SD-Access Wireless: why would you care?

Transcription

1 SD-Access Wireless: why would you care?

2 CUWN Architecture - Centralized Overview Policy Definition Enforcement Point for Wi-Fi clients Client keeps same IP address while roaming WLC Single point of Ingress to wired network Wireless VLANs are centrally defined WLC AAA AD LDAP MDM IPAM DNS NTP SMTP DHCP Anchor WLC Internet Architecture Benefits: Overlay: works on any wired network Simplified Access switch configuration Single point of Ingress for wireless traffic Easy seamless mobility Simplified IP addressing for wireless Centralized Management Easy wireless Guest tunneling solution SW DMZ Policy Definition and Enforcement Point for wired clients Traditional Campus Switch 1 Switch 2 AP1 Traditional switches Customers may NOT like: Limited scalability for East-West traffic Separated policies for wired and wireless Different enforcement point for wired and wireless Lack of visibility between WLC and APs SSID Employee SSID Guest Local mode AP Packet to wired CAPWAP Control & Data EoIP Tunnel 2

3 CUWN Architecture - FlexConnect Overview Data Center Centralized Management for all branches WLC AAA AD LDAP MDM IPAM DNS NTP SMTP DHCP Architecture Benefits: Overlay: works on any wired network Centralized Management / Lean IT Branch cookie cutter configuration Distributed data plane Reduced hardware footprint at the branch Built-in resiliency (WAN survivability for locally switched traffic) SW DMZ Distributed Data plane Traditional switches WAN Internet No Controller at the branch Customers may NOT like: Separated policies for wired and wireless Different enforcement point for wired and wireless No Layer 3 roaming support Limited seamless roaming scope (FlexConnect Group) Additional configuration on the access switch (trunk and allowed VLANs) Flex mode AP CAPWAP Control & Data dot1q trunk Branch 3

4 Converged Access Architecture Overview MC WLC MA Guest Tunnel through the MC WLC AAA AD LDAP MDM IPAM DNS NTP SMTP DHCP Anchor WLC Internet Architecture Benefits Distributed Data Plane: scalability One Policy enforcement point for wired Reduced HW footprint and less devices to manage (branch is the sweet spot) One common software Policies enforced at the edge Wireless traffic visibility at the edge SW DMZ Easy wireless Guest tunneling solution Switch is the Policy Enforcement for wired and wireless SSID Employee CA Network Switch 1 Switch 2 Packet to wired For roaming, traffic is anchored back to the original switch SSID Guest MA Switch with Mobility Agent Local mode AP CAPWAP Control & Data MA to MA tunnels EoIP tunnel Customers may NOT like: Distributed Management plane Multiple wireless touch points Wired and wireless software dependencies Anchoring solutions for seamless mobility Support for Local mode AP only Lack of feature parity with CUWN 4

5 What is the Problem? Policy Model Today Network Policy Enterprise Network QoS Security Redirect/copy Traffic engineering etc. SRC DST PAYLOAD DATA DSCP PROT IP SRC IP DST PORT PORT Policy is based on 5 Tuple Only Transitive information Survives end to end 5

6 What is the Problem? Policy Model Today Network Policy access-list 102 deny udp gt eq 2165 access-list 102 deny udp lt gt 428 access-list 102 permit ip eq gt 1511 access-list 102 deny tcp gt gt 1945 access-list 102 permit icmp lt eq 116 access-list 102 deny udp eq eq 959 access-list 102 deny tcp eq lt 4993 access-list 102 deny tcp eq lt 848 access-list 102 deny ip eq gt 4878 access-list 102 permit icmp lt eq 1216 access-list 102 deny icmp gt gt 1111 access-list 102 deny ip eq eq 4175 access-list 102 permit tcp lt gt 1462 Enterprise Network access-list 102 permit tcp gt lt 4384 SRC DST PAYLOAD DATA DSCP PROT IP SRC IP DST PORT PORT IP ADDRESSES Locate you Identify you Drive treatment Constrain you IP Address meaning OVERLOAD VLAN 20 VLAN 30 SSID D SSID C User/device info? SSID A VLAN 10 VLAN 40 SSID B 6

7 What is the Problem? User Group policy rollout - Today 1. Define Groups in AD Production Servers Developer Servers Multiple Steps and Touch Points LAN Core L3 Switch Trunk WLAN 4. Implement Policy What Trunks if You Need to Add Another Define Group ACLs & Policy? Apply ACLs L2 Switch One SSID AAA DHCP AD 2. Define Policies VLAN/subnet based 3. Implement VLANs/Subnets Create VLANs Define DHCP scope Create subnets and L3 interfaces Routing for new subnets Map SSID to Interface/VLAN 5. Many different User Interfaces. AAA WLC Devices CLI BYOD Employee Contractor 7

