southern california cisco users group catalyst 9000 and ...€¦ · hybrid (l2 + l3) overlays offer...
TRANSCRIPT
SouthernCaliforniaCiscoUsersGroupCatalyst9000and
SoftwareDefinedAccessMatthewTaite,SystemsEngineer
Agenda
• Programmability– 20minutes• Catalyst9000– 10minutes• SoftwareDefinedAccess(SDA)– 20minutes• Demo– 20minutes• Licensing– 10minutes
Programmability“NoMoreMiddleClassIT”™
http://blog.hackerearth.com/2016/11/top-programming-language-2017.html
MustHaveTools
• Postman• https://www.getpostman.com
• CiscoConfParse• https://github.com/mpenning/ciscoconfparse
MustHaveTools
• NAPALM
MustHaveTools
• Catalyst w/Py2.7.11*
• ISRw/Py2.7.5
GuestShell onIOSXE
*GuestShell liteonC3650/C3850
Catalysteria™IntroducingtheCatalyst9000
CataLust ™
• HARDWARE• UADP2.0- NextGenerationofASICInnovation• ExternalStorageupto1TBSATA/SSDforLocalLogging– 3rdPartyAppHosting– Containers• PerpetualUPOE(HWreadyfor100W)• FastUPOE(PDrestorewithin30seconds)• POE2-eventclassificationfor1-2secondpowernegotiation• DedicatedX86CPUandexpandedmemoryforon-boxcontainer/NFVsupport• Built-inRFID• BluetoothConnectivityforfiletransferanddevicemanagement
• SOFTWARE• OpenIOS-XEallowsformodel-drivenprogrammability(i.e NETCONForPython),streamingtelemetry,andprocesspatching• Single.binImageacrossallC9Kplatforms• EmbeddedWireshark• GIRw/SystemSnapshots
Catalyst9KInnovations
SoftwareDefinedAccess
WhySDA
UniqueDevice/UserIdentification
LogicalSegmentation
SecureControlbetweenSegments
UnifiedPolicyacrossNetwork
LittleSwitch,BigSwitch™
• GRE / mGRE
• MPLS / VPLS
• GETVPN / DMVPN
• CAPWAP
• LISP
• OTV
• DFA
• ACI
Examples of Network Overlays
What exactly is a Fabric?
A “Fabric” is an “Overlay”An “Overlay” is a logical topology used to virtually connect devices,
built on top of an arbitrary “Underlay” physical topology.
An “Overlay” network often uses alternate forwarding attributes to
provide additional services, not provided by the “Underlay”.
What exactly is a Fabric?Types of Overlays
Layer 2 Overlays• Emulates a LAN segment
• Transport Ethernet Frames (IP & non-IP)
• Single subnet mobility (L2 domain)
• Exposure to open L2 flooding
• Useful in emulating physical topologies
Layer 3 Overlays• Abstract IP-based connectivity
• Transport IP Packets (IPv4 & IPv6)
• Full mobility regardless of Gateway
• Contain network related failures (floods)
• Useful to abstract connectivity and policy
Hybrid (L2 + L3) Overlays offer the Best of Both Worlds
Switch1(config)# cts sxp mapping network-map 10000Switch1(config)# cts role-based sgt-map 10.10.10.0/30 sgt 101Switch1(config)# cts role-based sgt-map 11.11.11.0/29 sgt11111Switch1(config)# cts role-based sgt-map 192.168.1.0/28 sgt65000
• https://tools.ietf.org/html/draft-smith-vxlan-group-policy-03
• IncreasecampusLANdefaultnetworkMTU(9100recommended)
• Layer3totheaccesslayerwithoutneedforloopavoidanceprotocols
• Point-to-pointlinksforquickestconvergenceandstability
• SingleAreaIGPprocessforthefabricfromedgetoborder
• Loopbackpropagationoutsidefabric(/32)
Underlayrequirements
• DHCP/TFTP
• ISE/AAA
• IPAM
• NTP
• Netflow Collector
• Syslog
• FabricandNon-FabricWLC
• ActiveDirectory/DomainController
• DNAC/APIC-EM/NDP
• CUCM/CME/CUBE
• Etc…
SharedServicesStack
APIC-EM
ISE NDP
§ Control-PlaneNodes– MapSystemthatmanagesEndpointIDtoDevicerelationships
§ EdgeNodes– AFabricdevice(e.g.AccessorDistribution)thatconnectsWiredEndpointstotheSDAFabric
§ IdentityServices– ExternalIDSystems(e.g.ISE)areleveragedfordynamicUserorDevicetoGroupmappingandPolicydefinition
§ BorderNodes– AFabricdevice(e.g.Core)thatconnectsExternalL3network(s)totheSDAFabric
IdentityServices
IntermediateNodes(Underlay)
FabricBorderNodes
FabricEdgeNodes
§ DNAController– EnterpriseSDNControllerprovidesGUImanagementandabstractionviamultipleServiceApps,thatshareinformation
DNACenter
§ AnalyticsEngine– ExternalDataCollectors(e.g.NDP)areleveragedtoanalyzeUserorDevicetoAppflowsandmonitorfabricstatus
AnalyticsEngine
This image cannot currently be displayed.
