Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) is a software controller that automates and simplifies network configuration, provisioning, and management. The APIC-EM SDN controller automatically translates business policy into network device-level policy and can enforce that policy across an end-to-end network.

APIC-EM is highly programmable through open APIs, allowing customers and developers to create innovative network services and applications to fuel business growth.

During this lab, participants will install the controller and then get hands-on experience with multiple SDN applications, including inventory, discovery, topology, policy, path visualization, EasyQoS (both static and dynamic) and Secure Network Plug and Play (for zero-touch deployment). Participants will also have the opportunity to visualize the IWAN app. Lastly, participants will experience the programmability aspects of APIC-EM by using Swagger and Chrome Postman scripting.

The first version of this lab was created and delivered by the speakers at Cisco Live Berlin. This second, enhanced version of the lab will be available at Cisco Connect Toronto and Cisco Live Las Vegas.
1. Cisco Confidential © 2015 Cisco and/or its affiliates. All rights reserved.
Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) - Hands-on Lab
Saurav Prasad, Technical Marketing Engineer, San Jose, USA
Lila Rousseaux, CCIE #6899, Technical Solutions Architect, Canada
Jim Galvez, Technical Solutions Architect, Oregon, USA
House Keeping Notes
Thank you for attending Cisco Connect Toronto 2016. Here are a few housekeeping notes to ensure we all enjoy the session today.
• Ask questions!
• Please ensure your cellphones and laptops are set to silent so that no one is disturbed during the session.
• A power bar is available under each desk in case you need to charge your laptop.
Agenda
• Introduction to APIC-EM
• APIC-EM Apps
• APIs
• Lab Overview
• Get started with the Lab!
• Let's get back together for the APIC-EM GA1.2 Preview
• Elastic Services (Grapevine)
Introduction to APIC-EM
Manual to Systemic Policy Deployment (diagram)
Conventional model, manual policy deployment: both "the what" ("Security Policy for Branches A-N") and "the how" ("Change ACLs in the following elements") are admin driven.
Controller-led policy deployment: "the what" stays admin driven, while "the how" becomes system driven.
APIC-EM: Cisco Enterprise SDN (diagram)
Open, programmable app platform for enterprise network transformation: software or appliance based; northbound RESTful APIs; Cisco, partner or customer developed apps; agnostic southbound interface supporting multiple protocols; existing and new device support.
Cisco APIC Enterprise Module Architecture (diagram)
Applications: Security, Collaboration, Orchestration, Services, WAN.
Controller: Policy Infrastructure Automation, Network Information Database.
Network Element Layer, reached via CLI and SNMP.
The controller abstracts network devices to mask complexity, treats the network as a system, and exposes network intelligence for business innovation.
APIC-EM Applications at GA1
• Plug-and-Play: zero-touch deployment of routers, switches and APs. Accelerated roll-out: eliminates tech visits and shrinks deployment from months to minutes.
• Cisco IWAN (SD-WAN): guided, fast auto-provisioning of the IWAN solution. From 250 CLI commands to 5 GUI clicks per branch: 1000% IWAN deployment acceleration.
• Path Trace: discover the path between two end points based on a 5-tuple. Rapidly troubleshoot congestion and ACL issues and lower OpEx for trouble-ticket processing by 500%.
• EasyQoS: Static QoS configures QoS automatically and end to end based on Cisco best practices; Dynamic QoS for Jabber/MS Lync.
Network Information Base - Device Inventory
• Real-time network device inventory and asset service management
• Includes all network devices with an abstraction for the entire network:
  • Full knowledge of the network
  • Awareness of the overall operational health of the physical network
  • Detailed inventory information for easier consumption by controller services and applications
  • Allows applications to be device agnostic
• The inventory service runs in the background to keep the DB accurate
• SNMP traps are sent by devices during link up/down; APIC-EM then runs discovery on that device (*)
(*) GA1
Network Information Base - Host Inventory
• Real-time host and end-point inventory (PCs, wireless devices, IP phones, printers etc.)
• Detailed information about each host/end-point:
  • Network attachment point for the host to the network device
  • Host name, IP and MAC address information
• The host inventory service runs in the background to maintain the accuracy of the database:
  • Information collected via CDP, LLDP and IP Device Tracking DB lookup
  • SNMP traps used to update the host inventory DB
Network Information Base - Discovery
• Quick, easy and efficient network discovery
• Flexible discovery options:
  • CDP and IP address range
  • Ability to start, stop and delete the scan at any time
  • Auto-discovery of newly added network devices
  • Initiate via the UI or NB REST APIs
Topology Visualizer
• Auto-discovers and maps devices to a physical topology
• Detailed device-level data
• Always up-to-date network topology
• Layer 2 and 3 topologies on top of the physical one provide a granular view for design planning, simplified troubleshooting etc.
• Visualize device tags on top of the physical network topology
• Advanced HTML5/JavaScript based visualizer that utilizes REST APIs
• Highly interactive application experience
APIC-EM Path Trace Application (diagram)
Accelerate trouble-ticket processing: the user raises a trouble ticket, IT runs Path Trace against the network.
Open architecture: network and applications monitoring, simple workflow, SDN.
Benefits: easy visual discovery of trouble spots in the communication path based on 5-tuple information; OpEx for ticket processing decreased by 98%, from 1.6 hours to 1 minute.
Path Trace App: 5-Tuple Input Through the User Interface
Note: Layer 4 port and protocol information is optional but highly recommended for accurate path calculation.
Required information: source and destination IP address (end host or L3 interface).
Optional information: source and destination L4 port numbers; L4 protocol (TCP or UDP).
Path Trace App: Enhanced Application Flow Visibility (screenshot)
Shown in the trace: CAPWAP tunnel visualization, accuracy note (as a percentage), link source information, ingress/egress interface, interface/QoS stats.
Device On-boarding - Customer Challenges (diagram)
Today's process: the network admin installs the OS and base config at a central staging facility; the customer or partner ships the equipment to the final site (Site-1), where an installer puts it in place.
Operational challenges:
• Direct costs: pre-staging and shipping costs, travel costs
• Security: 3rd party not secure, rogue devices
• Time/productivity: manual process; shipping, storage, travel
• Complexity: configuration errors; different products, IOS releases
Pre-staging cost $$, re-shipment cost $$, techy installer $$, travel cost $$
Device On-boarding - Network Plug and Play (diagram)
Network Plug and Play process: the network admin in the NOC pre-provisions config and OS; the equipment ships directly to Site-1; the installer racks, cables and powers on the devices; the network admin monitors the device installation from the NOC.
Operational benefits: unskilled installer; consistent campus/branch; secure; GUI based; greenfield and brownfield.
PnP Server Use Case Example: Device Deployment in Campus (diagram)
A switch running the PnP agent obtains its address from the DHCP server; the DHCP option carries the PnP server location:
<..snip..>
CISCO_PNP.pnpserver
"5A;B2;K4;I10.11.11.11;J80";
<..snip..>
The device validates the server's location and establishes communication with the server (IP address 10.11.11.11), which delivers the Cisco IOS® config file…
Day 1: the remote installer mounts and cables the devices and powers them on. The network admin remotely monitors the status of the install while it is in progress.
Network-PnP: Pre-provisioning Workflow (diagram)
Pre-provision: the admin pre-provisions the N-PnP app on APIC-EM with the device serial number (SR#).
Discovery: configure the device discovery mechanism, DHCP Option-43 or DNS.
Secure deployment: the installer powers on the devices; the PnP agent on each device authenticates, and the devices securely download image and configuration from the N-PnP app on APIC-EM.
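The option 43 string shown on the PnP server slide ("5A;B2;K4;I10.11.11.11;J80") is what the PnP agent decodes to find its server, and the discovery step above is where an admin configures it. The following parser and pre-rollout check is an added example, not code from the lab deck or from Cisco. The field meanings (5A marker with optional version digit and debug flag, B address type, K transport with 4 = HTTP and 5 = HTTPS, I server, J port) follow the Cisco PnP option 43 format as the author understands it and should be taken as an assumption to verify against the platform documentation; the hostname and values used in the second sample are constructed.

```python
"""Parse and check a Cisco Network PnP DHCP option 43 discovery string.

Added example, not code from the lab deck or from Cisco. Field meanings are
the author's reading of the PnP option 43 format (assumption):
  5A[<ver>][N|D]  PnP marker, optional version digit and debug flag (D = debug)
  B<n>            server address type: 1 = hostname, 2 = IPv4 address
  K<n>            transport: 4 = HTTP, 5 = HTTPS
  I<value>        PnP server hostname or IP address
  J<n>            PnP server TCP port
The parser accepts both the bare "5A" marker used on the slide and "5A1N".
"""
import ipaddress

ADDR_TYPES = {"1": "hostname", "2": "ipv4"}
TRANSPORTS = {"4": "http", "5": "https"}


def parse_pnp_option43(value):
    """Split the option string into its fields; raise ValueError on garbage."""
    cleaned = value.strip().rstrip(";").strip().strip('"')
    fields = cleaned.split(";")
    if not fields[0].startswith("5A"):
        raise ValueError("not a PnP option 43 string (missing 5A marker)")
    parsed = {"marker": fields[0], "debug": fields[0].endswith("D")}
    for field in fields[1:]:
        if not field:
            continue
        key, val = field[0], field[1:]
        if key == "B":
            parsed["addr_type"] = ADDR_TYPES.get(val, "unknown")
        elif key == "K":
            parsed["transport"] = TRANSPORTS.get(val, "unknown")
        elif key == "I":
            parsed["server"] = val
        elif key == "J":
            parsed["port"] = int(val)
        else:
            parsed.setdefault("unrecognised", []).append(field)
    if parsed.get("addr_type") == "ipv4" and "server" in parsed:
        ipaddress.IPv4Address(parsed["server"])  # raises ValueError if malformed
    return parsed


def findings(parsed):
    """Deployment-hygiene findings an admin would want before rolling the option out."""
    out = []
    if "server" not in parsed or "port" not in parsed:
        out.append("server (I) or port (J) field missing")
    if parsed.get("transport") == "http":
        out.append("K4 selects plain HTTP: image and config download is unencrypted "
                   "and the agent gets no server authentication; prefer K5 (HTTPS)")
    elif parsed.get("transport") != "https":
        out.append("unrecognised transport code")
    if parsed["debug"]:
        out.append("debug flag (D) set; clear it outside troubleshooting")
    if parsed.get("unrecognised"):
        out.append("unrecognised fields: " + ", ".join(parsed["unrecognised"]))
    return out


def server_url(parsed):
    """URL the PnP agent would contact, useful for change review and logging."""
    return "%s://%s:%d/" % (parsed["transport"], parsed["server"], parsed["port"])


if __name__ == "__main__":
    # The string from the slide, followed by a constructed HTTPS variant.
    for sample in ('"5A;B2;K4;I10.11.11.11;J80";',
                   "5A1N;B1;K5;Ipnp-server.example.test;J443"):
        p = parse_pnp_option43(sample)
        print(server_url(p), findings(p))
```

Run on the slide's string, the check reports the HTTP transport; that is the one setting a defender would change before a real deployment, since the image and configuration the device pulls on day 1 are otherwise fetched without transport protection.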
Network-PnP: Claim-device Workflow (diagram)
Discovery: configure the device discovery mechanism, DHCP Option-43 or DNS.
Secure deployment: the installer powers on the devices; the PnP agent on each device authenticates, and the devices securely connect to the APIC-EM server, where they wait as un-claimed devices to be "claimed".
Claim: the network admin claims devices based on device information; each device then downloads image and configuration from the N-PnP app on APIC-EM.
Intelligent WAN (diagram)
WAN transport from the branch: MPLS ($$$) and low-cost circuit, Internet, 4G ($), reaching the private cloud, a virtual private cloud and the public cloud via direct Internet access or Internet backhaul, with Cisco Cloud Web Security.
• Secure WAN transport across MPLS and/or Internet for private cloud / DC access
• Leverage the low-cost path for public cloud and Internet access
Increase WAN capacity, improve app performance, scale security at the branch.
EasyQoS App (diagram)
No more box-by-box configuration. The operator states business relevance (Business Relevant, Default / Maybe / Unknown, Business Irrelevant); Cisco Validated Design (CVD) based templates turn that into the Control, Transactional Data, Realtime and Best Effort configuration.
Converting Business Intent to Tactical Policies (diagram)
Per-platform QoS roles and queuing structures shown: Wireless AP (trust boundary, PEP, 4Q WMM); Catalyst 2960-X (trust boundary, PEP, 1P3Q3T); Catalyst 3650 (trust boundary, PEP, 2P6Q3T); Catalyst 4500 (trust DSCP, 1P7Q1T); Catalyst 6500 (trust DSCP, 1P3Q4T / 1P7Q4T / 2P6Q4T …); Nexus 7700 (trust DSCP, F3: 1P7Q1T); WLC (PEP); ASR/ISRs (trust DSCP, HQoS, MQC).
• The principal goal of the tactical QoS policy is to express the strategic QoS policy with maximum fidelity
• QoS design best practices will be used to generate platform-specific configurations
• QoS features will be selectively enabled if they directly contribute to expressing the strategic policy on a given platform
Determining Business Relevance
How important is a given application to business objectives?
Business Relevant
• These applications directly support business objectives
• Applications should be classified and marked according to RFC 4594-based rules
Default / Maybe / Unknown
• These applications may or may not support business objectives, e.g. HTTP/HTTPS
• Alternatively, the administrator may not know the application (or how it is being used in the org)
• Applications in this class should be marked DF and provisioned with a default best-effort service (RFC 2474)
Business Irrelevant
• These applications are known and do not directly support any business objectives; this class includes all personal/consumer applications
• Applications in this class should be marked CS1 and provisioned with a "less-than-best-effort" service (RFC 3662)
What Do We Do Under-the-Hood?
Apply RFC 4594-based Marking / Queuing / Dropping Treatments

Application Class        | Per-Hop Behavior | Queuing & Dropping         | Application Examples                              | Relevance
VoIP Telephony           | EF               | Priority Queue (PQ)        | Cisco IP Phones (G.711, G.729)                    | Relevant
Broadcast Video          | CS5              | (Optional) PQ              | Cisco IP Video Surveillance / Cisco Enterprise TV | Relevant
Real-Time Interactive    | CS4              | (Optional) PQ              | Cisco TelePresence                                | Relevant
Multimedia Conferencing  | AF4              | BW Queue + DSCP WRED       | Cisco Jabber, Cisco WebEx                         | Relevant
Multimedia Streaming     | AF3              | BW Queue + DSCP WRED       | Cisco Digital Media System (VoDs)                 | Relevant
Network Control          | CS6              | BW Queue                   | EIGRP, OSPF, BGP, HSRP, IKE                       | Relevant
Signaling                | CS3              | BW Queue                   | SCCP, SIP, H.323                                  | Relevant
Ops / Admin / Mgmt (OAM) | CS2              | BW Queue                   | SNMP, SSH, Syslog                                 | Relevant
Transactional Data       | AF2              | BW Queue + DSCP WRED       | ERP Apps, CRM Apps, Database Apps                 | Relevant
Bulk Data                | AF1              | BW Queue + DSCP WRED       | E-mail, FTP, Backup Apps, Content Distribution    | Relevant
Default Forwarding       | DF               | Default Queue + RED        | Default Class                                     | Default
Scavenger                | CS1              | Min BW Queue (Deferential) | YouTube, Netflix, iTunes, BitTorrent, Xbox Live   | Irrelevant
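The relevance rules (relevant traffic gets its RFC 4594 class, unknown traffic gets DF, irrelevant traffic gets CS1) and the trust-boundary / "Trust DSCP" roles on the platform diagram are the two halves of the policy a PEP actually applies at ingress. The block below is an added example, not code from the deck or from EasyQoS: it encodes the marking plan from the table above and shows why the trust boundary matters, since an end host on an untrusted port can stamp any DSCP it likes and the PEP has to re-mark it. DSCP values are the standard code points (RFC 2474, RFC 2597, RFC 3246); the AF4/AF3/AF2/AF1 rows are taken as AF41/AF31/AF21/AF11 (assumption), and the sample packets and port roles are constructed.

```python
"""Business-relevance marking plus trust-boundary re-marking (added example).

Not code from the lab deck. DSCP values are the standard code points; the
class-to-PHB map follows the deck's RFC 4594 table, reading AF4/AF3/AF2/AF1
as AF41/AF31/AF21/AF11 (assumption). Sample packets below are constructed.
"""
DSCP = {"EF": 46, "CS6": 48, "CS5": 40, "CS4": 32, "AF41": 34, "AF31": 26,
        "CS3": 24, "AF21": 18, "CS2": 16, "AF11": 10, "CS1": 8, "DF": 0}
PHB_NAME = {value: name for name, value in DSCP.items()}

# Application class -> per-hop behaviour for business-relevant traffic.
CLASS_PHB = {
    "voip": "EF", "broadcast-video": "CS5", "realtime-interactive": "CS4",
    "multimedia-conferencing": "AF41", "multimedia-streaming": "AF31",
    "network-control": "CS6", "signaling": "CS3", "oam": "CS2",
    "transactional-data": "AF21", "bulk-data": "AF11", "default": "DF",
}


def intended_phb(app_class, relevance):
    """Relevance decides: relevant -> RFC 4594 class, default -> DF, irrelevant -> CS1."""
    if relevance == "relevant":
        return CLASS_PHB[app_class]
    if relevance == "default":
        return "DF"
    if relevance == "irrelevant":
        return "CS1"
    raise ValueError("unknown relevance: " + relevance)


def dscp_of(tos_byte):
    """DSCP is the upper six bits of the IPv4 TOS / IPv6 traffic class byte."""
    return (tos_byte >> 2) & 0x3F


def tos_of(dscp, ecn=0):
    """Rebuild the TOS byte from a DSCP value, preserving the two ECN bits."""
    return ((dscp & 0x3F) << 2) | (ecn & 0x3)


def at_trust_boundary(tos_byte, port_trusted, app_class, relevance):
    """Policy enforcement point at ingress.

    Trusted ports (uplinks from other PEPs) keep the received DSCP, as the
    "Trust DSCP" platforms on the diagram do. Untrusted ports (end hosts) are
    re-marked to the intended value, so a host that stamps EF on a file
    transfer cannot buy itself the priority queue.
    Returns (new_tos_byte, remarked).
    """
    ecn = tos_byte & 0x3
    received = dscp_of(tos_byte)
    if port_trusted:
        return tos_byte, False
    wanted = DSCP[intended_phb(app_class, relevance)]
    return tos_of(wanted, ecn), wanted != received


def demo():
    """Constructed packets: (description, tos byte, trusted port?, class, relevance)."""
    packets = [
        ("phone on trusted uplink, arrives EF", tos_of(46), True, "voip", "relevant"),
        ("laptop self-marks BitTorrent as EF", tos_of(46), False, "bulk-data", "irrelevant"),
        ("laptop sends Jabber video unmarked", tos_of(0), False, "multimedia-conferencing", "relevant"),
        ("web browsing, relevance unknown", tos_of(0), False, "default", "default"),
    ]
    results = []
    for desc, tos, trusted, app_class, relevance in packets:
        new_tos, remarked = at_trust_boundary(tos, trusted, app_class, relevance)
        results.append((desc, PHB_NAME[dscp_of(new_tos)], remarked))
    return results


if __name__ == "__main__":
    for desc, phb, remarked in demo():
        print("%-40s -> %-4s %s" % (desc, phb, "(re-marked)" if remarked else ""))
```

The second sample packet is the case the trust boundary exists for: the host-supplied EF is overwritten with CS1 because the application is business irrelevant, while the same EF arriving on a trusted uplink is left alone because an upstream PEP has already enforced the policy.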
EasyQoS (diagram)
Network operators express high-level business intent to APIC-EM EasyQoS. Applications can interact with APIC-EM via northbound APIs, informing the network of application-specific and dynamic QoS requirements. Southbound APIs translate business intent into platform-specific configurations.
Dynamic QoS Classification for Jabber Video/MS Lync (diagram)
Enterprise network of 3945/ISR G2 routers, Cat 3750 switches and an AP. The collaboration app sends a session policy request to APIC-EM, which pushes QoS changes to the network: a single policy request produces an automated change across all network elements, enabling a high-quality user experience.
Pre-QoS change: default classification. Post-QoS change: video.
Example: the default port range for Jabber Video to receive media is 21,000-21,900 (Jabber Video for TelePresence 4.6).
One more thought: APIC-EM exposes APIs for customized applications
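The lab exercises the northbound APIs through Swagger and Postman; the same calls scripted in Python look like the block below. This is an added example, not code from the deck or from Cisco: the endpoint paths and response shapes (POST /api/v1/ticket returning a serviceTicket under "response", GET /api/v1/network-device returning a list under "response", and the ticket sent in an X-Auth-Token header) are the author's recollection of the APIC-EM v1 northbound API and should be checked against the controller's Swagger page. The HTTP transport is injectable so the logic runs offline; demo_transport, the lab-user credentials, the controller hostname and the device record are all constructed stand-ins.

```python
"""Minimal APIC-EM northbound REST client (added example, not Cisco code).

Assumptions, to verify against the controller's Swagger page:
  POST /api/v1/ticket          body {"username", "password"}
                               -> {"response": {"serviceTicket": "..."}, ...}
  GET  /api/v1/network-device  header X-Auth-Token: <serviceTicket>
                               -> {"response": [ {hostname, managementIpAddress, ...}, ... ]}
demo_transport is a constructed stand-in for the controller so the example
runs offline; urllib_transport is the real one.
"""
import json
import ssl
import urllib.request


def ticket_request(base_url, username, password):
    """(method, url, headers, body) for the login call; credentials go only in the body."""
    body = json.dumps({"username": username, "password": password}).encode()
    return "POST", base_url + "/api/v1/ticket", {"Content-Type": "application/json"}, body


def authed_get(base_url, path, ticket):
    """(method, url, headers, body) for an authenticated read; the ticket is a bearer secret."""
    headers = {"Content-Type": "application/json", "X-Auth-Token": ticket}
    return "GET", base_url + path, headers, None


def urllib_transport(method, url, headers, body, cafile=None):
    """Real HTTPS transport. Certificate verification stays on: hand the
    controller's CA over via cafile instead of disabling checks."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, resp.read()


def get_service_ticket(transport, base_url, username, password):
    status, raw = transport(*ticket_request(base_url, username, password))
    if status != 200:
        # Report the status only; never echo the credentials into logs.
        raise RuntimeError("ticket request failed with HTTP %d" % status)
    return json.loads(raw)["response"]["serviceTicket"]


def list_network_devices(transport, base_url, ticket):
    status, raw = transport(*authed_get(base_url, "/api/v1/network-device", ticket))
    if status != 200:
        raise RuntimeError("inventory request failed with HTTP %d" % status)
    devices = json.loads(raw)["response"]
    return [(d.get("hostname"), d.get("managementIpAddress"), d.get("softwareVersion"))
            for d in devices]


def demo_transport(method, url, headers, body):
    """Constructed controller stand-in: one valid login, one device in inventory."""
    if method == "POST" and url.endswith("/api/v1/ticket"):
        if json.loads(body) != {"username": "lab-user", "password": "lab-pass"}:
            return 401, b'{"response": {"errorCode": "INVALID_CREDENTIALS"}}'
        return 200, b'{"response": {"serviceTicket": "ST-constructed-1"}, "version": "1.0"}'
    if method == "GET" and url.endswith("/api/v1/network-device"):
        if headers.get("X-Auth-Token") != "ST-constructed-1":
            return 401, b'{"response": {"errorCode": "UNAUTHORIZED"}}'
        return 200, (b'{"response": [{"hostname": "branch-sw1", "managementIpAddress": "10.1.1.1",'
                     b' "softwareVersion": "15.2(4)E"}], "version": "1.0"}')
    return 404, b""


def demo(transport=demo_transport, base_url="https://apic-em.example.test"):
    """Log in, then read the device inventory; swap in urllib_transport for a real controller."""
    ticket = get_service_ticket(transport, base_url, "lab-user", "lab-pass")
    return list_network_devices(transport, base_url, ticket)


if __name__ == "__main__":
    for hostname, mgmt_ip, version in demo():
        print(hostname, mgmt_ip, version)
```

Two design points carry over to any script written against the controller: the service ticket is as sensitive as the password for as long as it is valid, so keep it out of logs and URLs, and the TLS context is built with verification enabled so a lab habit of skipping certificate checks does not follow the script into production.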
Introduction to the lab
Jump PC
128.107.91.20X
Username: admin
Password: Uabootcamp1
APIC-EM
IWAN App Visualization (exercise 7 only)