
Post on 26-Aug-2018


Introducing Cisco Network Assurance Engine

Sundar Iyer, Distinguished Engineer Head Cisco Network Assurance Engine Team

Dhruv Jain, Director of Product Marketing Data Center Switching Business Unit

BRKACI-2403

Intent Based Networking for Data Centers

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session

How

1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

cs.co/ciscolivebot#BRKACI-2403

Network Assurance Engine (Candid) @ Cisco Live

• Why Continuous Assurance Will Transform Data Center Networks. Tuesday, Jan 30, 11:15 am to 12:45 pm [BRKACI-2403]
• Making Predictive Operations in Data Center Networks a Reality. Wednesday, Jan 31st, 1:15 pm to 2:15 pm [PSODCT-4590]
• Increase Operational Agility & SLAs in Modern ACI Data Centers
• Implementing Network Assurance in ACI Environments. Wednesday, Jan 31st, 5 pm to 5:45 pm [DEVNET-1699]
• Walk-in Lab. 9am-7pm [LABACI-2030]

Problem: DC Paradigms Are Fundamentally Reactive

Intent Frequently Breaks … / We Always React …

• Operational: Troubleshoot
• Security: Scramble to fix it
• Compliance: Fail audits
• Change: Undo changes

Leaving Us With … An Inability to Assure Intent Proactively

... Creating a Major Assurance Gap

• How can I have confidence that I haven’t made an error?
• How do I rapidly analyze the network to identify issues?
• How do I easily understand the state of my entire infrastructure?

[Diagram labels: Intent, Infrastructure, VM, Controllers]

Intent Assurance

The guarantee that the infrastructure is doing what you intended it to do

Intent Encompasses Data Center Operations

Configs, Changes, Routing, VMs, Security, … Compliance, Audits

Introducing Cisco Network Assurance Engine

Comprehensive, Intelligent, Continuous

• Based on mathematical models of the network
• Continuously verifies and validates the entire network
• Delivers the confidence that the network is operating correctly

Use Case & Benefits: Achieving Higher Operational Maturity, Faster

PREDICT THE IMPACT OF CHANGES

• Drive change agility
• Minimize human errors and eliminate configuration drift
• Accelerate migrations

PROACTIVELY VERIFY NETWORK-WIDE BEHAVIOR

• Ensure connectivity
• Proactively eliminate potential network outages or vulnerabilities
• Enhance SLAs

ASSURE NETWORK SECURITY POLICY AND COMPLIANCE

• Reduce security risk
• Achieve provable compliance by design, continuously

Cisco Network Assurance Engine: How It Works

• Data Collection: Captures all non-packet data: intent, policy, state across data center network
• Comprehensive Network Modeling: Mathematically accurate models spanning underlay, overlay and virtualization layers
• Intelligent Analysis: 5000+ domain knowledge-based error scenarios built-in, codified remediation steps

Stories from Customer Trials

PREDICT THE IMPACT OF CHANGES

• Challenge: Mainframe misconfiguration in DR site
• Potential Impact: Mainframe cluster inaccessible in case of fail-over event
• Benefit: Identify latent misconfigurations before outages happen; avoid $$ in lost revenue

PROACTIVELY VERIFY NETWORK-WIDE BEHAVIOR

• Challenge: Overlapping subnets due to routes leaked across VRFs
• Potential Impact: Connectivity loss for Skype VoIP and Video users
• Benefit: Continuous & proactive network-wide dynamic state analysis; save days in downtime

ASSURE NETWORK SECURITY POLICY AND COMPLIANCE

• Challenge: TCAM utilization hitting capacity, inefficient security policy definitions
• Potential Impact: Degraded security posture & inability to deploy policies
• Benefit: Identified 17,000 unused policies; surfaced opportunity for 20-70% TCAM optimization

User Interface: Centered Around “Smart Events”

• Change Management
• Compliance and Visualization
• Incident and Problem Management

Smart Events: What, Where, Why, and How

Demo: Network Security Policy Assurance

1. Use Case: Visualization, Search, Filters (Radial View, Green Arc)

2. Use Case: Compliance: Isolation (Disjointed Arcs)

3. Use Case: Incident Management (“Needle in the Haystack” – Red Arc)

4. Smart Events: with Human Readable Next Steps


Assure Network Security Policies & Compliance


Core Technology

Idea: Every device performs a mathematical transformation on a packet

[Diagram labels: Leaf1, Spine, Leaf2, FW; packet shown as Header + Data with bit strings 0110101 and 1000101]

We Can Build Comprehensive Mathematical Models of Network Behavior

What Can a Model Answer? Example: Tenant Security

Policies, TCAM Rules

Reduced Order Binary Decision Diagrams

[Diagram: decision diagram over variables x1, x2, x3 with terminal nodes 0 and 1]

Questions You Can Ask

• Who all can EPG-A talk to?
• Can EPG-A talk to EPG-B?
• Are any policies conflicting?
• Are policies aliased?
• Did upgrade to a new version change my existing security policy enforcement?
• Are the configured policies compliant?
• Which exact policy is violated?

Analyze millions of policies, answer questions in real-time
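The questions on this slide can be made concrete with a small model. The following is an added example, not code from the presentation or from Cisco: it replaces the binary decision diagram with exhaustive enumeration of a tiny 6-bit header space, and the bit encoding, EPG and port names, and rule table are all constructed for illustration.

```python
from itertools import product

# Constructed 6-bit header: 2 bits source EPG, 2 bits destination EPG, 2 bits port class.
EPG = {"A": "00", "B": "01", "C": "10"}
PORT = {"http": "00", "ssh": "01", "db": "10"}
HEADERS = ["".join(b) for b in product("01", repeat=6)]
# Constructed first-match table: (name, ternary pattern, action); '*' matches either bit.
RULES = [
    ("a-b-http",     "000100", "permit"),
    ("a-b-block",    "0001**", "deny"),
    ("a-b-http-dup", "000100", "permit"),  # same match as a-b-http: never hit
    ("a-b-ssh",      "000101", "permit"),  # hidden behind a-b-block: never hit
    ("b-c-db",       "011010", "permit"),
    ("default-deny", "******", "deny"),
]

def match(pat, hdr):
    return all(p in ("*", h) for p, h in zip(pat, hdr))

def enforced(rules):
    """The model: for every header, the (name, action) of the first matching rule."""
    return {h: next(((n, a) for n, p, a in rules if match(p, h)),
                    ("implicit-deny", "deny")) for h in HEADERS}

def allowed_ports(rules, src, dst):
    """Can src talk to dst, and on which port classes?"""
    model = enforced(rules)
    return {port for port, code in PORT.items()
            if model[EPG[src] + EPG[dst] + code][1] == "permit"}

def peers(rules, src):
    """Who can src talk to at all?"""
    return {dst for dst in EPG if dst != src and allowed_ports(rules, src, dst)}

def unused(rules):
    """Rules that win for no header (aliased or shadowed); they only consume TCAM."""
    winners = {name for name, _ in enforced(rules).values()}
    return [n for n, _, _ in rules if n not in winners]

def conflicting(rules):
    """Unused rules whose action disagrees with what is enforced on a header they match."""
    model, dead = enforced(rules), unused(rules)
    return [n for n, p, a in rules if n in dead
            and any(match(p, h) and model[h][1] != a for h in HEADERS)]

def changed(old, new):
    """Headers whose enforced action differs between two tables (e.g. across an upgrade)."""
    before, after = enforced(old), enforced(new)
    return sorted(h for h in HEADERS if before[h][1] != after[h][1])
```

Removing the rules reported by `unused` leaves `changed` empty, which is the check that makes a TCAM clean-up safe; removing `a-b-block` instead exposes the hidden `a-b-ssh` permit.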

Comprehensive | Intelligent | Continuous

Demo: Network Assurance Engine


User Interface: Dashboard with “Smart Events”


Transforming Change Management with NAE


De-Risk Changes, Increase Change Agility

• Automated Gold Standard
• Faster Approval Cycles
• Dramatically Reduce # of Changes Reqd.
• Reduce Risk of Outage
• Faster, Confident Change Cycles
• Drastically Reduce Outages

ROADMAP

• Make Changes in Test Env.
• Verify Instantly with Candid
• Present Report to CAB
• Make Changes in Production
• Verify Instantly with Candid
• Model Changes in Candid
• Multiple Changes, Long Windows
• Shrink Change Windows
• Long CAB Approval Process
• Analyze Configs, Verify in Candid
• Push Changes to Production

Tenant End-point Assurance

• Analyze
  • Static configurations of VLANs, IPs, MACs ..
  • Dynamic EP Learning, Mobility, …
  • EP Connectivity, Communication …
• Common issues found
  • Duplicate IPs: human error, NIC teaming, migrations, …
  • DHCP errors
  • EPs deployed against leafs without BD subnet
  • EP table consistency across fabric …

Tenant Forwarding Assurance

Network Audit Trail with Candid Timeline: DVR for Network State, Connectivity, Issues

What Makes Us Different?

• Comprehensive: Capture, analyze and correlate entire network state: switch configurations + hardware data-plane state
• Intelligent: 5000+ built-in failure scenarios, powering Smart Events with remediation steps
• Continuous: Runs Continuously. Near real-time: collection, modeling, analysis

Early Customers: Impact & Feedback

• Customer Fabrics Analyzed: 40+
• Critical / Major Issues Found: 1500+
• Potential Outages Detected Proactively: 35+

“The User Interface is professional and easy to use.”

“The ease of getting started is pretty fantastic.”

“…quickly pointed out things we should resolve. …very impressed...”

Vision: Assurance Everywhere. Cross Platform, Multi-cloud

• Available Now: ACI Data Center Fabric
• Available 2018: Cross-platform; Network Integration Firewall; Virtual Machine Manager
• Integration with Operations Toolchains
• Under Certification

Cisco Network Assurance Engine

• Deployment Model: No sensors; Read only credentials
• Time to Value: 30 mins to deploy; 60 mins to value
• Form Factors: Software only OVA; Lightweight: 3 VMs (v1.0)

Available Now | 30 Day Free Trial | Subscription Licensing

Intent-Based Data Center

• Network Assurance Engine: Intent Assurance. Configuration Analysis (“Very Large State-Space”). Guarantees, Compliance, Consistency
• Tetration: Analytics. Traffic Analysis (“Lots of Data”). ADM, Monitoring, Forensics
• Policy

Thank you


Complete Your Online Session Evaluation

• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.

Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Tetration Hands-on Lab from Deployment to Operations [LTRACI-2184]

• Whitelist policy and security enforcement through Tetration Analytics [LABACI-2020]

• An Introduction to Tetration and Policy Deployment [LABDCN-1206]

• Tech Circle

• Meet the Engineer 1:1 meetings

• Related sessions
