The Network Architecture for Digital Organizations

Cisco Digital Network Architecture

Ljubljana, Slovenia, April 20th 2016

Petr Pavlu (ppavlu@cisco.com)

Director Technical Sales Organization

EMEAR Central, Cisco

• Introducing DNA

• Examples of DNA components

• Virtualization

• Automation

• Analytics

• Summary

Agenda

IT Priorities for Digital Transformation

IT Must Simplify to Accelerate Digital Innovation

Faster

Innovation

Reduce Cost

& ComplexityLower Risk

Static budgetsOnly 30% of digital projects will succeed

More devices, apps, usersTechnology innovation speed

OpEx 2-3 X the CapExSlow IT processes

Cost of business disruption

80 days to discover threats

New regulations

Faster

Innovation

Reduce Cost

& ComplexityLower Risk

Network Requirements for the Digital Organization

Insights &

Experiences

Visibility and Analytics users | devices | applications | threats

Automation &

Assurance

Speed and Simplicity

Security &

Compliance

Real-time & Dynamic

Threat Defense

Digital Business – Application-Driven Agility

Time IT spends on operationsCEOs are worried about IT strategy

not supporting business growth80% 57%

0

100%

Source: Forrester

CAPEX OPEX

33% 67%

0 10 100 1000

Computing Networking

Seconds

Source: Open Compute Project

“…While other components of the IT infrastructure have become more programmable and allow for faster, automated provisioning,

installing network circuits is still a painstakingly manual process...”

—Andrew Lerner, Gartner Research

Network Expenses Deployment Speed

Cisco Digital Network Architecture

Automation

Abstraction & Policy Control

from Core to Edge

Open & Programmable | Standards-Based

Open APIs | Developers Environment

Cloud Service Management

Policy | Orchestration

Virtualization

Physical & Virtual Infrastructure | App Hosting

Analytics

Network Data,

Contextual Insights

Insights &

Experiences

Automation

& Assurance

Security &

Compliance

Network-enabled Applications

Cloud-enabled | Software-delivered

Principles

Cisco Digital Network Architecture

Automation

Abstraction & Policy Control

from Core to Edge

Open & Programmable | Standards-Based

Open APIs | Developers Environment

Cloud Service Management

Policy | Orchestration

Virtualization

Physical & Virtual Infrastructure | App Hosting

Analytics

Network Data,

Contextual Insights

Insights &

Experiences

Automation

& Assurance

Security &

Compliance

Network-enabled Applications

Cloud-enabled | Software-delivered

Principles

Why Virtualization for the Network?

Lower operating costs

AND

IoTMobility Analytics CloudMobile traffic will Exceed

wired traffic by 2017

IoT Devices will

triple by 2020

76% of companies planning

to or investing in Big Data

80% of organizations will

primarily use SaaS by 2018

Deploy new capabilities faster

What is a Service Container?Service Containers use virtualization technology

(LXC and KVM) to provide a hosting environment

on Cisco routers/switches for applications which

may be developed and released independent of

platform release cycles.

Virtualized environment on a cisco device.

Use Case Cisco Virtual Services:

• Lightweight Application Hosting

• Example: ISR-WAAS ( KVM )

• Example: SNORT ( LXC )

Use Case Third Party Services:

• KVM Hosted Applications

Container

Network OS

Virtual Service

Linux OS

IOSd

Control PlaneSnort

KVM

IOS-XE Service Container Architecture

Cisco Apps

ISR-WAAS

Customer and 3rd Party

Applications (KVM only)

Platform-Specific Data Plane AppNav

Virtual Ethernet

ISR 4K + UCS E-Series

UCS C-SeriesNFV Platform

(coming soon)

Network Functions Virtualization Infrastructure Software (NFVIS)

Enterprise Service Automation (ESA)

Introducing: Cisco Enterprise NFVNetwork services in minutes, on any platform

Virtual Router

(ISRv)

Virtual Firewall

(ASAv)

Virtual WAN

Optimization

(vWAAS)

Virtual Wireless

LAN Controller

(vWLC)

3rd Party VNFs

Option 2b

• Enterprise NFV aims to offer virtualized NETWORK services and APPLICATION hosting

