
Prime Infrastructure 3.0 Overview

Gilles Clugnac

Technical Leader Engineering

October 2015

Cisco Prime Infrastructure


Realizing the Vision of One Management

Lifecycle: converged management with integrated best practices
Assurance: simplified operations management
End-to-end application experience and visibility
Scope: Campus Branch to DC, Data Center; Day 0 to Day N; Application-Centric

Agenda

PI 3.0 key new features overview

PnP with APIC-EM details

Configuration Compliance details

Licensing

PI 3.0 key new features

New User Interface


HTML5, CSS3 based UI
No Flash
Improved Shell/Chrome
Simplified Layouts
Guided Workflows
Improved Accessibility, Web Security
Support for multiple languages
Supports all major browsers and OS (99+% Market)

Platform Enhancements

New job dashboard

Composite Reports

EoL/EoS/PSIRT reports are back

Background task optimized: no more dependency between tasks; tasks run at scheduled intervals

Gen 1 Appliance supported with PI 3.0 MR2 release

In-line upgrade from PI 2.2 to PI 3.0

Inventory and Configuration

Access Points associated to Groups (Site/Location/Custom)

Config push for AP based on Groups

Wireless CLI configuration based on velocity templates (convergence on Wireless and Wired CLI template engines)

Access Point Support Device Pack

New AP support via Device Pack
AP support at existing feature parity of WLC release
Simple download available via in-product update

Client Troubleshooting Enhanced


Easy client status visualization

Easy to get to next steps

Status of client statistics

MS Lync Troubleshooting for Wireless deployments

Integration with MS Lync SDN Server
Configuration: Lync policy, Lync profiles
Monitoring: site to site traffic, wired vs wireless, user specific metrics and troubleshooting

Other Wireless Capabilities

HA monitoring for WLC

Redundant guest anchor

Channel Utilization breakdown per AP

ATF Monitoring

AVC on flex configuration and monitoring

WiFi interference awareness (configuration)

Mobility Express (3.0.1)

Bulk Update AP/Refresh AP
RMA AP with same AP model
Refresh infrastructure with new upgraded AP, e.g. migrate from 1700 to 1850
Preserves the map location, association to controller and AP group

PfR Monitoring: Site to Site Visibility
Metrics crossing thresholds for each Service Provider over a selected period of time
Visibility into site to site PfR events

Industry Class Config Baseline Compliance

Leveraged from Prime Network (SP Offering)
Works on most common Cisco platforms: IOS, IOS-XE, IOS-XR, NX-OS, ASA
Flexible Rules engine including Input Parameters, Complex Logic, Condition Checking
Customizable Policy including Violation Message, Severity & Fix CLI
Ability to schedule recurring jobs
Hierarchy: Compliance > Policy > Rule

Plug and Play Workflow with APIC-EM

Plug & Play Using APIC-EM

Global PnP/ZTD Settings
APIC Mode: Plug and Play using APIC-EM. When a valid APIC-EM is added in Prime, this mode switches automatically to APIC-EM mode.
CNS Mode: Plug and Play using a CNS gateway.

PI with Zero-Touch Deployment and PKI Service in APIC-EM

[Diagram: Branch Location with Router/Switch supporting Plug and Play (with Cisco PnP Agent); Internet or MPLS; DMZ; Network Operations Center (NOC), Enterprise or SP, hosting APIC-EM (ZTD service, PKI service) and Prime Infrastructure, connected over REST APIs]

New Plug and Play Service
New Cisco IOS Plug and Play Agent support
Future support for SUDI (Secure Unique Device Identifier)
Plug and Play via local USB stick, local DHCP server (option 43 or 60), future cloud-redirect service

Trust Manager (PKI Service)
APIs to the PKI service in the APIC-EM
The PKI service includes the PKI server (installed in APIC-EM as a core service)

PnP Logical Architecture with APIC-EM

[Diagram]
Clients: Prime Infra 3.0, IWAN App GUI, Other Apps
APIC-EM App Layer: IWAN App Services
APIC-EM Core Layer: NB APIs to the PKI Service (Trust Manager); NB APIs to the ZTD Service and Inventory; Grapevine APIC-EM device abstraction (CLI, SNMP, etc.)
Devices: Routers (ISRs, ASR1k, CSR1k)

Create a Plug & Play Profile

Pre-provision the device in PI

Device is pre-provisioned in APIC-EM

The bootstrap must be deployed on the device. There are different ways to deploy a bootstrap; this is a basic bootstrap. DHCP option 43 is one of them (used in the lab on Thursday).

Device bootstrap: what do we see
Console; PI PnP status; APIC-EM

Certificate Installation

The configuration is deployed
Console; PI PnP status; APIC-EM

And finally the device is automatically managed by PI

Compliance Management

Policy/Profile/Rules & Jobs

Profiles aggregate multiple compliance policies (custom + system) into profile sets.
Policies define a logic set based on rules for configuration or show command output.
Rules are the conditions & actions to be audited.
Jobs run policy profiles against some set of network devices to determine policy compliance.

[Diagram: a Profile contains Policy 1, Policy 2, Policy 3; each Policy contains several Rules]

Built-In Rules and Policies Examples

Audit and Management: Banners, Console Access, DHCP, Domain Name, Host Name, Logging and Syslog, Terminal Access, User Passwords

Configuration Policies: BPDU Filter Disabled on Access Ports, BPDU-Guard Disabled on Access Ports, CDP Enabled on Access Ports, Channel Port in Auto Mode, Loop Guard and Port Fast Enabled on Ports, Non-channel Port in Desirable Mode, Non-trunk Ports in Desirable Mode, Port Fast Enabled on Trunk Port, Port is in Error Disabled State, Trunk Ports in Auto Mode

Security: ACL on Interfaces, Distributed DoS Attacks, Firewall Traffic Rules, Land Attack, Martian Traffic, Null (Black Hole) Routing, Risky Traffic, SMURF Attack, Traffic Rules

Switching: DHCP Snooping, Dynamic Trunking Protocol, IEEE 802.1x Port-Based Authentication, IEEE 802.3 Flow Control, IP Phone + Host Ports, IP Phone Ports, Management VLAN, Port Security, Spanning Tree Protocol (STP), Unidirectional Link Detection (UDLD), Unused Ports, VLAN 1, VLAN Trunking Protocol (VTP)

AAA services: AAA Accounting Commands, AAA Accounting Connections, AAA Accounting Exec, AAA Accounting Network, AAA Accounting System, AAA Authentication Enable, AAA Authentication Login, AAA Authorization Commands, AAA Authorization Configuration, AAA Authorization Exec, AAA Authorization Network, check that at least one of TACACS+, RADIUS or LDAP authentication is configured

Compliance Policies
Granular Feature-level Compliance Definition

Policy has 1 or more Rules
Each Rule has 4 parts:
Rule Information: Name, Description, Impact, Suggested Fix
Platform Selection: IOS, IOS-XE, IOS-XR, NX-OS
Rule Inputs (optional): string, IP address, boolean, etc.
Conditions and Actions: 1 or more (ordered list)

Compliance Policies can be exported/imported (XML file)

Rule Inputs (optional)
Used as parameters in conditions and actions
Scope Execution: for auditing and Fix CLI
Scope Fix: Fix CLI only

Rule Condition Scope & Block Options

Scope controls what information is checked:
Configuration
Command Outputs: show commands, etc.
Device Properties: Device Name, IP Address, OS Name, OS Version
Previously Matched Block

Block Options: check inside config sub-mode blocks. Typical uses: Interface, Router

Conditions and Actions


Condition operations
String compare (contains / does not contain)
Regular Expressions (match / doesn't match)
Evaluate Expression
Execute Function

Actions
Continue: keep checking, go on to the succeeding Condition
Does Not Raise a Violation: stop checking, all is good, no more checking needed
Raise a Violation: raise a violation and stop checking
Raise a Violation and Continue: raise a violation and keep checking, go on to the succeeding Condition

Conditions: String and Expression Matching

String Compare
Checks that the line contains the string
Rule Inputs can be inserted

Regular Expression Support
Single line regular expression
Parentheses collect values
Reference previously collected values as <condition#.value#>
Option to test the expression
Advanced Options control whether to generate multiple violations for a given condition

Rule Conditions - Examples

Sequence of 1 or more conditions evaluated in order
Match & Does Not Match Action specified for every Condition
Strings can reference Rule Input variables
Expressions can reference information collected in previous conditions

Actions: Violation Handling

Either the Match or the Does Not Match Condition could be a Violation
User definable Severity
Message Type: Default or User Defined
User Defined Violation Message option enables 3 additional fields: Message ID (optional), Violation Message text, Fix CLI (optional)
Fix CLI can be invoked from the Audit Job Result (to generate a Fix Job)
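The slides from "Rule Condition Scope & Block Options" through "Actions: Violation Handling" describe a rule as an ordered chain of conditions, each with a Match and a Does Not Match action, optional Rule Inputs, regex capture groups referenced later as <condition#.value#>, and a Fix CLI template. The Python below is an added example that implements that vocabulary as a toy engine; it is not Prime Infrastructure code and does not use Prime's XML policy format. Everything in it is an assumption made for illustration: the Condition/Rule/Violation types, the scope names config/block/prev_block, the <input.NAME> placeholder (modelled on the <condition#.value#> form from the slides), the two rules and the sample switch configuration. Block scope checks every matching sub-mode block on its own, which is how one condition can produce several violations.

```python
# Toy compliance rule engine modelled on the Condition/Action vocabulary in the
# slides. Added example: names, scopes, placeholder syntax and sample data are assumptions.
import re
from collections import namedtuple
from enum import Enum

class Action(Enum):
    CONTINUE = 1            # keep checking, go on to the succeeding Condition
    NO_VIOLATION = 2        # stop checking, all is good
    VIOLATION = 3           # raise a violation and stop checking
    VIOLATION_CONTINUE = 4  # raise a violation and keep checking

# scope: "config" (whole config), "block" (config sub-mode blocks whose header line
# matches block_start) or "prev_block" (the previously matched block).
# op: "contains", "not_contains", "match" (regex), "not_match".
Condition = namedtuple("Condition", "scope op pattern on_match on_nomatch block_start", defaults=("",))
Rule = namedtuple("Rule", "name severity message conditions fix_cli inputs")
Violation = namedtuple("Violation", "device rule severity message fix_cli")

def parse_blocks(config):
    """Split an IOS-style config into (header line, [indented sub-mode lines]) blocks."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def expand(text, inputs, captures, escape):
    """Substitute <input.NAME> and <conditionN.valueM> (values collected by earlier conditions)."""
    val = re.escape if escape else (lambda v: v)
    text = re.sub(r"<input\.(\w+)>", lambda m: val(inputs[m.group(1)]), text)
    return re.sub(r"<condition(\d+)\.value(\d+)>",
                  lambda m: val(captures[int(m.group(1))][int(m.group(2)) - 1]), text)

def evaluate(cond, text, pattern):
    """Return (matched, captured groups) for one condition against one text."""
    if cond.op in ("contains", "not_contains"):
        return ((pattern in text) == (cond.op == "contains")), ()
    m = re.search(pattern, text, re.MULTILINE)  # parentheses collect values
    return ((m is not None) == (cond.op == "match")), (m.groups() if m else ())

def _step(rule, i, text, ctx, captures, out):
    cond = rule.conditions[i]
    pattern = expand(cond.pattern, rule.inputs, captures, cond.op in ("match", "not_match"))
    matched, groups = evaluate(cond, text, pattern)
    captures = {**captures, i + 1: groups}  # available as <condition{i+1}.value#> from here on
    action = cond.on_match if matched else cond.on_nomatch
    if action in (Action.VIOLATION, Action.VIOLATION_CONTINUE):
        out.append(Violation(ctx["device"], rule.name, rule.severity,
                             expand(rule.message, rule.inputs, captures, False),
                             expand(rule.fix_cli, rule.inputs, captures, False)))
    if action in (Action.CONTINUE, Action.VIOLATION_CONTINUE) and i + 1 < len(rule.conditions):
        _walk(rule, i + 1, ctx, captures, out)

def _walk(rule, i, ctx, captures, out):
    cond = rule.conditions[i]
    if cond.scope == "block":
        # Every matching block is checked on its own, so one condition may raise several violations.
        texts = [h + "\n" + "\n".join(b) for h, b in ctx["blocks"] if re.match(cond.block_start, h)]
        for text in texts or [""]:
            _step(rule, i, text, {**ctx, "prev_block": text}, captures, out)
    else:
        _step(rule, i, ctx[cond.scope], ctx, captures, out)

def audit_device(rules, device, config):
    """Audit one device config against all rules; returns the list of Violations."""
    ctx = {"device": device, "config": config, "blocks": parse_blocks(config), "prev_block": ""}
    out = []
    for rule in rules:
        _walk(rule, 0, ctx, {}, out)
    return out

RULES = [  # constructed rules, not Prime's built-in policies
    Rule("Login banner present", "Minor", "No <input.kw> configured",
         [Condition("config", "contains", "<input.kw>", Action.NO_VIOLATION, Action.VIOLATION)],
         "<input.kw> ^C Authorized use only ^C", {"kw": "banner motd"}),
    Rule("Port security on access ports", "Major",
         "Access port <condition1.value1> has no port security",
         [Condition("block", "match", r"^interface (\S+)", Action.CONTINUE, Action.NO_VIOLATION, r"^interface "),
          Condition("prev_block", "contains", "switchport mode access", Action.CONTINUE, Action.NO_VIOLATION),
          Condition("prev_block", "contains", "switchport port-security", Action.NO_VIOLATION, Action.VIOLATION)],
         "interface <condition1.value1>\n switchport port-security\n"
         " switchport port-security maximum <input.max_mac>", {"max_mac": "2"}),
]

SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
interface GigabitEthernet1/0/2
 switchport mode access
interface GigabitEthernet1/0/24
 switchport mode trunk
"""  # constructed sample config, not from the slides

if __name__ == "__main__":
    for v in audit_device(RULES, "SW-ACCESS-01", SAMPLE_CONFIG):
        print(f"[{v.severity}] {v.rule}: {v.message}\n  fix:\n{v.fix_cli}")
```

Running it on the sample config raises two violations: the banner rule fires once at config scope, and the port-security rule fires only for GigabitEthernet1/0/2, because the trunk port leaves the chain at the second condition with Does Not Raise a Violation and the first port satisfies the third condition. The Fix CLI in the second violation carries the interface name captured by the first condition and the Rule Input value, which is what lets an audit result be turned into a Fix Job.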

Compliance Profiles
Profile is an aggregated set of Policies used to audit a set of network devices
Includes multiple Policies: user defined or pre-defined / built-in
Policy Rule Input values can be specified and persisted at Profile level or Fix Job
Select or de-select individual Rules
Select a Profile to run an audit: uses the Prime Infrastructure Job framework; select devices / device groups; select config source (archive or device); schedule as desired

Compliance Jobs
Audit Jobs, Fix Jobs, Violation Summary
Audit Jobs perform the audit; results show violations
Fix Jobs apply the Fix CLI: generated from an Audit Job; preview Fix CLI commands; schedule the Fix Job
Violation Summary: list of all violations

Audit Job Results
Audit Job failure results provide details about all violations found
Violation Summary: overview of all violations in the job
Violations by Device: per-device violation details; non-audited devices go here

Fix Rule Inputs (optional): can be scoped to allow input either for the Profile or the Fix Job
Preview Fix Commands: per device, per policy
Schedule: standard job options
Violation Summary

Audit Flow - Fix Preview
Fix rule inputs are skipped if no fix-type inputs are defined in the Fix CLI of the custom policy. For system policies, fix rule inputs are not defined.

Licensing

Traditional Management to SDN led Management

Traditional Management:
Customer input on business / service intent
-> Customer developed provisioning tools, manual CLI changes, and run book automation for IT Operations support
-> Prime Infra (NMS) (Provisioning and Assurance)
-> NE, NE, NE, ...

SDN Led Management:
Customer input on business / service intent
-> Automation (Workflow / Orchestration)
-> Controller (APIC-EM) together with Prime Infra (NMS): NW (LF, AS)*, UCS
-> NE, NE, NE, ...
* LF: Lifecycle, AS: Assurance

Traditional Management to SDN led Management
Prime Infra + APIC EM (w/ Foundation Apps, Solution Apps, Advanced Apps)

Traditional Management:
Customer input on business / service intent
-> Customer developed provisioning tools, manual CLI changes, and run book automation for IT Operations support
-> Prime Infra (NMS): MGMT 3.x Lic. ($$)
-> NE, NE, NE, ...

SDN Led Management:
Customer input on business / service intent
-> Automation
-> PI 3.x (NMS): NW (LF, AS)*, UCS; PI 3.x Solution Apps (Ex. IWAN App)
-> Controller (APIC-EM): APIC-EM Foundation Apps ($0) (Ex: Inv., Topo., PnP..); Advanced Apps ($$) (Ex: BSA*, Prime Insight); APIC-EM Controller SW ($0); (Opt) UCS HW Platform ($$)
-> NE, NE, NE, ...
* LF: Lifecycle, AS: Assurance
* BSA: Branch Services Automation

Cisco Enterprise Management 3.x : Align with Cisco One

PI 3.x licenses are ordered in increments of one unit device license (no more packs of 25, 50, etc.)

PI 3.x licenses are now linked to the category / sub-category of network devices, e.g., L-MGMT3x-LFAS-AP, L-MGMT3x-LFAS-3K, etc.

PI 3.x licenses will now combine the Lifecycle (LF) and Assurance (AS) licenses into one

Cisco Enterprise Management 3.x (some key facts)

Category 1 (90-95% of network devices fall into this category): Wireless APs (all models), Cat 2K, 3Ks, ISR 1K
The licenses will be priced at $105 / device
Each device license translates to one LF token and one AS token
E.g., L-MGMT3X-AP, L-MGMT3x-2K

Category 2 (5-10% of network devices fall into this category): higher priced network equipment such as Catalyst 4K, 6K and Nexus switches, switch stacks, groups of Instant Access switches, Fabric Extenders
The licenses will be priced at N x $105 / device
Each device license translates to N LF tokens and N AS tokens
E.g., N = 2 for L-MGMT3X-4K; N = 3 for L-MGMT3x-6K

Cisco Management 3.x (some key facts)

When customers upgrade from PI 2.x to PI 3.x (MGMT 3.x):
- Category 1 licenses get translated 1:1 (1 LF -> 1 LF; 1 AS -> 1 AS)
- Any unused licenses from PI 2.x also get translated 1:1 (1 LF -> 1 LF; 1 AS -> 1 AS)
- Category 2 licenses get grandfathered licenses
  - Ex: if a customer has 10 Cat 4500: L-MGMT3X-4K (2 LF, 2 AS) * 10 licenses
  - If you have 10 Cat 4500 switches they will have 20 LF, 20 AS tokens; in PI 2.x you would have had 10 LF and 10 AS
  - When you upgrade from PI 2.x to PI 3.x, the system will translate the 1 LF and 1 AS tokens belonging to Cat 4500 to 10 LF and 10 AS tokens on PI 3.x

Thank you.
