Cisco ACI first impressions

This post was originally posted as a Twitter thread on 28.10.2020.

I took a 5-day Cisco DCACI course. This is all new to me, and I’m confused. Who is ACI for? Its capabilities and feature completeness are fantastic, but how do you manage such a complex system?

Everything is based on objects. I thought Junos was policy heavy, but this is the ultimate. There are no proper tools to create and manage all these objects and policies. Doing it manually through the GUI seems impossible even at small scale, so you need external automation tools and an inventory.

Object names can’t be changed after creation. Get things right the first time or redo them several times by trial and error. Keeping the logical structure consistent is hard.

The APIC GUI is overwhelming. The config hierarchy is very deep and hard to navigate. You can’t list or find all objects at once; you have to pick each one out of a different place in the config hierarchy.

Take leaf access interface configuration as an example. The interface policy has 20 drop-down menus to define the policies it uses. A simple access port configuration takes about 10 different policy definitions and gluing them together.

Screenshot of the APIC access-policy hierarchy for one vPC access port: Physical Domain, Switch Profile (explicit vPC, Leaf 101 and Leaf 102), Interface Profile (access port), Attachable Access Entity Profile (BareMetal AAEP), vPC Interface Policy Group (Server IPG), Port Block, LLDP Policy, CDP Policy, LACP Policy (LACP-Active), Encap Blocks on Leaf 101 and Leaf 102.

L3 interfaces are also complex to manage, like OSPF configuration, which is spread across multiple config hierarchies.

Screenshot of the APIC tenant hierarchy for an OSPF L3Out: Bridge Domains, External Bridged Networks, OSPF L3Out, Logical Node Profiles, Logical Interface Profiles, OSPF L3Out interface profile, OSPF Interface Profile, Configured Nodes, ARP / BGP / ND / OSPF for VRF Sales:Presales, External EPGs, route map for import and export route control.

Every GUI config page has tens of config options. For each one you have to check what it is and whether you need to set it. Very complex and time consuming to operate. Most options are best ignored in the first round.

That’s just basic connectivity at the switchport level. Along with VLAN pools, physical domains, attachable entity profiles, bridge domains, VRFs and L3Outs, you need contracts between endpoints to let traffic flow. You can skip this and allow all traffic, but then you lose a lot of what ACI offers.

Verification and troubleshooting still rely on the CLI. The GUI has a lot of visibility, but finding simple things like what is configured and what the protocol status is remains frustrating via the GUI.

Lower-level network verification ends up with logging into the device CLI and running show commands.

I hate NX-OS syntax. It’s a combination of Linux and IOS, but a worse combination than either one alone. Even the industry-standard “sh” command doesn’t work unless you type it out in full. Argh…

Overall, ACI was impressive with its comprehensive features and capabilities. But operating it through the GUI is frustrating and almost impossible to handle. You need a huge amount of understanding and planning of the config structure and features. Hard to see it going right the first time.

That’s why you want an external single source of truth where you create and manipulate the objects and then push the new configuration to the APIC.
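As an added example (not from the original post or from Cisco), this is what that source-of-truth approach looks like for the tenant objects mentioned above: a small inventory dict is validated (names are immutable, so bad names and dangling references are caught before anything is created) and rendered into the JSON tree the APIC REST API accepts at POST /api/mo/uni.json after a login at /api/aaaLogin.json. The class and attribute names (fvTenant, fvCtx, fvBD, fvAEPg, vzFilter, vzBrCP, pcEnfPref, ...) are ACI’s own; the inventory layout, the tenant/VRF/BD/EPG names and the 8080 filter are constructed for this example. It also keeps the VRF in enforced mode, so the contracts from the switchport paragraph actually gate traffic instead of being skipped with “allow all”.

```python
import re

# Constructed source of truth for this example; its layout is an assumption, not an ACI format.
SOT = {
    "tenant": "Sales",
    "vrf": {"name": "Presales", "enforce_contracts": True},
    "bridge_domains": {"BD-Web": "Presales", "BD-App": "Presales"},
    "filters": {"tcp-8080": {"prot": "tcp", "port": "8080"}},
    "contracts": {"web-to-app": ["tcp-8080"]},
    "epgs": {"Web": {"bd": "BD-Web", "consumes": ["web-to-app"], "provides": []},
             "App": {"bd": "BD-App", "consumes": [], "provides": ["web-to-app"]}},
}
NAME_RE = re.compile(r"^[A-Za-z0-9_.:-]{1,64}$")  # the object-name rule APIC enforces

def mo(cls, children=(), **attrs):
    """One managed object in the APIC REST JSON shape: {class: {attributes, children}}."""
    return {cls: {"attributes": attrs, "children": list(children)}}

def validate(sot):
    """Names cannot be changed after creation, so reject bad names and dangling references first."""
    names = [sot["tenant"], sot["vrf"]["name"], *sot["bridge_domains"], *sot["filters"],
             *sot["contracts"], *sot["epgs"]]
    bad = [n for n in names if not NAME_RE.match(n)]
    dangling = [e for e, v in sot["epgs"].items() if v["bd"] not in sot["bridge_domains"]]
    dangling += [c for c, fl in sot["contracts"].items() if set(fl) - set(sot["filters"])]
    return bad, dangling

def render(sot):
    """Build the fvTenant tree that the APIC accepts as the body of POST /api/mo/uni.json."""
    bad, dangling = validate(sot)
    if bad or dangling:
        raise ValueError(f"bad names {bad}, dangling references {dangling}")
    # pcEnfPref=unenforced is the "skip contracts, allow everything" shortcut; keep it enforced.
    ctx = mo("fvCtx", name=sot["vrf"]["name"],
             pcEnfPref="enforced" if sot["vrf"]["enforce_contracts"] else "unenforced")
    bds = [mo("fvBD", [mo("fvRsCtx", tnFvCtxName=v)], name=b) for b, v in sot["bridge_domains"].items()]
    filters = [mo("vzFilter", [mo("vzEntry", name=f, etherT="ip", prot=a["prot"],
                                  dFromPort=a["port"], dToPort=a["port"])], name=f)
               for f, a in sot["filters"].items()]
    contracts = [mo("vzBrCP", [mo("vzSubj", [mo("vzRsSubjFiltAtt", tnVzFilterName=f) for f in fl],
                                  name="subj")], name=c) for c, fl in sot["contracts"].items()]
    epgs = []
    for name, e in sot["epgs"].items():
        rels = [mo("fvRsBd", tnFvBDName=e["bd"])]                        # EPG -> bridge domain
        rels += [mo("fvRsProv", tnVzBrCPName=c) for c in e["provides"]]  # contracts provided
        rels += [mo("fvRsCons", tnVzBrCPName=c) for c in e["consumes"]]  # contracts consumed
        epgs.append(mo("fvAEPg", rels, name=name))
    app = mo("fvAp", epgs, name="AP-" + sot["tenant"])
    return mo("fvTenant", [ctx, *bds, *filters, *contracts, app], name=sot["tenant"])
```

`json.dumps(render(SOT))` is the request body; keeping the inventory in version control gives you the change history and review step the GUI never will.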

Also, you may want to standardize and simplify your connectivity and services before putting it all into ACI, which is only a good thing.
