APIC-EM
Vedran Hafner – Systems Engineer
Aleksandar Vulović – Systems Engineer
Agenda
• Introduction to Cisco SDN and APIC-EM intent
• What is APIC-EM?
• APIC-EM Deployment – what you get and how to use it
• Use Cases
SDN – Still Don’t kNow – Stanford Defined Networking: Many things to Many people
“A platform for developing new control planes”
“An open solution for VM mobility in the Data-Center”
“An open solution for customized flow forwarding control in the Data-Center”
“A means to do traffic engineering without MPLS”
“A way to scale my firewalls and loadbalancers”
“A solution to build a very large scale layer-2 network”
“A way to build my own security/encryption solution, avoiding RSA”
“A way to reduce the CAPEX of my network and leverage commodity switches”
“A way to define virtual networks with specific topologies for my multi-tenant Data-Center”
“A means to scale my fixed/mobile gateways and optimize their placement”
“A solution to build virtual topologies with optimum multicast forwarding behavior”
“A way to optimize link utilization in my network, through new multi-path algorithms”
“A way to avoid lock-in to a single networking vendor”
“A way to distribute policy/intent, e.g. for DDoS prevention, in the network”
“A way to configure my entire network as a whole rather than individual devices”
“A solution to get a global view of the network – topology and state”
“With SDN I can develop solutions to my problems far faster – ‘at software speeds’. I don’t have to work with my network vendor or go through lengthy standardization”
SDN Controller – Overview
OK, that looks really ugly, but wait a minute… all cars have:
• Four wheels
• Steering wheel
• Gas pedal
• Brake pedal
But completely different use-cases.
APIC-EM – Enterprise Module (Catalyst, ISR, ASR, Nexus 7k*, 6k*, 5k*, WLAN, NfV*)
APIC (DC) – Data Center (Nexus 9000)
APIC – Application Policy Infrastructure Controller
Application Centric Infrastructure (ACI) / User Centric Infrastructure (UCI)
*limited support
APIC – Design Points: There are two approaches to Control Systems
IMPERATIVE CONTROL – Baggage handlers follow sequences of simple, basic instructions
DECLARATIVE CONTROL – Air traffic control tells where to take off from, but not how to fly the plane
What is APIC-EM?
The challenges!
• Simplify your network
• Automate your network deployment and RMA
• Keep the configuration consistent
• Dynamic Policies where necessary
• Control network traffic and optimize it
• Interface with the User and Application (UCI and ACI)
• Quickly react to events like intrusion detection, collaboration events, etc.
APIC-EM similarity to a Smartphone
The APIC-EM has:
• A strong base platform for SDN use cases
• Built-in apps (e.g. QoS, ACL, Policy, etc.)
• An API to be used by ISVs, so apps can be developed by many
• One app example – Jabber / Unified Communications integration
Flexible “Programmable” Interfaces
Allow Protocol/API choice while maintaining stack integrity
Applications – northbound to the controller:
• Web UI
• YANG
• REST API
Controller: APIC-EM
Network Elements – southbound from the controller:
• CLI
• SNMP
• Web UI*
• NETCONF*
• RESTConf*
• Openstack*
• OpenFlow*
* Future Options
APIC-EM: High-Level Controller Architecture
Applications: Security, Collaboration, Services Orchestration, WAN
Northbound APIs: RESTful API (GET, PUT, POST, DELETE)
Controller: Policy, Infrastructure Automation, Network Information Database
Southbound APIs: CLI, SNMP
Network Element Layer
APIC-EM – Platform Architecture
APIC-EM Applications: Network PnP, Network Inventory, Path Trace, IWAN, Advanced Topology Visualizer
Northbound REST APIs
APIC-EM Controller
APIC-EM Services (Grapevine): Inventory Manager, RBAC, Policy Analysis, Policy (QoS), Network PnP, Data Access Service, Topology Services, IWAN Services
Elastic Service Infrastructure – addresses Scale Out and HA requirements
Easy static and dynamic QoS
Controller in Action! (image source: http://www.mysweety.eu)
Controller creates and enforces Policies: the “WHAT”
The horse takes care of: the “HOW”
APIC-EM Deployment – what you get and how to use it
APIC-EM Deployment Considerations
Bare Metal/HW Appliance (bottom to top):
• Server Hardware
• Operating System
• GV Root
• LXC Containers – each with a GV Client and its Libs/Bins
Virtual Appliance (bottom to top):
• Server Hardware
• Hypervisor and/or Host OS
• Virtual Machine
• Operating System
• GV Root
• LXC Containers – each with a GV Client and its Libs/Bins
Before You Deploy: System Requirements
• Server: 64-bit x86 (should be supported by Ubuntu 14.04 LTS)
• vCPU: 6 (2.4 GHz) or more
• RAM: 64 GB (for single-host deployments) / 32 GB (for multi-host deployments)
• Storage: 500 GB HDD
− Hardware-based RAID at RAID level 10
− Disk I/O Speed: 200 MBps
• Network adaptor: 1 x
• Browser: Google Chrome (44.0 or later)
• Hypervisor: VMware vSphere 5.1/5.5 (for Virtual Appliance) – tested; should run on any
Single Host:
• There will be no virtual IPs configured
• All inbound requests into APIC-EM will be via the host IPs (like they are with CA2 and CA3)
• The customer can convert their deployment into a multi-host deployment at a later time
Multi Host:
• The customer will provide the virtual IPs Grapevine should use (one for each external network) during the config wizard workflow
• On startup, Grapevine will bring up the virtual IPs on one of the hosts
• All inbound requests into APIC-EM will be via these virtual IPs (instead of the host IPs), and the requests will be routed to the services running on different hosts via the reverse-proxy
• If the host which has the virtual IP dies, Grapevine will bring up the virtual IP on one of the remaining hosts
Multi-Host Deployment
Note: For the general availability release, all the nodes in the APIC-EM cluster need to be in the same subnet
APIC-EM Cluster: Node 1 (IP Addr1), Node 2 (IP Addr2), Node 3 (IP Addr3), reachable through one Virtual IP Address
External services: Cisco® Cloud, NTP, DNS, etc.
Clients of the Virtual IP: REST APIs and APIC-EM UI; Network Devices
APIC-EM – 5 step installation
Physical Appliance or Virtual Downloadable ISO Image
• Pre-installed APIC-EM software on the appliance; .ISO for virtual
• APIC-EM Appliance SKUs:
− APIC-EM-APL-R-K9
− APIC-EM-APL-G-K9
• OS: Ubuntu 14.04 64-bit
• Deployment Options:
− Bare-metal install (recommended)
− Virtual machine
1. Boot .iso
2. Enter IP address – Enter APIC-EM IP (Subnet / Def GW learned automatically)
3. Change Credentials – Shell and UI Username and PWD plus CCO login for update
4. Add NTP Server – Enter NTP Server IP (mandatory!)
5. Finalize Installation – Finalize installation and bring up controller
Network Discovery – Input Parameters
• Seed IP address for CDP-based network discovery
• IP address range for discovery scope – click on the Add icon to provide multiple IP address ranges
SDN Innovation: Network Information Base Provides 1 Source of Truth
User Defined Group Tagging Allows Applications to Segment Analysis and Control (not shown here)
APIC-EM Demo
API: VERBS + NOUNS + Syntax
Verbs: GET, POST, PUT, DELETE
JSON Syntax:
{
  "policyOwner": "Admin",
  "networkUser": {
    "userIdentifiers": ["40.0.0.15"],
    "applications": [{"raw": "12340;UDP"}]
  }
}
Header: Content-Type: Application/JSON
Example: https://fra-apicem1.cisco.com/api/v1/network-device GET/POST
Nouns (resources):
/host
/link
/network-device
/interface
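The verb + noun + JSON body pattern above, as an added Python example that is not part of the deck or of Cisco's code: it validates the user identifier and the "port;protocol" application string before assembling the slide's policy body, then composes the request with the Content-Type header without sending it. The base URL is a constructed placeholder; the "policy" resource name and the X-Auth-Token service-ticket header are assumptions about the APIC-EM API that the slide does not show.

```python
import ipaddress
import json
import urllib.request

# Added example (not from the slides or Cisco): assembles the policy body shown on the
# slide and a ready-to-send request object, validating inputs before anything reaches
# the controller. BASE_URL is a constructed placeholder, not a real controller.
BASE_URL = "https://apicem.example.invalid/api/v1"
VERBS = {"GET", "POST", "PUT", "DELETE"}
PROTOCOLS = {"TCP", "UDP"}


def application_raw(port, proto):
    """Return the 'port;PROTO' string used in the slide's applications list."""
    if not 0 < port <= 65535:
        raise ValueError("port out of range: %r" % port)
    proto = proto.upper()
    if proto not in PROTOCOLS:
        raise ValueError("unsupported protocol: %r" % proto)
    return "%d;%s" % (port, proto)


def build_policy(owner, user_ips, apps):
    """Build the slide's policy JSON: owner, user IPs, and (port, proto) applications."""
    identifiers = [str(ipaddress.ip_address(ip)) for ip in user_ips]  # rejects non-IPs
    return {
        "policyOwner": owner,
        "networkUser": {
            "userIdentifiers": identifiers,
            "applications": [{"raw": application_raw(p, pr)} for p, pr in apps],
        },
    }


def build_request(resource, method, body=None, token=None):
    """Compose VERB + NOUN + JSON body into a urllib Request (nothing is sent here)."""
    if method not in VERBS:
        raise ValueError("unsupported verb: %r" % method)
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request("%s/%s" % (BASE_URL, resource.strip("/")),
                                 data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:  # service-ticket header of the APIC-EM API; assumed, not on the slide
        req.add_header("X-Auth-Token", token)
    return req


if __name__ == "__main__":
    policy = build_policy("Admin", ["40.0.0.15"], [(12340, "UDP")])
    req = build_request("policy", "POST", policy, token="<service-ticket>")
    print(req.get_method(), req.full_url, req.data.decode())
```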
Use Cases
Network Plug and Play (PnP)
1. Discovery – Device can reach PnP Server on APIC-EM
2. Deployment – Device receives target image and configuration
No Staging Required – PnP runs from Cisco Factory-Default Configuration
Supported: Switches (Catalyst®), Routers (ISR, ASR), Wireless Access Points
Network Plug and Play (PnP) – Components
PnP Server
• Central Server on APIC-EM
• Manages sites, devices, images, licenses, workflow
• Provides Northbound REST APIs
PnP Agent
• Runs on Cisco® switches, routers, and wireless access points
• Automates the deployment process
PnP Protocol
• Runs between Agent and Server
• Open Schema
PnP Helper App [Optional]
• Delivers bootstrap, status and troubleshooting checks
• Console adapters: Redpark RJ45 Apple 30pin, Redpark RJ45 Apple 8pin, GetConsole Airconsole2.0 Bluetooth Adapter
Cloud Redirect Service [Optional]
• Roadmap Phase 2
PnP – Discovery Options
Applies to Switches (Catalyst®), Routers (ISR, ASR), Wireless Access Points
1. DHCP Server – DHCP with options 60 and 43
   PnP string: 5A1D;B2;K4;I172.19.45.222;J80
2. DNS Server – DNS lookup
   pnpserver.localdomain ---- 172.19.45.222 (PnP Server)
3. Cloud re-direction – roadmap (Q4CY2015)
   https://devicehelper.cisco.com/device-helper re-directs to 172.19.45.22 (PnP Server)
4. USB-based bootstrapping
5. Manual – using the Cisco® Installer App
   iPhone, iPad, Android, (roadmap – Windows mobile and PC)
X. Others – Any other manual or automated discovery method: Scripting, AN, EEM, NAP, etc.
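The DHCP option 43 PnP string from discovery option 1, as an added Python example that is not part of the deck or of Cisco's tooling: it parses the string into its fields and lists what a reviewer of the DHCP scope should notice, such as a plaintext HTTP transport. The field codes follow Cisco's published PnP option format; the parser's structure, the "extra" bucket for tags it does not know, and the warning texts are this example's own.

```python
import ipaddress
import re

# Added example (not from the slides or Cisco): parses the slide's DHCP option 43 PnP
# string "5A1D;B2;K4;I172.19.45.222;J80". Field codes per Cisco's PnP option format:
# 5A = PnP suboption, 1 = version, D/N = debug on/off, B = address type (1 hostname,
# 2 IPv4), K = transport (4 HTTP, 5 HTTPS), I = server address, J = port.
ADDRESS_TYPES = {"1": "hostname", "2": "ipv4"}
TRANSPORTS = {"4": "http", "5": "https"}


def parse_pnp_string(text):
    fields = text.strip().split(";")
    m = re.fullmatch(r"5A(\d)([DN])", fields[0])
    if not m:
        raise ValueError("not a PnP option 43 string: %r" % fields[0])
    out = {"version": int(m.group(1)), "debug": m.group(2) == "D", "extra": {}}
    for field in fields[1:]:
        tag, value = field[:1], field[1:]
        if tag == "B" and value in ADDRESS_TYPES:
            out["address_type"] = ADDRESS_TYPES[value]
        elif tag == "K" and value in TRANSPORTS:
            out["transport"] = TRANSPORTS[value]
        elif tag == "I":
            out["server"] = value
        elif tag == "J" and value.isdigit():
            out["port"] = int(value)
        else:  # unknown or malformed tag: kept for inspection, not silently dropped
            out["extra"][tag] = value
    for required in ("address_type", "transport", "server", "port"):
        if required not in out:
            raise ValueError("missing or malformed PnP field: %s" % required)
    if out["address_type"] == "ipv4":
        ipaddress.IPv4Address(out["server"])  # raises ValueError on a malformed address
    if not 0 < out["port"] <= 65535:
        raise ValueError("bad port: %d" % out["port"])
    return out


def bootstrap_warnings(parsed):
    # Properties of the bootstrap a defender would want flagged in a DHCP scope review.
    warnings = []
    if parsed["transport"] == "http":
        warnings.append("plaintext HTTP: image and configuration are fetched without TLS")
    if parsed["debug"]:
        warnings.append("debug flag set: verbose PnP agent output on the device")
    return warnings


if __name__ == "__main__":
    parsed = parse_pnp_string("5A1D;B2;K4;I172.19.45.222;J80")
    print(parsed, bootstrap_warnings(parsed))
```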
APIC-EM GA Code in production: 867 Devices, 4784 Hosts
Path Trace (Trace)
Path Trace with Statistics (GA+1)
EasyQoS Solution
Platform – Trust Boundary / PEP – Queuing structure:
• Wireless AP – Trust Boundary, PEP – 4Q (WMM)
• Catalyst 2960-X – Trust Boundary, PEP – 1P3Q3T
• Catalyst 3650 – Trust Boundary, PEP – 2P6Q3T
• Catalyst 4500 – 1P7Q1T
• Catalyst 6500 – 1P3Q4T, 1P7Q4T, 2P6Q4T, …
• Nexus 7700 – F3: 1P7Q1T
• WLC – PEP
• ASR/ISRs – MQC
Network Operators express high-level business-intent to APIC-EM EasyQoS.
Applications can interact with APIC-EM via Northbound APIs, informing the network of application-specific and dynamic QoS requirements.
Southbound APIs translate business-intent to platform-specific configurations.
What Do We Do Under-the-Hood? Apply RFC 4594-based Marking / Queuing / Dropping Treatments
Application Class | Per-Hop Behavior | Queuing & Dropping | Application Examples
VoIP Telephony | EF | Priority Queue (PQ) | Cisco IP Phones (G.711, G.729)
Broadcast Video | CS5 | (Optional) PQ | Cisco IP Video Surveillance / Cisco Enterprise TV
Real-Time Interactive | CS4 | (Optional) PQ | Cisco TelePresence
Multimedia Conferencing | AF4 | BW Queue + DSCP WRED | Cisco Jabber, Cisco WebEx
Multimedia Streaming | AF3 | BW Queue + DSCP WRED | Cisco Digital Media System (VoDs)
Network Control | CS6 | BW Queue | EIGRP, OSPF, BGP, HSRP, IKE
Signaling | CS3 | BW Queue | SCCP, SIP, H.323
Ops / Admin / Mgmt (OAM) | CS2 | BW Queue | SNMP, SSH, Syslog
Transactional Data | AF2 | BW Queue + DSCP WRED | ERP Apps, CRM Apps, Database Apps
Bulk Data | AF1 | BW Queue + DSCP WRED | E-mail, FTP, Backup Apps, Content Distribution
Best Effort | DF | Default Queue + RED | Default Class
Scavenger | CS1 | Min BW Queue (Deferential) | YouTube, Netflix, iTunes, BitTorrent, Xbox Live
APIC-EM Easy-QoS – What happens if you get a new Application? Example: QoS Video Classification Enables Enterprise-Wide Jabber
1. Define new Application – Jabber Video
2. Update QoS Policy
3. Push Updated QoS Policy to Network Devices
4. Deploy Jabber Video Client
SDN-Enabled QoS for Collaboration
Lifecycle: Express Business Intent → Deploy Policy → Identify Media → Classify & Schedule → Provision Resource Control → Monitor / Troubleshoot → Optimize
Components: Prime Collaboration Assurance; marking classes EF, AF41, BE
• Campus Switches: APIC-EM EasyQoS
• WAN Edge: APIC-EM IWAN
• Consistent marking of audio (EF)
• Single video queue (AF4x)
• Allow different drop priorities for video
• Bandwidth Planning
• Video Rate Adaptation
• Untrusted devices: Per-flow marking via APIC-EM
• Trusted devices: Trust extension via APIC-EM
• Prime Collaboration Monitoring Assurance and Diagnostics: Media Flow Analysis with APIC-EM
SourceFire Integration: Network Threat Defense – Dynamic Network Branch Security
Diagram elements: CUCM, SourceFire Defence Center, SDN Controller, HQ, WAN, Internet, Branch, ISR, ISR Sensor, SourceFire Sensor
1. BYOD Malware/Javascript Attack
2. SF Sensor detects threat
3. SF DC notifies Controller
4. Remediation API event
5. Policy installed on Access switch port by Controller
6. Block or quarantine end-point
Flow: Malware Attack → Defence Centre Alert!!!! → Controller Notification → Remediation Policy Enforcement → Host Quarantined
Cisco APIC-Enterprise Module – Use Case: Granular Control Per User Per Application Access Policy Enforcement
Diagram elements: CAMPUS, ISE, AD/Radius Server, a “Block Bit-Torrent” policy at the campus and again at the branch
User moves to a branch site. Policy moves with it.
1. Admin configures business policy to block application traffic on a per user basis
2. Controller uses identity information to install user specific access policy at the edge
3. If the user moves, the controller dynamically moves the user policy along with it, providing near real time granular control
Identity Services
• APIC-EM can gather user identity information via:
− Cisco Identity Services Engine (ISE) through Cisco Platform Exchange Grid (pxGrid)
− RADIUS proxy
− Active Directory through LDAP calls (*)
• Identity information is a key enabler for highly sophisticated policies with user level information for tighter enforcement.
Network as “firewall” – Service Description
(*) Roadmap
Intelligent WAN (IWAN) Solution Components
Management and Orchestration: IWAN APP, Cisco Prime™
Transports: MPLS, Internet, 3G/4G-LTE; reaching Private Cloud, Virtual Private Cloud, Public Cloud; Branch with AVC
• Transport Independence – DMVPN, PKI; IPSec WAN overlay; consistent operational model
• Intelligent Path Control – Performance Routing (PfRv3), QoS; optimal application routing; efficient use of bandwidth
• Application Optimization – AVC, WAAS, Akamai; performance monitoring; optimization and caching
• Secure Connectivity – Suite-B, CWS, ZBFW; NG strong encryption; threat defense
IWAN App on APIC-EM
Three main areas:
1. Hub site and settings – Step-by-Step Network and Hub Settings
2. Administration of application policy – Simple Policy Definition and Customization
3. Branch site setup – Policy-Driven IWAN Site Deployment including PnP and Monitoring
Use Case: Path Preference (iWAN) – Automated Provisioning of Routing Paths
Diagram: Data Center (ASR, ASR) and Branch (ISR-G2) connected over MPLS (SP) and Internet (ISP); TP – Video flows; delays shown: Delay = 50, Delay = 70, Delay = 90, Delay = 200; Deteriorating Video Quality; APIC-EM ACTION
1. Video forwarded over MPLS and Youtube over Internet
2. Delay goes up on MPLS circuits, deteriorating Video quality
3. Performance monitoring App instructs controller to reroute Video traffic over better path
4. Appropriate QoS policies are also provisioned to ensure proper handling of video on internet circuit
Cisco Prime and Cisco APIC Enterprise Module
Layers: Management Layer, Control Layer, Device Layer
Operational Automation:
• Policy and Service Definition
• Automated Assurance Provisioning
• Visualization, Trending and Analytics
Network Intelligence:
• Device Layer Abstraction
• Network Control
• Policy Enforcement & Network Change
Cisco APIC Common ACI Architecture
Cisco Devices: Enterprise Networks, Data Center
APIC for datacenter / APIC Enterprise Module
Southbound: CLI, OpenFlow, OnePK API
Northbound: REST API (ONE DevKit)
Management functions: Catalog/Provisioning, Fault/Events, User/Data Management, Performance Monitoring, Reporting/Analytics
Consumers: Cisco IAC, UCSD, 3rd Party Apps, PRIME INFRASTRUCTURE & NAM
Cisco Prime Infrastructure PnP – your choice today… (for PnP, on the same Cisco APIC Common ACI Architecture)
Conclusion & Summary
APIC EM as a Platform
• BASIC SERVICES (free platform and APIs): Discovery, Inventory, Topology, Policy, PnP…
• GRAPEVINE ELASTIC ARCHITECTURE
• REST APIs
• App-Service Extensions / Solution Apps / App-Services (licensed based on Solution purchased – includes APIs)
• TAC Support if Appliance or Network has a service coverage.
APIC-EM in dCloud: http://dcloud.cisco.com
APIC-EM on DevNet: https://devnetsandbox.cisco.com
Fun stuff to watch…
• Fundamentals of Cisco APIC-EM – https://www.youtube.com/watch?v=17lDRT9tuWY
• Metadata-Defined Data Center, Mike Dvorkin, Cisco Systems – http://techfieldday.com/appearance/introducing-the-next-generation-sddc-leaders-1
• Developing OpenDaylight Apps with MD-SAL – https://www.youtube.com/watch?v=uBnDJNsd6Qo
• Application Centric Infrastructure (ACI) Overview – http://www.youtube.com/watch?v=VZWwjNAiUpI
Thank you