Software Defined Access - sccug.net

1 AJ ShahSE2018 Software Defined Access 2017 Cisco and/or its affiliates. All rights reserved. Cisco Partner ConfidentialBuilt-In SecurityAutomatedSoftware DrivenHardware CentricManualFragmented SecurityNetwork DataBusiness InsightsTraditional NetworkThe New NetworkPowered by Cisco DNA Cisco Is Rewriting the Network Playbook 2017 Cisco and/or its affiliates. All rights reserved. Cisco ConfidentialCisco Catalyst 9000 Built for SD-AccessFirst in enterprise x86 CPU with app hosting Programmable ASIC Software patchingFuture-Proofed IEEE ready 100W PoE (IEEE ) ready 25G Ethernet ready Industry s unmatched High Availability MultiGigabitdensity UPOE scaleSD-AccessintegratedConvergedASIC Single ImageCommonLicensingUADP XE SoftwareCatalyst 9000 Series 9300 Fixed Access , 9400 Modular Access , 9500 Fixed CoreSecurityIoTconvergenceCloudMobility 2017 Cisco and/or its affiliates.

2 All rights reserved. Cisco ConfidentialCatalyst 9K Platform TransitionsCatalyst 3850 Fiber 48 portCatalyst 4500 XBackbone Switching Access Switching 9000 SeriesCatalyst 9400 Catalyst 9500 Catalyst 9300 Catalyst 3850 CopperCatalyst 4500-E 2018 Cisco and/or its affiliates. All rights reserved. 5 2017 Cisco and/or its affiliates. All rights reserved. Cisco PublicNetwork Provisioning Time Savings67%Improve Issue Resolution80%Reduced Security Breach Impact48%Reduced Operating Expense61%Shift IT Time to Business FocusController-based ManagementFabric Orchestration and VisibilitySingle User Interface for Fabric ManagementSoftware Defined AccessUnderlay, Overlay, and ControllerDNA-CProgrammable OverlayConnects Users and Devices to each other, w/ policy controlStandards-based control plane (LISP)Standards-based data plane (VXLAN)

3 Prescriptive UnderlayConnects the network elements to each otherAutomated, standardized deployment and operationLeverages existing network topologies(not restricted to spine/leaf)Cisco Internal Use Only Do Not Distribute Externally without NDATODAYCLIs and scriptsManual configurationsScript maintenanceWired Access onlyStatic network environmentsSlow and unpredictable workload changeHardware-centricFUTURES impleuser interfaceAutonomicwith control and visibilityOrchestrationwith data modelsExtensibilitywith native 3rd party app hostingOpen sourced programmable interfacesSeamlesswired and wireless accessProgrammable using softwareStandards Based Object Model APIsTCO SavingsEnterprise Automation Key

4 BenefitsTCO SavingsTraditional network management cannot provide sufficient dynamic management Focus has been on Day0/1 automation CLI not built for volumes of changes in machine real timeController based networking supports dynamic policy change controller allows network to be managed as a system Policy management is automated and abstractedDigital Business DriversRequirement for Dynamic Policy ChangesAn Overlay is a logical topologyused to virtually connect devices, built on top of an arbitrary physical Underlay topology.

5 An Overlay network often uses alternate forwarding attributes to provide additional services, not provided by the Underlay . GRE or mGRE L2 TPv2 or L2 TPv3 MPLS or VPLS IPSec or DMVPN CAPWAP LISP OTV DFA ACIWe Live in a World of L2/L3 OverlaysHow is Fabric Different from an Overlay?Fabric is an Overlay 2018 Cisco and/or its affiliates. All rights reserved. You can reuse your existing IP network as the Fabric Underlay! Key Requirements IP reach from Edge to Edge/Border/CP Can be L2 or L3 We recommend L3 Can be any IGP We recommend ISIS Key Considerations MTU (Fabric Header adds 50B) Latency (max RTT =/< 100ms)Manual UnderlayPrescriptive fully automated Global and IP Underlay Provisioning!

