
Cisco ACI – A Hardened Secure Platform With Native, Built-in Security

This blog has been developed in association with Javed Asghar, Insieme Business Unit.

The Cisco ACI platform consists of the Cisco APIC controller and Nexus 9000 series switches connected in a spine/leaf topology in a Clos architecture. All management interfaces (REST API, web GUI and CLI) are authenticated in ACI using AAA services (LDAP, AD, RADIUS, TACACS+) and RBAC policies that map users to roles and domains.
The ACI fabric is inherently secure because it uses a zero trust model and relies on many layers of security. Here are the highlights:

  • All devices attached to the ACI fabric use a hardware-based secure keystore:
    – All certificates are unique, digitally signed and encrypted at manufacturing time
    – The Cisco APIC controllers use Trusted Platform Module (TPM) hardware crypto modules
    – The Cisco Nexus 9000 series switches use a Trust Anchor Module (TAM) to store digitally signed certificates
  • During ACI fabric bring-up, or when a new device is added to an existing ACI fabric, every device is authenticated based on its digitally signed certificate and identity information.
  • Image download and boot:
    – All fabric switch images are digitally signed using RSA-2048 private keys
    – When an image is loaded onto an ACI fabric device, the signed image must always be verified for authenticity using hardware-rooted Cisco Secure Boot
    – Only once that verification succeeds can the image be loaded onto the device
  • The ACI fabric system architecture completely isolates the management VLAN, the infrastructure VLAN and all tenant data-plane traffic from each other. (The Cisco APIC communicates in-band over the infrastructure VLAN.)
  • Infrastructure VLAN traffic is fully isolated from all tenant (data-plane) traffic and from management VLAN traffic.
  • All messaging on the infrastructure VLAN used for bring-up, image management, configuration, monitoring and operation is encrypted using TLS 1.2.
  • After a device is fully authenticated, the network admin inspects and approves the device into the ACI fabric.

These are the layers of security built into ACI’s architecture that prevent rogue or tampered devices from gaining access to the ACI fabric.
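The signed-image gate in the bullets above (an image signed with an RSA-2048 private key that is verified before it may load) is illustrated by the following added Go example. It is not Cisco code and does not model the real Cisco Secure Boot or ACI image format: it generates a stand-in vendor key, signs a constructed image, and then shows the device-side check rejecting both a tampered image and an image signed by an untrusted key. The names SignedImage, NewVendorKey, SignImage and LoadImage are assumptions for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedImage is a constructed stand-in for a switch image plus its detached
// signature (hypothetical type; the real image format is not modelled here).
type SignedImage struct {
	Payload   []byte
	Signature []byte
}

var ErrBadSignature = errors.New("secure boot: signature verification failed, refusing to load image")

// NewVendorKey generates the build-side RSA-2048 signing key (the key size the post states).
func NewVendorKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SignImage is the build-time step: hash the image with SHA-256 and sign the digest (PKCS#1 v1.5).
func SignImage(priv *rsa.PrivateKey, payload []byte) (SignedImage, error) {
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return SignedImage{}, err
	}
	return SignedImage{Payload: append([]byte(nil), payload...), Signature: sig}, nil
}

// LoadImage is the device-side step: the payload is handed back for boot only if its
// signature verifies against the trusted public key; anything else is rejected outright.
func LoadImage(trusted *rsa.PublicKey, img SignedImage) ([]byte, error) {
	digest := sha256.Sum256(img.Payload)
	if err := rsa.VerifyPKCS1v15(trusted, crypto.SHA256, digest[:], img.Signature); err != nil {
		return nil, ErrBadSignature
	}
	return img.Payload, nil
}

func main() {
	vendor, err := NewVendorKey()
	if err != nil {
		panic(err)
	}
	img, err := SignImage(vendor, []byte("constructed switch image bytes"))
	if err != nil {
		panic(err)
	}
	// This public key stands in for the one anchored in the device's trust hardware.
	trusted := &vendor.PublicKey

	if _, err := LoadImage(trusted, img); err == nil {
		fmt.Println("genuine image: loaded")
	}

	// Flip one byte of the payload while keeping the original signature.
	tampered := SignedImage{Payload: append([]byte(nil), img.Payload...), Signature: img.Signature}
	tampered.Payload[0] ^= 0xFF
	_, err = LoadImage(trusted, tampered)
	fmt.Println("tampered image:", err)
}
```

The point of the structure is that LoadImage is the only path that returns bytes to boot from, and it returns nothing unless verification passes; a device that follows this pattern cannot "load first, check later".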

Please stay tuned for a blog posting by Praveen Jain (ACI Engineering VP) in the coming weeks, which will cover APIC and fabric security in more detail.

Praveen Jain’s recent blogs:
New Innovations for L4-7 Network Services Integration with Cisco’s ACI Approach

Micro-segmentation: Enhancing Security and Operational Simplicity with Cisco ACI

Network Security Considerations

Additional Information:
The Cisco Application Policy Infrastructure Controller 



A Summary of Cisco VXLAN Control Planes: Multicast, Unicast, MP-BGP EVPN

With the adoption of overlay networks as the standard deployment for multi-tenant networks, Layer 2 over Layer 3 protocols have been the favorite among network engineers. One of the Layer 2 over Layer 3 (or Layer 2 over UDP) protocols adopted by the industry is VXLAN. As with any other overlay network protocol, its scalability is tied to how well it handles Broadcast, Unknown unicast and Multicast (BUM) traffic. That is where the evolution of the VXLAN control plane comes into play.

The standard does not define a “standard” control plane for VXLAN. There are several drafts describing the use of different control planes. The most commonly used VXLAN control plane is multicast. It is implemented and supported by multiple vendors and is even natively supported in server operating systems such as the Linux kernel.

This post summarizes the three control planes currently supported by some Cisco NX-OS/IOS-XR platforms. My focus is mainly on the Nexus 7k, Nexus 9k, Nexus 1k and CSR1000v.

Each control plane may have a series of caveats of its own, but those are not covered by this blog entry. Let’s start with some VXLAN definitions:

(1) VXLAN Tunnel Endpoint (VTEP): maps tenants’ end devices to VXLAN segments and performs VXLAN encapsulation/de-encapsulation.
(2) Virtual Network Identifier (VNI): identifies a VXLAN segment. The VNI is a 24-bit field, so there are 2^24 = 16,777,216 IDs in theory (valid VNI values are 4096 to 16777215). Each segment can transport 802.1Q-encapsulated packets, which gives 2^12 = 4096 VLANs over a single VNI.
(3) Network Virtualization Endpoint or Network Virtualization Edge (NVE): the overlay interface configured on Cisco devices to define a VTEP.
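The VNI range and the inner 802.1Q VLAN from the definitions above, as an added Go example that is not part of the original post: a minimal parser for the 8-byte VXLAN header that checks the I flag, extracts the 24-bit VNI, rejects VNIs outside 4096..16777215, and reads the inner 802.1Q VLAN ID when the encapsulated frame carries one. ParseVXLAN, BuildVXLAN, TaggedInner and Frame are assumed names; the sample packets are constructed inline.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// VXLAN header layout (8 bytes, RFC 7348):
//   byte 0    flags; bit 0x08 is the I flag and must be set for the VNI to be valid
//   bytes 1-3 reserved
//   bytes 4-6 24-bit VNI
//   byte 7    reserved
const vxlanHeaderLen = 8

// Valid VNI range as given in the definitions above.
const (
	vniMin uint32 = 4096
	vniMax uint32 = 16777215 // 2^24 - 1
)

var (
	ErrShort    = errors.New("vxlan: packet shorter than the 8-byte header")
	ErrNoIFlag  = errors.New("vxlan: I flag not set, VNI is not valid")
	ErrVNIRange = errors.New("vxlan: VNI outside 4096..16777215")
)

// Frame is the decoded result (hypothetical type for this example).
type Frame struct {
	VNI   uint32
	VLAN  int    // inner 802.1Q VLAN ID, or -1 when the inner frame is untagged
	Inner []byte // the encapsulated Ethernet frame
}

// ParseVXLAN validates the outer VXLAN header and decodes the inner frame's VLAN tag.
func ParseVXLAN(pkt []byte) (Frame, error) {
	if len(pkt) < vxlanHeaderLen {
		return Frame{}, ErrShort
	}
	if pkt[0]&0x08 == 0 {
		return Frame{}, ErrNoIFlag
	}
	// Read bytes 4..7 as big-endian and drop the reserved low byte to get the 24-bit VNI.
	vni := binary.BigEndian.Uint32(pkt[4:8]) >> 8
	if vni < vniMin || vni > vniMax {
		return Frame{}, ErrVNIRange
	}
	inner := pkt[vxlanHeaderLen:]
	vlan := -1
	// Inner Ethernet: 6 bytes dst, 6 bytes src, 2 bytes EtherType. EtherType 0x8100 means
	// an 802.1Q tag follows; the VLAN ID is the low 12 bits of the 2-byte TCI.
	if len(inner) >= 16 && binary.BigEndian.Uint16(inner[12:14]) == 0x8100 {
		vlan = int(binary.BigEndian.Uint16(inner[14:16]) & 0x0FFF)
	}
	return Frame{VNI: vni, VLAN: vlan, Inner: inner}, nil
}

// BuildVXLAN wraps an inner frame in a VXLAN header; used here only to construct sample input.
func BuildVXLAN(vni uint32, inner []byte) []byte {
	hdr := make([]byte, vxlanHeaderLen)
	hdr[0] = 0x08 // I flag
	hdr[4] = byte(vni >> 16)
	hdr[5] = byte(vni >> 8)
	hdr[6] = byte(vni)
	return append(hdr, inner...)
}

// TaggedInner returns a constructed inner Ethernet frame carrying an 802.1Q tag with the given VLAN ID.
func TaggedInner(vlanID uint16) []byte {
	inner := make([]byte, 18) // dst(6) src(6) TPID(2) TCI(2) EtherType(2)
	binary.BigEndian.PutUint16(inner[12:14], 0x8100)
	binary.BigEndian.PutUint16(inner[14:16], vlanID&0x0FFF)
	binary.BigEndian.PutUint16(inner[16:18], 0x0800) // an IPv4 payload would follow
	return inner
}

func main() {
	f, err := ParseVXLAN(BuildVXLAN(5000, TaggedInner(100)))
	fmt.Println(f.VNI, f.VLAN, err)

	_, err = ParseVXLAN(BuildVXLAN(100, TaggedInner(100)))
	fmt.Println(err) // VNI 100 is below the valid range
}
```

A VTEP or a monitoring tool that decodes VXLAN should apply exactly this kind of check before trusting the VNI, since the header is plain UDP payload with no integrity protection of its own.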

VXLAN with Multicast Control Plane



Ready, Set…Cloud! Vblock, VxBlock and Cisco ACI usher in operational simplicity and software defined innovation for the cloud era

Complexity is easy. Simplicity is hard. Solving operational complexity has been one of the hardest challenges in data center and cloud build-outs. For customers, the challenge of interfacing with different infrastructure vendors and driving integration has been a significant hurdle in the past, slowing application rollouts. The success of the integrated Infrastructure approach has largely been due to focused efforts on behalf of multiple vendors to come together to solve this challenge, resulting in a new hyper-growth market category being created. According to IDC’s Q3CY2014 integrated infrastructure tracker, the integrated infrastructure market has grown to ~$5.5B annually and most analysts have this market growing at 30+ percent YoY.

A shining example of solving this huge challenge has been VCE’s Vblock offerings, which have been on a stellar growth path. Nothing speaks better of this than the customer success and market traction it enjoys:

  • VCE surpassed a $2 billion annualized demand run-rate for Vblock and Vblock-related products and services exiting Q3 2014.
  • Its sixth consecutive quarter of greater than 50% year-over-year demand growth.
  • Clear leader in integrated infrastructure systems according to Gartner and IDC
  • A leader in the Gartner, Inc. Magic Quadrant for Integrated Systems, based on an evaluation of VCE’s completeness of vision and ability to execute.

With its UCS Integrated Infrastructure solution approach, Cisco has been in the midst of all of this action. Cisco UCS, Nexus and MDS switches have been key components of the integrated offering, along with innovations from the other companies. Customers have loved the operational benefits as they scale their cloud build-outs. Last October, next-generation “ACI-ready” Vblocks were introduced, allowing customers to further accelerate their journey to SDN and cloud.

And now it is time to raise the bar even further. As VCE introduces VxBlocks in addition to the flagship Vblock offering, as well as vScale architectures and VCE Vision 3.0, Cisco and VCE are together committed to build on the past success as we align our sights to the future –

  • VCE and Cisco are committed to driving open, future-proof converged infrastructure solutions through GA shipments of ACI-ready Nexus 9K enabled Vblocks and Cisco UCS. We already have 100+ joint customers in production.
  • VxBlocks will feature the Nexus 9K as their default networking platform to support all their different flavors of SDN within their integrated infrastructure, while Cisco UCS will continue to be their default compute platform. As of Cisco’s last fiscal quarter there were over 1,700 Nexus 9000 and Cisco ACI customers, making the Nexus 9000 one of the highest-growth products within the company, and new Cisco APIC customers shot up to over 300 within two quarters. Cisco UCS has been on a tear in terms of worldwide market share and has continued to set world-record benchmarks.
  • The Vscale Fabric is ACI enabled and includes the Nexus 9000s as the networking component of the fabric. This allows customers to choose ACI and get its added benefits. If a customer chooses to deploy ACI in the fabric, the APIC would be deployed as an add-on. The Vscale architecture also uses MDS as the SAN fabric, enhancing its convergence capabilities.

What Cisco Application Centric Infrastructure (ACI) Brings to Vblocks and VxBlocks

Cisco ACI is all about operational flexibility and choice. For example, customers can enjoy the benefits of the Nexus 9396 in standalone mode, or deploy it in an ACI leaf configuration. This is called “ACI-ready”. They can also be “ACI-enabled”, which means the Nexus 9396s are ACI leafs connected to spines and APIC clusters, all provisioned and supported as part of a Vblock or VxBlock.



Cisco ACI and Nexus 9000 Activities at Cisco Live Milan 2015

Interested in learning more about Cisco Application Centric Infrastructure and Nexus 9000? We are hosting a myriad of activities here at Cisco Live Milan 2015! With Meet the Expert sessions and Demos at the World of Solutions, DevNet Zone labs, a plethora of breakout sessions, and customer whisper suite sessions, there is a wide range of content available throughout the week at the MiCo. Check out the highlights below.


  • “Let’s Discuss: Cisco’s Controllers – Why, What, How, When”

Wednesday, January 28 • 2:30pm – 3:30pm

  • “API Deep Dive: APIC DC”

Monday, January 26 • 3:30 PM – 4:30 PM

  • “API Deep Dive: APIC DC APIs”

Thursday, January 29 • 11:00 AM – 12:00 PM


1. TECACI-2009 – Intermediate – Application Centric Infrastructure (ACI) – The Policy Driven Data Center
2. BRKAPP-9000 – Introduction to Application Centric Infrastructure
3. BRKACI-2001 – Intermediate – Integration and Interoperation of existing Nexus networks into an ACI architecture
4. TECDCT-2002 – Intermediate – Next Generation Data Center Infrastructure
5. BRKAPP-9004 – Intermediate – Data Center Mobility, VXLAN & ACI Fabric Architecture
6. BRKACI-3456 – Advanced – Mastering OpenStack and ACI
7. TECDCT-2002 – Intermediate – Next Generation Data Center Infrastructure
8. BRKACI-2006 – Intermediate – Integration of Hypervisors and L4-7 Services into an ACI Fabric
9. LTRDCT-1224 – Intermediate – Implementing VXLAN in Datacenter
10. BRKDCT-1302 – APIC and Nexus 9000: Network Programmability and Automation
11. BRKVIR-2931 – Intermediate – End-to-End Application-Centric Data Center

Cisco ACI/N9K Whisper Suites

Please visit to register a request. Please note a Cisco domain name is required.

Whisper suites are being held offsite at:

Melia Milano Hotel

Via Masaccio, 19

We hope you will enjoy the show.


Software Defined Networks with L4-L7 ADC Policy Automation

It seems only a short time ago that we introduced Cisco ACI to the market, but it is already time for the one-year anniversary. In this one-year period we have seen tremendous momentum in customer adoption and the partner ecosystem for both the Nexus 9k hardware platform and the ACI software. To date there are more than 1,000 Nexus 9k hardware customers and more than 200 ACI software customers. And don’t forget the growing ecosystem of partners, which now stands at an impressive 34.

To commemorate this one-year anniversary of ACI and its success, we have planned a grand Data Center Webcast to be broadcast on Jan 13 at 9 AM PST. Click here to register for the webcast. Attendees of the webcast will have the opportunity to hear from our ACI ecosystem partners how their solutions integrate to help customize and extend ACI deployments. The audience will also hear from Cisco customers all over the world about the benefits they’ve discovered with our ACI architecture. Check out Cisco exec Shashi Kiran’s blog for more details on the webcast.

For the remainder of this blog I am going to focus on the ACI L4-L7 partner ecosystem momentum. Since August 2014, major L4-L7 Application Delivery Controller (ADC) vendors have collaborated with our Insieme Business Unit to build, test and certify joint integrated solutions and to introduce publicly downloadable device packages, so that customers can seamlessly deploy ACI in existing ADC deployments.


What makes the ACI integration with L4-L7 ADC vendors’ devices so seamless and easy? The answer lies in the flexible and open service policy management inherent in ACI: the highly open and programmable nature of Cisco APIC, the ability to selectively associate service chains with specific applications and data flows, and the flexibility of applying application delivery policies to different applications (Figure 1). This far exceeds what a traditional network-based ADC offers. To date F5, Citrix and A10 Networks have built FCS versions of device packages for Cisco ACI. I want to take you on a quick tour of each of these ACI joint solutions and the benefits they uniquely bring to existing customer deployments.

The exciting L4-L7 ecosystem ramp began in August 2014 when ADC market leader F5 announced the availability of its device package for ACI. Since then, our partnership has clicked into high gear. We had very successful F5 Agility events in Copenhagen (June) and New York (early August) showcasing the Cisco ACI-F5 BIG-IP joint solution in breakout sessions, the World of Solutions expo, and keynote panels. Cisco also published a jointly written technical whitepaper, a solutions brief and a design guide with F5. In the webcast planned for Jan 13, we have an exclusive partner panel session featuring F5 exec Calvin Rowland and Cisco exec Soni Jiandani. I urge you to tune in to this webcast to get the low-down on the customer traction and how customers are benefiting from the policy-based automation and application-centric approach of our joint solution.

The Citrix and Cisco strategic partnership dates back to early 2010 with a strategic alliance on the UCS-Citrix Desktop Virtualization front. Since then, our alliance has expanded to other technology areas, and in August we introduced the ACI-Citrix NetScaler joint solution to market with the availability of the Citrix device package for Cisco ACI. Citrix and Cisco ACI engineering teams are also actively working in IETF and ODL standards efforts to create thought leadership around NSH and the OpFlex protocols. I can vouch that it will be a rewarding experience for you to listen to Steve Shah of Citrix at the Jan 13 webcast and get insights on how customers are benefiting from our joint solution, featuring an open policy model and a programmable infrastructure. Check out the solutions brief and whitepaper on our joint website for more details.

A10 Networks is the new kid on the ACI ecosystem block. ACI’s SDN paradigm is a natural fit for A10 Networks’ vision and strategy of exposing L4-L7 networking features programmatically. As a first step, A10 Networks has successfully certified its device package for ACI, which is now available for download. The A10 device package is open source and can easily be enhanced by customers to create custom value with near-ubiquitous programmability. Exciting near-term joint engagements include potentially collaborating on OpFlex and NSH standards efforts, as well as on advanced ADC features such as WAF, SSL offload, GSLB and device partitions, among others. I do not want to steal all of the webcast’s thunder, so tune in on Jan 13 to get a 360-degree view from A10 CTO Raj Jalan.

As I write this blog there is more exciting news: Radware is also testing its ACI device package with the Insieme Business Unit now. Stay tuned to hear more about the outcome of this engagement. The L4-L7 ACI ecosystem momentum is truly on a fast track. In closing, I want to reiterate: do not forget to register for Cisco’s ACI webcast set for Jan 13.
