Network Services team expands its ACI tool set
UIT has spent the past few years progressively adopting new Cisco technologies as it converts the university's data centers to application-centric infrastructure (ACI) environments.
“ACI will shape the future of the university’s network ecosystem,” said Tim Urban, principal network engineer.
Networks use switches, hardware that connects multiple devices on the same network, to move data between network-connected devices, which are also called hosts. Sometimes communication between hosts should be monitored, limited, or blocked entirely; dividing a network into zones with controlled boundaries between them is called network segmentation.

Traditionally, network segmentation is achieved with virtual local area networks (VLANs), subnetworks (subnets), routers, and firewalls (see the list below for more details). Security policies applied to routers and firewalls identify traffic by internet protocol (IP) address, subnet, and type of traffic (web, database, file share, etc., usually expressed as a protocol and port) and decide whether hosts may “talk” across different networks or VLANs.

- VLANs create a virtual separation between groups of hosts that share the same physical network hardware.
- Subnets are networks inside a network, or more technically, partitions of an IP network into multiple smaller segments. Subnets separate hosts from one another and make networks more efficient: hosts on the same subnet exchange data directly, without the traffic crossing a router.
- Routers are virtual or physical devices that manage traffic between networks by forwarding data packets toward their destination IP addresses. Think of a router as an air traffic controller and data packets as planes headed to various airports.
- Firewalls are network devices that permit or deny data packets entering and leaving a network based on security rules that define permissible traffic.

This type of network segmentation is commonly referred to as “network-centric” or “network-based” because its rules are written in terms of IP addresses and subnets.
“In traditional network designs, network routes and firewall rules must be in place to do things like access the internet or send an email,” said David Tubbs, network engineer III. “However, continuing to support this methodology for segmentation requires additional operational overhead, introduces greater potential for human error, and can’t provide as many levels of security compared to more modern network security designs offered in ACI.”
ACI, an ambitious data center strategy that Cisco unveiled in 2013, shifted the security focus from “the network” to “the application.” When combined with integrations into VMware and other virtualization platforms, ACI software can control individual switch port configurations, reduce the time needed to add or move a server, and mitigate human error related to those moves.
In 2017, Cisco announced its plan to extend ACI into the public cloud domain and coined the phrase “ACI anywhere.” Cisco also released a version of ACI that included the Multisite Orchestrator, now called the Nexus Dashboard Orchestrator, which the university began testing. The Nexus Dashboard Orchestrator gives network engineers a single, central place from which to manage their fabrics.
ACI fabric is defined by the software that programs it, freeing its security policy to be more application-centered and allowing for more granular segmentation around an application rather than an IP address or subnet. With ACI, applications are grouped by type, function, security posture requirement, or similar combination.
“Fabric” refers to how computing, network, and software components of a data center are designed. “Multisite” means that two or more ACI fabrics can be managed as a single unit, allowing security policy, subnets, and endpoint groups (EPGs) — managed objects that contain servers or virtual machines that connect to the network — to be used from either fabric. Applications can therefore co-exist in the University of Utah’s two primary data centers — the Downtown Data Center (DDC) in Salt Lake City and Tonaquint Data Center (TDC) in St. George — utilizing the same IP space from either site.
This is a huge advantage for disaster recovery (DR) efforts at the university, Tubbs said, because application owners may not have to change IPs when restoring systems to one data center should the other experience a serious service disruption, which greatly reduces the total time to recovery.
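The difference between the network-centric segmentation described earlier and ACI's EPG-based policy comes down to what a rule is keyed on. The following Python script is an added illustration, not code from the article, from UIT, or from Cisco ACI: it evaluates one security intent (“the web tier may reach the database tier on TCP/1433, and nothing else may”) first as subnet-and-port rules and then as group membership plus a contract, then simulates a DR restore of the database server with and without a stretched subnet. The hostnames, IP ranges, EPG names and contract tuple are all constructed for the example.

```python
"""Toy policy engine contrasting network-centric and application-centric segmentation.

Constructed illustration, not Cisco ACI code. Hostnames, IP ranges, EPG names and
the single contract below are invented for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


# --- Network-centric model: rules keyed on source/destination subnet and service ---
@dataclass(frozen=True)
class AclRule:
    src_net: IPv4Network
    dst_net: IPv4Network
    proto: str
    dport: int
    action: str   # "permit" or "deny"


def acl_decide(rules: list[AclRule], flow: Flow) -> str:
    """First match wins, with an implicit deny at the end, as on a router ACL or firewall."""
    s, d = ip_address(flow.src), ip_address(flow.dst)
    for r in rules:
        if s in r.src_net and d in r.dst_net and r.proto == flow.proto and r.dport == flow.dport:
            return r.action
    return "deny"


# --- Application-centric model: endpoints belong to groups; contracts bind groups ---
@dataclass
class Fabric:
    epg_of: dict[str, str]                      # endpoint identity -> EPG name
    contracts: set[tuple[str, str, str, int]]   # (consumer EPG, provider EPG, proto, dport)
    ip_of: dict[str, str]                       # endpoint -> current IP (never consulted for policy)


def epg_decide(fabric: Fabric, src_host: str, dst_host: str, proto: str, dport: int) -> str:
    """Allow-list by group membership: without a matching contract, traffic is denied.

    The endpoint's current IP address plays no part in the decision.
    """
    consumer, provider = fabric.epg_of.get(src_host), fabric.epg_of.get(dst_host)
    if consumer is None or provider is None:
        return "deny"   # unknown endpoint, so no contract can match
    return "permit" if (consumer, provider, proto, dport) in fabric.contracts else "deny"


def scenario() -> dict[str, tuple[str, str]]:
    """Evaluate the same intent under both models, then move the database server.

    Each result is a pair (ACL decision, EPG decision).
    """
    rules = [AclRule(ip_network("10.10.10.0/24"), ip_network("10.10.20.0/24"), "tcp", 1433, "permit")]
    fabric = Fabric(
        epg_of={"web01": "web-tier", "db01": "db-tier", "bastion": "mgmt"},
        contracts={("web-tier", "db-tier", "tcp", 1433)},
        ip_of={"web01": "10.10.10.7", "db01": "10.10.20.5", "bastion": "10.10.30.2"},
    )

    def both(src: str, dst: str, proto: str, dport: int) -> tuple[str, str]:
        flow = Flow(fabric.ip_of[src], fabric.ip_of[dst], proto, dport)
        return acl_decide(rules, flow), epg_decide(fabric, src, dst, proto, dport)

    results = {}
    results["web->db tcp/1433, original site"] = both("web01", "db01", "tcp", 1433)
    results["db->web tcp/1433 (not in policy)"] = both("db01", "web01", "tcp", 1433)
    results["bastion->db tcp/1433 (not in policy)"] = both("bastion", "db01", "tcp", 1433)

    # DR restore without a stretched subnet: db01 comes back on a different subnet.
    # The ACL was written for 10.10.20.0/24 and now misses; the EPG policy still applies.
    fabric.ip_of["db01"] = "10.20.20.5"
    results["web->db tcp/1433, restored with new IP"] = both("web01", "db01", "tcp", 1433)

    # DR restore with the subnet stretched across both sites: db01 keeps its IP,
    # so even the network-centric rule keeps working.
    fabric.ip_of["db01"] = "10.10.20.5"
    results["web->db tcp/1433, restored with same IP"] = both("web01", "db01", "tcp", 1433)
    return results


if __name__ == "__main__":
    for case, (acl, epg) in scenario().items():
        print(f"{case:45s} ACL={acl:6s} EPG={epg}")
```

Two caveats a practitioner would add. First, the model is stateless and one-directional: a real firewall tracks sessions and admits return traffic, and ACI contracts have their own filter-direction semantics, neither of which is modelled here. Second, in the EPG model the security lives entirely in the endpoint-to-EPG classification table (`epg_of` above); in a real fabric that classification is performed by the fabric itself, so mis-classifying an endpoint silently grants it the wrong group's contracts, which is the application-centric analogue of a typo in a subnet mask.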
Network infrastructures at the DDC and TDC continue to be primarily application-centric, programmable, and interconnected.
In April 2021, UIT’s network team implemented a change that allows a subnet to be used in both data centers. The university’s Microsoft BizTalk server environment, a middleware application that automates business processes, is the first application to be tested in a multisite environment that combines application-centric security policy with the ability to use the same subnet from both data centers.
“Essentially, if an application requires a subnet that spans between both locations, this is now a suitable option,” Urban said. “... ACI multisite technologies will continue to open up new possibilities like this.”