Inside Cisco IT: The New Catalyst 9000 Series and Software Defined Access

Transcription

1

2 Inside Cisco IT: The New Catalyst 9000 Series and Software Defined Access John Moe, Cisco IT Member of Technical Staff

3 Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space cs.co/ciscolivebot# 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

4 Agenda Cisco IT Overview DNA and the Next Generation Network Catalyst 9000 Series and Open IOS-XE Software Defined Access (SDA)

5 Cisco IT Overview

6 Cisco IT Overview More Than 150,000 People Worldwide in the Extended Cisco Family 300+ Locations in 93 Countries 500+ Buildings 70,000+ Employees 50,000+ Contractors 200+ Business/Support Partners Switches Routers 600+ WLCs 11,000+ APs Labs Worldwide 5 Production Data Centers 40 Non-prod Data Centers 13,000+ UCS Servers 60,000+ Virtual Machines Business Applications 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 6

7 Cisco IT Global WAN Backbone 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 7

8 Branch Office WAN Classifications and LAN Topologies Business Performance (2A/2A+) Business Essential (2B) Business Ready (2C) Headcount >300 or Business justified Headcount >25 or Business justified Headcount <25 Large Office Dual WAN routers Typically multiple floors and VLAN domains 1 or more wiring closets per floor with cabling infra to the primary wiring closet High LAN SLA configuration Medium Office Dual WAN routers Typically single floor and VLAN domain 1 or more wiring closets with cabling infra to the primary wiring closet High LAN SLA configuration Small Office Single WAN router No wiring closets or physical infrastructure Equipment located in portable comm rack Low LAN SLA configuration 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 8

9 Secure Internet Office Hybrid WAN for Cost Savings Current state Phase 1 Phase 2 Private (active) Private (backup) Private (active) ivpn (active) Private (active) ivpn + DIA (active) Branch (2B) 25% 75% Branch (2B) 15% 85% Branch (2B) 10% 90% 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 9

10 Cisco IT s Cloudport Solution Cisco Data Centre Campus Location Dark Fiber DWDM Ring Carrier Neutral Facility 4 1. Internet 2. Branch Office Connectivity 3. Backbone Connectivity 4. Cloud Internet Exchange 5. Private Cloud Interconnect 6. Extranet Partners Sales Office 7 SIP 5 7. Media/SIP service Cisco and/or its affiliates. All rights reserved. Cisco Public 10

11 Workspace Optimization 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 11

12 Cisco IT Device Landscape (November 30th, 2017) 18 month Sparkline -0.1% -4.5% +0.5% 78,287 46,391 5, ,643 Corporate Provided Devices (CYOD) -1.2% +5.2% +4.3% -3.1% 66,804 Mobile Devices (BYOD) 7,617 44,880 13, devices / user Growths Based on a 3 Month Period 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 12

13 Cisco IT UC and Video Platform Services 131,000 IP Phones 68,000 Soft Clients 97,000 WebEx Clients 67,000 Mobile Devices 1,759 Immersive 7,000 Desktop / Personal 8,700 Video Conference Bridge Ports 6,600 Contact Center Clients Unified Communications Manager (UCM) 33 clusters in 12 Sites Unity Connection (Voic ) 19 clusters in 9 Sites Telepresence Management Suite (TMS) 1 cluster, 73 VCS / VCS Expressway nodes Unified Contact Center Enterprise (UCCE) 6 clusters, 12 IVR,s, 2 ICMs in 6 Sites 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 13

14 DNA and the Next Generation Network

15 Cisco IT - Location as a Service Use Case Wayfinding Space Utilization Asset Management Active RFID Tracking Asset Detection Customer Cisco IT WPR Cisco Labs Supply Chain Security Application Cisco Maps Phunware Beam Pro Rifiniti IoT Platform TagIt Face Recognition Foundational Infrastructure and Service CMX Location Data (via API) Wireless Network Infrastructure (Hyperlocation/CleanAir/BLE) Endpoints ios, Android, macos, Windows, RFID tags, BLE tags 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 15

16 Rifiniti Space Utilization 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 16

17 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 17

18 Suitable Technologies Beam Pro Wi-Fi LBS Integration 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 18

19 Cisco IT - Lighting as a Service Use Case Workspace Personalization Customized Lighting Emergency Pathway Out First Responder In Customer Application Cisco IT Cisco Maps Cisco IT Cisco Proximity Safety/Security Flash lights or illuminate path Safety/Security Flash lights or illuminate path Foundational Infrastructure and Service Lighting Control Data (via API) Wired Network Infrastructure Endpoints NuLED, CREE, Philips 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 19

