Optimizing Enterprise Networks through SD-AVC (Software Defined Application Visibility and Control)
Guy Keinan
BRKCRS-2502
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session
How:
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#BRKCRS-2502
Guy Keinan SW Development Manager
NBAR2 & SD-AVC
This is me
Agenda
• Introduction
• Why?
• NBAR2
• SD-AVC
• Q&A
• Homework
• Wrap up
Unprecedented Demands on the Network
• Digital Disruption: Lack of Business and IT Insights. 63 million new devices online every second by 2020 [1]
• Complexity: Slow and Error Prone Operations. 3X spend on network operations vs network [2]
• Security: Unconstrained Attack Surface. 6 months to detect breach [3]
1. Gartner Report - Gartner’s 2017 Strategic Roadmap for Networking
2. McKinsey Study of Network Operations for Cisco – 2016
3. Ponemon Research Institute Study on Malware Detection, Mar 2016
Main Operational Challenges
Traditional Networking CANNOT Keep Pace with the Demands of Digital Business
• 75%: OpEx spent on Network Visibility and Troubleshooting
• 70%: Policy Violations Due to Human Error
• 95%: Network Changes Performed Manually
Source: 2016 Cisco Study
Cisco Application Recognition
SD-AVC/NBAR2 Application Recognition fuels several core solutions:
• Cisco SD-WAN
• Cisco EasyQoS
• Assurance
• Security
The Network. Intuitive.

NBAR2
Cisco Application Recognition
• NBAR2 is a powerful Network Based Application Recognition engine
• A complete remake
• Variety of features: Protocol Pack hitless upgrade, attributes, sub-classification & more...
• Wide cross-platform support (same code everywhere):
  • Routers: ISR4K, ASR1K, CSR1K, ISRv, ISR1100, ISRG2
  • Switches: Cat3K, Cat9K
  • Wireless: AireOS WLC, IOS APs 5520/8540, NG APs 3800/1850
  • NAM
NBAR2 Classification – Main things to keep in mind
• Stateful classification per session (5 tuple flow)
• Not only Deep Packet Inspection (DPI)… but a combination of different techniques:
  - DNS snooping
  - Statistical classification (Machine Learning)
  - Behavioral classification
  - Learning of main services and servers
  - Customization
• Slow-Path and Fast-Path Model
Application Recognition – Rising Challenges
The Cisco Live US 2017 Challenge
NBAR2/SD-AVC @ CLUS17: Encrypted Apps
[Charts: application breakdown of the Cisco Live US 2017 network traffic.] With NBAR2 – this is what we DID see
Cisco Application Recognition – CLUS ‘17
• Less than 1% unknown
• Less than 1% unclassified encrypted traffic
• 10G of traffic in less than 14% CPU utilization (ASR1002-HX)
Very good classification of encrypted traffic, with good performance
Ready to Dive?
NBAR2 Classification – A bit of terminology
• Flow == A session. Identified by 5 tuple (src IP, src Port, dst IP, dst Port, vrf)
• Socket == Identified by 3 tuple (dst IP, dst Port, vrf). Usually a server
• FIF == First packet In the Flow
• Bypass == No processing, just quick forwarding
NBAR2 Classification – HL overview
Slow Path (NBAR2), roughly 5% of the traffic:
• Classifies the flow, based on packet processing
• Potentially first packet (First In Flow – FIF classification)
• Programs the Fast Path with the classification result
Fast Path (Flow Table), roughly 95% of the traffic:
• Completely bypasses NBAR2 processing
• Uses the programmed classification
NBAR2 Classification Simplified (Slow Path)
The slow path is staged: FIF, then Payload, then Advanced; each stage caches its result for later flows.
• FIF stage (first packet in flow): Cache, Provisioned L3/4, SD-AVC. More than 80% of the flows are decided here.
• Payload stage: Pattern matching, Multi-packet. Cache result.
• Advanced stage: Machine Learning, Behavioral, Cross Flow. Cache result.
NBAR2 Classification – Detailed
[Diagram: detailed slow-path processing. Components: Flow Table; Pre-Flow IP cache; Socket cache; L3/L4 LUT and Custom; DNS-AS bundle; Multiprotocol Text Parser (MTP); Multi-Packet Engine (MPE); Single-Packet Engine (SPE); WKP (Well Known Packet) entry and WKP-payload; Heuristic logic; statistical; IANA; Cross flow; Look-Up Table (LUT) or VM; App tracker; NBAR bypass management. Stages: (1) FIF only, (2) first payload only, (3) multi-packet with listener. Legend: on fail / success / success-fail / engine helper.]
NBAR2 Classification – Detailed Flow
[Diagram: the same components annotated with the data flow: the processing set for the current flow; cache the FIF result and store it for the next packets; store the result for future flows; payload packets.]
NBAR2 Socket Cache Classification - Example
A client connects to the MySQL server 10.10.10.1:3306.
1. First flow to 10.10.10.1:3306: full classification (MySQL) + learning the socket.
2. The result is cached in the Socket-Cache:
   Dst IP      Dst Port  Application
   10.10.10.1  3306      MySQL
3. Next flows to 10.10.10.1:3306: No Processing. Using Cache!
4. The socket is re-validated every time interval.
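The slow-path/fast-path model and the socket cache walk-through above, reduced to a small runnable model (an added example, not Cisco code): flows are keyed by the deck's 5-tuple, sockets by its 3-tuple, and a learned socket answers the first packet of later sessions until the re-validation interval elapses. The client address, payload markers and intervals are constructed, and `toy_signature` stands in for the real payload engines.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Keys follow the deck's terminology: a flow is the 5-tuple, a socket the 3-tuple.
FlowKey = Tuple[str, int, str, int, str]   # src IP, src port, dst IP, dst port, vrf
SocketKey = Tuple[str, int, str]           # dst IP, dst port, vrf


@dataclass
class SocketEntry:
    app: str
    learned_at: float   # time the socket was learned; drives re-validation


@dataclass
class Classifier:
    # Stand-in for the payload engines: returns an app name, or None if undecided.
    inspect: Callable[[bytes], Optional[str]]
    revalidate_interval: float = 300.0
    flow_table: Dict[FlowKey, str] = field(default_factory=dict)        # fast path
    socket_cache: Dict[SocketKey, SocketEntry] = field(default_factory=dict)
    stats: Dict[str, int] = field(
        default_factory=lambda: {"fast": 0, "slow": 0, "cache": 0, "full": 0})

    def classify(self, key: FlowKey, payload: bytes, now: float) -> str:
        # Fast path: the flow was already programmed, no NBAR2 processing at all.
        if key in self.flow_table:
            self.stats["fast"] += 1
            return self.flow_table[key]
        # Slow path: first look the destination socket up in the cache.
        self.stats["slow"] += 1
        sock: SocketKey = (key[2], key[3], key[4])
        entry = self.socket_cache.get(sock)
        if entry is not None and now - entry.learned_at < self.revalidate_interval:
            # FIF classification straight from the cache: no payload needed.
            self.stats["cache"] += 1
            self.flow_table[key] = entry.app
            return entry.app
        # No usable cache entry (or the entry is due for re-validation):
        # run full classification on this packet.
        self.stats["full"] += 1
        app = self.inspect(payload)
        if app is None:
            # Undecided: keep the flow in the slow path; a later packet may decide.
            return "unknown"
        self.flow_table[key] = app                        # program the fast path
        self.socket_cache[sock] = SocketEntry(app, now)   # learn (or re-learn) the socket
        return app


def toy_signature(payload: bytes) -> Optional[str]:
    """Constructed stand-in for the payload engines; not a real protocol decoder."""
    if payload.startswith(b"\x0a5.7."):   # constructed 'MySQL greeting' marker
        return "mysql"
    if payload.startswith((b"GET ", b"POST ")):
        return "http"
    return None


def run_mysql_scenario() -> Dict[str, int]:
    """Three client sessions to the MySQL server 10.10.10.1:3306 from the slide
    (client address constructed); returns how the packets were handled."""
    c = Classifier(inspect=toy_signature, revalidate_interval=60.0)
    server = ("10.10.10.1", 3306, "global")
    results = []
    # Flow 1: recognisable first payload -> full classification, socket learned.
    f1 = ("10.10.10.50", 40001) + server
    results.append(c.classify(f1, b"\x0a5.7.22-log\x00", now=0.0))
    results.append(c.classify(f1, b"\x03SELECT 1", now=0.1))     # fast path
    # Flow 2: new session to the same socket -> answered from the socket cache,
    # even though this payload alone would not classify.
    f2 = ("10.10.10.50", 40002) + server
    results.append(c.classify(f2, b"\x03SELECT 2", now=1.0))
    # Flow 3: after the interval the socket is re-validated by inspection.
    f3 = ("10.10.10.50", 40003) + server
    results.append(c.classify(f3, b"\x0a5.7.22-log\x00", now=100.0))
    assert results == ["mysql"] * 4
    return dict(c.stats)
```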
Classification and Encryption
NBAR2/SD-AVC Encrypted traffic – techniques
Outside the organization (usually non collaborative):
• SSL handshake analysis – certificate, Server Name Indication (SNI)
• DNS traffic analysis
• Machine learning/Statistical classification
Inside the organization (usually collaborative):
• Customization of SSL certificates and DNS domains
• Server and client discovery based on NBAR2
• SD-AVC External Sources (more on this later…)
NBAR2 Encryption Classification
Automatic (Signature), e.g. a host-name regex signature matching YouTube domains:
"(.*[.])?((youtube(-nocookie)?|ytimg|googlevideo)[.]com)|youtu[.]be"
Custom, e.g. a composite server-name rule:
cisco(config)#ip nbar custom CCSOC composite server-name "*ccsocdev.net"
NBAR2 DNS Classification - Example
1. The client sends a DNS request for cisco.webex.com. NBAR2 applies regex pattern matching to the queried name and identifies the application: webex.
2. The DNS server answers with 10.10.10.1. NBAR2 stores the mapping in its IP cache:
   IP          Application
   10.10.10.1  webex
3. The client's encrypted first packet to 10.10.10.1 is classified as webex from the IP cache.
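The DNS-snooping sequence above as an added example (not Cisco code): a host-name regex decides the application on the DNS request, the answer's address is cached, and the encrypted first packet is classified from that cache with no payload at all. The youtube pattern is the signature quoted earlier on the page; the webex pattern, transaction id and TTL are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Host-name signatures. The youtube pattern is the one quoted on the slide;
# the webex pattern is constructed for this example.
SIGNATURES: Dict[str, re.Pattern] = {
    "youtube": re.compile(r"(.*[.])?((youtube(-nocookie)?|ytimg|googlevideo)[.]com)|youtu[.]be"),
    "webex": re.compile(r"(.*[.])?webex[.]com"),
}


class DnsClassifier:
    def __init__(self, signatures: Dict[str, re.Pattern], ttl: float) -> None:
        self.signatures = signatures
        self.ttl = ttl                                     # lifetime of a learned IP
        self.pending: Dict[int, str] = {}                  # DNS transaction id -> app
        self.ip_cache: Dict[str, Tuple[str, float]] = {}   # IP -> (app, expiry time)

    def match_name(self, qname: str) -> Optional[str]:
        """Regex pattern matching on the queried name (whole-name match)."""
        name = qname.rstrip(".").lower()
        for app, rx in self.signatures.items():
            if rx.fullmatch(name):
                return app
        return None

    def on_dns_request(self, txid: int, qname: str) -> Optional[str]:
        """DNS request seen: remember which app the answer will belong to."""
        app = self.match_name(qname)
        if app is not None:
            self.pending[txid] = app
        return app

    def on_dns_response(self, txid: int, answers: List[str], now: float) -> List[str]:
        """DNS response seen: every answered address goes into the IP cache."""
        app = self.pending.pop(txid, None)
        if app is None:
            return []          # response to a query no signature matched
        for ip in answers:
            self.ip_cache[ip] = (app, now + self.ttl)
        return answers

    def classify_first_packet(self, dst_ip: str, now: float) -> str:
        """Encrypted first packet: no usable payload, only the destination address."""
        entry = self.ip_cache.get(dst_ip)
        if entry is None or entry[1] < now:
            self.ip_cache.pop(dst_ip, None)   # expired entries are dropped
            return "unknown"
        return entry[0]


def run_webex_scenario() -> Dict[str, object]:
    """The cisco.webex.com exchange from the slide; transaction id and TTL constructed."""
    c = DnsClassifier(SIGNATURES, ttl=300.0)
    out: Dict[str, object] = {}
    out["request"] = c.on_dns_request(0x1A2B, "cisco.webex.com")
    out["learned"] = c.on_dns_response(0x1A2B, ["10.10.10.1"], now=0.0)
    out["first_packet"] = c.classify_first_packet("10.10.10.1", now=1.0)
    out["other_host"] = c.classify_first_packet("10.10.10.2", now=1.0)
    out["after_ttl"] = c.classify_first_packet("10.10.10.1", now=400.0)
    return out
```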
NBAR2 Encrypted Traffic Classification Summary
• Most of the traffic is encrypted, and that encrypted traffic is SSL/TLS
• Testing shows more than 80% of SSL traffic is classified by NBAR2
• All major internet/cloud applications are supported
• Hundreds of applications
• NBAR2 classifies both cloud and local encrypted traffic
• NBAR2/SD-AVC use a variety of techniques to classify encrypted traffic
Performance
NBAR2 Performance Optimization Techniques
• Optimized C code engines
• Optimized processing
  • skips most of the traffic
• Wise caching techniques
  • we’ve added many of these…
• NBAR2 Default (Performance-Optimized) Mode: Application Classification
  • Supported on all platforms
• NBAR2 Fine-Grain Mode: Analytics (Deep DPI)
  • Supported on routers only
NBAR2 Performance Testing Results
Validated in real live networks and tested on the Enterprise Traffic Mix (EMIX) benchmark. [Chart: throughput, Fast Path]
NBAR2 Performance Ongoing Improvements
Based on a generic Enterprise Traffic Mix (EMIX): 40% improvement in just 2 releases. [Chart]
NBAR2 Protocol Discovery Performance
• Most XE routers: line rate at a working point of 70% CPU utilization
• 9300: 2000 CPS, 10,000 bi-directional flows for each 24 ports. CPU at ~50% (HTTP profile)
Application Recognition: NBAR Evolution
[Chart: number of apps/domains recognized, by generation]
• Pre-NBAR: Standard Port based
• NBAR Version 1: 100s of Apps; DPI, Signatures, Custom Apps
• NBAR Version 2: ~1500 Apps, ~150 Encrypted Apps; DPI, Signatures, Custom Apps; Heuristic, Statistical+Behavioral
• SD-AVC: Network Level; Analytics; External Sources; Application Recognition at Network Level

SD-AVC
Why SD-AVC?
• Useful and easy Application BW monitoring at a network level
• Better application recognition in asymmetric environments
• Better application recognition for encrypted applications
• Better first packet classification for path selection and marking policies
• Improved performance
• Automatic protocol pack deployment at a network level
• Serviceability and troubleshooting tools for application recognition issues
Key for Cisco solutions such as SD-WAN, EasyQoS, Assurance.
In short: Reduce Operational Complexity; Improve Application Visibility & Policy Efficiency.
SD-AVC – HL Concept
[Diagram: the SD-AVC service receives Analytics & Telemetry from network devices (ASR1001x, Catalyst 3850) and consults external sources (DNS, MS Office365); Service automation flows back to the devices.]
What is SD-AVC?
A network service which ensures Application recognition for visibility, Analytics and application based policy solutions.
• Analytics processing at a network level
• Synchronizing application state between network nodes
• Serves as a gateway for external sources, provisioning into Cisco Network
• Auto-learning and auto-signature algorithms
• Provides pack update capability at a network level for thousands of devices
What is SD-AVC? Current form factor
• Hosted on IOS-XE devices using a Linux container (LXC) as a virtual-service (Future: DNA-C)
• 3G RAM and 4 CPUs serve more than 6K devices
How Does SD-AVC work? (Basics)
• SD-AVC defines Sensors and Consumers in the network data plane
• Sensors are network devices (with NBAR2) that produce classification information and export it to the SD-AVC network service
  • Up to 2Kbps for a small branch router
• Consumers are network devices that consume classification information from the SD-AVC network service
• A network device can be a sensor, a consumer or both
How Does SD-AVC work? (Basics)
• Sensors with NBAR2 classify traffic & cache results in the form of Application Rules
• An Application Rule is defined as an L3/L4 to App-ID mapping
• Application Rule example:
id | IP | port | L4 | vrf-id | vrf name | app-id | eng-id | sel-id | app-name | #hits | black | weight| rating
==============================================================================================================================
0 | 64.103.117.145 | 5902 | TCP | 0 | global | 100 | 13 | 100 | vnc | 1 | no | 69 | 1
How does SD-AVC work? (Basics) cont.
• The SD-AVC service compiles application rules received from the different network sensors (as well as external authoritative sources)
• The service generates an Application Rules Pack
• Consumers pull the application rules pack from the SD-AVC service and install the application rules in their data plane
• On-device classification is enhanced with the newly installed SD-AVC application rules
• This process is periodic
SD-AVC – Asymmetric Webex example
[Diagram labels: branch (br0, br1, br2), hub, MPLS, Internet, mc, Corporate Servers, rtr, DNS, Webex at 176.70.168.183.] Path Policy: Webex => MPLS.
The problem without SD-AVC:
• NBAR2 classifies the first flow upstream as Webex (based on the certificate)
• NBAR2 can’t classify the flow in the downstream direction (no certificate)
• Webex downstream is routed via Internet due to bad classification
With SD-AVC:
• The upstream router, acting as a sensor, exports the sockets it has learned:
Exported sockets:
=================
id | IP | port | L4 | vrf-id | vrf name | app-id | eng-id | sel-id | app-name | black |
===========================================================================================
1 | 179.36.9.210 | 5901 | TCP | 2 | Mgt | 100 | 13 | 100 | vnc | no |
2 | 179.36.9.205 | 5901 | TCP | 2 | Mgt | 100 | 13 | 100 | vnc | no |
3 | 179.36.9.208 | 5901 | TCP | 2 | Mgt | 100 | 13 | 100 | vnc | no |
4 | 176.70.168.183 | 443 | TCP | 2 | Mgt | 1306 | 13 | 414 | webex-meeting | no |
• The SD-AVC service distributes the rules, and the downstream router, acting as a consumer, imports them:
Imported sockets:
=================
id | IP | port | L4 | vrf-id | vrf name | app-id | eng-id | sel-id | app-name | black |
===========================================================================================
1 | 179.36.9.210 | 5901 | TCP | 2 | Mgt | 100 | 13 | 100 | vnc | no |
2 | 179.36.9.205 | 5901 | TCP | 2 | Mgt | 100 | 13 | 100 | vnc | no |
3 | 179.36.9.208 | 5901 | TCP | 2 | Mgt | 100 | 13 | 100 | vnc | no |
4 | 176.70.168.183 | 443 | TCP | 2 | Mgt | 1306 | 13 | 414 | webex-meeting | no |
Asymmetric Fixed Webex example - with SD-AVC
• NBAR2 classifies Webex downstream (based on SD-AVC)
• Webex downstream is routed via MPLS
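The sensor-to-consumer cycle (sensors export socket rules, the service compiles an application rules pack, consumers install it) applied to the asymmetric Webex case above, as an added example that is not Cisco's code: socket tables are parsed from text in the format the slides show, merged with blacklist and conflict handling, and the downstream router classifies the Webex server only once the pack is installed. Rows beyond the slide's own (the branch sensor, the `ssl` conflict row with app-id 9999, the blacklisted row) are constructed.

```python
import json
from typing import Dict, List, Tuple

# Sensor exports in the 'Exported sockets' format shown above. The first table
# uses rows from the slide; the second is a constructed branch sensor with one
# duplicate rule, one conflicting rule and one blacklisted socket.
UPSTREAM_EXPORT = """\
Exported sockets:
=================
id | IP | port | L4 | vrf-id | vrf name | app-id | eng-id | sel-id | app-name | black |
===========================================================================================
1 | 179.36.9.210 | 5901 | TCP | 2 | Mgt | 100 | 13 | 100 | vnc | no |
4 | 176.70.168.183 | 443 | TCP | 2 | Mgt | 1306 | 13 | 414 | webex-meeting | no |
"""
BRANCH_EXPORT = """\
id | IP | port | L4 | vrf-id | vrf name | app-id | eng-id | sel-id | app-name | black |
1 | 176.70.168.183 | 443 | TCP | 2 | Mgt | 1306 | 13 | 414 | webex-meeting | no |
2 | 179.36.9.210 | 5901 | TCP | 2 | Mgt | 9999 | 13 | 100 | ssl | no |
3 | 179.36.9.205 | 5901 | TCP | 2 | Mgt | 100 | 13 | 100 | vnc | yes |
"""

RuleKey = Tuple[str, int, str, str]   # IP, port, L4, vrf name


def parse_socket_table(text: str) -> List[dict]:
    """Parse the pipe-separated socket table; title and '====' lines are skipped."""
    rules: List[dict] = []
    header: List[str] = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2:
            continue
        if cells[0] == "id":
            header = cells
            continue
        if not header or not cells[0].isdigit():
            continue
        row = dict(zip(header, cells))
        row["port"], row["app-id"] = int(row["port"]), int(row["app-id"])
        rules.append(row)
    return rules


def build_rules_pack(exports: Dict[str, str]) -> str:
    """Service side: merge the sensors' rules into one application rules pack (JSON)."""
    merged: Dict[RuleKey, dict] = {}
    conflicts: List[dict] = []
    for sensor, text in exports.items():
        for r in parse_socket_table(text):
            if r["black"] == "yes":
                continue                       # blacklisted socket: never distributed
            key: RuleKey = (r["IP"], r["port"], r["L4"], r["vrf name"])
            prev = merged.get(key)
            if prev is not None and prev["app-name"] != r["app-name"]:
                # Two sensors disagree: keep the first rule and record the
                # conflict so the serviceability tooling can surface it.
                conflicts.append({"ip": key[0], "port": key[1], "vrf": key[3],
                                  "sensors": [prev["sensor"], sensor],
                                  "apps": [prev["app-name"], r["app-name"]]})
                continue
            merged.setdefault(key, {"sensor": sensor, "app-id": r["app-id"],
                                    "app-name": r["app-name"]})
    rules = [{"ip": k[0], "port": k[1], "l4": k[2], "vrf": k[3], **v}
             for k, v in merged.items()]
    return json.dumps({"version": 1, "rules": rules, "conflicts": conflicts})


class Consumer:
    """Consumer side: installs the pack and uses it for first-packet classification."""
    def __init__(self) -> None:
        self.rules: Dict[RuleKey, str] = {}

    def install_pack(self, pack_json: str) -> int:
        for r in json.loads(pack_json)["rules"]:
            self.rules[(r["ip"], r["port"], r["l4"], r["vrf"])] = r["app-name"]
        return len(self.rules)

    def classify_first_packet(self, dst_ip: str, dst_port: int, l4: str, vrf: str) -> str:
        return self.rules.get((dst_ip, dst_port, l4, vrf), "unknown")


def run_asymmetric_scenario() -> Dict[str, object]:
    """The downstream router never sees the certificate, so before the pack it
    has no answer for the Webex server; after installing the pack it does."""
    downstream = Consumer()
    webex = ("176.70.168.183", 443, "TCP", "Mgt")
    before = downstream.classify_first_packet(*webex)
    pack = build_rules_pack({"upstream": UPSTREAM_EXPORT, "branch": BRANCH_EXPORT})
    installed = downstream.install_pack(pack)
    return {"before": before, "after": downstream.classify_first_packet(*webex),
            "installed": installed, "conflicts": len(json.loads(pack)["conflicts"])}
```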
SD-AVC External Sources
SD-AVC and External sources
• The SD-AVC service connects with external authoritative sources to enrich application classification dynamically and seamlessly
• Enables us to:
  • Connect Cisco Security databases
  • Provide real-time Cloud/SaaS information
  • Provision home-grown applications
• Example use cases:
  • Automatic enrichment of Cloud/SaaS applications (MS RSS, CASI)
  • Automatic learning of enterprise local or private apps (Infoblox/ACI/CUCM)
SD-AVC Operation (Data Flow)
[Diagram: in the network layer, consumer and sensor & consumer devices send their cached application rules (JSON) to the SD-AVC Network Service; the service performs Application Rules Pack generation and the devices pull the Application Rules Pack (steps 1-3); a Controller, MS RSS, Infoblox (4) and CloudLock (5) feed the service as external sources.]
SD-AVC Connectors
• Microsoft Office 365: contains geolocation and world wide FQDN and URL information
• CASI: contains 10,000 applications with domain and certificate information (PoC)
• Provides DNS information for home grown applications (PoC)

SD-AVC and Microsoft Office365
Using Microsoft RSS – How does it work? (First step)
Office 365 URLs and IP address ranges:
• Requires connectivity to the internet (from the SD-AVC service)
• XML format
• Huge list of IP addresses and ranges
• Much more robust list of domains
[Slides: new domain information from Microsoft (example: jpn.delve.office.com) shown alongside the Cisco Protocol Pack application data and the imported data from Microsoft.]
Using Microsoft RSS – How does it work? (Second step)
1. Find the correct application for the new domains
2. Use machine learning based on the previous learning set of Office 365 and the existing host mappings supplied by the Cisco NBAR2 Protocol Pack
Algorithm: given the previous learning set and a new domain that we want to map to an application:
   host1 -> app1
   host2 -> app2
   host3 -> app3
   jpn.delve.office.com -> ??? (ms-office365)
Using Microsoft RSS – How does it work? (Third step)
SD-AVC compiles a new pack with the new signature and makes it available to the devices.
The secondary pack is installed alongside the Cisco NBAR2 protocol pack.
New domains are now supported automatically.
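The three Office 365 steps above, as an added example that is not Cisco's implementation: the XML is constructed in the shape of Microsoft's legacy URL/IP list (an assumption about the format), `KNOWN_HOSTS` stands in for the protocol pack data, and the label-overlap vote in `predict_app` is a deliberately simple substitute for the machine-learning step. A new domain that resembles nothing known is left unmapped rather than guessed, since a wrong automatic signature would misclassify traffic for every consumer.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed XML in the shape of Microsoft's legacy Office 365 URL/IP list
# (an assumption about the format; only <address> elements are read).
MS_XML = """<products updated="1/1/2018">
  <product name="o365">
    <addresslist type="URL">
      <address>jpn.delve.office.com</address>
      <address>outlook.office.com</address>
      <address>*.sharepoint.com</address>
    </addresslist>
  </product>
</products>"""

# Existing host -> application mappings: a constructed stand-in for the
# Cisco Protocol Pack application data that serves as the learning set.
KNOWN_HOSTS: Dict[str, str] = {
    "www.delve.office.com": "ms-office365",
    "outlook.office.com": "ms-office365",
    "login.microsoftonline.com": "ms-office365",
    "teams.microsoft.com": "ms-teams",
    "www.youtube.com": "youtube",
}


def new_domains(xml_text: str) -> List[str]:
    """Step 1: pull the domain names out of the Microsoft list."""
    root = ET.fromstring(xml_text)
    return [a.text.strip().lower() for a in root.iter("address") if a.text]


def labels(host: str) -> List[str]:
    return [part for part in host.strip("*").strip(".").split(".") if part]


def similarity(host: str, known: str) -> int:
    """Shared trailing labels count double, other shared labels once. A match on
    the public suffix alone (e.g. only 'com') scores 3 and is rejected by the
    threshold in predict_app."""
    a, b = labels(host), labels(known)
    suffix = 0
    for x, y in zip(reversed(a), reversed(b)):
        if x != y:
            break
        suffix += 1
    return 2 * suffix + len(set(a) & set(b))


def predict_app(host: str, known_hosts: Dict[str, str], min_score: int = 4) -> Optional[str]:
    """Step 2 (simplified learning): weighted vote of the similar known hosts.
    Returns None when nothing is similar enough, so no signature is generated."""
    votes: Counter = Counter()
    for known, app in known_hosts.items():
        s = similarity(host, known)
        if s >= min_score:
            votes[app] += s
    if not votes:
        return None
    return votes.most_common(1)[0][0]


def compile_secondary_pack(xml_text: str, known_hosts: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Step 3: the new host -> app signatures for the secondary pack, plus the
    domains left unmapped for review."""
    mapped: Dict[str, str] = {}
    unmapped: List[str] = []
    for host in new_domains(xml_text):
        if host in known_hosts:
            continue                      # already covered by the protocol pack
        app = predict_app(host, known_hosts)
        if app is None:
            unmapped.append(host)
        else:
            mapped[host] = app
    return mapped, unmapped
```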
Demo
What we’ll show in the Demo
• We will demonstrate how completely asymmetric devices can teach each other classification information, using SD-AVC.
• We will show how external sources can enhance application recognition.
• We will show how these new automatic signatures help application recognition in an asymmetric scenario with SD-AVC.
[Demo topology: two CSR1Kv routers, CSR-Demo-upstream and csr-demo-downstream, each see only the upstream or the downstream half of the flows from a Trex traffic generator; both send data analytics (JSON) to the SD-AVC service and pull application rules from it; SD-AVC also reads the Microsoft Office365 RSS.]
Demo Script
Note: We expedited some of the timers, this may lead to skew in status indications
1. Downstream setup not connected to SD-AVC
2. Connect downstream to the SD-AVC Network Service
   • First level of asymmetry fix
3. Enrich the devices with a Secondary Pack based on MS Office365 cloud info
4. Downstream setup classifies based on the MS info using SD-AVC
   • Second level of asymmetry fix
SD-AVC and Cloudlock CASI
SD-AVC and Cloudlock CASI – Why?
• Database synchronization between Cloudlock SaaS Security Index and SD-AVC/NBAR
• Better SaaS application recognition leveraging the Cloudlock Security Cloud infrastructure
• Better response time to application and domain changes
• Cloudlock Shadow IT visibility leveraging SD-AVC on the Cisco enterprise network
SD-AVC and Cloudlock – Self-Learning Network
[Diagram: a loop between the Network Device, SD-AVC and Cloudlock: Learning, then Analysis & Feedback from Cloudlock's Application database & Shadow-IT.]
How it works?
[Diagram: Enterprise Network with SD-AVC and Cloudlock CASI. Step 1: learning process of unfamiliar domains. Step 2: shown without a caption.]
How it works #2?
[Diagram: steps 1 and 2, updating CASI with offline application information from NBAR/CASI R&D.]
SD-AVC Delivery Plan
• Phase 1 (FCS Oct 2017)
  • IWAN 2.2.1: SD-AVC hosted on XE Container
  • Improved application recognition in Hub Asymmetric Routing environment
  • Improved first packet classification decision
  • Application recognition function serviceability
  • Protocol Pack automatic update
• Phase 2 (FCS Jan 2018)
  • Cloud/SaaS automatic signatures push (MS RSS)
  • High scale of SD-AVC sensors (6K) – support asymmetrical routing in branch routers
  • Support IWAN 2.3 DCA (Direct Cloud Access) – FCS March 2018
• Future
  • Unknown and Generic Traffic Discovery
  • High scale custom application support (1000+)
  • Viptela vManage integration
  • DNA-C App-Policy/EasyQoS use cases
  • Wireless & Switching
Q&A
Homework
What can you do?
- Use Application Visibility on the WebUI (device level visibility)
  - XE routers: supported 3.16 and up
  - Cat3K/9K: supported 16.6.1 and up
- Download and install SD-AVC on a router (network level visibility)
- Enlist for NBAR2/SD-AVC announcements: send an email with SUBSCRIBE to cisco-nbar2-pp-announcement@cisco.com
Wrap up
- NBAR2 has evolved and matured to tackle today’s network challenges
- SD-AVC introduces new innovation and advances to the network level using analytics and external sources
- The evolution of Cisco application recognition technology unleashes great capabilities on both the device side and the controller side, to provide application based solutions like SD-WAN, EasyQoS, Assurance and Security
SD-AVC makes the network more intuitive.
Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.
Continue Your Education
• Come and meet us on DevNet zone SD-AVC Demo Pod
• Whisper Suite
• Meet the Engineer 1:1 meetings
Thank you