Post on 16-Jul-2015
transcript
© 2014 Cisco and/or its affiliates. All rights reserved.Presentation_ID Cisco Public DevNet @
Agenda
• Introduction
• Quick Tour
• Use cases
Common Policy will Drive End-to-End Solutions
Consistent Policy Across Cloud, DC, WAN and Access
• Domains: Cloud, Data Center, WAN, Access (each fronted by an APIC)
• Application Network Profile: SLA, Security, QoS, Load Balancing
• User/Things Network Profile: QoS, Security, SLA, Device
Introducing Cisco APIC Enterprise Module
• Advanced Visualization for low risk SDN adoption
• Elastic Services for scalability & HA
• Existing & New Installations: Catalyst, ISR, ASR
• Agile Integration Model
• Network Abstraction and Automation (APIC)
Masking Network Complexity, Exposing Network Intelligence.
Cisco APIC Enterprise Module Architecture
• Abstracts Network Devices to Mask Complexity: Treat Network as a System
• Exposes Network Intelligence for Business Innovation
Layers, top to bottom:
– Cisco and Third Party Applications: Security, QoS, IWAN, Network PnP
– REST API
– Cisco APIC Enterprise Module: Policy, Infrastructure Automation, Network Info Database
– Southbound Interface: CLI
– Network Devices: Catalyst, ASR, ISR
APIC-EM: Services Layered View
• NB REST API
• APIC-EM Apps: Inventory Visualizer, Topology Visualizer, Application Visualizer, Discovery, Easy QoS Visualizer, Compliance Check, ACL Visualizer, Network PnP, Network Tapping Visualizer, Policy Manager
• APIC-EM Services: Inventory, Topology, Policy Analysis, PnP, Network Discovery, Network Programmer, Policy Programmer (QoS, ACL), Network Tapping, Easy QoS, Network Events, Pxgrid Client + LDAP client, Radius Proxy + LDAP client
• Policy Manager: Conflict Detection and Resolution (BI and NI); Business Intent to Network Intent Conversion
• IWAN Services: Application Visibility, PfR
• Basic Services for Controller Availability
• Models: Network Model, Device Model, Device Interface
RESTful services exposed
Understanding the tables
$ python host.py | sort
Network device (/network-device):
{
  "id": "7895a45f-47aa-42ee-9d06-c66d3b784594",
  "hostname": "SDN-BRANCH-3750-STACK",
  "managementIpAddress": "40.0.2.18",
  "macAddress": "1C:DF:0F:08:20:C2",
  "type": "SWITCH",
  "vendor": "Cisco",
  "family": "C3750X",
  "serialNumber": "FDO1432K0MC",
  "platformId": "WS-C3750X-48P",
  "softwareVersion": "15.2(1)E2",
  "imageName": "c3750e-universalk9-mz.152-1.E2.bin",
  "upTime": "26 weeks, 3 hours, 8 minutes",
  "memorySize": "262144K",
  "interfaceCount": "109",
  "role": "Access",
  "roleSource": "auto",
  "lineCardCount": "5",
  "lineCardId": "3220b22a-a74c-4f9e-9898-c9afc01dc5dd,9ef0da99-963c-4289-9087-7f861c969ea3,e5b911e4-2c1c-4a95-9214-dd9877dd2b92,f5996432-3c89-4045-ac8b-46a6bf873845",
  "lastUpdated": "2014-09-29 16:19:17.627273-07",
  "portRange": "FastEthernet0, Vlan1, GigabitEthernet1/0/1-48, GigabitEthernet1/1/1-4, GigabitEthernet2/0/1-48, GigabitEthernet2/1/1-4, TenGigabitEthernet1/1/1-2, TenGigabitEthernet2/1/1-2",
  "avgUpdateFrequency": 300,
  "numUpdates": 30,
  "reachabilityStatus": "In Progress",
  "reachabilityFailureReason": "Unreachable"
}
Host (/host):
{
  "id": "8f41bef8-698c-4701-af14-471e910ed9ff",
  "hostMac": "00:50:56:8A:27:A3",
  "hostIp": "40.0.5.12",
  "hostType": "WIRED",
  "connectedNetworkDeviceId": "7895a45f-47aa-42ee-9d06-c66d3b784594",
  "connectedNetworkDeviceIpAddress": "40.0.2.18",
  "connectedInterfaceId": "30bb14c1-8fb6-45c4-8f6d-5b845a7f448c",
  "connectedInterfaceName": "GigabitEthernet2/0/2",
  "vlanId": "1",
  "lastUpdated": "September 29, 2014 1:54:13 PM PDT",
  "numUpdates": 1,
  "userStatus": "Active",
  "source": 200
}
Understanding topology
https://test-apic/api/v0/topology/physical-topology
• Nodes
{
  "deviceType": "SWITCH",
  "label": "SDN-BRANCH-3750-STACK",
  "id": "7895a45f-47aa-42ee-9d06-c66d3b784594",   (id from /network-device)
  "nodeType": "device"
}
{
  "deviceType": "WIRED",
  "label": "40.0.5.12",
  "id": "8f41bef8-698c-4701-af14-471e910ed9ff",   (id from /host)
  "nodeType": "host"
}
• Links
{
  "source": "7895a45f-47aa-42ee-9d06-c66d3b784594",
  "startPortID": "30bb14c1-8fb6-45c4-8f6d-5b845a7f448c",
  "target": "8f41bef8-698c-4701-af14-471e910ed9ff",
  "endPortID": "",
  "linkStatus": "UP"
}
REST API Structure - Policy
• Endpoints: /policy, /acl/trace, /routing-path, /application, /qos, /network-device/{tags}, /host, /user
• Policy: ACL, QoS Marking, Traffic Redirection, Path verification, ACL -> App mapping
• QoS: App -> Class -> Mapping (cvd), Queuing on interfaces, Bandwidth allocation to classes, QoS Marking
Policy Construct
Three Classes of Use Case
• NetOps
• Net Integration
• Net Innovation
"HOW" to "WHAT"
Cultural change: "TEST and VERIFY" to "TRUST"
Tags - Adding
https://test-apic/api/v0/network-device/tag POST
{"networkDeviceId" : "7895a45f-47aa-42ee-9d06-c66d3b784594", "tag" : "branch"}
Automating Tagging
$ ./tag_device.py BRANCH +branch
Adding tag: branch to device SDN-BRANCH-3750-STACK(7895a45f-47aa-42ee-9d06-c66d3b784594)
202
TAGGED {u'url': u'/api/v0/task/3e934c30-43f1-4157-b4e8-a4291ba6c198', u'taskId': u'3e934c30-43f1-4157-b4e8-a4291ba6c198'}
Adding tag: branch to device SDN-BRANCH-3850-TB1(526c8fc6-f732-41a9-9faf-5876293a2e8c)
202
TAGGED {u'url': u'/api/v0/task/3714ef69-11ef-411b-945f-db52bba47db0', u'taskId': u'3714ef69-11ef-411b-945f-db52bba47db0'}
Adding tag: branch to device SDN-BRANCH-ASR1002(cceaf2fe-c3d9-4d37-bf14-fba071c27d6e)
202
TAGGED {u'url': u'/api/v0/task/8c85d4cf-6bc7-40b8-8616-938af7a446b1', u'taskId': u'8c85d4cf-6bc7-40b8-8616-938af7a446b1'}
Adding tag: branch to device SDN-BRANCH-C4K(a36bc35a-94ed-4b2c-a66c-e46dddd5e037)
202
TAGGED {u'url': u'/api/v0/task/dfa84ff2-d92a-4fea-9e7a-707bf3d18cb1', u'taskId': u'dfa84ff2-d92a-4fea-9e7a-707bf3d18cb1'}
IPAM - All Subnets
https://test-apic/api/v0/interface GET
$ python all-interfaces.py | sort
{
  "id": "5bcc0bc0-c7bd-458d-9ad6-b606970017cf",
  "deviceId": "526c8fc6-f732-41a9-9faf-5876293a2e8c",
  "interfaceType": "Physical",
  "portName": "GigabitEthernet1/0/5",
  "portType": "Gigabit Ethernet",
  "portMode": "routed",
  "connectorType": "RJ-45",
  "macAddress": "18:9C:5D:16:FC:E4",
  "ipv4Address": "40.0.3.1",
  "ipv4Mask": "30",
  "serialNo": "FOC1743X0CJ",
  "pid": "WS-C3850-48P",
  "status": "down",
  "vendor": "Cisco",
  "lastUpdated": "2014-09-29 16:17:14.995619-07",
  "duplex": false,
  "avgUpdateFrequency": 180,
  "numUpdates": 49,
  "speed": 1000000
}
{
  "id": "2fdb927f-a5a7-47b2-bbed-8499c1c12105",
  "deviceId": "526c8fc6-f732-41a9-9faf-5876293a2e8c",
  "interfaceType": "Physical",
  "portName": "GigabitEthernet1/0/4",
  "portType": "Gigabit Ethernet",
  "portMode": "routed",
  "connectorType": "RJ-45",
  "macAddress": "18:9C:5D:16:FC:F6",
  "ipv4Address": "40.0.2.5",
  "ipv4Mask": "30",
  "serialNo": "FOC1743X0CJ",
  "pid": "WS-C3850-48P",
  "status": "up",
  "vendor": "Cisco",
  "connectedNeighbor": "a632c6e8-89bf-4949-8e4d-a249105f2c7c",
  "lastUpdated": "2014-09-29 16:17:14.980705-07",
  "connectedNeighborType": "Network_Device",
  "ospfSupport": true,
  "duplex": true,
  "avgUpdateFrequency": 180,
  "numUpdates": 49,
  "speed": 1000000
}
Netops
• Previous examples
– Access to datastore
– Find/filter/report etc
• routing-path similar to topology
– /routing-path/{src}/{dst}
– /routing-path/40.0.0.15/40.0.5.12
Path has nodes and links
$ python show-path.py
"nodes": [
  {
    "deviceType": "WIRED",
    "label": "40.0.0.15",
    "id": "51a75ce9-d5c9-4fe2-95a0-6fc01410e201",
    "nodeType": "host"
  },
  {
    "deviceType": "SWITCH",
    "label": "SDN-CAMPUS-C3850",
    "id": "f8c3fc68-cd26-4576-bcec-51f9b578f71e",
    "nodeType": "device"
  },
  ........ Some nodes removed ........
  {
    "deviceType": "SWITCH",
    "label": "SDN-BRANCH-3750-STACK",
    "id": "7895a45f-47aa-42ee-9d06-c66d3b784594",
    "nodeType": "device"
  },
  {
    "deviceType": "WIRED",
    "label": "40.0.5.12",
    "id": "8f41bef8-698c-4701-af14-471e910ed9ff",
    "nodeType": "host"
  }
]
* NOTE: Some attributes removed
"links": [
  {
    "source": "51a75ce9-d5c9-4fe2-95a0-6fc01410e201",
    "startPortID": "",
    "target": "f8c3fc68-cd26-4576-bcec-51f9b578f71e",
    "endPortID": "16e94527-33fd-4968-a0d7-0f7265b72904",
    "linkStatus": "UP"
  },
  {
    "id": "459d7b7b-01c3-449a-841d-489e0250b8da",
    "source": "f8c3fc68-cd26-4576-bcec-51f9b578f71e",
    "startPortID": "0e841ab3-6192-4514-9736-d3ef63ed67f5",
    "target": "e5f93514-3ae5-4109-8b52-b9fa876e1eae",
    "endPortID": "02b1a0a6-3772-4b71-b2da-6d7cd87a5ec2",
    "linkStatus": "UP"
  },
  ........ Some nodes removed ........
  {
    "source": "7895a45f-47aa-42ee-9d06-c66d3b784594",
    "startPortID": "30bb14c1-8fb6-45c4-8f6d-5b845a7f448c",
    "target": "8f41bef8-698c-4701-af14-471e910ed9ff",
    "endPortID": "",
    "linkStatus": "UP"
  }
]
Netops
• ACL
– Get ACL for a Device: https://test-apic/api/v0/acl/device/cceaf2fe-c3d9-4d37-bf14-fba071c27d6e
– Get ACL for Interface GigabitEthernet0/0/0: https://test-apic/api/v0/acl/interface/ad8c543b-c698-468b-bb64-e0a418d6c517
• Check for consistency of an ACL: https://test-apic/api/v0/acl/conflict/dea7a366-4cdd-4006-ad51-27f0a0b2fb40
$ python check-acl.py
Combine PATH with ACL
https://test-apic/api/v0/acl/trace POST
Content-Type = application/json
$ python show-path-acl.py
{
  "destIp": "40.0.0.15",
  "sourceIp": "40.0.0.12",
  "applicationId": "46de799b-7f51-4a5e-8d08-46e2e78ff619",
  "interfaceIds": [
    "",
    "16e94527-33fd-4968-a0d7-0f7265b72904",
    "4556c2eb-0df4-41b3-8558-05f04be02fe0",
    ""
  ]
}
Combine PATH with ACL
https://test-apic/api/v0/acl/trace POST
Content-Type = application/json
$ python show-path-acl.py
{
  "destIp": "40.0.0.15",
  "sourceIp": "40.0.5.12",
  "applicationId": "46de799b-7f51-4a5e-8d08-46e2e78ff619",
  "interfaceIds": [
    "",
    "16e94527-33fd-4968-a0d7-0f7265b72904",
    "0e841ab3-6192-4514-9736-d3ef63ed67f5",
    "02b1a0a6-3772-4b71-b2da-6d7cd87a5ec2",
    "54683dd7-1c17-41f6-b7ac-47935d20fe3f",
    "a8c71f5e-dd31-457f-8160-556b91dd6320",
    "87bb850b-6223-4540-8729-ff4c276097ea",
    "82481ce8-fe7b-493f-9ca1-0390bfa71be0",
    "ad8c543b-c698-468b-bb64-e0a418d6c517",
    "c4a8fe79-fa1b-4349-ac37-90146554f0ff",
    "2fdb927f-a5a7-47b2-bbed-8499c1c12105",
    "d3054716-73ed-4a6c-89c9-095ebe7f3445",
    "42a5e927-1ed6-4483-bd66-555d9d6d2f89",
    "86ff5af0-4c5a-46e1-9edb-8aa3df5e9d95",
    "30bb14c1-8fb6-45c4-8f6d-5b845a7f448c",
    ""
  ]
}
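Added example, not code from the slides or from APIC-EM: it takes a /routing-path response of the shape shown earlier and derives the interfaceIds list for the /acl/trace POST, which, as the two request bodies show, is each hop's startPortID and endPortID in path order with the host ends left empty. Node and port ids are copied from the slides; the middle hops are collapsed into one link whose branch-side port id is a placeholder.

```python
import json

# Constructed sample in the shape of the /routing-path "links" shown on the slides: node and
# port ids are from the slide excerpts, the middle hops are collapsed into one link, and the
# branch-side port id BRANCH_UPLINK is a made-up placeholder.
HOST_A = "51a75ce9-d5c9-4fe2-95a0-6fc01410e201"       # 40.0.0.15
CAMPUS = "f8c3fc68-cd26-4576-bcec-51f9b578f71e"       # SDN-CAMPUS-C3850
BRANCH = "7895a45f-47aa-42ee-9d06-c66d3b784594"       # SDN-BRANCH-3750-STACK
HOST_B = "8f41bef8-698c-4701-af14-471e910ed9ff"       # 40.0.5.12
CAMPUS_GI12 = "16e94527-33fd-4968-a0d7-0f7265b72904"  # campus Gi1/0/12, faces 40.0.0.15
CAMPUS_GI1 = "0e841ab3-6192-4514-9736-d3ef63ed67f5"   # campus Gi1/0/1, towards the branch
BRANCH_UPLINK = "placeholder-branch-uplink-port-id"   # constructed, not from the slides
BRANCH_GI2 = "30bb14c1-8fb6-45c4-8f6d-5b845a7f448c"   # branch Gi2/0/2, faces 40.0.5.12
ROUTING_PATH = {"links": [
    {"source": HOST_A, "startPortID": "", "target": CAMPUS, "endPortID": CAMPUS_GI12, "linkStatus": "UP"},
    {"source": CAMPUS, "startPortID": CAMPUS_GI1, "target": BRANCH, "endPortID": BRANCH_UPLINK, "linkStatus": "UP"},
    {"source": BRANCH, "startPortID": BRANCH_GI2, "target": HOST_B, "endPortID": "", "linkStatus": "UP"},
]}

def ordered_links(path):
    """Chain the links hop by hop, starting at the node that is never a link target."""
    by_source = {link["source"]: link for link in path["links"]}
    targets = {link["target"] for link in path["links"]}
    current = next(src for src in by_source if src not in targets)
    chain = []
    while current in by_source:
        link = by_source.pop(current)  # pop so a malformed looping path still terminates
        chain.append(link)
        current = link["target"]
    return chain

def trace_interface_ids(path):
    """Flatten each hop's (startPortID, endPortID) in hop order; the host ends stay ''."""
    ids = []
    for link in ordered_links(path):
        ids.extend([link["startPortID"], link["endPortID"]])
    return ids

def build_acl_trace(path, source_ip, dest_ip, application_id):
    """Request body for POST /api/v0/acl/trace in the field layout the slides show."""
    if any(link["linkStatus"] != "UP" for link in path["links"]):
        raise ValueError("path has links that are not UP; the trace would not describe live traffic")
    return {"sourceIp": source_ip, "destIp": dest_ip, "applicationId": application_id,
            "interfaceIds": trace_interface_ids(path)}

if __name__ == "__main__":  # application id is appleqtc as listed on the slides
    print(json.dumps(build_acl_trace(ROUTING_PATH, "40.0.0.15", "40.0.5.12",
                                     "46de799b-7f51-4a5e-8d08-46e2e78ff619"), indent=2))
```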
Result:
"devices": [
  {
    "deviceName": "SDN-CAMPUS-C3850",
    "deviceId": "f8c3fc68-cd26-4576-bcec-51f9b578f71e",
    "deviceType": "SWITCH",
    "deviceRole": "Access",
    "deviceIp": "40.0.0.3",
    "interfaces": [
      {
        "interfaceName": "GigabitEthernet1/0/12",
        "interfaceId": "16e94527-33fd-4968-a0d7-0f7265b72904",
        "aclName": null,
        "aclId": null,
        "ingress": true,
        "blockType": "none",
        "relevantAces": [],
        "implicitDenies": []
      },
      {
        "interfaceName": "GigabitEthernet1/0/1",
        "interfaceId": "0e841ab3-6192-4514-9736-d3ef63ed67f5",
        "aclName": null,
        "aclId": null,
        "ingress": false,
        "blockType": "none",
        "relevantAces": [],
        "implicitDenies": []
      }
    ]
  },
  {
    "interfaceName": "GigabitEthernet0/0/0",
    "interfaceId": "ad8c543b-c698-468b-bb64-e0a418d6c517",
    "aclName": "one_big_acl_for_conflict",
    "aclId": "dea7a366-4cdd-4006-ad51-27f0a0b2fb40",
    "ingress": false,
    "blockType": "complete",
    "relevantAces": [
      {
        "aceIndex": 10,
        "ace": {
          "id": "f175c041-da1f-46cd-b9a6-0a4df6b5e15c",
          "aclId": "dea7a366-4cdd-4006-ad51-27f0a0b2fb40",
          "priority": 100,
          "action": "DENY",
          "protocol": "TCP",
          "srcAddr": null,
          "srcAddrMask": "32",
          "srcPort": 0,
          "srcPortUpper": 0,
          "destAddr": null,
          "destAddrMask": "32",
          "destPort": 458,
          "destPortUpper": 458,
          "dscp": 0,
          "attributeInfo": {}
        },
        "sourcePortInfoList": [],
        "destPortInfoList": [
          {
            "protocol": "tcp",
            "ports": "458"
          }
        ]
      },
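Added example, not part of the slides: it walks an /acl/trace result of the shape above and reports every interface where the flow is not passed clean, with the ACEs responsible rendered IOS-style (a null address means any). The sample result is constructed from the slide's values; the slides omit the device wrapper around GigabitEthernet0/0/0, so its deviceName and deviceIp are assumed.

```python
# Constructed sample in the shape of the /acl/trace result shown on the slides: device, interface
# and ACE values are from the slide excerpt; the slides omit the device wrapper for the ASR's
# GigabitEthernet0/0/0, so its deviceName and a placeholder deviceIp are assumed here.
TRACE_RESULT = {"devices": [
    {"deviceName": "SDN-CAMPUS-C3850", "deviceIp": "40.0.0.3", "interfaces": [
        {"interfaceName": "GigabitEthernet1/0/12", "ingress": True, "aclName": None,
         "blockType": "none", "relevantAces": [], "implicitDenies": []},
        {"interfaceName": "GigabitEthernet1/0/1", "ingress": False, "aclName": None,
         "blockType": "none", "relevantAces": [], "implicitDenies": []}]},
    {"deviceName": "SDN-BRANCH-ASR1002", "deviceIp": "placeholder-ip", "interfaces": [
        {"interfaceName": "GigabitEthernet0/0/0", "ingress": False,
         "aclName": "one_big_acl_for_conflict", "blockType": "complete", "implicitDenies": [],
         "relevantAces": [{"aceIndex": 10, "ace": {
             "action": "DENY", "protocol": "TCP", "srcAddr": None, "srcAddrMask": "32",
             "destAddr": None, "destAddrMask": "32", "destPort": 458, "destPortUpper": 458}}]}]},
]}

def endpoint(addr, mask):
    """Render an ACE address as IOS prints it: null means any, a /32 mask means host."""
    if addr is None:
        return "any"
    return f"host {addr}" if mask == "32" else f"{addr}/{mask}"

def ace_summary(ace):
    """One-line IOS-style rendering of an ACE taken from the trace result."""
    lo, hi = ace["destPort"], ace["destPortUpper"]
    port = "" if lo == 0 else (f" eq {lo}" if lo == hi else f" range {lo} {hi}")
    return (f'{ace["action"]} {ace["protocol"].lower()} {endpoint(ace["srcAddr"], ace["srcAddrMask"])} '
            f'{endpoint(ace["destAddr"], ace["destAddrMask"])}{port}')

def blocking_points(result):
    """Every interface on the path where the flow is not passed clean, with the ACEs to blame."""
    points = []
    for device in result["devices"]:
        for itf in device["interfaces"]:
            if itf["blockType"] == "none" and not itf["implicitDenies"]:
                continue
            points.append({"device": device["deviceName"], "interface": itf["interfaceName"],
                           "direction": "in" if itf["ingress"] else "out",
                           "acl": itf["aclName"], "blockType": itf["blockType"],
                           "aces": [(r["aceIndex"], ace_summary(r["ace"])) for r in itf["relevantAces"]],
                           "implicitDeny": bool(itf["implicitDenies"])})
    return points

def flow_allowed(result):
    """True when no interface on the path reports a complete block for this flow."""
    return not any(p["blockType"] == "complete" for p in blocking_points(result))

if __name__ == "__main__":
    for p in blocking_points(TRACE_RESULT):
        print(f'{p["device"]} {p["interface"]} {p["direction"]} acl={p["acl"]} {p["blockType"]} {p["aces"]}')
```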
Applications
{
  "id": "46de799b-7f51-4a5e-8d08-46e2e78ff619",
  "applicationGroup": "other",
  "category": "voice-and-video",
  "subCategory": "consumer-video-streaming",
  "encrypted": "false",
  "p2pTechnology": "false",
  "tunnel": "false",
  "name": "appleqtc",
  "enabled": "true",
  "nbarId": "92",
  "engineId": "3",
  "globalId": "L4:458",
  "selectorId": "458",
  "helpString": "apple quick time",
  "longDescription": "Apple QuickTime is an extensible proprietary multimedia framework developed by Apple Inc., capable of handling various formats of digital video, picture, sound, panoramic images, and interactivity. QuickTime is available for Windows XP and later, as well as Mac OS X Leopard and later operating systems.",
  "appProtocol": "tcp/udp",
  "tcpPorts": "458",
  "udpPorts": "458",
  "references": "http://www.apple.com/quicktime/",
  "url": "",
  "valid": true
}
Reference
Integration(s)
• Collaboration – Phase 1 – (lower trust threshold)
– Marking -> voice clients
– E.g. UCM, Citrix
• Security – Phase 2 – (higher trust threshold)
– Copy – lower; Deny – higher (e.g. SourceFire)
Policy based QoS
https://test-apic/api/v0/policy POST
{
  "policyOwner": "Admin",
  "networkUser": {"userIdentifiers": ["40.0.0.15"], "applications": [{"raw": "12340;UDP"}]},
  "actionProperty": {"priorityLevel": "46"},
  "actions": ["PERMIT"],
  "policyName": "voice:audio:40.0.0.15"
}
$ python set-qos.py < qos-input-small.txt
{
  "response": {
    "taskId": "f5c07be7-ae8e-4350-80b0-1971874803c8",
    "url": "/api/v0/task/f5c07be7-ae8e-4350-80b0-1971874803c8"
  },
  "version": "0.0"
}
Task for Policy creation - success
https://adam-gv/api/v0/task/4bd6767d-b332-4d20-b689-05473833e0c8 GET
{
  "response": {
    "id": "4bd6767d-b332-4d20-b689-05473833e0c8",
    "rootId": "4bd6767d-b332-4d20-b689-05473833e0c8",
    "serviceType": "Policy Service",
    "progress": "767952d1-e5b5-4c9f-bcca-02e3e6515210",
    "startTime": 1409885977316,
    "endTime": 1409885985944
  },
  "version": "0.0"
}
Task for Policy creation - failure
https://test-apic/api/v0/task/f5c07be7-ae8e-4350-80b0-1971874803c8 GET
"response": {
  "id": "f5c07be7-ae8e-4350-80b0-1971874803c8",
  "rootId": "f5c07be7-ae8e-4350-80b0-1971874803c8",
  "serviceType": "Policy Service",
  "progress": "Policy Creation Failed",
  "errorCode": "PartialSuccess",
  "failureReason": "04ea2f11-1e9d-435a-9db2-ded3fbcd732f: Inactive Policy - Interfaces where this policy needs to be programmed are not within the same policy scope. Hence skipping policy creation for this policy.",
  "isError": true,
  "startTime": 1412425907975,
  "endTime": 1412425910331
},
Policy for Security
https://test-apic/api/v0/policy POST
{
  "policyName": "deny_some",
  "policyOwner": "Admin",
  "actions": ["DENY"],
  "networkUser": {"userIdentifiers": ["40.0.0.15"]},
  "resource": {"userIdentifiers": ["10.10.20.3"], "applications": [{"raw": "81;TCP"}]}
}
Sourcefire use case.
<<<<<THIS CAN BE DANGEROUS IN A SHARED LAB>>>>
Remove "resource" components (10.10.4.2):
1) deny tcp host 40.0.0.15 host 10.10.20.3 eq 81
2) deny tcp host 40.0.0.15 any eq 81
3) deny ip host 40.0.0.15 any
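Added example (not APIC-EM code): a pre-flight check for the deny policy above. It renders the ACE each of the three forms listed on the slide expands to and classifies how far the deny reaches, so an over-broad "deny ip host ... any" is caught before the body is POSTed to /api/v0/policy. The expansion rule is an assumption modelled on the slide's three lines, not the controller's own rendering.

```python
import copy

# The "Policy for Security" body from the slides; the variants below are derived from it.
DENY_POLICY = {
    "policyName": "deny_some", "policyOwner": "Admin", "actions": ["DENY"],
    "networkUser": {"userIdentifiers": ["40.0.0.15"]},
    "resource": {"userIdentifiers": ["10.10.20.3"], "applications": [{"raw": "81;TCP"}]},
}

def parse_raw_app(raw):
    """'81;TCP' -> ('tcp', 81): the 'port;PROTO' raw application form used on the slides."""
    port, proto = raw.split(";")
    return proto.lower(), int(port)

def strip_resource(policy, key=None):
    """Copy of the policy with one 'resource' field (or the whole block) removed."""
    variant = copy.deepcopy(policy)
    if key is None:
        variant.pop("resource", None)
    else:
        variant["resource"].pop(key, None)
    return variant

def policy_to_aces(policy):
    """ACE lines the policy expands to; the rule is assumed from the slide's three lines, not APIC-EM's."""
    action = policy["actions"][0].lower()
    resource = policy.get("resource", {})
    dests = resource.get("userIdentifiers") or ["any"]          # no hosts listed: any destination
    apps = [parse_raw_app(a["raw"]) for a in resource.get("applications", [])] or [("ip", None)]
    aces = []
    for src in policy["networkUser"]["userIdentifiers"]:
        for dst in dests:
            for proto, port in apps:
                dst_txt = "any" if dst == "any" else f"host {dst}"
                aces.append(f"{action} {proto} host {src} {dst_txt}" + ("" if port is None else f" eq {port}"))
    return aces

def blast_radius(policy):
    """Pre-flight classification of how far a DENY reaches before it is POSTed to /api/v0/policy."""
    if "DENY" not in policy["actions"]:
        return "not-a-deny"
    resource = policy.get("resource", {})
    if not resource.get("applications"):
        return "all-traffic"      # no port/protocol: everything from the user is dropped
    if not resource.get("userIdentifiers"):
        return "any-destination"  # one port, but towards every host the user can reach
    return "pinned"               # one user, one host, one port

if __name__ == "__main__":
    for p in (DENY_POLICY, strip_resource(DENY_POLICY, "userIdentifiers"), strip_resource(DENY_POLICY)):
        print(f"{blast_radius(p):16}{policy_to_aces(p)}")
```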
For more information…
• SDN BOF 1:30PM classroom
• Other Sessions
– DevNet-1044 – Create Hello World with APIC-EM