Cisco Virtual Update Juni 2017 – Data Center Nexus 9000/ACI · TECHNOLOGY VISION FOR AN AGILE...

1 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Partner Summit 2016

Cisco Virtual Update Juni 2017 – Data Center

Nexus 9000/ACI “Vi vil præsentere ACI nyheder i 2.1 og 3.0 software - Integration med ISE og TrustSec, Multi-Pod udvidelser, shared services EPG med mikrosegmentering, brugerbaseret mikrosegmentering (VDI), Azure udvidelser og derudover løfter vi sløret for v3.0 nyheder.”

Mikkel Brodersen, SE, [email protected] Brian Kvisgaard, SE, [email protected]

2 © 2016 Cisco and/or its affiliates. All rights reserved.

T E C H N O L O G Y V I S I O N F O R A N A G I L E D ATA C E N T E R ACI Software Release Timeline

Q3 2016 Q4 2016 Q2 2017 Q3 2017 Q4 2017 Q1 2018 Q1 2017

ACI 2.0

ACI 2.1

ACI 2.2

Long Lived Releases

ACI 3.1(x)

ACI 2.1(2E)

ACI 2.3

ACI 3.2

ACI 3.0

ACI 3.1

Maintenance

Releases

Target – One Release Every Four Months.

ACI 2.0(2)

ACI 2.1(2)

ACI 2.2(2)

ACI 3.1(2)

ACI 2.3(2

ACI 3.0(2)

You Are Here (Jun 2017)

Congo Crystal Danube Drava Ebro


ACI 2.x releases •  2.1 (Crystal) Maintenance release

•  2.1(1h) - oct 16 Initial •  2.1(1i) - dec 16 update •  2.1(2e) - feb 17 - •  2.1(2g) - apr 17 -

•  2.2 (Danube) Major release •  2.2(1n) - jan 17 Initial •  2.2(1o) - mar 17 update •  2.2(2e) - apr 17 Maintenance Release 1 •  2.2(2f) - apr 17 update •  2.2(2i) - may 17 -


Cisco ACI 2.0 Release (July 2016) Infrastructure Virtualization and Operations

•  Routing & Switching •  Policy based Redirect •  Symmetric Multipath Load

balancing & Redirection •  Multicast Routing PIM support •  OSPF in-bound area filtering •  BGP limit maximum AS (max as-

limit) •  64-way ECMP

•  Visibility & Analytics •  Copy Service

•  Security •  Permit Logging

•  Scale •  4 PoDs in Multi-Pod configuration,

up to 300 leaf(s) total

•  Hardware •  93108TC-EX •  DC48V support (Fixed & Modular

spine) •  DOM on ACI Mode

•  Multi-PoD (ALE and ALE-2) •  WAN Integration (ALE & ALE-2)

•  VXLAN EVPN BGP (iBGP and eBGP) for IPv4 & IPv6

•  OpFlex Push to N7K, ASR9K •  QSA Support on N9332Q access ports •  FCoE NPV (N9300-EX only), PFC

(802.1Qbb)

•  ACI vCenter Plugin •  Multiple vCenter per Fabric (50) •  vRealize 7.0 •  Cisco AVS

•  vRealize •  VEM Commands from APIC •  EPG health score

•  OpenStack -‐  ‘Liberty’ Support

-‐  Hierarchical VLANs -‐  VMware Hypervisor integration -‐  Group-Based Policy and ML2 Unified

Plugin


Multipod

6 © 2016 Cisco and/or its affiliates. All rights reserved. 6

Pod ‘A’

MP-BGP - EVPN

Single APIC Cluster

§  Multiple ACI Pods connected by an IP Inter-Pod L3 network, each Pod consists of leaf and spine nodes

§  Managed by a single APIC Cluster §  Single Management and Policy Domain

§  Forwarding control plane (IS-IS, COOP) fault isolation

§  Data Plane VXLAN encapsulation between Pods

§  End-to-end policy enforcement

Pod ‘n’ Inter-Pod Network

…

IS-IS, COOP, MP-BGP IS-IS, COOP, MP-BGP

ACI Multi-POD Solution Overview


Policy Based Redirect


•  In an ACI fabric, traffic is routed/bridged based on IP/MAC •  This is also true when using the Service Graph

•  With ACI 2.0, we provide PBR functionality with Service Graph

•  Works for both physical and virtual services

PBR on ACI


EPG Client

EPG Web

•  Inspect specific traffic by FW.

