Forward Networks - Networking Field Day 13 presentation
On November 17th, 2016, Forward Networks conducted its first public unveiling of its Network Assurance platform at Networking Field Day 13. Visit https://www.forwardnetworks.com/ for more details.

Published in: Technology

  1. NETWORKING FIELD DAY 13, November 17th, 2016. David Erickson, PhD, CEO & Co-Founder
  2. AGENDA: An Introduction to Forward Networks; Platform Demo; Use Case: Outage Diagnosis & Resolution; Use Case: Network Auditing; Closed Session
  3. Today’s Networks – Large, Complex, & Heterogeneous. Thousands of devices: Switches, Routers, Load balancers, Firewalls. Millions of rules: IPv4 routes, ACLs, MAC tables, Spanning tree, NAT, VLAN, Multicast, PBR. Dozens of vendors: Cisco, Arista, HPE, Fortinet, Juniper, F5, Palo Alto, Checkpoint
  4. Network Operations – Manual & Error Prone. Manual Operations: Device-by-device management; Limited end-to-end visibility; Hard to debug & test. Inadequate Tooling: Lack of innovation in tooling; Solutions are 20+ years old; Ping, traceroute, SNMP, etc. High Rate of Error: Networks rife with misconfiguration; 80% of outages caused by error¹; 50% due to change config issues². ¹&²
  5. Network Failures & Data Center Outages: Business Impacting; Expensive to Repair; Brand-Damaging
  6. NETWORK ASSURANCE: Reducing the complexity of networks while eliminating the human error, misconfiguration, and policy violations that lead to outages.
  7. THE FORWARD PLATFORM: A NEW APPROACH TO NETWORK OPERATIONS. Unorganized real world data; Own data model of real world; Apps on top using data model; Revolutionary algorithm. SEARCH, VERIFY, API, PREDICT
  8. THE FORWARD PLATFORM: CAPABILITIES OVERVIEW. SEARCH: What is my network’s behavior? Index your network and search your devices and behavior on top of an interactive topology. VERIFY: Is it doing what it should? Validate network correctness and audit your network for compliance & security. PREDICT: Will this change work? Simulate configuration changes to ensure they are correct and secure before rolling into production.
  9. PLATFORM ARCHITECTURE: Customer Network; Forward Applications
  10. PLATFORM DEMO. Brandon Heller, PhD, CTO & Co-Founder
  11. THE FORWARD PLATFORM: CAPABILITIES OVERVIEW. SEARCH, VERIFY, PREDICT
  12. PLATFORM ARCHITECTURE: Customer Network; Forward Applications
  13. What we don’t do: Observed Traffic (Interface Counters; Flow Counters (NetFlow); Sampled Counters (sFlow); Probes (Ping, Traceroute)). What we do: All Potential Traffic (Packet In -> Packet Out (and all details) (for any packet, seen or not))
  14. PLATFORM DEMO
  15. USE CASE: Network Outage and Resolution. Behram Mistree, PhD, Product Engineer
  16. NETWORK [topology diagram: CLIENT SJCCE SEA LAX MIA LGA IAD SERVER (18.10.11.2)]
  17. NETWORK [topology diagram: CLIENT SJCCE SEA LAX MIA LGA IAD SERVER (18.10.11.2)]
  18. ROBUST CONNECTIVITY BETWEEN CLIENT AND SERVER WANTED [topology diagram: CLIENT SJCCE SEA LAX MIA LGA IAD SERVER (18.10.11.2)]
  19. REQUIREMENTS: 1. Traffic should flow from CLIENT to SERVER; 2. Traffic should take multiple paths from CLIENT to SERVER; 3. Traffic should flow on all interfaces in a port channel [topology diagram: CLIENT SJCCE SEA LAX MIA LGA IAD SERVER (18.10.11.2)]
  20. REQUIREMENTS: 1. Traffic should flow from CLIENT to SERVER; 2. Traffic should take multiple paths from CLIENT to SERVER; 3. Traffic should flow on all interfaces in a port channel [topology diagram: CLIENT SJCCE SEA LAX MIA LGA IAD SERVER (18.10.11.2)]
  21. REQUIREMENTS: 1. Traffic should flow from CLIENT to SERVER; 2. Traffic should take multiple paths from CLIENT to SERVER; 3. Traffic should flow on all interfaces in a port channel [topology diagram: CLIENT SJCCE SEA LAX MIA LGA IAD SERVER (18.10.11.2)]
  22. REQUIREMENTS: 1. Traffic should flow from CLIENT to SERVER; 2. Traffic should take multiple paths from CLIENT to SERVER; 3. Traffic should flow on all interfaces in a port channel [topology diagram: CLIENT SJCCE SEA LAX MIA LGA IAD SERVER (18.10.11.2)]
