enterprise networks - cisco digital network architecture - introducing the network intuitive

© 2016 Cisco and/or its affiliates. All rights reserved. 1

Enterprise Networks - Cisco Digital Network Architecture - Introducing the Network IntuitiveTammy GetschelChannel Systems Engineer

Jan 2018

CiscoConnect


Agenda• It’saDigitalWorld!

• AutomatingyournetworkwithDNACenter

• GainingDeepInsightswithAssuranceandAnalytics

• Summary

2

3© 2016 Cisco and/or its affiliates. All rights reserved.

It’s a digital world!


What is the Risk of Digital Disruption?• According to the Global Center for Digital Transformation in a survey of

941 companies:

of today’s Top-10 incumbents

(in terms of market share)

will be digitally disrupted

within the next 5 years

https://www.imd.org/uupload/IMD.WebSite/DBT/Digital_Vortex_06182015.pdfhttp://www.economist.com/news/business/21647317-messaging-services-are-rapidly-growing-beyond-online-chat-message-medium

40%in 5


Why Transform Digitally?

• According to Harvard Business Review, companies that master digital transformation generate:

more revenue than their industry peers, and

more profits than their industry peers

https://hbr.org/product/leading-digital-turning-technology-into-business-transformation/17039E

9%26%


UPS My ChoiceDelivery Control

Personalized Service

Customer ExperiencePhysical and Virtual

RFID Content

Workforce EfficiencyWIP Inventory and

Part Tracking

American ExpressPersonalized Service

Through Mobile

Starbucks AppsOrder AheadSkip the Line

6

Digital Transformation is Moving IT to the Boardroom

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 6TECCRS-2700


Cisco Enterprise Networking Vision

Transform our customers’ businesses through powerful yet simple networks.


Digital Business Demands Application Agility

“…While other components of the IT infrastructure have become more programmable and allow for faster, automated provisioning, installing network circuits is still a painstakingly manual process...”

— Andrew Lerner, Gartner Research


Agility Requires Faster Network Provisioning

Source: Forrester Source: Open Compute Project

Time IT spends on operations80% CEOs are worried about IT strategy not supporting business growth57%

Network Expenses Deployment Speed

0 10 100 1000

Computing Networking

Seconds0

100%

CAPEX OPEX

33% 67%


© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Key Challenges for Traditional Networks

Slower Issue ResolutionComplex to ManageDifficult to Segment

Ever increasing number of users and endpoint types

Ever increasing number of VLANs and IP Subnets

Multiple steps, user credentials, complex

interactions

Multiple touch-points

Separate user policies for wired and wireless networks

Unable to find users when troubleshooting

Traditional Networks Cannot Keep Up!

Key Challenges for Traditional Networks


Digital Network Architecture (DNA)

Open and Programmable | Standards-based

Open APIs | Developers Environment

Cloud Service ManagementPolicy | Orchestration

VirtualizationPhysical and Virtual Infrastructure | App Hosting

Insights & Experiences

Network-enabled Applications

Cloud-enabled | Software-delivered

Automation & Assurance

Security & Compliance

PrinciplesAutomation

Abstraction and Policy Control from Core to Edge

AnalyticsNetwork Data,

Contextual Insights


Intent-based Network Infrastructure

DNA Center

AnalyticsPolicy Automation

I N T E N T C O N T E X T

S E C U R I T Y

L E A R N I N G

The Network. Intuitive.Powered by Intent. Informed by Context.


Introducing DNA CenterRealizing vision of the intent-powered intuitive network

Decouple Policy from Network Topology

Industry Best-Practices Configuration and Policy

Compliance

Proactive Issue Identification and

Resolution

Policy AutomationAssurance and

Analytics

Translate business intent into network policy

Reduce manual operations and cost associated with

human errors

Use context to turn data into intelligence


DNA SolutionCisco Enterprise Portfolio

Automation AnalyticsIdentity Services Engine

Routers Switches Wireless APs

DNA Center

DNA Center Simple Workflows

Wireless Controllers

DESIGN PROVISION POLICY ASSURANCE


Automating your Network with DNA Center


Network Changes for AutomationStandard Change:

• Automated Change Request• No Approval Required• Fully owned by Network Engg

team with minimal to zero downtime

Non-Standard Change

• Require Approval by Change Board

• May require service disruption• Co-ordination with Application

team during change window

Settings Update (Syslog, NTP)

Password Update

Port Settings, VLAN changes

New device/site deployment

Software Update

New service/Update service

Network Changes


Impediments to Automation• Organizational structures

Different groups

• Lack of internal standardsSnowflakes!

