Networking-Forums.com

Professional Discussions => Programming Goodies and Software-Defined Networking => Topic started by: mmcgurty on November 17, 2015, 08:44:23 AM

Title: Cisco ACI
Post by: mmcgurty on November 17, 2015, 08:44:23 AM
Looks like we might be getting some Cisco ACI lab gear to play with before too long.  We spent all day on Friday with Cisco at their offices looking at Cisco ACI and how we might be able to leverage it in our network.  I am excited to play with this in our own environment and see what kind of time it can save us.
Title: Re: Cisco ACI
Post by: icecream-guy on November 17, 2015, 11:52:48 AM
It can really only save time for various tasks that can be automated. Rather than think what SDN can do for you, think about traffic flows and how repetitive tasks can be automated, i.e. when your primary link hits 80%, you'd want to push some traffic over the secondary link.
Title: Re: Cisco ACI
Post by: NetworkGroover on November 17, 2015, 12:20:05 PM
Sweet!  Please do keep us updated - I'd love to hear your experiences with it.
Title: Re: Cisco ACI
Post by: mmcgurty on November 17, 2015, 12:46:05 PM
Quote from: AspiringNetworker on November 17, 2015, 12:20:05 PM
Sweet!  Please do keep us updated - I'd love to hear your experiences with it.

Absolutely!
Title: Re: Cisco ACI
Post by: mmcgurty on November 17, 2015, 12:47:30 PM
Quote from: ristau5741 on November 17, 2015, 11:52:48 AM
It can really only save time for various tasks that can be automated. Rather than think what SDN can do for you, think about traffic flows and how repetitive tasks can be automated, i.e. when your primary link hits 80%, you'd want to push some traffic over the secondary link.

I think it will save us more time for TEST/DEV environments from a network/VMware/F5 perspective.  Being able to bring up environments and tear them down with a click of a button could save us lots of time.
Title: Re: Cisco ACI
Post by: icecream-guy on November 17, 2015, 02:43:29 PM
Quote from: mmcgurty on November 17, 2015, 12:47:30 PM
Quote from: ristau5741 on November 17, 2015, 11:52:48 AM
It can really only save time for various tasks that can be automated. Rather than think what SDN can do for you, think about traffic flows and how repetitive tasks can be automated, i.e. when your primary link hits 80%, you'd want to push some traffic over the secondary link.

I think it will save us more time for TEST/DEV environments from a network/VMware/F5 perspective.  Being able to bring up environments and tear them down with a click of a button could save us lots of time.


Not really what SDN is all about; there are many other pieces of the pie to make this sort of thing work in an SDN environment.
But have a go at it, and if you can, start to get some good reading under your belt.


try some of these:

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/aci-fundamentals/b_ACI-Fundamentals.pdf

http://www.cisco.com/c/dam/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/Operating_ACI/Cisco_OperatingApplicationCentricInfrastructure.pdf
Title: Re: Cisco ACI
Post by: wintermute000 on November 17, 2015, 03:06:51 PM
I STRONGLY recommend attending training or at least reading the book before tearing into it. You'll be completely at sea otherwise, it's like learning a new language.

Re: automating test/dev deployments, to be brutally honest, you can vagrant up in AWS.... ACI really doesn't do anything special in this regard. Also, not to be a naysayer, but ask your Cisco rep about ACI's integration into vSphere 6...... because I didn't like the answer 6 months ago, not sure what the answer is now. Also, I know for a fact F5 integration is flat out broken. On one of our deployments the team has had more attempts (counting it via backed out changes :) ) at it than the fingers on my hand and it still isn't working.
Title: Re: Cisco ACI
Post by: mmcgurty on November 17, 2015, 03:11:02 PM
Quote from: wintermute000 on November 17, 2015, 03:06:51 PM
I STRONGLY recommend attending training or at least reading the book before tearing into it. You'll be completely at sea otherwise, it's like learning a new language.

Re: automating test/dev deployments, to be brutally honest, you can vagrant up in AWS.... ACI really doesn't do anything special in this regard. Also, not to be a naysayer, but ask your Cisco rep about ACI's integration into vSphere 6...... because I didn't like the answer 6 months ago, not sure what the answer is now. Also, I know for a fact F5 integration is flat out broken. On one of our deployments the team has had more attempts (counting it via backed out changes :) ) at it than the fingers on my hand and it still isn't working.

F5 integration isn't a deal breaker but VMware certainly is.  This is precisely why it will be in a lab environment and tested rather than rolling it out to production first and then taking it on the chin.
Title: Re: Cisco ACI
Post by: NetworkGroover on November 17, 2015, 03:12:45 PM
Quote from: mmcgurty on November 17, 2015, 03:11:02 PM
This is precisely why it will be in a lab environment and tested rather than rolling it out to production first and then taking it on the chin.

Smart move...
Title: Re: Cisco ACI
Post by: mmcgurty on November 17, 2015, 03:15:35 PM
Quote from: ristau5741 on November 17, 2015, 02:43:29 PM
Quote from: mmcgurty on November 17, 2015, 12:47:30 PM
Quote from: ristau5741 on November 17, 2015, 11:52:48 AM
it can really only save time for various tasks that can be automated. rather than think what SDN can do for you, think about traffic flows and how repetitive tasks can be automated.  i.e. when your primary link hits 80%. you'd want to push some traffic over the secondary link.

I think it will save us more time for TEST/DEV environments from a network/VMware/F5 perspective.  Being able to bring up environments and tear them down with a click of a button could save us lots of time.



Not really what SDN is all about; there are many other pieces of the pie to make this sort of thing work in an SDN environment.
But have a go at it, and if you can, start to get some good reading under your belt.


try some of these:

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/aci-fundamentals/b_ACI-Fundamentals.pdf

http://www.cisco.com/c/dam/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/Operating_ACI/Cisco_OperatingApplicationCentricInfrastructure.pdf

Thank you for the links!  I also have an ebook from Cisco Press titled "The Policy Driven Data Center with ACI: Architecture, Concepts, and Methodology" that I won during Cisco Live this year.  If it truly operates in the way that Cisco Sales/Marketing says it will within our environment, I think it will save the VMware guys tons of time.  We are already using all Cisco UCS blade chassis and FIs, so I think that helps integration-wise for that side.
Title: Re: Cisco ACI
Post by: burnyd on November 17, 2015, 07:30:05 PM
Why not just integrate NSX into your existing environment?

There are a lot of things you can do already with F5s/vSphere 6 capability to bring up environments easily with a vRO workflow or script.
Title: Re: Cisco ACI
Post by: icecream-guy on November 18, 2015, 07:29:20 AM
Quote from: mmcgurty on November 17, 2015, 03:15:35 PM
If it truly operates in a way that Cisco Sales/Marketing says it will within our environment ....


Sipping the Cisco Kool-Aid?  Does anything Cisco ever work the way their sales/marketing teams say?????

We were sold by sales and marketing on several 9Ks, on the assurance that they support FEX.  still don't... keeps getting bumped into the future. (BTW since you are moving toward 9K's to run ACI, if you have a need for FEX... GL)
Title: Re: Cisco ACI
Post by: mmcgurty on November 18, 2015, 08:02:15 AM
Quote from: burnyd on November 17, 2015, 07:30:05 PM
Why not just integrate NSX into your existing environment?

There are a lot of things you can do already with F5s/vSphere 6 capability to bring up environments easily with a vRO workflow or script.

Separate teams handle the VMware and Networking.
Title: Re: Cisco ACI
Post by: mmcgurty on November 18, 2015, 08:07:22 AM
Quote from: ristau5741 on November 18, 2015, 07:29:20 AM
Quote from: mmcgurty on November 17, 2015, 03:15:35 PM
If it truly operates in a way that Cisco Sales/Marketing says it will within our environment ....


Sipping the Cisco Kool-Aid?  Does anything Cisco ever work the way their sales/marketing teams say?????

We were sold by sales and marketing on several 9Ks, on the assurance that they support FEX.  still don't... keeps getting bumped into the future. (BTW since you are moving toward 9K's to run ACI, if you have a need for FEX... GL)

Good to know.  We do use FEXes but we have them off of 5548's and 5600's right now.  I know they had talked about 9332's for our spine but not sure what was ever decided at the leaf level.  I think there are still some discussions on the lab kit we are looking to purchase/borrow.
Title: Re: Cisco ACI
Post by: burnyd on November 18, 2015, 08:55:40 AM
Quote from: mmcgurty on November 18, 2015, 08:02:15 AM
Quote from: burnyd on November 17, 2015, 07:30:05 PM
Why not just integrate NSX into your existing environment?

There are a lot of things you can do already with F5s/vSphere 6 capability to bring up environments easily with a vRO workflow or script.

Separate teams handle the VMware and Networking.

Understood but where is the demarcation here when it comes to ACI?

Also there is no reason why you would not be able to run an NSX related environment.
Title: Re: Cisco ACI
Post by: wintermute000 on January 29, 2016, 05:59:52 PM
Just to keep the water cooler chat going here...

With 1.3 out now and apparently more like 2.0 (basically fills in a LOT of the former blanks + all the bugs that the first wave of implementations hit), Cisco's pushing it HARD.  They're not happy with flogging open N9K, they want the hardware lock-in badly.
Title: Re: Cisco ACI
Post by: deanwebb on January 29, 2016, 06:30:04 PM
There are times when I wonder if Cisco is about to go the way of Novell or IBM, from being an 800-pound gorilla to just another player in the grand scheme of things.
Title: Re: Cisco ACI
Post by: wintermute000 on February 11, 2016, 05:17:16 AM
A nice alternative view I found (i.e. a pro-ACI post for a change!)

http://ciscomonkey.org/2015/01/08/nsx-vs-aci-its-a-no-brainer-my-shirt-makes-no-difference/ (http://ciscomonkey.org/2015/01/08/nsx-vs-aci-its-a-no-brainer-my-shirt-makes-no-difference/)

Some of his claims on NSX seem a bit overdone though. But I'll admit he has some good points (like firewalling done on the hypervisor being a single attack vector)


Just for kicks...
https://www.reddit.com/r/vmware/comments/45570r/nsx_be_very_careful_rebooting_vsphere_server/

Title: Re: Cisco ACI
Post by: NetworkGroover on February 11, 2016, 10:55:38 AM
Yeah I'm still somewhat interested to see where ACI goes - if they'll actually take it to a point where folks embrace it, or if they'll continue to lose money on it.  I still have yet to hear any real traction (No, giving away gear for free only to be used in Non-ACI mode does not count).  To be completely frank, it's gotten to the point that a vendor I know will openly tell customers to invite Cisco to bring in ACI to do a bake-off against them.  It only helps their case when it takes an army of CCIEs a week to try to set things up versus a vendor's single SE doing it in a day or two.

To be honest I didn't thoroughly read your article winter, but as I glanced through it what kept reverberating in the back of my mind is, "Look at the Cloud Titans (Facebook, Google, Microsoft, etc.).  I'm sure they have smart guys that think about stuff like this.... and are any of them using ACI?"  Considering ACI is a proprietary fabric that other vendors can't play in, and knowing what I know, I'd almost be willing to bet my paycheck that answer is no.
Title: Re: Cisco ACI
Post by: NetworkGroover on February 11, 2016, 10:56:28 AM
Quote from: deanwebb on January 29, 2016, 06:30:04 PM
There are times when I wonder if Cisco is about to go the way of Novell or IBM, from being an 800-pound gorilla to just another player in the grand scheme of things.

It's heading that way for the DC at least.  I think they still have a very strong grip on Campus and other areas.
Title: Re: Cisco ACI
Post by: wintermute000 on February 14, 2016, 04:01:09 PM
I've been seeing stuff internally re: ACI integration with Openstack. Basically using ACI to extend the 'vxlan' tunnels between ovs-switch instead of the native agent, and performing the L3 routing in place of neutron.

If there ever was an award for 'the most complicated way to get from A to B', that would appear to be it.... though you could take the alternative view that since VMware's locked them out of vswitching from 6.x, their only chance of integrating properly with the virtual layer is via Open vSwitch, so they might as well switch targets.

If I had to guess, it's trying to ram a square peg into a round hole for Cisco Intercloud (even though blind Freddy can see that if you had to use a Cisco leaf-spine with OpenStack, just EVPN it and be done with it).


I really need to be put on one of these leaf-spine projects, instead of armchair commentating from the sidelines and endlessly reading white papers!!!
Title: Re: Cisco ACI
Post by: ggnfs000 on November 19, 2016, 11:50:01 PM
Quote from: AspiringNetworker on February 11, 2016, 10:55:38 AM
Yeah I'm still somewhat interested to see where ACI goes - if they'll actually take it to a point where folks embrace it, or if they'll continue to lose money on it.  I still have yet to hear any real traction (No, giving away gear for free only to be used in Non-ACI mode does not count).  To be completely frank, it's gotten to the point that a vendor I know will openly tell customers to invite Cisco to bring in ACI to do a bake-off against them.  It only helps their case when it takes an army of CCIEs a week to try to set things up versus a vendor's single SE doing it in a day or two.

To be honest I didn't thoroughly read your article winter, but as I glanced through it what kept reverberating in the back of my mind is, "Look at the Cloud Titans (Facebook, Google, Microsoft, etc.).  I'm sure they have smart guys that think about stuff like this.... and are any of them using ACI?"  Considering ACI is a proprietary fabric that other vendors can't play in, and knowing what I know, I'd almost be willing to bet my paycheck that answer is no.
I ain't a huge network expert, however certain issues exist with the public cloud, i.e. the likes of Amazon, Google, etc., in respect to security, long-term cost, etc. So many orgs are embracing private cloud + public -> hybrid. I have read at least once regarding a case study where a specific organization was paying in excess of 1 million dollars monthly in run-away public cloud costs, and they switched most of their computing needs back to on-premise equipment.

So I think there will be a certain need for off-the-shelf vendors, and Amazon, Google and Facebook are not likely to compete with traditional vendors to sell their equipment. With them putting all their attention into AI, VR, AV, self-driving and cloud services, it is not likely they will do so any time soon. Perhaps they might, but I just don't see them doing it now.

Secondly, the ones designed and used by Facebook, Google and Amazon are internally designed and tested and very tailored to their needs. If they decide to start selling, they have to back their DC products with the same level of customer service and support (mighty expensive and erratic) just like other vendors, which puts them in the same rat-hole position as vendors.

Title: Re: Cisco ACI
Post by: deanwebb on November 20, 2016, 05:11:52 AM
But... Cisco is now a software company! They said so! Doesn't that mean their software works now?
Title: Re: Cisco ACI
Post by: ggnfs000 on November 20, 2016, 03:50:23 PM
I am not sure on the quality of the software. As with any big name company, pretty sure confusion, mess-ups and ball drops are rampant. Yes, it is going software, but I think mostly on the management and control plane; you always want hardware in order to move around raw, bulk, massive data, since hardware is inherently 100s of times faster than software. Saying that, hardware is less and less profitable (if ODMs keep producing white box gear on par with that of networking vendors), so perhaps soon Cisco and the likes might as well spin off their hardware division and become true software companies.
Title: Re: Cisco ACI
Post by: wintermute000 on November 20, 2016, 07:52:12 PM
Dude, with ACI everything is forcefully hairpinned through physical.... It's horrifically inefficient and we've seen TCAM exhaustion issues, never mind the ridiculous complexity
Title: Re: Cisco ACI
Post by: ggnfs000 on November 20, 2016, 09:15:44 PM
I wish I had an env to eval it myself.
Title: Re: Cisco ACI
Post by: burnyd on November 21, 2016, 08:02:23 AM
Quote from: wintermute000 on November 20, 2016, 07:52:12 PM
Dude, with ACI everything is forcefully hairpinned through physical.... It's horrifically inefficient and we've seen TCAM exhaustion issues, never mind the ridiculous complexity

Hahaha yeah!  Before I went to the vendor side I did a short gig with a VAR.  It was fun but I had to deploy ACI twice.  Each time it was a bunch of frustration and confusion for something that was supposed to be turn key.  But getting back to the TCAM exhaustion issues: the service provider I did it in ran IPv6 heavily.  IPv6 takes up 4x the TCAM that IPv4 does. They wanted to get rid of firewalls so it was the lols when they were told they were restricted by certain apg/epg rules.

Also, another customer I installed it with tried the PA integration, which was a huge failure on Cisco's end.  Sometimes it took 8-9 tries to push the policies for it to actually work. It wasn't the Palo's fault but the switching fabric. I am not a fan of hardware defined infrastructure.
Title: Re: Cisco ACI
Post by: NetworkGroover on November 21, 2016, 10:38:53 AM
Quote from: ggnfs000 on November 19, 2016, 11:50:01 PM
Quote from: AspiringNetworker on February 11, 2016, 10:55:38 AM
Yeah I'm still somewhat interested to see where ACI goes - if they'll actually take it to a point where folks embrace it, or if they'll continue to lose money on it.  I still have yet to hear any real traction (No, giving away gear for free only to be used in Non-ACI mode does not count).  To be completely frank, it's gotten to the point that a vendor I know will openly tell customers to invite Cisco to bring in ACI to do a bake-off against them.  It only helps their case when it takes an army of CCIEs a week to try to set things up versus a vendor's single SE doing it in a day or two.

To be honest I didn't thoroughly read your article winter, but as I glanced through it what kept reverberating in the back of my mind is, "Look at the Cloud Titans (Facebook, Google, Microsoft, etc.).  I'm sure they have smart guys that think about stuff like this.... and are any of them using ACI?"  Considering ACI is a proprietary fabric that other vendors can't play in, and knowing what I know, I'd almost be willing to bet my paycheck that answer is no.
I ain't a huge network expert, however certain issues exist with the public cloud, i.e. the likes of Amazon, Google, etc., in respect to security, long-term cost, etc. So many orgs are embracing private cloud + public -> hybrid. I have read at least once regarding a case study where a specific organization was paying in excess of 1 million dollars monthly in run-away public cloud costs, and they switched most of their computing needs back to on-premise equipment.

So I think there will be a certain need for off-the-shelf vendors, and Amazon, Google and Facebook are not likely to compete with traditional vendors to sell their equipment. With them putting all their attention into AI, VR, AV, self-driving and cloud services, it is not likely they will do so any time soon. Perhaps they might, but I just don't see them doing it now.

Secondly, the ones designed and used by Facebook, Google and Amazon are internally designed and tested and very tailored to their needs. If they decide to start selling, they have to back their DC products with the same level of customer service and support (mighty expensive and erratic) just like other vendors, which puts them in the same rat-hole position as vendors.

I don't get your point - you know that you can build hybrid/private clouds without ACI, right?
Title: Re: Cisco ACI
Post by: deanwebb on November 21, 2016, 11:04:41 AM
Quote from: AspiringNetworker on November 21, 2016, 10:38:53 AM
I don't get your point - you know that you can build hybrid/private clouds without ACI, right?

There's what you *can* do, and then there's what you *may* do, what you *should* do, and what your manager says it's your job to do... Don't always get a desirable overlap with those four things.
Title: Re: Cisco ACI
Post by: NetworkGroover on November 21, 2016, 11:19:16 AM
Huh?  I wasn't making any suggestion - just asking if he defined building a hybrid/private cloud as using ACI.
Title: Re: Cisco ACI
Post by: deanwebb on November 21, 2016, 12:01:06 PM
Quote from: AspiringNetworker on November 21, 2016, 11:19:16 AM
Huh?  I wasn't making any suggestion - just asking if he defined building a hybrid/private cloud as using ACI.

So, what you're saying, is... I misinterpreted your statement. But it looked clear to me! :)

:oracle:
Title: Re: Cisco ACI
Post by: NetworkGroover on November 21, 2016, 01:07:42 PM
:rofl:

That gif usage was masterful, Sir.
Title: Re: Cisco ACI
Post by: ggnfs000 on November 21, 2016, 02:42:31 PM
ACI is supposed to make it application centric: let the application (namely policy) say to the network "I want this" and everything will come into place. Sounds like it is not the case?
Title: Re: Cisco ACI
Post by: NetworkGroover on November 21, 2016, 02:57:56 PM
Quote from: ggnfs000 on November 21, 2016, 02:42:31 PM
ACI is supposed to make it application centric: let the application (namely policy) say to the network "I want this" and everything will come into place. Sounds like it is not the case?

Trying to appear as non-biased as possible, it's a solution looking for a problem, and sounds elegant in slideware but in application is a completely different story.  It's an ugly, forklift, complex lock-in.  It's been around now for 2+ years, and if it were so awesome, you'd think you'd hear more about it being awesome with customer stories.. but that's not the case.. so....

But don't take it from me... I work for a competing vendor. ;P
Title: Re: Cisco ACI
Post by: deanwebb on November 21, 2016, 03:04:58 PM
Quote from: ggnfs000 on November 21, 2016, 02:42:31 PM
ACI is supposed to make it application centric: let the application (namely policy) say to the network "I want this" and everything will come into place. Sounds like it is not the case?
And that's one of those things that looks great on paper. What do we do with over 40,000 applications? Does a policy that works for MS Office 2013 work for the 2016 version as well? Or for different SP versions of the same suite? What about different versions of the same industrial control suite, that maybe change which port they use to access the licensing server? Or if a licensing server in the cloud has an IP address change, does that get automagically updated in the ACI?

Does this mean that I need to account for the network needs of ALL my applications? I get that 40K number when I account for all the software and all the different versions of the software I see here at Multinational Megacorporation.

And what about the default policy? Is it permit all by default? Then the guy that replaced CALC.EXE with malware just got through, because CALC.EXE is pre-approved as a default Windows app, right? Or if it is deny all by default - then we see production lines crashing because the guys in charge didn't read our emails in time, or thought that they were exempt from ACI because they're a production network...

And don't even get me started on SGT... because the one thing all firewalls need to do is to double as Active Directory server proxies.
Title: Re: Cisco ACI
Post by: ggnfs000 on November 21, 2016, 03:33:52 PM
Quote from: AspiringNetworker on November 21, 2016, 02:57:56 PM
Quote from: ggnfs000 on November 21, 2016, 02:42:31 PM
ACI is supposed to make it application centric: let the application (namely policy) say to the network "I want this" and everything will come into place. Sounds like it is not the case?

Trying to appear as non-biased as possible, it's a solution looking for a problem, and sounds elegant in slideware but in application is a completely different story.  It's an ugly, forklift, complex lock-in.  It's been around now for 2+ years, and if it were so awesome, you'd think you'd hear more about it being awesome with customer stories.. but that's not the case.. so....

yes i am also trying to

But don't take it from me... I work for a competing vendor. ;P

Yes, I work for Cisco but look at everything from a central POV in order to try forecasting where it is heading (rise or fail). Although I ain't directly involved in ACI dev, I am just interested in how it is performing in real life. I think they are putting big emphasis on this.
Title: Re: Cisco ACI
Post by: ggnfs000 on November 21, 2016, 11:22:29 PM
Quote from: ggnfs000 on November 21, 2016, 03:33:52 PM
Quote from: AspiringNetworker on November 21, 2016, 02:57:56 PM
Quote from: ggnfs000 on November 21, 2016, 02:42:31 PM
ACI is supposed to make it application centric: let the application (namely policy) say to the network "I want this" and everything will come into place. Sounds like it is not the case?

Trying to appear as non-biased as possible, it's a solution looking for a problem, and sounds elegant in slideware but in application is a completely different story.  It's an ugly, forklift, complex lock-in.  It's been around now for 2+ years, and if it were so awesome, you'd think you'd hear more about it being awesome with customer stories.. but that's not the case.. so....

yes i am also trying to

But don't take it from me... I work for a competing vendor. ;P

Yes, I work for Cisco but look at everything from a central POV in order to try forecasting where it is heading (rise or fail). Although I ain't directly involved in ACI dev, I am just interested in how it is performing in real life. I think they are putting big emphasis on this.

Well, this brings the issue into an entirely new dimension. Once the size, complexity and breadth of an offering or product becomes mega, unfortunately the quality just nose dives. It is not like org A is better than org B; they are all in the same vicinity, it is almost by all of nature. I think it does not really matter which company or product, since it is inherently tied to the quality of the engineers creating it. Once the number of engineers surpasses the 1000s, the bad apples tend to mix in and screw things around, and once you add in factors like TTM, resources, and the permutations of tests involved, no way, it is only possible to release something that is "acceptable". However, over time it may have a chance to get better. But once products mature, what I hate about matured products is that they break backward compatibility in the name of "innovation" and "new features".  When users transition from 6.X to 7.X, a host of command sets and the UI are completely changed and there is nothing innovative or better in the "change". It just simply screws around. I personally take examples like RedHat and most Linux distributions, which are some of the worst products. It is simply impossible to control this many people to work like one team, because there are too many people who have a "new idea" and screw things around. Perhaps if a top-notch expert is sitting on top of product design and holds the rest under an iron fist, it may be possible to do something great.
Title: Re: Cisco ACI
Post by: wintermute000 on November 22, 2016, 05:10:58 AM
Yep, so application centric it defines them as..... stateless packet filters. Not only is it not application aware in any way, it's not even stateful. But it's OK, you can service chain someone else's NGFW or vArmour or <insert-additional-costly-complex-doodad> to do that.

I have seen an ACI deployment where they were at wits end and the decision was made to rip out all the EPGs and contracts, convert them to firewall rules and then re-write all the policies to force all inter-EPG traffic through a traditional firewall inline.... the worst part is, it was in some ways probably the least bad decision.

I've not met a single person who's seen it up close and likes it. This includes sales and management as well as engineers. If VMware got their heads out of their behinds and priced NSX at a not insane level they would have already won the war. Be that as it may, everyone is converging on a hypervisor overlay solution - VMware, Microsoft, Openstack and friends, Contrail, Nuage, etc.
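As an added illustration of the "stateless packet filters" point above (and of deanwebb's earlier default-policy question), here is a constructed toy model, not code from the thread, Cisco, or any ACI tooling. It models EPG-to-EPG contracts as filter entries that are matched packet by packet with no session memory, with a whitelist default between EPGs and intra-EPG traffic left unfiltered (both are assumptions of this simplified model). The option names `apply_both_directions` and `reverse_ports` follow the names of ACI's contract subject options, but their semantics here are this example's simplification. A minimal connection tracker is placed next to it for contrast, so the behavioural gap (an unsolicited packet from the server's port is permitted by the stateless reverse rule and denied by the stateful one, while disabling reverse ports drops the legitimate reply) is visible in the returned verdicts.

```python
"""Toy model: stateless EPG contract filtering vs. a stateful tracker (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_epg: str
    dst_epg: str
    proto: str
    sport: int
    dport: int
    syn: bool = False  # TCP connection opener (SYN without ACK)


@dataclass(frozen=True)
class FilterEntry:
    proto: str
    dport_lo: int
    dport_hi: int

    def matches_port(self, proto: str, port: int) -> bool:
        return proto == self.proto and self.dport_lo <= port <= self.dport_hi


@dataclass
class Contract:
    consumer: str
    provider: str
    entries: Tuple[FilterEntry, ...]
    apply_both_directions: bool = True  # assumed semantics, simplified from ACI's option
    reverse_ports: bool = True          # assumed semantics, simplified from ACI's option

    def forward_permits(self, p: Packet) -> bool:
        # consumer -> provider, matched on the destination port
        return (p.src_epg == self.consumer and p.dst_epg == self.provider
                and any(e.matches_port(p.proto, p.dport) for e in self.entries))

    def reverse_permits(self, p: Packet) -> bool:
        # provider -> consumer, matched on the source port: still a stateless rule,
        # so it permits any packet from that port whether or not a session exists
        if not (self.apply_both_directions and self.reverse_ports):
            return False
        return (p.src_epg == self.provider and p.dst_epg == self.consumer
                and any(e.matches_port(p.proto, p.sport) for e in self.entries))


def stateless_verdict(p: Packet, contracts: List[Contract]) -> str:
    if p.src_epg == p.dst_epg:
        return "permit"  # intra-EPG traffic bypasses contracts in this model (assumption)
    if any(c.forward_permits(p) or c.reverse_permits(p) for c in contracts):
        return "permit"
    return "deny"        # whitelist default: no contract, no inter-EPG traffic (assumption)


class StatefulFilter:
    """Minimal connection tracker for contrast: replies pass only for sessions it has seen."""

    def __init__(self, contracts: List[Contract]) -> None:
        self.contracts = contracts
        self.sessions: Set[Tuple[str, str, str, int, int]] = set()

    def verdict(self, p: Packet) -> str:
        fwd = (p.src_epg, p.dst_epg, p.proto, p.sport, p.dport)
        rev = (p.dst_epg, p.src_epg, p.proto, p.dport, p.sport)
        if fwd in self.sessions or rev in self.sessions:
            return "permit"
        # Only a SYN matching the forward (consumer -> provider) rule opens a session
        if p.syn and any(c.forward_permits(p) for c in self.contracts):
            self.sessions.add(fwd)
            return "permit"
        return "deny"


def run_demo() -> Dict[str, Tuple[str, str]]:
    """Return {scenario: (stateless verdict, stateful verdict)} for constructed sample packets."""
    https = FilterEntry("tcp", 443, 443)
    contracts = [Contract("clients", "web", (https,))]
    stateful = StatefulFilter(contracts)
    flows = {  # constructed sample traffic, evaluated in this order
        "client_opens_https": Packet("clients", "web", "tcp", 40000, 443, syn=True),
        "web_replies": Packet("web", "clients", "tcp", 443, 40000),
        "web_unsolicited_from_443": Packet("web", "clients", "tcp", 443, 55555),
        "client_tries_ssh": Packet("clients", "web", "tcp", 40001, 22, syn=True),
    }
    results = {}
    for name, pkt in flows.items():
        results[name] = (stateless_verdict(pkt, contracts), stateful.verdict(pkt))
    # The same contract with reverse ports disabled: the legitimate reply is now dropped
    one_way = [Contract("clients", "web", (https,), reverse_ports=False)]
    results["web_replies_no_reverse_ports"] = (stateless_verdict(flows["web_replies"], one_way), "n/a")
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in run_demo().items():
        print(f"{name:32s} stateless={stateless:6s} stateful={stateful}")
```

The design point the model makes is the one the post makes: a port-based reverse rule is the only way a stateless filter can let replies through, and the price is that it cannot tell a reply from an unsolicited packet that happens to use the same ports, which is why a stateful firewall (or service chaining to one) is still needed for anything beyond coarse segmentation.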
Title: Re: Cisco ACI
Post by: burnyd on November 22, 2016, 07:59:02 AM
Quote from: wintermute000 on November 22, 2016, 05:10:58 AM
Yep, so application centric it defines them as..... stateless packet filters. Not only is it not application aware in any way, it's not even stateful. But it's OK, you can service chain someone else's NGFW or vArmour or <insert-additional-costly-complex-doodad> to do that.

I have seen an ACI deployment where they were at wits end and the decision was made to rip out all the EPGs and contracts, convert them to firewall rules and then re-write all the policies to force all inter-EPG traffic through a traditional firewall inline.... the worst part is, it was in some ways probably the least bad decision.

I've not met a single person who's seen it up close and likes it. This includes sales and management as well as engineers. If VMware got their heads out of their behinds and priced NSX at a not insane level they would have already won the war. Be that as it may, everyone is converging on a hypervisor overlay solution - VMware, Microsoft, Openstack and friends, Contrail, Nuage, etc.

Haha, stateless packet filters pretty much says it all.  Stateless packet filters to fill up all your TCAM, and you are 100% correct, service chaining is available in other flavors that you can run with anything that has IP connectivity.  I would wait until the realm of things like EVPN and segment routing come into the data center.  Those two technologies combined will make service chaining and multi vendor a reality.  Then you take OpenConfig on top of it and you have a completely orchestrated infrastructure that will just work.  I mean shit, look at it like if you wanted to provision a VM in your orchestration, why not just add that /32 or network to an ACL with some sort of automation?  That would solve all of your aci/epg/apg easily.

Getting back to your comments here.. I have also not met a single success story with ACI.  Any customer I have spoken to, it's the first thing that Cisco generally pitches and 9/10 it's a failure or a different direction than the rest of the industry is moving.  Network people need to embrace all things open source and the idea of automation.  Falling back to hardware defined is not the correct approach.
Title: Re: Cisco ACI
Post by: ggnfs000 on November 24, 2016, 12:09:41 AM
wow that sux.  :o