APIC-EM and Software Defined in the Enterprise
CVU Update, January 2016
René Andersen & Søren Andreasen, System Engineers, Cisco

Cisco APIC-EM: An Application Platform for Enterprise WAN and Access Networks
• Virtual (ISO VM) or appliance-based
• Provides user policy abstraction and automation
• Simplification of complex network configuration with Cisco® application best practices
• Existing and new installations (Catalyst®, ISR, ASR, WLC)
Ready-to-deploy applications (October 2015): IWAN (with a license), Plug-n-Play (free), Path Trace (free)
Benefits: brownfield support; ready-to-use applications; open, northbound API

APIC-EM Delivers IT Flexibility
A (today) → B (with APIC-EM)
• Manual → Automated (SIMPLE)
• Box-centric → Network-wide
• Provision in months → Hours
• Static → Programmable (OPEN)
• Greenfield → Brownfield + Greenfield
• Expert CLI → Policy + GUI

Enabling Automation Through Innovative Management Principles
Network-wide abstractions simplify the network.
Applications: Orchestration, Automation, Collaboration, Security, Virtualization
REST API
The SDN Ideal: Controller as the Application Platform
Southbound abstraction layer: Catalyst®, Cisco Nexus®, ISR, ASR, ASA, Wireless, Other

APIC-EM Resolves Declarative Business Intent
APIC-EM renders application-, user-, and business-driven policies into domain-specific, network-specific control.
Example: "Only corporate-owned devices in Group:FinExec can access quarterly results DB" → Cisco® ISE + TrustSec + ACL configuration commands

APIC-EM Application Overview at GA
Enterprise network: Branch, Public Cloud
• Day 0 – Plug-and-Play App: zero touch deployment of routers / switches / APs. Accelerated roll-out: eliminates tech visits and shrinks deployment from months to minutes.
• Day 1 – Cisco IWAN App: guided, fast auto-provisioning of the IWAN solution with Cisco experts' best practices. From 1000 CLI commands to 10 GUI clicks per branch.
• Day 2 – Path Trace App: discover the path between two end points based on 5-tuple. Rapidly troubleshoot congestion and ACL issues and lower OPEX for trouble ticket processing by 98%.

APIC-EM PnP Application – Use Case: Auto-Discovery and Provisioning
IT → PnP Application → New Router, New Switch → Network
Benefits:
• SDN – simple workflow
• Zero touch deployment; shortened deployment time
• Zero touch provisioning; no on-site expert needed
• Open architecture
• Increased security; decreased chance of misconfiguration

Network Plug and Play (PnP) Deployment
1. Discovery: device can reach the PnP Server on APIC-EM
2. Device receives target image and configuration
Routers (ISR, ASR), Switches (Catalyst®), Wireless Access Points – no staging required; PnP runs from the Cisco factory-default configuration.
PnP – Simple & Secure & Consistent

APIC-EM PnP Dashboard
(screenshot)

APIC-EM PnP REST API Support
Device repository and database ↔ PnP REST API ↔ Python / APIC-EM Bulk Import/Export / Automation framework (i.e. Python scripts, configuration generator, etc.) / Customer's existing automation frameworks ↔ APIC-EM API ↔ Switches (Catalyst), Routers (ISR/ASR), Wireless AP

APIC-EM IWAN Application – Use Case: Cisco Best Practices & Knowledge for SDWAN
IT → Business policy: App SLA → IWAN Application → DMVPN, SLA, QoS, Path Selection → Network
Benefits:
• SDN – simple workflow
• Zero touch provisioning
• Network and applications monitoring
• From weeks to minutes
• Business level policies
• Over 1000 CLI commands reduced to 10 GUI clicks
• Open architecture
Note: IWAN App Release 1 targets less than 500 sites, 2 links per branch with ISR4000.

Intelligent WAN Solution Components
Branch (IWAN App; AVC, WAAS, Akamai, PfRv3) → Private Cloud (MPLS), Virtual Private Cloud, Public Cloud (Internet), 3G/4G-LTE. Orchestration and management: Cisco Prime™.
• Transport Independence: IPsec WAN overlay; consistent operational model; DMVPN, PKI
• Intelligent Path Control: optimal application routing; efficient use of bandwidth; Performance Routing (PfR), QoS
• Application Optimization: performance monitoring; optimization and caching; AVC, WAAS, Akamai
• Secure Connectivity: NG strong encryption; threat defense; Suite-B, CWS, ZBFW

IWAN App on APIC-EM
Step-by-step network and hub settings; simple policy definition and customization.
Three main areas:
1. Hub site and settings
2. Administration of application policy
3. Branch site setup
Policy-driven IWAN site deployment including PnP and monitoring.

APIC-EM Path Trace Application – Use Case: Accelerate Trouble-Ticket Processing
User → IT → Trouble ticket → Path visualization → Network
Benefits:
• SDN – simple workflow
• Application path monitoring
• Easy visual discovery of trouble spots in the communication path based on 5-tuple
• Open architecture
• OPEX for ticket processing decreased by 98%: from 1.4 hours to 1 minute

APIC-EM Path Trace
Hop-by-hop details specific to the 5-tuple path.

Introducing APIC-EM and 3 Apps – EN Technology Differentiation
3 new applications:
• Day 0 – Plug-and-Play App: zero touch deployment of routers / switches / APs; shrinks deployment from months to minutes
• Day 1 – Cisco IWAN App: guided, fast auto-provisioning of the IWAN solution with Cisco experts' best practices; from 1000s of CLI commands to a few policy deployments with a few GUI clicks per branch
• Day 2 – Path Trace App: discover the path between two end points based on 5-tuple; lower OPEX for trouble ticket processing by 98%
Applications (Orchestration, Automation, Collaboration, Security) → REST API → APIC-EM → Southbound abstraction layer: Catalyst | ISR | ASR | Wireless

APIC-EM Platform Architecture
• Applications built on top of APIC-EM: Network PnP, Path Trace, IWAN
• Applications packaged with APIC-EM: Network Inventory, Advanced Topology Visualizer
• Core applications are bundled; the IWAN application is separately licensed
• Northbound REST API: open and documented
• APIC-EM core services: Inventory Manager, RBAC, Policy Analysis, Policy Programmer, Topology Services, Data Access Service
• Application-specific services: Network PnP, IWAN services
• Elastic Controller Infrastructure (Grapevine): provides scale and high availability

APIC-EM Northbound REST API
Problem: How to get started with a controller API?
Solution: Explore. Example:
1) In the APIC-EM user interface, click on [API]
2) Navigate to the desired API; in our example: /network-device/count

Using APIC-EM Northbound REST APIs
Step 1: Request a service ticket. A session token is required for APIC-EM northbound REST API calls:
− Use the POST /ticket API call to generate the token
− Embed the generated ticket as the X-Auth-Token header in subsequent API calls
Step 2: API response with service ticket information. Northbound REST APIs use the JSON format for exchange of data between the controller and the REST application (API consumer).
Step 3: Add the ticket to the X-Auth-Token header.
Typical developer sequence:
− Explore via the APIC-EM GUI (Swagger)
− Prototype in Chrome/POSTMAN
− Script (Python, Perl, …)
− Integrate

APIC-EM Packaging and Deployment
Cisco appliance: Grapevine Root and GV Clients in LXC containers on the operating system of the server / machine. Built as a Linux container.
• Preinstalled appliance: APIC-EM installed, ready-to-go; SKUs: APIC-EM-APL-R-K9, APIC-EM-APL-G-K9
• Download: .iso image including Ubuntu 14.04 64-bit; available from software.cisco.com and devnet.cisco.com
Standalone or resilient deployment:
• 1 or 2 nodes: active-active; scale and HA against software failure only
• 3 nodes: active-active-active; scale and HA against software failure and HW failure of 1 node

APIC-EM Deployment Considerations
• Bare metal / HW appliance: GV Root and GV Clients (libs/bins) in LXC containers → operating system → server hardware
• Virtual machine: GV Root and GV Clients (libs/bins) in LXC containers → operating system → virtual machine → hypervisor and/or host OS → server hardware

Before You Deploy: System Requirements
• Server: 64-bit x86 (supported by Ubuntu 14.04 LTS)
• vCPU: 6 (2.4 GHz) or more
• RAM: 64 GB (for single-host deployments) / 32 GB (for multi-host deployments)
• Storage: 500 GB HDD
− Hardware-based RAID at RAID level 10
− Disk I/O speed: 200 MBps
• Network adaptor: 1 x
• Browser: Google Chrome (44.0 or later)
• Hypervisor: VMware vSphere 5.1/5.5 (for the virtual appliance)
Scale numbers: Network devices: 2000; Access points: 2000; End hosts: 20,000
Note: These scale numbers are for the APIC-EM platform and the base applications. Some other APIC-EM applications might have different scale numbers. At GA: IWAN App Release 1 targets < 500 sites, 2 links per branch with ISR4000.

Devices Supported – General Availability Release
LAN device series:
• Catalyst 2960-X/XR Series Switches
• Catalyst 2960-S Series Switches
• Catalyst 2960 Series Compact Switches
• Catalyst 3560 Series Compact Switches
• Catalyst 3650 Series Switches
• Catalyst 3850 Series Switches
• Catalyst 3750-X Series Switches
• Catalyst 3560-X Series Switches
• Catalyst 4500 Series Switches
• Catalyst 4500x Series Switches
• Catalyst 4900 Series Switches
• Catalyst 6500 Series Switches
• Catalyst 6800 Series Switches
• Cisco Nexus 5000 Series Switches
• Cisco Nexus 7000 Series Switches
• EtherSwitch Modules for Integrated Services Routers: SM-E22-16-P, SMES2-24-P, SM-D-ES2-48, SM-ES3-16-P, SM-ES3-24-P, SM-D-ES3-48-P
• Industrial Ethernet 2000 Series Switches
• Industrial Ethernet 3000 Series Switches
WAN device series:
• 4000 Series Integrated Services Routers
• Integrated Services Routers Generation 2
• ASR 1000 Series Aggregated Services Routers
• ASR 9000 Series Aggregated Services Routers
• Cisco Cloud Services Router 1000v
WLAN device series:
• Wireless LAN Controllers (IOS XE & AireOS)

Software Upgrades
• Download the release upgrade pack from the Cisco® Cloud
• Upgrade: drag and drop the release upgrade pack to the controller using the UI
• Controller releases will be incremental

Controller Health Monitoring – Services
(screenshot)

Controller Health Monitoring – Hosts
(screenshot)

RBAC – Roles and Privileges
• Supports role-based access control (RBAC) for restricting access to controller applications and functionality to authorized users
• Ability to assign appropriate roles to users for accessing the controller
• Support for pre-defined roles for administrative control (administrator, observer, and installer)
Role → Controller privileges:
• Administrator (ROLE_ADMIN): full administrative privileges to all Cisco® APIC-EM resources
• Observer (ROLE_OBSERVER): primarily read-only privileges to the Cisco APIC-EM
• Installer (ROLE_INSTALLER): allows an installer to use the Network PnP mobile app to access the APIC-EM

Common Policy Model from Branch to Data Center
Policy:
• Data Center (Cloud): Application; Network Flow Profile – SLA, Security, QoS, Load Balancing
• WAN and Access: User and Things; Network Profile – QoS, Security, SLA, Device, Location, Role
Data Center ↔ WAN ↔ Access
Cisco® advantage: brownfield and greenfield; end-to-end policy framework with focus on application and user enablement.

Application Ecosystem via Open APIs
3rd party applications and Cisco applications (IWAN, Path Trace, PnP, future apps) → RESTful APIs → Network

You @ DevNet – Developer Ecosystem
153 APIC-EM DevNet companies; 20 average growth per month
devnet.cisco.com: Forum | Sandbox | API Index | Documentation
Ecosystem examples:
• Topology visualization across AWS and multiple controllers
• Compliance
• Securing SDN controller deployments
• Defense force for security
• UC integration and monitoring
• Advanced orchestration, provisioning, lifecycle mgmt, and customized policies
• Application-aware performance management, visualization, granular troubleshooting, real-time analytics and flow visibility

Resources and Starting Points
• Demos in dCloud and DevNet Sandboxes (today still running EFT code, upgrading in the coming weeks)
• APIC-EM @ CCO: www.cisco.com/go/apicem
• APIC-EM @ DevNet: devnet.cisco.com/site/apic-em
• Cisco YouTube: https://www.youtube.com/watch?v=mUY5Er-fjOs

List of Solution Demonstrations for Upcoming Apps
• QoS Video Classification Enables Enterprise Wide Jabber
• CUCM – Enhanced Collaboration QoE using APIC-EM
• Dynamic Policy Management for Lync Audio/Video
• Dynamic Network Branch Security
• Investigation, Mitigation and Remediation using APIC-EM
• Optimizing Video for Citrix VDI
• Cisco APIC-EM Extension for Mission-Critical Apps – SAP HANA

QoS-App Demo
Download the demo video here: https://www.youtube.com/watch?v=mUY5Er-fjOs

What happens if you get a new application? Example: QoS Video Classification Enables Enterprise Wide Jabber
APIC-EM Easy-QoS:
1. Define new application – Jabber Video
2. Update QoS policy
3. Push updated QoS policy to network devices
4. Deploy Jabber Video client

Easy QoS Application – Converting Strategic Policy to Tactical Policies
• QoS design best practices will be used to generate platform-specific configurations
• QoS features will be selectively enabled if they directly contribute to expressing the strategic policy on a given platform
• The principal goal of the tactical QoS policy is to express the strategic QoS policy with maximum fidelity
Platform-specific rendering (EasyQoS App; ASR/ISRs via the IWAN App):
• Wireless AP: trust boundary PEP; 4Q (WMM)
• WLC: PEP
• Catalyst 2960-X: trust boundary PEP; 1P3Q3T
• Catalyst 3650: trust boundary PEP; 2P6Q3T
• Catalyst 4500: trust DSCP; 1P7Q1T
• Catalyst 6500: trust DSCP; 1P3Q4T, 1P7Q4T, 2P6Q4T, …
• Nexus 7700: trust DSCP; F3: 1P7Q1T
• ASR/ISRs: trust DSCP; HQoS MQC

Dynamic QoS / Jabber Demo
Download the demo video here: https://www.youtube.com/watch?v=mUY5Er-fjOs

Signaling per-Application, per-Session QoS
Problem: What if an application requires a specific QoS policy to be applied for the duration of a transaction or session?
Solution: Provide an API for applications to request predefined policies. Example:
1) Operator defines and approves relevant policies
2) Application requests policies upon session start and signals session end to the controller-based app
3) App and APIC-EM validate, deploy, and report the dynamic change
NOC operators define and manage policies in the APIC-EM QoS and ACL Apps; applications request policies and receive responses over the application interfaces (REST); the apps deploy into the virtual / overlay networks and the network, and report back.

Example: Dynamic Policy for Jabber
1) Jabber Client A initiates a call to Jabber Client B
2) Cisco UC Manager (CUCM) requests the predefined policy via the APIC-EM REST API:
   POST http://<APIC-EM IP>/api/v0/policy
   {
     "policyName": "voice:audio:10.1.1.7",
     "policyOwner": "Admin",
     "networkUser": {
       "userIdentifiers": ["10.1.1.7"],
       "applications": ["20324,20324,UDP"]
     },
     "actionProperty": {"priorityLevel": "46"},
     "actions": ["PERMIT"]
   }
3) APIC-EM QoS and ACL Apps validate the request and deploy it into the network via APIC-EM
4) Call ends
5) CUCM signals to APIC-EM
6) APIC-EM Apps remove the policy from the network
Dynamic QoS classification

For Your Reference – Application Driven Network Dynamics: Optimizing Video for Citrix VDI
3rd party apps (NetScaler, StoreFront, XenDesktop) ↔ Cisco APIC Enterprise Module (APIC)
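The northbound REST sequence from the "Using APIC-EM Northbound REST APIs" slides (POST /ticket, then X-Auth-Token on every later call) combined with the dynamic QoS policy POST from the Jabber example, as an added example that is not code from the deck or from Cisco. The transport is injected so a constructed stand-in controller lets it run offline; the ticket request/response field names (username/password, response.serviceTicket), the host name and the 202/taskId reply are assumptions.

```python
# Added example (not from the deck): APIC-EM northbound REST flow, offline.
import json

BASE_URL = "https://apic-em.example.invalid/api/v0"   # placeholder host


def build_policy(name, owner, host_ip, port, proto, dscp):
    """Body shaped like the deck's /api/v0/policy request for Jabber audio."""
    return {"policyName": name, "policyOwner": owner,
            "networkUser": {"userIdentifiers": [host_ip],
                            "applications": [f"{port},{port},{proto}"]},
            "actionProperty": {"priorityLevel": str(dscp)},
            "actions": ["PERMIT"]}


class ApicEmClient:
    """Step 1: POST /ticket; steps 2-3: carry the ticket as X-Auth-Token."""

    def __init__(self, transport, base_url=BASE_URL):
        # transport(method, url, headers, body) -> (status, json_dict)
        self.transport, self.base_url, self.ticket = transport, base_url, None

    def _call(self, method, path, body=None, auth=True):
        headers = {"Content-Type": "application/json"}
        if auth:
            if not self.ticket:
                raise RuntimeError("login() first: every call needs X-Auth-Token")
            headers["X-Auth-Token"] = self.ticket
        return self.transport(method, self.base_url + path, headers,
                              json.dumps(body) if body is not None else None)

    def login(self, username, password):
        status, data = self._call("POST", "/ticket", {"username": username,
                                  "password": password}, auth=False)
        if status != 200:
            raise PermissionError(f"ticket request failed: HTTP {status}")
        self.ticket = data["response"]["serviceTicket"]   # assumed field name
        return self.ticket

    def request_policy(self, policy):
        return self._call("POST", "/policy", policy)


def fake_controller(method, url, headers, body):
    """Constructed stand-in for APIC-EM: issues a ticket, then enforces the header."""
    if method == "POST" and url.endswith("/ticket"):
        if json.loads(body) == {"username": "admin", "password": "s3cret"}:  # constructed
            return 200, {"response": {"serviceTicket": "ST-1-constructed"}}
        return 401, {"response": {"errorCode": "INVALID_CREDENTIALS"}}
    if headers.get("X-Auth-Token") != "ST-1-constructed":
        return 401, {"response": {"errorCode": "RBAC"}}   # missing/invalid ticket
    return 202, {"response": {"taskId": "task-constructed",
                              "received": json.loads(body)}}
```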