APIC-EM - Deployment and Operations

Transcription

1

2 APIC-EM - Deployment and Operations Adam Radford, Distinguished Systems Engineer

3 Agenda Overview Installation/Network Discovery Plug and Play (PnP) EasyQos Intelligent WAN (IWAN SD-WAN) Next Steps

4 Contrasting DNA from Traditional Network Management Controller Abstraction Best Practices Based Integrated Security Common Orchestration Big Data Analytics IT Process Integration Policy is the new network language Design IP embedded in software Not just network policy / configuration Across physical and virtual functions Delivers insights, not just information Focus on ecosystem integration 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

5 Installation/Network Discovery

6 Before You Deploy: Scalability Network Devices: Access Points: ` End Hosts: 100,000 Note: These scale numbers are for the APIC-EM platform and the base applications. Some other APIC-EM applications might have different scale numbers. Note: APIC-EM Release Cisco and/or its affiliates. All rights reserved. Cisco Public 6

7 Read the System Requirements To Verify disk IO # dd if=/dev/zero of=/tmp/foo bs=1m count=512 conv=fdatasync records in records out bytes (537 MB) copied, s, 22.7 MB/s 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 7

8 Verify the ISO 90% of install issues are due to host resource or ISO download issues 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 8

9 High-Availability (HA) Design Multiple instances GrapeVine (GV) root across different physical hosts and operating in Active-Active Data persistence layer that has instances spread across different physical nodes Today need to be on same L2 subnet Non-HA deployment (single/dual hosts): Supports SW failure (APIC-EM services) No support for HW (host) failure HA deployment (3 hosts): Supports SW failure (APIC-EM services) Supports HW failure of single host Node 1 Grapevine Root APIC-EM Services Service A Service B Service C APIC-EM Cluster Node 2 Grapevine Root APIC-EM Services Service M Service N Service O Node 3 Grapevine Root APIC-EM Services Service X Service Y Service Z 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 9

10 Demo

11 Discovery Quick, easy and efficient network discovery Based on CDP and IP Address Range Initiated via UI or NB REST APIs Supported Capabilities: Easy identification of devices with failures for faster troubleshooting Editing of Existing Discovery Jobs Cloning of Discovery Jobs to quickly create new ones Discovery History to track changes 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 11

12 Notes on Discovery CDP is required to discover neighbours and for topology CDP discovery will discover by the adjacent IP address IP Range will allow discovery via loopback etc To discover hosts, you need IP device Tracking (1.4 option to auto enable) As of 1.4, you can change the time between updates (25min) SNMP traps also used to provide faster notifications of host changes Cisco and/or its affiliates. All rights reserved. Cisco Public 12

13 Network Plug and Play

14 Demo

15 PnP Components PnP Helper App Delivers bootstrap status and troubleshooting checks PnP Protocol Runs between Agent and Server Open schema PnP Agent Runs on Cisco switches, routers, and wireless access points Automates the deployment process PnP Server Central server - APIC-EM Manages sites, devices, images, licenses Provides northbound REST APIs 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 15

16 PnP Server Discovery Options Switches (Catalyst ) Routers (ISR, ASR) Wireless Access Points 1 DHCP Server DHCP with options 60 and 43 2 DNS Server DNS lookup 3 Cloud re-direction - roadmap (Q2CY2017) 4 USB-key based bootstrapping 5 Manual - using the Cisco Installer App iphone, ipad, Android, (roadmap - Windows mobile and PC) 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 16

17 Some tools $./src/watch_provision.py FDO1732Q00B Watching unclaimed for serial:fdo1732q00b 20:48:05: Duration (0) Getting Device Info 20:50:46: Duration (160) Establishing Secure Channel 20:50:54: Duration (168) Getting Device Info 20:52:14: Duration (248) Waiting for Resource 20:53:17: Duration (311) Deploying Device Certificate 20:53:25: Duration (320) Deploying Config 20:55:54: Duration (468) Provisioned 20:55:56: Completed (468): PROVISIONED Shows each step in process and the amount of time it took 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 17

18 Simple Switch Deployment Modes 1 Non Vlan1 for Management 2 Non Vlan1 for Management Trunk 3 Non Vlan1 for Management Trunk Etherchannel 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 18

