BRKACI-2117-Cisco ACI Anywhere-Journey From Single DC To Multi-Cloud
#CiscoLiveLA BRKACI-2117 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 1
Cisco ACI Anywhere
Journey from single DC to Multi-Cloud
Legal DISCLAIMER
Any information provided in this document regarding future functionalities
is for informational purposes only and is subject to change including
ceasing any further development of such functionality. Many of these
future functionalities remain in varying stages of development and will be
offered on a when-and-if available basis, and Cisco makes no
commitment as to the final delivery of any of such future functionalities.
Cisco will have no liability for Cisco’s failure to deliver any or all future
functionalities and any such failure would not in any way imply the right to
return any previously purchased Cisco products.
ACI Anywhere
ACI: Turnkey integrated solution
• Zero-touch provisioning
• Auto deployment of the Underlay and the Overlay
• Managed like a single large switch
• Single management point
• Underlay and Overlay
• Monitoring
• Troubleshooting
ACI: Any Type of Workload – Anywhere
[Figure: a network admin manages the APIC; any workload (Virtual / Bare Metal / Container) attaches to the fabric over VLAN, VXLAN or NVGRE encapsulation]
Penalty Free Overlay
• Integrated gateway for VLAN and VXLAN networks from virtual to physical to container
• Normalization for VXLAN, and VXLAN
Any VLAN anywhere
[Figure: fabric diagram with an "Outside" connection]
Cisco ACI: Secure Multi-Tenant Fabric
• Authentication, Authorization, and RBAC
• Multi-Tenancy
ACI Components
• APIC-CLUSTER-M3
• APIC-CLUSTER-L3 (> 1250 Edge Ports)
ACI Architecture
[Figure: spine-leaf fabric with Spines, Leafs and Controllers (APIC)]
[Figure: ACI architecture compared to a modular switch]
ACI Object Model
[Figure: a Tenant (e.g. Dev, Prod) contains VRFs (L3, e.g. VRF-1, VRF-2); each VRF contains Bridge Domains (L2) with Subnets (e.g. 10.10.10.254, 10.10.20.254, 10.10.21.254); an Application Network Profile (ANP) groups EPGs (Web, App, DB) that communicate through Contracts (C)]
Service Insertion in ACI
How to extend ACI outside one DC?
Data Center Interconnect Solutions
ACI Simplifies the Deployment of DCI
• Common Control/Data Plane options used across different architectures
• Consistent security policies end-to-end
[Figure: ACI Multi-Pod Fabric (Pod 'A' … Pod 'n' connected through an IPN, one APIC Cluster) next to ACI Multi-Site (Fabric 'A' … Fabric 'n' connected through an IP network)]
Multi-Pod
ACI Multi-Pod: The Ideal Architecture for Active/Active DC Deployments
For more information on ACI Multi-Pod, see BRKACI-2003.
