How to deploy a Cisco campus network in 10 minutes? New technologies for automation and analytics in Cisco enterprise networks. Denis Kodentsev, Consulting Engineer, CCIE
The new era of Cisco networks, announced June 20, 2017
- DNA Center: an innovative solution for deploying and managing the enterprise network and its network services
- DNA Assurance & Analytics: analysis and proactive detection of problems
- Software-Defined Access: a universal network fabric with dynamic microsegmentation
- Enhanced Network as a Sensor: detection of malware in encrypted traffic (without decrypting it)
- Catalyst 9000 switches: the first switches purpose-built for DNA
- Subscription-based licensing: additional services from Cisco
$60B* per year is spent worldwide on operating network infrastructure (staff, tooling). Why do companies spend so much?
- Traffic will grow 10x* by 2019
- IT teams have to support more connected devices (user devices as well as others, IoT for example)
- IT teams have to deal with a growing number of vulnerabilities and security threats
Enterprise networks today are complex
[Diagram: HQ, WAN, Remote and Branch A sites carrying VLAN 1, VLAN 2, VLAN 3, VLAN A and VLAN B]
- Managing a large number of VLANs
- Working with different networks
- Working with many different policies: LAN, WLAN, WAN, data centre
- Scaling increases operational complexity
Cisco Digital Network Architecture (DNA) overview
[Diagram: principles listed as Cloud Service Management, Open APIs and Developers Environment, Automation (Abstraction & Policy Control from Core to Edge), Analytics (Network Data, Contextual Insights), Open & Programmable, Standards-Based, Virtualization & ENFV, Physical & Virtual Infrastructure, App Hosting, Security & Compliance, Cloud-enabled, Software-delivered; layers shown as Network-enabled Applications, Insights & Experiences, Automation & Assurance, Policy Orchestration in DNA Center, and SD-A / SD-WAN]
DNA Center: a single interface for automation and analytics
[Diagram: DNA Center exposes the simple workflows Design, Provision, Policy and Assurance; it is built on Identity Services Engine, APIC-EM and the Network Data Platform and manages routers, switches, wireless controllers and wireless APs]
Why do we need DNA Center?
What is SD-Access? Key concepts and terminology
- DNA Controller: the enterprise SDN controller (e.g. DNA Center) provides GUI management and abstraction via apps that share context
- Identity Services: external identity system(s) (e.g. ISE) are used for dynamic endpoint-to-group mapping and policy definition
- Analytics Engine: external data collector(s) (e.g. NDP) are used to analyse endpoint-to-application flows and monitor fabric status
- Control-Plane Nodes: the map system that manages endpoint-to-device relationships
- Fabric Border Nodes: fabric devices (e.g. core) that connect external L3 network(s) to the SDA fabric
- Fabric Edge Nodes: fabric devices (e.g. access or distribution) that connect wired endpoints to the SDA fabric
- Fabric Wireless Controller: a fabric device (WLC) that connects wireless endpoints to the SDA fabric
- Intermediate Nodes: the underlay devices between the edge and border nodes
Why Software-Defined Access? Is your campus network facing some, or all, of these challenges?
- Host mobility (without stretching VLANs)
- Network segmentation (without implementing MPLS)
- Role-based access control (without end-to-end TrustSec)
- Common policy for wired and wireless (without using multiple tools)
- Consistency across campus, WAN and branch (without using multiple tools)
With DNA SD-Access you can overcome these challenges and give your organization the infrastructure it needs to meet its business objectives. This session looks into the DNA SD-Access architecture, with a closer look at each of the technologies that bring it to life.
How is Cisco DNA Center built?
DNA automation and analytics: architecture
[Diagram: GUI and API on top of DNA Center (Design, Provision, Policy, Assurance); the DNA Automation app (Policy Infrastructure Controller, EN module) and DNA Assurance (Network Data Platform); Cisco ISE 2.3 Identity Services Engine attached via API; southbound NETCONF, SNMP, SSH, AAA, RADIUS and EAPoL towards the SDA fabric; HTTPS, NetFlow and syslog coming back from Cisco switches, routers and wireless]
Full-cycle automation
[Diagram: inside DNA Center, DNA Automation pushes network and telemetry configuration and maintains network inventory, topology and configuration; DNA Assurance consumes streaming telemetry and network data and returns telemetry, alerts and violations]
Integration of ISE and DNA Center: automating policy and access control
[Diagram: Cisco Identity Services Engine (authentication, authorization policies, groups and policies) and Cisco DNA Center (fabric management, policy authoring workflows) exchange data over pxGrid and REST APIs; both act on the campus fabric]
Correlation and machine learning
Ingest network and contextual telemetry, process and analyze the streams of data, visualize and act.
- Phase 1, Data Processing: data cleaning, feature creation, data normalization and enrichment, baselining and trending, relationship modelling
- Phase 2, Complex Event Processing: behaviour analysis, anomaly detection, pattern recognition
- Phase 3, Machine Learning: event clustering and correlation, prediction, natural language processing, recommendation
Outcome: real-time visibility and one-click (drill-down) root cause analysis
Analysis of the health of every network client
Summary: Is the client connected and is the link connection good?
Wired client health:
- Connected, throughput issues, link error
- Key services: DNS reachable
- Onboarding: port up/down (yes/no); authenticated and IP address obtained (yes/no)
(BRKCRS-2814)
Streaming telemetry: extended telemetry where and when it is needed
With streaming telemetry (FCS in July in the 16.6 train) we will support collection of many KPIs as close as possible to real time.
Subscription: programmable interfaces on the physical and virtual network infrastructure (NETCONF, RESTCONF, gNMI); open and native YANG data models for configuration (device features such as BGP, QoS, ACL) and operational data; SNMP
Publication: periodic or on change; structured data; priority subscriptions; customized to the recipient; XML or JSON encoding; NETCONF or HTTP/2 transport; increased scale; reduced CPU and bandwidth consumption
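As an added example (not from the presentation), the following Python builds the YANG-push subscription a collector sends over NETCONF to request periodic or on-change telemetry, and parses a constructed push-update notification into per-interface error counters, the raw material for the "link error" verdict in the client-health view. The module namespaces are assumed to be those of the IETF yang-push drafts that IOS-XE 16.6 implemented, and the sample notification is constructed, not captured from a device.

```python
import xml.etree.ElementTree as ET

# Namespaces of the ietf-event-notifications / ietf-yang-push drafts and
# ietf-interfaces (assumed: the slides name NETCONF and YANG, not modules).
NS_EN = "urn:ietf:params:xml:ns:yang:ietf-event-notifications"
NS_YP = "urn:ietf:params:xml:ns:yang:ietf-yang-push"
NS_IF = "urn:ietf:params:xml:ns:yang:ietf-interfaces"

def build_subscription(xpath, period_cs=None):
    """<establish-subscription> body for an XPath filter. period_cs is the
    push period in centiseconds; None requests on-change push instead."""
    rpc = ET.Element("establish-subscription", {"xmlns": NS_EN, "xmlns:yp": NS_YP})
    ET.SubElement(rpc, "stream").text = "yp:yang-push"
    ET.SubElement(rpc, "yp:xpath-filter").text = xpath
    if period_cs is None:
        ET.SubElement(rpc, "yp:dampening-period").text = "0"  # on-change
    else:
        ET.SubElement(rpc, "yp:period").text = str(period_cs)  # periodic
    return ET.tostring(rpc, encoding="unicode")

def _leaf(intf, tag):
    return (intf.findtext(".//{%s}%s" % (NS_IF, tag)) or "").strip()

def parse_push_update(xml_text):
    """Map interface name -> oper-status and error counters taken from a
    yang-push notification carrying ietf-interfaces operational state."""
    counters = {}
    for intf in ET.fromstring(xml_text).iter("{%s}interface" % NS_IF):
        counters[_leaf(intf, "name")] = {
            "oper-status": _leaf(intf, "oper-status"),
            "in-errors": int(_leaf(intf, "in-errors") or 0),
            "out-errors": int(_leaf(intf, "out-errors") or 0),
        }
    return counters

def link_errors(counters, threshold=0):
    """Interfaces whose error counters exceed the threshold: the 'link
    error' condition of the client-health summary."""
    return sorted(name for name, c in counters.items()
                  if c["in-errors"] + c["out-errors"] > threshold)

# Constructed sample push-update (not captured from a real device).
SAMPLE_PUSH = """<notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0">
 <eventTime>2017-07-01T10:00:00Z</eventTime>
 <push-update xmlns="urn:ietf:params:xml:ns:yang:ietf-yang-push">
  <subscription-id>2147483648</subscription-id>
  <datastore-contents-xml>
   <interfaces-state xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
    <interface><name>GigabitEthernet1/0/1</name><oper-status>up</oper-status>
     <statistics><in-errors>0</in-errors><out-errors>0</out-errors></statistics></interface>
    <interface><name>GigabitEthernet1/0/2</name><oper-status>up</oper-status>
     <statistics><in-errors>120</in-errors><out-errors>3</out-errors></statistics></interface>
   </interfaces-state>
  </datastore-contents-xml>
 </push-update>
</notification>"""
```

Sending the RPC needs a NETCONF session (for example ncclient's dispatch); the parser is transport-independent and works on the notification text as received.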
Collecting context information: ISE
- Notification of end-user authentication and authorization (positive/negative)
- Notification of group-based policy being downloaded by devices
- End-user identity and context
- pxGrid: SGT bindings, group-based policies
- Telemetry: SGT applied to port, policy enforcement status, SGT counters
- Access policy push: device-level enforcement and changes, access policy application and changes
- Identity and end-user information: end-to-end visibility
Collecting context information: IPAM (Infoblox Grid)
The Infoblox Grid publishes over pxGrid and DNA Center subscribes; RESTful API and SNMP are also used.
Per pool:
- Network block
- Start / end address
- Lease time
- Addresses assigned
- Options assigned
General information:
- Pool name or ID
- Pool state (enabled / disabled)
General stats (per pool and per client device):
- Any latency values
- Number of Discovers, Offers, Requests, ACKs, Declines and NAKs
Ease of use, example 1: the home page. What are the main problems in your network? The landing page tells you:
- The overall health of your network, clients and applications
- Where in the world the most serious issues are happening
- Your top 10 issues and trends
Assurance data: variety, velocity, volume and veracity
- Variety: incorporation of diverse network data types
- Velocity: accurate alerting for fast root cause analysis
- Volume: live end-to-end visibility brings together multiple data sources at high volumes and speeds
- Veracity: reliable scoring to assess client health in real time
Ease of use, example 3: instantly finding the causes of problems with the SDA fabric and/or CTS policies
1. A quick visual of the fabric overlay tells you where you might have issues
2. Assurance-enabled path trace tells you where policies are failing
What does the network lifecycle look like with DNA Center?
DNA Center - Design (step 1): set up management and underlay reachability
1. Set up sites, buildings and floors
   - Organize your regions, cities and buildings
   - Import floor plans in CAD, PNG or JPG
   - Virtual layout of routers, switches and APs
2. Set up global and site-specific settings
   - Establish a common set of global servers
   - Each site inherits the settings of the level above
   - Override global settings with site-specific ones
3. Set up IP address pools or IPAM
   - IP address management uses the site hierarchy
   - Add or modify IP pools manually
   - You can also import from IPAM tools via APIs
4. Set up wireless SSID settings
   - Manage fabric wireless WLANs per site
   - Associate the SSIDs with IP pools
   - Automated setup of the WLC and APs via APIs
DNA Center - Policy (step 2): set up VNs, EIGs and policies
1. Set up virtual networks
   - Add scalable groups to a virtual network
   - A default virtual network is created automatically
   - Option to add / remove virtual networks
   - Enables the VN ID on SDA-enabled devices*
2. Set up scalable groups
   - Option to import groups from ISE (or AD)
   - Option to create groups via static mapping
   - Enables the SGT ID on SDA-enabled devices*
3. Manage group policies
   - Groups provide native SGT-based segmentation
   - Intra-VN policies are set to default permit or default deny
   - Create simple to / from group-based policies
4. Manage VN policies*
   - VNs provide native VRF network segmentation
   - Inter-VN policies are mapped to firewall instances*
* External connectivity requires manual configuration. Automation is planned for a later release.
DNA Center - Provision (step 3): set up the overlay control and data plane
1. Set up fabric domains
   - Add devices to one of the configured sites
   - A default fabric domain is created automatically
   - Option to add / remove fabric domains
2. Add devices and assign roles
   - Add SDA-capable devices to the fabric domain
   - Designate one or more devices as Border and Control
   - All other devices are configured as Edge
3. Set up host onboarding
   - Add the various IP pools to the fabric domain
   - Designate IP pools for wired or wireless
   - Define host authentication and its options
   - Option to statically assign pools to ports
4. Advanced settings (optional)
   - Enable multicast in the fabric domain
DNA Center - Assurance (step 4): real-time data collection and event correlation
1. Assurance dashboard
   - Network health scores (based on 360 views)
   - Graphical status view of health and alarms
   - Track common network issues and trends
   - Universal search for elements of the network
2. Device 360 views
   - Summary and real-time device statistics
   - Track issues and trends of each device
   - View connected neighbours, clients and apps
3. Client 360 views
   - Summary and real-time client statistics
   - Track issues and trends of each client
   - Initiate a path trace per client application
4. Application 360 views
   - Summary and real-time app statistics
   - Track issues and trends of each app
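As an added example (not from the presentation and not DNA Center's own code), this Python models the segmentation decision defined in the Policy step and enforced once the fabric is provisioned: VNs isolate traffic as VRFs, so traffic between two VNs exists only where a firewall instance is mapped to that VN pair; within a VN an explicit to/from group policy wins, otherwise the VN's default permit or deny applies. The VN, group and firewall names are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Endpoint:
    vn: str   # Virtual Network: a VRF on the fabric
    sgt: str  # Scalable Group Tag, from ISE or a static mapping

@dataclass
class FabricPolicy:
    # vn -> "permit" | "deny": the intra-VN default
    intra_vn_default: dict = field(default_factory=dict)
    # (src_sgt, dst_sgt) -> "permit" | "deny": explicit to/from group policies
    group_rules: dict = field(default_factory=dict)
    # frozenset({vn_a, vn_b}) -> firewall instance that handles the VN pair
    inter_vn_firewall: dict = field(default_factory=dict)

    def decide(self, src, dst):
        """Return (verdict, reason); verdict is 'permit', 'deny' or
        'firewall' (traffic is handed to the mapped firewall instance)."""
        if src.vn != dst.vn:
            fw = self.inter_vn_firewall.get(frozenset((src.vn, dst.vn)))
            if fw is None:  # VRFs are isolated unless explicitly connected
                return "deny", "no path between VRFs %s and %s" % (src.vn, dst.vn)
            return "firewall", "inter-VN policy on %s" % fw
        rule = self.group_rules.get((src.sgt, dst.sgt))  # directional
        if rule is not None:
            return rule, "group policy %s -> %s" % (src.sgt, dst.sgt)
        default = self.intra_vn_default.get(src.vn, "permit")
        return default, "intra-VN default for %s" % src.vn

    def matrix(self, endpoints):
        """Verdict for every ordered pair of endpoints, keyed by SGT names."""
        return {(a.sgt, b.sgt): self.decide(a, b)[0]
                for a in endpoints for b in endpoints}

# Constructed sample policy: an open Campus VN, a default-deny IoT VN,
# and a single firewall instance joining the two (names are hypothetical).
POLICY = FabricPolicy(
    intra_vn_default={"Campus": "permit", "IoT": "deny"},
    group_rules={("Contractors", "Employees"): "deny",
                 ("Cameras", "NVR"): "permit"},
    inter_vn_firewall={frozenset({"Campus", "IoT"}): "FW-DC-1"},
)
EMPLOYEE = Endpoint("Campus", "Employees")
CONTRACTOR = Endpoint("Campus", "Contractors")
CAMERA = Endpoint("IoT", "Cameras")
NVR = Endpoint("IoT", "NVR")
GUEST = Endpoint("Guest", "Guests")  # VN with no firewall mapping
```

Printing POLICY.matrix([EMPLOYEE, CONTRACTOR, CAMERA, NVR]) gives the same to/from grid the Policy workflow presents, which is a useful check that a default-deny VN really is closed before it is provisioned.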
How about a demo?
And what about Cisco Enterprise NFV?
Previously ENFV required three systems
[Diagram: Enterprise Services Automation (ESA) handles provisioning (profile-to-serial-number mapping, serial number and IP for the host); APIC-EM / Prime Infrastructure holds the Day 0/1 configuration repository and does PnP provisioning over REST; the branch office NFVIS host (IP, vswitch, WAAS, IPS) connects to the WAN]
ESA, PI and APIC-EM work together when a branch is brought up.
2017 Cisco and/or its affiliates. All rights reserved.
Now a single DNA Center is enough, including for Enterprise NFV.
Summary
DNA Center capabilities = DNA software subscription (Cisco ONE Suites or à la carte model)
- Essentials: Layer 2, routed access, base automation and monitoring
- Advantage: full L3, segmentation, Software-Defined Access, ETA & Assurance
Available for the current Catalyst 3K, 4K and 6K and the next-generation Catalyst 9K series. Cisco ONE Suite Essentials includes ISE Base. Ongoing innovation, license portability, software support included, OpEx preference, lower entry costs.
What you will need: simplified view
- Consoles: DNA Center console, ISE console
- Software: ISE Base & Plus and StealthWatch; DNA license (included in Cisco ONE Advantage); network/OS license (shipped with the device)
- Servers: DNA Center, ISE, StealthWatch
- Network: switches, access points, routers
Thank you! Questions?