SDN

Experience

What is Cisco saying about security?

Micro-segments

Software Defined Access solution...

• Extend Micro-segmentation to the Campus Network for breach containment and to prevent lateral moves
• Policy-based control for access to segments.

Malware

Stealthwatch

• Cisco estimates that 70% of malware is in encrypted traffic

• Use of machine learning to identify encrypted malware

What is Cisco Saying about Assurance and SD-WAN?

SD-WAN

• Integration of Viptela into DNA architecture
• Simplify WAN and simplify interconnect to cloud based providers
• Extending fabric to the WAN via Viptela

Guidelines...

The Extreme Experience

Assign types of functionality to specific places in the network. Leverage proven repeatable configurations. Modularity divides these pieces up into manageable chunks. Each topology should be designed and configured using the same tools where possible

• Leverage policy and automation
• Filtering/aggregating reachability information
• Forwarding traffic over long(er) geographic distances

Manage Change

Decouple product complexity from network complexity, identify where we want to isolate faults. The problem is a network is not really a single system. It’s a group of interacting systems

• In principle, redundancy is easy, any system with more parallel paths through the system will fail less often
• Adding paths is a tradeoff.
• Increases MTBF in one layer
• Increases MTTR in another layer
• Devices within each fault domain only compute paths within their fault domain.

Adopt a Simple Approach

How would modular design help? Can you tolerate a reasonable degree of network downtime or degradation? How can a simple approach meet your expectations based on testing, best practices and a comprehensive "network centric" control plane?

• Once the topology reached a predetermined size can intentional design decision be made to meet future requirements.
• Leverage built-in intelligence avoid bolting-on additional technology?
• Build-out not up and increase the size of the hub don't just add a layer?

MTTR

MTBF

Identify the balance between Resilience and Redundancy...

The key is to establish a balance between MTBF and MTTR. In the real world, the point where MTTR and MTBF meet is between two and three parallel structures...

• One is almost always too little if you want resiliency.
• Four is almost always too many – And five is right out.
• This applies at all levels of redundancy.

• Circuit/link.
• Device.
• Modular Core.

What is Fast Convergence?

Detect

Calculate and Switch

Notify

Make each step as fast as possible but not at the cost of network stability

Three steps

– Detect

– Notify

Link State Flooding

– Tuned flooding timers

– Reduce flooding domain

Distance Vector

– Reduce update scope (query range)

– Calculate

– Switch

Respond

Management and Security Loop

Pivot

Detect

Management is normally a “slower” loop" which reacts to organic threats...

• Changes in the technology.
• Software Upgrades.
• Normal adds and moves.

Security is a "faster loop" which reacts to inorganic threats...

• Attacks designed to deny service, obtain access, discover information, etc.
• Designed to deny service, obtain access, discover information, etc.
• Looks to assure compliance and an assurance of best practices.

Know the...

• Business drivers
• Change Management
• Worst Case Analysis

Management Guidelines

Understand the...

• Design requirements
• Replacement Technology
• Policy Modification

Establish the...

• Documentation Baseline
• Performance Baseline
• Utilization Analysis

Analyze the...

• Best Fit
• Root Cause
• Best Practices

Make a plan for change...

Topology (Document the trade-offs in your design and know how to back out of the project).

• Layer 2 and 3 (Collapsed or Spine Leaf).
• Link utilization (Time of day or seasonal).
• Outside Services Used (MPLS or Metro).

Policy (Agree and document best practices).

• Where its applied? (Wire and Wireless).
• The intent behind the policy (Automation Security).
• Compliance requirements (HIPPA or PCI).

Modular Boundaries (Normal failure rates).

• Where they are the boundaries? (Campus or Multi-site).
• What is the intent behind the boundary? (Security or fault-based).
• How do you measure? (Does the design meet the business requirement?).

Make a Security Plan...

Crunchy on the outside, chewy in the middle.

• Ask every device to deliver some level of security.
• Establish Automatic (fast) feedback loops.
• Leverage vendor APIs to deliver Crunchy-ness through and through.

