© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
How to deploy a Cisco campus network in 10 minutes?
New technologies for automation and analytics in Cisco enterprise networks.
Denis Kodentsev
Consulting Engineer, CCIE
DNA Center
• An innovative solution for deploying and managing the enterprise network and network services
DNA Assurance & Analytics
• Analysis and proactive detection of problems
Software-Defined Access
• A universal network fabric with dynamic microsegmentation
Enhanced Network as a Sensor
• Detection of malware in encrypted traffic (without decryption)
Catalyst 9000 switches
• The first switches purpose-built for DNA
Subscription-based licensing | Additional services from Cisco
A new era of Cisco networking – announced June 20, 2017
Traffic growth of 10x* by 2019
IT teams are forced to support more connected devices (both user devices and others, IoT for example)
IT teams are forced to deal with a larger number of vulnerabilities and security threats
Why do companies spend so much?
$60B
Spent on operating network infrastructure per year worldwide (salaries, tooling)
*
Enterprise networks today are complex …
Working with different networks
Working with many different policies - LAN, WLAN, WAN, data center
Scaling increases operational complexity
Managing many VLANs
Diagram labels: VLAN 1, VLAN 2, VLAN 3; WAN; Branch A, VLAN A; Branch A, VLAN B; Remote, VLAN B; HQ
Automation
Abstraction & Policy Control from Core to Edge
Open & Programmable | Standards-Based
Open APIs | Developers Environment
Cloud Service Management
Policy | Orchestration
Virtualization
Physical & Virtual Infrastructure | App Hosting
Analytics
Network Data, Contextual Insights
Network-enabled Applications
Cloud-enabled | Software-delivered
Principles
Cisco Digital Network Architecture
DNA Overview
SD-A, SD-WAN & ENFV
DNA Center
Insights & Experiences
Automation & Assurance
Security & Compliance
DNA Center
a single interface for automation and analytics
APIC-EM | Network Data Platform | Identity Services Engine
Routers Switches Wireless APs
DNA Center
DESIGN PROVISION POLICY ASSURANCE
DNA Center
Simple Workflows
Wireless Controllers
Why do we need DNA-Center?
What is SD-Access?
Key concepts and terminology
§ Control-Plane Nodes – Map System that manages Endpoint to Device relationships
§ Fabric Edge Nodes – A Fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SDA Fabric
§ Identity Services – External ID System(s) (e.g. ISE) are leveraged for dynamic Endpoint to Group mapping and Policy definition
§ Fabric Border Nodes – A Fabric device (e.g. Core) that connects External L3 network(s) to the SDA Fabric
§ DNA Controller – Enterprise SDN Controller (e.g. DNA Center) provides GUI management and abstraction via Apps that share context
§ Analytics Engine – External Data Collector(s) (e.g. NDP) are leveraged to analyze Endpoint to App flows and monitor fabric status
§ Fabric Wireless Controller – A Fabric device (WLC) that connects Wireless Endpoints to the SDA Fabric
Diagram labels: Campus Fabric; ISE; Identity Services; DNA Controller; Analytics Engine; Control-Plane Nodes; Fabric Border Nodes; Intermediate Nodes (Underlay); Fabric Edge Nodes; Fabric Wireless Controller
Why do we need Software Defined Access?
Is your Campus Network facing some, or all, of these challenges?
• Host Mobility (w/o stretching VLANs)
• Network Segmentation (w/o implementing MPLS)
• Role-based Access Control (w/o end-to-end TrustSec)
• Common Policy for Wired and Wireless (w/o using multiple tools)
• Consistency Across Campus, WAN and Branch (w/o using multiple tools)
With DNA SD-Access, you can overcome these challenges and provide your
organization with the infrastructure required to meet your business objectives.
Come to this session to get a look into the DNA SD-Access architecture,
including a closer look at each of the technologies that bring this to life!
How does Cisco DNA-Center work?
