ACI Anywhere (3.1/3.2) Brian Kvisgaard, System Engineer - Datacenter Switching

Transcription

1 ACI Anywhere (3.1/3.2) Brian Kvisgaard, System Engineer - Datacenter Switching bkvisgaa@cisco.com

2 På denne Cisco Virtual Update vil vi diskutere de seneste muligheder i ACI: multi-site support, Fibre Channel support, Remote Leaf og GOLF udvidelser. På NX-OS siden vil vi snakke Unified Ports (Fibre Channel) på FX switchene, Docker container på switchen, EVPN support opdateringer, ISSU på FX switchene og Netflow v9 på EX switchene.

3 Application Centric Infrastructure Fabric and Policy Domain Evolution ACI Single Pod Fabric ACI Multi-Site ACI Multi-Cloud Fabric A IP Fabric n ACI Multiple Networks (Pods) in a single Availability Zone (Fabric) MP-BGP - EVPN ACI 3.1/3.2 - Remote Leaf and vpod extends an Availability Zone (Fabric) to remote locations ACI Leaf/Spine Single Pod Fabric Pod A ACI Multi-Pod Fabric IPN Pod n ACI 3.0 Multiple Availability Zones (Fabrics) in a Single Region and Multi-Region Policy Management ACI Remote Leaf Future ACI Extensions to Multi-Cloud MP-BGP - EVPN APIC Cluster

4 ACI Multi-Pod and Multi-Site Main Use Cases ACI 3.2 Release Adding a Multi-Pod Fabric as a Site on the Multi-Site Orchestrator (MSO) Converting a single Pod Fabric (already added to MSO) to a Multi-Pod fabric

5 ACI Multi-Pod and Multi-Site Connectivity between Pods and Sites IP WAN IPN 1 st Gen 1 st Gen Site 2 Pod A APIC Cluster Pod B Site 1 Site 2 Only 2 nd generation spines must be connected to the external network Need to add 2 nd gen spines in each Pod (at least two per Pod) and migrate connections to the IPN from 1 st gen spines to 2 nd gen spines Single infra L3Out and set of uplinks to carry both Multi-Pod and Multi-Site East-West traffic

6 ACI Multi-Pod and Multi-Site BGP Spine Roles BGP Forwarders Pod A IPN/ISN BGP Speakers 1 st Gen 1 st Gen APIC Cluster Site 1 BGP Forwarders Pod B Spines in each Multi-Pod fabric can have one of those two roles: 1. BGP Speakers: establish EVPN peerings with BGP speakers in remote sites and with BGP Forwarders in the local site (intra- and inter- Pods) Recommended to deploy two speakers per Multi-Pod fabric (in separate Pods) Explicitly configured on MSO Multi-Site Speaker must be a Multi-Pod spine as well 2. BGP Forwarders: establish BGP EVPN peerings with BGP speakers in the local site All the spines that are not speakers implicitly become forwarders

7 ACI Multi-Site Day-2 Operations: Full-Stack Consistency Checker ACI 3.2 Release Multi-Site Infra: Unicast, Multicast, BGP TEPs and Tunnel state Multi-Site Tenant and EPG granularity: Inspect and validate full-stack programming: MSC, APICs and Spine translations Validate the consistency of local and remote intersite EPGs, BD, VRF, External EPG, policies, etc. Spines MP-BGP EVPN VXLAN Spines Root cause configuration programming issues without calling TAC GUI and APIs will both be supported

8 Multisite Back to Back Spine Basic Setup Directly connected link APIC Cluster APIC Cluster Site-1 Support for direct connection between spines of two different sites without any IPN between the sites. Only supported for single POD per site deployments. Requires non-overlapping TEP pools across the sites. Requires different fabric names across sites. Site-2

9 ACI 3.2: Multi-Site Enhancements Multi-Site Orchestrator Site A Site C Site B Site D Multi-site with multi-pod Consistency checker L4-L7 Services support Back-to-back Spine UCS-D Orchestration

10 Where to Go for More Information ACI Multi-Pod White Paper ACI Multi-Pod Configuration Paper ACI Multi-Site White Paper Deploying ACI Multi-Site from Scratch

11 ACI Remote Physical Leaf Business Value and Use Cases ACI 3.1 Release Extending the ACI policy model outside the main datacenter to remote sites distributed over IP Backbone (Satellite DCs, CoLo facilities, etc.) Extending ACI fabric policy and L2/L3 connectivity to a small DR site without requiring the deployment of a full-blown ACI Fabric Centralized Policy Management and Control Plane for remote locations Small form factor solution at locations with space constraints