[Figure: Pod 'A' … Pod 'n' connected over an Inter-Pod Network (up to 50 msec RTT); VXLAN data plane and MP-BGP EVPN between Pods; IS-IS, COOP and MP-BGP run inside each Pod; single APIC Cluster; the whole deployment is one Availability Zone]
§ Multiple ACI Pods connected by an IP Inter-Pod L3 network, each Pod consists of leaf and spine nodes
§ Managed by a single APIC Cluster
§ Single Management and Policy Domain
§ Forwarding control plane (IS-IS, COOP) fault isolation
§ Data Plane VXLAN encapsulation between Pods
§ End-to-end policy enforcement
ACI Multi-Pod
Supported Topologies
[Figure: Intra-DC topology (POD 1 … POD n, POD 3; 10G/40G/100G and 40G/100G links) and two DC sites directly connected (POD 1 and POD 2 over dark fiber/DWDM, 40G/100G links, up to 50 msec RTT)]
Multi-Site Orchestrator
ACI Multi-Site: Use Cases
Shipping
ACI Multisite and Multisite Orchestrator
• Consistent Policy across sites
• Single Point of Orchestration
• Fault Isolation
• Scale
[Figure: Sites A, B, C and D, each hosting VMs, orchestrated by the Multi-Site Orchestrator]
[Figure: Multi-Site Orchestrator (REST, GUI, API) managing Site 1 (Availability Zone 'A') and Site 2 (Availability Zone 'B'), with MP-BGP EVPN between the sites]
§ Separate ACI Fabrics with independent APIC clusters
§ ACI Multi-Site Orchestrator pushes cross-fabric configuration to multiple APIC clusters providing scoping of all configuration changes
§ MP-BGP EVPN control plane between sites
§ Data Plane VXLAN encapsulation across sites
§ End-to-end policy definition and enforcement
ACI Multi-Site
Software and Hardware Requirements
• Support all ACI leaf switches (1st Gen, EX, FX, FX2)
• Modular Spine with EX/FX line card to connect to the inter-site network
• 9364c or 9332c fixed spine supported for Multi-Site from ACI 3.1 release (shipping)
• 1st generation spines (including 9336PQ) not supported
• Can still leverage those for intra-site leaf to leaf communication
[Figure: a fabric with 1st Gen and -EX spines; only a subset of spines (the -EX ones) connect to the Inter-Site IP network]
ACI Multi-Site
Multi-Site Orchestrator (MSO)
[Figure: three MSO VMs on a hypervisor, exposed through REST, GUI and API, with at most 150 msec RTT between MSO nodes and at most 1 sec RTT from MSO to Site 1, Site 2 … Site n]
• Three MSO nodes are clustered and run concurrently (active/active)
§ Typical database redundancy considerations (minority/majority rules)
§ Up to 150 msec RTT latency supported between MSO nodes
§ vSphere VM only form factor initially, physical appliance planned for a future ACI release
• OOB Mgmt connectivity to the APIC clusters deployed in separate sites
§ Up to 1 sec RTT latency between MSO and APIC nodes
• Main functions offered by MSO:
§ Monitoring the health-state of the different ACI Sites
§ Provisioning of day-0 infrastructure configuration to establish inter-site EVPN control plane and VXLAN data plane
§ Defining and provisioning tenant policies across sites
§ Day-2 operation functionalities
ACI Multi-Site Networking Options
Per Bridge Domain Behavior
[Figure: three options, each showing Site 1 and Site 2 (and AWS) connected through an ISN]
1. Layer 3 only across sites
§ Bridge Domains and subnets not extended across Sites
§ Layer 3 Intra-VRF or Inter-VRF communication (shared services across VRFs/Tenants) across sites
2. IP Mobility without BUM flooding
§ Same IP subnet defined in separate Sites
§ Support for IP Mobility ('cold' and 'live'* VM migration) and intra-subnet communication across sites
§ No Layer 2 BUM flooding across sites
3. Layer 2 adjacency across Sites
§ Interconnecting separate sites for fault containment and scalability reasons
§ Layer 2 domains stretched across Sites, support for 'live'* VM migration and application clustering
§ Layer 2 BUM flooding across sites
ACI Multi-Pod and Multi-Site
Connectivity between Pods and Sites
[Figure: Site 1 is a Multi-Pod fabric (Pod 'A' and Pod 'B' with 1st Gen spines, one APIC Cluster, connected through an IPN); Site 1 and Site 2 are connected through the IP WAN]
Multi-Site Back-2-Back Spine
Intersite E-W (Direct Cable or Dark Fiber)
ACI 4.2
Multi-Site and External Layer 3 Connectivity
[Figure: Site A and Site B (Multi-Site over an IP Network), each with its own L3 OUT; L3 peering to external devices such as a Mainframe; VMs in both sites]
ACI 3.2
ACI Multi-Site Release
Day-2 Operations: Full-Stack Consistency Checker
ACI Multi-Site API (Swagger)
• Swagger benefits
• Allow end developers to effortlessly interact and try out every single operation your API exposes for easy consumption.
