Cisco Digital Network

Enterprise Networks - Cisco Digital
Network Architecture - Introducing

the Network Intuitive
Tammy Getschel, Channel Systems Engineer

Feb 2018
© 2016 Cisco and/or its affiliates. All rights reserved. 1

Agenda
• It’s a Digital World!
• Automating your network with DNA Center

• Gaining Deep Insights with Assurance and Analytics
• Summary

2
It’s a digital world!

What is the Risk of Digital Disruption?
• According to the Global Center for Digital Transformation in a survey of
941 companies:
40%
of today’s Top-10 incumbents
(in terms of market share)
will be digitally disrupted
in 5 within the next 5 years
https://www.imd.org/uupload/IMD.WebSite/DBT/Digital_Vortex_06182015.pdf
http://www.economist.com/news/business/21647317-messaging-services-are-rapidly-growing-beyond-online-chat-message-medium

Why Transform Digitally?
• According to Harvard Business Review, companies that master

digital transformation generate:
9% more revenue than their industry peers, and
26% more profits than their industry peers
https://hbr.org/product/leading-digital-turning-technology-into-business-transformation/17
Digital Transformation is Moving IT to the Boardroom
UPS My Choice Workforce Efficiency Starbucks Apps

Delivery Control WIP Inventory and Order Ahead
Personalized Service Part Tracking Skip the Line
Customer Experience American Express

Personalized Service
Physical and Virtual
Through Mobile
RFID Content
© 2016 Cisco and/or its affiliates. All rights reserved. TECCRS-2700 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 6 6
Cisco Enterprise Networking Vision
Transform our customers’ businesses

through powerful yet simple networks.
Digital Business Demands Application Agility
“…While other components of the IT infrastructure have become more

programmable and allow for faster, automated provisioning, installing
network circuits is still a painstakingly manual process...”
— Andrew Lerner, Gartner Research

Agility Requires Faster Network Provisioning
Deployment Speed
Network Expenses
Computing Networking
100%
67%
33%
0
Seconds 0 10 100 1000
CAPEX OPEX
Source: Forrester Source: Open Compute Project
80 % Time IT spends on operations 57 % CEOs are worried about IT strategy

not supporting business growth

KeyChallenges
Key Challengesfor
forTraditional
TraditionalNetworks
Networks
Difficult to Segment Complex to Manage Slower Issue Resolution
Ever increasing number of Multiple steps, Separate user policies for

users and endpoint types user credentials, complex wired and wireless networks
interactions
Ever increasing number of Unable to find users
VLANs and IP Subnets Multiple touch-points when troubleshooting
Traditional Networks Cannot Keep Up!

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
10
© 2016 Cisco and/or its affiliates. All rights reserved.
The Network.
Digital NetworkIntuitive.
Architecture (DNA)
Powered by Intent. Informed by Context.
LEARNING
Network-enabled Applications
DNA Center Cloud Service Management

Policy | Orchestration
Open APIs | Developers Environment Automation

& Assurance
Policy Automation Analytics
Automation Analytics
Principles IAbstraction
N T E Nand T Policy Control NetworkCData,
ONT EXT Security &
from Core to Edge Contextual Insights
Compliance
Intent-based
Open and Programmable | Standards-based
Network Infrastructure Insights &
Virtualization Experiences
Physical and Virtual Infrastructure | App Hosting
Cloud-enabled | Software-delivered
SECURITY
11
Introducing DNA Center
Realizing vision of the intent-powered intuitive network
Assurance and
Policy Automation
Analytics
Translate business intent Reduce manual operations Use context to turn data into
into network policy and cost associated with intelligence
human errors
Industry Best-Practices Proactive Issue

Decouple Policy from
Configuration and Policy Identification and
Network Topology
Compliance Resolution
DNA Solution DNA Center
Cisco Enterprise Portfolio Simple Workflows
DESIGN PROVISION POLICY ASSURANCE
DNA Center
Identity Services Engine Automation Analytics
Routers Switches Wireless Controllers Wireless APs

