Cisco Application Centric Infrastructure

OpFlex: Framework for a Broad Partner Ecosystem

Current Data Center Challenges

Current infrastructure management tools generally embed the provisioning logic in scripts and workflows. Today’s software-defined networking (SDN) approaches generally employ centralized control planes, which can create challenges, limiting an organization’s capability to operate at scale, troubleshoot failures in the infrastructure, and support interoperability and innovation.

Introduction of OpFlex

Cisco® Application Centric Infrastructure (ACI) uses a fundamentally different approach, implementing a declarative control model that allows each device to receive a high-level, abstract policy that can be rendered and enforced locally. In addition, Cisco works with its partners to build a powerful, comprehensive set of APIs to allow any device to connect to the Cisco Application Policy Infrastructure Controller (APIC) and the Cisco ACI solution.

OpFlex, the southbound API, is an open and extensible policy protocol used to transfer abstract policy in XML or JavaScript Object Notation (JSON) between a policy controller such as the Cisco APIC and any device, including hypervisor switches, physical switches, and Layer 4 through 7 network services. Cisco and its partners, including Intel, Microsoft, Red Hat, Citrix, F5, Embrane, and Canonical, are working through the IETF and open source community to standardize OpFlex and provide a reference implementation.

OpFlex is a new mechanism for transferring abstract policy from a modern network controller to a set of smart devices capable of rendering policy. Although many existing protocols such as the Open vSwitch Database (OVSDB) management protocol focus on imperative control with fixed schemas, OpFlex is designed to work as part of a declarative control system such as Cisco ACI in which abstract policy can be shared on demand.

In addition to its implementations in the open source community, OpFlex is one of the primary mechanisms through which other devices can exchange and enforce policy with the Cisco APIC. OpFlex defines that interaction. As a result, OpFlex can provide investment protection by integrating devices from both Cisco and ecosystem partners with the Cisco ACI fabric.

Value to the Ecosystem

OpFlex has been widely accepted by the Cisco partner ecosystem because it offers a powerful set of advantages. It allows vendors to continue to innovate and expose new features in their platforms. These new features can be exposed through an abstract policy model that each device autonomously interprets. This approach allows one device to take advantage of a new feature without requiring others to do so, too. Additionally, OpFlex offers interoperability and ease of integration with declarative control systems through support for abstract policy.

Main OpFlex Use Cases

OpFlex can be broadly applied across a range of devices, but several use cases stand out as points of customer interest.

Core Routing and Data Center Interconnect

Cisco OpFlex provides investment protection by extending policy management support to the core routing and data center interconnect (DCI) with Cisco Nexus® 7000 Series Switches and Cisco ASR 9000 Series Aggregation Services Routers (Figure 1). Cisco APIC is the central point of data center policy management in this architecture, while WAN configuration is done through a separate WAN controller or directly by the user. The goal with OpFlex in this scenario is to automate fabric-facing configuration and exchange per-tenant information.

Figure 1. OpFlex Extended to Core Routing and Data Center Interconnect

Hypervisor Partners

OpFlex’s declarative model approach allows virtual switches in popular hypervisors to enforce network policy. In this role, these switches function as extended policy leaves, or virtual leaves (vLeaves). Supported devices include Cisco Nexus 1000V Switch for VMware vSphere, Microsoft Hyper-V, Red Hat KVM, Canonical KVM and Xen, and Citrix XenServer (Figure 2).

Figure 2. OpFlex Extended to Virtual Computing and Hypervisor Switching

Layer 4 through 7 Services

OpFlex provides an alternative mechanism for deep integration between Layer 4 through 7 devices and the Cisco APIC to activate service chain behaviors, allowing the Cisco APIC to manage the full cycle of the Layer 4 through 7 service deployment (Figure 3).

Figure 3. OpFlex Extended to Layer 4 Through 7 Services

The OpFlex Layer 4 through 7 ecosystem allows customers to use their existing service nodes and their current modes of operation. OpFlex allows the customer to deploy automated security and configuration and advanced performance monitoring for Layer 4 through 7 services.


OpFlex provides an extensible way to implement scalable infrastructure while providing investment protection for Cisco data center core and WAN platforms, providing network policy extensions to hypervisor switches, and integrating with Layer 4 through 7 services. The openness of OpFlex provides the framework for a broad and open ecosystem that allows policy exchange between the Cisco APIC and any device.
