
Cisco ACI For Enterprise

Phil Casini
Director Product Management
Cloud and Virtualization Group
Cisco’s IT Company Transformation

Today’s Business Operations: Business Applications and Networking Components offered With “Some Assembly Required”

New Business Operations: Seamlessly Fused Business Applications And Networking Components “Out of the Box” (The Whole Becomes More Effective Than the Sum of the Parts)

Reducing the Need for Business Operations To Be Expert Network Technology Centers Is A Catalyst for Aligning with New Business Goals
Presentation_ID © 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public
Increasing Network Programmability: a Key Cisco Strategy

OPEX Savings / Business Agility

• Cisco Open Networking Environment Licenses
• Cisco Advanced Support Services
• Cisco Development Partners

Includes a New ISV Ecosystem for Economically Customizable End to End IT Solutions
The Value of SDN:
Programmatically Connecting Applications to Networks via “Linked” Interfaces

Stack (top to bottom): Applications > Abstraction Layers > REST API > Controllers > ODL SAL > Network Devices

• “Semantically Linked” Interfaces Allow Abstraction Layers to Change While Maintaining the Stack Integrity
• Customer Flexibility: Enables Use Case Evolution + Investment Protection
• Vendor Flexibility: Allows Components to Mature Over Time While Preserving Interoperability
• Emerging Northbound and Southbound Standards via OpenDaylight Solidifies Industry Support for Semantics
SDN Scorecard For Production Network Adoption

+ SDN Abstractions Enable Flexible End to End Solutions
+ ODL SAL and REST Interfaces Ensure Industry Wide Adoption
- Consistent Policy Management Across All Domains: Cisco Taking A Leadership Role


Consistent Policy Management:
Application Centric Infrastructure (ACI)

• Introduced in November 2013 with the Application Policy Infrastructure Controller (APIC)
• Initially Applied to Data Center Domain
• Now Being Extended to Include the Enterprise Network

A Controller that Can Manage Policies Across Network Domains is the Missing Piece
To Enabling the Adoption of Programmable END to END IT solutions
for Production Networks

ACI Enterprise Architecture
A Rich Portfolio of IT Solutions: SECURITY, COLLABORATION, SERVICES, ORCHESTRATION, IoE

Layers (top to bottom):
• Network Aware Applications
• Controllers: APIC, APIC-EM
• Infrastructure
• Endpoints
Domains: Data Center, WAN, Access


ACI Embraces The Changing Role of IT

Business Expectations: Growth & Globalization, New Business Models, Innovation, Consistent Experience, Security & Privacy

End to End IT Solutions A Key Component

Technology Transitions: Mobile, Cloud, New Breed of Apps, Big Data & Analytics, Internet of Things
APIC for Enterprise:
Software VM for Servers

APIC Features
• OPEX Savings: Abstracts and Automates Network Control
• Business Agility: Enables Dynamic Policy Changes Across the Network
• Provides Foundation for Simplification via Solutions Approach


APIC-EM Release 1.0

Stack (top to bottom):
• Policy Management Applications: QoS, ACL
• Enterprise Applications: Advanced Network Visualizer
• APIC EM REST APIs
• Enterprise Services: Inventory and State, Identity and Location Awareness, Application Policy Enforcement
• Elastic Infrastructure
• SAL
• CLI

CLI Provides Immediate Use with the Current Installed Base


Abstracting Conventional Policy Complexity

Conventional Model:
• The What: “Security Policy for Branch A”
• Admin Driven
• The How: “Change ACLs in the Following Elements”

ACI Policy Model:
• The What: “Security Policy for Branch A”
• Admin Driven > Northbound APIs > ACI Constructs > APIC EM
• The How: “Change ACLs in the Following Elements”

ACI Abstracts System Management and Enables Programmable Driven Policies

SDN Innovation:
Network Information Base Provides One Source of Truth

• User Defined Group Tagging Allows Applications to Segment Analysis and Control (not shown here)

Abstracts and Automates Network Control (OPEX Savings)

Applications: Abstracting and Automating Network Control

Application:
QoS Classification Management

Application:
ACL Management

Post Release 1.0:
Zero Touch Deployment with APIC-EM

Pre-Provision (IT Admin): Configure devices
• IOS image for update
• Sites Configuration Text file
• Build site topology
• Assign Installer
• Define match policy

Easy to use
• Work Flow Based
• Scales to network size
• Centralized controller

Secure
• HTTPS based information flow

Unskilled onsite installer
• No CLI
• Installer App for assistance

Device Support
• All Campus and Branch devices (not AireOS)

Zero Touch Automated Device installation
• No Manual intervention

(Diagram: controller reached over the Internet; Installer at Site-1, Site-2, Site-3)

Enables Dynamic Policy Changes Across the Network (Increasing Business Agility)

Introducing Intent Policy Management

Policy Management Example:
Intent Based Policies

Auto-Translation of Business Intent into Device/Network Level Policies


Policy Construct

Event Triggers

Network Users
• User-identifier (tenant/user)
• Application
• Device Type
• Location

Resources
• User-identifier (tenant/user)
• Application
• Device Type
• Location

Actions
• Permit
• Deny
• Copy
• Monitor
• Redirect (L3, L4, L7)
• No copy
• No redirect

Action Properties
• Priority Level
• Resource Level
• Experience Level
• Trust Level
• Destination
• Sample Rate

Policy Properties
• Policy Creator
• Policy Name
• Policy Scope
• Policy Priority
• Policy Time: Start Time, End Time, Hard timeout, Idle timeout, recurrence

Characteristics
• High Level Business Intent Policies
• Automatically converted to Network Language
• Conflict Detection and Resolution
• Extensible
• Supports different patterns of policies: Access Policies; Source-Destination Directional Policies; Event – Condition – Action
• Includes Collections (Ex: a group of userids, a group of applications, etc.)
• Choose custom tags for policies
• Choose multiple attributes in each category
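The policy construct above lists "Conflict Detection and Resolution" and "Automatically converted to Network Language" as properties without showing what either means in practice. The following is an added example (not APIC-EM code and not from the presentation) that models the construct in a small Python data class (users, resources, action, creator, priority) and implements both properties over constructed collections: the user collections, application port definitions, the IOS-style ACL output and the rule that a lower priority number wins are all assumptions chosen for the illustration.

```python
"""Added example: a toy intent-policy compiler (not APIC-EM code).

Models the policy construct (users, resources, actions, policy priority,
creator) and implements two of the listed properties: conflict detection /
resolution, and automatic conversion to "network language", here an
IOS-style extended ACL. All collections, prefixes, ports and the
lower-number-wins priority rule are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IntentPolicy:
    name: str
    creator: str
    priority: int            # assumption: lower number = higher precedence
    users: str               # name of a user collection (Network Users)
    resources: str           # name of an application collection (Resources)
    action: str              # permit | deny | copy | monitor | redirect
    properties: dict = field(default_factory=dict)   # Action Properties


# Constructed collections: in a deployment these would come from identity and
# application-awareness services (ISE, NBAR2, ...), not from static tables.
USER_COLLECTIONS = {
    "contractors": ["10.20.0.0/24", "10.20.1.0/24"],
    "finance": ["10.30.0.0/24"],
}
APP_COLLECTIONS = {
    "sap-hana": [("tcp", "eq 30015")],
    "jabber-video": [("udp", "range 16384 32767")],
}


def detect_conflicts(policies):
    """Return (policy_a, policy_b, winner) for every pair that covers the same
    users and resources with opposing permit/deny actions."""
    conflicts = []
    for i, a in enumerate(policies):
        for b in policies[i + 1:]:
            same_scope = a.users == b.users and a.resources == b.resources
            opposing = {a.action, b.action} == {"permit", "deny"}
            if same_scope and opposing:
                winner = a if a.priority < b.priority else b
                conflicts.append((a.name, b.name, winner.name))
    return conflicts


def compile_acl(policies, acl_name="INTENT_POLICY"):
    """Convert intent policies into IOS-style extended ACL lines.

    Policies are emitted in priority order, so the winner of any conflict is
    matched first, and an explicit deny closes the list. copy/monitor/redirect
    actions map to SPAN/NetFlow/PBR rather than to ACL entries and are skipped.
    """
    lines = [f"ip access-list extended {acl_name}"]
    seq = 10
    for p in sorted(policies, key=lambda p: p.priority):
        if p.action not in ("permit", "deny"):
            continue
        lines.append(f" remark {p.name} (creator {p.creator}, priority {p.priority})")
        for prefix in USER_COLLECTIONS[p.users]:
            net = ipaddress.ip_network(prefix)
            for proto, port in APP_COLLECTIONS[p.resources]:
                lines.append(f" {seq} {p.action} {proto} {net.network_address} "
                             f"{net.hostmask} any {port}")
                seq += 10
    lines.append(f" {seq} deny ip any any")
    return lines


def demo_policies():
    """Constructed sample: two conflicting policies plus one unrelated one."""
    return [
        IntentPolicy("allow-contractors-hana", "helpdesk", 20, "contractors", "sap-hana", "permit"),
        IntentPolicy("block-contractors-hana", "secops", 10, "contractors", "sap-hana", "deny"),
        IntentPolicy("finance-hana", "appowner", 30, "finance", "sap-hana", "permit",
                     {"priority_level": "high"}),
    ]


if __name__ == "__main__":
    policies = demo_policies()
    for a, b, winner in detect_conflicts(policies):
        print(f"conflict: {a} vs {b}; {winner} wins on priority")
    print("\n".join(compile_acl(policies)))
```

Resolution here is purely by the Policy Priority property; the Policy Time properties (start/end, timeouts) would gate whether a policy is emitted at all, and the remark lines carry the Policy Creator so the rendered ACL can be traced back to the intent that produced it.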
Policy Enforcement

Intent Attribute: Available Technologies
• userid: 802.1X, ISE – pxGrid, Radius, Proxy, Active Directory
• Application: NBAR2, NETFLOW, DNS, Firewall, etc.
• Location: MSE, Switch Configuration, Location Tags
• Device-Type: ISE, Posture Analysis, EEDGE
• Priority-Level: QoS – Marking, Policing, Shaping, Queuing
• Experience Level: QoS, PfR, WAN Optimization
• Trust Level: ACL, Service Chaining, Firewall, IPS, IDS, etc.
• Copy: SPAN, RSPAN, ERSPAN, DPSS

Enables Dynamic Policy Changes Across the Network

Business Agility Solutions: Utilizing Policy Management to Connect Other Applications

Business Agility Example:
Dynamic Branch Network Security

EN Controller + Sourcefire Security: the APIC EM Controller receives a Controller Notification from the SourceFire HQ Defense Center and pushes Remediation Policy Enforcement to the branch (ISR with SourceFire Sensor, access switch, Host A, Video svr, Internet uplink).

1. Malware/Javascript Infection from WAN
2. SF Sensor detects threat
3. SF DC notifies Controller (Alert!!!!)
4. Remediation API event
5. Policy installed on Access switch port by Controller.
6. Block or quarantine end-point (host A): Host Blocked or Put in a Quarantine VLAN

Business Agility Example:
QoS Video Classification Enables Enterprise Wide Jabber

The APIC EM Controller pushes QoS Changes across the Enterprise Network (3945/ISR G2 routers and Cat 3750 switches at Branch Office A, Branch Office B and Branch Office C; Sales and Developer users):
• Pre-QoS change: Default Classification
• Post-QoS change: VideoQ

• Single change across all network elements enables high quality user experience
• Optimizes Video Q combining high end fixed video stations and soft client video into same class
Cisco Solution: APIC EM + IWAN

IWAN services: AVC, DMVPN, WAAS, PfR, IOS FW

Capabilities:
• Seamless LAN and WAN interoperability
• Single policy management domain
• Central point of control for multiple services
• One click implementation of business context policies
• Centralized end to end network level view
• Complete service location and form factor transparency

Benefits:
• Better Resource Utilization
• Simplified Management
• Lower Operational Complexity
• Easier Deployment
• Greater control of Service Level Objectives for critical Apps
• Higher Agility

Smarter Branch, Simpler Operations, Faster Service Delivery
APIC EM + Prime Infrastructure

Current Marketing Vision of APIC-EM and PI Roles

Management & Orchestration Layer:
• Cisco IAC & UCSD: Catalog / Dynamic Service Provisioning
• PRIME INFRASTRUCTURE & NAM: Fault / Events, User / Data Management, Performance Monitoring, Operational Automation, Assurance, Visualization and Analytics
• APIC-EM Apps: Automated Service Provisioning, Network Aware Application, Reporting / Analytics

REST API (ONE DevKit)

Control Layer: Cisco APIC, Common ACI Architecture
• APIC for datacenter; APIC - Enterprise Module
• Network Intelligence, Device Layer Abstraction, Network Control, Policy Enforcement & Network Change
• Southbound: CLI, OpenFlow, onePK API

Device Layer: Cisco Devices (Enterprise Networks, Data Center)

APIC-EM + Management Unified

Prime Apps (System of Record; Hourly – x years of historical data):
• Service / Policy Definition
• Performance Management
• Change Management
• Reporting / Visualization
• Multi-tenant Operations Center
• Analytics driven troubleshooting
• Compliance Management
• Trending / Capacity Planning

NB REST API

Element & N/W Mgmt Functions and APIC-EM (System of Change across Mgmt; ~ short span data):
• Shared Centralized Network Services
• Common Controller Services
• Southbound Programming Layer (Common Models, NE communication, APIs)

Infrastructure: NE, NE, NE, NE

Solution Demos Slides

List of Solution Demonstrations

• QoS Video Classification Enables Enterprise Wide Jabber
• Dynamic Policy Management for Lync Audio/Video
• Dynamic Network Branch security
• Investigation, Mitigation and Remediation using APIC-EM
• Optimizing Video for Citrix VDI
• Cisco APIC-EM Extension for Mission-Critical Apps – SAP HANA

QoS Video Classification Enables Enterprise Wide Jabber

Business Agility Example:
QoS Video Classification Enables Enterprise Wide Jabber

Orchestrate QoS Classification Configuration Change on User Edge Devices

Before: Weeks
• 5-7 Lines of Manual Configuration on Every Edge Device (~5000)
• Manually Customize Configuration for Each Type and Model of Device
• Ad-hoc Script for Scale
• Manual Quarterly Compliance Check

After: Hours (Cisco APIC Enterprise Module)
• Automated Configuration for Every Edge Device (~5000)
• Automatically Customized Configuration for Each Type and Model of Device
• Just a Click
• Automatic Compliance Check Whenever Desired

Benefit: Brownfield Network Integration Doesn’t Require IOS Upgrades
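The slide above contrasts hand-customised per-model configuration and a quarterly manual audit with automated, per-device-type rendering and an on-demand compliance check. The following is an added example (not Easy-QoS or APIC-EM code and not from the presentation) that shows both halves in Python: one video-classification change rendered into the 5-7 lines each device type needs, and a check of a device's running configuration against the expected lines. The device types, the NBAR2 protocol names used for the ISR G2, the ACL-based fallback for the Cat 3750, the media port range and the DSCP value are assumptions chosen for the illustration.

```python
"""Added example: per-device-type QoS classification rendering plus a
compliance check (not Easy-QoS or APIC-EM code).

Renders one application definition into a device-specific classification
snippet for each device type, and audits a running configuration against
the expected lines. Device types, NBAR protocol names, the media port
range and the DSCP value are assumptions for the illustration.
"""

# Assumption: ISR G2 routers classify with NBAR2 protocol names, while the
# Cat 3750 has no NBAR and classifies with an ACL on the media port range.
DEVICE_TEMPLATES = {
    "ISR G2": {
        "prereq": [],
        "classifier": ["match protocol cisco-jabber-video",
                       "match protocol telepresence-media"],
    },
    "Cat 3750": {
        "prereq": ["ip access-list extended VIDEO_MEDIA",
                   " permit udp any any range 16384 32767"],
        "classifier": ["match access-group name VIDEO_MEDIA"],
    },
}


def render_qos_config(device_type, class_name="VIDEO_Q", dscp="af41"):
    """Render the short classification change for one device type.

    Fixed video stations and soft-client video both land in the same
    match-any class, which is what the 'VideoQ' change on the slide does.
    """
    tpl = DEVICE_TEMPLATES[device_type]
    lines = list(tpl["prereq"])
    lines.append(f"class-map match-any {class_name}")
    lines.extend(" " + m for m in tpl["classifier"])
    lines.extend([f"policy-map {class_name}_POLICY", f" class {class_name}",
                  f"  set dscp {dscp}"])
    return lines


def plan_rollout(inventory):
    """inventory: list of (hostname, device_type). Returns hostname -> lines."""
    return {host: render_qos_config(dtype) for host, dtype in inventory}


def compliance_check(running_config, expected_lines):
    """Return the expected lines that are absent from a device's running config.

    Whitespace is normalised so indentation differences do not count as drift.
    """
    present = {line.strip() for line in running_config.splitlines()}
    return [line for line in expected_lines if line.strip() not in present]


# Constructed running config for a Cat 3750 that received the ACL and the
# class-map but never got the policy-map (e.g. an interrupted push).
SAMPLE_RUNNING_CONFIG = """\
hostname branch-a-3750
ip access-list extended VIDEO_MEDIA
 permit udp any any range 16384 32767
class-map match-any VIDEO_Q
 match access-group name VIDEO_MEDIA
interface GigabitEthernet1/0/1
 switchport access vlan 10
"""


if __name__ == "__main__":
    plan = plan_rollout([("branch-a-3750", "Cat 3750"), ("branch-a-isr", "ISR G2")])
    for host, lines in plan.items():
        print(f"--- {host} ({len(lines)} lines)")
        print("\n".join(lines))
    print("missing on branch-a-3750:",
          compliance_check(SAMPLE_RUNNING_CONFIG, plan["branch-a-3750"]))
```

The compliance check is deliberately a presence test on the rendered lines rather than a full config diff: it is cheap enough to run after every push and on a schedule, which is what turns the quarterly manual audit into the "whenever desired" check the slide describes.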


Business Agility Example:
QoS Video Classification Enables Enterprise Wide Jabber

Cisco ACI APIC-EM Easy-QoS (Cisco APIC Enterprise Module)
1. Define new Application – Jabber Video
2. Update QoS Policy
3. Push Updated QoS Policy to Network Devices
4. Deploy Jabber Video Client
Business Agility Example:
QoS Video Classification Enables Enterprise Wide Jabber

The EN Controller (APIC-EM) pushes QoS Changes across the Enterprise Network (3945/ISR G2 routers and Cat 3750 switches at Branch Office A, Branch Office B and Branch Office C; Sales and Developer users):
• Pre-QoS change: Default Classification
• Post-QoS change: VideoQ

• Single change across all network elements enables high quality user experience
• Optimizes Video Q combining high end fixed video stations and soft client video into same class
Dynamic Policy Management for Lync Audio/Video

Application Driven Network Dynamics:
Dynamic Policy Management for Lync Audio/Video

Cisco APIC Enterprise Module: Dynamic Policy Management
• Application > REST API > APIC > Policy
• QoS Marking Policy applied on the Lync Client to Lync Client path
• Traffic Queuing

Dynamic Network Branch Security

Network Threat Defense:
Dynamic Network Branch Security

The SDN Controller (Policy Enforcement) receives a Controller Notification from the SourceFire HQ Defense Center; at the Branch, the ISR with SourceFire Sensor sits between the WAN/Internet and the access switch.

1. BYOD Malware/Javascript Attack Remediation
2. SF Sensor detects threat
3. SF DC notifies Controller (Alert!!!!)
4. Remediation API event
5. Policy installed on Access switch port by Controller.
6. Block or quarantine end-point: Host Quarantined
Investigation, Mitigation and Remediation using APIC-EM

Network Threat Defense:
Investigation, Mitigation and Remediation using APIC-EM

• Demonstration of APIC-EM being used as an SDN Network orchestrator, to integrate event information coming from a 3rd party SIEM (Splunk), and take an action to program the network

What's New/Unique:
• Integration of APIC-EM with a 3rd Party SIEM (Splunk) to orchestrate inspection escalation with SourceFire IDS

Network Threat Defense:
Investigation, Mitigation and Remediation using APIC-EM

APIC Enterprise Module (NB-API, Core Services) with Security Services: SIEM (Investigation, Mitigation, Remediation), pxGrid, ISE (Identity Context, Quarantine)
Inputs: Network Data (Netflow, WSA, IPS), Other Data
Network: Intranet, Catalyst 3850, ASA, Sensitive Data

Sequence shown across the demo slides:
1. Investigate
2. Mitigate: Security Group Tag = Suspicious
3. Remediate (Contain)
4. Mitigate (Block)
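Both the Dynamic Branch Network Security slides (sensor detects, Defense Center notifies the controller, controller installs policy on the access port, host blocked or quarantined) and the Investigation/Mitigation/Remediation sequence above describe the same controller-side loop: validate an incoming security event, locate the endpoint, pick an escalation stage and render the enforcement. The following is an added example (not APIC-EM, SourceFire, Splunk or ISE code and not from the presentation) that implements that loop in Python over a constructed alert and a constructed endpoint inventory. The alert fields, the 0-10 severity scale, the thresholds, the quarantine VLAN, the sensor interface and the SGT name are all assumptions.

```python
"""Added example: alert-to-enforcement handler for the escalation ladder
Investigate -> Mitigate (SGT) -> Remediate/Contain -> Block (not APIC-EM,
SourceFire, Splunk or ISE code). Alert format, severity scale, inventory,
VLAN, sensor port and SGT name are constructed assumptions.
"""
import json

# Constructed endpoint inventory: in the demo this comes from the controller's
# inventory and identity services (NetFlow, ISE/pxGrid), not a static table.
ENDPOINT_INVENTORY = {
    "00:11:22:33:44:55": {"ip": "10.20.0.42", "switch": "branch-a-3850",
                          "interface": "GigabitEthernet1/0/7"},
}
QUARANTINE_VLAN = 999                         # assumption
SENSOR_INTERFACE = "GigabitEthernet1/0/48"    # assumption: where the IDS sensor listens
REQUIRED_FIELDS = ("source", "event_id", "host_mac", "severity", "signature")

# Stage chosen by severity threshold (0-10 scale, assumption); the ladder
# mirrors the demo: copy traffic first, then tag, then contain, then block.
ESCALATION = (
    (0, "investigate"),
    (4, "mitigate"),
    (7, "remediate"),
    (9, "block"),
)


def parse_alert(raw):
    """Validate a SIEM/IDS alert before anything is pushed to the network."""
    alert = json.loads(raw)
    missing = [k for k in REQUIRED_FIELDS if k not in alert]
    if missing:
        raise ValueError(f"alert missing fields: {missing}")
    severity = int(alert["severity"])
    if not 0 <= severity <= 10:
        raise ValueError(f"severity out of range: {severity}")
    alert["severity"] = severity
    alert["host_mac"] = alert["host_mac"].lower()
    return alert


def choose_stage(severity):
    """Highest ladder rung whose threshold the severity reaches."""
    stage = ESCALATION[0][1]
    for threshold, name in ESCALATION:
        if severity >= threshold:
            stage = name
    return stage


def render_actions(stage, endpoint):
    """Map a stage to the enforcement the controller would request."""
    iface = endpoint["interface"]
    if stage == "investigate":      # Copy action: SPAN the port to the sensor
        return [{"channel": "cli", "commands": [
            "monitor session 1 source interface " + iface,
            "monitor session 1 destination interface " + SENSOR_INTERFACE]}]
    if stage == "mitigate":         # Security Group Tag via ISE/pxGrid
        return [{"channel": "pxgrid", "action": "assign_sgt",
                 "ip": endpoint["ip"], "sgt": "Suspicious"}]
    if stage == "remediate":        # Contain: move the port to the quarantine VLAN
        return [{"channel": "cli", "commands": [
            "interface " + iface, f" switchport access vlan {QUARANTINE_VLAN}"]}]
    return [{"channel": "cli", "commands": ["interface " + iface, " shutdown"]}]


def handle_alert(raw, inventory=ENDPOINT_INVENTORY):
    """Full path: validate, locate the endpoint, pick a stage, build actions."""
    alert = parse_alert(raw)
    endpoint = inventory.get(alert["host_mac"])
    if endpoint is None:
        return {"event_id": alert["event_id"], "status": "unknown-endpoint"}
    stage = choose_stage(alert["severity"])
    return {
        "event_id": alert["event_id"],
        "status": "applied",
        "stage": stage,
        "switch": endpoint["switch"],
        "interface": endpoint["interface"],
        "actions": render_actions(stage, endpoint),
    }


# Constructed alert as a SIEM might forward it to the controller's NB-API.
SAMPLE_ALERT = json.dumps({
    "source": "siem", "event_id": "evt-0001", "host_mac": "00:11:22:33:44:55",
    "severity": 8, "signature": "constructed-test-signature",
})

if __name__ == "__main__":
    print(json.dumps(handle_alert(SAMPLE_ALERT), indent=2))
```

The handler returns the planned actions instead of executing them, so the same code can be run in a dry-run mode and logged; an unknown endpoint is reported rather than guessed at, and a malformed alert is rejected before any enforcement is rendered, which keeps a single bad event from the SIEM from changing the network.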
Optimizing Video for Citrix VDI

Application Driven Network Dynamics:
Optimizing Video for Citrix VDI

Cisco APIC Enterprise Module
• Policy > APIC REST API > QoS Marking Policy
• Traffic Queuing

Cisco APIC-EM Extension for Mission-Critical Apps – SAP HANA

Real-time Automated Network Policy Updates in Response to Instantaneous Changes in Workload Requirements for Mission-Critical Applications. SAP HANA Example.

Application Driven Network Dynamics:
Cisco APIC-EM Extension for Mission-Critical Apps – SAP HANA

• Mission-critical applications need high network performance. Especially apps that:
   Receive updates from large numbers of geographically dispersed “things”
   Deliver functionality through private and public clouds
   Support business users via mobile devices.
• This demo leverages Cisco APIC-EM and ITPA (SAP IT Process Automation by Cisco), to optimize network policies, in real-time, to meet a stringent business need.

Application Driven Network Dynamics:
Cisco APIC-EM Extension for Mission-Critical Apps – SAP HANA

• Provides a cross-layer solution that optimizes the network for application performance, in real-time, as business needs change in real-time.
• Receives and processes real-time performance data directly from the application, database, and network.
• Isolates and remediates performance problems in the application, database and network, in real-time.
• Listens to the application.
• Abstracts network control from the application.

APPLICATION LAYER: SAP BW on HANA, SAP Business Suite on HANA, Non-SAP Apps, SAP Legacy Apps, Analytics on HANA, SAP HANA Guided Procedures, Open Interface

APIC-EM Apps-Driven Network Dynamics Extension: SAP Add-On, Plugin for SAP Orchestration Management, Knowledge Base and Topology Mapping, Orchestrated Intelligent Actions, REST Adapter, WS/CLI Adapter

APIC-EM: Network Device Inventory, Policy Management, Network Topology, QoS Management, Auto Discovery, ACL Analysis, Identity Management, 3rd party Management, Controller Apps


Application Driven Network Dynamics:
Cisco APIC-EM Extension for Mission-Critical Apps – SAP HANA

PHARMACEUTICAL DISTRIBUTOR (Data Center): ETL (Data Services), SAP HANA, Distribution Analytics, ITPA, ELK

PROVIDER (Campus): CAT 3850, ISR 2811; Location Discovery, Topology, ELK Plugin, QoS; onePK