  23. IS YOUR NETWORK WORKING?
  24. IS YOUR NETWORK WORKING? Traditional Approach; FORWARD VERIFY™
  25. TRADITIONAL APPROACH: 1. Traffic should flow from CLIENT to SERVER; 2. Traffic should take multiple paths from CLIENT to SERVER; 3. Traffic should flow on all interfaces in a port channel [topology diagram: CLIENT SJCCE SEA LAX MIA LGA IAD SERVER (18.10.11.2)]
  26. IS YOUR NETWORK WORKING? Traditional Approach; FORWARD VERIFY™. Traffic can flow: ping 18.10.11.2; Multiple paths: show route; Port channels: show lacp interfaces
  27. FORWARD VERIFY™: 1. Traffic should flow from CLIENT to SERVER; 2. Traffic should take multiple paths from CLIENT to SERVER; 3. Traffic should flow on all interfaces in a port channel [topology diagram: CLIENT SJCCE SEA LAX MIA LGA IAD SERVER (18.10.11.2)]
  28. IS YOUR NETWORK WORKING? Traditional Approach; FORWARD VERIFY™. Traffic can flow: ping 18.10.11.2; Multiple paths: show route; Port channels: show lacp interfaces
  29. REQUIREMENTS: 1. Traffic should flow from CLIENT to SERVER; 2. Traffic should take multiple paths from CLIENT to SERVER; 3. Traffic should flow on all interfaces in a port channel [topology diagram: CLIENT SJCCE SEA LAX MIA LGA IAD SERVER (18.10.11.2)]
  30. REPLACE INTERFACE ON LAX [topology diagram: CLIENT SJCCE SEA LAX MIA LGA IAD SERVER (18.10.11.2)]
  31. REPLACE INTERFACE ON LAX: 1. Set ISIS overload bit [topology diagram: CLIENT SJCCE LAX MIA LGA IAD SERVER (18.10.11.2) SEA]
  32. REPLACE INTERFACE ON LAX: 1. Set ISIS overload bit; 2. Replace line card [topology diagram: CLIENT SJCCE LAX MIA LGA IAD SERVER (18.10.11.2) SEA]
  33. REPLACE INTERFACE ON LAX: 1. Set ISIS overload bit; 2. Replace line card; 3. Verify [topology diagram: CLIENT SJCCE LAX MIA LGA IAD SERVER (18.10.11.2) SEA]
  34. VERIFICATION COMPARISON. Traditional Approach: 1. Check port channel up; 2. Ping LAX to SERVER; 3. Ping LAX to CLIENT. FORWARD VERIFY™: 1. Single button press. TRANSIT TRAFFIC DISALLOWED; TRANSIT TRAFFIC DISALLOWED ✔ Fixed
  35. VERIFICATION COMPARISON: Traditional Approach; FORWARD VERIFY™. Latent misconfiguration [two topology diagrams: CLIENT SJCCE SEA LAX MIA LGA IAD SERVER (18.10.11.2)]
  36. VERIFICATION COMPARISON: Traditional Approach; FORWARD VERIFY™. Latent misconfiguration [two topology diagrams: CLIENT SJCCE SEA LAX MIA LGA IAD SERVER (18.10.11.2)]
  37. VERIFICATION COMPARISON: Traditional Approach; FORWARD VERIFY™. Latent misconfiguration [two topology diagrams: CLIENT SJCCE SEA LAX MIA LGA IAD SERVER (18.10.11.2)]
