Deep dive into Cisco’s latest SD-WAN announcements and innovations

Captions
[Music]

Hello and welcome to Networking Field Day 19. We are here this morning with Cisco. We've got some brand new special announcements coming your way from the folks at Cisco. This is a great time; we get a chance to kind of see what's on the horizon for technology, and it's a great opportunity for the folks around the table to kind of give you their thoughts and their feedback about what's going on. It looks like we're gonna be talking a little bit about SD-WAN. That's a hot new topic that I think a lot of people are very interested to learn a little bit more about, because Cisco's had a really great history with SD-WAN for a long time, both, you know, back when it was kind of at the forefront of the technology with their IWAN product, but also now that they've acquired Viptela. In fact, I see some of my fellow friends hanging out in the back; we're probably gonna hear from them pretty soon, so you're gonna want to stay tuned to this whole presentation. We've got a lot of great content headed your way. You can interact with us right now. It's really easy to do: all you have to do is get online and go to Facebook Live, where you're probably watching this video right now. You can leave comments on this video. You can also get on Twitter, tweet out your thoughts using the hashtag #NFD19. We'd love to hear what you have to say about this, what your perspective is on everything. This is gonna be a really great time. I'm gonna go ahead and turn it over to our host here at Cisco, because I know they got a lot of great content coming your way. We're gonna be going for two and a half hours this morning, so we've got a lot of great stuff coming up, so don't miss it.

All right, thank you, Tom. Great to see all of you. I just got reminded of the fact that it was exactly two years ago that this crew was talking to us, grilling us, asking a lot of nice questions, and out came a whole bunch of new innovations from there. So first off, I want to thank you guys for doing this. We have a lot of new and exciting stuff to
talk about today around SD-WAN, the whole evolution that we are seeing with respect to cloud, security. We're not just going to talk about it, we're going to show this in action as well, so a lot of demos today for sure, right? So let me introduce myself: Ramesh Prabagaran, on product management for Cisco SD-WAN. I come in through the Viptela acquisition, which is where I met you guys last. I was running product management there, and we have an all-star crew today, from Rohan to David to Hamza to Kureli, like a whole bunch of folks that'll be talking about SD-WAN and all the innovations there. Let me help just set up the problem and kind of where we are, and then I'll turn it over to Rohan to go through the rest of the details.

So back in 2016, and I'm not going to go too far back, just go back to 2016, it was really early stages, I would say, right? The technology was there, early customers had deployed it. That's the phase that I would call the SD-WAN uprising, right? Like the first hundred customers who really dived deep into the pool were able to see the value of that, and they were able to deploy as well. The genesis of SD-WAN, as we all know, was really around: how do I take expensive MPLS circuits, add broadband, and build a fabric out of that, and get the cost efficiencies and the cost arbitrage that came with it? Along with that we saw a whole bunch of deployments around segmentation: how do I do mergers and acquisitions, how do I segment my network for line of business, for compliance, and so on and so forth. So those were kind of the early adopters of the technology, really focused on this, along with kind of how do I bring business partners into the mix and give them access to the infrastructure. So this was two years ago.

Last year was the phase I would call SD-WAN maturing, mainly because there were a couple of acquisitions. The pioneers who actually jumped into the deep end of the pool were able to see the deployments work and were able to
scale it to, like, thousands of sites in some cases as well, and the focus at that time was: okay, now I got the cost arbitrage and the efficiency is there, how do I get security to work? How do I do direct Internet access into Office 365, and how do I have an on-ramp into AWS, Azure, and so forth? So DIA and DCA were really key topics of conversation amongst all of our customers last year, and so we built a lot of technologies and innovations around that. It was also the time that managed service providers, large telcos in particular, jumped in and said: hey, I have a managed service offering, so if you are an enterprise customer you can actually get this as a service from me. I'll give you the circuit, I'll give you the managed capabilities on top; you don't have to worry about your network, irrespective of whether it's a hundred sites or thousands of sites. And with that also came kind of virtualization: I have a really cool technology in the form of SD-WAN, I'll bring security into the mix, I'll bring elements of optimization, and I'll offer everything in a virtualized form factor. So that was last year.

Fast forward to this year, and I'm sure many of you have seen the stats around this: in the next two years, ninety percent of the enterprises are going to make a decision on SD-WAN. It's no longer a question of if, it's purely a question of when, and that's one of the reasons why you saw Gartner as well issue the Magic Quadrant, and it helps separate what I would call the men from the boys. There are a few vendors who show up on the top right because they have the credibility and the deployments to show. This year, every single WAN conversation that we are having inside of Cisco, and as Cisco you should expect us to be at the table at least on many of these WAN conversations, every single one of those WAN conversations is an SD-WAN conversation, right, across every vertical, be it public sector or utilities, retail, manufacturing,
financials, and so forth. So every single one of them is a WAN conversation, and there are two things in particular that keep coming up time and again: one is, how do I use this opportunity to revamp my security architecture entirely, and how do I build efficient on-ramps into the cloud. So all the innovations that we will talk about today and show you in action are going to be revolving around what are we doing with respect to cloud, what are we doing with respect to security, while at the same time making sure that you get a really good view into how we are migrating customers from their traditional network architecture to the architecture of today. So those are kind of the main topics that we have. I'm going to turn this over to Rohan, who'll talk about the problem and what we are doing about it as well.

Thank you, Ramesh. Before I get started, quick introduction: my name is Rohan Grover, I'm part of the product management team in SD-WAN, and I'm going to double-click into a few of the things that Ramesh was talking about, specifically around the new innovations on security and multi-cloud. And there's a clicker here. So this picture should be fairly familiar to you guys. We are in a world, sorry, we're in a world where your traditional campus and branch is no longer the same. We're in a world where you have mobility that is pervasive everywhere, IoT devices are becoming the norm, everyone wants to connect to everything at any point of time on any device, and our traditional concept of where applications sit is fundamentally changing. There used to be a time when it was the data center and a private cloud. It's no longer that; you still have that, along with things like IaaS and SaaS, and it is truly a multi-cloud world. With all the conversations we've had with our customers, more than 85 to 90 percent of our customer base is looking to have applications in more than a single cloud, right? So everybody is looking at, whether it's AWS or Azure, Office 365 or Salesforce, there are
multiple clouds. Now the WAN is really the connecting fiber between all of these, and this connectivity is no longer through internet... through MPLS circuits. We are depending on internet connectivity, and internet connectivity is now becoming business critical, and it's no longer a best-effort kind of transport anymore. Enterprises are looking at Internet as the way to access their applications across the multi-cloud. Now this becomes important because when you are doing this, you have to ensure the same level of reliability as well as security over the internet links that you expected over MPLS, and you're talking about enterprises that have a few campuses, some branches, and thousands of users that are all mobile, right? So this is a fairly complicated problem statement that we're trying to solve, and all of these interconnections are making life harder for network administrators, not necessarily easier. The cloud makes users' lives easier; it doesn't necessarily make the network admin's life easier.

Yes? Oh, yeah, I... you got a question?

No, I'm listening intently though, thank you.

Right, so the new paradigm that we see is that there is certainly this gap between users, devices, IoT things, and multi-cloud, and this gap is creating a new paradigm called the cloud edge. The cloud edge, in our mind, is where networking and security and cloud all come together, right? And this is going to become, or this is currently, the new battleground on the WAN side, right? And we need to figure out how we are going to protect the cloud edge. There's clearly a level of exposure now, with internet becoming pervasive and business critical, that didn't exist in the past. Security is fundamental to securing the cloud edge. Application experience: MPLS provided you a guaranteed SLA and metrics because you were paying for that. The Internet is no longer that guaranteed purveyor of SLAs. We have to make sure that the experience is consistent whether you are going over an MPLS circuit or going over an Internet circuit, and it has to give you the same level of performance characteristics that MPLS used to give you. And complexity: of course you have to make sure that the WAN is intelligent enough to be able to take the best path with the most secure path to anywhere you want to go.

So let's dive into the security piece of this. How do we do security today in a branch? There's typically four ways of doing security in a branch, and I'll go over all of them, and there's pros and cons to each of them. So the traditional way of doing it is: you want to get access to the Internet, you basically go from your branch location, backhaul it to your data center, and then go to the Internet. Now there's pros and cons here. Security is easier here because your security perimeter is actually in your data center, and you have all of your security appliances sitting there. The user experience is not as good: when you're going to a SaaS application or to the multi-cloud through a data center, you're going to have performance implications.

The second way that we would do this is through cloud security: let the security be handled directly by the cloud. There are a number of vendors out there that say that we can handle your security, you don't actually need security sitting in your branch, you can do it all in the cloud. Now while that may be fairly simple, there's not any effort required by the enterprise to do this, a lot of large enterprises get very nervous when you talk about essentially outsourcing your security to the cloud, right? There's a level of control that they lose, and they don't like it, right? So while this is doable, this is probably not the model that a lot of enterprises are going to do.

The third model is: you're really paranoid about security, you want to deploy a unified threat management system in every branch, right? So this gives you a level of control that you didn't have with option two. However, this does get you a lot of complexities: it is more expensive to have a dedicated
UTM appliance sitting in every branch, and management becomes the problem: you have two different points of management, for your routing and SD-WAN as well as for your security appliances. Lastly, you could do all of this, where you could deploy all of these in some form or fashion, and a lot of enterprises actually do this today. Like, there's no one single answer here, but again, this increases complexity and this reduces control, based on what you do in which branch. So we believe that we actually have an answer that might be better than all of these. The question really is: how can I maintain choice and control when you're connecting to a cloud-first and a multi-cloud kind of world?

So what we are really announcing today, to begin with, is a full-stack security embedded within our routing portfolio with SD-WAN. So we introduced SD-WAN, the Viptela stack, in the ISR IOS code base in July, and now along with that we are embedding our core security functions, which is application-aware firewalls, IPS/IDS, URL filtering, in the SD-WAN IOS router itself. You get a full-stack solution so that you can deploy this in one place and manage it consistently from one dashboard, which is our vManage dashboard. So one place to deploy security, one place to manage it, one place to monitor it. So this is, I think, a key innovation. All of our install base already out there has millions of ISRs; they can be enabled with SD-WAN today with the firmware upgrade, and now you can add security to it.

So, clarification here. So if I'm running the Viptela stack on my ISR router, that's all I'm running, right? Isn't that how that goes? I turn on Viptela, and then that's my routing stack, and now I'm adding your announced security to that. So that's all gonna be within the Viptela container, if you will, running on my ISR?

That's all gonna be embedded in the IOS code along with the Viptela stack, right? So the mechanism of how we embedded it depends on what function you're talking about. The IPS, for
example, is a Snort-based IPS.

