© 2017 Cisco and/or its affiliates. All rights reserved. 1
Cisco Digital Network Architecture – Deeper Dive, “From the Gates to the GUI”
Don Orlik (don.orlik@cisco.com)
Enterprise Networking Sales
April 4, 2018
Cisco Connect
Session Abstract
Cisco Digital Network Architecture – Deeper Dive, “From the Gates to the GUI”
Come to this session to learn how the latest advances in Cisco Enterprise silicon development – programmable, flexible ASIC (Application Specific Integrated Circuit) hardware which provides a key foundational element of Cisco's Digital Network Architecture portfolio – are driving industry innovations such as Cisco’s new Catalyst 9000 family of switches, as well as exciting new solutions such as ETA (Encrypted Traffic Analytics) and Software-Defined Access.
Attendees at this session will gain greater insight into how ASICs are designed and built, showcasing the advanced capabilities and functionality delivered by Cisco's latest switching silicon innovations provided by UADP (Unified Access Data Plane), as well as the latest advancements in Cisco’s wireless silicon. Most importantly, this session will show the continuum of Cisco’s evolution – from the gates (silicon gates, that is) to the latest advanced GUIs that solutions such as SD-Access are enabled with – allowing customers to move faster, innovate rapidly, and drive significant cost savings for their organizations.
Come to this session to “double-click” on how Cisco is revolutionizing the Enterprise network with DNA! This is the second of two sessions: an optional introduction to the principles of DNA, as well as an exploration of the new DNA Center GUI and the Automation and Assurance aspects of the Cisco Digital Network Architecture it supports, is covered in the preceding companion session.
Agenda
• Industry Trends
• The Network Intuitive
• Cisco DNA and the Importance of Flexible Hardware
• The Evolution of the Application Specific Integrated Circuit
• DNA/Software Defined Access
• DNA Center
• Encrypted Traffic Analytics
• Catalyst 9000
• Summary, Q&A
We are going to try to cover Cisco Innovation from “The Gates to the GUI”
Innovation - The world’s 50 most innovative companies
# 37. Cisco Systems
2017 patent grants: 967
2016 patent grants: 978
$6.5 Billion annual investment in R&D, $133 Million in Canada.
Source - 24/7 Wall St. Jan 12, 2018
From Innovations in Silicon and Software … … to Innovations in Platforms and Solutions
And Why These Innovations Matter
Cisco DNA and the Importance of Network Innovation
© 2016 Cisco and/or its affiliates. All rights reserved. 9
Enterprise Trends Driving Digital Transformation
Advanced Persistent Threats
Devices per Person: 3.64
Mobile world requires access to everything everywhere
Mobility
Devices per Admin: 100K
Agility and New Consumption Models
Cloud
IoT
Things Connected: 7.5B
Unmanned devices growing at a rapid pace
Enterprise Trends – Skills shortages
Blockchain, artificial intelligence, 5G mobile networks, 3D printing and
virtual reality are creating a need for digital skills that will see a
demand for an estimated 216,000 additional technology workers by
2021, according to a new report.
Source: Forrester; Source: Open Compute Project
80% – Time IT spends on operations
57% – CEOs are worried about IT strategy not supporting business growth
The Need for Agility
Changing Enterprise Requirements
[Charts: Network Expenses – CAPEX 33% / OPEX 67%; Deployment Speed in seconds (0, 10, 100, 1000) – Computing vs Networking]
Traditional Networks Cannot Meet the Demand
[Diagram: HQ, Remote and Branch sites connected over the WAN, each with VLAN 1, VLAN 2, VLAN 3 and separate ACL 1, ACL 2, ACL 3]
• Users, Device and IoT Segmentation
• Enabling Seamless Mobility
• Secure Connectivity to the Cloud
• Setting Up End-End Security
Cisco Digital Network Architecture Principles
Insights and experiences | Automation and assurance | Security and compliance
Automation: Abstraction and policy control from core to edge
Open and programmable | Standards-based
Open APIs | Developers environment
Cloud service management
Policy | Orchestration
Physical and virtual infrastructure | App hosting
Network data, contextual insights
Network-enabled applications
Cloud-enabled | Software-delivered
Analytics | Virtualization
Intent-based Network Infrastructure
DNA Center: Analytics | Policy | Automation
Intent | Context | Security | Learning
The Network. Intuitive.
Constantly learning, adapting and protecting.
Informed by Context: Visibility into traffic and threat patterns (Who, What, When, Where, How)
Powered by Intent: Translate business intent to network policy; automate the management and provisioning of millions of devices instantly
The Network Intuitive. Moving From Manual to Automated
Automated Deployment (Exists Today): Plug and Play, Day 0 Deployment
[Diagram: Admin, Installer, HTTP Proxy, Internet]
Step 1: Network admin provisions devices in Cisco Network Plug and Play applications
Step 2: Onsite installer with mobile app installs and powers on devices, triggers deployment, checks status
Step 3: New devices contact Cisco Network Plug and Play application to get provisioned; network admin can remotely monitor install status
One Point of Management – All from Cisco DNA Center (New): Configure once and deploy everywhere - SD-Access; consistent across network fabric (DNA Center, Campus Fabric, SDA)
Self-Driving Automation (Future): Closed loop through network analytics and machine learning
Basic → Advanced
Quality of Service – Intuitive?
Platform queuing models today (each platform is a trust boundary / policy enforcement point, PEP):
• Wireless AP: 4Q (WMM)
• Catalyst 3650: 2P6Q3T
• Catalyst 4500: 1P7Q1T
• Catalyst 6500: 1P3Q4T, 1P7Q4T, 2P6Q4T, …
• Nexus 7700 F3: 1P7Q1T
• WLC: PEP
• ASR/ISRs: MQC
• Catalyst 2960-X: 1P3Q3T
Application Policy Operation
Network Operators express high-level business intent to the EasyQoS app.
Southbound APIs translate business intent to platform-specific configurations (Network Controller).
Application Policy Results
Network Controller: Application Policy will seamlessly interconnect all types of hardware and software queuing models to achieve consistent and compatible end-to-end treatments, aligned with the expressed business intent.
ip access-list extended APIC_EM-MM_STREAM-ACL
remark citrix - Citrix
permit tcp any any eq 1494
permit udp any any eq 1494
permit tcp any any eq 2598
permit udp any any eq 2598
remark citrix-static - Citrix-Static
permit tcp any any eq 1604
permit udp any any eq 1604
permit tcp any any range 2512 2513
permit udp any any range 2512 2513
remark pcoip - PCoIP
permit tcp any any eq 4172
permit udp any any eq 4172
permit tcp any any eq 5172
permit udp any any eq 5172
remark timbuktu - Timbuktu
permit tcp any any eq 407
permit udp any any eq 407
remark xwindows - XWindows
permit tcp any any range 6000 6003
remark vnc - VNC
permit tcp any any eq 5800
permit udp any any eq 5800
permit tcp any any range 5900 5901
permit udp any any range 5900 5901
exit
ip access-list extended APIC_EM-SIGNALING-ACL
remark h323 - H.323
permit tcp any any eq 1300
permit udp any any eq 1300
Legacy QoS Policy vs. Intent-Based Application Policy
Cisco DNA and the Importance of Flexible Hardware
Logic Design Choices
• General Purpose CPU
• Field Programmable Gate Arrays
• Application Specific Integrated Circuits
• System on Chip
• Graphics Processing Unit
Why Does Cisco Develop Our Own Silicon?
Simpler Deployment Options
Better Insight and Optimization
Increased Security
Most Appropriate Scalability
Flexibility and Investment Protection via Programmability
• The vast majority of Cisco products include custom ASICs
• Custom ASICs in: Catalyst 3000, 9000; Nexus 5000, 7000, 9000; ISR, ASR 1000 (Quantum Flow Processor); Wireless; …
Cisco R&D Investments: UADP 2.0 – Next Generation of ASIC Innovation
• 7.46B transistors, 28nm technology
• Up to 32MB packet buffer
• Up to 64K x2 NetFlow records
• Embedded microcontrollers
• Shared lookup
• Up to 240GE bandwidth
• 384K flex counters, up to 2X to 4X forwarding + TCAM
• Universal deployments, adaptable tables, enhanced scale/buffering, multicore resource share, investment protection, flexible pipeline
• Mobile ready; Security/TrustSec/MACsec; enhanced NetFlow; programmable high performance; recirculation (tunneling - GRE, VXLAN, etc.); flexible pipeline
Traditional Fixed ASIC Processing Pipeline
Traditionally the ASIC processing pipeline is FIXED (IPv4, IPv6) … and has challenges handling NEW PROTOCOLS … (MPLS)
Unified Access Data Plane – Flexible, Programmable Processing Pipeline
Cisco’s UADP ASIC delivers FLEXIBILITY … Flex Parser, Flex Rewrite, Flex Counters; Stage 1, Stage 2, Stage 3 … Stage n (IPv4, IPv6, VXLAN, MPLS, GRE, IPv7)
If IPv7 were invented tomorrow … we could probably handle it via the Programmable Pipeline!
So where can Flexible ASICs help us?
DNA Flexible Infrastructure – Programmable ASIC Silicon
What does all of this mean for me?
Cisco Programmable Hardware equals FLEXIBILITY and ADAPTABILITY, enabling network evolution: a critical requirement for DNA
Cisco Digital Network Architecture
How DNA Center embraces the Cisco DNA Principles
Insights and experiences | Automation and assurance | Security and compliance
Automation: Abstraction and policy control from core to edge
Open and programmable | Standards-based
Open APIs | Developers environment
Cloud service management
Policy | Orchestration
Physical and virtual infrastructure | App hosting
Network data, contextual insights
Network-enabled applications
Cloud-enabled | Software-delivered
Analytics | Virtualization
DNA Center: Automation, ISE, Analytics & Assurance
June 2017 - What we announced:
• DNA Center
Built-in expertise to manage and deploy end-to-end network
services with a central management
• DNA Analytics & Assurance
Analytics collects data from users, devices, and applications
and uses machine learning to proactively identify problems
• Software-Defined Access
Dynamically adapt to changing needs with policy-based
management of the network fabric
• Enhanced Network as a Sensor
Uncover threats hidden in encrypted traffic without
decryption.
• Catalyst 9000 Series Switches
First infrastructure devices purposely designed for DNA
Software Subscription Licensing | DNA Advisory, Technical, Support Services
New Announcements:
• DNA Center with Assurance
• Cisco Wi-Fi Analytics for iOS
• Cisco Aironet Active Sensor
• Cisco Operational Insights
• Cisco Meraki Insight
• Cisco SD-WAN vAnalytics
Cisco Live Barcelona January 30, 2018
Software-Defined Access
Industry’s first policy-based automation from the edge to the cloud
Single Network Fabric | Automate User Access Policy | End-to-End Segmentation
• Keep user, device and application traffic separate without redesigning the network
• Apply the right policies for user or device to any application across the network
• Enable a consistent user experience anywhere without compromising on security
Common user policy for the branch, campus, WAN and cloud
Software Defined Access (SD-Access): Bringing Everything Together
Controller-based Management | Programmable Overlay | Simplified L3 Underlay
[Diagram: DNA Center (APIC-EM, ISE, NDP) above a fabric of Control-Plane Nodes (C), Fabric Border Nodes (B), Fabric Edge Nodes, Intermediate Nodes (Underlay), a Fabric Wireless LAN Controller, Identity Services and an Analytics Engine]
SD-Access Roles & Terminology
§ Control-Plane Nodes – Map System that manages Endpoint ID to Device relationships
§ Edge Nodes – A Fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SDA Fabric
§ Identity Services – External ID Systems (e.g. ISE) are leveraged for dynamic User or Device to Group mapping and Policy definition
§ Border Nodes – A Fabric device (e.g. Core) that connects External L3 network(s) to the SDA Fabric
§ DNA Controller – Enterprise SDN Controller provides GUI management and abstraction via multiple Service Apps, that share information
§ Analytics Engine – External Data Collectors (e.g. NDP) are leveraged to analyze User or Device to App flows and monitor fabric status
§ Fabric Wireless Controller – A Fabric device (WLC) that connects Wireless Endpoints to the SDA Fabric
Policy in Today’s Networks
[Diagram: Enterprise Network packet fields: PAYLOAD DATA | IP SRC | IP DST | PROT | DST PORT | SRC PORT | DSCP]
Policy is based on “5 Tuple”
• Only transitive information
• Survives end to end
Network Policy
• QoS
• Security
• Redirect/copy
• Traffic engineering
• etc.
[Diagram: the same Enterprise Network packet fields: PAYLOAD DATA | IP SRC | IP DST | PROT | DST PORT | SRC PORT | DSCP; where is the user/device info?]
Network Policy and IP Address “meaning” OVERLOAD: IP addresses
§ Locate you
§ Identify you
§ Drive “treatment”
§ Constrain you
[Diagram: VLAN 10, VLAN 20, VLAN 30, VLAN 40 mapped to SSID A, SSID B, SSID C, SSID D]
access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165
access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428
access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511
access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945
access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116
access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959
access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993
access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
What is the Problem?
Group Policy Rollout Today – What if You Need to Add Another Group & Policy?
[Diagram: L2 and L3 switches with trunks, LAN Core, WLAN with one SSID shared by BYOD, Employee and Contractor, AAA / DHCP / AD, Production Servers and Developer Servers]
Multiple Steps and Touch Points
1. Define Groups in AD
2. Define Policies
§ VLAN/subnet based
3. Implement VLANs/Subnets
§ Create VLANs
§ Define DHCP scope
§ Create subnets and L3 interfaces
§ Routing for new subnets
§ Map SSID to Interface/VLAN
4. Implement Policy
§ Define ACLs
§ Apply ACLs
5. Many different User Interfaces: AAA, WLC, Devices CLI, ….
Software-Defined Access: Networking at the speed of Software!
• Automated Network Fabric: Single fabric for wired & wireless with workflow-based automation
• Insights & Telemetry: Analytics and insights into user and application behavior
• Identity-based Policy & Segmentation: Decoupled security policy definition from VLAN and IP address
DNA Center: Analytics | Policy | Automation
[Diagram: IoT Network and Employee Network; SDA-Extension; User Mobility: policy stays with user]
Secure onboarding of users and devices
Segmentation and Access Control
Before SD-Access:
• VLAN and IP address based
• Create IP based ACLs for access policy
• Deal with policy violations and errors manually
After SD-Access:
• No VLAN or subnet dependency for segmentation and access control
• Define one consistent policy
• Policy follows Identity
Group-Based Policy | Policy follows Identity | Completely Automated
[Diagram: drag policy to apply across Users, Devices and Apps; Staff/Admin, IoT and Guest Virtual Networks containing Groups 1 to 6]
Consistent wired and wireless management
A single network fabric
Before SDA:
• Repeated policy work for wired-wireless
• Roaming issues across L3 domains
• Chase down IP addresses for troubleshooting
After SDA:
• Consistent management across wired-wireless
• Optimal traffic flows with seamless roaming
• Seamless roaming in Fabric and non-Fabric domains
Campus-Wide Roaming | Wired and Wireless Consistency | Simplified Provisioning
[Diagram: roam is L2; seamless roam; policy stays with user]
Automate IoT Deployments at Scale
SD-Access Extension
Before SDA:
• Complex segmentation of IoT and user traffic
• Chase down IP addresses for troubleshooting
• Static endpoint management
After SDA:
• Intuitive identity-based segmentation with device profiling
• Built-in visibility and granular policy control
• Dynamic endpoint management
Users, Device and IoT Segmentation | Policy based Automation | Purpose Built Switches for IoT
[Diagram: Extension Node connecting Connected Lighting and IP Surveillance alongside Employee Network A and Employee Network B]
Identity-based Policy – Segmentation & Access Control
Software-Defined Access
1. Virtual Networks: First level segmentation that ensures zero communication between building systems and users
2. Groups: Second level segmentation within a Virtual Network that ensures role based access control between two groups
[Diagram: IoHT Virtual Network with Group 3; Clinical/Admin Virtual Network with Group 1, Group 2, Group 4 and Group 5; routers, switches, wireless AP and WLC; policy options: Default Permit, Custom Deny, Default Deny]
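A minimal model of the two-level segmentation just described, and of the "policy follows identity" point from the Before/After SD-Access slide, as an added example that is not DNA Center or ISE code: virtual networks isolate at level 1, group contracts with a per-VN default decide at level 2, and the decision never reads the IP address, so a roam leaves it unchanged. The VN and group names follow the slide; the contracts, endpoints and addresses are made up.

```python
# Added example (not from the Cisco deck): two-level segmentation model.
# Level 1: endpoints in different virtual networks (VNs) never communicate.
# Level 2: inside a VN a group-to-group contract decides, otherwise the VN
# default applies (Default Permit + Custom Deny, or Default Deny).
# Endpoints, contracts and IPs are constructed for illustration.
from dataclasses import dataclass, replace

PERMIT, DENY = "permit", "deny"


@dataclass(frozen=True)
class Endpoint:
    name: str
    vn: str       # virtual network: level-1 segmentation
    group: str    # scalable group: level-2 segmentation
    ip: str       # informational only; the policy never reads it


class SegmentationPolicy:
    """VN isolation first, then directional group contracts with a per-VN
    default action."""

    def __init__(self):
        self.vn_default = {}    # vn -> PERMIT | DENY
        self.contracts = {}     # (vn, src_group, dst_group) -> PERMIT | DENY

    def set_vn_default(self, vn, action):
        self.vn_default[vn] = action

    def add_contract(self, vn, src_group, dst_group, action):
        # Contracts are directional, like rows and columns of the policy matrix.
        self.contracts[(vn, src_group, dst_group)] = action

    def decide(self, src, dst):
        """Return (action, reason) for traffic from src to dst."""
        if src.vn != dst.vn:
            return DENY, "level 1: different virtual networks"
        key = (src.vn, src.group, dst.group)
        if key in self.contracts:
            return self.contracts[key], "level 2: explicit contract"
        # A VN with no configured default falls to deny, so a typo never opens traffic.
        return self.vn_default.get(src.vn, DENY), "level 2: VN default"

    def matrix(self, vn, groups):
        """Effective group-to-group matrix for one VN, as the GUI shows it:
        {src_group: {dst_group: action}}."""
        def probe(g):
            return Endpoint("probe", vn, g, "0.0.0.0")
        return {s: {d: self.decide(probe(s), probe(d))[0] for d in groups}
                for s in groups}


def build_sample_policy():
    """Policy modelled on the slide (group names as on the slide, contracts
    made up): the Clinical/Admin VN permits by default with one custom deny,
    the IoHT VN (building systems) denies by default."""
    p = SegmentationPolicy()
    p.set_vn_default("Clinical/Admin", PERMIT)
    p.add_contract("Clinical/Admin", "Group 1", "Group 2", DENY)   # custom deny
    p.set_vn_default("IoHT", DENY)
    return p


def roam_keeps_policy(policy, src, dst, new_ip):
    """Policy follows identity: moving src to a new address (or VLAN) must
    not change the decision, because only (vn, group) is consulted."""
    return policy.decide(src, dst) == policy.decide(replace(src, ip=new_ip), dst)


if __name__ == "__main__":
    policy = build_sample_policy()
    nurse = Endpoint("nurse-laptop", "Clinical/Admin", "Group 1", "10.1.1.5")
    records = Endpoint("records-server", "Clinical/Admin", "Group 2", "10.1.2.9")
    hvac = Endpoint("hvac-controller", "IoHT", "Group 3", "10.9.0.7")
    for a, b in ((nurse, records), (records, nurse), (hvac, nurse)):
        print(a.name, "->", b.name, policy.decide(a, b))
    print("roam keeps policy:", roam_keeps_policy(policy, nurse, records, "10.5.5.5"))
```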
Cisco DNA Center
DNA Center appliance
DNA Center™
Router Wireless LAN
controller
Access
point
Switch
A complete system for intent-based networking
Design your network using
physical maps and logical
topologies for quick visual
reference
Design
Define user and device
profiles that facilitate highly
secure access and network
segmentation based on
business needs
Policy
Use policy-based automation to
deliver services to the network
based on business priority and
to simplify device deployment
Provision
Combine deep insights with rich
context to deliver a consistent
experience and proactively
optimize your network
Assurance
Design | Provision | Policy | Assurance
Design
• Select Areas, Building, Floors
• Configure Network Settings
• Set IP Address Pools
Provision
• Assign Devices to Locations
• Provision Network Fabric
• On-board Hosts
Policy
• Create Virtual Networks
• Register End Point Types
• Administer Context-Based Policy
Assurance
• Network and Device Performance
• Client Access, Connectivity, Monitoring and Troubleshooting
• Application Experience Monitoring & Acceleration
Encrypted Traffic Analytics – Security with Privacy
• Analyze NetFlow metadata without decrypting traffic flows
• Global-to-local knowledge correlation - 99.99% threat detection accuracy
• Encrypted traffic analytics from Cisco’s newest switches and routers
A closer look at the science behind ETA
Striking a Balance - Security and Privacy
Secure and manage your digital network in real time, all the time, everywhere
Industry’s first network with the ability to find threats in encrypted traffic without decryption
Avoid, stop, or mitigate threats faster than ever before | Real-time flow analysis for better visibility
How can we inspect encrypted traffic? (Encrypted traffic vs. non-encrypted traffic)
• Initial data packet: make the most of the unencrypted fields
• Sequence of packet lengths and times: identify the content type through the size and timing of packets
[Diagram: threat intelligence map, the “who’s who of the Internet’s dark side”, with broad behavioral information about the servers on the Internet; examples: self-signed certificate, data exfiltration, C2 message]
Initial Data Packet: IP header, TCP header, TLS header (TLS version, SNI / server name, ciphersuites, certificate: organization, issuer, issued, expires)
• HTTPS header contains several information-rich fields.
• Server name provides domain information.
• Crypto information educates us on client and server behavior and application identity.
• Certificate information is similar to whois information for a domain.
• And much more can be understood when we combine the information with global data.
Sequence of packet lengths and times (measured from flow start time)
• Size and timing of the first packets allow us to estimate the type of data inside the encrypted channel.
• We can distinguish video, web, API calls, voice, and other data types from one another and characterize the source within the class.
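The two ETA inputs above in code, as an added example that is neither from the deck nor Cisco's ETA implementation: parse_client_hello() pulls the unencrypted ClientHello fields of the initial data packet (TLS version, cipher suites, SNI), splt() builds the sequence-of-packet-lengths-and-times vector from a flow's first packets, and weak_suites() is a toy cryptographic-compliance check. The TLS record, the sample flow and the short cipher suite table are constructed here; build_client_hello() only exists to make test input.

```python
# Added example (not from the Cisco deck): ETA-style features from the
# initial data packet (TLS ClientHello) and the first packets of a flow.
# Record layout follows RFC 5246; the sample bytes and flow are constructed.
import struct

LEGACY_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

# Small subset of IANA-registered cipher suite codes: (name, flagged weak).
# "Weak" here means RSA key exchange (no forward secrecy) or RC4/3DES.
CIPHER_SUITES = {
    0x0004: ("TLS_RSA_WITH_RC4_128_MD5", True),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", True),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", True),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", True),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", False),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", False),
    0x1301: ("TLS_AES_128_GCM_SHA256", False),
}


def parse_client_hello(record: bytes) -> dict:
    """Extract legacy version, cipher suites and SNI from one TLS record
    carrying a ClientHello. TLS 1.3 clients still send legacy_version 3.3 and
    signal 1.3 in supported_versions, which this minimal parser does not
    read. Raises ValueError on malformed input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated ClientHello body")
    try:
        version = LEGACY_VERSIONS.get((hs[0], hs[1]), "unknown %d.%d" % (hs[0], hs[1]))
        pos = 2 + 32                              # skip client_random
        pos += 1 + hs[pos]                        # skip session_id
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack("!H", hs[pos + i:pos + i + 2])[0]
                  for i in range(0, cs_len, 2)]
        pos += cs_len
        pos += 1 + hs[pos]                        # skip compression_methods
        sni = None
        if pos + 2 <= len(hs):                    # extensions block is optional
            ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
            pos += 2
            end = min(pos + ext_len, len(hs))
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
                pos += 4
                edata = hs[pos:pos + elen]
                pos += elen
                # server_name: list_len(2) name_type(1)=0 name_len(2) host_name
                if etype == 0 and len(edata) >= 5 and edata[2] == 0:
                    name_len = struct.unpack("!H", edata[3:5])[0]
                    sni = edata[5:5 + name_len].decode("ascii", "replace")
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc
    return {"version": version, "cipher_suites": suites, "sni": sni}


def weak_suites(suites) -> list:
    """Names of offered suites flagged weak in CIPHER_SUITES (compliance view)."""
    return [CIPHER_SUITES[s][0] for s in suites
            if s in CIPHER_SUITES and CIPHER_SUITES[s][1]]


def splt(packets, n=10):
    """Sequence of packet lengths and times for the first n packets.
    packets: (time_ms, length, direction), direction +1 client->server,
    -1 server->client. Lengths are signed by direction; times are
    inter-arrival gaps in ms with the first entry 0."""
    first = packets[:n]
    lengths = [d * ln for _, ln, d in first]
    times = [0] + [first[i][0] - first[i - 1][0] for i in range(1, len(first))]
    return lengths, times


def build_client_hello(sni: str, suites, version=(3, 3)) -> bytes:
    """Construct a minimal ClientHello record (test input only)."""
    host = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_body = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni_body)) + sni_body
    hs = bytes(version) + bytes(32) + b"\x00"            # version, random, no session id
    hs += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    hs += b"\x01\x00"                                    # one compression method: null
    hs += struct.pack("!H", len(ext)) + ext
    body = b"\x01" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x01" + struct.pack("!H", len(body)) + body


# Constructed sample flow (time_ms, length, direction); not a capture.
SAMPLE_FLOW = [(0, 517, 1), (21, 1460, -1), (22, 1460, -1), (23, 902, -1),
               (25, 126, 1), (46, 51, -1), (47, 600, 1), (90, 1460, -1)]

if __name__ == "__main__":
    hello = build_client_hello("example.com", [0xC02F, 0x000A, 0x0005])
    print(parse_client_hello(hello), weak_suites([0xC02F, 0x000A, 0x0005]))
    print("SPLT:", splt(SAMPLE_FLOW, 4))
```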
Behavioral Patterns w.r.t. Packet Lengths/Times
[Figure: packet length/time sequences for Bestafera (self-signed certificate, data exfiltration, C2 message) versus Google Search (initial page load, page refresh, autocomplete)]
Finding malicious activity in encrypted traffic
New Catalyst® 9000* with Enhanced NetFlow: telemetry for encrypted malware detection and cryptographic compliance (* ISR, ASR are supported)
Cisco Stealthwatch® with Cognitive Analytics: malware detection and cryptographic compliance
Enhanced NetFlow from Cisco’s newest switches and routers | Enhanced analytics and machine learning | Global-to-local knowledge correlation | Continuous enterprise-wide compliance
Leveraged network metadata | Faster investigation | Higher precision | Stronger protection
Cisco Catalyst 9000: The platform for the new era
First in enterprise
• x86 CPU with application hosting
• Programmable ASIC
• Software patching
Future-Proofed
• IEEE 802.11ax ready
• 100W PoE (IEEE 802.3bt) ready
• 25G Ethernet ready
Industry’s unmatched
• High availability
• Multigigabit density
• UPOE scale
SD-Access integrated | Converged ASIC | Single image | Common licensing
Security | IoT convergence | Cloud | Mobility
UADP 2.0 | Cisco IOS® XE Software
Kanata R&D Team: 3rd Largest Cisco Engineering site worldwide
Catalyst 9000 - CRN's 2017 Products Of The Year
Assurance - Context brings real intelligence
Cisco DNA™ Assurance Engine (analytics engine)
Data collection and ingestion: network telemetry, network device logs, contextual data
Data correlation and analysis: relationship between data flows; attributes (time, data behavior, location, user profiles, topology, device type and software/image version); contextual information; relationship
DNA Center™ receives telemetry from 16 data sources and correlates this with contextual information: FW, LB, WLC, Sensor, SNMP, NetFlow, Syslog, Streaming Telemetry, LDAP, AAA, Topology, Location, ITSM, DNS, DHCP, Inventory, Policy, ITFM
Actionable insights and visibility in real time
End-to-end visibility – Network/Client health
• Client health summary
• Onboarding, RF, and client profile info
• Network health summary
• Control, data, policy plane, and health info
End-to-end visibility – 360-degree views of users and devices
• Single location for all user information and every user device
• History of performance for each user device
• Proactive identification of any issues affecting user’s experience
• Single location for all device-related user information
• Connectivity graph with health score of all devices on the path
• Application performance
• Device KPIs
Network time travel – Go back in time to understand network state when issue occurred
• History shows critical events
• Identifies when issues occurred
• Rewind time to when the issue occurred
• All information on the user or network device reverts to the selected time
Path trace – Troubleshoot issues along the network path
• Run path trace from source to destination to quickly get key performance statistics for each device along the network path
• Identify Access Control Lists (ACLs) that may be blocking or affecting the traffic flow
Insights with guided remediation actions
• Guided actions to help remediate issues quickly
• Detailed drill-downs to identify the impact quickly
SDA - Show me the money
Summary – Innovation Across the Network. Intuitive.
From the Hardware … to the Software and Protocols, with Integrated Security … to the Whole Solution …
Cisco Innovations – In Hardware, Software, and Solutions – Tie It All Together
“From the Gates – to the GUI”
Innovation All The Way Up the Stack: Hardware, Software, and Solutions, with Integrated Security
Thank you.

 
Cisco Connect 2018 Philippines - software-defined access-a transformational ...
 Cisco Connect 2018 Philippines - software-defined access-a transformational ... Cisco Connect 2018 Philippines - software-defined access-a transformational ...
Cisco Connect 2018 Philippines - software-defined access-a transformational ...
 
Cisco Connect 2018 Singapore - Cisco Software Defined Access
Cisco Connect 2018 Singapore - Cisco Software Defined AccessCisco Connect 2018 Singapore - Cisco Software Defined Access
Cisco Connect 2018 Singapore - Cisco Software Defined Access
 
Cisco connect winnipeg 2018 accelerating the secure digital business throug...
Cisco connect winnipeg 2018   accelerating the secure digital business throug...Cisco connect winnipeg 2018   accelerating the secure digital business throug...
Cisco connect winnipeg 2018 accelerating the secure digital business throug...
 
Mạng chuyển mạch thế hệ mới
Mạng chuyển mạch thế hệ mớiMạng chuyển mạch thế hệ mới
Mạng chuyển mạch thế hệ mới
 
Cisco Connect Ottawa 2018 dna assurance shortest path to network innocence
Cisco Connect Ottawa 2018 dna assurance shortest path to network innocenceCisco Connect Ottawa 2018 dna assurance shortest path to network innocence
Cisco Connect Ottawa 2018 dna assurance shortest path to network innocence
 
[Cisco Connect 2018 - Vietnam] Cisco connect 2018 sanjay - cisco sda v1.0-h...
[Cisco Connect 2018 - Vietnam] Cisco connect 2018   sanjay - cisco sda v1.0-h...[Cisco Connect 2018 - Vietnam] Cisco connect 2018   sanjay - cisco sda v1.0-h...
[Cisco Connect 2018 - Vietnam] Cisco connect 2018 sanjay - cisco sda v1.0-h...
 
Cisco Connect Toronto 2017 - Your time is now
Cisco Connect Toronto 2017 - Your time is nowCisco Connect Toronto 2017 - Your time is now
Cisco Connect Toronto 2017 - Your time is now
 
Как развернуть кампусную сеть Cisco за 10 минут? Новые технологии для автомат...
Как развернуть кампусную сеть Cisco за 10 минут? Новые технологии для автомат...Как развернуть кампусную сеть Cisco за 10 минут? Новые технологии для автомат...
Как развернуть кампусную сеть Cisco за 10 минут? Новые технологии для автомат...
 
Cisco UCS for OpenStack Cloud
Cisco UCS for OpenStack CloudCisco UCS for OpenStack Cloud
Cisco UCS for OpenStack Cloud
 
TechWiseTV Workshop: ASR 9000
TechWiseTV Workshop: ASR 9000 TechWiseTV Workshop: ASR 9000
TechWiseTV Workshop: ASR 9000
 
Gain Insight and Programmability with Cisco DC Networking
Gain Insight and Programmability with Cisco DC NetworkingGain Insight and Programmability with Cisco DC Networking
Gain Insight and Programmability with Cisco DC Networking
 
Cisco DC Networking: Gain Insight and Programmability with
Cisco DC Networking: Gain Insight and Programmability with Cisco DC Networking: Gain Insight and Programmability with
Cisco DC Networking: Gain Insight and Programmability with
 
Gain Insight and Programmability with Cisco DC Networking
Gain Insight and Programmability with Cisco DC NetworkingGain Insight and Programmability with Cisco DC Networking
Gain Insight and Programmability with Cisco DC Networking
 
Cisco Connect Toronto 2018 sd-wan - delivering intent-based networking to t...
Cisco Connect Toronto 2018   sd-wan - delivering intent-based networking to t...Cisco Connect Toronto 2018   sd-wan - delivering intent-based networking to t...
Cisco Connect Toronto 2018 sd-wan - delivering intent-based networking to t...
 

Mehr von Cisco Canada

Mehr von Cisco Canada (20)

Cisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devopsCisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devops
 
Cisco connect montreal 2018 iot demo kinetic fr
Cisco connect montreal 2018   iot demo kinetic frCisco connect montreal 2018   iot demo kinetic fr
Cisco connect montreal 2018 iot demo kinetic fr
 
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal VirtualizationCisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
 
Cisco connect montreal 2018 secure dc
Cisco connect montreal 2018    secure dcCisco connect montreal 2018    secure dc
Cisco connect montreal 2018 secure dc
 
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018   enterprise networks - say goodbye to vla nsCisco connect montreal 2018   enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
 
Cisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse localeCisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse locale
 
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec CiscoCisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
 
Cisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybridesCisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybrides
 
Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018
 
Cisco connect montreal 2018 compute v final
Cisco connect montreal 2018   compute v finalCisco connect montreal 2018   compute v final
Cisco connect montreal 2018 compute v final
 
Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2
 
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
 
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
Cisco Connect Toronto 2018   an introduction to Cisco kineticCisco Connect Toronto 2018   an introduction to Cisco kinetic
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
 
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018   IOT - unlock the power of data - securing the in...Cisco Connect Toronto 2018   IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
 
Cisco Connect Toronto 2018 DNA assurance
Cisco Connect Toronto 2018  DNA assuranceCisco Connect Toronto 2018  DNA assurance
Cisco Connect Toronto 2018 DNA assurance
 
Cisco Connect Toronto 2018 network-slicing
Cisco Connect Toronto 2018   network-slicingCisco Connect Toronto 2018   network-slicing
Cisco Connect Toronto 2018 network-slicing
 
Cisco Connect Toronto 2018 sixty to zero
Cisco Connect Toronto 2018   sixty to zeroCisco Connect Toronto 2018   sixty to zero
Cisco Connect Toronto 2018 sixty to zero
 
Cisco Connect Toronto 2018 model-driven programmability for cisco ios xr-v1
Cisco Connect Toronto 2018   model-driven programmability for cisco ios xr-v1Cisco Connect Toronto 2018   model-driven programmability for cisco ios xr-v1
Cisco Connect Toronto 2018 model-driven programmability for cisco ios xr-v1
 
Cisco Connect Toronto 2018 consuming public and private clouds
Cisco Connect Toronto 2018   consuming public and private cloudsCisco Connect Toronto 2018   consuming public and private clouds
Cisco Connect Toronto 2018 consuming public and private clouds
 
Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...
Cisco Connect Toronto 2018   cloud and on premises collaboration security exp...Cisco Connect Toronto 2018   cloud and on premises collaboration security exp...
Cisco Connect Toronto 2018 cloud and on premises collaboration security exp...
 

Kürzlich hochgeladen

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Kürzlich hochgeladen (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 

Cisco Connect Halifax 2018 Cisco dna - deeper dive

  • 1. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Digital Network Architecture – Deeper Dive, “From the Gates to the GUI”. Don Orlik (don.orlik@cisco.com), Enterprise Networking Sales. April 4, 2018, Cisco Connect
  • 2. Session Abstract – Cisco Digital Network Architecture – Deeper Dive, “From the Gates to the GUI”. Come to this session to learn how the latest advances in Cisco Enterprise silicon development – programmable, flexible ASIC (Application Specific Integrated Circuit) hardware, which provides a key foundational element of Cisco's Digital Network Architecture portfolio – are driving industry innovations such as Cisco’s new Catalyst 9000 family of switches, as well as exciting new solutions such as ETA (Encrypted Traffic Analytics) and Software-Defined Access. Attendees at this session will gain greater insight into how ASICs are designed and built, showcasing the advanced capabilities and functionality delivered by Cisco's latest switching silicon innovations provided by UADP (Unified Access Data Plane), as well as the latest advancements in Cisco’s wireless silicon. Most importantly, this session will show the continuum of Cisco’s evolution – from the gates (silicon gates, that is) to the latest advanced GUIs that solutions such as SD-Access are enabled with – allowing customers to move faster, innovate rapidly, and drive significant cost savings for their organizations. Come to this session to “double-click” on how Cisco is revolutionizing the Enterprise network with DNA! This is the second of two sessions: an optional introduction to the principles of DNA, as well as an exploration of the new DNA Center GUI and the Automation and Assurance aspects of the Cisco Digital Network Architecture it supports, is covered in the preceding companion session.
  • 3. Agenda
      • Industry Trends
      • The Network Intuitive
      • Cisco DNA and the Importance of Flexible Hardware
      • The Evolution of the Application Specific Integrated Circuit
      • DNA/Software Defined Access
      • DNA Center
      • Encrypted Traffic Analytics
      • Catalyst 9000
      • Summary, Q&A
  • 4. We are going to try to cover Cisco Innovation from “The Gates to the GUI”
  • 5. Innovation – The world’s 50 most innovative companies: #37 Cisco Systems. 2017 patent grants: 967; 2016 patent grants: 978. $6.5 Billion annual investment in R&D, $133 Million in Canada. Source: 24/7 Wall St., Jan 12, 2018
  • 6. From Innovations in Silicon and Software … to Innovations in Platforms and Solutions
  • 7. And Why These Innovations Matter
  • 8. Cisco DNA and the Importance of Network Innovation
  • 9. Enterprise Trends Driving Digital Transformation
      • Mobility – 3.64 devices per person; a mobile world requires access to everything, everywhere
      • Cloud – 100K devices per admin; agility and new consumption models
      • IoT – 7.5B things connected; unmanaged devices growing at a rapid pace
      • Advanced Persistent Threats
  • 10. Enterprise Trends – Skills shortages. Blockchain, artificial intelligence, 5G mobile networks, 3D printing and virtual reality are creating a need for digital skills that will see a demand for an estimated 216,000 additional technology workers by 2021, according to a new report.
  • 11. Changing Enterprise Requirements – The Need for Agility
      • 80% of IT time is spent on operations (Source: Forrester)
      • 57% of CEOs are worried about IT strategy not supporting business growth
      • Network expenses: 33% CAPEX, 67% OPEX
      • Deployment speed chart (seconds, log scale 0–1000): Computing vs. Networking (Source: Open Compute Project)
  • 12. Traditional Networks Cannot Meet the Demand: Users, Devices and IoT Segmentation; Enabling Seamless Mobility; Secure Connectivity to the Cloud; Setting Up End-to-End Security. (Diagram: HQ, Branch A and Remote sites connected over the WAN, each carrying VLAN 1/2/3 with ACL 1/2/3 configured per site.)
  • 13. (image only)
  • 14. (image only)
  • 15. Cisco Digital Network Architecture Principles
      • Insights and experiences
      • Automation and assurance
      • Security and compliance
      • Automation – abstraction and policy control from core to edge
      • Open and programmable | Standards-based
      • Open APIs | Developers environment
      • Cloud service management – Policy | Orchestration
      • Physical and virtual infrastructure | App hosting
      • Network data, contextual insights
      • Network-enabled applications
      • Cloud-enabled | Software-delivered
      • Analytics
      • Virtualization
  • 16. Intent-based Network Infrastructure – The Network. Intuitive. Constantly learning, adapting and protecting. DNA Center: Policy, Automation, Analytics. Pillars: Intent, Context, Security, Learning.
      • Informed by Context – visibility into traffic and threat patterns: who, what, when, where, how
      • Powered by Intent – translate business intent to network policy; automate the management and provisioning of millions of devices instantly
  • 17. (image only)
  • 18. The Network Intuitive. Moving From Manual to Automated
      • Basic (exists today) – Automated Deployment: Plug and Play, Day 0 Deployment. Step 1: the network admin provisions devices in the Cisco Network Plug and Play application. Step 2: the onsite installer, with the mobile app, installs and powers on devices, triggers deployment and checks status. Step 3: new devices contact the Cisco Network Plug and Play application (through an HTTP proxy over the Internet) to get provisioned; the network admin can remotely monitor install status.
      • Advanced (new) – One point of management, all from Cisco DNA Center: configure once and deploy everywhere (SD-Access); consistent across the network fabric (DNA Center + Campus Fabric SDA).
      • Future – Self-Driving Automation: closed loop through network analytics and machine learning.
  • 19. Quality of Service – Intuitive?
  • 20. Application Policy Operation – Network Operators express high-level business intent to the EasyQoS app; the Network Controller’s southbound APIs translate business intent to platform-specific configurations. Platform queuing models in the diagram: Wireless AP – 4Q (WMM), trust boundary/PEP; Catalyst 2960-X – 1P3Q3T, trust boundary/PEP; Catalyst 3650 – 2P6Q3T, trust boundary/PEP; Catalyst 4500 – 1P7Q1T; Catalyst 6500 – 1P3Q4T, 1P7Q4T, 2P6Q4T …; Nexus 7700 F3 – 1P7Q1T; WLC – PEP; ASR/ISRs – MQC.
  • 21. Application Policy Results – Network Controller Application Policy will seamlessly interconnect all types of hardware and software queuing models to achieve consistent and compatible end-to-end treatments, aligned with the expressed business intent.
  • 22. Legacy QoS Policy vs. Intent-Based Application Policy – the legacy CLI for one application class:
      ip access-list extended APIC_EM-MM_STREAM-ACL
       remark citrix - Citrix
       permit tcp any any eq 1494
       permit udp any any eq 1494
       permit tcp any any eq 2598
       permit udp any any eq 2598
       remark citrix-static - Citrix-Static
       permit tcp any any eq 1604
       permit udp any any eq 1604
       permit tcp any any range 2512 2513
       permit udp any any range 2512 2513
       remark pcoip - PCoIP
       permit tcp any any eq 4172
       permit udp any any eq 4172
       permit tcp any any eq 5172
       permit udp any any eq 5172
       remark timbuktu - Timbuktu
       permit tcp any any eq 407
       permit udp any any eq 407
       remark xwindows - XWindows
       permit tcp any any range 6000 6003
       remark vnc - VNC
       permit tcp any any eq 5800
       permit udp any any eq 5800
       permit tcp any any range 5900 5901
       permit udp any any range 5900 5901
       exit
      ip access-list extended APIC_EM-SIGNALING-ACL
       remark h323 - H.323
       permit tcp any any eq 1300
       permit udp any any eq 1300
  • 23. Cisco DNA and the Importance of Flexible Hardware
  • 24. Logic Design Choices
      • General Purpose CPU
      • Field Programmable Gate Arrays
      • Application Specific Integrated Circuits
      • System on Chip
      • Graphics Processing Unit
  • 25. Why Does Cisco Develop Our Own Silicon? Simpler Deployment Options; Better Insight and Optimization; Increased Security; Most Appropriate Scalability; Flexibility and Investment Protection via Programmability
  • 26. Cisco R&D Investments – The vast majority of Cisco products include custom ASICs. Custom ASICs in: Catalyst 3000, 9000; Nexus 5000, 7000, 9000; ISR, ASR 1000 (Quantum Flow Processor); Wireless; …
  • 27. UADP 2.0 – Next Generation of ASIC Innovation: 7.46B transistors, 28nm technology. Flexible Pipeline (programmable, high performance); up to 240GE bandwidth; up to 32MB packet buffer; up to 64K x2 NetFlow records; embedded microcontrollers; shared lookup; 384K flex counters; up to 2X to 4X forwarding + TCAM; adaptable tables; enhanced scale/buffering; multicore resource share; recirculation (tunneling – GRE, VXLAN, etc.); Security/TrustSec/MACsec; enhanced NetFlow; mobile ready; universal deployments; investment protection.
  • 28. Traditional Fixed ASIC Processing Pipeline – Traditionally the ASIC processing pipeline is FIXED (IPv4, IPv6)
  • 29. Traditional Fixed ASIC Processing Pipeline – … and has challenges handling NEW PROTOCOLS (e.g. MPLS)
  • 30. Unified Access Data Plane – Processing Pipeline. Cisco’s UADP ASIC delivers FLEXIBILITY: Flex Parser → Stage 1, Stage 2, Stage 3 … Stage n → Flex Rewrite, with Flex Counters; a flexible, programmable processing pipeline handling IPv4, IPv6, VXLAN, MPLS, GRE. If IPv7 were invented tomorrow … we could probably handle it via the Programmable Pipeline!
  • 31. So where can Flexible ASICs help us?
  • 32. DNA Flexible Infrastructure – Programmable ASIC Silicon
  • 33. What does all of this mean for me?
  • 34. Cisco Programmable Hardware equals FLEXIBILITY and ADAPTABILITY – Enabling Network Evolution, a critical requirement for DNA
  • 35. Cisco Digital Network Architecture – How DNA Center embraces the Cisco DNA Principles: the principles diagram from slide 15, mapped onto DNA Center (Automation, ISE, Analytics & Assurance).
  • 36. June 2017 – What we announced:
      • DNA Center – built-in expertise to manage and deploy end-to-end network services with central management
      • DNA Analytics & Assurance – analytics collects data from users, devices, and applications and uses machine learning to proactively identify problems
      • Software-Defined Access – dynamically adapt to changing needs with policy-based management of the network fabric
      • Enhanced Network as a Sensor – uncover threats hidden in encrypted traffic without decryption
      • Catalyst 9000 Series Switches – first infrastructure devices purposely designed for DNA
      Software Subscription Licensing | DNA Advisory, Technical, Support Services
  • 37. New Announcements (Cisco Live Barcelona, January 30, 2018):
      • DNA Center with Assurance
      • Cisco Wi-Fi Analytics for iOS
      • Cisco Aironet Active Sensor
      • Cisco Operational Insights
      • Cisco Meraki Insight
      • Cisco SD-WAN vAnalytics
  • 38. (image only)
  • 39. Software-Defined Access – Industry’s first policy-based automation from the edge to the cloud
      • Single Network Fabric – enable a consistent user experience anywhere without compromising on security
      • Automate User Access Policy – apply the right policies for user or device to any application across the network
      • End-to-End Segmentation – keep user, device and application traffic separate without redesigning the network
      • Common user policy for the branch, campus, WAN and cloud
  • 40. Software Defined Access (SD-Access) – Bringing Everything Together: Controller-based Management (DNA Center), Programmable Overlay, Simplified L3 Underlay
  • 41. SD-Access Roles & Terminology
      • DNA Controller – Enterprise SDN Controller provides GUI management and abstraction via multiple Service Apps that share information (DNA Center: APIC-EM, ISE, NDP)
      • Identity Services – External ID Systems (e.g. ISE) are leveraged for dynamic User or Device to Group mapping and Policy definition
      • Analytics Engine – External Data Collectors (e.g. NDP) are leveraged to analyze User or Device to App flows and monitor fabric status
      • Control-Plane Nodes (C) – Map System that manages Endpoint ID to Device relationships
      • Border Nodes (B) – A Fabric device (e.g. Core) that connects External L3 network(s) to the SDA Fabric
      • Edge Nodes – A Fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SDA Fabric
      • Fabric Wireless Controller – A Fabric device (WLC) that connects Wireless Endpoints to the SDA Fabric
      • Intermediate Nodes (Underlay)
  • 42. Policy in Today’s Networks – Policy is based on the “5-tuple” (IP SRC, IP DST, PROT, SRC PORT, DST PORT, plus DSCP): only transitive information, which survives end to end. Network policy covers QoS, security, redirect/copy, traffic engineering, etc.
  • 43. What is the Problem? User/device info is not in the packet header, so the IP address gets overloaded with “meaning”: it locates you, identifies you, drives “treatment” and constrains you. The result is VLAN 10/20/30/40 mapped to SSID A/B/C/D and access lists like:
      access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165
      access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428
      access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511
      access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945
      access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116
      access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959
      access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993
      access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
      access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
      access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
      access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
      access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
      access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
      access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
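As an added example (not Cisco's code and not from the slides), here is a small Python evaluator for the IOS extended-ACL syntax shown on slides 22 and 43: it parses both the numbered and the named-ACL form (with wildcard masks, `host`, `any` and the `eq`/`gt`/`lt`/`neq`/`range` port operators), applies first-match semantics with the implicit deny, and then shows slide 43's point: the verdict for the same user and the same RDP flow flips when only the user's subnet changes, whereas a policy keyed on a hypothetical identity group does not. The ACL lines, addresses and group names are constructed.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class PortMatch:
    op: str                     # eq | neq | gt | lt | range
    lo: int
    hi: int
    def matches(self, port: Optional[int]) -> bool:
        if port is None:
            return False
        return {"eq": port == self.lo, "neq": port != self.lo, "gt": port > self.lo,
                "lt": port < self.lo, "range": self.lo <= port <= self.hi}[self.op]

AclEntry = namedtuple("AclEntry", "action proto src sport dst dport")
Packet = namedtuple("Packet", "proto src sport dst dport")   # the slides' "5-tuple"

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard: 0 bit = must match, 1 bit = don't care (contiguous wildcards only)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported by this example")
    return ipaddress.IPv4Network((addr, 32 - bin(wc).count("1")), strict=False)

def _parse_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    return wildcard_to_network(tok[i], tok[i + 1]), i + 2

def _parse_port(tok: List[str], i: int) -> Tuple[Optional[PortMatch], int]:
    if i < len(tok) and tok[i] in ("eq", "neq", "gt", "lt"):
        return PortMatch(tok[i], int(tok[i + 1]), int(tok[i + 1])), i + 2
    if i < len(tok) and tok[i] == "range":
        return PortMatch("range", int(tok[i + 1]), int(tok[i + 2])), i + 3
    return None, i

def parse_acl(text: str) -> List[AclEntry]:
    """Accepts numbered ('access-list 102 ...') lines and named-ACL body lines."""
    entries = []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] in ("ip", "remark", "exit", "!"):
            continue                          # ACL header, comment or terminator
        if tok[0] == "access-list":
            tok = tok[2:]                     # drop 'access-list <number>'
        action, proto = tok[0], tok[1]
        src, i = _parse_addr(tok, 2)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        if i != len(tok):                     # log, established, dscp ... not modelled
            raise ValueError(f"unsupported keyword(s): {tok[i:]}")
        entries.append(AclEntry(action, proto, src, sport, dst, dport))
    return entries

def evaluate(entries: List[AclEntry], pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for e in entries:
        if e.proto not in ("ip", pkt.proto) or src not in e.src or dst not in e.dst:
            continue
        if e.sport is not None and not e.sport.matches(pkt.sport):
            continue
        if e.dport is not None and not e.dport.matches(pkt.dport):
            continue
        return e.action
    return "deny"

# Constructed sample in the two syntaxes shown on the slides (not a real config).
SAMPLE_ACL = """\
ip access-list extended APIC_EM-MM_STREAM-ACL
 remark citrix - Citrix
 permit tcp any any eq 1494
 permit udp any any eq 1494
 permit tcp any any range 2512 2513
access-list 102 deny tcp 10.1.10.0 0.0.0.255 host 10.20.0.5 eq 3389
access-list 102 permit tcp 10.1.0.0 0.0.255.255 host 10.20.0.5 eq 3389
"""

# Identity-keyed policy with hypothetical group names: the verdict depends on who
# the endpoint is, not on which VLAN/subnet it is attached to right now.
GROUP_POLICY = {("Employee", "ProdServers"): "permit", ("Contractor", "ProdServers"): "deny"}

def group_verdict(src_group: str, dst_group: str) -> str:
    return GROUP_POLICY.get((src_group, dst_group), "deny")      # implicit deny here too

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    # Same employee, same server, same RDP flow; only the subnet changed after a roam.
    roam = [Packet("tcp", ip, 50000, "10.20.0.5", 3389) for ip in ("10.1.20.7", "10.1.10.7")]
    print("IP-based ACL before/after roam:", [evaluate(acl, p) for p in roam])  # permit, deny
    print("Group policy, either subnet:", group_verdict("Employee", "ProdServers"))  # permit
```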
  • 44. Group Policy Rollout Today – What if You Need to Add Another Group & Policy? Multiple Steps and Touch Points: 1. Define Groups in AD 2. Define Policies § VLAN/subnet based 3. Implement VLANs/Subnets § Create VLANs § Define DHCP scope § Create subnets and L3 interfaces § Routing for new subnets § Map SSID to Interface/VLAN 4. Implement Policy § Define ACLs § Apply ACLs 5. Many different User Interfaces (AAA, WLC, Devices CLI, ….) [Diagram: LAN Core, L3 Switch, L2 Switch, Trunks; WLAN with One SSID for BYOD, Employee and Contractor; Production Servers, Developer Servers; AAA, DHCP, AD]
  • 45. Software-Defined Access – Networking at the speed of Software! § Automated Network Fabric – Single Fabric for Wired & Wireless with Workflow-based Automation § Insights & Telemetry – Analytics and insights into user and application behavior § Identity-based Policy & Segmentation – Decoupled security policy definition from VLAN and IP Address [Diagram: DNA Center (Analytics, Policy, Automation); IoT Network; Employee Network; SDA-Extension; User Mobility – Policy stays with user]
  • 46. Secure onboarding of users and devices – Segmentation and Access Control – Before SD-Access: • VLAN and IP address based • Create IP based ACLs for access policy • Deal with policy violations and errors manually – After SD-Access: • No VLAN or subnet dependency for segmentation and access control • Define one consistent policy • Policy follows Identity [Diagram: Group-Based Policy – Policy follows Identity – Completely Automated – Drag policy to apply; Users, Devices, Apps; Staff/Admin Virtual Network, IoT Virtual Network, Guest Virtual Network; Group 1 to Group 6] (Cisco Confidential)
  • 47. Consistent wired and wireless management – A single network fabric – Before SDA: • Repeated policy work for wired-wireless • Roaming issues across L3 domains • Chase down IP addresses for troubleshooting – After SDA: • Consistent management across wired-wireless • Optimal traffic flows with seamless roaming • Seamless roaming in Fabric and non-Fabric domains [Diagram: Campus-Wide Roaming, Wired and Wireless Consistency, Simplified Provisioning; Roam is L2, Seamless Roam, Policy stays with user]
  • 48. Automate IoT Deployments at Scale – SD-Access Extension – Before SDA: • Complex segmentation of IoT and user traffic • Chase down IP addresses for troubleshooting • Static endpoint management – After SDA: • Intuitive identity-based segmentation with device profiling • Built-in visibility and granular policy control • Dynamic endpoint management [Diagram: Users, Device and IoT Segmentation; Policy based Automation; Purpose Built Switches for IoT; Extension Node; Connected Lighting, IP Surveillance, Employee Network A, Employee Network B]
  • 49. Identity-based Policy – Segmentation & Access Control – Software-Defined Access 1 Virtual Networks – First level Segmentation that ensures zero Communication between Building systems and Users 2 Groups – Second level Segmentation within a Virtual Network that ensures role based access control between Two Groups [Diagram: Routers, Switches, Wireless AP, WLC; IoHT Virtual Network (Group 3); Clinical/Admin Virtual Network (Group 1, Group 2, Group 4, Group 5); policy options: Default Permit, Custom Deny, Default Deny]
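Slide 43 shows policy expressed as 5-tuple ACLs with wildcard masks, and slide 49 the two-level identity model (Virtual Network boundary first, then groups within the VN). The following is an added example, not code from the Cisco deck or from any Cisco product: it evaluates one constructed ACL and one constructed group policy against the same contractor-to-production flow, before and after the contractor moves to a different subnet. Class names (WildcardAcl, GroupPolicy), identities, addresses and the ACL lines are all my own constructions; the ACL syntax mirrors the form shown on slide 43.

```python
"""Added example (not from the Cisco deck): a 5-tuple wildcard ACL beside a
two-level identity policy (VN boundary, then group matrix).  All names,
addresses and rules are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp", "udp", "icmp" or "ip"
    sport: int
    dport: int


def _wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care' (inverse of a netmask)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _port_match(port: int, op: Optional[str], value: Optional[int]) -> bool:
    if op is None:                       # no port qualifier on this ACE
        return True
    return {"eq": port == value, "gt": port > value, "lt": port < value}[op]


class WildcardAcl:
    """Parses ACEs such as 'access-list 102 deny tcp 10.20.0.0 0.0.0.255 10.100.0.0 0.0.0.255 eq 443'."""

    def __init__(self, lines: List[str]) -> None:
        self.entries = [self._parse(line) for line in lines]

    @staticmethod
    def _addr(tok: List[str], i: int) -> Tuple[str, str, int]:
        if tok[i] == "any":
            return "0.0.0.0", "255.255.255.255", i + 1
        return tok[i], tok[i + 1], i + 2

    @staticmethod
    def _port(tok: List[str], i: int):
        if i < len(tok) and tok[i] in ("eq", "gt", "lt"):
            return tok[i], int(tok[i + 1]), i + 2
        return None, None, i

    @classmethod
    def _parse(cls, line: str):
        tok = line.split()
        action, proto = tok[2], tok[3]
        src, swc, i = cls._addr(tok, 4)
        sop, sval, i = cls._port(tok, i)
        dst, dwc, i = cls._addr(tok, i)
        dop, dval, i = cls._port(tok, i)
        return action, proto, src, swc, sop, sval, dst, dwc, dop, dval

    def evaluate(self, f: Flow) -> str:
        for action, proto, src, swc, sop, sval, dst, dwc, dop, dval in self.entries:
            if proto != "ip" and proto != f.proto:
                continue
            if (_wildcard_match(f.src, src, swc) and _wildcard_match(f.dst, dst, dwc)
                    and _port_match(f.sport, sop, sval) and _port_match(f.dport, dop, dval)):
                return action
        return "deny"                    # implicit deny at the end of every ACL


class GroupPolicy:
    """First level: traffic between Virtual Networks is always denied.
    Second level: inside a VN a (src group, dst group) matrix applies, with a default."""

    def __init__(self, default: str = "permit") -> None:
        self.default = default
        self.members: Dict[str, Tuple[str, str]] = {}    # identity -> (vn, group)
        self.matrix: Dict[Tuple[str, str], str] = {}      # (src group, dst group) -> action

    def bind(self, identity: str, vn: str, group: str) -> None:
        self.members[identity] = (vn, group)

    def rule(self, src_group: str, dst_group: str, action: str) -> None:
        self.matrix[(src_group, dst_group)] = action

    def evaluate(self, src_identity: str, dst_identity: str) -> str:
        svn, sg = self.members[src_identity]
        dvn, dg = self.members[dst_identity]
        if svn != dvn:
            return "deny"
        return self.matrix.get((sg, dg), self.default)


# Constructed scenario: contractors may not reach production HTTPS.
ACL = WildcardAcl([
    "access-list 102 deny tcp 10.20.0.0 0.0.0.255 10.100.0.0 0.0.0.255 eq 443",
    "access-list 102 permit ip any any",
])
POLICY = GroupPolicy(default="permit")
POLICY.bind("contractor-bob", "Employee-VN", "Contractors")
POLICY.bind("employee-alice", "Employee-VN", "Employees")
POLICY.bind("prod-web", "Employee-VN", "ProdServers")
POLICY.bind("iot-camera-1", "IoT-VN", "Cameras")
POLICY.rule("Contractors", "ProdServers", "deny")


def compare(contractor_ip: str) -> Tuple[str, str]:
    """Same contractor, same destination: what each model decides at contractor_ip."""
    acl_verdict = ACL.evaluate(Flow(contractor_ip, "10.100.0.10", "tcp", 40000, 443))
    group_verdict = POLICY.evaluate("contractor-bob", "prod-web")
    return acl_verdict, group_verdict


if __name__ == "__main__":
    print("wired  10.20.0.7:", compare("10.20.0.7"))   # both models deny
    print("roamed 10.30.0.7:", compare("10.30.0.7"))   # ACL permits, identity policy still denies
    print("IoT -> prod     :", POLICY.evaluate("iot-camera-1", "prod-web"))
```

The ACL verdict flips from deny to permit once the contractor's address leaves the subnet the ACE was written for, while the group policy's answer does not depend on the address at all, which is the "policy follows identity" point of slides 45 to 49. The IoT camera is denied before any group rule is consulted because it sits in a different Virtual Network.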
  • 50. Cisco DNA Center – A complete system for intent-based networking § Design – Design your network using physical maps and logical topologies for quick visual reference § Policy – Define user and device profiles that facilitate highly secure access and network segmentation based on business needs § Provision – Use policy-based automation to deliver services to the network based on business priority and to simplify device deployment § Assurance – Combine deep insights with rich context to deliver a consistent experience and proactively optimize your network [Diagram: DNA Center™ appliance; Router, Wireless LAN controller, Access point, Switch]
  • 51. Design (Design | Provision | Policy | Assurance) • Select Areas, Building, Floors • Configure Network Settings • Set IP Address Pools
  • 52. Provision (Design | Provision | Policy | Assurance) • Assign Devices to Locations • Provision Network Fabric • On-board Hosts
  • 53. Policy (Design | Provision | Policy | Assurance) • Create Virtual Networks • Register End Point Types • Administer Context-Based Policy
  • 54. Assurance (Design | Provision | Policy | Assurance) • Network and Device Performance • Client Access, Connectivity, Monitoring and Troubleshooting • Application Experience Monitoring & Acceleration
  • 55. Encrypted Traffic Analytics – Security with Privacy • Analyze netflow metadata without decrypting traffic flows • Global-to-local knowledge correlation – 99.99% threat detection accuracy • Encrypted traffic analytics from Cisco’s newest switches and routers
  • 56. A closer look at the science behind ETA
  • 57. C97-739122-02 Striking a Balance – Security and Privacy – Secure and manage your digital network in real time, all the time, everywhere. Industry’s first network with the ability to find threats in encrypted traffic without decryption. Avoid, stop, or mitigate threats faster than ever before | Real-time flow analysis for better visibility [Diagram: Encrypted traffic, Non-encrypted traffic]
  • 58. How can we inspect encrypted traffic? § Initial data packet – Make the most of the unencrypted fields § Sequence of packet lengths and times – Identify the content type through the size and timing of packets § Threat intelligence map – Who’s who of the Internet’s dark side: broad behavioral information about the servers on the Internet [Diagram: Self-Signed certificate, Data exfiltration, C2 message]
  • 59. Initial Data Packet • HTTPS header contains several information-rich fields. • Server name provides domain information. • Crypto information educates us on client and server behavior and application identity. • Certificate information is similar to whois information for a domain. • And much more can be understood when we combine the information with global data. [Diagram: Initial data packet = IP Header, TCP Header, TLS Header (TLS version, SNI (Server Name), Ciphersuites) and Certificate (Organization, Issuer, Issued, Expires)]
  • 60. Sequence of packet lengths and times • Size and timing of the first packets allow us to estimate the type of data inside the encrypted channel. • We can distinguish video, web, API calls, voice, and other data types from one another and characterize the source within the class. [Diagram: packet lengths plotted against Time from Flow start]
  • 61. Behavioral Patterns w.r.t. Packet Lengths/Times [Figure panels: Bestafera – Self-Signed Certificate, Data Exfiltration, C2 Message; Google Search – Initial Page Load, Page Refresh, Autocomplete]
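Slides 59 to 61 name the two feature families ETA reads without decrypting anything: the unencrypted fields of the initial data packet (TLS version, SNI, cipher suites) and the sequence of packet lengths and times. The block below is an added example, not Cisco code and not a description of how ETA, Stealthwatch or the Catalyst 9000 implement this: it builds a minimal TLS ClientHello from constructed values so that a parser has something to read, extracts those fields, flags cipher suites a simple "cryptographic compliance" rule treats as weak, and computes the length/time features for two constructed flows. Function names, the weak-suite list, the coefficient-of-variation heuristic and the sample flows are my assumptions; the cipher-suite numbers are the IANA values.

```python
"""Added example (not code or data from the Cisco deck): ETA-style feature
extraction from constructed inputs.  Names, thresholds and flows are mine."""
import statistics
import struct
from typing import Any, Dict, List, Optional, Tuple

Packet = Tuple[float, int]   # (seconds since flow start, length); negative length = server->client


def build_client_hello(sni: str, suites: List[int], version: int = 0x0303) -> bytes:
    """Constructed sample only: TLS record -> Handshake -> ClientHello with an SNI extension."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    name = sni.encode()
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # list len, host_name type, name len
    ext = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body            # extension type 0 = server_name
    body = (struct.pack("!H", version) + bytes(32)                        # client_version + random
            + b"\x00"                                                     # empty session id
            + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00"                                                 # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body             # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> Dict[str, Any]:
    """Read the unencrypted initial-data-packet fields; nothing here needs a key."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[0:2])[0]
    i = 2 + 32                                   # skip client_version and random
    i += 1 + body[i]                             # session id
    cs_len = struct.unpack("!H", body[i:i + 2])[0]
    i += 2
    suites = [struct.unpack("!H", body[j:j + 2])[0] for j in range(i, i + cs_len, 2)]
    i += cs_len
    i += 1 + body[i]                             # compression methods
    sni: Optional[str] = None
    if i + 2 <= len(body):
        end = i + 2 + struct.unpack("!H", body[i:i + 2])[0]
        i += 2
        while i + 4 <= end:
            etype, elen = struct.unpack("!HH", body[i:i + 4])
            data = body[i + 4:i + 4 + elen]
            i += 4 + elen
            if etype == 0x0000:                  # server_name: list len(2) type(1) name len(2) name
                sni = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode()
    return {"version": version, "sni": sni, "cipher_suites": suites}


# IANA values; this toy compliance rule treats RSA key exchange / 3DES suites as weak.
WEAK_SUITES = {0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}


def weak_suites(hello: Dict[str, Any]) -> List[str]:
    return [WEAK_SUITES[s] for s in hello["cipher_suites"] if s in WEAK_SUITES]


def splt(packets: List[Packet], n: int = 5) -> List[Tuple[int, float]]:
    """First n (length, inter-arrival time) pairs: the sequence of packet lengths and times."""
    out, prev = [], packets[0][0]
    for t, length in packets[:n]:
        out.append((length, round(t - prev, 3)))
        prev = t
    return out


def inter_arrival_cv(packets: List[Packet]) -> float:
    """Coefficient of variation of the gaps; near 0 means metronomic timing."""
    gaps = [b[0] - a[0] for a, b in zip(packets, packets[1:])]
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean else float("inf")


# Constructed flows, not captures: a periodic small-packet exchange and a bursty page load.
PERIODIC_FLOW: List[Packet] = [(0.0, 120), (60.0, -96), (120.1, 120), (180.0, -96), (240.0, 120)]
PAGE_LOAD_FLOW: List[Packet] = [(0.0, 517), (0.05, -1460), (0.06, -1460), (0.07, -1200), (2.5, 80)]

if __name__ == "__main__":
    hello = parse_client_hello(build_client_hello("update.example.test", [0x1301, 0xC02F, 0x000A]))
    print(hello, weak_suites(hello))
    print(splt(PERIODIC_FLOW), round(inter_arrival_cv(PERIODIC_FLOW), 4))
    print(splt(PAGE_LOAD_FLOW), round(inter_arrival_cv(PAGE_LOAD_FLOW), 4))
```

The parser walks the ClientHello layout (version, random, session id, cipher suites, compression methods, extensions) and stops at the extension list, so it never touches encrypted bytes. The timing feature is deliberately simple: a coefficient of variation near zero separates the periodic flow from the bursty one, which is the shape of distinction slide 61 draws between the Bestafera panels and the Google Search panels; a production analytics engine would feed such features into trained models rather than a single threshold.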
  • 62. Finding malicious activity in encrypted traffic § New Catalyst® 9000* – Enhanced NetFlow Telemetry for encrypted malware detection and cryptographic compliance (* ISR, ASR are supported) – Enhanced NetFlow from Cisco’s newest switches and routers § Cisco Stealthwatch® Cognitive Analytics – Malware detection and cryptographic compliance – Enhanced analytics and machine learning – Global-to-local knowledge correlation – Continuous Enterprise-wide compliance – Leveraged network – Faster investigation – Higher precision – Stronger protection [Diagram: NetFlow and Metadata from the switches and routers to Stealthwatch]
  • 63. Cisco Catalyst 9000: The platform for the new era § First in enterprise • x86 CPU with application hosting • Programmable ASIC • Software patching § Future-Proofed • IEEE 802.11ax ready • 100W PoE (IEEE 802.3bt) ready • 25G Ethernet ready § Industry’s unmatched • High availability • Multigigabit density • UPOE scale § SD-Access integrated – Converged ASIC (UADP 2.0) – Single image (Cisco IOS® XE Software) – Common licensing – Security, IoT convergence, Cloud, Mobility
  • 64. Kanata R&D Team – 3rd Largest Cisco Engineering site worldwide
  • 65. Catalyst 9000 – CRN's 2017 Products Of The Year
  • 66. Assurance – Context brings real intelligence – Analytics engine (Cisco DNA™ Assurance Engine): Data collection and ingestion; Data correlation and analysis – Inputs: Network telemetry, Network device logs, Contextual data – Contextual information: Relationship between data flows; Time; Data behavior; Location; User profiles; Topology; Attributes; Device type and software/image version – DNA Center™ receives telemetry from 16 sources and correlates this with contextual information: FW, LB, WLC, Sensor, SNMP, NetFlow, Syslog, Streaming Telemetry, LDAP, AAA, Topology, Location, ITSM, DNS, DHCP, Inventory, Policy, ITFM (16 data sources) – Output: Actionable insights and visibility in real time
  • 67. End-to-end visibility – Network/Client health • Client health summary • Onboarding, RF, and client profile info • Network health summary • Control, data, policy plane, and health info
  • 68. End-to-end visibility – 360-degree views of users and devices • Single location for all user information and every user device • History of performance for each user device • Proactive identification of any issues affecting user’s experience • Single location for all device-related user information • Connectivity graph with health score of all devices on the path • Application performance • Device KPIs
  • 69. Network time travel – Go back in time to understand network state when issue occurred • History shows critical events • Identifies when issues occurred • Rewind time to when the issue occurred • All information on the user or network device reverts to the selected time
  • 70. Path trace – Troubleshoot issues along the network path • Run path trace from source to destination to quickly get key performance statistics for each device along the network path • Identify Access Control Lists (ACLs) that may be blocking or affecting the traffic flow
  • 71. Insights with guided remediation actions • Guided actions to help remediate issues quickly • Detailed drill-downs to identify the impact quickly
  • 72. SDA - Show me the money
  • 73. Summary – Innovation Across the Network. Intuitive.
  • 74. “From the Gates – to the GUI” – Cisco Innovations – In Hardware, Software, and Solutions – Tie It All Together: From the Hardware … to the Software and Protocols, with Integrated Security … to the Whole Solution … Integrated Security Innovation All The Way Up the Stack – Hardware, Software, and Solutions