Cisco Connect Toronto 2017 - Introducing the Network Intuitive

© 2016 Cisco and/or its affiliates. All rights reserved. 1
Cisco
Connect
Enterprise Networks - Cisco Digital
Network Architecture - Introducing
the Network Intuitive
Matthias Falkner, DTME
Tim Szigeti, PTME
October 12, 2017

It’s a Digital World!
Automating your network with DNA
Center
Gaining Deep Insights with Assurance
And Analytics
Summary
Matt – 40 min
Tim– 30 min
Agenda
Cisco DNA – Introducing the Network
Intuitive

4© 2016 Cisco and/or its affiliates. All rights reserved.
It’s a digital world!
Matt
Falkner,
DTME

Digital Disruption
Lack of Business
and IT Insights
63 million new devices
online every second
by 20201
Complexity
Slow and Error
Prone Operations
3X spend on
network operations
vs network2
Security
Unconstrained
Attack Surface
6 months to
detect breach3
Unprecedented Demands on the Network
1: Gartner Report - Gartner’s 2017 Strategic Roadmap for Networking
2. McKinsey Study of Network Operations for Cisco – 2016
3. Ponemon Research Institute Study on Malware Detection, Mar 2016

The Need for
a New Network Constantly Learning
Support 100X new devices, apps, users
Constantly Adapting
Respond Instantly to business demands with
limited staff and budget
Constantly Protecting
See and predict issues
and threats and respond fast
The more you use it,
the wiser it gets.

Intent-based
Network Infrastructure
DNA Center
AnalyticsPolicy Automation
I N T E N T C O N T E X T
S E C U R I T Y
L E A R N I N G
The Network. Intuitive.
Powered by Intent. Informed by Context.

Built on Cisco Digital Network Architecture
Security
Automation Analytics
Virtualization
Cloud Service Management
Programmable Physical and Virtual infrastructure
Principles
Insights and
Experiences
Automation
and Assurance
Security and
Compliance
Open
API Driven
Programmable

Underneath it all: the DNA Blueprint

Automating your Network with
DNA Center
Matt
Falkner,
DTME

Impediments to Automation
• Organizational structures
Different groups
• Lack of internal standards
Snowflakes!
• History
e.g. ACL CLIs
• Standard vs.non-standard changes
Enterprise
Network
change
requests.
65%
Standard
changes
35%
New
initiatives
12%
New lab configurations
10% Hardware upgrades
21% ACL updates
7%
Fleet standardizations
7% Feature configs:
IP/Routing
4% Power shut-downs
8% Hardware upgrades
3% Feature configs:
Security
2% ACL updates
15% Other
12% Other

BRKNMS-1499
What are Standard Network Changes ??
AAA Configuration
DNS/DHCP Servers
NTP Servers
Syslog Servers
Netflow Collectors
SNMP/SSH/Telnet
Interfaces Configuration
ACL’s
Dial Plans
Vrf
Routing Protocols
Tunnels/DMVPN
Security/Crypto
QOS
AVC
AAA Configuration
DNS/DHCP Servers
NTP Servers
Syslog Servers
Netflow Collectors
SNMP/SSH/Telnet
Interfaces Configuration
Spanning Tree
VLAN
Security/Crypto
QOS
AVC
AAA Configuration
DNS/DHCP Servers
NTP Servers
Syslog Servers
Netflow Collectors
SNMP/SSH/Telnet
SSID’s
RF
Security/Crypto
QOS
AVC
Routers Switches WLC’s
Standard Changes :
o No Approval Required
o Minimal to Zero Disruption
Non-Standard Changes :
o Requires Approval
o May require service
disruption
o May need co-ordination
with other teams (App,DC
etc) during change window
15

Introducing DNA Center
Realizing vision of the intent-powered intuitive network
Decouple Policy from
Network Topology
Industry Best-Practices
Configuration and Policy
Compliance
Proactive Issue
Identification and
Resolution
Policy Automation
Assurance and
Analytics
Translate business intent
into network policy
Reduce manual operations
and cost associated with
human errors
Use context to turn data into
intelligence

DNA Solution
Cisco Enterprise Portfolio
Automation AnalyticsIdentity Services Engine
Routers Switches Wireless APs
DNA Center
DNA Center
Simple Workflows
Wireless Controllers
DESIGN PROVISION POLICY ASSURANCE