CControl-Plane
Nodes
B
WhatisSD-Access?Roles&Terminology
B
§ FabricWirelessController– AFabricdevice(WLC)thatconnectsWirelessEndpointstotheSDAFabric
This image cannot currently be displayed.
22
FabricWirelessLANController
EdgeNode providesfirst-hopservicesforUsers&DevicesconnectedtotheFabric
SD-AccessFabricEdgeNodes– ACloserLook
• ResponsibleforIdentifyingandAuthenticatingEndpoints(e.g.Static,802.1X,ActiveDirectory)
• RegisterthespecificEndpointIDinfo(e.g./32or/128)withtheControl-PlaneNode(s)
• ProvidetheAnycast L3GatewayforconnectedEndpoints(sameIPaddressonallEdgenodes)
• Performsencapsulation/de-encapsulationofdatatraffictoandfromallconnectedEndpoints
23
UnknownNetworks
KnownNetworks
C
B B
FabricEdgeNodes
Control-PlaneNoderunsaHostTrackingDatabasetomaplocationinformation
SD-AccessFabricControlPlaneNodes– ACloserLook
• AsimpleHostDatabase,thattracksEndpointIDtoLocationmappings,alongwithotherattributes
• HostDatabasesupportsmultipletypesofEndpointIDlookupkeys(IPv4,IPv6orMAC)
• ReceivesEndpointIDmapregistrationsfromEdgeandBorderNodesfor“known”IPprefixes
• ResolveslookuprequestsfromEdgeandBorderNodes,tolocatedestinationEndpointIDs
24
UnknownNetworks
KnownNetworks
C
B B
FabricEdgeNodes
FabricBorder,AnyandalltrafficenteringorleavingtheFabricgoesthroughthistypeofnode
SD-AccessFabricBorderNodes– ACloserLook
25
• ConnectstraditionalL3networksand/ordifferentFabricdomainstothelocaldomain
• WheretwodomainsexchangeEndpointreachabilityandpolicyinformation
• Responsiblefortranslationofcontext(VRF&SGT)fromonedomaintoanother
• ProvidesadomainexitpointforallEdgeNodes
UnknownNetworks
KnownNetworks
C
B B
FabricEdgeNodes
BorderNode isanentry&exitpointforalldatatrafficgoingin&outoftheFabric
Thereare2TypesofBorderNode!
• FabricBorder• Usedfor“Known”Routesinyourcompany
• DefaultBorder• Usedfor“Unknown”Routesoutsideyourcompany
26
UnknownNetworks
KnownNetworks
BB
C
SD-AccessBorderBorderNodes– ACloserLook
FabricEdgeNodes
SD-AccessBorderBorderNodes– BorderandDefaultBorder
Border• ConnectstheCampusFabrictoKnownnetworks.(Usecase2.1and2.2)• partofyourcompanynetwork
• KnownnetworksaregenerallyWAN,DC,SharedServices,etc.
