As application performance, security and delivery become more critical, and as the need for network automation grows, the vision of an architecture that allows easy integration of L4-7 services into the data center fabric is increasingly being validated. We’ve seen at least two services, load balancers and firewalls, in every application tier our customers deploy. Traditional deployment models are also shifting: we have seen the model evolve from north-south traffic (perimeter-based approaches) to east-west traffic patterns, bringing new requirements of scale, security and application performance.

Cisco Application Centric Infrastructure (ACI) architecture was designed to help with both easy integration and scale of network services. ACI can manage physical switches, virtual switches in hypervisors, and L4-7 services from multiple vendors, stitching everything together under the umbrella of applications. Recognizing that customers have a choice of L4-7 vendors, ACI has taken an open approach to accommodate automation of network services from multiple vendors (in both physical and virtual form factors) with its policy-driven architecture, delivering greater operational simplicity to customers.

The traditional way of inserting L4-L7 devices, from any vendor, into the network is to manually steer traffic through the L4-L7 devices and to configure each of these devices independently. Today, a network administrator does this manual steering of traffic by carefully provisioning VLANs, VRFs, subnets and so on.

While ACI supports the traditional mode of L4-L7 insertion for any vendor's device, it provides additional capabilities for automating the entire workflow and tying it to applications. There are two steps in the automation of L4-L7 integration through APIC:

  1. Automatically steering traffic from one application tier to a chain of L4-L7 service devices and finally connecting back to another application tier.
  2. Automatically configuring all L4-L7 devices in a chain as the applications are deployed and modified.

Step (2) is the ultimate level of automation: configuring all L4-L7 devices as needed by the application and keeping the configuration up to date as the application life cycle changes. For example, customers add security policies to their firewall but never clear them, since it’s hard to correlate which policies to clear when an application goes away, or when organizational changes mean the relevant SME moves out. With APIC managing both the application tiers and the configuration on the L4-7 device, the configuration is added and removed dynamically as applications are added or removed.

What’s new?

Since day 1, APIC has supported the traditional manual way of inserting L4-L7 services from any L4-L7 vendor. Similarly, ACI supports a fully automated mode called “Managed” mode, where both the network services stitching and the device configuration are performed as described by both 1 and 2 above. Managed mode requires a “device package”, which is typically provided by the concerned L4-L7 ecosystem partner and jointly qualified by Cisco and the partner for ACI.

A second, new automation mode called “Unmanaged” will be introduced that equates to network stitching only, as described in #1. Customers have realized that the traditional manual mode is error-prone and hard to automate as workloads move around. The “Unmanaged” mode will provide a middle ground between the traditional L4-L7 mode and the fully automated ACI “Managed” mode.

Here’s a view of several sample use cases that the ACI architecture helps support, giving customers flexibility in L4-7 services insertion options.*

While there are benefits to full automation, including configuration of L4-L7 devices, some customers have requested an “Unmanaged” mode for their custom devices or as a migration path to full automation.

ACI has allowed mixing and matching of Traditional and Managed modes since day 1. When “Unmanaged” mode is released, all three modes can be used at the same time, giving you full flexibility and choice.


Further, ACI has integrated with higher-level stacks including Microsoft AzurePack, VMware vRealize (future release) and Cisco UCS Director, providing instantiation of multi-machine workloads chained together with L4-L7 services. The native multi-vendor L4-L7 capabilities of ACI, as described above, make this integration one click with any vendor, offering tremendous flexibility, investment protection and operational simplicity to customers.

Additional Resources:

  1. Service Insertion with Cisco Application Centric Infrastructure
  2. ACI Ecosystem Partners

*Updated 8 October 2015


Praveen Jain

No Longer with Cisco