1. © 2017 Cisco and/or its affiliates. All rights reserved.
Cisco Digital Network Architecture – Deeper Dive, “From the Gates to the GUI”
Wade Crick, Customer Solutions Architect
January 2018
Cisco Connect – Your Time Is Now
2. Session Abstract
Cisco Digital Network Architecture – Deeper Dive, “From the Gates to the GUI”
Come to this session to learn how the latest advances in Cisco Enterprise silicon development – programmable, flexible ASIC (Application Specific Integrated Circuit) hardware, a key foundational element of Cisco's Digital Network Architecture portfolio – are driving industry innovations such as Cisco’s new Catalyst 9000 family of switches, as well as exciting new solutions such as ETA (Encrypted Traffic Analytics) and Software-Defined Access.
Attendees at this session will gain greater insight into how ASICs are designed and built, showcasing the advanced capabilities and functionality delivered by Cisco's latest switching silicon, UADP (Unified Access Data Plane), as well as the latest advancements in Cisco’s wireless silicon. Most importantly, this session shows the continuum of Cisco’s evolution – from the gates (silicon gates, that is) to the latest advanced GUIs that enable solutions such as SD-Access – allowing customers to move faster, innovate rapidly, and drive significant cost savings for their organizations.
Come to this session to “double-click” on how Cisco is revolutionizing the Enterprise network with DNA! This is the second of two sessions: an optional introduction to the principles of DNA, an exploration of the new DNA Center GUI, and the Automation and Assurance aspects of the Cisco Digital Network Architecture it supports are covered in the preceding companion session.
3. Agenda
• Industry Trends
• The Network Intuitive
• Cisco DNA and the Importance of Flexible Hardware
• The Evolution of the Application Specific Integrated Circuit
• DNA/Software Defined Access
• DNA Center
• Encrypted Traffic Analytics
• Catalyst 9000
• Summary, Q&A
4. We are going to try to cover from “The Gates to the GUI”
5. Innovation – The world’s 50 most innovative companies
#37: Cisco Systems
2017 patent grants: 967
2016 patent grants: 978
Source: 24/7 Wall St., Jan 12, 2018
6. From Innovations in Silicon and Software … to Innovations in Platforms and Solutions
7. And Why These
8. Cisco DNA and the Importance of Network Innovation
9. Enterprise Trends Driving Digital Transformation
• Mobility – 3.64 devices per person; a mobile world requires access to everything, everywhere
• Cloud – 100K devices per admin; agility and new consumption models
• IoT – 7.5B things connected; unmanned devices growing at a rapid pace
• Advanced Persistent Threats
10. The Need for Agility – Changing Enterprise Requirements
• 80% – time IT spends on operations
• 57% – CEOs are worried about IT strategy not supporting business growth
• Network expenses: 33% CAPEX, 67% OPEX
• Deployment speed (chart: seconds on a 0–10–100–1000 scale, computing vs. networking)
Sources: Forrester; Open Compute Project
11. Traditional Networks Cannot Meet the Demand
(Diagram: HQ, Branch A and a remote site connected over a WAN, each carrying VLAN 1–3 with per-site ACL 1–3)
• Users, Device and IoT Segmentation
• Enabling Seamless Mobility
• Secure Connectivity to the Cloud
• Setting Up End-to-End Security
12. (image only)
13. (image only)
14. Cisco Digital Network Architecture – Principles
Insights and experiences | Automation and assurance | Security and compliance
• Network-enabled applications – Cloud-enabled | Software-delivered
• Cloud service management – Policy | Orchestration
• Automation – Abstraction and policy control from core to edge
• Analytics – Network data, contextual insights
• Virtualization – Physical and virtual infrastructure | App hosting
• Open and programmable | Standards-based – Open APIs | Developers environment
15. The Network. Intuitive.
Intent-Based Network Infrastructure: Switching | Routers | Wireless
DNA Center: Policy | Automation | Analytics
Powered By Intent. Informed by Context.
DNA Center 1.1 General Availability – Software-Defined Access, Meraki Visibility, Extended Enterprise
16. Journey to Intent-based Networking
The Network. Intuitive. – Powered by intent. Informed by context. Based on Cisco’s DNA
• Digital-Ready Infrastructure – Secure foundation, Programmability, Virtualization
• Policy-Based Automation – Business Policy Translation, Segmentation
• Analytics & Assurance – Everything as a sensor, Telemetry, Historical & Real-time
• Machine Learning & AI – Policy Validation, Predictive, Self-healing
• Intent-based Networking – Constantly Learning, Constantly Adapting, Constantly Protecting
Markers on the slide: “We are here”; “Scaling (via Cloud)”
17. The Network Intuitive. – Moving From Manual to Automated
Exists Today (Basic) – Automated Deployment: Plug and Play, Day 0 Deployment
(Diagram: Admin, Installer, HTTP Proxy, Internet, DNA Center)
• Step 1 – Network admin pre-provisions devices in the Cisco Network Plug and Play application
• Step 2 – Onsite installer with mobile app installs and powers on devices, triggers deployment, checks status
• Step 3 – New devices contact the Cisco Network Plug and Play application to get provisioned; the network admin can remotely monitor install status
New (Advanced) – One Point of Management, all from Cisco DNA Center: configure once and deploy everywhere (SD-Access); consistent across the Campus Fabric
Future – Self-Driving Automation: closed loop through network analytics and machine learning
18. Quality of Service – Intuitive?
19. EasyQoS Operation
Network Operators express high-level business intent to the EasyQoS app; the Network Controller’s southbound APIs translate that intent into platform-specific configurations.
Platform queuing models on the slide (PEP = policy enforcement point):
• Wireless AP – Trust Boundary, PEP, 4Q (WMM)
• Catalyst 2960-X – Trust Boundary, PEP, 1P3Q3T
• Catalyst 3650 – Trust Boundary, PEP, 2P6Q3T
• Catalyst 4500 – 1P7Q1T
• Catalyst 6500 – 1P3Q4T, 1P7Q4T, 2P6Q4T, …
• Nexus 7700 – F3: 1P7Q1T
• WLC – PEP
• ASR/ISRs – MQC
20. EasyQoS Results
EasyQoS, via the Network Controller, seamlessly interconnects all types of hardware and software queuing models to achieve consistent and compatible end-to-end treatment, aligned with the expressed business intent.
21. The resulting device configuration (excerpt):
ip access-list extended APIC_EM-MM_STREAM-ACL
remark citrix - Citrix
permit tcp any any eq 1494
permit udp any any eq 1494
permit tcp any any eq 2598
permit udp any any eq 2598
remark citrix-static - Citrix-Static
permit tcp any any eq 1604
permit udp any any eq 1604
permit tcp any any range 2512 2513
permit udp any any range 2512 2513
remark pcoip - PCoIP
permit tcp any any eq 4172
permit udp any any eq 4172
permit tcp any any eq 5172
permit udp any any eq 5172
remark timbuktu - Timbuktu
permit tcp any any eq 407
permit udp any any eq 407
remark xwindows - XWindows
permit tcp any any range 6000 6003
remark vnc - VNC
permit tcp any any eq 5800
permit udp any any eq 5800
permit tcp any any range 5900 5901
permit udp any any range 5900 5901
exit
ip access-list extended APIC_EM-SIGNALING-ACL
remark h323 - H.323
permit tcp any any eq 1300
permit udp any any eq 1300
permit tcp any any range 1718 1720
Your Choice …
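The access lists above are what the controller pushes on your behalf; reviewing them by hand gets tedious quickly. The following is an added example (not code from the deck or from any Cisco tool) that parses this IOS extended-ACL format into rules, answers "which class would this flow land in?" with the same first-match semantics the device uses, and flags ports that two ACLs both claim. ACL_TEXT is a subset of the slide's own lines; the flows checked at the bottom are constructed.

```python
"""Parse an IOS extended-ACL excerpt of the kind EasyQoS emits and classify
sample flows against it. Added example, not from the deck or any Cisco tool;
ACL_TEXT is a subset of the slide's lines, and the flows checked at the bottom
are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

ACL_TEXT = """\
ip access-list extended APIC_EM-MM_STREAM-ACL
 remark citrix - Citrix
 permit tcp any any eq 1494
 permit udp any any eq 1494
 remark citrix-static - Citrix-Static
 permit tcp any any range 2512 2513
 remark vnc - VNC
 permit tcp any any range 5900 5901
 exit
ip access-list extended APIC_EM-SIGNALING-ACL
 remark h323 - H.323
 permit tcp any any eq 1300
 permit udp any any range 1718 1720
"""

@dataclass
class Rule:
    acl: str       # access-list the entry belongs to
    app: str       # label from the most recent 'remark' line
    proto: str     # tcp or udp
    lo: int        # lowest destination port matched
    hi: int        # highest destination port matched

    def matches(self, proto: str, dport: int) -> bool:
        return proto == self.proto and self.lo <= dport <= self.hi

ACL_RE = re.compile(r"^ip access-list extended (\S+)$")
REMARK_RE = re.compile(r"^remark (\S+)")
# Only the 'any any' destination-port forms that appear on the slide are handled.
PERMIT_RE = re.compile(r"^permit (tcp|udp) any any (?:eq (\d+)|range (\d+) (\d+))$")

def parse_acls(text: str) -> list:
    rules, acl, app = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := ACL_RE.match(line):
            acl, app = m.group(1), ""
        elif line == "exit":
            acl = None
        elif acl is None:
            raise ValueError(f"entry outside an access-list: {line!r}")
        elif m := REMARK_RE.match(line):
            app = m.group(1)
        elif m := PERMIT_RE.match(line):
            proto, eq, lo, hi = m.groups()
            lo, hi = (int(eq), int(eq)) if eq else (int(lo), int(hi))
            rules.append(Rule(acl, app, proto, lo, hi))
        else:
            raise ValueError(f"unsupported entry in {acl}: {line!r}")
    return rules

def classify(rules, proto: str, dport: int) -> Optional[tuple]:
    """First matching entry wins, as on the device: returns (acl, app) or None."""
    for r in rules:
        if r.matches(proto, dport):
            return r.acl, r.app
    return None

def shadowed_ports(rules) -> list:
    """Pairs of entries in different ACLs that match the same (proto, port):
    if both ACLs feed one policy, only the class evaluated first will ever see it."""
    out = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a.acl != b.acl and a.proto == b.proto and a.lo <= b.hi and b.lo <= a.hi:
                out.append((a, b))
    return out

if __name__ == "__main__":
    rules = parse_acls(ACL_TEXT)
    for proto, port in [("tcp", 1494), ("udp", 1719), ("tcp", 5902)]:
        print(proto, port, "->", classify(rules, proto, port))
```

The parser deliberately rejects any entry form it does not understand rather than skipping it, so a generated ACL that uses source ports, specific hosts or deny entries fails loudly instead of being silently misclassified.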
22. Cisco DNA and the Importance of Flexible Hardware
23. “ASICs are a pillar of Cisco innovation …”
David Goeckeler, Cisco SVP, Security and Networking – EISG Architecture Team, Cisco Live Las Vegas 2016
24. Logic Design Choices
• General Purpose CPU
• Field Programmable Gate Arrays
• Application Specific Integrated Circuits
• System on Chip
• Graphics Processing Unit
25. How is an ASIC built?
26. It all starts with the Transistor
• The first bipolar junction transistors were invented at Bell Labs in 1948.
• Transistors can be an amplifier (linear-region operation) or a switch (saturation-region operation).
• In switch mode, +VCC = 1 and Gnd = 0 for binary operations.
27. An example of a Transistor AND Gate
Fairchild DM7408 Quad 2-Input AND Gates (schematic and truth table shown on the slide)
28. An example of a Transistor NAND Gate
29. We are talking transistors … and how many we can pack in an ASIC die …
“The number of transistors incorporated into a chip will approximately double every 18–24 months …” – “Moore’s Law”, 1975
Transistor width is measured in nanometers (a nanometer is one billionth of a meter).
• TSMC currently plans to start manufacturing 7nm chips in 2018.
• “This past September, we announced our plan for the world's first 3-nanometer fab located in the Tainan science park. This fab could cost upwards of $20 billion and represents TSMC's commitment to drive technology forward,” – TSMC executive Mark Liu.
• NVIDIA TITAN V GPU is fabricated on TSMC’s 12 nm FFN (FinFET NVIDIA) process: 21.1 billion transistors.
• Apple iPhone X: 10nm
30. ASICs – From Definition to Deployment
Then, it starts with coding … in Verilog or VHDL.
Synthesis process: converts the code into logical gate constructs (a netlist).
31.
• Discrete transistor → MOSFET (metal oxide semiconductor field effect transistor), mostly used at 22nm and above → FinFET (Fin Field Effect Transistor, “3D”); Intel in 2012 used 22 nm in Ivy Bridge processors
• Universal gates: NAND gate, NOR gate … which can be used to build any of the other logic gates … AND gate, OR gate, NOT gate, XOR gate, XNOR gate
• … which, when we put millions of them together on a silicon die (silicon wafer), produce a chip!
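The “universal gate” claim above is easy to check in software. The following is an added example, not part of the deck: every other gate is built from NAND alone, each construction is verified against a reference truth table, and the number of NAND evaluations per construction is counted as a stand-in for gate count.

```python
"""Build the other logic gates from NAND alone and check them against truth
tables. Added example to illustrate the 'universal gate' claim; not part of the
deck. Gate counts are for these particular constructions."""

_nand_calls = 0   # counts NAND evaluations, a stand-in for gate count

def nand(a: int, b: int) -> int:
    global _nand_calls
    _nand_calls += 1
    return 0 if (a and b) else 1

def not_(a):
    return nand(a, a)

def and_(a, b):
    return not_(nand(a, b))

def or_(a, b):
    return nand(not_(a), not_(b))

def nor(a, b):
    return not_(or_(a, b))

def xor(a, b):
    t = nand(a, b)                      # shared intermediate term
    return nand(nand(a, t), nand(b, t))

def xnor(a, b):
    return not_(xor(a, b))

# Expected behaviour, taken from Python's own operators.
REFERENCE = {
    "NOT": lambda a, b: 1 - a,
    "AND": lambda a, b: a & b,
    "OR": lambda a, b: a | b,
    "XOR": lambda a, b: a ^ b,
    "NOR": lambda a, b: 1 - (a | b),
    "XNOR": lambda a, b: 1 - (a ^ b),
}
BUILT = {"NOT": lambda a, b: not_(a), "AND": and_, "OR": or_,
         "XOR": xor, "NOR": nor, "XNOR": xnor}

def truth_table(gate) -> dict:
    return {(a, b): gate(a, b) for a in (0, 1) for b in (0, 1)}

def verify_all() -> dict:
    """{gate_name: True/False}: does the NAND-only construction match the reference?"""
    return {name: truth_table(BUILT[name]) == truth_table(REFERENCE[name]) for name in BUILT}

def nand_count(name: str) -> int:
    """Number of NAND gates evaluated for one input combination of the named gate."""
    global _nand_calls
    _nand_calls = 0
    BUILT[name](0, 0)
    return _nand_calls

if __name__ == "__main__":
    for name, ok in verify_all().items():
        print(f"{name:4s} matches={ok} NAND gates={nand_count(name)}")
```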
32. And we have an ASIC…
33. Why Does Cisco Develop Our Own Silicon?
• Simpler Deployment Options
• Better Insight and Optimization
• Increased Security
• Most Appropriate Scalability
• Flexibility and Investment Protection via Programmability
34. Cisco Investments
• Cisco spent US$1.567 Billion last quarter (Q2, FY2018) on R&D, some of which was on custom ASICs.
• The vast majority of Cisco products include custom ASICs.
• Custom ASICs in: Catalyst 3000, 9000; Nexus 5000, 7000, 9000; ISR, ASR 1000 (Quantum Flow Processor); Wireless; …
35. UADP 2.0 – Next Generation of ASIC Innovation
7.46B transistors, 28nm technology
Features on the slide: Up to 32MB Packet Buffer; Up to 64K x2 Netflow Records; Embedded Microcontrollers; Shared Lookup; Up to 240GE Bandwidth; 384K Flex Counters; Up to 2X to 4X Forwarding + TCAM; Flexible Pipeline; Recirculation (tunneling – GRE, VXLAN, etc.)
Benefits on the slide: Universal Deployments; Adaptable Tables; Enhanced Scale/Buffering; Multicore resource share; Investment Protection; Mobile Ready; Security/TrustSec/MACsec; Enhanced Netflow; Programmable; High Performance
36. Traditional Fixed ASIC Processing Pipeline
Traditionally the ASIC processing pipeline is FIXED (e.g. IPv4, IPv6) …
37. Traditional Fixed ASIC Processing Pipeline
… and has challenges handling NEW PROTOCOLS (e.g. MPLS) …
38. Unified Access Data Plane – Processing Pipeline
Cisco’s UADP ASIC delivers FLEXIBILITY … a flexible, programmable processing pipeline: Flex Parser → Stage 1, Stage 2, Stage 3 … Stage n → Flex Rewrite, with Flex Counters throughout, handling IPv4, IPv6, GRE, VXLAN, MPLS …
If IPv7 were invented tomorrow … we could probably handle it via the Programmable Pipeline!
39. So where can Flexible ASICs help us?
40. DNA Flexible Infrastructure – Programmable ASIC Silicon
41. ASIC Evolution – Over Time
• Catalyst 3550, circa 2003 – 60M transistors, 47,226 lines of code
• Catalyst 3750, circa 2008 – 210M transistors, 86,220 lines of code
• Catalyst 3850, circa 2013 – UADP 1.0: 1.3B transistors; UADP 1.1: 3.0B transistors; 1,490,000 lines of code
• Catalyst 9300 / 9400 / 9500, 2017 (New!) – UADP 2.0: 7.46B transistors! 2,160,000 lines of code
All Cisco-developed silicon, driving the benefits of vertical integration – hardware and software working together! Just like some other famous examples …
42. What does all of this mean for me?
43. Cisco Programmable Hardware equals FLEXIBILITY and ADAPTABILITY
Enabling Network Evolution – a critical requirement for DNA
44. Cisco Digital Network Architecture – How DNA Center embraces the Cisco DNA Principles
Insights and experiences | Automation and assurance | Security and compliance
• Network-enabled applications – Cloud-enabled | Software-delivered
• Cloud service management – Policy | Orchestration
• Automation – Abstraction and policy control from core to edge
• Analytics – Network data, contextual insights
• Virtualization – Physical and virtual infrastructure | App hosting
• Open and programmable | Standards-based – Open APIs | Developers environment
DNA Center: APIC-EM, ISE, Analytics & Assurance
45. June 2017 – What we announced:
• DNA Center – built-in expertise to manage and deploy end-to-end network services with central management
• DNA Analytics & Assurance – analytics collects data from users, devices, and applications and uses machine learning to proactively identify problems
• Software-Defined Access – dynamically adapt to changing needs with policy-based management of the network fabric
• Enhanced Network as a Sensor – uncover threats hidden in encrypted traffic without decryption
• Catalyst 9000 Series Switches – first infrastructure devices purposely designed for DNA
Software Subscription Licensing | DNA Advisory, Technical, Support Services
46. (image only)
47. (image only)
48. (image only)
49. Software-Defined Access
Industry’s first policy-based automation from the edge to the cloud
• Single Network Fabric – enable a consistent user experience anywhere without compromising on security
• Automate User Access Policy – apply the right policies for user or device to any application across the network
• End-to-End Segmentation – keep user, device and application traffic separate without redesigning the network
Common user policy for the branch, campus, WAN and cloud
50. (image only)
51. (image only)
52. Software Defined Access (SD-Access) – Bringing Everything Together
Controller-based Management (DNA Center) | Programmable Overlay | Simplified L3 Underlay
53. Key Components of SD-Access
1. Control Plane based on LISP
2. Data-Plane based on VXLAN
3. Policy-Plane based on TrustSec
Key Differences
• L2 + L3 Overlay -vs- L2 or L3 Only
• Host Mobility with Anycast Gateway
• Adds VRF + SGT into Data-Plane
• Virtual Tunnel Endpoints (No Static)
• No Topology Limitations (Basic IP)
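“Adds VRF + SGT into Data-Plane” means the VXLAN header itself carries the virtual network (the VNI, which selects the VRF) and the TrustSec Scalable Group Tag of the source. The following added example, not code from the deck or from Cisco, encodes and decodes that header using the field layout of the VXLAN Group Policy Option draft (draft-smith-vxlan-group-policy) and then shows the group-based decision a fabric edge can make at egress because the tag travelled with the packet. The VNI and SGT numbers, the virtual-network names and the policy table are constructed.

```python
"""Encode and decode the VXLAN-GPO header that SD-Access uses to carry the
virtual network (VNI, selecting the VRF) and the TrustSec SGT in the data
plane, then apply a group-based policy at egress. Added example, not the
deck's or Cisco's code; field layout per draft-smith-vxlan-group-policy.
VNI/SGT numbers, VN names and the policy table are constructed."""
import struct

FLAG_G = 0x80   # byte 0: Group Policy ID field is valid
FLAG_I = 0x08   # byte 0: VNI field is valid (RFC 7348 VXLAN)
FLAG_A = 0x08   # byte 1: policy already Applied by an earlier hop

def encode_vxlan_gpo(vni: int, sgt: int, applied: bool = False) -> bytes:
    """8-byte header: flags, policy flags, 16-bit Group Policy ID (SGT), 24-bit VNI, 8 reserved bits."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is a 24-bit field")
    if not 0 <= sgt < (1 << 16):
        raise ValueError("SGT is a 16-bit field")
    return struct.pack("!BBHI", FLAG_G | FLAG_I, FLAG_A if applied else 0, sgt, vni << 8)

def decode_vxlan_gpo(frame: bytes) -> dict:
    """Split a VXLAN-GPO frame into its fields; payload is the encapsulated Ethernet frame."""
    if len(frame) < 8:
        raise ValueError("truncated VXLAN header")
    f0, f1, gpid, vni_res = struct.unpack("!BBHI", frame[:8])
    if not f0 & FLAG_I:
        raise ValueError("I flag clear: VNI not valid")
    return {"vni": vni_res >> 8,
            "sgt": gpid if f0 & FLAG_G else None,   # no G flag: plain VXLAN, no SGT
            "policy_applied": bool(f1 & FLAG_A),
            "payload": frame[8:]}

# Constructed SD-Access style tables: VNI -> virtual network, (src SGT, dst SGT) -> action.
VIRTUAL_NETWORKS = {4099: "Campus_VN", 4100: "Guest_VN"}
SGACL = {(10, 30): "permit",    # Employees -> Servers
         (20, 30): "deny",      # Contractors -> Servers
         (10, 10): "permit"}    # Employees -> Employees
DEFAULT_ACTION = "deny"          # constructed default; a real deployment chooses its own

def egress_decision(frame: bytes, dst_sgt: int) -> tuple:
    """What a fabric edge does with a decapsulated frame destined to a host in dst_sgt."""
    h = decode_vxlan_gpo(frame)
    vn = VIRTUAL_NETWORKS.get(h["vni"], "unknown-VN")
    if h["policy_applied"]:          # enforced by an earlier hop, do not re-evaluate
        return vn, "permit"
    if h["sgt"] is None:             # no group information carried: fall back to default
        return vn, DEFAULT_ACTION
    return vn, SGACL.get((h["sgt"], dst_sgt), DEFAULT_ACTION)

if __name__ == "__main__":
    hdr = encode_vxlan_gpo(4099, 10)
    print(hdr.hex(), decode_vxlan_gpo(hdr), egress_decision(hdr, 30))
```

Because the tag is in the header rather than derived from the source IP, the egress decision stays correct when a host roams to another edge node (the "host mobility" point above); the same header with the A bit set tells the receiver the policy was already applied upstream.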
54. SD-Access Roles & Terminology
• DNA Controller (DNA Center) – Enterprise SDN Controller provides GUI management and abstraction via multiple Service Apps that share information (APIC-EM, ISE, NDP)
• Identity Services – External ID Systems (e.g. ISE) are leveraged for dynamic User or Device to Group mapping and Policy definition
• Analytics Engine – External Data Collectors (e.g. NDP) are leveraged to analyze User or Device to App flows and monitor fabric status
• Control-Plane Nodes (C) – Map System that manages Endpoint ID to Device relationships
• Fabric Border Nodes (B) – A Fabric device (e.g. Core) that connects External L3 network(s) to the SDA Fabric
• Fabric Edge Nodes – A Fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SDA Fabric
• Fabric Wireless LAN Controller – A Fabric device (WLC) that connects Wireless Endpoints to the SDA Fabric
• Intermediate Nodes (Underlay)
55. SD-Access Support – A single fabric for your digital ready network
Switching: Catalyst 9300, Catalyst 9400, Catalyst 9500; Catalyst 3850 and 3650; Catalyst 4500E; Catalyst 6K; Nexus 7700; Subtended – Catalyst Digital Building, Catalyst 3560-CX, IE Switches** (2K/3K/4K/5K)
Wireless: AIR-CT3504, AIR-CT5520, AIR-CT8540; Wave 2 APs (1800, 2800, 3800); Wave 1 APs* (1700, 2700, 3700)
Routing: ASR-1000-X, ASR-1000-HX, ISR 4430, ISR 4450, ISR 4351, ISR 4331, CSRv, ENCS 5400**
* with caveats; ** future
56. DNA Center: Design, Policy, Provision, Assurance – A better way to manage your network
• Design, provision, automate policy and assure services from one place – logical workflow to design, provision, set policy; respond to changes faster
• Monitor end-to-end network performance – predict and act on problems before they happen; pinpoint problems faster
• Reduce downtime with an end-to-end view instead of hop by hop
• Manage hardware and software lifecycles – keep up to date, meet compliance and plan for refresh
57. Design (Design | Provision | Policy | Assurance)
• Select Areas, Buildings, Floors
• Configure Network Settings
• Set IP Address Pools
58. Provision (Design | Provision | Policy | Assurance)
• Assign Devices to Locations
• Provision Network Fabric
• On-board Hosts
59. Policy (Design | Provision | Policy | Assurance)
• Create Virtual Networks
• Register End Point Types
• Administer Context-Based Policy
60. Assurance (Design | Provision | Policy | Assurance)
• Network and Device Performance
• Client Access, Connectivity, Monitoring and Troubleshooting
• Application Experience Monitoring & Acceleration
61. Encrypted Traffic Analytics – Security with Privacy
• Analyze NetFlow metadata without decrypting traffic flows
• Global-to-local knowledge correlation – 99.99% threat detection accuracy
• Encrypted traffic analytics from Cisco’s newest switches and routers
62. Enhanced Network as a Sensor
Encrypted Traffic | Non-Encrypted Traffic
Secure and manage your digital network in real time, all the time, everywhere
Industry’s first network with the ability to find threats in encrypted traffic without decryption
Avoid, stop, or mitigate threats faster than ever before | Real-time flow analysis for better visibility
63. C97-739122-02 – A closer look at the science behind ETA
64. Encrypted traffic – mining usable information
Example connections on the slide: https://1.2.3.4, https://123.123.123.123, https://234.234.234.234, https://22.33.44.55, https://21.21.21.21
• TLS session properties – we can see the TLS session properties
• Channel behavior – we can see the channel behavior
• Domain identity (often) – we (often) know the server
65. The initial data packet
• The HTTPS header contains several information-rich fields.
• The server name provides domain information.
• Crypto information educates us on client and server behavior and application identity.
• Certificate information is similar to whois information for a domain.
• And much more can be understood when we combine the information with global data.
Initial data packet layout on the slide: IP Header → TCP Header → TLS Header (TLS version, SNI (Server Name), Ciphersuites) → Certificate (Organization, Issuer, Issued, Expires)
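Everything the slide lists for the initial data packet sits in cleartext in the TLS ClientHello, before any key exchange. The following added example (not code from the deck or from Cisco ETA) parses a ClientHello record into exactly those fields: record and client version, SNI, offered cipher suites and the supported_versions extension, and then applies the kind of “cryptographic compliance” check the later slides mention by flagging legacy suites. The ClientHello is constructed in-line so the parser runs offline; the hostname, the cipher-suite list and the notion that RC4/3DES suites are non-compliant are assumptions for the example, not ETA's rules.

```python
"""Extract the ETA 'initial data packet' fields from a TLS ClientHello.

Added example, not code from the deck or from Cisco ETA. The ClientHello
is constructed below so the parser can run offline; the hostname, the suite
list and the LEGACY_SUITES set are illustrative choices."""
import struct

# IANA cipher-suite codes, used only to label the output.
SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}
LEGACY_SUITES = {0x000A, 0x0005}   # RC4 / 3DES: what a compliance check would flag

def build_client_hello(sni: str, suites: list, versions: list) -> bytes:
    """Constructed test input: a minimal TLS 1.2-style ClientHello record."""
    name = struct.pack("!BH", 0, len(sni)) + sni.encode()          # host_name entry
    ext_sni = struct.pack("!HH", 0x0000, len(name) + 2) + struct.pack("!H", len(name)) + name
    vers = b"".join(struct.pack("!H", v) for v in versions)
    ext_versions = struct.pack("!HHB", 0x002B, len(vers) + 1, len(vers)) + vers
    extensions = ext_sni + ext_versions
    body = (struct.pack("!H", 0x0303)                                 # client_version TLS 1.2
            + bytes(32)                                               # random (zeros, constructed)
            + b"\x00"                                                 # empty session_id
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00"                                             # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return struct.pack("!BHH", 0x16, 0x0301, len(handshake)) + handshake

def parse_client_hello(record: bytes) -> dict:
    """Return the fields visible without decryption: versions, SNI, offered suites."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    client_ver = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                    # skip random
    pos += 1 + body[pos]                            # skip session_id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    pos += n
    pos += 1 + body[pos]                            # skip compression methods
    info = {"record_version": rec_ver, "client_version": client_ver,
            "cipher_suites": suites, "sni": None, "supported_versions": []}
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0x0000:                     # server_name: list_len(2) type(1) len(2) name
                name_len = struct.unpack("!H", data[3:5])[0]
                info["sni"] = data[5:5 + name_len].decode("ascii", "replace")
            elif etype == 0x002B:                   # supported_versions: len(1) + 2-byte versions
                info["supported_versions"] = [struct.unpack("!H", data[i:i + 2])[0]
                                              for i in range(1, 1 + data[0], 2)]
    return info

def legacy_suites_offered(info: dict) -> list:
    """Names of offered suites that a compliance policy would flag (illustrative set)."""
    return [SUITE_NAMES.get(s, hex(s)) for s in info["cipher_suites"] if s in LEGACY_SUITES]

# Constructed sample: a client offering TLS 1.3 suites plus one legacy 3DES suite.
SAMPLE = build_client_hello("update.example.test", [0x1301, 0xC02F, 0x000A], [0x0304, 0x0303])

if __name__ == "__main__":
    info = parse_client_hello(SAMPLE)
    print(info, legacy_suites_offered(info))
```

Note that the slide's certificate fields (organization, issuer, validity) come from the server's reply in TLS 1.2 and are encrypted in TLS 1.3, which is why the ClientHello-side fields shown here carry more of the weight as TLS 1.3 adoption grows.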
66. Sequence of packet lengths and times
(Plot on the slide: packet lengths over time from flow start)
• Size and timing of the first packets allow us to estimate the type of data inside the encrypted channel.
• We can distinguish video, web, API calls, voice, and other data types from one another and characterize the source within the class.
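The feature the slide describes is usually abbreviated SPLT: the signed lengths and inter-arrival times of the first packets of a flow. The following added example, not code from the deck or from Cisco, computes that sequence from constructed flow records and turns it into a fixed-size summary (byte ratio, mean inter-arrival time and a transition matrix over 150-byte length bins). The two flows are constructed to look like a web fetch and a voice call; the binning and matrix are one common way to make the sequence comparable across flows and are not claimed to be ETA's implementation.

```python
"""Sequence of Packet Lengths and Times (SPLT) from constructed flow records.
Added example, not the deck's or Cisco's code. Each packet is
(timestamp_s, direction, bytes) with direction +1 client->server and
-1 server->client. The binning and transition-matrix summary are one common
way to get a fixed-size feature and are not claimed to be ETA's implementation."""

N_PACKETS = 10                 # how many packets from the flow start are kept
N_BINS = 10                    # length bins of 150 bytes each, covering 0..1500
BIN_WIDTH = 1500 // N_BINS

# Constructed sample flows.
WEB_FLOW = [(0.000, +1, 517), (0.030, -1, 1460), (0.031, -1, 1460),
            (0.032, -1, 1460), (0.033, -1, 820), (0.040, +1, 120)]
VOICE_FLOW = [(0.010 * i, +1 if i % 2 == 0 else -1, 200) for i in range(8)]

def splt(packets, n: int = N_PACKETS):
    """(signed_lengths, inter_arrival_ms) for the first n packets, in time order."""
    pk = sorted(packets)[:n]
    lengths = [direction * size for (_, direction, size) in pk]
    times = [round((pk[i][0] - pk[i - 1][0]) * 1000, 3) for i in range(1, len(pk))]
    return lengths, times

def length_bin(length: int) -> int:
    return min(abs(length) // BIN_WIDTH, N_BINS - 1)

def transition_matrix(lengths) -> list:
    """Row-normalised N_BINS x N_BINS matrix: P(next packet in bin j | this one in bin i)."""
    m = [[0.0] * N_BINS for _ in range(N_BINS)]
    for a, b in zip(lengths, lengths[1:]):
        m[length_bin(a)][length_bin(b)] += 1
    for row in m:
        total = sum(row)
        if total:
            for j in range(N_BINS):
                row[j] /= total
    return m

def summarize(packets) -> dict:
    """Scalar features a classifier would consume alongside the SPLT vectors."""
    lengths, times = splt(packets)
    up = sum(l for l in lengths if l > 0)
    down = -sum(l for l in lengths if l < 0)
    return {"splt_lengths": lengths,
            "splt_times_ms": times,
            "down_up_ratio": round(down / up, 2) if up else float("inf"),
            "mean_iat_ms": round(sum(times) / len(times), 3) if times else 0.0}

if __name__ == "__main__":
    for name, flow in (("web", WEB_FLOW), ("voice", VOICE_FLOW)):
        print(name, summarize(flow))
```

The web-like flow shows a small request followed by a burst of full-size responses (high down/up ratio, very short gaps inside the burst); the voice-like flow is symmetric with a constant cadence. Those shapes are what let the class of traffic be estimated without looking inside the ciphertext.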
67. Cisco’s threat intelligence map
Image: http://census2012.sourceforge.net/images.html
• Who’s who of the internet’s dark side
• Models use up to 20 features of 150 million malicious, risky, or otherwise security-relevant endpoints on the internet.
• These data features include domain data, whois data, TLS certificate data, usage statistics, and behavioral data for each server.
68. Finding malicious activity in encrypted traffic
New Catalyst® 9000* → Enhanced NetFlow metadata (telemetry for encrypted malware detection and cryptographic compliance) → Cisco Stealthwatch® → Cognitive Analytics (malware detection and cryptographic compliance)
* ISR, ASR are supported
• Leveraged network – Enhanced NetFlow from Cisco’s newest switches and routers
• Faster investigation – Enhanced analytics and machine learning
• Higher precision – Global-to-local knowledge correlation
• Stronger protection – Continuous enterprise-wide compliance
69. Cisco Catalyst 9000: The platform for the new era
First in enterprise
• x86 CPU with application hosting
• Programmable ASIC
• Software patching
Future-Proofed
• IEEE 802.11ax ready
• 100W PoE (IEEE 802.3bt) ready
• 25G Ethernet ready
Industry’s unmatched
• High availability
• Multigigabit density
• UPOE scale
SD-Access integrated | Converged ASIC (UADP 2.0) | Single image (Cisco IOS® XE Software) | Common licensing
Security | IoT convergence | Cloud | Mobility
70. Kanata R&D Team – 3rd largest Cisco engineering site worldwide
71. Catalyst 9000 – CRN's 2017 Products Of The Year
72. SDA – Show me the money
73. Summary – Innovation Across the Network. Intuitive.
74. Cisco Innovations – In Hardware, Software, and Solutions – Tie It All Together
“From the Gates – to the GUI”
From the Hardware … to the Software and Protocols, with Integrated Security … to the Whole Solution …
Innovation All The Way Up the Stack: Hardware, Software, and Solutions