Cisco unveiled its long-awaited data center software-defined networking technology Wednesday, and not surprisingly, hardware lies at the heart of the release.
Cisco also announced it will spend up to $863 million to acquire Insieme Networks, the company Cisco formed more than a year ago to develop data center networks that are programmable and flexible enough to keep up with the cloud and heavily virtualized data centers.
The result of Insieme’s work is the Application Centric Infrastructure (ACI), which includes a new line of Nexus 9000 switches that form an application-aware switching fabric along with a centralized controller that manages both virtual and physical network infrastructures.
With Cisco ACI, engineers can control tens of thousands of ports from a central point, ending box-by-box management. They can also use the controller and fabric to automate infrastructure and provision distinct network paths along with Layer 4-7 services for specific applications. This will let users launch new applications with supporting network, storage and compute resources through one orchestrated system in minutes rather than weeks.
Cisco ACI brings desperately needed programmability and flexibility to the data center but data center operators will only realize its full benefits by investing in new hardware and committing fully to Cisco products throughout the network. ACI is Cisco's attempt to prove that hardware-centric SDN and network virtualization are the best ways to solve today's data center challenges, rather than VMware’s all-software approach with its NSX overlay.
“What we see in software-based network virtualization is that while it enables flexibility, it lacks scale. There is limited visibility and security aspects are disjointed … you are running another network between the application and physical domain and those three environments will run as ships in the night,” said Frank D’Agostino, senior director at Insieme.
At the ACI launch in NYC on Wednesday, Cisco CEO John Chambers said ACI integrates physical and virtual infrastructure and provides a “common point of control” to provision network resources and support applications. Users that implement inexpensive merchant silicon networks and software overlays for virtualization (as with a VMware NSX implementation) will end up paying 75% more than they would by implementing Cisco’s new integrated infrastructure because VMware will charge a "per-VM tax" for NSX, he said.
While Cisco ACI brings a new level of flexibility to the Cisco data center network, it also bypasses true SDN flexibility, standards-based programmability and multi-vendor openness.
“Cisco will help customers achieve more network agility. But this is a walled-in garden where they can deliver enough value to make it attractive enough for customers to continue to invest … but we are dealing with short-term network agility,” said distinguished Gartner analyst Mark Fabbi. In a truly flexible SDN system, engineers could use white box switches and work with multiple operating systems with more long-term network agility because they will be able to develop any network application they can dream up, he said.
How the Nexus 9000 switches and central controller drive Cisco ACI
Insieme built the Nexus 9000 switch series with a combination of Broadcom Trident II silicon and custom ASICs, so the switches can run either an optimized version of NX-OS or an ACI operating system. In “stand-alone” NX-OS mode, the 9000s act as basic Layer 2/3 switches in a Nexus shop. But when users prepare to deploy the devices in ACI mode, they can build a very simple leaf-spine physical infrastructure, which allows for non-blocking connectivity between nodes.
In ACI mode, the switches form a fabric controlled by Insieme's Application Policy Infrastructure Controller (APIC) as a single point of management for the entire system. When application traffic hits the network, the switches and the controller read the header information of the first packets in the application flow and automatically provision distinct network paths along with Layer 4-7 services and policy. On the flip side, these segments can also be rolled back just as easily, so the IT team is running only the applications and related network resources being used at any given time.
The controller works with a collection of application network profiles that define the requirements of an application and its interdependencies on the underlying network. The controller uses these profiles to dynamically provision networking, services, compute, storage and security for each application.
The controller also provides visibility of every endpoint in the system in real time in order to enforce policy and to provide health checks. Insieme also developed the Cisco Application Virtual Switch, which drives that policy enforcement for applications and visibility on each tenant.
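The flow-triggered, profile-driven provisioning and rollback described above, as an added toy model that is not code from the article, from Cisco or from Insieme. It assumes an illustrative profile schema (the `app`, `match`, `path`, `services` and `idle_timeout` fields are invented here), expresses the profiles as JSON because the article describes the controller's interface as a JSON REST API, matches the header fields of a flow's first packet against those profiles, provisions a per-application segment, rolls it back after an assumed idle timeout, and keeps an event log of every provision, rollback and unmatched flow, the kind of record a security team would want exported from a controller that is the single point of policy enforcement:

```python
"""Toy model of profile-based, flow-triggered provisioning with rollback.
Added example; not the article's or Cisco's code. Profile schema, matching
rule and timeout behaviour are assumptions made for illustration only.
"""
import json
from dataclasses import dataclass

# Constructed sample "application network profiles" in JSON form.
# All field names and values here are invented for this example.
SAMPLE_PROFILES_JSON = json.dumps([
    {"app": "web-tier", "match": {"dst_port": 443, "proto": "tcp"},
     "path": ["leaf1", "spine1", "leaf3"], "services": ["firewall", "lb"],
     "idle_timeout": 300},
    {"app": "hadoop", "match": {"dst_port": 8020, "proto": "tcp"},
     "path": ["leaf2", "spine2", "leaf4"], "services": [],
     "idle_timeout": 600},
])


@dataclass
class Segment:
    """A provisioned per-application network path plus its L4-7 services."""
    app: str
    path: list
    services: list
    last_seen: float


class ToyController:
    """Models a central controller: holds profiles, provisions a segment when
    the first packet of a matching flow arrives, rolls it back when idle."""

    def __init__(self, profiles_json):
        self.profiles = json.loads(profiles_json)
        self.segments = {}   # app name -> Segment currently provisioned
        self.events = []     # audit trail: ("provision"|"rollback"|"unmatched", ...)

    def _match(self, header):
        # A profile matches when every key in its "match" block equals the
        # corresponding header field of the first packet.
        for profile in self.profiles:
            if all(header.get(k) == v for k, v in profile["match"].items()):
                return profile
        return None

    def first_packet(self, header, now):
        """Handle the first packet of a flow. Returns the app name whose
        segment was provisioned or refreshed, or None when no profile matches
        (assumption: unmatched flows are simply left unprovisioned)."""
        profile = self._match(header)
        if profile is None:
            self.events.append(("unmatched", dict(header)))
            return None
        app = profile["app"]
        seg = self.segments.get(app)
        if seg is None:
            self.segments[app] = Segment(app, list(profile["path"]),
                                         list(profile["services"]), now)
            self.events.append(("provision", app))
        else:
            seg.last_seen = now   # flow still active; keep the segment
        return app

    def expire(self, now):
        """Roll back segments idle longer than their profile's idle_timeout.
        Returns the list of app names whose segments were removed."""
        timeouts = {p["app"]: p["idle_timeout"] for p in self.profiles}
        removed = []
        for app, seg in list(self.segments.items()):
            if now - seg.last_seen > timeouts[app]:
                del self.segments[app]
                self.events.append(("rollback", app))
                removed.append(app)
        return removed

    def active_apps(self):
        """Sorted names of applications with a segment provisioned right now."""
        return sorted(self.segments)


if __name__ == "__main__":
    ctl = ToyController(SAMPLE_PROFILES_JSON)
    ctl.first_packet({"dst_port": 443, "proto": "tcp", "src": "10.0.0.5"}, now=0)
    ctl.first_packet({"dst_port": 22, "proto": "tcp", "src": "10.0.0.9"}, now=1)
    ctl.expire(now=400)
    for event in ctl.events:
        print(event)
```

Running the block prints a provision event for `web-tier`, an unmatched event for the port 22 flow (no profile covers it), and a rollback for `web-tier` once the simulated clock passes its idle timeout; `active_apps()` is empty afterwards, which is the "only the applications being used at any given time" property the article describes.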
Just how open is the Cisco ACI controller?
Beyond network provisioning and visibility, the controller will act as a conduit for integrated IT orchestration. Cisco will encourage data center operators to integrate the controller on the northbound side with OpenStack, Puppet or Chef to orchestrate applications and services across compute, storage and networks. In fact, over time, APIC will be used to enforce policy and provisioning as an integrated part of UCS, orchestrating and provisioning storage, compute and network resources mapped to applications. The controller will be able to see interdependencies across all these resources.
The APIC controller can communicate with any endpoint in the physical and virtual infrastructure and can work in any hypervisor environment. Each controller can see up to one million endpoints.
Many proponents of SDN have championed openness and standards. In fact, Cisco led the effort to launch the OpenDaylight Project, which has drawn a broad list of vendors who subscribe to the idea that if they all use common northbound APIs and southbound interfaces, an ecosystem of network applications will emerge that are portable from one vendor's controller to another and engineers will be able to use a wide variety of data forwarding devices.
In a nod to this kind of openness, Cisco has a RESTful JSON API on the southbound and northbound sides of its APIC controller. On the southbound side, this approach would allow engineers to use OpenFlow or any other protocol to touch an object in the network – including NSX endpoints. On the northbound side of the controller, engineers could plug the OpenDaylight controller into the system.
But that’s not what Cisco is encouraging users to do. If users go that route, they “won’t get quite the same acceleration on the fabric side,” said Ish Limkakeng, a sales vice president of Insieme, which is now Cisco.
Instead, Cisco has created an ecosystem of orchestration, storage, security and Layer 4-7 partners that have tested integration into ACI. These partners include BMC, Computer Associates, Citrix, EMC, Embrane, Emulex, F5, IBM, Microsoft, NetApp, OpsCode, Panduit, Puppet Labs, Niksun, Red Hat, SAP, Splunk, Symantec, VCE, and VMware.
The path to Nexus 9000 and Cisco ACI migration could be bumpy
Even in stand-alone mode, the Nexus 9000 has a lot to offer in speeds and feeds -- which may leave customers wondering why Cisco bothered to try selling the new Nexus 7700 to them.
The Nexus 9508, which is already available, is an end-of-row 10 and 40 Gigabit Ethernet (GbE) chassis. Meanwhile, the 9396 switches, due out early next year, will have 48 fixed 10 GbE ports and 12 40 GbE ports. While the 9000s running in stand-alone mode could serve as, say, top-of-rack switches in an existing Nexus implementation, the Nexus 7000 line is not backward compatible with the full ACI mode switching fabric.
Fabbi called Cisco ACI the “Nexus 7000 killer.” But Cisco insists the Nexus 7000 series plays an important role in other aspects of the data center network, including inter-data center connectivity.
“Your 7000s will still be in distribution and core deployments, as well as data center interconnect,” said Limkakeng. “The 7700 is still a great distribution platform from a standpoint of scalability.” Meanwhile the Nexus 2000 Fabric Extender will still work in the ACI model, he said.
Cisco will begin selling Nexus 9000 switches immediately for stand-alone mode, but when the controller becomes available in 2014, customers will likely start by building “pods of capability,” said Rob Lloyd, Cisco president of development and sales. One example of these pods could be a Hadoop cluster, he explained. Over time, they’ll start to build the clusters together for a total brownfield data center transition.
For now, customers can get into ACI for as low as $75,000 for 288 ports with a pay-as-you-grow model, said Chambers.