Transcript of: APIC-EM and Software Defined in the Enterprise · Cisco APIC-EM, An Application Platform for...
René Andersen & Søren Andreasen, System Engineers, Cisco
CVU Update, January 2016
APIC-EM and Software Defined in the Enterprise
Cisco APIC-EM: An Application Platform for Enterprise WAN and Access Networks
• Virtual (ISO VM) or appliance-based
• Provides user policy abstraction and automation
• Simplification of complex network configuration with Cisco® application best practices
• Existing and new installations (Catalyst®, ISR, ASR, WLC)
Ready-to-deploy applications (October 2015):
• IWAN (with a license)
• Plug-n-Play (free)
• Path Trace (free)
BENEFITS: brownfield support; ready-to-use applications; open, northbound API
APIC-EM Delivers IT Flexibility
Enabling Automation Through Innovative Management Principles
OPEN and SIMPLE: from A (today) to B (with APIC-EM)
• Static → Programmable
• Expert CLI → Policy + GUI
• Greenfield → Brownfield + Greenfield
• Manual → Automated
• Box-Centric → Network-wide
• Provision in Months → Hours
Applications (Security, Orchestration, Automation, Collaboration) sit on the REST API; network-wide abstractions simplify the network.
SOUTHBOUND ABSTRACTION LAYER: Catalyst®, Cisco Nexus®, ASR, ISR, Wireless, ASA, other
The SDN Ideal: Controller as the Application Platform
Virtualization
APIC-EM resolves declarative business intent and renders it into a domain-specific language (network-specific control).
Application-, user-, and business-driven policies, for example: “Only corporate-owned devices in Group:FinExec can access quarterly results DB”
Rendered into Cisco® ISE + TrustSec + ACL configuration commands
APIC-EM Application Overview at GA
Public Cloud / Enterprise Network
Day 0: Plug-and-Play App
• Zero touch deployment of routers / switches / APs
• Accelerated roll-out: eliminates tech visits and shrinks deployment from months to minutes
Day 1: Cisco IWAN App
• Guided, fast auto-provisioning of IWAN solution with Cisco experts’ best practices
• From 1000 CLI commands to 10 GUI clicks per branch
Day 2: Path Trace App
• Discover path between two end points based on 5 tuple
• Rapidly troubleshoot congestion and ACL issues and lower OPEX for trouble ticket processing by 98%
APIC-EM PnP Application, Use Case: Auto-Discovery and Provisioning
Branch network: new router / new switch → PnP Application → IT
Simple workflow, zero touch provisioning, SDN, open architecture
BENEFITS:
• Zero touch deployment
• Shortened deployment time; no on-site expert needed
• Increased security; decreased chance of misconfiguration
Network Plug and Play (PnP)
1. Discovery: device can reach PnP Server on APIC-EM
2. Deployment: device receives target image and configuration
No staging required: PnP runs from Cisco factory-default configuration
Supported: switches (Catalyst®), routers (ISR, ASR), wireless access points
PnP – Simple & Secure & Consistent: switches (Catalyst), routers (ISR/ASR), wireless AP
APIC-EM PnP Dashboard
APIC-EM Bulk Import/Export
APIC-EM PnP REST API Support: the PnP REST API (part of the APIC-EM API) is driven from the customer’s existing automation frameworks (e.g. Python scripts, configuration generator, etc.) and from a device repository and database.
APIC-EM IWAN Application, Use Case: Cisco Best Practices & Knowledge for SDWAN
Network (DMVPN, SLA, QoS, path selection); business policy: App SLA → IWAN Application → IT
Simple workflow, zero touch provisioning, business level policies, open architecture, SDN, network and applications monitoring
BENEFITS: from weeks to minutes; over 1000 CLI commands reduced to 10 GUI clicks
Note: IWAN App Release 1 targets less than 500 sites, 2 links per Branch with ISR4000.
Intelligent WAN Solution Components
Transports: MPLS, Internet, 3G/4G-LTE, connecting the branch with private cloud, virtual private cloud and public cloud
Management and Orchestration: IWAN App, Cisco Prime™
• Transport Independence: consistent operational model; DMVPN, PKI; IPSec WAN overlay
• Intelligent Path Control: Performance Routing (PfR, PfRv3), QoS; optimal application routing; efficient use of bandwidth
• Application Optimization: AVC, WAAS, Akamai; performance monitoring; optimization and caching
• Secure Connectivity: Suite-B, CWS, ZBFW; NG strong encryption; threat defense
Three main areas:
1. Hub site and settings
2. Administration of application policy
3. Branch site setup
IWAN App on APIC-EM: policy-driven IWAN site deployment including PnP and monitoring; step-by-step network and hub settings; simple policy definition and customization
APIC-EM Path Trace Application, Use Case: Accelerate Trouble-Ticket Processing
Network → IT trouble ticket → path visualization → user
Simple workflow, SDN, open architecture, application path monitoring
• Easy visual discovery of trouble spots in the communication path based on 5-Tuple
• OPEX for ticket processing decreased by 98%: from 1.4 hours to 1 minute
APIC-EM Path Trace: hop-by-hop details specific to the 5-tuple path
Introducing APIC-EM and 3 Apps
Day 0: Plug-and-Play App – zero touch deployment of routers / switches / APs; shrinks deployment from months to minutes
Day 1: Cisco IWAN App – guided, fast auto-provisioning of IWAN solution with Cisco experts’ best practices; from 1000s of CLI commands to a few policy deployments with a few GUI clicks per branch
Day 2: Path Trace App – discover path between two end points based on 5-tuple; lower OPEX for trouble ticket processing by 98%
3 NEW APPLICATIONS: applications (Security, Orchestration, Automation, Collaboration) on the northbound REST API
TECHNOLOGY DIFFERENTIATION: southbound abstraction layer (Catalyst | ISR | ASR | Wireless)
APIC-EM Platform Architecture
• APIC-EM Applications: Network PnP, IWAN, Path Trace, Network Inventory, Advanced Topology Visualizer
• APIC-EM Services: Inventory Manager, RBAC, Policy Analysis, Policy Programmer, Network PnP, Data Access Service, Topology Services, IWAN Services
• Elastic Controller Infrastructure (Grapevine)
• Network
Applications are built on top of APIC-EM; applications packaged with APIC-EM: core applications bundled, IWAN Application separately licensed
Open and documented REST API; core services and application-specific services; the elastic controller infrastructure provides scale and high availability
APIC-EM Northbound REST API
Problem: how to get started with a controller API?
Solution: explore.
Example:
1) In the APIC-EM user interface, click on [API]
2) Navigate to the desired API; in our example: /network-device/count
Using APIC-EM Northbound REST APIs
A session token is required for APIC-EM northbound REST API calls:
− Use the POST /ticket API call to generate a token
− Embed the generated ticket as the X-Auth-Token header in subsequent API calls
Northbound REST APIs use the JSON format for exchange of data between the controller and the REST application (API consumer).
Typical developer sequence:
− Explore via APIC-EM GUI (Swagger)
− Prototype in Chrome/POSTMAN
− Script (Python, perl, …)
− Integrate
Step 1: Request service ticket
Step 2: API response with service ticket information
Step 3: Add ticket to the X-Auth-Token header
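The three steps above as a small Python client, added here as an example (it is not code from the deck or from Cisco). The transport is pluggable, so the same sequence runs offline against a constructed fake controller that hands out one ticket and refuses unauthenticated or forged calls. Assumptions not on the page: the /api/v1 prefix, a JSON {"username","password"} body for the ticket call, and a {"response": {"serviceTicket": ...}} reply; the controller address is a placeholder.

```python
"""Added example, not from the slide deck: the service-ticket handshake for
APIC-EM's northbound REST API (POST /ticket, then X-Auth-Token on every
later call). The transport is pluggable so the sequence runs offline against
a constructed fake controller. Assumptions: the /api/v1 prefix, a JSON
{"username","password"} body, and a {"response": {"serviceTicket": ...}}
reply; the controller address is a placeholder."""
import json
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Placeholder controller address; the API version prefix is an assumption.
BASE_URL = "https://<APIC-EM IP>/api/v1"

# (method, url, headers, body) -> (status, raw response body)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real HTTPS transport via the standard library (the certificate is verified)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()


class ApicEmSession:
    """Obtains a service ticket and attaches it as X-Auth-Token to later calls."""

    def __init__(self, base_url: str = BASE_URL, transport: Transport = urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.ticket: Optional[str] = None

    def login(self, username: str, password: str) -> str:
        # Step 1: POST /ticket with the credentials as a JSON body.
        body = json.dumps({"username": username, "password": password}).encode()
        status, raw = self.transport("POST", f"{self.base_url}/ticket",
                                     {"Content-Type": "application/json"}, body)
        if status != 200:
            raise PermissionError(f"ticket request failed with HTTP {status}")
        # Step 2: the ticket is returned in response.serviceTicket (assumed shape).
        self.ticket = json.loads(raw)["response"]["serviceTicket"]
        return self.ticket

    def get(self, path: str) -> dict:
        # Step 3: every later call carries the ticket in the X-Auth-Token header.
        if self.ticket is None:
            raise RuntimeError("call login() before any other request")
        headers = {"X-Auth-Token": self.ticket, "Content-Type": "application/json"}
        status, raw = self.transport("GET", f"{self.base_url}/{path.lstrip('/')}",
                                     headers, None)
        if status == 401:
            raise PermissionError("ticket missing, rejected or expired; log in again")
        if status != 200:
            raise RuntimeError(f"HTTP {status} for {path}")
        return json.loads(raw)


def fake_controller() -> Transport:
    """Constructed stand-in for a controller so the flow runs offline.
    Issues one ticket for one credential pair and rejects GETs without it."""
    issued = "ST-constructed-ticket-0001"

    def transport(method, url, headers, body):
        if method == "POST" and url.endswith("/ticket"):
            if json.loads(body) == {"username": "admin", "password": "demo"}:
                return 200, json.dumps({"response": {"serviceTicket": issued}}).encode()
            return 401, b'{"response": {"message": "bad credentials"}}'
        if headers.get("X-Auth-Token") != issued:
            return 401, b'{"response": {"message": "missing or invalid token"}}'
        if url.endswith("/network-device/count"):
            return 200, b'{"response": 42, "version": "1.0"}'
        return 404, b"{}"
    return transport


def device_count(transport: Transport, username: str = "admin",
                 password: str = "demo") -> int:
    """Whole sequence: get a ticket, then call /network-device/count from the deck."""
    session = ApicEmSession(BASE_URL, transport)
    session.login(username, password)
    return session.get("/network-device/count")["response"]


if __name__ == "__main__":
    print(device_count(fake_controller()))  # 42 from the constructed controller
```

Swapping `fake_controller()` for `urllib_transport` (the default) sends the same requests to a real controller; the client never stores the password, only the ticket, and a 401 on a later call is surfaced as a distinct error so a script re-authenticates instead of retrying blindly.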
APIC-EM Packaging and Deployment
Built as Linux containers: the Grapevine root and the GV clients each run in an LXC container on the operating system of the server / machine.
Standalone or resilient deployment:
• 3 nodes: active-active-active; scale and HA against software failure and HW failure of 1 node
• 1 or 2 nodes: active-active; scale and HA against software failure only
Download or preinstalled appliance:
• Download: .iso image including Ubuntu 14.04 64-bit, available from software.cisco.com and devnet.cisco.com
• Cisco Appliance: APIC-EM installed, ready-to-go; SKU: APIC-EM-APL-R-K9, APIC-EM-APL-G-K9
APIC-EM Deployment Considerations
Bare metal / HW appliance: server hardware → operating system → LXC containers (GV root; GV clients with their libs/bins)
Virtual machine: server hardware → hypervisor and/or host OS → virtual machine → operating system → LXC containers (GV root; GV clients with their libs/bins)
Before You Deploy: System Requirements
• Server: 64-bit x86 (supported by Ubuntu 14.04 LTS)
• vCPU: 6 (2.4 GHz) or more
• RAM: 64 GB (for single-host deployments) / 32 GB (for multi-host deployments)
• Storage: 500 GB HDD
  − Hardware-based RAID at RAID level 10
  − Disk I/O speed: 200 MBps
• Network adaptor: 1 x
• Browser: Google Chrome (44.0 or later)
• Hypervisor: VMware vSphere 5.1/5.5 (for Virtual Appliance)
Scale Numbers
• Network devices: 2000
• Access points: 2000
• End hosts: 20,000
Note: These scale numbers are for the APIC-EM platform and the base applications. Some other APIC-EM applications might have different scale numbers. At GA: IWAN App Release 1 targets < 500 sites, 2 links per Branch with ISR4000.
Devices Supported, General Availability Release
LAN device series:
• Catalyst 2960-X/XR Series Switches
• Catalyst 2960-S Series Switches
• Catalyst 2960 Series Compact Switches
• Catalyst 3560 Series Compact Switches
• Catalyst 3560-X Series Switches
• Catalyst 3650 Series Switches
• Catalyst 3750-X Series Switches
• Catalyst 3850 Series Switches
• Catalyst 4500 Series Switches
• Catalyst 4500x Series Switches
• Catalyst 4900 Series Switches
• Catalyst 6500 Series Switches
• Catalyst 6800 Series Switches
• Cisco Nexus 5000 Series Switches
• Cisco Nexus 7000 Series Switches
• Industrial Ethernet 2000 Series Switches
• Industrial Ethernet 3000 Series Switches
• EtherSwitch Modules for Integrated Services Routers: SM-E22-16-P, SM-ES2-24-P, SM-D-ES2-48, SM-ES3-16-P, SM-ES3-24-P, SM-D-ES3-48-P
WAN device series:
• 4000 Series Integrated Services Routers
• Integrated Services Routers Generation 2
• ASR 1000 Series Aggregated Services Routers
• ASR 9000 Series Aggregated Services Routers
• Cisco Cloud Services Router 1000v
WLAN device series:
• Wireless LAN Controllers (IOS XE & AireOS)
Software Upgrades
• Download the release upgrade pack from the Cisco® Cloud
• Upgrade: drag and drop the release upgrade pack to the controller using the UI
• Controller releases will be incremental
Controller Health Monitoring - Services
Controller Health Monitoring - Hosts
RBAC - Roles and Privileges
• Supports role-based access control (RBAC) for restricting access to controller applications and functionality to authorized users
• Ability to assign appropriate roles to users for accessing the controller
• Support for pre-defined roles for administrative control (administrator, observer, and installer)
Role and controller privileges:
• Administrator (ROLE_ADMIN): provides full administrative privileges to all Cisco® APIC-EM resources
• Observer (ROLE_OBSERVER): provides primarily read-only privileges to the Cisco APIC-EM
• Installer (ROLE_INSTALLER): allows an installer to use the Network PnP mobile app to access the APIC-EM
Common Policy Model from Branch to Data Center
• Application Network Flow Profile: SLA, Security, QoS, Load Balancing
• User and Things Network Profile: QoS, Security, SLA, Device, Location, Role
One policy across cloud, data center, WAN and access.
CISCO® ADVANTAGE: brownfield and greenfield; end-to-end policy framework; focus on application and user enablement
Application Ecosystem via Open APIs
Network → RESTful APIs
CISCO APPLICATIONS: Path Trace, PnP, IWAN, future apps
3RD PARTY APPLICATIONS (You @ DevNet Developer Ecosystem):
• Application-aware performance management, visualization, granular troubleshooting, real-time analytics and flow visibility
• Advanced orchestration, provisioning, lifecycle mgmt, and customized policies
• UC integration and monitoring
• Defense force for security: securing SDN controller deployments
• Compliance: topology visualization across AWS and multiple controllers
Average growth per month: 20. APIC-EM DevNet companies: 153.
devnet.cisco.com: Forum | Sandbox | API Index | Documentation
Resources and Starting Points
• Demos in dCloud and DevNet Sandboxes (today still running EFT code, upgrading in the coming weeks)
• APIC-EM @ CCO: www.cisco.com/go/apicem
• APIC-EM @ DevNet: devnet.cisco.com/site/apic-em
Cisco YouTube
https://www.youtube.com/watch?v=mUY5Er-fjOs
• QoS Video Classification Enables Enterprise Wide Jabber
• CUCM - Enhanced Collaboration QoE using APIC-EM
• Dynamic Policy Management for Lync Audio/Video
• Dynamic Network Branch security
• Investigation, Mitigation and Remediation using APIC-EM
• Optimizing Video for Citrix VDI
• Cisco APIC-EM Extension for Mission-Critical Apps – SAP HANA
List of Solution Demonstrations for upcoming Apps
QoS-App Demo
Download Demo Video here: https://www.youtube.com/watch?v=mUY5Er-fjOs
QoS-App
1. Define new application – Jabber Video
2. Update QoS policy
3. Push updated QoS policy to network devices
4. Deploy Jabber Video client
APIC-EM Easy-QoS
What happens if you get a new application? Example: QoS Video Classification Enables Enterprise Wide Jabber
Easy QoS Application (EasyQoS App, IWAN App)
Converting Strategic Policy to Tactical Policies: per-platform trust and queuing models
• Wireless AP: trust boundary, PEP, 4Q (WMM)
• Catalyst 2960-X: trust boundary, PEP, 1P3Q3T
• Catalyst 3650: trust boundary, PEP, 2P6Q3T
• Catalyst 4500: trust DSCP, 1P7Q1T
• Catalyst 6500: trust DSCP, 1P3Q4T / 1P7Q4T / 2P6Q4T / …
• Nexus 7700: trust DSCP, F3: 1P7Q1T
• WLC: PEP
• ASR/ISRs: trust DSCP, HQoS, MQC
• The principal goal of the tactical QoS policy is to express the strategic QoS policy with maximum fidelity
• QoS design best practices will be used to generate platform-specific configurations
• QoS features will be selectively enabled if they directly contribute to expressing the strategic policy on a given platform
Dynamic QoS / Jabber Demo
Download Demo Video here: https://www.youtube.com/watch?v=mUY5Er-fjOs
Dynamic QoS: Signaling per-Application, per-Session QoS
Problem: What if an application requires a specific QoS policy to be applied for the duration of a transaction or session?
Solution: Provide an API for applications to request predefined policies
Example:
1) Operator defines and approves relevant policies
2) Application requests policies upon session start and signals session end to the controller-based app
3) App and APIC-EM validate, deploy, report the dynamic change
Components: network and virtual / overlay networks ← APIC-EM QoS and ACL Apps (deploy, report) ← application interfaces (REST) ← applications (request, response) and NOC operators (define, manage)
Example: Dynamic Policy for Jabber (Cisco UC Manager, Jabber Client A, Jabber Client B)
1) Client A initiates call to Client B
2) CUCM requests predefined policy via APIC-EM REST API
3) APIC-EM QoS and ACL Apps validate and deploy into the network via APIC-EM
4) Call ends
5) CUCM signals to APIC-EM
6) APIC-EM Apps remove policy from network
POST http://<APIC-EM IP>/api/v0/policy
{ "policyName": "voice:audio:10.1.1.7",
  "policyOwner": "Admin",
  "networkUser": {
    "userIdentifiers": ["10.1.1.7"],
    "applications": ["20324,20324,UDP"]},
  "actionProperty": {"priorityLevel": "46"},
  "actions": ["PERMIT"]
}
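The validate step of the Jabber flow (step 3), applied to the policy request above, as an added Python example that is not part of the deck or of Cisco's own code. It parses the request body shown on the slide, rejects malformed or out-of-range fields before anything would be pushed to the network, and keeps a minimal in-memory record of deployed policies so the session-end removal (step 6) can only take out a policy its owner deployed. The rules it enforces (DSCP 0-63, "low,high,PROTO" tuples, a PERMIT/DENY action vocabulary, owner match on removal) are assumptions about a sane validator, not APIC-EM's published schema.

```python
"""Added example, not from the deck: the validate step (step 3 of the Jabber
flow) applied to the dynamic QoS policy request above, plus a minimal
in-memory record of what was deployed so the session-end removal (step 6)
can only take out a policy its owner deployed. The request body is the
deck's own JSON; the checks (DSCP 0-63, 'low,high,PROTO' tuples, permitted
actions, owner match on removal) are assumed validator rules, not APIC-EM's
published schema."""
import ipaddress
import json
from typing import Dict, List, Tuple

# Constructed copy of the policy body shown on the slide.
SAMPLE_REQUEST = """{ "policyName": "voice:audio:10.1.1.7",
  "policyOwner": "Admin",
  "networkUser":{
    "userIdentifiers":["10.1.1.7"],
    "applications":["20324,20324,UDP"]},
  "actionProperty": {"priorityLevel": "46"},
  "actions": ["PERMIT"]
}"""

ALLOWED_ACTIONS = {"PERMIT", "DENY"}      # assumed action vocabulary
ALLOWED_PROTOCOLS = {"TCP", "UDP"}        # assumed protocol vocabulary


def parse_application(spec: str) -> Tuple[int, int, str]:
    """'lowPort,highPort,PROTO' -> (low, high, proto); rejects malformed tuples."""
    parts = spec.split(",")
    if len(parts) != 3:
        raise ValueError(f"application spec needs 3 fields: {spec!r}")
    low, high, proto = int(parts[0]), int(parts[1]), parts[2].strip().upper()
    if not 0 < low <= high <= 65535:
        raise ValueError(f"bad port range in {spec!r}")
    if proto not in ALLOWED_PROTOCOLS:
        raise ValueError(f"unsupported protocol in {spec!r}")
    return low, high, proto


def validate_policy(body) -> Dict:
    """Return a normalised policy, or raise ValueError naming the first problem."""
    req = json.loads(body) if isinstance(body, str) else body
    required = {"policyName", "policyOwner", "networkUser", "actionProperty", "actions"}
    missing = required - set(req)
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    # Every user identifier must be a well-formed IP address, not free text.
    users = [str(ipaddress.ip_address(u)) for u in req["networkUser"]["userIdentifiers"]]
    apps = [parse_application(a) for a in req["networkUser"]["applications"]]
    if not users or not apps:
        raise ValueError("at least one user identifier and one application are required")
    dscp = int(req["actionProperty"]["priorityLevel"])
    if not 0 <= dscp <= 63:
        raise ValueError(f"priorityLevel {dscp} is not a DSCP value (0-63)")
    actions = set(req["actions"])
    if not actions or not actions <= ALLOWED_ACTIONS:
        raise ValueError(f"actions must be a non-empty subset of {sorted(ALLOWED_ACTIONS)}")
    return {"name": req["policyName"], "owner": req["policyOwner"], "users": users,
            "applications": apps, "dscp": dscp, "actions": sorted(actions)}


class PolicyStore:
    """Tracks deployed dynamic policies by name so removal is bound to the owner."""

    def __init__(self):
        self._active: Dict[str, Dict] = {}

    def deploy(self, policy: Dict) -> None:
        if policy["name"] in self._active:
            raise ValueError(f"policy {policy['name']} already deployed")
        self._active[policy["name"]] = policy

    def remove(self, name: str, owner: str) -> Dict:
        policy = self._active.get(name)
        if policy is None:
            raise KeyError(name)
        if policy["owner"] != owner:
            raise PermissionError(f"{owner} did not deploy {name}")
        return self._active.pop(name)

    def active(self) -> List[str]:
        return sorted(self._active)


if __name__ == "__main__":
    store = PolicyStore()
    policy = validate_policy(SAMPLE_REQUEST)   # step 3: validate
    store.deploy(policy)                       # step 3: deploy
    store.remove(policy["name"], "Admin")      # step 6: remove at session end
    print(policy)
```

Running the block validates and deploys the slide's policy (DSCP 46, one UDP port, one host) and then removes it, mirroring call start and call end; the same validator rejects a request whose priorityLevel is outside the DSCP range, whose action is not in the vocabulary, or whose port tuple is malformed, which is the check a controller-side app should run before any device is touched.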
Dynamic QoS Classification
For Your Reference
Application Driven Network Dynamics: Optimizing Video for Citrix VDI (3rd party apps): Netscaler, StoreFront, XenDesktop, APIC (Cisco APIC Enterprise Module)