When it comes to leadership in the SDN marketplace, clearly there is one winner, and that is Cisco ACI. The proof is in customer momentum numbers: Cisco ACI has 2700+ customers and a rapidly growing ecosystem of 65 technology partners. ACI ecosystem partners come from a broad spectrum of categories (L4/L7, Security Management and Orchestration, Analytics, Operations Monitoring and Compliance, Service Delivery, and others) addressing a broad set of use cases and buying-center requirements.
In this blog, I intend to give an overview of our major L4-7 ecosystem partner solutions, the new innovations, a quick discussion of what to look forward to in 2017, and how customers can benefit from deploying these solutions.
Before I continue, I would like to thank my colleagues Ahmed Dessouki and Asha Hegde (Insieme Business Unit), our colleagues at the Cisco Security Business Unit, and our ecosystem partners for their contributions to this blog.
Cisco ACI with Cisco Security
Cisco continued to enhance and extend security integration with ACI throughout 2016. The ASA device package, available since the introduction of ACI, received updates to improve policy automation capabilities while development began for Cisco’s advanced threat protection solutions: Firepower NGIPS and Firepower Threat Defense NGFW. Highlights include:
- TrustSec support in the ASA device package to simplify policy management by enforcing policy based on Security Group Tags (SGT)
- Rapid Threat Containment for ACI to instruct APIC to quarantine offending devices when a threat is detected
- Offering customers ASA deployment flexibility by adding support for Service Manager Mode integration with the ASA Fabric Insertion device package. This allows organizations to benefit from automated firewall service insertion without disrupting the way ASA(v) policy is managed
- Integrating advanced threat protection with the FirePOWER (NGIPS) and Firepower Threat Defense (NGFW) device packages. The device packages will support Service Manager Mode, so security service insertion is automated by APIC while security policy management stays in the Firepower Management Center. These are currently in Beta with a release target of Q1 CY17.
In 2017, we’ll add support for additional use cases with Rapid Threat Containment for ACI and will improve policy automation and simplicity by allowing FirePOWER/Firepower Threat Defense policy to be defined using ACI constructs like EPGs.
Cisco ACI with A10 Networks
The integration of A10 Networks Thunder Application Delivery Controllers with Cisco ACI provides organizations with rich application services in a shared, multi-tenant environment. This integration can be leveraged to dynamically provision advanced L4-L7 application services, and to ensure that SLAs and security requirements are consistently met. The Thunder ADC platform can help customers to deliver secure, responsive, and always-on experiences to their users from their data center applications and networks. A10 Thunder and Cisco ACI integration enables customer choice with Thunder hardware, virtual, and bare metal form factor integration.
The integrated solution has been generally available (GA) since 2014, and since GA, A10 has focused on enhancing the solution with additional features. This year, A10 enhanced the service policy mode with complete ADC on-device capabilities, including support for device clustering and data path redundancy, WAF, Layer-3 virtualization and multi-tenancy, and various deployment modes. In 2017, A10 will implement the service manager mode through the A10 aGalaxy centralized management system, which will further simplify deployment and provide advanced ADC deployment capabilities. A10 will also integrate its security offerings into the ACI environment.
Cisco ACI with Avi Networks
The Avi Vantage Platform, a software-defined application services product with separate central control and distributed service delivery, is integrated with the L4-7 service insertion framework of ACI. In 2016, several multinational organizations deployed the joint ACI-Avi solution in production. In addition, the solution was enhanced with support for ACI Service Manager Mode, application services across different VRFs, and single-arm deployment of load balancers with traffic reachable through ACI L3 routed mode.
2017 will see continuing advancements and differentiation in performance and resilience, with features such as BGP route health injection for elastic scale-out and policy-based routing for advanced traffic flow. These will enable further automation of customer environments with software-defined networking across the entire stack.
