SDN & APIC-EM TECH-Update - Cisco · SDN & APIC-EM TECH-Update August 2015 ... multiple enterprise use cases APIC EM Apps APIC IWAN App GA with dynamic QoS Multiple apps across Wireless,

SDN & APIC-EM TECH-Update August 2015

René Andersen System Engineer Cisco DK

Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public

Why SDN, programming and APIC?

2


Manual Automated

Box-Centric Network-Wide

Provision in Months Hours

Closed Systems Open and Programmable

Network Data Business Intelligence

New Installations Existing + New Installations

Fast IT: IT Agility at the Speed of Business


Design Point for Cisco APIC-EM Solution

4

Low Risk Minimal to NO programming

Low Complexity

Brownfield Support

Start with few solvable problems


But uses controller

to mask complexity

NETWORK

Why controllers helps us all, admin still has the power.

5


APIC APIC-EM

DC WAN Access

ODL

Open

Source

Cisco SDN Controller Technologies

1 2 3

Different controllers different purposes


Abstracting Conventional Policy Complexity

Conventional Model

The What

“Security Policy for Branch A”

The How

“Change ACLs in the Following

Elements”

The What

“Security Policy for Branch A”

The How

“Change ACLs in the Following

Elements”

ACI Constructs

Admin

Driven

Admin Driven

Northbound APIs

APIC EM

ACI Policy Model

ACI Abstracts System Management and Enables Programmable Driven Policies

7


What is Policy?

WHAT HOW

Policy way to simplify how we do things via abstraction 8

Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public 9

Cisco APIC Enterprise Module Architecture

Abstracts Network Devices to Mask Complexity

Treat Network as a System

Exposes Network Intelligence

For Business Innovation

Cisco APIC Enterprise Module

Cisco and Third Party Applications

Network Devices Catalyst, ASR, ISR

Network Info Database

Policy Infrastructure

Automation

REST API

Southbound Interface: CLI

Security QoS IWAN Network PnP

Masking Network Complexity, Exposing Network Intelligence .


Intent Policies

High Level Constructs

Translation

Network Control Functions

QoS ACL Configuration

UI:: BradWebAllow: brad http allow

Policy Manager:: Business Policy -> Network Policy

Policy Programmer:: Network Policy-> Network Cmds

Scanner-Service:: Network Commands -> device

Policy engine – Business Intent

Translation of high level constructs to

network control functions reduces skills

gaps and clarifies policy procedures

10


{"policyName":"bradweballow","policyOwner":"Admin","policyPriority":4095,”

networkUser":{"userIdentifiers”:["brad"]},"resource":{"applications":["80,80,tcp"]}

,"actions":["PERMIT"]}

UNDER THE COVERS – YOU DON’T SEE THIS!

CompositeNetworkPolicy [networkPolicy=NetworkPolicy [policyId=902000be-adaf-4f41-bfb7-

d1d9ee01e0f8,

creatorUserId=Admin, policyName=bradweballow, policyPriority=4095,

businessPolicyId=10d7e374-c1e0-4190-b3f8-58b3a49b4a90,

flowId=7ba2034a-3cb0-4877-ae14-4a6c33aac312,

actionId=70fb3b4c-ccf8-4561-b49c-684e5dc8d3cd, ],

flow=Flow [flowId=7ba2034a-3cb0-4877-ae14-4a6c33aac312,

srcIp=10.10.30.2, srcIpMask=32, dscp=-1, protocol=tcp, srcTptPortLower=0,

srcTptPortUpper=0, dstTptPortLower=80, dstTptPortUpper=80], flowAction=FlowAction

[actionId=70fb3b4c-ccf8-4561-b49c-684e5dc8d3cd, action=permit, actionPropDscp=-1, ]]

CLI = config t, ip access-list extended User-Acl--8653840507576742282,

10 permit tcp host 10.10.30.2 any eq 80,

interface GigabitEthernet1/0/4, ip access-group User-Acl--8653840507576742282 in, end

20:22:28.992 EST DEBUG c.c.c.qos.acl.AclPolicy - Acl Policy Created Successfully on the