• Swagger UI can auto import the Authorization token from MSC UI giving seamless access to the APIs.
How to use them?
Typical Requirement
Creation of Two Independent Fabrics/AZs
[Figure: application workloads deployed across availability zones]
Typical Requirement
Creation of Two Independent Fabrics/AZs
[Figure: 'Classic' Active/Active deployment compared with ACI Multi-Site]
Remote Leaf
Shipping
ACI: Physical Remote Leaf
Extend ACI to Satellite Data Centers
[Figure: On-Prem DC connected over an IP Network (WAN Core – IPv4, MPLS, SR, etc.) to Remote Locations hosting VMs]
• Zero Touch Auto Discovery of Remote Leaf
• Two Remote Leaf vPC Pair, Up To 32 Remote Locations
• Multi-site Support: Stretch Tenant, EPG, etc.
• All benefits of ACI visibility: Health Scores, Stats
ACI Remote Leaf
Use Cases
[Figure: Remote Location A (Satellite DC), Remote Location B (Brownfield), Remote Location C (Telco 5G) and Remote Location D (Co-location), all hosting VMs and reached over an IP Network]
ACI: Physical Remote Leaf
Hardware Support
ACI 3.1
ACI Remote Leaf
Local Traffic Forwarding for vPC Endpoints
[Figure: Main DC and Remote Location; endpoints on port-channels Po1 and Po2 behind the remote leaf vPC pair]
ACI 3.2
ACI Remote Leaf
Local Traffic Forwarding for Orphan Endpoints
[Figure: Main DC and Remote Location]
ACI Remote Leaf
PBR
[Figure: Main DC and Remote Location connected over an IP Network (WAN Core – IPv4, MPLS, SR, etc.); EP1 (EPG1) and EP2 (EPG2) communicate through a Contract; PBR redirects the traffic to an L4-L7 Service Node at the Remote Leaf (RL)]
ACI 4.0
ACI Remote Leaf
PBR
[Figure: same topology with an additional endpoint EP3 in the Main DC; EP1 (EPG1) and EP2 (EPG2) communicate through a Contract with PBR to the L4-L7 Service Node at the RL]
ACI Remote Leaf
Inter-VRF Traffic
[Figure: Main DC and Remote Location over the IP Network (WAN Core – IPv4, MPLS, SR, etc.); EP1 and EP2 in VRF1, EP3 in VRF2]
ACI 4.0
ACI Remote Leaf
Inter-VRF Traffic
[Figure: same topology; inter-VRF traffic between EP1/EP2 (VRF1) and EP3 (VRF2)]
ACI 4.1.2
Remote Leaf: Direct Switching over IPN
[Figure: Pod 1 and Pod 2 over the Inter-Pod IP Network; Site 1 and Site 2 over the Inter-site IP Network]
[Figure: ACI Virtual Edge (AVE) running on a hypervisor next to the native switch; VMs and a Bare Metal Server attached]
Virtual Pod (vPod)
Shipping
Virtual ACI: Virtual Pod
Extend ACI to Bare Metal Clouds and Remote Data Centers
[Figure: on-prem fabric connected over an IP Network to a hypervisor cluster hosting VMs]
ACI vPod Use Cases
[Figure: Data Center A connected over an IP Network to a Brownfield site and Data Center C, each hosting VMs]
Virtual Pod Scaling
• Management Cluster – per vPod
• Cisco ACI Virtual Edge (vPod Mode – per Workload Server)
ACI 4.0
ACI Infrastructure Enhancements
• RoCE v2 Deployment
• Host Route On Border Leaf
Mini ACI
Shipping Since ACI 4.0
ACI: Mini ACI Fabric
ACI Fabric For Small Scale Deployments – 5RU System
[Figure: Physical APIC 1 with 1st Tier Leaf and 2nd Tier Leaf switches; an L3out can be connected to a Tier-2 Leaf or to a Tier-1 leaf]
Connectivity requirement to 2nd Tier Leaf
1G support on leaf downlink to Tier-2-leaf uplink
• Use case: Long OM2 fibers from 93180YC Leaf to 9348 Tier-2-leaf.
