Cisco DC Networking: Gain Insight and Programmability with

© 2017 Cisco and/or its affiliates. All rights reserved. 1
Cisco
Connect Your Time
Is Now
Cisco DC Networking:
Gain Insight and Programmability
January, 2018

What’s Happening in Your Data Centre
Data and
Endpoints
Complexity
Security

Is your Data Centre doing what you intend?

C97-739634-00 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
The Intent Cycle
Adapt
Learn
Protect
APP

Cisco ACI: Industry Leader
Ecosystem Partners
Data Center Switching Growth ACI Customers ACI Attach Rate on N9K Ecosystem Partners
6%Y/YQ4 50+%4,000+ 65+

6© 2017 Cisco and/or its affiliates. All rights reserved.
Nexus Switching

Portfolio at a Glance
Nexus 7700 Series
Nexus 7000 Series
Nexus F and M Series
Line Cards
Nexus 3200 Series
Nexus 3100 Series
Nexus 3600 R Series
Nexus 5600 Series
Nexus 2300 Series
Nexus 9500 Series
Nexus 97xx Series
Line Cards
Nexus 96xx-R Series
Line Cards
Nexus 9300 Series
Nexus 9200 Series
Nexus
7000 Series
Modular
Nexus
3000 Series
Fixed
Nexus 5000
and 2000
Series Fixed
Nexus
9000 Series
Modular
Nexus
9000 Series
Fixed

Areas of Investment
CloudScale
ASICs
Nexus 9000 CloudScale
General Data Center Design
• High Speed Fabrics
(ACI, NX-OS)
• VXLAN, Segment Routing
Broadcom
Jericho
Nexus 9000 Jericho
Financials and
Collapsed Core/Edge
• Financial Multicast (UDP)
• VXLAN, Segment
Routing, MPLS
• Large Routing Tables and
WAN buffer requirements
Cisco
Custom ASICs
Nexus 7000 Series
General Data Center Design
• Data Center Interconnect
• DC and Campus Core
• Cross Domain Policy
Integration
Broadcom T2+/T3/
TH/TH2/Jericho
Nexus 3000 Series
Merchant Silicon
Alternative
• Fabric Designs (customers
specifically looking for
BCOM based SOC)
• Specific Use Cases (ULL,
Data Path
Programmability)

ASIC Portfolio For Nexus 3000/9000
Merchant
Merchant + Cisco
1st Gen Switches:
2013–2015
40nm
28nm
Trident T2
ASE, ALE
Merchant
2nd/3rd Gen Switches:
2016/2017
28nm
16nm
Tomahawk
Trident 2+
LS1800EX, S1600,
S3600, LS1800FX,
S6400
40nm
Scale
• Route/ Host tables
• Sharding
• Encap normalization
• EPG/ SGT/ NSH
Telemetry
• Analytics
• Netflow
• Atomic Counters
Optimization
• Intelligent Buffers
• DLB/ Flow Prioritization

Cisco ASIC Differentiation
• Industry leading port density à Enables 64 x 100G in single chip
• Multi Speed 1/10/25/40/50/100G à Investment protection
• DC Optimized Smart Buffer and TCAM Scale à Best in class
price/performance supporting 1 million routes
• Flow Level Granular Visibility à Real-time visibility, and analytics to see
every packet
• Unified Fabric with LAN and SAN Convergence à Single Unified network

EX and FX Series Cloud Scale Switches
Nexus 9300
Nexus 9500
EX Cloud Scale
• ACI and NX-OS
• 10/25/40/100G
• Tetration Hardware Sensor
• Support for N2000 (FEX)
FX Cloud Scale Enhancement
• Line rate Encryption
• UP (25GbE and 32G FC)
• 25G RS FEC

