Agenda
Aruba Fabric Composer 6.4 TOI
• Switch Support
• Policy Engine
• Topologies
• Orchestration
• Telemetry
• Licensing
Session 1
AFC 6.4 Use Cases:
• Support for new DC switches, to drive DC growth
• Target larger scale DCs with the 9300
• Key release for new CX 9300
• Continue to expand AFC telemetry for monitoring and troubleshooting
• Continue momentum for 10K, to grow DC DevOps/SecOps positioning
• Ease-of-use to enhance the customer experience with Aruba products through continuous customer-driven features
Aruba Fabric Composer 6.4 – Agenda
Key Features (feature: description; presenter in parentheses)

Switch Support
• 9300 (Carmel) switch platform support: AFC CX 9300 support for all the standard AFC capabilities. CX 9300 requires OS-CX 10.10 or above, and AFC 6.4.0 or above. CX 9300 can be configured as a leaf or a spine. (Simon)
• RADIUS authentication for AFC with role mapping: RADIUS to authenticate AFC login – Admin, Operator, Viewer. (Matt/Dan)
• RADIUS configuration on the switch: AFC UI to configure RADIUS authentication on the switch. (Matt/Dan)

Policy Engine
• Pensando PSM integration enhancements: Create VMware vSphere user credentials in PSM, to allow support for workload groups and vMotion. (Marek)
• Micro-seg workflow enhancements [VM to PVLAN_PG]: Ability to migrate a Virtual Machine's VNICs to the PVLAN PortGroups created by AFC. (Marek)
• Micro-seg workflow enhancements [LACP/LAG]: Ability to create LACP configuration on VMware vSphere and LAG/MLAG on CX switches. (Marek)
• AFC Policy enhancements for ACLs – VLAN enforcement: Provide support for applying ACLs to VLANs. Current support is limited to applying ACLs to interfaces or LAGs. (Marek)

Topologies
• DC-DC workflow Phase 2: Enhancements to this will add capabilities that allow the user to select fabrics from remote AFC sites, select fabrics from the local AFC, delete remote fabrics, add remote fabrics from the local or a remote AFC, and edit existing DC – DC workflows. (Yuhui)

Orchestration
• CLI edit capabilities (configuration editor): The user can select a switch or switches to obtain the running config, edit it and apply it back to the switch or switches. The user can also validate config changes against the switch; the switch will return an error if there is a mistake. The user can also select a checkbox to automatically create a checkpoint before any changes are applied. (Eric)
• AFC HA enhancements – Backup / Restore HA clusters: Backup an HA cluster and then restore to an existing or newly deployed HA cluster. (Tim T.)
• Inline editing: Builds upon the inline editing capabilities first introduced in AFC 6.3. Anywhere you see a pencil-in-a-box icon can now be edited. (Eric/Matt)

Licensing
• Licensing enforcement in AFC. (Simon)

Telemetry
• AFC Analytics phase 2: Enhancements to this will add capabilities that allow the user to view and modify NAE default agent parameter values for things like thresholds and other settings, and include a new NAE EVPN-VxLAN health monitor script. (Tim T/Mike)
[Diagram: Aruba Fabric Composer – API Driven. Unified NetOps and SecOps, for Data Center orchestration and telemetry. Panels: Highly Available Aruba Fabric Composer exposing the AFC API and driving switches via the AOS-CX API; Ecosystem Integrations (3rd Party APIs); AFC Fabrics: two EVPN-VXLAN sites (Site1 and Site2, each with VTEPs, route reflectors and a Border-Leader, VLANs 10/11/20 with VMs); Traditional 2-Tier DC (Core and Access, VSX, L2/L3 boundary); Layer 3 Spine and Leaf (Spines, Leafs, VSX, Servers); Management Fabric (OOB, 1G-T and 1/10G-T, MGMT port, iLO port).]
Footer content
CX 9300 Switch Platform Support
Aruba next-generation datacenter switch, 32 ports, 100/200/400Gb
• AFC CX 9300 support for all the standard AFC capabilities
• CX 9300 requires OS-CX 10.10 or above, and AFC 6.4.0 or above
• CX 9300 can be configured as a leaf or a spine
• Default config 1x400
• You can only split ports via the switch CLI; there is no API support for this feature in the initial 10.10 release, so it is not supported with AFC at this time
• AFC will however accurately represent split ports configured via CLI, through reconcile
RADIUS authentication for AFC
Centralize authentication
• Use ClearPass RADIUS to authenticate AFC login (as available today with local login and LDAP)
  • Administrator - Full read/write privileges
  • Operator - Can perform most operations an administrator can, except manage users, password policies, switch passwords, system settings, backups, or certificates
  • Viewer - Has read-only access (can change their own password)
• Key features
  • Developed and qualified using Aruba ClearPass but works against other RADIUS servers
  • Authentication via RADIUS, Authorization via Role Mapping
  • With ClearPass it's possible to specify the days a user has AFC access, for example Monday through Friday
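The slide separates authentication (RADIUS) from authorization (role mapping). The example below is added here and is not AFC code: it models that split with a fail-closed mapping, where a valid password with no recognised role yields no access, and enforces the Operator and Viewer exceptions listed above. The attribute name "AFC-Role", the operation names and the sample replies are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Operations the Operator role may NOT perform, taken from the slide's role list.
ADMIN_ONLY = {"manage_users", "password_policies", "switch_passwords",
              "system_settings", "backups", "certificates"}
# The only operations the Viewer role may perform.
VIEWER_ALLOWED = {"view", "change_own_password"}
KNOWN_ROLES = {"Administrator", "Operator", "Viewer"}

@dataclass(frozen=True)
class Session:
    user: str
    role: str

def map_role(reply: Optional[Dict[str, str]]) -> Optional[Session]:
    """Build an AFC session from a (simulated) RADIUS Access-Accept.

    Fails closed: an Access-Reject (None), a missing role attribute or a role
    AFC does not know all yield no session, so a valid password alone never
    grants access. "AFC-Role" is an assumed attribute name, not a real VSA.
    """
    if reply is None:
        return None
    role = reply.get("AFC-Role")
    if role not in KNOWN_ROLES:
        return None
    return Session(reply["User-Name"], role)

def authorized(session: Optional[Session], operation: str) -> bool:
    """Role check applying the Operator and Viewer limits listed on the slide."""
    if session is None:
        return False
    if session.role == "Administrator":
        return True
    if session.role == "Operator":
        return operation not in ADMIN_ONLY
    return operation in VIEWER_ALLOWED      # Viewer

# Constructed sample replies, as a RADIUS client library might present them.
SAMPLE_REPLIES: Dict[str, Optional[Dict[str, str]]] = {
    "alice": {"User-Name": "alice", "AFC-Role": "Administrator"},
    "bob": {"User-Name": "bob", "AFC-Role": "Operator"},
    "carol": {"User-Name": "carol", "AFC-Role": "Viewer"},
    "dave": {"User-Name": "dave"},   # authenticated, but no role returned
    "mallory": None,                  # Access-Reject
}

if __name__ == "__main__":
    for name, reply in SAMPLE_REPLIES.items():
        s = map_role(reply)
        print(f"{name}: {s.role if s else 'denied'}, backups={authorized(s, 'backups')}")
```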
Custom Service Account User for AFC Switch Discovery
Backed by RADIUS, or the desired authentication source
• Historically, in versions <6.3.0, AFC supported only a fixed service user account for discovery, "afc_admin". AFC 6.4.0 introduces the ability to discover switches with a custom service account user. This user can be backed by any desired authentication source.
• Prior to switch discovery and ingestion, the user can optionally configure a custom authentication backend or local user on the switch
  • RADIUS
  • TACACS
  • Local user
• Considerations/Notes
  • When using RADIUS/TACACS, verify that the authentication server sends the correct authorization role to the switch, to ensure the user is authorized as an Administrator
  • When updating credentials on your centralized AAA server, make sure to coordinate and update the credentials on AFC
  • If you do not configure RADIUS/TACACS/local user prior to discovery, AFC will attempt to create a local user for you with the given credentials to simplify discovery
RADIUS Configuration on the Fabric or Switch
• AFC UI to configure RADIUS authentication on the switch, so that switch users are validated against RADIUS
• Very flexible - can use AFC local login for AFC, and RADIUS to authenticate AFC when it contacts the switch
• RADIUS configuration can be applied at either Fabric or Switch scope.
• Considerations/Notes
  • Verify that your Service User Account exists in your RADIUS server before applying
  • AFC will configure RADIUS AAA settings on the switch to fall back to the local user that existed prior to configuration. It is okay to remove this user or the local fallback after you are sure that your RADIUS configuration is successful.
Pensando PSM Integration Enhancements
PSM->Orchestrator->vCenter
• Create VMware vSphere user credentials that are sent to PSM, to allow support for workload groups and vMotion.
• PSM requires vSphere credentials for vMotion support, even if workload groups are not used in PSM.
• This is POC/Beta functionality at this point.
Micro-seg workflow enhancements
Migrate VM NIC to PVLAN Port Group
• Provides the ability to migrate a Virtual Machine's VNICs to PVLAN PortGroups created by AFC.
• This functionality is available for AFC-created Promiscuous and Isolated PVLAN port groups only
• No support for distributed or standard PGs
Micro-seg workflow enhancements
LAG Configuration for Micro-segmentation
• Provides the ability to create LAG configuration on the Host
  • VMware vSphere LACP/LAG
  • User is able to create an LACP LAG in the 'create DVS' workflow
  • User is able to add LACP/LAG for an existing DVS
  • Existing DVS configurations will be synced and exposed via API
  • Existing LACP/LAG configurations will be synced and exposed via API
• LAG/MLAG on CX switches
[Screenshots: Host View – before DVS creation; Create LAG on the ESXi host]
Micro-seg workflow enhancements
Create LAG on CX switch
• Provides ability to create LAG/MLAG on CX switches that are connected to the host(s)
• User opens LAG/MLAG sub-workflow to create LAG/MLAG
Micro-seg workflow enhancements
Create LAG on CX switch
• When LLDP data is available thanks to the host vnic selection (previous step), AFC remembers the pairing between host vnic and switch interface
• The LAG wizard for the switch selects those interfaces automatically.
Micro-seg workflow enhancements
• When LLDP data between host and switches is not available, the user needs to select the CX switch interface
AFC Policy enhancements for ACLs
VLAN Enforcement
AFC Policy enhancements for ACLs provide the ability for the user to create access-lists enforced on a VLAN
DC-DC workflow Phase 2
Simplify configuration of Remote Fabrics
• Provides enhancements to the DC-DC workflow by integrating Remote AFC sites
• Auto-fill Remote ASN/IP addresses by selecting remote fabrics from:
  • remote AFC sites
  • local AFC
• Extension of DC-DC workflow
  • Delete existing remote fabrics
  • Add remote fabrics by selecting from local or remote AFC
• Visualization of DC-DC workflow
  • List of existing remote fabrics
Recap 6.3 release:
1. AFC Remote Site - bring remote Fabrics insight
2. DC-DC workflows - stretch EVPN VXLAN tunnels between Fabrics
[Screenshot: Select remote Fabric from AFC remote site, with auto-filled ASN and IP addresses. Steps: select Remote AFC Site/Fabric/Border-leader; ASN/IP addresses are auto-filled based on the selection.]
CLI Edit Capabilities
Switch Configuration Editor
A Configuration Editor feature has been added, launched from the Configuration icon as shown.
Supports:
- Multi-switch configuration viewing, editing, validating and applying.
- Per-switch errors are displayed
- Option to automatically create a Switch Configuration Checkpoint prior to applying.
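The Configuration Editor workflow above (validate, optionally checkpoint, apply, show per-switch errors) is modelled in the added example below against a fake in-memory switch; this is illustrative code, not AFC's or AOS-CX's own, and the accepted command syntax and the VLAN-range rule are assumptions. It shows why the checkpoint matters: a semantic error that validation cannot catch can leave a switch partially configured, and the checkpoint is what restores the known-good state.

```python
import re
from typing import Dict, List, Optional

# Assumed mini-syntax for the fake switch; a real switch has its own grammar.
SYNTAX = re.compile(r"^(hostname \S+|vlan \d+|interface \S+|description .+|exit)$")

class FakeSwitch:
    """Stand-in for a switch: a running config plus named checkpoints."""
    def __init__(self, name: str, running: List[str]):
        self.name, self.running, self.checkpoints = name, list(running), {}

    def validate(self, config: List[str]) -> Optional[str]:
        """Syntax check only; returns the first error string or None."""
        for n, line in enumerate(config, 1):
            if not SYNTAX.match(line.strip()):
                return f"{self.name}: line {n}: syntax error: {line!r}"
        return None

    def checkpoint(self, label: str) -> None:
        self.checkpoints[label] = list(self.running)

    def rollback(self, label: str) -> None:
        self.running = list(self.checkpoints[label])

    def apply(self, config: List[str]) -> None:
        """Applies line by line; semantic errors (bad VLAN id) surface only here."""
        applied: List[str] = []
        for line in config:
            m = re.match(r"vlan (\d+)$", line.strip())
            if m and not 1 <= int(m.group(1)) <= 4094:
                self.running = applied          # partially applied config!
                raise ValueError(f"{self.name}: VLAN {m.group(1)} out of range")
            applied.append(line)
        self.running = applied

def safe_apply(switches: List[FakeSwitch], new_config: List[str],
               auto_checkpoint: bool = True) -> Dict[str, str]:
    """Returns a per-switch result, like the editor's per-switch error display."""
    results: Dict[str, str] = {}
    for sw in switches:
        err = sw.validate(new_config)
        if err:
            results[sw.name] = err              # rejected before any change
            continue
        if auto_checkpoint:
            sw.checkpoint("pre-edit")
        try:
            sw.apply(new_config)
            results[sw.name] = "applied"
        except ValueError as e:
            if auto_checkpoint:                 # restore the known-good config
                sw.rollback("pre-edit")
            results[sw.name] = str(e)
    return results
```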
Expanded Inline Editing for Configuration
‒ Introduced in 6.3 to allow for editing of Policies, Rules, etc.
‒ Expanded functionality to all configuration tables to support Name and Description editing (where applicable).
‒ Additional feature-specific editing support to be added in later releases.
Licensing Model And Types
- Lightweight licensing model that will not block any functionality in AFC if license is missing/expired/invalid.
- Goal is to track customer deployments.
- License types: Paid, 90D Eval, 1Y Demo
- License key can be obtained from ASP account
AFC Backup / Restore
Backup / restore AFC HA cluster
• Backup an HA cluster and then restore to an existing or newly deployed HA cluster
• Additionally, can restore a standalone backup to a newly deployed HA cluster
• Backup AFC > download to a PC for example > upload to AFC as needed > restore AFC to this configuration
• This is backing up AFC, not switches
• Does back up AFC DBs, StackStorm, switch startup configs / running config and so forth contained on AFC
• Restore can take a few minutes
• AFC will be unavailable during restore and Admin will need to log back in when this is complete
• Restore will create an entry in the Audit logs
Telemetry enhancements
New capabilities added to Monitor Agents in 6.4
• AFC will now discover and display NAE scripts not hosted by AFC. Users will be able to enable/disable/delete non-hosted scripts.
• Running NAE Agent configuration is available through the AFC API and viewable in the UI.
• NAE Agent configuration can be set when it's started and subsequently modified.
• NAE Agent configurations made on the switch are reflected in AFC.
• A new NAE EVPN-VxLAN health monitor script has been added to the list of hosted NAE scripts.