Per Jensen / Renè Andersen Cisco SD-Access how it works

Partner Session - April 2020

Welcome to:UP-TO-SPEED-ON-CISCO

Intent-Based Networks simplify management and reduce OpEx

Intent-Based

NetworkingComprehensive automation

Consistent security

Enterprise wide visibility &

assurance

Enterprise+ Multicloud

Policy

Business

Intent

AutomationAnalytics

CB B

Cisco DNA & SD-AccessNetworking at the Speed of Software!

Automated Network Fabric

Single Fabric for Wired & Wireless with simple Automation

Insights & Telemetry

Analytics and Insights into User and Application behavior

Identity-Based Policy & Segmentation

Decouples Security & QoS from VLAN and IP Address

IoT Network Employee Network

User Mobility

Policy stays with User

Outside

DNA Center

AnalyticsAutomationPolicy

3

SDA Extension

A Fabric is an OverlayAn Overlay network is a logical topology used to virtually connect devices, built on top of a simple physical Underlay network.

An Overlay network often uses alternate forwarding attributes to provide additional services, not provided by the Underlay.

• GRE / mGRE

• MPLS / VPLS

• IPSec / DMVPN

• CAPWAP

• LISP

• OTV

• DFA

• ACI

Examples of Network Overlays

SD-AccessWhat exactly is a Fabric?

4

SD-AccessCampus Fabric - Key Components

1. Control-Plane based on LISP

2. Data-Plane based on VXLAN

3. Policy-Plane based on CTSKey Differences

• L2 + L3 Overlay -vs- L2 or L3 Only

• Host Mobility with Anycast Gateway

• Adds VRF + SGT into Data-Plane

• Virtual Tunnel Endpoints (Automatic)

• NO Topology Limitations (Basic IP)

5

CB B

SD-AccessFabric Roles & Terminology

6

NCP

ISE NDP

▪ Control-Plane Nodes – Map System that manages Endpoint to Device relationships

▪ Fabric Edge Nodes – A Fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SDA Fabric

▪ Identity Services – NAC & ID Systems (e.g. ISE) for dynamic Endpoint to Group mapping and Policy definition

▪ Fabric Border Nodes – A Fabric device (e.g. Core) that connects External L3 network(s) to the SDA Fabric

Identity Services

Intermediate Nodes (Underlay)

Fabric Border Nodes

Fabric Edge Nodes

▪ DNA Center – provides simple GUI management and intent based automation (e.g. NCP) and context sharing

DNA Center

▪ Analytics Engine – Data Collectors (e.g. NDP) analyze Endpoint to App flows and monitor fabric status

Analytics Engine

Control-PlaneNodes

▪ Fabric Wireless Controller – A Fabric device (WLC) that connects APs and Wireless Endpoints to the SDA Fabric

Fabric WirelessController

CampusFabric

B

C

B

Lan Automation

Layer 3Layer 2

Cisco DNA Center

AssuranceAutomationPolicy

Primary Seed Secondary Seed

Automated Onboarding

Cisco DNA-Center can detect and

onboard devices two hops

downstream from the

Seed

7

Lan Automation – Step 1

Layer 3Layer 2

Cisco DNA Center

AssuranceAutomationPolicy

Primary

Seed

Secondary

Seed

Cisco DNA-Center configures DHCP server on the seed.

1. Device boots up. Sends a DHCP request on vlan1

2. The DHCP server on the seed releases an IP with option 43 pointing to the Cisco DNA-Center controller.

3. The Cisco DNA-Center adds the new switch into its inventory.

All the devices get discovered and added to the Cisco DNA-Center

1

2

3

8

Lan Automation – Step 2

Layer 3Layer 2

Cisco DNA Center

AssuranceAutomationPolicy

Primary

Seed

Secondary

Seed

Cisco DNA-Center onboards the new switch

9

Planning for Lan Automation

Layer 3Layer 2

Primary

Seed

Secondary

Seed

Automated

Onboarding

Cisco DNA-Center

• The IP subnet size depends on the number of devices that need to be onboarded.

• Cisco DNA-C expects a minimum /25 subnet

10

Planning for Lan Automation

Layer 3Layer 2

Primary

Seed

Secondary

Seed

Automated

Onboarding

Cisco DNA-Center

Routed access underlaySD Access Fabric

Cisco DNA-Center

B B

11

Planning for Lan Automation - Border

SD Access Fabric

Cisco DNA-Center

B B

• Border automation step in Fabric deployment automates the configuration on the border devices

• On switches, vrf lite is deployed to hand off overlay subnets to the non fabric network.

• Prep for this at the Lan automation stage by configuring the North bound interfaces to be trunks.

12

Planning for Lan Automation - Border

SD Access Fabric

Cisco DNA-Center

B B

• When discovering the seed devices via the Cisco DNA-Center use the loopback0 IP

• Ensure the loopback0 has reachability to

ISE, DHCP server and Cisco DNA-C

• Cisco DNA-Center uses eBGP when automating the Border handoff for the Fabric

• You can use any routing protocol between

the Border and Next hop for the underlay.

