Cisco Confidential© 2015 Cisco and/or its affiliates. All rights reserved. 1

ACI Operations &SikkerhedMikkel Brodersen & Michael PetersenSystem Engineers, Cisco Danmark

14 April 2016

Cisco Confidential 2© 2015 Cisco and/or its affiliates. All rights reserved.

Mikkel Brodersen & Michael Petersen

ACI Operations &SikkerhedSystem Engineers, Cisco Danmark

14 April 2016

Cisco Confidential 3© 2015 Cisco and/or its affiliates. All rights reserved.

ACI Status

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4

Status på ACI i Danmark• 11 installationer i produktion

Fuld Enterprise Cloud Suite løsning hos KMD – tidligere breakout sessionACI installation nr. 1000 hos Danske Bankhttp://blogs.cisco.com/news/danske-bank-our-1000th-cisco-aci-customer

• 100+ kunder og partnere trænetACI Test Drive - 2 dageTræningspartner kurser 2-5 dageKundetræning

• 10+ projekter undervejsHandelOffentlige datacentreKommuner

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5

• Service udbydere / Hosting firmaer

Hurtig aktivering af ny kundeSikker og ensartet definition afinfrastrukturForlængelse af eksisterende datacenter netværk med policy kontrol

• Offentlige DatacentreTidsbesparende administrationNye applikationsmiljøerHurtig SLA respons

• Udviklingshuse / Applikationshosting

Testmiljøer etableres hurtigt og sikkertKan fjernes igen uden problemerKan simpelt ændres til produktionsmiljø

• Financielle kunderNye applikationsmiljøerHurtig SLA responsSikker aktivering af applikationer

Typiske installationer

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 6

Hvor lang tid tager det ?

• Planlægning er nøglen – 90% planlægning, 10% implementation

• Identifikation af nytteområder(applikationer, automatisering, tidskrævende processer, fejlfri installationer)

• Lærekurven er stejl – træning inden planlægning og implementation er vigtig

• Scripting bliver vigtigt – teknikker og sprog skal læres, men er universelt anvendeligt

• Scripting erfaring findes ofte i huset hos server og applikationsgrupper

• Scripting giver meget hurtig implementation, efter kundekrav er identificeret ogmappet korrekt

…… men man kan også køre et fuldt ACI miljø fra GUI’en – og her er mange muligheder!

To uger!

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7

Existing Cisco Nexus 9000 Portfolio10/40G Optimized, Over 6000 Customers

36p wire rate100G 56p 40G + 8p 40/100G72p 40G 48p 10/25G SFP & 4p 100G/ 6p 40G

48p 10/25G SFP & 6p 100G 48p 10GT & 6p 100G

Nexus 9300EX

Nexus 9200

Industry First

Industry First

Industry First

Nexus 9000 Portfolio Extension1/10/25/40/50/100G

48p 10G & 4p 40GVXLAN routing option

36p 40G ACI32p 40G NX-OS

Nexus 9300

Nexus 9504 Nexus 9508 Nexus 9516

Nexus 9500

N9300 & N9500 – Same Hardware for NX-OS and ACI

36p 40/100G ACI & NX-OS

Existing ChassisDelivering on Investment Protection

Promise48p 10G & 6p 40G96p 10G & 6p 40G32p 40G

NX-OSOnly

NEW!

