BRKCRS-2502 Optimizing Enterprise Networks through SD-AVC (Software Defined Application Visibility and Control). Guy Keinan
Cisco Spark: Questions? Use Cisco Spark to communicate with the speaker after the session. 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space. cs.co/ciscolivebot#brkcrs-2502. 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Guy Keinan, SW Development Manager, NBAR2 & SD-AVC
Agenda: Introduction (Why?), NBAR2, SD-AVC, Q&A, Homework, Wrap up
Unprecedented Demands on the Network
- Digital disruption: 63 million new devices online every second by 2020 [1]; lack of business and IT insights
- Complexity: 3X spend on network operations vs. network [2]; slow and error-prone operations
- Security: 6 months to detect a breach [3]; unconstrained attack surface
1: Gartner Report, Gartner's 2017 Strategic Roadmap for Networking. 2: McKinsey Study of Network Operations for Cisco, 2016. 3: Ponemon Research Institute Study on Malware Detection, Mar 2016
Main Operational Challenges (source: 2016 Cisco Study)
- 95% of network changes performed manually
- 70% of policy violations due to human error
- 75% of OpEx spent on network visibility and troubleshooting
Traditional networking CANNOT keep pace with the demands of digital business
Cisco Application Recognition (SD-AVC/NBAR2): application recognition fuels several core solutions: Cisco SD-WAN, Cisco EasyQoS, Assurance, Security. The Network. Intuitive.
NBAR2
Cisco Application Recognition
NBAR2 is a powerful Network Based Application Recognition engine, a complete remake. Variety of features: protocol pack hitless upgrade, attributes, sub-classification and more. Wide cross-platform support (same code everywhere):
- Routers: ISR4K, ASR1K, CSR1K, ISRv, ISR1100, ISRG2
- Switches: Cat3K, Cat9K
- Wireless: AireOS WLC (5520/8540), IOS APs, NG APs (3800/1850)
- NAM
NBAR2 Classification, main things to keep in mind:
- Stateful classification per session (5-tuple flow)
- Not only Deep Packet Inspection (DPI) but a combination of different techniques: DNS snooping; statistical classification (machine learning); behavioral classification; learning of main services and servers; customization
- Slow-path and fast-path model
Application Recognition: Rising Challenges
The Cisco Live US 2017 Challenge
NBAR2/SD-AVC @ CLUS17: with NBAR2, this is what we DID see [application breakdown charts, encrypted apps highlighted]
Cisco Application Recognition at CLUS 17:
- Less than 1% unknown
- Less than 1% unclassified encrypted traffic
- 10G of traffic at less than 14% CPU utilization (ASR1002-HX)
Very good classification of encrypted traffic at good performance.
Ready to Dive?
NBAR2 Classification, a bit of terminology:
- Flow == a session, identified by a 5-tuple (src IP, src port, dst IP, dst port, VRF)
- Socket == identified by a 3-tuple (dst IP, dst port, VRF); usually a server
- FIF == First packet In the Flow
- Bypass == no processing, just quick forwarding
NBAR2 Classification, high-level overview:
- Slow path (NBAR2, ~5% of packets): classifies the flow based on packet processing, potentially on the first packet (First In Flow, FIF classification), and programs the fast path with the classification result
- Fast path (flow table, ~95% of packets): completely bypasses NBAR2 processing and uses the programmed classification
NBAR2 Classification, simplified (slow path) [pipeline diagram]: FIF -> Payload -> Advanced -> Cache result.
- FIF stage: provisioned L3/L4 rules and SD-AVC rules; handles more than 80% of the flows
- Payload stage: pattern matching, multi-packet
- Advanced stage: machine learning, behavioral, cross-flow
NBAR2 Classification, detailed [engine diagram]:
- (1) FIF only: L3/L4 rules, custom IP cache, socket cache, pre-flow cross-flow look-up table (LUT), DNS-AS, L3 LUT
- (2) First payload only: custom WKP payload, WKP entry, heuristic logic, Single-Packet Engine (SPE)
- (3) Multi-packet: Multiprotocol Text Parser (MTP), Multi-Packet Engine (MPE), statistical engine, IANA or VM
- Results program the flow table (NBAR bypass management); the app tracker listener stores the result for the current flow's next packets (cache bundle) and for future flows (cross-flow LUT)
- Each engine reports success or fail; on fail, processing continues with the next engine or an engine helper
WKP = Well Known Packet
NBAR2 Socket Cache Classification, example:
1. A client opens a flow to the MySQL server at 10.10.10.1:3306. The first flow gets full classification (MySQL) and NBAR2 learns the socket.
2. The result is cached in the socket cache:
   Dst IP       Dst Port   Application
   10.10.10.1   3306       MySQL
3. Subsequent flows to 10.10.10.1:3306 need no processing: the cached result is used.
4. The socket is re-validated every time interval.
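The slow-path/fast-path split and the socket cache from the MySQL example above, as an added toy model (not Cisco's NBAR2 code). The re-validation interval, the server greeting bytes and the flow sequence are constructed for the demo; the "slow path" only recognises the MySQL handshake greeting so that the caching behaviour is visible.

```python
"""Added example (not Cisco code): a toy model of the NBAR2 slow path / fast path
split with a socket cache, using the MySQL scenario from the slides.
Flow records, timings and the server greeting below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

Socket = Tuple[str, int, str]  # (dst IP, dst port, VRF), the 3-tuple defined on the slides

@dataclass
class CacheEntry:
    app: str
    learned_at: float   # when the socket was (re)validated
    hits: int = 0

@dataclass
class Classifier:
    revalidate_after: float = 300.0                              # assumed re-validation interval (seconds)
    socket_cache: Dict[Socket, CacheEntry] = field(default_factory=dict)
    slow_path_runs: int = 0
    fast_path_hits: int = 0

    def slow_path(self, payload: bytes) -> str:
        """Stand-in for the full DPI engine: it only knows the MySQL server greeting
        (4-byte packet header followed by protocol version 0x0a)."""
        self.slow_path_runs += 1
        if len(payload) > 4 and payload[4] == 0x0A:
            return "mysql"
        return "unknown"

    def classify(self, dst_ip: str, dst_port: int, vrf: str, payload: bytes, now: float) -> str:
        """Classify the first payload packet of a flow to dst_ip:dst_port in vrf."""
        sock = (dst_ip, dst_port, vrf)
        entry = self.socket_cache.get(sock)
        if entry is not None and now - entry.learned_at < self.revalidate_after:
            # Fast path: use the programmed result, no packet processing
            entry.hits += 1
            self.fast_path_hits += 1
            return entry.app
        # Slow path: full classification, then learn (or re-validate) the socket
        app = self.slow_path(payload)
        if app != "unknown":
            self.socket_cache[sock] = CacheEntry(app=app, learned_at=now)
        return app

# Constructed MySQL server greeting: length/seq header, protocol version 10, version string
MYSQL_GREETING = bytes.fromhex("4a0000000a") + b"5.7.30\x00"

def run_demo() -> dict:
    """Ten flows inside the interval, then one after it: only the first and the
    last go through the slow path; the other nine hit the socket cache."""
    c = Classifier()
    apps = [c.classify("10.10.10.1", 3306, "global", MYSQL_GREETING, now=float(i)) for i in range(10)]
    apps.append(c.classify("10.10.10.1", 3306, "global", MYSQL_GREETING, now=400.0))
    return {"apps": apps, "slow": c.slow_path_runs, "fast": c.fast_path_hits,
            "cached": list(c.socket_cache)}

if __name__ == "__main__":
    print(run_demo())
```

Unknown results are deliberately not cached: caching a failed classification would pin the socket to "unknown" until the next re-validation, which is the opposite of what the learning step is for.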
Classification and Encryption
NBAR2/SD-AVC encrypted traffic techniques
Outside the organization (usually non-collaborative):
- SSL handshake analysis: certificate, Server Name Indication (SNI)
- DNS traffic analysis
- Machine learning / statistical classification
Inside the organization (usually collaborative):
- Customization of SSL certificates and DNS domains
- Server and client discovery based on NBAR2
- SD-AVC external sources (more on this later)
NBAR2 Encryption Classification
Automatic (signature), for example the server-name pattern for YouTube:
  (.*[.])?((youtube(-nocookie)?|ytimg|googlevideo)[.]com)|youtu[.]be
Custom:
  cisco(config)#ip nbar custom CCSOC composite server-name "*ccsocdev.net"
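What "SSL handshake analysis" on the SNI amounts to, as an added example that is not NBAR2 code: a minimal TLS ClientHello is constructed, the host_name is pulled out of its server_name extension, and the name is matched first against the YouTube signature regex above and then against the custom `server-name` glob from the `ip nbar custom` command. The ClientHello builder, the fallback label "ssl" and the way a glob is applied are assumptions made for the example.

```python
"""Added example (not NBAR2 code): extract the SNI host_name from a TLS ClientHello
and classify it with a signature regex and a custom server-name glob."""
import re
import struct
from fnmatch import fnmatch
from typing import List, Optional, Pattern, Tuple

# Signature regex from the slide, anchored; applied to the SNI (or certificate) name
SIGNATURES: List[Tuple[str, Pattern]] = [
    ("youtube", re.compile(r"^((.*[.])?((youtube(-nocookie)?|ytimg|googlevideo)[.]com)|youtu[.]be)$")),
]
# Custom rule as created with: ip nbar custom CCSOC composite server-name "*ccsocdev.net"
CUSTOM_SERVER_NAMES: List[Tuple[str, str]] = [("CCSOC", "*ccsocdev.net")]

def build_client_hello(server_name: str) -> bytes:
    """Constructs a minimal TLS 1.2 ClientHello record with one SNI extension (test input)."""
    host = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list        # extension_type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32                                 # client_version + random
            + b"\x00"                                                  # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                       # one cipher suite
            + b"\x01\x00"                                              # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes) -> Optional[str]:
    """Walks a ClientHello record and returns the host_name from the SNI extension, or None."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                              # not a handshake record / not a ClientHello
    p = 9 + 2 + 32                               # record hdr, handshake hdr, version, random
    sid_len = record[p]; p += 1 + sid_len
    cs_len = struct.unpack_from("!H", record, p)[0]; p += 2 + cs_len
    cm_len = record[p]; p += 1 + cm_len
    if p + 2 > len(record):
        return None                              # no extensions block at all
    ext_total = struct.unpack_from("!H", record, p)[0]; p += 2
    end = min(p + ext_total, len(record))
    while p + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, p); p += 4
        if etype == 0x0000 and elen >= 5:
            q = p + 2                            # skip server_name_list length
            name_type = record[q]
            name_len = struct.unpack_from("!H", record, q + 1)[0]
            if name_type == 0:
                return record[q + 3:q + 3 + name_len].decode("ascii", "replace")
        p += elen
    return None

def classify_server_name(name: str) -> str:
    """Signatures first, then custom rules; generic 'ssl' when nothing matches (assumed label)."""
    name = name.lower()
    for app, pattern in SIGNATURES:
        if pattern.match(name):
            return app
    for app, glob in CUSTOM_SERVER_NAMES:
        if fnmatch(name, glob):
            return app
    return "ssl"

def classify_client_hello(record: bytes) -> str:
    sni = extract_sni(record)
    return classify_server_name(sni) if sni else "ssl"

if __name__ == "__main__":
    for host in ("www.youtube.com", "portal.ccsocdev.net", "www.example.org"):
        print(host, "->", classify_client_hello(build_client_hello(host)))
```

The SNI is client-supplied and unauthenticated, which is why a policy built on it should be a visibility or path-selection signal rather than a security boundary; the certificate check listed on the slide is the stronger of the two handshake signals.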
NBAR2 DNS Classification, example:
1. A DNS request for cisco.webex.com passes the router; regex pattern matching on the name identifies Webex.
2. The DNS response carries 10.10.10.1; the router stores the mapping in the IP cache:
   IP           Application
   10.10.10.1   webex
3. The first (encrypted) packet of a flow to 10.10.10.1 is classified as webex from the IP cache alone.
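The DNS snooping sequence above as an added example (not NBAR2 code): a constructed DNS A response for cisco.webex.com is parsed, the queried name is matched against a Webex regex, the answered IPs are written into an IP cache, and the first packet of an encrypted flow to that IP is then classified without any payload. The response builder and the Webex regex are assumptions for the example.

```python
"""Added example (not NBAR2 code): DNS snooping into an IP cache, then
first-packet (FIF) classification of an encrypted flow from that cache."""
import re
import struct
from typing import Dict, List, Pattern, Tuple

DNS_SIGNATURES: List[Tuple[str, Pattern]] = [("webex", re.compile(r"^(.*[.])?webex[.]com$"))]

def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_dns_response(name: str, ips: List[str], txid: int = 0x1234, flags: int = 0x8180) -> bytes:
    """Constructs a DNS message: one question, one A record per IP (test input only)."""
    hdr = struct.pack("!HHHHHH", txid, flags, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)            # QTYPE A, QCLASS IN
    answers = b""
    for ip in ips:
        # name = pointer to offset 12 (the question), type A, class IN, TTL 60, rdlength 4
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
    return hdr + question + answers

def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Reads a (possibly compressed) name; returns (name, offset after the name in the stream)."""
    labels, jumped, end = [], False, off
    while True:
        l = msg[off]
        if l & 0xC0 == 0xC0:                                           # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if l == 0:
            break
        labels.append(msg[off:off + l].decode("ascii", "replace")); off += l
    return ".".join(labels), (end if jumped else off)

def snoop_dns_response(msg: bytes, ip_cache: Dict[str, str]) -> List[str]:
    """If the queried name matches a signature, learn every answered A record as IP -> app.
    Returns the IPs learned (empty for queries or non-matching names)."""
    _, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if not flags & 0x8000:
        return []                                                      # QR bit clear: a query
    off, qname = 12, ""
    for _ in range(qd):
        qname, off = read_name(msg, off); off += 4                     # skip QTYPE/QCLASS
    app = next((a for a, pat in DNS_SIGNATURES if pat.match(qname.lower())), None)
    learned = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off); off += 10
        if rtype == 1 and rdlen == 4 and app:
            ip = ".".join(str(b) for b in msg[off:off + 4])
            ip_cache[ip] = app; learned.append(ip)
        off += rdlen
    return learned

def classify_first_packet(dst_ip: str, ip_cache: Dict[str, str]) -> str:
    """FIF classification of an encrypted flow from the IP cache alone (no payload needed)."""
    return ip_cache.get(dst_ip, "unknown")

if __name__ == "__main__":
    cache: Dict[str, str] = {}
    snoop_dns_response(build_dns_response("cisco.webex.com", ["10.10.10.1"]), cache)
    print(cache, classify_first_packet("10.10.10.1", cache))
```

Only the A records of a response whose question matched are learned, so an unrelated response cannot poison the cache with the Webex label; the TTL in the record is the natural bound for how long such an entry should live.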
NBAR2 Encrypted Traffic Classification, summary:
- Most of the traffic is encrypted, and most of it is SSL/TLS
- Testing shows more than 80% of SSL traffic is classified by NBAR2
- All major internet/cloud applications are supported, hundreds of applications
- NBAR2 classifies both cloud and local encrypted traffic
- NBAR2/SD-AVC use a variety of techniques to classify encrypted traffic
Performance
NBAR2 Performance Optimization Techniques
- Optimized C code engines
- Optimized processing skips most of the traffic
- Smart caching techniques (we've added many of these)
NBAR2 default (performance-optimized) mode: application classification, supported on all platforms
NBAR2 fine-grain mode: analytics (deep DPI), supported on routers only
NBAR2 Performance Testing Results (fast path) [chart]: validated in real live networks and tested on the Enterprise Traffic Mix (EMIX) benchmark
NBAR2 Performance, ongoing improvements [chart]: 40% improvement in just 2 releases, based on a generic Enterprise Traffic Mix (EMIX)
NBAR2 Protocol Discovery Performance
- Most IOS XE routers: line rate at a working point of 70% CPU utilization
- Catalyst 9300: 2,000 CPS, 10,000 bidirectional flows per 24 ports, CPU at ~50% (HTTP profile)
Application Recognition: NBAR Evolution [chart; y-axis: No. of Apps/Domains Recognized]
- Pre-NBAR: standard, port-based
- NBAR Version 1: 100s of apps; DPI, signatures, custom apps
- NBAR Version 2: ~1500 apps, ~150 encrypted apps; DPI, signatures, custom apps, heuristic, statistical + behavioral
- SD-AVC: network-level analytics, external sources
Application Recognition at Network Level: SD-AVC
Why SD-AVC?
- Useful and easy application bandwidth monitoring at a network level
- Better application recognition in asymmetric environments
- Better application recognition for encrypted applications
- Better first packet classification for path selection and marking policies
- Improved performance
- Automatic protocol pack deployment at a network level
- Serviceability and troubleshooting tools for application recognition issues
- Key for Cisco solutions such as SD-WAN, EasyQoS, Assurance
Why SD-AVC? Reduce operational complexity; improve application visibility and policy efficiency.
SD-AVC high-level concept [diagram]: the SD-AVC service provides service automation and analytics & telemetry, fed by external sources such as MS Office 365 and DNS, to network devices such as a Catalyst 3850 and ASR1001-X routers.
What is SD-AVC? A network service which ensures application recognition for visibility, analytics and application-based policy solutions:
- Analytics processing at a network level
- Synchronizing application state between network nodes
- Serves as a gateway for external sources, provisioning into the Cisco network
- Auto-learning and auto-signature algorithms
- Provides protocol pack update capability at a network level for thousands of devices
What is SD-AVC? Current form factor:
- Hosted on IOS XE devices using a Linux container (LXC) as a virtual-service (future: DNA-C)
- 3 GB RAM and 4 CPUs
- Serves more than 6,000 devices
How does SD-AVC work? (Basics)
- SD-AVC defines sensors and consumers in the network data plane
- Sensors are network devices (with NBAR2) that produce classification information and export it to the SD-AVC network service; up to 2 Kbps for a small branch router
- Consumers are network devices that consume classification information from the SD-AVC network service
- A network device can be a sensor, a consumer, or both
How does SD-AVC work? (Basics)
Sensors with NBAR2 classify traffic and cache the results in the form of Application Rules. An Application Rule is defined as an L3/L4 to App-ID mapping. Application Rule example:
  id  IP              port  L4   vrf-id  vrf name  app-id  eng-id  sel-id  app-name  #hits  black  weight  rating
  0   64.103.117.145  5902  TCP  0       global    100     13      100     vnc       1      no     69      1
How does SD-AVC work? (Basics, cont.)
- The SD-AVC service compiles the application rules received from the different network sensors (as well as from external authoritative sources)
- The service generates an Application Rules Pack
- Consumers pull the Application Rules Pack from the SD-AVC service and install the application rules in their data plane
- On-device classification is enhanced with the newly installed SD-AVC application rules
- This process is periodic
SD-AVC Asymmetric Webex example [topology: branch routers br0, br1 and br2 (Webex clients on br1 and br2), a hub router and corporate servers, an MPLS path and an Internet path, Webex at 176.70.168.183, Webex DNS, and the SD-AVC service next to the hub]. Path policy: Webex => MPLS.
The problem: NBAR2 classifies the first flow upstream as Webex (based on the certificate), and the hub classifies the first flow as Webex the same way, but NBAR2 cannot classify the flow in the downstream direction (no certificate), so Webex downstream is routed via the Internet due to bad classification.
With SD-AVC, the hub's sensor exports the sockets it has learned:
  Exported sockets:
  id  IP              port  L4   vrf-id  vrf name  app-id  eng-id  sel-id  app-name       black
  1   179.36.9.210    5901  TCP  2       Mgt       100     13      100     vnc            no
  2   179.36.9.205    5901  TCP  2       Mgt       100     13      100     vnc            no
  3   179.36.9.208    5901  TCP  2       Mgt       100     13      100     vnc            no
  4   176.70.168.183  443   TCP  2       Mgt       1306    13      414     webex-meeting  no
The branch routers import the same rules from the SD-AVC service:
  Imported sockets:
  id  IP              port  L4   vrf-id  vrf name  app-id  eng-id  sel-id  app-name       black
  1   179.36.9.210    5901  TCP  2       Mgt       100     13      100     vnc            no
  2   179.36.9.205    5901  TCP  2       Mgt       100     13      100     vnc            no
  3   179.36.9.208    5901  TCP  2       Mgt       100     13      100     vnc            no
  4   176.70.168.183  443   TCP  2       Mgt       1306    13      414     webex-meeting  no
Asymmetry fixed with SD-AVC: NBAR2 classifies the Webex downstream flow based on the SD-AVC rule, and Webex downstream is routed via MPLS.
SD-AVC External Sources
SD-AVC and external sources
The SD-AVC service connects with external authoritative sources to enrich application classification dynamically and seamlessly. This enables us to:
- Connect Cisco Security databases
- Provide real-time Cloud/SaaS information
- Provision home-grown applications
Example use cases:
- Automatic enrichment of Cloud/SaaS applications (MS RSS, CASI)
- Automatic learning of enterprise local or private apps (Infoblox/ACI/CUCM)
SD-AVC Operation (Data Flow) [diagram]: sensors (and sensor-and-consumer devices) in the network layer send their cached application rules (JSON) to the SD-AVC network service; the service, enriched by external sources (CloudLock, MS RSS, Infoblox) and a controller, generates the Application Rules Pack; consumers pull the Application Rules Pack into the network layer.
SD-AVC Connectors
- Microsoft Office 365: contains geolocation and worldwide FQDN and URL information (PoC)
- CASI: contains 10,000 applications with domain and certificate information
- Provides DNS information for home-grown applications (PoC)
SD-AVC and Microsoft Office365
Using Microsoft RSS, how does it work?
- Office 365 URLs and IP address ranges
- Requires connectivity to the internet (from the SD-AVC service)
- XML format
- Huge list of IP addresses and ranges
- Much more robust list of domains
Using Microsoft RSS, how does it work? (First step) [diagram]: the data imported from Microsoft is compared with the Cisco Protocol Pack application data to find new domain information from Microsoft. Example: jpn.delve.office.com
Using Microsoft RSS, how does it work? (Second step)
1. Find the correct application for the new domains
2. Use machine learning based on the previous learning set of Office 365 and the existing host mappings supplied by the Cisco NBAR2 Protocol Pack
Algorithm: given the previous learning set (host1 -> app1, host2 -> app2, host3 -> app3, ...) and a new domain, map the domain to an application: jpn.delve.office.com -> ms-office365?
Using Microsoft RSS, how does it work? (Third step)
- Compile a new pack with the new signature and make it available to the devices
- The secondary pack is installed alongside the Cisco NBAR2 protocol pack
- New domains are now supported automatically
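The three steps above end to end, as an added example that is not SD-AVC code: a constructed XML feed shaped like the Office 365 endpoint list is parsed, the domains the protocol pack does not know are picked out (jpn.delve.office.com), each is mapped to an application, and a secondary pack is emitted. The XML shape, the host-to-app learning set and the mapping rule are assumptions; in particular the mapping is a nearest-neighbour stand-in (vote by application, weighted by the number of trailing DNS labels shared with a known host), not Cisco's machine-learning step.

```python
"""Added example (not SD-AVC code): MS feed XML -> new domains -> app mapping -> secondary pack."""
import json
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample in the shape of the Office 365 endpoint XML (shape assumed for the example)
MS_FEED_XML = """<?xml version="1.0"?>
<products updated="1/1/2018">
  <product name="o365">
    <addresslist type="IPv4">
      <address>13.107.6.152/31</address>
    </addresslist>
    <addresslist type="URL">
      <address>*.office.com</address>
      <address>jpn.delve.office.com</address>
      <address>outlook.office365.com</address>
    </addresslist>
  </product>
</products>
"""

# Assumed host-to-app learning set in the style of the protocol pack host mappings (not the real pack)
PACK_HOSTS: Dict[str, str] = {
    "www.office.com": "ms-office365",
    "portal.office.com": "ms-office365",
    "delve.office.com": "ms-office365",
    "outlook.office365.com": "ms-outlook",
    "teams.microsoft.com": "ms-teams",
}

def feed_domains(xml_text: str) -> List[str]:
    """Step 1a: the URL entries of the feed, lower-cased."""
    root = ET.fromstring(xml_text)
    return [a.text.strip().lower() for a in root.iterfind(".//addresslist[@type='URL']/address") if a.text]

def new_domains(feed: List[str], pack: Dict[str, str]) -> List[str]:
    """Step 1b: concrete FQDNs the pack does not already know (wildcards are skipped)."""
    return [d for d in feed if "*" not in d and d not in pack]

def labels(host: str) -> List[str]:
    return host.split(".")[::-1]                    # "jpn.delve.office.com" -> com, office, delve, jpn

def suffix_overlap(a: str, b: str) -> int:
    """Number of trailing labels two hosts share (com.office.delve vs com.office.www -> 2)."""
    n = 0
    for x, y in zip(labels(a), labels(b)):
        if x != y:
            break
        n += 1
    return n

def map_domain(domain: str, pack: Dict[str, str], min_overlap: int = 2) -> Optional[str]:
    """Step 2 stand-in: every known host with at least min_overlap shared trailing labels
    votes for its app, weighted by the overlap; None when nothing is close enough."""
    votes: Dict[str, int] = defaultdict(int)
    for host, app in pack.items():
        n = suffix_overlap(domain, host)
        if n >= min_overlap:
            votes[app] += n
    return max(votes, key=votes.get) if votes else None

def build_secondary_pack(xml_text: str, pack: Dict[str, str]) -> str:
    """Step 3: the secondary pack (JSON) with one host -> app signature per mapped new domain."""
    rules = [{"host": d, "app": map_domain(d, pack)} for d in new_domains(feed_domains(xml_text), pack)]
    return json.dumps({"source": "ms-rss", "rules": [r for r in rules if r["app"]]}, sort_keys=True)

if __name__ == "__main__":
    print(build_secondary_pack(MS_FEED_XML, PACK_HOSTS))
```

Domains with no close neighbour are left out of the pack instead of being forced onto the best of a bad set of candidates: a wrong automatic signature is worse than an unclassified domain, because it silently steers policy.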
Demo
What we'll show in the demo:
- How completely asymmetric devices can teach each other classification information using SD-AVC
- How external sources can enhance application recognition
- How these new automatic signatures help application recognition in an asymmetric scenario with SD-AVC
Demo topology [diagram]: the Microsoft Office 365 RSS feed feeds the SD-AVC service. Two CSR1Kv routers, CSR-Demoupstream and csr-demodownstream, each pull Application Rules from SD-AVC and send data analytics (JSON) to it; a TRex traffic generator drives the upstream and downstream traffic through them.
Demo script (note: we expedited some of the timers, which may lead to skew in status indications)
1. Downstream setup, not connected to SD-AVC
2. Connect downstream to the SD-AVC network service: first level of asymmetry fix
3. Enrich the devices with a secondary pack based on MS Office 365 cloud info
4. Downstream setup classifies based on the MS info using SD-AVC: second level of asymmetry fix
SD-AVC and Cloudlock CASI
SD-AVC and Cloudlock CASI, why?
- Database synchronization between the Cloudlock SaaS Security Index and SD-AVC/NBAR
- Better SaaS application recognition leveraging the Cloudlock security cloud infrastructure
- Better response time to application and domain changes
- Cloudlock shadow IT visibility leveraging SD-AVC on the Cisco enterprise network
SD-AVC and Cloudlock, self-learning network [diagram]: the network device learns with SD-AVC, SD-AVC exchanges analysis and feedback with Cloudlock, and Cloudlock holds the application database and shadow-IT view.
How it works [diagram, Cloudlock CASI <-> SD-AVC <-> enterprise network]:
1. Learning process of unfamiliar domains: SD-AVC sends domains it cannot classify to Cloudlock CASI
2. CASI returns application information, which SD-AVC provisions into the enterprise network
How it works, #2: update CASI with offline application information from NBAR/CASI R&D
SD-AVC Delivery Plan
SD-AVC Delivery plan
Phase 1 (FCS Oct 2017), IWAN 2.2.1:
- SD-AVC hosted on an IOS XE container
- Improved application recognition in hub asymmetric routing environments
- Improved first packet classification decision
- Application recognition function serviceability
- Protocol Pack automatic update
Phase 2 (FCS Jan 2018):
- Cloud/SaaS automatic signature push (MS RSS)
- High scale of SD-AVC sensors (6K)
- Support for asymmetrical routing in branch routers
- Support for IWAN 2.3 DCA (Direct Cloud Access), FCS March 2018
Future:
- Unknown and generic traffic discovery
- High scale custom application support (1000+)
- Viptela vManage integration
- DNA-C App-Policy/EasyQoS use cases
- Wireless & switching
Q&A
Homework
What can you do?
- Use Application Visibility on the WebUI (device-level visibility): IOS XE routers supported from 3.16 and up, Cat3K/9K supported from 16.6.1 and up
- Download and install SD-AVC on a router (network-level visibility)
- Enlist for NBAR2/SD-AVC announcements: send an email with SUBSCRIBE to cisco-nbar2-pp-announcement@cisco.com
Wrap up
- NBAR2 has evolved and matured to tackle today's network challenges
- SD-AVC introduces new innovation and advances at the network level using analytics and external sources
- The evolution of Cisco's application recognition technology unleashes great capabilities on both the device side and the controller side, to provide application-based solutions like SD-WAN, EasyQoS, Assurance and Security
Wrap up: SD-AVC makes the network more intuitive.
Continue Your Education: come and meet us in the DevNet zone, at the SD-AVC demo pod, in the Whisper Suite, or at Meet the Engineer 1:1 meetings
Thank you