
Cisco Software-Defined Access
The Network. Intuitive.

Renzo Revilla Iglesias
Systems Engineer
January 2018

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Transform Processes and Business Models
Empower Workforce Innovations
New Customer Experiences

Connect and Secure Everything


Technology Transformations Driving the Market
Cloud, Mobility, Applications, Security

Technology Transformations Driving the Market
Cloud, IoT, Infrastructure, Cyber Security

Challenge for Enterprise IT - Doing More with Less
• Data growth
• Connected devices
• Threat surface areas
• $$$$ spent on Network Operations
• 3x more resources
• Organizations intend to be digital-ready within 2 years

An evolved world needs a network evolved.


Traditional Networks cannot meet the demands of a Digital Network
(Diagram: HQ, Branch A and Remote sites connected over the WAN, each segmented with VLAN 1, VLAN 2, VLAN 3 and ACL 1, ACL 2, ACL 3 configured per site.)
• Setting up end-to-end security
• Enabling seamless mobility
• Users, device and IoT segmentation
• Secure connectivity to the cloud
Rewriting the Networking Playbook with Intent-based Networking

“Intent-based networking systems monitor, identify and react in real time to changing network conditions”
– Gartner
Autonomous Car

“Intent-based networking is a combination of Artificial intelligence and autonomous learning”
The Enterprise Network Needs a Whole New Approach

Today’s Networks: Manual, Complex, Inefficient, Fragmented, Rigid, Opaque
Tomorrow’s Networks: Open & Software delivered, Powered by Intuition, Driven by intent, Protected by vigilance, Informed by Context

“With an IBN, the administrator determines the "what," & the system then figures out the "how."” – Zeus Kerravala
Cisco’s Intent-based Networking
Powered by Intent. Informed by Context. Learning.

DNA Center: Policy, Automation, Analytics
Intent flows down from DNA Center to the infrastructure; Context flows back up.
Intent-Based Network Infrastructure: Switching, Routers, Wireless, Security
Cisco Software-Defined Access
First Intent-Based Networking Solution

DNA Center: Policy, Automation, Analytics
• Identity-based Policy & Segmentation: decoupled security policy definition from VLAN and IP address; industry’s first policy-based automation from edge to cloud
• Automated Network Fabric: single fabric for wired & wireless with workflow-based automation (“Networking at the speed of Software!”)
• Insights & Telemetry: analytics and insights into user and application behavior
• User Mobility: policy stays with the user
• SDA-Extension: IoT Network and Employee Network


DNA Solution
• DNA Center: Simple Workflows (Design, Provision, Policy, Assurance)
• Software-Defined Access: Network Data Platform (Analytics), Network Control Platform (Automation), Identity Services Engine (Security)
• Cisco Enterprise Portfolio: Routers, Switches, Wireless AP, WLC

Adopt IoT at scale
End-to-end Segmentation

Before SDA:
• Complex segmentation of IoT and user traffic
• Chase down IP addresses for troubleshooting
• Expensive high-voltage deployments

After SDA (with DNA Center):
• Intuitive identity-based segmentation with device profiling
• Built-in visibility and granular policy control
• Optimized for low-voltage building deployments

(Diagram: DNA Center above Purpose Built Switches connecting Connected Lighting, IP Surveillance, and Users and Devices.)
Automatic Provisioning for Digital Building; Automatic Security and Policy Segmentation
SD-Access Fabric
Virtual Network – A Closer Look

Virtual Network maintains a separate Routing & Switching instance for each VN
• Control-Plane uses Instance ID to maintain separate VRF topologies (“Default” VRF is Instance ID “4097”)
• Nodes add VNID to the Fabric encapsulation
• Endpoint ID prefixes (Host Pools) are advertised within one (or more) Virtual Networks
• Uses standard “vrf definition” configuration, along with RD & RT for remote advertisement (Border Node)

(Diagram: Known Networks and Unknown Networks reached through the fabric, with Virtual Networks “A”, “B” and “C”.)
Faster onboarding of users and devices
Policy Automation

Before SDA:
• VLAN and IP address based
• Create IP-based ACLs for access policy
• Deal with policy violations and errors manually

After SDA:
• No IP address dependency for segmentation
• Define one consistent policy
• Policy follows user from Edge to Cloud

(Diagram: Employee Virtual Network with Users in Group 1 and Group 2; IoT Virtual Network with Devices in Group 3 and Group 4; Guest Virtual Network with Apps in Group 5 and Group 6; drag policy to apply.)
Completely Automated Group-Based Policy; Policy from Edge to Cloud
SD-Access Fabric
Scalable Groups – A Closer Look