DNA automation and analytics
Architecture
DNA-Center
Design | Provision | Policy | Assurance
DNA Automation
App Policy Infra Controller – EN Module
Cisco ISE 2.3
Identity Services Engine
DNA Assurance
Network Data Platform
Cisco Switches | Cisco Routers | Cisco Wireless
SDA Fabric
Interfaces and protocols shown in the diagram: GUI, API, AAA, RADIUS, EAPoL, HTTPS, NetFlow, Syslogs, NETCONF, SNMP, SSH
Full-cycle automation
DNA Center
DNA Assurance
DNA Automation
Streaming telemetry & network data
Network and telemetry configuration
Telemetry, alerts, violations
Network inventory, topology, and configuration
ISE and DNA Center integration
Automating policy and access control
Campus Fabric
Authentication Authorization Policies
Fabric Management
Policy Authoring Workflows
Groups and Policies
PxGrid
REST APIs
Cisco Identity Services Engine
Cisco DNA Center
Correlation and machine learning
Ingest Network & Contextual Telemetry
Process and Analyze Streams of Data
Complex Event Processing
• Data cleaning
• Feature creation
• Data normalization & enrichment
• Baselining & trending
• Relationship modeling
• Behavior analysis
• Anomaly detection
• Pattern recognition
Machine Learning
• Event clustering & correlation
• Prediction
• Natural language processing
• Recommendation
Data Processing
Phase 1 Phase 2 Phase 3
Visualize and Act
Real-time visibility
One click (drill down) root cause analysis
Health analysis for every network client
Summary: Is the client connected and is the link connection good?
Wired Client
Health
Connected
Onboarding
Throughput
issues
Authenticated, IP
• Link Error
• Yes/No
Port Up/down • Yes/No
Key Services • DNS reachable
BRKCRS-2814
Streaming telemetry
NETCONF RESTCONF gNMI
Device features
Interface BGP QoS ACL …
SNMP
YANG data model
Open Native Open Native
Configuration Operational
Physical and virtual network infrastructure
Programmable Interfaces
Publish
• Periodic or on change
• Structured data
• Priority subscriptions
• Customized to recipient
• XML or JSON encoding
• NETCONF or HTTP/2 transport
• Increased scale
• Reduced CPU and bandwidth consumption
Subscribe
With streaming telemetry (FCS in July in the 16.6 train) we will support
collection of many KPIs as close as possible to real time
Advanced telemetry where and when it is needed
Collecting contextual information – ISE
Telemetry
SGT applied to port
Policy Enforcement Status
SGT Counters
Device level enforcement and changes
Access policy application and changes
Identity and end user information
pxGrid
SGT bindings, Group based policies
Access Policy Push
Notification of end user authentication and authorization (positive/negative)
Notification on group-based policy being downloaded by devices
End user identity and context
End to End visibility
Collecting contextual information – IPAM
Grid Publish
Grid Subscribe
Infoblox
General Information:
- Pool Name or ID
- Pool State (Enabled / Disabled)
General Stats (per pool and per client device):
- Any latency values
- # Discovers
- # Offers
- # Requests
- # ACKS
- # Declines
- # NAKs
RESTful API, SNMP
Per Pool:
- Network Block
- Start / End Address
- Lease Time
- Addresses Assigned
- Options Assigned
pxGrid
Ease of use: Example 1
Home page – what are the main problems seen in your network?
Landing page tells you:
Where in the world the most serious issues are happening
Overall health of your network, clients, and applications
Your top 10 issues and trends
Variety
Velocity
Volume
Veracity
Live end-to-end visibility brings together multiple data sources at high volumes and speeds
Reliable scoring to assess client health in real-time
Incorporation of diverse network data types
Accurate alerting for fast root cause analysis
Ease of use: Example 3
Instantly find the causes of problems with the SDA fabric and/or CTS policies
Quick visual of the fabric overlay tells you where you might have issues
Assurance-enabled path trace tells you where policies are failing
What does the network life cycle look like with DNA-Center?
