The Anatomy of Automation: Q&A With Cisco's Roland Acra

Steve Saunders
12/7/2017

Automating the data center

SS: How have you gone about bringing automation to life inside the data center?

RA: The first manifestation of automation in the data center was Cisco's Application Centric Infrastructure (ACI) intent-based networking framework. Before ACI we built things like network forwarding paradigms, access control and policy implementations around this static view of where the applications were on the network. You knew that behind this Ethernet port was the database, behind this other one was a web server or what have you -- and you manually created your policy based on this information.

The problem with doing things that way is that today's applications are much more fragmented; they have a multi-point footprint, and it changes over time because of virtualization and containerization. What we think of as a database at ten in the morning might have nine VMs implementing it on three servers, but by noon it will probably peak to 23 VMs on a whole bunch of other servers. And yet we still want our policy to follow that mobile, nomadic and elastic workload.

So, this was the genesis of ACI, which replaces this model with a programmatic paradigm that allows users to define a contract that they want to initiate with their network; one which defines which applications can talk to what databases; issues those instructions to the network using the kind of abstractions that an application developer is familiar with; and goes on to ensure that the network continues to enforce that policy regardless of whether the database expands, shrinks, or moves around because of things like containers.

And that's the genesis of ACI. Simply, it's a new, expressive language for you to declare what you would like the network to do for you, and we've had a ton of success with that. Today we have upwards of 4,000 customers with big ACI fabrics.

Step two happened about a year ago, when we brought Tetration Analytics to market. The purpose of Tetration is to answer the questions that came up when customers implemented ACI and realized that, while it was wonderful to be able to define intent on the network, they lacked the level of visibility into what was running where in their data centers to be able to take advantage of it and formulate their intent in the first place.

So, that's what Tetration does: delivering broad, pervasive visibility. Not a single packet gets missed. Not a single communication element gets missed across all the applications that are running. More importantly, it automatically creates the intent, expressed as a white list of what is allowed, using this pervasive visibility and behavioral observation of the applications over the network as well as within their host operating system. It does an amazing amount of work by sitting there and listening to what the network is doing, and what workloads are doing, teed up through observation and machine learning.

So, this is a new concept. Increasingly the industry is using the term "intent-based networking." And there are lots of definitions. To me, in the data center, intent-based networking is about creating the ability for programmers to formulate what they would like the network to do for them in a way that is expressive, that a programmer relates to. A coder, not a network admin.

But Tetration is more than that. It gives you the whole life cycle of everything running in your data center; the inventory and footprint [of the applications]; how these change over time; how they talk within each cluster to one another, and how they talk across clusters; it gives you graphs of connectivity on who's calling who when, on which port, and in which direction; and ultimately it results in a suggested white list that you, with ultimate human agency, correct or agree with, or complement with context that we can't infer from observation of telemetry, and then lock it down as your unique policy, and make sure that it is honored and enforced in a way that the network can support.

And the exciting thing is that Tetration works both with Cisco switches, at line speed, if you happen to have a Cisco Nexus switching network, or via a software agent that travels with the workload regardless of underlying switching infrastructure. This means it can work in a Cisco environment, a non-Cisco environment, or where you have a mix. And it can work in a cloud infrastructure, so customers can use it with Amazon or Azure or whatever.

SS: Which means you can get the benefits of this whether you have your own private cloud or whether you're transitioning across a public cloud?

RA: That's right. Or if you're straddling both, which is often the case.

SS: A hybrid cloud.

RA: That's right; a multi-cloud footprint. And this is really where the majority of our customers are today. They like some attributes of Amazon, they like some attributes of Google or Azure, but there's a lot that they continue to do on premises, and they don't want to have a fragmented policy and compliance model. They're saying "I have to prove that my consumer data was treated with the utmost care... we can't have an Equifax situation. I want to prove that I've protected the databases from not talking to strangers or not being exposed to more connectivity than they have to."

We're moving on from how we used to build IP networks, and enterprise networks, which was "anything goes," with one or two exceptions. Today, the prevailing model for security and for compliance -- known as "zero trust" -- is to say "Nothing goes, except where I open the veins for the blood to flow through." The new paradigm is "don't talk to strangers."
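The observe-then-whitelist workflow Acra describes (flows observed on the wire, lifted to application labels, corrected by an operator, then enforced as "nothing goes except what is allowed"), as an added illustration that is not Cisco's or Tetration's code; the inventory, flow tuples and function names below are constructed assumptions.

```python
from collections import Counter

# Constructed inventory: workload address -> application label. A tool like
# Tetration would learn this from host agents or switch telemetry; hard-coded here.
INVENTORY = {
    "10.0.1.5": "web", "10.0.1.6": "web",
    "10.0.2.10": "db",
    "10.0.3.7": "cache",
}

# Constructed flow telemetry: (src_ip, dst_ip, dst_port, proto)
OBSERVED = [
    ("10.0.1.5", "10.0.2.10", 3306, "tcp"),
    ("10.0.1.6", "10.0.2.10", 3306, "tcp"),
    ("10.0.1.5", "10.0.3.7", 6379, "tcp"),
    ("10.0.1.6", "10.0.3.7", 6379, "tcp"),
]

def build_allow_list(inventory, flows):
    """Lift IP flows into label space: {(src_app, dst_app, port, proto): count}."""
    counts = Counter()
    for src, dst, port, proto in flows:
        s, d = inventory.get(src), inventory.get(dst)
        if s is None or d is None:
            continue  # unlabelled endpoint: no intent can be inferred for it
        counts[(s, d, port, proto)] += 1
    return dict(counts)

def review(allow_list, add=(), remove=()):
    """Human-agency step: the operator strikes entries or adds unobserved context."""
    reviewed = {k: v for k, v in allow_list.items() if k not in set(remove)}
    for k in add:
        reviewed.setdefault(k, 0)  # count 0: added by policy, never observed
    return reviewed

def is_allowed(allow_list, inventory, flow):
    """Zero-trust enforcement: deny unless the label tuple is on the list."""
    src, dst, port, proto = flow
    s, d = inventory.get(src), inventory.get(dst)
    if s is None or d is None:
        return False  # unknown workloads ("strangers") never talk
    return (s, d, port, proto) in allow_list

if __name__ == "__main__":
    policy = build_allow_list(INVENTORY, OBSERVED)
    scaled = dict(INVENTORY, **{"10.0.2.11": "db"})  # db scaled onto a new server
    print(is_allowed(policy, scaled, ("10.0.1.5", "10.0.2.11", 3306, "tcp")))  # True
    print(is_allowed(policy, scaled, ("10.0.3.7", "10.0.2.10", 3306, "tcp")))  # False
```

Because the policy is keyed on application labels rather than addresses, the new db VM is covered without touching the allow-list, while the cache host reaching the database is denied by default.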

FordGP
User Rank: Light Beer
12/27/2017 | 4:40:35 AM
Re: What's poor old Roland done to upset you
The speech is very slightly hijacked, without more
kq4ym
User Rank: Light Sabre
12/25/2017 | 9:00:14 AM
Re: Very True
It does indeed seem pretty logical how Roland thinks, and taking his explanation when he says "I can go and build all this from scratch -- build a company, raise funds and so forth -- or there's a platform right there at Cisco for me..." does seem an indication that he's got a good head on those shoulders to take on the challenge for Cisco to move forward in a direction that will keep growing business and profits over the coming years.
mhui0
User Rank: Lightning
12/16/2017 | 12:16:48 PM
What Roland talked about
What Roland talked about, other vendors already have products in that space that are shipping.
Steve Saunders
User Rank: Blogger
12/8/2017 | 5:17:45 PM
Re: What's poor old Roland done to upset you
Hi Dalaman, I don't think "poor" Roland needs your sympathy (or patronization). He seems to have an interesting job, and to enjoy it. I enjoyed the conversation with him.

What you are reading is called "journalism." That's where I analyze information, and hold independent opinions.

There are plenty of folk suggesting Cisco is looking at leaving or at least backing off from CSP right now - it's more than supposition. And that's something that our readers need to know... and now they do. You're welcome.

I suspect this nuance may either have sailed over your head, or more likely it doesn't gel with your personal agenda. If so, there are lots of other Web sites to read which will happily just parrot the vendor position du jour.

Steve

Dalaman Tunk
User Rank: Light Beer
12/8/2017 | 8:25:27 AM
What's poor old Roland done to upset you
Won't Roland be upset you've hijacked his interesting interview to take a pot shot? Certainly not just Cisco putting the wind up SPs for eyeing up their lunch... but guessing the others bought tickets to your party lol.