Nexus 9300-FX Series
Nexus 9300-FX
NEW
Q2’CY16
Nexus 93108TC-FX
48p 1/10GT + 6p 40/100G QSFP
Nexus 93180YC-FX
48p 10/25G SFP + 6p 40/100G QSFP
* Hardware Readiness, Check Software Roadmap for Enablement Timelines
Dual personality – ACI and NX-OS mode
Flexible port configurations – 1/10/25/40/50/100G
Line rate encryption all ports
32G FC support on all SFP ports
25G distances beyond 3m (RS FEC)
Large Route/ACL table
Flow Table (Tetration)
FEX Support
Key Features
Support for Nexus 5K FC designs – transition platform
Link Security against fiber taps
Key Benefits
Nexus 9348GC-FXP
48p 100m/1GT + 4x 10/25G SFP28
+ 2x 40/100G QSFP28

Nexus 9000 Cloud Scale
Fabric Foundation with 2 Year Innovation Advantage
Nexus 9300
Nexus 9500
Nexus 9000
Cloud Scale
Innovations
Integrated line rate flow capture
Streaming analytics export off chip
Integrated line rate encryption
Smart Buffering
Multi-speed ports
64p 100G line rate routing in single chip
Unified ports—10/25GbE and 8/16/32G FC

Nexus 9300 Portfolio
Modular Uplink
Integrated Uplink
48x25G+6x100G (Nexus 93180YC-EX)
48x10GT+6x100G (Nexus 93108TC-EX)
28p 40/50G+4p 100G (Nexus 93180LC-EX)
48x10GT+12x40G (Nexus 9396TX)
48x10G+12x40G (Nexus 9396PX)
96x10G+8x40G (Nexus 93128TX)
32x40G (Nexus 9332Q)
48x10GT+6x40G (Nexus 9372TX(E))
48x10G+6x40G (Nexus 9372PX(E))
96x10G+6x40G (Nexus 93120TX)
Gen 1: 2 ASICs Gen 2/3: CloudScale (1 ASIC)
48x25G+6x100G (Nexus 93180YC-FX)
48x1GT+4x10/25G+2p 100G (Nexus 9348GC-FXP)
48x10GT+6x100G (Nexus 93108TC-FX)
1G
10GT
10/25G
40/50G

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Programmable Fabric
VXLAN EVPN multi-site solution
VXLAN OAM, Tenant Multicast
Segment Routing L3 EVPN
DCNM Integration
Visibility/Analytics
Tetration Integration
NX SW and HW Streaming Telemetry
Netflow-v9
Security
Secured Access
Encryption (MacSec and CloudSec)
High Availability
Enhanced ISSU
Automation
DCNM
Nexus Configuration Mgmt Modules
(Puppet/Chef/Ansible)
Industry Standard Data Models
(OpenConfig / IETF YANG)
Infrastructure
NX-SDK
Intelligent Services, PMN
FCOE FC UP on FX Platforms
Cisco NX-OS
Innovations in Cisco NX-OS

Cisco ACI
Path to Agility in an App-Centric
World

Remote PoD Multi-Pod / Multi-Site Hybrid Cloud Extension
ACI Anywhere
Any Workload, Any Location, Any Cloud
ACI Anywhere
IP
WAN
IP
WAN
Remote Location Public CloudOn Premise
Security Everywhere Policy EverywhereAnalytics Everywhere

Areas of Investment
Infrastructure Virtualization Security Ecosystem

What’s New in ACI 3.0?
Hardware, Security, Scale, Usability, Fabric Extension
Policy-Driven
Infrastructure
Fabric Management
• Multi-Site
• Refreshed APIC GUI
• Graceful Insertion and Removal
• QinQ to EPG Mapping
• TCAM Tile Infra
• Latency and Precision Time Protocol
Infrastructure
• Nexus 9364C (Fixed Spine)
• Nexus 9348GC-FXP (1G ToR)
• N9K-X9736C-FX (Spine LC)
• Ingress QoS Policing per EPG
Virtualization
• Kubernetes Support
• VMM: Delayed EP detach/attach
for DVS and AVS
• AVS: QoS Marking
Security
• Micro-segmentation Enhancements
• 802.1X – End Point Authentication
• 2 Factor Authentication
• First Hop Security

