C97-739103-00 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Partner Confidential The Network. Intuitive. Catalina Niculita Systems Engineering Manager Cisco Romania
1 million new devices online every hour
Mobile, IoT, Cloud, AI, Machine Learning
Explosion of data
3X spend on network operations vs network
80 - 95% manual operations
Dynamic user, devices, apps environment
3 months to detect breach
$4M average cost per breach
Increased attack surface and sophistication
The Network. Intuitive.
Constantly learning, adapting, protecting
Applied intelligence
• Adaptive learning through deep visibility and an understanding of network traffic
Seeing all threats
• Stop 20 million threats a day and learn from every one of them
Giving IT time back
• Turn days of work into hours and hours of work into seconds
Powered by intent. Informed by context.
The Cisco Story
1. DNA Center
2. Assurance
3. Software Defined Access
4. Embedded Security
5. SD-WAN
Cisco DNA Center
Cisco DNA™ Center: simple workflows for Design, Provision, Policy and Assurance
Managed infrastructure: wireless access points, wireless LAN controllers, switches (Catalyst 9000), routers, SD-WAN
Automation: APIC-EM
Policy: Identity Services Engine (ISE)
Assurance: Network Data Platform (NDP)
Software-Defined Access, Embedded Security
DNA Center Components
DNA Center consists of automation and assurance.
Automation
Design
• Global settings
• Site profiles
• DDI, SWIM, PNP
• User access
Provision
• Fabric domains
• Device on-boarding
• Device inventory
• Host on-boarding
Policy
• Virtual networks
• ISE, AAA, RADIUS
• Access control
• Application control
Assurance
• Issues and trends
• Performance
• Proactive troubleshooting
Automation covers planning, installation and migration; assurance covers proactive and predictive network, client and application assurance.
DNA Assurance: The How?
Cisco DNA™ Assurance Engine
Data collection and ingestion from 16 data sources: network telemetry, contextual data, network device logs
Data correlation and analysis in the analytics engine:
• Relationship between data flows
• Time: data behavior
• Location: user profiles
• Topology
• Attributes: device type and software/image version
• Contextual information and relationships
DNA Center™ shows an insights view with guided remediation actions.
Actionable insights and visibility in real time
Traditional networks cannot keep up
Common user policy for the branch, campus, WAN, and cloud
• Inconsistent user experience
• Complex to configure
• Difficult to segment: more users and endpoints, more VLANs and subnets
• Multiple steps to give users credentials
• Difficult to maintain policy: separate user policies for wired and wireless networks
• Unable to find users when troubleshooting
Secure Segmentation and Onboarding
Secure on-boarding of devices and users
Before SD-Access
• VLAN and IP address based
• Create IP based ACLs for access policy
• Deal with policy violations and errors manually
After SD-Access
• No VLAN or subnet dependency for segmentation and access control
• Define one consistent policy
• Policy follows identity
Group-based policy. Policy follows identity. Completely automated.
[Figure: drag policy to apply across users, devices and apps; Employee, IoT and Guest virtual networks, each containing groups (Group 1 to Group 6)]
‘Shadow’ Internet of Things Coming to Every Business
Software Defined Access (SD-Access): Bringing Everything Together
• Controller-based management (DNA Center)
• Programmable overlay
• Simplified L3 underlay
SD-Access Fabric Architecture: Roles and Terminology
DNA Controller – Enterprise SDN controller (DNA Center, with APIC-EM and NDP) that provides GUI management abstraction via multiple service apps, which share information
Group Repository – External ID services (e.g. ISE / AD) are leveraged for dynamic user or device to group mapping and policy definition
Control-Plane (CP) Node – Map system that manages endpoint ID to location relationships. Also known as Host Tracking DB (HTDB)
Border Nodes – A fabric device (e.g. core) that connects external L3 network(s) to the SDA fabric
Edge Nodes – A fabric device (e.g. access or distribution) that connects wired endpoints to the SDA fabric
Intermediate Nodes – Underlay devices between edge and border nodes
Fabric Wireless Controller – Wireless controller (WLC) that is fabric-enabled and participates in the LISP control plane
Fabric Mode APs – Access points that are fabric-enabled; wireless traffic is VXLAN encapsulated at the AP
[Figure: SD-Access fabric with DHCP, ISE / AD (group repository), DNA Center, fabric border (B), control-plane nodes (C), fabric edge nodes, fabric mode WLC and APs, intermediate nodes (underlay)]
SD-Access Support: A single fabric for your digital ready network
Wireless: AIR-CT5520, AIR-CT8540, AIR-CT3504, Wave 2 APs (1800, 2800, 3800), Wave 1 APs* (1700, 2700, 3700)
Switching: Catalyst 9400, Catalyst 9300, Catalyst 9500, Catalyst 4500E, Catalyst 6K, Nexus 7700, Catalyst 3850 and 3650
Subtended: Catalyst Digital Building, Catalyst 3560-CX, IE Switches** (2K/3K/4K/5K)
Routing: ASR-1000-X, ASR-1000-HX, ISR 4430, ISR 4450, ENCS 5400**, ISR 4351**, ISR 4331**, CSRv
Several platforms are marked NEW on the slide.
* with caveats
** future
Cisco Catalyst 9000 platform transitions
Catalyst 9000 Series: Cisco® Catalyst® 9400, Cisco Catalyst 9300, Cisco Catalyst 9500
Transitioning from: Cisco Catalyst 3850 Copper, Cisco Catalyst 4500-E, Cisco Catalyst 4500X, Cisco Catalyst 3850 Fiber 48 Port (access switching and backbone switching)
C9K differentiators vs C3K and C4K:
• App hosting (PerfSonar, Wireshark)
• Patching
• Increased SD-Access scale
• ETA (encrypted traffic analytics)
• High density mGig
• High density 40/100G for fixed aggregation
• Support for SDA extension (IE, Compact and CDB)
• 256-bit MACsec
Trustworthy Systems
Technology: Secure Boot of signed images, Trust Anchor technologies
Certifications: FIPS / USGv6, ISO 27034, DoD APL
Process, Policy, People: Secure Development Lifecycle
Network Visibility and Enforcement (NVE)
Provide the visibility, control, and automation you need to enable better security
Dynamic control & enforcement: enforce consistent policy and access and centralize control
360° visibility: real-time analysis of data and traffic, including encrypted, for visibility & intelligence across the network
Intent-based networking: integrated networking solutions that enhance capabilities & automate processes
Digital Network Architecture: Network Enforcement (ISE), Network Visibility (Stealthwatch)
Enhanced Network as a Sensor
Secure and manage your digital network in real time, all the time, everywhere
Covers encrypted traffic and non-encrypted traffic
Industry's first network with the ability to find threats in encrypted traffic | Avoid, stop, or mitigate threats faster than ever before | Real-time flow analysis for better visibility
Encrypted Traffic Analytics: Visibility and Malware Detection without Decryption
Detect malware in encrypted traffic: ETA algorithms analyze multiple network data sources
Quickly quarantine threats: automatically quarantine threats using ISE and SDA
Cryptographic compliance:
• Audit for TLS policy violations
• Passive detection of ciphersuite vulnerabilities
Malware detection using cognitive analytics
• Initial Data Packet
• Sequence of Packet Lengths and Times
• Global Risk Map
All three elements reinforce each other inside the cognitive analytics engine that uses them.
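A constructed illustration of the passive checks the two ETA slides above describe, added here and not Cisco's ETA code: it parses the TLS ClientHello carried in a flow's initial data packet, flags the offered protocol version and cipher suites against an assumed policy (WEAK_SUITES and MIN_VERSION are assumptions, not Cisco's policy), and derives the sequence of packet lengths and times feature from a constructed flow, all without decrypting anything.

```python
import struct  # added example, not Cisco code; all sample data is constructed

# Assumed policy: suites and minimum version a TLS policy audit should flag.
WEAK_SUITES = {0x0005: "TLS_RSA_WITH_RC4_128_SHA",
               0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
               0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}  # no forward secrecy
MIN_VERSION = 0x0303  # TLS 1.2

def build_client_hello(version, suites):
    """Construct a minimal TLS ClientHello record (no extensions) for testing."""
    hs = (struct.pack("!H", version) + bytes(32) + b"\x00"  # version, random, empty session id
          + struct.pack("!H", 2 * len(suites))
          + b"".join(struct.pack("!H", s) for s in suites) + b"\x01\x00")  # null compression
    body = b"\x01" + len(hs).to_bytes(3, "big") + hs  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(body)) + body  # record type 22 = handshake

def parse_client_hello(record):
    """Return client version and offered cipher suites from a ClientHello record."""
    ctype, _, rlen = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rlen]
    if ctype != 22 or body[0] != 1:
        raise ValueError("not a TLS ClientHello")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = struct.unpack("!H", hs[:2])[0]
    pos = 2 + 32            # skip client random
    pos += 1 + hs[pos]      # skip session id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"version": version, "suites": suites}

def audit_client_hello(record):
    """Policy violations visible in the initial data packet; nothing is decrypted."""
    info = parse_client_hello(record)
    findings = ["version 0x%04x below policy" % info["version"]] if info["version"] < MIN_VERSION else []
    findings += [WEAK_SUITES[s] for s in info["suites"] if s in WEAK_SUITES]
    return findings

# Constructed flow: (direction, seconds since flow start, payload bytes).
SAMPLE_FLOW = [("c2s", 0.000, 517), ("s2c", 0.012, 1460), ("s2c", 0.013, 1460),
               ("s2c", 0.013, 902), ("c2s", 0.015, 126), ("c2s", 0.016, 268)]

def splt(packets, n=10):
    """SPLT feature: signed length (client->server positive) and inter-arrival time of the first n packets."""
    out, prev = [], packets[0][1]
    for direction, t, length in packets[:n]:
        out.append((length if direction == "c2s" else -length, round(t - prev, 3)))
        prev = t
    return out
```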
The Cisco Catalyst 9000 Series enables enhanced network as a sensor with ETA
Rapidly mitigate malware and vulnerabilities in encrypted traffic
Components: Encrypted Traffic Analytics, Stealthwatch® (machine learning with enhanced behavior analytics, globally correlated threat intel), pxGrid, ISE (mitigation)
• Industry's most pervasively deployable solution for Encrypted Traffic Analytics
• Complements other encrypted traffic management solutions
Network telemetry based (no decryption) | Line-rate performance | Investment optimization | Simplified management
Viptela is now Cisco SD-WAN
• True enterprise class: scale, brownfield, extensible architectures
• Viptela fabric – NG overlay: SD-WAN, network-as-a-service, IoT, cloud
• Flexible model: physical/virtual, cloud/on-premise, SW consumption
• Cloud native architecture: IaaS/SaaS, hosted, delivered, managed
Cisco SD-WAN Architecture
Orchestration plane: vBond (vOrchestrator)
Management plane (multi-tenant or dedicated): vManage
Control plane (containers or VMs): vSmart
Data plane (physical or virtual): vEdge at the data center, campus, branch and home office, over 4G, Internet and MPLS transports
API access; functions: control, analytics, orchestration, management
Variety of Deployment Models
[Figure: three topologies between Site A and Site B over Internet and MPLS, each forming a secure virtual fabric with secure tunnels: Side-by-Side (existing routers plus vEdge at each site), Hybrid With Fallback (existing routers plus vEdge at each site), Full SDWAN (vEdge only at each site)]
Simplified Management
Single pane of glass | Rich analytics & monitoring
Power tools: REST, NETCONF, Syslog, Flow Export, SNMP, CLI, Linux shell
Thank you!
Event supported by