How Cisco IT uses Prime Infrastructure to Manage the Cisco Network
BRKNMS-2447
Mohit Agrawal, Sr. Architect – Cisco IT Network Management
Mark Basinski, Product Manager – Enterprise Infrastructure & Solutions
Agenda
Cisco IT Network Management Overview
1. Network Management Introduction
2. Prime Infrastructure Deployment in IT
3. Network Management Case Studies
o Wireless Management
o Zero-Touch Deployment of New Devices
o Configuration Management
o Network Assurance & Event Correlation
4. IT & Prime Infrastructure – Looking Ahead
Cisco IT Network – Network Segment & Scale
Remote Access & CVO: 30,000 CVO Routers; 24 Remote Access Routers; 50+ VPN Gateway ASAs
WAN Aggregation: 50 WAN Aggregation; 60 Regional Backbones; 75 Global Backbones
Internal Labs: 520+ Lab Routers
Extranet: 24 Extranet Hubs; 200+ Extranet Partner Sites; 530 Extranet Gateways
Data Center: 30 DC Locations; 200+ DC Gateway Routers
DMZ: 15 DMZ Environments; 28 Corp Firewalls; 80 DMZ Lab Routers; 200+ DMZ Routers
Remote Office: 375+ FSO Locations; 850+ FSO Routers
Internet Edge: 15 Internet PoPs; 30 ISP Gateway Routers; 72 Web Security Appliances
Campus WiFi: 670 Controllers; 11k APs; 560k+ wired ports
Core/Distribution: 1500+ Core Switches
Top 5 Network Infrastructure Challenges
1. Application Visibility & Migration
2. End-User Experience
3. Operational Excellence
4. Configuration and Policy Implementation (Speed)
5. Security
Cisco IT Transition to Cisco Prime…
• One integrated architecture to manage wired and wireless devices
• Built-in integration with other products (NAMs, MSEs, APIC-EM, APICs, UCSM, vCenter, ISE, Prime Collab)
• Distributed systems architecture with a central ops experience
Network Management Capabilities
• Network config & change management
• WAN traffic analysis (NetFlow, NBAR)
• Network performance management (AVC, PfR)
• Software image management
• Compliance management
• Capacity management
• Network security management
• Access control management
• Zero Touch deployment
• IP address management
Cisco Network
Network Devices: 40,000+
Applications: 4000+
End Points: 300,000+
Wireless Clients: 120,000+
Network Management in IT
Our Vision: One intelligent network, One management, One policy
• End User Experience (IPSLA)
• Unified Access Wired and Wireless
• Event Correlation & Runbook Automation
• Device Lifecycle Mgmt
• Configuration Optimization
Vision: Key Takeaways
Situation: Multiple systems and scripts deliver point features. Many capabilities are not integrated and therefore cause operational challenges.
Proposal: An ‘Integrated Architecture’ to manage the wired and wireless network.
Value: Increased speed to delivery, fewer outages and a better operational experience.
Cisco IT Deployment – Prime Infrastructure 2.2
• PI & PnP 2.2 across the globe (6 sites)
  • Research Triangle Park
  • San Jose
  • Richardson
  • Almere (EMEA)
  • Bangalore
  • Singapore
• 3 MSEs per site
  • Context Aware Service
  • Location Analytics Service
  • Wireless Intrusion Protection (wIPS)
• Wireless Management (all production, 11k APs, 670 WLC)
  • Assurance (AP, WLC, MSE, WiFi Coverage)
  • Config & Image Management (WLC)
  • Security Compliance Mgmt (AP)
  • Inventory Management
  • Group Management (AP & WLC)
  • Location/Map Service (AP)
  • Usage Analysis & Notification (AP)
• Zero Touch Deployment (ZTD)
  • Cisco 45xx
  • Cisco 3750/3850
  • ASR1K/Cat65K
  • Cisco 44xx
• Wired Management (aligned with ZTD)
  • Config Lifecycle Management
  • Device Inventory
  • Image Management
IT Network Management – Prime Portfolio Usage Map
Capabilities (each marked In Use or In Planning): IoE Location Service; Wireless Management; Configuration Management; Network Topology, Config Discovery; Network Assurance; Zero Touch Provisioning & Deployment; Runbook Automation; Application Visibility; DC Assurance; Branch Office Automation; IP Address Management; WAN Capacity Management
Products mapped to these capabilities: Prime Infra + MSE; Prime Infra; Prime Infra + APIC-EM; Prime Infra + PnP; Process Orchestrator; Prime Infra, Collab & NAM; Prime Infra + Prime Insight; Prime Infra, vCenter, UCSM; Prime Network Registrar
Wireless Network Management: Case Study
• Global Wireless Management (11K APs, 670 Controllers)
• Assurance (AP, Controller, Mobility Services Engine, WiFi Coverage)
• Configuration & Image Management (Controller)
• Switch Port Tracing
• Inventory Management
• Group Management (AP & Controller)
• Location / Map Service (AP)
• Usage Analysis & Notification (AP)
• IoE Use Case: Asset Tracking (Active RFID)
Wireless Ops Management & IoE Implementation – Wireless Technology Powers IoE Implementation
[Architecture diagram: smart phones, laptops and active RFID tags (802.11-compatible RFID tags on endpoints) associate to Access Points; APs connect to the Wireless LAN Controllers over CAPWAP; the controllers feed the WLAN Location Appliance over NMSP and Cisco Prime Infrastructure over SNMP; Prime Infrastructure serves the client browser over HTTPS and third-party location applications over SOAP/XML; the location appliance provides on-demand location tracking of asset tags and sends notifications for telemetry, location, battery level etc. via SOAP/XML, SNMP trap, email and syslog.]