20 Personalized Control of Lighting Environment Cool white Warm white 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 20

21 A Ten Year Journey 2020 Today Changing Expectations 2007 Any Device, Mobility Pervasive Video 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 21

22 Expectations have changed Here s some of what happened Business Demands Digital Transformation Security is a Board Room Conversation Fierce Competition and Cost Pressures Multi-Cloud World is Now a Reality 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 22

23 A Ten Year Journey 2020 Today Changing Expectations 2007 Any Device, Mobility Pervasive Video 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 23

24 Modern Network Environment is Vast and Complex Drivers of cost and complexity 45,000 Network Devices 40,000 Configuration Assurance Policy Violations 1,100 Network Changes Per Month 80% 95% Human Mistake Performed Manually Manual Configuration & Refresh No centralized access No Plug-n-play Complicated Equipment Portfolio Can t keep skills up Convoluted maintenance & troubleshooting Lack of visibility Lack of analytics Tool Proliferation Multiple interfaces Increased tool errors 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 24

25 Digital Network Architecture Roadmap 1 Base automation Automated deployment across greenfield and brownfield 2 Controller-based networking with assurance across WAN/LAN and wireless SDN / Automated enterprise 3 Advanced security and network analytics Next generation threat and application analytics 4 Automated user to application policy (access and priority) across enterprise and DC domains Single cross-domain orchestration 5 Self-driving Enabling policy based compliance, assurance driven optimization Simplicity Lower Risk Business enablement Customer outcomes Lower TCO Service quality 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 25

26 From Task Automation to Service Orchestration and Beyond We re Here! Closed-loop Orchestration Ad-hoc Scripting Re-useable Frameworks Centrally managed frameworks, templates accelerate delivery Service Orchestration NSO Model-driven config lifecycle CrUD automation in one place Business-level intent, dynamic optimization based on real-time network state Engineers run one-off scripts and tools, device-by-device 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 26

27 DNA and Next Generation Network Highlights Leverage network data from existing networks for new use cases Network consolidation and new IoT devices are driving up endpoint count Changing expectations caused us to think about how we work and organize differently... now we have to make sure that we are ahead of the curve Modern network environment is vast and complex and prone to human mistakes Journey from task automation to closed loop service orchestration 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 27

28 Catalyst 9000 Series and Open IOS-XE

29 Cisco IT Network Landscape 2017 C4510/8E (1301) C6807/2T (39) C6509E/2T (463) ASR 1006 (251) ASR 1004 (187) ASR 1002 (19) C3850 (1671) C3750 (296) C6880-X (186) IE3010 (19) 3560C (7) C4500-X (606) ISR 4451-X (944) ISR 3900 (1173) ISR 2900 (702) ISR 800 (30K) Access Distribution/Core WAN 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 29

30 Catalyst 9000 Series Catalyst 9400 Modular Access Open IOS-XE Catalyst 9300 Fixed Access Catalyst 9500 Fixed Core x86 CPU and Containers UADP 2.0 Converged ASIC Single Image Common Licensing With the Catalyst 9000 Series - 1 Common HW Architecture (UADP 2.0) 1 Software Image (Open IOS-XE) Device Bootstrap and Onboarding Standards-based, structured programmability Apps and services embedded in fabric 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 30

31 Perpetual and Fast PoE Perpetual PoE: With Perpetual PoE, the PoE power is maintained during a switch reload. This is important for IoT endpoints such as PoE-powered lights, so that there is no disruption during switch reboot Fast PoE: When power is restored to a switch, PoE starts delivering power to endpoints without waiting for the operating system to fully load, thereby speeding up the time for the endpoint to start up Catalyst 9300 Fixed Access Catalyst 9400 Modular Access 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 31

32 Infrastructure Foundation Embedded Security - Encrypted Traffic Analytics ISE Context & Mitigation StealthWatch Machine Learning Primary Use-case Malware in Encrypted Traffic Encrypted Traffic Analytics Secondary Use-case Cryptographic Audits 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 32

33 Cisco IT Catalyst 9000 Migration Path C slot Sup1, mgig C6807-XL/2T C6509E/2T C6880-X ASR 1006 ASR 1004 C port mgig C X ISR 4451-X Access Distribution/Core WAN 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 33

