Tech Update October Rene Andersen / Ib Hansen


1 Tech Update October 2017 Rene Andersen / Ib Hansen

2 DNA Solution Cisco Enterprise Portfolio DNA Center Simple Workflows DESIGN PROVISION POLICY ASSURANCE Identity Services Engine DNA Center APIC-EM Network Data Platform Routers Switches Wireless Controllers Wireless APs

3 Key Concepts What is Software Defined Access?

5 What is SD-Access? Campus Fabric + DNA Center (Automation & Assurance)
SD-Access (Available Aug 2017): GUI approach provides automation & assurance of all Fabric configuration, management and group-based policy. Leverages DNA Center to integrate external Service Apps, to orchestrate your entire LAN, Wireless LAN and WAN access network.
Campus Fabric (Shipping Now): CLI or API form of the new overlay Fabric solution for your enterprise Campus access networks. CLI approach provides backwards compatibility and customization, Box-by-Box. API approach provides automation via NETCONF / YANG. APIC-EM, ISE, NDP are all separate.
(Diagram labels: ISE, APIC-EM, 1.X, 2.0, DNA Center, NDP)

6 Roles & Terminology What is Software Defined Access? 1. High-Level View 2. Roles & Platforms 3. Fabric Constructs

7 What is SD-Access? Fabric Roles & Terminology
DNA Controller: Enterprise SDN Controller (e.g. DNA Center) provides GUI management and abstraction via Apps that share context
Identity Services: External ID System(s) (e.g. ISE) are leveraged for dynamic Endpoint to Group mapping and Policy definition
Analytics Engine: External Data Collector(s) (e.g. NDP) are leveraged to analyze Endpoint to App flows and monitor fabric status
Control-Plane Nodes: Map System that manages Endpoint to Device relationships
Fabric Border Nodes: A Fabric device (e.g. Core) that connects External L3 network(s) to the SDA Fabric
Fabric Edge Nodes: A Fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SDA Fabric
Fabric Wireless Controller: A Fabric device (WLC) that connects Wireless Endpoints to the SDA Fabric
(Diagram also labels: Intermediate Nodes (Underlay), ISE, APIC-EM, NDP, Campus Fabric)

8 Roles & Terminology What is Software Defined Access? 1. High-Level View 2. Roles & Platforms 3. Fabric Constructs

9 SD-Access Fabric Control-Plane Nodes: A Closer Look
Control-Plane Node runs a Host Tracking Database to map location information
A simple Host Database that maps Endpoint IDs to a current Location, along with other attributes
Host Database supports multiple types of Endpoint ID lookup types (IPv4, IPv6 or MAC)
Receives Endpoint ID map registrations from Edge and/or Border Nodes for known IP prefixes
Resolves lookup requests from Edge and/or Border Nodes, to locate destination Endpoint IDs

10 SD-Access Control-Plane Platform Support Catalyst 3K Catalyst 9500 NEW Catalyst 6K ASR1K, ISR4K & CSRv Catalyst /10G SFP 10/40G NM Cards IOS-XE Catalyst /40G SFP/QSFP 10/40G NM Cards IOS-XE Catalyst 6800 Sup2T/6T 6880-X or 6840-X IOS SY+ CSRv ASR 1000-X/HX ISR 4430/4450 IOS-XE

11 SD-Access Fabric Edge Nodes: A Closer Look
Edge Node provides first-hop services for Users / Devices connected to the Fabric
Responsible for Identifying and Authenticating Endpoints (e.g. Static, 802.1X, Active Directory)
Register the specific Endpoint ID info (e.g. /32 or /128) with the Control-Plane Node(s)
Provide an Anycast L3 Gateway for connected Endpoints (same IP address on all Edge nodes)
Performs encapsulation / de-encapsulation of data traffic to and from all connected Endpoints

12 SD-Access Edge Node Platform Support NEW Catalyst 9300 Catalyst 3K Catalyst 3650/3850 1/MGIG RJ45 10/40G NM Cards IOS-XE NEW Catalyst /MGIG RJ45 10/40/mG NM Cards IOS-XE Catalyst 4K Catalyst 4500 Sup8E/9E (Uplinks) 4700 Cards (Down) IOS-XE Catalyst 9400 Catalyst 9400 Sup1E 9400 Cards IOS-XE

13 SD-Access Fabric Border Nodes: A Closer Look
Border Node is an Entry / Exit point for all data traffic going In / Out of the Fabric
There are 2 Types of Border Node!
Fabric Border: Used for Known Routes in your company!
Default Border: Used for Unknown Routes outside your company

14 SD-Access Fabric Border Nodes: A Closer Look
Fabric Border advertises Endpoints to outside, and known Subnets to inside
Connects to any known IP subnets attached to the outside network (e.g. DC, WLC, FW, etc.)
Exports all internal IP Pools to outside (as aggregate), using a traditional IP routing protocol(s).
Imports and registers (known) IP subnets from outside, into the Control-Plane Map System
Hand-off requires mapping the context (VRF & SGT) from one domain to another

15 SD-Access Fabric Border Nodes: A Closer Look
Default Border is a Gateway of Last Resort for unknown destinations
Connects to any unknown IP subnets (e.g. Internet)
Exports all internal IP Pools outside (as aggregate) into traditional IP routing protocol(s).
Does NOT import unknown routes. It is a default exit, if no other entry available in Control-Plane.
Hand-off requires mapping the context (VRF & SGT) from one domain to another

16 SD-Access Border Node Platform Support Catalyst 3K Catalyst 9500 NEW Catalyst 6K ASR1K & ISR4K Nexus 7K Catalyst /10G SFP+ 10/40G NM Cards IOS-XE Catalyst G QSFP 10/40G NM Cards IOS-XE Catalyst 6800 Sup2T/6T 6880-X or 6840-X IOS SY+ ASR 1000-X/HX ISR 4430/4450 1/10G/40G IOS-XE Nexus 7700 Sup2E M3 Cards NXOS

17 Roles & Terminology What is Software Defined Access? 1. High-Level View 2. Roles & Platforms 3. Fabric Constructs

18 SD-Access Fabric Virtual Network: A Closer Look
Virtual Network maintains a separate Routing & Switching instance for each VN
Control-Plane uses Instance ID to maintain separate VRF topologies (Default VRF is Instance ID 4097)
Nodes add VNID to the Fabric encapsulation
Endpoint ID prefixes (Host Pools) are advertised within one (or more) Virtual Networks
Uses standard vrf definition configuration, along with RD & RT for remote advertisement (Border Node)
(Diagram labels: VN A, VN B, VN C)

19 SD-Access Fabric Scalable Groups: A Closer Look
Scalable Group is a logical ID object to group Users and/or Devices
CTS uses Scalable Groups to ID and assign a unique Scalable Group Tag (SGT) to Host Pools
Nodes add SGT to the Fabric encapsulation
CTS SGTs used to manage address-independent Group-Based Policies
Edge or Border Nodes use SGT to enforce local Scalable Group ACLs (SGACLs)
(Diagram labels: SG 1 to SG 8)

20 SD-Access Fabric Host Pools: A Closer Look
Host Pool provides basic IP functions necessary for attached Endpoints
Edge Nodes use a Switch Virtual Interface (SVI), with IP Address / Mask, etc. per Host Pool
Fabric uses Dynamic EID mapping to advertise each Host Pool (per Instance ID)
Fabric Dynamic EID allows Host-specific (/32, /128, MAC) advertisement and mobility
Host Pools can be assigned Dynamically (via Host Authentication) and/or Statically (per port)
(Diagram labels: Pool 1 to Pool 9)

21 Campus Fabric Virtual Network: A Closer Look
Anycast GW provides a single L3 Default Gateway for IP capable endpoints
Similar principles and behavior as HSRP / VRRP with a shared Virtual IP and MAC address
The same Switch Virtual Interface (SVI) is present on EVERY Edge, with the same Virtual IP and MAC
Control-Plane with Fabric Dynamic EID mapping creates a Host (Endpoint) to Edge relationship
If (when) a Host moves from Edge 1 to Edge 2, it does not need to change its IP Default Gateway!

22 Fabric Fundamentals What is Campus Fabric? 1. Fabric Basics 2. Control-Plane 3. Data-Plane 4. Policy-Plane

23 SD-Access: What exactly is a Fabric?
A Fabric is an Overlay
An Overlay network is a logical topology used to virtually connect devices, built on top of some arbitrary physical Underlay topology.
An Overlay network often uses alternate forwarding attributes to provide additional services, not provided by the Underlay.
Examples of Network Overlays: GRE or mGRE, LISP, MPLS or VPLS, OTV, IPSec or DMVPN, DFA, CAPWAP, ACI

24 SD-Access Fabric Terminology Overlay Network Overlay Control Plane Encapsulation Edge Device Edge Device Hosts (End-Points) Underlay Network Underlay Control Plane 24

25 SD-Access Fabric Underlay: Manual vs. Automated
Manual Underlay: You can reuse your existing IP network as the Fabric Underlay!
Key Requirements: IP reach from Edge to Edge/Border/CP. Can be L2 or L3 (we recommend L3). Can be any IGP (we recommend ISIS).
Key Considerations: MTU (Fabric Header adds 50B). Latency (RTT of ≤ 100ms).
Automated Underlay: Prescriptive fully automated Global and IP Underlay Provisioning!
Key Requirements: Leverages standard PNP for Bootstrap. Assumes New / Erased Configuration. Uses a Global Underlay Address Pool.
Key Considerations: PNP pre-setup is required. 100% Prescriptive (No Custom).

26 Fabric Fundamentals What is Campus Fabric? 1. Fabric Basics 2. Control-Plane 3. Data-Plane 4. Policy-Plane

27 SD-Access Campus Fabric: Key Components
1. Control-Plane based on LISP
2. Data-Plane based on VXLAN
3. Policy-Plane based on CTS
Key Differences:
L2 + L3 Overlay -vs- L2 or L3 Only
Host Mobility with Anycast Gateway
Adds VRF + SGT into Data-Plane
Virtual Tunnel Endpoints (Automatic)
NO Topology Limitations (Basic IP)

28 SD-Access Fabric Key Components: LISP
1. Control-Plane based on LISP
Host Mobility:
Routing Protocols = Big Tables & More CPU, with Local L3 Gateway
LISP DB + Cache = Small Tables & Less CPU, with Anycast L3 Gateway
BEFORE: IP Address = Location + Identity (tables of Prefix / Next-hop holding Topology + Endpoint Routes)
AFTER: Separate Identity from Location (Mapping Database of Prefix / RLOC; tables of Prefix / Next-hop holding Only Local Routes)
Endpoint Routes are Consolidated to LISP DB
(Diagram legend: Topology Routes, Endpoint Routes)

29 Fabric Fundamentals What is Campus Fabric? 1. Fabric Basics 2. Control-Plane 3. Data-Plane 4. Policy-Plane

30 SD-Access Fabric Key Components: VXLAN
1. Control-Plane based on LISP
2. Data-Plane based on VXLAN
ORIGINAL PACKET: ETHERNET | IP | PAYLOAD
PACKET IN LISP: ETHERNET | IP | UDP | LISP | IP | PAYLOAD (Supports L3 Overlay)
PACKET IN VXLAN: ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD (Supports L2 & L3 Overlay)

31 VXLAN-GPO Header: MAC-in-IP with VN ID & Group ID
Underlay
Outer MAC Header: Dest. MAC (48; Next-Hop MAC Address), Source MAC (48; Src VTEP MAC Address), VLAN Type 0x (4 Bytes Optional), VLAN ID (16), Ether Type 0x
Outer IP Header: IP Header Misc. Data (72), Protocol 0x11 (UDP) (8), Header Checksum, Source IP (Src RLOC IP Address), Dest. IP (Dst RLOC IP Address)
UDP Header: Source Port (16; Hash of inner L2/L3/L4 headers of original frame. Enables entropy for ECMP load balancing.), Dest Port (UDP 4789), UDP Length, Checksum 0x
VXLAN Header: VXLAN Flags RRRRIRRR (8), Segment ID (Allows 64K possible SGTs), VN ID (Allows 16M possible VRFs), Reserved
Overlay
Inner (Original) MAC Header, Inner (Original) IP Header, Original Payload

32 Fabric Fundamentals What is Campus Fabric? 1. Fabric Basics 2. Control-Plane 3. Data-Plane 4. Policy-Plane

33 SD-Access Fabric Key Components CTS 1. Control-Plane based on LISP 2. Data-Plane based on VXLAN 3. Policy-Plane based on CTS VRF + SGT Virtual Routing & Forwarding Scalable Group Tagging ETHERNET IP UDP VXLAN ETHERNET IP PAYLOAD 3333

34 Cisco TrustSec: Simplified access control with Group Based Policy
Classification: Static or Dynamic SGT assignments
Propagation: Carry Group context through the network using only SGT
Enforcement: Group Based Policies, ACLs, Firewall Rules
DC switch receives policy for only what is connected
(Diagram labels: ISE, Campus Switch, Enterprise Backbone, DC Switch or Firewall, Shared Services, Application Servers, Employee Tag, Supplier Tag, Non-Compliant Tag, Voice, VLAN A, VLAN B)

35 Packet Flow in SD-Access Fabric: VN & SGT in VXLAN-GPO
Edge Node 1 (Encapsulation) -> IP Network -> Edge Node 2 (Decapsulation); the VXLAN header carries VN ID and SGT ID
Classification: Static or Dynamic VN and SGT assignments
Propagation: Carry VN and Group context across the network
Enforcement: Group Based Policies, ACLs, Firewall Rules
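The VXLAN-GPO header on slide 31 and the VN/SGT propagation on slide 35, as an added example that is not part of the original deck: a Python parser for the 8-byte header plus a check of captured frames against an intended VN-to-SGT design. The G flag bit follows the VXLAN Group Policy draft rather than the slide, and `audit_frame`, `EXPECTED` and the sample frames are hypothetical names and constructed data (VN 4097 and SGT 100/200 echo values used in the deck).

```python
import struct

VXLAN_UDP_PORT = 4789   # destination port shown on slide 31
FLAG_I = 0x08           # "RRRRIRRR": the VN ID field is valid
FLAG_G = 0x80           # group ID present (bit from the VXLAN-GBP draft, not on the slide)
# Outer Ethernet 14 + outer IPv4 20 + UDP 8 + VXLAN 8 = the 50 B quoted on slide 25
FABRIC_OVERHEAD = 14 + 20 + 8 + 8


class VxlanGpoError(ValueError):
    """Raised when the 8-byte VXLAN-GPO header is malformed."""


def build_vxlan_gpo(vn_id, sgt):
    """Return the 8-byte header an encapsulating node would prepend."""
    if not 0 <= vn_id < 1 << 24:
        raise VxlanGpoError("VN ID must fit in 24 bits")
    if not 0 <= sgt < 1 << 16:
        raise VxlanGpoError("SGT must fit in 16 bits")
    word1 = ((FLAG_G | FLAG_I) << 24) | sgt   # flags, 8 reserved bits, 16-bit group ID
    word2 = vn_id << 8                        # 24-bit VN ID, 8 reserved bits
    return struct.pack("!II", word1, word2)


def parse_vxlan_gpo(udp_payload):
    """Split a UDP/4789 payload into VN ID, SGT and the inner frame."""
    if len(udp_payload) < 8:
        raise VxlanGpoError("truncated VXLAN header")
    word1, word2 = struct.unpack("!II", udp_payload[:8])
    flags = word1 >> 24
    if not flags & FLAG_I:
        raise VxlanGpoError("I flag clear: VN ID is not valid")
    # Without the G flag the 16-bit field carries no group tag.
    sgt = (word1 & 0xFFFF) if flags & FLAG_G else None
    return {"vn_id": word2 >> 8, "sgt": sgt, "inner": udp_payload[8:]}


def audit_frame(udp_payload, expected):
    """Compare one captured frame with the intended segmentation design.

    `expected` maps VN ID -> set of SGTs allowed in that VN (a hypothetical
    table the operator derives from the policy design). Returns findings.
    """
    try:
        hdr = parse_vxlan_gpo(udp_payload)
    except VxlanGpoError as exc:
        return [f"malformed: {exc}"]
    findings = []
    if hdr["vn_id"] not in expected:
        findings.append(f"unknown VN ID {hdr['vn_id']}")
    elif hdr["sgt"] is None:
        findings.append("no group tag: SGACL enforcement has nothing to match")
    elif hdr["sgt"] not in expected[hdr["vn_id"]]:
        findings.append(f"SGT {hdr['sgt']} not expected in VN {hdr['vn_id']}")
    return findings


def underlay_frame_size(inner_frame_len):
    """Size on the underlay of an encapsulated frame (MTU planning)."""
    return inner_frame_len + FABRIC_OVERHEAD


# Constructed sample data: one design table and four UDP payloads.
EXPECTED = {4097: {100, 200}}
INNER = bytes(64)  # placeholder inner Ethernet frame
SAMPLES = {
    "employee": build_vxlan_gpo(4097, 100) + INNER,
    "wrong_group": build_vxlan_gpo(4097, 20) + INNER,
    "wrong_vn": build_vxlan_gpo(5000, 100) + INNER,
    "untagged": bytes.fromhex("0800000000100100") + INNER,  # plain VXLAN, no G flag
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, audit_frame(payload, EXPECTED) or "ok")
    print("underlay size for a 1500 B frame:", underlay_frame_size(1500))
```
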

36 Controller Fundamentals What is DNA Center? 1. DNAC Architecture 2. DNAC User Interface 3. DNAC Workflows

37 SD-Access DNA Center Service Components API DNA Center 1.0 API DNA Center Appliance Design Policy Provision Assurance API Cisco ISE 2.3 Identity Services Engine API Cisco APIC-EM 2.0 App Policy Infra Controller EN Module API Cisco NDP 1.0 Network Data Platform NETCONF SNMP SSH AAA RADIUS EAPoL Campus Fabric HTTPS NetFlow Syslogs Cisco Switches Cisco Routers Cisco Wireless 37

38 SD-Access Wireless: why would you care?

39 CUWN Architecture - Centralized Overview
WLC: Policy Definition and Enforcement Point for Wi-Fi clients. Single point of Ingress to wired network. Client keeps same IP address while roaming. Wireless VLANs are centrally defined.
Traditional switches: Policy Definition and Enforcement Point for wired clients.
Architecture Benefits:
Overlay: works on any wired network
Simplified Access switch configuration
Single point of Ingress for wireless traffic
Easy seamless mobility
Simplified IP addressing for wireless
Centralized Management
Easy wireless Guest tunneling solution
Customers may NOT like:
Limited scalability for East-West traffic
Separated policies for wired and wireless
Different enforcement point for wired and wireless
Lack of visibility between WLC and APs
(Diagram labels: WLC, Anchor WLC, AAA, AD, LDAP, MDM, IPAM, DNS, NTP, SMTP, DHCP, Internet, SW, DMZ, Traditional Campus, Switch 1, Switch 2, AP1, Local mode AP, SSID Employee, SSID Guest, Packet to wired, CAPWAP Control & Data, EoIP Tunnel)

40 CUWN Architecture - FlexConnect Overview
Data Center: Centralized Management for all branches. Branch: Distributed Data plane, No Controller at the branch.
Architecture Benefits:
Overlay: works on any wired network
Centralized Management / Lean IT
Branch cookie cutter configuration
Distributed data plane
Reduced hardware footprint at the branch
Built-in resiliency (WAN survivability for locally switched traffic)
Customers may NOT like:
Separated policies for wired and wireless
Different enforcement point for wired and wireless
No Layer 3 roaming support
Limited seamless roaming scope (FlexConnect Group)
Additional configuration on the access switch (trunk and allowed VLANs)
(Diagram labels: WLC, AAA, AD, LDAP, MDM, IPAM, DNS, NTP, SMTP, DHCP, SW, DMZ, WAN, Internet, Traditional switches, Flex mode AP, CAPWAP Control & Data, dot1q trunk, Branch)

41 Converged Access Architecture Overview
Switch is the Policy Enforcement for wired and wireless. For roaming, traffic is anchored back to the original switch. Guest Tunnel through the MC.
Architecture Benefits:
Distributed Data Plane: scalability
One Policy enforcement point for wired
Reduced HW footprint and less devices to manage (branch is the sweet spot)
One common software
Policies enforced at the edge
Wireless traffic visibility at the edge
Easy wireless Guest tunneling solution
Customers may NOT like:
Distributed Management plane
Multiple wireless touch points
Wired and wireless software dependencies
Anchoring solutions for seamless mobility
Support for Local mode AP only
Lack of feature parity with CUWN
(Diagram labels: MC, WLC, MA, Anchor WLC, AAA, AD, LDAP, MDM, IPAM, DNS, NTP, SMTP, DHCP, Internet, SW, DMZ, CA Network, Switch 1, Switch 2, MA Switch with Mobility Agent, Local mode AP, SSID Employee, SSID Guest, Packet to wired, CAPWAP Control & Data, MA to MA tunnels, EoIP tunnel)

42 What is the Problem? Policy Model Today Network Policy Enterprise Network QoS Security Redirect/copy Traffic engineering etc. SRC DST PAYLOAD DATA DSCP PROT IP SRC IP DST PORT PORT Policy is based on 5 Tuple Only Transitive information Survives end to end 42

43 What is the Problem? Policy Model Today Network Policy access-list 102 deny udp gt eq 2165 access-list 102 deny udp lt gt 428 access-list 102 permit ip eq gt 1511 access-list 102 deny tcp gt gt 1945 access-list 102 permit icmp lt eq 116 access-list 102 deny udp eq eq 959 access-list 102 deny tcp eq lt 4993 access-list 102 deny tcp eq lt 848 access-list 102 deny ip eq gt 4878 access-list 102 permit icmp lt eq 1216 access-list 102 deny icmp gt gt 1111 access-list 102 deny ip eq eq 4175 access-list 102 permit tcp lt gt 1462 Enterprise Network access-list 102 permit tcp gt lt 4384 SRC DST PAYLOAD DATA DSCP PROT IP SRC IP DST PORT PORT IP ADDRESSES Locate you Identify you Drive treatment Constrain you IP Address meaning OVERLOAD VLAN 20 VLAN 30 SSID D SSID C User/device info? SSID A VLAN 10 VLAN 40 SSID B 43

44 What is the Problem? User Group policy rollout - Today
Multiple Steps and Touch Points
1. Define Groups in AD
2. Define Policies: VLAN/subnet based
3. Implement VLANs/Subnets: Create VLANs. Define DHCP scope. Create subnets and L3 interfaces. Routing for new subnets. Map SSID to Interface/VLAN.
4. Implement Policy: Define ACLs. Apply ACLs.
5. Many different User Interfaces: AAA, WLC, Devices CLI
What if You Need to Add Another Group & Policy?
(Diagram labels: Production Servers, Developer Servers, LAN Core, L3 Switch, L2 Switch, Trunk, Trunks, WLAN, One SSID, AAA, DHCP, AD, BYOD, Employee, Contractor)

45 What is the Problem? User Group policy rollout - Today
Customer requirements:
Three user Groups
One single SSID
Differentiated policies per Group
Guest segmentation (wired and wireless)
Customer Policy requirements cover: Employee, BYOD, Contractor, Production Serv., Developer Serv.
Network Touch Points: L3 Switch, L2 Switch, Trunks, WLC
(Diagram labels: Production Servers, Developer Servers, LAN Core, AAA, DHCP, AD, One SSID)

46 SD-Access Wireless Architecture

47 SD-Access Fabric Architecture: Roles and Terminology
DNA Controller: Enterprise SDN Controller provides GUI management abstraction via multiple Service Apps, which share information
Group Repository: External ID Services (e.g. ISE) is leveraged for dynamic User or Device to Group mapping and policy definition
Control-Plane (CP) Node: Map System that manages Endpoint ID to Location relationships. Also known as Host Tracking DB (HTDB)
Border Nodes: A Fabric device (e.g. Core) that connects External L3 network(s) to the SDA Fabric
Edge Nodes: A Fabric device (e.g. Access or Distribution) that connects wired endpoints to the SDA Fabric
Fabric Wireless Controller: Wireless Controller (WLC) that is fabric-enabled and participates in the LISP control plane
Fabric Mode APs: Access Points that are fabric-enabled. Wireless traffic is VXLAN encapsulated at AP
(Diagram also labels: Intermediate Nodes (Underlay), ISE / AD, Fabric Mode WLC, SD-Access Fabric)

48 SD-Access Wireless Architecture Bringing the best of both architectures by... 1 Simplifying the Control & Management Plane 2 Optimizing the Data Plane 3 Integrating Policy & Segmentation E2E 48

49 SD-Access Wireless Architecture: Simplifying the Control Plane (1)
Fabric enabled WLC: WLC is part of LISP control plane
Automation: DNAC simplifies the Fabric deployment, including the wireless integration component
Centralized Wireless Control Plane: WLC still provides client session management, AP Mgmt, Mobility, RRM, etc. Same operational advantages of CUWN
LISP control plane Management: WLC integrates with LISP control plane. WLC updates the CP for wireless clients. Mobility is integrated in Fabric thanks to LISP CP
(Diagram labels: CAPWAP Cntrl plane, LISP Cntrl plane, ISE / AD, DNAC, Policy Abstraction and Configuration Automation, SD-Access Fabric)

50 SD-Access Wireless Architecture: Optimizing the Data Plane (2)
Fabric enabled WLC: WLC is part of LISP control plane
Fabric enabled AP: AP encapsulates Fabric SSID traffic in VXLAN
Automation: DNAC simplifies the Fabric deployment, including the wireless integration component
Centralized Wireless Control Plane: WLC still provides client session management, AP Mgmt, Mobility, RRM, etc. Same operational advantages of CUWN
LISP control plane Management: WLC integrates with LISP control plane. WLC updates the CP for wireless clients. Mobility is integrated in Fabric thanks to LISP CP
Optimized Distributed Data Plane: Fabric overlay with Anycast GW + Stretched subnet. VLAN extension with no complications. All roaming are Layer 2
VXLAN from the AP: Carrying hierarchical policy segmentation starting from the edge of the network
(Diagram labels: CAPWAP Cntrl plane, LISP Cntrl plane, VXLAN Data plane, ISE / AD, DNAC, Policy Abstraction and Configuration Automation, SD-Access Fabric)

51 SD-Access Wireless Architecture: Optimizing the Data Plane: Stretched subnets, A Closer Look (2)
Fabric Mode AP integrates with the VXLAN Data Plane
Wireless Data Plane is distributed across APs
Fabric mode AP is a local mode AP and needs to be directly connected to FE
CAPWAP control plane goes to the WLC using Fabric
Fabric is enabled per SSID:
For Fabric enabled SSID, AP converts traffic to and encapsulates it into VXLAN encoding VNI and SGT info of the client
Forwards client traffic based on forwarding table as programmed by the WLC. Usually VXLAN DST is first hop switch.
AP applies all wireless specific features like SSID policies, AVC, QoS, etc.
(Diagram labels: VXLAN (Data), CAPWAP Control plane)

52 SD-Access Wireless Architecture: Simplifying policy and Segmentation (3)
AP removes the header
2 AP adds the 802.3/VXLAN/underlay IP header
(Diagram: packet drawn as EID IP / payload before, and as EID IP / payload / VXLAN / UDP / underlay IP after; nodes FE A, FE B, C, B in the SD Fabric; VXLAN (Data))

53 SD-Access Wireless Architecture: Simplifying policy and Segmentation (3)
Hierarchical Segmentation:
1. Virtual Network (VN) == VRF - isolated Control Plane + Data Plane
2. Scalable Group Tag (SGT): User Group identifier
2 APs embed the Policy information in the VXLAN header and forward it
(Diagram: VXLAN header fields Client SGT and Client VRF; packet drawn as EID IP / payload / VXLAN / UDP / underlay IP; nodes FE A, FE B, C, B in the SD Fabric)

54 SD-Access Wireless Architecture: Simplifying policy and Segmentation (3)
3 FE removes the outer IP header, looks at the L2 VNID and maps it to the VLAN and L2 LISP instance. Then encapsulates to the destination FE
Client is placed in the right VRF
(Diagram: packet drawn as EID IP / payload / VXLAN / UDP / underlay IP; nodes FE A, FE B, C, B in the SD Fabric)

55 SD-Access Wireless Architecture: Simplifying policy and Segmentation (3)
4 FE removes the outer IP header, looks at the L2 VNID and maps it to the VLAN. Also looks at the SGT and applies the policy before forwarding the packet
SGT policy is applied
Client Policy is carried end to end in the overlay
(Diagram: packet drawn as EID IP / payload / VXLAN / UDP / underlay IP; nodes FE A, FE B, C, B in the SD Fabric)

56 SD-Access Wireless Benefits: User Group policy rollout
1. Define Groups in AD
2. Design and Deploy in DNA-C: Create Virtual Network for Corporate. Define Policies: Role/Group based. Apply Policies: SGT based.
Upon user authentication, Policy is automatically applied and carried end to end
(Diagram labels: Production Serv. SGT 10, Developer Serv. SGT 20, Employee SGT 100, BYOD SGT 200, Contractor SGT, Corporate VN, One SSID, Touch Point, L3 Switch, Trunk, WLC, DNA Center, LAN core, AAA, DHCP, AD; packet drawn as Fabric SRC / Fabric DST / VXN HDR with VN ID and SGT / Original packet)

57 SD-Access Wireless Benefits: User Group policy rollout
1. Define Groups in AD
2. Design and Deploy in DNA-C: Create Virtual Network for Corporate. Define Policies: Role/Group based. Apply Policies: SGT based.
Upon user authentication, Policy is automatically applied and carried end to end
(Diagram labels: IoT/HVAC Virtual Network, Guest Virtual Network, Corporate VN, Production Serv. SGT 10, Developer Serv. SGT 20, Employee SGT 100, BYOD SGT 200, Contractor SGT, One SSID, One Touch Point, L3 Switch, Trunk, WLC, DNA Center, LAN core, AAA, DHCP, AD)

58 What products make this Architecture?

59 SD-Access Fabric Wireless Platform Support 3504 WLC NEW 5520 WLC 8540 WLC Wave 2 APs *with Caveats Wave 1 APs AIR-CT3504 1G/mGig AireOS 8.5+ AIR-CT5520 No G/10G SFP+ AireOS 8.5+ AIR-CT supported 1G/10G SFP+ AireOS /2800/ ac Wave2 APs 1G/MGIG RJ45 AireOS /2700/ ac Wave1 APs* 1G RJ45 AireOS

60 SD-Access Wireless Design Considerations

61 Wireless Integration in SDA Fabric
CUWN wireless Over The Top (OTT), with Non-Fabric WLC and Non-Fabric APs:
CAPWAP for Control Plane and Data Plane
SDA Fabric is just a transport
Supported on any WLC/AP software and hardware
Migration step to full SDA
VS.
SD-Access Wireless, with Fabric enabled WLC and Fabric enabled APs:
CAPWAP Control Plane, VXLAN Data plane
WLC/APs integrated in Fabric, SD-Access advantages
Requires software upgrade (8.5+)
Optimized for ac Wave 2 APs

62 CUWN Over the Top (OTT)
Definition: Wireless OTT: this CAPWAP wireless overlay to Fabric: traditional CAPWAP deployment connected to Fabric overlay. Fabric is a transport for CAPWAP
Why wireless OTT?
Migration step: customers want/need to first migrate wired (different Ops teams managing wired and wireless, get familiar with Fabric, different buying cycles, etc.)
Longer term solution: customer doesn't want/cannot migrate to Fabric (new software, no n, wireless too critical to make changes)
(Diagram labels: CAPWAP tunnel, SD-Access Fabric, Non Fabric AP, Non Fabric WLC)

63 Key Takeaways

64 SDA for Mobility Innovate Faster with Fabric-Enabled Wireless DNA Center Software Defined Wireless Centralized management across wired-wireless Seamless L2 roam across Campus Consistent Policy for Wired/Wireless Secure Policy based Automation Optimized distributed traffic flows for future scalability Simplified enablement of Wi-Fi Services Policy stays with user Simplified Provisioning Optimized data plane with Campus-Wide Roaming Easy end to end Virtualization Wired and Wireless and Segmentation Policy Consistency 64

65 SD-Access Wireless NDP and Assurance

66 Network quality is a complex, end-to-end problem Affects Join/Roam Affects Quality/Throughput Client firmware Affects Both* WAN Uplink usage Affects Both*... Affects Quality/Throughput End-User services Affects Both* Configuration AP coverage Client density Affects Both* WLC Capacity Affects Both* Affects Quality/Throughput Affects Join/Roam WAN QoS, Routing,... Authentication RF Noise/Interf. Affects Join/Roam Addressing CUCM ISE WAN DHCP Mobile clients APs Office site Network services DC Cisco Prime Local WLCs * Both = Join/roam and quality/throughput

68 Predict performance in wireless: Components of DNA Assurance
Test your network anywhere at any time
Synthetic tests on both network and application performance across wired and wireless network provide proactive monitoring capability
- Various options: AP as a sensor, XOR radio, dedicated sensor (AP1800)
- Intelligent algorithm identifies excessive radios and transparently converts those into sensor mode without client effect
(Diagram labels: Access point, R1, AP as a sensor, Dedicated Sensor, Flexible Radio, Sensors act as clients, Real clients)

69 Wi-Fi analytics building the network intuitive Crowdsource device telemetry to enable of network Automatically correlate client and network data to provide insights Deliver resolution of issues and faster

70 Client as a sensor (IOS 10)

71 Client as a sensor (IOS 11) Sent from IOS 11 Device

72 Client as a sensor (IOS 11)

73 Key Takeaways

74 Software-Defined Access Summary: Manage Business Outcomes Instead of Managing the Network
Policy Automation: Use policy-based automated provisioning from edge to cloud.
Services Enablement: Quickly enable network services across a complete ecosystem
Network Analytics: Look at the entire network as a single entity and find problems before your users do.
Lower OpEx: DNAC automates the Design, Policy and Provision. Brownfield Integration for investment protection
Policy-based Automation. Complete Network Visibility. Fast, Easy Service Enablement

75 Thank you


Campus Fabric Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 3650 Switches) Campus Fabric Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 3650 Switches) First Published: 2017-07-31 Last Modified: 2017-11-03 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive

More information

P ART 3. Configuring the Infrastructure

P ART 3. Configuring the Infrastructure P ART 3 Configuring the Infrastructure CHAPTER 8 Summary of Configuring the Infrastructure Revised: August 7, 2013 This part of the CVD section discusses the different infrastructure components that are

More information

Cisco SD-Access Policy Driven Manageability

Cisco SD-Access Policy Driven Manageability BRKCRS-3811 Cisco SD-Access Policy Driven Manageability Victor Moreno, Distinguished Engineer Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session

More information

Cisco SD-Access Hands-on Lab

Cisco SD-Access Hands-on Lab LTRCRS-2810 Cisco SD-Access Hands-on Lab Larissa Overbey - Technical Marketing Engineer, Cisco Derek Huckaby - Technical Marketing Engineer, Cisco https://cisco.box.com/v/ltrcrs-2810-bcn2018 Password:

More information

Implementing VXLAN. Prerequisites for implementing VXLANs. Information about Implementing VXLAN

Implementing VXLAN. Prerequisites for implementing VXLANs. Information about Implementing VXLAN This module provides conceptual information for VXLAN in general and configuration information for layer 2 VXLAN on Cisco ASR 9000 Series Router. For configuration information of layer 3 VXLAN, see Implementing

More information

THE NETWORK. INTUITIVE. Powered by intent, informed by context. Rajinder Singh Product Sales Specialist - ASEAN August 2017

THE NETWORK. INTUITIVE. Powered by intent, informed by context. Rajinder Singh Product Sales Specialist - ASEAN August 2017 THE NETWORK. INTUITIVE. Powered by intent, informed by context. Rajinder Singh Product Sales Specialist - ASEAN August 2017 The Network. Intuitive. Constantly learning, adapting and protecting. L E A R

More information

Cisco Software-Defined Access

Cisco Software-Defined Access Cisco Software-Defined Access Introducing an entirely new era in networking. What if you could give time back to IT? Provide network access in minutes for any user or device to any application-without

More information

P ART 2. BYOD Design Overview

P ART 2. BYOD Design Overview P ART 2 BYOD Design Overview CHAPTER 2 Summary of Design Overview Revised: August 7, 2013 This part of the CVD describes design considerations to implement a successful BYOD solution and different deployment

More information

Configure Devices Using Converged Access Deployment Templates for Campus and Branch Networks

Configure Devices Using Converged Access Deployment Templates for Campus and Branch Networks Configure Devices Using Converged Access Deployment Templates for Campus and Branch Networks What Are Converged Access Workflows?, on page 1 Supported Cisco IOS-XE Platforms, on page 3 Prerequisites for

More information

Borderless Networks. Tom Schepers, Director Systems Engineering

Borderless Networks. Tom Schepers, Director Systems Engineering Borderless Networks Tom Schepers, Director Systems Engineering Agenda Introducing Enterprise Network Architecture Unified Access Cloud Intelligent Network & Unified Services Enterprise Networks in Action

More information

Cisco SD-Access Building the Routed Underlay

Cisco SD-Access Building the Routed Underlay Cisco SD-Access Building the Routed Underlay Rahul Kachalia Sr. Technical Leader Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the

More information

Routing Underlay and NFV Automation with DNA Center

Routing Underlay and NFV Automation with DNA Center BRKRST-1888 Routing Underlay and NFV Automation with DNA Center Prakash Rajamani, Director, Product Management Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session

More information

Enterprise. Nexus 1000V. L2/L3 Fabric WAN/PE. Customer VRF. MPLS Backbone. Service Provider Data Center-1 Customer VRF WAN/PE OTV OTV.

Enterprise. Nexus 1000V. L2/L3 Fabric WAN/PE. Customer VRF. MPLS Backbone. Service Provider Data Center-1 Customer VRF WAN/PE OTV OTV. 2 CHAPTER Cisco's Disaster Recovery as a Service (DRaaS) architecture supports virtual data centers that consist of a collection of geographically-dispersed data center locations. Since data centers are

More information

DNA SA Border Node Support

DNA SA Border Node Support Digital Network Architecture (DNA) Security Access (SA) is an Enterprise architecture that brings together multiple building blocks needed for a programmable, secure, and highly automated fabric. Secure

More information

Next Gen Enterprise Management and Operations with Cisco DNA

Next Gen Enterprise Management and Operations with Cisco DNA Next Gen Enterprise Management and Operations with Cisco DNA Ramit Kanda Director PM, Enterprise Network Transformation Prakash Rajamani Director PM, Enterprise Network Transformation BRKNMS 1601 Cisco

More information

CertKiller q

CertKiller q CertKiller.500-451.28q Number: 500-451 Passing Score: 800 Time Limit: 120 min File Version: 5.3 500-451 Cisco Unified Access Systems Engineer Exam I just passed today with 89%. My sole focus was the VCE.

More information

Network as an Enforcer (NaaE) Cisco Services. Network as an Enforcer Cisco and/or its affiliates. All rights reserved.

Network as an Enforcer (NaaE) Cisco Services. Network as an Enforcer Cisco and/or its affiliates. All rights reserved. Network as an Enforcer (NaaE) Cisco Services INTRODUCTION... 6 Overview of Network as an Enforcer... 6 Key Benefits... 6 Audience... 6 Scope... 6... 8 Guidelines and Limitations... 8 Configuring SGACL

More information

Implementing VXLAN in DataCenter

Implementing VXLAN in DataCenter Implementing VXLAN in DataCenter LTRDCT-1223 Lilian Quan Technical Marketing Engineering, INSBU Erum Frahim Technical Leader, ecats John Weston Technical Leader, ecats Why Overlays? Robust Underlay/Fabric

More information

Cisco Enterprise Silicon

Cisco Enterprise Silicon Cisco Enterprise Silicon Delivering Innovation for Advanced Routing and Switching Dave Zacks Peter Jones BRKARC-3467 Distinguished System Engineer Principal Engineer @DaveZacks @petergjones #HighBitRate

More information

Cisco SD-Access: Enterprise Networking Made Fast and Flexible. November 2017

Cisco SD-Access: Enterprise Networking Made Fast and Flexible. November 2017 Cisco SD-Access: Enterprise Networking Made Fast and Flexible November 2017 Executive Summary Enterprise networking remains a lot harder than it needs to be. For far too long, enterprises have wrestled

More information

Data Center Configuration. 1. Configuring VXLAN

Data Center Configuration. 1. Configuring VXLAN Data Center Configuration 1. 1 1.1 Overview Virtual Extensible Local Area Network (VXLAN) is a virtual Ethernet based on the physical IP (overlay) network. It is a technology that encapsulates layer 2

More information

INTRODUCTION 2 DOCUMENT USE PREREQUISITES 2

INTRODUCTION 2 DOCUMENT USE PREREQUISITES 2 Table of Contents INTRODUCTION 2 DOCUMENT USE PREREQUISITES 2 LISP MOBILITY MODES OF OPERATION/CONSUMPTION SCENARIOS 3 LISP SINGLE HOP SCENARIO 3 LISP MULTI- HOP SCENARIO 3 LISP IGP ASSIT MODE 4 LISP INTEGRATION

More information

Intelligent WAN Multiple VRFs Deployment Guide

Intelligent WAN Multiple VRFs Deployment Guide Cisco Validated design Intelligent WAN Multiple VRFs Deployment Guide September 2017 Table of Contents Table of Contents Deploying the Cisco Intelligent WAN... 1 Deploying the Cisco IWAN Multiple VRFs...

More information

Multi-site Datacenter Network Infrastructures

Multi-site Datacenter Network Infrastructures Multi-site Datacenter Network Infrastructures Petr Grygárek rek 2009 Petr Grygarek, Advanced Computer Networks Technologies 1 Why Multisite Datacenters? Resiliency against large-scale site failures (geodiversity)

More information

Cisco Virtual Networking Solution for OpenStack

Cisco Virtual Networking Solution for OpenStack Data Sheet Cisco Virtual Networking Solution for OpenStack Product Overview Extend enterprise-class networking features to OpenStack cloud environments. A reliable virtual network infrastructure that provides

More information

VXLAN Overview: Cisco Nexus 9000 Series Switches

VXLAN Overview: Cisco Nexus 9000 Series Switches White Paper VXLAN Overview: Cisco Nexus 9000 Series Switches What You Will Learn Traditional network segmentation has been provided by VLANs that are standardized under the IEEE 802.1Q group. VLANs provide

More information

Supported Platforms for Cisco Path Trace, Release x. This document describes the supported platforms for the Cisco Path Trace, Release x.

Supported Platforms for Cisco Path Trace, Release x. This document describes the supported platforms for the Cisco Path Trace, Release x. Cisco Path Trace Application for APIC-EM Supported Platforms, Release 1.5.0.x First Published: 2017-06-23, Release 1.5.0.x This document describes the supported platforms for the Cisco Path Trace, Release

More information

Identity Based Network Access

Identity Based Network Access Identity Based Network Access Identity Based Network Access - Agenda What are my issues Cisco ISE Power training What have I achieved What do I want to do What are the issues? Guest Student Staff Contractor

More information

Securing BYOD with Cisco TrustSec Security Group Firewalling

Securing BYOD with Cisco TrustSec Security Group Firewalling White Paper Securing BYOD with Cisco TrustSec Security Group Firewalling Getting Started with TrustSec What You Will Learn The bring-your-own-device (BYOD) trend can spur greater enterprise productivity

More information

Transforming the Network for the Digital Business

Transforming the Network for the Digital Business Transforming the Network for the Digital Business Driven by Software Defined Platforms Hugo Padilla Prad Enterprise Networks Digital Acceleration Team CCIE Emeritus #12444 Cisco Forum Kiev, November 14

More information

Cisco Exam Questions & Answers

Cisco Exam Questions & Answers Cisco 648-375 Exam Questions & Answers Number: 648-375 Passing Score: 800 Time Limit: 120 min File Version: 22.1 http://www.gratisexam.com/ Cisco 648-375 Exam Questions & Answers Exam Name: Cisco Express

More information

CVP Enterprise Cisco SD-WAN Retail Profile (Hybrid WAN, Segmentation, Zone-Based Firewall, Quality of Service, and Centralized Policies)

CVP Enterprise Cisco SD-WAN Retail Profile (Hybrid WAN, Segmentation, Zone-Based Firewall, Quality of Service, and Centralized Policies) CVP CVP Enterprise Cisco SD-WAN Retail Profile (Hybrid WAN, Segmentation, Zone-Based Firewall, Quality of Service, and Centralized Policies) 2018 Cisco and/or its affiliates. All rights reserved. This

More information

IP Mobility Design Considerations

IP Mobility Design Considerations CHAPTER 4 The Cisco Locator/ID Separation Protocol Technology in extended subnet mode with OTV L2 extension on the Cloud Services Router (CSR1000V) will be utilized in this DRaaS 2.0 System. This provides

More information

TrustSec (NaaS / NaaE)

TrustSec (NaaS / NaaE) TrustSec (NaaS / NaaE) per@cisco.com Security on top of the mind for our customers 60% 85% 54% of data is stolen in HOURS of point-of-sale intrusions aren t discovered for WEEKS of breaches remain undiscovered

More information

Cisco Cloud Services Router 1000V with Cisco IOS XE Software Release 3.13

Cisco Cloud Services Router 1000V with Cisco IOS XE Software Release 3.13 Q&A Cisco Cloud Services Router 1000V with Cisco IOS XE Software Release 3.13 Q. What is the Cisco Cloud Services Router 1000V? A. The Cisco Cloud Services Router 1000V (CSR 1000V) is a router in virtual

More information

Cisco TrustSec Software-Defined Segmentation Platform and Capability Matrix Release 6.3

Cisco TrustSec Software-Defined Segmentation Platform and Capability Matrix Release 6.3 TrustSec Software-Defined Segmentation Platform and Capability Matrix Release 6.3 TrustSec uniquely builds upon your existing identity-aware infrastructure by enforcing segmentation and access control

More information

Network Automation and Branch Agility The Network Helps Enable Digital Business. Rajinder Singh Product Sales Specialist June 2016

Network Automation and Branch Agility The Network Helps Enable Digital Business. Rajinder Singh Product Sales Specialist June 2016 Network Automation and Branch Agility The Network Helps Enable Digital Business Rajinder Singh Product Sales Specialist June 2016 Agenda WAN Market Drivers Cisco Intelligent WAN (IWAN) Cisco Intelligent

More information

Cisco TrustSec 4.0:How to Create Campus and Branch-Office Segmentation

Cisco TrustSec 4.0:How to Create Campus and Branch-Office Segmentation Ordering Guide TrustSec 4.0:How to Create Campus and Branch-Office Segmentation Ordering Guide November 2013 2013 and/or its affiliates. All rights reserved. This document is Public Information. Page 1

More information

2012 Cisco and/or its affiliates. All rights reserved. 1

2012 Cisco and/or its affiliates. All rights reserved. 1 2012 Cisco and/or its affiliates. All rights reserved. 1 Policy Access Control: Challenges and Architecture UA with Cisco ISE Onboarding demo (BYOD) Cisco Access Devices and Identity Security Group Access

More information

Cisco ACI Multi-Pod/Multi-Site Deployment Options Max Ardica Principal Engineer BRKACI-2003

Cisco ACI Multi-Pod/Multi-Site Deployment Options Max Ardica Principal Engineer BRKACI-2003 Cisco ACI Multi-Pod/Multi-Site Deployment Options Max Ardica Principal Engineer BRKACI-2003 Agenda ACI Introduction and Multi-Fabric Use Cases ACI Multi-Fabric Design Options ACI Stretched Fabric Overview

More information

Deploying and Administering Cisco s Digital Network Architecture (DNA) and Intelligent WAN (IWAN) (DNADDC)

Deploying and Administering Cisco s Digital Network Architecture (DNA) and Intelligent WAN (IWAN) (DNADDC) Deploying and Administering Cisco s Digital Network Architecture (DNA) and Intelligent WAN (IWAN) (DNADDC) COURSE OVERVIEW: Deploying and Administering Cisco s Digital Network Architecture (DNA) and Intelligent

More information

CCIE Wireless v3 Lab Video Series 1 Table of Contents

CCIE Wireless v3 Lab Video Series 1 Table of Contents CCIE Wireless v3 Lab Video Series 1 Table of Contents Section 1: Network Infrastructure Layer 2 Technologies VLANs VTP Layer 2 Interfaces DTP Spanning Tree- Root Election Spanning Tree- Path Control Spanning

More information

Performing Path Traces

Performing Path Traces About Path Trace, page 1 Performing a Path Trace, page 13 Collecting QoS and Interface Statistics in a Path Trace, page 15 About Path Trace With Path Trace, the controller reviews and collects network

More information

Optimizing Layer 2 DCI with OTV between Multiple VXLAN EVPN Fabrics (Multifabric)

Optimizing Layer 2 DCI with OTV between Multiple VXLAN EVPN Fabrics (Multifabric) White Paper Optimizing Layer 2 DCI with OTV between Multiple VXLAN EVPN Fabrics (Multifabric) What You Will Learn This document describes how to achieve a VXLAN EVPN multifabric design by integrating Virtual

More information

APIC-EM / EasyQoS - End to End Orchestration of QoS in Enterprise Networks

APIC-EM / EasyQoS - End to End Orchestration of QoS in Enterprise Networks APIC-EM / EasyQoS - End to End Orchestration of QoS in Enterprise Networks Saurav Prasad Technical Marketing Engineer CTHNMS-1002 Cisco Spark How Questions? Use Cisco Spark to chat with the speaker after

More information

VXLAN Design with Cisco Nexus 9300 Platform Switches

VXLAN Design with Cisco Nexus 9300 Platform Switches Guide VXLAN Design with Cisco Nexus 9300 Platform Switches Guide October 2014 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 39 Contents What

More information

Cisco Group Based Policy Platform and Capability Matrix Release 6.4

Cisco Group Based Policy Platform and Capability Matrix Release 6.4 Group d Policy Platform and Capability Matrix Release 6.4 (inclusive of TrustSec Software-Defined Segmentation) Group d Policy (also known as TrustSec Software-Defined Segmentation) uniquely builds upon

More information

Automatisierung im LAN Der Start in eine neue Ära des Networkings

Automatisierung im LAN Der Start in eine neue Ära des Networkings Automatisierung im LAN Der Start in eine neue Ära des Networkings Thomas Spiegel Consulting Systems Engineer September 2017 Cisco Disclaimer Cisco Roadmap Disclaimer. Some of the products and features

More information

PassTorrent. Pass your actual test with our latest and valid practice torrent at once

PassTorrent.   Pass your actual test with our latest and valid practice torrent at once PassTorrent http://www.passtorrent.com Pass your actual test with our latest and valid practice torrent at once Exam : 352-011 Title : Cisco Certified Design Expert Practical Exam Vendor : Cisco Version

More information

Ciprian Stroe Senior Presales Consultant, CCIE# Cisco and/or its affiliates. All rights reserved.

Ciprian Stroe Senior Presales Consultant, CCIE# Cisco and/or its affiliates. All rights reserved. Ciprian Stroe Senior Presales Consultant, CCIE#45766 2015 Cisco and/or its affiliates. All rights reserved. Complete cloud-managed networking solution Wireless, switching, security, MDM Integrated hardware,

More information

Cisco Catalyst 6500 Series Wireless LAN Services Module: Detailed Design and Implementation Guide

Cisco Catalyst 6500 Series Wireless LAN Services Module: Detailed Design and Implementation Guide Cisco Catalyst 6500 Series Wireless LAN Services Module: Detailed Design and Implementation Guide Introduction This is the first of a series of documents on the design and implementation of a wireless

More information

Ports and Interfaces. Ports. Information About Ports. Ports, page 1 Link Aggregation, page 5 Interfaces, page 10

Ports and Interfaces. Ports. Information About Ports. Ports, page 1 Link Aggregation, page 5 Interfaces, page 10 Ports, page 1 Link Aggregation, page 5 Interfaces, page 10 Ports Information About Ports A port is a physical entity that is used for connections on the Cisco WLC platform. Cisco WLCs have two types of

More information

OpenFlow: What s it Good for?

OpenFlow: What s it Good for? OpenFlow: What s it Good for? Apricot 2016 Pete Moyer pmoyer@brocade.com Principal Solutions Architect Agenda SDN & OpenFlow Refresher How we got here SDN/OF Deployment Examples Other practical use cases

More information

Cisco Software-Defined Access. Enabling Intent-based Networking

Cisco Software-Defined Access. Enabling Intent-based Networking Cisco Software-Defined Access Enabling Intent-based Networking Table of contents Preface Authors Acknowledgments Organization of this book Intended Audience Book Writing Methodology 6 7 8 9 10 11 Introduction

More information

Exam Code: Exam Code: Exam Name: Advanced Borderless Network Architecture Systems Engineer test.

Exam Code: Exam Code: Exam Name: Advanced Borderless Network Architecture Systems Engineer test. Exam Code: 700-303 Number: 700-303 Passing Score: 800 Time Limit: 120 min File Version: 41.2 http://www.gratisexam.com/ Exam Code: 700-303 Exam Name: Advanced Borderless Network Architecture Systems Engineer

More information

Segmentation. Threat Defense. Visibility

Segmentation. Threat Defense. Visibility Segmentation Threat Defense Visibility Establish boundaries: network, compute, virtual Enforce policy by functions, devices, organizations, compliance Control and prevent unauthorized access to networks,

More information

Deploying LISP Host Mobility with an Extended Subnet

Deploying LISP Host Mobility with an Extended Subnet CHAPTER 4 Deploying LISP Host Mobility with an Extended Subnet Figure 4-1 shows the Enterprise datacenter deployment topology where the 10.17.1.0/24 subnet in VLAN 1301 is extended between the West and

More information

Cisco SD-WAN and DNA-C

Cisco SD-WAN and DNA-C Cisco SD-WAN and DNA-C SD-WAN Cisco SD-WAN Intent-based networking for the branch and WAN 4x Improved application experience Better user experience Deploy applications in minutes on any platform with consistent

More information

Cisco 440X Series Wireless LAN Controllers Deployment Guide

Cisco 440X Series Wireless LAN Controllers Deployment Guide Cisco 440X Series Wireless LAN Controllers Deployment Guide Cisco customers are rapidly adopting the Cisco Unified Wireless Network architecture for next generation wireless LAN performance and advanced

More information

Introduction to External Connectivity

Introduction to External Connectivity Before you begin Ensure you know about Programmable Fabric. Conceptual information is covered in the Introduction to Cisco Programmable Fabric and Introducing Cisco Programmable Fabric (VXLAN/EVPN) chapters.

More information

TestOut Routing and Switching Pro - English 6.0.x COURSE OUTLINE. Modified

TestOut Routing and Switching Pro - English 6.0.x COURSE OUTLINE. Modified TestOut Routing and Switching Pro - English 6.0.x COURSE OUTLINE Modified 2017-07-10 TestOut Routing and Switching Pro Outline- English 6.0.x Videos: 133 (15:42:34) Demonstrations: 78 (7:22:19) Simulations:

More information

Intelligent WAN : CVU update

Intelligent WAN : CVU update Intelligent WAN : CVU update Deliver enhanced mobile experience at the branch with Intelligent WAN Soren D. Andreasen (sandreas@cisco.com) Technical Solution Architect CCIE# 3252 Agenda IWAN 2.0/2.1 overview

More information

VXLAN Deployment Use Cases and Best Practices

VXLAN Deployment Use Cases and Best Practices VXLAN Deployment Use Cases and Best Practices Azeem Suleman Solutions Architect Cisco Advanced Services Contributions Thanks to the team: Abhishek Saxena Mehak Mahajan Lilian Quan Bradley Wong Mike Herbert

More information

Cisco Integrated Services Virtual Router

Cisco Integrated Services Virtual Router Data Sheet Cisco Integrated Services Virtual Router The Cisco Integrated Services Virtual Router (ISRv) is a virtual form-factor Cisco IOS XE Software router that delivers comprehensive WAN gateway and

More information

Problem: Traditional network management tools are limited and do not address network needs

Problem: Traditional network management tools are limited and do not address network needs Data Sheet Cisco DNA Center 1.1 Closing the loop with context Cisco DNA Center is the foundational controller and analytics platform at the heart of Cisco s intent-based network. DNA Center 1.0 supported

More information

Universal Wireless Controller Configuration for Cisco Identity Services Engine. Secure Access How-To Guide Series

Universal Wireless Controller Configuration for Cisco Identity Services Engine. Secure Access How-To Guide Series Universal Wireless Controller Configuration for Cisco Identity Services Engine Secure Access How-To Guide Series Author: Hosuk Won Date: November 2015 Table of Contents Introduction... 3 What Is Cisco

More information

MP-BGP VxLAN, ACI & Demo. Brian Kvisgaard System Engineer, CCIE SP #41039 November 2017

MP-BGP VxLAN, ACI & Demo. Brian Kvisgaard System Engineer, CCIE SP #41039 November 2017 MP-BGP VxLAN, ACI & Demo Brian Kvisgaard System Engineer, CCIE SP #41039 November 2017 Datacenter solutions Programmable Fabric Classic Ethernet VxLAN-BGP EVPN standard-based Cisco DCNM Automation Modern

More information

Automating Enterprise Networks with Cisco DNA Center

Automating Enterprise Networks with Cisco DNA Center White Paper Automating Enterprise Networks with Cisco DNA Center 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 30 Contents Introduction...

More information

Choice of Segmentation and Group Based Policies for Enterprise Networks

Choice of Segmentation and Group Based Policies for Enterprise Networks Choice of Segmentation and Group Based Policies for Enterprise Networks Hari Holla Technical Marketing Engineer, Cisco ISE BRKCRS-2893 hari_holla /in/hariholla Cisco Spark How Questions? Use Cisco Spark

More information

Licenses & Networking for everybody: DNA

Licenses & Networking for everybody: DNA Licenses & Networking for everybody: DNA René Andersen Cisco DK June 8, 2018 2017 Cisco and/or its affiliates. All rights reserved. Cisco. Driving DNA subscriptions across EN DNA subscriptions available

More information

TrustSec Configuration Guides. TrustSec Capabilities on Wireless 8.4 Software-Defined Segmentation through SGACL Enforcement on Wireless Access Points

TrustSec Configuration Guides. TrustSec Capabilities on Wireless 8.4 Software-Defined Segmentation through SGACL Enforcement on Wireless Access Points TrustSec Configuration Guides TrustSec Capabilities on Wireless 8.4 Software-Defined Segmentation through SGACL Enforcement on Wireless Access Points Table of Contents TrustSec Capabilities on Wireless

More information

Configuring Application Visibility and Control

Configuring Application Visibility and Control Information About Application Visibility and Control, page 1 Restrictions for Application Visibility and Control, page 2 (GUI), page 3 (CLI), page 4 Configuring NetFlow, page 5 Information About Application

More information

Deploying Cisco Wireless Enterprise Networks

Deploying Cisco Wireless Enterprise Networks 300-365 Deploying Cisco Wireless Enterprise Networks NWExam.com SUCCESS GUIDE TO CISCO CERTIFICATION Exam Summary Syllabus Questions Table of Contents Introduction to 300-365 Exam on Deploying Cisco Wireless

More information

Network Virtualization

Network Virtualization Network Virtualization Petr Grygárek 1 Traditional Virtualization Techniques Network Virtualization Implementation of separate logical network environments (Virtual Networks, VNs) for multiple groups on

More information

Mobility Groups. Information About Mobility

Mobility Groups. Information About Mobility Information About Mobility, page 1 Information About, page 5 Prerequisites for Configuring, page 10 Configuring (GUI), page 12 Configuring (CLI), page 13 Information About Mobility Mobility, or roaming,

More information

Cisco TrustSec How-To Guide: Universal Configuration for the Cisco Wireless LAN Controller

Cisco TrustSec How-To Guide: Universal Configuration for the Cisco Wireless LAN Controller Cisco TrustSec How-To Guide: Universal Configuration for the Cisco Wireless LAN Controller For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table

More information

Policy Defined Segmentation with Cisco TrustSec

Policy Defined Segmentation with Cisco TrustSec Policy Defined Segmentation with Cisco TrustSec Session ID 18PT Rob Bleeker Consulting System Engineer CCIE #: 2926 Abstract This session will explain how TrustSec Security Group Tagging can be used to

More information

ExamTorrent. Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you

ExamTorrent.   Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you ExamTorrent http://www.examtorrent.com Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you Exam : 400-251 Title : CCIE Security Written Exam (v5.0) Vendor : Cisco Version

More information

Enterprise SD-WAN Financial Profile (Hybrid WAN, Segmentation, Quality of Service, Centralized Policies)

Enterprise SD-WAN Financial Profile (Hybrid WAN, Segmentation, Quality of Service, Centralized Policies) CVP CVP Enterprise SD-WAN Financial Profile (Hybrid WAN, Segmentation, Quality of Service, Centralized Policies) 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.

More information

Cisco Certified Network Associate ( )

Cisco Certified Network Associate ( ) Cisco Certified Network Associate (200-125) Exam Description: The Cisco Certified Network Associate (CCNA) Routing and Switching composite exam (200-125) is a 90-minute, 50 60 question assessment that

More information

Exam Questions Demo Cisco. Exam Questions

Exam Questions Demo   Cisco. Exam Questions Cisco Exam Questions 300-208 SISAS Implementing Cisco Secure Access Solutions (SISAS) Version:Demo 1. Which functionality does the Cisco ISE self-provisioning flow provide? A. It provides support for native

More information

Converged Access CT 5760 AVC Deployment Guide, Cisco IOS XE Release 3.3

Converged Access CT 5760 AVC Deployment Guide, Cisco IOS XE Release 3.3 Converged Access CT 5760 AVC Deployment Guide, Cisco IOS XE Release 3.3 Last Updated: November, 2013 Introduction This guide is designed to help you deploy and monitor new features introduced in the IOS

More information

Architecting Network for Branch Offices with Cisco Unified Wireless

Architecting Network for Branch Offices with Cisco Unified Wireless Architecting Network for Branch Offices with Cisco Unified Wireless Karan Sheth - Sr. Technical Marketing Engineer Objective Design & Deploy Branch Network That Increases Business Resiliency 2 Agenda Learn

More information