VMware & OpenStack Integration With Cisco ACI Application Policy Infrastructure Controller

VMware & OpenStack Integration With Cisco ACI Application Policy Infrastructure Controller


I am currently working on a solution that requires both an OpenStack (Neutron) and VMware integration with the controller, as well as bare metal end points. The preferred solution is Cisco ACI, and I've been working to clarify the business and technical requirements prior to making a recommendation.

It's something I am sure others will want to do, but it wasn't obvious that this would pose a problem at first. So given that seemed to be the case, it felt like a good excuse to write my first blog post in months.

The Problem

The specifics of potential use cases in this environment mean that a single service could potentially be provisioned across all of these platforms, for example:

  • Web Tier – Linux (OpenStack)
  • App Tier – Windows (VMware)
  • DB Tier – Bare Metal

This requirement will increase complexity of the network deployment, and subsequently efforts to automate, secure and efficiently operate the platform. The diagram below describes the limitations of the integrations between the APIC with VMware and OpenStack in this specific scenario. It should be noted that it is possible to successfully integrate both private cloud / virtualisation platforms within the same fabric.

For simplicity, the diagram uses the ACI contract concept for provision of security between the tiers of an application. Each tier of the application is assumed to be in a separate end point group (EPG). The "C" in each of the arrows represents the source of control flow for each services.

  • In an OpenStack integration, the Cisco APIC cedes control of the provision of new networks to the OpenStack networking service, neutron.
  • Networks are created in OpenStack by integrating Neutron with the APIC using the ACI plugin. Networks must be created from within OpenStack, and are pushed to the APIC to create.
  • Networks are created either from the APIC, or in VMware vCenter via the ACI plugin, for the application tier workloads in this example.
  • Additionally, there are issues with deploying workloads in the same EPG across both platforms (e.g. DHCP native to the OpenStack platform)
  • Bare metal connectivity to the customer virtual network is deployed from the APIC.

Possible Solutions

Short of taking the approach that each of the platforms (VMware and OpenStack) should be used separately to host discrete services, there isn't much available in terms of elegant solutions at this time with regards to ACI. You'll need to fully understand how deployment works, work out a strategy for IP address allocation and DHCP, and then sprinkle liberally with automation. It feels like a bit of a bodge job.

My recommendation at this stage is to investigate other SDN products. I've been persuading my customer to review the Nuage Networks solution, which fits this use case perfectly... and it looks like this may well be the way we go.