8 What is the Problem? User Group policy rollout - Today Production Servers Developer Servers LAN Core AAA DHCP AD Customer requirements Three user Groups One single SSID Differentiated policies per Group Guest segmentation (wired and wireless) L3 Switch Trunks Trunk WLC Customer Policy Customer Policy requirements: Employee Production Serv. Developer Serv. L2 Switch BYOD Network Touch Points Contractor One SSID BYOD Employee Contractor 8

9 SD-Access Wireless Architecture BRKE

10 SD-Access Fabric Architecture Roles and Terminology Group Repository Fabric Border Intermediate Nodes (Underlay) ISE / AD B B C DNA Controller Fabric Mode WLC Control-Plane Nodes DNA Controller Enterprise SDN Controller provides GUI management abstraction via multiple Service Apps, which share information Group Repository External ID Services (e.g.. ISE) is leveraged for dynamic User or Device to Group mapping and policy definition Control-Plane (CP) Node Map System that manages Endpoint ID to Location relationships. Also known as Host Tracking DB (HTDB) Border Nodes A Fabric device (e.g.. Core) that connects External L3 network(s) to the SDA Fabric Edge Nodes A Fabric device (e.g.. Access or Distribution) that connects wired endpoints to the SDA Fabric Fabric Edge Nodes SD-Access Fabric Fabric Mode APs Fabric Wireless Controller Wireless Controller (WLC) fabric-enabled, participate in LISP control plane Fabric Mode APs Access Points that are fabric-enabled. Wireless traffic is VXLAN encapsulated at AP 1 0

11 SD-Access Wireless Architecture Bringing the best of both architectures by... 1 Simplifying the Control & Management Plane 2 Optimizing the Data Plane 3 Integrating Policy & Segmentation E2E 1 1

12 SD-Access Wireless Architecture Simplifying the Control Plane CAPWAP Cntrl plane LISP Cntrl plane ISE / AD B DNAC B Policy Abstraction and Configuration Automation WLC Fabric enabled WLC: WLC is part of LISP control plane 1 Automation DNAC simplifies the Fabric deployment, Including the wireless integration component Centralized Wireless Control Plane WLC still provides client session management AP Mgmt, Mobility, RRM, etc. Same operational advantages of CUWN SD-Access Fabric C LISP control plane Management WLC integrates with LISP control plane WLC updates the CP for wireless clients Mobility is integrated in Fabric thanks to LISP CP 1 2

13 SD-Access Wireless Architecture Optimizing the Data Plane CAPWAP Cntrl plane LISP Cntrl plane VXLAN Data plane ISE / AD B DNAC B SD-Access Fabric Policy Abstraction and Configuration Automation C VXLAN (Data Plane) WLC Fabric enabled WLC: WLC is part of LISP control plane Fabric enabled AP: AP encapsulates Fabric SSID traffic in VXLAN 2 Automation DNAC simplifies the Fabric deployment, Including the wireless integration component Centralized Wireless Control Plane WLC still provides client session management AP Mgmt, Mobility, RRM, etc. Same operational advantages of CUWN LISP control plane Management WLC integrates with LISP control plane WLC updates the CP for wireless clients Mobility is integrated in Fabric thanks to LISP CP Optimized Distributed Data Plane Fabric overlay with Anycast GW + Stretched subnet VLAN extension with no complications All roaming are Layer 2 VXLAN from the AP Carrying hierarchical policy segmentation starting from the edge of the network 1 3

14 SD-Access Wireless Architecture Optimizing the Data Plane: Stretched subnets A Closer Look 2 Fabric Mode AP integrates with the VXLAN Data Plane Wireless Data Plane is distributed across APs Fabric mode AP is a local mode AP and needs to be directly connected to FE CAPWAP control plane goes to the WLC using Fabric Fabric is enabled per SSID: For Fabric enabled SSID, AP converts traffic to and encapsulates it into VXLAN encoding VNI and SGT info of the client Forwards client traffic based on forwarding table as programmed by the WLC. Usually VXLAN DST is first hop switch. AP applies all wireless specific feature like SSID policies, AVC, QoS, etc. VXLAN (Data) CAPWAP Control plane 1 4

15 SD-Access Wireless Architecture Simplifying policy and Segmentation 3 VXLAN (Data) FE A C B SD Fabric FE B IP payload IP AP removes the header EID IP payload IP VXLAN UDP underlay IP 2 AP adds the 802.3/VXLAN/underlay IP header 1 5

16 SD-Access Wireless Architecture Simplifying policy and Segmentation 3 VXLAN (Data) FE A C B SD Fabric FE B R Client SGT Client VRF R EID IP payload IP VXLAN UDP underlay IP Hierarchical Segmentation: 1. Virtual Network (VN) == VRF - isolated Control Plane + Data Plane 2. Scalable Group Tag (SGT) User Group identifier 2 APs embed the Policy information in the VXLAN header and forwards it 1 6

