integration of hypervisors aci...

Integration of Hypervisors and L4-7 Services into an

ACI FabricAzeem Suleman, Principal Engineer, Insieme Business Unit

Agenda

• Introduction to ACI

• Review of ACI Policy Model

• Hypervisor Integration

• Layer 4-7 Services Integration

• Conclusion

Introduction to ACI

ACI Fabric

Scale-Out Penalty Free Overlay

App DBWeb

Outside

(Tenant VRF)

QoS

Filter

QoS

Service

QoS

Filter

Application Policy

Infrastructure

Controller

APIC

Cisco ACILogical Network Provisioning of Stateless Hardware

Service Producers EPG “Users”EPG “Files”

Leaf Nodes

Spine Nodes

EPG “Internet”

AVS

Service Consumers

ACI Nomenclature

Review of the ACI Policy Model

Bridge Domain (BD)

• Unique layer 2 (L2) or layer 3 (L3) forwarding domain

• Can contain one or more subnets (if unicast routing is enabled)

• Each bridge domain must be linked to a context (VRF)

Equivalent Network Construct:

• If a BD is configured as L2 forwarding domain

• It will have one or more associated VLANs

• Each VLAN will be equal to EPG

• If a BD is configured as L3 forwarding domain

• This is equivalent to a SVI with one or more subnets per BD

NOTE: BD can span across multiple switches

Object Relationship

Tenant

Context

BD

Subnet A

Subnet B

BD

Subnet C

Context

BD

Subnet B

Subnet C

End Point Group (EPG)

• Set of host(s) that behave the same

• Behavior describes as all host(s) representing application or application components independent of other network constructs

HTTPS

Service

HTTPS

Service

HTTPS

Service

HTTPS

Service

HTTP

Service

HTTP

Service

HTTP

Service

HTTP

Service

EPG - Web

POLICY MODEL

Application Network Profile (ANP)

• Application Network Profile(s) are group of EPGs and the policies that define the communication between them

Inbound/Outbound

PoliciesInbound/Outbound

Policies

Application Network Profile

POLICY

MODEL

=

EPG - WEB EPG - APP EPG - DB

Integration with Multiple Hypervisors

Hypervisor Integration Agenda

• Hypervisor Integration Overview

• VMware vCenter Integration

• Microsoft SCVMM & Azure Pack Integration

• OpenStack Integration

Hypervisor Interaction with ACITwo Modes of Operation

• ACI Fabric as an IP-Ethernet Transport

• Encapsulations manually allocated

• Separate Policy domains for Physical and Virtual

VLAN 10 VLAN 10 VXLAN 10000

Non-Integrated Mode

• ACI Fabric as a Policy Authority

• Encapsulations Normalised and dynamically provisioned

• Integrated Policy domains across Physical and Virtual

APP WEB DB

Integrated Mode

DB

vCenter DVS SCVMM

Relationship is formed between APIC and Virtual Machine Manager (VMM)

Multiple VMMs likely on a single ACI Fabric

Each VMM and associated Virtual hosts are grouped within APIC

Called VMM Domain

There is 1:1 relationship between a Virtual Switch and VMM DomainVMM Domain 1

Hypervisor Integration with ACIControl Channel - VMM Domains

vCenter AVS

VMM Domain 2 VMM Domain 3

Hypervisor Integration Agenda

• Hypervisor Integration Overview

• VMware vCenter Integration

• Microsoft SCVMM & Azure Pack Integration

• OpenStack Integration

VMware IntegrationThree Different Options

+

Distributed Virtual Switch

(DVS)vCenter + vShield

Application Virtual Switch

(AVS)

• Encapsulations: VLAN

• Installation: Native

• VM discovery: LLDP

• Software/Licenses: vCenter with Enterprise+ License

• Encapsulations: VLAN, VXLAN

• Installation: Native

• VM discovery: LLDP

• Software/Licenses: vCenter with Enterprise+ License, vShield Manager with vShield License

• Encapsulations: VLAN, VXLAN

• Installation: VIB through VUM or Console

• VM discovery: OpFlex

• Software/Licenses: vCenter with Enterprise+ License

ACI Basics: APIC EPG to vSphere Port Group

Port Group – Web

VXLAN 5001

Port Group – App

VXLAN 5002

Port Group – DB

VXLAN 5003

Virtual Distributed Switch EPG Web

Policy

EPG App

Policy

EPG DB

APIC

ACI Hypervisor Integration – VMware

Hypervisor Integration with ACIEndpoint Discovery

DVS Host

APIC

VMM

Control

(vCenter API)

Data Path

LLDP

Virtual Endpoints are discovered for reachability & policy purposes via 2 methods:

Control Plane Learning:

- Out-of-Band Handshake: vCenter APIs

- Inband Handshake: OpFlex-enabled Host (AVS, Hyper-V, etc.)

