Cisco Digital Network Architecture

Similar documents
Cisco DNA. Digital Network Architecture.

Simplify and automate your network with Cisco DNA

Routing Underlay and NFV Automation with DNA Center

Delivering Enterprise SDN. Now. Simplify and Automate Your Network for Digital Transformation

Simplify and Automate Your Network with Cisco DNA. Brink Sanders Managing Director, Software and Network Transformation 12 May 2017

Network Automation and Branch Agility The Network Helps Enable Digital Business. Rajinder Singh Product Sales Specialist June 2016

Networking in the Digital Era

Enterprise Network Compute System (ENCS)

Cisco Digital Network Architecture:

Identity Based Network Access

DNA Automation Services Offerings

THE NETWORK. INTUITIVE. Powered by intent, informed by context. Rajinder Singh Product Sales Specialist - ASEAN August 2017

Cisco SD-WAN. Intent-based networking for the branch and WAN. Carlos Infante PSS EN Spain March 2018

Borderless Networks. Tom Schepers, Director Systems Engineering

Cisco Digital Network Architecture The Network Enables Digital Business. Rene Andersen Cisco DK

Cisco ISR G2 Management Overview

Next generation branch with SD-WAN and NFV

Transforming the Network for the Digital Business

Cisco.Network.Intuitive FastLane IT Forum. Andreas Korn Systems Engineer

Cisco SD-WAN and DNA-C

Več kot SDN - SDA arhitektura v uporabniških omrežjih

Digital Network Architecture

Deploying and Administering Cisco s Digital Network Architecture (DNA) and Intelligent WAN (IWAN) (DNADDC)

APIC-EM / EasyQoS - End to End Orchestration of QoS in Enterprise Networks

Cisco Exam Questions & Answers

Distributed Branch Deployment Costs

Exam Code: Exam Code: Exam Name: Advanced Borderless Network Architecture Systems Engineer test.

Cisco ONE for Access Wireless

Prepare for Digital Network Architecture, NFV, and SDN with Cisco ONE Software

Cisco TrustSec How-To Guide: Universal Configuration for the Cisco Wireless LAN Controller

Cisco Exam Questions & Answers

2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Compare Security Analytics Solutions

vbranch Introduction and Demo

Cisco ONE for Access Wireless

One Management Realized, with Cisco Prime Infrastructure Manage Complexity. Manage Effectively. Manage Intelligently. Closing

2012 Cisco and/or its affiliates. All rights reserved. 1

Cisco APIC-EM Components and Architecture, page 3. About the Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM), page 1

Cisco ONE Software BRKRST Dan Lohmeyer Senior Director, Software Strategy and Operations

Cisco Software-Defined Access

P ART 3. Configuring the Infrastructure

Simplifying the Branch Network

Next Gen Enterprise Management and Operations with Cisco DNA

Unleashed & Cloud Wi-Fi Updates

Cisco DNA Center FAQ

CertKiller q

Cisco Virtual Networking Solution for OpenStack

User Identity Sources

ForeScout Extended Module for MobileIron

Get Hands On With DNA Center APIs for Managing Intent

HiveManager Local Cloud

ForeScout Agentless Visibility and Control

Cisco ONE New Way Buying & Consuming Cisco NW Software! Thomas Latzer Enterprise Networking Lead Cisco Systems

Cisco APIC Enterprise Module Simplifies Network Operations

Cisco Secure Access Control

Cisco Software Defined Access (SDA)

Cisco Network Admission Control (NAC) Solution

Configuring Cisco Network Plug and Play

Supported Platforms for Cisco Path Trace, Release x. This document describes the supported platforms for the Cisco Path Trace, Release x.

ForeScout Extended Module for MaaS360

Extensive Secure Borderless Network Cisco and/or its affiliates. All rights reserved. 1

CISCO EXAM QUESTIONS & ANSWERS

Modelos de Negócio na Era das Clouds. André Rodrigues, Cloud Systems Engineer

Delivering the Wireless Software-Defined Branch

Video-Aware Networking: Automating Networks and Applications to Simplify the Future of Video

The network s impact on student and staff experience. Client-centric Analytics and Assurance Darren Smith Aruba Networks

Cato Cloud. Software-defined and cloud-based secure enterprise network. Solution Brief

Title DC Automation: It s a MARVEL!