• Historye.g. ACL CLIs

• Standard vs.non-standard changes

Enterprise Network change

requests.

65% Standard changes

35% New

initiatives

12% New lab configurations

10% Hardware upgrades

21% ACL updates

7% Fleet standardizations

7% Feature configs: IP/Routing

4% Power shut-downs

8% Hardware upgrades

3% Feature configs: Security

2% ACL updates

15% Other

12% Other

© 2016 Cisco and/or its affiliates. All rights reserved. 17BRKNMS-1499

What are Standard Network Changes ??

AAA ConfigurationDNS/DHCP ServersNTP ServersSyslog Servers Netflow CollectorsSNMP/SSH/Telnet

Interfaces ConfigurationACL’sDial PlansVrfRouting ProtocolsTunnels/DMVPNSecurity/CryptoQOSAVC


Interfaces ConfigurationSpanning TreeVLANSecurity/CryptoQOSAVC


SSID’sRFSecurity/CryptoQOSAVC

Routers Switches WLC’s

Standard Changes :

o No Approval Requiredo Minimal to Zero Disruption

Non-Standard Changes :

o Requires Approvalo May require service

disruptiono May need co-ordination

with other teams (App,DCetc) during change window

17


Use Case:

• Adding a new Syslog (Ex: Splunk) in the network

• SoX requirements to update password every 6 months

AAA Server

Site1

North America

South America Site2

Africa

EMEAR

AAA Server

DNS Server

Syslog Server

Syslog Server

DHCP Server

Benefits:

• Repeated manual error prone tasks automated

• Eng get additional time to focus on design and deployment

• Standard change automation removes the lead time to make changes

Network Settings Update (Standard)DESIGN


Network Design

Deployment Standardization

Network Compliance

Before

During

After

Profile Based Deployment

§ Plan for the network deployment § Feature and Capabilities to be

enabled based on requirements§ Topology for network

deployment

§ Automated Day 0 Deployment§ Version management of Profile

for Day 2 Change Management

§ Configuration Compliance Validation against Profile

§ Remediation of Configuration to Golden Config

Network Deployment Consistency using Profile Driven Automation

Configuration ConsistencySimplified Network Deployment

Integrated IT Process Flows

DESIGN


Workflows are foundational to Automation!• Drive consistency into the architecture via design profiles for WAN and Campus

Both physical and virtual

Add Site Properties under Network Settings

Customize Network Settings and

Credentials per Sub Area or Site

Create sub pools for Services,

LAN, Management at sub area or

site

Select golden image for

NFVIS, virtual services

Open Design > Network Hierarchy

Add Areas and Buildings

Add or Import IP

Pools

Add SP Profile

Add appropriate images into repository

Add custom CLI configsSave and

associate Site

Select device, WAN and LAN settings, add

required virtual Services

Create WAN Profile

DESIGN


DNA Center automates the Deployment and Operations

• Plug-and-play

• Software / config / license management

• Ensuring that Hardware is not EoL(Cisco Active Advisor)

• Software Image management (SWIM)

PnP Agent

Runs on Cisco® switches, routers, and wireless APAutomates discovery and provisioning

PnP Server

Centralized serverAuto-provision device w/ images & configs.Northbound REST APIs

PnP Protocol

HTTPS/XML based Open schema protocol

Network PnP Application UI

IWAN App

Topology Discovery

REST API

PnP Service DNA Center Controller

PROVISION


BRKNMS-

Visualize Software Images

• For a given Device Family, view :All images Image VersionNumber of Devices using a particular image

• Image Repository to centrally store Software Images, VNF Images and Network Container Images

22


Manage Software Images

BRKN23

• Import Images/SMU from :Cisco.comURL(http/ftp)Local PCAnother managed network device

• Remote File ServerLocalized file server for software distributionFile server mapped to site hierarchy

PROVISION


Platform extensibility for building custom apps

API and Data Models across multiple stages in DNA Stack

Integrations with complimentary platforms *

Open Interfaces and Integrations

Firehose *

Connectors

Graph API

Contextual Search

Cisco Assets

Industry Integrations

Flexibility Accessibility Expansibility

* : roadmap post FCS


I N T E N T CONTEXT

S E C U R I T Y

L E A R N I N G

Powered by intent, informed by context.

