On November 17th, 2016, Forward Networks conducted its first public unveiling of its Network Assurance platform at Networking Field Day 13. Visit https://www.forwardnetworks.com/ for more details.

1. NETWORKING FIELD DAY 13
November 17th, 2016
David Erickson, PhD
CEO & Co-Founder

2. AGENDA
+ An Introduction to Forward Networks
+ Platform Demo
+ Use Case: Outage Diagnosis & Resolution
+ Use Case: Network Auditing
+ Closed Session

3. Today’s Networks – Large, Complex, & Heterogeneous
+ IPv4 routes
+ ACLs
+ MAC tables
+ Spanning tree
+ NAT
+ VLAN
+ Multicast
+ PBR
+ Cisco
+ Arista
+ HPE
+ Fortinet
+ Juniper
+ F5
+ Palo Alto
+ Checkpoint
Thousands of devices Millions of rules Dozens of vendors
Switches Routers
Load balancers Firewalls

4. Manual Operations Inadequate Tooling High Rate of Error
+ Device-by-device management
+ Limited end-to-end visibility
+ Hard to debug & test
+ Lack of innovation in tooling
+ Solutions are 20+years old
+ Ping, traceroute, SNMP, etc.
+ Networks rife with misconfiguration
+ 80% of outages caused by error1
+ 50% due to change config issues2
1&2
Network Operations – Manual & Error Prone

5. Business Impacting Expensive to Repair Brand-Damaging
Networks Failures & Data Center Outages
$

6. NETWORK ASSURANCE
Reducing the complexity of networks while eliminating the human
error, misconfiguration, and policy violations that lead to outages.

7. Unorganized real world data
Own data model of real world
Apps on top using data model
Revolutionary algorithm
SEARCH VERIFY APIPREDICT
THE FORWARD
PLATFORM
A NEW APPROACH TO NETWORK OPERATIONS

8. What is my network’s behavior?
Index your network and search
your devices and behavior on top
of an interactive topology
SEARCH
Is it doing what it should?
Validate network correctness and
audit your network for compliance
& security
VERIFY
Will this change work?
Simulate configuration changes to
ensure they are correct and secure
before rolling into production
PREDICT
THE FORWARD PLATFORM
CAPABILITIES OVERVIEW

9. Customer Network
Forward Applications
PLATFORM ARCHITECTURE

10. PLATFORM DEMO
Brandon Heller, PhD
CTO & Co-Founder

11. SEARCH VERIFY PREDICT
THE FORWARD PLATFORM
CAPABILITIES OVERVIEW

12. Customer Network
Forward Applications
PLATFORM ARCHITECTURE

13. - Interface Counters
- Flow Counters (NetFlow)
- Sampled Counters (sFlow)
- Probes (Ping, Traceroute)
+ Packet In -> Packet Out
(and all details)
(for any packet, seen or not)
Observed Traffic All Potential Traffic
What we don’t do What we do

14. PLATFORM DEMO

15. USE CASE
Network Outage and Resolution
Behram Mistree, PhD
Product Engineer

16. NETWORK
CLIENT SJCCE
SEA
LAX MIA
LGA
IAD SERVER
(18.10.11.2)

17. NETWORK
CLIENT SJCCE
SEA
LAX MIA
LGA
IAD SERVER
(18.10.11.2)

18. ROBUST CONNECTIVITY BETWEEN CLIENT AND SERVER WANTED
CLIENT SJCCE
SEA
LAX MIA
LGA
IAD SERVER
(18.10.11.2)

19. REQUIREMENTS
1. Traffic should flow from CLIENT to SERVER
2. Traffic should take multiple paths from CLIENT to SERVER
3. Traffic should flow on all interfaces in a port channel
CLIENT SJCCE
SEA
LAX MIA
LGA
IAD SERVER
(18.10.11.2)

