Secure Automated Campus & Fabric Connect


Secure Automated Campus & Fabric Connect
Nuno Rocha, Senior System Engineer
March 2019

Customer-Driven Networking
Campus Networking, Data Center Networking, Edge/Campus/ Software Management, Edge/Campus Networking, Wireless Networking

Extreme is a customer-driven networking company. We build and deliver solutions that deliver customer outcomes; our focus is on helping our customers deliver outcomes. Customer-driven means outside in, and we’ve come a long way in building our competency in delivering customer outcomes. Our heritage: we have assembled best-of-breed technologies from each of these companies and put together the best-in-class features and functions from Campus, DC, Edge, Wireless, Core and management to build our solution pillars.
Solution pillars: Agile data center, Automated campus, Smart OmniEdge
And brought to customer-driven outcomes with the applications, services and support for our customers in verticals…

Automated Campus

Automated Campus – Value Pillars
Simple, Secure, Intelligent: Policy-Driven Automation for Compelling Business Outcomes

This is a good place to talk about one of the success stories and tie the reasons for the win to these three value pillars.

Simple: True network simplification from SPB (802.1aq or RFC 6329; one of the authors is our own Paul Unbehagen); single pane of glass; 100% application visibility; unified wired and wireless
Secure: Ubiquitous Hyper-Segmentation / Stealth; policy-based control; comprehensive security ecosystem
Intelligent: True 360 degree network view with context & scale; automated edge; automated network services

Similar to the network edge, simplicity, security and intelligence are built into our campus solutions. We deliver simplicity through our innovative fabric-enabled architecture called Fabric Connect. This is a technology we acquired through the Avaya Networking acquisition, and it has been bringing simplicity and automation to customer networks for many years. It has had a profound effect on the customers who have chosen to deploy it: it allows them to be more efficient, to stop performing manual repetitive tasks and focus on things that are much more strategic in nature. From a security perspective, we deliver strong encryption with our switching products and breach containment with Fabric’s hyper-segmentation capability. This offers the ability to create totally isolated secure networks; the benefit is that if a breach occurs, it is contained to that segment. It provides a dead end for a hacker so they don’t compromise other parts of the network. Finally, the intelligence of our software and management applications gives us the ability to have a true 360 degree network view.

Automated Campus Benefits and Outcomes
Simple: “Multicast w/o the complexity – 28x faster”; “31x faster ramp to Digital Transformation”
Secure: “A network that isolates security breaches automatically”; “Reduce human error”
Intelligent: “Network adapts to changing business needs”; “Troubleshoot 7x faster”

Compare and contrast how the same benefit needs to be articulated differently to a technical audience vs. a business audience. Reference the white paper that is available.
Source: Fabric Connect – The Quiet Revolution – White Paper

Automated Campus End-to-End Network Services
Abstracting Service from Infrastructure: Network as a Plug & Play Utility
Layers shown: Virtual Network Connectivity Services, Network Services, Infrastructure
Services:
Layer 3 virtualized unicast Service
Layer 3 unicast Service (shortcut)
IPv6 virtualized* Service
Layer 2 E-LAN Service
E-Tree Service
Layer 3* virtualized multicast Service
Layer 3 multicast Service (shortcut)
IPv6* Service
VXLAN* Service
E-Line Service
*VSP only

11x Faster time to Service with Simple Edge Provisioning
Automated Campus

Status Quo:
Hop by hop provisioning
Moves, adds and changes require core reconfiguration
Vulnerable to human error during change
Services coupled to physical topology

With Extreme:
Edge Provisioning only
Core is hands-off
Moves, adds, and changes on the fly (no more maintenance windows)
Services abstracted from topology

Diagram labels: NETWORK, Video Surveillance Servers, Application Servers

Enhanced Security with Hyper-Segmentation Prevents Lateral Movements Creating Dead Ends for Hackers
Automated Campus

