apic-em controler for - cisco · detect user access policy violations better application experience...

APIC-EM controler for everyone & networks for the future

Aleksander Kocelj

System engineer

Cisco systems

15. – 16. marec 2017| Cisco Connect | Portorož, Slovenija

Agenda

3

APIC-EM

Catalyst 3K

Catalyst 2K

• APIC-EM• Automatization

• Programmability

• Built-in applications

• Catalyst 3K

• Catalyst 2K


Simplification Creates Agility

Applications Are the Vehicle for Digital Business

DO-IT-YOURSELF ASSEMBLY AND INTEGRATION READY TO GO

Faster Time to Market and Lower OpEx


APIC – 2 Controllers!

EM

Enterprise Module(Catalyst, ISR, ASR, Nexus 7k*, 6k*, 5k*,

WLAN, NfV*)

(DC)

Data Center(Nexus 9000)

APIC

Application Policy Infrastructure Controller

Application Centric Infrastructure (ACI) User Centric Infrastructure (UCI)


Cisco Digital Network Architecture

Automation

Abstraction and Policy Control

from Core to Edge

Open and Programmable | Standards-Based

Open APIs | Developers Environment

Cloud Service Management

Policy | Orchestration

Virtualization

Physical and Virtual Infrastructure | App Hosting

Analytics

Network Data,

Contextual Insights

Insights and

Experiences

Automation

and Assurance

Security and

Compliance

Network-enabled Applications

Cloud-enabled | Software-delivered

Principles


Northbound REST API

APIC-EM Platform Architecture

APIC-EM Applications

Elastic Controller Infrastructure (Grapevine )

Network

PnPIWAN

Path

Trace

Network

Inventory

Advanced Topology Visualizer

APIC-EM Services

Inventory

ManagerRBAC Policy Analysis

Policy

Programmer

Network PnPData Access

Service

Topology

Services

IWAN

Services

Applications built on top of APIC-EM

Applications packaged with APIC-EM

Core Applications bundled

IWAN Application separately licensed

Open and Documented REST API

Core Services

Applications Specific Services

Provides Scale and High Availability


APIC-EM Packaging and Deployment

Built as a

Linux Container

Grapevine

Root

LXC

Container

LXC

Container

GV

Client

GV

Client

Operation System

Server / Machine

Standalone or

Resilient Deployment

3 Nodes• active-active-active

• Scale and HA- Software failure- HW failure of 1 node

1 or 2 Nodes• active-active

• Scale and HA- Software failure only

Download or

Preinstalled Appliance

Download• .iso image including

ubuntu 14.04 64bit

• available from:- software.cisco.com- devnet.cisco.com

Cisco Appliance• APIC-EM installed

• ready-to-go

• or SKU:- APIC-EM-APL-R-K9- APIC-EM-APL-G-K9


`

System Requirements

Server: 64-bit x86 (Ubuntu 14.04 LTS)

vCPU: 6*

RAM: 32 or 64 GB (for single or Multi-host

deployments)

Storage: 500 GB HDD

Browser: Google Chrome or Firefox

Hypervisor: VMware vSphere 5.1/5.5/6.0 (for Virtual

Appliance)

* 12 vCPU for a single Node (32GB)

http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/application-policy-

infrastructure-controller-enterprise-module/datasheet-c78-730594.html


`

Scale Numbers

Network

Devices:

10000

Access

Points:

10000

End

Hosts:

100,000

Note: These scale numbers are for the APIC-EM platform and the base applications.

Some other APIC-EM applications might have different scale numbers.


APIC-EM – 5 step installation

Physical Appliance Downloadable ISO Image

Pre-installed

APIC-EM software

APIC-EM Appliance SKUs:

− APIC-EM-APL-R-K9

− APIC-EM-APL-G-K9

OS: Ubuntu 14.04 64-bit

Deployment Options:

− Bare-metal install

(recommended)

− Virtual machine

Boot .isoEnter IP

address

Enter APIC-EM IP(Subnet / Def GW learned automatically)

Add NTP

Server

Enter NTP

Server (mandatory)