19 1 Non Vlan1 for Management pnp startup-vlan 14 interface GigabitEthernet1/0/5 description PNP switch 3650->g1/0/1 switchport access vlan 14 Cisco IOS Software [Denali], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version , RELEASE SOFTWARE (fc3) Technical Support: Copyright (c) by Cisco Systems, Inc. Compiled Tue 02-Aug-16 17:33 by mcpre <SNIPPED> *Oct 6 01:24:29.204: %SYS-5-CONFIG_I: Configured from console by tty100 *Oct 6 01:24:29.666: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan14, changed state to down *Oct 6 01:24:52.796: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan14, changed state to up *Oct 6 01:24:58.352: %PNPA-DHCP Op-43 Msg: Process state = READY <SNIPPED> *Oct 6 01:24:59.298: %PNPA-DHCP Op-43 Msg: _pdoon.2.ina=[vlan14] *Oct 6 01:24:59.298: %PNPA-DHCP Op-43 Msg: _papdo.2.cot=[5a1d;b2;k4;i ;j80] lot=[5a1d;b2;k4;i ;j80] <SNIPPED> *Oct 6 01:24:59.302: %PNPA-DHCP Op-43 Msg: _pdokp.2.kil=[pnpa_dhcp_op43] pid=359 idn=[vlan14] *Oct 6 01:24:59.302: XML-UPDOWN: Vlan14 XML Interface(102) SHUTDOWN(101). PID=359 *Oct 6 01:24:59.411: %DHCP-6-ADDRESS_ASSIGN: Interface Vlan14 assigned DHCP address , mask , hostname % Generating 2048 bit RSA keys, keys will be non-exportable... got vend id vend spec. info ret: succeed *Oct 6 01:25:13.341: %PNP-6-HTTP_CONNECTING: PnP Discovery trying to connect to PnP server *Oct 6 01:25:13.351: %PNP-6-HTTP_CONNECTED: PnP Discovery connected to PnP server [OK] (elapsed time was 9 seconds) PnP Switch Console Log 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 19

20 PnP Switch pre-deployment Switch#show run int g1/0/1 Building configuration... Current configuration : 100 bytes! interface GigabitEthernet1/0/1 switchport access vlan 14 macro description CISCO_SMI_EVENT end Any Active ports are placed in vlan 14 Switch# show ip int br Interface IP-Address OK? Method Status Protocol Vlan1 unassigned YES unset administratively down down Vlan YES DHCP up up VLAN1 shutdown VLAN14 DHCP Can Overwrite the DHCP address with a static IP during provisioning. PnP process will continue 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 20

21 2 Non Vlan1 for Management/Trunk pnp startup-vlan 14 Switch#show run int g1/0/1 Building configuration... Current configuration : 100 bytes! interface GigabitEthernet1/0/1 switchport access vlan 14 macro description CISCO_SMI_EVENT end Need CDP to run on Native-VLAN to set up vlan14 interface GigabitEthernet1/0/5 description PNP switch 3650->g1/0/1 switchport mode dynamic desirable Switch#show int g1/0/1 trunk Port Mode Encapsulation Status Native vlan Gi1/0/1 auto 802.1q trunking 1 Port Vlans allowed on trunk Gi1/0/ Port Vlans allowed and active in management domain Gi1/0/1 1,14 Port Vlans in spanning tree forwarding state and not pruned Gi1/0/1 1,14 PnP Switch pre-deployment 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 21

22 3 NV1 for Mgmt/Trunk/EtherChannel pnp startup-vlan 14 interface Port-channel1 switchport mode dynamic desirable no port-channel standalone-disable interface GigabitEthernet1/0/5 description PNP switch 3650->g1/0/1 switchport mode dynamic desirable channel-protocol lacp channel-group 1 mode passive interface GigabitEthernet1/0/6 description 2nd link to 3650 etherchannel test switchport mode dynamic desirable channel-protocol lacp channel-group 1 mode passive Switch#show int g1/0/1 trunk Port Mode Encapsulation Status Native vlan Gi1/0/1 auto 802.1q trunking 1 Port Vlans allowed on trunk Gi1/0/ Port Vlans allowed and active in management domain Gi1/0/1 1,14 Port Vlans in spanning tree forwarding state and not pruned Gi1/0/1 1,14 Switch#show int g1/0/2 trunk Port Mode Encapsulation Status Native vlan Gi1/0/1 auto 802.1q trunking 1 Port Vlans allowed on trunk Gi1/0/ VLAN 1 blocked on one uplink Port Vlans allowed and active in management domain Gi1/0/1 1,14 Port Vlans in spanning tree forwarding state and not pruned Gi1/0/ Cisco and/or its affiliates. All rights reserved. Cisco Public 22

