Cisco’s APIC-EM (Application Policy Infrastructure Controller Enterprise Module) is an OpenDaylight-based SDN (Software Defined Networking) controller. You could also call it Cisco’s attempt to Merakify the enterprise. On the bright side, it is a free virtual appliance and no license is required.

One of the biggest features of APIC-EM is called Network Plug and Play.

At a high level, the Cisco switch or router talks to the APIC-EM to streamline workflows and automate deployments. Switches and routers, known as agents, discover the controller using the following mechanisms, tried in this order:

DHCP option 43 or DNS (both below), USB key, cloud discovery (currently beta), or the smartphone app.

DHCP

option 43 ascii "5A1N;B2;K4;I172.19.45.222;J80"

The option 43 string has the following components, delimited by semicolons:

  • 5A1N; specifies the DHCP suboption for Plug and Play: active operation, version 1, no debug information. It is not necessary to change this part of the string.
  • B2; is the IP address type:
    • B1 = hostname
    • B2 = IPv4 (default)
  • Ixxx.xxx.xxx.xxx; is the IP address or hostname of the APIC-EM controller (following a capital letter I). In this example, the IP address is 172.19.45.222.
  • Jxxxx; is the port number used to connect to the APIC-EM controller. In this example, the port number is 80. The default is port 80 for HTTP and port 443 for HTTPS.
  • K4; is the transport protocol used between the Cisco Plug and Play IOS Agent and the server:
    • K4 = HTTP (default)
    • K5 = HTTPS

Keep in mind that the agent trusts whatever the DHCP server (or the pnpserver DNS name below) hands it, and with the K4 default it pulls its initial configuration over plain HTTP. Unless the staging VLAN is entirely under your control, use K5 with port 443 so that the first conversation with the controller is at least encrypted.
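
As an added example (not code from the original post or from Cisco), here is a small Python parser and builder for the option 43 string, handy for checking what a DHCP server is actually handing out before a new switch trusts it. The field meanings come from the list above; the function names, the defaults applied when a suboption is absent, and the sample strings are my own assumptions.

```python
"""Parse and build the Cisco Plug and Play DHCP option 43 string.

Added example, not code from the original post or from Cisco. The field
meanings are the ones listed above; the function names, the defaults applied
when a suboption is absent, and the sample strings are my own assumptions.
"""
import ipaddress

PNP_PREFIX = "5A1N"                       # PnP suboption, active, version 1, no debug
ADDR_TYPES = {"1": "hostname", "2": "ipv4"}
TRANSPORTS = {"4": "http", "5": "https"}
DEFAULT_PORT = {"http": 80, "https": 443}


def parse_pnp_option43(value):
    """Decode an option 43 PnP string into its fields, applying the documented
    defaults (B2, K4, port 80/443) and rejecting anything malformed."""
    parts = [p for p in value.strip().strip('"').split(";") if p]
    if not parts or parts[0] != PNP_PREFIX:
        raise ValueError(f"not a PnP option 43 string: {value!r}")
    seen = {}
    for p in parts[1:]:
        key, val = p[0], p[1:]
        if key in seen:
            raise ValueError(f"duplicate suboption {key}")
        seen[key] = val
    unknown = set(seen) - {"B", "K", "I", "J"}
    if unknown:
        raise ValueError(f"unknown suboptions: {sorted(unknown)}")
    addr_type = ADDR_TYPES.get(seen.get("B", "2"))
    transport = TRANSPORTS.get(seen.get("K", "4"))
    controller = seen.get("I")
    if addr_type is None or transport is None or not controller:
        raise ValueError(f"bad or missing B/K/I suboption in {value!r}")
    if addr_type == "ipv4":
        ipaddress.IPv4Address(controller)     # AddressValueError (a ValueError) if not IPv4
    port = int(seen["J"]) if "J" in seen else DEFAULT_PORT[transport]
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return {"addr_type": addr_type, "transport": transport,
            "controller": controller, "port": port,
            "cleartext": transport == "http"}


def is_valid_pnp_option43(value):
    """True when the string parses; used to screen DHCP server output."""
    try:
        parse_pnp_option43(value)
        return True
    except ValueError:
        return False


def build_pnp_option43(controller, https=True, port=None):
    """Build the value for `option 43 ascii "..."`. HTTPS is the default here
    so the agent's first contact with the controller is not in the clear."""
    try:
        ipaddress.IPv4Address(controller)
        addr_type = "2"
    except ValueError:
        addr_type = "1"                       # not an IPv4 literal, so B1 (hostname)
    transport = "https" if https else "http"
    port = port or DEFAULT_PORT[transport]
    return ";".join([PNP_PREFIX, "B" + addr_type, "K" + ("5" if https else "4"),
                     "I" + controller, "J" + str(port)])
```

The `cleartext` flag in the parsed result is the thing to alarm on: a string that parses cleanly but says K4 means the agent will fetch its configuration over HTTP.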

DNS

APIC-EM: pnpserver.<customerdomain>.com
NTP Server: pnpntpserver.<customerdomain>.com

The DHCP pool will need to be on VLAN 1, or you will need to specify a staging VLAN on the upstream switch:

pnp startup-vlan 55

Another caveat of Plug and Play is that the IOS version on the device must support the PnP agent, and the version the hardware ships with may not.

Another feature of APIC-EM is called Easy QoS

I actually really like this use-case for network programmability. It’s important for the policies to match end-to-end in QoS, so being able to roll out policies and get insights into your policy-maps holistically is kind of a big deal.

APIC-EM documentation gives the concept of Northbound, which is the REST API you can use for custom applications, and Southbound in which APIC-EM talks to hardware using SNMP and CLI. Cisco states “future APIC-EM releases will leverage other southbound technology such as NetConf as they become available”.

I found some Postman collections from CiscoDevNet’s Github page here. Postman collections are a great way to learn by doing.

APIC-EM Firmware Compatibility

Official Getting Started Guide

Suppose we are a service provider carrying multiple tenants across our network. This is actually pretty simple and doesn’t require carrier-grade equipment.

In this example we’ll have an inner tag (customer) and an outer tag (provider). Each 802.1Q tag adds 4 bytes, so the provider switch needs its system MTU raised by 4 (1504 instead of 1500, or jumbo frames) to carry the second tag.

On the provider edge, the customer-facing port gets both “switchport access vlan <provider vlan>”, which defines the customer (that VLAN becomes the outer tag), and “switchport mode dot1q-tunnel”, which tells the switch to push that outer tag on top of whatever the customer sends, tagged or not.

The outer tag is popped again at the far-side tunnel port, so what the CPE sees depends only on the VLAN you assign to its tunnel port.

This is the basics of Q-in-Q. With this you can provide “Metro-E” or “private clouds”; really it’s just basic VLANs inside of VLANs. One thing to watch: keep the native VLAN of the provider trunks different from any VLAN used on a tunnel port (or tag the native VLAN with “vlan dot1q tag native”). Otherwise a customer frame whose outer tag matches the trunk’s native VLAN is sent untagged, the provider tag is lost, and the next switch reads the customer’s own tag as if it were the provider tag.

So can you also do router-on-a-router-on-a-stick? Sure can. The subinterface has to hang off the same physical interface that carries the “dot1q tunneling ethertype” setting, and 0x9100 has to match what the provider switch puts in the outer tag (the default is 0x8100):

2921(config)# interface gigabitethernet 0/1/0
2921(config-if)# dot1q tunneling ethertype 0x9100
2921(config-if)# interface gigabitethernet 0/1/0.1
2921(config-subif)# encapsulation dot1q 100 second-dot1q 200

Read more about it at Cisco’s site.
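
To make the tag and MTU arithmetic concrete, here is an added Python example (not from the original post or from Cisco) that builds a double-tagged frame the way a dot1q-tunnel port would, parses it back, and shows why the outer ethertype on the router has to match the one the provider switch uses. The TPID constants are the standard values; the MAC addresses, the 20-byte payload and all function names are constructed for the example.

```python
"""Build and parse 802.1Q / Q-in-Q Ethernet frames.

Added example, not code from the original post or from Cisco. The TPID
values are the standard ones; the MAC addresses, payload and function names
are constructed for this example.
"""
import struct

ETH_HDR_LEN = 14          # dst MAC (6) + src MAC (6) + ethertype (2)
TAG_LEN = 4               # one 802.1Q tag: TPID (2) + TCI (2)
TPID_8021Q = 0x8100       # customer tag; also the default outer TPID on a Catalyst dot1q-tunnel port
TPID_8021AD = 0x88A8      # IEEE 802.1ad service tag
TPID_9100 = 0x9100        # the value set with "dot1q tunneling ethertype 0x9100"
ETHERTYPE_IPV4 = 0x0800
TAG_TPIDS = {TPID_8021Q, TPID_8021AD, TPID_9100}


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, tags, payload, payload_type=ETHERTYPE_IPV4):
    """dst+src, then one TPID/TCI pair per tag (outermost first), then the
    payload ethertype and payload. PCP and DEI are left at 0."""
    out = _mac(dst) + _mac(src)
    for tpid, vid in tags:
        if tpid not in TAG_TPIDS or not 1 <= vid <= 4094:
            raise ValueError(f"bad tag {(hex(tpid), vid)}")
        out += struct.pack("!HH", tpid, vid)
    return out + struct.pack("!H", payload_type) + payload


def parse_frame(frame):
    """Return (tags outermost first, payload ethertype, payload)."""
    off = 12
    tags = []
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in TAG_TPIDS:
            break
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci & 0x0FFF))       # low 12 bits of the TCI are the VID
        off += TAG_LEN
    return tags, etype, frame[off + 2:]


def push_outer_tag(frame, tpid, vid):
    """What a dot1q-tunnel port does on ingress: insert a provider tag in
    front of whatever the customer sent, tagged or not."""
    return frame[:12] + struct.pack("!HH", tpid, vid) + frame[12:]


def pop_outer_tag(frame, expected_tpid):
    """What the far-side tunnel port (or the 2921 above) does on egress.
    Returns None when the outer TPID is not the configured one, which is how
    a mismatched "dot1q tunneling ethertype" shows up: the frame is simply
    not recognised as tunnelled."""
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != expected_tpid:
        return None
    return frame[:12] + frame[16:]


def system_mtu_for_qinq(base_mtu=1500, extra_tags=1):
    """Each extra tag adds TAG_LEN bytes, so one provider tag on a 1500-byte
    customer frame needs 1504 (the usual Catalyst 'system mtu 1504')."""
    return base_mtu + TAG_LEN * extra_tags
```

Running `pop_outer_tag` with the wrong TPID is the quickest way to see what happens when the router's ethertype and the provider switch disagree: nothing is decapsulated and the customer VLANs never appear.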

monitor session 1 type erspan-source
erspan-id 1
vrf default
destination ip 10.1.x.y
source vlan 1-2,4,6-7,10,12,14,16,18,20,22,28,30,33,40,50,60,100,122,199-200,202 both
source vlan 211-212,222,230,236,240,998-999 both
no shut

monitor erspan origin ip-address y.y.y.y global

The destination IP is of course your L3-based sniffing tool, like ExtraHop; y.y.y.y in this example is a management IP in my default VRF. Keep in mind that ERSPAN is GRE with no encryption, so every mirrored packet (credentials included) crosses the network in the clear between y.y.y.y and the collector. The path should be one you already trust, and the source VLAN list should be only what the collector actually needs.

Sometimes you’re asked to tune down certain hosts only during business hours to conserve bandwidth. I always tell them the easiest way to control this is at the switch, at the physical level, using Tcl scripts and scheduled kron jobs. In this example, the port is dropped to 10 Mb/s with egress limited to 10% of that (about 1 Mb/s) at 8:00 AM daily, and the limit is removed at 5:00 PM.

First, create the script

You can do this in notepad and upload using tftp. I prefer using the cli directly:

switch#tclsh
switch(tcl)#set f [open "flash:portlimit1.tcl" w+]
switch(tcl)#puts $f {ios_config "interface Gi1/0/10" "speed 10" "bandwidth 10000" "srr-queue bandwidth limit 10"}; close $f
switch(tcl)#set f [open "flash:portlimit0.tcl" w+]
switch(tcl)#puts $f {ios_config "interface Gi1/0/10" "speed 1000" "no bandwidth" "no srr-queue bandwidth limit"}; close $f

The close matters: without it the file handle is never flushed and the script on flash can end up empty. The bandwidth command is in kbit/s and is informational only (routing metrics, QoS percentages), so 10000 matches a 10 Mb/s port and no bandwidth restores the default for the gigabit port. Note that kron runs these scripts at privilege 15, so anything that can write to flash can change this port’s configuration.

Next, define the kron policies

kron policy-list turnUp
cli tclsh flash:portlimit0.tcl

kron policy-list turnDown
cli tclsh flash:portlimit1.tcl

Then, schedule the kron job

kron occurrence open at 08:00 recurring
policy-list turnDown

kron occurrence closed at 17:00 recurring
policy-list turnUp

It surprises me how many times people invest the money in a redundant edge but fail to do the simple things: plug into different power sources, and not leave their switch as a single point of failure. With this configuration, you could lose a power source, a firewall, a switch in the stack, and 75% of your cables and still function!

Configure Switch Stack:

vlan 10
name LAN

vlan 777
name ISP1

interface Port-channel1
description Primary ASA
switchport trunk allowed vlan 10,777
switchport mode trunk
!
interface Port-channel2
description Secondary ASA
switchport trunk allowed vlan 10,777
switchport mode trunk
!
interface GigabitEthernet1/0/47
description Primary ASA
switchport trunk allowed vlan 10,777
switchport mode trunk
channel-group 1 mode active
!
interface GigabitEthernet1/0/48
description Secondary ASA
switchport trunk allowed vlan 10,777
switchport mode trunk
channel-group 2 mode active
!
interface GigabitEthernet2/0/47
description Primary ASA
switchport trunk allowed vlan 10,777
switchport mode trunk
channel-group 1 mode active
!
interface GigabitEthernet2/0/48
description Secondary ASA
switchport trunk allowed vlan 10,777
switchport mode trunk
channel-group 2 mode active
!

Configuration Primary ASA:

interface GigabitEthernet0/0
channel-group 1 mode active
no nameif
no security-level
no ip address
no shutdown
!
interface GigabitEthernet0/1
channel-group 1 mode active
no nameif
no security-level
no ip address
no shutdown
!
interface Port-channel1
no nameif
no security-level
no ip address
!
interface Port-channel1.10
vlan 10
nameif LAN
security-level 100
ip address 172.17.10.10 255.255.255.0 standby 172.17.10.11
!
interface Port-channel1.777
vlan 777
nameif ISP1
security-level 0
ip address 24.222.111.25 255.255.255.240

interface GigabitEthernet0/5
description LAN/STATE Failover Interface
no shutdown

failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/5
failover link failover GigabitEthernet0/5
failover interface ip failover 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key xxxxxx
monitor-interface LAN

Physical interfaces on the ASA are shut down by default, so the no shutdown lines are not optional. The failover key (same value on both units) is what encrypts the configuration and state replicated over GigabitEthernet0/5; without it, passwords and session tables cross that link in the clear.

Configure Secondary ASA:

interface GigabitEthernet0/5
no shutdown

failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/5
failover link failover GigabitEthernet0/5
failover interface ip failover 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key xxxxxx
monitor-interface LAN

class-map match-all Voice
match ip dscp ef
match protocol rtp
class-map match-any Signaling
match protocol h323
match protocol rtcp
match protocol rtsp
match protocol sip
match protocol skinny
!
policy-map QoS-Policy-1
class Voice
set dscp ef
priority percent 30
class Signaling
set dscp cs3
bandwidth percent 5
class class-default
fair-queue

interface Outside
bandwidth xxxxxx
service-policy output QoS-Policy-1

Be sure to set bandwidth (in kilobits per second) on the interface; the priority percent and bandwidth percent values above are computed from it.

interface GigabitEthernet0/0
description Internet
ip address 24.175.29.2 255.255.255.252
crypto map VPN

interface GigabitEthernet0/1.10
description Data
ip address 10.2.0.1 255.255.0.0
ip policy route-map RM-PBR

interface GigabitEthernet0/1.20
description Voice
ip address 10.200.0.1 255.255.0.0
ip policy route-map RM-PBR

interface GigabitEthernet0/2
description Metro-E
ip address 10.120.0.2 255.255.255.0

track 1 ip sla 1 reachability
delay down 5 up 5
!
track 2 ip sla 2 reachability
delay down 5 up 5

route-map RM-PBR permit 10
description Prefer Data out VPN
match ip address ACL-Data
set ip next-hop verify-availability 24.175.29.1 10 track 1
set ip next-hop verify-availability 10.120.0.1 20 track 2

route-map RM-PBR permit 20
description Prefer Voice out Metro
match ip address ACL-Voice
set ip next-hop verify-availability 10.120.0.1 10 track 2
set ip next-hop verify-availability 24.175.29.1 20 track 1

ip sla 1
icmp-echo 8.8.8.8
frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 10.120.0.1
frequency 10
ip sla schedule 2 life forever start-time now
ip sla auto discovery

ip access-list extended ACL-Data
permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
permit ip 10.2.0.0 0.0.255.255 10.3.0.0 0.0.255.255

ip access-list extended ACL-Voice
permit ip 10.200.0.0 0.0.255.255 10.100.0.0 0.0.255.255
permit ip 10.200.0.0 0.0.255.255 10.300.0.0 0.0.255.255
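
What the route-map does under each track state is easier to see in code. The following Python is an added example, not from the original post or from Cisco: it copies the prefixes, next hops and track numbers from the configuration above (the second ACL-Voice line is left out because 10.300.0.0 is not a valid IPv4 address) and reproduces the IOS behaviour that verify-availability uses the first next hop whose track is up and otherwise falls back to normal routing without trying later clauses. Function names and the track-state dictionaries are mine. It also makes the weakness of track 1 visible: that probe only proves 8.8.8.8 answers, so data traffic is steered toward 24.175.29.1 whether or not the VPN is up; a probe to an address on the far side of the tunnel is the better check.

```python
"""Simulate the PBR decision the route-map RM-PBR above makes.

Added example, not code from the original post or from Cisco. Prefixes,
next hops and track numbers are copied from the configuration above; the
second ACL-Voice entry is omitted because 10.300.0.0 is not a valid IPv4
address. Function names and the track-state dictionaries are mine.
"""
import ipaddress

# ACL name -> list of (source prefix, destination prefix) permit entries
ACLS = {
    "ACL-Data":  [("10.2.0.0/16", "10.1.0.0/16"), ("10.2.0.0/16", "10.3.0.0/16")],
    "ACL-Voice": [("10.200.0.0/16", "10.100.0.0/16")],
}

# route-map RM-PBR: (sequence, match ACL, [(next hop, track)] in configured order)
RM_PBR = [
    (10, "ACL-Data",  [("24.175.29.1", 1), ("10.120.0.1", 2)]),   # prefer Data out VPN
    (20, "ACL-Voice", [("10.120.0.1", 2), ("24.175.29.1", 1)]),   # prefer Voice out Metro
]


def acl_permits(acl_name, src, dst):
    """True when some entry of the ACL matches both addresses."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(sp) and d in ipaddress.ip_network(dp)
               for sp, dp in ACLS[acl_name])


def select_next_hop(src, dst, track_up):
    """Return the next hop PBR sets for this src/dst, or None when the packet
    is routed by the normal routing table: either no clause matched, or the
    matching clause's next hops are all tracked down (verify-availability
    does not fall through to the next clause)."""
    for _seq, acl_name, hops in RM_PBR:
        if not acl_permits(acl_name, src, dst):
            continue
        for hop, track in hops:
            if track_up.get(track, False):
                return hop
        return None
    return None


def failover_table(src, dst):
    """Next hop chosen for every combination of track 1 / track 2 state."""
    return {(t1, t2): select_next_hop(src, dst, {1: t1, 2: t2})
            for t1 in (True, False) for t2 in (True, False)}
```

`failover_table` is the view to hand to whoever owns the WAN: one row per track combination, so the fallback path for voice and data is agreed before an outage rather than discovered during one.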

interface Vlan99
description guest
ip address 10.99.99.1 255.255.255.0
ip access-group Public-Out in

ip access-list extended Public-Out
remark guest VLAN: allow DHCP, block every RFC 1918 range, then permit the Internet
permit udp any any eq bootps
deny   ip 10.99.99.0 0.0.0.255 192.168.0.0 0.0.255.255
deny   ip 10.99.99.0 0.0.0.255 172.16.0.0 0.15.255.255
deny   ip 10.99.99.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.99.99.0 0.0.0.255 any

The wildcard masks are the part people get wrong: 172.16.0.0 0.0.15.255 only covers 172.16.0.0 through 172.16.15.255 and 10.0.0.0 0.0.0.255 only covers 10.0.0.0/24, which would leave guests a permitted path into the rest of 10.0.0.0/8 and 172.16.0.0/12. 0.15.255.255 and 0.255.255.255 cover the whole blocks.
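
Wildcard masks are where guest ACLs go wrong, and it is worth being able to test an ACL without a switch. The following Python evaluator is an added example, not from the original post or from Cisco. The two ACL texts are constructed: the first is the guest ACL with the masks 0.0.15.255 and 0.0.0.255 that are often mistaken for the /12 and /8 ranges, the second uses the masks that cover those ranges. Function names and the test hosts are my own.

```python
"""Evaluate Cisco extended ACL lines with wildcard masks.

Added example, not code from the original post or from Cisco. The two ACL
texts are constructed for the example; function names and the addresses
used in the checks are my own.
"""
import ipaddress

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}

AS_POSTED = """\
permit udp any any eq bootps
deny   ip 10.99.99.0 0.0.0.255 192.168.0.0 0.0.255.255
deny   ip 10.99.99.0 0.0.0.255 172.16.0.0 0.0.15.255
deny   ip 10.99.99.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 10.99.99.0 0.0.0.255 any
"""

CORRECTED = """\
permit udp any any eq bootps
deny   ip 10.99.99.0 0.0.0.255 192.168.0.0 0.0.255.255
deny   ip 10.99.99.0 0.0.0.255 172.16.0.0 0.15.255.255
deny   ip 10.99.99.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.99.99.0 0.0.0.255 any
"""


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care',
    so only the bits that are 0 in the mask have to equal the base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def _endpoint(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Parse the 'permit|deny proto src dst [eq port]' subset used above."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1]
        src, rest = _endpoint(tokens[2:])
        dst, rest = _endpoint(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append((action, proto, src, dst, dport))
    return entries


def evaluate(entries, proto, src, dst, dport=None):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, eproto, (sb, sw), (db, dw), edport in entries:
        if eproto != "ip" and eproto != proto:
            continue
        if edport is not None and edport != dport:
            continue
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def leaks(entries, src, targets):
    """Destinations in `targets` that a host at `src` can still reach on TCP/445."""
    return [t for t in targets if evaluate(entries, "tcp", src, t, 445) == "permit"]
```

Feed `leaks` the internal prefixes you care about and it returns exactly the ones the ACL still lets the guest VLAN reach; an empty list is the result you want before the ACL goes on the SVI.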

monitor capture buffer CAPTURE_IN size 8096 max-size 9000 circular
monitor capture buffer CAPTURE_OUT size 8096 max-size 9000 circular
monitor capture point ip cef CAP_in GigabitEthernet0/0 both
monitor capture point ip cef CAP_out GigabitEthernet0/1.98 both

monitor capture point associate CAP_in CAPTURE_IN
monitor capture point associate CAP_out CAPTURE_OUT

Start the capture points, reproduce the problem, then stop them:

monitor capture point start CAP_in
monitor capture point start CAP_out

monitor capture point stop CAP_in
monitor capture point stop CAP_out

To download the pcap files (TFTP is unauthenticated and in the clear, and captures routinely contain credentials, so export only to a host you control on a network you trust, or use an authenticated transport such as scp: where the platform supports it):
monitor capture buffer CAPTURE_IN export tftp://1.1.1.2//Capturein.pcap
monitor capture buffer CAPTURE_OUT export tftp://1.1.1.2//Captureout.pcap

https://supportforums.cisco.com/docs/DOC-32870

Verification Commands (the names must match the buffers and capture points defined above):

1) show monitor capture buffer CAPTURE_IN dump

2) show monitor capture buffer CAPTURE_IN parameters

3) show monitor capture point all

Troubleshooting Commands:

1) debug epc capture-point

2) debug epc provision