Nexus Hybrid Cloud: Connecting On-Prem VXLAN Fabric to Public Cloud

Ambrish Singh, Lead Technical Marketing Engineer
Rahul Nema, Technical Marketing Engineer
Cloud Networking Group

BRKDCN-2671

Agenda
• Introduction
• Challenges with Hybrid Cloud networking
• What’s Cisco Hybrid Cloud Solution
• Supported Topologies
• Demo
© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Introduction
What is Hybrid Cloud

Hybrid clouds are infrastructure combinations of two or more clouds, such as on-premises private, hosted private, or public, that can be centrally managed to enable interoperability for various use cases.

Introduction
• Private Cloud – On-prem Data Center
• Public Cloud – AWS, Azure, GCP
• Hybrid Cloud – Private Cloud + Public Cloud
• Hybrid Multi Cloud - Private Cloud + 2 or more Public Clouds
• Multi Cloud – Public Cloud + Public Cloud

Hybrid Multicloud Networking – The requirements

• Connectivity: connecting applications across on-premises, public clouds and edge networks
• Zero Trust and security: maintaining a consistent security posture that is agnostic to where app and clients are located
• Visibility: observing and analyzing connectivity, traces, logs, and metrics across heterogeneous networks
• Application networking: enabling application intent to dynamically drive network behavior
Challenges with Hybrid Cloud Networking
Network Admin Challenges

• Heterogeneous networks
• Multiple configuration touchpoints
• Human effort prone to errors
• No centralized control
• No consistent policy model
Network Admin Challenges

| NX-OS                           | ACI                  | AWS                  | Azure                               | GCP             |
| Separate infrastructure + VXLAN | Tenant               | Account              | Subscription / Resource Group       | Account/Project |
| Data Center                     | Site/Pod             | Region               | Region                              | Region          |
| VRF                             | VRF                  | VPC                  | VNet                                | VPC             |
| VLAN                            | Bridge Domain/Subnet | CIDR/Subnet          | Subnet                              | Subnet          |
| VLAN Tag                        | EPG                  | Security Groups      | Application/Network Security Groups | Firewall        |
| Access-list (ACL)               | Contracts & Filters  | Security Group Rules | Security Rules                      | Firewall Rules  |
What’s Cisco Hybrid Cloud Solution
Building Hybrid Multicloud

Components:
• Nexus Dashboard Orchestrator (NDO) 4.1(1)
• Nexus Dashboard Fabric Controller (NDFC) 12.1.2e
• Cisco Cloud Network Controller (CNC) 25.1(1e)

[Diagram: Cisco Nexus Dashboard Orchestrator above Sites 1–5, each hosting VMs]

• Consistent Network and Policy
• Secure Communication
• Single Point of Orchestration
• Automated Connectivity
• Cloud Only (Multi-Cloud)
Hybrid Cloud : Building Blocks

• Catalyst 8000v
• Cisco Cloud Network Controller
• Nexus Dashboard
Catalyst 8000v
• IOS-XE based Cloud Native Router
• SAAS offering (ISO, BIN, OVA, and QCOW2 formats)
• Available on CCO and Cloud Marketplace (PAYG or BYOL)
• Up to 10 Gbps of Throughput per instance
• VM requirement –
  • CPU – 1 to 8 virtual CPUs
  • Memory – 4 GB to 16 GB
  • Disk space – 8 GB
  • Two or more vNICs, up to maximum allowed by hypervisor
https://www.cisco.com/c/en/us/products/collateral/routers/catalyst-8000v-edge-software/datasheet-c78-744101.html
Reference slide

Catalyst 8000v Feature Overview

• IPsec, DMVPN, Flex VPN, GetVPN
• BGP, OSPF, EIGRP
• VXLAN Gateway, VXLAN Multicast & Unicast
• ACL, AAA
• GRE, QoS, IP SLA
• NAT, LISP, OTV
• DHCP, HSRP
Cisco Cloud Network Controller (CNC)
• Provides the ability to connect and consume public clouds, accelerating business agility to support hybrid or multicloud environments.
• Using cloud-native constructs, the solution enables automation that accelerates infrastructure deployment and governance and simplifies management to easily connect workloads across multicloud environments.

Cisco Cloud Network Controller (CNC)
• Manage multiple regions through a single Cloud Network Controller instance
• Provide secure interconnect for multi cloud environments and automate network connectivity across multiple On-Premises and Public Cloud environments
• Enable Consistent Policy, Security and Operations between On-Premises and Public Cloud environments

Reference slide

Cisco Cloud Network Controller feature overview

Cloud networking
• Intra-Cloud: TGW, VNET peering
• Inter-Cloud: C8Kv automation
• Connectivity: IPsec, direct connect, express route

Segmentation
• Extend segments from on-premises to cloud
• Extend segments from cloud to cloud
• Security group rule management

Visibility
• View and connect to brownfield VPC networks
• Inventory and topology view

Support on Public Cloud
• AWS, Azure, Google Cloud

L4-L7 services
• Automate service insertion and service chaining (load balancers, firewalls, …)

Open APIs
• Enable automation using Terraform and Ansible

[Diagram: Cisco Cloud Network Controller spanning data center, private cloud and public cloud]
Cloud Network Controller
Public cloud policy mappings

| Cloud Network Controller | AWS                 | Azure                  | GCP           |
| Tenant                   | Account             | Subscription           | Project       |
| VRF                      | VPC                 | Virtual Network        | VPC           |
| Bridge Domain Subnet     | Subnet              | Subnet                 | Subnet        |
| EPG                      | Security Group      | App Security Group     | Firewall      |
| Contracts, Filters       | Security Group Rule | Network Security Group | Firewall Rule |
| Consumed Contracts       | Inbound Rule        | Inbound Rule           | Inbound Rule  |
| Provided Contracts       | Outbound Rule       | Outbound Rule          | Outbound Rule |
Cisco Cloud Network Controller

[Diagram: one Cloud Network Controller per cloud. AWS US West Infra VPC, ASN 65091: C8Kv, TGW Connect, TGW. Azure US East Infra VNet, ASN 65092: C8Kv, NLB]
Powering automation
Cisco Nexus Dashboard: unified agile platform
Simple to automate, simple to consume

Services on Cisco Nexus Dashboard:
• Insights
• Fabric Discovery
• Fabric Controller
• Orchestrator
• Data Broker
• SAN Controller

Consume all services in one place: private cloud, public cloud, custom/third-party
Nexus Dashboard Fabric Controller
A comprehensive data center automation tool

NDFC helps you easily and reliably deploy, operate and maintain VXLAN-EVPN, LAN, SAN, and Media fabrics for Cisco NX-OS Nexus and MDS, IOS-XE, IOS-XR infrastructure and interconnect with public clouds.

• Day-0: bootstrap, deploy
• Day-1: provision, maintain, monitor, operate
• Day-2 with ND Insights: troubleshoot, plan, grow
• Scale out with ND Orchestrator: multi-site and cloud acceleration

It addresses challenges by providing comprehensive solution-level control, automation, visibility, monitoring, and integration.
Nexus Dashboard Fabric Controller

• Automation: accelerate provisioning and simplify deployments
• Management: in-depth management and control for all network deployments
• Visibility: get centralized visibility and monitoring views
Nexus Dashboard Fabric Controller

• Manages On-prem VXLAN fabric
• Built-in templates for building on-prem VXLAN fabric
• VXLAN fabric must have one or more Border Gateways (BGW)
• External fabric for Managed or Unmanaged IPsec devices
• IPsec device should be in Core Router role

[Diagram: VXLAN fabric (ASN 65084) with Spine, Leaf1, Leaf2, network 172.16.10.0/24 and a Border Gateway; External fabric (ASN 65080) with the On-prem IPsec Router]
Nexus Dashboard Orchestrator
Multi-site Orchestrator

NDO offers multi-site networking orchestration and policy management, disaster recovery and high availability, as well as provisioning and health monitoring.

• Multi-site Network Orchestration
• Multicloud Orchestration
• Consistent Policy Management
• Disaster Recovery and Agility

Private Cloud, Hybrid Cloud, Multiple Cloud Data Centers
Nexus Dashboard Orchestrator
Single point of control

[Diagram: Cisco Nexus Dashboard Orchestrator above Sites 1–5, each hosting VMs]

• Orchestrating end-to-end connectivity between –
  • On-premises to Cloud sites
  • Cloud to Cloud
• Centralized deployment of –
  • VRFs/Networks in on-prem VXLAN fabric
  • VPCs/VNets in Cloud sites
Hybrid Cloud : Under the Hood

• Underlay (BGP/IPsec)
• Overlay (VXLAN Multi-site)
• BGP EVPN (Control-Plane)

[Diagram: NDFC-managed VXLAN fabric (ASN 65084: Spine, Leaf1, Leaf2, 172.16.10.0/24, Border Gateway) and External fabric (ASN 65080, On-prem IPsec Router) connected over Internet/DC/ER to the us-west-1 Infra VPC (ASN 65091, Cloud Network Controller, TGW), with the underlay and overlay layered across that connection]
Use-Cases
Stretched VRF

Schema: Stretched-VRF
Templates: Stretched-VRF and On-Prem

[Diagram: VRF stretched-vrf spans AWS region us-west-1 (VPC stretched-vrf, CIDR 10.210.0.0/16; C8Kv, TGW Connect, TGW, US West Infra VPC), Azure region East US (VNet stretched-vrf, CIDR 70.10.0.0/16; C8Kv, NLB, US East Infra VNet) and the on-prem fabric (BGW, Spine, Leaf; Net 172.16.10.0/24 in VRF stretched-vrf)]
Use-Cases
VRF Route Leaking

Schema: Route-leaking
Templates: AWS, Azure and On-Prem

[Diagram: AWS region us-west-1 with VPC aws10 (CIDR 10.220.0.0/16, VRF aws10; C8Kv, TGW Connect, TGW, US West Infra VPC); Azure region East US with VNet azure10 (CIDR 90.10.0.0/16, VRF azure10; C8Kv, NLB, US East Infra VNet); on-prem fabric (BGW, Spine, Leaf) with Net 172.16.20.0/24 in VRF v10. Route leaking between VRFs aws10, azure10 and v10]
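A pre-deployment check for the two schemas above, added here as an example rather than code from the deck or from NDO: in the stretched VRF every site contributes prefixes to one routing domain, and route leaking joins aws10, azure10 and v10 into one, so those prefixes must not overlap, and each site needs its own ASN for the eBGP underlay. Site names, ASNs and CIDRs come from the slides; treating leaked VRFs as a single domain for prefix uniqueness is the example's own assumption.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed site plan (site, BGP ASN, VRF, prefix), values taken from the
# two use-case slides: one stretched VRF and three VRFs joined by route leaking.
SITES = [
    ("on-prem",   65084, "stretched-vrf", "172.16.10.0/24"),
    ("us-west-1", 65091, "stretched-vrf", "10.210.0.0/16"),
    ("East US",   65092, "stretched-vrf", "70.10.0.0/16"),
    ("on-prem",   65084, "v10",           "172.16.20.0/24"),
    ("us-west-1", 65091, "aws10",         "10.220.0.0/16"),
    ("East US",   65092, "azure10",       "90.10.0.0/16"),
]
# Assumption of this example: VRFs that leak routes into each other behave as
# one routing domain for the purpose of prefix uniqueness.
LEAK_GROUPS = [{"aws10", "azure10", "v10"}]


def routing_domains(sites, leak_groups):
    """Group (site, network) pairs by the routing domain the VRF ends up in.
    A stretched VRF is its own domain; leaked VRFs share one domain."""
    domains = {}
    for site, _asn, vrf, prefix in sites:
        key = next((frozenset(g) for g in leak_groups if vrf in g), frozenset({vrf}))
        domains.setdefault(key, []).append((site, ip_network(prefix)))
    return domains

def find_overlaps(sites, leak_groups):
    """Return (vrfs, site_a, prefix_a, site_b, prefix_b) for every pair of
    prefixes that would collide inside one routing domain."""
    hits = []
    for key, members in routing_domains(sites, leak_groups).items():
        for (site_a, net_a), (site_b, net_b) in combinations(members, 2):
            if net_a.overlaps(net_b):
                hits.append((sorted(key), site_a, str(net_a), site_b, str(net_b)))
    return hits

def asn_conflicts(sites):
    """Each site peers via eBGP, so an ASN shared by two sites is a plan error.
    Returns {asn: [sites]} for ASNs reused across sites."""
    seen = {}
    for site, asn, _vrf, _prefix in sites:
        seen.setdefault(asn, set()).add(site)
    return {asn: sorted(s) for asn, s in seen.items() if len(s) > 1}

if __name__ == "__main__":
    print("prefix overlaps:", find_overlaps(SITES, LEAK_GROUPS))
    print("ASN conflicts:", asn_conflicts(SITES))
```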
Supported Topologies
VXLAN Multi-site: Single On-prem site

[Diagram: Cloud Site1 and Cloud Site2, each with a Cloud Network Controller and a C8Kv, reached over Internet/DC/ER from a single NDFC-managed On-Prem Site1 (C8Kv, BGW, Spine, Leaf)]
Supported Topologies
VXLAN Multi-site: Multiple On-prem sites

[Diagram: Cloud Site1 and Cloud Site2 (each with a Cloud Network Controller and a C8Kv) connected over Internet/DC/ER to On-Prem Site1, Site2 and Site3, each NDFC-managed with its own C8Kv, BGW, Spine and Leaf]
Supported Topologies
VXLAN Multi-site: Multiple On-prem sites (via Hub site)

[Diagram: Cloud Site1 and Cloud Site2 (each with a Cloud Network Controller and a C8Kv) connected over Internet/DC/ER to a single C8Kv at On-Prem Site2 (Hub Site); On-Prem Site1 and On-Prem Site3 reach the cloud through the hub site; all three sites have a BGW, Spine and Leaf and are managed by NDFC]
Demo
Topology: Starting Point

[Diagram: NDFC-managed VXLAN fabric (ASN 65084: Spine, Leaf1, Leaf2, 172.16.10.0/24, Border Gateway) and External fabric (ASN 65080, On-prem IPsec Router); Cloud Network Controller in the us-west-1 Infra VPC (ASN 65091, TGW); Cloud Network Controller in the East US Infra VNet (ASN 65092, NLB). The Internet/DC/ER connection between the sites is not yet present]
Topology
Step 1 : Build Underlay

[Diagram: same topology with the Internet/DC/ER connection added between the On-prem IPsec Router and the two cloud sites]
Topology
Step 2 : Build Underlay

[Diagram: same topology with eBGP and OSPF added for the underlay]
Topology
Step 2 : Build Overlay

[Diagram: same topology with BGP EVPN added for the overlay on top of the eBGP/OSPF underlay]
Topology
Step 3 : Deploy VRFs and Networks

[Diagram: same topology with the networks deployed: 10.1.1.0/24 in East US attached by VNet Peering to the East US Infra VNet; 10.2.1.0/24 in us-west-1 attached by a VPC Attachment to the TGW in the us-west-1 Infra VPC; 172.16.10.0/24 in the on-prem VXLAN fabric]
Demo Videos

Further References
• Cisco Cloud ACI on AWS White Paper
• Cisco Cloud ACI on Microsoft Azure White Paper
• Hybrid Cloud Connectivity Deployment for Cisco NX-OS
Thank you