Cisco Live 2023 Day Two

Tuesday

My day two was jam packed full of sessions, probably too many which I realised when I crashed mid-afternoon before getting a coffee and heading to my last session about VPCs in VXLAN.  

08:45 BRKCOC-2738: Cisco Hybrid Workplace

  • Cisco have a flexibility and reliability approach to the hybrid workplace.  
  • Cisco employees expect 10 days or less a month in the office.  
  • 64% of employees stay or leave depending on whether they’re remote.  
  • Cisco haven’t seen a change in the amount of people using their video cameras during meetings on Webex, this statistic still sits at 50%.  
  • They have the approach that work can be done anywhere, work is a thing you do not a place you go to.  
  • However remote working has had an impact on security with a 2.4x increase in malicious access attempts.  
  • ISPs contribute to 95% of hybrid worker outages and only 5% of outages were caused by Cloud providers.  
  • Hybrid work is sustainable work with a non-negotiable approach to this.  
  • Offices are now event-based culture hubs. 

https://cisco.com/go/hybridwork 

10:00 Opening Keynote

  • What a great start to Cisco Live, with over 13,000 people on site during the opening Keynote.  
  • Cisco are looking to the future with Quantum computing, Decentralised applications and Generative and Ethical AI.  
  • Currently they are looking into predictive networks, application security, sustainability and Net Zero.  
  • Some mentions of ChatGPT after Liz Centoni confirmed she asked ChatGPT how Adele would introduce (FSO) Full Stack Observability. FSO was heavily mentioned throughout.  
  • Cisco expect open telemetry to be widely adopted in 2023. Cisco is still the #1 contributor to this with other 400 contributors.  
  • Jonathan Davidson talked about simplification which involved DNA-C, Nexus Cloud, Open API, and cloud monitoring catalyst devices with Meraki Dashboard. He also confirmed that DNA Licenses include the Meraki Dashboard Monitoring.  
  • Sustainability has been a focal point of the opening Keynote and the whole of the week at Cisco Live.  
  • Javed Khan discussed the hybrid work space and confirmed that the attack surface has grown and that as an industry we’re still learning. He also discussed running Webex alongside Teams using the Webex suite which is compatible with O365.  
  • Tom Gillis the founder of Iron Port discussed Secure Network as a Service with Cisco security cloud and confirmed Zero Trust should be used to reduce reliance on passwords and push us towards the use of fingers and face. He also discussed Wi-Fi fingerprinting so that hackers cannot take advantage of fatigue when users are being spammed with MFA requests.  

11:30: BRKDCN-2906: Intro to Infrastructure as Code for ACI with Ansible and Terraform

  • Session was presented by Thomas Renzy and Rafael Muller. 
  • From a show of hands 60% of the room had used Ansible and Terraform. With most having used Ansible.  
  • Infrastructure as a code was pushed all week in the DevNet zone and during the automation sessions.  
  • Source of Truth tools discussed included Git and Github.  
  • Pipeline tools discussed included CI / CD, Drone, Travi. 
  • Execution tools discussed included Ansible and Terraform.  
  • Ansible characteristics were covered in-depth.  
    • It was confirmed ACI and MSO modules are available for Ansible, so you don’t need to know how to code to be able to use these tools, just need to understand data structures (IOS is a data structure).  
  • Ansible concepts were shown, roles, playbooks, group_vars, files, inventory.yaml. 
  • Throught the demonstrations VSCODE and yaml was used.  
  • JINJA2 was used for templates and variable substitution.  
  • Ansible can also be used to gather information from hosts.  
  • Some of the key points made:  
    • Do not store username and password inside source control such as Github.  
    • Use iteration to loop tasks for example when creating multiple VLANs.  
    • There is no need to remove previous code from Ansibles playbooks, if the configuration is already in place Ansible will ignore it.  
    • Use group_vars to scale, for use when creating VLAN pools.  
    • When you push configuration to ACI using Ansible you get an Ansible symbol in the ACI GUI next to configuration it has created, Terraform does the same with it’s own symbol.  
  • Terraform was demonstrated, it was confirmed again that no coding / programming knowledge is required to use this tool only knowledge of data structures. 
  • Where as Ansible uses Python, Terraform uses GO.  
  • Terraform has multiple providers:  
    • Partner: Cisco (Cisco is committed to maintaining this).  
    • Official: AWS, GCP, AZURE. 
    • Community: Open Source. 
  • When using Terraform you must declare the providers that are being used. For example, a source could be Cisco DevNet / ACI.  
  • The main difference between Terraform and Ansible is Terraform is stateful, the state table is stored in the terraform.tfstate file. Ansible doesn’t have state. This means Terraform is quicker, but this is double edged as you can accidentally delete configuration.  
    • Do not run this on your own laptop, use a remote backend. 
    • When using Git do not push the tfstate file.  
    • Do not modify the tfstate file, changes are made to the configuration only.  
  • Terraform maps dependencies such as the dependency of a VRF to a Bridge Domain to an End Point Group.  
  • Both Ansible and Terraform use username and passwords and the session limit on ACI before version 5 won’t allow it.  
  • Certificate based authentication for NDO / MSO also isn’t an option.  
  • Infrastructure as a Code can be integrated with SNOW.  
    • Changes to ACI can be managed via Git allowing for change reviews and approval.  
  • Cisco is committed to Ansible and Terraform. 
  • TAC will support with modules and resources, however they will not support your playbooks. Github also has support.  

