sdn in the enterprise: apic enterprise module
TRANSCRIPT
SDN in the Enterprise: APIC Enterprise Module T-ENM-01-I
Lila Rousseaux, Consulting Systems Engineer, Enterprise Networks, Cisco Systems Canada Tim Szigeti, Technical Marketing Engineer, Enterprise Architecture Team, Cisco Systems
Thank you for attending Cisco Connect Toronto 2015, here are a few housekeeping notes to ensure we all enjoy the session today.
§ Please ensure your cellphones / Laptops are set on silent to ensure no one is disturbed during the session
§ Ask questions !!
House Keeping Notes
§ What problem are we trying to solve?
§ APIC-EM Architecture
§ APIC-EM Apps a.k.a how can the controller help simplify my environment?
§ What about Prime?
§ Wrap-Up
AGENDA
“A platform for developing new control planes”
“An open solution for VM mobility in the Data-Center”
“An open solution for customized flow forwarding control in the Data-Center”
“A means to do traffic engineering without MPLS”
“A way to scale my firewalls and loadbalancers”
“A solution to build a very large scale layer-2 network”
“A way to build my own security/encryption solution, avoiding RSA”
“A way to reduce the CAPEX of my network and leverage commodity switches”
“A way to define virtual networks with specific topologies for my multi-tenant Data-Center”
“A means to scale my fixed/mobile gateways and optimize their placement”
“A solution to build virtual topologies with optimum multicast forwarding behavior”
“A way to optimize link utilization in my network, through new multi-path algorithms”
“A way to avoid lock-in to a single networking vendor”
“A way to distribute policy/intent, e.g. for DDoS prevention, in the network”
“A way to configure my entire network as a whole rather than individual devices”
“A solution to get a global view of the network – topology and state”
“With SDN I can develop solutions to my problems far faster – “at software speeds”. I don’t have to work with my network vendor or go through lengthy standardization”
SDN – Still Don’t kNow – Stanford Defined Networking: Many things to Many people
Distributed Networking has worked! However, Distributed Networking adds complexity to manage/comprehend.
Abstracting Conventional Policy Complexity
Conventional Model (Admin Driven):
The What: “Security Policy for Branch A”
The How: “Change ACLs in the Following Elements”
Policy Based Model (APIC-EM):
The What: “Security Policy for Branch A” (Admin Driven, via Northbound APIs)
The How: “Change ACLs in the Following Elements” (ACI Constructs)
Changing Nature of IT Ops with SDN led Management
Traditional Management: Management (NMS) directly over the network elements (NE); customer developed provisioning tools, manual CLI changes, and run book automation for IT Operations support.
SDN Led Management: Management (Provisioning and Assurance) and Automation (Workflow / Orchestration) drive the Controller (APIC-EM), which drives the network elements (NE); customer input on business / service intent.
Changing Nature of IT Ops with SDN led Management
Traditional Management: Feature Configuration
SDN Led Management: Policy Automation
Policy Maturity to Cover Enterprise System of Change Use Cases will Evolve Over Time
Chart: share of traditional configuration vs. policy in controller-based automation over time. Today it is mostly traditional configuration; policy based configuration → dynamic, able to be automated, managed by the controller. Policy grows, static shrinks.
Cisco APIC Enterprise Module Architecture
Abstracts Network Devices to Mask Complexity
Treat Network as a System
Exposes Network Intelligence for Business Innovation
Cisco APIC Enterprise Module
Cisco and Third Party Applications
Network Devices: Catalyst, ASR, ISR
Network Info Database
Policy Infrastructure Automation
REST API
Southbound Interface: CLI
Security, QoS, IWAN, Network PnP
Masking Network Complexity, Exposing Network Intelligence.
Cisco APIC Enterprise Module Architecture
1. Cisco Visualization Application a.k.a UI
2. Cisco Applications for specific solutions
IWAN, Network PnP, Collaboration, Security, etc
3. DevNet
4. Customer developed
SDN Innovation: Network Information Base Provides One Source of Truth
Cisco APIC Enterprise Module Architecture
1. Network programmer service: used for programming the network
2. Services within the controller leverage network programmer to talk to the network
3. Depending on the type of platform and functionality the network programmer chooses the southbound protocol
4. Services within the controller are unaware of these protocols
5. If new protocols are required, we only need to add the plug-in for that protocol in the network programmer
Use Case: Path Visualization
• No efficient method to troubleshoot IP voice and video sessions traversing the network on demand
• Lack of network visibility creates large OPEX to diagnose and find problem sources
• Path computation service provides a fast and accurate method for rapidly identifying/isolating paths causing problems
• Low risk use case for SDN
CAMPUS / BRANCH
Security Policy App (within User Interface): Per User, Per Application Access Policy Enforcement
APIC-EM Controller, ISE, AD/Radius Server (Authentication); example policy: Block Bit-Torrent
§ Admin configures business policy to block application traffic on a per user/user_group basis.
§ Controller uses identity information to install user specific access policy at the edge.
§ User moves to a branch site. Policy moves with it.
How to use Policy Programming for Network Threat Defense - Policy Programming outside the UI
Topology elements: Branch, ISR Sensor, WAN, HQ, Internet, SourceFire Defence Center, SourceFire Sensor, SDN Controller
1. BYOD Malware/Javascript Attack
2. SF Sensor detects threat
3. SF DC notifies Controller
4. Remediation API event
5. Policy installed on Access switch port by Controller.
6. Block or quarantine end-point
Sequence: Malware Attack → Defense Center Alert → Controller Notification → Remediation Policy Enforcement → Host Quarantined
Defense Center → Controller: POST /api/v0/policy
{"actions": ["DENY"], "policyOwner": "admin", "policyName": "deny_all", "networkUser": {"userIdentifiers": ["10.10.20.7"]}}
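As an added illustration (not code from the slides or from Cisco), the following Python sketches the remediation hook at step 4: it turns a Defense Center alert into the POST body shown above, gates on severity and refuses anything that is not a single IPv4 host. The alert field names and the controller hostname are assumptions.

```python
import ipaddress
import json

# Constructed sample of a Defense Center alert as a remediation hook might
# receive it. The field names are an assumption: the slides do not show the
# SourceFire event schema, only that the DC notifies the controller.
SAMPLE_ALERT = {"event": "malware_detected", "src_ip": "10.10.20.7",
                "severity": "high"}

# Only alerts at these severities become a DENY policy; anything lower is
# left for a human, so a noisy sensor cannot quarantine half the campus.
QUARANTINE_SEVERITIES = {"high", "critical"}


def valid_identifier(host):
    """True only for a single IPv4 host address: the policy body on the slide
    keys the user by IP, and a malformed value must never reach the controller."""
    try:
        return ipaddress.ip_address(host).version == 4
    except ValueError:
        return False


def build_deny_policy(alert, owner="admin", name="deny_all"):
    """Translate an alert into the /api/v0/policy body shown on the slide,
    or return None when the alert should not trigger remediation."""
    if alert.get("severity") not in QUARANTINE_SEVERITIES:
        return None
    host = alert.get("src_ip", "")
    if not valid_identifier(host):
        raise ValueError(f"refusing to build policy for identifier {host!r}")
    return {
        "actions": ["DENY"],
        "policyOwner": owner,
        "policyName": name,
        "networkUser": {"userIdentifiers": [host]},
    }


def remediation_request(alert, controller="https://apic-em.example.invalid"):
    """Return (method, url, json_body) for the controller call without sending
    it, so the decision can be logged or reviewed before enforcement.
    The controller hostname is a placeholder, not a real APIC-EM address."""
    body = build_deny_policy(alert)
    if body is None:
        return None
    return "POST", controller + "/api/v0/policy", json.dumps(body)
```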
EasyQoS App: No more Box-by-Box configuration
Cisco Validated Design (CVD) based templates; traffic classes Control, Transactional Data, Realtime, Best Effort; configuration pushed by Cisco APIC - Enterprise Module
APIC-EM with CUCM Integration—Step 1a
The administrator enters strategic business Intent to APIC-EM; APIC-EM deploys:
a) static (ingress) ACL-based classification & DSCP-marking policies (on access edge interfaces only) with null ACL entries for VOICE and VIDEO
ip access-list extended VOICE
ip access-list extended VIDEO
ip access-list extended BULK-DATA
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
…
class-map match-all VOICE
 match access-group name VOICE
class-map match-all VIDEO
 match access-group name VIDEO
class-map match-all BULK-DATA
 match access-group name BULK-DATA
…
policy-map APIC-EM-INGRESS-MARKING
 class VOICE
  set dscp ef
 class VIDEO
  set dscp af41
 class BULK-DATA
  set dscp af11
…
APIC-EM with CUCM Integration—Part 1b
Once the administrator has entered strategic business Intent to APIC-EM, APIC-EM deploys:
a) static (ingress) ACL-based classification & DSCP marking policies
b) static (ingress and egress) DSCP-based queuing policies on all switches
class-map match-all VOICE-PQ1
 match dscp ef
class-map match-all VIDEO-PQ2
 match dscp af41
class-map match-any BULK-DATA-QUEUE
 match dscp af11 af12 af13
…
policy-map APIC-EM-2P6Q3T
 class VOICE-PQ1
  priority level 1
 class VIDEO-PQ2
  priority level 2
 class BULK-DATA-QUEUE
  bandwidth remaining percent 5
  queue-buffers ratio 10
  queue-limit dscp values af13 percent 80
  queue-limit dscp values af12 percent 90
  queue-limit dscp values af11 percent 100
…
APIC-EM with CUCM Integration—Part 2
CUCM signals APIC-EM of a proceeding call; APIC-EM deploys a dynamic ACL update for voice and/or video to all ports on the switch (or switch module)
Switch at the 10.1.1.1 end:
ip access-list extended VOICE
 match udp host 10.1.1.1 eq 18578 host 10.2.2.2 eq 17333
ip access-list extended VIDEO
 match udp host 10.1.1.1 eq 31199 host 10.2.2.2 eq 24141
Switch at the 10.2.2.2 end:
ip access-list extended VOICE
 match udp host 10.2.2.2 eq 17333 host 10.1.1.1 eq 18578
ip access-list extended VIDEO
 match udp host 10.2.2.2 eq 24141 host 10.1.1.1 eq 31199
APIC-EM with CUCM Integration—Part 3
CUCM signals APIC-EM of a terminating call; APIC-EM removes the dynamic ACL update for voice and/or video
Switch at the 10.1.1.1 end:
ip access-list extended VOICE
 no match udp host 10.1.1.1 eq 18578 host 10.2.2.2 eq 17333
ip access-list extended VIDEO
 no match udp host 10.1.1.1 eq 31199 host 10.2.2.2 eq 24141
Switch at the 10.2.2.2 end:
ip access-list extended VOICE
 no match udp host 10.2.2.2 eq 17333 host 10.1.1.1 eq 18578
ip access-list extended VIDEO
 no match udp host 10.2.2.2 eq 24141 host 10.1.1.1 eq 31199
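An added example, not from the slides or from Cisco, that generates the Part 2 (call setup) and Part 3 (call teardown) ACL updates for both access switches of one call from its media endpoints; each switch classifies ingress traffic, so the entry direction is reversed on the second switch. It keeps the slides' "match" keyword, whereas an ACE on a real IOS device reads "permit".

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


# Constructed sample call using the addresses and UDP ports from the slides.
SAMPLE_VOICE = (Endpoint("10.1.1.1", 18578), Endpoint("10.2.2.2", 17333))
SAMPLE_VIDEO = (Endpoint("10.1.1.1", 31199), Endpoint("10.2.2.2", 24141))


def ace(src, dst, remove=False):
    """One access-control entry for a single UDP media flow, in the syntax the
    slides use ('match'; a real IOS ACE would be written with 'permit')."""
    verb = "no match" if remove else "match"
    return f" {verb} udp host {src.ip} eq {src.port} host {dst.ip} eq {dst.port}"


def per_switch_update(flows, remove=False):
    """Render the ACL updates for one switch. flows is a list of
    (acl_name, src, dst) for the media that the locally attached phone sends."""
    by_acl = {}
    for acl_name, src, dst in flows:
        by_acl.setdefault(acl_name, []).append(ace(src, dst, remove))
    lines = []
    for acl_name, entries in by_acl.items():
        lines.append(f"ip access-list extended {acl_name}")
        lines.extend(entries)
    return lines


def call_updates(voice, video, remove=False):
    """Updates for the two access switches of one call. Each switch only sees
    the flow sourced by its own phone on ingress, so side B is reversed.
    remove=True produces the teardown (Part 3) instead of the setup (Part 2)."""
    a_side = [("VOICE", voice[0], voice[1]), ("VIDEO", video[0], video[1])]
    b_side = [("VOICE", voice[1], voice[0]), ("VIDEO", video[1], video[0])]
    return per_switch_update(a_side, remove), per_switch_update(b_side, remove)


if __name__ == "__main__":
    for side, lines in zip("AB", call_updates(SAMPLE_VOICE, SAMPLE_VIDEO)):
        print(f"! switch at side {side}")
        print("\n".join(lines))
```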
Intelligent WAN
WAN Transport: MPLS ($$$) and Low Cost Circuit, Internet, 4G ($); Branch; Private Cloud / Virtual Private Cloud; Direct Internet Access vs. Internet backhaul; Cisco Cloud Web Security; Public Cloud
✓ Secure WAN transport across MPLS and/or Internet for private cloud / DC access
✓ Leverage Low Cost path for public cloud and Internet access
Increase WAN Capacity, Improve App Performance, Scale Security at the Branch
Cisco APIC - Enterprise Module
© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential –Use under NDA – DO NOT DISTRIBUTE [email protected]
APIC EM Apps will innovate on design simplicity and intuitiveness
APIC-EM IWAN App Application Policy
• Applications detected in the network when enabling AVC
• Classify applications in different categories
• Organize applications into categories to create business policies based on these categories
• Business logic → we tell the controller what applications are relevant for the business
• The controller is going to perform background tasks based on this business logic
• Define primary path for a group of applications
• The controller will create a PfR policy based on those paths.
Network Plug-n-Play – for Zero Touch Deployment
Unskilled Installer; GUI Based; Consistent for devices & PIN (Campus/Branch); Secure Zero-touch; RMA; Greenfield & Brownfield
Today’s Process: the Network Admin installs the OS and base config at a Central Staging Facility, then the Installer takes the devices to Site-1, Site-2, Site-3.
Network PnP:
1. Network Admin pre-provisions projects/sites in Cisco APIC - Enterprise Module (PnP Server)
2. Reseller/Partner ships equipment; Installer installs & powers on devices at the site(s)
3. Network Admin monitors device installation
Use Case: Device Deployment in Campus
Day 0 (Network Admin): pre-provision projects/sites in Cisco APIC - Enterprise Module (PnP Server): policies, match rules, configs/image, IP addressing. Pre-provision the DHCP Server: IP address and option 43.
Day 1 (Remote Installer): mount and cable devices, power-on. The switch running the PnP Agent receives PnP server specific metadata info configured in DHCP option 43, validates the server’s location and establishes communication with the server. The Network Admin remotely monitors status of the install while in progress.
APIC-EM ZTD App – Configure Site, Device, Config (Day 0, Network Admin)
• Campus Workflow
• Serial # and PID-based device matching
• Operational config and IOS image for each device
APIC-EM Apps a.k.a how can the controller help simplify my environment?
• Path Visualization
• Path Visualization + Integration with Cisco Prime Collaboration Manager
• ACL Trace
• ACL Analysis
• Security Policy Programming (Per User/Group)
• Policy Programming for Network Threat Defense
• Easy QoS via User Interface
• Dynamic Policy for video soft clients
• IWAN App
• Network Plug and Play Server
Applications released in phases; just a few examples, there’s much more.
System of record vs. system of change
Prime Infrastructure – System of Record:
• Policy definition
• Historical reporting on events & performance
• Configuration archive
• Troubleshooting workflows
• Capacity Trending
• Predictive Analytics
APIC-EM – System of Change:
• Policy enforcement
• Discovery (for change)
• Topology (for change)
• PnP
• Network state monitoring
• Device abstraction
• Network Control
Cisco Prime and APIC-EM
Management & Orchestration Layer: Operational Automation, Policy and Service Definition, Automated Assurance, Provisioning, Visualization, Trending and Analytics
Control Layer: Network Intelligence, Device Layer Abstraction, Network Control, Policy Enforcement & Network Change
Device Layer: Cisco Devices, Enterprise Networks, Data Center
Cisco APIC Common ACI Architecture
APIC for datacenter APIC Enterprise Module
CLI, OpenFlow, OnePK API
REST API (ONE DevKit)
Catalog / Provisioning
Fault / Events
User / Data Management
Performance Monitoring
Reporting / Analytics
Cisco IAC UCSD
APIC-EM App (IWAN)
PRIME INFRASTRUCTURE & NAM
Summary
§ Changing Nature of IT Ops with SDN led Management
§ APIC-EM and Apps are a System of Change that will drive real time changes in the network
§ Prime Infrastructure role will evolve into end-to-end assurance as System of Record, while also catering to feature configuration for custom environments
§ The network administrator can now focus on Policy and Business Intent (WHAT)
§ The controller’s job is to translate that into network semantics/implementation (HOW)
§ API to expose the network’s capabilities
§ APIC EM abstracts the underlying complexity of the network infrastructure
Give us your feedback and you could win a Plantronics headset. Complete the session survey on your Cisco Connect Toronto Mobile app at the end of your session for a chance to win
Winners will be announced and posted at the Information desk and on Twitter at the end of the day (You must be present to win!)
Complete your session evaluation – May 14th