
Upload: phungdat

Post on 14-Sep-2018


Page 1: Optimizing Enterprise Networks through SD-AVC · Optimizing Enterprise Networks through SD-AVC (Software Define Application Visibility and Control) Guy Keinan BRKCRS-2502

Optimizing Enterprise Networks through SD-AVC (Software Define Application Visibility and Control)

Guy Keinan

BRKCRS-2502


© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session

1. Find this session in the Cisco Live Mobile App

2. Click “Join the Discussion”

3. Install Spark or go directly to the space

4. Enter messages/questions in the space

How

cs.co/ciscolivebot#BRKCRS-2502


Guy Keinan SW Development Manager

NBAR2 & SD-AVC


Agenda

• Introduction

• Why?

• NBAR2

• SD-AVC

• Q&A

• Homework

• Wrap up


Unprecedented Demands on the Network

• Digital Disruption: Lack of Business and IT Insights. 63 million new devices online every second by 2020 (1)

• Complexity: Slow and Error Prone Operations. 3X spend on network operations vs network (2)

• Security: Unconstrained Attack Surface. 6 months to detect breach (3)

1. Gartner Report - Gartner’s 2017 Strategic Roadmap for Networking

2. McKinsey Study of Network Operations for Cisco – 2016

3. Ponemon Research Institute Study on Malware Detection, Mar 2016


Main Operational Challenges

Traditional Networking CANNOT Keep Pace with the Demands of Digital Business

• 75%: OpEx spent on Network Visibility and Troubleshooting

• 70%: Policy Violations Due to Human Error

• 95%: Network Changes Performed Manually

Source: 2016 Cisco Study


Cisco Application Recognition

SD-AVC/NBAR2 Application Recognition Fuels several core solutions:

Cisco SD-WAN

Cisco EasyQoS

Assurance

Security

The Network. Intuitive.


NBAR2


Cisco Application Recognition

• NBAR2 is a powerful Network Based Application Recognition Engine

• A complete remake

• Variety of features: Pack hitless upgrade, attributes, sub-cls & more...

• Wide Cross pin support (same code everywhere):

  • Routers: ISR4K, ASR1K, CSR1K, ISRv, ISR1100, ISRG2

  • Switches: Cat3K, Cat9K

  • Wireless: AireOS WLC, IOS APs 5520/8540, NG APs 3800/1850

  • NAM


NBAR2 Classification – Main things to keep in mind

Stateful classification per session (5 tuple flow)

Not only Deep Packet Inspection (DPI) … but a combination of different techniques:

- DNS snooping
- Statistical classification (Machine Learning)
- Behavioral classification
- Learning of main services and servers
- Customization

Slow-Path and Fast-Path Model


Application Recognition – Rising Challenges


The Cisco Live US 2017 Challenge


NBAR2/SD-AVC @ CLUS17

Encrypted Apps

With NBAR2 – this is what we DID see


Cisco Application Recognition – CLUS ‘17

• Less than 1% unknown

• Less than 1% unclassified encrypted traffic

• 10G of traffic in less than 14% CPU utilization (ASR1002-HX)

Very good classification for encrypted traffic, in pretty good performance


Ready to Dive?


NBAR2 Classification – A bit of terminology

• Flow == A session. Identified by 5 tuple (src IP, src Port, dst IP, dst Port, vrf)

• Socket == Identified by 3 tuple (dst IP, dst Port, vrf). Usually a server

• FIF == First packet In the Flow

• Bypass == No processing, just quick forwarding


NBAR2 Classification – HL overview

Slow Path:

• Classifies the flow, based on packet processing
• Potentially first packet (First In Flow – FIF classification)
• Programs the Fast Path with classification result

Fast Path:

• Completely bypasses NBAR2 processing
• Uses the programmed classification

[Diagram labels: Slow Path (NBAR2); Fast Path (Flow Table); ~95%; ~5%]


NBAR2 Classification Simplified (Slow Path)

Stages: FIF, Payload, Advanced

• Cache
• Provisioned L3/4
• SD-AVC

More than 80% of the flows


NBAR2 Classification Simplified

Stages: FIF, Payload, Advanced

• Pattern matching
• Multi-packet

Cache Result


NBAR2 Classification Simplified

Stages: FIF, Payload, Advanced

• Machine Learning
• Behavioral
• Cross Flow

Cache result


NBAR2 Classification – Detailed

[Diagram: slow-path classification stages and engines. Stage labels: FIF only (1); first payload only (2); multi-packet (3). Component labels: Flow Table; IP Cache; Pre-Flow; Socket cache; L3/L4; Custom; NBAR bypass mng; WKP Entry; Heuristic logic; Custom; WKP-payload; Single-Packet Engine (SPE); statistical; IANA; listener; Multiprotocol Text Parser (MTP); Multi-Packet Engine (MPE); Cross flow; Look-Up Table or VM; App tracker. Legend: on fail; success; success/fail; engine; helper.]

WKP = Well Known Packet


NBAR2 Classification – Detailed Flow

[Diagram: the detailed classification diagram annotated with packet flow. Stage labels: FiF; FIF only (1); first payload only (2); multi-packet (3); Payload packets. Component labels: Flow Table; Cache; Socket cache; L3 LUT; L3/L4; DNS-AS Bundle; WKP; Heuristic logic; Custom; WKP-payload; SPE; statistical; IANA; listener; MTP; MPE; Cross flow; LUT or VM; App tracker; NBAR bypass mng. Annotations: Processing; Set for current flow; Store for next packets; Store for future flows. Legend: on fail; success; success/fail; engine; helper.]


NBAR2 Socket Cache Classification - Example

• Flow to MySQL server 10.10.10.1:3306, classified as MySQL: full classification + learning the socket

• Cache in Socket-Cache:

Dst IP | Dst Port | Application
10.10.10.1 | 3306 | MySQL

• Flow to MySQL server 10.10.10.1:3306 with the socket cached: No processing. Using cache!

• Re-validate the socket every time interval
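The socket-cache behaviour in the slides above, modelled as an added example (not code from the deck or from Cisco). The 300-second interval, the toy payload classifier and the sample payloads are assumptions made for the illustration; the point it shows is that a cached (dst IP, dst port, vrf) entry is trusted without inspection only until the re-validation interval expires.

```python
import time

# Constructed sample payloads for the demo (not captured traffic).
MYSQL_GREETING = b"\x0a" + b"8.0.0\x00" + b"mysql_native_password\x00"
SSH_BANNER = b"SSH-2.0-example\r\n"


def toy_full_classify(payload):
    """Stand-in for the slow-path engines. These are NOT NBAR2 signatures."""
    if b"mysql_native_password" in payload:
        return "mysql"
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    return None


class FakeClock:
    """Settable clock so the re-validation interval can be exercised offline."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class SocketCache:
    """Maps the 3-tuple (dst IP, dst port, vrf) to an application name."""

    def __init__(self, full_classify, revalidate_after=300.0, clock=time.monotonic):
        self._classify = full_classify
        self._interval = revalidate_after      # assumed value, see lead-in
        self._clock = clock
        self._entries = {}                     # key -> (app, validated_at)
        self.stats = {"cache_hit": 0, "full": 0, "revalidated": 0, "changed": 0}

    def classify_flow(self, dst_ip, dst_port, vrf, payload):
        key = (dst_ip, dst_port, vrf)
        now = self._clock()
        entry = self._entries.get(key)
        # Fresh entry: classify on the first packet with no payload processing.
        if entry is not None and now - entry[1] < self._interval:
            self.stats["cache_hit"] += 1
            return entry[0], "socket-cache"
        # No entry, or the interval expired: run full classification again.
        app = self._classify(payload)
        if entry is None:
            self.stats["full"] += 1
        else:
            self.stats["revalidated"] += 1
            if entry[0] != app:
                self.stats["changed"] += 1     # the socket now serves something else
        if app is None:
            self._entries.pop(key, None)       # never cache an unknown result
        else:
            self._entries[key] = (app, now)
        return app, "full-classification"


def socket_cache_demo():
    clock = FakeClock()
    cache = SocketCache(toy_full_classify, revalidate_after=300.0, clock=clock)
    results = [cache.classify_flow("10.10.10.1", 3306, "global", MYSQL_GREETING)]
    clock.now = 10.0
    # Second flow: first packet only, no payload yet. Served from the cache.
    results.append(cache.classify_flow("10.10.10.1", 3306, "global", b""))
    # Same IP and port in another VRF is a different socket: no cache hit.
    results.append(cache.classify_flow("10.10.10.1", 3306, "guest", b""))
    clock.now = 400.0
    # Interval expired and the server behind the socket changed.
    results.append(cache.classify_flow("10.10.10.1", 3306, "global", SSH_BANNER))
    return results, cache.stats


if __name__ == "__main__":
    for row in socket_cache_demo()[0]:
        print(row)
```

Between re-validations the cached label is applied to any traffic sent to that socket, so the interval bounds how long a stale or wrong classification can drive policy.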


Classification and Encryption


NBAR2/SD-AVC Encrypted traffic – techniques

Outside the organization (usually non collaborative):

• SSL handshake analysis – certificate, Server Name Indication (SNI)
• DNS traffic analysis
• Machine learning/Statistical classification

Inside the organization (usually collaborative):

• Customization of SSL certificates and DNS domains
• Server and client discovery based on NBAR2
• SD-AVC External Sources (more on this later…)

NBAR2 Encryption Classification

Automatic (Signature):

"(.*[.])?((youtube(-nocookie)?|ytimg|googlevideo)[.]com)|youtu[.]be"

Custom:

cisco(config)#ip nbar custom CCSOC composite server-name "*ccsocdev.net"


NBAR2 DNS Classification - Example

• DNS Request [cisco.webex.com] to the DNS server: regex pattern matching (Webex)

• DNS Response [10.10.10.1]: stored in the IP Cache

IP | Application
10.10.10.1 | webex

• Encrypted first packet to 10.10.10.1: classified as Webex from the IP Cache
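The DNS-snooping sequence above and the signature regex quoted on the earlier slide, worked through as an added example (not code from the deck or from Cisco). The YouTube pattern is the one shown in the deck; the Webex pattern, the TTL-based expiry and all class and function names are assumptions of this sketch. It matches the whole host name rather than a substring, so a name that merely contains a signature string is not labelled.

```python
import re

SIGNATURES = {
    # Pattern quoted on the "NBAR2 Encryption Classification" slide.
    "youtube": re.compile(
        r"(.*[.])?((youtube(-nocookie)?|ytimg|googlevideo)[.]com)|youtu[.]be"),
    # Assumed pattern for this example only; not a Cisco signature.
    "webex": re.compile(r"(.*[.])?webex[.]com"),
}


def normalize(name):
    return name.rstrip(".").lower()


def match_app(name):
    """Return the application whose pattern matches the entire host name."""
    host = normalize(name)
    for app, pattern in SIGNATURES.items():
        if pattern.fullmatch(host):      # fullmatch: no partial/substring hits
            return app
    return None


class DnsIpCache:
    """Learns IP -> application from observed DNS traffic."""

    def __init__(self):
        self._pending = {}               # queried name -> application
        self._by_ip = {}                 # IP -> (application, expires_at)

    def on_query(self, name):
        app = match_app(name)
        if app is not None:
            self._pending[normalize(name)] = app
        return app

    def on_response(self, name, addresses, ttl, now):
        # Only answers to a name that matched a signature populate the cache.
        app = self._pending.pop(normalize(name), None)
        if app is None:
            return 0
        for ip in addresses:
            # Assumption: the entry lives no longer than the DNS TTL.
            self._by_ip[ip] = (app, now + ttl)
        return len(addresses)

    def classify_first_packet(self, dst_ip, now):
        hit = self._by_ip.get(dst_ip)
        if hit is None:
            return None
        app, expires_at = hit
        if now >= expires_at:
            del self._by_ip[dst_ip]      # stale mapping: fall back to other engines
            return None
        return app


def dns_demo():
    cache = DnsIpCache()
    cache.on_query("cisco.webex.com")
    cache.on_response("cisco.webex.com", ["10.10.10.1"], ttl=60, now=0)
    return (
        cache.classify_first_packet("10.10.10.1", now=5),    # encrypted first packet
        cache.classify_first_packet("10.10.10.1", now=120),  # after TTL expiry
        cache.classify_first_packet("10.10.10.2", now=5),    # never resolved
    )


if __name__ == "__main__":
    print(dns_demo())
```

The cache is only as trustworthy as the DNS answers the device observes, and an address shared by several services inherits whichever label was learned last.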


NBAR2 Encrypted Traffic Classification Summary

• Most of the traffic is encrypted traffic and is SSL/TLS

• Testing shows more than 80% of SSL traffic is classified by NBAR2

• All major internet/cloud applications are supported

  • Hundreds of applications

• NBAR2 classifies both cloud and local encrypted traffic

• NBAR2/SD-AVC use a variety of techniques to classify encrypted traffic


Performance


NBAR2 Performance Optimization Techniques

• Optimized C code engines

• Optimized processing

• skips most of the traffic

• Wise caching techniques

• we’ve added many of these…

• NBAR2 Default (Performance-Optimized) Mode: Application Classification

• Supported on all platforms

• NBAR2 Fine-Grain Mode: Analytics (Deep DPI)

• Supported on routers-only


NBAR2 Performance Testing Results

Validated in real live networks and tested on Enterprise Traffic Mix (EMIX) benchmark

[Chart label: Fast Path]


NBAR2 Performance Ongoing Improvements

Based on a generic Enterprise Traffic Mix (EMIX)

40% Improvement in just 2 releases


NBAR2 Protocol Discovery Performance

• Most XE routers: Line rate in working point of 70% CPU utilization

• 9300: 2000 CPS, 10,000 bi-directional flows for each 24 ports. CPU at ~50% (HTTP profile)


Application Recognition: NBAR Evolution

[Chart; vertical axis: No. of Apps/Domains Recognized]

• Pre-NBAR: Standard Port based

• NBAR Version 1: 100s of Apps. DPI, Signatures, Custom Apps

• NBAR Version 2: ~1500 Apps, ~150 Encrypted Apps. DPI, Signatures, Custom Apps. Heuristic, Statistical + Behavioral

• SD-AVC: Network Level Analytics, External Sources


Application Recognition at Network Level

SD-AVC


Why SD-AVC?

• Useful and easy Application BW monitoring at a network level

• Better application recognition in asymmetric environments

• Better application recognition for encrypted applications

• Better first packet classification for path selection and marking policies

• Improved performance

• Automatic protocol pack deployment at a network level

• Serviceability and troubleshooting tools for application recognition issues

Key for Cisco solutions such as SD-WAN, EasyQoS, Assurance.


Why SD-AVC?

Reduce Operational Complexity

Improve Application Visibility & Policy Efficiency


SD-AVC – HL Concept

[Diagram labels: SD-AVC; Analytics & Telemetry; Service automation; ASR1001x; ASR1001x; Catalyst 3850; DNS; MS Office365]


What is SD-AVC?

A network service which ensures Application recognition for visibility, Analytics and application based policy solutions.

• Analytics processing at a network level

• Synchronizing application state between network nodes

• Serves as a gateway for external sources, provisioning into Cisco Network

• Auto-learning and auto-signature algorithms

• Provides pack update capability at a network level for thousands of devices


What is SD-AVC? Current form factor

• Hosted on IOS-XE devices using Linux container (LXC) as a virtual-service (Future: DNA-C)

• 3G RAM and 4 CPUs – Serve more than 6K devices


How Does SD-AVC work? (Basics)

• SD-AVC defines Sensors and Consumers in the network data plane

• Sensors are network devices (with NBAR2) that produce classification information and export it to the SD-AVC network service

• Up to 2Kbps for a small branch router

• Consumers are network devices that consume classification information from the SD-AVC network service

• A network device can be a sensor, a consumer or both


How Does SD-AVC work? (Basics)

• Sensors with NBAR2 classify traffic & cache results in the form of Application Rules

• Application Rule is defined as an L3/L4 to App-ID mapping

• Application Rule Example:


id | IP | port | L4 | vrf-id | vrf name | app-id | eng-id | sel-id | app-name | #hits | black | weight| rating

==============================================================================================================================

0 | 64.103.117.145 | 5902 | TCP | 0 | global | 100 | 13 | 100 | vnc | 1 | no | 69 | 1


How Does SD-AVC work? (Basics) cont.

• The SD-AVC service compiles application rules received from the different network sensors (as well as external authoritative sources)

• The service generates an Application Rules Pack

• Consumers pull the application rules pack from the SD-AVC service and install the application rules in their data-plane

• On-device classification is enhanced with the newly installed SD-AVC application rules

• This process is periodic
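The sensor, service and consumer cycle described above, sketched as an added example (not code from the deck or from Cisco). It parses rule tables in the pipe-delimited layout this deck uses for its socket listings, compiles them into one rules pack, and lets a consumer classify a flow on its first packet. Assumptions of this sketch: rows whose `black` column is not `no` are not installed, rules on which sensors disagree are held back, the consumer checks both endpoints of a flow, and unclassified traffic defaults to the Internet path.

```python
# Rows 1 and 4 are copied from the deck's "Exported sockets" listing; row 5
# and the whole hub table are constructed for this example.
BR1_EXPORT = """\
id | IP | port | L4 | vrf-id | vrf name | app-id | eng-id | sel-id | app-name | black |
===========================================================================================
1 | 179.36.9.210 | 5901 | TCP | 2 | Mgt | 100 | 13 | 100 | vnc | no |
4 | 176.70.168.183 | 443 | TCP | 2 | Mgt | 1306 | 13 | 414 | webex-meeting | no |
5 | 192.0.2.10 | 8443 | TCP | 2 | Mgt | 1306 | 13 | 414 | webex-meeting | no |
"""
HUB_EXPORT = """\
id | IP | port | L4 | vrf-id | vrf name | app-id | eng-id | sel-id | app-name | black |
===========================================================================================
1 | 192.0.2.10 | 8443 | TCP | 2 | Mgt | 100 | 13 | 100 | vnc | no |
2 | 192.0.2.20 | 22 | TCP | 2 | Mgt | 0 | 0 | 0 | ssh | yes |
"""

PATH_POLICY = {"webex-meeting": "MPLS"}   # the deck's "Path Policy: Webex => MPLS"
DEFAULT_PATH = "Internet"                 # assumed default for unclassified flows


def parse_rules(text):
    """Parse a pipe-delimited rule table into a list of dicts keyed by header."""
    header, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or set(line) == {"="} or "|" not in line:
            continue                       # blank line, separator, or title
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells
            continue
        if len(cells) != len(header):
            raise ValueError("malformed rule row: %r" % line)
        rows.append(dict(zip(header, cells)))
    return rows


def build_pack(exports):
    """Compile per-sensor exports into (pack, conflicts)."""
    seen = {}                              # socket key -> {app-name: [sensors]}
    for sensor, text in exports.items():
        for rule in parse_rules(text):
            if rule["black"].lower() != "no":
                continue                   # assumed: flagged sockets are not installed
            key = (rule["IP"], int(rule["port"]), rule["L4"], rule["vrf name"])
            seen.setdefault(key, {}).setdefault(rule["app-name"], []).append(sensor)
    pack, conflicts = {}, {}
    for key, apps in seen.items():
        if len(apps) == 1:
            pack[key] = next(iter(apps))
        else:
            conflicts[key] = apps          # sensors disagree: hold the rule back
    return pack, conflicts


def select_path(pack, src, sport, dst, dport, l4, vrf):
    """Classify on the first packet from the installed pack, then pick a path."""
    app = (pack.get((dst, dport, l4, vrf))
           or pack.get((src, sport, l4, vrf))   # downstream: server is the source
           or "unknown")
    return app, PATH_POLICY.get(app, DEFAULT_PATH)


if __name__ == "__main__":
    pack, conflicts = build_pack({"br1": BR1_EXPORT, "hub": HUB_EXPORT})
    print(pack, conflicts)
    print(select_path(pack, "176.70.168.183", 443, "10.1.1.20", 51000, "TCP", "Mgt"))
```

Because consumers install whatever the pack contains, the compile step is the place to reject rules that sensors disagree on before they start steering traffic.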


SD-AVC – Asymmetric Webex example

[Diagram labels: br0; branch; br1; br2; hub; MPLS; Internet; mc; internet; Corporate Servers; rtr; DNS; Webex; 176.70.168.183]

Path Policy: Webex => MPLS

• NBAR2 classifies the first flow upstream as Webex (based on certificate)

• NBAR2 classifies the first flow as Webex (based on certificate)

• NBAR2 can’t classify the flow in the downstream (no certificate)

• The problem: Webex downstream is routed via Internet due to bad classification


Exported sockets:

=================

id | IP | port | L4 | vrf-id | vrf name | app-id | eng-id | sel-id | app-name | black |

===========================================================================================

1 | 179.36.9.210 | 5901 | TCP | 2 | Mgt | 100 | 13 | 100 | vnc | no |

2 | 179.36.9.205 | 5901 | TCP | 2 | Mgt | 100 | 13 | 100 | vnc | no |

3 | 179.36.9.208 | 5901 | TCP | 2 | Mgt | 100 | 13 | 100 | vnc | no |

4 | 176.70.168.183 | 443 | TCP | 2 | Mgt | 1306 | 13 | 414 | webex-meeting | no |


Imported sockets:

=================

id | IP | port | L4 | vrf-id | vrf name | app-id | eng-id | sel-id | app-name | black |

===========================================================================================

1 | 179.36.9.210 | 5901 | TCP | 2 | Mgt | 100 | 13 | 100 | vnc | no |

2 | 179.36.9.205 | 5901 | TCP | 2 | Mgt | 100 | 13 | 100 | vnc | no |

3 | 179.36.9.208 | 5901 | TCP | 2 | Mgt | 100 | 13 | 100 | vnc | no |

4 | 176.70.168.183 | 443 | TCP | 2 | Mgt | 1306 | 13 | 414 | webex-meeting | no |


Asymmetric Fixed Webex example - with SD-AVC

[Figure: network topology. Labels: branch, br0, br1, br2, hub, MPLS, Internet, mc, Corporate Servers, rtr, DNS, Webex, 176.70.168.183, SD-AVC]

Path Policy: Webex => MPLS

NBAR2 classifies the first flow upstream as Webex (based on certificate)

NBAR2 classifies the first flow as Webex (based on certificate)

NBAR2 classifies Webex downstream (based on SD-AVC)

Webex downstream is routed via MPLS

Imported sockets:
=================
id | IP             | port | L4  | vrf-id | vrf name | app-id | eng-id | sel-id | app-name      | black |
=========================================================================================================
1  | 179.36.9.210   | 5901 | TCP | 2      | Mgt      | 100    | 13     | 100    | vnc           | no    |
2  | 179.36.9.205   | 5901 | TCP | 2      | Mgt      | 100    | 13     | 100    | vnc           | no    |
3  | 179.36.9.208   | 5901 | TCP | 2      | Mgt      | 100    | 13     | 100    | vnc           | no    |
4  | 176.70.168.183 | 443  | TCP | 2      | Mgt      | 1306   | 13     | 414    | webex-meeting | no    |
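An added example (not from the talk and not Cisco code) of the lookup that the imported-sockets table makes possible: a router that never sees the certificate can still name the flow because one endpoint matches a socket learned elsewhere. The function names, the exact-match key (IP, port, L4, vrf-id) and the client address 10.1.1.20 are assumptions made for illustration; the table rows are the ones shown on the slide.

```python
import ipaddress
from typing import Dict, NamedTuple, Optional, Tuple

# "Imported sockets" rows as shown on the slide.
IMPORTED_SOCKETS = """\
id | IP | port | L4 | vrf-id | vrf name | app-id | eng-id | sel-id | app-name | black |
===========================================================================================
1 | 179.36.9.210 | 5901 | TCP | 2 | Mgt | 100 | 13 | 100 | vnc | no |
2 | 179.36.9.205 | 5901 | TCP | 2 | Mgt | 100 | 13 | 100 | vnc | no |
3 | 179.36.9.208 | 5901 | TCP | 2 | Mgt | 100 | 13 | 100 | vnc | no |
4 | 176.70.168.183 | 443 | TCP | 2 | Mgt | 1306 | 13 | 414 | webex-meeting | no |
"""

# Assumed lookup key: (IP, port, L4 protocol, vrf-id).
SocketKey = Tuple[str, int, str, int]


class SocketEntry(NamedTuple):
    app_id: int
    app_name: str


def parse_imported_sockets(text: str) -> Dict[SocketKey, SocketEntry]:
    """Parse the pipe-separated table into a dict keyed by server socket."""
    table: Dict[SocketKey, SocketEntry] = {}
    header = None
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2:          # blank line or "====" separator
            continue
        if header is None:          # first real row carries the column names
            header = cells
            continue
        if len(cells) != len(header):
            raise ValueError(f"malformed row: {line!r}")
        row = dict(zip(header, cells))
        ip = str(ipaddress.ip_address(row["IP"]))  # rejects garbage addresses
        key = (ip, int(row["port"]), row["L4"].upper(), int(row["vrf-id"]))
        table[key] = SocketEntry(int(row["app-id"]), row["app-name"])
    return table


def classify_flow(table: Dict[SocketKey, SocketEntry], src_ip: str, src_port: int,
                  dst_ip: str, dst_port: int, l4: str, vrf_id: int) -> Optional[str]:
    """Return the application name if either endpoint is a known server socket.

    Both endpoints are checked because the downstream direction carries the
    server socket as the source, not the destination.
    """
    for ip, port in ((dst_ip, dst_port), (src_ip, src_port)):
        key = (str(ipaddress.ip_address(ip)), int(port), l4.upper(), vrf_id)
        entry = table.get(key)
        if entry is not None:
            return entry.app_name
    return None  # unknown socket: fall back to ordinary classification


if __name__ == "__main__":
    sockets = parse_imported_sockets(IMPORTED_SOCKETS)
    # Constructed downstream flow: Webex server -> branch client, no certificate seen.
    print(classify_flow(sockets, "176.70.168.183", 443, "10.1.1.20", 51514, "TCP", 2))
    # Same address in a different VRF must not match.
    print(classify_flow(sockets, "176.70.168.183", 443, "10.1.1.20", 51514, "TCP", 1))
```

Because the match rests only on address, port, protocol and VRF, the classification is only as trustworthy as the device that first learned the socket and as fresh as the table entry.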


SD-AVC External Sources


SD-AVC and External sources

• The SD-AVC service connects with external authoritative sources to enrich application classification dynamically and seamlessly

Enables us to:

• Connect Cisco Security databases

• Provide real-time Cloud/SaaS information

• Provision Home-grown Applications

Example use cases are:

• Automatic Enrichment of Cloud/SaaS applications (MS RSS, CASI)

• Automatic Learning of Enterprise Local or Private apps (Infoblox/ACI/CUCM)


SD-AVC Operation (Data Flow)

[Figure: data-flow diagram with numbered steps 1 to 5. Labels: Network Layer; Consumer; Sensor & Consumer; SD-AVC Network Service; Application Rules Pack; Cached application rules (JSON); Application Rules Pack Generation; Controller; MS RSS; Infoblox; CloudLock]


SD-AVC Connectors

Microsoft Office 365 – contains geolocation and world wide FQDN and URL information

CASI – contains 10,000 applications with domain and certificate information (PoC)

- Provides DNS information for home grown applications (PoC)


SD-AVC and Microsoft Office365


Using Microsoft RSS – How does it work?

Office 365 URLs and IP address ranges

• Requires connectivity to the internet (from the SD-AVC service)

• XML format

• Huge list of IP addresses and ranges

• Much more robust list of domains


Using Microsoft RSS – How does it work?

New Domain Information from Microsoft

Example: jpn.delve.office.com

[Figure labels: Cisco Protocol Pack Application Data; Imported Data from Microsoft]


Using Microsoft RSS – How does it work? (Second step)

1. Find the correct application for the new domains

2. Using machine learning based on the previous learning set of Office 365 and existing host mappings supplied by Cisco NBAR2 Protocol Pack

Algorithm:

Given the previous learning set and a new domain that we want to map to an application:

[Figure: learning set of hosts (host1, host2, host3) and applications (app1, app2, app3); new domain jpn.delve.office.com: ??? / ms-office365]


Using Microsoft RSS – How does it work? (Third step)

Compile a new pack with the new signature and make it available for the devices

The secondary pack is installed alongside the Cisco NBAR2 protocol-pack

New domains are now supported automatically


Demo


What we’ll show in the Demo

We will demonstrate how completely asymmetric devices can teach each other classification information, using SD-AVC.

We will show how external sources can enhance application recognition.

We will show how these new automatic signatures help application recognition in an asymmetric scenario with SD-AVC.


[Figure: demo topology. Labels: SD-AVC; Microsoft Office365 RSS; CSR1Kv CSR-Demo-upstream; CSR1Kv csr-demo-downstream; Trex Traffic Generator; Upstream; Down Stream; Pull Application Rules; Data Analytics (JSON)]


Demo Script

Note: We expedited some of the timers, this may lead to skew in status indications

1. Downstream Setup Not connected to SD-AVC

2. Connect Downstream to the SD-AVC Network Service
   • First level of Asymmetry fix

3. Enrich the devices with a Secondary Pack based on MS Office365 Cloud Info

4. Downstream Setup classifies based on the MS Info using SD-AVC
   • Second level of Asymmetry fix


SD-AVC and Cloudlock CASI


SD-AVC and Cloudlock CASI – Why?

• Database synchronization between Cloudlock SaaS Security Index and SD-AVC/NBAR

• Better SaaS application recognition leveraging on Cloudlock Security Cloud infrastructure

• Better response time to the application and domain changes

• Cloudlock Shadow IT visibility leveraging SD-AVC on Cisco enterprise network


SD-AVC and Cloudlock – Self-Learning Network

[Figure: Network Device, SD-AVC and Cloudlock. Labels: Learning; Analysis & Feedback; Application database & Shadow-IT]


How it works?

[Figure: Enterprise Network, SD-AVC and Cloudlock CASI. Step 1: Learning process of unfamiliar domains]


How it works #2?

[Figure: Enterprise Network, SD-AVC and Cloudlock CASI, with steps 1 and 2. Label: Update CASI with offline application information from NBAR/CASI R&D]


SD-AVC Delivery Plan


SD-AVC Delivery plan

• Phase 1 (FCS Oct 2017)
  • IWAN 2.2.1: SD-AVC hosted on XE Container
  • Improved application recognition in Hub Asymmetric Routing environment
  • Improved first packet classification decision
  • Application recognition function serviceability
  • Protocol Pack automatic update

• Phase 2 (FCS Jan 2018)
  • Cloud/SaaS automatic signatures push (MS RSS)
  • High scale of SD-AVC sensors (6K) – support asymmetrical routing in branch routers
  • Support IWAN 2.3 DCA (Direct Cloud Access) – FCS March 2018

• Future
  • Unknown and Generic Traffic Discovery
  • High scale custom application support (1000+)
  • Viptela vManage integration
  • DNA-C App-Policy/EasyQoS use cases
  • Wireless & Switching


Q&A


Homework


What you can do?

- Use Application Visibility on WebUI (device level visibility)
  - XE routers – supported 3.16 and up
  - Cat3K/9K – supported 16.6.1 and up

- Download and install SD-AVC on a router (network level visibility)

- Enlist to NBAR2/SD-AVC announcements: send an email with SUBSCRIBE to [email protected]


Wrap up

- NBAR2 has evolved and matured to tackle today’s network challenges

- SD-AVC introduces new innovation and advances at the network level using analytics and external sources

- The evolution of Cisco application recognition technology unleashes great capabilities on both the device side and the controller side, to provide application-based solutions like SD-WAN, EasyQoS, Assurance and Security


SD-AVC makes the network more intuitive.



Continue Your Education

• Come and meet us on DevNet zone SD-AVC Demo Pod

• Whisper Suite

• Meet the Engineer 1:1 meetings


Thank you