12 ACI Remote Physical Leaf Architecture Overview APIC and Spine Nodes (Proxy function) remain at primary Pod(s) IP WAN A Remote Leaf Site gets associated with the Spines of one specific Pod in Main DC L2 / L3 ACI Main DC IPN Requirements (3.1) 300 msec maximum RTT 500 Mbps minimum BW 1600B minimum MTU No PIM-Bidir required vswitch Hypervisor Bare Metal Legacy Infrastructure Remote Leaf Site: a pair of Nexus 9300 nodes connected to a L3 Network via uplink ports and fully managed by a centralized APIC cluster

13 ACI Remote Physical Leaf Hardware and Software Support ACI Main DC Supported Spines Fixed N9364C Modular N9732C-EX N9736C-FX Remote Location Supported from ACI 3.1(1) Supported Leaf N93180YC-EX N93108TC-EX N93180LC-EX N93180YC-FX N9K-C93108TC-FX N9K-C9348GC-FXP All hardware from -EX onwards is supported

14 Fabric Membership for Remote Leaf

15 ACI Remote Physical Leaf and Multi-Pod RL Sites Can Be Associated to Separate Pods RL Site 1 associated to Pod1 RL Site 2 associated to Pod2 RL Site1 RL Site 2 Inter-Pod Network IP WAN IP WAN (Multicast Enabled) ACI Main DC Pod1 ACI Main DC Pod2 15

16 ACI Remote Physical Leaf Endpoint Connectivity Considerations RL Nodes not part of a vpc Domain RL Nodes part of a vpc Domain EP info sync over vpc control plane RL Nodes part of a vpc Domain EP info sync over vpc control plane EP1 EP2 EP1 EP2 EP1 EP2 ACI 3.1 Release Dual attached host with single active uplinks (MAC pinning, Active/Standby teaming, etc.) Single attached hosts ACI 3.1 Release Dual attached host with Active/Active links (LACP) ACI 3.2 Release Dual attached host with Active/Active links (LACP) Single attached hosts (orphan ports)

17 ACI 3.2: Physical Remote Leaf Extend ACI to Satellite Data Centers IP Network (WAN Core IPv4, MPLS, SR, etc ) Port Speed: 1/10/40/100G Site A Remote Location Vlan, Vxlan based AVE Attachment FEX support with Remote Leaf M Domain integration for all types of M Domains Orphan port support

18 ACI : Virtualization and Cloud Automation

19 ACI 3.2 : Virtual Edge Features ACI Virtual Edge Q2 FY18 Legacy AVS (Today) Cisco AVE AVE AVE Policy Enforcement, Services, Telemetry ACI Virtual Edge (AVE) AVS Switching + Policy Enforcement Native vswitch Hypervisor Dependent Hypervisor Agnostic L4-L7 Services enablement Health Monitoring Remote Physical Leaf Support Remote Storage Support

20 ACI Virtual Edge is configured and managed by APIC AVE brings networking features widely used in the physical world into the ware hypervisor Application profiles configured on APIC are pushed to AVE OpFlex Agent OpFlex Agent V M V M Cisco AVE ESXi-1 V M V M V M V M Cisco AVE ESXi-2 V M V M OpFlex protocol is used to push ACI polices to AVE

21 OpFlex OpFlex OpFlex Investment Protection by Extending ACI to Existing Networks Scenario Customers deploying ACI along with existing Networking Infrastructure Issue Extend ACI Policies to the virtual environment which are not directly connected to ACI Leaf. Full Layer 2 Network (Nexus 7K/6K/5K/3K/2K /Fl between Leaf and AVE AVE AVE AVE Solution AVE relies on OpFlex and can support a full layer 2 network (Nexus 7k/6k/5k/3k/2k/FI) infrastructure between the leaf and the hypervisor

22 Distributed Firewall Maintain Existing Security Polices Across Moves Scenario How can one maintain security policies and the state across Moves? Sourc e EPG Source Port Dst EPG Dst Port Flag Action A * B 80 * Allow B 80 A * ACK Allow Prevent malicious SYN+ACK attacks from Provider Solution Offers Stateful Connection Tracking when s move across the DC Stateful filters are limited to checking if the ACK bit is set in the packets from the provider to the consumer without any TCP flow state tracking AVE AVE Cisco AVE maintains a connection table to track TCP flows and creates a TCP flow table entry on receiving the first TCP SYN packet VLAN Protoco l Source IP Source Port Dst IP A TCP IP_A 1234 IP_ B Dst Port 80 A TCP IP_B 80 IP_ 123 SYN + ACK attack from Provider B to Consumer B TCP A where IP_B the connection 80 IP_ A 4 is not initiated by A (Dst Port!=1234) fails since the SYN + ACK packets A are dropped by the AVE in the absence of a matching flow table entry Consumer A VLAN Protoco l Source IP Source Port Dst IP B TCP IP_A 1234 IP_ B Dst Port Provider B

