TRANSCRIPT
Per Jensen / Renè Andersen: Cisco SD-Access, how it works
Partner Session - April 2020
Welcome to: UP-TO-SPEED-ON-CISCO
Intent-Based Networks simplify management and reduce OpEx
[Diagram: Intent-Based Networking, driven by Business Intent and Policy with Automation and Analytics: comprehensive automation, consistent security, enterprise-wide visibility & assurance, Enterprise + Multicloud]
Cisco DNA & SD-Access: Networking at the Speed of Software!
Automated Network Fabric
Single Fabric for Wired & Wireless with simple Automation
Insights & Telemetry
Analytics and Insights into User and Application behavior
Identity-Based Policy & Segmentation
Decouples Security & QoS from VLAN and IP Address
[Diagram: IoT Network and Employee Network with User Mobility, the policy stays with the User; Outside; DNA Center providing Analytics, Automation and Policy]
SDA Extension
A Fabric is an Overlay
An Overlay network is a logical topology used to virtually connect devices, built on top of a simple physical Underlay network.
An Overlay network often uses alternate forwarding attributes to provide additional services, not provided by the Underlay.
Examples of Network Overlays:
• GRE / mGRE
• MPLS / VPLS
• IPSec / DMVPN
• CAPWAP
• LISP
• OTV
• DFA
• ACI
SD-Access: What exactly is a Fabric?
SD-Access Campus Fabric - Key Components
1. Control-Plane based on LISP
2. Data-Plane based on VXLAN
3. Policy-Plane based on CTS
Key Differences
• L2 + L3 Overlay -vs- L2 or L3 Only
• Host Mobility with Anycast Gateway
• Adds VRF + SGT into Data-Plane
• Virtual Tunnel Endpoints (Automatic)
• NO Topology Limitations (Basic IP)
SD-Access Fabric Roles & Terminology
▪ Control-Plane Nodes – Map System that manages Endpoint to Device relationships
▪ Fabric Edge Nodes – A Fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SDA Fabric
▪ Fabric Border Nodes – A Fabric device (e.g. Core) that connects External L3 network(s) to the SDA Fabric
▪ Fabric Wireless Controller – A Fabric device (WLC) that connects APs and Wireless Endpoints to the SDA Fabric
▪ Identity Services – NAC & ID Systems (e.g. ISE) for dynamic Endpoint to Group mapping and Policy definition
▪ DNA Center – provides simple GUI management and intent based automation (e.g. NCP) and context sharing
▪ Analytics Engine – Data Collectors (e.g. NDP) analyze Endpoint to App flows and monitor fabric status
[Diagram: Campus Fabric with Control-Plane Nodes (C), Fabric Border Nodes (B), Fabric Edge Nodes, Intermediate Nodes (Underlay) and a Fabric Wireless Controller, managed by DNA Center (NCP) with Identity Services (ISE) and an Analytics Engine (NDP)]
LAN Automation
[Diagram: Cisco DNA Center (Assurance, Automation, Policy) with a Primary Seed and a Secondary Seed at the Layer 3 / Layer 2 boundary]
Automated Onboarding: Cisco DNA-Center can detect and onboard devices two hops downstream from the Seed.
LAN Automation – Step 1
[Diagram: Cisco DNA Center (Assurance, Automation, Policy) with a Primary Seed and a Secondary Seed at the Layer 3 / Layer 2 boundary; steps 1 to 3 marked]
Cisco DNA-Center configures a DHCP server on the seed.
1. The device boots up and sends a DHCP request on VLAN 1.
2. The DHCP server on the seed leases an IP address with option 43 pointing to the Cisco DNA-Center controller.
3. Cisco DNA-Center adds the new switch into its inventory.
All the devices get discovered and added to Cisco DNA-Center.
LAN Automation – Step 2
[Diagram: Cisco DNA Center (Assurance, Automation, Policy) with a Primary Seed and a Secondary Seed at the Layer 3 / Layer 2 boundary]
Cisco DNA-Center onboards the new switch.
Planning for LAN Automation
[Diagram: Cisco DNA-Center with a Primary Seed and a Secondary Seed at the Layer 3 / Layer 2 boundary, Automated Onboarding]
• The IP subnet size depends on the number of devices that need to be onboarded.
• Cisco DNA-C expects a minimum /25 subnet.
Planning for LAN Automation
[Diagram: the routed access underlay (Primary Seed, Secondary Seed, Layer 3 / Layer 2 boundary, Automated Onboarding by Cisco DNA-Center) becomes the SD Access Fabric with Border nodes (B) managed by Cisco DNA-Center]
Planning for LAN Automation - Border
[Diagram: SD Access Fabric with Border nodes (B) and Cisco DNA-Center]
• The Border automation step in Fabric deployment automates the configuration on the border devices.
• On switches, VRF-Lite is deployed to hand off overlay subnets to the non-fabric network.
• Prepare for this at the LAN automation stage by configuring the northbound interfaces as trunks.
Planning for LAN Automation - Border
[Diagram: SD Access Fabric with Border nodes (B) and Cisco DNA-Center]
• When discovering the seed devices via Cisco DNA-Center, use the loopback0 IP.
• Ensure loopback0 has reachability to ISE, the DHCP server and Cisco DNA-C.
• Cisco DNA-Center uses eBGP when automating the Border handoff for the Fabric.
• You can use any routing protocol between the Border and the next hop for the underlay.
Planning for LAN Automation – Native Multicast
[Diagram: SD Access Fabric with Border nodes (B) and Cisco DNA-Center]
• If you need to enable native multicast in your fabric network, check the box to automate the underlay configuration for it.
On the Seed device – Initial configuration
- MTU 9100
- SVI on VLAN 1
- Interface connecting to the new device as an access port in VLAN 1
- IS-IS on VLAN 1
- IS-IS on loopback0
- DHCP server
  1. Network
  2. Default gateway
  3. Option 43 pointing to the Cisco DNA-Center
See Notes for more details.
On the Seed device - After Stop
- Cleans out the DHCP server configuration
- Deletes the VLAN 1 SVI
- Interfaces connecting to the new device:
  - L3 interface with IP address
  - IS-IS routing
  - BFD
On the new device – Initial
- Host name
- On VLAN 1:
  1. DHCP IP
  2. IS-IS routing
- Crypto key (mod 1024)
- SSH v2
- SCP server
- VTP mode transparent
- RPVST
- Edge node configured as the STP root
- Enable IP routing
- MTU to 9100
- SNMP RW string
- Enable password
- Local username and password
- IS-IS routing protocol
- Loopback0:
  1. DHCP IP
  2. IS-IS routing
- Multicast (if enabled):
  1. Multicast routing
  2. PIM SSM
  3. PIM RP
- Archive logging
On the new device – After Stop
- Deletes the VLAN 1 SVI
- Interfaces connecting to the new device:
  - L3 interface with IP address
  - IS-IS routing
  - BFD
Provision – Configuration Summary
[Diagram: Step-1 to Step-4]
- Add Seed systems to Site
- Start Underlay Network discovery and automation
- Stop Underlay Network discovery and automation
Can You See the Business Intent Here:
DMZ-Pod1#show cts role-based permissions
IPv4 Role-based permissions default:
Permit IP-00
IPv4 Role-based permissions from group 4:Employees to group 12:Development_Servers:
Deny IP-00
IPv4 Role-based permissions from group 8:Developers to group 12:Development_Servers:
Permit IP-00
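Reading a matrix like the one above by hand does not scale once more groups are added, so here is an added example (not from the session and not Cisco code) that parses the 'show cts role-based permissions' output into a policy matrix, answers which SGACLs apply to a given source/destination SGT pair with fallback to the default cell, and lists the SGT pairs that are governed only by the default. The slide output is embedded as constructed sample input; SgaclPolicy and the helper names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the 'show cts role-based permissions' output from the slide above.
SAMPLE_OUTPUT = """\
DMZ-Pod1#show cts role-based permissions
IPv4 Role-based permissions default:
        Permit IP-00
IPv4 Role-based permissions from group 4:Employees to group 12:Development_Servers:
        Deny IP-00
IPv4 Role-based permissions from group 8:Developers to group 12:Development_Servers:
        Permit IP-00
"""

# Matches the default-cell header or a 'from group S:name to group D:name' cell header.
HEADER_RE = re.compile(
    r"^IPv4 Role-based permissions "
    r"(?:(?P<default>default)|from group (?P<src>\d+):\S+ to group (?P<dst>\d+):\S+):$"
)

@dataclass
class SgaclPolicy:
    default: List[str] = field(default_factory=list)   # SGACLs used when no cell matches
    cells: Dict[Tuple[int, int], List[str]] = field(default_factory=dict)  # (src, dst) -> SGACLs

def parse_permissions(text: str) -> SgaclPolicy:
    """Build the SGT-to-SGT policy matrix from 'show cts role-based permissions' output."""
    policy = SgaclPolicy()
    current: Optional[List[str]] = None   # the SGACL list the following lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            if m.group("default"):
                current = policy.default
            else:
                key = (int(m.group("src")), int(m.group("dst")))
                current = policy.cells.setdefault(key, [])
        elif current is not None and line:
            current.append(line)   # an SGACL name, e.g. 'Deny IP-00'
    return policy

def effective_sgacls(policy: SgaclPolicy, src_sgt: int, dst_sgt: int) -> List[str]:
    """SGACLs the switch applies to src->dst; a pair without an explicit cell gets the default."""
    return policy.cells.get((src_sgt, dst_sgt), policy.default)

def unconstrained_pairs(policy: SgaclPolicy, sgts: List[int]) -> List[Tuple[int, int]]:
    """Audit helper: ordered pairs of known SGTs that are governed only by the default cell."""
    return [(s, d) for s in sgts for d in sgts if s != d and (s, d) not in policy.cells]
```

With the slide's matrix, Developers (8) reach the Development_Servers (12), Employees (4) are denied, and every other pair, including 12 back to 4, silently inherits the Permit default, which is exactly the kind of gap the audit helper surfaces.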
Secure onboarding of users and devices
Segmentation and Access Control
Before SD-Access:
• VLAN and IP address based
• Create IP based ACLs for access policy
• Deal with policy violations and errors manually
After SD-Access:
• No VLAN or subnet dependency for segmentation and access control
• Define one consistent policy
• Policy follows Identity
Group-Based Policy: Policy follows Identity. Completely Automated: drag policy to apply.
[Diagram: Users, Devices and Apps placed in the Employee, IoT and Guest Virtual Networks, with Groups 1 to 6 inside them]
1. Virtual Networks: First level Segmentation that ensures zero Communication between Building systems and Users
2. Groups: Second level Segmentation within a Virtual Network that ensures role based access control between Two Groups
Identity-based Policy – Segmentation & Access Control (Software-Defined Access)
[Diagram: IoT Virtual Network (Group 3) and Employee Virtual Network (Groups 1, 2, 4, 5) spanning Routers, Switches, Wireless APs and the WLC; policy cells shown as Default Permit, Custom Deny and Default Deny]
Cisco SDA TrustSec: Simplified access control with Group Based Policy
[Diagram: ISE distributes policy to the Campus Switches and to a DC Switch or Firewall in front of the Application Servers and Shared Services across the Enterprise Backbone; Endpoints carry Voice, Employee, Supplier and Non-Compliant tags, and the DC switch receives policy for only what is connected]
Classification: Static or Dynamic SGT assignments
Propagation: Carry "Group" context through the network using only the SGT
Enforcement: Group Based Policies, ACLs, Firewall Rules
High Fidelity Visibility
Rapidly reduce unknowns by aggregating various sources of device fingerprints.
[Diagram: Endpoint Profiling built on ML Analytics and Data Aggregation, fed by Network Telemetry, Probes, Easy Onboarding Tools, RF Fingerprinting (Roadmap), DPI-based Fingerprint/Behavior, a CMDB Connector and a 3rd Party Visibility Tool]
Endpoint Analytics on Cisco DNA Center
The power of 'Deep Packet Inspection (DPI)'
[Diagram: a GE Optima CT Scanner 540 (runs Windows 7). Traditional Profilers see the DHCP Class-ID "MSFT" and probe data and report Endpoint Type: Windows-Workstation. Deep Packet Inspection of the L6/L7 DICOM traffic ("GE CT540") feeds DCS and Multifactor Classification and reports Endpoint Type: CT Scanner, Operating System: MS Windows 7, Manufacturer: General Electric (GE), Model: Optima CT 540]
EA: Endpoint Analytics | NBAR-based DPI – Supported on Cat9200/9300 with IOS-XE 7.1
Endpoint Analytics – Multi Factor Classification
Classifying endpoints using four independent label categories for more flexible profiling
Device Type | Hardware Model | Hardware Manufacturer | Operating System
Laptop      | MacBook Pro    | Apple                 | macOS 10.14.6
CT Scanner  | Optima CT540   | GE                    | Windows 8
Smartphone  | Galaxy S8      | Samsung               | Android 9.0
DPI available for all deployment scenarios
[Diagram: NBAR (SD-AVC Agent) on Cat9000 switches and the WLC, plus a Cisco DNA Traffic Telemetry Appliance (TTA) fed by SPAN from the Distribution Layer for legacy Cisco switches / 3rd party devices, all reporting to DNAC (EA); context is shared with Cisco ISE for Policy, and the Cisco ISE Web User Interface carries the DCS web interface to show device classification results associated with endpoints; Q3CY20]
Better Classification reduces unauthorized access
[Diagram: Cisco DNA Center Endpoint Profiling (ML Analytics, Data Aggregation, Multifactor Classification) reports Endpoint Type: CT Scanner, Operating System: MS Windows 7, Manufacturer: General Electric (GE), Model: Optima CT 540; DNAC shares the result with Cisco ISE, shown with SGT 10, SGT 11 and SGT 12]
Introduction to Group-Based Policy Analytics
Challenge:
• High profile attacks driving customers towards internal segmentation
• Internal network largely unknown
• Difficult to understand network behaviour of people and things
• Customers asking for help in creating network segmentation policy
Solution:
Application on Cisco DNA Center providing:
• Discovery of required policy: visibility and behaviour
• Modeling of candidate groups and policies
• Help to micro-segment (author) the network
First release just covers Discovery.
Introduction to Group-Based Policy Analytics
[Diagram: Policy Discovery, Policy Modeling and Policy Enforcement on Cisco DNA Center; Endpoint Group-Group Activity is built from Endpoint Analytics (MFC), ISE Scalable Groups and Profiles, Stealthwatch Host Groups and Flow Info]
Group-Based Policy Analytics Use-Cases
[Diagram: matrix of SOURCE Scalable Groups against DESTINATION Scalable Groups, with groups such as Confidential Servers, Employees, Guests, Email Servers, Contractors, Unknown, Databases and MRI Machines]
• Understand communications patterns: identify Group-Group relationships
• Identify the specific ports/protocols needed in access control policies
Demo: Group-Based Policy Analytics
Distributed Campus: Enhanced Resiliency and Scale for Large Deployments
✓ Automated Inter-Site Connectivity
✓ Consistent Enterprise-Wide Policy
✓ Enhanced Resiliency & Local Isolation
✓ Direct Internet Access per Site
▪ Individual Fabric Sites contain local Border and Control Plane nodes
▪ Local Border nodes can hand-off to an IP-based WAN or an SD-Access Transit
▪ Transit has a unique Control Plane node, to connect local and remote Sites
▪ Transit does not have Fabric Edge nodes
[Diagram: Fabric Site 1, Fabric Site 2 and Fabric Site 3, each with Border (B) and Control Plane (C) nodes, connected through a Transit with its own Control Plane node]
SD-Access Multi Site: Transits and Domains
A Fabric Domain may consist of one or more Fabric Sites + Transit.
Multiple Fabric Sites are connected to each other using a Transit Site.
There are two types of Transit:
• SD-Access Transit - Enables a native SD-Access (LISP, VXLAN, CTS) fabric, with a domain-wide Control Plane node for inter-site communication
• IP-Based Transit - Leverages a traditional IP-based (VRF-LITE, MPLS) network, which requires remapping of VRFs and SGTs between sites
SD-Access for Distributed Campus Multi-Site Architecture
• A Fabric Domain can consist of one or more individual Fabric Sites
• Each Site is a unique fabric with its own Control Plane and Border nodes
• The Fabric Domain will also have a domain-wide Transit Control Plane node to facilitate inter-site communication
[Diagram: SD-Access Transit with its Control Plane node (C) connecting Fabric Site 1, Fabric Site 2 and Fabric Site 3, each with Border (B) and Control Plane (C) nodes]
SDA/SDWAN Interoperation today
[Diagram: SD-Access Fabric Site #1 and Site #2, each with SDA Border Nodes (B), an SDA CP Node (C) and SDA Fabric Nodes running LISP, hand off over IP VRF-Lite with BGP to cEdge routers of the SD-WAN Fabric (OMP, IPSec, vManage); DNA Center automates the SD-Access sites; numbered options 1 and 2 are shown, one footnoted "* Last option"]
Current deployments
• Cisco DNA Center automates SD-Access Sites
• SD-Access Border hands off to cEdge using IP Transit
• Manual handoff between SDA Border and cEdge
• Challenge with SGT propagation using SXP.
Policy Plane Integration Today
• Policy Plane Integration using ISE and APIC
• SGT/EPG exchange between ISE & APIC
• SGT/EPG mapping and translation at SDA/ACI borders
• Policy enforcement possible in SDA or ACI or both
[Diagram (current deployment): SDA Border nodes (B) connect through a Fusion device to the ACI Border Leaf; ISE and APIC exchange SGT and EPG with their associated IPs (Management & Policy, SXP). Control-plane: LISP on the SDA side, BGP/IGP towards ACI. Data-plane: VXLAN+SGT on the SDA side, VRF-LITE towards ACI]