Data Path Learning: Distributed switch learning

LLDP used to resolve Virtual host ID to attached port on leaf node (non-OpFlex Hosts)

OpFlex

Host

Control

(OpFlex)

Data Path

APIC Admin

VI/Server Admin Instantiate VMs,

Assign to Port Groups

L/B

EPG

APPEPG DB

F/W

EPG

WEB

Application Network Profile

Create Application Policy

WebWebWeb App

HYPERVISOR HYPERVISOR

VIRTUAL DISTRIBUTED SWITCH

WEB PORT GROUP APP PORT GROUP DB PORT GROUP

vCenter

Server / vShield

8

5

1

9ACI

Fabric

Automatically Map

EPG To Port Groups

Push Policy

Create VDS2

Cisco APIC and

VMware vCenter Initial

Handshake

6

DB DB

7Create Port

Groups

ACI Hypervisor Integration – VMware DVS/vShield

APIC

3

Attach Hypervisor

to VDS

4Learn location of ESX

Host through LLDP

Southbound

OpFlex API

VMVM VM VM

N1KV VEM

vSphere

Hypervisor Manager

OpFlex Control protocol

- Control channel

- VM attach/detach, link state notifications

VEM extension to the fabric

vSphere 5.0 and above

BPDU Filter/BPDU Guard

SPAN/ERSPAN

Port level stats collection

Application Virtual Switch (AVS)Integration Overview

APIC Admin

VI/Server Admin Instantiate VMs,

Assign to Port Groups

L/B

EPG

APP

EPG

DBF/W

EPG

WEB

Application Network Profile

Create Application Policy

WebWebWeb App

HYPERVISOR HYPERVISOR

Application Virtual Switch (AVS)

WEB PORT GROUP APP PORT GROUP DB PORT GROUP

vCenter

Server

8

5

1

9ACI

Fabric

Automatically Map

EPG To Port Groups

Push Policy

Create AVS

VDS2

Cisco APIC and

VMware vCenter Initial

Handshake

6

DB DB

7Create Port

Groups

ACI Hypervisor Integration – AVS

APIC

3

Attach Hypervisor

to VDS

4Learn location of ESX

Host through OpFlex

OpFlex Agent OpFlex Agent

ACI Hypervisor Integration – VMware AVS

Name of VMM Domain

Type of vSwitch (DVS or AVS)

Associated Attachable Entity Profile (AEP)

VXLAN Pool

vCenter Administrator Credentials

vCenter server information

Switching mode (FEX or Normal)

Multicast Pool

Micro-segmentation: VM Attribute based Grouping

VM Attribute

Guest OS

VM Name

VM (id)

VNIC (id)

DVS

DVS Port-group

Data centre

MAC

IP Address Prefix

• Flexible Attribute based Grouping for VMs

• Enables Micro-Segmentation based on VM attributes

• Supported on vSphere with AVS

EPG: VM name contains “web”

Hypervisor Integration Agenda

• Hypervisor Integration Overview

• VMWare vCenter Integration

• Microsoft SCVMM & Azure Pack Integration

• OpenStack Integration

Microsoft Interaction with ACITwo modes of Operation

• Policy Management: Through APIC

• Software / License: Windows Server with HyperV, SCVMM

• VM Discovery: OpFlex

• Encapsulations: VLAN

• Plugin Installation: Manual

Integration with SCVMM

APIC

Integration with Azure Pack

APIC

• Superset of SCVMM

• Policy Management: Through APIC or through Azure Pack

• Software / License: Windows Server with HyperV, SCVMM, Azure Pack (free)

• VM Discovery: OpFlex

• Encapsulations: VLAN

• Plugin Installation: Integrated

+

APIC Admin

(Basic Infrastructure)

