Cisco Digital Network Architecture
Posted on 13-Feb-2017
TRANSCRIPT
Evolution of the Enterprise Network
The Cisco Digital Network Architecture
BRKCRS-2700
Matt Falkner, Distinguished Technical Marketing Engineer
Dave Zacks, Distinguished System Engineer
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
BRKCRS-2700 – Session Overview and Objectives
Enterprise business operations are reaching new levels of digitization as multimedia applications and the Internet of Things proliferate. An increasing number of business processes are structured around digital communication and media infrastructures. The experience that network consumers are seeking is also increasingly shaped by digitization, for example with networked machines, home appliances and automation. As a result, enterprise networks are becoming the platform for digitization, empowering business efficiency and innovation by simplifying and automating business processes while protecting and securing the global enterprise.
Cisco's Digital Network Architecture (DNA) offers a new architectural approach to meet the requirements of the digitized enterprise. This session introduces the motivation for an architecture evolution of enterprise networks and provides details on each of the building blocks. In particular, the concepts of network fabrics, virtualization, controllers, policy-based networking and cloud enablement are explored as the main architecture shifts.
The session also provides insight into concrete examples of how to automate and simplify application visibility and QoS deployments for network operators.
Your Instructors Today … Matthias Falkner and Dave Zacks
• Matthias is a Distinguished Engineer, Technical Marketing, and has been with Cisco for 16 years. Matthias currently focuses on the evolution of Enterprise and SP network architectures, particularly on end-to-end networking, virtualization and orchestration. Matthias has held various positions in both Sales and the Business Unit.
• Dave is a Distinguished System Engineer and has been with Cisco for 16 years. Dave works primarily with large, high-performance Enterprise network architectures, designs and systems. Dave has over 20 years of experience with designing, implementing and supporting solutions with many diverse network technologies.
We both have a strong interest in Cisco DNA and its components – a passion we hope to share with you via this presentation!
Agenda
• DNA – Introduction and Overview
• DNA Components
  • APIC-EM & Orchestration
  • Enterprise Silicon
  • The New QoS Paradigm
  • NfV and Cloud
  • Programmability
  • Analytics
  • Network Fabrics
• DNA – Wrap Up and Conclusions
DNA – Introduction and Overview
Matt Falkner, DTME
Digital Transformation is Moving IT to the Boardroom
• UPS My Choice: Delivery Control, Personalized Service, Customer Experience
• Physical and Virtual RFID Content: Workforce Efficiency, WIP Inventory and Part Tracking
• American Express: Personalized Service Through Mobile
• Starbucks Apps: Order Ahead, Skip the Line
The Network Enables Digital Business – Network Requirements for the Digital Organization
• Insights & Experiences – Drive Business Innovations
• Security & Compliance – Real-time and Dynamic Threat Defense
• Automation & Assurance – Speed, Simplicity & Visibility
Network Requirements for the Digital Organization
• Insights & Experiences (Drive Business Innovations): visibility into user behavior, applications and network performance; the customer has the elements to make decisions faster
• Automation & Assurance (Speed, Simplicity & Visibility): an abstraction layer providing abstraction, intent and policy automation; verification of the desired result (assurance)
• Security & Compliance (Real-time and Dynamic Threat Defense): using the network as a sensor for security threats and then enforcing compliance through segmentation
Scope: Wi-Fi, Core, WAN and Cloud, with APIC-EM as the controller
Evolution of Networking Software
Industry building blocks: Open APIs, Network Function Virtualization, Policy, Cloud, Analytics, Controllers, Overlays, OpenFlow, Open Compute, Standards, Model Driven
Customer questions: How do I deliver new applications? How do I improve security? How do I achieve speed & simplicity? How do I learn new software skills? How does this come together?
Cisco Digital Network Architecture: Open | Extensible | Software-driven
Cisco Digital Network Architecture – Principles
• Network-enabled Applications: Cloud-enabled | Software-delivered
• Cloud Service Management: Policy | Orchestration
• Automation: Abstraction & Policy Control from Core to Edge | Open & Programmable | Standards-Based | Open APIs | Developers Environment
• Analytics: Network Data, Contextual Insights
• Virtualization: Physical & Virtual Infrastructure | App Hosting
Outcomes: Insights & Experiences; Automation & Assurance; Security & Compliance
Digital Network Architecture – Vision
[Diagram: Cloud Service Management (Policy | Orchestration) and Service Definition & Orchestration sit on top of an Enterprise Controller (Policy Determination), which exchanges Intent and Telemetry with the Enterprise Fabric through APIs. Policy Enforcement Points (PEPs) are placed across Campus, WAN / Branch, WAN Aggregation, Data Center, Internet Access and Cloud; Network Function Virtualization hosts WAN, Campus, DC and Cloud VNFs; Apps attach through UNIs, with the SP in the WAN path. UNI: User Network Interface; PEP: Policy Enforcement Point.]
DNA Components – APIC-EM and Orchestration
Matt Falkner, DTME
Controller-Led Networking – Bridging the Gap to Increased Success in Network Deployment and Use
Any given "custom" configuration has a very high probability of not being tested exactly as deployed, "individually, as a one-off", which introduces potential issues (risk, bugs, uncertainty, problems, combinatorial issues) and undermines trust.
Controller-led networking deployment: the automated configuration deployed by the controller will have gone through…
• Joint development by the Cisco product teams, the architects developing best practices, and the controller team – "blessed configurations"
• Testing by Cisco's solution, system and devtest teams against the deployment use cases developed jointly, above
• Deployment by thousands, with any unforeseen situations addressed ASAP due to widespread and standardized deployment
Result: greatly increased probability of success.
Analytics: Deploy, Report, Measure, Adjust, Repeat
Instrumentation, telemetry and correlation across applications, the network and endpoints; APIC-EM automates deployment, runs reports, discovers user insights and delivers relevant content; the operator measures and adjusts ("Click here to correct" / "Always correct this way, and never ask me again").
Evolution to a Policy Model
• Express business intent
• Translate into device-specific policy/configuration
• Leverage abstraction (the controller knows about the device specifics)
• Automate the deployment across the network
• Ensure fidelity to the expressed intent (keep everything in sync)
User policy is based on user identity and user-to-group mapping. [Access matrix: the source groups Employee (managed asset), Employee (Registered BYOD) and Employee (Unknown BYOD) against the protected assets Production Servers, Development Servers, Internet Access and ENG VDI System; each cell is PERMIT or DENY.]
De-coupling of user identity and topology: much easier to translate business objectives to network functionality – lowers TCO.
Controller-based automation today: configuration is split between a traditional (static) part and a policy part. Policy-based configuration is dynamic and able to be automated by the controller; over time policy grows and static shrinks.
APIC-EM Policy Construct
• Network Users (source): user-identifier (tenant/user), application, device type, location
• Resources (destination): user-identifier (tenant/user), application, device type, location
• Actions: permit, deny, copy, monitor, redirect (L3, L4, L7), no copy, no redirect
• Action properties: priority level, resource level, experience level, trust level, destination, sample rate
• Policy properties: policy creator, policy name, policy scope, policy priority, policy time (start time, end time, hard timeout, idle timeout, recurrence)
• Event triggers
Characteristics:
• High-level business-intent policies, automatically converted to network language
• Conflict detection and resolution
• Extensible
• Supports different patterns of policies: access policies; event – condition – action
• Includes collections (e.g. a group of user IDs, a group of applications, etc.)
• Choose custom tags for policies; choose multiple attributes in each category
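The group-to-asset matrix and the policy construct above (source, resource, action, priority, time window, collections, conflict detection) can be exercised in a few dozen lines. The following Python is an added example written for this transcript, not APIC-EM code: the user directory, the rule format, the "Protected Assets" collection and the 08:00–18:00 window are assumptions; the group and asset names are taken from the slide. It shows why identity-keyed policy is independent of where a user attaches, why default deny matters for the unknown BYOD case, and what a same-priority conflict looks like before the controller has to resolve it.

```python
"""Identity-based access policy evaluated on user-to-group mapping, not on topology.

Added example, not APIC-EM code. The group names and protected assets follow the slide;
the user directory, the rule format, the collection "Protected Assets" and the
business-hours window are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed directory. In the architecture on the slides this mapping would come from
# the identity helper services (AD/LDAP, pxGrid, RADIUS proxy); here it is a literal.
USER_GROUPS = {
    "alice": "Employee (managed asset)",
    "bob": "Employee (Registered BYOD)",
    "carol": "Employee (Unknown BYOD)",
}

# Collections: one name standing for several resources.
COLLECTIONS = {
    "Protected Assets": {"Production Servers", "Development Servers", "ENG VDI System"},
}


@dataclass(frozen=True)
class Rule:
    name: str
    source_group: str
    resource: str                      # a resource or a collection name
    action: str                        # "PERMIT" or "DENY"
    priority: int = 100                # lower number wins when several rules match
    start_hour: Optional[int] = None   # policy time window, 24h clock; None = always
    end_hour: Optional[int] = None

    def resources(self) -> set:
        return COLLECTIONS.get(self.resource, {self.resource})

    def active_at(self, hour: int) -> bool:
        if self.start_hour is None or self.end_hour is None:
            return True
        return self.start_hour <= hour < self.end_hour


POLICY = [
    Rule("managed-assets", "Employee (managed asset)", "Protected Assets", "PERMIT", 10),
    Rule("managed-internet", "Employee (managed asset)", "Internet Access", "PERMIT", 10),
    Rule("byod-dev", "Employee (Registered BYOD)", "Development Servers", "PERMIT", 20),
    Rule("byod-internet", "Employee (Registered BYOD)", "Internet Access", "PERMIT", 20),
    Rule("byod-prod", "Employee (Registered BYOD)", "Production Servers", "DENY", 20),
    Rule("unknown-internet", "Employee (Unknown BYOD)", "Internet Access", "PERMIT", 30),
    # Time-bounded rule: outside 08:00-18:00 it is inactive and default deny applies.
    Rule("unknown-vdi-hours", "Employee (Unknown BYOD)", "ENG VDI System", "PERMIT", 30, 8, 18),
]


def find_conflicts(rules) -> list:
    """Conflict detection: same source group, overlapping resources, same priority,
    different actions. Such a pair has no deterministic winner and must be resolved
    before the policy is deployed."""
    conflicts = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if (a.source_group == b.source_group and a.priority == b.priority
                    and a.action != b.action and a.resources() & b.resources()):
                conflicts.append((a.name, b.name))
    return conflicts


def decide(user: str, resource: str, hour: int, rules=POLICY, groups=USER_GROUPS) -> str:
    """PERMIT or DENY for a user reaching a resource. The decision depends only on the
    user's group, so it is the same wherever the user attaches to the network.
    Unknown users and unmatched requests are denied (default deny)."""
    group = groups.get(user)
    if group is None:
        return "DENY"
    matching = [r for r in rules
                if r.source_group == group and resource in r.resources() and r.active_at(hour)]
    if not matching:
        return "DENY"
    return min(matching, key=lambda r: r.priority).action


if __name__ == "__main__":
    assert find_conflicts(POLICY) == []
    for user in USER_GROUPS:
        print(user, {res: decide(user, res, 12)
                     for res in ("Production Servers", "Development Servers",
                                 "Internet Access", "ENG VDI System")})
```

Adding a permit-all rule for registered BYOD at the same priority as the existing production deny is exactly the ambiguity the controller's conflict detection is meant to surface; lowering the number (raising priority) of one of the two resolves it deterministically.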
APIC-EM – Services and Apps
Platform: Grapevine, exposing Northbound REST APIs
APIC-EM services:
• Network Information Base (NIB) – basic services: Inventory, Topology, Discovery, Statistics Manager, NetFlow Collector
• User identity helper services: pxGrid client + LDAP client, AD client + LDAP client, RADIUS proxy + LDAP client
• Application identity helper services: Application Visibility
• Policy creation services: Policy Engine – Business Intent to Network Intent conversion, Conflict Detection and Resolution (BI and NI)
• Policy helper and policy analysis services: Policy Manager, QoS Compliance, ACL Analysis, Network Programmer, Policy Programmer
• Legacy support services, ZTD, Network Tapping, Network Events, IWAN services (PfR, WAAS), DAS
APIC-EM applications: Inventory Visualizer, Topology Visualizer, Application Visualizer, Network Discovery, Easy QoS / Easy QoS Visualizer, Compliance Check, ACL Visualizer, ZTD, Network Tapping, IWAN App
Network Information Base – Device Inventory: Single Source of Truth
• Real-time network device inventory and asset service management
• Includes all network devices with an abstraction for the entire network – full knowledge of the network
• Awareness of the overall operational health of the physical network
• Detailed inventory information for easier consumption by controller services and applications
• Allows applications to be device agnostic
• The inventory service runs in the background to keep the database accurate
• SNMP traps sent by devices during link up/down; APIC-EM runs discovery on that device (*)
(*) GA1
APIC-EM – Device Inventory
Network Information Base – Host Inventory: Single Source of Truth
• Real-time host and endpoint inventory (PCs, wireless devices, IP phones, printers etc.)
• Detailed information about each host/endpoint – network attachment point for the host to the network device; host name, IP and MAC address information
• The host inventory service runs in the background to maintain the accuracy of the database – information collected via CDP, LLDP and IP Device Tracking DB lookup; SNMP traps used to update the host inventory DB (*)
Network Information Base – Discovery: Single Source of Truth
• Quick, easy and efficient network discovery
• Flexible discovery options – CDP and IP address range
• Ability to start, stop and delete the scan at any time
• Auto-discovery of newly added network devices
• Initiate via UI or northbound REST APIs
Topology Visualizer – Embedded Device Information
APIC-EM Architecture
Cisco APIC Enterprise Module: Cisco and third-party applications consume the REST API; the controller's Security, QoS, IWAN and Network PnP applications drive the network devices (Catalyst, ASR, ISR). Masking network complexity, exposing network intelligence.
ESA Intelligent Template Selection and Management
• Goal: create branch architecture profiles based on business INTENT
• Prescriptive or customized templates
• Intent derived by intelligent template selection based on CVD questions: Internet access characteristics, bandwidth, wireless, …
• ESA proposes suitable templates
DNA Components – Enterprise Silicon
Dave Zacks, DSE
Foundational Pillars for the Digital Network Architecture
Programmable custom ASICs:
• Industry leading – Wired & Wireless | Stacking | TrustSec | SDN
• Advanced functionality – Programmable Pipeline | Flexibility | Recirculation
• Optimized for campus – Integrated Stacking | Visibility | Security
• Future proofed – Long Life Cycle | Investment Protection
+ Converged software services:
• Network-enabled applications – Collaboration | Mobility | IoT | Security
• Automation and analytics – Controller | Visible | Programmable | Open
• Virtualization – Segmentation | L2 Flexibility
• Designed for evolution – Strong Foundational Capabilities | HA
= Driving innovations through technology investments
Key Consideration
“People that are really serious about software should build their own hardware”
The Hardware Makes It All Possible – Built on a Strong Foundation of Innovation
UADP (Unified Access Data Plane): flexible, programmable, high-performance switching silicon
• Fully programmable – excellent flexibility, ability to handle new encapsulations (CAPWAP, VXLAN, etc.); hardware speed, software elasticity
• Scalable – massive recirculation bandwidth and low recirculation latency provide excellent tunneling and services support for traffic flows
• Advanced on-chip QoS – client-level granularity, sophisticated bandwidth shaping, with integrated on-chip NetFlow for visibility
• Secure – integrated on-chip support for MACsec encryption
• Extensible architecture – ability to scale both up and down; the foundation for a long-lived family of high-performance, flexible switching silicon
QFP (QuantumFlow Processor): advanced, multi-core, feature-rich routing silicon
• Fully programmable – leveraging the many features of IOS-XE with hardware performance
• Scalable – massive number of CPU cores (40 / 64), ability to cascade multiple CPUs = consistent high performance
• Advanced on-chip QoS – 100,000+ hardware-based queues, sophisticated traffic shaping and control
• Secure – linkage to high-performance crypto capability for secure WAN transport
• Extensible architecture – ability to scale both up and down; the foundation for a long-lived family of high-performance, flexible routing silicon
Diving into Hardware – The Need for Programmability
• ASIC processing pipeline: traditionally the pipeline is FIXED
• Industry trends – SDN
• Programmable ASICs – DNA hardware innovation
• The big question: so where can programmable ASICs help us? Striking the right balance
• Programmability introduces flexible pipelines: an ASIC programmable pipeline lets you modify processing behavior without incurring a re-spin
Unified Access Data Plane – Programmable Switching Silicon
• Parse depth of 256 bytes; 15 programmable stages; up to 250 frames across stages at one time
• What does this mean for me? UADP programmable hardware equals FLEXIBILITY and INVESTMENT PROTECTION
• Traffic visibility (e.g. NetFlow); control (wired / wireless QoS, security); scalability (802.11ac)
• Possible future UADP use cases: MPLS, VXLAN, TRILL*, SPB*, and more… (* not committed)
QuantumFlow Processor – Programmable Routing Silicon
• What does this mean for me? QFP programmable hardware equals FLEXIBILITY and PERFORMANCE
• QFP feature velocity: over 2600 features
• Critical role of ASICs
Cisco Programmable Silicon – Want to Know More?
Watch: http://vimeo.com/155635184
Attend session BRKARC-3467, Tuesday morning, 8:00am to 9:30am, Tropics B, Lower Level (Peter Jones, PE and Dave Zacks, DSE).
DNA Components – The New QoS Paradigm
Dave Zacks, DSE
The Why / How / What of Enterprise Networking
Why – the Cisco Enterprise vision: transform our customers' businesses through powerful yet simple networks.
How
Levels of QoS Policy Abstraction – Strategic vs. Tactical
• Strategic QoS policy (WHY)
  • reflects business intent
  • not constrained by any technical or administrative limitation
  • end-to-end
• Tactical QoS policy (HOW)
  • expresses the strategic business intent with maximum fidelity
  • limited by tactical constraints, including:
    • Media (e.g. WLAN has only 4 levels of service)
    • Platform (e.g. Catalyst 3750 has only 4 hardware queues)
    • Interface (e.g. a T1 WAN link has limited bandwidth)
    • Role (e.g. a CE may need to map into a reduced sub-set of SP classes of service)
APIC-EM / EasyQoS
Business Value of EasyQoS
• Provides end-to-end orchestration of QoS in the enterprise network
• Simple and easy to deploy, with an operator expressing business relevance for applications and the controller doing the rest "under the hood"
• Works for both greenfield and brownfield deployments
• Business-intent driven while abstracting platform/media/capability details
• End-to-end provisioning done in minutes (vs. months), leveraging industry standards and Cisco Validated Designs
• Reduces time to onboard new applications and allows SLA compliance
Why Deploy an SDN QoS Solution?
• QoS is application-centric
• QoS is pervasive
• QoS is complex
• SDN presents new QoS capabilities (e.g. Dynamic QoS)
Determining Business Relevance – How Important is an Application to Your Business?
• Relevant (RFC 4594): these applications directly support business objectives; they should be classified, marked and treated according to industry best-practice recommendations
• Default (RFC 2474): these applications may or may not support business objectives (e.g. HTTP/HTTPS/SSL); they should be treated with a Default Forwarding service
• Irrelevant (RFC 3662): these applications do not support business objectives and are typically consumer-oriented; they should be treated with a "less-than Best Effort" service
What Do We Do Under the Hood? Apply RFC 4594-based Marking / Queuing / Dropping Treatments
Application Class | Per-Hop Behavior | Queuing & Dropping | Application Examples | Relevance
VoIP Telephony | EF | Priority Queue (PQ) | Cisco IP Phones (G.711, G.729) | Relevant
Broadcast Video | CS5 | (Optional) PQ | Cisco IP Video Surveillance / Cisco Enterprise TV | Relevant
Real-Time Interactive | CS4 | (Optional) PQ | Cisco TelePresence | Relevant
Multimedia Conferencing | AF4 | BW Queue + DSCP WRED | Cisco Jabber, Cisco WebEx | Relevant
Multimedia Streaming | AF3 | BW Queue + DSCP WRED | Cisco Digital Media System (VoDs) | Relevant
Network Control | CS6 | BW Queue | EIGRP, OSPF, BGP, HSRP, IKE | Relevant
Signaling | CS3 | BW Queue | SCCP, SIP, H.323 | Relevant
Ops / Admin / Mgmt (OAM) | CS2 | BW Queue | SNMP, SSH, Syslog | Relevant
Transactional Data | AF2 | BW Queue + DSCP WRED | ERP Apps, CRM Apps, Database Apps | Relevant
Bulk Data | AF1 | BW Queue + DSCP WRED | E-mail, FTP, Backup Apps, Content Distribution | Relevant
Default Forwarding | DF | Default Queue + RED | Default Class | Default
Scavenger | CS1 | Min BW Queue (Deferential) | YouTube, Netflix, iTunes, BitTorrent, Xbox Live | Irrelevant
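To make the strategic/tactical split concrete, here is an added Python example (not EasyQoS code) that encodes the twelve-class table above with its RFC 2474 / RFC 4594 DSCP values, classifies a constructed set of applications by business relevance, computes the TOS byte a device would write, and then collapses the twelve classes onto a four-level WMM wireless platform, the "WLAN has only 4 levels of service" constraint from the strategic vs. tactical slide. The application-to-class assignments and the four-queue collapse rule are assumptions for the illustration; the DSCP values are the standard ones. Unknown applications fall to Default Forwarding, which is the behaviour an operator wants at a trust boundary.

```python
"""RFC 4594 strategic marking and a tactical collapse onto a 4-queue platform.

Added example, not EasyQoS code. The DSCP code points are the RFC 2474 / RFC 4594
values; the application-to-class assignments and the 4-queue collapse are assumptions
made for this illustration.
"""
from enum import IntEnum


class DSCP(IntEnum):
    """6-bit DiffServ code points. The TOS / Traffic Class byte carries DSCP << 2."""
    CS6 = 48   # Network Control
    EF = 46    # VoIP Telephony
    CS5 = 40   # Broadcast Video
    AF41 = 34  # Multimedia Conferencing
    CS4 = 32   # Real-Time Interactive
    AF31 = 26  # Multimedia Streaming
    CS3 = 24   # Signaling
    AF21 = 18  # Transactional Data
    CS2 = 16   # OAM
    AF11 = 10  # Bulk Data
    CS1 = 8    # Scavenger
    DF = 0     # Default Forwarding


# Strategic policy: the 12-class model from the slide's table, independent of any platform.
STRATEGIC = {
    "VoIP Telephony": DSCP.EF,
    "Broadcast Video": DSCP.CS5,
    "Real-Time Interactive": DSCP.CS4,
    "Multimedia Conferencing": DSCP.AF41,
    "Multimedia Streaming": DSCP.AF31,
    "Network Control": DSCP.CS6,
    "Signaling": DSCP.CS3,
    "Ops / Admin / Mgmt (OAM)": DSCP.CS2,
    "Transactional Data": DSCP.AF21,
    "Bulk Data": DSCP.AF11,
    "Default Forwarding": DSCP.DF,
    "Scavenger": DSCP.CS1,
}

# Business relevance: only two classes are not "Relevant".
RELEVANCE = {"Default Forwarding": "Default", "Scavenger": "Irrelevant"}

# Constructed application inventory: the operator's business-relevance decisions.
APP_CLASS = {
    "rtp-audio": "VoIP Telephony",
    "sip": "Signaling",
    "webex": "Multimedia Conferencing",
    "ospf": "Network Control",
    "ssh": "Ops / Admin / Mgmt (OAM)",
    "sap": "Transactional Data",
    "https": "Default Forwarding",
    "bittorrent": "Scavenger",
}


def classify(app: str) -> str:
    """Unknown or unclassified applications fall into Default Forwarding: the trust
    boundary never promotes traffic the operator has not explicitly made relevant."""
    return APP_CLASS.get(app, "Default Forwarding")


def tos_byte(dscp: DSCP) -> int:
    return int(dscp) << 2


def wmm_access_category(dscp: DSCP) -> str:
    """Tactical collapse onto a 4-level WMM platform (assumption for this example),
    keyed on the three class-selector bits so every strategic class lands somewhere."""
    cs = int(dscp) >> 3
    if cs >= 5:
        return "AC_VO"   # EF, CS5, CS6
    if cs >= 3:
        return "AC_VI"   # CS3, AF31, CS4, AF41
    if cs == 1:
        return "AC_BK"   # CS1, AF11: less than best effort
    return "AC_BE"       # DF, CS2, AF21


def marking_plan(app: str) -> dict:
    """Strategic intent (class, DSCP, relevance) plus its tactical realisation on WMM."""
    app_class = classify(app)
    dscp = STRATEGIC[app_class]
    return {
        "app": app,
        "class": app_class,
        "relevance": RELEVANCE.get(app_class, "Relevant"),
        "dscp": int(dscp),
        "tos": tos_byte(dscp),
        "wmm": wmm_access_category(dscp),
    }


def fidelity_loss(classes=STRATEGIC) -> dict:
    """Which strategic classes share a tactical queue, i.e. where a 4-queue medium
    cannot express the 12-class intent with full fidelity."""
    merged = {}
    for name, dscp in classes.items():
        merged.setdefault(wmm_access_category(dscp), []).append(name)
    return {queue: names for queue, names in merged.items() if len(names) > 1}


if __name__ == "__main__":
    for app in list(APP_CLASS) + ["some-unknown-app"]:
        print(marking_plan(app))
    print(fidelity_loss())
```

`fidelity_loss()` is the part worth reading: on a four-queue platform voice, broadcast video and network control necessarily share one queue, which is precisely the kind of tactical constraint the strategic policy is written without, and which the controller must reconcile per platform.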
EasyQoS Solution
Network operators express high-level business intent to APIC-EM EasyQoS. Southbound APIs translate business intent into platform-specific configurations. Applications can interact with APIC-EM via northbound APIs, informing the network of application-specific and dynamic QoS requirements.
Policy Enforcement Points (PEPs), trust boundaries and queuing structures by platform: Wireless AP – 4Q (WMM); Catalyst 2960-X – 1P3Q3T; Catalyst 3650 – 2P6Q3T; Catalyst 4500 – 1P7Q1T; Catalyst 6500 – 1P3Q4T / 1P7Q4T / 2P6Q4T / …; Nexus 7700 F3 – 1P7Q1T; WLC; ASR/ISRs – MQC.
Dynamic QoS
Business Value of Dynamic QoS
• No need to open a wide UDP port range in your trust boundary, making your network more secure
• No need for DPI at the edge
• Classification becomes application-aware, yet lightweight
• Support for wireless & BYOD devices without client software upgrades
• Supports brownfield deployments
Application Driven Network Dynamics – Dynamic Policy Management for Cisco Jabber / MS Lync Audio / Video
1. Client A calls client B; the client sends call setup info to the app server.
2. The app server calls APIC-EM (SDN API) to set up the policy; the QoS policy is enabled on the network device.
3. The call ends; the client sends call teardown info to the app server.
4. The app server calls APIC-EM (SDN API) to delete the policy; the QoS policy is removed from the network device.
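The security claim in the Dynamic QoS list above (no wide UDP port range in the trust boundary) is easiest to see side by side. The following Python is an added example, not APIC-EM or Jabber code: the Controller class stands in for the northbound dynamic-QoS API, the Flow record is a 5-tuple, and the 16384–32767 range is a commonly used RTP media range; all three are assumptions for this illustration. It replays the call setup / teardown exchange from the diagram and shows that an unsignalled download that happens to land in the RTP range is promoted to EF by the static port-range rule but re-marked to Default Forwarding by the signalled one.

```python
"""Signalled per-flow QoS policy vs. a static UDP port-range trust rule.

Added example, not APIC-EM or EasyQoS code. The flow record, the controller API and the
16384-32767 UDP range are assumptions: the range is a commonly used RTP media range, the
rest models the call-setup / teardown exchange shown on the slide.
"""
from dataclasses import dataclass

EF, DF = 46, 0  # DSCP values


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str   # "udp" or "tcp"
    src_port: int
    dst_port: int


class Controller:
    """Stands in for APIC-EM's northbound dynamic-QoS API: the application server calls
    setup_policy when a call starts and delete_policy when it ends."""

    def __init__(self):
        self._flows = {}   # Flow -> DSCP the policy enforcement point should apply

    def setup_policy(self, flow: Flow, dscp: int = EF) -> None:
        self._flows[flow] = dscp

    def delete_policy(self, flow: Flow) -> None:
        self._flows.pop(flow, None)

    def policy_for(self, flow: Flow):
        return self._flows.get(flow)


def mark_static(flow: Flow) -> int:
    """The traditional trust boundary: trust any UDP flow in the RTP range as voice.
    Anything that picks a port in that range gets priority treatment."""
    if flow.proto == "udp" and 16384 <= flow.dst_port <= 32767:
        return EF
    return DF


def mark_dynamic(flow: Flow, controller: Controller) -> int:
    """The signalled trust boundary: only flows the application server has announced are
    promoted; everything else, whatever its port, is re-marked to Default Forwarding."""
    dscp = controller.policy_for(flow)
    return dscp if dscp is not None else DF


def call_lifecycle(controller: Controller, media: Flow) -> list:
    """Replay the slide's exchange and record the marking the PEP applies at each step."""
    trace = [("before setup", mark_dynamic(media, controller))]
    controller.setup_policy(media)        # app server -> APIC-EM: call setup
    trace.append(("during call", mark_dynamic(media, controller)))
    controller.delete_policy(media)       # app server -> APIC-EM: call teardown
    trace.append(("after teardown", mark_dynamic(media, controller)))
    return trace


# Constructed sample traffic: a signalled Jabber call and an unsignalled download
# whose destination port happens to fall inside the RTP range.
CALL_MEDIA = Flow("10.1.20.15", "10.1.30.22", "udp", 24000, 24002)
ROGUE_DOWNLOAD = Flow("10.1.20.99", "198.51.100.7", "udp", 6881, 20000)

if __name__ == "__main__":
    ctl = Controller()
    print(call_lifecycle(ctl, CALL_MEDIA))
    ctl.setup_policy(CALL_MEDIA)
    print("rogue download: static =", mark_static(ROGUE_DOWNLOAD),
          "dynamic =", mark_dynamic(ROGUE_DOWNLOAD, ctl))
```

The policy lifetime is bounded by the call, which is why the slide can also drop the DPI requirement at the edge: the 5-tuple arrives from the application server, not from inspecting the media stream.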
APIC-EM EasyQoS At-A-Glance
DNA Components – NfV and Cloud
Matt Falkner, DTME
Hosted and Hosting Network Functions
Virtualization: Physical & Virtual Infrastructure | App Hosting
[Diagram: virtual branches (vBranch) run NFVIS hosting WAAS, IPS and a vSwitch; they connect over encrypted links across the Enterprise Fabric to the WAN aggregation layer and to a public cloud VPC (AWS), where Apps, WAAS and IPS are hosted behind a PEP. UNI: User Network Interface; PEP: Policy Enforcement Point.]
Leaning Forward … into DNA Enterprise Network Function Virtualization
What Enterprise NfV Can Do For You
• Quickly roll out new services and locations
• Flexible deployment options
• Simplified day-to-day operations
Simple and easy to design, provision and manage the trusted services that are critical to your business.
Enterprise NfV Solution Architecture
• Hosts: ISR-4K + UCS-E, UCS x86 server, ENCS – various host options for different branch sizes
• NFVIS (Network Function Virtualization Infrastructure Software) – the software host managing virtualization and hardware: API interface, platform management, hypervisor, virtual switching
• VNFs and applications: ISRv, ASAv, WAAS, vWLC, 3rd-party VNFn; App1, App2 … Appn – VNF and application hosting with 3rd-party support
• Orchestration & Management – common orchestration and management across the virtual and physical network
Enterprise NfV – Virtualization Models
• NFVIS – a common, Linux-based host OS across physical hosts to facilitate virtualization
• Enhances router-based virtualization
Models shown: Full NfV, L4-7 NfV, Router-integrated NFV and Router-based virtualization (an IOS XE container hosting VM1 … VMn). Each NFVIS instance is Linux-based and provides PnP client, web UI, security, licensing, monitoring and lifecycle management (LCM); eIOS XE provides the routing function.
Enterprise Service Automation – Branch Profile Design
Steps shown on the slide (numbered 1–7): upload devices to be shipped; upload the branch locations; custom design a profile; map to branch(es); associate the templates & attributes; pick validated topologies; select functions.
Power in Software – NFVIS Software Stack
• Linux with platform drivers and interface drivers
• Virtualization layer – hypervisor & vSwitch
• Orchestration API over HTTPS
• Plug-n-Play client (talking to the Plug-n-Play server in APIC-EM / Prime)
• Management interfaces: console / SSH CLI, NETCONF (YANG), REST
• Health monitor
• Device web portal
Orchestration & Management for Day 0/1 – Enterprise Services Automation (ESA)
• ESA, Prime Infrastructure and APIC-EM collaborate in the initial bring-up / provisioning of a branch
[Diagram: the branch office (NFVIS with IPS, WAAS and vSwitch) reaches the APIC-EM / Prime Infrastructure PnP server over the WAN with its serial number (SN) and host IP; ESA maps the branch profile to the SN; the Day 0/1 configuration repository provisions the host (ISR-4K + x86 on UCS-E, or a UCS x86 server, running NFVIS) and its VNFs (CSR 1000v, ASAv, WAAS, vWLC, vNAM, 3rd-party VNFn) and applications (App1, App2 … Appn) through the NFVIS REST API and ESC-Lite, on top of the platform management, hypervisor and virtual switching layers.]
Best-of-Breed Trusted Services from Cisco – Consistent Software Across Physical and Virtual
ISRv, ASAv/FTD, vWAAS, vWLC. Attributes called out on the slide: high performance, rich features, end-to-end support, proven software; application optimization, superior caching with Akamai Connect, survivability & scale; consistency across the data center and switches, built for small and medium branches; comprehensive protection, full DC-class featured functionality, designed for NFV, cost-effective with NFV.
* Windows 2012 and Linux Server also supported
Leaning Forward … into DNA Cloud Edge
Cloud-Enabled Networking – Overview
• Cloud Connected – Simplicity | Speed
• Cloud Delivered – Innovation | Insights
• Cloud Edge – IaaS Scale | Flexibility
Elements shown for branch, teleworker and campus/HQ: Plug & Play, CMX, business analysis, telemetry, continuous innovation, cloud-based audits; hybrid cloud (AWS | Rackspace | Azure) with CSR 1000V, vASA / FTD and vStrataWatch in a VPC / vDC reached over the WAN.
Example: DNA Cloud Edge
• Cisco CSR 1000v for VPC & remote worker connectivity
• Leverage SSL VPN access via AnyConnect, IPsec (e.g. IWAN)
• Support for Amazon AWS, Microsoft Azure
[Diagram: vBranches running NFVIS (IPS, WAAS, vSwitch) connect over encrypted links across the Enterprise Fabric and WAN aggregation to a public cloud VPC hosting IPS, WAAS, orchestration and EMS behind a PEP. UNI: User Network Interface; PEP: Policy Enforcement Point.]
DNA Components – Programmability
Matt Falkner, DTME
Configuration Management Today

jafrazie$ ssh admin@172.27.230.76
admin@172.27.230.76's password:
cho# conf t
Enter configuration commands, one per line. End with CNTL/Z.
cho(config)#

Strengths: Task Oriented; Human Friendly; Easy To Replay; No Special Tools
Weaknesses: Software Unfriendly; Syntax/format changes; No Common Data Model; No Error Reporting
Open Device Programmability
Protocols: RESTCONF, NETCONF, gRPC
Other vendors…
Data Model:
  • Configuration: Standard and Device Specific
  • Operational: Standard and Device Specific
Device Features: Interface, BGP, QoS, ACL, …
Physical and Virtual Network Infrastructure – Automate: Set / Get
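What "a common data model with error reporting" buys you over the CLI transcript on the previous slide, as an added example (not Cisco code and not part of the deck): a NETCONF <edit-config> request is built from the standard ietf-interfaces YANG model and replies are parsed into structured results. It uses only the Python standard library; the three replies are constructed here to the RFC 6241 / RFC 7223 shapes, not captured from a device, and the interface names are placeholders.

```python
"""NETCONF (RFC 6241) request building and reply parsing against the
ietf-interfaces YANG model (RFC 7223). Added example, stdlib only; the
replies below are constructed here, not captured from a device."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
IF = "urn:ietf:params:xml:ns:yang:ietf-interfaces"
IANAIFT = "urn:ietf:params:xml:ns:yang:iana-if-type"


def nc(tag):
    """Clark-notation name for an element in the NETCONF base namespace."""
    return "{%s}%s" % (NC, tag)


def build_edit_config(name, description, enabled, message_id="101"):
    """<edit-config> that merges one interface into the candidate datastore.
    Values are XML-escaped so an operator-supplied description such as
    '<branch> & lab' cannot inject extra elements into the request."""
    return (
        '<rpc message-id="%s" xmlns="%s">' % (message_id, NC)
        + "<edit-config><target><candidate/></target>"
        + "<default-operation>merge</default-operation>"
        + '<config><interfaces xmlns="%s"><interface>' % IF
        + "<name>%s</name>" % escape(name)
        + "<description>%s</description>" % escape(description)
        + '<type xmlns:ianaift="%s">ianaift:ethernetCsmacd</type>' % IANAIFT
        + "<enabled>%s</enabled>" % ("true" if enabled else "false")
        + "</interface></interfaces></config></edit-config></rpc>"
    )


def parse_reply(xml_text):
    """Return ("ok", []) or ("error", [..]) for an <rpc-reply>. Unlike a CLI
    transcript, every failure comes back as structured rpc-error fields a
    tool can branch on (error-tag, error-path, error-message)."""
    root = ET.fromstring(xml_text)
    if root.tag != nc("rpc-reply"):
        raise ValueError("not an rpc-reply: %s" % root.tag)
    if root.find(nc("ok")) is not None:
        return "ok", []
    errors = []
    for err in root.findall(nc("rpc-error")):
        errors.append({
            "type": err.findtext(nc("error-type")),
            "tag": err.findtext(nc("error-tag")),
            "severity": err.findtext(nc("error-severity")),
            "path": (err.findtext(nc("error-path")) or "").strip(),
            "message": (err.findtext(nc("error-message")) or "").strip(),
        })
    return "error", errors


def interfaces_from_reply(xml_text):
    """Flatten the ietf-interfaces subtree of a <get-config> reply."""
    root = ET.fromstring(xml_text)
    return [
        {
            "name": i.findtext("{%s}name" % IF),
            "enabled": i.findtext("{%s}enabled" % IF) == "true",
            "description": i.findtext("{%s}description" % IF) or "",
        }
        for i in root.iter("{%s}interface" % IF)
    ]


# Constructed replies in the shape RFC 6241 / RFC 7223 define.
OK_REPLY = '<rpc-reply message-id="101" xmlns="%s"><ok/></rpc-reply>' % NC

ERROR_REPLY = """<rpc-reply message-id="102" xmlns="%s">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>invalid-value</error-tag>
    <error-severity>error</error-severity>
    <error-path xmlns:if="%s">/if:interfaces/if:interface[if:name='GigabitEthernet9']/if:name</error-path>
    <error-message xml:lang="en">constructed: no such interface</error-message>
  </rpc-error>
</rpc-reply>""" % (NC, IF)

GET_CONFIG_REPLY = """<rpc-reply message-id="103" xmlns="%s"><data>
  <interfaces xmlns="%s">
    <interface><name>GigabitEthernet1</name><description>uplink</description>
      <type xmlns:ianaift="%s">ianaift:ethernetCsmacd</type><enabled>true</enabled></interface>
    <interface><name>GigabitEthernet2</name>
      <type xmlns:ianaift="%s">ianaift:ethernetCsmacd</type><enabled>false</enabled></interface>
  </interfaces>
</data></rpc-reply>""" % (NC, IF, IANAIFT, IANAIFT)

if __name__ == "__main__":
    print(build_edit_config("GigabitEthernet2", "to <branch> & lab", True))
    print(parse_reply(OK_REPLY), parse_reply(ERROR_REPLY))
    print(interfaces_from_reply(GET_CONFIG_REPLY))
```

The request targets the candidate datastore, so a real session would follow it with a <commit> (or <discard-changes> on error); the point of the parser is that an error-tag such as invalid-value, together with the error-path into the model, is something automation can act on, where a CLI only returns free text.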
Embracing Tools
• DevOps, Orchestration, Automation
• Monitoring / Analytics (e.g. tcollector)
DNA Components – Analytics
Matt Falkner, DTME
Analytics
[Figure: closed loop across Applications, Network and Endpoints – Instrumentation, Telemetry and Correlation feed "Measure and Adjust" (with the options "Click here to Correct" and "Always Correct this way (and never ask me again)"); Automated Deployment through APIC-EM; Run Reports, Discover user insights, Deliver relevant content]
Deploy, Report, Measure, Adjust, Repeat
Network Analytics Enable New Insights and Outcomes
• Automation for Faster Results
• Reveal Hidden Patterns
• Make Data-Driven Decisions
• Focus on Important Things
DNA Analytics Architecture – Data sources
• Data can be gathered from multiple different sources:
  • Network devices
  • Sensors
  • Applications
  • Identity servers
  • TAC cases
  • User location
  • Etc.
• Facts about sourcing data:
  • It comes in different types
  • It comes in different formats
  • It is BIG (lots of bandwidth)
[Figure: sources – Users & Devices; Enterprise IoT; Network Devices & Sensors; Cloud or on-prem Apps, Repositories, Social info, etc.]
DNA Analytics Architecture – Instrumentation = extracting the data
• Not all the information is relevant
• It is important to decide what data to collect…
• Data may live in the ASICs but must be exposed by software
• Facts on instrumentation:
  • Sampling of MIBs, flows and other parameters
  • Accuracy is KEY
  • Generating and transporting the right data can be expensive
DNA Analytics Architecture – Distributed on-device Analytics
• Since gathering and processing data can be expensive…
• Distributed analytics:
  • Put the smarts into the network
  • Analytics pre-processing
  • Stream smart data, not raw data
  • Dynamically extract information depending on current conditions
• Facts on distributed analytics:
  • Brings analytics closer to the source
  • "Just in time" dynamic configuration and adaptation
[Figure: a Distributed Analytics Agent on each device does distributed data processing before forwarding to Servers & Collectors]
DNA Analytics Architecture – Telemetry
• Telemetry is about streaming the data efficiently
• Network devices are hardware sensors
• Other devices can become sensors through a software agent
• Multiple types of data:
  • Events and logs
  • Metrics data
• Multiple protocols:
  • SNMP, NetFlow, NMSP, logs, REST, AAA, etc.
• Facts about streaming data:
  • Multiple sources
  • Multiple protocols
  • Multiple "collectors"
  • Bandwidth can be a concern
[Figure: Events, Metrics and Logs stream over multiple different protocols to Servers & Collectors]
DNA Analytics Architecture – Analytics
[Figure: on-prem analytics applications – Security analytics, Fault Mgmt., Performance Mgmt., Capacity Planning – fed by Servers & Collectors (Prime, CMX, Stealthwatch, log servers, etc.) over SNMP, AAA, NMSP, NetFlow, REST and logs, and surfaced through Dashboards & Tools (CMX, WSA, CAND, etc.)]
• Network analytics is not new…
• Lots of different use cases:
  • Performance insights
  • Troubleshooting
  • Security and compliance
  • Augment user experience
• Typical analytics solution:
  • Multiple "collecting" protocols
  • Lots of "collectors"
  • Multiple analytics "consoles"
• Areas of major interest:
  • Normalizing the data
  • Predictive issue resolution
  • Suggesting actions to fix issues
  • Automatically fixing issues
  • and more…
DNA Analytics Proof Points – Network as a Sensor (NaaS)
[Figure: StealthWatch deployment]
• Network devices export NetFlow / NBAR / NSEL to the StealthWatch FlowCollector:
  • Collect and analyze
  • Up to 4,000 sources
  • Up to 240,000 FPS sustained
• A non-NetFlow-capable device is mirrored via SPAN into a StealthWatch FlowSensor, which generates NetFlow on its behalf
• StealthWatch Management Console:
  • Management and reporting
  • Up to 25 FlowCollectors
  • Up to 6 million FPS globally
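The telemetry and "network as a sensor" slides above describe switches exporting flow records to a collector that analyzes them. The following is an added example (not Cisco or StealthWatch code) of what sits at the receiving end: a NetFlow v9 parser (RFC 3954, template flowsets followed by data flowsets) and one detection rule run over the decoded flows. The export packet is constructed with struct inside the block, the client address is the one used on the later TrustSec slide, and the scanner address and port list are made up.

```python
"""NetFlow v9 (RFC 3954) export parsing with a detection rule on top,
the "network as a sensor" idea in miniature. Added example, not Cisco or
StealthWatch code; the export packet is constructed with struct below."""
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# Field type IDs from RFC 3954, section 8
IN_BYTES, IN_PKTS, PROTOCOL, L4_SRC_PORT = 1, 2, 4, 7
IPV4_SRC_ADDR, L4_DST_PORT, IPV4_DST_ADDR = 8, 11, 12
FIELD_NAMES = {1: "bytes", 2: "pkts", 4: "proto", 7: "sport",
               8: "src", 11: "dport", 12: "dst"}
TEMPLATE = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2),
            (L4_DST_PORT, 2), (PROTOCOL, 1), (IN_BYTES, 4), (IN_PKTS, 4)]


def decode_field(ftype, raw):
    if ftype in (IPV4_SRC_ADDR, IPV4_DST_ADDR):
        return str(IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_netflow_v9(data, templates=None):
    """Parse one export packet. Templates are keyed by (source_id,
    template_id) and persist across packets; a data flowset whose template
    has not been seen yet is skipped, as RFC 3954 requires.
    Returns (templates, list of flow dicts)."""
    templates = {} if templates is None else templates
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", data[:20])
    if version != 9:
        raise ValueError("not NetFlow v9: version %d" % version)
    flows, off = [], 20
    while off + 4 <= len(data):
        fs_id, fs_len = struct.unpack("!HH", data[off:off + 4])
        if fs_len < 4:
            raise ValueError("bad flowset length")
        body = data[off + 4:off + fs_len]
        if fs_id == 0:                      # template flowset
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                if tid < 256:               # padding, not a template
                    break
                fields = [struct.unpack("!HH", body[p + 4 + 4 * i:p + 8 + 4 * i])
                          for i in range(nfields)]
                templates[(source_id, tid)] = fields
                p += 4 + 4 * nfields
        elif fs_id >= 256 and (source_id, fs_id) in templates:   # data flowset
            tmpl = templates[(source_id, fs_id)]
            rec_len = sum(flen for _, flen in tmpl)
            p = 0
            while p + rec_len <= len(body):
                rec, q = {}, p
                for ftype, flen in tmpl:
                    rec[FIELD_NAMES.get(ftype, ftype)] = decode_field(ftype, body[q:q + flen])
                    q += flen
                flows.append(rec)
                p += rec_len
        off += fs_len
    return templates, flows


def build_export(flows, source_id=1, template_id=256):
    """Build a v9 export holding one template flowset and one data flowset."""
    tmpl = struct.pack("!HH", template_id, len(TEMPLATE)) + b"".join(
        struct.pack("!HH", t, l) for t, l in TEMPLATE)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    recs = b"".join(
        IPv4Address(f["src"]).packed + IPv4Address(f["dst"]).packed
        + struct.pack("!HHBII", f["sport"], f["dport"], f["proto"], f["bytes"], f["pkts"])
        for f in flows)
    pad = (-len(recs)) % 4                  # flowsets are 4-byte aligned
    data_fs = struct.pack("!HH", template_id, 4 + len(recs) + pad) + recs + b"\0" * pad
    header = struct.pack("!HHIIII", 9, 1 + len(flows), 1000, 1700000000, 1, source_id)
    return header + tmpl_fs + data_fs


def port_scan_sources(flows, min_ports=5):
    """Sources that touched at least min_ports distinct TCP/UDP destination
    ports on one destination: the vertical port-scan signature."""
    seen = defaultdict(set)
    for f in flows:
        if f["proto"] in (6, 17):
            seen[(f["src"], f["dst"])].add(f["dport"])
    return sorted({src for (src, _dst), ports in seen.items() if len(ports) >= min_ports})


# Constructed traffic: three HTTPS flows from the slide's client, then a
# scanner probing seven ports on the same server.
SAMPLE_FLOWS = (
    [{"src": "10.1.10.220", "dst": "10.1.100.52", "sport": 51000 + i, "dport": 443,
      "proto": 6, "bytes": 1200, "pkts": 9} for i in range(3)]
    + [{"src": "10.1.20.7", "dst": "10.1.100.52", "sport": 40000 + p, "dport": p,
        "proto": 6, "bytes": 60, "pkts": 1} for p in (21, 22, 23, 25, 80, 443, 3389)]
)
EXPORT = build_export(SAMPLE_FLOWS)


def analyze(packet=EXPORT):
    _templates, flows = parse_netflow_v9(packet)
    return flows, port_scan_sources(flows)


if __name__ == "__main__":
    flows, scanners = analyze()
    print(len(flows), "flows decoded; scan sources:", scanners)
```

Two details matter operationally: templates are scoped per exporter source ID, so a collector fed by thousands of switches must key its template cache that way, and a data flowset that arrives before its template is dropped rather than guessed at, which is why a collector sees nothing from a device until the first template refresh.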
DNA Components – Network Fabrics
Dave Zacks, DSE

Leaning Forward … into Network Fabrics
Enterprise IT – Policy Model Today – Overview
[Figure: an IP packet – EID (IP SRC, IP DST), PROT, SRC PORT, DST PORT, DSCP, DATA; the "5-tuple"]
IP addresses (EIDs) are overloaded with "meaning" today:
• They locate you ("your subnet is located at X place in the network")
• They identify you ("you are part of group X because you are in subnet Y")
• They are used to drive "traffic treatment" ("you are treated X way because you come from subnet Y")
• They constrain you ("You can't stretch a subnet across the Campus … it's too hard / comes with too many tradeoffs")

All of today's network policies (pass/drop, remark, redirect, copy, etc.) are based on fields in the IP 5-tuple – these are the only fields that survive (i.e. "are transitive") end-to-end across the network with the IP packet.

There are no fields in the IP header that represent User / Device grouping … so we "overload" the IP addresses to provide this. This is why we assign users / devices into VLANs … this is what leads to ACLs that are thousands of lines long … this is what leads to the proliferation of VLANs and VRFs, and all the attendant complexity this brings …

Ports give app identification (less useful when all apps use a small set of ports, e.g. 443). DSCP gives PHBs (can run out of bits with complex policies; use policy aggregation).
But What If …

Key Assertion: if we could "break the dependence" between IP addressing and policy, we could greatly simplify networks – and make networks much more functional … we could make your IP address just be a LOCATOR for you, and provide other ways to group users / devices to apply POLICY!

With a Fabric …
• You could build and run your network in a simpler way …
• You could easily identify users and devices and apply policy …
• You could provide end-to-end segmentation simply …
• You could provide L2 / L3 flexibility as you need to …
• Provision – Simplified Provisioning: deploy devices using "best practice" configurations from a simple user interface
• Security – Segmentation: simple segmentation constructs to build secure boundaries for "users and things"
• Mobility – Wired and Wireless Host Mobility, because your address is no longer tied to your location
• Intelligent Policy – Network-wide policy enforcement based on your identity, not on your address

What is a Fabric?
What Exactly is a Fabric? – A Fabric is an Overlay
An "Overlay" is a logical topology used to virtually connect devices, built on top of an arbitrary physical "Underlay" topology.
An "Overlay" network often uses alternate forwarding attributes to provide additional services not provided by the "Underlay".
Examples of Network Overlays:
• GRE or mGRE
• MPLS or VPLS
• IPsec or DMVPN
• CAPWAP
• LISP
• OTV
• DFA
• ACI
What Exactly is a Fabric? – Why Overlays?
Separate the Forwarding Plane from the Services Plane
Flexible Virtual Services:
• Mobility – track end-points at edges
• Scalability – reduce core state; distribute state to the network edge
• Flexibility & Programmability – reduced number of touch points
Simple Transport Forwarding:
• Physical devices and paths
• Intelligent packet handling
• Maximize network availability
• Simple and manageable
What Exactly is a Fabric? – Overlay Terminology
[Figure: Hosts (end-points) attach to Edge Devices; the Overlay Network, with its own Overlay Control Plane, is carried by Encapsulation across the Underlay Network, which runs its own Underlay Control Plane]
What Exactly is a Fabric? – Types of Overlays
Hybrid L2 + L3 overlays offer the best of both worlds.
Layer 2 Overlays:
• Emulate a LAN segment
• Transport Ethernet frames (IP & non-IP)
• Single-subnet mobility (L2 domain)
• Exposure to Layer 2 flooding
• Useful in emulating physical topologies
Layer 3 Overlays:
• Abstract IP connectivity
• Transport IP packets (IPv4 & IPv6)
• Full mobility regardless of gateway
• Contain network-related failures (floods)
• Useful to abstract connectivity and policy
What Exactly is a Fabric? – Control-Plane Options – LISP
[Figure: BEFORE – IP Address = Location + Identity: every router carries the topology routes plus every endpoint route; routing protocols = big tables & more CPU. AFTER – Separate Identity from Location: endpoint routes are consolidated into the LISP mapping database (a flexible mapping database); each router keeps only the topology routes and its own local endpoint routes, with a cache for the rest; LISP DB + cache = small tables & less CPU.]
Example endpoint-route entries, repeated in every router's table before and held once in the LISP DB after (Prefix → Next-hop / RLOC):
  189.16.17.89 → 171.68.226.120
  22.78.190.64 → 171.68.226.121
  172.16.19.90 → 171.68.226.120
  192.58.28.128 → 171.68.228.121
Locator / ID Separation Protocol – Location and Identity Separation
Traditional behavior – Location + ID are "combined": a device's IPv4 or IPv6 address represents both identity and location. When the device moves across the IP core, it gets a new IPv4 or IPv6 address (10.1.0.1 becomes 20.2.0.9) for its new identity and location.
Overlay behavior – Location & ID are "separated": a device's IPv4 or IPv6 address represents identity only. When the device moves, it keeps the same IPv4 or IPv6 address (10.1.0.1 stays 10.1.0.1); it has the same identity, and only the location ("Location is here") changes.
Locator / ID Separation Protocol – LISP Mapping System
The LISP "Mapping System" is analogous to a DNS lookup:
‒ DNS resolves IP addresses for a queried name: answers the "WHO IS" question
‒ LISP resolves locators for a queried identity: answers the "WHERE IS" question
DNS – Name-to-IP (URL resolution):
  Host → DNS Server: [ Who is lisp.cisco.com ] ?
  DNS Server → Host: [ Address is 153.16.5.29, 2610:D0:110C:1::3 ]
LISP – ID-to-Locator (map resolution):
  LISP Router → LISP Map System: [ Where is 2610:D0:110C:1::3 ] ?
  LISP Map System → LISP Router: [ Locator is 128.107.81.169, 128.107.81.170 ]
What Exactly is a Fabric? – Data-Plane Options – VXLAN
LISP-based control plane, VXLAN-based data plane
Original packet:   ETHERNET | IP | PAYLOAD
Packet in LISP:    ETHERNET | IP | UDP | LISP | IP | PAYLOAD – supports L3 overlay
Packet in VXLAN:   ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD – supports L2 & L3 overlay

What Exactly is a Fabric? – Data-Plane Options – VXLAN (continued)
Packet in VXLAN:   ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD
LISP-based control plane, VXLAN-based data plane, with integrated Cisco TrustSec: the VXLAN encapsulation carries both VRF (Virtual Routing & Forwarding) and SGT (Scalable Group Tagging) context.
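The mapping-system and data-plane slides above describe two things the fabric edge does for every packet: ask the mapping system "where is this EID" and then encapsulate toward the answer, with the VRF and SGT carried in the VXLAN header. The following added example (not Cisco code, and not the deck's) puts both in one runnable model: a map-server with longest-prefix EID lookup, an ITR with a TTL-bound map-cache, and a VXLAN header with the Group Policy extension (draft-smith-vxlan-group-policy: G flag, 16-bit Group Policy ID for the SGT, 24-bit VNI for the VRF). The IPv6 EID and its two RLOCs are the slide's example; the 10.1.0.0/16 site, its RLOCs and the VNI value are constructed, and the class names are mine.

```python
"""LISP mapping system (EID -> RLOC, the "where is" lookup) with an ITR
map-cache, and VXLAN-GPO encapsulation toward the resolved RLOC carrying
the VNI and the SGT. Added example, not Cisco code: the IPv6 EID and its
RLOCs are the slide's, the 10.1.0.0/16 site and its RLOCs are constructed."""
import struct
from ipaddress import ip_address, ip_network


class MapServer:
    """EID-prefix -> RLOC list, populated by Map-Register from ETRs."""

    def __init__(self):
        self.db = {}

    def register(self, eid_prefix, rlocs):
        self.db[ip_network(eid_prefix)] = list(rlocs)

    def resolve(self, eid):
        """Longest-prefix match for Map-Request; None means negative reply."""
        eid = ip_address(eid)
        best = None
        for prefix, rlocs in self.db.items():
            if eid.version == prefix.version and eid in prefix:
                if best is None or prefix.prefixlen > best[0].prefixlen:
                    best = (prefix, rlocs)
        return best


class ITR:
    """Ingress tunnel router: resolves on cache miss, caches for ttl seconds."""

    def __init__(self, map_server, ttl=3):
        self.ms, self.ttl, self.cache = map_server, ttl, {}

    def rloc_for(self, eid, now):
        entry = self.cache.get(eid)
        if entry is not None and entry[1] > now:
            return entry[0], "cache"
        hit = self.ms.resolve(eid)
        if hit is None:
            return None, "negative"
        rloc = hit[1][0]                    # first RLOC; real ITRs weigh priorities
        self.cache[eid] = (rloc, now + self.ttl)
        return rloc, "map-request"


# VXLAN header with the Group Policy extension (draft-smith-vxlan-group-policy):
# flags(8) reserved(8) | Group Policy ID(16) | VNI(24) | reserved(8)
VXLAN_FLAG_I, VXLAN_FLAG_G = 0x08, 0x80


def vxlan_gpo_header(vni, sgt):
    if not 0 <= vni < (1 << 24) or not 0 <= sgt < (1 << 16):
        raise ValueError("vni or sgt out of range")
    return struct.pack("!BBHI", VXLAN_FLAG_I | VXLAN_FLAG_G, 0, sgt, vni << 8)


def parse_vxlan_gpo(hdr):
    """Return {"vni", "sgt"}; sgt is None when the G bit is clear, so an
    untagged frame is never mistaken for SGT 0."""
    flags, _res, gpid, vni_res = struct.unpack("!BBHI", hdr[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag clear: no valid VNI")
    return {"vni": vni_res >> 8, "sgt": gpid if flags & VXLAN_FLAG_G else None}


def encapsulate(itr, dst_eid, inner_frame, vni, sgt, now):
    """What the fabric edge does per packet: look up the destination EID,
    then wrap the frame in VXLAN-GPO addressed to the RLOC."""
    rloc, how = itr.rloc_for(dst_eid, now)
    if rloc is None:
        return None, how
    return {"outer_dst": rloc, "vxlan": vxlan_gpo_header(vni, sgt), "inner": inner_frame}, how


def mobility_demo():
    """Host 10.1.0.1 keeps its EID while its RLOC changes (the Location
    and Identity Separation example)."""
    ms = MapServer()
    ms.register("2610:D0:110C:1::/64", ["128.107.81.169", "128.107.81.170"])
    ms.register("10.1.0.0/16", ["171.68.226.120"])       # site prefix behind edge A
    itr = ITR(ms, ttl=3)
    steps = [itr.rloc_for("10.1.0.1", now=0),            # miss -> Map-Request
             itr.rloc_for("10.1.0.1", now=1)]            # cache hit
    ms.register("10.1.0.1/32", ["171.68.226.121"])       # host moved: edge B registers /32
    steps += [itr.rloc_for("10.1.0.1", now=2),           # stale cache still answers
              itr.rloc_for("10.1.0.1", now=3)]           # TTL expired -> new RLOC, same EID
    return steps


if __name__ == "__main__":
    for rloc, how in mobility_demo():
        print(rloc, how)
```

The stale-cache step is the caveat worth noticing: the model only recovers when the TTL expires, whereas LISP itself sends a Solicit-Map-Request so the old edge can tell ITRs to refresh immediately. The parser's refusal to report an SGT when the G bit is clear is the other deliberate choice; treating "no tag" as tag 0 would hand untagged traffic whatever policy group 0 has.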
Securing a Fabric Infrastructure with Flexible Policy

Cisco TrustSec – Simplifying Security
[Figure: traditional design – an Access Layer with a Voice VLAN (Voice), Data VLAN (Employee), Guest VLAN (Supplier), BYOD VLAN (BYOD) and Quarantine VLAN (Non-Compliant), an Aggregation Layer and the Enterprise Backbone leading to Applications; each VLAN brings its own address, DHCP scope, redundancy, routing and static ACL / VACL]
Limits of Traditional Segmentation:
• Security policy based on topology (address)
• High cost and complex maintenance
An address-based ACL, as illustrated on the slide:
access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165
access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428
access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511
access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945
access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116
access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959
access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993
access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
Classification: static or dynamic VLAN assignments
Propagation: carry "segment" context through the network using VLAN, IP address, VRF
Enforcement: IP-based policies – ACLs, firewall rules
Cisco TrustSec – Segmentation based on Groups
[Figure: Voice, Employee, Supplier and Non-Compliant endpoints on a Campus Switch (VLAN A / VLAN B) receive an Employee Tag, Supplier Tag or Non-Compliant Tag at classification; the tags cross the Enterprise Backbone; the DC Switch or Firewall in front of the Application Servers and Shared Services enforces, and receives from ISE policy for only what is connected]
Classification: static or dynamic SGT assignments
Propagation: carry "group" context through the network using only the SGT
Enforcement: group-based policies – ACLs, firewall rules
Cisco TrustSec – ISE Enables CTS
[Figure: Cisco ISE at the centre of the following functions]
• SGT & SGT Names – Scalable Group Tags, centrally defined as Endpoint ID Groups, e.g. 3: Employee, 4: Contractors, 8: PCI_Servers, 9: App_Servers
• SGACL – Name Table – the Scalable Group ACL: a sources × destinations policy matrix (each cell permit ✓ or deny ✕) to be pushed down to the network devices
• 802.1X Dynamic SGT Assignment – ISE dynamically authenticates endpoint users and devices, and assigns SGTs
• Static SGT Assignment
• NDAC – Network Device Admission Control: NDAC authenticates network devices for a trusted CTS domain, keeping rogue device(s) out
Cisco TrustSec – Two Ways to assign SGTs
[Figure: Campus Access, Distribution, Core, Enterprise Backbone, DC Core, DC Access, plus WLC, Firewall and Hypervisor SW]
Dynamic Classification – at the campus access layer (e.g. MAB, 802.1X via ISE)
Static Classification – applied at distribution, core, DC core and DC access and on the WLC, firewall and hypervisor switch:
• VLAN to SGT
• L3 Interface (SVI) to SGT
• L2 Port to SGT
• VM (Port Profile) to SGT
• Subnet to SGT
Cisco TrustSec – Ingress Classification with Egress Enforcement
[Figure: a Marketing user on a Cat3850 access switch, through Cat6800 campus switches and the Enterprise Backbone to Nexus 7000 / Nexus 5500 / Nexus 2248 data-center switches (WLC5508 for wireless), reaching the CRM and Web servers]
1. User authenticated = classified as Marketing (SGT 5); the packet SRC: 10.1.10.220 DST: 10.1.100.52 enters the fabric carrying SGT 5.
2. Destination classification in the DC: CRM = SGT 20, Web = SGT 30. FIB lookup = destination MAC → SGT 20 for DST: 10.1.100.52; SGT 30 for DST: 10.1.200.100.
3. Egress enforcement (SGACL) on the DC switch, from the matrix:
   Source \ Destination | CRM (20) | Web (30)
   Marketing (5)        | Permit   | Deny
   BYOD (7)             | Deny     | Permit
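The enforcement slide above, and the earlier point that address-based policy produces "ACLs that are thousands of lines long", can both be made concrete. This is an added example (not Cisco or ISE code, not part of the deck): the source SGT arrives with the packet, the destination SGT comes from an IP-to-SGT binding on the egress switch, and the slide's 2×2 matrix decides; a last function counts how many 5-tuple ACEs the same policy needs once groups are expanded to hosts. The tags, the two server addresses and the client address are the slide's; the /24 bindings, the extra group members and the function names are constructed.

```python
"""Ingress classification with egress enforcement, as on the slide: the
source SGT arrives with the packet, the destination SGT comes from the
IP-to-SGT binding on the egress switch, and a group matrix decides.
The last function counts the address-based ACL lines the same policy
needs, the "ACLs thousands of lines long" problem. Added example, not
Cisco code; tags and the slide's hosts are the slide's, the subnets and
extra group members are constructed."""
from ipaddress import ip_address, ip_network

SGT_NAMES = {5: "Marketing", 7: "BYOD", 20: "CRM", 30: "Web"}

# Destination classification: subnet -> SGT (constructed /24s around the slide's servers)
IP_SGT_BINDINGS = [(ip_network("10.1.100.0/24"), 20), (ip_network("10.1.200.0/24"), 30)]

# SGACL matrix (source SGT, destination SGT) -> action, as pushed down from ISE
SGACL = {(5, 20): "permit", (5, 30): "deny", (7, 20): "deny", (7, 30): "permit"}

# Group membership used only for the ACL-size comparison (constructed)
GROUP_MEMBERS = {5: ["10.1.10.220", "10.1.10.221"], 7: ["10.1.30.5"],
                 20: ["10.1.100.52"], 30: ["10.1.200.100", "10.1.200.101"]}


def classify_destination(dst_ip):
    """Longest-match IP-to-SGT lookup; None when nothing is bound."""
    dst, best = ip_address(dst_ip), None
    for net, sgt in IP_SGT_BINDINGS:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, sgt)
    return None if best is None else best[1]


def egress_decision(src_sgt, dst_ip):
    """Return (action, dst_sgt). An unknown destination or an uncovered
    matrix cell fails closed instead of falling back to an address rule."""
    dst_sgt = classify_destination(dst_ip)
    if dst_sgt is None:
        return "deny", None
    return SGACL.get((src_sgt, dst_sgt), "deny"), dst_sgt


def expanded_ip_acl(members, matrix=SGACL):
    """The 5-tuple ACEs needed to say the same thing without tags:
    one line per (source host, destination host) pair per matrix cell."""
    lines = []
    for (src_sgt, dst_sgt), action in matrix.items():
        for s in members.get(src_sgt, []):
            for d in members.get(dst_sgt, []):
                lines.append("%s ip host %s host %s" % (action, s, d))
    return lines


def growth_on_new_member(members, sgt, host):
    """(ACL lines before, ACL lines after, SGACL cells) when one host joins
    a group: the address ACL grows, the group policy does not change."""
    before = len(expanded_ip_acl(members))
    grown = {k: list(v) for k, v in members.items()}
    grown.setdefault(sgt, []).append(host)
    return before, len(expanded_ip_acl(grown)), len(SGACL)


if __name__ == "__main__":
    # The slide's two packets from the Marketing user at 10.1.10.220
    for dst in ("10.1.100.52", "10.1.200.100"):
        action, dst_sgt = egress_decision(5, dst)
        print("Marketing(5) ->", dst, SGT_NAMES.get(dst_sgt), action)
    print(growth_on_new_member(GROUP_MEMBERS, 5, "10.1.10.222"))
```

The fail-closed defaults are the part to carry into a real deployment: a destination with no IP-to-SGT binding, or a source/destination pair with no cell in the matrix, should be denied explicitly rather than left to whatever interface ACL happens to be underneath, otherwise an unmapped server silently becomes reachable from every group.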
Cisco TrustSec – SGT Propagation and Enforcement Options
[Figure: User → Switch → Router → WAN → Router → Firewall → DC Switch → Server]
Heterogeneous L2 / L3 networks: classification at the access switch; the SGT is propagated by SXP across devices that cannot carry the tag inline; enforcement by SGACL on the switches and SGFW on the firewall.
TrustSec-capable L2 / L3 networks: classification at the access switch; the SGT is carried inline over the fabric or Ethernet, and over VPN across the WAN (GETVPN, DMVPN, IPsec); enforcement by SGACL on the switches and SGFW on the firewall.
Cisco TrustSec – Additional Information
Suggested Reading:
• BRKCRS-2891 - Enterprise Network Segmentation with Cisco TrustSec
• BRKSEC-2203 - Intermediate - Enabling TrustSec Software-Defined Segmentation
• BRKSEC-2044 - Building an Enterprise Access Control Architecture Using ISE and TrustSec
Other References:
• Cisco TrustSec Marketing Site: http://www.cisco.com/go/trustsec/
• Cisco TrustSec Config Guide: cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec.html
• CTS Architecture Overview: cisco.com/docs/switches/lan/trustsec/configuration/guide/trustsec/arch_over.html
• CTS 2.0 Design Guide: cisco.com/td/docs/solutions/Enterprise/Security/TrustSec_2-0/trustsec_2-0_dig.pdf
• Fundamentals of TrustSec: https://www.youtube.com/watch?v=78-GV7Pz18I
Fabrics – Summary

Summary – Benefits of Fabric Deployment in Networks
[Figure: APIC-EM at the centre of Endpoints, Branch, Collaboration, Security and Analytics]
• Business Agility
• Automated Enterprise
• Consistent Policy
• Investment Protection
• Integrated Mobility
Summary – Want to Know More About Fabrics?
Attend session BRKCRS-3800, "Evolved Campus Networks"!
Tuesday, 9:00am and 1:30pm; Wednesday, 1:30pm
Shawn Wargo, PTME

DNA – Wrap-Up and Conclusions
Dave Zacks, DSE
Cisco Digital Network Architecture – Principles
[Figure: the DNA stack]
• Network-enabled Applications: Cloud-enabled | Software-delivered
• Insights & Experiences; Automation & Assurance; Security & Compliance
• Cloud Service Management: Policy | Orchestration
• Automation: Abstraction & Policy Control from Core to Edge
• Analytics: Network Data, Contextual Insights
• Open & Programmable | Standards-Based; Open APIs | Developers Environment
• Virtualization: Physical & Virtual Infrastructure | App Hosting
Network Requirements for the Digital Organization
• Insights and Experiences – Faster Innovation
• Security and Compliance – Lower Risk
• Automation and Assurance – Reduced Cost & Complexity
The Cisco DNA Customer Journey Starts Now
1. Base Automation – immediate value to the existing network
2. Policy Services – active control for critical use cases: Network, Collaboration
3. Advanced Security – Network as a Sensor and Enforcer
4. Complete Software Control – end-to-end policy-based automation
5. Digital Services – support lines of business: analytics, IoT
Licensing along the journey: Cisco ONE Foundation → Cisco ONE Adv. Applications → Cisco ONE ELA
Cisco Digital Network Architecture – Begin Your Digital Journey Today
ARE YOU READY:
• To automate network operations?
• Save on WAN transport?
• Enable richer collaboration experiences?
• Gain business insights?
• Deliver personalized customer experiences?
• Detect and remediate threats rapidly?
• To virtualize your branch?

Did We Achieve Our Objectives?
Do You Have a Better Understanding …
• of what DNA is all about …
• of the capabilities that DNA offers …
• and how you can leverage DNA in your own networks?
Don't forget to fill out your evaluations!

The Cisco Digital Network Architecture – Evolution of the Enterprise Network
Dave Zacks, Distinguished SE
Matt Falkner, Distinguished TME
Complete Your Online Session Evaluation
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
• Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on C iscoLive.com/us.

Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions

Please join us for the Service Provider Innovation Talk featuring:
Yvette Kanouff | Senior Vice President and General Manager, SP Business
Joe Cozzolino | Senior Vice President, Cisco Services
Thursday, July 14th, 2016, 11:30 am - 12:30 pm, in the Oceanside A room
What to expect from this innovation talk:
• Insights on market trends and forecasts
• Preview of key technologies and capabilities
• Innovative demonstrations of the latest and greatest products
• Better understanding of how Cisco can help you succeed
Register to attend the session live now or watch the broadcast on cisco.com

Thank you