17 SD-Access Wireless Architecture Simplifying policy and Segmentation 3 VXLAN (Data) FE A C B SD Fabric FE B Client is placed in the right VRF EID IP payload IP VXLAN UDP underlay IP 3 FE removes the outer IP header, looks at the L2 VNID and maps it to the VLAN and L2 LISP instance. Then encapsulates to the destination FE 1 7

18 SD-Access Wireless Architecture Simplifying policy and Segmentation 3 VXLAN (Data) FE A C B SD Fabric FE B SGT policy is applied Client Policy is carried end to end in the overlay EID IP payload IP VXLAN UDP underlay IP 4 FE removes the outer IP header, looks at the L2 VNID maps it to the VLAN. Also looks at the SGT and apply the policy before forwarding the packet 1 8

19 SD-Access Wireless Benefits User Group policy rollout Production Servers Developer Servers DNA Center LAN core AAA DHCP AD 1. Define Groups in AD 2. Design and Deploy in DNA-C Create Virtual Network for Corporate Define Policies Role/Group based Apply Policies SGT based Corporate VN L3 Switch L3 Switch VN ID Contractor BYOD Employee SGT VXN HDR Trunk Fabric SRC Fabric DST WLC Employee SGT 100 BYOD SGT 200 Production Serv. SGT 10 Developer Serv. SGT 20 Touch Point Original packet One SSID BYOD Employee Contractor Contractor SGT Upon user authentication, Policy is automatically applied and carried end to end 1 9

20 SD-Access Wireless Benefits User Group policy rollout Production Servers Developer Servers IoT/HVAC Virtual Network L3 Switch Guest Virtual Network Corporate VN L3 Switch DNA Center LAN core Trunk AAA DHCP AD WLC 1. Define Groups in AD 2. Design and Deploy in DNA-C Create Virtual Network for Corporate Define Policies Role/Group based Apply Policies SGT based Employee SGT 100 BYOD SGT 200 Production Serv. SGT 10 One Touch Point Developer Serv. SGT 20 Touch Point One SSID BYOD Employee Contractor Contractor SGT Upon user authentication, Policy is automatically applied and carried end to end 2 0

21 DEMO

22 SDA Wireless Automation Install of new AP

23 SDA Wireless Site and Profiles

24 SDA Guest Creation of a Guest Network

25 What products make this Architecture? BRKE

26 SD-Access Fabric Wireless Platform Support 3504 WLC NEW 5520 WLC 8540 WLC Wave 2 APs *with Caveats Wave 1 APs AIR-CT3504 1G/mGig AireOS 8.5+ AIR-CT5520 No G/10G SFP+ AireOS 8.5+ AIR-CT supported 1G/10G SFP+ AireOS /2800/ ac Wave2 APs 1G/MGIG RJ45 AireOS /2700/ ac Wave1 APs* 1G RJ45 AireOS

27 SD-Access Wireless Design Considerations

28 Wireless Integration in SDA Fabric CUWN wireless Over The Top (OTT) SD-Access Wireless ISE / AD APIC-EM ISE / AD APIC-EM CAPWAP Cntrl & Data B B SD-Access Fabric C Non-Fabric WLC VS. CAPWAP Cntrl plane VXLAN Data plane B B SD-Access Fabric C Fabric enabled WLC Non-Fabric APs Fabric enabled APs CAPWAP for Control Plane and Data Plane SDA Fabric is just a transport Supported on any WLC/AP software and hardware Migration step to full SDA CAPWAP Control Plane, VXLAN Data plane WLC/APs integrated in Fabric, SD-Access advantages Requires software upgrade (8.5+) Optimized for ac Wave 2 APs

29 CUWN Over the Top (OTT) Definition: Wireless OTT: this CAPWAP wireless overlay to Fabric: traditional CAPWAP deployment connected to Fabric overlay. Fabric is a transport for CAPWAP Why wireless OTT? Migration step: customers wants/need to first migrate wired (different Ops teams managing wired and wireless, get familiar with Fabric, different buying cycles, etc.) Longer term solution: customer doesn t want/cannot migrate to Fabric (new software, no n, wireless too critical to make changes) CAPWAP tunnel SD-Access Fabric Non Fabric AP Non Fabric WLC

30 Key Takeaways BRKE

31 SDA for Mobility Innovate Faster with Fabric-Enabled Wireless DNA Center Software Defined Wireless Centralized management across wired-wireless Consistent Policy for Wired/Wireless Secure Policy based Automation Optimized distributed traffic flows for future scalability Simplified enablement of Wi-Fi Services Seamless L2 roam across Campus Policy stays with user Simplified Provisioning Optimized data plane with Campus-Wide Roaming Easy end to end Virtualization and Segmentation Wired and Wireless Policy Consistency BRKE 3 1

32 Thank you