Device : d29d175f-aacc-4c9c-a290-2392fc80a0e3

11


First we need to check the APIC-EM User Interface

12


APIC-EM User Interface App: Device Inventory

13


APIC-EM User Interface App: Topology

14


APIC-EM User Interface App: **possible** future services


Use Case: Path Visualization

• No efficient method to troubleshoot IP voice and video sessions traversing the network on demand

• Lack of network visibility creates large OPEX to diagnose and find problem sources

• Path computation service provides a fast and accurate method for rapidly identifying/isolating paths causing problems

• Low risk use case for SDN

16


Path Trace Visualizer 5-Tuple Input

17


Path Trace Visualizer Wireless to Wired

18

Path Visualization (Trace) For Your Reference


Key Milestones to SDN Led Management Evolution 2015

Q1 2015 Q4-2015 Q1- 2016

APIC-EM CA

Path Visualization application for

network path tracing

APIC-EM GA

Scalable controller foundation

supporting multiple use case / apps

APIC-EM Updates

Expanded application support across

multiple enterprise use cases

APIC EM Apps

IWAN App GA with dynamic QoS

changes; BSA app EFT

APIC-EM Apps

Multiple apps across Wireless, Access,

Collab, Security and Automation

APIC-EM Apps

IWAN app EFT with policy based provisioning of Secure WAN

20


APIC-EM Policy App

21


APIC-EM Policy App Under the hood

22


Branch

SourceFire

Defence Center

SDN Controller

ISR Sensor

X

SourceFire Sensor

Sensor

1. BYOD Malware/Javascript Attack

2. SF Sensor detects threat

3. SF DC notifies Controller

4. Remediation API event

5. Policy installed on Access switch port by Controller.

6. Block or quarantine end-point

WAN

ISR

Internet

HQ

Malware Attack

Defense Center Alert!!!!

Controller Notification

Remediation Policy Enforcement

Host Quarantined

How to use Policy Programming for Network Threat Defense Policy Programming outside the User Interface

23


Branch

SourceFire

Defence Center

SDN Controller

ISR Sensor

X

Sensor

WAN

ISR

Internet

HQ

Controller Notification

Host Quarantined

How to use Policy Programming for Network Threat Defense Policy Programming outside the User Interface

24

Defense Center

/api/v0/policy POST

{"actions": ["DENY"],

"policyOwner":"admin”,

"policyName": "deny_all”,

"networkUser":

{"userIdentifiers”:["10.1

0.20.7"]}}

http://10.66.124.132:8081/api/v0/policy


EasyQoS App No More Individual, Box-by-Box Configuration

Config.

Cisco Validated

Design- Based Templates

Contr

ol

Tra

nsa

cti

on

al D

ata

R

ealtim

e

Best

Effort

Cisco Validated Design {CVD}

25

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&frm=1&source=images&cd=&cad=rja&docid=ln_0goqaJV_MOM&tbnid=fbpPXIoFBe-8DM:&ved=0CAUQjRw&url=http://www.engageselling.com/training/sales-mastery-home-action-kit.php&ei=A992UruEBOjSiAL1poCAAw&psig=AFQjCNGEdyJtQSH_IxOVNaDM1Ky7EL_ReQ&ust=1383608435713168


Easy QoS App Cisco Validated Design (CVD) classification and marking

26


Easy QoS Easy customization of policies

27


Use Case: Dynamic QoS Classification for Jabber Video

Enterprise Network

3945/ISRG2 3945/ISRG2

EN

Controller

3945/ISRG2

Cat 3750

Cat 3750

Single policy request produces automated change

across all network elements enabling high quality user

experience

QoS Changes

Collaboration

App

Session

Policy

AP

Pre-QOS change – Default Classification

Post QoS change - Video

28


Application Driven Network Dynamics Dynamic Policy Management for Jabber Audio/Video

Client A

calls Client

B

Calls Ends

CUCM calls

APIC-EM to

setup Policy

QoS Policy

enabled on

network device

APIC

EM

REST API

QoS Policy

removed from

network device

APIC

EM

REST API

CUCM calls

APIC-EM to

Delete Policy

29 (*) Roadmap

Cisco Confidential 30 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

NG Plug-N-Play - Simple Secure Scalable

Unskilled

Installer GUI Based

Consistent for devices &

PIN(Campus/Branch) Secure

RMA Use

Case

Greenfield

& Brownfield

Pre Provision Projects/Sites • Policies • Match Rules • Configs/Image • IP Addressing

Network Admin

1

• Network Admin remotely monitors status of install while in progress.