• Reduce hardware landscape in the branch

• Support for both Cisco and non-Cisco VNFs and applications

• Number of VNFs / Application depends on host resource availability

VNF and Applications in Enterprise NFV

Additional List of Cisco VNF Candidates

VNF Function

Firepower Threat Defense IPS/IDS

SRST VoIP Call Control

Unity Cxn VoIP Voicemail / AA

WSAv Web security

CUBE SIP Trunking

Enterprise NFV Phase 1 VNFs & Applications

VNF Function

ISRv L3-L7 integrated routing

vASA Firewall

vWAAS WAN Optimization

vWLC Wireless LAN Controller

Juniper SRX Firewall

Windows / Linux server Applications (DNS, File Servers etc)

Branch Virtualization – On premise Options

BranchVirtualized L4-7 service on external x86 with ISR4K-4K

Transport

• ISR4K-4K + UCS

• ISR4K-4K performs L3/L4 transport functions

• Services (Firewall, WAAS..) virtualized on external server

• Multi-vendor options for Services

F/D2WAN

Branch

Fully virtualized Branch

• L3/L4 transport and network services virtualized

• UCS platform hosting all service functions

• Multi-vendor options for Services

F/D3

WAN

1

Branch Integrated L4-7 services

• ISR4K-4K + UCS-E or ISR4K-4K + Service Containers

• ISR4K-4K performs L3/L4 and transport functions

• Services (Firewall, WAAS..) virtualized on UCS-E

• Multi-vendor options for Services

F/D

WAN

Cisco Digital Network Architecture

Automation

Abstraction & Policy Control

from Core to Edge

Open & Programmable | Standards-Based

Open APIs | Developers Environment

Cloud Service Management

Policy | Orchestration

Virtualization

Physical & Virtual Infrastructure | App Hosting

Analytics

Network Data,

Contextual Insights

Insights &

Experiences

Automation

& Assurance

Security &

Compliance

Network-enabled Applications

Cloud-enabled | Software-delivered

Principles

Automation: Cisco APIC-EM Automation Platform

Complete Lifecycle | Consistent End to End

“Unlike other SDN solutions, APIC-EM can be

deployed on our existing infrastructure so we can

move quickly with minimum risk and maximum

investment protection.

CJ Singh, Chief Technology Officer

Backcountry.com

”

Open and

Extensible

Enterprise Scale

and Resiliency

Automation and

Services

“The inherent programmability of Cisco APIC-EM

allows us to drive innovation and improve on user

experience on a world-class infrastructure. It is a

solid foundation to embark on a journey to SDN.

Raj Gulani, Director Product Management

Citrix

”

Industry-Leading Network Controller

Open

APIs

Group-based

Policy

Clustering

Technology

Cloud Connected

Telemetry

Complete

Abstraction

Cisco APIC-EM

1000sOf DevNet

Developers

160+Customers

Deployments

running up to

4000 devices

Customer MomentumIOS ASIC

Northbound REST API

APIC-EM Platform Architecture

APIC-EM Applications

Elastic Controller Infrastructure (Grapevine )

Network

PnPIWAN

Path

Trace

Network

Inventory

Advanced Topology Visualizer

APIC-EM Services

Inventory

ManagerRBAC Policy Analysis

Policy

Programmer

Network PnPData Access

Service

Topology

Services

IWAN

Services

Applications built on top of APIC-EM

Applications packaged with APIC-EM

Core Applications bundled

IWAN Application separately licensed

Open and Documented REST API

(http://developer.cisco.com)

Core Services

Applications Specific Services

Provides Scale and High Availability

Introducing APIC-EM and Early Apps

Day 0 : Plug-and-Play App

Zero touch deployment of routers / switches / APs

Shrinks deployment from months to minutes

Day 1 : Cisco IWAN App

Guided, fast auto-provisioning of IWAN solution with Cisco experts’ best practices

From 1000s of CLI commands to a few policy deployments with a few GUI clicks per branch