Automating your Network with
DNA Center

Network Changes for Automation
Standard Change: Settings Update (Syslog, NTP)
• Automated Change Request Password Update

• No Approval Required
• Fully owned by Network Engg
team with minimal to zero Port Settings, VLAN changes
downtime
Network
Changes
Non-Standard Change
New device/site deployment
• Require Approval by Change

Board Software Update
• May require service disruption
• Co-ordination with Application New service/Update service
team during change window

Impediments to Automation
21% ACL updates
• Organizational structures 12%
New lab configurations
Different groups
10% Hardware upgrades
• Lack of internal standards 65%
Standard 7%
Snowflakes! changes Fleet standardizations
15% Other
• History Enterprise
Network
e.g. ACL CLIs change 8% Hardware upgrades
requests.
7% Feature configs:
• Standard vs.non-standard changes 35% IP/Routing
New
initiatives 4% Power shut-downs
3% Feature configs:
Security
2% ACL updates
12% Other

What are Standard Network Changes ??
Routers Switches WLC’s
AAA Configuration AAA Configuration AAA Configuration

DNS/DHCP Servers DNS/DHCP Servers DNS/DHCP Servers Standard Changes :
NTP Servers NTP Servers NTP Servers
Syslog Servers Syslog Servers Syslog Servers o No Approval Required
Netflow Collectors Netflow Collectors Netflow Collectors o Minimal to Zero Disruption
SNMP/SSH/Telnet SNMP/SSH/Telnet SNMP/SSH/Telnet
Non-Standard Changes :
Interfaces Configuration Interfaces Configuration SSID’s
ACL’s Spanning Tree RF

o Requires Approval
Dial Plans VLAN Security/Crypto
o May require service
Vrf Security/Crypto QOS
disruption
Routing Protocols QOS AVC
o May need co-ordination
Tunnels/DMVPN AVC
with other teams (App,DC
Security/Crypto etc) during change window
QOS
AVC
© 2016 Cisco and/or its affiliates. All rights reserved. 17 17

BRKNMS-1499
Network Settings Update (Standard) DESIGN
Use Case:
DHCP
Server DNS • Adding a new Syslog (Ex:
Server
North EMEAR Splunk) in the network
America
• SoX requirements to update
password every 6 months
Syslog South AAA

Site2
Server America Server
Benefits:
• Repeated manual error prone
Site1
Africa tasks automated
Syslog
• Eng get additional time to focus
Server on design and deployment
AAA • Standard change automation
Server removes the lead time to make
changes
Network Deployment Consistency using Profile DESIGN
Driven Automation § Plan for the network deployment

§ Feature and Capabilities to be
Network Before enabled based on requirements
Design § Topology for network
deployment
§ Automated Day 0 Deployment

Deployment During § Version management of Profile
for Day 2 Change Management
Standardization
Profile Based
Deployment § Configuration Compliance
Validation against Profile
Network After § Remediation of Configuration to
Compliance Golden Config
Simplified Network Integrated IT

Deployment
Configuration Consistency Process Flows 19
DESIGN
Workflows are foundational to Automation!

• Drive consistency into the architecture via design profiles for WAN and Campus
Both physical and virtual
Open Design Add Site Add or Add

Add Areas and Properties under appropriate Add SP Create WAN
> Network Import IP
Buildings images into Profile Profile
Hierarchy Network Settings Pools
repository
Select device, WAN and

Create sub LAN settings, add
Customize Network Select golden
pools for required virtual Services
Settings and image for
Credentials per Sub Services, NFVIS, virtual
Area or Site LAN, Add custom
services
Management CLI configs
at sub area or Save and
site associate Site

PROVISION
DNA Center automates the Deployment and Operations

Network PnP IWAN Topology
• Plug-and-play Application UI App Discovery
REST API
• Software / config / license management PnP Service