What can my network do to make things crunchy through and through?

• Automated anomaly detection and leverage analytics on network traffic
• Understand the target or the type of attack? Decide what happens if you toss this traffic, scrub it, honeypot it, or... ??
• Determine if I need to change my edge policies? – Should you allow an automated process to handle edge policies as needed?

Understand the Attack Vector...

Crunchy on the Outside - One of my machines has been zombied – What is the address of the master host? On what port did they get through?

• Decide - Where do I implement new filters to stop this from happening in the future? What is the best way to block this specific attack?

• Act - Wait for a change window. Implement the new filters.

• Test - Avoid false positives impacting poor end-user experience.

Simplify the Edge

Edge

Services are provisioned at the edge.

From 4-10 Protocols to 1

Fabric

Services

Service your network like a Strategic Asset...

Cisco

DNA Strengths

Cisco Fabric is an EVPN derivative (Control plane based on LISP). It provides separation of location and identity. Cisco heavily promotes the value of its custom ASICs within the Catalyst 9300 and 9400 touting features such as 32MB packet buffers, 384K Flex Counters, 64K x2 Netflow records.

• Intent Based framework is complex and expensive.
• Using CLI breaks controller based deployments
• Requires Cisco Professional Services).

Cisco will be pitching their quantitative results in terms of reduced time to service, improved mean time repair, less on-boarding time etc. Their results look very similar to stats Extreme has had for many years.

Cisco talks about a two pronged strategy consisting of Software-Defined Access and Software-Defined WAN. Their installed base of WAN / CPE routers put them in a position of strength to migrate that base to SD-WAN.

Weaknesses

Response

Cisco is trying to create a financial lock-in. Cisco will position this OpEx model as a way to dis-aggregate the software investment from the hardware investment. Thus, customers are able to benefit from continuous innovation and maintain continuity of their software through generations of hardware churn. Cisco ONE has been designed around large Enterprises that don’t have price sensitivities, as Cisco owns the Fortune 100 practically unchallenged. The Cisco ONE pricing model allows them to position the Catalyst 9k at a 20% premium.

Is DNA going to be a another repeat of ACI which many customers could not get to work due to its complexity? To avoid this Cisco has introduced a host of DNA Services (Pro Services) to try to enable adoption. One of the major values that Cisco talks about is its zero-touch provisioning capabilities. Extreme offers a simpler approach with it’s Zero Touch Provisioning +.

Extreme is focused on using merchant silicon (like the rest of the industry) for faster time to service and so we can focus on what is really of value…. The software. Custom ASIC development is time consuming with new chips taking an average of 2-3 years.

Fabric

Extreme Platform

Extreme Strengths

Extreme’s Automated Campus offers a consistent architecture across wired and wireless. With support for Fabric Attach (on ExtremeWireless today, coming soon for WiNG) and consistent policy enforcement, analytics capabilities and management between wired (EXOS) and wireless, the Extreme Automated Campus offers a unified solution. The native security strengths of the Fabric are also nicely complemented by the capabilities of ExtremeAnalytics, allowing the extraction of metadata from DPI to feed other security tools in the architecture and deal with breaches that make it past the initial lines of defense.

Integrated XMC software delivers great time-to-value with consistent application visibility and fabric to edge policy enforcement. Our policy plus hyper-segmentation capabilities have been proven unbreakable in Hackathons at CalTech, Syracuse University and others.

• Security - Stealth, frictionless hyper-segmentation capabilities. Defender delivers security fore IoT.
• Analytics - Massive and customizable fingerprinting
• End to end - Consistent architecture for converged campus/ Data Centers

Weaknesses

Response

How many protocols do you want? Cisco Campus Fabric (LISP, VXLAN and TrustSec) is based on technologies that haven’t had market uptake. Plus, their fabric requires a L3 routed underlay to function; therefore, you are simply adding complex overlays to an already complex underlay.

