Wednesday, July 19, 2017

Cisco SD-Access and the Complexity Monster


A few weeks back, I attended Cisco Live 2017.  The headline announcement for the week was the Catalyst 9k series and DNA Center making up Cisco's SD-Access solution.  This represents a major shift in direction for Cisco’s networking business.  And while it looks very exciting, I am approaching DNAC and the 9k with some skepticism.

Why skepticism?  Because I’m a little nervous about the complexity of technology that this solution brings to bear.  Most of the components have been available in the Cisco portfolio for a while, but few have seen tremendous adoption.

(Sesame Street gif via GIPHY)

This cute Sesame Street gif is kinda how I feel right now.  Most of these technologies are either really new, or really old and never came to fruition on their own.

Let’s talk a little about how “The Network. Intuitive.” goes together: not a look at the hardware, but at some of the less-talked-about pieces that make up this solution.

Smart Licensing - Fairly New:
I’ve yet to see this deployed quickly, easily and without issue in non-Intuitive infrastructure.  It’s failed to live up to the “Make Licensing Great Again” mantra, and most of my customers are still opting for traditional management of PAKs rather than going this route.  I know that mandatory use of Smart Licensing is coming for both CUCM and the 9Ks, but I’m hoping that the kinks finally get worked out before DNAC and the 9Ks are shipping.

Overlay Network - Fairly New:
The overlay network is a VXLAN transport over a routed underlay.  SD-Access leverages VXLAN as the overlay tunnel and LISP as the control plane for the fabric.  I’ve seen VXLAN adoption in the datacenter, but almost no LISP deployed outside of an ACI lab.  I know there have been use cases galore for LISP, but I’ve not seen it widely deployed.  A new hardware platform with new features, used in new parts of the network.

SGT and SGACL - Fairly Old:
Done with Cisco ISE, Security Group Tags (SGTs) mark packets inside the VXLAN overlay with a tag as they ingress the network, and that tag is enforced on egress with a Security Group ACL (SGACL) on the egress port.  I’ve had a number of customers test this in POCs and labs; very few have taken it beyond that.  It was a PITA for brownfield and mixed switching environments and resulted in a lot of complexity to manage.

Provisioning - Really New:
DNA Center leverages APIC-EM for its Plug-N-Play module to provision new network devices.  This feature works today in shipping Catalyst product lines.  It works, and works moderately well, with a number of limitations.  The work-arounds include using self-destructing EEM scripts to inject config that would otherwise break the provisioning process.
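To make the self-destructing EEM work-around concrete, here is an added illustration (not from the post, and not Cisco's own PnP code) of an applet that waits for provisioning to finish, applies deferred config, and then removes itself; the applet name, the 300-second timer, and the VLAN/IP values are placeholders chosen for this example.

```ios
! Constructed example: a self-destructing EEM applet pushed as part of the
! PnP template. It defers config that would break the PnP session if it were
! applied while provisioning is still talking to the device.
event manager applet POST_PNP_CLEANUP
 ! Placeholder delay: long enough for PnP to finish and save its config.
 event timer countdown time 300
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 ! Deferred changes (placeholder values): move management off the VLAN that
 ! PnP used. Done inside the template, this would cut the provisioning session.
 action 2.0 cli command "interface Vlan1"
 action 2.1 cli command "shutdown"
 action 2.2 cli command "interface Vlan100"
 action 2.3 cli command "ip address 192.0.2.10 255.255.255.0"
 action 2.4 cli command "no shutdown"
 ! Self-destruct: remove the applet so it never fires again, then persist.
 action 3.0 cli command "no event manager applet POST_PNP_CLEANUP"
 action 3.1 cli command "end"
 action 3.2 cli command "write memory"
 action 4.0 syslog msg "POST_PNP_CLEANUP applied deferred config and removed itself"
```

Because the applet deletes itself before `write memory`, the saved configuration no longer contains it; the syslog line gives you something to alert on so a switch that never ran the cleanup stands out.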

ISE and 802.1X - Fairly Old:
Identity-based network security (the original IBNS) has been around for years.  Wired 802.1X has been challenging; the process is long and tedious, but worth it in the end.  Throughout the years there have been bugs around deploying advanced features in wired 802.1X.  On top of that, there have been a number of changes in the last few years, including the Class-based Policy Language (CPL), which changes how the wired 802.1X service works.  I haven’t seen a lot of customers adopting CPL, even though it introduces a lot of new and attractive features for 802.1X.  Between newer code and few implementations, I worry about software stability.  The ISE portion is pretty commonly deployed and generally works pretty well.  I’m unsure whether SD-Access will leverage CPL, but my assumption is that it will, considering that Cisco has been driving towards this for a few years now.

EasyQoS - Really New:
Another APIC-EM feature, and for the most part it’s worked well for me in the lab.  I am constantly checking to make sure it’s doing what I ask, and for the most part it has done very well.  My only major pain point is that some of these QoS policies can get very complex depending on the intents you have defined.

Jake (Not Tom’s) take:
Ultimately, there’s a LOT of complexity in this solution.  Managing that complexity is going to be the ultimate challenge.  We’ve seen solutions like this from Cisco before, where they take a lot of existing intellectual property and try to roll it into a single solution (IWAN).  Managing all the complexity continues to be the challenge in doing that (DMVPN, NHRP, PfR, AVC, etc.).  Here’s hoping SD-Access breaks this trend and gives users the simplicity they are hoping for.

For end customers, the promise of abstracting away all this complexity to do some pretty amazing stuff looks attractive.  If the speed of deployment, operational flexibility and stability are there, organizations will line up to deploy it.  For partners, prepare to bring your A-game for understanding how all these pieces fit together.  Hone those troubleshooting skills and figure out how to work with TAC on these very sophisticated and complex networks.

And finally, don’t rush into this.  Give it time to bake, and bake it out for your org in the lab and a PoC.