Azure Pack Tenant

3

6

ACI

Fabric

Push Network

Profiles to APIC

Pull Policy on leaf

where EP attaches

Indicate EP Attach to attached leaf

when VM starts

1

2

HYPERVISOR HYPERVISOR HYPERVISOR

ACI Azure Pack Integration

APIC

Get VLANs allocated

for each EPG

Create Application

Policy

7

Azure Pack \ SPF

SCVMM PluginAPIC Plugin OpFlex Agent OpFlex Agent OpFlex Agent

Instantiate VMs

5

1

4Create VM Networks

4

Web WebWebWeb AppApp DB DB

Summary

• Micro-segmentation in Microsoft Hyper-V

• Static IP pool automation through SCVMM and Azure Pack

• SCVMM integration

• WAP integration

• Multiple BDs in the same VRF (for WAP virtual private plan)

• Layer3 out in the user tenant (for WAP virtual private plan)

Hypervisor Integration Agenda

• Hypervisor Integration Overview

• VMWare vCenter Integration

• Microsoft SCVMM & Azure Pack Integration

• OpenStack Integration

Initial Focus on Networking

(Neutron)

OpenStack Components

(Neutron)

Tenant

Network Security Group

Security Group

Rule

Network:

externalRouter

PortSubnet

Core APIL3 + External

Net Extension

Sec Grp

Extension

OpenStack Neutron Networking Model

Tenant

Bridge DomainContext

(VRF)

Subject

App ProfileOutside

Network

Subnet

Endpoint Group

Contract

Cisco ACI Model

OpenStack Driver Options

Neutron API and Modular Layer 2 (ML2) Group-Based Policy

RouterSecurity

GroupNetwork

OpenStack Controller

APIC ML2

Plug-in performs conversion from Neutron toCisco® APIC policy model

Group-based policy native drivers interfaces directly with APIC policy model

Rule SetPolicy

Group

Policy

Group

OpenStack Controller

GBP APIC Driver

ADCFW

Group-Based Policy

OpFlex Extends Cisco ACI to Hypervisor

Pre-OpFlex Implementation

Native Neutron approach using OVS agent

OpenStack Controller

APIC Driver OVS Driver

Hypervisor Open vSwitch OVS Agent

Project 1 Project 2 Project 3

vm1

vm2

vm3

vm4vm5

VLAN

• VLAN per network

and group to ToR

• VXLAN within

Cisco ACI™

• Physical domain in

Cisco ACI

• No Cisco® APIC

GUI integration

• Supports unmodified

OVS and OVS agent

OpFlex and OVS

OpFlex agent directly manages OVS and integrates with APIC

• VLAN or VXLAN per

network and policy group

to ToR

• OpFlex proxy runs in leaf,

and OpFlex agent

manages OVS

• Hypervisor-local traffic has

policy and switching,

routing handled locally

• VMM domain and GUI

integration with APIC

• Distributed support for NAT,

metadata server proxies,

and DHCP

OpenStack Controller

APIC Driver

Hypervisor Open vSwitch OVS Agent

Project 1 Project 2 Project 3

vm1

vm2

vm3

vm4vm5

VXLAN and VLAN

OpFlex

Proxy

Summary: OpenStack

• Multiple OpenStack driver options:

‐ Cisco® APIC native group-based policy

‐ Neutron ML2

• Operations, troubleshooting, and visibility for physical and virtual

‐ Endpoint statistics, health, and faults in APIC

• Hypervisor local enforcement security policies

‐ Security groups (ML2 driver) through IP address tables

‐ Group-based policies through OpenFlow in Open vSwitch

• Distributed NAT support on each computing node

‐ Floating IP address

‐ Source NAT (sNAT) (through hypervisor host IP address)

• Distributed Neutron services per computing node

‐ Layer 3 and anycast gateway, metadata, and Dynamic Host

Configuration Protocol (DHCP)

• Multiple Virtual Routing and Forwarding (VRF) instance support

• Support for VLAN and VXLAN to Cisco ACI™ fabric

• Solution high availability: Support for virtual port channel *vPC) and

multiple APICs

OpenStack Controller

APIC Driver

Hypervisor Open vSwitch OpFlex Agent

Project 1 Project 2 Project 3

vm1

vm2

vm3

vm4vm5

VXLAN and VLAN

OpFlex

Proxy

Layer 4-7 Services Integration

Challenges with Network Service Insertion

Service Insertion In traditional Networks

Router

Router

Switch

LB

FW

Configure firewall network parameters

Configure Network to insert Firewall

Configure firewall rules as required by the application

Configure Router to steer traffic to/from Load Balancer

Configure Load Balancer Network Parameters

Configure Load Balancer as required by the application

vFW

servers

Service insertion takes days

Network configuration is time consuming and error prone

Difficult to track configuration on services

• No integration (same as today)

• Unmanaged (network-only automation)