ACI Software Enablement
Nexus 9000 Platforms
Nexus Foundation: CloudScale Platforms
Nexus 9300
Nexus 9500
Nexus 9000
ACI
3.0
Nexus 9364C –
Fixed Spine
64p 40/100G QSFP
ACI
3.0
Nexus 9736C-FX
36p 40/100G Line Card
(4/8/16 slot)
ACI
3.1
N9K-C9516-FM-E2
Fabric Module with 100G (16 slot)
ACI
2.2(2)
Nexus 93180YC-FX
48p 10/25G SFP +
6p 40/100G QSFP
ACI
2.2(2)
Nexus 93180TC-FX
48p 1/10GT + 6p 40/100G QSFP
ACI
3.0
Nexus 9348GC-FXP
48p 100M/1G Base-T,
4p 10/25G SFP+

Inter-Site IP Network
Site A Site B
Multi-Site
Appliance
Geographically Dispersed
Active/Active Data Centers
Active/Standby Data Centers
For Disaster Recovery
Stretch VRF, EPG, BD
Across Sites with VXLAN
Up to 500ms to
1 sec Latency
ACI Multisite
Extends Network Virtualization, Policy & Services to Multiple Fabrics

First Step Towards Intuitive APIC GUI
Usability
• New Look and Feel across Applications
• Consistent Layout across Tabs
• Collaborate by Sharing Objects
• Simplified Topology Views
• Release Bulletin
• Troubleshooting
• User Profiles
• Alerts
Operations
• Personalized User Profile
• Dashboard Widgets
• Improved Health Score and
Fault Counts
Configuration
• Best of both Basic and Advanced UI
• Simplified Port Selectors
• Workflows simplified
• New APIC Postman App

Profile 1: Default Profile*
Profile 2: Policy Heavy
Profile 3: L2-Only Mode
Profile 4: Multicast
Flexibility To Choose TCAM
Profile Based On Your
Infrastructure Needs
L2 MAC
DA
Lookup
Policy
Info
Tile 0 Tile 5 Tile 17
IPv6 Host
Entries
Optimized TCAM Resources
* Only One Profile is Supported in 3.0
TCAM Profiles

Gracefully isolate the node from fabric
Troubleshoot (if required)
Re-commission the node
1
2
3
L2/L3
GIR diverts the data traffic to alternate paths and allows
node troubleshooting, maintenance and upgrade.
Graceful Insertion and Removal (GIR)

Cisco ACI Virtual Edge
Decoupled From Hypervisor Kernel API Dependencies
ACI Virtual Edge
ACI Virtual Edge (AVE)
Maintain Existing
Operational Models
Simple Transition/Migration
AVS => AVE
Policy Consistency Across
Multiple Hypervisors
AVS/AVE
Feature Parity
Legacy AVS (Today)
Hypervisor Dependent
Cisco AVE (Q1 CY18)
Native vSwitch
VM
Switching +
Policy Enforcement
VM VM
AVE
Q2
FY18
Q1
CY18
Hypervisor Agnostic
VM VM VM
AVE
AVS
Policy Enforcement,
Services, Telemetry
UserSpaceKernel
Future

ACI Infrastructure
Extend ACI Policy to Satellite Data Centers
Options 1. Remote Physical Leaf (Nexus 9K)
ACI 3.1
2. Remote Pod (Virtual)
(Futures)
On Premise
IP
Network
L2 / L3
Remote Data Center
Nexus 9K
Physical Leaf
Remote PoD
Virtual (Spine + Leaf)
AVE AVE

Connectivity
Usability
Maintenance
Operations
ACI Infrastructure Enhancements
Integration of Clustered
Network Services
IEEE 1588 and Latency
(ACI 3.0)
TCAM Profiles
(ACI 2.3 and ACI 3.0)
Maintenance Mode
(ACI 3.0)
Software Maintenance
Update (SMU)
Patching Support
Mixed OS (ACI 2.3)
EPG Contract
Inheritance (ACI 2.3)
New APIC GUI with
Simplified Workflows
(ACI 3.0)
vSphere Tags (ACI 2.3)
100G Front Panel Port
Support: 93180LC-EX
(ACI 2.3)
Breakout
(93180LC-EX)
(ACI 3.1)
Flexible Port
Configuration for
Uplink/Downlink
QSA (9364c)
(ACI 3.1)

