2. Session Abstract
Cisco Digital Network Architecture – Deeper Dive, “From the Gates to the GUI”
Come to this session to learn how the latest advances in Cisco Enterprise silicon development – programmable, flexible
ASIC (Application Specific Integrated Circuit) hardware which provides a key foundational element of Cisco's Digital
Network Architecture portfolio – are driving industry innovations such as Cisco’s new Catalyst 9000 family of switches, as
well as exciting new solutions such as ETA (Encrypted Traffic Analytics) and Software-Defined Access.
Attendees at this session will gain greater insight into how ASICs are designed and built, showcasing the advanced
capabilities and functionality delivered by Cisco's latest switching silicon innovations provided by UADP (Unified Access
Data Plane), as well as the latest advancements in Cisco’s wireless silicon. Most importantly, this session will show how the
continuum of Cisco’s evolution – from the gates (silicon gates, that is) to the latest advanced GUIs with which solutions such as
SD-Access are enabled – allows customers to move faster, innovate rapidly, and drive significant cost savings for their
organizations.
Come to this session to “double-click” on how Cisco is revolutionizing the Enterprise network with DNA! This is the second
of two sessions; the preceding companion session gives an optional introduction to the principles of DNA, as well as an
exploration of the new DNA Center GUI and the Automation and Assurance aspects of the Cisco Digital Network Architecture
it supports.
3. Agenda
• Industry Trends
• The Network Intuitive
• Cisco DNA and the Importance of Flexible Hardware
• The Evolution of the Application Specific Integrated Circuit
• DNA/Software Defined Access
• DNA Center
• Encrypted Traffic Analytics
• Catalyst 9000
• Summary, Q&A
11. The Need for Agility – Changing Enterprise Requirements
[Figure: four statistics; sources: Forrester, Open Compute Project]
• 80%: time IT spends on operations
• 57%: CEOs are worried about IT strategy not supporting business growth
• Network expenses: 33% CAPEX vs 67% OPEX
• Deployment speed (seconds, scale 0 to 1000): computing vs networking
12. Traditional Networks Cannot Meet the Demand
[Figure: HQ, BranchA and Remote sites connected over a WAN, each carrying VLAN 1/2/3 with ACL 1/2/3 configured per site]
• Users, Device and IoT Segmentation
• Enabling Seamless Mobility
• Secure Connectivity to the Cloud
• Setting Up End-End Security
15. Cisco Digital Network Architecture
[Figure: DNA architecture stack]
Principles: Insights and experiences | Automation and assurance | Security and compliance
• Network-enabled applications: Cloud-enabled | Software-delivered
• Cloud service management: Policy | Orchestration
• Automation: Abstraction and policy control from core to edge
• Analytics: Network data, contextual insights
• Virtualization
• Physical and virtual infrastructure | App hosting
• Open and programmable | Standards-based; Open APIs | Developers environment
16. The Network. Intuitive.
Constantly learning, adapting and protecting.
[Figure: DNA Center (Analytics, Policy, Automation) above an intent-based network infrastructure, framed by Intent, Context, Security and Learning]
Powered by Intent
• Translate Business Intent to Network Policy
• Automate the management and provisioning of millions of devices instantly
Informed by Context
• Visibility into traffic and threat patterns
• Who, What, When, Where, How
35. Cisco Digital Network Architecture – How DNA Center embraces the Cisco DNA Principles
[Figure: the same DNA architecture stack as slide 15 (Principles: Insights and experiences | Automation and assurance | Security and compliance; layers: Network-enabled applications, Cloud service management, Automation, Analytics, Virtualization, Physical and virtual infrastructure, Open and programmable), with DNA Center spanning Automation, ISE, Analytics & Assurance]
36. June 2017 - What we announced:
• DNA Center
Built-in expertise to manage and deploy end-to-end network
services from a central management point
• DNA Analytics & Assurance
Analytics collects data from users, devices, and applications
and uses machine learning to proactively identify problems
• Software-Defined Access
Dynamically adapt to changing needs with policy-based
management of the network fabric
• Enhanced Network as a Sensor
Uncover threats hidden in encrypted traffic without
decryption.
• Catalyst 9000 Series Switches
First infrastructure devices purposely designed for DNA
Software Subscription Licensing | DNA Advisory, Technical, Support Services
37. New Announcements:
• DNA Center with Assurance
• Cisco Wi-Fi Analytics for iOS
• Cisco Aironet Active Sensor
• Cisco Operational Insights
• Cisco Meraki Insight
• Cisco SD-WAN vAnalytics
Cisco Live Barcelona January 30, 2018
39. Software-Defined Access
Industry’s first policy-based automation from the edge to the cloud
• Single Network Fabric: Enable a consistent user experience anywhere without compromising on security
• Automate User Access Policy: Apply the right policies for user or device to any application across the network
• End-to-End Segmentation: Keep user, device and application traffic separate without redesigning the network
Common user policy for the branch, campus, WAN and cloud
41. SD-Access Roles & Terminology
[Figure: SD-Access fabric with DNA Center (APIC-EM), Identity Services (ISE) and the Analytics Engine (NDP) above; Control-Plane Nodes (C), Fabric Border Nodes (B), Fabric Edge Nodes, Intermediate Nodes (Underlay) and the Fabric Wireless LAN Controller inside the fabric]
§ DNA Controller – Enterprise SDN Controller provides GUI management and abstraction via multiple Service Apps, that share information
§ Identity Services – External ID Systems (e.g. ISE) are leveraged for dynamic User or Device to Group mapping and Policy definition
§ Analytics Engine – External Data Collectors (e.g. NDP) are leveraged to analyze User or Device to App flows and monitor fabric status
§ Control-Plane Nodes – Map System that manages Endpoint ID to Device relationships
§ Border Nodes – A Fabric device (e.g. Core) that connects External L3 network(s) to the SDA Fabric
§ Edge Nodes – A Fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SDA Fabric
§ Fabric Wireless Controller – A Fabric device (WLC) that connects Wireless Endpoints to the SDA Fabric
45. Software-Defined Access – Networking at the speed of Software!
• Automated Network Fabric: Single Fabric for Wired & Wireless with Workflow-based Automation
• Identity-based Policy & Segmentation: Decoupled security policy definition from VLAN and IP Address
• Insights & Telemetry: Analytics and insights into user and application behavior
[Figure: DNA Center (Analytics, Policy, Automation) over an IoT Network and an Employee Network, with SDA-Extension and User Mobility; policy stays with the user]
50. Cisco DNA Center – A complete system for intent-based networking
[Figure: DNA Center™ appliance managing routers, switches, wireless LAN controllers and access points]
• Design: Design your network using physical maps and logical topologies for quick visual reference
• Policy: Define user and device profiles that facilitate highly secure access and network segmentation based on business needs
• Provision: Use policy-based automation to deliver services to the network based on business priority and to simplify device deployment
• Assurance: Combine deep insights with rich context to deliver a consistent experience and proactively optimize your network
58. How can we inspect encrypted traffic?
• Initial data packet: Make the most of the unencrypted fields (e.g. a self-signed certificate)
• Sequence of packet lengths and times: Identify the content type through the size and timing of packets (e.g. data exfiltration)
• Threat intelligence map: Who’s who of the Internet’s dark side; broad behavioral information about the servers on the Internet (e.g. a C2 message)
59. Initial Data Packet
• HTTPS header contains several information-rich fields.
• Server name provides domain information.
• Crypto information educates us on client and server behavior and application identity.
• Certificate information is similar to whois information for a domain.
• And much more can be understood when we combine the information with global data.
[Figure: the initial data packet decomposed into IP Header, TCP Header and TLS Header (TLS version, SNI (Server Name), Ciphersuites), followed by the Certificate (Organization, Issuer, Issued, Expires)]
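The fields the slide lists (TLS version, SNI, cipher suites) all sit in the plaintext ClientHello, so a collector can read them without any decryption. The following Python is an added example written for this page, not Cisco's code and not how ETA's NetFlow export is implemented: it builds a constructed ClientHello so it can run offline, parses the unencrypted fields back out, and applies a small cryptographic-compliance policy. The legacy-suite list and the policy rules are assumptions made for the example; the cipher suite code points are the IANA values.

```python
import struct

TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

# Legacy cipher suites a compliance policy would typically flag (IANA code points).
# Which suites count as "legacy" is an assumption made for this example.
LEGACY_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}


def build_client_hello(server_name: str, cipher_suites: list) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension.

    This is a constructed sample for offline testing, not a captured packet.
    """
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list      # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + bytes(32)                                   # random (zeroed in the sample)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 2 * len(cipher_suites))
        + b"".join(struct.pack("!H", c) for c in cipher_suites)
        + b"\x01\x00"                                 # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data: bytes) -> dict:
    """Pull the unencrypted fields (version, SNI, offered cipher suites) out of a ClientHello."""
    if len(data) < 9 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    rec = data[5:5 + rec_len]
    if len(rec) != rec_len or rec[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    body = rec[4:4 + int.from_bytes(rec[1:4], "big")]
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                     # skip client_version and random
    pos += 1 + body[pos]                              # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                              # skip compression methods
    sni = None
    if pos + 2 <= len(body):                          # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            ext = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0x0000 and len(ext) >= 5 and ext[2] == 0x00:
                name_len = struct.unpack("!H", ext[3:5])[0]
                sni = ext[5:5 + name_len].decode("ascii", "replace")
    return {"version": TLS_VERSIONS.get(version, hex(version)), "sni": sni, "cipher_suites": suites}


def compliance_findings(hello: dict) -> list:
    """Apply a simple (assumed) cryptographic-compliance policy to the parsed fields."""
    findings = []
    if hello["version"] in ("TLS 1.0", "TLS 1.1"):
        findings.append("legacy protocol version offered: " + hello["version"])
    if hello["sni"] is None:
        findings.append("no SNI: destination cannot be tied to a domain")
    for suite in hello["cipher_suites"]:
        if suite in LEGACY_SUITES:
            findings.append("legacy cipher suite offered: " + LEGACY_SUITES[suite])
    return findings


if __name__ == "__main__":
    sample = build_client_hello("example.com", [0x1301, 0xC02F, 0x000A])
    parsed = parse_client_hello(sample)
    print(parsed)
    for finding in compliance_findings(parsed):
        print("finding:", finding)
```

Two caveats a practitioner should keep in mind: a TLS 1.3 client still writes 0x0303 into the legacy client_version field and advertises 1.3 in the supported_versions extension, so a real collector must read that extension too, and TLS 1.3 encrypts the server Certificate message, so the Organization/Issuer/Issued/Expires fields on the slide are only visible in the clear for TLS 1.2 and earlier.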
60. Sequence of packet lengths and times
[Figure: packet lengths plotted against time from flow start]
• Size and timing of the first packets allow us to estimate the type of data inside the encrypted channel.
• We can distinguish video, web, API calls, voice, and other data types from one another and characterize the source within the class.
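To make the "size and timing" idea concrete, here is an added Python example (not Cisco's code, and not the feature format that Enhanced NetFlow actually exports): it turns the first packets of a flow into a sequence of (signed length, inter-arrival time) pairs, quantizes lengths and times into bins, builds a transition matrix for each, and classifies an unknown flow by its distance to a few constructed prototype flows. The 150-byte and 50 ms bin widths, the ten-packet window, the prototype flows and the unknown flow are all assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    t: float          # seconds since flow start
    length: int       # payload bytes
    outbound: bool    # True for client -> server


def splt(packets, n=10):
    """Sequence of packet lengths and times: (signed length, inter-arrival ms) for the first n packets."""
    seq, prev = [], packets[0].t if packets else 0.0
    for p in packets[:n]:
        seq.append((p.length if p.outbound else -p.length, round((p.t - prev) * 1000, 1)))
        prev = p.t
    return seq


def transition_matrix(values, bin_width, n_bins=10):
    """Quantize a value sequence into bins and return a row-normalised bin-to-bin transition matrix."""
    bins = [min(v // bin_width, n_bins - 1) for v in values]
    m = [[0.0] * n_bins for _ in range(n_bins)]
    for a, b in zip(bins, bins[1:]):
        m[a][b] += 1
    for row in m:
        total = sum(row)
        if total:
            row[:] = [x / total for x in row]
    return m


def flow_features(packets, n=10):
    """Length matrix (150-byte bins) and inter-arrival matrix (50 ms bins); widths are assumptions."""
    seq = splt(packets, n)
    return (transition_matrix([abs(l) for l, _ in seq], 150),
            transition_matrix([int(t) for _, t in seq], 50))


def distance(f1, f2):
    """L1 distance summed over both matrices."""
    return sum(abs(a - b) for m1, m2 in zip(f1, f2) for r1, r2 in zip(m1, m2) for a, b in zip(r1, r2))


def classify(packets, prototypes):
    """Nearest prototype by feature distance; in practice prototypes come from labelled training flows."""
    feats = flow_features(packets)
    return min(prototypes, key=lambda name: distance(feats, flow_features(prototypes[name])))


def _flow(spec):
    return [Packet(t, ln, out) for t, ln, out in spec]


# Constructed prototype flows (not captures): a page load with full-size response bursts,
# a voice stream of small evenly spaced packets, and a request/response API exchange.
PROTOTYPES = {
    "web": _flow([(0.000, 517, True), (0.050, 1460, False), (0.051, 1460, False), (0.052, 1460, False),
                  (0.060, 70, True), (0.100, 1460, False), (0.101, 1460, False), (0.102, 1200, False),
                  (0.110, 70, True), (0.150, 1460, False)]),
    "voice": _flow([(0.020 * i, 200 if i % 2 == 0 else 180, i % 2 == 0) for i in range(10)]),
    "api": _flow([(0.0, 400, True), (0.2, 600, False), (0.21, 300, True), (0.4, 500, False),
                  (0.41, 350, True), (0.6, 650, False), (0.61, 300, True), (0.8, 500, False),
                  (0.81, 350, True), (1.0, 650, False)]),
}

# Constructed unknown flow with a web-like shape but different exact sizes.
UNKNOWN = _flow([(0.000, 520, True), (0.050, 1460, False), (0.051, 1460, False), (0.052, 1460, False),
                 (0.060, 60, True), (0.100, 1460, False), (0.101, 1460, False), (0.102, 1100, False),
                 (0.110, 60, True), (0.150, 1460, False)])

if __name__ == "__main__":
    print("SPLT:", splt(UNKNOWN))
    for name, proto in PROTOTYPES.items():
        print(name, round(distance(flow_features(UNKNOWN), flow_features(proto)), 3))
    print("classified as:", classify(UNKNOWN, PROTOTYPES))
```

Nothing here looks at payload: the only inputs are lengths and timestamps, which is exactly why this signal survives encryption. The binning makes the comparison tolerant of small size differences (520 vs 517 bytes land in the same bin), which is what lets a constructed flow match the "web" prototype while the evenly paced small-packet voice flow and the ping-pong API flow score much farther away.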
62. Finding malicious activity in encrypted traffic
[Figure: Enhanced NetFlow metadata flows from the New Catalyst® 9000* to Cisco Stealthwatch® and Cognitive Analytics]
• Cisco Stealthwatch® and Cognitive Analytics: Malware detection and cryptographic compliance; enhanced analytics and machine learning; global-to-local knowledge correlation
• New Catalyst® 9000* with Enhanced NetFlow: Telemetry for encrypted malware detection and cryptographic compliance; enhanced NetFlow from Cisco’s newest switches and routers
• Continuous enterprise-wide compliance
Leveraged network | Faster investigation | Higher precision | Stronger protection
* ISR, ASR are supported
63. Cisco Catalyst 9000: The platform for the new era
First in enterprise
• x86 CPU with application hosting
• Programmable ASIC
• Software patching
Future-Proofed
• IEEE 802.11ax ready
• 100W PoE (IEEE 802.3bt) ready
• 25G Ethernet ready
Industry’s unmatched
• High availability
• Multigigabit density
• UPOE scale
[Figure: UADP 2.0 converged ASIC and Cisco IOS® XE Software as the common foundation (SD-Access integrated, single image, common licensing) spanning Security, IoT convergence, Cloud and Mobility]
66. Assurance - Context brings real intelligence
[Figure: Cisco DNA™ Assurance Engine; data collection and ingestion (network telemetry, network device logs, contextual data) feeds data correlation and analysis (relationship between data flows, time, data behavior, location, user profiles, topology, attributes, device type and software/image version), producing actionable insights and visibility in real time]
DNA Center™ receives telemetry from 16 sources and correlates this with contextual information:
FW, LB, WLC, Sensor, SNMP, NetFlow, Syslog, Streaming Telemetry, LDAP, AAA, Topology, Location, ITSM, DNS, DHCP, Inventory, Policy, ITFM
67. End-to-end visibility – Network/Client health
• Client health summary
• Onboarding, RF, and client profile info
• Network health summary
• Control, data, policy plane, and health info
68. End-to-end visibility – 360-degree
views of users and devices
• Single location for all user
information and every user device
• History of performance for each
user device
• Proactive identification of any
issues affecting user’s experience
• Single location for all device-related user information
• Connectivity graph with health score of
all devices on the path
• Application performance
• Device KPIs
69. Network time travel – Go back in time to understand
network state when issue occurred
• History shows critical events
• Identifies when issues occurred
• Rewind time to when the
issue occurred
• All information on the user or
network device reverts to the
selected time
70. Path trace – Troubleshoot issues along
the network path
• Run path trace from source
to destination to quickly get
key performance statistics
for each device along the
network path
• Identify Access Control
Lists (ACLs) that may be
blocking or affecting the
traffic flow
71. Insights with guided remediation actions
• Guided actions to help remediate
issues quickly
• Detailed drill-downs to identify
the impact quickly
74. Cisco Innovations – In Hardware, Software, and Solutions – Tie It All Together
“From the Gates – to the GUI”
[Figure: from the Hardware, to the Software and Protocols with Integrated Security, to the Whole Solution; innovation all the way up the stack]
Hardware, Software, and Solutions