Tech Update, October. Rene Andersen / Ib Hansen


Tech Update, 10/12 October 2017. Rene Andersen / Ib Hansen

DNA solution: Cisco Enterprise Portfolio

DNA Center provides simple workflows: Design, Provision, Policy, Assurance.
Components: Identity Services Engine, DNA Center, APIC-EM, Network Data Platform.
Managed infrastructure: routers, switches, wireless controllers, wireless APs.

Key Concepts: What is Software Defined Access?

What is SD-Access? Campus Fabric + DNA Center (Automation & Assurance)

SD-Access (available August 2017): DNA Center (APIC-EM 1.x/2.0, ISE and NDP) on top of the Campus Fabric.
- The GUI approach provides automation and assurance of all fabric configuration, management and group-based policy.
- Leverages DNA Center to integrate external service apps and to orchestrate your entire LAN, wireless LAN and WAN access network.

Campus Fabric (shipping now): the CLI or API form of the new overlay fabric solution for enterprise campus access networks.
- The CLI approach provides backwards compatibility and customization, box by box.
- The API approach provides automation via NETCONF/YANG.
- APIC-EM, ISE and NDP remain separate products.

What is Software Defined Access? Roles & Terminology: 1. High-Level View, 2. Roles & Platforms, 3. Fabric Constructs

What is SD-Access? Fabric roles and terminology

- DNA Controller: the enterprise SDN controller (e.g. DNA Center) provides GUI management and abstraction via apps that share context.
- Identity Services: external ID system(s) (e.g. ISE) are leveraged for dynamic endpoint-to-group mapping and policy definition.
- Analytics Engine: external data collector(s) (e.g. NDP) are leveraged to analyze endpoint-to-app flows and monitor fabric status.
- Control-Plane Nodes: the map system that manages endpoint-to-device relationships.
- Fabric Border Nodes: a fabric device (e.g. core) that connects external L3 network(s) to the SDA fabric.
- Fabric Edge Nodes: a fabric device (e.g. access or distribution) that connects wired endpoints to the SDA fabric.
- Fabric Wireless Controller: a fabric device (WLC) that connects wireless endpoints to the SDA fabric.
- Intermediate Nodes: underlay devices between Edge and Border Nodes.


SD-Access Fabric: Control-Plane Nodes, a closer look

The Control-Plane Node runs a Host Tracking Database to map location information.
- A simple host database that maps Endpoint IDs to a current location, along with other attributes.
- The host database supports multiple Endpoint ID lookup types (IPv4, IPv6 or MAC).
- Receives Endpoint ID map registrations from Edge and/or Border Nodes for known IP prefixes.
- Resolves lookup requests from Edge and/or Border Nodes to locate destination Endpoint IDs.

SD-Access Control-Plane platform support

Platform              Models / hardware                              Software
Catalyst 3K           Catalyst 3850, 1/10G SFP, 10/40G NM cards      IOS-XE 16.6.1+
Catalyst 9500 (new)   10/40G SFP/QSFP, 10/40G NM cards               IOS-XE 16.6.1+
Catalyst 6K           Catalyst 6800 Sup2T/6T, 6880-X or 6840-X       IOS 15.5.1SY+
ASR1K, ISR4K & CSRv   ASR 1000-X/HX, ISR 4430/4450, CSRv             IOS-XE 16.6.1+

SD-Access Fabric: Edge Nodes, a closer look

The Edge Node provides first-hop services for users and devices connected to the fabric.
- Responsible for identifying and authenticating endpoints (e.g. static, 802.1X, Active Directory).
- Registers the specific Endpoint ID information (e.g. /32 or /128) with the Control-Plane Node(s).
- Provides an Anycast L3 gateway for connected endpoints (the same IP address on all Edge Nodes).
- Performs encapsulation/de-encapsulation of data traffic to and from all connected endpoints.

SD-Access Edge Node platform support

Platform              Models / hardware                                     Software
Catalyst 3K           Catalyst 3650/3850, 1/MGIG RJ45, 10/40G NM cards      IOS-XE 16.6.1+
Catalyst 9300 (new)   1/MGIG RJ45, 10/40/mG NM cards                        IOS-XE 16.6.1+
Catalyst 4K           Catalyst 4500 Sup8E/9E (uplinks), 4700 cards (down)   IOS-XE 3.10.1+
Catalyst 9400         Catalyst 9400 Sup1E, 9400 cards                       IOS-XE 16.6.1+

SD-Access Fabric: Border Nodes, a closer look

The Border Node is the entry/exit point for all data traffic going in or out of the fabric. There are two types of Border Node:
- Fabric Border: used for known routes inside your company.
- Default Border: used for unknown routes outside your company.

Fabric Border: advertises endpoints to the outside and known subnets to the inside.
- Connects to any known IP subnets attached to the outside network (e.g. DC, WLC, FW, etc.).
- Exports all internal IP pools to the outside (as aggregates), using traditional IP routing protocol(s).
- Imports and registers (known) IP subnets from the outside into the Control-Plane map system.
- The hand-off requires mapping the context (VRF & SGT) from one domain to the other.

Default Border: a gateway of last resort for unknown destinations.
- Connects to any unknown IP subnets (e.g. the Internet).
- Exports all internal IP pools to the outside (as aggregates) into traditional IP routing protocol(s).
- Does NOT import unknown routes; it is the default exit if no other entry is available in the Control-Plane.
- The hand-off requires mapping the context (VRF & SGT) from one domain to the other.

SD-Access Border Node platform support

Platform              Models / hardware                                  Software
Catalyst 3K           Catalyst 3850, 1/10G SFP+, 10/40G NM cards         IOS-XE 16.6.1+
Catalyst 9500 (new)   40G QSFP, 10/40G NM cards                          IOS-XE 16.6.1+
Catalyst 6K           Catalyst 6800 Sup2T/6T, 6880-X or 6840-X           IOS 15.5.1SY+
ASR1K & ISR4K         ASR 1000-X/HX, ISR 4430/4450, 1/10G/40G            IOS-XE 16.6.1+
Nexus 7K              Nexus 7700 Sup2E, M3 cards                         NX-OS 7.3.2+


SD-Access Fabric: Virtual Networks, a closer look

A Virtual Network maintains a separate routing and switching instance for each VN.
- The Control-Plane uses an Instance ID to maintain separate VRF topologies (the default VRF is Instance ID 4097).
- Nodes add the VNID to the fabric encapsulation.
- Endpoint ID prefixes (Host Pools) are advertised within one (or more) Virtual Networks.
- Uses standard vrf definition configuration, along with RD & RT for remote advertisement (Border Node).

SD-Access Fabric: Scalable Groups, a closer look

A Scalable Group is a logical ID object to group users and/or devices.
- CTS uses Scalable Groups to identify Host Pools and assign each a unique Scalable Group Tag (SGT).
- Nodes add the SGT to the fabric encapsulation.
- CTS SGTs are used to manage address-independent group-based policies.
- Edge or Border Nodes use the SGT to enforce local Scalable Group ACLs (SGACLs).

SD-Access Fabric: Host Pools, a closer look

A Host Pool provides the basic IP functions necessary for attached endpoints.
- Edge Nodes use a Switch Virtual Interface (SVI) with IP address/mask, etc. per Host Pool.
- The fabric uses Dynamic EID mapping to advertise each Host Pool (per Instance ID).
- Fabric Dynamic EID allows host-specific (/32, /128, MAC) advertisement and mobility.
- Host Pools can be assigned dynamically (via host authentication) and/or statically (per port).

Campus Fabric: Anycast Gateway, a closer look

The Anycast GW provides a single L3 default gateway for IP-capable endpoints.
- Similar principles and behaviour as HSRP/VRRP, with a shared virtual IP and MAC address.
- The same Switch Virtual Interface (SVI) is present on EVERY Edge Node, with the same virtual IP and MAC.
- The Control-Plane with Fabric Dynamic EID mapping creates a host (endpoint) to Edge relationship.
- If (when) a host moves from Edge 1 to Edge 2, it does not need to change its IP default gateway.
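The slides on the Control-Plane Node, the two Border Node types, Virtual Network instance IDs and host mobility describe one data structure: a map system that stores where each Endpoint ID currently lives, keyed per VN, and answers lookups with a host entry, a known outside prefix, or the default border. The following is an added example written for this page, not Cisco code and not a LISP implementation; the RLOC and EID addresses are made up (RFC 5737 / RFC 1918 ranges), and the `register` return value used to signal a host move is an assumption standing in for the LISP map-notify/solicit-map-request behaviour.

```python
"""Minimal model of the SD-Access Host Tracking Database (the control-plane node's map system).
Constructed example, not Cisco code. Addresses below are made up."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DEFAULT_INSTANCE_ID = 4097   # default VRF instance ID quoted on the slide


@dataclass(frozen=True)
class Location:
    rloc: str      # underlay IP of the edge/border node that registered the endpoint
    sgt: int = 0   # group tag registered with the endpoint


def normalize_eid(eid: str) -> str:
    """Endpoint IDs may be IPv4, IPv6 or MAC; return one canonical string for the database key."""
    try:
        return str(ipaddress.ip_address(eid))
    except ValueError:
        pass
    mac = eid.lower().replace("-", ":").replace(".", "")
    if ":" not in mac and len(mac) == 12:            # 001122334455 -> 00:11:22:33:44:55
        mac = ":".join(mac[i:i + 2] for i in range(0, 12, 2))
    parts = mac.split(":")
    if len(parts) != 6 or any(len(p) != 2 or any(c not in "0123456789abcdef" for c in p) for p in parts):
        raise ValueError(f"not an IPv4, IPv6 or MAC endpoint ID: {eid!r}")
    return mac


class HostTrackingDB:
    def __init__(self, default_border_rloc: Optional[str] = None):
        self._hosts: Dict[Tuple[int, str], Location] = {}   # (instance ID, EID) -> location
        self._prefixes: Dict[int, dict] = {}                  # instance ID -> {known outside prefix: border RLOC}
        self.default_border = default_border_rloc             # gateway of last resort (default border)

    def register(self, instance_id: int, eid: str, rloc: str, sgt: int = 0) -> Optional[str]:
        """Map-Register from an edge node. Returns the previous RLOC when the host moved, so the
        caller can tell the old edge (and any edge caching the mapping) to refresh. Assumed behaviour."""
        key = (instance_id, normalize_eid(eid))
        previous = self._hosts.get(key)
        self._hosts[key] = Location(rloc, sgt)
        return previous.rloc if previous is not None and previous.rloc != rloc else None

    def deregister(self, instance_id: int, eid: str) -> None:
        self._hosts.pop((instance_id, normalize_eid(eid)), None)

    def register_prefix(self, instance_id: int, prefix: str, border_rloc: str) -> None:
        """A fabric border imports a known outside subnet into the map system for one VN."""
        self._prefixes.setdefault(instance_id, {})[ipaddress.ip_network(prefix, strict=True)] = border_rloc

    def resolve(self, instance_id: int, eid: str) -> Tuple[Optional[str], str]:
        """Map-Request: host entry first, then the longest matching known prefix, then the default border.
        The instance ID is part of every lookup, so the same address in two VNs never collides."""
        key = normalize_eid(eid)
        host = self._hosts.get((instance_id, key))
        if host is not None:
            return host.rloc, "host"
        try:
            addr = ipaddress.ip_address(key)
        except ValueError:
            addr = None                                   # MAC lookups have no prefix fallback
        if addr is not None:
            best = None
            for net, rloc in self._prefixes.get(instance_id, {}).items():
                if net.version == addr.version and addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                    best = (net, rloc)
            if best is not None:
                return best[1], "prefix"
        if self.default_border is not None:
            return self.default_border, "default"
        return None, "unknown"

    def endpoints_behind(self, rloc: str) -> int:
        """Host entries pointing at one edge (what must re-register after that edge reloads)."""
        return sum(1 for loc in self._hosts.values() if loc.rloc == rloc)


if __name__ == "__main__":
    db = HostTrackingDB(default_border_rloc="192.0.2.20")
    db.register(DEFAULT_INSTANCE_ID, "10.1.1.5", "192.0.2.1", sgt=100)            # host behind edge 1
    print(db.resolve(DEFAULT_INSTANCE_ID, "10.1.1.5"))
    print("moved from", db.register(DEFAULT_INSTANCE_ID, "10.1.1.5", "192.0.2.3", sgt=100))  # roam to edge 3
    print(db.resolve(DEFAULT_INSTANCE_ID, "203.0.113.9"))                           # unknown: default border
```

The point to check in a real deployment is the same one the model makes explicit: a destination that is neither a registered host nor an imported prefix in the requesting VN silently goes to the default border, so an unregistered endpoint or a missing prefix import shows up as traffic leaving through the Internet exit rather than as a drop.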

Fabric Fundamentals: What is Campus Fabric? 1. Fabric Basics, 2. Control-Plane, 3. Data-Plane, 4. Policy-Plane

SD-Access: What exactly is a fabric?

A fabric is an overlay. An overlay network is a logical topology used to virtually connect devices, built on top of some arbitrary physical underlay topology. An overlay network often uses alternate forwarding attributes to provide additional services not provided by the underlay.

Examples of network overlays: GRE or mGRE, LISP, MPLS or VPLS, OTV, IPsec or DMVPN, DFA, CAPWAP, ACI.

SD-Access Fabric terminology (diagram): the Overlay Network (overlay control plane; encapsulation between Edge Devices; hosts/end-points attached to the Edge Devices) runs on top of the Underlay Network (underlay control plane).

SD-Access Fabric Underlay: manual vs. automated

Manual underlay: you can reuse your existing IP network as the fabric underlay.
- Key requirements: IP reachability from Edge to Edge/Border/CP; can be L2 or L3 (L3 recommended); can be any IGP (IS-IS recommended).
- Key considerations: MTU (the fabric header adds 50 bytes); latency (RTT of 100 ms or less).

Automated underlay: prescriptive, fully automated global and IP underlay provisioning.
- Key requirements: leverages standard PnP for bootstrap; assumes a new/erased configuration; uses a global underlay address pool.
- Key considerations: PnP pre-setup is required; 100% prescriptive (no customization).


SD-Access Campus Fabric: key components
1. Control-Plane based on LISP
2. Data-Plane based on VXLAN
3. Policy-Plane based on CTS

Key differences:
- L2 + L3 overlay, vs. L2 or L3 only
- Host mobility with Anycast Gateway
- Adds VRF + SGT into the Data-Plane
- Virtual Tunnel Endpoints (automatic)
- No topology limitations (basic IP)

SD-Access Fabric key components: LISP (Control-Plane)

Host mobility:
- Routing protocols = big tables and more CPU, with a local L3 gateway.
- LISP DB + cache = small tables and less CPU, with an Anycast L3 gateway.

Before: IP address = location + identity. Every node carries topology routes plus endpoint routes in its routing table (figure: the same prefix/next-hop table replicated on every node).

After: separate identity from location. Endpoint routes are consolidated into the LISP mapping database (prefix -> RLOC); each node keeps only its local routes and the topology routes, and resolves remote endpoint routes on demand from the mapping database (figure: small per-node tables plus one central mapping database).


SD-Access Fabric key components: VXLAN (Data-Plane)

Original packet:  ETHERNET | IP | PAYLOAD
Packet in LISP:   ETHERNET | IP | UDP | LISP | IP | PAYLOAD (supports L3 overlay only)
Packet in VXLAN:  ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD (supports L2 & L3 overlay)

VXLAN-GPO header: MAC-in-IP with VN ID and Group ID

Underlay (outer) headers:

Outer MAC header, 14 bytes (+4 bytes optional 802.1Q tag):
  Dest. MAC (48 bits): next-hop MAC address
  Source MAC (48 bits): source VTEP MAC address
  VLAN type 0x8100 (16), VLAN ID (16): optional
  Ether type 0x0800 (16)

Outer IP header, 20 bytes:
  Misc. data (72 bits)
  Protocol 0x11 = UDP (8)
  Header checksum (16)
  Source IP (32): source RLOC IP address
  Dest. IP (32): destination RLOC IP address

UDP header, 8 bytes:
  Source port (16): hash of the inner L2/L3/L4 headers of the original frame; enables entropy for ECMP load balancing
  Dest port (16): UDP 4789
  UDP length (16)
  Checksum 0x0000 (16)

VXLAN header, 8 bytes:
  VXLAN flags RRRRIRRR (8); in the group-policy variant the first bit is the G flag (group ID present) and the I bit marks the VN ID as valid
  Second flag/reserved byte (8)
  Segment ID / Group Policy ID (16): allows 64K possible SGTs
  VN ID (24): allows 16M possible VRFs
  Reserved (8)

Overlay (inner):
  Inner (original) MAC header
  Inner (original) IP header
  Original payload
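To make the header layout above concrete, here is an added example (written for this page, not Cisco code) that builds and parses the 8-byte VXLAN-GPO header, wraps a frame in the UDP/VXLAN part of the encapsulation, and derives the "50 bytes" MTU figure from the header sizes the slide lists. The field layout follows RFC 7348 and the VXLAN group-policy extension draft (G flag in bit 0, 16-bit Group Policy ID carrying the SGT); the entropy hash over the first 54 inner bytes and the 60-byte sample frame are constructed for the example. Outer MAC and IP headers are left to the underlay stack.

```python
"""VXLAN-GPO header build/parse. Constructed example, not Cisco code."""
import struct
import zlib

VXLAN_UDP_PORT = 4789
FLAG_G = 0x80   # group-based policy extension present: the 16-bit Group Policy ID (SGT) is valid
FLAG_I = 0x08   # VNI field is valid (RFC 7348)

# Encapsulation overhead from the slide: outer MAC (14) + outer IP (20) + UDP (8) + VXLAN (8)
OUTER_MAC_LEN, OUTER_IP_LEN, UDP_HDR_LEN, VXLAN_HDR_LEN = 14, 20, 8, 8


def fabric_overhead_bytes() -> int:
    """Bytes added in front of the original frame (no outer 802.1Q tag): the '50B' MTU consideration."""
    return OUTER_MAC_LEN + OUTER_IP_LEN + UDP_HDR_LEN + VXLAN_HDR_LEN


def encode_vxlan_gpo(vni: int, sgt: int = 0) -> bytes:
    """8-byte header: flags | policy flags | 16-bit Group Policy ID (SGT) | 24-bit VNI | reserved."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits (16M VRFs)")
    if not 0 <= sgt < (1 << 16):
        raise ValueError("SGT must fit in 16 bits (64K groups)")
    flags = FLAG_I | (FLAG_G if sgt else 0)
    # Second byte carries the D/E/S policy-applied bits of the GPO draft; left clear here.
    return struct.pack("!BBHI", flags, 0, sgt, vni << 8)   # low byte of the last word is the reserved byte


def decode_vxlan_gpo(hdr: bytes) -> dict:
    """Parse the header; reject what a VTEP must reject (short header, I flag clear, non-zero reserved)."""
    if len(hdr) < VXLAN_HDR_LEN:
        raise ValueError("short VXLAN header")
    flags, policy_flags, group_id, vni_word = struct.unpack("!BBHI", hdr[:VXLAN_HDR_LEN])
    if not flags & FLAG_I:
        raise ValueError("I flag clear: VNI is not valid")
    if vni_word & 0xFF:
        raise ValueError("reserved byte after the VNI must be zero")
    gbp = bool(flags & FLAG_G)
    # Without the G flag those 16 bits are plain reserved bits: never read them as a group tag.
    return {"vni": vni_word >> 8, "sgt": group_id if gbp else 0, "gbp": gbp,
            "flags": flags, "policy_flags": policy_flags}


def entropy_src_port(inner_frame: bytes) -> int:
    """UDP source port from a hash of the inner L2/L3/L4 headers (first 54 bytes), in the dynamic port range."""
    return 49152 + (zlib.crc32(inner_frame[:54]) & 0x3FFF)


def encap_frame(inner_frame: bytes, vni: int, sgt: int = 0) -> bytes:
    """UDP header + VXLAN-GPO header + original frame (outer MAC/IP headers left to the underlay stack)."""
    length = UDP_HDR_LEN + VXLAN_HDR_LEN + len(inner_frame)
    udp = struct.pack("!HHHH", entropy_src_port(inner_frame), VXLAN_UDP_PORT, length, 0)  # checksum 0x0000
    return udp + encode_vxlan_gpo(vni, sgt) + inner_frame


def decap_frame(buf: bytes):
    """Reverse of encap_frame; returns (metadata dict, original frame)."""
    if len(buf) < UDP_HDR_LEN + VXLAN_HDR_LEN:
        raise ValueError("truncated encapsulated frame")
    sport, dport, length, _csum = struct.unpack("!HHHH", buf[:UDP_HDR_LEN])
    if dport != VXLAN_UDP_PORT:
        raise ValueError(f"not VXLAN: UDP dst port {dport}")
    if length != len(buf):
        raise ValueError("UDP length does not match the buffer")
    meta = decode_vxlan_gpo(buf[UDP_HDR_LEN:UDP_HDR_LEN + VXLAN_HDR_LEN])
    meta["udp_sport"] = sport
    return meta, buf[UDP_HDR_LEN + VXLAN_HDR_LEN:]


if __name__ == "__main__":
    inner = bytes(range(60))   # constructed stand-in for an Ethernet/IP/payload frame
    meta, back = decap_frame(encap_frame(inner, vni=4097, sgt=100))
    print(meta, back == inner, fabric_overhead_bytes())
```

Two details matter for anyone decoding fabric traffic: the SGT is only meaningful when the G flag is set, and the outer UDP checksum is zero by convention, so integrity of the group tag rests entirely on the underlay being trusted.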


SD-Access Fabric key components: CTS (Policy-Plane)
1. Control-Plane based on LISP
2. Data-Plane based on VXLAN
3. Policy-Plane based on CTS: VRF (Virtual Routing & Forwarding) + SGT (Scalable Group Tagging), both carried in the VXLAN header: ETHERNET | IP | UDP | VXLAN [VRF + SGT] | ETHERNET | IP | PAYLOAD

Cisco TrustSec: simplified access control with group-based policy

- Classification: static or dynamic SGT assignments (ISE). Endpoints such as Employee, Supplier, Non-Compliant and Voice receive their tag at the campus switch, independent of whether they sit in VLAN A or VLAN B.
- Propagation: the group context is carried through the network (enterprise backbone) using only the SGT.
- Enforcement: group-based policies (ACLs, firewall rules) at the DC switch or firewall in front of shared services and application servers. The DC switch receives policy only for what is connected to it.

Packet flow in the SD-Access fabric: VN & SGT in the VXLAN-GPO encapsulation

Edge Node 1 encapsulates (VXLAN with VN ID and SGT ID) -> IP network -> Edge Node 2 decapsulates.
- Classification: static or dynamic VN and SGT assignments.
- Propagation: the VN and group context is carried across the network.
- Enforcement: group-based policies (ACLs, firewall rules).

Controller Fundamentals: What is DNA Center? 1. DNAC Architecture, 2. DNAC User Interface, 3. DNAC Workflows

SD-Access DNA Center service components

- DNA Center 1.0 (DNA Center appliance): Design, Policy, Provision, Assurance; exposes an API.
- Cisco ISE 2.3 (Identity Services Engine): API; talks AAA/RADIUS and EAPoL towards the fabric.
- Cisco APIC-EM 2.0 (Application Policy Infrastructure Controller, EN module): API; talks NETCONF, SNMP and SSH to the fabric devices.
- Cisco NDP 1.0 (Network Data Platform): API; collects HTTPS, NetFlow and syslog data from the fabric.
- Campus Fabric: Cisco switches, Cisco routers, Cisco wireless.

SD-Access Wireless: why would you care?

CUWN architecture, centralized: overview

Wireless VLANs are centrally defined on the WLC, which is the policy definition and enforcement point for Wi-Fi clients and the single point of ingress to the wired network. The client keeps the same IP address while roaming. Local-mode APs carry CAPWAP control and data to the WLC; guest traffic goes over an EoIP tunnel to an anchor WLC in the DMZ. Supporting services: AAA, AD, LDAP, MDM, IPAM, DNS, NTP, SMTP, DHCP. Traditional switches remain the policy definition and enforcement point for wired clients.

Architecture benefits:
- Overlay: works on any wired network
- Simplified access switch configuration
- Single point of ingress for wireless traffic
- Easy, seamless mobility
- Simplified IP addressing for wireless
- Centralized management
- Easy wireless guest tunnelling solution

Customers may NOT like:
- Limited scalability for east-west traffic
- Separate policies for wired and wireless
- Different enforcement points for wired and wireless
- Lack of visibility between WLC and APs

CUWN architecture, FlexConnect: overview

The WLC sits in the data center and provides centralized management for all branches; there is no controller at the branch. Flex-mode APs send CAPWAP control (and, where needed, data) across the WAN, while locally switched traffic leaves the AP over a dot1q trunk to the branch switch. Supporting services: AAA, AD, LDAP, MDM, IPAM, DNS, NTP, SMTP, DHCP.

Architecture benefits:
- Overlay: works on any wired network
- Centralized management / lean IT
- Branch cookie-cutter configuration
- Distributed data plane
- Reduced hardware footprint at the branch
- Built-in resiliency (WAN survivability for locally switched traffic)

Customers may NOT like:
- Separate policies for wired and wireless
- Different enforcement points for wired and wireless
- No Layer 3 roaming support
- Limited seamless roaming scope (FlexConnect Group)
- Additional configuration on the access switch (trunk and allowed VLANs)

Converged Access architecture: overview

The switch (with the Mobility Agent, MA) is the policy enforcement point for wired and wireless; the WLC acts as Mobility Controller (MC). Local-mode APs send CAPWAP control and data to the MA switch. For roaming, traffic is anchored back to the original switch over MA-to-MA tunnels; guest traffic is tunnelled through the MC WLC to an anchor WLC (EoIP). Supporting services: AAA, AD, LDAP, MDM, IPAM, DNS, NTP, SMTP, DHCP.

Architecture benefits:
- Distributed data plane: scalability
- One policy enforcement point for wired and wireless
- Reduced HW footprint and fewer devices to manage (the branch is the sweet spot)
- One common software
- Policies enforced at the edge
- Wireless traffic visibility at the edge
- Easy wireless guest tunnelling solution

Customers may NOT like:
- Distributed management plane
- Multiple wireless touch points
- Wired and wireless software dependencies
- Anchoring solutions for seamless mobility
- Support for local-mode APs only
- Lack of feature parity with CUWN

What is the problem? Policy model today

Network policy (QoS, security, redirect/copy, traffic engineering, etc.) is applied across the enterprise network on the packet's 5-tuple only: IP SRC, IP DST, protocol, source port, destination port (plus DSCP). The 5-tuple is the only transitive information that survives end to end.

What is the problem? Policy model today

The slide's illustrative 5-tuple ACL:

  access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165
  access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428
  access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511
  access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945
  access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116
  access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959
  access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993
  access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
  access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
  access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
  access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
  access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
  access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
  access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384

The IP address is overloaded with meaning: it locates you, identifies you, drives treatment and constrains you. VLANs (10, 20, 30, 40) and SSIDs (A, B, C, D) carry no user or device information.

What is the problem? User group policy rollout today

Multiple steps and touch points:
1. Define groups in AD.
2. Define policies (VLAN/subnet based).
3. Implement VLANs/subnets: create VLANs, define DHCP scopes, create subnets and L3 interfaces, add routing for the new subnets, map the SSID to an interface/VLAN.
4. Implement policy: define group ACLs and apply them to the trunks. What if you need to add another group?
5. Many different user interfaces: AAA, WLC, device CLI.

Diagram: Production Servers and Developer Servers behind the LAN core; L3 switch, trunks, L2 switch, WLAN with one SSID; AAA, DHCP and AD; user groups BYOD, Employee and Contractor.

What is the problem? User group policy rollout today

Customer requirements:
- Three user groups (Employee, BYOD, Contractor)
- One single SSID
- Differentiated policies per group (towards Production Servers and Developer Servers)
- Guest segmentation (wired and wireless)

Network touch points: L3 switch, L2 switch, trunks, WLC, AAA, DHCP, AD.

SD-Access Wireless Architecture

SD-Access Fabric architecture: roles and terminology

- DNA Controller: the enterprise SDN controller provides GUI management abstraction via multiple service apps, which share information.
- Group Repository: external ID services (e.g. ISE / AD) are leveraged for dynamic user or device to group mapping and policy definition.
- Control-Plane (CP) Node: the map system that manages Endpoint ID to location relationships; also known as the Host Tracking DB (HTDB).
- Border Nodes: a fabric device (e.g. core) that connects external L3 network(s) to the SDA fabric.
- Edge Nodes: a fabric device (e.g. access or distribution) that connects wired endpoints to the SDA fabric.
- Intermediate Nodes: underlay devices between Edge and Border Nodes.
- Fabric Wireless Controller: a fabric-enabled wireless controller (WLC) that participates in the LISP control plane.
- Fabric Mode APs: access points that are fabric-enabled; wireless traffic is VXLAN-encapsulated at the AP.

SD-Access Wireless architecture: bringing the best of both architectures by
1. Simplifying the control and management plane
2. Optimizing the data plane
3. Integrating policy and segmentation end to end

SD-Access Wireless architecture (1): simplifying the control plane

Fabric-enabled WLC: the WLC is part of the LISP control plane. CAPWAP remains the control plane between WLC and APs; LISP is the control plane between the WLC and the Control-Plane Node. ISE / AD provide identity; DNAC provides policy abstraction and configuration automation.
- Automation: DNAC simplifies the fabric deployment, including the wireless integration component.
- Centralized wireless control plane: the WLC still provides client session management, AP management, mobility, RRM, etc. Same operational advantages as CUWN.
- LISP control plane: the WLC integrates with the LISP control plane and updates the CP for wireless clients; mobility is integrated in the fabric thanks to the LISP CP.

SD-Access Wireless architecture (2): optimizing the data plane

Fabric-enabled WLC: the WLC is part of the LISP control plane. Fabric-enabled AP: the AP encapsulates fabric SSID traffic in VXLAN. Planes: CAPWAP control plane, LISP control plane, VXLAN data plane.
- Automation: DNAC simplifies the fabric deployment, including the wireless integration component.
- Centralized wireless control plane: the WLC still provides client session management, AP management, mobility, RRM, etc. Same operational advantages as CUWN.
- LISP control plane: the WLC integrates with the LISP control plane and updates the CP for wireless clients; mobility is integrated in the fabric thanks to the LISP CP.
- Optimized distributed data plane: fabric overlay with Anycast GW and stretched subnets (VLAN extension with no complications); all roams are Layer 2; VXLAN from the AP carries the hierarchical policy segmentation starting from the edge of the network.

SD-Access Wireless architecture (2): optimizing the data plane, stretched subnets, a closer look

The fabric-mode AP integrates with the VXLAN data plane; the wireless data plane is distributed across the APs.
- A fabric-mode AP is a local-mode AP and needs to be directly connected to a Fabric Edge (FE).
- The CAPWAP control plane goes to the WLC over the fabric.
- Fabric is enabled per SSID. For a fabric-enabled SSID, the AP converts 802.11 traffic to 802.3 and encapsulates it into VXLAN, encoding the VNI and SGT of the client.
- The AP forwards client traffic based on the forwarding table programmed by the WLC; usually the VXLAN destination is the first-hop switch.
- The AP applies all wireless-specific features like SSID policies, AVC, QoS, etc.

SD-Access Wireless architecture (3): simplifying policy and segmentation. Packet walk from a wireless client behind FE A to a destination behind FE B:

1. The AP removes the 802.11 header from the client frame (802.11 | IP | payload).
2. The AP adds the 802.3 / VXLAN / UDP / underlay IP headers (underlay IP | UDP | VXLAN | 802.3 | EID IP | payload) and embeds the policy information, the client VRF and the client SGT, in the VXLAN header, then forwards the packet to FE A. Hierarchical segmentation: (1) Virtual Network (VN) == VRF, isolated control plane + data plane; (2) Scalable Group Tag (SGT), the user group identifier.
3. FE A removes the outer IP header, looks at the L2 VNID and maps it to the VLAN and L2 LISP instance (the client is placed in the right VRF), then encapsulates towards the destination FE B.
4. FE B removes the outer IP header, looks at the L2 VNID and maps it to the VLAN; it also looks at the SGT and applies the policy before forwarding the packet. The client policy is carried end to end in the overlay.

SD-Access Wireless Benefits: User Group Policy Rollout
(Diagram: DNA Center, LAN core, AAA/DHCP/AD, WLC and L3 switches in the Corporate VN, Production Servers and Developer Servers; one SSID serving BYOD, Employee and Contractor; the VXLAN header between Fabric SRC and Fabric DST carries the VN ID and SGT around the original packet)
1. Define groups in AD
2. Design and deploy in DNA-C: create a Virtual Network for Corporate; define policies (role/group based); apply policies (SGT based); one touch point
3. Upon user authentication, the policy is automatically applied and carried end to end
SGTs shown: Employee SGT 100, BYOD SGT 200, Contractor SGT 300, Production Servers SGT 10, Developer Servers SGT 20

SD-Access Wireless Benefits: User Group Policy Rollout
(Diagram: as before, now with three Virtual Networks: Corporate VN, Guest Virtual Network and IoT/HVAC Virtual Network, each behind its L3 switch)
1. Define groups in AD
2. Design and deploy in DNA-C: create a Virtual Network for Corporate; define policies (role/group based); apply policies (SGT based); one touch point
3. Upon user authentication, the policy is automatically applied and carried end to end
SGTs shown: Employee SGT 100, BYOD SGT 200, Contractor SGT 300, Production Servers SGT 10, Developer Servers SGT 20; one SSID for BYOD, Employee and Contractor
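The four-step encapsulation walkthrough above and the SGT rollout on the last two slides, as an added worked example that is not part of the original deck: the Fabric AP builds a VXLAN-GPO header carrying the client's VNI and SGT, and the egress Fabric Edge decapsulates it, maps the VNI to its Virtual Network and checks the source/destination SGT pair against a policy matrix before forwarding. The header layout follows the VXLAN Group Policy Option draft (draft-smith-vxlan-group-policy); the VNI-to-VN mapping and the permit matrix are constructed for illustration, with the SGT numbers taken from the slides.

```python
import struct

# VXLAN-GPO header (draft-smith-vxlan-group-policy), 8 bytes:
#   byte 0 flags: G=0x80 (Group Policy ID present), I=0x08 (VNI valid)
#   byte 1 flags: not used in this example
#   bytes 2-3:   Group Policy ID, which SD-Access uses to carry the SGT
#   bytes 4-6:   24-bit VNI; byte 7 reserved
FLAG_G, FLAG_I = 0x80, 0x08

# Constructed mappings: VNI -> Virtual Network (VRF), (src SGT, dst SGT) -> permit.
# SGT values are the ones from the slides; the matrix itself is illustrative.
VNI_TO_VN = {8188: "Corporate", 8189: "Guest"}
EMPLOYEE, BYOD, CONTRACTOR, PROD_SERV, DEV_SERV = 100, 200, 300, 10, 20
POLICY = {
    (EMPLOYEE, PROD_SERV): True, (EMPLOYEE, DEV_SERV): True,
    (CONTRACTOR, DEV_SERV): True,
}  # any pair not listed is denied (default deny)

def ap_encapsulate(vni, sgt, inner_frame):
    """Fabric AP step: prepend a VXLAN-GPO header carrying the client's VNI and SGT."""
    if not 0 <= vni < (1 << 24) or not 0 <= sgt < (1 << 16):
        raise ValueError("VNI must fit in 24 bits and SGT in 16 bits")
    return struct.pack("!BBHI", FLAG_G | FLAG_I, 0, sgt, vni << 8) + inner_frame

def fe_decapsulate(frame):
    """Fabric Edge step: strip the VXLAN header, return (vni, sgt or None, inner_frame)."""
    if len(frame) < 8:
        raise ValueError("truncated VXLAN header")
    flags0, _flags1, gpid, vni_field = struct.unpack("!BBHI", frame[:8])
    if not flags0 & FLAG_I:
        raise ValueError("VNI not valid (I bit clear)")
    sgt = gpid if flags0 & FLAG_G else None   # G clear: no policy tag carried
    return vni_field >> 8, sgt, frame[8:]

def fe_egress_decision(frame, dst_sgt):
    """Egress FE: map the VNI to its VN, then enforce the SGT matrix (default deny)."""
    vni, src_sgt, _inner = fe_decapsulate(frame)
    if VNI_TO_VN.get(vni) is None or src_sgt is None:
        return "deny"    # unknown VN or untagged traffic is never forwarded
    return "permit" if POLICY.get((src_sgt, dst_sgt), False) else "deny"
```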

What products make this Architecture?

SD-Access Fabric Wireless Platform Support
- 3504 WLC (NEW): AIR-CT3504, 1G/mGig, AireOS 8.5+
- 5520 WLC: AIR-CT5520 (no 5508), 1G/10G SFP+, AireOS 8.5+
- 8540 WLC: AIR-CT8540 (8510 supported), 1G/10G SFP+, AireOS 8.5+
- Wave 2 APs: 1800/2800/3800 11ac Wave 2 APs, 1G/mGig RJ45, AireOS 8.5+
- Wave 1 APs (with caveats): 1700/2700/3700 11ac Wave 1 APs, 1G RJ45, AireOS 8.5+

SD-Access Wireless Design Considerations

Wireless Integration in SDA Fabric
(Diagram: both options show ISE/AD and APIC-EM, the SD-Access Fabric with Border (B) and Control plane (C) nodes, and the WLC/APs attached to it)
CUWN wireless Over The Top (OTT):
- Non-Fabric WLC and non-Fabric APs
- CAPWAP for control plane and data plane
- SDA Fabric is just a transport
- Supported on any WLC/AP software and hardware
- Migration step to full SDA
VS.
SD-Access Wireless:
- Fabric-enabled WLC and Fabric-enabled APs
- CAPWAP control plane, VXLAN data plane
- WLC/APs integrated in the Fabric, with the SD-Access advantages
- Requires software upgrade (8.5+)
- Optimized for 802.11ac Wave 2 APs

CUWN Over the Top (OTT)
Definition: Wireless OTT is a CAPWAP wireless overlay on top of the Fabric: a traditional CAPWAP deployment connected to the Fabric overlay. The Fabric is a transport for CAPWAP.
Why wireless OTT?
- Migration step: customers want/need to migrate wired first (different Ops teams managing wired and wireless, getting familiar with Fabric, different buying cycles, etc.)
- Longer-term solution: the customer doesn't want to / cannot migrate to Fabric (new software, no 802.11n, wireless too critical to make changes)
(Diagram: CAPWAP tunnel from a non-Fabric AP across the SD-Access Fabric to a non-Fabric WLC)

Key Takeaways

SDA for Mobility: Innovate Faster with Fabric-Enabled Wireless
DNA Center, Software Defined Wireless:
- Centralized management across wired and wireless
- Seamless L2 roam across the Campus
- Consistent policy for wired/wireless
- Secure, policy-based automation
- Optimized, distributed traffic flows for future scalability
- Simplified enablement of Wi-Fi services
- Policy stays with the user
- Simplified provisioning
- Optimized data plane with Campus-wide roaming
- Easy end-to-end virtualization and segmentation for wired and wireless
- Policy consistency

SD-Access Wireless NDP and Assurance

Network quality is a complex, end-to-end problem
(Diagram: mobile clients, APs and local WLCs at the office site; the WAN; network services in the DC: CUCM, ISE, DHCP, Cisco Prime. Each factor is labelled with what it affects: Join/Roam, Quality/Throughput, or Both*.)
Factors shown: client firmware (Both*), WAN uplink usage (Both*), end-user services (Both*), WLC capacity (Both*), configuration, AP coverage, client density, WAN QoS and routing, authentication, RF noise/interference, addressing
* Both = Join/roam and quality/throughput

Predict performance in wireless: Components of DNA Assurance
Test your network anywhere at any time:
- Synthetic tests of both network and application performance across the wired and wireless network provide a proactive monitoring capability
- Various options: AP as a sensor, XOR (flexible) radio, dedicated sensor (AP1800)
- An intelligent algorithm identifies excessive radios and transparently converts them into sensor mode without affecting clients
(Diagram: access point R1 as a sensor, dedicated sensor, flexible radio; sensors act as clients alongside real clients)

Wi-Fi analytics: building the network intuitive
- Crowdsource device telemetry to enable of network
- Automatically correlate client and network data to provide insights
- Deliver faster resolution of issues

Client as a sensor (IOS 10)

Client as a sensor (IOS 11): sent from an IOS 11 device

Client as a sensor (IOS 11)

Key Takeaways

Software-Defined Access Summary: Manage Business Outcomes Instead of Managing the Network
- Policy Automation: use policy-based automated provisioning from edge to cloud
- Services Enablement: quickly enable network services across a complete ecosystem
- Network Analytics: look at the entire network as a single entity and find problems before your users do
- Lower OpEx: DNAC automates the Design, Policy and Provision
- Brownfield integration for investment protection
- Policy-based automation, complete network visibility, fast and easy service enablement

Thank you