Okay.

That's running in a container for Snort, so it can do all of the signature analysis and all that, but it is all natively built into the IOS image that is running SD-WAN.

Okay, so it's an IOS image, now it's just got more...

Correct, more elements that you have. You've got more elements in addition to the SD-WAN capabilities that we announced in July.

But it's not a kind of a thing, is that what you were saying?

Yeah, it's a unit, it's one image, it's one IOS image.

Yeah. Is it an integration of FTD or just components of that, or...?

We work very closely with our security team. We have the best-of-breed security assets, and all of this is in conjunction with our security team, and we have taken elements of the firewalls, the containers, the IPS/IDS, along with the threat management with Talos. So when you integrate these security capabilities in an ISR, and whether you buy any of these in any form factor, whether it's an ISR, an appliance, you get the Talos threat detection capabilities along with this. That's one of the key differentiators, we believe, for our solution, where this is by far the largest threat database in the world.

And you get... this is fully functional, as if I were running Firepower appliances?

Yes. Obviously there's limitations on scale.

Yeah, and would that be the major difference then, in the sense of why would I...

Correct. So we'll talk a little bit about deployment models. Like, clearly this is not the answer when you're running security in a campus or the headend and you need dedicated security appliances, because the scale and performance matters.

Okay.

In a branch deployment, and depending on the size of the branch and the number of users, this is clearly a viable solution. It reduces capex, it reduces management, and really this is also an intersection of NetOps and SecOps, right? You also have to look at your organizational capabilities and how your SecOps team and the NetOps team is going to work together to make
this a reality. Those organization boundaries are going away, and we're seeing that going away, but it's just going to be a while before SecOps and NetOps actually talk to each other, right?

So I'm being told that I'm gonna run out of time fairly quickly, so I'm gonna go through these and double-click into this for the next hour and a half. So the second piece that we are announcing is integration with our Umbrella stack for cloud security. So it's not just your embedded branch security that we're talking about; we're also adding elements from the cloud security stack, which is Cisco Umbrella, and integrating that with the ISRs. So now you get a system that is fully secure wherever your users are, connected in the branch or whether they are roaming around and connected through Starbucks or some other place, right? Mobility.

The last piece of this is the multi-cloud piece. Today we already have solutions for cloud on-ramp, where we can connect and accelerate performance to 14 SaaS applications using our Cloud onRamp, which is a shipping feature for the last year. What we are announcing is we partnered with Office 365, and we added enhancements to that capability so that we can get you better performance by reaching to the closest O365 location from where your branch is, so you don't have the performance penalty of essentially going across the world or going across the country to go to an O365 location. We will make sure that you reach the nearest location to your deployment, and we actually have a demo that will show you this 40% performance improvement of turning this feature on versus doing the traditional way of backhauling from your data center. So the next hour or so will show you the demo of this.

Closest is defined by latency?

Yes, there's, well, there's latency and jitter, the parameters that we monitor.

Okay.

So you're going to see a fairly double-click on this. I'm going to go over this slide very quickly. When we talk about embedded branch security, what we're talking
about is enterprise firewalls. We recognize 1,400 applications, so this is application-aware firewalls. We have the IPS which I just talked about, the Snort-based IPS, the most widely deployed IPS on the planet; URL filtering with 80 web categories; as well as the cloud security with Umbrella, and Kureli is going to talk about this in extensive detail, so I'm going to move forward.

From Cisco's standpoint, we believe that we are going to give you the right security in the right place, and there's a lot of different places where you want to deploy security, starting from your data center, private cloud, SaaS, and this is just kind of giving you a quick cheat sheet on where we believe certain elements of security should be deployed. Now when you're talking about multi-factor authentication, which is our Duo acquisition, and we are not talking about integration, we do it today, but Duo is clearly something that you would use in mobile users and devices and things, and that is something that needs to be done alongside the branch security and the cloud security that I am talking about to get you a full-fledged stack. Then you have the rest of the capabilities that I am talking about today, which is firewall, IPS, URL filtering, and cloud. But depending on where you are in the network, you need a pervasive security stack, and Cisco has all of the elements to give you that. And as I just mentioned, we now have a common security architecture that spans across both our Viptela as well as Meraki portfolio, all of them powered by our Talos architecture, right? So whether you are using an SD-WAN security stack by Viptela or by Meraki, you have a common security architecture, all of it using the best-of-breed security assets in Cisco.

This is the demo that we are actually going to show you: regardless of how you are reaching to a SaaS application, specifically O365, we will provide you the fastest and best path to get there, right? And this is my last slide. I'm being asked to cut this because I've probably
gone over time, so I guess we'll ask the rest of our Viptela team to step up and get into deep-dive details on this.

We will talk about this one, right?

Yes, we're gonna talk about all of this for the next hour and a half and give you, like, the deep-dive details on how this works.

Awesome. Thank you, folks. Thank you for being here, and thank you for listening. Thank you.

[Music]

All right. Aha, it works. Okay, mic is on, right? All right, all right. Good morning, everybody. It's good to see familiar faces here. Some of you have met in person, some of you have met online, but yeah, so we're all happy to host you here. My name is David Klebanov. I'm a leader in the Cisco SD-WAN Technical Marketing organization. I came through the Viptela acquisition; Ramesh and I spent many wonderful years back in Viptela. So today we're going to talk about a couple of topics. We're going to be double-clicking, just like Ramesh and Rohan mentioned in the beginning. I'm gonna be double-clicking on several items. So there are some foundational things that I wanted to make sure that we are all sort of in agreement on, and if you have any questions then obviously feel free to ask me anything that comes to mind. IOS XE SD-WAN is one of those foundational things that we want to cover today, because it's a foundational element of some of the things we're going to double-click on later on in regard to cloud, in regard to security. So I want to make sure that we understand sort of the premise behind IOS XE SD-WAN: what is IOS XE SD-WAN, and how do you migrate to IOS XE SD-WAN from what you have today, right? Obviously it's a very loaded topic; migration could take hours just on its own, so I won't be able to cover all of that, but at least we'll give you a flavor of the art of the possible, what you can do with IOS XE SD-WAN. So that's going to be our kind of three topics for today. First we're going to talk about kind of the architectural recap, because my session is kind of the first one that is generic to some
degree, right? We're not going to be kind of heavily double-clicking into cloud and security, so I'm gonna spend maybe a couple of minutes just setting the baseline of what a Cisco SD-WAN architecture is and what are the elements of Cisco SD-WAN architecture, in case, you know, some of you need a refresher, right? So we call this a recap. Then we're going to talk about those migration best practices of how to adopt Cisco XE SD-WAN, and then I'm gonna give you a brief demonstration of some of the operational elements that we're improving in our Cisco vManage platform, which is our single pane of glass for the entire SD-WAN solution.

Okay, so as an architectural kind of recap: we are an SDN system, so we're very firm believers in software-defined networking principles, which identify three distinct architectural tiers of data plane, control plane, and management plane, and that's exactly how our solution is built today. If you kind of follow from the bottom up, on the bottom you have a collection of WAN edge devices, and these come in different shapes and forms, physical, virtual. We're gonna have a slide after this one just to recap what are our different platform capabilities, but these are the traditional vEdge appliances, physical or virtual, that were brought into Cisco from Viptela. These are also the Cisco routing platforms: the ISR 1000, the ISR 4000, the ASR 1000, the CSR, a virtual router. So it's a whole slew of platform choices that our customers have when they sort of embark on this Cisco SD-WAN journey, right? We also see this WAN edge as being critically important for the features such as multi-cloud and on-ramping into the cloud, that all happens from the edge; the security features, which is pushing the security into the perimeter of the network, because the closer security is to users, the more efficient it is; and the application quality of experience. So we're not going to spend time today talking about application quality of experience, but think
about this as you build this entire architecture, because you want to transport applications over it; you want to make sure that the quality of experience for applications, be those on-prem applications or cloud applications, is as best as it can be, right? So these are kind of the three key services anchored on the data plane.

Now the data plane talks to the cloud, and the cloud is a collection of controllers of different types. The first one is the vSmart controller, which is the control plane controller. It's used to really establish the fabric, to distribute control plane context around in regard to routing, security, different attributes. It runs our Overlay Management Protocol, which is an extensible control plane protocol that runs over certificate-authenticated TLS or DTLS connections that get established in a zero-touch fashion between the routers and the vSmart controllers. So the vSmart controllers live in a cloud; we're gonna see what are the options where that cloud could be. And then at the end you have the vManage, which is the single pane of glass. That's what you would expect from sort of a system where this is the place you go: this is your GUI, this is your API that you can leverage for any programmatic work and scripting, anyone who wants to kind of, you know, do things with Python scripting and make REST API calls to automate some of the workflows inside of vManage beyond what the graphical user interface gives you. And we have kind of a growing interest from the community to do kind of all of those DevOps things on top of vManage. So these are the three distinct layers of the solution.

In addition to that, we have the layer of analytics, which takes the telemetry from the network and basically analyzes that, provides this sort of predictive analysis as to capacity planning, capacity forecasting, some performance baselining, things like that. We purposefully separated that from the vManage system because it requires a little bit more of that
sort of compute power and analysis, rather than just vManage being a pure operations tool where you go provision things, troubleshoot things, deploy things, things like that. Separated into a different system, it's an optional element, but we have really good traction around customers adopting the analytics platform. So that's kind of like a refresher for you guys to keep in mind what Cisco SD-WAN is and what are those elements of it.

Now, I mentioned platforms, right? So our customers have a wide variety of platforms they can choose from, right? So if I go again: physical platforms, choices of either ISR platforms or the traditional Viptela vEdge appliances. Those are the physical platforms. So many of our customers would prefer to consume this technology in the form of an appliance, a router; it's more predictable, more recognizable to the network teams, they have operational procedures around that, so they don't want to disturb that, they want to continue consuming that in a physical form factor, and for that they have a choice of platforms. Obviously, because we're talking about IOS XE SD-WAN, we're going to be focusing in this session on the Cisco ISR and ASR platforms, which actually run the IOS XE software. And now, for some of our customers that want to deploy this in a completely virtualized form factor, they're free to deploy our software on top of any x86 platform, or they can deploy this on top of our ENCS platform, which is the Cisco gray box solution. It's an x86 platform which is also a router, has the management on it, runs a hypervisor, a KVM-based hypervisor, so it's kind of like a little bit friendlier than just a generic x86 server. But our customers have a choice of whether they want to run this on an ENCS or just a plain vanilla, any x86 server. And we reach into the public cloud by offering instances of virtual routers in three major cloud computing environments. So that's kind of the lay of the land as far as what is your kind of a menu of choices that
our customers have. Now obviously many, many of our customers are ISR and ASR customers; just like Rohan mentioned, million routers are out there. A lot of interest is: how do I take those routers and move from a traditional routing, box-by-box paradigm into an SD-WAN paradigm, which is a networked solution, which is a system, centrally managed, with a cloud-based control plane, all of these things, right? And for that, the IOS XE SD-WAN is really the driver behind it.

