
Cisco Upgrades SDN Security, Flexibility

Cisco today announced a new software release for its SDN platform, the Application Centric Infrastructure (ACI), that takes major strides toward openness and provides some useful service provider tools as well. Among the benefits of the new release are multi-site policy coordination, simplified service chaining to produce higher-level services and applications, and integration of Docker containers through open source work to which Cisco is contributing.

In general, this latest Cisco Systems Inc. (Nasdaq: CSCO) release includes a lot that is useful for service providers and "a sense of openness that is refreshing," says Dan Conde, an analyst with the Enterprise Strategy Group (ESG). "For telcos who like to integrate components to construct a telco cloud, these products can fit in well, including ACI toolkits that enable apps, open source code for integrating with OpenStack and containers and use of standards like EVPN."

The release has two components, a release 1.2 of the Cisco Application Policy Infrastructure Controller (APIC) and Release 11.2 of Cisco's NX-OS. Those sound incremental, says Conde, but he thinks there is more to this particular software release than those numbers reflect.

Here's a look at some of the new capabilities:

Extension of ACI across multi-site environments to deliver policy-driven automation across multiple data centers: One advantage of this approach, says Srinivas Kotamraju, director of product management for ACI, is that it lets service providers move workloads between data centers while keeping policies consistent, and use the same mechanism for disaster recovery across data centers, so that failures can be recovered from easily.

As analyst Conde notes, this functionality allows ACI customers to keep policies consistent across a wide geography. "But the interesting thing is that this is not a 'feature,' it's a multi-site app they wrote using an ACI toolkit," he says. "So this means that in the future, more apps can be written to run atop ACI."

Enhanced security: ACI can now provide micro-segmentation support for VMware Inc. (NYSE: VMW)'s VDS, Microsoft Corp. (Nasdaq: MSFT)'s Hyper-V virtual switch and bare-metal applications. Kotamraju sees that as important to service providers because it lets them set "specific security policies at a very granular level" and isolate virtual machines based on a variety of attributes for security purposes. Conde sees this enhancement as more interesting in the enterprise environment, where VMware and Hyper-V are more widely in use.


Simplified Layer 4-Layer 7 services: ACI no longer requires what's called a device package to do service chaining or service insertion so that becomes easier, Conde notes. "Service providers who need to stitch together services will find this very useful."

Broader choices of cloud automation tools: Cisco is offering what it calls "the industry's most comprehensive support for cloud automation tools." In addition to its previous support of Microsoft AzurePack for private clouds, Cisco now also supports full policy-based cloud automation with VMware vRealize Automation and OpenStack deployments. The company has also open sourced an agent for OpFlex, Cisco's policy protocol, which extends ACI into the Linux hypervisor, Conde says.

"This means that they are living up to working with the open source community," he says. "Previously, they've opened up their ACI-like policy capabilities with an open source project called Group-Based Policy. With this addition, ACI works well with OpenStack with deeper integration. It works with Red Hat, Mirantis and Ubuntu."

With this new functionality Cisco "can offer distributed switching and routing and network address translation in OpenStack through our ACI fabric and Open vSwitch," says Michael Cohen, product management director for ACI. "It gives you a scalable high-performance networking solution for OpenStack. We offer operational visibility into an OpenStack cloud environment -- from APIC, you can actually see how different virtual machines are distributed across your OpenStack environment."

Docker container support: Cisco already supports both physical and virtual endpoints, and now extends that support to Docker container endpoints through integration between the Cisco Application Policy Infrastructure Controller (APIC) and Project Contiv. Project Contiv is an open source project defining infrastructure operational policies for container-based application deployment. ACI's unified policy model enforces policy via endpoint groups (EPGs), an EPG being a collection of network endpoints that can span bare-metal servers, virtual machines and containers. Docker offers an open source platform for running distributed applications in Linux containers.

"It plugs into Docker's 'libnetwork' framework to be one of many possible plugins to allow containers across multiple servers to talk to each other," Conde explains. "Before, that was cumbersome. So this means you can have consistent policies that work across containers, physical or virtual machines. What's interesting is that here Cisco is being quite open with the open source community. You see other networking projects -- like Project Calico from Metaswitch -- that plug into Docker networking, but Cisco is also joining these open source efforts."
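To make the EPG policy model behind the micro-segmentation and container support concrete, here is an added example, not Cisco's code and not the APIC object model or REST API: a small Python model in which endpoints of all three kinds (bare metal, VM, container) are classified into EPGs by their attributes, and traffic between EPGs is dropped unless a contract explicitly permits it. The EPG names, attribute tags, endpoints, contracts and flows are all constructed for the example; the quarantine group and the first-match rule ordering are assumptions of this model, not documented ACI behaviour.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# ---- data model (constructed for this example; not APIC's object model) ----

@dataclass
class Endpoint:
    name: str
    kind: str                      # "vm", "container" or "baremetal"
    attrs: Dict[str, str] = field(default_factory=dict)

@dataclass
class EpgRule:
    """Attribute-based membership rule: an endpoint joins `epg` when every
    key in `match` equals the endpoint's attribute of that name."""
    epg: str
    match: Dict[str, str]

@dataclass
class Contract:
    """One permitted flow initiated from a consumer EPG to a provider EPG.
    Only the initiating direction is modelled; the reverse contract is not
    implied."""
    consumer: str
    provider: str
    proto: str
    dport: int

QUARANTINE = "quarantine"   # assumed catch-all EPG for endpoints matching no rule

def classify(ep: Endpoint, rules: List[EpgRule]) -> str:
    """Return the EPG for an endpoint. Rules are evaluated in order and the
    first full match wins; anything unmatched is quarantined rather than
    silently landing in a permissive group."""
    for rule in rules:
        if all(ep.attrs.get(k) == v for k, v in rule.match.items()):
            return rule.epg
    return QUARANTINE

def is_allowed(src: Endpoint, dst: Endpoint, proto: str, dport: int,
               rules: List[EpgRule], contracts: List[Contract],
               isolated=frozenset({QUARANTINE})) -> bool:
    """Whitelist semantics: traffic between two EPGs is dropped unless a
    contract permits it. Endpoints in the same EPG may talk freely unless
    that EPG has intra-EPG isolation enabled (here: the quarantine EPG)."""
    s_epg, d_epg = classify(src, rules), classify(dst, rules)
    if s_epg == d_epg:
        return s_epg not in isolated
    return any(c.consumer == s_epg and c.provider == d_epg
               and c.proto == proto and c.dport == dport
               for c in contracts)

# ---- constructed sample policy and inventory ----
RULES = [
    EpgRule("web", {"tier": "web"}),
    EpgRule("app", {"tier": "app"}),
    EpgRule("db",  {"tier": "db", "os": "linux"}),
]
CONTRACTS = [
    Contract("web", "app", "tcp", 8080),
    Contract("app", "db",  "tcp", 5432),
]
ENDPOINTS = {
    "web-vm-1":  Endpoint("web-vm-1", "vm", {"tier": "web", "os": "linux"}),
    "app-ctr-7": Endpoint("app-ctr-7", "container", {"tier": "app", "os": "linux"}),
    "db-bm-1":   Endpoint("db-bm-1", "baremetal", {"tier": "db", "os": "linux"}),
    "db-bm-2":   Endpoint("db-bm-2", "baremetal", {"tier": "db", "os": "linux"}),
    "rogue-vm":  Endpoint("rogue-vm", "vm", {"os": "windows"}),   # no tier tag
}

Flow = Tuple[str, str, str, int]

def evaluate(flows: List[Flow], rules=RULES, contracts=CONTRACTS,
             endpoints=ENDPOINTS) -> List[Tuple[Flow, str]]:
    """Evaluate (src, dst, proto, dport) flows; returns (flow, verdict) pairs."""
    out = []
    for src, dst, proto, dport in flows:
        ok = is_allowed(endpoints[src], endpoints[dst], proto, dport, rules, contracts)
        out.append(((src, dst, proto, dport), "permit" if ok else "deny"))
    return out

if __name__ == "__main__":
    sample = [
        ("web-vm-1", "app-ctr-7", "tcp", 8080),   # permitted by contract
        ("app-ctr-7", "db-bm-1", "tcp", 5432),    # permitted by contract
        ("web-vm-1", "db-bm-1", "tcp", 5432),     # lateral move, no contract
        ("db-bm-1", "db-bm-2", "tcp", 22),        # same EPG, not isolated
        ("rogue-vm", "app-ctr-7", "tcp", 8080),   # unclassified endpoint
        ("app-ctr-7", "web-vm-1", "tcp", 8080),   # wrong direction
    ]
    for (s, d, p, port), verdict in evaluate(sample):
        print(f"{s:>10} -> {d:<10} {p}/{port:<5} {verdict}")
```

The point the model makes is that segmentation is a property of the classification, not of the network topology: the VM, the container and the bare-metal hosts are placed in groups by attribute, so a workload that moves between hosts or sites keeps its policy, and an endpoint nobody tagged gets no reachability at all instead of inheriting whatever the default VLAN allowed.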

Operational flexibility: To make it easier for telecom operators to do things in a manner with which they are already familiar, Cisco is adding software functionality that provides support for a Command Line Interface for APIC, in addition to two graphic user interface modes (basic and advanced) and SNMP-based support as well.

Cisco's ACI platform has already started gaining traction with service providers, as indicated in the company's most recent quarterly earnings statement. (See Cisco SP Revenue Improves – Finally.)

— Carol Wilson, Editor-at-Large, Light Reading

Phil Morrison 12/3/2015 | 3:30:35 PM
Re: Really welcome upgrade and news of the new "Open" Cisco offerings
Nuage Networks has had microsegmentation for quite some time already. I hardly see this as a game changer for Cisco; it's more like a "must have" capability.

One would hope that Cisco can port this capability over to their customers who invested in Nexus 7K infra. If not, Nuage Networks can certainly do so with its SDN overlay capabilities.

NetworkT47565 12/3/2015 | 3:14:12 PM
Really welcome upgrade and news of the new "Open" Cisco offerings
This could be a game-changer in the microsegmentation space. To date, VMware has had that as its secret sauce and it's been one of the most compelling reasons for NSX sales (or at least POCs) to date.

With Cisco attempting to match this feature (albeit in a slightly different way) we may now see it as the expected norm, with the zero trust model already being deployed as the modus operandi for most SDN operating systems, and let's see if it can galvanise the move to 9Ks for those enterprises with security and zoning at the heart of their requirements.