Forward Networks - Networking Field Day 13 presentation

NETWORKING FIELD DAY 13, November 17th, 2016, David Erickson, PhD, CEO & Co-Founder

Upload: andrew-wesbecher

Post on 13-Apr-2017


TRANSCRIPT

Page 1: Forward Networks - Networking Field Day 13 presentation

NETWORKING FIELD DAY 13

November 17th, 2016

David Erickson, PhD

CEO & Co-Founder

Page 2: Forward Networks - Networking Field Day 13 presentation

AGENDA

+ An Introduction to Forward Networks

+ Platform Demo

+ Use Case: Outage Diagnosis & Resolution

+ Use Case: Network Auditing

+ Closed Session

Page 3: Forward Networks - Networking Field Day 13 presentation

Today’s Networks – Large, Complex, & Heterogeneous

Thousands of devices

+ Switches
+ Routers
+ Load balancers
+ Firewalls

Millions of rules

+ IPv4 routes
+ ACLs
+ MAC tables
+ Spanning tree
+ NAT
+ VLAN
+ Multicast
+ PBR

Dozens of vendors

+ Cisco
+ Arista
+ HPE
+ Fortinet
+ Juniper
+ F5
+ Palo Alto
+ Checkpoint

Page 4: Forward Networks - Networking Field Day 13 presentation

Network Operations – Manual & Error Prone

Manual Operations

+ Device-by-device management
+ Limited end-to-end visibility
+ Hard to debug & test

Inadequate Tooling

+ Lack of innovation in tooling
+ Solutions are 20+ years old
+ Ping, traceroute, SNMP, etc.

High Rate of Error

+ Networks rife with misconfiguration
+ 80% of outages caused by error [1]
+ 50% due to change config issues [2]

[1], [2] Gartner Group, Top Seven Considerations for Configuration Management for Virtual and Cloud Infrastructures, 2010

Page 5: Forward Networks - Networking Field Day 13 presentation

Business Impacting

Expensive to Repair

Brand-Damaging

Network Failures & Data Center Outages

Page 6: Forward Networks - Networking Field Day 13 presentation

NETWORK ASSURANCE

Reducing the complexity of networks while eliminating the human error, misconfiguration, and policy violations that lead to outages.

Page 7: Forward Networks - Networking Field Day 13 presentation

Unorganized real world data

Own data model of real world

Apps on top using data model

Revolutionary algorithm

SEARCH | VERIFY | API | PREDICT

A NEW APPROACH TO NETWORK OPERATIONS

Page 8: Forward Networks - Networking Field Day 13 presentation

Unorganized real world data

Own data model of real world

Apps on top using data model

Revolutionary algorithm

SEARCH | VERIFY | API | PREDICT

THE FORWARD PLATFORM

A NEW APPROACH TO NETWORK OPERATIONS

Page 9: Forward Networks - Networking Field Day 13 presentation

SEARCH VERIFY PREDICT

THE FORWARD PLATFORM

CAPABILITIES OVERVIEW

Page 10: Forward Networks - Networking Field Day 13 presentation

THE FORWARD PLATFORM

CAPABILITIES OVERVIEW

SEARCH

What is my network’s behavior? Index your network and search your devices and behavior on top of an interactive topology.

VERIFY

Is it doing what it should? Validate network correctness and audit your network for compliance & security.

PREDICT

Will this change work? Simulate configuration changes to ensure they are correct and secure before rolling into production.

Page 11: Forward Networks - Networking Field Day 13 presentation

Customer Network

Forward Applications

PLATFORM ARCHITECTURE

Page 12: Forward Networks - Networking Field Day 13 presentation

PLATFORM DEMO

Brandon Heller, PhD

CTO & Co-Founder

Page 13: Forward Networks - Networking Field Day 13 presentation

What we don’t do: Observed Traffic

- Interface Counters
- Flow Counters (NetFlow)
- Sampled Counters (sFlow)
- Probes (Ping, Traceroute)

What we do: All Potential Traffic

+ Packet In -> Packet Out (and all details) (for any packet, seen or not)

Page 14: Forward Networks - Networking Field Day 13 presentation

USE CASE

Network Outage and Resolution

Behram Mistree, PhD

Product Engineer

Page 15: Forward Networks - Networking Field Day 13 presentation

NETWORK

[Network diagram: CLIENT, SJCCE, SEA, LAX, MIA, LGA, IAD, SERVER (18.10.11.2)]

Page 17: Forward Networks - Networking Field Day 13 presentation

ROBUST CONNECTIVITY BETWEEN CLIENT AND SERVER WANTED

[Network diagram: CLIENT, SJCCE, SEA, LAX, MIA, LGA, IAD, SERVER (18.10.11.2)]

Page 18: Forward Networks - Networking Field Day 13 presentation

REQUIREMENTS

1. Traffic should flow from CLIENT to SERVER
2. Traffic should take multiple paths from CLIENT to SERVER
3. Traffic should flow on all interfaces in a port channel

[Network diagram: CLIENT, SJCCE, SEA, LAX, MIA, LGA, IAD, SERVER (18.10.11.2)]

Page 22: Forward Networks - Networking Field Day 13 presentation

IS YOUR NETWORK WORKING?

