Cisco Connect Vancouver 2017 - Cisco's Digital Network Architecture - deeper dive, from the gates to the GUI

© 2016 Cisco and/or its affiliates. All rights reserved. 1
Your Time Is Now
Connect
Cisco

© 2016 Cisco and/or its affiliates. All rights reserved. 2
Dave Zacks
Distinguished Engineer
Enterprise Networks Business
November, 2017
#HighBitRate
Cisco Digital Network Architecture –
Deeper Dive,
“From the Gates to the GUI”
The Importance of Hardware in a Software Defined World

I am a Distinguished Engineer in Cisco’s Enterprise Networking Business,
based in Vancouver, and have been with Cisco for 18 years.
As a DTME within the Enterprise Networks Architecture team, I work primarily
on capabilities and solutions that are anywhere from 12 to 36+ months out,
helping to define these projects and then assisting as they progress
towards and through design, development, and solution introduction.
I have a strong background in, and focus on, customer requirements,
and integrating these into the products and solutions Cisco builds.
I have a special interest in Flexible Hardware and Fabric architectures.
Dave Zacks
Distinguished TME
dzacks@cisco.com @DaveZacks
By Way of Introduction …

© 2016 Cisco and/or its affiliates. All rights reserved. 4Cisco Public
This is an
ambitious
presentation

We are going to try to cover
Cisco Innovation
from
“The Gates to the GUI”

No,
I don’t
mean
this
Gates …

I mean these gates …
SILICON Gates 

From
Innovations
in
Silicon
and
Software
…
… to
Innovations
in Platforms
and Solutions

And Why
These
Innovations
Matter

It’s going to be
Quite a Ride

So
Buckle Up,
and Let’s Get Started!

12© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco DNA and the
Importance of
Network Innovation

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
Innovation in
the network

Source: Forrester Source: Open Compute Project
Time IT spends on operations80% CEOs are worried about IT strategy
not supporting business growth57%
Network Expenses Deployment Speed
0 10 100 1000
Computing Networking
Seconds
0
100%
CAPEX OPEX
33% 67%
The Need for Agility
Changing Enterprise Requirements

Advanced Persistent
Threats
Devices per Person
3.64
Mobile world requires access
to everything everywhere
Mobility
Devices per Admin
100K
Agility and New
Consumption Models
Cloud
IoT
Things Connected
7.5BUnmanned devices
growing at rapid pace
Enterprise Trends Driving Digital Transformation

VLAN 1 VLAN 2 VLAN 3
WAN
BranchA
VLAN 1 BranchA VLAN 3
Remote
VLAN 2
HQ
ACL 1 ACL 2
ACL 2
ACL 3
Traditional Networks Cannot Meet the Demand
Users, Device and IoT
Segmentation
Enabling Seamless
Mobility
Secure Connectivity
to the Cloud
Setting Up
End-End Security

Security
Automation Analytics
Virtualization
Cloud Service Management
Programmable Physical and Virtual infrastructure
Intent-based
Network Infrastructure
DNA Center
AnalyticsPolicy Automation
E x p r e s s
I N T E N T
E x t r a c t
C O N T E X T
I m p l e m e n t w i t h
S E C U R I T Y
P e r f o r m
L E A R N I N G
The Network. Intuitive.
Based on Cisco’s DNA
Cisco DNA
Digital Network
Architecture

Relevant IrrelevantDefault
• These applications directly
support business objectives
• Applications should be
classified, marked and treated
marked according to industry
best-practice recommendations
• These applications may/may not
support business objectives (e.g.
HTTP/HTTPS/SSL)
• Applications of this type should be
treated with a Default Forwarding
service
• These applications do not support
business objectives and are
typically consumer-oriented
• Applications of this type should be
treated with a “less-than Best
Effort” service
RFC 4594 RFC 2474 RFC 3662
IMPORTANT UNIMPORTANTNEUTRALPROTECT PENALIZELEAVE ALONE
Simplifying Networking via Intent
Example with EasyQoS

