Enterprise Networks - Cisco Digital Network Architecture - Introducing the Network Intuitive

© 2016 Cisco and/or its affiliates. All rights reserved. 1
Enterprise Networks - Cisco Digital
Network Architecture - Introducing
the Network Intuitive
Tammy Getschel
Channel Systems Engineer
Jan 2018
Cisco
Connect

Agenda
• It’s a Digital World!
• Automating your network with DNA Center
• Gaining Deep Insights with Assurance and Analytics
• Summary
2

3© 2016 Cisco and/or its affiliates. All rights reserved.
It’s a digital world!

What is the Risk of Digital Disruption?
• According to the Global Center for Digital Transformation in a survey of
941 companies:
of today’s Top-10 incumbents
(in terms of market share)
will be digitally disrupted
within the next 5 years
https://www.imd.org/uupload/IMD.WebSite/DBT/Digital_Vortex_06182015.pdf
http://www.economist.com/news/business/21647317-messaging-services-are-rapidly-growing-beyond-online-chat-message-medium
40%
in 5

Why Transform Digitally?
• According to Harvard Business Review, companies that master
digital transformation generate:
more revenue than their industry peers, and
more profits than their industry peers
https://hbr.org/product/leading-digital-turning-technology-into-business-transformation/17
9%
26%

UPS My Choice
Delivery Control
Personalized Service
Customer Experience
Physical and Virtual
RFID Content
Workforce Efficiency
WIP Inventory and
Part Tracking
American Express
Personalized Service
Through Mobile
Starbucks Apps
Order Ahead
Skip the Line
6
Digital Transformation is Moving IT to the Boardroom
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 6TECCRS-2700

Cisco Enterprise Networking Vision
Transform our customers’ businesses
through powerful yet simple networks.

Digital Business Demands Application Agility
“…While other components of the IT infrastructure have become more
programmable and allow for faster, automated provisioning, installing
network circuits is still a painstakingly manual process...”
— Andrew Lerner, Gartner Research

Agility Requires Faster Network Provisioning
Source: Forrester Source: Open Compute Project
Time IT spends on operations80% CEOs are worried about IT strategy
not supporting business growth57%
Network Expenses
Deployment Speed
0 10 100 1000
Computing Networking
Seconds
0
100%
CAPEX OPEX
33%
67%

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Key Challenges for Traditional Networks
Slower Issue ResolutionComplex to ManageDifficult to Segment
Ever increasing number of
users and endpoint types
Ever increasing number of
VLANs and IP Subnets
Multiple steps,
user credentials, complex
interactions
Multiple touch-points
Separate user policies for
wired and wireless networks
Unable to find users
when troubleshooting
Traditional Networks Cannot Keep Up!
Key Challenges for Traditional Networks

Digital Network Architecture (DNA)
Open and Programmable | Standards-based
Open APIs | Developers Environment
Cloud Service Management
Policy | Orchestration
Virtualization
Physical and Virtual Infrastructure | App Hosting
Insights &
Experiences
Network-enabled Applications
Cloud-enabled | Software-delivered
Automation
& Assurance
Security &
Compliance
Principles
Automation
Abstraction and Policy Control
from Core to Edge
Analytics
Network Data,
Contextual Insights
Intent-based
Network Infrastructure
DNA Center
AnalyticsPolicy Automation
I N T E N T C O N T E X T
S E C U R I T Y
L E A R N I N G
The Network. Intuitive.
Powered by Intent. Informed by Context.

Introducing DNA Center
Realizing vision of the intent-powered intuitive network
Decouple Policy from
Network Topology
Industry Best-Practices
Configuration and Policy
Compliance
Proactive Issue
Identification and
Resolution
Policy Automation
Assurance and
Analytics
Translate business intent
into network policy
Reduce manual operations
and cost associated with
human errors
Use context to turn data into
intelligence

DNA Solution
Cisco Enterprise Portfolio
Automation AnalyticsIdentity Services Engine
Routers Switches Wireless APs
DNA Center
DNA Center
Simple Workflows
Wireless Controllers
DESIGN PROVISION POLICY ASSURANCE

Automating your Network with
DNA Center

Network Changes for Automation
Standard Change:
• Automated Change Request
• No Approval Required
• Fully owned by Network Engg
team with minimal to zero
downtime
Non-Standard Change
• Require Approval by Change
Board
• May require service disruption
• Co-ordination with Application
team during change window
Settings Update (Syslog, NTP)
Password Update
Port Settings, VLAN changes
New device/site deployment
Software Update
New service/Update service
Network
Changes

