Cisco Digital Network Architecture – Deeper Dive, “From the Gates to the GUI

© 2017 Cisco and/or its affiliates. All rights reserved. 1
Cisco Digital Network Architecture –
Deeper Dive,
“From the Gates to the GUI”
Wade Crick
Customer Solutions Architect
January 2018
Cisco
Connect Your Time
Is Now

© 2016 Cisco and/or its affiliates. All rights reserved. 2Cisco Public
Session Abstract
Cisco Digital Network Architecture – Deeper Dive, “From the Gates to the GUI
Come to this session to learn how the latest advances in Cisco Enterprise silicon development – programmable, flexile
ASIC (Application Specific Integrated Circuit) hardware which provides a key foundational element of Cisco's Digital
Network Architecture portfolio – are driving industry innovations such as Cisco’s new Catalyst 9000 family of switches, as
well as exciting new solutions such as ETA (Encrypted Traffic Analytics) and Software-Defined Access.
Attendees at this session will gain greater insight into how ASICs are designed and built –showcasing the advanced
capabilities and functionality delivered by Cisco's latest switching silicon innovations provided by UADP (Unified Access
Data Plane), as well as the latest advancements in Cisco’s wireless silicon. Most importantly, this session will show the
continuum of Cisco’s evolution – from the gates (silicon gates, that is) to the latest advanced GUIs that solutions such as
SD-Access are enabled with – allow customers to move faster, innovate rapidly, and drive significant cost savings for their
organizations.
Come to this session to “double-click” on how Cisco is revolutionizing the Enterprise network with DNA! This is the second
of two sessions – an optional introduction to the principles of DNA, as well as an exploration of the new DNA Center GUI
and the Automation and Assurance aspects of the Cisco Digital Network Architecture it supports – are explored in the
preceding companion session.

Agenda
• Industry Trends
• The Network Intuitive
• Cisco DNA and the Importance of Flexible Hardware
• The Evolution of the Application Specific Integrated Circuit
• DNA/Software Defined Access
• DNA Center
• Encrypted Traffic Analytics
• Catalyst 9000
• Summary, Q&A

We are going to try to cover
from
“The Gates to the GUI”

Innovation - The world’s 50 most innovative
companies
# 37. Cisco Systems
2017 patent grants: 967
2016 patent grants: 978
Source - 24/7 Wall St. Jan 12, 2018

From
Innovations
in
Silicon
and
Software
…
… to
Innovations
in Platforms
and Solutions

And Why
These

8© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco DNA and the
Importance of
Network Innovation

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
Advanced Persistent
Threats
Devices per Person
3.64
Mobile world requires access
to everything everywhere
Mobility
Devices per Admin
100K
Agility and New
Consumption Models
Cloud
IoT
Things Connected
7.5BUnmanned devices
growing at rapid pace
Enterprise Trends Driving Digital Transformation

Source: Forrester Source: Open Compute Project
Time IT spends on operations80% CEOs are worried about IT strategy
not supporting business growth57%
Network Expenses Deployment Speed
0 10 100 1000
Computing Networking
Seconds
0
100%
CAPEX OPEX
33% 67%
The Need for Agility
Changing Enterprise Requirements

VLAN 1 VLAN 2 VLAN 3
WAN
Branch A
VLAN 1 Branch A VLAN 3
Remote
VLAN 2
HQ
ACL 1 ACL 2
ACL 2
ACL 3
Traditional Networks Cannot Meet the Demand
Users, Device and IoT
Segmentation
Enabling Seamless
Mobility
Secure Connectivity
to the Cloud
Setting Up
End-End Security

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco Digital Network Architecture
Principles
Insights and
experiences
Automation
and assurance
Security and
compliance
Automation
Abstraction and policy
control from core to edge
Open and programmable | Standards-based
Open APIs | Developers environment
Cloud service management
Policy | Orchestration
Physical and virtual infrastructure | App hosting
Network data,
contextual insights
Network-enabled applications
Cloud-enabled | Software-delivered
Analytic
s
Virtualization

The Network. Intuitive.
Intent-Based
Network Infrastructure
DNA Center
AnalyticsPolicy Automation
Switching Routers Wireless
Powered By Intent.
Informed by Context.
DNA Center 1.1
General Availability
Software-Defined Access
Meraki Visibility
Extended Enterprise

