New Cisco SDA design features · Cisco® ISE: discover and classify assets, active monitoring, understand behavior and identify threats, enforce policy, secure hardware and SW

Andrey Ovrashko, Systems Engineer, 15 June 2020: New Cisco SDA design features (Online) ... and more

Posted on 08-Aug-2020

TRANSCRIPT

Page 1: New Cisco SDA design features (Online) ... and more

Andrey Ovrashko, Systems Engineer

15 June 2020

Page 2: Agenda

© 2019 Cisco and/or its affiliates. All rights reserved.

• Trends
• Zero Trust
• Segmentation
• SDA
• ISE
• Fusion Firewall
• Multi-site Border
• FlexConnect
• Brownfield
• L2
• UDN
• SDA-2-SDWAN
• SDA-2-ACI
• X-Domain

Page 3: Trends

Page 4: Trends: AI/ML/DL, Assurance, Security, Zero Trust, Big Data, X-Domain, SDN, IoT, Extended Enterprise, Automation, Digitization

Page 5: Cisco DNA – Digital Network Architecture: the network as a platform for running a digital business (released April 2017)

Page 6: Big Story / Innovations: DNA-C, Cisco ACIS, c9200L vs c2960X, NetFlow, StealthWatch, DNA Assurance, AVC, DevNet.cisco.com, Programmability, ISE, ETA, TrustSec, X-Domain, SD-WAN, SDA


Page 8: Cisco Intent-Based / Software-Defined Networking: the network made simple

• Software-Defined Campus Access (SDA): Catalyst 9000
• Software-Defined WAN (SD-WAN)
• Software-Defined Data Center Networking (SDN): Nexus 9000, ACI
• ACI Anywhere


Page 10: Zero Trust

Page 11: Basic Tenet of Zero Trust

The effect of Zero Trust is ubiquitous least-privilege access (i.e. grant access, but make it specific!)

Page 12: Market Response to Workplace Zero Trust

• Cisco is #1 in the Forrester Wave ranking for Zero Trust
• ISE’s repeat recognition for NAC leadership
• SD-Access adoption is accelerating: 950+ deployments (Network Services)

Page 13: How does Cisco Zero Trust work? A 3-step cyclical process: Establish Trust; Enforce Trust-Based Access; Continuous Trust Verification

We establish trust by verifying:
• Multiple factors of user identity
• Device context and identity
• Device posture & health
• Location
• Relevant attributes and context

We continuously verify:
• Original tenets used to establish trust are still true
• Traffic is not threat traffic
• Behavior for any risky, anomalous or malicious actions
• If compromised, then the trust is broken

We enforce least privilege access to:
• Networks
• Applications
• Resources
• Users & Things

Page 14: The five pillars of Workplace Zero Trust Security: Endpoint Visibility, Secure Access, Network Segmentation, Endpoint Compliance, Rapid Threat Containment

Page 15: Moving from excessive trust to “Zero Trust”: a comprehensive approach to securing all access across your networks, applications, and environment.

• Workforce: ensure only the right users and secure devices can access applications.
• Workloads: secure all connections within your apps, across multi-cloud.
• Workplace: secure all user and device connections across your network, including IoT.


Page 17: Segmentation

Page 18: Integrating Security into the Network: stop threats and protect operations

• Network segmentation: VLANs, Secure Groups, Access Control
• Discover and classify assets: Cisco® ISE
• Active monitoring, understand behavior and identify threats: Cisco Stealthwatch®, ETA, streaming telemetry, AVC
• Enforce policy: Cisco TrustSec, Cisco Software-Defined Access
• Secure hardware and SW: runtime defense, Trusted Anchor

Page 19: Shift in IT Landscape: users, devices, and apps are everywhere

• Remote users, contractors & third parties
• Personal & mobile devices
• IoT devices
• Cloud SaaS
• Hybrid cloud infrastructure
• Cloud IaaS
• Disappearing perimeter

Page 20: Workforce ... meets Workplace

Duo delivers secure access from any user, any device, to any app: connecting trusted users and devices to trusted services.

Page 21: ISE and Duo Integration for Multi-Factor Auth (MFA)

Users John, Bob and Alice, in the groups Employees, Contractors and Guests. ISE session database: John connected via Switch-SJC01; Bob connected via AP-SJC03; Alice connected via SSID “CORP”. Components: Cisco ISE, Duo Auth Proxy, on-premise Microsoft Active Directory.

Reference: Network Access and Segmentation with DUO MFA and ISE Configuration Guide

Page 22: Solving the access problem with Duo and ISE

Table columns: Access problem; Cisco ISE; Cisco Duo; Cisco ISE + Duo. Rows (source → target, with the gaps noted on the slide):
• User + device (on-premise) → on-premise applications: no MFA / web only
• IoT device (on-premise) → on-premise applications
• User + device (off-premise) → on-premise applications: VPN based / web only
• User + device (on-premise) → cloud applications: no MFA / no network security
• User + device (off-premise) → cloud applications

Page 23: Local network. Question: segmentation and network access control: TrustSec, 802.1X, SDA, DefCon, RTC

Page 24: Identity with ISE secures the Enterprise

• Endpoints: users, devices, things
• Network devices: switches, WLCs / APs, VPN gateways
• Cisco ISE: standalone ISE, multi-node ISE, VM/appliance
• Identity services: AD/LDAP, MDM, SAML/MFA
• Security services: Stealthwatch, Firepower, partners

Enterprise Security

Page 25: ISE Authentication Capabilities

Columns: Machine, User, Strength, Experience, Method

✅ ✅ ★★★★ 🙂 802.1X User + Machine (EAP-FAST / TEAP)
✅ ✅ ★★★★ 😕 802.1X Machine + 802.1X User
✅ ✅ ★★★ 😕 802.1X Machine + Easy Connect
✅ ✅ ★★★ ☹️ 802.1X Machine + WebAuth
✅ ✅ ★★★ 😕/☹️ 802.1X User + MAC Binding
✅ ✅ ★★ 😕 MAB + Easy Connect (Passive Identity)
✅ ✅ ★★ ☹️ MAB + WebAuth
❌ ✅ ★★ 🙂 802.1X User Authentication
✅ ❌ ★★ 😁 802.1X Machine Authentication
✅ ❌ ★ 🙂 MAC Authentication Bypass (MAB)
❌ ✅ ★ ☹️ Web Authentication
❌ ✅ ★ 😕 Authentication VLAN
❌ ❌ - 😁 Open Access

Page 26: Segmentation: the traditional approach (VLAN, SSID, ACL)

access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165
access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428
access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511
access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945
access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116
access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959
access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993
access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384

Network policy: IP ADDRESSES
▪ Locate you
▪ Define you
▪ Restrict you

The IP address “means” OVERLOAD. User/device information: VLAN 10, VLAN 20, VLAN 30, VLAN 40; SSID A, SSID B, SSID C, SSID D.


Page 28: Cisco SDA

Page 29: Zero Trust: SDA: Group-Based Access/Policy

Endpoint Visibility, Secure Access, Segmentation, Group-based Policy

Page 30: Cisco SD-Access: Why Fabric?

Network considerations:
• Simplified deployment and automation
• Consistent policy for wired/wireless networks
• End-to-end segmentation / optimized user experience
• Scaling flexibility for endpoints, network devices, policy
• Topology-independent Layer 2 / Layer 3 connectivity
• Flood domain restricted to the local switch
• Layer 2 mobility/roaming, no STP
• Traffic steering for Guest or Internet
• Able to achieve end-to-end segmentation across SD-WAN/ACI domains

Security considerations:
• Faster Infosec compliance for E-W isolation, traffic steering to DMZ
• Scaled policy deployments with Macro (VN) and Micro (SGT) segmentation & automated inline SGT propagation


Page 32: Cisco SDA segmentation

Page 33: Why: Simplifying Security Policy

(The slide shows a wall of repeated “ip access-list” entries.)

Page 34: Segmentation: Expectation vs Reality

Expectation: a clean group matrix over Employees, Common_Services, Building Management, Contractors, Printers.

Reality: Common_Services and Employees, surrounded by unknown groups (?).

Page 35: Why: Simplifying Security Policy

Groups: Employees, Guests, IoT Servers, IoT Devices, Internal Services

Page 36: Can You See the Business Intent Here:

Page 37: Can You See the Business Intent Here:

DMZ-Pod1#show cts role-based permissions
IPv4 Role-based permissions default:
        Permit IP-00
IPv4 Role-based permissions from group 4:Employees to group 12:Development_Servers:
        Deny IP-00
IPv4 Role-based permissions from group 8:Developers to group 12:Development_Servers:
        Permit IP-00

Page 38: SD-Access Virtual Network (=VRF)

A Virtual Network maintains a separate routing & switching instance for the devices within it.

• Control plane uses an Instance ID to maintain separate VRF topologies
• Nodes add the VNID to the fabric encapsulation
• Endpoint ID prefixes (host pools) are advertised within Virtual Networks
• Uses standard “vrf definition” configuration, along with RD & RT for remote advertisement (Border)
• Known as ‘Macro-Segmentation’

(Diagram: control plane node C and border nodes B connecting VN “A”, VN “B” and VN “C” to Known Networks and Unknown Networks.)

Page 39: SD-Access Scalable Group (=SGT)

A Scalable Group is a logical ID object to “group” users and/or devices.

• “Scalable Groups” are used to identify endpoints and assign them a unique Scalable Group Tag (SGT)
• Nodes add the SGT to the fabric encapsulation
• SGTs are used to manage address-independent “Group-Based Policies”
• Edge or Border nodes use the SGT to enforce local Scalable Group ACLs (SGACLs)
• Known as ‘Micro-Segmentation’

(Diagram: control plane node C and border nodes B; endpoints carrying SGT3, SGT4, SGT6, SGT7, SGT8, SGT11, SGT12, SGT19, SGT23, SGT25; Known Networks and Unknown Networks.)
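Slides 38 and 39 both say that fabric nodes add the VNID and the SGT to the fabric encapsulation. The Python below is an added example, not code from the presentation or from Cisco: it packs and parses a VXLAN header with the Group Policy Option (VXLAN-GPO) so that the two fields can be seen side by side. The flag layout is taken from the VXLAN-GPO draft (G flag 0x80 marks the Group Policy ID field as present, I flag 0x08 marks the VNI as valid, the 16-bit Group Policy ID carries the SGT); the VNID 4099 and the tag values are constructed for illustration.

```python
"""VXLAN-GPO header carrying the VNID and the SGT.

Added example, not from the presentation or from Cisco. Assumed layout
(VXLAN Group Policy Option draft): byte 0 flags with G=0x80 (Group Policy
ID present) and I=0x08 (VNI valid); byte 1 policy flags (left zero here);
bytes 2-3 Group Policy ID, which carries the SGT; bytes 4-6 the 24-bit VNI;
byte 7 reserved. All demo values are constructed.
"""
import struct

FLAG_G = 0x80  # Group Policy ID field is present
FLAG_I = 0x08  # VNI field is valid


def pack_vxlan_gpo(vnid: int, sgt: int) -> bytes:
    """Build the 8-byte header an edge node would prepend to a tagged frame."""
    if not 0 <= vnid < (1 << 24):
        raise ValueError("VNID must fit in 24 bits")
    if not 0 <= sgt < (1 << 16):
        raise ValueError("SGT must fit in 16 bits")
    head = struct.pack("!BBH", FLAG_G | FLAG_I, 0, sgt)
    return head + vnid.to_bytes(3, "big") + b"\x00"


def pack_vxlan_plain(vnid: int) -> bytes:
    """Plain VXLAN header (no G flag): what a device without inline tagging sends."""
    return struct.pack("!BBH", FLAG_I, 0, 0) + vnid.to_bytes(3, "big") + b"\x00"


def parse_vxlan(header: bytes) -> dict:
    """Return {'vnid': ..., 'sgt': ...}; sgt is None when no Group Policy ID is carried."""
    if len(header) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    flags, _policy, group_id = struct.unpack("!BBH", header[:4])
    if not flags & FLAG_I:
        raise ValueError("I flag not set: VNI is not valid")
    return {
        "vnid": int.from_bytes(header[4:7], "big"),
        "sgt": group_id if flags & FLAG_G else None,
    }


if __name__ == "__main__":
    # constructed: VNID 4099 for an Employees VN, SGT 4 (Employees, as on slide 45)
    tagged = pack_vxlan_gpo(4099, 4)
    print(tagged.hex(), parse_vxlan(tagged))
    untagged = pack_vxlan_plain(4099)
    print(untagged.hex(), parse_vxlan(untagged))
```

A header without the G flag parses to an SGT of None: that is what an egress node receives when an upstream device does not propagate tags inline, and the group policy then falls back to whatever the default entry or an IP-to-SGT lookup provides, so it is worth verifying inline tagging on every hop that carries fabric traffic.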

Page 40: Segmentation Operation in SD-Access Fabric

Employee SGT (5) at 10.1.100.1; Contractor SGT (10) at 10.2.200.6. Cisco ISE performs Authc/Authz; Cisco DNA Center pushes the policy (policy download) to the fabric edges. Egress policy matrix (Source × Destination over Contractor, Employee, PLC) with Permit All / Deny All cells.

• Classification: Dynamic / ISE
• Propagation: SGT in VXLAN
• Enforcement: Egress Fabric Edge
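Slide 37 shows the `show cts role-based permissions` output and slide 40 describes the cycle (classification by ISE, propagation as an SGT in VXLAN, enforcement at the egress fabric edge). The Python below is an added example, not the presentation's or Cisco's code: it parses output in that format into an SGACL matrix and applies it the way an egress node would, cell first and the default entry otherwise. The sample output, the group names and the tag numbers (5 Employee, 10 Contractor, 19 PLC) are constructed to mirror slides 40 and 45; only whole Permit IP / Deny IP cells are modelled, not per-port SGACL contents.

```python
"""Parse `show cts role-based permissions` output into an SGACL matrix and
apply it the way an egress fabric edge does.

Added example, not from the presentation or from Cisco. The sample output is
constructed in the format of slide 37; tags 5 (Employee), 10 (Contractor)
and 19 (PLC) follow slides 40 and 45.
"""
import re

# constructed output in the format of `show cts role-based permissions`
SAMPLE_OUTPUT = """\
IPv4 Role-based permissions default:
        Permit IP-00
IPv4 Role-based permissions from group 5:Employee to group 10:Contractor:
        Deny IP-00
IPv4 Role-based permissions from group 10:Contractor to group 5:Employee:
        Deny IP-00
IPv4 Role-based permissions from group 10:Contractor to group 19:PLC:
        Deny IP-00
RBACL Monitor All for Dynamic Policies : FALSE
"""

_DEFAULT = re.compile(r"^IPv4 Role-based permissions default:$")
_CELL = re.compile(r"^IPv4 Role-based permissions from group (\d+):\S+ to group (\d+):\S+:$")
_ACTION = re.compile(r"^\s*(Permit|Deny) IP-\d+$")


def parse_rbacl(output):
    """Return (default_action, cells); cells maps (src_sgt, dst_sgt) -> 'permit' | 'deny'."""
    default, cells, pending = None, {}, None
    for line in output.splitlines():
        if _DEFAULT.match(line):
            pending = "default"
        elif (m := _CELL.match(line)):
            pending = (int(m.group(1)), int(m.group(2)))
        elif (m := _ACTION.match(line)) and pending is not None:
            action = m.group(1).lower()
            if pending == "default":
                default = action
            else:
                cells[pending] = action
            pending = None
    if default is None:
        raise ValueError("output has no default permission entry")
    return default, cells


def egress_decision(default, cells, src_sgt, dst_sgt):
    """The cell for (source, destination) wins; a pair without a cell gets the default."""
    return cells.get((src_sgt, dst_sgt), default)


def evaluate_flows(output, flows):
    """flows: iterable of (src_sgt, dst_sgt) as the egress node sees them after decapsulation."""
    default, cells = parse_rbacl(output)
    return [(src, dst, egress_decision(default, cells, src, dst)) for src, dst in flows]


if __name__ == "__main__":
    # constructed flows; SGT 0 stands for traffic whose source was never classified
    for src, dst, verdict in evaluate_flows(SAMPLE_OUTPUT, [(5, 19), (10, 19), (10, 5), (0, 19)]):
        print(f"SGT {src:>2} -> SGT {dst:>2}: {verdict}")
```

The last flow is the one to watch when reviewing a policy: a source that was never classified carries SGT 0, hits no cell, and receives the default entry, which in this sample (as on slide 37) is Permit IP. A policy review should therefore read the default line of the output with the same care as the cells.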


Page 44: Cisco DNA Center Supporting VN-Agnostic SGTs: Zero Trust Simplified

Cisco DNA Center supports VN-agnostic SGTs from release 1.3.1 (groups can now officially reside in different VNs).

Use case: different Industrial Control Systems segregated at the Macro/VN level but with the same SGT/policy at the Micro level. VN:IACS (Industrial Automation and Control Systems) and VN:PLC (Programmable Logic Controller) both use SGT: IOT: same SGT, same policy.

Page 45: Policy Extended Node: Zero Trust Extended

Provisioned similarly to an ‘Extended Node’, but with inline tagging enabled on the uplink, and policy is now handled by the Policy Extended Node itself. Initially the IE3400 and IE3400H are supported.

(Diagram: fabric site with border nodes B and fabric edges FE1, FE2 linked over VXLAN; a Policy Extended Node with inline tagging on its uplink serving PLC-1 (SGT19 PLC) and Host 2 (SGT4 Employees).)

Page 46: New tool to build segmentation policies: Policy Modeling with traffic patterns (Group-based policy analytics, Magellan, Q2CY20)

• No policy on the network, yet
• Observe and fine-tune for days/weeks
• Unearth critical access that must be allowed / denied

(Diagram: observed traffic between Employees, Media Servers, Log Servers and Cameras: SSH, WEB, Streaming, Alerts, with unknown flows marked “?”; candidate rules: Cameras: RTP, WWW; Syslog: Any.)

Page 47: Deploy segmentation policies with confidence: Group-based policies for segmentation

No policy on the network, yet → Deploy → Policy download to the fabric (Cameras: RTP, WWW; Syslog: Any).

(Diagram: the same Employees / Media Servers / Log Servers / Cameras flows as on the previous slide.)

Page 48: Continuous Monitoring for Policy Assurance: Group-based policies for segmentation

Policy logs (to DNA Center), policy roll-out assurance, policy hit counts (85% shown for Cameras: RTP, WWW; Syslog: Any).

(Diagram: the same Employees / Media Servers / Log Servers / Cameras flows as on the previous slides.)

Page 49: Bring it all together: Visibility-Driven Segmentation (Cisco DNAC and ISE)

1. Endpoint Classification: MAC/IP address → endpoint context → identity & group, trust score
2. Policy Analytics: context-based Scalable Group assignments (Log Servers, Media Servers, Employees, Cameras)
3. Policy Enforcement: group-based policy (Cameras: SSH, WEB, Streaming, Alerts)
4. Policy Assurance


Page 51: Cisco ISE

Page 52: ISE is at the heart of Cisco’s Zero Trust Solution (ISE 3.0)

Endpoint Visibility, Secure Access, Segmentation, Compliance, Rapid Threat Containment

Page 53: We are enhancing the ISE experience further

• New UI: consistent UI experience between ISE and DNA Center
• Faster & reliable ISE upgrades: less/zero downtime, better reliability and monitoring, API support for orchestration. (Screenshot: nodes 10.10.0.42 Primary PAN, 10.10.0.44 Secondary PAN, 10.10.0.45 / 10.10.0.61 / 10.10.0.63 PSN, each at 75%: “Upgrade: Phase 2 (Run) in progress … Completed: OS Upgrade and ISE Install. Status: Importing data”.)
• ISE Manager on DNA Center (Q3CY20): monitor and manage the ISE system; perform patching and upgrades; license, certificate management and others.

Page 54: “Trust”-based network access: bringing it all together (DNAC & ISE, Q3CY20)

Access control and threat containment based on continuous trust evaluation. Endpoint telemetry (posture status, anomalous behavior, vulnerability info, threat metrics, security ecosystem, encrypted/clear communications) feeds an ML-derived Trust Score (gauge from 1 to 10); the result drives a Change of Authorization on the network infrastructure.

Page 55: Original Three Tenets of a Zero Trust Network

• Eliminate network trust: assume all traffic, regardless of location (internal or external), is threat traffic until it is verified that it is authorized, inspected, and secured.
• Segment network access: adopt a least-privilege strategy and strictly enforce access control only to the resources users need to perform their job.
• Gain network visibility and analytics: continuously inspect and log all traffic, internally as well as externally, for malicious activity with real-time protection capabilities.

Page 56: Zero Trust: Segment Network Access: SD-Access Policy Evolution

Page 57: New Policy Views

Page 58: Policy Migration / Sync with ISE: Start Migration

Page 59: Policy Migration / Sync with ISE Successful

Page 60: ISE Read-Only Views


Page 62: Fusion Firewall

Page 66: Zero Trust with NGFW FMC/FTD 6.5

• Learns IP/SGT via PxGrid, expanded use-cases, insert FTD anywhere in designs
• Flow processing:
  • If the packet is tagged, the tag is honored
  • If the packet is not tagged, look up PxGrid information to derive the tag
  • If the packet is not tagged and there is no PxGrid info, no rules with a tag match

* Rel 6.5 supports destination SGT and static IP:SGT mappings

Up to 2000 unique SGTs, 64K total user identity entries per FMC
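The flow-processing bullets above describe three cases in order. The Python below is an added example, not code from the presentation or from Cisco: an inline-tagged packet keeps its tag; an untagged packet takes the tag from the IP:SGT bindings learned over pxGrid; an untagged packet with no binding has no source tag, so a rule that matches on a source SGT cannot match it and the decision falls through to the default action. Destination tags are looked up in the same bindings, following the footnote that 6.5 supports destination SGT via static IP:SGT mappings. The bindings, rules and packets are constructed; the tag numbers (5 Employee, 10 Contractor, 19 PLC) mirror slides 40 and 45.

```python
"""Derive the SGT for a firewall flow as the FTD 6.5 flow-processing bullets describe.

Added example, not from the presentation or from Cisco. Bindings, rules and
packets are constructed; the rule model (first match wins, then a default
action) is a simplification of an access control policy.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    inline_sgt: Optional[int] = None  # present when the upstream node tagged the frame


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "allow" or "block"
    src_sgt: Optional[int]    # None: any source
    dst_sgt: Optional[int]    # None: any destination


# constructed IP:SGT bindings as they would arrive from ISE over pxGrid
BINDINGS = {"10.1.100.1": 5, "10.2.200.6": 10, "10.3.0.20": 19}

# constructed rule set: Employees may reach the PLC, Contractors may not
RULES = [
    Rule("employees-to-plc", "allow", src_sgt=5, dst_sgt=19),
    Rule("contractors-to-plc", "block", src_sgt=10, dst_sgt=19),
]


def derive_source_sgt(packet, bindings):
    """Case 1: honour the inline tag. Case 2: look the source IP up. Case 3: None."""
    if packet.inline_sgt is not None:
        return packet.inline_sgt
    return bindings.get(packet.src_ip)


def rule_matches(rule, src_sgt, dst_sgt):
    """A tag condition is satisfied only by a known tag; None never matches a tag."""
    if rule.src_sgt is not None and src_sgt != rule.src_sgt:
        return False
    if rule.dst_sgt is not None and dst_sgt != rule.dst_sgt:
        return False
    return True


def evaluate(packet, rules=RULES, bindings=BINDINGS, default_action="allow"):
    """Return (rule name, action, derived source SGT) for the first matching rule."""
    src_sgt = derive_source_sgt(packet, bindings)
    dst_sgt = bindings.get(packet.dst_ip)  # destination SGT via the IP:SGT mappings
    for rule in rules:
        if rule_matches(rule, src_sgt, dst_sgt):
            return rule.name, rule.action, src_sgt
    return "default", default_action, src_sgt


if __name__ == "__main__":
    samples = [
        Packet("10.1.100.1", "10.3.0.20"),                 # untagged, binding known
        Packet("10.2.200.6", "10.3.0.20", inline_sgt=10),  # tagged inline
        Packet("10.1.100.1", "10.3.0.20", inline_sgt=10),  # inline tag wins over the binding
        Packet("192.0.2.77", "10.3.0.20"),                 # untagged, no binding: no tag rule matches
    ]
    for p in samples:
        print(p.src_ip, "->", p.dst_ip, evaluate(p))
```

The fourth packet is the case to review before relying on SGT-based firewall rules: a source with neither an inline tag nor a binding is judged only by rules without tag conditions and by the default action, so the policy's real behaviour depends on how completely the pxGrid bindings and static mappings cover the sources that matter. Connection events that hit the default action rather than a named rule are the signal that a binding is missing.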

Page 67: Firepower 6.6 notable changes relevant to SDA

• IP:SGT bindings learned from ISE over PxGrid increased from 64K to 300K
• Supports IPv4 and IPv6
• VRF-lite support via virtual routers:
  • Route import/export not supported
  • Route between virtual routers; check the 6.6 configuration guide for supported scenarios
  • Note the 6.6 docs for the max supported VRs per FTD model


Page 69: Multi-site Border

Page 70: Multi-Site Remote Border

(Diagram: Fabric Sites 1, 2 and 3, each with a control plane/border node (CB) and a WLC, carrying Employee and Guest traffic; Guest is the anchoring VN at each site and is anchored to Fabric Site 4 in the DMZ.)

Why?

• Without Multi-Site Remote Border, it is necessary to assign a subnet for each site mapped to a VN, since subnets are unique to a site and cannot be stretched across sites.
• With Multi-Site Remote Border, all traffic for a given VN (for example Guest at each site) is tunnelled back to a central location over VXLAN, allowing a single subnet to be deployed across all sites.
• Since this allows a more centralized and simplified subnet structure, VN anchoring is an ideal fit for environments where all untrusted traffic must be sent to a firewall at the DMZ.
• This is applicable to any VN whose traffic needs to be terminated at a remote site.

Page 71

Multi-Site Remote Border

[Diagram: Fabric Sites 1, 2 and 3 (CB nodes) with Employee, IoT and Guest VNs. The Employee VN is local at every site; the IoT VN is anchoring at Sites 1 and 3 and anchored at Site 2; the Guest VN is anchoring at Sites 1, 2 and 3 and anchored at Fabric Site 4 (CB) in the DMZ. Each site has its own wireless controller: Catalyst 9800 appliance or Catalyst 9800 Cloud.]

• The common VN at which traffic from the other VNs arrives is called the “Anchored VN”.

• A VN that sends its traffic to the Anchored VN, and therefore shares that VN's control plane and border nodes, is called the “Anchoring VN” (or “Inherited VN”).

• Employee VN traffic goes through the site-local border.

• Guest VN traffic is served through the remote border in the DMZ.

• IoT VN traffic is selected to go through the border at Site 2.

• The WLC can be AireOS or Catalyst 9800.

• WLCs in each site.

Take the traffic out the way you want: this is a border for multiple sites, hence the name.

Page 72

Multi-Site Remote Border: Design Considerations

[Diagram: Fabric Site 1 and Fabric Site 2 (each with a WLC, Employee VN and Guest VN) connect over an IP/SDA transit to Fabric Site 3 (CB) in the DMZ, where the Guest VN is anchored on its B and C nodes.]

• MTU must be accounted for between Anchored and Anchoring VNs, because overlay traffic terminates at the B/CP of the Anchored VN site.

• Edge nodes in Anchoring sites need IP reachability to the RLOCs of the CP/Border in the Anchored site and of the edges in the other sites.

• AireOS WLC can hold up to 2 CP pair entries.

• Catalyst 9800 can hold up to 16 CP pairs.

• Border and CP can be co-located or distributed at Anchored site.

• IP Pool limit per site will remain the same.

• Multiple VNs can be Anchored across sites.

• Seamless roaming isn’t supported.

Page 73

Multi-Site Remote Border: Migration

• A customer can have either a Wireless Guest VN or an Anchor VN, but not both.

• If a Guest VN with Guest devices is present, VN Anchoring is not allowed. Existing sites with a dedicated Guest Border-CP will continue to operate.

• Adding new Guest devices is not permitted with this new release. Multi-Site Remote Border is the recommended way to achieve the Guest workflow.

• If a new Guest Border-CP needs to be added, remove the old Guest flow and use the Multi-Site Remote Border configuration flow.

Page 74

Multi-Site Remote Border

[Diagram: Cisco SD-Access Site 4 (edge nodes, Anchoring IoT) connects over an IP Transit to Cisco SD-Access Site 23 (B and C nodes, Anchored IoT); example prefixes 192.168.0.16 and 192.168.0.32.]

Page 76

Flex Connect with Over the Top (OTT) in SD-Access Wireless

Page 77

Features coming in 2.1.1.1

✓ IPv6 for SD-Access Wireless – C9800, C9800-CL, Embedded Wireless

• Flex Connect with Over the Top (OTT) in SD-Access Wireless

• N+1 HA and Rolling AP upgrade with C9800 and AireOS

Page 78

Use-Case – Why?

Flex Over The Top (OTT) – Why is this needed?

• Flex Connect lets customers configure and control access points (APs) in a branch or remote office from the corporate office over a wide area network (WAN) link, without deploying a controller in each office.

• With Flex OTT we can support both centrally switched and locally switched SSIDs.

• Historically, the SD-Access solution required a Wireless LAN Controller in every SD-Access site.

• Supported Platforms:

• WLC 5520, 8540, C9800, C9800-CL

• AP-1800, AP-2800, AP-3800, AP-4800

• AP-9115, AP-9117, AP-9120, AP-9130

Traditional Use-Case

Page 79

What is Over the Top (OTT) in SD-Access?

• WLCs connect externally to the fabric

• The border advertises the WLC management subnet into the fabric

• The border advertises fabric prefixes to the WLC management network

• One subnet for APs across the entire campus fabric

• APs are registered in the Host Tracking Database (CP) as wired clients

• Simplified IP design for AP onboarding (one subnet)

Page 80

Feature – How?

Flex Over The Top (OTT) – How does it work?

• The Flex WLC is connected to fabric site SJC24, the campus or headquarters. APs are connected directly to the Fabric Edge nodes of the SJC22 branch.

• APs learn about the Flex WLC in SJC24 via DHCP option 43 and build a CAPWAP tunnel between the AP in SJC22 and the Flex WLC in SJC24.

• The Over the Top (OTT) SD-Access capability is used: the CAPWAP tunnels between the APs and the WLC run as overlays on the fabric network.

• The fabric is a transport for CAPWAP.

• Control plane traffic goes to the centralized Flex WLC. Data traffic is locally switched in the fabric.

• The WLC is not fabric enabled.

[Diagram: Campus SJC24 (CB nodes, Flex WLC) and Branch SJC22 (fabric edges with APs) joined by the CAPWAP overlay.]

Page 81

Cisco DNAC Workflow

Create Flex SSID

Page 83

Brownfield R&S to SD-Access Migration

Page 84

Page 85

Cisco recommended versions

• SDA compatibility matrix: http://cs.co/sda-compatibility-matrix

• Please note the Cisco recommended versions for stability. Do not upgrade simply because the option is available.

Page 86

SDA now for both greenfield & brownfield networks

Model 1 (Cisco SD-Access, macro and micro segmentation): Macro and micro-segmentation with Fabric and routed access; the Fabric Edge is the routed access switch. Sell to architecture buyers.

Model 2 (SDA Policy Extended Node): Layer-2 access with Cat9K as “Policy Extended Node” (PEN); SDA fabric starts at the distribution layer, which is the Fabric Edge. Sell to customers that want to retain their L2 access policies.

Model 3 (GBAC without Fabric): Cisco DNAC templates for traditional GBAC (TrustSec) configuration; inline tagging with no fabric over L2 access. Sell to customers with “SDA-ready” infrastructure that haven't moved to routed access yet.

[Diagram: three Core / Distribution / Access topologies, one per model: routed access with Fabric Edge at access; L2 access with C9K as PEN and Fabric Edge at distribution; L2 access with inline tagging and no fabric.]

Page 87

Group based policy across | Deployment Flexibility | SD-Access caters to every Network

Network & Group Segmentation with Fabric-based Network Automation; SD-Access with group segmentation

Fabric (Fabric Edge at routed access; macro and micro segmentation):

• Group-Based Policy: ACA, DCS, Magellan, and ISE

• Network Segmentation leverages Fabric for VN definition & Group Segmentation

• Automated connectivity

• Wireless: Fabric Enabled Wireless, FlexConnect

• Preferred by Architecture Buyers

C9K as Policy Extended Node (Fabric Edge at distribution, L2 access; micro segmentation). When to use C9K as PEN:

• Brownfield migration

• Customers with existing C9K infra as L2 access

• Customers that don't want to change their existing L2 configurations

• Customers that want to keep routed access at distribution

• Achieve VLAN by VLAN (port by port) migration into fabric

Inline Tagging with no fabric (micro segmentation):

• Group-Based Policy: ACA, DCS, Magellan, and ISE

• No Fabric. Only Group Segmentation.

• Manual or template programmer-based Network Segmentation

• Wireless: Flex AP or Centralized Wireless

• Preferred by Mid-Market Buyers or for Branches (simpler or legacy networks)

• Unlock segmentation value with “SDA-Ready” Infra Refresh

[Diagram: three Core / Distribution / Access topologies: Fabric Edge at routed access; C9K as PEN with Fabric Edge at distribution; inline tagging with no fabric.]

Page 88

What does the customer need?

Option A: Fabric (macro and micro segmentation)

Network:

• End-to-end L2 mobility (wireless and IoT segments) across the network

• Flexibility to deploy an integrated wireless deployment: network and policy

• VN at the access layer to enable policy-based traffic steering for Guest or Internet

• Scale beyond 6K endpoints per distribution cluster (a function of FE at access)

• Flooding domain restricted to the local access switch

• Topology independence: access switches can connect to more than a pair of distribution switches

Security:

• VN at access for Infosec compliance

• East-west isolation

• Traffic steering to the DMZ for untrusted traffic

• Scaled policy deployments with macro (VN) and micro (SGT) segmentation and automated inline SGT propagation

Fabric with Policy Extended Node* (micro segmentation)

Network:

• Cannot change to routed access

• Needs VLAN by VLAN (port by port) migration of traditional policy to fabric-based GBAC

• Has fewer than 6K endpoints per distribution cluster (a function of the fabric edge at distribution)

• Okay with the flooding domain expanded up to the distribution layer and its associated access-layer switches

• Okay with a limited topology: an L2 access switch can connect to a pair of distribution switches running in SVL mode, working as one fabric edge

• If a VLAN is migrated to the fabric, FEW is supported; if not, it behaves like traditional wireless

• All Fabric network considerations in Option A apply, starting at FE at distribution

Security:

• All Fabric security considerations in Option A apply, starting at FE at distribution

GBAC without Fabric* (micro segmentation)

Network:

• Okay with network automation using templates, or the network is already set up

• Intermediate devices need to be capable of inline tagging

• Doesn't need fabric benefits for the network such as flood domain reduction, integrated wireless, traffic steering with VNs, or topology-independent Layer 2 / Layer 3 connectivity

Security:

• Micro (SGT) segmentation only

* Roadmap

Page 89

FE access port with unintelligent switch

• Use an extended node if possible

• An “intelligent” switch consumes EAPoL, which breaks 802.1X between the FE and the endpoints; an “unintelligent” switch is one that does not consume EAPoL

• Finding a switch that behaves this way is the responsibility of the partner / customer

• Unintelligent switch tradeoffs:

• Microsegmentation between endpoints physically connected to the unintelligent switch is lost

• Assurance and automation are not possible for the unintelligent switch

• Cisco TAC does not support the unintelligent switch

• An unintelligent switch connected to an FE is supported; make sure the tradeoffs are clearly understood

• Each endpoint can be dynamically authorised into a different network and SGT

• An FE edge port supports a maximum of 10 IP addresses; the 11th IP address is dropped by the FE. IPv6 hosts have multiple IP addresses, typically 3-4 per host

Page 90

FE trunk port with 3rd party intelligent switch

• Use an extended node if possible

• 3rd party intelligent switch tradeoffs:

• Microsegmentation between endpoints physically connected to the 3rd party switch is lost

• Assurance and automation are not possible for the 3rd party switch

• Cisco TAC does not support the 3rd party switch

• The FE server port does not authenticate downstream endpoints

• A 3rd party switch connected to an FE “server” port is supported; make sure the tradeoffs are clearly understood

• The 3rd party switch must be manually configured with a trunk uplink and access ports that match the DNAC-automated FE VLANs

• An FE server port (trunk) supports a maximum of 100 IP addresses; the 101st IP address is dropped by the FE. IPv6 hosts have multiple IP addresses, typically 3-4 per host

[Diagram: FE (E) with SVI1/SGT1 and SVI2/SGT2, DNAC automated, connected over a trunk to a manually configured 3rd party switch.]

Page 92

SDA and L2

Page 93

L2 flooding in SDA

• Disabled in the IP pool by default. Enable selectively and sparingly

• If enabled in an IP pool, the pool floods Ethernet broadcast and link-local multicast in the overlay

• Does not flood unknown unicast

• In some scenarios L2 flooding helps register silent hosts connected to the fabric with the CP. The next slide elaborates

• Otherwise a silent host can be forced to register with the LISP CP by hardcoding its IP/MAC into IPDT on the FE switch CLI. Not a scalable workaround, but effective:

• Wake on LAN with source and destination in the same subnet works with L2 flooding, because it uses Ethernet broadcast

• Wake on LAN from a remote source (directed broadcast) does not work well yet

• There are some workarounds; please consult the technical presales team

• A permanent and automated fix is on the roadmap for later this year

Page 94

L2 border – deployment model

Stackwise Virtual 9500 and 9500H supported in 1.3.3+ with 16.12.2t+

[Diagram: SDA fabric with a Stackwise Virtual Layer 2 Border (B). Host 1 and Host 2 (10.1.1.0/24) are attached to SDA Fabric Edge nodes in address pool 1024; Host 3 (10.1.1.0/24) is attached to a traditional access switch in VLAN 300, which connects to the L2 border over a port-channel trunk.]

* Dual-homing requires L2 MEC to prevent L2 loops

For your reference: other platforms are also supported in the L2 border role. See BRKCRS-3493 or the SDA TDM for more details on platforms and restrictions.

Page 95

L2 border for gateway outside of fabric

• Always try to use an anycast SVI on the fabric edge switches instead of an external default gateway

• FE SVI = routing efficiency, no hairpin through the external gateway

• FE SVI = east-west SGT more easily preserved

• If that is not possible, solve the requirement using an L2 border. Please consult your technical presales team on suitability and design before proceeding

• A proper / final DNAC workflow for this scenario is on the roadmap

[Diagram: Host 1 (10.1.1.22/24) and Host 2 (10.1.1.33/24), both with default gateway 10.1.1.1, attached to fabric edges (E); a Layer 2 Border (B), single chassis or 9500/9500H Stackwise Virtual, connects the fabric to an external gateway, e.g. a firewall or captive portal, at 10.1.1.1/24.]

Page 96

What about L2 intersite?

• Multi-Site Remote Border (previously known as VN anchoring) should become the preferred solution as of the SDA 2.1.1 release. It:

• Is DNAC automated

• Tunnels traffic in VXLAN over the existing underlay; no L2 border and L2 handoff required

• Inherently preserves VN and SGT information, via VXLAN

• Should solve all the same use cases as L2 intersite

• Please check with an SME if there is a potential L2 intersite use case that is not solved by Multi-Site Remote Border

For your reference: L2 intersite was introduced in SDA 1.3.3. It enables extension of IP pools between fabric sites over L2 borders.

Page 98

SDA User Defined Network (UDN)

Page 99

UDN - User Defined Network: enriching user experience in shared network environments

University Campus

Key Benefits

✓ Home-like user experience

✓ Limit access to personal devices

✓ Ability to invite users into a personal network

✓ Secure on-boarding of personal devices

✓ Ability to register devices from the home network through an app

✓ Restrict mDNS, UPnP, broadcast and unicast traffic

✓ Complete visibility with Cisco DNA Assurance

[Screenshot: “User Private Network” app on a university campus with a Dorm .1X SSID and a Dorm PSK SSID. Two users, Eddy and Mary, each see “My devices” (e.g. Mary's iPad; Eddy's Alexa, Apple TV, iPhone and Xbox, each shown as connected with its vendor and MAC address) and “My guests”, with “Add another device” and “Add a guest to my network” actions.]

Page 101

SDA and SDWAN

Page 102

SDA Deployments

[Diagram: SD-Access Fabric Site #1 and SD-Access Fabric Site #2, each with B (SDA Border Node) and C (SDA CP Node) plus SDA fabric nodes, joined through routers over a transit; DNA Center and ISE are shared. Control plane (1) and data plane (2) paths are marked.]

Current deployments – alternatives

• DMVPN: manual mapping & routing of VNs; macro/micro segmentation works; TCP adjust MSS

• Cisco SD-Access Transit: DNAC provides automation; SGTs and VNs are preserved; MTU consideration; TCP adjust MSS

Page 103

SDA/SDWAN Interoperation today

[Diagram: SD-Access Fabric Site #1 and Site #2 (B and C nodes, LISP control plane, VXLAN data plane) hand off via BGP and IP VRF-Lite to cEdges of the SD-WAN fabric (OMP control plane under vManage, IPsec data plane). DNA Center manages the SD-Access sites. Control plane (1) and data plane (2) paths are marked. * Last option.]

Current deployments

• Cisco DNA Center automates the SD-Access sites

• The SD-Access Border hands off to the cEdge using IP Transit

• Manual handoff between the SDA Border and the cEdge

• Challenge with SGT propagation using SXP

Page 104

SD-Access to SD-WAN Phase 1 Integration

Page 105

SDA to SD-WAN: Supported Deployment Models – One-Box

What is in Ph1?

• Enable SDA for the Distributed Enterprise

• Deployment flexibility for the lean branch

• Co-located SDA Border, CP and SD-WAN Edge on a single ISR/ASR (cEdge) device

• DNAC configures the SDA border node via vManage

• Context transport over SD-WAN

• LISP-OMP route redistribution on the control path

• Extract and transport the SGT across the SD-WAN data plane

• EFT in April, then LA by 2.1.1.x and GA by July

• Supported from 17.2.1 and later

[Diagram: two SD-Access Fabric Sites (B and C nodes) attached to the SD-WAN fabric through one-box cEdge borders. Control plane (1): LISP in the fabric redistributed into OMP, orchestrated by DNA Center and vManage. Data plane (2): in the fabric a VXLAN header carries VNID (24 bits) and SGT (16 bits); across SD-WAN an IPsec header with MPLS labels carries the VNID and a CMD header carries the SGT (16 bits). Legend: SDA Border Node, SDA CP Node, cEdge, SDA Fabric Node.]

Page 106

Platform Support

• ISR 433X (8G and above), and 44XX models

• ASR 1001X/HX, 1002X/HX

• No support on: ISR 42XX; vEdges; ISRv/CSR; ISR C1100 Series

Page 107

Management Model

[Diagram: DNA-Center talks to vManage over REST calls (read permission and write permission); vManage, vBond and vSmart reach the cEdge over NETCONF/YANG, OMP and Syslog/SNMP. The cEdge has an SDA side and a WAN side (WAN underlay).]

SDA Side (DNA-Center):

• vManage credentials

• Service-level VN configuration

• SDA side routing configuration: interfaces, VXLAN; routing (LISP)

• Provision SDA LAN Automation subnet

• SDA VN to SD-WAN VPN mapping

• Assurance: Syslog/SNMP config

WAN Side (vManage):

• All SD-WAN configuration and policy, except LAN side templates (greyed)

• All Assurance

• Syslog/SNMP override (if desired)

NOTE: the cEdge must have no existing service-side configuration before it can be designated as a border

Page 109

SDA and ACI Ph2

Page 110

Policy Plane Integration Today

• Policy plane integration using ISE and APIC

• SGT/EPG exchange between ISE & APIC

• SGT/EPG mapping and translation at the SDA/ACI borders

• Policy enforcement possible in SDA or ACI or both

Design Considerations:

• IP-SGT mapping scale of the SDA border

• /32 host mapping scale of the border leaf

• ISE is not “VRF aware”

• Single ACI tenant

[Diagram: current deployment. Management & policy: ISE and APIC exchange SGTs and EPGs with their associated IPs; SXP feeds the SDA border. Control plane: LISP in SD-Access, BGP/IGP through a Fusion device to the ACI border leaf. Data plane: VXLAN+SGT in the fabric, VRF-lite to ACI.]

Page 111

SDA to ACI Integration

What is Ph2?

• The tentative plan is to have EFT in June and GA in July/August

• Automation of the SDA Border and ACI Border leaf devices (VXLAN and BGP-EVPN between campus and ACI)

• Multi-VRF support

• Group exchange between ISE/APIC

• Group mapping and translation at the SDA/ACI borders

• Policy enforcement possible in SDA or ACI or both

More details will be provided closer to release

[Diagram: users in the SD-Access fabric (VXLAN header: VNID 24 bits, SGT 16 bits; LISP control plane) reach an ASR 1K Border, which performs SGT-EPG / EPG-SGT translation, and then the ACI Border Leaf (iVXLAN header: VNID 24 bits, EPG 16 bits; COOP control plane). BGP/EVPN between the borders carries a CLASS ID (24 bits). Management & policy: user & device groups, BGP neighbor and VN on the SD-Access side; app groups, VRFs, BGP neighbors and IP-EPG mappings on APIC.]
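As an added example (not Cisco code and not part of this deck), the Python below encodes and decodes the VXLAN group-policy header whose VNID (24 bits) and SGT/EPG (16 bits) fields appear on the SD-WAN and ACI integration slides, applies the tag-derivation order described for the Fusion Firewall (inline tag, else IP:SGT binding, else untagged), and translates VNID/SGT to VRF/EPG at an SDA-to-ACI border. The byte layout follows the VXLAN Group Policy draft (draft-smith-vxlan-group-policy) as I understand it; the VNIDs, SGT 16, EPG class 49153 and the IP:SGT bindings are constructed sample values.

```python
"""VXLAN group-policy header handling and SDA/ACI border translation (added example)."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FLAG_I = 0x08  # VNI field is valid
FLAG_G = 0x80  # Group Policy ID field is valid (assumed VXLAN-GPO layout)


@dataclass(frozen=True)
class VxlanGpoHeader:
    vni: int        # 24-bit network identifier: SDA VN or ACI VRF segment
    group_id: int   # 16-bit group policy ID: SGT in SDA, EPG class in ACI; 0 = untagged

    def pack(self) -> bytes:
        if not 0 <= self.vni < (1 << 24):
            raise ValueError("VNI must fit in 24 bits")
        if not 0 <= self.group_id < (1 << 16):
            raise ValueError("group ID must fit in 16 bits")
        flags = FLAG_I | (FLAG_G if self.group_id else 0)
        # byte 0 flags, byte 1 reserved, bytes 2-3 group ID, bytes 4-6 VNI, byte 7 reserved
        return struct.pack("!BBH", flags, 0, self.group_id) + (self.vni << 8).to_bytes(4, "big")

    @classmethod
    def unpack(cls, data: bytes) -> "VxlanGpoHeader":
        if len(data) < 8:
            raise ValueError("VXLAN header is 8 bytes")
        flags, _reserved, group_id = struct.unpack("!BBH", data[:4])
        if not flags & FLAG_I:
            raise ValueError("I flag clear: VNI field not valid")
        vni = int.from_bytes(data[4:7], "big")
        # Without the G flag the group field carries no meaning: treat the packet as untagged
        return cls(vni=vni, group_id=group_id if flags & FLAG_G else 0)


def classify_sgt(hdr: VxlanGpoHeader, src_ip: str,
                 ip_sgt_bindings: Dict[str, int]) -> Optional[int]:
    """Firewall-style SGT derivation: inline tag first, else the longest-prefix
    IP:SGT binding (as learned from ISE over pxGrid or configured statically), else None."""
    if hdr.group_id:
        return hdr.group_id
    addr = ipaddress.ip_address(src_ip)
    best: Optional[Tuple[int, int]] = None
    for prefix, sgt in ip_sgt_bindings.items():
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, sgt)
    return best[1] if best else None


class SdaAciBorder:
    """Translate VNID and group tag between the SDA fabric and an ACI tenant."""

    def __init__(self, vn_to_vrf: Dict[int, int], sgt_to_epg: Dict[int, int]) -> None:
        self.vn_to_vrf = vn_to_vrf
        self.sgt_to_epg = sgt_to_epg
        # Reverse maps for the ACI-to-SDA direction; mappings are assumed one-to-one
        self.vrf_to_vn = {v: k for k, v in vn_to_vrf.items()}
        self.epg_to_sgt = {v: k for k, v in sgt_to_epg.items()}

    def sda_to_aci(self, frame: bytes) -> bytes:
        hdr = VxlanGpoHeader.unpack(frame)
        if hdr.vni not in self.vn_to_vrf:
            raise KeyError(f"VN {hdr.vni} is not mapped to an ACI VRF")
        epg = self.sgt_to_epg.get(hdr.group_id, 0)  # unknown SGT leaves the frame untagged
        return VxlanGpoHeader(self.vn_to_vrf[hdr.vni], epg).pack() + frame[8:]

    def aci_to_sda(self, frame: bytes) -> bytes:
        hdr = VxlanGpoHeader.unpack(frame)
        if hdr.vni not in self.vrf_to_vn:
            raise KeyError(f"VRF {hdr.vni} is not mapped to an SDA VN")
        sgt = self.epg_to_sgt.get(hdr.group_id, 0)
        return VxlanGpoHeader(self.vrf_to_vn[hdr.vni], sgt).pack() + frame[8:]


# Constructed sample values: one Employee VN (VNID 4100, SGT 16) mapped to an ACI
# VRF segment 0x800001 with EPG class 49153; static /24 and ISE-learned /32 bindings.
SAMPLE_BORDER = SdaAciBorder(vn_to_vrf={4100: 0x800001}, sgt_to_epg={16: 49153})
SAMPLE_BINDINGS = {"10.1.1.0/24": 3, "10.1.1.22/32": 16}


if __name__ == "__main__":
    frame = VxlanGpoHeader(4100, 16).pack() + b"\x00" * 14  # header + placeholder inner frame
    out = SAMPLE_BORDER.sda_to_aci(frame)
    print(VxlanGpoHeader.unpack(out))  # VxlanGpoHeader(vni=8388609, group_id=49153)
    untagged = VxlanGpoHeader(4100, 0)
    print(classify_sgt(untagged, "10.1.1.22", SAMPLE_BINDINGS))  # 16 (the /32 wins over the /24)
```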

Page 113

SDA and ACI Ph2

Page 114

Cisco’s new architecture is integrated to interconnect EVERY domain of the expanded enterprise

OT | Campus | Branch | DC | Cloud | SP | Security

ONLY CISCO

Multidomain innovations

Page 115

Multidomain: SDA and SD-WAN Integration – SD-WAN transit transparently connects user groups to Branch/DC

[Diagram: a campus SDA fabric (VN 1, VN 2, VN 3; B and C nodes) and a branch SDA site (VN1) joined across the SD-WAN fabric, either by a cEdge plus a separate SDA Border (2-boxes) or by a combined cEdge & SDA Border (One-box). DNA Center and vManage are integrated through REST APIs.]

• Overlay interconnect between SDA and SD-WAN

• End-to-end segmentation between SDA sites

• SGT transport over SD-WAN

• DNA-C and vManage integration for configuration: a single pane of glass to manage multi-domain policies

• VNs → SD-WAN VPN; SGT-o-IPsec

• One-box automation: Cyclops (Q3CY20); 2-box automation: Roadmap

Page 116

Multidomain: SDA and ACI Integration – Consistent access policies throughout the enterprise

[Diagram: users in the campus SDA fabric (VXLAN header: VNID 24 bits, SGT 16 bits; LISP) connect over the underlay network via BGP-EVPN / VXLAN to the New York City and San Francisco ACI data centers (iVXLAN header: VNID 24 bits, EPG 16 bits; COOP). Automated mappings of SGT and EPG: at the SDA side, EPG-SGT translate & re-classify IP into SGT; at the ACI side, SGT-EPG translate & re-classify IP into EPG. APIC holds app groups, DNA Center holds user groups.]

• Overlay interconnect automation (BGP-EVPN & VXLAN)

• Multi-VRF support

• SGT/EPG mapping and translation at the SDA/ACI borders

• Policy enforcement in the SDA/ACI borders

• SDA-ACI mappings: Shipping; Scalable data plane integration: Cyclops (Q3CY20); Multi-site ACI: Roadmap

Page 117

Security as a Service with Firewall integration – Firewall as a fabric gateway

[Diagram: SDA fabric with an IoT VN (HVAC, IPTV) and a Contractor VN (Maintenance, Auditor); a DNAC-managed Cisco ASA firewall acts as the default gateway and inspects inter-VN and inter-SGT* traffic.]

* With SGT+VLAN assignment and Layer 2 flooding enabled (under IP Pool Settings)

• Addresses compliance & security audit needs for certain industries

• ASA 5500 Series firewall device management in DNAC

• Stateful traffic inspection between VNs & SGTs* in a fabric

• DNAC border handoff to ASA firewall automation: Roadmap (1HCY21)

Page 118

Takeaways: X-Domain

✓ Cross-domain integration

➢ A must have for any network

➢ otherwise each SDN policy domain remains a “thing in itself”

✓ Cross-domain integration at Cisco

➢ ACI - SDA

➢ SDA - SDWAN

➢ ACI - SDWAN

➢ SDN + Security

❑ Cisco builds bridges between the different SDN domains, uniting them into a single infrastructure
