Cisco has updated its Application Centric Infrastructure (ACI) architecture with new capabilities, including extended microsegmentation, support for automated insertion of third-party Layer 4-7 services, and integration of Docker containers.
The software update comes as Cisco now counts 1,100 ACI customers and more than 5,000 "ACI ready" Nexus 9000 customers. Cisco initially unveiled its ACI software-defined networking platform in November 2013; the centerpiece of the framework -- the Application Policy Infrastructure Controller (APIC), a centralized management controller that pushes policies out to the network -- became available last July.
The feature enhancements to the ACI fabric that Cisco announced today aren’t earth-shattering, but are the types of enhancements that “are very much expected as ACI/APIC matures to be a more consumable product for the mainstream,” Andrew Lerner, research director at Gartner, told me in an email.
On the security front, ACI now has extended microsegmentation support beyond Cisco Application Virtual Switch to VMware vSphere Distributed Switch (VDS) and Microsoft Hyper-V virtual switch, plus bare-metal workloads. Users can enforce more granular isolation for both physical and virtual workloads, and isolate workloads within the same policy group, which can come in handy in the event a VM is infected.
Given all the hubbub in the industry over Docker, ACI’s new Docker container support is noteworthy. The support comes via integration with Project Contiv, a Cisco-led open source project that defines operational policies for container deployment. Cisco told me that its initial efforts for container support focus on Docker, but that it plans to extend the support to other container technologies over time.
But the new feature that streamlines Layer 4-7 service insertion into the ACI fabric may be of more interest to enterprises, at least those that have already ventured into ACI deployments. Lerner said although Cisco has partnered with several companies such as F5 and Citrix to simplify deployment of L4-7 services, he’s heard from clients who are early ACI enterprise adopters that third-party device package integration can be difficult. That's due to internal staffing and cultural issues plus the requirement that both vendors be involved in the package deployment to get it operating correctly.
Cisco ACI now supports adding any L4-7 device without the need for a device package to coordinate with APIC, giving users more flexibility.
Another new capability comes via a new multi-site application in the ACI toolkit that enables policy-driven automation across multiple data centers. The app allows users to ensure policies are in sync across two separate, geographically dispersed network fabrics.
Cisco also expanded support for OpenStack by extending ACI policy into the Linux hypervisor using OpFlex on Open vSwitch. Cisco introduced OpFlex, an open standards-based southbound protocol, about 18 months ago.
And networking pros now have the option of using a familiar kind of interface to manage APIC -- an NX-OS style CLI -- in addition to REST APIs and GUIs.