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8

DeploymentBuilding an Initially Small ACI POD

WAN - Core

The end goal is to migrate endpoints and network services to the ACI fabric

Brownfield Network Greenfield ACI Fabric

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9

IntegrationConnecting Brownfield and Greenfield Networks

WAN - Core

First step: creating a L2 connectivity path

L2 Trunk

L2

L3 Back-to-back vPC for avoiding L2 loops

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10

Endpoints IntegrationUse Case 1: VLAN == BD == EPG

WAN - Core

L2

L3

VLAN 10

VLAN 10

VLAN 20 VLAN 20

Map VLAN10/EPG1 and VLAN20/EPG2

EPG1App1 Web10.10.10.10

App1 Web10.10.10.11

EPG2App1 Web10.20.20.10

App1 Web10.20.20.11

BDWeb1

BDWeb2

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11

Endpoints IntegrationUse Case 2: Single VLAN to Different EPGs

WAN - Core

L2

L3

VLAN 10 VLAN 10 VLAN 10 VLAN 10

Map VLAN10 to EPG-Outside

VLAN 10

EPG1BD

Web

App1 Web10.10.10.10 C

C

App1 Web10.10.10.10

App1 Web10.10.10.11

App1 Web10.10.10.20

App1 Web10.10.10.21 EPG2

Communication secured by ACI policy

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12

Default Gateway ConsiderationsExisting Design

HSRPDefault GW

Subnet 1 = VLAN 10

PP PP VMVM VMVM VMVM

ACI Fabric

Subnet 1 = EPG1

PP VMVM

L2 Bridging

Default Gateway up to this point is still deployed in the Brownfield network

ACI initially provides only L2 connectivity services

L2 path between the two networks leveraged by migrated endpoints to reach the default gateway

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13

MigrationRouting between Brownfield and Greenfield

Existing Design

HSRPDefault GW

IP Subnet 2 = VLAN 30

PP PPVMVM VMVM VMVM

ACI Fabric

IP Subnet 1 = EPG1

PPVMVM VMVM

PPVMVM

L3 Routing

Routing between Brownfield and Greenfield may still be required• Handling communication to IP subnets that remain only on Brownfield (default

gateway remains on aggregation devices)• Handling communication with the WAN

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14

MigrationRouting between Brownfield and Greenfield

WAN - Core

L2

L3

L3 Links

EPG1 10.10.10.11

VLAN 30

10.30.30.10

Default Gateway for VLAN 30

VLAN 30 NOT carried on the vPC connection

L2

L3

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 15

ACI Multi-Fabric Design OptionsSingle APIC Cluster/Single Domain Multiple APIC Clusters/Multiple Domains

Site 1 Site 2ACI Fabric

Stretched Fabric

ACI Fabric 2ACI Fabric 1

Dual-Fabric Connected (L2 and L3 Extension)

DB Web AppL2/L3

POD ‘A’ POD ‘B’

Web/AppDB Web/AppAPIC Cluster

MP-BGP - EVPNMP-BGP - EVPN

Multi-POD

IP NetworkSite ‘A’ Site ‘B’

MP-BGP - EVPNMP-BGP - EVPN

WebDB App

Multi-Site (Future)

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 16

ACI Multi-POD Solution Topologies

POD 1 POD n

Web/AppDB Web/AppAPIC Cluster

…

Intra-DC Two DC sites connected back2back

POD 1 POD 2

Web/AppDB Web/AppAPIC Cluster

Dark fiber/DWDM (up to 10 msec RTT)

POD 1 POD 2

POD 3

3 DC Sites

Dark fiber/DWDM (up to 10 msec RTT)

L3

40G/100G 40G/100G

10G/40G/100G40G/100G 40G/100G

40G/100G 40G/100G

40G/100G

10G/40G/100G

40G/100G

40G/100G

40G/100G

40G/100G

Multiple sites interconnected by a generic

L3 network

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 17

ACI Integration with WAN at ScaleOverview

Web/AppDB

WANWAN

MP-BGP EVPN

VRF-1 VRF-2

L3Outwith VRF-lite

WAN connection at ACI spine

VXLAN data plane between ACI spine and WAN Routers

BGP-EVPN control plane between ACI spine and WAN routers

OpFlex for exchanging config parameters (VRF names, BGP Route-Targets, etc.)

Address both control plane and data plane scale

Consistent policy for WAN traffic at ACI leaf (both ingress and egress directions)

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 18

Web/AppDB

Web/AppDB

Single APIC Domain

Web/App

. . .

Multiple PODs

IPN

WAN routes received on the POD spines as EVPN routes and translated

to VPNv4/VPNv6 routes with the spine proxy TEP as Next-Hop

WAN Devices

MP-BGP EVPN Control Plane

WAN

Public BD subnets advertised to WAN devices with the external spine-proxy TEP as Next-Hop

Single APIC Domain

Host routes for endpoint belonging to public BD subnets

Multi-POD and WANIntra-DC Deployment – Control Plane

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 19

Web/AppDB

Web/AppDB

IPN

Single APIC Domain

MP-BGP EVPN Control PlaneMP-BGP EVPN Control Plane

POD ‘A’ POD ‘B’

Host routes for endpoint belonging to public BD subnets in

POD ‘A’

Host routes for endpoint belonging to public BD subnets in

POD ‘B’

