APIC-EM – Vedran Hafner, Cisco (transcript of a slide deck)

Page 1
APIC-EM
Vedran Hafner – Systems Engineer
Page 2
APIC-EM
Aleksandar Vulović – Systems Engineer
Page 3
Agenda
• Introduction to Cisco SDN and APIC-EM intent
• What is APIC-EM?
• APIC-EM Deployment – what you get and how to use it
• Use Cases
Page 4
SDN – Still Don’t kNow – Stanford Defined Networking: many things to many people
• “A platform for developing new control planes”
• “An open solution for VM mobility in the Data-Center”
• “An open solution for customized flow forwarding control in the Data-Center”
• “A means to do traffic engineering without MPLS”
• “A way to scale my firewalls and loadbalancers”
• “A solution to build a very large scale layer-2 network”
• “A way to build my own security/encryption solution, avoiding RSA”
• “A way to reduce the CAPEX of my network and leverage commodity switches”
• “A way to define virtual networks with specific topologies for my multi-tenant Data-Center”
• “A means to scale my fixed/mobile gateways and optimize their placement”
• “A solution to build virtual topologies with optimum multicast forwarding behavior”
• “A way to optimize link utilization in my network, through new multi-path algorithms”
• “A way to avoid lock-in to a single networking vendor”
• “A way to distribute policy/intent, e.g. for DDoS prevention, in the network”
• “A way to configure my entire network as a whole rather than individual devices”
• “A solution to get a global view of the network – topology and state”
• “With SDN I can develop solutions to my problems far faster – ‘at software speeds’. I don’t have to work with my network vendor or go through lengthy standardization”
Page 5
SDN Controller – Overview
OK, that looks really ugly, but wait a minute… all cars have:
• Four wheels
• Steering wheel
• Gas pedal
• Brake pedal
…but completely different use-cases.
Page 6
APIC – Application Policy Infrastructure Controller
• APIC-EM – Enterprise Module (Catalyst, ISR, ASR, Nexus 7k*, 6k*, 5k*, WLAN, NfV*)
• APIC (DC) – Data Center (Nexus 9000)
Application Centric Infrastructure (ACI) / User Centric Infrastructure (UCI)
*limited support
Page 7
APIC – Design Points: there are two approaches to control systems
• IMPERATIVE CONTROL – baggage handlers follow sequences of simple, basic instructions
• DECLARATIVE CONTROL – air traffic control tells where to take off from, but not how to fly the plane
Page 8
What is APIC-EM?
Page 9
The challenges!
• Simplify your network
• Automate your network deployment and RMA
• Keep the configuration consistent
• Dynamic policies where necessary
• Control network traffic and optimize it
• Interface with the user and application (UCI and ACI)
• Quickly react to events such as intrusion detection, collaboration events, etc.
(Image: copyright by Saskia)
Page 10
APIC-EM similarity to a smartphone
The APIC-EM has:
• A strong base platform for SDN use cases
• Built-in apps (e.g. QoS, ACL, Policy, etc.)
• An API for ISVs, so apps can be developed by many
• One app example – Jabber / Unified Communications integration
Page 11
Flexible “Programmable” Interfaces – allow protocol/API choice while maintaining stack integrity
Stack: Applications → Controller (APIC-EM) → Network Elements
Network-element side interfaces:
• CLI
• SNMP
• Web UI*
• NETCONF*
• RESTConf*
• Openstack*
• OpenFlow*
Application side interfaces:
• Web UI
• YANG
• REST API
* Future options
Page 12
APIC-EM: High-Level Controller Architecture
• Applications: Security, Collaboration, Services Orchestration, WAN
• Northbound APIs: RESTful API (GET, PUT, POST, DELETE)
• Controller: Policy Infrastructure, Automation, Network Information Database
• Southbound APIs: CLI, SNMP
• Network Element Layer
Page 13
APIC-EM – Platform Architecture
APIC-EM Applications: Network PnP, Network Inventory, Path Trace, IWAN, Advanced Topology Visualizer
Northbound REST APIs
APIC-EM Controller – APIC-EM Services on Grapevine: Inventory Manager, RBAC, Policy Analysis, Policy (QoS), Network PnP, Data Access Service, Topology Services, IWAN Services
Elastic Service Infrastructure – addresses scale-out and HA requirements
Easy static and dynamic QoS
Page 14
Controller in Action!
(Image source: http://www.mysweety.eu)
Controller creates and enforces policies: the “WHAT”
The horse takes care of: the “HOW”
Page 15
APIC-EM Deployment – what you get and how to use it
Page 16
APIC-EM Deployment Considerations (GV = Grapevine)
Bare Metal/HW Appliance:
• Server Hardware
• Operating System
• GV Root
• LXC Containers, each running a GV Client with its Libs/Bins
Virtual Appliance:
• Server Hardware
• Hypervisor and/or Host OS
• Virtual Machine
• Operating System
• GV Root
• LXC Containers, each running a GV Client with its Libs/Bins
Page 17
Before You Deploy: System Requirements
• Server: 64-bit x86 (should be supported by Ubuntu 14.04 LTS)
• vCPU: 6 (2.4 GHz) or more
• RAM: 64 GB (for single-host deployments) / 32 GB (for multi-host deployments)
• Storage: 500 GB HDD
− Hardware-based RAID at RAID level 10
− Disk I/O speed: 200 MBps
• Network adaptor: 1 x
• Browser: Google Chrome (44.0 or later)
• Hypervisor: VMware vSphere 5.1/5.5 (for Virtual Appliance) – tested; should run on any
Page 18
Single Host
• There will be no virtual IPs configured
• All inbound requests into APIC-EM will be via the host IPs (like they are with CA2 and CA3)
• The customer can convert their deployment into a multi-host deployment at a later time
Multi Host
• The customer will provide the virtual IPs Grapevine should use (one for each external network) during the config wizard workflow
• On startup, Grapevine will bring up the virtual IPs on one of the hosts
• All inbound requests into APIC-EM will be via these virtual IPs (instead of the host IPs), and the requests will be routed to the services running on different hosts via the reverse-proxy
• If the host which has the virtual IP dies, Grapevine will bring up the virtual IP on one of the remaining hosts
Page 19
Multi-Host Deployment
Note: For the general availability release, all the nodes in the APIC-EM cluster need to be in the same subnet
(Diagram: an APIC-EM cluster of Node 1 / IP Addr1, Node 2 / IP Addr2 and Node 3 / IP Addr3 behind one Virtual IP Address; the cluster reaches Cisco® Cloud, NTP, DNS, etc.; REST APIs and the APIC-EM UI are served on the virtual IP; network devices are managed from the cluster)
Page 20
APIC-EM – 5 step installation
Physical Appliance or Virtual Downloadable ISO Image:
• Pre-installed APIC-EM software on the appliance; .ISO for virtual
• APIC-EM Appliance SKUs:
− APIC-EM-APL-R-K9
− APIC-EM-APL-G-K9
• OS: Ubuntu 14.04 64-bit
• Deployment options:
− Bare-metal install (recommended)
− Virtual machine
Steps:
1. Boot .iso
2. Enter IP address – enter the APIC-EM IP (subnet / default GW learned automatically)
3. Change credentials – shell and UI username and password, plus CCO login for updates
4. Add NTP server – enter the NTP server IP (mandatory!)
5. Finalize installation – finalize the installation and bring up the controller
Page 21
Network Discovery – Input Parameters (For Your Reference)
• Seed IP address for CDP-based network discovery
• IP address range for discovery scope – click on the Add icon to provide multiple IP address ranges
Page 22
SDN Innovation: Network Information Base provides one source of truth (For Your Reference)
User-defined group tagging allows applications to segment analysis and control (not shown here)
Page 23
APIC-EM Demo
Page 24
API: VERBS + NOUNS + Syntax
Verbs: GET, POST, PUT, DELETE
JSON Syntax:
    {
      "policyOwner": "Admin",
      "networkUser": {
        "userIdentifiers": ["40.0.0.15"],
        "applications": [{"raw": "12340;UDP"}]
      }
    }
Header: Content-Type: Application/JSON
Example: https://fra-apicem1.cisco.com/api/v1/network-device (GET/POST)
Nouns: /host, /link, /network-device, /interface
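As an added example (not code from the slides or from Cisco), the following assembles a northbound call from the pieces on this slide and validates the JSON policy body before it would be sent: the verbs, the `/api/v1/<noun>` layout, the hostname and the `"<port>;<proto>"` application format are taken from the slide, while the `X-Auth-Token` header name and the TCP/UDP protocol set are assumptions. Nothing is transmitted; the point is that a malformed or out-of-range policy is rejected client-side.

```python
"""Build and sanity-check an APIC-EM northbound REST call.

Added example, not code from the slides or from Cisco. Verbs, the
/api/v1/<noun> layout, hostname and JSON body shape come from the slide;
the X-Auth-Token header name and the TCP/UDP protocol set are assumptions.
Nothing is sent: the request is assembled and its body validated so a
malformed policy is rejected before it reaches the controller.
"""
import ipaddress
import json

BASE_URL = "https://fra-apicem1.cisco.com"               # hostname from the slide
NOUNS = {"host", "link", "network-device", "interface"}  # nouns from the slide
VERBS = {"GET", "POST", "PUT", "DELETE"}
PROTOCOLS = {"TCP", "UDP"}                               # assumed set for "<port>;<proto>"

# Constructed body mirroring the slide's JSON example.
SAMPLE_POLICY = {
    "policyOwner": "Admin",
    "networkUser": {
        "userIdentifiers": ["40.0.0.15"],
        "applications": [{"raw": "12340;UDP"}],
    },
}


def check_raw_application(app):
    """Check one {"raw": "<port>;<proto>"} entry; returns a list of problems."""
    raw = app.get("raw") if isinstance(app, dict) else None
    if not isinstance(raw, str) or raw.count(";") != 1:
        return [f"application {app!r} must look like {{'raw': '<port>;<proto>'}}"]
    port, proto = raw.split(";")
    errors = []
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        errors.append(f"port {port!r} is not in 1-65535")
    if proto.upper() not in PROTOCOLS:
        errors.append(f"protocol {proto!r} is not one of {sorted(PROTOCOLS)}")
    return errors


def validate_policy(policy):
    """Return a list of problems with a policy body; an empty list means well formed."""
    errors = []
    owner = policy.get("policyOwner")
    if not isinstance(owner, str) or not owner:
        errors.append("policyOwner must be a non-empty string")
    user = policy.get("networkUser")
    if not isinstance(user, dict):
        return errors + ["networkUser must be an object"]
    ids = user.get("userIdentifiers")
    if not isinstance(ids, list) or not ids:
        errors.append("userIdentifiers must be a non-empty list")
    else:
        for ident in ids:
            try:
                ipaddress.ip_address(ident)   # the slide identifies users by IP
            except ValueError:
                errors.append(f"userIdentifier {ident!r} is not an IP address")
    apps = user.get("applications")
    if not isinstance(apps, list) or not apps:
        errors.append("applications must be a non-empty list")
    else:
        for app in apps:
            errors.extend(check_raw_application(app))
    return errors


def build_url(base, noun):
    """Compose <base>/api/v1/<noun>, refusing nouns outside the known set."""
    if noun not in NOUNS:
        raise ValueError(f"unknown API noun: {noun!r}")
    return f"{base.rstrip('/')}/api/v1/{noun}"


def build_request(base, noun, verb, token, body=None):
    """Assemble method, URL, headers and JSON body as a dict; does not send."""
    if verb not in VERBS:
        raise ValueError(f"unsupported verb: {verb!r}")
    if body is not None and (problems := validate_policy(body)):
        raise ValueError("; ".join(problems))
    headers = {"Content-Type": "application/json",
               "X-Auth-Token": token}            # header name is an assumption
    return {"method": verb, "url": build_url(base, noun), "headers": headers,
            "body": json.dumps(body) if body is not None else None}


if __name__ == "__main__":
    req = build_request(BASE_URL, "network-device", "GET", "TOKEN-PLACEHOLDER")
    print(req["method"], req["url"])
    print(validate_policy(SAMPLE_POLICY))        # [] means well formed
```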
Page 25
Use Cases
Page 26
Network Plug and Play (PnP)
1. Discovery – device can reach the PnP Server on APIC-EM
2. Deployment – device receives target image and configuration
No staging required – PnP runs from the Cisco factory-default configuration
Supported: Switches (Catalyst®), Routers (ISR, ASR), Wireless Access Points
Page 27
Network Plug and Play (PnP) – Components
PnP Server
• Central server on APIC-EM
• Manages sites, devices, images, licenses, workflow
• Provides Northbound REST APIs
PnP Agent
• Runs on Cisco® switches, routers, and wireless access points
• Automates the deployment process
PnP Protocol
• Runs between Agent and Server
• Open schema
PnP Helper App [Optional]
• Delivers bootstrap, status and troubleshooting checks
• Console adapters: Redpark RJ45 (Apple 30-pin), Redpark RJ45 (Apple 8-pin), GetConsole Airconsole 2.0 Bluetooth adapter
Cloud Redirect Service [Optional] – Roadmap Phase 2
Page 28
PnP – Discovery Options (Switches (Catalyst®), Routers (ISR, ASR), Wireless Access Points)
1. DHCP Server – DHCP with options 60 and 43; PnP string: 5A1D;B2;K4;I172.19.45.222;J80
2. DNS Server – DNS lookup: pnpserver.localdomain ---- 172.19.45.222 (PnP Server)
3. Cloud re-direction – roadmap (Q4CY2015): https://devicehelper.cisco.com/device-helper re-directs to 172.19.45.22 (PnP Server)
4. USB-based bootstrapping
5. Manual – using the Cisco® Installer App (iPhone, iPad, Android; roadmap – Windows mobile and PC)
X. Others – any other manual or automated discovery method: scripting, AN, EEM, NAP, etc.
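The DHCP option 43 string on this slide is what a factory-default device acts on, so it is worth being able to parse and review it before it goes into a production DHCP scope. The parser below is an added example, not Cisco code; the field meanings (`5A` PnP sub-option, `1` active, `N`/`D` debug off/on, `B1`/`B2` hostname/IPv4, `K4`/`K5` HTTP/HTTPS, `I` server, `J` port) follow Cisco's documented PnP option 43 format as I read it, and the `review` checks are my own.

```python
"""Parse the PnP DHCP option 43 string that the DHCP server hands to a device.

Added example, not Cisco code. The slide shows 5A1D;B2;K4;I172.19.45.222;J80.
Field meanings follow the Cisco PnP option 43 format: '5A' marks the PnP
sub-option, '1' active, 'N'/'D' debug off/on, 'B' address type (1 hostname,
2 IPv4), 'K' transport (4 HTTP, 5 HTTPS), 'I' server address, 'J' TCP port.
Any other letter is kept verbatim under extras.
"""
import ipaddress
from dataclasses import dataclass, field

SLIDE_STRING = "5A1D;B2;K4;I172.19.45.222;J80"   # from the slide

ADDRESS_TYPES = {"1": "hostname", "2": "ipv4"}
TRANSPORTS = {"4": "http", "5": "https"}


@dataclass
class PnPOption43:
    debug: bool
    address_type: str
    transport: str
    server: str
    port: int
    extras: dict = field(default_factory=dict)


def parse_option43(text):
    """Split the ';'-separated string and validate every mandatory field."""
    fields = text.strip().split(";")
    head = fields[0]
    if len(head) != 4 or head[:3] != "5A1" or head[3] not in "ND":
        raise ValueError(f"bad PnP header {head!r}; expected 5A1N or 5A1D")
    values, extras = {}, {}
    for item in fields[1:]:
        if not item:
            raise ValueError("empty field in option 43 string")
        key, val = item[0], item[1:]
        if key in "BKIJ":
            if key in values:
                raise ValueError(f"duplicate field {key}")
            values[key] = val
        else:
            extras[key] = val
    missing = [k for k in "BKIJ" if k not in values]
    if missing:
        raise ValueError(f"missing mandatory field(s): {missing}")
    if values["B"] not in ADDRESS_TYPES:
        raise ValueError(f"unknown address type B{values['B']}")
    if values["K"] not in TRANSPORTS:
        raise ValueError(f"unknown transport K{values['K']}")
    server = values["I"]
    if ADDRESS_TYPES[values["B"]] == "ipv4":
        ipaddress.IPv4Address(server)   # raises ValueError if B2 but not an IPv4 literal
    elif not server:
        raise ValueError("empty hostname")
    if not values["J"].isdigit() or not 1 <= int(values["J"]) <= 65535:
        raise ValueError(f"port {values['J']!r} out of range")
    return PnPOption43(debug=head[3] == "D", address_type=ADDRESS_TYPES[values["B"]],
                       transport=TRANSPORTS[values["K"]], server=server,
                       port=int(values["J"]), extras=extras)


def server_url(opt):
    """URL the device will contact for its image and configuration."""
    return f"{opt.transport}://{opt.server}:{opt.port}"


def review(opt):
    """Deployment checks before putting the string into a production DHCP scope."""
    notes = []
    if opt.transport == "http":
        notes.append("K4 selects plain HTTP: image and configuration are fetched "
                     "without transport protection; prefer K5 (HTTPS)")
    if opt.debug:
        notes.append("D sets debug mode; use N in production")
    return notes


if __name__ == "__main__":
    opt = parse_option43(SLIDE_STRING)
    print(server_url(opt))                       # http://172.19.45.222:80
    for note in review(opt):
        print("-", note)
```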
Page 29
APIC-EM GA Code in production
Page 30
APIC-EM GA Production (Cont.)
867 Devices
4784 Hosts
Page 31
Path Trace (Trace) – For Your Reference
Page 32
Path Trace with Statistics – GA+1
Page 33
EasyQoS Solution
Network operators express high-level business intent to APIC-EM EasyQoS.
Applications can interact with APIC-EM via Northbound APIs, informing the network of application-specific and dynamic QoS requirements.
Southbound APIs translate business intent to platform-specific configurations:
• Wireless AP – Trust Boundary, PEP, 4Q (WMM)
• WLC – PEP
• Catalyst 2960-X – Trust Boundary, PEP, 1P3Q3T
• Catalyst 3650 – Trust Boundary, PEP, 2P6Q3T
• Catalyst 4500 – 1P7Q1T
• Catalyst 6500 – 1P3Q4T, 1P7Q4T, 2P6Q4T, …
• Nexus 7700 – F3: 1P7Q1T
• ASR/ISRs – MQC
Page 34
What Do We Do Under-the-Hood? Apply RFC 4594-based Marking / Queuing / Dropping Treatments

| Application Class | Per-Hop Behavior | Queuing & Dropping | Application Examples |
|---|---|---|---|
| VoIP Telephony | EF | Priority Queue (PQ) | Cisco IP Phones (G.711, G.729) |
| Broadcast Video | CS5 | (Optional) PQ | Cisco IP Video Surveillance / Cisco Enterprise TV |
| Real-Time Interactive | CS4 | (Optional) PQ | Cisco TelePresence |
| Multimedia Conferencing | AF4 | BW Queue + DSCP WRED | Cisco Jabber, Cisco WebEx |
| Multimedia Streaming | AF3 | BW Queue + DSCP WRED | Cisco Digital Media System (VoDs) |
| Network Control | CS6 | BW Queue | EIGRP, OSPF, BGP, HSRP, IKE |
| Signaling | CS3 | BW Queue | SCCP, SIP, H.323 |
| Ops / Admin / Mgmt (OAM) | CS2 | BW Queue | SNMP, SSH, Syslog |
| Transactional Data | AF2 | BW Queue + DSCP WRED | ERP Apps, CRM Apps, Database Apps |
| Bulk Data | AF1 | BW Queue + DSCP WRED | E-mail, FTP, Backup Apps, Content Distribution |
| Best Effort | DF | Default Queue + RED | Default Class |
| Scavenger | CS1 | Min BW Queue (Deferential) | YouTube, Netflix, iTunes, BitTorrent, Xbox Live |
Page 35
APIC-EM Easy-QoS – What happens if you get a new application? Example: QoS video classification enables enterprise-wide Jabber
1. Define new application – Jabber Video
2. Update QoS policy
3. Push updated QoS policy to network devices
4. Deploy Jabber Video client
Page 36
SDN-Enabled QoS for Collaboration
Express Business Intent → Deploy Policy → Identify Media → Classify & Schedule → Provision Resource Control → Monitor / Troubleshoot → Optimize
(Diagram: CUCM and Prime Collaboration Assurance, campus and WAN; marking EF / AF41 / BE)
• Campus Switches: APIC-EM EasyQoS
• WAN Edge: APIC-EM IWAN
• Consistent marking of audio (EF)
• Single video queue (AF4x)
• Allow different drop priorities for video
• Bandwidth planning
• Video rate adaptation
• Untrusted devices: per-flow marking via APIC-EM
• Trusted devices: trust extension via APIC-EM
• Prime Collaboration Monitoring Assurance and Diagnostics: media flow analysis with APIC-EM
Page 37
SourceFire Integration: Network Threat Defense – Dynamic Network Branch Security
(Diagram: Branch with ISR sensor and SourceFire sensor; WAN; Internet; HQ with SourceFire Defence Center and the SDN Controller, Cisco APIC-Enterprise Module)
1. BYOD malware/JavaScript attack
2. SF Sensor detects threat
3. SF Defence Center notifies Controller
4. Remediation API event
5. Policy installed on access switch port by Controller
6. Block or quarantine end-point
Callouts: Malware Attack → Defence Centre Alert! → Controller Notification → Remediation Policy Enforcement → Host Quarantined
Page 38
Use Case: Granular Control – Per User, Per Application Access Policy Enforcement
(Diagram: campus and branch; ISE and AD/RADIUS server supply identity; a “Block Bit-Torrent” policy follows the user. User moves to a branch site, policy moves with it.)
1. Admin configures business policy to block application traffic on a per-user basis
2. Controller uses identity information to install user-specific access policy at the edge
3. If the user moves, the controller dynamically moves the user policy along with it, providing near real-time granular control
Page 39
Identity Services – Service Description
• APIC-EM can gather user identity information via:
− Cisco Identity Services Engine (ISE) through Cisco Platform Exchange Grid (pxGrid)
− RADIUS proxy
− Active Directory through LDAP calls (*)
• Identity information is a key enabler for highly sophisticated policies with user-level information for tighter enforcement – network as “firewall”.
(*) Roadmap
Page 40
Intelligent WAN (IWAN) Solution Components
Management and Orchestration: IWAN APP, Cisco Prime™
Branch connects over MPLS, Internet and 3G/4G-LTE to Private Cloud, Virtual Private Cloud and Public Cloud
• Transport Independence – DMVPN, PKI; IPsec WAN overlay; consistent operational model
• Intelligent Path Control – Performance Routing (PfRv3), QoS; optimal application routing; efficient use of bandwidth
• Application Optimization – AVC, WAAS, Akamai; performance monitoring; optimization and caching
• Secure Connectivity – Suite-B, CWS, ZBFW; NG strong encryption; threat defense
Page 41
IWAN App on APIC-EM – three main areas:
1. Hub site and settings – step-by-step network and hub settings
2. Administration of application policy – simple policy definition and customization
3. Branch site setup – policy-driven IWAN site deployment including PnP and monitoring
Page 42
Use Case: Path Preference (IWAN) – Automated Provisioning of Routing Paths
(Diagram: Data Center with ASRs, Branch with ISR-G2, MPLS (SP) and Internet (ISP) paths; TP-Video with deteriorating video quality, delay values shown: 50, 70, 90, 200; APIC-EM ACTION)
1. Video forwarded over MPLS and YouTube over Internet
2. Delay goes up on MPLS circuits, deteriorating video quality
3. Performance monitoring app instructs controller to reroute video traffic over a better path
4. Appropriate QoS policies are also provisioned to ensure proper handling of video on the Internet circuit
Page 43
Cisco Prime and Cisco APIC Enterprise Module
Management Layer – Prime Infrastructure & NAM (Catalog/Provisioning, Fault/Events, User/Data Management, Performance Monitoring, Reporting/Analytics), Cisco IAC, UCSD, 3rd-party apps
Operational Automation:
• Policy and service definition
• Automated assurance provisioning
• Visualization, trending and analytics
Control Layer – Cisco APIC, common ACI architecture: APIC for data center, APIC Enterprise Module; REST API (ONE DevKit)
Network Intelligence:
• Device layer abstraction
• Network control
• Policy enforcement & network change
Device Layer – Cisco devices, enterprise networks, data center; CLI, OpenFlow, OnePK API
Page 44
Cisco Prime Infrastructure PnP – your choice today… for PnP
(Same layered diagram as the previous slide)
Page 45
Conclusion & Summary
Page 46
APIC-EM as a Platform
• Basic Services (free platform and APIs): Discovery, Inventory, Topology, Policy, PnP…
• Grapevine Elastic Architecture
• REST APIs
• App-Service Extensions / Solution Apps – App-Services (licensed based on solution purchased – includes APIs)
• TAC support if the appliance or network has service coverage
Page 49
Fun stuff to watch…
• Fundamentals of Cisco APIC-EM
https://www.youtube.com/watch?v=17lDRT9tuWY
• Metadata-Defined Data Center, Mike Dvorkin, Cisco Systems
http://techfieldday.com/appearance/introducing-the-next-generation-sddc-leaders-1
• Developing OpenDaylight Apps with MD-SAL
https://www.youtube.com/watch?v=uBnDJNsd6Qo
• Application Centric Infrastructure (ACI) Overview
http://www.youtube.com/watch?v=VZWwjNAiUpI
Page 50
Thank you