SDN in the Enterprise: APIC Enterprise Module (T-ENM-01-I)

Lila Rousseaux, Consulting Systems Engineer, Enterprise Networks, Cisco Systems Canada
Tim Szigeti, Technical Marketing Engineer, Enterprise Architecture Team, Cisco Systems


Housekeeping Notes

Thank you for attending Cisco Connect Toronto 2015. Here are a few housekeeping notes to ensure we all enjoy the session today.

§ Please ensure your cellphones / laptops are set to silent so that no one is disturbed during the session
§ Ask questions!

Agenda

§ What problem are we trying to solve?
§ APIC-EM Architecture
§ APIC-EM Apps, a.k.a. how can the controller help simplify my environment?
§ What about Prime?
§ Wrap-Up

What problem are we trying to solve?

“A platform for developing new control planes”

“An open solution for VM mobility in the Data-Center”

“An open solution for customized flow forwarding control in the Data-Center”

“A means to do traffic engineering without MPLS”

“A way to scale my firewalls and loadbalancers”

“A solution to build a very large scale layer-2 network”

“A way to build my own security/encryption solution, avoiding RSA”

“A way to reduce the CAPEX of my network and leverage commodity switches”

“A way to define virtual networks with specific topologies for my multi-tenant Data-Center”

“A means to scale my fixed/mobile gateways and optimize their placement”

“A solution to build virtual topologies with optimum multicast forwarding behavior”

“A way to optimize link utilization in my network, through new multi-path algorithms”

“A way to avoid lock-in to a single networking vendor”

“A way to distribute policy/intent, e.g. for DDoS prevention, in the network”

“A way to configure my entire network as a whole rather than individual devices”

“A solution to get a global view of the network – topology and state”

“With SDN I can develop solutions to my problems far faster, ‘at software speeds’. I don’t have to work with my network vendor or go through lengthy standardization”

SDN – Still Don’t kNow – Stanford Defined Networking: many things to many people

Resiliency/scale has been proven; distributed networking has worked. However, distributed networking adds complexity to manage and comprehend. SDN uses a controller to mask that complexity, while the admin still makes the network behavior decisions.

Abstracting Conventional Policy Complexity

Conventional Model (admin driven):
The What – “Security Policy for Branch A”
The How – “Change ACLs in the Following Elements”

Policy Based Model (ACI constructs, admin driven):
The What – “Security Policy for Branch A”, handed to APIC-EM through its Northbound APIs; the controller takes care of the How.

What is Policy?

WHAT vs. HOW: policy → a way to simplify how we do things via abstraction

Changing Nature of IT Ops with SDN led Management

Traditional Management: the management system (NMS) sits directly above the network elements (NE). Customer-developed provisioning tools, manual CLI changes, and run book automation support IT Operations.

SDN Led Management: Management (Provisioning and Assurance) and Automation (Workflow / Orchestration) sit above a Controller (APIC-EM), which in turn sits above the network elements. Customer input is business / service intent.

Traditional Management: Feature Configuration
SDN Led Management: Policy Automation

Policy Maturity to Cover Enterprise System of Change Use Cases will Evolve Over Time

[Chart: controller-based automation over time. Today, traditional configuration dominates and policy is a small share; over time the policy share grows while static configuration shrinks.]

Policy based Configuration → dynamic, able to be automated, managed by the controller. Policy grows, static shrinks.

APIC-EM Architecture

Cisco APIC Enterprise Module Architecture

Abstracts Network Devices to Mask Complexity
Treat Network as a System
Exposes Network Intelligence for Business Innovation

[Layered diagram: Cisco and Third Party Applications (Security, QoS, IWAN, Network PnP) on top, talking to the Cisco APIC Enterprise Module over a REST API; inside the module, a Network Info Database and Policy Infrastructure Automation; a Southbound Interface (CLI) down to the Network Devices (Catalyst, ASR, ISR).]

Masking Network Complexity, Exposing Network Intelligence.


Applications on the controller:

1. Cisco Visualization Application, a.k.a. the UI
2. Cisco Applications for specific solutions: IWAN, Network PnP, Collaboration, Security, etc.
3. DevNet
4. Customer developed

SDN Innovation: Network Information Base Provides One Source of Truth


Network programmer service:

1. The network programmer service is used for programming the network
2. Services within the controller leverage the network programmer to talk to the network
3. Depending on the type of platform and functionality, the network programmer chooses the southbound protocol
4. Services within the controller are unaware of these protocols
5. If new protocols are required, we only need to add the plug-in for that protocol in the network programmer

APIC-EM Apps a.k.a how can the controller help simplify my environment?

First we need to check the APIC-EM User Interface

APIC-EM User Interface App: Device Inventory

Network Information Base - Host Inventory

APIC-EM User Interface App: Discovery

APIC-EM User Interface App: Topology

Use Case: Path Visualization

• No efficient method to troubleshoot IP voice and video sessions traversing the network on demand
• Lack of network visibility creates large OPEX to diagnose and find problem sources
• Path computation service provides a fast and accurate method for rapidly identifying/isolating paths causing problems
• Low risk use case for SDN

Path Trace Visualizer: 5-tuple
Path Trace Visualizer: Wireless to Wired
Path Trace Visualizer: ECMP

Policy Analysis: boxes are greyed out once traffic is blocked, for easy visualization

Security Policy App (within User Interface): Per User, Per Application Access Policy Enforcement

[Diagram: the APIC-EM Controller pushes a “Block Bit-Torrent” policy to the campus and branch switches; users authenticate through ISE against an AD/RADIUS server.]

§ Admin configures business policy to block application traffic on a per user / user group basis.
§ Controller uses identity information to install user-specific access policy at the edge.
§ User moves to a branch site; the policy moves with it.

APIC-EM Policy App

APIC-EM Policy Under the hood

[Diagram: a branch with an ISR and a SourceFire sensor, connected over the WAN to HQ, where the SourceFire Defence Center and the SDN Controller sit; Internet access via the ISR.]

1. BYOD Malware/Javascript Attack
2. SF Sensor detects threat
3. SF DC notifies Controller
4. Remediation API event
5. Policy installed on Access switch port by Controller.
6. Block or quarantine end-point

Sequence: Malware Attack → Defense Center Alert → Controller Notification → Remediation Policy Enforcement → Host Quarantined

How to use Policy Programming for Network Threat Defense - Policy Programming outside the UI

[Diagram as above: the Defense Center notifies the controller, which quarantines the host.]

POST /api/v0/policy
{"actions": ["DENY"], "policyOwner": "admin", "policyName": "deny_all", "networkUser": {"userIdentifiers": ["10.10.20.7"]}}
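As an added example (not code from the slides or from APIC-EM), the following Python builds the quarantine request body shown above from an alert and checks the identifier before anything is sent; the base URL, the alert shape, the event id and the host limit are assumptions.

```python
import ipaddress
import json

# Example added for this transcript (not Cisco code): build and sanity-check the
# remediation request from the "Policy Programming outside the UI" slide, i.e.
# POST /api/v0/policy with a DENY policy for one user identifier.
POLICY_PATH = "/api/v0/policy"          # from the slide
MAX_HOSTS_PER_POLICY = 8                 # assumed guard rail, not an APIC-EM limit


def build_deny_policy(host_ips, owner="admin", name="deny_all"):
    """Return the JSON body the slide shows, after validating the identifiers.

    Each identifier must be a single unicast IPv4 host address: a typo such as
    "10.10.20.0/24" or "0.0.0.0" would deny far more than the alerted endpoint.
    """
    if not host_ips or len(host_ips) > MAX_HOSTS_PER_POLICY:
        raise ValueError("policy must name 1..%d hosts" % MAX_HOSTS_PER_POLICY)
    identifiers = []
    for raw in host_ips:
        addr = ipaddress.ip_address(raw)          # raises on CIDR / garbage
        if (addr.version != 4 or addr.is_multicast
                or addr.is_unspecified or addr.is_loopback):
            raise ValueError("not a quarantinable host address: %s" % raw)
        identifiers.append(str(addr))
    return {
        "actions": ["DENY"],
        "policyOwner": owner,
        "policyName": name,
        "networkUser": {"userIdentifiers": identifiers},
    }


def policy_from_alert(alert):
    """Translate a Defense Center style alert (constructed shape) into the
    policy body; the policy name records which alert triggered the quarantine."""
    return build_deny_policy([alert["src_ip"]],
                             name="quarantine_%s" % alert["event_id"])


def policy_request(body, base_url="https://apic-em.example.invalid"):
    """Return (method, url, serialized body) for an HTTP client to send."""
    return "POST", base_url + POLICY_PATH, json.dumps(body, sort_keys=True)


# Constructed sample event, mirroring the 10.10.20.7 host on the slide.
SAMPLE_ALERT = {"event_id": "42", "src_ip": "10.10.20.7", "signature": "malware"}

if __name__ == "__main__":
    print(policy_request(policy_from_alert(SAMPLE_ALERT)))
```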

SDN QoS Direction

EasyQoS App: No more Box-by-Box configuration

[Diagram: the administrator configures policy once in the Cisco APIC-Enterprise Module; Cisco Validated Design (CVD) based templates map applications to traffic classes such as Control, Transactional Data, Realtime and Best Effort and push the resulting configuration to the devices.]

Easy QoS App: Cisco Validated Design (CVD) classification and marking
Easy QoS: Easy customization of policies

APIC-EM with CUCM Integration—Step 1a

The administrator enters strategic business intent into APIC-EM. APIC-EM deploys:

a) static (ingress) ACL-based classification & DSCP-marking policies (on access edge interfaces only) with null ACL entries for VOICE and VIDEO

ip access-list extended VOICE
ip access-list extended VIDEO
ip access-list extended BULK-DATA
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
…
class-map match-all VOICE
 match access-group name VOICE
class-map match-all VIDEO
 match access-group name VIDEO
class-map match-all BULK-DATA
 match access-group name BULK-DATA
…
policy-map APIC-EM-INGRESS-MARKING
 class VOICE
  set dscp ef
 class VIDEO
  set dscp af41
 class BULK-DATA
  set dscp af11
…

APIC-EM with CUCM Integration—Part 1b

Once the administrator has entered strategic business intent into APIC-EM, APIC-EM deploys:

a) static (ingress) ACL-based classification & DSCP marking policies
b) static (ingress and egress) DSCP-based queuing policies on all switches

class-map match-all VOICE-PQ1
 match dscp ef
class-map match-all VIDEO-PQ2
 match dscp af41
class-map match-any BULK-DATA-QUEUE
 match dscp af11 af12 af13
…
policy-map APIC-EM-2P6Q3T
 class VOICE-PQ1
  priority level 1
 class VIDEO-PQ2
  priority level 2
 class BULK-DATA-QUEUE
  bandwidth remaining percent 5
  queue-buffers ratio 10
  queue-limit dscp values af13 percent 80
  queue-limit dscp values af12 percent 90
  queue-limit dscp values af11 percent 100
…

APIC-EM with CUCM Integration—Part 2

CUCM signals APIC-EM that a call is proceeding. APIC-EM deploys a dynamic ACL update for voice and/or video to all ports on the switch (or switch module). The access-list entries use the IOS permit form, one per direction of the media flow:

ip access-list extended VOICE
 permit udp host 10.1.1.1 eq 18578 host 10.2.2.2 eq 17333
ip access-list extended VIDEO
 permit udp host 10.1.1.1 eq 31199 host 10.2.2.2 eq 24141

ip access-list extended VOICE
 permit udp host 10.2.2.2 eq 17333 host 10.1.1.1 eq 18578
ip access-list extended VIDEO
 permit udp host 10.2.2.2 eq 24141 host 10.1.1.1 eq 31199

APIC-EM with CUCM Integration—Part 3

CUCM signals APIC-EM that the call is terminating. APIC-EM removes the dynamic ACL update for voice and/or video:

ip access-list extended VOICE
 no permit udp host 10.1.1.1 eq 18578 host 10.2.2.2 eq 17333
ip access-list extended VIDEO
 no permit udp host 10.1.1.1 eq 31199 host 10.2.2.2 eq 24141

ip access-list extended VOICE
 no permit udp host 10.2.2.2 eq 17333 host 10.1.1.1 eq 18578
ip access-list extended VIDEO
 no permit udp host 10.2.2.2 eq 24141 host 10.1.1.1 eq 31199
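The dynamic ACL updates of Parts 2 and 3, generated for both directions of a call by an added Python example (not code from the slides or from APIC-EM); the call structure, the media port range used as a sanity check, and the permit / no permit ACE form are assumptions.

```python
import ipaddress

# Example added for this transcript (not Cisco/APIC-EM code): generate the
# per-call ACL updates from the CUCM integration slides (Parts 2 and 3).
# Port bounds assumed from the default CUCM media port range (16384-32767).
ACL_NAMES = {"voice": "VOICE", "video": "VIDEO"}
MEDIA_PORT_RANGE = (16384, 32767)


def _check_endpoint(ip, port):
    """Reject anything that is not a unicast IPv4 host on a media port, so a
    malformed signalling event cannot turn into a broad permit on every port."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4 or addr.is_multicast or addr.is_unspecified:
        raise ValueError("not a valid media endpoint: %s" % ip)
    if not MEDIA_PORT_RANGE[0] <= port <= MEDIA_PORT_RANGE[1]:
        raise ValueError("port %d outside media port range" % port)
    return str(addr)


def dynamic_acl_lines(call, remove=False):
    """Return the IOS lines pushed at call setup (remove=False) or at call
    teardown (remove=True).

    call = {"voice": ((ip, port), (ip, port)), "video": (...)} with the caller
    first; a media type that is absent (audio-only call) is skipped. Two ACEs are
    emitted per media type, one per direction, matching the two slides.
    """
    prefix = "no permit" if remove else "permit"
    lines = []
    for media, acl in ACL_NAMES.items():
        if media not in call:
            continue
        (a_ip, a_port), (b_ip, b_port) = call[media]
        a_ip, b_ip = _check_endpoint(a_ip, a_port), _check_endpoint(b_ip, b_port)
        lines.append("ip access-list extended %s" % acl)
        lines.append(" %s udp host %s eq %d host %s eq %d" % (prefix, a_ip, a_port, b_ip, b_port))
        lines.append(" %s udp host %s eq %d host %s eq %d" % (prefix, b_ip, b_port, a_ip, a_port))
    return lines


# Constructed call matching the addresses and ports on the slides.
SAMPLE_CALL = {
    "voice": (("10.1.1.1", 18578), ("10.2.2.2", 17333)),
    "video": (("10.1.1.1", 31199), ("10.2.2.2", 24141)),
}

if __name__ == "__main__":
    print("\n".join(dynamic_acl_lines(SAMPLE_CALL)))
    print("\n".join(dynamic_acl_lines(SAMPLE_CALL, remove=True)))
```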

Intelligent WAN

[Diagram: WAN transport from the branch over MPLS ($$$) and low-cost circuits, Internet or 4G ($) to the private cloud / virtual private cloud; Direct Internet Access and Internet backhaul to Cisco Cloud Web Security and the public cloud.]

✓ Secure WAN transport across MPLS and/or Internet for private cloud / DC access
✓ Leverage low-cost path for public cloud and Internet access

Increase WAN Capacity, Improve App Performance, Scale Security at the Branch

APIC-EM IWAN App Dashboard


APIC EM Apps will innovate on design simplicity and intuitiveness

APIC-EM IWAN App Site provisioning


APIC-EM IWAN App Application Policy

• Applications detected in the network when enabling AVC
• Classify applications in different categories
• Organize applications in categories to create business policies based on these categories
• Business logic → we tell the controller what applications are relevant for the business
• The controller is going to perform background tasks based on this business logic
• Define primary path for group of applications
• The controller will create a PfR policy based on those paths.

Network Plug & Play (a.k.a. Zero Touch Deployment)

Network Plug-n-Play – for Zero Touch Deployment: Unskilled Installer, GUI Based, Consistent for devices & PIN (Campus/Branch), Secure, Zero-touch RMA, Greenfield & Brownfield

Today’s Process: the network admin installs the OS and the base config on each device at a central staging facility before it is shipped to the sites (Site-1, Site-2, Site-3) and installed by an installer.

Network PnP:
1. Network Admin pre-provisions projects/sites
2. Installer installs & powers on devices (equipment shipped directly by Cisco / reseller / partner)
3. Network Admin monitors device installation
The PnP server is the Cisco APIC - Enterprise Module.

Use Case: Device Deployment in Campus

Day 0 (Network Admin):
• Pre-provision projects/sites: policies, match rules, configs/image, IP addressing
• Pre-provision the DHCP server: IP address, option 43

Day 1 (Installer):
• Remote installer mounts and cables the devices and powers them on
• The switch running the PnP agent receives the PnP-server-specific metadata configured in DHCP option 43
• The device validates the server’s location and establishes communication with the server
• Network Admin remotely monitors status of the install while in progress.

APIC-EM ZTD App – Configure Site, Device, Config
• Campus Workflow
• Serial # and PID-based device matching
• Operational config and IOS image for each device

The end stage (Day 1): Network Admin remotely monitors status of the install while in progress.

APIC-EM Apps, a.k.a. how can the controller help simplify my environment?

• Path Visualization
• Path Visualization + Integration with Cisco Prime Collaboration Manager
• ACL Trace
• ACL Analysis
• Security Policy Programming (Per User/Group)
• Policy Programming for Network Threat Defense
• Easy QoS via User Interface
• Dynamic Policy for video soft clients
• IWAN App
• Network Plug and Play Server

Applications released in phases. Just a few examples, there’s much more.

What about Prime?


System of record vs. system of change

Prime Infrastructure (System of Record):
• Policy definition
• Historical reporting on events & performance
• Configuration archive
• Troubleshooting workflows
• Capacity Trending
• Predictive Analytics

APIC-EM (System of Change):
• Policy enforcement
• Discovery (for change)
• Topology (for change)
• PnP
• Network state monitoring
• Device abstraction
• Network Control

Cisco Prime and APIC-EM

[Layered diagram, top to bottom: Management & Orchestration Layer (Cisco IAC, UCSD) – operational automation, policy and service definition; Prime Infrastructure & NAM – automated assurance, provisioning, visualization, trending and analytics; Control Layer (APIC-EM and apps such as IWAN) – network intelligence, device layer abstraction, network control, policy enforcement & network change; Device Layer – Cisco devices, Enterprise Networks and Data Center.]

Cisco APIC Common ACI Architecture: APIC for the datacenter and the APIC Enterprise Module both expose a REST API (ONE DevKit) northbound and use CLI, OpenFlow and the OnePK API southbound. Management functions layered above them: Catalog / Provisioning, Fault / Events, User / Data Management, Performance Monitoring, Reporting / Analytics.

Wrap-Up

Summary

§ Changing Nature of IT Ops with SDN led Management
§ APIC-EM and Apps are a System of Change that will drive real-time changes in the network
§ Prime Infrastructure’s role will evolve into end-to-end assurance as the System of Record, while also catering to feature configuration for custom environments
§ The network administrator can now focus on Policy and Business Intent (WHAT)
§ The controller’s job is to translate that into network semantics/implementation (HOW)
§ APIs expose the network’s capabilities
§ APIC-EM abstracts the underlying complexity of the network infrastructure


Complete your session evaluation – May 14th

Thank You …