Change

Credentials

Shell and UI

Username and

PWD plus CCO

login for update

Finalize

Installation

Finalize

installation and

bring up

controller -- WAIT


`

Software Upgrades

Download the release upgrade pack from the

Cisco® Cloud

Upgrade - Drag and drop the release upgrade pack to

the controller using the UI

Controller Releases will be Incremental


`

Backup and Restore

One-click capability to

create database backup

Ability to download a copy

of the backup file to an

external location

Restore DB capability from

the last known backup

Ability to drag and drop the

backup file from an

external location


Supported Switches

Catalyst 3560CG Series

Catalyst 3560-X Series

Catalyst 3750-X Series (Stack)

Catalyst 2960-S Series (Stack)


Catalyst 4500(Sup7E) Series

Catalyst 4500E(Sup8E) Series

Catalyst 3650 Series

Catalyst 3850 Series (Stack)

Catalyst 6500(Sup720-3C/B)

Series

Catalyst 6500 (Sup2T) Series


Supported Switches

Cisco Nexus 5000 Series



Supported Ether Switch

Service Modules

Cisco 2900: SM-ES2-16-P


Cisco 2900: SM-D-ES2-48



Cisco 3900: SM-D-ES3-48-P

Supported Routers

Cisco ISR G2

Cisco ISR 4k

Cisco ASR 1000 Series

Cisco ASR 9000 Series

Supported WLCs

Cisco 2500 Series WLC

Cisco 5500 Series WLC

Cisco 5760 WLC

Cisco 8500 WLC

Cisco WiSM2

Devices Supported

http://www.cisco.com/c/en/us/td/docs/cloud-systems-management/application-policy-infrastructure-controller-

enterprise-module/1-3-x/supported-devices/b_apic_em_supported_devices_1-3-x.html


Discovery

• New Discovery UI for improved UX

• Easy identification of devices with failures for faster troubleshooting

• Editing of Existing Discovery Jobs

• Cloning of Discovery Jobs to quickly create new ones

• Discovery History to track changes


Topology

• Geo-Tagging (Mapbox) for easier management of network topology

• Tagging based on Civic Address or Zip code

• RBAC scope based topology view

• Improved UX

• Faster Topology Rendering

• Easier identification of collaboration endpoints such as Phones

• Ability to disaggregate multiple devices all at once


Inventory

• API to pull LC, module and License Information from device Inventory

• Filters in Host Inventory for Faster Search

• Support for additional platforms (IE4k, IE3K )

• Auto Configuration of SNMP on devices

• Auto Configuration of IPDTBeta on devices

• Intuitive feedback on device failure status


RBAC – Scope Awareness

• Scope (Group) based awareness to allow user access to only select network resources

• Better alignment with Organizational structure and roles

• Supported for both Internal and External controller authentication

• Current Roles Supported: Admin, Policy Admin and Observer

Note: Installer Role cannot access the Cisco APIC-EM GUI. As such, they are not bound

by an RBAC scope.

APIC-EM Path Trace App


APIC-EM Path Trace Application

User Trouble Ticket IT Path Trace

NETWORK

Open

Architecture

Network,

Applications

Monitoring

Simple Workflow

BENEFITS

SDN

Easy visual discovery of trouble spots in the

communication path based on 5-tuple info

OpEx for ticket processing decreased by 98%

from 1.6 hours to 1 minute


`

Path Trace App: Application Flow Visibility

Link Source InformationStats: Device, Interface, QoS, PerfmonACL CheckCAPWAP Tunnel

APIC-EM PnP App


NETWORK

New RouterNew Switch

PnP ApplicationIT

Simple Workflow Zero Touch

Provisioning

SDN

Open

Architecture

BENEFITS

APIC-EM PnP ApplicationUse Case: Auto-Discovery and Provisioning

Zero Touch Deployment.

Shortened Deployment Time.No On-Site Expert Needed

Increased Security. Decreased

Chance of Misconfiguration.