• 10G range is shorter on OM2 than 1G
• 10G OM2 (10GBASE-SR, 82 m)
• 1G OM2 (1000BASE-SX, 550 m)
[Figure: Spine, Tier-1 leaf and Tier-2 leaf]
Cloud ACI
[Figure: Multi-Site Orchestrator managing on-prem sites and cloud sites hosting VMs]
ACI Extensions to Cloud Multi-Site
[Figure: the on-prem policy (Web, APP and DB EPGs connected by Contracts) is rendered in an AWS Region as Security Groups (SG) and SG Rules, and in an Azure Region as Application Security Groups (ASG) and Network Security Groups (NSG) protecting the Web, APP and DB VMs; the sites are connected over an IP Network]
Why does this matter?
Use Cases
Supported in ACI 4.1
Application Stretch
[Figure: an application stretched across on-prem and cloud sites through the Multi-Site Orchestrator]
Supported in ACI 4.1
Shared Services for Hybrid-Cloud
[Figure: Multi-Site Orchestrator; App-EPGs in CIDR 3 and CIDR 5 belonging to different VRFs]
• Contract will leak subnet between VRFs for reachability
Supported in ACI 4.1
Cloud and On-Prem L3outs
[Figure: Multi-Site Orchestrator (MSO) managing On-Premise Site A (CSRs, local L3out) and Public Cloud Site B (AZ-1 and AZ-2, User VPC-1 and User VPC-2 with EPG-1, EPG-2, EPG-3 mapped to SG-1, SG-2, SG-3, VGWs, IGWs and a cloud L3out); the sites are connected through IPSec Tunnels]
• On-Prem local L3out
• On-Prem site IPSec Tunnel endpoints cannot use Cloud L3out
• Shared On-Prem L3out for Cloud VPCs *
Architecture
Cloud APIC Architecture
[Figure: Cloud APIC components: Web Server (NGINX), Policy Distributor (PD), Policy Manager (PM), Cloud Policy Elements and Connectors]
• Virtual Form Factor of APIC
• Automates / Manages Cloud Routers
• Translates ACI Policy to cloud native constructs
• Deploys cloud resources and infrastructure components
• Intuitive GUI and Similar ACI UI look and feel
• REST API North Bound Interface
Topology Health
Endpoints in an EPG
Network Adapter
Cloud Infra – AWS
[Figure: Multisite Orchestrator connecting the On-Premises ACI DC to Public Cloud Region-1; an Infra VPC hosts two CSR1kv routers that terminate IPSec Tunnels to the VGWs of the user VPCs hosting VMs]
Cloud Infra – Azure
[Figure: Multisite Orchestrator connecting the On-Premises ACI DC to Public Cloud Region-1; an Infra VNET hosts two CSR1kv routers that terminate IPSec Tunnels to the VNGs of the user VNETs hosting VMs]
Cloud EPG
Mapping Endpoints by Tags / Region / AZ / IP
[Figure: Site B with regions US-East-1 and US-West-1; endpoints mapped into a WEB EPG and a DB EPG]
Deploying Cloud APIC
Cloud APIC in AWS Marketplace: http://cs.co/capic-aws
Cloud APIC in Azure Marketplace: http://cs.co/capic-azure
Virtual Network Integration
ACI Virtual Networking Integrations
[Figure: supported virtual networking platforms, including CCP]
Container Platforms with ACI-CNI integration
[Figure: Open Source Kubernetes 1.6-1.13 on KVM/Baremetal, ESXi and OpenStack; further platforms marked Future]
ACI Hardware
Nexus 9000 & APIC Hardware
Nexus 9300 leaf switches:
• Nexus C93360YC-FX2: 96p 25G SFP28, 12p 100G QSFP28 – ACI 4.1(2)
• Nexus C93216TC-FX2: 96p 10GT, 12p 100G QSFP28 – ACI 4.1(2), Q2CY19
• Nexus 93600CD-GX: 28p 100G QSFP28, 8p 400G QSFP-DD – ACI 4.2(2)
• Nexus 9336C-FX2: 36p 40/100G – ACI 3.1(2)
Fixed and modular spines:
• Nexus 9332C – Fixed Spine: 32p 40/100G QSFP28, 2p 10G – ACI 4.0
• Nexus 9316D-GX Fixed Spine: 16p 400G QSFP-DD – ACI 4.2(2)
