Claudiu Boar - Cluj Connecting Day · Securing these devices is hard Unsophisticated devices ... Cisco Catalyst 9500 Series switches Lead fixed core Industry’s first 100G, 40G and

Claudiu BoarNetworking Manager, Brinel

Catalina NiculitaSystems Engineering Manager, Cisco Romania

Va multumesc !

www.clujconnectingday.ro

C97-738949-02 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

20 years challange

20 Years Challange

Cisco demonstrates a voice

over IP link between Taiwan

and USA. (Jan 99)

Cisco introduces next-

generation stacking with

new Catalyst 3500

Series XL.(May 99)In 1999 Cisco introduces the Catalyst 6500

Ethernet Switch. The Catalyst 6500 today has

25,000 customers and

700,000 chassis installed worldwide


20 years challange

20 Years Challange


20 years challange

20 Years Challange


IoT devices on the corporate network introduce additional security challenges

Users, devices, and things are coming onto the network

ITUsers

Mobile Laptops/PCs Bonjour Audio Video Healthcare Printers Securitycameras

Fire alarm system

Badging system

Sensors

Lighting

HVAC

Securing these devices is hard

Unsophisticated devices

• Limited security and crypto

capabilities, prone to hacks

Endpoint identity

• No support for standard

authentication mechanisms

Policy ownership (IT, OT, Mfg)

• Who defines policy? Who

holds liability?

Non-I

T

The network needs to offer an extended trust domain, with scalable device classification and policy


Key Operational Challenges for Traditional Networks

Slower Issue ResolutionComplex to ManageDifficult to Segment

Ever increasing number of

users and endpoint types

Ever increasing number of

VLANs and IP Subnets

Multiple steps,

user credentials, complex

interactions

Multiple touch-points

Separate user policies for

wired and wireless networks

Unable to find users

when troubleshooting

Traditional Networks Cannot Keep Up!


A new era in intent-based networking

Cisco® Catalyst®

9000 switching family

Software-Defined

Access

(SD-Access)

Previous era New era

Video

Voice

Data

Security

Multicloud

IoT

Mobility

SD-Access: Policy-based automation from edge to cloud


• DevOps toolkit

• NETCONF/YANG models

• Streaming telemetry

• Patching/GIR

• Application hosting*

• Fabric-enabled wireless

• Embedded WLC*

• Distributed wireless scale

• Unified control and policy

• Wired and wireless guest access

• Constrained Application Protocol

(CoAP) and IoT device profiling

• Cisco DNA Service for Bonjour*

• Perpetual PoE

• IEEE 1588 Audio Video

Bridging (AVB)*

• Encrypted Traffic Analytics*

• MACsec-256 bit encryption+

• Trustworthy solutions

• Group-based policy

• Full Flexible NetFlow for Cisco

Stealthwatch®

Cisco Catalyst 9000 switching platform at a glanceEnabling a new era of intent-based networking

Cisco Catalyst 9200 Series switches

Simple branch and midmarket fixed access


Lead fixed access


Lead modular access


Lead fixed core

Industry’s first

100G, 40G and 25G

enterprise-grade

switches

Platform innovations

Secure IoT convergence Mobility Multicloud

Cloud ready


NEW

Cisco Catalyst 9000 switching transitions

Cisco Catalyst

9400 Series

Cisco Catalyst

9300 Series

Cisco Catalyst

9500 Series

Cisco Catalyst

3850 copperCisco Catalyst

4500-E/6500Cisco Catalyst

3850F/4500-X

Cisco Catalyst

6840-X/ 6880-X

Access switching Core switching

Cisco Catalyst

9200 Series

Cisco Catalyst

2960 X/XR

Greater flexibility to the branch and to small and medium sized businesses

who require low-end fixed access switching.


