Tech101 – Cisco ACI

I recently completed the Cisco ACI Field Engineering course.  This post describes the major building blocks of the Cisco Application Centric Infrastructure (ACI) and how it all fits together.

Cisco ACI is the next generation of Data Center flexible network fabrics, it replaces what you currently have with Nexus 2K, 5K and 7K (traditional Core, Distribution, Access or FabricPath architecture).  Cisco’s previous TRILL-based leaf and spine technology is FabricPath, which has nothing to do with ACI (based upon VXLAN).  The two are not compatible and unrelated, aside from supporting the Clos-type architecture.

Cisco ACI is designed to provide a unified fabric for physical and virtual networking, moving away from the management of individual physical switches.  If you are used to the policy construction of the Cisco UCS, then you will easily understand Cisco ACI.

The Cisco Application Centric Infrastructure (ACI) has the following major components:

  • Clos-type Leaf and Spine architecture with VXLAN ECMP
  • Application Policy Infrastructure Controller (APIC) – minimum of three per fabric.  The APIC has a UI but is really designed for northbound REST API integration with a Cloud Management Platform that will push policy into the ACI fabric.
  • 3rd party integration via OpFlex (open policy protocol supporting XML and JSON)
  • Nexus 9000 Product Family – 9500 series & 9300 series
  • Spine Switches – Nexus 9336 fixed chassis (“baby spine”) or 9736 line card with the 95xx chassis
  • Application Virtual Switch (AVS) – replaces the Nexus 1000V and allows APIC policy to be pushed to the vSwitch

The diagram below illustrates the Cisco ACI Leaf and Spine architecture, complete with APIC management nodes.

Cisco_ACI_Physical

Cisco ACI is driven via policy and the main policy groups are:

  • APIC Controllers
  • Fabric, Access & Inventory
  • Tenants
  • VM Domains
  • Layer 4 to Layer 7 Services
  • AAA & Security

Cisco_ACI_Policy_Universe

Weaknesses (Cisco APIC version 1.0)

  • Can only use the Nexus 9000 series hardware for the ACI fabric.  There is talk of other Nexus models and other vendors being supported in the future.
  • Only a small number of vendors support OpFlex at this point in time (eg. F5, Citrix).
  • Cisco ACI was released in 2014, it will take some time for it to gain maturity.
  • Currently does not have the concept of Micro-segmentation as a service of the hypervisor (like VMware NSX-v does).
  • ACI Fabric “Federation” (unifying multiple ACI fabrics into one) is not currently supported.
  • Single vCenter to multiple ACI fabrics is currently not supported (technically possible, but is an unsupported configuration).
  • Operationally complex without a Cloud Management Platform to push policy, which is true for any network virtualisation solution.
  • Current supported CMPs are OpenStack and Cisco UCS Director.
  • QoS enforcement within the ACI fabric is currently not supported.

For additional information:

7 thoughts on “Tech101 – Cisco ACI

  1. What was the name of the course you attended, I take it it was the implementation one from Cisco themselves? Would you recommend it?

    • Hello Simon, This is a course that Cisco offers to their Partners and early adoption Customers: “Cisco ACI Field Engineering” course, 5 days, excellent hands on labs. Highly recommended for implementers and installers, not really tailored for architects who are interested in design nuances and caveats (as the title of the course suggests) – however the instructors are quite happy to chat about design when there is time. Cheers, Rene.

  2. Thanks for a nice summary!
    My 5 cents:
    There is also a two-day Cisco ACI SE (sales engineer, apparently) course to pair the FE one. As far as I understand, the SE course content is a subset of FE’s content; so, if you attended ACI FE, there is no point in spending time on SE as well. And the lab part of the SE course is done on dcloud, with no real hardware.

  3. What happened with DFA (Dynamic Fabric Automation)? That was the previous solution offered by Cisco with Nexus 5000/7000, which seems to be abandoned.
    What do you think about it?
    I’m delivering the DCNX5K30 course and DFA is one of the chapters
    I don’t know how to explain Cisco abandoning this technology.

    • My guess would be that since Cisco developed ACI from the ground up with VXLAN, elements of DFA are probably present but the name has changed. Pure speculation on my part. I read the DFA data sheet and most of the functional elements are included in ACI.

  4. I agree with you!
    But the most important change is ACI is only supported with Nexus 9000
    Nexus 5000 and 7000 doesn’t support ACI
    Thanks

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s