• Managed (full automation)

L4-7 Integration Options

Network Service Insertion

WEBEXTERNAL Consumes Web Contract

HTTP: Accept, Service Graph

FWLB

Contract provides a mechanism to add Network Services through associating a Service Graph

APIC configures network service functions on devices like firewall, Load Balancers through a device packages

Consumer Provider

A Service Graph identifies a set of network service functions required by an application

A device package can be uploaded on APIC at run time

Adding new network service support through device package does not require APIC reboot

Provides

• By using the Service graph you can

• install a service, such as a firewall once and

• deploy it multiple times in different logical topologies

• The benefits of the service graph are:

• a configuration template that can be reused multiple times

• Automatic management of VLAN assignments

• collecting Health scores from the device

• collecting statistics from the device

• updating ACLs and Pools automatically with endpoint discovery

The Advantages of the Service Graph

Layer 4-7 Services Integration

Do I really need a Service graph?

Without Service Graph

Network admin:

• configures the ports, VLANs to connect the FW or the LB

• FW admin day 0: configures ports and VLANs

• FW admin day 1: configures ACLs and so on

• The three configurations are spread over multiple phases / days

With Service Graph

ACI admin:

• configures the ports, VLANs to connect the FW or the LB

• FW admin day 0: configures ports and VLANs

• FW admin day 1: configures ACLs and so on

• All configurations are performed in a single step.

A Different Operational Models

APIC

Configurations with Service Graph

• All configurations performed in a single operation:

• Fabric configuration: Bridge Domains, VLANs, Routing, EPGs

• Firewall configuration: VLANs, Interfaces

• ACLs

Network-only Stitching

With Network-only Stitching ACI Only Configures the Fabric Not the L4L7 Device

Create Tenants, VRF BD EPG

Associate vNIC or physical port

Create contracts

Device Not managed by ACI

Network Stitching - unmanaged L4 L7 Device

Uncheck “Managed”

Fill in the info

• Name: Concrete Device Name

• Service Type: Firewall, ADC, IPS etc

• Device Type: Physical or Virtual

• Domain

• Mode

• Some customer have requirements that APIC only completes network automation for service devices. (For example, customer have existing orchestrator or tool for configuring L4-L7 service appliances or a device package is not available for L4-L7 device)

• Network only switching feature adds the flexibility for customer to use only network automation for service appliance. The configuration of the L4-L7 device is completed by L4- L7 admin so a Device Package is not required.

Network Only Stitching

2: configure L4-L7 service appliance

1: configure ACI Fabric for

L4-L7 service appliance

L4-L7 Admin

Service Graph APIC-to-L4 L7 communication Device Package

APIC Talks to the L4 L7 Device

API

API

No Requirements for New Protocols

L4L7 Device language

APIC Requires a Device Package Device Package

Configuration Model (XML File)

Python Scripts

Configuration Model

Device Interface: REST/CLI

APIC Script Interface

Python Scripts

Script Engine

APIC – Policy Manager

Service Devices

• Service functions are added to APIC through device package

• Device Package contains a device model and device python scripts

• Device Model defines Service Function and Configuration

• Device scripts translates APIC API callouts to device specific callouts

• Script can interface with the device using REST, SSH or any mechanism

Device Package Example

Following functions can be configured through APIC

Device Information Extracted Out of Device Package

Vendor Info, Software Version Info and Model Info of Service Device

Info on how many interfaces types the appliance has (Inside, Outside and Mgmt for e.g.)

Functions (Or Services) provided by the Service DeviceSLB, SSL, Responder

Only Configuration needed on the L4L7 Device is Management Access

Enable SSH

Enable HTTP access

Configure Credentials

Terminology:

The Guiding Principle of Service Graph is

• to Connect “functions” not Boxes.

• E.g. a Load Balancer can provide various functions:

• Load balancing

• SSL offloading etc…

• This may be academic, but this is the abstraction that ACI provides

Key Concepts in Service Insertion

• Concrete Device: it represents a service device, e.g. one load balancer, or one firewall

• Logical Device: represents a cluster of 2 devices that operate in active/standby mode for instance.

• Service Graph: defines a sequence of “functions” connected: e.g. a firewall from Checkpoint followed by a load balancing from “F5”.

• Logical Device Context: specifies upon which criteria a specific device in the inventory should be used to render a service graph

• Device Package:

• defines things such as how to label “connectors” for a function, and how to translate “names” from ACI to the specific device.

• E.g. a load balancer “function” has predefined connectors called:• “external”

• “internal”

• “management”.