13

Planning for Lan Automation – Native Multicast

SD Access Fabric

Cisco DNA-Center

B B

• If you need to enable native multicast in your fabric network

• Check the box to automate the underlay configuration for it.

14

On the Seed device – Initial configuration- MTU 9100

- SVI on Vlan 1

- Interface connecting to the new device as an access port in Vlan 1

- IS-IS on Vlan 1

- IS-IS on loopback0

- DHCP server

1. Network

2. Default gateway

3. Option 43 pointing to the Cisco DNA-Center See Notes for more details

15

On the Seed device - After Stop

- Cleans out the DHCP server configuration

- Deletes Vlan 1 SVI

- Interfaces connecting to the new device

- L3 interface with IP address

- IS-IS routing

- Bfd

16

On the new device – Initial

- Host name

- On vlan1

1. DHCP IP

2. IS-IS routing

- Crypto key (mod 1024)

- SSH v2

- SCP server

- VTP mode transparent

- RPVST

- Edge node configured as the

STP root.

- Enable IP routing

- MTU to 9100

- SNMP RW string

- Enable password

- Local username and

password

- IS-IS routing protocol

- Loopback0

1. DHCP IP

2. IS-IS routing

- Multicast (if enabled)

1. Multicast routing

2. PIM SSM

3. PIM RP

- Archive logging

17

On the new device – After Stop

- Deletes Vlan 1 SVI

- Interfaces connecting to the new device

- L3 interface with IP address

- IS-IS routing

- Bfd

18

Provision – Configuration Summary

Add Seed systems to Site

Start Underlay Network discovery and automation

Stop Underlay Network discovery and automation

Step-1

Step-2

Step-3

Step-4

19

Can You See the Business Intent Here:

Can You See the Business Intent Here:

DMZ-Pod1#show cts role-based permissions

IPv4 Role-based permissions default:

Permit IP-00

IPv4 Role-based permissions from group 4:Employees to group 12:Development_Servers:

Deny IP-00

IPv4 Role-based permissions from group 8:Developers to group 12:Development_Servers:

Permit IP-00

Secure onboarding of users and devicesSegmentation and Access Control

Before SD-Access After SD-Access

• VLAN and IP address based

• Create IP based ACLs for access policy

• Deal with policy violations and errors manually

• No VLAN or subnet dependency for segmentation and access control

• Define one consistent policy

• Policy follows Identity

Group-Based Policy Policy follows IdentityCompletely Automated

Drag policy to apply

Users

Devices

Apps

Employee Virtual Network

IoT Virtual Network

Guest Virtual Network

Group 5

Group 3

Group 1

Group 6

Group 4

Group 2

First level Segmentation that ensures zero Communication between Building systems and Users

1

Virtual Networks

Second level Segmentation within a Virtual Network that ensures role

based access control between Two Groups

Groups

1

2

Identity-based Policy – Segmentation & Access ControlSoftware-Defined Access

IoT Virtual Network

Group 3

Employee Virtual Network

Group 1 Group 2

Routers Switches Wireless AP WLC

Group 4

Group 5

2

Default Permit

Custom Deny

Default Deny

Cisco SDA TrustSecSimplified access control with Group Based Policy

24

Campus Switch

DC Switch

or Firewall

Application

Servers

ISE

Enterprise

Backbone

Enforcement

Campus Switch

Voice Employee Supplier Non-CompliantVoiceEmployeeNon-Compliant

Shared

Services

Employee Tag

Supplier Tag

Non-Compliant Tag

DC switch receives policy

for only what is connected

Classification

Static or Dynamic

SGT assignments

Propagation

Carry “Group” context

through the network

using only SGT

Enforcement

Group Based Policies

ACLs, Firewall Rules

Endpoints

High Fidelity Visibility

Rapidly reduce unknowns by aggregating various source of device fingerprints

ML Analytics

EndpointProfiling

DataAggregation

Network Telemetry

Probes

Easy Onboarding

Tools

RF Fingerprinting

(Roadmap)

DPI-based Fingerprint/

Behavior

CMDB Connector

3rd Party Visibility

Tool

Endpoint Analytics on Cisco DNA Center

The power of ‘Deep Packet Inspection (DPI)’

Traditional Profilers

DHCPClass-ID

MSFT

Endpoint Type: Windows-Workstation

Probes

GE Optima CT Scanner 540(Runs Windows 7)

L7

L6

DICOM:

GE CT540

Deep Packet Inspection

DCS

Endpoint Type:CT Scanner

Operating System: MS Windows 7

Manufacturer: General Electric (GE)

Model: Optima CT 540

Multifa

cto

r Cla

ssificatio

n

EA

EA: Endpoint Analytics | NBAR-based DPI – Supported on Cat9200/9300 with IOS-XE 7.1

Endpoint Analytics – Multi Factor ClassificationClassifying endpoints using four independent label categories for more flexible profiling

