On November 17th, 2016, Forward Networks conducted its first public unveiling of its Network Assurance platform at Networking Field Day 13. Visit https://www.forwardnetworks.com/ for more details.
2. AGENDA
+ An Introduction to Forward Networks
+ Platform Demo
+ Use Case: Outage Diagnosis & Resolution
+ Use Case: Network Auditing
+ Closed Session
3. Today’s Networks – Large, Complex, & Heterogeneous
Thousands of devices
+ Switches
+ Routers
+ Load balancers
+ Firewalls
Millions of rules
+ IPv4 routes
+ ACLs
+ MAC tables
+ Spanning tree
+ NAT
+ VLAN
+ Multicast
+ PBR
Dozens of vendors
+ Cisco
+ Arista
+ HPE
+ Fortinet
+ Juniper
+ F5
+ Palo Alto
+ Checkpoint
4. Network Operations – Manual & Error Prone
Manual Operations
+ Device-by-device management
+ Limited end-to-end visibility
+ Hard to debug & test
Inadequate Tooling
+ Lack of innovation in tooling
+ Solutions are 20+ years old
+ Ping, traceroute, SNMP, etc.
High Rate of Error
+ Networks rife with misconfiguration
+ 80% of outages caused by error [1]
+ 50% due to change config issues [2]
[1] & [2]
6. NETWORK ASSURANCE
Reducing the complexity of networks while eliminating the human error, misconfiguration, and policy violations that lead to outages.
7. THE FORWARD PLATFORM: A NEW APPROACH TO NETWORK OPERATIONS
+ Unorganized real world data
+ Own data model of real world
+ Apps on top using data model
+ Revolutionary algorithm
SEARCH | VERIFY | API | PREDICT
8. THE FORWARD PLATFORM: CAPABILITIES OVERVIEW
SEARCH: What is my network’s behavior?
+ Index your network and search your devices and behavior on top of an interactive topology
VERIFY: Is it doing what it should?
+ Validate network correctness and audit your network for compliance & security
PREDICT: Will this change work?
+ Simulate configuration changes to ensure they are correct and secure before rolling into production
13. What we don’t do: Observed Traffic
- Interface Counters
- Flow Counters (NetFlow)
- Sampled Counters (sFlow)
- Probes (Ping, Traceroute)
What we do: All Potential Traffic
+ Packet In -> Packet Out (and all details) (for any packet, seen or not)
19. REQUIREMENTS
1. Traffic should flow from CLIENT to SERVER
2. Traffic should take multiple paths from CLIENT to SERVER
3. Traffic should flow on all interfaces in a port channel
[Topology diagram: CLIENT, SJCCE, SEA, LAX, MIA, LGA, IAD, SERVER (18.10.11.2)]
25. TRADITIONAL APPROACH
1. Traffic should flow from CLIENT to SERVER
2. Traffic should take multiple paths from CLIENT to SERVER
3. Traffic should flow on all interfaces in a port channel
[Topology diagram: CLIENT, SJCCE, SEA, LAX, MIA, LGA, IAD, SERVER (18.10.11.2)]
27. FORWARD VERIFY™
1. Traffic should flow from CLIENT to SERVER
2. Traffic should take multiple paths from CLIENT to SERVER
3. Traffic should flow on all interfaces in a port channel
[Topology diagram: CLIENT, SJCCE, SEA, LAX, MIA, LGA, IAD, SERVER (18.10.11.2)]
34. REPLACE INTERFACE ON LAX
1. Set ISIS overload bit
2. Replace line card
3. Verify
[Topology diagram: CLIENT, SJCCE, SEA, LAX, MIA, LGA, IAD, SERVER (18.10.11.2)]
35. VERIFICATION COMPARISON
Traditional Approach
1. Check port channel up
2. Ping LAX to SERVER
3. Ping LAX to CLIENT
TRANSIT TRAFFIC DISALLOWED
FORWARD VERIFY™
1. Single button press
TRANSIT TRAFFIC DISALLOWED
✔ Fixed
36. VERIFICATION COMPARISON
Traditional Approach
FORWARD VERIFY™
Latent misconfiguration
[Two topology diagrams, each showing: CLIENT, SJCCE, SEA, LAX, MIA, LGA, IAD, SERVER (18.10.11.2)]
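An added example, not part of the original deck and not Forward Networks' code: a minimal Python model of the verification comparison, assuming the latent misconfiguration is the IS-IS overload bit still set on LAX after the maintenance. It contrasts the pings sourced from LAX with requirements 1 and 2 evaluated over all potential paths. Assumptions: site names come from the slides (SJC is an assumed reading of the diagram label), the links between them are constructed, all loop-free paths are enumerated rather than IS-IS shortest paths, and requirement 3 (port channel members) is not modelled.

```python
# Constructed topology: site names are from the slides, the links are assumed.
LINKS = [("CLIENT", "SJC"), ("SJC", "SEA"), ("SJC", "LAX"), ("SEA", "LGA"),
         ("LAX", "MIA"), ("LGA", "IAD"), ("MIA", "IAD"), ("IAD", "SERVER")]


def neighbors(node):
    """Nodes directly linked to `node` in the constructed topology."""
    return [b if a == node else a for a, b in LINKS if node in (a, b)]


def simple_paths(src, dst, overloaded=frozenset(), path=None):
    """All loop-free paths src -> dst. A router with the IS-IS overload bit set
    can originate or terminate traffic but is never used as a transit hop."""
    path = (path or []) + [src]
    if src == dst:
        return [path]
    found = []
    for nxt in neighbors(src):
        if nxt in path:
            continue  # no loops
        if nxt in overloaded and nxt != dst:
            continue  # transit through an overloaded router is disallowed
        found += simple_paths(nxt, dst, overloaded, path)
    return found


def probe_checks(overloaded):
    """Traditional approach: pings sourced from the router that was serviced."""
    return {
        "ping LAX -> SERVER": bool(simple_paths("LAX", "SERVER", overloaded)),
        "ping LAX -> CLIENT": bool(simple_paths("LAX", "CLIENT", overloaded)),
    }


def requirement_checks(overloaded):
    """Requirements 1 and 2 evaluated over every potential path in the model."""
    paths = simple_paths("CLIENT", "SERVER", overloaded)
    return {
        "1. CLIENT reaches SERVER": len(paths) >= 1,
        "2. multiple paths CLIENT -> SERVER": len(paths) >= 2,
    }


if __name__ == "__main__":
    for label, state in (("overload bit cleared", frozenset()),
                         ("overload bit left set on LAX", frozenset({"LAX"}))):
        print(label, probe_checks(state), requirement_checks(state))
```

With the overload bit left set, both pings and requirement 1 still pass; only the multiple-path requirement fails, which is why probes sourced from LAX cannot reveal the lost redundancy.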
39. FORWARD VERIFY™
PREVENTS OUTAGES
+ Instantly see failing checks during service window
+ Fix network issues as soon as they appear
SIMPLIFIES DIAGNOSIS
+ Using historical snapshots, we could reconstruct where traffic was going, what had changed, and why
41. FORWARD’S MISSION
We want to help you build networks that work and that you can trust because you’ve verified them
FORWARD VERIFY™ PREDEFINED CHECKS