Question: any support for the CSR 1000?

Yes. Yeah, I'll go back a slide. So CSR 1000v is formally being supported in our release that is going to come at the end of November. We have a code release that is going to be end of November; we call this 16.10, and that is where we will support a CSR running IOS XE SD-WAN.

Thank you.

Other questions?

Is there a functional difference between running the solution on an ISR platform than on the vEdge 1000, for example?

Excellent question. Yes, there is, and that's a good segue for me to this slide, right? So what have we really done with XE SD-WAN, right? So think about XE SD-WAN as a foundational piece of software that runs on top of the Cisco IOS XE routers: ISRs 1000, 4000, and ASR 1000. So what we've done is we have embedded Viptela components, Viptela intelligence, Viptela services into the IOS XE SD-WAN. Now, did we keep in IOS XE SD-WAN, sorry, did we keep IOS XE in its entirety? No, we did not. Many of the services that exist in IOS XE are not fully compatible with the way that SD-WAN operates. Many of the services are not largely adopted. So we took this sort of approach of: okay, let's prune things so that we're fully compatible, because SD-WAN is not just a router-by-router solution, it's a system, and as a system it must operate as a system. So we can't just have, quote-unquote, sort of rogue functionality that, you know, some of it is controlled through vManage, some of it you have to log in to the router and configure CLI or use some other
management tool. That does not work; it has to be controlled by vManage, right? And as such, we decided on which elements of the traditional IOS XE will make it into XE SD-WAN and which ones we decide to introduce at a later point. So there is no 200% feature parity between IOS XE SD-WAN and the traditional Viptela operating system, and there is obviously some services from the traditional IOS XE that we also took out. So there are some considerations that customers go through when they convert their existing routers into IOS XE SD-WAN routers, and it's an evaluation process in regard to: what am I gaining by getting SD-WAN features, and what am I, quote-unquote, forfeiting by removing some of the things that we decided not to include? But as you can see in here, we've kind of sprinkled that Viptela intelligence within the IOS XE SD-WAN code, right? And some of the key things that we brought from Viptela are obviously in here, and particularly the Overlay Management Protocol is in here, our communication to the management system through, basically, NETCONF communication, obviously things that have to do with all the SD-WAN policies. And yet, side by side, we kept some of the really solid, proven IOS XE features in there, right? As you can see, there are different buckets in here, so security is a bucket of feature functionalities embedded in IOS XE SD-WAN, routing services. Obviously this is not a representative of everything inside IOS XE SD-WAN, but just so you understand that it's kind of like taking IOS XE SD-WAN, sprinkling those Viptela components in, embedded, so it's not running as an external foreign entity, as a container or whatnot; it's embedded inside the IOS XE image.

You guys said that there's some features from the traditional Viptela platform that wouldn't make it in. So you mentioned that, right, and you didn't specify. I'm curious, no, but maybe this isn't the right time, right? Is there anything in
the, what we would be familiar with in the IOS XE code, that is now gone when you would upgrade?

Right, so you had two questions. The first one is what do you lose from the traditional Viptela. So 15 months into acquisition, obviously it's a very tremendous amount of work that goes into introducing the traditional Viptela features that we had developed four years into the IOS XE SD-WAN code, right? So it takes time. So there is a certain roadmap of when the features that existed on the Viptela, and we have 75% of them already in XE SD-WAN; there's a certain amount of features that are still trickling into the IOS XE SD-WAN. You will have a complete full parity between what you had before and what you have after, and so that's just a matter of a short time. And the second question, about what features of traditional IOS XE you lose, quote-unquote, by converting to IOS XE SD-WAN: so there's some things, for example the whole slew of IP VPN technologies that exist in traditional IOS XE, DMVPN for example, not there anymore; we have our own mechanisms. Okay, right, so things like that, right? And some of the things that did not make it to the XE SD-WAN initially are going to be introduced into the XE SD-WAN. Again, it's a matter, it's a factor of time.

Some of the customers are using the ISR, especially in the SMB market, for routing, UC. Is it usually going to be part of that code as well?

Absolutely. It is not there today, and we have talked to you about, when we talked about the migration: today if you were to look at the IOS XE SD-WAN, it does not have those traditional voice features such as, you know, SRST functionality, you know, PRI termination for local voice breakouts at the branch offices. We see a tremendous move, specifically for UC, we see a tremendous move into SIP-based communications, in which case it's all basically just network, right? And building a better network gives you a better, you know, unified communication
experience, as long as it, and we have many customers who are kind of departing from the traditional way of thinking about: I have to do PRI circuits, FXS or FXO circuits, I have to make sure that I have SRST because my WAN can go down. By building a solid WAN many of those things just disappear on its own, because now I have a fully redundant WAN that never goes down, right? I don't need an SRST functionality in it, right? Do I need PRI breakouts? Well no, I'm moving into SIP-based trunking, right? So many of those voice-specific things are actually not needed in the world of 2018.

Sort of choices you leave some customers in a pickle, because there's school districts and hospitals and stuff that need a tract and this amount of analog backup, so you can't just move away and say...

For sure, I agree with you as far as what you're saying, if this area what you're saying, right, it's a fair point, right? So keep in mind it's a matter of time until the things that are not there today are going to make it into IOS XE SD-WAN. For that we have a customer-centric management team that works diligently on making sure that these things make it. Back again, 15 months into acquisition, we've done a lot.

Somewhat related question, and a few of the other sessions that we've had surrounding SD-WAN, we've been wondering about multicast.

Yes, so multicast is a long-standing feature that we had from Viptela days. Multicast, again, it's one of those features that is not there today on XE SD-WAN, and so again, just like I mentioned about voice, it's going to make its way into the XE SD-WAN. Obviously the traditional XE is a very solid implementation of multicast; it's just a matter of making sure that that is brought into the SD-WAN domain, under the vManage management, the vSmart controllers. So it's a matter of time. Absolutely our plans are to have multicast as part of the IOS XE SD-WAN. Um, so good questions. Let me move a little bit further around migration sequences. So the customers who
are adopting IOS XE SD-WAN have to plan how to get on board XE SD-WAN, right? Some of those are easy and some of those require a little bit more, kind of, you know, considerations, right? So we typically see that adoption having three phases. The first one is obviously establishing the controller footprint. This is, 95% of our customers opted for cloud controllers; we have a fully automated cloud ops operation that spins up all this control infrastructure in our public cloud back end, so that's not sauce, that's not something 95 percent of our customers ever have to get involved with beyond placing an order. Place an order, magic happens, controllers are spun up, so nobody needs to do anything about that. What the customers really focus on is transitioning data centers, and more importantly introducing SD-WAN into 3d into an existing data centers, and then performing the actual migration on the branches. That's primarily where the bulk of the, sort of, work goes into, right? Obviously everything is zero touch, but there are certain considerations that you keep in mind. So if we look at controllers: controller deployment, as I said, fully automated when it's deployed inside Cisco cloud by the Cisco cloud ops team. Customers have a choice to deploy this in their own data centers; a small subset of our customers that have some compliance or regulations that require them to host their own control infrastructure, they absolutely do that in their own data centers, works equally the same. And we have an opportunity for our partners to deploy and host and manage those controllers in their own clouds, so their own data centers, their own colo facilities and whatnot. So we have a slew of partners that basically see that as an opportunity for them to provide value-added services to the customers. Whatever the case may be, those are all virtual elements; they can live on any IP cloud: customer cloud, Cisco cloud, partner cloud. Now if we talk about data center, um, data center deployment usually revolves
around topology that looks like this, where the SD-WAN intelligence, and in this case we're talking about IOS XE SD-WAN but it equally applies to the traditional Viptela operating system and traditional Viptela routers as well, so we're making kind of an emphasis on IOS XE SD-WAN here but it equally applies to the vEdge routers and the Viptela operating system as well, these routers are inserted in a manner that is sort of like sandwiched in between the data center core and the front-facing layer of MPI, which is the MPLS routers and the firewalls that front-end the Internet connectivity that already exists in the data center today, before you even started SD-WAN adoption, right? That's kind of a typical topology of the data center. There are certain advantages of why that's a typical architecture and we're going to double-click on some of them later, so I don't want to linger too much, but data centers are usually very straightforward. It requires obviously very comprehensive support for routing protocols, which we have, because unlike branches that tend to be simpler, data centers tend to be more complicated, and so obviously you have to make sure full support for routing protocols, OSPF, BGP. Before, somebody asked about EIGRP; yes, we're adding EIGRP, but today it's OSPF and BGP. Um, and obviously the interaction between the core switches, the MPLS CE routers, so it's all kind of embedded into the data center routing topology because...

Absolutely, yes, absolutely right, overlay cannot live without underlay connectivity; I need to have a foundational IP connectivity before I can establish any tunnels, any control connections. It's absolutely right. Migration scenarios before, the very fair point, very well taken, yes, yes, EIGRP is out there a lot, and so we will be adding that. In the meantime there's ways to do redistribution between OSPF and EIGRP on the core switches, so there are ways around that. Matter of time, EIGRP will be there. Um, if we look at branches, right, so let me
run through a couple of quick scenarios about branches. So a branch that looks like this, it's a simple branch that has a single router, no redundancy, connected to an MPLS circuit, has potentially maybe a LAN switch that is doing layer 3, again OSPF, BGP, or is just a layer 2 connected subnet, really simple, maybe some layer 2 switches sprinkled around. And what we do in that case, and the simplest one, is to perform a software upgrade. Again, it's a compatible platform, so it's one of those platforms that a customer already has in their branch; they just do a simple software upgrade: load the software, reboot, the box comes back up, all the control plane stack comes online, which means it talks OMP to the controllers, talks NETCONF to the vManage system for management, interfaces with the southbound routing if there is any, right, performs potentially redistribution between OSPF, BGP into OMP to advertise that out into the rest of the overlay. So this entire sort of control and management stack just comes online zero touch, right? So the amount of effort that went into this is performing a software upgrade, right? Again, it's an opportunity to also diversify the connectivity, so if there was an MPLS circuit, keep it; if you want to augment MPLS with internet, add an Internet; some of our customers add 4G LTE; some of our customers discontinue MPLS circuits in some sites. So it's a complete sort of freedom of choice as far as which transport is chosen.

