© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
How to deploy a Cisco campus network in 10 minutes?
New technologies for automation and analytics in Cisco enterprise networks.
Denis Kodentsev (Денис Коденцев)
Consulting Engineer, CCIE
Cisco's new era of networking – announced 20 June 2017

DNA Center
• An innovative solution for deploying and managing the enterprise network and network services
DNA Assurance & Analytics
• Analysis and proactive detection of problems
Software-Defined Access
• A universal network fabric with dynamic microsegmentation
Enhanced Network as a Sensor
• Detection of malware in encrypted traffic (without decryption)
Catalyst 9000 switches
• The first switches purpose-built for DNA
Subscription-based licensing | Additional services from Cisco
Why do companies spend so much?

10x* traffic growth by 2019
IT teams have to support more connected devices (both user devices and others – IoT, for example)
IT teams have to deal with a larger number of vulnerabilities and security threats
$60B is spent per year worldwide on operating network infrastructure (salaries, tooling)
Enterprise networks today are complex …

Working with multiple networks
Working with many different policies – LAN, WLAN, WAN, data center
Scaling increases operational complexity
Managing many VLANs
[Figure: HQ (VLAN 1, VLAN 2, VLAN 3) connected over the WAN to branch sites (VLAN A, VLAN B) and a remote site (VLAN B)]
Cisco Digital Network Architecture (DNA) Overview

Principles: Open & Programmable | Standards-Based

Network-enabled Applications – Cloud-enabled | Software-delivered
Cloud Service Management – Policy | Orchestration; Open APIs | Developers Environment
Automation – Abstraction & Policy Control from Core to Edge (SD-A, SD-WAN & ENFV)
Analytics – Network Data, Contextual Insights
Virtualization – Physical & Virtual Infrastructure | App Hosting
DNA Center – Insights & Experiences | Automation & Assurance | Security & Compliance
Why do we need DNA Center?

DNA Center – a single interface for automation and analytics
DNA Center Simple Workflows: DESIGN | PROVISION | POLICY | ASSURANCE
Built on: APIC-EM | Network Data Platform | Identity Services Engine
Managed infrastructure: Routers | Switches | Wireless APs | Wireless Controllers
What is SD-Access? Key concepts and terminology

§ DNA Controller – Enterprise SDN Controller (e.g. DNA Center) provides GUI management and abstraction via Apps that share context
§ Identity Services – External ID System(s) (e.g. ISE) are leveraged for dynamic Endpoint to Group mapping and Policy definition
§ Analytics Engine – External Data Collector(s) (e.g. NDP) are leveraged to analyze Endpoint to App flows and monitor fabric status
§ Control-Plane Nodes – Map System that manages Endpoint to Device relationships
§ Fabric Border Nodes – A Fabric device (e.g. Core) that connects External L3 network(s) to the SDA Fabric
§ Fabric Edge Nodes – A Fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SDA Fabric
§ Fabric Wireless Controller – A Fabric device (WLC) that connects Wireless Endpoints to the SDA Fabric
§ Intermediate Nodes (Underlay)
[Figure: Campus Fabric with Control-Plane (C), Border (B), Edge and Wireless Controller nodes, ISE, the DNA Controller and the Analytics Engine]
Why do we need Software-Defined Access?

Is your Campus Network facing some, or all, of these challenges?
• Host Mobility (w/o stretching VLANs)
• Network Segmentation (w/o implementing MPLS)
• Role-based Access Control (w/o end-to-end TrustSec)
• Common Policy for Wired and Wireless (w/o using multiple tools)
• Consistency Across Campus, WAN and Branch (w/o using multiple tools)
With DNA SD-Access, you can overcome these challenges and provide your organization with the infrastructure required to meet your business objectives.
Come to this session to get a look into the DNA SD-Access architecture, including a closer look at each of the technologies that bring this to life!
How is Cisco DNA Center built?

DNA automation and analytics – architecture
GUI: Design | Provision | Policy | Assurance

DNA Center
• DNA Automation – App Policy, Infra Controller (EN Module); configures the network over NETCONF, SNMP and SSH
• DNA Assurance – Network Data Platform; receives HTTPS, NetFlow and Syslog telemetry from the network
• Cisco ISE 2.3 – Identity Services Engine; handles AAA with the network over RADIUS / EAPoL
• The three components exchange context with each other via APIs
Cisco Switches | Cisco Routers | Cisco Wireless – the SDA Fabric
Full-cycle automation

DNA Center = DNA Automation + DNA Assurance
• DNA Automation → network: network and telemetry configuration
• Network → DNA Assurance: streaming telemetry & network data
• DNA Assurance → DNA Automation: telemetry, alerts, violations
• DNA Automation → DNA Assurance: network inventory, topology, and configuration
ISE and DNA Center integration – automating policy and access control

Cisco DNA Center: Fabric Management | Policy Authoring Workflows
Cisco Identity Services Engine: Authentication | Authorization | Policies
DNA Center ↔ ISE (pxGrid / REST APIs): Groups and Policies
ISE ↔ Campus Fabric: Authentication, Authorization
Correlation and machine learning

Phase 1 – Ingest Network & Contextual Telemetry
Phase 2 – Process and Analyze Streams of Data (Data Processing, Complex Event Processing, Machine Learning)
• Data cleaning
• Feature creation
• Data normalization & enrichment
• Baselining & trending
• Relationship modeling
• Behavior analysis
• Anomaly detection
• Pattern recognition
• Event clustering & correlation
• Prediction
• Natural language processing
• Recommendation
Phase 3 – Visualize and Act
• Real-time visibility
• One click (drill down) root cause analysis
Health analysis for every network client
Summary: Is the client connected and is the link connection good?

Wired Client Health: Connected | Onboarding | Throughput issues
• Authenticated, IP
• Link Error – Yes/No
• Port Up/down – Yes/No
• Key Services – DNS reachable
BRKCRS-2814
Streaming telemetry
Extended telemetry where and when it is needed

Programmable interfaces on the physical and virtual network infrastructure:
• NETCONF | RESTCONF | gNMI (open) and SNMP (native), driven by YANG data models
• Device features: Interface, BGP, QoS, ACL, … – configuration and operational data, open and native models
Publish / Subscribe:
• Periodic or on change
• Structured data
• Priority subscriptions
• Customized to recipient
• XML or JSON encoding
• NETCONF or HTTP/2 transport
• Increased scale
• Reduced CPU and bandwidth consumption
With streaming telemetry (FCS in July in the 16.6 train) we will support collection of many KPIs as close as possible to real time.
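As an added worked example (not from the deck and not Cisco code), the following Python builds the NETCONF yang-push establish-subscription that the "periodic or on change" publication above refers to, and parses a push-update notification. The namespace URIs and element names follow the draft-ietf-netconf-yang-push revision implemented in IOS XE 16.6; check them against the YANG models on your platform. The XPath targets the Cisco-IOS-XE-process-cpu-oper model; the sample notification, the 80% threshold and all values are constructed for the example.

```python
"""Model-driven telemetry over NETCONF: build a yang-push subscription and
consume a push-update.

Added illustration, not code from the deck or from Cisco. Namespaces follow
the yang-push draft implemented in IOS XE 16.6 (ietf-event-notifications /
ietf-yang-push); verify them against your platform's YANG models. The sample
notification below is constructed, not captured from a device.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS_EN = "urn:ietf:params:xml:ns:yang:ietf-event-notifications"
NS_YP = "urn:ietf:params:xml:ns:yang:ietf-yang-push"
NS_NOTIF = "urn:ietf:params:xml:ns:netconf:notification:1.0"

# Five-second CPU utilisation leaf of the Cisco-IOS-XE-process-cpu-oper model
CPU_XPATH = "/process-cpu-ios-xe-oper:cpu-usage/cpu-utilization/five-seconds"


def build_subscription(xpath, period_cs=None, dampening_cs=None):
    """Return the <establish-subscription> RPC body as a string.

    Exactly one of period_cs (periodic push) or dampening_cs (on-change push)
    must be given. Both are centiseconds (1/100 s) per the draft, so
    period_cs=1000 means one update every 10 seconds.
    """
    if (period_cs is None) == (dampening_cs is None):
        raise ValueError("specify either period_cs or dampening_cs, not both")
    trigger = (
        f"<yp:period>{int(period_cs)}</yp:period>"
        if period_cs is not None
        else f"<yp:dampening-period>{int(dampening_cs)}</yp:dampening-period>"
    )
    rpc = (
        f'<establish-subscription xmlns="{NS_EN}" xmlns:yp="{NS_YP}">'
        "<stream>yp:yang-push</stream>"
        f"<yp:xpath-filter>{escape(xpath)}</yp:xpath-filter>"
        f"{trigger}"
        "</establish-subscription>"
    )
    ET.fromstring(rpc)  # fail early if the filter made the XML ill-formed
    return rpc


def parse_push_update(notification_xml):
    """Extract event time, subscription id and pushed leaf values.

    Leaf values are keyed by local element name, so the caller does not have
    to know each model's namespace.
    """
    root = ET.fromstring(notification_xml)
    update = root.find(f"{{{NS_YP}}}push-update")
    if update is None:
        raise ValueError("not a yang-push push-update notification")
    contents = update.find(f"{{{NS_YP}}}datastore-contents-xml")
    leaves = {}
    for el in (contents.iter() if contents is not None else ()):
        if len(el) == 0 and el.text and el.text.strip():
            leaves[el.tag.rsplit("}", 1)[-1]] = el.text.strip()
    return {
        "event_time": root.findtext(f"{{{NS_NOTIF}}}eventTime"),
        "subscription_id": int(update.findtext(f"{{{NS_YP}}}subscription-id")),
        "leaves": leaves,
    }


def cpu_over_threshold(update, threshold_pct):
    """True if the pushed five-second CPU sample exceeds threshold_pct."""
    return int(update["leaves"].get("five-seconds", 0)) > threshold_pct


# Constructed sample of what a device pushes once the subscription is accepted.
SAMPLE_PUSH_UPDATE = f"""
<notification xmlns="{NS_NOTIF}">
  <eventTime>2017-07-12T10:11:12.00Z</eventTime>
  <push-update xmlns="{NS_YP}">
    <subscription-id>2147483648</subscription-id>
    <datastore-contents-xml>
      <cpu-usage xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-process-cpu-oper">
        <cpu-utilization>
          <five-seconds>87</five-seconds>
        </cpu-utilization>
      </cpu-usage>
    </datastore-contents-xml>
  </push-update>
</notification>
"""

if __name__ == "__main__":
    print(build_subscription(CPU_XPATH, period_cs=1000))   # periodic, every 10 s
    print(build_subscription(CPU_XPATH, dampening_cs=0))   # on change, no dampening
    upd = parse_push_update(SAMPLE_PUSH_UPDATE)
    print(upd, "ALERT" if cpu_over_threshold(upd, 80) else "ok")
```

The RPC body is what you hand to your NETCONF client (ncclient's `dispatch`, for instance) for it to wrap in an `<rpc>` envelope over the SSH session on port 830; notifications then arrive on that same session. Note that a subscription hands operational data to whoever holds the session, so the NETCONF account should get read-only AAA privileges and the filter should be as narrow as the KPI needs.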
Collecting contextual information – ISE

Telemetry from the network devices:
• SGT applied to port
• Policy Enforcement Status
• SGT Counters
(Device-level enforcement and changes | Access policy application and changes | Identity and end user information)
From ISE over pxGrid:
• SGT bindings, group-based policies
• Access Policy Push
• Notification of end user authentication and authorization (positive/negative)
• Notification on group-based policy being downloaded by devices
• End user identity and context
Result: end-to-end visibility
Collecting contextual information – IPAM

Infoblox (pxGrid publish / subscribe, RESTful API, SNMP)
General information:
- Pool Name or ID
- Pool State (Enabled / Disabled)
Per pool:
- Network Block
- Start / End Address
- Lease Time
- Addresses Assigned
- Options Assigned
General stats (per pool and per client device):
- Any latency values
- # Discovers
- # Offers
- # Requests
- # ACKs
- # Declines
- # NAKs
Ease of use: Example 1
Landing page – what are the main problems observed in your network?

The landing page tells you:
• Where in the world the most serious issues are happening
• The overall health of your network, clients and applications
• Your top 10 issues and trends
Variety | Velocity | Volume | Veracity
• Live end-to-end visibility brings together multiple data sources at high volumes and speeds
• Incorporation of diverse network data types
• Reliable scoring to assess client health in real-time
• Accurate alerting for fast root cause analysis
Ease of use: Example 3
Instant root-cause detection for problems with the SDA fabric and/or CTS (TrustSec) policies

1. A quick visual of the fabric overlay tells you where you might have issues
2. Assurance-enabled path trace tells you where policies are failing
What does the network lifecycle look like with DNA Center?

DNA Center – Design (1): Setup Management & Underlay Reachability
1. Setup Sites, Buildings & Floors
• Organize your Regions, Cities & Buildings
• Import floorplans in CAD, PNG or JPG
• Virtual layout of Routers, Switches & APs
2. Setup Global & Site-Specific Settings
• Establish a common set of Global Servers
• Each Site inherits settings from the level above
• Override Global settings with Site-Specific ones
3. Setup IP Address Pools or IPAM
• IP Address Management uses the Site hierarchy
• Add or modify IP Pools manually
• You can also import from IPAM tools via APIs
4. Setup Wireless SSID Settings
• Manage Fabric Wireless WLANs per Site
• Associate the SSIDs with IP Pools
• Automated setup of the WLC & APs via APIs
DNA Center – Policy (2): Setup VNs & EIGs and Policies
1. Setup Virtual Networks
• Add Scalable Groups to a Virtual Network
• A "Default" Virtual Network is created automatically
• Option to add / remove new Virtual Networks
• Enables VN ID on SDA enabled Devices*
2. Setup Scalable Groups
• Option to import Groups from ISE (or AD)
• Option to create Groups via Static Mapping
• Enables SGT ID on SDA enabled Devices*
3. Manage Group Policies
• Groups provide native SGT based segmentation
• Intra-VN policies set to Default Permit or Deny
• Create simple To / From Group-Based Policies
4. Manage VN Policies*
• VNs provide native VRF network segmentation
• Inter-VN policies mapped to Firewall instances*
* External Connect requires manual configuration. Automation planned for a later release.
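To make the two-level segmentation described in steps 1 to 4 concrete, here is an added Python model of how the verdicts compose. It is an illustration written for this page, not DNA Center's or ISE's implementation: it encodes only what the slide states (VNs are VRFs with no path between them inside the fabric, inter-VN traffic is handed to a mapped firewall instance, and intra-VN traffic is matched by directional From/To group rules with a per-VN default of permit or deny). Every VN, group and firewall name in it is made up.

```python
"""Two-level segmentation model of the SD-Access Policy workflow.

Added illustration; not DNA Center's or ISE's code. It encodes the rules
stated on the Policy slide: Virtual Networks are VRFs (no route between them
inside the fabric; inter-VN traffic goes to a firewall instance), and within
a VN Scalable Groups are matched by directional From/To rules with a per-VN
default of permit or deny. All names below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Tuple

PERMIT, DENY = "permit", "deny"


@dataclass(frozen=True)
class Endpoint:
    name: str
    vn: str   # Virtual Network the host was onboarded into (a VRF in the fabric)
    sgt: str  # Scalable Group Tag assigned by ISE (or static mapping)


@dataclass
class FabricPolicy:
    # VN -> default verdict for intra-VN traffic that matches no group rule
    intra_vn_default: Dict[str, str] = field(default_factory=dict)
    # (from_sgt, to_sgt) -> verdict; rules are directional
    group_rules: Dict[Tuple[str, str], str] = field(default_factory=dict)
    # {vn_a, vn_b} -> firewall instance both VNs hand off to at the border
    inter_vn_firewall: Dict[FrozenSet[str], str] = field(default_factory=dict)

    def decide(self, src: Endpoint, dst: Endpoint) -> str:
        """Verdict the fabric itself reaches for src -> dst.

        Returns "permit", "deny", or "firewall:<name>" when the flow leaves
        the fabric for an external firewall (the fabric does not decide it).
        """
        if src.vn != dst.vn:
            fw = self.inter_vn_firewall.get(frozenset({src.vn, dst.vn}))
            # Different VRFs: no route inside the fabric. Either a firewall
            # is mapped for this VN pair or the traffic has no path at all.
            return f"firewall:{fw}" if fw else DENY
        rule = self.group_rules.get((src.sgt, dst.sgt))
        if rule is not None:
            return rule
        return self.intra_vn_default.get(src.vn, DENY)

    def matrix(self, vn: str, groups):
        """Effective From/To matrix for one VN, the view an operator reviews
        before pushing policy: {(from_sgt, to_sgt): verdict}."""
        probe = {g: Endpoint(f"probe-{g}", vn, g) for g in groups}
        return {(a, b): self.decide(probe[a], probe[b])
                for a in groups for b in groups}


def example_policy() -> FabricPolicy:
    """Constructed policy: a Campus VN with a permissive default and an IoT VN
    with a deny-by-default posture, joined only through one firewall."""
    return FabricPolicy(
        intra_vn_default={"Campus": PERMIT, "IoT": DENY},
        group_rules={
            ("Guests", "Servers"): DENY,   # guests may not reach servers
            ("Cameras", "NVR"): PERMIT,    # the one allowed flow in the IoT VN
        },
        inter_vn_firewall={frozenset({"Campus", "IoT"}): "fw-iot-edge"},
    )


if __name__ == "__main__":
    p = example_policy()
    emp = Endpoint("laptop", "Campus", "Employees")
    srv = Endpoint("fileserver", "Campus", "Servers")
    guest = Endpoint("phone", "Campus", "Guests")
    cam = Endpoint("cam-1", "IoT", "Cameras")
    nvr = Endpoint("nvr", "IoT", "NVR")
    for s, d in [(emp, srv), (guest, srv), (srv, guest), (cam, nvr), (nvr, cam), (emp, cam)]:
        print(f"{s.sgt}@{s.vn} -> {d.sgt}@{d.vn}: {p.decide(s, d)}")
```

Two things the model makes visible that the bullets do not: a Guests→Servers deny says nothing about Servers→Guests, which still falls through to the VN default (group rules are directional, so review both cells of the matrix), and a VN pair with no firewall mapped has no path, which is why the slide's footnote about external connectivity matters before you onboard hosts into a new VN.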
DNA Center – Provision (3): Setup Overlay Control & Data-Plane
1. Setup Fabric Domains
• Add Devices to one of the configured Sites
• A "Default" Fabric Domain is created automatically
• Option to add / remove new Fabric Domains
2. Add Devices & Assign Roles
• Add SDA capable Devices to the Fabric Domain
• Designate 1+ Devices as Border and Control
• All other Devices are configured as an Edge
3. Setup Host Onboarding
• Add various IP Pools to the Fabric Domain
• Designate IP Pools for Wired or Wireless
• Define the Host Authentication and options
• Option for Static Assignment of Pools to Ports
4. Advanced Settings
• (Optional) Enable Multicast in the Fabric Domain
DNA Center – Assurance (4): Real-Time Data-Collection & Event Correlation
1. Assurance Dashboard
• Network Health Scores (based on 360 Views)
• Graphical status view of Health and Alarms
• Track common Network Issues & Trends
• Universal search for elements of the Network
2. Device 360 Views
• Summary and Real-time Device statistics
• Track Issues and Trends of each Device
• View connected Neighbors, Clients & Apps
3. Client 360 Views
• Summary and Real-time Client statistics
• Track Issues and Trends of each Client
• Initiate Pathtrace per Client Application
4. Application 360 Views
• Summary and Real-time App statistics
• Track Issues and Trends of each App
How about a demo?

And what about Cisco Enterprise NFV?

Previously, ENFV required 3 systems…

[Figure: branch office with WAN; NFVIS hosting IPS, WAAS and a vSwitch; profile-to-SN mapping, SN / IP for host and provisioning flows between the systems]
• ESA, PI and APIC-EM work together when bringing up a branch
Enterprise Services Automation (ESA) ↔ (REST) ↔ APIC-EM / Prime Infrastructure PnP – Day 0/1 config repository
…now one is enough – DNA Center

…including for Enterprise NFV

Summing up…
DNA Center capabilities = DNA software subscription
Cisco ONE Suites or à la carte model

ESSENTIALS: Layer 2, Routed Access, Base Automation and Monitoring
ADVANTAGE: Full L3, Segmentation, Software-Defined Access, ETA & Assurance
• Ongoing Innovation
• License Portability
• Software Support Included
• OpEx Preference
• Lower Entry Costs
Available for current Catalyst 3K, 4K, 6K and next-generation Catalyst 9K Series
Cisco ONE Suite – Essentials includes ISE Base
What you will need: simplified view

Software: DNA Center, ISE, StealthWatch – DNA License (ISE Base & Plus & StealthWatch) – included in Cisco ONE Advantage
Server: DNA Center console, ISE console
Network: Switches, Access Points, Routers – Network/OS License – ships with the device

Thank you! Questions?