128 Technology Networking Platform Overview

Captions
Good morning, everyone. I'm Sue Graham Johnston, I'm the president here at 128 Technology, and I want to add my warm welcome to Tom's introduction. Thank you all for traveling here to be with us. We've got an exciting day full of technology and full of helping you understand how our product is solving some really fundamental problems in the networking world today.

So our thesis is that companies actually use networks to deliver applications and services; they actually don't want to worry too much about the network itself. And when you focus on that, and you're dealing with the challenges of cloud and mobility and security, you recognize that the network is actually misaligned with how companies want to use it today. We've got a team full of serial entrepreneurs and diehard technologists that really stepped back and took a deep look at this problem and understood that if we just reorient networking to focus on the session, we can get rid of about 30 years' worth of technology workarounds and overlays, simplify the network itself, and help businesses achieve their goals.

So we've been around for five years. We hit our five-year anniversary this month, in July, and with that we've been delivering continual innovations. So now when you face some of these challenges, whether it's a skinny pipe and dealing with the fact that current technologies add a lot of overhead to that, or dealing with high-bandwidth applications and managing the fact that things get locked onto a single core, we've effectively innovated around many of those problems and are able to deliver a single technology that scales from very low bandwidth to very high bandwidth and actually works and implements security frameworks and application delivery, whether you're in the cloud, whether you're still on-prem, and no matter what applications you're delivering.

So we have a full team of folks today who are going to talk to you about what our technology does, how it works. So in the morning we'll go really, really deep on what we
do and how it all works, and then in the afternoon you'll see lots of demos about how it's applied and the different problems that we solve. So with that, I'm going to turn it over to Ritesh, who's going to talk you through an overview on the company and more about our technology. Thank you, I hope you guys have a great day.

Morning, everybody. My name is Ritesh Mukherjee. I'm gonna walk you through an overview of the product, what the product does. My job is pretty easy today: I only have to tell you what it does, and then there'll be some other guys who'll tell you how and everything it works. Then you guys can ask the more tough questions at that point. But having said that, I'm gonna give an overview of why we are different, what we do, and so on.

First of all, what we make: we make session-based software routers. We make only software routers. Our routers can run on any hardware, leverage capabilities of the hardware, and of course achieve line-rate forwarding. Why we are different from any other company or any other networking company is because we are session based. Routers in general, they forward packets when they get them, they learn routes, they forward packets. If you want to block things in certain directions, you put ACLs; you want to change things, you make tunnels; you want to add capabilities, you service-chain things. In our case we are session based, in the sense we keep track per flow, which routers don't do; they are stateless. In our case we are stateful, and the advantage of doing that is we're able to collapse all other functions into the router itself and also achieve a lot of other benefits. I'm gonna talk about some of these benefits and some of the high-level capabilities of what the product does.

First of all, why we decided to make something which is very different. The reason is, like Sue mentioned, the age-old paradigm doesn't work anymore. Networks have changed. User data is now everywhere. We regularly face questions from people like: my data is
in Slack, is in Google, is in ServiceNow, Office 365; how to protect everything?

Also the way people operate has changed. It was easier to have walled gardens, and the reason was you had big computers which were placed in branch sites; you didn't take them out, you didn't move them around. It was easy to, you know, create a perimeter. Today you can't have a perimeter, mainly because you have laptops, your mobile phones; people are using these, they move around, they work from home, they work from Starbucks. We actually have our developers here, they work from a coffee shop, they come back here and they plug the Ethernet cable into the data center and start working. Well, they just bypass the firewall if they do that, and we want to prevent these kind of things from happening.

Also organizations are moving their data into public clouds. One of the advantages of doing that obviously is you get all the benefits of resource sharing and everything else, but also the disadvantage is everyone does things a slightly different way, so now you have a problem of having consistency with regards to security, policy management and so on in public and private clouds. We want to solve that.

And of course the world is moving towards white boxes. Today the capabilities we get from white boxes is far superior to what we can get with even ASIC-based hardware, and I'm going to talk about how some of these companies have used white boxes, why we believe also why that's the right way to go and that's the right way to deliver software.

If you look at how the network has been built traditionally, you had routers which were stateless, I just spoke about it; they forwarded packets. If you want to do something special like block things in certain directions, you added firewalls. If you wanted to move loads in one direction over the other, you added load balancers. You wanted to find out what these things do and what they mean, you had deep packet inspection. And finally, if you wanted to move things in one direction over the other,
you added tunnels. Tunnels helped you build, you know, pathways which allow you to not follow traditional routing but do special things. What we noticed is every other, other than the router, every other device in the network that you're adding keeps state, and it works on flows rather than working on packets alone. What we decided is we can add statefulness to the router itself; we can collapse all of these middleboxes and all of this functionality into the router itself. By doing that we'll be able to make the router more intelligent. We will achieve further benefits like we don't use overlays, we don't eliminate tunnels, bandwidth savings, very high scale, very high performance, and of course lower costs and lower power usage and everything else as well.