Impediments to Automation
• Organizational structures
Different groups
• Lack of internal standards
Snowflakes!
• History
e.g. ACL CLIs
• Standard vs.non-standard changes
Enterprise
Network
change
requests.
65%
Standard
changes
35%
New
initiatives
12%
New lab configurations
10% Hardware upgrades
21% ACL updates
7%
Fleet standardizations
7% Feature configs:
IP/Routing
4% Power shut-downs
8% Hardware upgrades
3% Feature configs:
Security
2% ACL updates
15% Other
12% Other

BRKNMS-1499
What are Standard Network Changes ??
AAA Configuration
DNS/DHCP Servers
NTP Servers
Syslog Servers
Netflow Collectors
SNMP/SSH/Telnet
Interfaces Configuration
ACL’s
Dial Plans
Vrf
Routing Protocols
Tunnels/DMVPN
Security/Crypto
QOS
AVC
AAA Configuration
DNS/DHCP Servers
NTP Servers
Syslog Servers
Netflow Collectors
SNMP/SSH/Telnet
Interfaces Configuration
Spanning Tree
VLAN
Security/Crypto
QOS
AVC
AAA Configuration
DNS/DHCP Servers
NTP Servers
Syslog Servers
Netflow Collectors
SNMP/SSH/Telnet
SSID’s
RF
Security/Crypto
QOS
AVC
Routers Switches WLC’s
Standard Changes :
o No Approval Required
o Minimal to Zero Disruption
Non-Standard Changes :
o Requires Approval
o May require service
disruption
o May need co-ordination
with other teams (App,DC
etc) during change window
17

Use Case:
• Adding a new Syslog (Ex:
Splunk) in the network
• SoX requirements to update
password every 6 months
AAA
Server
Site1
North
America
South
America
Site2
Africa
EMEAR
AAA
Server
DNS
Server
Syslog
Server
Syslog
Server
DHCP
Server
Benefits:
• Repeated manual error prone
tasks automated
• Eng get additional time to focus
on design and deployment
• Standard change automation
removes the lead time to make
changes
Network Settings Update (Standard) DESIGN

Network
Design
Deployment
Standardization
Network
Compliance
Before
During
After
Profile Based
Deployment
§ Plan for the network deployment
§ Feature and Capabilities to be
enabled based on requirements
§ Topology for network
deployment
§ Automated Day 0 Deployment
§ Version management of Profile
for Day 2 Change Management
§ Configuration Compliance
Validation against Profile
§ Remediation of Configuration to
Golden Config
Network Deployment Consistency using Profile
Driven Automation
Configuration Consistency
Simplified Network
Deployment
Integrated IT
Process Flows
DESIGN

Workflows are foundational to Automation!
• Drive consistency into the architecture via design profiles for WAN and Campus
Both physical and virtual
Add Site
Properties under
Network Settings
Customize Network
Settings and
Credentials per Sub
Area or Site
Create sub
pools for
Services,
LAN,
Management
at sub area or
site
Select golden
image for
NFVIS, virtual
services
Open Design
> Network
Hierarchy
Add Areas and
Buildings
Add or
Import IP
Pools
Add SP
Profile
Add
appropriate
images into
repository
Add custom
CLI configs
Save and
associate Site
Select device, WAN and
LAN settings, add
required virtual Services
Create WAN
Profile
DESIGN

DNA Center automates the Deployment and Operations
• Plug-and-play
• Software / config / license management
• Ensuring that Hardware is not EoL
(Cisco Active Advisor)
• Software Image management (SWIM)
PnP Agent
Runs on Cisco® switches,
routers,
and wireless AP
Automates discovery and
provisioning
PnP Server
Centralized server
Auto-provision device w/ images
& configs.
Northbound REST APIs
PnP Protocol
HTTPS/XML based
Open schema
protocol
Network PnP
Application UI
IWAN
App
Topology
Discovery
REST API
PnP Service
DNA Center
Controller
PROVISION

Visualize Software Images
• For a given Device Family,
view :
All images
Image Version
Number of Devices using a
particular image
• Image Repository to
centrally store Software
Images, VNF Images and
Network Container Images
22

Manage Software Images
23
• Import Images/SMU from :
Cisco.com
URL(http/ftp)
Local PC
Another managed network device
• Remote File Server
Localized file server for software
distribution
File server mapped to site hierarchy
PROVISION