13:45: BRKDCN-1688: How to Operate your Nexus and ACI networks from the Cloud

  • Session was presented by Domenico Dastoli and Carlos Campos Torres.  
  • Cloud is an operational and financial model.  
  • Nexus Cloud can run NX-OS and ACI. 
  • Nexus Dashboard is an appliance, Nexus Cloud is SaaS.  
  • Nexus Cloud runs with Cisco Intersight which has a common data lake available from lost of different infrastructures.  
  • APIC 5.2(7f), 6.0(2) can be onboarded with full feature set. APIC 4.2 onwards can be onboarded with a reduced feature set.  
  • NX-OS 10.2(4)M and 10.3(2)f can be onboarded with full feature set.  
  • Not currently in general availability.  
  • 90 Day grace period included.  
  • Anomalies are reported and fixes are advised, advisories available for PSIRT.  
  • If devices are already in Cisco intersight you don’t need to reclaim.  
  • Devices can be manually claimed with device ID and claim code.  
  • Nexus Cloud shows resources, endpoints, L3 neighbors and it can drill down into VMM domains.  
  • With NX-OS you only need to discover one device, from here Nexus Cloud will discover the rest of the network.  
  • Software management is available, with the ability to download ACI upgrade assistance which runs a pre upgrade report and a post upgrade report, these reports show any issues. This tool also configures its own maintenance groups in ACI prior to upgrades.  
  • CIMC is currently not available for software management, but this is a future possibility.  
  • NDFC support is coming in weeks.  
  • NDO / MSO is not included. Cisco are looking at a unified upgrade experience in the near future.  
  • General Availability 2QCY23.  
  • Ask Cisco account managers for access to the Nexus Cloud to have a look.  
  • Nexus Cloud and Nexus Dashboard can co-exist and no further licenses are required.  
  • Nexus Dashboard has, NDO, Databroker and NDFC whereas Nexus Cloud currently doesn’t.  

15:00: BRKOPT-2705: Growing Networks with 400Gbps Coherent Pluggable Optics

  • Session presented by Emerson Moura  
  • Why do we need 400Gbps?  
    • Not just about speed. 
    • Silicon 1 architecture is highly optimised. 
    • Lower power requirements.  
    • Lower cost. 
    • Enabling 10Tbps / RU. 
    • Smaller form factor. 
    • Better port density. 
    • Better thermal profile. 
  • 95% less power and coding requirement.  
  • Zero extra rackspace required.  
  • Significantly lower CAPEX. 
  • Less hardware, less touchpoints.  
  • We no longer need 100Gbps transponders or grey optics.  
  • 10db span budget, 40km with no amplification.  
  • 400ZR with optical amplification up to 120km (Point to Point DWDM). 
  • With full DWDM up to 1,400km.  
  • Cisco believes this will be the only way to interconnect with Hyperscalers in the future.  
  • QSFP-DD is Cisco’s go to.  
  • Its interoperable with other vendors. (Thermal profiles may vary).  
  • If required multi-degree ROADM or an Add / Drop DWDM MUX / DEMUX can be used to even out power levels when using traditional optics alongside 400Gbps.  
  • Cisco compatibility matrix tmgmatrix.cisco.com. 
  • Graphana can be used to show optical statistics.  
  • QSFP-DD has enabled the Next Gen SP to use RON – Routed Optical Networks 
  • This session links is well with Internet for the Future: Journey to Next Gen SP Architecture and Operating Model.  

16:00: BRKDCN-2912: Best Practice of Virtual Port Channel in VXLAN

  • Session was presented by Nemanja Kamenica. 
  • The first question to audience was “Has everyone configured a VPC before?“, the answer was yes.  
  • Overview of the basics of VPCs, Domains, Keep Alice, Peer Link.  
  • If VPC consistency check “1” fails, its due to the STP mode or VLAN configuration don’t match. The outcome is secondary VPC peer is suspended.  
  • If VPC consistency check “2” fails, its due to the SVI configuration. The outcome is just a notification.  
  • Overview of VXLAN, VTEP, VNI/VNID, VNI HEADER, confirmed RR – Route Reflectors share MP-BGP EVPN between VTEPs. Each has control plane information by peering with RR. 
  • Type 2 and Type 5 messages were covered in-depth.  
  • If devices are within the same VNI they can communicate at layer 2  
  • If devices have an L3VNI then traffic can be routed.  
  • In VPC with VXLAN two VTEPs are combined, they both share an anycast VTEP and have an individual node identifier.  
  • VPC in VXLAN is active / active there is no need for FHRP.  
  • Port-channel hashing is what avoids duplicate BUM (Broadcast Unicast Multicast) traffic.  
  • The Route Definition is duplicate from both VPC peers, this is how the RR knows there is peers in the VPC domain. This is sent with the RMAC (Router MAC).  
  • Hosts in the same VNI have the Ext Community as the RMAC address.  
  • Best practice for subnet advertisement with VPC and VXLAN is to DUAL-HOME.  
  • There is two ways to do BUM traffic in VPC.  
    • VTEP to VTEP same VNI. Traffic is sent to the same VTEP everywhere with the same L2VNI.  
    • Dynamic list of VTEP to VNI pairings.  
  • VPC with Fabric Peering was discussed, virtual peer-link is via the fabric. This uses the Spines for redundancy and doesn’t use a VTEP address.  
  • Best practices  
    • VPC Delay restore (Orphan port).   
    • VPC Delay restore (SVI).   
    • NVE Hold down timer.  
    • VXLAN VPC consistency check.  
  • Finally, VPC Border Gateways in multi-site were discussed.  
    • Two VTEPs are in BGW mode so are extended via the DCI (DC Interconnect).  
    • 512 VTEPs are allowed per site.  
    • This can be used for migration purposes.  
Back to GENERAL NETWORKING

© Copyrights 2024 Starfish Vlabs. All Rights Reserved.