The Access Network Is Where It Starts

Access SwitchesAccess Points Aggregation Switches Wireless Controller

Catalyst Catalyst9300/9400 Series9200/ 9500 Series

Catalyst9800 Series

Automation Security AnalyticsBuilt for intent-

based networking

The Full Experience End to End


powered by Cisco IOS XE

Catalyst 9800

Next Generation Wireless Controller

Cisco Catalyst Next Gen Wireless Architecture

The most deployed

controller on

the planet

RF excellence

Device ecosystem

Wireless assurance

High Availability

Programmability

Scale

A modern modular

operating system

Bringing together network leadership with RF innovation


Deploy It the Way You Want It

Catalyst 9800-806000 APs, 64K Clients, 80 Gbps

Catalyst 9800-402000 APs, 32K Clients, 40 Gbps

Catalyst 9800-CL6000 APs, 64K Clients^

Catalyst 9800-CL+

1000 APs, 10K Clients

Catalyst 9800-SW*200 APs, 4K Clients

Catalyst 9800-CL3000 APs, 32K Clients

200 APs 1000 APs 6000 APs2000 APs 3000 APs

*SD-Access only+C9800-CL for Public Cloud with Flexconnect; GCP for EFT only

^Future

SD-Access Ready

ENCS


Principles of Intent-Based Networking

Powered by Cisco IOS XE

Physical and VirtualInfrastructure

ASIC

Applications

APIs

Cisco DNA Center

Bridging intent-based networking portfolio

Built-in security, streaming telemetry and

rich analytics

Open programmable architecture

Presentation ID 18

ASICs are a Pillar of Cisco Innovation…


© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public#CiscoLiveLA

Traditional Networking ASICs - Fixed Pipelines

Fixed Pipeline

MAC

Look

up

IPv4

Look

up

ACL

Look

up

QoS

Look

up

Fixed Parser

…

Look

up

…

Look

up

ACL

Look

up

QoS

Look

up

Fast Memory Lookup Tables

Traditional ASIC

Parses & Understands Fixed number of Bytes

Can lookup these Fields

IP PayloadEther

net

GREIPEthern

etIP Payload

Ethern

et

VXLA

NUDPIP

Ether

netIP Payload

Ether

net

LabelEthern

etIP Payload

GRE

VXLAN

MPLS

Not Supported in Hardware

BRKARC-2035 19



New ASICs for New Technology ?

Building a new ASIC takes a lot of time & money

2 – 4 Years

Marketing

RequirementsArchitecture RTL Design Synthesis Floor Planning Fabrication

BRKARC-2035 20



How about CPUs ?

CPUs are highly

Programmable

CPUs are not as fast

BRKARC-2035 21



Traditional Networking ASICs vs CPUs

Traditional

Networking ASIC

General Purpose

CPU

Performance

Flexibility

Performance

Flexibility

General Purpose – Highly FlexiblePurpose Built – High Performance

BRKARC-2035 22



Cisco Innovation – UADP ASIC

In 2013 Cisco Introduced UADP

(Unified Access Data Plane)

Performance

Flexibility

Programmability

UADP brings Flexibility without compromise on Performance

BRKARC-2035 23



UADP Evolution

Catalyst 3850 Copper Catalyst 3650 Catalyst SFP Fiber

UADP 1.0

1.6 Billion Transistors36 nm

UADP 1.1

3.2 Billion Transistors36 nm

Catalyst 3850 Multigigabit

Catalyst 3850 SFP+

Catalyst 3650Multigigabit

Catalyst 3650 Mini

BRKARC-2035 24


UADP 2.0 & 3.0 : a new generation of enterprise ASIC

Catalyst 9K Family

UADP 3.0

~20B transistors16-nm technology

3x scaleUp to 1.6T

bandwidth

UADP 2.0

~7.4 B transistors28-nm technology



Catalyst 9K Family - x86 CPU

x86 CPU

x86 based 3rd Party Apps

x86 Multi-core CPU

x86 CPU enables hosting containers and 3rd party apps

BRKARC-2035 26



Open IOS XE – A Modern Operating System

IOS XE 16

Hosted AppsIOSd

LXC

LXC

IOS-XE

DB

Common Infrastructure / HA

Management Interface

Module Drivers

Kernel

KVM

Wireshark

IOSd BlobIOS Sub Systems

IOS Sub SystemsIOS Sub Systems

Open and Extensible IOS-XE

Open, Model Driven & Secure Operating System

BRKARC-2035 27


Machine Learning:Neural Networks


Neural Networks: Image Recognition

Desired output vector of the neural network when shown images



Backpropagation

Training Images Adjust weights

Eventually, you train model to

recognize “car”



Backpropagation

Adjust weights

Eventually, you train model to recognize

“plane”


Examples of AI in Cisco Product Portfolio

400+Employees in AI / ML

Webex team

90Patent Filings in ML/AI

700+Registered for ML Training in CTG

Encompassed in 10+ products across the portfolio

Talos Stealthwatch AppDynamics Webex

Teams

Cognitive Threat Analytics

AMPEncrypted

Traffic Analytics

Cloudlock

TetrationIntersight


Why Cisco?

