Network Programmability with APIC‐EM 

Cluj‐Napoca  

Doinea Bogdan

Heroes

WEB 1.0 

Internet Heroes

Prac4cally invented TCP/IP  

Designed most of the IPv6 format 

Strong contributor to the IoT concept. 

Lead architect for 6LoWPAN 

Made switching loops something we 

could all live with  

Co‐invented IS‐IS  

Worked extensively to create TRILL 

 

What did they create?

"The truth in no online database will replace your 

daily newspaper, no CD‐ROM can take the place of 

a competent teacher and no computer network will 

change the way government works.” 

Clifford Stoll, Astronomer 

"I think there is a world market for maybe five 

computers." ‐‐ Thomas Watson, chairman of IBM, 

1943. 

We will never make a 32‐bit operaOng system. 

– Bill Gates, 1989 

Where are we now?

Evolution comes with its challenges

How are we addressing it?

•  From STP ‐> MST ‐> VSS/Stacking ‐> more&more layer 3 LAN design 

•  From VLAN ‐> VXLAN ‐> OTV/LISP/EVPN 

•  From sta4c IP ‐> link‐state RP ‐> BGP ‐> MPLS ‐> Hybrid WANs(iWAN) 

•  From bare metal ‐> VMs ‐> Containers 

•  From firewalls/VPNs ‐> IPSs ‐> anomaly‐based ‐> retrospec4ve security 

•  From local HDD ‐> SANs ‐> SDS ‐> Hyper convergence 

•  From  1 CCIE to ‐> x different CCIEs where x is …? 7

8 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Digital Business Demands Operational Efficiency and Agility

Time IT spends on operations CEOs are worried about IT strategy not supporting business growth 80% 57%

0

100%

Source: Forrester

CAPEX OPEX

33% 67%

0 10 100 1000

Computing Networking

Seconds

Source: Open Compute Project

“…While other components of the IT infrastructure have become more programmable and allow for faster, automated provisioning,

installing network circuits is still a painstakingly manual process...” —TechTarget/Network Evolution, April 2015

Network Expenses Deployment Speed

Problems we want to solve

• Network agility is too slow ‐ both service implementa4on and vendor go‐to‐market 

• Network flexibility is too small – waterfall model, not agile model 

• Applica4ons can’t really talk to the network in a standard way  

•  There is no ONE WAY to provision, manage and orchestrate all the networking equipment  

•  “Problems are not stop signs, they are guidelines”, Robert H. Schuller 

SDN as a Solution

•  SDN = soeware defined networking. Solu4on for: FastIT, Agile Networking, scaling the Internet of Things, handling Big Data(Hadoop, MapReduce, Lucene etc) 

• Basic Concept(2008):  •  In every smart device we have Control Plane and Data Plane 

•  Decouple the two 

 

 

APIC Controller 

Switch  Router 

Polic

y 

Polic

y 

Polic

y Polic

y Polic

y 

State  State 

SDN 

Mature Concept(2016)

• Current intelligence needs to remain in every device, but provide and Open API (fast)  

•  “what happens if the controller fails or fore some reason a dumb switch does not know how to treat a new packet?” 

• A smooth transi4on needs to be insured (reliable) 

•  “IPv6 thought us there is no transi4on silver‐bullet. We need the mechanisms to do it gradually” 

• A policy model is much beker than an impera4ve model (simple) 

•  “To eliminate complexity, we need to tell the network what we want from it, not how we want it to be implemented” 

APIC-EM – Enterprise Controller

Applica4ons 

Security Orchestration Automation Collaboration

SOUTHBOUND ABSTRACTION LAYER  

CATALYST | ISR | ASR | WIRELESS

REST API

Fast – it has an Open API – you can 

build an applica4on over it, today!  

 

Reliable – southbound abstrac4on 

layer speaks IOS CLI to devices 

 

Simple – a REST API Policy model of 

“what I need”, not “how I need it” to 

applica4ons 

Switches (Catalyst®) Routers (ISR, ASR) Wireless Access Points

CLI 

What is REST?

HTTP GET 

•  Using HTTP/HTTPS to communicate between 2 soeware components wriken in any 

language, over any environment  

•  Using HTTP GET/POST/PUT/DELETE to make a remote func4on call 

•  Using JSON to pass the parameters to the func4on call   

Example - Policy for Security

https://test-apic/api/v0/policy POST

{

"policyName": "deny_some",

"policyOwner": "Admin",

"actions": ["DENY"],

"networkUser": {"userIdentifiers": ["40.0.0.15"]},

"resource": {"userIdentifiers": ["10.10.20.3"], "applications":[{"raw": "81;TCP"}]}