Network Plug and Play - Components

PnP Agent

Runs on Cisco® switches, routers, and wireless access points

Automates the deployment process

PnP Server

Central server - APIC-EM

Manages sites, devices, images, licenses

Provides northbound REST APIs

PnP Protocol

Runs between Agent and Server

Open schema

PnP Helper App (optional)

Delivers bootstrap status and troubleshooting checks


PnP Server Discovery Options

Switches (Catalyst®) Routers (ISR, ASR) Wireless Access Points

1

2

3

4

5

DHCPServer

DNSServer

DHCP with options 60 and 43

PnP string: 5A1D;B2;K4;I172.19.45.222;J80

DNS lookup

pnpserver.localdomain ---- 172.19.45.222 (PnP Server)

Cloud re-direction

https://devicehelper.cisco.com/device-helper re-directs to 172.19.45.22

(PnP Server)

USB-based bootstrapping

Manual - using the Cisco® Installer App

iPhone, iPad, Android, (roadmap - Windows mobile and PC)

https://devicehelper.cisco.com/device-helper

Cisco iWANSolution Overview


NETWORK

DMVPNSLA QoS

Path SelectionBusiness Policy:

App SLAIWAN

ApplicationIT

SDN

Simple Workflow Zero Touch

Provisioning

Business Level

Policies

Open

Architecture

Network,

Applications

Monitoring

BENEFITS

APIC-EM IWAN ApplicationUse Case: Cisco Best Practices & Knowledge for SDWAN

Note: IWAN App Release 1 targets less than 500 sites, 2 links per Branch with ISR4000.

From Weeks to

Minutes

Over 1000 CLI commands

reduced to 10 GUI Clicks


`

IWAN SD-WAN Automation

Cisco® APIC-EM centralized policy expression

and distribution

Distributed policy enforcement

Automated application and topology discovery

Application and network performance monitoring

Adaptive path selection and QoS

to sustain policy

Performance analytics collected network-wide

and reported centrallyMC

Branch

MC

Large Site

MC

Campus

Data Center

or POP

4G

LTEInternet

Data Center

or POP #2...n

MPLS

(IP-VPN)

IWAN Domain

ControllerPolicy Rendering

Policy Distribution

and Domain Control

Distributed Policy

Enforcement

IWAN APP

Policy Expression

APIC-EM EasyQoS App


Policy Service: EasyQoS

Enhance Collaboration Experience

300% 50%Reduction in

voice jitter

Video quality

improves

No Operator Intervention

”

The EasyQoS App reduces deployment times

for network-wide QoS dramatically. We can

now respond to changing application needs via

policy-based automation within minutes or

even seconds.

“

Select from Predefined

Policies

AutomatedDeployment

of QoS config

Optimized for Any

Infrastructure

Edeka

Lower Costs & Complexity

Deploy changes: Months to Minutes

Thousands in cost savings


3131© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 31

EM

EasyQoS will seamlessly interconnect all types of

hardware and software queuing models to achieve

consistent and compatible end-to-end treatments

aligned with the expressed business-intent

EasyQoSApplication QoS- Deploy End-to-End DSCP based Queueing Policies

Cisco Catalyst 3K switches


MPLS on Catalyst 3850

http://www.cisco.com/c/en/us/products/switches/catalyst-3650-series-switches/index.html





MPLS Features

• Label Distribution Protocol

LDP

• MPLS QOS

• BFD

• MPLS TraceRoute/LSP Ping

• MPLS L3VPN-IPv4

PE-CE Protocols : Static, RIP, EIGRP,

OSPF

PE-P Protocols: OSPF & ISIS

MP-IBGP

• IPv6 L3VPN

• 6PE

• Multicast VPN

Catalyst 3850 (Supported

on All SKUs)

MPLS – Bringing MPLS to Access

CE PPE

PE

P

P

CE

P

PE

PE

CE

CE

MPLS Domain

Label switched path

LDP

Polaris | UADP | Standards-based

L3VPN


Network As A Sensor

Application Assurance

Detect Rich Endpoint Context

Detect Anomalous Traffic Flows

Detect User Access Policy Violations

Better Application Experience

Leverages DNS-AS and NBAR2

Visibility of Critical applications on the network

Consistent policies for End User Experience

Threat Analysis Key Benefits

Stealthwatch Deployed as

Physical or Virtual

Appliance

Collects Network Data

with Full NetFlow Per

Switch

Identifies and Reports

Potential Security Threats


Programmability, Why Network Programmability Matters

0

100%

67%

CAPEX OPEX

33%

0 10 100 1000

Computing Networking

Seconds

Network Expenses Deployment Speed

Time IT

spends on

operations

CMOs think IT

is not

responding fast

enough to time-

sensitive

projects

CEOs are

worried about IT

strategy not

supporting

business growth

80% 55% 57%

Source: Forrester Source: Open Compute Project


Programmability & Automation

Day 0:Programmable

Bootstrap

Device

Provisioning

Day 1:

