Beyond Hadoop-as-a-Service: The Opportunity for Big-Data-as-a-Service

– August 31, 2016 – 1 Comment

I’ve written in the past about the opportunity for Hadoop-as-a-Service (HaaS) – providing self-service provisioning, elastic scaling, and support for multi-tenancy. But in my discussions with customers over the past year, it’s become clear that the opportunity is even bigger than Hadoop. The next big thing in big data is Big-Data-as-a-Service (BDaaS).

There are three key trends driving the evolution and emergence of this new BDaaS opportunity:

Apache Spark and the evolving big data ecosystem. Hadoop recently celebrated its 10th birthday and continues to gain widespread adoption. But in recent years, other new big data frameworks and tools have also gained in popularity. Foremost among these is Apache Spark, the most active open source project in big data. We’re also seeing increased interest in Kakfa, Flink, NoSQL technologies such as Cassandra, and much more. And there continues to be rapid innovation in the commercial software market for big data – including analytics, ETL, search, log analytics, and other BI tools. Hadoop is still at the forefront (and many of these tools complement and extend Hadoop), but BDaaS is much more than Hadoop.

Enterprise adoption of containers and microservices. Container and microservices technology (Docker in particular) has taken hold in the enterprise, and the pace of adoption has accelerated over the past year. Like Spark, Docker has become one of the fastest growing open source technologies ever. Application developers have embraced the simplicity and agility of containers, and microservices are a foundation of the DevOps model. Enterprise IT teams have made containers part of their architecture strategy. And the container revolution is now being extended to big data applications.

The cloud experience for big data, with no compromises. Until recently, big data deployments were almost exclusively bare metal on-premises. But now data scientists, analysts, and developers in the line of business want the cloud experience; they want self-service, on-demand clusters, elasticity, and DevOps agility with all their big data tools. There are several public  cloud services for Hadoop and Spark, but there are important factors that prevent many big data workloads from moving to the public  cloud – including performance, security, compliance, and data gravity. Data gravity means that data that already resides on-prem is likely to stay on-prem due to the cost, risk, and challenges of moving very large volumes of data. Using container technology and next generation big data infrastructure, customers can have the BDaaS cloud experience and the enterprise-grade performance, security, compliance, and high availability required for big data workloads on-premises.

To learn more about Big-Data-as-a-Service, register for our upcoming joint webinar on September 15th with BlueData, a software company that provides an innovative platform for BDaaS using Docker containers, and a Cisco Solution Partner:


Leave a comment

We’d love to hear from you! To earn points and badges for participating in the conversation, join Cisco Social Rewards. Your comment(s) will appear instantly on the live site. Spam, promotional and derogatory comments will be removed.


    Great article.

How Cisco CloudCenter Stacks up

– August 31, 2016 – 0 Comments

If you are like me – all the cloud management tools sound the same. Vendors all use the same words to describe very different solutions. Hybrid. Platform. Automation. Service.

So to help you figure out what the words mean, I’ve recorded a short webcast with product manager Zack Kielich (@zackOmatic), that shows how Cisco CloudCenter stacks up to Gartner’s Cloud Management Platform feature taxonomy.

You can access a Gartner report that includes the feature taxonomy list, as well as 5 key questions that help you evolve your cloud strategy.  And then listen to the webcast where we go through Gartner requirements and describe how CloudCenter features deliver 14 Gartner recommended capabilities in 4 key areas.

So why is a CMP review on the Datacenter Blog?  CloudCenter deploys and manages applications in datacenter or cloud environments.  It’s both a cloud and datacenter solution.

Some highlights:

Access Management

  • Multi-tenancy – CloudCenter has a service provider class multi-tenant architecture that offers great value for enterprise IT. It saves money by reducing the solution footprint for organizations with multiple business units. It supports a centralized IT service strategy with a flexible mix of sharing and isolation.  Central IT can offer standard services. Each tenant can consume those services but also add or customize their own, and even skin the UI for different user groups.
  • Governance – A tag-based governance scheme makes it easy for IT to help users make the right decisions. Compliance can be automated by using tags to enforce policies.  Users add simple tags when they deploy applications. IT can hard code tags if needed for compliance.  The tags link to policies that direct placement, deployment and run-time decisions. The tags make it easy for users to make the right choices. And they don’t have to understand the policies.

Service Management

  • Logical service modeling – This is where CloudCenter really shines. You can model a deployable application blueprint with ease in a drag and drop interface. Each component represents a service like OS, or application or web server, database, etc. You can use out of box, or easily customize or add your own. It supports configuration management tools, PaaS and cloud services, as well as containers. Multiple IT groups can put their configuration finger print on the building blocks or fully modeled stacks before releasing for users. IT maintains control. Users don’t get stuck in the infrastructure weeds, and get an on-demand self-service experience.
  • Usage and cost control – With usage and cost plans, you get a variety of options to create boundaries for self-service on demand deployment. You want to limit developers from a certain group to a pool of 200 VMs in a vCenter environment? No problem. You want to keep AWS costs for a BU to $2,000 per month? No problem. You want to allocate costs across the SDLC for dev, test, staging, and then production. Again, no problem.

