Forward Networks - Networking Field Day 13 presentation

Post on 13-Apr-2017


Transcript of Forward Networks - Networking Field Day 13 presentation

NETWORKING FIELD DAY 13

November 17th, 2016

David Erickson, PhD, CEO & Co-Founder

AGENDA

+ An Introduction to Forward Networks

+ Platform Demo

+ Use Case: Outage Diagnosis & Resolution

+ Use Case: Network Auditing

+ Closed Session

Today’s Networks – Large, Complex, & Heterogeneous

+ IPv4 routes
+ ACLs
+ MAC tables
+ Spanning tree
+ NAT
+ VLAN
+ Multicast
+ PBR

+ Cisco
+ Arista
+ HPE
+ Fortinet
+ Juniper
+ F5
+ Palo Alto
+ Checkpoint

Thousands of devices, millions of rules, dozens of vendors

Switches, routers, load balancers, firewalls

Manual Operations

+ Device-by-device management
+ Limited end-to-end visibility
+ Hard to debug & test

Inadequate Tooling

+ Lack of innovation in tooling
+ Solutions are 20+ years old
+ Ping, traceroute, SNMP, etc.

High Rate of Error

+ Networks rife with misconfiguration
+ 80% of outages caused by error [1]
+ 50% due to change config issues [2]

[1][2] Gartner Group, Top Seven Considerations for Configuration Management for Virtual and Cloud Infrastructures, 2010

Network Operations – Manual & Error Prone

Network Failures & Data Center Outages

Business Impacting

Expensive to Repair

Brand-Damaging

NETWORK ASSURANCE

Reducing the complexity of networks while eliminating the human error, misconfiguration, and policy violations that lead to outages.

A NEW APPROACH TO NETWORK OPERATIONS

Unorganized real world data

Own data model of real world

Apps on top using data model

Revolutionary algorithm

SEARCH  VERIFY  PREDICT  API

THE FORWARD PLATFORM

CAPABILITIES OVERVIEW

SEARCH: What is my network’s behavior? Index your network and search your devices and behavior on top of an interactive topology.

VERIFY: Is it doing what it should? Validate network correctness and audit your network for compliance & security.

PREDICT: Will this change work? Simulate configuration changes to ensure they are correct and secure before rolling into production.

PLATFORM ARCHITECTURE

Customer Network

Forward Applications

PLATFORM DEMO

Brandon Heller, PhD, CTO & Co-Founder

What we don’t do (Observed Traffic):
- Interface Counters
- Flow Counters (NetFlow)
- Sampled Counters (sFlow)
- Probes (Ping, Traceroute)

What we do (All Potential Traffic):
+ Packet In -> Packet Out (and all details), for any packet, seen or not

USE CASE: Network Outage and Resolution

Behram Mistree, PhD, Product Engineer

NETWORK

Topology (diagram labels): CLIENT, SJCCE, SEA, LAX, MIA, LGA, IAD, SERVER (18.10.11.2)

ROBUST CONNECTIVITY BETWEEN CLIENT AND SERVER WANTED

REQUIREMENTS

1. Traffic should flow from CLIENT to SERVER
2. Traffic should take multiple paths from CLIENT to SERVER
3. Traffic should flow on all interfaces in a port channel


IS YOUR NETWORK WORKING?

Traditional Approach:
ping 18.10.11.2
show route
show lacp interfaces

FORWARD VERIFY™:
Traffic can flow
Multiple paths
Port channels


REPLACE INTERFACE ON LAX

1. Set ISIS overload bit
2. Replace line card
3. Verify

VERIFICATION COMPARISON

Traditional Approach:
1. Check port channel up
2. Ping LAX to SERVER
3. Ping LAX to CLIENT

FORWARD VERIFY™:
1. Single button press

TRANSIT TRAFFIC DISALLOWED

✔ Fixed

VERIFICATION COMPARISON

Latent misconfiguration

Traditional Approach vs. FORWARD VERIFY™
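The three requirements and the LAX maintenance procedure above, replayed as code. This is an added example, not Forward's software or data model: the link list, the port channel placed on LAX-MIA, and the rule that a node with the ISIS overload bit set is skipped as a transit hop are all constructed assumptions, and the latent misconfiguration is modelled here as the overload bit being left set after the line card comes back, which is also an assumption. The same set of checks is run before the change, after the overload bit is set, with the card out, after the card is back, and after the fix, and the per-device pings from LAX are shown to pass in the broken state.

```python
"""Added example: intent checks over a constructed network model.
Not Forward's code; topology, port channel and overload semantics are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Network:
    adj: dict[str, set[str]] = field(default_factory=dict)      # undirected links
    overload: set[str] = field(default_factory=set)             # nodes with ISIS overload bit set
    port_channels: dict[str, dict[str, bool]] = field(default_factory=dict)  # name -> member -> up

    def link(self, a: str, b: str) -> None:
        self.adj.setdefault(a, set()).add(b)
        self.adj.setdefault(b, set()).add(a)


def simple_paths(net: Network, src: str, dst: str) -> list[list[str]]:
    """Loop-free paths from src to dst. Assumption: a node whose overload bit is
    set attracts no transit traffic, so it is skipped unless it is the destination."""
    found: list[list[str]] = []

    def dfs(node: str, path: list[str]) -> None:
        if node == dst:
            found.append(path)
            return
        for nxt in sorted(net.adj.get(node, ())):
            if nxt in path or (nxt != dst and nxt in net.overload):
                continue
            dfs(nxt, path + [nxt])

    dfs(src, [src])
    return found


def check_traffic_flows(net: Network, src: str, dst: str) -> bool:
    """Requirement 1: at least one path exists."""
    return len(simple_paths(net, src, dst)) >= 1


def check_multiple_paths(net: Network, src: str, dst: str) -> bool:
    """Requirement 2: more than one distinct path exists."""
    return len(simple_paths(net, src, dst)) >= 2


def port_channel_members_down(net: Network) -> list[str]:
    """Requirement 3: every member of every port channel is up; returns the ones that are not."""
    return [f"{pc}/{m}" for pc, members in net.port_channels.items()
            for m, up in members.items() if not up]


def transit_disallowed(net: Network) -> list[str]:
    """Nodes that cannot carry transit traffic because their overload bit is still set."""
    return sorted(net.overload)


def run_checks(net: Network, src: str = "CLIENT", dst: str = "SERVER") -> dict[str, bool]:
    """One 'button press': every check at once, True means passing."""
    return {
        "traffic can flow": check_traffic_flows(net, src, dst),
        "multiple paths": check_multiple_paths(net, src, dst),
        "port channels": not port_channel_members_down(net),
        "transit traffic allowed": not transit_disallowed(net),
    }


def build_network() -> Network:
    """Constructed topology using the node names from the slides; the link list is assumed."""
    net = Network()
    for a, b in [("CLIENT", "SJC"), ("SJC", "SEA"), ("SJC", "LAX"), ("SEA", "LGA"),
                 ("LAX", "MIA"), ("MIA", "IAD"), ("LGA", "IAD"), ("IAD", "SERVER")]:
        net.link(a, b)
    net.port_channels["LAX-MIA"] = {"Eth1/1": True, "Eth1/2": True}   # assumed port channel
    return net


def maintenance_scenario() -> dict[str, dict[str, bool]]:
    """Replays 'set overload bit, replace line card, verify' and records the checks at each stage."""
    net = build_network()
    stages = {"before": run_checks(net)}
    net.overload.add("LAX")                                   # 1. set ISIS overload bit
    stages["overload set"] = run_checks(net)
    members = net.port_channels["LAX-MIA"]
    for m in members:                                         # 2. replace line card: members go down...
        members[m] = False                                    #    (member state only; the link stays in adj)
    stages["line card out"] = run_checks(net)
    for m in members:                                         #    ...and come back up
        members[m] = True
    stages["card replaced, overload bit left set"] = run_checks(net)   # 3. verify: latent misconfiguration
    net.overload.discard("LAX")
    stages["fixed"] = run_checks(net)
    return stages


def traditional_checks_pass(net: Network) -> bool:
    """The per-device checks from the slides (port channel up, ping LAX->SERVER, ping LAX->CLIENT),
    approximated as reachability from LAX; they pass even with the overload bit left set."""
    return (not port_channel_members_down(net)
            and check_traffic_flows(net, "LAX", "SERVER")
            and check_traffic_flows(net, "LAX", "CLIENT"))


if __name__ == "__main__":
    for stage, result in maintenance_scenario().items():
        failing = [c for c, ok in result.items() if not ok]
        print(f"{stage:40s} {'all checks pass' if not failing else 'FAIL: ' + ', '.join(failing)}")
```

The point the comparison slide makes falls out of the model: pings sourced at LAX never need LAX as a transit hop, so they succeed while the CLIENT-to-SERVER intent has silently lost one of its two paths; only a check stated against the end-to-end requirement sees it.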

PREVENTS OUTAGES

Instantly see failing checks during service window. Fix network issues as soon as they appear.

SIMPLIFIES DIAGNOSIS

Using historical snapshots, we could reconstruct where traffic was going, what had changed, and why.

USE CASE: Network Audit

Behram Mistree, PhD, Product Engineer

FORWARD’S MISSION

We want to help you build networks that work and that you can trust because you’ve verified them

FORWARD VERIFY™ PREDEFINED CHECKS

AUDITING WITH PREDEFINED CHECKS LEADS TO SAFER NETWORKS

CLASSIC DC / SPINE LEAF

CLASSIC DC: Peer, Core, Aggregation, Access tiers; “UPTIME BANK” SERVERS

CVE-2016-7810XXX
CVE-ID: CVE-2016-7810XXX
DATE: 20161117
REFERENCES: http://example.com
DESCRIPTION: Your switch has a massive security vulnerability

Both need upgrade (diagram labels: AGG-1-0, AGG-1-1, ACC-1-1, VRRP)

LIVE DEMO

WHAT’S HAPPENING

Diagram labels: “UPTIME BANK” SERVERS, AGG-1-0, AGG-1-1, ACC-1-1, VRRP

Server Down? Interfaces Down? Spanning Tree? IGP Issues? Peering Issue? Application Down?

Guesswork starts ... “I don’t know!”

AUDITING WITH PREDEFINED CHECKS LEADS TO SAFER NETWORKS

CLASSIC DC / SPINE LEAF

SPINE LEAF: Peer, Border, Spine, Leaf tiers; “UPTIME BANK” SERVERS (diagram labels: SPINE-0, SPINE-1, LEAF-1)

Needs reboot to install firmware

AUDITING WITH PREDEFINED CHECKS LEADS TO SAFER NETWORKS

Check                     | TODAY    | FORWARD VERIFY™
VLAN Consistency          | ✘ outage | ✔ prevents outage
MTU Consistency           | ✘ outage | ✔ prevents outage
Duplex Consistency        | ✘ outage | ✔ prevents outage
Link Speed Consistency    | ✘ outage | ✔ prevents outage
No Forwarding Loop        | ✘ outage | ✔ prevents outage
Port Channel Consistency  | ✘ outage | ✔ prevents outage
Shortest Path             | ✘ outage | ✔ prevents outage
Trunk Whitelist           | ✘ outage | ✔ prevents outage
IP Address Uniqueness     | ✘ outage | ✔ prevents outage
VLAN Existence            | ✘ outage | ✔ prevents outage
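Seven of the predefined checks in the table above, implemented over a constructed data model so the pass/fail logic is concrete. This is an added example and not Forward's code or data model: the interface records, the per-device VLAN tables, the trunk whitelist and the device names (AGG-1-0, AGG-1-1, ACC-1-1 from the classic DC slides) are made up for the demonstration, and the forwarding-loop, port-channel and shortest-path checks are left out because they need a forwarding model rather than a per-link comparison.

```python
"""Added example: a subset of the predefined consistency checks run over a constructed
snapshot. Not Forward's code; every record below is made up for the demonstration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Interface:
    device: str
    name: str
    mtu: int
    speed_mbps: int
    duplex: str
    vlans: frozenset = frozenset()   # VLANs allowed on the trunk
    ip: Optional[str] = None

    def __str__(self) -> str:
        return f"{self.device}/{self.name}"


# (check name from the slide, Interface attribute that both ends of a link must agree on)
LINK_CHECKS = (("VLAN Consistency", "vlans"), ("MTU Consistency", "mtu"),
               ("Duplex Consistency", "duplex"), ("Link Speed Consistency", "speed_mbps"))


def _show(value):
    return sorted(value) if isinstance(value, frozenset) else value


def check_link_consistency(links) -> dict[str, list[str]]:
    """Both ends of every link must agree on allowed VLANs, MTU, duplex and speed."""
    findings: dict[str, list[str]] = {name: [] for name, _ in LINK_CHECKS}
    for a, b in links:
        for name, attr in LINK_CHECKS:
            va, vb = getattr(a, attr), getattr(b, attr)
            if va != vb:
                findings[name].append(f"{a} {_show(va)} != {b} {_show(vb)}")
    return findings


def check_ip_uniqueness(interfaces) -> list[str]:
    """The same address configured on more than one interface."""
    owners = defaultdict(list)
    for i in interfaces:
        if i.ip:
            owners[i.ip].append(str(i))
    return [f"{ip} configured on {', '.join(o)}" for ip, o in sorted(owners.items()) if len(o) > 1]


def check_vlan_existence(interfaces, device_vlans) -> list[str]:
    """Every VLAN allowed on a trunk must be defined on that device."""
    return [f"VLAN {v} allowed on {i} but not defined on {i.device}"
            for i in interfaces for v in sorted(i.vlans - device_vlans.get(i.device, set()))]


def check_trunk_whitelist(interfaces, whitelist) -> list[str]:
    """Trunks may only carry VLANs from the approved list."""
    return [f"VLAN {v} on {i} is not whitelisted"
            for i in interfaces for v in sorted(i.vlans - whitelist)]


def audit(interfaces, links, device_vlans, whitelist) -> dict[str, list[str]]:
    """Run every check; an empty list means the check passes."""
    findings = check_link_consistency(links)
    findings["IP Address Uniqueness"] = check_ip_uniqueness(interfaces)
    findings["VLAN Existence"] = check_vlan_existence(interfaces, device_vlans)
    findings["Trunk Whitelist"] = check_trunk_whitelist(interfaces, whitelist)
    return findings


def sample_audit() -> dict[str, list[str]]:
    """Constructed snapshot of an AGG-1-0 / AGG-1-1 / ACC-1-1 block with one defect per check."""
    agg0_up = Interface("AGG-1-0", "Eth1/1", 9216, 10000, "full", frozenset({10, 20}))
    acc_e49 = Interface("ACC-1-1", "Eth1/49", 1500, 10000, "full", frozenset({10, 20}))      # MTU mismatch
    agg1_up = Interface("AGG-1-1", "Eth1/1", 9216, 10000, "full", frozenset({10, 20, 30}))  # VLAN 30: undefined, not whitelisted
    acc_e50 = Interface("ACC-1-1", "Eth1/50", 9216, 1000, "half", frozenset({10, 20}))       # speed and duplex mismatch
    agg0_v10 = Interface("AGG-1-0", "Vlan10", 9216, 10000, "full", ip="10.0.10.2/24")
    agg1_v10 = Interface("AGG-1-1", "Vlan10", 9216, 10000, "full", ip="10.0.10.2/24")       # duplicate address
    interfaces = [agg0_up, acc_e49, agg1_up, acc_e50, agg0_v10, agg1_v10]
    links = [(agg0_up, acc_e49), (agg1_up, acc_e50)]
    device_vlans = {"AGG-1-0": {10, 20}, "AGG-1-1": {10, 20}, "ACC-1-1": {10, 20}}
    return audit(interfaces, links, device_vlans, whitelist={10, 20})


if __name__ == "__main__":
    for check, items in sample_audit().items():
        print(f"{'✘' if items else '✔'} {check}")
        for item in items:
            print(f"    {item}")
```

Each check is a pure function of the snapshot, which is what makes it cheap to run on every collection rather than only after an outage; the whitelist and VLAN-existence checks are the two that turn an operational convention into something a snapshot can be audited against.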

I WILL NEVER TRUST A NETWORK …

There is no such thing as a network that works, just a network that hasn’t broken yet.

www.forwardnetworks.com @fwdnetworks