Wireless AP
Trust Boundary
PEP
4Q (WMM)
Catalyst 3650
Trust Boundary
PEP
2P6Q3T
Catalyst 4500
1P7Q1T
Catalyst 6500
1P3Q4T
1P7Q4T
2P6Q4T
…
Nexus 7700
F3: 1P7Q1T
WLC
PEP
ASR/ISRs
MQC
Catalyst 2960-X
Trust Boundary
PEP
1P3Q3T
Wireless AP
Trust Boundary
PEP
4Q (WMM)
Southbound APIs translate
business intent to platform-
specific configurations
Network Operators express
high-level business intent to the
EasyQoS app
EasyQoS
Operation
Network
Controller

Network
Controller
EasyQoS will seamlessly interconnect
all types of hardware and software queuing models
to achieve consistent and compatible end-to-end treatments –
aligned with the expressed business intent
EasyQoS
Results

ip access-list extended APIC_EM-MM_STREAM-ACL
remark citrix - Citrix
permit tcp any any eq 1494
permit udp any any eq 1494
remark citrix-static - Citrix-Static
permit tcp any any range 2512 2513
permit udp any any range 2512 2513
remark pcoip - PCoIP
remark timbuktu - Timbuktu
remark xwindows - XWindows
remark vnc - VNC
permit udp any any range 5900 5901
exit
ip access-list extended APIC_EM-SIGNALING-ACL
remark h323 - H.323
Your Choice …

Self-Driving Automation
Future
Closed Loop through Network
Analytics and Machine Learning
DNA Center
BB
Campus
Fabric
SDA
Automated Deployment
Plug and Play,
Day 0 Deployment
Exists Today
HTTP
Proxy
Internet
Admin
Installer
Step 1
Network admin
previsions devices in
Cisco Network Plug
and Play applications
Step 2
Onsite installer with
mobile app installs and
powers on devices,
triggers deployment,
checks status
Step 3
New devices contact
Cisco Network Plug and
Play application to get
provisioned
Network admin can
remotely monitor
install status
Basic Advanced
One Point of Management – All from Cisco DNA Center
Configure once and deploy
everywhere - SD-Access
DNA Center
Campus
Fabric
SDA
New
Consistent Across Network Fabric
The Network. Intuitive.
Moving From Manual to Automated

Security
Automation Analytics
Virtualization
Cloud Service Management
Programmable Physical and Virtual infrastructure
Open
API Driven
Principles
Insights and
Experiences
Automation
and Assurance
Security and
Compliance
Open
API Driven
Programmable Software Defined Access
Catalyst 9000
Flexible Network Hardware and Software
DNA Center
Encrypted Traffic Analytics
The Road to Intent-Based Networking
Our Journey Today - Overview

Cisco DNA and the
Importance of
Flexible Hardware

EISG
Architecture Team
David Goeckeler
Cisco SVP,
Security and Networking
Cisco Live Las Vegas 2016
Innovation in
the network
ASICs are a
pillar of Cisco
innovation …

How is an ASIC built?

Then, it starts with coding…
Verilog
VHDL
Synthesis Process
Converts code into
logical gate constructs (Netlist)
ASICs – From Definition to Deployment

Imprint design on
Silicon Wafer

Discrete
transistor
MOSFET
(metal oxide semiconductor
field effect transistor)
FinFET
(fin field
effect transistor)
NAND gate
NOR Gate
Universal
Gates
XOR Gate
AND Gate
OR Gate NOT Gate
XNOR Gate
… which can be used to build any of
the other logic gates …
… mostly used @
22nm and above
… mostly used @
16nm and below
… which, when we put millions
of them together on a silicon
die, produce a chip!
Silicon wafer

