DNA-C Assurance Ib Hansen
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
DNA-C Assurance Ib Hansen: ibhansen@cisco.com Maj 2018
Agenda
§ Hvorfor Assurance
§ Nyt i Assurance 1.2
§ AP4800
• Sensor
• Intelligent Packet Capture
Hvorfor Assurance ?
Why SD-Access Assurance?
50.0.0.1
Need to Troubleshoot
user red connectivity
to a DHCP server
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
CLI is the most common troubleshooting tool. It’s just a very bad troubleshooting tool.
50.0.0.1
Ø show ip dhcp snooping binding
Ø show ip vrf interfaces | inc 1021
Ø show sh lisp vrf Campus | i IID
Ø show lisp instance-id 4099 ipv4 map-cache
Ø show ip cef vrf Campus 50.0.0.1 internal
Ø traceroute 192.168.130.2
Ø ping 192.168.10.1
Ø show cdp nei g1/0/22
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
50.0.0.1
Ø ping 192.168.130.2
.....
Success rate is 0 percent (0/5)
Ø show ip route 192.168.130.2
Ø show cdp nei g1/0/23
Ø show run int g1/0/23
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
interface GigabitEthernet1/0/23
description border_cp g1/0/15 50.0.0.1
no switchport
ip address 192.168.15.1 255.255.255.252
ip router isis
ip access-group test out
Extended IP access list test
10 deny ip host 192.168.120.1 host 192.168.130.2
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
Today’s Tools
Too Limited – and Do Not Address Network Needs
Too Many Tools Reactive Systems Limited Insights
Fragmented visibility Always playing catch up Limited data that is not actionable
Closed interfaces / Silo’d views Not designed for analytics My report vs your report
Devices queried multiple times Inconsistent API architecture No view of state changes
Different protocols/mechanisms Specialized knowledge required Lacking context or feedback loop
Rigid Closed/Proprietary Lack of Intelligence
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Why SD-Access Assurance?
Quick Isolation of Network Issues
SD-Access Assurance Reason #1
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Why SD-Access Assurance?
Root Cause issue in a Few Clicks
SD-Access Assurance Reason #2
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco PublicWhy SD-Access Assurance?
Network Troubleshooting Tool – Pathtrace
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco PublicWhy SD-Access Assurance?
End-to-End Visibility
SD-Access Assurance Reason #3
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco PublicSD-Access – Fabric Assurance Applications
Use Cases
Network Infrastructure
Clients
Services
Broad
Client
Control Plane Data Plane Policy Plane Device
Onboarding
Edge to Control Plane Border and Edge ISE connectivity Client / Device DHCP CPU, Memory
connectivity
Border to Control Plane Border node policy Client Authentication TCAM Tables
Border node health
CP performance Edge node policy Client Authorization Modules
Edge node health
Routing protocols Temperature
Device to Services
(DHCP, DNS, AAA) Power (POE)
Deep
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco PublicSD-Access – DNA Center Provision
Fabric Proactive Monitoring
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco PublicFabric Assurance
Monitor Fabric Connectivity
C
• IPSLA tests are run in the network fabric to B B
verify connectivity between Control Plane,
Fabric Border, and Fabric Edge nodes.
• IPSLA analyzes basic IP service levels for
common IP services, to reduce downtime E E E
and lower operational costs
• Includes path trace capability as part of IPSLA traffic
troubleshooting steps Automated via DNAC
ip sla 1
icmp-echo 192.168.110.1 source-ip 192.168.120.1
threshold 3
ip sla schedule 1 life forever start-time now
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco PublicFabric Device 360
Click on the Fabric tab to see how Fabric metrics are going
1. Select Both options
2. Reachability tests are being performed in the Fabric underlay. This is the test results
2 1
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco PublicFabric Assurance
Monitor Fabric Connectivity
• IPSLA tests are run in the network fabric to B B
verify connectivity between Fabric Border
and external services
• Monitor external services from fabric in the
underlay and overlay network (IPAM, AAA, E E E
DHCP ,DNS)
• Includes path trace capability as part of IPSLA traffic
troubleshooting steps Example
ip sla 3
icmp-echo 50.0.0.1 source-ip 7.1.1.5
vrf Campus
threshold 3
ip sla schedule 3 life forever start-time now
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco PublicFabric Assurance
Monitor Fabric State – Proactive
C
• Fabric nodes query Control Plane to resolve B B
host locations, if they don’t have an entry in
their local database
• After receiving a map-reply, each fabric node
stores those entries in its cache database 10.2.120.3
• Fabric Assurance tracks the number of E E E
requests and state of active cache entries to
provide proactive trending analysis
Example
FE1# show ip lisp map-cache instance-id 4098
LISP IPv4 Mapping Cache for EID-table vrf Campus (IID 4098), 5 entries
10.2.1.89/32, uptime: 00:05:16, expires: 23:57:59, via map-reply, complete
Locator Uptime State Pri/Wgt 10.2.1.89/32
10.2.120.3 00:04:23 up 10/10
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco PublicHealth Scores
Site Health Score function ( Client Health Score,
Device Health Score )
Client Health function ( Onboarding Score,
Score Connectivity Score )
Device Health function ( System Health Score,
Score Control Plane Score,
Data Plane Score )
Application Health Score function ( Traffic Class,
Latency, Packet Loss)
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco PublicWired Client Health
Monitor Fabric Connectivity
Summary: Is the client connected and is the link connection good?