• Booting devices call out to PnP Server, requesting instructions

3

Campus-

Bldg-2

Smart Install Proxy

PnP Agent

Smart Install-Client

PnP Agent

PnP Agent

PnP Agent

PnP Server

Installer

Remote Installer • Mount and cable devices • Power-on

2 APIC EM


NG PnP – Components

PnP Agent: An embedded agent on the ISR

and Catalyst to automate deployment process

PnP Server: A central server that manages deploy

devices (images, configurations, files and licenses)

for the devices being deployed.

APIC EM PnP Server provides a north bound

interface for management applications.

PnP Server communicates with the Agents using an

open PnP protocol.

PnP Protocol: Protocol between the

Agent and the PnP server. This is an

open schema allowing third-party

development of PnP servers

Cisco Cloud Redirection Service

https://devicehelper.cisco.com/device-

helper

PnP Helper Applications:

Applications on smart phones and

personal computers that facilitate

deployment

Deliver Boot Strap config when

needed

Cisco Confidential © 2011 Cisco and/or its affiliates. All rights reserved. 32

Example Branch Automated Deployment

Pre Provision Projects/Sites • Policies • Match Rules • Configs/Image • IP Addressing

Network

Admin

Installer

Day 0

Day 1

Day 1

PnP Server

Network Admin

Internet

Deliver bootstrap

IT Admin remotely monitors

status of install while in

progress.

PnP Server site Device list

Installer on site • Mount and cable

devices • Power-on

PID Serial # Hostname IP address

ISR-2951 FOX23zxcd ISR-main 192.168.15.1

ISR-2951 FOX23zxcb ISR-bakcup 192.168.15.2

C3850 FOC123dfg Dist1 192.168.16.3

C3560C FOC443asd ACC-sw1 192.168.16.4

C3560C FOC443asa ACC-sw2 192.168.16.5

C3560C FOC443asg ACC-sw3 192.168.16.6

C3560C FOC443asx AC-sw4 192.168.16.7

Booting

devices

contact PnP

Server

requesting

instructions


APIC EM Component: PnP/ZTD Manageability Pre-provisioning and Day0

Cisco Devices Catalyst, ISR, ASR

Cisco ONE Enterprise APIC Controller - EM

CLI, OpenFlow, OnePK API, PNP Protocol

REST API

Zero Touch Deployment (ZTD)

App

Enterprise Applications & Orchestration Layer

Image & Config.

Policy Definition

Pre-

Provisioning

ZTD component

Scripts based on REST API

ZTD

component

First GUI based

PnP Server from

Cisco

ZTD App

Available Q4

2015

Security QOS Mobility


NG PnP: Installer App

No CLI by installer

Why an Installer App for Deployment

Delivers boot strap

Troubleshooting tool: ie: device status

Communicates with Server

3G/4G/Wifi

Provides device install status & progress

Provide project install notes/documents

Optional: the Installer App is not required for solution

Bootstrap and installer aid only

Supported Devices: Iphone, Ipad, laptop

Uses special Serial/console cable

Special App

Console

cables


NG PnP Server Discovery: precedence 1) DHCP Response with Options 60 & 43 – consistent with Cisco LWAP

Option 60 – Vendor Class ID matching Networking Device– optionally configured on DHCP Server

Option 43 – IP Address of PnP Server

2) pnpserver.localdomain – customer configures their DNS server to resolve

3) Cloud redirection https://devicehelper.cisco.com/device-helper

4) Neighbor assisted – when no DHCP

DNS Server

DNS response: 192.168.1.1

AGent

Resolve DNS “pnpserver.localdomain”

