We’re excited about Cisco’s announcement at Cisco Live SF that it is delivering on its vision for Application Centric Infrastructure (ACI) through the release this summer of the Application Policy Infrastructure Controller (APIC).  Citrix is pleased to be a key ACI ecosystem partner through the integration of the Citrix NetScaler ADC with the Cisco APIC controller.

There are several interesting technologies being leveraged to deliver the joint solution and we thought you’d appreciate a look under the hood at how this is implemented.

Cisco APIC addresses the two main requirements for achieving the application centric data center vision:

  • Policy-based automation framework
  • Policy-based service insertion technology

Policy-based Automation Framework

A policy-based automation framework enables the APIC to dynamically provision and configure resources according to application requirements.  As a result, core services such as firewalls and Layer 4 through 7 switches can be consumed by applications and made ready to use in a single automated step.

Being application centric, the APIC allows the creation of application profiles, which define the Layer 4 through 7 services consumed by a given data center tenant application.  As a key ADC partner in the ACI ecosystem, Citrix NetScaler provides L4-L7 services such as load balancing, application acceleration, and application security.
Figure 1. Cisco ACI and Citrix NetScaler ADC Solution

Figure 1. Cisco ACI and Citrix NetScaler ADC Solution

Device Package Integration

Integration between the Cisco APIC controller and the NetScaler ADC is achieved through a NetScaler “Device Package”.  Imported by the APIC controller, the device package enables REST-based API integration and allows the APIC controller to perform detailed feature level configuration of the NetScaler.  Through the joint work of the Cisco and Citrix teams, the list of NetScaler features that can be automated by the APIC controller spans the extensive set of ADC services offered by the NetScaler, and includes:

  • AAA
  • Application Firewall
  • Cache Redirection
  • Compression
  • Content Accelerator
  • Content Switching
  • DataStream
  • Domain Name Service
  • Dynamic Routing
  • Global Server Load Balancing
  • Integrated Caching
  • Load Balancing
  • SSL Offload
  • NAT
Citrix NetScaler Device Package
Figure 2. Citrix NetScaler Device Package

Policy Based Service Insertion

The second key technology of the ACI architecture is Policy-based Service Insertion.  The Cisco APIC solution automates the steps of routing network traffic to the correct services based on application policies.  This enables L4-L7 resources to be dynamically provisioned and configured according to application requirements on a per tenant basis.

The Cisco APIC offers a graphical drag and drop GUI to easily create L4-L7 Service Graphs that specify network traffic routing;  any of the L4-L7 ADC features available in the NetScaler device package can be included in a Service Graph definition, allowing comprehensive NetScaler integration with the Cisco APIC.

Figure 3. Cisco APIC Service Graph, with Citrix NetScaler ADC and Cisco ASA Firewall Routing
Figure 3. Cisco APIC Service Graph, with Citrix NetScaler ADC and Cisco ASA Firewall Routing

Policy-based service insertion automates the steps of routing network traffic to the correct services based on application policies.  The automated addition, removal, and  reordering of services allows administrators to quickly change the resources that an application require without the need to rewire and reconfigure the network or relocate the services. For example, if the business decision is made to use an application firewall found in a modern ADC as a cost-effective way of achieving PCI compliance, administrators would simply need to redefine the policy for the services that should be used for the related applications. The Cisco APIC can dynamically distribute new policies to the infrastructure and service nodes in minutes, without requiring the network be manually changed.

Once created, a Service Graph can be assigned to an Application Profile and contracted to a data center tenant, thereby defining the network traffic flow for that specific application and tenant.

APIC Service Graph and Application Profile for Tenant www.Acme.com
Figure 4. APIC Service Graph and Application Profile for Tenant www.Acme.com

Solution Benefits

The unique joint Cisco ACI and Citrix NetScaler solution improves data center operations and application deployment, using the Cisco APIC as the central policy control and management station and Cisco ACI service-insertion technology to direct traffic to the appropriate service nodes.

The main benefits include:

  • Central point of network control with ADC service policy coordination and automation: The Cisco APIC acts as a point of configuration management and automation for NetScaler SDX, MPX, and VPX appliances; tightly coordinates the ADC service delivery with the network automation; and provides end-to-end telemetry and visibility of service-aware applications and tenants.
  • Scalable and elastic architecture for physical and virtual appliances: Cisco ACI defines a policy-based service insertion mechanism for both physical and virtual ADC appliances, providing full lifecycle service management based on workload instantiation and decommissioning.
  • Investment protection: Cisco ACI and Cisco APIC are fully compatible with existing ADC networks, preserving existing service operation models and using open standards protocols.
  • Open ecosystem for service integration: Cisco and Citrix are guiding the IETF standard for the Network Service Header (NSH) Protocol, with the promise of agile and elastic service delivery capable of supporting the movement of service functions and application workloads.

Citrix NetScaler Platforms Supported

Cisco APIC is capable of orchestrating services deployed on all Citrix NetScaler ADC appliance form factors and models – the VPX virtual appliance, multi-tenant SDX appliance, and high performance MPX appliance.  The Citrix NetScaler NS1000V, a virtual NetScaler appliance sold and supported by Cisco, is also supported by Cisco APIC.


As businesses quickly move to make the data center more agile, application centric automation and virtualization of both hardware and software infrastructure become increasingly important.  Cisco ACI builds the critical link between business-based  requirements for applications and the infrastructure that supports them. Citrix NetScaler ADC connects infrastructure and applications and makes that insight available to the Cisco APIC though deep integration.

For additional information about ACI, and Citrix NetScaler/Cisco integrations, please visit:


Citrix NetScaler/Cisco integrations

For an interesting perspective on ACI and DevOps, listen in on conversations between Steve Shah and Cisco execs as they discuss the Cisco/Citrix partnership and how Cisco ACI and NetScaler are enabling automated, programmable networks to enable evolving DevOps models in today’s app-first networks.

“Cisco ACI & Citrix NetScaler: Enabling DevOps Models with Programmable Networks”


To better grasp what talent and expertise is required for the successful adoption of Cisco ACI and DevOps models in customer and partner IT skill sets, listen in on this conversation between Steve Shah and Cisco DevNet execs.

“Evolving IT Skill Sets in the Era of Programmable Networks”