Cisco.Realtests v by.TAMMY.29q. Exam Code: Exam Name: CXFF - Cisco Express Foundation for Field Engineers

Aruba Central. Tech Webinar, October 6 th Christian Dupont, Britto Jagadesh & Barath Srinivasan

PnP Deep Dive Hands-on with APIC-EM and Prime Infrastructure

User-to-Data-Center Access Control Using TrustSec Design Guide

Cisco Cloud Security. How to Protect Business to Support Digital Transformation

SD-Access Wireless: why would you care?

Configuring Cisco Mobility Express controller

PSOACI Tetration Overview. Mike Herbert

ForeScout Extended Module for VMware AirWatch MDM

VeloCloud Cloud-Delivered WAN Fast. Simple. Secure. KUHN CONSULTING GmbH

ExamTorrent. Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you

WHITE PAPER ARUBA SD-BRANCH OVERVIEW

Cisco Cloud Architecture with Microsoft Cloud Platform Peter Lackey Technical Solutions Architect PSOSPG-1002

Cisco Tetration Analytics

Automating Enterprise Networks with Cisco DNA Center

IWAN APIC-EM Application Cisco Intelligent WAN

Cisco - ASA Lab Camp v9.0

Cisco Virtual Managed Services

WHITE PAPER. Applying Software-Defined Security to the Branch Office

Read the following information carefully, before you begin an upgrade.

NETWORKING &SECURITY SOLUTIONSPORTFOLIO

Cisco Software-Defined Access

CMX Dashboard Visitor Connect

Intelligent Edge Protection

Secure IT consumeration (BYOD), users will like you How to make secure access for smart mobile devices

Cisco Wide Area Bonjour Solution Overview

Driving Performance with Application Velocity. Marc van Hoof, Product Manager Service Routing Tech Group

Delivering a Secure BYOD Solution with XenMobile MDM and Cisco ISE

Cisco ONE Software Overview. October 2017

A Practical Look at DNA Center: A better way to manage your network in the digital era. Hands-On Lab

Configuring Application Visibility and Control

Software-Defined Access 1.0

Transcription:

Cisco Digital Network Architecture CCIE Technical Series Webinar Jerome Henry jerhenry@cisco.com June 2016

CCIE Webinar Series OpenStack Technical Sessions focused on new technologies 4 6 Sessions per year OpenStack May 2015 Fog Architecture Fog Architecture August 2015 Cisco NetFlow and Big Data Analytics for Cybersecurity October 2015 OpenStack Neutron Deep Dive February 2016 DNA Deep Dive June 2016 Cisco NetFlow & Big Data Analytics https://learningnetwork.cisco.com/community/archived_events/ccie-community-events

Never Received an Invitation? Opt-In http://mkto.cisco.com/ccie-opt-in.html

Cisco DNA: Deep Dive

Cisco Digital Network Architecture Principles Network-enabled Applications Cloud Service Management Open APIs Developers Environment Automation Abstraction & Policy Control from Core to Edge Policy Orchestration Open & Programmable Standards-Based Virtualization Analytics Network Data, Contextual Insights Physical & Virtual Infrastructure App Hosting Insights & Experiences Automation & Assurance Security & Compliance Cloud-enabled Software-delivered

What s New: Cisco DNA Innovations New! New! New! APIC-EM Automation Platform Completely New Platform Available Now Base Automation: Plug and Play Available Now Cloud version Controlled Availability, May 2016 Policy Services: IWAN App & Easy QoS Available Now March 2016, respectively Enterprise NFV Branch Service Virtualization Controlled Availability, March 2016 CMX Cloud Presence Analytics and Connect Available Now, globally as local laws permit Network-enabled Applications Cloud Service Management Open APIs Developers Environment Automation Abstraction & Policy Control from Core to Edge Policy Orchestration Open & Programmable Standards-Based Virtualization Analytics Network Data, Contextual Insights Physical & Virtual Infrastructure App Hosting Cloud-enabled Software-delivered Available on DNA-Ready Infrastructure through Cisco ONE Software