THE NETWORK.INTUITIVE.


ip access-list extended APIC_EM-MM_STREAM-ACLremark citrix - Citrixpermit tcp any any eq 1494permit udp any any eq 1494permit tcp any any eq 2598permit udp any any eq 2598remark citrix-static - Citrix-Staticpermit tcp any any eq 1604permit udp any any eq 1604permit tcp any any range 2512 2513permit udp any any range 2512 2513remark pcoip - PCoIPpermit tcp any any eq 4172permit udp any any eq 4172permit tcp any any eq 5172permit udp any any eq 5172remark timbuktu - Timbuktupermit tcp any any eq 407permit udp any any eq 407remark xwindows - XWindowspermit tcp any any range 6000 6003remark vnc - VNCpermit tcp any any eq 5800permit udp any any eq 5800permit tcp any any range 5900 5901permit udp any any range 5900 5901exitip access-list extended APIC_EM-SIGNALING-ACLremark h323 - H.323permit tcp any any eq 1300permit udp any any eq 1300permit tcp any any range 1718 1720

26

Intent-Based Application PolicyLegacy QoS Policy


• Express Business Intent• Translate into device specific policy/configuration• Leverage Abstraction (the controller knows about the device specifics)• Automate the Deployment across the Network• Insure Fidelity to the Expressed Intent (keep everything in sync)

User policy based on user identity and user-to-group mapping

Employee (managed asset)

Employee (Registered BYOD)

Employee (Unknown BYOD)

ENG VDI System

PERMIT

PERMIT

DENY

DENY

DENY

DENY

DENY

PERMIT

PERMIT

PERMIT

PERMIT

PERMIT

Production Servers Development Servers Internet Access

Protected Assets

Sour

ce

De-coupling ofUser Identity and Topology

Much easier to translate business objectives to network functionality—Lowers TCO

AutomationController-Led

NetworkingDeployment

Evolution to a Policy Model

27

POLICY


Policy types

Access Policy↓

Authentication/Authorization

Group Assignment Based on

Authentication methods

Access Control Policy↓

Who can access what

Rules for x-group accessPermit group to app

Permit group to group

Application Policy↓

Traffic treatment

QoS for ApplicationPath Optimization

Application compressionApplication caching

DBTh

ThTh

✓

POLICY


1. Access Policies• Access to the network is governed by ISE

users

things

Auth

entic

ate

& Au

thor

ize

(AAA

) Groups & Policy

ISE

Network

Identity (e.g. Active Directory)

SIEM

Location

Behavior Analytics

pxGridCASB

Vulnerability

Scalable Groups

CredentialsPosture

Profiling

POLICY


2. Access Control Policies• Access Control (who can talk to who) is governed by DNA Center

Leverages ISE for group assignments

users

things

Auth

entic

ate

& Au

thor

ize

(AAA

) Groups & Policy

ISE DNA Center

Policy Authoring Workflows

Fabric Management

Network

POLICY


DNA Automation – Access Control Policy Authoring


Gaining Deep Insights with Assurance and Analytics


Source: 2016 Cisco Study

Traditional Networking CANNOT Keep Pace with the Demands of Digital Business

OpEx spent on Network Visibility and

Troubleshooting

75%

Policy Violations Due to Human Error

70%

Network Changes Performed Manually

95%

Main Operational Challenges


Make DataDriven Decisions

RevealHidden Patterns

Automation for FasterResults

Focus on Important Things

Business Value Propositions of Network Analytics


Collect relevant metrics

Architectural Requirement #1: InstrumentationASSURANCE


Categorize metrics by degrees of relevance

Architectural Requirement #2: On-Device AnalyticsASSURANCE


Upload critical metrics off the device to collector(s) (optimally via model-based streaming-telemetry)

Architectural Requirement #3: Telemetry

EMCollector

ASSURANCE


Provision long-term storage, retrieval and representation of network metrics and events

