教程案例教案aci40d

1、ACI Product Management Application Centric Infrastructure Release 4.0 Update 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Extends ACI AnywhereOptimized FootprintOperational SimplicityCloud AutomationSecurity 4.0 Application Centric InfrastructureBuilding anIntent-Based D

2、ata CenterSMART LicensingNetworking Infrastructure: Nexus 9000 Series PlatformsACI Software Enablement4ACI Leaf: N9K-C93240YC-FX248p 1/10/25G SFP28, 12p 40/100G QSFP28 ACI Access Leaf Flexible Speed 1/10/25/40/100G PortsLine-rate MACSEC Encryption40MB Buffer (10MB Per Slice, 20MB Shared) With Smart

3、Buffer Feature 1:1 Oversubscription for High Bandwidth ApplicationsFEX SupportTelemetry FT, FTE and SSXFlexible TCAM TemplatesNTE$30,000N9K-C93240YC-FX2ACI 4.05ACI Spine: N9K-C9332C 32p 40/100G QSFP28 1RU Form Factor To Support Small Scale ACI Fabric DeploymentsTelemetry SSX SupportEncryption Suppor

4、t On The Last 8 Ports10G Support With QSA At FCSSupport For AC/DC/HVDC PSU At FCS On Port-side Exhaust And Port-side IntakeOptics Support Parity With Existing ProductsTransition 1st Gen Nexus 9336PQ ProductNTE$36,000N9K-C9332CACI 4.06ACI Software EnablementNexus 9000 & APIC HardwareNexus Foundat

5、ion: CloudScale PlatformsNexus 9300Nexus 9500ACIFuturesNexus C93216TC-FX2 96p 10GT12p 100G QSFP28ACI4.0APIC-CLUSTER-M3(= 1250 Leaf Ports)ACI4.0ACIFuturesNexus C93360YC-FX296p 25G SFP2812p 100G QSFP28 ACI4.07ACI Multi-Site VMVMVMSite ASite BSite CSite DVMVMVMMulti-Site OrchestratorVMVMVMVMVMVMPolicy

6、ConsistencySingle Point Of Orchestration Availability Fault Isolation Scale Shipping Since ACI 3.0 (Q3 CY 17)Consistent Policy across sitesSingle Point of OrchestrationFault IsolationScale 2018 Cisco and/or its affiliates. All rights reserved. Cisco ConfidentialACI 3.2 ReleaseMulti-Site + Multi-PodL

7、4-L7 Services SupportSpine-Spine (Dark Fiber)Consistency Checker ( Multi-Site, APIC, HW)UCS-D Orchestration (6.6)Up To 10 Sites, 1200 LeafsACI 3.1 ReleaseNexus 9364C (Fixed Spine)Multi-Site Health Check External AuthenticationAudit / Accounting LogsShared GolfUp To 8 Sites, 800 LeafsACI 4.0 ReleaseC

8、loudSec L3 Multicast2-Node Service Graphs (FW+SLB)ER SPANN9K-9332C SpineUp To 12 Sites, 1200 LeafsACI: Multi-SiteRoadmapACI 4.1 ReleaseInter-site L3outMultisite + Remote LeafL1/L2 PBR Service GraphsPhysical AppliancePatch API, SwaggerACI Mini SupportNew 2018 Cisco and/or its affiliates. All rights r

9、eserved. Cisco ConfidentialACI Release 4.1ACI Release 4.1MSC 2.1MSC 2.1181,8004001,0004,0004,0004,000500400Number Of SitesMax Leafs (across sites)TenantsVRFBDEPGsContractsL3Out (External EPGs)Isolated EPGsACI Release 3.1ACI Release 3.1MSC 1.1MSC 1.188002004002,0002,0002,000500400ACI Release 3.2ACI R

10、elease 3.2MSC 1.2MSC 1.2101,2003008003,0003,0003,000500400ACI Release 4.0ACI Release 4.0MSC 2.0MSC 2.0121,2004001,0004,0004,0004,000500400ACI Multi-SiteContinuous Scale ImprovementsNew10ACI Remote LeafSatellite DCBrownfieldRemote Location AVMVMVMVMVMVMVMVMAny Routed IP Network Telco/Co-loVMVMVMVMVMV

11、MVMRemote Location BVMVMVMVMVMVMVMRemote Location CVMVMVMVMVMVMVMZero Touch Auto Discovery of Remote Leaf AVE Policy Consistency Across Multiple HypervisorsAVS/AVE Feature Parity Q1 CY18Shipping Since ACI 3.1 (Q1 CY 18)VMVMVMVMVMVMVMACI Virtual Edge (AVE)ACI Virtual EdgeHypervisor DependentVM VM VM

12、VM VM VMHypervisorBare Metal ServerAVSHypervisor AgnosticACI Virtual EdgeVMVM VMHypervisorBare Metal ServerNative Switch 2018 Cisco and/or its affiliates. All rights reserved. Cisco ConfidentialACI 3.2 ReleaseACI 3.2 ReleaseL4-L7 ServicesHealth MonitoringRemote Physical Leaf SupportRemote Storage Su

