Offering Infrastructure as a Service increased agility, lowered costs, and enhanced security.
Cisco's competitive advantage stems from its ability to rapidly introduce innovative products and more efficient business solutions. The advantage depends on Cisco® employees' ability to quickly obtain IT infrastructure for new projects.
"In the past, data center infrastructure tended to be difficult to scale and costly, affecting internal user satisfaction," says Brian Cinque, CITEIS solutions architect. Employees who requested IT infrastructure for a project had to wait six to eight weeks while Cisco IT engineers architected a solution, designed it, found a place to put it, and then procured, installed, configured, and secured the infrastructure. The long wait impeded business agility, affected user satisfaction, and increased costs.
Cisco IT has successively accelerated infrastructure provisioning and reduced the required IT effort. The first step was virtualizing as much of the application environment as possible. By 2009, slightly more than half of all applications in the Cisco enterprise had been virtualized.
The next step was building a data center platform with a unified fabric, based on the Cisco Unified Data Center platform. This platform, which includes Cisco Unified Computing System™ and Cisco Nexus® switches, has become the standard for all new deployments at Cisco. (For more details, read the "IT as a Service" case study.) By early 2011, Cisco IT had virtualized 71 percent of the applications in the Texas Metro Virtual Data Center (MVDC), all of them on the Cisco Unified Computing System. The target is 80 percent virtualization by the end of 2012. "Virtualizing applications on the Cisco UCS® lowered server TCO by 61 percent and time to delivery from 6 to 8 weeks to 2 to 3 weeks," says Cinque.
Then, in 2009, Cisco IT introduced the first version of CITEIS, which was internally coded. Cisco employees no longer had to worry about server placement, procurement, installation, configuration, or security. Instead, they used preconfigured workflows to automate server provisioning, including VMware and Cisco UCS Manager tasks. "But Cisco IT still had to provision storage and networking, which took another 2-9 days," says Cinque. "We wanted to develop a comprehensive IaaS offering that also included storage and networking."
To achieve the goal, Cisco IT decided to deploy the second generation of CITEIS, this time using a standard, commercially available toolset, Cisco Intelligent Automation for Cloud. Design requirements for the new version of CITEIS included:
• Agility: Cisco users anywhere in the world would be able to self-provision infrastructure at any time, and scale up or down on demand. "Our goal was to create a one-stop shop where Cisco employees could order compute, networking, and storage resources from one interface," says Michael Myers, director of CITEIS Cloud development. "We also had to implement billing mechanisms to do departmental chargeback for infrastructure."
• Flexibility: Employees would be able to select prebuilt operating system (OS) images or upload custom images. This flexibility would provide the foundation for future Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) offerings from Cisco IT.
• Cost-effectiveness: "We wanted our IaaS offering to cost about the same to Cisco business users as a third-party service provider's IaaS," says Myers. Cisco IT also wanted to reduce manual provisioning, lowering overall TCO.
• Security: The service would be available only to Cisco employees, and enable departments to assign different privileges to different users. Each tenant's resources would be segmented.
In June 2011, Cisco IT introduced CITIES Express, enabling an individual employee to create sandbox development areas without charge. The CITEIS Virtual Data Center (VDC) offering followed two months later, enabling employee teams to create their own application spaces in a secure and supported pay-as-you-go environment (Figure 1). "Prior to our CITEIS private cloud, there was no easy way to deliver a server to a customer, especially a virtual server," says James Cribari, IT Manager for the Cisco Global Data Center Program. "Since the offer of CITEIS Express, built from commercially available tools, Cisco employees can self-provision a full IaaS environment in a few minutes."
In 2012, CITEIS supports all business-critical applications requiring up to 99.9-percent availability across the entire infrastructure.
• User Self-Service Portal: Cisco employees order servers, storage, and networking resources by selecting them from the Cisco Cloud Portal, part of the Cisco Intelligent Automation for Cloud software stack. Request fulfillment is entirely automated.
• Customized Virtual Images and Appliances: Employees can either select a preconfigured OS image provided by Cisco IT or other CITEIS users, or upload their own images. Cisco IT supports standard OS images only. Clients who self-manage their images are given a platform to manage the lifecycle of the OS, applications, and bundles.
• Metering and Billing: CITEIS supports subscription-based billing. Departments receive an aggregated bill for resources based on the quantity of resources and hours or days in the subscription.
• Security and Segmentation: Cisco departments can specify entitlements for individual users to control who can order which types of resources. CITEIS also provides logical segmentation between tenants. More details about security appear in the "Service Platform, Resource Managers, and Security" section of this case study.