Architectural Requirement #4: Scalable StorageASSURANCE


Identify anomalies and trends

Architectural Requirement #5: Analytics EngineASSURANCE


Correlate all data points and permutations for cognitive and predictive analytics

Architectural Requirement #6: Machine LearningASSURANCE


Identify root cause of issues by contextually correlating data

Architectural Requirement #7: Guided Troubleshooting

EM

AnalyticsEngine

ASSURANCE


Present actionable insights to the operatorSolicit input to remediate the root cause

Present a self-remediation option

Architectural Requirement #8: Self-Remediation

EM

AnalyticsEngineEM

NetworkController

Do you want to take the recommended action?

Yes No

Do you want to take the recommended action?

Yes NoAlwaysAlways

ASSURANCE


I N T E N T CONTEXT

S E C U R I T Y

L E A R N I N G




DNA Software Capabilities

Cloud Service Management

Automation Analytics

Virtualization

DNA-Ready Physical and Virtual infrastructure

Security

Cisco DNA Architecture




Virtualization

Cisco DNA Architecture—Automation and Analytics

EM

NDP

NDP:Network Data Platform (Analytics Engine)EM

NCP

NCPNetwork Controller Platform

(Network Controller)




Virtualization

Cisco DNA Architecture—Automation and Analytics

EM

NDPNDP:Network Data Platform (Analytics Engine)

Abstractionlayer

Intent OutcomeDelivering the IntentAnalyzing the Outcome

within the Context of the expressed Intent

Assuring the Intent

EM

NCP

NCPNetwork Controller Platform

(Network Controller)


Cisco DNA Architecture—DNA Center

EM

NDP

DNA Center Appliance

EM

NCP

DNA Center User InterfaceA single pane of glass for Design, Policy, Provisioning, and Assurance


Cisco DNA Architecture—DNA Center: Assurance

å


I N T E N T CONTEXT

S E C U R I T Y

L E A R N I N G




Transforming the Network with Big Data Analytics

Data

Insight

Information

Action

Create value at the right timeExtract meaningful insights from data

Volume

Data size• TB per day• Streaming telemetry,

NetFlow, Syslog, SNMP, logs

Velocity

Data speed• Firehose• Streaming, low-latency

push/pull

Variety

Data forms• Structured, unstructured • Switch, router, AP,

IoT sensor, firewall, load balancer, DHCP, DNS

Veracity

Data trustworthiness• Quality, validity• Internal, partner, public

Analytics


EM

NDP

NetworkTelemetry

Contextual Data

Data Collection and Ingestion

FW LB WLC Sensor

AAA

DNS DHCP

LDAP TOPOLOGY

INVENTORY

LOCATION

POLICY

ITSM

ITFM

StreamingTelemetrySNMP NetFlow Syslog

Data Visualization and Action

Network Assurance netWorth

Collector and Analytics Pipeline SDK

...

Data Models and Restful APIs

Time Series Analysis

System Management Portal

Network Data Platform

Data Correlation and Analysis

Machine Learning in the Cloud

CEP (*) Correlation

CEP = Complex Event Processing

Network Data Platform (Internal) Architecture


NetFlow

AVC

DDI

ISE

Topology

Location

Device

NDPStream

Processing

Contextual Correlation Example

Source IP: 1.1.1.2

Dest IP: 2.2.2.2

Dest Port: 80

Dest IP: 3.2.2.2

Dest Port: 80

?

?

?

NetFlow


AVC

NetFlow

DDI

ISE

Topology

Location

Device

NDPStream

ProcessingSource IP: 1.1.1.2

Dest IP: 2.2.2.2

Dest Port: 80

Dest IP: 3.2.2.2

Dest Port: 80

AVC


?

?

?


AVC

NetFlow

DDI

ISE

Topology

Location

Device

NDPStream


Dest IP: 2.2.2.2

Dest Port: 80

Dest IP: 3.2.2.2

Dest Port: 80

AVC


DDI

?