DNA Center
Controller
• Ensuring that Hardware is not EoL PnP Protocol
HTTPS/XML based
(Cisco Active Advisor) Open schema
PnP Server
protocol Centralized server

• Software Image management (SWIM) Auto-provision device w/ images
& configs.
Northbound REST APIs
PnP Agent
Runs on Cisco® switches,

routers,
and wireless AP
Automates discovery and
provisioning
Visualize Software Images
• For a given Device Family,

view :
All images
Image Version
Number of Devices using a
particular image
• Image Repository to
centrally store Software
Images, VNF Images and
Network Container Images

22 22
PROVISION
Manage Software Images

• Import Images/SMU from :
Cisco.com
URL(http/ftp)
Local PC
Another managed network device
• Remote File Server

Localized file server for software
distribution
File server mapped to site hierarchy

23
Open Interfaces and Integrations
Flexibility Accessibility Expansibility
Platform extensibility for building API and Data Models across multiple Integrations with complimentary
custom apps stages in DNA Stack platforms *
Firehose * Cisco Assets
Graph API
Industry
Connectors Contextual Search Integrations

* : roadmap post FCS 24
LEARNING
THE NETWORK.
INTUITIVE.
Powered by intent,
informed by context.
INTENT CONTEXT
SECURITY

Intent-Based
Legacy QoS Policy Application Policy
ip access-list extended APIC_EM-MM_STREAM-ACL
remark citrix - Citrix
permit tcp any any eq 1494
permit udp any any eq 1494
remark citrix-static - Citrix-Static
permit tcp any any range 2512 2513
permit udp any any range 2512 2513
remark pcoip - PCoIP
remark timbuktu - Timbuktu
remark xwindows - XWindows
remark vnc - VNC
permit udp any any range 5900 5901
exit
ip access-list extended APIC_EM-SIGNALING-ACL
remark h323 - H.323
POLICY
Evolution to a Policy Model

• Express Business Intent
• Translate into device specific policy/configuration
• Leverage Abstraction (the controller knows about the device specifics)
• Automate the Deployment across the Network
• Insure Fidelity to the Expressed Intent (keep everything in sync)
Protected Assets
Production Servers Development Servers Internet Access
Employee De-coupling DENY

PERMIT
of PERMIT
Automation
(managed asset)
Employee
User Identity and Topology Controller-Led
Networking Deployment
Source
PERMIT DENY PERMIT

(Registered BYOD)
Much easier to translate business objectives to
Employee
(Unknownnetwork functionality—Lowers TCOPERMIT
DENY DENY
BYOD)
ENG VDI System DENY PERMIT PERMIT
User policy based on user identity

and user-to-group mapping

POLICY
Policy types
Access Policy Access Control Policy Application Policy

↓ ↓ ↓
Authentication/ Who can access what Traffic treatment
Authorization
Group Assignment Rules for x-group access QoS for Application

Based on Permit group to app Path Optimization
Authentication methods Permit group to group Application compression
Application caching
DB
Th
Th
Th

POLICY
1. Access Policies
• Access to the network is governed by ISE
SIEM Identity (e.g. Active
Credentials
Directory)
CASB
pxGrid
Profiling
Authenticate & ISE Posture
Location
Vulnerability
Behavior
Analytics
Authorize
Groups &
(AAA)
Policy
users
things
Scalable
Groups
Network
POLICY
2. Access Control Policies

• Access Control (who can talk to who) is governed by DNA Center
Leverages ISE for group assignments
Authenticate & ISE DNA Center
Policy Authoring
Authorize
(AAA) Groups &
Policy Workflows
users
Fabric Management
things
Network

DNA Automation – Access Control Policy Authoring

DNA Automation – Access Control Policy Authoring

Gaining Deep Insights with
Assurance and Analytics

Main Operational Challenges
95% 70% 75%
Network Changes Policy Violations OpEx spent on

