Tech101 – Cisco ACI

I recently completed the Cisco ACI Field Engineering course.  This post describes the major building blocks of the Cisco Application Centric Infrastructure (ACI) and how it all fits together.

Cisco ACI is the next generation of Data Center flexible network fabrics, it replaces what you currently have with Nexus 2K, 5K and 7K (traditional Core, Distribution, Access or FabricPath architecture).  Cisco’s previous TRILL-based leaf and spine technology is FabricPath, which has nothing to do with ACI (based upon VXLAN).  The two are not compatible and unrelated, aside from supporting the Clos-type architecture.

Cisco ACI is designed to provide a unified fabric for physical and virtual networking, moving away from the management of individual physical switches.  If you are used to the policy construction of the Cisco UCS, then you will easily understand Cisco ACI.

The Cisco Application Centric Infrastructure (ACI) has the following major components:

• Clos-type Leaf and Spine architecture with VXLAN ECMP
• Application Policy Infrastructure Controller (APIC) – minimum of three per fabric.  The APIC has a UI but is really designed for northbound REST API integration with a Cloud Management Platform that will push policy into the ACI fabric.
• 3rd party integration via OpFlex (open policy protocol supporting XML and JSON)
• Nexus 9000 Product Family – 9500 series & 9300 series
• Spine Switches – Nexus 9336 fixed chassis (“baby spine”) or 9736 line card with the 95xx chassis
• Application Virtual Switch (AVS) – replaces the Nexus 1000V and allows APIC policy to be pushed to the vSwitch

The diagram below illustrates the Cisco ACI Leaf and Spine architecture, complete with APIC management nodes.

Cisco ACI is driven via policy and the main policy groups are:

• APIC Controllers
• Fabric, Access & Inventory
• Tenants
• VM Domains
• Layer 4 to Layer 7 Services
• AAA & Security

Weaknesses (Cisco APIC version 1.0)

• Can only use the Nexus 9000 series hardware for the ACI fabric.  There is talk of other Nexus models and other vendors being supported in the future.
• Only a small number of vendors support OpFlex at this point in time (eg. F5, Citrix).
• Cisco ACI was released in 2014, it will take some time for it to gain maturity.
• Currently does not have the concept of Micro-segmentation as a service of the hypervisor (like VMware NSX-v does).
• ACI Fabric “Federation” (unifying multiple ACI fabrics into one) is not currently supported.
• Single vCenter to multiple ACI fabrics is currently not supported (technically possible, but is an unsupported configuration).
• Operationally complex without a Cloud Management Platform to push policy, which is true for any network virtualisation solution.
• Current supported CMPs are OpenStack and Cisco UCS Director.
• QoS enforcement within the ACI fabric is currently not supported.

For additional information:

• Cisco ACI Homepage
• Cisco Application Centric Infrastructure Fundamentals Guide
• If you want to play with Cisco ACI in your lab, here is the Cisco ACI Simulator.
• OpFlex: An Open Policy Protocol
• Learning ACI Parts 1, 2 & 3 by Adam Raffe
• Data Center Flexible Fabric Overview (FabricPath/TRILL, OTV, LISP & VXLAN) by Ron Fuller
• On choosing VMware NSX or Cisco ACI by Brad Hedlund
• Using TRILL, FabricPath, and VXLAN: Designing Massively Scalable Data Centers (MSDC) with Overlays (Networking Technology) by SK Hooda et al.