Cloud provider merging ACI’s network fabric with open source storage and compute framework
At last count, only 15% of the now 2,000 combined customers for Cisco Systems’ Application Centric Infrastructure (ACI) and VMware’s NSX SDN products were using them in production mode.
One such Cisco customer, cloud provider Key Information Systems of Agoura Hills, CA, is using ACI to provide cloud-enabled data center services to organizations in Southern California. KeyInfo is looking for ACI to provide it with multi-tenancy security, automated application-based network provisioning, and scalability of virtualized and non-virtualized workloads.
Over time, KeyInfo will combine ACI with an OpenStack managed hosting offering to provide an application policy-based networking component to OpenStack’s compute and storage-centric cloud fabric, says Clayton Weise, director of cloud services at KeyInfo. But for now, ACI and Cisco’s Nexus 9000 switches are replacing an aged Catalyst 6500 infrastructure with a higher performance fabric, and setting the foundation for new network-as-a-service offerings from the KeyInfo cloud.
“We did some fairly limited deployments of it early on,” Weise said, describing KeyInfo’s current ACI deployment as 12 leaf switches, four spines and three APIC controllers clustered together. “We were using it to replace Cat 6500 chassis. It was a migration in terms of moving the cabling and everything over. The next phase for us is we’re really going to use some of the functionality more heavily in our environment.”
That next phase is a bit more of a transition, Weise says, because KeyInfo also has an existing investment in Cisco Nexus 5000s to be migrated to the Nexus 9000s. It will take a bit more time because KeyInfo has to do a lot more design work to take advantage of more ACI functionality, he says.
After evaluating Cisco ACI, Juniper Networks’ Contrail and Arista Networks’ Software Defined Cloud Networking, KeyInfo selected ACI because of Cisco’s incumbency with the cloud provider, but also to apply switch-based policy management to a hybrid, multivendor environment of server colocation, virtual infrastructure and legacy IBM AS/400 and AIX systems that need to participate in VXLANs.
“Having that type of encapsulation and de-encapsulation of what they’re doing in the VXLAN, doing that at the switch made a lot more sense for us,” Weise says. “It allowed us to merge those environments without a whole lot of difficulty.”
KeyInfo is also looking at extending the ACI fabric out across its DWDM optical network and into the customer premises. So longer term, ACI will be offered as a service from KeyInfo in addition to supporting the cloud provider’s own infrastructure.
And that service will ostensibly be application policy-based networking integrated with OpenStack’s compute and storage capabilities.
“OpenStack is pretty modular when it comes to compute and storage,” Weise says. “But when it comes to networking it’s a little bit more monolithic. ACI is the direction we’re going to go because it gives us the best flexibility.”
It will also ease implementation of firewalls and other security services that go beyond OpenStack’s “namespaces on a Linux box” security, he says.
“For a lot of our client base, that is totally unacceptable,” Weise says. “Plus, some might have specific reasons for why they want to use Palo Alto Networks (firewalls) or (Cisco) ASA with intrusion protection. That kind of capability doesn’t come easy with the way OpenStack is now so we have to use ACI to add network security-as-a-service on top of the services that are already there.”
Weise says a mix of different technologies will be used in conjunction with OpenStack group-based policy and ACI group-based policy to meet the “stringent requirements” of KeyInfo’s customers.
KeyInfo is not using the OpFlex policy protocol, developed by Cisco, Microsoft, IBM, Citrix and Sungard, to push group-based policies out to the infrastructure, though it is an option, Weise says. Another is middleware from a third-party vendor to do that through ACI API calls, he says.
“We’re trying to stay away from being too much of a middleman” for translating and instantiating policies, Weise says.
The biggest challenge in implementing ACI was leaving the old CLI routines behind when defining, configuring and administering group-based policy, Weise says. The biggest benefit is the automation of configuring endpoint groups versus manually touching each device in that group.