Network
Design
Deployment
Standardization
Network
Compliance
Before
During
After
Profile Based
Deployment
 Plan for the network deployment
 Feature and Capabilities to be
enabled based on requirements
 Topology for network
deployment
 Automated Day 0 Deployment
 Version management of Profile
for Day 2 Change Management
 Configuration Compliance
Validation against Profile
 Remediation of Configuration to
Golden Config
Network Deployment Consistency using Profile
Driven Automation
Configuration Consistency
Simplified Network
Deployment
Integrated IT
Process Flows
DESIGN

Workflows are foundational to Automation!
• Drive consistency into the architecture via design profiles for WAN and Campus
Both physical and virtual
Add Site
Properties under
Network Settings
Customize Network
Settings and
Credentials per Sub
Area or Site
Create sub
pools for
Services,
LAN,
Management
at sub area or
site
Select golden
image for
NFVIS, virtual
services
Open Design
> Network
Hierarchy
Add Areas and
Buildings
Add or
Import IP
Pools
Add SP
Profile
Add
appropriate
images into
repository
Add custom
CLI configs
Save and
associate Site
Select device, WAN and
LAN settings, add
required virtual Services
Create WAN
Profile
DESIGN

Use Case:
• Adding a new Syslog (Ex:
Splunk) in the network
• SoX requirements to update
password every 6 months
AAA
Server
Site1
North
America
South
America
Site2
Africa
EMEAR
AAA
Server
DNS
Server
Syslog
Server
Syslog
Server
DHCP
Server
Benefits:
• Repeated manual error prone
tasks automated
• Eng get additional time to focus
on design and deployment
• Standard change automation
removes the lead time to make
changes
Network Settings Update (Standard) DESIGN

Example: Designing Virtual Branch Profiles

I N T E N T CONTEXT
S E C U R I T Y
L E A R N I N G
Powered by intent,
informed by context.
THE NETWORK.
INTUITIVE.

ip access-list extended APIC_EM-MM_STREAM-ACL
remark citrix - Citrix
permit tcp any any eq 1494
permit udp any any eq 1494
remark citrix-static - Citrix-Static
permit tcp any any range 2512 2513
permit udp any any range 2512 2513
remark pcoip - PCoIP
remark timbuktu - Timbuktu
remark xwindows - XWindows
remark vnc - VNC
permit udp any any range 5900 5901
exit
ip access-list extended APIC_EM-SIGNALING-ACL
remark h323 - H.323
permit udp any any eq 1300 25
Intent-Based
Application PolicyLegacy QoS Policy

• Express Business Intent
• Translate into device specific policy/configuration
• Leverage Abstraction (the controller knows about the device specifics)
• Automate the Deployment across the Network
• Insure Fidelity to the Expressed Intent (keep everything in sync)
User policy based on user identity
and user-to-group mapping
Employee
(managed asset)
Employee
(Registered BYOD)
Employee
(Unknown BYOD)
ENG VDI System
PERMIT
PERMIT
DENY
DENY
DENY
DENY
DENY
PERMIT
PERMIT
PERMIT
PERMIT
PERMIT
Production Servers Development Servers Internet Access
Protected Assets
Source
De-coupling of
User Identity and Topology
Much easier to translate business objectives to
network functionality—Lowers TCO
Configuration
Controller-based AutomationToday
Traditional Traditional
Policy
Traditional
Policy Policy
Policy based Configuration—
Dynamic, able to be automated by the Controller
Over time—Policy grows, static shrinks
Automation
Controller-Led
Networking Deployment
Evolution to a Policy Model
26
POLICY

Policy types
Access Policy
↓
Authentication/
Authorization
Group Assignment
Based on
Authentication methods
Access Control Policy
↓
Who can access what
Rules for x-group access
Permit group to app
Permit group to group
Application Policy
↓
Traffic treatment
QoS for Application
Path Optimization
Application compression
Application caching
DB
The image part with relationship ID rId2 was not found in the file.
✓
POLICY

1. Access Policies
• Access to the network is governed by ISE
users
things
Authenticate&
Authorize
(AAA)
Groups &
Policy
ISE
Network
Scalable
Groups
Credentials
Posture
Profiling
POLICY