PBR: Use Case 1

Only HTTP traffic is redirected to FW, and then traffic is going to Web endpoint

Other traffic permitted by contract are going to Web endpoint directly.

EPG Client

EPG Web Contract

Redirect

provider consumer


Customer A EPG-‐A

Customer B EPG-‐B

•  Use different Firewall based on source.

PBR: Use Case 2

EPG-A goes to L3out via FW1 EPG-B goes to L3out via FW2

FW1 FW2

L3Out


•  Routing design simplification for L4-L7 service integration.

PBR: Use case 3

Need to have separate VRF to make sure traffic is going through FW.

VRF11

VRF12

VRF11 Use traffic redirection (PBR)

EPG Client

EPG Web Contract

Redirect

provider consumer


Copy Service


EPG Client

EPG Web

•  Inspect specific traffic.

Copy Service use case 1

Traffic is copied to IDS

Original traffic goes to Web endpoint directly.

EPG Client

EPG Web Contract

Copy

provider consumer

IPS


EPG Client

EPG Web

•  Inspect specific traffic

Copy Service Use Case 2

Only HTTP traffic is copied

Original traffic goes to Web endpoint directly.

EPG Client

EPG Web Contract

Copy

provider consumer

Subject1 (permit HTTP) Subject2 (permit ALL)


•  Copy Service can be deployed between EPGs in same BD, EPGs in different BD under same VRF, EPGs in different BD in different VRF, EPGs in user tenant and tenant common.

Supported topology

Example

EPG Client

BD1 (192.168.1.254/24)

192.168.1.1/24 192.168.1.2/24

EPG Web

Copy Device

VRF1 VRF2

EPG Client

BD1 (192.168.1.254/24) BD2 (192.168.2.254/24)

192.168.1.1/24 192.168.2.1/24

EPG Web

Copy Device

VRF1

EPG Client

BD1 (192.168.1.254/24) BD2 (192.168.2.254/24)

192.168.1.1/24 192.168.2.1/24

EPG Web

Copy Device

VRF1

Route-leaking

Service Graph is mandatory Create Copy Device on APIC (Today physical device only) Supported only on Sugarbowl based HW. (Nexus 9300-EX) Copy applies for the traffic flow in both directions


vCenter Plug-In


Cisco ACI Plugin for vSphere Web Client (a.k.a. ACI vCenter Plugin)

§  The ACI vCenter Plugin provides a GUI integrated inside vSphere Web Client to allow managing an ACI Fabric

§  Allows the vSphere administrator configure and/or monitor ACI networking from an interface that is familiar to them

§  Focuses on Simplicity: No in-depth networking or ACI knowledge required


§  Stateless, does not store any information: fetch everything from APIC

§  Does not change existing integration of ACI with vCenter. A VMM Domain must exists already. The Plugin just allows to do the configuration of APIC from the vSphere Web Client

ACI vCenter Plugin Overview

vCenter Plugin

vSphere Web Client

vCenter

VMM Domain


Cisco ACI 2.1 Release (Oct 2016) Infrastructure Virtualization and Operations

•  MultiPoD support for Congo Features •  (PIM,PBR for NS and SB

symmetric PBR, Permit Logging, External connectivity, Copy service)

•  Security Feedback Loop solution with IPS for DVS, AVS, SCVMM and BM

•  1000 SVI under Single L3 Out •  IP based Aging •  Static Routes on APIC •  FIPS support on APIC •  AAA Enhancements

•  Golf – Host Routing Type-2 support •  Golf on Sugar Bowl with MultiPoD •  IGMP Static Group and Access List •  Port Security – in Sugar Bowl ToR’s •  Egress Cos Remarking based on Ingress

DSCP to Cos Mapping •  Outbound and Inbound Prefix list, and

Route map based Filtering •  IP-Based EPG as shared service provider •  QSA support on N95xx –EX LC, EX

Leafs •  MAC-EPG for BareMetal

•  EPG Trunking for DVS •  AVS: VEM commands for troubleshooting

from APIC •  AVS: LACP hashing (AVS specific only) •  AVS : Mixed mode support (Vlan and

Vxlan) in same VMM domain •  User-friendly Tenant names for Azure

pack users & MSFT WAP


GOLF/Multi-Pod

Single APIC Domain

. . .

