ACI in 2019

deanwebb · August 28, 2019, 12:22:12 PM

How's it going for those who are tangling with ACI? It's been almost 6 years since it was announced and almost 5 years since it shipped. I know some folks here had nightmares and headaches about it a few years back... has the product improved or is it still a difficult beast to tame? What's changed and what still needs to change?

I'll answer the first question, though... why is a security guy asking about ACI?

Well, I'll tell you... I'm reading up on how $VENDOR, where I work, connects to ACI to provide visibility and to act as a bridge between assets in the ACI environment with other applications, like ServiceNow. I've got customers that have ACI environments at various stages of maturity, so I'd like to know some ACI war stories.

dlots · September 12, 2019, 08:34:52 PM

ACI kinda sucks. They gave their customers a GUI and an API and washed their hands of it. If you want to anything you have to write it for yourself. At the very least they need a "make switch A port 2 on vlan 5" program and stick it in there. There is just nothing to it. They made everything worse in that you have to go though 8 pages in a GUI, but unless you have a team of programmers the API doesn't really do anything for you.

Personally I think the GUI is very much an after thought.

deanwebb · September 13, 2019, 01:49:32 PM

In your experience, how fast did the programmers pick up on ACI, and did they get to where they were good at it?

icecream-guy · September 18, 2019, 03:41:25 PM

Big discussion today about redoing the DC architecture to support SDN, long meeting ( good that I was not invited)
but customer wants to move toward the SDN thing, so we plan it. customer wants a simpler architecture, we've had much DC downtime as of recent. Since we are a Cisco shop ACI, (

) and with all the vulnerabilities (

). Time to put on my programmer hat

I've been through the initial planning as last place, and once they realized, that every application, port, protocol, source, destination all need to be identified and programmed into the system it went

( insert flush smiley here)

deanwebb · September 18, 2019, 05:23:51 PM

So basically, they ain't gonna do it, once they see how much of it that they gotta do...

dlots · September 19, 2019, 08:54:54 PM

I was a really bad programer, and i couldn't make changes to it, but it wasn't to bad. There were a couple people who did most of their work via postman, and they had no programing XP at all.

Their documentation was pretty half ass though, and there is a lot of stuff you can't access over the API it seems (trouble shooting stuff it seems).

deanwebb · September 24, 2019, 10:55:47 AM

And, of course, no push inside of Cisco to address either documentation or API limitations.

NetworkGroover · December 16, 2019, 11:39:38 AM

So I see the problems with ACI continue...

I was looking for ACI posts because I'm curious with the new Cisco One chip platforms (New 8000 series) that ACI isn't supported... I'm curious to hear from more Cisco-rooted folks if they are telling you to move to different platforms, if it will be supported in the future, etc.? This is a pretty important point to understand clearly, and I find it a little hard to believe hence reaching out to you guys.

If what I'm hearing is true... this is pretty wild.

deanwebb · December 16, 2019, 03:06:51 PM

Quote from: AspiringNetworker on December 16, 2019, 11:39:38 AM
So I see the problems with ACI continue...

I was looking for ACI posts because I'm curious with the new Cisco One chip platforms (New 8000 series) that ACI isn't supported... I'm curious to hear from more Cisco-rooted folks if they are telling you to move to different platforms, if it will be supported in the future, etc.? This is a pretty important point to understand clearly, and I find it a little hard to believe hence reaching out to you guys.

If what I'm hearing is true... this is pretty wild.

Cisco One doesn't support ACI?

https://www.cisco.com/c/dam/en/us/products/collateral/software/nb-06-one-software-aag-ctp-en.pdf leads one to think that it does link up with ACI. Where are you seeing no support for ACI in the 8000 series of gear?

This *is* interesting stuff!

Otanx · December 17, 2019, 10:48:57 AM

The Cisco One licensing stuff is different than the Cisco One chip platform on the 8000 routers. The new 8K routers have a new ASIC called "Cisco Silicon One". I feel Cisco marketing team gets a number in their head, and won't let go. Nexus 9Ks, Cat 9Ks, ASR9Ks... Now it is Cisco One. I don't know if this is on purpose as a misguided effort to unify product lines, or they just like confusing customers.