Network

Footprint

Data: High

volume and

diverse

Talent,

Innovation,

Product Breadth

Machine Learning Success


Security problem: Encrypted traffic

Premises Internet

TLS

• String-matching solutions are ineffective

• Snort, OpenAppID, NBAR…

• Transport Layer Security (TLS) (and other encryption) usage increases

• Benign and malware

• Man-in-the-middle problems: Deployment, expense, privacy


Encrypted Traffic Analytics

Telemetry from switch analytics

• NetFlow data: SrcIP, DstIP, SrcPort, DstPort,

Proto, #Bytes, #Packets

• Intraflow data: Sequence of Packet Lengths and

Times (SPLT), byte distribution, …

• TLS metadata: Extensions, ciphersuites, Server

Name Indication (SNI), certificate strings, …

Cryptographic auditsMalware in encrypted traffic

Primary use case Secondary use case


Stealthwatch + Cognitive Intelligence

Extended Visibility

and Behavioral

Analytics

Advanced Threat

Detection

Local to GlobalWeb Proxy

Cognitive

Intelligence

Stealthwatch

Management

Console

Stealthwatch

Flow Collector

cognitive.cisco.com

Netflow exporting

infrastructure

Proxy Data

Web access logs

HQ

Web Security

Gateways

https://cognitive.cisco.com/


Software-definedNetworking


Software Defined <networking>

Software-Defined

Campus Access (SDA)

Catalyst 9000

Software-Defined

WAN (SD-WAN)

ACIAnywhere

Software-Defined

Data Center Networking

(SDN)

Nexus 9000

ACI

The network

made simple


Cisco Software-Defined Access (SD-Access)

Cisco DNA Center

AnalyticsPolicy Automation

IoT network Employee network

SD-Access

Extension User

mobilityPolicy stays with user

Automated network fabricSingle fabric for wired and wireless with

workflow-based automation

Insights and telemetryAnalytics and insights into user and

application behavior

Identity-based policy and segmentationSecurity policy definition decoupled from

VLAN and IP address


Secure onboarding of users and devicesSegmentation and access control

Group-based policy Policy follows identityCompletely automated

Users

Devices

Apps

Drag policy

to apply

Group 1 Group 2

Employee virtual network

Group 3 Group 4

IoT virtual network

Group 5 Group 6

Guest virtual network

After SD-Access

• No VLAN or subnet

dependency for

segmentation and

access control

• Define one consistent

policy

• Policy follows Identity

• VLAN and IP address

based

• Create IP-based ACLs

for access policy

• Deal with policy

violations and errors

manually

Before SD-Access

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco DNA Center

Policy AssuranceDesignProvision

Physical and virtual infrastructure

Cisco and third party

Cisco DNA Center Appliance Complete network

management system

Automation for provisioning

Platform for extensibility

Analytics for assurance

Cisco DNA Center

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco DNA AssuranceFrom network data to business insights

Metadata

extraction

Complex

correlation

Steam Processing

Clients Baseline

Application NetworkIPAM

CMXAppD

IPSLA

SNMP

OID

Telnet

DNS

MIB

Ping

CLI

DHCP

Wireless

AAA

Syslog

Router

NetFlow

Traceroute

Network telemetry

contextual data

Complex event

processing

Correlated

insights

Suggested

remediation

Over 150 actionable insightsClients | Applications | Wireless | Switching | Routing

Everything as a sensor



The bridge for the world

Documents

Claudiu Boar - Cluj Connecting Day · Securing these devices is hard Unsophisticated devices ... Cisco Catalyst 9500 Series switches Lead fixed core Industry’s first 100G, 40G and