When Cisco announced the acquisition of Insieme in Nov. 2013, Cisco revealed its long-awaited Software Defined Network (SDN) strategy: Application Centric Infrastructure (ACI).
ACI is essentially a “policy-driven” network. Network policies are defined by the network administrator, and the network implements those policies.
The way Insieme designed ACI involves two pieces of infrastructure:
- a new line of Nexus switches, the Nexus 9000, and
- the “Application Policy Infrastructure Controller” (APIC).
First of all, the Nexus 9k switches are designed using a mix of “merchant silicon” (commodity ASICs) and custom Cisco ASICs. This is a break from Cisco’s other Nexus and Catalyst products, which are built entirely on Cisco custom ASICs. The Nexus 9000 line of switches is generally available (GA) today, and is priced very competitively compared not only to Cisco’s other Nexus switches but also to competing products from Arista and HP.
The Nexus 9000 switches can run a stripped-down version of the Nexus Operating system (NX-OS) so that the switches can be used as a traditional networking device. When the remaining elements of the ACI product set are available, the Nexus 9000 switches can be upgraded to the ACI operating system. Other Nexus switches will not have an ACI version of NX-OS.
Classes of NX9k
There are two different classes of Nexus 9000 switches, the 9500 and the 9300. The 9300 switches are designed to be used as leaf nodes, and the Nexus 9500 switches are designed to be spine nodes.
The ACI topology leaves behind the age-old three-tier (Access, Distribution/Aggregation and Core) network design and is instead based on a two-layer spine-leaf network. This topology is used quite often in high-density compute designs (Hadoop, HPC and cloud hosting, for example).
Additionally, Cisco has announced a soft-switch (Cisco Application Virtual Switch, or AVS) that will replace the virtual switch in VMware platforms (like the Nexus 1000v does today). The AVS will also behave like a leaf-node in the ACI topology, allowing policy to be controlled for virtual machines.
For customers who prefer using Open vSwitch (OVS) in a KVM environment, Cisco has plans there as well. Cisco has created an “open” southbound protocol, called OpFlex, has open-sourced it as an IETF RFC, and it is now a working group inside the OpenDaylight project. Eventually, ACI policy can be pushed to any device that supports OpFlex.
The APIC is the central policy engine for ACI.
The APIC (controller) is actually a virtual machine running the APIC application. The APIC software is delivered on turn-key UCS C-Series server appliances, so the end product is a combination of hardware and pre-installed software. The design point is to use three instances of the APIC, deployed in a cluster, for redundancy and resilience.
Once the APIC is generally available and the ACI NX-OS image is installed on the Nexus 9000 switches, the network administrator no longer configures the Nexus 9000 switches in the “traditional” way, using a CLI. The application is represented as endpoint groups (EPGs), and policies are defined detailing how each EPG can communicate with other EPGs. Policies can also require traffic to flow through other services (firewall, load balancer, VPN, SSL offload) in a service chain.
Multiple vendors have teamed up with Cisco to implement ACI policy in their products (F5, Citrix and many others), so that implementing these policies can include those service chains.
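To make the EPG-and-policy idea concrete, here is an added example (not APIC code or Cisco’s object model) that models endpoints grouped into EPGs, contracts between a consumer and a provider EPG, and an optional service chain; the endpoint addresses, EPG names and contract names are constructed for the demo. It shows the allowlist behaviour the text describes: traffic between EPGs is dropped unless a contract permits it, and a permitted flow is steered through the contract’s services.

```python
from dataclasses import dataclass

# Simplified model of ACI's policy concepts (added example, not APIC's own object model):
# endpoints belong to EPGs; a contract lets a consumer EPG reach a provider EPG for the
# listed filters, optionally via a service chain; anything else between EPGs is denied.

@dataclass(frozen=True)
class Filter:
    proto: str
    port: int

@dataclass(frozen=True)
class Contract:
    name: str
    provider: str              # EPG offering the service
    consumer: str              # EPG allowed to initiate traffic to the provider
    filters: frozenset         # Filter entries this contract permits
    service_chain: tuple = ()  # ordered services the flow must traverse, e.g. ("firewall",)

class PolicyModel:
    def __init__(self):
        self.endpoints = {}    # endpoint address -> EPG name
        self.contracts = []

    def add_endpoint(self, addr, epg):
        self.endpoints[addr] = epg

    def evaluate(self, src, dst, proto, port):
        """Return (permitted, service_chain) for a flow from src to dst."""
        src_epg, dst_epg = self.endpoints.get(src), self.endpoints.get(dst)
        if src_epg is None or dst_epg is None:
            return (False, ())      # unknown endpoint: belongs to no EPG, so no policy applies
        if src_epg == dst_epg:
            return (True, ())       # intra-EPG traffic is permitted by default
        for c in self.contracts:
            if (c.consumer, c.provider) == (src_epg, dst_epg) and Filter(proto, port) in c.filters:
                return (True, c.service_chain)
        return (False, ())          # no matching contract: default deny between EPGs

def build_demo():
    """Constructed three-tier application: web -> app (through a firewall) -> db (direct)."""
    m = PolicyModel()
    for addr, epg in [("10.0.1.10", "web"), ("10.0.2.10", "app"), ("10.0.3.10", "db")]:
        m.add_endpoint(addr, epg)
    m.contracts.append(Contract("web-to-app", "app", "web",
                                frozenset({Filter("tcp", 8080)}), ("firewall",)))
    m.contracts.append(Contract("app-to-db", "db", "app", frozenset({Filter("tcp", 3306)})))
    return m
```

Note that contracts are directional: the app EPG can open connections to db, but db cannot initiate a flow back to app or web without its own contract.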
Do not fear, as I once did, that you will need to forklift-upgrade your current network to support an ACI network. There are designs and planning guides available for integrating your existing (even non-Cisco) network into an ACI network. It is true, however, that Cisco intends for customers who choose the ACI path to eventually migrate (as capital depreciation allows) all switches to the Nexus 9000 platform.
ACI is actually very interesting. In my opinion, Cisco jumped over the competition with this move. Can they pull it off? Will customers buy into the idea? There is some doubt in the industry. Like other SDN solutions, ACI will probably be a “wait and see” play for many customers, or it will be pushed into a “pod” of compute until the kinks and operational details can be worked out.
There is much more detail than I’ve included in this quick overview. If you want to know more, I’d be happy to deliver a more detailed document, provide links to more info, or have a chat with you.