Juniper Networks Live Demo with Contrail SD-WAN

Video Statistics and Information

Captions
and quickly go through a couple of slides, just to show that this is the demo topology. I have an SRX device, and that is connected to an SRX hub, and the blue lines represent the overlay tunnels from the spoke to the hub. Okay, so this is the very simplistic demo topology, and Contrail SD-WAN, or CSO, Contrail Service Orchestration, the software itself, that is actually hosted on the cloud. I will also have some sites which are, like, what I call this multihoming, because it is connected to more than one hub. Okay, and essentially just to show that it can go to connect with multiple different hubs. Each of these devices can also cluster, so each of this can actually be a dual CPE also. Okay, so this is the very high-level topology diagram, and then these are the things that I'm planning to cover today, mostly starting off with application visibility, because that is the key thing about SD-WAN, that you identify the applications before taking an informed decision as to what to do with the applications. Next, we will see the intent-based SD-WAN policy management; that is where we will actually create some policies. We will see how to set the SLAs in CSO and see some of the cool things about what happens when SLA is breached. Then we will see some security. I will show the site provisioning workflow; it's a very simple workflow that has very few steps. And then I will try to show some of the other things, like the dynamic meshing between sites, okay, and finally show some role-based access control related, multi-tenancy related capabilities. So let me end the presentation here and go to the... So I'll just log in to my CSO. So I'm just logging into a couple of different windows. So I have now logged in to CSO, and here you will see that there are different contexts here. So first let me show one of the tenants. So this particular tenant is called the product tool. So essentially, just carrying off from where Tony left, that there is a trial thing and the users can easily actually register and get to the
website. So this is the product tool, and here, once the user logs in, if they are there for the first time and want to see what is going on, you can actually open intro here. It shows, like, the stuff, explains a little bit about it, like how to browse through and what to see where. So you can actually browse through the intro thing, or you can skip it if you are an advanced user. And essentially, once you land on this dashboard, you will realize, first of all, with your own login it will be empty. So the dashboard is user customizable; it's different for every user. Okay, so you can drag and drop the widgets that are available here. So if I just drag and drop a widget, I can set the timeline here, I can actually select what type of graph I want to see, whether it's a bar graph or a time series graph or something. So I can arrange and design my own dashboard. So the dashboard actually gives an enterprise-wide view of what is actually happening in the whole enterprise. For example, which are the top applications which are consuming the maximum amount of bandwidth; that may be the first question that an administrator might want to see. So you can see here that these are some of the applications consuming the maximum amount of bandwidth. Who are the users who are consuming that amount of bandwidth, so the top sources. Then, for example, for some specific branches you may want to view how the throughput is, so this shows the throughput graph, like, in the last one hour. So you can actually get an overview of the system right from the dashboard widgets. Now, moving on from the dashboard widgets, you can get to the monitoring tab, which shows much more information about the sites. Okay, so here we see that there is a global topology here. So there is a map, and these are all different sites. So let me zoom in a little bit. Okay, it seems a little bit cluttered, but if I zoom in, that is where you see that there are a lot of sites here, in the US, in Europe and all these places, and then there are some which are hubs and
then there are some which are sites. Okay, and you can actually see the top applications running there, if there are any outstanding alarms. So the nice thing is that, I mean, if there are any alarms, for example if there are any minor alarms, it will actually show up with yellow; if there are any major alarms, it will show up, the site itself will change color. Okay, so you will get to see that instantly from the geo map, like, okay, there is some problem with some site in probably North America. Okay. Just, yeah, like a really bad question: mobile friendly? So we are actually going there. So this one also you can open on mobile, and you can see that doesn't look, but yeah, but there is a mobile version that is actually coming up, okay, and you would be able to see the... I know it's kind of a lame question, but it's a real question. So yes, so there is a mobile version that is coming up. Actually, more than the overview, you get an enterprise-wide view, if any links are not performing, any sites are down, right there, you know, and in one screen, right? Yes. So this provides the very high-level overview, and then for any of these sites the user can easily click on more information to go and see the details about that particular site. Okay, so you'll see that we moved to the resources tab automatically from the monitoring tab, and in the resources tab, if I just go there and click on site management, I'll be able to see all these sites actually here. Okay, so this is a listing of all the sites. It shows that these sites are provisioned, operational state is up, and then if we actually click on one of the sites, we get to see the details about these sites, okay, and, like, what are the devices, okay, and then which are the LAN segments which are connected. So we can see much more details about this site. So for example, from the resources site management we can actually see the number of devices connected here. Yeah, so here we can see that some devices, some sites have four devices. So what are
