Digital Vortex: How Digital Disruption Is Redefining Industries. Global Center for Digital Business Transformation, 2015.
Cisco estimates $14.4 Trillion of digital value at stake across private industries between 2013-22.
Leading Digital: Turning Technology into Business Transformation. Where to begin your journey to digital value in the private sector.
Creating New Priorities for Digital Organization
Figure: network roles for the digital organization: First Line of Defense; Conduit for Critical Apps; Bridge for Scalability; Engagement Visibility; IoT Automation; Full Business Analytics.
Principles: Abstraction and Policy Control from Core to Edge; Network Data, Contextual Insights; Save Money; Cloud-enabled | Software-delivered.
MODULE 2: CISCO DNA AUTOMATION
APIC-EM System Requirements
Physical Appliance Specification:
Server: 64-bit x86
CPU (cores): 6
CPU speed: 2.4 GHz
RAM: 64 GB (Single Node), 32 GB (Per Host for Multi-Node)
Storage: 500 GB of available or usable storage after hardware RAID
RAID level: Hardware-based RAID at RAID level 10
Disk I/O speed: 200 MBps
Network adapter: 1 or more
Browser: Chrome (44.0 or later)
Web access required: Outbound secure web (HTTPS) access from the Cisco APIC-EM to the Internet for automatic updates of the controller software

Virtual Appliance Requirements:
VMware ESXi Version: 5.1/5.5
Server: 64-bit x86
Virtual CPU (vCPU): 6
CPU speed: 2.4 GHz
RAM: 64 GB (Single Node), 32 GB (Per Host for Multi-Node)
Storage: 500 GB of available or usable storage after hardware RAID
RAID level: Hardware-based RAID at RAID level 10
Disk I/O speed: 200 MBps
Network adapter: 1 or more
Browser: Chrome (44.0 or later)
Web access required: Outbound secure web (HTTPS) access from the Cisco APIC-EM to the Internet for automatic updates of the controller software
APIC-EM Form Factors
The Cisco APIC-EM is available in two form factors: virtual appliance and hardware
appliance.
The virtual appliance can be downloaded free of charge from Cisco Software
Central or Cisco's DevNet community service.
The hardware appliance can be purchased directly from Cisco or through Cisco
resellers.
APIC-EM Architecture
APIC-EM Architecture Explained
APIC-EM is Cisco's SDN controller; in the previous module we discussed SDN controllers and
their roles.
The architectural diagram in the previous slide, details that APIC-EM is built on the elastic platform of
Grapevine. Grapevine allows APIC-EM to run multiple services, and to grow or create multiple instances of
these services, as per the requirement of APIC-EM.
The Discovery function uses the following protocols and methods to retrieve the information about
your network:
Cisco Discovery Protocol (CDP)
Community-based Simple Network Management Protocol Version 2 (SNMPv2c)
Simple Network Management Protocol version 3 (SNMPv3)
Link Layer Discovery Protocol (LLDP)
IP Device Tracking (IPDT): IPDT is enabled automatically for all devices by the controller. For this
configuration, privileges must be given to the controller during discovery.
LLDP-MED: IP phones and possibly some servers are discovered using LLDP Media Endpoint
Discovery.
About Device Discovery - Screens
Device Inventory View
The Device Inventory window displays the results of the discovery scan. After the initial discovery, network
devices are polled every 30 minutes. Polling occurs for each device, link, host, and interface. Only devices that
have been active for less than a day are displayed. This prevents any stale device data from being displayed. On
average, polling 500 devices takes approximately 20 minutes. From APIC-EM 1.4 onwards, you can also add
individual devices, directly from the Device Inventory Screen.
About Topology Visualization
The Topology window displays a graphical view of your network. Using the discovery settings that you have
configured, the Cisco APIC-EM discovers and maps devices to a physical topology with detailed device-level
data.
The Cisco Network Plug and Play solution provides a simple, secure, unified, and integrated
offering for enterprise network customers to ease new branch or campus device rollouts or
for provisioning updates to an existing network. The solution provides a unified approach to
provision enterprise networks comprised of Cisco routers, switches, and wireless devices
with a near zero touch deployment experience.
It reduces the burden on enterprises by greatly simplifying the process of deploying new
devices. An installer at the site can deploy a new device without any CLI knowledge, while a
network administrator centrally manages device configuration.
PnP Solution Features
Simplified and consistent deployment of Cisco network devices
Converged solution for Cisco routers, switches, and wireless access point devices
Devices can automatically discover the APIC-EM controller through DHCP, DNS, or a proxy server, and
predefined configurations and images can be pushed out as devices come online.
Configuration templates allow an administrator to define a template of CLI commands that can be
used to consistently configure multiple network devices, reducing deployment time. Configuration
templates are supported in Cisco Network Plug and Play version 1.3 and later.
Mobile iOS or Android application helps the device installer to bootstrap devices and monitor
installation from a remote site
Secure device authentication and communication using secure unique device identifiers (SUDI), and
certificates stored in a Cisco managed trustpool bundle, which is a special store of certificates signed
by trusted certificate authorities and published by Cisco InfoSec.
Cisco Network Plug and Play Architectural Overview
PnP Solution Components
The Cisco Network Plug and Play solution includes the following components:
Cisco Plug and Play Mobile App for iOS and Android devices
Alternatively, you can choose to set up a private VPN link so that the controller is reachable via
VPN, without using a generic proxy.
PnP - Remote Branch / Site Deployment
Prerequisite: Cisco network devices are running Cisco IOS images that support the Cisco Plug
and Play IOS Agent.
a) On the APIC-EM controller, the network administrator uses the Cisco Network Plug and Play
application to pre-provision the remote site and device information in the application. This
includes entering device information and setting up a bootstrap configuration, full
configuration, and IOS image for each device to be installed. The bootstrap configuration
enables the Plug and Play Agent and typically specifies the device interface to be used and
configures a static IP address for it.
b) The device installer uses the Deploy Devices function in the Cisco Plug and Play Mobile App
to deliver the bootstrap configuration to the Cisco network device and trigger deployment.
c) The network device connects to the Cisco Network Plug and Play application on the APIC-EM
controller, identifies itself by serial number, and downloads its full configuration and,
optionally, an IOS image, which were pre-provisioned by the network administrator.
PnP - Unplanned Device Deployment
Prerequisite: Cisco network devices are running Cisco IOS images that support the Cisco Plug
and Play IOS Agent.
a) The network administrator sets up a DHCP server in the network to respond to client
discover requests with DHCP option 43, which contains the APIC-EM controller IP address
and port information. Alternatively, DNS can be used to locate the controller.
b) The device installer installs and powers up the Cisco network device.
c) The device auto-discovers the APIC-EM controller by using DHCP or DNS. The device is
listed as an unplanned device in the Cisco Network Plug and Play application, identified by
IP address and product ID.
d) The network administrator uses the Cisco Network Plug and Play application to claim the
device and configure it with a new configuration and IOS image. For details on using the
Cisco Network Plug and Play application, see the Configuration Guide for Cisco Network
Plug and Play on Cisco APIC-EM.
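As an added worked example (not code from the course material), the following Python parses a DHCP option 43 value in the Cisco PnP vendor-string layout and checks, from the administrator's side, that it will send a booting device to the intended controller over HTTPS. A device that boots unplanned trusts whatever this option names, so a wrong or tampered value is a supply-chain risk worth auditing on the DHCP server. The field layout (a "5A1N" marker followed by ";"-separated letter-tagged fields: B address type, K transport, I controller address, J port) is assumed here from Cisco's PnP documentation; the sample strings and the trusted prefix are constructed.

```python
import ipaddress

# Constructed option 43 string in the assumed Cisco PnP layout:
# "5A1N" marker, then B=address type (2 = IPv4), K=transport (4 = HTTP,
# 5 = HTTPS), I=controller address, J=port.
SAMPLE_OPTION43 = "5A1N;B2;K5;I10.20.30.40;J443"

TRANSPORTS = {"4": "http", "5": "https"}
ADDRESS_TYPES = {"1": "hostname", "2": "ipv4", "3": "ipv6"}


def parse_pnp_option43(value):
    """Split the vendor string into a dict of controller-location fields."""
    parts = value.split(";")
    if not parts or not parts[0].startswith("5A1"):
        raise ValueError("not a PnP option 43 string")
    fields = {"marker": parts[0]}
    for item in parts[1:]:
        if not item:
            continue
        tag, data = item[0], item[1:]
        if tag == "B":
            fields["address_type"] = ADDRESS_TYPES.get(data, "unknown")
        elif tag == "K":
            fields["transport"] = TRANSPORTS.get(data, "unknown")
        elif tag == "I":
            fields["controller"] = data
        elif tag == "J":
            fields["port"] = int(data)
        else:
            fields.setdefault("other", {})[tag] = data
    return fields


def check_controller_target(fields, trusted_prefixes):
    """Return a list of findings; an empty list means the option points at a
    known controller over HTTPS. trusted_prefixes are the management
    networks the APIC-EM controller is expected to live in."""
    findings = []
    if fields.get("transport") != "https":
        findings.append("bootstrap transport is not HTTPS")
    ctrl = fields.get("controller")
    if ctrl is None:
        findings.append("no controller address in option 43")
    elif fields.get("address_type") == "ipv4":
        addr = ipaddress.ip_address(ctrl)
        if not any(addr in ipaddress.ip_network(p) for p in trusted_prefixes):
            findings.append(f"controller {ctrl} is outside trusted management prefixes")
    else:
        findings.append("controller is not an IPv4 literal; resolve and verify it")
    return findings


def audit_option43(value, trusted_prefixes=("10.20.30.0/24",)):
    """Parse and check one option 43 value against the trusted prefixes."""
    return check_controller_target(parse_pnp_option43(value), trusted_prefixes)


if __name__ == "__main__":
    print(parse_pnp_option43(SAMPLE_OPTION43))
    print(audit_option43(SAMPLE_OPTION43))                      # []
    print(audit_option43("5A1N;B2;K4;I192.0.2.9;J80"))          # two findings
```

Run the audit over every scope on the DHCP server that serves branch or campus access VLANs; a finding on a scope the network team did not change is the kind of discrepancy that should be raised before any device is powered up.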
About Path Trace
With Path Trace, the controller reviews and collects network topology and routing data from
discovered devices. Then it uses this data to calculate a path between two hosts or Layer 3
interfaces. Optionally, you can choose to collect interface, QoS, device, and Performance
Monitor statistics for a path.
The information gathered through the Path Trace app can be used to monitor and debug traffic
paths that are distributed among the various devices throughout your network.
The administrator performs these tasks by running a path trace between two nodes in your
network. The two nodes can be a combination of wired or wireless hosts and/or Layer 3
interfaces. In addition, the administrator can specify the protocol for the controller to use to
establish the path trace connection, either TCP or UDP.
Path Trace and Path Visualization
Path trace can identify the following information about the devices and paths:
HSRP
SVI
Layer 2
Layer 2 Port Channel
Layer 3 Routing Protocol
ECMP/TR
Netflow
ECMP over SVI
Subinterface
EIGRP
Level 3 Recursive Loop
VRF
ACLs
Module 3: Secure Access WAN
Need for IWAN
Evolving the Network to Enable the Journey to
the Cloud
Business and IT are changing like never before
Internet Becoming an Extension of Enterprise WAN
Emerging Branch Demands
WAN Spending Trends
Why Move to Internet as WAN?
When users complain about an application problem
Figure: what the users see (Application Problem), what network admins see (Server Problem, Network) and what can happen (Admin, User Problem).
Module 3: Secure Access WAN
IWAN Explained
IWAN: SD-WAN Requirements Analysis
IWAN Solution Architecture & Components
Figure: IWAN solution architecture. Transports: MPLS, Internet, 3G/4G-LTE. Sites: Branch, Private Cloud, Virtual Private Cloud, Public Cloud. Platforms: ASR1000, ISR-AX.
Transport independence: DMVPN IPsec overlay design; consistent operational model; simple provider migrations; scalable and modular design.
Intelligent path control: Performance Routing (PfR); application best path based on delay, loss, jitter and path preference; load balancing for full utilization of all bandwidth; improved network availability.
Application optimization: AVC application monitoring with Application Visibility and Control; WAAS application acceleration and bandwidth savings; Akamai Connect content (HTTP/S) caching.
Secure connectivity: certified strong encryption; comprehensive threat defense with ASA and IOS firewall/IPS; Cloud Web Security (CWS) for scalable secure direct Internet access.
Cisco AX Routers
IWAN Capabilities Embedded in the Router
Figure: ASR1000-AX and ISR-AX; one network, unified services: Visibility, Control, Optimization, Secure Transport-Independent Routing, Simplified Application Delivery. Reporting tools (application reporting, performance tool, management tool) sit on top of Recognition, Collection & Exporting and Control.
Application Visibility and Control
Figure: App Visibility & User Experience Report (application bandwidth, transaction time).
Reporting Tools: Application Reporting, Performance Tool, Management Tool (Cisco Prime Infrastructure).
Recognition: NBAR2, Metadata.
Collection & Exporting: Unified Monitoring: Traffic Statistics, Response Time, Voice/Video Monitoring, URL Collection.
Control: QoS (w/ NBAR2), PfR.
What do we want to monitor?
Traffic Statistics: Application usage per client IP/subnet/site; Top clients per application; Top conversations per application
URL Visibility: Most visited web-site; Per-URL application response time
Application Response Time: Per-application end-to-end latency; Application response time & transaction time; Application processing time
Media Performance: Per-stream jitter and packet loss; RTP conversations
Evolution of Applications
Figure: Collaboration (voice, data), Information, SaaS.
What if user experience is not meeting business
needs?
NBAR2
New DPI engine provides Advanced Application Classification and Field Extraction Capabilities
from SCE
Protocol Pack allows adding more applications without upgrading or reloading IOS
NBAR2 Protocol List - http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6558/ps6616/product_bulletin_c25-627831.html
NBAR2 and Encryption (70+ protocols)
Figure: a client (IP=192.168.100.100) requests http://www.cnn.com/US via Se0/0/0 from www.cnn.com (IP=157.166.255.18).
Ability to extract information from HTTP message
Protocol discovery statistics for GigabitEthernet0/0/3 (output header only):
Input Output
----- ------
Protocol Packet Count Packet Count
Byte Count Byte Count
30sec Bit Rate (bps) 30sec Bit Rate (bps)
30sec Max Bit Rate (bps) 30sec Max Bit Rate (bps)
------------- ------------------------ ------------------------
Check and Install the Correct Protocol Packs
(Just an Example Slide)
Most Accessed URLs & URL Response Times
Quality of Service
Where Can We Classify?
Where Can we Take Actions?
Figure: classification points (ACL, NBAR, DSCP) and actions (set, mutate); traffic without marking/mutation versus traffic marked or mutated.
Shaping/Policing
Traffic shaping: without shaping, bursts go out at line rate; with shaping, the transmit rate is smoothed to the shaped rate and excess traffic is queued.
Traffic shaping limits the transmit rate to a value lower than line rate
Policing: without policing, bursts go out at line rate; with policing, traffic above the policed rate is dropped.
Bandwidth Allocation
Policing discards traffic which exceeds the policed rate
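To make the shaping/policing distinction concrete, here is an added token-bucket simulation (my example, not from the course material) that runs the same burst of packets through a policer and a shaper at the same rate. The policer drops what the bucket cannot cover; the shaper delays it. The packet burst, rate and bucket depth are constructed values.

```python
def token_bucket_run(packets, rate_bps, burst_bytes, mode):
    """Run (arrival_s, size_bytes) packets, in arrival order, through a token
    bucket that refills at rate_bps and holds at most burst_bytes.
    mode="police": a packet that finds too few tokens is dropped.
    mode="shape":  a packet that finds too few tokens waits (queues) until the
                   bucket has refilled, so it is delayed instead of dropped.
    Returns (sent, dropped): sent holds (arrival_s, send_s, size)."""
    byte_rate = rate_bps / 8.0
    tokens = float(burst_bytes)
    last = 0.0    # time of the last token refill
    clock = 0.0   # time at which the shaper queue is free again
    sent, dropped = [], []
    for arrival, size in packets:
        now = max(arrival, clock) if mode == "shape" else arrival
        tokens = min(burst_bytes, tokens + (now - last) * byte_rate)
        last = now
        if tokens >= size:
            tokens -= size
            sent.append((arrival, now, size))
            clock = now
            continue
        if mode == "police":
            dropped.append((arrival, size))
            continue
        # shaper: wait until enough tokens accumulate, then send and empty the bucket
        now += (size - tokens) / byte_rate
        tokens = 0.0
        last = now
        clock = now
        sent.append((arrival, now, size))
    return sent, dropped


def compare(packets, rate_bps, burst_bytes):
    """Summarize both behaviours for the same input."""
    out = {}
    for mode in ("police", "shape"):
        sent, dropped = token_bucket_run(packets, rate_bps, burst_bytes, mode)
        out[mode] = {
            "sent": len(sent),
            "dropped": len(dropped),
            "max_delay_s": max((s - a for a, s, _ in sent), default=0.0),
        }
    return out


# Constructed burst: ten 1500-byte packets arriving at once on a 64 kbps
# contract with a 3000-byte bucket (two packets' worth of burst).
BURST = [(0.0, 1500)] * 10

if __name__ == "__main__":
    for mode, stats in compare(BURST, 64000, 3000).items():
        print(mode, stats)
```

With these numbers the policer forwards two packets and discards eight, while the shaper forwards all ten but holds the last one for 1.5 s. That delay is exactly the cost shaping trades for the policer's loss, which is why shaping suits TCP bulk traffic and why neither is a substitute for queueing priority when voice shares the link.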
Intelligent Path Control with PfR
Voice and Video Use-Case
Figure: a branch connected over MPLS (Private Cloud) and Internet (Virtual Private Cloud).
Voice/Video take the best delay, jitter, and/or loss path. Voice/Video will be rerouted if the current path degrades below policy thresholds.
Other traffic is load balanced to maximize bandwidth.
PfR monitors network performance and routes applications based on application performance policies. PfR load balances traffic based upon link utilization levels to efficiently utilize all available WAN bandwidth.
What PfR Does
Protecting Critical Applications While Increasing Bandwidth Utilization
Hybrid IWAN (MPLS + Internet):
Business App Policy: Protect business cloud applications from brownouts. Preferred path for business applications: SP1 (MPLS). Loss < 5%. Detect loss greater than 10%.
Load-Balancing Policy: Increase WAN bandwidth efficiency by load-sharing traffic over all WAN paths, MPLS + Internet.
Dual Internet IWAN:
Multimedia Policy: Protect voice and video quality. Voice and video preferred path SP-A. Latency < 150 ms; Jitter < 20 ms. Detect high jitter.
Critical Data Policy: Protect VDI applications from brownouts. VDI preferred path SP-B. Loss < 5%. Increase utilization by load sharing.
Performance Routing Components
The Decision Maker: Master Controller (MC)
Discover BRs, collect statistics
Apply policy, verification, reporting
Optimize by: Reachability, Delay, Loss, Jitter, MOS, Throughput, Load, and/or $Cost
Figure: the Data Center runs a dedicated MC; the Branch runs a combined MC+BR.
How PfR Works
Key Operations
Figure: ISR G2 and ASR1K routers acting as MC and BR (MC+BR at branches); traffic classes, learning, performance measurements, active TCs, best path.
Define Your Traffic Policy: Identify Traffic Classes based on Applications or Transport Classifiers.
Learn the Traffic: ISR G2 and ASR learn traffic classes flowing through Border Routers (BRs) based on your policy definitions.
Measurement: Measure the traffic flow and network performance actively or passively and report metrics to the Master Controller.
Path Enforcement: The Master Controller commands path changes based on your traffic policy definitions.
Performance Routing Control Loop
1 Learn Your Traffic Classes: prefix-based flows, ACL-based flows, application flows
2 Measure Network Performance
4 Select Path: send the good path to BRs for each
5 Verify New Path: verify traffic is flowing on the new path; revert to the previous path if performance remains out-of-policy
Sample MC measurement table (branch MC+BR), columns: Destination Prefix | App Id | DSCP | Delay | Jitter | Loss | Ingress BW | Egress BW | BR | Exit
10.1.1.1/32 | | EF | 60 | 10 | 0 | 20 | 40 | BR1 | Gi1/1
10.1.10.0/24 | | AF31 | 110 | 15 | 0 | 52 | 60 | BR1 | Gi1/2
| | 0 | 89 | 26 | 1 | 34 | 10 | BR2 | Gi1/1
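The following Python is an added illustration (mine, not Cisco's PfR code) of the control loop and the policies stated earlier: per-exit measurements in the columns of the MC table, a policy per traffic class with the slide's thresholds (latency < 150 ms, jitter < 20 ms, loss < 5%) and a preferred exit, and a decision that keeps a class on its current path while in policy, otherwise moves it to the preferred or best in-policy exit. The exit names, measurement values and utilization figures are constructed; PfR's real decision logic has more states than this.

```python
import copy

# Constructed per-exit measurements (delay ms, jitter ms, loss %, link utilization %).
PATHS = {
    "SP-A": {"delay_ms": 60,  "jitter_ms": 10, "loss_pct": 0, "util_pct": 80},
    "SP-B": {"delay_ms": 110, "jitter_ms": 15, "loss_pct": 0, "util_pct": 35},
}

# Policies as the slides state them: a threshold per metric (None = not
# checked) and a preferred exit.
POLICIES = {
    "voice_video": {"delay_ms": 150, "jitter_ms": 20, "loss_pct": 5, "preferred": "SP-A"},
    "vdi":         {"delay_ms": None, "jitter_ms": None, "loss_pct": 5, "preferred": "SP-B"},
}


def violations(meas, policy):
    """Metrics on which a path fails the policy (the slides use '< threshold')."""
    return [k for k in ("delay_ms", "jitter_ms", "loss_pct")
            if policy[k] is not None and meas[k] >= policy[k]]


def select_path(traffic_class, current, paths=PATHS, policies=POLICIES):
    """One MC decision for a traffic class currently using exit `current`.
    Returns (exit, reason). Stay while in policy (no churn); move to the
    preferred exit if it is in policy, else to the best in-policy exit; if
    no exit is in policy, stay and flag it (the loop's 'revert' case)."""
    policy = policies[traffic_class]
    in_policy = [n for n, m in paths.items() if not violations(m, policy)]
    if current in in_policy:
        return current, "in-policy"
    if policy["preferred"] in in_policy:
        return policy["preferred"], "preferred"
    if in_policy:
        best = min(in_policy, key=lambda n: (paths[n]["loss_pct"],
                                             paths[n]["delay_ms"],
                                             paths[n]["jitter_ms"]))
        return best, "best-available"
    return current, "out-of-policy"


def load_share_exit(paths=PATHS):
    """Default-class load sharing: steer new flows to the least-utilized exit."""
    return min(paths, key=lambda n: paths[n]["util_pct"])


def degraded_paths():
    """Constructed scenario: SP-A degrades to the third row of the MC table
    (delay 89, jitter 26, loss 1), which breaks the 20 ms jitter threshold."""
    p = copy.deepcopy(PATHS)
    p["SP-A"].update(delay_ms=89, jitter_ms=26, loss_pct=1)
    return p


if __name__ == "__main__":
    print(select_path("voice_video", "SP-A"))                   # stays on SP-A
    print(select_path("voice_video", "SP-A", degraded_paths())) # moves to SP-B
    print(select_path("vdi", "SP-A", degraded_paths()))         # VDI tolerates 1% loss
    print(load_share_exit())                                    # SP-B
```

The point the example makes is that the same degradation moves voice off SP-A but leaves VDI where it is, because each class is judged only against its own policy; a single "best path" for all traffic would either churn VDI needlessly or leave voice on a jittery link.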
Load Balancing
Maximizing Link Utilization to Increase Available Bandwidth
Figure: customer profiles and the matching team.
Customer needs feature-configurable enterprise network management, with network configuration and assurance across the Cisco portfolio from Branch to Datacenter: IT Network Team.
Customer wants massive simplicity and operational automation, use-case point-and-click configuration and highly consistent network requirements with prescriptive Cisco Validated Designs: Lean IT or IT Network team.
Customer looking for advanced monitoring and visualization, network troubleshooting (QoS/PfR/AVC), real-time analytics and flow/device scalability: IT Network team.
Customer wants advanced provisioning, life cycle management, end-to-end monitoring and customized policies, multi-tenant and system-wide network consistency assurance.
Cisco Intelligent WAN APIC-EM APP
The IWAN App for the APIC-EM simplifies network management in an intuitive browser-based GUI and
enables IT automation through centrally-managed policies.
Figure: Embedded Trust Devices (AX): Deploy, Search, Retrieve, Revoke.
Performance Routing IWAN Platform Support
Cisco CSR-1000: MC
Cisco ASR-1000: BR
Figure: data breaches continue; threat actors and aggressors.
Flow sources: NetFlow-capable network devices (routers & switches, firewall, identity) export NetFlow / NBAR / NSEL; non-NetFlow-capable devices are mirrored via SPAN to a StealthWatch FlowSensor, which generates NetFlow. The StealthWatch FlowCollector collects and analyzes up to 4,000 sources at up to 240,000 FPS sustained.
Identify, understand and respond to an incident; discover additional IOCs.
StealthWatch use cases:
Network Visibility: context-aware visibility into network, application and user activity; BYOD; cloud monitoring; IPv6; east-west traffic monitoring; network segmentation; firewall rule auditing.
Threat Detection: advanced persistent threats; insider threat; DDoS; botnet (CnC) detection; data exfiltration; network reconnaissance; network behavior anomaly detection; Cisco Cyber Threat Defense Solution.
Incident Response: in-depth, flow-based forensic analysis of suspicious incidents; scalable repository of security information; retrace the step-by-step actions of a potential attacker; on-demand packet capture.
Network Diagnostics: application awareness; capacity planning; performance monitoring; troubleshooting.
User Monitoring: Cisco ISE; monitor privileged access; policy enforcement.
MODULE 5: Cisco StealthWatch
DNA and StealthWatch
Importance of DNA Analytics and Telemetry
Applications
DNA Analytics and Telemetry Applications can provide feedback
mechanisms, that are built into the architecture to offer continuous
and relevant information about the operational state of the network.
Analytics and telemetry support is offered in the following three ways:
Data collection
Data analysis
Feedback and control
DNA Data collection
The DNA network elements are enhanced to collect data about all
aspects of the network, including the state of the network elements
and the traffic flows pertaining to the services offered by the network.
The data is collected from the following sources:
Routers, Switches, WLC and Access Points
Virtualized Network Functions (CSR 1000v, ASAv)
AAA Servers, layer 4-7 functions
Cisco Adaptive Security Appliance (ASA)
Cisco Identity Service Engine (ISE)
An Architectural Approach
Policy Violations
Audits transactions for policy violations even when perimeter defenses aren't available
Incident response
Capable of recording EVERY transaction
Speeds up understanding of lateral movement after a threat is identified
Forensic investigation for post mortem
Sourcefire FireSIGHT Core Functionality
Sourcefire FireSIGHT and Lancope StealthWatch are primarily aimed at solving different problems
FireSIGHT is an integral part of the Sourcefire NGFW and NGIPS solution and is not a purpose-built
NBA solution
Profile the network and attached devices to provide context for the prioritization and correlation
of IPS event data
Develop detailed host profiles through OS, service, protocol and application identification
Determine relevant vulnerabilities based on host attributes
Provide targeted traffic modeling
Detect policy and usage violations, e.g., hosts running non-business applications
Import third party host information such as vulnerability scan data
FireSIGHT Capability Comparison
Feature | Sourcefire FireSIGHT | Lancope StealthWatch
Data Source | Enriched flow data generated by dedicated sensors, creates detailed network host map | NetFlow/IPFIX from Cisco routers, switches and firewalls, StealthWatch FlowSensor, and other flow sources
Storage | 500M events and 500M flow summaries, usually weeks of data or less | Up to 4TB of storage per collector, usually many months or more. Many Collectors attached to a single Manager
Event Rate | Up to 10,000 events per second, based on appliance model | 120,000+ flows per second per collector appliance. 3M+ flows per second in large deployments per management appliance
Scalability | Based on Defense Center event database max | Horizontal, support queries across multiple FlowCollectors
Scalability of data sources | Single Defense Center can support over 100 sensors, one database | Up to 50,000 sources
Summary of Differences FireSight/Lancope
Sourcefire FireSIGHT:
Sourcefire FireSIGHT is part of a NGIPS and NGFW solution and presents flow information in a way that optimizes intrusion event analysis.
Sourcefire FireSIGHT is protocol aware and determines operating systems.
Sourcefire FireSIGHT builds a real time host map and profiles risk for up to 300,000 IPs on a single Defense Center.
File analysis is not 100 percent effective but those that are detected are quarantined.
Retrospective detection can alert to older malware when new intelligence is added to the cloud.
Client support depends on platform. Network inspection requires a distributed deployment of FirePOWER devices.
FireAMP shows machines infected chronologically but does not show flow information, how the file moved and proliferated.
Lancope StealthWatch:
StealthWatch is a dedicated flow analysis system for threat detection, behavioral analysis and forensic investigations.
StealthWatch is focused on Security but has applicability for Network Operations teams as well.
StealthWatch uses a mix of behavioral profiles, statistical modeling and user-defined policy violations for alerting.
StealthWatch can monitor traffic across an entire enterprise (up to 1M+ unique hosts per collector or 25M+ hosts per manager).
Detection of IOCs can find malware created to evade file analysis or packet inspection but remediation often requires re-imaging of hosts.
User activity recorded and available for both real time and historic analysis of suspect hosts spanning months/years.
Monitors all host activity regardless of machine type, recording transactions for analysis.
StealthWatch has an extensive history of all network communication made by infected hosts to determine the potential exposure.
MODULE 6: Cisco ISE
Need for Cisco ISE
What Keeps CIOs/CISOs Up at Night?
Figure: business trends and security concerns. ISE applies business-relevant policies to who is connecting, where, when and how (wired, wireless, VPN).
Policy Management: Cisco Identity Services Engine (ISE), Cisco Prime Infrastructure
Policy Information: User Directory; Profiling from Cisco Infrastructure; Posture from End-Point Agents
Policy Enforcement: Cisco Infrastructure: Switches, Wireless Controllers, Firewalls, Routers
MODULE 6: Cisco ISE
ISE Features
ISE Policy Platform
What is Profiling?
Collection: the process of collecting data to be used for identifying devices; uses probes for collecting device attributes. Probes: NMAP, NetFlow, HTTP, SNMP, DHCP, LLDP, RADIUS.
Classification: classifies based on device fingerprint.
Rich, Contextual Profiling in ISE
Simple Identity Simply Isn't Helpful Enough Anymore
Persona (one or more of): Administration, Monitoring, Policy Service: runs on a single ISE node (appliance or VM)
Inline Posture: runs on a single inline posture node (appliance only)
Cisco ISE Nodes and Personas
Implementing Nodes, Personas, and Roles
Admin Node
Policy Service Node
Monitoring Node
pxGrid Services
Collector Agent
Inline Posture Node
Policy Server Node
Policy Synchronization
Cisco ISE Deployment Options
Up to 40 PSNs
Supported
Cisco ISE Communication Model
Cisco ISE with TrustSecPolicy Enforcement
Leverage Existing Cisco TrustSec-enabled Network Hardware
Figure: distributed enforcement throughout the network (switch, router, DC firewall, DC switch) for a doctor's laptop, a doctor's iPad, a guest's laptop and a guest's iPad.
ISE Simplifies Enterprise Secure Access
Utilize Vast Network Telemetry for Contextual Access Control
Who: Doctor; What: Laptop; Where: Office; When: 10 am; result: Confidential Patient Records
Who: Doctor; What: iPad; Where: Office; When: 09 am; result: Internal Employee Intranet
Who: Guest; What: iPad; Where: Office; When: 11 am; result: Internet
Transform plain English rules into network policy
Secure Access based on user, device, location, etc.
Leverage TrustSec-enabled HW to enforce at ingress
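As an added example (mine, not ISE's policy engine or its API), the Python below turns the three "plain English" scenarios above into a first-match authorization rule table of the kind an ISE policy set evaluates, with a default deny so that any context the rules do not cover gets nothing rather than the last thing that matched. The result labels and the two extra contexts (a doctor after hours, a doctor off-site) are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    who: str     # authenticated identity or role
    what: str    # profiled device type
    where: str   # location of the network access device
    hour: int    # hour of day, 0-23


# Rule table in first-match order. "*" matches anything; hours are a
# half-open [start, end) window. Rows 1-3 restate the slide scenarios;
# the result names and the 08:00-18:00 window are assumed.
RULES = [
    ("Doctor", "Laptop", "Office", (8, 18), "Confidential_Patient_Records"),
    ("Doctor", "*",      "Office", (8, 18), "Internal_Intranet"),
    ("Guest",  "*",      "*",      (0, 24), "Internet_Only"),
]
DEFAULT_RESULT = "Deny"


def rule_matches(rule, ctx):
    who, what, where, (start, end), _ = rule
    return (who in ("*", ctx.who) and what in ("*", ctx.what)
            and where in ("*", ctx.where) and start <= ctx.hour < end)


def authorize(ctx, rules=RULES):
    """First matching rule wins; an unmatched context falls to the default."""
    for rule in rules:
        if rule_matches(rule, ctx):
            return rule[4]
    return DEFAULT_RESULT


def evaluate_scenarios():
    """The three slide scenarios plus two constructed edge cases."""
    cases = {
        "doctor laptop office 10am": Context("Doctor", "Laptop", "Office", 10),
        "doctor ipad office 9am":    Context("Doctor", "iPad", "Office", 9),
        "guest ipad office 11am":    Context("Guest", "iPad", "Office", 11),
        "doctor laptop office 22h":  Context("Doctor", "Laptop", "Office", 22),
        "doctor laptop cafe 10am":   Context("Doctor", "Laptop", "Cafe", 10),
    }
    return {name: authorize(ctx) for name, ctx in cases.items()}


if __name__ == "__main__":
    for name, result in evaluate_scenarios().items():
        print(f"{name:28} -> {result}")
```

Note what changes the outcome: the same doctor on the same laptop gets patient records in the office at 10 am, nothing at 22:00 and nothing from a cafe, because device, location and time are inputs to the decision, not just identity. Ordering matters too: swapping the first two rows would hand the laptop the broader intranet result before the specific rule is reached.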
Only Cisco ISE Delivers
The Cisco pxGrid (Platform Exchange Grid) is an open, scalable and IETF
standards-driven data-sharing and threat control platform. It allows
multiple security products to work together. Security operations teams can
automate to get answers faster and contain threats faster.
The Cisco Platform Exchange Grid (pxGrid) allows you to integrate your
application into the pxGrid, a multivendor, cross-platform network system
that pulls together different parts of an IT infrastructure such as security
monitoring and detection systems, network policy platforms, asset and
configuration management, identity and access management platforms, to
name a few.
pxGRID Information Exchange Platform
pxGrid - Key Features
Context Sharing Control - Because pxGrid is customizable, you can publish only the specific
information (context) that you want to share, and you can control which other pxGrid partner platforms
it gets shared with.
Bidirectional context sharing - pxGrid enables partner platforms such as yours and others to
either publish context or to subscribe to context; you orchestrate and secure what is published and what
is subscribed through the pxGrid controller, which resides on Cisco Identity Services Engine (ISE).
Share context data in native formats - you share contextual information in pxGrid using the native data
format of your platform; pxGrid does the rest.
Connect to multiple platforms simultaneously - pxGrid enables you to publish only the context data that
is relevant to pxGrid partner subscribers. You can customize numerous context topics for a variety of
partner platforms, yet always share them via the same reusable pxGrid framework. By sharing only relevant
data, both publishing and subscribing platforms are able to scale by eliminating irrelevant data.
Comprehensive SDK - The SDK for pxGrid contains tutorials, sample code, client libraries (in Java and C),
sample data output, testing guides, testing resources and tools, as well as release notes; everything that
you need to get started.
Cisco platform support - Cisco Identity Services Engine (ISE) is the first Cisco platform to implement
pxGrid; you should look to see more Cisco security platforms supporting pxGrid throughout 2015. And you
can start to support pxGrid at any time.
MODULE 6: Cisco ISE
ISE and StealthWatch Integration
Cisco pxGrid Components
pxGrid controller: The controller orchestrates connections between
platforms. It authorizes what contextual information gets shared
between those platforms. This control function is provided by Cisco
ISE.
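The following Python is an added sketch (mine, not Cisco's pxGrid implementation or SDK) of the controller role just described: clients are authorized per topic for publish or subscribe, a publisher's message goes only to subscribers the controller has authorized, and every refused action is kept for audit. The client names, the "SessionDirectory" topic and the session record are constructed.

```python
from collections import defaultdict


class GridController:
    """Stand-in for the controller role: decides which client may publish
    or subscribe on which topic and refuses anything not explicitly granted."""

    def __init__(self):
        self.grants = defaultdict(set)       # (client, topic) -> {"publish", "subscribe"}
        self.subscribers = defaultdict(set)  # topic -> clients
        self.inbox = defaultdict(list)       # client -> delivered (topic, message)
        self.denied = []                     # (client, topic, action) audit trail

    def authorize(self, client, topic, action):
        self.grants[(client, topic)].add(action)

    def _allowed(self, client, topic, action):
        if action in self.grants.get((client, topic), set()):
            return True
        self.denied.append((client, topic, action))
        return False

    def subscribe(self, client, topic):
        if not self._allowed(client, topic, "subscribe"):
            return False
        self.subscribers[topic].add(client)
        return True

    def publish(self, client, topic, message):
        """Deliver a message (in the publisher's native format) to every
        authorized subscriber of the topic; returns the delivery count."""
        if not self._allowed(client, topic, "publish"):
            return 0
        for sub in sorted(self.subscribers[topic]):
            self.inbox[sub].append((topic, message))
        return len(self.subscribers[topic])


def demo_exchange():
    """Constructed exchange: ISE publishes session context, StealthWatch
    consumes it, an unregistered tool is refused, and a subscriber that
    tries to publish is refused too."""
    grid = GridController()
    grid.authorize("ise", "SessionDirectory", "publish")
    grid.authorize("stealthwatch", "SessionDirectory", "subscribe")
    grid.subscribe("stealthwatch", "SessionDirectory")
    grid.subscribe("unknown-tool", "SessionDirectory")               # denied
    session = {"user": "alice", "ip": "10.1.1.5", "sgt": "Employees"}  # constructed
    delivered = grid.publish("ise", "SessionDirectory", session)
    grid.publish("stealthwatch", "SessionDirectory", {"bogus": 1})    # denied
    return grid, delivered


if __name__ == "__main__":
    grid, delivered = demo_exchange()
    print("deliveries:", delivered)
    print("stealthwatch inbox:", grid.inbox["stealthwatch"])
    print("denied:", grid.denied)
```

The separation of the two grants is the security property: a platform that only needs to read session context cannot inject context of its own, and the denied list is what you would feed to monitoring to spot a client probing topics it was never registered for.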