• Responsibleforadvertisingprefixesto(import)andfrom(export)thelocalfabricandexternaldomain.
DefaultBorder
• ConnectstheCampusFabrictoUn-Knownnetworks(Usecase1)• notpartofthecompanynetwork
• Un-knownnetworksaregenerallytheInternetand/orPublicCloud.
• Responsibleforadvertisingprefixesonlyfrom(export)thelocalfabrictoexternaldomain.
KnownNetworks
BUnknownNetworks
B
SD-Access– BorderNodePlatformSupport
Nexus7K
• Nexus7700• Sup2E• M3Cards• NXOS7.3.2+
Catalyst3K
• Catalyst3850• 1/10GSFP+• 10/40GNMCards• IOS-XE16.6.1+
ASR1K&ISR4K
• ASR1000-X/HX• ISR4451/4431• 1/10G/40G• IOS-XE16.6.1+
Catalyst9K
• Catalyst9300• Catalyst9400• Catalyst9500• 40GQSFP• 10/40GNMCards• IOS-XE16.6.1+
Catalyst6K
• Catalyst6800• Catalyst6500• Sup2T/6T• 6880-Xor6840-X• IOS15.5.1SY+
Nexus7KCatalyst3K
§ VirtualNetworks:64§ SGT’sinFabric:4K§ SGTACL’s:1350§ SecurityACL’s:3K§ IPv4TCAM: 16K/8K
ASR1K&ISR4K
§ VirtualNetworks:4K§ SGT’sinFabric:64K§ SGTACL’s:64K§ SecurityACL’s:4K§ IPv4TCAM: 1M
Catalyst9500
§ VirtualNetworks:256§ SGT’sinFabric:32K§ SGTACL’s:32K§ SecurityACL’s:18K§ IPv4TCAM:96K/48K
Catalyst6K
§ VirtualNetworks:512§ SGT’sinFabric:30K§ SGTACL’s:30K§ SecurityACL’s:32K§ IPv4TCAM:256K
§ VirtualNetworks:500§ SGT’sinFabric:64K§ SGTACL’s:64K§ SecurityACL’s:128K§ IPv4TCAM:1M
SD-Access– BorderNodeScalePlatformScale
• NumberslistedareHWscalelimits,SWnumbersmightbedifferent
Catalyst3850 Catalyst9500 Catalyst6K ASR1K&ISR4K Nexus7K
Catalyst3K
• Catalyst3850• 1/10GSFP+• 10/40GNMCards• IOS-XE16.6.1+
ASR1K/ISR4KandCSR1Kv
• ASR1000-X/HX• ISR4430/4450• 1/10G/40G• IOS-XE16.6.1+
SD-Access– Control-PlanePlatformSupport
Catalyst6K
• Catalyst6800/6500• Sup2T/6T• 6880-Xor6840-X• IOS15.5.1SY+
Catalyst9K
• Catalyst9300• Catalyst9500• 40GQSFP• 1/10GNMCards• IOS-XE16.6.1+
TECCRS-3810
Catalyst3850
• 4KHostentries
ASR1K/ISR4KandCSR1Kv
• 200KHostentries
SD-Access– Control-PlaneNodeScalePlatformScale
Catalyst6K
• 25KHostentries
Catalyst9500
• 96KHostentries
DNACenterLimitations
Demo
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Catalyst 9K: Advantage vs. Essentials
Full Routing Functionality BGP, HSRP, OSPF, ISIS, HSRP,GLBP
Flexible Network SegmentationVRF, VXLAN, LISP, Trustsec, Wireless Client and Guest, MPLS L3VPN
Enhanced Security ControlsMACSEC-256
IoT & MobilityCoAP
Optimize Bandwidth Utilization with Multicast MSDP, mVPN, AutoRP, PIM-BIDIR
Software-defined AccessPolicy-based Automation and Assurance, SD-Wireless
Security & IoTEncrypted Traffic Analytics,mDNS GW, NAT/PAT
Telemetry & VisibilityERSPAN, AVC, NBAR2
Network Advantage (Inclusive of Network Essentials)
DNA Advantage (Inclusive of DNA Essentials)
Assurance & AnalyticsNetwork insights from analytics and machine learning, clients and applications covering on-boarding, connectivity and performance
Essential Switch CapabilitiesLayer 2, Routed Access (RIP, EIGRP Stub, OSPF (1000 routes) ,PBR, PIM Stub Multicast (up to 1000 routes)), PIM Stub, PVLAN, VRRP, PBR, CDP, QoS, FHS, 802.1x, Macsec-128, CoPP, Trustsec SXP, IP SLA Responder, SSO
