How is that achieved? Manville says, "The APIC has the construct of endpoint groups, which are like closed user groups. You set them up and then put in virtual machines, VLANs and other capabilities, and specify what traffic can go to that endpoint group and what traffic can come out. And that's done at a much higher level than writing an ACL and saying, 'This IP address can only speak to that IP address on this port.' And because we can now automate a lot of these things we don't have to have as much back-and-forth with application teams. In many cases the application teams can actually decide what they want from the infrastructure themselves using a GUI."
That should drive down OPEX costs, Manville says, but he is also looking for increased efficiencies: "If we can raise the abstraction layer so an application person doesn't have to know about subnets or why this IP address can't talk to that one, we should be able to significantly lower the friction, the time it takes to interact between the application and the infrastructure teams to provision and configure the infrastructure for whatever the application needs."
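To make the endpoint-group idea concrete, here is an added illustration in Python. It is not Cisco's APIC API or data model and none of the names in it (Fabric, Contract, allowed, expand_to_acl) are real; it is a toy that captures the point Manville makes: policy is written once between groups, endpoints are placed into groups, and the per-IP/port lines a flat ACL would need are derived rather than hand-written. The sample IPs and the three-tier layout are constructed for the demo.

```python
"""Toy model of endpoint-group (EPG) policy versus a flat IP/port ACL.

Added illustration only. Not Cisco's APIC API or data model: Fabric,
Contract, allowed() and expand_to_acl() are hypothetical names.
"""
from dataclasses import dataclass, field
from itertools import product


@dataclass(frozen=True)
class Contract:
    """A named allow rule from a consumer EPG to a provider EPG on one proto/port."""
    consumer: str
    provider: str
    proto: str
    port: int


@dataclass
class Fabric:
    # EPG name -> set of endpoint IPs (VMs, VLAN-attached hosts, ...)
    groups: dict = field(default_factory=dict)
    contracts: list = field(default_factory=list)

    def add_endpoint(self, epg, ip):
        self.groups.setdefault(epg, set()).add(ip)

    def add_contract(self, consumer, provider, proto, port):
        self.contracts.append(Contract(consumer, provider, proto, port))

    def epg_of(self, ip):
        for name, members in self.groups.items():
            if ip in members:
                return name
        return None  # unknown endpoint: no EPG, so no contract can match it

    def allowed(self, src_ip, dst_ip, proto, port):
        """Whitelist model: a flow passes only if some contract joins the
        source's EPG (consumer) to the destination's EPG (provider) on
        that proto/port. Direction matters in this toy model."""
        src, dst = self.epg_of(src_ip), self.epg_of(dst_ip)
        if src is None or dst is None:
            return False
        return any(c.consumer == src and c.provider == dst
                   and c.proto == proto and c.port == port
                   for c in self.contracts)

    def expand_to_acl(self):
        """Derive the equivalent flat ACL: one permit per (src, dst) pair
        for every contract, closed by a default deny."""
        lines = []
        for c in self.contracts:
            for s, d in product(sorted(self.groups.get(c.consumer, ())),
                                sorted(self.groups.get(c.provider, ()))):
                lines.append(f"permit {c.proto} {s} {d} eq {c.port}")
        lines.append("deny ip any any")
        return lines


def build_demo():
    """Constructed sample: a three-tier application placed into three EPGs."""
    f = Fabric()
    for ip in ("10.1.0.10", "10.1.0.11"):
        f.add_endpoint("web", ip)
    for ip in ("10.2.0.10", "10.2.0.11", "10.2.0.12"):
        f.add_endpoint("app", ip)
    f.add_endpoint("db", "10.3.0.10")
    # Two group-level rules replace nine hand-written permit lines.
    f.add_contract("web", "app", "tcp", 8080)
    f.add_contract("app", "db", "tcp", 5432)
    return f


if __name__ == "__main__":
    fab = build_demo()
    print(fab.allowed("10.1.0.10", "10.2.0.12", "tcp", 8080))  # True
    print(fab.allowed("10.1.0.10", "10.3.0.10", "tcp", 5432))  # False: web never talks to db
    # Placing a new VM into an EPG extends policy without editing any rule:
    fab.add_endpoint("web", "10.1.0.12")
    print(fab.allowed("10.1.0.12", "10.2.0.10", "tcp", 8080))  # True
    for line in fab.expand_to_acl():
        print(line)
```

The interesting part is the last step: the group-level policy never changes when an endpoint is added, while the derived ACL grows by one line for every peer in the provider group. That is the friction reduction the interview describes, and it is also why a mistaken EPG assignment matters more than a mistaken ACL line.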
ACI deployment plans
Although Cisco has been testing ACI in the Allen data center, the first major implementation is going to be in an engineering data center in San Jose using the ACI switches in "standalone mode," Manville says.
"Probably around June-ish we'll have the APIC running in an engineering data center handling all the networking aspects in that data center," Manville says. "In the other data centers we're planning to implement the fabric almost standalone and then migrate applications and workloads one by one. And that's going to take a series of quarters for us to integrate with the release schedules of the applications, doing our testing of those applications, understanding the dependencies of those applications, so we can make best use of the endpoint group capability."
He anticipates ACI being deployed in most environments by calendar year 2017.
VMware pushed out?
When it comes to software-controlled networks, Cisco is facing bold new competition from VMware with its NSX technology.
VMware isn't shy about its intention of worming its way into the market by putting a network shim below virtual servers and relegating the physical network to the lowly job of creating tunnels between virtual resources.
So, given that market threat, will Cisco migrate away from the VMware technology that underpins so much of the company's private cloud?
"That's a great question," Manville says. "A part of CITEIS now has OpenStack as the environment and KVM as the hypervisor. At the moment we're giving CITEIS users a choice between an OpenStack or VMware environment. And there are definitely advantages to both.