13、pportACI 3.1 ReleaseACI 3.1 ReleaseVLAN, VxLANMicro-SegmentationDistributed FirewallMigration from AVSACI FutureACI FutureVirtual Pod (vPod)Proactive HAVxLAN Load BalancingLocal Switching and PolicyContainer L4-L7 ServicesMulti NIC supportACI 4.0 ReleaseACI 4.0 ReleaseTetration SensorACI: Virtual Ed

14、ge (AVE)RoadmapNew 2018 Cisco and/or its affiliates. All rights reserved. Cisco ConfidentialIP Network Cisco ACI Virtual PodExtend ACI to Bare Metal Clouds and Remote Data CentersBare Metal Clouds (IBM, OVH, etc.)Remote Data CentersCo-location Facilities (Equinix, CoreSite etc.)Brownfield Deployment

15、s Remote location On-premises ACI Data Center VMVMVMVMVMVMVMVMVMVMVMVMVMVMHypervisorPolicy extension from On-premise DCLimited Availability 2018 Cisco and/or its affiliates. All rights reserved. Cisco ConfidentialACI vPod RequirementsHardware & Software ComponentsSupported SpinesFixed SpineN9364

16、CN9332CModular Spine (C9504/C9508/C9516)N9732C-EX with N9K-C950 x-FM-E(2)N9736C-FX with N9K-C950 x-FM-E(2)APIC Controller SoftwareACI 4.0+ onward releaseVMware vCenter running 6.0 or later2 hosts for Management cluster recommendedManagement & Payload Can Co-exist ESXi 6.0 or 6.5Each vSpine (x2)

17、& vLeaf(x2) VM consumes 4vCPU, 16 GB RAM and 80 GB storageEach AVE (one per ESXi host) VM consumes 2vCPU, 8 GB RAM and 8 GB storage*Footprint of VMs might change at FCS.vPod Data CenterOn-Premises Data CenterLimited Availability 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confid

18、entialACI vPod License ElementsCisco ACI Virtual Edge (vPod Mode - per Workload Server)ACI Virtual EdgeManagement Cluster per vPodAVE (vPod Mode) per ServerAVE (vPod Mode) per Server64 HostsUp To 6 vPods In FCS ReleaseSingle License Per Management Cluster Up to 64 AVE per vPod (FCS Up To 8)Software

19、License Per AVE(AVE is NOT Licensed if Not In vPod)AVE (vPod Mode) per ServerLimited Availability 30 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential2SMART Account Is Required At Order TimeACI Software-only SKUs - Customer Supplies Server HW ACI vPod Software Licensing SKUsS

20、ubscription Of 1, 3, 5 Year Licenses Will Be OfferedACI Software-only SKUSCustomer Supplies HW ACI-VPOD-MGMT=ACI vPod Redundant Management Cluster Software (vSpine & vLeaf) X 2 $0 (No Cost)ACI-VPOD-AVE=ACI vPod Virtual Edge Software (Per Server)$2,500 (per Server)1Limited Availability 31NodeNode

21、Independent Openstack VMM domain and Openshift Container DomainOpenshift Nodes run as Openstack instances connected to a special Neutron network with APIC extensionsOpflex managed KVM-OVS and Openshift-OVS without double encapsulation.Both Openshift PODs and KVM instances are first class citizens.Su

22、pported with Red Hat OSP10 or higher and Openshift 3.9.OpenShift on OpenStack integration with ACINodeOpFlexOVSACI PoliciesNetwork PolicyNodeOpFlexOVSFeaturesACI 4.0OpFlexOVSOpFlexOVSNovaServersKVM VMNeutron Policy32Supported Container Application PlatformsBaremetalESXiKVM/OpenStackOpen source Kuber

23、netesFutureOpenshiftR4.0 CommittedPivotal Cloud Foundry n/aFutureDocker EE (Kubernetes) Future FutureFutureMesosphere Future FutureFutureRefer to the ACI virtualization support matrix for details: ACI Security 2017 Cisco and/or its affiliates. All rights reserved. Cisco ConfidentialACI 2-Factor Auth

24、entication Options VMVMVMVMVMVMVMExternal Authenticationvia SAML and IDPs supported Okta & MSFT ADFSLocal AuthenticationTOTP using Google Authenticator for 2nd factor pin/barcode RSA SecureIDPingFederate SSO PingID 2-FAFederal Common Access Card (CAC)ACI 3.0ACI 3.0ACI 3.1ACI 3.2ACI 4.0New 2017 C

25、isco and/or its affiliates. All rights reserved. Cisco ConfidentialACIStretchFabricSpineLeafIPN/WANDCI (N7k/ASR9k)N7k/ASR9kGenerate Keys for Every Link SegmentBorder LeafVmware AVS3. Multi-POD or GOLF1. Fabric Links2. Stretch Fabric 2. Border Leaf to DCI 1. Fabric LinksMACSEC Link EncryptionMKA Key