So how did we do that? We added four capabilities to the router. But before that: we look at things as sessions. For us, all communication between any two parties on the Internet or on the network is a session. For example, a conversation between me and YouTube is one session. I ask YouTube to send me packets and YouTube sends me packets; that's one session between me and YouTube, that's a valid session. If YouTube sends me packets without me having asked YouTube to send me packets, that's an attack on me. We can learn many things from sessions this way. Sessions can be directional, they can have source and destination IP addresses, they also have a lot of capabilities which enable us to perform different tasks on them. We believe that the network exists to deliver sessions, which is applications and services, and that's how you should configure networks. We've also changed the way we configure networks: rather than having 10.10 talk to 1.1 all the time, we follow service-based models for forwarding traffic, and I'll talk about that in a little bit.

We have done four things to enable things in the router. I'm going to talk about this, and then I'm going to talk about how we apply that in the network itself. We have made
the router session aware, which means we keep state per flow. It's a transient state, only maintained during the duration of the flow. This tells us many things; for example it tells us source and destinations, we can do directionality. We also understand many things based on session state, and we forward based on this state. The router will run existing traditional routing protocols like BGP, OSPF, IS-IS with other routers in the network. We learn all routes from them, but we don't forward based on those routes; we forward based on what the service tells us, in the sense what these sessions tell us. For example, you can create a service saying give sales access to Salesforce, and you can have some sort of SLA associated with it, and we would follow that SLA. We would create a state when we see a packet, a flow going towards Salesforce, and we would forward based on that state. I'll go through a packet walk to say how we do that as well.

We have made the router service centric, in the sense it's similar to intent-based networking. But having said that, what we wanted is, instead of having tunnels talking, 10.10 to 1.1, all the time, we wanted to make routers work as services so that they followed your business policies. For example, same example, if you want sales to dr.
Salesforce, you can define a service saying Salesforce is located on the internet, and you just tell all the routers, hey, give sales access to Salesforce, and they all understand that whenever sales traffic comes in they have to send it towards the internet because that's where the service is located. It's service based, it's name based. The advantage of doing that is every time you make changes in the network you don't have to go and configure IP addresses again and again; you can do it by using names.

Waypoint settings: we wanted to control the paths in the network just like you do with tunnels, but without, of course, having the overhead and creating tunnels. We do that by using waypoints. Waypoints are basically the interface IP address of the router itself, the IP address of the interface on the router, and by following these IP addresses we can create a path in the network, similar to segment routing but without any overhead. The routers keep state on how to forward this traffic and they do not add any overhead on the packet itself. It'll be clear when I do the packet walk in the next slide.

And finally, we wanted to establish a logical connection between two entities in the network. We do that by using our intelligent cookie, which we add only in the first packet, and it's called metadata. We add it to the first payload section of the packet, and that tells the other side what's the logical understanding between these two routers. We never have to send that metadata again because the routers do keep state and they forward based on that state.

These are the four things which enable us to do many cool things in the network, and let's go and talk about how we do that. I'm gonna do a packet walk to explain what's Secure Vector Routing. We call it Secure Vector Routing because obviously it's secure, it's a secure connection, it has directionality inbuilt, we can also do encryption and authentication via FIPS 140-2 certification, and it's vectors in the sense it's
directional, so that's why we call it Secure Vector Routing. That's the way we forward packets. Let's look at how we would do that. Let's say you have a source and destination; you want to send packets from source to destination. You have two of our routers in the middle; you could have many, let's say you have two. It doesn't matter what the underlay is: this could be MPLS, internet, LTE, VSAT, any sort of connection. WP1 and WP2 are the interface IP addresses of the routers itself; we're gonna use that for forwarding this.

Like I mentioned, let's say you want to send packets from source to destination. Like I said, we are a deny-by-default router or a firewall as well, so deny-by-default router or a firewall, in the sense we are the opposite of a router: you have to have policies to forward packets rather than having ACLs to block packets. You don't need to have ACLs in our case; we just have firewall rules, similar to that you have service rules in our routers. When a new session comes in, based on this five-tuple we figure out: have we seen this session before or not? Let's assume we have not seen this session; this is a new session and we want to create state for it and have it forward traffic. We would of course check if it has policies associated with it. If it has no policy associated with it, we would drop packets. We want it to work like a firewall; we want to be a zero trust network. There is no way you can spoof the router into believing, hey, this is a malformed packet, just forward it somehow. The router would say, I just don't have a service route or a route to forward you. We have to create a route first and have a valid policy for it to forward traffic.

