Solution overview
Cisco public
Cisco ACI is the industry-leading SDN solution that provides policy-driven automation through an integrated underlay and overlay, is hypervisor agnostic, and extends policy automation to any workload, including virtual machines, physical bare-metal servers, and containers.

Cisco ACI Anywhere is a comprehensive solution: one intent, using any hypervisor, for any workload, in any location, and in any cloud.

Cisco ACI Anywhere offers a set of capabilities that enable seamless connectivity between an on-premises data center, remote small-scale data centers, and geographically dispersed data centers under a single pane of policy orchestration. In future, these capabilities will extend to public cloud as well.

With Cisco ACI, you can build a better network anywhere.

Figure 1. Cisco ACI differentiated business benefits (Optimize Your Network, Protect Your Business, Accelerate Multi-Cloud)

Optimize your network
• Operational simplicity, with common policy, management, and operation models across application, network, and security resources
• A flexible and yet highly available network that allows agile application deployment within a site, across sites, and across global data centers while removing the need for complex Data Center Interconnect (DCI) infrastructure
• Centralized network management and visibility with full automation and real-time network health monitoring
• Seamless integration of underlay and overlay
• Open northbound APIs to provide flexibility for DevOps teams and ecosystem partner integration
• An SDN solution at cloud scale
• Common platform for managing physical and virtual environments

Protect your business
• Business continuity and disaster recovery
• Secure networking with a zero-trust security model and innovative security features such as microsegmentation
• Security at cloud scale accelerated by hardware

Accelerate multi-cloud
• Single policy and seamless connectivity across any data center and public cloud
• Any hypervisor, any workload, any location, any cloud
• Cloud automation enabled by integration with vRealize, AzurePack, OpenStack, OpenShift, Kubernetes, and UCS Director
Cisco ACI building blocks
The Cisco ACI solution consists of the following building blocks (Figure 2):
• Cisco Application Policy Infrastructure Controller (APIC)
• Cisco Nexus® 9000 Series spine and leaf switches for Cisco ACI
• Cisco ACI MultiPod
• Cisco ACI Multi-Site Orchestrator
• Cisco ACI Virtual Edge (AVE)
• Cisco ACI Physical Remote Leaf
• Cisco ACI Virtual Pod (vPod)
• Cisco ACI Mini Fabric

Figure 2. Cisco ACI Architectural building blocks (Cisco ACI: rapid deployment of applications on networks with security, scalability, and full visibility. Multi-Site: Data center A and Data center B, each running a traditional 3-tier application (F/W, ADC, WEB, ACC, APP, DB) described by an application network profile, interconnected over an IP network.)

Cisco Application Policy Infrastructure Controller (APIC)
The infrastructure controller is the main architectural component of the Cisco ACI solution. It is the unified point of automation and management for the Cisco ACI fabric, policy enforcement, and health monitoring. The APIC appliance is a centralized, clustered controller that optimizes performance and unifies the operation of physical and virtual environments. The controller manages and operates a scalable multitenant Cisco ACI fabric.

The main features of the APIC include the following:
• Application-centric network policies
• Data-model-based declarative provisioning
• Application and topology monitoring and troubleshooting
• Third-party integration
 - Layer 4 through Layer 7 (L4-L7) services
 - VMware vCenter and vRealize
 - Microsoft Hyper-V, System Center Virtual Machine Manager (SCVMM), and AzurePack
 - Open Virtual Switch (OVS) and OpenStack
 - Kubernetes
• Image management (spine and leaf)
• Cisco ACI inventory and configuration
• Implementation on a distributed framework across a cluster of appliances
• Health scores for critical managed objects (tenants, application profiles, switches, etc.)
• Fault, event, and performance management

The controller framework enables broad ecosystem and industry interoperability with Cisco ACI. It enables interoperability between a Cisco ACI environment and management, orchestration, virtualization, and L4-L7 services from a broad range of vendors.

Cisco Nexus 9000 Series Spine and Leaf Switches for Cisco ACI
Cisco Nexus 9300 and 9500 platform switches support Cisco ACI. Organizations can use them as spine or leaf switches to take full advantage of an automated, policy-based, systems management approach.

Cisco Nexus 9000 Series Switches include modular and fixed 1, 10, 25, 40, 50, and 100 Gigabit Ethernet switch configurations that are designed to operate either in NX-OS mode, for compatibility and consistency with the current Cisco Nexus switches (using Cisco NX-OS Software), or in ACI mode, to take full advantage of Cisco ACI application-policy-based services and infrastructure automation features. This dual-function capability provides customers with investment protection and ease of migration to Cisco ACI through a software upgrade.

Cisco ACI MultiPod
ACI MultiPod is part of the "Single APIC Cluster/Single Domain" family of solutions, as a single APIC cluster is deployed to manage all the different ACI networks that are interconnected. These separate ACI networks are named "Pods", and each of them looks like a regular two-tier spine-leaf topology. The same APIC cluster can manage several Pods, and to increase the resiliency of the solution, the various controller nodes that make up the cluster can be deployed across different Pods.

(figure: Pod A and Pod B interconnected over an Inter-Pod IP Network)

Cisco ACI Multi-Site Orchestrator
The Cisco ACI multisite appliance provides a single point of provisioning for multiple Cisco ACI fabrics operating in a coordinated way. When this appliance is combined with the latest networking enhancements of Cisco ACI, organizations can manage extension network elements such as Virtual Routing and Forwarding (VRF) instances, bridge domains, and subnets across multiple fabrics. Centralized policy and security controls across geographically distributed fabrics and very large scaled-out fabrics at a single site enable automation and operations from a common point for global cloud-scale infrastructure.

The main features of the multisite solution include the following:
• Single point of administration for multiple Cisco ACI fabrics
• Capability to map tenants, applications, and associated networks to specific availability domains within the Cisco ACI multisite
• Change control across multiple fabrics, allowing staging, testing, and, if required, clean backout of any policy changes
• Automatic configuration and management of fabric network interconnects across an IP backbone

(figure: Multi-Site interconnecting Site A, Site B, Site C, and Site D)
Cisco ACI Virtual Edge
Cisco ACI Virtual Edge is the next generation of the Application Virtual
Switch for Cisco ACI environments. Cisco ACI Virtual Edge is a hypervisor-
independent distributed service VM that leverages the native distributed
virtual switch that belongs to the hypervisor. Cisco ACI Virtual Edge runs
in user-space, operates as a virtual leaf, and is managed by the Cisco
Application Policy Infrastructure Controller (APIC).
© 2018 Cisco and/or its affiliates. All rights reserved.
Cisco ACI Virtual Edge key capabilities:
• Leverages the native distributed virtual switch of the hypervisor (VXLAN)
• ACI policy model for virtual workloads and policy consistency with the physical environment
• Seamless workload mobility
• Ability to secure east-west traffic using microsegmentation
• Maintain distributed firewall policies across virtual machine moves

(figure: Cisco ACI Physical Remote Leaf: an on-premises ACI data center (APIC cluster, Spine 1, Spine 2, Leaf 1 and Leaf 2 with 48 ports each) extended over an IP network to remote leaf switches at a remote location, Site A)

(figure: Cisco ACI Virtual Pod: vSpine and vLeaf nodes with ACI Virtual Edge on the hypervisor, a logical connection to the spine (BGP-EVPN), and policy extension from the on-premise DC)

Cisco ACI Mini Fabric
With the introduction of Cisco Mini ACI Fabric, customers can now leverage an optimized ACI solution for their small-scale deployments. This solution comprises APIC-CLUSTER-XS (1 physical and 2 virtual controllers) along with 2 spines and a minimum of 2 and a maximum of 4 leafs.

(figure: Mini ACI Fabric: Physical APIC 1, Virtual APIC 2, Spine 1, Spine 2, Leaf 1 (48 ports), Leaf 2 (48 ports))

Mini ACI Fabric scale:
No. of Leafs | 2-4
No. of Spines | 2
No. of Tenants | 25
No. of EPs | 20,000
No. of BDs | 1000
No. of VRFs | 25
Fabric management and automation

Table 1. Fabric management and automation features

Feature | Description
API-based automation and orchestration | The APIC's open northbound APIs allow Cisco ACI to interoperate with products such as Cisco UCS Director, Cisco Cloud Center, and Cisco Tetration Analytics, plus many third-party products. Avoid vendor lock-in and gain control and visibility for the network fabric using the application policy framework.
Precision time protocol | ACI supports the IEEE 1588 Precision Time Protocol to measure latency between any combination of endpoints, endpoint groups, external interfaces, and IP addresses within the ACI fabric. Fabric latency is a troubleshooting tool that monitors the time taken by a packet to traverse from source to destination in the fabric. The ACI fabric can also act as the NTP master to provide clock services to servers attached to it.
High availability | Operate the APIC cluster in active-standby mode. The APIC provides split-brain detection. Deploy multipod and multisite solutions. Get N-way spine redundancy. Deploy APIC cluster software rolling upgrades and downgrades. Site ID recovery helps recover the configuration state of the APIC from the operational state of the ACI network.
Multiple software versions in fabric | To ease network migration and upgrades, you can use Cisco ACI fabric nodes with different qualified software versions at the same time.

Virtualization and containers
Table 2 summarizes the Cisco ACI virtualization and container features.

Table 2. Virtualization and container features

Feature | Description
Virtual machine networking | Consistently enforce policies across both virtual and physical workloads managed by hypervisors from multiple vendors.
Virtual Machine Manager (VMM) domain profiles | Enable virtual machine mobility and placement of workloads anywhere in the Cisco ACI fabric.
OpenShift Integration | Cisco ACI integrates with the OpenShift container application platform. The OpenShift platform simplifies deployment of containers for both development and production workloads. Cisco ACI provides foundational networking optimized for performance, scale, and availability of the OpenShift Container Platform.
Kubernetes and OpenShift nested in OpenStack VMs | The ACI Containers solution brings native ACI support to container orchestration systems. ACI Containers nested in OpenStack VMs supports the deployment of the ACI Containers solution inside OpenStack VMs. Cisco APIC serves as the normalization point for common policy and provides one place for administering it. This solution preserves the design of the ACI Containers solution for bare-metal servers and adapts it to run inside OpenStack VMs.
Microsoft Windows Azure Pack Integration | Cisco ACI integrates with Microsoft Windows Azure Pack to provide a self-service experience for the tenant. Cisco ACI with Microsoft Windows Azure Pack for Windows Server is a collection of Microsoft Azure technologies that include the following capabilities: management portal for tenants; management portal for administrators; Service Management API.
RedHat Virtualization | Cisco ACI integration with RedHat Virtualization helps further enhance the network management capabilities of the platform. This solution enables the next-generation cloud deployments that drive business agility and lower operational costs. Cisco and Red Hat offer a certified, supported turn-key ACI-based OpenStack solution. This solution enables customers to deploy the full range of service and deployment models with OpenStack to meet the most demanding needs of cloud deployments.
Pivotal Cloud Foundry | Cisco ACI integration with Pivotal Cloud Foundry enables customers to use all Cisco ACI security and policy features in Pivotal Cloud Foundry.

Network security
Table 3 summarizes the Cisco ACI security features.

Table 3. Network security features

Feature | Description
Zero-trust security model | The Cisco ACI whitelist-based policy model supports a zero-trust security architecture. It assumes no default trust between entities, regardless of the location of the entity.
Role-Based Access Control (RBAC) | Achieve true multitenant isolation with custom RBAC rules on the APIC. The APIC provides access according to a user's roles, privilege types, and security domain tags.
Microsegmentation | Reduce your network's attack surface by reducing the possibilities for lateral movement in the event of a security breach. Cisco ACI microsegmentation allows you to formulate a custom security group of virtual machine endpoints based on various virtual machine-level attributes, tags, etc.
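The whitelist model behind the zero-trust row above is concrete in the APIC object tree: two endpoint groups (EPGs) can exchange traffic only when one provides and the other consumes a contract whose subject references a filter, and every other EPG pair is dropped. The Python below is an added example written for this page, not Cisco's code. It builds a tenant in the JSON shape the APIC REST API accepts, derives from that tree which EPG pairs the fabric will permit, and lists the EPGs that end up fully isolated. The tenant, VRF, bridge domain, EPG, contract and filter names, the ports, and the APIC hostname are assumptions chosen for illustration; the class and attribute names (fvTenant, fvCtx, fvBD, fvAp, fvAEPg, vzFilter, vzEntry, vzBrCP, vzSubj, vzRsSubjFiltAtt, fvRsProv, fvRsCons) and the /api/aaaLogin.json and /api/mo/uni.json paths are the standard APIC ones. Nothing is sent to a controller; the last function only returns the requests that would be.

```python
"""Zero-trust (whitelist) policy for a Cisco ACI tenant, built in the JSON
shape the APIC REST API accepts, with an offline check of what it permits.

Added example, not Cisco code.  Tenant/EPG/contract/filter names, ports and
the APIC hostname are illustrative assumptions; the class and attribute
names are the APIC management-information-tree classes."""
import json
from itertools import product


def mo(cls, children=None, **attrs):
    """One managed object: {"<class>": {"attributes": {...}, "children": [...]}}."""
    body = {"attributes": attrs}
    if children:
        body["children"] = children
    return {cls: body}


def tcp_filter(name, dport):
    """A filter with a single entry: IP/TCP to one destination port."""
    entry = mo("vzEntry", name=f"{name}-e", etherT="ip", prot="tcp",
               dFromPort=str(dport), dToPort=str(dport))
    return mo("vzFilter", [entry], name=name)


def contract(name, filter_name):
    """A contract with one subject referencing one filter; scope=context keeps it inside the VRF."""
    subj = mo("vzSubj", [mo("vzRsSubjFiltAtt", tnVzFilterName=filter_name)],
              name=f"{name}-subj")
    return mo("vzBrCP", [subj], name=name, scope="context")


def epg(name, bd, provides=(), consumes=()):
    """An EPG in bridge domain `bd`; provides/consumes name the contracts it is attached to."""
    rels = [mo("fvRsBd", tnFvBDName=bd)]
    rels += [mo("fvRsProv", tnVzBrCPName=c) for c in provides]
    rels += [mo("fvRsCons", tnVzBrCPName=c) for c in consumes]
    return mo("fvAEPg", rels, name=name)


def build_tenant(name="shop"):
    """Three-tier app plus a 'monitoring' EPG that was given no contract (assumed names)."""
    vrf = mo("fvCtx", name="prod")
    bd = mo("fvBD", [mo("fvRsCtx", tnFvCtxName="prod")], name="bd-prod")
    ap = mo("fvAp", [
        epg("web", "bd-prod", consumes=["web-to-app"]),
        epg("app", "bd-prod", provides=["web-to-app"], consumes=["app-to-db"]),
        epg("db", "bd-prod", provides=["app-to-db"]),
        epg("monitoring", "bd-prod"),   # no contract: reaches nothing, reached by nothing
    ], name=f"{name}-ap")
    return mo("fvTenant", [vrf, bd,
                           tcp_filter("tcp-8080", 8080), tcp_filter("tcp-5432", 5432),
                           contract("web-to-app", "tcp-8080"), contract("app-to-db", "tcp-5432"),
                           ap], name=name)


def permitted_flows(tenant):
    """Walk the tree and return (consumer EPG, provider EPG, contract, [(proto, port), ...]).
    Any EPG pair not returned has no contract between them, so the fabric drops it."""
    filters, contracts, epgs = {}, {}, []
    for child in tenant["fvTenant"].get("children", []):
        if "vzFilter" in child:
            f = child["vzFilter"]
            filters[f["attributes"]["name"]] = [
                (e["vzEntry"]["attributes"]["prot"], e["vzEntry"]["attributes"]["dFromPort"])
                for e in f.get("children", [])]
        elif "vzBrCP" in child:
            c = child["vzBrCP"]
            contracts[c["attributes"]["name"]] = [
                rel["vzRsSubjFiltAtt"]["attributes"]["tnVzFilterName"]
                for subj in c.get("children", [])
                for rel in subj["vzSubj"].get("children", [])]
        elif "fvAp" in child:
            epgs += [e["fvAEPg"] for e in child["fvAp"].get("children", [])]
    providers, consumers = {}, {}
    for e in epgs:
        for rel in e.get("children", []):
            if "fvRsProv" in rel:
                providers.setdefault(rel["fvRsProv"]["attributes"]["tnVzBrCPName"], []).append(e["attributes"]["name"])
            elif "fvRsCons" in rel:
                consumers.setdefault(rel["fvRsCons"]["attributes"]["tnVzBrCPName"], []).append(e["attributes"]["name"])
    flows = []
    for cname, fnames in contracts.items():
        ports = [p for fname in fnames for p in filters.get(fname, [])]
        for cons, prov in product(consumers.get(cname, []), providers.get(cname, [])):
            flows.append((cons, prov, cname, ports))
    return flows


def isolated_epgs(tenant):
    """EPGs that take part in no permitted cross-EPG flow at all."""
    names = {e["fvAEPg"]["attributes"]["name"]
             for child in tenant["fvTenant"].get("children", []) if "fvAp" in child
             for e in child["fvAp"].get("children", [])}
    used = {n for flow in permitted_flows(tenant) for n in flow[:2]}
    return sorted(names - used)


def apic_requests(tenant, user, password, apic="https://apic.example.net"):
    """The two REST calls that would push this policy (returned, not sent). Hostname assumed."""
    login = {"aaaUser": {"attributes": {"name": user, "pwd": password}}}
    return [("POST", f"{apic}/api/aaaLogin.json", json.dumps(login)),
            ("POST", f"{apic}/api/mo/uni.json", json.dumps(tenant))]


if __name__ == "__main__":
    t = build_tenant()
    for cons, prov, c, ports in permitted_flows(t):
        print(f"{cons} -> {prov} via {c}: {ports}")
    print("isolated:", isolated_epgs(t))
```

The check covers only cross-EPG flows; traffic inside one EPG is permitted by default unless intra-EPG isolation is enabled on it. Contract scope "context" confines the permission to the VRF, which is what keeps tenants and VRFs from being reachable by accident. When pushing for real, the second request must carry the session cookie returned by the aaaLogin call.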
Security Standards Council |

Open Ecosystem
Table 4 summarizes the features of the Cisco ACI Open Ecosystem.

Table 4. Open Ecosystem features

Feature | Description
Third-party integration enabled by open APIs | Avoid vendor lock-in and expand choice and flexibility to build your own data center solution.
Jointly certified software solutions with ecosystem partners | Employ a best-in-class SDN ecosystem with more than 65 technology partners, with partners publishing a certification matrix to guide customers to install and upgrade compatible software versions.
L4-L7 service integration through service chaining | Deploy multivendor service graphs with a Cisco ACI integration mode of your choice to meet your operational and organizational needs.
Cisco ACI App Center | Cisco ACI applications help you get the best applications for Cisco ACI in an efficient way. The Cisco ACI App Center: accelerates innovations related to the Cisco ACI open ecosystem; enables Cisco internal partners, customers, and third-party developers to add value to Cisco ACI networks; allows customers to efficiently extract value from their networking investments.

Streaming telemetry

Table 5. Streaming telemetry features

Feature | Description
Tetration sensor support | Stream your traffic from Cisco Nexus 9000 Series Switches hardware sensors to the Cisco Tetration Analytics platform for pervasive visibility into applications through big data analytics.
Cisco NetFlow | Monitor data traffic flowing through your Cisco ACI fabric. Monitoring provides a metering base for applications, traffic accounting, use-based network billing, and network planning. This feature also provides denial-of-service monitoring capabilities.
Network Insight Resources | The Network Insight Resources App is a platform for predictive analytics and streaming telemetry data for networking fabrics, providing flow-level telemetry information. The App provides system metrics, statistical data correlation, fabric anomaly detection, and flow triage information along with fabric resource utilization.
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other
countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective
owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) C22-741487-00 11/18