Will you continue to keep OMP or...?

Oh, it's a very good question: would we consider to have OMP or continue with OMP? Absolutely. OMP is the coolest thing we have; it's a really foundational protocol within the SD-WAN fabric. It's far superior to any other control plane mechanisms that we've seen out there.

What about interop?

Interop, we can talk about that. Interop, the way we see that, um, is happening on the southbound; the fabric itself, the core of the fabric, has to be compatible with our sort of control
plane, right? What's a good point, potentially, you know, opens a good opportunity. Actually, one of the first days at the Viptela actually asked why is there not an RFC for OMP, so it's a good opportunity to have one. Um, the next one is very similar, and we're talking about redundancy in this case. So a site that looks like this, which basically has two routers, right, and one router is connected to MPLS network, the other one is providing some backup connectivity through some sort of an IP VPN technology, could be any flavor of VPN technology, DMVPN, GETVPN, whatever VPN, X VPN technology that customers deploy. Very, very popular design of active/standby approach: active MPLS, everything goes to MPLS, backup is IP VPN, some sort of a first-hop routing protocol in here, um, HSRP, VRRP, whatever the choice is, or potentially layer 3 switch with OSPF and BGP. Pretty straightforward. The migration into XE SD-WAN is as simple as the case before, is that both routers upgrade. Obviously there is a way to do this one by one; um, my personal recommendation is to make it simple, the simpler the better: take a downtime on that site, schedule a maintenance, upgrade both routers, let the control and management stack come online, have that site fully migrated into SD-WAN. We're going to talk in a few minutes what happens to backwards connectivity to non-SD-WAN sites, but leave that for a second. The actual site itself: software upgrade on both boxes, and again first-hop routing protocol, VRRP today, and OSPF, BGP, nothing really changes, right? It's the same philosophy that you had before, just now under the control and management plane of SD-WAN.

I'll be very transparent with you with this question: upgrading code on production routers, especially, you know, big chassis switches and that sort of thing, scares me. Sure. Not because it's not necessary but because it doesn't work all the time, and you know it's two o'clock in the morning in a datacenter, I can eat durian I do it I hate doing. Are you seeing a lot of just great
success with upgrading the code to the IOS XE SD-WAN code, and no significant, what...

So I share your concerns. I was a network engineer many years ago, a butt reduction today is it a simple oh ok so the upgrade the before well that's a good question is it yeah. So the upgrade process itself is not dissimilar from a traditional router upgrade, because this is, the before is no SD-WAN present yet, so I have to use my existing tools. However I upgrade my routers, does that, you know, bring in a USB stick and plugging it to the USB port, copying the file into bootflash, changing boot parameters and rebooting, maybe I want to do TFTP and upload this to the bootflash, reboot; so however I do this today, the before is however people do this today. Once it's upgraded, then the control and management stack kicks in, and then I have vManage to do any subsequent upgrades within the SD-WAN. Now I agree to your point; the only thing I can say is that there's an operational discipline, you know, follow the change control; doesn't work, roll back, right? So there's very little to be said about that. It's a software upgrade with all these sort of, you know, things that come with it. If it's successful, and I'm very confident that it will be successful, but if something goes wrong you roll back; that's what you have the maintenance windows for, right? So there are design scenarios, which unfortunately we don't have time to talk about, that are more complicated and actually run the SD-WAN and non-SD-WAN intelligence at the same time, so you can be sort of like both, you know, both worlds, and you can say: was that successful, was that not successful, I still have connectivity if it's not successful, and so maybe shortens the maintenance window, less interruption. And we have those designs and we'd love to engage with individuals that want to learn about those designs. Obviously they're a little bit more complicated, require more skills around routing and interoperability between overlay and
underlay, so it tends to be more complicated. Do a little bit tends to be more complicated, good question. Yes, there's a slew of Cisco Validated Designs we're working on and it's a work in progress. Um, specifically for a software upgrade we already have a lot of resources; there's a document that describes how the migration occurs, not as migration from a system like IWAN into a system like Cisco SD-WAN, but more like how do you perform an upgrade. There's video recordings about this, so for that specific piece of a software upgrade we have that out there in our documentation and YouTube channel. Um, but as a system migration from this to this, I'm going to touch on that in a slide or two. Yeah, but CVD is a work in progress to exactly accommodate all of those scenarios. Migration, yes, this is a good thing for a mesh, yes. So for configuration migration we have a tool that basically, um, you input your existing configuration, copy-paste your existing configuration from the router, and then you can link it into your vManage instance. It basically analyzes the configuration, says which lines of config are not compatible with SD-WAN; it's going to flag those and it's going to ask you to remove those, and then after everything checks out from the config it will actually reach out through API calls into the vManage and create all the configs inside vManage. So there's a config tool that helps with that transition.

You said that we have to copy/paste?

Yes.

There is no way for the tool to connect directly to the router...

Not today.

...and check the configuration?

Yeah, today, it's a very fair point, working on it, um, but today there's no day automation. And right, so the thing is with a traditional router you either have to SSH to it and then, you know, suck the config and analyze it, so it's possible, but today that config tool is taking a little bit more of that manual approach, you as an administrator. It's a direction that, absolutely yes, yeah, the idea is
to explore the direction of, quote unquote, like sucking the config out of the existing router, running through the logic, analyzing, spitting out vManage templates.

Thank you.

In some of the cases we have routers that are either a managed router, um, which is this grayed-out guy, actually it's this to begin with, right, it's a managed router; you can't really upgrade that because it's managed by a service provider, and they may not offer Cisco SD-WAN as a service, and what you see once his quest event is a service to keep the reddit router and we build SD-WAN on top of that, all right, that's one option. The second: there could be some unsupported feature that would prevent you from upgrading this router, that's just voice for example today, or there could be things like underlay backup, which is kind of an advanced topic. So what you do, you basically don't touch that router; you add the router, it's an additional box that you add into the site to keep what you have today, and you add an additional IOS XE SD-WAN box into it, and that box will build an SD-WAN fabric on top of that. It's very corner case and a couple of ifs, and if those ifs exist then you have no choice and your solution is to add SD-WAN intelligence side by side to existing router intelligence. Not my first choice, but if you have to do it...

Potentially that's the Ethan transition strategy though you it is the s3 affair when you slowly start moving

Exactly, afterward you can do that, yes. But I share your facial expression that it's not the best, but when you have to...

Then you have areas where that's really what you're gonna need to do, because reasons.

Yeah, yeah, yeah. I'm not going to touch on that, but virtual branch, I touched on that in the beginning: fully supported, ENCS or any x86 box, just load the VNFs on it; you can do Cisco Plug and Play to bring it up in an automated fashion. And so in case it's the ENCS, right, ENCS and the SD-WAN VNFs on it, potentially you can add additional VNFs such as WAN optimization VNF, a firewall VNF,
whatever VNF you want to add; it's a virtual branch solution, right? As far as the interoperability is concerned, we really see data centers as the most optimal way to perform that interoperability, and that basically boils down to routing: you advertise SD-WAN subnets into the underlay, you advertise the underlay subnets into SD-WAN, you perform redistribution of the two in the hub site, which is the data center. And a data center is kind of built like this: data center core, MPLS CE routers facing the MPLS, oops, apologies, SD-WAN routers, SD-WAN headends, facing the SD-WAN fabric. So we tend to look at that as transition hubs; many times these transition hubs are data centers, and that's where the overlay and underlay meet. There are designs where overlay and underlay can meet at every single branch, so I have sync every single branch that can do overlay and underlay to an MPLS sites. Not something that we advocate; we've seen a fair share of issues with that, starting from the routing, routing loops, every branch office becoming a transit site because you didn't filter the routes properly, turns into an ECMP problem: how do I reach that other side? Oh, it's 100 branch offices that can take me there, which is not true. So a whole slew of things that could happen. So we really see those data centers and those hubs to be sort of the anchor point.

Now so how are you handling this at the hub, is it just routing?

It's just routing.

OK, so there's no magic tools or anything that's gonna make this easier for me; it's just more like a Cisco Validated Design, right, so you set up your routing like this to solve these?

Yes, exactly.

Like when you had DMVPN, EIGRP had a stub feature.

Yeah, it's basically two worlds meeting at the data center core, right? Now for those customers who are a little bit more geographically distributed and they're saying: I like this approach, I like the way that you're kind of safeguarding me from, you know, shooting myself in the foot, but I'm very
distributed, and you're asking me about data center, can I use multiple data centers? Of course. So we have some customers that have done this in a distributed fashion, when they have geographically distributed data centers, so Americas, Europe, Asia, and again routing tricks to make sure that we attract the traffic from a specific region into the local hub symmetrically from both SD-WAN and the MPLS, right? Again it's a little bit kind of a more involved design, but comes down to just basically routing interaction between an overlay and underlay, so those capabilities around routing protocols, mature routing protocol support, field-proven support, that's critical in this case.

Is it like this over this pattern, I think, vManage arranging the higher OMP preference, or user needs to know that higher number OMP is the best bet?

Right, so when you are in SD-WAN world you operate by the SD-WAN rules, which is exactly the OMP preference, and really this one says to draw the traffic that I'm trying to keep this within the region: I have this hub, which could be the European hub, and I'm trying to stay within Europe, right? I'm trying to say SD-WAN region in Europe and an MPLS region in Europe, I want them to stay within Europe, right? And that's exactly what it's doing, is that it's setting the higher preference for the subnets in the MPLS region down.

And it's actually my question: so do I need to set the higher preference?