Let's say this has a valid policy and we want to forward this traffic. What we would do is we would take the source and destination IP addresses from the packet and we would put it in the metadata portion of the payload. This is the extra information we're adding to the payload only in the first packet. The
payload is, the metadata is signed and authenticated so that no one can tamper with it. We then do a NAT. The NAT basically changes the source and destination IP addresses of the packet to WP1 and WP2, so now every router in the middle is thinking it's sending packets from WP1 to WP2, waypoint 1 to waypoint 2. That's how we control the path in the network. You can have a series of waypoints and you can control the entire path if you wanted to. Finally, we apply any other policies associated with the session; for example, if you want to encrypt it, we want to do some QoS, we want to do anything else, we would do all of those functions. We would send those packets out. Every router in the middle thinks it's sending packets from WP1 to WP2; it forwards that traffic. When of course it reaches WP2, we extract the metadata. We know from the metadata what the source and destination IP addresses are. We do a NAT; that NAT changes the WP1 and WP2 to the source and destination, and the packet is sent towards the destination.

This way we established, at this point these two routers will keep state for that flow. They keep a state telling it how to NAT packets, with packet number 2 to n: how you do that, how you keep state, how you forward things, how you NAT it back. The advantage of doing this is the destination never sees a change in the packet. What happens in the network, if there are link failures or node failures or any sort of failures or session migration, we migrate from let's say internet to MPLS or LTE or any other pathway, that is always hidden from the destination, any change in the network. The reverse path also is guaranteed: now the routers know that for the reverse traffic they have to send it from WP2 to WP1. This establishes symmetry of paths in the network. By having a symmetrical path we are able to better control QoS and everything else in the network itself. This is how the routers keep state and forward traffic. Any questions on this before we go to what the
benefits this brings?

Now, so you talked about the first packet that comes through, this sets up this state. How then does return traffic and the traffic following know to maintain that state? How do you identify that flow then?

Absolutely. So what it does is basically based on the five-tuple, which is the source and destination IP addresses, the source and destination port, and the protocol, the routers keep state that, hey, anytime you see this five-tuple, you NAT this way and you send this packet out, and whatever are the service-associated things you have to do with that, for example security or anything else. And in the reverse flow they do the reverse; they keep that state as well. Then any packet going from destination to source, now you NAT it this way and send it back.

Right, but your state table, when traffic comes in, let's say it's the third packet, not the first, how does the receiving router know which flow it's part of?

So from the five-tuple, because now when he sees anything, let's say the receiving router here sees WP1, WP2, and he has picked a destination port here on this router, so from that he knows it's a unique flow, and he had analyzed. There's a unique, yes, a unique port assigned each flow, right? So when originating router then sends to that port? Absolutely. So what this guy will do, the source router, when he knows he has to send traffic to this guy, he picks a combination of WP2 and port, unique port address, so that we know the combination. And then those ports are transient, like the flow is down, that gets torn? Yeah. We have a reserved port number? Absolutely, we have, and we have a reserved set, I mean in the sense we use part of the reserved set, and the next, not the next session but the session after that, they're going to go in more details on which ones we pick. But you're absolutely right, we will pick a unique so that we know this session is unique; otherwise you won't be able to distinguish it
in the session is another. I always say it's session oriented true through it, because the session based, per session we will do everything.

Are you looking into the state of the underlying transport protocol as well? You're looking for a SYN packet and the first thing?

So you're right, yeah, we do keep a state machine. We do follow the TCP SYN, ACK and everything else, because we also keep that in mind, so if we don't see a flow for a while we know how to, or if we see a FIN come back then we know we can delete that state. For UDP we maintain a timer; after a while when we don't see any more packets we will take away that state. So we do use that of flow, we do participate in the SYN, ACK, ACK exchange so that we know what is happening. Also be used for many other things, in the sense for TCP optimization and other things, other features we have which we'll cover later, but we want to follow the TCP SYN-ACK, window sizing and so on.

First segment you receive is a mid-flow segment, is that OK or is that an error?

It is possible that you may receive mid-flow. For example, it's possible in the receiving side, let's say there is a failure in the network and now you choose another path; in that case it would make a mid-flow from another interface, but because he has state, he knows that this is mid-flow for the previous session; he recreates it back.

I'm imagining a network convergence event over on the, yes, I mean maybe that first 128 router didn't see the beginning of the flow because it took some other path.

By default, reject. We have a setting that can override the TCP state machine if that's desired, and that can be set on like a per-service basis actually.

And I think I understand you maintain path symmetry between waypoint addresses? That's correct. Because they believe the more routers you add the better symmetry you get? Yes sir, yeah. How do you enforce symmetry on the return path from the host? I mean, what if, you know, the network on the
right side believes there's a better way to reach back to the source that's not through 128 routers?

Ah, you mean if it bypasses these routers instead of sending it back to this disrupt

I have like a real circuit that for some reason is chosen as the return path.