Multiple Pods

IPN

DCIG Devices

MP-BGP EVPN Control Plane

WAN

Web/App DB Web/App

DB

Web/App DB

Single APIC Cluster

IPN is not managed by APIC. IPN topology, which can be arbitrary, provides connectivity between pods and can connect to WAN routers for GOLF.

GOLF Device for connection to WAN/MPLS/Internet. Can be same device as IPN device.


Consuming Micro-Segmentation ACI and SourceFire – Security Closed Feedback Loop

CORP EPG

FW

NGIPS 10.1.0.234

Attack

PUBLIC EPG

REM EPG

QUA EPG

FW

FireSIGHT Management

Center

REST Calls to APIC NB API

Move VM To Quarantine

Quarantine for Remediation Post Remediation Move Cleaned VM

Status: 1.  Productization target is VMware DVS,

AVS, BM (Q3-CY16) •  Quarantine Micro-EPG creation •  Quarantine bad endpoints only

2.  INSBU + Security BU validating this scalability of solution

3.  Service graph + Remediation EPG (Future)


What’s New in ACI 2.2(1)? Virtualization, Visibility & Monitoring, Operational Flexibility

Policy-Driven Infrastructure

Hardware •  Cisco Nexus 93180LC-EX •  Standby APIC

Virtualization •  AzurePack + Service Chaining •  OpenStack – Unified Plugin

Network & Security •  Full Netflow •  Contract Preferred Groups

Ecosystem •  Cisco ACI App Center •  Apps: Infoblox, ServiceNow


Nexus 9300-EX Series CloudScale ASICs

48p 1/10GT + 6p 40/100G QSFP Nexus 93108TC-EX

48p 10/25G SFP + 6p 40/100G QSFP Nexus 93180YC-EX

* Hardware Readiness, Check Software Roadmap for Enablement Timelines

Dual personality – ACI and NX-OS mode Industry’s first native 25G capable switch Flexible port configurations – 1/10/25/40/50/100G Up to 40 MB shared buffer Flow Table (Tetration support)

FEX Support

Key Features

Better understand network flow Flexible network upgrades using multi-speed ports IP Storage optimized buffering

Key Benefits 32p QSFP 32p 40/50G | 24p 40G + 6p 100G* 28p 40G + 4p 100G* | 18p 100G* Nexus 93180LC-EX

Nexus 93180LC-EX


ACI Mode (Nexus 93180LC-EX Port Configuration) Available now!

48p 10G/25G Fiber

Option 2 – Upto 12p 100G host ports & 6p 100G uplinks Shipping! Port configuration supported: •  Ports 1,3,5…23 are 100G capable

(Corresponding ports 2, 4, 6…24 are shut down if a 100G transceiver is plugged in)

•  Ports 25, 27, 28-32 are uplinks

Option 1 – 24p 40/50G & 6p 100G (40G Leaf) Shipping! Port configuration supported: •  Ports 1 – 24 support 40/50G, ports 25, 27,

28-32 are100G uplinks •  Ports 1-24 support QSA w/ 10G optics at

FCS •  Upto 48p 10G with 4x10G breakout will be

supported on port 1, 3, 5,..23 in future release

Ø  1.8 Tbps bandwidth Ø  Templates support planned for future release Ø  Redundant 1+1 AC/DC Power supplies and N+1 fan

modules Ø  FEX Support

6p 100G

-- --

24p 40/50G - -

- - - - -


Operational Flexibility 40G To 4X10G

Nexus 9332PQ Breakout

FCoE NPV FEX for ‘-EX’ Switch

Single Fabric For LAN and SAN Connectivity

HSRP L3 Sub-If (IPv4/IPv6)

