You don’t have to go all in on Cisco’s SDN to reap many of its benefits.
That’s what Danish cloud provider Venzo A/S found with its implementation of Cisco’s Application Centric Infrastructure (ACI). Venzo turned up a new point of presence with ACI and an underlay of Cisco Nexus 9000 switches a year ago to handle increased subscriber capacity and automate network configuration.
Venzo provides software-, platform- and infrastructure-as-a-service based on Microsoft products, such as Office 365, Hyper-V, Azure, Lync and Exchange. The cloud provider is availing itself of ACI’s group-based policy and contract capabilities, which assign and enforce policies based on groups of inter-communicating endpoints.
+MORE ON NETWORK WORLD: SDN showdown: Examining the differences between VMware’s NSX and Cisco’s ACI+
ACI features Venzo is bypassing for now include service graphing, or chaining, in which ACI configures Layer 4-7 services devices such as firewalls and load balancers. Venzo is also not using ACI’s Application Virtual Switch for VMware vSphere workloads, or Cisco’s Nexus 1000v virtual switch at the present time though with the microsegmentation features Cisco is adding to them, use may become imperative.
For now though, all Venzo needs from ACI is a resilient, scalable and reliable fabric.
“We needed to buy something that we could run in production right away,” says Thomas Raabo, principal infrastructure engineer at Venzo Hosting. “We needed to do something different, through APIs. But we didn’t need to enable all of the features Day One.”
The new PoP supports 1,000 virtual machines and 400 users. The ACI fabric includes eight leaf switches and two spines but Venzo plans to support 32 leaves and 240 hosts in each ACI pod, Raabo says.
And after discounting, customers can get up and running on ACI for under $100,000, he says.
ACI serves as an orchestration layer on top of Nexus 9000 switches, Raabo says. All of the provisioning is done from scripts interfacing with ACI’s APIC through a REST API.
Venzo is using ACI as a way to automate the configuration of VLANs and then add services to them.
“We wanted to scale without adding cost or losing agility,” Raabo says. “We wanted to grow the network without having to grow our networking team.”
Venzo configured storage and network infrastructure tenants in the ACI fabric for separation and control. Venzo can grant access to storage via endpoint groups (EPGs) in those tenants.
The cloud provider is also using ACI microsegmentation to divide the PoP into smaller, more protected zones than can be configured through perimeter defense. Through ACI microsegmentation, each server or application is put into an EPG with context within and between them.
This is not as easy as it is in VMware’s NSX, Raabo says, because NSX adds a firewall to each VM.
“That helps a lot,” he says, adding that he also evaluated NSX at Zitcom A/S, Raabo’s previous employer. “At the moment, ACI is not as powerful (at microsegmentation) as NSX but we are almost there.”
Raabo says he expects Cisco to move towards a firewall-per-VM microsegmentation model with AVS.
Venzo also likes ACI’s ability to integrate with Microsoft Azure cloud services via the Microsoft Azure Pack, which provides a single pane of glass for definition, creation, and service management. ACI’s APIC controller integrates with a Microsoft System Center Virtual Machine Manager instance to extend the ACI policy framework to Microsoft Hyper-V workloads.
Venzo’s initial ACI implementation was not bug free. Raabo says switches initially couldn’t see the APIC controllers after adding a certificate, and they all rebooted at once. Luckily for the cloud provider, they all rebooted during a maintenance window and defaulted to the master configuration.
Still, “it shouldn’t have happened,” Raabo says.
It took Venzo four weeks to get ACI into production mode carrying live customer traffic, he says. And Raabo advises other users considering ACI to not bite off more than they can chew.
“They shouldn’t try to enable everything,” he says. “They should try to understand the technology because we have had to move stuff around later, because we had to pick the right naming schemes, move tenants around later. You should play with it and have time to play with it. But also, you shouldn’t be afraid of the technology. Throw some stuff at it.”
After all, it’s not all that unfamiliar.
“It is just a switch and it is just a router,” Raabo says.