Cisco revealed how enterprises can integrate older Nexus switches into its data center SDN technology, Application Centric Infrastructure (ACI). It also announced some new ACI hardware options.
In an ACI architecture, Cisco's Application Policy Infrastructure Controller (APIC) applies automatic policy-based configuration changes and optimizes forwarding in a network of new Nexus 9300 and Nexus 9500 series switches on an application-by-application basis. Since Cisco announced ACI, network engineers who have already invested in Cisco's other data center switches, most notably the pricy Nexus 7000 series, have grumbled about investment protection for their older equipment.
"My customers have a lot of questions about their current investments in Nexus 2000s and 5000s," said Andre Kindness, principal analyst with Forrester Research. "People bought a ton of equipment and they don't want to replace it."
Cisco announced new capabilities that allow APIC to apply application policies to server workloads connected to Cisco's older switches.
The first element of investment protection is the Application Virtual Switch (AVS), a Nexus 1000v distributed virtual switch with an OpFlex agent. OpFlex is a southbound SDN protocol that Cisco created to extend support for ACI's policy-based SDN approach to non-Nexus 9000 equipment and third-party equipment. Enterprises can deploy AVS on hypervisor hosts that are connected to the network via older Nexus switches. AVS effectively creates a network overlay from the Nexus 9000-based ACI network, across the legacy Nexus network and to the AVS host.
Second, Cisco introduced a feature that allows APIC to apply policy control to bare-metal server workloads attached to legacy Nexus switches. Cisco customers can make a Layer 2 connection between a port on an older Nexus switch and a port on a Nexus 9300 that is operating as an ACI leaf switch. Although APIC cannot apply configuration changes or optimize the forwarding on legacy Nexus gear, it can at least incorporate workloads on the legacy network into its overall policy model. From the workload's perspective, ACI's policy control is applied to packets once they reach the Nexus 9300.
Both of these investment protection options require the installation of a full ACI fabric, with a minimum of two Nexus 9000 spine switches, two Nexus 9000 leaf switches and three APIC nodes.
"We can take an ACI port and connect it to an existing Nexus 2000, 7000, 5000 or 6000 port and extend the policy model from ACI over to the existing port," said Yousuf Khan, senior director of technical marketing at Cisco. "So when you do workload placement either with older ports or newer ports, you have consistent policy across both. You can do a workload placement for the Web tier of an application onto an existing Nexus 2000-7000 [server facing port], but the database and application tiers can be available on an ACI port."
Brandon Mangold, network architect for United Airlines, has been evaluating data center fabrics like ACI. He is interested in using AVS to incorporate his legacy workloads into an ACI architecture, but he also feels that Cisco's current approach, which requires that AVS be deployed with a small core ACI-enabled Nexus 9000 switches, is limiting. He wants the option of using AVS with the APIC controller as a pure overlay on his existing fabric. Then he would only need to buy Nexus 9000s for new servers.
"I want my migration plan to be virtual only and [I want to] put in Nexus 9300s for physical workloads and attach that to ACI for the orchestration," Mangold said.
Still, Cisco's approach does allow an enterprise to start with a small ACI core of Nexus 9000 switches and integrate workloads attached to older Nexus switches into ACI's policy framework, said Peter Christy, research director at 451 Research. "So you have to go in the ACI direction [and buy Nexus 9000 switches], but you don't have to do it in an abrupt way."
"It's unclear what can and can't be done [with these investment protection options]," Kindness said. "There is a lot of fog around what exactly people are getting and how this is going to work."
But at least Cisco is making it clear to its customers that a lot of work is being done in the background to make sure all these products work together, "which I had heard from them before, so Cisco is moving in the right direction," Kindness said.
Gartner Research Director Andrew Lerner said existing Nexus 7000 customers will find most of these migration options relatively unappealing, because they require major changes to virtual and physical switching environments or the repurposing of physical switches. "In addition, the announcement didn't address the Catalyst line of switches, which also have a substantial footprint in mainstream data centers," he said.
As far as ACI momentum goes, Cisco said it has 1,000 customers in the pipeline for Nexus 9000 switches. It also has 70 companies testing ACI on APIC simulators that Cisco has shipped to select companies on UCS blades. Customers will be able to move from simulations to pilots this summer when Cisco will make the APIC controller commercially available.
New Cisco ACI hardware for a spine switch core
Cisco also announced two new Nexus 9300 switches and the first line card that will allow engineers to use the Nexus 9500 chassis as a spine switch in an ACI architecture.
The Nexus 9336PQ is the first fixed-configuration switch from Cisco that can function as a spine switch in an ACI network. All other Nexus 9300 models can only function as a leaf switch. The Nexus 9336PQ, a 2 RU switch with 36 QFSP+ 40 Gbps ports and 2.88 Tbps of throughput, gives engineers the flexibility to deploy smaller, cheaper spines rather than expensive chassis-based spines which often go often go under-utilized.
"There is definitely a religious war over chassis switches versus stackables," Forrester's Kindness said. Many enterprises often have chassis switches in their core with more than half their slots empty. They deploy them with the intention of adding more capacity over time. However, many enterprises are finding that it's easier to build out a core with fixed switches, adding new switches as they are needed, Kindness said.
Cisco has traditionally recommended chassis switches in data center cores. A Nexus 9300 spine switch shows that Cisco is making changes, he said.
The Nexus 9396TX is Cisco's first copper leaf switch for the ACI product line. The 2 RU switch features 48 10 GBase-T server-facing ports and 12 QFSP+ uplink ports with 1.92 Tbps of throughput.
The new 9736PQ line card is the first module that enables the Nexus 9500 chassis as a spine switch in an ACI network. All previously shipped line cards for the chassis are engineered to support leaf functionality. Engineers who have already deployed the Nexus 9500 in a traditional network will need to buy this new line card if they are planning to use the chassis in an ACI core or spine. The 9736PQ has 36 QFSP+ 40 Gbps ports.
Integrating UCS Director and APIC controller
Cisco also announced that UCS Director 5.0 -- its data center management tool that provisions traditional Nexus switches along with servers, storage, network services and virtualization -- will integrate with the APIC controller.
This integration "allows you to have the entire infrastructure in sync in terms of the policies that are instantiated from UCS director and also with the network application policy profiles in APIC," said Craig Huitema, director of systems engineering at Cisco. "Now you have a single tool to provision and manage the existing Nexus 2000 through 7000 as well as the ACI fabric."