Performed Manually Due to Human Error Network Visibility and
Troubleshooting
Source: 2016 Cisco Study
Traditional Networking CANNOT Keep Pace with the Demands of Digital Business
Business Value Propositions of Network Analytics
Automation for Faster Reveal Make Data Focus on

Results Hidden Patterns Driven Decisions Important Things

ASSURANCE
Architectural Requirement #1: Instrumentation
Collect relevant metrics

ASSURANCE
Architectural Requirement #2: On-Device Analytics
Categorize metrics by degrees of relevance

ASSURANCE
Architectural Requirement #3: Telemetry
Collector
EM
Upload critical metrics off the device to collector(s)

(optimally via model-based streaming-telemetry)
ASSURANCE
Architectural Requirement #4: Scalable Storage
Provision long-term storage, retrieval and representation of network metrics and events

ASSURANCE
Architectural Requirement #5: Analytics Engine
Identify anomalies and trends

ASSURANCE
Architectural Requirement #6: Machine Learning
Correlate all data points and permutations for cognitive and predictive analytics

ASSURANCE
Architectural Requirement #7: Guided Troubleshooting
Analytics
Engine
EM
Identify root cause of issues by contextually correlating data

ASSURANCE
Architectural Requirement #8: Self-Remediation
Do you want to take the

recommended action?
Network Analytics
Controller Engine Yes No
Always No
EM EM
Present actionable insights to the operator

Solicit input to remediate the root cause
Present a self-remediation option

LEARNING
THE NETWORK.
INTUITIVE.
Powered by intent,
INTENT CONTEXT
SECURITY

Cisco DNA Architecture
DNA Software Capabilities

Cloud Service Management
Virtualization
DNA-Ready Physical and Virtual infrastructure
Security

Cisco DNA Architecture—Automation and Analytics
Virtualization
NCP NDP:
Network Controller Platform NDP Network Data Platform
NCP
(Network Controller) (Analytics Engine)
EM EM

Cisco DNA Architecture—Automation and Analytics
Virtualization
NCP Assuring
the Intent NDP:
Network Controller Platform NCP NDP Network Data Platform
(Network Controller) EM EM (Analytics Engine)
Abstraction layer
Analyzing the Outcome

Delivering the Intent Intent Outcome within the Context of the
expressed Intent
Cisco DNA Architecture—DNA Center
DNA Center User Interface
A single pane of glass for Design, Policy, Provisioning, and Assurance
NCP NDP
EM EM
DNA Center Appliance

Cisco DNA Architecture—DNA Center: Assurance
å

LEARNING
THE NETWORK.
INTUITIVE.
Powered by intent,
INTENT CONTEXT
SECURITY

Transforming the Network with Big Data Analytics
Volume Velocity
Data size Data speed Action

• TB per day • Firehose
• Streaming telemetry, • Streaming, low-latency
NetFlow, Syslog, SNMP, logs push/pull
Insight
Variety Veracity
Information
Data forms Data trustworthiness
• Structured, unstructured • Quality, validity
• Switch, router, AP, • Internal, partner, public
IoT sensor, firewall, Data
load balancer, DHCP, DNS
Extract meaningful insights from data Analytics Create value at the right time

Network Data Platform (Internal) Architecture NDP
EM
Data Collection and Ingestion Data Correlation and Analysis Data Visualization and Action
Network Assurance netWorth
FW LB WLC Sensor
Network
Telemetry CEP (*) Machine Learning Correlation
in the Cloud
Streaming
SNMP NetFlow Syslog Telemetry ...
Collector and Analytics Pipeline SDK
Data Models and Restful APIs

LDAP AAA TOPOLOGY LOCATION ITSM
Time Series Analysis

DNS DHCP INVENTORY POLICY ITFM
System Management Portal

Contextual Data
Network Data Platform

© 2016 Cisco and/or its affiliates. All rights reserved. CEP = Complex Event Processing 52
Contextual Correlation Example
NetFlow
AVC
DDI Dest IP: 2.2.2.2
NDP
Stream
ISE
Processing
Source IP: 1.1.1.2 Dest Port: 80
?
Topology
?
Location
Device
Dest Port: 80 ?
Dest IP: 3.2.2.2