ACI Service Graph Definitions

Terminal Terminal

Permit ip tcp * dest-ip <vip> dest-port 80Deny ip udp *

Virtual-ip <vip>Port 80 Lb-aglorithm: round-robin

Ipaddress <vip> port 80

Connectors (VLANs)

Consumer ProviderFunction Firewall

Function SSL offload

Function Load Balancer

Service Graph: “web-application”

Connectors (VLANs)

“L4L7 Parameters”

ACI Rendering a Service Graph

Co

nn

ecto

rs (

VLA

Ns)

Function Firewall

Function SSL offload

Function Load Balancer

Co

nn

ecto

rs (

VLA

Ns)

EPG outside EPG web

Contract webtoapp

• “Generic” representation of the expected traffic flow

• Defines

• Connection Points (connections and terminals)

• Nodes

L4-L7 Service Graph Template

• The Service Graph Template defines the sequence of nodes/functions

• Example Load Balancer or Load Balancer followed by a Firewall

The Service Graph Template

Templates Must be “Applied” For it to Be “Rendered”

• Concrete Device: it represents a service device, e.g. one load balancer, or one firewall. Can be physical or virtual

• Logical Device: represents a cluster of 2 devices that operate in active/standby mode for instance.

Concrete and Logical Devices

SLB

Service Graph Function Node

Concrete Device Concrete Device

Logical Device

• Selects the right device cluster and interfaces based on selectors:

• Service Graph Template Name

• Contract Name

• Node Name

Device Selection Policies (or Logical Device Context)

Function Firewall

Function Load Balancer

Graph Template

Logical Devices

Rendered/deployed Graph

EPG outside EPG web

Contract

Deployed Graph Instances

L4 L7 Parameters

L4 L7 Parameters

API

L4L7 Device language

externaif IP Address

L4L7 Parameters

L4 L7 Parameters Function ProfileEntering the L4L7 parameters is tedious and error proneThe Function Profile solves this problem

Each Function Profile is a collection of L4 L7 parameters

Deployment Steps and Data Plane Considerations

• Preparation:• Create the necessary Physical and Virtual Domains

• Configure the Basic Management access on the L4L7 Device

• Import Device Package

• Create the necessary Bridge Domains/ VRFs

• Create EPGs and Contracts

• Configure Logical and Concrete Device

• Create or import a function profile

• Create a Graph Template (and use a function profile)

OR

• Create a Graph Template and enter L4 L7 parameters by hand

• Deploy the Graph Template• Create the Device Selection Policy

• Associate to a contract

Service Insertion Deployment Steps

Basics of ACI ForwardingHow to Create a L2 Domain?

• Create a Bridge Domain

• Keep Unicast Routing Enabled

• Associate the Bridge Domain with a VRF

• The association with the VRF is because of the object model

• The hardware won’t program any VRF if the Bridge Domain is configured only as L2

Bridge Domain 1

VRF

Bridge Domain 2

Bridge Domain 1 Bridge Domain 2

Consumer Side Provider Side

You Still Need to Create Bridge Domains and VRFs

VRF / Object model Relation

BD1 BD2

ACI Create Tenant, VRF, BD and EPG

• Goto: the L4L7 is the default gateway for the servers

• Gothrough: the L4L7 is just a transparent/L2 device, the next-hop or the outside BD provides the default gateway

• One-arm: the BD of the servers is the default gateway

Three Main Deployment Modes

Except for One-arm Mode you Need to Start with Two Bridge Domains

Bridge Domain 1

10.10.10.x 20.20.20.x

10.10.10.5 20.20.20.5

EPG outside EPG web

Bridge Domain 2

Bridge Domain Outside Bridge Domain Inside

Client EPG Server EPG

Service Graph

Contract

ProviderConsumer

For Consistency with ACI Policy Model

ARP Flooding

Unknown Unicast Flooding

No IP Routing

ARP flooding

Unknown Unicast Flooding

No IP Routing

Provider SideConsumer Side

Default Gateway for the Servers

For Consistency with ACI Policy Model

VRFGoto Mode

ACI Behind the scenes

Shadow

EPG

Internal Contracts

Contract (defined by the user)

EPG outside EPG webShadow

EPG

VLAN Assignment Physical Appliance

• VLANs are automatically created on the ACI interfaces

• VLANs are also automatically created on the L4L7 device

one VLAN per each BD it is attached to

VLAN Assignment Virtual Appliance

• In case of Virtual Appliances

• vNICs are automatically assigned to the shadow port-groups

• VLANs are automatically created on the ACI interfaces

• VLANs are also automatically created on the L4L7 device

• YOU CANNOT REUSE THE SAME GRAPH ON DIFFERENT BDs

No trunking on vNICs

Create Service Graph TemplateCreate L4-L7 Device

ACI

Fabric

EPGClient

EPGWeb

E1/9E1/9

VLAN 110

VLAN 111

Device Type: Physical

Select Path

In this case, ASA use one physical interface

for consumer and provider.