these? Let me click on one of these, and we can see that there are associated devices connected here. Okay, so there are, like, a couple of access points and there is one switch here, so an EX device connected to an SRX345 and a couple of access points. We can actually go and see the EX device, configure the EX device, and then we can actually cross-launch the Mist portal, and it automatically does this context switching to that particular access point. So this was the question earlier about the EX and the Mist together. Yeah, so it automatically goes there, and you can here then get information about that particular access point and all these applications and all, and those same applications are what you will be able to see from here. So if I click on this site, you see that this site is actually multihoming to two different hubs, okay, and these hubs, it has got two connections, and these are the different applications, the top applications that are running for that site. Okay, so this is what you get in the product tool. So once you go there, you will be able to go there and see the various top applications, enterprise-wide view, and then customers can actually configure their own systems and know, like, what to expect, what can they see from the system. Okay, I will also go to another tenant. So I'll quickly log in to another tenant which I'll be primarily using for my demo today, because I have a set of devices connected there, and what I'm going to do is I am going to go to the SD-WAN workflow, which is the most important and of interest here. And here you see that I am now in Enterprise 101. Okay, earlier I was in the product tool tenant, because I am actually a super administrator of the system. So there are different levels of hierarchy, and the tenant administrator, once they log in, they will be able to see just that particular tenant, whereas the service provider administrator, which is the role that I have right now, I'll be able to see all the tenants that are under me. Okay, so here moving
on, I will quickly go to the SD-WAN perspective. So on this particular tenant, if I go to the monitor tab and I want to see what is happening, so this is, like, my topology here. I have sites: New York connected to a hub in Dallas, I have sites Los Angeles connected to Dallas, I have Seattle connected to Denver. Some of the sites, like Chicago and Atlanta, are connected to both the hubs, okay, so they are doing multihoming here, and there are some site-to-site tunnels, like New York is connected directly to Atlanta. Okay, so this is the scenario here, and in this scenario, if I want to see what is happening for this particular enterprise, I see that these are the top applications that are there for this particular enterprise. And now, if I want to see what happened in, like, the last 1 hour, then it will show me that these are the top applications that are running in the last 1 hour. Now, if I want to drill down and see what is happening, say for example in New York, and if I click, okay, so then it shows me that this is what is happening at the New York branch site. So then I can see, if I go to the grid view, it will actually get me the top applications that are running, the top users who are consuming the maximum amount of bandwidth, what are the types of applications, for example there are, like, some web category, infrastructure category, what are the characteristics of those applications, and then it does a risk profiling also of those applications. So we see all these different details here. Now let's say we have identified that some users are consuming a lot of bandwidth and we want to see what those users are actually doing. For example, this user seems to be consuming a lot of bandwidth. Okay, so I can go to the grid view and find out, okay, so one particular user has consumed, like, 11 GB of data in the last one day, and then if I want to drill down and see what are the applications that the user has been using, so it shows me those details. So this is, like, getting and drilling down into each and every branch
site, each and every user, and you can actually see the user name if it's integrated with the Active Directory. Then we want to now... It is what I just want to highlight: this kind of highlights the application visibility aspect and the visibility that we provide for the whole enterprise of what's actually running on the network, and that's really enabled by the application awareness of the SD-WAN solution that I talked about. Over there, particularly is the service provider admin and whatever level that you're in, it wraps that are showing, like, the total bandwidth and everything like that, is specific to that, less specific to that limit? Yes. Or just one of years? So yes, so it's only for this particular tenant, yes. So now let's see the SD-WAN policy management part, because this is the key part about CSO. So here now, if I go to SD-WAN policy, we will see that there are some policies that are set here. We'll get to the policy part, but before policy we need to decide now what to do with these applications. So for example, option one, we can go to the local breakout, okay, stuff just goes directly to Internet. So that is one option. Then we can say that, okay, I have some preferences, I want to take my traffic, some of the applications which I think are important, which are going probably to the data center or maybe to the internet through the hub, I will take those through the MPLS link. I want to prefer my MPLS link or I want to prefer my internet link. Okay, so I want to set some static rules by which I want to say that these applications should preferably use Internet, and if Internet is not available, only then it goes to MPLS. And then the final thing is that dynamic SLA, where I actually set an SLA, where I say that this application must be able to run within these parameters. What are those parameters? Something like packet loss, latency, jitter. So that is the final level, where we can say that actually the SLA should be set. So here, for example, we have breakout profiles, so we can say that we
