
Cisco DNA Enablement Session

MODULE 1: Introduction to Cisco DNA


Digital Disruption Impact to Business

40%: of incumbents are at risk of being displaced in the next 5 years
$14T: of digital value at stake across private industries between 2013-22
26%: how much more profitable are organizations that master digital

Sources: Digital Vortex: How Digital Disruption Is Redefining Industries. Global Center for Digital Business Transformation, 2015. Cisco estimates $14.4 Trillion of digital value at stake across private industries between 2013-22: Where to begin your journey to digital value in the private sector. Leading Digital: Turning Technology into Business Transformation.
Creating New Priorities for Digital Organization

Transform Processes and Business Models: Innovations; Faster Time to Market
Empower Workforce Efficiency and Innovation: Increased Productivity; Better Retention
Personalize Customer/Citizen Experience: Increased Loyalty; Greater Insight

Mobility: Mobile traffic will exceed wired traffic by 2017
IoT: IoT devices will triple by 2020
Analytics: 75% of companies planning to or investing in big data
Cloud: 80% of organizations will primarily use SaaS by 2018
Digital Transformation Starts with the Right Foundation

First Line of Defense | Conduit for Critical Apps | Bridge for Scalability | Engagement | IoT | Full Business Visibility

The Network: Cornerstone Where Digital Success is Realized or Lost
Cisco Digital Network Architecture

Network-enabled Applications
Cloud Service Management: Policy | Orchestration
Open APIs | Developers Environment
Principles:
Automation: Abstraction and Policy Control from Core to Edge
Analytics: Network Data, Contextual Insights
Open and Programmable | Standards-based
Virtualization: Physical and Virtual Infrastructure | App Hosting
Cloud-enabled | Software-delivered

Business outcomes: Make Money, Save Money, Reduce Risk
MODULE 2: CISCO DNA AUTOMATION
APIC-EM System Requirements

Physical Appliance Specification:
Server: 64-bit x86
CPU (cores): 6
CPU speed: 2.4 GHz
RAM: 64 GB (Single Node), 32 GB (Per Host for Multi-Node)
Storage: 500 GB of available or usable storage after hardware RAID
RAID level: Hardware-based RAID at RAID level 10
Disk I/O speed: 200 MBps
Network adapter: 1 or more
Browser: Chrome (44.0 or later)
Web access required: Outbound secure web (HTTPS) access from the Cisco APIC-EM to the Internet for automatic updates of the controller software

Virtual Appliance Requirements:
VMware ESXi Version: 5.1/5.5
Server: 64-bit x86
Virtual CPU (vCPU): 6
CPU speed: 2.4 GHz
RAM: 64 GB (Single Node), 32 GB (Per Host for Multi-Node)
Storage: 500 GB of available or usable storage after hardware RAID
RAID level: Hardware-based RAID at RAID level 10
Disk I/O speed: 200 MBps
Network adapter: 1 or more
Browser: Chrome (44.0 or later)
Web access required: Outbound secure web (HTTPS) access from the Cisco APIC-EM to the Internet for automatic updates of the controller software
APIC-EM Form Factors

The Cisco APIC-EM is available in two form factors: virtual appliance and hardware
appliance.
The virtual appliance can be downloaded free of charge from Cisco Software
Central or Cisco's DevNet community service.
The hardware appliance can be purchased directly from Cisco or through Cisco
resellers.
APIC-EM Architecture
APIC-EM Architecture Explained
APIC-EM is Cisco's SDN controller; in the previous module we talked about SDN controllers and
their roles.
The architectural diagram in the previous slide shows that APIC-EM is built on the elastic
Grapevine platform. Grapevine allows APIC-EM to run multiple services, and to grow or create
multiple instances of these services as APIC-EM requires.

Some of the APIC-EM services running in grapevine are mentioned below:


Inventory Manager
Role Based Access Control
Policy Analysis
Policy Programmer
Topology Services
Data Access Service
Network PnP
IWAN Services
APIC-EM Architecture Explained
APIC-EM Applications which communicate with the grapevine services to provide
functional applications for the administrators are listed below:
Device/Host Discovery Application
Network/Host Inventory View
Plug and Play Application
Intelligent Wide Area Network Application
Path Trace Application
Topology Visualizer
About Device Discovery
The Discovery function scans the devices and hosts in your network and populates the Cisco APIC-
EM database with the information that it retrieves. To do this, you need to tell the controller some
information about your network, so that the Discovery function can reach as many of the devices in
your network as possible and gather as much information as it can.

The Discovery function uses the following protocols and methods to retrieve the information about
your network:
Cisco Discovery Protocol (CDP)
Community-based Simple Network Management Protocol Version 2 (SNMPv2c)
Simple Network Management Protocol version 3 (SNMPv3)
Link Layer Discovery Protocol (LLDP)
IP Device Tracking (IPDT): IPDT is enabled automatically for all devices by the controller. For this
configuration, privileges must be given to the controller during discovery.
LLDP-MED: IP phones and possibly some servers are discovered using LLDP Media Endpoint
Discovery
About Device Discovery - Screens
Device Inventory View
The Device Inventory window displays the results of the discovery scan. After the initial discovery, network
devices are polled every 30 minutes. Polling occurs for each device, link, host, and interface. Only devices that
have been active for less than a day are displayed. This prevents any stale device data from being displayed. On
average, polling 500 devices takes approximately 20 minutes. From APIC-EM 1.4 onwards, you can also add
individual devices, directly from the Device Inventory Screen.
About Topology Visualization
The Topology window displays a graphical view of your network. Using the discovery settings that you have
configured, the Cisco APIC-EM discovers and maps devices to a physical topology with detailed device-level
data.

The topology map includes the following key features:


Auto-visualization of Layer 2 and 3 topologies on top of the physical topology provides a granular view
for design planning and simplified troubleshooting.
For a Layer 2 topology, the controller discovers configured VLANs within your network to display in the
Topology window. For a Layer 3 topology, the controller discovers all forms of a Layer 3 topology (OSPF,
IS-IS, etc.), depending on what is currently configured and in use within your network to display in the
Topology window.
You can click on a device icon to display information about that device.
You can perform a path trace and then view the trace in the topology map.
Topology Visualization Screen
PnP Solution Overview
Need for Plug n Play:
Major costs incurred to install and deploy devices.
Typically, every device has to be pre-staged by a skilled installer and loaded, through a
console connection.
Traditional method is costly, time consuming, and error-prone
Customers want to increase speed and reduce complexity

The Cisco Network Plug and Play solution provides a simple, secure, unified, and integrated
offering for enterprise network customers to ease new branch or campus device rollouts or
for provisioning updates to an existing network. The solution provides a unified approach to
provision enterprise networks comprised of Cisco routers, switches, and wireless devices
with a near zero touch deployment experience.

It reduces the burden on enterprises by greatly simplifying the process of deploying new
devices. An installer at the site can deploy a new device without any CLI knowledge, while a
network administrator centrally manages device configuration.
PnP Solution Features
Simplified and consistent deployment of Cisco network devices

Automated and centrally managed remote device deployment from APIC-EM

Converged solution for Cisco routers, switches, and wireless access point devices

Devices can automatically discover the APIC-EM controller through DHCP, DNS, or a proxy server, and
predefined configurations and images can be pushed out as devices come online.

Configuration templates allow an administrator to define a template of CLI commands that can be
used to consistently configure multiple network devices, reducing deployment time. Configuration
templates are supported in Cisco Network Plug and Play version 1.3 and later.

Mobile iOS or Android application helps the device installer to bootstrap devices and monitor
installation from remote site

Secure device authentication and communication using secure unique device identifiers (SUDI), and
certificates stored in a Cisco managed trustpool bundle, which is a special store of certificates signed
by trusted certificate authorities and published by Cisco InfoSec.
Cisco Network Plug and Play Architectural Overview
PnP Solution Components
The Cisco Network Plug and Play solution includes the following components:

Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM)

Cisco Network Plug and Play application

Cisco Plug and Play IOS Agent

Cisco Plug and Play Mobile App for iOS and Android devices

Cisco SMI Proxy

Generic HTTP Proxy

Alternately, you can choose to set up a private VPN link so that the controller is reachable via
VPN, without using a generic proxy.
PnP - Remote Branch / Site Deployment
Prerequisite: Cisco network devices are running Cisco IOS images that support the Cisco Plug
and Play IOS Agent.

a) On the APIC-EM controller, the network administrator uses the Cisco Network Plug and Play
application to pre-provision the remote site and device information in the application. This
includes entering device information and setting up a bootstrap configuration, full
configuration, and IOS image for each device to be installed. The bootstrap configuration
enables the Plug and Play Agent and typically specifies the device interface to be used and
configures a static IP address for it.

b) The device installer uses the Deploy Devices function in the Cisco Plug and Play Mobile App
to deliver the bootstrap configuration to the Cisco network device and trigger deployment.

c) The network device connects to the Cisco Network Plug and Play application on the APIC-EM
controller, identifies itself by serial number, and downloads its full configuration and,
optionally, an IOS image, which were pre-provisioned by the network administrator
PnP - Unplanned Device Deployment
Prerequisite: Cisco network devices are running Cisco IOS images that support the Cisco Plug
and Play IOS Agent.

a) The network administrator sets up a DHCP server in the network to respond to client
discover requests with DHCP option 43, which contains the APIC-EM controller IP address
and port information. Alternatively, DNS can be used to locate the controller.

b) The device installer installs and powers up the Cisco network device.

c) The device auto-discovers the APIC-EM controller by using DHCP or DNS. The device is
listed as an unplanned device in the Cisco Network Plug and Play application, identified by
IP address and product ID.

d) The network administrator uses the Cisco Network Plug and Play application to claim the
device and configure it with a new configuration and IOS image. For details on using the
Cisco Network Plug and Play application, see the Configuration Guide for Cisco Network
Plug and Play on Cisco APIC-EM .
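The unplanned-deployment flow above hinges on the DHCP option 43 string that tells the PnP agent where the controller is. The following is an added example, not Cisco's code or anything from this deck: a parser and builder for that string that validates it before it goes into a DHCP scope and flags the choices that weaken the bootstrap. The field letters it understands (the `5A1N` marker, `B` address type, `K` transport with `K4` = HTTP and `K5` = HTTPS, `I` address, `J` port, `T` trustpool URL, `Z` NTP server) follow the format documented in Cisco's Network Plug and Play solution guide, which this page does not spell out, so treat them as an assumption to confirm against the guide; the addresses and URLs are constructed.

```python
"""Parse and validate the DHCP option 43 string that points a Cisco PnP agent at its
controller, then flag the weak choices. Added example, not Cisco's code. The field
letters (5A1N marker, B address type, K transport, I address, J port, T trustpool
URL, Z NTP server) follow the format documented in Cisco's Network Plug and Play
solution guide, which this page does not spell out: check them against the guide."""
import ipaddress
from typing import Optional

ADDR_TYPES = {"1": "hostname", "2": "ipv4", "3": "ipv6"}   # B field
TRANSPORTS = {"4": "http", "5": "https"}                    # K field
PLAIN_FIELDS = {"I": "address", "J": "port", "T": "trustpool_url", "Z": "ntp_server"}


def parse_pnp_option43(value):
    """Return the decoded fields plus a 'warnings' list; raise ValueError on bad input."""
    parts = value.strip().split(";")
    if parts[0] != "5A1N":
        raise ValueError("option 43 does not start with the PnP marker 5A1N")
    fields = {"addr_type": None, "transport": None, "address": None, "port": None,
              "trustpool_url": None, "ntp_server": None}
    for token in parts[1:]:
        if not token:
            continue
        letter, body = token[0], token[1:]
        if letter == "B":
            if body not in ADDR_TYPES:
                raise ValueError(f"unknown address type {token}")
            fields["addr_type"] = ADDR_TYPES[body]
        elif letter == "K":
            if body not in TRANSPORTS:
                raise ValueError(f"unknown transport {token}")
            fields["transport"] = TRANSPORTS[body]
        elif letter == "J":
            if not body.isdigit() or not 1 <= int(body) <= 65535:
                raise ValueError(f"bad port {token}")
            fields["port"] = int(body)
        elif letter in PLAIN_FIELDS:
            fields[PLAIN_FIELDS[letter]] = body
        else:
            raise ValueError(f"unknown field {token}")
    if fields["address"] is None or fields["port"] is None:
        raise ValueError("controller address (I) and port (J) are mandatory")
    # A literal address must parse and agree with the declared family; a typo here
    # strands every device that boots from this scope.
    if fields["addr_type"] in ("ipv4", "ipv6"):
        try:
            addr = ipaddress.ip_address(fields["address"])
        except ValueError as exc:
            raise ValueError(f"{fields['address']!r} is not a valid IP address") from exc
        if (addr.version == 4) != (fields["addr_type"] == "ipv4"):
            raise ValueError("address family does not match the B field")
    warnings = []
    if fields["transport"] == "http":
        warnings.append("K4 selects plaintext HTTP: the bootstrap exchange and the pushed "
                        "configuration cross the network unencrypted; prefer K5 (HTTPS)")
    elif fields["transport"] == "https" and fields["trustpool_url"] is None:
        warnings.append("HTTPS without a trustpool URL (T): the agent can only validate the "
                        "controller certificate against a trust bundle already on the device")
    elif fields["transport"] is None:
        warnings.append("no K field: transport left to the agent default")
    fields["warnings"] = warnings
    return fields


def build_pnp_option43(address, port, https=True, trustpool_url: Optional[str] = None):
    """Compose the string a DHCP server hands out; HTTPS is the default."""
    addr = ipaddress.ip_address(address)
    tokens = ["5A1N", f"B{2 if addr.version == 4 else 3}", f"K{5 if https else 4}",
              f"I{address}", f"J{port}"]
    if trustpool_url:
        tokens.append(f"T{trustpool_url}")
    return ";".join(tokens)


if __name__ == "__main__":
    # Constructed samples: an HTTPS pointer without a trustpool, and a plaintext pointer.
    for sample in ("5A1N;B2;K5;I192.0.2.10;J443", "5A1N;B2;K4;I192.0.2.10;J80"):
        print(sample, "->", parse_pnp_option43(sample)["warnings"])
```

The warnings are the point: a device that discovers its controller over `K4` downloads its full configuration in the clear, and one that uses `K5` without a `T` field depends entirely on the trust bundle it shipped with. Run the parser over the string before it is committed to the DHCP scope.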
About Path Trace
With Path Trace, the controller reviews and collects network topology and routing data from
discovered devices. Then it uses this data to calculate a path between two hosts or Layer 3
interfaces. Optionally, you can choose to collect interface, QoS, device, and Performance
Monitor statistics for a path.

The information gathered through the Path Trace app can be used to monitor and debug traffic
paths that are distributed among the various devices throughout your network.

The administrator performs these tasks by running a path trace between two nodes in your
network. The two nodes can be a combination of wired or wireless hosts and/or Layer 3
interfaces. In addition, the administrator can specify the protocol for the controller to use to
establish the path trace connection, either TCP or UDP.
Path Trace and Path Visualization
Path trace can identify the following information about the devices and paths:
HSRP
SVI
Layer 2
Layer 2 Port Channel
Layer 3 Routing Protocol
ECMP/TR
Netflow
ECMP over SVI
Subinterface
EIGRP
Level 3 Recursive Loop
VRF
ACLs
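The core of a path trace is a hop-by-hop walk through the routing data the controller collected: at each device, the most specific route for the destination decides the next hop. The block below is an added example written for this deck, not APIC-EM's implementation: it does that walk over constructed per-device routing tables, records ECMP candidates where a prefix has more than one next hop (following the first, as a report would note), and returns the two failure modes from the list above that matter most in troubleshooting, a Layer 3 recursive loop and a missing route. Device names and prefixes are invented.

```python
"""Walk a destination through per-device routing tables the way a path trace does:
longest-prefix match at each hop, ECMP candidates recorded, loops and missing routes
reported. Added example, not APIC-EM code; device names and routing tables are constructed."""
import ipaddress

# Constructed RIBs: device -> list of (prefix, next hops). None = directly connected.
RIB = {
    "branch-rtr": [("10.1.0.0/16", None), ("0.0.0.0/0", ["wan-edge"])],
    "wan-edge": [("10.1.0.0/16", ["branch-rtr"]),
                 ("10.2.0.0/16", ["dc-core-a", "dc-core-b"]),   # ECMP pair
                 ("0.0.0.0/0", ["dc-core-a"])],
    "dc-core-a": [("10.2.10.0/24", None), ("10.2.20.0/24", ["dc-core-b"]),
                  ("10.3.0.0/16", ["dc-core-b"])],               # 10.3/16 points at b ...
    "dc-core-b": [("10.2.20.0/24", None), ("10.2.10.0/24", ["dc-core-a"]),
                  ("10.3.0.0/16", ["dc-core-a"])],               # ... and b points back: a loop
}


def longest_match(device, dst):
    """Return (network, next_hops) of the most specific route on `device` for `dst`."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hops in RIB[device]:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hops)
    return best


def path_trace(src_device, dst, max_hops=30):
    """Follow the first ECMP candidate at each hop; keep every candidate for the report."""
    hops = []
    visited = {src_device}
    current = src_device
    while len(hops) < max_hops:
        match = longest_match(current, dst)
        if match is None:
            return {"status": "no-route", "failed_at": current, "hops": hops,
                    "path": [h["device"] for h in hops] + [current]}
        net, next_hops = match
        hops.append({"device": current, "prefix": str(net),
                     "candidates": list(next_hops or [])})
        if next_hops is None:
            return {"status": "reached", "hops": hops, "path": [h["device"] for h in hops]}
        nxt = next_hops[0]
        if nxt in visited:  # the Layer 3 recursive loop the slide lists
            return {"status": "loop", "hops": hops,
                    "path": [h["device"] for h in hops] + [nxt]}
        visited.add(nxt)
        current = nxt
    return {"status": "hop-limit", "hops": hops, "path": [h["device"] for h in hops]}


if __name__ == "__main__":
    for target in ("10.2.10.5", "10.2.20.7", "10.3.1.1", "172.16.1.1"):
        r = path_trace("branch-rtr", target)
        print(f"{target:12} {r['status']:9} {' -> '.join(r['path'])}")
```

The `visited` set is what turns an endless walk into a reported loop; the hop limit is the backstop for topologies where the loop passes through devices the controller never discovered.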
Module 3: Secure Access WAN
Need for IWAN
Evolving the Network to Enable the Journey to
the Cloud
Business and IT are changing like never before
Internet Becoming an Extension of Enterprise WAN
Emerging Branch Demands
WAN Spending Trends
Why Move to Internet as WAN?
When users complain about an Application Problem

What the users see:
"Your network is so slow I cannot get any work done today" (End Users)
"I do not see anything wrong" (Network Admin)

What network admins see:
ping - OK
show ip route - OK
traceroute - OK
show interface - OK

What can happen:
Wireless Network Issue
Increased Latency
WAN Network Issue
Application Problem
Server Problem
User Problem
Module 3: Secure Access WAN
IWAN Explained
IWAN: SD-WAN Requirements Analysis
IWAN Solution Architecture & Components

Diagram: the Branch (ISR-AX, running AVC, WAAS and PfR) connects over MPLS, Internet and 3G/4G-LTE to ASR1000 routers at the Private Cloud, the Virtual Private Cloud and the Public Cloud.

Transport Independent: DMVPN IPsec overlay design; consistent operational model; simple provider migrations; scalable and modular design
Intelligent Path Control: Performance Routing (PfR); application best path based on delay, loss, jitter, path preference; load balancing for full utilization of all bandwidth; improved network availability
Application Optimization: AVC: application monitoring with Application Visibility and Control; WAAS: app acceleration and bandwidth savings; Akamai Connect: content (HTTP/S) caching
Secure Connectivity: certified strong encryption; comprehensive threat defense with ASA and IOS firewall/IPS; Cloud Web Security (CWS) for scalable secure direct Internet access
Cisco AX Routers
IWAN Capabilities Embedded in the Router

One Network, Unified Services: Visibility, Control, Optimization
ASR1000-AX and ISR-AX
Simplify Application Delivery | Transport Independent Routing | Secure

Cisco AX Routers: 3900 | 2900 | 1900 | 800 | 4400 | 4300 | ASR1000


Flexible Secure IWAN Over Any Transport
IWAN Transport Independent Design
with Dynamic Multipoint VPN (DMVPN)
Dynamic Multipoint VPN
Build Highly Resilient WANs
Redundancy and Path Diversity Matter
Hybrid WAN Designs
Traditional and IWAN
IWAN Transport Independence
Consistent deployment Models Simplify Operations
IWAN Automated Secure VPN
IWAN Transport Best Practices
Application Visibility and Control

App Visibility & User Experience Report (exported as NFv9/IPFIX):
SAP: BW 3M, Transaction Time 150 ms
Sharepoint: BW 10M, Transaction Time 500 ms
(rated High / Med / Low)

Recognition: identify applications using L3 to L7 information
Performance Collection & Exporting: collect application performance metrics, and export to management tool
Management Tool: advanced reporting tool aggregates and reports application performance
Control: control application network usage to improve application performance
Application Visibility and Control (continued)

Unified Monitoring (NBAR2 metadata): Traffic Statistics; Response Time; Voice/Video Monitoring; URL Collection
Reporting tools: Cisco Prime Infrastructure
Control: QoS (w/ NBAR2); PfR
What do we want to monitor?

Traffic Statistics: Application usage per client IP/subnet/site; Top clients per application; Top conversation per application
URL Visibility: Most visited web-site; Per-URL application response time
Application Response Time: Per-application end-to-end latency; Application response time & transaction time; Application processing time
Media Performance: Per-stream jitter and packet loss; RTP conversations
Evolution of Applications

COLLABORATION, INFORMATION, SaaS (FTP, IM, SOAP, RPC, Video)

Static port classification is no longer enough
More and more apps are opaque
Increasing use of encryption and obfuscation
Application consists of multiple sessions (video, voice, data)
What if user experience is not meeting business needs?

HTTP IS THE NEW TCP
Application Recognition in Enterprise

ACL, DPI and Metadata

ACL: up to Layer 4 analysis
NBAR2 (DPI): +1400 signatures in NBAR2; up to the application level
Metadata: interact with application to go deeper into the end user flows
Next Generation NBAR (NBAR2)

IOS NBAR: +150 signatures
NBAR2: +1400 signatures; advanced classification techniques; SCE classification innovations; native IPv6 classification; Open API

New DPI engine provides Advanced Application Classification and Field Extraction Capabilities from SCE
Protocol Pack allows adding more applications without upgrading or reloading IOS
NBAR2 Protocol List - http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/product_bulletin_c25-627831.html
NBAR2 and Encryption

Using heuristics based classification, NBAR can classify 70+ encrypted applications.
NBAR2 HTTP Field Extraction

Example: a client (IP=192.168.100.100) browsing http://www.cnn.com/US through Se0/0/0 to www.cnn.com (IP=157.166.255.18).

Ability to extract information from the HTTP message:

GET /weather/getForecast?time=37&&zipCode=95035 HTTP/1.1    <- collect application http url
Host: svcs.cnn.com                                          <- collect application http host
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1    <- collect application http user-agent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://www.cnn.com/US/                             <- collect application http referer
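To make the field extraction concrete, here is an added example (not Cisco's parser and not code from this deck) that pulls the same four fields out of a raw request: the request target from the request line, and the Host, User-Agent and Referer headers. The embedded request is the one on this slide re-typed on single lines; the dictionary keys reuse the slide's record-field names (`http url`, `http host`, ...) for readability and are not an NBAR2 data structure. It refuses anything that is not an HTTP request line, which is what you get when a TLS hello lands on port 80.

```python
"""Pull the four HTTP fields NBAR2 exports (url, host, user-agent, referer) out of a raw
request, mirroring the 'collect application http ...' record fields on this slide.
Added example, not Cisco's parser; the request below is the slide's request re-typed,
and the field names are the record-field names, not an NBAR2 data structure."""

SAMPLE_REQUEST = (
    "GET /weather/getForecast?time=37&&zipCode=95035 HTTP/1.1\r\n"
    "Host: svcs.cnn.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Accept-Language: en-us,en;q=0.5\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Connection: keep-alive\r\n"
    "Referer: http://www.cnn.com/US/\r\n"
    "\r\n"
)

# record field -> HTTP header it is taken from; the url comes from the request line
HEADER_FIELDS = {"http host": "host", "http user-agent": "user-agent", "http referer": "referer"}


def extract_http_fields(payload):
    """Return {'method', 'http url', 'http host', ...} for an HTTP request, else None."""
    text = payload.decode("latin-1") if isinstance(payload, bytes) else payload
    head = text.split("\r\n\r\n", 1)[0] if "\r\n\r\n" in text else text.split("\n\n", 1)[0]
    lines = [ln.rstrip("\r") for ln in head.split("\n")]
    request_line = lines[0].split(" ")
    # Anything that is not "<method> <target> HTTP/x.y" is not HTTP, e.g. a TLS hello.
    if len(request_line) != 3 or not request_line[2].startswith("HTTP/"):
        return None
    method, target, _version = request_line
    headers = {}
    for ln in lines[1:]:
        if ":" not in ln:
            continue
        name, value = ln.split(":", 1)
        headers.setdefault(name.strip().lower(), value.strip())  # first occurrence wins
    fields = {"method": method, "http url": target}
    for record_field, header in HEADER_FIELDS.items():
        fields[record_field] = headers.get(header)  # None when the client omitted it
    return fields


if __name__ == "__main__":
    for k, v in extract_http_fields(SAMPLE_REQUEST).items():
        print(f"{k:18} {v}")
```

Note that the extracted values are attacker-controlled strings: a Host or Referer header is whatever the client chose to send, so a reporting tool that groups on them should treat them as untrusted input, not as proof of where the traffic came from.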
Better Visibility with NBAR2
Show ip nbar Protocol-discovery Top-n Reporting Tools Display Top Client and Server

Router#show ip nbar protocol-discovery top-n 10

 GigabitEthernet0/0/3
                            Input                    Output
                            -----                    ------
 Protocol                   Packet Count             Packet Count
                            Byte Count               Byte Count
                            30sec Bit Rate (bps)     30sec Bit Rate (bps)
                            30sec Max Bit Rate (bps) 30sec Max Bit Rate (bps)
 -------------              ------------------------ ------------------------
 webex-meeting              45807530                 163458047
                            2497543722               129842885217
                            115000                   5998000
                            152000                   7799000
 bittorrent                 59667396                 156155174
                            12768822744              103187176646
                            555000                   4715000
                            697000                   5077000
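The output above is laid out for a human: each protocol occupies four lines, with input counters in one column and output counters in the other. As an added example (not an IOS feature and not code from this deck), the block below parses that layout into per-interface, per-protocol counters and ranks protocols by a chosen counter, so the figures can be fed to a reporting tool rather than read off the screen. The sample text is the slide's own output; the counter names are ours.

```python
"""Parse 'show ip nbar protocol-discovery top-n' output into per-interface, per-protocol
counters so the figures can be ranked or exported instead of read off the screen. Added
example, not an IOS feature; the sample text is the output shown on this slide."""
import re

SAMPLE_OUTPUT = """\
 GigabitEthernet0/0/3
                            Input                    Output
                            -----                    ------
 Protocol                   Packet Count             Packet Count
                            Byte Count               Byte Count
                            30sec Bit Rate (bps)     30sec Bit Rate (bps)
                            30sec Max Bit Rate (bps) 30sec Max Bit Rate (bps)
 -------------              ------------------------ ------------------------
 webex-meeting              45807530                 163458047
                            2497543722               129842885217
                            115000                   5998000
                            152000                   7799000
 bittorrent                 59667396                 156155174
                            12768822744              103187176646
                            555000                   4715000
                            697000                   5077000
"""

# The four numeric lines per protocol, in the order IOS prints them.
COUNTERS = ("packets", "bytes", "rate_bps", "max_rate_bps")
IFACE_LINE = re.compile(r"^\s*([A-Za-z]+\d[\d/.]*)\s*$")
FIRST_LINE = re.compile(r"^\s*([A-Za-z][\w.-]*)\s+(\d+)\s+(\d+)\s*$")
CONT_LINE = re.compile(r"^\s+(\d+)\s+(\d+)\s*$")


def parse_protocol_discovery(text):
    """Return {interface: {protocol: {"input": {...}, "output": {...}}}}."""
    result, iface, proto, idx = {}, None, None, 0
    for line in text.splitlines():
        m = IFACE_LINE.match(line)
        if m:
            iface, proto = m.group(1), None
            result[iface] = {}
            continue
        m = FIRST_LINE.match(line)
        if m and iface is not None:
            proto, idx = m.group(1), 0
            result[iface][proto] = {"input": {}, "output": {}}
        else:
            m = CONT_LINE.match(line)
            if not m or proto is None:
                continue  # header, ruler or blank line
            idx += 1
            if idx >= len(COUNTERS):
                proto = None  # more numeric lines than counters: stop attributing them
                continue
        inp, out = m.groups()[-2:]
        result[iface][proto]["input"][COUNTERS[idx]] = int(inp)
        result[iface][proto]["output"][COUNTERS[idx]] = int(out)
    return result


def top_talkers(parsed, direction="output", counter="rate_bps"):
    """Rank (interface, protocol, value) by one counter, highest first."""
    rows = [(iface, proto, stats[direction][counter])
            for iface, protos in parsed.items()
            for proto, stats in protos.items() if counter in stats[direction]]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    parsed = parse_protocol_discovery(SAMPLE_OUTPUT)
    for iface, proto, bps in top_talkers(parsed):
        print(f"{iface} {proto:15} {bps:>10} bps out")
```

Ranking by input bytes rather than output bit rate already tells a different story on this interface: bittorrent has moved more bytes in, while webex-meeting has the higher current output rate.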
Simplify Application Management with NBAR2
NBAR2 attribute provides grouping of similar types of applications
Use attributes to report on group of applications or to simplify QoS classification
6 pre-defined attributes per application (can be reassigned by users)

Category: First level grouping of applications with similar functionalities
Sub-category: Second level grouping of applications with similar functionalities
Application-group: Grouping of applications based on brand or application suite
P2P-technology?: Indicates application is peer-to-peer
Encrypted?: Indicates application is encrypted
Tunneled?: Indicates application uses tunneling technique

Define Your Own Application in NBAR2

Port: TCP or UDP; 16 static ports per application; range of ports (1000 maximum)
Payload: search the first 255 bytes of TCP/UDP payload; ASCII (16 characters); Hex (4 bytes); Decimal (1-4294967295); Variable (4 bytes Hex)
HTTP URL: URI regex; Host regex
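The three rule kinds above (port, payload, HTTP URL/host) and their limits are easier to reason about when you can run flows through them. The block below is an added example, not NBAR2's engine and not code from this deck: a small classifier that enforces the stated limits when a rule is defined (255-byte payload window, 16 static ports or a range of up to 1000, 16-character ASCII match, 4-byte hex match) and returns the first matching application for a flow. Application names, ports, magic bytes and the flows themselves are constructed, and the "first rule wins" ordering is our choice.

```python
"""Match constructed flows against user-defined application rules of the three kinds the
slide lists (port, payload, HTTP URL/host) while enforcing the stated limits. Added
example, not NBAR2's engine; rule names, ports, magic bytes and flows are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

PAYLOAD_WINDOW = 255      # only the first 255 bytes of payload are searched
MAX_STATIC_PORTS = 16     # more than 16 ports must be a single contiguous range
MAX_PORT_RANGE = 1000
MAX_ASCII_LEN = 16
HEX_LEN = 4


@dataclass
class CustomApp:
    name: str
    protocol: str = "tcp"                 # "tcp" or "udp"
    ports: frozenset = frozenset()
    ascii_match: Optional[bytes] = None   # ASCII string, up to 16 characters
    hex_match: Optional[bytes] = None     # exactly 4 bytes
    host_regex: Optional[str] = None      # HTTP Host header
    uri_regex: Optional[str] = None       # HTTP request URI

    def __post_init__(self):
        if self.protocol not in ("tcp", "udp"):
            raise ValueError("protocol must be tcp or udp")
        if self.ports and not all(1 <= p <= 65535 for p in self.ports):
            raise ValueError("port out of range")
        if len(self.ports) > MAX_PORT_RANGE:
            raise ValueError(f"at most {MAX_PORT_RANGE} ports per application")
        if len(self.ports) > MAX_STATIC_PORTS and max(self.ports) - min(self.ports) + 1 != len(self.ports):
            raise ValueError(f"more than {MAX_STATIC_PORTS} ports must form one contiguous range")
        if self.ascii_match is not None and len(self.ascii_match) > MAX_ASCII_LEN:
            raise ValueError(f"ASCII match is limited to {MAX_ASCII_LEN} characters")
        if self.hex_match is not None and len(self.hex_match) != HEX_LEN:
            raise ValueError(f"hex match must be exactly {HEX_LEN} bytes")


HTTP_REQ = re.compile(rb"^(?:GET|POST|PUT|HEAD|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r?\n")
HOST_HDR = re.compile(rb"^Host:[ \t]*(\S+)", re.MULTILINE | re.IGNORECASE)


def http_fields(head):
    """URI and Host from the start of an HTTP request, or None if it is not one."""
    m = HTTP_REQ.match(head)
    if not m:
        return None
    h = HOST_HDR.search(head)
    return {"uri": m.group(1).decode("latin-1"),
            "host": h.group(1).decode("latin-1") if h else ""}


def classify(flow, apps):
    """flow = {'protocol', 'dst_port', 'payload': bytes}; first matching rule wins."""
    head = flow["payload"][:PAYLOAD_WINDOW]
    http = http_fields(head)
    for app in apps:
        if app.protocol != flow["protocol"]:
            continue
        if flow["dst_port"] in app.ports:
            return app.name
        if app.ascii_match and app.ascii_match in head:
            return app.name
        if app.hex_match and app.hex_match in head:
            return app.name
        if http and app.host_regex and re.search(app.host_regex, http["host"]):
            return app.name
        if http and app.uri_regex and re.search(app.uri_regex, http["uri"]):
            return app.name
    return None


# Constructed rule set: a port range, a binary magic number, and an HTTP host/URI pair.
APPS = [
    CustomApp("my-erp", "tcp", frozenset(range(8400, 8450))),
    CustomApp("legacy-telemetry", "udp", hex_match=b"\xca\xfe\xba\xbe"),
    CustomApp("intranet-portal", "tcp", host_regex=r"^portal\.example\.internal$",
              uri_regex=r"^/api/v1/"),
]

if __name__ == "__main__":
    req = b"GET /api/v1/users HTTP/1.1\r\nHost: portal.example.internal\r\n\r\n"
    print(classify({"protocol": "tcp", "dst_port": 80, "payload": req}, APPS))
```

The window test in the assertions is the practical caveat: a marker that only appears after byte 255 of the payload is never seen, so a custom signature must key on something the first packet carries.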

Simplified Protocol Pack Management Infrastructure

Check and Install the Correct Protocol Packs (Just an Example Slide)
Check the current / active PP on the Device
Can install new PP if an upgrade is required
Most Accessed URLs & URL Response Times
Quality of Service
Where Can We Classify? Where Can We Take Actions?

Classification (on INGRESS or EGRESS) is de-coupled from Action (on EGRESS)

Classify Based On: NBAR2 (sub-category, App-ID); ACL (Subnets, Ports); DSCP
Actions: Marking; Policing; Bandwidth Allocation; Shaping
QoS Functions

Classification (ACL, NBAR, DSCP) -> Marking/Mutation (SET, MUTATE, e.g. EF -> 0) -> Queueing / Bandwidth Allocation -> Shaping/Policing

Shaping/Policing
Traffic shaping limits the transmit rate to a value lower than line rate: without shaping, traffic bursts to line rate; with shaping, traffic is held to the shaped rate.
Policing discards traffic which exceeds the policed rate: without policing, traffic bursts to line rate; with policing, traffic above the policed rate is dropped.
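The shaping-versus-policing distinction is clearest when both are run over the same burst. The block below is an added example, not IOS code: a token-bucket policer and a token-bucket shaper fed the same constructed burst (twenty 1500-byte packets, one per millisecond, against a 1 Mbps rate with a 12,500-byte committed burst). The policer drops whatever finds the bucket empty; the shaper holds the packet until enough tokens accrue, so nothing is lost but latency grows. Times are in microseconds and every calculation is integer, so the results are exact rather than floating-point approximations.

```python
"""Token-bucket policer next to a token-bucket shaper over the same burst, to show the
difference the slide draws: a policer drops what exceeds the rate, a shaper holds it
back. Added example, not IOS code; the 1 Mbps rate, 12,500-byte committed burst and the
20-packet burst are constructed. Times are microseconds and all arithmetic is integer."""

# Constructed burst: twenty 1500-byte packets, one every millisecond (12 Mbps offered load).
BURST_PACKETS = [(i * 1000, 1500) for i in range(20)]


def _refill(tokens, last_us, now_us, rate_bytes_s, bc_bytes):
    """Tokens earned since last_us, capped at the committed burst Bc."""
    return min(bc_bytes, tokens + (now_us - last_us) * rate_bytes_s // 1_000_000)


def police(packets, cir_bps, bc_bytes):
    """Single-rate policer: conform if the bucket has enough tokens, else drop."""
    rate = cir_bps // 8
    tokens, last = bc_bytes, 0
    conformed, dropped = [], []
    for arrival, size in packets:
        tokens = _refill(tokens, last, arrival, rate, bc_bytes)
        last = arrival
        if size <= tokens:
            tokens -= size
            conformed.append((arrival, size))
        else:
            dropped.append((arrival, size))  # exceed action: drop; no queue, no delay
    return {"conformed": conformed, "dropped": dropped}


def shape(packets, cir_bps, bc_bytes):
    """Same bucket, but a packet waits (FIFO) until enough tokens accrue."""
    rate = cir_bps // 8
    tokens, last, clock = bc_bytes, 0, 0
    sent = []
    for arrival, size in packets:
        clock = max(arrival, clock)           # not before arrival, not before the previous send
        tokens = _refill(tokens, last, clock, rate, bc_bytes)
        last = clock
        if tokens < size:
            wait = -(-(size - tokens) * 1_000_000 // rate)   # ceiling division
            clock += wait
            tokens = _refill(tokens, last, clock, rate, bc_bytes)
            last = clock
        tokens -= size
        sent.append({"arrival_us": arrival, "send_us": clock, "delay_us": clock - arrival})
    return sent


def summarize(packets, cir_bps, bc_bytes):
    """Side-by-side numbers for the same input."""
    p = police(packets, cir_bps, bc_bytes)
    s = shape(packets, cir_bps, bc_bytes)
    return {"policer_dropped": len(p["dropped"]),
            "shaper_dropped": 0,
            "shaper_max_delay_ms": max(x["delay_us"] for x in s) / 1000}


if __name__ == "__main__":
    print(summarize(BURST_PACKETS, 1_000_000, 12_500))
```

With these numbers the first nine packets fit in the committed burst and pass both devices untouched; from the tenth onward the policer drops eleven packets, while the shaper delivers all twenty but the last one leaves 121 ms after it arrived. That delay is why shaping suits data and policing suits traffic that would rather lose a packet than wait, such as voice.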
Intelligent Path Control with PfR
Voice and Video Use-Case

Diagram: Branch with MPLS and Internet paths to the Private Cloud and the Virtual Private Cloud.

Voice/Video take the best delay, jitter, and/or loss path
Voice/Video will be rerouted if the current path degrades below policy thresholds
Other traffic is load balanced to maximize bandwidth

PfR monitors network performance and routes applications based on application performance policies
PfR load balances traffic based upon link utilization levels to efficiently utilize all available WAN bandwidth
What PfR Does
Protecting Critical Applications While Increasing Bandwidth Utilization

Hybrid IWAN (SP1 (MPLS) + ISP (Internet)): detect loss greater than 10%
Business App and Load-Balancing Policy:
Protect business cloud applications from brownouts: Loss < 5%
Preferred path for business applications: SP1 (MPLS)
Increase WAN bandwidth efficiency by load-sharing best-effort traffic over all WAN paths, MPLS + Internet

Dual Internet IWAN (ISP-1 (Cable) + ISP-2 (DSL)): detect high jitter
Multimedia and Critical Data Policy:
Protect voice and video quality: Latency < 150 ms; Jitter < 20 ms; voice and video preferred path SP-A
Protect VDI applications from brownouts: Loss < 5%; VDI preferred path SP-B
Increase utilization of best-effort traffic by load sharing
Performance Routing Components

The Decision Maker: Master Controller (MC), in the Data Center
Discover BRs, collect statistics
Apply policy, verification, reporting
No packet forwarding/inspection required

The Forwarding Path: Border Router (BR)
Gain network visibility in forwarding path (Learn, measure)
Enforce MC's decision (path enforcement)
Does all packet forwarding

Branch: combined MC+BR, connected over DSL and Cable

Optimize By: Reachability, Delay, Loss, Jitter, MOS, Throughput, Load, and/or $Cost
How PfR Works
Key Operations

Platforms: ISR G2 and ASR1K as MC and BR (or combined MC+BR at branches)

Define Your Traffic Policy: identify Traffic Classes based on Applications or Transport Classifiers
Learn the Traffic: ISR G2 and ASR learn traffic classes flowing through Border Routers (BRs) based on your policy definitions
Measurement: measure the traffic flow and network performance actively or passively and report metrics to the Master Controller
Path Enforcement: Master Controller commands path changes based on your traffic policy definitions
Performance Routing Control Loop

1. Learn Your Traffic Classes: prefix-based flows; ACL-based flows; application flows
2. Network Performance Measure: Passive: Netflow data (throughput); Active: IPSLA probes (jitter, delay); Network availability: reachability and topology info via routing processes
3. Apply Your Traffic Policy: compute path performance; compare to defined policy per traffic class; Passive Mode: BW, Delay (TCP), Loss (TCP); Active Mode: Delay, Loss, Jitter, MOS
4. Select Path: send good path to BRs for each traffic class; BRs inject best path into FIB; gather new path performance info
5. Verify New Path: verify traffic is flowing on new path; revert to previous path if performance remains out-of-policy
Defining Application Performance Policy

Choose your policy actions for various traffic classes
Alternate path selection based on flexible criteria

Flexible criteria: Application (Reachability, Delay, Loss, Jitter, MOS); Link (Load Balancing, Max Utilization, Link-Group Path Preference, Bandwidth Costs ($))

Example:
Voice/Video: 1. Link-Group: Path-A; 2. Loss; 3. Jitter; 4. Delay
Critical Application: 1. Link-Group: Path-B; 2. Loss; 4. Delay
Remaining Traffic: Load-Balance
Measuring Network and Application Performance

Passive Measurement
For data or best effort applications
Ingress/Egress Bandwidth and TCP loss and delay derived from Netflow Data

Active Measurement
For Video, Voice and delay sensitive data applications
Path Jitter, Delay, Loss and MOS derived from IPSLA synthetic traffic probes
Dedicated IPSLA responder (in the Data Center) to offload probing from branch in large deployments

PfR automatically enables Netflow and IPSLA
No knowledge or configuration experience needed
MC performance database to determine policy enforcement actions

Topology: MC with IPSLA Responder in the Data Center behind two BRs; Branch MC+BR reached over DSL and Cable.

MC performance database (example):
Destination Prefix | App Id | DSCP | Delay | Jitter | Loss | Ingress BW | Egress BW | BR  | Exit
10.1.1.1/32        |        | EF   | 60    | 10     | 0    | 20         | 40        | BR1 | Gi1/1
10.1.10.0/24       |        | AF31 | 110   | 15     | 0    | 52         | 60        | BR1 | Gi1/2
                   |        | 0    | 89    | 26     | 1    | 34         | 10        | BR2 | Gi1/1
Load Balancing
Maximizing Link Utilization to Increase Available Bandwidth

External link Load Balancing is enabled by default
PfR distributes traffic across a set of links to maintain efficient utilization levels within a defined percentage range. Default utilization range is +/- 20%
External links can have different available bandwidth, e.g., Int 1/0 = 1.5Mbps, Int 1/1 = 15Mbps
Load Balancing defaults can be modified by CLI

Example (Data Center ASR 1000s with MPLS and Internet WAN links): Utilization Range 50%: 15Mbps = 7.5Mbps; 50% T1 = 750kbps; Max Utilization 90%
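The policy definition, the per-path measurement table and the load-balancing range above come together in the master controller's decision. The block below is an added example, not Cisco's PfR implementation: it evaluates a per-class policy over a measurement table shaped like the one on the measurement slide and decides whether a traffic class should stay or move, then checks a link set against the default +/- 20% utilization range and the 90% ceiling. The voice/video thresholds (latency < 150 ms, jitter < 20 ms, loss < 5%), the 5% loss bound for the business application, the 20% range and the 90% cap are taken from the slides; the prefixes, exits, measured values and link loads are constructed, and "preferred path" is modelled as a preferred border router.

```python
"""Evaluate a PfR-style per-class policy over a measurement table and check a link set
against the default +/- 20% load-balancing range. Added example, not Cisco's PfR code:
the voice/video thresholds (latency < 150 ms, jitter < 20 ms, loss < 5%), the 5% loss
bound for business apps, the 20% range and the 90% max utilization come from the slides;
prefixes, exits, measurements and loads are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Measurement:
    prefix: str
    dscp: str
    br: str
    exit: str
    delay_ms: float
    jitter_ms: float
    loss_pct: float


MEASUREMENTS = [
    Measurement("10.1.1.1/32", "EF", "BR1", "Gi1/1", 60, 10, 0),
    Measurement("10.1.1.1/32", "EF", "BR2", "Gi1/1", 89, 16, 1),
    Measurement("10.1.10.0/24", "AF31", "BR1", "Gi1/2", 110, 15, 0),
    Measurement("10.1.10.0/24", "AF31", "BR2", "Gi1/1", 95, 30, 6),
]

# Thresholds are "must stay below"; "preferred" is the link-group path preference.
POLICIES = {
    "EF":   {"delay_ms": 150, "jitter_ms": 20, "loss_pct": 5, "preferred": "BR1"},  # voice/video
    "AF31": {"loss_pct": 5, "preferred": "BR1"},                                    # business app
}


def in_policy(m, policy):
    return all(getattr(m, k) < v for k, v in policy.items() if k != "preferred")


def select_path(prefix, dscp, current_br, measurements=MEASUREMENTS):
    """Decide which BR the master controller should steer this traffic class to."""
    policy = POLICIES[dscp]
    candidates = {m.br: m for m in measurements if m.prefix == prefix and m.dscp == dscp}
    good = [br for br, m in candidates.items() if in_policy(m, policy)]
    preferred = policy["preferred"]
    if preferred in good:
        choice, reason = preferred, "preferred path is in policy"
    elif current_br in good:
        choice, reason = current_br, "current path in policy; preferred path out of policy"
    elif good:
        choice = min(good, key=lambda br: candidates[br].delay_ms)
        reason = "current path out of policy; lowest-delay in-policy alternate"
    else:
        choice, reason = current_br, "all paths out of policy; no reroute, report only"
    return {"br": choice, "exit": candidates[choice].exit,
            "reroute": choice != current_br, "reason": reason}


LINKS = {"Gi1/1": {"capacity_kbps": 15_000, "load_kbps": 7_500},  # 15 Mbps link at 50%
         "Gi1/2": {"capacity_kbps": 1_536, "load_kbps": 768}}      # T1 at 50%


def load_balance_check(links, range_pct=20, max_util_pct=90):
    """Flag a link set whose utilizations differ by more than the range or exceed the cap."""
    util = {name: 100 * l["load_kbps"] / l["capacity_kbps"] for name, l in links.items()}
    spread = max(util.values()) - min(util.values())
    return {"utilization_pct": {n: round(u, 1) for n, u in util.items()},
            "in_range": spread <= range_pct,
            "over_max": [n for n, u in util.items() if u > max_util_pct]}


if __name__ == "__main__":
    print(select_path("10.1.1.1/32", "EF", "BR1"))
    print(load_balance_check(LINKS))
```

The "all paths out of policy" branch mirrors step 5 of the control loop: when no alternate is any better, moving traffic only adds churn, so the controller stays put and reports.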
Module 3: Secure Access WAN
Simplified IWAN Deployment Options
Management Solutions for Cisco Infrastructure

On-Premises:
Prime Infrastructure (Enterprise Network Mgmt and Monitoring): Customer needs feature configurable enterprise network management and end-to-end monitoring; Network Configuration and Assurance across one Cisco portfolio from Branch to Datacenter; IT Network Team
Cisco APIC-EM IWAN APP (Prescriptive Policy Automation): Customer wants massive simplicity and operational automation; Use-Case Point-n-Click QoS/PfR/AVC configuration; Highly consistent network requirement with prescriptive Cisco Validated Designs; Lean IT or IT Network team

Cloud-Based:
Application Aware Performance Mgmt: Customer looking for advanced monitoring and visualization; Network troubleshooting; Real-time analytics and flow/device scalability; IT Network team
Advanced Orchestration: Customer wants advanced provisioning, life cycle management, and customized policies; Multi-tenant configuration; System-wide network consistency assurance; IT Network team
Cisco Intelligent WAN APIC-EM APP
The IWAN App for the APIC-EM simplifies network management in an intuitive browser-based GUI and
enables IT automation through centrally-managed policies.

The IWAN App features:

Simplified workflows: use case driven with step-by-step provisioning
Zero-touch provisioning: plug-and-play for remote devices without user intervention
Business-level policies: application rules drive network actions and abstraction of underlying policy configurations
Open architecture: northbound API for third party GUIs, scripting, or reporting
Network and application monitoring: status, alerting of network issues
Plug-n-Play Options
No CLI Skills Required

PnP 1: USB stick to bootstrap the ISR. Installer connects LAN/WAN cables; ISR loads bootstrap config from USB memory stick
PnP 2: Prime Plug-n-Play Application. Installer connects LAN/WAN cables + a USB console cable to a Laptop/iPhone/iPad; PnP Application bootstraps the router
PnP 3: Cisco Configuration Professional Express (ISR Device GUI). Installer connects LAN/WAN cables + a PC to a LAN port; CCP Express Application to bootstrap the router
IWAN Automated Secure VPN with APIC IWAN APP 1H215

Embedded Trust Devices
Secure Boot Strap
Automatic Configuration and Trust Establishment
Dynamic VPN Establishment
Automatic Session Key Refresh (IKEv2)
Trust Revocation

APIC Key and Certificate Controller: Deploy, Search, Retrieve, Revoke; Optional External Certificate Authority
Configuration Orchestration: IWAN App, Prime, 3rd Party

Topology: AX routers at the Campus, Large Site (Metro-E), Enterprise WAN Core (MPLS), Resilient POP, DC, Branch and Intelligent Branch (4G, ISP)
Performance Routing IWAN Platform Support

Cisco CSR-1000: MC
Cisco ASR-1000: MC, BR
Cisco ISR 4000 (4400, 4300): MC, BR
Cisco ISR G2 family (3900-AX, 2900-AX, 1900-AX, 890): MC, BR

AX License: Application Visibility & Control (AVC); Performance Routing (PfR)
Cisco IWAN In Summary
Uncompromised Experience Over Any Connection

Lower Costs without Tradeoffs

Maximize Your WAN Investment

Unleash Your Business Potential


MODULE 5: Cisco StealthWatch
Detecting the Unknown
Is Your Network Secured Like a House or Like a Bank?
"If someone breaks into your house, trying to figure where they went and what they took is
pretty difficult because, unlike a bank, you don't have cameras in your house, you don't have
motion sensors," says Jason Syversen, chief executive officer of Siege Technologies, a security
firm in Manchester, N.H. "In terms of cybersecurity, most companies are more like a house than
a bank."
Perimeter Security
Much of the practice of computer security has to do with making sure the doors are locked.
When we have incidents we spend more money on prevention
We tend to assume that if the bad guys are in, it's game over: systems will stop working or money will be instantly stolen

Millions Of Stolen Records
Despite $32 billion spent on conventional tools, threats continue to evade detection and data breaches continue
Threat Actors
Aggressors and their motivations:
Activist: Ideology
Organized Crime: Money
Nation States: Geopolitical
Insider: Diverse
Meet Emily Williams
Fictional CSE created to abstract sensitive information from a specific target. She graduated
from MIT and had 10 years of experience despite being 28 years old.

Despite the fake profile, she was offered sensitive information by our target's AMs and CSEs.
She had friends in large partner vendors and was even offered dinner invitations by male friends.
The Impact of Social Media
10 minutes: 20 Facebook connections, 6 LinkedIn connections
15 hours: 60 Facebook connections, 55 LinkedIn connections
24 hours: 3 job offers
Total Connections: 170 employees (71 Cisco; 22 NetApp; 10 EMC; 35 McAfee); 300+ Facebook friends
Endorsements: 22 LinkedIn endorsements for expertise and experience, from partners and co-workers
Offers: 4 job offers, laptop and office equipment, network access.
Advanced Detection Methods

Signature = Object against blacklist (IPS, Antivirus, Content Filter)
Behavior = Inspect victim behavior against blacklist (Malware Sandbox, NBAD, HIPS, SIEM)
Anomaly = Inspect victim behavior against whitelist (NBAD; quantity/metric based, not signature based)

                 | Signature | Behavior | Anomaly
Known Exploits   | BEST      | Good     | Limited
0-day Exploits   | Limited   | BEST     | Good
Credential Abuse | Limited   | Limited  | BEST
NetFlow - A Light in the Darkness
Low cost monitoring solution: uses existing infrastructure and Visibility Fabric with GigaSMART; a single or small number of regional collectors support an infrastructure; no agents
Generate NetFlow from anywhere: any network TAP can be used for NetFlow; non-Cisco environments; data centers where unsampled NetFlow may not be available
Accounting data stores well: fractions of a percentage of the storage needed for packet capture; common format means it's easy to write to tables for analysis
StealthWatch: System Overview

Network devices export NetFlow / NBAR / NSEL to the FlowCollector; a non-NetFlow capable device is mirrored (SPAN) to a StealthWatch FlowSensor, which generates NetFlow.
StealthWatch FlowCollector: collect and analyze; up to 4,000 sources; up to 240,000 FPS sustained
StealthWatch Management Console: management and reporting; up to 25 FlowCollectors; up to 6 million FPS globally
NetFlow for Security
Your Network Is Your Sensor: WHERE, WHEN, WHAT, HOW, WHO

Visibility, Context, and Control
Devices: Routers & Switches; Firewall; hardware-enabled NetFlow switch at the access layer
Internal Network: Identity
Context

Use NetFlow Data to Extend Visibility to the Access Layer
Enrich Flow Data with Identity, Events and Application to Create Context
Unify Into a Single Pane of Glass for Detection, Investigation and Reporting
NetFlow Analysis with StealthWatch Provides
Better discovery: identify business-critical applications and services across the network
Policy and segmentation validation
Audit trail of all host-to-host communication
Identify additional IOCs: Network Behaviour Anomaly Detection (NBAD)
Understand and respond to an IOC
Detailed visibility: drilling into a single flow provides a plethora of information
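The detection methods in the table above (signature, behavior, anomaly) and the segmentation audit and host-to-host audit trail listed here are easiest to see on actual flow records. The following is an added example written for this page, not StealthWatch code: it parses a constructed NetFlow-style export and runs all four checks over the same records. The sample flows, zone networks, allowed zone pairs and the blacklisted port 4444 are constructed for the illustration.

```python
"""Flow-based detection over constructed NetFlow-style records.

Added illustration, not StealthWatch code: the three detection methods from the
slides (signature, behavior, anomaly) and a host-to-host segmentation audit, all
run over the same flow records, which is the point of collecting NetFlow.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample flow export (not a real capture). One flow per line:
# start_epoch,src,dst,proto,dport,packets,bytes
SAMPLE_FLOWS = """\
1000,10.1.1.10,10.3.0.8,6,443,40,52000
1060,10.1.1.10,10.3.0.8,6,443,38,49000
1120,10.1.1.10,10.3.0.8,6,443,41,51000
1180,10.1.1.10,203.0.113.9,6,443,900,4800000
1000,10.1.1.11,10.2.0.5,6,443,35,47000
1060,10.1.1.11,10.2.0.6,6,80,30,40000
1120,10.1.1.11,10.2.0.7,6,22,12,3000
1300,10.1.1.11,10.2.0.20,6,4444,5,400
1200,10.1.2.50,10.3.0.8,6,445,20,30000
"""

# Zones assumed for the example (the deck's doctor / guest / patient-records case).
ZONES = {
    "employee": ip_network("10.1.1.0/24"),
    "guest": ip_network("10.1.2.0/24"),
    "intranet": ip_network("10.2.0.0/16"),
    "patient_records": ip_network("10.3.0.0/16"),
}
# Allowed (source zone, destination zone) pairs; anything else is a violation.
ALLOWED = {("employee", "patient_records"), ("employee", "intranet"),
           ("employee", "internet"), ("guest", "internet")}
# Constructed blacklist for the signature check; 4444 is only an example port.
BLACKLISTED_PORTS = {4444}


def parse_flows(text):
    """Parse the CSV-style export into flow dicts."""
    flows = []
    for line in text.strip().splitlines():
        start, src, dst, proto, dport, pkts, byts = line.split(",")
        flows.append({"start": int(start), "src": src, "dst": dst,
                      "proto": int(proto), "dport": int(dport),
                      "packets": int(pkts), "bytes": int(byts)})
    return flows


def zone_of(addr):
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"  # anything outside the known zones


def signature_hits(flows):
    """Signature: match a flow attribute against a blacklist (IPS/AV style)."""
    return [f for f in flows if f["dport"] in BLACKLISTED_PORTS]


def behavior_hits(flows, max_peers=3):
    """Behavior: hosts whose fan-out exceeds a known-bad pattern (scan-like), whatever the ports."""
    peers = defaultdict(set)
    for f in flows:
        peers[f["src"]].add(f["dst"])
    return sorted(host for host, p in peers.items() if len(p) > max_peers)


def anomaly_hits(flows, learn_until, z_threshold=3.0):
    """Anomaly: each host's later flows are compared with its own baseline of bytes per
    flow learned before `learn_until` (a whitelist of normal, metric based)."""
    baseline = defaultdict(list)
    for f in flows:
        if f["start"] < learn_until:
            baseline[f["src"]].append(f["bytes"])
    hits = []
    for f in flows:
        hist = baseline.get(f["src"], [])
        if f["start"] < learn_until or len(hist) < 3:
            continue  # still learning, or no usable baseline for this host
        mu, sd = mean(hist), pstdev(hist)
        if sd:
            z = (f["bytes"] - mu) / sd
        else:
            z = float("inf") if f["bytes"] > mu else 0.0
        if z > z_threshold:
            hits.append((f["src"], f["dst"], f["bytes"], round(z, 1)))
    return hits


def policy_violations(flows):
    """Segmentation audit: every host-to-host flow checked against the allowed zone pairs."""
    return [(f["src"], f["dst"], zone_of(f["src"]), zone_of(f["dst"]))
            for f in flows if (zone_of(f["src"]), zone_of(f["dst"])) not in ALLOWED]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("signature:", [(f["src"], f["dst"], f["dport"]) for f in signature_hits(flows)])
    print("behavior:", behavior_hits(flows))
    print("anomaly:", anomaly_hits(flows, learn_until=1150))
    print("policy:", policy_violations(flows))
```

On the sample data the signature check only catches the flow to the blacklisted port, the behavior check flags the host fanning out to four peers, the anomaly check flags the 4.8 MB upload to an external address because it is thousands of standard deviations above that host's own baseline, and the policy audit flags the guest host reaching the patient-records network even though nothing about that single flow is malicious on its own. Note the failure modes built in: a host with fewer than three baseline flows is skipped rather than scored, and a zero-variance baseline does not divide by zero.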
Solution Areas
Visibility: context-aware visibility into network, application and user activity; BYOD; cloud monitoring; IPv6; east-west traffic monitoring; network segmentation; firewall rule auditing
Threat detection: advanced persistent threats; insider threat; DDoS; botnet (CnC) detection; data exfiltration; network reconnaissance; network behavior anomaly detection; Cisco Cyber Threat Defense Solution
Incident response: in-depth, flow-based forensic analysis of suspicious incidents; scalable repository of security information; retrace the step-by-step actions of a potential attacker; on-demand packet capture
Network diagnostics: application awareness; capacity planning; performance monitoring; troubleshooting
User monitoring: Cisco ISE; monitor privileged access; policy enforcement
MODULE 5: Cisco StealthWatch
DNA and StealthWatch
Importance of DNA Analytics and Telemetry Applications
DNA Analytics and Telemetry Applications provide feedback mechanisms that are built into the architecture to offer continuous and relevant information about the operational state of the network.
Analytics and telemetry support is offered in three ways:
Data collection
Data analysis
Feedback and control
DNA Data collection
The DNA network elements are enhanced to collect data about all
aspects of the network, including the state of the network elements
and the traffic flows pertaining to the services offered by the network.
The data is collected from the following sources:
Routers, Switches, WLC and Access Points
Virtualized Network Functions (CSR 1000v, ASAv)
AAA Servers, layer 4-7 functions
Cisco Adaptive Security Appliance (ASA)
Cisco Identity Service Engine (ISE)

The continuous collection of such telemetry data always includes timestamps, allowing time-series analysis of all events.
DNA Data Analysis
In this solution the network acts as a security sensor and provides
network anomaly detection services to the operator. Data from various
sources is correlated to make inferences about the security aspects of
the network.
DNA Feedback and Control
The insights gained by an analytics engine can be used to drive events
and actions.
Network or security services can be optimized based on the analytics
results, for example, by instantiating new policies for particular
applications or user, or by modifying existing ones.
Cisco Lancope StealthWatch
Cisco Lancope StealthWatch is a DNA Analytics and Telemetry
Application, which can be used to perform all the functions highlighted
in previous slides, including:
Data collection
Data analysis
Feedback and control
MODULE 5: Cisco StealthWatch
StealthWatch Components
StealthWatch Management Console
The StealthWatch Management Console provides a single vantage point for disparate IT groups to see contextual information about all activity across the network. The simple at-a-glance interface permits operators to quickly spot trouble and respond accordingly.
The capacity of the console determines the volume of NetFlow data that can be analyzed and presented, as well as the number of StealthWatch FlowCollectors that can be deployed. The console is available as a hardware appliance or a virtual machine.
StealthWatch Management Console Features
Major features of the StealthWatch Management Console include:
User identity tracking
Flexible deployment options, including virtual appliances
Quick root-cause analysis and troubleshooting
Relational flow maps
NAT stitching
Custom dashboards
Custom reports
Automated blocking, remediation, and rate limiting
Top n reports for applications, services, ports, protocols, hosts, peers, and
conversations
Traffic composition breakdown
StealthWatch Management Console Models
StealthWatch Management Console scalability:
StealthWatch Flow Sensor
The Flow Sensor is a component that produces NetFlow data for segments of the switching and routing infrastructure that do not support NetFlow.
It also works in environments where an overlay monitoring solution better fits the operations model of the IT organization.
The Flow Sensor can provide Layer 7 application information for environments where Cisco Network-Based Application Recognition (NBAR) is not enabled.
StealthWatch Flow Sensor Features
Major features of the StealthWatch Flow Sensor include:
Layer 7 application context
Flow visibility
NetFlow generation
Virtual environment visibility
Real-time updates for current threats
Round-trip time (RTT) and server response time (SRT) calculations for TCP connections
StealthWatch Flow Sensor Specifications
MODULE 5: Cisco StealthWatch
StealthWatch vs Sourcefire
If you knew you were going to be compromised, would you do security differently?
The New Security Model
Attack Continuum
BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Applies across Network, Endpoint, Mobile, Virtual and Cloud
Protection ranges from point-in-time controls to continuous analysis
Mapping Technologies to the Model
Attack Continuum
BEFORE (Control, Enforce, Harden): Firewall, App Control, VPN, Patch Mgmt, Vuln Mgmt, IAM/NAC
DURING (Detect, Block, Defend): IPS, Anti-Virus, Email/Web
AFTER (Scope, Contain, Remediate): IDS, FPC (full packet capture), Forensics, AMD (advanced malware detection), Log Mgmt, SIEM
Visibility and Context underpin all three phases.
Mapping Products to the Model
Attack Continuum
BEFORE (Control, Enforce, Harden); DURING (Detect, Block, Defend); AFTER (Scope, Contain, Remediate)
Products mapped across the continuum: Firewall, VPN, NGFW, UTM, NAC + Identity Services, Web Security, Email Security, NGIPS, Network Behavior Analysis, Advanced Malware Protection, Lancope StealthWatch System
Visibility and Context underpin all three phases.
During (Detect, Block, Defend): visibility
Lancope StealthWatch:
Monitor and profile traffic for up to 25M+ hosts
Leverage application data from a variety of sources
Monitor policy
Provide intelligence to improve defenses
Identify precursors to an attack
Sourcefire FireSIGHT:
Host map and risk profile for up to 300K hosts
Identify applications and services (over 2,000)
Identify operating systems
Leverage network awareness as a component of NGIPS to help tune policy
Visibility and Context

During (Detect, Block, Defend): detection
Lancope StealthWatch:
Leverages Cisco infrastructure for detection
Detection using behavioral profiles and statistical modeling
Policy validation from across the infrastructure
Detects attacks that do not violate policy (low-and-slow attacks, data loss)
Detects ongoing attacks (DDoS)
Sourcefire:
Network probes and host agents
DPI and rules engine (Snort) to alert on or block exploitation of vulnerabilities
Detect/block known bad files for specific host platforms
Leverage sandboxing to identify known bad file activity
Visibility and Context


After (Scope, Contain, Remediate)
Lancope StealthWatch:
Track infection spread
Create a forensic trail of network activities
Investigate activities post mortem
Build a timeline of the attack
Mix of behavioral profiles, statistical modeling and user-defined policy for detection
Sourcefire:
Provide file interaction history
Detect and remediate known bad files
Limit the proliferation of known bad files
Visibility and Context


Cisco Sourcefire and Lancope Better Together
Cisco Sourcefire and Lancope: An Architectural Approach
Pervasive visibility across the attack continuum
Focus on threats in addition to policy
Provide holistic view into all host-to-host communication
Reduce complexity, increase capabilities
A platform strategy addressing a broad range of attack vectors everywhere the
threat manifests
Enabled by world-class research & open source
Why Be Confused?
Both products focus on identification of commodity and advanced malware, but do so differently and are complementary, NOT competitive, to each other.
StealthWatch focuses on flow analysis for threat detection:
Looks holistically at connections and activities on the network to record and detect malicious behavior even when signatures are not available. Threat detection is based solely on flow analytics and behavioral modeling.
These analytics identify known attacks, but are differentiated by their ability to uncover unknown or 0-day issues.
Flow retention allows for a number of other workflow-related tasks, such as compliance validation and forensic workflow.
Sourcefire NGIPS uses deep packet analysis for gathering context:
Snort rules understand the conditions necessary to exploit a vulnerability in operating systems, services and applications. Packet analysis builds detailed asset profiles and prioritizes threats to aid event analysis.
Flow data may be consumed by Sourcefire appliances to add context to packet-level or file-level analytics.
Lancope StealthWatch Core Functionality
NetFlow collection and analysis: visibility into all host-to-host communication; large-scale and long-term storage for historical flow analysis
Behavioral analysis: detection of suspicious and/or anomalous behavior
Policy violations: audits transactions for policy violations even where perimeter defenses aren't available
Incident response: capable of recording EVERY transaction; speeds up knowledge of lateral movement once a threat is identified; forensic investigation for post mortem
Sourcefire FireSIGHT Core Functionality
Sourcefire FireSIGHT and Lancope StealthWatch are primarily aimed at solving different problems.
FireSIGHT is an integral part of the Sourcefire NGFW and NGIPS solution and is not a purpose-built NBA solution. It:
Profiles the network and attached devices to provide context for the prioritization and correlation of IPS event data
Develops detailed host profiles through OS, service, protocol and application identification
Determines relevant vulnerabilities based on host attributes
Provides targeted traffic modeling
Detects policy and usage violations, e.g., hosts running non-business applications
Imports third-party host information such as vulnerability scan data
FireSIGHT Capability Comparison
Feature | Sourcefire FireSIGHT | Lancope StealthWatch
Data source | Enriched flow data generated by dedicated sensors; creates a detailed network host map | NetFlow/IPFIX from Cisco routers, switches and firewalls, the StealthWatch FlowSensor, and other flow sources
Storage | 500M events and 500M flow summaries, usually weeks of data or less | Up to 4 TB of storage per collector, usually many months or more; many collectors attached to a single manager
Event rate | Up to 10,000 events per second, based on appliance model | 120,000+ flows per second per collector appliance; 3M+ flows per second per management appliance in large deployments
Scalability | Bounded by the Defense Center event database maximum | Horizontal; supports queries across multiple FlowCollectors
Scalability of data sources | A single Defense Center can support over 100 sensors, one database | Up to 50,000 sources
Summary of Differences: FireSIGHT / Lancope
Sourcefire FireSIGHT:
Is part of an NGIPS and NGFW solution and presents flow information in a way that optimizes intrusion event analysis
Is protocol aware and determines operating systems
Builds a real-time host map and profiles risk for up to 300,000 IPs on a single Defense Center
Lancope StealthWatch:
Is a dedicated flow analysis system for threat detection, behavioral analysis and forensic investigations
Is focused on security but has applicability for network operations teams as well
Uses a mix of behavioral profiles, statistical modeling and user-defined policy violations for alerting
Can monitor traffic across an entire enterprise (up to 1M+ unique hosts per collector or 25M+ hosts per manager)
Is designed to identify attacks without the use of signatures, for broader detection capabilities
Collects flow data from existing infrastructure (up to 50,000 sources, Cisco or other)
Stores months of flow data, and consumes application details from FlowSensors, Cisco devices, etc.
FireAMP Core Functionality
Discovers, analyzes and blocks advanced malware
Cloud-based detection allows all users to leverage the very latest list of known and suspected malware
A file hash is created and sent to the cloud to determine the file's disposition
Continuous detection, both immediate and retrospective: files previously seen and thought safe, but now identified as malicious according to the latest threat information, are flagged after the fact
AMP for Networks, deployment
In-line detection
License option for FirePOWER appliances with NGIPS and NGFW
Stand-alone FireAMP appliance
Event analysis and reporting through the Sourcefire FireSIGHT Management appliance
AMP for End Point, deployment
Install Connector on PCs, Laptops, tablets, Smart phones
Small 10MB footprint
Designed to co-exist with other traditional anti-virus solutions
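The retrospective detection described above, as an added example written for this page and not FireAMP code: every file sighting is recorded by SHA-256 hash and checked against a disposition service at that moment; when a hash's disposition later changes to malicious, the earlier sightings are surfaced chronologically, which is what makes the spread of the file visible. The DispositionService class is a local stand-in for the cloud lookup, and the file contents, host names and timestamps are constructed.

```python
"""Retrospective file detection over recorded sightings.

Added illustration, not FireAMP code: files seen on hosts are recorded by SHA-256
hash and checked against a disposition service at that moment (point in time).
When a hash's disposition later changes to malicious, every earlier sighting becomes
a retrospective alert, ordered by time, so the first host to receive the file and
how far it has spread are visible. DispositionService is a local stand-in for the
cloud lookup.
"""
import hashlib
from collections import defaultdict


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


class DispositionService:
    """Stand-in for the cloud: hash -> disposition, updated as intelligence improves."""
    def __init__(self):
        self._table = {}

    def lookup(self, digest):
        return self._table.get(digest, "unknown")

    def update(self, digest, disposition):
        self._table[digest] = disposition


class FileTracker:
    def __init__(self, cloud):
        self.cloud = cloud
        self.sightings = defaultdict(list)  # digest -> [(seen_at, host)]
        self.last_verdict = {}              # digest -> disposition at last check

    def record_sighting(self, host, content: bytes, seen_at: int):
        """Point-in-time check: quarantine now if already known bad, otherwise just remember."""
        digest = sha256_hex(content)
        self.sightings[digest].append((seen_at, host))
        verdict = self.cloud.lookup(digest)
        self.last_verdict[digest] = verdict
        return {"host": host, "sha256": digest,
                "action": "quarantine" if verdict == "malicious" else "allow"}

    def retrospective_alerts(self):
        """Re-check every hash seen so far; return the sightings of any hash whose
        disposition became malicious since it was last checked, oldest first."""
        alerts = []
        for digest, seen in self.sightings.items():
            verdict = self.cloud.lookup(digest)
            if verdict == "malicious" and self.last_verdict.get(digest) != "malicious":
                self.last_verdict[digest] = verdict
                for seen_at, host in sorted(seen):
                    alerts.append({"sha256": digest, "host": host, "seen_at": seen_at})
        return alerts


def demo():
    """Constructed scenario: one file reaches three hosts while still 'unknown',
    then intelligence catches up."""
    cloud = DispositionService()
    tracker = FileTracker(cloud)
    dropper = b"constructed sample payload, not real malware"
    report = b"constructed quarterly report"
    first = [tracker.record_sighting("ws-01", dropper, 1000),
             tracker.record_sighting("ws-02", dropper, 1300),
             tracker.record_sighting("ws-04", report, 1400),
             tracker.record_sighting("ws-03", dropper, 1600)]
    before = tracker.retrospective_alerts()          # nothing known bad yet
    cloud.update(sha256_hex(dropper), "malicious")   # new intelligence arrives
    after = tracker.retrospective_alerts()           # three hosts, chronological
    again = tracker.retrospective_alerts()           # already raised, not repeated
    late = tracker.record_sighting("ws-05", dropper, 2000)  # now blocked at first sight
    return {"initial_actions": [r["action"] for r in first], "before": before,
            "after": after, "again": again, "late": late}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two details matter for the comparison that follows: the tracker knows which hosts held the file and in what order, but nothing about how it moved between them (that is the flow-level view StealthWatch supplies), and an alert is raised once per disposition change so a re-check does not re-alert on hosts already handled.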
FireAMP and StealthWatch Comparison
Sourcefire FireAMP | Lancope StealthWatch
Detection by file analysis | Detection by flow/traffic analysis
File analysis is not 100 percent effective, but the files that are detected are quarantined | Detection of IOCs can find malware built to evade file analysis or packet inspection, but remediation often requires re-imaging of hosts
Retrospective detection can alert on older malware when new intelligence is added to the cloud | User activity is recorded and available for both real-time and historic analysis of suspect hosts spanning months or years
Client support depends on platform; network inspection requires a distributed deployment of FirePOWER devices | Monitors all host activity regardless of machine type, recording transactions for analysis
FireAMP shows infected machines chronologically but does not show flow information, i.e. how the file moved and proliferated | StealthWatch has an extensive history of all network communication made by infected hosts, used to determine the potential exposure
MODULE 6: Cisco ISE
Need for Cisco ISE
What Keeps CIOs/CISOs Up at Night?
Business trends:
33% of global companies have already experienced a breach
Over 15 billion connected devices by 2015 (3.3 per person!)
28% of execs think virtualization increases security risks
Security concerns:
Visibility into WHO and WHAT accesses sensitive data
Associated growth of security and compliance risks
Expanding security and access controls while controlling costs
Secure Policy Enforcement Demands Grow
Due to growing security awareness, enterprises demand more visibility and greater control over users/devices on the network.
Adoption over time:
Gen 1 (2007): managed endpoints, IT procured and managed; simple guest access
Mobility (2012): procured and BYOD mobile device use
Internet of Things (2015+): explosion of network-enabled devices
Bottom Line: What's Missing Today?
The ability to onboard and secure connected devices across wired, wireless or remote access
Rich, contextual information to grant the right people and devices the right levels of access to the network
The capability to proactively limit the spread of security threats across a highly distributed infrastructure
Securing access is more than simply deploying point solutions. In a rapidly changing environment, enterprises need an enterprise-class product from a strategic partner.
Cisco Identity Services Engine (ISE)
All-in-one Enterprise Policy Control
Identity context (WHO, WHAT, WHERE, WHEN, HOW) is mapped by ISE to security policy attributes and business-relevant policies.
Access media: wired, wireless, VPN
Endpoint types: VM client, IP device, guest, employee, remote user
Secure Access Enabled by Cisco ISE
Policy management: Cisco Identity Services Engine (ISE), Cisco Prime Infrastructure
Policy information: user directory, profiling from Cisco infrastructure, posture from endpoint agents
Policy enforcement: Cisco infrastructure (switches, wireless controllers, firewalls, routers)
MODULE 6: Cisco ISE
ISE Features
ISE Policy Platform
What is Profiling?
Collection: the process of collecting data to be used for identifying devices. ISE uses probes to collect device attributes: NMAP, NetFlow, HTTP, SNMP, DHCP, LLDP, RADIUS.
Classification: the endpoint is classified based on its device fingerprint, built from the collected attributes.
Rich, Contextual Profiling in ISE
Simple Identity Simply Isn't Helpful Enough Anymore
POOR context awareness (simple identity):
Who are you? IP address 192.168.1.51
RESULT: any user, on any device, anywhere can get on the network
EXTENSIVE context awareness (richer identity):
Who are you? Bob
Which device? Tablet
Where are you? Building 200, 1st floor
When? 11:00 AM EST on April 10th
RESULT: the right user, on the right device, from the right place is granted the RIGHT ACCESS
What is Posture?
Posture = the endpoint's state of compliance with the company's security policy, for example:
Is the system running the current Windows patches?
Is antivirus installed? Is it up to date?
Is anti-spyware installed? Is it up to date?
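The profiling probes, certainty-based classification, posture checks and the contextual access decision they feed are shown together below as an added example written for this page, not ISE code. It is a simplified model: probes contribute attributes for an endpoint; each profile policy is a list of conditions that add a certainty factor when matched, and the profile with the highest total at or above its minimum certainty wins; posture evaluates the three checks listed above; an ordered, first-match authorization table then combines profile, posture and identity group. The endpoint attributes, profile names, certainty values, posture reports and result names are all constructed for the illustration.

```python
"""Profiling and posture as inputs to an access decision.

Added example, not ISE code: a simplified model of the profiler and posture
assessment. Attribute names, profile names, certainty values, posture reports
and authorization result names are constructed for the illustration.
"""

# Attributes as the probes would have collected them (constructed).
ENDPOINTS = {
    "00:1a:2b:3c:4d:5e": {"dhcp-class-identifier": "MSFT 5.0",
                          "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
                          "OUI": "Example Corp", "host-name": "LAPTOP-DOC01"},
    "a4:83:e7:11:22:33": {"dhcp-class-identifier": "iPad",
                          "User-Agent": "Mozilla/5.0 (iPad; CPU OS 9_3 like Mac OS X)",
                          "OUI": "Apple, Inc."},
    "d8:3a:dd:44:55:66": {"OUI": "Raspberry Pi Foundation"},  # only the OUI is known
}

# Profile policies: (attribute, substring to match, certainty factor gained).
PROFILES = {
    "Windows-Workstation": {"min_certainty": 20, "rules": [
        ("dhcp-class-identifier", "MSFT", 10), ("User-Agent", "Windows", 20)]},
    "Apple-iPad": {"min_certainty": 30, "rules": [
        ("OUI", "Apple", 10), ("dhcp-class-identifier", "iPad", 20), ("User-Agent", "iPad", 20)]},
    "Apple-Device": {"min_certainty": 10, "rules": [("OUI", "Apple", 10)]},
}

# Posture reports from the endpoint agent (constructed); a missing report means not assessed.
POSTURE_REPORTS = {
    "00:1a:2b:3c:4d:5e": {"os_patches_current": True, "av_installed": True,
                          "av_signature_age_days": 12, "antispyware_installed": True},
    "a4:83:e7:11:22:33": {"os_patches_current": True, "av_installed": True,
                          "av_signature_age_days": 1, "antispyware_installed": True},
}

# Authorization policy, evaluated top-down; the first matching rule wins.
AUTHZ_RULES = [
    ({"group": "guest"}, "GUEST_INTERNET_ONLY"),
    ({"posture": "NonCompliant"}, "QUARANTINE_REMEDIATION"),
    ({"posture": "Unknown"}, "POSTURE_REDIRECT"),
    ({"group": "employee", "profile": "Windows-Workstation"}, "EMPLOYEE_FULL"),
    ({"group": "employee", "profile": "Apple-iPad"}, "EMPLOYEE_BYOD"),
]
DEFAULT_RESULT = "DENY"


def profile(attrs):
    """Return (profile name, certainty) for the best-matching profile, or Unknown."""
    best, best_score = "Unknown", 0
    for name, policy in PROFILES.items():
        score = sum(cf for attr, needle, cf in policy["rules"] if needle in attrs.get(attr, ""))
        if score >= policy["min_certainty"] and score > best_score:
            best, best_score = name, score
    return best, best_score


def posture(report, max_signature_age_days=7):
    """Compliant only if every check passes; Unknown if no report was received."""
    if report is None:
        return "Unknown"
    checks = [
        report.get("os_patches_current", False),
        report.get("av_installed", False)
        and report.get("av_signature_age_days", 9999) <= max_signature_age_days,
        report.get("antispyware_installed", False),
    ]
    return "Compliant" if all(checks) else "NonCompliant"


def authorize(context):
    for conditions, result in AUTHZ_RULES:
        if all(context.get(key) == value for key, value in conditions.items()):
            return result
    return DEFAULT_RESULT


def decide(mac, group):
    """Full pipeline for one session: profile, posture, then authorization."""
    name, certainty = profile(ENDPOINTS.get(mac, {}))
    state = posture(POSTURE_REPORTS.get(mac))
    context = {"group": group, "profile": name, "posture": state}
    return {"mac": mac, "profile": name, "certainty": certainty,
            "posture": state, "result": authorize(context)}


if __name__ == "__main__":
    for mac, group in [("00:1a:2b:3c:4d:5e", "employee"),
                       ("a4:83:e7:11:22:33", "employee"),
                       ("d8:3a:dd:44:55:66", "guest")]:
        print(decide(mac, group))
```

The order of the authorization rules is the security-relevant part: posture failures are checked before any profile-based grant, so the doctor's laptop with 12-day-old antivirus signatures lands in remediation even though its profile alone would have earned full access, and an endpoint that never reported posture is redirected rather than silently granted. The Raspberry Pi, known only by its OUI, scores below every minimum certainty and stays Unknown, which is the correct outcome for a fingerprint that has not accumulated enough evidence.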


Operational Components of Cisco ISE
Cisco ISE High Level Flow
MODULE 6: Cisco ISE
ISE roles and deployment options
ISE Nodes and Personas
An ISE node (appliance or VM) runs one or more personas: Administration, Monitoring, Policy Service.
An Inline Posture node is a single-purpose node (appliance only).
Cisco ISE Nodes and Personas
Implementing Nodes, Personas, and Roles
Admin Node
Policy Service Node
Monitoring Node
pxGrid Services
Collector Agent
Inline Posture Node
Policy Server Node
Policy Synchronization
Cisco ISE Deployment Options
Up to 40 PSNs supported
Cisco ISE Communication Model
Cisco ISE with TrustSec Policy Enforcement
Leverage Existing Cisco TrustSec-enabled Network Hardware
Desired policy: who can talk to whom; who can talk to which systems; which systems can talk to other systems.
Benefits: simplifies policy implementation; enhances security and reduces complexity; accelerates server provisioning.
Example policy matrix: source groups Doctor/Laptop, Doctor/iPad, Guest/Laptop and Guest/iPad against destinations Patient Records, Employee Intranet and Internet.
Distributed enforcement throughout the network: access switch, router, data-center firewall, data-center switch.
ISE Simplifies Enterprise Secure Access
Utilize Vast Network Telemetry for Contextual Access Control
Confidential patient records: Who: Doctor; What: Laptop; Where: Office; When: 10 am
Internal employee intranet: Who: Doctor; What: iPad; Where: Office; When: 09 am
Internet: Who: Guest; What: iPad; Where: Office; When: 11 am
Transform plain-English rules into network policy
Secure access based on user, device, location, etc.
Leverage TrustSec-enabled hardware to enforce at ingress
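The plain-English rules above become two things in a TrustSec deployment: classification rules that assign a source group tag to a session at ingress, and a policy matrix keyed by source and destination group rather than by IP address. The following is an added example written for this page, not ISE or switch code, using the deck's doctor and guest rows. The tag numbers, group names, server-to-group mapping and the office-hours condition are assumptions made for the illustration.

```python
"""TrustSec-style group tags and a policy matrix.

Added example, not ISE or switch code: plain-English rules become tag-assignment
rules evaluated top-down on the session context (who, what, where, when), and a
matrix keyed by (source tag, destination group) decides whether a flow is permitted.
Tag numbers, group names, server mapping and the office-hours rule are assumptions.
"""

# Destination groups as the data-center enforcement point would learn them (constructed).
SERVERS = {"10.3.0.8": "Patient_Records", "10.2.0.5": "Employee_Intranet"}
DEFAULT_DGT = "Internet"

# Source group tags (numbers are assumptions).
SGT = {"Doctor_Managed": 10, "Doctor_BYOD": 11, "Guest": 20}

# Plain-English rules -> tag-assignment rules, first match wins.
# Each rule is (conditions on the session context, tag name).
CLASSIFICATION = [
    ({"role": "Doctor", "device": "Laptop", "managed": True,
      "location": "Office", "office_hours": True}, "Doctor_Managed"),
    ({"role": "Doctor"}, "Doctor_BYOD"),
    ({"role": "Guest"}, "Guest"),
]

# Policy matrix: (source SGT, destination group) -> permit. A missing cell is a deny.
MATRIX = {
    (10, "Patient_Records"): True, (10, "Employee_Intranet"): True, (10, "Internet"): True,
    (11, "Employee_Intranet"): True, (11, "Internet"): True,
    (20, "Internet"): True,
}
COLUMNS = ["Patient_Records", "Employee_Intranet", "Internet"]


def in_office_hours(hour):
    return 8 <= hour < 18  # assumption for the example


def assign_sgt(session):
    """Classify a session at ingress. A doctor outside office hours, or on an
    unmanaged device, gets the BYOD tag; an unknown role gets no tag at all."""
    ctx = dict(session)
    ctx["office_hours"] = in_office_hours(ctx.get("hour", 0))
    for conditions, tag in CLASSIFICATION:
        if all(ctx.get(key) == value for key, value in conditions.items()):
            return SGT[tag]
    return None


def destination_group(ip):
    return SERVERS.get(ip, DEFAULT_DGT)


def enforce(sgt, dst_ip):
    """Matrix lookup performed by whichever device carries the tagged traffic."""
    if sgt is None:
        return False  # untagged session: nothing to match, default deny
    return MATRIX.get((sgt, destination_group(dst_ip)), False)


def evaluate(session, dst_ip):
    sgt = assign_sgt(session)
    return {"sgt": sgt, "dst_group": destination_group(dst_ip), "permit": enforce(sgt, dst_ip)}


def matrix_rows():
    """The matrix as the slide draws it: one row per source tag, one column per destination."""
    return {name: [MATRIX.get((num, col), False) for col in COLUMNS] for name, num in SGT.items()}


if __name__ == "__main__":
    sessions = {
        "doctor/laptop": {"role": "Doctor", "device": "Laptop", "managed": True, "location": "Office", "hour": 10},
        "doctor/ipad": {"role": "Doctor", "device": "iPad", "managed": False, "location": "Office", "hour": 9},
        "guest/ipad": {"role": "Guest", "device": "iPad", "managed": False, "location": "Office", "hour": 11},
    }
    for who, session in sessions.items():
        for dst in ("10.3.0.8", "10.2.0.5", "198.51.100.7"):
            print(who, dst, evaluate(session, dst))
    print(matrix_rows())
```

Because the matrix is keyed by tag, the same policy holds whatever IP address the doctor's laptop gets from DHCP, and changing the doctor's entitlement is a change to one classification rule or one matrix cell rather than to ACLs on every enforcement point. The example also shows the default-deny behaviour for a session that matches no classification rule.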
Only Cisco ISE Delivers
Unmatched visibility: get a clearer picture of what's on your network
Unified access policy management: the RIGHT access, for the RIGHT person, in the RIGHT place
Secure device and access security: detect and remediate network threats
Complexity reduction: intelligent contextual access control
MODULE 6: Cisco ISE
pxGRID Overview
Cisco pxGrid
Integrate Your Security Technologies
The Cisco pxGrid (Platform Exchange Grid) is an open, scalable and IETF standards-driven data-sharing and threat control platform. It allows multiple security products to work together. Security operations teams can automate to get answers faster and contain threats faster.
The Cisco Platform Exchange Grid (pxGrid) allows you to integrate your application into the pxGrid, a multivendor, cross-platform network system that pulls together different parts of an IT infrastructure such as security monitoring and detection systems, network policy platforms, asset and configuration management, and identity and access management platforms, to name a few.
pxGrid Information Exchange Platform
pxGrid - Key Features
Context sharing control - Because pxGrid is customizable, you can publish only the specific information (context) that you want to share, and you can control which other pxGrid partner platforms it gets shared with.
Bidirectional context sharing - pxGrid enables partner platforms such as yours and others to either publish context or subscribe to context; you orchestrate and secure what is published and what is subscribed through the pxGrid controller, which resides on Cisco Identity Services Engine (ISE).
Share context data in native formats - You share contextual information in pxGrid using the native data format of your platform; pxGrid does the rest.
Connect to multiple platforms simultaneously - pxGrid enables you to publish only the context data that is relevant to pxGrid partner subscribers. You can customize numerous context topics for a variety of partner platforms, yet always share them via the same reusable pxGrid framework. By sharing only relevant data, both publishing and subscribing platforms are able to scale by eliminating irrelevant data.
Comprehensive SDK - The SDK for pxGrid contains tutorials, sample code, client libraries (in Java and C), sample data output, testing guides, testing resources and tools, as well as release notes; everything that you need to get started.
Cisco platform support - Cisco Identity Services Engine (ISE) is the first Cisco platform to implement pxGrid; expect more Cisco security platforms to support pxGrid throughout 2015. You can start to support pxGrid at any time.
MODULE 6: Cisco ISE
ISE and StealthWatch Integration
Cisco pxGrid Components
pxGrid controller: The controller orchestrates connections between platforms. It authorizes what contextual information gets shared between those platforms. This control function is provided by Cisco ISE.
pxGrid connection agent: A connection agent is integrated into the partner platform to communicate with the pxGrid controller. The platform configures what information to share and with which other partner platforms.
ISE and StealthWatch Integration
Cisco ISE integration provides additional layers of valuable security context: identity data and device data.
StealthWatch combines this information with NetFlow data, allowing it to create a unified picture of everything happening on an enterprise network.
Host Summary Screen (StealthWatch GUI)
Quarantine Host
By integrating with the latest version of Cisco ISE, the StealthWatch System also enables security administrators to perform mitigation actions, such as quarantining a host, directly from the StealthWatch Management Console (SMC).
Cisco ISE integration adds valuable security context and mitigation capabilities to the StealthWatch System.
How It Works
StealthWatch integrates with ISE through the Cisco Platform Exchange Grid (pxGrid), a unified framework that enables multivendor, cross-platform network technology collaboration. Cisco ISE and TrustSec deliver a wide range of identifying attributes, including but not limited to:
User identity
Network authorization
End device identification
Operating system and patch level
Device security posture
The location from which the user is trying to gain access
Which security group the user belongs to
Which resources the user is trying to access
The time of day
How the user is trying to obtain access, i.e., wired, wireless, VPN
Cisco ISE as Network Enforcer
Cisco ISE serves as a centralized policy engine that provides real-time
access control decisions for Cisco switches, routers, wireless and
security devices. This helps improve scalability and policy consistency.
Furthermore, when new threats are identified (for example, through
Lancope StealthWatch), Cisco ISE can send updated policy decisions for
the network to block attacks or compromised devices. This dynamic
policy capability:
Grants the right levels of access to the right users and devices
Limits the impact of data breaches through software-defined
segmentation and real-time threat response
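The controller, connection-agent and enforcer roles described in the pxGrid and ISE sections above, as an added model written for this page. It is not pxGrid's wire protocol nor the ISE or StealthWatch SDKs: the controller registers partner platforms, holds the grant table for which client may publish or subscribe to which topic, and delivers messages; ISE publishes session context that the flow analyzer uses to enrich an alarm with user and device, and the analyzer publishes a quarantine request that ISE turns into a change of authorization on the access device. Topic names, message fields, the CoA log and the session data are constructed for the illustration.

```python
"""Context sharing and quarantine through a pxGrid-style controller.

Added model, not pxGrid's protocol or the ISE/StealthWatch SDKs. The controller
(ISE) registers partner platforms, authorizes publish/subscribe per topic and
delivers messages; ISE publishes session context that a flow analyzer consumes,
and the analyzer publishes a quarantine request that ISE applies. Topic names,
message fields and the CoA call are constructed for the illustration.
"""
from collections import defaultdict


class PxGridController:
    """Orchestrates connections and authorizes what each client may publish/subscribe."""
    def __init__(self):
        self.grants = {}                      # client -> {"publish": set, "subscribe": set}
        self.subsc
        ribers = defaultdict(list)  # placeholder removed below
```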

You might also like