Why Is a Flexible DC Solution like ACI Important in the Digital Age?

This blog reflects my own opinion, not the view of any company or anyone else. It uses a sample case study to show how digital transformation can change our perspective when we architect and build modern enterprise networks.

First, let’s define what flexibility means and why it is an important aspect of today’s modern IT solutions, specifically within the data center.

Flexibility in IT reflects the level of elasticity of a solution or technology in responding to strategic business trends, changes or transformation.

A change or transformation here refers to the direction the business is heading toward, which can take different forms. For example, this change may be adopting a Digital Strategy, typical organic business growth, a decline in business, a merger, or an acquisition.

We all know the Data Center is at the heart of the enterprise IT infrastructure. However, unlike a decade ago, when the focus was mainly on connectivity, in today’s digital age it is not only about connectivity (even though connectivity is still the most powerful force we have to transport all the data and information). Instead, as we enter the era of digitization (where most business investments are in technology solutions), the focus is more about user experience, applications, data analytics and application intelligence. Therefore, today’s IT needs to provide a platform for innovation, agility and visibility, where flexibility is becoming more and more a critical aspect of modern IT solutions.


This means that you need a data center infrastructure that is capable enough to adapt to the various applications’ requirements, including different operating systems, different types of hypervisors, and the ability to provide data-center-wide as well as enterprise-wide security policy across virtual and physical workloads, with ease of provisioning and end-to-end visibility, at IoT scale (people, devices, wearable technologies, etc.).

Otherwise, it will be an obstacle to the business moving forward at the speed of today’s fast-moving and changing markets. As a result, the business ultimately won’t be able to cope with the competition and digital disruption of the digital era.

That’s why it is critical to look at the big picture, see how the DC network fits with the other places in the network (PINs) within the enterprise, and avoid designing these PINs in isolation.

Let’s consider the following scenario, taken from one of my previous blogs, of an educational institution (a university) that is building a 21st century education environment (a Digital University). Then we will look at how different SD-DC solutions may help or limit this university in its digital transformation journey.

This university relies heavily on WiFi to determine where students/staff are located at any given time and, based on the density of people in each place, it uses API integration between the Cisco location services system (CMX) and the energy/power system to adjust air-conditioning and lighting levels to save energy. This university employs Cisco ISE as its advanced NAC solution to perform AAA for both wired and wireless networks.

It also uses location-based services to push announcements, provide wayfinding, and give access to certain services based on the students’/staff’s location within the campus. In brief, this university wants to achieve the following:

  • Segregate the traffic of students, staff, CCTV cameras, and IoT devices across the entire network.
  • Ability to provision access for any of the aforementioned access groups without introducing any major change or requiring the intervention of multiple teams.
  • All university staff must be able to access the HR web portal from anywhere within the campus.
  • Permanent staff must be able to access the university examination system from anywhere within the campus, while contracting staff can access it only when they are connected to the WiFi network inside the administration offices.
  • Engineering school students must be able to access the engineering web portal only when they are using a university PC or connected to any classroom WiFi.
  • Business school students must be able to access the business web portal only when they are using a university PC or connected to any classroom WiFi.
  • Both staff and students must be able to access the university’s internal social network website.
  • Any staff member can use his/her own device; however, network access will be restricted to the Internet, the mail server and the internal social network website.

Let’s start with an SD-DC solution that either supports a network-based overlay, in which case visibility will be limited to the DC network only, or supports a host-based overlay, in which case it will obviously limit visibility and control to the data center, and in particular to its virtualized part only.

As mentioned earlier, in the digital age the focus is on applications and data analytics, no matter what OS or virtualization/physical platform is used.

Therefore, limiting your visibility and control to the data center, or only to its virtual part, can be a real constraint for modern businesses in this digital age of connected countries, cities and things, where automation and fast, zero-touch provisioning form the foundation that enables digital transformation.

If you look a bit deeper, you will notice that you will need a security node (physical or virtual) at the DC edge with the campus core to perform packet filtering based on source/destination IPs.

The question here is how fast such an approach can be when management needs to roll out new applications or services with certain (location-based) access restrictions.

First, this typically requires the intervention of the DC network team to configure the access policies (manually or through an orchestrator).

Secondly, the security team needs to know the source IP(s), destination IP(s), etc. and create ACLs at the DC firewalls (no matter whether these entries are created through a script/API or manually). This is a typical “communication islands” approach, which lacks the flexibility or ability to respond quickly to business needs and changes in such a dynamic environment.

Third, provisioning different access groups such as staff, students, IoT and CCTV cameras will require the creation of different logical access networks (VLANs, VRFs, maybe MPLS VPNs, etc.). Even if Cisco ISE and the SGT concept are used in the campus, you will still need this separation at the DC firewall edge, because the campus and the DC work as separate “communication islands”. This is not a simple task when you have an existing production network and need to add/delete logical networks and the associated security rules. As a result, this leads to delays, increased OPEX and ultimately a degraded user experience (UX).


What about Cisco ACI? How could you achieve the aforementioned requirements with ACI?

By using Cisco TrustSec integrated with Cisco ACI, you can provision and manage a cohesive solution that achieves the aforementioned requirements without introducing any operational complexity.


As shown in the figure below, Cisco ISE (the central component of TrustSec) integrates with the Cisco ACI APIC (the ACI/SDN controller). With this integration, the APIC can pull the SGTs and translate them into external EPGs. Then, from the APIC, you can simply control who can access what, using the contract concept between an external EPG and the existing internal EPGs where the intended servers/applications are grouped.


Also, TrustSec uses SGTs to distinguish between the packets of different user groups, so that isolating and provisioning different user groups does not need any major change to the network or manual intervention once ISE with TrustSec is added to the network.

For instance, suppose this university has 400 new students joining next week along with 20 new staff members. Typically, the system admin adds those students and staff members to the respective Active Directory groups, and TrustSec takes care of the rest of the security policy enforcement. Also, with this integration, the relevant access policies to DC resources will apply to those new users no matter what IP address/subnet they are assigned (enterprise-wide policy). This enables the university to achieve true zero-touch provisioning for a task that would require at least three teams to be involved with a traditional or insufficiently flexible DC solution.
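To make the contrast concrete, here is a small Python model I have added (it is not code from the original post, and it is not the ISE or APIC API) that captures the decision logic of both approaches described above: the IP/subnet-based ACL at the DC edge firewall from the “communication islands” discussion, and the group-based path where ISE assigns an SGT, the APIC represents that SGT as an external EPG, and a contract between the external EPG and the internal EPGs decides access. The subnets, AD group names, SGT names, connection contexts and contract contents are all constructed from the university requirements listed earlier; anything not explicitly permitted is denied, mirroring the whitelist behaviour of ACI contracts. The onboarding scenario at the end shows that the 400 new students need only an AD group membership change under the group-based model, whereas a new classroom subnet gets nothing from the IP ACL until someone edits it.

```python
"""Toy model contrasting IP-based ACL enforcement at the DC edge with group-based
policy (ISE SGT -> ACI external EPG -> contract). All names, subnets and rules are
constructed for illustration; this is a model of the decision logic, not a real API."""
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional

# Applications hosted in the DC, i.e. the internal EPGs where the servers are grouped.
HR, EXAM, ENG, BIZ, SOCIAL, MAIL, INTERNET = (
    "hr_portal", "exam_system", "eng_portal", "biz_portal",
    "social_net", "mail", "internet",
)

# --- Model 1: DC edge firewall with IP-based ACL entries (constructed subnets) ---
# Every (source subnet, application) pair must be listed explicitly.
IP_ACL = [
    (ip_network("10.10.0.0/24"), HR),      # staff wired subnet
    (ip_network("10.10.0.0/24"), SOCIAL),
    (ip_network("10.20.0.0/24"), ENG),     # engineering classroom Wi-Fi subnet
    (ip_network("10.20.0.0/24"), SOCIAL),
]

def ip_acl_allows(src_ip: str, app: str) -> bool:
    """IP-based decision: the firewall only sees source address and destination."""
    src = ip_address(src_ip)
    return any(src in subnet and dst == app for subnet, dst in IP_ACL)

# --- Model 2: group-based policy (TrustSec SGT -> ACI external EPG -> contract) ---
# Step 1, ISE authorization (constructed): identity group + connection context -> SGT.
# Rules are evaluated top-down, first match wins; "*" is a wildcard.
AUTHZ_RULES = [
    ("Staff-*",         "byod",              "Staff_BYOD"),
    ("Staff-Permanent", "*",                 "Staff_Perm"),
    ("Staff-Contract",  "admin_office_wifi", "Staff_Contract_Admin"),
    ("Staff-Contract",  "*",                 "Staff_Contract"),
    ("Students-Eng",    "university_pc",     "Eng_Student"),
    ("Students-Eng",    "classroom_wifi",    "Eng_Student"),
    ("Students-Biz",    "university_pc",     "Biz_Student"),
    ("Students-Biz",    "classroom_wifi",    "Biz_Student"),
    ("Students-*",      "*",                 "Student"),
]

def classify_sgt(ad_group: str, context: str) -> Optional[str]:
    """Return the SGT ISE would assign, or None when no authorization rule matches."""
    for group_pat, ctx_pat, sgt in AUTHZ_RULES:
        if fnmatchcase(ad_group, group_pat) and fnmatchcase(context, ctx_pat):
            return sgt
    return None  # no SGT means no external EPG, hence no contract and no access

# Step 2, APIC side (constructed): each SGT is represented as an external EPG, and the
# contract lists the internal EPGs that external EPG may reach. Unlisted = denied.
CONTRACTS = {
    "Staff_BYOD":           {INTERNET, MAIL, SOCIAL},
    "Staff_Perm":           {HR, EXAM, SOCIAL, MAIL, INTERNET},
    "Staff_Contract_Admin": {HR, EXAM, SOCIAL, MAIL, INTERNET},
    "Staff_Contract":       {HR, SOCIAL, MAIL, INTERNET},
    "Eng_Student":          {ENG, SOCIAL},
    "Biz_Student":          {BIZ, SOCIAL},
    "Student":              {SOCIAL},
}

def group_policy_allows(ad_group: str, context: str, app: str) -> bool:
    """Group-based decision: independent of the user's IP address or subnet."""
    sgt = classify_sgt(ad_group, context)
    return app in CONTRACTS.get(sgt, set())

# --- Onboarding scenario from the post: new users arrive, only AD membership changes ---
DIRECTORY = {"alice": "Staff-Permanent", "bob": "Staff-Contract", "carol": "Students-Eng"}

def add_users(names: Iterable[str], ad_group: str) -> None:
    """The sysadmin's only action: put the new accounts in the right AD group."""
    for name in names:
        DIRECTORY[name] = ad_group

def user_allowed(user: str, context: str, app: str) -> bool:
    """Look the user up in the directory, then apply the group-based policy."""
    return group_policy_allows(DIRECTORY[user], context, app)

if __name__ == "__main__":
    # A new classroom subnet: the IP ACL knows nothing about it until it is edited.
    print("IP ACL, host in new subnet 10.30.0.0/24 -> eng portal:",
          ip_acl_allows("10.30.0.9", ENG))
    # The same students under group policy: no firewall or fabric change needed.
    add_users([f"student{i:03d}" for i in range(400)], "Students-Eng")
    print("group policy, new student on classroom Wi-Fi -> eng portal:",
          user_allowed("student007", "classroom_wifi", ENG))
```

The point to notice is that `AUTHZ_RULES` and `CONTRACTS` are never touched during onboarding; the location-dependent requirements (contract staff and the examination system, students and their school portals, staff BYOD) live entirely in the SGT classification, which is exactly the kind of context an IP ACL cannot express without a separate subnet per group and location.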


Not to mention, with ACI you can connect all the different workloads (virtual or physical) to the same fabric, and with Cisco Tetration you can literally “Turn the Lights On in the Data Center”.

Moreover, with this approach you will not only be able to build and control enterprise-wide groups and security policy, but you can also extend the policy plane integration between Cisco TrustSec and Cisco ACI to Cisco Stealthwatch, allowing full visibility into the unified TrustSec-ACI policy (“Seeing Over the Wall”).

Some might say that to run ACI you must use Cisco Nexus 9000 switches. Can we consider this a limitation?

Is this a valid question? Yes. Is it a limitation? Not really, for two main reasons. First, as mentioned earlier, as we enter the digital age the focus is more about users’ experience, visibility, data analytics and application intelligence. This means the business won’t care whether you are using a Nexus 9K or a white-box node as long as the technology solution provides the desired outcomes. Secondly, as discussed in my previous blog, using a DC solution in which the underlay and overlay work together will ultimately reduce operational complexity.

In summary, in the digital age the focus is more on applications, users’ experience and data analytics, where speed, agility, visibility, flexibility and security of the IT platform are key foundational elements for a successful digital transformation. Therefore, securing your data center from external networks and among the applications/VMs within the data center is a must, but it is not enough in today’s networks. That is why, as a network or solution architect, you need to “always” look at the big picture and see how you can achieve “enterprise-wide” control and visibility in a unified manner.

Sharing contextual and policy group information between the TrustSec and ACI domains enables the network infrastructure to become more responsive to new business needs and changes, and enables enterprises to address network access breaches and compliance challenges and to meet the complex, dynamic security segmentation requirements of today’s networks. In fact, with the group-based policy approach used by TrustSec and ACI, enterprises can define unified and consistent security policies to gain “end to end” visibility and control with vastly simplified security design, management and compliance across the different places in the network (remote sites, campus, VPN users and data center).

Related Topics:

Cisco ACI & TrustSec – A Holistic Approach for Secure Enterprise Networks
Why Cisco ACI Can Be More Reliable Than NSX? – A Network Architect Perspective
Marwan Al-shawi – CCDE No. 20130066, Google Cloud Certified Architect, AWS Certified Solutions Architect, Cisco Press author (author of the top Cisco certifications’ design books, the “CCDE Study Guide” and the upcoming “CCDP Arch 4th Edition”). He is an experienced technical architect. Marwan has been in the networking industry for more than 12 years and has been involved in architecting, designing, and implementing various large-scale networks, some of which are global service provider-grade networks. Marwan holds a Master of Science degree in internetworking from the University of Technology, Sydney. Marwan enjoys helping and assessing others; therefore, he was selected as a Cisco Designated VIP by the Cisco Support Community (CSC) (the official Cisco Systems forums) in 2012, and by the Solutions and Architectures subcommunity in 2014. In addition, Marwan was selected as a member of the Cisco Champions program in 2015 and 2016.

