Cisco Digital Network Architecture

Page 2: Cisco Digital Network Architecture

Evolution of the Enterprise Network

The Cisco Digital Network Architecture

BRKCRS-2700

Matt Falkner, Distinguished Technical Marketing Engineer
Dave Zacks, Distinguished System Engineer

Page 3: Cisco Digital Network Architecture

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public

BRKCRS-2700 – Session Overview and Objectives

Enterprise business operations are reaching new levels of digitization as multimedia applications and the Internet of Things proliferate. An increasing number of business processes are structured around digital communication and media infrastructures. The experience that network consumers are seeking is also increasingly shaped by digitization, for example with networked machines, home appliances and automation. As a result, Enterprise networks are becoming the platform for digitization, empowering business efficiency and innovation by simplifying and automating business processes while protecting and securing the global enterprise.

Cisco's Digital Network Architecture (DNA) offers a new architectural approach to meet the requirements of the digitized enterprise. This session introduces the motivation for an architecture evolution of Enterprise networks, and provides details on each of the building blocks. In particular, the concepts of network fabrics, virtualization, controllers, policy-based networking and cloud enablement are explored as the main architecture shifts.

The session also provides an insight into concrete examples of how to automate and simplify application visibility and QoS deployments for network operators.

Page 4: Cisco Digital Network Architecture

Your Instructors Today … Matthias Falkner and Dave Zacks

• Matthias is a Distinguished Engineer, Technical Marketing and has been with Cisco for 16 years. Matthias currently focuses on the evolution of Enterprise and SP network architectures, particularly on end-to-end networking, virtualization and orchestration. Matthias has held various positions in both Sales and the Business Unit.

• Dave is a Distinguished System Engineer, and has been with Cisco for 16 years. Dave works primarily with large, high-performance Enterprise network architectures, designs, and systems. Dave has over 20 years of experience with designing, implementing, and supporting solutions with many diverse network technologies.

We both have a strong interest in Cisco DNA and its components – a passion we hope to share with you via this presentation!

Page 5: Cisco Digital Network Architecture

Agenda

• DNA – Introduction and Overview
• DNA Components
  • APIC-EM & Orchestration
  • Enterprise Silicon
  • The New QoS Paradigm
  • NfV and Cloud
  • Programmability
  • Analytics
  • Network Fabrics
• DNA – Wrap Up and Conclusions

Presenters: Matt Falkner, DTME; Dave Zacks, DSE

Page 6: Cisco Digital Network Architecture

DNA – Introduction and Overview

Matt Falkner, DTME

Page 7: Cisco Digital Network Architecture

Digital Transformation is Moving IT to the Boardroom

• UPS My Choice: Delivery Control, Personalized Service, Customer Experience
• Physical and Virtual / RFID Content: Workforce Efficiency, WIP Inventory and Part Tracking
• American Express: Personalized Service Through Mobile
• Starbucks Apps: Order Ahead, Skip the Line

Page 8: Cisco Digital Network Architecture

The Network Enables Digital Business – Network Requirements for the Digital Organization

• Insights & Experiences – Drive Business Innovations
• Security & Compliance – Real-time and Dynamic Threat Defense
• Automation & Assurance – Speed, Simplicity & Visibility

Page 9: Cisco Digital Network Architecture

Network Requirements for the Digital Organization

• Insights & Experiences – Drive Business Innovations
  • Visibility into user behavior, applications and network performance
  • The customer has the elements to make decisions faster
• Automation & Assurance – Speed, Simplicity & Visibility
  • Abstraction layer: APIC-EM over Wi-Fi, Core, WAN and Cloud
  • Abstraction, Intent, Policy Automation
  • Verification of Desired Result – Assurance
• Security & Compliance – Real-time and Dynamic Threat Defense
  • Using the network as a sensor for security threats, then enforcing compliance through segmentation

Page 10: Cisco Digital Network Architecture

Evolution of Networking Software

Cisco Digital Network Architecture – Open | Extensible | Software-driven

Open APIs | Network Function Virtualization | Policy | Cloud | Analytics | Controllers | Overlays | OpenFlow | Open Compute | Standards | Model Driven

How does this come together?
• How do I deliver new applications?
• How do I improve security?
• How do I achieve speed & simplicity?
• How do I learn new software skills?

Page 11: Cisco Digital Network Architecture

Cisco Digital Network Architecture – Principles

• Cloud Service Management – Policy | Orchestration
• Automation – Abstraction & Policy Control from Core to Edge; Open & Programmable | Standards-Based; Open APIs | Developers Environment
• Virtualization – Physical & Virtual Infrastructure | App Hosting
• Analytics – Network Data, Contextual Insights
• Network-enabled Applications – Cloud-enabled | Software-delivered

Insights & Experiences | Automation & Assurance | Security & Compliance

Page 12: Cisco Digital Network Architecture

Digital Network Architecture – Vision

Diagram labels:
• Cloud Service Management – Policy | Orchestration: Service Definition & Orchestration; Enterprise Controller (Policy Determination) – Intent, Telemetry; APIs
• Enterprise Fabric: Campus, WAN / Branch (WAN Agg, Branch, SP), Data Center, Cloud, Internet (Int. Acc), with a PEP at each domain edge
• Network Function Virtualization: WAN VNFs, Campus VNFs, DC VNFs, Cloud VNFs; Apps hosted at the branch and in the cloud
• UNI: Network Interface (UNI); PEP: Policy Enforcement Point

Page 13: Cisco Digital Network Architecture

DNA Components – APIC-EM and Orchestration

Matt Falkner, DTME

Page 14: Cisco Digital Network Architecture

Controller-Led Networking – Bridging the Gap to Increased Success in Network Deployment and Use

Custom configuration: any given “custom” configuration has a very high probability of not being tested exactly as deployed (“individually—as a one off…”), which introduces potential issues: Risk, Bugs, Uncertainty, Problems, Combinatorial Issues…

Controller-led networking deployment (Automation, Trust): the automated configuration deployed by the controller will have gone through…

• Joint development by the Cisco Product Teams, the Architects developing Best Practices, and the Controller Team—“Blessed Configurations”
• Testing by Cisco’s Solution, System, and Devtest teams against the deployment use cases developed jointly, above
• And it will be deployed by 1000s, with any unforeseen situations addressed ASAP due to widespread and standardized deployment

Greatly increased probability of success

Page 15: Cisco Digital Network Architecture

Deploy, Report, Measure, Adjust, Repeat

• Automated Deployment (APIC EM) – Applications | Network | Endpoints
• Analytics – Instrumentation, Telemetry, Correlation
• Run Reports – Discover user insights, Deliver relevant content
• Measure and Adjust – “Click here to Correct” / “Always Correct this way (and never ask me again)”

Page 16: Cisco Digital Network Architecture

Evolution to a Policy Model

• Express Business Intent
• Translate into device-specific policy/configuration
• Leverage Abstraction (the controller knows about the device specifics)
• Automate the Deployment across the Network
• Ensure Fidelity to the Expressed Intent (keep everything in sync)

User policy based on user identity and user-to-group mapping (access matrix in the figure): sources Employee (managed asset), Employee (Registered BYOD), Employee (Unknown BYOD) and ENG VDI System; protected assets Production Servers, Development Servers and Internet Access; each source/asset pair is PERMIT or DENY.

De-coupling of User Identity and Topology – much easier to translate business objectives to network functionality—Lowers TCO

Controller-based Automation (configuration over time): today configuration is mostly Traditional with a growing share of Policy; Policy based Configuration—Dynamic, able to be automated by the Controller; Over time—Policy grows, static shrinks

Page 17: Cisco Digital Network Architecture

APIC-EM Policy Construct

Network Users
• User-identifier (tenant/user)
• Application
• Device Type
• Location

Resources
• User-identifier (tenant/user)
• Application
• Device Type
• Location

Actions
• Permit
• Deny
• Copy
• Monitor
• Redirect (L3, L4, L7)
• No copy
• No redirect

Action Properties
• Priority Level
• Resource Level
• Experience Level
• Trust Level
• Destination
• Sample Rate

Policy Properties
• Policy Creator
• Policy Name
• Policy Scope
• Policy Priority
• Policy Time: Start Time, End Time, Hard timeout, Idle timeout, Recurrence

Event Triggers

• High Level Business Intent Policies
• Automatically converted to Network Language
• Conflict Detection and Resolution
• Extensible
• Supports different patterns of policies: Access Policies; Event – Condition – Action
• Includes Collections (Ex: a group of userids, a group of applications, etc.)
• Choose custom tags for policies
• Choose multiple attributes in each category

Page 18: Cisco Digital Network Architecture

APIC-EM – Services and Apps

Diagram labels: Grapevine platform; APIC-EM Services; APIC-EM Applications; Northbound REST APIs; NETWORK

• Service categories: Network Information Base (NIB), Basic Services, User Identity Helper Services, Application Identity Helper Services, Policy Creation Services, Policy Helper Services, Policy Analysis Services, Legacy Support Services, IWAN Services
• Services: Inventory, Topology, Discovery, Network Discovery, Statistics Manager, NetFlow Collector, Network Events, Network Programmer, Network Tapping, QoS Compliance, Compliance Check, ACL Analysis, Application Visibility, Easy QoS, ZTD, DAS, Policy Engine, Policy Manager, Policy Programmer, Business Intent to Network Intent Conversion, Conflict Detection and Resolution (BI and NI), IWAN (PfR, WaaS)
• Identity helpers: pxGrid Client + LDAP client, AD Client + LDAP client, RADIUS Proxy + LDAP client
• Applications: Inventory Visualizer, Topology Visualizer, Application Visualizer, Easy QoS Visualizer, ACL Visualizer, IWAN App

Page 19: Cisco Digital Network Architecture

Network Information Base – Device Inventory: Single Source of Truth

• Real-time network device inventory and asset service management
• Includes all network devices with an abstraction for the entire network:
  • Full knowledge of the network
  • Awareness of the overall operational health of the physical network
  • Detailed inventory information for easier consumption by controller services and applications
  • Allows applications to be device agnostic
• Inventory service runs in the background to keep the DB accurate
• SNMP traps sent by devices during link up/down; APIC-EM runs discovery on that device (*)

(*) GA1

Page 20: Cisco Digital Network Architecture

APIC-EM – Device Inventory

Page 21: Cisco Digital Network Architecture

Network Information Base – Host Inventory: Single Source of Truth

• Real-time host and end-point inventory (PCs, wireless devices, IP Phones, printers etc.)
• Detailed information about each host/end-point:
  • Network attachment point for the host to the network device
  • Host Name, IP and MAC-Address information
• Host Inventory service runs in the background to maintain the accuracy of the database:
  • Information collected via CDP, LLDP and IP Device Tracking DB lookup
  • SNMP Traps used to update host inventory DB (*)

Page 22: Cisco Digital Network Architecture

Network Information Base – Discovery: Single Source of Truth

• Quick, easy and efficient network discovery
• Flexible Discovery options:
  • CDP and IP Address Range
  • Ability to Start, Stop and Delete the scan at any time
• Auto-discovery of newly added network devices
• Initiate via UI or NB REST APIs

Page 23: Cisco Digital Network Architecture

Topology Visualizer – Embedded Device Information

Page 24: Cisco Digital Network Architecture

APIC-EM Architecture

• Cisco and Third Party Applications
• REST API
• Cisco APIC Enterprise Module: Security | QoS | IWAN | Network PnP
• Network Devices: Catalyst, ASR, ISR

Masking Network Complexity, Exposing Network Intelligence.

Page 25: Cisco Digital Network Architecture

ESA Intelligent Template Selection and Management

• Goal: create branch architecture profiles based on Business INTENT
• Prescriptive or customized templates
• Intent derived by intelligent template selection based on CVD questions:
  • Internet access characteristics
  • Bandwidth
  • Wireless
  • …
• ESA proposes suitable templates

Page 26: Cisco Digital Network Architecture

DNA Components – Enterprise Silicon

Dave Zacks, DSE

Page 27: Cisco Digital Network Architecture

Foundational Pillars for the Digital Network Architecture – Driving Innovations Through Technology Investments

Programmable Custom ASICs
• Industry Leading – Wired & Wireless | Stacking | TrustSec | SDN
• Advanced Functionality – Programmable Pipeline | Flexibility | Recirculation
• Optimized for Campus – Integrated Stacking | Visibility | Security
• Future Proofed – Long Life Cycle | Investment Protection

+

Converged Software Services
• Network Enabled Applications – Collaboration | Mobility | IoT | Security
• Automation and Analytics – Controller | Visible | Programmable | Open
• Virtualization – Segmentation | L2 Flexibility
• Designed for Evolution – Strong Foundational Capabilities | HA

Page 28: Cisco Digital Network Architecture

Key Consideration

“People that are really serious about software should build their own hardware”

Page 29: Cisco Digital Network Architecture

The Hardware Makes It All Possible – Built on a Strong Foundation of Innovation

UADP – Unified Access Data Plane: Flexible, Programmable, High-Performance Switching Silicon

• Fully Programmable – excellent flexibility, ability to handle new encapsulations (CAPWAP, VXLAN, etc.) – hardware speed, software elasticity
• Scalable – massive recirculation bandwidth and low recirculation latency provide excellent tunneling and services support for traffic flows
• Advanced on-chip QoS – client-level granularity, sophisticated bandwidth shaping, with integrated on-chip NetFlow for visibility
• Secure – integrated on-chip support for MACsec encryption
• Extensible Architecture – ability to scale both up and down – the foundation for a long-lived family of high-performance, flexible switching silicon

Page 30: Cisco Digital Network Architecture

The Hardware Makes It All Possible – Built on a Strong Foundation of Innovation

QFP – QuantumFlow Processor: Advanced, Multi-Core, Feature-Rich Routing Silicon

• Fully Programmable – leveraging the many features of IOS-XE with hardware performance
• Scalable – massive number of CPU cores (40 / 64), ability to cascade multiple CPUs = consistent high performance
• Advanced on-chip QoS – 100,000+ hardware-based queues, sophisticated traffic shaping and control
• Secure – linkage to high-performance crypto capability for secure WAN transport
• Extensible Architecture – ability to scale both up and down – the foundation for a long-lived family of high-performance, flexible routing silicon

Page 31: Cisco Digital Network Architecture

Diving into Hardware – The Need for Programmability

Page 32: Cisco Digital Network Architecture

ASIC Processing Pipeline

Traditionally the pipeline is FIXED

Page 33: Cisco Digital Network Architecture

Industry Trends – SDN

Page 34: Cisco Digital Network Architecture


Page 35: Cisco Digital Network Architecture

Programmable ASICs – DNA Hardware Innovation

Page 36: Cisco Digital Network Architecture

The Big Question …

So where can Programmable ASICs help us?

Page 37: Cisco Digital Network Architecture

Striking the Right Balance

Page 38: Cisco Digital Network Architecture

Programmability Introduces Flexible Pipelines …

Page 39: Cisco Digital Network Architecture

ASIC Programmable Pipeline

Modify processing behavior without incurring a re-spin

Page 40: Cisco Digital Network Architecture

Unified Access Data Plane – Programmable Switching Silicon

Page 41: Cisco Digital Network Architecture


Page 42: Cisco Digital Network Architecture


Page 43: Cisco Digital Network Architecture

• Parse depth of 256 Bytes
• 15 programmable stages
• Up to 250 frames across stages at one time…

Page 44: Cisco Digital Network Architecture

What does this mean for me?

Page 45: Cisco Digital Network Architecture

UADP Programmable Hardware equals FLEXIBILITY and INVESTMENT PROTECTION

Page 46: Cisco Digital Network Architecture

• Traffic Visibility – e.g. NetFlow
• Control – Wired / Wireless QoS / Security
• Scalability – 802.11ac

Page 47: Cisco Digital Network Architecture

Possible Future UADP Use Cases

• MPLS
• VXLAN
• TRILL*
• SPB*
• and more…

* Not Committed

Page 48: Cisco Digital Network Architecture


Page 49: Cisco Digital Network Architecture

QuantumFlow Processor – Programmable Routing Silicon

Page 50: Cisco Digital Network Architecture


Page 51: Cisco Digital Network Architecture


Page 52: Cisco Digital Network Architecture


Page 53: Cisco Digital Network Architecture

What does this mean for me?

Page 54: Cisco Digital Network Architecture

QFP Programmable Hardware equals FLEXIBILITY and PERFORMANCE

Page 55: Cisco Digital Network Architecture


Page 56: Cisco Digital Network Architecture

QFP Feature Velocity – Over 2600 features

Page 57: Cisco Digital Network Architecture


Page 58: Cisco Digital Network Architecture

Critical Role of ASICs

Page 59: Cisco Digital Network Architecture

Cisco Programmable Silicon – Want to Know More?

And watch us on … http://vimeo.com/155635184

Attend session BRKARC-3467, Tuesday morning, 8:00am to 9:30am, Tropics B, Lower Level – Peter Jones, PE and Dave Zacks, DSE

Page 60: Cisco Digital Network Architecture

DNA Components – The New QoS Paradigm

Dave Zacks, DSE

Page 61: Cisco Digital Network Architecture

The Why / How / What of Enterprise Networking

Why – Cisco Enterprise Vision: Transform our customers’ businesses through powerful yet simple networks.

How – the levels of QoS policy abstraction that follow

Page 62: Cisco Digital Network Architecture

Levels of QoS Policy Abstraction – Strategic vs. Tactical

• Strategic QoS Policy (WHY)
  • reflects business intent
  • not constrained by any technical or administrative limitation
  • end-to-end
• Tactical QoS Policy (HOW)
  • expresses the strategic business intent with maximum fidelity
  • limited by tactical constraints, including:
    • Media (e.g. WLAN has only 4 levels of service)
    • Platform (e.g. Catalyst 3750 has only 4 hardware queues)
    • Interface (e.g. T1 WAN link has limited bandwidth)
    • Role (e.g. CE may need to map into a reduced sub-set of SP Classes-of-Service)

Page 63: Cisco Digital Network Architecture

APIC-EM / EasyQoS

Page 64: Cisco Digital Network Architecture

Business Value of EasyQoS

• Provides End-to-End Orchestration of QoS in the Enterprise Network
• Simple and easy to deploy: the operator expresses business relevance for applications and the controller does the rest “under-the-hood”
• Works for both Greenfield and Brownfield deployments
• Business Intent Driven while abstracting platform/media/capability details
• End-to-End provisioning done in minutes (vs. months) leveraging industry standards and Cisco Validated Designs
• Reduces time to onboard new applications and allows SLA compliance

Page 65: Cisco Digital Network Architecture

Why Deploy an SDN QoS Solution?

• QoS is application-centric
• QoS is pervasive
• QoS is complex
• SDN presents new QoS capabilities (e.g. Dynamic QoS)

Page 66: Cisco Digital Network Architecture

Determining Business Relevance – How Important is an Application to Your Business?

• Relevant (RFC 4594)
  • These applications directly support business objectives
  • Applications should be classified, marked and treated according to industry best-practice recommendations
• Default (RFC 2474)
  • These applications may/may not support business objectives (e.g. HTTP/HTTPS/SSL)
  • Applications of this type should be treated with a Default Forwarding service
• Irrelevant (RFC 3662)
  • These applications do not support business objectives and are typically consumer-oriented
  • Applications of this type should be treated with a “less-than Best Effort” service

Page 67: Cisco Digital Network Architecture

What Do We Do Under-the-Hood? Apply RFC 4594-based Marking / Queuing / Dropping Treatments

| Business Relevance | Application Class | Per-Hop Behavior | Queuing & Dropping | Application Examples |
|---|---|---|---|---|
| Relevant | VoIP Telephony | EF | Priority Queue (PQ) | Cisco IP Phones (G.711, G.729) |
| Relevant | Broadcast Video | CS5 | (Optional) PQ | Cisco IP Video Surveillance / Cisco Enterprise TV |
| Relevant | Real-Time Interactive | CS4 | (Optional) PQ | Cisco TelePresence |
| Relevant | Multimedia Conferencing | AF4 | BW Queue + DSCP WRED | Cisco Jabber, Cisco WebEx |
| Relevant | Multimedia Streaming | AF3 | BW Queue + DSCP WRED | Cisco Digital Media System (VoDs) |
| Relevant | Network Control | CS6 | BW Queue | EIGRP, OSPF, BGP, HSRP, IKE |
| Relevant | Signaling | CS3 | BW Queue | SCCP, SIP, H.323 |
| Relevant | Ops / Admin / Mgmt (OAM) | CS2 | BW Queue | SNMP, SSH, Syslog |
| Relevant | Transactional Data | AF2 | BW Queue + DSCP WRED | ERP Apps, CRM Apps, Database Apps |
| Relevant | Bulk Data | AF1 | BW Queue + DSCP WRED | E-mail, FTP, Backup Apps, Content Distribution |
| Default | Default Forwarding | DF | Default Queue + RED | Default Class |
| Irrelevant | Scavenger | CS1 | Min BW Queue (Deferential) | YouTube, Netflix, iTunes, BitTorrent, Xbox Live |
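As an added worked example (not from the slides), the marking rule of the Business Relevance slide and the twelve-class table above, then collapsed onto a platform with fewer hardware queues as the Strategic vs. Tactical slide describes; the 1P3Q3T queue assignment, the choice of the AFx1 codepoint for each AF class and the constructed "Consumer streaming" class are assumptions for this illustration, not a Cisco Validated Design.

```python
"""Strategic vs. tactical QoS: the slide's twelve RFC 4594 classes, marked by
business relevance, then collapsed onto a platform with fewer hardware queues.
Added example; class names are from the slide, everything else is illustrative."""
from dataclasses import dataclass
from typing import Dict, List

# DSCP codepoints for the per-hop behaviours in the table (RFC 2474, RFC 2597, RFC 3246).
# The slide names the AF classes as AF1..AF4; RFC 4594 recommends the x1 drop
# precedence (AF11, AF21, AF31, AF41) as the class marking, which is used here.
DSCP: Dict[str, int] = {
    "EF": 46, "CS6": 48, "CS5": 40, "CS4": 32, "CS3": 24, "CS2": 16, "CS1": 8,
    "AF41": 34, "AF31": 26, "AF21": 18, "AF11": 10, "DF": 0,
}


@dataclass(frozen=True)
class AppClass:
    name: str
    phb: str         # per-hop behaviour from the strategic (RFC 4594) model
    relevance: str   # "Relevant" | "Default" | "Irrelevant", set by the business owner


# Strategic policy: the twelve classes of the slide's table.
STRATEGIC: List[AppClass] = [
    AppClass("VoIP Telephony", "EF", "Relevant"),
    AppClass("Broadcast Video", "CS5", "Relevant"),
    AppClass("Real-Time Interactive", "CS4", "Relevant"),
    AppClass("Multimedia Conferencing", "AF41", "Relevant"),
    AppClass("Multimedia Streaming", "AF31", "Relevant"),
    AppClass("Network Control", "CS6", "Relevant"),
    AppClass("Signaling", "CS3", "Relevant"),
    AppClass("Ops / Admin / Mgmt (OAM)", "CS2", "Relevant"),
    AppClass("Transactional Data", "AF21", "Relevant"),
    AppClass("Bulk Data", "AF11", "Relevant"),
    AppClass("Default Forwarding", "DF", "Default"),
    AppClass("Scavenger", "CS1", "Irrelevant"),
]


def mark(app_class: AppClass) -> int:
    """Marking rule of the Business Relevance slide: relevant traffic keeps its
    RFC 4594 class marking, default traffic gets DF, and anything the business
    declares irrelevant is re-marked to the scavenger codepoint CS1 (RFC 3662)
    no matter which class it would otherwise claim."""
    if app_class.relevance == "Default":
        return DSCP["DF"]
    if app_class.relevance == "Irrelevant":
        return DSCP["CS1"]
    return DSCP[app_class.phb]


# Tactical constraint: a 1P3Q3T egress model (one strict-priority queue plus three
# weighted queues, the model listed for the Catalyst 2960-X on the EasyQoS Solution
# slide). Which PHBs land in which queue is an illustrative assumption, not a quoted CVD.
QUEUE_1P3Q3T: Dict[str, frozenset] = {
    "PQ": frozenset({"EF", "CS5", "CS4"}),                          # real-time
    "Q2": frozenset({"CS6", "CS3", "CS2", "AF41", "AF31", "AF21"}),  # control, signaling, OAM, interactive and transactional data
    "Q3": frozenset({"DF"}),                                         # default
    "Q4": frozenset({"CS1", "AF11"}),                                # scavenger and bulk, minimum bandwidth
}


def phb_for_dscp(dscp: int) -> str:
    """Reverse lookup; a codepoint with no configured PHB is treated as Default (RFC 2474, section 3)."""
    for phb, value in DSCP.items():
        if value == dscp:
            return phb
    return "DF"


def egress_queue(dscp: int, queue_map: Dict[str, frozenset] = QUEUE_1P3Q3T) -> str:
    """Queue the platform would use for a packet carrying this DSCP."""
    phb = phb_for_dscp(dscp)
    for queue, phbs in queue_map.items():
        if phb in phbs:
            return queue
    return "Q3"  # a PHB the platform map does not mention goes to the default queue


def tactical_policy(strategic: List[AppClass] = STRATEGIC,
                    queue_map: Dict[str, frozenset] = QUEUE_1P3Q3T) -> Dict[str, List[str]]:
    """Collapse the strategic intent onto the platform: class names per egress queue."""
    policy: Dict[str, List[str]] = {queue: [] for queue in queue_map}
    for app_class in strategic:
        policy[egress_queue(mark(app_class), queue_map)].append(app_class.name)
    return policy


if __name__ == "__main__":
    for queue, classes in tactical_policy().items():
        print(f"{queue}: {', '.join(classes)}")
```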


Page 68: Cisco Digital Network Architecture

EasyQoS Solution

• Network Operators express high-level business-intent to APIC-EM EasyQoS
• Applications can interact with APIC-EM via Northbound APIs, informing the network of application-specific and dynamic QoS requirements
• Southbound APIs translate business-intent to platform-specific configurations

Platforms and queuing models in the diagram (PEP = Policy Enforcement Point at each Trust Boundary):
• Wireless AP – 4Q (WMM)
• WLC – PEP
• Catalyst 2960-X – 1P3Q3T
• Catalyst 3650 – 2P6Q3T
• Catalyst 4500 – 1P7Q1T
• Catalyst 6500 – 1P3Q4T / 1P7Q4T / 2P6Q4T
• Nexus 7700 – F3: 1P7Q1T
• ASR/ISRs – MQC

Page 69: Cisco Digital Network Architecture

Dynamic QoS

Page 70: Cisco Digital Network Architecture

Business Value of Dynamic QoS

• No need to open a wide UDP port-range in your trust boundary, making your network more secure
• No need for DPI at the edge
• Classification becomes application-aware, yet lightweight
• Supports wireless & BYOD devices without client software upgrades
• Supports brownfield deployments

Page 71: Cisco Digital Network Architecture

Application Driven Network Dynamics – Dynamic Policy Management for Cisco Jabber / MS-Lync Audio / Video

Call setup:
1. Client A calls client B
2. Client sends call setup info to the App server
3. App Server calls APIC-EM (SDN API) to set up the policy – Application Dynamic Policy Management
4. QoS policy enabled on the network device

Call teardown:
1. Call ends
2. Client sends call teardown info to the App Server
3. App Server calls APIC-EM (SDN API) to delete the policy – Application Dynamic Policy Management
4. QoS policy removed from the network device
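The call setup and teardown exchange above, as an added simulation that is not APIC-EM code or its API: a per-flow policy is installed and removed on the app server's signal, and the Hard timeout and Idle timeout from the APIC-EM Policy Construct slide reclaim a policy whose teardown never arrives, so the trust boundary never holds more than the exact 5-tuple of a live call. The controller class, method names, timeout values and addresses are constructed for this example.

```python
"""Dynamic QoS lifecycle of the Jabber / Lync slide, as a constructed simulation.
A per-flow policy is installed when the app server signals call setup and removed
on teardown; the hard and idle timeouts from the APIC-EM Policy Construct slide
reclaim policies whose teardown never arrives."""
from dataclasses import dataclass
from typing import Dict, List

DF, EF = 0, 46  # Default Forwarding and Expedited Forwarding DSCP codepoints


@dataclass(frozen=True)
class Flow:
    """Exact 5-tuple taken from the call setup: no port range is opened."""
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int


@dataclass
class DynamicPolicy:
    flow: Flow
    dscp: int
    installed_at: float
    last_seen: float
    hard_timeout: float
    idle_timeout: float

    def expired(self, now: float) -> bool:
        # Hard timeout bounds the total lifetime; idle timeout catches abandoned flows.
        return (now - self.installed_at >= self.hard_timeout
                or now - self.last_seen >= self.idle_timeout)


class DynamicQoSController:
    """Stand-in for the controller role on the slide (constructed; not APIC-EM's API).
    Holds the per-flow policies and records what it would push to, or remove from,
    the network device at the client's attachment point."""

    def __init__(self, hard_timeout: float = 3600.0, idle_timeout: float = 300.0):
        self.hard_timeout = hard_timeout
        self.idle_timeout = idle_timeout
        self.policies: Dict[Flow, DynamicPolicy] = {}
        self.device_log: List[str] = []

    def setup(self, flow: Flow, dscp: int, now: float) -> None:
        """App server -> controller: call set up, mark exactly this flow."""
        self.policies[flow] = DynamicPolicy(flow, dscp, now, now,
                                            self.hard_timeout, self.idle_timeout)
        self.device_log.append(f"t={now:g} install {flow} dscp={dscp}")

    def teardown(self, flow: Flow, now: float) -> bool:
        """App server -> controller: call ended, remove the policy. Idempotent."""
        if self.policies.pop(flow, None) is None:
            return False
        self.device_log.append(f"t={now:g} remove {flow}")
        return True

    def flow_seen(self, flow: Flow, now: float) -> None:
        """Telemetry from the device: packets of this flow are still arriving."""
        if flow in self.policies:
            self.policies[flow].last_seen = now

    def expire(self, now: float) -> List[Flow]:
        """Periodic sweep: remove policies whose teardown never arrived."""
        gone = [flow for flow, policy in self.policies.items() if policy.expired(now)]
        for flow in gone:
            self.teardown(flow, now)
        return gone

    def classify(self, flow: Flow, now: float) -> int:
        """Marking the device applies: the policy's DSCP only for an installed,
        unexpired flow; everything else stays Default Forwarding."""
        policy = self.policies.get(flow)
        if policy is None or policy.expired(now):
            return DF
        return policy.dscp


if __name__ == "__main__":
    ctrl = DynamicQoSController()
    call = Flow("10.1.1.10", "10.1.2.20", "udp", 50000, 50002)  # constructed addresses
    ctrl.setup(call, EF, now=0.0)
    ctrl.teardown(call, now=120.0)
    print("\n".join(ctrl.device_log))
```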


Page 72: Cisco Digital Network Architecture

APIC-EM EasyQoS At-A-Glance

Page 73: Cisco Digital Network Architecture

DNA Components – NfV and Cloud

Matt Falkner, DTME

Page 74: Cisco Digital Network Architecture

Hosted and Hosting Network Functions

Virtualization – Physical & Virtual Infrastructure | App Hosting

Diagram labels: vBranch sites running NFVIS with IP, WAAS, IPS and vSwitch functions; Enterprise Fabric with WAN Agg and PEPs; Encryption on the links to a Public Cloud VPC (AWS VPC) hosting WAAS, IPS and Apps; Network Interface (UNI); PEP: Policy Enforcement Point

Page 75: Cisco Digital Network Architecture

Leaning Forward … into DNA Enterprise Network Function Virtualization

Page 76: Cisco Digital Network Architecture

What Enterprise NfV Can Do For You

• Quickly roll out new services and locations
• Gives you flexible deployment options
• Simplify day-to-day operations

Simple and easy to design, provision, and manage the trusted services that are critical to your business

Page 77: Cisco Digital Network Architecture

Enterprise NfV Solution Architecture

• Various host options for different branch sizes: ISR-4K + UCS-E, UCS x86 Server, ENCS
• Software host managing virtualization and hardware: NFVIS (Network Function Virtualization Infrastructure Software) – Hypervisor, Virtual Switching, Platform Management, API Interface
• VNF and application hosting with 3rd-party support: ISRv, ASAv, WAAS, vWLC, 3rd-party VNFn; App1, App2 … Appn
• Common Orchestration and Management across virtual & physical network

Page 78: Cisco Digital Network Architecture

Enterprise NfV – Virtualization Models

• NFVIS – a common, Linux-based host OS across physical hosts to facilitate virtualization

• Enhances router-based virtualization

Diagram: three models. Full NfV – VM1 … VMn run on NFVIS (Linux, with PnP Client, Web UI, Security, Licensing, Monitor and LCM). L4-7 NfV – VM1 … VMn run on NFVIS next to IOS XE. Router-integrated NFV (router-based virtualization) – VM1 … VMn run in an IOS XE Container.

Page 79: Cisco Digital Network Architecture

Enterprise Service Automation – Branch Profile Design

Workflow: upload devices to be shipped; upload the branch locations; custom design a profile (select functions, pick validated topologies, associate the templates & attributes); map to branch(s).

Page 80: Cisco Digital Network Architecture

Power in Software – NFVIS Software Stack

Linux, Platform Drivers, Interface Drivers

Virtualization Layer – Hypervisor & vSwitch

NFVIS services: Plug-n-Play Client (talks to the Plug-n-Play Server), Health Monitor, Device Web Portal

Management interfaces: Console/SSH CLI, NETCONF (YANG), REST, and an Orchestration API over HTTPS used by APIC-EM / Prime

Page 81: Cisco Digital Network Architecture

Orchestration & Management for Day 0/1

• ESA, PI and APIC-EM collaborate in the initial bring-up / provisioning of a branch

Diagram: the branch office host (NFVIS running IPS, WAAS and a vSwitch) reports its serial number (SN) and IP over the WAN to the APIC-EM / Prime Infrastructure PnP server, which holds the Day 0/1 config repository. Enterprise Services Automation (ESA) maps profiles to serial numbers and provisions the host and its VNFs (CSR 1000v, ASAv, WAAS, vWLC, vNAM, 3rd-party VNFn, App1 … Appn) through the NFVIS REST API and ESC-Lite. Hosts: ISR-4K + x86 on UCS-E, or UCS x86 Server; NFVIS provides the API Interface, Platform Management, Hypervisor and Virtual Switching.

Page 82: Cisco Digital Network Architecture

Best-of-Breed Trusted Services from Cisco – Consistent Software Across Physical and Virtual

ISRv | vWAAS | vWLC | ASAv/FTD

Attributes shown: High Performance; Rich Features; End-to-end Support; Proven Software; Application Optimization; Superior Caching with Akamai Connect; Survivability & Scale; Consistency across the Data Center and Switches; Built for small and medium branches; Comprehensive Protection; Full DC-class Featured Functionality; Designed for NFV; Cost-effective with NFV

* Windows 2012 and Linux Server also supported

Page 83: Cisco Digital Network Architecture

Leaning Forward … into DNA Cloud Edge

Page 84: Cisco Digital Network Architecture

Cloud-Enabled Networking – Overview

Diagram: three cloud models for Branch, Teleworker and Campus/HQ: Cloud Connected (Simplicity | Speed), Cloud Delivered (Innovation | Insights) and Cloud Edge (IaaS Scale | Flexibility). Services shown: Plug & Play, CMX, Business Analysis, Telemetry, Continuous Innovation, Cloud-based Audits. Cloud Edge runs CSR1000V, vASA, FTD and vStrataWatch in a VPC / vDC on a hybrid cloud (AWS | Rackspace | Azure) reached over the WAN.

Page 85: Cisco Digital Network Architecture

Example: DNA Cloud Edge

• Cisco CSR 1000v for VPC & remote worker connectivity

• Leverage SSLVPN access via AnyConnect, IPsec (e.g. IWAN)

• Support for Amazon AWS, Microsoft Azure

Diagram: vBranch sites (NFVIS with IPS, WAAS and a vSwitch) and the WAN aggregation site on the Enterprise Fabric connect over encrypted links to a public cloud VPC that hosts IPS and WAAS under an orchestrator and an EMS. UNI = User Network Interface; PEP = Policy Enforcement Point.

Page 86: Cisco Digital Network Architecture

DNA Components – Programmability

Matt Falkner, DTME

Page 87: Cisco Digital Network Architecture

Configuration Management Today

jafrazie$ ssh [email protected]
[email protected]'s password:
cho# conf t
Enter configuration commands, one per line. End with CNTL/Z.
cho(config)#

Pros: Task Oriented, Human Friendly, Easy To Replay, No Special Tools

Cons: Software Unfriendly, Syntax/format changes, No Common Data Model, No Error Reporting

Page 88: Cisco Digital Network Architecture

Open Device Programmability

Automate (Set / Get) against the Physical and Virtual Network Infrastructure through RESTCONF, NETCONF and gRPC, the same interfaces other vendors expose

Data Model: Configuration and Operational, each with Standard and Device-Specific models, covering device features such as Interface, BGP, QoS, ACL, …
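As an added example (not from the session or any Cisco software), this is what the model-driven "Set / Get" on the slide looks like in practice. It is written against the IETF ietf-interfaces and ietf-ip YANG models and standard NETCONF framing, using only Python's standard library; the device replies it parses are constructed here, and the interface names and addresses are made up. Nothing is sent to a device: the point is that the request is built from a data model and validated before sending, and that errors come back as structured <rpc-error> fields rather than as CLI text to scrape.

```python
"""Model-driven device programmability: a NETCONF <edit-config> built from a
YANG-modelled structure (Set), an ietf-interfaces reply read back into Python
(Get), and an <rpc-reply> turned into structured errors instead of scraped CLI
text. Added example using only the standard library; all replies below are
constructed, not captured from a device."""
import ipaddress
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
IF = "urn:ietf:params:xml:ns:yang:ietf-interfaces"     # RFC 8343
IP = "urn:ietf:params:xml:ns:yang:ietf-ip"             # RFC 8344
IANA = "urn:ietf:params:xml:ns:yang:iana-if-type"
for prefix, uri in (("nc", NC), ("if", IF), ("ip", IP)):
    ET.register_namespace(prefix, uri)


def _q(ns, tag):
    return "{%s}%s" % (ns, tag)


def validate(interfaces):
    """Client-side checks derived from the model, run before anything is sent."""
    problems = []
    for spec in interfaces:
        if not spec.get("name"):
            problems.append("interface without a name")
        for addr, plen in spec.get("ipv4", []):
            try:
                ipaddress.IPv4Address(addr)
            except ValueError:
                problems.append("%s: bad IPv4 address %r" % (spec.get("name"), addr))
            if not 0 <= plen <= 32:
                problems.append("%s: prefix-length %d out of range" % (spec.get("name"), plen))
    return problems


def build_edit_config(interfaces, message_id="101"):
    """Set: render one <edit-config> (merge into the candidate datastore).

    interfaces: list of {"name", "description", "enabled", "ipv4": [(addr, plen)]}.
    The request shape comes from ietf-interfaces/ietf-ip, not from any
    platform's CLI syntax, so it is the same for every device implementing
    those models."""
    bad = validate(interfaces)
    if bad:
        raise ValueError("; ".join(bad))
    rpc = ET.Element(_q(NC, "rpc"), {"message-id": message_id})
    edit = ET.SubElement(rpc, _q(NC, "edit-config"))
    ET.SubElement(ET.SubElement(edit, _q(NC, "target")), _q(NC, "candidate"))
    ET.SubElement(edit, _q(NC, "default-operation")).text = "merge"
    top = ET.SubElement(ET.SubElement(edit, _q(NC, "config")), _q(IF, "interfaces"))
    for spec in interfaces:
        itf = ET.SubElement(top, _q(IF, "interface"))
        ET.SubElement(itf, _q(IF, "name")).text = spec["name"]
        if spec.get("description"):
            ET.SubElement(itf, _q(IF, "description")).text = spec["description"]
        typ = ET.SubElement(itf, _q(IF, "type"), {"xmlns:ianaift": IANA})
        typ.text = "ianaift:ethernetCsmacd"  # identityref, hence the prefix declaration
        ET.SubElement(itf, _q(IF, "enabled")).text = "true" if spec.get("enabled", True) else "false"
        if spec.get("ipv4"):
            v4 = ET.SubElement(itf, _q(IP, "ipv4"))
            for addr, plen in spec["ipv4"]:
                a = ET.SubElement(v4, _q(IP, "address"))
                ET.SubElement(a, _q(IP, "ip")).text = addr
                ET.SubElement(a, _q(IP, "prefix-length")).text = str(plen)
    return ET.tostring(rpc, encoding="unicode")


def extract_interfaces(xml_text):
    """Get: read ietf-interfaces content (a <get-config> reply, or a request)
    into plain dicts, so the same model drives both directions."""
    out = []
    for itf in ET.fromstring(xml_text).iter(_q(IF, "interface")):
        out.append({
            "name": itf.findtext(_q(IF, "name")),
            "enabled": itf.findtext(_q(IF, "enabled"), "true") == "true",
            "ipv4": [(a.findtext(_q(IP, "ip")), int(a.findtext(_q(IP, "prefix-length"))))
                     for a in itf.iter(_q(IP, "address"))],
        })
    return out


def parse_rpc_reply(xml_text):
    """Turn an <rpc-reply> into {"ok": bool, "errors": [...]}; each error keeps
    the RFC 6241 fields a script can branch on (tag, severity, path)."""
    root = ET.fromstring(xml_text)
    if root.tag != _q(NC, "rpc-reply"):
        raise ValueError("not an rpc-reply")
    errors = [{f: (err.findtext(_q(NC, "error-" + f)) or "").strip()
               for f in ("type", "tag", "severity", "path", "message")}
              for err in root.findall(_q(NC, "rpc-error"))]
    return {"ok": root.find(_q(NC, "ok")) is not None and not errors, "errors": errors}


# Constructed replies in the shape RFC 6241 defines (not captured from a device).
SAMPLE_OK_REPLY = '<rpc-reply xmlns="%s" message-id="101"><ok/></rpc-reply>' % NC
SAMPLE_ERROR_REPLY = """<rpc-reply xmlns="%s" message-id="101">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>invalid-value</error-tag>
    <error-severity>error</error-severity>
    <error-path>/if:interfaces/if:interface[if:name='GigabitEthernet0/0/1']/ip:ipv4/ip:address/ip:prefix-length</error-path>
    <error-message xml:lang="en">value 33 is out of range for prefix-length</error-message>
  </rpc-error>
</rpc-reply>""" % NC
SAMPLE_GET_REPLY = """<rpc-reply xmlns="%s" message-id="102"><data>
  <interfaces xmlns="%s">
    <interface><name>GigabitEthernet0/0/0</name><type xmlns:ianaift="%s">ianaift:ethernetCsmacd</type>
      <enabled>true</enabled><ipv4 xmlns="%s"><address><ip>192.0.2.1</ip><prefix-length>30</prefix-length></address></ipv4>
    </interface>
    <interface><name>GigabitEthernet0/0/1</name><type xmlns:ianaift="%s">ianaift:ethernetCsmacd</type>
      <enabled>false</enabled></interface>
  </interfaces></data></rpc-reply>""" % (NC, IF, IANA, IP, IANA)
```

On a real device the request string would travel over a NETCONF-over-SSH session (for example with ncclient) and the parsing would be unchanged. Treat error-path and error-message from a device as untrusted strings when you log or display them.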

Page 89: Cisco Digital Network Architecture

Embracing Tools

DevOps, orchestration and automation tooling, and monitoring / analytics (e.g. tcollector)

Page 90: Cisco Digital Network Architecture

DNA Components – Analytics

Matt Falkner, DTME

Page 91: Cisco Digital Network Architecture

Analytics

Instrumentation, Telemetry, Correlation – across Applications, Network and Endpoints

Deploy, Report, Measure, Adjust, Repeat: APIC-EM drives automated deployment; run reports, discover user insights, deliver relevant content; measure and adjust ("Click here to Correct", "Always Correct this way (and never ask me again)")

Page 92: Cisco Digital Network Architecture

Network Analytics Enable New Insights and Outcomes

Automation for Faster Results | Reveal Hidden Patterns | Make Data-Driven Decisions | Focus on Important Things

Page 93: Cisco Digital Network Architecture

DNA Analytics Architecture – Data sources

• Data can be gathered from multiple different sources: Network Devices, Sensors, Applications, Identity Servers, TAC cases, User Location, etc.

• Facts about sourcing data: it comes in different types, it comes in different formats, and it's BIG (lots of bandwidth)

Diagram: Users & Devices; Enterprise IoT; Network Devices & Sensors; Cloud or on-prem Apps, Repositories, Social info, etc.

Page 94: Cisco Digital Network Architecture

DNA Analytics Architecture – Instrumentation = extracting the data

• Not all the information is relevant; it's important to decide what data to collect

• Data can be in the ASICs but needs to be exposed by software

• Facts on instrumentation: sampling of MIBs, flows and other parameters; accuracy is KEY; generating and transporting the right data can be expensive

Page 95: Cisco Digital Network Architecture

DNA Analytics Architecture – Distributed on-device Analytics

• Since gathering and processing data can be expensive, distribute the analytics: put the smarts into the network, pre-process analytics on the device, stream smart data rather than raw data, and dynamically extract information depending on current conditions

• Facts on distributed analytics: brings analytics closer to the source; "just in time" dynamic configuration and adaptation

Diagram: a Distributed Analytics Agent on the device does distributed data processing before streaming to the Servers & Collectors

Page 96: Cisco Digital Network Architecture

DNA Analytics Architecture – Telemetry

• Telemetry is about streaming the data efficiently

• Network devices are hardware sensors; devices can also be sensors through a software agent

• Multiple types of data: events and logs, metrics data

• Multiple protocols: SNMP, NetFlow, NMSP, logs, REST, AAA, etc.

• Facts about streaming data: multiple sources, multiple protocols, multiple "collectors"; bandwidth can be a concern

Diagram: Events, Metrics and Logs stream over multiple different protocols to the Servers & Collectors

Page 97: Cisco Digital Network Architecture

DNA Analytics Architecture – Analytics

• Network analytics is not new

• Lots of different use cases: performance insights, troubleshooting, security and compliance, augment user experience

• Typical analytics solution: multiple "collecting" protocols (SNMP, AAA, NMSP, NetFlow, REST, logs), lots of "collectors", multiple analytics "consoles"

• Areas of major interest: normalizing the data, predictive issue resolution, suggesting actions to fix issues, fixing automatically, and more

Diagram: on-prem servers & collectors (Prime, CMX, Stealthwatch, log servers, etc.) feed dashboards & tools and the analytics applications – security analytics, fault management, performance management, capacity planning (CMX, WSA, CAND, etc.)

Page 98: Cisco Digital Network Architecture

DNA Analytics Proof Points – Network as a Sensor (NaaS)

Network Devices export NetFlow / NBAR / NSEL to the StealthWatch FlowCollector

StealthWatch FlowCollector – collect and analyze: up to 4,000 sources, up to 240,000 FPS sustained

StealthWatch FlowSensor – generates NetFlow from a SPAN feed for non-NetFlow-capable devices

StealthWatch Management Console – management and reporting: up to 25 FlowCollectors, up to 6 million FPS globally
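An added example, not from the session, of what the collector side of "Network as a Sensor" does with the NetFlow the devices export: decode a NetFlow v5 datagram and run one detection over the flows. The datagram is constructed inline by encode_v5() (the record layout is the documented v5 format); the addresses reuse the slides' 10.1.x.x hosts, but the flows themselves are made up, and the single heuristic here is nothing like the breadth of StealthWatch's own analytics.

```python
"""Network as a Sensor: decode NetFlow v5 export datagrams (what a
FlowCollector receives from switches and routers) and run one detection over
the flows. Added example; the datagram is constructed here with encode_v5(),
not captured from a real exporter."""
import socket
import struct
from collections import defaultdict

V5_HEADER = struct.Struct("!HHIIIIBBH")             # 24 bytes
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # 48 bytes
TCP, SYN, ACK = 6, 0x02, 0x10


def _ip2int(a):
    return struct.unpack("!I", socket.inet_aton(a))[0]


def _int2ip(n):
    return socket.inet_ntoa(struct.pack("!I", n))


def encode_v5(flows, uptime_ms=60000, unix_secs=1468000000, seq=0):
    """Build one export datagram (at most 30 records, as exporters do)."""
    if len(flows) > 30:
        raise ValueError("v5 datagrams carry at most 30 records")
    header = V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(_ip2int(f["src"]), _ip2int(f["dst"]), 0, 1, 2,
                       f["pkts"], f["bytes"], uptime_ms - 500, uptime_ms,
                       f["sport"], f["dport"], 0, f.get("flags", 0),
                       f.get("proto", TCP), 0, 0, 0, 24, 24, 0)
        for f in flows)
    return header + body


def decode_v5(datagram):
    """Parse a v5 datagram; refuse truncated or non-v5 input rather than
    silently reading garbage as flows."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short header")
    version, count = V5_HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5: version %d" % version)
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated: header announces %d records" % count)
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": _int2ip(r[0]), "dst": _int2ip(r[1]), "pkts": r[5],
                      "bytes": r[6], "sport": r[9], "dport": r[10],
                      "flags": r[12], "proto": r[13]})
    return flows


def datagram_is_valid(datagram):
    try:
        decode_v5(datagram)
        return True
    except ValueError:
        return False


def detect_port_scans(flows, min_ports=10):
    """One sensor use case: a source opening single-packet TCP flows (SYN, no
    ACK) to many distinct ports on one destination is probing it.
    Returns {(src, dst): distinct_ports} for pairs over the threshold."""
    probes = defaultdict(set)
    for f in flows:
        if f["proto"] == TCP and f["pkts"] == 1 and f["flags"] & SYN and not f["flags"] & ACK:
            probes[(f["src"], f["dst"])].add(f["dport"])
    return {pair: len(ports) for pair, ports in probes.items() if len(ports) >= min_ports}


# Constructed sample: a probe of twelve ports on the CRM server plus normal sessions.
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]
SAMPLE_FLOWS = [
    {"src": "10.1.10.220", "dst": "10.1.100.52", "sport": 40000 + i, "dport": p,
     "pkts": 1, "bytes": 60, "flags": SYN} for i, p in enumerate(SCAN_PORTS)
] + [
    {"src": "10.1.10.7", "dst": "10.1.100.52", "sport": 51022, "dport": 443, "pkts": 40, "bytes": 18300, "flags": SYN | ACK | 0x18},
    {"src": "10.1.10.7", "dst": "10.1.200.100", "sport": 51023, "dport": 80, "pkts": 12, "bytes": 4100, "flags": SYN | ACK | 0x18},
    {"src": "10.1.10.220", "dst": "10.1.200.100", "sport": 40100, "dport": 443, "pkts": 20, "bytes": 9000, "flags": SYN | ACK | 0x18},
]
SAMPLE_DATAGRAM = encode_v5(SAMPLE_FLOWS)

if __name__ == "__main__":
    for pair, n in detect_port_scans(decode_v5(SAMPLE_DATAGRAM)).items():
        print("%s -> %s: %d distinct ports probed" % (pair[0], pair[1], n))
```

A collector that trusts the record count in the header without the length check reads past the datagram on truncated or crafted exports; since exporters send at most 30 v5 records per datagram, a larger count is suspect on its own.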

Page 99: Cisco Digital Network Architecture

DNA Components – Network Fabrics

Dave Zacks, DSE

Page 100: Cisco Digital Network Architecture

Leaning Forward … into Network Fabrics

Page 101: Cisco Digital Network Architecture

Enterprise IT – Policy Model Today – Overview

IP addresses (EIDs) are overloaded with "meaning" today:

• They locate you ("your subnet is located at X place in the network")

• They identify you ("you are part of group X because you are in subnet Y")

• They are used to drive "traffic treatment" ("you are treated X way because you come from subnet Y")

• They constrain you ("You can't stretch a subnet across the Campus … it's too hard / comes with too many tradeoffs")

The "5-tuple" – IP SRC, IP DST, PROT, SRC PORT, DST PORT – plus DSCP, ahead of the DATA. The ports give app identification (less useful when all apps use a small set of ports, i.e. 443); DSCP gives PHBs (can run out of bits with complex policies; use policy aggregation).

All of today's network policies (pass/drop, remark, redirect, copy, etc.) are based on use of fields in the IP 5-tuple – these are the only fields that survive (i.e. "are transitive") end-to-end across the network with the IP packet.

There are no fields in the IP header that represent User / Device grouping … so we "overload" the IP addresses to provide this. This is why we assign users / devices into VLANs … this is what leads to ACLs that are thousands of lines long … this is what leads to the proliferation of VLANs and VRFs, and all the attendant complexity this brings …

Page 102: Cisco Digital Network Architecture

But What If … (Key Assertion)

If we could "break the dependence" between IP addressing and policy, we could greatly simplify networks – and make networks much more functional.

… we could make your IP address just be a LOCATOR for you, and provide other ways to group users / devices to apply POLICY?

Page 103: Cisco Digital Network Architecture

With a Fabric … (Key Assertion)

You could build and run your network in a simpler way …

You could easily identify users and devices and apply policy …

You could provide end-to-end segmentation simply …

You could provide L2 / L3 flexibility as you need to …

If we could "break the dependence" between IP addressing and policy, we could greatly simplify networks – and make networks much more functional.

… we could make your IP address just be a LOCATOR for you, and provide other ways to group users / devices to apply POLICY!

Page 104: Cisco Digital Network Architecture

Provision – Simplified Provisioning: deploy devices using "best practice" configurations from a simple user interface

Page 105: Cisco Digital Network Architecture

Security – Segmentation: simple segmentation constructs to build secure boundaries for "users and things"

Page 106: Cisco Digital Network Architecture

Mobility – Wired and Wireless Host Mobility, because your address is no longer tied to your location

Page 107: Cisco Digital Network Architecture

Intelligent Policy – Network-wide Policy Enforcement based on your identity, not on your address

Page 108: Cisco Digital Network Architecture

What is a Fabric?

Page 109: Cisco Digital Network Architecture

What Exactly is a Fabric? – A Fabric is an Overlay

An "Overlay" is a logical topology used to virtually connect devices, built on top of an arbitrary physical "Underlay" topology.

An "Overlay" network often uses alternate forwarding attributes to provide additional services, not provided by the "Underlay".

Examples of Network Overlays:

• GRE or mGRE

• MPLS or VPLS

• IPSec or DMVPN

• CAPWAP

• LISP

• OTV

• DFA

• ACI

Page 110: Cisco Digital Network Architecture

What Exactly is a Fabric? – Why Overlays?

Separate the Forwarding Plane from the Services Plane

Flexible Virtual Services (overlay):

• Mobility – track end-points at edges

• Scalability – reduce core state; distribute state to the network edge

• Flexibility & Programmability – reduced number of touch points

Simple Transport Forwarding (underlay):

• Physical devices and paths

• Intelligent packet handling

• Maximize network availability

• Simple and manageable

Page 111: Cisco Digital Network Architecture

What Exactly is a Fabric? – Overlay Terminology

Diagram: Hosts (End-Points) attach to Edge Devices; the Overlay Network between edge devices is built by Encapsulation over the Underlay Network. The Overlay Control Plane and the Underlay Control Plane are separate.

Page 112: Cisco Digital Network Architecture

What Exactly is a Fabric? – Types of Overlays

Hybrid L2 + L3 Overlays offer the Best of Both Worlds

Layer 2 Overlays

• Emulates a LAN segment

• Transport Ethernet Frames (IP & Non-IP)

• Single subnet mobility (L2 domain)

• Exposure to Layer 2 flooding

• Useful in emulating physical topologies

Layer 3 Overlays

• Abstract IP connectivity

• Transport IP Packets (IPv4 & IPv6)

• Full mobility regardless of Gateway

• Contain network related failures (floods)

• Useful to abstract connectivity and policy

Page 113: Cisco Digital Network Architecture

What Exactly is a Fabric? – Control-Plane Options – LISP

LISP-based Control-Plane: Topology + Endpoint Routes

BEFORE – IP Address = Location + Identity: every router carries the full table of topology routes plus every endpoint route (prefix → next-hop; the slide's examples are 189.16.17.89 → 171.68.226.120, 22.78.190.64 → 171.68.226.121, 172.16.19.90 → 171.68.226.120, 192.58.28.128 → 171.68.228.121). Routing Protocols = Big Tables & More CPU.

AFTER – Separate Identity from Location: endpoint routes are consolidated into the LISP mapping database (prefix → RLOC), a flexible mapping database; each router keeps only its topology routes and local routes and pulls the endpoint mappings it needs into a cache. LISP DB + Cache = Small Tables & Less CPU.

Page 114: Cisco Digital Network Architecture

Locator / ID Separation Protocol – Location and Identity Separation

Traditional Behavior – Location + ID are "Combined": the device's IPv4 or IPv6 address represents both Identity and Location. When the device moves across the IP core, it gets a new IPv4 or IPv6 address (10.1.0.1 becomes 20.2.0.9) for its new Identity and Location.

Overlay Behavior – Location & ID are "Separated": the device's IPv4 or IPv6 address represents Identity only. When the device moves, it keeps the same address (10.1.0.1). It has the same Identity; only the Location changes ("Location is here").

Page 115: Cisco Digital Network Architecture

Locator / ID Separation Protocol – LISP Mapping System

LISP "Mapping System" is analogous to a DNS lookup

‒ DNS resolves IP addresses for a queried name: answers the "WHO IS" question

‒ LISP resolves Locators for queried Identities: answers the "WHERE IS" question

DNS – Name-to-IP (URL) resolution, Host to DNS Server: [ Who is lisp.cisco.com ]? → [ Address is 153.16.5.29, 2610:D0:110C:1::3 ]

LISP – ID-to-Locator map resolution, LISP Router to LISP Map System: [ Where is 2610:D0:110C:1::3 ]? → [ Locator is 128.107.81.169, 128.107.81.170 ]
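As an added example (not Cisco code) covering the two LISP slides above, the mapping system and the map-cache can be modelled in a few dozen lines: the Map-Server / Map-Resolver holds every EID-to-RLOC mapping, an ITR keeps only the entries it has used, and a host move re-registers the same EID with a new RLOC. The EID prefixes and RLOCs are the ones on the slides (the IPv6 host is placed in an assumed /64 and the 10.1.0.1 host in an assumed 10.1.0.0/16 site), the SMR handling is reduced to flushing one cache entry, and the injected clock exists only so that TTL expiry can be tested.

```python
"""LISP control plane in miniature: a mapping system that holds every EID-to-
RLOC mapping (the "LISP DB"), and an ITR that keeps only a map-cache of what
it has needed. Added example, not Cisco code; the EIDs and RLOCs are the ones
on the slides, SMR handling is reduced to a cache flush, and "clock" is
injected so TTL expiry can be tested deterministically."""
import ipaddress
import time
import zlib


def _longest_match(table, eid):
    """Return the (prefix, value) entry whose prefix most specifically covers eid."""
    addr = ipaddress.ip_address(eid)
    best = None
    for prefix, value in table.items():
        if prefix.version == addr.version and addr in prefix:
            if best is None or prefix.prefixlen > best[0].prefixlen:
                best = (prefix, value)
    return best


class MappingSystem:
    """Map-Server / Map-Resolver: answers "WHERE IS <EID>?" with locators."""

    def __init__(self):
        self.db = {}   # ip_network(EID prefix) -> {"rlocs": (...), "ttl": minutes}

    def map_register(self, eid_prefix, rlocs, ttl=1440):
        # An ETR re-registers when a host appears behind it; the EID stays the
        # same and only the RLOC set changes (that is the mobility case).
        self.db[ipaddress.ip_network(eid_prefix)] = {"rlocs": tuple(rlocs), "ttl": ttl}

    def map_request(self, eid):
        hit = _longest_match(self.db, eid)
        if hit is None:
            return None   # negative map-reply: not a LISP EID, forward natively
        prefix, entry = hit
        return {"eid_prefix": str(prefix), "rlocs": entry["rlocs"], "ttl": entry["ttl"]}


class ITR:
    """Ingress tunnel router with a TTL-bounded map-cache; never the full table."""

    def __init__(self, name, rloc, mapping_system, clock=time.monotonic):
        self.name, self.rloc, self.ms, self.clock = name, rloc, mapping_system, clock
        self.map_cache = {}   # ip_network -> {"rlocs": (...), "expires": seconds}

    def resolve(self, dst_eid):
        """Return the RLOC to encapsulate towards, consulting the cache first."""
        now = self.clock()
        hit = _longest_match(self.map_cache, dst_eid)
        if hit is not None and hit[1]["expires"] > now:
            rlocs = hit[1]["rlocs"]
        else:
            reply = self.ms.map_request(dst_eid)
            if reply is None:
                return None
            rlocs = reply["rlocs"]
            self.map_cache[ipaddress.ip_network(reply["eid_prefix"])] = {
                "rlocs": rlocs, "expires": now + reply["ttl"] * 60}
        # spread destinations over the locator set deterministically
        return rlocs[zlib.crc32(dst_eid.encode()) % len(rlocs)]

    def solicit_map_request(self, eid):
        """SMR from the ETR that lost or gained the EID: drop the stale entry so
        the next packet triggers a fresh map-request."""
        hit = _longest_match(self.map_cache, eid)
        if hit is not None:
            del self.map_cache[hit[0]]

    def cache_size(self):
        return len(self.map_cache)


def build_demo():
    """Populate the mapping system with the slides' example mappings."""
    ms = MappingSystem()
    ms.map_register("2610:D0:110C:1::/64", ["128.107.81.169", "128.107.81.170"])
    ms.map_register("10.1.0.0/16", ["171.68.226.120"])
    ms.map_register("10.1.0.1/32", ["171.68.226.121"])   # one host at a more specific site
    return ms


if __name__ == "__main__":
    ms = build_demo()
    itr = ITR("itr-campus", "171.68.228.121", ms)
    print("10.1.0.1 is at", itr.resolve("10.1.0.1"))
    ms.map_register("10.1.0.1/32", ["171.68.228.120"])       # host moved, same EID
    itr.solicit_map_request("10.1.0.1")
    print("10.1.0.1 is now at", itr.resolve("10.1.0.1"), "cache entries:", itr.cache_size())
```

The model also makes the security-relevant property visible: whoever can send a Map-Register for a prefix redirects that prefix's traffic, so registrations must be authenticated (LISP Map-Register carries an HMAC under a key shared between ETR and Map-Server) and the map-resolver should be reachable only from fabric nodes.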

Page 116: Cisco Digital Network Architecture

What Exactly is a Fabric? – Data-Plane Options – VXLAN

LISP-based Control-Plane, VXLAN-based Data-Plane

Original packet: ETHERNET | IP | PAYLOAD

Packet in LISP: ETHERNET | IP | UDP | LISP | IP | PAYLOAD – supports L3 overlay

Packet in VXLAN: ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD – supports L2 & L3 overlay

Page 117: Cisco Digital Network Architecture

What Exactly is a Fabric? – Data-Plane Options – VXLAN

Packet in VXLAN: ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD

LISP-based Control-Plane, VXLAN-based Data-Plane, with integrated Cisco TrustSec: VRF (Virtual Routing & Forwarding) + SGT (Scalable Group Tagging)
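An added example of the VXLAN data plane described on the two slides above, not Cisco code: packing and validating the 8-byte VXLAN header that carries the VNI (the segment / VRF) and, through the VXLAN group-policy extension (draft-smith-vxlan-group-policy, assumed here to be how the SGT rides in the header), the 16-bit Scalable Group Tag. The inner frame builder, the MAC addresses and the VNI value are constructed for the example; the inner IP addresses are the slides' Marketing user and CRM server.

```python
"""VXLAN data plane for the fabric: encapsulate an inner Ethernet/IP frame with
an 8-byte VXLAN header carrying the VNI (which VRF / segment the packet belongs
to) and, via the VXLAN group-policy extension, the 16-bit Scalable Group Tag.
Added example; the header layout follows draft-smith-vxlan-group-policy, taken
here as the assumed way the SGT rides in the header."""
import socket
import struct

VXLAN_UDP_PORT = 4789
VXLAN = struct.Struct("!BBHI")          # flags, flags2, group policy ID, VNI<<8 | reserved
FLAG_G, FLAG_I = 0x80, 0x08             # byte 0: group-policy ext present, VNI valid
FLAG_A = 0x08                           # byte 1: policy already applied by an earlier hop


def encapsulate(inner_frame, vni, sgt=None, policy_applied=False):
    """Prepend the VXLAN header (the outer Ethernet/IP/UDP towards the remote
    RLOC is left to the underlay stack)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI is 24 bits")
    flags, flags2, gpid = FLAG_I, 0, 0
    if sgt is not None:
        if not 0 <= sgt <= 0xFFFF:
            raise ValueError("SGT is 16 bits")
        flags |= FLAG_G
        gpid = sgt
        if policy_applied:
            flags2 |= FLAG_A
    return VXLAN.pack(flags, flags2, gpid, vni << 8) + inner_frame


def decapsulate(datagram):
    """Validate and strip the header; reject anything malformed instead of
    guessing, because the VNI and SGT drive forwarding and policy downstream."""
    if len(datagram) < VXLAN.size:
        raise ValueError("short VXLAN header")
    flags, flags2, gpid, tail = VXLAN.unpack_from(datagram)
    if not flags & FLAG_I:
        raise ValueError("I flag clear: no valid VNI")
    if tail & 0xFF:
        raise ValueError("reserved byte must be zero")
    if gpid and not flags & FLAG_G:
        raise ValueError("group policy ID set without G flag")
    return {"vni": tail >> 8,
            "sgt": gpid if flags & FLAG_G else None,
            "policy_applied": bool(flags2 & FLAG_A),
            "inner": datagram[VXLAN.size:]}


def is_well_formed(datagram):
    try:
        decapsulate(datagram)
        return True
    except ValueError:
        return False


def _checksum(data):
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, payload, proto=6):
    """Constructed inner frame: Ethernet II + minimal IPv4 header + payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    macs = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return macs + b"\x08\x00" + ip + payload


def inner_addresses(frame):
    """(src, dst) of the inner IPv4 packet: these are the EIDs; the outer IPs are RLOCs."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("inner frame is not IPv4")
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])


if __name__ == "__main__":
    frame = ipv4_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "10.1.10.220", "10.1.100.52", b"GET / ")
    pkt = encapsulate(frame, vni=4099, sgt=5)   # VNI 4099 = an assumed VRF, SGT 5 = Marketing
    hdr = decapsulate(pkt)
    print("VNI", hdr["vni"], "SGT", hdr["sgt"], "inner", inner_addresses(hdr["inner"]))
```

Because the VNI and SGT in this header decide VRF placement and the SGACL verdict at the far end, a fabric edge must accept VXLAN only from authenticated fabric peers; anyone who can inject UDP/4789 towards an edge device with a group policy ID of their choosing would otherwise pick their own tag.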

Page 118: Cisco Digital Network Architecture

Securing a Fabric Infrastructure with Flexible Policy

Page 119: Cisco Digital Network Architecture

Cisco TrustSec – Simplifying Security

Limits of Traditional Segmentation

• Security policy based on topology (address)

• High cost and complex maintenance

Diagram: at the access layer, a Voice VLAN (Voice), a Data VLAN (Employee, Supplier), a Guest VLAN (BYOD), a BYOD VLAN and a Quarantine VLAN (Non-Compliant), each needing its own VLAN, address range, DHCP scope, redundancy, routing, static ACL and VACL, through the aggregation layer and enterprise backbone to the Applications.

Classification: static or dynamic VLAN assignments

Propagation: carry "segment" context through the network using VLAN, IP address, VRF

Enforcement: IP-based policies – ACLs, firewall rules

The address-based ACL this produces (illustrative excerpt from the slide):

access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165
access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428
access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511
access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945
access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116
access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959
access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993
access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384

Page 120: Cisco Digital Network Architecture

Cisco TrustSec – Segmentation based on Groups

Diagram: campus switches (VLAN A, VLAN B) classify Voice, Employee, Supplier and Non-Compliant endpoints and attach an Employee, Supplier or Non-Compliant tag; ISE supplies the policy over the enterprise backbone; the DC switch or firewall in front of the Application Servers and Shared Services enforces it. The DC switch receives policy for only what is connected.

Classification: static or dynamic SGT assignments

Propagation: carry "group" context through the network using only the SGT

Enforcement: group-based policies – ACLs, firewall rules

Page 121: Cisco Digital Network Architecture

Cisco TrustSec – ISE Enables CTS

SGT & SGT Names (Scalable Group Tags) – centrally defined Endpoint ID Groups, e.g. 3: Employee, 4: Contractors, 8: PCI_Servers, 9: App_Servers

SGACL – Name Table (Scalable Group ACL) – the policy matrix of sources × destinations, each cell permit (✓) or deny (✕), to be pushed down to the network devices; the slide shows an illustrative 3 × 6 matrix

802.1X Dynamic SGT Assignment – ISE dynamically authenticates endpoint users and devices, and assigns SGTs

Static SGT Assignment

NDAC – Network Device Admission Control – authenticates network devices for a trusted CTS domain, keeping rogue device(s) out

Page 122: Cisco Digital Network Architecture

Cisco TrustSec – Two Ways to Assign SGTs

Dynamic Classification (campus access, WLC): 802.1X or MAB authentication through ISE

Static Classification (distribution, core, DC core, DC access, firewall, hypervisor switch): VLAN to SGT, L3 Interface (SVI) to SGT, L2 Port to SGT, Subnet to SGT, VM (Port Profile) to SGT

Page 123: Cisco Digital Network Architecture

Cisco TrustSec – Ingress Classification with Egress Enforcement

Path: Cat3850 / WLC5508 (access), Cat6800, Enterprise Backbone, Cat6800 / Nexus 7000, Nexus 5500, Nexus 2248 (DC access)

User authenticated = classified as Marketing (5). The packet SRC 10.1.10.220, DST 10.1.100.52 carries SGT 5 across the network.

Destination classification: CRM server 10.1.100.52 = SGT 20; Web server 10.1.200.100 = SGT 30. At the egress switch the FIB lookup on the destination MAC yields the destination SGT (20).

Egress enforcement (SGACL), source × destination:

SRC \ DST        CRM (20)   Web (30)
Marketing (5)    Permit     Deny
BYOD (7)         Deny       Permit
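An added example, not Cisco code, that walks one packet through the slide's scenario: ingress classification from the authenticated identity, the tag carried unchanged, and the SGACL matrix (Marketing 5, BYOD 7, CRM 20, Web 30) applied at egress. The server addresses and the matrix are from the slide; the identity-to-SGT results and the subnets used in the ACL comparison are assumed. The last function expands the same policy into the address-based ACEs the "Limits of Traditional Segmentation" slide warns about, to show why the matrix stays small while the ACL does not.

```python
"""Ingress classification with egress enforcement, modelled end to end: the
access switch classifies a packet from the user's identity (not its subnet),
the tag rides across the fabric, and the egress switch looks up the
destination's SGT and applies the SGACL cell. Added example; SGT numbers,
server addresses and the permit/deny matrix are from the slide, while the
identity-to-SGT results and the subnets in the ACL comparison are assumed."""
from ipaddress import ip_network

SGT_NAMES = {0: "Unknown", 5: "Marketing", 7: "BYOD", 20: "CRM", 30: "Web"}

# SGACL matrix: (source SGT, destination SGT) -> action. Cells not present
# fall to the default, and the default is deny.
SGACL = {(5, 20): "permit", (5, 30): "deny", (7, 20): "deny", (7, 30): "permit"}

# ISE authorization results (assumed): who the user is decides the tag.
IDENTITY_TO_SGT = {"alice@corp": 5, "alice-personal-phone": 7}

# Static classification of servers (from the slide): the destination SGT
# comes from the IP-to-SGT binding held at the egress switch.
SERVER_BINDINGS = {"10.1.100.52": 20, "10.1.200.100": 30}


def ingress_classify(identity):
    """Access switch: tag from the authenticated identity; unknown -> SGT 0."""
    return IDENTITY_TO_SGT.get(identity, 0)


def egress_classify(dst_ip):
    """Egress switch: destination SGT from the IP-to-SGT binding table."""
    return SERVER_BINDINGS.get(dst_ip, 0)


def sgacl_decision(src_sgt, dst_sgt, default="deny"):
    return SGACL.get((src_sgt, dst_sgt), default)


def forward(identity, src_ip, dst_ip):
    """Follow one packet: classify at ingress, carry the tag, enforce at egress.
    src_ip is carried for completeness only; it never influences the verdict."""
    src_sgt = ingress_classify(identity)
    dst_sgt = egress_classify(dst_ip)
    return {"src_ip": src_ip, "dst_ip": dst_ip, "src_sgt": src_sgt, "dst_sgt": dst_sgt,
            "action": sgacl_decision(src_sgt, dst_sgt)}


def equivalent_ip_acl(group_subnets, server_bindings=SERVER_BINDINGS):
    """Expand the same policy into address-based ACEs, the pre-fabric way.
    group_subnets: {sgt: ["10.1.10.0/24", ...]}, i.e. where each group's users
    currently sit. Every permit cell becomes (subnets x servers) lines, so the
    ACL grows with each new subnet or server while the matrix does not."""
    aces = []
    for (src_sgt, dst_sgt), action in sorted(SGACL.items()):
        if action != "permit":
            continue
        for subnet in group_subnets.get(src_sgt, []):
            net = ip_network(subnet)
            for server, sgt in sorted(server_bindings.items()):
                if sgt == dst_sgt:
                    aces.append("permit ip %s %s host %s" % (net.network_address, net.hostmask, server))
    aces.append("deny ip any any")
    return aces


if __name__ == "__main__":
    for who, src, dst in (("alice@corp", "10.1.10.220", "10.1.100.52"),
                          ("alice-personal-phone", "10.1.10.220", "10.1.100.52"),
                          ("alice@corp", "10.9.7.3", "10.1.200.100")):
        v = forward(who, src, dst)
        print("%-22s %s -> %s  %s(%d) -> %s(%d): %s" % (
            who, src, dst, SGT_NAMES[v["src_sgt"]], v["src_sgt"],
            SGT_NAMES[v["dst_sgt"]], v["dst_sgt"], v["action"]))
    for line in equivalent_ip_acl({5: ["10.1.10.0/24", "10.9.7.0/24"], 7: ["10.1.10.0/24", "10.9.7.0/24"]}):
        print(line)
```

Two properties worth checking in any real deployment are visible in the model: the same address gets a different verdict when a different identity holds it, and a user who moves to another subnet keeps exactly the same policy. Anything that is not classified (SGT 0, or a destination with no binding) must land on the default deny rather than on an implicit permit.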

Page 124: Cisco Digital Network Architecture

Cisco TrustSec – SGT Propagation and Enforcement Options

Heterogeneous L2 / L3 Networks: User, Switch (classification), Router, WAN, Router, Firewall (SGFW), DC Switch (SGACL), Server. Where the path cannot carry the tag inline, SXP (SGT Exchange Protocol) carries the IP-to-SGT bindings between switch and router and between router and firewall.

TrustSec-capable L2 / L3 Networks: User, Switch (classification), Router, WAN (GETVPN, DMVPN, IPsec), Router, Firewall (SGFW), DC Switch (SGACL), Server. The SGT travels inline – SGT over Fabric or Ethernet within the sites, SGT over VPN across the WAN – with SGACL enforcement on the switches and SGFW on the firewall.

Page 125: Cisco Digital Network Architecture

Cisco TrustSec – Additional Information

Suggested Reading:

BRKCRS-2891 – Enterprise Network Segmentation with Cisco TrustSec

BRKSEC-2203 – Intermediate – Enabling TrustSec Software-Defined Segmentation

BRKSEC-2044 – Building an Enterprise Access Control Architecture Using ISE and TrustSec

Other References:

Cisco TrustSec Marketing Site: http://www.cisco.com/go/trustsec/

Cisco TrustSec Config Guide: cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec.html

CTS Architecture Overview: cisco.com/docs/switches/lan/trustsec/configuration/guide/trustsec/arch_over.html

CTS 2.0 Design Guide: cisco.com/td/docs/solutions/Enterprise/Security/TrustSec_2-0/trustsec_2-0_dig.pdf

Fundamentals of TrustSec: https://www.youtube.com/watch?v=78-GV7Pz18I

Page 126: Cisco Digital Network Architecture

Fabrics – Summary

Page 127: Cisco Digital Network Architecture

Summary – Benefits of Fabric Deployment in Networks

Business Agility | Automated Enterprise | Consistent Policy | Investment Protection | Integrated Mobility | Analytics

Diagram: APIC-EM at the centre, connecting Collaboration, Security, Endpoints and Branch

Page 128: Cisco Digital Network Architecture

Summary – Want to Know More About Fabrics?

Attend session BRKCRS-3800, "Evolved Campus Networks"! Tuesday, 9:00am and 1:30pm; Wednesday, 1:30pm. Shawn Wargo, PTME

Page 129: Cisco Digital Network Architecture

DNA – Wrap-Up and Conclusions

Dave Zacks, DSE

Page 130: Cisco Digital Network Architecture

Cisco Digital Network Architecture – Principles

Insights & Experiences | Automation & Assurance | Security & Compliance

Network-enabled Applications – Cloud-enabled | Software-delivered

Cloud Service Management – Policy | Orchestration

Automation – Abstraction & Policy Control from Core to Edge

Analytics – Network Data, Contextual Insights

Virtualization – Physical & Virtual Infrastructure | App Hosting

Open & Programmable | Standards-Based – Open APIs | Developers Environment

Page 131: Cisco Digital Network Architecture

Network Requirements for the Digital Organization

Insights and Experiences | Security and Compliance | Automation and Assurance

Outcomes: Faster Innovation, Lower Risk, Reduced Cost & Complexity

Page 132: Cisco Digital Network Architecture

The Cisco DNA Customer Journey Starts Now

• Base Automation – immediate value to existing network

• Policy Services – active control for critical use cases: Network, Collaboration

• Advanced Security – Network as a Sensor and Enforcer

• Complete Software Control – end-to-end policy-based automation

• Digital Services – support lines of business: analytics, IoT

Cisco ONE Foundation | Cisco ONE Adv. Applications | Cisco ONE ELA

Page 133: Cisco Digital Network Architecture

Cisco Digital Network Architecture – Begin Your Digital Journey Today

ARE YOU READY:

• To automate network operations?

• Save on WAN transport?

• Enable richer collaboration experiences?

• Gain business insights?

• Deliver personalized customer experiences?

• Detect and remediate threats rapidly?

• To virtualize your branch?

Page 134: Cisco Digital Network Architecture

Did We Achieve Our Objectives?

Do You Have a Better Understanding … of what DNA is all about … of the capabilities that DNA offers … and how you can leverage DNA in your own networks?

Don't forget to fill out your evaluations!

The Cisco Digital Network Architecture – Evolution of the Enterprise Network

Dave Zacks, Distinguished SE

Matt Falkner, Distinguished TME

Page 135: Cisco Digital Network Architecture

Complete Your Online Session Evaluation

Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.

• Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us.

Page 136: Cisco Digital Network Architecture

Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Lunch & Learn

• Meet the Engineer 1:1 meetings

• Related sessions

Page 137: Cisco Digital Network Architecture

Please join us for the Service Provider Innovation Talk featuring:

Yvette Kanouff | Senior Vice President and General Manager, SP Business

Joe Cozzolino | Senior Vice President, Cisco Services

Thursday, July 14th, 2016

11:30 am - 12:30 pm, In the Oceanside A room

What to expect from this innovation talk

• Insights on market trends and forecasts

• Preview of key technologies and capabilities

• Innovative demonstrations of the latest and greatest products

• Better understanding of how Cisco can help you succeed

Register to attend the session live now or

watch the broadcast on cisco.com

Page 138: Cisco Digital Network Architecture

Thank you