If it's possible that this, then the destination may choose, in that case it will be established as a different flow. We will have two flows, in the sense when it comes back here he will think there's another session state and he will forward based on that. It doesn't have to be that they have to be symmetrical, but it will keep both; there is a state for one direction and a state for another direction.

OK, so that's OK too? Yeah, yeah. Thank you.

Let's talk about network virtualization before we talk about the benefits. Like I said, we have a very unique data model, and it's gonna be covered in more detail in one of the sections here. But having said that, what we want is we want to drive things towards services. Like I said, we don't want to always configure 10.10, 1.1 and so on. Ultimately that's what the network does and that's what the routers do, they obviously work on IP addresses, but to configure them what we have done is we have got names. And how it works is you can have tenants. Tenants are basically groups of users; they can be based on interface address, based on virtual interface address or anything else. You can define ways how you identify tenants. We're also working on, you know, you can do that from Active Directory or LDAP and other things, you can identify tenants, but having said that, they're groups of users. For example, sales can be a tenant. And services, what the tenant has access to; for example it can be Facebook, it can be Salesforce, it can be your own private application, it could be IP phones or anything else. Service routes are basically where that service is located; for example it could be located in your data center, it could be located in a public cloud or
anywhere else. The advantage of doing this, of configuring networks this way, is we can have policies per session, unique policies per session, and we can also make it location independent. For example, if I have my own data center and I have a service hosted there, I tell everybody, hey, send sales traffic to that database which is located in my data center. Once I see that the load is increasing on the data center, I could enable the same service in, let's say, AWS, and all the routers in the network would understand, hey, now for the same service I have a new service route, it's in the data center, I can load balance to that as well if I want to, and so on. So it makes it very elastic, it makes it mobile, it makes it location independent, and that's how we configure routers in our policy.

Also these policies are global, in the sense once you tell any of our routers or the conductor, which I'll come to in a second, the conductor which is basically telling every router where everything is located, they all understand how to forward traffic based on that. You don't have to go and configure ACLs or policies per router itself. It's a global data model.

If you look at the way networks are configured today, you need to have VRFs for segregating traffic. You create VRFs, you import/export VRFs, you do encapsulations and tunnels, you use route redistributions, you have firewall rules, NAT rules, ACLs and so on to configure networks. For example, if you let's say have users, sales, games, phones, and they have to access services which are on this side, and we're going to use this example in some of our demos as well, you would create VRFs for each of these, you would put them in VRFs, you would, you know, make sure that all the routers understand those VRFs in the middle, set policies accordingly and configure the network. It's a very flat way of configuring networks. You have to go and configure everything on its own. It's not
end-to-end, it's not directional, it's static, and it's a flat topology. If you were to do the same thing in, let's say, the 128T context, you would have it this way, in the sense you would have your authority, which is your global authority, and then you would have tenants who have access to services, and all routers understand this logic and they forward based on this. Even our management tools and everything will show you in this graphical way. You can add, modify, remove things. For example, if I added a new service here and I gave it to surveillance, you would see another leg here which would give that access to the service. The advantage of configuring things this way: it's end-to-end, it's directional, it's dynamic, and it's hierarchical. It makes it very easy to configure networks; you don't have to go and make changes per router and so on. Any questions on services before I go to the routing functions?

So I guess I do have a question on how you're determining it. So I guess the question here is identity, right? So you're identifying services and you're identifying sources. I mean, is that all just based off of IP ranges, or is there any more intelligence in how you're determining identity?

Identity of the users: we have integration with LDAP and so on, also you can use that for doing. We have some integrations with NAC, network access control, like Genians and others, whom you can have endpoint agents, and we can take feedback from that agent and then also identify traffic. And of course the traditional way is by doing interface IP address and so on; all of those exist as well.

So you do have some deeper options, freebase, alright, how our user authenticates the network? Right, alright, we do have some other capabilities. I mean, I wouldn't say we have integration with all that clients, but many, yeah. And as it's required we will, yeah, we will add more. That's true.

How does the router deal with traffic that doesn't originate from it? So like if a
client or whatever initiates a Zoom call with somebody behind one of your routers, just treat it as a regular session or?

Right, so there are a couple of cases which may happen. One is, let's say there's only one 128 on the path; in that case it would not do this, it would work as a normal router. It would forward packets, because it already understands routes. It would not add the metadata, it would not do SVR, it would work as a normal router. The other option is, like he mentioned, if it bypasses our router by some sort, the client bypasses, like Zoom and other things, they can do intelligent port mapping to do bypass. If they do that then it'll be established as two separate sessions and it would forward traffic that way. It would not add the SVR metadata if it doesn't see the upstream 128 on the path. That's true.