Service Optimization

  • Monitoring and auto-scaling – CloudCenter lets you horizontally scale legacy applications in your datacenter. That’s right! Cloud-like scaling without rewriting applications. Set performance triggers and scale out by deploying additional instances of the whole stack or individual tier, with just enough resource to minimize cloud costs and optimize infrastructure utilization. You can even burst to cloud by scaling out to a cloud for periods of heavy usage.
  • Usage Visibility – IT executives love the consolidated reporting of costs and usage from any of 20 supported datacenter, private and public cloud environments, all in one platform. View usage and costs by tenant, by user group, by application, by cloud. Roll up or drill down. And allocate or charge back costs as needed. You get data needed to make effective decisions.  IT can add use-based economics to traditional datacenter and legacy applications, just like in the public cloud.

External APIs

  • CloudCenter has mature, documented APIs. Everything users can do from the UI, you can access via API. This facilitates easy integration with development tools like Jenkins, ITSM catalogs like Cisco Prime Service Catalog or ServiceNow, existing ITOM tools like IPAM and DNS. Read the integration guide.
  • SDN like VMware and Cisco API are supported. So you get the security and operational efficiency of zero trust, white list communication between tiers, via fully automated integration. Application owners get confidence in case of a security breach. Network teams don’t need to hand craft port settings or configure firewall runs for each deployment.
  • CloudCenter abstracts the cloud. CloudCenter supports more than 20 different datacenter, private and public clouds. But the APIs are hidden and abstracted by the CloudCenter Orchestrator. Users don’t need to learn each cloud. They get the benefits of Software defined datacenter and cloud, without the cost of learning APIs specific to each platform.

There’s more.  Check out the webinar to find out about benchmarks, bursting, automated end-of-life actions that all cut your cloud bill or improve datacenter resource utilization.

Read about how CloudCenter is now part of the revamped Cisco ONE Enterprise Cloud Suite.


Leave a comment

We’d love to hear from you! To earn points and badges for participating in the conversation, join Cisco Social Rewards. Your comment(s) will appear instantly on the live site. Spam, promotional and derogatory comments will be removed.

Deliver Simplicity and Freedom

– August 30, 2016 – 0 Comments

Digital transformation is happening NOW.   Your smartphone is your bank branch.   Your mouse and PC are quickly replacing brick and mortar stores. As consumers, we have the tendency to seek alternatives when we don’t get want we want, when we want it.

If you’re in IT, you are already feeling the pain. The modern enterprise has become user-centric instead of IT-centric.  Line of business, application developers and DevOps teams expect you to define, offer and deliver services where, when and how they want. When you don’t, they go around you.

The benefits of transforming IT to an as-a-service model are well known and yet the pace has been slow. The reasons for this are complex as change is swirling around business models, customers, application development as well as your data center.   Now add the fact that all these changes are happening at once along with the reality that every business is different and you have the formula for slow transformation.

Years of managing data and accelerating organizations has taught Cisco precisely what is needed to transform your business. There are four pillars to transformation but I am focusing on one element: automation.   Automation allows your data center, and ultimately your business, to respond faster by replacing manual, trouble-ticket processes with consistent, automated service delivery.  The cornerstone to Cisco’s enterprise automation is Cisco ONE Enterprise Cloud Suite.     Watch this video to learn more.

This refreshed solution combines two award winning products into a single solution that simplifies data centers, delivers freedom of choice to business and applications teams while maintaining control with built-in governance, usage and workload placement policies.

The ITSM component delivers on-demand consumption of data center and business services.  The cloud management component empowers modeling and deployment of applications across 20 different data center, private and public environments.  The IaaS component provisions and manages resources across compute, network and storage with built-in security and isolation models, governance and usage rules.

  • Gone is the need to install every component before your business experiences the ROI and benefits of automation
  • Gone is the tug of war between IT and application teams
  • Gone are the long wait times after submitting a resource request only to find the need to debug before you can start coding

Every business is different so you need a better approach to automation.  Cisco’s modular automation and subscription-based licensing enables you to tackle your immediate pain points and grow organically from there.   IT needs speed and agility? Install infrastructure automation.  Shadow IT a problem? Install cloud management. Your business experiences the benefits from prompt benefits of automated service delivery while your employees adjust to the new processes as well as the faster response.

We have found that this modular approach delivers a number of benefits:

  • Business experiences efficiencies faster (remember you are addressing your worst pain points first)
  • Resistance to automation is reduced as customers experience the benefits and want more
  • Developers experience consistent infrastructure instances and IT professionals are freed up to focus on new opportunities

Digital transformation is happening now but Cisco ONE Enterprise Cloud Suite makes it possible to transform your business, achieve simplicity and provide freedom of choice for application teams so your business can scoop up new opportunities as quickly as they materialize.

Want to go deeper? Watch this video.


Leave a comment

We’d love to hear from you! To earn points and badges for participating in the conversation, join Cisco Social Rewards. Your comment(s) will appear instantly on the live site. Spam, promotional and derogatory comments will be removed.

Vegas Street Performers, HyperFlex, and VMworld

– August 25, 2016 – 1 Comment




VMworld 2016 US is finally here!

