Automation in Networks (Automation I Netværk)
TechUpdate January 2017
System Engineers René Andersen & Per Jensen
Source: cisco.com


Agenda: Cisco network automation

1. Network status and development trends in the market: automation, security and central management.

2. Demonstration of a network solution in daily operation: APIC-EM PnP, ISE templates, 802.1x, EasyQoS

3. Cisco network design and next steps: 16.3.X SW update, AVC. Update of the Catalyst series; software via C1. Prime/APIC-EM/ISE/EW

IT Priorities for Digital Transformation: IT Must Simplify to Accelerate Digital Innovation

Faster Innovation | Reduce Cost & Complexity | Lower Risk

Examples of IT Challenges: static budgets; only 30% of digital projects will succeed; more devices, apps, users; technology innovation speed; OpEx 2-3 X the CapEx; slow IT processes; cost of business disruption; 80 days to discover threats; new regulations

Deployment speed chart (Source: Open Compute Project): computing versus networking, in seconds (axis 0, 10, 100, 1000), with networking marked “Slow”.

Network expenses (Source: Forrester): CAPEX 33%, OPEX 67%.

Expensive Deploying WAN:

1. Long Time • Many Locations

2. Complex • Device by Device Config

3. Expensive • Truck Rolls & Flights

“Headquarters”

Automation & Policy:

1. Applications • Visibility & Control

2. Business requirements • Fast rollout

3. Security and Governance • Policy and QoS changes

Faster Innovation | Reduce Cost & Complexity | Lower Risk

Network Requirements for the Digital Organization

Insights & Experiences

Visibility and Analytics users | devices | applications | threats

Automation & Assurance

Speed and Simplicity

Security & Compliance

Real-time & Dynamic Threat Defense

Delivering Digital Capabilities with Cisco DNA

Business Needs: Workforce Experience | Customer Experience | Branch Agility | Security

Network Requirements: Virtualization | Automation | Analytics | Cloud

Faster Innovation | Reduced Cost and Complexity | Lower Risk

DNA Technologies: Unified Access | IWAN | APIC-EM | E-NFV | CMX | NAAS/E | ....... | Partner Ecosystem

Services: Cisco and partner services

What is Cisco Digital Network Architecture?

Cisco Digital Network Architecture

DNA:

An open and extensible, software-driven network architecture designed to rapidly deliver services that enable IT to innovate faster, reduce costs and complexity, lower risk, and comply with regulatory requirements.

Cisco Digital Network Architecture:

Automation: Abstraction & Policy Control from Core to Edge

Open & Programmable | Standards-Based: Open APIs | Developers Environment

Cloud Service Management: Policy | Orchestration

Virtualization: Physical & Virtual Infrastructure | App Hosting

Analytics: Network Data, Contextual Insights

Insights & Experiences | Automation & Assurance | Security & Compliance

Network-enabled Applications: Cloud-enabled | Software-delivered

Principles

Automation: Cisco APIC-EM Automation Platform

Complete Lifecycle | Consistent End to End

• Open and Extensible

• Enterprise Scale and Resiliency

• Automation and Services

Industry-Leading Network Controller: Open APIs | Group-based Policy | Clustering Technology | Cloud Connected Telemetry | Complete Abstraction

Cisco® APIC-EM (over IOS / ASIC)

“Unlike other SDN solutions, APIC-EM can be deployed on our existing infrastructure so we can move quickly with minimum risk and maximum investment protection.”

“The inherent programmability of Cisco APIC-EM allows us to drive innovation and improve on user experience on a world-class infrastructure. It is a solid foundation to embark on a journey to SDN.”

Quoted: Raj Gulani, Director Product Management, Citrix; CJ Singh, Chief Technology Officer, Backcountry.com

Customer Momentum: 1000s of DevNet developers; 160+ customers; deployments running up to 4000 devices

Automation: Plug and Play

PnP Available Now; PnP Cloud May 2016 (controlled availability)

Lower deployment costs: 79%

“Plug and play means no more IT engineers in the field – faster time to market and dramatically lowered costs.”

New! Cloud-Based Plug and Play: eliminates staging and truck roll. Order, plug in and cloud provision, controller-based management.

Cisco ONE Foundation | SWIIM

PnP: Pre-provisioning and Discover Workflows

Plug & Play: enterprise-wide scale, automated workflow, 79% lower deployment costs

Pre-provisioning workflow: 1 Pre-provision, 2 Discovery, 3 Secure Deployment

• Network PnP app pre-provisioned with device SR number

• Configure device discovery: DHCP Option-43 or DNS

• Installer powers on devices; devices download image and configuration

Discover workflow: 1 Discovery, 2 Un-claimed Devices, 3 Secure Deployment

• Configure device discovery: DHCP Option-43 or DNS

• Installer powers on devices; devices securely connect to the APIC-EM server, waiting to be ‘claimed’

• Network admin claims devices based on device information

• Device downloads image and configuration

Diagram (both workflows): Network PnP app on APIC-EM; Admin; DHCP Server or DNS Server for discovery; PnP-Agent on each device; Installer; steps shown: Device Authentication, then Download Image and Configure.

Network Plug and Play (PnP) – Templates

PnP Templates

• Introduced in 1.3

• Based on Apache Velocity

• UI Support

• API Support

Network Plug and Play (PnP)

Switches (Catalyst®)

Routers (ISR, ASR)

Wireless Access Points

New PnP Features in APIC-EM 1.3

• Configuration Templates: Template UI (Text / Form / Preview); default variable substitution

• Device AAA Configuration Support: credential configuration (username & pwd); global / device specific credentials

• Configuration Validation: syntax check; flag non-ASCII & control characters

• Per Device Management IP and Credentials

• PnP agent IPv6 Support
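The default variable substitution and configuration validation listed above, as an added Python illustration (not APIC-EM's own code; the template text, default values and the VLAN-range check are constructed assumptions):

```python
import re

# Constructed example: a small PnP-style configuration template using the
# Velocity-style $variable placeholders the page attributes to PnP templates.
# Rendering and validation below are an added illustration, not APIC-EM code.
TEMPLATE = """hostname $hostname
interface GigabitEthernet1/0/1
 description Printer Port
 switchport access vlan $printer_vlan
interface GigabitEthernet1/0/4
 description Access Point
 switchport access vlan $ap_vlan
"""

# Default variable substitution: used unless a device-specific value overrides it.
DEFAULTS = {"printer_vlan": "10", "ap_vlan": "40"}

VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")
VLAN_RE = re.compile(r"switchport access vlan (\S+)")


def render(template, values, defaults=DEFAULTS):
    """Substitute $variables (device values win over defaults); refuse to emit a
    configuration that still contains unresolved variables."""
    merged = {**defaults, **values}
    names = {m.group(1) for m in VAR_RE.finditer(template)}
    missing = sorted(names - set(merged))
    if missing:
        raise ValueError("unresolved template variables: " + ", ".join(missing))
    return VAR_RE.sub(lambda m: merged[m.group(1)], template)


def validate(config):
    """Return (line_no, reason) findings: non-ASCII or control characters, which
    a CLI parser may silently mangle, plus a minimal syntax check (VLAN range)."""
    findings = []
    for n, line in enumerate(config.splitlines(), 1):
        for ch in line:
            code = ord(ch)
            if code > 127:
                findings.append((n, "non-ASCII character U+%04X" % code))
                break
            if (code < 32 and ch != "\t") or code == 127:
                findings.append((n, "control character U+%04X" % code))
                break
        m = VLAN_RE.search(line)
        if m and not (m.group(1).isdigit() and 1 <= int(m.group(1)) <= 4094):
            findings.append((n, "vlan %s out of range 1-4094" % m.group(1)))
    return findings
```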

Network Plug and Play (PnP)

1. Discovery: Device can reach the PnP Server on APIC-EM

2. Deployment: Device receives target image and configuration

No Staging Required: PnP runs from the Cisco factory-default configuration

Switches (Catalyst®) | Routers (ISR, ASR) | Wireless Access Points

Network Plug and Play (PnP) – Components

PnP Agent: Runs on Cisco® switches, routers, and wireless access points; automates the deployment process

PnP Server: Central server on APIC-EM; manages sites, devices, images, licenses, workflow; provides Northbound REST APIs

PnP Protocol: Runs between Agent and Server; open schema

PnP Helper App [Optional]: Delivers bootstrap, status and troubleshooting checks (adapters listed: Redpark RJ45 Apple 30pin, Redpark RJ45 Apple 8pin, GetConsole Airconsole 2.0, Bluetooth Adapter)

Cloud Redirect Service [Optional]

Roadmap APIC-EM 1.4

PnP – Simple & Secure & Consistent: Switches (Catalyst) | Routers (ISR/ASR 1000) | Wireless AP

APIC-EM PnP Dashboard

APIC-EM Bulk Import/Export

APIC-EM PnP REST API Support: Python and the customer’s existing automation frameworks (i.e. Python scripts, configuration generator, etc.), backed by their device repository and database, drive the APIC-EM API / PnP REST API

N-PnP Cloud Redirection Service (Controlled Availability; GA – Q2CY17; APIC-EM 1.4). Diagram labels: the PnP-Agent asks the PnP Cloud Redirection Service “Where’s my PnP Server?”; the customer’s or partner’s APIC-EM registers its IP address with the cloud; the device SR# flows from the Customer Order in Cisco Commerce Workspace through the Supply-Chain Customer DB to the SmartAccount DB; the device then downloads image & config from the APIC-EM server over the PnP Protocol.

APIC-EM Delivers IT Flexibility: Enabling Automation Through Innovative Management Principles

OPEN (from A to B): Static → Programmable; Expert CLI → Policy + GUI; Greenfield → Brownfield + Greenfield

SIMPLE (from A to B): Manual → Automated; Box-Centric → Network-wide; Provision in Months → Hours

Controller Architecture for Service & Policy: ISE / TrustSec policy capabilities working seamlessly with DNA

Security Policy:

• Identify User and Endpoints

• Profile and Classify devices

• Automate On-Boarding

• Automated Security Policy Provisioning inside/outside fabric

• Sync groups with security apps and other controllers

Service Provisioning (APIC-EM):

• Discover Network Asset & Services

• Check Network Service Readiness

• Provision & Manage Configuration

• Enable additional services instantly

• Provision Network Service Changes

Dynamic Configuration Done the Right Way

Port configs as Templates. Configuration by Reference:

• Service Templates

• Port 1 Printer Vlan 10

• Port 2 Phone Vlan 20

• Port 3 User Vlan 30

• Port 4 Access Point Vlan 40

Physical interfaces on the switch: Gi1/0/1 Printer Port, Gi1/0/2 Phone Port, Gi1/0/3 User Port, Gi1/0/4 Access Point

Template idea: Catalyst switching with Cisco ISE, or interface templates (interface templates 1 to 5 applied as per-port configurations to the physical interfaces)

Interface Templates: Benefits Overview

Configuration file Readability and Manageability

Smaller Configuration files

Built-in Interface Templates for ease of use

All Interface Templates are Customizable

Advantages over Auto Smart Ports

Template updates immediately ripple to interfaces

Per session or Per port templates

No change to running-config

Full rollback and precedence management

Compatible with Session Networking/AutoConf

Switch# show template interface brief

Template-Name

-------------

AP_INTERFACE_TEMPLATE

DMP_INTERFACE_TEMPLATE

IP_CAMERA_INTERFACE_TEMPLATE

IP_PHONE_INTERFACE_TEMPLATE

LAP_INTERFACE_TEMPLATE

MSP_CAMERA_INTERFACE_TEMPLATE

MSP_VC_INTERFACE_TEMPLATE

PRINTER_INTERFACE_TEMPLATE

ROUTER_INTERFACE_TEMPLATE

SWITCH_INTERFACE_TEMPLATE

TP_INTERFACE_TEMPLATE

<partial output>

11 Built-in Templates based on common end devices

ISE Central template topology: C3850-1 switch, MS AD, ISE; endpoints WIN-7 (70:11:24:8D:4B:7E) using 802.1X and IP-Phone (88:75:56:51:51:D9) using MAB.

Windows 7 will be authenticated and authorized by the ISE server; the IP phone will be authenticated and authorized by the ISE server.

Differentiated Authentication: ISE 2.x can use authentications like 802.1X, Web and MAC. Diagram: LAN, Authenticator, RADIUS Server; MAB carried over RADIUS.

Cisco ISE Profiling: Asset Visibility

Feed Service (Online/Offline)

Active probes: Netflow, DHCP, DNS, HTTP, RADIUS, NMAP, SNMP

Device sensor: CDP, LLDP, DHCP, HTTP, H323, SIP, MDNS

1.5 million devices with ‘50’ attributes each can be stored

550+ high-level canned profiles, plus periodic feeds

250+ medical device profiles

Sources: Cisco ISE, Cisco Network, ACIDEX, AD

Quickly see value with ‘Easy Connect’ (ISE 2.1)

Diagram: Employees; Enterprise Network with Cisco ISE, SWITCH-1, Domain Controller, DHCP, DNS, NTP, AD; user DOMAIN\bob.

Flow shown: an unknown endpoint with no 802.1X gets Limited Access; when Bob logs in, ISE retrieves the user-ID and the user’s AD membership and issues a CoA (Limited Access → Full Access).

• Increased visibility into active network sessions

• Flexible deployment co-operates with other auth methods

• Immediate value: leverage existing infrastructure

Passive Identity / Active Identity; MAC Authentication Bypass; Easy Connect®

Access Control: Network Access Control

Enterprise Network with External Identity Stores (AD / LDAP / SQL): Active Directory, LDAP Servers, SQL Server; Passwords / Tokens; Built-in CA

ASP: Auto Smart Port

Scale: 500,000 concurrent sessions; up to 100K network devices; up to 50 distinct AD join point support; 300K internal users

Authentication: Native Supplicants / Cisco AnyConnect; IEEE 802.1X; Web Authentication (Central WebAuth, Local WebAuth)

Deeper Visibility | Centralized Control | Superior Protection

Control It All from a Single Location: Network, Data, and Application

• Secure access from any location, regardless of connection type

• Apply access and usage policies across the entire network

• Monitor access, activity, and compliance of noncorporate assets, take containment actions when needed

Diagram: Remote User, Contractor, Guest, Wireless, Wired, Admin, Enterprise Mobility, Partner, VPN, Branch, Headquarters

Improve Guest Experiences Without Compromising Security

• Hotspot: immediate, uncredentialed Internet access (Guest → Internet)

• Simple Self-Registration (Guest → Internet)

• Role-Based Access with Employee Sponsorship (Guest + Sponsor → Internet and Network)

Give The Right People On The Right Devices The Right Access To The Right Resources with Cisco TrustSec

Who: Guest | What: iPad | Where: Office

Who: Receptionist | What: iPad | Where: Office

Who: Doctor | What: Laptop | Where: Office

Resources: Internet; Confidential Patient Records; Internal Employee Intranet

• Implement Granular Control on Traffic, Users, and Assets

• Enforce Business Role policies for All Network Services and Decisions

• Define Security Groups and Access Policies Based on Business Roles

Traditional Security Policy (an access list, line by line):

access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878
access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467

Cisco TrustSec® Security Policy, with Cisco TrustSec: Security Control Automation | Simplified Access Management | Improved Security Efficacy

Network Fabric: Switch, Router, DC FW, DC Switch, Wireless

Flexible and Scalable Policy Enforcement: Software-defined Segmentation; Visibility with Threat & Vulnerability

ISE 2.1 / ISE 2.X

Cisco ISE and APIC-EM/Prime fit like pieces in a puzzle:

Voice | Employee | Supplier | BYOD

Campus / Branch / Non-ACI DC TrustSec Policy Domain: Voice VLAN, Data VLAN

The new DNA for network automation, security and central control

Resources and Starting Points

• Demos in dCloud and DevNet Sandboxes

• APIC-EM @ CCO: www.cisco.com/go/apicem

• APIC-EM @ DevNet: https://developer.cisco.com/site/apic-em/

• Cisco YouTube: https://www.youtube.com/watch?v=mUY5Er-fjOs