Throughput • Link Error
issues
Connected
Wired Client
Health
Key Services • DNS reachable
Port Up/down • Yes/No
Onboarding
Authenticated, IP • Yes/No
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco PublicFabric Assurance
How Do We Calculate Fabric Network Health Scores?
C
Collect relevant Key Performance Indicators B B
(KPIs) to determine Device Health
For example: Resources (CPU, DRAM, etc),
Link state and errors, Protocol state and
errors, Reachability to Control Plane, etc
Fabric Device Health has 3 Categories: E E E
• Control Plane
• Data Plane Fabric Device Score is the
• System Health Lowest of all Scores
Example
3850-SJC24-3
5
System Health Data Plane Control Plane
10 10 5
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco PublicFabric Assurance
How Do We Calculate Fabric Network Health Scores?
C
Fabric Health score is picked from min of B B
each Category Score
Category Score is number of healthy
devices in that category to the total number
of devices
Fabric Health has 4 Categories: E E E
• Fabric Edge
• Fabric Border
Fabric Domain Score is the
• Fabric Control Plane
Lowest of all four Category
• Fabric Wireless
Scores
Fabric Network Health
Example
6
Fabric Wireless Fabric Edge Fabric Border Fabric Control Plane
8 10 6 10
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco PublicDNA Center Assurance
From Network Data to Business Insights
Network Telemetry Complex Event Guided
Correlated Insights
Contextual Data Processing Remediation
001110101100110
Traceroute Complex
1010110010 Clients Baseline
Syslog Netflow correlation
00101101
AAA Router DHCP Metadata
0110100 extraction
Telnet Wireless CLI
1101101
DNS
OID IPSLA Ping 00101101 Steam
SNMP IPAM MIB 10101100110 Processing Application Network
AppD 101011000110011
CMX
Everything as a Sensor
150+ Actionable Insights
Client | Applications | Wireless | Switching | Routing
23Key Use Cases
Client Onboarding Sensor based Streamlined Ensure Better App
Proactive SLA Troubleshooting Experience
Monitoring
ü Analyze 240+ Onboarding ü Automate 15+ ü Real-time deep dive ü Monitor Business Critical
Events from WLC with Onboarding and with Path Trace and Apps through qualitative
Event Viewer Application Tests Intelligent Capture insights
ü Roaming Analysis with ü 1800s HW Sensor ü Guided Remediation ü Get visibility into 2400+
Client Location and RSSI ü AP as a Sensor for 150+ correlated NBAR2 Apps and Custom
Heatmap ü Radio as a Sensor Insights Apps
ü Onboarding Analytics ü Sensor Dashboard for ü Contextual Analysis of past ü Troubleshoot App
across the Enterprise Performance Summary problem with Time Travel experience issues with
per App 360 views and
performance metricsUse Case 1: Client On-boarding is taking a long time
Time to Resolution
User Reports Problem
DNA Center 5 Check Credentials
Replicate Issue
Radio Channel Analysis
Traditional 10 17 65 25
0 20 40 60 80 100 120
Time to resolve Issue in minutes
Proactively find slow on-
Reduce the time taken to Reduce troubleshooting
Success Metrics boarding before users
resolve the issues time with advanced tools.
