Intercloud Fabric for Business

Since it has been at least forever since I’ve written a blog post I figure now is as good a time as any!

I’ve just attended a Cisco Intercloud Fabric for Business class and finally have a reasonably good idea of what the product is designed to solve for business and how it goes about doing it. My initial reaction to the product as I’ve seen it is a mix of ‘it makes a lot of sense, but is still a lot of work,’ ‘why doesn’t it already do XYZ,’ and ‘wow, this is pretty great.’ Does that make any sense? I thought not; I’ll try to clarify, but first I’ll start with a bit of a higher level overview since I’m sure a lot of people are still trying to even understand what the hell this thing is.

First things first, there are TWO Intercloud products. Because Cisco marketing? The two flavors are ‘Provider’ and ‘Business.’ This class was focused on the ‘Business’ product, which is an actual shipping thing right now. The Provider flavor is out and in the wild to an extent, but isn’t orderable for us regular folk.

For now, all I will say about the Provider flavor is that it’s for…. dun dun dun…. PROVIDERS! As of right now that means AWS, Azure, and Dimension Data (to a less feature-full degree at this point). These are the available public clouds that Intercloud Fabric Business customers can leverage. BT and some other providers’ solutions will be available within the next few months, and of course more providers will be coming online as time goes by.

The Business flavor is intended to be deployed to a customer that has, or is implementing, a hybrid cloud solution. It seems that the primary motivation for Intercloud Fabric Business (ICFB from now on) is to provide the ability to put things into the public cloud and still be able to migrate them back into a private cloud/on-prem network. This is obviously a very important use case, and could potentially be very impactful for customers who fear getting ‘stuck’ in the cloud. It’s not quite (yet?) all it’s cracked up to be though; more on that later. The ICFB suite is actually composed of previously shipping products, plus one new tool to tie them together. The CSR 1000v serves the ‘router’ role — go figure. The 1000v (which I still shamelessly love despite everyone’s attitude about it) and the VSG serve the switch/controller/firewall roles, and the Prime Network Services Controller (PNSC — used to be VNMC if you played with VSG several years ago) coupled with the only ‘new’ product — the Intercloud Fabric Director (ICFD) — provide management functionality.

If you are familiar with the 1000v in general and the pieces of it (VSM and VEM), then ICFB will make a lot of sense to you. Effectively, by deploying the Intercloud Fabric Director, you deploy a VSM (and optionally VSG and CSRs if you choose to), and the VSM is still SSH-able and feels VERY familiar. Once the foundation is laid, the differences start to come out though. The Intercloud Fabric Extender and Intercloud Fabric Switch are the first two new pieces — but they’re not all that new 🙂

The Intercloud Fabric Extender lives on the private data center side of things (as a VM) and is the piece that forms the tunnel to the provider. This tunnel is encrypted and supports L2 extension. I’ve asked whether this is VXLAN, OTV, L2TPv3, or something else entirely, but didn’t get a clear answer just yet. It connects to the (or perhaps to multiple) Intercloud Fabric Switches. The Intercloud Fabric Switches (ICFS) are VMs that live in the cloud provider (AWS/Azure/DiData/etc.) and terminate the tunnel between the provider and the business.

Beyond these pieces, the router and the firewall do basically what you would expect. If you’ve played with VSG, you know what ICFB can do in terms of firewall functionality, and if you’ve played with the CSR, you basically get that too. They are just deployed in slightly different ways, with a bit more clicking (next, accept, ok, submit)!

Okay, so what does it all do? Well… basically it allows you to migrate VMs from your data center to the clouds and back. It does that while providing security functionality via VSG, and some cool routing stuff via CSR. The security stuff is pretty self-explanatory — VSG functionality in the clouds — that’s cool stuff. The routing allows you to have a default gateway in the clouds so you can have inter-VM traffic that doesn’t have to flow back through to your private cloud if you don’t want it to. Obviously you can do that part now, but here it happens in a way that is standardized across multiple providers — i.e. AWS vs Azure.

All of this magic that’s going on in the clouds is basically just leveraging the existing cloud provider functionality and consuming it for you via API calls in the background. Obviously you could do some/most of this without the ICFB product, but having a single place to manage all of this, and importantly being able to ‘vMotion’ (basically?) VMs to/from the cloud, is pretty cool.

Okay. Lots of wordy words about it, now let me explain myself.

It makes a lot of sense, but is still a lot of work:

It does make a lot of sense. It’s great to see a PRODUCT that helps people consume the CRAZY amount of options and nerd knobs that exist in public clouds. I put emphasis on PRODUCT because the vast majority of the customers I interact with simply aren’t interested in consuming things via custom written API calls; they don’t have dedicated devs, they don’t want to have to support things themselves — they all want a shipping, supported product that can help them address the business and technology requirements that they have. From that perspective I think ICFB is a great step forward. Here’s the hairy butt — it’s still a lot of work. There are a lot of things happening. I need to spend some lab cycles to get further involved in the product and I’m sure I’ll feel more comfortable, but even having a pretty solid foundation in 1000v stuff, and cloud/networking in general, I was a bit overwhelmed. There’s just a bunch of stuff happening, and the GUI, while relatively intuitive, has a ton of clicking to get things rolling.

Why doesn’t it already do XYZ:

This came up a few times in the course of the training… The biggie here I think was that you can’t (as of now) take EXISTING AWS workloads and pull them back into your private cloud. Obviously that doesn’t do a whole lot of good for customers who are already ‘stuck’ in AWS and want to be able to suck those workloads down and put them into their private cloud, or perhaps into another cloud provider that is offering a better price. The other ‘XYZ’ things it doesn’t do are obviously going to be different for everyone, but my first thoughts are — it only supports a few providers, it does NOT currently integrate nicely with existing 1kv/VSG deployments (this was the biggie for me), and why does it take so much clicking to do stuff — see previous section. The integration could be big-ish though — you ‘can’ integrate of course with existing deployments since this is all just copying VMs and providing L2/L3 connectivity/policy, but having an out of the box hook to suck existing policy out of a PNSC/VNMC and automagically populate that into the ICFB environment would be pretty slick in my opinion.

Wow this is pretty great:

So it actually works, and, is shipping. That’s totally a thing. I really feel like a lot of things in the last year or two from across the networking spectrum have been marketecture — that is, the presentation slides say it does a thing, but then it actually doesn’t. Despite many opinions of Cisco, I feel like Cisco has been pretty responsible in this respect. This is yet another example. I think a lot of people see the roadmap slides from Cisco and say that they’re advertising things that aren’t shipping/real yet, but that’s obviously an unfair statement. Yes, there are things that ICFB could be doing better — arguably a lot — but it’s working, and is relatively intuitive. I also don’t know any other product that is doing this right now — there is something to be said for that. Obviously if you are NOT a Cisco shop today, there is less value in this whole suite of tools than there is for an existing Cisco shop, but it’s still cool at the very least. I’m looking forward to trying to get a deeper understanding — outside of a dCloud lab, where I can really break things on my own and see how it integrates with my lab gear.