Application Centric Infrastructure Release 4.0 Update
Mayuri Kulkarni, Senior Product Manager
Tom Bakita, Senior Product Manager
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Application Centric Infrastructure 4.0: Building an Intent-Based Data Center
  • Extends ACI Anywhere
  • Optimized Footprint
  • Operational Simplicity
  • Cloud Automation
  • Security
  • SMART Licensing

Release Strategy

ACI Software Release Timeline
[Figure: release timeline covering Q4 2016 to Q1 2019. Major Releases: ACI 2.1, ACI 2.2, ACI 2.3, ACI 3.0, ACI 3.1, ACI 3.2, ACI 4.0, ACI 4.1. Maintenance Releases (Target One Release Every Four Months): ACI 2.0(2), ACI 2.1(2), ACI 2.2(2), ACI 2.3(2), ACI 3.0(2), ACI 3.1(2), ACI 3.2(2), ACI 4.0(2). Long Lived Releases: ACI 2.1(x), ACI 2.2(x), ACI 3.2(x).]

ACI Software Release Guideline
Long Lived Releases
  1. Two Long Lived Releases At Any Given Point of Time
  2. Active Maintenance Will Be Primarily Focused On Long Lived Release
  3. Target Duration Of Long Lived Release Support: Up to 18 Months From FCS
  4. Direct Upgrade From One Long Lived To Next Long Lived Release Will Be Supported
  5. Long Lived Releases Are Recommended For Networks That Will Not be Upgraded Frequently
Short Lived Releases
  1. No Active Maintenance Beyond Six Months From FCS

Application Centric Infrastructure: Areas Of Investment
  • Networking Infrastructure
  • Network Security and Operations
  • Virtualization and Cloud
  • Open Ecosystem Integrations

Networking Infrastructure: Nexus 9000 Series Platforms, ACI Software Enablement

ACI Leaf: N9K-C93240YC-FX2 (ACI 4.0)
  • 48p 1/10/25G SFP28, 12p 40/100G QSFP28
  • ACI Access Leaf
  • Flexible Speed 1/10/25/40/100G Ports
  • Line-rate MACSEC Encryption
  • 40MB Buffer (10MB Per Slice, 20MB Shared) With Smart Buffer Feature
  • 1:1 Oversubscription for High Bandwidth Applications
  • FEX Support
  • Telemetry FT, FTE and SSX
  • Flexible TCAM Templates
  • NTE $30,000

ACI Spine: N9K-C9332C (ACI 4.0)
  • 32p 40/100G QSFP28
  • 1RU Form Factor To Support Small Scale ACI Fabric Deployments
  • Telemetry SSX Support
  • Encryption Support On The Last 8 Ports
  • 10G Support With QSA At FCS
  • Support For AC/DC/HVDC PSU At FCS On Port-side Exhaust And Port-side Intake
  • Optics Support Parity With Existing Products
  • Transition 1st Gen Nexus 9336PQ Product
  • NTE $36,000

ACI Software Enablement: Nexus 9000 & APIC Hardware
Nexus Foundation: CloudScale Platforms (Nexus 9300, Nexus 9500)
  • Nexus C93216TC-FX3: 96p 10GT, 12p 100G QSFP28
  • APIC-CLUSTER-M3 (= 1250 Leaf Ports)
  • Nexus C93360YC-FX3: 96p 25G SFP28, 12p 100G QSFP28
  • Release labels on the slide: ACI 4.0, ACI Futures

ACI Multi-Site
[Diagram: Site A, Site B, Site C and Site D, each with VMs, managed by the Multi-Site Orchestrator]
  • Shipping Since ACI 3.0 (Q3 CY 17)
  • Consistent Policy across sites
  • Single Point of Orchestration
  • Availability
  • Fault Isolation
  • Scale