Configuration Source Evolution to a Policy Model Express Business Intent Translate into device specific policy/configuration Leverage Abstraction (the controller knows about the device specifics) Automate the Deployment across the Network Insure Fidelity to the Expressed Intent (keep everything in sync) Automation Controller-Led Networking Deployment Protected Assets De-coupling of Production Servers Development Servers Internet Access Employee User Identity PERMIT anddeny Topology PERMIT (managed asset) Employee PERMIT DENY PERMIT (Registered BYOD) Much easier to translate business Employee (Unknown BYOD) DENY DENY PERMIT objectives to network functionality ENG VDI System Lowers DENY TCO PERMIT PERMIT Policy based Configuration Dynamic, able to be automated by the Controller Over time Policy grows, static shrinks Today Controller-based Automation Policy Policy Policy User policy based on user identity and user-to-group mapping Traditional Traditional Traditional

Controller-Led Networking Bridging the Gap to Increased Success in Network Deployment and Use Any given custom configuration has a very high probability of not being tested exactly as deployed individually as a one off which introduces potential issues The automated configuration deployed by the controller will have gone through Joint development by the Cisco Product Teams, the Architects developing Best Practices, and the Controller Team Blessed Configurations Testing by Cisco s Solution, System, and Devtest teams against the deployment use cases developed jointly, above And will be deployed by 1000 s, with any unforeseen situations addressed ASAP due to widespread and standardized deployment Automation Controller-Led Networking Deployment Risk Bugs Trust Uncertainty Problems Combinatorial Issues Greatly increased probability of success

Deploy, Report, Measure, Adjust, Repeat Analytics Network Data, Contextual Insights APIC EM Run Reports Deliver relevant content Applications Discover user insights Instrumentation Telemetry Correlation Network Measure and Adjust Click here to Correct Always Correct this way (and never ask me again) Analytics Endpoints Automated Deployment

Embracing Tools Devops Orchestration Automation tcollector Monitoring/ Analytics

What does this mean for You? (if you are old school networking) Hardware is specialized SW is tailored for specialized HW and functions Each device, each function is configured individually (and manually) Limited interfaces, optimized to handle route updates Engineered for DPI Different ASIC, can route close to HW speed Access switch (no L3) Hardware company spirit: Yesterday

What does this mean for You? (if you are old-school networking) Network has places and functions Still need efficient HW, but: Functions need to be flexible (add a function, not a box) Well-known tasks should be automated (tell me your business intent, the tool takes care of the details) Visibility into the flows allows you to improve your operations Deploy and manage as your business needs (centralized, distributed, standalone) Controller Virtualized Service Virtualized Service Virtualized Service Choose your function, press, done. Most customers just want a coffee: brn br1 Virtualization Int-n Int-1 OS Tomorrow

DNA Under-the-Hood

Automation: Plug and Play New! Cisco ONE Foundation Cloud-Based Plug and Play Order Plug in and Cloud Provision Controller-Based Management 79% Lower deployment costs PnP Available Now PnP Cloud May 2016 (controlled availability) Eliminates Plug and play means no more IT engineers in the field faster time to market and dramatically lowered costs. Staging Truck Roll

PnP: Pre-provision & Discover 1. Pre-provision 2. Discovery 3. Secure Deployment N-PnP App pre-provisioned w/ device SR# N-PnP app on APIC-EM Configure device discovery DHCP Option-43 or DNS Installer powers-on devices Devices securely downloads Image and Configuration Device Authentication Plug & Play Enterprise-wide Scale Automated workflow EM 1. Discovery 2. Un-claimed Devices 3. Secure Deployment Configure device discovery DHCP Option-43 or DNS Admin DHCP Server OR DNS Server Installer powers-on devices Devices securely connects to APIC-EM Server, waiting to be Claimed Device Authentication PnP-Agent PnP-Agent Download Image and Configure EM Installer Network admin claims devices based on device information Device downloads Image and configuration N-PnP app on APIC-EM DHCP Server OR DNS Server PnP-Agent PnP-Agent Download Image and Configure EM Installer EM Admin

1. Pre-provisioning Step 1a: Create Site Step 1a. The network admin creates a site for any new deployment on the Cisco APIC-EM PnP app Name the site and click Create `

1. Pre-provisioning Step 1b: Upload IOS Image File Upload allows to to save the image in APIC-EM. Once uploaded, the image is available across sites. Images tab allows to upload/manage images for the devices ` Step 1b. Network admin uploads the IOS images All available images, previous uploads, and new uploads will be listed here.