Furthermore, Cisco is lacking consistency between the campus and data center architectures. Fabrics need to be stitched together via MG-BGP and segmentation and policy are different concepts that need to be manually patched together to achieve any sort of integration

Fabric Connect is based on Ethernet (MAC-in-MAC) and IP (IS-IS) – technologies all customers easily understand. It enables customers to migrate away from complex overlays.

• Ethernet 2.0 - Extreme Fabric runs native w/o additional protocols features flexible edge-only policy based provisioning.
• Simplicity - Fabric Connect is so logical and intuitive, customers have deployed on their own with only a 2hr hands-on introduction from an SE
• Multi-casting built-in featuring Distributed Virtual Routing.

Extreme XMC

DNA Center

Extreme Management Center is a fully integrated solution that offers a single tool for network management, access control and analytics. Only Extreme Offers Single Pane of Glass Management with a 360 degree view

Extreme provides consistent Layer 7 control and visibility across wired and wireless. Analytics data is merged with policy data and location data to provide customers a complete 360 degree view . This dramatically reduces the number of tools the customer needs for insight and visibility and simplifies the overall operations of the network.

In next generation networking, it’s the tool set and quality of experience that matters. And this is where Extreme and it’s carefully integrated solution really shines. Furthermore, applications at L7 (on wired and wireless) are automatically detected (regardless of port) and based on their identity have the right policy applied dynamically.

DNA Center (which is Cisco umbrella management system) is nothing but a marketing wrap that consists of multiple disjointed point products (ISE, APIC-EM, NDP) that are not integrated!

Cisco ISE is limited to Layer 4 policies, which do not provide the granularity required to control your network on a per device per user per application basis.

With their disaggregated tool set that doesn’t provide consistent Layer 7 control and visibility, Cisco doesn’t have the capabilities of Extreme to differentiate between network performance issues and application performance issues.

Although Cisco mentions support for wireless in its marketing materials; their solution is clearly wired-centric. Policy, control and analytics support has not changed for wireless with the introduction of DNA and remains disjointed. The only thing of note for wireless in the DNA architecture is that the Wireless LAN Controller (WLC) participates in the LISP control plane of the Fabric.

It comes down to...

With Cisco,

With Extreme,

you are going to have to buy more products. Integrate those products. Spend a fortune on pro-services to get everything working and deal with a mound of complexity when something breaks.

Cisco offers ACI in the Data Center and DNA in the campus. The controllers are different (APIC versus APIC-EM) and the underlying technologies are different (COOP versus LISP) requiring MP-BGP to be used to bridge the two together.

Ask your customer how much they are going to have to pay Cisco to actually deploy this solution? And how will they troubleshoot it when something breaks?

Cisco offers multiple disjointed tool sets for analytics that provide similar capabilities with varying degrees of integration. For example application recognition and location information require different tool sets.

Quality of Experience is everything. You will end up purchasing fewer products that fill the same need. Every part of your IT operations from deployment to daily management is vastly simplified through the fully integrated wired and wireless solution.

One architecture, one protocol and one operational model. What could be easier? Extreme offers edge-only policy based provisioning of Hyper-segments that are easy to deploy, manage and troubleshoot.

ExtremeAnalytics also offers network and application performance QoE by base lining response times for critical applications and alarming when something is out of range. Network operators can see impacted clients, create events and quickly drill down to troubleshoot.

Design Guidelines...

Adopt a Simple Approach

How would modular design help? Can you tolerate a reasonable degree of network downtime or degradation? How can a simple approach meet your expectations based on testing, best practices and a comprehensive "network centric" control plane?

• Once the topology reached a predetermined size can intentional design decision be made to meet future requirements.
• Leverage built-in intelligence avoid bolting-on additional technology?
• Build-out not up and increase the size of the hub don't just add a layer?

Manage Change

Decouple product complexity from network complexity, identify where we want to isolate faults. The problem is a network is not really a single system. It’s a group of interacting systems

• In principle, redundancy is easy, any system with more parallel paths through the system will fail less often
• Adding paths is a tradeoff.
• Increases MTBF in one layer
• Increases MTTR in another layer
• Devices within each fault domain only compute paths within their fault domain.