Let's talk about some of the functions now. Because we are not having tunnels and we don't have this overhead, what would happen for us: we have failsafe delivery at all times, in the sense any failure, we monitor all paths in the network using BFD, using an enhanced BFD. We know delay, jitter, loss in every way. If there are sessions on that path, we can color the sessions and from that we know how much delay, jitter, loss is on those paths. Any time we see a degradation or a link failure or a node failure, we move sessions to other paths. In case of tunnels, when you do that you have to reestablish a backup tunnel, or you have these backup tunnels up all the time, which, you know, introduces scale challenges and so on. In our case failures are always sub-second, in the sense anytime there's a failure in the network we would go through and re-establish another path, and since we use in-band signaling, even if we go through any firewall changes or any NAT devices in the network, we recreate those sessions back. We don't see any issues in the event of a change of IP address or anything else, and the
advantage is immediate establishment in any scenario. It doesn't matter if the flows, because we don't have any tunnel establishment time or any delays. Failures are always sub-second in our case; as long as there's a path it would find another path which meets that SLA and fail over to that network.

The conversation below it's not related to the church by someone get into flavor or capability to technical capability of the solution. One of the things that I'm a little bit unclear on, and I might have missed it earlier, is there's a very ambitious product from a capabilities perspective. So most of the time when competitors come in and talk to me or my clients about this type of solution or similar SD-WAN solution, it's very use-case specific, you know, replace your MPLS, do some reductions in overhead or VPN. What's the predominant use case for what customers are considering this?

So there are a couple of cases. It's a general-purpose router so it can be used in all scenarios, but having said that, there are a couple of scenarios in which the solution really shines through. One of them is when there are large number of sites. For example, if there are thousands of sites and you want to make a full mesh of tunnels, let's say you have 5,000 sites, it's impossible for any branch router to maintain 5,000 times 5,000 tunnels per branch router to talk to everybody or to make a full mesh, so then you have to do hub-and-spoke; it increases complexity. At that time, because ours is an any-to-any connection at any point of time, that provides high scale and high performance. So when the number of sites is higher, this solution really, really shines through. The other case is when there are low-throughput links like satellite, or any low latency running low-throughput links like DSL or others, because we're not using tunnels. I'm gonna do a comparison later on on the overhead sizes and so on, but having
said that, you'll see a 30 to 40 percent reduction in bandwidth usage because we're not adding a full IP header, which tunnels do. The advantage of doing that is obviously we will lower the bandwidth usage; you will see better performance of applications, so congestion will be lower. So when low-throughput links are there this solution really shines through; LTE or other connections are there, it really works really well. So those two scenarios I would think it works the best. Also for multi-cloud scenarios: we were just discussing yesterday that since cloud providers charge you based on the size of the instance and also based on the amount of traffic you will send outside the network, if you reduce the bandwidth usage by 30% you automatically pay them less. So those are the scenarios in which this really makes a huge difference: the amount of data you're sending is high, low-throughput links, and of course large number of sites.

Because as I'm thinking through, as you're trying to display some comments and also compete with other SD-WAN providers, most of the solutions out there are additive, and then to say I'm going to replace my general-purpose router with these solutions, that's the scary pavement to me, to most enterprise customers, especially when you're talking about into thousands. Like, there's so much that goes into that decision. I'm just really struggling with kind of the business case around why I hate what's going to technologies.

Normally when we go talk to a customer we're not out there trying to do a full-scale swap of their entire network with 128 routers. I mean, if they want to do that, we're happy to do it obviously, but we usually try to seek out what are their real problems in networking, what are the problems that they have to solve, and help them solve that problem, and then from there, you know, obviously gain traction and see where else we can deploy. But we're not out actively seeking to replace somebody's full
scale network. We'll work with existing legacy routing frameworks, you know, other routers, Cisco, Juniper, other products. You know, we want to be in the network where it makes sense and where we can help solve specific problems.

And I think that's the one other question I had, if you can get back, is where it makes sense. So traditionally I see SD-WAN at the WAN, but again, general-purpose router, I can put a general-purpose router anywhere on my network. Is the WAN the number one use case that is going out there, or are we seeing these in other parts of the network other than the WAN?

Right, so we have actually some use cases in the second half of the day, but having said that, WAN is of course one of the biggest. Multi-site connectivity, any edge connectivity is big for us. Cloud, multi-cloud is big for us. Data center interconnect or hybrid interconnect, any sort of, you know, data center movement; those are the main areas where we are being used today and the deployments are large in those areas. Having said that, some also use this for internet peering and so on, but those are a little more rarer I would say today. It's more in for later, yeah.