34 Open IOS-XE 16 - Hardware Migration Strategy Network Function Capacity Criteria Current Hardware Comments Target Hardware Hardware Status CORE/AG GW ASR 1006 RP1, ESP5, ESP10, SIP10 not supported RP2, ESP40/100/200, SIP40 General Deployment WAN GW LAN GW LAN SW LAB GW Voice GW Console GW > GE WAN <= GE WAN > 40 ports <= 40 ports > 192 ports <= 192 ports no HVAC > 16 ports <= 16 ports CUBE/SIP SRST > 64 async <= 64 async DC Voltage ASR 1004 ISR 4451-X CAT 6500/6800/Sup2T CAT 4500-X CAT 4510/Sup8E CAT 3850-UPOE IE 3010 CAT 6880-X ISR 4451-X ASR 1002 ISR 4451-X ISR G ISR G ISR G RP1, ESP5, ESP10, SIP10 not supported Support thru 2024, will not support Open IOS-XE Support thru 2024, will not support Open IOS-XE Support thru 2024, will not support Open IOS-XE Runs Open IOS-XE, UADP v1 Will not support Open IOS-XE RP2, ESP40, SIP40 ISR 4451-X TBD CAT 9500 Support thru 2024, will not support Open IOS-XE CAT 9500 ISR 4451-X CAT slot, dual Sup-1, mgig CAT 9300 mgig CAT 9300 mgig 1002 chassis, RP1, ESP5/10 SIP10 not supported ASR 1004, RP2, ESP40 ISR 4451-X HW end of sale 12/2017 HW end of sale 12/2017 HW end of sale 12/2017 ISR 4451-X, NIM-24A, CAN-ASYNC-8 ISR 4331, AC PS, NIM-24A, CAN-ASYNC-8 ISR 4331, DC PS, NIM-24A, CAN-ASYNC-8 General Deployment General Deployment Participate in EFT Limited Deployment Limited Deployment Limited Deployment Limited Deployment Participate in EFT General Deployment General Deployment General Deployment General Deployment General Deployment General Deployment NFV N/A Investigate Network Function Virtualization ENCS 5412 vbranch demo at Cisco Live Cancun WLC WiSM2 WLC Converged Access WLC 5520 Virtualized controller for C9K Limited Deployment Participate in EFT APs 3700 Series Will not support IPv6, AVC in DNA/SDA NG AP Participate in EFT WAAS AppNav Core/Campus Large Medium Small Core/Large Medium Small WAVE 8541 WAVE 7571 WAVE 694 ISR-WAAS WAE 594 w/10ge WAE 694 AppNav-XE UCS UCS-C vwaas50k, C9K vwaas UCS-E, UCS-C, ENCS-5412-W, C9K vwaas ISR-WAAS UCS-C AppNav-XE AppNav-XE SVL testing in progress SVL testing in progress SVL testing in progress SVL testing in progress SVL testing in progress SVL testing in progress SVL testing in progress 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 34

35 Open IOS-XE 16 and IOS Migration Status Platform Rommon Version IOS Version Device Count Future Target IOS ASR 1000/RP2 (RP1,ESP10,SIP10 unsupported) 16.3(2r) *required (CCO target 02/02/18) (3/30) ISR 4451 ISR (1r) 16.4(3r) vedge 1000 N/A (CCO target 02/02/18) (3/30) ENCS 5412 BIOS 2.4, NFVIS (CCO target 02/02/18) (3/30) ISR G ISR G (1r)M M 41 CAT 9500 N/A (CCO target 02/02/18) (3/30) CAT 9400 N/A (CCO target 02/02/18) (3/30) CAT 9300 N/A (CCO target 02/02/18) (3/30) CAT 6500/2T 12.2(50r)SYS4 15.4(1)SY (1)SY1 (CCO target 01/25/18) CAT 4500/8E CAT 4500-X 15.1(1r)SG (1r)SG E E (CCO target 02/21/18) CAT 3850 N/A (CCO target 02/21/18) WiSM2, 5508 N/A (MR1) 5520 N/A (MR1) Cisco and/or its affiliates. All rights reserved. Cisco Public 35

36 Cisco Fleet Technology Release Process Solution Verification Lab Pilot Deployment Limited Deployment Network Refresh( Fleet) Verifies new designs, hardware, software and processes Funnels technology and capabilities for small pilot and testing Pilot for evaluation in production network Ongoing upgrade cycle for all products in all sites Holistic testing with automation Provides certification testing services Mirror of Production Network Limited to a few locations Monitored to ensure issues can be mitigated quickly Ensures the IT Network s hardware and software are current 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 36

