Forward Networks - Networking Field Day 13 presentation
Uploaded by andrew-wesbecher
![Page 1: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/1.jpg)
NETWORKING FIELD DAY 13
November 17th, 2016
David Erickson, PhD, CEO & Co-Founder
![Page 2: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/2.jpg)
AGENDA
+ An Introduction to Forward Networks
+ Platform Demo
+ Use Case: Outage Diagnosis & Resolution
+ Use Case: Network Auditing
+ Closed Session
![Page 3: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/3.jpg)
Today’s Networks – Large, Complex, & Heterogeneous
Thousands of devices
+ Switches
+ Routers
+ Load balancers
+ Firewalls
Millions of rules
+ IPv4 routes
+ ACLs
+ MAC tables
+ Spanning tree
+ NAT
+ VLAN
+ Multicast
+ PBR
Dozens of vendors
+ Cisco
+ Arista
+ HPE
+ Fortinet
+ Juniper
+ F5
+ Palo Alto
+ Checkpoint
![Page 4: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/4.jpg)
Network Operations – Manual & Error Prone
Manual Operations
+ Device-by-device management
+ Limited end-to-end visibility
+ Hard to debug & test
Inadequate Tooling
+ Lack of innovation in tooling
+ Solutions are 20+ years old
+ Ping, traceroute, SNMP, etc.
High Rate of Error
+ Networks rife with misconfiguration
+ 80% of outages caused by error [1]
+ 50% due to change config issues [2]
[1][2] Gartner Group, Top Seven Considerations for Configuration Management for Virtual and Cloud Infrastructures, 2010
![Page 5: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/5.jpg)
Network Failures & Data Center Outages
+ Business Impacting
+ Expensive to Repair
+ Brand-Damaging
![Page 6: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/6.jpg)
NETWORK ASSURANCE
Reducing the complexity of networks while eliminating the human error, misconfiguration, and policy violations that lead to outages.
![Page 8: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/8.jpg)
A NEW APPROACH TO NETWORK OPERATIONS
THE FORWARD PLATFORM
Unorganized real world data
Own data model of real world
Apps on top using data model
Revolutionary algorithm
SEARCH, VERIFY, API, PREDICT
![Page 10: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/10.jpg)
THE FORWARD PLATFORM: CAPABILITIES OVERVIEW
+ SEARCH: What is my network’s behavior? Index your network and search your devices and behavior on top of an interactive topology
+ VERIFY: Is it doing what it should? Validate network correctness and audit your network for compliance & security
+ PREDICT: Will this change work? Simulate configuration changes to ensure they are correct and secure before rolling into production
![Page 11: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/11.jpg)
Customer Network
Forward Applications
PLATFORM ARCHITECTURE
![Page 12: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/12.jpg)
PLATFORM DEMO
Brandon Heller, PhD, CTO & Co-Founder
![Page 13: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/13.jpg)
What we don’t do: Observed Traffic
- Interface Counters
- Flow Counters (NetFlow)
- Sampled Counters (sFlow)
- Probes (Ping, Traceroute)
What we do: All Potential Traffic
+ Packet In -> Packet Out (and all details) (for any packet, seen or not)
![Page 14: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/14.jpg)
USE CASE: Network Outage and Resolution
Behram Mistree, PhD, Product Engineer
![Page 15: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/15.jpg)
NETWORK
[Topology diagram: CLIENT, SJCCE, SEA, LAX, MIA, LGA, IAD, SERVER (18.10.11.2)]
![Page 17: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/17.jpg)
ROBUST CONNECTIVITY BETWEEN CLIENT AND SERVER WANTED
[Topology diagram: CLIENT, SJCCE, SEA, LAX, MIA, LGA, IAD, SERVER (18.10.11.2)]
![Page 18: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/18.jpg)
REQUIREMENTS
1. Traffic should flow from CLIENT to SERVER
2. Traffic should take multiple paths from CLIENT to SERVER
3. Traffic should flow on all interfaces in a port channel
[Topology diagram: CLIENT, SJCCE, SEA, LAX, MIA, LGA, IAD, SERVER (18.10.11.2)]
![Page 22: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/22.jpg)
IS YOUR NETWORK WORKING?
![Page 24: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/24.jpg)
TRADITIONAL APPROACH
[Topology diagram: CLIENT, SJCCE, SEA, LAX, MIA, LGA, IAD, SERVER (18.10.11.2)]
1. Traffic should flow from CLIENT to SERVER
2. Traffic should take multiple paths from CLIENT to SERVER
3. Traffic should flow on all interfaces in a port channel
![Page 25: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/25.jpg)
IS YOUR NETWORK WORKING?