2 1

PnP Server

Contact PnP Server directly using option 43

“192.168.1.1”

https://devicehelper.cisco.com/device-helper




APIC-EM ZTD: pre-provision site process

Site Workflow

- Serial # and PID create rule to match the device

- Operational Config and/or IOS image for each device

- Bootstrap config optional

- Import/Export to use table driven data entry


Platform PnP Agent Support on Products Supported

Release

Release

Timelines

Access

Switches

Cisco Catalyst 4500E Switches (Sup8-E, 7-E/7L-E, 6-E/6L-E)

Cisco Catalyst 4500-X, 4900 Series Switches

Cisco Catalyst 3850, 3650, 3750-X, 3560-X Series Switches

Cisco Catalyst 2960-C, 3560-C Series Compact Switches

Cisco Catalyst 2960-S/SF/X/XR Series Switches

Cisco 5700 Series Wireless Controller

IOS 15.2(2)E,

IOS-XE 3.6.0E July 2014

Core Switches Cisco Catalyst 6500 Series Switches: Sup2T/Sup720

Cisco Catalyst 6880-X, 6807-XL Series Switches IOS 15.2(1)SY Dec 2014

Access Routers

Cisco 4451-X Integrated Services Router

Cisco ASR 1000 Series Aggregation Services Routers

Cisco Cloud Services Router 1000V Series

Cisco 800, 1900, 2900, 3900 Series Integrated Services Routers

IOS-XE 3.12/

IOS 15.4(2)T July 2014

Industrial

Ethernet

Switches

Cisco Industrial Ethernet 2000 Series Switches

Cisco Industrial Ethernet 3000 Series Switches IOS 15.2(2)E July 2014

Firewall, Data-

Center Switches

Cisco ASA Firewalls, Cisco Nexus Series Switches Roadmap Q4CY15

NG Plug-N-Play – Supported Platforms


Cisco Solution: APIC EM + IWAN

Single policy management domain Seamless LAN and WAN interoperability

Better Resource Utilization

Central point of control for multiple services Simplified Management

Lower Operational Complexity

One click implementation of business context policies Easier Deployment

Centralized end to end network level view Greater control of Service Level Objectives for critical Apps

Complete service location and form factor

transparency Higher Agility

Smarter Branch, Simpler Operations, Faster Service Delivery

IOS FW WAAS PfR

AVC

DMVPN


Cisco Intelligent WAN App for APIC-EM

Business Policy Dictates Network Action

IT Admin

Business

Policy:

App SLA

APP DMVPN

SLA

QoS

Security

Path

Selection

Access Application

Network Profile

NETWORK

SDN

Simple Workflow

Templates

Zero Touch

Provisioning Business

Level Policies

Open

Architecture

Network, Applications

Monitoring

39


APIC-EM IWAN App Dashboard and Site Configuration

40


Site topology choices in IWAN app


Link type selection in

IWAN app


Application priority policy setting in

IWAN app


Cisco Prime and APIC-EM

Control Layer

Device Layer

Operational Automation

Policy and Service Definition

Automated Assurance Provisioning

Visualization, Trending and Analytics

Network Intelligence

Device Layer Abstraction

Network Control

Policy Enforcement & Network Change

Management & Orchestration Layer

Cisco Devices Enterprise Networks, Data Center

Cisco APIC Common ACI Architecture

APIC for datacenter APIC Enterprise Module

CLI, OpenFlow, OnePK API

REST API (ONE DevKit)

Catalog / Provisioning

Fault / Events

User / Data Management

Performance Monitoring

Reporting / Analytics

Cisco IAC

UCSD

APIC-EM App (IWAN)

PRIME INFRASTRUCTURE & NAM

44


System of record vs. system of change

Prime Infrastructure APIC - EM

System of Record System of Change

• Policy definition

• Historical reporting on

events & performance

• Configuration archive

• Troubleshooting workflows

• Capacity Trending

• Predictive Analytics

• Policy enforcement

• Discovery (for change)

• Topology (for change)

• PnP

• Network state monitoring

• Device abstraction

• Network Control

45


Policy Maturity to Cover Enterprise System of Change

policy

traditional configura

tion

traditional

policy policy

Controller-based Automation ACI Today

traditional

Policy based

Configuration:

Dynamic, able to

be automated,

managed by the

controller;

Policy grows,

static shrinks


Cisco Controller and Management System Portfolio for the Campus/Branch in 12-24 Months

