© 2019 Cisco and/or its affiliates. All rights reserved. Page 1 of 17
Intent-Based Networking’s Next Evolution: Policy
Integrations Between Multiple Domains
White Paper
Cisco public
Contents
Abstract 3
Introduction 3
Intent-based networks 5
Networking domains 6
Why integrate policies between domains 7
Multidomain integrations 9
Conclusion 16
Abstract
Multidomain policy integration is a strategic next step that preserves and extends Cisco’s leadership in Intent-Based Networking (IBN). It cements and reinforces IBN principles in Cisco® architectures in enterprise networking domains including campus, branch, WAN, data center, and cloud. This paper explains why integrating policies between these domains is the best way to preserve the uniqueness of each domain while achieving consistency of purpose throughout the enterprise, and how it can cope with accelerating IT complexity. It describes the currently supported integrations, customer benefits, and Cisco’s commitment and vision for the road ahead.
This paper is targeted towards CIOs and network architects who are familiar, but not experts, with IBN and
Cisco’s networking architectures. It aims to educate them on the latest from Cisco in IBN and efforts in
simplifying networking across the enterprise. It is not overly technical but provides enough technical details to
bring clarity to integrations and show that they are real.
Introduction
Organizations in every industry are reworking their business strategies. In order to grow and compete effectively, they are making increasing use of technology to improve their processes, deliver better experiences to their customers, and provide better tools to their employees.
For example, manufacturing organizations are adding smart things such as sensors and actuators to give them real-time feedback and control over their processes. They are also collecting vast amounts of data throughout the value chain from suppliers, distributors, partners, and customers, which they use for predictive analytics.
These sorts of digital initiatives transform their operations from traditional static manufacturing supply chains to
a dynamic and interconnected system, allowing them to deliver customized experiences for their customers,
increasing productivity of their employees, and making their processes more agile to keep pace with business
cycles.
In healthcare, telemedicine is helping patients in the most remote locations of the world receive quality
healthcare. Patients are using connected blood-pressure gauges, glucometers, heartrate monitors, and even
home EKG machines to upload vital information for remote monitoring and diagnoses. Specialized programs are
now preprocessing scans to supplement the work of human radiologists and use AI techniques to guide and
predict the efficacy of drugs.
Likewise, the financial industry is relying more and more on digital technology to sign contracts online, building
bank branches that feature virtual tellers, and even provide convenient banking facilities to millions of
underserved populations through the convenience of their mobile phones.
Clearly, digital transformation has positively impacted economic growth, accelerated innovation, brought about
better service delivery, and improved customer and employee experiences.
Gartner believes that “a full Intent-Based Networking System implementation can reduce network infrastructure
delivery times to business leaders by 50% to 90%, while simultaneously reducing the number and duration of
outages by at least 50%.”1
1 Andrew Lerner, Joe Skorupa, Sanjit Ganguli, Innovation Insight: Intent-based Networking Systems (IBNS), Gartner, Refreshed 13
April 2018
Figure 1.
Positive results from digital transformation efforts
Now, more than ever, these organizations’ IT strategies are essential for their business strategies to succeed.
For these digital initiatives to work, organizations need to ensure that a secure and robust infrastructure is in
place. Smart Internet of Things (IoT) devices are notorious for increasing the available attack surface and must
be properly secured. User experience that is crucial for any digital initiative to work needs a robust WAN
network that can prioritize application traffic appropriately. This type of network is even more essential as
applications are becoming more distributed and are not limited to the enterprise’s data center. Moreover, all
these processes must adhere to all applicable regulatory and compliance directives. As digital innovations
continue to evolve, infrastructure needs to be agile and adapt rapidly to changing priorities and needs of the
business.
Unsurprisingly, then, IT departments feel an increasing urgency to keep up with business pace and innovation.
IT must maintain the constant deluge of daily operations to drive optimal user experiences, while still innovating
and adopting modern techniques to deliver on business intent.
Business and IT initiatives ultimately depend on the underlying network to realize their goals. The organization’s
network needs to provide wired and wireless access to all users and IoT devices, take preventative measures to
minimize the threat surface, connect customers and employees entering through a variety of transport
mechanisms, and ensure high-quality application experience.
These multiple challenges of scale, complexity, security, and agility cannot easily be met with the traditional ways of building, monitoring, and managing networks. In the past, network administrators have relied on site-by-site and box-by-box configurations. That worked well when networks were relatively static with few modifications. Now, with the new normal of hyper connectivity, manual changes do not scale. Similarly, troubleshooting has generally consisted of manually collecting information, reproducing the problem, and poring over logs to figure out where the problem might be. This strategy is also not scalable and will not succeed in the current age of digital transformation.
Figure 2.
Network complexity due to scale, security, and connectivity is outpacing human capability to manage
Intent-based networks
Intent-based networking, or IBN, provides the answer. IBN changes how networks are monitored and managed so that, through network automation and assurance, they are brought closer to the business intent, that is, the desired outcomes.
Role of the network controller
Traditional models of network control have ranged from basic device control by dedicated Element Management Systems (created for a specific set of devices), to network managers (which offered a static set of extended functions but no integrations to make the network agile), to SDN controllers (which injected limited dynamism but did not go far enough). Enterprises had to deploy several management systems that did not work with each other to control the network, resulting in excessive manual work to maintain the network, poor business alignment, and high operational expenses.
To address this, new software-driven networking models that embrace automation, advanced analytics, and open platforms are transforming networks, resulting in dramatically new ways of operating them. Through a controller-led strategy, network operators can quickly set the business intent, and the controller translates it into network configuration and execution at scale, while continuously monitoring to assure performance and security. This results in a closed-loop system that learns, optimizes, and protects. Using APIs, network controllers integrate with business and IT processes in real time, making the network responsive and better equipped to achieve business objectives. These APIs also allow communication between controllers, enabling the fulfillment of intent that spans multiple controller-led networks.
Figure 3.
Role of the network controller in intent-based networks
Networking domains
Today Cisco offers networking solutions using intent-based networking principles in several networking domains. We define a networking domain as a grouping of devices such as switches, routers, wireless APs, and Wireless LAN Controllers (WLCs) that share rules and procedures and are governed by a common controller.
Figure 4.
Networking domains, their purpose, and their controllers
The division of networking responsibilities between domains results from the specific requirements that the
domains need to address. For example, a campus network is responsible for authenticating and onboarding
users and devices through wired and wireless means, authorizing them and granting them various privileges
based on their levels, and detecting and mitigating threats that such devices could be subject to. The WAN
network connects users to applications either in the data center, in one or more public clouds, or within a
Software as a Service (SaaS) provider. The WAN network is responsible for appropriate path selection and
prioritization and mitigation of threats that may originate from inside and outside. The data center network
manages compute resources among application workloads serving the needs of virtualized and distributed
applications and safeguards sensitive data.
Cisco Digital Network Architecture (Cisco DNA), Cisco SD-WAN, and Cisco Application Centric Infrastructure
(Cisco ACI®) are Cisco’s implementations of campus/branch, WAN, and data center networks. Each is governed
by a controller that sets policies within the domain—Cisco DNA Center, Cisco vManage, and Cisco Application
Policy Infrastructure Controller (APIC), respectively.
Because the functions they perform are so specialized, each domain must remain independent of others with its
own controller-based infrastructure optimized for its tasks. With significant differences in networking, security,
and performance requirements, collapsing these domains into one is not realistic. However, each domain
provides services that are meaningful in an end-to-end context and therefore must be visible across the
domains.
Cisco’s architecture for these domains follows intent-based networking principles. Each domain controller works through a set of policies, generated from business intent, that it translates into device configurations. The controllers collect performance data from these devices, analyze it, and ensure that the devices are meeting the intent. A single business intent might render into different domain-specific policies, but in order to fulfill that single intent all these policies must be coherent and communicated across all domains.
Why integrate policies between domains
Intent-based networks allow users to define their intent, or desired outcomes, and store them as policies. An example of an intent in the campus network could be to separate IoT traffic from user traffic; the corresponding policy would specify that when IoT devices onboard, they are placed in a network segment separate from users. Similarly, in the data center, policies could dictate which applications are sensitive and must be protected from indiscriminate access.
Business objectives, however, are enterprise wide and span domains. Therefore, all domains need to have a consistent set of policies that work collaboratively to deliver the desired outcomes. For example, in the healthcare industry, we want doctors in hospitals to be able to run applications in the data center that access and update
their patients’ medical records. We also want them to do so securely, complying with all regulations, and with
good quality of experience. To make this happen, access policies defined for the doctor in the hospital
(campus) need to be mapped to the access policies defined in the data center for the medical application, so
that while the doctor can read and write medical data, unauthorized users are not able to, and thus the process
complies with regulations. Moreover, the WAN connecting the campus to the data center must be able to
recognize the application traffic and prioritize it appropriately.
Global Data: For an enterprise to be successful with intent-based networking, it needs to fully embrace
automation in the data center, the campus, the wide area network, and in the branch.2
- Mike Fratto, Senior Analyst, 451 Research
The above example illustrates the need for three key policy integrations, namely, network segmentation policies that separate user traffic and create a permit/deny matrix with resources and applications; application experience policies that allow the data center network to interwork with the WAN; and security policies that are consistent across all domains.
Figure 5.
Policy integrations between domains
Before such integrations, policy coordination between domains was done manually. Each time administrators
made a policy update in any one of the domains they needed to alert administrators in other domains so that
they could interpret and translate the policy change and apply it to their own domains. In contrast, an automated
exchange of policies makes the entire enterprise network work as one, be responsive to modifications, and
rapidly adopt policies end-to-end without errors.
From an intent-based networking perspective, these integrations represent the next logical step in extending
business intent across the enterprise.
2 Global Data: Enterprises Cannot Have Automation Commitment Issues and Be Successful, July 21, 2017, Mike Fratto, Senior Analyst,
Business Technology and Software
Multidomain integrations
Cisco offers a complete intent-based networking portfolio of devices and controllers for all networking domains
and therefore is in a unique position in the industry to offer such policy integrations that stitch together multiple
networking domains and make them whole.
Segmentation policy integrations
As more and more critical information is entrusted to the digital infrastructure, the risk of information being
compromised increases. Furthermore, as more devices are connected to the network, the paths by which
criminals may compromise information are substantially increased, and the available attack surface is expanded.
It is therefore critical to deliver a comprehensive and hardened set of security measures that allow the network
to be the first line of defense in the IT security strategy. Originally, network segmentation was aligned to a
strategy for improving network stability and performance. Over time, it has evolved to reflect a security strategy
in which the network is segmented or compartmentalized to enforce a policy by enabling controls within and
between segments. This segmentation is aimed at fragmenting the attack surface and reducing the scope of
lateral movement that malware may pursue during a security breach. For segmentation to be effective in limiting
the effectiveness of a security breach, the network must be segmented end-to-end because the attacker may
attempt lateral movements in the access, WAN, or data center.
When a security breach is identified, the offending endpoints can be quickly isolated into a segment built for the purpose of quarantining attacks and malware. The ability to dynamically create quarantine segments, and quickly assign an endpoint to such a segment in response to a detected threat, is possible in a Software-Defined Networking (SDN) network like SD-Access in the campus and branch, and ACI in the data center.
Segmentation may be realized at a coarse level in the form of virtual networks or at a more granular level in the form of groups of endpoints. These approaches to segmentation are referred to as macrosegmentation and microsegmentation respectively. Microsegmentation provides a much more granular level of segmentation than that provided by virtual networks and is also more elastic in its ability to rapidly change the group that an endpoint belongs to, or alter the policy that governs the communication for a group. Traditionally, microsegmentation has been enforced with Access Control Lists (ACLs) distributed across the network infrastructure. Modern microsegmentation instead uses group-based access control lists (also called Scalable Group Access Control Lists [SGACLs]) to enforce ACLs based on group membership rather than IP addressing, and thus provides an access control policy environment that is independent of IP addressing or subnet boundaries.
Figure 6.
Macro and micro segmentation in SD-Access
The organization of hosts into groups, and the resulting ability to author access control policies in terms of groups rather than IP addresses, has fundamental implications for scalability and manageability. For instance, a group may have endpoints from 100 different subnets associated with it. In this case a traditional IP-based ACL would require each IP prefix in the group to have its own access control entry, leading to very large ACLs that are complex to manage and consume a very large amount of hardware resources in the network. With group-based ACLs, these hundreds of clauses become a single clause for the group, rather than one clause for each group member. To enforce this group-based ACL, traffic transiting the network is tagged so that policies can be applied on the tag rather than on the IP address.
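The scalability argument above, worked through as an added example that is not code from the paper or from any Cisco product: endpoints spread over several subnets are classified into group tags, policy is enforced on the (source tag, destination tag) pair, and the number of entries an IP-prefix ACL would need is compared with the number a group-based ACL needs. The group names, prefixes and ports are constructed values, and the user-to-application rule follows the paper's doctor-to-medical-records scenario.

```python
import ipaddress
from typing import Optional

# Constructed inventory (hypothetical values, not taken from the paper):
# access-side groups whose endpoints are spread over several campus subnets,
# and a data center application group, all keyed by a group tag name.
GROUPS = {
    "Doctors": ["10.1.5.0/24", "10.2.5.0/24", "10.3.5.0/24", "10.4.5.0/24"],
    "IoT_Sensors": ["10.1.9.0/24", "10.2.9.0/24", "10.3.9.0/24"],
    "Medical_Records_App": ["192.168.100.0/25", "192.168.100.128/25"],
}

# Group-based policy matrix: (source tag, destination tag) -> permitted TCP ports.
# Any pair not listed, and any listed pair with an empty port set, is denied.
POLICY = {
    ("Doctors", "Medical_Records_App"): {443},
    ("IoT_Sensors", "Doctors"): set(),   # explicit deny: IoT may not reach users
}


def ip_acl_entry_count(policy, groups):
    """Entries an IP-prefix ACL needs to express the same policy:
    one per (source prefix, destination prefix, port) combination."""
    total = 0
    for (src, dst), ports in policy.items():
        total += len(groups[src]) * len(groups[dst]) * max(len(ports), 1)
    return total


def group_acl_entry_count(policy):
    """Entries a group-based ACL needs: one per (source tag, destination tag, port),
    independent of how many prefixes each group spans."""
    return sum(max(len(ports), 1) for ports in policy.values())


def classify(ip: str, groups=GROUPS) -> Optional[str]:
    """Longest-prefix match of an endpoint address to its group tag.
    In a real deployment the tag comes from identity/onboarding, not from the
    address; the prefix lookup here only stands in for that classification."""
    addr = ipaddress.ip_address(ip)
    best_tag, best_len = None, -1
    for tag, prefixes in groups.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if addr in net and net.prefixlen > best_len:
                best_tag, best_len = tag, net.prefixlen
    return best_tag


def sgacl_decision(src_ip: str, dst_ip: str, port: int,
                   policy=POLICY, groups=GROUPS) -> str:
    """Enforce on tags, not addresses: classify both endpoints, then look up the
    (source tag, destination tag) cell of the policy matrix."""
    src_tag, dst_tag = classify(src_ip, groups), classify(dst_ip, groups)
    if src_tag is None or dst_tag is None:
        return "deny"  # untagged endpoint: no group membership, so default deny
    return "permit" if port in policy.get((src_tag, dst_tag), set()) else "deny"


def with_extra_prefix(groups, tag, prefix):
    """Return a copy of the inventory with one more subnet joined to a group,
    to show that only the IP-based ACL grows when membership changes."""
    updated = {t: list(p) for t, p in groups.items()}
    updated[tag].append(prefix)
    return updated


if __name__ == "__main__":
    print("IP ACL entries:   ", ip_acl_entry_count(POLICY, GROUPS))
    print("Group ACL entries:", group_acl_entry_count(POLICY))
    print(sgacl_decision("10.1.5.20", "192.168.100.10", 443))  # doctor -> app, HTTPS
    print(sgacl_decision("10.1.9.7", "10.1.5.20", 22))         # sensor -> doctor
```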
Network segmentation in SD-Access
Within the SD-Access architecture, Cisco DNA Center and Cisco Identity Services Engine (ISE) work in unison to
provide the automation for planning, configuration, segmentation, identity, and policy services. Cisco ISE is
responsible for device profiling, identity services, and policy services, dynamically exchanging information with
Cisco DNA Center.
Segmentation within SD-Access is enabled through the combined use of both Virtual Networks (VNs), which are
synonymous with Virtual Routing and Forwarding (VRF), and Scalable Group Tags (SGTs). Whereas
segmentation can be accomplished using purpose-built virtual networks alone, Cisco TrustSec SGTs provide
logical segmentation based on group membership. SGTs provide an additional layer of granularity, allowing you
to use multiple SGTs within a single VN providing microsegmentation within the VN.
Network segmentation in ACI
As a similar example in the data center, Cisco Application Centric Infrastructure (ACI), powered by the Cisco Application Policy Infrastructure Controller (APIC), offers an architecture that can translate business requirements into secured zones or enclaves. ACI has built-in segmentation and security as part of the architecture. ACI uses the concepts of tenants, contexts, and endpoint groups to deliver segmentation. A context is equivalent to a virtual network and provides macrosegmentation using VRFs and bridge domains. Endpoint Groups (EPGs) are equivalent to the Scalable Groups (SGs) discussed in SD-Access and provide a level of microsegmentation. With Cisco ACI deployed, contracts or policies can be created that allow only specific communications between tiered applications, as well as access to external resources, whether applications or users, while blocking all other unauthorized access. Within the Cisco ACI policy model, both VRFs and group-based Endpoint Groups (EPGs)—similar in many ways to SGTs, even to the extent that they can be translated—are used to provide segmentation.
Figure 7.
A grouping of HTTP and HTTPS services as a single group of endpoints known as an EPG
ACI thus provides a policy and segmentation environment that is consistent with the policy and segmentation
environment used in the SD-Access enabled access network. Further, with ACI Anywhere, the policy and
segmentation environment extends across the hybrid cloud to provide a single policy domain across diverse
public cloud facilities and the private on-premises data center. An ACI fabric can thus extend across Amazon
Web Services (AWS), Azure, and Google Infrastructure as a Service (IaaS) facilities, as well as private premises,
and present itself as a single multisite domain to the access network.
Segmentation integrations
Cisco is focused on delivering a truly integrated end-to-end segmented network in which the different domains
are integrated with each other to align connectivity and segmentation. Although the operational environments
are integrated, each domain remains independent so that the domain-specific functionality and domain-specific
vertical integration of the management and networking stacks are preserved in full for an ideal experience and
full set of functionalities within and across domains. For example, SD-Access is integrated with SD-WAN to
deliver a single network experience for the purposes of connectivity and segmentation, but endpoint onboarding
in the SD-Access and path engineering for Service Level Agreement (SLA) enforcement in SD-WAN operate
independently of each other. Likewise, SD-Access is integrated with ACI Data Center to enable the federation of identity and the definition of end-to-end user-to-application segmentation policies.
Figure 8.
SD-Access and ACI exchange SGTs and EPGs
SD-Access to ACI integration allows the controllers in the SD-Access (Cisco DNA Center) and ACI (APIC) domains to interwork with each other and exchange identity information. SD-Access provides ACI with a list of groups resulting from the classification of endpoints in the access, and ACI provides a list of application groups. With this information, the SD-Access and ACI domains have enough user and application information to allow the operator to author user-to-application policies using the group-based model. This gives operators consistency across the access and data center, so that they can produce an end-to-end segmentation policy. Open APIs allow the SD-Access and ACI systems to integrate with threat and anomaly detection tools and adapt the segmentation accordingly, thus providing the foundation for the IT infrastructure to prevent and remediate security breaches using end-to-end segmentation. As part of this integration, the network control and data planes are also integrated to maintain the semantics of macro- and microsegmentation across the access and data center domains.
Figure 9.
SD-WAN passes SGTs between segments of SD-Access so policy follows identity
SD-Access to SD-WAN integration automates the provisioning and assurance of the control and data plane
interface between SD-Access and SD-WAN domains. The Network-to-Network-Interface (NNI) between the
domains is distilled into a single network device (the edge router). This device is shared between the two
domains to simplify the handoff between domains and make them behave as closely as possible as a single
domain without losing the functionality independence of each domain. The management planes are integrated
so that any given device is managed by one controller and one controller only, which allows the system to
remain transactional and therefore reliable. The macrosegmentation semantics are mapped between the
domains to produce an end-to-end virtual network across access and WAN, without sacrificing functionality in
either domain. The microsegmentation semantics are transported opaquely by the WAN so that they can be
effective in the edge domains (campus, branch, and data center). With this integration, segmentation can be
defined once in Cisco DNA Center, and behavior is driven to the SD-Access domain and to the SD-WAN
domain through API-based controller integration. Two domains effectively appear as one for the tasks that
matter.
A network segmentation strategy developed to enforce security policy in support of an organization’s business
requirements is not limited to a single location or a single domain. A given network segment, and the policies it
represents, may be extended anywhere within an organization where one of the business-relevant applications
or functions reside. This range of function extends from the access through the WAN all the way to the
multicloud data center across the WAN and security domains.
User experience policy integrations
SD-WAN to ACI integration allows the ACI administrator to define service-level requirements for different
applications and to communicate those to the SD-WAN controller so that any necessary path selection, QoS, or
traffic engineering may be enforced in the WAN to deliver the required SLA. A single touchpoint can trigger the
rendering of the desired intent across multiple domains.
Figure 10.
Automatic service assurance integration to ensure quality of user experience
Security policy integrations
Security applications should not be bolted on but rather built into the network fabric, so that security and the network work together to reduce the time to prevent, detect, and remediate threats. This level of integration protects users and devices regardless of their physical location and the location of the application they are trying to access—in the data center, hybrid clouds, or within a SaaS provider.
Cisco defines integration between network and security as intent-based network security to emphasize that its
security applications apply to all intent-based networking domains. A secure intent-based network provides
visibility into who and what is on the network, contributes to a complete zero trust access model, and
continuously detects and contains threats.
Security point products built for specific threats can typically be used in only a single networking domain. As organizations transform their networks towards SD-Access, SD-WAN, and hybrid multicloud, and as user traffic traverses multiple networking domains, it is imperative that security policy follows the traffic and maintains the security posture across all these networking domains.
Figure 11.
Security for the multidomain world
Cisco’s aptly named security architecture—intent-based network security—emphasizes the need for security to
work within the principles of intent-based networking. Intent-based network security addresses the critical
question: is security fulfilling the business intent?
Figure 12.
Cisco intent-based network security components and benefits
Intent-based network security approaches the problem holistically. It allows you to:
● Enable automated access policies from a simple and single interface to secure any user, any device, any
app, anywhere
● Stop propagation of data breaches using dynamic context, not location, for segmentation
● Ensure fast compliance by applying security to thousands of locations from one interface
● Streamline visibility to the SOC for reduced time to threat detection
● Automate threat responses from the SOC to remediate incidents in less time
Figure 13.
Cisco intent-based network security provides security across domains
Intent-based network security is based on three principles:
1. Continuous visibility: A full view of who and what is on the distributed network is critical to filling the gaps in traditional perimeter and endpoint-based security solutions. Gaining a baseline understanding of all network communications—even in the cloud—provides a full inventory that a group-based policy can be built around. It enables monitoring of unusual behavior that could represent a threat or policy violation. Machine learning can further classify all types of devices or workloads and more quickly identify anomalies from the baseline.
2. Zero-trust access: A zero-trust security model provides the ability to secure access regardless of where
access originates and minimizes the attack surface. This model contextually groups all users, devices,
things, and applications, and then logically segments them throughout the wired and wireless infrastructure
to secure the workplace. The segmentation model follows throughout the domains from the user in campus
or branch, to applications in the data center and cloud, through SD-WAN.
3. Constant protection: Network transformations, including SD-WAN and SD-Access, have resulted in a
distributed environment requiring security controls in hundreds to thousands of locations. Constant
protection can be achieved only by building threat prevention, detection, and response into every network
device—from the WAN edge to the campus core. An open, scalable multidomain architecture to push access
policy changes from the branch to the data center is critical to rapidly contain threats.
Cisco multidomain security applications
Cisco Advanced Malware Protection (AMP) works on endpoints by blocking malware at the point of entry, and removes it from PCs, Macs, Linux, and mobile devices. Going beyond user devices, AMP also works within Cisco SD-WAN to proactively block threats and protect users.
Cisco Stealthwatch® scales visibility and security analytics across the whole business, including endpoints in
campus and branch, data center, and cloud. And with Encrypted Traffic Analytics, Cisco Stealthwatch is the only
product that can detect malware in encrypted traffic and ensure policy compliance, without decryption.
Cisco Umbrella™ provides a Secure Internet Gateway (SIG) that provides the first line of defense against threats
on the internet wherever users go. Umbrella delivers complete visibility into internet activity across all locations,
devices, and users, and blocks threats before they ever reach your network or endpoints.
Security constructs built into Cisco SD-WAN apply consistent security across campus, branches, devices, and
users by shifting the security stack that enforces network segmentation, enterprise firewall, secure web
gateway, and DNS-layer security policies in the centralized data center DMZ to the distributed WAN and cloud
edge.
Conclusion
While IT is utilizing intent-based features in each of the networking domains, IT decision makers are realizing
that business intents span domains and that these domains must work together to fulfill those intents. While
each domain has policies that define its actions, integration of policies between domains serves as the most
elegant way to preserve their uniqueness and still provide the essential consistency and management. With
policy integration, each domain, while functioning independently, can collaborate with others for the benefit of
the enterprise network.
It’s not an intent-based network until you can tell the network what you want and let it figure out how to do it.
It’s not “one network” unless we have policy, automation, assurance, and security built in for continuous
visibility, zero-trust access, and constant protection, with security and assurance working seamlessly across
every domain.
Cisco is uniquely positioned to deliver multidomain integrations with these differentiators:
● Only Cisco has leadership and best-in-class purpose-built intent-based networks across campus,
branch, WAN, data center, colocation centers, and multicloud domains
● Only Cisco is executing on the vision of end-to-end intent-based networking—from any user anywhere to
any workload anywhere
● Only Cisco integrates security uniformly across all domains
For more information
● Read the blogs: 3 Ways Intent-Based Networking Fulfills Business Intent with Multidomain Integration, and
Extending Intent-Based Networking Across Domains
● Read the AAG: Cisco Multidomain Integrations for Intent-Based Networking At-a-Glance
● Experience it for yourself: Cisco ACI-ISE Integration Demo
● Dive deeper and listen to Cisco experts: Cisco Applications and End to End Infrastructure Policy (Tech
Field Day), and The Integrated Multi-Domain Network - Status and Evolution
● Watch Techwise TV: Multidomain Integrations for Intent-Based Networking
Printed in USA C11-742929-00 12/19