Journey to Intent-based Networking
Intent-based
Networking
Constantly Learning
Constantly Adapting
Constantly ProtectingPolicy-Based
Automation
Business Policy
Translation
Segmentation
Analytics &
Assurance
Everything as a sensor
Telemetry
Historical & Real-time
Digital—Ready
Infrastructure
Secure foundation
Programmability
Virtualization
Machine
Learning & AI
Policy Validation
Predictive
Self-healing
The Network. Intuitive.
Powered by intent. Informed by context.
Based on Cisco’s DNA
We are here
Scaling (via Cloud)

Self-Driving Automation
Future
Closed Loop through Network
Analytics and Machine Learning
DNA Center
BB
Campus
Fabric
SDA
Automated Deployment
Plug and Play,
Day 0 Deployment
Exists Today
HTTP
Proxy
Internet
Admin
Installer
Step 1
Network admin
previsions devices in
Cisco Network Plug
and Play applications
Step 2
Onsite installer with
mobile app installs and
powers on devices,
triggers deployment,
checks status
Step 3
New devices contact
Cisco Network Plug and
Play application to get
provisioned
Network admin can
remotely monitor
install status
Basic Advanced
One Point of Management – All from Cisco DNA Center
Configure once and deploy
everywhere - SD-Access
DNA Center
Campus
Fabric
SDA
New
Consistent Across Network Fabric
The Network Intuitive.
Moving From Manual to Automated

Quality of Service – Intuitive?

Wireless AP
Trust Boundary
PEP
4Q (WMM)
Catalyst 3650
Trust Boundary
PEP
2P6Q3T
Catalyst 4500
1P7Q1T
Catalyst 6500
1P3Q4T
1P7Q4T
2P6Q4T
…
Nexus 7700
F3: 1P7Q1T
WLC
PEP
ASR/ISRs
MQC
Catalyst 2960-X
Trust Boundary
PEP
1P3Q3T
Wireless AP
Trust Boundary
PEP
4Q (WMM)
Southbound APIs translate
business intent to platform-
specific configurations
Network Operators express
high-level business intent to the
EasyQoS app
EasyQoS
Operation
Network
Controller

Network
Controller
EasyQoS will seamlessly interconnect
all types of hardware and software queuing models
to achieve consistent and compatible end-to-end treatments –
aligned with the expressed business intent
EasyQoS
Results

ip access-list extended APIC_EM-MM_STREAM-ACL
remark citrix - Citrix
permit tcp any any eq 1494
permit udp any any eq 1494
remark citrix-static - Citrix-Static
permit tcp any any range 2512 2513
permit udp any any range 2512 2513
remark pcoip - PCoIP
remark timbuktu - Timbuktu
remark xwindows - XWindows
remark vnc - VNC
permit udp any any range 5900 5901
exit
ip access-list extended APIC_EM-SIGNALING-ACL
remark h323 - H.323
Your Choice …

22© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco DNA and the
Importance of
Flexible Hardware

EISG
Architecture Team
David Goeckeler
Cisco SVP,
Security and Networking
Cisco Live Las Vegas 2016
ASICs are a
pillar of Cisco
innovation …

Logic Design Choices
• General Purpose CPU
• Field Programmable Gate Arrays
• Application Specific Integrated
Circuits
• System on Chip
• Graphics Processing Unit

How is an ASIC built?How is an ASIC built?

It all starts with the Transistor
• The first bipolar junction transistors were invented by Bell Labs in
1948.
• Transistors can be an amplifier (linear region operation) or a switch
(saturation region operation).
• In switch mode +VCC =1, Gnd = 0 for binary operations.

An example of a Transistor AND Gate
Fairchild DM7408 Quad 2-Input AND Gates
Truth Table

An example of a Transistor NAND Gate

We are talking
transistors…
and how many we can pack
in an ASIC die …
“The number of transistors
incorporated into a chip
will approximately double
every 18 - 24 months …”
“Moore’s Law” - 1975
Transistor Width
measured in
Nanometers
Nanometer = One Billionth of a Meter
TSMC currently plans to start manufacturing
7nm chips in 2018.
“This past September, we announced our plan
for the world's first 3-nanometer fab
located in the Tainan science park. This fab
could cost upwards of $20 billion and represents
TSMC's commitment to drive technology
forward," TSMC executive Mark Liu.
NVIDIA TITAN V GPU is fabricated on TSMC 12
nm FFN (FinFET NVIDIA) process. 21.1 billion
transistors.
Apple iPhone X 10nm

