Cisco has extended the data center SDN controller that its Insieme spin-in developed so it now manages legacy campus and branch networks as well.
Cisco originally presented Insieme's Application Centric Infrastructure (ACI) as a data center product line that comprises the Application Policy Infrastructure Controller (APIC) and a new Nexus 9000 series of switches. Now the company has added a Cisco APIC Enterprise module that extends that control to Catalyst switches, Integrated Services Routers (ISRs) and ASR-1000 enterprise edge routers.
"Data center SDN is really about IT process automation -- shorter provisioning times, automating the turning up of services. It allows IT to do things faster," he said. "SDN in the WAN and the access edge is about user experience automation. It's making applications run better. You can have a video conference call talk to APIC and it will open up a pipe between two endpoints and maintain a certain quality of service [until the video session ends]."
How Cisco APIC Enterprise works
APIC will initially control Catalyst switches, ISRs and ASRs by automatically programming Cisco's command-line interface (CLI). As these devices begin to support Cisco's onePK programmatic interface and OpenFlow, the APIC Enterprise module will use those interfaces as well. OpenFlow support will also allow APIC Enterprise to manage the network devices of other vendors.
APIC Enterprise is based on software from the forthcoming Hydrogen release of the open source OpenDaylight Project, said Jeff Reed, vice president of SDN at Cisco. APIC Enterprise uses OpenDaylight's southbound abstraction layer, which "allows us to support multiple protocols on the southbound interface," he said.
APIC's automated CLI programming allows Cisco to deliver SDN-like functionality to enterprises with legacy infrastructure, said Lee Doyle, principal analyst for Wellesley, Mass.-based Doyle Research. Cisco won't be adding onePK and OpenFlow support to its older switches and routers due to hardware limitations, and engineers aren't going to rip out devices in the middle of their depreciation cycle just to add those features.
Cisco APIC Enterprise use cases
Reed said APIC Enterprise is a Swiss Army knife. Customers and partners can develop any number of applications for the controller's northbound interface to solve problems on the network.
Cisco partners Radware, Glue Networks, Citrix Systems and ActionPacked Networks will all integrate with APIC Enterprise via its northbound application programming interfaces, he said. For example, Citrix NetScaler can identify applications running inside a virtual desktop infrastructure (VDI) session. Reed said NetScaler will signal APIC Enterprise to adjust quality of service (QoS) settings on routers and switches based on which applications are running in VDI.
Cisco has developed its own initial applications to serve three use cases, Reed said.
The first use case is security automation. "Today a lot of applications that can identify security risks will kick off a trouble ticket," Reed said. Engineers then have to update access control lists or firewall rules and then deal with the infected host. With APIC Enterprise, engineers can define security policies that automatically update security infrastructure to quarantine those infected hosts.
APIC Enterprise can also simplify QoS provisioning. "Cisco recently implemented Jabber HD [internally]," Reed said. "The IT team had to touch 7,000 switches with five to seven lines of [QoS] configuration changes. We created the ability [with APIC Enterprise] to drag and drop applications across either four or eight classes of QoS. Then the controller takes that high-level intent and translates that based on the topology of the network, what devices are in the network, what versions of IOS you are running, and what roles those devices play. It pushes those changes out across the infrastructure automatically."
The third use case involves the automatic configuration of Cisco's Intelligent WAN (IWAN) architecture, a set of features on Cisco routers that optimizes user experience. Performance Routing is a core element of IWAN. It allows a router to choose the best WAN link based on the priority of an application and the performance of that link. Adoption of this feature has been slow because the router configuration is highly manual, Reed said. APIC Enterprise will now automate that configuration.
Cisco APIC Enterprise beyond Catalyst, ISR and ASR
APIC Enterprise's OpenFlow support will also allow the controller to work with third-party equipment, which is important outside the data center.
"Survey data shows that in campus environments, 60% to 80% of organizations are dual-vendor, which is not the case in data centers. That means you need to have management and control that can manage other people's equipment, not just your own," said Andre Kindness, principal analyst for Cambridge, Mass.-based Forrester Research Inc.
Cisco is also developing an APIC module for other switches in its data center portfolio. "We're working on a module for Nexus 7000 and Nexus 5000," Reed said. "Stay tuned for that."
APIC Enterprise is in trials with customers now. The software will begin shipping in the second quarter of this year.