We also have all sorts of existing functionality like you see in traditional routers. QoS: you can do great QoS with our routers, granular control, since we don't aggregate things into tunnels and just copy the ToS bits out. Per session you can define any sorts of SLAs, you can tell what to do with that and we will do QoS for that. We have great load balancing capabilities. Like I said, you can create elastic policies, so you can define where the loads go and it will balance those loads. We have different kinds of, round-robin, hunt, different kind of policies you can apply to, you know, 50/50 split, fill this data center up first then others, 70/30, all that kind of distributed load management. We also
have a lot of WAN op capabilities in the router itself we can do TCP acceleration to improve poor performance so you don't need to have caching and so on in all other devices doing that you can do that in the routers as well all the session based capabilities you can do in our router today you say caching on the way and after only four first session basis yeah we don't do CDN but it's not caching for future sessions we would not do that but yeah what we would do is we would maintain a few do a fast stack and we would maintain packets for that session so that we can replay them quickly okay yeah zero trust security there's a session on security later on but I just wanted to touch upon some other capabilities we have like I said we are a deny-by-default router so the traditional way of doing is based on perimeters you put firewalls in the perimeters or you take your traffic you trombone it to a cloud gateway where you scrub the traffic and you send it out in our case what we want is every router to be the firewall itself and like I gave the example do this you can bypass firewalls because you have bring your own devices devices are moving or you can bypass firewalls by doing that in our case what we want is every router is the firewall itself so for every every router itself it'll do hop-by-hop authentication so for example if you had packets going towards one direction if they're malformed we wouldn't send them to the endpoint and it would not cause a DNS attack or a bit not DNS attack we would drop them as on the source itself we have another feature which is called adaptive encryption basically it detects TLS and IPSec encrypted flows and doesn't re-encrypt them if you want you can set policies that 80% of the world's traffic today is already TLS encrypted so you don't need to re-encrypt them that may doesn't make any sense it just takes a performance hit if you do that so we can detect it and not re-encrypt it we are a distributed firewall we have ICSA
certification we just got it last month we are fully layer two to layer four ICSA certified firewall we deny by default in the sense just like a firewall you need to have rules for services the rules can be very generic you can say send all traffic to Internet or you can say very specific things like only send sales traffic to Salesforce and so on and of course we follow directionality I already gave some examples how directionality helps us detect things and we don't forward traffic unless it's in the right direction some of our compliance we keep getting asked encapsulation doesn't give you encryption encryption requires AES-256 just encapsulating a packet is not what gives you encryption we also do NATing so it's the same as IPSec we masquerade traffic in fact I would say it's better than IPSec because IPSec you can see the inner header in our case there is no inner header so you save so you save bandwidth and also you get all the encryption capabilities we can do AES-256 any other AES-128 HMAC-SHA-256 any other things we have certified we also have PCI and FISMA compliance we have also ICSA certification from PCA from four PCI compliance so you can build PCI compliant and HIPAA compliant networks using us and like I said we are all the corporate firewall certified product firewalls applause multi-cloud in concept so you know what's a OS in an AWS it's not the same what OS is this and that's not the same as a VM instance so wow I may have the same general firewall across the infrastructure I don't have the same endpoint concepts or what are you guys doing to help with that applying a consistent policy across yeah I mean one of the challenges is consistency across multiple clouds because everything like you mentioned everyone does it a slightly different way of configuring things in our case all the policies are global and when we do the demo you'll see so many many make a change it applies globally to all routers in the network or all our routers in
the authority in in the group of routers you have so any it's always consistent across the group of routers in in the network they'll all follow the same policies the names of same service models in the sense directionality any restrictions you have or any QoS settings or anything else it would follow that all the time globally so the advantage of doing that is on a per router basis you don't have to go to AWS and configure things separately or go to Azure and configure things separately if they are both in the same Authority in the sense under the same domain they would be configured similar way and they would work similarly so that's how we achieve a consistency and policy across multiple clouds okay so we're going to go we're going to go deep into yeah build short demo and actually we have a demo on that yet service assurance so we monitor all paths in the network different parts in the network if we have traffic like I said we'll monitor that traffic we can color the traffic and monitor it if we don't have traffic we can use BFD to monitor the path we use an enhanced version of BFD so we get delay jitter and loss being we have sequence numbers in there so we can get delay jitter loss on all paths you also know the loads on every path so what we can do is anytime there is a there is a session which had needs a certain amount of SLA we put it on that path if let's say things change and session degrades we would immediately modify what we would we would change its path and we would send it over another path and the network would meet that SLA if there's no no path which meets the SLA we'll use best effort and we'll create an event it will tell you that we are doing best effort right now but failures in our cases are like I mentioned a sub second all the time so any degradation and path you will see instantaneous failover to another path in the network we can also send the same packets over two paths in the network if it's a very high value traffic and you want
