Autonomic Networking: Simplifying Service Provider Access Deployments BRKSPG-2447
Akshat Sharma, Technical Marketing Engineer
Meet Marco!
• He is a CCIE
• Works for SwiftChase Networks
• In charge of design, deployment and operations
BRKSPG-2447
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
His task for the week: bring up 50 Carrier-Ethernet customer sites and a complete Mobile-Backhaul island, with the following constraints:
• Time: 1 week
• Least cost: CAP-EX and OP-EX
[Diagram: Core, Metro Ethernet Cloud, Core]
“Camp out with the subject.” - Michael Stevens
Deconstruct the Deployment Paradigm
Deployment and Operations: Current Methodology
Purchase -> Pre-Staging -> Installation (Truck Roll) -> Service Activation -> Handling Misconfigurations (Truck Roll) -> Management/Customization
Need to ask the right questions
• Can I avoid truck-rolls due to misconfigurations?
• Which steps can I eliminate?
• Without pre-staging, how do I ensure security?
• Can Zero-touch solutions help?
• Is pre-staging really necessary?
• What about post-deployment operations? Should I consider SDN?
Pre-Staging is superfluous!
Can I eliminate Pre-Staging altogether?
[Diagram: Purchase -> Pre-Staging Facility -> Installation Site]
Enter: Zero-Touch Solutions
• DHCP, DNS, TFTP servers
• Layer 2 or pre-staged helper network
• AutoInstall: bootstrap config to reach the Provisioning Server
• Device authentication + config / image download from the Provisioning Server
Works well for an Enterprise. But Service Provider deployments are a lot more complex...
Zero-Touch gaps in Service Providers
• Expensive: DHCP/DNS servers per access site
• Bootstrap config necessary: third-party Metro Ethernet clouds impede automatic discovery
• Security is a concern: a rogue device gets network access before validation
[Diagram: New Device -> Third-Party Metro Ethernet Cloud -> Aggregation -> Central Provisioning Server. "Who identifies the rogue device?" "How do I reach the central server?"]
Requirements:
• Security
• Discovery *without* servers or configuration
Plugging the gap
Zero-Touch Deployment Solutions built on:
• Security
• Discovery *without* servers or configuration
No Pre-Staging Facility: potentially huge savings!
Handling Misconfigurations
• Remote devices can potentially go offline
• Typical misconfigurations: initial configuration errors, AAA, accidental interface shuts, etc.
• Solution? The dreaded truck rolls
[Diagram: Access -> Third-Party Metro Ethernet Cloud -> Aggregation -> Central Provisioning Server. "OOPS! AAA misconfig: device offline"]
Requirement:
• Consistent Reachability across misconfigurations
Building a Consolidated Solution Space
Requirement 1: A base infrastructure
• Security (new device validation)
• Discovery (services, VLANs etc.) and
• Reachability (across misconfigurations)
need to be resolved automatically, in a holistic manner.
[Diagram: Consistent Reachability, Security, Discovery]
Requirement 2: Applications
Both solution spaces have similar requirements. Can't they just function as applications?
• Provisioning solution of your choice
• Flexibility is key
• EEM, PRIME or SDN controllers must work seamlessly
[Diagram: Zero Touch Deployment Solutions, Management/Customization]
Consolidating the requirements
[Diagram: Management/Customization and Zero-Touch Deployment (EEM / PRIME / SDN controller) as applications on top of a base infrastructure of Consistent Reachability, Security and Discovery]
Circling back... Thus, the most efficient workflow eliminates Pre-Staging and unnecessary truck rolls:
Purchase -> Installation (Truck Roll) -> Service Activation -> Management/Customization
Easier said than done...
Architecturally, this sounds right...
But, is such an infrastructure even possible?
[Diagram: Network with Consistent Reachability, Security, Discovery]
Introducing: Autonomic Networking
Autonomic Networking: The Vision
• Self-Managing
• Self-Configuring
• Self-Optimizing
• Self-Protecting
• Self-Healing
Autonomic Networking: Under the hood
“True” Zero Touch Bootstrap
[Diagram: Michael (new device) and the Registrar, separated by a dark Layer 2 cloud]
Michael: Hmm, do I need a bootstrap config?
Registrar: Nope! Do you have a unique identifier?
Michael: I have a SUDI!
Registrar: Perfect, let's talk!
Channel Discovery
[Diagram: Michael and the Registrar across the dark Layer 2 cloud; both sides note the discovered VLAN ("VLAN noted")]
Domain Certificates: Secure by Default
• Validate UDI against local whitelist
[Diagram: Michael, dark Layer 2 cloud, Registrar]
Autonomic Control Plane (ACP)
[Diagram: Michael, dark Layer 2 cloud, Registrar]
Router# show autonomic device
UDI   Device ID   Domain ID   Domain Certificate             Device Address
      Router-1    cisco.com   (sub:) cn=Router-1:cisco.com   FD08:2EEF:C2EE::D253:5185:5472
Proxy Bootstrap
Steve: Hi Michael, I'm Steve. What do I need to configure to join?
Michael: Nothing! Welcome to AN. I'll be your guide.
[Diagram: Steve, Michael, dark Layer 2 cloud, Registrar]
Tree-like Control plane build-up
[Diagram: Registrar, dark Layer 2 cloud, Michael, Steve]
Virtual Out Of Band Channel (VOOB)
Scenario: AAA misconfig / interface admin-shut
[Diagram: Registrar, dark Layer 2 cloud, Michael, Steve]
Service Discovery
• Automatic discovery and distribution of core services (AAA, DNS, TFTP etc.) over the ACP
[Diagram: AAA Server, Registrar, dark Layer 2 cloud, Michael, Steve]
The Autonomic Networking Infrastructure
Security
• SUDI / UDI validation
• Domain Certificates
• Autonomic Control Plane
Discovery
• Channel Discovery
• Service Discovery
Consistent Reachability
• Autonomic Control Plane
• Indestructible, virtual out-of-band channel
Missing piece of the puzzle?
Time to get cracking!
Before we dive in...
• Baseline release: IOS-XE 3.13
• Supported platforms in baseline release: ASR901, ASR903, ASR901S, ME3600 / ME3800
• Look out for the following indicators: "Real world customer use case" and "Planned for future releases"
Set up the Management Applications/Servers
• Which servers and applications would I need? (Every application and server, other than the CA, MUST be IPv6 capable)
Critical:
• AAA Server
• Certificate Authority (CA)
Deployment centric:
• Zero Touch Deployment Server
Powerful:
• SDN Controller / NMS Applications: Topology app*, Intent interpreter*, Autonomic Domain Manager*, Registrar functionality*
* Future releases
Certificate Authority: Native IOS or External?
• A Registrar validates new devices joining the Autonomic domain
• There are two options (IOS-XE 3.13 and beyond):
CA co-located with AN registrar:
• IOS CA functionality: no need to set up an external server
• Single point of failure in the network
• Redundant Registrars?
External CA:
• Complete flexibility with CA selection
• Registrar acts as Registration Authority (RA)
• Uses SCEP to obtain certificates from the CA for newly accepted AN devices
Zero Touch: Which Server should I choose?
• Application on top of the Autonomic infrastructure
• Config download to trusted devices using the ACP
• Subsequent image download over the data plane
Zero Touch Deployment Server options:
PnP: Cisco Plug-n-Play (PnP) solution*
• Integrates with Cisco Prime
• XMPP based Pub-Sub: build your own deployment applications!
• Support model: Full Cisco support
TFTP: Any open-source IPv6-capable TFTP server
• Free to use and deploy, but limited feature-set
• Support model: No vendor support
* Future releases
Typical Deployment Workflow
Create a Whitelist
• Devices joining the domain must be validated before handing out certificates
• Create a whitelist (text file) of UDIs that are allowed to join
  • Automatically generated by Cisco (from Bill of Sale) for new devices
  • Updated by the customer for existing devices
• Load the whitelist on the Registrar (manually)
[Diagram: Purchase -> Bill of Sale -> Cisco creates whitelist for new devices; customer updates for existing devices -> Registrar]
Configure a Registrar
Router#configure terminal
Router(config)#autonomic registrar
  (Enter Autonomic Registrar config mode)
Router(config-registrar)#domain-id cisco.com
  (Configure domain-id; any name will do)
Router(config-registrar)#whitelist disk:whitelist.txt
  (Specify a local whitelist; optional)
Router(config-registrar)#external-CA url <>
  (Specify an external CA's URL; optional)
Router(config-registrar)#no shut
  (Unshut the Registrar; you're done!)
• If external-CA url is not specified, the Registrar runs an IOS CA locally
• Can the whitelist be made optional?
[Diagram: CA, Registrar]
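As an added example (not code from the deck or from Cisco's registrar), this Python model walks through the admission decision the whitelist and registrar slides describe: UDIs are read from the Cisco-generated and customer-maintained lists, a device presenting its SUDI is accepted only if its UDI is listed, and an accepted device gets a domain certificate subject of the form cn=<device-id>:<domain-id> as in the show output above. The whitelist file format, the UDI strings and the "no whitelist" behaviour are constructed assumptions.

```python
# Added example, not code from the Cisco deck. Models the registrar decision
# from the "Create a Whitelist" / "Configure a Registrar" slides. All UDI
# strings and file contents here are constructed placeholders.
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Registrar:
    domain_id: str
    whitelist: Optional[FrozenSet[str]]  # None models "no whitelist configured"

def parse_whitelist(text: str) -> FrozenSet[str]:
    """One UDI per line; blank lines and '#' comments ignored (assumed format)."""
    udis = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            udis.add(line.upper())   # normalise so case cannot cause a false reject
    return frozenset(udis)

def merge_whitelists(*parts: FrozenSet[str]) -> FrozenSet[str]:
    """Union of the Cisco-generated (Bill of Sale) list and the customer's list."""
    return frozenset().union(*parts)

def admit(reg: Registrar, udi: str, device_id: str) -> dict:
    """Decide whether a device presenting its (S)UDI may join the domain."""
    udi_n = udi.strip().upper()
    if reg.whitelist is None:
        # Whitelist omitted: any device that can reach the registrar is accepted,
        # which is the risk behind the slide's "Can the whitelist be made optional?"
        reason = "accepted: no whitelist configured"
    elif udi_n in reg.whitelist:
        reason = "accepted: UDI on whitelist"
    else:
        return {"admitted": False, "reason": "rejected: UDI not on whitelist",
                "cert_subject": None}
    # Subject follows the deck's show output: (sub:) cn=<device-id>:<domain-id>
    return {"admitted": True, "reason": reason,
            "cert_subject": f"cn={device_id}:{reg.domain_id}"}

# Constructed sample inputs (two whitelist sources, as on the workflow slide)
CISCO_BOS_LIST = "# constructed: generated from Bill of Sale\nUDI-NEW-0001\nUDI-NEW-0002\n"
CUSTOMER_LIST = "# constructed: existing devices added by the customer\nudi-old-0007\n"
WHITELIST = merge_whitelists(parse_whitelist(CISCO_BOS_LIST), parse_whitelist(CUSTOMER_LIST))
REGISTRAR = Registrar(domain_id="cisco.com", whitelist=WHITELIST)

if __name__ == "__main__":
    for udi in ("UDI-NEW-0001", "udi-old-0007", "UDI-ROGUE-9999"):
        print(udi, admit(REGISTRAR, udi, "Router-1"))
```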
Registrar Redundancy
• A Registrar in an Autonomic domain:
  • validates new devices (whitelist)
  • hands out domain certificates
• 1 Registrar failure -> no new devices can join the autonomic domain!
• Good practice to configure multiple registrars
• Registrars can be distributed; no need to be neighbors!
[Diagram: two Registrars with identical configuration]
Bring up Remote Sites: Channel Discovery
• Newly installed device is always passive; Registrars start probing
• Typically, VLAN based E-LINE services: each NID permits one VLAN
• Channel discovery helps discover the allowed VLAN
• ACP is kept separate from the data plane using a QinQ service instance with fixed inner VLAN = 4094
[Diagram: CA, Registrars, Third-Party Metro-Ethernet Cloud; the NID only allows VLAN 416, so the probe with outer VLAN = 416 (inner VLAN = 4094) passes through]
Channel Discovery Limitations
Two issues with generic channel discovery:
• Potentially would have to scan through 4k VLANs: time consuming!
• Selecting available VLANs at random could eat into pre-defined (but not used) ranges
[Diagram: Registrars; "VLANs 415, 416 allowed"; "Started scan from VLAN 2000... how long should I wait?"; "VLANs 2000-2100 reserved for customers!"; "VLAN 2002 is available, right?"]
Introducing... Controlled Channel Discovery
• Configure the Channel Discovery probe range on the Registrar
• Automatically disseminate the probe range to devices as they are bootstrapped
!
autonomic control-plane
 vlan outer 400-420
 vlan inner 4092
end
!
(CLI is subject to change)
[Diagram: Registrars; "Begin probe on VLAN 400"; "VLANs 415, 416 allowed"]
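As an added example (not from the deck), this Python simulation puts numbers on the two channel discovery problems above and on the controlled fix: a constructed NID forwards only outer VLANs 415 and 416, customer VLANs 2000-2100 are reserved but unused, and a generic scan starting at 2000 is compared with the registrar-pushed range 400-420. The inner tag value 4094 is taken from the earlier slide (the sample CLI shows 4092 and is marked subject to change).

```python
# Added example, not code from the Cisco deck. Simulates generic versus
# controlled channel discovery across a third-party NID. The NID's allowed
# VLANs, the probe range and the reserved range are the slide's numbers.
from typing import Iterable, Iterator, List, Optional, Set, Tuple

ACP_INNER_VLAN = 4094        # fixed inner tag separating the ACP from the data plane (assumed 4094 per the deck)
NID_ALLOWED = {415, 416}     # constructed NID: the only outer VLANs it forwards
RESERVED = [(2000, 2100)]    # constructed: range pre-assigned to customers, not yet in use

def nid_passes(outer: int, inner: int, allowed_outer: Set[int]) -> bool:
    """A QinQ probe crosses the NID only if its outer tag is permitted; the inner
    tag must be the ACP tag or the frame is not a control-plane probe at all."""
    return outer in allowed_outer and inner == ACP_INNER_VLAN

def generic_scan(start: int) -> Iterator[int]:
    """Uncontrolled discovery: walk the whole 4k VLAN space from 'start', wrapping."""
    yield from range(start, 4095)
    yield from range(2, start)

def controlled_scan(first: int, last: int) -> Iterator[int]:
    """Controlled discovery: probe only the range pushed down by the registrar."""
    yield from range(first, last + 1)

def discover(order: Iterable[int], allowed_outer: Set[int],
             reserved: List[Tuple[int, int]]) -> Tuple[Optional[int], int, int]:
    """Return (discovered VLAN or None, probes sent, probes that hit a reserved range)."""
    probes = reserved_hits = 0
    for outer in order:
        probes += 1
        if any(lo <= outer <= hi for lo, hi in reserved):
            reserved_hits += 1   # the "VLAN 2002 is available, right?" problem
        if nid_passes(outer, ACP_INNER_VLAN, allowed_outer):
            return outer, probes, reserved_hits
    return None, probes, reserved_hits

if __name__ == "__main__":
    print("generic, starting at 2000:", discover(generic_scan(2000), NID_ALLOWED, RESERVED))
    print("controlled, 400-420:     ", discover(controlled_scan(400, 420), NID_ALLOWED, RESERVED))
```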
Bring up Remote Sites: ACP
• Autonomic Control Plane comes up using the discovered channel
• IPv6 connectivity to Pre-Aggregation devices (ASR903) established
[Diagram: CA, Registrars, Third-Party Metro Ethernet Cloud; device addresses FD08:2EEF:C2EE::D253:5185:547A and FD08:2EEF:C2EE::D253:5185:5237]
Bring up Remote Sites: Proxy Bootstrap
• Remote sites come up without any config
• Proxy bootstrap by the Pre-Agg layer
• Connected via ACP
• Ready to learn services!
[Diagram: CA, Registrars, Third-Party Metro Ethernet Cloud]
Connect the outside world to the ACP
Connect services (DNS, AAA, PnP etc.) to the ACP:
!
interface GigabitEthernet0/3
 autonomic connect
 ipv6 address 2000::10/64
end
!
[Diagram: CA, AAA Server and PnP attached via interface GigabitEthernet0/3; Registrars; Third-Party Metro Ethernet Cloud]
Reap the benefits
Service Discovery
• Services automatically learnt by all the devices
• Note: These are services in the Autonomic domain context, not global
Router#show autonomic service
Service                  IP-Addr
Syslog                   2000::1 UNKNOWN
AAA                      2000::1 UNKNOWN
AAA Accounting Port      1813
AAA Authorization Port   1812
Autonomic registrar      FD08:2EEF:C2EE::D253:5185:5472
TFTP Server              2000::1 UNKNOWN
DNS Server               2000::1 UNKNOWN
[Diagram: CA, AAA Server, PnP, Registrars, Third-Party Metro Ethernet Cloud]
Automatic Configuration Download
• Accomplish config download using the PnP server* or existing TFTP servers
• Bring up services!
[Diagram: Registrars, TFTP, Third-Party Metro Ethernet Cloud]
DEMO!
Oh... What about the Carrier Ethernet Topology?
• Works in exactly the same way
• Autonomic interactions are independent of topology!
• Set up the Registrar and watch the magic unfold
[Diagram: CA, Registrars]
Phew! Time for a Holiday
Stats for the week:
• One Mobile backhaul island
• 50 Carrier-Ethernet customer sites
• Time: 1 week
• Cost: Minimal. Pre-staging and unnecessary truck-rolls eliminated!
• Further benefits:
  • Enhanced security
  • Robust connectivity
  • Base infrastructure to build powerful applications!
Where do we go from here?
Script distribution over the Autonomic Control Plane
• Custom policies using EEM scripts
• Automatic script download and distribution over the ACP
• Intrinsically secure!
[Diagram: Registrars]
Build applications to leverage AN infrastructure*
• Topology applications display the overlay Autonomic Control Plane
• Extract data points such as services discovered, IPv6 addresses and quarantined devices to build custom applications!
* Future releases
Reach out to us!
• Send your queries, requests and suggestions to the core Autonomic team at [email protected]
• Want to learn more about our standardization efforts? Follow our progress at the IETF:
  http://datatracker.ietf.org/doc/draft-behringer-autonomic-network-framework/
  http://tools.ietf.org/html/draft-pritikin-bootstrapping-keyinfrastructures-00
  http://tools.ietf.org/html/draft-behringer-homenet-trust-bootstrap-01
  http://www.ietf.org/id/draft-behringer-default-secure-00.txt
References:
• Base Marco artwork: http://www.123rf.com/profile_texelart
• Slide 22, History: IBM's “Autonomic Computing” (2001), http://www.ibm.com/developerworks/autonomic/library/ac-edge4/
Call to Action...
• Visit the World of Solutions: Cisco Campus, Walk-in Labs, Technical Solutions Clinics, Meet the Engineer
• Lunch Time Table Topics, held in the main Catering Hall
• Recommended Reading: for reading material and further resources for this session, please visit www.pearson-books.com/CLMilan2014
© 2014 Cisco and/or its affiliates. All rights reserved.