NFD26: Update on Two Cisco Fabric Automation Platforms
Cisco presented at Network Field Day (#NFD26) on four topics:
That’s a lot to cover, so I’m going to limit myself to some impressions and brief summaries.
My intent is to give you some information, to help you decide whether to watch the recorded video(s) or not, and which ones.
One challenge with Cisco products is there are so many, and not enough time. The result is that most of us keep up with whatever we’re working with at the moment. Unless you’re employed or consulting and specializing in one tech area, keeping up with Cisco on a range of products is … interesting, a challenge.
The NFD26 delegates experienced a bit of that. It became apparent that few if any of us have been watching Nexus Dashboard closely, so we lacked a baseline reference point for what the new features added. I’ve added some description to try to fill any such gap for you readers.
TL;DR
Cisco Nexus Dashboard?(CND) looks like an interesting work in progress. With me not being in an ACI supporting Ops role, it looks somewhat useful now, with the potential to become much more useful as more functionality is added to it. Having it tie together multiple dashboards across sites is a distinctly useful first step in making Nexus datacenter Ops easier.?
Sites may have not paid much attention to CND previously, if they felt the value added was not great enough yet. There’s also the licensing / funding side of that. The latest CND release may have changed that. (Or not.)?
Concerning?Cisco DNA Center?(DNAC), I’ve been waiting for the programmability side to be fleshed out, and glad to see that happening!?Bottom line: there is now a lot of developer support for DNAC.?
I’m also a huge fan of?Cisco’s Zero Trust (“ZTA”) story, especially the SD-Access / DNAC / ISE user and device side of it. I have the feeling that the ZTA story may get a bit tuned out, since people feel they need DNAC, SD-Access, and ISE to get started, and are put off by the apparent work and learning involved.?
I do agree there’s a learning curve, but there are several fairly well-documented paths which get you from “zero ISE” to “full ISE” in steps. Some good sales / consulting advice can help with that.??
FWIW, I keep watching Cisco’s competition for comparable features. They are starting to show up. The part around “we integrate with Cisco ISE and/or Aruba ClearPass” tends to be a little vague (or I haven’t sought hard enough for concrete documentation). I’m looking into that some, but Cisco may have a pretty good lead there in terms of “fit and finish” (polished product). I hope to have more to say about that in a later blog.?
Given the order of the presentations, the DNAC ZTA story will be a case of saving the best for last. With the recorded videos, you don’t have to wait to view it, if that’s your interest!
Cisco Nexus Dashboard
The next few paragraphs represent background that I wish I’d had before the Cisco Nexus Dashboard presentations. I’ve gleaned what I could from the Cisco website, with perhaps some interpolation, so I may have gotten parts of the following wrong. (No, I don’t get to be hands-on with some / most GUI products: limited time, no access to an instance, etc.)
Cisco’s stated goal for Cisco Nexus Dashboard (CND) is to have one central view and one point of administration of hybrid cloud (including datacenters), with full lifecycle automation.
Let’s briefly look at the ingredients, based on the CND web pages and screen captures I have from the presentations.
Previously, people ran CND in a cluster per site.
With CND now, the per-site CND instances can be clustered in the sense that any of them can provide a view across all of them, with click-through cross-launch taking you to any of the per-site instances. (My wording.) The magic glue is API’s. Setup appears to be simple: identify cluster peers on one member, and it propagates the peer list to the peers. Repeat as needed.
The shared / central view aggregates statistics and information from the individual site instances. For instance, it displays problems and outages across all clustered sites.
One component of CND is the Cisco Nexus Dashboard Orchestrator, the former Multi-Site Orchestrator (“MSO”). Orchestrator automates deployment. Apparently ACI will somehow be tied in, presumably via MSO (now NDO) integration.
CND provides support for consistent policy across sites (and ACI instances, apparently) in support of IP mobility and DR. That makes sense, one place to push out policy from.
CND supports multi-cloud deployments into AWS and Azure, along with interconnects between sites. (I lack further details.)
CND includes a Nexus Dashboard Data Broker, to collect and provide visibility for high-volume business-critical traffic.
CND is (or will be) an all-encompassing web front end and name for a family of products. To that end, DCNM is being rebranded as Cisco Nexus Dashboard Fabric Controller (“NDFC”).
I’m guessing that DCNM may eventually have GUI changes to provide a more common look and feel. In the short term, I suspect it will be more of a GUI launch from CND. We’ll just have to see how Cisco proceeds with that.
Various licensing packages apply – see Cisco’s CND web pages for details.
Here’s the starting / main screen in CND:
One good question I have is “what happens to ACI?”. Note that ACI is OK for provisioning stuff. But perhaps not the best NetOps tool for ongoing admin and troubleshooting. Will Dashboard complement ACI or eventually replace it?
So what’s new here? The obvious item is the cross-site clustering.
The bottom line appears to be increased ease of use, and smoothing operations tasks, with more to come on both fronts.
The recorded video demonstrates use of multi-site CND, something I can’t really summarize in words.
Here is a screen capture showing various alerts and their “anomaly scores”:
One related report is shown below:
Note the actionable information.
Here is one more screen capture, showing a multi-site view (dashboard):
Cisco Nexus Dashboard Insights – IT Ops Made Simple
The abbreviation would be CNDI – are we going to pronounce that “Cindy”?
With all the data feeding into the CND Data Broker, the Integrated Assurance Engine can provide network insights, including anomaly correlation. This is what Cisco has been calling “Assurance” lately. In the near term, Assurance provides suggestions and alerts you to things you might want to know, possibly with one-click remediation. At some future date, perhaps fully autonomous remediation may take place (if enabled).
Assurance allows doing pre-change analysis, for proposed configuration changes (what breaks) and compliance. It can also do post-update validation checks.
CNDI also can display anomalies it detects (below screen capture).
At present you apparently have to note fault ID’s, which you can then launch to from the Dashboard. (A sign of integration in progress.)
If any of this sounds useful to you, please watch the recording to see how it flows.
Assurance also links to the Bug Search Tool. That should in principle be great. It is handy if you like the Bug Search Tool.
(Candid side note: I won’t use the Bug Search Tool – the tool is OK, but the data it searches is mostly incomprehensible outside of TAC and Cisco programmers. Cisco’s trying to help here, but fixing the bug entries to be more understandable is a massive task. On the other hand, enabling self-service might reduce costly TAC engineer time.)
Cisco DNA Center Compliance and IAC (Infrastructure as Code) for NetOps
There were two main themes for this presentation and video.
We’ll start with a couple of screen captures showing some of the compliance functionality. These followed some general talk about DNAC compliance.
You can see the five main categories of compliance checks in the above. Here’s a summary of what they cover (based on RTFM):
The following screen capture shows some of what you get with compliance item drill-down.
Concerning the Developer / Automation side of DNAC, I will repeat Cisco’s API automation use cases:
The following shows some ways Cisco suggests you can automate compliance-related tasks.
And next, I’ve included a summary slide about the types of tools the Cisco Enterprise (“EN”) programmability group has built (and may be extending). Good stuff!
Another slide listed Dev resources, which I’ll include here for convenience:
Glad to see the developer side of the product gaining momentum!
Cisco SD-Access for Zero Trust Workplace
This presentation started out with a slide sequence covering building an endpoint policy, and then some coverage of AI analytics, including trust score, spoofing detection, posture status, etc.
I’ve included two screen captures below to summarize the ZTA aspect.
The first emphasizes macro and micro segmentation. The competition is just starting to do user-side macro segmentation. Integration with an 802.1X controller like ISE or ClearPass seems to be a gray area for them (other than perhaps Aruba – I need to spend more time reading their documentation).
Macro segmentation typically separates user / device VNs by routing via a firewall. In anyone’s scheme that I’ve seen, that requires central backhaul in some form, usually tunnels.
To me, micro-segmentation is best if distributed, switch-enforced, with local traffic flows. That seems to be work-in-progress for some other vendors. Possibly not tightly integrated as far as tools.
I see a lot of power in Cisco’s approach, due to the way ISE’s capabilities have been built up for device identification, tracking, and profiling, along with ongoing security trust assessment.
The next screen capture highlights what ISE does to classify devices. Pre-packaged sets of device IDs help there. And the Cisco-sponsored MUD protocol (one of my prior blogs) may help, although I expect IoT and device vendors to be sloppy about how they implement it.
Manufacturer Usage Description: “My name is MUD.”
Conclusions
I like what Cisco is trying to do with Nexus Dashboard and see potential there. Preventing problems in datacenter fabric and cloud deployments is certainly something we all want. Quickly troubleshooting them, ditto. Commonality across datacenter deployment styles (ACI, DCNM and Ansible/other) would also be helpful.
So if you’re operating hybrid datacenter or multiple ACI-based cloud instances, CND is something you should be taking a look at. It’ll also be interesting to see how the integration of DCNM works out over time. DCNM is incredibly powerful, but improving the GUI (and “undo” functionality) is high on my DCNM wish list.
The plethora of products and consequent licensing complexity is a bit of a concern.
For DNAC, I’ve already noted that I think Cisco has the strongest Zero Trust for campus story I’ve seen, as well as more mature products (by 2-5 years).
Links
Comments
Comments are welcome, both in agreement or constructive disagreement about the above. I enjoy hearing from readers and carrying on deeper discussion via comments. Thanks in advance!
Hashtags: #NetCraftsmen #CiscoChampion #CCIE25years #NFD26 #Cisco
Twitter: @pjwelcher
LinkedIn: Peter Welcher