to make sure that no node or link failure on any path causes any any degradation of the flow what it does is basically this router will remove duplicates and send only one of the the paths out we can do that for heterogeneous networks as well you can duplicate flows before I sum up and let others go into a little more detail analysis of what of what the routers do all of our routers they have capability you can access them by a CLI or a GUI each of the routers can they have a GUI itself you can go into that and you can configure things we also have a network monitoring and management tool called the conductor the 128T Conductor which itself is based on our REST and NETCONF APIs you can access that you can use that to manage all of our routers the the tool is mainly an Orchestrator in the sense it doesn't participate any routing decisions or doesn't need to trombone traffic routers do not need to wait for it it only uses it to disseminate policy so it tells everybody what the policies are you can also take our API you can integrate it with third-party tools any existing third-party tools you have you can also use that for doing big data analytics you can export the data and use it for doing big data analytics using Splunk data logic or other things and of course you can use any devops tools to manage your routers you can also you routers using OpenStack VMware vCloud director many of ICS use different different tools for different customers deployments Puppet Chef Ansible they're all used to manage routers that means you're exposing an API that any of those devices can consume yeah so it's we have a Swagger API which you can use you can see ever see old all the commands and yeah you have to make the right calls to make those calls and of course the routers will do that yeah a flexible deployments just to give an idea of finally now we talked about all of this thing we talked about all the software how do you make it run and how do you how do you do what
what is required the speed of the performance of the routers depends on how many cores we will have so for example I have taken some examples to give you an idea of the performance of the routers on a two core let's say an Intel platform or a two core Intel platform or a four core Intel platform we will do about 10 Meg to 1 Gbps throughput it's very high performance because like I said we use DPDK we program hardware so everything works and works and at the line rate the two core are the four core devices I don't know they are about 350 400 dollars depending on on the platforms you choose if you go for higher end let's say for Intel Xeon processors you can use that 10 core 12 core Xeon processor and you'll get about 10 10 gig of traffic through it and the higher you go let's say you use 22 core you can get about 80 gig 100 gig throughput through it obviously Xeons give you much better performance than the Atoms the low-end Atoms but it depends on the number of cores you will have it pretty much linearly increases with the number of cores you give our software if you service chain us with somebody else in the box like for example a security VNF or something then it depends on how many cores you assign us your m Nicko's you assign them depending on the cores you assign us you'd get that much performance and the same thing for for our cloud deployments depending on the size of the instance the size of the EC2 instance or the size of the instance you choose that's the performance or throughput you get in the network it scales linearly with the number of cores you gave us pretty much partnerships obviously we have a lot of partnerships for doing different different kinds of things we have technology partnerships with of course we use Intel you're big on Intel we have partnerships with Palo Alto Zscaler for service chaining for higher layer 7 functionality security functionality and so on we have hardware partnerships with with all of these all of these partners you can
choose from any of them we can recommend you to our partners as well who can set it as an appliance to you we have cloud partnerships we are available in all the three marketplaces you can go to any of their marketplaces we can search for the 128T networking platform and you'll see us you get zero touch deployments you can just deploy them there we have support partnerships for delivering services and support your managed service partners who deploy us in different parts in the network and in different different geographies as well and we have sales partnerships with with many of them who who enable us who use our solutions in their in their managed service solutions and so on in the network on the cloud deployments that just means I'm the point of 128T endpoints a router effectively into one of those clouds my VPC well that's correct and you can use it to you know connect to your branch sites or anything else or between the multi clouds you can do that so there's no like special partnerships you oh we do have yeah so we have co-sell partnerships with Microsoft and others so they recommend us and their solutions we do the same we have co-sell partnerships with with Microsoft and AWS yeah an example of some of our deployments these are some of the public reference customers we have I took a look at a couple of varied ones to give you a flavor we're going to talk more about the use cases in the second half but a quick introduction is one of the customers we have CMC networks they are the largest pan African and Middle East carrier they use our software today to provide enterprise connectivity to their their enterprises one of the challenges they face is because they are located in Africa the bandwidths are not very great in many paths paths they operate in and to do that they have to use and they have SLAs with these customers so they need to make sure they meet those SLAs by using some of our solutions have been able to guarantee that they meet
those SLAs they're able to support hours of sites and since we don't use bandwidth overhead it improves their connectivity improves their speeds improves congestion they actually have done an analysis in which they say that just because they don't have to pay the penalties now they are able to recover most of their costs just because the elemental penalties about materials they are a construction company in the Midwest in the tri-state area they they have remote sites which they need a video feed to come through all the time because they monitor the number of trucks going through that that's how they then they need that feed all the time otherwise they are in the dark there were you able to use our solution and advanced QoS and they have LTE connections and point-to-point wireless which they use and they have seen a lowering of 50% to 50% TCO and they believe that there's a saving of 1 K per truck per day bakery because they are now able to judge better how much materials they'll get what will happen in the network and so on finally revision systems they are a unified communications provider to 300 hospitals in the US and Canada one of the challenges they face is that the middle network which they don't control may have issues and then the quality of experience is degrades for the hospital by you placing our routers at the hospital sites and by using multipath connectivity by using LTE as backup and so on they're able to bypass the problems they face with the with the service provider in the middle and be able to guarantee SLAs they actually say that now they can extend their SLA from the data center to the customer site and because they're able to use our they have done some integrations and they're able to onboard customers faster now they've improved uptime and SLAs which they have overall before I hand it to the next presenter to go in more details on the on the data model I just want to sum it up by saying overall the 128T networking platform
