The Nexus 9000 switches can run in either standalone mode, with merchant silicon, or ACI mode, with a combination of merchant and custom Cisco silicon. Merchant silicon on the Insieme Nexus 9000 switches will get you open source, OpenFlow and OpenDaylight controllers, Cisco's onePK programmability, and other industry-understood SDN-friendly hooks like decoupled control and data planes.
Custom Insieme silicon-based Nexus 9000 hardware will get you Insieme's anti-SDN: ACI and the APIC controller, with hardware acceleration, deep visibility into application interaction and behavior, and granular service level metrics.
ACI incorporates XML, JSON, and RESTful APIs to speak with higher level orchestration and automation systems, including OpenStack, Puppet, Chef, CFEngine and Python scripting. These APIs also enable the ACI ecosystem for management, orchestration, monitoring, virtualization, network service, and storage partners, and open up the environment for OpenDaylight, virtual switches, and VXLAN, Cisco says.
But the full value of ACI is in the APIC controller, managing Nexus 9000 switches in ACI mode. APIC is capable of managing 1 million endpoints, Cisco says, and unlike traditional SDN controllers, it operates independently of switch data and control planes, meaning it does not decouple data and control planes.
Cisco says this allows the network to respond to endpoint changes even when the APIC is offline.
APIC is the brains of ACI. It is designed to unify physical and virtual networks, and provide security, compliance and real-time visibility at the system, tenant and application levels.
APIC provides centralized policy management with application network profiles and Layer 4-7 network service automation across application, network, security, virtualization, compute and storage resources and personnel. APIC allows the ACI network to adapt to application requirements through dynamic insertion and chaining of physical and virtual Layer 4-7 network services including firewalls, application delivery controllers, and intrusion detection systems, Cisco says.
One of the firewalls it supports is Cisco's new ASAv, a virtualized version of the company's ASA firewall.
Application and tenant security is enhanced through APIC's ability to centralize programmable policy, and enable isolation at scale for multitenant private and public cloud environments, Cisco says. Standard APIs allow for partner security applications to be added.
APIC also provides a real-time view of per-tenant and per-application health, statistics, and troubleshooting analytics across physical and virtual infrastructure, to aid in application placement decisions. It monitors and isolates packet drops by application to assist in problem resolution, Cisco says.
APIC's application network profiles define the requirements of an application and its interdependencies on the underlying ACI infrastructure. With these profiles, APIC dynamically provisions networking, services, compute, storage and security policies wherever the application is or however it has changed, Cisco says.
APIC also manages Cisco's new AVS (Application Virtual Switch), an ACI-enabled virtual switch optimized for policy enforcement, improved visibility and performance of applications running on ACI.
The Nexus 9000 switches run new versions of NX-OS "optimized" for standalone mode or fortified for ACI mode. Transitioning from one mode to the other requires a software upgrade and APIC, Cisco says, but reconfiguring the Nexus 9000 switches for true ACI mode operation requires line card and cabling replacements, sources say.