2. Access Control Policies
• Access Control (who can talk to who) is governed by DNA Center
Leverages ISE for group assignments
users
things
Authenticate&
Authorize
(AAA) Groups &
Policy
ISE DNA Center
Policy Authoring
Workflows
Fabric Management
Network
POLICY

DNA Automation – Access Control Policy Authoring

DNA Center automates the Deployment and Operations
• Plug-and-play
• Software / config / license management
• Ensuring that Hardware is not EoL
(Cisco Active Advisor)
• Software Image management (SWIM)
PnP Agent
Runs on Cisco® switches,
routers,
and wireless AP
Automates discovery and
provisioning
PnP Server
Centralized server
Auto-provision device w/ images
& configs.
Northbound REST APIs
PnP Protocol
HTTPS/XML based
Open schema
protocol
Network PnP
Application UI
IWAN
App
Topology
Discovery
REST API
PnP Service
DNA Center
Controller
PROVISION

Visualize Software Images
• For a given Device Family,
view :
All images
Image Version
Number of Devices using a
particular image
• Image Repository to
centrally store Software
Images, VNF Images and
Network Container Images
33

Platform extensibility for building
custom apps
API and Data Models across multiple
stages in DNA Stack
Integrations with complimentary
platforms *
Open Interfaces and Integrations
Firehose *
Connectors
Graph API
Contextual Search
Cisco Assets
Industry
Integrations
Flexibility Accessibility Expansibility
* : roadmap post FCS

Gaining Deep Insights with
Assurance and Analytics
Tim
Szigeti,
PTME

Source: 2016 Cisco Study
Traditional Networking CANNOT Keep Pace with the Demands of Digital Business
OpEx spent on
Network Visibility and
Troubleshooting
75%
Policy Violations
Due to Human Error
70%
Network Changes
Performed Manually
95%
Main Operational Challenges

Make Data
Driven Decisions
Reveal
Hidden Patterns
Automation for Faster
Results
Focus on
Important Things
Business Value Propositions of Network Analytics

Collect relevant metrics
Architectural Requirement #1: Instrumentation
ASSURANCE

Categorize metrics by degrees of relevance
Architectural Requirement #2: On-Device Analytics
ASSURANCE

Upload critical metrics off the device to collector(s)
(optimally via model-based streaming-telemetry)
Architectural Requirement #3: Telemetry
EM
Collector
ASSURANCE

Provision long-term storage, retrieval and representation of network metrics and events
Architectural Requirement #4: Scalable Storage
ASSURANCE

Identify anomalies and trends
Architectural Requirement #5: Analytics Engine
ASSURANCE

Correlate all data points and permutations for cognitive and predictive analytics
Architectural Requirement #6: Machine Learning
ASSURANCE

Identify root cause of issues by contextually correlating data
Architectural Requirement #7: Guided Troubleshooting
EM
Analytics
Engine
ASSURANCE

Present actionable insights to the operator
Solicit input to remediate the root cause
Present a self-remediation option
Architectural Requirement #8: Self-Remediation
EM
Analytics
EngineEM
Network
Controller
Do you want to take the
recommended action?
Yes No
Do you want to take the
recommended action?
Yes NoAlwaysAlways
ASSURANCE

I N T E N T CONTEXT
S E C U R I T Y
L E A R N I N G
Powered by intent,
THE NETWORK.
INTUITIVE.

DNA Software Capabilities
Virtualization
DNA-Ready Physical and Virtual infrastructure
Security
Cisco DNA Architecture

Virtualization
Cisco DNA Architecture—Automation and Analytics
EM
NDP
EM
NDP:
Network Data Platform
(Analytics Engine)
APIC-EM:
Application Policy
Infrastructure Controller—
Enterprise Module EM
NCP
NCP
Network Controller Platform
(Network Controller)

Virtualization
Cisco DNA Architecture—Automation and Analytics
EM
NDP
NDP:
(Analytics Engine)
Abstraction layer
Intent OutcomeDelivering the Intent
Analyzing the Outcome
within the Context of the
expressed Intent
Assuring
the Intent
EM
NCP
NCP
Network Controller Platform
(Network Controller)

Cisco DNA Architecture—DNA Center
EM
NDP
DNA Center Appliance
EM
NCP
DNA Center User Interface
A single pane of glass for Design, Policy, Provisioning, and Assurance

Cisco DNA Architecture—DNA Center: Assurance
å

I N T E N T CONTEXT
S E C U R I T Y
L E A R N I N G
Powered by intent,
THE NETWORK.
INTUITIVE.