Common Controller Layer

for Campus/ Branch

Policy

Prescriptive

Provisioning

Feature

Configurable

Provisioning

Common Monitoring / Assurance

Common Automation Layer System of

Automation

System of Record

System of Change

NE NE NE NE NE

APIC-EM

Multiple APIC-EM

Apps

Prime

Infrastructure

Prime Infrastructure

Branch Service Automation

NE NE NE NE NE


Traditional Management to SDN led Management (1 of 5)

Prime Infra (NMS) NW (LF, AS)*, UCS

NE NE NE NE

Customer developed

provisioning tools, manual CLI

changes, and run book

automation for IT Operations

support

Traditional Management

NE NE NE NE

Controller

(APIC-EM)

Automation (Workflow / Orchestration)

Customer input on business /

service intent

Prime Infra (NMS) (Provisioning and Assurance)

SDN Led Management

* LF: Lifecycle, AS: Assurance


Traditional Management to SDN led Management (5 of 5) Prime Infra + APIC EM (w/ Foundation Apps, Solution Apps, Advanced Apps)

Prime Infra (NMS) NW (LF, AS)*, UCS

NE NE NE NE

Customer developed

provisioning tools, manual CLI

changes, and run book

automation for IT Operations

support

Traditional Management SDN Led Management

NE NE NE NE

Controller (APIC-EM)

…. APIC-EM Foundation Apps ($0) Ex: Inv., Topo., PnP..

APIC-EM Controller SW ($0)

(Opt) UCS HW Platform($$)

...

MGMT 3.x Lic. ($$) • PI 3.x

• Solution Apps Ex. IWAN App, etc

Advanced Apps ($$) Ex: BSA*, Prime Insight

Customer input on

business / service intent

Automation

...

... PI 3.x (NMS)

*BSA: Branch Services Automation


Add an APIC-EM Controller to Prime 3.0


In Prime – Enable APIC-EM Next-Gen PnP server for Plug and Play globally


APIC-EM Controlled Availability – Supported devices

52

What you get for CA2 APIC-EM ver. 0.9

Single ISO Image:

Containing one Linux Machine

Ubuntu 14.04 64-bit

Grapevine bits

APIC-EM Service Catalog

Client Container

Service Catalog

Operating System

Container

Bins / libs

Client Root

Virtual Machine

How APIC-EM can be deployed !

Hardware

Operating System

Container

Bins / libs

Client

Container

Bins / libs

Client Root

Hardware

Container

Bins / libs

Client

Container

Bins / libs

Client Root

Hypervisor

Operating System

Bare Metal Hypervisor Agnostic

C

u

s

t

o

m

e

r

a

s

k

!

!

!

Before you deploy… General Requirements:

• CPU: 2-4 cores or more

• RAM: 8-64GB or higher (for scaling)

• HDD: 40-150GB

• Bare Metal or ANY Hypervisor !

• Multiple Physical Machines for HA

• NTP server

• Internet access (for automatic updates)

Minimum Number of IP Addresses

Required = 1 (external Phy Interface)

Depending on the customer’s environment:

• Add +1 for access to NTP server network if separated (needed all times!)

• Add +1 for access to Internet (if not routable from above networks)

Custom made Apic-EM Apps


DevNet Forums | Sandbox | API Index | Documentation


Self-Service Sandboxes

Select environment

Verify availability

Reserve

Setup Conduct activities

Collaborate

Teardown


Building the Partner Ecosystem: Advanced Apps

Cloud Hosted WAN Management

Threat Detection & Mitigation

Network Performance Management

VDI & Load Balancing

More Partners are in Pipeline

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&frm=1&source=images&cd=&cad=rja&docid=54_EncgjLVDHYM&tbnid=jip67xWardNNjM:&ved=0CAUQjRw&url=http://www.berkatweb.com/?p=156&ei=J5LHUvmNL4TgoATxnoKwBg&bvm=bv.58187178,d.cGU&psig=AFQjCNHtH5y-fPR5LT5aaxQzmfrUkzWhDw&ust=1388897159743599

