Cisco ACI first impressions

This post was originally published as a Twitter thread on 28.10.2020.

I took a five-day Cisco DCACI course. This is all new to me. I’m confused. Who is ACI for? The capabilities and completeness of the feature set are fantastic, but how do you manage such a complex system?

Everything is based on objects. I thought Junos was policy heavy, but this is the ultimate. There are no proper tools to create and manage all these objects and policies. Doing it manually through the GUI seems impossible even at small scale, so you need external automation tools and an inventory.

Object names can’t be changed after creation. Do things right the first time, or do them several times by trial and error. Keeping the logical structure consistent is hard.

The APIC GUI is overwhelming. The config hierarchy is very deep and hard to navigate. You can’t list or find all objects at once; you have to pick each one from a different part of the config hierarchy.

Take leaf access interface configuration blocks, for example. The interface policy form has 20 drop-down menus for selecting the policies it uses. A simple access port configuration takes about 10 different policy definitions and gluing them together.

[Screenshot of the APIC access policy chain for one server vPC: Physical Domain Sales_PhyDom; Switch Profile LEAF101-102_SWP with an Explicit vPC Protection Group and Selectors LEAF101-102; Interface Profile LEAF101-102_IFP with Access Port Selector "Server" (Leaf 101, Leaf 102) and Port Block 1/9; Attachable Access Entity Profile BareMetal AAEP; vPC Interface Policy Group Server IPG with LLDP Policy LLDP-On, CDP Policy CDP-Off and LACP Policy LACP-Active; VLAN Pool Sales_phydom_VLANs with Encap Block 1501 (Leaf 101, Leaf 102)]

L3 interfaces are also complex to manage. OSPF configuration, for example, is spread across multiple config hierarchies.

[Screenshot of the APIC L3Out navigation tree: Networking > Bridge Domains, VRFs, External Bridged Networks, L3Outs > OSPF L3Out > Logical Node Profiles > L102 > Logical Interface Profiles > OSPF L3Out interface profile > OSPF Interface Profile; Configured Nodes > topology/pod-1/node-102 > ARP for VRF-Sales:Presales VRF, BGP for VRF-Sales:Presales VRF > Neighbors, ND for VRF-Sales:Presales VRF > Neighbors, Interfaces, OSPF for VRF-Sales:Presales VRF > Areas, Interfaces, Routes; External EPGs; Route map for import and export route control]

Every GUI config page has tens of config options. For each one you have to check what it is and whether you need to set it. Very complex and time consuming to operate. Most options are best ignored in the first round.

That’s just basic connectivity at switchport level. Along with the VLAN pools, physical domains, attachable entity profiles, bridge domains, VRFs and L3Outs, you need contracts between endpoints to let traffic flow. You can skip this and allow all traffic, but then you lose a lot of what ACI offers.

Verification and troubleshooting still rely on the CLI. The GUI has a lot of visibility, but finding simple things like what is configured and what the protocol status is is frustrating via the GUI.

Lower-level network verification ends up with logging into the device CLI and running show commands.

I hate NX-OS syntax. It’s a combination of Linux and IOS, but a worse combination than either one alone. Even the industry standard “sh” command does not work without writing it out completely. Argh…

Overall, ACI was impressive with its comprehensive features and capabilities. But operating it through the GUI is frustrating and almost impossible to handle. You need a huge amount of understanding of the config structure and features, and a lot of planning. Hard to see it going right the first time.

That’s why you want to use an external single source of truth where you can create and manipulate objects and push a new configuration to APIC.
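As an added example (not code from the original post), here is what the access port chain from the screenshot above looks like when it is generated from a small source-of-truth dictionary instead of being clicked together in the GUI. The object names are the ones from the post (with underscores where the screenshot appears to have lost them), the class and attribute names are the standard APIC managed-object classes, the port and leaf IDs are taken from the screenshot, and the payload is built offline without contacting an APIC.

```python
# Constructed source of truth for one vPC-attached server, using the object
# names from the post; in practice this lives in git or an inventory system.
SOT = {
    "domain": "Sales_PhyDom", "vlan_pool": "Sales_phydom_VLANs", "vlan": 1501,
    "aaep": "BareMetal_AAEP", "ipg": "Server_IPG",
    "lldp": "LLDP-On", "cdp": "CDP-Off", "lacp": "LACP-Active",
    "switch_profile": "LEAF101-102_SWP", "leafs": (101, 102),
    "interface_profile": "LEAF101-102_IFP", "selector": "Server", "port": 9,
}

def mo(cls, attrs, children=()):
    """One managed object in APIC JSON shape: {class: {attributes, children}}."""
    node = {cls: {"attributes": attrs}}
    if children:
        node[cls]["children"] = list(children)
    return node

def access_port_payload(s):
    """Render the access-policy chain (VLAN pool, domain, AAEP, LLDP/CDP/LACP
    policies, vPC interface policy group, interface profile, switch profile)
    as one polUni tree suitable for POST /api/mo/uni.json on an APIC."""
    vlan = f"vlan-{s['vlan']}"
    infra = [
        mo("fvnsVlanInstP", {"name": s["vlan_pool"], "allocMode": "static"},
           [mo("fvnsEncapBlk", {"from": vlan, "to": vlan})]),
        mo("infraAttEntityP", {"name": s["aaep"]},
           [mo("infraRsDomP", {"tDn": f"uni/phys-{s['domain']}"})]),
        mo("lldpIfPol", {"name": s["lldp"], "adminRxSt": "enabled", "adminTxSt": "enabled"}),
        mo("cdpIfPol", {"name": s["cdp"], "adminSt": "disabled"}),
        mo("lacpLagPol", {"name": s["lacp"], "mode": "active"}),
        mo("infraFuncP", {}, [mo("infraAccBndlGrp", {"name": s["ipg"], "lagT": "node"}, [  # lagT=node: vPC
            mo("infraRsLldpIfPol", {"tnLldpIfPolName": s["lldp"]}),
            mo("infraRsCdpIfPol", {"tnCdpIfPolName": s["cdp"]}),
            mo("infraRsLacpPol", {"tnLacpPolName": s["lacp"]}),
            mo("infraRsAttEntP", {"tDn": f"uni/infra/attentp-{s['aaep']}"})])]),
        mo("infraAccPortP", {"name": s["interface_profile"]}, [
            mo("infraHPortS", {"name": s["selector"], "type": "range"}, [
                mo("infraPortBlk", {"name": "blk1", "fromCard": "1", "toCard": "1",
                                    "fromPort": str(s["port"]), "toPort": str(s["port"])}),
                mo("infraRsAccBaseGrp", {"tDn": f"uni/infra/funcprof/accbundle-{s['ipg']}"})])]),
        mo("infraNodeP", {"name": s["switch_profile"]}, [
            mo("infraLeafS", {"name": "leafs", "type": "range"},
               [mo("infraNodeBlk", {"name": "blk1", "from_": str(s["leafs"][0]), "to_": str(s["leafs"][1])})]),
            mo("infraRsAccPortP", {"tDn": f"uni/infra/accportprof-{s['interface_profile']}"})]),
    ]
    pool_dn = f"uni/infra/vlanns-[{s['vlan_pool']}]-static"
    return mo("polUni", {}, [
        mo("physDomP", {"name": s["domain"]}, [mo("infraRsVlanNs", {"tDn": pool_dn})]),
        mo("infraInfra", {}, infra)])
```

`json.dumps(access_port_payload(SOT))` is the request body; because every object is named from one dictionary, renaming or re-creating the chain is a change in the source of truth and a re-push, not a hunt through the GUI hierarchy.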

Also, you may want to standardize and simplify your connectivity and services before putting it all in ACI. Which is only a good thing.
