At the end of June, Cisco unveiled an update of its SDN (Software Defined Network) implementation for campus networks as part of its Cisco Digital Network Architecture (DNA) concept. DNA is a software and hardware solution for campus networks built on the latest generations of network equipment, which can be managed through a REST API using YANG models. The update covers the network management system, monitoring and analytics (including analytics driven by machine learning), and the feedback between them, which makes it possible to react proactively to potential network problems and network threats.

Businesses increasingly ask for flexibility in changing their IT infrastructure. For a company, introducing Cisco DNA means moving to a more flexible model of managing the network infrastructure, with visibility into who connected, where, when, and how much data they sent or received.

The Cisco Digital Network Architecture (DNA) provides customers with a variety of tools and features, both software and hardware. Let's look at them in more detail.
DNA Center is a network management system whose main focus is simplicity and ease of access. Cisco abandoned cumbersome, multi-level menus in favor of an intuitive approach. The system fully covers the processes associated with network design and configuration, as well as the definition and rollout of a variety of policies.
The information provided by DNA Center allows you to centrally manage all network functions and optimize network and application performance. Through the management system you can control all devices (whether ten or hundreds of them), configure their automatic provisioning, and significantly reduce the number of errors during automated network maintenance. This is possible because the system receives real-time information about the operation of the network as a whole, the connected network devices, and the applications running on them. Based on an analysis that applies machine learning methods, the user is told which problems are present, what their sources are, and how to resolve them.
Another important aspect of working with Cisco DNA Center is applying policies not to network devices, but to users and applications. This allows you to significantly save time (especially in large networks with thousands of devices), since you do not need to configure policies for specific devices or their groups. For example, you can configure a security policy for a specific group of users without affecting the device — this policy will regulate user access to devices and regulate what operations can be performed on them. That is, instead of setting up dozens of devices, you can set the settings for users once and for all. It also reduces the number of errors associated with the human factor, which is also important in large networks.
Software-Defined Access (SD-Access) is a solution used to automate policy enforcement, identify users and devices, handle their mobility, and segment the network. It significantly simplifies the access of users and devices to the network. SD-Access automates network configuration and troubleshooting, sharply reducing the time these procedures take when done manually, and it does so on any part of the network, from a small department to the cloud. SD-Access provides tools for configuring key functions such as employee access to the network from any location, secure network segmentation, guest access, and integration with the Internet of Things (IoT), data centers, and clouds.
This technology also protects the organization by separating the traffic of employees, devices and applications without reconfiguring the network, and by enforcing the various policies (including security policies) on users and devices automatically. This is implemented through hardware virtualization.
As part of SD-Access, at the end of June Cisco introduced a new generation of access, core and aggregation network equipment optimized for the DNA concept and SDN tasks: the Cisco Catalyst 9300, 9400 and 9500 Series.
Network Data Platform and Assurance (NDP) is an analytical platform responsible for collecting data. This tool is able to classify and analyze the large amounts of information transmitted over the network, including information from users, devices and applications. Based on the processing of this data, DNA Center Assurance provides analytics and operational information on the status of the network and also makes forecasts. A convenient dashboard is provided for working with this information, where you can easily access all the requested functions, for example to manage analytical tasks.
Let's give an example. The Cisco Network Data Platform (NDP) tool collects NetFlow records, Simple Network Management Protocol (SNMP) events, wireless network controller activity, and real-time system logs to constantly monitor how devices, users, and applications behave. Based on this data, the tool establishes what normal behavior looks like and then watches for abnormal activity and unusual bursts of traffic. The processed information is promptly passed to the dashboard, where it is possible to determine the cause of the abnormal behavior of a particular user or device and find a solution to the problem.
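The "learn normal, then flag bursts" step described above can be illustrated on NetFlow-style records. The following is an added example written for this article, not code from Cisco or from the Network Data Platform: it builds a per-host baseline (mean and spread of bytes sent per time window, plus the set of destinations seen) from a constructed history of flow records, then flags later windows whose volume deviates strongly from the baseline, flows to destinations never seen during baselining, and hosts with no history at all. The record layout, hosts, ports and byte counts are all constructed sample values.

```python
"""Baseline-and-burst detection over NetFlow-style records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    window: int   # index of a fixed-length time bucket (constructed, e.g. 5 minutes)
    src: str      # source host
    dst: str      # destination host
    dport: int    # destination port
    octets: int   # bytes carried by the flow


def bytes_per_window(flows):
    """Aggregate bytes sent by each source host in each time window."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f.src][f.window] += f.octets
    return totals


def build_baseline(flows, min_windows=3):
    """Learn, per source host, the mean/stdev of bytes per window and the destinations seen.

    Hosts with fewer than min_windows windows of history are skipped: too little
    data to call anything "normal" for them."""
    totals = bytes_per_window(flows)
    baseline = {}
    for src, per_window in totals.items():
        vals = list(per_window.values())
        if len(vals) < min_windows:
            continue
        dests = {(f.dst, f.dport) for f in flows if f.src == src}
        baseline[src] = {"mean": mean(vals), "std": pstdev(vals), "dests": dests}
    return baseline


def detect_anomalies(baseline, flows, z_threshold=3.0):
    """Return (host, kind, detail) alerts for the given flows against the baseline.

    kind is one of: "volume-burst" (bytes per window far above the host's norm),
    "new-destination" (a dst/port pair never seen while baselining), or
    "no-baseline" (a host that has no learned history)."""
    alerts = []
    totals = bytes_per_window(flows)
    for src, per_window in totals.items():
        base = baseline.get(src)
        if base is None:
            alerts.append((src, "no-baseline", None))
            continue
        # Floor the spread: a perfectly flat history would otherwise turn any
        # tiny change into an enormous z-score.
        std = max(base["std"], 0.05 * base["mean"], 1.0)
        for window, total in sorted(per_window.items()):
            z = (total - base["mean"]) / std
            if z > z_threshold:
                alerts.append((src, "volume-burst",
                               {"window": window, "bytes": total, "z": round(z, 1)}))
    for f in flows:
        base = baseline.get(f.src)
        if base and (f.dst, f.dport) not in base["dests"]:
            alerts.append((f.src, "new-destination",
                           {"window": f.window, "dst": f.dst, "dport": f.dport}))
    return alerts


# Constructed history: five quiet windows for two hosts.
HISTORY = []
for w, octets in enumerate([48000, 52000, 50000, 51000, 49000]):
    HISTORY.append(Flow(w, "10.0.1.10", "10.0.2.5", 443, octets))
    HISTORY.append(Flow(w, "10.0.1.11", "10.0.2.6", 53, 10000))

# Constructed window to check: a burst, a new destination, and an unknown host.
CURRENT = [
    Flow(5, "10.0.1.10", "10.0.2.5", 443, 900000),
    Flow(5, "10.0.1.11", "203.0.113.9", 8443, 10200),
    Flow(5, "10.0.1.99", "10.0.2.6", 53, 500),
]


def run_example():
    """Build the baseline from HISTORY and evaluate CURRENT against it."""
    return detect_anomalies(build_baseline(HISTORY), CURRENT)


if __name__ == "__main__":
    for src, kind, detail in run_example():
        print(src, kind, detail)
```

The z-score threshold and the 5% floor on the spread are tuning knobs: a real deployment would learn baselines over days rather than five windows and would key them on more than bytes per host (for example application, time of day, or user identity), which is exactly the enrichment the article attributes to the platform.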
One of the ways to visualize analytical information is to assign "health scores" to network components. They show where performance problems are present and their most likely cause. The system may suggest a way to fix the problem. It also assesses trends and may indicate where problems are likely to arise in the future, so they can be identified before they affect network performance.
Based on the information gathered by the analytical platform, administrators can make certain changes to the network. In order to test how the network will work after making changes, the Network Data Platform and Assurance allows you to run what-if scenarios. This allows you to see how these potential changes can affect network performance before you implement them.
Scheme of the analytical platform

Encrypted Traffic Analytics is a system for analyzing encrypted traffic. It is part of Cisco DNA because today about half of cyber attacks take place over encrypted traffic, and according to many experts the number of such attacks will only grow over time. Encrypted Traffic Analytics uses machine learning and statistics to detect a variety of threats in encrypted traffic without decrypting it. As a result, administrators save significant time while the confidentiality of the transmitted data remains intact. How does this work? The system analyzes the stream of encrypted data using Cisco Talos intelligence together with machine learning technology. According to company representatives, the solution detects threats with 99% accuracy and a false-positive rate below 0.01%. This makes it possible to detect threats that could otherwise go unnoticed on the network for more than a hundred days; encryption of this kind is used by many ransomware families, including WannaCry and Petya 2.0.
Catalyst 9000 series switches are a new line of switches designed for modern ways of working, with mobile and cloud technologies and the Internet of Things, while ensuring a high level of security.
The switches of these series are built on the new Cisco UADP 2.0 ASIC. The line includes the following series:
The Catalyst 9300 is the next generation of access switches. These switches provide up to 384 Cisco UPOE, PoE+ and PoE ports, high security, integration with cloud services, and support for a set of IEEE standards (including 1588) that deliver the best audio and video content within the network. In total, the line includes 14 models; you can review their technical characteristics via the link.
The Catalyst 9400 is a modular switch that provides bandwidth of up to 8 Tbit/s per chassis and up to 480 Gbit/s per slot. It has built-in security with MACsec 256-bit encryption, supports most of the features and standards available in the Catalyst 9300, and supports secure segmentation using SD-Access. The line includes ten- and seven-slot models; for more details on their functionality, follow the link.
The Catalyst 9500 are the first 40-gigabit switches for the enterprise sector. They support all the basic features of the lower-end models and are the best solution for building the enterprise architecture of Cisco Software-Defined Access. The manufacturer offers three models in the Catalyst 9500 series; their detailed characteristics can be found at this link.
Along with the new Catalyst 9000 series switches, customers can subscribe to one or another piece of proprietary software. It helps solve the most pressing tasks of modern IT: building branch networks, building a secure data center network that works with public, private or hybrid clouds, and streaming audio and video (among other things) across the entire network. Licensing is quite flexible and depends on specific needs. You can subscribe to the full Cisco ONE software package right away, or order only the solutions you need and save money. When purchasing Cisco ONE solutions, customers receive them regardless of the number of machines on which they will be used. For example, if you expand your existing infrastructure and increase the number of servers and virtual machines, you will not need to purchase additional licenses; you can deploy Cisco solutions to them immediately at no additional cost. These licenses are also not tied to specific equipment and can continue to be used after the available hardware is upgraded.
The following Cisco ONE solutions are provided:
Cisco ONE for Access - access control tool;
Cisco ONE Subscription for Switching - switching solution;
Cisco ONE for WAN - a wide-area network management tool;
Cisco ONE for Data Center Networking - a tool that simplifies the creation of scalable, reliable and secure data centers and cloud networks;
Cisco ONE for Advanced Security - a network security management tool.
The bottom line

The Cisco Digital Network Architecture provides users with a wide range of opportunities for building an intelligent, self-learning network with a high degree of automation. This approach frees up a large amount of IT resources and redirects them from routine tasks to more important issues. These capabilities are provided at both the hardware and the software level. The user also receives a reliable system of protection against modern cyber threats and the ability to choose exactly the components needed for the job.