Как развернуть кампусную сеть cisco за 10 минут? · Что...

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

The image part with relationship ID rId2 was not found in the file.

The image part with relationship ID rId2 was not found in the file.

Как развернуть кампуснуюсеть Cisco за 10 минут?

Новые технологии для автоматизации и аналитики в корпоративных сетях Cisco.

Денис Коденцев

Инженер-консультант, CCIE


DNA Center

• Инновационное решение для внедрения и управления корпоративной сетью и сетевыми сервисами

DNA Assurance & Analytics

• Анализ и проактивное обнаружение проблем

Software-Defined Access

• Универсальная сетевая фабрика с динамической микросегментацией

Enhanced Network as a Sensor

• Обнаружение вредоносного ПО в зашифрованном обмене (без расшифровки)

Коммутаторы Catalyst 9000

• Первые специально созданные в рамках DNA коммутаторыЛицензирование с поддержкой подписки | Дополнительные сервисы от Cisco

Новая эра сетей Cisco – анонс 20 июня 2017


Рост трафикав 10x* к 2019

ИТ службы вынуждены поддерживать больше

подключенных устройств(как пользовательских, так и

других – IoT как пример)

ИТ службы вынуждены работать с бОльшим числом уязвимостей

и угроз безопасности

Почему компании тратят настолько много?

$60BТратится на эксплуатацию сетевой инфраструктуры в год во всем мире (зарплата, инструментальные средства)

*


Корпоративные сети сегодня – сложные …

Работа с различными сетями

Работа с множеством разных

политик - LAN, WLAN, WAN, ЦОД

Масштабирование увеличивает сложность

эксплуатации

Управление множеством VLAN

VLAN 1 VLAN 2 VLAN 3

WAN

Branch A

VLAN A

Branch A

VLAN B

RemoteVLAN B

HQ

4


AutomationAbstraction&PolicyControl

fromCoretoEdge

Open&Programmable|Standards-Based

OpenAPIs|DevelopersEnvironment

CloudServiceManagementPolicy|Orchestration

VirtualizationPhysical&VirtualInfrastructure|AppHosting

AnalyticsNetworkData,

ContextualInsights

Network-enabledApplications

Cloud-enabled|Software-delivered

Principles

Cisco Digital Network ArchitectureDNA Overview

SD-A, SD-WAN & ENFV

DNA Center

5

Insights&Experiences

Automation&Assurance

Security&Compliance


DNA Centerединый интерфейс для автоматизации и аналитики

APIC-EM Network Data PlatformIdentity Services Engine

Routers Switches Wireless APs

DNA Center

DESIGN PROVISION POLICY ASSURANCE

DNA Center Simple Workflows

Wireless Controllers

Зачем нам DNA-Center?


ISE

§ Control-Plane Nodes – Map System that manages Endpoint to Device relationships

§ Fabric Edge Nodes – A Fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SDA Fabric

§ Identity Services – External ID System(s) (e.g. ISE) are leveraged for dynamic Endpoint to Group mapping and Policy definition

§ Fabric Border Nodes – A Fabric device (e.g. Core) that connects External L3 network(s) to the SDA Fabric

Identity Services

Intermediate Nodes (Underlay)

Fabric Border Nodes

Fabric Edge Nodes

§ DNA Controller – Enterprise SDN Controller (e.g. DNA Center) provides GUI management and abstraction via Apps that share context

DNA Controller

§ Analytics Engine – External Data Collector(s) (e.g. NDP) are leveraged to analyze Endpoint to App flows and monitor fabric status

Analytics Engine

CControl-Plane

Nodes

B

Что такое SD-Access?Основные понятия и терминология

B

§ Fabric Wireless Controller – A Fabric device (WLC) that connects Wireless Endpoints to the SDA Fabric

8

Fabric WirelessController

CampusFabric


Зачем нам Software Defined Access?

Is your Campus Network facing some, or all, of these challenges?

• Host Mobility (w/o stretching VLANs)

• Network Segmentation (w/o implementing MPLS)

• Role-based Access Control (w/o end-to-end TrustSec)

• Common Policy for Wired and Wireless (w/o using multiple tools)

• Consistency Across Campus, WAN and Branch (w/o using multiple tools)

With DNA SD-Access, you can overcome these challenges and provide your organization with the infrastructure required to meet your business objectives.

Come to this session to get a look into the DNA SD-Access architecture, including a closer look at each of the technologies that bring this to life! J

9 9

Как устроен Cisco DNA-Center?