23 Upstream Switch 3850-core#show int g1/0/5 etherchannel Port state = Up Sngl-port-Bndl Mstr Not-in-Bndl Channel group = 1 Mode = Active Gcchange = - Port-channel = null GC = - Pseudo port-channel = Po1 Port index = 0 Load = 0x00 Protocol = LACP Etherchannel members are singleport Flags: S - Device is sending Slow LACPDUs A - Device is in active mode. F - Device is sending fast LACPDUs. P - Device is in passive mode. Local information: LACP port Admin Oper Port Port Port Flags State Priority Key Key Number State Gi1/0/5 SA indep x1 0x1 0x106 0x7D Age of the port in the current state: 0d:00h:06m:09s 3850-core#show spanning-tree vlan 14 blockedports Name Blocked Interfaces List VLAN0014 Gi1/0/6 Management VLAN is blocked on one of downlinks Number of blocked ports (segments) in vlan 14: Cisco and/or its affiliates. All rights reserved. Cisco Public 23

24 Things to avoid Management VLAN > 1024 (not all switches will support the creation of them) VLAN creation on device (for non-native vlan 1 etc). Some switches will need extra commands to create the vlan outside of the config "aaa command authorisation" fixed in 16.3 code, also see blog post for workaround. 5/next-generation-network-deployment-plug-and-play-part7 Etherchannel fix in 16.5 Management Interface (VRF) support in 16.5 Make sure a configuration file has "end" as the last line 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 24

25 Advanced Switch Deployment Modes 4 Non Vlan1 for Management Trunk /Etherchannel Non Native Vlan1 5 Non Vlan1 for Management Trunk /Etherchannel Non Native Vlan1 Stacked 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 25

26 4 NV1 for Mgmt/Trunk/Etherchannel/Non Native Vlan1 pnp startup-vlan 14 interface Port-channel1 switchport mode dynamic desirable switchport trunk native vlan 999 no port-channel standalone-disable interface GigabitEthernet1/0/5 description PNP switch 3650->g1/0/1 switchport mode dynamic desirable switchport trunk native vlan 999 channel-protocol lacp channel-group 1 mode passive interface GigabitEthernet1/0/6 description 2nd link to 3650 etherchannel test switchport mode dynamic desirable switchport trunk native vlan 999 channel-protocol lacp channel-group 1 mode passive VLAN 1 blocked due to Native vlan mismatch Switch#show int g1/0/1 trun Port Mode Encapsulation Status Native vlan Gi1/0/1 auto 802.1q trunking 1 Port Vlans allowed on trunk Gi1/0/ Port Vlans allowed and active in management domain Gi1/0/1 1,14 Port Vlans in spanning tree forwarding state and not pruned Gi1/0/1 14 Switch#show int g1/0/2 trun Port Mode Encapsulation Status Native vlan Gi1/0/1 auto 802.1q trunking 1 Port Vlans allowed on trunk Gi1/0/ Port Vlans allowed and active in management domain Gi1/0/1 1,14 Port Vlans in spanning tree forwarding state and not pruned Gi1/0/ Cisco and/or its affiliates. All rights reserved. Cisco Public 26

27 5 Stacking Stack rules will match on any serial number just pick one Need to fill out licensing for stacks Licensing only applies to stacks Accept EULA as well 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 27

28 Notes on Stacks Some commands (e.g. switch priority) need to be done outside of the config (EEM to the rescue). Switch member number needs to be done with care. Boot up order at present wait 20sec between powering on stack members Licensing is important, if licenses differ, stack will fragment My stacking blog Cisco and/or its affiliates. All rights reserved. Cisco Public 28

29 BootStrap Configuration What if no DHCP, how to get IP address/discovery mechanism? Smartphone app or USB to upload bootstrap config Make sure last statement in file is "end" same as a config file 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 29