Day 2 : Path Trace App

Discover path between two end points based

Lower OPEX for trouble ticket processing by 98%

3 N E W A P P L I C A T I O N S

Applications

SecurityOrchestration Automation Collaboration

SOUTHBOUND ABSTRACTION LAYER

CATALYST | ISR | ASR | WIRELESS

REST API

E N T E C H N O L O G Y D I F F E R E N T I A T I O N

APIC-EM Packaging and Deployment

Built as a

Linux Container

Grapevine

Root

LXC

Container

LXC

Container

GV

Client

GV

Client

Operation System

Server / Machine

Standalone or

Resilient Deployment

3 Nodes• active-active-active

• Scale and HA- Software failure- HW failure of 1 node

1 or 2 Nodes• active-active

• Scale and HA- Software failure only

Download or

Preinstalled Appliance

Download• .iso image including

ubuntu 14.04 64bit

• available from:- software.cisco.com- devnet.cisco.com

Cisco Appliance• APIC-EM installed

• ready-to-go

• or SKU:- APIC-EM-APL-R-K9- APIC-EM-APL-G-K9

Coming: APIC-EM QoS Automation - EasyQoS

EM

Applications can ALSO interact with APIC-EM via

Northbound APIs, informing the network of application-

specific and dynamic QoS requirements

Southbound APIs translate

business-intent to platform-

specific configurations

Network Operators express high-level

business-intent to APIC-EM EasyQoS

Southbound APIs translate

business-intent to platform-

specific configurations as

they are needed

STATIC QoSDYNAMIC QoS

Cisco Digital Network Architecture

Automation

Abstraction & Policy Control

from Core to Edge

Open & Programmable | Standards-Based

Open APIs | Developers Environment

Cloud Service Management

Policy | Orchestration

Virtualization

Physical & Virtual Infrastructure | App Hosting

Analytics

Network Data,

Contextual Insights

Insights &

Experiences

Automation

& Assurance

Security &

Compliance

Network-enabled Applications

Cloud-enabled | Software-delivered

Principles

AVC (Application Visibility And Control)

NBAR2

Protocol Pack

Custom Signature

URL PortIP

AddressSSL PPDK

Flexible NetFlow

PerfMon

Application Recognition

Reporting of Usage (BW, Top Users,

Perf Metrics)

Troubleshoot applications.

Business policy driven routing

Delivers

Ac

ross

NBAR1000+ Signatures

Advanced Classification Techniques

Native IPv4/ IPv6

ClassificationAdvanced

Field Extraction

Custom Signature

Builder

• Classification of L4-L7 Application traffic -NBAR is used as Deep Packet Inspection (DPI) engine

• Can be used with Protocol Discovery to get an idea of traffic patterns in network

• Can be used with MQC (Modular QoS CLI) to control the traffic patterns in the network

• Supported devices: ISR-G2 (86x, 88x, 89x, 19xx, 29xx, 39xx), 44xx, ASR1k, CSR1kV, WLC (2508, 8500, 7500, 55xx), 3850/5760 (AP based)

• Protocol Pack allows adding more applications without upgrading or reloading IOS

• Classifies 140+ encrypted traffic

Recognizes

1400+ Apps

Network Based Application Recognition

Gain Insights & Innovate with Cisco CMX

• Presence and location detection

• Visibility (Wi-Fi, BLE)

• Easy Wi-Fi login, custom or social

• Zone-based, custom

splash pages

• App-based mobile engagement

• Context-aware in-venue

experiences

DETECT CONNECT ENGAGE

Presence Location SocialANALYTICS

Gain Business Insights Through Analytics

Presence & Analytics Heat Maps Correlation

Visitors vs. Passerbys

Repeat vs. New Visitors

Dwell Time

Busiest Hour, Day

Visitor Sentiment

Conversion Rate

Building/Floor

Where do visitors spend time? Which paths

did visitors take?

Now available as a cloud service: https://cmxcisco.com/

Timeframe Parameters Heat Map

Visibility with Cisco Identity Services Engine (ISE)Discover Known and Unknown in Your Network

