Cisco Digital Network Architecture – Deeper Dive, “From the Gates to the GUI”

Wade Crick, Customer Solutions Architect. January 2018. Cisco Connect: Your Time Is Now.

© 2017 Cisco and/or its affiliates. All rights reserved.

Upload: cisco-canada

Post on 28-Jan-2018


© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public

Session Abstract

Cisco Digital Network Architecture – Deeper Dive, “From the Gates to the GUI”

Come to this session to learn how the latest advances in Cisco Enterprise silicon development – programmable, flexible ASIC (Application Specific Integrated Circuit) hardware, which provides a key foundational element of Cisco's Digital Network Architecture portfolio – are driving industry innovations such as Cisco’s new Catalyst 9000 family of switches, as well as exciting new solutions such as ETA (Encrypted Traffic Analytics) and Software-Defined Access.

Attendees at this session will gain greater insight into how ASICs are designed and built, showcasing the advanced capabilities and functionality delivered by Cisco's latest switching silicon innovations provided by UADP (Unified Access Data Plane), as well as the latest advancements in Cisco’s wireless silicon. Most importantly, this session will show the continuum of Cisco’s evolution – from the gates (silicon gates, that is) to the latest advanced GUIs that solutions such as SD-Access are enabled with – allowing customers to move faster, innovate rapidly, and drive significant cost savings for their organizations.

Come to this session to “double-click” on how Cisco is revolutionizing the Enterprise network with DNA! This is the second of two sessions. An optional introduction to the principles of DNA, as well as an exploration of the new DNA Center GUI and the Automation and Assurance aspects of the Cisco Digital Network Architecture it supports, is provided in the preceding companion session.

Agenda

• Industry Trends

• The Network Intuitive

• Cisco DNA and the Importance of Flexible Hardware

• The Evolution of the Application Specific Integrated Circuit

• DNA/Software Defined Access

• DNA Center

• Encrypted Traffic Analytics

• Catalyst 9000

• Summary, Q&A

We are going to try to cover from “The Gates to the GUI”

Innovation - The world’s 50 most innovative companies

# 37. Cisco Systems

2017 patent grants: 967

2016 patent grants: 978

Source - 24/7 Wall St. Jan 12, 2018

From Innovations in Silicon and Software

… to Innovations in Platforms and Solutions

And Why These

Cisco DNA and the Importance of Network Innovation

Enterprise Trends Driving Digital Transformation

• Mobility – Devices per Person: 3.64. Mobile world requires access to everything everywhere
• IoT – Things Connected: 7.5B. Unmanned devices growing at rapid pace
• Cloud – Agility and New Consumption Models
• Advanced Persistent Threats
• Devices per Admin: 100K

The Need for Agility: Changing Enterprise Requirements

• Time IT spends on operations: 80%
• CEOs are worried about IT strategy not supporting business growth: 57%
• Network Expenses: CAPEX 33%, OPEX 67%
• Deployment Speed [chart: Computing vs. Networking, in seconds, on a scale of 0, 10, 100, 1000]

Source: Forrester. Source: Open Compute Project

Traditional Networks Cannot Meet the Demand

• Users, Device and IoT Segmentation
• Enabling Seamless Mobility
• Secure Connectivity to the Cloud
• Setting Up End-End Security

[Diagram: HQ, Branch A and Remote sites connected over the WAN, with VLAN 1, VLAN 2, VLAN 3 and ACL 1, ACL 2, ACL 3 configured per site]

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Cisco Digital Network Architecture

Principles
• Insights and experiences
• Automation and assurance
• Security and compliance

Architecture layers
• Network-enabled applications
• Cloud service management: Policy | Orchestration
• Automation: Abstraction and policy control from core to edge
• Analytics: Network data, contextual insights
• Virtualization: Physical and virtual infrastructure | App hosting
• Open APIs | Developers environment
• Open and programmable | Standards-based
• Cloud-enabled | Software-delivered

The Network. Intuitive.

Powered By Intent. Informed by Context.

Intent-Based Network Infrastructure

• DNA Center: Analytics, Policy, Automation
• Switching, Routers, Wireless
• DNA Center 1.1 General Availability
• Software-Defined Access
• Meraki Visibility
• Extended Enterprise

Journey to Intent-based Networking

• Digital-Ready Infrastructure: Secure foundation, Programmability, Virtualization
• Analytics & Assurance: Everything as a sensor, Telemetry, Historical & Real-time
• Policy-Based Automation: Business Policy, Translation, Segmentation
• Machine Learning & AI: Policy Validation, Predictive, Self-healing
• Intent-based Networking: Constantly Learning, Constantly Adapting, Constantly Protecting
• Scaling (via Cloud)

We are here

The Network. Intuitive. Powered by intent. Informed by context. Based on Cisco’s DNA

The Network Intuitive. Moving From Manual to Automated

From Basic to Advanced:

• Automated Deployment (Exists Today): Plug and Play, Day 0 Deployment
• One Point of Management – All from Cisco DNA Center (New): Configure once and deploy everywhere - SD-Access. Consistent Across Network Fabric
• Self-Driving Automation (Future): Closed Loop through Network Analytics and Machine Learning

Plug and Play, Day 0 Deployment

Step 1: Network admin provisions devices in Cisco Network Plug and Play applications

Step 2: Onsite installer with mobile app installs and powers on devices, triggers deployment, checks status

Step 3: New devices contact Cisco Network Plug and Play application to get provisioned

Network admin can remotely monitor install status

[Diagram labels: Admin, Installer, HTTP Proxy, Internet, DNA Center, BB, Campus Fabric, SDA]

Quality of Service – Intuitive?

[Diagram: queuing models by platform, with trust boundaries and policy enforcement points (PEP)]
• Wireless AP (Trust Boundary, PEP): 4Q (WMM)
• Catalyst 3650 (Trust Boundary, PEP): 2P6Q3T
• Catalyst 2960-X (Trust Boundary, PEP): 1P3Q3T
• Catalyst 4500: 1P7Q1T
• Catalyst 6500: 1P3Q4T, 1P7Q4T, 2P6Q4T
• Nexus 7700 F3: 1P7Q1T
• WLC: PEP
• ASR/ISRs: MQC

EasyQoS Operation

• Network Operators express high-level business intent to the EasyQoS app
• Southbound APIs translate business intent to platform-specific configurations

[Diagram label: Network Controller]

EasyQoS Results

EasyQoS will seamlessly interconnect all types of hardware and software queuing models to achieve consistent and compatible end-to-end treatments – aligned with the expressed business intent

ip access-list extended APIC_EM-MM_STREAM-ACL
 remark citrix - Citrix
 permit tcp any any eq 1494
 permit udp any any eq 1494
 permit tcp any any eq 2598
 permit udp any any eq 2598
 remark citrix-static - Citrix-Static
 permit tcp any any eq 1604
 permit udp any any eq 1604
 permit tcp any any range 2512 2513
 permit udp any any range 2512 2513
 remark pcoip - PCoIP
 permit tcp any any eq 4172
 permit udp any any eq 4172
 permit tcp any any eq 5172
 permit udp any any eq 5172
 remark timbuktu - Timbuktu
 permit tcp any any eq 407
 permit udp any any eq 407
 remark xwindows - XWindows
 permit tcp any any range 6000 6003
 remark vnc - VNC
 permit tcp any any eq 5800
 permit udp any any eq 5800
 permit tcp any any range 5900 5901
 permit udp any any range 5900 5901
exit
ip access-list extended APIC_EM-SIGNALING-ACL
 remark h323 - H.323
 permit tcp any any eq 1300
 permit udp any any eq 1300
 permit tcp any any range 1718 1720

Your Choice …

Cisco DNA and the Importance of Flexible Hardware

ASICs are a pillar of Cisco innovation …

David Goeckeler, Cisco SVP, Security and Networking, Cisco Live Las Vegas 2016

EISG Architecture Team

Logic Design Choices

• General Purpose CPU
• Field Programmable Gate Arrays
• Application Specific Integrated Circuits
• System on Chip
• Graphics Processing Unit

How is an ASIC built?

It all starts with the Transistor

• The first bipolar junction transistors were invented by Bell Labs in 1948.
• Transistors can be an amplifier (linear region operation) or a switch (saturation region operation).
• In switch mode +VCC = 1, Gnd = 0 for binary operations.

An example of a Transistor AND Gate

Fairchild DM7408 Quad 2-Input AND Gates

Truth Table

An example of a Transistor NAND Gate

We are talking transistors… and how many we can pack in an ASIC die …

“The number of transistors incorporated into a chip will approximately double every 18 - 24 months …”

“Moore’s Law” - 1975

Transistor Width measured in Nanometers

Nanometer = One Billionth of a Meter

TSMC currently plans to start manufacturing 7nm chips in 2018.

“This past September, we announced our plan for the world's first 3-nanometer fab located in the Tainan science park. This fab could cost upwards of $20 billion and represents TSMC's commitment to drive technology forward,” TSMC executive Mark Liu.

NVIDIA TITAN V GPU is fabricated on TSMC 12 nm FFN (FinFET NVIDIA) process. 21.1 billion transistors.

Apple iPhone X 10nm

Then, it starts with coding…

Verilog, VHDL

Synthesis Process: Converts code into logical gate constructs (Netlist)

ASICs – From Definition to Deployment

• Discrete transistor
• MOSFET (metal oxide semiconductor field effect transistor)
• FinFET (Fin Field Effect Transistor - "3D")
• … mostly used @ 22nm and above
• Intel in 2012 used 22-nm in Ivy Bridge processors
• Universal Gates: NAND gate, NOR gate … which can be used to build any of the other logic gates …
• Other gates: AND gate, OR gate, NOT gate, XOR gate, XNOR gate
• … which, when we put millions of them together on a silicon die, produce a chip!
• Silicon wafer

And we have an ASIC…

Why Does Cisco Develop Our Own Silicon?

• Simpler Deployment Options
• Better Insight and Optimization
• Increased Security
• Most Appropriate Scalability
• Flexibility and Investment Protection via Programmability

Cisco Investments

• Cisco spent US$1.567 Billion last quarter (Q2, FY2018) on R&D, some of which was on custom ASICs.
• Vast majority of Cisco products include custom ASICs
• Custom ASICs in:
  • Catalyst 3000, 9000
  • Nexus 5000, 7000, 9000
  • ISR, ASR 1000 (Quantum Flow Processor)
  • Wireless
  • …

UADP 2.0 – Next Generation of ASIC Innovation

• 7.46B Transistors, 28nm Technology
• Up to 240GE Bandwidth
• Up to 32MB Packet Buffer
• Up to 64K x2 Netflow Records
• 384K Flex Counters
• Up to 2X to 4X Forwarding + TCAM
• Embedded Microcontrollers
• Shared Lookup
• Flexible Pipeline

• Universal Deployments: Adaptable Tables
• Enhanced Scale/Buffering: Multicore resource share
• Investment Protection: Flexible Pipeline
• Mobile Ready
• Security/Trustsec/MACsec
• Enhanced Netflow
• Programmable
• High Performance Recirculation (tunneling - GRE, VXLAN, etc)

Traditional Fixed ASIC Processing Pipeline

Traditionally the ASIC processing pipeline is FIXED (IPv4, IPv6) … and has challenges handling NEW PROTOCOLS … (MPLS)

Unified Access Data Plane – Processing Pipeline

Cisco’s UADP ASIC delivers FLEXIBILITY …

Flexible, Programmable Processing Pipeline

[Diagram labels: Flex Parser, Stage 1, Stage 2, Stage 3, Stage n, Flex Rewrite, Flex Counters; protocols shown: IPv4, IPv6, GRE, VXLAN, MPLS, IPv7]

If IPv7 were invented tomorrow … we could probably handle it via the Programmable Pipeline!

So where can Flexible ASICs help us?

DNA Flexible Infrastructure – Programmable ASIC Silicon

ASIC Evolution – Over Time

• Catalyst 3550, circa 2003: 60M transistors, 47,226 lines of code
• Catalyst 3750, circa 2008: 210M transistors, 86,220 lines of code
• Catalyst 3850, circa 2013: UADP 1.0 – 1.3B transistors, UADP 1.1 – 3.0B transistors, 1,490,000 lines of code
• New! Catalyst 9300 / 9400 / 9500 – 2017: UADP 2.0: 7.46B transistors! 2,160,000 lines of code

All Cisco-developed silicon. Driving the benefits of vertical integration – Hardware and software working together!

Just like some other famous examples …

What does all of this mean for me?

Cisco Programmable Hardware equals FLEXIBILITY, ADAPTABILITY

Enabling Network Evolution – a critical requirement for DNA

Cisco Digital Network Architecture: How DNA Center embraces the Cisco DNA

[Diagram: the Cisco Digital Network Architecture principles and layers from the earlier slide, with DNA Center covering APIC-EM, ISE, Analytics & Assurance]

June 2017 - What we announced:

• DNA Center
  • Built-in expertise to manage and deploy end-to-end network services with a central management
• DNA Analytics & Assurance
  • Analytics collects data from users, devices, and applications and uses machine learning to proactively identify problems
• Software-Defined Access
  • Dynamically adapt to changing needs with policy-based management of the network fabric
• Enhanced Network as a Sensor
  • Uncover threats hidden in encrypted traffic without decryption.
• Catalyst 9000 Series Switches
  • First infrastructure devices purposely designed for DNA

Software Subscription Licensing | DNA Advisory, Technical, Support Services

Software-Defined Access

Industry’s first policy-based automation from the edge to the cloud

• Single Network Fabric: Enable a consistent user experience anywhere without compromising on security
• Automate User Access Policy: Apply the right policies for user or device to any application across the network
• End-to-End Segmentation: Keep user, device and applications traffic separate without redesigning the network

Common user policy for the branch, campus, WAN and cloud

Software Defined Access (SD-Access): Bringing Everything Together

• Controller-based Management (DNA Center)
• Programmable Overlay
• Simplified L3 Underlay

Key Components of SD-Access

1. Control Plane based on LISP
2. Data-Plane based on VXLAN
3. Policy-Plane based on TrustSec

Key Differences

• L2 + L3 Overlay -vs- L2 or L3 Only
• Host Mobility with Anycast Gateway
• Adds VRF + SGT into Data-Plane
• Virtual Tunnel Endpoints (No Static)
• No Topology Limitations (Basic IP)

SD-Access Roles & Terminology

• DNA Controller – Enterprise SDN Controller provides GUI management and abstraction via multiple Service Apps, that share information
• Identity Services – External ID Systems (e.g. ISE) are leveraged for dynamic User or Device to Group mapping and Policy definition
• Analytics Engine – External Data Collectors (e.g. NDP) are leveraged to analyze User or Device to App flows and monitor fabric status
• Control-Plane Nodes – Map System that manages Endpoint ID to Device relationships
• Border Nodes – A Fabric device (e.g. Core) that connects External L3 network(s) to the SDA Fabric
• Edge Nodes – A Fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SDA Fabric
• Fabric Wireless Controller – A Fabric device (WLC) that connects Wireless Endpoints to the SDA Fabric
• Intermediate Nodes (Underlay)

[Diagram labels: DNA Center, APIC-EM, ISE, NDP, Identity Services, Analytics Engine, Control-Plane Nodes, Fabric Border Nodes, Fabric Edge Nodes, Fabric Wireless LAN Controller]

SD-Access Support

A single fabric for your digital ready network

• Switching: Catalyst 9300, Catalyst 9400, Catalyst 9500, Catalyst 3850 and 3650, Catalyst 4500E, Catalyst 6K, Nexus 7700
• Subtended: Catalyst Digital Building, Catalyst 3560-CX, IE Switches** (2K/3K/4K/5K)
• Routing: ASR-1000-X, ASR-1000-HX, ISR 4430, ISR 4450, ISR 4351, ISR 4331, ENCS 5400**, CSRv
• Wireless: AIR-CT3504, AIR-CT5520, AIR-CT8540, Wave 2 APs (1800, 2800, 3800), Wave 1 APs* (1700, 2700, 3700)

*with Caveats
**Future

[Several platforms on the slide carry a NEW marker.]

DNA Center: Design, Policy, Provision, Assurance

A better way to manage your network

DNA Center: Design, provision, automate policy and assure services from one place

• Logical workflow to design, provision, set policy: Respond to changes faster
• Monitor end-to-end network performance: Predict and act on problems before they happen
• Pinpoint problems faster: Reduce downtime with an end-to-end view instead of hop by hop
• Manage hardware and software lifecycles: Keep up to date, meet compliance and plan for refresh

Design | Provision | Policy | Assurance

Design
• Select Areas, Building, Floors
• Configure Network Settings
• Set IP Address Pools

Provision
• Assign Devices to Locations
• Provision Network Fabric
• On-board Hosts

Policy
• Create Virtual Networks
• Register End Point Types
• Administer Context-Based Policy

Assurance
• Network and Device Performance
• Client Access, Connectivity, Monitoring and Troubleshooting
• Application Experience Monitoring & Acceleration

Encrypted Traffic Analytics: Security with Privacy

• Analyze NetFlow metadata without decrypting traffic flows
• Global-to-local knowledge correlation - 99.99% threat detection accuracy
• Encrypted traffic analytics from Cisco’s newest switches and routers

Enhanced Network as a Sensor

Secure and manage your digital network in real time, all the time, everywhere

Industry’s first network with the ability to find threats in encrypted traffic without decryption

Avoid, stop, or mitigate threats faster than ever before | Real-time flow analysis for better visibility

[Diagram labels: Encrypted Traffic, Non-Encrypted Traffic]

C97-739122-02 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

A closer look at the science behind ETA

Encrypted traffic – mining usable information

[Diagram: encrypted sessions to https://1.2.3.4, https://123.123.123.123, https://234.234.234.234, https://22.33.44.55, https://21.21.21.21]

• TLS session properties: We can see the TLS session properties
• Channel behavior: We can see the channel behavior
• Domain identity (often): We (often) know the server

• HTTPS header contains several information-rich fields.

• Server name provides domain information.

• Crypto information educates us on client and server behavior and application identity.

• Certificate information is similar to whois information for a domain.

• And much more can be understood when we combine the information with global data.

Initial data packet

[Diagram: IP Header, TCP Header, TLS Header (TLS version, SNI (Server Name), Ciphersuites), Certificate (Organization, Issuer, Issued, Expires)]
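The TLS version, SNI and cipher suites named on this slide travel unencrypted in the ClientHello. The following added example (not code from the presentation or from Cisco's ETA implementation) parses them from a constructed ClientHello and flags weak offered suites; the names `Reader`, `parse_client_hello`, `build_sample` and the `WEAK` policy set are assumptions made for the example.

```python
import struct

# Suite IDs are from the IANA TLS registry; WEAK is an illustrative local policy.
SUITE_NAMES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
WEAK = {0x0005, 0x000A}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


class Reader:
    """Bounds-checked cursor over a byte string."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated TLS message")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, n):
        return int.from_bytes(self.take(n), "big")

    def vector(self, len_bytes):
        """Read a field prefixed by a length that is len_bytes bytes wide."""
        return self.take(self.uint(len_bytes))

    def done(self):
        return self.pos >= len(self.data)


def parse_client_hello(record):
    """Extract the unencrypted fields of a ClientHello held in one TLS record."""
    rec = Reader(record)
    if rec.uint(1) != 0x16:
        raise ValueError("not a TLS handshake record")
    rec.take(2)                                  # record-layer version
    hs = Reader(rec.vector(2))
    if hs.uint(1) != 0x01:
        raise ValueError("not a ClientHello")
    ch = Reader(hs.vector(3))
    version = ch.uint(2)                         # legacy field; TLS 1.3 also sends 0x0303
    ch.take(32)                                  # client random
    ch.vector(1)                                 # session id
    raw = ch.vector(2)
    suites = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw) - 1, 2)]
    ch.vector(1)                                 # compression methods
    sni = None
    exts = Reader(b"" if ch.done() else ch.vector(2))
    while not exts.done():
        ext_type, ext = exts.uint(2), Reader(exts.vector(2))
        if ext_type == 0x0000:                   # server_name extension
            names = Reader(ext.vector(2))
            while not names.done():
                name_type, name = names.uint(1), names.vector(2)
                if name_type == 0:               # host_name entry
                    sni = name.decode("ascii", "replace")
    return {
        "version": VERSIONS.get(version, hex(version)),
        "sni": sni,
        "cipher_suites": suites,
        "weak_offered": [SUITE_NAMES.get(s, hex(s)) for s in suites if s in WEAK],
    }


def build_sample(server_name, suites):
    """Constructed ClientHello used as sample input (not a capture)."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni = struct.pack("!H", len(entry)) + entry
    exts = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


SAMPLE = build_sample("portal.example.test", [0xC02F, 0x0005, 0x000A])

if __name__ == "__main__":
    print(parse_client_hello(SAMPLE))
```

In TLS 1.3 the server certificate is sent encrypted, so the certificate fields on the slide are observable on the wire only for TLS 1.2 and earlier sessions.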

Sequence of packet lengths and times

[Chart labels: Flow start, Time]

• Size and timing of the first packets allow us to estimate the type of data inside the encrypted channel.

• We can distinguish video, web, API calls, voice, and other data types from one another and characterize the source within the class.

Cisco’s threat intelligence map

Image: http://census2012.sourceforge.net/images.html

• Who’s who of the internet’s dark side

• Models use up to 20 features of 150 million malicious, risky, or otherwise security-relevant endpoints on the internet.

• These data features include domain data, whois data, TLS certificate data, usage statistics, and behavioral data for each server.


Finding malicious activity in encrypted traffic

• New Catalyst® 9000*: Enhanced NetFlow. Telemetry for encrypted malware detection and cryptographic compliance
• Cisco Stealthwatch® with Cognitive Analytics: Malware detection and cryptographic compliance

* ISR, ASR are supported

[Diagram labels: NetFlow, Metadata]

• Leveraged network: Enhanced NetFlow from Cisco’s newest switches and routers
• Faster investigation: Enhanced analytics and machine learning
• Higher precision: Global-to-local knowledge correlation
• Stronger protection: Continuous Enterprise-wide compliance

Cisco Catalyst 9000: The platform for the new era

First in enterprise
• x86 CPU with application hosting
• Programmable ASIC
• Software patching

Future-Proofed
• IEEE 802.11ax ready
• 100W PoE (IEEE 802.3bt) ready
• 25G Ethernet ready

Industry’s unmatched
• High availability
• Multigigabit density
• UPOE scale

SD-Access integrated | Converged ASIC | Single image | Common licensing

Security | IoT convergence | Cloud | Mobility

UADP 2.0

Cisco IOS® XE Software

Kanata R&D Team: 3rd Largest Cisco Engineering site worldwide

Catalyst 9000 - CRN's 2017 Products Of The Year

SDA - Show me the money

Summary – Innovation Across the Network. Intuitive.

From the Hardware … to the Software and Protocols, with Integrated Security … to the Whole Solution …

Cisco Innovations – In Hardware, Software, and Solutions – Tie It All Together

“From the Gates – to the GUI”

Innovation All The Way Up the Stack: Hardware, Software, and Solutions

Thank you.