In a town known for hype, HyperFlex is proving to be the real deal. The Cisco team is excited to bring HyperFlex to its very first VMworld in Las Vegas.

When I think about Las Vegas, the many street performances come to mind, and I feel like I’ve already been walking the strip with all the performances we’ve seen in the HCI industry this past week. HyperFlex is proving to be the hyperconverged platform of choice for VMware users with over 500 new HyperFlex customers across all industries and verticals around the globe in just the few months since its launch.

Cisco HyperFlex Systems is the end-to-end Cisco hyperconverged platform – engineered on the Cisco UCS platform. It offers customers a Cisco-convergence of: the Cisco UCS Servers for Compute, the Cisco HX Data Platform for Storage, and (what some solutions tend to forget) the Cisco UCS Fabric for Networking. HyperFlex is the next generation of hyperconvergence that enables customers new levels of end-to-end simplicity in their data centers.







HyperFlex offers several key features for VMware users such as:

  • Cisco hyperconverged infrastructure for all vSphere Editions such as Enterprise Plus, Standard, Essentials Plus
  • Factory installation and Day 0 automation of the VMware vSphere hypervisor on all HyperFlex Nodes
  • Ability to independently scale compute and storage
  • Simplified management and monitoring from within the HX vCenter plugin
  • VM-centric advanced data services such as cloning and snapshots that are VAAI certified
  • Rapid deployment and management of VMware Horizon 7 VDI seats

Learn more with the HyperFlex VSI Solution Brief.

Here are some more ways to experience HyperFlex at VMworld:

1. Schedule a One-on-One HyperFlex Briefing with our Team

Learn how HyperFlex can reinvent your data center with a One-on-One Briefing during VMworld. To schedule, please email with available times and days at:

2. Attend the Breakout Session: Cisco HyperFlex Systems: Next Generation Hyperconvergence

(EUC9922-SPO, Monday, Aug 29, 4:00 p.m. – 5:00 p.m, Lagoon H, Level 2, Mandalay Bay Convention Center)

Come hear in-depth about HyperFlex with a tour of its integrated network fabric, powerful data optimization, enterprise storage management features, and unified management. There will also be previews of how HyperFlex is delivering new levels of cluster deployment, expansion, and automation simplicity. Register here

3. Visit the Cisco Booth and HyperFlexUp

Go Slow to Go Fast: Why Cisco Services Invests More Up Front

– August 24, 2016 – 0 Comments

There are 2 questions I am asked from time to time: The first is related to my job – “OK I understand what’s involved in product development, but why do ‘service development’?  Don’t you just have really smart people turn up and do their [professional services] ‘stuff’?”    The second is, quite simply, “Why Cisco for professional services?”

The answer to the first question is that we invest up front to help the organization scale and deliver faster, with greater customer value.  And answer to the second question is similar – we invest more up front in planning to ensure rapid execution and delivery of higher business value for our customers.  To illustrate, I’ll use the following video.  (It’s worth watching!)

This video shows how a railway tunnel was “inserted” underneath a major road highway (the A12 highway towards Arnhem in the Netherlands) over a 3 day weekend (yes 3 days – not a typo!), by Dutch construction company Heijmans. The busy national road was shut over the weekend but was back up and running by the Monday morning.  Now, if you’re experience of roadwords is anything like mine, you would probably expect this to be a 6 month project – yet this amazing Dutch company completed the task in 3 days!  You can read more here on this amazing feat of engineering.

Let’s now discuss the connection between the approach used to build this tunnel and Cisco Services.

This video illustrates very clearly the benefit of up-front planning; of coordinated, disciplined resourcing; with trained staff and experts available at the right time and the right place; consistently.  It even shows the use of pre-built components (the tunnel itself was built in advanced and literally “slotted” into place).  While the “service delivery” of tunnel building took 3 days, you can bet your bottom dollar that the planning phase took way longer.  Even as a Scotsman who doesn’t bet, I will bet that in this case more many days were invested in planning than execution.

This reflects very much the philosophy we have in the development and delivery of Cisco professional services by our Advanced Services organization.  And the essence of carefully planned and rapidly executed service delivery is captured in our portfolio framework, shown below.

as capabilities fwk


This diagram captures our recently revised Cisco Advanced Services Capabilities Framework – covering Advise, Implement, and Optimize (we’ve simplified significantly since our prior “PPDIOO” methodology a few years back).  Within the “Advise” services, we deliver expert guidance on technology to drive business outcomes. Core to our “Implement” services is effective integration of solutions.  We don’t forget about post-deployment challenges.  Cisco Optimization Services are available as an ongoing subscription offer to deliver proactive innovation and efficiency, ensuring you have “resource on tap” as you evolve and further improve your deployed solution.

In the Dutch railway tunnel project above, it’s the up-front “Advise” stage that you don’t see much of in the video above that has clearly resulted in fabulous execution success.  The project team clearly invested in strategy development, and crafted a rigorous and disciplined approach to how the project would work.  They assessed the current road, everything from when the quieter period of road usage would be to minimize commuter downtime to investigating the materials underneath the road.  Design was equally meticulous – from clear “migration” design, with carefully aligned resource plans, to pre-built components, especially the pre-fabricated tunnel enclosure. Substantial investment was made in this “Advise” stage of the transformation.  There is no question in my mind that this up-front investment – which I’ll bet seemed like a slow process to start with – was what ultimately led to project success and rapid outcome delivery.  In the words of one of my colleagues, they had to “Go Slow to Go Fast”.

