Cisco Blogs

New Innovations for L4-7 Network Services Integration with Cisco’s ACI Approach

As application performance, security and delivery become more critical, and as the need for network automation grows, the vision of an architecture that allows easy integration of L4-7 services into the data center fabric is increasingly being validated. We see at least two services, load balancers and firewalls, in every application tier our customers deploy. Traditional deployment models are also shifting: the model has evolved from north-south traffic (perimeter-based approaches) to east-west traffic patterns, bringing new requirements for scale, security and application performance.

The Cisco Application Centric Infrastructure (ACI) architecture was designed to make network services both easy to integrate and easy to scale. ACI can manage physical switches, virtual switches in hypervisors and L4-7 services from multiple vendors, stitching everything together under the umbrella of applications. Recognizing that customers have a choice of L4-7 vendors, ACI takes an open approach, accommodating automation of network services from multiple vendors (in both physical and virtual form factors) through its policy-driven architecture and delivering greater operational simplicity to customers.

The traditional way of inserting L4-L7 devices from any vendor into the network is to manually steer traffic through those devices and to configure each of them independently. Today a network administrator does this manual steering by carefully provisioning VLANs, VRFs, subnets and so on.

While ACI supports the traditional mode of L4-L7 insertion for any vendor's device, it also provides additional capabilities for automating the entire workflow and tying it to applications. Automating L4-L7 integration through APIC involves two steps:

  1. Automatically steering traffic from one application tier through a chain of L4-L7 service devices and finally back to another application tier.
  2. Automatically configuring all L4-L7 devices in the chain as applications are deployed and modified.

Step 2 is the ultimate level of automation: configuring every L4-L7 device as the application requires and keeping that configuration up to date as the application life cycle changes. For example, customers add security policies to their firewall but never clear them, because it is hard to correlate which policies to clear when an application goes away, or when organizational changes move the relevant SME elsewhere. With APIC managing both the application tiers and the configuration on the L4-7 device, that configuration is added and removed dynamically as applications are added or removed.

What’s new?

Since day 1, APIC has supported the traditional manual way of inserting L4-L7 services from any L4-L7 vendor. ACI also supports a fully automated mode called “Managed” mode, in which both the network service stitching and the device configuration are performed, as described in steps 1 and 2 above. Managed mode requires a “device package”, which is typically provided by the L4-L7 ecosystem partner concerned and jointly qualified by Cisco and the partner for ACI.

A second new automation mode called “Unmanaged” will be introduced; it provides network stitching only, as described in step 1. Customers have realized that the traditional manual mode is error-prone and hard to automate as workloads move around. “Unmanaged” mode will provide a middle ground between the traditional L4-L7 mode and the fully automated ACI “Managed” mode.

Tales of a Fourth-Grade Something: Big Data with Cisco & Splunk at .conf & Strata

Someone at a meeting recently told me how cool it was that big data was finally moving out of the early adopter phase. He’s lucky I wasn’t drinking a beverage at the time, or he might have ended up wearing it.

I’m accused of being sort of a unicorn when it comes to the Big Data ecosystem, having worked with engineered Big Data environments since 2004 or so and Hadoop proper since 2009. And while some individual companies may be emerging from early adopter, it’s hard to say that Big Data itself is that new. You just have to look at the conference world to see how big this ecosystem has become, and how it’s shifted from theory and skunkworks projects and resume fodder, to technology solutions for new and metamorphic problems in business.

Some people will say “But surely there’s only been a competitive landscape for Hadoop distributions since 2012, right?” That’s true, but as I’ve said in 20 or more presentations in the past year, Big Data is more than Hadoop. And don’t call me Shirley.

One of the oldest companies driving Big Data software predates commercial Hadoop by a couple of years. In fact, they’re just about old enough to go into fourth grade (with apologies to Judy Blume for my title on this post). And you still have time to join Splunk (and Cisco) for their seventh annual worldwide user conference the week of September 21, 2015.

Buttercup at the .conf Search Party courtesy Lily Wai (@lgwai)

.conf is Splunk’s annual worldwide user conference, attended by thousands of customers, partners and users of Splunk’s suite of products.

Cisco has been attending, and presenting, for a while now, and 2015 is no exception. We will have a booth in the expo at .conf 2015, and you can join members of the Cisco team at two IT Operations breakout sessions.

  • Thursday, September 24, 11:15am: Cisco and Splunk: Under the Hood of Cisco IT (with Robert Novak and Cisco IT’s George Lancaster)

Learn how Cisco IT uses Splunk software to gain deep operational visibility into applications, accelerate problem resolution, and drive better business outcomes.

  • Thursday, September 24, 1:15pm: Event-Driven SDN with Splunk and Cisco’s Open SDN Controller (with Steven Carter and Friea Berg)

This session presents and demonstrates a system that uses Splunk and the Cisco Open SDN Controller to steer large data flows around firewalls and other devices that could disturb their performance, while actively blocking threats.

Make The World A Better Place – Simplify and Automate Your Data Center

Last week, I wrote about Cisco’s SDN Strategy for the Data Center. I’d like to follow that up with two comments today.

  • A reminder that we’ll be doing a webinar tomorrow on this topic, and
  • A general observation regarding SDN making the world a better place (don’t roll your eyes yet. There’s beer involved. Well, kind of. Read on…)

The webinar is called “How To Simplify and Automate Your Data Center With Cisco’s SDN Strategy” and it’s tomorrow, September 15, 2015 at 10am PST. You can register here. We’ll spend a few minutes talking about ACI, then much of the time on Programmable Fabric and Programmable Networks. As the webinar name implies, we’ll cover some cool tools that help make your life easier if you have anything to do with deploying and operating networks in a data center. We’ll have at least one demo and relate the technology back to some use cases, showing how SDN can be applied in practical ways.

As you consider the evolution of SDN over the past few years, it’s more or less gone from this thing with a limited definition (separation of control plane from data plane, etc.) that was kind of a solution looking for a problem, to a more loosely defined set of capabilities that are having real impact. There are still folks who define SDN as “Still Does Nothing”, but I think that – even if you wipe away the hype from the media, analysts, vendors, etc. – SDN is making business more effective and helping make people’s lives better. I’m not talking about feeding the hungry or creating global peace, that type of “make people’s lives better”.

I’m talking about the fact that most jobs have a certain amount of stuff that is cool/interesting/challenging/fun and another part that, well, just has to get done. The part that can be boring/laborious/mind-numbing. A long time ago, I used to run a network. I would copy and paste configs from one box, make a few changes to IP addresses, or interface numbers, or ACLs, or maybe route redistribution metrics, or whatever – and paste them to another box. Rinse, repeat. Many times. This was tedious stuff. And for the most part, not very interesting. Any activity with a lot of copying and pasting is probably better done by a machine than a human. But a lot of people are still running their networks in pretty much the same way.

There is a better way. SDN can help you minimize the ‘just have to get it done’ part of your job, so you can spend more time on stuff that is impactful and engaging. We will dig into this more tomorrow. So, maybe you won’t be displacing Mother Teresa, but you can make your world a better, more cool/interesting/challenging/fun place. And have more time to drink beer. Or do whatever it is you like to do. In any case, I hope you can be there.

Cisco UCS Director: Your Data Center Conductor

Customers frequently comment that IT simply isn’t keeping pace with their needs. Provisioning new data center resources can take weeks. To be fair, IT professionals are doing the best they can, but manual processes and organizational silos can make the process equivalent to trying to play a symphony without a conductor.

Cisco UCS Director’s advanced automation acts as the orchestra conductor for your data center. Your data center is the power source of your business: if it is slow, your business is slow. Cisco UCS Director’s advanced automation is exactly what you need to deliver speed and efficiency, allowing IT to move in concert with your business.

ITD: Load Balancing, Traffic Steering & Clustering using Nexus 5k/6k/7k/9k

Cisco Intelligent Traffic Director (ITD) is an innovative solution that bridges the performance gap between a multi-terabit switch and gigabit servers and appliances. It is a hardware-based, multi-terabit layer-4 load-balancing, traffic-steering and clustering solution on the Nexus 5k/6k/7k/9k series of switches.

It allows customers to deploy servers and appliances from any vendor with no network or topology changes. With a few simple configuration steps on a Cisco Nexus switch, customers can create an appliance or server cluster and deploy multiple devices to scale service capacity with ease. The servers or appliances do not have to be directly connected to the Cisco Nexus switch.

ITD won Best of Interop 2015 in the Data Center category.

With our patent-pending innovative algorithms, ITD (Intelligent Traffic Director) supports IP stickiness, resiliency, consistent hashing, exclude access-lists, NAT (EFT), VIPs, health monitoring, sophisticated failure-handling policies, N+M redundancy, IPv4, IPv6, VRFs, weighted load balancing, bi-directional flow coherency, and IP SLA probes including DNS. No service module or external appliance is needed. ITD provides order-of-magnitude CAPEX and OPEX savings for customers, and is far superior to legacy solutions such as PBR, WCCP, ECMP, port-channels and layer-4 load-balancer appliances.

ITD provides:

  1. Hardware-based multi-terabit/s L3/L4 load balancing at wire speed.
  2. Zero-latency load balancing.
  3. CAPEX savings: no service module or external L3/L4 load balancer needed. Every Nexus port can be used as a load balancer.
  4. Redirection of line-rate traffic to any devices, for example web cache engines, Web Accelerator Engines (WAE), video caches, etc.
  5. Capability to create clusters of devices, for example firewalls, Intrusion Prevention Systems (IPS), Web Application Firewalls (WAF) or a Hadoop cluster.
  6. IP stickiness.
  7. Resilient hashing (like resilient ECMP) and consistent hashing.
  8. VIP-based L4 load balancing.
  9. NAT (available for EFT/PoC), which allows non-DSR deployments.
  10. Weighted load balancing.
  11. Load balancing to a large number of devices/servers.
  12. ACLs together with redirection and load balancing simultaneously.
  13. Bi-directional flow coherency: traffic from A->B and B->A goes to the same node.
  14. Order-of-magnitude OPEX savings: reduced configuration and ease of deployment.
  15. Order-of-magnitude CAPEX savings: wiring, power, rack space and cost savings.
  16. The servers/appliances do not have to be directly connected to the Nexus switch.
  17. Monitoring of the health of servers/appliances.
  18. N+M redundancy.
  19. Automatic failure handling of servers/appliances.
  20. VRF support, vPC support, VDC support.
  21. Supported on all line cards of the Nexus 9k/7k/6k/5k series.
  22. Supports both IPv4 and IPv6.
  23. Cisco Prime DCNM support.
  24. Exclude access-list.
  25. No certification, integration or qualification needed between the devices and the Cisco NX-OS switch.
  26. The feature does not add any load to the supervisor CPU.
  27. ITD uses orders of magnitude less hardware TCAM resources than WCCP.
  28. Handles an unlimited number of flows.

For example:

  • Load-balance traffic to 256 servers of 10Gbps each.
  • Load-balance to a cluster of firewalls. ITD is far superior to PBR.
  • Scale IPS, IDS and WAF by load-balancing to standalone devices.
  • Scale an NFV solution by load-balancing to low-cost VM/container-based NFV.
  • Scale the WAAS / WAE solution.
  • Scale the VDS-TC (video-caching) solution.
  • Scale the Layer-7 load balancer by distributing traffic to L7 LBs.
  • ECMP and port-channels cause re-hashing of flows. ITD is resilient and doesn’t cause re-hashing on node add/delete/failure.
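The resilience and bi-directional flow coherency points above are textbook properties, and the following Python is added here as an illustration of them; it is not Cisco's patent-pending ITD implementation. It contrasts plain hash-mod-N selection (the ECMP/port-channel behaviour) with a consistent-hash ring when one node is removed, and shows a canonical flow key that keeps A->B and B->A on the same node. All node names and addresses are constructed.

```python
import hashlib
from bisect import bisect_right

def _h(s: str) -> int:
    # 64-bit hash of a string; SHA-256 is used only for a stable, uniform value.
    return int.from_bytes(hashlib.sha256(s.encode()).digest()[:8], "big")

def flow_key(src_ip: str, dst_ip: str) -> str:
    # Sort the endpoints so A->B and B->A yield the same key (flow coherency).
    a, b = sorted((src_ip, dst_ip))
    return f"{a}|{b}"

def modulo_pick(nodes: list, key: str) -> str:
    # ECMP/port-channel style selection: hash mod N. Changing N remaps most flows.
    return nodes[_h(key) % len(nodes)]

class ConsistentHashRing:
    # Each node owns `replicas` points on a ring; a key goes to the first point
    # at or after its hash (wrapping). Removing a node only moves that node's keys.
    def __init__(self, nodes: list, replicas: int = 64):
        self.replicas = replicas
        self.ring: list = []
        for n in nodes:
            self.add(n)
    def add(self, node: str) -> None:
        self.ring.extend((_h(f"{node}#{i}"), node) for i in range(self.replicas))
        self.ring.sort()
    def remove(self, node: str) -> None:
        self.ring = [(p, n) for p, n in self.ring if n != node]
    def pick(self, key: str) -> str:
        points = [p for p, _ in self.ring]
        return self.ring[bisect_right(points, _h(key)) % len(self.ring)][1]

def sample_flows(count: int = 2000) -> list:
    # Constructed (src, dst) pairs: clients in 10.0.0.0/16 talking to 192.0.2.0/24.
    return [(f"10.0.{i // 256}.{i % 256}", f"192.0.2.{i % 50}") for i in range(count)]

def compare_node_removal(nodes: list, removed: str) -> dict:
    # Fraction of flows that land on a different node after `removed` fails.
    flows = [flow_key(s, d) for s, d in sample_flows()]
    ring = ConsistentHashRing(nodes)
    before = {"modulo": [modulo_pick(nodes, k) for k in flows],
              "ring": [ring.pick(k) for k in flows]}
    remaining = [n for n in nodes if n != removed]
    ring.remove(removed)
    after = {"modulo": [modulo_pick(remaining, k) for k in flows],
             "ring": [ring.pick(k) for k in flows]}
    return {scheme: sum(b != a for b, a in zip(before[scheme], after[scheme])) / len(flows)
            for scheme in before}
```

With eight nodes and one failure, modulo hashing re-maps roughly seven of every eight flows, while the ring re-maps only the flows that were on the failed node; the same key canonicalisation is what keeps a stateful firewall seeing both directions of a session.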

Please note that ITD is not a replacement for a Layer-7 load balancer (URL, cookies, SSL, etc.). Please email: for further questions.

Connect on twitter: @samar4