Without Hyper-Segmentation: Isolation is fragmented and limited in scale (VLAN chaining; limited VLAN chaining and VRFs; campus VLANs and ACLs; micro-segmentation in the data center)
With Hyper-Segmentation: Zones effortlessly reach across entire network

Diagram labels: END-TO-END CONTROL PLANE, NETWORK, Financial Systems, Application Servers, Personal Data Records

Here is a depiction of how network segmentation is generally done today. VLANs came about to form broadcast domains at the edge of the network. Access Control Lists simply map user permissions to systems. Micro-segmentation secures connections mainly between servers in a data center. Attempts to create an end-to-end segment involve either a costly and complex MPLS LAN implementation or VLAN chaining, in which IT organizations configure a VLAN path across the network switch by switch, including the network core, which becomes very risky. With hyper-segmentation, only the network end-points are configured and the end-to-end control plane takes care of everything else. In fact, by just plugging a device into the network a segment can be automatically configured on the network end-point – but more on that later. Because of the ease of configuration, creating hundreds or thousands of unique virtual networks becomes practical. The limit is 16 million. Once hyper-segments are created, organizations experience a reduction in the attack surface, a quarantine function if a segment is breached, improvement of anomaly scanning, and greater firewall efficiency. Imagine being able to have secure isolated zones for financial transactions, customer records, video surveillance, physical security, R&D groups, executives, IoT devices, kiosks, etc. And one of the best parts is yet to come.

Automated Security Policy-Based Service Creation and Access
Individual end-to-end segments deliver secure traffic separation: Hyper-Segmentation
Isolate critical applications, information or users
Hackers cannot hop from one compromised system to the next
Security Enhanced Without Increasing Complexity

Diagram labels: Campus, Financial Systems, Application Servers, Personal Data Records, END-TO-END CONTROL PLANE, Limited VLAN chaining and VRFs

Automated Security Policy-Based Service Creation and Access
Individual end-to-end segments deliver secure traffic separation: Hyper-Segmentation
Isolate critical applications, information or users
Hackers cannot hop from one compromised system to the next
Extreme policy and/or control secures auto-attachment of Users/Devices to hyper-segment
Enables granular control over who and what has access to a segment
Both hyper-segmentation and policy enforcement for auto-attach are dynamic
Security Enhanced Without Increasing Complexity

Diagram labels: Campus, Application Servers, Personal Data Records, Financial Systems, Limited VLAN chaining and VRFs

Enhanced Security with Elasticity Eliminates Back Door Entry Points
Automated Campus

IoTs in Infusion Pump Zone
IoT is removed -- zone is automatically contracted
IoT moved -- zone automatically expands appropriately

Diagram labels: NETWORK, Infusion Pump Monitor, END-TO-END CONTROL PLANE

Fabric Connect is Resilient Delivering 2500X Faster Network Recovery (from mins to milliseconds)
Automated Campus

Load balanced, active/active network
Full network recovery in milliseconds (L2/3, even multicast)
Eliminates the domino effect of protocol overlays
Recovers so quickly that upper layer communications protocols are unaffected
Instantaneous Recovery

Diagram labels: Video Surveillance Servers, Video Surveillance Cameras

Automated Campus - Summary
Simple: One Protocol, Simple Multicast, ZTP+, Unified Wired & Wireless, Single Pane of Glass
Secure: Hyper-Segmentation, Elasticity, Stealth, NAC, Policy, IGE, Defender
Intelligent: Fabric, Edge-only Provisioning, ASAP, Profiling, Workflows, Analytics

Fabric Connect – A Closer Look

Fabric Connect is Simple: From 4-10 Protocols to 1
Traditional: MPLS, BGP, PIM, OSPF, VLANS, STP
Extreme Fabric Connect: 1 Protocol (IEEE/IETF Shortest Path Bridging) 802.1
Fabric Connect Benefits: Faster to Deploy, Increased Stability, Easier Troubleshooting, Faster Resiliency, Lower Costs

Comments Q&A