ACI: Multi-Site Roadmap (New)
ACI 3.1 Release
  • Nexus 9364C (Fixed Spine)
  • Multi-Site Health Check
  • External Authentication
  • Audit / Accounting Logs
  • Shared Golf
  • Up To 8 Sites, 800 Leafs
ACI 3.2 Release
  • Multi-Site + Multi-Pod
  • L4-L7 Services Support
  • Spine-Spine (Dark Fiber)
  • Consistency Checker (Multi-Site, APIC, HW)
  • UCS-D Orchestration (6.6)
  • Up To 10 Sites, 1200 Leafs
ACI 4.0 Release
  • CloudSec
  • L3 Multicast
  • 2-Node Service Graphs (FW+SLB)
  • ER SPAN
  • N9K-9332C Spine
  • Up To 12 Sites, 1200 Leafs
ACI 4.1 Release
  • Inter-site L3out
  • Multisite + Remote Leaf
  • L1/L2 PBR Service Graphs
  • Physical Appliance
  • Patch API, Swagger
  • ACI Mini Support

ACI Multi-Site: Continuous Scale Improvements (New)
  • ACI Release 3.1, MSC 1.1: Number Of Sites 8; Max Leafs (across sites) 800; Tenants 200; VRF 400; BD 2,000; EPGs 2,000; Contracts 2,000; L3Out (External EPGs) 500; Isolated EPGs 400
  • ACI Release 3.2, MSC 1.2: Number Of Sites 10; Max Leafs (across sites) 1,200; Tenants 300; VRF 800; BD 3,000; EPGs 3,000; Contracts 3,000; L3Out (External EPGs) 500; Isolated EPGs 400
  • ACI Release 4.0, MSC 2.0: Number Of Sites 12; Max Leafs (across sites) 1,200; Tenants 400; VRF 1,000; BD 4,000; EPGs 4,000; Contracts 4,000; L3Out (External EPGs) 500; Isolated EPGs 400
  • ACI Release 4.1, MSC 2.1: Number Of Sites 18; Max Leafs (across sites) 1,800; Tenants 400; VRF 1,000; BD 4,000; EPGs 4,000; Contracts 4,000; L3Out (External EPGs) 500; Isolated EPGs 400

ACI Remote Leaf
[Diagram: Remote Location A, Remote Location B and Remote Location C, each with VMs, connected over Any Routed IP Network (Telco/Co-lo)]
  • Satellite DC
  • Brownfield
  • Zero Touch Auto Discovery of Remote Leaf

ACI Virtual Edge (AVE)
[Diagram: AVS (Hypervisor Dependent) and ACI Virtual Edge (Hypervisor Agnostic, with Native Switch), each shown with VMs on a Hypervisor over a Bare Metal Server]
  • Policy Consistency Across Multiple Hypervisors
  • AVS/AVE Feature Parity Q1 CY18
  • Shipping Since ACI 3.1 (Q1 CY 18)

ACI: Virtual Edge (AVE) Roadmap (New)
ACI 3.1 Release
  • VLAN, VxLAN
  • Micro-Segmentation
  • Distributed Firewall
  • Migration from AVS
ACI 3.2 Release
  • L4-L7 Services
  • Health Monitoring
  • Remote Physical Leaf Support
  • Remote Storage Support
ACI Future
  • Virtual Pod (vPod)
  • Proactive HA
  • VxLAN Load Balancing
  • Local Switching and Policy
  • Container L4-L7 Services
  • Multi NIC support
ACI 4.0 Release
  • Tetration Sensor

Cisco ACI Virtual Pod: Extend ACI to Bare Metal Clouds and Remote Data Centers (ACI 4.0)
[Diagram: Remote location with VMs on a Hypervisor, connected over an IP Network to the On-premises ACI Data Center; Policy extension from On-premise DC]
  • Bare Metal Clouds (IBM, OVH, etc.)
  • Remote Data Centers
  • Co-location Facilities (Equinix, CoreSite etc.)
  • Brownfield Deployments

ACI vPod Requirements: Hardware & Software Components
[Diagram labels: vPod Data Center, On-Premises Data Center]
Supported Spines
  • Fixed Spine: N9364C, N9332C
  • Modular Spine (C9504/C9508/C9516): N9732C-EX with N9K-C950 x-FM-E(2), N9736C-FX with N9K-C950 x-FM-E(2)
APIC Controller Software
  • ACI 4.0+ onward release
  • VMware vCenter running 6.0 or later
  • 2 hosts for Management cluster recommended
  • Management & Payload Can Co-exist
  • ESXi 6.0 or 6.5
  • Each vSpine (x2) & vLeaf (x2) VM consumes 4 vCPU, 16 GB RAM and 80 GB storage
  • Each AVE (one per ESXi host) VM consumes 2 vCPU, 8 GB RAM and 8 GB storage
  * Footprint of VMs might change at FCS.