This is why we invest so much in up-front development of Cisco professional services.  Before our consultants arrive at the kick off meeting with your team, we’ve invested in methodologies, document templates and checklists to reduce the risk of any key previous lesson being forgotten, automation tools and in cases pre-built components and designs – and of course, not forgetting continued training and development of our consulting experts.

When you engage Cisco Services then to help your technology projects, then, you can be confident that you are gaining much more than the investment we make on-site.  Ultimately this is why, as a general rule, customers who’ve engaged Cisco Advanced Services to help in their IT and technology transformations are Cisco’s happiest customers.



Leave a comment

We’d love to hear from you! To earn points and badges for participating in the conversation, join Cisco Social Rewards. Your comment(s) will appear instantly on the live site. Spam, promotional and derogatory comments will be removed.

Favorite Technologies at Cisco Live U.S. 2016

– August 23, 2016 – 2 Comments

Countless new innovations and solutions are launched everyday, and it’s really hard to keep up. How do you cut through the noise and get quality information? One way to do it is by attending Cisco Live, the premier educational event that top industry engineers attend to stay updated with the latest and greatest innovations. But even so, the amount of information may still be too much to digest in a few days. Like one of the customers I met at Cisco Live said, “The amount of innovation is amazing, but it is impossible to check out all of the solutions here by my own. I wish I could clone myself”.  



Image Source: Link

Inspired by this customer’s comment, on the last day of Cisco Live U.S. 2016, I walked around the  World of Solutions floor, and randomly picked attendees to ask them “What is your favorite solution?” What a practical way to filter information right?!

Following are some of people’s favorite solutions:


  1. Cisco Unified Computing System (Cisco UCS)

“Cisco Unified Computing System (Cisco UCS) is a groundbreaking approach to computing. It is designed for IT innovation and business acceleration. The product portfolio includes blade and rack servers, edge scale computing, converged infrastructure, composable infrastructure, and hyperconverged infrastructure solutions. More than 50,000 Cisco UCS customers are experiencing the benefits now.” (Cisco Unified Computing System)

  1. Cisco Hyperconverged Infrastructure

“Extend the benefits of distributed storage technology to more applications and use cases. Cisco HyperFlex HX-Series combine compute, storage, and networking into an easy-to-use system that brings new levels of speed and efficiency to IT. Use our HyperFlex technology to unlock the full potential of hyperconverged infrastructure today.”

  1. Cisco Tetration Analytics

“Our new Tetration Analytics platform delivers visibility across everything in your data center in real time. It uses hardware and software sensors to give you behavior-based application insight with deep forensics. Get a highly secure and reliable zero-trust model. Dramatically simplify your operations. Migrate applications faster. Make changes intelligently.” Learn more and ask questions in the comments section here.

  1. Cisco Nexus Switches

The all-new Cisco Nexus Switches that were presented at Cisco Live U.S. 2016 were the Cisco Nexus 9000 Series Switches. One thing that makes them different, as mentioned by a customer in the video – is the Cisco Cloud Scale ASIC. Read Dave Dhillon’s blog to find out what makes is so unique: link

  1. Cisco Security Solutions

As attackers are becoming more and more sophisticated, Cisco has put a strong emphasis in security. Many attendees commented that Cisco is the leader in its field, and when it comes to security related issues, they trust in Cisco’s legacy, and rely on Cisco for the best security solutions. Check out Cisco’s complete portfolio of security solutions here.

  1. Group-Based Policy (GBP)

Group-Based Policy (GBP) framework, designed to offer a new set of API extensions to manage OpenStack infrastructure through declarative policy abstractions. GBP is designed on the principle of capturing application requirements directly rather than converting the requirements into a specific set of infrastructure configurations. It introduces a new declarative API for automating OpenStack infrastructure. Learn more here: link

  1. DevNet, DevNet Hackathon

If you are a developer, DevNet is your to-go place to leverage tools, resources, and code you need to build innovative, network-enabled solutions. Visit website here.

  1. Bill Shields

Woolala! Cisco Introduces, the all-new Cisco Bill Shields! Just kidding, but it’s amazing that when I asked people “what is your favorite solution at Cisco Live” and I get “Bill Shields”. This tells you that he is someone worth following to get quality information. Bill is the marketing manager for UCS Mini and UCS M-Series modular servers. He manages the development Cisco’s UCS TCO/ROI tools; provides sales team and partner tool support; in charge of server competitive analysis and positioning. Follow him @HighTechBill

These are just some of the technologies mentioned by Cisco Live attendees; watch the following video to find out what other attendees say about their favorite technology:


Note: Given the limited time I had on the show floor, and I only picked few attendees randomly. If other technologies and solutions aren’t mentioned in here, it doesn’t mean they weren’t impressive.