30 Management Interface Management interface in separate vrf on routers 16.5 on switches Can use bootstrap config workaround 3850-core#show run int g0/0 Building configuration... Current configuration : 94 bytes! interface GigabitEthernet0/0 vrf forwarding Mgmt-vrf no ip address negotiation auto end interface GigabitEthernet0/0 vrf forwarding Mgmt-vrf ip address dhcp negotiation auto no shutdown! ip http client source-interface GigabitEthernet0/0! pnp profile PnP-profile transport https ipv port 443 source GigabitEthernet0/0 end 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 30

31 What about jinja2 templates? {% from "macros.jnja" import user_port, ap_port, uplink_trunk with context%} {% extends "base.jnja" %} {% block interfaces %} {% for stack_num in range(1,5) %} interface range g{{ stack_num }}/0/1-44 {{ user_port() }} int range g{{ stack_num }}/0/44-48 {{ ap_port() }} int ten{{ stack_num }}/1/4 {{ uplink_trunk() }} Script will - Generate config - Upload to APIC-EM - Create a rule in a project {% endfor %} {% endblock %} four_switch.jinja 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 31

32 Device Clean up If you are testing multiple devices, need to make sure totally back to factory defaults. Most times a "wr er" is enough, but full clean up is below (including standby)!remove the certificates on active and standby delete /force nvram:*.cer delete /force stby-nvram:*.cer!remove vlan data based from active and standby delete /force flash-1:vlan.dat delete /force flash-2:vlan.dat!remove certificates from memory. NOTE: you will not be able to SSH after this conf t crypto key zeroize yes end! Write erase wr er 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 32

33 EasyQoS

34 Demo

35 Converting Business Intent to Tactical Policies the principle goal of the tactical QoS policy is to express the strategic QoS policy with maximum fidelity EM QoS design best practices will be used to generate platform-specific configurations QoS features will be selectively enabled if they directly contribute to expressing the strategic policy on a given platform Wireless AP Trust Boundary PEP 4Q (WMM) Catalyst 3650 Trust Boundary PEP 2P6Q3T Catalyst 4500 Trust DSCP 1P7Q1T Catalyst 6500 Trust DSCP 1P3Q4T 1P7Q4T 2P6Q4T Nexus 7700 Trust DSCP F3: 1P7Q1T WLC PEP ASR/ISRs Trust DSCP HQoS MQC Catalyst 2960-X Trust Boundary PEP 1P3Q3T Wireless AP Trust Boundary PEP 4Q (WMM) 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 35

36 Determining Business Relevance How Important is a Given Application to Business Objectives Business Relevant These applications directly supports business objectives Applications should be classified and marked according to RFC based rules Default / Maybe / Unknown These applications may/may not support business objectives E.g. HTTP/HTTPS Alternatively, administrator may not know the application (or how its being used in the org) Applications in this class should be marked DF and provisioned with a default best-effort service (RFC 2474) Business Irrelevant These applications are known and do not directly support any business objectives; this class includes all personal/consumer applications Applications in this class should be marked CS1 and provisioned with a less-than-best-effort service (RFC 3662) 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 36

37 What Do We Do Under-the-Hood? Apply RFC 4594-based Marking / Queuing / Dropping Treatments Application Class Per-Hop Behaviour Queuing & Dropping Application Examples VoIP Telephony EF Priority Queue (PQ) Cisco IP Phones (G.711, G.729) Broadcast Video CS5 (Optional) PQ Cisco IP Video Surveillance / Cisco Enterprise TV Real-Time Interactive CS4 (Optional) PQ Cisco TelePresence Multimedia Conferencing AF4 BW Queue + DSCP WRED Cisco Jabber, Cisco WebEx Relevant Multimedia Streaming AF3 BW Queue + DSCP WRED Cisco Digital Media System (VoDs) Network Control CS6 BW Queue EIGRP, OSPF, BGP, HSRP, IKE Signalling CS3 BW Queue SCCP, SIP, H.323 Ops / Admin / Mgmt (OAM) CS2 BW Queue SNMP, SSH, Syslog Transactional Data AF2 BW Queue + DSCP WRED ERP Apps, CRM Apps, Database Apps Default Irrelevant Bulk Data AF1 BW Queue + DSCP WRED , FTP, Backup Apps, Content Distribution Default Forwarding DF Default Queue + RED Default Class Scavenger CS1 Min BW Queue (Deferential) YouTube, Netflix, itunes, BitTorrent, Xbox Live 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 37