  38. FORWARD VERIFY™. PREVENTS OUTAGES: Instantly see failing checks during service window; Fix network issues as soon as they appear. SIMPLIFIES DIAGNOSIS: Using historical snapshots, we could reconstruct where traffic was going, what had changed, and why
  39. USE CASE: Network Audit. Behram Mistree, PhD, Product Engineer
  40. FORWARD’S MISSION: We want to help you build networks that work and that you can trust because you’ve verified them. FORWARD VERIFY™ PREDEFINED CHECKS
  41. AUDITING WITH PREDEFINED CHECKS LEADS TO SAFER NETWORKS
  42. AUDITING WITH PREDEFINED CHECKS LEADS TO SAFER NETWORKS: CLASSIC DC; SPINE LEAF
  43. CLASSIC DC [diagram: “UPTIME BANK” SERVERS; layers Peer, Core, Aggregation, Access]
  44. CVE-2016-7810XXX. CVE-ID: CVE-2016-7810XXX; DATE: 20161117; REFERENCES: http://example.com; DESCRIPTION:
  45. CVE-2016-7810XXX. CVE-ID: CVE-2016-7810XXX; DATE: 20161117; REFERENCES: http://example.com; DESCRIPTION: Your switch has a massive security vulnerability
  46. CLASSIC DC [diagram: “UPTIME BANK” SERVERS; layers Peer, Core, Aggregation, Access]. Both need upgrade
  47. CLASSIC DC [diagram: “UPTIME BANK” SERVERS; layers Peer, Core, Aggregation, Access; devices AGG-1-0, AGG-1-1, ACC-1-1; VRRP]
  48. LIVE DEMO
  49. WHAT’S HAPPENING [diagram: “UPTIME BANK” SERVERS; AGG-1-0, AGG-1-1, ACC-1-1; VRRP]. Guesswork starts: Server Down? Interfaces Down? Spanning Tree? IGP Issues? Peering Issue? Application Down? “I don’t know!”
  50. AUDITING WITH PREDEFINED CHECKS LEADS TO SAFER NETWORKS: CLASSIC DC; SPINE LEAF
  51. SPINE LEAF [diagram: layers Peer, Border, Spine, Leaf; devices SPINE-1, LEAF-1, SPINE-0]
  52. SPINE LEAF [diagram: “UPTIME BANK” SERVERS; layers Peer, Border, Spine, Leaf; devices SPINE-1, LEAF-1, SPINE-0]
  53. SPINE LEAF [diagram: “UPTIME BANK” SERVERS; layers Peer, Border, Spine, Leaf]. Needs reboot to install firmware
  54. AUDITING WITH PREDEFINED CHECKS LEADS TO SAFER NETWORKS
      Check | TODAY | FORWARD VERIFY™
      VLAN Consistency | ✘ outage | ✔ prevents outage
      MTU Consistency | ✘ outage | ✔ prevents outage
      Duplex Consistency | ✘ outage | ✔ prevents outage
      Link Speed Consistency | ✘ outage | ✔ prevents outage
      No Forwarding Loop | ✘ outage | ✔ prevents outage
      Port Channel Consistency | ✘ outage | ✔ prevents outage
      Shortest Path | ✘ outage | ✔ prevents outage
      Trunk Whitelist | ✘ outage | ✔ prevents outage
      IP Address Uniqueness | ✘ outage | ✔ prevents outage
      VLAN Existence | ✘ outage | ✔ prevents outage
  55. I WILL NEVER TRUST A NETWORK … There is no such thing as a network that works, just a network that hasn’t broken yet
  56. www.forwardnetworks.com @fwdnetworks