NetFlow
AVC
NDP
Stream
ISE
Processing
Source IP: 1.1.1.2 Dest Port: 80 ?
Topology
?
Location
Device
Dest Port: 80 ?
Dest IP: 3.2.2.2

NetFlow
AVC
NDP
ISE Stream Source IP: 1.1.1.2 Dest Port: 80
Processing
Topology
?
Location
Dest Port: 80
Device
Dest IP: 3.2.2.2

Group: Marketing User: George Baker
NetFlow
AVC
NDP
Processing
Topology
Location
Dest Port: 80
Device
Dest IP: 3.2.2.2

NetFlow
AVC
NDP
Processing
Topology
Location
Dest Port: 80
Device
Dest IP: 3.2.2.2

NetFlow
AVC
NDP
Processing
Topology
Location
Dest Port: 80
Device Building 24 1st Floor
Dest IP: 3.2.2.2

NetFlow
AVC
NDP
Processing
Topology
Location
Dest Port: 80
Device Building 24 1st Floor
Dest IP: 3.2.2.2

Client Density
Problem Here...
LEARNING
THE NETWORK.
INTUITIVE.
Powered by intent,
INTENT CONTEXT
SECURITY

What is Machine Learning?
• Machine learning is an application of artificial intelligence (AI) that provides systems the ability to
automatically learn and improve from experience without being explicitly programmed to do so
• The process of learning begins with observations of data, and looking for patterns within the data so as to
make increasingly better correlations, inferences and predictions
• The primary aim is to allow these systems to learn automatically without human intervention or
assistance and adjust actions accordingly

Project Kairos Anomaly detection across hundred of thousands of
Machine Learning
For Wireless, Wired and IOT
devices, dozen of thousands of gears and hundreds
of heat maps
Netflix
Internet Video
Access Points
Facebook
Instagram
YouTube
Cognitive Analytics Device Type

Project
Machine Kairos
Learning
For Wireless, Wired and IOT
Identify and proactively adapt to a failure

before it happens
Cognitive Analytics Predictive Analytics

Anomaly detection

Machine Learning Algorithms
build their models using ~
hundreds of inputs ~
~ ~
~
~ ~
~
~ ~
RF & EDCA
~
behavioral
~
metrics,..
Application metrics, user

Device type, OS release, feedback, failure rate, ...
behavioral metrics, ... Queuing, Dropping, WRED
behavioral metrics…
CUCM ... and more
ISE
WAN & core
network metrics ..
WAN
DHCP
Office Site Network Services DC

APs APIC-EM
Mobile Clients
Local WLCs

LEARNING
THE NETWORK.
INTUITIVE.
Powered by intent,
INTENT CONTEXT
SECURITY

Can we Actually Solve This?
80% 41%
of organizations are Of attacks used encrypted
victims of malicious activity traffic to evade detection
How do you Analyze Metadata without decrypting traffic flows?
Encrypted Traffic
Non-Encrypted
Traffic
Providing Security While Maintaining Privacy!

Encrypted Traffic Analytics
Analyze netflow metadata without

decrypting traffic flows
Global-to-local knowledge correlation -

99.99% threat detection accuracy
Encrypted traffic analytics from

Cisco’s newest switches and routers
Security with Privacy

Summary

Key Takeaways
Intent Driven Networking Starts with Policy
Profile Based Deployment simplifies Day 0 Deployment and

Day 2 Change Management
Automation must be thought holistically, as some of the

simple tasks take the most amount of time
Assurance must be outcomes driven and not problem based

It’s a Journey!
Basic Advanced
Automated Deployment Consistent Across Network Fabric Self-Driving Automation