So it's a good point. Um, today, within the tool, it's down to the administrator to actually set the proper configurations and policies to make sure that it happens, and there is no tool that we offer that does this magically for you. There's potentially an opportunity for somebody to write API calls that would, you know, execute on a logic like that. It's nothing more than a logic between templates and configuration, configuration templates and policies, to make sure that you execute on this. There's no voodoo magic in here; it's very
straightforward networking, right? So if you're a network engineer, you understand how routing works, you could execute on that. Okay, so I do have it, I'll skip on that one, but I do have a demonstration to show you, and maybe I will take one minute to show you this from the configuration standpoint.

can use an upgrade everybody will be

You can, if you have 15 minutes not to do anything. But yes, we actually have videos out there that outline the whole upgrade process; it has a lot of hits. Hamza is one of the presenters in that video, him and Nikolaj, they teamed up on that. There's a video on YouTube, you can watch it, 45 minutes I believe, 30 minutes, yes, and it walks you through prerequisites, configuration, a tool and the actual upgrade itself. Not really fun; the actual upgrade itself is really nothing but loading an image, rebooting and waiting. Everything else, once it's SD-WAN, device logic kicks in, it's governed by the SD-WAN rules, everything is centrally managed through vManage. And so one thing I wanted to quickly show you is, okay, so this is the vManage, right, if you haven't seen one; this is the management tool, right? So one cool thing that we're doing is, many, many other customers, they're kind of the simple customers, so they don't look for a lot of complicated way of doing things, right? And so we said, okay, how can we simplify life for the easy deployments, right? I just want to spin up a couple of, or maybe a lot of, sites, but they're really simple; I'm not looking for anything extra elaborate or things like that, right? If I want to do those like crazy things like regional hubs and things like that, obviously I need to be a little bit more involved, but if I'm just trying to spin up something simple, so how can I do that? So we have a really simple thing in here that we call a network design. So when I log into this I can create, basically this tool allows me to visualize my configuration of the network, so clouds are my
transport, and then I can go into the manage network, I can say I want to add a branch, and I can say this is redundant branch, and I can say this is my private router profile, and I can say what type of the router there is, and these are all the routers we talked about, and I would say which circuits it's connected to, so this is going to be connected to MPLS. Great. I want to add another profile and I want to call it a public router profile; I will choose the same type of router there is and say this guy connects to the public network, and obviously I messed it up, okay, but I would have, if I would have saved that. Basically what I'm doing in here, I'm creating this flow of templates, or sort of the configuration of the templates, but instead of me sort of going and defining things in more detailed way, I just have this really simple flow of defining what the router is, which VPNs are in there, which interfaces are in there, and it's all kind of wizard-driven, next, next, next, next, and then it saves it and you can apply this configuration onto the routers, right? So one of the operational enhancements that we're doing within the vManage that really streamlines these simpler deployments. Okay, I'm getting the sign.

Can you do all of this programmatically?

Absolutely, excellent question. Everything you see on this GUI can be invoked through REST API calls, anything. So we have some customers that have an appetite for doing that; absolutely you can automate anything that is beyond what you see in here. You don't like the way we do it, you want to do it your own, you have your own GUI, you have your own operation portal that you have for your ops team, be my guest, have it. Another website with, you know, Python scripting and API calls is your GUI and API consumer, absolutely. The API, everything we do in the GUI is basically the same API calls that you can make to the vManage server. All right, so hope this was informative yet fast, so I'll let Hamza take you through
the next topic.

Right, mic's working? Yes. All right, good morning everyone, my name is Hamza card ami, I'm a technical marketing engineer with the Cisco SD-WAN group. I've been with Cisco for close to eight years working different technologies like security, VPNs, PKI, and now I'm focused on our new SD-WAN product. So today we're gonna be talking about Cloud onRamp for SaaS, specifically focusing on Office 365 and the kind of, you know, innovation that we've brought to market with a new product. So let's take a step back and kind of see what's happening in the market today, right? We're looking at SaaS adoption overall, and this is on the rise, all of us know this. Now to address this, however, we have a couple of impediments, some blockers along the way. When we talk to our customers, what we notice is two things always stand out. One is performance, so what they say is: hey, I want to adopt SaaS, but today my WAN architecture tells me that I have to send my, you know, data traffic all the way out to a data center and then break out to the Internet to consume that SaaS application. That's a problem because that's not very optimal for the application itself. Then the number one blocker that we see is always network security. So when we talk about security, what we say is: if I allow my user at the branch to access the SaaS application directly, I'm gonna be sacrificing on security and visibility, I may lose the ability to understand what's happening at what particular branch, I have to, you know, tackle problems with routing, I may start attracting unnecessary traffic into my device by doing this sort of routing. So I want to avoid those challenges, and, you know, these were kind of the problems that we wanted to address with Cloud onRamp itself. So again, taking a look at traditional cloud adoption: as Office 365 and SaaS adoption has gone up, we're still looking at this type of an architecture today. We have users at a branch who will be using legacy WAN or MPLS to go all the way to the data center. Now at
the data center you have your central firewall that's doing your scrubbing, inspection, you have, you know, NMS tools that are doing monitoring for you to get visibility into traffic flows and things like that, and then you break out to the Internet and then finally get to the SaaS. So the biggest problem with this is, when we talk to SaaS vendors like O365, they tell us the biggest impediment to SaaS adoption is the network; this design is what causes performance issues for them. So instead of, you know, looking at it from a perspective of SaaS: they have one of the largest backbone networks in the world, they have already optimized access to their application within their particular tenants, within their data centers; however, it is this last-mile connectivity that becomes the problem from an optimization perspective to deliver the best user experience for applications, you know, O365 for example. So this is kind of what we wanted to address, so that's where Cloud onRamp for SaaS comes in, and this slide was kinda to talk about, you know, the building principles of the solution itself. So the first thing was that this feature is going to be a part of SD-WAN itself. So the idea is, when you use SD-WAN you're gonna have multiple circuits: you may have your existing MPLS and you're augmenting that with cheap broadband, you may even, you know, let go of MPLS altogether; in that case you have multiple ISPs at a particular branch location. So we wanted a solution that can leverage those ISPs and provide you a direct path to the cloud itself. The next element of this was measured performance. So the idea was that however many circuits I have, whatever the nature of circuits may be, could be broadband, MPLS, LTE, etc., I should be able to measure metrics from a performance perspective to the end SaaS application; I should be able to measure loss and latency across all my circuits; I should be able to get those metrics on a per-application level to make educated decisions. So what
educated decisions am I talking about? That's where the network intelligence piece comes in. So here we're saying that based on those parameters of loss and latency, my network and my system should be able to intelligently reroute traffic in the case that there's any problem in the network, so all of this should be done without any user intervention coming into play. And of course then we talk about security. So if I'm gonna say, hey, I'm gonna make a solution where I'm gonna do direct internet access at a branch, how do I make sure that I don't compromise on security? And my colleague will be covering a lot on the security front, but think of it like: our solution, what we will be doing from a security front is to make sure that you have the power to say that only a trusted enterprise SaaS application is allowed to break out to the Internet, and only traffic that's returning for that SaaS application is allowed back in. You don't have to do any complex routing, you don't have to just send anything and everything out to the internet using DIA. So you have the power of policy to control that, and not only that, you can even make decisions via policy to say that I want this to occur for a very specific application at a particular branch, for a particular VRF or a VPN. And finally the foundational factor of the entire architecture itself is simplicity, so we want to make sure that all of this is achievable with a few clicks of, you know, buttons on the GUI itself. So let's talk about the first, you know, one common use case that you would come across with this particular solution. Here we talk about a dual DIA. So what we're saying is we have a particular WAN edge device, so you have a branch, you have two internet circuits connected over here, and we want to understand, okay, can I leverage both of these circuits? So I'm gonna be using Cloud Express, or Cloud onRamp for SaaS, to write a policy automatically through vManage to say that let's use both of these circuits and enable breakout for a particular
application, in our case Office 365, directly over those circuits. So when we do this, the first thing we do is DNS probing. Now what we've done is we've partnered with Microsoft and we've come up with a custom probing endpoint. The idea with this custom probing endpoint is, when you onboard Office 365 as an application for Cloud Express or Cloud onRamp for SaaS on the WAN edge, automatically this device starts probing that custom endpoint across all available transports. The idea with this custom probing endpoint is, when we are returned a DNS response, these happen to be anycast IP addresses. Now what Microsoft has promised us is that regardless of wherever you are in the world, wherever your branch will be located and whatever circuit it may be, we will give you IP addresses that are reachable as quickly as possible from your particular site. So when we do this probing from the WAN edge, we are being returned IP addresses which we will eventually reach out to as quickly as possible from each individual circuit, and that's the reason why we end up doing DNS probing on every path available there. What we've also seen in the field is that sometimes you may end up seeing that it's possible to get returned the same IP address across multiple circuits; however, the difference happens to be in terms of latency and number of hops. So what we notice is that sometimes we have some ISPs who have tie-ups with O365, so, you know, you may see ISP 1 takes maybe 10 hops to get to a particular service front door for O365 vs.
ISP 2 takes maybe 15. So the idea is for this solution to first determine what the closest front door is per ISP, and then sprinkle in some intelligence on top of that to make sure that we are reaching that front door in the best path possible. So once we, you know, resolve DNS and we've understood, OK, over ISP 1 this one over here is the closest service front door for O365, and over ISP 2 it may be another one over there, we start doing layer 7 probes. So these aren't just layer 3, layer 4 pings; we are doing layer 7 HTTP probes. That means we're sending HTTP probes all the way up to those particular service front doors. And again, when talking to Microsoft, what they have told us is that as long as you can make sure that your application or client-simulated flows can reach me at that particular service front door, it's my duty, Microsoft's duty, to make sure that everything within that particular data center and that tenant is accelerated. So rather than you trying to go to a front door that's closest to you based on your knowledge, it's better that you go to a front door that they advertise as being closest to you, and once you get there, they will make sure to get you to the end application, whatever it may be, as soon as possible, and they guarantee even faster connectivity than a normal one.

So the idea is, once we get those IP addresses and we start simulating these flows, we start collecting performance metrics over each transport. So we are collecting loss and latency, and we're compiling the data and sending it over to vManage. Once we get this data, now we have some kind of insight into the health of each ISP. So in this case, let's say we determine that ISP 2 is not doing so well; maybe it has high latency, maybe it has some amount of loss that's beyond a threshold. In that case, now when we have a user who has to, you know, open up a session for Office 365, the first thing they do is they're going to generate a DNS query. That DNS
query will come into my vEdge router, and now my vEdge router has already been proactively probing the O365 front doors and determining the best path, so it knows that at this point in time ISP 1 is the best way to get to O365. So it's gonna make sure that this DNS query is intercepted and redirected over ISP 1 to make sure it also is resolved to that front door, just like it was done for the vEdge router itself. And once we have that IP address, that DNS response is sent back to the user. So now the user will start the actual O365 session, and once that O365 session comes to the vEdge router, it will automatically learn it and build a forwarding cache table entry. So that's where DPI kicks in, understands this is O365, and it begins routing it over that best path as well.

Do you really see that when the user does that DNS query they might get a different response back than the probe doing it?

No, because... actually yes, because what happens is, from a user perspective, they could have any DNS setting on the machine. So it's possible that if you go to 8.8.8.8 you may get returned an IP address that's different than when I go to something else. That's the reason why, when we develop the solution, we make sure to intercept the DNS query, yeah, and send it to the same DNS server that we're using.

This is specific to Office 365, this behavior? Meaning the DNS resolution piece of it, or, you said you worked with Microsoft to set this up?

