Андрей Оврашко, Systems Engineer
15 June 2020
What's New in Cisco SDA Design
Online
… and more
© 2019 Cisco and/or its affiliates. All rights reserved.
Agenda
• Trends
• Zero Trust
• Segmentation
• SDA
• ISE
• Fusion Firewall
• Multi-site Border
• FlexConnect
• Brownfield
• L2
• UDN
• SDA-2-SDWAN
• SDA-2-ACI
• X-Domain
Trends
Trend drivers shown: AI/ML/DL, Assurance, Security, Zero Trust, BigData, X-Domain, SDN, IoT, Extended Enterprise, Automation, Digitization
Released April 2017
Cisco DNA – Digital Network Architecture: the network as a platform for running a digital business
Big Story – Innovations: DNA-C, Cisco ACIS, c9200L vs c2960X, NetFlow, StealthWatch, DNA Assurance, AVC, DevNet.cisco.com, Programmability, ISE, ETA, TrustSec, X-Domain, SD-WAN, SDA
Cisco Intent-Based / Software-Defined Networking: the network made simple
• Software-Defined Campus Access (SDA) – Catalyst 9000
• Software-Defined WAN (SD-WAN) – ACI Anywhere
• Software-Defined Data Center Networking (SDN) – Nexus 9000, ACI
Zero Trust
Basic Tenet of Zero Trust: the effect of Zero Trust is ubiquitous least-privilege access (i.e. grant access, but make it specific!)
Market Response to Workplace Zero Trust
• Cisco is #1 in the Forrester Wave ranking for Zero Trust
• ISE’s repeat recognition for NAC leadership
• SD-Access adoption is accelerating: 950+ deployments
How does Cisco Zero Trust work? A 3-step cyclical process
Establish Trust – we establish trust by verifying:
• Multiple factors of user identity
• Device context and identity
• Device posture & health
• Location
• Relevant attributes and context
Continuous Trust Verification – we continuously verify:
• The original tenets used to establish trust are still true
• Traffic is not threat traffic
• Behavior, for any risky, anomalous or malicious actions
• If compromised, then the trust is broken
Enforce Trust-Based Access – we enforce least privilege access to:
• Networks
• Applications
• Resources
• Users & Things
The five pillars of Workplace Zero Trust Security: endpoint visibility, secure access, network segmentation, endpoint compliance, rapid threat containment
Moving from excessive trust to “Zero Trust”: a comprehensive approach to securing all access across your networks, applications, and environment.
• Workforce: ensure only the right users and secure devices can access applications.
• Workloads: secure all connections within your apps, across multi-cloud.
• Workplace: secure all user and device connections across your network, including IoT.
Segmentation
Integrating Security into the Network: stop threats and protect operations
Capabilities: network segmentation; discover and classify assets; active monitoring (understand behavior and identify threats); secure hardware and software; enforce policy.
Components: Cisco ISE, Cisco TrustSec, Cisco Software-Defined Access, Cisco Stealthwatch, ETA, streaming telemetry, AVC, VLANs, Secure Groups, Access Control, runtime defense, Trusted Anchor.
Shift in IT Landscape: users, devices, and apps are everywhere
• Remote users, contractors & third parties
• Personal & mobile devices
• IoT devices
• Cloud SaaS
• Hybrid cloud infrastructure
• Cloud IaaS
• Disappearing perimeter
Workforce … meets Workplace: Duo delivers secure access from any user, any device, to any app, connecting trusted users and devices to trusted services.
ISE and Duo Integration for Multi-Factor Auth (MFA)
Diagram: ISE Session Database with employees, contractors and guests – John connected via Switch-SJC01, Bob connected via AP-SJC03, Alice connected via SSID “CORP”; Cisco ISE with Duo Auth Proxy against on-premise Microsoft Active Directory.
See: Network Access and Segmentation with DUO MFA and ISE Configuration Guide
Solving the access problem with Duo and ISE
Table compares Cisco ISE, Cisco Duo and Cisco ISE + Duo for each access problem: user + device (on-premise) to on-premise applications; IoT device (on-premise) to on-premise applications; user + device (off-premise) to on-premise applications; user + device (on-premise) to cloud applications; user + device (off-premise) to cloud applications. Gaps flagged for the single products: no MFA, web only, VPN based, no network security.
Local network. Q: segmentation and network access control – TrustSec, 802.1X, SDA, DefCon, RTC
Identity with ISE Secures the Enterprise
Endpoints: users, devices, things
Network devices: switches, WLCs / APs, VPN gateways
Cisco ISE: standalone ISE, multi-node ISE, VM/appliance
Identity services: AD/LDAP, MDM, SAML/MFA
Security services: Stealthwatch, Firepower, partners
ISE Authentication Capabilities
Machine | User | Strength | Experience | Method
✅ ✅ ★★★★ 🙂 802.1X User + Machine (EAP-FAST / TEAP)
✅ ✅ ★★★★ 😕 802.1X Machine + 802.1X User
✅ ✅ ★★★ 😕 802.1X Machine + Easy Connect
✅ ✅ ★★★ ☹️ 802.1X Machine + WebAuth
✅ ✅ ★★★ 😕/☹️ 802.1X User + MAC Binding
✅ ✅ ★★ 😕 MAB + Easy Connect (Passive Identity)
✅ ✅ ★★ ☹️ MAB + WebAuth
❌ ✅ ★★ 🙂 802.1X User Authentication
✅ ❌ ★★ 😁 802.1X Machine Authentication
✅ ❌ ★ 🙂 MAC Authentication Bypass (MAB)
❌ ✅ ★ ☹️ Web Authentication
❌ ✅ ★ 😕 Authentication VLAN
❌ ❌ - 😁 Open Access
Segmentation: the traditional approach (VLAN, SSID, ACL)
access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165
access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428
access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511
access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945
access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116
access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959
access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993
access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
Network policy
IP ADDRESSES
▪ Find you ▪ Define you ▪ Restrict you
An IP address “means” OVERLOAD: user/device information
VLAN 10, VLAN 20, VLAN 30, VLAN 40; SSID A, SSID B, SSID C, SSID D
Cisco SDA
Zero Trust: SDA – Group-Based Access/Policy
SDA pillars: group-based policy, segmentation, endpoint visibility, secure access
Cisco SD-Access – Why Fabric?
Network Considerations
• Simplified deployment and automation
• Consistent policy for wired/wireless networks
• End to end segmentation / optimized user experience
• Scaling flexibility for endpoints, network devices, policy
• Topology independent Layer 2, Layer 3 connectivity
• Flood domain restricted to local switch
• Layer 2 mobility/roaming, no STP
• Traffic steering for Guest or Internet
• Able to achieve end to end segmentation across SDWAN/ACI domains
Security Considerations
• Faster Infosec compliance for E-W isolation, traffic steering to DMZ
• Scaled policy deployments with Macro (VN) and Micro (SGT) segmentation & automated inline SGT propagation
Cisco SDA segmentation
Why: Simplifying Security Policy (slide: a wall of ip access-list entries)
Segmentation: Expectation vs Reality
Expectation: cleanly separated groups – Employees, Common_Services, Building Management, Contractors, Printers.
Reality: the relationships between groups (Common_Services, Employees, …) are unknown (“?”).
Why: Simplifying Security Policy – groups: Employees, Guests, IoT Servers, IoT Devices, Internal Services
Can You See the Business Intent Here:
DMZ-Pod1#show cts role-based permissions
IPv4 Role-based permissions default:
Permit IP-00
IPv4 Role-based permissions from group 4:Employees to group 12:Development_Servers:
Deny IP-00
IPv4 Role-based permissions from group 8:Developers to group 12:Development_Servers:
Permit IP-00
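The egress check that the show cts role-based permissions output above describes, modelled in Python as an added example (not from the slides or Cisco): SHOW_CTS_OUTPUT is a constructed sample with the two cells shown on the slide, and parse_cts_permissions, egress_decision and uncovered_pairs are hypothetical helper names. uncovered_pairs lists SGT pairs that have no explicit cell and therefore inherit the default, which with a permit default is where unintended access hides.

```python
"""Egress SGACL enforcement modelled from `show cts role-based permissions`.
Added example, not Cisco code. SHOW_CTS_OUTPUT is a constructed sample that
reproduces the two cells and the default shown on the slide."""
import re
from dataclasses import dataclass, field

SHOW_CTS_OUTPUT = """\
IPv4 Role-based permissions default:
        Permit IP-00
IPv4 Role-based permissions from group 4:Employees to group 12:Development_Servers:
        Deny IP-00
IPv4 Role-based permissions from group 8:Developers to group 12:Development_Servers:
        Permit IP-00
"""

CELL_RE = re.compile(r"from group (\d+):(\S+) to group (\d+):(\S+):")


@dataclass
class SgaclMatrix:
    """Policy matrix as downloaded to a fabric edge: (src SGT, dst SGT) -> action."""
    default: str = "permit"                      # catch-all cell
    cells: dict = field(default_factory=dict)    # (src, dst) -> "permit"/"deny"
    names: dict = field(default_factory=dict)    # sgt -> group name


def parse_cts_permissions(text):
    """Parse the CLI output into an SgaclMatrix (hypothetical helper)."""
    matrix = SgaclMatrix()
    current = None  # which cell the following ACE lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("IPv4 Role-based permissions default:"):
            current = "default"
        elif line.startswith("IPv4 Role-based permissions from"):
            m = CELL_RE.search(line)
            src, dst = int(m.group(1)), int(m.group(3))
            matrix.names[src], matrix.names[dst] = m.group(2), m.group(4)
            current = (src, dst)
        elif line and current is not None:
            # Simplification: the first ACE of a cell decides; a real SGACL is
            # an ordered ACE list with protocol/port matches.
            action = line.split()[0].lower()
            if current == "default":
                matrix.default = action
            else:
                matrix.cells.setdefault(current, action)
    return matrix


def egress_decision(matrix, src_sgt, dst_sgt):
    """What the egress fabric edge does with a frame carrying src_sgt,
    destined to an endpoint it knows as dst_sgt."""
    return matrix.cells.get((src_sgt, dst_sgt), matrix.default)


def uncovered_pairs(matrix):
    """Pairs of known SGTs with no explicit cell: they inherit the default.
    With a permit default, this is where unintended access hides."""
    sgts = sorted(matrix.names)
    return [(s, d) for s in sgts for d in sgts
            if s != d and (s, d) not in matrix.cells]


if __name__ == "__main__":
    mx = parse_cts_permissions(SHOW_CTS_OUTPUT)
    print("Employees -> Development_Servers:", egress_decision(mx, 4, 12))
    print("Developers -> Development_Servers:", egress_decision(mx, 8, 12))
    print("cells inheriting default", mx.default, ":", uncovered_pairs(mx))
```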
SD-Access Virtual Network (=VRF)
A Virtual Network maintains a separate Routing & Switching instance for the devices within it.
• Control Plane uses Instance ID to maintain separate VRF topologies
• Nodes add VNID to the Fabric encapsulation
• Endpoint ID prefixes (Host Pools) are advertised within Virtual Networks
• Uses standard “vrf definition” configuration, along with RD & RT for remote advertisement (Border)
• Known as ‘Macro-Segmentation’
Diagram: VN “A”, VN “B”, VN “C” inside the fabric (Border nodes B, Control Plane C), with Known and Unknown Networks outside.
SD-Access Scalable Group (=SGT)
A Scalable Group is a logical ID object to “group” Users and/or Devices.
• “Scalable Groups” used to ID and assign a unique Scalable Group Tag (SGT) to Endpoints
• Nodes add SGT to the Fabric encapsulation
• SGTs used to manage address-independent “Group-Based Policies”
• Edge or Border Nodes use SGT to enforce local Scalable Group ACLs (SGACLs)
• Known as ‘Micro-Segmentation’
Diagram: endpoints tagged SGT3, SGT4, SGT6, SGT7, SGT8, SGT11, SGT12, SGT19, SGT23, SGT25 inside the fabric (Border nodes B, Control Plane C), with Known and Unknown Networks outside.
Segmentation Operation in SD-Access Fabric
Diagram: Employee SGT (5) at 10.1.100.1 and Contractor SGT (10) at 10.2.200.6; Cisco ISE provides Authc/Authz; Cisco DNA Center defines the egress policy matrix (source × destination for Employee, Contractor, PLC, with Permit All / Deny All cells); the policy is downloaded to the fabric edge nodes.
• Classification: Dynamic/ISE
• Propagation: SGT in VXLAN
• Enforcement: Egress Fabric Edge
Cisco DNA Center Supporting VN Agnostic SGTs – Zero Trust Simplified
Cisco DNA Center supports VN agnostic SGTs from release 1.3.1 (groups can now officially reside in different VNs).
Use-Case: different Industrial Control Systems segregated at the Macro/VN level but with the same SGT/policy at the Micro level.
Diagram: VN:IACS (Industrial Automation and Control Systems) and VN:PLC (Programmable Logic Controller) behind a Border, both using SGT: IOT – same SGT, same policy.
Policy Extended Node – Zero Trust Extended
Similar to provisioning as an ‘Extended Node’, but inline tagging is enabled on the uplink and policy is now handled by the Policy Extended Node itself.
Initially IE3400 and IE3400H are supported.
Diagram: fabric site with Border nodes and two Fabric Edges (FE1, FE2, VXLAN between them); the Policy Extended Node hangs off FE1 with inline tagging on the uplink, PLC-1 (SGT19 PLC) connected to it; Host 2 (SGT4 Employees) on FE2.
New tool to build segmentation policies: Group-based policy analytics (Magellan), Q2CY20
Policy Modeling – with traffic patterns
• No policy on the network, yet
• Observe and fine-tune for days/weeks
• Unearth critical access that must be allowed / denied
Diagram: observed flows between Employees, Cameras, Media Servers and Log Servers (SSH, WEB, Streaming, Alerts), with unknown flows marked “?”; candidate contracts shown: Cameras – RTP, WWW, Syslog, Any.
Deploy segmentation policies with confidence
Group-based Policies – for segmentation
• No policy on the network, yet
• Deploy: the modeled contracts (Cameras – RTP, WWW, Syslog, Any) are pushed to the network (policy download)
Continuous Monitoring for Policy Assurance
Group-based Policies – for segmentation
• Policy logs (to DNA Center)
• Policy roll-out assurance
• Policy hit counts (e.g. 85%)
Diagram: same groups (Employees, Cameras, Media Servers, Log Servers) and contracts (Cameras – RTP, WWW, Syslog, Any), now with a hit-count overlay.
Bring it all together: Cisco DNAC and ISE – Visibility Driven Segmentation
1. Endpoint Classification: MAC/IP address → endpoint context, identity & group, trust score → context-based Scalable Group assignments
2. Policy Analytics: group-based policy (Employees, Cameras, Media Servers, Log Servers; SSH, WEB, Streaming, Alerts)
3. Policy Enforcement
4. Policy Assurance
Cisco ISE
ISE is at the heart of Cisco’s Zero Trust Solution (ISE 3.0): rapid threat containment, compliance, segmentation, secure access, endpoint visibility
We are enhancing ISE experience further
New UI: consistent UI experience between ISE and DNA Center
Faster & reliable ISE upgrades
Screenshot: deployment of Primary PAN, Secondary PAN and three PSNs (10.10.0.42, 10.10.0.44, 10.10.0.45, 10.10.0.61, 10.10.0.63) at 75% – “Upgrade: Phase 2 (Run) in progress …”, “Completed: OS Upgrade and ISE Install. Status: Importing data”.
Lesser/zero downtime. Better reliability and monitoring. API support for orchestration.
ISE Manager on DNA Center: monitor and manage the ISE system; perform patching and upgrades; license, certificate management and others.
Q3CY20
“Trust” based network access: bringing it all together (DNAC & ISE, Q3CY20)
Inputs to continuous trust evaluation: encrypted/clear communications, posture status, anomalous behavior, vulnerability info, threat metrics, security ecosystem, endpoint telemetry, ML.
Shown: Change of Authorization; access control and threat containment based on continuous trust evaluation; network infrastructure; trust score on a scale of 1–10 (5 shown).
Original Three Tenets of a Zero Trust Network
• Eliminate network trust: assume all traffic, regardless of location, is threat traffic until it is verified that it is authorized, inspected, and secured.
• Segment network access: adopt a least privilege strategy and strictly enforce access control only to the resources users need to perform their job.
• Gain network visibility and analytics: continuously inspect and log all traffic, internally as well as externally, for malicious activity with real-time protection capabilities.
Zero Trust: Segment Network Access – SD-Access Policy Evolution
• New Policy Views
• Policy Migration / Sync with ISE (Start Migration → Policy Migration / Sync with ISE Successful)
• ISE Read-Only Views
Fusion Firewall
Zero Trust with NGFW FMC/FTD 6.5
• Learns IP/SGT via pxGrid; expanded use-cases; insert FTD anywhere in designs
• Flow processing:
• If the packet is tagged, the tag is honored
• If the packet is not tagged, pxGrid information is looked up to derive the tag
• If the packet is not tagged and there is no pxGrid info, no rules with a tag match
* Release 6.5 supports destination SGT and static IP:SGT mappings
Up to 2000 unique SGTs, 64K total user identity entries per FMC
Firepower 6.6 notable changes relevant to SDA
• IP:SGT bindings learned from ISE over pxGrid increased from 64K to 300K
• Supports IPv4 and IPv6
• VRF-lite support via virtual routers
• Route import/export not supported
• Routing between virtual routers: check the 6.6 configuration guide for supported scenarios
• See the 6.6 docs for the maximum supported VRs per FTD model
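The three flow-processing branches above, as an added example in Python (not FTD or Cisco code): PXGRID_BINDINGS, the Packet and Rule classes, first_match and unclassified_sources are constructed names and sample data. unclassified_sources is the defender check for flows that arrive untagged and unmapped, since SGT-based rules never apply to them and whatever non-tag rule follows decides their fate.

```python
"""SGT derivation and rule matching as the slide describes for an SGT-aware
firewall. Added example, not FTD code; bindings, packets and rules are
constructed sample data and all names are hypothetical."""
from dataclasses import dataclass
from typing import Optional

# Constructed IP:SGT bindings, as learned from ISE over pxGrid or configured
# as static mappings.
PXGRID_BINDINGS = {
    "10.1.100.1": 5,   # Employee
    "10.2.200.6": 10,  # Contractor
}


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_sgt: Optional[int] = None  # inline tag on the wire, if any
    dst_sgt: Optional[int] = None


@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    src_sgt: Optional[int] = None  # None: rule does not match on source tag
    dst_sgt: Optional[int] = None  # None: rule does not match on destination tag


def derive_sgt(inline_tag, ip, bindings):
    """Branches from the slide: honour an inline tag; otherwise derive the
    tag from the IP:SGT mapping; otherwise the flow has no SGT (None)."""
    if inline_tag is not None:
        return inline_tag
    return bindings.get(ip)


def classify(pkt, bindings):
    """Source and destination SGT for a packet (destination SGT as in 6.5+)."""
    return (derive_sgt(pkt.src_sgt, pkt.src_ip, bindings),
            derive_sgt(pkt.dst_sgt, pkt.dst_ip, bindings))


def rule_matches(rule, src_sgt, dst_sgt):
    """A rule that names a tag cannot match a flow whose tag is unknown."""
    if rule.src_sgt is not None and rule.src_sgt != src_sgt:
        return False
    if rule.dst_sgt is not None and rule.dst_sgt != dst_sgt:
        return False
    return True


def first_match(rules, pkt, bindings, default="deny"):
    """First-match evaluation; `default` stands in for the implicit last rule."""
    src_sgt, dst_sgt = classify(pkt, bindings)
    for rule in rules:
        if rule_matches(rule, src_sgt, dst_sgt):
            return rule.action
    return default


def unclassified_sources(packets, bindings):
    """Defender check: source IPs whose flows arrive untagged and unmapped,
    so no SGT-based rule will ever apply to them."""
    return sorted({p.src_ip for p in packets
                   if classify(p, bindings)[0] is None})


if __name__ == "__main__":
    rules = [Rule("permit", src_sgt=5), Rule("deny", src_sgt=10)]
    flows = [Packet("10.2.200.6", "10.9.9.9", src_sgt=5),   # inline tag wins
             Packet("10.1.100.1", "10.9.9.9"),              # tag from pxGrid
             Packet("192.0.2.9", "10.9.9.9")]               # no tag, no binding
    for p in flows:
        print(p.src_ip, classify(p, PXGRID_BINDINGS),
              first_match(rules, p, PXGRID_BINDINGS))
    print("unclassified:", unclassified_sources(flows, PXGRID_BINDINGS))
```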
Multi-site Border
Multi-Site Remote Border
Diagram: Fabric Sites 1–3 (each with Control plane/Border, WLC, Employee and Guest users) anchor their Guest traffic to Fabric Site 4 in the DMZ (Anchored Guest); Employee traffic stays local.
Why?
• Without Multi-Site Remote Border, it is necessary to assign a subnet for each site mapped to a VN, as subnets are unique to a site and cannot be stretched across sites.
• With Multi-Site Remote Border, all traffic for any VN (for example Guest at each site) tunnels back to a central location over VXLAN, allowing a single subnet to be deployed across all sites.
• Since this allows a more centralized and simplified subnet structure, VN anchoring is an ideal fit for environments where all untrusted traffic must be sent to a firewall in the DMZ.
• This is applicable to any VN whose traffic needs to be terminated at a remote site.
Multi-Site Remote Border
Diagram: Fabric Sites 1–3 with Employee, Guest and IoT VNs; Guest VN anchored to Fabric Site 4 (DMZ), IoT VN anchored to Site 2; WLCs are Cat9800 appliance or Cat9800 Cloud wireless controllers.
• The common VN at which the traffic from other VNs arrives is called the “Anchored VN”.
• A VN which sends its traffic to the Anchored VN, sharing its control plane and Border nodes, is called the “Anchoring VN” (or “Inherited VN”).
• Employee VN traffic goes through the site-local Border.
• Guest VN traffic is served through the Remote Border at the DMZ.
• IoT VN traffic is selected to go through the Border at Site 2.
• WLC can be AireOS or Cat9800, with WLCs in each site.
Take the traffic out the way you want. This is a Border for multiple sites, hence the name.
Multi-Site Remote Border – Design Considerations
Diagram: Fabric Sites 1 and 2 (Employee VN local, Guest VN anchored) connected over IP/SDA Transit to Fabric Site 3 in the DMZ (Border B and Control plane C for the Guest VN).
• MTU should be taken care of between Anchored/Anchoring VNs, as overlay traffic terminates at the B/CP of the Anchored VN site.
• Edge nodes in Anchoring sites need IP reachability to the RLOC of the CP/Border in the Anchored site and to edges across sites.
• AireOS WLC can hold up to 2 CP pair entries.
• Catalyst 9800 can hold up to 16 CP pairs.
• Border and CP can be co-located or distributed at the Anchored site.
• IP Pool limit per site will remain the same.
• Multiple VNs can be Anchored across sites.
• Seamless roaming isn’t supported.
Multi-Site Remote Border – Migration
• Customers can have either a Wireless Guest VN or an Anchor VN, but not both.
• If a Guest VN with Guest devices is present, then VN Anchoring is not allowed. Existing sites with a dedicated Guest Border-CP will continue to operate.
• Adding new Guest devices is not permitted with this new release. Multi-Site Remote Border is the recommended way to achieve the Guest workflow.
• If a new Guest Border-CP needs to be added, then remove the old Guest flow and use the configuration flow of Multi-Site Remote Border.
Multi-Site Remote Border
Diagram: Cisco SD-Access Site 4 (Anchoring IoT) and Site 23 (Anchored IoT, Border B and Control plane C) connected over IP Transit; addresses 192.168.0.16 and 192.168.0.32 shown.
Flex Connect with Over the Top (OTT) in SD-Access Wireless
Features coming in 2.1.1.1
✓ IPv6 for SD-Access Wireless – C9800, C9800-CL, Embedded Wireless
• Flex Connect with Over the Top (OTT) in SD-Access Wireless
• N+1 HA and Rolling AP upgrade with C9800 and AireOS
Use-Case – Why? Flex Over The Top (OTT) – why is this needed?
• Flex Connect enables customers to configure and control access points (APs) in a branch or remote office from the corporate office through a wide area network (WAN) link without deploying a controller in each office.
• With Flex OTT we can support central switched SSIDs and local switched SSIDs.
• Historically with the SD-Access solution, there was a requirement to have a Wireless LAN Controller in every SD-Access site.
• Supported platforms: WLC 5520, 8540, C9800, C9800-CL; AP-1800, AP-2800, AP-3800, AP-4800; AP-9115, AP-9117, AP-9120, AP-9130
Traditional Use-Case: what is Over the Top (OTT) in SD-Access?
• WLCs connect external to the fabric
• Border advertises the WLC Management subnet to the Fabric
• Border advertises Fabric prefixes to the WLC Management network
• One subnet for APs across the entire Fabric in the Campus
• APs get registered in the Host Tracking Database (CP) as wired clients
• Simplified IP design for AP onboarding (one subnet)
Feature – How? Flex Over The Top (OTT) – how does it work?
• The Flex WLC is connected to Fabric site SJC24, which is the Campus or Headquarters. APs are connected directly to the Fabric Edge nodes of the SJC22 branch.
• APs learn about the Flex WLC in SJC24 via DHCP server option 43 and create a CAPWAP tunnel between the AP in SJC22 and the Flex WLC in SJC24.
• The Over the Top (OTT) SD-Access capability is used, where CAPWAP tunnels between the APs and the WLC run as overlays to the fabric network.
• The fabric is a transport for CAPWAP.
• Control plane traffic goes to the centralized Flex WLC. Data traffic is locally switched in the fabric.
• The WLC is not fabric enabled.
Diagram: Campus SJC24 (Control plane/Border pair, Flex WLC) and Branch SJC22.
Cisco DNAC Workflow: Create Flex SSID
Brownfields R&S to SD-Access Migration
• SDA compatibility matrix: http://cs.co/sda-compatibility-matrix
• Please note the Cisco recommended versions for stability. Do not upgrade simply because the option is available.
SDA now for both greenfield & brownfield networks
• Cisco SD-Access (Fabric Edge at access, routed access; macro and micro segmentation) – Model: macro and micro-segmentation with Fabric and routed access. Sell to architecture buyers.
• SDA Policy Extended Node (C9K as PEN at L2 access, Fabric Edge at distribution) – Model: Layer-2 access with Cat9K as “Policy Extended Node” (PEN), SDA fabric from the distribution layer. Sell to customers that want to retain their L2 access policies.
• GBAC without Fabric (inline tagging with no fabric, L2 access) – Model: Cisco DNAC templates for traditional GBAC (TrustSec) configuration. Sell to customers with “SDA-ready” infrastructure that haven’t moved to routed access yet.
Group based policy across | Deployment Flexibility | SD-Access caters to every Network
(Network & Group Segmentation with Fabric-based Network Automation; SD-Access with group segmentation)
Fabric (Fabric Edge at access, routed access; macro and micro segmentation):
• Group-Based Policy: ACA, DCS, Magellan, and ISE
• Network Segmentation leverages Fabric for VN definition & Group Segmentation
• Automated connectivity
• Wireless: Fabric Enabled Wireless, FlexConnect
• Preferred by Architecture Buyers
Fabric with Policy Extended Node (C9K as PEN at L2 access, Fabric Edge at distribution) – when to use C9K as PEN:
• Brownfield migration
• Customers with existing C9K infra as L2 access
• Customers don’t want to change the existing L2 configurations
• Customers want to keep routed access at distribution
• Achieve VLAN by VLAN (port by port) migration into fabric
GBAC without Fabric (inline tagging with no fabric; micro segmentation):
• Group-Based Policy: ACA, DCS, Magellan, and ISE
• No Fabric. Only Group Segmentation.
• Manual or template programmer-based Network Segmentation
• Wireless: Flex AP or Centralized Wireless
• Preferred by Mid-Market Buyers or for Branches (simpler or legacy networks)
• Unlock segmentation value with “SDA-Ready” Infra Refresh
What does the customer need?
Fabric (macro and micro segmentation)
Network:
• End to end L2 mobility (wireless and IoT segments) across the network
• Flexibility to deploy integrated wireless – network and policy
• VN at the access layer to enable policy-based traffic steering for Guest or Internet
• Scale beyond 6K endpoints per distribution cluster – a function of FE at access
• Flooding domain restricted to the local access switch
• Topology independence – access switches can connect to more than a pair of distribution switches
Security:
• VN at access for Infosec compliance: east-west isolation, traffic steering to DMZ for untrusted traffic
• Scaled policy deployments with Macro (VN) and Micro (SGT) segmentation & automated inline SGT propagation
Fabric with Policy Extended Node*
Network:
• Cannot change to routed access
• Needs VLAN by VLAN (port by port) traditional policy migration to fabric-based GBAC
• Has less than 6K endpoints per distribution cluster – a function of fabric edge at distribution
• Okay with flooding domain expanded up to the distribution layer & its associated access layer switches
• Okay with limited topology – L2 access switch can connect to a pair of distribution switches running in SVL mode, working as one fabric edge
• If a VLAN is migrated to fabric, then FEW is supported; if not, it behaves like traditional wireless
• All Fabric network considerations in Option A apply, starting at FE at distribution
Security:
• All Fabric security considerations in Option A apply, starting at FE at distribution
GBAC without Fabric*
Network:
• Okay with network automation using templates, or network already set up
• Intermediate devices need to be capable of inline tagging
• Doesn’t need Fabric benefits for the network, such as flood domain reduction, integrated wireless, traffic steering with VNs, topology independent Layer 2 / Layer 3 connectivity
Security:
• Micro (SGT) segmentation only
* Roadmap
FE access port with unintelligent switch
• Use an extended node if possible
• An “intelligent” switch consumes EAPoL, which breaks 802.1X between the FE and endpoints
• An “unintelligent switch” is one that does not consume EAPoL
• Finding a switch that behaves this way is the responsibility of the partner / customer
• Unintelligent switch tradeoffs: microsegmentation between endpoints physically connected to the unintelligent switch is lost; assurance and automation are not possible for the unintelligent switch; Cisco TAC does not support the unintelligent switch
• An unintelligent switch connected to an FE is supported; make sure the tradeoffs are clearly understood
• Each endpoint can be dynamically authorized into a different network and SGT
• An FE edge port supports a maximum of 10 IP addresses; the 11th IP address is dropped by the FE. IPv6 hosts will have multiple IP addresses, typically 3–4 per host
FE trunk port with 3rd party intelligent switch
• Use an extended node if possible
• 3rd party intelligent switch tradeoffs: microsegmentation between endpoints physically connected to the 3rd party switch is lost; assurance and automation are not possible for the 3rd party switch; Cisco TAC does not support the 3rd party switch; the FE server port does not authenticate downstream endpoints
• A 3rd party switch connected to an FE “server” port is supported; make sure the tradeoffs are clearly understood
• The 3rd party switch must be manually configured with a trunk uplink and access ports to match the DNAC-automated FE VLANs
• An FE server port (trunk) supports a maximum of 100 IP addresses; the 101st IP address is dropped by the FE. IPv6 hosts will have multiple IP addresses, typically 3–4 per host
Diagram: FE with DNAC-automated SVI1/SGT1 and SVI2/SGT2 over a trunk to a manually configured 3rd party switch.
SDA and L2
L2 flooding in SDA
• Disabled in the IP pool by default. Enable selectively and sparingly
• If enabled in an IP pool, the pool floods Ethernet broadcast and link-local multicast in the overlay
• Does not flood unknown unicast
• L2 flooding in some scenarios helps register silent hosts connected to the fabric with the CP. The next slide elaborates
• Otherwise we can force a silent host to register with the LISP CP by hardcoding its IP/MAC into IPDT on the FE switch CLI. Not a scalable workaround, but effective
• Wake on LAN where source and destination are in the same subnet works with L2 flooding because it uses Ethernet broadcast
• Wake on LAN where the source is remote does not work well yet – directed broadcast
• There are some workarounds; please consult the technical presales team
• A permanent and automated fix is on the roadmap for later this year
Stackwise Virtual 9500 and 9500H supported in 1.3.3+ with 16.12.2t+
L2 border – deployment model (for your reference)
Diagram: SDA Fabric with Hosts 1 and 2 attached to Fabric Edge nodes in Address Pool (1024), 10.1.1.0/24, and Host 3 attached to a traditional access switch in VLAN (300), 10.1.1.0/24, connected through a port-channel trunk port to a Stackwise Virtual Layer 2 Border.
* Dual-homing requires L2 MEC to prevent L2 loops
Other platforms are also supported in the L2 border role. See BRKCRS-3493 or the SDA TDM for more details on platforms and restrictions.
L2 border for gateway outside of fabric
• Always try to use an anycast SVI on the fabric edge switches instead of an external default gateway
• FE SVI = routing efficiency, no hairpin on the external gateway
• FE SVI = E-W SGT more easily preserved
• If not possible, then solve the requirement using an L2 border. Please consult with your technical presales team on suitability and design before proceeding
• A proper / final DNAC workflow to solve this scenario is on the roadmap
Diagram: Host 1 (10.1.1.22/24) and Host 2 (10.1.1.33/24), both with default gateway 10.1.1.1, on fabric edges; external gateway (e.g. firewall or captive portal) at 10.1.1.1/24 behind a Layer 2 Border (single chassis or 9500/9500H Stackwise Virtual).
What about L2 intersite?
• Multi-site Remote Border (previously known as VN anchoring) should become the preferred solution as of the SDA 2.1.1 release. It:
• Is DNAC automated
• Tunnels traffic in VXLAN over the existing underlay. No L2 border and no L2 handoff (L2HO) required
• Inherently preserves VN and SGT information, via VXLAN
• Should solve all the same use cases as L2 intersite
• Please check with an SME if there is a potential L2 intersite use case that is not solved by Multi-Site Remote Border
For your reference: L2 intersite was introduced in SDA 1.3.3. It enables extension of IP pools between fabric sites over L2 borders
SDA User Defined Network (UDN)
UDN - User Defined Network: enriching user experience in shared network environments
University Campus
Key Benefits
✓ Home-like user experience
✓ Limit access to personal devices
✓ Ability to invite users into a personal network
✓ Secure on-boarding of personal devices
✓ Ability to register devices from the home network through an app
✓ Restrict mDNS, UPnP, broadcast and unicast traffic
✓ Complete visibility with Cisco DNA Assurance
[Figure: dorm with "Dorm .1X" and "Dorm PSK" SSIDs; two users, Eddy and Mary, each with their own User Private Network. UDN app screenshot with "My devices" and "My guests" views, "Add another device" and "Add a guest to my network" actions, listing Mary's iPad and Eddy's Alexa, Apple TV, iPhone and Xbox as "Connected to the network" with vendor and MAC address]
SDA and SDWAN
SDA Deployments
[Figure: SD-Access Fabric Site #1 and Site #2, each with border (B) and control plane (C) nodes and fabric nodes, connected through a transit with routers; DNA Center and ISE manage both sites. Legend: SDA Border Node, SDA CP Node, Router, SDA Fabric Node]
Current deployments - Alternatives
• DMVPN
– Manual mapping and routing of VNs
– Macro/micro segmentation works
– TCP adjust MSS
• Cisco SD-Access Transit
– DNAC provides automation
– SGTs and VNs are preserved
– MTU consideration
– TCP adjust MSS
SDA/SDWAN Interoperation today
[Figure: SD-Access Fabric Site #1 and Site #2 (border B, control plane C, fabric nodes) each hand off with BGP and IP VRF-Lite to a cEdge of the SD-WAN fabric (IPsec data plane, OMP control plane, vManage); LISP inside each site; DNA Center manages the SDA sites. Legend: SDA Border Node, SDA CP Node, cEdge, SDA Fabric Node. * Last option]
Current deployments
• Cisco DNA Center automates the SD-Access sites
• The SD-Access border hands off to the cEdge using IP transit
• Manual handoff between the SDA border and the cEdge
• Challenge with SGT propagation using SXP
SD-Access to SD-WAN Phase 1 Integration
SDA to SD-WAN: supported deployment model - One-Box
What is in Ph1?
• Enable SDA for the distributed enterprise
• Deployment flexibility for the lean branch
• Co-located SDA border, CP and SD-WAN edge on a single ISR/ASR (cEdge) device
• DNAC configures the SDA border node via vManage
• Context transport over SD-WAN
• LISP-OMP route redistribution on the control path
• Extract and transport the SGT across the SD-WAN data plane
• EFT in April, then LA by 2.1.1.x and GA by July
• Supported from 17.2.1 and later
[Figure: two SD-Access fabric sites joined across the SD-WAN fabric by a one-box cEdge that is also SDA border and CP. Control plane (1): LISP inside the site, OMP across SD-WAN, DNA Center and vManage above. Data plane (2): inside the fabric a VXLAN header carries the VNID (24 bits) and the SGT (16 bits); across SD-WAN the IPsec header, an MPLS label carrying the VNID and a CMD header carrying the SGT (16 bits) transport the same context, and the far-side border re-encapsulates into VXLAN with VNID and SGT. Legend: SDA Border Node, SDA CP Node, cEdge, SDA Fabric Node]
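The encapsulation that lets Multi-Site Remote Border (in the L2 section above) and the Phase 1 SD-WAN integration carry VN and SGT end to end, as an added example that is not code from this deck or from Cisco: a Python builder and parser for the VXLAN Group Policy Option header, which is where the 24-bit VNID and the 16-bit SGT actually live. The VNID 4099, SGT 17, the MAC addresses and the group translation table are constructed values, and the translate step models the border's SGT/EPG rewrite logically on a VXLAN-GPO header rather than ACI's own iVXLAN bit layout.

```python
"""
Added example (not Cisco code): build and parse the VXLAN Group Policy Option header
(VXLAN-GPO, draft-smith-vxlan-group-policy), the encapsulation SD-Access uses so that
the 24-bit VNID (the VN) and the 16-bit SGT travel inside every overlay packet.

8-byte header, network byte order:
  byte 0   : G R R R I R R C   G = group policy ID present, I = VNI valid
  byte 1   : R D R R A R R R   D = don't learn source, A = policy already applied
  bytes 2-3: Group Policy ID   = SGT (16 bits)
  bytes 4-6: VNI (24 bits)
  byte 7   : reserved (0)
VNID 4099, SGT 17 and the MAC addresses below are constructed sample values.
"""
import struct

VXLAN_UDP_PORT = 4789
FLAG_G = 0x80          # byte 0: Group Policy ID field is valid
FLAG_I = 0x08          # byte 0: VNI field is valid
FLAG_D = 0x40          # byte 1: don't learn
FLAG_A = 0x08          # byte 1: policy applied


def build_vxlan_gpo(vnid: int, sgt: int, policy_applied: bool = False) -> bytes:
    """Encapsulation side: put VN (VNID) and SGT into one VXLAN-GPO header."""
    if not 0 <= vnid < (1 << 24):
        raise ValueError("VNID must fit in 24 bits")
    if not 0 <= sgt < (1 << 16):
        raise ValueError("SGT must fit in 16 bits")
    flags0 = FLAG_G | FLAG_I
    flags1 = FLAG_A if policy_applied else 0
    # VNI occupies the top 24 bits of the last 32-bit word; the low byte is reserved.
    return struct.pack("!BBHI", flags0, flags1, sgt, vnid << 8)


def parse_vxlan_gpo(hdr: bytes) -> dict:
    """Decapsulation side: recover VNID and SGT. Plain VXLAN (G bit clear) yields sgt=None."""
    if len(hdr) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    flags0, flags1, gpid, vni_word = struct.unpack("!BBHI", hdr[:8])
    if not flags0 & FLAG_I:
        raise ValueError("I bit clear: no valid VNI")
    return {
        "vnid": vni_word >> 8,                    # reserved low byte is ignored
        "sgt": gpid if flags0 & FLAG_G else None,
        "policy_applied": bool(flags1 & FLAG_A),
        "dont_learn": bool(flags1 & FLAG_D),
    }


def decap(datagram: bytes) -> dict:
    """Split a VXLAN UDP payload into header fields plus the inner frame's addressing."""
    fields = parse_vxlan_gpo(datagram[:8])
    inner = datagram[8:]
    if len(inner) < 14:
        raise ValueError("inner Ethernet frame truncated")
    fields["inner_dst_mac"] = inner[0:6].hex(":")
    fields["inner_src_mac"] = inner[6:12].hex(":")
    fields["inner_ethertype"] = struct.unpack("!H", inner[12:14])[0]
    fields["is_broadcast"] = inner[0:6] == b"\xff" * 6
    return fields


def translate_group(datagram: bytes, table: dict) -> bytes:
    """Border-style rewrite of the 16-bit group field (the SGT-to-EPG step in this deck),
    touching only bytes 2-3 so VNID and flag bits survive. Unmapped groups are refused
    rather than forwarded with a group the far side would misclassify."""
    fields = parse_vxlan_gpo(datagram[:8])
    if fields["sgt"] not in table:
        raise KeyError(f"no mapping for group {fields['sgt']}")
    return datagram[:2] + struct.pack("!H", table[fields["sgt"]]) + datagram[4:]


# Constructed sample: an ARP broadcast (the kind of frame L2 flooding carries across
# the overlay) from a host in VN 4099 tagged SGT 17. Inner frame = 14-byte Ethernet
# header plus a zeroed 28-byte ARP body, enough for the fields this example reads.
SAMPLE_DATAGRAM = (
    build_vxlan_gpo(4099, 17)
    + bytes.fromhex("ffffffffffff")      # dst MAC: broadcast
    + bytes.fromhex("001122334455")      # src MAC
    + b"\x08\x06"                        # EtherType ARP
    + bytes(28)
)

if __name__ == "__main__":
    print(decap(SAMPLE_DATAGRAM))
    print(decap(translate_group(SAMPLE_DATAGRAM, {17: 0xC001})))
```

Both the VN and the group survive the parse, which is the property the deck attributes to VXLAN transit; an IP (VRF-Lite) handoff strips this header, which is why SGT propagation there falls back to SXP or inline tagging.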
Platform Support
• ISR 433X (8G and above) and 44XX models
• ASR 1001X/HX, 1002X/HX
• No support on:
– ISR 42XX
– vEdges
– ISRv/CSR
– ISR C1100 Series
Management Model
[Figure: DNA Center and vManage exchange REST calls; vManage pushes NETCONF/YANG to the cEdge, which runs OMP with vSmart/vBond over the WAN underlay; the cEdge sends Syslog/SNMP to DNA Center. DNA Center holds read and write permission on the SDA side of the cEdge, vManage on the WAN side]
SDA Side
• vManage credentials
• Service-level VN configuration
• SDA side routing configuration
– Interfaces, VXLAN
– Routing (LISP)
• Provision SDA LAN Automation subnet
• SDA VN to SD-WAN VPN mapping
• Assurance: Syslog/SNMP config
WAN Side
• All SD-WAN configuration and policy except
– No LAN side templates (greyed out)
– All Assurance
– Syslog/SNMP override (if desired)
NOTE: the cEdge must have no existing service-side configuration before it can be designated as a border
SDA and ACI (Ph2)
Policy Plane Integration Today
• Policy plane integration using ISE and APIC
• SGT/EPG exchange between ISE and APIC
• SGT/EPG mapping and translation at the SDA/ACI borders
• Policy enforcement possible in SDA, in ACI or in both
Design Considerations:
• IP-SGT mapping scale of the SDA border
• /32 host mapping scale of the border leaf
• ISE is not "VRF aware"
• Single ACI tenant
[Figure (current deployment): SD-Access fabric with border nodes (B) connected through a fusion device to an ACI border leaf. Management and policy: ISE and APIC exchange SGTs and EPGs with their associated IPs; SXP from ISE towards the border. Control plane: LISP in the fabric, BGP/IGP towards ACI. Data plane: VXLAN+SGT in the fabric, VRF-Lite to ACI]
SDA to ACI Integration
What is Ph2?
• Tentative plan is to have EFT in June and GA in July/August
• Automation of the SDA border and ACI border leaf devices (VXLAN and BGP-EVPN between campus and ACI)
• Multi-VRF support
• Group exchange between ISE/APIC
• Group mapping and translation at the SDA/ACI borders
• Policy enforcement possible in SDA or ACI or both
More details will be provided closer to release
[Figure: users in the SD-Access fabric (border: ASR 1K) connected to an ACI border leaf. Management and policy: the SDA side holds user and device groups, BGP neighbors and VNs; APIC holds app groups, VRFs, BGP neighbors and IP-EPG mappings; the two exchange groups. Control plane: LISP on the SDA side, COOP on the ACI side, BGP/EVPN between them (class ID, 24 bits). Data plane: VXLAN header with VNID (24 bits) and SGT (16 bits) in the campus, iVXLAN header with VNID (24 bits) and EPG (16 bits) in ACI, with SGT-EPG and EPG-SGT translation at the borders]
Multidomain innovations
Cisco's new architecture is integrated to interconnect EVERY domain of the expanded enterprise: OT, Campus, Branch, DC, Cloud, SP, Security
ONLY CISCO
Multidomain: SDA and SD-WAN Integration - SD-WAN transit transparently connects user groups to Branch/DC
[Figure: campus SDA fabric (VN1, VN2, VN3) with borders to the SD-WAN fabric and on to the branch; two-box model (separate SDA border and cEdge) and one-box model (cEdge and SDA border combined); DNA Center and vManage integrated through REST APIs. Q3CY20]
• Overlay interconnect between SDA and SD-WAN
• End-to-end segmentation between SDA sites: VNs → SD-WAN VPN
• SGT transport over SD-WAN: SGT-o-IPSec
• DNA-C and vManage integration for configuration: single pane of glass to manage multi-domain policies
• One-box automation: Cyclops
• 2-box automation: Roadmap
Multidomain: SDA and ACI Integration - consistent access policies throughout the enterprise
[Figure: users in the campus SDA fabric connected over the underlay network with BGP-EVPN / VXLAN to the New York City and San Francisco ACI data centers; automated mappings between SGT and EPG. Data plane: VXLAN header with VNID (24 bits) and SGT (16 bits) on the campus side, iVXLAN header with VNID (24 bits) and EPG (16 bits) in ACI; at the border, EPG-SGT translate and re-classify IP into SGT, SGT-EPG translate and re-classify IP into EPG. Control plane: LISP in the campus, COOP in ACI. User groups on the campus side, app groups in APIC. Q3CY20]
• Overlay interconnect automation (BGP-EVPN and VXLAN)
• Multi-VRF support
• SGT/EPG mapping and translation at the SDA/ACI borders
• Policy enforcement in SDA/ACI borders
• SDA-ACI mappings: Shipping
• Scalable data plane integration: Cyclops
• Multi-site ACI: Roadmap
Security as a Service with Firewall integration - firewall as a fabric gateway
[Figure: SDA fabric with an IoT VN (groups HVAC, IPTV) and a Contractor VN (groups Maintenance, Auditor); a DNAC-managed Cisco ASA firewall acts as the default gateway and inspects inter-VN and inter-SGT* traffic. Layer-2 flooding is enabled under the IP pool settings]
* With SGT+VLAN assignment and Layer 2 flooding enabled
• Addresses compliance and security audit needs for certain industries
• ASA 5500 Series firewall device management in DNAC
• Stateful traffic inspection between VNs and SGTs* in a fabric
• DNAC border handoff to ASA firewall automation: Roadmap (1HCY21)
Takeaways: X-Domain
✓ Cross-domain integration
➢ A must-have for any network
➢ otherwise the separate SDN policy domains will each be a "thing in itself"
✓ Cross-domain integration at Cisco
➢ ACI - SDA
➢ SDA - SDWAN
➢ ACI - SDWAN
➢ SDN + Security
❑ Cisco builds bridges between the different SDN domains, uniting them into a single infrastructure