1. Pre-provisioning Step 1c: Upload Configuration File Upload saves the configuration in APIC-EM. Once uploaded, the configuration is available across sites. Configurations tab allows to upload/manage the configurations for the devices. Step 1c. Network admin uploads configuration files ` All available configurations, previous uploads, and new uploads will be listed here.

1. Pre-provisioning Step 1d: Create device entry If any external TFTP server is used for configurations and images, for a given site information must be entered here. This is not recommended. Step 1d. Create a device entry for the site created Add device Serial number Map Image (Optional) and Configuration file Name of device Device type Serial Number of device ` Select the image from an available list already loaded into the APIC-EM Drag and drop the device configuration here as a txt file or select from uploaded configurations

3. Device Deployment Step3a: DHCP based server discovery DHCP Server PnP Server The device receives PnP Server (APIC-EM) IP from DHCP option 43 Switch running PnP Agent The network admin remotely monitors the status of installation while in progress Installer Remote Installer Mount and cable devices Power on The device after authentication & authorization establishes Secure communication with PnP server

3. Device Deployment Step3a: Optional - DNS based server discovery DNS Server PnP Server Optionally devices resolves hostname pnpserver.localdomain to get PnP Server (APIC-EM) IP address The network admin remotely monitors the status of installation while in progress Installer Remote Installer Mount and cable devices Power on The device after authentication & authorization establishes Secure communication with PnP server

3. Device Deployment Step3b: Monitor device installation Click on Details to see full workflow details in APIC-EM Step 3b. Verify installation of devices ` Once devices get config, image, and certificates, the APIC-EM will show the device as provisioned.

APIC-EM IWAN is more than PnP Enterprise Network BRANCH Public Cloud Day 0 Plug-and-Play App Zero touch deployment of routers / switches / APs Accelerated roll-out: Eliminates tech visits and shrinks deployment from months to minutes Day 1 Cisco IWAN App Guided, fast auto-provisioning of IWAN solution with Cisco experts best practices From 1000 CLI commands to 10 GUI clicks per branch Day 2 Path Trace App Discover path between two end points based on 5-tuple flow Rapidly troubleshoot network issues and lower OPEX for trouble tickets

APIC-EM QoS Automation - Easy QoS Network Operators express high-level business-intent to APIC-EM EasyQoS Applications can ALSO interact with APIC-EM via Northbound APIs, informing the network of applicationspecific and dynamic QoS requirements EM Southbound APIs translate business-intent to platformspecific configurations as they are needed STATIC QoS DYNAMIC QoS

REST API REST API New: APIC-EM QoS Automation - Easy QoS CUCM calls APIC-EM 1. Client A calls Client B 2. 3. to setup Policy QoS Policy enabled on network device Optimal Experience Dynamic QoS in 250 ms Reduce voice jitter by 300% 50% improvement for video traffic CUCM calls APIC-EM 1. Calls End 2. 3. to setup Policy QoS Policy enabled on network device

Determining Business Relevance How Important is an Application to Your Business? Relevant These applications directly support business objectives Applications should be classified, marked and treated marked according to industry best-practice recommendations Default These applications may/may not support business objectives (e.g. HTTP/HTTPS/SSL) Applications of this type should be treated with a Default Forwarding service Irrelevant These applications do not support business objectives and are typically consumer-oriented Applications of this type should be treated with a less-than Best Effort service RFC 4594 RFC 2474 RFC 3662

EasyQoS GUI Step 1: Select a Scope for Policy Application

EasyQoS GUI Step 1: Select a Scope for Policy Application

EasyQoS GUI Step 2: (Optional) Change Application Business-Relevance

EasyQoS GUI Step 3: (Optional) Add Custom Applications

Security: StealthWatch and ISE Cisco ONE Adv. Security Extend Security Everywhere Rapid Threat Containment Quickly detect and stop threats General Availability in Cisco ONE May 2016 Wi-Fi Core WAN Cloud Network as a Sensor: Real-time situational awareness and rapid threat detection everywhere Infrastructure-Enforced Policy Network as an Enforcer: Software-defined segmentation with TrustSec for assurance and compliance Scales to handle dramatic threat increase The network touches every element of the digital enterprise every business process, device, customer, employee and therefore has the unique ability to detect, analyze, and prevent new forms of attack by flagging unusual network behavior.