26、Exchange APIC Centralized Key ManagementMACSEC for Fixed SpinesShipping Since ACI 3.1Support For Fixed Spines:N9k-9364CN9k-9332CNew 2017 Cisco and/or its affiliates. All rights reserved. Cisco ConfidentialCertificationACICertifiedCertifiedCertifiedCertifiedVulnerability ScannersNessus, Fuzzing, etc

27、Port Scan, AppScanCertified(Ran every release)Security CertificationsACI 4.0 2017 Cisco and/or its affiliates. All rights reserved. Cisco ConfidentialACI Hardening Every Major and Minor SW ReleaseFlooding AttacksSYN-FLOOD: Remain stable during SYN flooding attackEST-FLOOD: Remain stable during ESTAB

28、LISHED flooding attackLASTACK-FLOOD: Remain stable during LASTACK flooding attackFINWAIT-FLOOD: Remain stable during FINWAIT flooding attackCLOSING-FLOOD: Remain stable during CLOSING flooding attackPort and Service ScansDEF-CRED: No default authentication credentialsRECON-PORT-TCP: Remain stable du

29、ring TCP port scanRECON-PORT-UDP: Remain stable during UDP port scanRECON-OSID: Remain stable during OS FingerprintingRECON-IP-PROT: Remain stable during IP protocol scanNESSUS-SCAN: Known vulnerability scanner- NessusWEB-DEFECT: Known webserver and application defectsWEB-ID: Remain stable during we

30、b fingerprintingFuzzingESIC: UUT must endure malformed Ethernet packetsICMPSIC: UUT must endure malformed ICMP packetsISIC: UUT must endure malformed IPv4 packetsTCPSIC: UUT must endure malformed TCP packetsUDPSIC: UUT must endure malformed UDP packetsICMPSIC6: UUT must endure malformed ICMPv6 packe

31、tsISIC6: UUT must endure malformed IPv6 packetsTCPSIC6: UUT must endure malformed TCP over IPv6 packetsUDPSIC6: UUT must endure malformed UDP over IPv6 packetsWeb ScanNexposeIBM AppScanOpenVasPlatformHardeningAPIC+N9k ACI Multisite AVE Virtual APIC vPod Telemetry ACI 4.0 Software Hardening 2018 Cisc

32、o and/or its affiliates. All rights reserved. Cisco ConfidentialMulti-SiteIP / WANSite ASite BVMVMVMSite CMACSECMACSECCloudSecTodayFutureACI AnywhereEncrypted DCI ConnectivityACI 4.0New 2018 Cisco and/or its affiliates. All rights reserved. Cisco ConfidentialMulti-SiteIP / WANSite 1MACSECMACSECMACSE

33、CSite 2Site Ntx_keyrx_keyrx_keyrx_keytx_keyrx_keyACI:Cloud SecAutomated Key Distribution & Re-KeyACI 4.0New Multi-site Controller Driven Reliable And Secure Key Transport Non Disruptive Re-key Always EncryptedACI Integrations 2018 Cisco and/or its affiliates. All rights reserved. Cisco PublicMap

34、ping Application And Service Components To ACI(Standalone App)BetaMapping Application And Service Components To ACI(Standalone App)GACross Launch AppDynamics and APIC To Correlate Network And Application DataBaseline Application Health Status In AppDynamics By Correlating ACI MO Health And FaultsMic

35、ro-segmentation Based On Application Tiers ACI 4.0ACI 4.1ACI 4.1FutureFutureNetwork & Application Health Correlation VMVMVMVMVMVMVMAPPDYNAMICSACI: AppDynamics IntegrationIdentify Problems Faster By Correlating Applications & Network Data 2018 Cisco and/or its affiliates. All rights reserved.

36、 Cisco Public 2018 Cisco and/or its affiliates. All rights reserved. Cisco PublicSecurity EnforcementSecurity ManagementApplication Delivery ControlL4-7 Integrations: Integrate, Automate, and InteroperateData Center Networking Rich Ecosystem 2018 Cisco and/or its affiliates. All rights reserved. Cis

37、co PublicCisco ACI Config ManagementSupport for Puppet and Ansible Ansible Tenant, Fabric Access, L3Out, AAA Policies 55 ACI Modules Puppet New Tenant Policies - 11 New Types and Providers Availability Ansible Ansible Core (2.4 and 2.5) Puppet GitHub now; Puppet Forge soon New 2018 Cisco and/or its

38、affiliates. All rights reserved. Cisco PublicIdentify Problems Faster by Correlating Applications & Network DataACI Ecosystem Updates BMC Remedy ITSM Solution for Cisco ACIBeta SoonBeta SoonCisco ACI Configuration Management Support55 ACI Ansible Modules and 11 New Puppet PoliciesMapping & A

39、utomation for Cisco ACI and Legacy Heterogeneous NetworksNew L4-7 Integration without through Service Manager Mode with REST API 2018 Cisco and/or its affiliates. All rights reserved. Cisco PublicCisco ACICisco ACIBroad Ecosystem to Use, Customize and Extend Your IT InvestmentsBroad Ecosystem to Use, Customize and Extend Your IT InvestmentsSMART LicensingC97-739634-00 2017 Cisco and/or