Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) - Hands-on Lab
TRANSCRIPT
Cisco Confidential © 2015 Cisco and/or its affiliates. All rights reserved. 1

Presenters:
Saurav Prasad, Technical Marketing Engineer, San Jose, USA
Lila Rousseaux, CCIE #6899, Technical Solutions Architect, Canada
Jim Galvez, Technical Solutions Architect, Oregon, USA
Housekeeping Notes
Thank you for attending Cisco Connect Toronto 2016; here are a few housekeeping notes to ensure we all enjoy the session today.
• Ask questions!
• Please ensure your cellphones / laptops are set to silent so that no one is disturbed during the session.
• A power bar is available under each desk in case you need to charge your laptop.
Agenda
• Introduction to APIC-EM
• APIC-EM Apps
• APIs
• Lab Overview
• Get started with the Lab!
• Let’s get back together for the APIC-EM GA1.2 Preview
• Elastic Services (Grapevine)

Introduction to APIC-EM
Manual to Systemic Policy Deployment
Conventional model (manual policy deployment): the admin drives both the "what" ("Security Policy for Branches A-N") and the "how" ("Change ACLs in the following elements").
Controller-led policy deployment: the admin drives the "what" ("Security Policy for Branches A-N"); the system drives the "how" ("Change ACLs in the following elements").
APIC-EM: Cisco Enterprise SDN
Open, programmable app platform for enterprise network transformation
• Cisco, partner or customer developed apps
• Software or appliance based; NB RESTful APIs
• Agnostic SB interface supporting multiple protocols
• Existing and new device support
Cisco APIC Enterprise Module Architecture
Apps: Security, Collaboration, Orchestration, Services, WAN
Controller: Policy Infrastructure, Automation, Network Information Database
Network Element Layer (CLI, SNMP)
• Abstracts network devices to mask complexity
• Treats the network as a system
• Exposes network intelligence for business innovation
APIC-EM Applications at GA1
• Plug-and-Play: zero-touch deployment of routers / switches / APs. Accelerated roll-out: eliminates tech visits and shrinks deployment from months to minutes.
• Cisco IWAN (SD-WAN): guided, fast auto-provisioning of the IWAN solution. From 250 CLI commands to 5 GUI clicks per branch: 1000% IWAN deployment acceleration.
• Path Trace: discover the path between two end points based on a 5-tuple. Rapidly troubleshoot congestion and ACL issues and lower OpEx for trouble ticket processing by 500%.
• EasyQoS: Static QoS configures QoS automatically and end to end based on Cisco best practices; Dynamic QoS for Jabber / MS Lync.
Network Information Base – Device Inventory
• Real-time network device inventory and asset service management
• Includes all network devices with an abstraction for the entire network:
  • Full knowledge of the network
  • Awareness of the overall operational health of the physical network
  • Detailed inventory information for easier consumption by controller services and applications
• Allows applications to be device agnostic
• Inventory service runs in the background to keep the DB accurate
• SNMP traps sent by devices during link up/down; APIC-EM runs discovery on that device (*)
(*) GA1
Network Information Base – Host Inventory
• Real-time host and end-point inventory (PCs, wireless devices, IP phones, printers etc.)
• Detailed information about each host/end-point:
  • Network attachment point for the host to the network device
  • Host name, IP and MAC address information
• Host inventory service runs in the background to maintain the accuracy of the database:
  • Information collected via CDP, LLDP and IP Device Tracking DB lookup
  • SNMP traps used to update the host inventory DB
Network Information Base – Discovery
• Quick, easy and efficient network discovery
• Flexible discovery options: CDP and IP address range
• Ability to start, stop and delete the scan at any time
• Auto-discovery of newly added network devices
• Initiate via UI or NB REST APIs
Topology Visualizer
• Auto discovers and maps devices to a physical topology
• Detailed device level data
• Always up-to-date network topology
• Layer 2 and 3 topologies on top of the physical topology provide a granular view for design planning, simplified troubleshooting etc.
• Visualize device TAGs on top of the physical network topology
• Advanced HTML5 JavaScript based visualizer that utilizes REST APIs
• Highly interactive application experience
APIC-EM Path Trace Application: Accelerate Trouble-Ticket Processing
Flow: user → trouble ticket → IT → Path Trace → network.
Open architecture; network and applications monitoring; simple workflow.
Benefits:
• Easy visual discovery of trouble spots in the communication path based on 5-tuple info
• OpEx for ticket processing decreased by 98%, from 1.6 hours to 1 minute
Path Trace App: 5-Tuple Input Through User Interface
Required information: SRC and DEST IP address [end host or L3 interface]
Optional information: SRC and DEST L4 port numbers; L4 protocol (TCP or UDP)
Note: Layer 4 port and protocol information is optional but highly recommended for accurate path calculation.
Path Trace App: Enhanced Application Flow Visibility
• CAPWAP tunnel visualization
• Accuracy note (as a percentage)
• Link source information
• Ingress/egress interface
• Interface/QoS stats
Device On-boarding – Customer Challenges
Today’s process: the customer or partner ships equipment to a central staging facility, where a network admin installs the OS and base config; the equipment is then shipped on to the final site (Site-1), where an installer sets it up.
Operational challenges:
• Direct costs: pre-staging and shipping costs; travel costs
• Security: 3rd party not secure; rogue devices
• Time/productivity: manual process; shipping, storage, travel
• Complexity: configuration errors; different products, IOS releases
Pre-staging cost $$, re-shipment cost $$, techy installer $$, travel cost $$
Device On-boarding – Network Plug and Play
Network Plug and Play process: equipment ships directly to Site-1; the network admin in the NOC pre-provisions config and OS and monitors the device installation; the installer racks, cables and powers on the devices.
Operational benefits:
• Unskilled installer
• Consistent campus/branch
• Secure, GUI based
• Greenfield & brownfield
Use Case Example: Device Deployment in Campus
Components: PnP Server (IP address 10.11.11.11), DHCP server, switch running the PnP Agent, Cisco IOS® image and config file.
DHCP server option 43 snippet:
<..snip..> CISCO_PNP.pnpserver "5A;B2;K4;I10.11.11.11;J80"; <..snip..>
The device validates the server’s location and establishes a communication with the server.
Day 1: the remote installer mounts and cables the devices, then powers them on.
Day 1: the network admin remotely monitors the status of the install while in progress.
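The option 43 string on the slide is what the PnP agent parses at first boot to find its server, so it is worth seeing how little it takes to read it and which fields a defender should check. The parser below is an added example, not Cisco code; the field meanings it assumes come from Cisco's documented PnP option format (5A = PnP sub-option, optionally followed by a version such as 1N; B = address type, 1 hostname / 2 IPv4; K = transport, 4 HTTP / 5 HTTPS; I = server address; J = TCP port) and are labelled as assumptions in the code.

```python
"""Parse the Network PnP DHCP option 43 vendor string quoted on the slide
("5A;B2;K4;I10.11.11.11;J80") into the server hint the PnP agent acts on.
Added example, not Cisco code. Field meanings are assumptions taken from the
documented PnP option format: '5A' = PnP sub-option (optionally followed by a
version such as '1N'), 'B' = address type (1 hostname, 2 IPv4), 'K' = transport
(4 HTTP, 5 HTTPS), 'I' = server address, 'J' = TCP port."""

from dataclasses import dataclass, field
from ipaddress import IPv4Address

TRANSPORTS = {"4": "http", "5": "https"}       # assumed K codes
ADDRESS_TYPES = {"1": "hostname", "2": "ipv4"}  # assumed B codes


@dataclass
class PnPServerHint:
    server: str
    port: int
    transport: str
    address_type: str
    warnings: list = field(default_factory=list)

    @property
    def url(self) -> str:
        return f"{self.transport}://{self.server}:{self.port}"


def parse_option43(raw: str) -> PnPServerHint:
    # The slide shows the value as written in a DHCP server config, wrapped in
    # double quotes; strip those, then split the ';'-separated fields.
    fields = [f for f in raw.strip().strip('"').split(";") if f]
    if not fields or not fields[0].startswith("5A"):
        raise ValueError("not a PnP option 43 string: first field must be 5A")
    values = {f[0]: f[1:] for f in fields[1:]}   # one-letter key, rest is value

    if not values.get("I"):
        raise ValueError("option 43 string carries no server address (I field)")
    port_text = values.get("J", "")
    if not port_text.isdigit() or not 0 < int(port_text) < 65536:
        raise ValueError(f"missing or invalid port (J field): {port_text!r}")

    address_type = ADDRESS_TYPES.get(values.get("B", ""), "unknown")
    transport = TRANSPORTS.get(values.get("K", ""), "unknown")
    hint = PnPServerHint(values["I"], int(port_text), transport, address_type)

    # Checks a defender would want on a value handed to devices at boot.
    if address_type == "ipv4":
        try:
            IPv4Address(hint.server)
        except ValueError:
            hint.warnings.append(f"B2 declares IPv4 but I field is {hint.server!r}")
    if transport == "http":
        hint.warnings.append("K4 selects cleartext HTTP: image and configuration "
                             "download is not protected in transit; K5 (HTTPS) is preferred")
    elif transport == "unknown":
        hint.warnings.append(f"unrecognised transport code K{values.get('K', '')}")
    for key, value in values.items():
        if key not in "BKIJ":
            hint.warnings.append(f"unrecognised field {key}{value}")
    return hint


if __name__ == "__main__":
    hint = parse_option43('"5A;B2;K4;I10.11.11.11;J80"')
    print(hint.url, *hint.warnings, sep="\n")
```

Run against the slide's value it yields http://10.11.11.11:80 together with a warning that the K4 transport is cleartext; reviewing the option 43 value your DHCP scopes hand out is a cheap check before a PnP rollout.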
Network-PnP: Pre-provisioning Workflow
Components: PnP-Agent on each device, N-PnP app on APIC-EM, DHCP server, DNS server, admin, installer.
1. Pre-provision: the N-PnP app is pre-provisioned with the device serial number (SR#).
2. Discovery: configure device discovery via DHCP Option-43 or DNS.
3. Secure deployment: the installer powers on the devices; device authentication takes place; the devices securely download image and configuration.
Network-PnP: Claim-device Workflow
Components: PnP-Agent on each device, N-PnP app on APIC-EM, DHCP server, DNS server, admin, installer.
1. Discovery: configure the device discovery mechanism via DHCP Option-43 or DNS.
2. Secure deployment: the installer powers on the devices; device authentication takes place; the devices securely connect to the APIC-EM server and wait to be ‘claimed’ (un-claimed devices).
3. Claim: the network admin claims devices based on device information; the device downloads image and configuration.
Intelligent WAN
WAN transport from the branch: MPLS ($$$) or low cost circuit, Internet, 4G ($). Destinations: private cloud, virtual private cloud, public cloud via direct Internet access or Internet backhaul, Cisco Cloud Web Security.
✓ Secure WAN transport across MPLS and/or Internet for private cloud / DC access
✓ Leverage the low cost path for public cloud and Internet access
Increase WAN capacity; improve app performance; scale security at the branch.
EasyQoS App: No more box-by-box configuration
Config. based on Cisco Validated Design (CVD) templates
Traffic classes: Control, Transactional Data, Realtime, Best Effort
Business intent: Business Relevant / Business Irrelevant / Default, Maybe, Unknown
Converting Business Intent to Tactical Policies
Platform-specific policy enforcement points (PEP) and trust settings:
• Wireless AP: trust boundary, PEP 4Q (WMM)
• WLC: PEP
• Catalyst 2960-X: trust boundary, PEP 1P3Q3T
• Catalyst 3650: trust boundary, PEP 2P6Q3T
• Catalyst 4500: trust DSCP, 1P7Q1T
• Catalyst 6500: trust DSCP, 1P3Q4T / 1P7Q4T / 2P6Q4T …
• Nexus 7700: trust DSCP, F3: 1P7Q1T
• ASR/ISRs: trust DSCP, HQoS MQC
• The principal goal of the tactical QoS policy is to express the strategic QoS policy with maximum fidelity
• QoS design best practices will be used to generate platform-specific configurations
• QoS features will be selectively enabled if they directly contribute to expressing the strategic policy on a given platform
Determining Business Relevance: How Important is a Given Application to Business Objectives
Business Relevant:
• These applications directly support business objectives
• Applications should be classified and marked according to RFC 4594-based rules
Default / Maybe / Unknown:
• These applications may or may not support business objectives, e.g. HTTP/HTTPS
• Alternatively, the administrator may not know the application (or how it is being used in the org)
• Applications in this class should be marked DF and provisioned with a default best-effort service (RFC 2474)
Business Irrelevant:
• These applications are known and do not directly support any business objectives; this class includes all personal/consumer applications
• Applications in this class should be marked CS1 and provisioned with a “less-than-best-effort” service (RFC 3662)
What Do We Do Under-the-Hood? Apply RFC 4594-based Marking / Queuing / Dropping Treatments
Application Class | Per-Hop Behavior | Queuing & Dropping | Application Examples
VoIP Telephony | EF | Priority Queue (PQ) | Cisco IP Phones (G.711, G.729)
Broadcast Video | CS5 | (Optional) PQ | Cisco IP Video Surveillance / Cisco Enterprise TV
Real-Time Interactive | CS4 | (Optional) PQ | Cisco TelePresence
Multimedia Conferencing | AF4 | BW Queue + DSCP WRED | Cisco Jabber, Cisco WebEx
Multimedia Streaming | AF3 | BW Queue + DSCP WRED | Cisco Digital Media System (VoDs)
Network Control | CS6 | BW Queue | EIGRP, OSPF, BGP, HSRP, IKE
Signaling | CS3 | BW Queue | SCCP, SIP, H.323
Ops / Admin / Mgmt (OAM) | CS2 | BW Queue | SNMP, SSH, Syslog
Transactional Data | AF2 | BW Queue + DSCP WRED | ERP Apps, CRM Apps, Database Apps
Bulk Data | AF1 | BW Queue + DSCP WRED | E-mail, FTP, Backup Apps, Content Distribution
Default Forwarding | DF | Default Queue + RED | Default Class
Scavenger | CS1 | Min BW Queue (Deferential) | YouTube, Netflix, iTunes, BitTorrent, Xbox Live
(Business relevance: VoIP Telephony through Bulk Data are Relevant; Default Forwarding is Default; Scavenger is Irrelevant.)
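The table names per-hop behaviours, but what ends up on the wire is a 6-bit DSCP value, and the business-relevance slide before it decides which PHB an application actually gets. The following added example (not APIC-EM or Cisco code) computes the code points from the PHB names using the standard encodings (CSx = x<<3 per RFC 2474, AFxy = (x<<3)|(y<<1) per RFC 2597, EF = 46 per RFC 3246, DF = 0) and applies the relevant / default / irrelevant rule. The table lists AF classes without a drop precedence (AF4, AF3, ...); the example assumes the low-drop member (AF41, AF31, ...) that RFC 4594 recommends for initial marking.

```python
"""Work out the DSCP code points behind the PHB names in the table above and
apply the business-relevance rule from the previous slide. Added example, not
APIC-EM code. Encodings: CSx = x<<3 (RFC 2474), AFxy = (x<<3)|(y<<1)
(RFC 2597), EF = 46 (RFC 3246), DF = 0. The table names AF classes without a
drop precedence (AF4, AF3, ...); this example assumes the low-drop member
(AF41, AF31, ...) that RFC 4594 recommends for initial marking."""

import re

PHB_NAME = re.compile(r"^(?:CS([0-7])|AF([1-4])([1-3])|EF|DF)$")


def dscp_value(phb: str) -> int:
    """6-bit DSCP code point for a PHB name such as 'EF', 'CS6' or 'AF41'."""
    m = PHB_NAME.match(phb.strip().upper())
    if m is None:
        raise ValueError(f"unknown PHB name: {phb!r}")
    cs, af_class, af_drop = m.groups()
    if cs is not None:
        return int(cs) << 3                                 # class selector: xxx000
    if af_class is not None:
        return (int(af_class) << 3) | (int(af_drop) << 1)  # assured fwd: xxxyy0
    return 46 if m.group(0) == "EF" else 0                  # EF = 101110, DF = 000000


def tos_byte(phb: str) -> int:
    """IPv4 ToS / IPv6 Traffic Class byte: DSCP in the top six bits, ECN bits clear."""
    return dscp_value(phb) << 2


# Business-relevant classes from the slide table with their RFC 4594 markings
# (low-drop AF members assumed where the table gives only the AF class).
RELEVANT_CLASSES = {
    "VoIP Telephony": "EF",
    "Broadcast Video": "CS5",
    "Real-Time Interactive": "CS4",
    "Multimedia Conferencing": "AF41",
    "Multimedia Streaming": "AF31",
    "Network Control": "CS6",
    "Signaling": "CS3",
    "Ops / Admin / Mgmt (OAM)": "CS2",
    "Transactional Data": "AF21",
    "Bulk Data": "AF11",
}


def marking_for(app_class: str, relevance: str) -> tuple:
    """Return (PHB, DSCP) for an application class given its declared business
    relevance: 'relevant' keeps the class's own RFC 4594 marking, 'default'
    marks DF (RFC 2474), 'irrelevant' marks CS1 scavenger (RFC 3662).
    Declaring a class irrelevant therefore overrides even EF for VoIP."""
    if relevance == "relevant":
        if app_class not in RELEVANT_CLASSES:
            raise ValueError(f"no RFC 4594 marking known for {app_class!r}")
        phb = RELEVANT_CLASSES[app_class]
    elif relevance == "default":
        phb = "DF"
    elif relevance == "irrelevant":
        phb = "CS1"
    else:
        raise ValueError(f"relevance must be relevant/default/irrelevant, got {relevance!r}")
    return phb, dscp_value(phb)


if __name__ == "__main__":
    for name, phb in RELEVANT_CLASSES.items():
        print(f"{name:28s} {phb:5s} DSCP {dscp_value(phb):2d}  ToS 0x{tos_byte(phb):02x}")
```

The ToS byte is what you will see in a capture or an ACL match, so the `tos_byte` helper is handy when checking that a platform really applied the marking the controller intended (EF shows up as 0xb8, CS1 as 0x20).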
EasyQoS
• Network operators express high-level business intent to APIC-EM EasyQoS
• Applications can interact with APIC-EM via northbound APIs, informing the network of application-specific and dynamic QoS requirements
• Southbound APIs translate business intent to platform-specific configurations
Dynamic QoS Classification for Jabber Video / MS Lync
Enterprise network: 3945/ISR G2 routers, Cat 3750 switches, AP; the collaboration app sends a session policy and QoS changes are pushed to the network.
A single policy request produces an automated change across all network elements, enabling a high quality user experience.
Pre-QoS change: default classification. Post-QoS change: video.
Example: The default port range for Jabber Video to receive media is 21,000-21,900 (Jabber Video for TelePresence 4.6).

One more thought: APIC-EM exposes APIs for customized applications
Introduction to the lab
PoD Topology
Central site / Data Center: HQ-R1, HQ-SW1, 5508 (WLC), AP-1, PC-1 and PC-2; 10.10.70.X VLAN 70, VLAN 10, VLAN 3, 10.1.5.50 VLAN 5, 10.1.20.X VLAN 20, 10.1.22.X VLAN 22, 10.10.64.X VLAN 64; APIC-EM GA at 10.1.3.220.
PNP Branch: BR-R1, BR-SW1 (3560-CG), PC-3.
WAN: 10.2.251.X and 10.2.252.X links (.1/.2), 10.1.8.X link (.1/.2), EIGRP on both sides.
Interfaces shown in the diagram: G0/0, G0/1, G0/2, G1/0/1, G1/0/2, G1/0/6, G1/0/13, G1/0/14, G1, G2.
Access:
Terminal Server: 128.107.91.195/196, Password: labops
JUMP PC: 128.107.91.20X, Username: admin, Password: Uabootcamp1
APIC-EM UI: https://10.1.3.220, Username: admin, Password: Cisco123
IWAN App: http://localhost:3000
APIC-EM IWAN App UI: https://128.107.91.211:3000, Username: admin, Password: Cisco123
JUMP PC: 128.107.91.20X, Username: admin, Password: Uabootcamp1

APIC-EM IWAN App Visualization (exercise 7 only)