Programmable Interfaces

Configuration

Day 2:

Telemetry

Monitoring

Bootstrap

Agent (PnP) ZTPNET

CONF

REST

CONF

YANG

ModelsPython

Model Driven

Telemetry

gRPCShipping

Shipping

Shipping


Cisco Stackwise Virtual

VSLSW-1 SW-2

o

o

Distributed stacking will support 16.1 feature parity during FCS.

Cisco Catalyst 2K switches


Cisco Catalyst 2960 Family

Advanced Layer 2

Stackable

Cisco Catalyst 2960-X

License: LAN Base

10G/1G SFP+/SFP 80G FlexStack-Plus Full

PoE, PoE+IPv6 FHS NetFlow-Lite

Gig

ab

it E

thern

et

Ease of Use

Robust Security

Enhanced Lifetime

Warranty

Energy Efficiency

Lower TCO

Fea

ture

Lea

de

rsh

ip a

nd

Cis

co

Qu

ali

ty a

t

Co

mp

eti

tive

Pri

ces

Layer 2 Standalone

Cisco® Catalyst® 2960-Plus

License: LAN Lite/LAN Base

1G SFP/BASE-T Uplinks

802.3af PoE

Fa

st

Eth

ern

et

Advanced Layer 2/3

Stackable +

Resilient

Cisco Catalyst 2960-XR

License: IP Lite

2960-X Features + IP Lite: L3/Routing

Redundant PSU

Layer 2 Standalone

Cisco Catalyst 2960-L

License: LAN Lite

1G SFP Uplinks Partial PoE,

PoE+Web UI, Bluetooth Ready

New


Introducing the Cisco Catalyst 2960-L Series

Extending Unified Access

Persistent PoE*

< 1-minboot time

Bluetooth ready

800MHzCPU

1.5 Mb perASIC

Prime Infrastructure and

PnP

Web UI for configuration

and management

Fanless

EEE

PoE+

2 x 1G or 4 x 1G

8/16/24/48 downlinks

4 queues per port

* FCS+1


C2960-L Series Hardware Specification

• Fanless*

• Flash: 256 Mb and DRAM: 512 Mb

• 800-MHz CPU

• Downlink options: 8/16/24/48 of 1G

• Fixed uplinks options: 2/4 of 1G

• Default license: LAN Lite (also

includes dot1x Multiauth, IPv6:

QoS and trust, IPv6 MLDv1 and

v2 snooping)

• Max available PoE budget: 370W

• Operating temperatures: -5C to 45C

(at sea level)

• Operating altitude: up to 10000 ft.

• Fixed power supply (no RPS

support)

• Stacking not supported

*Except 48-port switches


C2960-L Overview

Feature 8 Ports 16 Ports 24 Ports 48 Ports

Forwarding bandwidths 10 Gbps 18 Gbps 28 Gbps 52 Gbps

Switching bandwidth 20 Gbps 36 Gbps 56 Gbps 104 Gbps

Forwarding rate (64-byte L3 packets) 14.88 Mpps 26.78 Mpps 41.67 Mpps 77.38 Mpps

Unicast MAC addresses 8K 8K 8K 8K

Maximum active VLANs 64 64 64 64

VLAN IDs available 4,096 4,096 4,096 4,096

Maximum STP instances 64 64 64 64

MTU-L3 packet 9198 bytes 9198 bytes 9198 bytes 9198 bytes

Jumbo Ethernet frame 10,240 bytes 10,240 bytes 10,240 bytes 10,240 bytes

MTBF in hours (Data) 2,448,133 2,416,689 2,412,947 1,370,769

MTBF in hours (PoE) 315,044 313,496 909,838 437,970


Q&A

?

apic-em controler for - cisco · detect user access policy violations better application experience...

Documents