Data centers have been evolving at an unprecedented pace. Transformational trends like AI and security are further accelerating that evolution. Data center networking forms the foundation for AI workloads, and it plays a critical role in protecting the high-value assets from sophisticated AI-driven cyberattacks.
At Cisco, we always meet our customers where they are. That is why we are evolving the data center network architecture, addressing the trends reshaping the environment right now.
Meet Cisco Nexus One, our next-generation data center networking architecture.
To understand Nexus One, we need to step back in time. When we launched Cisco Application Centric Infrastructure (ACI) back in 2014, we weren’t just releasing a new architecture. We were fundamentally changing how customers approached the data center. The industry needed a way to bridge the gap between traditional, manual networking and the agility the emerging cloud-native world demanded. We introduced many industry firsts with ACI: group-based microsegmentation, flexible service chaining, object-model APIs, and a controller-based approach with Cisco Application Policy Infrastructure Controller (APIC) to help customers address explosive business growth. It has been a remarkable journey. More than 13,000 organizations rely on ACI to power their most critical workloads.
Now, look at the horizon. The massive shift toward AI-ready data centers, the need to protect against AI-driven security threats, and a clear desire for greater architectural flexibility have become top priorities. The next phase of our data center networking journey requires us to think bigger, more openly, and flexibly without compromising backward compatibility. That thinking led to the creation of Cisco Nexus One.
Cisco Nexus One: An architecture built for flexibility, openness, and scale
I often hear this question: “Is Nexus One a product, a solution, or an architecture?”
The answer is simple: It’s an architecture, exactly as ACI is.
If ACI was about trailblazing, creating industry-first innovations, Nexus One is about standardization, flexibility, and choice. We took the groundbreaking concepts that made ACI successful, including group-based segmentation, service chaining, and deep observability, and we are standardizing them through the Internet Engineering Task Force (IETF).
By anchoring on the widely deployed VXLAN EVPN technology as our baseline, we are ensuring that the innovations you’ve trusted are built on open, interoperable standards.
Nexus One is our commitment to giving our customers and partners an architecture that is open, extensible, and fully backward compatible with the investments you’ve already made. It’s ready for the new AI/ML workloads while delivering end-to-end security.
Cisco Cloud Control: Bringing AgenticOps capabilities to Nexus One
At Cisco Live 2026 Las Vegas, we announced Cisco Cloud Control, our single, unified AgenticOps platform for managing the entire Cisco product portfolio—by both humans and AI agents. AI Canvas in Cisco Cloud Control is a live, interactive workspace, generated dynamically by live AI agents to focus on the issues at hand.

Nexus One integrates into Cisco Cloud Control to bring the data center networking portfolio under a Cisco-wide unified management plane. AI agents inside Cisco Cloud Control’s AI Canvas leverage the MCP server API on Nexus One controllers (Nexus Dashboard and Nexus Hyperfabric) to perform truly agentic operations for fast-tracking diagnostics, triaging, and issue resolution.
Your data center, your way: Built on first principles

To understand how Nexus One changes the game, let us look at the four layers of the networking stack. We’ve designed Nexus One to provide flexibility at every layer, because no two data centers are exactly alike.
- The silicon layer: foundation of performance. We are moving beyond a fixed path to support a broader range of silicon options. Nexus One supports Cisco Cloud Scale, Cisco Silicon One, and NVIDIA Spectrum-X Ethernet switch silicon. This gives you the flexibility to choose the hardware foundation that best suits your performance, power, and workload requirements, whether you’re running high-performance AI training clusters or AI inferencing, AI storage, CPU workloads, or out-of-band management networks.
- The systems layer: the hardware anchor. Our flagship Cisco N9000 Series Switches remain the hardware anchor of the architecture. They continue to deliver the high-performance, reliable hardware you’re accustomed to, now paired with the most advanced optics available. In the AI era, the physical layer is just as critical as the software layer, and we are not compromising on either.
- The software layer: operating system choice. Nexus One supports Cisco ACI, NX-OS, and now SONiC. Many of you have developed specialized expertise across different operating systems, and we want to give you the flexibility to choose the network operating system that best aligns with your operational strategy and talent pool while enabling full interoperability across these software offerings. By adding SONiC to our portfolio, we are delivering solutions that address our customers’ evolving needs. To that end, we recently announced that Cisco will support SONiC as an option for Cisco N9000 Series Switches.
- The operating model: control and agility. We’ve expanded our management options to provide more control and agility. You can leverage the on-premises power of Nexus Dashboard or embrace the cloud-native, SaaS-based efficiency of Nexus Hyperfabric.
Table 1. Nexus One management options
| Nexus Dashboard: On-premises management platform for Nexus One. | Nexus Hyperfabric: Cloud-management platform for Nexus One. |
|---|---|
| Nexus Dashboard delivers centralized automation and management for Nexus One on-premises data center networking. It simplifies network operations through a single, integrated control point. Nexus Dashboard provides unified visibility across your fabric, automates policy enforcement, and streamlines day-2 operations. Nexus Dashboard will support Nexus 9000 automation running SONiC alongside Cisco NX-OS and Cisco ACI. The result is greater flexibility, reliability, faster troubleshooting, and reduced operational overhead, helping IT infrastructure teams maintain stability and security while controlling costs across complex environments. | The newest addition to our portfolio, Nexus Hyperfabric delivers scalable, cloud-managed, full-stack fabric deployment and lifecycle automation for data center infrastructure. It takes ease of use to the next level with innovative features such as design before you buy, plug-and-play deployment, easy-to-implement cabling plans with real-time feedback, assertion-based monitoring, and an API-first approach that enables customers to build VXLAN EVPN fabrics at scale. It extends deployment-ready capabilities to GPU servers and SmartNICs, in addition to networking for AI fabrics. Hyperfabric will continue to evolve, adding support for multi-site, group-based microsegmentation with Endpoint Security Groups (ESGs), plus monitoring and image management for Cisco NX-OS switches alongside the native SONiC switches it already manages. |
Regardless of your choice, the goal is the same: simplifying day-0, day-1, and day-N operations with consistent technical and business outcomes.
The standards underneath: Standards to bring the ACI policy model into VXLAN EVPN
The real-world operational value of Nexus One is inseparable from the standards that govern how fabrics communicate, exchange state, and enforce policy. The IETF has been advancing a body of work that directly underpins the distributed policy enforcement and fabric interoperability models central to this architecture. With Nexus One, we want to give customers the choice to build data center fabrics that comply with open standards.
To standardize the policy-based segmentation pioneered with ACI, we actively contributed to three key IETF drafts.
- draft-smith-vxlan-group-policy: defines how a Group Policy ID is encoded as a flag and metadata field directly within the VXLAN header
- draft-wlin-bess-group-policy-id-extended-community: introduces a BGP extended community to carry that Group Policy ID through the EVPN control plane
- draft-lrss-bess-evpn-group-policy: binds the two together into a coherent EVPN Group Policy framework
Collectively, these drafts define the Group Policy Object (GPO) standard—a direct, open-standards evolution of ACI’s ESG segmentation model into native VXLAN EVPN fabrics.
NX-OS has implemented ESG and the associated contracts for microsegmentation and service chaining using the GPO standard. Hyperfabric will follow suit based on the same standards. You can achieve consistent microsegmentation and service chaining outcomes with your fabric of choice.
How can you extend the notion of policy across fabrics? Can you set up contracts between ESGs residing in two different fabric types (for example, an ESG in NX-OS and an ESG in ACI)? Yes, you can, with enhanced EVPN Border Gateways.
Enhanced Border Gateways: What is “enhanced” about them?
Border Gateways (BGWs) have existed in VXLAN EVPN for a while. A BGW is the device that stitches multiple fabric domains together at the control and data plane boundary. It terminates inbound VXLAN tunnels from site-internal VTEPs, re-originates them toward remote sites using its own anycast Virtual IP (VIP) address, and masks the internal VTEP topology from the rest of the network. Each BGW acts as an autonomous system boundary, using eBGP between sites and iBGP within a site, which gives you clean failure isolation and VTEP scale containment.
The BGW implementation in Nexus One is based on RFC 9014 and the IETF multi-site EVPN draft (draft-sharma-bess-multi-site-evpn) that Cisco co-authored. The ACI BGW implementation is the latest to adapt to these standards.
The BGW implementation is enhanced to support the GPO standard. It understands the ESG format in the data plane and control plane. It can translate between ESG tags as packets go from one fabric to another. The BGW can also enforce policy depending on the contracts defined. The result is that NX-OS fabrics, ACI, SONiC, and Nexus Hyperfabric–based fabrics can seamlessly interconnect with consistent policy enforcement without compromising the segmentation model you have invested in.
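The Group Policy ID encoding from the drafts listed earlier and the translate-then-enforce step described for the enhanced BGW, as an added example that is not Cisco's code or part of the original post. The header layout follows draft-smith-vxlan-group-policy; the mapping table, contract set, function names, and the drop-by-default choices are assumptions made for illustration.

```python
import struct

G_FLAG, I_FLAG = 0x80, 0x08   # byte 0: Group Policy ID present, VNI valid
D_FLAG, A_FLAG = 0x40, 0x08   # byte 1: don't learn, policy already applied


def parse_vxlan_gbp(header: bytes) -> dict:
    """Decode the 8-byte VXLAN header with the Group Policy extension."""
    if len(header) < 8:
        raise ValueError("truncated VXLAN header")
    flags0, flags1, group_id, vni_rsvd = struct.unpack("!BBHI", header[:8])
    if not flags0 & I_FLAG:
        raise ValueError("I flag clear: VNI not valid")
    return {
        "vni": vni_rsvd >> 8,  # top 24 bits; low byte is reserved
        # The 16-bit field only carries a tag when G is set; ignore it otherwise.
        "group_id": group_id if flags0 & G_FLAG else None,
        "dont_learn": bool(flags1 & D_FLAG),
        "policy_applied": bool(flags1 & A_FLAG),
    }


def border_decision(header, remote_to_local, contracts, dst_group):
    """Translate the remote tag to local numbering, then check the contract."""
    h = parse_vxlan_gbp(header)
    if h["group_id"] is None:
        return ("drop", "untagged")          # assumed default-deny
    local_src = remote_to_local.get(h["group_id"])
    if local_src is None:
        return ("drop", "unmapped group")    # no translation entry
    if (local_src, dst_group) not in contracts:
        return ("drop", "no contract")
    return ("permit", local_src)


def build(flags0, flags1, group_id, vni):
    """Pack a header for the constructed samples below."""
    return struct.pack("!BBHI", flags0, flags1, group_id, vni << 8)


# Constructed sample data, not taken from any real fabric.
REMOTE_TO_LOCAL = {100: 2100, 200: 2200}   # remote-fabric tag -> local tag
CONTRACTS = {(2100, 2300)}                  # (source group, destination group)
TAGGED = build(G_FLAG | I_FLAG, 0, 100, 5010)
UNTAGGED = build(I_FLAG, 0, 100, 5010)      # stale value in field, G clear
```

The `UNTAGGED` sample shows why the G flag has to be checked before the 16-bit field is read: the bytes still hold 100, but the header does not assert a group.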

Mobility: Important for workloads too
One of the most operationally demanding challenges in hybrid multi-fabric infrastructure is moving a live workload between fabrics on its own schedule. This relocation must occur seamlessly without disrupting active services. This capability requires that the destination fabric present an identical Layer 2 domain to the relocating workload, even though the physical underlay connecting the two fabrics is a routed Layer 3 network.
This is where the BGW architecture pays direct operational dividends. With Nexus One, the workload experiences no IP address change, no TCP session teardown, and no ARP resolution delay when it moves across heterogeneous fabrics. The Layer 2 broadcast domain follows it across the fabric boundary through the common EVPN control plane, with the BGW handling tunnel re-origination transparently. Because Nexus One associates policy with workload identity rather than with the physical or virtual port the workload is attached to, the policy binding—including any GPO-based segmentation rules—migrates with the workload automatically.
This unique capability lets you move workloads with greater flexibility, at a time of your choosing, rather than a forced cut-off date imposed by infrastructure constraints.
What about ACI?
Nexus One encompasses and extends ACI. If you are running ACI today, you are already running Nexus One. The innovations ACI pioneered are becoming open, standards-based capabilities that any Nexus One fabric can run. ACI is one of the choices described in the software layer in the architecture. Nexus One is not a replacement for ACI; it embraces and enhances ACI. ACI will continue to be supported as part of Nexus One.
Nexus One benefits: Seamless, secure, scalable—yet simple
Here’s how Nexus One delivers on each of these four promises—seamless, secure, scalable, and simple.
- Seamless interoperability: For most of you, the data center is not a “rip and replace” environment. It is a living ecosystem built over years of deliberate investment. Nexus One is built for that reality. It enables seamless interconnectivity and interoperability between different fabric architectures. You can deploy VXLAN EVPN fabrics alongside ACI fabrics, with Layer 2 and Layer 3 stretches and policy consistency across both. Whether you are running a traditional enterprise application or a cloud-native application running in virtual machines or Kubernetes deployments with Isovalent and Cilium, Nexus One provides a unified management plane and a consistent experience for full lifecycle management. This means you do not have to choose between the automation of ACI and the flexibility of NX-OS or SONiC. You can have everything managed through a single, cohesive architecture.
- Security at every layer: In this era of Mythos and AI-driven cyber threats, the mean time to exploit a vulnerability has dropped from days to hours or even to minutes. Protecting high-value digital assets in the data center is not just important, it is business critical. Nexus One expands group-based policy across multiple fabrics using ESG to implement microsegmentation in real time and mitigate security threats as they emerge. That segmentation can extend all the way into Kubernetes clusters with Isovalent integration. Customers can take security to the next level when they implement Nexus One with Cisco N9300 Smart Switches, which offer stateful microsegmentation enforced at the DPU built into Smart Switches. And Cisco Live Protect, built into the foundation of Nexus One, can provide CVE shields without having to patch the entire infrastructure during a vulnerability window or reload the switches. Security is infused into every layer of Nexus One.
- Scale, on both ends of the spectrum: When we think about scale, we are not just thinking about large-scale data centers with hundreds and thousands of switches; we are also thinking about small-scale data centers, edge data centers with tens of switches. Nexus One allows for building and operating large-scale data centers and small-scale data centers in a consistent and cost-effective way. Hyperfabric is an excellent choice for customers who operate small-to-midsize data centers, edge data centers, and out-of-band management networks, and who have embraced SaaS-based management. Nexus Dashboard offers the on-premises option, going all the way up to 1000 switches in a single cluster. On the lower end of the spectrum, customers can also deploy Nexus Dashboard on a single node or a virtual node to keep it cost effective for smaller deployments.
- Simple to operate: Networking is inherently complex; operations don’t have to be. As networks grow in size, the operating model needs to get simpler. Nexus One operating models focus on simplifying operations for operators. This approach is the same whether you are using on-premises Nexus Dashboard Controller or the SaaS-based Nexus Hyperfabric Controller. It also holds true whether you are a human user, an API user driving operations with network as code, or an AI agent driving agent operations. Simplicity and robustness sit at the core of every capability we build.
A commitment to our data center networking customers
The transition to AI-ready infrastructure is a marathon, not a sprint. It requires a partner who understands the complexities of your current environment while maintaining a clear vision for where the industry is heading.
With Cisco Nexus One, we meet you where you are. We are providing a future defined by open standards, security, operational choice, and unparalleled scale. We’re ready for what comes next, and we’re building it with you and for you.