The new platform has two major components: the Application Policy Infrastructure Controller (APIC) and a new switch line, the Nexus 9000 series.
The APIC is a software controller designed to run on UCS, Cisco’s server platform. The driving notion behind APIC is the creation of application profiles. These profiles encompass all the resources and services that an application requires (bandwidth, throughput, QoS, storage, compute, load balancing, and so on).
The APIC then configures the network to provide the required elements. The controller will support OpenFlow, onePK (Cisco’s proprietary package of southbound APIs for Cisco gear), and other mechanisms for configuring network hardware.
Administrators create the application profiles using an extensible scripting model from Cisco. “Policies remain with the application regardless of where the application resides, so you don’t have the problem of thousands of ACLs that no one is really sure what they do,” said Ish Limkakeng, vice president at Insieme. “When you change the application profile, it gets updated by the APIC to keep it consistent.”
Application profiles would be created by the application team in an enterprise, with input from network, security and storage teams.
Limkakeng noted that because the controller maintains a view of the entire system, it will prevent application profiles from demanding more resources, such as bandwidth, than the network can provide. Limkakeng said the APIC should be able to scale up to tens of thousands of application profiles.
He also noted that while APIC can program the network and update application profiles, the controller is not involved in forwarding traffic. “If the APIC went out of the picture, you could still forward,” he said.
The APIC works with both a physical underlay and a network overlay. At present, the underlay requires the Nexus 9000 to serve as the spine nodes in a leaf/spine architecture.
Thus, customers looking to deploy APIC will have to purchase these new switches. Limkakeng also said that APIC will support the Nexus 7000 and Nexus 2000 Fabric Extender, as well as Cisco’s ASR, but that the 9000 is required to build out the physical fabric.
Given the requirement of Nexus 9000 switches, early deployments of APIC are likely to be set up as islands within an existing data center. “I think we’ll see customers stand up a pod within a data center…and workloads migrated over time,” said Limkakeng. He cited a low-end entry point of $75,000 for a deployment of a few hundred ports.
The Nexus 9000 series comes in two major models: the 9508, a 10/40 GbE, 13 rack-unit chassis for end-of-row or aggregation deployments, and a pair of 9300 switches for top of rack that offer a mix of 1, 10 and 40 GbE ports.
Note that the Nexus 9000 switches run Cisco’s NX-OS. They require an upgrade to NX-OS Plus to work with the controller.
APIC uses VXLAN for the overlay. It also supports a variety of hypervisors, including VMware vSphere, Microsoft Hyper-V and Red Hat KVM, to enforce virtual network policies and to gather telemetry.
An SDN controller is designed to present interfaces to third-party applications and services (so-called northbound APIs), and APIC is no different. Cisco has said it will support APIs for OpenStack, the popular cloud orchestration platform, as well as for a number of vendors such as F5 and Sourcefire. These partners will aim to provide services, such as load balancing and security, for APIC to link to.
Cisco will also enable its own gear to interoperate with APIC. As part of its ACI framework, Cisco announced ACI Security, which integrates management of security services into the controller, and a new virtual firewall called the ASAv.
The ASAv works with multiple hypervisors and includes all of the features of Cisco's other Adaptive Security Appliances. Unlike Cisco's existing virtual firewall, the ASA 1000v, which works with the Nexus 1000v switch, the ASAv is "virtual switch agnostic," Scott Harrell, vice president of Cisco Security Technology, said in an interview.
Cisco also updated its ASA 5585-X security appliance to interoperate with the new Nexus 9000 switches; Harrell said the appliance can scale to 640 Gbps via 16-way clustering with state synchronization. ACI Security is designed to provide visibility into both virtual and physical infrastructure.
The ability to provision and manage security via the controller will streamline what is today often a cumbersome and time-consuming firewall configuration process, Harrell said. With the ability to deploy ASAv appliances in a scalable way, security administrators can conduct more granular traffic inspection for improved security, he said.
The announcement of APIC brings to three the number of controllers in which Cisco has some involvement. Two it owns outright: APIC and Open Network Environment (ONE), a controller Cisco debuted in February 2013.
Cisco is also closely involved in the OpenDaylight project, an effort from the Linux Foundation to build an open-source controller. Cisco contributed code from ONE that serves as the basis of the OpenDaylight controller.
Cisco also announced its intention to acquire the remaining stake in Insieme Networks, an early-stage company in which Cisco was the majority owner.