Page 23: Forward Networks - Networking Field Day 13 presentation

Traditional Approach

FORWARD VERIFY™

IS YOUR NETWORK WORKING?

Page 24: Forward Networks - Networking Field Day 13 presentation

TRADITIONAL APPROACH

[Network diagram: CLIENT, SJCCE, SEA, LAX, MIA, LGA, IAD, SERVER (18.10.11.2)]

1. Traffic should flow from CLIENT to SERVER
2. Traffic should take multiple paths from CLIENT to SERVER
3. Traffic should flow on all interfaces in a port channel

Page 25: Forward Networks - Networking Field Day 13 presentation

IS YOUR NETWORK WORKING?

Traditional Approach

+ Traffic can flow: ping 18.10.11.2
+ Multiple paths: show route
+ Port channels: show lacp interfaces

FORWARD VERIFY™

Page 26: Forward Networks - Networking Field Day 13 presentation

FORWARD VERIFY™

[Network diagram: CLIENT, SJCCE, SEA, LAX, MIA, LGA, IAD, SERVER (18.10.11.2)]

1. Traffic should flow from CLIENT to SERVER
2. Traffic should take multiple paths from CLIENT to SERVER
3. Traffic should flow on all interfaces in a port channel

Page 28: Forward Networks - Networking Field Day 13 presentation
Page 29: Forward Networks - Networking Field Day 13 presentation

REQUIREMENTS

[Network diagram: CLIENT, SJCCE, SEA, LAX, MIA, LGA, IAD, SERVER (18.10.11.2)]

1. Traffic should flow from CLIENT to SERVER
2. Traffic should take multiple paths from CLIENT to SERVER
3. Traffic should flow on all interfaces in a port channel

Page 30: Forward Networks - Networking Field Day 13 presentation

REPLACE INTERFACE ON LAX

[Network diagram: CLIENT, SJCCE, SEA, LAX, MIA, LGA, IAD, SERVER (18.10.11.2)]

Page 31: Forward Networks - Networking Field Day 13 presentation

REPLACE INTERFACE ON LAX

1. Set ISIS overload bit

[Network diagram: CLIENT, SJCCE, SEA, LAX, MIA, LGA, IAD, SERVER (18.10.11.2)]

Page 32: Forward Networks - Networking Field Day 13 presentation

REPLACE INTERFACE ON LAX

1. Set ISIS overload bit
2. Replace line card

[Network diagram: CLIENT, SJCCE, SEA, LAX, MIA, LGA, IAD, SERVER (18.10.11.2)]

Page 33: Forward Networks - Networking Field Day 13 presentation

REPLACE INTERFACE ON LAX

1. Set ISIS overload bit
2. Replace line card
3. Verify

[Network diagram: CLIENT, SJCCE, SEA, LAX, MIA, LGA, IAD, SERVER (18.10.11.2)]

Page 34: Forward Networks - Networking Field Day 13 presentation

VERIFICATION COMPARISON

Traditional Approach

1. Check port channel up
2. Ping LAX to SERVER
3. Ping LAX to CLIENT

FORWARD VERIFY™

1. Single button press

TRANSIT TRAFFIC DISALLOWED

TRANSIT TRAFFIC DISALLOWED

✔ Fixed

Page 35: Forward Networks - Networking Field Day 13 presentation

VERIFICATION COMPARISON

Traditional Approach

[Network diagram: CLIENT, SJCCE, SEA, LAX, MIA, LGA, IAD, SERVER (18.10.11.2)]

FORWARD VERIFY™

[Network diagram: CLIENT, SJCCE, SEA, LAX, MIA, LGA, IAD, SERVER (18.10.11.2)]

Latent misconfiguration

Page 38: Forward Networks - Networking Field Day 13 presentation

FORWARD VERIFY™

PREVENTS OUTAGES

Instantly see failing checks during service window

Fix network issues as soon as they appear

SIMPLIFIES DIAGNOSIS

Using historical snapshots, we could reconstruct where traffic was going, what had changed, and why