Discrete
transistor
MOSFET
(metal oxide semiconductor
field effect transistor)
FinFET
(fin field
effect transistor)
NAND gate
NOR Gate
Universal
Gates
XOR Gate
AND Gate
OR Gate NOT Gate
XNOR Gate
… which can be used to build any of
the other logic gates …
… mostly used @
28nm and above
… mostly used @
22nm and below
UADP 1.1
191M gates
UADP 2.0
270M gates
Catalyst 3850
mGig
Catalyst 9300,
9400, 9500

We put a man here …
… using this …
Apollo
Guidance
Computer
… which was built
from nothing but that …
4100 ICs,
each of which
contained a
single 3-input NOR gate
In other words …
we put a man on the moon with
less than 10,000 transistors …
It takes 7.46 billion transistors to
route your packets!
With the appropriate security, segmentation,
QoS, encryption, fragmentation, etc, etc …
Fun Fact!

We are talking
transistors…
and how many we can pack
in an ASIC die …
“The number of transistors
incorporated into a chip
will approximately double
every 18 - 24 months …”
“Moore’s Law” - 1975
Transistor Width
measured in
Nanometers
Nanometer = One Billionth of a Meter

A human hair is
~100,000
nanometers
in width
A Perspective

Red blood cell (7,000 nm)
rises to 10th floor
Empire State
Building =
1454 feet
to tip =
443 meters
ONE NANOMETER –
less than 1/4th of an inch!
… about the same thickness
as three pennies
on this scale …
… and we build transistors
measured in nanometers …
How SMALL
is SMALL?
Singlehumanhair
~ 100,000
nm
… and then we come to
this little pinprick over here …

Photoresist
SiO2 layer
Silicon substrate
Prepared
silicon wafer
Projected light
Mask
Lens
Patterns projected
onto wafer
Exposed
photoresist
removed
Exposed areas
etched by gases
Ions shower
etched areas,
doping them
Doped
region
New photoresist spun
on wafer, steps 2 – 4
repeated
Metal
connector
Similar cycle repeated to lay
down metal links between
transistors
About a month …
the same time it takes to make
one of these …
How Long
Does It Take to
Manufacture a Wafer?

Why Does
Cisco Develop
Our Own Silicon?
Simpler Deployment Options
Better Insight and Optimization
Increased Security
Most Appropriate Scalability
Flexibility and Investment Protection
via Programmability

Traditionally the ASIC
processing pipeline is
FIXEDIPv4
IPv6
Traditional Fixed ASIC Processing Pipeline

… and has challenges
handling NEW
PROTOCOLS …
MPLS
Traditional Fixed ASIC Processing Pipeline

Flexibility in Networking …
… disconnect with
traditional fixed
ASIC processing ….
Evolution of Business
Industry Trends – SDN

So where can
Flexible ASICs help us?

DNA Flexible Infrastructure – Programmable ASIC Silicon

ASIC Evolution – Over Time
UADP 2.0: 7.46B transistors!
2,160,000 lines of code
New!
Catalyst 9300 /
9400 / 9500 – 2017
Catalyst 3550
Circa 2003
60M transistors
47,226 lines of code
Catalyst 3750
Circa 2008
210M transistors
86,220 lines of code
Catalyst 3850
Circa 2013
UADP 1.0 – 1.3B transistors
UADP 1.1 – 3.0B transistors
1,490,000 lines of code
All Cisco-developed silicon
Driving the benefits of vertical integration –
Hardware and software working together!
Just like some other famous examples …

Flex
Rewrite
Cisco’s UADP ASIC
delivers
FLEXIBILITY …
Flex
Parser
Flexible, Programmable Processing Pipeline
GRE
If IPv7 were
invented
tomorrow …
... we could probably handle it
via the Programmable
Pipeline!
Flex Counters
Stage 1 Stage 2 Stage 3 Stage n
IPv4
IPv6
VXLAN
MPLS
IPv7
Unified Access Data Plane – Processing Pipeline