• Nexus 9500 with Nexus 9716D-GX – Modular Spine – Future
APIC clusters:
• APIC-CLUSTER-L3* (>= 1200 Leaf Ports) – ACI 4.0
• APIC-CLUSTER-M3* (< 1200 Leaf Ports) – ACI 4.0
Offered as a single VM
[Figure: 1 x APIC, 1 x Spine, Leaf 1 and Leaf 2 inside one VM]
• Native APIC, uses the same APIs that are published for third parties
• Use cases – Training, Lab, Test, etc.
• Control plane only, no data plane
• Support offered through Cisco Communities, no TAC support
Cloud Automation with vRealize
vRealize Automation / vRealize Orchestrator
Day Zero Operations
ü Fabric Bring-up
ü Infrastructure provisioning
ü Security Domains
[Figure: workflows to Deploy Tenant, Deploy App, Deploy Firewall and Deploy Load Balancer]
Reasoning you do after the fact, the Engine does before the fact, continuously, network wide
Smart Events & Compliance Score for Compliance
Epoch Delta Analysis
Correlated Ad hoc Analysis Workflow
[Figure: comparison of a Before / Baseline epoch against an After / Current epoch]
4 Qs, correlated answers…
• What changed?
• Who was impacted?
• Was it due to config changes?
• What happened as a result?
Use Cases
• Change Management
• Root-cause analysis
• Migration
• Maintenance Upgrades
• Capacity Management
Health Delta - Summary
Change in the health of the Fabric
Network Insight Telemetry Applications On APIC
Providing Network Health Visibility & Enabling Proactive Insights
New Apps
• NIA – Network Insights Advisor
• NIR – Network Insights Resources
[Figure: Data Collection → Anomaly Detection → Remediation]
Event Analytics Dashboard displays Faults, Events, and Audit Logs in a time series fashion.
Resource Utilization Dashboard
Resource Analysis – Flow Analytics
Proactive Anomaly Detection for ACI Deployments
Targeted Flow Monitoring Use Cases:
• Application Performance Issues:
• Forwarding/policy Drops indicating congestion
• High end to end application latency
• Application Downtime Event:
• Policy misconfiguration due to ACLs
Network Insights Advisor
• Software/Hardware Recommendations
• Workarounds
• Avoid multiple TAC calls
Network Insights Advisor Targeted Use Cases
Proactive supportability insights
• Dashboard: "Give me a summary of issues"
• Advisories: provides advisories based on anomalies, bugs, PSIRTs and field notices
• Measure upgrade impact
• Anomalies: hardening checks, scale checks
ACI Service Engine
ACI 4.2
ACI: Services Engine
New Application Hosting Platform
[Figure: ACI Services Engine (192 GB memory, 2.4 TB x 2 HDD) hosting Network Insights, Network Assurance Engine and 3rd Party Apps]
[Figure: Vulnerability Scanners; certifications: PCI, DoD, FIPS, Common Criteria]
ACI Services Graph
[Figure: service graph features by release (ACI 3.0, 3.1, 3.2, 4.0 and later; column alignment lost in extraction): Anycast IP/MAC; Multi-node PBR; Resilient hash; PBR with vzAny; Multi-site Services; Intra-EPG contract; PBR with preferred group; L1/L2/L3 PBR; PBR in ACI Fabric, MPOD, Remote Leaf and Service EPG in Multisite; PBR with Multi-Node Tracking; Floating L3out; PBR N+M standby; PBR with Service EPG in L3out]
Shipping
ACI Anywhere
Encrypted DCI Connectivity Multi-Site
[Figure: Multi-Site fabrics hosting VMs connected over IP / WAN; labels: CloudSec (Shipping), MACSEC (Future)]
Cisco Integrations
UCSM Integration with VMM domain
• New ACI App to integrate UCSM to provision VLANs on-demand.