Page 39: Forward Networks - Networking Field Day 13 presentation

USE CASE

Network Audit

Behram Mistree, PhD

Product Engineer

Page 40: Forward Networks - Networking Field Day 13 presentation

FORWARD’S MISSION

We want to help you build networks that work and that you can trust because you’ve verified them

FORWARD VERIFY™

PREDEFINED CHECKS

Page 41: Forward Networks - Networking Field Day 13 presentation

AUDITING WITH PREDEFINED CHECKS LEADS TO SAFER NETWORKS

Page 42: Forward Networks - Networking Field Day 13 presentation

AUDITING WITH PREDEFINED CHECKS LEADS TO SAFER NETWORKS

CLASSIC DC | SPINE LEAF

Page 43: Forward Networks - Networking Field Day 13 presentation

CLASSIC DC

“UPTIME BANK” SERVERS

Peer

Core

Aggregation

Access

Page 44: Forward Networks - Networking Field Day 13 presentation

CVE-2016-7810XXX

CVE-ID: CVE-2016-7810XXX
DATE: 20161117
REFERENCES: http://example.com
DESCRIPTION:

Page 45: Forward Networks - Networking Field Day 13 presentation

CVE-2016-7810XXX

CVE-ID: CVE-2016-7810XXX
DATE: 20161117
REFERENCES: http://example.com
DESCRIPTION: Your switch has a massive security vulnerability

Page 46: Forward Networks - Networking Field Day 13 presentation

CLASSIC DC

“UPTIME BANK” SERVERS

Peer

Core

Aggregation

Access

Both need upgrade

Page 47: Forward Networks - Networking Field Day 13 presentation

CLASSIC DC

“UPTIME BANK” SERVERS

Peer

Core

Aggregation

Access

AGG-1-0

AGG-1-1

ACC-1-1

VRRP

Page 48: Forward Networks - Networking Field Day 13 presentation

LIVE DEMO

Page 49: Forward Networks - Networking Field Day 13 presentation

WHAT’S HAPPENING

“UPTIME BANK” SERVERS

Server Down? Interfaces Down? Spanning Tree?

Guesswork starts

AGG-1-0

AGG-1-1

ACC-1-1

IGP Issues? Peering Issue? Application Down?

“I don’t know!”

VRRP

Page 50: Forward Networks - Networking Field Day 13 presentation

AUDITING WITH PREDEFINED CHECKS LEADS TO SAFER NETWORKS

CLASSIC DC | SPINE LEAF

Page 51: Forward Networks - Networking Field Day 13 presentation

Peer

Border

Spine

Leaf

SPINE LEAF

SPINE-1

LEAF-1

SPINE-0

Page 52: Forward Networks - Networking Field Day 13 presentation

SPINE LEAF

Peer

Border

Spine

Leaf

“UPTIME BANK” SERVERS

SPINE-1

LEAF-1

SPINE-0

Page 53: Forward Networks - Networking Field Day 13 presentation

SPINE LEAF

Peer

Border

Spine

Leaf

“UPTIME BANK” SERVERS

Needs reboot to install firmware

Page 54: Forward Networks - Networking Field Day 13 presentation

AUDITING WITH PREDEFINED CHECKS LEADS TO SAFER NETWORKS

Check | TODAY | FORWARD VERIFY™
VLAN Consistency | ✘ outage | ✔ prevents outage
MTU Consistency | ✘ outage | ✔ prevents outage

Page 55: Forward Networks - Networking Field Day 13 presentation

AUDITING WITH PREDEFINED CHECKS LEADS TO SAFER NETWORKS

Check | TODAY | FORWARD VERIFY™
VLAN Consistency | ✘ outage | ✔ prevents outage
MTU Consistency | ✘ outage | ✔ prevents outage
Duplex Consistency | ✘ outage | ✔ prevents outage
Link Speed Consistency | ✘ outage | ✔ prevents outage
No Forwarding Loop | ✘ outage | ✔ prevents outage
Port Channel Consistency | ✘ outage | ✔ prevents outage
Shortest Path | ✘ outage | ✔ prevents outage
Trunk Whitelist | ✘ outage | ✔ prevents outage
IP Address Uniqueness | ✘ outage | ✔ prevents outage
VLAN Existence | ✘ outage | ✔ prevents outage

Page 56: Forward Networks - Networking Field Day 13 presentation

I WILL NEVER TRUST A NETWORK …

There is no such thing as a network that works, just a network that hasn’t broken yet

Page 57: Forward Networks - Networking Field Day 13 presentation

www.forwardnetworks.com @fwdnetworks