DevOps IntegrationProgrammability with Open Models and Netconf/Restconf, PnP Agent, ZTP
Telemetry & VisibilitySampled NetFlow, SPAN,RSPAN
Basic AutomationPlug and Play,EasyQOS Configuration*
Basic Monitoring CapabilitiesEasyQOS Monitoring*, Client and Device 360, PSIRT Compliance*
Element ManagementImage Management, Topology and Discovery
Cisco DifferentiatorsContainers, Python, EEM, ANI,Full FNF, Wireshark
DNA Essentials
Network Essentials
Perp
etua
l
Perp
etua
l
3,5,
7 Ye
ar T
erm
s
3,5,
7 Ye
ar T
erm
s
Advantage Essentials
High Availability & ResiliencyNSF, GIR, Stackwise Virtual, ISSU
* Future
Element ManagementPatch Management
SDA Ready
§ C9K HW includes the Perpetual Network OS (Essentials or Advantage) § Mandatory to attach DNA License when ordering C9K§ DNA License includes Switch and DNA Center Features
2© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Catalyst 9K: Switch vs. DNA-C FeaturesFeatures Network
EssentialsNetwork
AdvantageDNA
EssentialsDNA
AdvantageSwitch Features
Switch fundamentalsLayer 2, Routed Access (RIP, EIGRP Stub, OSPF (1000 routes) ,PBR, PIM Stub Multicast (up to 1000 routes)), PVLAN, VRRP, PBR, CDP, QoS, FHS, 802.1x, Macsec-128, CoPP, Trustsec SXP, IP SLA Responder, SSO
� � � �
Advanced switch capabilities and scaleBGP, EIGRP, HSRP, IS-IS, BSR, MSDP, PIM-BIDIR, LSM, IP SLA, Full OSPF � � � �
Network segmentationVRF, VXLAN, LISP, Trustsec, Wireless Client and Guest, MPLS, L3VPN, mVPN � � � �
Optimized network deployments mDNS gateway* � � � �
AutomationNetconf/YANG, PnP Agent, ZTP/Open PnP � � � �
Advanced automationContainers, Python, Guest Shell, EEM, ANI � � � �
Telemetry and visibilityStreaming telemetry, sampled NetFlow, SPAN, RSPAN � � � �
Advanced telemetry and visibilityFull Flexible NetFlow, Wireshark � � � �
Optimized telemetry a visibilityERSPAN, AVC, NBAR2 � � � �
High availability and resiliency NSF, GIR, ISSU, StackWise Virtual � � � �
High availability and resiliency Patching � � � �
SecurityMACsec-256 � � � �
Advanced securityEncrypted Traffic Analytics (ETA) � � � �
IOT integrationAVB, PTP, CoAP � � � �
Cisco DNA Center FeaturesDay 0 network bring-up automation Cisco Network Plug-n-Play application, network settings, device credentials � � � �
Element management Discovery, inventory, topology, software image, licensing, and configuration management � � � �
Element management Patch Management � � � �
Network monitoringEasyQoS Configuration and Monitoring*, Client and Device 360, PSIRT Compliance* � � � �
SD-AccessPolicy-based Automation and Assurance, SD-Access Wireless � � � �
Network assurance and analyticsInsights driven from analytics and machine learning for the network, clients and applications that cover onboarding, connectivity, and performance � � � �
Perpetual 3,5,7-yr Terms* FutureSDA Ready