Data Center C: Co-location/Remote DC
ACI vPod Requirements: Hardware & Software Components
On-Premises Data Center
• Supported Spines
  § Fixed Spine: N9364C (recommended), N9332C
  § Modular Spine (C9504/C9508/C9516): N9732C-EX with N9K-C950x-FM-E(2), N9736C-FX with N9K-C950x-FM-E(2)
• APIC Controller Software: ACI 4.0+ onward release
vPod Data Center
• VMware vCenter running 6.0 or later
• 2 hosts for Management cluster (Management & Payload can co-exist)
• ESXi 6.0 or 6.5
• Each vSpine (x2) & vLeaf (x2) VM consumes 4 vCPU, 16 GB RAM and 80 GB storage
• Each AVE (one per ESXi host) VM consumes 2 vCPU, 8 GB RAM and 8 GB storage
Virtual Pod Scaling
• Management Cluster: one per vPod
• Cisco ACI Virtual Edge (vPod Mode): one AVE per workload server
• Up To 6 vPods
• Up to 32 AVE per vPod (32 Hosts)
ACI 4.0: ACI Infrastructure Enhancements
• Deployment: Host Route On Border Leaf, RoCE v2
• Networking: FC NPV, Inter-VRF Multicast
• Operations: QoS Enhancements
Mini ACI (Shipping Since ACI 4.0)
ACI: Mini ACI Fabric
ACI Fabric For Small Scale Deployments – 5RU System
• Two spines (Spine 1, Spine 2) and two 48-port leafs (Leaf 1, Leaf 2)
• APIC cluster: Physical APIC 1 plus Virtual APIC 2 (virtual APICs run as VMs on the attached hosts)
Scale:
  No. of Leafs: 2-4
  No. of Spines: 2
  No. of Tenants: 25
  No. of EPs: 20,000
  No. of BDs: 1000
  No. of EPGs: 1000
  No. of VRFs: 25
Targets: Co-Location DC | SMB DC | SP Micro-DC
Multi-Tier (ACI 4.1)
ACI: Multi-Tier Architecture – Three Tier ACI Fabric
Spine, 1st Tier Leaf and 2nd Tier Leaf, with the VMs attached to the 2nd Tier Leaf.
1. Vertical Expansion Of ACI Policy Domain
2. Replace FEX Architecture With 2nd Tier Leaf: Better Visibility & Policy Enforcement
3. Investment Protection: Reuse Existing Cable Plan
4. Simplify N2/N5/N7k Migration to ACI
Seamless Migration From Legacy 3-Tier Architectures
ACI 4.1: Multi-Tier Architecture – Three Tier ACI Fabric
• Tier-2 Leaf can connect to multiple Tier-1 Leafs (advantage over traditional vPC)
• L3out can be connected to Tier-2 Leaf or to Tier-1 leaf
• APIC controller can be connected to Tier-2 Leaf or to Tier-1 leaf
Seamless Migration From Legacy 3-Tier Architectures
Supported Platforms in ACI 4.1
• Spine: Any EX/FX/C spines (9332C, 9364C)
• Tier-1 Leaf: Any EX/FX/FX2 except N9K-C93180LC-EX
• Tier-2 Leaf: Any EX/FX/FX2
• 1st gen is not supported
• Max number of Tier-1-leaf + Tier-2-leaf is equal to the max number of Leaf in the fabric (200 per pod, 400 per Multi-Pod)
• Max number of Tier-2-leaf per Leaf is 48.
Connectivity requirement to 2nd Tier Leaf
• 2nd Tier Leaf fabric port connects to 1st Tier Leaf's fabric port.
• All ports of 1st Tier Leaf can be converted to fabric port using the port profile feature
• 2nd Tier Leaf can connect to multiple 1st Tier Leafs. This can be an advantage for ACI designs where the customer connects to more than 2 upstream switches, in comparison to a traditional double-sided vPC design with only 2 upstream switches.
1G support on leaf downlink to Tier-2-leaf uplink
• Use case: Long OM2 fibers from 93180YC Leaf to 9348 Tier-2-leaf.
• 10G range is shorter on OM2 than 1G
  § 10G OM2 (10GBASE-SR): 82 m
  § 1G OM2 (1000BASE-SX): 550 m
• 1G downlink from the Leaf (93180) to the Tier-2-leaf (9348)
• QSA on the 9348 40/100G uplink port, used as 1G
Cloud ACI
Challenges in building a Multi Cloud environment
• Building an automated and secure interconnect between On Premises and Cloud datacenters with ease of provisioning and monitoring at scale
• Maintain consistent policy, security and analytics for workloads deployed across on-premises and cloud locations
• Requires a single pane of glass to manage policies across on-premise and cloud locations
Cloud ACI
The Multi-Site Orchestrator manages VM workloads in Cloud Region(s), On-Premises and further Cloud Region(s) as one environment.
ACI Extensions to Cloud Multi-Site
On-Premises DC: EPGs Web, APP and DB joined by Contracts.
Public Cloud, AWS Region: each EPG becomes a Security Group (SG) for Web, APP and DB and each Contract an SG Rule, reached over the IP Network.
Public Cloud, Azure Region: each EPG becomes an Application Security Group (ASG) for the Web, APP and DB VMs, with Network Security Groups (NSG) between them.
• Consistent Policy Enforcement on-Premises & Public Cloud
• Automated Inter-connect provisioning
• Simplified Operations with end-to-end visibility
Why does this matter?
Use Cases
Application Stretch (Supported, ACI 4.1)
The Multi-Site Orchestrator drives the APIC (On-Premises) and the Cloud APIC (Public Cloud); one Tenant and VRF spans BD1/Subnet1 with Web-EPG1 and BD3/Subnet3 with App-EPG1 on-premises, and CIDR 2 with Web-EPG2 and CIDR 4 with App-EPG2 in the cloud, with HTTPs contracts between the Web and App tiers.
• Stretch tenant/VRF across on-premises and cloud sites
• During peak times easily deploy application tiers and resources in the cloud site
• Consistent segmentation policy and enforcement within and across on-premises and cloud sites
• Application stack failover between sites (active/disaster recovery)
Stretched EPG with Consistent Segmentation (Supported, ACI 4.1)
One Tenant/VRF: EPG - Web spans BD/Subnet1 (on-premises) and CIDR 2 (cloud), EPG - App spans BD3/Subnet3 and CIDR 4; the contract between them allows HTTPs and redis.
• Web Tier and App Tier are stretched and securely segmented across on-premise and public cloud sites
• Consistent segmentation policy and enforcement for endpoints of the Web/App Tier, independent of location
Shared Services for Hybrid-Cloud (Supported, ACI 4.1)
Tenant 1 (VRF1, BD/Subnet1, DNS-EPG on-premises) provides DNS to Tenant 2 (VRF2: CIDR 2 Web-EPG, CIDR 3 App-EPG) and Tenant 3 (VRF3: CIDR 4 Web-EPG, CIDR 5 App-EPG) in the cloud through Route Leaking; the Web and App tiers use HTTPs and redis contracts.
• Provides a capability to deploy shared service across hybrid cloud
• Shared Service deployed in 1 Site can be consumed by endpoints across other sites
• Contract will leak subnet between VRFs for reachability
Cloud and On-Prem L3outs (Supported, ACI 4.1)
The Multi-Site Orchestrator (MSO) manages Site A (On-Premise, with its own L3out) and Site B (Public Cloud, Region 1). In the cloud an Infra VPC hosts two CSRs with IPSec Tunnels to the VGWs of User VPC-1 (EPG-1/SG-1, Instance 01 and Instance 02 across AZ-1 and AZ-2) and User VPC-2 (EPG-2/SG-2 Instance 03, EPG-3/SG-3 Instance 04); each user VPC has its own IGW L3out.
• Cloud local L3out via IGW
• On-Prem local L3out
• On-Prem site endpoints cannot use Cloud L3out
• Shared On-Prem L3out for Cloud VPCs *
* Depends on QA Validation Completion by FCS
Cloud First (Supported, ACI 4.2)
• Cloud APIC only without on-premises ACI
• Optional MSO
• Abstract AWS networking constructs from the user that is familiar with ACI, delivering ACI-consistent policy and operational model
• Deploy EPG and contracts on top of AWS public cloud
Architecture
Cloud APIC Architecture
Components: Web Server (NGINX), Policy Distributor (PD), Policy Manager (PM) and Cloud Policy Elements whose Connectors talk to the cloud API (AWS, Azure...) and over NetConf to the CSR1000v.
• Virtual Form Factor of APIC
• Automates / Manages Cloud Routers
• Translates ACI Policy to cloud native constructs
• Deploys cloud resources and infrastructure components
• Intuitive GUI and Similar ACI UI look and feel
• REST API North Bound Interface
• cAPIC manages 1 or more regions
Topology Health
• Network connectivity and Health
Endpoints in an EPG
For your info & reference
Policy Mapping - AWS (AWS construct → ACI construct)
• User Account → Tenant
• Virtual Private Cloud → VRF
• VPC subnet → BD Subnet
• Tag / Label → EP to EPG Mapping
• Security Group → EPG
• Network Access List → Taboo
• Security Group Rule → Contracts, Filters
  § Outbound rule → Consumed contracts
  § Inbound rule → Provided contracts
  § Each rule carries Source/Destination (Subnet or IP or Any or 'Internet'), Protocol and Port
• EC2 Instance / Network Adapter → End Point (fvCEp)
For your info & reference
Policy Mapping - Azure (Azure construct → ACI construct)
• Resource Group → Tenant
• Virtual Network → VRF
• Subnet → BD Subnet
• Application Security Group (ASG) → EPG
• Network Security Group (NSG) → Filters
  § Outbound rule → Consumed contracts
  § Inbound rule → Provided contracts
  § Each rule carries Source/Destination (ASG or Subnet or IP or Any or 'Internet'), Protocol and Port
• Virtual Machine / Network Adapter → End Point
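The two policy mapping tables above (AWS and Azure) can be exercised in code. The following is an added example, not Cisco or Cloud APIC code: it expands an ACI-style set of EPGs and contracts into the per-group rules the tables describe (consumed contract → outbound rule, provided contract → inbound rule, filter → protocol/port, peers named by subnet on AWS and by ASG on Azure) and then checks that a flow is allowed only when both halves of the rule pair exist. The policy classes, `compile_contracts`, `allows` and the sample Web/App/Internet tenant are assumptions built for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

INTERNET = "Internet"  # the tables' 'Internet' source/destination (external EPG behind L3Out / IGW)


@dataclass(frozen=True)
class Filter:
    protocol: str          # "tcp", "udp" or "any"
    port: Optional[int]    # None means every port


@dataclass
class Epg:
    name: str
    subnets: list                                  # BD subnets / VPC subnet CIDRs of the EPG's endpoints
    provided: list = field(default_factory=list)   # names of contracts this EPG provides
    consumed: list = field(default_factory=list)   # names of contracts this EPG consumes


@dataclass(frozen=True)
class Rule:
    group: str        # Security Group (AWS) or ASG (Azure) that maps to the EPG
    direction: str    # "inbound" (from a provided contract) or "outbound" (from a consumed contract)
    peer: str         # subnet/IP (AWS), ASG name (Azure) or "Internet"
    protocol: str
    port: Optional[int]


def peer_ids(epg, cloud):
    """How the far-end EPG is named inside a rule: its subnets on AWS, its ASG on Azure."""
    if epg.name == INTERNET:
        return [INTERNET]
    return list(epg.subnets) if cloud == "aws" else [epg.name]


def compile_contracts(epgs, contracts, cloud="aws"):
    """Expand every consumer/provider pair of every contract into group rules.

    contracts maps a contract name to its list of Filter entries.  For each
    filter the consumer gets an outbound rule towards the provider and the
    provider an inbound rule from the consumer; both must be programmed.
    """
    if cloud not in ("aws", "azure"):
        raise ValueError("cloud must be 'aws' or 'azure'")
    rules = set()
    for name, filters in contracts.items():
        providers = [e for e in epgs if name in e.provided]
        consumers = [e for e in epgs if name in e.consumed]
        for cons in consumers:
            for prov in providers:
                for f in filters:
                    for p in peer_ids(prov, cloud):
                        rules.add(Rule(cons.name, "outbound", p, f.protocol, f.port))
                    for c in peer_ids(cons, cloud):
                        rules.add(Rule(prov.name, "inbound", c, f.protocol, f.port))
    return rules


def _match(rule, protocol, port):
    return rule.protocol in ("any", protocol) and rule.port in (None, port)


def allows(rules, src, dst, protocol, port):
    """True only if src has a matching outbound rule to dst AND dst a matching inbound rule from src.

    A rule programmed on one side only (e.g. a missing inbound rule on the
    provider) is exactly the inconsistency a full-stack checker should flag.
    """
    src_ids = set(src.subnets) | {src.name}
    dst_ids = set(dst.subnets) | {dst.name}
    out_ok = any(r.group == src.name and r.direction == "outbound" and r.peer in dst_ids
                 and _match(r, protocol, port) for r in rules)
    in_ok = any(r.group == dst.name and r.direction == "inbound" and r.peer in src_ids
                and _match(r, protocol, port) for r in rules)
    return out_ok and in_ok


# Constructed sample, not from a real deployment: Web and App tiers with the
# HTTPs and redis contracts of the deck, on the 10.1.x.0/24 subnets of the Cloud EPG slide.
WEB = Epg("Web", ["10.1.1.0/24", "10.1.2.0/24"], provided=["internet-to-web"], consumed=["web-to-app"])
APP = Epg("App", ["10.1.3.0/24"], provided=["web-to-app"])
EXT = Epg(INTERNET, [INTERNET], consumed=["internet-to-web"])
EPGS = [WEB, APP, EXT]
CONTRACTS = {
    "internet-to-web": [Filter("tcp", 443)],
    "web-to-app": [Filter("tcp", 443), Filter("tcp", 6379)],
}

if __name__ == "__main__":
    for cloud in ("aws", "azure"):
        print(f"--- {cloud} ---")
        for r in sorted(compile_contracts(EPGS, CONTRACTS, cloud),
                        key=lambda r: (r.group, r.direction, r.peer, r.port or 0)):
            print(r)
    aws_rules = compile_contracts(EPGS, CONTRACTS, "aws")
    print("Web -> App tcp/443:", allows(aws_rules, WEB, APP, "tcp", 443))   # True
    print("App -> Web tcp/443:", allows(aws_rules, APP, WEB, "tcp", 443))   # False: no contract that way
```

The AWS expansion yields nine rules (each filter once per peer subnet) while the Azure expansion yields six (one per peer ASG); a contract is only effective when the consumer's outbound rule and the provider's inbound rule are both present.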
Cloud Infra – AWS
The Multisite Orchestrator manages the On-Premises ACI DC and the Public Cloud. In Region - 1 an Infra VPC hosts two CSR1kv routers; IPSec Tunnels run from the CSR1kv to the VGW of User VPC 1 and User VPC 2, where the VM workloads live.
Cloud Infra – Azure
Same layout in Azure: an Infra VNET in Region - 1 with two CSR1kv, IPSec Tunnels to the VNG of User VNET 1 and User VNET 2.
Cloud EPG
Mapping Endpoints by Tags / Region / AZ / IP: in Site B the WEB EPG and DB EPG are built from Subnet-S1 – 10.1.1.0/24 and Subnet-S2 – 10.1.2.0/24 (US-East-1) and Subnet-S3 – 10.1.3.0/24 and Subnet-S4 – 10.1.4.0/24 (US-West-1).
Deploying Cloud APIC
• Cloud APIC in AWS Marketplace: http://cs.co/capic-aws
• Cloud APIC in Azure Marketplace: http://cs.co/capic-azure
Virtual Network Integration
ACI Virtual Networking Integrations (including CCP)
Container Platforms with ACI-CNI integration (Baremetal, ESXi, KVM/OpenStack):
• Open Source Kubernetes 1.6-1.13 (KVM/OpenStack: Future)
• Cisco Container Platform (Future)
• Docker EE 2.1 (Kubernetes) (Future)
• OpenShift 3.6, 3.9, 3.11
ACI Hardware
Nexus 9000 & APIC Hardware
Nexus 9300 leafs:
• Nexus C93360YC-FX2: 96p 25G SFP28, 12p 100G QSFP28 – ACI 4.1(2)
• Nexus C93216TC-FX2: 96p 10GT, 12p 100G QSFP28 – ACI 4.1(2), Q2CY19
• Nexus 93600CD-GX: 28p 100G QSFP28, 8p 400G QSFP-DD – ACI 4.2(2)
• Nexus 9336C-FX2: 36p 40/100G – ACI 3.1(2)
Spines:
• Nexus 9332C – Fixed Spine: 32p 40/100G QSFP28, 2p 10G – ACI 4.0
• Nexus 9316D-GX Fixed Spine: 16p 400G QSFP-DD – ACI 4.2(2)
• Nexus 9500 with Nexus 9716D-GX Modular Spine line card – Future
APIC:
• APIC-CLUSTER-L3* (>= 1200 Leaf Ports) – ACI 4.0
• APIC-CLUSTER-M3* (< 1200 Leaf Ports) – ACI 4.0
Nexus Foundation: CloudScale Platforms
* No Support for copper NICs
New in 4.2
ACI software simulator as a VM
Available starting 4.2 on CCO as a software download; offered as a single VM containing 1 x APIC, 1 x Spine, Leaf 1 and Leaf 2.
• Experience ACI without hardware
• Full-featured APIC controller with a simulated fabric
• Native APIC, uses the same APIs that are published for third parties
• Use cases – Training, Lab, Test, etc.
• Control plane only, no data plane
• Support offered through Cisco Communities, no TAC support
| x86 hardware | 24GB RAM | 100GB hard drive |
Automation
Automation Tools

TECACI-2009 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 96
Cloud Automation with vRealize
vRealize Automation / vRealize Orchestrator

Blueprints: Deploy Tenant, Deploy App, Deploy Firewall, Deploy Load Balancer

Day Zero Operations
ü Fabric Bring-up
ü Infrastructure provisioning
ü Security Domains

Day 1/ Day 2 Operations
ü Shared Services Plans
ü Virtual Private Cloud
ü Networks, Subnets, Security

ESX Hypervisor hosting Tenant 1 (App, DB, Web)

ACI Policy Driven vRealize Automation Blueprints to Accelerate Application Deployment
Day 2 Operations
How Cisco Network Assurance Engine Works

Data Collection: Capture DC Wide Intent, Policy, Control/State across Forwarding & Security

Formal Modeling of Network: Precise Mathematical Models that codify Cisco’s 30+ Years of Networking and Cross Customer Domain Knowledge

Continuous Analysis: Models verify that Network operates per Intent and accurately tell what is wrong, where, why, impact and how to fix

Reasoning you do after the fact, the Engine does before the fact, continuously, network wide
Smart Events & Compliance Score for Compliance

COMPLIANCE VIOLATED SMART EVENT
• Identify non compliant policy
• Identify requirements violated
• Identify non-compliant EPGs

COMPLIANCE SATISFIED SMART EVENT
• Identify compliant policy
• Identify requirements satisfied
• Identify compliant EPGs

COMPLIANCE SCORE
Epoch Delta Analysis
Correlated Ad hoc Analysis Workflow
4 Qs, correlated answers…
• What changed?
• Who was impacted?
• Was it due to config changes?
• What happened as a result?

Compares the Before / Baseline epoch with the After / Current epoch

Use Cases
• Change Management
• Root-cause analysis
• Migration
• Maintenance Upgrades
• Capacity Management
Health Delta - Summary
Change in the health of the Fabric

Network Insight Telemetry Applications On APIC
Providing Network Health Visibility & Enabling Proactive Insights

New Apps

NIA – Network Insights Advisor (Network Availability)
• Proactive Software Recommendations/Notifications
• Issue Vulnerability Detection & Remediation

NIR – Network Insights Resources (Network Health)
• Physical/Logical Network Capacity & Utilization
• Data & Control Plane & Environmental Health

Enhance Availability, Uptime & Network Wide Visibility
ACI: Network Insights-Resources
Understand What’s Running In Your Network

Event Analytics Dashboard | Resource Analytics

Workflow: Data Collection, Anomaly Detection, Remediation

Event Analytics Dashboard Displays Faults, Events, And Audit Logs In A Time Series Fashion.
Resource Utilization Dashboard

Resource Analysis – Flow Analytics
Proactive Anomaly Detection for ACI Deployments
Targeted Flow Monitoring Use Cases –
• Application Performance Issues:
  • Forwarding/policy drops indicating congestion
  • High end-to-end application latency
• Application Downtime Event:
  • Policy misconfiguration due to ACLs
Network Insights-Advisor

Software/Hardware Recommendations
• Workarounds
• EOL/EOS
• Field Notices
• SMUs Recommendations
• Known Issues/PSIRTs

Network Insights Anomalies
• Unknown runtime
• Config anomalies

Advisor
• Version
• Scale Limits/Hardening Check
• Configuration
• Forwarding State Check
• Loops Detection
• Cable Checkers

Benefits
• Avoid multiple TAC calls
• Keep Network up to date
• Adhere to Cisco policies
• Remove Complexity
• Avoid Outages
• Faster Deployment times
• Significant CAPEX And OPEX Savings
• Prevent traffic black holing
• Avoid downtimes
Network Insights Advisor Targeted Use Cases
Proactive supportability insights

Dashboard: ”Give me a summary of issues”

Advisories: Provides advisories based on anomalies, bugs, PSIRTs and field notices. Measure upgrade impact

Anomalies: hardening checks, scale checks

Bugs and PSIRTs: Known bugs and vulnerabilities in the system

Fabric wide analysis
ACI Service Engine
ACI 4.2
ACI: Services Engine
New Application Hosting Platform

Hosted applications: Network Insights, Network Assurance Engine, 3rd Party Apps

ACI Services Engine hardware
• 2.1 GHz 8 core CPU x 2
• 192 GB memory
• 2.4 TB x 2 HDD
• 16 GB USB Flash drive

Dual Boot Option | Cluster For Redundancy | APIC-L3
Network Security
Shipping

ACI Security Certifications

• PCI: Certified
• DoD: Certified
• FIPS: Certified
• Common Criteria: Certified
• Vulnerability Scanners: Passed (Nessus, Fuzzing, Port Scan)

Every Major and Minor Release We Run Our Hardening Suite
Shipping

ACI 2-Factor Authentication Options

• ACI 3.0: External Authentication via SAML and IDPs; supported Okta & MSFT ADFS
• ACI 3.0: Local Authentication, TOTP using Google Authenticator for 2nd factor pin/barcode
• ACI 3.1: RSA SecureID
• ACI 3.2: PingFederate SSO, PingID 2-FA
• ACI 4.0: Federal Common Access Card (CAC)
ACI: L4-L7 Service Integration
L4-L7 Service Automation
L4-L7 Service Graph / L1/L2/L3 PBR

• ACI 3.2: Anycast IP/MAC; Multi-node PBR; Resilient hash PBR; PBR with vzAny
• ACI 4.0: Multi-site Services; Intra-EPG contract with PBR; Service EPG in preferred group
• ACI 4.1: L1/L2 PBR; ACI Fabric, MPOD, Remote Leaf and Multisite
• ACI 4.1.2: PBR with Multi-Node Tracking; PBR with Service EPG in L3out
• Future: Floating L3out; PBR N+M standby
Shipping
ACI Anywhere
Encrypted DCI Connectivity Multi-Site

Site A, Site B and Site C connected over IP / WAN
• MACSEC between sites: Shipping
• CloudSec: Future
Cisco Integrations
UCSM Integration with VMM domain
• New ACI App to integrate UCSM to provision VLANs on-demand.
• With this integration, there is no need to pre-configure all of the VLANs in the VMM VLAN pool on the UCS FI beforehand, which consumes logical ports (p*v).

• Requirement
  • APIC version 4.1 or later
  • UCSM version 3.2 or later
Current operation
• Need to configure VLANs on FIs beforehand
• Consume logical-ports even though VLANs are not actually used.

With the integration
• No need to pre-configure VLANs on FIs
• Automate VLAN provisioning

Example topology (both cases): ACI Spines, VLAN-pool: 1000-1999; EPG1: VLAN1000, EPG2: VLAN1001; ACI Leafs; UCS Fabric Interconnect; UCS Chassis with Blades (eth0/eth1 on each pNIC).

Current operation: Need to trunk VLAN 1000-1999 on interfaces connected to each blade. VLAN 1002-1999 are not actually used in this example.

With the integration: Automatically add VLANs if a VLAN is allocated for an EPG. Only VLAN1000-1001 are allowed in this example.
Multi-Domain - ACI and SDA

Cisco SDA Campus (DNAC, ISE) exchanges groups with Cisco ACI Hybrid-DC (Multi-Site Orchestrator)

Campus groups: Sales, Finance
Data center EPGs: CCW DB, Finance DB, CCW Web, Finance Web

ACI 4.0 Scale: 64K Bindings on Border Leaf

(ISE Version 2.4 Patch 6, DNA Version 1.2.10)
ACI 4.1
ACI: SD WAN (Viptela) Integration
Extend Operational Domain And Policy To Branch & Public Cloud

1. App Policy Determines Routing Path Between Branch And Data Center To Meet SLA
2. Optimal Path Selection Between On-Prem Apps and Services Hosted In Multi-Region AWS

Topology: Los Angeles Branch and Chicago Branch (vEdge) connect over the SD-WAN Fabric (vManage; MPLS and Internet transports) to the San Francisco Data Center (Subnet 10.1.1.0/24, Region West) and the New York Data Center (Subnet 10.121.0/24, Region East). Each data center hosts FW, DB server, App server and Web server; the data centers are joined by Multi-Site.
ACI 4.1

ACI to SD-WAN (Viptela) Integration – Phase 1

ACI pushes Application Aware Policy to vManage

1) Physical Connectivity – L3Out per VPN
2) Application Policy – Export of Classification to vManage
3) Application Aware Routing - DC to Branch Ensured

Topology: User 1 at the Los Angeles Branch (vEdge) reaches App 1 in the San Francisco Data Center (vEdge) across the SD-WAN Fabric. DSCP is used for signaling between the L3-Out and the vEdge in the DC; the SD-WAN Fabric performs DSCP based path selection out of 4 classes.
Shipping
ACI: AppDynamics Integration
Identify Problems Faster By Correlating Applications & Network Data

AppDynamics: Network & Application Health Correlation

• Map application and service components to ACI
• Cross launch AppDynamics and ACI-APIC to correlate network and app data
Ecosystem
Integrations
Shipping
F5 ACI App in Cisco ACI App Center
Extend F5 BIG-IP and Cisco ACI Joint Solution Use Cases

Shipping
ACI: ServiceNow Integration
Automated discovery and provisioning of ACI Fabric from ServiceNow ITOM App Store

ACI App for ServiceNow v1.8 (compatible with Jakarta, Kingston & London)

Discovery & Provisioning (APIC REST APIs) via a Mid server between the Cisco ACI Fabric and the CMDB

• Discovery (Shipping): Automatically discover ACI’s Physical & logical entities from ServiceNow
• Visibility (Shipping): Accurate & up-to-date CMDB, Infrastructure Visibility & Mapping, Configuration drift & rollback
• Provisioning (Shipping): Component configuration, 40+ custom activity packs & workflow automation
• Shipping: ServiceNow's External Credential Store support, Compatible with latest ServiceNow releases, Incident dashboards
• Future: Discover cAPIC entities from ServiceNow ITOM, Automate ACI software update from ServiceNow ITOM
Shipping
ACI: Splunk Integration
Central Proactive Monitoring, operational analytics and troubleshooting
ACI App & Add-on for Splunk Enterprise: ACI Fabric Monitoring, cross-tier correlation, Troubleshooting

Published on Splunkbase; Splunk App Inspect passed

• Shipping: Real time and historical insights into ACI fabric; Drilldown into health scores, performance metrics
• Shipping: Operational Analytics, Automated alerting, Root cause analysis
• Shipping: Audit, Risk and Compliance Analysis - Prevent unauthorized access
• Shipping: Cross-tier correlation - gain visibility across the entire data center
• Future: Splunk dashboards to monitor c-APIC, Additional drilldown and troubleshooting, CIM Compliance, Syslog parsing
Shipping
ACI: AlgoSec Integration
Multi-tenant, policy-driven, application-centric model for Security

Visibility and Compliance
ü Continuous compliance and risk analysis
ü Support for PCI, HIPAA, NERC, SOX, BASEL II, ISO 2700, organizational stds

Security Policy Automation
ü Support for Multi-vendor firewalls (Cisco ASA, Palo Alto, Fortinet, CheckPoint)
ü Predefined workflows for automation
ü Ability to provision ACI contracts from AlgoSec (New!)

ü AlgoSec product release (2017.2 onwards)
ü Officially Supported by AlgoSec
Cisco ACI
Broad Ecosystem to Use, Customize and Extend Your IT Investments

ACI Software Release Cadence
Target – one release every four months

Major Releases => ACI 2.3, ACI 3.0, ACI 3.1, ACI 3.2, ACI 4.0, ACI 4.1, ACI 4.2, ACI 5.0

Maintenance Releases => ACI 2.2(2), ACI 2.3(2), ACI 3.0(2), ACI 3.1(2), ACI 3.2(2), ACI 4.0(2), ACI 4.1(2), ACI 4.2(2)

Timeline markers (left to right): Q2 CY2017, Q3 CY2017, Q4 CY2017, Q1 CY2018, Q2 CY2018, Q4 CY2018, Q1 CY2019, Q2 CY2019, Q3 CY2019, Q4 CY2019, Q1 CY2020

ACI Long Lived Releases: ACI 2.2(x), ACI 3.2(x), ACI 4.2(x)
ACI Anywhere

Edge / Remote | Core Data Centers | Multicloud (connected over IP WAN)

• ACI Multi-POD – ACI 2.0
• ACI Multisite – ACI 3.0
• ACI Remote Leaf – ACI 3.1
• Virtual ACI – ACI 4.0
• Cloud ACI – ACI 4.1
Thank you
