Cisco is walking the fine line between building programmable networks that meet increasing corporate demand for open solutions, and building SDN that will protect the company’s primary business – the marketing of switching and routing hardware. How is it possible to square the circle? By “redefining open” in a new application-centric platform that unifies and automates the provisioning of physical and virtual resources in hardware-defined networking infrastructure. According to Frank D’Agostino, senior director, technical marketing and solutions engineering at Insieme Networks, the now wholly owned Cisco spin off tasked with developing the network giant’s alternative to SDN, this approach to ‘open’ carries no internal contradiction: the strong ecosystem of partners that Cisco brings to support its platform announcement, combined with Cisco’s innovation contributions to various open standards bodies attest to the broad applicability of the solution.
Beyond responding to the SDN challenge, Cisco’s Application Centric Infrastructure (ACI) announcement is designed to address what CEO John Chambers described as a fundamental shift: “Applications have become the lifeblood of our economy. They are how business is done; how partners and suppliers interact; how employees connect; how consumers share, learn and buy. Every business is becoming an applications business. Every industry is becoming an application-centric industry, and the business model shift is only accelerating.” This app-centric world has its corollary in the data centre – a growing need to quickly deploy, manage and provision apps with the requisite resources, and vendors such as HP have worked to develop templates that automate provisioning according to specific app compute requirements. Application Centric Infrastructure is Cisco’s answer to providing business agility through advanced networking, which is capable of delivering scale, security, full visibility and speed – “60 Tbps of switching capacity, three times faster multicast performance and a third of the latency at three times the traffic load of any other data center modular switch tested,” according to the company.
So what are the components of ACI, and how is this different from SDN solutions that are working to gain market traction? ACI is comprised of software, hardware and OS elements, including:
1) APIC is control software that unifies physical and virtual infrastructure to enable automation and central management of ACI fabric, programming policy and the health of all aspects of the network. It provides visibility into systems telemetry (packets), latency, and because it is hardwired into bare metal, unifies physical and virtual assets to offer enhanced control over VMs (including VMware, Microsoft, Xen and Red Hat), firewalls. The APIC delivers centralized provisioning, dynamic load balancing and orchestration through a single point of control in the Application Delivery Controller.
To address application specificity, APIC features Application Network Profiles that define an application’s infrastructure dependencies, which in turn instruct on the provision of networking, services and compute storage resources as well as security policies; Virtual ASA, integrated security services based on application needs that scale on demand and work in physical and virtual environments; and an Application Virtual Switch, which has been optimized for consistent policy enforcement to improve the performance of applications running on ACI.
2) Nexus 9000 portfolio, featuring the industry’s first backplane free design for a modular data center switch which provides a 15 percent improvement in power and cooling efficiency, and is designed to allow future scale to 100G and beyond. Other innovations include 40G Bidi Optics to ease transition to 40G with zero fiber costs, atomic counters for system level telemetry, and a built in line rate directory service supporting 1million endpoints. This series is available in modular and fixed 1/10/40 Gigabit Ethernet switch configurations and can operate in standalone NX-OS mode or in ACI mode. This dual capacity is designed to allow customers to protect existing Nexus investments while plotting a migration path to ACI.
3) An enhanced version of the NX-OS operating system, which enables transition to the ACI-mode of NX-OS through software upgrade and the addition of the APIC.
Through this holistic approach to network management, Cisco has been careful to distance itself from traditional SDN, which it describes as a “network of boxes” with “disjointed overlay and underlay” that lacks scale and security, is less capable of managing complexity and which requires more time to service applications (Cisco claims a 30 percent reduction in application completion time for ACI). Since it operates independently of switch data and control planes, Cisco argues, APIC removes Layer 2 from the equation to simplify networking, and allows the network to respond to endpoint changes even when APIC is offline. D’Agostino explained: “For networking, this is absolutely critical. We have been for many years, joining the application in the tenant service with the physical interface in the box. And because those two things have been coupled, I have to mirror the application in tenant service for everybody, and do complex configurations on an interface-by-interface and box-by-box basis. If I completely remove that association, the physical level is just layer three – and fast layer three… One you can define a service, and instantiate it, it can be automated.”
The result is improvement in performance and scale: Cisco claims the ability to deliver security and application policy at line rate 10/40 (and 100G in the future, 60 Tbps of switching capacity, three times faster multicast performance and one third the latency at three times the traffic load of any other data center modular switch, 20 percent greater non-blocking port density — 576 40G line rate ports with 50 percent plus reduction in ASICs per module compared to merchant silicon only competitors, the ability to manage 1M endpoints, 55K+ 10G ports and 64K+ tenants. Through dynamic load balancing and prioritization, Cisco claims to speed application completion time from 30 – 90 percent.
In this announcement, Cisco has also responded to arguments that third-party SDN, combined with commodity physical hardware can produce a more economical networking alternative. On this point, D’Agostino noted the ability to protect existing infrastructure through easy upgrade from NX-OS to the automated networking model that APIC represents (Catalyst migration is in planning), saving produced through use of a common policy framework and IT collaboration in a single, optimized platform for hardware, software and OS, and the potential to leverage existing investments in hypervisors and operating systems through open APIs – even the ability to integrate merchant silicon through Merchant Plus, a new technology that Cisco secures with its acquisition of Insieme.
In fact, Cisco claims that a TCO comparison between networking virtualization combined with merchant silicon vs. an app centric, ASIC-based solution produces a whopping 75% saving for the latter. According to D’Agostino, a huge part of this savings comes fromremoval of the “VM Tax” (VMware tax?) in the Cisco model – removal of software costs that approach $10 per VM, he estimated. What is not clear in the study assumptions (the Gartner link is little help here) is the true cost of network virtualization costs as compared to APIC, or the basis for capital expense estimates, which are virtually identical in the Cisco schema but rarely in reality.
Cisco has mustered broad support for this announcement, however, with a roster of partners that includes Computer Associates, Citrix, EMC, F5, IBM, Microsoft, NetApp, Red Hat, SAP, Symantec, VCE and VMware (and excludes many vendors who signed on to support VMware’s NSX platform) who will work with Cisco via connectors built to the APIC platform. This support is critical to the automation of networks in the heterogeneous environments which are typical of most customer operations. But D’Agostino differentiates this ‘open’ from ‘open’ as it is commonly understood: “OVSDB [Open vSwitch Database Management Protocol] is a good example of the challenge with these interfaces. OVSDB has a very limited subset of attributes that can be programmed based on a dadaptive model that came from Open vSwitch, and that is being pushed as a way of integrating physical and virtual. But it is not feature rich, it is very limited, and in this environment, you have to commit to opening your entire data model, and you have to do that in a way that is published.” In contrast, he argued, Cisco has built extensions – descriptors that enable infrastructure and management systems to read, see and interpret the application needs and integration capabilities in Merchant Plus that it “will be driving into the open community.” No doubt the company’s dominance in the networking marketplace will also serve to nudge the open dial closer to Cisco-defined networking.