Platform extensibility for building
custom apps
API and Data Models across multiple
stages in DNA Stack
Integrations with complimentary
platforms *
Open Interfaces and Integrations
Firehose *
Connectors
Graph API
Contextual Search
Cisco Assets
Industry
Integrations
Flexibility Accessibility Expansibility
* : roadmap post FCS

I N T E N T CONTEXT
S E C U R I T Y
L E A R N I N G
Powered by intent,
informed by context.
THE NETWORK.
INTUITIVE.

ip access-list extended APIC_EM-MM_STREAM-ACL
remark citrix - Citrix
permit tcp any any eq 1494
permit udp any any eq 1494
remark citrix-static - Citrix-Static
permit tcp any any range 2512 2513
permit udp any any range 2512 2513
remark pcoip - PCoIP
remark timbuktu - Timbuktu
remark xwindows - XWindows
remark vnc - VNC
permit udp any any range 5900 5901
exit
ip access-list extended APIC_EM-SIGNALING-ACL
remark h323 - H.323
permit udp any any eq 1300 26
Intent-Based
Application PolicyLegacy QoS Policy

• Express Business Intent
• Translate into device specific policy/configuration
• Leverage Abstraction (the controller knows about the device specifics)
• Automate the Deployment across the Network
• Insure Fidelity to the Expressed Intent (keep everything in sync)
User policy based on user identity
and user-to-group mapping
Employee
(managed asset)
Employee
(Registered BYOD)
Employee
(Unknown BYOD)
ENG VDI System
PERMIT
PERMIT
DENY
DENY
DENY
DENY
DENY
PERMIT
PERMIT
PERMIT
PERMIT
PERMIT
Production Servers Development Servers Internet Access
Protected Assets
Source
De-coupling of
User Identity and Topology
Much easier to translate business objectives to
network functionality—Lowers TCO
Automation
Controller-Led
Networking Deployment
Evolution to a Policy Model
27
POLICY

Policy types
Access Policy
↓
Authentication/
Authorization
Group Assignment
Based on
Authentication methods
Access Control Policy
↓
Who can access what
Rules for x-group access
Permit group to app
Permit group to group
Application Policy
↓
Traffic treatment
QoS for Application
Path Optimization
Application compression
Application caching
DB
Th
Th
Th
✓
POLICY

1. Access Policies
• Access to the network is governed by ISE
users
things
Authenticate&
Authorize
(AAA)
Groups &
Policy
ISE
Network
Identity (e.g. Active
Directory)
SIEM
Location
Behavior
Analytics
pxGrid
CASB
Vulnerability
Scalable
Groups
Credentials
Posture
Profiling
POLICY

2. Access Control Policies
• Access Control (who can talk to who) is governed by DNA Center
Leverages ISE for group assignments
users
things
Authenticate&
Authorize
(AAA) Groups &
Policy
ISE DNA Center
Policy Authoring
Workflows
Fabric Management
Network
POLICY

DNA Automation – Access Control Policy Authoring

Gaining Deep Insights with
Assurance and Analytics

Source: 2016 Cisco Study
Traditional Networking CANNOT Keep Pace with the Demands of Digital Business
OpEx spent on
Network Visibility and
Troubleshooting
75%
Policy Violations
Due to Human Error
70%
Network Changes
Performed Manually
95%
Main Operational Challenges

Make Data
Driven Decisions
Reveal
Hidden Patterns
Automation for Faster
Results
Focus on
Important Things
Business Value Propositions of Network Analytics

Collect relevant metrics
Architectural Requirement #1: Instrumentation
ASSURANCE

Categorize metrics by degrees of relevance
Architectural Requirement #2: On-Device Analytics
ASSURANCE

Upload critical metrics off the device to collector(s)
(optimally via model-based streaming-telemetry)
Architectural Requirement #3: Telemetry
EM
Collector
ASSURANCE

Provision long-term storage, retrieval and representation of network metrics and events
Architectural Requirement #4: Scalable Storage
ASSURANCE

Identify anomalies and trends
Architectural Requirement #5: Analytics Engine
ASSURANCE

Correlate all data points and permutations for cognitive and predictive analytics
Architectural Requirement #6: Machine Learning
ASSURANCE

Identify root cause of issues by contextually correlating data
Architectural Requirement #7: Guided Troubleshooting
EM
Analytics
Engine
ASSURANCE

Present actionable insights to the operator
Solicit input to remediate the root cause
Present a self-remediation option
Architectural Requirement #8: Self-Remediation
EM
Analytics
EngineEM
Network
Controller
Do you want to take the
recommended action?
Yes No
Do you want to take the
recommended action?
Yes NoAlwaysAlways
ASSURANCE

I N T E N T CONTEXT
S E C U R I T Y
L E A R N I N G
Powered by intent,
THE NETWORK.
INTUITIVE.

