Cisco SD-Access Policy Driven Manageability



2 BRKCRS-3811 Cisco SD-Access Policy Driven Manageability Victor Moreno, Distinguished Engineer

3 Cisco Spark. How? Questions? Use Cisco Spark to communicate with the speaker after the session: 1. Find this session in the Cisco Live Mobile App. 2. Click Join the Discussion. 3. Install Spark or go directly to the space. 4. Enter messages/questions in the space. cs.co/ciscolivebot#brkcrs. Cisco and/or its affiliates. All rights reserved. Cisco Public

4 Agenda: Introduction; SD-Access Fundamentals; Policy in SD-Access; Cross Domain Policy Federation; Conclusion

5 Cisco's Intent-based Networking. DNA Center: The Network. Intuitive. Learning, Policy, Automation, Analytics. Powered by Intent. Informed by Context. Intent and Context flow between DNA Center and the Network Infrastructure (Switching, Routers, Wireless, Security).

6 Software Defined Access: Policy, Automation and Assurance for an Intent-based Network Infrastructure. DNA Center (Learning, Intent, Context): Policy, Automation, Analytics. Intent-based Network Infrastructure: Branch, WAN, Campus Fabric (Fabric Control, Wireless Control, Security); Wired + Wireless: Mobility, Segmentation, Scale.

7 Software Defined Access, Cisco Live Barcelona - Session Map. Missed one? Sessions are available at CiscoLive.com. You are here: BRKCRS-3811 Policy Management. Sessions run Tuesday (Jan 30) to Friday (Feb 02) in the 08:00-11:00, 11:00-13:00, 13:00-15:00 and 15:00-18:00 slots: BRKEWN-2021 SDA Wireless Setup; BRKEWN-2020 Wireless Overview; BRKDCN-2489 DC Integration; BRKCRS-3811 Policy Management; BRKCRS-2810 Solution Overview; BRKCRS-2816 Routed Underlay; BRKCRS-2814 Assurance; BRKCRS-2811 External Connect; BRKCRS-2815 Design & Scale; BRKCRS-2812 Migration; LTRCRS-2810 (1) Hands-On Lab; LTRCRS-2810 (2) Hands-On Lab.

8 SD-Access Fundamentals

9 SD-Access Fabric Roles & Terminology. DNA Controller: Enterprise SDN Controller (e.g. DNA Center) provides GUI management and abstraction via Apps that share context. Identity Services: dynamic Endpoint to Group mapping and Policy definition. Analytics Engine: assurance and analysis of Endpoint to App flows, and monitoring of fabric status. Control Plane Nodes: map system that manages Endpoint to Device relationships. Fabric Border Nodes: a fabric device (e.g. Core) that connects external L3 network(s) to the SD-Access Fabric. Fabric Edge Nodes: a fabric device (e.g. Access or Distribution) that connects wired endpoints to the SD-Access Fabric. Fabric Wireless Controller: a fabric device (WLC) that connects wireless endpoints to the SD-Access Fabric. Intermediate Nodes (Underlay).

10 Overlay Virtual Networks: Control and Data Plane Separation. Overlay Virtual Networks: a logical topology used to virtually connect devices, built on top of a physical Underlay topology. An Overlay network often uses alternate forwarding attributes to provide additional services not provided by the Underlay. Diagram layers: Overlay Control Plane, Encapsulation, Edge Devices, Underlay Network, Underlay Control Plane, Hosts (end-points).

11 SD-Access Macro Segmentation. Virtual Network (VN): first-level segmentation that ensures zero communication between specific groups. Ability to consolidate multiple networks into one management plane. Example VNs: Building Management VN, Campus Users VN.

12 SD-Access Micro Segmentation. Scalable Group (SG): second-level segmentation that ensures role-based access control between two groups within a Virtual Network. Provides the ability to segment the network into either lines of business or functional blocks. Example: Finance SG and Employee SG within the Campus Users VN, alongside the Building Management VN.

13 Fabric Enabled Segmentation. Packet layout: Outer/Transport IP-UDP Header | VXLAN Header | Original IP Packet or L2 Frame. The outer header is forwarded by the Underlay Network; the VXLAN header carries the Virtual Network Identifier (24 bits) for the Virtual Networks and the Group Policy Identifier (16 bits) for the group.

14 Micro-segmentation Enforcement: Ingress Classification with Egress Enforcement. Ingress (Catalyst 3k/4k/6k/9k or WLC5508): user authenticated = classified as Marketing (5); frames cross the Enterprise Backbone carrying SRC, DST, SGT: 5. Egress (Catalyst/ISR/Nexus): FIB lookup = destination MAC = SGT 20; destination classification CRM: SGT 20, Web: SGT 30. Egress Enforcement (SGACL) matrix: Marketing (5) to CRM (20): Permit, to Web (30): Deny; BYOD (7) to CRM (20): Deny, to Web (30): Permit.
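The VXLAN header fields from slide 13 and the egress SGACL lookup from slide 14, as an added Python example (not code from the presentation or from Cisco): it packs and parses the 8-byte VXLAN Group Policy header (G and I flag bits, 16-bit Group Policy ID, 24-bit VNI, per the VXLAN-GBP draft layout) and then applies the slide's Marketing/BYOD versus CRM/Web matrix at the egress node. The destination IP-to-SGT bindings, the sample packets, the instance-id 4098 used as a VNI, and the choice to deny any source/destination pair the matrix does not list are constructed assumptions for the example.

```python
import struct

# VXLAN-GBP header, 8 bytes (VXLAN Group Policy draft layout):
#   byte 0   : flags; G (0x80) = Group Policy ID valid, I (0x08) = VNI valid
#   byte 1   : D (0x40) don't-learn, A (0x08) policy-applied, rest reserved
#   bytes 2-3: Group Policy ID (16 bits) = Scalable Group Tag of the source
#   bytes 4-6: VXLAN Network Identifier (24 bits) = Virtual Network
#   byte 7   : reserved
FLAG_G = 0x80
FLAG_I = 0x08
HDR_LEN = 8


def build_vxlan_gbp(vni: int, sgt: int) -> bytes:
    """Encode a VXLAN-GBP header with both the VNI and the Group Policy ID set."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    if not 0 <= sgt < (1 << 16):
        raise ValueError("SGT must fit in 16 bits")
    # VNI occupies the high 24 bits of the last 32-bit word; low byte is reserved
    return struct.pack("!BBHI", FLAG_G | FLAG_I, 0, sgt, vni << 8)


def parse_vxlan_gbp(hdr: bytes) -> dict:
    """Decode the VNI and SGT; SGT is None when the G bit says it is absent."""
    if len(hdr) < HDR_LEN:
        raise ValueError("truncated VXLAN header")
    flags, _reserved, gpid, vni_and_rsvd = struct.unpack("!BBHI", hdr[:HDR_LEN])
    if not flags & FLAG_I:
        raise ValueError("I bit clear: VNI field not valid")
    return {"vni": vni_and_rsvd >> 8, "sgt": gpid if flags & FLAG_G else None}


# Group names and the SGACL matrix exactly as drawn on slide 14.
SGT_NAMES = {0: "Unknown", 5: "Marketing", 7: "BYOD", 20: "CRM", 30: "Web"}
SGACL = {
    (5, 20): "permit", (5, 30): "deny",
    (7, 20): "deny",   (7, 30): "permit",
}

# Constructed: destination classification learnt at the egress node (FIB lookup -> SGT).
DEST_SGT = {"10.1.20.10": 20, "10.1.30.10": 30}


def egress_decision(hdr: bytes, dst_ip: str, default: str = "deny") -> str:
    """Egress enforcement: source SGT from the header, destination SGT from the binding table."""
    pkt = parse_vxlan_gbp(hdr)
    src_sgt = 0 if pkt["sgt"] is None else pkt["sgt"]   # untagged -> SGT 0 (Unknown)
    dst_sgt = DEST_SGT.get(dst_ip)
    if dst_sgt is None:
        return default                                   # unclassified destination
    return SGACL.get((src_sgt, dst_sgt), default)        # unlisted cell -> assumed default


def enforce_all(flows):
    """Apply egress_decision to (header, dst_ip) pairs; returns (src, dst, action) tuples."""
    out = []
    for hdr, dst_ip in flows:
        pkt = parse_vxlan_gbp(hdr)
        src = SGT_NAMES.get(0 if pkt["sgt"] is None else pkt["sgt"], "?")
        dst = SGT_NAMES.get(DEST_SGT.get(dst_ip, 0), "?")
        out.append((src, dst, egress_decision(hdr, dst_ip)))
    return out


if __name__ == "__main__":
    VNI = 4098  # constructed: the instance-id shown on the Virtual Network Rollout slide
    flows = [
        (build_vxlan_gbp(VNI, 5), "10.1.20.10"),   # Marketing -> CRM
        (build_vxlan_gbp(VNI, 5), "10.1.30.10"),   # Marketing -> Web
        (build_vxlan_gbp(VNI, 7), "10.1.30.10"),   # BYOD -> Web
        (struct.pack("!BBHI", FLAG_I, 0, 0, VNI << 8), "10.1.20.10"),  # untagged
    ]
    for src, dst, action in enforce_all(flows):
        print(f"{src:>9} -> {dst:<4}: {action}")
```

The parser refuses a header whose I bit is clear and ignores the Group Policy ID unless the G bit is set, so a frame that lost its tag on a non-GBP hop is treated as SGT 0 rather than as whatever stale bytes sit in that field; that is the check a verifier of "was the tag preserved end to end" (slide 13 versus the plain-Ethernet hand-off discussed later in the deck) actually needs.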

15 Policy in SD-Access

16 Policy types. Access Policy (Authentication/Authorization): who goes in which group, based on which criteria; authentication methods. Access Control Policy: who can access what; rules for cross-group access; permit group to app; permit group to group. Application Policy: traffic treatment; QoS for Application; Path Optimization; Application compression; Application caching.

17 User/Device Groups & Virtual Networks. Users/Devices (users, things) are mapped to groups by Identity Services / AAA; DNA Center maps groups to virtual networks (Virtual Network 1, Virtual Network 2).

18 Access Policy in SD-Access Authentication and Authorization

19 Access Policy: Authentication and Authorization. Who goes in which group, based on which criteria. Authentication methods: 802.1X / MAB / Easy Connect / WebAuth.

20 Authentication - Identity Store Integrations. Cisco ISE validates endpoints via external identity sources.

21 Authentication - MAC Authentication Bypass (MAB). Endpoints without a supplicant will fail 802.1X authentication! Bypassing known MAC addresses: with 802.1X the Network Device sends EAP: What's your Id? to the endpoint; after the 802.1X timeout (no 802.1X response) it falls back to MAB: any packet from the endpoint triggers a request to Cisco ISE with User: AA-1F-38 (the MAC address), answered with ACCESS-ACCEPT.

22 Authentication 802.1X. Roles: Endpoint (Supplicant) with credentials (Certificate / Password / Token); Network Device (Authenticator); Cisco ISE (Authentication Server); Active Directory (Identity Store). EAP runs over 802.1X between supplicant and authenticator and over RADIUS between authenticator and ISE. RADIUS: ACCESS-REQUEST, Service-Type: Framed, carrying EAP: EAP-Response-Identity. EAP: Extensible Authentication Protocol. Supplicant: software running on the client that provides credentials to the authenticator (Network Device).

23 Authentication 802.1X (continued). Endpoint (Supplicant), Network Device (Authenticator), Cisco ISE (Authentication Server), Active Directory (Identity Store). RADIUS: ACCESS-ACCEPT with EAP: EAP-Success puts the port in Port-Authorized; Port-Unauthorized if authentication fails. EAP: Extensible Authentication Protocol. Supplicant: software running on the client that provides credentials to the authenticator (Network Device).

24 Authentication - Easy Connect. DOMAIN\bob logs in (Bob logged in) at the Domain Controller (DHCP, NTP, DNS, AD); ISE retrieves the user-id and the user's AD membership and issues a CoA: Limited to Full Access. Groups: Unknown = Limited Access; Employees = Full Access. No 802.1X is required on SWITCH-1 in the Enterprise Network. Benefits: immediate value; leverages existing infrastructure; increased visibility into active network sessions; flexible deployment that co-operates with other auth methods.

25 Authentication - Central Web Authentication (CWA). Sequence between Endpoint, Network Device, Cisco ISE and the Network: initial packet to Google.com; MAB request; initial AuthZ = Limited Access ACL + URL-Redirect to ISE ("Got your MAC, need your ID alice..."); ISE login page; username + password; CoA; Full Access ACL.

26 Authentication - Policy. Endpoint policy inputs: RADIUS Attributes (Service type, NAS IP, Username, SSID); EAP Types (EAP-FAST, EAP-Chaining, EAP-TLS, PEAP, host lookup, etc.); Identity Source (Internal/Certificate, Active Directory, LDAPv3, RADIUS, Identity Sequence). Authentication Options: 802.1X / MAB / Any Connect / WebAuth.

27 Authentication - Network Template Application (MAB, MAB, 802.1x, EasyConnect against Cisco ISE). Interface template:
interface GigabitEthernet1/0/3
 description Client Wired-2
 switchport mode access
 switchport voice vlan 4000
 device-tracking attach-policy IPDT_MAX_10
 authentication control-direction in
 authentication event server dead action authorize vlan 3999
 authentication event server dead action authorize voice
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server dynamic
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
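The 802.1X-then-MAB sequence from slides 21 to 23, with the timers and fallbacks taken from the interface template above, as an added Python simulation (not Cisco code and not ISE's policy engine): the authenticator sends EAP-Request/Identity, falls back to MAB with the MAC address as the RADIUS username when no supplicant answers, keeps the port unauthorized on ACCESS-REJECT, and authorizes into the critical VLAN 3999 when the server is dead. FakeAuthServer, the endpoint identities and MAC values, the VN_Campus name, and the assumption that dot1x retries the identity request twice (the IOS default for max-reauth-req) before moving on are constructed for this example; a rejected 802.1X attempt does not fall through to MAB here because the template carries no "authentication event fail action next-method" line.

```python
from dataclasses import dataclass, field
from typing import Optional

# Values taken from the interface template on the slide
TX_PERIOD = 10            # dot1x timeout tx-period 10: seconds between EAP-Request/Identity retries
CRITICAL_VLAN = 3999      # authentication event server dead action authorize vlan 3999
ORDER = ("dot1x", "mab")  # authentication order dot1x mab
MAX_REAUTH_REQ = 2        # assumption: IOS default dot1x max-reauth-req (identity retries)


@dataclass
class Endpoint:
    mac: str
    has_supplicant: bool            # no supplicant -> never answers EAP-Request/Identity
    identity: Optional[str] = None  # EAP-Response/Identity value
    credential_ok: bool = False     # whether the certificate/password/token would verify


@dataclass
class RadiusResult:
    code: str                       # "ACCESS-ACCEPT", "ACCESS-REJECT" or "TIMEOUT" (server dead)
    vn: Optional[str] = None        # authorization result: Virtual Network
    sgt: Optional[int] = None       # authorization result: Scalable Group Tag


class FakeAuthServer:
    """Constructed stand-in for Cisco ISE: two lookup tables and an alive flag."""

    def __init__(self, users, mab_macs, alive=True):
        self.users = users          # identity -> (vn, sgt) for valid 802.1X credentials
        self.mab_macs = mab_macs    # known MAC -> (vn, sgt) for MAB
        self.alive = alive

    def access_request(self, method, identity, credential_ok=False) -> RadiusResult:
        if not self.alive:
            return RadiusResult("TIMEOUT")
        if method == "dot1x" and credential_ok and identity in self.users:
            return RadiusResult("ACCESS-ACCEPT", *self.users[identity])
        if method == "mab" and identity in self.mab_macs:
            return RadiusResult("ACCESS-ACCEPT", *self.mab_macs[identity])
        return RadiusResult("ACCESS-REJECT")


@dataclass
class PortState:
    authorized: bool                # authentication port-control auto: False until an accept
    vlan: Optional[int] = None      # only set for the server-dead critical VLAN
    vn: Optional[str] = None
    sgt: Optional[int] = None
    method: Optional[str] = None
    elapsed: int = 0                # simulated seconds spent before the decision
    log: list = field(default_factory=list)


def authenticate_port(ep: Endpoint, server: FakeAuthServer, order=ORDER) -> PortState:
    """Run the authenticator's method list once for a newly linked endpoint."""
    state = PortState(authorized=False)
    for method in order:
        if method == "dot1x":
            if not ep.has_supplicant:
                # MAX_REAUTH_REQ + 1 EAP-Request/Identity frames go unanswered, tx-period apart
                state.elapsed += (MAX_REAUTH_REQ + 1) * TX_PERIOD
                state.log.append(f"dot1x: no EAP-Response/Identity after {state.elapsed}s, next method")
                continue
            state.log.append(f"dot1x: EAP-Response/Identity {ep.identity}")
            result = server.access_request("dot1x", ep.identity, ep.credential_ok)
        else:
            # MAB: any packet from the endpoint -> Access-Request with the MAC as the username
            state.log.append(f"mab: Access-Request User={ep.mac}")
            result = server.access_request("mab", ep.mac)
        state.log.append(f"{method}: {result.code}")
        if result.code == "TIMEOUT":
            # server dead -> authorize into the critical VLAN with no ISE authorization result
            return PortState(True, vlan=CRITICAL_VLAN, method=method,
                             elapsed=state.elapsed, log=state.log)
        if result.code == "ACCESS-ACCEPT":
            return PortState(True, vn=result.vn, sgt=result.sgt, method=method,
                             elapsed=state.elapsed, log=state.log)
        return state  # ACCESS-REJECT: port stays unauthorized (slide 23)
    return state      # every method exhausted without an answer: still unauthorized


if __name__ == "__main__":
    ise = FakeAuthServer({"bob": ("VN_Campus", 5)}, {"aa-1f-38-00-00-01": ("VN_IoT", 9)})
    for ep in (Endpoint("00-11-22-33-44-55", True, "bob", True),
               Endpoint("aa-1f-38-00-00-01", False),
               Endpoint("de-ad-be-ef-00-01", False)):
        st = authenticate_port(ep, ise)
        print(ep.mac, "authorized" if st.authorized else "unauthorized", st.vn, st.sgt, st.log)
```

The elapsed counter makes the cost of the template visible: a printer with no supplicant spends (max-reauth-req + 1) times tx-period, thirty seconds with these values, before MAB even starts, which is why the slide's template lowers tx-period to 10. The critical-VLAN branch is the part worth auditing, since an endpoint admitted that way carries no VN or SGT from ISE and therefore no SGACL policy.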

28 SD-Access Policy Authorization. Identity Services Engine / AAA combines inputs about users and things: Credentials, Posture, Profiling, SIEM, Identity (e.g. Active Directory), CASB (via pxGrid), Location, Behavior Analytics, Vulnerability. The result is Scalable Groups, consumed by DNA-Center.

29 Authorization Policy. Endpoint Policies for 802.1X / MAB / Easy Connect / CWA: Authorization Condition(s) select Authorization Profile(s).

30 Authorization Profiles - VLAN Name = IP Subnet & VN Name (example: VN_IoT).

31 ISE authorization for VN assignment. Authorization Result = Virtual Network (example: Identity Services places the endpoint in VN_IoT).

32 ISE authorization for VN and SGT assignment. Authorization Result = Virtual Network + SGT: Identity Services places Users/Devices in a Virtual Network (example: VN_IoT) and assigns a Scalable Group Tag.

33 Authorization Policy - Authorization Profiles (screenshot): profile for VN_IoT with SGT IoT_Devices.

34 SD-Access Users and Devices: Group Registry. Registry of Groups created in different domains.

35 SD-Access Users and Devices: Custom Groups. Custom groups may be created in the registry.

36 Access Control Policy in SD-Access

37 Access Control Policy: who can access what. Rules for cross-group access: permit group to app, permit group to group. Source ("Who are you?"): Employee, Contractor, identified by certificates or passwords (alice *****). Destination ("What can you access?"): Network Access, Protected Servers, Shared Services, Public Network, DB.

38 SD-Access Micro-segmentation. Identity Services Engine (ISE) enabled AAA: ISE authenticates network devices for a trusted domain. SGT & SGT names are centrally defined; example Scalable Group Tags: 3: Employee, 4: Contractors, 8: PCI_Servers, 9: App_Servers. SGACL name table: the policy matrix (sources = endpoint ID groups, destinations) to be pushed down to the network devices. ISE dynamically authenticates endpoint users and devices and assigns SGTs: dynamic SGT assignment (MAB, 802.1x, Easy Connect) or static SGT assignment; the diagram also shows Rogue Device(s).

39 Micro-segmentation Enforcement: Ingress Classification with Egress Enforcement (slide 14 repeated). Ingress (Catalyst 3k/4k/6k/9k or WLC5508): user authenticated = classified as Marketing (5); frames cross the Enterprise Backbone carrying SRC, DST, SGT: 5. Egress (Catalyst/ISR/Nexus): FIB lookup = destination MAC = SGT 20; destination classification CRM: SGT 20, Web: SGT 30. Egress Enforcement (SGACL) matrix: Marketing (5) to CRM (20): Permit, to Web (30): Deny; BYOD (7) to CRM (20): Deny, to Web (30): Permit.

40 Cisco DNA Center: Single Pane of Glass across the Enterprise. DNA Center Network Controller: Identity, Context and Security Policy; Network Provisioning; Analytics and Assurance. Provision, Monitor, Troubleshoot across Wireless, LAN, WAN, Cloud, Remote Access.

41 ISE and DNA-C integration for Policy Automation. Cisco Identity Services Engine (Authentication and Authorization Policies; Groups and Policies) and Cisco DNA Center (Fabric Management, Policy Authoring, Workflows) are linked by pxGrid and REST APIs, and both act on the Campus Fabric.

42 Communication channels for integration between DNA-Center and ISE. SSH (22/TCP, SSH service): to establish the trust relationship. REST (443/TCP, ERS read/write): to program ISE. pxGrid* service: pxGrid context & TrustSec metadata. * 5222/TCP, 7400/TCP, 8910/TCP, 12001/TCP, details:

43 Virtual Network Rollout: Virtual Network Segmentation pushed by Cisco DNA Center over SSH. Border node configuration:
eid-table vrf Campus instance-id 4098
 ipv4 route-export site-registrations
 ipv4 distance site-registrations 250
 ipv4 map-cache site-registration
exit
Edge node configuration:
instance-id 4098
 service ipv4
  eid-table vrf Campus
 exit-service-ipv4
!
exit-instance-id

44 Scalable Groups Assignment to VNs. A Scalable Group is assigned to a single VN (Virtual Network 1, Virtual Network 2, Virtual Network 3).


46 SD-Access Access Control Policies. Source (VN-X) -> Contract -> Destination (VN-Y). Contract GREEN: Classifier (Port Number, IP Address, Application Type); Action (Permit, Deny). FCS: all groups in a Policy must belong to the same Virtual Network.

47 Scalable Group Policy rollout. Fabric Policies in Cisco DNA Center: Source Employees, Contract PERMIT, Destination Production. Groups: Employees, Contractors, Production, Development. DNA Center programs Cisco ISE through its API; the policy is downloaded to the Fabric Nodes.

48 SD-Access Policy Authoring

49 SD-Access Policy Authoring - Access Contracts

50 SD-Access Policy List View

51 SD-Access Policy Matrix View

52 Application Policy in SD-Access

53 Application Policy - QoS. Application Policy: traffic treatment; QoS for Application; Path Optimization; Application compression; Application caching. The Application Registry in DNAC holds App X, App Y, App Z with 3 Treatment Profiles and normalizes QoS diversity across platforms. Application X: IP-Prefix / URL = x.x.x.x /24, UDP/TCP Ports = . Application Y: IP-Prefix / URL = y.y.y.y /22, UDP/TCP Ports = 80. Platforms: Polaris (3K), IOS-XE (4K), IOS (6K), NX-OS (N7K), AireOS; Catalyst 3650/3850, Catalyst 9300/9400/9500, Catalyst 4500 (Sup8E), Catalyst 6500/6800, Nexus 7700 (M3), WLC 5500/8500.

54 SD-Access Application Definition. An application is defined by its end-points (Application Name; End-point addresses: IP/URL/Source-Group) and its classifiers (TCP/UDP port numbers, DSCP). Implicit Policy: Traffic Class, Path Preference.

55 SD-Access Application Registry. Each registry entry holds an application's classifiers and end-points. Sources: AVC/NBAR; ACI; DNS-AS; other repositories of application information; Custom Application Configuration.

56 SD-Access Application Registry - Applications

57 SD-Access Application Registry - Applications

58 SD-Access Application Registry - Application Sets

59 Solicit Application Business-Relevance. Relevant: these applications directly support business objectives; applications should be classified and marked according to RFC 4594-based rules. Default: these applications may or may not support business objectives (e.g. HTTP/HTTPS); alternatively, the administrator may not know the application (or how it is being used in the org); applications in this class should be marked DF and provisioned with a default best-effort service (RFC 2474). Irrelevant: these applications are known and do not directly support any business objectives; this class includes all personal/consumer applications; applications in this class should be marked CS1 and provisioned with a less-than-best-effort service (RFC 3662).

60 SD-Access Application Policy

61 Application Policy

62 Application Policy

63 SD-Access Application Policy

64 SD-Access Application Policy

65 SD-Access Application Policy

66 Application Policy - Traffic Copy. Traffic Copy Policy: mirror traffic (ERSPAN) for a specific endpoint and traffic, here Employee 1 at the Edge Switch towards the Finance Servers. Destination side (border):
monitor session 1 type erspan-destination
 destination interface Gi0/2/2
 source
  erspan-id 1
  ip address
Source side (edge switch):
ip access-list extended erspan-session-1
 permit ip any
monitor session 1 type erspan-source
 source interface Gi1/0/4
 filter ip access-group erspan-session-1
 destination
  erspan-id 1
  ip address
  ip ttl 32
  origin ip address

67 Traffic Copy Policy: mirror traffic (ERSPAN) for a specific endpoint and traffic, from Employee 1 at the Edge Switch towards the Finance Servers.

68 Policy End-to-end

69 Unified Policy Language across Domains. Policy Element/Object Exchange: consumer (Web Users) -> Contract -> provider (Web Servers). Contract: allow only web traffic in/out; sessions must be logged; violations must be inspected. Domains and owners: Access Domain (Campus/Branch/WAN), Network Operator; Security Domain, Security Operator; Data Center A and Data Center B, Network Operator.

70 Federated Identity: Cross Domain Group awareness / Independent Policy. User-App: Application Prioritization; User to App Contracts (DNA-Center, Web, DB). User-User: Access Control SG-ACL (ISE). App to App Contracts: Web1 QoS Service, App1 QoS Filter, DB, SaaS/IaaS. DNA-Center and ISE exchange Policy Groups (Web, DB).

71 Multi-domain Identity Exchange. Campus access list shown on the slide:
access-list 102 deny udp gt eq 2165
access-list 102 deny udp lt gt 428
access-list 102 permit ip eq gt 1511
access-list 102 deny tcp gt gt 1945
access-list 102 permit icmp lt eq 116
access-list 102 deny udp eq eq 959
access-list 102 deny tcp eq lt 4993
access-list 102 deny tcp eq lt 848
access-list 102 deny ip eq gt 4878
access-list 102 permit icmp lt eq 1216
access-list 102 deny icmp gt gt 1111
access-list 102 deny ip eq eq 4175
access-list 102 permit tcp lt gt 1462
access-list 102 permit tcp gt lt 4384
Diagram elements: Wireless Control, WAN, ACI Fabric, Fabric Control, Campus, Firewall, Border Leafs; pxGrid carries Groups+IP (Web) to DNA-Center.

72 Network + Host Based Segmentation. Users and things in the Access Network: enforce at the Network Edge. Applications (e.g. Web) in the Data Center: enforce at a Segmentation Agent. Enforcement footprint will vary.

73 Integration with Policy Orchestrators: centralization of policy, visibility & compliance, automatic provisioning across Cloud and Campus / Branch. SD-Access Policy Domain: ISE, SD-Access Fabric, Cisco Firewall. APIC Policy Domain: APIC, ACI Fabric, 3rd party Firewall. Employee in the SD-Access Fabric reaches Web and App in the ACI Fabric.

74 Campus Fabric SGT Info Used in ACI Policies. Controller Layer: Campus Fabric Policy Domain (ISE) and ACI Policy Domain. ISE retrieves EPG names (e.g. PCI) and exchanges SGT names (e.g. Auditor), so SGT groups become available in ACI policies. Network Layer: in the Campus Fabric the Auditor SGT binding applies and packets carry SRC, DST, SGT: 5; the hand-off to the ACI Border Leaf (N9K) is plain Ethernet (no CMD); in ACI (Spine and Leaf N9K) the EPG binding applies, with EPG Name = Auditor and the PCI EPG.

75 Required connectivity for ACI-Campus. Campus scope of management: Campus Border Router with VRF A, VRF B, VRF C, VRF D (SGTs in VXLAN), VRF-lite (SXP) hand-off. DC scope of management: DC Border Leaf with VRF 1, VRF 2 (EPGs in VXLAN), Web1, Web2. Campus VRFs map N:M to DC VRFs. All outside EPGs learnt from ISE will be assigned to a single VRF. In the initial releases, ISE does not support VRF/VN semantics. It is assumed that connectivity between campus VRFs and DC VRFs is provisioned. In the future, cross-VRF connectivity should be driven from cross-group policies.

76 Policy Driven Segment Connectivity x-domain. User to App Contracts (C to Web). Domain A Segmentation Space (VRF A, VRF B, VRF C, VRF D) at the Domain A Border Router maps N:M to the Domain B Segmentation Space (VRF 1, VRF 2) at the Domain B Border Router; Domain A Data Plane -> Handoff -> Domain B Data Plane.

77 Fabric Enabled Segmentation (slide 13 repeated). Packet layout: Outer/Transport IP-UDP Header | VXLAN Header | Original IP Packet or L2 Frame. The outer header is forwarded by the Underlay Network; the VXLAN header carries the Virtual Network Identifier (24 bits) for the Virtual Networks and the Group Policy Identifier (16 bits) for the group.

78 ISE and APIC data plane translation. SD-Access Policy Domain: APIC-EM, Security Groups, IP-SGT mappings, Cisco ISE 2.3; SD-Access user classification on switch and router*; LISP, SGT & VXLAN. ACI Policy Domain: Cisco APIC-DC, End Point Groups, IP-ClassId and VNI bindings; Nexus 9000 spine and leaf, server; BGP EVPN, EPG & VXLAN. ISE & APIC exchange groups and member information; ISE creates the SGT to EPG translation table and sends it to the ASR 1K/N7K. APIC - Application Policy Infrastructure Controller; ACI - Application Centric Infrastructure. *ASR1K (ship), N7K (plan).

79 Use Case - Cloud: User to Cloud Access Control Workflow. Virtual firewall or SGACL-capable virtual routers in cloud environments (FTDv, ASAv, CSR-1000v, ISRv). Workloads / groups provisioned by Cisco or 3rd party provisioning tools: AWS Security Groups and Azure Network Security Groups (Prod App, Dev App). IP-SGT bindings are pushed to ISE via REST APIs; ISE SXP/pxGrid updates the enforcement point. Zero policy changes as new workloads are provisioned in clouds. ISE Enterprise Policy Domain tags: Employee, Developer, Guest, Non-Compliant. Consistent policy matrix over Dev Apps, Prod Apps, Remediation and Internet for Employee, Developer, Guest, Non Compliant and Voice (X marks blocked cells).

80 Conclusion

81 What to Do Next? Refresh your hardware & software: get SD-Access capable devices with the DNA Advantage OS license. Deploy the DNA Center: get DNA Center appliances with DNA Center software. Engage with Cisco Services (technical advisory, managed implementation, optimization, training): Cisco Services can help you to Test - Migrate - Deploy.

82 The First Step. #NewEra #CiscoDNA #NetworkIntuitive


84 Complete Your Online Session Evaluation. Please complete your online session evaluations after each session. Complete 4 session evaluations & the overall conference evaluation (available from Thursday) to receive your Cisco Live T-shirt. All surveys can be completed via the Cisco Live Mobile App or the Communication Stations. Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at

85 Continue Your Education: Demos in the Cisco campus; Walk-in Self-Paced Labs; Tech Circle; Meet the Engineer 1:1 meetings; Related sessions.

86 Thank you


More information

Cisco.Network.Intuitive FastLane IT Forum. Andreas Korn Systems Engineer

Cisco.Network.Intuitive FastLane IT Forum. Andreas Korn Systems Engineer Cisco.Network.Intuitive FastLane IT Forum Andreas Korn Systems Engineer 12.10.2017 Ziele dieser Session New Era of Networking - Was ist darunter zu verstehen? Software Defined Access Wie revolutioniert

More information

Cisco TrustSec How-To Guide: Phased Deployment Overview

Cisco TrustSec How-To Guide: Phased Deployment Overview Cisco TrustSec How-To Guide: Phased Deployment Overview For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table of Contents Table of Contents... 2

More information

Cloud Mobility: Meraki Wireless & EMM

Cloud Mobility: Meraki Wireless & EMM BRKEWN-2002 Cloud Mobility: Meraki Wireless & EMM Emily Sporl Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile

More information

TrustSec Configuration Guides. TrustSec Capabilities on Wireless 8.4 Software-Defined Segmentation through SGACL Enforcement on Wireless Access Points

TrustSec Configuration Guides. TrustSec Capabilities on Wireless 8.4 Software-Defined Segmentation through SGACL Enforcement on Wireless Access Points TrustSec Configuration Guides TrustSec Capabilities on Wireless 8.4 Software-Defined Segmentation through SGACL Enforcement on Wireless Access Points Table of Contents TrustSec Capabilities on Wireless

More information

Building an End-End Policy Driven Secure Hybrid Cloud DC Architecture

Building an End-End Policy Driven Secure Hybrid Cloud DC Architecture BRKSEC-2980 Building an End-End Policy Driven Secure Hybrid Cloud DC Architecture David Jansen CCIE #5952 DSE Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session

More information

Cisco Trusted Security Enabling Switch Security Services

Cisco Trusted Security Enabling Switch Security Services Cisco Trusted Security Enabling Switch Security Services Michal Remper, CCIE #8151 CSE/AM mremper@cisco.com 2009 Cisco Systems, Inc. All rights reserved. 1 Enter Identity & Access Management Strategic

More information

Software-Defined Access 1.0

Software-Defined Access 1.0 White Paper Software-Defined Access 1.0 Solution White Paper Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA https://www.cisco.com/ Tel: 408 526-4000 800 553-NETS

More information

Cisco Group Based Policy Platform and Capability Matrix Release 6.4

Cisco Group Based Policy Platform and Capability Matrix Release 6.4 Group d Policy Platform and Capability Matrix Release 6.4 (inclusive of TrustSec Software-Defined Segmentation) Group d Policy (also known as TrustSec Software-Defined Segmentation) uniquely builds upon

More information

ForeScout CounterACT. Configuration Guide. Version 4.3

ForeScout CounterACT. Configuration Guide. Version 4.3 ForeScout CounterACT Authentication Module: RADIUS Plugin Version 4.3 Table of Contents Overview... 4 Understanding the 802.1X Protocol... 4 About the CounterACT RADIUS Plugin... 6 IPv6 Support... 7 About

More information

Vendor: Cisco. Exam Code: Exam Name: Implementing Cisco Secure Access Solutions. Version: Demo

Vendor: Cisco. Exam Code: Exam Name: Implementing Cisco Secure Access Solutions. Version: Demo Vendor: Cisco Exam Code: 300-208 Exam Name: Implementing Cisco Secure Access Solutions Version: Demo QUESTION 1 By default, how many days does Cisco ISE wait before it purges the expired guest accounts?

More information

Integrating Meraki Networks with

Integrating Meraki Networks with Integrating Meraki Networks with Cisco Identity Services Engine Secure Access How-To guide series Authors: Tim Abbott, Colin Lowenberg Date: April 2016 Table of Contents Introduction Compatibility Matrix

More information

Serviceability of SD-WAN

Serviceability of SD-WAN BRKCRS-2112 Serviceability of SD-WAN Chandrabalaji Rajaram & Ali Shaikh Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live

More information

Software-Defined Access 1.0

Software-Defined Access 1.0 Software-Defined Access 1.0 What is Cisco Software-Defined Access? The Cisco Software-Defined Access (SD-Access) solution uses Cisco DNA Center to provide intent-based policy, automation, and assurance

More information

Cisco UCS Director and ACI Advanced Deployment Lab

Cisco UCS Director and ACI Advanced Deployment Lab Cisco UCS Director and ACI Advanced Deployment Lab Michael Zimmerman, TME Vishal Mehta, TME Agenda Introduction Cisco UCS Director ACI Integration and Key Concepts Cisco UCS Director Application Container

More information

Introducing Cisco Network Assurance Engine

Introducing Cisco Network Assurance Engine BRKACI-2403 Introducing Cisco Network Assurance Engine Intent Based Networking for Data Centers Sundar Iyer, Distinguished Engineer Head Cisco Network Assurance Engine Team Dhruv Jain, Director of Product

More information

ISE Primer.

ISE Primer. ISE Primer www.ine.com Course Overview Designed to give CCIE Security candidates an intro to ISE and some of it s features. Not intended to be a complete ISE course. Some topics are not discussed. Provides

More information

CertKiller q

CertKiller q CertKiller.500-451.28q Number: 500-451 Passing Score: 800 Time Limit: 120 min File Version: 5.3 500-451 Cisco Unified Access Systems Engineer Exam I just passed today with 89%. My sole focus was the VCE.

More information

Software-Defined Access Wireless

Software-Defined Access Wireless Introduction to, page 1 Configuring SD-Access Wireless (CLI), page 7 Enabling SD-Access Wireless (GUI), page 8 Configuring SD-Access Wireless VNID (GUI), page 9 Configuring SD-Access Wireless WLAN (GUI),

More information

Cisco Application Centric Infrastructure and Microsoft SCVMM and Azure Pack

Cisco Application Centric Infrastructure and Microsoft SCVMM and Azure Pack White Paper Cisco Application Centric Infrastructure and Microsoft SCVMM and Azure Pack Introduction Cisco Application Centric Infrastructure (ACI) is a next-generation data center fabric infrastructure

More information

Software-Defined Access Wireless

Software-Defined Access Wireless Introduction to, page 1 Configuring SD-Access Wireless (CLI), page 7 Introduction to The Enterprise Fabric provides end-to-end enterprise-wide segmentation, flexible subnet addressing, and controller-based

More information

Cisco TrustSec 4.0:How to Create Campus and Branch-Office Segmentation

Cisco TrustSec 4.0:How to Create Campus and Branch-Office Segmentation Ordering Guide TrustSec 4.0:How to Create Campus and Branch-Office Segmentation Ordering Guide November 2013 2013 and/or its affiliates. All rights reserved. This document is Public Information. Page 1

More information

Cisco ISE Features. Cisco Identity Services Engine Administrator Guide, Release 1.4 1

Cisco ISE Features. Cisco Identity Services Engine Administrator Guide, Release 1.4 1 Cisco ISE Overview, page 2 Key Functions, page 2 Identity-Based Network Access, page 2 Support for Multiple Deployment Scenarios, page 3 Support for UCS Hardware, page 3 Basic User Authentication and Authorization,

More information

Software-Defined Access Wireless

Software-Defined Access Wireless Introduction to, page 1 Configuring SD-Access Wireless (CLI), page 7 Enabling SD-Access Wireless (GUI), page 8 Configuring SD-Access Wireless VNID (GUI), page 9 Configuring SD-Access Wireless WLAN (GUI),

More information

Cisco SD-WAN (Viptela) Migration, QoS and Advanced Policies Hands-on Lab

Cisco SD-WAN (Viptela) Migration, QoS and Advanced Policies Hands-on Lab Cisco SD-WAN (Viptela) Migration, QoS and Advanced Policies Hands-on Lab Ali Shaikh Technical Leader Faraz Shamim Sr. Technical Leader Mossaddaq Turabi Distinguished ENgineer Cisco Spark How Questions?

More information

PSOACI Tetration Overview. Mike Herbert

PSOACI Tetration Overview. Mike Herbert Tetration Overview Mike Herbert Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion

More information

Intuit Application Centric ACI Deployment Case Study

Intuit Application Centric ACI Deployment Case Study Intuit Application Centric ACI Deployment Case Study Joon Cho, Principal Network Engineer, Intuit Lawrence Zhu, Solutions Architect, Cisco Agenda Introduction Architecture / Principle Design Rollout Key

More information

ONE POLICY. Tengku Shahrizam, CCIE Asia Borderless Network Security 20 th June 2013

ONE POLICY. Tengku Shahrizam, CCIE Asia Borderless Network Security 20 th June 2013 ONE POLICY Tengku Shahrizam, CCIE Asia Borderless Network Security 20 th June 2013 Agenda Secure Unified Access with ISE Role-Based Access Control Profiling TrustSec Demonstration How ISE is Used Today

More information

Cisco Software-Defined Access

Cisco Software-Defined Access Cisco Software-Defined Access Introducing an entirely new era in networking. What if you could give time back to IT? Provide network access in minutes for any user or device to any application-without

More information

BEST PRACTICE - NAC AUF ARUBA SWITCHES. Rollenbasierte Konzepte mit Aruba OS Switches in Verbindung mit ClearPass Vorstellung Mobile First Features

BEST PRACTICE - NAC AUF ARUBA SWITCHES. Rollenbasierte Konzepte mit Aruba OS Switches in Verbindung mit ClearPass Vorstellung Mobile First Features BEST PRACTICE - NAC AUF ARUBA SWITCHES Rollenbasierte Konzepte mit Aruba OS Switches in Verbindung mit ClearPass Vorstellung Mobile First Features Agenda 1 Overview 2 802.1X Authentication 3 MAC Authentication

More information

LTRDCT-2781 Building and operating VXLAN BGP EVPN Fabrics with Data Center Network Manager

LTRDCT-2781 Building and operating VXLAN BGP EVPN Fabrics with Data Center Network Manager LTRDCT-2781 Building and operating VXLAN BGP EVPN Fabrics with Data Center Network Manager Henrique Molina, Technical Marketing Engineer Matthias Wessendorf, Technical Marketing Engineer Cisco Spark How

More information

SDN Security BRKSEC Alok Mittal Security Business Group, Cisco

SDN Security BRKSEC Alok Mittal Security Business Group, Cisco SDN Security Alok Mittal Security Business Group, Cisco Security at the Speed of the Network Automating and Accelerating Security Through SDN Countering threats is complex and difficult. Software Defined

More information

Cisco Software Defined Access (SDA)

Cisco Software Defined Access (SDA) Cisco Software Defined Access (SDA) Transformational Approach to Network Design & Provisioning Sanjay Kumar Regional Manager- ASEAN, Cisco Systems What is network about? Source: google.de images Security

More information

Choice of Segmentation and Group Based Policies for Enterprise Networks

Choice of Segmentation and Group Based Policies for Enterprise Networks Choice of Segmentation and Group Based Policies for Enterprise Networks Hari Holla Technical Marketing Engineer, Cisco ISE BRKCRS-2893 hari_holla /in/hariholla Cisco Spark How Questions? Use Cisco Spark

More information

Cisco TrustSec How-To Guide: Global Switch Configuration

Cisco TrustSec How-To Guide: Global Switch Configuration Cisco TrustSec How-To Guide: Global Switch Configuration For Comments, please email: howtoguides@external.cisco.com Current Document Version: 3.0 August 27, 2012 Table of Contents Table of Contents...

More information

DumpsFree. DumpsFree provide high-quality Dumps VCE & dumps demo free download

DumpsFree.   DumpsFree provide high-quality Dumps VCE & dumps demo free download DumpsFree http://www.dumpsfree.com DumpsFree provide high-quality Dumps VCE & dumps demo free download Exam : 300-208 Title : Implementing Cisco Secure Access Solutions Vendor : Cisco Version : DEMO Get

More information

Troubleshooting sieci opartej na. Mariusz Kazmierski, CCIE #25082 (R&S, SP) TAC EMEAR Technical Leader Switching

Troubleshooting sieci opartej na. Mariusz Kazmierski, CCIE #25082 (R&S, SP) TAC EMEAR Technical Leader Switching Troubleshooting sieci opartej na architekturze SDA Mariusz Kazmierski, CCIE #25082 (R&S, SP) TAC EMEAR Technical Leader Switching What s on the Network? Overlay Network Control Plane based on LISP Policy

More information

Network Deployments in Cisco ISE

Network Deployments in Cisco ISE Cisco ISE Network Architecture, page 1 Cisco ISE Deployment Terminology, page Node Types and Personas in Distributed Deployments, page Standalone and Distributed ISE Deployments, page 4 Distributed Deployment

More information

Posture Services on the Cisco ISE Configuration Guide Contents

Posture Services on the Cisco ISE Configuration Guide Contents Posture Services on the Cisco ISE Configuration Guide Contents Introduction Prerequisites Requirements Components Used Background Information ISE Posture Services Client Provisioning Posture Policy Authorization

More information

Segmentation. Threat Defense. Visibility

Segmentation. Threat Defense. Visibility Segmentation Threat Defense Visibility Establish boundaries: network, compute, virtual Enforce policy by functions, devices, organizations, compliance Control and prevent unauthorized access to networks,

More information

DNA Campus Fabric. How to Migrate The Existing Network. Kedar Karmarkar - Technical Leader BRKCRS-2801

DNA Campus Fabric. How to Migrate The Existing Network. Kedar Karmarkar - Technical Leader BRKCRS-2801 DNA Campus Fabric How to Migrate The Existing Network Kedar Karmarkar - Technical Leader Campus Fabric Abstract Is your Campus network facing some, or all, of these challenges? Host Mobility (w/o stretching

More information

Catalyst 3850 Series Switch Session Aware Networking with a Service Template on the ISE Configuration Example

Catalyst 3850 Series Switch Session Aware Networking with a Service Template on the ISE Configuration Example Catalyst 3850 Series Switch Session Aware Networking with a Service Template on the ISE Configuration Example Document ID: 116838 Contributed by Michal Garcarz, Cisco TAC Engineer. Nov 26, 2013 Contents

More information

Policy Defined Segmentation with Cisco TrustSec

Policy Defined Segmentation with Cisco TrustSec Policy Defined Segmentation with Cisco TrustSec Session ID 18PT Rob Bleeker Consulting System Engineer CCIE #: 2926 Abstract This session will explain how TrustSec Security Group Tagging can be used to

More information

DNA SA Border Node Support

DNA SA Border Node Support Digital Network Architecture (DNA) Security Access (SA) is an Enterprise architecture that brings together multiple building blocks needed for a programmable, secure, and highly automated fabric. Secure

More information

PSOACI Why ACI: An overview and a customer (BBVA) perspective. Technology Officer DC EMEAR Cisco

PSOACI Why ACI: An overview and a customer (BBVA) perspective. Technology Officer DC EMEAR Cisco PSOACI-4592 Why ACI: An overview and a customer (BBVA) perspective TJ Bijlsma César Martinez Joaquin Crespo Technology Officer DC EMEAR Cisco Lead Architect BBVA Lead Architect BBVA Cisco Spark How Questions?

More information

Introduction to Cisco SD- WAN (Viptela)

Introduction to Cisco SD- WAN (Viptela) LTRCRS-2005 Introduction to Cisco SD- WAN (Viptela) Brad Edgeworth, Systems Engineer, CCIE#31574 Dustin Schuemann, Solutions Architect Madhavan Aruanchalam, Technical Marketing Engineer Cisco Spark How

More information

DNA Automation Services Offerings

DNA Automation Services Offerings DNA Automation Services Offerings Jamie Owen, Solutions Architect, Cisco Advanced Services Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session

More information

Network as an Enforcer (NaaE) Cisco Services. Network as an Enforcer Cisco and/or its affiliates. All rights reserved.

Network as an Enforcer (NaaE) Cisco Services. Network as an Enforcer Cisco and/or its affiliates. All rights reserved. Network as an Enforcer (NaaE) Cisco Services INTRODUCTION... 6 Overview of Network as an Enforcer... 6 Key Benefits... 6 Audience... 6 Scope... 6... 8 Guidelines and Limitations... 8 Configuring SGACL

More information

Network Deployments in Cisco ISE

Network Deployments in Cisco ISE Cisco ISE Network Architecture, page 1 Cisco ISE Deployment Terminology, page 2 Node Types and Personas in Distributed Deployments, page 2 Standalone and Distributed ISE Deployments, page 4 Distributed

More information

SD-Access Wireless Design and Deployment Guide

SD-Access Wireless Design and Deployment Guide SD-Access Wireless Design and Deployment Guide Executive Summary 2 Software Defined Access 2 SD Access Wireless 3 SD Access Wireless Architecture 4 Setting up SD-Access Wireless with DNAC 13 SD Access

More information

Software-Defined Access Design Guide

Software-Defined Access Design Guide Cisco Validated design Software-Defined Access Design Guide December 2017 Solution 1.1 Table of Contents Table of Contents Cisco Digital Network Architecture and Software-Defined Access Introduction...

More information

AlgoSec: How to Secure and Automate Your Heterogeneous Cisco Environment

AlgoSec: How to Secure and Automate Your Heterogeneous Cisco Environment BRKPAR-2488 AlgoSec: How to Secure and Automate Your Heterogeneous Cisco Environment Edy Almer How to Secure and Automate Your Heterogeneous Cisco Environment Yogesh Kaushik, Senior Director Cisco Doug

More information

Configure IBNS 2.0 for Single-Host and Multi- Domain Scenarios

Configure IBNS 2.0 for Single-Host and Multi- Domain Scenarios Configure IBNS 2.0 for Single-Host and Multi- Domain Scenarios Contents Introduction Prerequisites Requirements Components Used Configure Configuration Theory Scenario for Single-Host Scenario for Multi-Domain

More information

NXOS in the Real World Using NX-API REST

NXOS in the Real World Using NX-API REST NXOS in the Real World Using NX-API REST Adrian Iliesiu Corporate Development Engineer Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session

More information

Cisco TrustSec Software-Defined Segmentation Release 6.1 System Bulletin

Cisco TrustSec Software-Defined Segmentation Release 6.1 System Bulletin System Bulletin TrustSec Software-Defined Segmentation Release 6.1 System Bulletin Introduction Network segmentation is essential for protecting critical business assets. TrustSec Software Defined Segmentation

More information

Introduction to 802.1X Operations for Cisco Security Professionals (802.1X)

Introduction to 802.1X Operations for Cisco Security Professionals (802.1X) Introduction to 802.1X Operations for Cisco Security Professionals (802.1X) The goal of the course is to provide students with foundational knowledge in the capabilities and functions of the IEEE 802.1x

More information

Cloud-Ready WAN For IAAS & SaaS With Cisco s Next- Gen SD-WAN

Cloud-Ready WAN For IAAS & SaaS With Cisco s Next- Gen SD-WAN BRKCRS-2113 Cloud-Ready WAN For IAAS & SaaS With Cisco s Next- Gen SD-WAN Sumanth Kakaraparthi Product Leader SD-WAN Manan Shah Director Of Product Management Cisco Spark How Questions? Use Cisco Spark

More information

Figure 1 - Controller-Initiated Web Login Flow

Figure 1 - Controller-Initiated Web Login Flow Figure 1 - Controller-Initiated Web Login Flow Figure 2 Controller-Initiated Web Login with MAC Cache Figure 3 Server-Initiated Web Login Figure 4 Server Initated Web Login with MAC Cache Figure 5 Server-Initiated

More information

Cisco S802dot1X - Introduction to 802.1X(R) Operations for Cisco Security Professionals.

Cisco S802dot1X - Introduction to 802.1X(R) Operations for Cisco Security Professionals. Cisco 650-472 S802dot1X - Introduction to 802.1X(R) Operations for Cisco Security Professionals http://killexams.com/exam-detail/650-472 QUESTION: 60 Which two elements must you configure on a Cisco Wireless

More information

ExamTorrent. Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you

ExamTorrent.   Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you ExamTorrent http://www.examtorrent.com Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you Exam : 400-251 Title : CCIE Security Written Exam (v5.0) Vendor : Cisco Version

More information

Forescout. Configuration Guide. Version 4.4

Forescout. Configuration Guide. Version 4.4 Forescout Version 4.4 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

Borderless Networks. Tom Schepers, Director Systems Engineering

Borderless Networks. Tom Schepers, Director Systems Engineering Borderless Networks Tom Schepers, Director Systems Engineering Agenda Introducing Enterprise Network Architecture Unified Access Cloud Intelligent Network & Unified Services Enterprise Networks in Action

More information

Cisco Software-Defined Access

Cisco Software-Defined Access Migration Guide Cisco Software-Defined Access 2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 31 Contents Cisco SD-Access... 3 Evolution of Networking

More information

ISE Version 1.3 Self Registered Guest Portal Configuration Example

ISE Version 1.3 Self Registered Guest Portal Configuration Example ISE Version 1.3 Self Registered Guest Portal Configuration Example Document ID: 118742 Contributed by Michal Garcarz and Nicolas Darchis, Cisco TAC Engineers. Feb 13, 2015 Contents Introduction Prerequisites

More information

Cisco Nexus Data Broker

Cisco Nexus Data Broker Data Sheet Cisco Nexus Data Broker Product Overview You used to monitor traffic mainly to manage network operations. Today, when you monitor traffic you can find out instantly what is happening throughout

More information

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

PASS4TEST. IT Certification Guaranteed, The Easy Way!   We offer free update service for one year PASS4TEST \ http://www.pass4test.com We offer free update service for one year Exam : 300-208 Title : Implementing Cisco Secure Access Solutions Vendor : Cisco Version : DEMO Get Latest & Valid 300-208

More information

Configuring IEEE 802.1x Port-Based Authentication

Configuring IEEE 802.1x Port-Based Authentication CHAPTER 10 Configuring IEEE 802.1x Port-Based Authentication IEEE 802.1x port-based authentication prevents unauthorized devices (clients) from gaining access to the network. Unless otherwise noted, the

More information

Tetration Hands-on Lab from Deployment to Operations Support

Tetration Hands-on Lab from Deployment to Operations Support LTRACI-2184 Tetration Hands-on Lab from Deployment to Operations Support Furong Gisiger, Solutions Architect Lawrence Zhu, Sr. Solutions Architect Cisco Spark How Questions? Use Cisco Spark to communicate

More information

Configuring MAC Authentication Bypass

Configuring MAC Authentication Bypass Configuring MAC Authentication Bypass Last Updated: January 18, 2012 The MAC Authentication Bypass feature is a MAC-address-based authentication mechanism that allows clients in a network to integrate

More information

Data Center Security. Fuat KILIÇ Consulting Systems

Data Center Security. Fuat KILIÇ Consulting Systems Data Center Security Fuat KILIÇ Consulting Systems Engineer @Security Data Center Evolution WHERE ARE YOU NOW? WHERE DO YOU WANT TO BE? Traditional Data Center Virtualized Data Center (VDC) Virtualized

More information

Campus Fabric Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 9300 Switches)

Campus Fabric Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 9300 Switches) Campus Fabric Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 9300 Switches) First Published: 2017-07-31 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706

More information

Cisco TrustSec Software-Defined Segmentation Release 6.1 System Bulletin

Cisco TrustSec Software-Defined Segmentation Release 6.1 System Bulletin System Bulletin TrustSec Software-Defined Segmentation Release 6.1 System Bulletin Introduction Network segmentation is essential for protecting critical business assets. TrustSec Software Defined Segmentation

More information

Campus Fabric Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 3650 Switches)

Campus Fabric Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 3650 Switches) Campus Fabric Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 3650 Switches) First Published: 2017-07-31 Last Modified: 2017-11-03 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive

More information

Cisco TrustSec Quick Start Configuration Guide

Cisco TrustSec Quick Start Configuration Guide Cisco TrustSec Quick Start Configuration Guide Table of Contents Introduction... 5 Using This Guide... 5 Baseline ISE Configuration for TrustSec... 7 Active Directory Integration (optional)... 7 Defining

More information

CloudCenter for Developers

CloudCenter for Developers DEVNET-1198 CloudCenter for Developers Conor Murphy, Systems Engineer Data Centre Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the

More information

802.1x Port Based Authentication

802.1x Port Based Authentication 802.1x Port Based Authentication Johan Loos Johan at accessdenied.be Who? Independent Information Security Consultant and Trainer Vulnerability Management and Assessment Wireless Security Next-Generation

More information

CWA URL Redirect support on C891FW

CWA URL Redirect support on C891FW Introduction, page 1 Prerequisites for, page 2 Configuring, page 3 HTTP Proxy Configuration, page 8 Configuration Examples for, page 8 Important Notes, page 14 Additional References for, page 14 Feature

More information

Configuring IEEE 802.1x Port-Based Authentication

Configuring IEEE 802.1x Port-Based Authentication CHAPTER 8 Configuring IEEE 802.1x Port-Based Authentication This chapter describes how to configure IEEE 802.1x port-based authentication on the switch. IEEE 802.1x authentication prevents unauthorized

More information