Parse depth
of 256 Bytes
15 programmable stages
Up to 250 frames across
stages at one time…
Underlay
Outer IP Header
Outer MAC Header
UDP Header
VXLAN Header
Overlay
Inner (Original)IP Header
Original Payload
Inner (Original) MAC Header
14 Bytes
(4 Bytes Optional)
Ether Type
0x0800
VLAN ID
VLAN Type
0x8100
Source MAC
Dest. MAC 48
48
16
16
16
Src VTEP MAC Address
Next-Hop MAC Address
20 Bytes
Dest. IP
Source IP
Header
Checksum
Protocol 0x11 (UDP)
IP Header
Misc. Data
72
8
16
32
32
Dst RLOC IP Address
Src RLOC IP Address
8 Bytes
Checksum 0x0000
UDP Length
VXLAN Port
Source Port 16
16
16
16 UDP 4789
Hash of inner L2/L3/L4 headers of original frame.
Enables entropy for ECMP load balancing.
8 Bytes
Reserved
VN ID
Segment ID
VXLAN Flags RRRRIRRR 8
16
24
8
Allows 16M
possible VRFs
Allows 64K
possible SGTs
VXLAN as a protocol had not even been invented
when UADP 1.0 was designed …
Yet UADP forwards VXLAN
in hardware, at high performance
in IOS-XE 16.3+ …
thanks to Flexibility!
in
VXLAN is a complex
protocol …

Flex
Rewrite
Flex
Parser
Cisco’s UADP ASIC
provides support for
TUNNELLING …IPv4
… a task at which Cisco’s
Programmable, Flexible ASICs excel!
Tunnelled traffic requires RECIRCULATION …
IPv4VXLAN
High-performance, low-latency recirculation path …
Flex Counters
Flexible, Programmable Processing Pipeline
Stage 1 Stage 2 Stage 3 Stage n
Unified Access Data Plane – Processing Pipeline

What does all of this
mean for me?

Cisco Programmable Hardware
equals
FLEXIBILITY
ADAPTABILITY
Enabling Network Evolution –
a critical requirement
for DNA

http://vimeo.com/155635184
Cisco Live US –
session BRKARC-3467,
“Cisco Enterprise Silicon”
Peter Jones,
Principal Engineer
Dave Zacks,
Distinguished Engineer
And watch us on …
90 minutes of awesome silicon
geekery with Dave and Peter –
this session, ++
Cisco Flexible Silicon – Want to Know More?

http://www.cisco.com/c/m/en_us/training-events/events-
webinars/webinars/techwise-tv/214-programmable-asics.html
Cisco Flexible Silicon – Want to Know More?

Network Innovation –
Flexible Switching Platforms,
Catalyst 9000 Series

Converged
OS
Open IOS-XE
Converged
Licensing
Catalyst 9300
Lead Fixed Access
Catalyst 9400
Lead Modular Access
Catalyst 9500
Lead Fixed Core
Built on Cisco’s Innovative UADP ASIC & Open IOS-XE
Converged
ASIC
UADP 2.0
Introducing the Catalyst 9K Family

Up to 32MB
Packet Buffer
Up to 64K x2
Netflow RecordsEmbedded
Microcontrollers
Shared
Lookup
Up to 240GE
Bandwidth
384K Flex
Counters
Up to 2X to 4X
Forwarding + TCAM
Universal Deployments
Adaptable Tables
Enhanced Scale/Buffering
Multicore resource share
Investment Protection
Flexible Pipeline
7.46B Transistors
28nm Technology
UADP 2.0 – Next Generation of ASIC Innovation

Leveraging Flexible Platforms for

Network Threats are Evolving to Leverage Encryption

Providing Security While Maintaining Privacy!
Encrypted Traffic
Non-Encrypted
Traffic
How do you Analyze threats without decrypting traffic flows?
Can We Actually Solve This?