Then, it starts with coding…
Verilog
VHDL
Synthesis Process
Converts code into
logical gate constructs (Netlist)
ASICs – From Definition to Deployment

Discrete
transistor
MOSFET
(metal oxide semiconductor
field effect transistor)
FinFET
(Fin Field
Effect Transistor - "3D" )
NAND gate
NOR Gate
Universal
Gates
XOR Gate
AND Gate
OR Gate NOT Gate
XNOR Gate
… which can be used to build any of
the other logic gates …
… mostly used @
22nm and above
Intel in 2012 used 22-
nm in Ivy Bridge
processors
… which, when we put millions
of them together on a silicon
die, produce a chip!
Silicon wafer

And we have an ASIC…

Why Does
Cisco Develop
Our Own Silicon?
Simpler Deployment Options
Better Insight and Optimization
Increased Security
Most Appropriate Scalability
Flexibility and Investment Protection
via Programmability
Simpler Deployment Options
Better Insight and Optimization
Increased Security
Most Appropriate Scalability
Flexibility and Investment Protection
via Programmability

• Cisco spent US$1.567 Billion last quarter (Q2, FY2018) on R&D,
some of which was on custom ASICs.
• Vast major of Cisco products include custom ASICs
• Custom ASICs in:
• Catalyst 3000, 9000
• Nexus 5000, 7000, 9000
• ISR, ASR 1000 (Quantum Flow Processor)
• Wireless
• …
Cisco Investments

Up to 32MB
Packet Buffer
Up to 64K x2
Netflow RecordsEmbedded
Microcontrollers
Shared
Lookup
Up to 240GE
Bandwidth
384K Flex
Counters,
Up to 2X to 4X
Forwarding + TCAM
Universal Deployments
Adaptable Tables
Enhanced Scale/Buffering
Multicore resource share
Investment Protection
Flexible Pipeline
7.46B
Transistors
28nm Technology
UADP 2.0 – Next Generation of ASIC Innovation
Mobile Ready
Security/Trustsec/MACsec
Enhanced Netflow Programmable High Performance
Recirculation (tunneling -
GRE, VXLAN, etc)
Flexible Pipeline

Traditionally the ASIC
processing pipeline is
FIXEDIPv4
IPv6
Traditional Fixed ASIC Processing Pipeline

… and has challenges
handling NEW
PROTOCOLS …
MPLS
Traditional Fixed ASIC Processing Pipeline

Flex
Rewrite
Flex
Rewrite
Cisco’s UADP ASIC
delivers
FLEXIBILITY …
Flex
Parser
Flex
Parser
Flexible, Programmable Processing Pipeline
GRE
If IPv7 were
invented
tomorrow …
... we could probably handle it
via the Programmable
Pipeline!
Flex CountersFlex Counters
Stage 1 Stage 2 Stage 3 Stage n
IPv4
IPv6
VXLAN
MPLS
IPv7
Unified Access Data Plane – Processing Pipeline

So where can
Flexible ASICs help us?
So where can
Flexible ASICs help us?

DNA Flexible Infrastructure – Programmable ASIC Silicon

ASIC Evolution – Over Time
UADP 2.0: 7.46B transistors!
2,160,000 lines of code
New!New!
Catalyst 9300 /
9400 / 9500 – 2017
Catalyst 3550
Circa 2003
60M transistors
47,226 lines of code
Catalyst 3750
Circa 2008
210M transistors
86,220 lines of code
Catalyst 3850
Circa 2013
UADP 1.0 – 1.3B transistors
UADP 1.1 – 3.0B transistors
1,490,000 lines of code
All Cisco-developed silicon
Driving the benefits of vertical integration –
Hardware and software working together!
Just like some other famous examples …

What does all of this
mean for me?