The Extreme Experience

Assign types of functionality to specific places in the network. Leverage proven repeatable configurations. Modularity divides these pieces up into manageable chunks. Each topology should be designed and configured using the same tools where possible

• Leverage policy and automation
• Filtering/aggregating reachability information
• Forwarding traffic over long(er) geographic distances

Identify the balance between Resilience and Redundancy...

The key is to establish a balance between MTBF and MTTR. In the real world, the point where MTTR and MTBF meet is between two and three parallel structures...

• One is almost always too little if you want resiliency.
• Four is almost always too many – And five is right out.
• This applies at all levels of redundancy.

• Circuit/link.
• Device.
• Modular Core.

MTTR

MTBF

What is Fast Convergence?

Make each step as fast as possible but not at the cost of network stability

Three steps

– Detect

– Notify

Link State Flooding

– Tuned flooding timers

– Reduce flooding domain

Distance Vector

– Reduce update scope (query range)

– Calculate

– Switch

Detect

Notify

Calculate and Switch

Management and Security Loop

Respond

Management is normally a “slower” loop" which reacts to organic threats...

• Changes in the technology.
• Software Upgrades.
• Normal adds and moves.

Security is a "faster loop" which reacts to inorganic threats...

• Attacks designed to deny service, obtain access, discover information, etc.
• Designed to deny service, obtain access, discover information, etc.
• Looks to assure compliance and an assurance of best practices.

Pivot

Detect

Management Guidelines

Establish the...

• Documentation Baseline
• Performance Baseline
• Utilization Analysis

Know the...

• Business drivers
• Change Management
• Worst Case Analysis

Analyze the...

• Best Fit
• Root Cause
• Best Practices

Understand the...

• Design requirements
• Replacement Technology
• Policy Modification

Make a plan for change...

Topology (Document the trade-offs in your design and know how to back out of the project).

• Layer 2 and 3 (Collapsed or Spine Leaf).
• Link utilization (Time of day or seasonal).
• Outside Services Used (MPLS or Metro).

Policy (Agree and document best practices).

• Where its applied? (Wire and Wireless).
• The intent behind the policy (Automation Security).
• Compliance requirements (HIPPA or PCI).

Modular Boundaries (Normal failure rates).

• Where they are the boundaries? (Campus or Multi-site).
• What is the intent behind the boundary? (Security or fault-based).
• How do you measure? (Does the design meet the business requirement?).

Make a Security Plan...

Crunchy on the outside, chewy in the middle.

• Ask every device to deliver some level of security.
• Establish Automatic (fast) feedback loops.
• Leverage vendor APIs to deliver Crunchy-ness through and through.

What can my network do to make things crunchy through and through?

• Automated anomaly detection and leverage analytics on network traffic
• Understand the target or the type of attack? Decide what happens if you toss this traffic, scrub it, honeypot it, or... ??
• Determine if I need to change my edge policies? – Should you allow an automated process to handle edge policies as needed?

Understand the Attack Vector...

Crunchy on the Outside - One of my machines has been zombied – What is the address of the master host? On what port did they get through?

• Decide - Where do I implement new filters to stop this from happening in the future? What is the best way to block this specific attack?

• Act - Wait for a change window. Implement the new filters.

• Test - Avoid false positives impacting poor end-user experience.

Fabric Attach

Simplifies

the Edge

Edge

From 4-10 Protocols to 1

Services are provisioned at the edge.

Benefits…

• Faster to Deploy
• Stability
• Faster Resiliency

Fabric

Service your network like a Strategic Asset...

Services

Cisco

Cisco Fabric is an EVPN derivative (Control plane based on LISP). It provides separation of location and identity. Cisco heavily promotes the value of its custom ASICs within the Catalyst 9300 and 9400 touting features such as 32MB packet buffers, 384K Flex Counters, 64K x2 Netflow records.

• Intent Based framework is complex and expensive.
• Using CLI breaks controller based deployments
• Requires Cisco Professional Services).

DNA Strengths

Weaknesses

Cisco will be pitching their quantitative results in terms of reduced time to service, improved mean time repair, less on-boarding time etc. Their results look very similar to stats Extreme has had for many years.

