SDN in the Enterprise: APIC Enterprise Module
T-ENM-01-I
Lila Rousseaux, Consulting Systems Engineer, Enterprise Networks, Cisco Systems Canada
Tim Szigeti, Technical Marketing Engineer, Enterprise Architecture Team, Cisco Systems
Housekeeping Notes
Thank you for attending Cisco Connect Toronto 2015, here are a few
housekeeping notes to ensure we all enjoy the session today.
§  Please ensure your cellphones / Laptops are set on silent to ensure
no one is disturbed during the session
§  Ask questions !!
§  What problem are we trying to solve?
§  APIC-EM Architecture
§  APIC-EM Apps a.k.a how can the controller help simplify my
environment?
§  What about Prime?
§  Wrap-Up
AGENDA
What problem are we trying to
solve?
“A platform for
developing new control planes”
“An open solution for VM mobility in
the Data-Center”
“An open solution for customized flow
forwarding control in the Data-Center”
“A means to do traffic engineering without
MPLS”
“A way to scale my firewalls
and loadbalancers”
“A solution to build a very large scale layer-2
network”
“A way to build my own security/encryption solution,
avoiding RSA”
“A way to reduce the
CAPEX of my network
and leverage commodity
switches”
“A way to define virtual networks with specific
topologies for my multi-tenant Data-Center”
“A means to scale my fixed/mobile gateways and
optimize their placement”
“A solution to build virtual topologies with
optimum multicast forwarding behavior”
“A way to optimize link utilization in my network, through
new multi-path algorithms”
“A way to avoid lock-in to a
single networking vendor”
“A way to distribute policy/intent, e.g. for DDoS
prevention, in the network”
“A way to configure my entire network as
a whole rather than individual devices”
“A solution to get a global view of the
network – topology and state”
“With SDN I can develop solutions to my problems far faster –
“at software speeds”. I don’t have to work with my network
vendor or go through lengthy standardization”
SDN – Still Don’t kNow – Stanford Defined Networking
Many things to Many people
Resiliency/Scale has been proven
Distributed Networking has worked
Distributed Networking has worked?
However, Distributed Networking adds complexity to manage/comprehend!
But uses controller
to mask complexity
NETWORK
Admin still makes network behavior decisions
Abstracting Conventional Policy Complexity
Conventional Model
The What
“Security Policy for
Branch A”
The How
“Change ACLs in
the Following
Elements”
The What
“Security Policy for
Branch A”
The How
“Change ACLs in
the Following
Elements”
ACI Constructs
Admin
Driven
Admin Driven
Northbound APIs
APIC EM
Policy Based Model
What is Policy?
WHAT HOW
Policy à way to simplify how we do things via abstraction
Changing Nature of IT Ops with SDN led
Management
Management
(NMS)
NE NE NE NE
Customer developed
provisioning tools, manual CLI
changes, and run book
automation for IT Operations
support
Controller
(APIC-EM)
Management
(Provisioning and Assurance)
Automation
(Workflow / Orchestration)
NE NE NE NE
Customer input on business /
service intent
Traditional Management SDN Led Management
Changing Nature of IT Ops with SDN
led Management
Traditional Management
Feature
Configuration
SDN Led Management
Policy
Automation
Policy Maturity to Cover Enterprise System of Change
Use Cases will Evolve Over Time
policy
traditional
configuration
traditional
policy policy
Controller-based
Automation
Today
traditional
Policy based
Configuration →
•  Dynamic
•  Able to be
automated
•  Managed by
the controller
Policy grows,
static shrinks
Time
APIC-EM Architecture
Cisco APIC Enterprise Module Architecture
Abstracts Network Devices to Mask Complexity
Treat Network as a System
Exposes Network Intelligence
For Business Innovation
Cisco APIC Enterprise Module
Cisco and Third Party Applications
Network Devices
Catalyst, ASR, ISR
Network Info
Database
Policy
Infrastructure
Automation
REST API
Southbound Interface: CLI
Security QoS IWAN Network PnP
Masking Network Complexity, Exposing Network Intelligence
Cisco APIC Enterprise Module Architecture
1.  Cisco Visualization Application a.k.a UI
2.  Cisco Applications for specific solutions
IWAN, Network PnP, Collaboration,
Security, etc
3.  DevNet
4.  Customer developed
SDN Innovation: Network Information Base
Provides One Source of Truth
Cisco APIC Enterprise Module Architecture
1.  Network programmer service: used for
programming the network
2.  Services within the controller leverage
network programmer to talk to the network
3.  Depending on the type of platform and
functionality the network programmer
chooses the southbound protocol
4.  Services within the controller are unaware of
these protocols
5.  If new protocols are required, we only
need to add the plug-in for that protocol in
the network programmer
APIC-EM Apps a.k.a how can
the controller help simplify my
environment?
First we need to check the APIC-EM User Interface
APIC-EM User Interface App: Device Inventory
Network Information Base - Host Inventory
APIC-EM User Interface App: Discovery
APIC-EM User Interface App: Topology
Use Case: Path Visualization
•  No efficient method to troubleshoot IP voice and video sessions traversing the network
on demand
•  Lack of network visibility creates large OPEX to diagnose and find problem sources
•  Path computation service provides a fast and accurate method for rapidly
identifying/isolating paths causing problems
•  Low risk use case for SDN
Path Trace Visualizer
5-tuple
Path Trace Visualizer
Wireless to Wired
Path Trace Visualizer
ECMP
Policy Analysis
Boxes greyed out once
traffic is blocked for easy
visualization
Policy Analysis
CAMPUS
Security Policy App (within User Interface)
Per User Per Application Access Policy Enforcement
APIC-EM
Controller
Block
Bit-Torrent
BRANCH
Authentication
ISE
Block
Bit-Torrent
AD/Radius Server
§  Admin configures business policy to block
application traffic on a per user/user_group basis.
§  Controller uses identity information to
install user specific access policy at the
edge.
User moves to a branch site. Policy moves with it
APIC-EM Policy App
APIC-EM Policy
Under the hood
Branch
SourceFire
Defence Center
SDN Controller
ISR
Sensor
Sensor
1.  BYOD Malware/Javascript Attack
2.  SF Sensor detects threat
3.  SF DC notifies Controller
4.  Remediation API event
5.  Policy installed on Access
switch port by Controller.
6.  Block or quarantine end-point
WAN
ISR
Internet
HQ
Malware Attack
Defense Center
Alert!!!!
Controller
Notification
Remediation Policy
Enforcement
Host Quarantined
How to use Policy Programming for Network
Threat Defense - Policy Programming outside the UI
Branch
SourceFire
Defence Center
SDN Controller
ISR
Sensor
Sensor
WAN
ISR
Internet
HQ
Controller
Notification
Host Quarantined
Defense Center
POST /api/v0/policy
{"actions": ["DENY"],
 "policyOwner": "admin",
 "policyName": "deny_all",
 "networkUser": {"userIdentifiers": ["10.10.20.7"]}}
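The remediation step above, as an added example that is not APIC-EM or SourceFire code: a Defense Center notification is turned into the /api/v0/policy POST body shown on the slide. The alert format, the controller URL and the severity threshold are assumptions; only the endpoint path and the JSON shape come from the slide, and nothing is sent on the wire.

```python
"""Build the APIC-EM /api/v0/policy quarantine request from a sensor alert.
Added example; the alert format is constructed, the POST body mirrors the slide."""
import ipaddress
import json
from urllib.parse import urljoin

POLICY_PATH = "/api/v0/policy"   # endpoint named on the slide

# Constructed sample notification (not a real Defense Center message format)
SAMPLE_ALERT = json.dumps({
    "event": "malware_detected",
    "src_ip": "10.10.20.7",
    "sensor": "branch-sensor-1",
    "severity": "high",
})


def build_deny_policy(owner, name, user_identifiers):
    """Return the body in the shape shown on the slide:
    {"actions": ["DENY"], "policyOwner": ..., "policyName": ...,
     "networkUser": {"userIdentifiers": [...]}}.
    Raises ValueError if any identifier is not a valid IPv4/IPv6 address,
    so a malformed or injected alert field never reaches the controller."""
    if not user_identifiers:
        raise ValueError("at least one user identifier is required")
    validated = []
    for ident in user_identifiers:
        # ip_address() raises ValueError on garbage; str() normalises the form
        validated.append(str(ipaddress.ip_address(ident)))
    return {
        "actions": ["DENY"],
        "policyOwner": owner,
        "policyName": name,
        "networkUser": {"userIdentifiers": validated},
    }


def quarantine_request(controller_base, alert_json, owner="admin",
                       name="deny_all"):
    """Translate a (constructed) sensor alert into the POST the slide shows.
    Returns (method, url, body) so the caller can send it with any HTTP
    client, or None when the alert is below the (assumed) remediation
    threshold. Nothing is sent from here."""
    alert = json.loads(alert_json)
    if alert.get("severity") not in ("high", "critical"):
        return None
    body = build_deny_policy(owner, name, [alert["src_ip"]])
    return ("POST", urljoin(controller_base, POLICY_PATH), body)


if __name__ == "__main__":
    method, url, body = quarantine_request("https://apic-em.example.net",
                                           SAMPLE_ALERT)
    print(method, url)
    print(json.dumps(body, indent=2))
```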
SDN QoS Direction
EasyQoS App
No more Box-by-Box configuration
Config.
Cisco Validated
Design- Based Templates
Control
Transactional Data
Realtime
Best Effort
Cisco Validated
Design {CVD}
Cisco
APIC -
Enterprise
Module
Easy QoS App
Cisco Validated Design (CVD) classification and marking
Easy QoS
Easy customization of policies
APIC-EM with CUCM Integration—Step 1a
The administrator enters strategic business Intent to APIC-EM
APIC-EM deploys:
a)  static (ingress) ACL-based classification & DSCP-marking policies
(on access edge interfaces only)
with null ACL entries for VOICE and VIDEO
ip access-list extended VOICE
ip access-list extended VIDEO
ip access-list extended BULK-DATA
permit tcp any any eq ftp
permit tcp any any eq ftp-data
…
class-map match-all VOICE
match access-group name VOICE
class-map match-all VIDEO
match access-group name VIDEO
class-map match-all BULK-DATA
match access-group name BULK-DATA
…
policy-map APIC-EM-INGRESS-MARKING
class VOICE
set dscp ef
class VIDEO
set dscp af41
class BULK-DATA
set dscp af11 …
APIC-EM with CUCM Integration—Part 1b
Once the administrator has entered strategic business Intent to APIC-EM
APIC-EM deploys:
a)  static (ingress) ACL-based classification & DSCP marking policies
b)  static (ingress and egress) DSCP-based queuing policies on all switches
class-map match-all VOICE-PQ1
match dscp ef
class-map match-all VIDEO-PQ2
match dscp af41
class-map match-any BULK-DATA-QUEUE
match dscp af11 af12 af13
…
policy-map APIC-EM-2P6Q3T
class VOICE-PQ1
priority level 1
class VIDEO-PQ2
priority level 2
class BULK-DATA-QUEUE
bandwidth remaining percent 5
queue-buffers ratio 10
queue-limit dscp values af13 percent 80
queue-limit dscp values af12 percent 90
queue-limit dscp values af11 percent 100 …
APIC-EM with CUCM Integration—Part 2
CUCM signals APIC-EM of a proceeding call
APIC-EM deploys a dynamic ACL update for voice and/or video
to all ports on the switch (or switch module)
ip access-list extended VOICE
permit udp host 10.1.1.1 eq 18578 host 10.2.2.2 eq 17333
ip access-list extended VIDEO
permit udp host 10.1.1.1 eq 31199 host 10.2.2.2 eq 24141
ip access-list extended VOICE
permit udp host 10.2.2.2 eq 17333 host 10.1.1.1 eq 18578
ip access-list extended VIDEO
permit udp host 10.2.2.2 eq 24141 host 10.1.1.1 eq 31199
APIC-EM with CUCM Integration—Part 3
CUCM signals APIC-EM of a terminating call
APIC-EM removes the dynamic ACL update for voice and/or video
ip access-list extended VOICE
no permit udp host 10.1.1.1 eq 18578 host 10.2.2.2 eq 17333
ip access-list extended VIDEO
no permit udp host 10.1.1.1 eq 31199 host 10.2.2.2 eq 24141
ip access-list extended VOICE
no permit udp host 10.2.2.2 eq 17333 host 10.1.1.1 eq 18578
ip access-list extended VIDEO
no permit udp host 10.2.2.2 eq 24141 host 10.1.1.1 eq 31199
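The Part 2 and Part 3 updates, as an added example that is not APIC-EM code: given the media streams CUCM reports for one call, generate the bidirectional VOICE/VIDEO ACL entries to install at call setup and the matching "no" lines to remove at teardown. The MediaStream record and the use of the IOS "permit" ACE keyword are assumptions; the addresses and ports are the ones on the slide.

```python
"""Generate per-call dynamic ACL updates for CUCM call setup and teardown.
Added example, not APIC-EM code; emits IOS ACE lines (assumed syntax)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class MediaStream:
    """One RTP stream of a call as CUCM would report it (constructed record)."""
    kind: str        # "VOICE" or "VIDEO": the ACL name on the access switch
    src: str
    src_port: int
    dst: str
    dst_port: int


def _validate(stream):
    """Reject anything that would not form a sane ACE before it reaches a switch."""
    if stream.kind not in ("VOICE", "VIDEO"):
        raise ValueError(f"unknown media class {stream.kind!r}")
    for ip in (stream.src, stream.dst):
        ipaddress.ip_address(ip)          # raises ValueError on bad input
    for port in (stream.src_port, stream.dst_port):
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")


def _ace(stream, reverse, remove):
    """One access-control entry; reverse=True swaps the endpoints."""
    a, ap, b, bp = stream.src, stream.src_port, stream.dst, stream.dst_port
    if reverse:
        a, ap, b, bp = b, bp, a, ap
    prefix = "no " if remove else ""
    return f"{prefix}permit udp host {a} eq {ap} host {b} eq {bp}"


def acl_updates(streams, remove=False):
    """Return the IOS lines for one call in the slide's order: every stream
    A->B first, then every stream B->A, because RTP flows both ways and the
    ingress marking policy must classify both directions. remove=True
    yields the teardown ('no ...') form of the same entries."""
    for s in streams:
        _validate(s)
    lines = []
    for reverse in (False, True):
        for s in streams:
            lines.append(f"ip access-list extended {s.kind}")
            lines.append(_ace(s, reverse, remove))
    return lines


# The call from the slide: voice 18578<->17333, video 31199<->24141
SAMPLE_CALL = (
    MediaStream("VOICE", "10.1.1.1", 18578, "10.2.2.2", 17333),
    MediaStream("VIDEO", "10.1.1.1", 31199, "10.2.2.2", 24141),
)

if __name__ == "__main__":
    print("! call setup")
    print("\n".join(acl_updates(SAMPLE_CALL)))
    print("! call teardown")
    print("\n".join(acl_updates(SAMPLE_CALL, remove=True)))
```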
Intelligent WAN
Intelligent WAN
WAN Transport
Branch
MPLS
$$$
Low Cost Circuit,
Internet, 4G
$
Private
Cloud Virtual
Private
Cloud
Direct
Internet
Access
Internet
backhaul
Cisco
Cloud
Web Security
Public
Cloud
ü  Secure WAN transport across MPLS
and/or Internet for private cloud / DC
access
Increase WAN Capacity Improve App Performance Scale Security at the Branch
ü  Leverage Low Cost path for public cloud
and Internet access
Cisco
APIC -
Enterprise
Module
APIC-EM IWAN App
Dashboard
© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential –Use under NDA – DO NOT DISTRIBUTE
wolfgang@cisco.com
APIC EM Apps will innovate on design simplicity and intuitiveness
APIC-EM IWAN App
Site provisioning
APIC-EM IWAN App
Application Policy
•  Applications detected in the network when enabling AVC
•  Classify applications in different categories
•  Organize application in categories to create business
policies based on these categories
•  Business logic → we tell the controller what
applications are relevant for the business
•  The controller is going to perform background tasks
based on this business logic
APIC-EM IWAN App
Application Policy
•  Define primary path for group of applications
•  The controller will create a PfR policy based on
those paths.
Network Plug & Play
(a.k.a. Zero Touch Deployment)
Network Plug-n-Play – for Zero Touch Deployment
Unskilled
Installer
GUI Based
Consistent for devices &
PIN(Campus/Branch)
Secure
Zero-touch
RMA
Greenfield
& Brownfield
Central Staging Facility
Site-1
•  Install OS
•  Install base
config
Network
Admin
Installer
Site-3
Today’s Process
Site-2 Site(s)
Network PnP
Pre Provision
Projects/Sites
Network Admin
1
Install & Power-on
devices
2
Installer
Monitor device
installation
3
Network Admin
Reseller/
Partner
Ships
equipment Cisco
APIC -
Enterprise
Module
PnP Server
Use Case: Device Deployment in Campus
DHCP Server
Pre Provision Projects/
Sites
•  Policies
•  Match Rules
•  Configs/Image
•  IP Addressing
Network Admin
Day 0
Cisco
APIC -
Enterprise
Module
Pre-provision DHCP
Server
•  IP address
•  option 43
PnP Server
Use Case: Device Deployment in Campus
DHCP Server
Switch running
PnP Agent
Device receives PnP server specific metadata info configured in DHCP option 43
Device validates server’s location and establishes a communication with the server
Installer
Remote Installer
•  Mount and cable
devices
•  Power-on
Day 1
Network Admin remotely
monitors status of install
while in progress.
Day 1
Cisco
APIC -
Enterprise
Module
APIC-EM ZTD App – Configure Site, Device, Config
•  Campus
Workflow
•  Serial #
and PID-
based
device
matching
•  Operational
config and
IOS image
for each
device
Network Admin
Day 0
The End stage
Network Admin remotely
monitors status of install while
in progress.
Day 1
APIC-EM Apps a.k.a how can the controller help
simplify my environment?
•  Path Visualization
•  Path Visualization + Integration with Cisco Prime
Collaboration Manager
•  ACL Trace
•  ACL Analysis
•  Security Policy Programming (Per User/Group)
•  Policy Programming for Network Threat Defense
•  Easy QoS via User Interface
•  Dynamic Policy for video soft clients
•  IWAN App
•  Network Plug and Play Server
Applications
Released in
phases
Just a few
examples,
there’s much
more
What about Prime?
System of record vs. system of change
Prime Infrastructure APIC - EM
System of Record System of Change
•  Policy definition
•  Historical reporting on
events & performance
•  Configuration archive
•  Troubleshooting workflows
•  Capacity Trending
•  Predictive Analytics
•  Policy enforcement
•  Discovery (for change)
•  Topology (for change)
•  PnP
•  Network state monitoring
•  Device abstraction
•  Network Control
Cisco Prime and APIC-EM
Control
Layer
Device
Layer
Operational Automation
Policy and Service Definition
Automated Assurance Provisioning
Visualization, Trending and
Analytics
Network Intelligence
Device Layer Abstraction
Network Control
Policy Enforcement & Network
Change
Management
&
Orchestration
Layer
Cisco Devices
Enterprise Networks, Data Center
Cisco APIC
Common ACI Architecture
APIC for datacenter APIC Enterprise Module
CLI, OpenFlow, OnePK API
REST API (ONE DevKit)
Catalog /
Provisioning
Fault /
Events
User / Data
Management
Performance Monitoring
Reporting /
Analytics
Cisco IAC
UCSD
APIC-EM
App (IWAN)
PRIME INFRASTRUCTURE
& NAM
Wrap-Up
Summary
§  Changing Nature of IT Ops with SDN led Management
§  APIC-EM and Apps are a System of Change that will drive real time changes in the
network
§  Prime Infrastructure role will evolve into end-to-end assurance as System of Record,
while also catering to feature configuration for custom environments
§  The network administrator can now focus on Policy and Business Intent
(WHAT)
§  Controller’s job is to translate it into network semantics/implementation (HOW)
§  API to expose the network’s capabilities
§  APIC EM abstracts the underlying complexity of the network infrastructure
Give us your feedback and you could win a Plantronics
headset. Complete the session survey on your Cisco
Connect Toronto Mobile app at the end of your session
for a chance to win
Winners will be announced and posted at the
Information desk and on Twitter at the end of the day
(You must be present to win!)
Complete your session evaluation – May 14th
Thank You …