• End to end confidentiality
• Channel integrity during inspection
• Adapts with encryption standards
Malware in Encrypted Traffic
Is the payload within
the TLS session malicious?
Malware Detection and Visibility without Decryption
• Audit for TLS policy violations
• Passive detection of Ciphersuite vulnerabilities
Cryptographic Compliance
How much of my digital business
uses strong encryption?
Overview

TLS field (in
ClientHello)
Inference
Offered Cyphersuites Browsers prefer heavy weight
and more secure encryption
algorithms,
Mobile applications prefer
efficient encryption
Extensions
Client: I support crypto!
Server: I support that
crypto, and I’m me!
Client: Take this secret
and let’s encrypt!
Server: Your secret looks
good; let’s encrypt!
Client/Server: encrypted
data!
ETA – Initial Data Packet (IDP)

Malware
Behavior
Network
Behavior
Communication with command
control server
Sequence of packet lengths
Write to the disk Time interval between packet
ETA – Sequence of Packet lengths and Times (SPLT)

Bestafera
Self-Signed Certificate
Data Exfiltration
C2 Message
Google Search
Initial Page Load
Page Refresh
Autocomplete
Detecting Malware by Behavior
IDP, SPLT, and Machine Learning

11101101100000
10001111001111
01001000100001
Catalyst 9K
Switch
Stealthwatch
NetFlow with
enhanced
telemetry at
line rate
Machine
learning Spot malware in
encrypted traffic
Cognitive Analytics
• Analyze metadata
without decrypting
traffic flows
• Global-to-local
knowledge correlation
• Automate policy and
segmentation across
the entire network
Encrypted
Traffic Analytics
*Source : Identifying Encrypted Malware
Traffic with Contextual Flow Data, Oct 2016
Threat Detection
Accuracy*
0.01%
False Positives*
99%
Solution Overview
UADP 2.0 ASIC

Leveraging Flexible Platforms for
Software Defined Access

Slower Issue ResolutionComplex to ManageDifficult to Segment
Ever increasing number of
users and endpoint types
Ever increasing number of
VLANs and IP Subnets
Multiple steps,
user credentials, complex
interactions
Multiple touch-points
Separate user policies for
wired and wireless networks
Unable to find users
when troubleshooting
Traditional Networks Cannot Keep Up!
Traditional Networks
Key Challenges

Automated
Network Fabric
Single Fabric for Wired & Wireless
with Workflow-based Automation
Insights
& Telemetry
Analytics and insights into
user and application behavior
Identity-based
Policy & Segmentation
Decoupled security policy definition
from VLAN and IP Address
DNA Center
AnalyticsPolicy Automation
SD-Access
Fabric
IoT Network Employee Network
User Mobility
Policy stays with
user
Networking at the Speed of Software!

DNA Center
TECCRS-2700 69
sioning

Automation Network AnalyticsIdentity Services Engine
Routers Switches Wireless APs
DNA Center
DESIGN PROVISION POLICY ASSURANCE
DNA Center
Simple Workflows
Wireless Controllers
DNA Center
Overview

Overlay – Flexible Virtual Services
Mobility - Map Endpoints to Edges
Services - Deliver using Overlay
Scalability - Reduce Protocol State
Flexible and Programmable
Underlay – Simple Transport Forwarding
Redundant Devices and Paths
Keep It Simple and Manageable
Optimize Packet Handling
Maximize Network Reliability (HA)
Separate the “Forwarding Plane” from the “Services Plane”
IT Challenge (Business): Network Uptime IT Challenge (Employee): New Services
The Boss YOU The User
The Power of The Fabric