Wireless Network Management – Top 5 Business Values
1. Better QoS with ‘CleanAir’
2. Rogue AP detection with ‘wIPS’
3. Troubleshooting clients’ connections
4. AP planning with ‘location service’
5. Asset tracking with ‘context aware service’
What is Zero Touch Deployment – Case Study
• Capability to securely automate the following activities associated with a device:
  • Provisioning
  • Deployment
  • Upgrades
Device lifecycle stages shown: Rack, Stack, Cable; Provision; Deploy; Operate; Upgrade
Reasons to pursue ZTD
Save money !!!
• Cut incident rates due to inconsistent configurations
• Reduce skills level necessary to deploy production network devices
• Shorten time to deploy
Two-step deployment model for Routers & Switches using PI-based ZTD
1. Implementation engineer (at Central site) publishes the design based configuration (Golden Config)
2. PnP App operator (at local site) deploys day 0 config to initiate full config deployment.
How It Works
[Diagram components: Remote ISR; Prime Infrastructure on the internal network; PnP Gateway; USB console cable; 3G/4G uplink; ISE. Actors: Network Engineer (Prime Infrastructure) at the central site and Onsite Local Operator (PnP App) at the remote site.]
Zero Touch Deployment – Where we are going
• Reduces the need to travel to site
• Other than rack/stack/cabling, everything is done remotely
• All devices at a site are automated
• Engineers’ time at site is shortened
Current state:
• Not all devices at a site are automated
• Engineers stay at site for the same duration to support non-automated devices
Configuration Management: Case Study
Configuration & Compliance Management (Current Situation)
Total Configuration Templates: 1,500 to 7,500
(6-7 Places in Network) * (5-7 topologies per PIN) * (5-10 cut-sheets per topology) * (10-15 templates per cut-sheet)
Configurations are managed in cookbooks (Word docs) and cut-sheets (Excel)
A significant number of network-related outages are caused by config changes
[Chart: Image Upgrade FY13/14, device count: Simple 9,649; Complex 4,135]
Image Management (Current Situation)
Simple Image Upgrade: Automated (<30 mins per device)
Complex Image Upgrade: Manual (>3 hours per device)
Opportunity to simplify – What?
• Centralized & certified golden configuration repository
• Eliminate cutsheets from cookbook
• Track config changes (who, what & when) for better accountability & accuracy
• Reduce error (unify configurations and solve fat finger problem)
• Optimize configuration creation
• Reusable blocks of sub-configurations (templates)
• Object-oriented configuration structure (recursive composite templates)
• Automate configuration hand-off process
• RBAC & Approval process among design, implementation, field-deployment & ops engineers.
How It Works
[Diagram elements: Prime Infrastructure APIs; Production Golden Config (*Design/Impl/Ops); Development Config (*Design/Impl); Subversion version control; Cisco Process Orchestrator approval system; inputs: New Device, New Service, Configuration Update.]
Future Transition – Top 3 transition areas
1. User Experience: Services-based network automation experience
2. Ops Excellence & Security: Policy-based configuration enforcement
3. Speed to Deliver: Network-intelligence-based configuration adjustments
Network Assurance & Event Correlation: Case Study
28% of business impacting incidents are recurring
50%+ of Critical to Medium incidents are reported by end users
By inference:
• Fault and availability monitoring is not enough to report all issues.
• A correlation engine is critical to reduce MTTR for recurring issues.
[Chart: IT Recurring Incidents, Q4-FY13 through Q3-FY14, y-axis 0% to 50%]
[Chart: User-reported vs system-reported incidents, All vs Infra Only, Q3/14 through Q2/15, y-axis 0% to 100%]
Cisco Enterprise Landscape – Network Assurance is key to troubleshooting the enterprise landscape
[Diagram: Global Presence spans Corporate Border, Branch Office, Data Center and Corporate Office; Global Infra Services comprise Public Cloud (IaaS, PaaS, SaaS), Collab Experience (UC/V), Global network (private, public) and Private Cloud (IaaS, PaaS, SaaS); Borderless End Zones cover Home Office, Coffee Shop, Customers, Office Users, Mobile Users and Partners; user & application traffic is monitored over the network.]