37 Catalyst 9000 Series and Open IOS-XE Highlights Strategy to stop investing in older hardware and start deployment of C9K HW 24 C9300s deployed in North Sydney, 2 C9300s deployed in Sendai 7 deployment stopper defects identified and fixes integrated to and Common hardware and single IOS-XE image will reduce our OPEX Plug n Play, image management, and config automation important to reduce cost ETA export from 2 C9300 sites, 2 ISR4K sites, and 2 ASR1K WAN Aggregation Thousand Eye performance agent running on C9K, ISR4K, ASR1K, ENCS5K Analyze network infrastructure for Open IOS-XE 16 unsupported hardware Some platforms require rommon upgrades prior to installing Open IOS-XE 16 Be aware of potential speed negotiation issues for mgig models and modules 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 37

38 Software Defined Access (SDA)

39 DNA Center - High-Level Architecture ISE Northbound Open REST APIs APIC-EM 2.0 Cisco DNA Center Northbound Open REST APIs NDP IPAM (3 rd Party) Meraki Dashboard API Telemetry protocols: NetFlow, SNMP, Syslog, streaming CLI, SNMP, PnP, NETCONF Cisco Meraki Meraki dashboard Wireless AP Catalyst(R) 2000/3000 Catalyst 4000/6000 Cisco Nexus(R) 7000 WLC ISR/ASR NFV-IS Physical, virtual, and cloud network infrastructure 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 39

40 DNA Center Next-Gen platform to enable digital capabilities Predictive Machine learning-based detection of problems prior to occurrence Closed Loop Profiles Standardized configurations for multi-pin services Proactive Faster troubleshooting with problems and trends correlation and dynamic thresholding Assurance Automation Policy Abstraction Expressing the business intent rather than a feature E2E Visibility Scalable data collection and reporting for reactive troubleshooting and planning Validation Machine learning-based network-wide configuration validation prior to deployment Self-Optimizing Enterprise WAN and access networks Wired and wireless 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 40

41 DNA-Center High-Level Deployment Schedule Q4 CY17 Proof of concept and evaluation Collaborate with BU on IT use-cases for: Contextual Dashboard Image management ITSM Integration Setup lab environment for DNA-C, ISE, C9K, and SDA Q1 CY18 Coordinate Global Installation 3 regional pairs Monitor 2 sites in 2 weeks post FCS Monitor 10 sites in 4 weeks post FCS Beyond Additional pilots SDA PnP (ZTP) Assurance NDP PathTrace SD-WAN 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 41

42 Secure Network Access at Cisco StealthWatch Identity Services Engine WSA, ESA + AMP The 4 Stages: 1. Profiling 2. Authentication 3. Posture 4. Enforcement Cisco Core Network Device Management Wired Network Devices Wireless Devices Adaptive Security Appliance Home Access (CVO) AnyConnect VPN (All Mobile) 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 42

43 Cisco IT ISE Production Deployment ~14K Guest/Week CWA Central Web Auth Internet Only ISE 1.2, 8 VMs, 2 DCs 580 WLC; ~200K EP ISE 2.1, 24 VMs, 8 DCs 27K CVO; ~60K EP 70 ASA; ~90K EP 2K SW; ~200K EP 8 Sites; ~8K EP Corporate Access WLAN, CVO, VPN, LAN 1.5 Million active profiled Endpoints Max ~450K Concurrent Endpoints 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 43

44 What is a Fabric? Users or Devices Device Management Secure risky IoT devices, mobile devices, printers Programmable Overlay Dynamic Path Setup and Client Mobility Network Segmentation via Virtual Networks (VNs) User/Device Segmentation via Segments (Groups) Prescriptive Underlay Topology and Protocol Independent Leverage Standards-based Network Infrastructure Optimized Forwarding, Load-Balancing & Scale 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 44

45 Software Defined Access Campus Fabric + Wireless Integration + Automation & Orchestration Campus Fabric SD-Access B B C Campus Fabric SmartCLI Macros Simple User Inputs Customized Workflows Box-by-Box Management Wireless overlay Programmable APIs REST / NETCONF Automated Workflows Centralized Management Wireless Overlay DNA Center Automated Workflows Design, Provision, Policy Assurance Wireless Integration 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 45