20. REQUIREMENTS
1. Traffic should flow from CLIENT to SERVER
2. Traffic should take multiple paths from CLIENT to SERVER
3. Traffic should flow on all interfaces in a port channel
CLIENT SJCCE
SEA
LAX MIA
LGA
IAD SERVER
(18.10.11.2)

21. REQUIREMENTS
1. Traffic should flow from CLIENT to SERVER
2. Traffic should take multiple paths from CLIENT to SERVER
3. Traffic should flow on all interfaces in a port channel
CLIENT SJCCE
SEA
LAX MIA
LGA
IAD SERVER
(18.10.11.2)

22. REQUIREMENTS
CLIENT SJCCE
SEA
LAX MIA
LGA
IAD SERVER
(18.10.11.2)
1. Traffic should flow from CLIENT to SERVER
2. Traffic should take multiple paths from CLIENT to SERVER
3. Traffic should flow on all interfaces in a port channel

23. IS YOUR NETWORK WORKING?

24. Traditional Approach
FORWARD VERIFY™
IS YOUR NETWORK WORKING?

25. TRADITIONAL APPROACH
CLIENT SJCCE
SEA
LAX MIA
LGA
IAD SERVER
(18.10.11.2)
1. Traffic should flow from CLIENT to SERVER
2. Traffic should take multiple paths from CLIENT to SERVER
3. Traffic should flow on all interfaces in a port channel

26. Traditional Approach
FORWARD VERIFY™
ping 18.10.11.2 show route show lacp interfaces
IS YOUR NETWORK WORKING?
Traffic can flow Multiple paths Port channels

27. FORWARD VERIFY™
CLIENT SJCCE
SEA
LAX MIA
LGA
IAD SERVER
(18.10.11.2)
1. Traffic should flow from CLIENT to SERVER
2. Traffic should take multiple paths from CLIENT to SERVER
3. Traffic should flow on all interfaces in a port channel

28. Traditional Approach
FORWARD VERIFY™
ping 18.10.11.2 show route show lacp interfaces
IS YOUR NETWORK WORKING?
Traffic can flow Multiple paths Port channels

30. REQUIREMENTS
CLIENT SJCCE
SEA
LAX MIA
LGA
IAD SERVER
(18.10.11.2)
1. Traffic should flow from CLIENT to SERVER
2. Traffic should take multiple paths from CLIENT to SERVER
3. Traffic should flow on all interfaces in a port channel

31. REPLACE INTERFACE ON LAX
CLIENT SJCCE
SEA
LAX MIA
LGA
IAD SERVER
(18.10.11.2)

32. REPLACE INTERFACE ON LAX
CLIENT SJCCE
LAX MIA
LGA
IAD SERVER
(18.10.11.2)
SEA
1. Set ISIS overload bit

33. REPLACE INTERFACE ON LAX
1. Set ISIS overload bit
2. Replace line card
CLIENT SJCCE
LAX MIA
LGA
IAD SERVER
(18.10.11.2)
SEA

34. REPLACE INTERFACE ON LAX
1. Set ISIS overload bit
2. Replace line card
3. Verify
CLIENT SJCCE
LAX MIA
LGA
IAD SERVER
(18.10.11.2)
SEA

35. VERIFICATION COMPARISION
Traditional Approach
FORWARD VERIFY™
1. Check port channel up
1. Single button press
2. Ping LAX to SERVER 3. Ping LAX to CLIENT
TRANSIT TRAFFIC DISALLOWED
TRANSIT TRAFFIC DISALLOWED
✔ Fixed

36. CLIENT SJCCE
SEA
LAX MIA
LGA
IAD SERVER
(18.10.11.2)
CLIENT SJCCE
SEA
LAX MIA
LGA
IAD SERVER
(18.10.11.2)
Latent misconfigurationTraditional Approach
FORWARD VERIFY™
VERIFICATION COMPARISION