• Support Services: Cisco IT offers service-level agreements (SLAs) for order fulfillment, maintenance windows, and hardware performance. Cisco users can sign up for IT support or manage the infrastructure themselves. So far, 90 percent of CITEIS users have selected the self-managed option, lowering the management burden for Cisco IT.
• Pre-Paid Resource Pools and On-Demand Services: Cisco employees can choose from two subscription models for CITEIS: Virtual Data Center (pre-paid resource pools) and Express (on-demand resources). These are discussed in the following section.
Cisco IT decided to centralize the user portal and service catalog for CITEIS to give Cisco employees a consistent experience with IaaS anywhere in the global enterprise.
Employees who want the CITEIS Virtual Data Center (VDC) service visit the Cisco Cloud Portal to select predefined pools of resources with bundled services, and must subscribe for at least three months (Figure 2). Cisco IT reserves and guarantees these resources, which tenants allocate and manage by themselves. When requesting a VDC, employees estimate the number of virtual machines (VMs) they want to build (5, 10, 25, 55, 120, or 250). Then they specify the CPU type, storage, and whether the service is internal or operates in the DMZ. "The VDCs are elastic, meaning you can add or remove resources on demand," says Myers. Employees can add a managed OS or support their own, and can also add storage, backups, and network components, in minutes.
When Cisco employees provision infrastructure, Cisco Cloud Portal creates a bill of materials detailing compute, network, and storage resources; location; lease period; passwords; and cost of service. Cisco Process Orchestrator, the automation engine within Cisco Intelligent Automation for Cloud, automatically provisions the resources.
Figure 2. VDCs Provide Predefined Pools of Resources and Options
The other service option, CITEIS Express, is designed for Cisco employees who need to quickly turn up one or two VMs for from one hour to 30 days, and can accept a best-effort SLA support. Employees specify whether the VM will act as a database server, web server, transaction server, and so on, and are then presented with appropriate options. The VM is ready for use in less than 15 minutes. Employees can renew their subscription to use the VM for up to 90 days.
Service Platform, Resource Managers, and Security
The new version of CITEIS consists of a service platform and behind-the-scenes resource managers (Figure 3). The service platform is based on Cisco Intelligent Automation for Cloud software, which provides the self-service portal, service catalog, and workflow and orchestration capabilities. "Using Cisco Intelligent Automation for Cloud, we were able to deploy a new and improved CITEIS, with a single storefront for all IaaS components, in just two months," says Myers. In contrast, developing the first version of CITEIS with internal coding required 24 months.
Figure 3. CITIES Structure
Technologies used in CITEIS include:
• Cisco Intelligent Automation for Cloud: Cisco Cloud Portal and Cisco Process Orchestrator
• Cisco Nexus 1000V Switch
• Cisco Virtual Network Management Console
• Cisco Virtual Security Gateway
• Cisco Global UCS Manager
• VMware vCloud Director
• VMware vCenter
• Microsoft SQL Server
• Oracle RAC 11g
Multiple layers of security are built into CITEIS:
• Virtual segmentation between clients at the compute, storage, and network layers.
• Security zones that enforce east-west and north-south traffic using the Cisco Virtual Security Gateway, part of the Cisco Nexus 1000V Software Switch.
• Traditional network zones, enforced at the firewall using access control lists (ACLs). The zones are defined using typical DMZ and non-DMZ nomenclature.
• Authorization and authentication within the service catalog and the virtual data center. The authorization method is identical whether users access CITEIS from the user interface or an API.
Cisco IT's centralized operations staff provides SLAs for CITEIS hardware. Using a standardized hardware platform (Cisco UCS servers and Cisco Nexus switches) simplifies support and troubleshooting.
For CITEIS tenants who select the self-managed VDC, Cisco IT provides base hardware support only. The tenant is responsible for managing the virtual machines and the resources operating on those virtual machines. For tenants who select the IT-managed option, Cisco IT provides an SLA for managing the virtual machines and resources.
Cisco IT reserves the right to take down the CITEIS environment during posted maintenance windows. To date, however, Cisco IT has not had to exercise this right. Instead, if a server needs service, Cisco IT moves the virtual machines to another blade server in the Cisco Unified Computing System. The In-Service Software Upgrade (ISSU) feature of Cisco Nexus switches means they do not need to be taken out of service for maintenance.
Cisco employees are assigned either a general user or administrator role for CITEIS. Administrators can assign different privileges to users without involvement by Cisco IT. CITEIS enforces entitlement at the service layer as well as external authorization points such as Microsoft Active Directory and Lightweight Directory Access Protocol (LDAP).
