
Page 1: Software Defined Access - Cisco Meetup Group · Network Function Virtualization GUI Prescriptive Customized Model-based Topology Easy QoS Plug & Play Path Optimization Service Instantiation

Software Defined Access

AJ Shah, SE, 2018

Page 2

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Partner Confidential

Cisco Is Rewriting the Network Playbook

Traditional Network: Hardware Centric, Manual, Fragmented Security

The New Network (Powered by Cisco DNA™): Software Driven, Automated, Built-In Security, Network Data Business Insights

Page 3

Cisco Catalyst 9000 – Built for SD-Access

First in enterprise
• x86 CPU with app hosting
• Programmable ASIC
• Software patching

Future-Proofed
• IEEE 802.11ax ready
• 100W PoE (IEEE 802.3bt) ready
• 25G Ethernet ready

Industry’s unmatched
• High Availability
• MultiGigabit density
• UPOE scale

SD-Access integrated; Converged ASIC (UADP 2.0); Single Image (IOS® XE Software); Common Licensing

Catalyst 9000 Series: 9300 – Fixed Access, 9400 – Modular Access, 9500 – Fixed Core

Security, IoT convergence, Cloud, Mobility

Page 4

Catalyst 9K Platform Transitions

Access Switching: Catalyst 3850 Copper and Catalyst 4500-E → Catalyst 9300 and Catalyst 9400

Backbone Switching: Catalyst 3850 Fiber 48 port and Catalyst 4500X → Catalyst 9500

Page 5 and Page 6: image-only slides, no text.

Page 7

Shift IT Time to Business Focus

Network Provisioning Time Savings: 67%
Improve Issue Resolution: 80%
Reduced Security Breach Impact: 48%
Reduced Operating Expense: 61%

Page 8

Software Defined Access: Underlay, Overlay, and Controller

Controller-based Management: Fabric Orchestration and Visibility; Single User Interface for Fabric Management (DNA-C)

Programmable Overlay: Connects Users and Devices to each other, with policy control; Standards-based control plane (LISP); Standards-based data plane (VXLAN)

Prescriptive Underlay: Connects the network elements to each other; Automated, standardized deployment and operation; Leverages existing network topologies (not restricted to spine/leaf)

Cisco Internal Use Only – Do Not Distribute Externally without NDA

Page 9

Enterprise Automation Key Benefits

TODAY
CLIs and scripts
Manual configurations
Script maintenance
Wired access only
Static network environments
Slow and unpredictable workload change
Hardware-centric

FUTURE
Simple user interface
Autonomic with control and visibility
Orchestration with data models
Extensibility with native 3rd party app hosting
Open sourced programmable interfaces
Seamless wired and wireless access
Programmable using software
Standards Based Object Model APIs
TCO Savings

Page 10

Digital Business Drivers: Requirement for Dynamic Policy Changes

Traditional network management cannot provide sufficient dynamic management
• Focus has been on Day0/1 automation
• CLI not built for volumes of changes in machine real time

Controller based networking supports dynamic policy change
• Controller allows network to be managed as a system
• Policy management is automated and abstracted

Page 11

How is Fabric Different from an Overlay? Fabric is an Overlay

We Live in a World of L2/L3 Overlays

An “Overlay” is a logical topology used to virtually connect devices, built on top of an arbitrary physical “Underlay” topology.

An “Overlay” network often uses alternate forwarding attributes to provide additional services, not provided by the “Underlay”.

• GRE or mGRE
• L2TPv2 or L2TPv3
• MPLS or VPLS
• IPSec or DMVPN
• CAPWAP
• LISP
• OTV
• DFA
• ACI

Page 12

SD-Access: Manual vs. Automated Underlay

Underlay Network

Manual Underlay – You can reuse your existing IP network as the Fabric Underlay!
• Key Requirements
  • IP reach from Edge to Edge/Border/CP
  • Can be L2 or L3 – We recommend L3
  • Can be any IGP – We recommend ISIS
• Key Considerations
  • MTU (Fabric Header adds 50B)
  • Latency (max RTT <= 100ms)

Automated Underlay – Prescriptive fully automated Global and IP Underlay Provisioning!
• Key Requirements
  • Leverages standard PNP for Bootstrap
  • Assumes New / Erased Configuration
  • Uses a Global “Underlay” Address Pool
• Key Considerations
  • PNP pre-setup is required
  • 100% Prescriptive (No Custom)

Page 13

Cisco Digital Network Architecture (Enterprise Switching and Wireless)

Diagram: Network Enabled Applications (Apps) connect over APIs to the Enterprise Controller (Policy Determination) and to Service Definition & Orchestration; Intent flows down and Telemetry flows up. Domains shown: Campus, WAN / Branch (WAN Agg, Branch, SP), Data Center, Cloud, Internet, each with VNFs (WAN VNFs, Campus VNFs, DC VNFs, Cloud VNFs) and Policy Enforcement Points (PEP) at the Network Interface (UNI).

Capabilities listed: Network Function Virtualization, GUI, Prescriptive, Customized, Model-based, Topology, Easy QoS, Plug & Play, Path Optimization, Service Instantiation, Analytics, Segmentation (1, 2, 3), Service Chaining (Localized or network-wide).

Fabrics: SD-WAN (WAN Fabric), ACI (DC Fabric), SDA (Campus Fabric); managed by DNA Center (APIC-EM, ISE, NDP).

Page 14

ISE in Enterprise

Cisco ISE is critical for several enterprise networking solutions: MOBILITY, TRUSTSEC, ANALYTICS, DEVICE ADMIN (TACACS+), SD-ACCESS

Page 15

Key Concepts: What is SD-Access?

1. High-Level View
2. Roles & Platforms
3. Fabric Constructs

Page 16

SD-Access: Fabric Roles & Terminology

Control-Plane Nodes – Map System that manages Endpoint to Device relationships

Fabric Edge Nodes – A Fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SDA Fabric

Fabric Border Nodes – A Fabric device (e.g. Core) that connects External L3 network(s) to the SDA Fabric

Fabric Wireless Controller – A Fabric device (WLC) that connects APs and Wireless Endpoints to the SDA Fabric

Intermediate Nodes (Underlay)

Identity Services – NAC & ID Systems (e.g. ISE) for dynamic Endpoint to Group mapping and Policy definition

DNA Center – provides simple GUI management and intent based automation (e.g. NCP) and context sharing

Analytics Engine – Data Collectors (e.g. NDP) analyze Endpoint to App flows and monitor fabric status

Diagram: Campus Fabric with Border (B) and Control-Plane (C) nodes.

Page 17

SD-Access Fabric: Control-Plane Nodes – A Closer Look

Control-Plane Node runs a Host Tracking Database to map location information

• A simple Host Database that maps Endpoint IDs to a current Location, along with other attributes
• Host Database supports multiple types of Endpoint ID lookup types (IPv4, IPv6 or MAC)
• Receives Endpoint ID map registrations from Edge and/or Border Nodes for “known” IP prefixes
• Resolves lookup requests from Edge and/or Border Nodes, to locate destination Endpoint IDs

Page 18

SD-Access Platforms: Control-Plane Nodes

Catalyst 9500 (NEW)
• Catalyst 9500
• 10/40G SFP/QSFP
• 10/40G NM Cards
• IOS-XE 16.6.3+

Catalyst 3K
• Catalyst 3850
• 1/10G SFP
• 10/40G NM Cards
• IOS-XE 16.6.3+

Catalyst 6K*
• Catalyst 6800
• Sup2T/6T
• 6840/6880-X
• IOS 15.4.1SY4+

ASR1K, ISR4K & CSRv
• CSRv
• ASR 1000-X/HX
• ISR 4300/4400
• IOS-XE 16.6.2+

* Wired Only

Page 19

SD-Access Fabric: Edge Nodes – A Closer Look

Edge Node provides first-hop services for Users / Devices connected to a Fabric

• Responsible for Identifying and Authenticating Endpoints (e.g. Static, 802.1X, Active Directory)
• Register specific Endpoint ID info (e.g. /32 or /128) with the Control-Plane Node(s)
• Provide an Anycast L3 Gateway for the connected Endpoints (same IP address on all Edge nodes)
• Performs encapsulation / de-encapsulation of data traffic to and from all connected Endpoints

Page 20

SD-Access Platforms: Edge Nodes

Catalyst 9400 (NEW)
• Catalyst 9400
• Sup1/XL
• 9400 Cards
• IOS-XE 16.6.3+

Catalyst 9300 (NEW)
• Catalyst 9300
• 1/10G RJ45, SFP
• 10/40/MG NM Cards
• IOS-XE 16.6.3+

Catalyst 4K
• Catalyst 4500
• Sup8E/9E (Uplink)
• 4700 Cards
• IOS-XE 3.10.1E+

Catalyst 3K
• Catalyst 3650/3850
• 1/10G RJ45, SFP
• 10/40G NM Cards
• IOS-XE 16.6.3+

Page 21

SD-Access Fabric: Border Nodes – A Closer Look

Border Node is an Entry & Exit point for data traffic going Into & Out of a Fabric

There are 2 Types of Border Node!

• Internal Border – Used for “Known” Routes inside your company
• External Border (or Default) – Used for “Unknown” Routes outside your company

Page 22

SD-Access Platforms: Border Nodes

Catalyst 9K (NEW)
• Catalyst 9500
• 10/40G SFP/QSFP
• 10/40G NM Cards
• IOS-XE 16.6.3+

Catalyst 3K
• Catalyst 3850
• 1/10G SFP+
• 10/40G NM Cards
• IOS-XE 16.6.3+

Catalyst 6K
• Catalyst 6800
• Sup2T/6T
• 6840/6880-X
• IOS 15.4.1SY4+

Nexus 7K*
• Nexus 7700
• Sup2E
• M3 Cards
• NXOS 8.2.1+

ASR1K & ISR4K
• ASR 1000-X/HX
• ISR 4300/4400
• 1/10G/40G
• IOS-XE 16.6.3+

* External Border Only

Page 23

SD-Access Fabric: Border Nodes – Internal

Internal Border advertises Endpoints to outside, and known Subnets to inside

• Connects to any “known” IP subnets available from the outside network (e.g. DC, WLC, FW, etc.)
• Exports all internal IP Pools to outside (as aggregate), using a traditional IP routing protocol(s).
• Imports and registers (known) IP subnets from outside, into the Control-Plane Map System
• Hand-off requires mapping the context (VRF & SGT) from one domain to another.

Page 24

SD-Access Fabric: Border Nodes – External

External Border is a “Gateway of Last Resort” for any unknown destinations

• Connects to any “unknown” IP subnets, outside of the network (e.g. Internet, Public Cloud)
• Exports all internal IP Pools outside (as aggregate) into traditional IP routing protocol(s).
• Does NOT import unknown routes! It is a “default” exit, if no entry is available in Control-Plane.
• Hand-off requires mapping the context (VRF & SGT) from one domain to another.
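As an added illustration of the map-system behaviour described on pages 17, 23 and 24 (this is example code written for this page, not Cisco's implementation and not a DNA Center or LISP API), the toy Python model below keeps a host tracking table keyed by IPv4, IPv6 or MAC endpoint ID, accepts /32 and /128 registrations from edge nodes and aggregate "known" prefixes from an internal border, answers lookups by longest-prefix match, and falls through to the external border whenever no entry exists, which is why the external border never needs to import unknown routes. It also shows a host roaming between two edges: the re-registration simply replaces the stored location. Node names such as edge1 and border-ext and all addresses are constructed placeholders.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Matches an IEEE MAC written as six colon-separated hex octets (never a valid IPv6 literal).
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


@dataclass
class MapSystem:
    """Toy Control-Plane map system: Endpoint ID (EID) -> location (RLOC).

    Added example for this page; it is not Cisco's implementation.
    """
    external_border: str                           # RLOC of the External (default) Border
    prefixes: dict = field(default_factory=dict)   # ip_network -> RLOC (edge or internal border)
    macs: dict = field(default_factory=dict)       # MAC string -> RLOC

    def register_endpoint(self, eid, rloc):
        """An Edge registers a specific host EID (/32 or /128) with its current location.
        Registering the same EID again from another Edge (a host move) replaces the entry."""
        net = ipaddress.ip_network(eid, strict=False)
        if net.prefixlen != net.max_prefixlen:
            raise ValueError("edge nodes register host routes only, got %s" % net)
        self.prefixes[net] = rloc

    def register_known_prefix(self, prefix, rloc):
        """An Internal Border imports a 'known' outside subnet (e.g. a DC range)."""
        self.prefixes[ipaddress.ip_network(prefix)] = rloc

    def register_mac(self, mac, rloc):
        """L2 EID registration, keyed by MAC address."""
        self.macs[mac.lower()] = rloc

    def resolve(self, eid):
        """Answer a lookup from an Edge or Border.

        Returns (rloc, matched): matched is the winning prefix, "mac", or "default"
        when nothing is registered and the External Border acts as gateway of last resort.
        """
        if MAC_RE.match(eid):
            rloc = self.macs.get(eid.lower())
            return (rloc, "mac") if rloc else (None, "unknown-mac")
        addr = ipaddress.ip_address(eid)
        best = None
        for net, rloc in self.prefixes.items():
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, rloc)
        if best is None:
            # No entry in the Control-Plane: the External Border is the default exit.
            return (self.external_border, "default")
        return (best[1], str(best[0]))


def demo():
    """Build a small fabric with constructed names and exercise the lookups."""
    cp = MapSystem(external_border="border-ext")
    cp.register_endpoint("10.1.1.20", "edge1")               # wired host on edge1
    cp.register_endpoint("2001:db8:1::20", "edge1")          # its IPv6 address
    cp.register_mac("00:11:22:33:44:55", "edge3")
    cp.register_known_prefix("10.50.0.0/16", "border-int")   # DC subnet via Internal Border
    results = {
        "host": cp.resolve("10.1.1.20"),
        "host6": cp.resolve("2001:db8:1::20"),
        "dc": cp.resolve("10.50.7.9"),
        "internet": cp.resolve("203.0.113.7"),               # nothing registered: default exit
        "mac": cp.resolve("00:11:22:33:44:55"),
    }
    cp.register_endpoint("10.1.1.20", "edge2")               # host roams to edge2
    results["after_move"] = cp.resolve("10.1.1.20")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The lookup deliberately prefers the /32 host entry over the /16 the internal border registered, so a host inside a subnet that is also reachable outside still resolves to its edge; the only way to land on the external border is to match nothing at all.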

Page 25

SD-Access – Border Deployment: External Border – Connecting to Unknown Networks

Diagram: SD-Access Fabric with a Control-Plane (C) node and two Border (B) nodes connecting to Unknown Networks (Internet, Public Cloud).

Page 26

SD-Access @ DNA Center: Border Nodes

Page 27

SD-Access Support: Fabric ready platforms for your digital ready network

Switching: Catalyst 9500 (NEW), Catalyst 9400, Catalyst 9300, Catalyst 3650 and 3850, Catalyst 4500E, Catalyst 6800, Nexus 7700

Routing: ASR-1000-X, ASR-1000-HX, ISR 4430, ISR 4450, ISRv/CSRv

Wireless: AIR-CT5520, AIR-CT8540, AIR-CT3504, Wave 2 APs (1800, 2800, 3800), Wave 1 APs* (1700, 2700, 3700)

Extended: Cisco Digital Building, Catalyst 3560-CX, IE Series (4K/5K)

* with Caveats

Several other entries on the slide also carry a NEW badge.

Page 28

SD-Access Platforms: Fabric Wireless

Wave 2 APs
• 1800/2800/3800
• 11ac Wave2 APs
• 1G/mGIG RJ45
• AireOS 8.5.1+

Wave 1 APs*
• 1700/2700/3700
• 11ac Wave1 APs
• 1G RJ45
• AireOS 8.5.1+

5500 WLC
• AIR-CT5520
• 1500 APs
• 1G/10G SFP+
• AireOS 8.5.1+

8500 WLC
• AIR-CT8540
• 5000 APs
• 1G/10G SFP+
• AireOS 8.5.1+

3504 WLC
• AIR-CT3504
• 150 APs
• 1G/mGig RJ45
• AireOS 8.5.1+

* Some caveats with Wave1 APs.

Two entries on the slide carry a NEW badge.

Page 29

SD-Access Wireless Architecture: Simplifying the Control Plane

Diagram: ISE / AD, WLC and DNAC around the SD-Access Fabric (Border and Control-Plane nodes); CAPWAP control plane between the APs and the WLC, LISP control plane between the WLC and the Fabric Control-Plane.

Policy Abstraction and Configuration Automation: DNAC simplifies the Fabric deployment, including the wireless integration component

Fabric enabled WLC: WLC is part of LISP control plane

Centralized Wireless Control Plane: WLC still provides client session management, AP Mgmt, Mobility, RRM, etc. Same operational advantages of CUWN

LISP control plane Management: WLC integrates with LISP control plane; WLC updates the CP for wireless clients; Mobility is integrated in Fabric thanks to LISP CP

Source: BRKEWN-2020

Page 30

Centralized Unified Wireless Network Strengths

Diagram: ISE / AD and WLC, with CAPWAP (Control) and CAPWAP (Data) tunnels.

Network Overlay? CAPWAP
Simplified IP addressing? WLC as mobility Anchor
L3 roaming across Campus? WLC as Mobility Anchor
Guest traffic segmentation? Foreign-Anchor
Simplified operations? Yes with WLC

Source: BRKEWN-2020

Page 31

SD-Access Fabric: Fabric Enabled Wireless – A Closer Look

Fabric Enabled WLC is integrated into Fabric for SDA Wireless clients

• Connects to Fabric via Border (Underlay)
• Fabric Enabled APs connect to the WLC (CAPWAP) using a dedicated Host Pool (Overlay)
• Fabric Enabled APs connect to the Edge via VXLAN
• Wireless Clients (SSIDs) use regular Host Pools for data traffic and policy (same as Wired)
• Fabric Enabled WLC registers Clients with the Control-Plane (as located on local Edge + AP)

Data: VXLAN; Ctrl: CAPWAP

Page 32

SD-Access Fabric: Scalable Groups – A Closer Look

Scalable Group is a logical policy object to “group” Users and/or Devices

• Nodes use “Scalable Groups” to ID and assign a unique Scalable Group Tag (SGT) to Endpoints
• Nodes add a SGT to the Fabric encapsulation
• SGTs are used to manage address-independent “Group-Based Policies”
• Edge or Border Nodes use SGT to enforce local Scalable Group ACLs (SGACLs)

Diagram: endpoints in the fabric tagged with example SGT values (3, 4, 8, 11, 12, 17, 19, 23, 25).
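To make the address-independence of group-based policy concrete, the Python below is an added example written for this page (it is not Cisco's TrustSec or SGACL implementation and not a DNA Center or ISE API): an ingress edge classifies an authenticated endpoint into a Scalable Group, carries the SGT in a simulated fabric header, and the egress node enforces a small SGACL matrix keyed by (source SGT, destination SGT) rather than by IP address. Group names, tag values, addresses, and the deny-by-default choice for unconfigured matrix cells are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed Scalable Groups (name -> SGT value); the numbers are examples, not a Cisco default.
SGT = {"Employees": 4, "Contractors": 5, "Printers": 8, "PCI-Servers": 17, "IoT-Cameras": 19}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


class Sgacl:
    """SGACL matrix: (src_sgt, dst_sgt) -> list of (action, proto, port) entries.

    proto "any" matches every protocol and port None matches every port.
    Cells with no entry fall back to default_action (deny here, a choice made for this example).
    """

    def __init__(self, default_action="deny"):
        self.cells = {}
        self.default_action = default_action

    def add(self, src_sgt, dst_sgt, action, proto="any", port=None):
        self.cells.setdefault((src_sgt, dst_sgt), []).append((action, proto, port))

    def decide(self, src_sgt, dst_sgt, proto, port):
        for action, p, prt in self.cells.get((src_sgt, dst_sgt), []):
            if p in ("any", proto) and prt in (None, port):
                return action
        return self.default_action


class FabricNode:
    """Simplified Edge: classifies endpoints into groups at ingress, enforces the SGACL at egress."""

    def __init__(self, sgacl):
        self.sgacl = sgacl
        self.bindings = {}   # IP -> SGT, filled in when the endpoint is authorized

    def authorize(self, ip, group):
        """Authorization result: the endpoint's identity maps to a group, not to an address."""
        self.bindings[ip] = SGT[group]

    def encapsulate(self, pkt):
        """Ingress: look up the source SGT and carry it in the fabric header (a dict here)."""
        return {"sgt": self.bindings[pkt.src_ip], "inner": pkt}

    def egress(self, frame):
        """Egress: destination SGT from the local binding, source SGT from the header."""
        pkt = frame["inner"]
        dst_sgt = self.bindings[pkt.dst_ip]
        return self.sgacl.decide(frame["sgt"], dst_sgt, pkt.proto, pkt.dst_port)


def build_policy():
    policy = Sgacl(default_action="deny")
    policy.add(SGT["Employees"], SGT["PCI-Servers"], "permit", "tcp", 443)
    policy.add(SGT["Employees"], SGT["Printers"], "permit", "tcp", 9100)
    policy.add(SGT["Contractors"], SGT["Printers"], "permit", "tcp", 9100)
    # No entries for IoT-Cameras or for Contractors -> PCI-Servers, so those cells deny.
    return policy


def demo():
    node = FabricNode(build_policy())
    node.authorize("10.1.1.20", "Employees")
    node.authorize("10.1.2.31", "Contractors")
    node.authorize("10.9.9.9", "IoT-Cameras")
    node.authorize("10.50.7.9", "PCI-Servers")
    node.authorize("10.1.3.40", "Printers")

    def fwd(src, dst, proto, port):
        return node.egress(node.encapsulate(Packet(src, dst, proto, port)))

    results = {
        "emp_to_pci_https": fwd("10.1.1.20", "10.50.7.9", "tcp", 443),
        "emp_to_pci_ssh": fwd("10.1.1.20", "10.50.7.9", "tcp", 22),
        "contractor_to_pci": fwd("10.1.2.31", "10.50.7.9", "tcp", 443),
        "camera_to_pci": fwd("10.9.9.9", "10.50.7.9", "tcp", 443),
        "contractor_print": fwd("10.1.2.31", "10.1.3.40", "tcp", 9100),
    }
    # The same employee shows up on a new address: policy follows the group, not the IP.
    node.authorize("10.7.7.77", "Employees")
    results["emp_moved_to_pci_https"] = fwd("10.7.7.77", "10.50.7.9", "tcp", 443)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Nothing in the matrix mentions an IP address, which is the property the slide calls address-independent: renumbering a subnet or moving a user to another edge changes no policy line.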

Page 33

DNA Center Assurance: Transforming network operation through actionable insights and simplicity

AJ Shah, Aug 2018

Page 34

Cisco DNA Center – Easy to Start with Assurance

Intent-Based Networking: Cisco DNA Center (Cisco DNA Center Assurance, Cisco DNA Center Security, Cisco SD Access)

Telemetry protocols: NetFlow, SNMP, Syslog, streaming; CLI, SNMP, PnP, NETCONF

Cisco DNA-Ready Networks: Catalyst® 3850, Catalyst 9000, IE Catalyst, WLC, ISR4K, NFV-IS, Wireless AP .11ac Wave 2

Traditional Cisco and 3rd Party Networks: Catalyst® 2000/3000, Catalyst 4000/6000, Cisco Nexus® 7000, WLC, ISR/ASR, Wireless AP

Page 35

Unprecedented Demands on the Network

Digital Disruption – Lack of Business and IT Insights: 63 million new devices online every second by 2020 [1]

Complexity – Slow and Error Prone Operations: 3X spend on network operations vs network [2]

Security – Unconstrained Attack Surface: 6 months to detect breach [3]

1. Gartner Report - Gartner’s 2017 Strategic Roadmap for Networking
2. McKinsey Study of Network Operations for Cisco – 2016
3. Ponemon Research Institute Study on Malware Detection, Mar 2016

Page 36

What is Assurance?

The guarantee that the infrastructure is doing what you intended it to do.

Continuous verification: Configs, Changes, Routing, Security, Services, VMs, Compliance, Audits

Insights & visibility: Visibility, Context, Historical Insights, Prediction

Corrective actions: Guided Remediation, Automated Updates, System optimization

Successful IT Rollouts; Minimize Downtime; User Productivity; IT Productivity

Page 37

Network Assurance Vision

Learn – Surface Undetected Client, Network & Application Issues: Automate tools to discover outliers (Infrastructure Data, Sensor Data)

Fix – Fix Real-Time Issues and Gain Insights into Historic Events: Root cause issues in a few Clicks (Machine Learning, Crowd Sourcing)

Predict – Predict Issues before they Occur: Build Resilient and Reliable Networks (Insights, Analytics)

Page 38

Overall Network Health

• Overall health summary of network and clients
• Where in the world and on which site most serious issues are happening
• Quick drill down to a site or Toggle between Geo, List or Topology View
• Top 10 Global Insights

Page 39

End-to-end visibility

• Client Health Summary
• Onboarding, RF and Client Profile info
• Network Health Summary
• Control, Data, Policy Plane and Health info

Page 40

360° Visibility

• Single location for all user information and every user device
• History of performance for each user device
• Proactive identification of any issues affecting user’s experience
• Single location for all user device related user information
• Connectivity graph with health score of all devices on the path
• Application performance
• Device KPIs

Page 41: image-only slide, no text.

Page 42

Enterprise Switching and Wireless

Roles & Terminology / Fabric Constructs

Page 43

Encrypted Traffic Analytics TDM Presentation (Enhanced Network as a Sensor) – Technical decision maker presentation

Page 44

Rapid Problem Resolution

Page 45

Predicting the Future: Increasing 802.1X authentication time

Page 46

Looking Back in Time

Page 47

C97-739122-01 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Network threats are getting smarter

60 days: Industry average time to contain a breach
$3.8M: Average cost of a data breach
200 days: Industry average detection time for a breach

Motivated and targeted adversaries
• State sponsored
• Financial/espionage motives
• $1T cybercrime market

Increased attack surface
• BYOD blurring perimeter
• Public cloud services
• Enterprise IOT

Increased attack sophistication
• Advanced persistent threats
• Encrypted malware
• Zero-day exploits

Scale: too many alerts. Complexity: securing everything. Sophistication: keeping up against attackers.

Page 48

Detecting encrypted threats with network telemetry

Page 49

Enhanced network as a sensor: Secure and manage your digital network in real time, all the time, everywhere

Industry’s first network with the ability to find threats in encrypted traffic without decryption. Avoid, stop, or mitigate threats faster than ever before | Real-time flow analysis for better visibility

Encrypted traffic / Non-Encrypted traffic

Page 50

ETA data features (Cisco research)

Feature | Malware traffic | Benign traffic
TCP/IP | Watchlist address | Prevalent address
DNS | c15c0.com, afb32d75.com | cisco.com
TLS | Unusual fingerprint, Unusual cert | Typical fingerprint, Typical cert
SPLT | Self-Signed Certificate, Data Exfiltration, C2 Message | Google search

Malware example shown: Bestafera

Page 51

How can we inspect encrypted traffic?

Initial data packet: Make the most of the unencrypted fields

Sequence of packet lengths and times: Identify the content type through the size and timing of packets (Self-Signed certificate, Data exfiltration, C2 message)

Threat intelligence map: Who’s who of the Internet’s dark side; Broad behavioral information about the servers on the Internet.

Page 52

Malware detection using Cognitive Analytics

Initial data packet, Sequence of packet lengths and times, and Threat Intelligence Map feed Cloud-based machine learning. All three elements reinforce each other inside the analytics engine using them.
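The three inputs named on pages 50 to 52 can be combined in a small rule-based scorer. The Python below is an added example written for this page, not Cisco's ETA, Stealthwatch or Cognitive Analytics code, and the flow records, watchlist, weights and thresholds are all constructed. Each record carries the certificate fields a collector can read from the unencrypted TLS handshake (the "initial data packet"), a sequence of packet lengths and times (SPLT; a positive length is client to server, a negative one server to client, the second value is the gap in milliseconds since the previous packet) and the server name. The scorer derives an upload ratio and a timing-regularity measure from the SPLT, checks the certificate for issuer equal to subject, and consults the watchlist; a flow only becomes suspicious when more than one signal agrees, which is the reinforcement the slide describes. c15c0.com is deliberately left off the watchlist so that the third record is caught by behaviour alone.

```python
from statistics import mean, pstdev

# Constructed watchlist standing in for the "threat intelligence map" input.
WATCHLIST = {"afb32d75.com"}

# Constructed flow records. splt = [(signed_len, gap_ms), ...]; positive len = client -> server.
SAMPLE_FLOWS = [
    {   # ordinary browsing: CA-issued cert, download-heavy, irregular timing
        "server": "cisco.com", "cert_subject": "CN=cisco.com",
        "cert_issuer": "CN=Example Public CA",
        "splt": [(517, 0), (-1460, 40), (-1460, 2), (-800, 1), (126, 30), (-3000, 45)],
    },
    {   # bulk upload to a watchlisted host presenting a self-signed cert (exfiltration-like)
        "server": "afb32d75.com", "cert_subject": "CN=afb32d75.com",
        "cert_issuer": "CN=afb32d75.com",
        "splt": [(517, 0), (-1200, 35), (1400, 5), (1400, 1), (1400, 1),
                 (1400, 1), (1400, 1), (1400, 1)],
    },
    {   # small identical exchanges every 60 s to an unlisted host with a self-signed cert
        "server": "c15c0.com", "cert_subject": "CN=c15c0.com",
        "cert_issuer": "CN=c15c0.com",
        "splt": [(120, 0), (-90, 60000), (120, 60000), (-90, 60000), (120, 60000), (-90, 60000)],
    },
]


def is_self_signed(flow):
    """Initial-data-packet feature: the server certificate's issuer equals its subject."""
    return flow["cert_issuer"] == flow["cert_subject"]


def splt_features(splt):
    """Direction/volume and timing regularity from the packet length and time sequence."""
    out_bytes = sum(n for n, _ in splt if n > 0)
    in_bytes = sum(-n for n, _ in splt if n < 0)
    gaps = [g for _, g in splt[1:]]
    mean_gap = mean(gaps) if gaps else 0.0
    # Coefficient of variation of the gaps: close to 0 means clockwork-regular timing.
    jitter = pstdev(gaps) / mean_gap if gaps and mean_gap else 1.0
    total = out_bytes + in_bytes
    return {
        "out_bytes": out_bytes,
        "upload_ratio": out_bytes / total if total else 0.0,
        "mean_gap_ms": mean_gap,
        "jitter": jitter,
    }


def analyze(flow, watchlist=WATCHLIST):
    """Score one flow; weights and thresholds are constructed for this example."""
    reasons = []
    score = 0
    if is_self_signed(flow):
        score += 2
        reasons.append("self-signed certificate")
    if flow["server"] in watchlist:
        score += 3
        reasons.append("server on watchlist")
    f = splt_features(flow["splt"])
    if f["upload_ratio"] > 0.8 and f["out_bytes"] > 4096:
        score += 2
        reasons.append("upload-heavy transfer")
    if len(flow["splt"]) >= 4 and f["mean_gap_ms"] >= 1000 and f["jitter"] < 0.1:
        score += 2
        reasons.append("periodic small exchanges (beacon-like)")
    return {"server": flow["server"], "score": score,
            "verdict": "suspicious" if score >= 4 else "benign", "reasons": reasons}


def analyze_all(flows=SAMPLE_FLOWS):
    """Score every record and index the results by server name."""
    return {r["server"]: r for r in (analyze(fl) for fl in flows)}


if __name__ == "__main__":
    for server, result in analyze_all().items():
        print(server, result["verdict"], result["score"], result["reasons"])
```

A self-signed certificate on its own scores below the threshold, as does a regular timing pattern on its own (plenty of legitimate software polls on a schedule); it is the combination of handshake metadata, SPLT shape and reputation that pushes a flow over the line, which is the point of feeding all three into one engine.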

Page 53

Finding malicious activity in encrypted traffic

Components: New Catalyst 9K* (NetFlow, Enhanced NetFlow); Cisco Stealthwatch; Cognitive Analytics (Malware detection and cryptographic compliance)

Metadata: Telemetry for encrypted malware detection and cryptographic compliance; Enhanced NetFlow from Cisco’s newest switches and routers

Enhanced analytics and machine learning; Global-to-local knowledge correlation; Continuous Enterprise-wide compliance

Leveraged network | Faster investigation | Higher precision | Stronger protection

* Other devices will be supported soon

Page 54: image-only slide, no text.
Page 55

SD-Access Fabric: Anycast Gateway – A Closer Look

Anycast GW provides a single L3 Default Gateway for IP capable endpoints

• Similar principle and behavior as HSRP / VRRP with a shared “Virtual” IP and MAC address
• The same Switch Virtual Interface (SVI) is present on EVERY Edge, with the same Virtual IP and MAC
• Control-Plane with Fabric Dynamic EID mapping maintains the Host to Edge relationship
• When a Host moves from Edge 1 to Edge 2, it does not need to change its Default Gateway

Diagram: the same GW address on every Edge, with Border (B) and Control-Plane (C) nodes.