46 What is unique about SDA Fabric? Key components Control-Plane based on LISP Data-Plane based on VXLAN Policy-Plane with Cisco TrustSec (CTS) Key Differences L2 + L3 Overlay -vs- L2 or L3 Only Host Mobility with Anycast Gateway Adds VRF + SGT into Data-Plane Virtual Tunnel Endpoints (No Static) No Topology Limitations (Basic IP) Cisco Hardware and Software innovations UADP and QFP allow for Flexibility Key to Supporting the Evolution to Network Fabrics 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 46

47 SD-Access Fabric Architecture Roles and Terminology Group Repository Fabric Border Intermediate Nodes (Underlay) ISE / AD B B C DNA Controller Fabric Mode WLC Control-Plane Nodes DNA Controller Enterprise SDN Controller provides GUI management abstraction via multiple Service Apps, which share information Group Repository External ID Services (e.g.. ISE) is leveraged for dynamic User or Device to Group mapping and policy definition Control-Plane (CP) Node Map System that manages Endpoint ID to Location relationships. Also known as Host Tracking DB (HTDB) Border Nodes A Fabric device (e.g.. Core) that connects External L3 network(s) to the SDA Fabric Edge Nodes A Fabric device (e.g.. Access or Distribution) that connects wired endpoints to the SDA Fabric Fabric Edge Nodes SD-Access Fabric Fabric Mode APs Fabric Wireless Controller Wireless Controller (WLC) fabric-enabled, participate in LISP control plane Fabric Mode APs Access Points that are fabric-enabled. Wireless traffic is VXLAN encapsulated at AP 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 47

48 SD-Access Wireless Architecture Simplifying the Control Plane CAPWAP Control plane LISP Control plane ISE / AD B DNAC B Policy Abstraction and Configuration Automation WLC Fabric enabled WLC: WLC is part of LISP control plane Automation DNAC simplifies the Fabric deployment, Including the wireless integration component Centralized Wireless Control Plane WLC still provides client session management AP Mgmt, Mobility, RRM, etc. Same operational advantages of CUWN SD-Access Fabric C LISP control plane Management WLC integrates with LISP control plane WLC updates the CP for wireless clients Mobility is integrated in Fabric thanks to LISP CP 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 48

49 SD-Access Wireless Architecture Optimizing the Data Plane DNAC CAPWAP Control plane ISE / AD Policy Abstraction and Configuration Automation LISP Control plane VXLAN Data plane B B WLC Fabric enabled WLC: WLC is part of LISP control plane SD-Access Fabric C VXLAN (Data Plane) Fabric enabled AP: AP encapsulates Fabric SSID traffic in VXLAN Optimized Distributed Data Plane Fabric overlay with Anycast GW + Stretched subnet VLAN extension with no complications All roaming are Layer 2 VXLAN from the AP Carrying hierarchical policy segmentation starting from the edge of the network 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 49

50 SD-Access Platform Support Switching Routing Wireless Subtended Nodes Catalyst 9400 ASR-1000-X AIR-CT5520 Catalyst 9500 Catalyst 9300 ASR-1000-HX AIR-CT8540 CDB ISR 4430 AIR-CT3504 Catalyst 4500E Catalyst 6K Nexus 7700 ISR 4450 Wave 2 Aps (1800, 2800,3800) 2960-CX 3560-CX Catalyst 3850 and 3650 CSRv Wave 1 Aps (1700, 2700,3700)* 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 50

51 Cisco IT Analysis - Software Defined Access Gains with SDA... Agile use of virtual networks Easy segmentation & enforcement Decouple identity from location IPv4 subnet consolidation Cisco confidence in its technology and Ops experience Fabric wide RBAC/DUP Improved segment lifecycle Losses with SDA IPv6 (maybe able to use AnyConnect) Non-optimal multicast path Centralized architecture exposure to large fault domain Increased support skillset required Migrate to Cisco ONE SW licensing, new CAPEX/OPEX model 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 51

52 SDA High Level Architecture DC DCDC Campus Campus Campus Remote Offices Fabrics will allow us to divide into easily managed virtual networks For each virtual network, logical security groups can be formed that abstracts the underlying network address used DC DC DC Core Core Core DC DCDC Campus Campus Remote Offices Remote Offices Campus Campus 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 52

53 Per-ISP Fabric Design CAPNET and DC Internet Fusion Routers GB-GW s ISP-GW s Internal Border Nodes External Border Nodes Control Nodes Campus Edge Nodes Remote Office Edge Nodes 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 53