DNA Software Capabilities
Automation Analytics
Virtualization
DNA-Ready Physical and Virtual infrastructure
Security
Cisco DNA Architecture

Virtualization
Cisco DNA Architecture—Automation and Analytics
EM
NDP
NDP:
Network Data Platform
(Analytics Engine)EM
NCP
NCP
Network Controller Platform
(Network Controller)

Virtualization
Cisco DNA Architecture—Automation and Analytics
EM
NDP
NDP:
(Analytics Engine)
Abstraction layer
Intent OutcomeDelivering the Intent
Analyzing the Outcome
within the Context of the
expressed Intent
Assuring
the Intent
EM
NCP
NCP
Network Controller Platform
(Network Controller)

Cisco DNA Architecture—DNA Center
EM
NDP
DNA Center Appliance
EM
NCP
DNA Center User Interface
A single pane of glass for Design, Policy, Provisioning, and Assurance

Cisco DNA Architecture—DNA Center: Assurance
å

I N T E N T CONTEXT
S E C U R I T Y
L E A R N I N G
Powered by intent,
THE NETWORK.
INTUITIVE.

Transforming the Network with Big Data Analytics
Data
Insight
Information
Action
Create value at the right timeExtract meaningful insights from data
Volume
Data size
• TB per day
• Streaming telemetry,
NetFlow, Syslog, SNMP, logs
Velocity
Data speed
• Firehose
• Streaming, low-latency
push/pull
Variety
Data forms
• Structured, unstructured
• Switch, router, AP,
IoT sensor, firewall,
load balancer, DHCP, DNS
Veracity
Data trustworthiness
• Quality, validity
• Internal, partner, public
Analytics

EM
NDP
Network
Telemetry
Contextual Data
Data Collection and Ingestion
FW LB WLC Sensor
AAA
DNS DHCP
LDAP TOPOLOGY
INVENTORY
LOCATION
POLICY
ITSM
ITFM
Streaming
TelemetrySNMP NetFlow Syslog
Data Visualization and Action
Network Assurance netWorth
Collector and Analytics Pipeline SDK
...
Data Models and Restful APIs
Time Series Analysis
System Management Portal
Data Correlation and Analysis
Machine Learning
in the Cloud
CEP (*) Correlation
CEP = Complex Event Processing
Network Data Platform (Internal) Architecture

NetFlow
AVC
DDI
ISE
Topology
Location
Device
NDP
Stream
Processing
Contextual Correlation Example
Source IP: 1.1.1.2
Dest IP: 2.2.2.2
Dest Port: 80
Dest IP: 3.2.2.2
Dest Port: 80
?
?
?
NetFlow

AVC
NetFlow
DDI
ISE
Topology
Location
Device
NDP
Stream
Processing
Source IP: 1.1.1.2
Dest IP: 2.2.2.2
Dest Port: 80
Dest IP: 3.2.2.2
Dest Port: 80
AVC
?
?
?

AVC
NetFlow
DDI
ISE
Topology
Location
Device
NDP
Stream
Processing
Source IP: 1.1.1.2
Dest IP: 2.2.2.2
Dest Port: 80
Dest IP: 3.2.2.2
Dest Port: 80
AVC
DDI
?

AVC
NetFlow
DDI
ISE
Topology
Location
Device
NDP
Stream
Processing
Source IP: 1.1.1.2
Dest IP: 2.2.2.2
Dest Port: 80
Dest IP: 3.2.2.2
Dest Port: 80
AVC
DDI
User: George Baker
ISE
Group: Marketing

AVC
NetFlow
DDI
ISE
Topology
Location
Device
NDP
Stream
Processing
Source IP: 1.1.1.2
Dest IP: 2.2.2.2
Dest Port: 80
Dest IP: 3.2.2.2
Dest Port: 80
AVC
DDI
User: George Baker
ISE
Group: Marketing
Topology

AVC
NetFlow
DDI
ISE
Topology
Location
Device
NDP
Stream
Processing
Source IP: 1.1.1.2
Dest IP: 2.2.2.2
Dest Port: 80
Dest IP: 3.2.2.2
Dest Port: 80
AVC
DDI
User: George Baker
ISE
Group: Marketing
Topology
Location
Building 24 1st Floor

AVC
NetFlow
DDI
ISE
Topology
Location
Device
NDP
Stream
Processing
Source IP: 1.1.1.2
Dest IP: 2.2.2.2
Dest Port: 80
Dest IP: 3.2.2.2
Dest Port: 80
AVC
DDI
User: George Baker
ISE
Group: Marketing
Topology
Location
Building 24 1st Floor
Device
Client Density
Problem Here...