create a profile: the traffic should go to the Internet, or the traffic should go to the cloud security on Zscaler. Okay, so we can create profiles here. Similarly, path-based steering profiles: we can say that something should go to the MPLS path or the internet path. And then this is the part where we actually set up SLA. Let's say we have some collaboration apps which are important, and then we want to say that this is a new SLA that I want to set for the collaboration set of applications, for my voice and video set of applications. So voice and video is automatically classified with the class of service parameters. Okay, so this is one thing about Juniper's SD-WAN, where this is associated with the DSCP encoding at the back end automatically, and here I can use the recommended settings. Just to, all right, just double-click on that, right? So this is an important point. We actually enable you to reclassify incoming traffic with a specific underlay CoS parameter and map that into the overlay CoS, and then we maintain the underlay CoS going out into the WAN on the outer side of the tunnel as well, right? So we make sure that quality of service is maintained from the LAN to the WAN to the overlay, based on the SLA class. Yep, and here the SLA parameters, the threshold configurations, we can use the recommended one if we are not sure as to what to set; otherwise we can set some custom parameters. Okay, let's say that I want to set something like packet loss 3 percent, jitter maybe 10, and the round-trip time maybe hundred. Okay, so I can actually set my custom values, and then I can say that the SLA breach will happen if all these parameters are breached, okay, that is an AND condition, or if any of these parameters are breached, that is an OR condition. Okay, so it's like, if round-trip time is breached only, even then it's considered a breach, or if all the three have to be violated in order to be considered an SLA breach. So we can define that, and then we can actually set application quality of experience
sampling rate. So what the SLA probing does, this is where the actual probing comes into picture. We can say that sample 5% of the traffic, so that will actually sample 5% of the real Zoom or Skype or WebEx traffic, and then we can say how many times the violation should happen before we consider to move the application from the affected link to the better link. So let's say that the violation should happen at least twice over a period of, let's say, at least three seconds. Okay, so over a period of three seconds, if the violation happens at least twice, only then move the application over; otherwise keep the application as it is, because it's a brownout condition. It's not exactly that the link has come down completely. If the link comes down completely, then the application will move over anyways. If there is a huge amount of packet loss, the application will move over anyways. It is a brownout condition, a latency condition, a small amount of packet loss condition, which is what we want to detect and then move the application over selectively. Then we just click the SLA and make it part of a policy. So policy creation is very simple, we just say that... Okay, sorry, Stan sir, I just want to highlight, so what we're sort of going through is that we allow a very fine level of granularity in the policy configuration. We also have standard policies, right, but what you find is a lot of other solutions in the market just have high, low, medium, right, and you don't get to define what is high, low, medium. We actually let you define. We have high, low, medium, but if you want to spread it so that a custom class, we allow you to do that as well. Yeah, and creating a policy is very easy. So we just give a name, we can give a description and all. So now, let's say we want it for all the sites on the Pacific coast, let's say. So this is a site group. Okay, so all the branch sites which are on the Pacific coast, we can actually do that all in one go; all the sites that are in the US, all in one go; or you want to selectively
choose some sites, that is also fine. Okay, you can selectively pick and choose the number of sites, and then applications. So here also we can use a group, let's say all the collaboration applications. So if I just say CSO, and all the collaboration applications are grouped together in some relation group. You can define your own group; you can just say that, okay, these are the applications that I use, so I will just prioritize those. You can just actually say, for example, in your organization you are just using WebEx, no need to actually select the other stuff, just say WebEx. Okay, and then you choose the SLA here. So here we see that, okay, this is the SLA, and then we click Save, and then we can deploy. Okay, so this is how we actually create the policies, and it is absolutely I've been what the administrators can do in a few clicks. So with any of these groups, particularly I was thinking the geographic-based ones, mm-hmm, is there a hierarchy to