report.Use Case 2: Client is having a poor wireless experience
Time to Resolution
User Reports Problem
DNA Center 5 55 10
10 Radio Channel Analysis
Replicate Issue
Site Visit
Traditional 25 65 120
DNA Center Time Travel
Aironet Network Sensor
0 50 100 150 200
Time to resolve Issue in minutes
iOS client insights provides Save time replicating issues Reduce troubleshooting
Success Metrics immediate information. with time travel feature. OPEX by solving remotelyDNA-C Wireless Assurance Cisco Live Barcelona
Overall Health Page
28Overall Health Page – Hierarchical Site View
29Client Health
30Client 360
31Client 360 – Issue Detail
32Client 360 – Issue Detail
33Client 360 – Onboarding Steps
34Wi-Fi analytics
Cisco Apple Wireless Features Journey
AireOS 8.3, 8.3 MR1 Phase 1
iOS 10.0+
QoS MacOS Analytics
Roaming
Optimizations Optimizations Optimizations
Optimizations
• 11k neighbor map: iOS
• Adaptive 802.11r: Fast • Fastlane: business- • Fastlane on Mac OS 11 client sends a list of
Transition is enabled relevant applications 10.13 and later. Upstream neighbor APs upon joining
automatically for iOS 10 prioritized QoS prioritization available the cell
clients on iOS and Mac OS • Disconnection reason:
iOS 11 client tells us why
• Auto 802.11k/v: 11k/v are
it disconnects
enabled by default and
• Identity: the iOS client
optimized to provide ‘best
tells us who it is (model,
next AP’
iOS version)
AireOS 8.3 Phase 2 AireOS 8.5+
Mac OS 10.13 iOS 11.0+Advanced Client Insights– Apple iOS Analytics
1 Device Profile
2 Wi-Fi Analytics 3 Assurance
Client shares these details Client shares these details Client shares these details
1. Model e.g. iPhone 7 1. BSSID Error code for why did it
2. OS Details e.g. iOS 11 2. RSSI previously disconnected
3. Channel #
Support per device-group Insights into the clients view Provide clarity into the
Policies and Analytics of the network reliability of connectivityAdvanced Client Insights– Apple iOS Analytics Detailed Client device profile information – device model, OS details Insights into the clients view of the network – Neighboring Access Points Provide clarity into the reliability of connectivity – client disassociation details Capability unique to Cisco Wireless Networks only !!
Client view vs AP view
Step 1 Step 2
• When choosing an AP, client scans (sends probe requests, • The client chooses an AP
receives probe responses from each AP) • But the infrastructure does not know why this AP was chosen,
• Client then evaluates the answer (which AP is best) because the infrastructure does not know how the client saw
the network
AssociationWhy is this a problem?
• Because without that view, the infrastructure
cannot help this (or other) client find the
“best AP”
AssociationHow do Apple and Cisco solve this issue?
• Right after association, the iOS 11 device sends
a 802.11k beacon report:
Association
I scanned 200 milliseconds ago and saw:
BSSID SSID Channe Signal Protocol
l
bb:bb:cc:dd:ee:ff Blizzard 52 -72 dBm 802.11ac
cc:bb:cc:dd:ee:ff Blizzard 149 -86 dBm 802.11n
dd:bb:cc:dd:ee:ff Blizzard 153 -68 dBm 802.11acHow does the client see the Network
How does the client see the network ?
The infrastructure does not know why this AP was chosen,
because the infrastructure does not know how the client
saw the network
Why is this a problem?
Because without that view, the infrastructure cannot help
this (or other) client find the “best AP”
How do Cisco and Apple solve this?
Right after successful key-exchange during association,
the iOS 11 device sends to its AP an 802.11k beacon
report ( Unsolicited mode )
This is how I see the network
BSSID Channel Signal
bb:bb:cc:dd:ee:ff 52 -72 dBm
cc:bb:cc:dd:ee:ff 149 -86 dBm
dd:bb:cc:dd:ee:ff 153 -68 dBmClient goes away • When a client roams or disconnects, it sends a de-association message • And it adds a proprietary reason code, we have a dozen various reasons Am out of here
Why did the Client go away ?
Do we know why client disassociated ?
When a client roams or disconnects, it sends a
disassociation message. The AP does not always know
Reasons for disassociation
why… bad signal? Something else?
DHCP Failed
How can we use this Reason Code ? Why I disassociated last EAP Timed out
• Help clients in the same location if there is an RF issue Reason Code
802.1x Failed
• Collect data to understand patterns Device Idle
Captive Portal security Failed
Decryption Failed
Why is this a problem? Interface Disabled
User-Triggered Disassociation
Without knowing why a client is gone, we cannot help
other clients in the same location (is this location okay? Is
there a better AP there? Is there incompatibility in config
at this location?
Reasons for disassociation
DHCP Failed
EAP Timed out
802.1x Failed Why I disassociated last
Device Idle Reason Code
Captive Portal security Failed
Decryption Failed
WiFi Interface Disabled
User-Triggered Disassoc
Peer-Triggered Disassoc
Beacon LossKnowing your Client
• After association, the iOS 11 client also provides
important information
Association
I am iOS 11.0, iPhone 7 plusHow does the Network see the device
How does the network see the device ?