Cisco ACI with Check Point
Check Point vSEC for Cisco ACI offers industry-leading advanced security protections against malware and zero-day attacks, as well as advanced cloud network integration for modern data-center infrastructures. Certified by Cisco for ACI, vSEC automates provisioning and simplifies deployment of Check Point's advanced threat prevention security in next-generation data centers built on Cisco ACI technology. Together, Cisco and Check Point provide a powerful solution that gives customers proactive protection from cyber threats, complete traffic control, and full threat visibility, logging and reporting across both physical and virtual data center environments. The joint solution forms the foundation of a dynamic application delivery architecture, where comprehensive security protections seamlessly follow workloads to accelerate application deployment while lowering the costs and complexities of securing private clouds.
vSEC for Cisco ACI, released in July 2016, delivers comprehensive threat prevention; automated security provisioning (insertion) supporting both go-thru (L2) and go-to (L3) service insertion models; automated and dynamic security policies with auto-discovery of Cisco ACI cloud objects (endpoint groups); import and use of EPG objects in security policy for ease of provisioning and for fine-grained micro-segmented security policy; complete threat visibility, with policies and logs that reference cloud objects; and centralized, unified management and control. The joint integrated solution uses the Service Manager integration mode for physical, multi-tenant and virtual security gateways; Network Policy Mode is also supported. In 2017, Check Point will add deeper integration with ACI environments: support for tagging/auto-quarantining of infected hosts, enhanced PBR (policy based redirect) support that avoids many unnecessary topology and configuration changes to EPGs, dynamic peer routing capabilities, multi-site/multi-pod support, and Check Point apps in Cisco App Center.
Cisco ACI with Citrix
We are very excited to deliver on yet another innovative and differentiated solution to our growing base of customers: integration between Citrix NetScaler Management and Analytics System (MAS) and Cisco ACI. This solution is also referred to as Service Manager Mode/Hybrid Mode. Simply put, this mode enables customers to perform network automation through the Application Policy Infrastructure Controller (APIC) while delegating the rich and detailed L4-L7 configuration to NetScaler MAS, which acts as a Device Manager in the APIC. With Service Policy Mode/Managed Mode, Network Policy Mode/Unmanaged Mode and the new Service Manager Mode/Hybrid Mode, customers now have the choice of pacing their journey towards application-centric automation.
The Cisco ACI-MAS framework enables consumption of physical, virtual, multi-tenant and containerized NetScalers through APIC as part of the application workflow. We look forward to delivering continued customer success with further differentiated solutions in the near future, specifically around hybrid cloud with Cisco Cloud Center, private cloud with Microsoft Azure Pack, micro-services deployments, and integration with the Cisco Tetration Analytics platform.
Cisco ACI with F5
F5 released F5 iWorkflow in June 2016, which presents F5 network services provisioning to Cisco APIC in a very flexible and dynamic fashion. F5 iWorkflow enables cloud and DC admins to dynamically define the F5 device package based on F5 iApps technology. Different flavors of device package can be generated dynamically based on the required L4-L7 policies, thereby giving cloud and application teams the option of integrating F5 BIG-IP in Service Manager Mode. F5 iWorkflow acts as the F5 Service Device Controller. Through self-service catalogues, iWorkflow tenants deploy highly configurable, administrator-defined application services templates, a.k.a. F5 iApps. Deploying services from templates abstracts the tenant away from device-centric operational complexity.
The benefits of such abstraction and simplification are twofold: (1) greatly reducing the learning curve for deployment staff unfamiliar with complex application delivery services, and (2) simplifying the integration of application-delivery policy into third-party management and orchestration systems. As F5 and Cisco march on together, we will be looking at continuously improving and evolving the service catalog experience and extending to other integration points as well, such as Cisco Cloud Center (a.k.a. CliQr) and more.
Cisco ACI with Fortinet
FortiGate Connector for Cisco ACI provides the automation and programmable application services to build a software-defined infrastructure where policy enforcement across all workloads is consistent and intelligently segmented. Cisco ACI, together with Fortinet's FortiGate Next Generation Firewall, allows enterprises and cloud service providers to respond rapidly to business demands by enabling automatic provisioning and insertion of dynamic L4-L7 security and network services.