ACCESS POLICY

Network / User Context

How

WhatWho

WhereWhen

Partner Context Data

PxGrid

Consistent Secure Access Policy Across Wired, Wireless, and VPN

Network as a Sensor: Lancope StealthWatch

Real-time visibility at all network layers

• Data intelligence throughout network

• Assets discovery

• Network profile

• Security policy monitoring

• Anomaly detection

• Accelerated incident response

Cisco ISE

NetFlow

Context Information

Mitigation Action

PxGrid

access-list 102 permit icmp 186.246.40.245 0.255.255.255 eq 3508 191.139.67.54 0.0.1.255 eq 1479access-list 102 permit ip 209.111.254.187 0.0.1.255 gt 4640 93.99.173.34 255.255.255.255 gt 28access-list 102 permit ip 184.232.88.41 0.0.31.255 lt 2247 186.33.104.31 255.255.255.255 lt 4481access-list 102 deny ip 106.79.247.50 0.0.31.255 gt 1441 96.62.207.209 0.0.0.255 gt 631access-list 102 permit ip 39.136.60.170 0.0.1.255 eq 4647 96.129.185.116 255.255.255.255 lt 3663access-list 102 permit tcp 30.175.189.93 0.0.31.255 gt 228 48.33.30.91 0.0.0.255 gt 1388access-list 102 permit ip 167.100.52.185 0.0.1.255 lt 4379 254.202.200.26 255.255.255.255 gt 4652access-list 102 permit udp 172.16.184.148 0.255.255.255 gt 4163 124.38.159.247 0.0.0.127 lt 3851access-list 102 deny icmp 206.107.73.252 0.255.255.255 lt 2465 171.213.183.230 0.0.31.255 gt 1392access-list 102 permit ip 96.174.38.79 0.255.255.255 eq 1917 1.156.181.180 0.0.31.255 eq 1861access-list 102 deny icmp 236.123.67.53 0.0.31.255 gt 1181 31.115.75.19 0.0.1.255 gt 2794access-list 102 deny udp 14.45.208.20 0.0.0.255 lt 419 161.24.159.166 0.0.0.255 lt 2748access-list 102 permit udp 252.40.175.155 0.0.31.255 lt 4548 87.112.10.20 0.0.1.255 gt 356access-list 102 deny tcp 124.102.192.59 0.0.0.255 eq 2169 153.233.253.100 0.255.255.255 gt 327access-list 102 permit icmp 68.14.62.179 255.255.255.255 lt 2985 235.228.242.243 255.255.255.255 lt 2286access-list 102 deny tcp 91.198.213.34 0.0.0.255 eq 1274 206.136.32.135 0.255.255.255 eq 4191access-list 102 deny udp 76.150.135.234 255.255.255.255 lt 3573 15.233.106.211 255.255.255.255 eq 3721access-list 102 permit tcp 126.97.113.32 0.0.1.255 eq 4644 2.216.105.40 0.0.31.255 eq 3716access-list 102 permit icmp 147.31.93.130 0.0.0.255 gt 968 154.44.194.206 255.255.255.255 eq 4533access-list 102 deny tcp 154.57.128.91 0.0.0.255 lt 1290 106.233.205.111 0.0.31.255 gt 539access-list 102 deny ip 9.148.176.48 0.0.1.255 eq 1310 64.61.88.73 0.0.1.255 lt 4570access-list 102 deny ip 124.236.172.134 255.255.255.255 gt 859 56.81.14.184 255.55.255.255 gt 2754access-list 102 deny icmp 227.161.68.159 0.0.31.255 lt 3228 78.113.205.236 255.55.255.255 lt 486access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467

Network as an Enforcerwith TrustSec

Traditional Security Policy

TrustSec Security PolicyNetwork Fabric

Switch Router DC FW DC SwitchWireless

Flexible and Scalable Policy Enforcement

segmentationsoftware defined

Security Control Automation

Simplified Access Management

Improved Security Efficacy

Digital Transformation Builds Digital Organizations

Customer Experience

Delivery Control

Personalized Service

Customer Experience

Physical and Virtual

RFID Content

Workforce Efficiency

WIP Inventory and

Part Tracking

Customer Experience

Personalized Service

Through Mobile

Business Operations

Order Ahead

Skip the Line

Digital Organizations NeedThe Right Network Architecture

Cisco Digital Network Architecture

Network Architecture for Digital Organizations

Automation

Abstraction & Policy Control

from Core to Edge

Open & Programmable | Standards-Based

Open APIs | Developers Environment

Cloud Service Management

Policy | Orchestration

Virtualization

Physical & Virtual Infrastructure | App Hosting

Analytics

Network Data,

Contextual Insights

Insights &

Experiences

Automation

& Assurance

Security &

Compliance

Network-enabled Applications

Cloud-enabled | Software-delivered

Principles