Increased Business Agility
"CITEIS enables Cisco IT's diverse clients to automate a composite offering-compute, storage, and networking-in a timeframe that typically exceeds their expectations," says Cinque. "Attaining infrastructure in minutes rather than months lets Cisco employees pursue more business opportunities, more quickly."
In fact, with the new version of CITEIS, employees can begin using computing, networking, and storage resources about ten minutes after submitting the infrastructure request. This represents a significant advance over the original CITEIS, when servers could be provisioned in 15 minutes but users had to wait for networking and storage to be manually provisioned (Figure 4).
"CITEIS Gen2 has lowered TCO, increased productivity by shortening the wait for new infrastructure, and increased customer satisfaction," Cinque says. "It has also increased business resiliency because standardized infrastructure offerings avoid configuration issues that can lead to downtime or performance problems."
Figure 4. New Version of CITEIS Lowered TCO By 27 Percent Compared to Earlier Version
Sixty-One Percent Lower TCO
Since Cisco IT began virtualizing the application environment and introduced CITEIS, the average TCO for computing resources in the Cisco enterprise has decreased by 61 percent. Savings are expected to compound as Cisco IT continues to virtualize the application environment.
A major factor contributing to lower TCO is that more than 90 percent of the VMs that Cisco employees provision with CITEIS are self-managed. Cisco teams using these environments do not submit trouble tickets, lowering the support burden for Cisco IT.
An unanticipated benefit of CITEIS is that Cisco employees are less likely to overprovision because they know they can easily order additional processing or storage capacity when needed. In addition, they can see the cost of the infrastructure. "Now that we're selling pools of resources to our clients, we're seeing much more realistic demands," says Cinque.
Other factors contributing to TCO reduction include:
• Keeping IT in control through standards and policies
• Maximizing asset utilization
• Promoting best practices and the re-use of IT intellectual capital
• Use of existing infrastructure
High User Satisfaction
The simple ordering experience and low infrastructure costs in CITEIS appeal to Cisco users. By early 2012, more than 50 internal Cisco groups had signed up to use CITEIS, including the Cisco Services Technology Group, Home Networking Business Unit, LAN Switching Business Unit, and Storage Business Unit. More than 300 employees have tried CITEIS Express offering for projects ranging from temporary lab resources to providing resources for newly acquired companies. Typical of the feedback is this from Olav Phillips, an architect in the Security Business Unit: "Cisco IT's private cloud saves us critical time using a fast and simple online ordering process. It's easy to request and to provision, which significantly accelerates our projects and enables us to access applications anytime, anywhere."
Cisco IT shares the following lessons learned with other organizations planning to offer IaaS:
• Prepare early by virtualizing the server environment and implementing a wire-once server environment that eliminates the need to individually cable new servers.
• Use commercial, off-the-shelf components instead of developing the software internally. "Using Cisco Intelligent Automation for Cloud accelerated deployment from 24 months to 2 months," says Cinque. "In addition, we didn't have to train internal IT resources to maintain custom software, and we have the option to out-task management of the IaaS program to Cisco Services or a third party."
• Develop the operational model early. Map out every step for a service before you take it live.
• Know your clients and their expectations. "Early communication with customers is essential," says Jim Heil, with the CITEIS Client Engagement Team. "They will always want additional capabilities, so you have to draw a line for the first release and constantly follow up, keeping a close eye on the options from external IaaS providers."
• Start small. Make sure you can provision the simplest resource end-to-end before offering more complex resources.
• Make a simple user experience a high priority. "It doesn't matter how great the automation is if the service portal isn't easy to use," says Cinque. Hide the complexities of the offering by creating short, simple online forms.
• Calculate the TCO for the environment if you are going to implement a chargeback model.
The location of resources will become less important as Cisco IT's vision is to host the complete software lifecycle, including development, test, and production, in the cloud (Figure 5). This will require that applications have the intelligence to be in the right locations at the right time. Supporting a distributed architecture will also require rewriting certain applications to tolerate latency and disconnects.
Figure 5. Cisco IT Continues to Automate IaaS Provisioning
Shaw-Jen Chang, Vice President of Network and Data Center Services, is committed to continually enhancing Cisco IT infrastructure services. "We will continue to improve efficiency on the PaaS layer," Chang says, "and increase cost-effectiveness when the PaaS layer is automated."
For More Information
To read additional Cisco IT case studies on a variety of business solutions, visit Cisco on Cisco: Inside Cisco IT www.cisco.com/go/ciscoit
This publication describes how Cisco has benefited from the deployment of its own products. Many factors may have contributed to the results and benefits described; Cisco does not guarantee comparable results elsewhere.
CISCO PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Some jurisdictions do not allow disclaimer of express or implied warranties, therefore this disclaimer may not apply to you.