ACI vPod License Elements
  • Cisco ACI Virtual Edge (vPod Mode - per Workload Server)
  • Management Cluster per vPod
  • AVE (vPod Mode) per Server
  • 64 Hosts
  • Up To 6 vPods In FCS Release
  • Single License Per Management Cluster
  • Up to 64 AVE per vPod (FCS Up To 8)
  • Software License Per AVE (AVE is NOT Licensed if Not In vPod)

ACI vPod Software Licensing SKUs
  • SMART Account Is Required At Order Time
  • ACI Software-only SKUs - Customer Supplies Server HW
  • Subscription Of 1, 3, 5 Year Licenses Will Be Offered
  • ACI-VPOD-MGMT=: ACI vPod Redundant Management Cluster Software (vSpine & vLeaf) X 2, $0 (No Cost)
  • ACI-VPOD-AVE=: ACI vPod Virtual Edge Software (Per Server), $2,500 (per Server)

ACI: vPod Roadmap
ACI 4.0 Release
  • Local Policy Enforcement
  • Live vMotion across vPod and On-Prem
  • Stretched BD across vPod and On-Prem
  • 6 vPods
  • Local L3out
  • L4-L7 Services
  • Microsegmentation
  • Remote Leaf support
  • Multisite support
  • Tetration Sensor
Future
  • IPv6 support
New
  • 12 vPods

OpenShift on OpenStack integration with ACI (Features, ACI 4.0)
[Diagram labels: Node, OpFlex, OVS, ACI Policies, Network Policy, Nova, Servers, KVM VM, Neutron Policy]
  • Independent Openstack VMM domain and Openshift Container Domain
  • Openshift Nodes run as Openstack instances connected to a special Neutron network with APIC extensions
  • Opflex managed KVM-OVS and Openshift-OVS without double encapsulation.
  • Both Openshift PODs and KVM instances are first class citizens.
  • Supported with Red Hat OSP10 or higher and Openshift 3.9.

Supported Container Application Platforms
Table columns: Baremetal, ESXi, KVM/OpenStack. Cell values as they survive on the page, in order:
  • Open source Kubernetes: Future
  • Openshift: R4.0 Committed
  • Pivotal Cloud Foundry: n/a, Future
  • Docker EE (Kubernetes): Future, Future, Future
  • Mesosphere: Future, Future, Future
Refer to the ACI virtualization support matrix for details:

ACI Security

ACI 2-Factor Authentication Options
  • External Authentication via SAML and IDPs supported: Okta & MSFT ADFS
  • Local Authentication: TOTP using Google Authenticator for 2nd factor pin/barcode
  • RSA SecureID
  • PingFederate SSO, PingID 2-FA
  • Federal Common Access Card (CAC)
Release labels on the slide, in order: ACI 3.0, ACI 3.0, ACI 3.1, ACI 3.2, ACI 4.0

MACSEC Link Encryption
[Diagram: ACI Stretch Fabric with Spine, Leaf and Border Leaf, IPN/WAN, DCI (N7k/ASR9k) and VMware AVS. Labelled link segments: 1. Fabric Links; 2. Stretch Fabric; 2. Border Leaf to DCI; 3. Multi-POD or GOLF]
  • Generate Keys for Every Link Segment
  • MKA Key Exchange
  • APIC Centralized Key Management
MACSEC for Fixed Spines (New)
  • Shipping Since ACI 3.1
  • Support For Fixed Spines: N9k-9364C, N9k-9332C

Security Certifications
[Table: Certification against ACI; four certification rows marked Certified]
  • Vulnerability Scanners (Nessus, Fuzzing, etc., Port Scan, AppScan): Certified (Ran every release)

