SDN Led IT Operations Management with APIC-EM and Prime Infrastructure Ronnie Ray BRKNMS-1036
Agenda Introduction to Campus / Branch SDN Evolution to SDN led IT Operations SDN led Provisioning SDN led Monitoring and Assurance SDN led IT Process Automation SDN led Management Product Packaging Conclusion
Introduction to Campus/Branch SDN
SDN Ground Zero
http://yuba.stanford.edu/~casado/vns_sigcse.pdf
Since then the SDN market has exploded
4800% VC investment growth in SDN since 2007
419 SDN Companies in the Market
$35B Expected Size of SDN Market in 2018
Numerous SDN technologies have flooded the market: OpenFlow, SDKs, Overlays, ASICs, Controllers, Virtual Switch/Router, NFV, SDN Network Devices
Confused?
Let's hit the pause button for a moment and consider the WHY.
Drivers for SDN: Too many manual processes 40%; Change/Config management difficulties 36%; Maintenance window inhibits new technology implementation 29%; Provisioning difficulties 28%
Capex:Opex Ratio for Branch Management: Annual Cost of Capex 25%, Annual Cost of Opex 75%
Network Automation and Simplification Higher Application Awareness and Programmability These goals are shaping enterprise SDN strategy
Dimensions of SDN Led Network Change Transformation Innovation Manual Automated Closed Systems Open and Programmable Device by device Network-wide Network Data Business Intelligence Configuration Policy New Installations Legacy + New Installations Enterprise Networks Become More Agile, Effective, and Efficient to Operate
SDN Stack for Automation and Flexibility REST API Plug & Play SDN Stack Model Simplicity via Controllers (one manageable source of truth to base network changes) Automation via Apps (rapid translation of intended business outcomes to required network behavior) Flexibility via Loosely Coupled Abstractions (harmonizes disparate network pieces to create a network as a system )
RISK : COMPLEXITY SDN Applications Lower Risk and Cost High Risk Device / Platform 100s-1000s of Features End User Validate and Test High Operational Cost Low Risk Cisco Validated Designs and Best Practices Policy Abstraction of Best Practices through SDN Cisco Solution Validated SDN Automated Medium Operational cost Cost savings through Automation MANUAL : COST
Cisco APIC-EM: Campus/ Branch SDN Controller Software or Appliance Based NB RESTful APIs Existing and New Device Support Agile Integration Model Masking Network Complexity, Exposing Network Intelligence
Evolution to SDN Led Management in the Campus/Branch
Changing Nature of IT Ops with SDN led Management Traditional Management Customer developed provisioning tools, manual CLI changes, and run book automation for IT Operations support Feature Configuration Management (NMS) NE NE NE NE SDN Led Management Customer input on business / service intent Automation (Workflow / Orchestration) Policy Automation Management (Provisioning and Assurance) Controller (APIC-EM) NE NE NE NE
Systemic View of Management / Control Roles Orchestrates sequential changes and enables IT process execution Network Infra Stores, processes and visualizes all historical data for monitoring and network change Owns the communication to/from the network and drives programmability
System Components for SDN Led Management System of Record Benefits Network Management Business intent applications Policy driven automation Best Practices Embedded Cisco Validated Designs API programmability System of Automation Business Intent Applications System of Change Network Control Policy / Intent Definition Policy Automation & Compliance Cisco Applications RESTful APIs 3rd-Party Applications Events / Data via RESTful APIs & E2E Visibility Feature Config. Prime Infra Southbound Protocols
Two Levels of API Programmability
FEATURE PROGRAMMABILITY: Traditional mode of network management focused on custom network design and individual feature configuration and deployment. Network programmability through REST APIs for feature configuration and monitoring data. Gradual progression into SDN-led automation through Zero Touch Deployment, secure key automation and other core network services. Needs deep technical expertise in Network Engineering (design) and IT Ops (deployment).
POLICY PROGRAMMABILITY: Intent based policy abstraction of network wide device configuration with embedded CVDs and best practices. Network programmability through NB APIs for policy deployment and telemetry access. Rich selection of policy prescriptive apps that can be complemented with custom applications to suit organization needs. Needs clear understanding of intent rather than deep Network Engineering expertise. Direction of market evolution with need for greater simplicity, agility and automation.
Deployment Modes for SDN led Provisioning
Device Scope A, FEATURE CONFIGURABLE NMS with APIC-EM: Prime Infra NMS integrated with APIC-EM providing full GUI based configuration and FCAPS management leveraging network automation like PnP/PKI. Custom apps utilizing feature programmability via Prime NB APIs for configuration and data. Components: Prime Infrastructure; Customer, Partner or 3rd-party developed Automation Apps.
Device Scope B, POLICY PRESCRIPTIVE APPS on APIC-EM: Cisco developed modular, policy automated management apps with a common UI/UX framework and embedded service automation. Custom apps utilizing policy programmability via APIC-EM NB REST APIs. Components: Cisco Apps; Customer, Partner or 3rd-party developed Apps.
Common to both: APIC-EM (Discovery, Inventory, Topology, PnP, PKI), Common Controller Services Across the Enterprise
Core Value of Deployment Approaches FEATURE CONFIGURABLE POLICY PRESCRIPTIVE Customizable Templates Guided Workflows Full CLI Access Massive Simplification Policy Automated NO CLI Changes
Policy Maturity to Cover Enterprise System of Change Use Cases will Evolve Over Time configuration Today Controller-based Automation ACI policy policy policy Policy based Configuration: Dynamic, able to be automated, managed by the controller; Policy grows, static shrinks traditional traditional traditional Time
SDN Led Provisioning Zero Touch Deployment
Plug and Play Application on APIC-EM
Prime Infrastructure Integration with APIC-EM - PnP Support for Routers and Switches Leverage PI configuration templates for Day0/Day 1 configuration Bulk Add/Update device configuration for branch sites Automated monitoring of devices Integration with configuration compliance Network Router/Switch supporting Plug and Play (with Cisco PnP Agent) Data Center APIC-EM ZTD service Prime App API PKI service
Prime Infra and APIC-EM PnP Workflow (components: PnP Agent on the switch, DHCP server, PnP Service and Trust Manager Service on APIC-EM, Prime Infrastructure)
1. The switch with the PnP Agent is plugged into the network and sends a DHCP request
2. The DHCP response carries the PnP server IP (DHCP option 43 and 60)
3. The PnP Agent on the switch sends its serial # to the PnP Server
4. The PnP Server upgrades the IOS image if needed
SDN Led Provisioning Policy Based Automation
Business Policy Construct Who What Where When Endpoints Access to Resources Scope Time Based To and From Monitoring Location Event Triggered
Business Policy Examples Engineering Group (Who: From) Engineering Applications (Who: To) Laptop (Who: Device Type) Permit (What: Action) Properties: priority level - high, trust level high (What: Action Properties) Tom (Who: From) Netflix(Who: To) Permit (What: Action) Properties: priority level Low, trust level low (What: Action Properties) Cafeteria (Where: Location) 11AM-1PM (When: Time)
SDN Led Policy Deployment Conventional Model Conventional ACI Policy Model Admin Driven The What Security Policy for Branches A-N The How Change ACLs in the Following Elements The What Security Policy for Branches A-N The How Change ACLs in the Following Elements Admin Driven APIC EM Driven Lower OPEX and Better LOB Alignment Agility
What's Happening Under the Covers in APIC-EM
Business policy (JSON):
{"policyname":"tomweballow","policyowner":"admin","policypriority":4095,"networkuser":{"useridentifiers":["tom"]},"resource":{"applications":["80,80,tcp"]},"actions":["permit"]}
Controller-internal representation:
CompositeNetworkPolicy [networkpolicy=networkpolicy [policyid=902000be-adaf-4f41-bfb7-d1d9ee01e0f8, creatoruserid=admin, policyname=bradweballow, policypriority=4095, businesspolicyid=10d7e374-c1e0-4190-b3f8-58b3a49b4a90, flowid=7ba2034a-3cb0-4877-ae14-4a6c33aac312, actionid=70fb3b4c-ccf8-4561-b49c-684e5dc8d3cd], flow=flow [flowid=7ba2034a-3cb0-4877-ae14-4a6c33aac312, srcip=10.10.30.2, srcipmask=32, dscp=-1, protocol=tcp, srctptportlower=0, srctptportupper=0, dsttptportlower=80, dsttptportupper=80], flowaction=flowaction [actionid=70fb3b4c-ccf8-4561-b49c-684e5dc8d3cd, action=permit, actionpropdscp=-1]]
Generated device CLI:
config t
ip access-list extended User-Acl--8653840507576742282
10 permit tcp host 10.10.30.2 any eq 80
interface GigabitEthernet1/0/4
ip access-group User-Acl--8653840507576742282 in
end
Controller log:
20:22:28.992 EST DEBUG c.c.c.qos.acl.aclpolicy - Acl Policy Created Successfully on the Device : d29d175f-aacc-4c9c-a290-2392fc80a0e3
Only non-EoL device versions are supported.
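As an added illustration of the translation this slide shows (example code, not APIC-EM's own), the following Python resolves the business policy JSON into the flow record and renders it as the IOS ACL CLI; the user-to-IP and user-to-port lookups, the ALLOWED_* sets and the helper names are assumptions of this example, and the ACL name is copied from the slide.

```python
import ipaddress
import json

# Constructed sample: the business policy from the slide, as JSON.
BUSINESS_POLICY = json.loads(
    '{"policyname":"tomweballow","policyowner":"admin","policypriority":4095,'
    '"networkuser":{"useridentifiers":["tom"]},'
    '"resource":{"applications":["80,80,tcp"]},"actions":["permit"]}'
)
# Assumed identity and attachment lookups; the real controller resolves these itself.
USER_TO_IP = {"tom": "10.10.30.2"}
USER_TO_PORT = {"tom": "GigabitEthernet1/0/4"}
ALLOWED_PROTOCOLS = {"tcp", "udp"}
ALLOWED_ACTIONS = {"permit", "deny"}


def parse_application(spec):
    """Parse a 'low,high,proto' resource string, rejecting anything malformed."""
    parts = spec.split(",")
    if len(parts) != 3:
        raise ValueError(f"bad application spec: {spec!r}")
    low, high, proto = int(parts[0]), int(parts[1]), parts[2].strip().lower()
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"port range out of bounds: {spec!r}")
    if proto not in ALLOWED_PROTOCOLS:
        raise ValueError(f"unsupported protocol: {proto!r}")
    return low, high, proto


def build_flow(policy, user_to_ip):
    """Resolve the business policy into the flow record the slide shows."""
    users = policy["networkuser"]["useridentifiers"]
    apps = policy["resource"]["applications"]
    actions = policy["actions"]
    if len(users) != 1 or len(apps) != 1 or len(actions) != 1:
        raise ValueError("expected exactly one user, application and action")
    if actions[0] not in ALLOWED_ACTIONS:
        raise ValueError(f"unsupported action: {actions[0]!r}")
    src = ipaddress.IPv4Address(user_to_ip[users[0]])  # KeyError for unknown user
    low, high, proto = parse_application(apps[0])
    return {"srcip": str(src), "srcipmask": 32, "protocol": proto,
            "srctptportlower": 0, "srctptportupper": 0,  # 0/0 = any source port
            "dsttptportlower": low, "dsttptportupper": high,
            "action": actions[0]}


def render_acl_cli(flow, acl_name, interface):
    """Render the flow as the IOS CLI the controller pushes to the device."""
    lo, hi = flow["dsttptportlower"], flow["dsttptportupper"]
    dst_match = f"eq {lo}" if lo == hi else f"range {lo} {hi}"
    return [
        "config t",
        f"ip access-list extended {acl_name}",
        f"10 {flow['action']} {flow['protocol']} host {flow['srcip']} any {dst_match}",
        f"interface {interface}",
        f"ip access-group {acl_name} in",
        "end",
    ]


if __name__ == "__main__":
    flow = build_flow(BUSINESS_POLICY, USER_TO_IP)
    # ACL name taken from the slide; the controller derives it internally.
    for line in render_acl_cli(flow, "User-Acl--8653840507576742282", USER_TO_PORT["tom"]):
        print(line)
```

An IOS extended ACL ends with an implicit deny, so a single permit entry bound inbound on an access port drops every other flow from that port; the slide shows one policy in isolation, and a real deployment checks what else is bound to the interface before the ACL is applied.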
Extending Policy to Cross-Domain Use Cases Consistent Policy Across Cloud, DC, WAN and Access GBE Group Based Engine (Policy Orchestrator) APIC DC APIC EM Application Network Profile SLA, Security, QoS, Load Balancing User/Things Network Profile QoS, Security, SLA, Device Cloud Data Center WAN Access
Cisco Intelligent WAN App for APIC-EM IWAN is a Prescriptive Solution Available Summer 2015 Business Policy: App SLA IWAN APP APIC-EM DMVPN SLA QoS Security Path Selection NETWORK IT Admin Access Application Network Profile SDN Simple Workflow Templates Plug and Play Network, Applications Monitoring Business Level Policies Business Policy Dictates Network Action Open Architecture
IWAN Application Home Dashboard
Datacenter design options
Site topology choices
Site link type selection
Application priority policy settings Path preference Drag & Drop business buckets
Map view with Geo location
Site summary from map view
SDN Led Provisioning Feature Configuration
Step 1: Start IWAN Workflow Guided Workflow to help design and deploy IWAN on your branch or hub
Step 2: Role Selection Select the PIN (hub or branch) Identify the device role Select the IWAN features to be configured: DMVPN PFR AVC QOS
Step 3: Device Selection Select the devices - Hub device - Branch devices by location - Enables configuration of more than one branch
Step 4: DMVPN Configuration DMVPN Configuration - Can be part of Hub or Spoke configuration
Step 5: PfR Configuration PfR Configuration - PfR Policy on Hub - PfR at the spoke with reference to MC - Out of the Box 3 class model
Step 6: Quality of Service Configuration QoS Configuration - On the hub (8 class model) - On the spoke (8 class model) - NBAR based classification and shaping
Step 7: AVC Configuration AVC Configuration - Pick and choose the technologies to enable - Out of the box Cisco CVD design
SDN Led Monitoring and Assurance
Typical End to End IWAN Management IWAN APP APIC-EM Rest APIs Prime Infrastructure 3.0 Plug and Play Secure PKI certificate automation IWAN CVD provisioning (DMVPN, QoS, PfR, AVC) Centralized business policy definition Definition of application categories path preference Configuration archive End to end assurance Detailed Network level monitoring (CPU, Mem, Interfaces) Day 2 monitoring for PfR, L7 App visibility, QoS
Performance Routing Dashboard
Link Details Link details Detailed Site View Threshold Crossings
SDN Led IT Process Automation
Typical Tasks in Remote Branch Management Device Rack/Stack and LAN Cabling Can be done by local tech New Device Onboarding New Device Configuration New Services Configuration Existing device OS upgrade/reimaging Existing device reconfiguration Existing services reconfiguration Requires expert personnel usually from central IT/Network engineering team or Outsourced Consulting Service Provider (~2 Branch visits / year) Management tool integration Branch Network Operations Performed remotely by central IT Ops
Branch Service Automation Design, catalog, deploy with zero touch and automatically manage different branch types including IWAN, Access and WLAN architectures The value of Branch Service Automation is to dramatically reduce TCO of large-scale Branch roll out across 10s to 1000s of sites Automation Operational consistency Compliance to security and application policy
Branch Service Automation Process Flow (process and role per stage)
Service Design: Branch design for Wireless, Routing and Switching; embedded CVD best practices; custom and prescriptive designs; User, Application, Security, Access and Quality of Experience policy definition. Role: Network Architect, Security Admin.
Service Catalog: Branch designs (e.g. Small, Medium, Large) committed to the Service Catalog as a service offering; setting up of business entities and groups for which services can be ordered. Role: Network Architect, Security Admin.
Service Request: Ordering of Branch type when new site(s) or new services are needed; approval workflow with embedded test / validation; SLA definition for branch users and applications. Role: Network Operations, Application Admin.
Service Provisioning: Orchestration of devices and network services enablement for the Branch using PnP and PKI Automation on APIC-EM; APIC-EM led policy compliance enforcement. Role: Network Operations, Security Operations.
Service Management: Business and service level dashboarding / reporting for Network, SLAs, Security Status and Changes; drill down into events, monitoring and analytics tools for troubleshooting. Role: Network Operations, Security Operations.
From High Cost, Skilled Resource, One Time (design) to Automated (Low TCO), Low Skill, Continuous (management)
SDN Led One Assurance Prime Infrastructure
Cisco Prime Infrastructure One Management from the Branch to the Datacenter Lifecycle Converged Management with Integrated Best Practices Assurance End-to-End Application Experience and Visibility Data Center Simplified Operations Management Convergence Consolidation Cisco Advantage
Full Support of Cisco WAN/Access Infrastructure Unified Access On-Premise Meraki IWAN Large Campus Controllers Stackable Switches Switching Platform Wired Components Available in Future Release ISR 800 1900 2900 5760 Small to Midsize Enterprise 5508 Feature-Optimized Enterprise 3850 3650 High-Density Enterprise Low Profile High Powered Catalyst Larger Deployments MR3 4* 3900 4300 4400 UCS MR2 6* ASR 1700 2700 w/hdx CUWN 8.0 3700 w/hdx IOS-XE 3.6 1530 1570 IOS-XE 3.7 1550 MR1 8* 1000 1001 1002 MR1 2* 1004 1006 1013
Application Visibility Across the Enterprise Prime Infrastructure Cisco ISR & NAM on SRE NBAR2, PA, Medianet NAM Appliance (23XX) NBAR2, Voice, ART, SPAN, ERSPAN Cisco ASR NBAR2, AVC, Medianet NGA 3240 Netflow, SPAN, ERSPAN Netflow, NAM module AP 3700 NBAR2 Wireless Controllers NBAR2 Cisco Catalyst 3850-X w/ 3K-X 10G Netflow, MediaNet Cisco 6800 & NAM Blade Netflow, MediaNet SNMP/CLI Polling SPAN/ ERSPAN Netflow WAAS PA MEDIANET NBAR NBAR2
Wireless Management with Cisco Prime Infrastructure Network Configuration Network Health Troubleshooting Discovery, inventory, SWIM, compliance PSIRT Controller and access point deployment, configuration audit Network configuration, guest access, RRM Integration with Cisco MSE and ISE Maps-based planning for access point placement Sites and virtual domains Rogue, security, voice audit, mesh Performance reporting and fault management End-user troubleshooting authentication and access Users and devices, and applications Client tracking Visualization of users, rogues, interferers through maps
Wired Management with Cisco Prime Infrastructure Network Configuration and Health Lifecycle Management Plug and Play (New device in network) Discovery and Inventory Configuration Archive and SWIM Fault Management (Syslog and Trap Processing) Performance Management Configuration (Features: ACL, VLAN, etc) Platforms Supported ISR ASR Catalyst Nexus Performance and Application Assurance SNMP polling Overlay Monitoring (vpc, VDC, VXLAN) Quality of Service App Visibility with NAM Packet Capture Network and Application Assurance
Full Coverage of Datacenter Infrastructure Edge Network ASR 9000/1000 Core and Distribution Nexus 9000, Nexus 7000/5000, Nexus 3000, Nexus 2000, CAT 6500, 6800 Compute and Storage UCS B and C Series, MDS Switches Network Services ASA, CAT 6500 w/fwsm Virtualized Network Services CSR1000v, Nexus 1000v, VSG, vasa, vnam, vwaas
Rich Interface for Visualization and Troubleshooting Zoom & Pan controls Grey: Disconnected AP Yellow: AP w/ unresolved non-critical alarms Red: AP w/ critical alarms 802.11u location specific service Active rogue APs
Network Topology Visualization Device & Site Connectivity
Network Topology Visualization Device 360 Launch to Topology N-Hop Drill Down
Service Health for Sites, Users and Applications Automated Baselining Proactive Performance Troubleshooting Service Health Dashboard AVC Configuration for ISR/ASR One-click AVC Configuration AVC Monitoring Customization NBAR2 Custom Applications Embedded Packet Capture for ASR Top URL/Domain Views
User 360 Views and Diagnostics Simplified troubleshooting and remediation improves application, services and end user experience Brings together multiple sources of information for effective problem isolation Quick Prime 360 Views: User 360: Quickly isolate and fix end-user or end-point issues Device 360: Identify and fix device related problems Interface 360: Identify application load and related stats
Industry Class Configuration Baseline Compliance Leveraged from Prime Network Works on most common Cisco platforms IOS, IOS-XE, IOS-XR, NX-OS, StarOS Flexible Rules engine including Input Parameters, Complex Logic, Condition Checking Customizable Policy including Violation Message, Severity & Fix CLI Ability to schedule recurring jobs Compliance Policy Rule
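As an added example of the rule shape described above (example code, not Prime Infrastructure's own rules engine or policy format), this Python evaluates a few constructed compliance rules, each with input parameters, a condition, a violation message, a severity and fix CLI, against a constructed IOS running-config excerpt; the rule names, config lines and helper names are assumptions of this example.

```python
import re

# Constructed sample running-config excerpt (not from the slides).
RUNNING_CONFIG = """\
hostname branch-rtr-1
service password-encryption
ip http server
no ip http secure-server
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
 login local
"""


def http_plaintext(cfg, params):
    """Condition: plaintext HTTP management server enabled."""
    return re.search(r"^ip http server$", cfg, re.M) is not None


def vty_transport(cfg, params):
    """Condition: any VTY line accepts a transport outside the allowed set (input parameter)."""
    for m in re.finditer(r"^ transport input (.+)$", cfg, re.M):
        if set(m.group(1).split()) - params["allowed_transports"]:
            return True
    return False


def snmp_default_community(cfg, params):
    """Condition: a well-known default community string (input parameter list) is configured."""
    pat = r"^snmp-server community (%s)\b" % "|".join(params["forbidden"])
    return re.search(pat, cfg, re.M) is not None


def password_encryption_missing(cfg, params):
    return re.search(r"^service password-encryption$", cfg, re.M) is None


# Each rule: input parameters, condition, violation message, severity, fix CLI.
RULES = [
    {"name": "http-plaintext", "severity": "HIGH", "params": {},
     "condition": http_plaintext,
     "violation": "Plaintext HTTP management server is enabled",
     "fix_cli": ["no ip http server"]},
    {"name": "vty-ssh-only", "severity": "HIGH",
     "params": {"allowed_transports": {"ssh"}}, "condition": vty_transport,
     "violation": "VTY lines accept a transport other than SSH",
     "fix_cli": ["line vty 0 4", " transport input ssh"]},
    {"name": "snmp-default-community", "severity": "CRITICAL",
     "params": {"forbidden": ["public", "private"]},
     "condition": snmp_default_community,
     "violation": "Default SNMP community string in use",
     "fix_cli": ["no snmp-server community public"]},
    {"name": "password-encryption", "severity": "MEDIUM", "params": {},
     "condition": password_encryption_missing,
     "violation": "service password-encryption is not set",
     "fix_cli": ["service password-encryption"]},
]


def audit(cfg, rules):
    """Evaluate every rule; return (name, severity, message, fix CLI) per violation."""
    return [(r["name"], r["severity"], r["violation"], r["fix_cli"])
            for r in rules if r["condition"](cfg, r["params"])]
```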
DC Network and Compute Support Nexus 2K to 9K support VPC Monitoring UCS B series and C series VM (VMWare) Server -- Network mapping Fault and Impact Analysis VM Assurance Monitor Campus/Branch/ DC Network Physical to Virtual Mapping Network Compute
UCS Blade Server 360 View
Virtualization Management
Prime Infra DC Tech Pack 2 (H2 2015) Prime Infra GUI/Rest API Visualize and Troubleshoot DC PoD view Virtual overlay in topology Network Admin Topology Driven Workflow Automation via APIs UCS Service Profile Monitoring Service profile instance view Service profile Fault visualization Performance Monitoring UCS port monitoring, KPI graphing Storage & RAID (Inventory/Fault) Pod1 Pod2 Pod3 Platform Support Mini, M4, ISR module - UCS E series VDC VPC VXLAN QoS Service Profiles
SDN Led Management Product Packaging
Cisco ONE Software Suites Data Center WAN Access Advanced Security Threat Defense for Data Center Threat Defense for WAN Identity Services for Access Advanced Application Data Center Fabric Enterprise Cloud Suite WAN Collaboration Campus Fabric Advanced Mobility Services Foundation Foundation for Networking Foundation for Compute Foundation for WAN Foundation for Switching Foundation for Wireless Networking Compute WAN Switching Wireless
APIC EM Platform and Apps Business Model Solution Apps BASIC SERVICES & APPS Discovery, Inventory, Topology Policy, PnP REST APIs App-Service Extensions App-Services (Licensed based on Solution purchased, includes APIs) Basic-Services (Free platform and APIs) GRAPEVINE ELASTIC ARCHITECTURE SDK for Extension Services Cisco Internal Only NB APIs Access Available to all for every app service
New SDN Led Management Licensing PI 3.x.... Controller (APIC-EM) MGMT 3.x Device License (Charged) PI 3.x Solution App for Domain Ex. IWAN, WLAN, Access etc. Basic Services & Apps (Free) Ex: Inv., Topo., Policy, PnP etc. APIC-EM Controller (Free) UCS HW Platform (Charged) TAC Support for Physical Appliance, Platform and Basic services will be via SmartNet NB Apps development support will be via DevNet
Single MGMT 3.x License to Cover APIC EM Apps and Prime Infra (LF, AS) for a Domain EXAMPLE: Ordering the new Cisco MGMT License for Routing will include IWAN App Prime Infra (LF+AS) and the underlying base Platforms for APIC-EM and Prime Infra
Benefits of Single MGMT 3.x Licensing APIC-EM as a platform with a set of published apps and NB APIs will be available for free on DevNet This will enable ISVs, Partners and your internal teams to build their own custom applications based on policy programmability Both traditional and SDN led applications for a particular device domain will be offered in a single license as part of Cisco ONE or a la carte For example, Prime Infrastructure Lifecycle & Assurance AND IWAN App on APIC-EM will be part of the WAN foundation offer for the Routing domain This will enable phased adoption at a pace that works for your organization For example, policy prescriptive apps could be used for deployment in simpler branch types first and then moved to more complex branch types as policy maturity evolves
Conclusion
Conclusion Cisco's SDN Led IT Operations Management will: Empower IT Ops to manage the Network as a System, not as a collection of resources Drive massive simplicity through intent based policy automation Deliver application-centric visibility from the Branch to Datacenter Support existing and new devices for full investment protection Offer open, programmable APIs for bespoke innovation Realize cost savings from automation and abstraction Require new skills in intent based and programmable network management
Thank you