Scalable Group is a logical ID object to “group” Users and / or Devices
• CTS uses “Scalable Groups” to ID and assign a unique Scalable Group Tag (SGT) to Host Pools
• Nodes add SGT to the Fabric encapsulation
• CTS SGTs used to manage address-independent “Group-Based Policies”
• Edge or Border Nodes use SGT to enforce local Scalable Group ACLs (SGACLs)

(Diagram: Known Networks and Unknown Networks, with Scalable Groups SG 1 through SG 9.)
Seamless wired and wireless access
A single network fabric

Before SDA:
• Repeated policy work for wired-wireless
• Roaming issues across L3 domains
• Chase down IP addresses for troubleshooting

After SDA (with DNA Center):
• Consistent management across wired-wireless
• Optimal traffic flows with seamless roaming
• Seamless roaming in Fabric and non-Fabric domains

(Diagram: Seamless Roam, Roam is L2, Policy stays with user.)
Wired and Wireless Consistency; Simplified Provisioning; Campus-Wide Roaming
See and Act on Threats (Now For Encrypted Traffic)

ISE (Identity Services Engine): automated policy enforcement for segmentation through SD-Access
Encrypted Traffic Analytics: NetFlow with enhanced telemetry at line rate from the Catalyst 9K Switch
Stealthwatch with Cognitive Analytics: machine learning to spot malware in encrypted traffic
• Analyze metadata without decrypting traffic flows
• Global-to-local knowledge correlation
• Automate policy and segmentation across the entire network

99% Threat Detection Accuracy*
0.01% False Positives*

*Source: Identifying Encrypted Malware Traffic with Contextual Flow Data, Oct 2016
Intent-based Networking Journey
Closing the loop with context (Intent down, Context back)

• Infrastructure Readiness: Open and Programmable
• Secure Foundation: Rapid threat detection and mitigation
• Policy Based Automation: Simplify, scale network deployment for Cloud, Mobile, IoT
• Analytics and Assurance: End-to-end view of the network with full context
• Intent-based Network: Constantly learning, adapting, protecting through data and insights

Timeline: March of ‘16 – Introduction of Digital Network Architecture. TODAY – The Network. Intuitive.: introduction of DNA Center, Catalyst 9000, ETA
CONTEXT MATTERS

Network Quality is a Complex, End-to-End Problem

Factors that affect Join/Roam, Quality/Throughput, or both*: client firmware, client density, RF noise/interference, AP coverage, WLC capacity, configuration, addressing, authentication, WAN uplink usage, WAN QoS and routing, and end-user services.
(Diagram: office site with mobile clients, APs and local WLCs; the WAN; a DC hosting network services such as DHCP, ISE, CUCM and Cisco Prime™.)

There are 100+ points of failure between user and app.
What is the problem? Where is the problem? How can I fix the problem fast?

* Both = Join/roam and quality/throughput
In This Environment, Context is Key

Cisco Context:
• 360-degree Visibility: Users, Devices, Network, Applications
• Time: Historical, Real-time, Future
• Data Granularity
• Location

Rich Context increases Business Productivity and frees up IT Time


Contextual Correlation and Property Graph

(Diagram: a property graph linking a Business Application (Finance, App ID: 18), a user (George Baker), a flow (Src IP: 1.1.1.2, 1.1.1.1, Dest IP: 2.2.2.2, Dest Port: 3600), a location (SJC-9 2nd Floor) and the Cisco DC, with problems pinpointed along the path: “Client density problem here...”, “WAN QoS problem here...”, “Forwarding problem here…”.)
Data sources: Netflow, AVC, DDI, ISE/Radius, Topology, CMX, DNAC, Device
Introducing DNA Assurance & Analytics

End-to-End Visibility:
• 360º view across network
• Historical view
• Ability to follow the network path

Proactive & Predictive Insights:
• Proactive to get ahead of the problem
• Predictive to stay ahead
• Assessment to see impact of changes

Guided Remediation:
• Today—Remediate with user input
• Future—Automated remediation

Transforming network operations through actionable insights and simplicity


End-to-end visibility – Network/Client Health
• Client Health Summary: Onboarding, RF and Client Profile info
• Network Health Summary: Control, Data, Policy Plane and Health info
End-to-end visibility – 360 views of users & devices

User 360:
• Single location for all user information and every user device
• History of performance for each user device
• Proactive identification of any issues affecting the user’s experience

Device 360:
• Single location for all user device related user information
• Connectivity graph with health score of all devices on the path
• Application performance
• Device KPIs
Insights with Guided Remediation Actions
• Detailed drill downs to identify the impact quickly
• Guided Actions to help remediate issues quickly