Usually as an iPad or iPhone with DHCP and HTTP Device
profiling
When is this not enough?
When we need to analyze device model and OS specific
behaviors in the network
How do Cisco and Apple solve this?
After association, the iOS 11 client also tells us about
itself. We can the correlate platform, OS to behavior at
different points of time and space
Where can I see this on WLC ?
Client summary and client detail page
This is who I am
?
I am iOS 11.0, iPhone 7For the first time ever, know how your iPhone
or iPad “sees” the wireless network
Neighboring
AP’s
Client
Details
Previous
Disconnect
Disassociation
reason
The Client’s view of APsClient 360 – iOS Analytics
49Access Point AP 4800
Cisco Aironet Portfolio – Adding a New Tier
The best infrastructure leads to the best outcomes
Good - Enterprise class Better Best in class
Ideal for small to medium-sized deployments Mission critical High density
4800
3800 Series • 4 embedded radios
2800 Series • 4x4:3 SS 160 MHz (3 Wi-Fi and 1 BLE)
1815 Series 1830/1850 Series • 4x4:3 SS 160 MHz • 5 Gbps performance • 4x4:3 SS 160 MHz
Indoor/high-powered Indoor • 3x3:2 SS 80 MHz/4x4:3 • 5 Gbps performance • 2.4 and 5 GHz or
Wall plate/teleworker SS 80 MHz
• 5 Gbps performance
• 2.4 and 5 GHz or dual 5 GHz
• 2x2:2 SS 80 MHz 867 Mbps or 1.7 Gbps • 2.4 and 5 GHz or
• dual 5 GHz • 2 GE ports uplink or
performance 1 GE + 1 Multigigabit (5G) dual 5 GHz
• 867 Mbps performance • 2 GE ports uplink
• 1 or 2 GE ports uplink • Cisco CleanAir and ClientLink • 2 GE ports uplink or
• Tx beamforming • Cisco CleanAir® and 1 GE + 1 Multigigabit (5G)
• Integrated BLE1 • Internal or external antenna ClientLink • StadiumVision™
(1850) • Internal or external antenna
• Embedded Hyperlocation
• Max transmit power (dBm) • Internal or external antenna
per local regulations2 • Tx beamforming • Smart antenna connector • Real-time analytics and
• Smart antenna connector
• USB 2.0 packet capture
• 3 GE local ports, including • USB 2.0 • USB 2.0
1 PoE out3 • Modularity for investment
• Cisco CleanAir and
protection ClientLink
• Local ports 802.1X ready3
• USB 2.04
• Internal antenna
• USB 2.0
1 Future availability 2 Available for high-powered only 3
• Integrated4 Available
BLE for teleworker only
Available for wall plate and teleworker onlyBest in Class Wave-2 AP “or” Best in Class Location Based Services AP?
Customers had to choose which technology to deploy or perhaps deploy an overlay?…
< OR > True Client Location Accuracy
AP-2800 or AP-3800 Wave-2 AP-3600 or AP-3700
• 802.11ac Wave 2: High-Performance 5Gbps. With Hyperlocation module
• 2.4, 5GHz or Dual 5GHz.
• Analytics, Asset tracking, Proximity Marketing
• 4x4:3SS 160MHz.
• Navigation and Wayfinding “true blue dot” experience
• MU-MIMO
• 1 to 3 meter location accuracy (Wi-Fi Clients)
• 2 GE or 1 GE + 1 mGig (5G)
• BLE Beacon – Five centrally managed Beacons
• Flexible Radio Architecture
• FastLocate – Frequent location updates (Wi-Fi
• Dual 5 GHz Clients)
• DNA Sensor, Spectrum Intelligence and • Spectrum Intelligent Monitoring Radio and more…
more…New
Next-Generation Wave 2 802.11ac Access Point
• Industry leading 4x4 MIMO:3 spatial streams (SS)
Wave 2 802.11ac access points
• Tri-radio, 802.11ac Wave 2, 160 MHz
• Built-in BLE Radio
• Combined Data Rate of 5.2Gbps
• 2 x 5 GHz: 4x4: 3SS supporting
• SU-MIMO / MU-MIMO
• Flexible Radio Assignment: 2.4GHz, Dual-5GHz, Wireless Security
Monitoring, and DNA-C Assurance
• 1 x 2.4GHz/5GHz for DNA Analytics, Wireless Security
monitoring, and Hyperlocation
• Gigabit Ethernet and multi-Gigabit Ethernet (1G, 2.5G, 5G)
• Built-in Hyperlocation Antenna Array 16-elementsCombining Proven Technologies
Hyperlocation + AP-3800i + Additional Analytics Radio = AP-4800 AP-3800
AP-4800 Integrated Solution Dual 5GHz
Hyperlocation Monitor/Sensor
Components
Proven Hyperlocation + 3800 Technology in one
AP & 1 cable Drop
Cisco 16 element
Antenna Array Improved Capability
1-3m Accuracy • 802.11acW2
• WiFi & BLE AoA
Hyperlocation • Time Based solutions
Module • + All the core features of the AP-3800
40% smaller
AP-4800
Hyperlocation Hyperlocation
AP36/3700 + Analytics
Hyperlocation Antenna components
9.9x8.7” Components Inside AP-4800
12x12” Dual 5GHz XOR + another analytics
Hyperlocation XOR radioWireless Sensor
Use a powerful network testing
Aironet Active Sensors solution endpoint to put yourself
anywhere in your network.
