
Cisco ACI – A Hardened Secure Platform With Native, Built-in Security

This blog has been developed in association with Javed Asghar, Insieme Business Unit

The Cisco ACI Platform consists of the Cisco APIC controller and Nexus 9000 series switches connected in a spine/leaf topology in a Clos architecture configuration. All management interfaces (REST API, web GUI and CLI) are authenticated in ACI using AAA services (LDAP, AD, RADIUS, TACACS+) and RBAC policies that map users to roles and domains.
The ACI fabric is inherently secure because it uses a zero trust model and relies on many layers of security. Here are the highlights:

  • All devices attached to the ACI fabric use a hardware-based secure keystore:
    – All certificates are unique, digitally signed and encrypted at manufacturing time
    – The Cisco APIC controllers use Trusted Platform Module (TPM) hardware crypto modules
    – The Cisco Nexus 9000 series switches use a Trust Anchor Module (TAM) to store digitally signed certificates
  • During ACI fabric bring-up, or while adding a new device to an existing ACI fabric, all devices are authenticated based on their digitally signed certificates and identity information.
  • Image download and bootup:
    – All fabric switch images are digitally signed using RSA-2048 bit private keys
    – When the image is loaded onto an ACI fabric device, the signed image must always be verified for its authenticity using hardware-rooted Cisco Secure Boot
    – Only once that verification succeeds can the image be loaded onto the device
  • The ACI fabric system architecture completely isolates the management VLAN, the infrastructure VLAN and all tenant data-plane traffic from each other. (The Cisco APIC communicates in-band over the infrastructure VLAN.)
  • The infrastructure VLAN traffic is fully isolated from all tenant (data-plane) traffic and management VLAN traffic.
  • All messaging on the infrastructure VLAN used for bring-up, image management, configuration, monitoring and operation is encrypted using TLS 1.2.
  • After a device is fully authenticated, the network admin inspects and approves the device into the ACI fabric.

These are the layers of security built into ACI’s architecture to prevent rogue or tampered devices from gaining access to the ACI fabric.
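The image-signing and Secure Boot bullets above describe a sign-then-verify flow: the vendor signs the image with an RSA-2048 private key, and the device loads it only after the signature checks out against the key held in its trust anchor. The following Python is an added example written for this page, not Cisco code: it signs a constructed sample image (PKCS#1 v1.5 over SHA-256), then applies the device-side rule to a genuine image, a tampered image and an image signed by a key the trust anchor does not hold. The RSA key generation and prime test are a compact stdlib-only implementation so the example runs offline; the key pairs and image bytes are constructed, and the hardware trust anchor is modelled as an in-memory public key.

```python
"""Signed-image verification modelled on the secure-boot flow above.

Added example, not Cisco code.  The RSA here is a small pure-stdlib
implementation for illustration; production systems use a vetted library.
"""
import hashlib
import hmac
import secrets

# DER DigestInfo prefix for SHA-256, as used by EMSA-PKCS1-v1_5 (RFC 8017, 9.2)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97]
PUBLIC_EXPONENT = 65537


def is_probable_prime(n, rounds=40):
    """Miller-Rabin probabilistic primality test."""
    if n in (2, 3):
        return True
    if n < 2 or n % 2 == 0:
        return False
    for p in SMALL_PRIMES:          # cheap trial division first
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_prime(bits):
    """Random prime of exactly `bits` bits with gcd(p - 1, e) == 1."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if cand % PUBLIC_EXPONENT != 1 and is_probable_prime(cand):
            return cand


def generate_keypair(bits=2048):
    """Return (public_key, private_key) as (n, e) and (n, d). Constructed keys."""
    p = generate_prime(bits // 2)
    q = generate_prime(bits // 2)
    while q == p:
        q = generate_prime(bits // 2)
    n = p * q
    d = pow(PUBLIC_EXPONENT, -1, (p - 1) * (q - 1))
    return (n, PUBLIC_EXPONENT), (n, d)


def emsa_pkcs1_v15(image, em_len):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(image): 00 01 FF..FF 00 DigestInfo||hash."""
    t = SHA256_DIGESTINFO + hashlib.sha256(image).digest()
    if em_len < len(t) + 11:
        raise ValueError("modulus too small for this encoding")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def sign_image(image, private_key):
    """Vendor side: RSA signature over the encoded image digest."""
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15(image, k), "big")
    return pow(em, d, n).to_bytes(k, "big")


def verify_image(image, signature, public_key):
    """Device side: recover the encoding with the trust-anchor key and compare."""
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(recovered, emsa_pkcs1_v15(image, k))


def secure_boot_load(image, signature, trust_anchor_public_key):
    """Mirror the rule in the text: the image is loaded only after verification."""
    if not verify_image(image, signature, trust_anchor_public_key):
        return "rejected"
    return "loaded"


def demo():
    """Genuine, tampered and rogue-signed images against one trust anchor."""
    vendor_pub, vendor_priv = generate_keypair(2048)     # constructed vendor key
    rogue_pub, rogue_priv = generate_keypair(2048)       # constructed attacker key
    image = b"constructed sample firmware image bytes"   # constructed, not a real image
    sig = sign_image(image, vendor_priv)
    tampered = image.replace(b"sample", b"edited")
    return {
        "genuine": secure_boot_load(image, sig, vendor_pub),
        "tampered_image": secure_boot_load(tampered, sig, vendor_pub),
        "rogue_signer": secure_boot_load(image, sign_image(image, rogue_priv), vendor_pub),
    }


if __name__ == "__main__":
    print(demo())
```

The device never holds the signing key, only the public half in its trust anchor, so a tampered image fails because the recovered digest no longer matches, and a rogue-signed image fails because the recovery with the anchored key yields garbage rather than a valid encoding.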

Please stay tuned for a blog posting by Praveen Jain (ACI Engineering VP), which will cover APIC and fabric security in more detail in the coming weeks.

Praveen Jain’s recent blogs:
New Innovations for L4-7 Network Services Integration with Cisco’s ACI Approach

Micro-segmentation: Enhancing Security and Operational Simplicity with Cisco ACI

Network Security Considerations

Additional Information:
The Cisco Application Policy Infrastructure Controller 



Don’t be Bewitched by the Switch – What You Need to Know when You Evaluate Solutions

It’s undeniable that the biggest convergence happening in the access layer is Wired/Wireless. Today, we’re no longer forced to treat wired and wireless any differently when it comes to network visibility and management. However, the unification of Wired/Wireless doesn’t come without its own challenges and complexity.

As we’ve seen with the latest switching announcement at Interop 2015, there is a lot of noise in the marketplace and customers and partners increasingly need to cut through this to achieve their IT goals and meet today’s increasing demands on the network and the demands of tomorrow.

Earlier this week, HP made false claims about our Catalyst 4500E switch. To help you out, here is what you need to know about Cisco switching and, specifically, our Catalyst 4500E switch:

  • As the world becomes increasingly more digital, there is an elevated need for a flexible and scalable network to address rapid shifts in technology use and its associated traffic. We’ve seen tremendous demand for our modular switches that supply the best flexibility for this change. In fact, Cisco has the industry’s most widely deployed modular access switches with a modular PoE port share that just reached an all time high of 81.5 percent.
  • To tackle the biggest convergence in the access layer, Catalyst 4500E supports built-in wireless controller capabilities and delivers common intelligent services across wired and wireless for security and policy, application visibility and control, network resiliency, smart operations, and more.
  • Cisco’s Catalyst Multigigabit (mGig) technology available across the access portfolio including the Catalyst 4500E can prepare customers’ access switches for the next wave in wireless, 802.11ac wave 2 by delivering speeds beyond 1 Gigabit on existing Category 5e cables. This technology also supports PoE, PoE+, and Cisco Universal PoE (UPOE) so you don’t need to install new electrical circuits to power your access points.
  • Cisco’s modular access switch portfolio offers backward compatibility with up to three generations of line cards, providing unmatched investment protection – 2x in terms of number of years over other vendors.
  • A key operational consideration for IT is to maximize uptime and provide seamless code upgrades. In Service Software Upgrade (ISSU) has been available on Cisco’s 4500E portfolio for almost a decade.
  • The Catalyst 4500E has unmatched scale to meet the needs of a customer’s network and is future-proof for an influx of new devices – 25X route entries, 16X multicast entries & 42X Security/QoS entries when compared to other vendors.
  • As IoT trends upward, more “things” connect to the access network and it is key that the network is able to scale to meet these needs – Cisco offers 33 percent more scale in terms of PoE+ ports and 50 percent more PoE+ scale for redundant power deployments to connect more users, devices and things. Additionally, Cisco supports UPOE, which future-proofs our customers for upcoming applications requiring more than 30W/port.
  • Security is top of mind for our customers and Cisco offers a complete end-to-end solution with support for MACsec, Cisco TrustSec, Identity Services Engine and Flexible NetFlow, providing best-in-class network encryption, segmentation and network sensing solutions.
  • The Catalyst 4500E is designed for supporting rich media services with its superior multicast scale and design. Cisco Catalyst 4500 is designed to support hardware accelerated multicast with deep buffers. The Cisco Catalyst 4500E accommodates up to nine times larger data bursts, delivered to otherwise loaded output ports, without loss.
  • Cisco Catalyst 4500E supports a multitude of capabilities that support IT simplicity and smart operations. Examples: Simplified provisioning with Plug and Play, Simplified configuration of switches & interfaces with AutoConfiguration and Interface templates and faster troubleshooting with embedded wireshark, a world-class protocol analyzer.


Making it easy to deploy Cisco’s Intelligent WAN

We continue to see great interest and momentum around our Intelligent WAN solution, but there is one thing we are hearing loud and clear from our customers: the need for better tools to configure and manage branch sites and their associated WAN connections. For those of you familiar with Cisco’s Intelligent WAN, there are four main business outcomes that the solution promises to deliver:

  • Better Application Experience for Users
  • Robust Secure Access for Applications and Users
  • Lower IT Costs
  • IT Simplicity for Increased Agility

Management falls into the IT Simplicity bucket and many times while presenting our Intelligent WAN solution customers are already thinking about how they are going to reconfigure their network into an Intelligent WAN. One of the main concerns is that the more sites you have the larger the task. Quite often there are limited or no IT resources at the branch and the thought of sending someone onsite (truck rolls) to change or reconfigure the branch router can be an expensive proposition. So what can you do to take advantage of the cost savings provided by an Intelligent WAN?


New Cisco APIC Software allows stretched ACI Fabric across long distances

In the world of Cisco ACI, there is never a shortage of excitement and action. Today, we are pleased to bring to your attention news about the latest Cisco APIC software release. If you wonder what’s hot off the press in APIC SW release 1.0(3f) for Nexus 9000 series ACI mode, there is quite a bit.

The Stretched Fabric feature captures the headlines. For quite some time now customers have been asking for an ACI Fabric that can stretch across datacenters and over long distances. The new software allows the leaf and spine switches that participate in a fabric to be located up to 30 km apart. It also removes the restriction that every leaf be connected to all spines. Let us take a close peek at the stretched fabric feature.

ACI Stretched Fabric Topology

A stretched ACI fabric is a single fabric. It is a partially meshed design that connects ACI leaf and spine switches distributed across multiple locations. Typically, an ACI fabric implementation is a single site where a full mesh design connects each leaf switch to each spine switch in the fabric. This yields the best throughput and convergence. In multi-site scenarios, full mesh connectivity may not be possible or may be too costly. Multiple sites, buildings, and rooms can span distances that are not serviceable by enough fiber connections, or it may be too costly to connect each leaf switch to each spine switch across the sites. The diagram below illustrates the stretched fabric architecture.

Transit Leaf Switch Guidelines

Transit leaf refers to the leaf switches that provide connectivity between two sites. Transit leaf switches connect to spine switches at both sites. There are no special requirements and no additional configuration required for transit leaf switches.

Provision Transit and Border Leaf Functions on Separate Switches

The key benefits of a stretched fabric include workload portability and VM mobility. The stretched ACI fabric behaves the same way as a regular ACI fabric, supporting full VMM integration. For example, one VMware vCenter operates across the stretched ACI fabric sites. The ESXi hosts from both sites are managed by the same vCenter and Distributed Virtual Switch (DVS), which are stretched between the two sites.

The ACI switch and APIC software recover from various failure scenarios. Check out the failover scenario analysis for details.


Cisco Live Milan 2015: Hi-Tech revisits City of Tradition and Fashion

When I first visited Milan last year in January, the occasion was Cisco Live and I was pleasantly surprised to learn that the Alpine city is known as much for its hi-tech as it is for fashion and tradition. I am one of the lucky few in Cisco to be visiting this great city for a second year in a row as Cisco Live Europe is all set to commence here next week. What is special this year? From a Cisco Data Center standpoint, ACI, Inter-Cloud, IoT and UCS continue to grab the headlines. In particular, ACI has established itself as the dominant SDN technology with more than 1,000 N9K customers, more than 200 ACI customers and a growing eco-system of 34 partners in just one year. In this blog, I am going to present excerpts of what attendees can broadly expect to see and experience at the buzzing event, and I will take you on a tour of how ACI is ready to engage and enrich you.


At the outset, I’d recommend that you attend all keynotes to understand Cisco’s strategy for the emerging technology trends and market transitions. Cisco execs Carlos Dominguez and Jeremy Bevan kick-start the proceedings with an opening keynote on Jan 27 as they review the amazing things we have achieved in building the internet over the last decade and look at what we must do to build an Internet fit for purpose for the next decade. Don’t miss the several technology trends keynotes occurring on Jan 27 and 28. Soni Jiandani’s session scheduled for Jan 28 on the SDN/ACI topic is going to be a sell-out. Come and listen to Soni to understand how ACI enables business outcomes and IT automation through the creation of an agile infrastructure.

Now I want to segue to ACI specifics. The last year has been phenomenal from an ACI eco-system momentum standpoint. F5 and Citrix, leading ADC vendors, have developed joint solutions with ACI and we have experienced several customer wins and success stories. F5 is a platinum sponsor and has a big presence at Cisco Live Milan this year to delight the 8,000 plus attendees. At the world of solutions F5 has dedicated demo stations to showcase multiple Cisco ACI-F5 joint solutions (featuring both BIG IP and BIG IQ), and F5’s engineers will be happy to explain via whiteboard how these solutions are relevant to your needs. Vincent Ng from F5, an expert presenter, has a technical breakout session on Jan 27 featuring ACI-F5 joint solution. Vincent’s expertise spans hands-on demos alongside lucid architectural illustrations, so do not miss this session.

Citrix has been a regular platinum sponsor at Cisco Live events. This year at Cisco Live Milan, Citrix has a large booth presence in the partner area. The key activities at the booth include joint solution demos featuring UCS-XD/XA, ACI-NetScaler, Mobility and Cloud among other major ones. Besides, David Potter and Christian Hietzschold from Citrix are doing a presentation on the topic “Delivering the best in SDN and ACI integration solutions.” If you happen to be in the DevNet zone, you may want to check out Citrix’s short theater presentations to get a well-rounded view of our joint alliance.

A10 Networks and Radware both have a presence in the WOS, showcasing joint solutions with ACI, thereby providing further evidence for the fast-growing ACI L4-L7 eco-system.

At the World of Solutions (WOS) this year, ACI and Cloud take center stage in the Data center category. There are 10 demos showcasing ACI innovations and 6 on the Data Center Networking front. We also have an “Ask the Expert- Solutions Design Center” where Cisco architects will help address your data center, cloud, ACI strategy and design questions to accelerate ROI and reduce TCO. The ACI demos cover broad customer interest areas such as Analytics/Telemetry/Visibility, popular Cloud Management Platforms such as Microsoft Azure and Open Stack, Support for Multi-Hypervisors, Secure Application deployment etc. Our ACI subject matter experts will be on site to give you a real-life demo and explain how these are relevant to your needs.


We also have Hands-on labs at the WOS that give you the opportunity to explore and evaluate a range of Cisco technologies, and our Meet the Engineer and Technical Solution Clinics give you access to the people who design Cisco’s solutions and give you the insight you need about your own environment and technical challenges. So stop by the WOS to explore new technologies and get answers to your unique questions.

In addition to the hands-on demos, we also have round the clock mini-presentations at the WOS Cisco Theater. This year we have three innovative ACI theater topics namely “Simplifying day-0, day-1, day-2 operations with ACI”, “Securing Applications with ACI” and “NX-OS Programmability and Automation”. The special draw at the WOS Theater is the topic of “Simplifying Operations with ACI”. This presentation will cover how application deployment can be accelerated and how easy it is to troubleshoot problems with ACI. To satisfy your broader interests we also have theater sessions on UCS, Cloud and Nexus switching portfolio. Check our WOS Theater roster in the agenda handout.

To your heart’s delight is how I’ll describe Cisco technical breakout sessions. Yes, we have more than 500 breakouts from industry-recognized experts at the show. ACI breakouts feature prominently, and ACI domain experts Carlos Pereira, Mike Cohen, Mike Herbert and Maurizio Portolani all co-present on Jan 26 on the topic “ACI-Policy Driven Data Center”. This session ranks at the top for me. If you are an Open Stack fan then you must look into the session “APIC Integration with Open Stack” presented by Sebastian Jeuk and Lijun Deng. Harry Petty is doing an ACI operations focused session, PSODCT-2455. Data center operators focused on tenant on-boarding, application monitoring and troubleshooting will find this session very relevant, so mark this as a must-attend. There are many more breakouts and lab sessions on ACI, so check out the session catalog for details. Another insightful breakout session, PSODCT-1200 by Craig Huitema, focuses on the Nexus switching portfolio and ACI and how together they enable a faster, more responsive and flexible IT.

As a Cisco Live attendee you benefit from the opportunity to interact with your peers, Cisco staff and partner technical experts in both structured and informal settings. Our Welcome Reception and Customer Appreciation Event are the highlights of the week’s social calendar. Read more on the Social Events & Networking Onsite section. Our online communities on Facebook and Twitter provide year round access to like-minded individuals as well as valuable content, news and updates. We’d love it if you would join the conversation.

I can go on and on, but I’d never be able to cover all of the excitement in store. I’ll leave some for you to explore on your own, and our Meet and Greet ambassadors will be more than happy to assist you at the show. As for me, if time permits, I am planning on acquainting myself with some of the legendary artworks of Michelangelo. Safe travels and a happy Cisco Live.
