The Problem with NSX and ACI

Let’s face it, if there’s even the slightest whiff of someone in a business somewhere mentioning or even thinking about ‘SDN’, Cisco and VMware will be knocking on that door… with a sledge hammer!
The problem is, neither vendor’s product is perfect and as yet, they don’t talk to each other.
NSX doesn’t manage infrastructure. Period.  It has not a care in the world to what is going on with the underlay.  And you might say “Well that’s how it’s designed – to be underlay agnostic”.  My problem with this is; if you’re doing a greenfield DC or refresh, you still have to consider the physical infrastructure. How are you going to manage that infrastructure, monitor it and maintain it. NSX won’t make it go away.  What NSX is good at is the logical stuff – it’s easy to understand the concepts of an edge firewall, distributed firewall, dLR and logical networks. And it’s easy to create the tenant spaces within those constructs.
ACI is infrastructure, it is not virtualisation. The super-cool thing about ACI is just how easy it is to deploy, configure and manage large-scale network infrastructure.  It’s unbelievable how easy it is! Where it fails, not abysmally just badly, is delivery of the infrastructure constructs into the hypervisor space.  Cisco need to create an hypervisor-component capable of everything a physical leaf does – sending traffic up to a physical leaf for processing and then returning it back to the hypervisor is just clumsy. Even worse, assigning VLANs (which we’re trying to get away from the limits of) into port-groups on the VDS and using that for [micro-]EPG separation is clunky.
Are these two competitors? Cisco and VMware believe so, but in reality they are solving different problems, expensively.
What is the answer.. working together.  Which is tricky – NSX has come along way in terms of the VXLAN/Logical Switching/dLR development and of course ACI is doing the same at the physical layer in the leaf(s) (leaves?). I like NSX’s ability to provide a limited set of basic network functions (Edge, SSL/VPN/SLB) in an easy-to-consume way, what I don’t like is it’s total ignorance to physical infrastructure and physical workloads.

NSX Ninja

In the later-half of 2015 I was lucky enough to be invited to the NSX Ninja partner course at VMware in Staines.  This is a course specifically to drive the knowledge-base of partner consultants and architect-types to enable them to seek out and position NSX oppertunities.  With two weeks of training on the agenda and the assumption you’ve already spent some time on either a training course (ICM or Fast Track) and earned the VCP-NV; this course focuses first on low-level troubleshooting components and packet flows, then on the design side with the intention of preparing students for the VCIX-NV.

Read the rest of this entry »


Cloud and the Reseller

Attending an event today at Cisco I was blindsided by the lack of forsight with some ‘fellow’ VAR representatives.

When asked the question ‘Do you feel that cloud is a direct competitor or threat to your business’, one plainly answered; ‘Yes- if the customer is buying cloud then they’re not buying hardware’.
I think most of us are in agreement that the days of being a pure box-seller (even if it’s a solution of boxes) are long gone. VARs should be looking to exploit cloud services and create offerings around them- incorporate them into solution designs; sell services such as DRaaS in the cloud, or Global Availability/localisation, or flexible compute for development. Sure, you might not get as big of a slice of the Capex budget, but you’ll get on-going Opex monies instead. If you’re smart, you’ll sell some form of managed service or cloud-support too.

Meraki – How networking should be done

Well – I had my first proper introduction to Meraki last month by doing their 1-day CMNA course and I have to say, I was very impressed.

Here’s a company that have taken edge networking (wireless and access switching) and security networking and made it easy.  Taken the complexity of the CLI out, made the UI intuitive enough and made the whole “crap, how do I do this” experience a thing of the past.  Sure, the kit and dashboard doesn’t have the bells, knobs and whistles as Cisco gear but sometimes there’s just no need for that.

Being able to attached a bit of the kit to the network and have it almost self-configure and become instantly visible in the dashboard is a far cry from having to find a console cable and manually configure management not only on the switch itself – IP address, syslog server, SNMP server/strings, local credentials, RADIUS or TACACS – but also on each of those monitoring systems as well.  Think of the time saved here when it’s all done, automatically, as if by magic..

Now, don’t let me deceive you here, there are actually some pretty neat and fairly complex things you can do around MDM profiles, client-specific profiles (with client-specific firewall and QoS) and site-to-site or client-based VPNs, but they are all made much easier.  Not to mention that EVERY device in the Meraki offering has Layer 7 capabilities (which is totally crazy!!) and makes good use of it.

Anyway – don’t take my word for it – try it out for yourself.

Oh, and before anyone asks just how expensive it is.. don’t forget, the license includes all the support you’ll need, hardware replacement, and you don’t have to license any additional or third party monitoring tools, so go factor that into your TCO before you dismiss it.