#CLMEL
Introduction to ACI
Richard Watson, DC Systems Engineer
BRKACI-1000

Cisco Webex Teams
Questions?
Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session

How
1 Open the Cisco Events Mobile App
2 Find your desired session in the “Session Scheduler”
3 Click “Join the Discussion”
4 Install Webex Teams or go directly to the team space
5 Enter messages/questions in the team space
cs.co/ciscolivebot#BRKACI-1000

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• Introduction
• Evolution of Data Centre Networking & Management
• What is ACI?
• ACI Anywhere
• Making the most of ACI
• Where to go next

DC Network Evolution
Spanning Tree
[Diagram: Layer-3 core running HSRP, Layer-2 spanning-tree distribution and access layers, bare metal and hypervisor hosts attached at Layer-2]

DC Network Evolution
• Simplified Spanning Tree with vPCs
• Replace Spanning Tree with FabricPath (MAC-in-MAC Encapsulation)
• Replace Spanning Tree with VXLAN (MAC-in-IP Encapsulation)
• Improved VXLAN Performance with BGP Control Plane (EVPN)

Current operating models aren’t working
• 95% of network changes performed manually
• 70% of policy violations due to human error
• 75% of OpEx spent on network changes and troubleshooting
• US$60B spent on network operations labour and tools
Source: McKinsey study conducted for Cisco in 2016

22% of all network outages are caused by human error
core-router#debug ip packet

Traditional Automation
Software Defined Networking
• SDN is about providing a mechanism to automatically configure the network as a whole.
• Still deals with traditional networking constructs: interfaces, VLANs, VRFs etc.
• Typically focused on automating “Day 2” tasks
  • Add a VLAN to these interfaces on these switches
  • Add a route to this VRF
• Still a gap between the business requirements of the network and how those requirements are implemented and verified
  • Leaves room to misinterpret and misconfigure
• Ideally need a network that is defined by the original intent

Intent-Based Networking
Intelligent Automation & Assurance
• Builds on traditional SDN capabilities
• Activation
  • Starts with business requirements (i.e. the intent) and translates them into device-specific configuration (i.e. policies)
  • Uses the policies to generate device-specific configuration that is then programmed (activation) through the API
• Feedback loop (assurance) to ensure that the intent has been realised
  • Continuously checked
• What is the intent of the application?
  • Who are the users, how do they access the app, what other services are required?

Automation – Do what works for you…
Do-It-Yourself / B.Y.O Automation
• Standard NX-OS Open API
• NetConf / YANG models
• Large ecosystem of partners
• Extensible for homegrown tools with LXC and Docker containers
• ..But takes time to set up & manage
Off-the-Shelf / Prebuilt Platform
• Single vendor simplicity
• From build to ongoing support
• Integrated Intent-Based Networking
  • Translation, Activation, Assurance
• Intent-based, policy-based management
Application Centric Infrastructure: pre-built, best-practice-based platform for intent-based DC networking automation (partners, automated IT, policy)

What is ACI?

Application Centric Intent-Based Data Centre Infrastructure (ACI)
Intent (“Should”) / Policy: ACI
• The network made simple
• Optimisation & automation
• Network security & availability
• Multi-cloud networking
• Translation & Activation
“Can”: Network Assurance Engine (NAE), proactive assurance
• Predict impact of changes
• Verify network-wide behavior
• Assure network security policy & compliance
• Guarantees: compliance, monitoring, consistency, forensics
“Did”: Tetration, reactive assurance
• Application Dependency Mapping (ADM)
• Network Performance Monitoring & Diagnostic (NPDM)
• Real-time visibility & insights
• Workload security

ACI Fabric Physical Overview
[Diagram: WAN routers reach the fabric over the IP WAN and the inter-site/inter-pod network; ACI spines (9300/9500) connect to ACI leaves (9300); the leaves provide the external L3Out (VRF-lite) and attach the APIC, UCS Fabric Interconnect, L4-L7 services, bare metal servers and UCS servers]

Cisco Nexus 9500 Cloud Scale Modular Portfolio
Cisco Nexus® 9500 Chassis
• Nexus 9504: 4-slot, 7 RU
• Nexus 9508: 8-slot, 13 RU
• Nexus 9516: 16-slot, 21 RU
Line cards (capacity per slot with 5 fabric modules, NX-OS; the slide also marks ACI, MACSec and CloudSec support per card):
• X9732C-EX: 32p 100G, 3.2Tbps
• X9736C-FX: 36p 100G, 3.6Tbps (Ports 29 - 36)
• 400G QSFP-DD*: 6.4Tbps
* CY19 Roadmap
EX & FX line cards can be mixed in the same chassis with FM-E or FM-E2 fabric modules

Cisco Nexus 9300 Fixed CloudScale 1/10/25G Switches
Nexus 9300 FX2
• Nexus 93216TC-FX2: 96p 1/10GT + 12p 100G QSFP28 (Q2 CY19)
• Nexus 93360YC-FX2: 96p 25G SFP + 12p 100G QSFP28 (Q2 CY19)
• Nexus 93240YC-FX2: 48p 25G SFP + 12p 100G QSFP
Nexus 9300 FX
• Nexus 93108TC-FX: 48p 1/10GT + 6p 100G QSFP28
• Nexus 93180YC-FX: 48p 25G SFP + 6p 40/100G QSFP
• Nexus 9348GC-FXP: 48p 100M/1GT + 4p 25G SFP + 2p 100G QSFP28
Nexus 9300 EX
• Nexus 93108TC-EX: 48p 1/10GT + 6p 100G QSFP28
• Nexus 93180YC-EX: 48p 25G SFP + 6p 100G QSFP28

Cisco Nexus 9300 CloudScale 40/100/400G Switches
Nexus 9300 400G Leaf/Spine (*CY19)
• Nexus 9316D-GX: 16p 40/100/400G
• Nexus 93600CD-GX: 28p 40/100G QSFP & 8p 40/100/400G
Nexus 9300 40/100G Spine
• Nexus 9364C: 64p 40/100G QSFP
• Nexus 9332C: 32p 40/100G QSFP
Nexus 9300 40/100G Leaf
• Nexus 93180LC-EX: 32p QSFP (32p 40/50G | 24p 40G + 6p 100G | 28p 40G + 4p 100G | 18p 100G)
• Nexus 9336C-FX2: 36p 40/100G QSFP28
Legend: ACI Leaf/Spine & NX-OS; ACI Spine & NX-OS; ACI Leaf & NX-OS

• 6 ACI Spines
  • Up to 16 x 16p 400G LCs
  • 6.4Tb per LC
  • >100Tb per Spine
• Up to 200 x Access Leaf Switches
  • Each 28 x 100G Access
  • >400Tb Access Bandwidth!
  • 326 RU of Space!!

ACI Mini – Maximum features, Minimum size
• Full ACI Platform
• 2 x Nexus 9332C
• 2 x Nexus 93180YC
• 1 x APIC-M3 Controller
5 RU
Physical APIC: 1
Virtual APIC: 2 (on server)
No. of Leafs: 2-4
No. of Spines: 2
No. of Tenants: 25
No. of End Points: 20,000

ACI 4.1
Typical 3-Tier DC Cabling vs ACI Multi-Tier (New)
[Diagram: traditional three tiers of Core (N7K), End-of-Row distribution (N5K) and Top-of-Rack access (N2K) over 10G MMF, beside ACI Multi-Tier where Core is the ACI Spine (N9K), End-of-Row is the ACI Leaf (N9K) and Top-of-Rack is the ACI Sub-Leaf (N9K) over 40/100G BiDi]

Network Underlay
Routing between Leaf & Spine Switches
• Routed interfaces between leaf & spines
  • APIC assigns IP addresses automatically
  • Jumbo+ MTUs (9366)
  • vPC without peer link!
• Loopbacks (/32) for VTEP & BGP
  • VXLAN Tunnel Endpoint for leaf and spines
  • 2nd anycast VTEP loopback for vPC switches
  • Spines have additional anycast IP proxy VTEP loopbacks
• IS-IS and PIM are used as the routing protocols
• MP-BGP between leaf & selected spines
  • Spines as route reflectors
[Diagram: every spine and leaf with a Lo0 /32, vPC leaf pairs with an additional Lo1, IS-IS in the underlay, BGP route reflectors (RR) on the spines, a /27 shown between the vPC pair]

Integrated VXLAN Overlay
VXLAN with In-band Flow-level Metadata
• VXLAN-GPE (Generic Protocol Extension)
  • Carries “Class ID” defining flows’ details
• VXLAN Virtual Network Identifiers
  • Separate VNIs for L2 & L3 traffic
  • ALL external traffic carried in overlay (L3 VNI)
  • Both bridged & routed traffic in VXLAN VNI
  • Routed L3 multicast supported!
• Mapping database of IP/MAC to VTEP
  • Council of Oracles Protocol (COOP)
  • Spines know where ALL hosts are
  • Unknown destination traffic sent to spine HW proxy VTEP (MAC, IPv4/v6)
[Diagram: VRF Cust A (L3 VNI) containing L2 Bridge Domain 1 (L2 VNI); leaf VTEPs including a vPC pair; spine proxy VTEPs holding MAC, IPv4 and IPv6 mapping tables]

Integrated VXLAN Overlay
Pervasive L3 Gateway at Top of Rack
• L3 SVI IP address created on each relevant ToR
  • No endpoints on switch, no SVI
• Same IP address, same MAC address
  • If routed to the GW MAC, the ToR will answer and use the local VRF’s L3 route table
• No HSRP, no vPC peer gateway
• External routes learnt via MP-BGP
[Diagram: VRF Cust A with SVI VLAN 10 10.1.1.1/24 on three ToR leaves (one vPC pair), all sharing the same gateway address]

SIM Cards and Application Profiles
Logical Abstraction of Identity and Configuration
• SIM Card: identity for a phone
• Service Profile: identity for compute (network policy, storage policy, compute policy)
• Application Profile: identity for the network

Fabric Access Policies
Interface Policies & Profiles
[Diagram: Interface Policy Group “ESXi Uplink Policy” (type: Virtual Port Channel; policies: Link Level Policy, LLDP Policy, Port Channel Policy) is referenced by Interface Profile “ESXi Host1 Interfaces” (selected interfaces: E1/1, E1/2; interface policy group: ESXi Uplink Policy), which is in turn referenced by a Switch Profile (selected switches; switch policy group)]

Fabric Access Policies
Switch Policies & Profiles
[Diagram: Switch Policy Group “Access Switches” (policies: BFD Policy, STP Policy, NetFlow Policy, vPC Domain) is referenced by Switch Profile “Compute Pod” (selected switches: Leaf 101, Leaf 102; switch policy group: Access Switches; selected interface profiles: ESXi Host1 Interfaces); ESXi Host #1 connects over a vPC to E1/1 and E1/2 on L101 and L102]

Tenant Policy Model
[Diagram: border leaves L105 and L106 provide L3Outs to the WAN routers over OSPF/BGP. Tenant A, VRF-A: L3Out on E1/1.100 (VLAN 100, 192.168.254.1/30 to 192.168.254.2/30), BD1 192.168.1.1/24, EPG1. Tenant B, VRF-B: L3Out on E1/1.200 (VLAN 200, 192.168.254.5/30 to 192.168.254.6/30), BD2 192.168.2.1/24, EPG2. Hosts attach through vPCs with static EPG mappings: Host-vPC1 on L101/1/1-2 and L102/1/1-2 (VLAN 10), Host-vPC2 on L103/1/1-2 and L104/1/1-2 (vPC20, VLAN 20)]

End Point Groups
Collection of Servers that Provide or Consume a Common Service
Static EPGs
• Simple mapping of ingress VLAN ID to an EPG
  • i.e. all MAC/IPs learnt on Port X join EPG A
• VLAN IDs can be different per switch or interface
• Very simple to operate
Dynamic EPGs
• Virtual Machine Manager (VMM) Domains
  • VMware, Hyper-V, RHEL, Kubernetes
• Mapping of vDS Port Group (VMware) to EPG
  • i.e. all MAC/IPs from VMs on PG X join EPG B
• ACI can automate creating the dPG and assign a dynamic VLAN from host(s) to the ACI leaf
EPGs are fundamental to ACI Security!

End Point Groups – Micro-Segmentation
Micro-Segmentation EPGs
• Sub-IP network or VLAN segmentation
• Works across VM, bare metal, containers, cloud etc.
• Use a combination of attributes to create micro-segmentation EPGs
  • IP/MAC
  • DNS
  • AD Group
  • VM Operating System
  • VM Custom Attributes
  • VM Tags

End Point Groups - External
• IP networks used to identify source and destination traffic flows outside the ACI fabric
• Only have IP addresses to work with!
• Think of network objects used in an ACL
• Associated with an External (L3Out) Domain
• Not necessarily the same as a learnt dynamic or static route

Application Profiles (AP)
Typical 3-tier Application – Common Policies
[Diagram: WAN to Web (192.168.1.0/24) to App (192.168.2.0/24) to DB (192.168.3.0/24), with the common policies applied along the path: ACL, IPS, ADC, WAF, ACL, Copy/SPAN traffic]

Application Profiles (AP)
Abstracted logical construct of an “Application” and associated policies
[Diagram: Application Profile containing a WAN External EPG (10.0.0.0/8), Web EPG 192.168.1.0/24, App EPG 192.168.2.0/24 and DB EPG 192.168.3.0/24, linked by contracts]
• Contract WAN ➔ Web: filter (Allow HTTPS); Service Graph (in-line or PBR) -> Firewall Cluster A (X.X.X.X) -> ADC Cluster B (Y.Y.Y.Y)
• Contract Web ➔ App: filter (Allow TCP 2000, Allow ICMP)
• Contract App ➔ DB: filter (Allow TCP 1521); Copy Graph (destination X.X.X.X)

ACI Fabric – Two Deployment Models
“Network Centric”
• Existing network – Nexus, Catalyst, etc.
• Leverage well known networking constructs: VLANs, IP addresses, subnets, flood domains etc.
[Diagram: VLAN 100 10.1.1.0/24 and VLAN 200 20.1.1.0/24 mapped one-to-one onto BD Blue 10.1.1.0/24 with EPG Blue-100 and BD Red 20.1.1.0/24 with EPG Red-200 inside one App Profile on the ACI fabric]
“Application Centric”
• Leverage well known application constructs: application profiles, dependency mapping etc.
[Diagram: App Profile with Web, App and DB EPGs, FW / ADC inserted between the tiers, external connectivity through an L3 Outside]
You can mix both network centric and application centric -> typical customer transition path!

76% of the Security Team’s Time is Spent on Security in the Data Centre
Percentage of Security Team’s Time
• 47% Servers
• 29% Customer Data
• 24% Endpoints

Zero-Trust Default Security
White List Model: No Contract, No Communication
Without contracts, by default there is no communication between groups
[Diagram: BM-01 (10.10.10.11) and VM-02 (10.10.10.12) in EPG BLUE; VM-03 (10.10.10.13) and BM-04 (10.10.10.14) in EPG GREEN; all in Bridge Domain 10.10.10.1/24 with no contract between the EPGs]

Contracts Enforce Communication Intent
White List Model: Contract Determines Communication
[Diagram: EPG BLUE (BM-01 10.10.10.11, VM-02 10.10.10.12) CONSUMES and EPG GREEN (VM-03 10.10.10.13, BM-04 10.10.10.14) PROVIDES the contract; both EPGs sit in Bridge Domain 10.10.10.1/24; example filter entries shown: any,tcp/80 and any,tcp/8080]
Contract: Blue-to-Green
Scope: VRF
Subject: AppTraffic
Both Directions: True
Reverse Port Filters: Yes
permit tcp/80
permit tcp/443
GREEN provides the contract, so ports tcp/80 and tcp/443 are exposed.
BLUE consumes the contract, so ports tcp/80 and tcp/443 are NOT exposed.

Contracts Redirect Traffic to L4-7 Services
Service Graphs - NGFW, ADC, IDS/IPS, etc.
You can insert an FW or a LB by attaching a Service Graph to the contract subject
[Diagram: the same Blue-to-Green contract (scope VRF, subject AppTraffic, both directions true, reverse port filters yes, permit tcp/80 and tcp/443) between EPG BLUE (consumer, BM-01 10.10.10.11 and VM-02 10.10.10.12) and EPG GREEN (provider, VM-03 10.10.10.13 and BM-04 10.10.10.14) in Bridge Domain 10.10.10.1/24, with the service graph redirecting the subject’s traffic through the L4-7 device]

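As an added example that is not part of the deck, the following Python models the white-list behaviour of the contract slides above: no contract means no communication, the provider exposes the subject’s ports while the consumer does not, Reverse Port Filters admit only return traffic, and scope VRF confines the contract to one VRF. Fabric, Contract and Flow are descriptive names rather than APIC classes, and EPG RED in a second VRF is a constructed addition used to show the scope check.

```python
# Added example, not code from the Cisco Live deck: a minimal model of the
# white-list contract semantics shown on the EPG BLUE / EPG GREEN slides.
# Fabric, Contract and Flow are descriptive names, not APIC object classes.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

FilterEntry = Tuple[str, int]   # (ip protocol, destination port; 0 = no port)


@dataclass(frozen=True)
class Flow:
    src_epg: str
    dst_epg: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # destination port, 0 for ICMP
    sport: int = 0      # source port, 0 for ICMP


@dataclass
class Contract:
    name: str
    scope: str                          # "vrf", "tenant" or "global"
    subject_filters: Set[FilterEntry]   # filter entries of the one subject
    both_directions: bool = True        # "Both Directions" on the slide
    reverse_port_filters: bool = True   # "Reverse Port Filters" on the slide
    providers: Set[str] = field(default_factory=set)
    consumers: Set[str] = field(default_factory=set)


class Fabric:
    """EPG-to-VRF membership plus the contracts between EPGs."""

    def __init__(self) -> None:
        self.epg_vrf: Dict[str, str] = {}
        self.contracts: List[Contract] = []

    def add_epg(self, epg: str, vrf: str) -> None:
        self.epg_vrf[epg] = vrf

    def permit(self, flow: Flow) -> Optional[str]:
        """Name of the contract permitting the flow, or None: the zero-trust
        default, no contract between two EPGs means no communication."""
        if flow.src_epg == flow.dst_epg:
            return "intra-epg"          # traffic inside one EPG needs no contract
        for contract in self.contracts:
            if self._matches(contract, flow):
                return contract.name
        return None

    def _in_scope(self, contract: Contract, flow: Flow) -> bool:
        # Scope VRF: enforced only when both EPGs are in the same VRF.
        if contract.scope == "vrf":
            return self.epg_vrf.get(flow.src_epg) == self.epg_vrf.get(flow.dst_epg)
        return True   # wider scopes are not modelled further here

    def _matches(self, contract: Contract, flow: Flow) -> bool:
        if not self._in_scope(contract, flow):
            return False
        entries = contract.subject_filters
        # Consumer -> provider: the provider's service port must be listed.
        if flow.src_epg in contract.consumers and flow.dst_epg in contract.providers:
            return (flow.proto, flow.dport) in entries
        # Provider -> consumer: only when the subject applies both directions.
        if flow.src_epg in contract.providers and flow.dst_epg in contract.consumers:
            if not contract.both_directions:
                return False
            if contract.reverse_port_filters:
                # Ports are swapped for the reverse direction, so the provider's
                # *source* port must match: return traffic only, as on the slide.
                return (flow.proto, flow.sport) in entries
            # Without reversal the entry applies literally, which would also
            # let the provider open new connections to that port on the consumer.
            return (flow.proto, flow.dport) in entries
        return False


def build_slide_fabric(reverse_port_filters: bool = True) -> Fabric:
    """EPG BLUE consumes and EPG GREEN provides Blue-to-Green in one VRF.
    EPG RED in a second VRF is constructed to exercise the VRF scope check."""
    fabric = Fabric()
    fabric.add_epg("BLUE", "VRF-A")
    fabric.add_epg("GREEN", "VRF-A")
    fabric.add_epg("RED", "VRF-B")      # constructed, not on the slide
    fabric.contracts.append(Contract(
        name="Blue-to-Green", scope="vrf",
        subject_filters={("tcp", 80), ("tcp", 443)},   # subject AppTraffic
        both_directions=True, reverse_port_filters=reverse_port_filters,
        providers={"GREEN"}, consumers={"BLUE", "RED"},
    ))
    return fabric


if __name__ == "__main__":
    fabric = build_slide_fabric()
    for flow in (Flow("BLUE", "GREEN", "tcp", dport=443, sport=40000),   # permitted
                 Flow("GREEN", "BLUE", "tcp", dport=443, sport=40002),   # GREEN initiating
                 Flow("GREEN", "BLUE", "tcp", dport=40000, sport=443)):  # return traffic
        print(flow.src_epg, "->", flow.dst_epg, fabric.permit(flow) or "DENY (no contract)")
```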
Trusted External EPGs
• By default – have to manually create External EPGs
• Can use ISE (Identity Services Engine) to bridge common data between Enterprise and Data Centre
  • Group information shared between ISE and APIC
  • Authenticated, trusted user groups dynamically synchronised to ACI
  • ACI sends dynamic EPG membership back to ISE as groups
[Diagram: TrustSec Policy Domain (campus / branch / non-ACI DC with ISE; Voice, Employee, Supplier and BYOD groups; Voice and Data VLANs) exchanging group information with the ACI Policy Domain (data centre with APIC; ACI fabric with Web, App and DB EPGs)]

ACI Anywhere

There is Nothing “CENTRE-ED” About Data Anymore
• Enterprise DC: this is where we began, and it’s here to stay
• IoT Edge: significant amounts of data are being generated remotely which need to be analysed, processed, and consumed
• 5G Telco Edge: new apps are creating new BW demands
• Public Cloud: a new operating model and growth of cloud native apps
• Enterprise Edge: data processing needs to be closer to the sources of demand
• Private Cloud
• Colo

The DC Needs to go Anywhere the Data is
• Enterprise DC
• IoT Edge
• 5G Telco Edge
• Public Cloud / IaaS
• Enterprise Edge
• Private Cloud
• Colo / Bare Metal Cloud

Cisco ACI Anywhere
Any Workload, Any Location, Any Cloud
• Remote Location: Remote Leaf / Virtual ACI
• On Premise: Multi-Pod / Multi-Site ACI
• Public Cloud: Cloud ACI
Security Everywhere, Analytics Everywhere, Policy Everywhere

ACI Multi-Pod
IPN Requirements:
• 50ms latency
• IP Multicast (PIM BiDir)
• OSPF
• DHCP Relay
[Diagram: two pods, each with ACI spines (9364), ACI leaves (9300), UCS Fabric Interconnect, bare metal servers, L4-L7 services and UCS servers, connected through IPN routers over DWDM / IP WAN; a single APIC cluster is spread across the pods; synchronous replication between the pods]

ACI Multi-Site
Shipping Since ACI 3.0
Multi-Site Orchestrator
• Consistent policy across sites
• Single point of orchestration
• Fault isolation
• Scale
[Diagram: Sites A, B, C and D, each hosting VMs, managed by the Multi-Site Orchestrator; benefits listed: policy consistency, single point of orchestration, availability, fault isolation, scale]

ACI Remote Leaf
[Diagram: Pod 1 connected over any routed IP network to remote leaves (RL) at Remote Location A (satellite DC), Remote Location B (brownfield) and Remote Location C (telco/co-lo), each hosting VMs]
• Zero touch auto discovery of remote leaf
• <= 300 ms RTT, 100M+ BW
• Up to 20 remote locations
• Single central management
• Automated L2 VXLAN extension

Cisco Virtual ACI (Virtual Pod)
Extend ACI to Bare Metal Clouds and Remote Data Centres
[Diagram: policy extension from the on-premises ACI data centre over an IP network to a remote location running VMs on a hypervisor]
Target locations: bare metal clouds (IBM, OVH, etc.), remote data centres, co-location facilities (Equinix, CoreSite etc.), brownfield deployments

ACI 4.1
ACI Extensions to AWS Multi-Site
[Diagram: Site A, on-premise, with Web, APP and DB EPGs joined by contracts; Site B, public cloud AWS region, with Web, APP and DB security groups (SG) joined by SG rules and running VMs; both sites joined over an IP network]
Common governance & visibility, discovery, policy translation, monitoring & troubleshooting, single point of orchestration, operational consistency

Example Use Cases
• Tenant stretching
• Cloud bursting
• Shared services
Note: Extending a L2 broadcast domain between on-premises and the cloud is not possible. Cloud vendors typically do not run broadcast or multicast and never face unknown unicast situations.

Making the most of ACI

Furthering the reach with ACI integrations
[Diagram: the ACI fabric at the centre, integrating with observability and analysis, public cloud, automation, ITSM, security, container & VM management, and ADC]

Cisco ACI Integration with Containers / PaaS
Key Benefits
• Unified networking: containers, VMs, and bare metal
• Micro-services load balancing integrated in fabric for HA / performance
• Secure multi-tenancy and seamless integration of Kubernetes network policies and ACI policies
• Visibility: live statistics in APIC per container and health metrics
[Diagram: container nodes running OpFlex and OVS attached to the ACI fabric, with external (EXT) connectivity]

Firepower (FTD) Integration with ACI
Managed Service Graph
Hybrid – Service Manager Model
[Diagram: the Security Admin configures FMC 6.2 through its GUI; the Network Admin configures APIC through API / GUI; FTD is inserted between App and DB]
Security team configures via FMC. Security Admin pre-defines a security policy rule in FMC for use in the ACI fabric:
✓ Defines initial criteria for allowed protocols and can update later
✓ Attaches appropriate threat policies (Malware, NGIPS)
✓ Adds URL filtering, geo-location, Threat Grid sandboxing, etc.
➢ Access Control Policy Rule is dedicated per service graph
Network Admin uses APIC to attach FTD to the ACI fabric and EPG traffic to a policy by:
✓ Creating interfaces and matching VLANs for traffic to arrive at FTD
✓ Defining mode of operation: Routed, Transparent FW, NGIPS
✓ Creating security zones and attaching to the pre-defined security policy
➢ FTD device package programs fabric insertion features from APIC

ACI Multi-Pod and Network Services
▪ Active and Standby pair deployed across Pods
  ▪ No issues with asymmetric flows but causes traffic hair-pinning across the IPN
▪ Independent Active/Standby pair deployed in each Pod
  ▪ Only for perimeter FW use case assuming proper solution is adopted to keep symmetric ingress/egress traffic flows
▪ FW cluster (ASA/FTD) deployed across Pods
  ▪ Supported from ACI 3.2
  ▪ Allows for stateful active/active DC failovers

ACI Multi-Site and Network Services
• Active and Standby pair deployed across Pods (over the ISN)
  • Currently supported only if the FW is in L2 mode or in L3 mode but acting as default gateway for the endpoints
  • Useful for Active/Standby DC scenarios
• Active/Active FW cluster deployed across sites
  • Not currently supported – probably a bad idea anyway!
• Independent Active/Standby pair in each site
  • Most common deployment model for ACI Multi-Site
  • Independent L4-7 services per DC, better fault separation

ACI App Centre (https://aciappcenter.cisco.com)
Programmable Infrastructure: Open APIs for Value Added Applications
Ecosystem sample apps:
• AlgoSec (connectivity and compliance): get your fabric a score on security and compliance; path analysis
• Splunk (Splunk Connector for centralised monitoring): gain real-time visibility centrally across your ACI deployments
• Infoblox (simplify IP address management): sync configuration between ACI & the Infoblox appliance
• ServiceNow (automated service management): push ACI logical topology constructs to ServiceNow

Cisco ACI and AppDynamics (AppIQ)
Enhanced Visibility & Monitoring
• Automated correlation of application services with ACI constructs
• Contextual overlay of services rendered by the application, business transactions, health and metrics on ACI constructs
• Augmented application flow map on objects in ACI
Troubleshooting
• Faster MTTR with context-aware cross launch and report generation from AppDynamics to APIC
• ACI fault and health aware creation of application baseline on AppDynamics
App on ACI App Center; native support in AppD

ACI: Tetration Integration
Capture Intent & Translate To ACI Policy
[Diagram: the Cisco Tetration™ Platform receives rich telemetry data from hardware (Nexus 9000) in the Cisco ACI fabric and returns tenant and application policy requirements (ADM)]
• Shipping: hardware sensor support on Nexus 9000 EX and FX leafs & FX spine line cards
• Shipping: Tetration NPMD support for ACI fabric (single fault domain)
• Future: Tetration NPMD support for Multi-Site, Multi-Pod, Remote Leaf
• ACI 4.1: hardware sensor support on Nexus 9000 EX spine line cards
• ACI 4.1: standalone application to generate ACI policy from Tetration ADM output

ACI 4.1
ACI: Telemetry with Network Insights App
[Diagram: data sources (ACI/NX-OS software telemetry; Nexus 9K hardware telemetry: FT, FTE, SSX) feed a collector, a data lake and an analytics engine behind the Network Insights App]
Availability
• Interface/link status
• Data plane statistics
• Environmental monitoring
• Protocol state
Network Operations
• Hotspot detection & congestion monitoring
• Buffer utilisation
• Queue-level microburst detection
Flow Based Analysis
• Flow latency monitoring
• Path tracing & anomaly detection
• Flow-level microburst detection

ACI 4.1
ACI: Network Insights - Resources
Understand What’s Running In Your Network
• Event Analytics Dashboard: displays faults, events, and audit logs in a time series fashion.
• Flow Analytics Dashboard: displays key indicators of infrastructure data plane health in a time series fashion.

ACI 4.1
ACI: Network Insights - Advisor
Analyse and Advise
• Advisories
  • Software/hardware recommendations
• Notices
  • EOL/EOS field notices
• Anomalies
  • Known bugs/PSIRTs
  • Config anomalies
• Compliance
  • Version scale limits/hardening check
• Diagnostics
  • Forwarding state check
  • Loop detection

Cisco Network Assurance Engine
Proactive Assurance
• Data Collection: capture DC-wide intent, policy, control/state across forwarding & security
• Formal Modeling of Network: precise mathematical models that codify Cisco’s 30+ years of networking and cross-customer domain knowledge
• Continuous Analysis: models verify that the network operates per intent and accurately tell what is wrong, where, why, impact and how to fix
Reasoning you do after the fact, the Engine does before the fact, continuously, network wide

Expected ACI 4.2
ACI: SD WAN (Viptela) Integration
Extend Operational Domain And Policy To Branch & Public Cloud
[Diagram: branches in Los Angeles and Chicago with vEdge routers reach, over MPLS and Internet (SD-WAN fabric managed by vManage), the data centres in San Francisco (Region West, subnet 10.1.1.0/24) and New York (Region East, subnet 10.121.0/24) running Multi-Site ACI with FW, Web, App and DB servers, plus multi-region AWS]
1 App policy determines routing path between branch and data centre to meet SLA
2 Optimal path selection between on-prem apps and services hosted in multi-region AWS

Automation Beyond the Fabric
• Comprehensive APIC REST API and Python SDK
  • Exposes the logical, abstracted, tenant policy model
• Integrate ACI with 3rd party automation tools
  • Ansible, Chef, Puppet etc.
• Private Cloud Automation Plugins
  • vRealise, AzurePack, OpenStack, UCS Director

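As an added example that is not from the deck or from Cisco’s SDK, the following Python expresses the three-tier Application Profile from the earlier slides (WAN to Web over HTTPS, Web to App over TCP 2000 and ICMP, App to DB over TCP 1521) as the tenant policy model the APIC REST API accepts, walks the payload to list every provider/consumer relation so the white-list can be reviewed, and shows the login and POST calls. The APIC managed-object class names are real; the tenant, VRF, contract and filter names and the APIC address are constructed placeholders.

```python
# Added example, not code from the deck or from Cisco: the three-tier
# Application Profile on the slides as an APIC REST API payload.  Class names
# (fvTenant, vzBrCP, ...) are real APIC classes; all other names are placeholders.
import json
import ssl
import urllib.request
from typing import Dict, List, Optional, Tuple

APIC_URL = "https://apic.example.invalid"   # placeholder, not a real APIC


def mo(cls: str, attrs: Dict[str, str], children: Optional[List[dict]] = None) -> dict:
    # One managed object in APIC JSON form: {cls: {"attributes": ..., "children": [...]}}
    body: dict = {"attributes": attrs}
    if children:
        body["children"] = children
    return {cls: body}


def tcp_filter(name: str, port: int) -> dict:
    return mo("vzFilter", {"name": name}, [
        mo("vzEntry", {"name": f"tcp-{port}", "etherT": "ip", "prot": "tcp",
                       "dFromPort": str(port), "dToPort": str(port)})])


def contract(name: str, filters: List[str]) -> dict:
    # scope="context" is VRF scope; revFltPorts="yes" is "Reverse Port Filters".
    return mo("vzBrCP", {"name": name, "scope": "context"}, [
        mo("vzSubj", {"name": "AppTraffic", "revFltPorts": "yes"},
           [mo("vzRsSubjFiltAtt", {"tnVzFilterName": f}) for f in filters])])


def epg(name: str, bd: str, provides: List[str], consumes: List[str]) -> dict:
    rels = [mo("fvRsBd", {"tnFvBDName": bd})]
    rels += [mo("fvRsProv", {"tnVzBrCPName": c}) for c in provides]
    rels += [mo("fvRsCons", {"tnVzBrCPName": c}) for c in consumes]
    return mo("fvAEPg", {"name": name}, rels)


def bridge_domain(name: str, vrf: str, gateway: str) -> dict:
    return mo("fvBD", {"name": name}, [mo("fvRsCtx", {"tnFvCtxName": vrf}),
                                       mo("fvSubnet", {"ip": gateway, "scope": "private"})])


def three_tier_tenant(tenant: str = "DemoTenant", vrf: str = "VRF-A") -> dict:
    """WAN -> Web (HTTPS), Web -> App (TCP 2000 + ICMP), App -> DB (TCP 1521)."""
    icmp = mo("vzFilter", {"name": "icmp"},
              [mo("vzEntry", {"name": "icmp", "etherT": "ip", "prot": "icmp"})])
    wan = mo("l3extOut", {"name": "WAN-L3Out"}, [
        mo("l3extRsEctx", {"tnFvCtxName": vrf}),
        mo("l3extInstP", {"name": "WAN"}, [            # external EPG 10.0.0.0/8
            mo("l3extSubnet", {"ip": "10.0.0.0/8"}),
            mo("fvRsCons", {"tnVzBrCPName": "WAN-to-Web"})])])
    return mo("fvTenant", {"name": tenant}, [
        mo("fvCtx", {"name": vrf}),
        bridge_domain("Web-BD", vrf, "192.168.1.1/24"),
        bridge_domain("App-BD", vrf, "192.168.2.1/24"),
        bridge_domain("DB-BD", vrf, "192.168.3.1/24"),
        tcp_filter("https", 443), tcp_filter("tcp-2000", 2000),
        tcp_filter("tcp-1521", 1521), icmp,
        contract("WAN-to-Web", ["https"]),
        contract("Web-to-App", ["tcp-2000", "icmp"]),
        contract("App-to-DB", ["tcp-1521"]),
        wan,
        mo("fvAp", {"name": "ThreeTier"}, [
            epg("Web", "Web-BD", provides=["WAN-to-Web"], consumes=["Web-to-App"]),
            epg("App", "App-BD", provides=["Web-to-App"], consumes=["App-to-DB"]),
            epg("DB", "DB-BD", provides=["App-to-DB"], consumes=[])])])


def contract_relations(tenant: dict) -> List[Tuple[str, str, str]]:
    """List (epg, "provides"|"consumes", contract) found in a payload, so the
    white-list can be reviewed before anything is pushed to the fabric."""
    found: List[Tuple[str, str, str]] = []

    def walk(node: dict, owner: str) -> None:
        for cls, body in node.items():
            attrs = body.get("attributes", {})
            if cls in ("fvAEPg", "l3extInstP"):
                owner = attrs["name"]
            elif cls in ("fvRsProv", "fvRsCons"):
                kind = "provides" if cls == "fvRsProv" else "consumes"
                found.append((owner, kind, attrs["tnVzBrCPName"]))
            for child in body.get("children", []):
                walk(child, owner)

    walk(tenant, "")
    return sorted(found)


def push_tenant(tenant: dict, user: str, pwd: str) -> bytes:
    """Log in (POST /api/aaaLogin.json), then POST the tenant to /api/mo/uni.json."""
    ctx = ssl.create_default_context()   # verifies the APIC's certificate
    login = json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": pwd}}}).encode()
    req = urllib.request.Request(APIC_URL + "/api/aaaLogin.json", data=login, method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        token = json.loads(resp.read())["imdata"][0]["aaaLogin"]["attributes"]["token"]
    req = urllib.request.Request(APIC_URL + "/api/mo/uni.json", data=json.dumps(tenant).encode(),
                                 method="POST", headers={"Cookie": "APIC-cookie=" + token})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read()   # imdata is empty on success, or carries the error
```

Calling contract_relations(three_tier_tenant()) before push_tenant() gives the six provider/consumer relations of the three-tier profile, which is the review step worth doing before the payload reaches the fabric.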
Where to go next

Cisco Intent-Based Networking
ACI Anywhere: the network made simple
• Software-Defined Access (SDA): Catalyst 9000
• Software-Defined Data Centre Networking (SDN): Nexus 9000
• Software-Defined WAN (SD-WAN)

ACI – Leading Intent-Based DC Networking
• Improving agility, better automation
• Better orchestration, integration with DC infrastructure
• Maintaining uptime in data centre networks
“The percentage of manual data centre networking operational activities will fall below 50% by 2021, down from 80% today”
Gartner Magic Quadrant 2018

Q&A

Like to learn more?
Session ID | Title | Day | Time
BRKACI-1001 | Your First 7 Days of ACI | Tuesday | 2:15PM
BRKACI-2001 | Integration and Interoperation of Existing Nexus Networks into an ACI Architecture | Wednesday | 8:30AM
BRKACI-2004 | How to Setup an ACI Fabric from Scratch | Wednesday | 12:50PM
BRKACI-2102 | ACI Troubleshooting | Wednesday | 2:30PM
BRKACI-3128 | Extending Your Data Centre Policies into the Cloud with Cisco ACI Anywhere | Thursday | 8:30AM
BRKACI-3545 | Mastering ACI Forwarding Behaviour – A Day in the Life of a Packet | Thursday | 12:50PM
BRKACI-2506 | How to Easily Integrate Security/L4-L7 Services into ACI | Thursday | 2:30PM
BRKACI-2505 | Deploying Kubernetes in the Enterprise with Cisco ACI | Thursday | 4:30PM
BRKACI-2125 | ACI Multi-Site Architecture and Deployment | Friday | 8:00AM
BRKACI-2770 | Automating ACI | Friday | 9:40AM

Like to learn more?
Session ID | Title | Day | Time
TECACI-2540 | How to manage and build your DC Fabric DevOps style (4 Hours) | Tuesday | 9:00AM
TECACI-1132 | Migrating Your Network Centric ACI Deployment to Application Centric (4 Hours) | Tuesday | 2:00PM

Session ID | Session Title | Day | Start | End
DEVNET-2000 | Network Programmability with Cisco ACI | Wednesday | 12:00PM | 12:45PM
DEVWKS-2001 | Mastering ACI Programmability and Automating Common DC Tasks | Thursday | 1:00PM | 1:45PM

Complete Your Online Session Evaluation
• Give us your feedback and receive a complimentary Cisco Live 2019 Power Bank after completing the overall event evaluation and 5 session evaluations.
• All evaluations can be completed via the Cisco Live Melbourne Mobile App.
• Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at: https://ciscolive.cisco.com/on-demand-library/

Thank you