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&frm=1&source=images&cd=&cad=rja&docid=NB3c0Q2me4yf5M&tbnid=oeBBCR2nrFdQGM:&ved=0CAUQjRw&url=http://www.actionpacked.com/company/about&ei=b5nHUqa-N5D9oATs94GABQ&bvm=bv.58187178,d.cGU&psig=AFQjCNHylaXW9UnOKTWOf4dAd0ZCBJfhHA&ust=1388899051545508

Homemade Apic-EM Apps


Scope : Ensure IT is not preventing business from

growing and Lower TCO by right sizing switching

infrastructure

2 functions

• List amount of unused ports for a given time period,

suggest replacements when valid

• Predict growth and expand before problems arise

“RightSize App Goal”


APIC-EM

Database Switch infrastructure

Admin workstation 1. RIGHTSIZING-APP polls

APIC-EM rest API

2. APIC-EM polls southbound switches using CLI

3. RIGHTSIZING-APP saves data in database

4. RIGHTSIZING-APP check growth parameters and creates events is Threshold exceeding

5. RIGHTSIZING-APP sends events using email to procurement department

1

3

4

2

Procurement

5

“RightSize App”








SkyConnect 4.0 Lufthansa Systems global WAN platform

Reference customer on APIC EM

Is the All in One – iWAN – LAN and Voice solution”


APIC-EM Apps a.k.a how can the controller help my customer simplify their environment?

Path Visualization

Path Visualization + Integration with CUCM (via MapCollab)

ACL Trace

ACL Analysis

Security Policy Programming (Per User/Group)

Policy Programming for Network Threat Defense

Easy QoS via User Interface

Dynamic Policy for video soft clients

IWAN App

Network Plug and Play Server

Applications

Released in

phases

Just a few

examples,

there’s

much more

APIC-EM for free Get Apps with Cisco ONE


What Is Cisco ONE Software? A More Valuable and Flexible Way to Consume Cisco Software

A La Carte, Separately Priced Items

Current Model

Licensing Tied to Hardware

Perpetual for the

Lifetime of the Box

Software Suites

Offered as a Solution

Software License Portability

Access to Ongoing Innovation

Perpetual, Subscription, & ELA Options

Cisco ONE


Cisco ONE Software

Note: Not represented is the Base Software Platform (e.g., operating system) included with each device. These are not sold as a Cisco ONE bundle, but included with the device

Foundation

Security

Applications

Cisco ONE for Data Center

Threat Defense for Data Center

Multi-Tenant Converged

Fabric

Intercloud Fabric

Foundation for Networking

Foundation for Compute

Networking Compute

ASA, ASAv

Nexus 3K, 5K, 6K, 7K,

9K, MDS 9000

X86, UCS

Cisco ONE for Access

Identity Services for Access

Campus Fabric Advanced Mobility Services

Foundation for Switching

Foundation for Wireless

Switching Wireless

ISE, ISEv

Catalyst 2K, 3K,

4K, 6K

WLC, MSE, AP

Cisco ONE for WAN

Threat Defense for WAN

WAN Collaboration

Foundation for WAN

ASA, ASAv, Cloud

ISR, ASR, CSR

WAN

Products

Suites


Some References

75

APIC-EM

Session PDF http://www.cisco.com/web/DK/seminarer/mate

rialer.html

APIC-EM Demo Video’s incl. Audio https://www.youtube.com/watch?v=mUY5Er-

fjOs

APIC-EM on Facebook https://www.facebook.com/groups/apicem/

German Blog http://gblogs.cisco.com/de/category/apic-em/

DevNet and Download https://developer.cisco.com/site/apic-em/

http://www.cisco.com/web/DK/seminarer/materialer.html

http://www.cisco.com/web/DK/seminarer/materialer.html

https://www.youtube.com/watch?v=mUY5Er-fjOs



https://www.facebook.com/groups/apicem/

http://gblogs.cisco.com/de/category/apic-em/



https://developer.cisco.com/site/apic-em/



Documents

SDN & APIC-EM TECH-Update - Cisco · SDN & APIC-EM TECH-Update August 2015 ... multiple enterprise use cases APIC EM Apps APIC IWAN App GA with dynamic QoS Multiple apps across Wireless,