Proactive Insights - Sensors
• Create sensor test schedule and define the applications and test to run
• Sensor tests raise issues/insights
• Detailed results shown at the floor level
Optimized RF - Flexible Radio Assignment
• Default operating mode (5GHz Serving + 2.4GHz Serving): serve clients on both 2.4GHz and 5GHz
• Dual 5GHz Support (5GHz Serving + 5GHz Serving): both radios serving clients on 5GHz; maximum over-the-air data rate up to 5.2Gbps
• Wireless Security Monitoring (5GHz Serving + Wireless Security Monitor): scan both 2.4GHz and 5GHz for security threats; serve clients on 5GHz
• Wireless Service Assurance* (5GHz Serving + Wireless Service Assurance): proactively monitors the network performance; serve clients on 5GHz
• Enhanced Location* (5GHz Serving + Enhanced Location): improves the client location accuracy; serve clients on 5GHz

* Denotes feature availability post-FCS


Intent Based Infrastructure – Powered by IOS-XE
Rebuilt and Unified for the Digital Age
Feature Rich, Open, Programmable, Modular
Routers, Switches, Wireless


Cisco Catalyst 9000 – Built for SD-Access
Catalyst 9000 Series: 9300 – Fixed Access, 9400 – Modular Access, 9500 – Fixed Core
Converged: IOS® XE Software, SD-Access integrated, UADP 2.0 ASIC, Single Image, Common Licensing

First in enterprise:
• x86 CPU with app hosting
• Programmable ASIC
• Software patching

Industry’s unmatched:
• High Availability
• MultiGigabit density
• UPOE scale

Future-Proofed:
• IEEE 802.11ax ready
• 100W PoE (IEEE 802.3bt) ready
• 25G Ethernet ready

Security, IoT convergence, Mobility, Cloud
SD-Access Support
A single fabric for your digital ready network

Switching: Catalyst 9400 (NEW), Catalyst 9300 (NEW), Catalyst 9500 (NEW), Catalyst 4500E, Catalyst 6K, Nexus 7700, Catalyst 3850 and 3650
Routing: ASR-1000-X, ASR-1000-HX, ISR 4430, ISR 4450, CSR 1000V
Wireless: AIR-CT5520, AIR-CT8540, AIR-CT3504, Wave 2 APs (1800, 2800, 3800), Wave 1 APs (1700, 2700, 3700)
SD-Access - Product Support (Summary)

Automation & Analytics: DNA Center on the DN1-HW-APL Appliance
Identity / Access policy: ISE (2.3 recommended)
Controller (Mobility): WLC (AirOS 8.5+) – WLC5520, WLC8540, WLC8510, WLC3504
Fabric Domain (overlay): VxLAN Data Plane, LISP Control Plane

Control-Plane Nodes:
• Switching: Catalyst 9500 (16.6.2); Catalyst 6800/6500 Sup2T / 6T (IOS 15.5.1SY+); Catalyst 6880-X/6840-X; Catalyst 3850 1G/10G Fiber (IOS-XE 16.6.2)
• Routing: CSRV; Cisco ISR44XX (16.4+); Cisco ISR43XX; Cisco 4221; Cisco ASR1K; ENCS**

Border Nodes:
• Switching: Catalyst 9500 (16.6.1+); Nexus 7700 Sup2E, M3 Only (NXOS 7.3.2+); Catalyst 6800/6500 Sup2T / 6T (IOS 15.5.1SY+); Catalyst 6880-X/6840-X; Catalyst 3850 1G/10G Fiber (IOS-XE 16.6.2)
• Routing: Cisco ISR44XX (16.4+); Cisco ISR43XX; Cisco 4221; Cisco ASR1K; ENCS**

Fabric Edge Nodes: Catalyst 3650, Catalyst 3850, Catalyst 9300 Copper / Fiber (IOS-XE 16.6.2); Catalyst 4500E Sup8E/9E with 4700 cards (IOS-XE 3.10.1+)
SD-Extended Nodes: CDB (DNAC1.2), 3560-CX (DNAC1.2), IE Switches**
Fabric Intermediate: Any L3 Forwarder
Access Points: Wave1 AP*, Wave2 AP

*with Caveats  **Future
Cisco SD-Access
Delivering real outcomes today…

• 67% Network Provisioning Time Savings
• 80% Improve Issue Resolution
• 48% Reduced Security Breach Impact
• 61% Reduced Operating Expense

* Source: Internal TCO Analysis with Large Enterprise Customer (actual results may vary)
** Capex Reduction based on converging NOT Networks
