The Network Architecture for Digital Organizations
Cisco Digital Network Architecture
Ljubljana, Slovenia, April 20th 2016
Petr Pavlu ([email protected])
Director Technical Sales Organization
EMEAR Central, Cisco
Agenda
• Introducing DNA
• Examples of DNA components
  • Virtualization
  • Automation
  • Analytics
• Summary
IT Priorities for Digital Transformation
IT Must Simplify to Accelerate Digital Innovation
Faster Innovation | Reduce Cost & Complexity | Lower Risk
• Static budgets
• Only 30% of digital projects will succeed
• More devices, apps, users
• Technology innovation speed
• OpEx 2-3 X the CapEx
• Slow IT processes
• Cost of business disruption
• 80 days to discover threats
• New regulations
Network Requirements for the Digital Organization
Insights & Experiences: Visibility and Analytics (users | devices | applications | threats)
Automation & Assurance: Speed and Simplicity
Security & Compliance: Real-time & Dynamic Threat Defense
Digital Business – Application-Driven Agility
80%: Time IT spends on operations; 57%: CEOs are worried about IT strategy not supporting business growth (Source: Forrester)
Network Expenses: CAPEX 33% | OPEX 67%
Deployment Speed (seconds, log scale 0 / 10 / 100 / 1000): Computing vs. Networking (Source: Open Compute Project)
“…While other components of the IT infrastructure have become more programmable and allow for faster, automated provisioning, installing network circuits is still a painstakingly manual process...”
—Andrew Lerner, Gartner Research
Cisco Digital Network Architecture
Network-enabled Applications: Cloud-enabled | Software-delivered
Cloud Service Management: Policy | Orchestration
Automation: Abstraction & Policy Control from Core to Edge
Analytics: Network Data, Contextual Insights
Virtualization: Physical & Virtual Infrastructure | App Hosting
Principles: Open & Programmable | Standards-Based; Open APIs | Developers Environment
Insights & Experiences | Automation & Assurance | Security & Compliance
Cisco Digital Network Architecture
Why Virtualization for the Network?
Lower operating costs AND deploy new capabilities faster
• IoT: IoT devices will triple by 2020
• Mobility: Mobile traffic will exceed wired traffic by 2017
• Analytics: 76% of companies planning to or investing in Big Data
• Cloud: 80% of organizations will primarily use SaaS by 2018
What is a Service Container?
Service Containers use virtualization technology (LXC and KVM) to provide a hosting environment on Cisco routers/switches for applications which may be developed and released independent of platform release cycles. In short, a virtualized environment on a Cisco device.
Use Case Cisco Virtual Services:
• Lightweight Application Hosting
• Example: ISR-WAAS (KVM)
• Example: SNORT (LXC)
Use Case Third Party Services:
• KVM Hosted Applications
IOS-XE Service Container Architecture (diagram): Network OS with IOSd (control plane), platform-specific data plane, AppNav and virtual Ethernet; Linux OS hosting the service containers (LXC, KVM); virtual services are Cisco apps (ISR-WAAS, Snort) and customer and 3rd party applications (KVM only).
Introducing: Cisco Enterprise NFV
Network services in minutes, on any platform
Platforms: ISR 4K + UCS E-Series | UCS C-Series | NFV Platform (coming soon)
Layers: Network Functions Virtualization Infrastructure Software (NFVIS); Enterprise Service Automation (ESA)
VNFs: Virtual Router (ISRv) | Virtual Firewall (ASAv) | Virtual WAN Optimization (vWAAS) | Virtual Wireless LAN Controller (vWLC) | 3rd Party VNFs
• Enterprise NFV aims to offer virtualized NETWORK services and APPLICATION hosting
• Reduce hardware landscape in the branch
• Support for both Cisco and non-Cisco VNFs and applications
• Number of VNFs / Applications depends on host resource availability
VNF and Applications in Enterprise NFV
Enterprise NFV Phase 1 VNFs & Applications
VNF                        Function
ISRv                       L3-L7 integrated routing
vASA                       Firewall
vWAAS                      WAN Optimization
vWLC                       Wireless LAN Controller
Juniper SRX                Firewall
Windows / Linux server     Applications (DNS, File Servers etc.)
Additional List of Cisco VNF Candidates
VNF                        Function
Firepower Threat Defense   IPS/IDS
SRST                       VoIP Call Control
Unity Cxn                  VoIP Voicemail / AA
WSAv                       Web security
CUBE                       SIP Trunking
Branch Virtualization – On premise Options
Option 1: Branch Integrated L4-7 services
• ISR4K-4K + UCS-E or ISR4K-4K + Service Containers
• ISR4K-4K performs L3/L4 and transport functions
• Services (Firewall, WAAS..) virtualized on UCS-E
• Multi-vendor options for Services
Option 2: Virtualized L4-7 service on external x86 with ISR4K-4K
• ISR4K-4K + UCS
• ISR4K-4K performs L3/L4 transport functions
• Services (Firewall, WAAS..) virtualized on external server
• Multi-vendor options for Services
Option 3: Fully virtualized Branch
• L3/L4 transport and network services virtualized
• UCS platform hosting all service functions
• Multi-vendor options for Services
Cisco Digital Network Architecture
Automation: Cisco APIC-EM Automation Platform
Complete Lifecycle | Consistent End to End
“Unlike other SDN solutions, APIC-EM can be deployed on our existing infrastructure so we can move quickly with minimum risk and maximum investment protection.”
CJ Singh, Chief Technology Officer, Backcountry.com
“The inherent programmability of Cisco APIC-EM allows us to drive innovation and improve on user experience on a world-class infrastructure. It is a solid foundation to embark on a journey to SDN.”
Raj Gulani, Director Product Management, Citrix
Open and Extensible | Enterprise Scale and Resiliency | Automation and Services
Industry-Leading Network Controller: Open APIs | Group-based Policy | Clustering Technology | Cloud Connected Telemetry | Complete Abstraction
Cisco APIC-EM Customer Momentum
• 1000s of DevNet Developers
• 160+ Customers
• Deployments running up to 4000 devices
APIC-EM Platform Architecture
Northbound REST API: Open and Documented REST API (http://developer.cisco.com)
APIC-EM Applications: Network PnP | IWAN | Path Trace | Network Inventory | Advanced Topology Visualizer
• Applications built on top of APIC-EM
• Applications packaged with APIC-EM: core applications bundled, IWAN Application separately licensed
APIC-EM Services (core services and application-specific services): Inventory Manager | RBAC | Policy Analysis | Policy Programmer | Network PnP | Data Access Service | Topology Services | IWAN Services
Elastic Controller Infrastructure (Grapevine): provides scale and high availability
IOS | ASIC
Introducing APIC-EM and Early Apps
3 NEW APPLICATIONS
Day 0: Plug-and-Play App
• Zero touch deployment of routers / switches / APs
• Shrinks deployment from months to minutes
Day 1: Cisco IWAN App
• Guided, fast auto-provisioning of IWAN solution with Cisco experts’ best practices
• From 1000s of CLI commands to a few policy deployments with a few GUI clicks per branch
Day 2: Path Trace App
• Discover path between two end points based
• Lower OPEX for trouble ticket processing by 98%
Applications: Security | Orchestration | Automation | Collaboration
REST API
SOUTHBOUND ABSTRACTION LAYER
CATALYST | ISR | ASR | WIRELESS
EN TECHNOLOGY DIFFERENTIATION
APIC-EM Packaging and Deployment
Built as a Linux Container
• Grapevine Root plus LXC containers, each running a GV Client, on the operating system of the server / machine
Standalone or Resilient Deployment
• 3 Nodes: active-active-active; scale and HA covering software failure and HW failure of 1 node
• 1 or 2 Nodes: active-active; scale and HA covering software failure only
Download or Preinstalled Appliance
• Download: .iso image including Ubuntu 14.04 64bit; available from software.cisco.com and devnet.cisco.com
• Cisco Appliance: APIC-EM installed, ready-to-go; SKU APIC-EM-APL-R-K9 or APIC-EM-APL-G-K9
Coming: APIC-EM QoS Automation - EasyQoS
Static QoS: Network operators express high-level business intent to APIC-EM EasyQoS; southbound APIs translate business intent to platform-specific configurations.
Dynamic QoS: Applications can ALSO interact with APIC-EM via northbound APIs, informing the network of application-specific and dynamic QoS requirements; southbound APIs translate business intent to platform-specific configurations as they are needed.
Cisco Digital Network Architecture
AVC (Application Visibility And Control)
NBAR2: Protocol Pack | Custom Signature (URL, Port, IP Address, SSL, PPDK)
Flexible NetFlow | PerfMon
Delivers: Application Recognition | Reporting of Usage (BW, Top Users, Perf Metrics) | Troubleshoot applications | Business policy driven routing
Network Based Application Recognition (NBAR): 1000+ Signatures (Recognizes 1400+ Apps) | Advanced Classification Techniques | Native IPv4/IPv6 Classification | Advanced Field Extraction | Custom Signature Builder
• Classification of L4-L7 application traffic: NBAR is used as the Deep Packet Inspection (DPI) engine
• Can be used with Protocol Discovery to get an idea of traffic patterns in the network
• Can be used with MQC (Modular QoS CLI) to control the traffic patterns in the network
• Supported devices: ISR-G2 (86x, 88x, 89x, 19xx, 29xx, 39xx), 44xx, ASR1k, CSR1kV, WLC (2508, 8500, 7500, 55xx), 3850/5760 (AP based)
• Protocol Pack allows adding more applications without upgrading or reloading IOS
• Classifies 140+ kinds of encrypted traffic
Gain Insights & Innovate with Cisco CMX
DETECT: Presence and location detection | Visibility (Wi-Fi, BLE)
CONNECT: Easy Wi-Fi login, custom or social | Zone-based, custom splash pages
ENGAGE: App-based mobile engagement | Context-aware in-venue experiences
ANALYTICS: Presence | Location | Social
Gain Business Insights Through Analytics
• Presence & Analytics: Visitors vs. Passerbys, Repeat vs. New Visitors, Dwell Time, Busiest Hour, Day, Visitor Sentiment, Conversion Rate
• Heat Maps: Building/Floor; Where do visitors spend time? Which paths did visitors take?
• Correlation
Now available as a cloud service: https://cmxcisco.com/
Visibility with Cisco Identity Services Engine (ISE): Discover Known and Unknown in Your Network
Access Policy driven by Network / User Context: Who | What | Where | When | How
Partner Context Data via pxGrid
Consistent Secure Access Policy Across Wired, Wireless, and VPN
Network as a Sensor: Lancope StealthWatch
Real-time visibility at all network layers
• Data intelligence throughout network
• Assets discovery
• Network profile
• Security policy monitoring
• Anomaly detection
• Accelerated incident response
Diagram: NetFlow from the network into StealthWatch; Context Information and Mitigation Action exchanged with Cisco ISE over pxGrid
access-list 102 permit icmp 186.246.40.245 0.255.255.255 eq 3508 191.139.67.54 0.0.1.255 eq 1479
access-list 102 permit ip 209.111.254.187 0.0.1.255 gt 4640 93.99.173.34 255.255.255.255 gt 28
access-list 102 permit ip 184.232.88.41 0.0.31.255 lt 2247 186.33.104.31 255.255.255.255 lt 4481
access-list 102 deny ip 106.79.247.50 0.0.31.255 gt 1441 96.62.207.209 0.0.0.255 gt 631
access-list 102 permit ip 39.136.60.170 0.0.1.255 eq 4647 96.129.185.116 255.255.255.255 lt 3663
access-list 102 permit tcp 30.175.189.93 0.0.31.255 gt 228 48.33.30.91 0.0.0.255 gt 1388
access-list 102 permit ip 167.100.52.185 0.0.1.255 lt 4379 254.202.200.26 255.255.255.255 gt 4652
access-list 102 permit udp 172.16.184.148 0.255.255.255 gt 4163 124.38.159.247 0.0.0.127 lt 3851
access-list 102 deny icmp 206.107.73.252 0.255.255.255 lt 2465 171.213.183.230 0.0.31.255 gt 1392
access-list 102 permit ip 96.174.38.79 0.255.255.255 eq 1917 1.156.181.180 0.0.31.255 eq 1861
access-list 102 deny icmp 236.123.67.53 0.0.31.255 gt 1181 31.115.75.19 0.0.1.255 gt 2794
access-list 102 deny udp 14.45.208.20 0.0.0.255 lt 419 161.24.159.166 0.0.0.255 lt 2748
access-list 102 permit udp 252.40.175.155 0.0.31.255 lt 4548 87.112.10.20 0.0.1.255 gt 356
access-list 102 deny tcp 124.102.192.59 0.0.0.255 eq 2169 153.233.253.100 0.255.255.255 gt 327
access-list 102 permit icmp 68.14.62.179 255.255.255.255 lt 2985 235.228.242.243 255.255.255.255 lt 2286
access-list 102 deny tcp 91.198.213.34 0.0.0.255 eq 1274 206.136.32.135 0.255.255.255 eq 4191
access-list 102 deny udp 76.150.135.234 255.255.255.255 lt 3573 15.233.106.211 255.255.255.255 eq 3721
access-list 102 permit tcp 126.97.113.32 0.0.1.255 eq 4644 2.216.105.40 0.0.31.255 eq 3716
access-list 102 permit icmp 147.31.93.130 0.0.0.255 gt 968 154.44.194.206 255.255.255.255 eq 4533
access-list 102 deny tcp 154.57.128.91 0.0.0.255 lt 1290 106.233.205.111 0.0.31.255 gt 539
access-list 102 deny ip 9.148.176.48 0.0.1.255 eq 1310 64.61.88.73 0.0.1.255 lt 4570
access-list 102 deny ip 124.236.172.134 255.255.255.255 gt 859 56.81.14.184 255.55.255.255 gt 2754
access-list 102 deny icmp 227.161.68.159 0.0.31.255 lt 3228 78.113.205.236 255.55.255.255 lt 486
access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165
access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428
access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511
access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945
access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116
access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959
access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993
access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878
access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467
Network as an Enforcer with TrustSec
Traditional Security Policy vs. TrustSec Security Policy across the Network Fabric: Switch | Router | DC FW | DC Switch | Wireless
Flexible and Scalable Policy Enforcement
• Software defined segmentation
• Security Control Automation
• Simplified Access Management
• Improved Security Efficacy
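The ACL wall on the previous slide is the deck's picture of why host-and-port policy becomes unmaintainable, and the TrustSec slide is its answer. The Python below is an added example, not code from the deck or from Cisco: it parses numbered extended ACL entries of that form into structured records, converts wildcard masks to prefixes, and surfaces three things a reviewer would want to know before trusting such a list: port operators on protocols that cannot carry them (IOS accepts eq/gt/lt/neq/range only with tcp and udp, so such a line was never applied), non-contiguous wildcard masks such as the slide's 255.55.255.255, and permits that match any source to any destination. The sample input is constructed: six lines copied from the slide plus one well-formed entry added for contrast; the `host` and `any` keywords and the `range` operator are handled because real ACLs use them even though the slide's entries do not.

```python
"""Parse and audit Cisco IOS numbered extended ACL entries (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the first six lines are copied from the slide's ACL wall,
# the last one is a well-formed entry added for contrast.
SAMPLE_ACL = """\
access-list 102 permit icmp 186.246.40.245 0.255.255.255 eq 3508 191.139.67.54 0.0.1.255 eq 1479
access-list 102 permit tcp 30.175.189.93 0.0.31.255 gt 228 48.33.30.91 0.0.0.255 gt 1388
access-list 102 permit udp 172.16.184.148 0.255.255.255 gt 4163 124.38.159.247 0.0.0.127 lt 3851
access-list 102 permit icmp 68.14.62.179 255.255.255.255 lt 2985 235.228.242.243 255.255.255.255 lt 2286
access-list 102 deny ip 124.236.172.134 255.255.255.255 gt 859 56.81.14.184 255.55.255.255 gt 2754
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
access-list 102 permit tcp 10.0.0.0 0.0.0.255 host 192.0.2.10 eq 443
"""

PORT_OPS = {"eq", "gt", "lt", "neq", "range"}
PORTED_PROTOCOLS = {"tcp", "udp"}  # the only protocols that take port operators in IOS


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn 'address wildcard' into a prefix. A wildcard is only meaningful when
    its set bits are contiguous low-order ones, i.e. wildcard + 1 is a power of two.
    255.255.255.255 therefore means 'any' (/0) and 0.0.0.0 means a single host (/32)."""
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.IPv4Network((a & ~w & 0xFFFFFFFF, 32 - w.bit_length()))


@dataclass
class Ace:
    raw: str
    number: int
    action: str
    proto: str
    src: Optional[ipaddress.IPv4Network]
    sport: Optional[tuple]
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[tuple]
    problems: list = field(default_factory=list)


def _take_addr(tok, i, problems):
    """Consume one address spec (any | host A | A WILDCARD) starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    try:
        return wildcard_to_network(tok[i], tok[i + 1]), i + 2
    except ValueError as exc:
        problems.append(str(exc))  # keep parsing; the finding is the point
        return None, i + 2


def _take_port(tok, i):
    """Consume an optional port operator at tok[i] ('range' takes two numbers)."""
    if i < len(tok) and tok[i] in PORT_OPS:
        n = 2 if tok[i] == "range" else 1
        return (tok[i], *map(int, tok[i + 1:i + 1 + n])), i + 1 + n
    return None, i


def audit(ace: Ace) -> Ace:
    """Attach the findings a reviewer would want to see for each entry."""
    if ace.proto not in PORTED_PROTOCOLS and (ace.sport or ace.dport):
        ace.problems.append(
            f"port operator is not valid for protocol {ace.proto}; IOS rejects this line")
    if (ace.action == "permit" and ace.src is not None and ace.dst is not None
            and ace.src.prefixlen == 0 and ace.dst.prefixlen == 0):
        ace.problems.append("permits any source to any destination")
    return ace


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny PROTO SRC [op port] DST [op port]'."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list":
        raise ValueError(f"not an ACE: {line!r}")
    problems = []
    src, i = _take_addr(tok, 4, problems)
    sport, i = _take_port(tok, i)
    dst, i = _take_addr(tok, i, problems)
    dport, i = _take_port(tok, i)
    return audit(Ace(line, int(tok[1]), tok[2], tok[3], src, sport, dst, dport, problems))


def parse_acl(text: str) -> list:
    return [parse_ace(line) for line in text.splitlines() if line.strip()]


def summarize(aces) -> dict:
    """Counts that show how much a list like the slide's is doing and how much of it is suspect."""
    return {
        "entries": len(aces),
        "permits": sum(a.action == "permit" for a in aces),
        "flagged": sum(bool(a.problems) for a in aces),
    }


if __name__ == "__main__":
    entries = parse_acl(SAMPLE_ACL)
    for a in entries:
        print(a.action, a.proto, a.src, a.sport, a.dst, a.dport, a.problems)
    print(summarize(entries))
```

Run directly, it prints each entry with its prefixes and findings; `summarize` returns the counts. The contrast the TrustSec slide draws is that a group-based policy grows with the number of groups rather than with host pairs and ports, and can be reviewed as a table instead of audited one line at a time.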
Digital Transformation Builds Digital Organizations
• Customer Experience: Delivery Control, Personalized Service
• Customer Experience: Physical and Virtual, RFID Content
• Workforce Efficiency: WIP Inventory and Part Tracking
• Customer Experience: Personalized Service Through Mobile
• Business Operations: Order Ahead, Skip the Line
Digital Organizations Need The Right Network Architecture
Cisco Digital Network Architecture
Network Architecture for Digital Organizations