Will it work??

Started by ggnfs000, June 21, 2017, 01:18:48 PM


icecream-guy

"A network that actually thinks on behalf of our customers," Robbins said.

...smells like something is burning in the oven....

here I'll fix that, for it's Cisco....

"A network that actually creates outages on behalf of our customers," Robbins meant to say.


:professorcat:

My Moral Fibers have been cut.

deanwebb

But seriously, folks...

Cisco will do lots of tricks to make it work - it's a subscription service. They also want to make sure it can work with older gear so that people can get on that subscription gravy train and worry about upgrades later.

I'm just curious how this is more effective than, say, running a netflow monitoring program and deciding to block all the traffic going to TOR nodes...
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

that1guy15

"Intent Based Networking" is the way to move forward. Apstra really spear-headed this charge and Cumulus and others jumped on shortly after. Cisco with this announcement just confirmed its relevance and there is a market.

Now in true Cisco fashion they tied it to a hardware platform with the new Cat 9000 whatever. Which IMO is against the true idea of intent based networking.

The idea of intent based networking is to provide what you want out of a network and how you want it to perform and have a design built that meets those needs. Protocols, config and what hardware you use does not matter unless they are limiting. Think about running through a Wizard and a DC fabric spits out the other end.

Once the network is built you know the intent of the network and have better visibility into performance and deviations since you know what the network should be doing.

Cisco is coming at this backwards. They are saying here is all this hardware and features you can build your network with now how do you want it.

My guess is Cisco will do just like iWAN with this one. Run it hard for a year or two. Fail miserably and buy out one of the top players in this game to stay relevant.
That1guy15
@that1guy_15
blog.movingonesandzeros.net
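The "declare intent, have the design follow, then spot deviations" idea from the post above, as a small added example (not Apstra's, Cumulus's or Cisco's code; all group names, IPs and flows are constructed): intents are compiled to a group-to-group permit table, endpoint identity maps IPs to groups, and observed flows are classified against what the network should be doing.

```python
"""Toy intent model: declare what the network should do, compile it to
enforceable rules, and flag observed flows that deviate from the intent.
Added example; all identities, groups and flows below are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Intent:
    """'src_group may reach dst_group on these TCP ports' - the operator's intent."""
    src_group: str
    dst_group: str
    ports: frozenset


@dataclass(frozen=True)
class Flow:
    """One observed flow, e.g. from a NetFlow/IPFIX record (constructed)."""
    src_ip: str
    dst_ip: str
    port: int


# Constructed endpoint identity: IP -> group, as a NAC or inventory system would supply it.
IDENTITY = {"10.1.0.10": "web", "10.1.0.11": "web", "10.2.0.20": "db"}

# Constructed intents: web tier talks to the database, nothing else is stated.
INTENTS = [Intent("web", "db", frozenset({5432})), Intent("users", "web", frozenset({443}))]


def compile_policy(intents):
    """Render intents into a permit table keyed by (src_group, dst_group) -> set of ports."""
    policy = {}
    for i in intents:
        policy.setdefault((i.src_group, i.dst_group), set()).update(i.ports)
    return policy


def classify(flow, policy, identity):
    """'permitted' if the intent allows it, 'unclassified' if an endpoint has no
    identity (the profiling gap), otherwise 'deviation' worth an alert."""
    src, dst = identity.get(flow.src_ip), identity.get(flow.dst_ip)
    if src is None or dst is None:
        return "unclassified"
    return "permitted" if flow.port in policy.get((src, dst), set()) else "deviation"


def audit(flows, intents=INTENTS, identity=IDENTITY):
    """Classify every observed flow against the compiled intent."""
    policy = compile_policy(intents)
    return {f: classify(f, policy, identity) for f in flows}
```

A flow from the database back to a web host on port 22 is reported as a deviation even though nothing blocked it, and a host with no identity is reported separately, since enforcement can only be as good as the endpoint profiling feeding it.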

deanwebb

OK, so does intent-based networking scale well? How does a LAN/Security team handle hundreds of existing applications that have to keep running because production?

that1guy15

Quote from: deanwebb on June 21, 2017, 02:24:21 PM
How does a LAN/Security team handle hundreds of existing applications that have to keep running because production?

This is done the same as now. Use sound flexible designs like using a spine/leaf fabric connecting various pods. New apps need new pods? OK spin up a new set of leafs and pods and move along.


deanwebb

That answer responds to the datacenter aspect of intent-based networking. How about the periphery, where all the end-users are HTTPSing their time away with YouTube, FaceBook, and Twitter? Will this intent-based networking be something to help with dealing with intellectual property theft?

that1guy15

You're right, so far the full focus has been on DC fabric. Not sure how other areas will approach this.

I have a buddy who is working for Fortinet right now and talking with him they have a similar approach with an intent based something or other. Same concept but I don't know what all it covers. I would assume mostly what you are talking about.

IMO security needs to shift away from the network and wire and deeper into the servers and applications themselves. Let security controls take place before the packet or session hits the wire.

You already see talk of this with a couple companies and BPF/XDP which applies filtering at the kernel level. I'm also hearing people talk about full end to end encryption of app sessions, which makes sense. Traditional security just does not make sense in these scenarios to me.

But I'm not a SEC guy and try to mostly avoid it.

deanwebb

Security absolutely has to leave behind the perimeter mindset. Watching endpoints and who they talk to is more and more critical. We also have to start getting real about using a whitelisting approach to corporate Internet traffic. We simply can't assume that all the web is OK except for the stuff we realize after the fact to be malicious. Employees that want to use the Internet for fun at work should be told to bring their own devices, use a guest network, and sign a waiver that they won't hold the company responsible for damages because Internets be crazy.

Or, even better, everybody work from home and use your home network for your own Internets and a VPN for the corporate stuff. Have fun with that, kids!

Then, when everyone says that not using the Internet is JUST. TOO. HARD. and that they all want to quit, say that there's another way to do this and talk about never, ever opening email attachments. Ever. Or clicking on links in emails. Ever. The only exception is if the link or file is sent from someone that you asked to send a link or a file.

ggnfs000

Seems like AI is infiltrating the security arena. Not just network security. Cylance comes to mind.

wintermute000

I think you guys have this a little bit wrong, though I agree re: hardware lock-in comment. It's much more ACI than IWAN.
Intent based goes beyond 'I want a network', it's 'I want a service', abstract even the networking bits away. It's the holy grail behind all the ACI constructs, app-centric contract designs etc. Think service modelling and orchestration. This new thingy is intent based to the point where you're tying endpoint policy to identity then enforcing via TrustSec. It's not just I want a new fabric. It's micro-segging at the edge, all the way, just like ACI, using intent based language, leveraging custom silicon.

I was talking about it with a colleague and besides the obvious 'will it work' angle (HAHAHAHA at least v1, v2 etc... bug city) they're on a hiding to nothing because they have two choices:
- re-use ACI policy constructs which everyone hates
- make up a new set of policy constructs so everyone hates it AND ACI guys have to relearn it and hate it more

The pure unadulterated HW lock-in will backfire on them I believe, along with the vision of enforcing micro-seg in hardware and making identity central to everything. It's a good idea in utopia, meanwhile in reality, we have 99% of clients not even knowing how many switches are in their network let alone the capability/appetite to profile endpoint identity accurately, then define TrustSec enforced security policies in an app-centric manner. Let alone with budget to deploy 3850s at the edge (no 2900s... merchant silicon pfffft).


We're starting the partner dance shortly so I might revise my opinions as I learn more about it.

ggnfs000

Quote from: that1guy15 on June 21, 2017, 02:20:40 PM
"Intent Based Networking" is the way to move forward. Apstra really spear-headed this charge and Cumulus and others jumped on shortly after. Cisco with this announcement just confirmed its relevance and there is a market.

Now in true Cisco fashion they tied it to a hardware platform with the new Cat 9000 whatever. Which IMO is a against the true idea of intent based networking.

The idea of intent based networking is to provide what you want out of a network and how you want it to perform and have a design built that meets those needs. Protocols, config and what hardware you use does not matter unless they are limiting. Think about running through a Wizard and a DC fabric spits out the other end.

Once the network is built you know the intent of the network and have better visibility into performance and deviations since you know what the network should be doing.

Cisco is coming at this backwards. They are saying here is all this hardware and features you can build your network with now how do you want it.

My guess is Cisco will do just like iWAN with this one. Run it hard for a year or two. Fail miserably and buy out one of the top players in this game to stay relevant.

To my understanding, here is the parallel:
intent based net - Apple - Ferrari - luxurious, fast and furious but once broken you have to buy another iPhone or Ferrari.
traditional net - Android, old clunker - breaks all the time, needs parts every time it breaks.

deanwebb

I agree that the hardware lock-in is part of an extended services/subscription lock-in. Cisco is trying to be like Microsoft, where it can make $$$ through services and subscriptions, but it's still trying to hold on to the hardware market like grim death.

Other vendors have a much better chance at their innovations working...

wintermute000

Quote from: ggnfs000 on June 21, 2017, 06:39:44 PM
Quote from: that1guy15 on June 21, 2017, 02:20:40 PM
"Intent Based Networking" is the way to move forward. Apstra really spear-headed this charge and Cumulus and others jumped on shortly after. Cisco with this announcement just confirmed its relevance and there is a market.

Now in true Cisco fashion they tied it to a hardware platform with the new Cat 9000 whatever. Which IMO is a against the true idea of intent based networking.

The idea of intent based networking is to provide what you want out of a network and how you want it to perform and have a design built that meets those needs. Protocols, config and what hardware you use does not matter unless they are limiting. Think about running through a Wizard and a DC fabric spits out the other end.

Once the network is built you know the intent of the network and have better visibility into performance and deviations since you know what the network should be doing.

Cisco is coming at this backwards. They are saying here is all this hardware and features you can build your network with now how do you want it.

My guess is Cisco will do just like iWAN with this one. Run it hard for a year or two. Fail miserably and buy out one of the top players in this game to stay relevant.

To my understanding, here is the parallel:
intent based net - Apple - Ferrari - luxurious, fast and furious but once broken you have to buy another iPhone or Ferrari.
traditional net - Android, old clunker - breaks all the time, needs parts every time it breaks.

You're joking, right? Androids are far from old clunkers when you buy the right model. And I'm sure that every single cloud provider and hyperscaler views their standards based networks as clunkers.
And Ferraris and Apples... seriously, your employer bias is showing. Have fun with your version 1 code.

deanwebb

To put it a little more mildly than wintermute, there's a big, BIG difference between marketing material and reality. Those of us in operations and project/consulting work have to learn how to dissect a publicity statement about a new tech to reveal the gotchas that will get us when we try and make it work.

Big red flags for me: Nexus 9K and ISE. Don't have either of those? Hmmm... well, you can always buy them, right?

And our pro services will make implementation a snap!

:vendors:

Intent based networking can be like a Koenigsegg without a rear spoiler, which tried to kill the hosts of Top Gear and The Stig in Season 8. That rear spoiler made for a HUGE difference when the lads at the supercar manufacturer added it.

Traditional networking can be like a Toyota pickup... ugly, but it gets the job done in spite of no upgrade for the last 7 years.

Now, all of these can get wiped out by a well-aimed RPG, so let's not forget that they need protection. :smug:

Also, those big, expensive supercars can totally bottom out when they go over small bumps or when getting on or off ramps. They're not exactly 100% compatible with all streets. Again, that new stuff doesn't necessarily have all the bugs/kinks worked out.

This is why smart network guys will test and test again before recommending adopting a technology. It may look really cool in the demo, but let's put it through the paces before we cut the big purchase order.