ACI: Cloud Automation
Virtualization and Orchestration
Deploy
Tenant
Deploy
App
Deploy
Firewall
vSphere 6.5, Tags (ACI 2.3)
vCenter Plugin (RBAC) (ACI 3.0)
NG-Application Virtual Switch
AzurePack –
VPN Termination (ASA, ASR 1K)
AzureStack
Newton Support, IPv6 (ACI 2.3)
Bare-Metal Provisioning (Ironic)
Ocata Support
Cloud
Automation
Unified Networking (ACI 3.0)
Integration of Kubernetes
network policies and ACI policies
Visibility

ACI Security
Automated Security with Built In Multi-Tenancy
Q4 CY
2018
Micro-Segmentation
DNS EPG, AD Based EPG
(ACI 3.1)
ACI
3.0
Contracts
Inheritance, Intra-
EPG Contracts
Q4 CY
2017
Certifications
FIPs and UC-APL Certified
Common Criteria (in progress)
ACI
3.1
MACSEC Encryption
APIC Centralized Key
Management
ACI
2.3
ACI-TrustSec Integration
Higher Scale (15K)
ACI
3.0
First Hop Security
IP Source Guard, DHCP Guard,
DHCP Snooping, etc.

End Point Groups End-Points vCenter/Fabric Bridge DomainsNumber of Sites
15,000 180,000 12 200 15,0004
Number of Pods
11
10
9
8
7
654
3
2
1
11
10
9
8
7
654
3
2
1
11
10
9
8
7
654
3
2
1
11
10
9
8
7
654
3
2
1
11
10
9
8
7
654
3
2
1
11
10
9
8
7
654
3
2
1
Leafs Tenants Policy CAM Service ChainsFilters
800 3000 2000 61,000 100010000
Contracts
11
10
9
8
7
654
3
2
1
11
10
9
8
7
654
3
2
1
11
10
9
8
7
654
3
2
1
11
10
9
8
7
654
3
2
1
11
10
9
8
7
654
3
2
1
11
10
9
8
7
654
3
2
1
ACI
3.0
ACI: Infrastructure Scaling

Cisco Tetration Analytics
Get to a Secure Zero-Trust Model in
an Application-Centric World
Cisco
Tetration
Analytics

Rapid App
Deployment
Continuous Development
Application Mobility
Micro Services
Policy
Enforcement
Heterogeneous Network
Secure Zero-Trust
Policy Compliance
Security Challenges in Modern Data Centers
Securing Applications Has Become Complex
Applications Are Driving Modern Datacenter Infrastructure

Holistic Approach to Server Protection
Dynamic and heterogeneous
environment
Traffic visibility, server process
baseline, and analytics
Policy that enables
application segmentation
Segmentation
Application control
using whitelists
Advanced
behavior analysis
Break
organizational
siloes

Operations
Use Cases
Security
Cisco Tetration™
Visibility and
forensics
Application
insight
Policy
Neighborhood
graphs
Application
segmentation
Compliance
Policy
simulation
Process
inventory

Architecture Overview
Software sensor and
enforcement
Embedded network
sensors
(telemetry only)
ERSPAN sensors
(telemetry only)
Analytics engine
Web GUI REST API Event notification Cisco Tetration apps
Third-party
sources
(configuration data)
Data collection layer
Access mechanism
Bring your own
data
(streaming telemetry)