we do a couple of things we make things simple we remove tunnels and overlays we are not we are completely software based so you can use white boxes for deploying us it makes it very simple to use we are agile the reason is because of the service-oriented nature of the way you configure things in on that work in a network built by us you'll be a very agile you can you can add remove modify services on the fly which makes it very useful we're zero trust we follow a zero trust model we can authenticate encrypt and segment traffic for us each session itself is a separate hyper segmented flow you don't aggregate things into tunnels you don't do any of that using our solution because we use no overhead you have bandwidth savings in the network low congestion high scale we already spoke about some of these things you can do dynamic optimization and of course savings based on all that because you're reducing the bandwidth usage and you have improved any of reduce your cost of middleboxes and and hardware you have better cost savings in the network any questions before I hand it to the next presenter to talk about the data model you get five minutes left so I'm gonna try and use the pause yeah let's do that nice all right so one of the things that I'm not completely understanding is the end-to-end value of the solution as I'm looking at moderate solutions that are as aggressive as this they're taking a look at all we've from the endpoint in the cloud through the wide area network and the management of that so can you tell me a little bit more about the management story of why I would choose a 128 technology solution when I can get a end-to-end solution that kind of has a end-to-end vision of traffic and network flow one of the things we we always notice is that even though like for example even though you have two routers in the middle and you're sending traffic people say oh I'm sending ten gig yeah I'm sending ten gig but most of them are retransmission so the application doesn't
see those benefits but the advantage of our solution is we monitor everything on a session level so per session we can tell you what happened in the network we monitor all packets in the network what was sending the traffic how many were retransmitted how many were dropped and so on so you have excellent visibility using our using our solution into what what happened in the network you can generate reports you can actually use those reports to tell customers a this is exactly what I did with all the packets you gave me this is what happened in the network so you actually have very good monitoring of every path it took what happened in the network which router which packets were dropped or whatever in a QoS what happened happened in the network regarding the end-to-end story I already mentioned we do use integrations with others others to you know provide an end-to-end story if you do have parts of the network which of course not not with 128 then you can extract the data from our routers and in extrapolate it combined it with others to do big data analytics or whatever merge with other other things in the network but we do have great analytics or capabilities to analytics because of the session data we maintain like per session we know everything what has happened in the network and we can tell you what's going on and we also have some advanced capabilities which is which is the team is working on and they will talk to you and then in the second half it's called step basically we have will have a central repository which will have all this data not only the data on what happened with the package but also performance and SLA data for different links so at any point it's like a heat map you can see what was going on in the network and what happened in the network at different times and you can replay them you can you can you know see alarms and events happening so you can judge based on that hey five o'clock just like Google Maps tells you tomorrow 10:00 o'clock
traffic is going to be like that based on all this historical data you have you can tell tomorrow five o'clock what's going to happen in the network or what is the congestion you'll see and so on they will be able to talk to me little more about that stealthy capability so operationally you know everyone loves the white box story until they have to actually deploy and manage white boxes so you know one of the advantages of sealed solution is that when it comes to alerts operating system management all that stuff that makes a network actually work what what are some of the tools and mitigations you guys give us for when it comes to hardware failure failure in the white box and managing that is that a separate is that managed separately or is that part of the one tool again solutions we are trying more and more to take that on in the sense we currently we have all capabilities in our in our solution itself to see memory usage throughput anything happening with the hardware itself the how much memory is being used is there's a memory spike if there's no CPU overloaded as temperature or anything happening we take all that data and we show you in the 128 we want to given of course like an appliance like feel to it even though you're using white boxes once you put our our solution on the white box we wanted to have like an appliance like feel so we do take all that data and show it to you including like for example if using LTE will show you stats from the LTE driver and what happened you know how much how much is the throughput and everything what frequencies have been used we do have those APIs now and it shows you all in the in the in our product itself having said that you know sometimes the rare case it does happen people go into the next and try to do things but we are trying to avoid that and take more of the functionality and give appliance like feel using our software alone going how does this platform work in a country like China that blocks VPNs currently
people won't get blocked if that happens but having said that it's not our intention to bypass the security settings they have or anything like that but that's true that we don't use VPNs so we would actually go through their network today but having said that that is not the intention it's just the way we work we don't use VPNs having said that of course they can use IP addresses and so on to block us today yeah I mean we have seen instances where it is possible to use that in those functions as well yeah
Info
Channel: Tech Field Day
Views: 2,841
Rating: 4.8461537 out of 5
Id: DGP95kMiGbI
Length: 52min 43sec (3163 seconds)
Published: Thu Jul 25 2019