Cisco Programmable Hardware
equals
FLEXIBILITY
ADAPTABILITY
Enabling Network Evolution –
a critical requirement
for DNA

Cisco Digital Network Architecture
How DNA Center embraces the Cisco DNA
Principles
Insights and
experiences
Automation
and assurance
Security and
compliance
Automation
Abstraction and policy
control from core to edge
Open and programmable | Standards-based
Open APIs | Developers environment
Cloud service management
Policy | Orchestration
Physical and virtual infrastructure | App hosting
Network data,
contextual insights
Network-enabled applications
Cloud-enabled | Software-delivered
Analytic
s
Virtualization
DNA Center
APIC-EM, ISE, Analytics &
Assurance

June 2017 - What we announced:
• DNA Center
• Built-in expertise to manage and deploy end-to-end network
services with a central management
• DNA Analytics & Assurance
• Analytics collects data from users, devices, and applications
and uses machine learning to proactively identify problems
• Software-Defined Access
• Dynamically adapt to changing needs with policy-based
management of the network fabric
• Enhanced Network as a Sensor
• Uncover threats hidden in encrypted traffic without
decryption.
• Catalyst 9000 Series Switches
• First infrastructure devices purposely designed for DNA
Software Subscription Licensing | DNA Advisory, Technical, Support Services

Software-Defined Access
Industry’s first policy-based automation from the edge to the cloud
Single
Network Fabric
Automate User
Access Policy
End-to-End
Segmentation
Keep user, device and applications
traffic separate without redesigning
the network
Apply the right policies for user or
device to any application across the
network
Enable a consistent user
experience anywhere without
compromising on security
Common user policy for the branch, campus, WAN and cloud

Controller-based Management
Programmable Overlay
Simplified L3 Underlay
DNA
Center
Software Defined Access (SD-Access)
Bringing Everything Together

1. Control Plane based on LISP
2. Data-Plane based on VXLAN
3. Policy-Plane based on TrustSec
Key Components of SD-Access
Key Differences
• L2 + L3 Overlay -vs- L2 or L3 Only
• Host Mobility with Anycast Gateway
• Adds VRF + SGT into Data-Plane
• Virtual Tunnel Endpoints (No Static)
• No Topology Limitations (Basic IP)
53

APIC-EM
ISE NDP
 Control-Plane Nodes – Map System that
manages Endpoint ID to Device relationships
 Edge Nodes – A Fabric device (e.g. Access
or Distribution) that connects Wired Endpoints
to the SDA Fabric
 Identity Services – External ID Systems
(e.g. ISE) are leveraged for dynamic User or
Device to Group mapping and Policy definition
 Border Nodes – A Fabric device (e.g. Core)
that connects External L3 network(s) to the
SDA Fabric
Identity
Services
Intermediate
Nodes (Underlay)
Fabric Border
Nodes
Fabric Edge
Nodes
 DNA Controller – Enterprise SDN Controller
provides GUI management and abstraction via
multiple Service Apps, that share information
DNA Center
 Analytics Engine – External Data Collectors
(e.g. NDP) are leveraged to analyze User or
Device to App flows and monitor fabric status
Analytics
Engine
C
Control-Plane
Nodes
B
SD-Access
Roles & Terminology
B
 Fabric Wireless Controller – A Fabric device
(WLC) that connects Wireless Endpoints to
the SDA Fabric
54
Fabric Wireless
LAN Controller

SD-Access Support
A single fabric for your digital ready network
WirelessRoutingSwitching
AIR-CT5520
AIR-CT8540
Wave 2 APs (1800, 2800,3800)
Wave 1 APs* (1700, 2700,3700)
Catalyst 9400
Catalyst 9300
Catalyst 9500
Catalyst 4500E Catalyst 6K Nexus 7700
Catalyst 3850 and 3650
AIR-CT3504
*with Caveats
**Future
NEW
NEW
NEW
NEW
Subtended
Catalyst Digital Building
Catalyst 3560-CX
NEW
IE Switches** (2K/3K/4K/5K)
ASR-1000-X
ASR-1000-HX
ISR 4430
ISR 4450
ENCS 5400**
ISR 4351
ISR 4331
CSRv

DNA Center: Design, Policy, Provision, Assurance
A better way to manage your network
DNA Center: Design, provision,
automate policy and assure
services from one place
Logical workflow to design,
provision, set policy
Respond to changes faster
Monitor end-to-end
network performance
Predict and act on problems
before they happen
Pinpoint problems faster
Reduce downtime with an
end-to-end view instead of
hop by hop
Manage hardware and
software lifecycles
Keep up to date, meet
compliance and plan for refresh

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
• Select Areas, Building,
Floors
• Configure Network
Settings
• Set IP Address Pools
Design
Design | Provision | Policy | Assurance