Data Sources
Main features
ü Low CPU overhead (SLA enforced)
ü Low network overhead
ü New Enforcement point (software agents)
ü Highly secure (code signed and authenticated)
ü Every flow (no sampling) and no payload
*Note: No per-packet telemetry; not an enforcement point
Software sensors
Universal*
(basic sensor for other OS)
Linux servers
(virtual machine and bare metal)
Windows servers
(virtual machines and bare metal)
Windows Desktop VM
(virtual desktop infrastructure only)
Cisco Nexus 9300 EX
Cisco Nexus 9300 FX
Network sensors
Next-generation Cisco Nexus® Series Switches
Third-party sources
Asset tagging
Load balancers
IP address
management
CMDB
…
Third-party data sourcesAvailable today

Cisco Tetration Application Segmentation
Policy Recommendation
Cisco Tetration
Analytics™
Application workspaces
Application
segmentation
policy
Public
cloud
Private
cloud
On-premise

Enforcement of Policy across any floor tile
Azure Amazon
Cisco Tetration Analytics™
1. Generates unique policy
per workload
2. Pushes policy to all
workloads
3. Workload securely enforces
policy
4. Continuously recomputes
policy from identity and
classification changes
Google
Enforcement
Compliance monitoring
VirtualBare metal Cisco ACITMPublic cloud Traditional network

Policy-Related Notification
Cisco Tetration
Analytics™
Kafka
broker
Northbound
consumers
Northbound
consumers
Message publish
Kafka
• Alerts every minute
for enforcement
• Policy compliance
event notifications
• Count of policy alerts
until whitelisted
• Alerts when IP tables or
firewall is flushed or disabled
by user
• Alerts when enforcement
sensor is disabled
• Publishes policy differences
between versions

Rest API
• Cisco Tetration flow search
• Sensor management
Push notification
• Out-of-the-box events
• User-defined events
Cisco Tetration applications
• Access to data lake
• Write your own application
Open API
Northbound
application
Programmatic interface
Rest API
Kafka
broker
Northbound
consumers
Northbound
consumers
Message publish
Cisco
Tetration
Analytics™
platform
Kafka
Cisco Tetration™
applications

Cisco Tetration™ Cloud
• Software deployed in AWS
• Suitable for deployments of
less than 1000 workloads
• AWS instance owned
by customer
Cisco Tetration™ Platform
(large form factor)
• Suitable for deployments of more
than 5,000 workloads
• Built-in redundancy
• Scales to up to 25,000 workloads
Includes:
• 36 x Cisco UCS® C220 servers
• 3 x Cisco Nexus® 9300
platform switches
Cisco Tetration-M (small form
factor)
• Suitable for deployments of less
than 5,000 workloads
Includes:
• 6 x Cisco UCS C220 servers
• 2 x Cisco Nexus 9300
platform switches
Tetration Analytics: Deployment Options
Amazon
Web Services
On-premises options Public cloud

Open Ecosystem
Program, interoperate and extend
Ecosystem

ACI/NX-OS
L4-7 Integrations: Interoperate and Extend Automation
Security EnforcementSecurity ManagementADC

Cloud Orchestration
and ITSM
Cloud Automation
and PaaS
Monitoring NX-OS
Rich Ecosystem with Cisco ACI and NX-OS

ACI App Center

Cisco ACI: App Center
Programmable Infrastructure: Open APIs For Value Added Applications
Visually monitor externally
routed interface states
And next hop add/delete
Monitoring and
Troubleshooting
Analytics
Auto Provision ACI network
by simply importing Tetration
ADM
Auto Provisioning
cTrac Fault Analytics Tetration
Intuitively analyze historical
fault metrics and audit logs
with variety of filters
Infoblox v2.0
Connectors and
Integrators
ECOSYSTEM Sample Apps
Improved UI with robust
syncing. Configure and
provision new DHCP ranges
from the App

Ecosystem
Service visibility Layer 4-7 services integration
Security orchestration Service assurance
Insight exchange
Cisco Tetration
Analytics™

Cisco DC Networking: Gain Insight and Programmability with

More Related Content

What's hot (20)

Similar to Cisco DC Networking: Gain Insight and Programmability with (20)

More from Cisco Canada (20)

Recently uploaded (20)

Cisco DC Networking: Gain Insight and Programmability with