Autonomic Networking: Simplifying Service Provider Access Deployments BRKSPG-2447

Akshat Sharma, Technical Marketing Engineer

Meet Marco!

• He is a CCIE
• Works for SwiftChase Networks
• In charge of design, deployment and operations

BRKSPG-2447 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 3

His task for the week: bring up 50 Carrier-Ethernet customer sites and a complete Mobile-Backhaul island, with the following constraints:

• Time: 1 week
• Least cost: CAP-EX and OP-EX

Diagram: Core, Core, Metro Ethernet Cloud.

“Camp out with the subject.” - Michael Stevens

Deconstruct the Deployment Paradigm

Deployment and Operations: Current Methodology

Workflow steps:
• Purchase
• Pre-Staging
• Installation (Truck Roll)
• Service Activation
• Management / Customization
• Handling Misconfigurations (Truck Roll)

Need to ask the right questions

• Which steps can I eliminate?
• Is Pre-staging really necessary?
• Without pre-staging, how do I ensure security?
• Can Zero-touch solutions help?
• Can I avoid truck-rolls due to misconfigurations?
• What about post-deployment operations? Should I consider SDN?

Pre-Staging is superfluous!

Can I eliminate Pre-Staging altogether?

Diagram: Purchase → Pre-Staging Facility → Installation Site.

Enter: Zero-Touch Solutions

• DHCP, DNS, TFTP servers
• Layer 2 or pre-staged helper network
• AutoInstall: bootstrap config to reach the Provisioning Server
• Provisioning Server: device authentication + config / image download

Works well for an Enterprise. But Service Provider deployments are a lot more complex…

Zero-Touch gaps in Service Providers

• Expensive: DHCP/DNS servers per access site
• Bootstrap config necessary: third-party Metro Ethernet clouds impede automatic discovery
• Security is a concern: a rogue device gets network access before validation

Diagram: New Device → Third-Party Metro Ethernet Cloud → Aggregation → Central Provisioning Server. Callouts: "Who identifies the rogue device?" and "How do I reach the Central Server?"

Requirements:
• Security
• Discovery, *without* servers or configuration

Plugging the gap

• Security
• Discovery *without* servers or configuration
→ Zero-Touch Deployment Solutions, with the Pre-Staging Facility eliminated.

Potentially huge savings!

Handling Misconfigurations

• Remote devices can potentially go offline
• Typical misconfigurations: initial configuration errors, AAA, accidental interface shuts, etc.
• Solution? The dreaded truck rolls

Diagram: Access device → Third-Party Metro Ethernet Cloud → Aggregation → Central Provisioning Server. Callout: "AAA misconfig: device offline. OOPS!"

Requirement:
• Consistent Reachability across misconfigurations

Building a Consolidated Solution Space

Requirement 1: A base infrastructure
• Security (new device validation)
• Discovery (services, VLANs, etc.)
• Reachability (across misconfigurations)
These need to be resolved automatically, in a holistic manner.

Diagram: Security, Discovery and Consistent Reachability as the three pillars of the base infrastructure.

Requirement 2: Applications

Both solution spaces have similar requirements. Can't they just function as applications?
• Provisioning solution of your choice
• Zero Touch Deployment Solutions
• Flexibility is key
• EEM, PRIME or SDN controllers must work seamlessly
• Management / Customization

Consolidating the requirements

Application layer: Management / Customization and Zero-Touch Deployment (EEM / PRIME / SDN controller)
Base infrastructure: Security, Discovery and Consistent Reachability

Circling back… Thus, the most efficient workflow eliminates Pre-Staging and unnecessary truck rolls:

• Purchase
• Installation (Truck Roll)
• Service Activation
• Management / Customization

Easier said than done…

Architecturally, this sounds right… But is such an infrastructure (Security, Discovery and Consistent Reachability, built on the Network) even possible?

Introducing: Autonomic Networking

Autonomic Networking: The Vision

Self-Managing:
• Self-Configuring
• Self-Optimizing
• Self-Protecting
• Self-Healing

Autonomic Networking: Under the hood

"True" Zero Touch Bootstrap

Diagram: a new device (Michael) reaches a Registrar across a Dark Layer 2 Cloud.
Michael: "Hmm, do I need a bootstrap config?"
Registrar: "Nope! Do you have a unique identifier?"
Michael: "I have a SUDI!"
Registrar: "Perfect, let's talk!"

Channel Discovery

Diagram: Michael and the Registrar across the Dark Layer 2 Cloud; both sides note the working VLAN ("VLAN noted").

Domain Certificates: Secure by Default

The Registrar validates the UDI against a local whitelist before issuing a domain certificate.

Diagram: Michael, Dark Layer 2 Cloud, Registrar.

Autonomic Control Plane (ACP)

Diagram: Michael, Dark Layer 2 Cloud, Registrar.

Router# show autonomic device
UDI   Device ID   Domain ID   Domain Certificate             Device Address
      Router-1    cisco.com   (sub:) cn=Router-1:cisco.com   FD08:2EEF:C2EE::D253:5185:5472

Proxy Bootstrap

Diagram: a second new device (Steve) joins through Michael; the Registrar sits behind the Dark Layer 2 Cloud.
Steve: "Hi Michael, I'm Steve. What do I need to configure to join?"
Michael: "Nothing! Welcome to AN. I'll be your guide."

Tree-like control plane build-up

Diagram: Registrar, Dark Layer 2 Cloud, Michael, Steve: the control plane grows as a tree rooted at the Registrar, through Michael to Steve.

Virtual Out Of Band Channel (VOOB)

Diagram: Registrar, Dark Layer 2 Cloud, Michael, Steve. Under an AAA misconfig or an interface admin-shut, the device stays reachable over the virtual out-of-band channel.

Service Discovery

• Automatic discovery and distribution of core services (AAA, DNS, TFTP, etc.) over the ACP

Diagram: AAA Server behind the Registrar; Dark Layer 2 Cloud; Michael and Steve learn the service over the ACP.

The Autonomic Networking Infrastructure

Security:
• SUDI / UDI validation
• Domain Certificates
• Autonomic Control Plane

Discovery:
• Channel Discovery
• Service Discovery

Consistent Reachability:
• Autonomic Control Plane
• Indestructible, virtual out-of-band channel

All three rest on the Network.

Missing piece of the puzzle?

Time to get cracking!

Before we dive in…
• Baseline release: IOS-XE 3.13
• Supported platforms in baseline release: ASR901, ASR903, ASR901S, ME3600 / ME3800
• Look out for the following indicators: "Real world customer use case" and "Planned for future releases"

Set up the Management Applications/Servers

• Which servers and applications would I need? (Every application and server, other than the CA, MUST be IPv6 capable)

Critical:
• AAA Server
• Certificate Authority (CA)

Deployment centric:
• Zero Touch Deployment Server

Powerful: SDN Controller / NMS Applications
• Topology app*
• Intent interpreter*
• Autonomic Domain Manager*
• Registrar functionality*

* Future releases

Certificate Authority: Native IOS or External?

• A Registrar validates new devices joining the Autonomic domain
• There are two options (IOS-XE 3.13 and beyond):

CA co-located with the AN Registrar:
• IOS CA functionality: no need to set up an external server
• Single point of failure in the network
• Redundant Registrars?

External CA:
• Complete flexibility with CA selection
• Registrar acts as Registration Authority (RA)
• Uses SCEP to obtain certificates from the CA for newly accepted AN devices

Zero Touch: Which Server should I choose?

• Application on top of the Autonomic infrastructure
• Config download to trusted devices using the ACP
• Subsequent image download over the data plane

Zero Touch Deployment Server options:

PnP:
• Cisco Plug-n-Play (PnP) solution*
• Integrates with Cisco Prime
• XMPP based Pub-Sub: build your own deployment applications!
• Support model: full Cisco support

TFTP:
• Any open-source IPv6-capable TFTP server
• Free to use and deploy, but limited feature-set
• Support model: no vendor support

* Future releases

Typical Deployment Workflow

Create a Whitelist
• Devices joining the domain must be validated before handing out certificates
• Create a whitelist (text file) of UDIs that are allowed to join:
  • Automatically generated by Cisco (from the Bill of Sale) for new devices
  • Updated by the customer for existing devices
• Load the whitelist on the Registrar (manually)

Diagram: Purchase → Bill of Sale → Cisco creates the whitelist for new devices → Registrar; the customer updates it for existing devices.
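Added example (not from the deck or Cisco code): a Python model of the whitelist check the Registrar performs before handing out a domain certificate. The whitelist file format (one UDI per line, '#' comments) and the PID/SN values are assumptions constructed for the example. When no whitelist has been loaded the model fails closed; that is the example's own design choice, not a statement about the product.

```python
"""Registrar-side UDI whitelist check.

Added example, not Cisco code. Models the admission decision described on
the slides: a joining device presents its UDI, the registrar looks it up in
the local whitelist text file, and only a whitelisted device proceeds to
certificate issuance. File format and UDI values are assumptions.
"""
import re
import tempfile
from pathlib import Path
from typing import Optional, Set, Tuple

# Constructed sample whitelist; the PID/SN values are made up.
SAMPLE_WHITELIST = """\
# whitelist.txt - UDIs allowed to join domain cisco.com
# new devices (generated from the bill of sale)
PID:ASR-903 SN:FOX1234A001
PID:ASR-901 SN:FOX1234A002

# existing devices (added by the customer)
pid:me-3600x-24fs-m   sn:FOC5678B001
"""

# Assumed UDI shape after normalisation: "PID:<product id> SN:<serial>".
UDI_PATTERN = re.compile(r"^PID:\S+ SN:\S+$")


def normalise_udi(udi: str) -> str:
    """Upper-case and collapse whitespace so a lookup is not defeated by
    formatting differences between the bill of sale and the device."""
    return " ".join(udi.strip().upper().split())


def load_whitelist(path: Path) -> Set[str]:
    """Parse the whitelist file. Blank lines and '#' comments are skipped;
    a malformed entry aborts the load rather than silently shrinking the list."""
    udis: Set[str] = set()
    for lineno, raw in enumerate(path.read_text().splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        norm = normalise_udi(entry)
        if not UDI_PATTERN.match(norm):
            raise ValueError(f"{path.name}:{lineno}: malformed UDI entry {raw!r}")
        udis.add(norm)
    return udis


def admit(udi: str, whitelist: Optional[Set[str]]) -> Tuple[bool, str]:
    """Decide whether a joining device may be issued a domain certificate.
    Failing closed when no whitelist is loaded is this example's choice."""
    if whitelist is None:
        return False, "no whitelist loaded; refusing to enrol"
    if normalise_udi(udi) in whitelist:
        return True, "UDI whitelisted; proceed to certificate issuance"
    return False, "UDI not whitelisted; quarantine device"


def write_sample_whitelist() -> Path:
    """Write the constructed sample to a temp dir, standing in for disk:whitelist.txt."""
    path = Path(tempfile.mkdtemp()) / "whitelist.txt"
    path.write_text(SAMPLE_WHITELIST)
    return path


def rejects_malformed() -> bool:
    """True if a whitelist containing a malformed line is refused at load time."""
    path = Path(tempfile.mkdtemp()) / "bad.txt"
    path.write_text("PID:ASR-903 SN:FOX1234A001\nPID:ASR-903\n")
    try:
        load_whitelist(path)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Run the three admission cases a registrar sees: known, rogue, no list."""
    whitelist = load_whitelist(write_sample_whitelist())
    return {
        "entries": len(whitelist),
        "known": admit("pid:asr-903  sn:fox1234a001", whitelist)[0],
        "rogue": admit("PID:ASR-903 SN:FOX9999Z999", whitelist)[0],
        "no_list": admit("PID:ASR-903 SN:FOX1234A001", None)[0],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Normalising both the file entries and the presented UDI matters because the bill-of-sale export and the device may differ in case and spacing; refusing to load a malformed file, instead of skipping the bad line, keeps an editing mistake from quietly excluding a legitimate device.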

Configure a Registrar

Router#configure terminal
Router(config)#autonomic registrar
  (Enter Autonomic Registrar config mode)
Router(config-registrar)#domain-id cisco.com
  (Configure the domain-id: any name will do)
Router(config-registrar)#whitelist disk:whitelist.txt
  (Specify a local whitelist; optional)
Router(config-registrar)#external-CA url <>
  (Specify an external CA's URL; optional)
Router(config-registrar)#no shut
  (Unshut the Registrar: you're done!)

• If external-CA url is not specified, the Registrar runs an IOS CA locally
• Can the whitelist be made optional?

Diagram: CA and Registrar.

Registrar Redundancy

• A Registrar in an Autonomic domain:
  • validates new devices (whitelist)
  • hands out domain certificates
• 1 Registrar → failure → no new devices can join the autonomic domain!
• Good practice to configure multiple registrars
• Registrars can be distributed: no need to be neighbors!
• Identical configuration on each Registrar

Bring up Remote Sites: Channel Discovery

• Newly installed device is always passive: Registrars start probing
• Typically, VLAN based E-LINE services: each NID permits one VLAN
• Channel discovery helps discover the allowed VLAN
• ACP is kept separate from the data plane using a QinQ service instance with fixed inner VLAN = 4094

Diagram: CA + Registrar and a second Registrar probe through the Third-Party Metro-Ethernet Cloud (outer VLAN / inner VLAN); the NID only allows VLAN 416, so the probe for VLAN = 416 passes through.

Channel Discovery Limitations

Two issues with generic channel discovery:
• Potentially would have to scan through 4k VLANs: time consuming!
• Selecting available VLANs at random could eat into pre-defined (but not used) ranges

Diagram: Registrars probing a site where VLANs 415 and 416 are allowed, while VLANs 2000-2100 are reserved for customers. Callouts: "Started scan from VLAN 2000… how long should I wait?" and "VLAN 2002 is available, right?"

Introducing… Controlled Channel Discovery

• Configure the Channel Discovery probe range on the Registrar
• Automatically disseminate the probe range to devices as they are bootstrapped

!
autonomic control-plane
 vlan outer 400-420
 vlan inner 4092
end
!

CLI is subject to change

Diagram: Registrars begin probing on VLAN 400; VLANs 415 and 416 are allowed at the site.
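Added example (not from the deck or Cisco code): a Python simulation that contrasts the generic scan from the previous slide with a registrar-controlled probe range. The NID is modelled as a set of permitted outer VLANs, the customer-reserved range 2000-2100 is tracked so it can be shown untouched, and a probe is a function call rather than real traffic; the scenario numbers are the ones drawn on the slides. It also covers a case the slides do not show: a configured range that does not include the site's VLAN, where controlled discovery finds nothing.

```python
"""Channel discovery probe simulation.

Added example, not Cisco code. Contrasts a generic VLAN scan with the
registrar-controlled probe range. The NID is a set of permitted outer
VLANs, a probe is a function call, and the scenario numbers are the ones
drawn on the slides (NID passes 415/416; 2000-2100 reserved for customers).
"""
from typing import FrozenSet, Iterable, Optional, Set, Tuple

VLAN_MIN, VLAN_MAX = 1, 4094

# Constructed scenario taken from the slide figures.
NID_PERMITTED: Set[int] = {415, 416}
CUSTOMER_RESERVED: FrozenSet[int] = frozenset(range(2000, 2101))


def parse_vlan_range(spec: str) -> range:
    """Turn the 'vlan outer 400-420' style spec ("400-420" or "416") into a range."""
    lo, _, hi = spec.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not VLAN_MIN <= lo_i <= hi_i <= VLAN_MAX:
        raise ValueError(f"VLAN range out of bounds: {spec!r}")
    return range(lo_i, hi_i + 1)


def probe_channel(permitted: Set[int], candidates: Iterable[int],
                  reserved: FrozenSet[int] = frozenset()) -> Tuple[Optional[int], int, int]:
    """Probe outer VLANs in order. Returns (first VLAN the NID passes, or None;
    probes sent; probes that landed in a customer-reserved VLAN)."""
    sent = in_reserved = 0
    for vlan in candidates:
        sent += 1
        if vlan in reserved:
            in_reserved += 1
        if vlan in permitted:
            return vlan, sent, in_reserved
    return None, sent, in_reserved


def generic_scan(start: int = 2000) -> Tuple[Optional[int], int, int]:
    """Uncontrolled discovery: start at an arbitrary VLAN, walk to 4094, wrap to 1."""
    order = list(range(start, VLAN_MAX + 1)) + list(range(VLAN_MIN, start))
    return probe_channel(NID_PERMITTED, order, CUSTOMER_RESERVED)


def controlled_scan(spec: str = "400-420") -> Tuple[Optional[int], int, int]:
    """Controlled discovery: probe only the range the registrar disseminated."""
    return probe_channel(NID_PERMITTED, parse_vlan_range(spec), CUSTOMER_RESERVED)


if __name__ == "__main__":
    print("generic from 2000:", generic_scan())           # slow, touches reserved VLANs
    print("controlled 400-420:", controlled_scan())       # 16 probes, reserved untouched
    print("controlled 430-440:", controlled_scan("430-440"))  # range misses the NID: None
```

The third call is the operational caveat: controlled discovery only works when the range pushed from the Registrar actually covers the VLAN each NID permits, so the probe range has to be maintained alongside the E-LINE service assignments.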

Bring up Remote Sites: ACP

• Autonomic Control Plane comes up using the discovered channel
• IPv6 connectivity to Pre-Aggregation devices (ASR903) established

Diagram: CA + Registrar and Registrar, Third-Party Metro Ethernet Cloud, remote devices with ACP addresses FD08:2EEF:C2EE::D253:5185:547A and FD08:2EEF:C2EE::D253:5185:5237.

Bring up Remote Sites: Proxy Bootstrap

• Remote sites come up without any config
• Proxy bootstrap by the Pre-Agg layer
• Connected via ACP
• Ready to learn services!

Diagram: CA + Registrar, Registrar, Third-Party Metro Ethernet Cloud, remote sites.

Connect the outside world to the ACP

Connect services (DNS, AAA, PnP, etc.) to the ACP on interface GigabitEthernet0/3:

!
interface GigabitEthernet0/3
 autonomic connect
 ipv6 address 2000::10/64
end
!

Diagram: CA, AAA Server and PnP attached to the Registrar via GigabitEthernet0/3; second Registrar; Third-Party Metro Ethernet Cloud.

Reap the benefits

Service Discovery
• Services automatically learnt by all the devices
• Note: these are services in the Autonomic domain context, not global

Router#show autonomic service
Service                   IP-Addr
Syslog                    2000::1 UNKNOWN
AAA                       2000::1 UNKNOWN
AAA Accounting Port       1813
AAA Authorization Port    1812
Autonomic registrar       FD08:2EEF:C2EE::D253:5185:5472
TFTP Server               2000::1 UNKNOWN
DNS Server                2000::1 UNKNOWN

Diagram: CA, AAA Server and PnP attached to the Registrar; second Registrar; Third-Party Metro Ethernet Cloud.
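Added example (not from the deck or Cisco code): a Python parser for the show autonomic service output above that splits entries into IPv6 endpoints, port numbers, and anything that breaks the deck's requirement that every server reachable over the ACP be IPv6 capable. The column layout is taken from the slide and may differ between releases; the sample text is transcribed from the slide, and the trailing UNKNOWN token is carried through as a status string without interpretation.

```python
"""Parser for 'show autonomic service' output.

Added example, not Cisco code. Splits the two-column table into IPv6
endpoints, port numbers and entries that break the deck's rule that every
server reachable over the ACP must be IPv6 capable. The column layout is
taken from the slide and may differ by release; the trailing UNKNOWN token
is carried through as a status string without interpretation.
"""
import ipaddress
import re
from typing import Dict, Tuple

# Constructed sample, transcribed from the slide's table.
SAMPLE_OUTPUT = """\
Router#show autonomic service
Service                   IP-Addr
Syslog                    2000::1 UNKNOWN
AAA                       2000::1 UNKNOWN
AAA Accounting Port       1813
AAA Authorization Port    1812
Autonomic registrar       FD08:2EEF:C2EE::D253:5185:5472
TFTP Server               2000::1 UNKNOWN
DNS Server                2000::1 UNKNOWN
"""

# A row is a service name, two or more spaces, then the value column.
ROW = re.compile(r"^(?P<name>\S.*?)\s{2,}(?P<value>\S.*)$")


def parse_services(text: str) -> Dict[str, str]:
    """Map each service name to its raw value column; prompt and header are skipped."""
    services: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("Router#") or line.startswith("Service "):
            continue
        match = ROW.match(line)
        if not match:
            raise ValueError(f"unparsed line: {line!r}")
        services[match.group("name")] = match.group("value")
    return services


def classify(services: Dict[str, str]) -> Tuple[Dict[str, Tuple[str, str]],
                                                Dict[str, int], Dict[str, str]]:
    """Return (endpoints, ports, invalid). An endpoint maps name -> (address, status);
    any non-IPv6 address or out-of-range port lands in invalid with its raw value."""
    endpoints: Dict[str, Tuple[str, str]] = {}
    ports: Dict[str, int] = {}
    invalid: Dict[str, str] = {}
    for name, value in services.items():
        first, *rest = value.split()
        if name.endswith("Port"):
            if first.isdigit() and 1 <= int(first) <= 65535:
                ports[name] = int(first)
            else:
                invalid[name] = value
            continue
        try:
            addr = ipaddress.ip_address(first)
        except ValueError:
            invalid[name] = value
            continue
        if addr.version != 6:  # an IPv4 server breaks the all-IPv6 requirement
            invalid[name] = value
            continue
        endpoints[name] = (str(addr), rest[0] if rest else "")
    return endpoints, ports, invalid


def demo():
    """Parse and classify the constructed sample."""
    return classify(parse_services(SAMPLE_OUTPUT))


if __name__ == "__main__":
    endpoints, ports, invalid = demo()
    for name, (addr, status) in endpoints.items():
        print(f"{name:24} {addr:32} {status}")
    print("ports:", ports)
    print("invalid:", invalid or "none")
```

Addresses are normalised through the ipaddress module, so the upper-case registrar address from the CLI compares equal to the lower-case form an NMS or controller would store; an IPv4 entry such as a legacy DNS server shows up in the invalid bucket before anyone spends time wondering why devices on the ACP cannot reach it.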

Automatic Configuration Download

• Accomplish config download using a PnP server* or existing TFTP servers
• Bring up services!

Diagram: Registrars and a TFTP server reach the remote devices across the Third-Party Metro Ethernet Cloud.

DEMO!

Oh… What about the Carrier Ethernet Topology?

• Works in exactly the same way
• Autonomic interactions are independent of topology!
• Set up the Registrar and watch the magic unfold

Diagram: CA + Registrar and Registrar in the Carrier Ethernet topology.

Phew! Time for a Holiday

Stats for the week:
• One Mobile backhaul island
• 50 Carrier-Ethernet customer sites
• Time: 1 week
• Cost: minimal. Pre-staging and unnecessary truck-rolls eliminated!

Further benefits:
• Enhanced security
• Robust connectivity
• Base infrastructure to build powerful applications!

Where do we go from here?

Script distribution over the Autonomic Control Plane
• Custom policies using EEM scripts
• Automatic script download and distribution over the ACP
• Intrinsically secure!

Diagram: Registrars distribute scripts over the ACP.

Build applications to leverage AN infrastructure*
• Topology applications display the overlay Autonomic Control Plane
• Extract data points such as services discovered, IPv6 addresses and quarantined devices to build custom applications!

* Future releases

Reach out to us!

• Send your queries, requests and suggestions to the core Autonomic team at [email protected]
• Want to learn more about our standardization efforts? Follow our progress at the IETF:
  http://datatracker.ietf.org/doc/draft-behringer-autonomic-network-framework/
  http://tools.ietf.org/html/draft-pritikin-bootstrapping-keyinfrastructures-00
  http://tools.ietf.org/html/draft-behringer-homenet-trust-bootstrap-01
  http://www.ietf.org/id/draft-behringer-default-secure-00.txt

References:
• Base Marco artwork: http://www.123rf.com/profile_texelart
• Slide 22: History: IBM's "Autonomic Computing" (2001), http://www.ibm.com/developerworks/autonomic/library/ac-edge4/

Call to Action…

Visit the World of Solutions:
• Cisco Campus
• Walk-in Labs
• Technical Solutions Clinics
• Meet the Engineer
• Lunch Time Table Topics, held in the main Catering Hall

Recommended Reading: for reading material and further resources for this session, please visit www.pearson-books.com/CLMilan2014

BRKSPG-2447 © 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public

Complete Your Online Session Evaluation
• Complete your online session evaluation
• Complete four session evaluations and the overall conference evaluation to receive your Cisco Live T-shirt

BRKSPG-2447-Autonomic-Simplify.pdf
