2017 Cisco and/or its affiliates. All rights reserved.

What is SD-Access?
Campus Fabric + DNA Center (Automation & Assurance)

SD-Access (Available Aug 2017)
- GUI approach provides automation & assurance of all Fabric configuration, management and group-based policy.
- Leverages DNA Center to integrate external Service Apps, to orchestrate your entire LAN, Wireless LAN and WAN access network.
(Diagram: DNA Center built on APIC-EM 2.0 with ISE and NDP, managing a fabric with B = Border and C = Control-Plane nodes.)

Campus Fabric (Shipping Now)
- CLI or API form of the new overlay Fabric solution for your enterprise Campus access networks.
- CLI approach provides backwards compatibility and customization, Box-by-Box. API approach provides automation via NETCONF / YANG.
- APIC-EM, ISE, NDP are all separate.
(Diagram: APIC-EM 1.X, ISE and NDP as separate systems beside a fabric with B = Border and C = Control-Plane nodes.)


What is SD-Access?
Fabric Roles & Terminology

- DNA Controller: Enterprise SDN Controller (e.g. APIC-EM) provides GUI management and abstraction via Service Apps, that share information.
- Identity Services: External ID Systems (e.g. ISE) are leveraged for dynamic Endpoint to Group mapping and Policy definition.
- Analytics Engine: External Data Collectors (e.g. NDP) are leveraged to analyze Endpoint to App flows and monitor fabric status.
- Control-Plane Nodes: Map System that manages Endpoint to Device relationships.
- Fabric Border Nodes: A Fabric device (e.g. Core) that connects External L3 network(s) to the SDA Fabric.
- Fabric Edge Nodes: A Fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SDA Fabric.
- Fabric Wireless Controller: A Fabric device (WLC) that connects Wireless Endpoints to the SDA Fabric.
(Diagram: DNA Center (APIC-EM, ISE, NDP) above a Campus Fabric of Fabric Border Nodes (B), Control-Plane Nodes (C), Intermediate Nodes (Underlay), Fabric Edge Nodes and a Fabric Wireless Controller.)


SD-Access Control-Plane
Platform Support

- Catalyst 3K: Catalyst 3850; 1/10G SFP; 10/40G NM Cards; IOS-XE 16.6.1+
- Catalyst 9500 (NEW): Catalyst 9500; 10/40G SFP/QSFP; 10/40G NM Cards; IOS-XE 16.6.1+
- Catalyst 6K: Catalyst 6800; Sup2T/6T; 6880-X or 6840-X; IOS 15.5.1SY+
- ASR1K, ISR4K & CSRv: CSRv; ASR 1000-X/HX; ISR 4430/4450; IOS-XE 16.6.1+


SD-Access Border Node
Platform Support

- Catalyst 3K: Catalyst 3850; 1/10G SFP+; 10/40G NM Cards; IOS-XE 16.6.1+
- Catalyst 9500 (NEW): Catalyst 9500; 40G QSFP; 10/40G NM Cards; IOS-XE 16.6.1+
- Catalyst 6K: Catalyst 6800; Sup2T/6T; 6880-X or 6840-X; IOS 15.5.1SY+
- ASR1K & ISR4K: ASR 1000-X/HX; ISR 4430/4450; IOS-XE 16.6.1+
- Nexus 7K: Nexus 7700; Sup2E; 1/10G/40G M3 Cards; NXOS 7.3.2+


SD-Access Edge Node
Platform Support

- Catalyst 3K: Catalyst 3650/3850; 1/MGIG RJ45; 10/40G NM Cards; IOS-XE 16.6.1+
- Catalyst 9300 (NEW): Catalyst 9300; 1/MGIG RJ45; 10/40/mG NM Cards; IOS-XE 16.6.1+
- Catalyst 4K: Catalyst 4500; Sup8E/9E (Uplinks); 4700 Cards (Down); IOS-XE 3.10.1+
- Catalyst 9400 (NEW): Catalyst 9400; Sup1E; 9400 Cards; IOS-XE 16.6.1+


SD-Access Fabric Wireless
Platform Support

- 3504 WLC (NEW): AIR-CT3504; 1G/mGig; AireOS 8.5+
- 5500 WLC: AIR-CT5520; No 5508; 1G/10G SFP+; AireOS 8.5+
- 8500 WLC: AIR-CT8540; 8510 supported; 1G/10G SFP+; AireOS 8.5+
- Wave 2 APs: 1800/2800/3800; 11ac Wave2 APs; 1G/mGIG RJ45; AireOS 8.5+
- Wave 1 APs*: 1700/2700/3700; 11ac Wave1 APs*; 1G RJ45; AireOS 8.5+

* Some caveats with Wave 1 APs. Check release notes.


SD-Access
Key Components

1. Control-Plane based on LISP
2. Data-Plane based on VXLAN
3. Policy-Plane based on CTS

Key Differences
- L2 + L3 Overlay -vs- L2 or L3 Only
- Host Mobility with Anycast Gateway
- Adds VRF + SGT into Data-Plane
- Virtual Tunnel Endpoints (No Static)
- No Topology Limitations (Basic IP)


Locator / ID Separation Protocol
Map-Based On-Demand Host-Routing

1. Control-Plane based on LISP (Host Mobility)

BEFORE: Routing Protocols = Big Tables & More CPU, with Local L3 Gateway. IP Address = Location + Identity. Every router carries Topology + Endpoint Routes in its Prefix / Next-hop table.

AFTER: LISP DB + Cache = Small Tables & Less CPU, with Anycast L3 Gateway. Separate Identity from Location. Endpoint Routes are consolidated to the LISP DB (the Mapping Database of Prefix / RLOC entries); each router keeps Only Local Routes plus Topology Routes.

(Diagram: before/after Prefix / Next-hop tables on each router; after LISP, the endpoint entries appear only in the Mapping Database as Prefix / RLOC.)


Locator / ID Separation Protocol
LISP Roles & Responsibilities

Map System
- Map Server / Resolver: holds the EID to RLOC Mappings. Can be distributed across multiple LISP devices.
  EID to RLOC Mappings: a.a.a.0/24 -> w.x.y.1; b.b.b.0/24 -> x.y.w.2; c.c.c.0/24 -> z.q.r.5; d.d.0.0/16 -> z.q.r.5
- Tunnel Router - XTR: Edge Devices that Encap / Decap; Ingress / Egress (ITR / ETR).
- Proxy Tunnel Router - PXTR: Connects between LISP and non-LISP domains; Ingress / Egress (PITR / PETR).
- EID = End-point Identifier: Host Address or Subnet (EID Space).
- RLOC = Routing Locator: Local Router Address (RLOC Space).

(Diagram: EID Space behind the ITR/ETR, RLOC Space between them, and a Non-LISP domain behind the PXTR whose Prefix / Next-hop table points w.x.y.1, x.y.w.2 and z.q.r.5 at e.f.g.h.)
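The Map Server / Resolver and ITR roles above, as an added example (not Cisco's code): a longest-prefix-match map resolver and an ITR whose map-cache is filled on demand, with a PETR fallback for non-LISP destinations. The EID prefixes, RLOCs and the roaming /32 host entry are constructed, using RFC 5737 documentation addresses in place of the slide's letter placeholders.

```python
import ipaddress

# Constructed mapping table (EID prefix -> RLOC). The slide uses letter placeholders
# (a.a.a.0/24 -> w.x.y.1, ...); RFC 5737 documentation addresses stand in for them here.
MAP_SERVER_TABLE = {
    "10.1.1.0/24": "192.0.2.1",      # a.a.a.0/24 -> w.x.y.1
    "10.1.2.0/24": "192.0.2.2",      # b.b.b.0/24 -> x.y.w.2
    "10.1.3.0/24": "198.51.100.5",   # c.c.c.0/24 -> z.q.r.5
    "10.2.0.0/16": "198.51.100.5",   # d.d.0.0/16 -> z.q.r.5
    "10.2.9.9/32": "192.0.2.1",      # constructed: a host that roamed (Host Mobility)
}
PETR_RLOC = "203.0.113.1"            # Proxy ETR used for non-LISP destinations (assumed)


class MapResolver:
    """Map Server / Resolver: holds EID-to-RLOC mappings and answers Map-Requests
    by longest-prefix match, so a /32 host entry wins over its /16 subnet."""

    def __init__(self, table):
        self.entries = sorted(((ipaddress.ip_network(p), r) for p, r in table.items()),
                              key=lambda e: e[0].prefixlen, reverse=True)

    def map_request(self, eid: str):
        addr = ipaddress.ip_address(eid)
        for prefix, rloc in self.entries:
            if addr in prefix:
                return rloc
        return None  # Negative Map-Reply: EID is outside the LISP EID space


class ITR:
    """Ingress Tunnel Router: no full endpoint table, only a map-cache filled on demand."""

    def __init__(self, resolver: MapResolver):
        self.resolver = resolver
        self.cache = {}        # dst EID -> RLOC, populated only for EIDs actually seen
        self.requests = 0      # Map-Requests sent (control-plane work)

    def lookup(self, dst_eid: str) -> str:
        """Return the RLOC to encapsulate to; cache hits cost no Map-Request."""
        if dst_eid in self.cache:
            return self.cache[dst_eid]
        self.requests += 1
        rloc = self.resolver.map_request(dst_eid) or PETR_RLOC  # PXTR path for non-LISP
        self.cache[dst_eid] = rloc
        return rloc
```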


SD-Access Fabric
Key Components: Virtual eXtensible LAN

1. Control-Plane based on LISP
2. Data-Plane based on VXLAN

ORIGINAL PACKET: ETHERNET | IP | PAYLOAD
PACKET IN LISP: ETHERNET | IP | UDP | LISP | IP | PAYLOAD (Supports L3 Overlay)
PACKET IN VXLAN: ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD (Supports L2 & L3 Overlay)


VXLAN-GPO Header
MAC-in-IP with VN ID & Group ID

Underlay

Outer MAC Header (14 Bytes, plus 4 Bytes optional VLAN tag)
- Dest. MAC (48 bits): Next-Hop MAC Address
- Source MAC (48): Src VTEP MAC Address
- VLAN Type (16): 0x8100
- VLAN ID (16)
- Ether Type (16): 0x0800

Outer IP Header (20 Bytes)
- IP Header Misc. Data (72)
- Protocol (8): 0x11 (UDP)
- Header Checksum (16)
- Source IP (32): Src RLOC IP Address
- Dest. IP (32): Dst RLOC IP Address

UDP Header (8 Bytes)
- Source Port (16): Hash of inner L2/L3/L4 headers of original frame. Enables entropy for ECMP load balancing.
- Dest Port (16): UDP 4789
- UDP Length (16)
- Checksum (16): 0x0000

VXLAN Header (8 Bytes)
- VXLAN Flags (8): RRRRIRRR
- Segment ID (16): Allows 64K possible SGTs
- VN ID (24): Allows 16M possible VRFs
- Reserved (8)

Overlay
- Inner (Original) MAC Header
- Inner (Original) IP Header
- Original Payload


SD-Access Fabric
Key Components: Cisco TrustSec

1. Control-Plane based on LISP
2. Data-Plane based on VXLAN
3. Policy-Plane based on CTS

The Policy-Plane carries Virtual Routing & Forwarding (VRF) and Scalable Group Tagging (SGT); VRF + SGT travel inside the VXLAN header:
ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD


Cisco TrustSec
Simplified access control with Group Based Policy

- Classification: Static or Dynamic SGT assignments (at the Campus Switch).
- Propagation: Carry Group context through the network using only SGT (across the Enterprise Backbone).
- Enforcement: Group Based Policies; ACLs, Firewall Rules (at the DC Switch or Firewall). DC switch receives policy for only what is connected.

(Diagram: ISE distributes policy; Campus Switches classify endpoints as Employee Tag, Supplier Tag, Non-Compliant Tag or Voice, across VLAN A and VLAN B; Shared Services and Application Servers sit behind the DC switch.)


Packet Flow in Fabric
VXLAN Encapsulation

Edge Node 1 (Encapsulation) -> IP Network -> Edge Node 2 (Decapsulation)
The VXLAN header carries the VN ID and SGT ID from one Edge Node to the other.

- Classification: Static or Dynamic VN and SGT assignments
- Propagation: Carry VN and Group context across the network
- Enforcement: Group Based Policies; ACLs, Firewall Rules
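The VXLAN-GPO header and the Edge Node encapsulation / decapsulation flow above, as an added example (not Cisco's code): it packs and parses the header, derives the outer UDP source port from the inner headers for ECMP entropy, and refuses segments not addressed to UDP 4789. It follows the draft-smith-vxlan-group-policy bit layout, which has a second flag byte the slide's field list folds into the flags; the sample frame and the VN ID / SGT values are constructed.

```python
import struct
import zlib

VXLAN_UDP_PORT = 4789   # outer UDP destination port (slide: "UDP 4789")
FLAG_I = 0x08           # RRRRIRRR: I bit = VN ID valid (RFC 7348)
FLAG_G = 0x80           # G bit = Group Policy ID present (draft-smith-vxlan-group-policy)


def pack_vxlan_gpo(vni: int, sgt: int, gpo_flags: int = 0) -> bytes:
    """8-byte VXLAN-GPO header: flags(8), GPO flag byte(8), Group Policy ID / SGT(16),
    VN ID(24), reserved(8). The GPO flag byte (D/E/S/A bits in the draft) is what the
    slide's field list leaves out; without it the header would be 7 bytes, not 8."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VN ID must fit in 24 bits (16M possible VRFs)")
    if not 0 <= sgt < (1 << 16):
        raise ValueError("SGT must fit in 16 bits (64K possible SGTs)")
    flags = FLAG_I | (FLAG_G if sgt else 0)
    return struct.pack("!BBHI", flags, gpo_flags & 0xFF, sgt, vni << 8)


def unpack_vxlan_gpo(hdr: bytes) -> dict:
    """Parse the header; the SGT is only trusted when the G bit says one is carried."""
    flags, gpo_flags, sgt, vni_res = struct.unpack("!BBHI", hdr[:8])
    if not flags & FLAG_I:
        raise ValueError("I bit clear: no valid VN ID")
    return {"vni": vni_res >> 8, "sgt": sgt if flags & FLAG_G else None,
            "gpo_flags": gpo_flags}


def entropy_port(inner_frame: bytes) -> int:
    """Outer UDP source port = hash of the inner L2/L3/L4 headers (first 54 bytes),
    mapped into the ephemeral range so ECMP spreads flows over underlay paths."""
    return 49152 + (zlib.crc32(inner_frame[:54]) % 16384)


def encap(inner_frame: bytes, vni: int, sgt: int) -> bytes:
    """Edge Node 1: outer UDP header + VXLAN-GPO header + original Ethernet frame."""
    body = pack_vxlan_gpo(vni, sgt) + inner_frame
    udp = struct.pack("!HHHH", entropy_port(inner_frame), VXLAN_UDP_PORT, 8 + len(body), 0)
    return udp + body


def decap(udp_segment: bytes) -> dict:
    """Edge Node 2: reject anything not on port 4789 or with a bad length, then recover
    VN ID, SGT and the inner frame that policy enforcement will act on."""
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", udp_segment[:8])
    if dport != VXLAN_UDP_PORT or ulen != len(udp_segment):
        raise ValueError("not a well-formed VXLAN segment")
    fields = unpack_vxlan_gpo(udp_segment[8:16])
    fields["inner_frame"] = udp_segment[16:]
    return fields


# Constructed inner frame (not captured from any fabric): 14-byte Ethernet header with
# locally administered MACs, 20 zero bytes for IP, 20 zero bytes for L4, then data.
SAMPLE_FRAME = bytes.fromhex("0200000000020200000000010800") + bytes(20) + bytes(20) + b"payload"
```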


SD-Access
DNA Center Service Components

DNA Center 1.0 (API): Design | Provision | Policy | Assurance

Service components integrated with DNA Center via API:
- Cisco ISE 2.3 (Identity Services Engine): talks to the Campus Fabric via AAA, RADIUS, EAPoL
- Cisco APIC-EM 2.0 (App Policy Infra Controller EN Module): talks to the Campus Fabric via NETCONF, SNMP, SSH
- Cisco NDP 1.0 (Network Data Platform): receives HTTPS, NetFlow, Syslogs from the Campus Fabric

Campus Fabric: Cisco Switches | Cisco Routers | Cisco Wireless


DNA Center
SD-Access 4 Step Workflow

1. Design: Global Settings; Site Profiles; DDI, SWIM, PNP; User Access
2. Policy: Virtual Networks; ISE, AAA, Radius; Endpoint Groups; Group Policies
3. Provision: Fabric Domains; CP, Border, Edge; FEW / OTT WLAN; External Connect
4. Assurance: Network Health; 360° Views; FD, Device, Client; Path Traces

Planning & Preparation
Installation & Integration


The First Step



Thank you for watching!