• With this integration, there is no need to pre-configure all the VLANs of the VMM VLAN pool on the UCS FI beforehand, which consumes logical ports (p*v).
• Requirement
• APIC version 4.1 or later
• UCSM version 3.2 or later
Current operation
• Need to configure VLANs on FIs beforehand
• Consume logical-ports even though VLANs are not actually used.
[Figure: UCS Fabric Interconnect trunking VLAN 1000-1999 on the interfaces (eth0/eth1, pNIC) connected to each blade in the UCS Chassis; only VLAN 1000-1001 are actually used in this example]
With the integration
• No need to pre-configure VLANs on FIs
• Automate VLAN provisioning
[Figure: UCS Fabric Interconnect automatically adds a VLAN when it is allocated for an EPG; VLAN 1002-1999 are not allowed in this example]
Multi-Domain - ACI and SDA
[Figure: Cisco SDA Campus (DNAC, ISE) exchanges groups with Cisco ACI Hybrid-DC (Multi-Site Orchestrator); San Francisco (subnet 10.1.1.0/24) and New York (subnet 10.121.0/24) sites host Web, App and DB servers behind firewalls (FW)]
[Figure: SD-WAN Fabric managed by vManage; DSCP used for signaling between the L3-Out and the vEdge in the DC; DSCP based path selection out of 4 classes between the San Francisco Data Center vEdge and the Los Angeles Branch vEdge for User 1 / App 1]
[Figure: AppDynamics – Network & Application Health Correlation across VMs]
Ecosystem Integrations
Shipping
F5 ACI App in Cisco ACI App Center
Extend F5 BIG-IP and Cisco ACI Joint Solution Use Cases
Shipping
ACI: ServiceNow Integration
Automated discovery and provisioning of ACI Fabric from ServiceNow ITOM App Store
• Discovery: automatically discover ACI's physical & logical entities from ServiceNow
• Visibility: accurate & up-to-date CMDB, infrastructure visibility & mapping, configuration drift & rollback
• Provisioning: ServiceNow's External Component Credential Store support, 40+ custom activity packs & workflow automation, incident dashboards
• Compatible with latest ServiceNow releases
• Discover cAPIC entities from ServiceNow ITOM
• Automate ACI software update from ServiceNow ITOM
Shipping
ACI: Splunk Integration
Central Proactive Monitoring, operational analytics and troubleshooting
ACI App & Add-on for Splunk Enterprise
• Real time and historical insights into ACI fabric: drilldown into health scores, performance metrics
• Operational Analytics: automated alerting, root cause analysis
• Audit, Risk and Compliance Analysis: prevent unauthorized access, Compliance
• Cross-tier correlation: gain visibility across the entire data center
• Splunk dashboards to monitor c-APIC: additional drilldown and troubleshooting, CIM, Syslog parsing
Shipping
ACI: AlgoSec Integration
Multi-tenant, policy-driven, application-centric model for Security
Cisco ACI
Broad Ecosystem to Use, Customize and Extend Your IT Investments
ACI Software Release Cadence
Target – one release every four months
[Figure: release timeline by quarter from Q2 CY2017 through Q1 CY2020]
ACI Anywhere
Thank you