Traditional Approach
+ Traffic can flow: ping 18.10.11.2
+ Multiple paths: show route
+ Port channels: show lacp interfaces
FORWARD VERIFY™
![Page 26: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/26.jpg)
FORWARD VERIFY™
[Topology diagram: CLIENT, SJCCE, SEA, LAX, MIA, LGA, IAD, SERVER (18.10.11.2)]
1. Traffic should flow from CLIENT to SERVER
2. Traffic should take multiple paths from CLIENT to SERVER
3. Traffic should flow on all interfaces in a port channel
![Page 33: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/33.jpg)
REPLACE INTERFACE ON LAX
1. Set ISIS overload bit
2. Replace line card
3. Verify
[Topology diagram: CLIENT, SJCCE, LAX, MIA, LGA, IAD, SERVER (18.10.11.2), SEA]
![Page 34: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/34.jpg)
VERIFICATION COMPARISON
Traditional Approach
1. Check port channel up
2. Ping LAX to SERVER
3. Ping LAX to CLIENT
FORWARD VERIFY™
1. Single button press
TRANSIT TRAFFIC DISALLOWED
TRANSIT TRAFFIC DISALLOWED
✔ Fixed
![Page 35: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/35.jpg)
VERIFICATION COMPARISON
Traditional Approach
[Topology diagram: CLIENT, SJCCE, SEA, LAX, MIA, LGA, IAD, SERVER (18.10.11.2)]
FORWARD VERIFY™
[Topology diagram: CLIENT, SJCCE, SEA, LAX, MIA, LGA, IAD, SERVER (18.10.11.2)]
Latent misconfiguration
![Page 38: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/38.jpg)
FORWARD VERIFY™
PREVENTS OUTAGES
+ Instantly see failing checks during service window
+ Fix network issues as soon as they appear
SIMPLIFIES DIAGNOSIS
+ Using historical snapshots, we could reconstruct where traffic was going, what had changed, and why
![Page 39: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/39.jpg)
USE CASE: Network Audit
Behram Mistree, PhD, Product Engineer
![Page 40: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/40.jpg)
FORWARD’S MISSION
We want to help you build networks that work and that you can trust because you’ve verified them
FORWARD VERIFY™
PREDEFINED CHECKS
![Page 42: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/42.jpg)
AUDITING WITH PREDEFINED CHECKS LEADS TO SAFER NETWORKS
CLASSIC DC SPINE LEAF
![Page 43: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/43.jpg)
CLASSIC DC
“UPTIME BANK” SERVERS
Peer
Core
Aggregation
Access
![Page 45: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/45.jpg)
CVE-2016-7810XXX
CVE-ID: CVE-2016-7810XXX
DATE: 20161117
REFERENCES: http://example.com
DESCRIPTION: Your switch has a massive security vulnerability
![Page 46: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/46.jpg)
CLASSIC DC
“UPTIME BANK” SERVERS
Peer
Core
Aggregation
Access
Both need upgrade
![Page 47: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/47.jpg)
CLASSIC DC
“UPTIME BANK” SERVERS
Peer
Core
Aggregation
Access
AGG-1-0
AGG-1-1
ACC-1-1
VRRP
![Page 48: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/48.jpg)
LIVE DEMO
![Page 49: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/49.jpg)
WHAT’S HAPPENING
“UPTIME BANK” SERVERS
Guesswork starts
+ Server Down?
+ Interfaces Down?
+ Spanning Tree?
+ IGP Issues?
+ Peering Issue?
+ Application Down?
“I don’t know!”
AGG-1-0
AGG-1-1
ACC-1-1
VRRP
![Page 52: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/52.jpg)
SPINE LEAF
Peer
Border
Spine
Leaf
“UPTIME BANK” SERVERS
SPINE-1
LEAF-1
SPINE-0
![Page 53: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/53.jpg)
SPINE LEAF
Peer
Border
Spine
Leaf
“UPTIME BANK” SERVERS
Needs reboot to install firmware
![Page 55: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/55.jpg)
AUDITING WITH PREDEFINED CHECKS LEADS TO SAFER NETWORKS

| Check | TODAY | FORWARD VERIFY™ |
|---|---|---|
| VLAN Consistency | ✘ outage | ✔ prevents outage |
| MTU Consistency | ✘ outage | ✔ prevents outage |
| Duplex Consistency | ✘ outage | ✔ prevents outage |
| Link Speed Consistency | ✘ outage | ✔ prevents outage |
| No Forwarding Loop | ✘ outage | ✔ prevents outage |
| Port Channel Consistency | ✘ outage | ✔ prevents outage |
| Shortest Path | ✘ outage | ✔ prevents outage |
| Trunk Whitelist | ✘ outage | ✔ prevents outage |
| IP Address Uniqueness | ✘ outage | ✔ prevents outage |
| VLAN Existence | ✘ outage | ✔ prevents outage |
![Page 56: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/56.jpg)
I WILL NEVER TRUST A NETWORK …
There is no such thing as a network that works, just a network that hasn’t broken yet
![Page 57: Forward Networks - Networking Field Day 13 presentation](https://reader036.fdocuments.net/reader036/viewer/2022081605/58ef33501a28ab36518b462b/html5/thumbnails/57.jpg)
www.forwardnetworks.com @fwdnetworks