Cisco Intelligent WAN
IWAN APIC-EM Application
Feb 23rd 2016
René and Per, Cisco DK SEs
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
Diagram labels: MPLS, Branch, 3G/4G-LTE, AVC, Internet, Private Cloud, Virtual Private Cloud, Public Cloud, WAAS, PfR
Application Optimization
• Application visibility with performance monitoring
• Application acceleration and bandwidth optimization
Secure Connectivity
• Certified strong encryption
• Comprehensive threat defense
• Cloud Managed Security for secure direct Internet access
Intelligent Path Control
• Dynamic Application best path based on policy
• Load balancing for full utilization of bandwidth
• Improved availability
Transport Independent
• Consistent operational model
• Simple provider migrations
• Scalable and modular design
• IPsec routing overlay design
Control, Management, & Automation
Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM)
A New Software-Driven Platform for Solutions Development
Published REST APIs
CATALYST®, ASR, ISR, WIRELESS
END-TO-END SOLUTIONS
Cisco® APIC-EM Services
Network Plug and Play
Discovery
PKI (Trust Manager)
Topology
Common Policy Engine
IWAN, Security, Collaboration, Services Orchestration
Device Abstraction Layer (SAL)
Typical IWAN POC LAB
Diagram labels:
• Data Center with ASR 1000 (okay to use 4000 ISR or CSR 1000)
• Data Center Master Controller: ASR 1000
• MPLS HUB: ASR 1000
• Internet HUB: ASR 1000
• Internal network in the data center: BGP, OSPF, EIGRP
• IWAN Transport: MPLS, Internet
• Greenfield for 4000 ISR
• Single Router Branch, Dual Router Branch (4000 ISR, LAN Branch Switch)
• IWAN APP
Possible Architectures
Branch
1. Dual router dual links
2. Single router dual links
3. Single router single links
SP links can be:
Internet + MPLS
Internet + Internet
Data Center
1. For a lab or POC, MC can run in one of the DMVPN hubs
2. Single data center with a separate MC
3. Dual data center with primary and transit
Monitoring
Cisco Prime Infrastructure 3.0.2+
Typical End-to-End IWAN Management
Plug and play
Secure PKI certificate automation
IWAN CVD provisioning (DMVPN, QoS, PfR, AVC)
Centralized business-policy definition
Definition of application categories path preference
Configuration archive
End-to-end assurance
Detailed, network-level monitoring (CPU, Mem, Interfaces)
Day-2 monitoring for PfR, L7 app visibility, QoS
REST APIs
Prime™ Infrastructure 3.0.2
IWAN APP
Integration with Cisco Prime Infrastructure 3.0.2 or Above
Using REST API calls, the APIC-EM will:
Automatically add every IWAN app device to Cisco Prime™ (DMVPN hubs and branch sites)
Start NetFlow export and allow Cisco® Prime to collect and process NetFlow data for AVC (L7 visibility), application response time (ART), QoS stats, PfRv3 monitor
Prime also keeps a configuration archive of each device
Configuration compliance jobs will be run by Prime on a daily basis. Detailed compliance reports are available in Prime
Enter your PI 3.0.2 credentials under global APIC-EM settings
Overall application/site health and stats
PI 3.0 PfR Dashboard
SP SLA summary: Reachability | loss | jitter | delay
Number of threshold crossings over time
PfR resolved threshold crossings/route-change events
Link details
Link Details
Detailed Site View
Threshold Crossings
Application or category usage over time for a given link/provider
QoS: application at a site on a provider link
How to Add Additional Features to a Site
Any additional features can be pushed to the router. One way is to use Cisco Prime™ to push any CLI template.
Take care when pushing new CLI commands, which may conflict with the IWAN features (like ACLs, routing, RSA keys).
Any feature pushed by the IWAN App (listed in the previous slide) must not be changed manually. Doing so will make the IWAN App policies become unsynchronized.
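A pre-push check for the caution above, as an added example that is not part of the original slides or of Cisco's tooling: it scans a CLI template for commands in the three conflict areas the slide names (ACLs, routing, RSA keys) so they can be reviewed before Prime pushes them. The command patterns, the function name and the sample template are assumptions constructed for illustration.

```python
import re

# Assumed mapping of the slide's three conflict areas to IOS configuration
# commands. The slide names only the areas; these patterns are illustrative.
CONFLICT_PATTERNS = {
    "ACLs": re.compile(r"(?:ip access-list|access-list|ip access-group)\b"),
    "routing": re.compile(r"(?:router (?:bgp|ospf|eigrp)|ip route)\b"),
    "RSA keys": re.compile(r"crypto key (?:generate|zeroize|import) rsa\b"),
}

def lint_cli_template(template):
    """Return (line_number, area, command) for each line that needs review."""
    findings = []
    for lineno, raw in enumerate(template.splitlines(), start=1):
        command = raw.strip()
        if not command or command.startswith("!"):
            continue  # blank line or IOS comment
        # A "no ..." form removes configuration and conflicts just as much.
        probe = re.sub(r"^no\s+", "", command).lower()
        probe = re.sub(r"\s+", " ", probe)
        for area, pattern in CONFLICT_PATTERNS.items():
            if pattern.match(probe):
                findings.append((lineno, area, command))
                break
    return findings

# Constructed sample template (hypothetical names and addresses).
SAMPLE_TEMPLATE = """\
! guest LAN add-on for branch routers
ntp server 192.0.2.10
interface GigabitEthernet0/0/2
 description Guest LAN
 ip access-group GUEST-IN in
ip access-list extended GUEST-IN
 permit ip any any
no router ospf 10
crypto key generate rsa modulus 2048
snmp-server location Branch-12
"""

if __name__ == "__main__":
    for lineno, area, command in lint_cli_template(SAMPLE_TEMPLATE):
        print(f"line {lineno}: touches {area}: {command}")
```

A finding is a prompt for review against what the IWAN App manages on that device, not proof of a conflict.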
IWAN App Requirements
Data Center
Two ASR 1000 routers for DMVPN hubs - one must be Internet. Two minimum interfaces: one for WAN and one for LAN, management, and hub interconnect
Hubs need to be configured with the WAN, management IP address, and with SNMP credentials before starting with IWAN app
One ASR 1000 master controller (in lab/POC; MC can run in the DMVPN hub)
HTTPS/HTTP proxy for plug and play (no need for lab/POC)
APIC-EM and IWAN app:
Server: 64-bit x86
vCPU: 6 (2.4GHz)
RAM: 64 Gigabytes
Disk space: 500 Gb
Disk I/O speed: 200 Mbps
Network adapter: 1x
Browser: Chrome (4.3.0 or later)
Cisco IOS® Software version:
Cisco® IOS-XE 3.16 or above; Cisco IOS-XE 3.16.1 is required for a dual data center
Branch Sites
4000 ISR with two clouds (one must be Internet)
3 Gigabit interfaces (4321 ISR requires a switch module)
The ISR must have a clean configuration, with no RSA keys
Either dual router with dual link, or single router dual link. Single router with single link is supported, but without PfR