Yeah, the custom probing endpoint, yes, that's specific to O365.

So Salesforce was up there on another screen though, so there's integration with other SaaS providers?

Yes, we are working with other SaaS providers. Like David mentioned, we have a little over a dozen SaaS applications out there. The reason we haven't onboarded too many more is because it depends how you access the SaaS application. Some vendors out there, what happens is, you know, when we talk about an application, there are tons of flows that get
created: you have a database, you have, you know, images located somewhere else, some email somewhere else, video somewhere else. They don't have a concept of centralized architecture, they don't have a concept of a common service front door; they kind of put it all over the place. So if we start probing one thing, you know, maybe a part of your application will work fine, another part of it may not. The good thing about O365 is they've kind of made these front doors globally available across the world, one of the largest networks we've seen, and what they do is, or rather what they say is, don't try and optimize, you know, per sub-application in O365, because when you open up Skype, that's, you know, tied into Outlook, that's tied out to other applications like OneDrive and things like that. All they say is, just come to my service front door as quickly as you can, don't worry about anything beyond that, I'll make sure to get you to the other application as quickly as possible. So that's kind of what we ended up doing here.

What you're saying sounds like maybe an evolution from what I've last heard on the topic of what Microsoft does, because I'd understood it as, when you do the DNS lookup, it geolocates based on the resolver...

Yes.

...and then it moves data closer to that point.

Yes, that's how it is even today in some places, but the point of us getting this custom probing endpoint was to go away from that.

And they may move things around, so some applications may cache and some may do something else?

Yes, yeah.

So another very, very, very common use case that we see in the field is doing a DIA as well as a gateway site. So what we mean over here is, let's say you have a vEdge router, you already had MPLS, you've used that MPLS to build SD-WAN with another vEdge that's located elsewhere. To augment SD-WAN you've purchased a cheap broadband circuit, that's ISP 1 over there, but you also know that there are other vEdge devices that could potentially act as gateway
sites in this entire deployment. That vEdge gateway could be a colo facility where you've purchased, you know, services like ExpressRoute, Direct Connect, or even just a regional hub where you have this big fat MPLS pipe, you know, or rather internet pipe, that has high bandwidth, low latency. So the idea is, if you can identify sites like these, the solution can be made intelligent enough to do probing not only for the local circuit itself, but also you can designate that for these particular sites I'd like to use potentially another site, like a colo facility, to act as a gateway. And automatically when you onboard an application into Cloud onRamp for SaaS, it will begin doing the same DNS probing, you know, discovery of applications across its particular links at both sites. So in doing so, maybe my branch over here is located somewhere in Australia and I'm getting resolved to a front door here, whereas this gateway is maybe located somewhere in Singapore, closer to another data center there, and that's being resolved over ISP 2 to talk to a particular service front door over there. So in that case we are being resolved to two different front doors, and now the vEdge has intelligence to begin doing those probes across both those circuits.

So now the cool thing about the solution is we understand that over here we have a direct connectivity to the application itself, so that means our probe, you know, exits out directly from the branch into that O365 service front door, versus over here it's riding the SD-WAN fabric to reach the vEdge gateway site, and then the vEdge gateway site itself is doing the probing. So what happens is the vEdge intelligently understands that there is this SD-WAN fabric in between, so what it does is it creates a composite metric. So it says, okay, I'm gonna add in loss, latency parameters that I have already, you know, that I'm already doing probing for on the SD-WAN fabric, and I'm gonna add that intelligently to the loss and
latency parameters that the probing at the vEdge gateway is doing. So we create a composite metric to understand: is the path that I can break out from directly at the vEdge better than me going through the SD-WAN fabric through this gateway site, or not? And then based on that we start making a routing decision. So this becomes pretty powerful, because you may end up in scenarios where, you know, one particular ISP is not working that well. So in this case here my local ISP had a brownout, there's a problem with the application access, so now I still have the intelligence in the system so that when that DNS query that was sent out initially, it has already been resolved via ISP 2, I will be able to send my traffic through the SD-WAN fabric into that gateway site and then break out from that gateway site into the O365 front door that's accessible from that colo location.

[Music]

I'm sorry, that's applicable to CASB as well, clients you see?

Yes, you could, yes, you could use that with CASB as well.

Some other SD-WAN vendors have a concept of like the cloud gateway or the PoP that you connect to locally, regionally. Is there anything like that? Because I see branch edge and then Office 365.

For us it's more of a deployment model. The idea is that if you have an idea to have a facility like this, a colo location somewhere where you wanna get in these, you know, better circuits, ExpressRoutes, the idea is to drop a vEdge router over there. As long as it has IP connectivity, which is what you'll get with those DC and ExpressRoutes, you will build your SD-WAN fabric over them. So the point is, from the solution perspective, you can say that I know, you know, I have these particular facilities at, you know, Singapore, North America and maybe Australia; I'll designate those as my gateway sites for particular applications. So the solution will automatically understand to do probing from those facilities. But we don't do something where we advocate going out and just creating something
like that. It's a matter of whether you want to get that service, that high, you know, IP connectivity at a particular location or not, and if you do, you just drop a vEdge router there and build SD-WAN fabric to it.

Okay, so if I'm at the...

The gateway-based model can be an assist to the DIA model; that's kind of what we have seen customers take this. The reason for that is, probably about like 80, 90 percent of the time, your internet access directly from the branch, if it's connected to a tier-one ISP, will give you the most optimal way to get into Microsoft, so there's no real need for a gateway to do anything there. But there might be cases, back to what Hamza was mentioning, where I need to go to an intermediate point like a colo because my direct internet access path is just experiencing like higher latency, jitter and so forth, so I may take a U-turn through a gateway. The gateway-based model essentially has an issue that you're bound by the scale of the gateway; the scale of the gateway here being, like, how many gateways do I have really dictates performance, and it's really hard, if it's a really large geographically distributed enterprise, to place the gateway so you get optimal performance for everything. For SaaS applications in particular, we have seen internet, like DIA, be the prominent methodology. What we offer is, across DIA and the gateway path, you actually have a fallback, so if my DIA path fails then I can actually go through a gateway. So we don't force the gateway conversation on customers, but it can be used as an assist on top of DIA.

thanks a mission thinks our garden by you, why is Office 365 not doing this instead of...?

And the question, why is O365 not doing this: because they optimized everything after you hit the front door of Microsoft. They don't optimize kind of, in the end, the last mile of the madman based on where you are coming from or the NFIP.

Okay, let them do the proximity routing and let them direct you to the
optimal PoP location somewhere. the amazons like well are being the underlying network characteristics, which one they are doing I don't know, but why you are doing this? so if stable - then all the other HD reminders for the benefit as well, right?

Yeah, so the question of Microsoft, does it want to get into the network measurement, understanding how network characteristics are, and then route around it? I mean, the DNS part can be answered, that's straightforward, but using the network characteristics to figure out, like, the most optimal path...

Okay. Question: so this is all largely DNS-based. What if you're using the Umbrella options with the SD-WAN, in our SD-WAN solution, as well?

Yes, so even with Umbrella there is the whole concept of having different facilities where you're doing DNS. Again, the idea over here is that, because we're using that custom endpoint, you're still going to be returned an anycast IP, and the idea with that anycast IP is that when the actual user resolution happens you'll get resolved to an IP over there. So yes, it is possible it may not be the closest one if you're gonna use Umbrella, but yeah, the idea is with that anycast IP you're still getting something close enough, and then you have the SD-WAN fabric still doing those probes to make sure it can at least choose the best path among all the circuits you have to get you there.

All right, so I think I'm running a little short on time, so I have five minutes, so I'm quickly going to go through a demo. So in an effort to save time we've just kind of pre-recorded this. Let me maybe set the stage for this a little quick. So for this demo, right, what we did is we have a branch router set up at Sydney and we have a data center set up at Mumbai, and what we're trying to do is, we have a file on OneDrive sitting in a data center by Singapore. So traditionally what's going to happen is, we're going to show you a file download; what will happen is this will take the traditional path, that means the file is going to
flow through the data center and then all the way down to the branch, and we're gonna see how long that file download takes. And then we're gonna enable onRamp for that particular branch, that means you can allow him to break out directly, and then we're gonna see how much time the file download takes after that. All right, so go ahead.

How real is this demo versus emulated? Are these actually hosts that are in these locations you're suggesting?

Yes, yeah, so we use actual hosts in these locations. We actually set up a OneDrive folder in a data center by Singapore to kind of simulate, so it's not too far from both places, and then we recorded it after that.

Yeah, we wanted, just to your point, that this is very real, this was done on a real environment. The only reason we recorded that is because Internet performance can vary, and so we take sort of like an average approach, not to react too fast to transient changes on the Internet, so that's why it's a matter of minutes potentially that the reaction will happen. We didn't want you guys to just sit and... but other than that, this is all done in real life.

Yep, so like I mentioned, so this is the PC that's sitting at a branch in Australia, and we're gonna be downloading this particular file from OneDrive. So when we start the download, we'll just take a quick look at how long it takes, and it should just be not too long. So this is again the file download happening all the way, you know, through the data center, before we've enabled the Cloud Express feature, or Cloud onRamp. So that took like, you know, 56 seconds, not too bad. So now we're going to go to vManage, we go ahead to the top right and we enable Cloud Express, or Cloud onRamp for SaaS. So you'll see that it's already enabled right now for O365, but at this point in time the only way out is via the Mumbai data center. One quick thing maybe before this moves forward is you'll see something like the vQoE score. So what we've kind of done is, instead of having a user trying
you know, interpret parameters of loss, latency and how they impact applications and having to set esterday based on those, we can abstract all of that and put it into what we call a vQoE score, a quality experience score. So the idea is, it's a score from zero to ten; if you have eight to ten, your application's working really well; if it's lower than eight, like four to seven, it's average; and below that it's really bad and it needs attention. So the idea here is you're looking at, you know, the score of the application; specifically for O365 it's seven out of ten over here. This traffic is going through the Mumbai data center, and the reason you're seeing an alarm over there is because it needs a little bit of attention; it may not be the best experience from an application perspective here. So what we go ahead and do is we click on Manage Cloud Express and we say, let's, you know, make this particular branch at Australia a direct internet access enabled branch. So I'm going to click on the Australia branch, add it to my selected sites list and click on Attach, and that's pretty much all the config you have to do to enable this DIA. So here, this is the part where we actually kind of just sped it up; this is the part where it goes in and applies the configuration in the background to the particular branch location, and then the branch location will begin doing probing across all these transports. So it knows already that it has a path through the Mumbai data center; now we've told it that here you can also potentially break out directly from the branch and try and access O365 from there. So it's begun doing DNS over there, it has done probing etc., and we've kind of just sped across that part of it. So now you'll see that over here we see for O365 it is active on one site, and now you'll see for this particular application through the Australia branch it looks like we're getting a perfect score of 10 right now. So let's make sure this is, you know, really the
case as well from a download perspective. So we'll go back to that host PC and we will just try the file download again, and that should be it: 11 seconds. so if I don't my car drop it here, but yeah.

