Why I think ACI and VXLAN are the future

The Rise of the Robots & The End of an Era

I had an interesting read, or listen I should say, last week – The Rise of the Robots. This audiobook made me think about a number of things, but the one that sprang to mind immediately was automation and my own prospects when it comes to being replaced by the machines…

I keep telling myself they can’t automate everything and there will always be a requirement for a highly skilled engineer to migrate the LAN or WAN edge while making sure nothing is impacted. You can’t really replace the core network without talking to multiple teams, assessing the impact, identifying exceptions or legacy issues. You need a plan, a strong team and great communication skills to achieve all that, so there are still too many variables to let machines replace your network. But how about automating daily tasks and troubleshooting?

We are all used to the old ways and very resistant to change. A classic example is the slow adoption of IPv6, but hey, let’s leave that for another blog. We like our VLANs, SVIs, IP subnets, HSRP, OSPF and BGP, and all of this is pretty well understood and documented. How about turning the traditional networking concepts upside down and into the 21st century?

The Rise of VXLAN in Enterprise Networks

I have always been a big fan of Layer 3 to the edge because it simplifies the access layer design, and we shouldn’t really be afraid of routing. At the end of the day, if there is a requirement to span one VLAN between various access switches, you could have a hybrid solution by allowing that VLAN in addition to the point-to-point routed SVIs on both ends. That makes sense, but VXLAN takes it all to the next level.

Imagine every access layer switch configured with the same data VLAN ID, the same large IP subnet and the same gateway address. Or those legacy VLANs that had to be “trunked” across the whole estate whenever someone needed the VLAN extended everywhere. Imagine staying Layer 2 adjacent across a Layer 3 boundary. Layer 2 loops? Gone, because the underlay is a routed network with no trunks to loop. VXLAN encapsulates Layer 2 frames in UDP across the Layer 3 network, so you extend the VLAN without a single trunk. The one caveat is broadcast, unknown unicast and multicast traffic: VXLAN still has to deliver it, either by head-end replication to every tunnel endpoint or via multicast in the underlay, so it is the control plane answering ARP and suppressing unknown floods that stops a storm from simply moving into the overlay.

Your corporate Layer 3 network becomes just a routed underlay of loopback addresses, one per VXLAN tunnel endpoint (VTEP), while the controller running LISP delivers the endpoint-to-location mapping (in LISP terms, EID to RLOC): which loopback to tunnel to for a given host. You literally have the same configuration on every access layer switch, with the only exceptions being the loopback and uplink addressing!
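To make the “network of loopbacks” concrete, here is an added example (my own code, not from the original post or from any Cisco product) that builds and parses a VXLAN packet between two VTEP loopbacks with Python’s struct module, following the RFC 7348 header layout. The VTEP addresses, the VLAN 100 to VNI 10100 convention and the inner frame bytes are constructed for the example.

```python
"""VXLAN encapsulation between two leaf loopbacks (added example, RFC 7348 layout)."""
import struct
from ipaddress import IPv4Address

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN port
VXLAN_FLAG_VNI_VALID = 0x08  # the "I" flag: VNI field is valid


def vni_for_vlan(vlan: int) -> int:
    """Assumed site convention: VLAN n on every leaf maps to VNI 10000+n."""
    return 10000 + vlan


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header (0 when verifying a good header)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def vxlan_encapsulate(src_vtep: str, dst_vtep: str, vni: int, inner_frame: bytes,
                      src_port: int = 49152) -> bytes:
    """Wrap a Layer 2 frame in VXLAN/UDP/IPv4 addressed between two VTEP loopbacks."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    # VXLAN header: flags(8) reserved(24) VNI(24) reserved(8)
    vxlan = bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + struct.pack("!I", vni << 8)
    udp_len = 8 + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)  # UDP checksum 0: none
    total_len = 20 + udp_len
    ip_nochk = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 17, 0,
                           IPv4Address(src_vtep).packed, IPv4Address(dst_vtep).packed)
    ip = ip_nochk[:10] + struct.pack("!H", ipv4_checksum(ip_nochk)) + ip_nochk[12:]
    return ip + udp + vxlan + inner_frame


def vxlan_decapsulate(packet: bytes):
    """Validate the outer headers and return (src_vtep, dst_vtep, vni, inner_frame)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 17:
        raise ValueError("outer protocol is not UDP")
    src, dst = str(IPv4Address(packet[12:16])), str(IPv4Address(packet[16:20]))
    _, dport, udp_len = struct.unpack("!HHH", packet[ihl:ihl + 6])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("not VXLAN")
    if udp_len != total_len - ihl or udp_len < 16 or len(packet) < total_len:
        raise ValueError("truncated or inconsistent lengths")
    vx = packet[ihl + 8:ihl + 16]
    if not vx[0] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI flag not set")
    vni = struct.unpack("!I", vx[4:8])[0] >> 8
    return src, dst, vni, packet[ihl + 16:ihl + udp_len]


if __name__ == "__main__":
    # Constructed inner frame: broadcast ARP-style Ethernet header plus a dummy payload.
    inner = b"\xff" * 6 + b"\x02\x00\xc0\xa8\x0a\x0b" + b"\x08\x06" + b"constructed payload"
    pkt = vxlan_encapsulate("10.0.0.1", "10.0.0.2", vni_for_vlan(100), inner)
    print(vxlan_decapsulate(pkt)[:3])
```

The point the code makes is the one in the paragraph: the underlay only ever sees a UDP flow between two loopbacks, and the decapsulating VTEP rejects anything whose outer headers do not line up before it trusts the inner frame.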

The Rise of Application Centric Infrastructure in the Cloud

The concept of tunnelling is relatively straightforward compared with what ACI does to your head, though. In an ACI fabric the traditional IP-subnet-to-VLAN mapping is turned on its head: your IP address no longer decides what security is enforced on you. If you remember Private VLANs, you will probably say that you use them to logically separate endpoints inside the same subnet or primary VLAN, but in any traditional network you enforce security between endpoints by creating more VLANs, more subnets, more access lists and so on.

When you look at ACI, the VLAN and the IP address become secondary; what really matters is how endpoints are classified into Endpoint Groups (EPGs). This moves the abstraction above the IP layer and towards the application: at the end of the day it shouldn’t matter what your IP address is, as long as policy grants you the resources you need and denies the rest. VXLAN is at the heart of ACI, and its header carries everything the fabric needs to forward a packet between endpoints and to enforce the policy that applies to it, including the identity of the source group. Data-plane MAC learning and the Layer 2 loops that led to the development of Spanning Tree do not apply here: the fabric is a routed leaf-and-spine underlay, endpoints are learned by the leaf they attach to and the mapping is distributed through the control plane. Yes, there is no Spanning Tree at all, and it works great without it.
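The EPG idea is easier to see in code. The following is an added example, not the original post’s or Cisco’s code: a simplified model in which the ingress leaf classifies the sender by where it attaches, stamps the source group’s class ID into the VXLAN header, and the egress leaf enforces a contract between source and destination EPGs without ever consulting an IP address. The endpoints, EPG names, class IDs and contracts are constructed for the example, and the placement of the class ID in the header’s reserved bytes is an assumption of this model, not ACI’s actual encoding.

```python
"""EPG contract enforcement keyed on a group tag in the VXLAN header (added example)."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

VXLAN_FLAG_VNI_VALID = 0x08
TCP = 6


@dataclass(frozen=True)
class Endpoint:
    mac: bytes   # 6 bytes
    ip: str
    leaf: str    # leaf switch, port and access VLAN the endpoint attaches with
    port: str
    vlan: int


# Classification: where an endpoint attaches decides its EPG, not its IP address.
# Constructed bindings; ACI can also classify on VM attributes, IP or MAC.
EPG_BINDINGS = {
    ("leaf101", "eth1/1", 100): "web",
    ("leaf101", "eth1/2", 101): "app",
    ("leaf102", "eth1/1", 101): "app",
    ("leaf102", "eth1/2", 102): "db",
}
CLASS_ID = {"web": 16386, "app": 16387, "db": 16388}  # assumed per-EPG class IDs
EPG_OF_CLASS = {cid: epg for epg, cid in CLASS_ID.items()}

# Contracts: (consumer EPG, provider EPG) -> allowed (proto, dport). Constructed policy.
CONTRACTS = {("web", "app"): {(TCP, 8080)}, ("app", "db"): {(TCP, 5432)}}


def classify(ep: Endpoint) -> str:
    return EPG_BINDINGS[(ep.leaf, ep.port, ep.vlan)]


def permitted(src_epg: str, dst_epg: str, proto: int, dport: int) -> bool:
    if src_epg == dst_epg:  # intra-EPG traffic is allowed by default
        return True
    return (proto, dport) in CONTRACTS.get((src_epg, dst_epg), set())


def build_inner(src: Endpoint, dst: Endpoint, proto: int, dport: int) -> bytes:
    """Ethernet + minimal IPv4 + L4 ports; constructed stand-in, no checksums or payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                     IPv4Address(src.ip).packed, IPv4Address(dst.ip).packed)
    return dst.mac + src.mac + b"\x08\x00" + ip + struct.pack("!HH", 40000, dport)


def parse_inner(frame: bytes):
    """Return (dst_mac, proto, dport) from an inner IPv4 frame."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("only IPv4 inner frames are modelled")
    ihl = (frame[14] & 0x0F) * 4
    dport = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
    return frame[0:6], frame[14 + 9], dport


def ingress_leaf(src: Endpoint, vni: int, inner: bytes) -> bytes:
    """Stamp the source EPG's class ID into the header so the egress leaf can enforce."""
    sclass = CLASS_ID[classify(src)]
    # flags(8) reserved(8) sclass(16) VNI(24) reserved(8): the sclass placement is an
    # ASSUMPTION of this model, not ACI's real header encoding.
    return struct.pack("!BBHI", VXLAN_FLAG_VNI_VALID, 0, sclass, vni << 8) + inner


def egress_leaf(packet: bytes, local: dict) -> bool:
    """Decide from (source class, local destination's EPG, L4) whether to deliver."""
    flags, _, sclass, _vni = struct.unpack("!BBHI", packet[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI flag not set")
    dst_mac, proto, dport = parse_inner(packet[8:])
    dst = local.get(dst_mac)
    if dst is None:
        return False  # unknown local endpoint: drop rather than flood
    return permitted(EPG_OF_CLASS[sclass], classify(dst), proto, dport)


def simulate(src: Endpoint, dst: Endpoint, proto: int, dport: int, vni: int = 10100) -> bool:
    """One packet from src to dst through ingress and egress leaf; True if delivered."""
    pkt = ingress_leaf(src, vni, build_inner(src, dst, proto, dport))
    return egress_leaf(pkt, {dst.mac: dst})


# Constructed endpoints: WEB1 and APP1 share 10.1.1.0/24 but sit in different EPGs,
# while APP1 and APP2 share an EPG across different subnets.
WEB1 = Endpoint(b"\x02\x00\x00\x00\x00\x01", "10.1.1.10", "leaf101", "eth1/1", 100)
APP1 = Endpoint(b"\x02\x00\x00\x00\x00\x02", "10.1.1.20", "leaf101", "eth1/2", 101)
APP2 = Endpoint(b"\x02\x00\x00\x00\x00\x03", "10.2.2.20", "leaf102", "eth1/1", 101)
DB1 = Endpoint(b"\x02\x00\x00\x00\x00\x04", "10.3.3.30", "leaf102", "eth1/2", 102)

if __name__ == "__main__":
    print(simulate(WEB1, APP1, TCP, 8080))  # contract web->app permits 8080
    print(simulate(WEB1, APP1, TCP, 22))    # same subnet, but no contract for ssh
    print(simulate(WEB1, DB1, TCP, 5432))   # web has no contract with db
    print(simulate(APP1, APP2, TCP, 22))    # same EPG, different subnets
```

Notice what the egress decision reads: the class ID from the header, the destination’s group from its own attachment, and the L4 ports. The inner IP addresses are carried but never consulted, which is exactly why two hosts in the same subnet can be isolated and two hosts in different subnets can talk freely.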

The massive benefit of running your data centre on the ACI platform is automation and speed of application deployment. You no longer worry about trunking VLANs, maintaining IP spreadsheets or hand-editing firewall rules. Remember, the IP address doesn’t matter any more; it is just a resource. What really matters is your application and how you want to deploy it: the number of tiers and the security between them. The rules do not disappear, though. They become contracts between EPGs, and the policy is only as good as the classification that puts each endpoint into the right group.

Keeping Up with the Technology

Having strong traditional networking skills, I wasn’t a big fan of Software Defined Networking, which is essentially what ACI is, until I looked at it closely last month. As a freelance consultant you basically have to get on with things, and time isn’t on your side. It was the beginning of January 2017 when I immersed myself in my first massive ACI deployment project, leading design and implementation across three data centres worldwide.

Long days and evenings filled with designing, and learning not only how it works but how you implement it – Python, JSON, the REST API and so on. Two months later I enjoy it a lot more than when I started, obviously, because anything new doesn’t make much sense at first. The daily regimen of Cisco Live videos and reading various white papers and blogs will continue into the future, but should it ever stop if we want to win the battle with the robots?