Cisco DC Networking: Improved Insight and Programmability
Robert Zalobinski, Technical Solutions Architect
Nadir Lakhani, Technical Solutions Architect
November 28, 2017
Cisco Connect Montreal
Your Time Is Now
© 2017 Cisco and/or its affiliates. All rights reserved.

Gain Insight and Programmability with Cisco DC Networking


C97-739634-00 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Pillars of Cisco’s Data Center Strategy

• Hardware innovation
• Application aware
• Multicloud First
• Capture Intent


Cisco Data Center Use Cases

Multicloud Mobility Security Modernize Infra.

• Threat Intel

• Multi-layer

• Compliance

• Performance

• Security

• Scale

Analytics

• Infra.

• Apps.

• Ops.

Automation

• Ops

• Provision

• Maint.

• Benchmark

• Policy

• Blueprints


Nexus Switching


Portfolio at a Glance

Nexus 7000 Series (Modular)
• Nexus 7700 Series
• Nexus 7000 Series
• Nexus F and M Series Line Cards

Nexus 3000 Series (Fixed)
• Nexus 3200 Series
• Nexus 3100 Series
• Nexus 3600 R Series

Nexus 5000 and 2000 Series (Fixed)
• Nexus 5600 Series
• Nexus 2300 Series

Nexus 9000 Series (Modular)
• Nexus 9500 Series
• Nexus 97xx Series Line Cards
• Nexus 96xx-R Series Line Cards

Nexus 9000 Series (Fixed)
• Nexus 9300 Series
• Nexus 9200 Series


Areas of Investment

CloudScale ASICs: Nexus 9000 CloudScale
General Data Center Design
• High Speed Fabrics (ACI, NX-OS)
• VXLAN, Segment Routing

Broadcom Jericho: Nexus 9000 Jericho
Financials and Collapsed Core/Edge
• Financial Multicast (UDP)
• VXLAN, Segment Routing, MPLS
• Large Routing Tables and WAN buffer requirements

Cisco Custom ASICs: Nexus 7000 Series
General Data Center Design
• Data Center Interconnect
• DC and Campus Core
• Cross Domain Policy Integration

Broadcom T2+/T3/TH/TH2/Jericho: Nexus 3000 Series
Merchant Silicon Alternative
• Fabric Designs (customers specifically looking for BCOM based SOC)
• Specific Use Cases (ULL, Data Path Programmability)


EX and FX Series Cloud Scale Switches

Nexus 9200/9300

Nexus 9500

EX Cloud Scale
• ACI and NX-OS
• 10/25/40/100G
• Tetration Hardware Sensor
• Support for N2000 (FEX)

FX Cloud Scale Enhancement
• Line rate Encryption
• UP (25GbE and 32G FC)
• 25G RS FEC


Nexus 9000 Cloud Scale
Fabric Foundation with 2 Year Innovation Advantage

Nexus 9200/9300

Nexus 9500

Innovations
• Integrated line rate flow capture
• Streaming analytics export off chip
• Integrated line rate encryption
• Smart Buffering
• Multi-speed ports
• 64p 100G line rate routing in single chip
• Unified ports: 10/25GbE and 8/16/32G FC


Nexus 9000 Cloud Scale
Addressing Customer Cloud Asks

• Visibility and telemetry at line rate
• Encryption at line rate
• Fastest available: 10/25/50/100G
• The right price point/50% lower system cost
• Multi-speed: upgrade when needed/minimize disruption
• Dynamic Fabric Performance Optimization for Cloud Applications
• Better reliability

Nexus 9200/9300

Nexus 9500

Nexus 9000 Cloud Scale


Nexus 9300 Portfolio

Modular Uplink

Integrated Uplink

48x25G+6x100G (Nexus 93180YC-EX)

48x10GT+6x100G (Nexus 93108TC-EX)

28p 40/50G+4p 100G (Nexus 93180LC-EX)

48x10GT+12x40G (Nexus 9396TX)

48x10G+12x40G (Nexus 9396PX)

96x10G+8x40G (Nexus 93128TX)

32x40G (Nexus 9332Q)

48x10GT+6x40G (Nexus 9372TX(E))

48x10G+6x40G (Nexus 9372PX(E))

96x10G+6x40G (Nexus 93120TX)

Gen 1: 2 ASICs Gen 2: CloudScale (1 ASIC)

48x25G+6x100G (Nexus 93180YC-FX)

(Q2CY17)

48x1GT+4x10/25G+2p 100G (Nexus 9348GC-FXP)

48x10GT+6x100G (Nexus 93108TC-FX)

1G

10GT

10/25G

40/50G


Innovations in Cisco NX-OS

Programmable Fabric
• VXLAN EVPN multi-site solution
• VXLAN OAM, Tenant Multicast
• Segment Routing L3 EVPN
• DCNM Integration

Visibility/Analytics
• Tetration Integration
• NX SW and HW Streaming Telemetry
• Netflow-v9

Security
• Secured Access
• Encryption (MacSec and CloudSec)

High Availability
• Enhanced ISSU

Automation
• DCNM
• Nexus Configuration Mgmt Modules (Puppet/Chef/Ansible)
• Industry Standard Data Models (OpenConfig / IETF YANG)

Infrastructure
• NX-SDK
• Intelligent Services, PMN
• FCOE FC UP on FX Platforms


Cisco ACI
Path to Agility in an App-Centric World


Cisco ACI: Industry Leader

• Data Center Switching Growth: 6% Y/Y Q4
• ACI Customers: 4,000+
• ACI Attach Rate on N9K: 50+%
• Ecosystem Partners: 65+


ACI Benefits

• Any workload: Physical, Virtual, Containers
• Open Programmability: Conducive for Automation/Orchestration
• Policy Driven: Eliminates Network Dependencies
• Optimal DC Network: Eliminates L2 Spanning-Tree Protocol, L3 Fabric, Integrated VXLAN Overlay, Distributed L3 GW
• VMM Integration: vCenter, HyperV, Openstack, Kubernetes
• Single Point of Configuration: APIC Controller
• Secure White-list Model
• Next-Gen DC Fabric: Spine / Leaf
• Network Services Integration: Network Policy, Service Policy, Service Manager


ACI Anywhere
Any Workload, Any Location, Any Cloud

• Remote PoD
• Multi-Pod / Multi-Site
• Hybrid Cloud Extension

[Diagram labels: Remote Location, On Premise, Public Cloud, IP WAN]

Security Everywhere, Policy Everywhere, Analytics Everywhere


What’s New in ACI 3.0? Hardware, Security, Scale, Usability, Fabric Extension

Policy-Driven Infrastructure

Fabric Management
• Multi-Site
• Refreshed APIC GUI
• Graceful Insertion and Removal
• QinQ to EPG Mapping
• TCAM Tile Infra
• Latency and Precision Time Protocol

Infrastructure
• Nexus 9364C (Fixed Spine)
• Nexus 9348GC-FXP (1G ToR)
• N9K-X9736C-FX (Spine LC)
• Ingress QoS Policing per EPG

Virtualization
• Kubernetes Support
• VMM: Delayed EP detach/attach for DVS and AVS
• AVS: QoS Marking

Security
• Micro-segmentation Enhancements
• 802.1X – End Point Authentication
• 2 Factor Authentication
• First Hop Security


ACI Software Enablement
Nexus 9000 Platforms

Nexus Foundation: CloudScale Platforms (Nexus 9300, Nexus 9500, Nexus 9000)

• ACI 3.0: Nexus 9364C, Fixed Spine, 64p 40/100G QSFP
• ACI 3.0: Nexus 9736C-FX, 36p 40/100G Line Card (4/8/16 slot)
• ACI 3.1: N9K-C9516-FM-E2, Fabric Module with 100G (16 slot)
• ACI 2.2(2): Nexus 93180YC-FX, 48p 10/25G SFP + 6p 40/100G QSFP
• ACI 2.2(2): Nexus 93180TC-FX, 48p 1/10GT + 6p 40/100G QSFP
• ACI 3.0: Nexus 9348GC-FXP, 48p 100M/1G Base-T, 4p 10/25G SFP+


ACI Multisite
Extends Network Virtualization, Policy & Services to Multiple Fabrics

• Geographically Dispersed Active/Active Data Centers
• Active/Standby Data Centers For Disaster Recovery
• Stretch VRF, EPG, BD Across Sites with VXLAN
• Up to 500ms to 1 sec Latency

[Diagram labels: Site A, Site B, Inter-Site IP Network, Multi-Site Appliance]


First Step Towards Intuitive APIC GUI

Usability
• New Look and Feel across Applications
• Consistent Layout across Tabs
• Collaborate by Sharing Objects
• Simplified Topology Views
• Release Bulletin
• Troubleshooting
• User Profiles
• Alerts

Operations
• Personalized User Profile
• Dashboard Widgets
• Improved Health Score and Fault Counts

Configuration
• Best of both Basic and Advanced UI
• Simplified Port Selectors
• Workflows simplified
• New APIC Postman App


Graceful Insertion and Removal (GIR)

1. Gracefully isolate the node from fabric
2. Troubleshoot (if required)
3. Re-commission the node

GIR diverts the data traffic to alternate paths and allows node troubleshooting, maintenance and upgrade.

[Diagram label: L2/L3]


Cisco ACI Virtual Edge
Decoupled From Hypervisor Kernel API Dependencies

ACI Virtual Edge (AVE)
• Maintain Existing Operational Models
• Simple Transition/Migration AVS => AVE
• Policy Consistency Across Multiple Hypervisors
• AVS/AVE Feature Parity

Legacy AVS (Today): Hypervisor Dependent
Cisco AVE (Q1 CY18): Hypervisor Agnostic

[Diagram labels: VM, Native vSwitch, AVS, AVE, Switching + Policy Enforcement, Policy Enforcement, Services, Telemetry, User Space, Kernel, Q2 FY18, Q1 CY18, Future]


ACI Infrastructure (Future)
Extend ACI Policy to Satellite Data Centers

Options
1. Remote Physical Leaf (Nexus 9K): ACI 3.1, Q1 CY 2018
2. Remote Pod (Virtual): Futures

[Diagram labels: On Premise, IP Network, L2 / L3, Remote Data Center, Nexus 9K Physical Leaf, Remote PoD Virtual (Spine + Leaf), AVE]


ACI Infrastructure Enhancements

Categories: Connectivity, Usability, Maintenance, Operations

• Integration of Clustered Network Services
• IEEE 1588 and Latency (ACI 3.0)
• TCAM Profiles (ACI 2.3 and ACI 3.0)
• Maintenance Mode (ACI 3.0)
• Software Maintenance Update (SMU) Patching Support
• Mixed OS (ACI 2.3)
• EPG Contract Inheritance (ACI 2.3)
• New APIC GUI with Simplified Workflows (ACI 3.0)
• vSphere Tags (ACI 2.3)
• 100G Front Panel Port Support: 93180LC-EX (ACI 2.3)
• Breakout (93180LC-EX) (ACI 3.1)
• Flexible Port Configuration for Uplink/Downlink
• QSA (9364c) (ACI 3.1)


ACI: Cloud Automation
Virtualization and Orchestration

Deploy Tenant

Deploy App

Deploy Firewall

vSphere 6.5, Tags (ACI 2.3)

vCenter Plugin (RBAC) (ACI 3.0)

NG-Application Virtual Switch

AzurePack – VPN Termination (ASA, ASR 1K)

AzureStack

Newton Support, IPv6 (ACI 2.3)

Bare-Metal Provisioning (Ironic)

Ocata Support

Cloud Automation

Unified Networking (ACI 3.0)

Integration of Kubernetes network policies and ACI policies

Visibility


ACI Security
Automated Security with Built In Multi-Tenancy

Q4 CY2018

Micro-Segmentation: DNS EPG, AD Based EPG (ACI 3.1)

ACI 3.0

Contracts: Inheritance, Intra-EPG Contracts

Q4 CY2017

Certifications: FIPS and UC-APL Certified; Common Criteria (in progress)

ACI 3.1

MACSEC Encryption: APIC Centralized Key Management

ACI 2.3

ACI-TrustSec Integration: Higher Scale (15K)

ACI 3.0

First Hop Security: IP Source Guard, DHCP Guard, DHCP Snooping, etc.


Scale Improvements

FEX
• Up to 650 / Fabric
• Up to 20 / Leaf

Leafs
• Up to 400 Per Fabric
• 8 Border Leafs per L3 Out

Multicast Groups
• Up to 8,000 (S,G) routes with Convergence of 5 seconds

Bridge Domains
• Up to 21,000 (L2), 15,000 (L3)
• Up to 1750 Bridge Domains/VRF
• 3967 VLANs per leaf
• 3967 VLANs + BDs

EPGs
• Up to 15000
• Up to 1k L3 EPGs/EX-Leaf
• 4k L3 EPGs for one tenant & one context
• 250 Isolated EPGs

Other
• Up to 200 vCenters
• Up to 2,000 Contracts
• Up to 61k TCAM Rules
• 500 Service Graphs Per Cluster
• Up to 12 Pods in Multi-Pod

Tenants
• Up to 3000

Layer-3
• 50 VRFs Per Tenant, 1k IPs/MAC


ACI/NX-OS
L4-7 Integrations: Interoperate and Extend Automation

Security Enforcement, Security Management, ADC


Cloud Orchestration and ITSM

Cloud Automation and PaaS

Monitoring NX-OS

Rich Ecosystem with Cisco ACI and NX-OS


Cisco ACI: App Center
Programmable Infrastructure: Open APIs For Value Added Applications

ECOSYSTEM Sample Apps

Monitoring and Troubleshooting
• cTrac: Visually monitor externally routed interface states and next hop add/delete

Analytics
• Fault Analytics: Intuitively analyze historical fault metrics and audit logs with variety of filters

Auto Provisioning
• Tetration: Auto Provision ACI network by simply importing Tetration ADM

Connectors and Integrators
• Infoblox v2.0: Improved UI with robust syncing. Configure and provision new DHCP ranges from the App


Cisco Tetration Analytics
Get to a Secure Zero-Trust Model in an Application-Centric World


Security Challenges in Modern Data Centers
Securing Applications Has Become Complex

Applications Are Driving Modern Datacenter Infrastructure

• Rapid App Deployment
• Continuous Development
• Application Mobility
• Micro Services
• Policy Enforcement
• Heterogeneous Network
• Secure Zero-Trust
• Policy Compliance


Holistic Approach to Server Protection

Dynamic and heterogeneous environment

Traffic visibility, server process baseline, and analytics

Policy that enables application segmentation

Segmentation

Application control using whitelists

Advanced behavior analysis

Break organizational siloes


Cisco Tetration Analytics Use Cases

Cisco Tetration™ (Operations and Security)

• Visibility and forensics
• Application insight
• Policy
• Neighborhood graphs
• Application segmentation
• Compliance
• Policy simulation
• Process inventory


Cisco Tetration Analytics Architecture Overview

Data collection layer
• Software sensor and enforcement
• Embedded network sensors (telemetry only)
• ERSPAN sensors (telemetry only)
• Third-party sources (configuration data)
• Bring your own data (streaming telemetry)

Analytics engine

Access mechanism
• Web GUI
• REST API
• Event notification
• Cisco Tetration apps


Cisco Tetration Analytics Data Sources

Software sensors
• Linux servers (virtual machine and bare metal)
• Windows servers (virtual machines and bare metal)
• Windows Desktop VM (virtual desktop infrastructure only)
• Universal* (basic sensor for other OS)

Main features
✓ Low CPU overhead (SLA enforced)
✓ Low network overhead
✓ New Enforcement point (software agents)
✓ Highly secure (code signed and authenticated)
✓ Every flow (no sampling) and no payload

*Note: No per-packet telemetry; not an enforcement point

Network sensors: Next-generation Cisco Nexus® Series Switches
• Cisco Nexus 9300 EX
• Cisco Nexus 9300 FX

Third-party data sources (available today)
• Asset tagging
• Load balancers
• IP address management
• CMDB


Cisco Tetration telemetry: ERSPAN option

Expanded telemetry collection option
• Augment telemetry from other parts of the network
• Useful when software sensor or hardware sensor is not feasible

• Dedicated virtual machines on each host with 4 software sensors in each virtual machine
• Each sensor binds to a separate vNIC
• ERSPAN terminates on the virtual machine vNIC
• Each sensor terminates one ERSPAN session
• Sensor generates telemetry based on the data-plane traffic
• Horizontally scalable

[Diagram labels: Production network, Layer 3 switch, ERSPAN, Layer 3 connection, Cisco Tetration™ telemetry, Cisco Tetration™ Platform]


Application Dependency and Cluster Grouping

Cisco Tetration Analytics™ platform
• Unsupervised machine learning
• Behavior analysis

[Diagram of bare-metal (BM) and virtual machine (VM) workloads. Labels: Bare-metal, VM, and switch telemetry; On-premises and cloud workloads (AWS); Bare-metal and VM telemetry; VM telemetry (AMI …); Bare metal and VM; Brownfield; Network-only sensors, host-only sensors, or both (preferred); Cisco Nexus® 9000 Series]


Application clusters conversation views Policy details

Application Conversation View


Whitelist Policy Recommendation

Application discovery

{
  "src_name": "App",
  "dst_name": "Web",
  "whitelist": [
    { "port": [0, 0], "proto": 1, "action": "ALLOW" },
    { "port": [80, 80], "proto": 6, "action": "ALLOW" },
    { "port": [443, 443], "proto": 6, "action": "ALLOW" }
  ]
}

Whitelist policy recommendation (available in JSON, XML, and YAML)


Compliance, Policy Validation

All flows are tracked 4 ways:
• Permitted: bidirectional flows that match the policy
• Misdropped: permitted traffic where we have dropped a packet
• Escaped: bidirectional flows that are against the policy
• Rejected: uni-directional flows that are against the policy
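The four-way classification above, applied to the whitelist JSON from the policy recommendation slide. This is an added example, not Cisco's code: the flow record fields and the sample flows are constructed assumptions, and a policy-matching flow with no drops is treated as permitted.

```python
import json
from collections import Counter

# Policy in the JSON layout shown on the "Whitelist Policy Recommendation" slide.
POLICY = json.loads("""
{
  "src_name": "App", "dst_name": "Web",
  "whitelist": [
    {"port": [0, 0],     "proto": 1, "action": "ALLOW"},
    {"port": [80, 80],   "proto": 6, "action": "ALLOW"},
    {"port": [443, 443], "proto": 6, "action": "ALLOW"}
  ]
}
""")

# Constructed flow observations. The field names are assumptions for this
# example, not the Tetration flow schema.
FLOWS = [
    {"src": "App", "dst": "Web", "proto": 6,  "port": 443, "bidirectional": True,  "dropped": 0},
    {"src": "App", "dst": "Web", "proto": 6,  "port": 80,  "bidirectional": True,  "dropped": 3},
    {"src": "App", "dst": "Web", "proto": 6,  "port": 22,  "bidirectional": True,  "dropped": 0},
    {"src": "App", "dst": "Web", "proto": 17, "port": 53,  "bidirectional": False, "dropped": 1},
    {"src": "App", "dst": "Web", "proto": 1,  "port": 0,   "bidirectional": True,  "dropped": 0},
]


def matches_policy(policy, flow):
    """True if the flow is between the policy's endpoints and an ALLOW
    entry covers its protocol number and destination port."""
    if (flow["src"], flow["dst"]) != (policy["src_name"], policy["dst_name"]):
        return False
    for entry in policy["whitelist"]:
        low, high = entry["port"]
        if (entry["action"] == "ALLOW" and entry["proto"] == flow["proto"]
                and low <= flow["port"] <= high):
            return True
    return False


def classify(policy, flow):
    """Map one observed flow to one of the slide's four categories."""
    if matches_policy(policy, flow):
        # Allowed by policy, yet packets were dropped: a misdrop to investigate.
        return "misdropped" if flow["dropped"] > 0 else "permitted"
    # Against policy: traffic came back (escaped) or it did not (rejected).
    return "escaped" if flow["bidirectional"] else "rejected"


def compliance_report(policy, flows):
    """Return per-category counts and the escaped flows, which are the
    policy violations that actually got through."""
    labels = [classify(policy, f) for f in flows]
    escaped = [f for f, label in zip(flows, labels) if label == "escaped"]
    return Counter(labels), escaped


if __name__ == "__main__":
    counts, escaped = compliance_report(POLICY, FLOWS)
    print(dict(counts))
    for flow in escaped:
        print("escaped:", flow)
```
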


User-Uploaded asset tags

• Discovered inventory
• Uploaded inventory and metadata (32 arbitrary tags)
• Inventory tracked in real time, along with historical trends

[Diagram labels: User-uploaded tags; Cisco Tetration Analytics™ sensor feed; VMware vCenter (virtual machine attributes); AWS attributes (AWS tags); Cisco Tetration Analytics merge operation; Real-time inventory merged with information with historical trends]


Segmentation Policy: Express Policies in Human Language

Development can’t talk to production

• Cisco Tetration™ knows who is production

• Cisco Tetration knows who is development

• Policies are continuously updated as applications change


Cisco Tetration Application Segmentation Policy Recommendation

Cisco Tetration Analytics™

Application workspaces

Application segmentation policy

Public cloud

Private cloud

On-premise


Enforcement of Policy across any floor tile

Azure Amazon

Cisco Tetration Analytics™

1. Generates unique policy per workload

2. Pushes policy to all workloads

3. Workload securely enforces policy

4. Continuously recomputes policy from identity and classification changes

Google

Enforcement

Compliance monitoring

Virtual, Bare metal, Cisco ACI™, Public cloud, Traditional network


Policy-Related Notification

[Diagram labels: Cisco Tetration Analytics™, Message publish, Kafka broker, Northbound consumers]

Kafka
• Alerts every minute for enforcement
• Policy compliance event notifications
• Count of policy alerts until whitelisted
• Alerts when IP tables or firewall is flushed or disabled by user
• Alerts when enforcement sensor is disabled
• Publishes policy differences between versions


Rule-Processing Order

• Application owners need some amount of autonomy to make application-level changes quickly

• Security and network teams need to control the global aspects of application interconnection and shared services

• Cisco Tetration™ flattens intent in a deterministic order, prioritizing intent of higher-authority users over intent of application owners

Security team rules

Network team rules

Application owner rules
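One way to picture the rule-processing order above, using the "Development can't talk to production" intent from the segmentation slide. This is an added example, not Tetration's implementation: the rule fields, scope labels, first-match evaluation and default-deny fallback are all assumptions.

```python
# Authority tiers in the order the slide lists them, highest first.
TIER_ORDER = ["security", "network", "app_owner"]
ANY = "*"

# Constructed rules, deliberately listed out of priority order.
# Field names and scope labels (Dev, Prod, Shared) are assumptions.
RULES = [
    {"name": "app-db", "tier": "app_owner", "src": "Dev", "dst": "Prod",
     "proto": 6, "port": [5432, 5432], "action": "ALLOW"},
    {"name": "net-dns", "tier": "network", "src": ANY, "dst": "Shared",
     "proto": 17, "port": [53, 53], "action": "ALLOW"},
    {"name": "sec-dev-prod", "tier": "security", "src": "Dev", "dst": "Prod",
     "proto": None, "port": [0, 65535], "action": "DENY"},
    {"name": "app-web", "tier": "app_owner", "src": "Prod", "dst": "Prod",
     "proto": 6, "port": [443, 443], "action": "ALLOW"},
]


def covers(outer, inner):
    """True if everything matched by `inner` is also matched by `outer`.
    A proto of None means any protocol; ANY means any scope."""
    return (outer["src"] in (ANY, inner["src"])
            and outer["dst"] in (ANY, inner["dst"])
            and outer["proto"] in (None, inner["proto"])
            and outer["port"][0] <= inner["port"][0]
            and inner["port"][1] <= outer["port"][1])


def flatten(rules):
    """Order rules by authority tier. sorted() is stable, so rules inside
    one tier keep their input order and the result is deterministic."""
    return sorted(rules, key=lambda r: TIER_ORDER.index(r["tier"]))


def decide(flat, src, dst, proto, port, default="DENY"):
    """First matching rule in the flattened list wins."""
    flow = {"src": src, "dst": dst, "proto": proto, "port": [port, port]}
    for rule in flat:
        if covers(rule, flow):
            return rule["action"], rule["name"]
    return default, "default"


def shadowed(flat):
    """Rules that can never take effect because an earlier rule with a
    different action matches everything they match."""
    found = []
    for i, later in enumerate(flat):
        for earlier in flat[:i]:
            if earlier["action"] != later["action"] and covers(earlier, later):
                found.append((later["name"], earlier["name"]))
                break
    return found


if __name__ == "__main__":
    flat = flatten(RULES)
    print([r["name"] for r in flat])
    print(decide(flat, "Dev", "Prod", 6, 5432))
    print(shadowed(flat))
```

The `shadowed` report is the audit view: it lists application-owner rules that a higher-authority rule silently overrides.
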


Cisco Tetration Analytics Open API

REST API
• Cisco Tetration flow search
• Sensor management

Push notification
• Out-of-the-box events
• User-defined events

Cisco Tetration applications
• Access to data lake
• Write your own application

[Diagram labels: Cisco Tetration Analytics™ platform, Programmatic interface, REST API, Northbound application, Message publish, Kafka broker, Northbound consumers, Cisco Tetration™ applications]


Cisco Tetration: Bring your own data

Main features
✓ Stream any JSON-based telemetry to a data sink
✓ Support up to 10 simultaneous streaming topics
✓ Bring up to 5 GB of data per hour per streaming topic
✓ Analyze and write your results through alerts or UI

[Diagram labels: Streaming JSON telemetry, Public Cloud, Data sink, Northbound consumers]


Cisco Tetration: User authentication

Authentication
• External AAA server integration
• Authentication through Kerberos or LDAP
• Support for multiple domains
• Default to local authentication and authorization, if not configured

RBAC capabilities
• Local users created automatically when they log in
• Administrator maps users to specific roles and scopes for authorization
• Administrator can set default role and scope for users without specific roles and scope mapping

[Diagram labels: Cisco Tetration Analytics™; Users and application owners and administrators; Active Directory integration for authentication; Windows Server Active Directory; App 1, Role: Enforce; App 2, Role: Execute; App 3, Role: Read only; WordPress; SAP]


Tetration Analytics: Deployment Options

On-premises options

Cisco Tetration™ Platform (large form factor)
• Suitable for deployments of more than 5,000 workloads
• Built-in redundancy
• Scales to up to 25,000 workloads
Includes:
• 36 x Cisco UCS® C220 servers
• 3 x Cisco Nexus® 9300 platform switches

Cisco Tetration-M (small form factor)
• Suitable for deployments of less than 5,000 workloads
Includes:
• 6 x Cisco UCS C220 servers
• 2 x Cisco Nexus 9300 platform switches

Public cloud (Amazon Web Services)

Cisco Tetration™ Cloud
• Software deployed in AWS
• Suitable for deployments of less than 1000 workloads
• AWS instance owned by customer


Cisco Tetration Analytics Ecosystem

Service visibility Layer 4-7 services integration

Security orchestration Service assurance

Insight exchange

Cisco Tetration Analytics™


In summary: Platform built for scale and flexibility

Real time and scalable
• Every packet, every flow
• Application segmentation for 1000s of applications
• Long term data retention

Granular policy enforcement
• Consistent policy enforcement
• Identify policy deviations in near real-time
• Support for workload mobility

Easy to use
• One touch deployment
• Self monitoring
• Self diagnostics

Open
• Standard web UI
• REST API (pull)
• Event notification (push)
• Tetration applications


Cisco Data Center Reference Architecture

Cisco Prime services catalog

Cisco Nexus, Cisco HyperFlex, Cisco UCS, Cisco MDS, Cisco AzureStack

Cisco Tetration Analytics, Cisco Security Portfolio

Cisco CloudCenter, Cisco Turbonomics, AppDynamics, Cisco Tetration Analytics, Cisco ACI

Cisco ACI, Cisco DCNM, Cisco Intersight, Cisco UCS-Director

Cisco Tetration Analytics, AppDynamics

IT services consumption

multicloud

Private cloud/PaaS Integration

DC Infrastructure

Management and automation

Security

Analytics

ACI / Nexus

Tetration

Thank you.