Cisco is going all-in on Intent-Based Networking (IBN).
IBN is an emerging concept for network operations that aims to translate high-level business objectives into configuration instructions that can be automatically applied across the network infrastructure to achieve a desired outcome, such as provisioning network connectivity for a new application.
Several startups including Apstra Networks, Veriflow, and Forward Networks have done much of the grunt work to carve out IBN as a distinct market.
However, Cisco has moved with surprising speed to adopt (and some might argue co-opt) the concepts and marketing language of IBN, and has now debuted a new product in its IBN portfolio: Network Assurance Engine.
Cisco announced Network Assurance Engine at its Cisco Live Europe event in January 2018. I was recently briefed on the product. I’ll share notes from the briefing but first, let’s set the table on IBN.
A Brief View Of Intent Based Networking
To my mind, you can put “intent” products into two broad categories: automation and verification.
Automation: A network engineering team ‘intends’ for the network to deliver a service with a distinct set of criteria based on high-level business requirements.
A set of software tools takes those high-level requirements, translates them into low-level device instructions, and automatically programs all the necessary infrastructure (routers, switches, firewalls, load balancers, etc.) to deliver that service.
In other words, the business describes an outcome, and it’s up to the intent platform to handle the nerd-knobbery to deliver it.
Verification: A network engineering team has configured the infrastructure a certain way with the intent to deliver specific services and meet explicit business and security policies.
A real-time network model, built from continuous polling of device configurations and other state data, allows that team to verify whether the intended state of the network matches the actual state of the network.
In other words, when I configured X, I intended an outcome of Y. Have I achieved that outcome?
Note: Some IBN vendors blend these concepts so that the IBN platform can automatically configure the infrastructure, and then collect and analyze telemetry data to both confirm that the changes were made, and to monitor the network to ensure that the original business criteria are still being met over time.
The telemetry and analytics components may not create a network state model, but they do provide essential feedback to create a closed loop between intention and result.
Cisco’s Network Assurance Engine falls into the verification category.
Network Assurance Engine is a software package for data center networks. Its high-level goal is to provide network engineers with a near-real-time model of the state of the network. (Just how real-time depends on the intervals at which you pull state data and refresh the model. Cisco says it can update its model in 5- to 15-minute intervals).
The software builds the model by collecting non-packet data such as switch configurations, device resource usage, and data-plane state. It uses APIs to get this information, or it can log into devices via SSH to pull device and configuration data. (Either way, the collector holds credentials for every device it polls, so a read-only account scoped to that job is the sensible choice.)
With the state information in hand, the software builds a working model of the data center and reasons about it using formal verification: mathematical techniques that prove properties of the model for all flows at once, rather than sampling behavior with test packets.
The startups Veriflow and Forward Networks are also built around the concepts of formal verification.
Network engineers and operators can query the model to understand how endpoints are connected, where security policies may overlap or be missing, whether configurations comply with business requirements, and so on.
Cisco outlines three main use cases for the network model:
1. Test the impact of changes: Engineers can test changes in the model before they put them in production to see if those changes break something or cause unwanted outcomes.
2. Verify network-wide behavior: Engineers can query the network to see if business intent and policies align with the actual configuration of the network.
3. Assure compliance and correctness: Engineers can check network compliance with security policies and business rules, as well as analyze where policies might overlap, could be pruned, or conflict.
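To make the verification workflow concrete, here is an added example that is not Cisco's code nor any vendor's: a toy first-match policy model (default deny) built from rules a collector might have pulled from the fabric, queried for reachability, checked against declared intent, scanned for shadowed rules, and used to test a change before it is applied. The group names ("web", "app", "db", "internet"), ports and rules are constructed for illustration and stand in for real polled state.

```python
"""Intent-vs-actual verification over a tiny network model (added example).

Not Cisco's code: a first-match policy model with default deny, built from
constructed 'polled' rules, queried for reachability, checked against declared
intent, and used to test a change before it is applied.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

ANY = "*"  # wildcard for a rule field


@dataclass(frozen=True)
class Rule:
    """One permit/deny rule: src group -> dst group on a TCP port (or ANY)."""
    src: str
    dst: str
    port: str
    action: str  # "permit" or "deny"

    def matches(self, src: str, dst: str, port: str) -> bool:
        """True if this rule applies to the given flow."""
        return all(f in (ANY, v) for f, v in
                   ((self.src, src), (self.dst, dst), (self.port, port)))

    def covers(self, other: "Rule") -> bool:
        """True if every flow `other` can match is also matched by self."""
        return all(a == ANY or a == b for a, b in
                   ((self.src, other.src), (self.dst, other.dst), (self.port, other.port)))


@dataclass(frozen=True)
class Intent:
    """A business/security statement: this flow must (or must not) be reachable."""
    src: str
    dst: str
    port: str
    allowed: bool


def reachable(rules: List[Rule], src: str, dst: str, port: str) -> bool:
    """First matching rule decides; no match means default deny."""
    for r in rules:
        if r.matches(src, dst, port):
            return r.action == "permit"
    return False


def verify_intent(rules: List[Rule], intents: Iterable[Intent]) -> List[str]:
    """Use case 2/3: one message per intent the actual policy does not satisfy."""
    violations = []
    for i in intents:
        actual = reachable(rules, i.src, i.dst, i.port)
        if actual != i.allowed:
            violations.append(
                f"{i.src}->{i.dst}:{i.port} expected "
                f"{'allow' if i.allowed else 'deny'}, got {'allow' if actual else 'deny'}")
    return violations


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Use case 3: indices of rules that can never match because an earlier rule covers them."""
    return [j for j, r in enumerate(rules) if any(rules[k].covers(r) for k in range(j))]


def what_if(rules: List[Rule], change: Rule, intents: Iterable[Intent],
            position: Optional[int] = None) -> List[str]:
    """Use case 1: insert `change` into a copy of the policy (at `position`,
    default: end) and re-verify without touching the live network."""
    trial = list(rules)
    trial.insert(len(trial) if position is None else position, change)
    return verify_intent(trial, intents)


# Constructed sample data: what a collector might have pulled from the fabric.
POLLED_RULES = [
    Rule("web", "app", "8080", "permit"),
    Rule("app", "db", "3306", "permit"),
    Rule(ANY, "db", ANY, "deny"),
    Rule("web", "db", "3306", "deny"),  # redundant: shadowed by the ANY->db deny above
]

INTENTS = [
    Intent("web", "app", "8080", True),
    Intent("app", "db", "3306", True),
    Intent("web", "db", "3306", False),
    Intent("internet", "db", "22", False),
]

if __name__ == "__main__":
    print("violations:", verify_intent(POLLED_RULES, INTENTS))
    print("shadowed rule indices:", shadowed_rules(POLLED_RULES))
    proposed = Rule(ANY, "db", "22", "permit")  # "temporary" admin access
    print("what-if at top:", what_if(POLLED_RULES, proposed, INTENTS, position=0))
    print("what-if at end:", what_if(POLLED_RULES, proposed, INTENTS))
```

The two `what_if` calls show why a model matters more than the rule text alone: the same permit rule breaks the "internet must not reach db" intent when inserted at the top of the policy, but is harmless (and itself shadowed) when appended after the broad deny. A real engine reasons over forwarding state and contracts across the whole fabric rather than one flat rule list, but the loop is the same: collect state, build the model, query it, and compare against intent.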
The Network Assurance Engine software runs on three VMs and can be deployed on the server hardware of your choice. Hardware compute and storage requirements will depend on how much data you need to analyze and store.
In its first iteration, Network Assurance Engine is only available for Cisco ACI-based data center fabrics, and you’ll need an ACI license to use it.
Cisco plans to add support for third-party products throughout 2018, including F5, Citrix, Splunk, and Turbonomic.
Cisco also aims to bring intent-based concepts of automation to managing campus and branch networks through platforms such as SD-Access, and the recently released DNA Center dashboard. But that’s for another post.