Professional Documents
Culture Documents
AJ Shah
SE
2018
Cisco Is Rewriting the Network Playbook
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Partner Confidential
Cisco Catalyst 9000 – Built for SD-Access
First in enterprise
• IOS® XE Software
• SD-Access integrated
• UADP 2.0 Converged ASIC
• Single Image
• Common Licensing
• Catalyst 9000 Series: 9300 – Fixed Access, 9400 – Modular Access, 9500 – Fixed Core
Industry’s unmatched
• x86 CPU with app hosting
• Programmable ASIC
• Software patching
• High Availability
• MultiGigabit density
• UPOE scale
Future-Proofed
• IEEE 802.11ax ready
• 100W PoE (IEEE 802.3bt) ready
• 25G Ethernet ready
Catalyst 9K Platform Transitions
Catalyst 9000 Series: Catalyst 9300, Catalyst 9400, Catalyst 9500
Previous platforms: Catalyst 3850 Copper, Catalyst 4500-E, Catalyst 4500X, Catalyst 3850 Fiber 48 port
Access Switching and Backbone Switching
Shift IT Time to Business Focus
• 67% network provisioning time savings
• 80% improved issue resolution
• 48% reduced security breach impact
• 61% reduced operating expense
Software Defined Access
Underlay, Overlay, and Controller
Controller-based Management
• Fabric Orchestration and Visibility
• Single User Interface for Fabric Management
Prescriptive Underlay
• Connects the network elements to each other
• Automated, standardized deployment and operation
• Leverages existing network topologies (not restricted to spine/leaf)
TODAY
• CLIs and scripts
• Manual configurations
• Script maintenance
• Wired access only
• Static network environments
• Slow and unpredictable workload change
• Hardware-centric
FUTURE
• Simple user interface
• Autonomic with control and visibility
• Orchestration with data models
• Extensibility with native 3rd party app hosting
• Open sourced programmable interfaces
• Seamless wired and wireless access
• Programmable using software
Digital Business Drivers
Requirement for Dynamic Policy Changes
Underlay Network
[Figure: Cisco Digital Network Architecture. Network Enabled Applications (GUI, customized) use APIs (UNI) into the DNA Center Enterprise Controller (APIC-EM, ISE, NDP): prescriptive service definition & orchestration, model-based service instantiation, intent, topology, Easy QoS, policy determination, telemetry and analytics. Below it, policy enforcement points (PEP) in the SDA campus fabric (segmentation), the WAN fabric (branch, WAN aggregation, SP WAN, Internet, cloud) and the ACI DC fabric (apps), with Network Function Virtualization (WAN, campus, DC and cloud VNFs) and localized or network-wide service chaining.]
Enterprise Switching and Wireless © 2017 Cisco and/or its affiliates. All rights reserved. 13
ISE in Enterprise
MOBILITY
TRUSTSEC
ANALYTICS
SD-ACCESS
Key Concepts
What is SD-Access?
1. High-Level View
2. Roles & Platforms
3. Fabric Constructs
• Host Database supports multiple types of Endpoint ID lookup types (IPv4, IPv6 or MAC)
Edge Node provides first-hop services for Users / Devices connected to a Fabric
• Register specific Endpoint ID info (e.g. /32 or /128) with the Control-Plane Node(s)
Border Node is an Entry & Exit point for data traffic going Into & Out of a Fabric
• Internal Border
• Used for “Known” Routes inside your company
• Exports all internal IP Pools to outside (as aggregate), using a traditional IP routing protocol(s).
• Exports all internal IP Pools outside (as aggregate) into traditional IP routing protocol(s).
Platforms (hardware, modules/optics, minimum software):
• Catalyst 3850: 1/10G SFP+, 10/40G NM Cards, IOS-XE 16.6.3+
• Catalyst 9500: 10/40G SFP/QSFP, 10/40G NM Cards, IOS-XE 16.6.3+
• Catalyst 6800: Sup2T/6T, 6840/6880-X, IOS 15.4.1SY4+
• ASR 1000-X/HX, ISR 4300/4400: 1/10G/40G, IOS-XE 16.6.3+
• Nexus 7700: Sup2E, M3 Cards, NXOS 8.2.1+
[Figure: SD-Access Fabric connected to Public Cloud, Internet and Unknown Networks. Supported platforms: AIR-CT3504, ISR 4430 (NEW), Catalyst 3560-CX, Wave 2 APs (1800, 2800, 3800), Catalyst 4500E, Catalyst 6800, Nexus 7700, ISR 4450, IE Series (4K/5K), Catalyst 3650 and 3850, ISRv/CSRv, Wave 1 APs* (1700, 2700, 3700); 3504 WLC, 5500 WLC, 8500 WLC. * with Caveats]
ISE / AD Automation
• DNAC simplifies the Fabric deployment, including the wireless integration component (policy abstraction and configuration)
Centralized Wireless Control Plane
• CAPWAP control plane and LISP control plane
• WLC still provides client session management, AP Mgmt, Mobility, RRM, etc.
• Same operational advantages of CUWN
Fabric enabled WLC:
• WLC is part of LISP control plane
BRKEWN-2020 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
Centralized Unified Wireless Network Strengths
ISE / AD, WLC, CAPWAP (Control), CAPWAP (Data)
• Network Overlay? CAPWAP
• L3 roaming across Campus? WLC as Mobility Anchor
• Simplified IP addressing? WLC as mobility Anchor
SD-Access Fabric
Fabric Enabled Wireless – A Closer Look
• Fabric Enabled WLC is integrated into Fabric for SDA Wireless clients (Ctrl: CAPWAP, Data: VXLAN)
• Fabric Enabled APs connect to the WLC (CAPWAP) using a dedicated Host Pool (Overlay)
• Nodes add a SGT to the Fabric encapsulation
• SGTs are used to manage address-independent
AJ Shah
Aug 2018
Cisco DNA Center – Easy to Start with Assurance
Intent-Based Networking
Cisco DNA Center
Cisco - SD Access
Cisco DNA Center Security
Cisco DNA Center Assurance
Telemetry protocols:
• CLI, SNMP, PnP, NETCONF
• NetFlow, SNMP, Syslog, streaming
Devices: Wireless AP, Catalyst(R) 2000/3000, Catalyst 4000/6000, Cisco Nexus(R) 7000, WLC, ISR/ASR, Wireless AP .11ac Wave 2, Catalyst(R) 3850, Catalyst 9000, IE, Catalyst WLC, ISR4K, NFV-IS
• Automate tools to discover outliers
• Root cause issues in a few Clicks
• Build Resilient and Reliable Networks
Overall Network Health
C97-739122-01 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Detecting encrypted threats
with network telemetry
Enhanced network as a sensor
Industry’s first network with the ability to find threats in encrypted traffic without decryption
Avoid, stop, or mitigate threats faster than ever before | Real-time flow analysis for better visibility
Secure and manage your digital network in real time, all the time, everywhere
ETA data features
Cisco research
Bestafera
How can we inspect encrypted traffic?
• Initial data packet: make the most of the unencrypted fields
• Sequence of packet lengths and times: identify the content type through the size and timing of packets
• Threat intelligence map: who’s who of the Internet’s dark side
Examples: C2 message, Data exfiltration
Malware detection using Cognitive Analytics
• Initial data packet
• Sequence of packet lengths and times
• Threat Intelligence Map
• Cloud-based machine learning
All three elements reinforce each other inside the analytics engine using them.
Finding malicious activity in encrypted traffic
• New Catalyst 9K* exports Enhanced NetFlow: telemetry for encrypted malware detection and cryptographic compliance
• Cisco Stealthwatch: metadata and cryptographic compliance
• Cognitive Analytics: malware detection
* Other devices will be supported soon
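The two flow-derived ETA elements above (the initial data packet and the sequence of packet lengths and times) can be shown concretely. The following Python is an added example written for this page, not Cisco's ETA, Stealthwatch or Cognitive Analytics code: it parses the unencrypted fields of a constructed TLS ClientHello, computes the length/time sequence from a constructed packet timeline, and flags a flow whose offered cipher suites are all on a constructed legacy list (the page's "cryptographic compliance" idea); the threat intelligence map is not modelled, and all names, packet bytes and policy values are assumptions.

```python
# Added example (not Cisco code): Initial Data Packet fields + SPLT from a constructed TLS flow.
def u16(b: bytes, i: int) -> int:
    return int.from_bytes(b[i:i + 2], "big")          # read big-endian uint16 at offset i
def be(v: int, n: int) -> bytes:
    return v.to_bytes(n, "big")                       # write v as n big-endian bytes

def parse_client_hello(rec: bytes) -> dict:
    """Read the unencrypted fields (version, cipher suites, SNI) of a TLS ClientHello."""
    assert rec[0] == 0x16 and rec[5] == 0x01, "not a ClientHello record"
    pos = 9                                   # skip record (5) + handshake (4) headers
    version, pos = u16(rec, pos), pos + 2 + 32    # client version, then 32-byte random
    pos += 1 + rec[pos]                       # session id
    cs_len, pos = u16(rec, pos), pos + 2
    suites = [u16(rec, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + rec[pos]                       # compression methods
    end, pos, sni = pos + 2 + u16(rec, pos), pos + 2, None
    while pos + 4 <= end:                     # walk extensions for server_name (type 0)
        etype, elen, pos = u16(rec, pos), u16(rec, pos + 2), pos + 4
        if etype == 0:                        # list_len(2) name_type(1) name_len(2) name
            sni = rec[pos + 5:pos + 5 + u16(rec, pos + 3)].decode("ascii")
        pos += elen
    return {"version": version, "cipher_suites": suites, "sni": sni}

def build_client_hello(suites, sni: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record so the example runs offline."""
    name = sni.encode("ascii")
    ext = be(0, 2) + be(len(name) + 5, 2) + be(len(name) + 3, 2) + b"\x00" + be(len(name), 2) + name
    body = (be(0x0303, 2) + bytes(32) + b"\x00" + be(2 * len(suites), 2)
            + b"".join(be(s, 2) for s in suites) + b"\x01\x00" + be(len(ext), 2) + ext)
    hs = b"\x01" + be(len(body), 3) + body
    return b"\x16\x03\x01" + be(len(hs), 2) + hs

def splt(packets, n: int = 5):
    """SPLT of the first n packets: (signed length, ms gap); negative = server->client."""
    times = [packets[0][0]] + [t for t, _, _ in packets[:n]]
    return [(size if to_server else -size, t - prev)
            for (t, size, to_server), prev in zip(packets[:n], times)]

# Constructed flow timeline (ms, bytes, client->server?) and a constructed compliance
# policy that treats legacy RSA-key-exchange suites (RC4, 3DES, AES-CBC-SHA) as weak.
FLOW = [(0, 517, True), (42, 1460, False), (43, 1200, False),
        (45, 93, True), (46, 51, False), (200, 180, True)]
LEGACY_SUITES = {0x0004, 0x0005, 0x000A, 0x002F, 0x0035}
def analyze_flow(first_packet: bytes, packets) -> dict:
    """One flow record for a detection engine: SNI, SPLT and a crypto-compliance flag."""
    idp = parse_client_hello(first_packet)
    weak = all(s in LEGACY_SUITES for s in idp["cipher_suites"])
    return {"sni": idp["sni"], "splt": splt(packets), "weak_crypto": weak}
```

Only header bytes, sizes and timestamps are read; no payload is decrypted, which is the point of the approach.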
• Similar principle and behavior as HSRP / VRRP
• The same Switch Virtual Interface (SVI) is present on EVERY Edge, with the same Virtual IP and MAC