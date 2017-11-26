
Gain Insight and Programmability with Cisco DC Networking

  1. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco DC Networking: Improved Insight and Programmability. Robert Zalobinski, Technical Solutions Architect; Nadir Lakhani, Technical Solutions Architect. Cisco Connect Montreal, November 28, 2017. Your Time Is Now
  2. C97-739634-00. Cisco Confidential. Pillars of Cisco’s Data Center Strategy: Hardware innovation, Application aware, Multicloud First, Capture Intent
  3. Cisco Data Center Use Cases: Multicloud Mobility Security Modernize Infra. • Threat Intel • Multi-layer • Compliance • Performance • Security • Scale Analytics • Infra. • Apps. • Ops. Automation • Ops • Provision • Maint. • Benchmark • Policy • Blueprints
  4. Nexus Switching
  5. Portfolio at a Glance: Nexus 7700 Series, Nexus 7000 Series, Nexus F and M Series Line Cards, Nexus 3200 Series, Nexus 3100 Series, Nexus 3600 R Series, Nexus 5600 Series, Nexus 2300 Series, Nexus 9500 Series, Nexus 97xx Series Line Cards, Nexus 96xx-R Series Line Cards, Nexus 9300 Series, Nexus 9200 Series. Nexus 7000 Series Modular, Nexus 3000 Series Fixed, Nexus 5000 and 2000 Series Fixed, Nexus 9000 Series Modular, Nexus 9000 Series Fixed
  6. Areas of Investment
     • CloudScale ASICs (Nexus 9000 CloudScale), General Data Center Design: High Speed Fabrics (ACI, NX-OS); VXLAN, Segment Routing
     • Broadcom Jericho (Nexus 9000 Jericho), Financials and Collapsed Core/Edge: Financial Multicast (UDP); VXLAN, Segment Routing, MPLS; Large Routing Tables and WAN buffer requirements
     • Cisco Custom ASICs (Nexus 7000 Series), General Data Center Design: Data Center Interconnect; DC and Campus Core; Cross Domain Policy Integration
     • Broadcom T2+/T3/TH/TH2/Jericho (Nexus 3000 Series), Merchant Silicon Alternative: Fabric Designs (customers specifically looking for BCOM based SOC); Specific Use Cases (ULL, Data Path Programmability)
  7. EX and FX Series Cloud Scale Switches (Nexus 9200/9300, Nexus 9500)
     • EX Cloud Scale: ACI and NX-OS; 10/25/40/100G; Tetration Hardware Sensor; Support for N2000 (FEX)
     • FX Cloud Scale Enhancement: Line rate Encryption; UP (25GbE and 32G FC); 25G RS FEC
  8. Nexus 9000 Cloud Scale: Fabric Foundation with 2 Year Innovation Advantage (Nexus 9200/9300, Nexus 9500). Nexus 9000 Cloud Scale Innovations: Integrated line rate flow capture; Streaming analytics export off chip; Integrated line rate encryption; Smart Buffering; Multi-speed ports; 64p 100G line rate routing in single chip; Unified ports—10/25GbE and 8/16/32G FC
  9. Nexus 9000 Cloud Scale: Addressing Customer Cloud Asks (Nexus 9200/9300, Nexus 9500). Visibility and telemetry at line rate; Encryption at line rate; Fastest available: 10/25/50/100G; The right price point/50% lower system cost; Multi-speed—upgrade when needed/minimize disruption; Dynamic Fabric Performance Optimization for Cloud Applications; Better reliability
  10. Nexus 9300 Portfolio (Modular Uplink, Integrated Uplink; 1G, 10GT, 10/25G, 40/50G). Gen 1 (2 ASICs): 48x10GT+12x40G (Nexus 9396TX); 48x10G+12x40G (Nexus 9396PX); 96x10G+8x40G (Nexus 93128TX); 32x40G (Nexus 9332Q); 48x10GT+6x40G (Nexus 9372TX(E)); 48x10G+6x40G (Nexus 9372PX(E)); 96x10G+6x40G (Nexus 93120TX). Gen 2, CloudScale (1 ASIC): 48x25G+6x100G (Nexus 93180YC-EX); 48x10GT+6x100G (Nexus 93108TC-EX); 28p 40/50G+4p 100G (Nexus 93180LC-EX); 48x25G+6x100G (Nexus 93180YC-FX) (Q2CY17); 48x1GT+4x10/25G+2p 100G (Nexus 9348GC-FXP); 48x10GT+6x100G (Nexus 93108TC-FX)
  11. Innovations in Cisco NX-OS. Programmable Fabric: VXLAN EVPN multi-site solution; VXLAN OAM, Tenant Multicast; Segment Routing L3 EVPN; DCNM Integration. Visibility/Analytics: Tetration Integration; NX SW and HW Streaming Telemetry; Netflow-v9. Security: Secured Access; Encryption (MacSec and CloudSec). High Availability: Enhanced ISSU. Automation: DCNM Nexus Configuration Mgmt; Modules (Puppet/Chef/Ansible); Industry Standard Data Models (OpenConfig / IETF YANG). Infrastructure: NX-SDK; Intelligent Services, PMN; FCOE FC UP on FX Platforms
  12. Cisco ACI: Path to Agility in an App-Centric World
  13. Cisco ACI: Industry Leader. Ecosystem Partners, Data Center Switching Growth, ACI Customers, ACI Attach Rate on N9K, Ecosystem Partners: 6% Y/Y Q4, 50+%, 4,000+, 65+
  14. ACI Benefits: Any workload (Physical, Virtual, Containers); Open Programmability (Conducive for Automation/Orchestration); Policy Driven (Eliminates Network Dependencies); Optimal DC Network (Eliminates L2 Spanning-Tree Protocol, L3 Fabric, Integrated VXLAN Overlay, Distributed L3 GW); VMM Integration (vCenter, HyperV, Openstack, Kubernetes); Single Point of Configuration (APIC Controller); Secure (White-list Model); Next-Gen DC Fabric (Spine / Leaf); Network Services Integration (Network Policy, Service Policy, Service Manager)
  15. ACI Anywhere: Any Workload, Any Location, Any Cloud. Remote PoD, Multi-Pod / Multi-Site, Hybrid Cloud Extension. IP WAN, Remote Location, Public Cloud, On Premise. Security Everywhere, Policy Everywhere, Analytics Everywhere
  16. What’s New in ACI 3.0? Hardware, Security, Scale, Usability, Fabric Extension. Policy-Driven Infrastructure
     • Fabric Management: Multi-Site; Refreshed APIC GUI; Graceful Insertion and Removal; QinQ to EPG Mapping; TCAM Tile Infra; Latency and Precision Time Protocol
     • Infrastructure: Nexus 9364C (Fixed Spine); Nexus 9348GC-FXP (1G ToR); N9K-X9736C-FX (Spine LC); Ingress QoS Policing per EPG
     • Virtualization: Kubernetes Support; VMM: Delayed EP detach/attach for DVS and AVS; AVS: QoS Marking
     • Security: Micro-segmentation Enhancements; 802.1X – End Point Authentication; 2 Factor Authentication; First Hop Security
  17. ACI Software Enablement, Nexus 9000 Platforms. Nexus Foundation: CloudScale Platforms (Nexus 9300, Nexus 9500, Nexus 9000). ACI 3.0: Nexus 9364C – Fixed Spine, 64p 40/100G QSFP. ACI 3.0: Nexus 9736C-FX, 36p 40/100G Line Card (4/8/16 slot). ACI 3.1: N9K-C9516-FM-E2 Fabric Module with 100G (16 slot). ACI 2.2(2): Nexus 93180YC-FX, 48p 10/25G SFP + 6p 40/100G QSFP. ACI 2.2(2): Nexus 93180TC-FX, 48p 1/10GT + 6p 40/100G QSFP. ACI 3.0: Nexus 9348GC-FXP, 48p 100M/1G Base-T, 4p 10/25G SFP+
  18. ACI Multisite Extends Network Virtualization, Policy & Services to Multiple Fabrics. Inter-Site IP Network, Site A, Site B, Multi-Site Appliance. Geographically Dispersed Active/Active Data Centers; Active/Standby Data Centers For Disaster Recovery; Stretch VRF, EPG, BD Across Sites with VXLAN; Up to 500ms to 1 sec Latency
  19. First Step Towards Intuitive APIC GUI
     • Usability: New Look and Feel across Applications; Consistent Layout across Tabs; Collaborate by Sharing Objects; Simplified Topology Views; Release Bulletin; Troubleshooting; User Profiles; Alerts
     • Operations: Personalized User Profile; Dashboard Widgets; Improved Health Score and Fault Counts
     • Configuration: Best of both Basic and Advanced UI; Simplified Port Selectors; Workflows simplified; New APIC Postman App
  20. Graceful Insertion and Removal (GIR): 1. Gracefully isolate the node from fabric; 2. Troubleshoot (if required); 3. Re-commission the node. L2/L3 GIR diverts the data traffic to alternate paths and allows node troubleshooting, maintenance and upgrade.
  21. Cisco ACI Virtual Edge (AVE): Decoupled From Hypervisor Kernel API Dependencies. Maintain Existing Operational Models; Simple Transition/Migration AVS => AVE; Policy Consistency Across Multiple Hypervisors; AVS/AVE Feature Parity. Legacy AVS (Today): Hypervisor Dependent. Cisco AVE (Q1 CY18 / Q2 FY18): Native vSwitch, Hypervisor Agnostic. VM Switching + Policy Enforcement; Policy Enforcement, Services, Telemetry; User Space / Kernel; Future
  22. Future ACI Infrastructure: Extend ACI Policy to Satellite Data Centers. Options: 1. Remote Physical Leaf (Nexus 9K), ACI 3.1: Q1 CY 2018; 2. Remote Pod (Virtual) (Futures). On Premise, IP Network L2 / L3, Remote Data Center: Nexus 9K Physical Leaf; Remote PoD Virtual (Spine + Leaf), AVE
  23. ACI Infrastructure Enhancements (Connectivity, Usability, Maintenance, Operations): Integration of Clustered Network Services; IEEE 1588 and Latency (ACI 3.0); TCAM Profiles (ACI 2.3 and ACI 3.0); Maintenance Mode (ACI 3.0); Software Maintenance Update (SMU) Patching Support; Mixed OS (ACI 2.3); EPG Contract Inheritance (ACI 2.3); New APIC GUI with Simplified Workflows (ACI 3.0); vSphere Tags (ACI 2.3); 100G Front Panel Port Support: 93180LC-EX (ACI 2.3); Breakout (93180LC-EX) (ACI 3.1); Flexible Port Configuration for Uplink/Downlink QSA (9364c) (ACI 3.1)
  24. ACI: Cloud Automation. Virtualization and Orchestration: Deploy Tenant, Deploy App, Deploy Firewall; vSphere 6.5, Tags (ACI 2.3); vCenter Plugin (RBAC) (ACI 3.0); NG-Application Virtual Switch; AzurePack – VPN Termination (ASA, ASR 1K); AzureStack; Newton Support, IPv6 (ACI 2.3); Bare-Metal Provisioning (Ironic); Ocata Support; Cloud Automation; Unified Networking (ACI 3.0): Integration of Kubernetes network policies and ACI policies; Visibility
  25. ACI Security: Automated Security with Built In Multi-Tenancy. Q4 CY 2018. Micro-Segmentation: DNS EPG, AD Based EPG (ACI 3.1). ACI 3.0: Contracts Inheritance, Intra-EPG Contracts. Q4 CY 2017. Certifications: FIPs and UC-APL Certified, Common Criteria (in progress). ACI 3.1: MACSEC Encryption, APIC Centralized Key Management. ACI 2.3: ACI-TrustSec Integration, Higher Scale (15K). ACI 3.0: First Hop Security: IP Source Guard, DHCP Guard, DHCP Snooping, etc.
  26. Scale Improvements. FEX: Up to 650 / Fabric, Up to 20 / Leaf. Leafs: Up to 400 Per Fabric; 8 Border Leafs per L3 Out. Multicast Groups: Up to 8,000 (S,G) routes with Convergence of 5 seconds. Bridge Domains: Up to 21,000 (L2), 15,000 (L3); Up to 1750 Bridge Domains/VRF; 3967 VLANs per leaf; 3967 VLANs + BDs. EPGs: Up to 15000; Up to 1k L3 EPGs/EX-Leaf; 4k L3 EPGs for one tenant & one context; 250 Isolated EPGs. Other: Up to 200 vCenters; Up to 2,000 Contracts; Up to 61k TCAM Rules; 500 Service Graphs Per Cluster; Up to 12 Pods in Multi-Pod. Tenants: Up to 3000. Layer-3: 50 VRFs Per Tenant, 1k IPs/MAC
  27. ACI/NX-OS L4-7 Integrations: Interoperate and Extend. Automation, Security Enforcement, Security Management, ADC
  28. Rich Ecosystem with Cisco ACI and NX-OS: Cloud Orchestration and ITSM; Cloud Automation and PaaS; Monitoring; NX-OS
  29. Cisco ACI: App Center. Programmable Infrastructure: Open APIs For Value Added Applications. Visually monitor externally routed interface states and next hop add/delete. Monitoring and Troubleshooting; Analytics; Auto Provision ACI network by simply importing Tetration ADM; Auto Provisioning; cTrac; Fault Analytics; Tetration; Intuitively analyze historical fault metrics and audit logs with variety of filters; Infoblox v2.0; Connectors and Integrators; Ecosystem; Sample Apps; Improved UI with robust syncing. Configure and provision new DHCP ranges from the App
  30. Cisco Tetration Analytics: Get to a Secure Zero-Trust Model in an Application-Centric World
  31. Security Challenges in Modern Data Centers. Applications Are Driving Modern Datacenter Infrastructure: Rapid App Deployment, Continuous Development, Application Mobility, Micro Services. Securing Applications Has Become Complex: Policy Enforcement, Heterogeneous Network, Secure Zero-Trust, Policy Compliance
  32. Holistic Approach to Server Protection. Dynamic and heterogeneous environment. Traffic visibility, server process baseline, and analytics. Policy that enables application segmentation. Segmentation. Application control using whitelists. Advanced behavior analysis. Break organizational silos
  33. Cisco Tetration Analytics Use Cases (Operations, Security): Visibility and forensics; Application insight; Policy; Neighborhood graphs; Application segmentation; Compliance; Policy simulation; Process inventory
  34. Cisco Tetration Analytics Architecture Overview. Data collection layer: Software sensor and enforcement; Embedded network sensors (telemetry only); ERSPAN sensors (telemetry only); Third-party sources (configuration data); Bring your own data (streaming telemetry). Analytics engine. Access mechanism: Web GUI; REST API; Event notification; Cisco Tetration apps
  35. Cisco Tetration Analytics Data Sources
     • Main features: ✓ Low CPU overhead (SLA enforced) ✓ Low network overhead ✓ New Enforcement point (software agents) ✓ Highly secure (code signed and authenticated) ✓ Every flow (no sampling) and no payload
     • Software sensors: Universal* (basic sensor for other OS); Linux servers (virtual machine and bare metal); Windows servers (virtual machines and bare metal); Windows Desktop VM (virtual desktop infrastructure only). *Note: No per-packet telemetry; not an enforcement point
     • Network sensors: Cisco Nexus 9300 EX; Cisco Nexus 9300 FX; Next-generation Cisco Nexus® Series Switches
     • Third-party data sources: Asset tagging; Load balancers; IP address management; CMDB … (Available today)
  36. Cisco Tetration telemetry: ERSPAN option. Expanded telemetry collection option: augment telemetry from other parts of the network; useful when software sensor or hardware sensor is not feasible
     • Dedicated virtual machines on each host with 4 software sensors in each virtual machine
     • Each sensor binds to a separate vNIC
     • ERSPAN terminates on the virtual machine vNIC
     • Each sensor terminates one ERSPAN session
     • Sensor generates telemetry based on the data-plane traffic
     • Horizontally scalable
     Diagram labels: Layer 3 connection, ERSPAN, Layer 3 switch, Cisco Tetration™ telemetry, Cisco Tetration™ Platform, Production network
  37. Application Dependency and Cluster Grouping. Bare-metal, VM, and switch telemetry; Cisco Tetration Analytics™ platform; Unsupervised machine learning; Behavior analysis. On-premises and cloud workloads (AWS): Bare-metal and VM telemetry; VM telemetry (AMI …). Bare metal and VM; Brownfield; Network-only sensors, host-only sensors, or both (preferred); Cisco Nexus® 9000 Series
  38. Application Conversation View: Application clusters conversation views; Policy details
  39. Whitelist Policy Recommendation. Application discovery leads to a whitelist policy recommendation (available in JSON, XML, and YAML): { "src_name": "App", "dst_name": "Web", "whitelist": [ { "port": [0, 0], "proto": 1, "action": "ALLOW" }, { "port": [80, 80], "proto": 6, "action": "ALLOW" }, { "port": [443, 443], "proto": 6, "action": "ALLOW" } ] }
  40. Compliance, Policy Validation. All Flows are tracked 4 ways:
     • Permitted: bidirectional flows that match the policy
     • Misdropped: permitted traffic where we have dropped a packet
     • Escaped: bidirectional flows that are against the policy
     • Rejected: uni-directional flows that are against the policy
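Slides 39 and 40 together describe a closed loop: a whitelist recommendation in JSON (implicit deny for anything not listed) and a four-way classification of every observed flow against it. The following Python is an added example, not code from the slides or from Cisco Tetration: it parses the slide's own sample recommendation and classifies constructed flow records into the four buckets the slide names. The flow record shape (src/dst cluster, proto, dport, bidirectional, dropped) is an assumption, and flow direction is taken from the initiating side.

```python
import json

# The whitelist recommendation exactly as slide 39 shows it (the page's own sample):
# App -> Web, allowing ICMP (proto 1, no ports), TCP/80 and TCP/443.
# Anything not listed is implicitly denied; that is what makes it a whitelist.
WHITELIST_JSON = """
{ "src_name": "App", "dst_name": "Web",
  "whitelist": [
    { "port": [0, 0],     "proto": 1, "action": "ALLOW" },
    { "port": [80, 80],   "proto": 6, "action": "ALLOW" },
    { "port": [443, 443], "proto": 6, "action": "ALLOW" }
  ] }
"""


def load_whitelist(text):
    """Parse one recommendation into (src, dst, proto, port_lo, port_hi, action) tuples."""
    doc = json.loads(text)
    return [(doc["src_name"], doc["dst_name"], r["proto"],
             r["port"][0], r["port"][1], r["action"])
            for r in doc["whitelist"]]


def policy_allows(rules, src, dst, proto, dport):
    """True if a rule explicitly allows this initiator->responder conversation.
    No matching rule means the whitelist's implicit deny applies."""
    for s, d, p, lo, hi, action in rules:
        if (s, d, p) == (src, dst, proto) and lo <= dport <= hi:
            return action == "ALLOW"
    return False


def classify_flow(rules, flow):
    """Map one observed flow onto the four buckets slide 40 defines."""
    allowed = policy_allows(rules, flow["src"], flow["dst"], flow["proto"], flow["dport"])
    if allowed:
        # Policy says ALLOW, yet the enforcement point dropped packets: misdropped.
        return "misdropped" if flow["dropped"] > 0 else "permitted"
    # Against policy: two-way traffic means it got through (escaped);
    # one-way traffic means the responder never answered (rejected).
    return "escaped" if flow["bidirectional"] else "rejected"


def compliance_report(rules, flows):
    """Count flows per bucket; 'escaped' > 0 is the number a defender looks at first."""
    counts = {"permitted": 0, "misdropped": 0, "escaped": 0, "rejected": 0}
    for f in flows:
        counts[classify_flow(rules, f)] += 1
    return counts


# Constructed flow records (assumed shape; a real export carries many more fields).
SAMPLE_FLOWS = [
    {"src": "App", "dst": "Web", "proto": 6, "dport": 443,  "bidirectional": True,  "dropped": 0},
    {"src": "App", "dst": "Web", "proto": 6, "dport": 80,   "bidirectional": True,  "dropped": 3},
    {"src": "App", "dst": "Web", "proto": 6, "dport": 22,   "bidirectional": True,  "dropped": 0},
    {"src": "App", "dst": "Web", "proto": 6, "dport": 3306, "bidirectional": False, "dropped": 0},
    {"src": "App", "dst": "Web", "proto": 1, "dport": 0,    "bidirectional": True,  "dropped": 0},
    # Reverse direction is a different conversation and is not in the whitelist.
    {"src": "Web", "dst": "App", "proto": 6, "dport": 443,  "bidirectional": True,  "dropped": 0},
]

RULES = load_whitelist(WHITELIST_JSON)

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f["src"], "->", f["dst"], f["proto"], f["dport"], classify_flow(RULES, f))
    print(compliance_report(RULES, SAMPLE_FLOWS))
```

The two interesting buckets are the ones that indicate an enforcement problem rather than a policy decision: "misdropped" (an allowed conversation losing packets) and "escaped" (a forbidden conversation that completed in both directions, so a firewall or agent is not enforcing what the policy says).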
  41. User-Uploaded asset tags
     • Discovered inventory
     • Uploaded inventory and metadata (32 arbitrary tags)
     • Inventory tracked in real time, along with historical trends
     Inputs to the Cisco Tetration Analytics merge operation: user-uploaded tags; Cisco Tetration Analytics™ sensor feed; VMware vCenter (virtual machine attributes); AWS attributes (AWS tags). Output: real-time inventory merged with historical trends
  42. Segmentation Policy: Express Policies in Human Language. "Development can’t talk to production"
     • Cisco Tetration™ knows who is production
     • Cisco Tetration knows who is development
     • Policies are continuously updated as applications change
  43. Cisco Tetration Application Segmentation Policy Recommendation: Cisco Tetration Analytics™, Application workspaces, Application segmentation policy; Public cloud, Private cloud, On-premise
  44. Enforcement of Policy across any floor tile (Azure, Amazon, Google, Cisco ACI™, Public cloud, Traditional network; Virtual, Bare metal). Cisco Tetration Analytics™: 1. Generates unique policy per workload; 2. Pushes policy to all workloads; 3. Workload securely enforces policy; 4. Continuously recomputes policy from identity and classification changes. Enforcement; Compliance monitoring
  45. Policy-Related Notification. Cisco Tetration Analytics™ publishes messages to a Kafka broker for northbound consumers:
     • Alerts every minute for enforcement
     • Policy compliance event notifications
     • Count of policy alerts until whitelisted
     • Alerts when IP tables or firewall is flushed or disabled by user
     • Alerts when enforcement sensor is disabled
     • Publishes policy differences between versions
  46. Rule-Processing Order
     • Application owners need some amount of autonomy to make application-level changes quickly
     • Security and network teams need to control the global aspects of application interconnection and shared services
     • Cisco Tetration™ flattens intent in a deterministic order, prioritizing intent of higher-authority users over intent of application owners
     Order: Security team rules, Network team rules, Application owner rules
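Slide 46 states the ordering property without showing what "flattening intent in a deterministic order" means for a conflicting rule. The following Python is an added example, not Tetration's own implementation: it sorts intents by authority tier (security, then network, then application owner) and within a tier by each team's own sequence, then evaluates a conversation with first-match-wins and implicit deny. The `Rule` fields, the `seq` field and the sample intents are constructed for the example.

```python
from dataclasses import dataclass
import random

# Authority tiers in the order the slide lists them: security first, application owners last.
AUTHORITY = {"security": 0, "network": 1, "application": 2}


@dataclass(frozen=True)
class Rule:
    owner: str      # team that authored the intent: "security", "network" or "application"
    seq: int        # position within that team's own list (constructed field, keeps order stable)
    src: str        # cluster / scope name, or "any"
    dst: str
    proto: int      # IP protocol number; 0 = any
    port_lo: int
    port_hi: int
    action: str     # "ALLOW" or "DENY"


def flatten(rules):
    """Deterministic flattening: authority tier first, then each team's own order.
    The result does not depend on the order in which rules were submitted."""
    return sorted(rules, key=lambda r: (AUTHORITY[r.owner], r.seq))


def matches(rule, src, dst, proto, dport):
    return ((rule.src == "any" or rule.src == src)
            and (rule.dst == "any" or rule.dst == dst)
            and (rule.proto == 0 or rule.proto == proto)
            and rule.port_lo <= dport <= rule.port_hi)


def decide(flat, src, dst, proto, dport):
    """First match in the flattened list wins; no match means implicit deny.
    Returns (action, owner) so an audit trail shows whose intent applied."""
    for r in flat:
        if matches(r, src, dst, proto, dport):
            return r.action, r.owner
    return "DENY", "default"


# Constructed intents from three teams. The application owner's dev->prod ALLOW
# conflicts with the security team's dev->prod DENY; flattening resolves it in
# security's favour regardless of which was submitted first.
INTENTS = [
    Rule("application", 0, "dev", "prod", 6,  8080, 8080,  "ALLOW"),
    Rule("application", 1, "App", "Web",  6,  443,  443,   "ALLOW"),
    Rule("network",     0, "any", "dns",  17, 53,   53,    "ALLOW"),
    Rule("security",    0, "dev", "prod", 0,  0,    65535, "DENY"),
]


def demo():
    flat = flatten(INTENTS)
    return {
        "dev_to_prod_8080": decide(flat, "dev", "prod", 6, 8080),   # security wins
        "app_to_web_443":   decide(flat, "App", "Web", 6, 443),     # app owner's rule, unopposed
        "web_to_dns_53":    decide(flat, "Web", "dns", 17, 53),     # network team's shared service
        "app_to_web_22":    decide(flat, "App", "Web", 6, 22),      # nothing matches: implicit deny
    }


def order_is_stable(rules, trials=20):
    """Re-submit the same intents in random order; the flattened list must not change."""
    reference = flatten(rules)
    shuffled = list(rules)
    for _ in range(trials):
        random.shuffle(shuffled)
        if flatten(shuffled) != reference:
            return False
    return True


if __name__ == "__main__":
    for name, (action, owner) in demo().items():
        print(f"{name}: {action} (by {owner})")
    print("deterministic:", order_is_stable(INTENTS))
```

Returning the owning tier alongside the verdict is the part worth keeping in a real system: when an application owner asks why their ALLOW has no effect, the answer ("shadowed by security rule 0") is already in the decision.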
  47. Cisco Tetration Analytics Open API. Programmatic interface for northbound applications:
     • REST API: Cisco Tetration flow search; Sensor management
     • Push notification: Out-of-the-box events; User-defined events (message publish from the Kafka broker to northbound consumers)
     • Cisco Tetration applications: Access to data lake; Write your own application
  48. Cisco Tetration: Bring your own data. Main features: ✓ Stream any JSON-based telemetry to a data sink ✓ Support up to 10 simultaneous streaming topics ✓ Bring up to 5 GB of data per hour per streaming topic ✓ Analyze and write your results through alerts or UI. Northbound consumers, Data sink, Public Cloud, Streaming JSON telemetry
  49. Cisco Tetration: User authentication. Active Directory integration for authentication (Windows Server Active Directory) for users, application owners and administrators; for example App 1, Role: Enforce; App 2, Role: Execute; App 3, Role: Read only (WordPress, SAP)
     • Authentication: External AAA server integration; Authentication through Kerberos or LDAP; Support for multiple domains; Default to local authentication and authorization, if not configured
     • RBAC capabilities: Local users created automatically when they log in; Administrator maps users to specific roles and scopes for authorization; Administrator can set default role and scope for users without specific roles and scope mapping
  50. Tetration Analytics: Deployment Options
     • Public cloud, Cisco Tetration™ Cloud (Amazon Web Services): Software deployed in AWS; Suitable for deployments of less than 1000 workloads; AWS instance owned by customer
     • On-premises, Cisco Tetration™ Platform (large form factor): Suitable for deployments of more than 5,000 workloads; Built-in redundancy; Scales to up to 25,000 workloads. Includes 36 x Cisco UCS® C220 servers and 3 x Cisco Nexus® 9300 platform switches
     • On-premises, Cisco Tetration-M (small form factor): Suitable for deployments of less than 5,000 workloads. Includes 6 x Cisco UCS C220 servers and 2 x Cisco Nexus 9300 platform switches
  51. Cisco Tetration Analytics Ecosystem: Service visibility; Layer 4-7 services integration; Security orchestration; Service assurance; Insight exchange
  52. In summary: Platform built for scale and flexibility
     • Real time and scalable: Every packet, every flow; Application segmentation for 1000s of applications; Long term data retention
     • Granular policy enforcement: Consistent policy enforcement; Identify policy deviations in near real-time; Support for workload mobility
     • Easy to use: One touch deployment; Self monitoring; Self diagnostics
     • Open: Standard web UI; REST API (pull); Event notification (push); Tetration applications
  53. Cisco Data Center Reference Architecture: Cisco Prime services catalog; Cisco Nexus; Cisco HyperFlex; Cisco UCS; Cisco MDS; Cisco AzureStack; Cisco Tetration Analytics; Cisco Security Portfolio; Cisco CloudCenter; Cisco Turbonomics; AppDynamics; Cisco ACI; Cisco DCNM; Cisco Intersight; Cisco UCS-Director. Layers: IT services consumption (multicloud); Private cloud/PaaS; Integration; DC Infrastructure; Management and automation; Security; Analytics (ACI / Nexus, Tetration)
  54. Thank you.