BD2BD1

EPGweb

192.168.2.1

consumer provider

192.168.2.100192.168.1.1/24

192.168.1.100

EPGclient

vlan110 vlan111

Select VLAN Encap for each interface

Dynamic Endpoint Attach

• APIC dynamically detect new endpoint, then the endpoint is automatically added to the pool member of VIP

Dynamic Attach Endpoint with Load Balancers

EPGConsumer

EPGProvider

20.20.20.1

VIP: 10.10.10.200

20.20.20.100/2410.10.10.100/24

Web-Pool

20.20.20.2

New

20.20.20.3

New

You Can Enable Endpoint Attachment Notification in the Graph

F5 - Endpoints are Automatically Added to the Pool

Multi-context

• When you select Multi-context it means that the same appliance can be exported to multiple Tenants

• This only works with PHYSICAL APPLIANCES

• The Virtual Appliance may also let you create multiple partitions but

• How are the vNICs shared if the Virtual Appliance is on multiple Tenant?

• It cannot be shared because there cannot be a trunk with VLANs on the same vNIC

Multi-context Support

• We can partition a single physical ASA into multiple virtual firewall, known as security/virtual contexts. Each context acts as an independent device, with its own security policy, interfaces and management IP. ACI doesn’t create the ASA contexts, they must be predefined.

• With F5 Partitions are automatically created and ACI Tenants are automatically mapped to an F5 partition.

Multi-context Support in ASA and in F5

Data Plane Separation

ACI configures sub interfaces automatically

Context 1

Context 2

VLAN 1006

VLAN 1040

VLAN 1073

VLAN 1074

APIC creates sub-interfaces based on dynamically allocated VLAN from a pool, and in the System context it

assigns Port-channel sub-interfaces to appropriate user context, Contexts A, B, and C

Data Plane Separation

ACI configures interfaces as trunks

Partition 1

Partition 2

VLAN 1006

VLAN 1040

VLAN 1073

VLAN 1074

Sharing Service Devices

• ACI lets you configure objects in tenant common that can be used by other Tenants. E.g. filters, BDs, VRFs and also Logical and Concrete Devices

• Tenants can attach EPGs to these objects for instance

ACI Shared Services

Tenant CommonTenant Sales Tenant Sales2

• You can define Logical and Concrete Devices in Tenant Common and use them from other Tenants

Tenant CommonTenant Sales Tenant Sales2

ACI Shared Services – Tenant level

• With Multi-context Devices, you can share a device defined in Tenant common and use it from more than one Tenant.

Sharing Devices with Multi-Context L4 L7 Devices

Tenant Common Tenant Sales Tenant Sales2

Partition 1 Partition 2

How To Undo a Service Graph

How to Undo a Configuration?

• If you delete the Template, the graph is removed but there may be stale objects

• You need to remove some of the objects created da service graph…

OR

• There is a wizard to do the deletion of all objects created by the Apply wizard.

• Right click on a graph (one created with the template) and select "Remove Related Objects Of Graph Template"

Conclusion

• ACI is a highly flexible, programmable and integrated data centrenetwork fabric

• ACI allows ease of connectivity via policy of physical and virtual devices

• ACI allows the automation of tedious tasks such as L4 to L7 Integration

• ACI has advanced troubleshooting capability for the network fabric and connected services

Conclusion

Q & A

Complete Your Online Session Evaluation

Learn online with Cisco Live!

Visit us online after the conference

for full access to session videos and

presentations.

www.CiscoLiveAPAC.com

Give us your feedback and receive a

Cisco 2016 T-Shirt by completing the

Overall Event Survey and 5 Session

Evaluations.– Directly from your mobile device on the Cisco Live

Mobile App

– By visiting the Cisco Live Mobile Site http://showcase.genie-connect.com/ciscolivemelbourne2016/

– Visit any Cisco Live Internet Station located

throughout the venue

T-Shirts can be collected Friday 11 March

at Registration

Thank you