Nexus Outside the Datacenter

Started by Fred, May 14, 2015, 09:58:03 PM


burnyd

I'm phasing out any chassis-based device in the DC anyway. I just don't have a need for one anymore; everything is highly populated 40Gb/10Gb now.

that1guy15

Quote from: burnyd on May 16, 2015, 10:14:09 PM
I'm phasing out any chassis-based device in the DC anyway. I just don't have a need for one anymore; everything is highly populated 40Gb/10Gb now.
Yep, just had this conversation with the boss the other day. I'd rather build out on 5600 or 6K if we stayed Nexus. But I am interested in dropping the 2Ks and going full on 9K and ACI.

But being a smaller shop we could easily go with a Big Switch or Nuage networks deployment and make it work.

Not sure I'll be around to see the 7Ks retire...
That1guy15
@that1guy_15
blog.movingonesandzeros.net

NetworkGroover

Quote from: that1guy15 on May 16, 2015, 10:52:58 PM
Quote from: burnyd on May 16, 2015, 10:14:09 PM
I'm phasing out any chassis-based device in the DC anyway. I just don't have a need for one anymore; everything is highly populated 40Gb/10Gb now.
Yep, just had this conversation with the boss the other day. I'd rather build out on 5600 or 6K if we stayed Nexus. But I am interested in dropping the 2Ks and going full on 9K and ACI.

But being a smaller shop we could easily go with a Big Switch or Nuage networks deployment and make it work.

Not sure I'll be around to see the 7Ks retire...

ACI - ha, yeah I'd like to see that.
Engineer by day, DJ by night, family first always

deanwebb

Cisco is really pushing for us to get ACI where I'm at, since we're basically all Nexus, Vblock, and stuff like that in the DC. I'm supposed to have an ACI meeting next week, but I think that I would rather spend the two hours working on NAC issues...
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

burnyd

Dean, as a security person there are some benefits. Everything has to have a policy in order for anything to talk. However, if multi-segmentation is your goal I'm going to tell you NSX is the better way to go.

NetworkGroover

Quote from: deanwebb on May 17, 2015, 08:15:49 AM
Cisco is really pushing for us to get ACI where I'm at, since we're basically all Nexus, Vblock, and stuff like that in the DC. I'm supposed to have an ACI meeting next week, but I think that I would rather spend the two hours working on NAC issues...

Want a fun conversation? Ask for customer references. Ask what to do with your current Nexus gear, because if it doesn't have the custom ACI ASICs, it can't play in the ACI fabric. You HAVE to have the ACI ASICs (the ACI Spine Engine, or "ASE," and the ACI Leaf Engine, or "ALE") in order for the ACI policy model to function, and at BOTH the leaf and spine layers (the spine also has to be able to read the eVXLAN metadata). Ask your application guys if their apps fall into the pretty 3-tier model that ACI forces you to abide by.

I researched this pretty heavily when it was first coming out... but now when asked about it I just kind of laugh.. not trying to be a troll about it.. it's just how it is. Though - I don't really get asked about it anymore...


EDIT - Most importantly, I would LOVE to hear some real feedback - I've gotten little to none.

Basically, make sure your entire networking/server/db/etc. team is there when you have that conversation.

EDIT 2 - Wait a minute - are we still talking about outside the data center?  I seriously hope when talking about ACI you're talking about inside the data center... though that would be quite entertaining to know if Cisco's trying to sell ACI to the campus/enterprise...
Engineer by day, DJ by night, family first always

icecream-guy

Cisco has a nice small ACI Starter kit, I think it starts at about 250K. We've got one in procurement now, hopefully I get the project. The important thing is to know all your application flows, as you will need to create groups of things and rules for those things to communicate with other things. So if your web tier has a back-end DB, you'll need a rule to allow users to the web site, a rule to allow the web server to communicate with the DB server, a rule for the DB server to communicate with the web server, and a rule for the web server to communicate with the customers. You'll also need to take into account DNS, NTP etc., because nothing talks unless it's part of a group. Luckily similar things can be bundled and put into the same group.
ACI is very similar to a non-stateful firewall.
:professorcat:

My Moral Fibers have been cut.
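To make the point about group-based, default-deny policy concrete, here is an added example (not from the post above, not Cisco's code, and not a model of ACI's real contract semantics) that simulates the behaviour the post describes: endpoints belong to groups, traffic between groups is dropped unless a rule explicitly permits it, and, because the model is stateless, the reverse direction of each conversation needs its own rule. The group names, prefixes, ports and flow records are all constructed; a `dropped_flows()` pass over a captured flow list is the "know all your application flows" step, showing which conversations (DNS, NTP) would silently break until a rule covers them.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    """One permitted direction of traffic between two groups (None = any port)."""
    src_group: str
    dst_group: str
    proto: str
    dst_port: Optional[int] = None
    src_port: Optional[int] = None


@dataclass
class Policy:
    """Default-deny allowlist: nothing crosses groups without a matching Rule.
    Simplifying assumption: members of the same group may talk to each other."""
    groups: Dict[str, List[Net]] = field(default_factory=dict)
    rules: Set[Rule] = field(default_factory=set)

    def add_group(self, name: str, prefixes: List[str]) -> None:
        self.groups[name] = [ipaddress.ip_network(p) for p in prefixes]

    def allow(self, src_group: str, dst_group: str, proto: str,
              dst_port: Optional[int] = None, src_port: Optional[int] = None) -> None:
        self.rules.add(Rule(src_group, dst_group, proto, dst_port, src_port))

    def group_of(self, ip: str) -> Optional[str]:
        addr = ipaddress.ip_address(ip)
        for name, nets in self.groups.items():
            if any(addr in n for n in nets):
                return name
        return None

    def evaluate(self, src_ip: str, dst_ip: str, proto: str,
                 src_port: int, dst_port: int) -> Tuple[bool, str]:
        """Stateless check of a single packet direction; no connection tracking."""
        src_g, dst_g = self.group_of(src_ip), self.group_of(dst_ip)
        if src_g is None or dst_g is None:
            return False, "endpoint not in any group"
        if src_g == dst_g:
            return True, f"intra-group {src_g}"
        for r in self.rules:
            if (r.src_group, r.dst_group, r.proto) != (src_g, dst_g, proto):
                continue
            if r.dst_port is not None and r.dst_port != dst_port:
                continue
            if r.src_port is not None and r.src_port != src_port:
                continue
            return True, f"rule {src_g}->{dst_g} {proto}"
        return False, f"no rule {src_g}->{dst_g} {proto}/{dst_port} (default deny)"


def build_policy() -> Policy:
    """Constructed three-tier policy: users -> web -> db, with return-direction rules."""
    p = Policy()
    p.add_group("users", ["10.10.0.0/16"])
    p.add_group("web", ["10.20.1.0/24"])
    p.add_group("db", ["10.20.2.0/24"])
    p.add_group("infra", ["10.20.9.0/24"])      # DNS and NTP servers
    p.allow("users", "web", "tcp", dst_port=443)
    p.allow("web", "users", "tcp", src_port=443)  # stateless: replies need a rule
    p.allow("web", "db", "tcp", dst_port=5432)
    p.allow("db", "web", "tcp", src_port=5432)
    return p


# Constructed flow records (src, dst, proto, sport, dport), as a flow export might list them.
OBSERVED_FLOWS = [
    ("10.10.5.7", "10.20.1.10", "tcp", 51234, 443),     # user -> web
    ("10.20.1.10", "10.10.5.7", "tcp", 443, 51234),     # web -> user (reply)
    ("10.20.1.10", "10.20.2.10", "tcp", 40000, 5432),   # web -> db
    ("10.20.2.10", "10.20.1.10", "tcp", 5432, 40000),   # db -> web (reply)
    ("10.20.1.10", "10.20.9.5", "udp", 50001, 53),      # web -> DNS
    ("10.20.2.10", "10.20.9.5", "udp", 50002, 123),     # db -> NTP
    ("10.10.5.7", "10.20.2.10", "tcp", 51300, 5432),    # user straight to db
]


def dropped_flows(policy: Policy, flows) -> List[Tuple[tuple, str]]:
    """Return every observed flow the policy would drop, with the reason."""
    out = []
    for f in flows:
        ok, why = policy.evaluate(*f)
        if not ok:
            out.append((f, why))
    return out


if __name__ == "__main__":
    policy = build_policy()
    for flow, why in dropped_flows(policy, OBSERVED_FLOWS):
        print("DROP", flow, "-", why)
    # Covering the infrastructure flows leaves only the user -> db attempt denied.
    policy.allow("web", "infra", "udp", dst_port=53)
    policy.allow("db", "infra", "udp", dst_port=123)
    print("still dropped:", [f for f, _ in dropped_flows(policy, OBSERVED_FLOWS)])
```

Run as-is, the first pass reports three drops (DNS, NTP and the direct user-to-DB attempt); after the two infrastructure rules are added only the user-to-DB flow is denied, which is the intended outcome of a whitelist model. Removing the `db -> web` return rule shows the stateless property: the DB's replies are dropped even though the forward direction is permitted.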

that1guy15

I'm still talking DC. How about we split this side discussion off into its own thread so as not to dilute the original question?
That1guy15
@that1guy_15
blog.movingonesandzeros.net

NetworkGroover

That was towards Dean, but yeah sorry - I'm going down a rabbit hole here.
Engineer by day, DJ by night, family first always

burnyd

Quote from: ristau5741 on May 18, 2015, 07:59:54 AM
Cisco has a nice small ACI Starter kit, I think it starts at about 250K. We've got one in procurement now, hopefully I get the project. The important thing is to know all your application flows, as you will need to create groups of things and rules for those things to communicate with other things. So if your web tier has a back-end DB, you'll need a rule to allow users to the web site, a rule to allow the web server to communicate with the DB server, a rule for the DB server to communicate with the web server, and a rule for the web server to communicate with the customers. You'll also need to take into account DNS, NTP etc., because nothing talks unless it's part of a group. Luckily similar things can be bundled and put into the same group.
ACI is very similar to a non-stateful firewall.

:zomgwtfbbq:

roflcopter!

that1guy15

Quote from: burnyd on May 18, 2015, 02:58:57 PM
Quote from: ristau5741 on May 18, 2015, 07:59:54 AM
Cisco has a nice small ACI Starter kit, I think it starts at about 250K. We've got one in procurement now, hopefully I get the project. The important thing is to know all your application flows, as you will need to create groups of things and rules for those things to communicate with other things. So if your web tier has a back-end DB, you'll need a rule to allow users to the web site, a rule to allow the web server to communicate with the DB server, a rule for the DB server to communicate with the web server, and a rule for the web server to communicate with the customers. You'll also need to take into account DNS, NTP etc., because nothing talks unless it's part of a group. Luckily similar things can be bundled and put into the same group.
ACI is very similar to a non-stateful firewall.

:zomgwtfbbq:

roflcopter!

Are you still doing your ACI sessions at CLUS? What have you seen lately that is pushing you away from ACI? I don't think I can keep up with you and your DC trends anymore :) Hell, I still want to play around with FabricPath and OTV... Maybe I'll learn this new-fangled VXLAN stuff one of these days.
That1guy15
@that1guy_15
blog.movingonesandzeros.net

burnyd

Well, like in your post... "Hey, these 7Ks/5Ks and all the other stuff you purchased, go ahead and use them as cores or something. They do not have our ACI fabric in them so they are not compatible." I'm just not a fan of a product that needs specific hardware to function properly. It is the right idea to have the application end groups and I can't remember what the other one is called. But it just strikes me wrong. So as you scale out your DC fabric you absolutely need 9Ks.

The hypervisor method makes so much more sense to me because you can run it on anything and use the underlay simply as a fabric, on any network devices you want to. Plus the price is aaalllootttt cheaper and multi-tenancy is easier.

But yes, I will be at the ACI class just to check it out.  I have zero intentions of running it I just want the deep dive for learning purposes.

ScottF

Quote from: that1guy15 on May 15, 2015, 12:14:19 PM
VSS is running the campus core but the more I run it the less I like it.

Out of interest, why don't you like VSS?

that1guy15

Quote from: ScottF on May 26, 2015, 10:13:29 AM
Quote from: that1guy15 on May 15, 2015, 12:14:19 PM
VSS is running the campus core but the more I run it the less I like it.

Out of interest, why don't you like VSS?
Shared control plane. Split-brain and failure scenarios with VSS can get pretty hairy.
That1guy15
@that1guy_15
blog.movingonesandzeros.net