Device Type Hardware Model Hardware Manufacturer Operating System

MacBook ProLaptop Apple macOS 10.14.6

CT Scanner Optima CT540 GE Windows 8

Smartphone Galaxy S8 Samsung Android 9.0

DPI available for all deployment scenarios

Cisco DNA Traffic -Telemetry Appliance (TTA)

Distribution Layer

Legacy Cisco Switches / 3rd party devices

SPAN

Cat9000

Cisco ISEWeb User Interface

DCS web interface to show device classification

results associated with endpointsPolicy

DNAC (EA)

Context

WLC

Endpoints

NBAR (SD-AVC Agent)

Q3CY20

Better Classification reduces unauthorized access

Cisco ISE

DNAC

SGT 10 SGT 11 SGT 12

ML Analytics

EndpointProfiling

Data

AggregationEndpoint Type:

CT Scanner

Operating System: MS Windows 7

Manufacturer: General Electric (GE)

Model: Optima CT 540

Multifacto

r C

lass

ific

ation

Cisco DNA Center

Introduction to Group-Based Policy Analytics

• High profile attacks driving customers towards internal segmentation

• Internal network largely unknown

• Difficult to understand network behaviour of people and things

• Customers asking for help in creating network segmentation policy

Challenge

Application on Cisco DNA Center providing:

Discovery of required policy: visibility and behaviour

Modeling of candidate groups and policies

Help to micro-segment (author) the network

Solution

First release just covers Discovery

Introduction to Group-Based Policy Analytics

Policy Modeling

Policy Enforcement

Policy Discovery

Endpoint Group-GroupActivity

Endpoint Analytics

MFC

ISE Scalable Groups and

Profiles

Stealthwatch Host Groups

Flow Info

Cisco DNA Center

Group-Based Policy Analytics Use-Cases

Confidential Servers

Employees

Guests

DESTINATIONScalable Groups

SOURCEScalable Groups

Email Servers

Guests

Contractors

Unknown

Databases

MRI Machines

• Understand communications patterns: identify Group-Group relationships• Identify the specific ports/protocols needed in access control policies

Demo: Group-Based Policy Analytics

✓Automated Inter-Site Connectivity

✓Consistent Enterprise-Wide Policy

✓ Enhanced Resiliency & Local Isolation

✓Direct Internet Access per Site

▪ Individual Fabric Sites contain local Border and Control Planes nodes

▪ Local Border nodes can hand-off to an IP-based WAN or an SD-Access Transit

▪ Transit has a unique Control Plane node, to connect local and remote Sites

▪ Transit does not have Fabric Edge nodes

Fabric Site 1Fabric Site 2

Fabric Site 3

Transit

B

C

B

C

B BC

C

B B

Distributed CampusEnhanced Resiliency and Scale for Large Deployments

34

A Fabric Domain may consist of one or more Fabric Sites + Transit

Multiple Fabric Sites are connected to each other using a Transit Site

There are two types of Transit:

• SD-Access Transit - Enables a native SD-Access (LISP,VXLAN,CTS) fabric, with a domain-wide Control Plane node for inter-site communication

• IP-Based Transit - Leverages a traditional IP-based (VRF-LITE, MPLS) network, which requires remapping of VRFs and SGTs between sites

SD-Access Multi SiteTransits and Domains

35

• A Fabric Domain can consist of one or more individual Fabric Sites

• Each Site is a unique fabric with its own Control Plane and Border nodes

• The Fabric Domain will also have a domain-wideTransit Control Plane node to facilitateinter-site communication

SD-Access Transit

C

Fabric

Site 1

B

C

B

Fabric

Site 2

B

C

Fabric

Site 3B

C

SD-Access for Distributed Campus Multi-Site Architecture

36

DNA Center

SDA/SDWAN Interoperation today

* Last option

SD-Access Fabric Site #1

SD-WANFabric

LISP

1

12

LISPOMP

vManage

SD-Access Fabric Site #2

B

B C

C

BGP

SD-AccessIP VRF-LiteIPSecSD-Access

B C

B C

BGP

IP VRF-Lite

B

C

SDA Border Node

SDA CP Node

cEdge

SDA Fabric Node

Current deployments

• Cisco DNA Center automates SD-Access Sites

• SD-Access Border hands off to cEdge using IP Transit

• Manual handoff between SDA Border and cEdge

• Challenge with SGT propagation using SXP.

DNA-Center

Policy Plane Integration Today

ACI

APICSGT and EPGAssociated IPs

Border Leaf

• Policy Plane Integration using ISE and APIC

• SGT/EPG exchange between ISE & APIC

• SGT/EPG mapping and translation at SDA/ACI

borders

• Policy enforcement possible in SDA or ACI or both

Management& Policy

SGT and EPG

Fusion

SXP

Current deployment

B B

LISP BGP/IGP

CONTROL-PLANE

VXLAN+SGT VRF-LITE

DATA-PLANE