The solution debuted in 2015. In 2016, we brought more FortiGate models into the ACI ecosystem, from midrange to high-end firewall appliances. There are also additional supported features: IPv6 policy configuration, firewall port forwarding (destination NAT, or DNAT), APIC dynamic EPG notification, monitoring of FortiGate device (health) status, and FortiGate device packet statistics on physical ports. Service Policy Mode was introduced in 2016, and we can look forward to support for FortiManager centralized management, the dynamic routing protocol BGP, proxy policy, and SSL/SSH inspection in 2017.
Cisco ACI with Palo Alto Networks
Palo Alto Networks® Next-Generation Firewall (NGFW) integration with Cisco® ACI™ enables advanced security to keep pace with the dynamic workloads within an application-centric infrastructure. The Palo Alto Networks device package for Cisco ACI enables the APIC to configure both physical and virtualized form-factor Palo Alto Networks next-generation firewalls via PAN-OS® RESTful APIs. With new enhancements to the device package introduced recently, customers can now leverage high availability, multiple virtual systems, aggregate interfaces on the physical firewalls, and Layer 2 support.
With the rich firewall feature set available through the integration, customers can perform seamless service insertion of the Palo Alto Networks next-generation firewall as a service, gain granular visibility and control of application traffic, and leverage advanced threat prevention features, including application-level segmentation, security policy enforcement that complements the application-centric nature of ACI, prevention of known and unknown threats from both an inbound and a lateral-movement perspective, central management with Panorama™, and security automation to keep pace with new or changing workloads.
Cisco ACI with Radware
As businesses move towards SDN infrastructures, they are finding the need to manage the benefits of these cloud architectures: agility and elasticity. Agility is the ability to change applications quickly and easily. Elasticity enables on-demand resourcing to scale resources based on client demand. It is essential that the network can deliver these services, and application delivery controllers (ADCs) are a key technology to enable them.
Radware's ADC, the Alteon NG platform, offers full integration with Cisco's ACI architecture and APIC through Cisco's Service Manager; the Alteon NG ADC can be used to deliver the agility and elasticity that ACI customers are looking for. Radware's ADC technology enables the load balancing and scaling of services, in addition to the protection of application-layer services through web application firewall (WAF) and DDoS protection solutions. The ADC is a core technology required to enable the benefits of the ACI architecture, and Radware is committed to integrating its solutions into Cisco's offerings.
The momentum is going strong with the ACI ecosystem, and several new technology partners are in the process of coming on board. There are lots of exciting ACI innovations on the menu to benefit customers. The Cisco App Center is one of them: it extends the openness and programmability of Cisco ACI and enables our technology partners to run custom-built apps to serve customer needs.
We look forward to delivering continued customer success with further differentiated solutions in the near future, specifically around hybrid cloud with Cisco Cloud Center, micro-services deployments, integration with the Tetration Analytics platform, and the ability to demo most, if not all, of the solutions mentioned in this blog on Cisco dCloud.
- L4-L7 Compatibility List Solution Overview
- vSEC for Cisco ACI Product page
- Cisco Partner Marketplace – Check Point vSEC for Cisco ACI
- Changing the game with Cisco ACI and NetScaler MAS Integration – Customers benefit from full L2-L7 Automation and Native Operational Flexibility
- Large MNC Company simplifies operations with Cisco ACI and Avi Networks
- Cisco ACI builds strong momentum with Security, Monitoring and Orchestration ecosystem Partners
- YRC Freight achieves Business transformation with Cisco ACI and Citrix NetScaler
- Cisco ACI – F5 iWorkflow solution talk of the show at F5 Agility
- Choice and Flexibility in deploying L4-L7 services with Cisco ACI and Cisco Cloud Center