AVC

NetFlow

DDI

ISE

Topology

Location

Device

NDPStream


Dest IP: 2.2.2.2

Dest Port: 80

Dest IP: 3.2.2.2

Dest Port: 80

AVC


DDI

User: George Baker

ISE

Group: Marketing


AVC

NetFlow

DDI

ISE

Topology

Location

Device

NDPStream


Dest IP: 2.2.2.2

Dest Port: 80

Dest IP: 3.2.2.2

Dest Port: 80

AVC


DDI

User: George Baker

ISE

Group: Marketing

Topology


AVC

NetFlow

DDI

ISE

Topology

Location

Device

NDPStream


Dest IP: 2.2.2.2

Dest Port: 80

Dest IP: 3.2.2.2

Dest Port: 80

AVC


DDI

User: George Baker

ISE

Group: Marketing

Topology

Location

Building 24 1st Floor


AVC

NetFlow

DDI

ISE

Topology

Location

Device

NDPStream


Dest IP: 2.2.2.2

Dest Port: 80

Dest IP: 3.2.2.2

Dest Port: 80

AVC


DDI

User: George Baker

ISE

Group: Marketing

Topology

Location

Building 24 1st FloorDevice

Client Density Problem Here...


I N T E N T CONTEXT

S E C U R I T Y

L E A R N I N G




What is Machine Learning?• Machine learning is an application of artificial intelligence (AI) that provides systems the ability to

automatically learn and improve from experience without being explicitly programmed to do so• The process of learning begins with observations of data, and looking for patterns within the data so as to

make increasingly better correlations, inferences and predictions• The primary aim is to allow these systems to learn automatically without human intervention or

assistance and adjust actions accordingly


Project KairosFor Wireless, Wired and IOT

Cognitive Analytics

Netflix

Acce

ss P

oint

s

Device Type

Internet Video

Facebook

Instagram

YouTube

Anomaly detection across hundred of thousands of devices, dozen of thousands of gears and hundreds

of heat mapsMachine Learning


Project KairosFor Wireless, Wired and IOT

Cognitive Analytics Anomaly detection

Identify and proactively adapt to a failure before it happens

Machine Learning

Predictive Analytics


Machine Learning Algorithms build their models using hundreds of inputs

APs

WAN

Local WLCs

Network Services DCOffice Site

ISE

DHCP

Mobile Clients

CUCM

APIC-EM

~

~

~

~

~

~

~

~~

~

~

~

RF & EDCA behavioral metrics,..

Queuing, Dropping, WRED behavioral metrics…

Device type, OS release, behavioral metrics, ...

WAN & corenetwork metrics ..

Application metrics, user feedback, failure rate, ...

... and more


I N T E N T CONTEXT

S E C U R I T Y

LEARNING



© 2016 Cisco and/or its affiliates. All rights reserved. 72Providing Security While Maintaining Privacy!

Encrypted Traffic

Non-Encrypted Traffic

Can we Actually Solve This?

How do you Analyze Metadata without decrypting traffic flows?

80%of organizations are

victims of malicious activity

41%Of attacks used encrypted traffic to evade detection


Encrypted Traffic Analytics

Encrypted traffic analytics from Cisco’s newest switches and routers

Security with Privacy

Analyze netflow metadata without decrypting traffic flows

Global-to-local knowledge correlation -99.99% threat detection accuracy


Summary


Key Takeaways

Profile Based Deployment simplifies Day 0 Deployment and Day 2 Change Management

Assurance must be outcomes driven and not problem based

Intent Driven Networking Starts with Policy

Automation must be thought holistically, as some of the simple tasks take the most amount of time


Automated Deployment

It’s a Journey!

Self-Driving AutomationPlug and Play,

Day 0 DeploymentConfigure once and deploy everywhere - SD-Access

Exists Today

ISE / AD NAE / PI

DNA Center

CampusFabric

SDA

Future

Closed Loop through Network Analytics and Machine Learning

Network Analytics Platform

DNA Center

BB

CampusFabric

SDA

APIC-EM

HTTPProxy

Internet

Admin

Installer

New

Step 1Network admin previsions devices in Cisco Network Plug and Play applications

Step 2Onsite installer with mobile app installs and powers on devices, triggers deployment, checks status

Step 3New devices contact Cisco Network Plug and Play application to get provisioned

Network admin can remotely monitor install status

Basic Advanced

One Point of Management: All from Cisco DNA Center

Consistent Across Network Fabric

Thank you.

enterprise networks - cisco digital network architecture - introducing the network intuitive

Technology