}

1)  deny tcp host 40.0.0.15 host 10.10.20.3 eq 81

REST API Structure - Setup

15 

/discovery  /network‐device 

/interface 

/host 

/loca4on 

/link 

/user 

/radius‐server‐config 

/ldap‐server‐config 

/external‐aaa‐server‐

config 

/external‐aaa‐server‐

keystore‐file 

Swagger

17 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Demo – APIC-EM online

Introducing APIC-EM and 3 Apps

Day 0 : Plug‐and‐Play App 

Zero touch deployment of  routers / switches / APs 

Shrinks deployment from months to minutes 

Day 1 : Cisco IWAN App 

Guided, fast auto‐provisioning of IWAN solu4on with Cisco experts’ best prac4ces 

From 1000s of CLI commands to a few policy deployments with a few GUI clicks per branch 

Day 2 : Path Trace App 

Discover path between two end points based  

Lower OPEX for trouble 4cket processing by 98% 

3 N E W A P P L I C A T I O N S

Applica4ons 

Security Orchestration Automation Collaboration

SOUTHBOUND ABSTRACTION LAYER

 

CATALYST | ISR | ASR | WIRELESS

REST API

E N T E C H N O L O G Y D I F F E R E N T I A T I O N

Northbound REST API

APIC-EM Platform Architecture

APIC‐EM Applica4ons 

Elastic Controller Infrastructure (Grapevine )

Network 

PnP IWAN  Path Trace 

Network 

Inventory 

Advanced Topology Visualizer 

APIC-EM Services

Inventory 

Manager RBAC  Policy Analysis 

Policy 

Programmer 

Network PnP Data Access 

Service 

Topology 

Services 

IWAN 

Services 

Applica4ons built on top of APIC‐EM 

Applica4ons packaged with APIC‐EM 

Core Applica4ons bundled  

IWAN Applica4on separately licensed 

Open and Documented REST API 

Core Services 

Applica4ons Specific Services 

Provides Scale and High Availability 

20 APIC-EM alive © 2015 Cisco and/or its affiliates. All rights reserved.

APIC-EM Packaging and Deployment

Built as a Linux Container

Grapevine Root

LXC Container

LXC Container

GV Client

GV Client

Operation System

Server / Machine

Standalone or Resilient Deployment

3 Nodes •  active-active-active

•  Scale and HA - Software failure - HW failure of 1 node

1 or 2 Nodes •  active-active

•  Scale and HA - Software failure only

Download or Preinstalled Appliance

Download •  .iso image including

ubuntu 14.04 64bit

•  available from: - software.cisco.com - devnet.cisco.com

Cisco Appliance •  APIC-EM installed

•  ready-to-go

•  or SKU: - APIC-EM-APL-R-K9 - APIC-EM-APL-G-K9

21 APIC-EM alive © 2015 Cisco and/or its affiliates. All rights reserved.

Network Plug and Play (PnP) – Components

PnP Agent Runs on Cisco® switches, routers, and wireless access points

Automates the deployment process

PnP Server Central Server on APIC-EM

Manages sites, devices, images, licenses, workflow

Provides Northbound REST APIs

PnP Protocol Runs between Agent and Server

Open Schema

PnP Helper App [ Optional ]

Delivers bootstrap, status and troubleshooting checks

Redpark RJ45

Apple 30pin

Redpark RJ45

Apple 8pin

GetConsole

Airconsole2.0

Bluetooth Adapter

Cloud Redirect Service [ Optional ]

Roadmap Phase 2

22 APIC-EM alive © 2015 Cisco and/or its affiliates. All rights reserved.

`

Three main areas:

1.  Hub site and settings

2.  Administration of application policy

3.  Branch site setup

IWAN App on APIC-EM

Policy-Driven IWAN Site Deployment including PnP and Monitoring

Step-by-Step Network and Hub Settings

Simple Policy Definition and Customization

23 APIC-EM alive © 2015 Cisco and/or its affiliates. All rights reserved.

`

Application priority policy setting in IWAN app

  Path preference: Set primary and action on

threshold crossing, which

can be a second path or drop traffic

  Drag and drop business buckets

Drag and Drop a business category among: business

critical | scavenger | default

24 APIC-EM alive © 2015 Cisco and/or its affiliates. All rights reserved.

`

Path Trace App: Enhanced Application Flow Visibility

CAPWAP Tunnel

Visualization

Accuracy Note

(in a percentage)

Link Source

Information

Ingress/Egress

Interface

25 APIC-EM alive © 2015 Cisco and/or its affiliates. All rights reserved.

Path Trace App: Topology View

`

26 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Demo – iWAN App

27 APIC-EM alive © 2015 Cisco and/or its affiliates. All rights reserved.

•  Full ACL Management, QoS,Smart Troubleshooting and other applications coming

•  Test it – it’s free!

•  By default includes the PnP and Path Trace App for free – iWAN is under cost, but included for free trough Cisco One

•  Get used to software – the question is not “if SDN will…”, it’s “when SDN will…”

What’s next?