APIC-EM: An Enterprise SDN Solution
Karthik Dakshinamoorthy
Product Line Manager
Date: 28/05/2015
© 2015 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
1
AGENDA
• Enterprise SDN Approach
• APIC-EM High Level Architecture
• APIC-EM Use Cases
• APIC-EM Requirements
• APIC-EM Infrastructure & Deployment
• Programmability - API Ecosystem
• Positioning
• Roadmap
• Conclusion
Enterprise SDN Approach
APIC-EM Introduction
Let's Get These Answered Before We Proceed Any Further!!
• Are you looking for easy and customized ways to manage and operationalize your networks holistically?
• Are you looking for fast, focused, programmable solutions for your evolving business and application needs?
• Do you want to focus more on business processes, or do you simply love to deal with network nuts and bolts?
Today's Business Model (Operations): business applications and networking components offered with "some assembly required".
New Business Model (Operations Goals, adopting to lower OPEX and faster LOB alignment): seamlessly fused business applications and networking components "out of the box".
Reducing the need for business operations to be expert network technology centers is a catalyst for aligning with new business goals.
SDN Led Automation Dramatically Lowers Cost and Risk
[Chart: cost against risk / complexity for three approaches]
• Device / Platform: high risk / complexity (100's of features), end user validates and tests, high operational cost
• Cisco Solution Validated: medium risk / complexity (CVD best practices), medium operational cost
• SDN Automated: low risk / complexity (policy abstraction of best practices through APIC-EM), cost saving through automation
Changing Network Software Coding Styles
Utilize programmatically "linked" interfaces: REST API and SAL.
"Semantically linked" interfaces allow abstraction layers to change while maintaining the stack integrity.
• Customer flexibility and vendor flexibility: enables use case evolution + investment protection; allows various components to mature over time while preserving interoperability.
• Emerging northbound and southbound OpenDaylight standards solidify industry support for semantics.
For Deploying & Managing Applications Easily in Your Network
• Configuration-driven → Policy-based
• Infrastructure-centric → Application-centric
• Element management → Network-wide management
Deliver solutions that accelerate innovation adoption for faster LOB alignment and at lower TCO.
APIC-EM High Level Architecture
For LAN & WAN
[Diagram: Security, Collaboration, Services, Orchestration and WAN applications call APIC-EM over its REST API; APIC-EM sits on the Services Abstraction Layer (SAL), which drives Catalyst, Nexus, ISR, ASR, ASA and Wireless platforms as well as non-Cisco network elements.]
For LAN & WAN
[Diagram: App 1, App 2 and App 3 use the NB REST API into the APIC-EM Services, which are layered as follows.]
• Network Model services: Topology, Identity Management, Policy Analysis, Identity Manager (pxGrid), Path Trace, ACL Trace, ACL Analysis, QoS Analysis, Radius Proxy, Statistics Manager, Policy Control, Segmentation Manager, Policy Manager, Easy QoS, DAS
• Device Model services: Inventory, Policy Programmer, Network Tapping, NIB, Policy Preparer
• Device Interface services: Network Programmer, Network Discovery, Network Events
• Southbound to the network via CLI, SNMP and OnePK
• Layered architecture
–Network Model, Device Model, Device Interface
• Clearly defined and disciplined API between services and layers
• Data model driven
–Conversion to south-bound protocols at the very low layers
• Independent evolution of south-bound protocols and controller intelligence
• Asynchronous message-based communication (for scale, HA)
• Stateless (for scale, HA)
• Multiple instances (for scale, HA)
• Transactionality, Rollback & Preview functionality
Consistent Policy Across Cloud, DC, WAN and Access
[Diagram: two APIC controllers. One applies an Application Network Profile (SLA, Security, QoS, Load Balancing) across Cloud and Data Center; the other applies a User/Things Network Profile (QoS, Security, SLA, Device) across WAN and Access.]
SDN for DC vs. SDN for WAN/LAN
• Equipment Physical Location: Data Center = Centralized; LAN/WAN = Spread Out Geographically. Comment: SDN for WAN/LAN requires a brownfield approach.
• Network Elements: Data Center = Homogeneous; LAN/WAN = One of Everything Ever Sold. Comment: SDN for WAN/LAN must use CLI to provide investment protection and low risk migration.
• SDN Focus: Data Center = Flow Policy Management; LAN/WAN = User Policy Management. Comment: SDN Controller services are vastly different for the DC vs. WAN/LAN.
Any Controller Strategy Must Comprehend the Domain Differences
APIC-EM Use Cases
Use Case | Description | Release
Discovery & Inventory | Device, User/Host Database (CDP/Seed IP based Discovery) | CA, EFT2
Topology | Network and User Topology (Host Attachment) | CA, EFT2
Path Trace | Trace path of a flow (Dynamic, can detect ECMP, HSRP, Routing protocols in path) | CA
Policy Provisioning – ACL | End to End ACL Provisioning | EFT2
ACL analysis | Follow me ACL – troubleshooting ACL flows | EFT2
Policy Provisioning – QoS | Easy QoS – One Click Deployment | EFT2
Dynamic QoS for Collaboration Apps | Dynamic policy programming for Lync and Jabber | Demo, GA
IWAN | DMVPN, AVC, PfRv3 and QoS - Monitoring + Provisioning | EFT image, GA
Security/Source Fire | SourceFire Defense Sensor integration with APIC-EM (block/quarantine at access) | Demo, Planned EFT
ZTD | PnP Application (Day 0 provisioning) | EFT image, GA
Policy Provisioning – SPAN | Policy for SPAN (troubleshooting workflows) | EFT2
APIC EM Returns A Path Based on a 5 Tuple Input
ACLs: What You Are Afraid Of?
Example: 4000 Lines of ACL in Fortune 100 Switches
• Manual CLI, lack of tools
• Difficult to implement policy
• Debugging an ACL problem, or finding the right place for edits, is like finding a needle in a haystack!
• FRAGILE! Customers are hesitant to change ACLs for fear of breaking them!
• Policy based on "Users", "Resources", "Action" and "Priority"
• Translates to QoS/ACL policies on the device
• Integrates with IS/AAA/LDAP for host user
• Supports tagging - e.g. can apply an ACL to a given site/branch
API Controller Enterprise Module - Policy Control
Event Triggers:
• User-identifier (tenant/user)
• Application
• Device Type
• Location
Policy Properties:
• Policy Creator
• Policy Name
• Policy Scope
• Policy Priority
• Policy Time: Start Time, End Time, Hard timeout, Idle timeout, recurrence
Network Users / Resources:
• User-identifier (tenant/user)
• Application
• Device Type
• Location
Actions:
• Permit
• Deny
• Copy
• Monitor
• Redirect (L3, L4, L7)
• No copy
• No redirect
Action Properties:
• Priority Level
• Resource Level
• Experience Level
• Trust Level
• Destination
• Sample Rate
High Level Business Intent Policies:
• Automatically converted to network language
• Conflict detection and resolution
• Extensible
• Supports different patterns of policies: Access Policies; Source-Destination Directional Policies; Event – Condition – Action
• Includes collections (e.g. a group of user IDs, a group of applications, etc.)
• Choose custom tags for policies
• Choose multiple attributes in each category
• Identify ACL conflicts, duplicates & misconfigurations
• Debug ACL problems
QoS: What You Are Afraid Of?
• Incredibly difficult to deploy for every application
• Box by box configuration, too many controls
• Device specific implementation
• Many CLI variants, varying functionality across devices & nerd knobs...
• Need manual knowledge of which apps map to what traffic classes
Customers Avoid QoS and Simply Over Provision or Live with It
• CVD based templates - 12 class model is the default; ingress marking, egress queuing
• Create custom apps & policies
• Deploy with a click on a group of devices - tag based
• NBAR2 based application categorization - default mapping to QoS
Application Driven Network Dynamics:
Dynamic Policy Management for Jabber Audio/Video (applies to Lync too)
[Diagram: Jabber clients, Cisco UC Manager (CUCM), and the Dynamic Policy Management application on the Cisco APIC Enterprise Module.]
• Bob calls Alice
• CUCM calls APIC-EM to set up the policy
• QoS policy enabled on the network device
• Policy removed after the call ends
Application Driven Network Dynamics:
Dynamic Policy Management for Lync Audio/Video
[Diagram: Lync clients, the Dynamic Policy Management application and the Cisco APIC Enterprise Module.]
Application Driven Network Dynamics:
Dynamic Policy Management for Lync Audio/Video
[Diagram: Lync clients, the Dynamic Policy Management application, and APIC-EM reached over the REST API.]
Call setup:
1. Client A calls Client B
2. Lync sends call setup info to the app server
3. The app calls APIC-EM (REST API) to set up the policy
4. QoS policy enabled on the network device
Call teardown:
1. Call ends
2. Lync sends call teardown info to the app server
3. The app calls APIC-EM (REST API) to delete the policy
4. QoS policy removed from the network device
APIC-EM GA June 2015: Automating The WAN!
• IWAN Management: provisioning a large number of sites & their "customized" WAN configs is tedious and error prone
• Policy Management: deploying business level policies for a growing list of applications is difficult without an app aware framework; difficult to monitor applications and enforce path control intuitively
Automated IWAN Path Optimization
Performance Routing (PfR) Configuration and Compliance Assurance
[Diagram: the Cisco APIC Enterprise Module drives PfR at the Enterprise HQ across Business Internet, Internet and MPLS paths.]
Cisco Intelligent WAN App for APIC-EM
[Diagram: an IT Admin defines the Business Policy (App SLA) in the APP; the SDN layer turns it into an Application Network Profile (Access, DMVPN, SLA, QoS, Security, Path Selection) applied to the NETWORK.]
• Simple workflow templates
• Zero touch provisioning
• Network and applications monitoring
• Business level policies
• Open architecture
Business Policy Dictates Network Action
IWAN App for APIC-EM Provides:
• "Site Profiles" based automatic WAN configuration
• "Zero Touch" router deployment
• "Business Priority" based application policies
• "Application Level" monitoring & reporting
[Screenshot: Site topology choices in IWAN app]
[Screenshot: Link type selection in IWAN app]
[Screenshot: Application priority policy setting in IWAN app]
Dynamic Network Branch Security
[Diagram: SourceFire Defence Center at HQ, the SDN Controller, ISR sensors and hosts at the Branch, connected over WAN / Internet.]
1. BYOD malware / JavaScript attack at the branch
2. SF Sensor detects the threat
3. SF Defense Center notifies the controller (Defense Center alert)
4. Remediation API event is raised to the controller
5. Remediation policy installed on the access switch port by the controller (policy enforcement)
6. End-point is blocked or quarantined (host quarantined)
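The two event-driven flows above (the collaboration app creating and deleting a QoS policy around a call, and the remediation event quarantining a host at the access edge) together with the policy model from the Policy Control slide (users, resources, action, priority, time properties, conflict detection and resolution), as an added Python model. It is not APIC-EM's code or its REST API; the class, method and attribute names are assumptions, and it attaches hard and idle timeouts so a lost teardown or a forgotten quarantine cannot leave a dynamic policy in place indefinitely.

```python
# Constructed model of APIC-EM-style dynamic policy control. This is not
# Cisco code or the APIC-EM REST API; all names here are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ACTIONS = {"Permit", "Deny", "Copy", "Monitor", "Redirect", "No copy", "No redirect"}
# Action pairs that cannot both apply to the same user/resource pair.
CONTRADICTIONS = {frozenset({"Permit", "Deny"}), frozenset({"Copy", "No copy"}),
                  frozenset({"Redirect", "No redirect"})}
ANY = "*"  # wildcard resource, used by the quarantine policy


@dataclass
class Policy:
    name: str
    users: frozenset      # user identifiers (tenant/user) or host ids
    resources: frozenset  # applications / destinations, or ANY
    action: str
    priority: int         # higher priority wins a conflict
    created: float        # controller clock, seconds
    hard_timeout: Optional[float] = None  # seconds after creation
    idle_timeout: Optional[float] = None  # seconds since the last matching flow
    props: Dict[str, str] = field(default_factory=dict)  # action properties
    last_hit: float = field(default=0.0, init=False)

    def __post_init__(self):
        self.last_hit = self.created

    def expired(self, now: float) -> bool:
        if self.hard_timeout is not None and now - self.created >= self.hard_timeout:
            return True
        return self.idle_timeout is not None and now - self.last_hit >= self.idle_timeout

    def matches(self, user: str, resource: str) -> bool:
        return user in self.users and (ANY in self.resources or resource in self.resources)


class PolicyController:
    def __init__(self):
        self.policies: Dict[str, Policy] = {}

    def conflicts(self, new: Policy) -> List[Tuple[str, str]]:
        # Existing policies covering the same users/resources with a contradictory action.
        return [(p.name, p.action) for p in self.policies.values()
                if p.users & new.users
                and (ANY in p.resources or ANY in new.resources or p.resources & new.resources)
                and frozenset({p.action, new.action}) in CONTRADICTIONS]

    def add(self, p: Policy) -> List[Tuple[str, str]]:
        if p.action not in ACTIONS:
            raise ValueError(f"unknown action {p.action!r}")
        if p.name in self.policies:
            raise ValueError(f"policy {p.name!r} already exists")
        found = self.conflicts(p)  # reported to the operator, resolved by priority
        self.policies[p.name] = p
        return found

    def delete(self, name: str) -> bool:
        return self.policies.pop(name, None) is not None

    def expire(self, now: float) -> List[str]:
        # Purge policies whose hard or idle timeout has passed; returns their names.
        gone = [n for n, p in self.policies.items() if p.expired(now)]
        for n in gone:
            del self.policies[n]
        return gone

    def resolve(self, user: str, resource: str, now: float) -> Optional[Policy]:
        # Policy the network enforces for this flow: highest priority live match
        # wins, newest on a tie. A match counts as a hit for the idle timeout.
        live = [p for p in self.policies.values()
                if p.matches(user, resource) and not p.expired(now)]
        if not live:
            return None
        best = max(live, key=lambda p: (p.priority, p.created))
        best.last_hit = now
        return best


def call_policy(ctrl: PolicyController, call_id: str, a: str, b: str, now: float):
    # Collaboration app at call setup; the hard timeout covers a lost teardown.
    p = Policy(f"call-{call_id}", frozenset({a}), frozenset({b}), "Permit", 50, now,
               hard_timeout=4 * 3600, props={"Experience Level": "voice-video"})
    return ctrl.add(p)


def quarantine_host(ctrl: PolicyController, host: str, now: float):
    # Remediation event: Deny the host everything at the access edge, above business policy.
    p = Policy(f"quarantine-{host}", frozenset({host}), frozenset({ANY}), "Deny", 100, now,
               idle_timeout=24 * 3600)
    return ctrl.add(p)
```

`add` returns the conflicts it detected so the operator can see which lower-priority intent is being overridden; `expire` is what a periodic sweep on the controller would call.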
Network Threat Defense:
Investigation, Mitigation and Remediation using APIC-EM
• APIC-EM can be used as an SDN network orchestrator to integrate event information coming from a 3rd party SIEM (Splunk) and take an action to program the network
What's New/Unique:
• Integration of APIC-EM with a 3rd party SIEM (Splunk) to orchestrate inspection escalation with SourceFire IDS
Network Threat Defense:
Investigation, Mitigation and Remediation using APIC-EM
[Diagram, repeated over five slides: the APIC Enterprise Module exposes an NB-API to Security Services (Investigation, Mitigation, Remediation) and Core Services; it talks to ISE over pxGrid for identity context and quarantine, and takes input from a SIEM fed with network data (Netflow, WSA, IPS) and other data. The intranet holds a Catalyst 3850, an ASA and sensitive data.]
The sequence shown across the slides:
1. Investigate: IPS data drives the investigation
2. Mitigate: the suspect is tagged with Security Group Tag = Suspicious
3. Remediate (Contain)
4. Mitigate (Block)
Zero Touch Deployment with APIC-EM
[Diagram: the IT Admin pre-provisions Site-1, Site-2 and Site-3 from the controller; an installer at each site brings the devices up over the Internet.]
Easy to use - pre-provision sites (IT Admin):
• Configure devices: IOS image for update, configuration text file
• Build site topology
• Assign installer
• Define match policy
• Work flow based
Scales to network size:
• Centralized controller
Secure:
• HTTPS based information flow
Unskilled onsite installer:
• No CLI
• Installer app for assistance
Device support:
• All Campus and Branch devices (not AireOS)
Zero touch automated device installation:
• No manual intervention
APIC-EM Requirements
System Requirements and Platform Support
• Server: 64 bit x86
• vCPU: 4 or higher (2.4 GHz)
• RAM: 64G or higher
• OS: Linux (Ubuntu 12.04)
• Java: ver. 1.7
• Browser: Chrome (28.0 or later)
• Hypervisor: vSphere 5.1
• Storage: 100GB
• If using ISE: ver. 1.3.0.354
• Web: HTTPS
Notes:
• Needs NTP server
• Needs VMware today; KVM/Hyper-V support in roadmap
• Needs vCenter access
• Root VM needs connectivity to: 1. vSphere, 2. NTP server, 3. Internet
• Client VMs need connectivity to: 1. Internet, 2. Network devices
APIC-EM Infrastructure & Installations
Grapevine: Platform for Service Elasticity
What Does the Customer Get? Two OVAs (Root and Client) plus the Service Catalog.
Grapevine Root OVA:
• Ubuntu 14.04 64-bit
• Grapevine Root bits
• APIC-EM Service Catalog
Grapevine Client OVA:
• Ubuntu 14.04 64-bit
• Grapevine Client bits
Single OVA in roadmap
Goals: Customer Deployment
[Diagram: the SDN Elastic Appliance sits over Compute, Network and Storage and runs multiple SDN Services.]
• The Cisco customer installs the SDN appliance and provides "capacity"...
• The appliance deploys services on available capacity to run SDN...
Grapevine Capabilities
1. HA for APIC-EM services
2. Rolling upgrades for APIC-EM services
3. Planned/unplanned bursts in controller load
4. Growing the controller as the customer's network infrastructure grows
Components: Grapevine
Grapevine provides on-demand capacity to run services...
Grapevine Root:
• Service Manager: starts, stops and monitors service instances across Grapevine...
• Capacity Manager
• Load Monitor: monitors load / health of services across Grapevine...
• Service Catalog: repository of service bundles that can be deployed on Grapevine nodes...
Grapevine Client:
• Service Monitor: starts, stops and monitors service instances running on a single Grapevine node...
• Download Manager: downloads and deploys the service bundle on the Grapevine node...
[Diagram: networking of a Grapevine deployment. The Root VM and the Client VMs sit on an Internal Network; a Client VM running RouterService connects that network to External Network #1 (with the ExtNet #1 IP pool and the ExtNet #1 Root IP address) and from there to the Internet, vSphere and NTP.]
• RouterService configures NAT for both inbound and outbound connections to/from the internal network...
• Client default gateways point to the VM running RouterService to get connectivity to the external network...
Deployment walkthrough (VMware vSphere 5.1, physical hosts)
1. Deployment: the admin deploys both OVAs into their virtual infrastructure...
2. Deployment: the admin starts an instance of the Grapevine root OVA...
3. Configuration: the admin logs into the Grapevine Root VM console to configure the controller...
4. Instantiation of Services: Grapevine automatically provisions VMs and starts services based on "min instance count" requirements...
5. Root Redundancy: run multiple instances of Grapevine Root for active-active redundancy...
6. Adding Capacity: add more capacity by simply adding more physical hosts...
7. Automatic Scaling: as load increases, Grapevine spins up more service instances in response...; as load decreases, Grapevine spins down instances...
8. High Availability: when a service fails, Grapevine starts a replacement instance, ensuring the service's "min instance count" requirements are maintained...
9. Service Upgrades: Cisco deploys a new version of a service to the cloud... and the service catalogs are updated with the new version... Grapevine automatically deploys the new version of the service...
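The "min instance count", failure replacement, load-driven scaling and rolling-upgrade behaviour described in this walkthrough, as an added Python model; it is not Grapevine's code, and the node, service and method names are constructed for the example.

```python
# Constructed model of a Grapevine-style service manager (not Cisco code; the
# names are assumptions). Services declare a "min instance count"; the manager
# places instances on nodes with free capacity, replaces failed instances,
# scales with load and rolls a new service version out one instance at a time.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ServiceSpec:
    name: str
    version: str
    min_instances: int  # the "min instance count" requirement
    max_instances: int
    load_per_instance: int  # load units one instance can absorb


@dataclass
class Instance:
    service: str
    version: str
    node: str
    healthy: bool = True


@dataclass
class Node:
    name: str
    slots: int  # instances this physical host can run


class ServiceManager:
    def __init__(self, nodes: List[Node], catalog: Dict[str, ServiceSpec]):
        self.nodes = {n.name: n for n in nodes}
        self.catalog = catalog  # the service catalog; update it to roll a new version
        self.instances: List[Instance] = []

    def _used(self, node: str) -> int:
        return sum(1 for i in self.instances if i.node == node)

    def _free_node(self) -> Optional[str]:
        # Least-loaded node with a free slot, so replicas spread across hosts.
        cands = [n for n in self.nodes.values() if self._used(n.name) < n.slots]
        return min(cands, key=lambda n: self._used(n.name)).name if cands else None

    def live(self, service: str) -> List[Instance]:
        return [i for i in self.instances if i.service == service and i.healthy]

    def desired(self, service: str, load: int) -> int:
        s = self.catalog[service]
        by_load = -(-load // s.load_per_instance)  # ceiling division
        return max(s.min_instances, min(s.max_instances, by_load))

    def fail(self, service: str, node: str) -> None:
        # Simulate a service instance dying on a host.
        for i in self.instances:
            if i.service == service and i.node == node and i.healthy:
                i.healthy = False
                return

    def reconcile(self, load: Dict[str, int]) -> Dict[str, int]:
        # One pass: drop failed instances, then start or stop instances so each
        # service runs `desired` copies of the catalog version. Returns live counts.
        self.instances = [i for i in self.instances if i.healthy]
        for name, spec in self.catalog.items():
            want = self.desired(name, load.get(name, 0))
            cur = self.live(name)
            cur.sort(key=lambda i: i.version == spec.version)  # old versions first
            while len(cur) > want:  # scale down, retiring old versions first
                self.instances.remove(cur.pop(0))
            for old in [i for i in cur if i.version != spec.version]:
                node = self._free_node()  # rolling upgrade: start new before stopping old
                if node is None:
                    break  # no headroom: keep the old instance rather than drop below min
                self.instances.append(Instance(name, spec.version, node))
                self.instances.remove(old)
            while len(self.live(name)) < want:  # scale up / replace failures
                node = self._free_node()
                if node is None:
                    break
                self.instances.append(Instance(name, spec.version, node))
        return {n: len(self.live(n)) for n in self.catalog}
```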
APIC-EM Programmability
APIC-EM Positioning
[Diagram contrasting two management stacks over the network elements (NE).]
• Traditional Management: customer developed provisioning tools, manual CLI changes, and run book automation for IT Operations support. Layers: Automation (Workflow / Orchestration) → Feature Configuration Management (Provisioning and Assurance) → Management (NMS) → NE.
• SDN Led Management: customer input on business / service intent. Layers: Policy Automation → Controller (APIC-EM) → NE.
[Diagram: three systems layered over the Branch Infrastructure (Physical / Virtual) network elements.]
System of Automation: Branch Service Automation
• Branch design: prescriptive or customizable
• Service ordering
• Service provisioning
• Enterprise Service Design (Knowledge Pack integration); configuration automation for approvals and provisioning
System of Record: Prime Infrastructure
• CVD based Knowledge Pack repository
• Automated service monitoring, reporting and historical analytics
• Knowledge repository, service monitoring, trending and reporting, troubleshooting
System of Change: APIC-EM
• Network abstraction
• Configuration and change
• Policy resolution and enforcement
• Configuration change and policy compliance; network services automation
[Diagram, 2014 state: the Common Automation Layer (System of Automation) was manual or custom scripted by customers / partners; Common Monitoring / Assurance (System of Record) was Prime Infrastructure; feature configurable provisioning (System of Change) was Prime Infrastructure; no controller existed in 2014 in the Common Controller Layer for Campus/Branch above the network elements.]
[Diagram, 2015 state: the Common Automation Layer (System of Automation) is Branch Service Automation; Common Monitoring / Assurance (System of Record) is Prime Infrastructure; the System of Change combines feature configurable provisioning (Prime Infrastructure) with policy prescriptive provisioning (multiple APIC-EM apps); the Common Controller Layer for Campus/Branch is APIC-EM, above the network elements.]
Timeline:
• Q1 2015 - APIC-EM CA: Path Visualization application for network path tracing
• Q3 CY2015 - APIC-EM GA: scalable controller foundation supporting multiple use cases / apps
• Q4 2015 - APIC-EM Updates: expanded application support across multiple enterprise use cases
Prime Infrastructure:
• Prime Infra 2.2 FCS (Dec 2014): cross domain monitoring across WAN, Access, DC
• Prime Infra Niihau: integration with APIC-EM for core network service automation
• Prime Infra Lanai: integration with APIC-EM and Automation as System of Record
APIC-EM Apps:
• Q1 2015: IWAN app EFT with policy based provisioning of Secure WAN
• Q3 2015: IWAN App GA with dynamic QoS changes; BSA app EFT
• Q4 2015: multiple apps across Wireless, Access, Collab, Security and Automation
Example: Compare & Contrast
SDN Led Provisioning: Feature Configuration
Guided workflow to help design and deploy IWAN on your branch or hub:
1. Select the PIN (hub or branch)
2. Identify the device role
3. Select the IWAN features to be configured: DMVPN, PfR, AVC, QoS
4. Select the devices: hub device; branch devices by location (enables configuration of more than one branch)
5. DMVPN configuration: can be part of hub or spoke configuration
6. PfR configuration: PfR policy on the hub; PfR at the spoke with reference to the MC; out of the box 3 class model
7. QoS configuration: on the hub (8 class model); on the spoke (8 class model); NBAR based classification and shaping
8. AVC configuration: pick and choose the technologies to enable; out of the box Cisco CVD design
APIC-EM Roadmap
• Enforce Business Aligned Network Policies – Intent Based Configuration
– No more feature driven config, no more complexity for the network admin
• Works with Your EXISTING Network
– Focus is to have the SDN controller work in brownfield deployments
• A Platform for Bringing Your Own Applications Faster and Easier
– Programmable, standards based REST APIs to build your own apps
• Baseline Enterprise Applications are FREE
– Start small with key enterprise problems and expand to richer services.
Cisco's SDN Led IT Operations Management will:
• Empower IT Ops to manage the network as a system, not as a collection of resources
• Drive massive simplicity through intent based policy automation
• Deliver application-centric visibility from the branch to the datacenter
• Support existing and new devices for full investment protection
• Offer open, programmable APIs for bespoke innovation
• Realize cost savings from automation and abstraction
• Require new skills in intent based and programmable network management
"...In the SDN architecture, the control and data planes are decoupled, network intelligence and state are logically centralized, and the underlying network infrastructure is abstracted from the applications..."
https://www.opennetworking.org/images/stories/downloads/white-papers/wp-sdn-newnorm.pdf
"...open standard that enables researchers to run experimental protocols in campus networks. Provides standard hook for researchers to run experiments, without exposing internal working of vendor devices..."
http://www.openflow.org/wp/learnmore/
Why Does A Controller Matter? What Makes It Deployable?
• Smarter Apps: simplified abstractions to direct behavior in areas like security, network policy and instrumentation
• Simpler Ops: simplify management and automate operations with both customized and industry standard toolsets
• Reduce Network Complexity: low risk adoption of SDN (brownfield); a product with minimal to no programming requirement; start with a small set of real life, solvable problems
• Consistent Experience: make it easy for the customer - hide network/device variations & complexity; ability to ensure end-to-end user experience
Let The Use Case Decide..
[Diagram: a stack from abstract to detailed. Business Applications (BI, Collaboration, ERM, Analytics); IT Software Infra / Infrastructure S/W (Service Management, Orchestration, Management, Policy & Compliance); Controller; Network; Device Plug-Ins; Device.]
System of Change vs. System of Record
APIC-EM (System of Change):
• Policy enforcement
• Discovery (for change)
• Topology (for change)
• PnP
• Network state monitoring
• Device abstraction
• Network Control
Prime Infra (System of Record):
• Policy definition
• Historical reporting on events, performance and configuration changes
• Troubleshooting workflows
• Capacity Trending
• Predictive Analytics