WAN devices inject host routes into the WAN or register them in

the LISP database

Multi-POD and WANMulti-DC Deployment – Control Plane

Cisco Confidential© 2015 Cisco and/or its affiliates. All rights reserved. 20

ACI – Lessons LearnedMichael PetersenSystems Engineer, CCIE #39836

Cisco Connect 2016

Cisco Confidential© 2015 Cisco and/or its affiliates. All rights reserved. 21

Agenda• Lessons Learned (Operations, VMM-integration)• Security (Build-in, Contracts)• Demo• Summary, Q&A

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 22

Programmable NetworkProgrammable FabricApplication Centric Infrastructure

Integrated stack Or

A-la-carte Automation

Streamlined Workflow Management

Modern NX-OS with enhanced NX-APIs

DevOps toolset used for Network Management(Puppet, Chef, Ansible etc.)

Customer Script based Operations and Workflows

Turnkey integrated solution with security,centralized management, compliance and scale

Automated application centric-policy model with embedded security

Broad and deep ecosystem

Your next DC Fabric - Turnkey or DIY solution?

FaultFault

AccountingAccounting

PerformancePerformance

SecuritySecurity

ConfigurationConfiguration

External ToolsIntegrated

Tools

VTSCreation Expansion

Fault MgmtReporting

Connection

External Tools

Integrated Tools

Building your fabric – How to get started?

APICAPIC

APIC

Layer 2 vPC to existing network

Layer 2 vPC to existing network

Layer 3 (OSPF etc) to existing network

Layer 3 (OSPF etc) to existing network

Connect new workloads to the ACI fabric and

route out

Connect new workloads to the ACI fabric and

route out

Separate “border leafs” shown for clarity

Separate “border leafs” shown for clarity

vDS-02vDS-01vDS-01

Separate “border leafs” shown for clarity

Separate “border leafs” shown for clarity

Cisco Confidential© 2015 Cisco and/or its affiliates. All rights reserved. 24

VMM-Integration

Hypervisor Interaction with ACITwo modes of Operation

• ACI Fabric as an IP-Ethernet Transport

• Encapsulations manually allocated• Separate Policy domains for Physical

and Virtual

VLAN 10 VLAN 10 VXLAN 10000

Non-Integrated Mode

• ACI Fabric as a Policy Authority• Encapsulations Normalized and

dynamically provisioned• Integrated Policy domains across

Physical and Virtual

APP WEB DB

Integrated Mode

DB

vCenter vDS SCVMM

Relationship is formed between APIC and Virtual Machine Manager (VMM)

Multiple VMMs likely on a single ACI Fabric

Each VMM and associated Virtual hosts are grouped within APIC

Called VMM Domain

There is 1:1 relationship between a Virtual Switch and VMM Domain

VMM Domain 1

Hypervisor Integration with ACIControl Channel - VMM Domains

vCenter AVS

VMM Domain 2 VMM Domain 3

Cisco Confidential© 2015 Cisco and/or its affiliates. All rights reserved. 27

Build-in Security (Contracts)

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 28

Cisco ACI SecurityAutomated Security with Built-in Multi-tenancy

Distributed stateless firewall

Line-rate security enforcement

Open: Integrate any security device

PCI and FIPS (new)

Embedded Security

• Whitelist firewall policy model• Authenticated northbound API

(X.509)• Encrypted management plane

(TLS 1.2)

Microsegmentation

• vDS, Hyper-V, and bare-metal workloads (new)

• Intra-EPG isolation (new)• Attribute-based isolation and

quarantine

Security Automation

• Dynamic service insertion and chaining

• Security policy follows workloads• Centralized security provisioning and

visibility

Cisco ACI™Services Graph

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 29

Segmentation for Physical and Virtual WorkloadsMicrosoft Hyper-V, VMware vDS, and Physical Workloads

Cisco ACI™ Policy Segmentation Today

IntragroupWorkload Isolation (New)

Basic Data Center Segmentation

Web

App

DB

ProdPod DMZ

Shared Services

VLAN 1 VXLAN 2

VLAN 3

Network-Centric Segmentation

Service-Level Segmentation

Web-Tier EPG

• Isolate virtual machines• Isolate bare-metal workloads

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 30

Michael Petersen, Systems Engineer

Demo

Summary. Questions?

Thank you.