Looking at the info available for the 8Ks I don't see ACI mentioned anywhere, and you would think it would be somewhere if it was supported. However, these are so new you can't download software for them yet so it might just be incomplete info for a new product. Not like that has ever happened.

-Otanx

deanwebb · December 17, 2019, 01:39:57 PM

https://www.cisco.com/c/en/us/products/cloud-systems-management/crosswork-network-automation/index.html

Is that the new branding for ACI? Or am I but a simple caveman, confused by Cisco marketing?

wintermute000 · December 19, 2019, 02:59:29 AM

8Ks are IOS-XR so its service provider. Nothing to do with ACI. I could be wrong LOL but I see IOS-XR = SP BU

ACI is fine if you can learn the new paradigms and if you just want a fabric (i.e. network-centric). Sure its a learning curve and you need to at least script to get the most out of it but if you say want to understand VXLAN EVPN thoroughly there's also a steep-ish curve esp once you get into Type-4 ESI multihoming and other fancy features or Cisco add-ons like multi-site (sorry haven't kept up with new Arista hotness).

Application-centric is pointless and stupid, like ristau said map out all your apps and ports to... enforce them one-way (ACLs, not even stateful lol) in expensive silicon with no layer-7 or app-layer features.

I think it will keep on keeping on, they've come too far to abandon it now, and they always choose to put the new hotness in there first (Tetration integration etc.). The service chaining is pretty cool and way beyond anything you can natively accomplish with VXLAN EVPN though you can throw controllers and openflow and other kludges at it as well. But i think the market has de-facto consolidated around VXLAN EVPN.

re: crosswalk, from a glance it looks like the latest stab at automate all the things, its unclear whats actually the product or the separate bits of the ecosystem. As usual with this kind of marketing its hard to work out what "it" is. I suspect its a bunch of different solutions branded together e.g. NSO which has been around for a long time. It definitely looks like a SP automation play not enterprise - NSO has always been SP centric, they talk about RPKI and segment routing.

deanwebb · December 19, 2019, 09:19:59 AM

That is what I was gathering that the 8K stuff was for major backbone work, with backplanes and total throughput numbers like that.

NetworkGroover · December 19, 2019, 11:13:15 AM

Quote from: wintermute000 on December 19, 2019, 02:59:29 AM
8Ks are IOS-XR so its service provider. Nothing to do with ACI. I could be wrong LOL but I see IOS-XR = SP BU

ACI is fine if you can learn the new paradigms and if you just want a fabric (i.e. network-centric). Sure its a learning curve and you need to at least script to get the most out of it but if you say want to understand VXLAN EVPN thoroughly there's also a steep-ish curve esp once you get into Type-4 ESI multihoming and other fancy features or Cisco add-ons like multi-site (sorry haven't kept up with new Arista hotness).

Application-centric is pointless and stupid, like ristau said map out all your apps and ports to... enforce them one-way (ACLs, not even stateful lol) in expensive silicon with no layer-7 or app-layer features.

I think it will keep on keeping on, they've come too far to abandon it now, and they always choose to put the new hotness in there first (Tetration integration etc.). The service chaining is pretty cool and way beyond anything you can natively accomplish with VXLAN EVPN though you can throw controllers and openflow and other kludges at it as well. But i think the market has de-facto consolidated around VXLAN EVPN.

re: crosswalk, from a glance it looks like the latest stab at automate all the things, its unclear whats actually the product or the separate bits of the ecosystem. As usual with this kind of marketing its hard to work out what "it" is. I suspect its a bunch of different solutions branded together e.g. NSO which has been around for a long time. It definitely looks like a SP automation play not enterprise - NSO has always been SP centric, they talk about RPKI and segment routing.

This makes sense - I should probably go back and look at what I saw earlier and see where I got my wires crossed regarding ACI support in Silicon One. For the 8k I agree it doesn't make sense with an SP-focus.. but I think this may extend to other product lines but I'll go back and look a little harder.

wintermute000 · December 19, 2019, 03:18:31 PM

Remember CSCO is a behemoth, ACI = enterprise but silicon one looks to me aimed at creating a new revenue stream by becoming a new broadcom and flogging tomahawks to hyperscaler whiteboxes IMO