cisco application policy infrastructure controller enterprise module (apic-em) - hands-on lab


TRANSCRIPT

Cisco Confidential © 2015 Cisco and/or its affiliates. All rights reserved. 1

Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) - Hands on Lab

Saurav Prasad, Technical Marketing Engineer, San Jose, USA
Lila Rousseaux – CCIE#6899, Technical Solutions Architect, Canada
Jim Galvez, Technical Solutions Architect, Oregon, USA


House Keeping Notes

Thank you for attending Cisco Connect Toronto 2016, here are a few housekeeping notes to ensure we all enjoy the session today.

•  Ask Questions!!
•  Please ensure your cellphones / laptops are set on silent to ensure no one is disturbed during the session
•  A power bar is available under each desk in case you need to charge your laptop


Agenda

•  Introduction to APIC-EM
•  APIC-EM Apps
•  API’s
•  Lab Overview
•  Get started with the Lab!
•  Let’s get back together for APIC-EM GA1.2 Preview
•  Elastic Services (Grapevine)


Introduction to APIC-EM


Manual to Systemic Policy Deployment

Conventional Model (Manual Policy Deployment)
•  The What: “Security Policy for Branches A-N” – Admin Driven
•  The How: “Change ACLs in the following elements” – Admin Driven

Controller Led Policy Deployment
•  The What: “Security Policy for Branches A-N” – Admin Driven
•  The How: “Change ACLs in the following elements” – System Driven


APIC-EM: Cisco Enterprise SDN
Open, Programmable App Platform for Enterprise Network Transformation

•  Cisco, Partner or Customer Developed Apps
•  Software or Appliance Based NB RESTful APIs
•  Agnostic SB interface supporting multiple protocols
•  Existing and New Device Support


Cisco APIC Enterprise Module Architecture

•  Application layer: Security, Collaboration, Orchestration, Services, WAN
•  Controller layer: Policy Infrastructure Automation, Network Information Database
•  Network Element Layer (CLI, SNMP)

•  Abstracts Network Devices to Mask Complexity
•  Treat Network as a System
•  Exposes Network Intelligence for Business Innovation


APIC-EM Applications at GA1

•  Plug-and-Play: Zero touch deployment of routers / switches / APs. Accelerated roll-out: eliminates tech visits and shrinks deployment from months to minutes
•  Cisco IWAN (SDWAN): Guided, fast auto-provisioning of IWAN solution. From 250 CLI commands to 5 GUI clicks per branch: 1000% IWAN deployment acceleration
•  Path Trace: Discover path between two end points based on 5 tuple. Rapidly troubleshoot congestion and ACL issues and lower Opex for trouble ticket processing by 500%
•  EasyQoS (Static QoS): Configure QoS automatically and end to end based on Cisco Best Practices
•  EasyQoS (Dynamic QoS): Dynamic QoS for Jabber/MS Lync


APIC-EM Apps


Network Information Base – Device Inventory

•  Real‐time network device inventory and asset service management
•  Includes all network devices with an abstraction for the entire network:
   • Full knowledge of network
   • Awareness of the overall operational health of the physical network
   • Detailed inventory information for easier consumption by controller services and applications
   • Allows applications to be device agnostic
•  Inventory service runs in the background to keep the DB accurate
•  SNMP traps sent by devices during link up/down; APIC-EM runs discovery on that device (*)

(*) GA1


Network Information Base – Host Inventory

•  Real‐time host and end-point inventory (PCs, Wireless devices, IP Phones, Printers etc.)
•  Detailed information about each host/end-point:
   • Network attachment point for the host to the network device
   • Host Name, IP and Mac-Address information
•  Host Inventory service runs in the background to maintain the accuracy of the database:
   • Information collected via CDP, LLDP and IP Device Tracking DB lookup
   • SNMP Traps used to update host inventory DB


Network Information Base – Discovery

•  Quick, easy and efficient network discovery
•  Flexible Discovery options: CDP and IP Address Range
•  Ability to Start, Stop and Delete the scan at any time
•  Auto-discovery of newly added network devices
•  Initiate via UI or NB REST APIs


Topology Visualizer

•  Auto discovers and maps devices to a physical topology
•  Detailed device level data
•  Always up-to-date network topology
•  Layer 2 and 3 topologies on top of the Physical topology provide a granular view for design planning, simplified troubleshooting etc.
•  Visualize Device TAGs on top of the Physical network topology
•  Advanced HTML 5 Javascript based visualizer that utilizes REST APIs
•  Highly interactive application experience


APIC-EM Path Trace Application: Accelerate Trouble-Ticket Processing

Workflow: User → Trouble Ticket → IT → Path Trace → Network

SDN: Open Architecture; Network, Applications Monitoring; Simple Workflow

Benefits
•  Easy visual discovery of trouble spots in the communication path based on 5-tuple info
•  OpEx for ticket processing decreased by 98% from 1.6 hours to 1 minute


Path Trace App: 5-Tuple Input Through User Interface

Required Information: SRC and DEST IP address [End host or L3 interface]
Optional Information: SRC and DEST L4 port numbers; L4 protocol (TCP or UDP)

Note: Layer 4 port and protocol information is optional but highly recommended for accurate path calculation
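As an added example (not code from the lab or from Cisco), a small Python helper that validates the 5-tuple above and submits it to the controller's Path Trace service over the NB REST API; the endpoint paths, body field names and the service-ticket header are assumed from the APIC-EM v1 northbound API, the base URL and credentials are placeholders you supply, and ca_bundle is the CA file that issued the controller's certificate.

```python
"""Path Trace request helper for the 5-tuple input described above. Added example,
not lab code; endpoint paths, body field names and the ticket/X-Auth-Token flow are
assumed from the APIC-EM v1 northbound API (check the controller's Swagger page)."""
import ipaddress
import time

TICKET_PATH = "/api/v1/ticket"                # assumed: POST returns response.serviceTicket
FLOW_ANALYSIS_PATH = "/api/v1/flow-analysis"  # assumed: POST submits, GET /{id} polls

def build_path_trace_request(src_ip, dst_ip, src_port=None, dst_port=None, protocol=None):
    """Validate the 5-tuple and return the JSON body for the flow-analysis POST.
    SRC/DEST IP are required; L4 ports and protocol are optional but recommended."""
    body = {"sourceIP": str(ipaddress.ip_address(src_ip)),
            "destIP": str(ipaddress.ip_address(dst_ip))}
    if protocol is not None:
        if str(protocol).lower() not in ("tcp", "udp"):
            raise ValueError("L4 protocol must be TCP or UDP")
        body["protocol"] = str(protocol).lower()
    for name, port in (("sourcePort", src_port), ("destPort", dst_port)):
        if port is None:
            continue
        if protocol is None:
            raise ValueError(f"{name} given without an L4 protocol")
        if not 0 < int(port) <= 65535:
            raise ValueError(f"{name} out of range: {port}")
        body[name] = str(int(port))
    return body

def run_path_trace(base_url, username, password, body, ca_bundle, timeout=60):
    """Get a service ticket, submit the trace and poll until COMPLETED or FAILED.
    ca_bundle is the CA file that issued the controller's certificate; verification
    stays on because the ticket call carries the admin password."""
    import requests  # third-party; needed only for the live call
    r = requests.post(base_url + TICKET_PATH, verify=ca_bundle, timeout=30,
                      json={"username": username, "password": password})
    r.raise_for_status()
    headers = {"X-Auth-Token": r.json()["response"]["serviceTicket"]}
    r = requests.post(base_url + FLOW_ANALYSIS_PATH, json=body, headers=headers,
                      verify=ca_bundle, timeout=30)
    r.raise_for_status()
    flow_id = r.json()["response"]["flowAnalysisId"]
    for _ in range(timeout):
        r = requests.get(f"{base_url}{FLOW_ANALYSIS_PATH}/{flow_id}", headers=headers,
                         verify=ca_bundle, timeout=30)
        r.raise_for_status()
        result = r.json()["response"]
        if result["request"]["status"] in ("COMPLETED", "FAILED"):
            return result
        time.sleep(1)
    raise TimeoutError(f"path trace {flow_id} did not finish within {timeout}s")
```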


Path Trace App: Enhanced Application Flow Visibility

•  CAPWAP Tunnel Visualization
•  Accuracy Note (in a percentage)
•  Link Source Information
•  Ingress/Egress Interface
•  Interface/QOS Stats


Device On-boarding – Customer Challenges

Today’s Process
•  Central Staging Facility: Network Admin installs OS and installs base config
•  Customer, Partner ships equipment to the final site (Site-1)
•  Installer at Site-1

Operational Challenges
•  Direct Costs: Pre-staging & Shipping costs; Travel costs
•  Security: 3rd party not secure; Rogue devices
•  Time/Productivity: Manual process; Shipping, Storage, Travel
•  Complexity: Configuration errors; Different products, IOS Releases

Pre-staging Cost $$, Re-shipment Cost $$, Techy Installer $$, Travel cost $$


Device On-boarding – Network Plug and Play

Network Plug and Play Process
•  Ships equipment to Site-1
•  Network Admin (NOC): Pre Provision Config and OS
•  Installer at Site-1: Racks, cable & Power-on devices
•  Network Admin (NOC): Monitor device installation

Operational Benefits
•  Unskilled Installer
•  Consistent Campus/Branch
•  Secure, GUI Based
•  Greenfield & Brownfield


Use Case Example: Device Deployment in Campus

Components: PnP Server (IP Address 10.11.11.11, holding the Cisco IOS® image and Config file….), DHCP Server, Switch running PnP Agent, Installer

DHCP server configuration handed to the PnP Agent:

<..snip..> CISCO_PNP.pnpserver "5A;B2;K4;I10.11.11.11;J80"; <..snip..>

Device validates server’s location and establishes a communication with the server.

Day 1
•  Remote Installer: Mount and cable devices; Power-on
•  Network Admin remotely monitors status of install while in progress.


Network-PnP: Pre-provisioning Workflow

Actors: Admin, Installer, N-PnP app on APIC-EM, DHCP Server, DNS Server, PnP-Agent on each device

Pre-provision
•  N-PnP App pre-provisioned w/ device SR#
•  Configure device discovery: DHCP Option-43 or DNS

Discovery and Secure Deployment
•  Installer powers-on devices
•  Device Authentication between PnP-Agent and APIC-EM
•  Devices securely download Image & Configuration from the N-PnP app


Network-PnP: Claim-device Workflow

Actors: Admin, Installer, N-PnP app on APIC-EM, DHCP Server, DNS Server, PnP-Agent on each device

Un-claimed Devices Discovery
•  Configure device discovery mechanism: DHCP Option-43 or DNS
•  Installer powers-on devices
•  Device Authentication; devices securely connect to APIC-EM Server, waiting to be ‘Claimed’

Secure Deployment
•  Network admin claims devices based on device information
•  Device downloads Image & configuration
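The DHCP Option-43 discovery used by both PnP workflows hinges on the option 43 string shown in the campus use case. As an added example (not lab or Cisco code), a Python parser for that string with a check that reports settings under which the agent would fetch its image and config without authenticating the server; the field letters are as I read them in the Cisco Network PnP guide (5A marker, B address type, I server, J port, K transport, T trustpool bundle URL, Z NTP server) and should be confirmed against the guide for your release.

```python
"""Parser and security check for the Cisco Network PnP DHCP option 43 string.
Added example, not lab code. Field letters are as I read the Cisco Network PnP guide
(5A marker; B address type; I server; J port; K transport; T trustpool URL; Z NTP)."""
import ipaddress

ADDR_TYPES = {"1": "hostname", "2": "ipv4", "3": "ipv6"}
TRANSPORTS = {"4": "http", "5": "https"}
FIELD_NAMES = {"B": "addr_type", "I": "server", "J": "port", "K": "transport",
               "T": "trustpool_url", "Z": "ntp"}

def parse_pnp_option43(value):
    """Return a dict of the fields in a string such as 5A1N;B2;K4;I10.11.11.11;J80
    (the slide shows the shorter marker 5A). Unknown letters are kept under 'unknown'."""
    fields = [f for f in value.strip().strip(' ;"').split(";") if f]
    if not fields or not fields[0].startswith("5A"):
        raise ValueError("not a Cisco PnP option 43 string: first field must start with 5A")
    parsed = {"marker": fields[0], "unknown": []}
    for field in fields[1:]:
        key, data = field[0], field[1:]
        if key not in FIELD_NAMES:
            parsed["unknown"].append(field)
        elif key == "B":
            parsed["addr_type"] = ADDR_TYPES.get(data, "unknown")
        elif key == "K":
            parsed["transport"] = TRANSPORTS.get(data, "unknown")
        elif key == "J":
            parsed["port"] = int(data)
        else:
            parsed[FIELD_NAMES[key]] = data
    if "server" not in parsed:
        raise ValueError("option 43 string has no I (server) field")
    return parsed

def check_pnp_option43(value):
    """Parse and return (parsed, warnings). Warnings flag settings under which the
    PnP agent would pull its image and config without authenticating the server."""
    parsed = parse_pnp_option43(value)
    warnings = []
    if parsed.get("transport") == "http":
        warnings.append("K4: plain HTTP, image and config are fetched unauthenticated")
    elif parsed.get("transport") == "https" and "trustpool_url" not in parsed:
        warnings.append("K5 without T: HTTPS but no trustpool bundle to validate the server")
    if parsed.get("addr_type") == "ipv4":
        try:
            ipaddress.IPv4Address(parsed["server"])
        except ValueError:
            warnings.append(f"B2 declares IPv4 but I={parsed['server']} is not an IPv4 address")
    return parsed, warnings
```

Run against the slide's own string it reports the plain-HTTP transport (K4); the second string in the test is a constructed HTTPS variant with a trustpool URL.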


Intelligent WAN

WAN Transport from the Branch
•  MPLS ($$$)
•  Low Cost Circuit, Internet, 4G ($)

Destinations: Private Cloud, Virtual Private Cloud, Public Cloud (via Direct Internet Access or Internet backhaul), Cisco Cloud Web Security

Increase WAN Capacity, Improve App Performance, Scale Security at the Branch
•  Secure WAN transport across MPLS and/or Internet for private cloud / DC access
•  Leverage Low Cost path for public cloud and Internet access


EasyQoS App: No more Box-by-Box configuration

Config.: Cisco Validated Design (CVD) based templates

[Figure: CVD traffic classes (Control, Transactional Data, Realtime, Best Effort) mapped to the business relevance buckets Business Relevant, Business Irrelevant and Default / Maybe / Unknown]


Converting Business Intent to Tactical Policies

Platform           Trust model       Policy enforcement / queuing
Wireless AP        Trust Boundary    PEP 4Q (WMM)
Catalyst 2960-X    Trust Boundary    PEP 1P3Q3T
Catalyst 3650      Trust Boundary    PEP 2P6Q3T
Catalyst 4500      Trust DSCP        1P7Q1T
Catalyst 6500      Trust DSCP        1P3Q4T 1P7Q4T 2P6Q4T …
Nexus 7700         Trust DSCP        F3: 1P7Q1T
WLC                PEP
ASR/ISRs           Trust DSCP        HQoS MQC

•  The principal goal of the tactical QoS policy is to express the strategic QoS policy with maximum fidelity
•  QoS design best practices will be used to generate platform-specific configurations
•  QoS features will be selectively enabled if they directly contribute to expressing the strategic policy on a given platform


Determining Business Relevance: How Important is a Given Application to Business Objectives

Business Relevant
•  These applications directly support business objectives
•  Applications should be classified and marked according to RFC 4594-based rules

Default / Maybe / Unknown
•  These applications may/may not support business objectives, e.g. HTTP/HTTPS
•  Alternatively, the administrator may not know the application (or how it’s being used in the org)
•  Applications in this class should be marked DF and provisioned with a default best-effort service (RFC 2474)

Business Irrelevant
•  These applications are known and do not directly support any business objectives; this class includes all personal/consumer applications
•  Applications in this class should be marked CS1 and provisioned with a “less-than-best-effort” service (RFC 3662)


What Do We Do Under-the-Hood? Apply RFC 4594-based Marking / Queuing / Dropping Treatments

Application Class          Per-Hop Behavior   Queuing & Dropping            Application Examples                                   Business Relevance
VoIP Telephony             EF                 Priority Queue (PQ)           Cisco IP Phones (G.711, G.729)                         Relevant
Broadcast Video            CS5                (Optional) PQ                 Cisco IP Video Surveillance / Cisco Enterprise TV      Relevant
Real-Time Interactive      CS4                (Optional) PQ                 Cisco TelePresence                                     Relevant
Multimedia Conferencing    AF4                BW Queue + DSCP WRED          Cisco Jabber, Cisco WebEx                              Relevant
Multimedia Streaming       AF3                BW Queue + DSCP WRED          Cisco Digital Media System (VoDs)                      Relevant
Network Control            CS6                BW Queue                      EIGRP, OSPF, BGP, HSRP, IKE                            Relevant
Signaling                  CS3                BW Queue                      SCCP, SIP, H.323                                       Relevant
Ops / Admin / Mgmt (OAM)   CS2                BW Queue                      SNMP, SSH, Syslog                                      Relevant
Transactional Data         AF2                BW Queue + DSCP WRED          ERP Apps, CRM Apps, Database Apps                      Relevant
Bulk Data                  AF1                BW Queue + DSCP WRED          E-mail, FTP, Backup Apps, Content Distribution         Relevant
Default Forwarding         DF                 Default Queue + RED           Default Class                                          Default
Scavenger                  CS1                Min BW Queue (Deferential)    YouTube, Netflix, iTunes, BitTorrent, Xbox Live        Irrelevant
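As an added example (not lab or Cisco code), Python helpers that turn the PHB names in this table into DSCP codepoints and back, and audit a constructed set of markings observed at a trust boundary against the table; the class names and relevance column are copied from the slide, the bare AFx classes are read as AFx1, and the observed DS bytes in the test are made up.

```python
"""DSCP marking helpers for the RFC 4594 class table above. Added example, not lab
code; the class list and relevance column are copied from the slide."""

# Application class -> (per-hop behavior, business relevance), as on the slide.
EASYQOS_CLASSES = {
    "VoIP Telephony": ("EF", "Relevant"), "Broadcast Video": ("CS5", "Relevant"),
    "Real-Time Interactive": ("CS4", "Relevant"), "Multimedia Conferencing": ("AF4", "Relevant"),
    "Multimedia Streaming": ("AF3", "Relevant"), "Network Control": ("CS6", "Relevant"),
    "Signaling": ("CS3", "Relevant"), "OAM": ("CS2", "Relevant"),
    "Transactional Data": ("AF2", "Relevant"), "Bulk Data": ("AF1", "Relevant"),
    "Default Forwarding": ("DF", "Default"), "Scavenger": ("CS1", "Irrelevant"),
}
SPECIAL = {"DF": 0, "CS0": 0, "EF": 46}

def dscp_value(phb):
    """6-bit DSCP for a PHB name: CSx = 8x, AFxy = 8x + 2y, EF = 46, DF/CS0 = 0.
    A bare AFx, as written on the slide, is read as drop precedence 1 (AFx1)."""
    phb = phb.upper()
    if phb in SPECIAL:
        return SPECIAL[phb]
    if len(phb) == 3 and phb[:2] == "CS" and phb[2] in "1234567":
        return 8 * int(phb[2])
    if phb[:2] == "AF" and 3 <= len(phb) <= 4 and phb[2:].isdigit():
        x, y = int(phb[2]), (int(phb[3]) if len(phb) == 4 else 1)
        if 1 <= x <= 4 and 1 <= y <= 3:
            return 8 * x + 2 * y
    raise ValueError(f"unknown PHB {phb!r}")

def phb_name(dscp):
    """Inverse of dscp_value; codepoints outside the RFC 4594 set come back as DSCPnn."""
    if dscp in (0, 46):
        return "DF" if dscp == 0 else "EF"
    x, rem = divmod(dscp, 8)
    if rem == 0:
        return f"CS{x}"
    if 1 <= x <= 4 and rem in (2, 4, 6):
        return f"AF{x}{rem // 2}"
    return f"DSCP{dscp}"

def audit_markings(observed):
    """observed: (application class, DS byte seen at the trust boundary) pairs.
    Returns (class, seen PHB, expected PHB) for each flow that must be remarked."""
    findings = []
    for app_class, ds_byte in observed:
        expected = EASYQOS_CLASSES[app_class][0]
        seen = ds_byte >> 2  # DSCP is the top 6 bits of the DS byte; low 2 bits are ECN
        if seen != dscp_value(expected):
            findings.append((app_class, phb_name(seen), expected))
    return findings
```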


EasyQoS

•  Network Operators express high-level business-intent to APIC-EM EasyQoS
•  Applications can interact with APIC-EM via Northbound APIs, informing the network of application-specific and dynamic QoS requirements
•  Southbound APIs translate business-intent to platform-specific configurations


Dynamic QoS Classification for Jabber Video/MS Lync

Enterprise Network in the figure: 3945/ISRG2 routers, Cat 3750 switches, AP
Flow shown: Collaboration App → Session Policy → APIC-EM → QoS Changes on the network elements

Single policy request produces automated change across all network elements enabling high quality user experience

Pre-QoS change: Default Classification. Post QoS change: Video

Example: The default port range for Jabber Video to receive media is 21,000-21,900 (Jabber Video for TelePresence 4.6).


API’s


One more thought: APIC-EM Exposes APIs for customized applications


Introduction to the lab


PoD Topology

Sites and devices
•  Central Site: HQ-R1, HQ-SW1, 5508 (WLC), Data Center
•  PNP Branch: BR-R1, BR-SW1, 3560-CG
•  End hosts: PC-1, PC-2, PC-3, AP-1
•  APIC-EM GA: 10.1.3.220

Addressing shown in the diagram
•  VLAN 3; VLAN 5 (AP-1 10.1.5.50); VLAN 10; VLAN 20 (10.1.20.X); VLAN 22 (10.1.22.X); VLAN 64 (10.10.64.X); VLAN 70 (10.10.70.X)
•  Router links 10.1.8.X, 10.2.251.X and 10.2.252.X (.1 / .2 ends); EIGRP

Lab access
•  Terminal Server: 128.107.91.195/196, Password: labops
•  JUMP PC: 128.107.91.20X, Username: admin, Password: Uabootcamp1
•  APIC-EM UI: https://10.1.3.220, Username: admin, Password: Cisco123
•  IWAN App: http://localhost:3000
•  APIC-EM IWAN App UI: https://128.107.91.211:3000, Username: admin, Password: Cisco123


JUMP PC: 128.107.91.20X, Username: admin, Password: Uabootcamp1


APIC-EM IWAN App Visualization (exercise 7 only)


Thank you.