Transforming the Network with Big Data Analytics
Data
Insight
Information
Action
Create value at the right timeExtract meaningful insights from data
Volume
Data size
• TB per day
• Streaming telemetry,
NetFlow, Syslog, SNMP, logs
Velocity
Data speed
• Firehose
• Streaming, low-latency
push/pull
Variety
Data forms
• Structured, unstructured
• Switch, router, AP,
IoT sensor, firewall,
load balancer, DHCP, DNS
Veracity
Data trustworthiness
• Quality, validity
• Internal, partner, public
Analytics

EM
NDP
Network
Telemetry
Contextual Data
Data Collection and Ingestion
FW LB WLC Sensor
AAA
DNS DHCP
LDAP TOPOLOGY
INVENTORY
LOCATION
POLICY
ITSM
ITFM
Streaming
TelemetrySNMP NetFlow Syslog
Data Visualization and Action
Network Assurance netWorth
Collector and Analytics Pipeline SDK
...
Data Models and Restful APIs
Time Series Analysis
System Management Portal
Data Correlation and Analysis
Machine Learning
in the Cloud
CEP (*) Correlation
CEP = Complex Event Processing
Network Data Platform (Internal) Architecture

NetFlow
AVC
DDI
ISE
Topology
Location
Device
NDP
Stream
Processing
Contextual Correlation Example
Source IP: 1.1.1.2
Dest IP: 2.2.2.2
Dest Port: 80
Dest IP: 3.2.2.2
Dest Port: 80
?
?
?
NetFlow

AVC
NetFlow
DDI
ISE
Topology
Location
Device
NDP
Stream
Processing
Source IP: 1.1.1.2
Dest IP: 2.2.2.2
Dest Port: 80
Dest IP: 3.2.2.2
Dest Port: 80
AVC
?
?
?

AVC
NetFlow
DDI
ISE
Topology
Location
Device
NDP
Stream
Processing
Source IP: 1.1.1.2
Dest IP: 2.2.2.2
Dest Port: 80
Dest IP: 3.2.2.2
Dest Port: 80
AVC
DDI
?

AVC
NetFlow
DDI
ISE
Topology
Location
Device
NDP
Stream
Processing
Source IP: 1.1.1.2
Dest IP: 2.2.2.2
Dest Port: 80
Dest IP: 3.2.2.2
Dest Port: 80
AVC
DDI
User: George Baker
ISE
Group: Marketing

AVC
NetFlow
DDI
ISE
Topology
Location
Device
NDP
Stream
Processing
Source IP: 1.1.1.2
Dest IP: 2.2.2.2
Dest Port: 80
Dest IP: 3.2.2.2
Dest Port: 80
AVC
DDI
User: George Baker
ISE
Group: Marketing
Topology

AVC
NetFlow
DDI
ISE
Topology
Location
Device
NDP
Stream
Processing
Source IP: 1.1.1.2
Dest IP: 2.2.2.2
Dest Port: 80
Dest IP: 3.2.2.2
Dest Port: 80
AVC
DDI
User: George Baker
ISE
Group: Marketing
Topology
Location
Building 24 1st Floor

AVC
NetFlow
DDI
ISE
Topology
Location
Device
NDP
Stream
Processing
Source IP: 1.1.1.2
Dest IP: 2.2.2.2
Dest Port: 80
Dest IP: 3.2.2.2
Dest Port: 80
AVC
DDI
User: George Baker
ISE
Group: Marketing
Topology
Location
Building 24 1st Floor
Device
Client Density
Problem Here...

I N T E N T CONTEXT
S E C U R I T Y
L E A R N I N G
Powered by intent,
THE NETWORK.
INTUITIVE.