Overlay encapsulation (VXLAN)
Fabric Underlay – Forwarding plane
• Connects the network elements to each other
• Optimized for traffic forwarding (scalability, performance)
• Networking constructs like IP, VLANs, live here
Overlay
control plane
(LISP)
Underlay
Overlay
Employee
Supplier
Devices
Fabric breaks the dependency between IP address and Policy.
In Fabric Polices are tied to User/Device Identity
Fabric brings Policy Simplification
DNA Center – Automation and Assurance
• Single User Interface for Fabric Management & Orchestration
• Policy definition based on User, Device or App Group
• Design, Deploy and Monitoring and Troubleshooting
Fabric Overlay – Services plane
• Dynamically connects Users/Devices/Things
• IP is an ID not used for traffic forwarding
• End to End Policies and Segmentation
What is Unique About SD-Access?
access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165
access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428
access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511
access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945
access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116
access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959
access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993
access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
VLAN 20
SSID D
VLAN 30
SSID A
SSID C
VLAN 40
VLAN 10
SSID B

First level Segmentation
that ensures zero Communication
between Building systems and Users
1
Virtual Networks
Second level Segmentation
within a Virtual Network that
ensures role based access control
between Two Groups
Groups
1
2
IoT Virtual Network
Group 3
Employee Virtual Network
Group 1 Group 2
Routers Switches Wireless AP WLC
Group 4
Group 5
2
Default Permit
Custom Deny
Default Deny
Integrated Segmentation

Before SD-Access After SD-Access
• VLAN and
IP address based
• Create IP
based ACLs for
access policy
• Deal with policy
violations and errors
manually
• No VLAN or subnet
dependency for
segmentation and
access control
• Define one
consistent policy
• Policy follows Identity
Group-Based Policy Policy follows IdentityCompletely Automated
Drag policy
to apply
Users
Devices
Apps
Employee Virtual Network
IoT Virtual Network
Guest Virtual Network
Group 5
Group 3
Group 1
Group 6
Group 4
Group 2
Secure Onboarding of Users and Devices
Segmentation and Access Control Made Simple

Stretched
Subnets
+
No Spanning
Tree
+
ECMP
Distributed Anycast
Default Gateway
Limit Broadcast Domain
No STP
No HSRP / VRRP
Equal Cost
Multi-Path
Routed Access
10.1.0.0/16
Simplified Connectivity
SD-Access Fabric

AutomationIdentity & Policy
Identity Services Engine (ISE)
Assurance
Employees
Virtual Network
Group 1 Group 2
IoT
Virtual Network
Group 3 Group 4
Contextual Visibility
and Troubleshooting
Policy Mobility
with no Topology
Dependence
SD-Access Fabric
Stretched Subnets
DNA Center
Integrated Mobility,
with User / Device Identity
Solution at a Glance

Separation of the Forwarding and Services Planes
Overlay encapsulation
Fabric Underlay is the Forwarding Plane
• Connects Network Devices
• Leverages existing topologies
• Simple, best-practice deployment
Fabric Overlay is the Services Plane
• Connects Users and Devices
• Leverages standard technologies
• Address Independent End-to-End Policy
Overlay
control plane
Underlay
Overlay
Employee
Supplier
Devices
Cisco Flexible Silicon
allows for Flexibility –
Key to Supporting the
Evolution to Network
Fabrics
DNA Flexible Infrastructure
Supporting Fabric Evolution – and Software Defined Access

Critical Role of Flexible Silicon
Building on a Strong Foundation

From the Hardware …
… to the Software and
Protocols, with Integrated Security …
to the
Whole
Solution …
Cisco Innovations – In Hardware, Software, and Solutions – Tie It All Together
“From the Gates – to the GUI”
Integrated
Security
Innovation All The Way Up the Stack
Hardware, Software, and Solutions

Cisco Connect Vancouver 2017 - Cisco's Digital Network Architecture - deeper dive, from the gates to the GUI

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Cisco Connect Vancouver 2017 - Cisco's Digital Network Architecture - deeper dive, from the gates to the GUI

Similaire à Cisco Connect Vancouver 2017 - Cisco's Digital Network Architecture - deeper dive, from the gates to the GUI (20)

Plus de Cisco Canada

Plus de Cisco Canada (20)

Dernier

Dernier (20)

Cisco Connect Vancouver 2017 - Cisco's Digital Network Architecture - deeper dive, from the gates to the GUI