it? Like, if I had my West Coast one, could I further go down to West Coast, California? Yes. Washington? It's, you can define groups in any way and you can have any number of sites in that, but this is completely logical. The system is going to find out, okay, US complete, Pacific is within US complete. So if you select Pacific, it is finally going to see that, okay, so many sites are within Pacific. If you select Pacific and US, it is going to still see so many sites. So it's just going to actually push it to devices finally, so the system will actually figure it out. So you can have any kind of understanding after you recreate the hierarchy, it's not, it's just a simple logical naming convention so that you can easily deploy to many devices. So then you can easily deploy. So now, what happens when you deploy? And then we already have some applications, like for example for New York site, for Los Angeles, some important applications, like say SharePoint, Concord, YouTube here, which are running, and then Outlook, and then Google Hangouts, Zoom, Skype
so there are some things which I have already defined, and what I have is a proxy browser. So this is a proxy browser actually connecting on the LAN side of New York. So what happens here, whatever I do here essentially lands up as New York traffic. Okay, so this is the browser, and let's say that I'll go and upload some file just to generate some traffic, and maybe upload a big file here. So here I have started a file upload. So what has essentially started now is that there is traffic going on, and traffic is passing through the SD-WAN site; essentially, traffic is passing the New York site. Okay, so now what I am going to do is I am going to actually introduce some breach in the SLA by introducing some amount of delay. Okay, so I have some delay VMs and all configured. So what I am going to do is, so this is my kind of Ubuntu VM through which the traffic passes through. So what I'm planning to do here is just introduce a significant amount of delay, and this is actually the site here. So it immediately sees this huge amount of delay, okay, because I introduced that significant delay in the network, and you see that it actually says that it is trying to meet this business SLA, and now the full SLA is actually violated. Okay, so here, once we do this, then traffic actually figures out that, the probing mechanism figures out that there is a huge amount of latency in the network, and it is going to then make a change in the path. Okay, so we see that now SLA is again met. So what has actually happened, I just wanted to show a little bit of that, just to show, because here it appears very quickly, and yeah, so here we see that a switch has happened and then certain applications moved over. Not all the applications move over, okay, so only those applications for which we defined the SLA, so those applications move over. So if I go to the application SLA performance, so here I can actually see something called scores. So we score a site, we score WAN links. Okay, so we provide some
automatic scoring mechanism by which we say that this number of sessions were actually affected out of total so many thousands and millions of sessions. Okay, so based upon that we see New York is still doing good, and the site SLA performance in the last one hour is actually decent. So here all these different applications have been running. So if I just go to the graph view, it shows us a scatter plot of the different applications, and anything to the right is actually doing good and is green. Okay, so here we see the WAN link, the overlay performances, okay, and we can actually drill down to that application to find out how that application itself is doing. So this is the score of that particular application. So we see here that SharePoint is the application and it's trying to meet business SLA. So this is the session that is going on, or the set of sessions. So there has been no packet loss. This is the SLA breach, okay, and the target was 150 milliseconds, whereas the actual round-trip time was 509 dot something. Okay, so the application moves over seamlessly to the alternate links which provide better SLA, and that is what is brought about by that dynamic is eliciting. Okay, so now one of the questions that came up was how security works along with all of these, right? So security works seamlessly with this. So we have the firewall policy settings here, and if I go to the all-site firewall policy here, you see here that I have set some generic policies here, like these are department-based firewall policies, and I have also got site-based policies, like if I say that for New York and Los Angeles sites Facebook and Twitter are blocked, okay, whereas I am allowing everything else. And I have also got UTM enabled. Okay, so UTM innovatively means web filtering, antivirus, content filtering, so those things also. See here, the upload is actually still going on; the Internet is actually slow here. So the web filtering, I have blocked certain things, for example I have blocked some shopping