DNA Center - Design
Setup Management & Underlay Reachability
1. Setup Sites, Buildings & Floors
• Organize your Regions, Cities & Buildings
• Import floorplans in CAD, PNG or JPG
• Virtual layout of Routers, Switches & APs
2. Setup Global & Site-Specific Settings
• Establish a common set of Global Servers
• Each Site inherits settings from level above
• Override Global settings with Site-Specific
3. Setup IP Address Pools or IPAM
• IP Address Management uses Site hierarchy
• Add or modify IP Pools manually
• You can also import from IPAM tools via APIs
4. Setup Wireless SSID Settings
• Manage Fabric Wireless WLANs per Site
• Associate the SSIDs with IP Pools
• Automated setup of the WLC & APs via APIs
DNA Center - Policy
Setup VNs & EIGs and Policies
1. Setup Virtual Networks
• Add Scalable Groups to a Virtual Network
• A “Default” Virtual Network created automatically
• Option to add / remove new Virtual Networks
• Enables VN ID on SDA enabled Devices*
2. Setup Scalable Groups
• Option to import Groups from ISE (or AD)
• Option to create Groups via Static Mapping
• Enables SGT ID on SDA enabled Devices*
3. Manage Group Policies
• Groups provide native SGT based segmentation
• Intra-VN policies set to Default Permit or Deny
• Create simple To / From Group-Based Policies
4. Manage VN Policies *
• VNs provide native VRF network segmentation
• Inter-VN policies mapped to Firewall instances*
* External Connect requires manual configuration. Automation planned for a later release.
DNA Center - Provision
Setup Overlay Control & Data-Plane
1. Setup Fabric Domains
• Add Devices to one of the configured Sites
• A “Default” Fabric Domain created automatically
• Option to add / remove new Fabric Domains
2. Add Devices & Assign Roles
• Add SDA capable Devices to the Fabric Domain
• Designate 1+ Devices as Border and Control
• All other Devices are configured as an Edge
3. Setup Host Onboarding
• Add various IP Pools to the Fabric Domain
• Designate IP Pools for Wired or Wireless
• Define the Host Authentication and options
• Option to Static Assignment of Pools to Ports
4. Advanced Settings
• (Optional) Enable Multicast in the Fabric Domain
DNA Center - Assurance
Real-Time Data-Collection & Event Correlation
1. Assurance Dashboard
• Network Health Scores (based on 360 Views)
• Graphical status view of Health and Alarms
• Track common Network Issues & Trends
• Universal search for elements of the Network
2. Device 360 Views
• Summary and Real-time Device statistics
• Track Issues and Trends of each Device
• View connected Neighbors, Clients & Apps
3. Client 360 Views
• Summary and Real-time Client statistics
• Track Issues and Trends of each Client
• Initiate Pathtrace per Client Application
4. Application 360 Views
• Summary and Real-time App statistics
• Track Issues and Trends of each App
How about a demo?
And what about Cisco Enterprise NFV?
Previously, ENFV required 3 systems…
WAN
SN, IP for host
Office
IP
NFVIS
IPS
WAAS
vSwitch
Profile to SN mapping
Provisioning
Provisioning
• ESA, PI and APIC-EM work together when a branch office is brought up
APIC-EM / Prime Infrastructure PnP
Day 0/1 config repository
REST
Enterprise Services Automation (ESA)
…now one is enough – DNA-Center
…including for Enterprise NFV
To sum up…
DNA Center capabilities = DNA Software subscription
Cisco ONE Suites or Ala Carte Model
ADVANTAGE: Full L3, Segmentation, Software Defined Access, ETA & Assurance
ESSENTIALS: Layer 2, Routed Access, Base Automation and Monitoring
Ongoing Innovation
License Portability
Software Support Included
OpEx Preference
Lower Entry Costs
Available for Current Catalyst 3K, 4K, 6K and Next Generation Catalyst 9K Series
Cisco ONE Suite – Essentials Includes ISE Base
What you will need:
Simplified view
Network/OS License
DNA Center, ISE, StealthWatch
Switches, Access Points, Routers
DNA License
ISE Base & Plus & StealthWatch
DNA Center Console
ISE Console
Network
Server
Software
Included in Cisco ONE Advantage
Ships with the device
Thank you! Questions?