Cisco’s network sensors IT
allow you to see the actual
performance of services from
a users point of view.Sensor Anywhere drives to a powerful & comprehensive DNA
Assurance
Proactively assessing performance & client-network trouble avoidance
Test your network anywhere at any time at real-world client level
Aironet 1800S Flexible Radio as Sensor
Ecosystem pervasiveness
Active Sensor (2800/3800)
Dual 5 GHz Flexible Radios
Software defined radios automatically adjust
to dual 5GHz
Purpose-built Hardware for Analytics
Flexible radios can to provide simultaneous in-line
monitoring to DNA for analytics and insights while
serving clients
Ne
w
v 2x2 with 2 spatial streams
v Multiple powering options
• PoE Power
• USB Type “C” power
• Direct AC Power Plug
v Integrated BLE*
v Ultra compact form factorActive Sensors test and provide client perspective
to ensure Wireless Service readiness
Onboarding Tests Network Services
• 802.11 Association • DNS
• 802.11 Authentication & Key • RADIUS
Exchange • First Hop Router/Default gateway
• IP Addressing DHCP • Intranet Host
• EAP-TLS • External Host
• WebAuth capture and redirect
App Connectivity App Performance*
• Email: POP3, IMAP, Outlook Web Access • Packet Loss
• File Transfer: FTP • Jitter
• Web: HTTP • Latency
• Speedtest
*RoadmappedWireless Provisioning Config: Step1
Create Wireless Provisioning SSID for AP1800S
When using the 1800s sensor (without the Ethernet
module) the sensor would be provisioned over the WLAN
Once 1800S
provisioning is enabled,
WLC creates Hidden
SSID and Local EAP
with EAP-TLS to
authenticate AP1800S
This will allow the sensor to connect AP wirelessly, and find the
DNAC IP over Wireless using DHCP Option 43 or through DNS.Backhaul SSID Configuration
§ Assign one of WLC SSID as “Sensor SSID”. This will be used by a sensor to
connect DNAC and communicate over the air.
§ Sensor SSID will be used to push sensor-test config, receive test results to the
DNAC
§ Ensure that the SSID name and security matches an existing WLANProvision AP1800S Sensor to DNAC: Step1
Create Wireless Provisioning SSID for AP1800S
1. Create Sensor Settings for WSA Channel
2. Create Sensor SSIDProvision AP1800S Sensor to DNAC: Step2
Assign Sensor Provision profile to Sensors
1. Go to [Provision] Menu then
2. go to [Unclaimed Devices], newly discovered AP1800S
1 will be appeared as “UNCLAIMED” Status
3. Select newly discovered AP1800 and click [Sensor Provision]
2
3Provision AP1800S Sensor to DNAC: Step3
Assign Sensor Provision profile to Sensors
Assign Site Assign Sensor SSIDProvision AP1800S Sensor to DNAC: Step4
Place Sensor to actual sensor location
Place Sensor to installed locationSchedule Sensor Testing: Step1
Create Sensor-Driven Test
1. Create Sensor-Driven Test
2. Add Test – Schedule, SSID selectionSchedule Sensor Testing: Step2
Select tests and Assign Sensor
Select Sensors that will run test
3. Select Tests
Target AP will be automatically
decided by sensor based on
RSSI
4. Select Test Sensor
Sensor can take only one test
config at a time. Don’t re-use System Auto Suggest Sensor
same same for 2 testingSensor Test Failure generates global Issue when more than 2 sensor test failed per floor
Thank you.
You can also read
