
Software Defined Access

AJ Shah
SE
2018
Cisco Is Rewriting the Network Playbook

Traditional Network → The New Network
• Hardware Centric → Software Driven
• Manual → Automated
• Fragmented Security → Built-In Security

Powered by Cisco DNA™: Network Data → Business Insights

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Partner Confidential
Cisco Catalyst 9000 – Built for SD-Access

IOS® XE Software | SD-Access integrated | Converged ASIC (UADP 2.0) | Single Image | Common Licensing
Catalyst 9000 Series: 9300 – Fixed Access, 9400 – Modular Access, 9500 – Fixed Core

First in enterprise
• x86 CPU with app hosting
• Programmable ASIC
• Software patching

Industry’s unmatched
• High Availability
• MultiGigabit density
• UPOE scale

Future-Proofed
• IEEE 802.11ax ready
• 100W PoE (IEEE 802.3bt) ready
• 25G Ethernet ready

Security | IoT convergence | Mobility | Cloud
Catalyst 9K Platform Transitions

Catalyst 9000 Series: Catalyst 9300, Catalyst 9400, Catalyst 9500
Transitioning platforms: Catalyst 3850 Copper, Catalyst 4500-E, Catalyst 4500X, Catalyst 3850 Fiber 48 port
Access Switching | Backbone Switching
Shift IT Time to Business Focus

• 67% Network Provisioning Time Savings
• 80% Improve Issue Resolution
• 48% Reduced Security Breach Impact
• 61% Reduced Operating Expense
Software Defined Access
Underlay, Overlay, and Controller

DNA-C (Controller-based Management)
• Fabric Orchestration and Visibility
• Single User Interface for Fabric Management

Programmable Overlay
• Connects Users and Devices to each other, w/ policy control
• Standards-based control plane (LISP)
• Standards-based data plane (VXLAN)

Prescriptive Underlay
• Connects the network elements to each other
• Automated, standardized deployment and operation
• Leverages existing network topologies (not restricted to spine/leaf)

Cisco Internal Use Only – Do Not Distribute Externally without NDA


Enterprise Automation Key Benefits
Standards Based | Object Model APIs | TCO Savings

TODAY
• CLIs and scripts
• Manual configurations
• Script maintenance
• Wired access only
• Static network environments
• Slow and unpredictable workload change
• Hardware-centric

FUTURE
• Simple user interface
• Autonomic with control and visibility
• Orchestration with data models
• Extensibility with native 3rd party app hosting
• Open sourced programmable interfaces
• Seamless wired and wireless access
• Programmable using software
Digital Business Drivers
Requirement for Dynamic Policy Changes

Traditional network management cannot provide sufficient dynamic management
• Focus has been on Day0/1 automation
• CLI not built for volumes of changes in machine real time

Controller based networking supports dynamic policy change
• Controller allows network to be managed as a system
• Policy management is automated and abstracted
How is Fabric Different from an Overlay?
Fabric is an Overlay
An “Overlay” is a logical topology used to virtually connect devices, built
on top of an arbitrary physical “Underlay” topology.
An “Overlay” network often uses alternate forwarding attributes to provide
additional services, not provided by the “Underlay”.

We Live in a World of L2/L3 Overlays

• GRE or mGRE
• L2TPv2 or L2TPv3
• MPLS or VPLS
• IPSec or DMVPN
• CAPWAP
• LISP
• OTV
• DFA
• ACI
SD-Access
Manual vs. Automated Underlay

Manual Underlay
You can reuse your existing IP network as the Fabric Underlay!
• Key Requirements
  • IP reach from Edge to Edge/Border/CP
  • Can be L2 or L3 – We recommend L3
  • Can be any IGP – We recommend ISIS
• Key Considerations
  • MTU (Fabric Header adds 50B)
  • Latency (max RTT =/< 100ms)

Automated Underlay
Prescriptive fully automated Global and IP Underlay Provisioning!
• Key Requirements
  • Leverages standard PNP for Bootstrap
  • Assumes New / Erased Configuration
  • Uses a Global “Underlay” Address Pool
• Key Considerations
  • PNP pre-setup is required
  • 100% Prescriptive (No Custom)

Underlay Network
Cisco Digital Network Architecture APIs

[Architecture diagram] Network Enabled Applications sit above the UNI (GUI, Customized, Prescriptive Service Definition & Orchestration, Model-based). DNA Center is the Enterprise Controller (APIC-EM, ISE, NDP for Policy Determination), providing Intent, Service Instantiation, Telemetry, Plug & Play, Path Optimization, Topology, Easy QoS and Analytics, and exposing APIs. Below it, Policy Enforcement Points (PEP) sit in each domain: SD-WAN / Branch (WAN Fabric, Segmentation 3), Campus (SDA Campus Fabric, Segmentation 1), Data Center (ACI DC Fabric, Segmentation 2), Int. Acc and Cloud, interconnected over the SP WAN. Network Function Virtualization provides localized or network-wide Service Chaining with WAN VNFs, Campus VNFs, DC VNFs and Cloud VNFs.

UNI: User Network Interface; PEP: Policy Enforcement Point
ISE in Enterprise

MOBILITY

TRUSTSEC

ANALYTICS

DEVICE ADMIN (TACACS+)

SD-ACCESS

Cisco ISE is critical for several enterprise networking solutions

Key Concepts
What is SD-Access?

1. High-Level View
2. Roles & Platforms
3. Fabric Constructs



SD-Access
Fabric Roles & Terminology

• DNA Center – provides simple GUI management and intent based automation (e.g. NCP) and context sharing
• Identity Services – NAC & ID Systems (e.g. ISE) for dynamic Endpoint to Group mapping and Policy definition
• Analytics Engine – Data Collectors (e.g. NDP) analyze Endpoint to App flows and monitor fabric status
• Control-Plane Nodes – Map System that manages Endpoint to Device relationships
• Fabric Border Nodes – A Fabric device (e.g. Core) that connects External L3 network(s) to the SDA Fabric
• Fabric Edge Nodes – A Fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SDA Fabric
• Fabric Wireless Controller – A Fabric device (WLC) that connects APs and Wireless Endpoints to the SDA Fabric

[Diagram] DNA Center (NCP), Identity Services (ISE) and Analytics Engine (NDP) above the Campus Fabric; inside the fabric: Control-Plane Nodes (C), Fabric Border Nodes (B), Intermediate Nodes (Underlay), Fabric Edge Nodes and the Fabric Wireless Controller.


SD-Access Fabric
Control-Plane Nodes – A Closer Look

Control-Plane Node runs a Host Tracking Database to map location information
• A simple Host Database that maps Endpoint IDs to a current Location, along with other attributes
• Host Database supports multiple Endpoint ID lookup types (IPv4, IPv6 or MAC)
• Receives Endpoint ID map registrations from Edge and/or Border Nodes for “known” IP prefixes
• Resolves lookup requests from Edge and/or Border Nodes, to locate destination Endpoint IDs

[Diagram] Control-Plane node (C) and two Border nodes (B) between the fabric and the Known Networks / Unknown Networks.


SD-Access Platforms
Control-Plane Nodes (* Wired Only)

• Catalyst 3K: Catalyst 3850; 1/10G SFP; 10/40G NM Cards; IOS-XE 16.6.3+
• Catalyst 9500 (NEW): Catalyst 9500; 10/40G SFP/QSFP; 10/40G NM Cards; IOS-XE 16.6.3+
• Catalyst 6K*: Catalyst 6800; Sup2T/6T; 6840/6880-X; IOS 15.4.1SY4+
• ASR1K, ISR4K & CSRv: CSRv; ASR 1000-X/HX; ISR 4300/4400; IOS-XE 16.6.2+


SD-Access Fabric
Edge Nodes – A Closer Look

Edge Node provides first-hop services for Users / Devices connected to a Fabric
• Responsible for Identifying and Authenticating Endpoints (e.g. Static, 802.1X, Active Directory)
• Register specific Endpoint ID info (e.g. /32 or /128) with the Control-Plane Node(s)
• Provide an Anycast L3 Gateway for the connected Endpoints (same IP address on all Edge nodes)
• Performs encapsulation / de-encapsulation of data traffic to and from all connected Endpoints


SD-Access Platforms
Edge Nodes

• Catalyst 3K: Catalyst 3650/3850; 1/10G RJ45, SFP; 10/40G NM Cards; IOS-XE 16.6.3+
• Catalyst 9300 (NEW): Catalyst 9300; 1/10G RJ45, SFP; 10/40/MG NM Cards; IOS-XE 16.6.3+
• Catalyst 4K: Catalyst 4500; Sup8E/9E (Uplink); 4700 Cards; IOS-XE 3.10.1E+
• Catalyst 9400 (NEW): Catalyst 9400; Sup1/XL; 9400 Cards; IOS-XE 16.6.3+


SD-Access Fabric
Border Nodes – A Closer Look

Border Node is an Entry & Exit point for data traffic going Into & Out of a Fabric

There are 2 Types of Border Node!
• Internal Border
  • Used for “Known” Routes inside your company
• External Border (or Default)
  • Used for “Unknown” Routes outside your company


SD-Access Platforms
Border Nodes (* External Border Only)

• Catalyst 3K: Catalyst 3850; 1/10G SFP+; 10/40G NM Cards; IOS-XE 16.6.3+
• Catalyst 9K (NEW): Catalyst 9500; 10/40G SFP/QSFP; 10/40G NM Cards; IOS-XE 16.6.3+
• Catalyst 6K: Catalyst 6800; Sup2T/6T; 6840/6880-X; IOS 15.4.1SY4+
• ASR1K & ISR4K: ASR 1000-X/HX; ISR 4300/4400; 1/10G/40G; IOS-XE 16.6.3+
• Nexus 7K*: Nexus 7700; Sup2E; M3 Cards; NXOS 8.2.1+


SD-Access Fabric
Border Nodes - Internal

Internal Border advertises Endpoints to outside, and known Subnets to inside
• Connects to any “known” IP subnets available from the outside network (e.g. DC, WLC, FW, etc.)
• Exports all internal IP Pools to outside (as aggregate), using a traditional IP routing protocol(s).
• Imports and registers (known) IP subnets from outside, into the Control-Plane Map System
• Hand-off requires mapping the context (VRF & SGT) from one domain to another.


SD-Access Fabric
Border Nodes - External

External Border is a “Gateway of Last Resort” for any unknown destinations
• Connects to any “unknown” IP subnets, outside of the network (e.g. Internet, Public Cloud)
• Exports all internal IP Pools outside (as aggregate) into traditional IP routing protocol(s).
• Does NOT import unknown routes! It is a “default” exit, if no entry is available in Control-Plane.
• Hand-off requires mapping the context (VRF & SGT) from one domain to another.
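As an added example that is not part of this deck or of Cisco's software, a simplified Python model of the Control-Plane Map System as the Control-Plane, Edge, Internal Border and External Border slides describe it: Edges register host EIDs (/32, /128 or MAC), the Internal Border registers aggregate "known" prefixes, and the External Border is the default exit for anything the Control-Plane cannot resolve. Class names, RLOC labels and addresses are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


@dataclass
class MapSystem:
    """Simplified Control-Plane Node host tracking database (constructed model, not Cisco code)."""
    hosts: Dict[str, str] = field(default_factory=dict)        # host EID (/32, /128, MAC) -> Edge RLOC
    prefixes: Dict[object, str] = field(default_factory=dict)  # "known" prefix -> Internal Border RLOC
    default_border: Optional[str] = None                       # External Border RLOC, gateway of last resort

    def map_register(self, eid: str, rloc: str) -> None:
        """Edges register host EIDs; Internal Borders register aggregate prefixes.
        Re-registering an EID from another RLOC models a host move: the new location wins."""
        if MAC_RE.match(eid):
            self.hosts[eid.lower()] = rloc
            return
        net = ipaddress.ip_network(eid, strict=False)
        if net.prefixlen == net.max_prefixlen:       # single Endpoint (/32 or /128)
            self.hosts[str(net.network_address)] = rloc
        else:                                         # "known" subnet imported from outside
            self.prefixes[net] = rloc

    def map_request(self, eid: str) -> Tuple[str, Optional[str]]:
        """Resolve an EID: exact host entry, then longest known prefix, else the External Border."""
        if MAC_RE.match(eid):
            rloc = self.hosts.get(eid.lower())
            return ("known", rloc) if rloc else ("unknown", self.default_border)
        addr = ipaddress.ip_address(eid)
        rloc = self.hosts.get(str(addr))
        if rloc:
            return ("known", rloc)
        matches = [net for net in self.prefixes if addr in net]
        if matches:
            best = max(matches, key=lambda net: net.prefixlen)
            return ("known", self.prefixes[best])
        # Unknown routes are never imported: hand the packet to the "default" exit (None = drop).
        return ("unknown", self.default_border)


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Constructed fabric: two Edges, one Internal Border (DC subnet), one External Border."""
    cp = MapSystem(default_border="EXT-BORDER")
    cp.map_register("10.1.1.10/32", "EDGE-1")           # wired user behind Edge 1
    cp.map_register("2001:db8:1::10/128", "EDGE-1")      # same user, IPv6 EID
    cp.map_register("aa:bb:cc:dd:ee:01", "EDGE-2")       # MAC EID behind Edge 2
    cp.map_register("10.200.0.0/16", "INT-BORDER")      # DC subnet registered by the Internal Border
    results = {
        "user_v4": cp.map_request("10.1.1.10"),
        "user_v6": cp.map_request("2001:db8:1::10"),
        "mac": cp.map_request("AA:BB:CC:DD:EE:01"),
        "dc_server": cp.map_request("10.200.7.7"),
        "internet": cp.map_request("198.51.100.9"),      # nothing registered -> External Border
    }
    cp.map_register("10.1.1.10/32", "EDGE-2")            # the host roams; Edge 2 re-registers it
    results["user_v4_after_move"] = cp.map_request("10.1.1.10")
    return results
```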


SD-Access - Border Deployment
External Border : Connecting to Unknown Networks

[Diagram] SD-Access Fabric with a Control-Plane node (C) and two Border nodes (B) connecting to the Unknown Networks: Internet and Public Cloud.


SD-Access @ DNA Center
Border Nodes



SD-Access Support
Fabric ready platforms for your digital ready network

Switching: Catalyst 9500 (NEW), Catalyst 9400 (NEW), Catalyst 9300 (NEW), Catalyst 3650 and 3850, Catalyst 4500E, Catalyst 6800, Nexus 7700
Routing: ASR-1000-X, ASR-1000-HX, ISR 4430, ISR 4450, ISRv/CSRv
Wireless: AIR-CT5520, AIR-CT8540, AIR-CT3504 (NEW), Wave 2 APs (1800, 2800, 3800), Wave 1 APs* (1700, 2700, 3700)
Extended: Cisco Digital Building, Catalyst 3560-CX, IE Series (4K/5K)
* with Caveats


SD-Access Platforms
Fabric Wireless (* Some caveats with Wave1 APs.)

• 3504 WLC (NEW): AIR-CT3504; 150 APs; 1G/mGig RJ45; AireOS 8.5.1+
• 5500 WLC: AIR-CT5520; 1500 APs; 1G/10G SFP+; AireOS 8.5.1+
• 8500 WLC: AIR-CT8540; 5000 APs; 1G/10G SFP+; AireOS 8.5.1+
• Wave 2 APs: 1800/2800/3800; 11ac Wave2 APs; 1G/mGIG RJ45; AireOS 8.5.1+
• Wave 1 APs*: 1700/2700/3700; 11ac Wave1 APs; 1G RJ45; AireOS 8.5.1+


SD-Access Wireless Architecture 1
Simplifying the Control Plane

Automation
• DNAC simplifies the Fabric deployment, including the wireless integration component

Centralized Wireless Control Plane
• WLC still provides client session management, AP Mgmt, Mobility, RRM, etc.
• Same operational advantages of CUWN

Fabric enabled WLC: WLC is part of LISP control plane
• WLC integrates with LISP control plane
• WLC updates the CP for wireless clients
• Mobility is integrated in Fabric thanks to LISP CP

[Diagram] DNAC (Policy Abstraction and Configuration, Automation) and ISE / AD above the SD-Access Fabric; the WLC keeps a CAPWAP control plane towards the APs and a LISP control plane (Management) towards the Control-Plane node (C); Border nodes (B) at the fabric edge.
BRKEWN-2020 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
Centralized Unified Wireless Network Strengths

• Simplified operations? Yes with WLC
• Network Overlay? CAPWAP
• L3 roaming across Campus? WLC as Mobility Anchor
• Simplified IP addressing? WLC as mobility Anchor
• Guest traffic segmentation? Foreign-Anchor

[Diagram] ISE / AD and the WLC; CAPWAP (Control) and CAPWAP (Data) tunnels from the APs to the WLC.
SD-Access Fabric
Fabric Enabled Wireless – A Closer Look

Fabric Enabled WLC is integrated into Fabric for SDA Wireless clients (Ctrl: CAPWAP, Data: VXLAN)
• Connects to Fabric via Border (Underlay)
• Fabric Enabled APs connect to the WLC (CAPWAP) using a dedicated Host Pool (Overlay)
• Fabric Enabled APs connect to the Edge via VXLAN
• Wireless Clients (SSIDs) use regular Host Pools for data traffic and policy (same as Wired)
• Fabric Enabled WLC registers Clients with the Control-Plane (as located on local Edge + AP)


SD-Access Fabric
Scalable Groups – A Closer Look

Scalable Group is a logical policy object to “group” Users and/or Devices
• Nodes use “Scalable Groups” to ID and assign a unique Scalable Group Tag (SGT) to Endpoints
• Nodes add a SGT to the Fabric encapsulation
• SGTs are used to manage address-independent “Group-Based Policies”
• Edge or Border Nodes use SGT to enforce local Scalable Group ACLs (SGACLs)

[Diagram] Endpoints behind the Edges each carry an SGT; the Control-Plane node (C) and Border nodes (B) sit between the fabric and the Known / Unknown Networks.
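To show what "address-independent" group-based policy means in practice, an added Python model (not the deck's or Cisco's code) of SGACL enforcement at an Edge: the source SGT arrives in the Fabric encapsulation, the destination SGT is looked up from the enforcing node's own endpoint table, and the (source SGT, destination SGT) cell selects the SGACL. The SGT values, groups, addresses and rules are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    """One SGACL entry; proto "ip" matches any protocol, dst_port 0 matches any port."""
    action: str            # "permit" or "deny"
    proto: str = "ip"
    dst_port: int = 0

    def matches(self, proto: str, dst_port: int) -> bool:
        return (self.proto == "ip" or self.proto == proto) and \
               (self.dst_port == 0 or self.dst_port == dst_port)


class SgaclEnforcer:
    """Simplified egress SGACL enforcement on a Fabric Edge or Border (constructed model)."""

    def __init__(self, default_action: str = "deny") -> None:
        self.matrix: Dict[Tuple[int, int], List[Rule]] = {}   # (src SGT, dst SGT) -> SGACL
        self.endpoint_sgt: Dict[str, int] = {}                 # locally connected IP -> SGT
        self.default_action = default_action                   # no cell, or no rule hit

    def bind(self, ip: str, sgt: int) -> None:
        """The Edge learns an endpoint's SGT at onboarding (e.g. from ISE), keyed by its address."""
        self.endpoint_sgt[ip] = sgt

    def set_cell(self, src_sgt: int, dst_sgt: int, rules: List[Rule]) -> None:
        self.matrix[(src_sgt, dst_sgt)] = rules

    def decide(self, src_sgt: int, dst_ip: str, proto: str, dst_port: int = 0) -> Tuple[str, str]:
        """src_sgt is read from the VXLAN/Fabric header; the policy itself never looks at IPs."""
        dst_sgt = self.endpoint_sgt.get(dst_ip)
        if dst_sgt is None:
            return ("deny", "destination is not a local endpoint")
        for rule in self.matrix.get((src_sgt, dst_sgt), []):
            if rule.matches(proto, dst_port):
                return (rule.action, f"SGT {src_sgt}->{dst_sgt} {rule.proto}/{rule.dst_port or 'any'}")
        return (self.default_action, f"SGT {src_sgt}->{dst_sgt} default")


def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed groups: 4 = Employees, 17 = Contractors, 8 = Servers (SGT numbers are made up)."""
    edge = SgaclEnforcer(default_action="deny")
    edge.bind("10.200.1.5", 8)        # a web/ssh server behind this Edge
    edge.bind("10.1.1.20", 4)         # an employee laptop behind this Edge
    edge.set_cell(4, 8, [Rule("permit")])                                         # Employees -> Servers: any
    edge.set_cell(17, 8, [Rule("deny", "tcp", 22), Rule("permit", "tcp", 443)])  # Contractors: HTTPS only
    edge.set_cell(4, 4, [Rule("permit", "icmp")])                                 # Employees may ping peers
    results = {
        "emp_ssh": edge.decide(4, "10.200.1.5", "tcp", 22),
        "con_https": edge.decide(17, "10.200.1.5", "tcp", 443),
        "con_ssh": edge.decide(17, "10.200.1.5", "tcp", 22),
        "con_emp": edge.decide(17, "10.1.1.20", "tcp", 445),     # no cell -> default deny
        "emp_ping": edge.decide(4, "10.1.1.20", "icmp"),
        "emp_smb": edge.decide(4, "10.1.1.20", "tcp", 445),      # cell exists, no hit -> default deny
    }
    edge.bind("10.200.9.9", 8)        # the server is re-addressed: same group, same outcome
    results["server_readdressed"] = edge.decide(17, "10.200.9.9", "tcp", 22)
    return results
```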


DNA Center Assurance
Transforming network operation through actionable insights and simplicity

AJ Shah
Aug 2018
Cisco DNA Center – Easy to Start with Assurance
Intent-Based Networking with Cisco DNA Center: Cisco SD-Access, Cisco DNA Center Security, Cisco DNA Center Assurance

Telemetry protocols: CLI, SNMP, PnP, NETCONF, NetFlow, SNMP, Syslog, streaming

Traditional Cisco and 3rd Party Networks: Wireless AP, Catalyst® 2000/3000, Catalyst 4000/6000, Nexus® 7000, Cisco WLC, ISR/ASR
Cisco DNA-Ready Networks: Wireless AP .11ac Wave 2, Catalyst® 3850, Catalyst 9000, IE, Catalyst WLC, ISR4K, NFV-IS
Unprecedented Demands on the Network

• Digital Disruption: 63 million new devices online every second by 2020 [1]. Lack of Business and IT Insights.
• Complexity: 3X spend on network operations vs network [2]. Slow and Error Prone Operations.
• Security: 6 months to detect breach [3]. Unconstrained Attack Surface.

1. Gartner Report - Gartner’s 2017 Strategic Roadmap for Networking
2. McKinsey Study of Network Operations for Cisco – 2016
3. Ponemon Research Institute Study on Malware Detection, Mar 2016
What is Assurance?
The guarantee that the infrastructure is doing what you intended it to do.

• Continuous verification: Configs, Changes, Routing, Security, Services, VMs, Compliance, Audits → Successful IT Rollouts
• Insights & visibility: Visibility, Context, Historical Insights, Prediction → Minimize Downtime, User Productivity
• Corrective actions: Guided Remediation, Automated Updates, System optimization → IT Productivity
Network Assurance Vision

• Learn: Surface Undetected Client, Network & Application Issues. Infrastructure Data, Sensor Data. Automate tools to discover outliers.
• Fix: Fix Real-Time Issues and Gain Insights into Historic Events. Machine Learning, Crowd Sourcing. Root cause issues in a few Clicks.
• Predict: Predict Issues before they Occur. Insights, Analytics. Build Resilient and Reliable Networks.
Overall Network Health

• Quick drill down to a site or Toggle between Geo, List or Topology View
• Where in the world and on which site most serious issues are happening
• Overall health summary of network and clients
• Top 10 Global Insights

End-to-end visibility
• Client Health Summary: Onboarding, RF and Client Profile info
• Network Health Summary: Control, Data, Policy Plane and Health info

360° Visibility
• Single location for all user information and every user device
• History of performance for each user device
• Proactive identification of any issues affecting user’s experience
• Single location for all user device related user information
• Connectivity graph with health score of all device on the path
• Application performance
• Device KPIs

Rapid Problem Resolution
Predicting the Future: Increasing 802.1X authentication time
Looking Back in Time

Encrypted Traffic Analytics TDM Presentation (Enhanced Network as a Sensor)
Technical decision maker presentation
Network threats are getting smarter

Motivated and targeted adversaries
• State sponsored
• Financial/espionage motives
• $1T cybercrime market

Increased attack surface
• BYOD blurring perimeter
• Public cloud services
• Enterprise IOT

Increased attack sophistication
• Advanced persistent threats
• Encrypted malware
• Zero-day exploits

Complexity: securing everything | Scale: too many alerts | Sophistication: Keeping up against attackers

• 200 days: Industry average detection time for a breach
• 60 days: Industry average time to contain a breach
• $3.8M: Average cost of a data breach
C97-739122-01 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Detecting encrypted threats with network telemetry

Enhanced network as a sensor
Industry’s first network with the ability to find threats in encrypted traffic without decryption
Avoid, stop, or mitigate threats faster than ever before | Real-time flow analysis for better visibility
Encrypted traffic | Non-Encrypted traffic
Secure and manage your digital network in real time, all the time, everywhere
ETA data features
Cisco research

Malware traffic (Bestafera)
• TCP/IP: Watchlist address
• DNS: c15c0.com, afb32d75.com
• TLS: Unusual fingerprint, Unusual cert, Self-Signed Certificate
• SPLT: C2 Message, Data Exfiltration

Benign traffic (Google search)
• TCP/IP: Prevalent address
• DNS: cisco.com
• TLS: Typical fingerprint, Typical cert
How can we inspect encrypted traffic?

• Initial data packet: Make the most of the unencrypted fields (e.g. Self-Signed certificate)
• Sequence of packet lengths and times: Identify the content type through the size and timing of packets (e.g. C2 message, Data exfiltration)
• Threat intelligence map: Who’s who of the Internet’s dark side. Broad behavioral information about the servers on the Internet.
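An added illustration, not part of the deck or of Cisco's ETA implementation, of the second data feature above: the Sequence of Packet Lengths and Times (SPLT) extracted in Python from two constructed flows and summarised as Markov transition matrices over binned lengths and inter-arrival times, in the style of Cisco's published ETA research. The bin widths, the number of packets kept, the sample flows and the upload-ratio summary are assumptions made here.

```python
from typing import Dict, List, Tuple

# Constructed packet records: (time_s, length_bytes, direction), +1 = client->server, -1 = server->client.
Packet = Tuple[float, int, int]

LEN_BIN_BYTES = 150     # assumed: 10 bins of 150 B cover 0..1500 B
TIME_BIN_S = 0.05       # assumed: 10 bins of 50 ms cover 0..500 ms
NBINS = 10
MAX_PKTS = 20           # assumed: only the first 20 packets of a flow are summarised


def splt(flow: List[Packet]) -> Tuple[List[int], List[float]]:
    """Sequence of Packet Lengths and Times: lengths signed by direction, plus inter-arrival times."""
    pkts = flow[:MAX_PKTS]
    lengths = [d * n for _, n, d in pkts]
    times = [0.0] + [round(pkts[i][0] - pkts[i - 1][0], 6) for i in range(1, len(pkts))]
    return lengths, times


def transition_matrix(values: List[float], width: float) -> List[List[float]]:
    """Row-normalised NBINS x NBINS Markov transition matrix over the binned sequence."""
    bins = [min(int(abs(v) // width), NBINS - 1) for v in values]
    m = [[0.0] * NBINS for _ in range(NBINS)]
    for a, b in zip(bins, bins[1:]):
        m[a][b] += 1.0
    for row in m:
        total = sum(row)
        if total:
            row[:] = [c / total for c in row]
    return m


def features(flow: List[Packet]) -> Dict[str, object]:
    """Feature vector a classifier would consume; no payload is decrypted or inspected."""
    lengths, times = splt(flow)
    up = sum(n for n in lengths if n > 0)
    down = sum(-n for n in lengths if n < 0)
    return {
        "len_matrix": transition_matrix(lengths, LEN_BIN_BYTES),
        "time_matrix": transition_matrix(times, TIME_BIN_S),
        "upload_ratio": up / (up + down) if up + down else 0.0,   # share of bytes sent by the client
        "mean_gap_s": sum(times[1:]) / max(len(times) - 1, 1),
    }


# Constructed flows (not captures): a browsing-like TLS session and an upload-heavy "exfil-like" one.
BROWSING: List[Packet] = [(0.00, 517, 1), (0.03, 1460, -1), (0.031, 1460, -1), (0.032, 900, -1),
                          (0.05, 126, 1), (0.07, 51, -1), (0.08, 450, 1), (0.12, 1460, -1),
                          (0.121, 1460, -1), (0.122, 1100, -1), (0.30, 400, 1), (0.35, 1460, -1)]
EXFIL: List[Packet] = [(0.00, 517, 1), (0.03, 1460, -1), (0.031, 300, -1), (0.05, 126, 1)] + \
                      [(0.06 + 0.002 * i, 1460, 1) for i in range(16)]


def compare() -> Dict[str, float]:
    """Upload ratios of the two constructed flows; the exfil-like one is dominated by client bytes."""
    return {"browsing": features(BROWSING)["upload_ratio"], "exfil": features(EXFIL)["upload_ratio"]}
```

The transition matrices are what ETA-style models learn from; the upload ratio is only a readable summary of the same signed-length sequence.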
Malware detection using Cognitive Analytics

Initial data packet, Sequence of packet lengths and times, and the Threat Intelligence Map feed Cloud-based machine learning.
All three elements reinforce each other inside the analytics engine using them.
Finding malicious activity in encrypted traffic

New Catalyst 9K* → Enhanced NetFlow → Cisco Stealthwatch → Cognitive Analytics
* Other devices will be supported soon
• Enhanced NetFlow: Telemetry for encrypted malware detection and cryptographic compliance
• Cisco Stealthwatch / Cognitive Analytics: Malware detection; Metadata and cryptographic compliance

• Leveraged network: Enhanced NetFlow from Cisco’s newest switches and routers
• Faster investigation: Enhanced analytics and machine learning
• Higher precision: Global-to-local knowledge correlation
• Stronger protection: Continuous Enterprise-wide compliance
SD-Access Fabric
Anycast Gateway – A Closer Look

Anycast GW provides a single L3 Default Gateway for IP capable endpoints
• Similar principle and behavior as HSRP / VRRP with a shared “Virtual” IP and MAC address
• The same Switch Virtual Interface (SVI) is present on EVERY Edge, with the same Virtual IP and MAC
• Control-Plane with Fabric Dynamic EID mapping maintains the Host to Edge relationship
• When a Host moves from Edge 1 to Edge 2, it does not need to change its Default Gateway

[Diagram] Every Edge presents the same GW towards its hosts; the Control-Plane node (C) and Border nodes (B) sit between the fabric and the Known / Unknown Networks.