Как развернуть кампусную сеть Cisco за 10 минут? Новые технологии для автоматизации и аналитики в корпоративных сетях Cisco

  • 1. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public The image part with relationship ID rId2 was not found in the file. The image part with relationship ID rId2 was not found in the file. Как развернуть кампусную сеть Cisco за 10 минут? Новые технологии для автоматизации и аналитики в корпоративных сетях Cisco. Денис Коденцев Инженер-консультант, CCIE
  • 2. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public DNA Center • Инновационное решение для внедрения и управления корпоративной сетью и сетевыми сервисами DNA Assurance & Analytics • Анализ и проактивное обнаружение проблем Software-Defined Access • Универсальная сетевая фабрика с динамической микросегментацией Enhanced Network as a Sensor • Обнаружение вредоносного ПО в зашифрованном обмене (без расшифровки) Коммутаторы Catalyst 9000 • Первые специально созданные в рамках DNA коммутаторыЛицензирование с поддержкой подписки | Дополнительные сервисы от Cisco Новая эра сетей Cisco – анонс 20 июня 2017
  • 3. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Рост трафика в 10x* к 2019 ИТ службы вынуждены поддерживать больше подключенных устройств (как пользовательских, так и других – IoT как пример) ИТ службы вынуждены работать с бОльшим числом уязвимостей и угроз безопасности Почему компании тратят настолько много? $60B Тратится на эксплуатацию сетевой инфраструктуры в год во всем мире (зарплата, инструментальные средства) *
  • 4. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Корпоративные сети сегодня – сложные … Работа с различными сетями Работа с множеством разных политик - LAN, WLAN, WAN, ЦОД Масштабирование увеличивает сложность эксплуатации Управление множеством VLAN VLAN 1 VLAN 2 VLAN 3 WAN Branch A VLAN A Branch A VLAN B Remote VLAN B HQ 4
  • 5. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Automation Abstraction & Policy Control from Core to Edge Open & Programmable | Standards-Based Open APIs | Developers Environment Cloud Service Management Policy | Orchestration Virtualization Physical & Virtual Infrastructure | App Hosting Analytics Network Data, Contextual Insights Network-enabled Applications Cloud-enabled | Software-delivered Principles Cisco Digital Network Architecture DNA Overview SD-A, SD-WAN & ENFV DNA Center 5 Insights & Experiences Automation & Assurance Security & Compliance
  • 6. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public DNA Center единый интерфейс для автоматизации и аналитики APIC-EM Network Data PlatformIdentity Services Engine Routers Switches Wireless APs DNA Center DESIGN PROVISION POLICY ASSURANCE DNA Center Simple Workflows Wireless Controllers
  • 8. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public ISE § Control-Plane Nodes – Map System that manages Endpoint to Device relationships § Fabric Edge Nodes – A Fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SDA Fabric § Identity Services – External ID System(s) (e.g. ISE) are leveraged for dynamic Endpoint to Group mapping and Policy definition § Fabric Border Nodes – A Fabric device (e.g. Core) that connects External L3 network(s) to the SDA Fabric Identity Services Intermediate Nodes (Underlay) Fabric Border Nodes Fabric Edge Nodes § DNA Controller – Enterprise SDN Controller (e.g. DNA Center) provides GUI management and abstraction via Apps that share context DNA Controller § Analytics Engine – External Data Collector(s) (e.g. NDP) are leveraged to analyze Endpoint to App flows and monitor fabric status Analytics Engine C Control-Plane Nodes B Что такое SD-Access? Основные понятия и терминология B § Fabric Wireless Controller – A Fabric device (WLC) that connects Wireless Endpoints to the SDA Fabric 8 Fabric Wireless Controller Campus Fabric
  • 9. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Зачем нам Software Defined Access? Is your Campus Network facing some, or all, of these challenges? • Host Mobility (w/o stretching VLANs) • Network Segmentation (w/o implementing MPLS) • Role-based Access Control (w/o end-to-end TrustSec) • Common Policy for Wired and Wireless (w/o using multiple tools) • Consistency Across Campus, WAN and Branch (w/o using multiple tools) With DNA SD-Access, you can overcome these challenges and provide your organization with the infrastructure required to meet your business objectives. Come to this session to get a look into the DNA SD-Access architecture, including a closer look at each of the technologies that bring this to life! J 9 9
