SD-Access Wireless: why would you care?

Post on 20-Jul-2020

TRANSCRIPT

Page 1: SD-Access Wireless: why would you care? · AD LDAP MDM IPAM SW DMZ Internet Architecture Benefits: ... EID IP VXLAN underlay UDP AP removes the 802.11 header AP adds the 802.3/VXLAN/underlay

SD-Access Wireless: why would you care?

Page 2: CUWN Architecture - Centralized Overview (Traditional Campus)

Architecture Benefits:
• Overlay: works on any wired network
• Simplified Access switch configuration
• Single point of Ingress for wireless traffic
• Easy seamless mobility
• Simplified IP addressing for wireless
• Centralized Management
• Easy wireless Guest tunneling solution

Customers may NOT like:
• Limited scalability for East-West traffic
• Separated policies for wired and wireless
• Different enforcement point for wired and wireless
• Lack of visibility between WLC and APs

[Diagram: traditional campus with shared services (WLC, DHCP, DNS, NTP, SMTP, AAA, AD, LDAP, MDM, IPAM, SW, DMZ, Internet); Local mode AP (AP1) on traditional switches (Switch1, Switch2); CAPWAP Control & Data to the WLC; EoIP Tunnel to the Anchor WLC; SSID Employee and SSID Guest. Callouts: Policy Definition / Enforcement Point for Wi-Fi clients; Policy Definition and Enforcement Point for wired clients; Client keeps same IP address while roaming; Wireless VLANs are centrally defined; Single point of Ingress to wired network; Packet to wired.]

Page 3: CUWN Architecture - FlexConnect Overview

Architecture Benefits:
• Overlay: works on any wired network
• Centralized Management / Lean IT
• Branch cookie cutter configuration
• Distributed data plane
• Reduced hardware footprint at the branch
• Built-in resiliency (WAN survivability for locally switched traffic)

Customers may NOT like:
• Separated policies for wired and wireless
• Different enforcement point for wired and wireless
• No Layer 3 roaming support
• Limited seamless roaming scope (FlexConnect Group)
• Additional configuration on the access switch (trunk and allowed VLANs)

[Diagram: Data Center with the WLC and shared services (DHCP, DNS, NTP, SMTP, AAA, AD, LDAP, MDM, IPAM, SW, DMZ, Internet/WAN); Branch with Flex mode APs on traditional switches over a dot1q trunk; CAPWAP Control & Data across the WAN. Callouts: Centralized Management for all branches; Distributed Data plane; No Controller at the branch.]

Page 4: Converged Access Architecture Overview

Architecture Benefits:
• Distributed Data Plane: scalability
• One Policy enforcement point for wired
• Reduced HW footprint and less devices to manage (branch is the sweet spot)
• One common software
• Policies enforced at the edge
• Wireless traffic visibility at the edge
• Easy wireless Guest tunneling solution

Customers may NOT like:
• Distributed Management plane
• Multiple wireless touch points
• Wired and wireless software dependencies
• Anchoring solutions for seamless mobility
• Support for Local mode AP only
• Lack of feature parity with CUWN

[Diagram: CA Network with WLC and shared services (DHCP, DNS, NTP, SMTP, AAA, AD, LDAP, MDM, IPAM, SW, DMZ, Internet); Switch1 and Switch2 each with a Mobility Agent (MA), a Mobility Controller (MC), MA to MA tunnels; Local mode AP with CAPWAP Control & Data; Anchor WLC reached over an EoIP tunnel; SSID Employee and SSID Guest. Callouts: Switch is the Policy Enforcement for wired and wireless; Guest Tunnel through the MC; Packet to wired; For roaming, traffic is anchored back to the original switch.]

Page 5: What is the Problem? Policy Model Today

Policy is based on the “5 Tuple”:
• Only transitive information
• Survives end to end

Network Policy:
• QoS
• Security
• Redirect/copy
• Traffic engineering
• etc.

[Diagram: packet crossing the Enterprise Network, with PAYLOAD DATA and the header fields IP SRC, IP DST, PROT, DST PORT, SRC PORT, DSCP.]

Page 6: What is the Problem? Policy Model Today

Network Policy works on the packet header (IP SRC, IP DST, PROT, DST PORT, SRC PORT, DSCP). User/device info?

IP ADDRESSES: IP Address “meaning” OVERLOAD
§ Locate you
§ Identify you
§ Drive “treatment”
§ Constrain you

[Diagram: SSID A, SSID B, SSID C and SSID D mapped onto VLAN 10, VLAN 20, VLAN 30 and VLAN 40, with the resulting extended ACL:]

access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165
access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428
access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511
access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945
access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116
access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959
access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993
access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384

6
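The 5-tuple policy model of pages 5 and 6 can be made concrete with a small evaluator. The Python below is an added example, not part of the deck: it parses extended ACL lines in the form shown on the slide (address plus wildcard mask, eq/gt/lt port operators; "any" and "host" are accepted as well), evaluates a packet's 5-tuple against them with first-match and implicit-deny semantics, and then shows the "IP address meaning overload" point: the same employee device gets a different verdict as soon as it lands in another VLAN, because the ACL can only see its address. The sample ACL, the 10.10.x.x addresses and the AclEntry/FiveTuple names are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Parser and first-match evaluator for Cisco-style extended ACL entries (added example,
# not from the deck). Wildcard semantics: a 1 bit in the mask means "don't care".

PortSpec = Optional[Tuple[str, int]]   # ("eq" | "gt" | "lt", port) or None for "any port"


@dataclass(frozen=True)
class AclEntry:
    action: str        # "permit" or "deny"
    proto: str         # "ip", "tcp", "udp" or "icmp"
    src: int           # source address as a 32-bit int
    src_wc: int        # source wildcard mask
    src_port: PortSpec
    dst: int
    dst_wc: int
    dst_port: PortSpec


@dataclass(frozen=True)
class FiveTuple:
    proto: str                # "tcp", "udp" or "icmp"
    src_ip: str
    dst_ip: str
    src_port: Optional[int]   # None for icmp
    dst_port: Optional[int]


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tok: List[str], i: int) -> Tuple[int, int, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tok[i]; returns (addr, wildcard, next index)."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    return _ip(tok[i]), _ip(tok[i + 1]), i + 2


def _parse_port(tok: List[str], i: int) -> Tuple[PortSpec, int]:
    if i < len(tok) and tok[i] in ("eq", "gt", "lt"):
        return (tok[i], int(tok[i + 1])), i + 2
    return None, i


def parse_acl_line(line: str) -> AclEntry:
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACL entry: {line!r}")
    action, proto = tok[2], tok[3]
    src, src_wc, i = _parse_addr(tok, 4)
    src_port, i = _parse_port(tok, i)
    dst, dst_wc, i = _parse_addr(tok, i)
    dst_port, i = _parse_port(tok, i)
    if i != len(tok):
        raise ValueError(f"unexpected trailing tokens in {line!r}")
    return AclEntry(action, proto, src, src_wc, src_port, dst, dst_wc, dst_port)


def parse_acl(text: str) -> List[AclEntry]:
    return [parse_acl_line(ln) for ln in text.splitlines() if ln.strip()]


def _addr_ok(addr: int, want: int, wc: int) -> bool:
    care = ~wc & 0xFFFFFFFF          # bits that must match
    return addr & care == want & care


def _port_ok(port: Optional[int], spec: PortSpec) -> bool:
    if spec is None:
        return True
    if port is None:                 # entry wants a port but the packet has none (icmp)
        return False
    op, val = spec
    return {"eq": port == val, "gt": port > val, "lt": port < val}[op]


def evaluate(acl: List[AclEntry], pkt: FiveTuple) -> Tuple[str, Optional[int]]:
    """First matching entry wins; no match hits the implicit deny (index None)."""
    s, d = _ip(pkt.src_ip), _ip(pkt.dst_ip)
    for idx, e in enumerate(acl):
        if (e.proto in ("ip", pkt.proto)
                and _addr_ok(s, e.src, e.src_wc) and _addr_ok(d, e.dst, e.dst_wc)
                and _port_ok(pkt.src_port, e.src_port) and _port_ok(pkt.dst_port, e.dst_port)):
            return e.action, idx
    return "deny", None


# Constructed ACL: 10.10.20.0/24 is the "Employee" VLAN, 10.10.30.0/24 the "Contractor" VLAN,
# 10.10.100.0/24 the production servers.
SAMPLE_ACL = parse_acl("""
access-list 102 permit tcp 10.10.20.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 443
access-list 102 deny tcp 10.10.30.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 443
access-list 102 permit udp any host 10.10.100.53 eq 53
access-list 102 permit icmp any any
""")


def employee_verdicts() -> Tuple[str, str]:
    """Same employee laptop, same destination, before and after it lands in the contractor VLAN:
    the ACL has no notion of the user, only of the address the DHCP scope handed out."""
    on_employee_vlan = FiveTuple("tcp", "10.10.20.15", "10.10.100.7", 51000, 443)
    on_contractor_vlan = FiveTuple("tcp", "10.10.30.15", "10.10.100.7", 51000, 443)
    return evaluate(SAMPLE_ACL, on_employee_vlan)[0], evaluate(SAMPLE_ACL, on_contractor_vlan)[0]
```

Every new group in this model means a new subnet, a new DHCP scope and another run of ACL entries on every enforcement point, which is exactly the rollout sequence page 7 lists.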

Page 7: What is the Problem? User Group policy rollout - Today

What if You Need to Add Another Group & Policy? Multiple Steps and Touch Points:

1. Define Groups in AD
2. Define Policies
   § VLAN/subnet based
3. Implement VLANs/Subnets
   § Create VLANs
   § Define DHCP scope
   § Create subnets and L3 interfaces
   § Routing for new subnets
   § Map SSID to Interface/VLAN
4. Implement Policy
   § Define ACLs
   § Apply ACLs
5. Many different User Interfaces
   AAA, WLC, Devices CLI, ….

[Diagram: BYOD, Employee and Contractor users on One SSID; WLAN, L2 Switch, Trunks, L3 Switch, Trunk, LAN Core; Production Servers, Developer Servers; AAA, DHCP, AD.]

7

Page 8: What is the Problem? User Group policy rollout - Today

§ Customer Policy requirements:
  § Three user Groups (Employee, BYOD, Contractor)
  § One single SSID
  § Differentiated policies per Group
  § Guest segmentation (wired and wireless)

[Diagram: Customer Policy matrix of the user groups Employee / BYOD / Contractor against Production Serv. / Developer Serv.; Network Touch Points: L2 Switch, Trunks, L3 Switch, Trunk, LAN Core, AAA, DHCP, AD, WLC; BYOD, Employee and Contractor users on One SSID; Production Servers, Developer Servers.]

8

Page 9: SD-Access Wireless Architecture

BRKEWN-

Page 10: SD-Access Fabric Architecture: Roles and Terminology

§ Control-Plane (CP) Node – Map System that manages Endpoint ID to Location relationships. Also known as Host Tracking DB (HTDB)
§ Edge Nodes – A Fabric device (e.g. Access or Distribution) that connects wired endpoints to the SDA Fabric
§ Group Repository – External ID Services (e.g. ISE) is leveraged for dynamic User or Device to Group mapping and policy definition
§ Border Nodes – A Fabric device (e.g. Core) that connects External L3 network(s) to the SDA Fabric
§ DNA Controller – Enterprise SDN Controller provides GUI management abstraction via multiple Service Apps, which share information
§ Fabric Wireless Controller – Wireless Controller (WLC) fabric-enabled, participates in LISP control plane
§ Fabric Mode APs – Access Points that are fabric-enabled. Wireless traffic is VXLAN encapsulated at AP

[Diagram: SD-Access Fabric with the DNA Controller, the Group Repository (ISE / AD), Control-Plane Nodes (C), Fabric Border (B), Intermediate Nodes (Underlay), Fabric Edge Nodes, Fabric Mode WLC and Fabric Mode APs.]

10

Page 11: SD-Access Wireless Architecture: Bringing the best of both architectures by...

1. Simplifying the Control & Management Plane
2. Optimizing the Data Plane
3. Integrating Policy & Segmentation E2E

11

Page 12: SD-Access Wireless Architecture: Simplifying the Control Plane (1)

Policy Abstraction and Configuration Automation

Automation
§ DNAC simplifies the Fabric deployment,
§ Including the wireless integration component

Centralized Wireless Control Plane
§ WLC still provides client session management
§ AP Mgmt, Mobility, RRM, etc.
§ Same operational advantages of CUWN

LISP control plane Management
§ WLC integrates with LISP control plane
§ WLC updates the CP for wireless clients
§ Mobility is integrated in Fabric thanks to LISP CP

Fabric enabled WLC: WLC is part of LISP control plane

[Diagram: ISE / AD and DNAC above the SD-Access Fabric (C = Control-Plane node, B = Border); the WLC runs the CAPWAP Cntrl plane towards the APs and the LISP Cntrl plane towards the fabric.]

12

Page 13: SD-Access Wireless Architecture: Optimizing the Data Plane (2)

Optimized Distributed Data Plane
§ Fabric overlay with Anycast GW + Stretched subnet
§ VLAN extension with no complications
§ All roaming are Layer 2

Fabric enabled AP: AP encapsulates Fabric SSID traffic in VXLAN

VXLAN from the AP
§ Carrying hierarchical policy segmentation starting from the edge of the network

Fabric enabled WLC: WLC is part of LISP control plane

[Diagram: as on page 12 (ISE / AD, DNAC, SD-Access Fabric with C and B nodes, WLC with CAPWAP Cntrl plane and LISP Cntrl plane), with the VXLAN Data plane from the AP into the fabric added.]

13
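Pages 10, 12 and 13 describe the Control-Plane node as a Host Tracking DB that the WLC updates for wireless clients, with mobility integrated through the LISP control plane. The Python below is an added, deliberately simplified model, not Cisco's implementation: a map system keyed by (LISP instance id, endpoint id) with register, resolve and a version counter. It shows that a roam changes only the location (RLOC) while the client keeps its IP, that a mapping cached on another fabric edge becomes stale, and that the same address in another Virtual Network is a different endpoint. The instance ids, RLOCs and client addresses are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Simplified Host Tracking DB (HTDB) of a Control-Plane node: Endpoint ID -> location.
# Added example, not Cisco's code. All identifiers and addresses below are constructed.


@dataclass(frozen=True)
class Eid:
    instance_id: int   # one LISP instance per Virtual Network
    address: str       # endpoint identifier (client IP here; a MAC for the L2 instance)


@dataclass
class Mapping:
    rloc: str          # Routing Locator: underlay IP of the fabric edge the client sits behind
    sgt: int           # group tag assigned at authentication
    version: int       # incremented on every change so an edge can detect a stale map-cache entry


class HostTrackingDb:
    def __init__(self) -> None:
        self._db: Dict[Eid, Mapping] = {}

    def register(self, eid: Eid, rloc: str, sgt: int) -> Mapping:
        """Map-Register sent by the WLC for a wireless client (or by an FE for a wired one).
        A roam is simply a register for a known EID with a new RLOC."""
        cur = self._db.get(eid)
        if cur is None:
            cur = self._db[eid] = Mapping(rloc, sgt, 1)
        elif (cur.rloc, cur.sgt) != (rloc, sgt):
            cur.rloc, cur.sgt, cur.version = rloc, sgt, cur.version + 1
        return cur

    def resolve(self, eid: Eid) -> Optional[Mapping]:
        """Map-Request from a fabric edge that needs the destination's location."""
        return self._db.get(eid)

    def is_stale(self, eid: Eid, cached_version: int) -> bool:
        """True when a map-cache entry taken at cached_version no longer reflects the DB."""
        cur = self._db.get(eid)
        return cur is None or cur.version != cached_version


CORPORATE_VN, GUEST_VN = 4099, 4100            # constructed instance ids
FE_A, FE_B = "192.0.2.1", "192.0.2.2"          # constructed RLOCs of two fabric edges


def roam_scenario() -> Dict[str, object]:
    """A wireless client joins through an AP behind FE A, a third edge (FE C) caches its
    location, then the client roams to an AP behind FE B without changing its IP."""
    htdb = HostTrackingDb()
    client = Eid(CORPORATE_VN, "10.10.20.15")
    htdb.register(client, rloc=FE_A, sgt=100)            # WLC registers the join
    before = htdb.resolve(client)                         # FE C resolves and caches
    cached_rloc, cached_version = before.rloc, before.version
    htdb.register(client, rloc=FE_B, sgt=100)            # WLC registers the roam
    after = htdb.resolve(client)
    return {
        "rloc_before": cached_rloc,
        "rloc_after": after.rloc,
        "ip_unchanged": client.address == "10.10.20.15",
        "fe_c_cache_stale": htdb.is_stale(client, cached_version),
        "same_ip_in_guest_vn_unknown": htdb.resolve(Eid(GUEST_VN, "10.10.20.15")) is None,
    }
```

Because the endpoint keeps its address and only the locator moves, the stretched subnet needs no anchor tunnel for a roam; the price is that every edge holding a cached mapping must learn about the change, which is what the version counter stands in for here.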

Page 14: SD-Access Wireless Architecture: Optimizing the Data Plane: Stretched subnets – A Closer Look

Fabric Mode AP integrates with the VXLAN Data Plane; the Wireless Data Plane is distributed across APs

§ Fabric mode AP is a local mode AP and needs to be directly connected to FE
§ CAPWAP control plane goes to the WLC using Fabric
§ Fabric is enabled per SSID:
  • For Fabric enabled SSID, AP converts 802.11 traffic to 802.3 and encapsulates it into VXLAN encoding VNI and SGT info of the client
  • Forwards client traffic based on forwarding table as programmed by the WLC. Usually VXLAN DST is first hop switch.
§ AP applies all wireless specific features like SSID policies, AVC, QoS, etc.

[Diagram: AP with the CAPWAP Control plane to the WLC and VXLAN (Data) to the fabric edge.]

14

Page 15: SD-Access Wireless Architecture: Simplifying policy and Segmentation (1)

1. AP removes the 802.11 header
2. AP adds the 802.3/VXLAN/underlay IP header

[Diagram: SD Fabric with B (Border), C (Control-Plane), FE A and FE B. The client frame [802.11 | IP | IP payload] becomes [underlay IP | UDP | VXLAN | 802.3 | EID IP | IP payload] on the VXLAN (Data) path from the AP to FE A.]

15

Page 16: SD-Access Wireless Architecture: Simplifying policy and Segmentation (2)

2. APs embed the Policy information in the VXLAN header and forward it

Hierarchical Segmentation:
1. Virtual Network (VN) == VRF – isolated Control Plane + Data Plane
2. Scalable Group Tag (SGT) – User Group identifier

[Diagram: the encapsulated frame [underlay IP | UDP | VXLAN | 802.3 | EID IP | IP payload]; the VXLAN header fields are shown as R | Client SGT | Client VRF | R.]

16

Page 17: SD-Access Wireless Architecture: Simplifying policy and Segmentation (3)

3. FE removes the outer IP header, looks at the L2 VNID and maps it to the VLAN and L2 LISP instance. Then encapsulates to the destination FE. Client is placed in the right VRF.

[Diagram: the encapsulated frame [underlay IP | UDP | VXLAN | 802.3 | EID IP | IP payload] arriving at FE A and re-encapsulated towards FE B.]

17

Page 18: SD-Access Wireless Architecture: Simplifying policy and Segmentation (4)

4. FE removes the outer IP header, looks at the L2 VNID and maps it to the VLAN. Also looks at the SGT and applies the policy before forwarding the packet. SGT policy is applied.

Client Policy is carried end to end in the overlay.

[Diagram: the encapsulated frame [underlay IP | UDP | VXLAN | 802.3 | EID IP | IP payload] arriving at FE B, where the SGT policy is applied.]

18
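Pages 14 to 18 describe the AP encoding the client's VNI and SGT into the VXLAN header and the fabric edge mapping the VNI to a VN/VLAN and applying SGT policy before forwarding. The Python below is an added example, not the deck's or Cisco's code: it builds and parses an 8-byte VXLAN header in the group-based-policy (GBP) extension layout (G and I flags, 16-bit Group Policy ID, 24-bit VNI), and fabric_edge_forward performs steps 3 and 4 of the slides. That SD-Access carries the SGT in the GBP Group Policy ID field is an assumption of this example; the VNI, VLAN and IP values and the policy matrix are constructed, and the SGT numbers follow page 19's Corporate VN example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Tuple

# VXLAN header with the group-based-policy (GBP) extension, 8 bytes (added example):
#   byte 0: G (0x80) = group policy id present, I (0x08) = VNI valid
#   byte 1: A (0x08) = policy already applied by an upstream hop
#   bytes 2-3: Group Policy ID, used here for the client's SGT (assumption of this example)
#   bytes 4-6: VNI, byte 7 reserved
VXLAN_UDP_PORT = 4789
FLAG_G, FLAG_I, FLAG_A = 0x80, 0x08, 0x08


@dataclass(frozen=True)
class VxlanGbp:
    vni: int
    sgt: int
    policy_applied: bool


def build_vxlan_gbp(vni: int, sgt: int, policy_applied: bool = False) -> bytes:
    """What the fabric mode AP prepends to the 802.3 frame of a fabric SSID client."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is 24 bits")
    if not 0 <= sgt < (1 << 16):
        raise ValueError("group policy id / SGT is 16 bits")
    flags1 = FLAG_A if policy_applied else 0
    return struct.pack("!BBHI", FLAG_G | FLAG_I, flags1, sgt, vni << 8)


def parse_vxlan_gbp(buf: bytes) -> VxlanGbp:
    """What the fabric edge reads after stripping the outer IP/UDP header."""
    if len(buf) < 8:
        raise ValueError("truncated VXLAN header")
    flags0, flags1, gpid, vni_res = struct.unpack("!BBHI", buf[:8])
    if not flags0 & FLAG_I:
        raise ValueError("VNI flag not set")
    vni = vni_res >> 8
    if not flags0 & FLAG_G:
        # No group policy carried: treat as SGT 0 ("unknown"); the matrix below denies it.
        return VxlanGbp(vni, 0, False)
    return VxlanGbp(vni, gpid, bool(flags1 & FLAG_A))


# Constructed fabric edge state. VNI and VLAN numbers are made up; SGT values follow the deck.
VNI_TABLE: Dict[int, Tuple[str, int]] = {4097: ("Corporate", 1021), 4098: ("Guest", 1022)}
# IP-to-SGT bindings are kept per VN, so an address in another VN is simply unknown there.
SGT_BINDINGS: Dict[Tuple[str, str], int] = {
    ("Corporate", "10.10.100.7"): 10,   # Production Serv. SGT 10
    ("Corporate", "10.10.110.7"): 20,   # Developer Serv. SGT 20
}
# Group policy matrix (source SGT, destination SGT) -> verdict; anything unlisted is denied.
SGT_POLICY: Dict[Tuple[int, int], str] = {
    (100, 10): "permit", (100, 20): "permit",   # Employee SGT 100
    (200, 20): "permit",                        # BYOD SGT 200: developer servers only
    (300, 20): "permit",                        # Contractor SGT 300: developer servers only
}


def fabric_edge_forward(vxlan_hdr: bytes, dst_ip: str) -> Tuple[str, str]:
    """Steps 3 and 4 of the slides: VNI -> VN/VLAN, then the SGT matrix before forwarding."""
    hdr = parse_vxlan_gbp(vxlan_hdr)
    if hdr.vni not in VNI_TABLE:
        return "drop", f"unknown VNI {hdr.vni}"
    vn, vlan = VNI_TABLE[hdr.vni]
    dst_sgt = SGT_BINDINGS.get((vn, dst_ip))
    if dst_sgt is None:                                  # VRF isolation: no binding, no path
        return "drop", f"{dst_ip} has no binding in VN {vn}"
    if hdr.policy_applied:                               # A bit: do not enforce twice
        return "forward", f"VN={vn} vlan={vlan} policy already applied upstream"
    verdict = SGT_POLICY.get((hdr.sgt, dst_sgt), "deny")
    return verdict, f"VN={vn} vlan={vlan} src_sgt={hdr.sgt} dst_sgt={dst_sgt}"
```

The contrast with the 5-tuple ACL on page 6 is that the verdict here depends on the tag the client received at authentication, not on the address it happened to get, so the same rule follows the client through a roam and works under one SSID for all three groups.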

Page 19: SD-Access Wireless Benefits: User Group policy rollout

Touch Point:
1. Define Groups in AD
2. Design and Deploy in DNA-C
   § Create Virtual Network for Corporate
   § Define Policies
     • Role/Group based
   § Apply Policies
     • SGT based
3. Upon user authentication, Policy is automatically applied and carried end to end

Corporate VN: Employee SGT 100, BYOD SGT 200, Contractor SGT 300, Production Serv. SGT 10, Developer Serv. SGT 20

[Diagram: BYOD, Employee and Contractor users on One SSID; WLC, Trunk, L3 Switch, LAN core, DNA Center, AAA, DHCP, AD; Production Servers, Developer Servers. Encapsulated packet: Fabric SRC | Fabric DST | VXN HDR (VNID, SGT) | Original packet.]

19

Page 20: SD-Access Wireless Benefits: User Group policy rollout (continued)

Callouts added to the page 19 diagram: One Touch Point; DNA Center; Guest Virtual Network and IoT/HVAC Virtual Network alongside the Corporate VN.

20

Page 21: DEMO

Page 22: SDA Wireless Automation: Install of new AP

Page 23: SDA Wireless: Site and Profiles

Page 24: SDA Guest: Creation of a Guest Network

Page 25: What products make this Architecture?

Page 26: SD-Access – Fabric Wireless Platform Support

3504 WLC
• AIR-CT3504
• 1G/mGig
• AireOS 8.5+

5520 WLC
• AIR-CT5520
• No 5508
• 1G/10G SFP+
• AireOS 8.5+

8540 WLC
• AIR-CT8540
• 8510 supported
• 1G/10G SFP+
• AireOS 8.5+

Wave 2 APs
• 1800/2800/3800
• 11ac Wave2 APs
• 1G/MGIG RJ45
• AireOS 8.5+

Wave 1 APs
• 1700/2700/3700
• 11ac Wave1 APs*
• 1G RJ45
• AireOS 8.5+

* with Caveats

NEW

26

Page 27: SD-Access Wireless: Design Considerations

Page 28: Wireless Integration in SDA Fabric: CUWN wireless Over The Top (OTT) vs. SD-Access Wireless

CUWN wireless Over The Top (OTT): Non-Fabric WLC, Non-Fabric APs
§ CAPWAP for Control Plane and Data Plane (CAPWAP Cntrl & Data)
§ SDA Fabric is just a transport
§ Supported on any WLC/AP software and hardware
§ Migration step to full SDA

SD-Access Wireless: Fabric enabled WLC, Fabric enabled APs
§ CAPWAP Control Plane, VXLAN Data plane (CAPWAP Cntrl plane, VXLAN Data plane)
§ WLC/APs integrated in Fabric, SD-Access advantages
§ Requires software upgrade (8.5+)
§ Optimized for 802.11ac Wave 2 APs

[Diagram: two SD-Access Fabrics (C, B, B), each with APIC-EM and ISE / AD; the left one with the Non-Fabric WLC and Non-Fabric APs carrying CAPWAP Cntrl & Data, the right one with the Fabric enabled WLC and Fabric enabled APs carrying the CAPWAP Cntrl plane and the VXLAN Data plane.]

Page 29: CUWN Over the Top (OTT)

• Definition:
  • Wireless OTT: a CAPWAP wireless overlay on top of the Fabric: a traditional CAPWAP deployment connected to the Fabric overlay. Fabric is a transport for CAPWAP
• Why wireless OTT?
  • Migration step: customers want/need to first migrate wired (different Ops teams managing wired and wireless, get familiar with Fabric, different buying cycles, etc.)
  • Longer term solution: customer doesn’t want/cannot migrate to Fabric (new software, no 802.11n, wireless too critical to make changes)

[Diagram: SD-Access Fabric carrying a CAPWAP tunnel between a Non Fabric AP and a Non Fabric WLC.]

Page 30: Key Takeaways

Page 31: SDA for Mobility: Innovate Faster with Fabric-Enabled Wireless

Software Defined Wireless
§ Centralized management across wired-wireless
§ Secure Policy based Automation
§ Optimized distributed traffic flows for future scalability
§ Simplified enablement of Wi-Fi Services

• Simplified Provisioning
• Optimized data plane with Campus-Wide Roaming
• Wired and Wireless Policy Consistency
• Seamless L2 roam across Campus
• Policy stays with user
• Consistent Policy for Wired/Wireless
• Easy end to end Virtualization and Segmentation
• DNA Center

31

Page 32: Thank you