Cisco talks about a two pronged strategy consisting of Software-Defined Access and Software-Defined WAN. Their installed base of WAN / CPE routers put them in a position of strength to migrate that base to SD-WAN.

Response

Cisco is trying to create a financial lock-in. Cisco will position this OpEx model as a way to dis-aggregate the software investment from the hardware investment. Thus, customers are able to benefit from continuous innovation and maintain continuity of their software through generations of hardware churn. Cisco ONE has been designed around large Enterprises that don’t have price sensitivities, as Cisco owns the Fortune 100 practically unchallenged. The Cisco ONE pricing model allows them to position the Catalyst 9k at a 20% premium.

Is DNA going to be a another repeat of ACI which many customers could not get to work due to its complexity? To avoid this Cisco has introduced a host of DNA Services (Pro Services) to try to enable adoption. One of the major values that Cisco talks about is its zero-touch provisioning capabilities. Extreme offers a simpler approach with it’s Zero Touch Provisioning +.

Extreme is focused on using merchant silicon (like the rest of the industry) for faster time to service and so we can focus on what is really of value…. The software. Custom ASIC development is time consuming with new chips taking an average of 2-3 years.

Extreme Platform

Fabric

Extreme’s Automated Campus offers a consistent architecture across wired and wireless. With support for Fabric Attach (on ExtremeWireless today, coming soon for WiNG) and consistent policy enforcement, analytics capabilities and management between wired (EXOS) and wireless, the Extreme Automated Campus offers a unified solution. The native security strengths of the Fabric are also nicely complemented by the capabilities of ExtremeAnalytics, allowing the extraction of metadata from DPI to feed other security tools in the architecture and deal with breaches that make it past the initial lines of defense.

Extreme Strengths

Weaknesses

Integrated XMC software delivers great time-to-value with consistent application visibility and fabric to edge policy enforcement. Our policy plus hyper-segmentation capabilities have been proven unbreakable in Hackathons at CalTech, Syracuse University and others.

• Security - Stealth, frictionless hyper-segmentation capabilities. Defender delivers security fore IoT.
• Analytics - Massive and customizable fingerprinting
• End to end - Consistent architecture for converged campus/ Data Centers

How many protocols do you want? Cisco Campus Fabric (LISP, VXLAN and TrustSec) is based on technologies that haven’t had market uptake. Plus, their fabric requires a L3 routed underlay to function; therefore, you are simply adding complex overlays to an already complex underlay.

Furthermore, Cisco is lacking consistency between the campus and data center architectures. Fabrics need to be stitched together via MG-BGP and segmentation and policy are different concepts that need to be manually patched together to achieve any sort of integration

Response

Fabric Connect is based on Ethernet (MAC-in-MAC) and IP (IS-IS) – technologies all customers easily understand. It enables customers to migrate away from complex overlays.

• Ethernet 2.0 - Extreme Fabric runs native w/o additional protocols features flexible edge-only policy based provisioning.
• Simplicity - Fabric Connect is so logical and intuitive, customers have deployed on their own with only a 2hr hands-on introduction from an SE
• Multi-casting built-in featuring Distributed Virtual Routing.

Extreme XMC

DNA Center

Extreme Management Center is a fully integrated solution that offers a single tool for network management, access control and analytics. Only Extreme Offers Single Pane of Glass Management with a 360 degree view

Extreme provides consistent Layer 7 control and visibility across wired and wireless. Analytics data is merged with policy data and location data to provide customers a complete 360 degree view . This dramatically reduces the number of tools the customer needs for insight and visibility and simplifies the overall operations of the network.

In next generation networking, it’s the tool set and quality of experience that matters. And this is where Extreme and it’s carefully integrated solution really shines. Furthermore, applications at L7 (on wired and wireless) are automatically detected (regardless of port) and based on their identity have the right policy applied dynamically.

DNA Center (which is Cisco umbrella management system) is nothing but a marketing wrap that consists of multiple disjointed point products (ISE, APIC-EM, NDP) that are not integrated!