DNA-Center

DNAAutomationAppPolicyInfraController– ENModule

CiscoISE2.3IdentityServicesEngine

DNAAssuranceNetworkDataPlatform

CiscoSwitches|CiscoRouters|CiscoWireless

GUI

AAARADIUSEAPoL

HTTPSNetFlowSyslogs

NETCONFSNMPSSH

API API

API

API

API

SDAFabric

Автоматизация и аналитика DNAАрхитектура

Design |Provision |Policy |Assurance

11


Автоматизация полного цикла

DNA Center

DNA Assurance

DNAAutomation

Streaming telemetry & network data

Network and telemetry configuration

Telemetry, alerts, violations

Network inventory, topology, and configuration


Интеграция ISE и DNA Center Автоматизация политик и контроля доступа

Campus Fabric

Authentication Authorization

Policies

Fabric Management

Policy Authoring Workflows

Groups and Policies

PxGridREST APIs

Cisco Identity Services Engine

Cisco DNA Center

13


Корреляция и машинное обучение

0I000III0I 0I I00I0II0 0I0 I00I0IIII0I 000 0I000I II00I0I00I0 000 0II00 IIIII I 00I0I000III0II0II 00I 00II 0I0II0 0 0I II I00I00II

Ingest Network & Contextual Telemetry 0I000III0I 0I I00I0II0 0I0 I00I0IIII0I 000 0I000I II00I0I00I0 000 0II00 IIIII I 00I0I000III0II0II 00I 00II 0I0II0 0 0I II I00I00II



Process and Analyze Streams of Data

Complex Event Processing

• Data cleaning• Feature creation• Data

normalization & enrichment

• Baselining & trending

• Relationship modeling

• Behavior analysis

• Anomaly detection

• Pattern recognition

Machine Learning

• Event clustering & correlation

• Prediction• Natural language

processing• Recommendation

Data Processing

Phase 1 Phase 2 Phase 3

Visualize and Act

Real-time visibility

One click (drill down) root cause analysis


Анализ состояния каждого клиента сетиSummary: Is the client connected and is the link connection good?

Wired Client Health

Connected

Onboarding

Throughput issues

Authenticated, IP

• Link Error

• Yes/No

Port Up/down • Yes/No

Key Services • DNS reachable

BRKCRS-2814 15


Потоковая телеметрия

NETCONF RESTconf GNMI

Device features

InterfaceBGP

QoS ACL …

SNMP

YANG data model

Open Native Open Native

Configuration Operational

Physical and virtual network infrastructure

ProgrammableInterfaces

Публикация• Periodic or on change• Structured data • Priority subscriptions• Customized to recipient• XML or JSON encoding

• NETCONF or HTTP/2 transport

• Increased scale

• Reduced CPU and bandwidth consumption

Подписка

With streaming telemetry (FCS in July in the 16.6 train) we will support collection of many KPIs as close as possible to real time

Расширенная телеметрия там и тогда, когда это требуется


Сбор контекстной информации – ISE

Telemetry

SGT applied to port

Policy Enforcement Status

SGT Counters

Device level enforcement and changes Access policy application and changes Identity and end user information

pxGrid

SGT bindings, Group based policies

Access Policy Push

Notification of end user authentication and authorization (positive/negative)

Notification on group-based policy being downloaded by devices

End user identity and context

End to End visibility


Сбор контекстной информации – IPAM

Grid PublishGrid Subscribe

Infoblox

General Information:

- Pool Name or ID

- Pool State (Enabled / Disabled)

General Stats (per pool and per client device):

- Any latency values

- # Discovers

- # Offers

- # Requests

- # ACKS

- # Declines

- # NAKs

RESTful API, SNMP

Per Pool:

- Network Block

- Start / End Address

- Lease Time

- Addresses Assigned

- Options Assigned

pxGrid


Простота использования : Пример 1Главная страница – какие главные проблемы наблюдаются в вашей сети?

Landing page tells you:

Where in the worldthe most serious issues are happening

Overall health ofyour network, clients,and applications

Your top 10 issuesand trends


Variety

Velocity

Volume

Veracity

Live end-to-end visibility brings together multiple data sources at

high volumes and speeds

Reliable scoring to assess client health in real-time

Incorporation of diversenetwork data types

Accurate alerting for fast root cause analysis


Простота использования : Пример 3Мгновенное обнаружение причин проблем с SDA-фабрикой и/или политиками CTS

Quick visual of the fabric overlay tells youwhere you might have issues

Assurance-enabled path trace tells youwhere policies are failing

1 2

Как выглядит жизненный цикл сети с DNA-Center?