  • 11. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public DNA-Center DNA Automation App Policy Infra Controller – EN Module Cisco ISE 2.3 Identity Services Engine DNA Assurance Network Data Platform Cisco Switches | Cisco Routers | Cisco Wireless GUI AAA RADIUS EAPoL HTTPS NetFlow Syslogs NETCONF SNMP SSH API API API API API SDA Fabric Автоматизация и аналитика DNA Архитектура Design | Provision | Policy | Assurance 11
  • 12. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Автоматизация полного цикла DNA Center DNA Assurance DNA Automation Streaming telemetry & network data Network and telemetry configuration Telemetry, alerts, violations Network inventory, topology, and configuration
  • 13. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Интеграция ISE и DNA Center Автоматизация политик и контроля доступа Campus Fabric Authentication Authorization Policies Fabric Management Policy Authoring Workflows Groups and Policies PxGrid REST APIs Cisco Identity Services Engine Cisco DNA Center 13
  • 14. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public Корреляция и машинное обучение 0I000I II0I0II 00I 0II0 0I0I00 I0II II0I000 0I000I II00 I0I0 0I0000 0II0 0II IIII00I 0I0 00I II0I I0II00I 00II0I0I I000III I00I 00II Ingest Network & Contextual Telemetry 0I000I II0I0II 00I 0II0 0I0I00 I0II II0I000 0I000I II00 I0I0 0I0000 0II0 0II IIII00I 0I0 00I II0I I0II00I 00II0I0I I000III I00I 00II 0I000I II0I0II 00I 0II0 0I0I00 I0II II0I000 0I000I II00 I0I0 0I0000 0II0 0II IIII00I 0I0 00I II0I I0II00I 00II0I0I I000III I00I 00II 0I000I II0I0II 00I 0II0 0I0I00 I0II II0I000 0I000I II00 I0I0 0I0000 0II0 0II IIII00I 0I0 00I II0I I0II00I 00II0I0I I000III I00I 00II Process and Analyze Streams of Data Complex Event Processing • Data cleaning • Feature creation • Data normalization & enrichment • Baselining & trending • Relationship modeling • Behavior analysis • Anomaly detection • Pattern recognition Machine Learning • Event clustering & correlation • Prediction • Natural language processing • Recommendation Data Processing Phase 1 Phase 2 Phase 3 Visualize and Act Real-time visibility One click (drill down) root cause analysis
  • 15. Health analysis for every network client. Summary: Is the client connected and is the link connection good? Wired Client Health: Connected; Onboarding; Throughput issues; Authenticated, IP • Link Error • Yes/No; Port Up/down • Yes/No; Key Services • DNS reachable. BRKCRS-2814
  • 16. Streaming telemetry: extended telemetry where and when it is needed. Diagram labels: NETCONF, RESTCONF, gNMI; Device features: Interface, BGP, QoS, ACL, …; SNMP; YANG data model (Open, Native; Configuration, Operational); Physical and virtual network infrastructure; Programmable Interfaces. Publish / Subscribe: • Periodic or on change • Structured data • Priority subscriptions • Customized to recipient • XML or JSON encoding • NETCONF or HTTP/2 transport • Increased scale • Reduced CPU and bandwidth consumption. With streaming telemetry (FCS in July in the 16.6 train) we will support collection of many KPIs as close as possible to real time.
  • 17. Collecting contextual information: ISE Telemetry. SGT applied to port; Policy Enforcement Status; SGT Counters; Device-level enforcement and changes; Access policy application and changes; Identity and end user information; pxGrid; SGT bindings, Group-based policies; Access Policy Push; Notification of end user authentication and authorization (positive/negative); Notification on group-based policy being downloaded by devices; End user identity and context; End-to-end visibility.
  • 18. Collecting contextual information: IPAM. Grid Publish, Grid Subscribe; Infoblox; RESTful API, SNMP; pxGrid. General Information: - Pool Name or ID - Pool State (Enabled / Disabled). General Stats (per pool and per client device): - Any latency values - # Discovers - # Offers - # Requests - # ACKs - # Declines - # NAKs. Per Pool: - Network Block - Start / End Address - Lease Time - Addresses Assigned - Options Assigned.
  • 19. Ease of use: Example 1. Home page: what are the main problems observed in your network? Landing page tells you: where in the world the most serious issues are happening; the overall health of your network, clients, and applications; your top 10 issues and trends.
  • 20. Variety, Velocity, Volume, Veracity. Live end-to-end visibility brings together multiple data sources at high volumes and speeds; reliable scoring to assess client health in real time; incorporation of diverse network data types; accurate alerting for fast root cause analysis.
  • 21. Ease of use: Example 3. Instantly finding the causes of problems with the SDA fabric and/or CTS policies. Quick visual of the fabric overlay tells you where you might have issues; Assurance-enabled path trace tells you where policies are failing.