38 What about the WAN? SP Profile defines the mapping into SP classes and the allocation of BW between classes. SP profiles are defined per interface. Use the #WAN# metadata in the interface description description CIRCUIT TO WE-ASR2 GIG #WAN#50M#SPP:test1# 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 38

39 Custom BW allocations Prior to 1.4 BW allocations between classes were fixed. 1.4 allows a custom profile (one per scope) 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 39

40 NBAR Router and Custom Apps (NBAR PP27) class-map match-any prm-marking_in#tunneled-nbar match protocol capwap-data match access-group name prm-marking_in#tunneled-nbar acl policy-map prm-marking_in class prm-marking_in#tunneled-nbar class prm-marking_in#voice set dscp ef ip access-list extended prm-marking_in#tunneled-nbar acl remark adam-app permit tcp any host eq 8888 class-map match-any prm-marking_in#bulk_data_custom match access-group name prm-marking_in#bulk_data_custom acl policy-map prm-marking_in class prm-marking_in#tunneled-nbar class prm-marking_in#voice_custom set dscp ef <snip> class prm-marking_in#trans_data_custom set dscp af21 ip access-list extended prm-marking_in#bulk_data_custom acl remark test permit tcp any host eq Prior to 1.4 and PP27, custom apps were just tunneled through a router. Needed to mark at switch downstream 1.4 and PP27, custom apps are marked by the router Cisco and/or its affiliates. All rights reserved. Cisco Public 40

41 Dynamic QoS policy-map prm-dyn-gig1/0/11 class prm-dyn-gig1/0/11#dyn_voice set dscp ef class prm-dyn-gig1/0/11#dyn_realtime set dscp cs4 class prm-dyn-gig1/0/11#dyn_video set dscp af41 class-map match-any prm-dyn-gig1/0/11#dyn_video match access-group name prm-dyn-gig1/0/11#dyn_video acl class-map match-any prm-dyn-gig1/0/11#dyn_voice match access-group name prm-dyn-gig1/0/11#dyn_voice acl Need EasyQoS defined an applied first Just marks the traffic at ingress. Based on source IP address (which port is this host)? Dynamically updates the ACL for src/dst IP/Port class-map match-any prm-dyn-gig1/0/11#dyn_realtime ip access-list extended prm-dyn-gig1/0/10#dyn_video acl ip access-list extended prm-dyn-gig1/0/10#dyn_voice acl 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 41

42 All the details on HOW Cisco and/or its affiliates. All rights reserved. Cisco Public 42

43 IWAN

44 Demo

45 Cisco Intelligent WAN: Leveraging the Internet for Secure WAN Transport & Internet Access Branch Optimised Secure Transport MPLS (IP-VPN) Private Cloud Virtual Private Cloud Direct Internet Access Internet Public Cloud 1. IWAN Secure transport for private and virtual private cloud access 2. Leverage local Internet path for public cloud and Internet access Increase WAN Capacity Improve App Performance Scale Security at the Branch 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 45

46 IWAN SD-WAN Automation IWAN APP Cisco APIC-EM centralised policy expression and distribution Policy Expression Policy Rendering Data Centre or POP Data Centre or POP #2...n IWAN Domain Controller Distributed policy enforcement Automated application and topology discovery Application and network performance monitoring ` Policy Distribution and Domain Control Adaptive path selection and QoS to sustain policy 4G LTE MPLS (IP-VPN) Internet Performance analytics collected network-wide and reported centrally Distributed Policy Enforcement MC Branch MC Large Site MC Campus 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 46

47 Interaction with EasyQoS IWAN devices have their own scope, that cannot be changed Hence you cannot put an IWAN device into EQ scope 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 47

48 Next Steps

49 Upgrades Drag and drop upgrade app bundles Enable applications after install 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 49

50 Community Help Cisco and/or its affiliates. All rights reserved. Cisco Public 50

51 Q & A

52 Complete Your Online Session Evaluation Give us your feedback and receive a Cisco Live 2017 Cap by completing the overall event evaluation and 5 session evaluations. All evaluations can be completed via the Cisco Live Mobile App. Caps can be collected Friday 10 March at Registration. Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations Cisco and/or its affiliates. All rights reserved. Cisco Public 52

53 Thank you

54