6 Key Requirements Leverages standard PNP for Bootstrap Assumes New / Erased Configuration Uses a Global Underlay Address Pool Key Considerations PNP pre-setup is required 100% Prescriptive (No Custom)Automated UnderlayUnderlay NetworkSD-AccessManual vs. Automated Underlay12 2017 Cisco and/or its affiliates. All rights Switching and WirelessAPIsAPIsWAN VNFsCampus VNFsDC VNFsCloud VNFsUNIUNII ntentTelemetryService Definition & OrchestrationEnterprise controller (Policy Determination)CloudData CenterInternetPEPC ampusInt.

7 AccPEPPEPPEPPEPPEPPEPPEPWAN / BranchPEPPEPAppsAppsAppsSPWAN AggBranchBranchNetwork Interface (UNI)PEP: Policy Enforcement PointNetwork Enabled ApplicationsNetwork Function VirtualizationGUIP rescriptiveCustomizedModel-basedTopology Easy QoSPlug & PlayPath OptimizationService InstantiationAnalyticsSegmentation 1 Segmentation 2 Segmentation 3 Localized or network-wide Service ChainingCisco Digital Network Architecture13SD-WANWAN FabricACIDC FabricDNA CenterAPIC-EM, ISE, NDPSDAC ampus Fabric 2017 Cisco and/or its affiliates.

8 All rights reserved. Cisco ConfidentialISE in EnterpriseMOBILITYTRUSTSEC ANALYTICSDEVICE ADMIN (TACACS+)SD-ACCESSC isco ISE is critical for several enterprise networking solutions 2018 Cisco and/or its affiliates. All rights reserved. Key ConceptsWhat is SD- Access ? & Constructs 2018 Cisco and/or its affiliates. All rights reserved. SD-AccessFabric Roles & Terminology16 NCPISENDP Control-Plane Nodes Map System that manages Endpoint to Device relationships Fabric Edge Nodes A Fabric device ( Access or Distribution) that connects Wired Endpoints to the SDA Fabric Identity Services NAC & ID Systems ( ISE) for dynamic Endpoint to Group mapping and Policy definition Fabric Border Nodes A Fabric device ( Core) that connects External L3 network(s) to the SDA FabricIdentity ServicesIntermediate Nodes (Underlay)

9 Fabric Border NodesFabric Edge Nodes DNA Center provides simple GUI management and intent based automation ( NCP) and context sharingDNA Center Analytics Engine Data Collectors ( NDP) analyze Endpoint to App flows and monitor fabric status Analytics EngineControl-PlaneNodes Fabric Wireless controller A Fabric device (WLC) that connects APs and Wireless Endpoints to the SDA FabricFabric WirelessControllerCampusFabricBCB 2018 Cisco and/or its affiliates. All rights reserved. Control-Plane Node runs a Host Tracking Database to map location informationSD- Access FabricControl-Plane Nodes A Closer LookUnknownNetworksKnownNetworks A simple Host Database that maps Endpoint IDs to a current Location, along with other attributes Host Database supports multiple types of Endpoint ID lookup types (IPv4, IPv6 or MAC)

10 Receives Endpoint ID map registrations from Edge and/or Border Nodes for known IP prefixes Resolves lookup requests from Edge and/or Border Nodes, to locate destination Endpoint IDs 17 BCB 2018 Cisco and/or its affiliates. All rights reserved. SD- Access PlatformsControl-Plane NodesCatalyst 9500 Catalyst 9500 10/40G SFP/QSFP 10/40G NM Cards IOS-XE +Catalyst 3K Catalyst 3850 1/10G SFP 10/40G NM Cards IOS-XE +Catalyst 6K* Catalyst 6800 Sup2T/6T 6840/6880-X IOS +NEW* Wired Only18 ASR1K, ISR4K & CSRv CSRv ASR 1000-X/HX ISR 4300/4400 IOS-XE + 2018 Cisco and/or its affiliates.