How to be a data centre hero with SDN

Make the complex simple and give business leaders what they want with software-defined networking (SDN) and next-generation switching for the multicloud era







The app economy has propelled business continuity to a whole new level. Consumers expect apps, devices and networks to be available instantly and work together seamlessly.


As digital transformation shifts an ever-increasing proportion of business online, the application (app) runs the business. App innovation, availability and performance become the key differentiators.


Whether you’re looking to attract and retain customers, or combat digital disruption, your IT infrastructure must be:


  • Agile to enable you to respond to changes fast
  • Always available with low latency delivering a superior customer experience
  • Efficient in both the provisioning of services and the best use of resources
  • Simple to manage so that your entire infrastructure is always in sync
  • Secure to meet compliance mandates and combat a threat landscape always on the move


Yet apps are more distributed by the minute. Consuming different workloads and apps from different services and clouds creates new complexity.


In an ideal world, apps could be moved between locations, pick up localised information and addresses, and just work.


In reality they can’t. Especially not if your app team and network team operate in silos.


To be able to deliver an app all the time you need a form of active-active architecture for that app. You can get this from storage and virtual machines (VMs), but the network is trickier.


Need to modernise

 

Legacy networks were conceived to connect A to B. They were never intended to support the distributed nature of cloud, nor the growth rates we’re seeing in the number of users, devices and endpoints. Gartner predicts there’ll be 63 million new connections every second by 2020.

 

Virtualisation exposed many of the legacy network’s limitations. In virtualised environments, apps are spun up as virtual machines in a matter of minutes and moved within seconds, whereas manual configuration of legacy network devices takes days, weeks or even longer.

 

For the network to be pervasive between locations, you need connectivity, management, and policy to be integrated. But even if you’ve virtualised, it’s likely you still don’t have an automated way of keeping multiple sites in sync, or even have the same people managing them.

You’re not dynamic if you have to raise a ticket.

Security is a further challenge. Many security holes are caused by ‘that switch in the last rack that no-one cares about because it has no production servers attached’. If that switch hasn’t been patched for some time and is compromised, an attacker suddenly has a leg into all of the other switches via the management network.

 

Network admins are looking to technologies such as software-defined networking (SDN) to address these challenges and work more efficiently. But the many options available bring new challenges of their own.

 

With so many board directives competing for your budget – security, digital transformation, cloud – to name just a few, where do you start?

Envisage your future data centre network

You’re Head of IT at a company with branches in 5 countries, 12,000 employees and growing at 5% each year. Digital transformation is already underway. 

 

The Board wants you to:

  • Reduce time-to-market and improve brand perception by being more responsive to the changing needs of the business and consumers
  • Gain greater visibility across your systems and networks to know instantly how all traffic is flowing and resolve performance issues much faster
  • Protect sensitive data and ensure compliance – remember, a breach is a matter of if not when…
  • Futureproof your infrastructure with networks that can be reconfigured on the fly without more cost

 

Fast forward 3 years…

 

You’ve successfully modernised your operations with IT infrastructure that’s fast to provision, scales dynamically and protects your business better.

Drag and drop deployments

Drag and drop deployments mean you no longer need to hire more people to undertake major data centre projects: you simply copy what you’ve done once and drop it in, using a single console that allows you to deploy and manage both physical and virtual resources. This saves you:

 

  • 2 weeks of design time and 6 weeks of installing, wiring, and configuring all of the hardware – with the entire project delivered by an existing team of 3
  • 70 hours of effort each time a large, new hardware addition is made

Faster time to market

Faster time to market has been achieved despite the number of new apps and major updates you’re asked to deliver rising from 4 to 6 over the transformation period:

 

  • 2 hours to deploy versus 72 hours using legacy infrastructure
  • $18,000 saved in the first year, and more than $50,000 saved over the following 2 

Lower hardware costs 

Lower hardware costs because you only need a small amount of cabling and now use networking equipment more efficiently:

 

  • Up to a 20% reduction in hardware capex
  • Potential savings of $200,000 over 3 years

Reduced the scope of compliance and mitigated security risks

Detailed and flexible segmentation of both physical and virtual endpoints based on group policies means you can:


  • Create compliance reports rapidly and perform real-time IT risk assessments using policy and audit logs pulled from your infrastructure
  • Use network telemetry to analyse events in real time and remediate fast
  • Support an open security framework for critical Layer 4 through 7 security services such as intrusion detection systems (IDS) and intrusion prevention systems (IPS), plus next-generation firewall services
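The compliance report described above, reduced to its essentials as an added example (this is not code from the page or from any Cisco product): a firmware baseline is checked against a switch inventory, and centrally captured configuration changes are checked against approved change records, so the forgotten switch in the last rack and the change nobody raised a ticket for both surface in one report. The inventory, baseline, change ids and audit log format are all constructed for the example.

```python
import re

# Constructed minimum firmware version the whole estate must run.
BASELINE = (9, 3, 5)

# Constructed inventory: switch name -> running firmware. "leaf-lab-9" is the
# forgotten switch with no production servers behind it.
INVENTORY = {
    "spine-1": "9.3.7",
    "leaf-1": "9.3.7",
    "leaf-2": "9.3.5",
    "leaf-lab-9": "9.2.1",
}

# Constructed set of change-record ids approved through the change process.
APPROVED_CHANGES = {"CHG-1001", "CHG-1002"}

# Constructed audit log in the line format this example assumes a central
# controller writes: one line per captured configuration change.
AUDIT_LOG = """\
2024-05-01T10:02:11Z device=leaf-1 user=alice change=CHG-1001 action=set-policy obj=contract/web-app
2024-05-01T10:05:40Z device=leaf-2 user=alice change=CHG-1001 action=set-policy obj=contract/web-app
2024-05-02T03:14:02Z device=leaf-lab-9 user=svc-backup change=NONE action=set-mgmt-acl obj=acl/mgmt-permit-any
2024-05-03T09:30:00Z device=spine-1 user=bob change=CHG-1002 action=firmware-upgrade obj=image/9.3.7
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) device=(?P<device>\S+) user=(?P<user>\S+) "
    r"change=(?P<change>\S+) action=(?P<action>\S+) obj=(?P<obj>\S+)$"
)


def parse_version(text):
    """'9.3.7' -> (9, 3, 7), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split("."))


def unpatched_switches(inventory, baseline=BASELINE):
    """Switches whose running firmware is older than the baseline."""
    return sorted(name for name, ver in inventory.items() if parse_version(ver) < baseline)


def parse_audit_log(text):
    """Parse audit log lines into dicts; malformed lines are reported, not silently dropped."""
    entries, malformed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        match = LOG_RE.match(line)
        if match:
            entries.append(match.groupdict())
        else:
            malformed.append(line)
    return entries, malformed


def unapproved_changes(entries, approved=APPROVED_CHANGES):
    """Configuration changes that cannot be tied to an approved change record."""
    return [e for e in entries if e["change"] not in approved]


def compliance_report(inventory=INVENTORY, log_text=AUDIT_LOG):
    """Build the report: unpatched devices, unapproved changes, and log lines that could not be parsed."""
    entries, malformed = parse_audit_log(log_text)
    return {
        "unpatched": unpatched_switches(inventory),
        "unapproved_changes": [
            (e["ts"], e["device"], e["user"], e["action"]) for e in unapproved_changes(entries)
        ],
        "malformed_log_lines": malformed,
    }


if __name__ == "__main__":
    for key, value in compliance_report().items():
        print(f"{key}: {value}")
```

Versions are compared as integer tuples rather than strings so that 9.10.x is correctly newer than 9.9.x, and lines the parser cannot read are surfaced in the report rather than discarded, since a gap in the audit trail is itself a compliance finding.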


Easy ongoing administration 

Easy ongoing administration via automation and the ability to make changes at the click of a button. You no longer have to physically touch servers and networking equipment:


  • You can connect a switch to your network in under 1 minute – without using an engineer, saving 20 man-hours
  • You’ve achieved a 30% reduction in cost and effort around incident management
  • You’ve halved the time it takes to on-board new users, which means substantial savings long term


What you did

You made the complex simple. You modernised your core IT infrastructure with next-generation switches and SDN.

 

Next-gen switches provide your physical network ‘fabric’ or ‘underlay’. They respond faster to dynamic virtualised and cloud-based workloads, and support both rapid traffic growth and changing traffic patterns.

 

You chose a switch series that includes a choice of custom application-specific integrated circuit (ASIC) and merchant silicon options, together with flexible 1, 10, 25, 40, 50, and 100 Gigabit Ethernet port configurations.

ASICs

The forwarding and processing of packets occurs in the transistors of the ASIC. Custom ASICs give you a major advantage in terms of the SDN functionality you get compared to merchant silicon because they offer significantly higher transistor density and lower power consumption. More transistors mean more bandwidth, more ports, larger routing tables, more granular visibility hooks, and larger buffers. IDC explains more

25 Gigabit Ethernet (25GbE)

25GbE for top-of-rack (ToR) server interfaces allows a seamless migration from 10GbE without the need to touch existing cables. Superior price-to-performance value and minimal infrastructure capex mean there are plenty of reasons to turbo charge your network.

Spine and leaf 

Unlike traditional 3-tier networks, in a spine-and-leaf design every access (leaf) switch connects to every aggregation (spine) switch, and endpoints connect only via a leaf switch. To increase overall bandwidth, add another spine switch. To add access ports, simply add another leaf switch. Every leaf is only two hops away from every other leaf, for consistently low latency. Every link is always active, so your network delivers the maximum bandwidth with the fewest switches.
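The properties claimed above can be checked on a small model of the fabric. The following is an added example, not code from the page or from any vendor: it builds a spine-and-leaf adjacency graph, measures leaf-to-leaf hop counts by breadth-first search, and shows how bandwidth scales with spines and access ports with leaves. Link speed and port counts are constructed sample values.

```python
from collections import deque
from itertools import combinations


def build_fabric(num_spines, num_leaves):
    """Adjacency map of a spine-and-leaf fabric.

    Every leaf links to every spine; there are no leaf-to-leaf or
    spine-to-spine links, and endpoints attach only to leaves.
    """
    spines = [f"spine{i}" for i in range(1, num_spines + 1)]
    leaves = [f"leaf{i}" for i in range(1, num_leaves + 1)]
    adj = {s: set(leaves) for s in spines}
    adj.update({l: set(spines) for l in leaves})
    return adj


def hop_count(adj, src, dst):
    """Length in links of the shortest path from src to dst (breadth-first search)."""
    dist = {src: 0}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return dist[node]
        for nxt in adj[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return None  # unreachable


def leaves_of(adj):
    return sorted(n for n in adj if n.startswith("leaf"))


def max_leaf_to_leaf_hops(adj):
    """Worst-case hop count between any two leaves; the text claims this is always 2."""
    return max(hop_count(adj, a, b) for a, b in combinations(leaves_of(adj), 2))


def leaf_uplink_gbps(adj, leaf, link_gbps):
    """Aggregate uplink bandwidth of one leaf.

    Every spine link is active (none are blocked as spanning tree would do),
    so the figure is number of spines x link speed.
    """
    return len(adj[leaf]) * link_gbps


def access_ports(adj, ports_per_leaf):
    """Total server-facing ports: grows by adding leaves, not spines."""
    return len(leaves_of(adj)) * ports_per_leaf


if __name__ == "__main__":
    # Constructed sample: 2 spines, 4 leaves, 100G uplinks, 48 access ports per leaf.
    fabric = build_fabric(2, 4)
    print("max leaf-to-leaf hops:", max_leaf_to_leaf_hops(fabric))
    print("leaf1 uplink Gbps:", leaf_uplink_gbps(fabric, "leaf1", 100))
    bigger = build_fabric(3, 4)  # add a spine: more bandwidth, same port count
    print("leaf1 uplink Gbps after adding a spine:", leaf_uplink_gbps(bigger, "leaf1", 100))
    wider = build_fabric(2, 6)  # add leaves: more ports, same hop count
    print("access ports:", access_ports(fabric, 48), "->", access_ports(wider, 48))
```

The hop-count check is the useful part: it holds for any fabric size because the model has no leaf-to-leaf or spine-to-spine links, which is exactly the constraint that makes the two-hop guarantee work.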

Software Defined Networking

 

SDN is an architectural approach to networking that decouples software from specific hardware. It uses network function virtualisation (NFV) so that the functions of the platform can be carried out via software. Should functions need to change, only the software needs to change.

 

In switching platforms, SDN separates the data, control and application planes. This allows the intelligence of a network device to be split from the packet-forwarding engine and controlled centrally while data transport remains distributed. It means apps can interface with the network programmatically for improved control, automation, and orchestration of network behaviour.

 

APIs 

 

Application programming interfaces (APIs) allow the integration of systems across network, security, compute, and storage. They also enable IT to automate processes that provision the unique set of services each app needs to be secure, to scale to meet demand, and to execute responsively. The API is viewed as the new command line interface (CLI) for faster, smarter integration across IT.

Policy models

 

Policy models capture app requirements and allow you to automate deployment of those apps. Policies can be defined once and rolled out automatically across your infrastructure, enabling a Software-Defined Everything (SDx) approach to deployment, delivery and continuous monitoring from top to bottom.

 

Why you did it

The proliferation of apps and their underlying server, storage, and networking technologies placed a huge burden on your IT team. Network performance was patchy at best. Patching switches and provisioning new users and devices took too much time and was prone to manual error.

 

Security and quality-of-service (QoS) policies were configured manually or scripted across hundreds or thousands of network devices. Changes to policy were complicated. Config errors often led to hours of troubleshooting.

 

Next-gen data centre switches together with SDN ensured you can provision in no time what your stakeholders and consumers want. With automated delivery and governance of apps and infrastructure using defined policies, you’re successfully executing on the Board’s digital transformation, security and compliance mandates.



Automation and programmability eliminate many of the processes required to provision network resources. There’s a subtle difference between the two:


  • Automation in the networking domain refers to tasks that are automated ‘out of the box’. Such capabilities are often provided by networking vendors by default, so you can choose whether or not to use them.
  • Programmability is where network admins who find themselves entering the same set of commands over and over again automate those tasks using the scripting capabilities provided by the operating system. The extent to which an operating system supports programmability varies.


A wide range of automation features and robust APIs for external tools are available with next-gen switches, routers, servers, and service appliances. They support use cases such as:


  • DevOps – writing and deploying production-ready code on infrastructure that’s highly decentralised and cloud-based
  • Infrastructure provisioning and automation
  • IT as a service (ITaaS)
  • Monitoring, security, and compliance

Learn more on automation and programmability



Analytics

Complete visibility into performance and behaviours throughout the business is absolutely achievable, even with the constant balancing act of users, devices, networks, apps, workloads and processes. Visibility is the logical starting point for achieving pervasive security.


With the intelligent use of analytics your network can constantly learn and begin to block threats automatically. Plus, when it’s all in real time, actionable insights mean you can guide and set policy for automation and zero trust security.


It’s where all your infrastructure conversations should start and end.


Explore data centre analytics

Security and compliance

Non-stop protection is required for all apps, infrastructure, data, users, and devices as threats and attacks become more sophisticated and diverse.


Policy-driven security means you have the ability to isolate, segment and conduct forensics to ensure compliance in real time. Most importantly, with policy-based automation and analytics you know exactly what’s going on across your entire IT infrastructure and can move fast to mitigate threats and remediate.


  • Policy-based network deployment runs your apps within secure, isolated environments. In other words, it isolates your apps and tenants (users) from each other, placing each in a microsegmented environment with app- and tenant-specific policy-based network control.
  • Microsegmentation makes it possible to quarantine segments of your infrastructure and prevent a cyber-attack from spreading.
  • Monitoring and telemetry provide details about latency, packet drops, and traffic paths, correlated with apps and logical network segments, giving you more visibility and control.

White List Policy

The whitelist model permits communication only where explicitly allowed, helping to ensure that policy omissions do not leave security vulnerabilities.


All security device provisioning and configuration can be automated according to the whitelist policy that you define and manage centrally. SDN controllers within your network then enforce it to create ‘zero-trust operations’.


Microsegmentation combined with a white-list policy model enhances the security posture inside the perimeter of the data centre in 3 key ways:


  • Minimises exposure to vulnerabilities by allowing only the protocols and ports each microsegment requires
  • Greatly reduces the possibilities for lateral movement by creating segments that can be as small as a single endpoint
  • Simplifies automation by assigning endpoints dynamically to the right microsegment based on a number of endpoint attributes
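The whitelist model and attribute-based microsegmentation described in this section and under Policy models, reduced to plain Python as an added example (not code from the page or from Cisco ACI): endpoints are classified into a segment from their attributes, contracts state which segment may open which protocol and port to which other segment, and every flow without a matching contract is denied, including traffic between two members of the same segment and anything involving an endpoint the rules failed to classify. Group names, attribute names, contracts and the sample flows are all constructed.

```python
# Microsegment classification: first matching rule wins. Endpoints that match
# nothing land in "quarantine", a group that appears in no contract and can
# therefore talk to nobody. Attribute names and groups are constructed.
SEGMENT_RULES = [
    ("web", lambda a: a.get("tag") == "web"),
    ("app", lambda a: a.get("tag") == "app"),
    ("db", lambda a: a.get("tag") == "db"),
    ("mgmt", lambda a: a.get("role") == "jump-host"),
]
QUARANTINE = "quarantine"

# Contracts: (consumer group, provider group) -> set of (protocol, port) the
# consumer may open towards the provider. Nothing else is permitted, in either
# direction, including traffic between two members of the same group.
CONTRACTS = {
    ("web", "app"): {("tcp", 8080)},
    ("app", "db"): {("tcp", 5432)},
    ("mgmt", "web"): {("tcp", 22)},
    ("mgmt", "app"): {("tcp", 22)},
    ("mgmt", "db"): {("tcp", 22)},
}


def classify(attrs):
    """Assign an endpoint to a microsegment from its attributes."""
    for group, matches in SEGMENT_RULES:
        if matches(attrs):
            return group
    return QUARANTINE


def is_allowed(src_attrs, dst_attrs, proto, port, contracts=CONTRACTS):
    """Whitelist decision: True only if a contract explicitly allows this flow."""
    key = (classify(src_attrs), classify(dst_attrs))
    return (proto, port) in contracts.get(key, set())


def evaluate_flows(endpoints, flows, contracts=CONTRACTS):
    """Apply the policy to observed flows.

    endpoints: {ip: attrs}; flows: list of (src_ip, dst_ip, proto, port).
    Returns a list of (flow, verdict) with verdict "permit" or "deny".
    Unknown IPs get empty attributes and therefore land in quarantine.
    """
    results = []
    for src, dst, proto, port in flows:
        ok = is_allowed(endpoints.get(src, {}), endpoints.get(dst, {}), proto, port, contracts)
        results.append(((src, dst, proto, port), "permit" if ok else "deny"))
    return results


# Constructed sample inventory and flow records.
ENDPOINTS = {
    "10.0.1.10": {"tag": "web", "os": "linux"},
    "10.0.1.11": {"tag": "web", "os": "linux"},
    "10.0.2.10": {"tag": "app", "os": "linux"},
    "10.0.3.10": {"tag": "db", "os": "linux"},
    "10.0.9.5": {"role": "jump-host"},
    "10.0.7.77": {"os": "windows"},  # no recognised tag -> quarantine
}
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.2.10", "tcp", 8080),  # web -> app: contracted
    ("10.0.1.10", "10.0.3.10", "tcp", 5432),  # web -> db: tier skipped, no contract
    ("10.0.3.10", "10.0.2.10", "tcp", 8080),  # db -> app: reverse direction, no contract
    ("10.0.1.10", "10.0.1.11", "tcp", 22),    # web -> web: same segment, no contract
    ("10.0.9.5", "10.0.3.10", "tcp", 22),     # jump host -> db: contracted
    ("10.0.7.77", "10.0.2.10", "tcp", 8080),  # unclassified host: quarantined
]

if __name__ == "__main__":
    for flow, verdict in evaluate_flows(ENDPOINTS, SAMPLE_FLOWS):
        print(verdict, flow)
```

The point of the quarantine default is the one the text makes about policy omissions: an endpoint the classification rules never anticipated is denied everything rather than inheriting some broad group, and adding a new tier means adding a rule and a contract, not editing per-device rules.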

How you paid for it

 

Financing any IT investment is always a balancing act. But you explored different ways to fund your initiative to minimise upfront costs and deliver the benefits you want.

 

You found that there were multiple options for you to combine all your hardware, software, and services costs together in monthly expected subscription-based payments, as well as consumption models that can be scaled up and down as needed.

 

Crucially, you secured built-in flexibility to scale or update outside of planned refresh cycles.

 

Because who knows what the future holds?

 

Find the best flexible payment option for your technology solution

A unique flavour of SDN: Cisco ACI

Cisco Application Centric Infrastructure (ACI) is at the forefront of SDN innovation. It includes the Application Policy Infrastructure Controller (APIC), the Nexus 9000 family of data centre switches, and a set of southbound and northbound APIs.

 

Designed from the ground up to tightly integrate the physical and virtual elements of IT infrastructure, Cisco ACI simplifies operations through app-based policies. It does this by decoupling the logical identity of the network from the physical infrastructure through an integrated overlay – a network fabric comprising a pool of shared resources that can be provisioned and re-coupled dynamically, based on app needs.

 

Cisco ACI frees the app so it’s no longer bound by network complexity. IT staff identify the app’s key requirements and capture them in a policy. That policy is then used to instruct the network on what services are needed for that app and automate its provisioning.


Always available, everywhere

 

Cisco ACI integrates, controls, and provisions the virtual switching and physical switching, so it’s always in sync. Operationally this gives the feeling of ‘it just works’.

 

You define a network via a single ACI console that shows you all the information you need. That network is then available everywhere, so a VM admin can simply drop a VM into a port group. This simplifies troubleshooting, as the network engineer doesn’t have to navigate unfamiliar management tools while under pressure to get an issue resolved.

 

ACI also greatly simplifies the upgrading of firmware across all switches in all locations, as well as ensuring consistent security policy on all switches. You define the order you want it to happen, upload the image, then click ‘update now’. No more unpatched switches.

 

For your network to be pervasive between locations, Cisco ACI Multi-Site gives you built-in connectivity, management, and policy. These elements are integrated, so the data centre interconnect is ‘aware’ of the network fabric. No more travelling from one site to another and manually copying configurations.

 

Ultimately, Cisco ACI ensures your IT infrastructure is:

Agile 

  • The app-based policy model drives speed through automation, reduces errors, and accelerates app deployment and IT processes from weeks to minutes
  • Supports mixed physical and virtual endpoints seamlessly – including bare-metal servers, virtual servers on any hypervisor, containers, and Layer 4-7 services
  • Centralised, app-level visibility with real-time app health monitoring for faster troubleshooting
  • Every leaf switch is a hardware-based Virtual Extensible LAN (VXLAN) gateway, delivering faster performance than other solutions requiring external gateways
  • The policy model means an ACI environment can be scaled out easily without adding complexity, while the network supports high-density and high-capacity speeds

Open 

  • Supports open APIs, open source tools, and open standards
  • Partner ecosystem has more than 65 members – including major partners F5, Symantec, and Microsoft

Secure 

  • Whitelist model automatically disallows connectivity between devices until the policy specifically allows it
  • Traffic, connectivity, and policies for each app and user can share the same infrastructure without leakage of information across tenants
  • Automatic capture of all configuration changes integrates seamlessly with audit and compliance tracking solutions

Cisco ACI has achieved great success with more than 4,800 users. Over half of companies choosing Nexus 9000 Series switches choose ACI too.

 

Contact a Cisco expert today and join our journey to SDx.

Choose the right accomplice

You’ve seen the movies: no superhero reaches full mastery of their powers overnight. Most benefit from help along the way. Cue training montage clip…

Plan your route

Where are you today? Where do you need to get to? And what’s the best route to get there? Get your plan straight before you get going. Chart the quickest route with the lowest risk by performing a detailed analysis of your current state, primary use cases, business goals and operational constraints.

 

Cisco ACI Advisory Services can help you:

 

  • Determine the correct strategy for your business
  • Identify the primary requirements and use cases
  • Develop a high-level roadmap and architecture
  • Create and validate a design for your implementation

Deploy with confidence

Careful preparation makes all the difference. You’ll need to consider how to migrate workloads, define policies for your app groups, and integrate APIs.

 

Cisco ACI Implementation Services can help you:

 

  • Create a migration roadmap
  • Determine security policies and placement
  • Evaluate application dependencies
  • Execute proof of concept with an initial trial
  • Install, configure, and integrate new solutions in your production network

Get your team ready

If you’re used to configuring switches in CLI and cut your teeth on VLANs and spanning tree, the idea of policy-based automation can present a whole new world. If you want your team to be ready to take charge on Day 1, Cisco Services can help with:

 

  • Documentation including run books and best practices
  • Guidance on operational processes and maturity for the SDN world
  • Formal training, on-site or remote
  • Knowledge transfer from engineer to engineer throughout the project
  • Managed services for your ACI environment

Fighting fit

Your data centre and app environment won’t stand still. You’ll need to evaluate the impact of new apps, changes in use cases, and new regulation or security practices, as well as the day-to-day work of scaling capacity and optimising performance using the data you pull from the SDN environment. Cisco Business Critical Services can help with:

 

  • Strategic guidance for best practices around tuning and optimisation of configurations
  • Reviews and recommendations around routine planned changes, including design guidance
  • Ongoing knowledge transfer and training
  • Readiness assessments for major migrations, upgrades, integrations and other changes

Get the support you need

Interoperability issues, bugs, human error and hardware failure are all facts of life. Make sure you’ve got the support you need, right on hand. Cisco Technical Services gives you:

 

  • Responsive assistance from highly trained TAC engineers, day or night, to help you resolve all kinds of problems fast
  • A single point of contact at every stage of your case
  • Easy management of your data centre assets including software updates, support coverage status and end of life alerts to keep you in control

See a real example of how Solution Support made a difference

 

Find out more about our services for ACI