What is Machine Learning?
• Machine learning is an application of artificial intelligence (AI) that provides systems the ability to
automatically learn and improve from experience without being explicitly programmed to do so
• The process of learning begins with observations of data, and looking for patterns within the data so as to
make increasingly better correlations, inferences and predictions
• The primary aim is to allow these systems to learn automatically without human intervention or
assistance and adjust actions accordingly

Project Kairos
For Wireless, Wired and IOT
Cognitive Analytics
Netflix
AccessPoints
Device Type
Internet Video
Facebook
Instagram
YouTube
Anomaly detection across hundred of thousands of
devices, dozen of thousands of gears and hundreds
of heat maps
Machine Learning

Project Kairos
For Wireless, Wired and IOT
Cognitive Analytics
Anomaly detection
Identify and proactively adapt to a failure
before it happens
Machine Learning
Predictive Analytics

Machine Learning Algorithms
build their models using
hundreds of inputs
APs
WAN
Local WLCs
Network Services DCOffice Site
ISE
DHCP
Mobile Clients
CUCM
APIC-EM
RF & EDCA
behavioral
metrics,..
Queuing, Dropping, WRED
behavioral metrics…
Device type, OS release,
behavioral metrics, ...
WAN & core
network metrics ..
Application metrics, user
feedback, failure rate, ...
... and more

Customer Datacenter
Cloud-platform
ML App Stack
NCP
DNA Center Assurance UI
Network Services DC
WAN
Office Site
DHCP
CMX
Customer Network
Network Control Points
Kairos UI
(Proxy)
Machine Learning
Stack
Graphical Models
Deep Learning
Time Series
Models
NLP/NLG
Public Cloud
Google Cloud Engine
Orchestrator
Southbound API
Northbound API
Protocols & APIs (SNMP, JSON, NetFlow, pxGrid, CLI, ...)
Metrics, Events, Config, ...
Control, Notifications, ...
Trained Models
Multi-Customer
Database
Strong Anonymization
Prediction Pipelines
APIs
Batch Pipelines
Training Data
ModelsETL Pipelines
Collectors
Public Broker Feature Constructors
Cloud-based Machine Learning Architecture

I N T E N T CONTEXT
S E C U R I T Y
LEARNING
Powered by intent,
THE NETWORK.
INTUITIVE.

Providing Security While Maintaining Privacy!
Encrypted Traffic
Non-Encrypted
Traffic
Can we Actually Solve This?
How do you Analyze Metadata without decrypting traffic flows?
80%
of organizations are
victims of malicious activity
41%
Of attacks used encrypted
traffic to evade detection

Encrypted Traffic Analytics
Encrypted traffic analytics from
Cisco’s newest switches and routers
Security with Privacy
Analyze netflow metadata without
decrypting traffic flows
Global-to-local knowledge correlation -
99.99% threat detection accuracy

Summary
Matt
Falkner,
DTME

Key Takeaways
Profile Based Deployment simplifies Day 0 Deployment and
Day 2 Change Management
Assurance must be outcomes driven and not problem based
Intent Driven Networking Starts with Policy
Automation must be thought holistically, as some of the
simple tasks take the most amount of time

Automated Deployment
It’s a Journey!
Self-Driving Automation
Plug and Play,
Day 0 Deployment
Configure once and deploy
everywhere - SD-Access
Exists Today
ISE / AD NAE / PI
DNA Center
Campus
Fabric
SDA
Future
Closed Loop through Network
Analytics and Machine Learning
Network
Analytics
Platform
DNA Center
BB
Campus
Fabric
SDA
APIC-
EM
HTTP
Proxy
Internet
Admin
Installer
New
Step 1
Network admin
previsions devices in
Cisco Network Plug
and Play applications
Step 2
Onsite installer with
mobile app installs and
powers on devices,
triggers deployment,
checks status
Step 3
New devices contact
Cisco Network Plug and
Play application to get
provisioned
Network admin can
remotely monitor
install status
Basic Advanced
One Point of Management: All from Cisco DNA Center
Consistent Across Network Fabric

Cisco Connect Toronto 2017 - Introducing the Network Intuitive

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Cisco Connect Toronto 2017 - Introducing the Network Intuitive

Similaire à Cisco Connect Toronto 2017 - Introducing the Network Intuitive (20)

Plus de Cisco Canada

Plus de Cisco Canada (20)

Dernier

Dernier (20)

Cisco Connect Toronto 2017 - Introducing the Network Intuitive