I N T E N T CONTEXT
S E C U R I T Y
L E A R N I N G
Powered by intent,
THE NETWORK.
INTUITIVE.

What is Machine Learning?
• Machine learning is an application of artificial intelligence (AI) that provides systems the ability to
automatically learn and improve from experience without being explicitly programmed to do so
• The process of learning begins with observations of data, and looking for patterns within the data so as to
make increasingly better correlations, inferences and predictions
• The primary aim is to allow these systems to learn automatically without human intervention or
assistance and adjust actions accordingly

Project Kairos
For Wireless, Wired and IOT
Cognitive Analytics
Netflix
AccessPoints
Device Type
Internet Video
Facebook
Instagram
YouTube
Anomaly detection across hundred of thousands of
devices, dozen of thousands of gears and hundreds
of heat maps
Machine Learning

Project Kairos
For Wireless, Wired and IOT
Cognitive Analytics
Anomaly detection
Identify and proactively adapt to a failure
before it happens
Machine Learning
Predictive Analytics

Machine Learning Algorithms
build their models using
hundreds of inputs
APs
WAN
Local WLCs
Network Services DCOffice Site
ISE
DHCP
Mobile Clients
CUCM
APIC-EM
~
~
~
~
~
~
~
~
~
~
~
~
RF & EDCA
behavioral
metrics,..
Queuing, Dropping, WRED
behavioral metrics…
Device type, OS release,
behavioral metrics, ...
WAN & core
network metrics ..
Application metrics, user
feedback, failure rate, ...
... and more

I N T E N T CONTEXT
S E C U R I T Y
LEARNING
Powered by intent,
THE NETWORK.
INTUITIVE.

Providing Security While Maintaining Privacy!
Encrypted Traffic
Non-Encrypted
Traffic
Can we Actually Solve This?
How do you Analyze Metadata without decrypting traffic flows?
80%
of organizations are
victims of malicious activity
41%
Of attacks used encrypted
traffic to evade detection

Encrypted Traffic Analytics
Encrypted traffic analytics from
Cisco’s newest switches and routers
Security with Privacy
Analyze netflow metadata without
decrypting traffic flows
Global-to-local knowledge correlation -
99.99% threat detection accuracy

Summary

Key Takeaways
Profile Based Deployment simplifies Day 0 Deployment and
Day 2 Change Management
Assurance must be outcomes driven and not problem based
Intent Driven Networking Starts with Policy
Automation must be thought holistically, as some of the
simple tasks take the most amount of time

Automated Deployment
It’s a Journey!
Self-Driving Automation
Plug and Play,
Day 0 Deployment
Configure once and deploy
everywhere - SD-Access
Exists Today
ISE / AD NAE / PI
DNA Center
Campus
Fabric
SDA
Future
Closed Loop through Network
Analytics and Machine Learning
Network
Analytics
Platform
DNA Center
BB
Campus
Fabric
SDA
APIC-
EM
HTTP
Proxy
Internet
Admin
Installer
New
Step 1
Network admin
previsions devices in
Cisco Network Plug
and Play applications
Step 2
Onsite installer with
mobile app installs and
powers on devices,
triggers deployment,
checks status
Step 3
New devices contact
Cisco Network Plug and
Play application to get
provisioned
Network admin can
remotely monitor
install status
Basic Advanced
One Point of Management: All from Cisco DNA Center
Consistent Across Network Fabric

Enterprise Networks - Cisco Digital Network Architecture - Introducing the Network Intuitive

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Enterprise Networks - Cisco Digital Network Architecture - Introducing the Network Intuitive

Similar a Enterprise Networks - Cisco Digital Network Architecture - Introducing the Network Intuitive (20)

Más de Cisco Canada

Más de Cisco Canada (20)

Último

Último (20)

Enterprise Networks - Cisco Digital Network Architecture - Introducing the Network Intuitive