Cisco Digital Network Architecture (DNA) with APIC-EM

The Network Enables Business Transformation Cisco Digital Network Architecture (DNA) with APIC-EM

Upload: cisco-public-sector

Post on 08-Jan-2017


Category: Technology



TRANSCRIPT

Page 1: Cisco Digital Network Architecture (DNA) with APIC-EM

The Network Enables Business Transformation

Cisco Digital Network Architecture (DNA) with APIC-EM

Page 2: Cisco Digital Network Architecture (DNA) with APIC-EM

2© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Digital Transformation is Moving IT to the Boardroom

UPS My Choice: Delivery Control, Personalized Service
Customer Experience: Physical and Virtual RFID Content
Workforce Efficiency: WIP Inventory and Part Tracking
American Express: Personalized Service Through Mobile
Starbucks Apps: Order Ahead, Skip the Line

Page 3: Cisco Digital Network Architecture (DNA) with APIC-EM

…And Creating New Priorities for Digital Organization

Simplify / Automate Processes: Faster Time to Market, Leaner Operations
Empower Workforce Efficiency and Innovation: Increased Productivity, Better Retention
Personalize Customer / Citizen Experience: Increased Loyalty, Greater Insight

IoT | Mobility | Analytics | Cloud
Mobile traffic will exceed wired traffic by 2017
IoT devices will triple by 2020
75% of companies planning to or investing in Big Data
80% of organizations will primarily use SaaS by 2018

Page 4: Cisco Digital Network Architecture (DNA) with APIC-EM

Network

A New Infrastructure for the Digital Organization

Page 5: Cisco Digital Network Architecture (DNA) with APIC-EM

Network Requirements for the Digital Organization

Insights & Actions: Drive Business Innovations
Security & Compliance: Real-time & Dynamic Threat Defense
Automation & Assurance: Speed, Simplicity and Visibility

Cisco Digital Network Architecture (DNA)

Page 6: Cisco Digital Network Architecture (DNA) with APIC-EM

Evolution of Networking Software

Virtualization | Secure | Controllers | Common Policy Portability Standards | Analytics | Open APIs | Cloud | ISVs

How does this come together?
How do I build applications?
How do I ensure security?
How do I achieve speed & simplicity?

Page 7: Cisco Digital Network Architecture (DNA) with APIC-EM

Cisco Digital Network Architecture

Principles
Cloud Enabled
Automation: Abstraction & Policy Control from Core to Edge
Open & Programmable | Standards-Based
Open APIs | Developers Environment
Network Enabled Applications: Collaboration | Mobility | IoT | Security
Virtualization: Physical & Virtual Infrastructure | App Hosting
Analytics: Structured Data, Contextual Insights

Benefits
Insights & Actions
Automation & Assurance
Security & Compliance

Page 8: Cisco Digital Network Architecture (DNA) with APIC-EM

What’s New: Cisco DNA Innovations

New!

Enterprise NFV: Branch Service Virtualization. Controlled Availability March 2016

New!

New!

Available on DNA-Ready Infrastructure through Cisco ONE Software

APIC-EM Automation Platform: Completely New Platform. Available Now

Base Automation: Plug and Play. Available Now

Policy Services: IWAN App & Easy QoS. Available Now | March 2016, respectively

CMX Cloud: Presence Analytics and Connect. Available Now, US only, Apr 2016 for ROW

Page 9: Cisco Digital Network Architecture (DNA) with APIC-EM

DNA Automation - APIC-EM

Page 10: Cisco Digital Network Architecture (DNA) with APIC-EM

Drivers for SDN

Too many manual processes
Change/Config management difficulties
Maintenance window inhibits new technology implementation
Provisioning difficulties

40% | 36% | 29% | 28%

Page 11: Cisco Digital Network Architecture (DNA) with APIC-EM

How do we solve the problem… Cisco SDN Led Management

Simplification

Higher Agility

Lower OPEX

Business Intent

Programmability

Automation

Page 12: Cisco Digital Network Architecture (DNA) with APIC-EM

Network Automation and Simplification

Network Having Greater Application Awareness

These goals are shaping our SDN strategy

Page 13: Cisco Digital Network Architecture (DNA) with APIC-EM

APIC: Application Policy Infrastructure Controller

EM: Enterprise Module (Catalyst, ISR, ASR, Nexus 7k*, 6k*, 5k*, WLAN, NfV*)
DC: Data Center (Nexus 9000)

Application Centric Infrastructure (ACI) | User Centric Infrastructure (UCI)

*limited in EFT2 and CA

Page 14: Cisco Digital Network Architecture (DNA) with APIC-EM

APIC-EM similarity to Smartphone

The APIC-EM has:
• A strong base platform for SDN use cases
• Built-in apps (e.g. QoS, ACL, Policy)
• An API to be used by ISVs, so apps can be developed by many
• One app example – Jabber / Unified communication integration

Page 15: Cisco Digital Network Architecture (DNA) with APIC-EM

Flexible “Programmable” Interfaces

Allow Protocol/API choice while maintaining stack integrity

Network Elements | Controller (APIC-EM) | Applications

• CLI • SNMP • Web UI* • NETCONF* • XML* • RESTconf* • Openstack* • OpenFlow*

• Web UI • YANG • REST API

* Future Options

Page 16: Cisco Digital Network Architecture (DNA) with APIC-EM

Controller Architecture: High Level

SECURITY COLLABORATION ORCHESTRATION SERVICES WAN
North Bound APIs
Policy Infrastructure | Automation | Network Information Database
South Bound APIs
CLI, NetConf, RESTConf, OpenFlow…
Network Element Layer

CLI Provides Investment Protection

Page 17: Cisco Digital Network Architecture (DNA) with APIC-EM

Runs on x86 HW (single ISO now)

Hypervisor Agnostic

Single Touch Point - Fast & Easy Install

Policy Based Service Management

Role Based Access Control

Auto Scale Service Model

Highly Available

Seamless Upgrade

APIC-EM

Page 18: Cisco Digital Network Architecture (DNA) with APIC-EM

What is a Business Policy…

Who What Where When

Endpoints

To and From

Access to Resources

Monitoring

Scope

Location

Time Based

Event Triggered

Page 19: Cisco Digital Network Architecture (DNA) with APIC-EM

Policy Examples

Engineering Group (Who: From)
Engineering Applications (Who: To)
Laptop (Who: Device Type)
Permit (What: Action)
Properties: priority level – high, trust level – high (What: Action Properties)

Tom (Who: From)
Netflix (Who: To)
Permit (What: Action)
Properties: priority level – low, trust level – low (What: Action Properties)
Cafeteria (Where: Location)
11AM-1PM (When: Time)

Page 20: Cisco Digital Network Architecture (DNA) with APIC-EM

Automation Across Greenfield & Brownfield

Applications: Cisco IWAN | Cisco PnP | Cisco Easy QoS | 3rd Party App | 3rd Party App
APIC EM: REST APIs | App Services | Policy Manager | Network Programmer | Protocol agnostic SB abstraction layer
Network Elements: Devices

Software Downloads: 1538
Customers: 117
Deployments running up to 2500 sites

Controller: Scale and resiliency enabled with elastic platform and controller clusters
Proven out-of-box support for a broad set of devices
Growing Ecosystem: 50+ partners
Integrated monitoring and troubleshooting for apps

"APIC EM with IWAN App allows us to save 40% in annual circuit costs while adding in desperately needed intelligence to our application routing metrics."
Dan Schiefer, San Diego Court – IT, Sep 11, 2015

Page 21: Cisco Digital Network Architecture (DNA) with APIC-EM

Network Plug-n-Play

Page 22: Cisco Digital Network Architecture (DNA) with APIC-EM

Device On-boarding – Customer Challenges

Pre-staging (Central Staging Facility, Network Admin)
• Install OS
• Install base config
Shipping to End site
Techy Installer at site (Site-1; Installer: Customer, Partner)

Operational Challenges For end-site Installation

Direct Costs
• Pre-staging & Shipping costs
• Travel costs

Security
• 3rd party not secure
• Rogue devices

Time/Productivity
• Manual process
• Shipping, Storage, Travel

Complexity
• Configuration errors
• Different products, IOS Releases

Page 23: Cisco Digital Network Architecture (DNA) with APIC-EM

Network Plug-n-Play: Simple, Secure & Consistent device on-boarding for Enterprise platforms

Platforms: Switches (Catalyst) | Routers (ISR/ASR) | Wireless AP

Simple
• Zero-Touch provisioning of Campus & Branch deployments
• GUI Based workflows
• Robust Discovery Mechanisms for all deployment types (DHCP, DNS, Mobile App, USB)
• Cloud Redirect Service for automated branch deployments (Roadmap)

Secure
• SUDI based device authentication
• CA based server (APIC-EM) authentication
• Secure HTTPS based image & configuration downloads
• No configuration access to Installer
• Unplanned device workflow – Admin claims device

Consistent
• Support for end-to-end Enterprise platforms – Switches, Routers, AP
• Consistent workflows for all platforms
• Backward compatible w/ Smart-Install (Switches Only)
• Integrated w/ PI3.x workflows

Page 24: Cisco Digital Network Architecture (DNA) with APIC-EM

Network Plug and Play - Components

PnP Agent
• Runs on Cisco® switches, routers, and wireless access points
• Automates the deployment process

PnP Server
• Central server - APIC-EM
• Manages sites, devices, images, licenses
• Provides northbound REST APIs

PnP Protocol
• Runs between Agent and Server
• Open schema

PnP Helper App
• Delivers bootstrap status and troubleshooting checks

Page 25: Cisco Digital Network Architecture (DNA) with APIC-EM

Python

Cisco APIC EM: PnP Server User Interface and REST API

APIC-EM API

PnP REST API

Customer’s Existing Automation Framework

Automation Framework (i.e. Python script, configuration generator)

Device Repository and Database

Cisco® Devices: Catalyst®, ISR, ASR, Access Points

Enterprise Applications and Orchestration Layer

Network PnP Application UI

IWAN App

Topology Discovery

Pre-provisioning Ad-hoc and unclaimed devices

CLI, PnP Protocol

REST API

PnP Service APIC-EM Controller

PnP Server

PnP & APIC-EM Programmable Interface

User Interface

Page 26: Cisco Digital Network Architecture (DNA) with APIC-EM

PnP Server Discovery Options

Switches (Catalyst®) | Routers (ISR, ASR) | Wireless Access Points

DHCP Server | DNS Server

1. DHCP with options 60 and 43. PnP string: 5A1D;B2;K4;I172.19.45.222;J80
2. DNS lookup: pnpserver.localdomain ---- 172.19.45.222 (PnP Server)
3. Cloud re-direction - roadmap (Q4CY2015): https://devicehelper.cisco.com/device-helper re-directs to 172.19.45.22 (PnP Server)
4. USB-based bootstrapping
5. Manual - using the Cisco® Installer App (iPhone, iPad, Android)

PnP Agent
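
The DHCP option 43 string on this slide can be checked before it is rolled out to a scope. The parser below is an added example, not code from the deck or from Cisco; the field meanings (D/N debug flag, B address type, K4 = HTTP and K5 = HTTPS, I server, J port, port defaulting to 80 or 443) are taken from Cisco's documented option 43 layout rather than from the slide, and the function names and finding codes are hypothetical.

```python
import ipaddress

# Field meanings below follow Cisco's documented PnP option 43 layout.
# The slide shows only the raw string, so this mapping is outside knowledge.
ADDRESS_TYPES = {"1": "hostname", "2": "ipv4"}
TRANSPORTS = {"4": "http", "5": "https"}
DEFAULT_PORT = {"http": 80, "https": 443}


def parse_pnp_option43(text):
    """Parse a string such as '5A1D;B2;K4;I172.19.45.222;J80' into a dict."""
    parts = [p.strip() for p in text.split(";") if p.strip()]
    if not parts:
        raise ValueError("empty option 43 string")
    head = parts[0]
    # Header: '5A', one version digit, then D (debug on) or N (debug off).
    if (len(head) != 4 or not head.startswith("5A")
            or head[2] not in "0123456789" or head[3] not in ("D", "N")):
        raise ValueError(f"unrecognised header {head!r}")
    cfg = {"version": int(head[2]), "debug": head[3] == "D",
           "address_type": None, "transport": "http",
           "server": None, "port": None, "other": []}
    for part in parts[1:]:
        key, val = part[0], part[1:]
        if key == "B" and val in ADDRESS_TYPES:
            cfg["address_type"] = ADDRESS_TYPES[val]
        elif key == "K" and val in TRANSPORTS:
            cfg["transport"] = TRANSPORTS[val]
        elif key == "I" and val:
            cfg["server"] = val
        elif (key == "J" and val.isascii() and val.isdigit()
              and 1 <= int(val) <= 65535):
            cfg["port"] = int(val)
        elif key in "BKIJ":
            raise ValueError(f"bad value in field {part!r}")
        else:
            cfg["other"].append(part)  # fields this example does not model
    if cfg["server"] is None:
        raise ValueError("missing I (server address) field")
    if cfg["port"] is None:
        cfg["port"] = DEFAULT_PORT[cfg["transport"]]
    return cfg


def audit_bootstrap(cfg):
    """Return finding codes for a parsed option 43 value (empty list = clean)."""
    findings = []
    if cfg["transport"] != "https":
        # The agent is told to call home over HTTP, so the initial
        # contact with the PnP server is not protected by TLS.
        findings.append("plaintext-http")
    if cfg["debug"]:
        findings.append("debug-enabled")  # informational: verbose agent output
    if cfg["address_type"] == "ipv4":
        try:
            ipaddress.IPv4Address(cfg["server"])
        except ValueError:
            findings.append("server-not-ipv4")  # B2 declared, I is not an IPv4
    return findings


SLIDE_STRING = "5A1D;B2;K4;I172.19.45.222;J80"    # value shown on the slide
HTTPS_STRING = "5A1N;B2;K5;I172.19.45.222;J443"   # constructed for comparison

if __name__ == "__main__":
    for s in (SLIDE_STRING, HTTPS_STRING):
        print(s, "->", audit_bootstrap(parse_pnp_option43(s)))
```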

Page 27: Cisco Digital Network Architecture (DNA) with APIC-EM

Network-PnP: Pre-provisioning Workflow

1. Pre-provision (Admin): N-PnP App on APIC-EM pre-provisioned w/ device SR#
2. Discovery: Configure device discovery
• DHCP Option-43
• or DNS
3. Secure Deployment (Installer)
• Installer powers on devices
• Devices securely download Image & Configuration

Diagram labels: PnP-Agent, Device Authentication, Download Image & Config, N-PnP app on APIC-EM, DHCP Server OR DNS Server

Page 28: Cisco Digital Network Architecture (DNA) with APIC-EM

Summary

Solution Summary
• Cisco® Network PnP is a simple, highly secure, and scalable automated network device deployment solution
• The agent is supported on end-to-end Cisco IOS® Software products
• The Cisco APIC-EM is the central server for the solution
• Programmability: The APIC-EM allows scripting (REST API) to automate server workflows
• Python server reference implementation in DevNet: Give link here
• Open-source protocol available: Customers and partners can adapt the PnP server into their own processes or build their own server based on open protocols (The schema is proprietary, even if using XMPP)

Benefits
• No pre-staging of devices
• Unskilled installer at remote sites
• GUI-based workflows
• Highly secure and scalable

Page 29: Cisco Digital Network Architecture (DNA) with APIC-EM

DNA Easy QoS

Page 30: Cisco Digital Network Architecture (DNA) with APIC-EM

Customer Challenges

• Customers are endeavoring to increase employee productivity through the effective and innovative use of collaborative applications

• Collaboration Quality of Experience should be seamless, regardless of platform, media or location

• The foremost barrier to enabling QoS/QoE is complexity, as end-to-end designs need to be comprehensive and cohesive

Page 31: Cisco Digital Network Architecture (DNA) with APIC-EM

EasyQoS Solution

Network Operators express high-level business-intent to APIC-EM EasyQoS

Applications can interact with APIC-EM via Northbound APIs, informing the network of application-specific and dynamic QoS requirements

Southbound APIs translate business-intent to platform-specific configurations

Wireless AP: Trust Boundary, PEP, 4Q (WMM)
Catalyst 2960-X: Trust Boundary, PEP, 1P3Q3T
Catalyst 3650: Trust Boundary, PEP, 2P6Q3T
Catalyst 4500: 1P7Q1T
Catalyst 6500: 1P3Q4T, 1P7Q4T, 2P6Q4T
Nexus 7700: F3: 1P7Q1T
WLC: PEP
ASR/ISRs: MQC

Page 32: Cisco Digital Network Architecture (DNA) with APIC-EM

EasyQoS GUI
Step 1: Select a Scope for Policy Application

Page 33: Cisco Digital Network Architecture (DNA) with APIC-EM

EasyQoS GUI
Step 1: Select a Scope for Policy Application

Page 34: Cisco Digital Network Architecture (DNA) with APIC-EM

EasyQoS GUI
Step 2: (Optional) Change Application Business-Relevance

Page 35: Cisco Digital Network Architecture (DNA) with APIC-EM

EasyQoS GUI
Step 3: (Optional) Add Custom Applications

Page 36: Cisco Digital Network Architecture (DNA) with APIC-EM

What Do We Do Under-the-Hood?
Apply RFC 4594-based Marking / Queuing / Dropping Treatments

Application Class | Per-Hop Behavior | Queuing & Dropping | Application Examples
VoIP Telephony | EF | Priority Queue (PQ) | Cisco IP Phones (G.711, G.729)
Broadcast Video | CS5 | (Optional) PQ | Cisco IP Video Surveillance / Cisco Enterprise TV
Real-Time Interactive | CS4 | (Optional) PQ | Cisco TelePresence
Multimedia Conferencing | AF4 | BW Queue + DSCP WRED | Cisco Jabber, Cisco WebEx
Multimedia Streaming | AF3 | BW Queue + DSCP WRED | Cisco Digital Media System (VoDs)
Network Control | CS6 | BW Queue | EIGRP, OSPF, BGP, HSRP, IKE
Signaling | CS3 | BW Queue | SCCP, SIP, H.323
Ops / Admin / Mgmt (OAM) | CS2 | BW Queue | SNMP, SSH, Syslog
Transactional Data | AF2 | BW Queue + DSCP WRED | ERP Apps, CRM Apps, Database Apps
Bulk Data | AF1 | BW Queue + DSCP WRED | E-mail, FTP, Backup Apps, Content Distribution
Best Effort | DF | Default Queue + RED | Default Class
Scavenger | CS1 | Min BW Queue (Deferential) | YouTube, Netflix, iTunes, BitTorrent, Xbox Live

Page 37: Cisco Digital Network Architecture (DNA) with APIC-EM

Establish Trust Boundaries and Policy Enforcement Points (PEPs)

• The Trust Boundary is the point where Layer 2 or Layer 3 markings are accepted or rejected
• The Policy Enforcement Point (PEP) is the edge where classification and marking policies are enforced
• The PEP may or may not be the same as the trust boundary
• Multiple PEPs may exist for different types of network devices

Diagram labels: Trust Boundary, Router, PEP, Switch, PEP

EasyQoS will deploy:
• Wired and wireless trust boundaries at the network edges
• Policy Enforcement Points at the network edges as well as at strategic locations (where extended classification technologies may be available)

Guiding Mandate: Each device will be configured to express the business-intent with maximum fidelity to the best of its capabilities

Page 38: Cisco Digital Network Architecture (DNA) with APIC-EM

Deploy End-to-End DSCP-Based Queuing Policies

EM

EasyQoS will seamlessly interconnect all types of hardware and software queuing models to achieve consistent and compatible end-to-end treatments aligned with the expressed business-intent

Page 39: Cisco Digital Network Architecture (DNA) with APIC-EM

Dynamic QoS Workflow

Page 40: Cisco Digital Network Architecture (DNA) with APIC-EM

Business Value of Dynamic QoS

• No need to open a wide UDP port-range in your trust boundary, making your network more secure
• No need for DPI at the edge
• Classification becomes application-aware, yet lightweight
• Supports wireless & BYOD devices without client software upgrades
• Supports brownfield deployments

Page 41: Cisco Digital Network Architecture (DNA) with APIC-EM

EasyQoS GUI
Step 4: (Optional) Enabling Dynamic QoS

Page 42: Cisco Digital Network Architecture (DNA) with APIC-EM

Dynamic QoS Workflow
Part 1: Proceeding Voice/Video Call

• CUCM signals APIC-EM of a proceeding call via a Northbound REST API
• APIC-EM acknowledges the flow and assigns a Flow-ID
• APIC-EM deploys dynamic ACLs for voice and/or video to the specific switch ports hosting the endpoints

ip access-list extended VOICE
 permit udp host 10.1.1.1 eq 18578 host 10.2.2.2 eq 17333
ip access-list extended VIDEO
 permit udp host 10.1.1.1 eq 31199 host 10.2.2.2 eq 24141

ip access-list extended VOICE
 permit udp host 10.2.2.2 eq 17333 host 10.1.1.1 eq 18578
ip access-list extended VIDEO
 permit udp host 10.2.2.2 eq 24141 host 10.1.1.1 eq 31199

POST /api/v0/fms/flow:
{"srcIPAddress":"10.1.1.1","dstIPAddress":"10.2.2.2","srcPort":31999,"dstPort":21141,"mediaType":"video","qosClassName":"conversational.video.avconf.aq","averageBandwidth":0,"peakBandwidth":0,"appid":"CUCM","codec":"H.264"}

{"response":{"data":"success","flowId":"bc8727b7-76d0-4bac-94b9-fa6b76a1a803"},"version":"0.0"}

Page 43: Cisco Digital Network Architecture (DNA) with APIC-EM

Dynamic QoS Workflow
Part 2: Terminating Voice/Video Call

• CUCM signals APIC-EM to delete the Flow-ID of a terminating call
• APIC-EM removes the dynamic ACLs for voice and/or video from the specific switch ports hosting the endpoints

ip access-list extended VOICE
 no permit udp host 10.1.1.1 eq 18578 host 10.2.2.2 eq 17333
ip access-list extended VIDEO
 no permit udp host 10.1.1.1 eq 31199 host 10.2.2.2 eq 24141

ip access-list extended VOICE
 no permit udp host 10.2.2.2 eq 17333 host 10.1.1.1 eq 18578
ip access-list extended VIDEO
 no permit udp host 10.2.2.2 eq 24141 host 10.1.1.1 eq 31199

DELETE /api/v0/fms/flow/bc8727b7-76d0-4bac-94b9-fa6b76a1a803
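
The two-part workflow above (POST creates a Flow-ID and per-call pinholes, DELETE by Flow-ID removes them) is modelled offline below as an added example; it is not APIC-EM code and makes no API calls. The `FlowTable` class, the validation rules and the function names are assumptions for illustration; only the JSON field names, ACL names and ACL line format come from the slides.

```python
import ipaddress
import uuid

ACL_NAME = {"voice": "VOICE", "video": "VIDEO"}  # ACL names used on the slide


def validate_flow(req):
    """Normalize a request to (media, src, sport, dst, dport) or raise ValueError."""
    media = req.get("mediaType")
    if media not in ACL_NAME:
        raise ValueError(f"unsupported mediaType: {media!r}")
    hosts, ports = [], []
    for key in ("srcIPAddress", "dstIPAddress"):
        raw = req.get(key)
        if not isinstance(raw, str):
            raise ValueError(f"{key}: expected a dotted-quad string")
        addr = ipaddress.IPv4Address(raw)  # AddressValueError is a ValueError
        if (addr.is_unspecified or addr.is_multicast
                or addr.is_loopback or addr.is_reserved):
            raise ValueError(f"{key}: {addr} is not a unicast host address")
        hosts.append(addr)
    for key in ("srcPort", "dstPort"):
        port = req.get(key)
        # One exact port per side: a pinhole, never a range or wildcard.
        if isinstance(port, bool) or not isinstance(port, int) \
                or not 1 <= port <= 65535:
            raise ValueError(f"{key}: need a single UDP port 1-65535")
        ports.append(port)
    if hosts[0] == hosts[1]:
        raise ValueError("source and destination host are the same")
    return media, hosts[0], ports[0], hosts[1], ports[1]


def is_valid(req):
    """True when validate_flow accepts the request."""
    try:
        validate_flow(req)
        return True
    except ValueError:
        return False


def acl_lines(flow, remove=False):
    """Config lines for each endpoint's switch port, keyed by endpoint IP."""
    media, src, sport, dst, dport = flow
    verb = "no permit" if remove else "permit"

    def entry(a, ap, b, bp):
        return [f"ip access-list extended {ACL_NAME[media]}",
                f" {verb} udp host {a} eq {ap} host {b} eq {bp}"]

    return {str(src): entry(src, sport, dst, dport),
            str(dst): entry(dst, dport, src, sport)}


class FlowTable:
    """Tracks Flow-ID -> flow so teardown removes exactly what was installed."""

    def __init__(self):
        self._flows = {}

    def add(self, req):
        flow = validate_flow(req)
        if flow in self._flows.values():
            raise ValueError("flow already installed")
        flow_id = str(uuid.uuid4())
        self._flows[flow_id] = flow
        return flow_id, acl_lines(flow)

    def delete(self, flow_id):
        if flow_id not in self._flows:
            raise KeyError(f"unknown Flow-ID {flow_id}")
        return acl_lines(self._flows.pop(flow_id), remove=True)

    def open_pinholes(self):
        return len(self._flows)


# Request body copied from the slide's POST /api/v0/fms/flow example.
SAMPLE_REQUEST = {"srcIPAddress": "10.1.1.1", "dstIPAddress": "10.2.2.2",
                  "srcPort": 31999, "dstPort": 21141, "mediaType": "video",
                  "qosClassName": "conversational.video.avconf.aq",
                  "averageBandwidth": 0, "peakBandwidth": 0,
                  "appid": "CUCM", "codec": "H.264"}
```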

Page 44: Cisco Digital Network Architecture (DNA) with APIC-EM

Summary

Solution Summary
• Cisco® EasyQoS is a simple, highly secure, and scalable automated network QoS policy deployment solution
• EasyQoS is business-intent driven, requiring network operators only to confirm which applications are relevant to their business, while abstracting all platform-specific implementation details
• Cisco APIC-EM is the central controller which supports Northbound APIs that can interface with applications (via REST APIs) and also Southbound APIs to translate application requirements to platform-specific configurations
• EasyQoS deploys industry-standard best-practices via Cisco Validated Designs

Benefits
• Provides end-to-end orchestration of QoS
• Simple and easy to deploy
• Works for both greenfield and brownfield deployments
• Business-intent driven
• End-to-End provisioning done in minutes
• Reduces time to onboard new applications and allows SLA compliance
• Provides dynamic, lightweight and accurate application-aware classification
• Supports wireless & BYOD devices without client software upgrades

Page 45: Cisco Digital Network Architecture (DNA) with APIC-EM

EasyQoS – Supported Platforms (GA+1)

Platform-Families
Catalyst 2K (2960-S, 2960-X)
Catalyst 3K (3560CG, 3560-X, 3750-X)
Catalyst 3650/3850
Catalyst 4K (Sup 7E, Sup8E, 4500-X)
Catalyst 6500 Sup2T & 6880-X
AireOS WLC (2500, 5500, 8500, WiSM2)
ISR (ISR G2 / ISR 4400)
ASR 1000

Page 46: Cisco Digital Network Architecture (DNA) with APIC-EM

APIC-EM Integration with PI

Page 47: Cisco Digital Network Architecture (DNA) with APIC-EM

PI integration with APIC-EM: PnP and PKI

• PI 3.0 uses the PnP and PKI service from the APIC-EM via REST API calls
• With this integration, all the actions are driven from PI – no need to log on to the APIC-EM GUI for PnP or PKI
• Add APIC-EM as a server within PI (Administration APIC-EM Controller)

Enter the APIC-EM Admin Credentials to Rest API Calls

Enable the APIC-EM Global Setting for PnP and PKI

Page 48: Cisco Digital Network Architecture (DNA) with APIC-EM

PnP/PKI Workflow

Diagram labels: Branch, ISR, Internet, MPLS, 3G/LTE, DMZ, HTTP Proxy, Data Center, APIC-EM PnP/PKI, Prime Infrastructure, Rest APIs, Cisco IOS®, PKI Cert

Before deployment:
• Network wide settings have been defined
• Datacenter has been configured
• Application policies have been set

1. Power On!
• Connect Internet and MPLS cables
• Insert PnP bootstrap USB stick
• Power up ISR
2. Router PnP agent starts “call-home”
3. APIC-EM PnP pushes new IOS if needed
4. APIC-EM PnP calls PKI service to push a PKI X.509 certificate

Page 49: Cisco Digital Network Architecture (DNA) with APIC-EM

IWAN Workflow after the Router is managed by PI

Diagram labels: Branch, ISR, Internet, MPLS, DMZ, ASR 1K, Data Center, Prime Infrastructure, Config policies…, SSH, Monitor

1. Admin starts the IWAN workflow then pushes IWAN templates to new router
• Prime generates IWAN config
• Prime pushes config to device

2.
• Prime generates device configuration based on current policy settings/network-wide settings
• Config is pushed to device line by line:
  o DMVPN
  o Routing
  o Front Door VRF
  o AVC (NBAR2)
  o 8 Class QoS
  o PfR
  o MPLS QoS translation
  o Start net flow collection
  o Start Syslog exporting

• IWAN config is applied
• Hybrid WAN tunnels come up

Page 50: Cisco Digital Network Architecture (DNA) with APIC-EM

System of record vs. System of change

Prime Infrastructure: System of Record
• Policy definition
• Historical reporting on events & performance
• Configuration archive
• Troubleshooting workflows
• Capacity Trending
• Predictive Analytics
Customizable Templates | Guided Workflows | Full CLI Access

APIC-EM: System of Change
• Policy enforcement
• Discovery (for change)
• Topology (for change)
• PnP
• Network state monitoring
• Device abstraction
• Network Control
Massive Simplification | Policy Automated | NO CLI Changes

Page 51: Cisco Digital Network Architecture (DNA) with APIC-EM

Cisco Enterprise Management
Consolidation of Licensing / Features

Enterprise Management 3.x: SDN Management for the Enterprise

Cisco Prime Infrastructure 3.0: Lifecycle | Assurance (Network Management)

APIC-EM Controller: Basic Apps | Solution Apps (Application Centric Policy Based Management)

Page 52: Cisco Digital Network Architecture (DNA) with APIC-EM

Cisco Enterprise Management Benefits

SDN Management End-to-End
• Integrated and simplified management of Routers, Switches and Wireless
• Monitoring all network elements, from Branch/Campus to the Data Center, reducing number of tools required to manage the network

Management Simplicity and Automation
• Integration with Controller (APIC-EM) for Plug and Play
• Policy Driven workflows & templates for managing the network
• Automated monitoring of application and Proactive alerting based on abnormal behaviors

Reduces Operational and Capital Costs
• Simplified Management reducing need for multiple solutions
• Rapid device deployment and management through consolidated architecture
• Single licensing structure providing access to Prime Infrastructure (Lifecycle & Assurance) and APIC-EM (Foundation & Solution Apps)

Page 53: Cisco Digital Network Architecture (DNA) with APIC-EM

Cisco One

Page 54: Cisco Digital Network Architecture (DNA) with APIC-EM

DNA Offers Mapping

Cisco DNA Delivered through Cisco ONE Software

Advanced Application

Foundation

Available on DNA-Ready Infrastructure through Cisco ONE Software
ISR 4000 | ASR 1000 | Catalyst 6800 | Catalyst 4000-E | Catalyst 3850 | Catalyst 3650 | Aironet 802.11ac | Meraki

Cisco ONE Packaging

Connected Mobile Experiences (CMX)

Network as a Sensor / Enforcer

Pervasive Mobility

Experience

Converged Branch

Intelligent WAN

Virtual Branch

Unified Threat Management

Page 55: Cisco Digital Network Architecture (DNA) with APIC-EM

Cisco ONE Simplifies Software Purchasing

Cisco ONE Foundation: core networking, management, automation, embedded security

Cisco ONE Advanced: enhanced automation, service assurance, adv. configuration, etc.

Cisco ONE Full Suite: Foundation + Advanced

Select your Software Capabilities

1 Pick your platform

2 Choose Purchasing Model

3

ISR/ASR Router Virtual Router Catalyst Switch Wireless Controller Virtual Wireless Controller Access Points

License Model: Perpetual Subscription

Contract: Transactional Volume Purchase

Purpose Built Applications | Ongoing Innovation | License Portability & Flexibility

General availability of subscription & volume purchase to be announced

Page 56: Cisco Digital Network Architecture (DNA) with APIC-EM

Demo

Page 57: Cisco Digital Network Architecture (DNA) with APIC-EM