  • 23. DNA Center - Design: Setup Management & Underlay Reachability
    1. Setup Sites, Buildings & Floors
      • Organize your Regions, Cities & Buildings
      • Import floorplans in CAD, PNG or JPG
      • Virtual layout of Routers, Switches & APs
    2. Setup Global & Site-Specific Settings
      • Establish a common set of Global Servers
      • Each Site inherits settings from level above
      • Override Global settings with Site-Specific
    3. Setup IP Address Pools or IPAM
      • IP Address Management uses Site hierarchy
      • Add or modify IP Pools manually
      • You can also import from IPAM tools via APIs
    4. Setup Wireless SSID Settings
      • Manage Fabric Wireless WLANs per Site
      • Associate the SSIDs with IP Pools
      • Automated setup of the WLC & APs via APIs
  • 24. DNA Center - Policy: Setup VNs & EIGs and Policies
    1. Setup Virtual Networks
      • Add Scalable Groups to a Virtual Network
      • A “Default” Virtual Network created automatically
      • Option to add / remove new Virtual Networks
      • Enables VN ID on SDA enabled Devices*
    2. Setup Scalable Groups
      • Option to import Groups from ISE (or AD)
      • Option to create Groups via Static Mapping
      • Enables SGT ID on SDA enabled Devices*
    3. Manage Group Policies
      • Groups provide native SGT based segmentation
      • Intra-VN policies set to Default Permit or Deny
      • Create simple To / From Group-Based Policies
    4. Manage VN Policies *
      • VNs provide native VRF network segmentation
      • Inter-VN policies mapped to Firewall instances*
    * External Connect requires manual configuration. Automation planned for a later release.
  • 25. DNA Center - Provision: Setup Overlay Control & Data-Plane
    1. Setup Fabric Domains
      • Add Devices to one of the configured Sites
      • A “Default” Fabric Domain created automatically
      • Option to add / remove new Fabric Domains
    2. Add Devices & Assign Roles
      • Add SDA capable Devices to the Fabric Domain
      • Designate 1+ Devices as Border and Control
      • All other Devices are configured as an Edge
    3. Setup Host Onboarding
      • Add various IP Pools to the Fabric Domain
      • Designate IP Pools for Wired or Wireless
      • Define the Host Authentication and options
      • Option to Static Assignment of Pools to Ports
    4. Advanced Settings
      • (Optional) Enable Multicast in the Fabric Domain
  • 26. DNA Center - Assurance: Real-Time Data-Collection & Event Correlation
    1. Assurance Dashboard
      • Network Health Scores (based on 360 Views)
      • Graphical status view of Health and Alarms
      • Track common Network Issues & Trends
      • Universal search for elements of the Network
    2. Device 360 Views
      • Summary and Real-time Device statistics
      • Track Issues and Trends of each Device
      • View connected Neighbors, Clients & Apps
    3. Client 360 Views
      • Summary and Real-time Client statistics
      • Track Issues and Trends of each Client
      • Initiate Pathtrace per Client Application
    4. Application 360 Views
      • Summary and Real-time App statistics
      • Track Issues and Trends of each App
  • 28. And what about Cisco Enterprise NFV?
  • 29. Previously, ENFV required 3 systems… • ESA, PI and APIC-EM work together when a branch is brought up. Diagram labels: WAN; SN, IP for host; Office IP; NFVIS; IPS; WAAS; vSwitch; Profile to SN mapping; Provisioning; APIC-EM / Prime Infrastructure; PnP; Day 0/1 config repository; REST; Enterprise Services Automation (ESA).
  • 30. …now one is enough: DNA-Center
  • 31. …including for Enterprise NFV
  • 33. DNA Center capabilities = DNA Software subscription. Cisco ONE Suites or A La Carte Model. ADVANTAGE: Full L3, Segmentation, Software Defined Access, ETA & Assurance. ESSENTIALS: Layer 2, Routed Access, Base Automation and Monitoring. Ongoing Innovation; License Portability; Software Support Included; OpEx Preference; Lower Entry Costs. Available for Current Catalyst 3K, 4K, 6K and Next Generation Catalyst 9K Series. Cisco ONE Suite – Essentials Includes ISE Base.
  • 34. What you will need: simplified view. Diagram labels: Network/OS License; DNA Center, ISE, StealthWatch; Switches, Access Points, Routers; DNA License; ISE Base & Plus & StealthWatch; DNA Center Console; ISE Console; Network; Server; Software; Included in Cisco ONE Advantage; Ships with the device.