Cisco ISE is limited to Layer 4 policies, which do not provide the granularity required to control your network on a per device per user per application basis.

With their disaggregated tool set that doesn’t provide consistent Layer 7 control and visibility, Cisco doesn’t have the capabilities of Extreme to differentiate between network performance issues and application performance issues.

Although Cisco mentions support for wireless in its marketing materials; their solution is clearly wired-centric. Policy, control and analytics support has not changed for wireless with the introduction of DNA and remains disjointed. The only thing of note for wireless in the DNA architecture is that the Wireless LAN Controller (WLC) participates in the LISP control plane of the Fabric.

With Cisco,

It comes down to...

With Extreme,

you are going to have to buy more products. Integrate those products. Spend a fortune on pro-services to get everything working and deal with a mound of complexity when something breaks.

Cisco offers ACI in the Data Center and DNA in the campus. The controllers are different (APIC versus APIC-EM) and the underlying technologies are different (COOP versus LISP) requiring MP-BGP to be used to bridge the two together.

Ask your customer how much they are going to have to pay Cisco to actually deploy this solution? And how will they troubleshoot it when something breaks?

Cisco offers multiple disjointed tool sets for analytics that provide similar capabilities with varying degrees of integration. For example application recognition and location information require different tool sets.

Quality of Experience is everything. You will end up purchasing fewer products that fill the same need. Every part of your IT operations from deployment to daily management is vastly simplified through the fully integrated wired and wireless solution.

One architecture, one protocol and one operational model. What could be easier? Extreme offers edge-only policy based provisioning of Hyper-segments that are easy to deploy, manage and troubleshoot.

ExtremeAnalytics also offers network and application performance QoE by base lining response times for critical applications and alarming when something is out of range. Network operators can see impacted clients, create events and quickly drill down to troubleshoot.

Disruptive approach to networking is needed

Network as a Strategic Asset

Build your network as

a strategic asset.

Who owns your network?

Ownership

What is OpenFlow?

Reality

Goals

Competitive

v MPLS

Agility

Disaggregation

Spine Leaf Goals - Optimized for Performance while Ensuring Interoperability, Flexibility, Scalability...

• Delivers Investment Protection with the best total long-term costs
• Leverages Best-in-Class Storage, Compute, Orchestration, and Hypervisors
• No vendor lock-in – standards-based

Double every 18 Months

Moores Law

He has been right for 50 years

No Chassis Religion

No Chassis

Religion

but we recognize the use case.

Flexible

Cisco ONE Simplifies Software Purchasing

Licensing

What do you own?

Cisco One

Purpose Built Applications Ongoing Innovation License Portability & Flexibility

Cisco ONE

A-la-carte model continues to be available

• Simplified ordering and ongoing entitlement
• Updates and upgrades included (requires mandatory Cisco Software Support Service (SWSS) beyond year 1)
• Licenses portable for hardware refreshes (requires SWSS beyond year 1)
• Better together pricing i.e., discounted bundle
• Customers are more likely to be current on software versions

Details

Cisco ONE Competitive Analysis

Analysis

Extreme’s Competitive Advantages

• Secure Automated Campus – Security, Simplicity and Intelligence
• Fabric Connect – Proven Simplicity & Enhanced Security (Stealth & Hyper-segmentation)
• Extreme Management Center – Superior Analytics, Visibility & Control for Wired & Wireless
• Best of bread switching and wireless solutions
• Extreme’s existing product and services offers are simpler and have price advantages
• Extreme’s #1 ranked support

Design

The Why?

The Why

Assure

Plug n Play

Products

Value

Cat 9300 Pricing

Pricing

Cisco Catalyst 9400 (A New Era in Networking

Chassis

Application Policy Infrastructure Controller

APIC Controller

APIC-EM similarity to Smartphone - The APIC-EM has:

• A strong base platform for SDN use cases
• It has build in App’s (eg QoS, ACL, Policy etc)
• It offers an API to be used by ISV & App’s can be developed by many One App example – Jabber / Unified communication integration