© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Partner Summit 2016
Cisco Virtual Update June 2017 – Data Center
Nexus 9000/ACI "We will present the ACI news in the 2.1 and 3.0 software: integration with ISE and TrustSec, Multi-Pod extensions, shared-services EPG with micro-segmentation, user-based micro-segmentation (VDI), Azure extensions, and in addition we lift the veil on the v3.0 news."
Mikkel Brodersen, SE, [email protected] Brian Kvisgaard, SE, [email protected]
Technology Vision for an Agile Data Center: ACI Software Release Timeline
[Figure: release timeline from Q3 2016 to Q1 2018; "You Are Here" marks June 2017]
• Major releases (stated target: one release every four months): ACI 2.0 (Q3 2016), 2.1 (Q4 2016), 2.2 (Q1 2017), 2.3 (Q2 2017), 3.0 (Q3 2017), 3.1 (Q4 2017), 3.2 (Q1 2018)
• Maintenance releases: ACI 2.0(2), 2.1(2), 2.2(2), 2.3(2), 3.0(2), 3.1(2)
• Long-lived releases: ACI 2.1(2E) and ACI 3.1(x)
• Release code names, in order: Congo (2.0), Crystal (2.1), Danube (2.2), Drava (2.3), Ebro (3.0)
ACI 2.x releases
• 2.1 (Crystal), maintenance release
  • 2.1(1h), Oct 16: initial
  • 2.1(1i), Dec 16: update
  • 2.1(2e), Feb 17
  • 2.1(2g), Apr 17
• 2.2 (Danube), major release
  • 2.2(1n), Jan 17: initial
  • 2.2(1o), Mar 17: update
  • 2.2(2e), Apr 17: maintenance release 1
  • 2.2(2f), Apr 17: update
  • 2.2(2i), May 17
Cisco ACI 2.0 Release (July 2016)
Infrastructure
• Routing & Switching: Policy Based Redirect; symmetric multipath load balancing & redirection; multicast routing (PIM) support; OSPF inbound area filtering; BGP limit on maximum AS (max-as-limit); 64-way ECMP
• Visibility & Analytics: Copy Service
• Security: Permit Logging
• Scale: 4 PoDs in a Multi-Pod configuration, up to 300 leaves in total
• Hardware: 93108TC-EX; DC48V support (fixed & modular spine); DOM in ACI mode
• Multi-PoD (ALE and ALE-2); WAN integration (ALE & ALE-2)
• VXLAN EVPN BGP (iBGP and eBGP) for IPv4 & IPv6
• OpFlex push to N7K and ASR9K; QSA support on N9332Q access ports; FCoE NPV (N9300-EX only); PFC (802.1Qbb)
Virtualization and Operations
• ACI vCenter Plugin; multiple vCenters per fabric (50); vRealize 7.0; Cisco AVS
• vRealize; VEM commands from APIC; EPG health score
• OpenStack 'Liberty' support: hierarchical VLANs; VMware hypervisor integration; Group-Based Policy and ML2 unified plugin
Multipod
ACI Multi-POD Solution Overview
[Figure: Pod 'A' … Pod 'n' joined by an Inter-Pod Network; IS-IS, COOP and MP-BGP run inside each Pod, MP-BGP EVPN runs between Pods; one APIC cluster manages all Pods]
§ Multiple ACI Pods connected by an IP Inter-Pod L3 network; each Pod consists of leaf and spine nodes
§ Managed by a single APIC cluster
§ Single management and policy domain
§ Forwarding control plane (IS-IS, COOP) fault isolation per Pod
§ Data plane: VXLAN encapsulation between Pods
§ End-to-end policy enforcement
Policy Based Redirect
PBR on ACI
• In an ACI fabric, traffic is routed/bridged based on the destination IP/MAC; this is also true when using a Service Graph
• With ACI 2.0, PBR functionality is provided together with the Service Graph: a contract subject can redirect the traffic it matches to the L4-L7 device instead of letting the fabric forward it by destination
• Works for both physical and virtual services
PBR: Use Case 1
• Inspect specific traffic with a firewall
[Figure: EPG Client (consumer) -> Contract with Redirect -> EPG Web (provider); the FW sits on the redirect path]
Only HTTP traffic is redirected to the FW and then forwarded to the Web endpoint.
Other traffic permitted by the contract goes to the Web endpoint directly.
PBR: Use Case 2
• Use a different firewall based on the source
[Figure: Customer A (EPG-A) and Customer B (EPG-B) both reach the same L3Out; FW1 and FW2 sit on the respective redirect paths]
EPG-A goes to the L3Out via FW1; EPG-B goes to the L3Out via FW2.
PBR: Use Case 3
• Routing design simplification for L4-L7 service integration
[Figure, left: without PBR, two VRFs (VRF11 and VRF12) are needed to make sure traffic passes through the FW. Right: with traffic redirection (PBR), a single VRF11 is enough; EPG Client (consumer) -> Contract with Redirect -> EPG Web (provider)]
Without PBR you need a separate VRF to make sure traffic goes through the FW; with PBR the contract performs the redirect, so one VRF suffices.
Copy Service
Copy Service Use Case 1
• Inspect specific traffic
[Figure: EPG Client (consumer) -> Contract with Copy -> EPG Web (provider); the copied traffic goes to an IDS/IPS sensor]
Traffic is copied to the IDS.
Original traffic goes to the Web endpoint directly.
Copy Service Use Case 2
• Inspect specific traffic
[Figure: EPG Client (consumer) -> Contract with Copy -> EPG Web (provider); the contract has Subject1 (permit HTTP, with the copy graph attached) and Subject2 (permit ALL, no graph)]
Only HTTP traffic is copied.
Original traffic goes to the Web endpoint directly.
Supported topology
• Copy Service can be deployed between EPGs in the same BD, EPGs in different BDs under the same VRF, EPGs in different BDs in different VRFs (with route leaking), and between EPGs in a user tenant and tenant common.
Example
[Figure, three topologies: (1) EPG Client (192.168.1.1/24) and EPG Web (192.168.1.2/24) in the same BD1 (192.168.1.254/24), VRF1; (2) EPG Client in BD1 (192.168.1.254/24) and EPG Web in BD2 (192.168.2.254/24), both in VRF1; (3) EPG Client in BD1/VRF1 and EPG Web in BD2/VRF2 with route leaking between the VRFs. In each case the Copy Device receives the copied traffic.]
• A Service Graph is mandatory
• Create the Copy Device on APIC (today physical devices only)
• Supported only on Sugarbowl-based hardware (Nexus 9300-EX)
• Copy applies to the traffic flow in both directions
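PBR use case 1 and Copy Service use case 2 above both rest on the same construct: a contract with one subject that matches HTTP and carries the service graph, and a second subject that permits everything else with no graph. The Python below builds the APIC REST payload for exactly that contract and checks, before anything is pushed, that only the intended subject carries a graph. It is an added example, not Cisco code or anything taken from this deck. The tenant name PROD, the filter name http, the contract name client-to-web and the graph name copy-to-ids are assumptions; the vnsAbsGraph itself (copy device, or PBR device plus redirect policy) must already exist on APIC, since the deck states the service graph is mandatory.

```python
"""Contract with a graph-attached HTTP subject and a catch-all subject.
Added example (not Cisco code); all names are assumptions, see lead-in."""
import json


def http_filter(name="http"):
    """vzFilter with one vzEntry matching TCP to destination port 80."""
    return {"vzFilter": {
        "attributes": {"name": name},
        "children": [{"vzEntry": {"attributes": {
            "name": "tcp-80", "etherT": "ip", "prot": "tcp",
            "dFromPort": "80", "dToPort": "80"}}}],
    }}


def _subject(name, filter_name, graph=None):
    """vzSubj: the filter decides what the subject matches; an optional
    vzRsSubjGraphAtt attaches a service graph (copy or PBR) to it."""
    children = [{"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": filter_name}}}]
    if graph:
        children.append({"vzRsSubjGraphAtt": {"attributes": {"tnVnsAbsGraphName": graph}}})
    # revFltPorts=yes: the reverse direction of the flow matches too, so the
    # return traffic of a copied/redirected session is treated the same way.
    return {"vzSubj": {"attributes": {"name": name, "revFltPorts": "yes"},
                       "children": children}}


def graph_contract(name, graph, graph_filter="http", catchall="default"):
    """vzBrCP with two subjects: Subject1 = graph_filter + graph,
    Subject2 = catch-all filter ('default' in tenant common permits any)
    with no graph. Only the HTTP subset is copied/redirected; everything
    else the contract permits goes straight to the provider."""
    return {"vzBrCP": {
        "attributes": {"name": name, "scope": "context"},
        "children": [_subject("Subject1", graph_filter, graph),
                     _subject("Subject2", catchall)],
    }}


def graph_subjects(contract):
    """Names of the subjects that carry a graph. Run this before pushing to
    confirm that only the intended subset of traffic hits the L4-L7 device."""
    names = []
    for child in contract["vzBrCP"]["children"]:
        subj = child["vzSubj"]
        if any("vzRsSubjGraphAtt" in c for c in subj["children"]):
            names.append(subj["attributes"]["name"])
    return names


def tenant_post_body(tenant, *mos):
    """Wrap the objects in their fvTenant so the whole thing can be POSTed
    to /api/mo/uni.json in one request (names resolve relative to the tenant)."""
    return {"fvTenant": {"attributes": {"dn": f"uni/tn-{tenant}", "name": tenant},
                         "children": list(mos)}}


if __name__ == "__main__":
    contract = graph_contract("client-to-web", "copy-to-ids")
    assert graph_subjects(contract) == ["Subject1"]
    print(json.dumps(tenant_post_body("PROD", http_filter(), contract), indent=2))
```

The check in graph_subjects is the one worth keeping in any automation around these contracts: a graph attached to the catch-all subject by mistake sends every permitted flow through the copy or redirect device, which is both a capacity problem and, for PBR, a single point of failure for all traffic between the two EPGs.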
vCenter Plug-In
Cisco ACI Plugin for vSphere Web Client (a.k.a. ACI vCenter Plugin)
§ The ACI vCenter Plugin provides a GUI integrated inside the vSphere Web Client to allow managing an ACI fabric
§ Allows the vSphere administrator to configure and/or monitor ACI networking from an interface that is familiar to them
§ Focuses on simplicity: no in-depth networking or ACI knowledge required
§ Stateless, does not store any information: everything is fetched from APIC
§ Does not change the existing integration of ACI with vCenter. A VMM Domain must already exist; the plugin only allows APIC to be configured from the vSphere Web Client
§ Because the plugin writes to APIC, the APIC account it logs in with defines what the vSphere administrator can change; scope that account with APIC RBAC (roles and security domains) rather than a fabric-wide admin login
ACI vCenter Plugin Overview
[Figure: the vCenter Plugin inside the vSphere Web Client talks to APIC; vCenter is connected to APIC through the existing VMM Domain]
Cisco ACI 2.1 Release (Oct 2016)
Infrastructure
• Multi-PoD support for the Congo (2.0) features: PIM, PBR for NS and SB, symmetric PBR, Permit Logging, external connectivity, Copy Service
• Security feedback loop solution with IPS for DVS, AVS, SCVMM and bare metal
• 1000 SVIs under a single L3Out; IP-based aging; static routes on APIC; FIPS support on APIC; AAA enhancements
• GOLF: host routing (Type-2) support; GOLF on Sugar Bowl with Multi-PoD
• IGMP static group and access list; port security on Sugar Bowl ToRs; egress CoS remarking based on ingress DSCP-to-CoS mapping
• Outbound and inbound prefix-list and route-map based filtering; IP-based EPG as shared service provider
• QSA support on N95xx-EX line cards and EX leaves; MAC-EPG for bare metal
Virtualization and Operations
• EPG trunking for DVS
• AVS: VEM commands for troubleshooting from APIC; LACP hashing (AVS specific only); mixed mode support (VLAN and VXLAN) in the same VMM domain
• User-friendly tenant names for Azure Pack users & MSFT WAP
GOLF/Multi-Pod
[Figure: multiple Pods (each with Web/App and DB tiers) under a single APIC cluster and a single APIC domain, joined by the IPN; DCIG (GOLF) devices with an MP-BGP EVPN control plane connect the fabric to the WAN]
• The IPN is not managed by APIC. The IPN topology, which can be arbitrary, provides connectivity between Pods and can connect to WAN routers for GOLF.
• The GOLF device provides the connection to WAN/MPLS/Internet. It can be the same device as the IPN device.
Consuming Micro-Segmentation: ACI and Sourcefire – Security Closed Feedback Loop
[Figure: CORP, PUBLIC, REM (remediation) and QUA (quarantine) EPGs behind FWs; an NGIPS detects an attack from VM 10.1.0.234; FireSIGHT Management Center makes REST calls to the APIC northbound API to move the VM to quarantine; after remediation the cleaned VM is moved back]
Flow: attack detected -> move VM to quarantine -> quarantine for remediation -> post-remediation, move the cleaned VM back
Status:
1. Productization target is VMware DVS, AVS, bare metal (Q3 CY16)
   • Quarantine micro-EPG creation
   • Quarantine bad endpoints only
2. INSBU + Security BU validating the scalability of the solution
3. Service graph + remediation EPG (future)
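The feedback loop above works because a micro-segmentation (uSeg) EPG can claim endpoints by IP attribute: the management center posts an EPG whose criterion lists the offending addresses, and the fabric moves those endpoints out of their base EPG without touching the VM. The Python below shows that northbound side: it turns IDS alert lines into the list of endpoints to quarantine, builds the uSeg EPG payload, and contains the login/POST calls to push it. It is an added example and not Cisco or Sourcefire code; the alert line format and the alert lines themselves are constructed, and the tenant PROD, application profile AP1, EPG QUA, bridge domain BD1 and VMM domain DN are assumptions.

```python
"""Closed-loop quarantine: IDS alerts -> APIC uSeg EPG with IP attributes.
Added example, not Cisco/Sourcefire code. Names, the alert format and the
sample alerts are assumptions/constructed data (see lead-in)."""
import ipaddress
import json
import re
import ssl
import urllib.request

# Constructed sample alerts in an assumed key=value format (not real FMC output).
SAMPLE_ALERTS = """\
2017-06-01T10:02:11Z policy=CORP src=10.1.0.234 dst=10.1.0.10 sig="trojan-c2" action=alert
2017-06-01T10:02:13Z policy=CORP src=10.1.0.234 dst=10.1.0.11 sig="trojan-c2" action=alert
2017-06-01T10:02:15Z policy=CORP src=not-an-ip dst=10.1.0.11 sig="garbage" action=alert
2017-06-01T10:03:00Z policy=CORP src=203.0.113.9 dst=10.1.0.11 sig="scan" action=alert
2017-06-01T10:03:20Z policy=CORP src=10.1.0.12 dst=10.1.0.11 sig="scan" action=alert
"""

ALERT_RE = re.compile(r"\bsrc=(?P<src>\S+)")


def offending_ips(alert_text, scope):
    """Unique, valid source IPs that lie inside `scope`, in address order.
    Non-IP garbage and addresses outside the tenant's own scope are ignored,
    so a spoofed or external source can never get a production host
    quarantined by an automated loop."""
    scope_net = ipaddress.ip_network(scope)
    found = set()
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue
        if ip in scope_net:
            found.add(ip)
    return [str(ip) for ip in sorted(found)]


def quarantine_epg(tenant, ap, epg, bd, vmm_dom_dn, ips):
    """fvAEPg with isAttrBasedEPg=yes: endpoints whose IP matches any
    fvIpAttr under the fvCrtrn are pulled out of their base EPG into this
    uSeg EPG. With no contract attached and intra-EPG enforcement on,
    the quarantined endpoints cannot talk to anyone, each other included."""
    return {"fvAEPg": {
        "attributes": {"dn": f"uni/tn-{tenant}/ap-{ap}/epg-{epg}", "name": epg,
                       "isAttrBasedEPg": "yes", "pcEnfPref": "enforced"},
        "children": [
            {"fvRsBd": {"attributes": {"tnFvBDName": bd}}},
            {"fvRsDomAtt": {"attributes": {"tDn": vmm_dom_dn}}},
            {"fvCrtrn": {"attributes": {"name": "default", "match": "any"},
                         "children": [{"fvIpAttr": {"attributes": {
                             "name": f"ip-{ip}", "ip": ip}}} for ip in ips]}},
        ]}}


def quarantined_ips(payload):
    """Read back the IPs captured by a uSeg EPG payload (pre-push verification)."""
    crtrn = next(c["fvCrtrn"] for c in payload["fvAEPg"]["children"] if "fvCrtrn" in c)
    return [a["fvIpAttr"]["attributes"]["ip"] for a in crtrn["children"]]


def apic_login(base_url, user, pwd):
    """POST /api/aaaLogin.json and return the APIC-cookie token. TLS
    verification stays on: a fabric controller is the last place to disable it."""
    body = json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": pwd}}}).encode()
    req = urllib.request.Request(f"{base_url}/api/aaaLogin.json", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as r:
        return json.load(r)["imdata"][0]["aaaLogin"]["attributes"]["token"]


def apic_post(base_url, token, payload):
    """POST a managed object to its own DN on the APIC northbound API."""
    cls = next(iter(payload))
    dn = payload[cls]["attributes"]["dn"]
    req = urllib.request.Request(f"{base_url}/api/mo/{dn}.json",
                                 data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json",
                                          "Cookie": f"APIC-cookie={token}"})
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as r:
        return r.status


if __name__ == "__main__":
    ips = offending_ips(SAMPLE_ALERTS, "10.1.0.0/24")
    payload = quarantine_epg("PROD", "AP1", "QUA", "BD1", "uni/vmmp-VMware/dom-DVS1", ips)
    print(json.dumps(payload, indent=2))
    # Push only once the names above match the fabric:
    # apic_post("https://apic.example.net", apic_login("https://apic.example.net", "fmc-svc", "..."), payload)
```

Two operational points follow from the code rather than the slide. First, the account the management center uses (fmc-svc above is an assumed name) needs write access to the quarantine application profile only; an IDS that can rewrite arbitrary tenants is a bigger risk than the endpoint it is quarantining. Second, an IP-based criterion is only as trustworthy as the IP in the alert, which is why the scope filter exists: an attacker who can get spoofed-source alerts raised would otherwise be able to quarantine hosts at will.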
What’s New in ACI 2.2(1)? Virtualization, Visibility & Monitoring, Operational Flexibility
Policy-Driven Infrastructure
Hardware • Cisco Nexus 93180LC-EX • Standby APIC
Virtualization • AzurePack + Service Chaining • OpenStack – Unified Plugin
Network & Security • Full Netflow • Contract Preferred Groups
Ecosystem • Cisco ACI App Center • Apps: Infoblox, ServiceNow
Nexus 9300-EX Series CloudScale ASICs
• Nexus 93108TC-EX: 48p 1/10GT + 6p 40/100G QSFP
• Nexus 93180YC-EX: 48p 10/25G SFP + 6p 40/100G QSFP
• Nexus 93180LC-EX: 32p QSFP; 32p 40/50G | 24p 40G + 6p 100G* | 28p 40G + 4p 100G* | 18p 100G*
* Hardware readiness; check the software roadmap for enablement timelines
Key Features: dual personality (ACI and NX-OS mode); industry's first native 25G-capable switch; flexible port configurations (1/10/25/40/50/100G); up to 40 MB shared buffer; flow table (Tetration support); FEX support
Key Benefits: better understanding of network flows; flexible network upgrades using multi-speed ports; IP-storage-optimized buffering
ACI Mode (Nexus 93180LC-EX Port Configuration) – Available now!
Option 1 – 24p 40/50G & 6p 100G (40G leaf). Shipping! Port configuration supported:
• Ports 1–24 support 40/50G; ports 25, 27, 28–32 are 100G uplinks
• Ports 1–24 support QSA with 10G optics at FCS
• Up to 48p 10G with 4x10G breakout will be supported on ports 1, 3, 5, … 23 in a future release
Option 2 – Up to 12p 100G host ports & 6p 100G uplinks. Shipping! Port configuration supported:
• Ports 1, 3, 5, … 23 are 100G capable (the corresponding ports 2, 4, 6, … 24 are shut down if a 100G transceiver is plugged in)
• Ports 25, 27, 28–32 are uplinks
Ø 1.8 Tbps bandwidth
Ø Template support planned for a future release
Ø Redundant 1+1 AC/DC power supplies and N+1 fan modules
Ø FEX support
[Figure: front panel layout, 24p 40/50G host ports plus 6p 100G uplinks]
ACI 2.2: Infrastructure Innovations
[Figure, four panels: Nexus 9332PQ 40G to 4x10G breakout; FCoE NPV with a FEX behind an '-EX' leaf (host CNA, virtual fabrics VF); active/standby L2 switches dual-homed to leaves; QinQ with the dot1q tag preserved through leaf and spine]
• Operational flexibility: 40G to 4x10G breakout on the Nexus 9332PQ
• FCoE NPV and FEX for '-EX' switches: a single fabric for LAN and SAN connectivity
• HSRP on L3 sub-interfaces (IPv4/IPv6): redundancy options to connect legacy networks (active/standby L2 switches)
• QinQ support on Nexus '-EX' switches: the dot1q tag (e.g. MAC, VLAN 10 data) is preserved across the fabric; additional services flexibility
ACI 2.2: Introducing Cisco ACI App Center
https://aciappcenter.cisco.com/
Application categories: Cloud Apps, Troubleshooting Apps, Security Apps, Networking Apps, Monitoring Apps, Optimization Apps
App Center Apps – Programmable Infrastructure: Open APIs for Value-Added Applications
Sample apps
• Infoblox: sync configuration between ACI & the Infoblox appliance; simplify IP address management
• ServiceNow: push ACI logical topology constructs to ServiceNow; automated service management
Ecosystem
• AlgoSec: path analysis, connectivity and compliance; get your fabric a score on security and compliance
• Splunk: Splunk connector for centralized monitoring; gain real-time visibility centrally across your ACI deployments
What's New in ACI 2.2(2)? Virtualization, Visibility & Monitoring, Operational Flexibility
Policy-Driven Infrastructure
Hardware
• Cisco Nexus 93180YC-FX (48p 10/25G fiber switch)
• Cisco Nexus 93108TC-FX (48p 1/10G copper switch)
• 100G on front panel ports for N9K-C93180LC-EX
Virtualization
• vSphere 6.5 support: AVS, DVS, vSphere Plugin, vRealize
Network & Security
• Contracts applied to directly connected subnets on an L3Out
• Inter/intra-tenant VRF leaking for L3Out-to-L3Out communication
• BGP timers per L3Out
• Multiple BGP communities per route prefix
Nexus 9300-FX Series CloudScale ASICs (shipping)
• Nexus 93108TC-FX: 48p 1/10GT + 6p 40/100G QSFP
• Nexus 93180YC-FX: 48p 10/25G SFP + 6p 40/100G QSFP
* Hardware readiness; check the software roadmap for enablement timelines
Key Features: dual personality (ACI and NX-OS mode); flexible port configurations (1/10/25/40/50/100G); line-rate encryption on all ports*; 32G FC support on all SFP ports*; 25G distances beyond 3 m (RS-FEC); large router ACL table; flow table (Tetration); FEX support
Key Benefits: support for Nexus 5K FC designs (transition platform); link security against fiber taps (via the line-rate encryption)
ACI 2.2: Infrastructure Scale – Increased Scale and Performance
• FEX: up to 200 per fabric, up to 18 per leaf
• Leaves: up to 200 per fabric, up to 300 across multiple fabrics
• Multicast groups: up to 8,000
• Bridge domains: up to 21,000 (L2), up to 15,000 (L3)
• EPGs: up to 15,000; max 500 per tenant; 200 InstP (external) EPGs per L3Out
• Tenants: up to 3,000
• General: up to 5 APICs; up to 200 vCenters; up to 2,000 contracts; up to 60k TCAM rules; 400 VRFs per tenant (2.2(2e))
Windows 2016 support
• Microsoft has announced updates to its existing product line: Windows Server 2016 and System Center 2016
• The Danube (2.2) release officially supports ACI integration with Windows Server 2016 and System Center Virtual Machine Manager 2016
• Operationally there is no change to ACI usability compared with Windows Server 2012
Others
• Nano Server is not currently supported. Windows Server 2016 introduced a new Nano Server SKU, a very small-footprint version of Windows Server 2016; it is not currently supported.
• VXLAN is not currently supported. System Center 2016 introduced a new Network Controller to enable VXLAN encapsulation; it is not currently supported.
• Ensure that the Hyper-V PowerShell management modules are installed on the Hyper-V 2016 servers. If they are not, the Cisco ACI Hyper-V integration will not function correctly.
• If SCVMM is clustered, ensure that the SCVMM 2016 HA pair is in a normal state. Otherwise fix the SCVMM cluster first, forwarding questions to Microsoft support.