23 ACI: Virtual PoD Extend ACI To Bare-metal Cloud Beta: ACI 3.2 GA: ACI 4.0 IP Network (WAN Core IPv4, IPSEC,MPLS, etc ) Logical Connection To Spine (BGP-EVPN, VXLAN) Virtual Pod vspine vleaf ACI Virtual Edge vleaf On-Premise Remote Location Hypervisor Bare Metal Clouds (IBM cloud, AWS Elastic Metal,oracle etc.) Remote Data Centers Colo Facilities (Equinix, CoreSite etc.) BrownField Deployments

24 Virtual POD Key components vspine + vleaf Run as container services inside s at the vpod location (collocated for availability) vspine: Establishes a BGP EVPN connection to on-prem spine and Centralized endpoint (COOP and BGP) vleaf: Distribute APIC policies to AVE forwarders Not in forwarding data path vpod vtor IP Network vspine vtor ivxlan Overlay AVE Implements ACI data path functions Use ivxlan for communication within Remote site as well as between the vpod and other PODs AVE Hypervisor Web AVE Hypervisor App AVE Hypervisor DB

25 ACI 3.2: Smart Licensing Track License Usage within ACI Fabric Cisco Smart Software Manager Visibility into ACI License Usage Register APIC with Cisco Smart License Manager Compare Used versus Purchased Licenses

26 Device Led Conversion (DLC) tool The DLC feature is available for customers who have an existing ACI fabric and are upgrading to APIC version 3.2. Smart Licensing view. Verify that DLC is enabled for each existing Cisco ACI deployment. Ensure that you have configured your Smart Account to claim device licenses in Smart Software manager. Ensure all nodes and controllers have been installed and connected to the ACI fabric. Ensure all nodes have been upgraded to the firmware version of the APIC. Ensure all features for which you have purchased licenses are in use. You can view this in the License Summary section of the of the Smart Licensing view. x/smart_licensing/b_smart_licensing.html

27 ACI 3.2: Infrastructure Enhancements Connectivity Breakout On Converted Ports (93180YC-FX) MTU 9216 on TOR Front Panel) TWAMP PBR Enhancements Usability Fabric Access Policy Simplification CPU-Memory Table By Node Search Apps Dashboard Operations Smart Call Home Upgrade To/From +/- 2 Smart Licensing Long Lived Releases GUI Enhancements

28 Summary Views

29 Show Config Zones on Topology

30 Port Config Copy/Paste

31 Duplicate IP Usage

32 ACI 3.2 GUI Configuration Multi-Tier App with Service Graph Simplification Fabric Access Policy Simplification Port Config Copy/Paste Multi-Pod for Multi-Site Updates Upgrade Device Package Summary Views Show Config Zones on Topology Improved Search Functionality Tenant/Fabric Folder Simplification Full Screen ACI Apps ACI Apps as Dashboards Operations Last Fabric Route-Reflector Warning During Decommission Ignore Faults/Change Severity Events/Audit Log Fault Correlation Duplicate IP Usage Usability

33 ACI Release 3.2(1) FW Cluster Support across Pods IPN Active and Standby pair deployed across Pods No issues with asymmetric flows Active Standby IPN Independent Active/Standby pairs deployed in separate Pods Need to avoid the creation of asymmetric paths crossing different active FW nodes Active/Standby Active/Standby IPN Cluster FW cluster deployed across Pods Supported from ACI release 3.2 Requires the use of Service-Graph with PBR

34 ACI 3.2: Security Connectivity PingFederate SSO and PingID 2-FA 64k scale ACI-SGT/IP binding scale 802.1x Multi- Domain/Host/Auth Profiles Blacklist Contracts folder EPG Services Multisite L4-L7 Services Anycast MAC/IP for ASA Services Service Graph Wizard AVE L4-L7 routed mode

35 Overview Spine 1 Spine 2 Leaf 2 (FC Leaf 1 NPV switch) Leaf 3 VF-port VN-port NP-port F-port FC NPIV Core Switch VF-port VN-port FCoE Target FCoE Initiator FC Target FC Link FCoE Link F-port N-port 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

36 ACI Anywhere - Vision Any Workload, Any Location, Any Cloud 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 36

37 Optimize Your Network With Cisco ACI, you can build a better network Integrate Hybrid IT anywhere. Protect Your Business 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public