37. Traditional Approach
FORWARD VERIFY™
CLIENT SJCCE
SEA
LAX MIA
LGA
IAD SERVER
(18.10.11.2)
CLIENT SJCCE
SEA
LAX MIA
LGA
IAD SERVER
(18.10.11.2)
VERIFICATION COMPARISION
Latent misconfiguration

38. Traditional Approach
FORWARD VERIFY™
CLIENT SJCCE
SEA
LAX MIA
LGA
IAD SERVER
(18.10.11.2)
CLIENT SJCCE
SEA
LAX MIA
LGA
IAD SERVER
(18.10.11.2)
VERIFICATION COMPARISION
Latent misconfiguration

39. FORWARD VERIFY™
PREVENTS OUTAGES
Instantly see failing checks during service window
Fix network issues as soon as they appear
SIMPLIFIES DIAGNOSIS
Using historical snapshots, we could reconstruct
where traffic was going, what had changed, and why

40. USE CASE
Network Audit
Behram Mistree, PhD
Product Engineer

41. FORWARD’S MISSION
We want to help you build networks that work and
that you can trust because you’ve verified them
FORWARD VERIFY™
PREDEFINED
CHECKS

42. AUDITING WITH PREDEFINED CHECKS LEADS TO SAFER NETWORKS

43. AUDITING WITH PREDEFINED CHECKS LEADS TO SAFER NETWORKS
CLASSIC DC SPINE LEAF

44. CLASSIC DC
“UPTIME BANK” SERVERS
Peer
Core
Aggregation
Access

45. CVE-2016-7810XXX
CVE-ID CVE-2016-7810XXX
DATE 20161117
REFERENCES http://example.com
DESCRIPTION

46. CVE-2016-7810XXX
CVE-ID CVE-2016-7810XXX
DATE 20161117
REFERENCES http://example.com
DESCRIPTION Your switch has a massive security vulnerability

47. CLASSIC DC
“UPTIME BANK” SERVERS
Peer
Core
Aggregation
Access
Both need upgrade

48. CLASSIC DC
“UPTIME BANK” SERVERS
Peer
Core
Aggregation
Access
AGG-1-0 AGG-1-1
ACC-1-1
VRRP

49. LIVE DEMO

50. WHAT’S HAPPENING
“UPTIME BANK” SERVERS
Server Down?
Interfaces Down?
Spanning Tree?
Guesswork starts
AGG-1-0 AGG-1-1
ACC-1-1
IGP Issues?
Peering Issue?
Application Down?
“I don’t know!”
VRRP

51. AUDITING WITH PREDEFINED CHECKS LEADS TO SAFER NETWORKS
CLASSIC DC SPINE LEAF

52. Peer
Border
Spine
Leaf
SPINE LEAF
SPINE-1
LEAF-1
SPINE-0

53. SPINE LEAF
Peer
Border
Spine
Leaf
“UPTIME BANK” SERVERS
SPINE-1
LEAF-1
SPINE-0

54. SPINE LEAF
Peer
Border
Spine
Leaf
“UPTIME BANK” SERVERS
Needs reboot to
install firmware

55. AUDITING WITH PREDEFINED CHECKS LEADS TO SAFER NETWORKS
TODAY FORWARD VERIFY™
VLAN Consistency ✘outage ✔ prevents outage
MTU Consistency ✘outage ✔ prevents outage
Duplex Consistency ✘outage ✔ prevents outage
Link Speed Consistency ✘outage ✔ prevents outage
No Forwarding Loop ✘outage ✔ prevents outage
Port Channel Consistency ✘outage ✔ prevents outage
Shortest Path ✘outage ✔ prevents outage
Trunk Whitelist ✘outage ✔ prevents outage
IP Address Uniqueness ✘outage ✔ prevents outage
VLAN Existence ✘outage ✔ prevents outage

56. I WILL NEVER TRUST A NETWORK …
There is no such thing as a network that
works, just a network that hasn’t broken yet

57. www.forwardnetworks.com @fwdnetworks