On the vQoE score, are you able to tweak the metrics only, or even per application?

Yeah, so today what we do inherently in the solution is we have baselines that we've determined based on some cloud endpoints to determine base latency, loss parameters, and based on that baseline we, you know, compare it to what the SD-WAN fabric is giving us in terms of data, and that's how we give the score. So today it's not tweakable as such; it's something that's built into the system based on some parameters that we already know, what's good for the application.

Okay. you don't know do the same file, right? Yes. What about the physical uplinks, were they the same bandwidth? Yeah, we didn't change anything else from that. I think it means in the lab both locations to the web they work it's the same? Yes, they are the same circuits. well the same as well, right, because you are downloading... Yes. but I got an idea what this solution is your direct interest so it could be anything really, it could be a bigger pipe or a smaller pipe. The point is to see that if I can get as close as possible to the SaaS application. In our particular scenario we use the same bandwidth link on both sites, on the internet and our MPLS link, and the idea was to see that if I break out directly, am I really getting as, you know, quickly as possible to O365 or not.

That score, something I can drill down into and understand how it was scored? 50 signatures is 11 seconds, I mean that must be an astonishing latency. Yes, yes, yeah. but pretty you cut on this code to understand the difference how you are calculating vQoE scoff last case it is

So there's an algorithm behind it, so I'll need a little more time to explain, but the idea is, based on the nature of the SaaS application, loss, latency, jitter, we take all of those
parameters. We have certain baselines around the world; we say that, OK, with O365 in North America these are based on parameters, in Asia there's so many...

Oh, baselining.

Yeah, so there's baselining, and then we have an algorithm to kind of do some averaging based on that.

Yeah, you know, so even to your point, even though the score is abstracted, right, there's a score, you can still go and you can get the actual raw readings of what those probes have discovered, right, so that you're not blind to that. You know, the score is just easy for you to consume, but if you wanted to see the actual readings you can do that.

disappointed think I was gonna put one of the pull-up bars that you put in the doorway. will do. okay, thank you. make it a three please. Hey David, can we get some reports on when the score is better on one of two circuits? Let's say for example we have two paths to Office 365 and one path, the primary path, is not good at XYZ. take some more coffee black. I think it's on thousand 18 we still have figured out conference calling and we still have figured out how to do external screen

twelve plus years. Initially started out as a TAC engineer, put in my six and a half years there, and took this technical marketing engineer role. I'm focusing on SD-WAN security that everybody before me touched on. We've talked to customers, have been traveling all year since we started this SD-WAN security project, and last October talked to hundreds of customers, and we folded all of the use cases into these four buckets that you see.

A group of customers tell us that compliance is the main focus for them; they want their enterprise branches to be compliant. In this use case they tell us that they want to tunnel all of the traffic from the branch all the way to the headquarters; that includes the internet-bound traffic. That of course provides suboptimal performance, but that is the use case, that's what they want to accomplish to be compliant. We could leverage the enterprise
firewall that is application-aware and the IPS solution that we have. Since there is no clear traffic that leaves the branch going to the internet, the attack surface in this use case is very minimal.

Another group of customers tell us that they have guests coming into their enterprise branches and they need to provide them good-enough content filtering. For this use case we can leverage the enterprise firewall that's application-aware as well as URL filtering; this is on-box, it's run natively on the IOS XE SD-WAN image.

Another group of customers tell us, well, I have my employees, I don't want to haul all of their internet traffic all the way to the headquarters, and I want to pick and choose certain SaaS applications to get optimal performance and break that out directly from the branch to the internet, and still continue to haul the rest of the internet traffic generated by the same employees to the headquarters. We call this use case the direct cloud access use case: picking and choosing certain SaaS applications, such as Office 365 that Hamza talked about. Now since in this use case we're exposing the employees' Internet traffic and sending it in the clear right out of the branch, the attack surface is even wider than the previous use case that you see.

Another use case is what Hamza touched on, the direct internet access. Whether it is the employees' Internet traffic generated at the branch or the guest traffic that is generated going to the Internet, all of the Internet traffic will go from the branch directly to the Internet; no Internet traffic is tunneled over all the way to the headquarters in this use case. So we have the enterprise firewall that is application-aware, intrusion prevention, DNS web layer security; all of these can be leveraged at this branch in order to protect the assets that live behind the router.

Now SD-WAN security brings all of these security features, the full stack, into Viptela vManage to provide that single pane of glass that they were clever
not mentioned to be able to provide provisioning, managing, monitoring, reporting as well as troubleshooting. Now this solution can be cloud-hosted or on-prem depending on the customer's use case; the controllers could be spun up in the cloud or at the customer's data center.

Now the security features, the embedded on-box features: I called them out, I don't have a laser pointer, but what you see in this bubble, that's the enterprise firewall that's application-aware, IPS, URL filtering and advanced malware protection. You're able to see the color difference here in this bubble; that is grayed because that has been roadmapped and committed to be delivered in March 2019. The rest of the features are coming in this November. Now the only cloud feature that we will be integrating is the DNS web layer protection. We'll talk about each of the security features and look at the live one, not the recorded one.

Now what features are coming in which platforms: in all of the Cisco platforms, ISR 4K, 1K, ENCS, which is ISRv, CSR, ASR, as well as the Viptela vEdges.

We're really talking about, these are all gonna be baked into IOS XE SD-WAN, correct? As well as the Viptela vEdge?

Yes. I called out a little asterisk here to say the ASR 1K will not get the IPS, URL filtering or AMP, because those three applications we run within the router's container. We take the control plane cores, the spare cores available, and we run these as services using those control plane cores, and that technology is available on the ASR 1K, just not enough cores to push all of the traffic that the ASR 1K is capable of processing.

And then the software would end up being a bottleneck for the power that the 1K has, you're saying?

Yes, uh-huh, it is capable of processing more throughput, but the control plane cores are just not enough. And the vEdges, these do not have the control plane concept or container concept, so for that reason they won't get the IPS, URL filtering or AMP, which are the container-based
applications for the November release.

So the ASR 1K is also a head-end box, right? So typically branch security is the ISR platforms; the ASR 1K is in a data center or in a head-end location where you would likely have dedicated security appliances anyways to do all of these.

So the enterprise firewall that is application-aware: traditionally we've had a stateful firewall on our routers for many, many years. We've integrated that with our NBAR application detection engine, so we're able to provide visibility into the 1,400-plus applications that David talked about, thank you. You could block based on individual applications, groups of applications or categories of applications and configure the firewall policy in one pane of glass. This offers segmentation and helps with the PCI compliance of the enterprise branch.

The intrusion prevention: this is also an on-box capability that we run within the router's container. The signatures are released by our Talos organization, the highest efficacy in the industry. vManage is the single pane of glass; what it does is, at the set interval, it polls cisco.com, and as and when a new signature set is released it goes out and grabs that signature set, the new signatures that are released, and pushes that down to all of the routers provisioned in vManage. The option that we do provide is to whitelist signatures should you see a lot of false positives. Creating new signatures or tweaking existing signatures, it's not supported for the November release, although we're considering that for the future. The solution with our stateful firewall that is application-aware will make an enterprise branch a PCI-compliant branch.

URL filtering: this also is an on-box capability that we're bringing in. We could run natively on the IOS XE SD-WAN image as a container application or service. We provide about 82 different categories that you could block or allow. Also, each IP address in the universe gets a reputation score on a scale of one to a hundred: low reputations, high reputation,
suspicious websites, medium reputation, so the customer can choose to block or allow based on that as well. Some options we allow are custom blacklist or whitelist: even in the blocked category you could specifically add one particular URL and say, I'm just gonna whitelist this, it doesn't matter which category it belongs to, let the user go to that. And the custom end-user notification: so if a user behind is unable to go to a category, then what do they see as a blocked page content? You could either tell them a message, or write a message that they will see, or you could redirect them to call an 800 number and reach out to the help desk.

The next one is the DNS web layer security.

whatever wonder that one many of any of them ask what you don't do with the HTTP traffic, right?

So today, no SSL decryption, but what we do is watch the packets up until encryption starts. So the client hello after the three-way handshake, and the server hello comes in, the server presents its certificate, so we have the server's IP address and the domain name, so we're able to block based on that. But this on-box feature looks within HTTP as well as HTTPS packets before encryption starts.

How are you able to pass, like, the block page if you want to redirect and say call this 800 number like you mentioned?

Mm-hmm.

I know I've seen it with Firepower when you're doing HTTPS without decryption, it's just like "cannot be displayed", that kind of stuff.

Same thing with our solution: "connection has been terminated" is what you see, but if it is HTTP we're able to insert that block page.

Okay, so pretty much same exact.

DNS web layer security: this is providing content filtering at the DNS layer. Certain countries have laws against looking within HTTP or HTTPS packets, so no way to provide content filtering if the solution looks within HTTP, HTTPS packets. So this solution intercepts the DNS packets; doesn't matter where the destination is, we fix it up, we change the destination IP address to that of
Umbrella anycast resolvers, and we ship the packet encrypted using DNSCrypt, after we add the inside client's IP address and the device's identity, over to Umbrella cloud. Now in the Umbrella cloud, if you have an Umbrella subscription enabled, then it sends the response back based on the policies configured there. If the category is blocked then it sends its own block page in the DNS response, and if it is an allowed category then it sends the end web service IP address in the DNS response, so the client can open up a connection to that web page. Now on the Umbrella portal we do support TLS decryption as well as intelligent proxy. Intelligent proxy is, if the verdict is gonna be in the middle, gray, not white or black, then what they do is send their own proxy IP address in the DNS response, so when the client opens up a connection to the proxy, then the entire session is proxied out and Umbrella gets the response to further look and see whether the web server or the response that comes back is malicious or not.

Now advanced malware protection: this has been roadmapped, committed to be delivered in March 2019. Once our device is provisioned for AMP, what we do is we watch for files that get uploaded to the internet or downloaded from the internet over protocols such as HTTP, FTP, SMB, and what we do is we generate an MD5 hash for that and compute a SHA, and we cross-check with the AMP cloud to see if it has seen the SHA. So if AMP cloud has seen it, it will be able to give us the file reputation, whether it is good or bad, and if it hasn't seen it, and if the device is also provisioned with Threat Grid, what we have is the capability to send the entire file to Threat Grid. So they do the sandboxing there, and once they're done with the sandboxing they send the verdict back to the AMP cloud, so in the future if the same file were to be uploaded from the internet or downloaded to the Internet, uploaded to the Internet or downloaded from the internet, we'll be able to hear
from the AMP cloud.

