For the past ten years, I have been a traditional route/switch network engineer. I have worked with spanning-tree environments that needed to be cleaned up. I've helped transition between protocols like MSTP, STP, and Rapid-PVST. I've looked at the routing protocols and helped migrate from RIP to EIGRP or OSPF. Looking at the WAN, we have MPLS, DMVPNs, and other carrier-grade circuits running various IGPs or BGP. I've worked in the data center and held firm my delineation where the network ends and other teams begin. But, is that the world we live in today? No. For the past five years, I have become more intimately involved in technologies such as storage (storage pools, LUNs), server virtualization (multi-hypervisor, configurations, deployments), security, load balancing, and more. That said, I know I'm not the only one. I hear this from companies who are going through the transition or those that have completed it. Some companies will maintain this segregation and siloed environments for a while, but the shift is here and the time to evolve is now.
In the data center, we used to build large core routing, core switching, distribution switching, and access layer switching environments. We then simplified this a little by doing some collapsing of the core and distribution. Perhaps we ran larger bladed chassis that supported virtual segmentation. Maybe we ran virtually linked physical hardware to simplify management. Perhaps you adopted technologies like Cisco's FabricPath to create one large layer 2 fabric. However, in all of these technological or architectural changes, you never changed your stance on visibility and responsibility.
Moving to Cisco's Application Centric Infrastructure (ACI) changes everything. The concepts of VLANs within the fabric cease to exist, except for how it talks to non-fabric components. You can do virtual machine manager (VMM) integration with different hypervisor providers like vCenter, Hyper-V, Red Hat KVM, and OpenStack. This isn't just an integration point where you say "I'm good, that's not my problem anymore." You have a visibility that a few years ago a network engineer didn't know and, I would argue, often didn't care to know. Now you can see within your network fabric where a host resides by physical port and MAC address, but also layer 3 IP information, which hypervisor they're attached, and the vNIC configuration. ACI installs a vSwitch for the integration, and while you could lean on a server admin to make changes, you can learn a lot from the setup and how it works. Likewise, the server admin can see components of the network fabric that are configured by how the EPGs populate port groups dynamically in a drop-down vNIC selection. A lot of communication, often argumentative, and back and forth myself and others have experienced in the past is overcome by these integrations. The network engineer is aware of the virtualized environment, and the virtualization engineer is aware of the network. Simplified teamwork, easier management, and more emphasis on the business objectives.
Next, think about firewall configurations within the traditional data center. You always have a perimeter firewall, but sometimes, you have internal firewalls to segment east-west traffic in the data center. Now, you can integrate the firewall into the fabric and perform micro-segmentation even between hosts on the same subnet! Imagine that, the ability to take 10.10.10.0/24 subnet in the data center and tell the network when host 10.10.10.10 talks to host 10.10.10.11, not only permit or deny this based on the ACI fabric, but punt it to a firewall for things like deep packet inspection, IPS, IDS, and/or data loss prevention. Also, not only do you provide benefits to the network security team, they benefit from your integration between the systems. Firewalls become aware of the endpoint groups (network constructs) and dynamically update groups of IPs in existing rules (built automatically by the ACI fabric) based on when a host is active in the group or decommissioned. Next, what if we only want some traffic to go the firewall and others not? We can do that too, by allowing some ports/protocols to go directly versus some going to the firewall. Maybe we want to ensure our incoming traffic to the fabric passes through a firewall for only a handful of subnets and not others while riding the same routing and physical path. We can do that as well. We have built not only a data center fabric but an intelligent fabric!
In closing, the days of the pure routing and switching engineer are coming to a close. The evolution of software-defined networking (SDN) is bringing about consolidation and more intelligent networks, which brings with it, more capable engineering operators and architects. Does this mean the knowledge is disappearing and not needed? No. SDN strategies are only as good as those who understand the foundation. However, the ability to leverage your foundation and expand your horizons will allow you to prosper in a field where everything is converging, moving to GUIs, and becoming less complex while providing more value, security, and benefits to the business.