Network Programmability with APIC‐EM
Cluj‐Napoca
Doinea Bogdan
Heroes
WEB 1.0
Internet Heroes
Practically invented TCP/IP
Designed most of the IPv6 format
Strong contributor to the IoT concept.
Lead architect for 6LoWPAN
Made switching loops something we could all live with
Co‐invented IS‐IS
Worked extensively to create TRILL
What did they create?
"The truth is no online database will replace your daily newspaper, no CD‐ROM can take the place of a competent teacher and no computer network will change the way government works.”
Clifford Stoll, Astronomer
"I think there is a world market for maybe five
computers." ‐‐ Thomas Watson, chairman of IBM,
1943.
"We will never make a 32‐bit operating system." – Bill Gates, 1989
Where are we now?
Evolution comes with its challenges
How are we addressing it?
• From STP ‐> MST ‐> VSS/Stacking ‐> more & more layer 3 LAN design
• From VLAN ‐> VXLAN ‐> OTV/LISP/EVPN
• From static IP ‐> link‐state RP ‐> BGP ‐> MPLS ‐> Hybrid WANs (IWAN)
• From bare metal ‐> VMs ‐> Containers
• From firewalls/VPNs ‐> IPSs ‐> anomaly‐based ‐> retrospective security
• From local HDD ‐> SANs ‐> SDS ‐> Hyper convergence
• From 1 CCIE ‐> x different CCIEs, where x is …?
8 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Digital Business Demands Operational Efficiency and Agility
[Charts: 80% of IT time is spent on operations; 57% of CEOs are worried about IT strategy not supporting business growth (Source: Forrester). Network expenses: 33% CAPEX vs. 67% OPEX. Deployment speed, in seconds on a log scale from 0 to 1000: computing provisions in seconds, networking far slower (Source: Open Compute Project).]
“…While other components of the IT infrastructure have become more programmable and allow for faster, automated provisioning, installing network circuits is still a painstakingly manual process...” —TechTarget/Network Evolution, April 2015
Problems we want to solve
• Network agility is too slow – both service implementation and vendor go‐to‐market
• Network flexibility is too small – waterfall model, not agile model
• Applications can’t really talk to the network in a standard way
• There is no ONE WAY to provision, manage and orchestrate all the networking equipment
• “Problems are not stop signs, they are guidelines”, Robert H. Schuller
SDN as a Solution
• SDN = software defined networking. Solution for: FastIT, Agile Networking, scaling the Internet of Things, handling Big Data (Hadoop, MapReduce, Lucene etc.)
• Basic concept (2008): every smart device has a Control Plane and a Data Plane; decouple the two
[Diagram: an APIC controller pushes Policy down to switches and routers, and receives State back from them]
SDN
Mature Concept(2016)
• Current intelligence needs to remain in every device, but expose an Open API (fast)
• “What happens if the controller fails, or for some reason a dumb switch does not know how to treat a new packet?”
• A smooth transition needs to be ensured (reliable)
• “IPv6 taught us there is no transition silver bullet. We need the mechanisms to do it gradually”
• A policy model is much better than an imperative model (simple)
• “To eliminate complexity, we need to tell the network what we want from it, not how we want it to be implemented”
APIC-EM – Enterprise Controller
[Diagram: Applications (Security, Orchestration, Automation, Collaboration) talk to APIC-EM over the northbound REST API; the SOUTHBOUND ABSTRACTION LAYER speaks CLI to the devices: CATALYST | ISR | ASR | WIRELESS, i.e. switches (Catalyst®), routers (ISR, ASR) and wireless access points]
• Fast – it has an Open API – you can build an application over it, today!
• Reliable – the southbound abstraction layer speaks IOS CLI to the devices
• Simple – a REST API policy model of “what I need”, not “how I need it”, exposed to applications
What is REST?
HTTP GET
• Using HTTP/HTTPS to communicate between 2 software components written in any language, over any environment
• Using HTTP GET/POST/PUT/DELETE to make a remote function call
• Using JSON to pass the parameters to the function call
Example - Policy for Security
https://test-apic/api/v0/policy POST
{
"policyName": "deny_some",
"policyOwner": "Admin",
"actions": ["DENY"],
"networkUser": {"userIdentifiers": ["40.0.0.15"]},
"resource": {"userIdentifiers": ["10.10.20.3"], "applications":[{"raw": "81;TCP"}]}
}
Resulting IOS ACL entry pushed to the device: deny tcp host 40.0.0.15 host 10.10.20.3 eq 81
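The policy body above is the “what”; the controller derives the “how” (the ACL line) from it. The following Python is an added example, not code from the slides or from Cisco, that rebuilds the slide’s policy, shows the REST request it belongs to, and renders the extended‐ACL entries the southbound layer would have to push. It generalises the slide’s single host/port case to CIDR sources and destinations and to several applications per policy. The endpoint path /api/v0/policy and the JSON field names are taken from the slide; the `Content-Type` header is an assumption, and authentication and TLS handling are deliberately left out so the example runs offline. Because the southbound layer turns these fields into IOS CLI, the example validates every field strictly before rendering anything.

```python
"""Added example: declarative APIC-EM style policy -> imperative IOS extended ACL.
Field names and the /api/v0/policy path follow the slide; everything else
(header name, validation rules, CIDR handling) is this example's assumption.
"""
import ipaddress
import json

# Constructed here to match the policy body shown on the slide.
EXAMPLE_POLICY = {
    "policyName": "deny_some",
    "policyOwner": "Admin",
    "actions": ["DENY"],
    "networkUser": {"userIdentifiers": ["40.0.0.15"]},
    "resource": {
        "userIdentifiers": ["10.10.20.3"],
        "applications": [{"raw": "81;TCP"}],
    },
}

ACTIONS = {"DENY": "deny", "PERMIT": "permit"}
PROTOCOLS = {"TCP": "tcp", "UDP": "udp"}


def parse_application(raw):
    """Parse the slide's "port;proto" form into (port, ios_protocol).

    Strict parsing matters here: the output becomes CLI on a router, so a value
    such as "81;TCP\\nno ip access-list ..." must be rejected, not rendered.
    """
    port_str, sep, proto = raw.partition(";")
    if not sep or not port_str.isdigit() or proto.upper() not in PROTOCOLS:
        raise ValueError(f"bad application spec: {raw!r}")
    port = int(port_str)
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port, PROTOCOLS[proto.upper()]


def acl_address(identifier):
    """Render an identifier as an IOS ACL address.

    A /32 (or bare address) becomes "host a.b.c.d"; any other prefix becomes
    "network wildcard". This is the example's generalisation of the slide's
    host-only case.
    """
    net = ipaddress.ip_network(identifier, strict=False)
    if net.version != 4:
        raise ValueError("this example renders IPv4 ACLs only")
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def policy_to_acl(policy):
    """Expand a policy into one extended-ACL entry per source x destination x application."""
    actions = policy["actions"]
    if len(actions) != 1 or actions[0] not in ACTIONS:
        raise ValueError(f"unsupported actions: {actions!r}")
    action = ACTIONS[actions[0]]
    entries = []
    for src in policy["networkUser"]["userIdentifiers"]:
        for dst in policy["resource"]["userIdentifiers"]:
            for app in policy["resource"]["applications"]:
                port, proto = parse_application(app["raw"])
                entries.append(
                    f"{action} {proto} {acl_address(src)} {acl_address(dst)} eq {port}"
                )
    return entries


def rest_request(controller, policy):
    """Return the REST call from the slide as (method, url, headers, body).

    Nothing is sent, so the example runs offline. In a real deployment the
    call goes over HTTPS with the controller's certificate verified and an
    authentication token in the headers (assumed, not shown on the slide).
    """
    url = f"https://{controller}/api/v0/policy"
    headers = {"Content-Type": "application/json"}  # assumption
    return "POST", url, headers, json.dumps(policy)


if __name__ == "__main__":
    method, url, headers, body = rest_request("test-apic", EXAMPLE_POLICY)
    print(method, url)
    print(body)
    for line in policy_to_acl(EXAMPLE_POLICY):
        print(line)
```

Running the block prints the POST and the single line `deny tcp host 40.0.0.15 host 10.10.20.3 eq 81`; a /24 source renders as `10.0.0.0 0.0.0.255`, and a `raw` value carrying a newline is refused before any CLI is generated.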
REST API Structure - Setup
/discovery
/network‐device
/interface
/host
/location
/link
/user
/radius‐server‐config
/ldap‐server‐config
/external‐aaa‐server‐config
/external‐aaa‐server‐keystore‐file
Swagger
Demo – APIC-EM online
Introducing APIC-EM and 3 Apps
Day 0 : Plug‐and‐Play App
Zero touch deployment of routers / switches / APs
Shrinks deployment from months to minutes
Day 1 : Cisco IWAN App
Guided, fast auto‐provisioning of the IWAN solution with Cisco experts’ best practices
From 1000s of CLI commands to a few policy deployments with a few GUI clicks per branch
Day 2 : Path Trace App
Discover the path between two end points based
Lower OPEX for trouble ticket processing by 98%
[Diagram: the 3 new applications sit on top of the Northbound REST API, alongside Security, Orchestration, Automation and Collaboration applications; below it the SOUTHBOUND ABSTRACTION LAYER reaches CATALYST | ISR | ASR | WIRELESS]
APIC-EM Platform Architecture
[Diagram, bottom to top:]
• Network
• Elastic Controller Infrastructure (Grapevine) – provides scale and high availability
• Core services: Inventory Manager, RBAC, Policy Analysis, Policy Programmer, Network PnP Data Access Service, Topology Services
• Application‐specific services: IWAN Services
• Open and documented REST API
• Applications packaged with APIC‐EM: Network PnP, IWAN, Path Trace, Network Inventory, Advanced Topology Visualizer (core applications bundled; the IWAN application is separately licensed)
• Applications built on top of APIC‐EM
APIC-EM Packaging and Deployment
Built as a Linux container
• Grapevine Root runs on the operating system of the server / machine, with Grapevine (GV) clients in LXC containers
Standalone or resilient deployment
• 3 nodes: active-active-active; scale and HA against software failure and hardware failure of 1 node
• 1 or 2 nodes: active-active; scale and HA against software failure only
Download or preinstalled appliance
• Download: .iso image including Ubuntu 14.04 64‐bit, available from software.cisco.com and devnet.cisco.com
• Cisco appliance: APIC-EM installed, ready to go; SKUs APIC-EM-APL-R-K9 and APIC-EM-APL-G-K9
Network Plug and Play (PnP) – Components
• PnP Agent: runs on Cisco® switches, routers, and wireless access points; automates the deployment process
• PnP Server: central server on APIC-EM; manages sites, devices, images, licenses and workflow; provides northbound REST APIs
• PnP Protocol: runs between agent and server; open schema
• PnP Helper App [optional]: delivers bootstrap, status and troubleshooting checks over a console adapter (Redpark RJ45 to Apple 30‐pin, Redpark RJ45 to Apple 8‐pin, GetConsole, Airconsole 2.0 Bluetooth adapter)
• Cloud Redirect Service [optional]: roadmap phase 2
IWAN App on APIC-EM
Policy‐driven IWAN site deployment including PnP and monitoring
Three main areas:
1. Hub site and settings
2. Administration of application policy
3. Branch site setup
Step‐by‐step network and hub settings; simple policy definition and customization
Application priority policy setting in the IWAN app
• Path preference: set the primary path and the action on threshold crossing, which can be a second path or dropping the traffic
• Drag and drop business buckets: drag and drop a business category among business critical | scavenger | default
Path Trace App: Enhanced Application Flow Visibility
[Screenshot: CAPWAP tunnel visualization, accuracy note (as a percentage), link source information, ingress/egress interface]
Path Trace App: Topology View
Demo – iWAN App
What’s next?
• Full ACL management, QoS, smart troubleshooting and other applications are coming
• Test it – it’s free!
• By default it includes the PnP and Path Trace apps for free – IWAN is licensed separately, but included for free through Cisco ONE
• Get used to software – the question is not “if SDN will…”, it’s “when SDN will…”