BRKARC-3004 APIC-EM Controller Workflow and Use Cases

Presenter: Markus Harbek, CCIE, CCDE

Who knows what SDN stands for?

  • Still Don’t kNow
  • Still Does Nothing
  • Schnitzel Dinner Night

APIC – Application Policy Infrastructure Controller

  • Data center
  • n9000s
  • Focus on application network profile. SLA, Security, QOS, load balancing
  • Application intent

UCI – User Centric Infrastructure

APIC-EM – APIC Enterprise Module

  • Catalyst, ISR, N7k, n6k, n5k, WLAN
  • Focus on user, things, network profile, QoS, security, SLA, device
  • Application intent

Eventually, APIC and APIC-EM will have a common policy model so they can share policies across DC and enterprise. They will not integrate directly but will talk to a common policy orchestrator.

APIC-EM is really focussed on brownfield deployments because the assumption is that customers already have networks up and running hat APIC-EM needs to integrate into. APIC-EM won’t cconfigure OSPF and STP today, things like that, because they’re more than likely already running.

Imperative Control

  • Baggage handlers at an airport follow sequences of simple, basic instructions

Declarative control

  • ATC tells where to take off from but not how to fly the plane
  • ATC tells the “what”
  • Pilot figures out the “how” part
  • In the network, this would be like the admin wanting segmentation between tenants, controller decides which technology is best to use based on switch hardware and software versions.

Q: what if you don’t like what technology the controller has chosen? A: don’t use APIC-EM :-)

Controllers aren’t just about knowing your topology. It’s easy to understand your topology (sorta). Controllers also take inventory and help you understand capabilities in the network. Eg, can I enable trustsec in my network? (depends on hardware and software versions which the controller will know.

Southbound APIs:

  • CLI
  • SNMP
  • Web UI
  • XML
  • onePK
  • Openstack
  • OpenFlow

Northbound APIs:

  • Web UI
  • YANG
  • RESTful

Smartphone as an analogy to the controller

  • Good hardware
  • Good software
  • APIs from the manufacturer
  • Services from the mfg, like a camera
  • Mfg ships some apps (aka services) with the product

APIC-EM architecture:

  • Single ISO
  • Hypervisor agnostic or bare metal
  • Linux based
  • Services run inside a Linux container
  • Internal network connects containers to each other
  • HA with two APIC-EM instances (active/active)
  • Internet access for app/service updates
  • Service instances will auto scale out based on load and then close down when not needed (elastic)


  • Topology (L2, L3, different protocols, physical)
  • Inventory of devices
  • “Things” attached to the network. IP, MAC, username, attachment point
  • Full REST client onboard the controller (“API” button). Easy to test the API or help develop a script.

Use cases:

  • Network PnP (PnP new switches and routers)
  • Path Visualization (trace a flow through the network) (Path Trace) (Resolves ECMP paths, uses traceroute, Netflow data, ARP tables, MAC tables. Understand when CEF is disabled and can’t make a good determination. Understands L2 vs L3 paths) (Identifies unsuported devices along the path) (Button for “show reverse path”) (Looks inside CAPWAP tunnel and identifies the tunnel as part of the path).
  • EasyQoS and IWAN – campus and WAN QoS configuration, respectfully (drag and drop application names into one of 12 classes (RFC QoS classes)) (declarative; controller takes of “how”; you specific “what”, the intent)
  • IWAN (provisioning via smart wizard/workflow, supports PnP of branch routers, controller knows QoS markings of major providers, just pick your provider from the menu)
  • Sourcefire (FirePOWER informs APIC-EM of an infected host; APIC-EM writes a policy into the network to block that user/device) (policy follows you when you move around the network)
  • ACL analysis (identify shadow ACEs, redundant ACEs) (looks wicked)
  • TrustSec (assess environment for TrustSec readiness; recommend software versions; configure TrustSec)
  • Troubleshooting (configure SPAN/ERSPAN session)

Prime Infrastructure

  • Eventually… PI becomes an application that runs on the controller.
  • PI will be system of record
  • APIC-EM becomes system of change

What’s available today?

  • Will be on – Basic Services (incl TAC support as long as you manage devices under contract) free (as in beer)
  • Solution Apps – $$$
  • Q4CY15 – general availability
  • – sandbox demos; available to customers now, too!

Leave a Reply

Your email address will not be published. Required fields are marked *

Would you like to subscribe to email notification of new comments? You can also subscribe without commenting.