Operational Goals to Achieve – How?
Basics:
1. Wireless device and quality assurance – Prime Infra
2. Application visibility & network traffic troubleshooting – NAMs
3. Wired device assurance metrics collection – Prime Infra
Transition in Network Assurance – Top 5 patterns
1. Application-centric network assurance
2. Big-data-driven network visibility
3. Config compliance / network policies as assurance
4. Controllers will drive a ‘self-healing’ model
5. Quality of Service will become the de facto basis of network SLA assurance
Prime Infrastructure Operations Center – Centralized Visualization of Multiple PI Instances
Distributed
• Supports up to 10 Prime Infrastructure instances
• Addresses geographic distribution, scalability, resiliency and visibility
• Single-pane-of-glass monitoring with click-through management
Centralized
• Central view of assets, alarms and clients
• Single sign-on
• Dashlets aggregated from PI instances
Scalable
• Consolidated view of network health
• Consolidated view of the health of each PI instance
• Report scheduling from one interface
Assurance – Application Experience and End User Experience
• End-to-end visibility for service-aware networking by applications, services, and end users
• Out-of-the-box support for Cisco® advanced technologies, including AVC 2.0, NetFlow, Flexible NetFlow, NBAR2, Performance Agent, Medianet, and more
• Service health dashboard allows a quick health check on your business-critical applications
• Simplified troubleshooting of applications and client access issues
• Multi-NAM management
  • Traffic analysis
  • Application response time metrics
  • Packet capture and decode
Network Topology
Initial use case: Visualization of Faults
o Network Topology Page
o Topology Dashlets
o Device 360 “N-Hop” contextual topology view
Planned use cases
o Data Center Topology
o Geographical Maps
o Link Utilization & Traffic Visualization
o Wireless / Mobility Service View
o Additional Logical / Service Views
o Integration into Provisioning Workflows
UCS Server Management – Bridging Network and Compute
• Extends One Management – visibility of infrastructure and assurance from branches all the way through campus and data center
• Cisco UCS B and C series – discovery and inventory of compute infrastructure, mapped back to the network elements of the data center
• Fault and root cause analysis – identify and isolate the source of the problem; pinpoint the issue to the right network or compute elements; understand the impact of network problems on the compute infrastructure; remediate the issue at its source
• Availability and performance – monitor the availability status of the UCS physical servers; provides visibility into UCS port health status and performance
• Server 360-degree view – concise and easy-to-consume server details accessible from anywhere in the product; allows for quick troubleshooting
What is Branch Service Automation?
Branch Service Automation is a Cisco management capability to design, catalog, deploy and automatically manage different branch types, including IWAN, Access and WLAN architectures, leveraging SDN controller-driven ACI policy automation and application-level SLA enforcement.
The value of Branch Service Automation is to dramatically reduce the TCO of large-scale branch roll-out through automation and to ensure continuous operational consistency, security and compliance to policy across ’000s of sites.
Branch Service Automation – Process Architecture
Service Design (Role: Network Admin)
• Drag-and-drop design of branch infrastructure, PINs and associated services
• Definition of application policies for QoE (end user SLAs), Security and Access
Service Catalog (Role: Network Admin)
• Branch designs (e.g. Small, Medium, Large) committed to the Service Catalog as a service offering
• Setting up of business entities and groups for which services can be ordered
Service Request (Role: Network Operations)
• Ordering of a Branch type when new site(s) or new services are needed
• Orchestration of device and network-as-a-service enablement for the Branch using ZTD
Service Operations (Role: Network Operations)
• Automated monitoring, correlation and troubleshooting of Branch services and infrastructure
• APIC-EM Controller-led changes to enforce policy compliance
Service Management (Role: Network Operations)
• Business- and application-level dashboarding and reporting for SLAs, Security and Network Changes
• Tie-in of branch service impact due to application delivery in DC / Cloud
Process arc across the stages: High Cost, Skilled Resource, One Time to Automated (Low TCO), Low Skill, Continuous
Enterprise Stack North Star
[Diagram: layers Network, Compute, Storage, WAN, Access, WLAN under Prime Service Automation – PSA (New); controllers APIC (Data Center) and APIC-EM (Enterprise Network); Prime Enterprise = Prime Infra + APIC-EM Apps + DCNM + vNAM + Insight. Policy Driven Automation combinations: PSA + UCSD + ESC/OSP; PSA + APIC-EM; PSA + UCSD + APIC (DC, WAN & Branch NfV). Goals: design, catalog, orchestrate and manage the lifecycle of end-to-end services (physical and virtual); drive business outcomes through management; simplify/automate the network with controllers and ACI. Management functions: Performance Management, Service / Management, Capacity / Analytics, Fault / Event Correlation, Change / Compliance, Multi-tenant / Op Center, Reporting / Visualization. Control Points: Physical.]
Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online