Network as a Sensor (NaaS) Solution overview Collection & Behavior Analysis Enrichment with Global Threat Intelligence Unmatched Threat Protection The StealthWatch FlowCollector collects and analyzes data from various flow sources. Correlated flow data collected in (1) with a global threat feed (SLIC) Additional threat context by revealing what infected hosts are doing within the network.

Flexible Netflow = Wealth of Information Router# show flow monitor CYBER-MONITOR cache IPV4 SOURCE ADDRESS: 192.168.100.100 IPV4 DESTINATION ADDRESS: 192.168.20.6 TRNS SOURCE PORT: 47321 TRNS DESTINATION PORT: 443 INTERFACE INPUT: Gi0/0/0 IP TOS: 0x00 IP PROTOCOL: 6 ipv4 next hop address: 192.168.20.6 tcp flags: 0x1A interface output: Gi0/1.20 counter bytes: 1482 counter packets: 23 timestamp first: 12:33:53.358 timestamp last: 12:33:53.370 ip dscp: 0x00 ip ttl min: 127 ip ttl max: 127 application name: nbar secure-http

Enable Netflow in 3 easy steps 1 2 3 Configure Exporter Configure Flow Record Configure Monitor Where to Send This is usually IP Address of StealthWatch FlowCollector Router(config)# flow exporter my-exporter Router(config-flowexporter)# destination 172.27.1.1 What to Send Traffic flow record can be Customized to include certain fields from flow record Router(config)# flow record my-record Router(config-flowrecord)# match ipv4 destination address Router(config-flowrecord)# match ipv4 source address Router(config-flowrecord)# collect counter bytes Apply to Send Router(config)# flow monitor my-monitor Router(config-flowmonitor)# exporter myexporter Router(config-flowmonitor)# record myrecord Router(config)# interface s3/0 Router(config-if)# ip flow monitor my-monitor input

Locating Services and Application Search for assets based on transactional data: Ex. Protocol (HTTP Servers, FTP Server, etc) Identify servers and assets

Full Context Visibility Username Active directory details View Flows Devices and sessions

ID & Profiling Data NaaE (TrustSec) Segmentation based on roles Not based on IP addresses, VLANs etc Role based on context AD, LDAP attributes, device type, location, time, access methods, etc Use Tagging technology To represent logical group (Classification) To enforce policy on switches, routers, firewalls Software Defined Policy managed centrally Policy provisioned automatically on demand Policy invoked anywhere on the network dynamically Employee Company asset Device Type: Apple ipad User: Mary Group: Employee Corporate Asset: No Along with authentication, various data is sent to ISE for device profiling Personal asset AP Classification Result: Personal Asset SGT NetFlow DCHP DNS HTTP OUI RADIUS NMAP Wireless SNMP LAN Controller ISE Profiling ISE (Identity Services Engine) SGT Security Group Policy Distributed Enforcement based on Security Group Classify Propagate Enforce DC Resource Access Restricted Internet Only

NFV: Why Virtualization for the Enterprise Network? Mobility IoT Analytics Cloud Mobile traffic will Exceed wired traffic by 2017 IoT Devices will triple by 2020 76% of companies planning to or investing in Big Data 80% of organizations will primarily use SaaS by 2018 Multiple Devices Routers, Appliances, Servers Difficult to Manage Device integration and operation Costly to Operate Upgrades, refresh cycles, site visits

Introducing: Cisco Enterprise NFV Network services in minutes, on any platform Enterprise Service Automation (ESA) on APIC-EM Virtual Router (ISRv) Virtual Firewall (ASAv) Virtual WAN Optimization (vwaas) Virtual Wireless LAN Controller (vwlc) 3 rd Party VNFs Network Functions Virtualization Infrastructure Software (NFVIS) ISR 4000 + UCS E-Series UCS C-Series COTS

