Tuesday, January 7, 2020

ACI alternatives from a security perspective

I suppose this could be an *Update* to my "Today I screwed up" post.

So with this most recent outage a lot of eyes have been placed on ACI. We have had 3 outages in the last 6 months tied to ACI. The first was a bug in the upgrade process that caused a data center interruption that could have been far worse if it happened today. At the time we had only moved a handful of SVIs from our 7k into ACI. During the upgrade process all SVIs that were controlled by ACI failed, killing those networks for the duration of the upgrade. Today we have close to 100 networks being controlled by ACI, so the same bug would be awful.

Our second outage with ACI caused our leafs to reboot at the same time due to a bug tied to the default NetFlow configuration, or rather the lack of one.

The third outage was my post from last week. This one fell squarely on me, as I deleted the parent profile and not the specific child vPC profile. We are submitting a feature request to Cisco in hopes that we can tag objects to prevent accidental deletion, similar to how you can protect OU objects from accidental deletion in AD.

So on to my question. We have discussed internally quite a bit what benefits ACI has provided us, and at this point we feel that from a traditional network perspective we would be better off running like we did pre-ACI. As a company our data center is just far too small to see the benefits; if we had dozens if not hundreds of leafs, ACI could be a real asset.

The big area where we really felt ACI won was security: the idea of moving to an application-centric network with contracts built out specifically to control what traffic is allowed. Obviously the caveat here is getting to that point, and to be honest I do not see any easy way of taking an established network and beginning to lay contracts down on it without a high chance of causing some severe interruptions as we migrate towards it.

The question was posed to me: if we backed out of ACI and went back to a more traditional approach, how would we secure the data center? That is the question I am hoping you all might have some insight into. Cisco is going to push us towards Tetration, which I am not opposed to, but I will not lie when I say I am a person who prefers a simplistic approach to a complicated one.

A firewall seems like an expensive alternative to ACI, but I could see how you would gain visibility that ACI does not provide out of the box. This would allow us to build out rules that start in monitoring mode and then gradually tighten into an actual firewall restricting traffic, without interrupting services. Outside of a firewall, does anyone have any other suggestions? I do not see a firewall being a very well liked suggestion.
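One concrete way to do that monitor-first rollout, whether the enforcement point ends up being ACI contracts or a firewall, is to learn candidate rules from observed flows and then score every new flow against the proposed policy without blocking anything until the "would deny" list is empty or understood. The Python below is an added example, not code from the original post or from Cisco; the flow records, the three-tier segment map (web/app/db), and the `min_flows` threshold are all constructed for illustration.

```python
"""Learn tier-to-tier allow rules from observed flows, then run new flows through
the policy in monitor mode (report only) before switching to enforcement.
Added example; all flow records and segment ranges below are constructed."""
from collections import Counter, namedtuple
import ipaddress

# Constructed flow records in a NetFlow-like shape: (src_ip, dst_ip, proto, dst_port).
Flow = namedtuple("Flow", "src dst proto dport")
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "10.10.2.10", "tcp", 8080),
    Flow("10.10.1.5", "10.10.2.10", "tcp", 8080),
    Flow("10.10.1.5", "10.10.2.10", "tcp", 8080),
    Flow("10.10.1.6", "10.10.2.11", "tcp", 8080),
    Flow("10.10.2.10", "10.10.3.20", "tcp", 5432),
    Flow("10.10.2.10", "10.10.3.20", "tcp", 5432),
    Flow("10.10.2.11", "10.10.3.20", "tcp", 5432),
    Flow("10.10.1.5", "10.10.3.20", "tcp", 5432),     # web talking straight to db: needs review
    Flow("10.10.3.20", "10.10.1.5", "tcp", 22),       # db initiating SSH to web: needs review
    Flow("192.168.50.9", "10.10.2.10", "tcp", 8080),  # source outside any known segment
    Flow("192.168.50.9", "10.10.2.10", "tcp", 8080),
]

# Hypothetical segment map (assumed for the example): the tiers a contract would sit between.
SEGMENTS = {name: ipaddress.ip_network(cidr) for name, cidr in
            {"web": "10.10.1.0/24", "app": "10.10.2.0/24", "db": "10.10.3.0/24"}.items()}

# A rule is expressed between segments, not hosts, so it survives host churn.
Rule = namedtuple("Rule", "src_seg dst_seg proto dport")


def segment_of(ip):
    """Map an address to its segment name, or 'unknown' if it is outside the map."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def rule_for(flow):
    """The segment-level rule a flow would need in order to be permitted."""
    return Rule(segment_of(flow.src), segment_of(flow.dst), flow.proto, flow.dport)


def learn_rules(flows, min_flows=2):
    """Aggregate observed flows into candidate rules.

    Returns (allowed, review): rules seen at least min_flows times between two
    known segments are proposed as allow rules; everything else (rare flows, or
    flows touching an unmapped address) goes to a review bucket instead of being
    silently baked into the policy."""
    counts = Counter(rule_for(f) for f in flows)
    allowed, review = {}, {}
    for rule, n in counts.items():
        known = "unknown" not in (rule.src_seg, rule.dst_seg)
        if known and n >= min_flows:
            allowed[rule] = n
        else:
            review[rule] = n
    return allowed, review


def evaluate(flows, allowed, enforce=False):
    """Apply the rule set to each flow and return (flow, verdict) pairs.

    In monitor mode (enforce=False) nothing is blocked: unmatched flows get the
    verdict 'would-deny' so the gap between real traffic and the proposed policy
    can be closed before flipping enforce=True, where the same flows become 'deny'."""
    verdicts = []
    for f in flows:
        if rule_for(f) in allowed:
            verdicts.append((f, "allow"))
        else:
            verdicts.append((f, "deny" if enforce else "would-deny"))
    return verdicts


def summarize(verdicts):
    """Count verdicts, e.g. Counter({'allow': 7, 'would-deny': 4})."""
    return Counter(v for _, v in verdicts)


if __name__ == "__main__":
    allowed, review = learn_rules(SAMPLE_FLOWS)
    print("proposed allow rules:", allowed)
    print("flows needing review:", review)
    print("monitor mode:", summarize(evaluate(SAMPLE_FLOWS, allowed)))
    print("enforce mode:", summarize(evaluate(SAMPLE_FLOWS, allowed, enforce=True)))
```

The point of the review bucket is that a flow seen once is not automatically legitimate; the single web-to-db connection and the db-initiated SSH session in the sample are exactly the kind of thing the policy is meant to stop, so they are surfaced for a human rather than learned. In practice you would feed this from the firewall's own logs over a few weeks, re-run the monitor-mode summary until the would-deny count stops changing, and only then enforce.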

I also wanted to thank everyone for their comments on the last thread; it really was helpful. I appreciate it, everyone.

Thank you