54 Campus Single Host Pool Campus Core Building Cluster1 Fabric1 Summary Route: 10.1.x.0/20 Desktop Cluster Gateway + Control Node + Border Node Desktop Cluster Gateway + Control Node + Border Node Fusion Router - DHCP Summary Route: 10.2.x.0/20 Building Cluster2 Fabric2 Desktop Gateway Intermediate Node Building1 Desktop Gateway Intermediate Node Building2 Desktop Gateway Intermediate Node P2P: 10.1.x.0/30 P2P: 10.1.x.0/30 Edge Node LAN-SW1 Loopback Edge Node LAN-SW2 Loopback Edge Node LAN-SW Edge Node LAN-SW Edge Node LAN-SW Edge Node LAN-SW 10.1.x.1/ x.2/32 Cisco Prod VN1:Host Cluster Pool 10.1.x.0/20 VN1:Host Cluster Pool 10.2.x.0/ Cisco and/or its affiliates. All rights reserved. Cisco Public 54

55 Global SDA fabrics and TrustSec SGT-IP Reflector Fabric and TrustSec work together to provide a scalable way to segment the network SGT:1 SGT Rules: Permit SGT1 to SGT1 Deny SGT1 to SGT2 SGT Rules: Permit SGT1 to SGT1 Deny SGT1 to SGT2 SGT:1 SGT:2 Core SGT:2 SGT:3 Fabric1: /16 Fabric2: /16 SGT:3 ISE: Policy Endpoint to SGT mapping 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 55

56 Cisco IT Analysis - SDA Gap Summary IPv6 support essential March release of SDA will support IPv6 Wireless support 5508/WiSM2 no fabric support (OTT only) and 3700 Series APs are fabric aware Non-fabric switch support Ability to support non-fabric switches (e.g. IE switches for parking lots etc.) March release required TrustSec IPv6 ACL support 4510/C9K Major benefit of consolidating and segmenting network cannot be realized without IPv6 ACL support in TrustSec in 4510 or C9K DNA Center 10 fabric limit Need fabrics Fabric 100 msec limit Needs to be increased to msec to support remote offices 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 56

57 Greenfield Approach Parallel build of SDA using latest HW Traditional SDA Greenfield deployment Network Automation, Security, Management, Analytics Stack (3xUCS 460) Fabric New Uplinks Existing uplinks WAN2 WAN1 APIC-EM Prime Infra? ISE2.3 ND P Segment FW?? WLC WLC WLC WLC Border Router (9500) + WLC (5520) Floor 1 SSID: Blizzard Wired only for users on floor 2 who do not want to partake in Beta testing Migrate Users over time Floor 2 SSID: Blizzard-Beta Edge Router (9300) AP s connect into fabric Expand Fabric over time 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 57

58 Brownfield Approach Use existing HW creating a fabric foundation Traditional Hardware WLC: 5508/WISM2 Core switch: 4500/SUP8E Distribution switch: 6500/2T WAN2 WAN1 Network Automation, Security, Management, Analytics Stack (3xUCS 460) APIC-EM Prime Infra? ISE2.3 NDP Fabric New Uplinks Existing uplinks BG (45xx) WLC WLC EG (3850) (4510) (9300) Floor 1 SSID: Blizzard AP s initially tunneled over fabric then eventually onto fabric Test group 6 week testing Test group 6 week testing Test group 6 week testing 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 58

59 SDA Highlights DNA Center lab environment and 3 regional production pairs upgraded to Providing training for network engineers on DNA Center and SDA configuration Cisco IT drivers for SDA deployment are centralized automation and orchestration and simplified deployment of hardware (PnP) Global ISE and StealthWatch infrastructure upgrades in progress for SDA/ETA Targeting DNA 1.2 release in March timeframe for IPv6 and PnP support 5508/WiSM2 no fabric support (OTT only) and 3700 Series APs are fabric aware 3 Production Pilot sites identified for greenfield deployment of SDA 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 59

60 This is a journey! 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

61 Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space cs.co/ciscolivebot# 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

62 Please complete your Online Session Evaluations after each session Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt All surveys can be completed via the Cisco Live Mobile App or the Communication Stations Complete Your Online Session Evaluation Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at Cisco and/or its affiliates. All rights reserved. Cisco Public

63 Come talk to our Cisco IT Experts! Cisco on Cisco will have 5 demo booths placed around the Cisco Campus showcasing how Cisco IT designs, deploys, and manages our own solutions. Through these IT success stories you ll see how Cisco solutions are driving transformational business benefits. World of Solutions Collaboration AppDynamics ACI & TA NSO vbranch 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 63

64 Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Tech Circle Meet the Engineer 1:1 meetings Related sessions 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 64

65 Thank you

66