What about you? If you attended Cisco Live U.S. 2016, what was your favorite solution? Please comment below and share.




Leave a comment

We’d love to hear from you! To earn points and badges for participating in the conversation, join Cisco Social Rewards. Your comment(s) will appear instantly on the live site. Spam, promotional and derogatory comments will be removed.


    Favorite Solution? Meraki Fullstack with an MC74 that will soon be available in Germany (hint, hint … 😉 )

  • Yes! If you watch the video, Meraki is one of favorite technoliges too, mentioned by different customers, different occasions.

Implementing DevOps with Cisco UCS and VMware vRealize

– August 22, 2016 – 0 Comments

A Cisco sponsored session at VMworld provides practical guidance for IT organizations transitioning to DevOps methodologies.


Business Driving DevOps Adoption

DevOps adoption is increasing due to the demands of the business to deliver and update new services rapidly. IT organizations are changing to accommodate the need for speed and innovation. According to a recent survey*, 81% of enterprises have implemented DevOps in some form: by projects or teams (29%), by business units or divisions (31%), or company-wide (21%). This is an important topic, so a track is focused on it at VMworld US in Las Vegas. Cisco will sponsor a session to explain how you can leverage your investments in VMware tools and Cisco UCS™ and Cisco HyperFlex™ infrastructure, as you transition to DevOps.

Implementing DevOps with VMware vRealize and Cisco UCS (DEVOP9965-SPO)

Date: Tuesday, August 30, 11:30 – 12:30

Location: Mandalay Bay Convention Center, Islander H, Level 1

A Framework for Implementing DevOps

DevOps implementations utilize management and automation tools that can leverage programmable infrastructure to facilitate rapid software development lifecycles. Cisco UCS servers, storage and networking as well as Cisco HyperFlex hyperconverged infrastructure were designed from the beginning to be programmable infrastructure. They allow you to treat infrastructure as code. When they are combined with the vSphere and the automation and operations functionality of the VMware vRealize suite, they provide a robust framework for implementing DevOps.VMworld 2016 LV

Cisco and VMware have worked together to develop integrations for vSphere, vRealize Operations and vRealize Orchestrator. This session will explain how your organization can transition to the higher levels of automation and faster problem resolution required in DevOps environments. It will include demos, information regarding SDKs, and an overview of the open ecosystem Cisco has developed to help organizations successfully implement DevOps methodologies.

You can find the entire VMworld catalog here.

Type “ucs” in the search field to quickly find the session and register.


For more information on the Cisco UCS Management Pack for vRealize Operations, click here.

* “State of the Cloud Report”, RightScale, Inc., 2016


Leave a comment

We’d love to hear from you! To earn points and badges for participating in the conversation, join Cisco Social Rewards. Your comment(s) will appear instantly on the live site. Spam, promotional and derogatory comments will be removed.

Cisco ACI and Apprenda PaaS Integration Goes to Production

– August 22, 2016 – 0 Comments

“No-Ops” for Developers and “No-Dev” for IT Ops


Analysts agree that IT is in the midst of a major transformation. Based on the results of latest Gartner enterprise IT buying behavior survey, the majority of spending is going towards modernizing, functionally expanding or substituting long-standing business and office applications with cloud-based software-as-a-service. According to the June 2016 forecast from Gartner, worldwide spending on enterprise application software will reach $154 billion in 2016, increasing to more than $216 billion in 2020. To make things even more interesting, by 2020, 75% of application purchases supporting digital business will be “build,” not “buy” involving “a combination of application components.”  As a result, these applications will not be deployed and managed from one place – e.g. all cloud native SaaS or all on-prem traditional out-of-the-box.

Apprenda ACI BLOG TITLE Feature Image OPTION 2

What would you do if you had the opportunity to redesign your IT department? What if your IT organization could simultaneously provide stability of legacy and agility of innovation? And what if you could do this without worrying about silos between IT operations and software development teams and without doubling the size of your teams?

Now you can achieve these goals!

I am ecstatic to announce the production grade integration of Apprenda PaaS platform and Cisco ACI. The integration allows developers to run their existing N-tier applications and new cloud native applications in a self-service fashion without requiring networking or infrastructure management expertise. In addition, it allows enterprise users to inherently cloud enable legacy Java or .NET application enabling them across data center or multi-cloud and hybrid clouds environments.

Apprenda ACI Block Diagram for Blog image OPTION 2

Apprenda’s container based PaaS platform integrates with Cisco ACI’s open policy interfaces to free developers and IT operations teams from the manual constraints of network configuration and achieve very high isolation of application tiers, data and network without any dedicated infrastructure. Cisco ACI segments the network based on policy information collected from the application and developer, and Apprenda optimizes placement of workloads based on the same policy information. The mapping of these two policy frameworks constitutes the integration between Apprenda and Cisco ACI.