websites. So if I just try to open some shopping website, I'll see that it has been blocked. So this is what the user, the end user, is going to see, and it's very easy to modify that. We can easily go to the web filtering profile, and inside the web filtering profile, if I click Edit, this is the message that I am seeing right now, and I have just shopping blocked. I can edit here and I can essentially include any of these groups here, I can deploy. Okay, so it's pretty easy to make changes to the firewall policy, and it's seamlessly integrated to the SD-WAN policies. Here are a couple of other things. For example, as soon as we go to SD-WAN, I mean, branches are open to more threats, and these days users get a lot of these phishing emails. So here is, like, a phishing email, lifetime Uber rides for free, and maybe somebody goes and clicks on that, and actually it's taking the user to a malicious website. Okay, it tries to download something, but the user is protected from that. So this is also, like, automatically antivirus in play. Okay, so the security part is here, and now let me quickly move over and show very quickly the site onboarding process, in five, six minutes. Five minutes? Okay, five. Sorry, first rush. So I quickly show the site onboarding process. Maybe I'll also do one thing: I'll show the topology once, and I will show, for example, Seattle. When Seattle talks with Los Angeles, it essentially has to go through two of the hubs, Denver hub and Dallas hub, so that introduces delay in them. For example, here Seattle, if I just ping Los Angeles, I'll see that there is a big amount of latency, like 16 milliseconds latency between Seattle to Los Angeles, because it is going through the two hubs. Okay, so we will see that the tunnel between the two sites comes up automatically. I will just leave the pings running here, and I will show the site provisioning in the meantime, so which is the SD-WAN site provisioning. So let's say we are setting up a branch in Las Vegas and we choose that the branch is an SD-WAN branch, we
choose which hubs it needs to connect to, so it can connect to maybe Dallas as the primary hub and Denver as the secondary hub. It's optional, whichever; you can connect to one or you can connect to more. You can choose the address and contact information; these are all optional parameters here. In the advanced configuration you can choose, like, which particular timezone it connects to, so I just say, okay, Los Angeles, and then we select SRX as the SD-WAN CPE, okay, because this is the SRX. If I just enter, let's say, some serial number here, I am just entering I imagine 81, and then here there are these options, like for example for LTE, what kind of link it is; we just need to identify the link. And then, let's say, if I enter this, and then I can enter other values here. So here the PPPoE settings come up, and this is actually pretty unique: we actually do underlay integration with DSL as well, which is not available with many other options as well. So yeah, so we can choose these parameters here, and let's say the next one is, let us say, MPLS, and that one is static IP, so I can set static IPs and all. So we can set something for Advanced Settings here, or we can optionally go to the next step, and okay, I will just change this Ethernet, and we can add some LAN segments initially if we want to, or we can add those later on. I mean, essentially all our inputs are done, all this autolearn if you don't add those LAN segments. So if we do not have those LAN segments, we'll eventually, we can add those anytime later on. The thing is, all the security policies and all those things can be also deployed automatically. Say, for example, a LAN segment actually belongs, you can make it part of a department, and then if that department has a policy, like for example a department corporate, it has got a policy that allows internet but blocks Facebook, so that will also be automatically deployed as soon as the site is provisioned, instantly after the provisioning of the site. That is the advantage of having LAN here
I mean, you need to have a LAN or VLAN specified. I mean, you won't autolearn, you need the port, but what he's saying is you don't have to do it on site onboard, you can do it later, add it later. Yeah, you don't have to add it on. These are all the inputs essentially. You can also download something as JSON if you have a lot of sites; you can use a site templates workflow to upload many sites. I just added one sitting single serial number; you can add many of those if all your sites have a similarity of number of links or type of handling. Yeah, so this is about, like, a four-step workflow, as you can see, to bring a site on board. You can see if the your VP end, yeah, a piano in, and it were a little bit short on time, so yeah. So you see that, actually I'll close the pings. So the ping times, if you see now, is suddenly very less. That is because at one point of time it made this transition; you see, suddenly from 15 or 16 milliseconds it suddenly went to one or two milliseconds, and in the background what has happened is you will see something new on the map, that Seattle is connected to Los Angeles directly. So this is what actually happened, and this is the ICMP traffic that you see here; this is the ICMP that actually triggered that, and it saw that the sites were connecting. Okay. Thank you San soon, or, I mean, that took up about two minutes, yeah. How does it normally take for a site to decide, come on, he decided to say tunnel? Yeah, it takes about that, yeah, a few minutes. Yeah, is that regardless of how much traffic is traversing it? Yeah. It would have run a bigger payload, would that have made a difference? No, no. And I'll finish off with some reporting. So we have security and SD-WAN reporting, and we have a lot of predefined ones, and we have a lot of capability for custom reporting also. So I have just generated some reports, and I'll just show that, what you can actually see: all those applications, top countries, maybe if anything is blocked. So then, if there is a brownout
condition, you get an enterprise-wide view, like top sites not meeting SLA, top sites meeting SLA with switching. So you get to see all these details in a nice report, and the reports can be emailed as well. Yeah, that's nice.
Info
Channel: Tech Field Day
Views: 3,426
Rating: 4.7142859 out of 5
Id: 0msTH8q1tQY
Length: 37min 25sec (2245 seconds)
Published: Wed Nov 13 2019