SDN and Splunk
Copyright © 2014 Splunk Inc.
SDN and Splunk
February 2015
Job-Sharing Team of Katy Mann and Pamela Sotnick
Special Programs | Splunk>
Disclaimer
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Escalating IT Complexity…
[Diagram layers: Servers, Storage, Networking; Virtualization; Infrastructure Applications; Packaged Applications; Custom Applications. Components shown: Identity, VPN, IP Phone, HR, Finance, App Svr, DB, Web Svr, SaaS/PaaS, IaaS]
… Plaguing IT Operations
• Complex, silo-based technologies
• Disconnected and outdated point solutions
• Reactive brute-force problem resolution
• Over 80% of time on maintaining, not innovating
Our #1 Value is Reducing IT Complexity
Splunk Turns This…
[Thu Sep 24 14:57:33 2009] [error] [client 10.2.1.44] ap_proxy: trying GET /petstore/enter_order_information.screen at backend host '127.0.0.1/7001; got exception 'CONNECTION_REFUSED [os error=0, line 1739 of ../nsapi/URL.cpp]: Error connecting to host 127.0.0.1:7001', referer: http://10.2.1.223/petstore/cart.do?action=purchase&itemId=EST-14
…Into This
With a powerful ‘Google-like’ search interface and easy-to-build dashboards and alerts, you find the problem fast…so you can fix it fast!
And/or better still, you’re able to monitor and prevent problems altogether.
Impress your Boss and Go Home Early!
Industry Leading Platform for Machine Data
Machine Data: Any Location, Type, Volume
Sources: Online Services, Web Services, Servers, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, RFID
Deployment: On-Premises, Private Cloud, Public Cloud
Platform Support (Apps / API / SDKs), Enterprise Scalability, Universal Indexing
Answer Any Question:
• Developer Platform
• Report and analyze
• Custom dashboards
• Monitor and alert
• Ad hoc search
• Any amount, any location, any source
• Schema-on-the-fly
• Universal indexing
• No back-end RDBMS
• No need to filter data
Thriving Community
• Dev.splunk.com
• 40,000+ questions and answers
• 600+ apps
• Local User Groups and SplunkLive! events
Application Delivery & IT Ops Landscape
[Diagram labels: API, SDKs, UI; Server, Storage, Network; Server Virtualization; Operating Systems; Custom Applications; Business Applications; Cloud Services; App Performance Monitoring; Ticketing/Other; Web Intelligence; Mobile Applications]
Cisco Specific Apps
• Cisco Networks
• Cisco Networks Add-on
• Splunk Add-on for Cisco ACI
• Splunk App for Cisco ACI
• Cisco Meraki Presence Modular Input
• Splunk App for Cisco Nexus 9k
• Splunk for Cisco Identity Services (ISE)
• Splunk Add-on for Cisco WSA
• Splunk Add-on for Cisco ESA
• Splunk Add-on for Cisco Identity Services
• Cisco Security Suite
• Splunk for Cisco CDR
• Splunk App for Cisco UCS
• Cisco eStreamer for Splunk
• Technology Add-on for Cisco Secure Access Control Server (ACS)
• Splunk Add-on for Cisco ASA
• Splunk Add-on for Cisco IPS
• Splunk Add-on for Cisco Sourcefire
• Splunk Add-on for Cisco Nexus 9k
Easy to Try & Get Started
• FREE ONLINE SANDBOX
• FREE DOWNLOAD
• FREE AMAZON MACHINE IMAGES (AMI)
Why Software-defined Network?
• Changing traffic patterns in data centers from north-south to east-west
  – Server and storage virtualization
  – Automation (rapid provisioning of networking resources)
  – Elasticity
• Scaling issues with traditional resources driven by rapid rise in application traffic and virtual machine mobility
Splunk Value for SDN
• Optimizing Networking Resources for Application Needs
• Correlation Across Technology Silos & Virtual, Physical
• Real-time Visibility Into Dynamic Traffic Flows
Real-time Visibility into Dynamic Flows
[Diagram labels: Applications and Services (Compute, WAN Optimization, Application Delivery, Security, Storage, Network Virtualization, WAN Traffic Engineering, Service Chaining (CSP), WAN Path Resiliency, Other Applications); API; SDN Controller (Network Abstraction, Policy Mapping, Topology Database); Networking Element (NE) 1 (Physical or Virtual), NE 2, NE 3; Host at HQ; Port A; Port B; flow rule "If match, forward to port A & port B"]
Optimized Network for Applications Needs
[Diagram labels: Applications and Services (Compute, WAN Optimization, Application Performance, Security, Storage, Network Virtualization, WAN Traffic Engineering, Service Chaining (CSP), WAN Path Resiliency, Other Applications); API; SDN Controller (Network Abstraction, Policy Mapping, Topology Database); NE1, NE2, NE3]
Operational Intelligence for IT and Business Users
Use cases: IT Operations Management, Web Intelligence, Business Analytics, Application Management, Security and Compliance
Users: LOB Owners/Executives, System Administrator, Operations Teams, Security Analysts, IT Executives, Application Developers, Auditors, Website/Business Analysts, Customer Support
What types of data from networks?
• Load Balancer (Application Visibility)
• Performance Data
• Security Events
• Mobile Apps
• Data Center
• SNMP
• NetFlow (sFlow, IPFIX)
• Syslog
• Virt. Data (events, connect.)
• Custom Scripts
• Inventory
• Firewall Logs
Wire Data
The Splunk App for Stream
• Wire Data Enhances the Platform for Operational Intelligence
• Efficient, Cloud-ready Wire Data Collection
• Simple Deployment Supports Fast Time to Value
What is Wire Data?
• Machine Data
• Poly-Structured
• Record of the Communication between Hosts
tcpdump -qns 0 -A -r blah.pcap
20:57:47.368107 IP 205.188.159.57.25 > 67.23.28.65.42385: tcp 480
0x0000: 4500 0214 834c 4000 3306 f649 cdbc 9f39 E....L@.3..I...9
0x0010: 4317 1c41 0019 a591 50fe 18ca 9da0 4681 C..A....P.....F.
0x0020: 8018 05a8 848f 0000 0101 080a ffd4 9bb0 ................
0x0030: 2e43 6bb9 3232 302d 726c 792d 6461 3033 .Ck.220-rly-da03
0x0040: 2e6d 782e 616f 6c2e 636f 6d20 4553 4d54 .mx.aol.com.ESMT
0x0050: 5020 6d61 696c 5f72 656c 6179 5f69 6e2d P.mail_relay_in-
0x0060: 6461 3033 2e34 3b20 5468 752c 2030 3920 da03.4;.Thu,.09.
0x0070: 4a75 6c20 3230 3039 2031 363a 3537 3a34 Jul.2009.16:57:4
0x0080: 3720 2d30 3430 300d 0a32 3230 2d41 6d65 7.-0400..220-Ame
0x0090: 7269 6361 204f 6e6c 696e 6520 2841 4f4c rica.Online.(AOL
0x00a0: 2920 616e 6420 6974 7320 6166 6669 6c69 ).and.its.affili
0x00b0: 6174 6564 2063 6f6d 7061 6e69 6573 2064 ated.companies.d
Wire Data (for our purposes) is data, recorded as events, that we capture using packet sniffing technology from a host’s network interface for a variety of standard protocols.
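To make "recorded as events" concrete, this added example (not part of the original slides and not Splunk App for Stream code) decodes the packet from the tcpdump capture above into a flat key/value event. The field names are illustrative assumptions, and the payload is truncated at 0xc0 bytes exactly as on the slide.

```python
import socket
import struct

# Packet bytes copied from the tcpdump hex dump above (first 0xc0 bytes only,
# so the SMTP payload is cut short exactly where the slide cuts it).
DUMP = """
4500 0214 834c 4000 3306 f649 cdbc 9f39
4317 1c41 0019 a591 50fe 18ca 9da0 4681
8018 05a8 848f 0000 0101 080a ffd4 9bb0
2e43 6bb9 3232 302d 726c 792d 6461 3033
2e6d 782e 616f 6c2e 636f 6d20 4553 4d54
5020 6d61 696c 5f72 656c 6179 5f69 6e2d
6461 3033 2e34 3b20 5468 752c 2030 3920
4a75 6c20 3230 3039 2031 363a 3537 3a34
3720 2d30 3430 300d 0a32 3230 2d41 6d65
7269 6361 204f 6e6c 696e 6520 2841 4f4c
2920 616e 6420 6974 7320 6166 6669 6c69
6174 6564 2063 6f6d 7061 6e69 6573 2064
"""
PACKET = bytes.fromhex("".join(DUMP.split()))
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # bit 0 .. bit 5

def packet_to_event(pkt: bytes) -> dict:
    """Turn one raw IPv4/TCP packet into a flat key/value event."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    total_len, = struct.unpack_from("!H", pkt, 2)  # length the IP header claims
    ttl, proto = pkt[8], pkt[9]
    if proto != 6 or len(pkt) < ihl + 20:
        raise ValueError("not a complete TCP segment")
    sport, dport, _seq, _ack, off_flags = struct.unpack_from("!HHIIH", pkt, ihl)
    tcp_len = (off_flags >> 12) * 4                # TCP header including options
    payload = pkt[ihl + tcp_len:]                  # may be shorter than declared
    return {
        "src_ip": socket.inet_ntoa(pkt[12:16]),
        "dest_ip": socket.inet_ntoa(pkt[16:20]),
        "src_port": sport, "dest_port": dport, "ttl": ttl,
        "tcp_flags": [n for i, n in enumerate(TCP_FLAGS) if off_flags & (1 << i)],
        "bytes": total_len - ihl - tcp_len,        # payload size per the headers
        "captured_bytes": len(payload),            # payload actually in the dump
        "banner": payload.split(b"\r\n", 1)[0].decode("ascii", "replace"),
    }

if __name__ == "__main__":
    for key, value in packet_to_event(PACKET).items():
        print(f"{key}={value}")
```

The decoded addresses, ports and the 480-byte payload length match the summary line tcpdump printed; the gap between `bytes` and `captured_bytes` shows how a truncated capture limits what can be extracted from the payload.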
App for Stream
V6.0
• UDP • TCP • HTTP • FTP • SMB • NFS • POP3 • SMTP • IMAP • MySQL (login/cmd/query) • Oracle (TNS) • PostgreSQL • Sybase/SQL Server (TDS) • LDAP/AD • SIP • DNS • DHCP • Radius
V. Future, Based on Demand:
• ICMP • MAPI
Linux 32-bit/64-bit and Mac OSX 64-Bit
Linux only
V. Future
• Kerberos • NetBios • XMPP Skype • AMQP • WINS (NBNS) • Gmail • ARP • BGP • Netflow • RIP • RTP • 3GPP • Syslog
V. Future
• TFTP • ICA • RDP • Diameter • SMPP • S2S • Windows 2008 & later (64-bit)
Why Wire Data?
• Wire Data complements Log data
• Wire Data can contain IT and business information not found in Log data and vice versa
• Wire Data can be passively gathered without any impact to production workloads, without tagging, embedded code, or additional agents
• Wire Data does not require semantic logging by customer or byte-code instrumentation
• Wire Data can be gathered across many protocols (SSH, FTP, SMTP, IMAP/MAPI, TDS, MQTT, etc.)
• Can be A LOT of data!
WIRE DATA / LOG DATA FOR HTTP WEB TRAFFIC
[Table columns: Attribute, Log Data, Network Data]
Cisco® Application Centric Infrastructure
[Diagram labels: CONTROLLER; OPEN RESTFUL APIS; CENTRALIZED POLICY MODEL; OPEN SOURCE; POLICY MODEL; ACI; NEXUS 9500 and 9300; APIC]
What It’s Like In the Trenches
• Help Desk: Logs call. Client web connections slow or not going through.
• Applications Admin: Stops working on deploying new apps. Checks web server logs. Web server connect. to DB limited.
• Database Admin: Checks DB logs and DB connections not going through. Suspects network issue.
• Network Admin: Gathers logs from multiple switches. Measures bandwidth. Identifies ESXi sucking up bandwidth.
• VMware Admin: Checks ESXis and VMs. Identifies problem VM. Takes action to resolve.
Escalate. Escalate. Escalate. Escalate. >12-hour outage!
Single Console Visibility into ACI health
Eliminate silos and find root cause faster!
[Diagram: Cisco ACI for Splunk, shared by Security Admin, Fabric Administrator, Help Desk Operator, VMware Admin, Tenant or Application Admin]
Why Cisco ACI for Splunk Enterprise App?
1. Central Proactive Monitoring
2. Operational Analytics
3. Cross-tier Visibility
• Reduce cost & accelerate MTTR
• Minimize outages, meet SLAs
• Fast time-to-value
Central Proactive Monitoring
• Proactive real-time and historical insights into health of Cisco ACI, including performance, inventory and logs across all entities
  – APICs, fabric, tenants, applications, EPG
  – Identification of root cause
• Flexible, per-admin role visibility into faults for troubleshooting acceleration in multitenant environments
Operational Analytics
• Fabric health insights with path degradation visibility for optimal throughput and prevention of network outages
• User and fabric analytics for security, audit and troubleshooting
Cross-tier Operational Visibility
Correlate ACI data with machine data from any technology tier, including applications, server, storage, OS, virtualization and security data, for simplified troubleshooting and reduced time-to-resolution
App Architecture
[Diagram labels: APIC Controller; APIC; ACI App; Splunk Forwarders; Splunk indexers and search head; Servers, Storage, Virtualization]
• API collection: Performance metrics every 5 min, inventory data every 1 hour
• Log data via syslog
• Dashboards, reports, field extractions
Swag Time !!!
Q: What is Splunk’s mission?
Q: Of the over 600+ apps available at http://apps.splunk.com, how many of them are ‘free’?
Bonus: Of the over 600+ apps available at http://apps.splunk.com, how many of them are directly related to Cisco products?
Swag Time !!!
Q: What is Splunk’s mission?
Ans: Make machine data accessible, usable and valuable to everyone.
Q: Of the over 600+ apps available at http://apps.splunk.com, how many of them are ‘free’?
Ans: All but four (4).
Bonus: Of the over 600+ apps available at http://apps.splunk.com, how many of them are directly related to Cisco products?
Ans: Over 19.