Freedom of Choice Cisco Intelligent Branch Traditional Enterprise NFV Physical Router Physical Router Virtual Services Virtual Router Virtual Services ISR 4000 Series ISR 4000 Series + UCS E-Series UCS C-Series/COTS Centralized Services Fixed Integrated Services Conservative Upgradable H/W Deterministic Routing Performance Late Adopter Elastic Routing and Services Performance Early Adopter Cisco ONE Access to Ongoing Innovation License Portability Investment Protection

Power in Software NFVIS Software Stack Plug-n-Play Server Console /SSH YANG APIC- EM/Prime Device Web Portal NFVIS CLI NETCONF REST Plug-n-Play Client Health Monitor HTTPS Orchestration API Virtualization Layer Hypervisor & vswitch Interface Drivers Linux Platform Drivers

Automated Orchestration, Management, Policy Enterprise Service Automation (ESA) Create standard profiles for different types of branches Cisco tested and validated designs Embedded approval process and versioning Zero-touch deployment Automated orchestration of platform and VNFs Service chaining and licensing Health monitoring Dynamic scaling of services Operational SLA management

ESA Intelligent Template Selection & Management Goal: create branch architecture profiles based on Business INTENT Prescriptive or customized templates Intent derived by intelligent template selection based on CVD questions Internet access characteristics Bandwidth Wireless ESA proposes suitable templates

Branch Profile Design Enterprise Service Automation Upload Devices to be shipped 1 2 Upload the Branch locations Custom Design a Profile 3 Select functions ISRv ASAv WAAS vwlc API Interface ESA + APIC-EM + Prime Infrastructure Platform Management ISR-4K + x86 on UCS-E vnam 4 NFVIS NFVIS = Network Function Virtualization Infrastructure Software 3 rd App VNF 1 App 2 App n n Hypervisor UCS x86 Server Virtual Switching Map to Branch(s) 7 Associate the templates & attributes 6 Pick validated topologies 5

Digital Services: CMX Cloud New! Cisco ONE Advanced Customer Insights and Engagement Presence Analytics Zone-based location analytics Connect Drag-and-drop customizable portal on demand Data on Storefront Conversion Frictionless Guest Onboarding Available Now CMX Cloud has helped us quickly gain business insights, so we can enhance the shopper experience at Santana Row with easy Wi-Fi onboarding, increased customer data, and improved customer engagement.

How CMX Cloud Works WLC 8.2 (today) Built on the Cisco Unified Access Platform Access Points WLAN Controller nmsp Connector (Proxy) https CMX Cloud (10.x) Web auth redirect Connect Captive Portal Presence Analytics Data Generate Customer Insights Increase Mobile Engagement Boost Customer Satisfaction

How CMX Cloud Works- WLC 8.3 (Summer) Built on the Cisco Unified Access Platform Access Points WLAN Controller https CMX Cloud Future WLC versions will have native proxy functionality and not require external box. Web auth redirect Connect Captive Portal Presence Analytics Data Generate Customer Insights Increase Mobile Engagement Boost Customer Satisfaction

The Cisco Validated Design (CVD) program Enhanced for DNA! Cisco Validated Design Program Design Guide The What & Why Deployment Guides & Tools The How Reference Network Architecture(s) Campus LAN and Wireless LAN Design Guide Enterprise Security Baseline for LAN, Wireless LAN, and WAN Campus LAN L2 Access with Simplified Distribution Deployment Cisco WAN Design Guide Intelligent WAN Technology Design Guide Internet Edge Design Guide User-to-Data-Center Access Control Using TrustSec IWAN Security for Remote Site DIA and Guest Wireless Technology Design Guide IWAN Application Optimization using Cisco WAAS and Akamai Connect Technology Design Guide Easy QoS Design Guide http://www.cisco.com/go/designzone

Training for a Next Generation Network Educate Enable Integrate Technology Tracks Learning Paths DevNet Zone DevNet membership 350,000+ 300+ Network Partners and Growing Roadshows and Pop-up Events DevNet Express Getting Started and API Reference Guides Sample Applications 1500+ Solutions Structured Training elearning Instructor-Led 40+ DevNet Learning Labs Community and Pay-for Developer Support 250+ Compatible Network Solutions Certification Program Coming in 2017 40+ Developer Sandboxes 9800+ Developers 4400+ Companies Cisco Professional Services 2500+ Partners Strong

Questions

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback