Cisco ACI

Started by mmcgurty, November 17, 2015, 08:44:23 AM


deanwebb

Quote from: AspiringNetworker on November 21, 2016, 11:19:16 AM
Huh? I wasn't making any suggestion - just asking if he defined building a hybrid/private cloud as using ACI.

So, what you're saying, is... I misinterpreted your statement. But it looked clear to me! :)

:oracle:
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

NetworkGroover

#31
 :rofl:

That gif usage was masterful, Sir.
Engineer by day, DJ by night, family first always

ggnfs000

ACI is supposed to make it application-centric: let the application (namely policy) say to the network, "I want this," and everything will come into place. Sounds like it is not the case?

NetworkGroover

#33
Quote from: ggnfs000 on November 21, 2016, 02:42:31 PM
ACI is supposed to make it application-centric: let the application (namely policy) say to the network, "I want this," and everything will come into place. Sounds like it is not the case?

Trying to appear as non-biased as possible, it's a solution looking for a problem, and sounds elegant in slideware but in application is a completely different story. It's an ugly, forklift, complex lock-in. It's been around now for 2+ years, and if it were so awesome, you'd think you'd hear more about it being awesome with customer stories... but that's not the case... so....

But don't take it from me... I work for a competing vendor. ;P

deanwebb

Quote from: ggnfs000 on November 21, 2016, 02:42:31 PM
ACI is supposed to make it application-centric: let the application (namely policy) say to the network, "I want this," and everything will come into place. Sounds like it is not the case?
And that's one of those things that looks great on paper. What do we do with over 40,000 applications? Does a policy that works for MS Office 2013 work for the 2016 version as well? Or for different SP versions of the same suite? What about different versions of the same industrial control suite, that maybe change which port they use to access the licensing server? Or if a licensing server in the cloud has an IP address change, does that get automagically updated in the ACI?

Does this mean that I need to account for the network needs of ALL my applications? I get that 40K number when I account for all the software and all the different versions of the software I see here at Multinational Megacorporation.

And what about the default policy? Is it permit all by default? Then the guy that replaced CALC.EXE with malware just got through, because CALC.EXE is pre-approved as a default Windows app, right? Or if it is deny all by default - then we see production lines crashing because the guys in charge didn't read our emails in time, or thought that they were exempt from ACI because they're a production network...

And don't even get me started on SGT... because the one thing all firewalls need to do is to double as Active Directory server proxies.

ggnfs000

#35
Quote from: AspiringNetworker on November 21, 2016, 02:57:56 PM
Quote from: ggnfs000 on November 21, 2016, 02:42:31 PM
ACI is supposed to make it application-centric: let the application (namely policy) say to the network, "I want this," and everything will come into place. Sounds like it is not the case?

Trying to appear as non-biased as possible, it's a solution looking for a problem, and sounds elegant in slideware but in application is a completely different story. It's an ugly, forklift, complex lock-in. It's been around now for 2+ years, and if it were so awesome, you'd think you'd hear more about it being awesome with customer stories... but that's not the case... so....

Yes, I am also trying to.

But don't take it from me... I work for a competing vendor. ;P

Yes, I work for Cisco but look at everything from a central POV in order to try forecasting where it is heading (rise or fail). Although I ain't directly involved in ACI dev, I am just interested in how it is performing in real life. I think they are putting a big emphasis on this.

ggnfs000

#36
Quote from: ggnfs000 on November 21, 2016, 03:33:52 PM
Quote from: AspiringNetworker on November 21, 2016, 02:57:56 PM
Quote from: ggnfs000 on November 21, 2016, 02:42:31 PM
ACI is supposed to make it application-centric: let the application (namely policy) say to the network, "I want this," and everything will come into place. Sounds like it is not the case?

Trying to appear as non-biased as possible, it's a solution looking for a problem, and sounds elegant in slideware but in application is a completely different story. It's an ugly, forklift, complex lock-in. It's been around now for 2+ years, and if it were so awesome, you'd think you'd hear more about it being awesome with customer stories... but that's not the case... so....

Yes, I am also trying to.

But don't take it from me... I work for a competing vendor. ;P

Yes, I work for Cisco but look at everything from a central POV in order to try forecasting where it is heading (rise or fail). Although I ain't directly involved in ACI dev, I am just interested in how it is performing in real life. I think they are putting a big emphasis on this.

Well, this brings the issue into an entirely new dimension. Once the size, complexity and breadth of the offering, the product, becomes mega, unfortunately the quality just nose-dives. It is not like org A is better than org B; they are all in the same vicinity, it is almost by nature. I think it does not really matter the company or product, since it is inherently tied to the quality of the engineers creating it. Once the number of engineers surpasses the 1000s, the bad apples tend to mix in and screw things around, and plus once you mix in factors like TTM, resources, permutations of tests involved, no way, it is only possible to release something that is "acceptable". However, over time it may have a chance to get better. But once products mature, what I hate about matured products is that they break backward compatibility in the name of "innovation" and "new features". When users transition from 6.X to 7.X, the host of command sets and the UI is completely changed and there is nothing innovative or better in the "change". It just simply screws around. I personally take examples like RedHat and most Linux distributions, which are some of the worst products. It is simply impossible to control this many people to work like one team because there are too many people who have a "new idea" and screw things around. Perhaps if a top-notch expert is sitting on top of product design and holds the rest under an iron fist, it may be possible to do something great.

wintermute000

#37
Yep, so application-centric it defines them as..... stateless packet filters. Not only is it not application-aware in any way, it's not even stateful. But it's OK, you can service-chain someone else's NGFW or vArmour or <insert-additional-costly-complex-doodad> to do that.

I have seen an ACI deployment where they were at wits' end and the decision was made to rip out all the EPGs and contracts, convert them to firewall rules and then re-write all the policies to force all inter-EPG traffic through a traditional firewall inline.... The worst part is, it was in some ways probably the least bad decision.

I've not met a single person who's seen it up close and likes it. This includes sales and management as well as engineers. If VMware got their heads out of their behinds and priced NSX at a not insane level they would have already won the war. Be that as it may, everyone is converging on a hypervisor overlay solution - VMware, Microsoft, OpenStack and friends, Contrail, Nuage, etc.

burnyd

Quote from: wintermute000 on November 22, 2016, 05:10:58 AM
Yep, so application-centric it defines them as..... stateless packet filters. Not only is it not application-aware in any way, it's not even stateful. But it's OK, you can service-chain someone else's NGFW or vArmour or <insert-additional-costly-complex-doodad> to do that.

I have seen an ACI deployment where they were at wits' end and the decision was made to rip out all the EPGs and contracts, convert them to firewall rules and then re-write all the policies to force all inter-EPG traffic through a traditional firewall inline.... The worst part is, it was in some ways probably the least bad decision.

I've not met a single person who's seen it up close and likes it. This includes sales and management as well as engineers. If VMware got their heads out of their behinds and priced NSX at a not insane level they would have already won the war. Be that as it may, everyone is converging on a hypervisor overlay solution - VMware, Microsoft, OpenStack and friends, Contrail, Nuage, etc.

Haha, "stateless packet filters" pretty much says it all. Stateless packet filters to fill up all your TCAM, and you are 100% correct, service chaining is available in other flavors that you can run with anything that has IP connectivity. I would wait until the realm of things like EVPN and segment routing comes into the data center. Those two technologies combined will make service chaining and multi-vendor a reality. Then you take OpenConfig on top of it and you have a completely orchestrated infrastructure that will just work. I mean, shit, look at it like this: if you wanted to provision a VM in your orchestration, why not just add that /32 or network to an ACL with some sort of automation? That would solve all of your ACI/EPG/APG easily.

Getting back to your comments here... I have also not met a single success story with ACI. Any customer I have spoken to, it's the first thing that Cisco generally pitches, and 9/10 it's a failure or a different direction than the rest of the industry is moving. Network people need to embrace all things open source and the idea of automation. Falling back to hardware-defined is not the correct approach.

ggnfs000