Cisco Secure Interconnection of Heterogeneous Fabrics (ACI and VXLAN EVPN)

In this presentation, Lukas Krattiger and Max Ardica from Cisco’s Data Center Business Unit discuss new functionalities for Cisco Data Center networking. They focus on the secure interconnection of heterogeneous fabrics, specifically integrating ACI (Application Centric Infrastructure) and standard VXLAN EVPN (Ethernet VPN) fabrics.

Max introduces the concept of the ACI Border Gateway, which is a device that allows for controlled connectivity between different leaf-spine topologies, enabling the extension of layer 2 and layer 3 connectivity in a controlled manner. The ACI Border Gateway operates in a standard VXLAN EVPN fashion to interconnect with VXLAN EVPN border gateways of other fabrics. This allows for the expansion of a network using either ACI or VXLAN EVPN fabrics within the same multi-fabric domain.

They also introduce the VXLAN Group Policy Option (GPO), which provides secure group segmentation within a VXLAN EVPN fabric, similar to the concept of SGT (Security Group Tag) discussed in a previous session. GPO enables microsegmentation and service chaining, allowing administrators to direct traffic through firewalls or other network services as part of a security policy.

Lukas and Max emphasize the importance of using a control plane to exchange group information, allowing for optimal traffic flow by applying security policies at the ingress leaf. This approach is more efficient as it avoids sending unnecessary traffic across the network only to be dropped at the destination.

The discussion also touches on the need for policy authoring and enforcement, which will be facilitated by software tools like Nexus Dashboard or Ansible playbooks, allowing for consistent policy application across ACI and VXLAN EVPN fabrics.

Throughout the conversation, they address scalability, resource management, and the benefits of using border gateways to abstract network complexity and control inter-fabric connectivity. They also mention the possibility of synchronizing policy across different network domains and the potential integration with third-party security management tools.