Here is how typical application deployment workflow now looks like:

  • Network engineers create blueprint versions of EPGs and contracts
  • Developer passes application artifacts, including policy metadata, to the Apprenda platform
  • Apprenda platform sends network policy metadata to Cisco ACI
  • Cisco ACI controller maps policy to the right EPGs and contracts
  • Cisco ACI provisions the network

If you want to see how this all comes together, please check out this video

Apprenda ACI Demo Video Screen Capture Aug 19 2016

Together, the integrated solution brings the best possible means for application centric enterprises to achieve governance, security, rapid development, reliability with greatly reduced operating and capital expenses. The following are unique benefits for application development and IT operations teams:

  • Single way to manage diverse workloads, traditional and cloud native
  • Enable developers while ensuring consistent operations
  • Simple application governance despite diverse infrastructure
  • Manage a secure private cloud while leveraging public/hybrid clouds
  • Execute all of the above without being locked into a single underlying infrastructure

And last but not least, achieve “zero friction” IT through “No-Ops” experience for developers, and “No-Dev” experience for IT operations.

To learn more, please visit:

Demo Video: Cisco ACI and Apprenda Integration – How it works?

Solution Brief: Cisco ACI and Apprenda – Build a Policy-Based Secure Hybrid Cloud Application Platform

Solution Overview: Cisco ACI and Apprenda – Today’s Most Secure and Advanced Enterprise Hybrid Platform-as-a-Service

Cisco ACI Eco-system

Cisco ACI micro-site at Apprenda


Leave a comment

We’d love to hear from you! To earn points and badges for participating in the conversation, join Cisco Social Rewards. Your comment(s) will appear instantly on the live site. Spam, promotional and derogatory comments will be removed.

Micro Segmentation and Cisco ACI – From Theory to Practice Part IV

– August 22, 2016 – 0 Comments

This is Part IV in a four part series of blogs. This blog has been co-written with Vincent Esposito (@vesposit)

This is the last of a series of blogs dedicated to explaining some of the use cases that can leverage ACI Micro Segmentation capabilities. In the first blog we described how to use ACI micro segmentation to implement a 2-tier web application on a single flat subnet. In the second blog we illustrated how to leverage the APIC API to dynamically create a sandboxed environment for Development and Testing for that application, and how to use VM-attribute based micro segmentation to easily promote workloads from Dev to Test to Production environments, including automation of L4-7 services. On the third blog, we looked at operating the environment from previous blogs, and covered how the ACI integrated overlay approach and various operational capabilities of the APIC facilitate Day-2 operations in a micro segmentation environment.

In this post, we look at how we can use the ACI Policy Model and the micro segmentation features in order to enhance the security posture of the physical server infrastructure by minimizing the attack surface.

This blog has been written with my friend and colleague Vincent Esposito (@vesposit). Vincent also did the demos for this blog. So let’s look at how Acme will enhance security for its infrastructure.

If we think of the previous blogs referenced above, we can imagine that in order to run the online shop that was showcased, Acme Co. require a server infrastructure running a hypervisor. In those examples, the application was implemented on Virtual Machines running on vSphere 6.0 DRS clusters. In our lab, these clusters run on UCS C220 M4 servers running ESXi 6.0. Just like with the previous examples, we can extend the principles of the design discussed in this blog to other virtualization and physical server environments as well.

Of course Acme Co. is also very concerned about security, and is aware that any server infrastructure in itself can be subject to vulnerabilities and therefore attacked. If the infrastructure would be compromised, this could lead to a complete control of its assets by the attacker.

What we mean here by server infrastructure is in essence the following 2 components:

  • The Baseboard Management Controller (BMC) of each of the servers. In this case, it’s the Cisco Integrated Management Controller (CIMC ) on UCS platforms. This component is part of the Intelligent Platform Management Interface (IPMI) specification and is in itself a micro-server embedded on the motherboard of the server. It is running its own Operating System and set of applications, and as such, has its own attack surface
  • The hypervisor and its “utility” interfaces for management, live migration, storage access. Those interfaces can be used to access and compromise the hypervisor through vulnerabilities affecting the kernel and/or the services or applications it runs.

Compromising any of those 2 components could have catastrophic consequences. At a first glance, the idea of compromising the infrastructure at this level may sound highly unlikely to happen, but this is not such an incredible scenario, since vulnerabilities on those components are found periodically on all vendors, and some of them even have a price tag attached for writing the associated exploit. A quick Internet search helps finding cases where exploits targeting the infrastructure layer have been used.

While we cannot entirely prevent such a scenario from happening, we can limit the exposure of those components in order to reduce their attack surface and to minimize risk. This is what we will work on for the remainder of this blog post, by using the ACI Policy Model and its micro-segmentation capabilities.


Lab Physical Setup

The setup that we are going to use for this in the lab is very simple: we have 2 ACI leafs connected to the ACI spines. We also have 2 UCS C220 M4 servers, running ESXi 6.0 implementing a DRS cluster, that are connected to the ACI leafs with the following topology:



  • CIMC interface: each UCS CIMC interface is directly connected to an ACI Leaf. We use the “dedicated port” mode for the CIMC here, but we could also use the “shared LoM” or “shared LoM extended” mode that would enable us to share either the 1Gbps LoM ports of the C220 M4, or the 10Gbps ports of the VIC 1225/1227 card plugged in the server.
  • ESXi mgmt. interfaces: we use a pair of vmnic interfaces connected to vSwitch0 in active/standby mode for management purposes. This would be the case if the vSphere admin wants to have an out-of-band management for the ESXi host.
  • ESXi vmotion & storage interfaces: we use another pair of vmnic interfaces connected to a Virtual Distributed Switch (vDS) created by APIC by using a VMM Domain. We use an APIC-controlled vDS so that we can easily set different EPGs and the corresponding dvPortGroups for vMotion traffic and Storage (NFS) traffic.
  • Virtual Machines data interfaces: we use the last pair of vmnic interfaces for Virtual Machines traffic. We configure them in LACP mode and connect them to the Application Virtual Switch (AVS) in order to have the most complete set of features and capabilities.