This is... you still see all of this through vManage, not through FMC?

That is correct. I'm moving on to this demo. I put this entire SD-WAN security demo on my UCS server. It is an M2 server, has a ton of memory and drive space, so that's what I decided to do; I don't want to take any hardware, physical device, and plug in cables in my home office. So that's sitting right in my home office, and the direct internet access is through my Google Fiber router at home. Now, I am from RTP, North Carolina, so I put my headquarters in Raleigh, North Carolina, and down here I have two little branch offices, and I have hosts sitting behind each of these. So for these hosts to talk to each other they use this MPLS router. This MPLS router and the signage router, they're running the traditional IOS XE image. The other three routers, one at the headquarters and two at the branch offices, they are running the IOS XE SD-WAN image. Now when these hosts behind all of these branches and headquarters want to go to the Internet, they take this direct internet path, the green line that you see, talk to my I know router, also within my UCS server, and out using the Google Fiber network they go out to the internet. So let's see how the vManage policy's all configured.

All right, cool. So once you're logged in to vManage, under the configuration section we've added a security option here to be able to configure the security features. Yeah, right, all right. Under the security options we could create a new security policy. So once you do that, these are the intent-based use cases that we talked about. If you pick the compliance use case, we show you the workflow for the features that are required for that particular use case. If you choose the guest access use case, we show you the workflow for the enterprise firewall and the URL filtering that we configure, that can be run on the box. Direct cloud access and direct internet access, it's the same thing. If you don't choose any of
those four, we can always go the custom route and proceed and start configuring your features. If you're not interested in firewall, just go next and go to the next feature. But I'll show you the feet security policy that I have configured here. Let's edit this policy. Now, under the firewall section I have added just four simple rules to be able to allow HTTP, HTTPS, DNS and ICMP to go from inside to outside. This policy is going to be tied to the feature template, and this is the one that is deployed to all of the three CSRs that you saw on the topology.

Now, for the intrusion prevention, this UI is very intuitive. The only two mandatory items that we ask you to provide: one is what signature set do you want to implement, between balanced, security and connectivity. We've already been asked from customers as to what the difference is between the three, and we're going to add this little "i" that you see here, right here by the signature set, so that it will show you what the difference is. The difference actually is the number of signatures that are enabled by default. The other mandatory item that we ask is: do you want IPS inline, or do you want that in the detection mode, meaning it will only show you what's going on but will not be able to drop packets should a signature be fired. And once that is done, just for the sleek look, we put anything that's not mandatory under the advanced option. So this is where you would whitelist signatures should you see a lot of false positives, and we show you how to import that from the local computer very easily. You can add a new signature list. If you do that, we'll show you the syntax, how that whitelist file should look like. Open a Notepad, TextEdit, and add those signatures in the syntax that we show you here, and you can quickly import that from the local computer, just as simple as that, and changing the log level. So those are the two items that we buried under the advanced option so you get the slick look of the UI. And finally, enable that on the VPNs, which VPN do you
want. Both ingress and egress packets are subject to IPS.

Now, the URL filtering piece: this is also a container-based application. Very simple, the UI is so slick. You tell us whether you want to block or allow, and what categories. We pre-populate all of the 82 categories here. It's just a matter of putting checks on these boxes, and that will show you the count that increases as well, as soon as you do that, and add that towards the end, the two categories that we added. And provide web reputation: do you want your users to go to suspicious websites, high-risk websites? I would never want our users to go, so my choice is to allow only moderate and above, so low risk and trustworthy. And anything else that's not mandatory for this feature to work, we put that under the advanced option. This is where you could provide us a custom whitelist URL, or regex-based blacklist URL, as well as a block page content. So if it is again HTTP page we will not see the blocked page, it's just going to show you connection timed out. Or if this character limitation that we have here, I believe it's 256 characters, if that isn't enough, then we could simply redirect them to a completely different website that's hosted within their company or even... that's me.

DNS web layer security: let's go ahead and edit that and take a look at this. This feature you can apply per VPN. So in this pub, what we could say not the DNS piece, you can pick VPNs and say for this particular VPN I want to redirect all the DNS packets to Umbrella, and for these VPNs I want to redirect the DNS packets to a completely different custom DNS server. It could be a Google DNS server or, you know, Route 53 or other DNS servers. And under the advanced option, DNSCrypt is enabled by default, meaning we encrypt the packet after we add the EDNS, the metadata which includes the inside client's IP address as well as the router's identity. Once all of this is done, we show you the policy summary page, and here for the container-based applications we can
specify which log collector, could be LiveAction, curate or any other, Splunk, log collector, an external log collector, the IP address of it, and which VPN it needs to take in order to get to that.

Now let's go and see how to tie in this policy to the device template. So this particular device template, the CSR 1000v template, is the one that is attached to the three devices. So I go here, edit that, and all the way down to the bottom is where we have the security policy. You could have multiple security policies based on use cases, based on different devices that you want to attach. And the next one is the template for our application hosting. So there is one little manual piece that needs to be done. This container-based application includes or runs a virtual image that we need to upload to the software repository. So we go here and click on the virtual image. This image is the one that runs our application in the container. So all of the provisioning happens automatically, but this is a manual step: we need to go to CCO, and this image lives exactly where the IOS XE SD-WAN image lives. Let's grab that, upload it right here using the same UI, and it gets provisioned automatically.

So now that the policy is all deployed, let's take a look at the overall dashboard. We've added three new widgets on the bottom that you see. Starting November release, the 18.4 vManage will have these three widgets. The IOS XE SD-WAN image is 16.10.1, an image that will be posted on CCO end of November. So here's the firewall widget. You can toggle between inspected and dropped. This gives you an overview of all three routers in your enterprise at listen that I'm on top I have. Gives you one hour break, and you could switch to 3 hours, 6 hours, 24 hours and 7 days. So at any point you can click and see how many sessions the firewall has inspected across the three routers and process that. You could also toggle to dropped counters. I have scripts running on these Ubuntu hosts, so it constantly sends traffic to populate the
data on the dashboard. You can toggle, you could look at the dropped packets. Let's look at the past one hour, how many packets that these three routers have dropped, and at any point you can click on that and it shows the drops at that point were 78 drops, and that happened on these three routers. So you can click on that individual router. It shows the system IP address, but then we've been asked to include the host name instead of IP address, and we will be including the host name for the FCS release. So it shows you the reasons for which the firewall dropped these packets. So that amount of drilling down is possible here. What we do is generate show commands and keep sending them to vManage, and vManage populates that. The amount of disk space that you allocate to vManage, it's capable of holding data for a longer period of time, and if you have an API capable device, it can make an API call and grab all of this information that vManage has.

The IPS piece: you could toggle between severity versus count. The high severity is color coded in red and the medium severity in blue, and that again automatically goes to the 24-hour view. You could toggle that to the three hours to see what signatures got triggered in the entire enterprise across the three routers in my topology. So the two signatures have been triggered, one that one 481 times and it's a medium severity, and this one triggered about 460 times and that is the critical alert. So you could click on this particular signature and we even show you the source IP address, so one and VLAN 20, VLAN 30 and VLAN 10 on the topology, and the destination IP address that they go to, which VPN they belong to, and how many times the signature was triggered in the last 24 hours.

And now moving on to the URL filtering widget, this could also be toggled between blocked vs.
allowed. So let's look at the allowed category. It's not gonna populate all 82 categories here; we populate the categories for which we see traffic. If you look at the real estate category here in yellow, this shows that we've allowed twelve thousand seven hundred and six sessions across three routers in the past 24 hours. We give you a breakdown of the... I know this is passed, it needs to be renamed to sessions, and it will be done. We filed a defect to get that addressed, as well as populate the hostname instead of the system IP address here. That covers the overall dashboard.

Now, if we look at the individual device dashboard, we go under the network. I have three edges, one in Cary, one in Durham, and Raleigh. So we could click on a particular device to see what options are available here. Under the security monitoring we have firewall, intrusion prevention, URL filtering, as well as Umbrella redirect. It's the same amount of drilling down that we offer, and we show you all of the protocols that we allowed, HTTP, HTTPS, DNS and ICMP, and the breakdown. Anything else that you don't allow here, it's gonna be caught in the class default. And the intrusion prevention is the same thing that you saw in the overall dashboard. URL filtering, about the same thing that you saw, maybe a little bit more drilling down. I'm being asked to just finish this session, but the Umbrella redirect piece I would like to show. This clearly shows that this device has successfully registered with Umbrella and we've been redirecting packets, so at what time and date, and how many packets that we redirected. We also provide an option to bypass local domains. If it is an internal-only domain for which we don't have an A record created for the outside, then there is no reason to redirect those DNS packets to the Umbrella cloud. So this is again pattern matching based on regex. I do have it configured but not enough traffic to bypass that. For those DNS packets we don't even touch them, we let that DNS packet go wherever it was
destined to go. The rest of the DNS packets we intercept and fix up the destination IP address. And that completes my demo today. If you have any questions I'll take them at this time. Sorry I went over a few minutes to come for the technical difficulty that I had. Are you like the UI, the dashboard, overall dashboard, the device specific dashboard? It's good. This is a very security focus, I was just wondering. For example, vManage, this tool has been very focused on NetOps versus SecOps, so that's why you don't see, if you're familiar with the FMC me I spent old, that is geared more towards the SecOps and this is geared more towards the NetOps, so anybody can take a look at it and understand what is going on. I think even if you've looked at FMC before, this is very familiar, like when you got to the IPS part and you were talking about the different levels. Yeah, it's worded the same as like David was talking about, right, or Rohan was talking about. So we did, it's the Firepower piece, it's for IPS, AVC, URL filtering, AMP and the ACL piece, right, the access rule base. So we separated the IPS and the AVC that they have, just took the IPS piece and we're running that, and not what you see the same signature set, right. It's the same: when you see the signature set release for Firepower, you see the exact same signature set released for these that we get download from CCO. Thank you so much for your time today.
Info
Channel: Cisco
Views: 17,368
Rating: 4.9540229 out of 5
Keywords: cisco systems, cisco sd-wan, sd-wan, cisco viptela, cisco, cisco enterprise networks
Id: M5mzI3JBDfo
Length: 127min 51sec (7671 seconds)
Published: Mon Nov 19 2018