DNA Center - DesignSetup Management & Underlay Reachability

1

1. Setup Sites, Buildings & Floors• Organize your Regions, Cities & Buildings

• Import floorplans in CAD, PNG or JPG

• Virtual layout of Routers, Switches & APs

2. Setup Global & Site-Specific Settings• Establish a common set of Global Servers

• Each Site inherits settings from level above

• Override Global settings with Site-Specific

3. Setup IP Address Pools or IPAM• IP Address Management uses Site hierarchy

• Add or modify IP Pools manually

• You can also import from IPAM tools via APIs

4. Setup Wireless SSID Settings• Manage Fabric Wireless WLANs per Site

• Associate the SSIDs with IP Pools

• Automated setup of the WLC & APs via APIs

23


DNA Center - PolicySetup VNs & EIGs and Policies

1. Setup Virtual Networks• Add Scalable Groups to a Virtual Network

• A “Default” Virtual Network created automatically

• Option to add / remove new Virtual Networks

• Enables VN ID on SDA enabled Devices*

2. Setup Scalable Groups• Option to import Groups from ISE (or AD)

• Option to create Groups via Static Mapping

• Enables SGT ID on SDA enabled Devices*

3. Manage Group Policies• Groups provide native SGT based segmentation

• Intra-VN policies set to Default Permit or Deny

• Create simple To / From Group-Based Policies

4. Manage VN Policies *• VNs provide native VRF network segmentation

• Inter-VN policies mapped to Firewall instances*

* External Connect requires manual configuration. Automation planned for a later release. 24

2


DNA Center - ProvisionSetup Overlay Control & Data-Plane

1. Setup Fabric Domains• Add Devices to one of the configured Sites

• A “Default” Fabric Domain created automatically

• Option to add / remove new Fabric Domains

2. Add Devices & Assign Roles• Add SDA capable Devices to the Fabric Domain

• Designate 1+ Devices as Border and Control

• All other Devices are configured as an Edge

3. Setup Host Onboarding• Add various IP Pools to the Fabric Domain

• Designate IP Pools for Wired or Wireless

• Define the Host Authentication and options

• Option to Static Assignment of Pools to Ports

4. Advanced Settings• (Optional) Enable Multicast in the Fabric Domain

25

3


DNA Center - AssuranceReal-Time Data-Collection & Event Correlation

1. Assurance Dashboard• Network Health Scores (based on 360 Views)

• Graphical status view of Health and Alarms

• Track common Network Issues & Trends

• Universal search for elements of the Network

2. Device 360 Views• Summary and Real-time Device statistics

• Track Issues and Trends of each Device

• View connected Neighbors, Clients & Apps

3. Client 360 Views• Summary and Real-time Client statistics

• Track Issues and Trends of each Client

• Initiate Pathtrace per Client Application

4. Application 360 Views• Summary and Real-time App statistics

• Track Issues and Trends of each App

4

26

Как насчет демонстрации?

А как жеCisco Enterprise NFV?


Ранее для ENFV нужны были 3 системы…

© 2017 Cisco and/or its affiliates. All rights reserved. 29

WAN

SN

, IP fo

r host

Office

IP

NFVIS

IPS

WAAS

vSwitch

Pro

file to S

N

mappin

g

Pro

visi

onin

gP

rovi

sionin

g

• ESA, PI и APIC-EM совместно работают при запуске филиала

APIC-EM / Prime Infrastructure PnPDay 0/1 config

repository

REST

Enterprise Services Automation (ESA)


…теперь достаточно одной – DNA-Center


…в том числе и для Enterprise NFV

Подводя итог…


Возможности DNA Center = Подписка DNA Software

Cisco ONE Suites or Ala Carte Model

ADVANTAGEESSENTIALSFull L3, Segmentation,

Software Defined Access, ETA & Assurance

Layer 2, Routed Access, Base Automation and

Monitoring

Ongoing Innovation

License Portability

Software SupportIncluded

OpExPreference

Lower Entry Costs

Available for Current Catalyst 3K, 4K, 6K and Next Generation Catalyst 9K SeriesCisco ONE Suite – Essentials Includes ISE Base

33


Network/OS License

DNA Center, ISE, StealthWatch

Switches, Access Points, Routers

DNA License

ISE Base & Plus & StealthWatch

Что Вам понадобится: Упрощенный вид

DNA CenterConsole

ISEConsole

Сеть

Сервер

ПОВключено вCisco ONE Advantage

Поставляется с устройством

Спасибо! Вопросы?

Как развернуть кампусную сеть cisco за 10 минут? · Что...

Documents