While this setup is functioning properly, it is clearly over complicated. I hope the reader realizes that this blog and design is not at all about providing recommended designs. Our objective is mostly about showing the capabilities and options of the ACI Fabric with both standard vSwitch and Distributed Switches (both VDS and AVS). In a real deployment many customers configure the ESX vmkernel for management on the same VDS used for all other types of traffic, and this could be the native vSphere VDS or the AVS. Also, many customers connect the CIMC to a separate network or perhaps to a FEX. Again the intention here is to share ideas and show possibilities, not actual design recommendations.


Logical Setup

Now that we have everything connected physically, let’s now move on to the logical setup.

For the CIMC connectivity we know exactly the protocols required for it to work. We also know that from one CIMC interface you do not need access to other neighboring CIMC interfaces of other servers. Therefore, we can benefit from a white-list model, where we use a very simple Application Profile called “SERVER_MGMT” that contains a single EPG called CIMC to group all these interfaces. This EPG is mapped to a physical domain. This EPG is configured with intra-EPG isolation in order to prevent CIMC-to-CIMC communication. It also consumes a set of contracts for allowing access to shared services like DHCP, NTP and DNS servers, and provides a contract for the server management station to be able to access the CIMC interfaces (using HTTPS, SSH and KVM):



This reduces the exposure of CIMC interfaces to the protocols strictly required, and also minimizes the lateral movement in case one of the CIMC gets compromised.

We follow a very similar approach for the ESXi management interfaces. This time using a different Application Profile called “VSPHERE_INFRA”. We again have a single EPG, “VSPHERE_MGMT”, mapped to a physical domain with intra-EPG isolation turned on to prevent ESXi-to-ESXi communication over the management vmk interface. This EPG again consumes the same set of contracts for accessing shared services like DHCP, NTP, DNS servers, and it provides a couple of contracts consumed by both the vCenter and the management station to be able to access the management vmknic using SSH, vSphere Agent and the Console:




Finally, we build on the same principles for the vMotion and Storage vmkernel interfaces, using the same Application Profile “VSPHERE_INFRA”. We have 2 different EPGs, one for storage traffic called “NFS” and one for live migration traffic called “VMOTION”. Both are mapped to the VMM Domain with our Virtual Distributed Switch (vDS), so that the corresponding port-groups are automatically created in vCenter. We leave intra-EPG communication allowed for the “VMOTION” EPG for live migration traffic to work properly, but we enable intra-EPG isolation for the “NFS” EPG, since storage traffic is only between ESXi and the NFS server. The NFS EPG is the only one consuming the contract that allows access to our filers to have access to the centralized storage:



If we tie all of those logical setups together, here’s the entire view of what it looks like in the APIC GUI:




The application profile diagram from above represents the same traffic flow diagram that we can find in VMware’s Network Port Diagram for vSphere 6.x. By using the ACI Policy Model and its micro-segmentation capabilities, we’re able to secure the entire vSphere application using a white list model in order to minimize exposure and lateral movement.

Notice how we did not discuss subnetting at all. All of the EPGs, and therefore all interfaces, could be on the same subnet or on different ones and the security model will be the same. The policy is not tied to IP Addressing.

In the following video, you can see how this security is enforced for both physical endpoints like the CIMC and ESXi management interfaces, and for virtual endpoints like the Storage and vMotion interfaces:




Automation: adding a new hypervisor to the cluster


One of the major benefits of the ACI Fabric and its policy model is how it enables complete physical and virtual networking automation through the API exposed by the APIC. Using this API together with the UCS CIMC API, we have built a simple web application that takes care of provisioning the network connectivity for a new server using the model described above for maximum security (or put in another way, for minimal lateral movement options).

This way, as soon as a new server has been racked and cabled, an operator can use this web application to indicate the leaf and interface IDs that she or he used to connect this server to, and our simple application will take care of provisioning everything automatically: it configures all network interfaces, the server policies (BIOS, boot order, etc.), it powers on the server and boots it using PXE. Then the hypervisor is automatically installed using a kickstart file, and then we also automatically join the cluster in maintenance mode. All interfaces are automatically connected to the right EPGs as per the model shown above.

The following video demonstrates this simple application to automate adding a third server to the cluster running Acme Co.’s secure infrastructure in a matter of minutes:


Once again, this quick demo is to show how simple it is to do full network automation thanks to the APIC. This could also naturally be achieved using more sophisticated automation tools like Cisco UCS Director, that uses the APIC API and the UCS CIMC API, and enables the creation of sophisticated workflows encompassing network, server, storage and virtualization aspects from multiple vendors.