QinQ Support Nexus ‘-EX’ Switch

ACI 2.2: Infrastructure Innovations

VF VF

VF VF

Leaf

FEX

Host - CNA

Leaf

L2 Switch L2 Switch

Active Standby

EP EP

Redundancy options to connect legacy networks

Additional Services Flexibility

Leaf

L2 Switch

MAC vlan 10 data

Preserve dot1q Tag Spine


Cloud Apps

Troubleshooting Apps

Security Apps

Networking Apps

Monitoring Apps

Optimization Apps

ACI 2.2: Introducing Cisco App Center Application Categories

ACI 2.2: Introducing Cisco ACI App Center

https://aciappcenter.cisco.com/


27

App Center Apps Programmable Infrastructure: Open APIs for Value Added Applications

Infoblox ServiceNow

Sync Configuration Between ACI & Infoblox Appliance

Simplify IP Address Management

Push ACI Logical Topology Constructs To Service Now

Automated Service Management

Sample Apps

Get Your Fabric A Score On Security And Compliance.

Path Analysis

Connectivity and Compliance

AlgoSec

ECOSYSTEM

Gain real time visibility centrally across your ACI

deployments

Splunk Connector for

Centralized Monitoring

Splunk


What’s New in ACI 2.2(2)? Virtualization, Visibility & Monitoring, Operational Flexibility

Policy-Driven Infrastructure

Hardware •  Cisco Nexus 93180YC-FX

(48p 10/25G Fiber switch)

•  Cisco Nexus 93108TC-FX (48p 1/10G copper switch)

•  100G on front panel ports for N9K-C93180LC-EX

Virtualization •  vSphere 6.5 Support

•  AVS, DVS, vSphere Plugin, vRealize

Network & Security •  Contracts application to directly

connected subnets on L3out

•  Inter/Intra Tenant VRF leaking for L3Out-L3Out Communications

•  BGP Timers per L3Out •  Multiple BGP communities per

route prefix


Nexus 9300-FX Series CloudScale ASICs

48p 1/10GT + 6p 40/100G QSFP Nexus 93108TC-FX

48p 10/25G SFP + 6p 40/100G QSFP Nexus 93180YC-FX

* Hardware Readiness, Check Software Roadmap for Enablement Timelines

Dual personality – ACI and NX-OS mode Flexible port configurations – 1/10/25/40/50/100G Line rate encryption all ports * 32G FC support on all SFP ports * 25G distances beyond 3m (RS FEC) Large Router ACL table Flow Table (Tetration) FEX Support

Key Features

Key Benefits

Shipping

Support for Nexus 5K FC designs – transition platform Link Security against fiber taps


ACI 2.2: Infrastructure Scale

FEX Up to 200 / Fabric

Up to 18 / Leaf

Leafs Up to 200 Per Fabric

Up to 300 Across Multiple Fabrics

Multicast Groups Up to 8,000

Bridge Domains Up to 21,000 (L2) Up to 15,000 (L3)

EPGs Up to 15000

Max 500 Per Tenant 200 InstP EPG per L3 Out

General Up to 5 APICs Up to 200 vCenters Up to 2,000 Contracts Up to 60k TCAM Rules 400 VRFs per Tenant (2.2(2e))

Tenants Up to 3000

Increased Scale and Performance


•  Microsoft has announced update to their existing product line. •  Windows Server 2016 •  System Center 2016

•  Danube release officially support ACI integration with Windows Server 2016 and System Center Virtual Machine Manager 2016.

•  Operationally there is no change to ACI usability as compared to Windows Server 2012

Windows 2016 support


•  Nano Server support - is not currently supported. •  Windows Server 2016 has introduced a new SKU of Nano Server which is very tiny footprint

version of Windows Server 2016. This is not currently supported.

•  VXLAN - is not currently supported. •  System Center 2016 has introduced new Network Controller to enable VXLAN encapsulation

support. This is not currently supported.

•  Ensure on Hyper-V 2016 Servers that the Hyper-V PowerShell Management Modules are installed. •  If they are not, Cisco-ACI Hyper-V Integration will not function correctly

•  Ensure that SCVMM 2016 HA Pair is in normal state if SCVMM is in a cluster. •  Otherwise fix the SCVMM Cluster forwarding questions to Microsoft support first.

Others

Date post:	24-May-2020
Category:	Documents
Upload:	others
View:	1 times
Download:	0 times

Cisco Virtual Update Juni 2017 – Data Center Nexus 9000/ACI · TECHNOLOGY VISION FOR AN AGILE...

Documents