Plug and Play, Configure once and deploy Closed Loop through Network
Step 1 Day 0 Deployment everywhere - SD-Access Analytics and Machine Learning
Network admin
previsions devices in
Cisco Network Plug ISE / AD NAE / PI DNA Center
and Play applications Admin HTTP

Proxy DNA Center Network
APIC- Analytics
EM Platform
Step 2 Internet
Onsite installer with
mobile app installs and
powers on devices, B B
triggers deployment,
checks status Installer
Step 3 SDA SDA

New devices contact
Campus Campus
Cisco Network Plug and
Play application to get Fabric Fabric
provisioned
Network admin can

remotely monitor
Exists Today install status New Future
© 2016 Cisco and/or its affiliates. All rights reserved. One Point of Management: All from Cisco DNA Center 76
Thank you.

Cisco Digital Network

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Cisco Digital Network

Hochgeladen von

Copyright:

Verfügbare Formate

Enterprise Networks - Cisco Digital

Network Architecture - Introducing

Tammy Getschel, Channel Systems Engineer

© 2016 Cisco and/or its affiliates. All rights reserved. 1

• Automating your network with DNA Center

© 2016 Cisco and/or its affiliates. All rights reserved. 2

© 2016 Cisco and/or its affiliates. All rights reserved. 3

in 5 within the next 5 years

© 2016 Cisco and/or its affiliates. All rights reserved. 4

• According to Harvard Business Review, companies that master

9% more revenue than their industry peers, and

26% more profits than their industry peers

UPS My Choice Workforce Efficiency Starbucks Apps

Customer Experience American Express

Transform our customers’ businesses

“…While other components of the IT infrastructure have become more

© 2016 Cisco and/or its affiliates. All rights reserved. 8

80 % Time IT spends on operations 57 % CEOs are worried about IT strategy

© 2016 Cisco and/or its affiliates. All rights reserved. 9

Difficult to Segment Complex to Manage Slower Issue Resolution

Ever increasing number of Multiple steps, Separate user policies for

Traditional Networks Cannot Keep Up!

DNA Center Cloud Service Management

Open APIs | Developers Environment Automation

Industry Best-Practices Proactive Issue

DESIGN PROVISION POLICY ASSURANCE

Routers Switches Wireless Controllers Wireless APs

© 2016 Cisco and/or its affiliates. All rights reserved. 13

© 2016 Cisco and/or its affiliates. All rights reserved. 14

• Automated Change Request Password Update

• Require Approval by Change

© 2016 Cisco and/or its affiliates. All rights reserved. 15

© 2016 Cisco and/or its affiliates. All rights reserved. 16

AAA Configuration AAA Configuration AAA Configuration

ACL’s Spanning Tree RF

© 2016 Cisco and/or its affiliates. All rights reserved. 17 17

Syslog South AAA

Driven Automation § Plan for the network deployment

§ Automated Day 0 Deployment

Simplified Network Integrated IT

Workflows are foundational to Automation!

Open Design Add Site Add or Add

Select device, WAN and

© 2016 Cisco and/or its affiliates. All rights reserved. 20

DNA Center automates the Deployment and Operations

• Software / config / license management PnP Service

protocol Centralized server

Runs on Cisco® switches,

• For a given Device Family,

© 2016 Cisco and/or its affiliates. All rights reserved.

Manage Software Images

• Remote File Server

© 2016 Cisco and/or its affiliates. All rights reserved. 23

Flexibility Accessibility Expansibility

© 2016 Cisco and/or its affiliates. All rights reserved.

© 2016 Cisco and/or its affiliates. All rights reserved. 25

Evolution to a Policy Model

Employee De-coupling DENY

PERMIT DENY PERMIT

ENG VDI System DENY PERMIT PERMIT

User policy based on user identity

© 2016 Cisco and/or its affiliates. All rights reserved. 27 27

Access Policy Access Control Policy Application Policy

Group Assignment Rules for x-group access QoS for Application