Wrapping it all up …

The use of Micro Segmentation combined with a white-list policy model contributes to enhancing the security posture inside the perimeter of the data center for three main reasons:

  • By allowing only the protocols and ports required to each micro segment, we minimize the exposure to vulnerabilities.
  • By creating segments that can be as small as a single endpoint, the lateral movement possibilities are greatly reduced.
  • And by dynamically assigning endpoints to the right micro segment based on a number of the endpoint attributes, automation can be accomplished in simpler ways.

Over the course of the last four blogs we have seen that these benefits are available to applications that run in virtual machines and to the infrastructure itself, as well as to any type of physical endpoint. We have also seen that APIC provides complete visibility of the applied policies and endpoint location, as well as automatic correlation of events, statistics and configuration changes in order to simplify audits, compliance and Day-2 operations in general in a single tool and interface.

But perhaps more important: we have seen that you do not need to deploy and operate two networks, one physical and one virtual, in order to achieve all these benefits. A single programmable fabric is all that is required. This translates into a lower TCO when compared to alternatives, and also ensures that the security benefits provided through micro segmentation are not restricted to a single vendor’s virtualization platform or operating system.

Security has to be everywhere or it is not security at all.


Leave a comment

We’d love to hear from you! To earn points and badges for participating in the conversation, join Cisco Social Rewards. Your comment(s) will appear instantly on the live site. Spam, promotional and derogatory comments will be removed.

Introducing FlashStack 5000-user VDI deployment with Cisco and Pure Storage

– August 19, 2016 – 0 Comments

Digital business transformation is driving renewed interest in desktop and app virtualization as a mean to provide secure application and desktop delivery to a mobile, distributed and fluctuating workforce. Keeping the desktops and apps securely centralized in the data center provides many benefits. It eases the headache associated with managing thousands of desktops, keeps your intellectual property protected and provides the deployment flexibility needed to keep up with the ever faster pace of business.

Desktop and app virtualization has evolved a lot in recent years. If you’ve tried it in the past and had a bad experience – slow, cumbersome, poor user adoption – you should give it another look. A lot has changed in the underlying infrastructure, allowing an on pare, if not better, experience as with physical desktops. Storage has evolved tremendously and Flash arrays have been a game changer. Similarly, the advent of virtual GPU support by Citrix and VMware, the leading desktop and app virtualization platforms, has improved user experience enormously. It even opened up new use cases such as 3D graphic workstations replacement, helping industries like automotive, manufacturing, architecture and design benefit from desktop and app virtualization.

At the core of a great desktop and app virtualization solution you need a solid foundation that is easy to manage and allows for growth. This is where Cisco Unified Computing Systems (UCS) shines. What is unique about UCS is that it was designed from the ground up for virtualization. It integrates compute, storage, networking, virtualization, and management into a single platform through a fabric Interconnect which delivers consistent networking across physical, virtual and cloud environments. It offers several form factors delivered as one system.
UCS portfolio

First, we have our core blade and rack servers which are the foundation of our solutions. They can be combined with Cisco networking and third party storage to provide custom built solutions on which you can deployed your virtualized workloads.

Then we have our integrated infrastructure where we’ve combined our UCS blade and rack servers with Nexus switches and third party storage such as Pure Storage with FlashStack.

Then moving down to even more integration and convergence, we have our recently released hyperconverged solution, Cisco HyperFlex systems. HyperFlex is also built on UCS but we integrated the compute, network storage and hypervisor nodes delivered as clusters in an appliance that can be stood up and one hour. The real benefit of hyperconvergence is you don’t need a SAN network or separate storage; the storage is part of the appliance.

Each architecture delivers specific benefits and customers will lean towards one architecture or the other based on storage vendor preference, deployment size and internal IT skills.

FlashStackOne recent entry in our portfolio of integrated infrastructure is FlashStack, based on Pure Storage all flash arrays and Cisco UCS blade servers.

Cisco’s technical team tested and documented the deployment of a 5000-seat mixed workload on FlashStack with VMware Horizon 6.2. With over 2,000 work hours in average in design and testing, Cisco Validated Designs (CVD) provide trusted, scalable and predictable guidelines for configuring and deploying your virtual desktop infrastructure. This CVD documents a mix of RDS server-based sessions and Linked Clone Windows 7 virtual desktops on vSphere 6. Read the CVD here.

This enterprise-grade solution delivers a highly adaptable architecture with non-disruptive scalability. The combination of Cisco UCS and Pure Storage FlashArray//m provides a high performance, easy to manage platform for a successful large-scale VDI deployment.

We will be showcasing our recent work with FlashStack and VMware Horizon at VMworld, Sun Aug 28- Wed Aug31. Come by Cisco booth #1739 to catch a theater presentation, or stop by our demo pod to talk to one of our VDI expert.

On a personal note, let me know if you have intel on where the good Pokémon hide in Vegas! pokemon-1530315_1920


Leave a comment

We’d love to hear from you! To earn points and badges for participating in the conversation, join Cisco Social Rewards. Your comment(s) will appear instantly on the live site. Spam, promotional and derogatory comments will be removed.