ACI Hardening Every Major and Minor SW Release
Flooding Attacks
  • SYN-FLOOD: Remain stable during SYN flooding attack
  • EST-FLOOD: Remain stable during ESTABLISHED flooding attack
  • LASTACK-FLOOD: Remain stable during LASTACK flooding attack
  • FINWAIT-FLOOD: Remain stable during FINWAIT flooding attack
  • CLOSING-FLOOD: Remain stable during CLOSING flooding attack
Port and Service Scans
  • DEF-CRED: No default authentication credentials
  • RECON-PORT-TCP: Remain stable during TCP port scan
  • RECON-PORT-UDP: Remain stable during UDP port scan
  • RECON-OSID: Remain stable during OS Fingerprinting
  • RECON-IP-PROT: Remain stable during IP protocol scan
  • NESSUS-SCAN: Known vulnerability scanner - Nessus
  • WEB-DEFECT: Known webserver and application defects
  • WEB-ID: Remain stable during web fingerprinting
Fuzzing
  • ESIC: UUT must endure malformed Ethernet packets
  • ICMPSIC: UUT must endure malformed ICMP packets
  • ISIC: UUT must endure malformed IPv4 packets
  • TCPSIC: UUT must endure malformed TCP packets
  • UDPSIC: UUT must endure malformed UDP packets
  • ICMPSIC6: UUT must endure malformed ICMPv6 packets
  • ISIC6: UUT must endure malformed IPv6 packets
  • TCPSIC6: UUT must endure malformed TCP over IPv6 packets
  • UDPSIC6: UUT must endure malformed UDP over IPv6 packets
Web Scan
  • Nexpose
  • IBM AppScan
  • OpenVas

ACI 4.0 Software Hardening
Platform Hardening
  • APIC+N9k
  • ACI Multisite
  • AVE
  • Virtual APIC
  • vPod
  • Telemetry

ACI Anywhere: Encrypted DCI Connectivity (ACI 4.0, New)
[Diagram: Multi-Site with Site A, Site B and Site C over IP / WAN; labels MACSEC, MACSEC, CloudSec, Today, Future]

ACI: CloudSec Automated Key Distribution & Re-Key (ACI 4.0, New)
[Diagram: Multi-Site with Site 1, Site 2 and Site N over IP / WAN; MACSEC at each site; tx_key and rx_key shown per site]
  • Multi-site Controller Driven
  • Reliable And Secure Key Transport
  • Non Disruptive Re-key
  • Always Encrypted

ACI Integrations

ACI: AppDynamics Integration
Network & Application Health Correlation: Identify Problems Faster By Correlating Applications & Network Data
  • Mapping Application And Service Components To ACI (Standalone App), Beta
  • Mapping Application And Service Components To ACI (Standalone App), GA
  • Cross Launch AppDynamics and APIC To Correlate Network And Application Data
  • Baseline Application Health Status In AppDynamics By Correlating ACI MO Health And Faults
  • Micro-segmentation Based On Application Tiers
Release labels on the slide, in order: ACI 4.0, ACI 4.1, ACI 4.1, Future, Future

L4-7 Integrations: Integrate, Automate, and Interoperate
Data Center Networking Rich Ecosystem
  • Security Enforcement
  • Security Management
  • Application Delivery Control

Cisco ACI Config Management: Support for Puppet and Ansible (New)
  • Ansible: Tenant, Fabric Access, L3Out, AAA Policies; 55 ACI Modules
  • Puppet: New Tenant Policies - 11 New Types and Providers
  • Availability, Ansible: Ansible Core (2.4 and 2.5)
  • Availability, Puppet: GitHub now; Puppet Forge soon

ACI Ecosystem Updates
  • Identify Problems Faster by Correlating Applications & Network Data
  • BMC Remedy ITSM Solution for Cisco ACI (Beta Soon)
  • Cisco ACI Configuration Management Support: 55 ACI Ansible Modules and 11 New Puppet Policies
  • Mapping & Automation for Cisco ACI and Legacy Heterogeneous Networks (Beta Soon)
  • New L4-7 Integration without through Service Manager Mode with REST API