• Assign Devices to
Locations
• Provision Network
Fabric
• On-board Hosts
Provision

• Create Virtual
Networks
• Register End Point
Types
• Administer Context-
Based Policy
Policy

• Network and Device
Performance
• Client Access,
Connectivity, Monitoring
and Troubleshooting
• Application Experience
Monitoring & Acceleration
Assurance

• Analyze netflow metadata
without decrypting traffic
flows
• Global-to-local knowledge
correlation - 99.99%
threat detection accuracy
• Encrypted traffic analytics
from Cisco’s newest
switches and routers
Encrypted Traffic
Analytics
Security with Privacy

Enhanced Network as a Sensor
Encrypted Traffic Non-Encrypted
Traffic
Secure and manage your digital network in real time, all the time, everywhere
Industry’s first network with the ability to find threats in encrypted traffic without decryption
Avoid, stop, or mitigate threats faster then ever before | Real-time flow analysis for better visibility

Encrypted traffic – mining usable information
https://1.2.3.4
https://123.123.123.123
https://234.234.234.234
https://22.33.44.55
https://21.21.21.21
We can see the TLS session
properties
We can see the channel behavior We (often) know the
server
• TLS session properties
• Channel behavior
• Domain identity (often)

• HTTPS header contains several
information-rich fields.
• Server name provides domain information.
• Crypto information educates us on
client and server behavior and
application identity.
• Certificate information is similar to whois
information for a domain.
• And much more can be understood when we
combine the information with global data.
Initial data packet
IPHeader
TCPHeader
TLS Header
TLS version
SNI (Server Name)
Ciphersuites
Certificate
Organization
Issuer
Issued
Expires
Initial data packet
Initial data
packet

Sequence of packet lengths and times
Sequence of packet lengths and times
Flow start Time
• Size and timing of the first packets allow us to estimate the type of data inside the
encrypted channel.
• We can distinguish video, web, API calls, voice, and other data types from one another and
characterize the source within the class.

Cisco’s threat intelligence map
Image: http://census2012.sourceforge.net/images.html
• Who’s who of the internet’s dark side
• Models use up to 20 features of
150 million malicious, risky, or otherwise
security-relevant endpoints on the internet.
• These data features include domain data,
whois data, TLS certificate data, usage
statistics, and behavioral data for
each server.

Finding malicious activity in encrypted traffic
Cisco Stealthwatch®
Cognitive
Analytics
Malware
detection and
cryptographic
compliance
New Catalyst® 9000*
NetFlow
Enhanced
NetFlow
Telemetry for
encrypted malware detection
and cryptographic compliance
* ISR, ASR are supported
Enhanced analytics
and machine learning
Global-to-local
knowledge correlation
Enhanced NetFlow from
Cisco’s newest switches and
routers
Continuous
Enterprise-wide compliance
Leveraged network Faster investigation Higher precision Stronger protection
Metadata

Cisco Catalyst 9000: The platform for the new era
First in enterprise
• x86 CPU with application hosting
• Programmable ASIC
• Software patching
Future-Proofed
• IEEE 802.11ax ready
• 100W PoE (IEEE 802.3bt) ready
• 25G Ethernet ready
Industry’s unmatched
• High availability
• Multigigabit density
• UPOE scale
SD-Access
integrated
Converged
ASIC
Single image
Common
licensing
Security IoT convergence CloudMobility
UADP 2.0
Cisco IOS® XE Software

Kanata R&D Team
3rd Largest Cisco Engineering site worldwide

Catalyst 9000 - CRN's 2017 Products Of The Year

SDA - Show me the money

From the Hardware …
… to the Software and
Protocols, with Integrated Security …
to the
Whole
Solution …
Cisco Innovations – In Hardware, Software, and Solutions – Tie It All Together
“From the Gates – to the GUI”
Integrated
Security
Innovation All The Way Up the Stack
Hardware, Software, and Solutions

Cisco Digital Network Architecture – Deeper Dive, “From the Gates to the GUI

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Cisco Digital Network Architecture – Deeper Dive, “From the Gates to the GUI

Similar to Cisco Digital Network Architecture – Deeper Dive, “From the Gates to the GUI (20)

More from Cisco Canada

More from Cisco Canada (20)

Recently uploaded

Recently uploaded (20)

Cisco Digital Network Architecture – Deeper Dive, “From the Gates to the GUI