Cisco Digital Network Architecture (DNA) with APIC-EM



The Network Enables Business Transformation

Published in: Technology

  1. The Network Enables Business Transformation: Cisco Digital Network Architecture (DNA) with APIC-EM
  2. Digital Transformation is Moving IT to the Boardroom
     • UPS My Choice: delivery control, personalized service, customer experience
     • Physical and virtual RFID: workforce efficiency, WIP inventory and part tracking
     • American Express: personalized service through mobile
     • Starbucks apps: order ahead, skip the line
  3. …And Creating New Priorities for the Digital Organization
     • Simplify / automate processes: faster time to market, leaner operations
     • Empower workforce efficiency and innovation: increased productivity, better retention
     • Personalize customer / citizen experience: increased loyalty, greater insight
     • Trends (IoT, Mobility, Analytics, Cloud): mobile traffic will exceed wired traffic by 2017; IoT devices will triple by 2020; 75% of companies are planning to or investing in Big Data; 80% of organizations will primarily use SaaS by 2018
  4. Network: A New Infrastructure for the Digital Organization
  5. Network Requirements for the Digital Organization (Cisco Digital Network Architecture)
     • Insights & Actions: drive business innovations
     • Security & Compliance: real-time & dynamic threat defense
     • Automation & Assurance: speed, simplicity and visibility
  6. Evolution of Networking: software, virtualization, secure, controllers, common policy, portability, standards, analytics, open APIs, cloud, ISVs. Open questions: How does this come together? How do I build applications? How do I ensure security? How do I achieve speed & simplicity?
  7. Cisco Digital Network Architecture Principles
     • Cloud enabled
     • Automation: abstraction & policy control from core to edge
     • Open & programmable: standards-based, open APIs, developer environment
     • Network-enabled applications: collaboration, mobility, IoT, security
     • Virtualization: physical & virtual infrastructure, app hosting
     • Analytics: structured data, contextual insights
     • Benefits: insights & actions, automation & assurance, security & compliance
  8. What's New: Cisco DNA Innovations (available on DNA-Ready Infrastructure through Cisco ONE Software)
     • New! Enterprise NFV: branch service virtualization, controlled availability March 2016
     • New! APIC-EM Automation Platform: completely new platform, available now
     • Base automation: Plug and Play, available now
     • Policy services: IWAN App & Easy QoS, available now | March 2016, respectively
     • New! CMX Cloud: presence analytics and Connect, available now (US only; Apr 2016 for ROW)
  9. DNA Automation - APIC-EM
  10. Drivers for SDN: too many manual processes; change/config management difficulties; maintenance window inhibits new technology implementation; provisioning difficulties (40%, 36%, 29%, 28% respectively)
  11. How do we solve the problem? Cisco SDN-led management (business intent, programmability, automation) delivering simplification, higher agility and lower OPEX
  12. These goals are shaping our SDN strategy: network automation and simplification; a network with greater application awareness
  13. APIC controller family: APIC-EM (Enterprise Module) covers Catalyst, ISR, ASR, Nexus 7k*, 6k*, 5k*, WLAN and NFV*; APIC-DC (Data Center) covers Nexus 9000. APIC = Application Policy Infrastructure Controller; Application Centric Infrastructure (ACI); User Centric Infrastructure (UCI). *limited in EFT2 and CA
  14. APIC-EM similarity to a smartphone. The APIC-EM has: a strong base platform for SDN use cases; built-in apps (e.g. QoS, ACL, Policy, etc.); an API to be used by ISVs, so apps can be developed by many. One app example: Jabber / Unified Communications integration
  15. Flexible "programmable" interfaces: allow protocol/API choice while maintaining stack integrity
     • Network elements to controller (APIC-EM): CLI, SNMP, Web UI*, NETCONF*, XML*, RESTCONF*, OpenStack*, OpenFlow*
     • Controller to applications: Web UI, YANG, REST API
     • *Future options
  16. Controller architecture (high level): applications (Security, Collaboration, Orchestration, Services, WAN) sit on top of the controller (policy infrastructure, automation, network information database), which reaches the network element layer over CLI, NETCONF, RESTCONF, OpenFlow... CLI provides investment protection
  17. APIC-EM: runs on x86 hardware (single ISO now); hypervisor agnostic; single touch point, fast & easy install; policy-based service management; role-based access control; auto-scale service model; highly available; seamless upgrade
  18. What is a Business Policy? Who (endpoints, to and from), What (access to resources, monitoring), Where (scope, location), When (time based, event triggered)
  19. Policy Examples
     • Engineering Group (Who: From); Engineering Applications (Who: To); Laptop (Who: Device Type); Permit (What: Action); Properties: priority level high, trust level high (What: Action Properties)
     • Tom (Who: From); Netflix (Who: To); Permit (What: Action); Properties: priority level low, trust level low (What: Action Properties); Cafeteria (Where: Location); 11AM-1PM (When: Time)
  20. APIC-EM platform overview
     • Layers: network elements; controller (protocol-agnostic southbound abstraction layer, network programmer, policy manager, app services, REST APIs); applications (Cisco IWAN, Cisco PnP, Cisco Easy QoS, 3rd party apps)
     • Automation across greenfield & brownfield: 1538 software downloads, 117 customers, deployments running up to 2500 sites
     • Scale and resiliency enabled with elastic platform and controller clusters
     • Proven out-of-box support for a broad set of devices
     • Growing ecosystem: 50+ partners
     • Integrated monitoring and troubleshooting for apps
     • "APIC EM with IWAN App allows us to save 40% in annual circuit costs while adding in desperately needed intelligence to our application routing metrics." Dan Schiefer, San Diego Court IT, Sep 11, 2015
  21. Network Plug-n-Play
  22. Device On-boarding: Customer Challenges. Today: central staging facility (install OS, install base config), shipping to the end site, then a techy installer at the site (Site-1), involving network admin, installer, customer and partner. Operational challenges for end-site installation:
     • Direct costs: pre-staging & shipping costs; travel costs
     • Security: 3rd party not secure; rogue devices
     • Time/productivity: manual process; shipping, storage, travel
     • Complexity: configuration errors; different products, IOS releases
  23. Network Plug-n-Play: simple, secure & consistent device on-boarding for enterprise platforms (Catalyst switches, ISR/ASR routers, wireless APs)
     • Simple: zero-touch provisioning of campus & branch deployments; GUI-based workflows; robust discovery mechanisms for all deployment types (DHCP, DNS, mobile app, USB); cloud redirect service for automated branch deployments (roadmap)
     • Secure: SUDI-based device authentication; CA-based server (APIC-EM) authentication; secure HTTPS-based image & configuration downloads; no configuration access for the installer; unplanned device workflow, where the admin claims the device
     • Consistent: support for end-to-end enterprise platforms (switches, routers, APs); consistent workflows for all platforms; backward compatible with Smart Install (switches only); integrated with PI 3.x workflows
  24. Network Plug and Play components
     • PnP Agent: runs on Cisco switches, routers and wireless access points; automates the deployment process
     • PnP Server: central server (APIC-EM); manages sites, devices, images, licenses; provides northbound REST APIs
     • PnP Protocol: runs between agent and server; open schema
     • PnP Helper App: delivers bootstrap status and troubleshooting checks
  25. PnP & APIC-EM programmable interface: Cisco devices (Catalyst, ISR, ASR, access points) talk CLI and the PnP protocol to the PnP service / PnP server inside the APIC-EM controller, which keeps the device repository and database. Northbound, the APIC-EM API and the PnP REST API serve the Network PnP application UI (topology discovery, pre-provisioning, ad-hoc and unclaimed devices), the IWAN app, the enterprise applications and orchestration layer, and the customer's existing automation framework (i.e. Python script, configuration generator)
  26. PnP Server Discovery Options (PnP agent on Catalyst switches, ISR/ASR routers and wireless access points)
     1. DHCP with options 60 and 43 from the DHCP server; PnP string: 5A1D;B2;K4;I172.19.45.222;J80
     2. DNS lookup of pnpserver.localdomain on the DNS server, resolving to the PnP server
     3. Cloud re-direction (roadmap, Q4CY2015), redirecting to the PnP server
     4. USB-based bootstrapping
     5. Manual, using the Cisco Installer App (iPhone, iPad, Android)
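A parser and sanity check for the option 43 discovery string on slide 26, added here as an example that is not part of the deck or of Cisco's software; it also accepts hostname and HTTPS variants the slide does not show. The field meanings it decodes (5A1N/5A1D marker with debug flag, B1/B2/B3 address type, K4/K5 for HTTP/HTTPS, I server, J port, optional T trustpool URL and Z NTP server) are taken from Cisco's published PnP format as the editor recalls it and are an assumption, not something the slides state; the set of authorized controllers is a constructed value.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

# The discovery string from the "PnP Server Discovery Options" slide.
SAMPLE_PNP_STRING = "5A1D;B2;K4;I172.19.45.222;J80"
ADDRESS_TYPES = {"1": "hostname", "2": "ipv4", "3": "ipv6"}
TRANSPORTS = {"4": "http", "5": "https"}


@dataclass
class PnPDiscovery:
    debug: bool
    address_type: str                 # hostname / ipv4 / ipv6
    transport: str                    # http / https
    server: str
    port: int
    trustpool_url: Optional[str] = None
    ntp_server: Optional[str] = None
    warnings: List[str] = field(default_factory=list)


def parse_pnp_option43(raw: str) -> PnPDiscovery:
    """Parse a Cisco Network PnP DHCP option 43 string into its fields.

    Field meanings are an assumption from Cisco's documented format, not from the
    deck: 5A1N/5A1D = PnP marker with debug off/on; B1/B2/B3 = server given as
    hostname/IPv4/IPv6; K4/K5 = HTTP/HTTPS; I = server; J = port;
    T = trustpool bundle URL (optional); Z = NTP server (optional).
    """
    parts = [p.strip() for p in raw.strip().strip('"').split(";") if p.strip()]
    if not parts or parts[0] not in ("5A1N", "5A1D"):
        raise ValueError("not a PnP option 43 string (expected leading 5A1N or 5A1D)")
    fields = {}
    for part in parts[1:]:
        key, value = part[0], part[1:]
        if key in fields:
            raise ValueError(f"duplicate field {key!r}")
        fields[key] = value
    missing = [k for k in ("B", "K", "I", "J") if k not in fields]
    if missing:
        raise ValueError(f"missing required field(s) {missing}")
    if fields["B"] not in ADDRESS_TYPES or fields["K"] not in TRANSPORTS:
        raise ValueError("unknown address-type (B) or transport (K) code")
    address_type, server = ADDRESS_TYPES[fields["B"]], fields["I"]
    # The address must agree with the declared B type; a mismatch means the agent
    # would be handed a string it cannot use (or one that was edited in transit).
    if address_type != "hostname":
        if ipaddress.ip_address(server).version != int(address_type[-1]):
            raise ValueError(f"server {server!r} is not an {address_type} address")
    port = int(fields["J"])
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    disc = PnPDiscovery(parts[0] == "5A1D", address_type, TRANSPORTS[fields["K"]],
                        server, port, fields.get("T"), fields.get("Z"))
    if disc.transport == "http":
        disc.warnings.append("K4 selects cleartext HTTP for the call-home; K5 (HTTPS) "
                             "lets the agent authenticate the PnP server first")
    if disc.debug:
        disc.warnings.append("debug (1D) is enabled; use 1N outside troubleshooting")
    return disc


def points_at_authorized_server(disc: PnPDiscovery, authorized: Set[str]) -> bool:
    """True when the DHCP-served string names a controller we operate. Anything else
    deserves an alert: a rogue or misconfigured DHCP server would steer fresh devices
    to a PnP server of its own choosing."""
    return disc.server.lower() in {a.lower() for a in authorized}
```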
  27. Network PnP: pre-provisioning workflow
     • Pre-provision: the N-PnP app on APIC-EM is pre-provisioned with the device serial number; the admin configures device discovery (DHCP option 43 or DNS)
     • Discovery: the installer powers on the devices; the PnP agent authenticates the device to the N-PnP app on APIC-EM
     • Secure deployment: devices securely download image & configuration
  28. Summary
     • Solution: Cisco Network PnP is a simple, highly secure and scalable automated network device deployment solution; the agent is supported on end-to-end Cisco IOS Software products; the Cisco APIC-EM is the central server for the solution; programmability: the APIC-EM allows scripting (REST API) to automate server workflows; Python server reference implementation in DevNet: Give link here; open-source protocol available: customers and partners can adapt the PnP server into their own processes or build their own server based on open protocols (the schema is proprietary, even if using XMPP)
     • Benefits: no pre-staging of devices; unskilled installer at remote sites; GUI-based workflows; highly secure and scalable
  29. DNA Easy QoS
  30. Customer Challenges
     • Customers are endeavoring to increase employee productivity through the effective and innovative use of collaborative applications
     • Collaboration quality of experience should be seamless, regardless of platform, media or location
     • The foremost barrier to enabling QoS/QoE is complexity, as end-to-end designs need to be comprehensive and cohesive
  31. EasyQoS Solution
     • Network operators express high-level business intent to APIC-EM
     • Applications can interact with APIC-EM via northbound APIs, informing the network of application-specific and dynamic QoS requirements
     • Southbound APIs translate business intent to platform-specific configurations
     • Platform queuing models: wireless AP (trust boundary, PEP) 4Q (WMM); Catalyst 2960-X (trust boundary, PEP) 1P3Q3T; Catalyst 3650 (trust boundary, PEP) 2P6Q3T; Catalyst 4500 1P7Q1T; Catalyst 6500 1P3Q4T / 1P7Q4T / 2P6Q4T …; Nexus 7700 F3: 1P7Q1T; WLC (PEP); ASR/ISRs MQC
  32. EasyQoS GUI Step 1: Select a Scope for Policy Application
  33. EasyQoS GUI Step 1 (continued): Select a Scope for Policy Application
  34. EasyQoS GUI Step 2: (Optional) Change Application Business-Relevance
  35. EasyQoS GUI Step 3: (Optional) Add Custom Applications
  36. What Do We Do Under-the-Hood? Apply RFC 4594-based marking / queuing / dropping treatments

     | Application Class | Per-Hop Behavior | Queuing & Dropping | Application Examples |
     |---|---|---|---|
     | VoIP Telephony | EF | Priority Queue (PQ) | Cisco IP Phones (G.711, G.729) |
     | Broadcast Video | CS5 | (Optional) PQ | Cisco IP Video Surveillance / Cisco Enterprise TV |
     | Real-Time Interactive | CS4 | (Optional) PQ | Cisco TelePresence |
     | Multimedia Conferencing | AF4 | BW Queue + DSCP WRED | Cisco Jabber, Cisco WebEx |
     | Multimedia Streaming | AF3 | BW Queue + DSCP WRED | Cisco Digital Media System (VoDs) |
     | Network Control | CS6 | BW Queue | EIGRP, OSPF, BGP, HSRP, IKE |
     | Signaling | CS3 | BW Queue | SCCP, SIP, H.323 |
     | Ops / Admin / Mgmt (OAM) | CS2 | BW Queue | SNMP, SSH, Syslog |
     | Transactional Data | AF2 | BW Queue + DSCP WRED | ERP Apps, CRM Apps, Database Apps |
     | Bulk Data | AF1 | BW Queue + DSCP WRED | E-mail, FTP, Backup Apps, Content Distribution |
     | Best Effort | DF | Default Queue + RED | Default Class |
     | Scavenger | CS1 | Min BW Queue (Deferential) | YouTube, Netflix, iTunes, BitTorrent, Xbox Live |
  37. Establish Trust Boundaries and Policy Enforcement Points (PEPs)
     • The trust boundary is the point where Layer 2 or Layer 3 markings are accepted or rejected
     • The Policy Enforcement Point (PEP) is the edge where classification and marking policies are enforced
     • The PEP may or may not be the same as the trust boundary
     • Multiple PEPs may exist for different types of network devices (router PEP, switch PEP)
     • EasyQoS will deploy wired and wireless trust boundaries at the network edges, and PEPs at the network edges as well as at strategic locations (where extended classification technologies may be available)
     • Guiding mandate: each device will be configured to express the business intent with maximum fidelity to the best of its capabilities
  38. Deploy End-to-End DSCP-Based Queuing Policies: EasyQoS will seamlessly interconnect all types of hardware and software queuing models to achieve consistent and compatible end-to-end treatments aligned with the expressed business intent
  39. Dynamic QoS Workflow
  40. Business Value of Dynamic QoS
     • No need to open a wide UDP port range in your trust boundary, making your network more secure
     • No need for DPI at the edge
     • Classification becomes application-aware, yet lightweight
     • Supports wireless & BYOD devices without client software upgrades
     • Supports brownfield deployments
  41. EasyQoS GUI Step 4: (Optional) Enabling Dynamic QoS
  42. Dynamic QoS Workflow Part 1: Proceeding Voice/Video Call
     • CUCM signals APIC-EM of a proceeding call via a northbound REST API
     • APIC-EM acknowledges the flow and assigns a Flow-ID
     • APIC-EM deploys dynamic ACLs for voice and/or video to the specific switch ports hosting the endpoints

     Request and response as shown on the slide (the endpoint addresses are blank in the captured slide):

     ```
     POST /api/v0/fms/flow
     {"srcIPAddress":"","dstIPAddress":"","srcPort":31999,"dstPort":21141,"mediaType":"video","qosClassName":"","averageBandwidth":0,"peakBandwidth":0,"appid":"CUCM","codec":"H.264"}

     {"response":{"data":"success","flowId":"bc8727b7-76d0-4bac-94b9-fa6b76a1a803"},"version":"0.0"}
     ```

     ACLs pushed to the switch port of each endpoint (host addresses are missing in the captured slide):

     ```
     ip access-list extended VOICE
      permit udp host eq 18578 host eq 17333
     ip access-list extended VIDEO
      permit udp host eq 31199 host eq 24141

     ip access-list extended VOICE
      permit udp host eq 17333 host eq 18578
     ip access-list extended VIDEO
      permit udp host eq 24141 host eq 31199
     ```
  43. Dynamic QoS Workflow Part 2: Terminating Voice/Video Call
     • CUCM signals APIC-EM to delete the Flow-ID of a terminating call
     • APIC-EM removes the dynamic ACLs for voice and/or video from the specific switch ports hosting the endpoints

     ```
     DELETE /api/v0/fms/flow/bc8727b7-76d0-4bac-94b9-fa6b76a1a803
     ```

     ```
     ip access-list extended VOICE
      no permit udp host eq 18578 host eq 17333
     ip access-list extended VIDEO
      no permit udp host eq 31199 host eq 24141

     ip access-list extended VOICE
      no permit udp host eq 17333 host eq 18578
     ip access-list extended VIDEO
      no permit udp host eq 24141 host eq 31199
     ```
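A small stand-in for the flow service behind the POST and DELETE calls on slides 42 and 43, added here as an example; it is hypothetical code, not APIC-EM's implementation. It shows what makes the per-call entry narrower than a standing UDP range: each ACL entry names both hosts and both ports, the entry on the source endpoint's port is mirrored on the destination endpoint's port, a malformed request changes nothing, and deleting the Flow-ID withdraws exactly the entries that were added. The endpoint addresses in the sample body are constructed.

```python
import ipaddress
import uuid
from collections import namedtuple

ACL_NAMES = {"voice": "VOICE", "video": "VIDEO"}
Flow = namedtuple("Flow", "flow_id src_ip dst_ip src_port dst_port media_type")

# Constructed sample shaped like the slide's POST body; the endpoint IPs are invented.
SAMPLE_CALL = {"srcIPAddress": "10.1.1.10", "dstIPAddress": "10.2.2.20",
               "srcPort": 31999, "dstPort": 21141, "mediaType": "video",
               "qosClassName": "", "averageBandwidth": 0, "peakBandwidth": 0,
               "appid": "CUCM", "codec": "H.264"}


def _ace(flow, reverse):
    """One entry pinned to both hosts and both ports, so no wide UDP range is opened."""
    a, pa, b, pb = flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port
    if reverse:
        a, pa, b, pb = b, pb, a, pa
    return f"permit udp host {a} eq {pa} host {b} eq {pb}"


def acl_lines(flow, remove=False):
    """CLI for the access port hosting each endpoint: the source side matches
    src->dst and the destination side the reverse, as in the slide's ACL pairs."""
    name, prefix = ACL_NAMES[flow.media_type], ("no " if remove else "")
    return {flow.src_ip: [f"ip access-list extended {name}", f" {prefix}{_ace(flow, False)}"],
            flow.dst_ip: [f"ip access-list extended {name}", f" {prefix}{_ace(flow, True)}"]}


class DynamicQoSController:
    """Stand-in for the APIC-EM flow service (hypothetical, not Cisco's code)."""

    def __init__(self):
        self.flows = {}    # flowId -> Flow
        self.pushed = []   # (endpoint IP, CLI line) handed to the switch port hosting it

    def _push(self, flow, remove):
        for endpoint, lines in acl_lines(flow, remove).items():
            self.pushed.extend((endpoint, line) for line in lines)

    def create_flow(self, body):
        """POST /api/v0/fms/flow: validate, assign a Flow-ID, push the dynamic ACLs."""
        try:
            media = str(body["mediaType"]).lower()
            if media not in ACL_NAMES:
                raise ValueError(f"unsupported mediaType {media!r}")
            src = str(ipaddress.ip_address(body["srcIPAddress"]))
            dst = str(ipaddress.ip_address(body["dstIPAddress"]))
            sp, dp = int(body["srcPort"]), int(body["dstPort"])
            if not (1 <= sp <= 65535 and 1 <= dp <= 65535):
                raise ValueError("port out of range")
        except (KeyError, TypeError, ValueError) as exc:
            # A malformed request is rejected before any ACL is touched.
            return 400, {"response": {"errorCode": "BadRequest", "message": str(exc)}, "version": "0.0"}
        flow = Flow(str(uuid.uuid4()), src, dst, sp, dp, media)
        self.flows[flow.flow_id] = flow
        self._push(flow, remove=False)
        return 200, {"response": {"data": "success", "flowId": flow.flow_id}, "version": "0.0"}

    def delete_flow(self, flow_id):
        """DELETE /api/v0/fms/flow/<flowId>: withdraw exactly the entries that were added."""
        flow = self.flows.pop(flow_id, None)
        if flow is None:
            return 404, {"response": {"errorCode": "NotFound", "message": flow_id}, "version": "0.0"}
        self._push(flow, remove=True)
        return 200, {"response": {"data": "success"}, "version": "0.0"}
```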
  44. Summary
     • Solution: Cisco EasyQoS is a simple, highly secure and scalable automated network QoS policy deployment solution; EasyQoS is business-intent driven, requiring network operators only to confirm which applications are relevant to their business while abstracting all platform-specific implementation details; Cisco APIC-EM is the central controller, which supports northbound APIs that can interface with applications (via REST APIs) and southbound APIs to translate application requirements to platform-specific configurations; EasyQoS deploys industry-standard best practices via Cisco Validated Designs
     • Benefits: provides end-to-end orchestration of QoS; simple and easy to deploy; works for both greenfield and brownfield deployments; business-intent driven; end-to-end provisioning done in minutes; reduces time to onboard new applications and allows SLA compliance; provides dynamic, lightweight and accurate application-aware classification; supports wireless & BYOD devices without client software upgrades
  45. EasyQoS Supported Platforms (GA+1), platform families: Catalyst 2K (2960-S, 2960-X); Catalyst 3K (3560CG, 3560-X, 3750-X); Catalyst 3650/3850; Catalyst 4K (Sup 7E, Sup 8E, 4500-X); Catalyst 6500 (Sup2T & 6880-X); AireOS WLC (2500, 5500, 8500, WiSM2); ISR (ISR G2 / ISR 4400); ASR 1000
  46. APIC-EM Integration with PI
  47. PI integration with APIC-EM PnP and PKI
     • PI 3.0 uses the PnP and PKI services from the APIC-EM via REST API calls
     • With this integration, all the actions are driven from PI; there is no need to log on to the APIC-EM GUI for PnP or PKI
     • Add APIC-EM as a server within PI (Administration > APIC-EM Controller); enter the APIC-EM admin credentials for the REST API calls; enable the APIC-EM global setting for PnP and PKI
  48. ISR PnP/PKI Workflow (branch ISR with Internet, MPLS and 3G/LTE uplinks; data center with DMZ HTTP proxy, APIC-EM PnP/PKI and Prime Infrastructure connected via REST APIs). Prerequisites: network-wide settings have been defined; the data center has been configured; application policies have been set
     1. Power on: connect the Internet and MPLS cables, insert the PnP bootstrap USB stick, power up the ISR
     2. The router's PnP agent starts its "call-home"
     3. APIC-EM PnP pushes a new IOS image if needed
     4. APIC-EM PnP calls the PKI service to push an X.509 certificate (Cisco IOS PKI cert)
  49. IWAN Workflow after the router is managed by PI (branch ISR, Internet and MPLS, data center DMZ with ASR 1K, Prime Infrastructure providing config policies, SSH and monitoring)
     1. The admin starts the IWAN workflow, then pushes IWAN templates to the new router
     2. Prime generates the device configuration based on current policy settings / network-wide settings and pushes it to the device line by line (SSH): DMVPN, routing, Front Door VRF, AVC (NBAR2), 8-class QoS, PfR, MPLS QoS translation, start NetFlow collection, start Syslog exporting
     • Result: IWAN config is applied; hybrid WAN tunnels come up
  50. System of record vs. system of change
     • Prime Infrastructure (system of record): policy definition; historical reporting on events & performance; configuration archive; troubleshooting workflows; capacity trending; predictive analytics. Customizable templates, guided workflows, full CLI access
     • APIC-EM (system of change): policy enforcement; discovery (for change); topology (for change); PnP; network state monitoring; device abstraction; network control. Massive simplification, policy automated, no CLI changes
  51. Cisco Enterprise Management: consolidation of licensing / features. Enterprise Management 3.x is SDN management for the enterprise: Cisco Prime Infrastructure 3.0 (network management: Lifecycle, Assurance) plus the APIC-EM controller (application-centric, policy-based management: basic apps, solution apps)
  52. Cisco Enterprise Management Benefits
     • SDN management end-to-end: integrated and simplified management of routers, switches and wireless; monitoring all network elements, from branch/campus to the data center, reducing the number of tools required to manage the network
     • Management simplicity and automation: integration with the controller (APIC-EM) for Plug and Play; policy-driven workflows & templates for managing the network; automated monitoring of applications and proactive alerting based on abnormal behaviors
     • Reduces operational and capital costs: simplified management reducing the need for multiple solutions; rapid device deployment and management through a consolidated architecture; single licensing structure providing access to Prime Infrastructure (Lifecycle & Assurance) and APIC-EM (Foundation & Solution Apps)
  53. Cisco ONE
  54. DNA Offers Mapping: Cisco DNA delivered through Cisco ONE Software (Foundation, Advanced and Application tiers), available on DNA-Ready Infrastructure: ISR 4000 | ASR 1000 | Catalyst 6800 | Catalyst 4000-E | Catalyst 3850 | Catalyst 3650 | Aironet 802.11ac | Meraki. Cisco ONE packaging: Connected Mobile Experiences (CMX); Network as a Sensor / Enforcer; Pervasive Mobility Experience; Converged Branch; Intelligent WAN; Virtual Branch; Unified Threat Management
  55. Cisco ONE Simplifies Software Purchasing (purpose-built applications | ongoing innovation | license portability & flexibility)
     1. Select your software capabilities: Cisco ONE Foundation (core networking, management, automation, embedded security); Cisco ONE Advanced (enhanced automation, service assurance, advanced configuration, etc.); Cisco ONE Full Suite (Foundation + Advanced)
     2. Pick your platform: ISR/ASR router; virtual router; Catalyst switch; wireless controller; virtual wireless controller; access points
     3. Choose your purchasing model. License model: perpetual or subscription; contract: transactional or volume purchase. General availability of subscription & volume purchase to be announced
  56. Demo