BRKCRS-3811 Cisco SD-Access Policy Driven Manageability Victor Moreno, Distinguished Engineer
Cisco Spark. Questions? Use Cisco Spark to communicate with the speaker after the session: 1. Find this session in the Cisco Live Mobile App; 2. Click Join the Discussion; 3. Install Spark or go directly to the space; 4. Enter messages/questions in the space. cs.co/ciscolivebot#brkcrs-3811. 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda Introduction SD-Access Fundamentals Policy in SD-Access Cross Domain Policy Federation Conclusion
Cisco's Intent-based Networking. DNA Center (Learning): Policy, Automation, Analytics. The Network. Intuitive.: Powered by Intent. Informed by Context. Intent flows from DNA Center down to the network infrastructure (Switching, Routers, Wireless, Security) and Context flows back up.
Software Defined Access: Policy, Automation and Assurance for an Intent-based Network Infrastructure. DNA Center (Learning, Intent, Context): Control, Policy, Automation, Analytics. Intent-based Network Infrastructure: Campus Fabric, Branch, WAN, Wireless, Fabric Control, Security. Properties: Wired + Wireless, Mobility, Segmentation, Scale.
Software Defined Access, Cisco Live Barcelona session map (Tuesday Jan 30 to Friday Feb 02, 2018). Missed one? Sessions are available online at CiscoLive.com. Sessions: BRKEWN-2021 SDA Wireless Setup; BRKEWN-2020 Wireless Overview; BRKDCN-2489 DC Integration; BRKCRS-3811 Policy Management (you are here); BRKCRS-2810 Solution Overview; BRKCRS-2816 Routed Underlay; BRKCRS-2814 Assurance; BRKCRS-2811 External Connect; BRKCRS-2815 Design & Scale; BRKCRS-2812 Migration; LTRCRS-2810 (1) and (2) Hands-On Lab.
SD-Access Fundamentals
SD-Access Fabric Roles & Terminology
DNA Controller: Enterprise SDN Controller (e.g. DNA Center) provides GUI management and abstraction via Apps that share context.
Identity Services: Dynamic Endpoint to Group mapping and Policy definition.
Analytics Engine: Assurance and analysis of Endpoint to App flows and monitoring of fabric status.
Control Plane Nodes (C): Map System that manages Endpoint to Device relationships.
Fabric Border Nodes (B): A Fabric device (e.g. Core) that connects External L3 network(s) to the SD-Access Fabric.
Fabric Edge Nodes (E): A Fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SD-Access Fabric.
Fabric Wireless Controller: A Fabric device (WLC) that connects Wireless Endpoints to the SD-Access Fabric.
Intermediate Nodes: Underlay devices between Border and Edge nodes.
Overlay Virtual Networks: Control and Data Plane Separation. An Overlay Virtual Network is a logical topology used to virtually connect devices, built on top of a physical Underlay topology. The Overlay has its own Overlay Control Plane and an Encapsulation applied at the Edge Devices; the Underlay Network, with its own Underlay Control Plane, transports the encapsulated traffic between those edges, and Hosts (end-points) attach to the edges. An Overlay network often uses alternate forwarding attributes to provide additional services not provided by the Underlay.
SD-Access Macro Segmentation: Virtual Network (VN). First level of segmentation; it ensures zero communication between specific groups (for example a Building Management VN and a Campus Users VN). Provides the ability to consolidate multiple networks into one management plane.
SD-Access Micro Segmentation: Scalable Group (SG). Second level of segmentation; it enforces role-based access control between two groups within a Virtual Network (for example a Finance SG and an Employee SG inside the Campus Users VN, next to a separate Building Management VN). Provides the ability to segment the network into either lines of business or functional blocks.
Fabric Enabled Segmentation: Virtual Networks. Fabric traffic is carried as Outer/Transport IP-UDP Header | VXLAN Header | Original IP Packet or L2 Frame across the Underlay Network. The VXLAN header carries both levels of segmentation: the Virtual Network Identifier (24 bits) for the VN (macro segmentation) and the Group Policy Identifier (16 bits) for the Scalable Group Tag (micro segmentation).
Micro-segmentation Enforcement: Ingress Classification with Egress Enforcement. The user authenticates and is classified as Marketing (SGT 5) at the ingress device (Catalyst 3k/4k/6k/9k or WLC 5508); traffic from SRC 10.1.10.220 to DST 10.1.100.52 crosses the Enterprise Backbone carrying SGT 5. At the egress device (Catalyst/ISR/Nexus) the destination is classified: the FIB lookup on the destination yields SGT 20 for CRM (10.1.100.52) and SGT 30 for Web (10.1.200.100). The SGACL is applied at egress on the source/destination pair:
SGACL matrix (rows = source, columns = destination):
Marketing (5): CRM (20) Permit; Web (30) Deny
BYOD (7): CRM (20) Deny; Web (30) Permit
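As an added example (not code from the deck), the encapsulation and the enforcement step above reduced to working Python: the VXLAN header with the Group Policy extension is built and parsed, the destination is classified by an IP-to-SGT binding table, and the slide's matrix is applied at egress. The addresses, tags and matrix cells are the slide's; the binding table, the default action and all function names are assumptions of this example.

```python
"""Added example (not from the Cisco Live deck): VXLAN-GPO encapsulation carrying a VN
and an SGT, plus the ingress-classification / egress-enforcement decision the slide
describes.  IPs, tags and the matrix are the slide's; helper names, the binding table
and the default action are this example's assumptions."""
import ipaddress
import struct

FLAG_I = 0x08   # VNI field valid (RFC 7348)
FLAG_G = 0x80   # Group Policy extension present (VXLAN-GPO)


def build_vxlan_gpo_header(vni, sgt):
    """8-byte VXLAN header: flags, GPO flags, 16-bit group policy ID, 24-bit VNI, reserved."""
    if not (0 <= vni < 1 << 24 and 0 <= sgt < 1 << 16):
        raise ValueError("VNI must fit in 24 bits, SGT in 16 bits")
    return struct.pack("!BBH", FLAG_G | FLAG_I, 0, sgt) + vni.to_bytes(3, "big") + b"\x00"


def parse_vxlan_gpo_header(hdr):
    flags, _, group_id = struct.unpack("!BBH", hdr[:4])
    if not flags & FLAG_I:
        raise ValueError("VXLAN header without a valid VNI")
    return {"vni": int.from_bytes(hdr[4:7], "big"),
            "sgt": group_id if flags & FLAG_G else None}   # no G bit: untagged traffic


def encapsulate(src_ip, dst_ip, vni, sgt):
    """Constructed fabric frame: VXLAN-GPO + inner Ethernet + minimal IPv4 header
    (MAC addresses and the IP checksum are dummies)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x00\x66\x77\x88\x99\xaa" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return build_vxlan_gpo_header(vni, sgt) + eth + ip


SGT_NAMES = {5: "Marketing", 7: "BYOD", 20: "CRM", 30: "Web"}
# Destination classification at the egress node: IP-to-SGT bindings (ISE-learned or static).
# The /24 entry is there to show that the longest matching prefix wins (assumed table).
DST_BINDINGS = {"10.1.100.0/24": 20, "10.1.100.52/32": 20, "10.1.200.100/32": 30}
# The slide's SGACL matrix: (source SGT, destination SGT) -> action
SGACL_MATRIX = {(5, 20): "permit", (5, 30): "deny", (7, 20): "deny", (7, 30): "permit"}


def classify_destination(dst_ip):
    addr, best = ipaddress.IPv4Address(dst_ip), None
    for prefix, sgt in DST_BINDINGS.items():
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, sgt)
    return best[1] if best else None


def egress_enforce(frame, default="deny"):
    """Egress decision: source SGT from the VXLAN-GPO header, destination SGT from the
    binding table, then the matrix cell.  Unknown tags fall to `default`; on TrustSec
    hardware that catch-all is 'cts role-based permissions default' and is permit
    unless an administrator changes it, which is why it is set explicitly here."""
    outer = parse_vxlan_gpo_header(frame[:8])
    inner = frame[8:]
    if inner[12:14] != b"\x08\x00" or inner[14] >> 4 != 4:
        raise ValueError("inner frame is not IPv4")
    dst_ip = str(ipaddress.IPv4Address(inner[14 + 16:14 + 20]))
    src_sgt, dst_sgt = outer["sgt"], classify_destination(dst_ip)
    if src_sgt is None or dst_sgt is None:
        return default
    return SGACL_MATRIX.get((src_sgt, dst_sgt), default)
```

The VNI 4098 used when running it is the instance-id from the VN rollout slide later in the deck; a frame without the G bit (no SGT) is treated as unclassified and hits the default action rather than a matrix cell.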
Policy in SD-Access
Policy types
Access Policy (Authentication / Authorization): who goes in which group, based on which criteria, and with which authentication methods.
Access Control Policy: who can access what; rules for cross-group access; permit group to app; permit group to group.
Application Policy: traffic treatment; QoS for Application; Path Optimization; Application compression; Application caching.
User/Device Groups & Virtual Networks. Users and things (Users/Devices) are authenticated by Identity Services / AAA, which places them into groups; DNA Center maps the groups into virtual networks (Virtual Network 1, Virtual Network 2, ...).
Access Policy in SD-Access Authentication and Authorization
Access Policy: Authentication and Authorization. Who goes in which group, based on which criteria, and with which authentication methods: 802.1X / MAB / Easy Connect / WebAuth.
Authentication: Identity Store Integrations. Cisco ISE validates endpoints via external identity sources.
Authentication: MAC Authentication Bypass (MAB). Endpoints without a supplicant will fail 802.1X authentication. MAB bypasses 802.1X for known MAC addresses: the Network Device sends EAP "What's your Id?" and gets no 802.1X reply; after the 802.1X timeout it takes the first packet from the endpoint (any packet), learns its MAC address and sends it to Cisco ISE as the user identity (User: 00-10-23-AA-1F-38); ISE answers ACCESS-ACCEPT if the MAC is known. Caveat: a MAC address is not a secret and is trivially cloned, so a MAB result proves only that someone on the segment presented a known address. Authorize MAB sessions into restricted groups, combined with profiling where possible, rather than into the same groups a certificate-based 802.1X result would earn.
Authentication: 802.1X. Participants: Endpoint (Supplicant, presenting Credentials: Certificate / Password / Token), Network Device (Authenticator), Cisco ISE (Authentication Server), Active Directory (Identity Store). EAP runs end to end between Supplicant and Authentication Server: it is carried in 802.1X (EAPOL) between Endpoint and Network Device and inside RADIUS between Network Device and ISE; ISE validates the credentials against Active Directory. The Network Device sends RADIUS ACCESS-REQUEST with SERVICE-TYPE: FRAMED and the EAP-RESPONSE-IDENTITY received from the Supplicant. On success ISE returns RADIUS ACCESS-ACCEPT carrying EAP-SUCCESS and the port becomes Port-Authorized; if authentication fails the port stays Port-Unauthorized. EAP: Extensible Authentication Protocol. Supplicant: software running on the client that provides credentials to the authenticator (Network Device).
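The RADIUS leg of that exchange, as an added example that is not part of the deck: the Network Device wraps the EAP-Response/Identity in an Access-Request with Service-Type Framed and a Message-Authenticator (RFC 3579 requires it whenever EAP-Message is present), ISE answers with an Access-Accept carrying EAP-Success, and the Network Device checks both the Response Authenticator and the Message-Authenticator before it authorizes the port. The shared secret, NAS address, identity and all function names are constructed for this example.

```python
"""Added example (not Cisco ISE or IOS code): the RADIUS packets behind an 802.1X
exchange, with the integrity checks each side performs.  Secret, addresses and
identity are constructed values; function names are this example's own."""
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_SERVICE_TYPE = 1, 4, 6
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
SERVICE_TYPE_FRAMED = 2
EAP_RESPONSE, EAP_SUCCESS, EAP_TYPE_IDENTITY = 2, 3, 1


def eap_response_identity(eap_id, identity):
    data = identity.encode()
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(data), EAP_TYPE_IDENTITY) + data


def eap_success(eap_id):
    return struct.pack("!BBH", EAP_SUCCESS, eap_id, 4)


def tlv(attr_type, value):
    """RADIUS attribute: Type, Length (including the 2 header bytes), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one RADIUS attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(body):
    attrs, i = [], 0
    while i < len(body):
        attr_type, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((attr_type, body[i + 2:i + length]))
        i += length
    return attrs


def _assemble(code, ident, authenticator, attrs_bytes):
    return struct.pack("!BBH", code, ident, 20 + len(attrs_bytes)) + authenticator + attrs_bytes


def sign_message_authenticator(code, ident, authenticator, attrs_bytes, secret):
    """RFC 3579 3.2: HMAC-MD5 over the whole packet with a zero-filled
    Message-Authenticator in place; replies use the Request Authenticator."""
    placeholder = attrs_bytes + tlv(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    mac = hmac.new(secret, _assemble(code, ident, authenticator, placeholder), "md5").digest()
    return attrs_bytes + tlv(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet, secret, request_authenticator=None):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs = parse_attrs(packet[20:length])
    received, rebuilt = None, b""
    for attr_type, value in attrs:
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            received, rebuilt = value, rebuilt + tlv(attr_type, bytes(16))
        else:
            rebuilt += tlv(attr_type, value)
    if received is None:                      # EAP-Message without Message-Authenticator
        return False
    auth = packet[4:20] if code == ACCESS_REQUEST else request_authenticator
    if auth is None:
        return False
    expected = hmac.new(secret, _assemble(code, ident, auth, rebuilt), "md5").digest()
    return hmac.compare_digest(received, expected)


def build_access_request(ident, username, nas_ip, eap, secret):
    """What the Network Device (authenticator) sends to ISE."""
    request_authenticator = os.urandom(16)
    attrs = (tlv(ATTR_USER_NAME, username.encode())
             + tlv(ATTR_NAS_IP, ipaddress.IPv4Address(nas_ip).packed)
             + tlv(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED))
             + tlv(ATTR_EAP_MESSAGE, eap))
    attrs = sign_message_authenticator(ACCESS_REQUEST, ident, request_authenticator, attrs, secret)
    return _assemble(ACCESS_REQUEST, ident, request_authenticator, attrs)


def build_access_accept(request, eap, secret):
    """What ISE returns on success.  Response Authenticator (RFC 2865 3):
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    ident, request_authenticator = request[1], request[4:20]
    attrs = sign_message_authenticator(ACCESS_ACCEPT, ident, request_authenticator,
                                       tlv(ATTR_EAP_MESSAGE, eap), secret)
    response_authenticator = hashlib.md5(
        _assemble(ACCESS_ACCEPT, ident, request_authenticator, attrs) + secret).digest()
    return _assemble(ACCESS_ACCEPT, ident, response_authenticator, attrs)


def nas_accepts(request, response, secret):
    """The checks the authenticator makes before moving the port to Port-Authorized."""
    if response[0] != ACCESS_ACCEPT or response[1] != request[1]:
        return False
    request_authenticator = request[4:20]
    length = struct.unpack("!H", response[2:4])[0]
    attrs = response[20:length]
    expected = hashlib.md5(response[:4] + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(response[4:20], expected):
        return False
    if not verify_message_authenticator(response, secret, request_authenticator):
        return False
    eap = b"".join(v for t, v in parse_attrs(attrs) if t == ATTR_EAP_MESSAGE)
    return len(eap) >= 4 and eap[0] == EAP_SUCCESS
```

Both integrity values depend on the RADIUS shared secret, which is why an Access-Accept forged by someone who can reach the switch's RADIUS port but does not hold the secret is rejected; note that MD5/HMAC-MD5 is what the protocol specifies, not a choice made here.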
Authentication: Easy Connect. No 802.1X on the endpoint. DOMAIN\bob logs in to the Domain Controller (AD; DHCP, NTP and DNS in the environment); ISE retrieves the user-id and the user's AD group membership from the domain controller logon event. The session on SWITCH-1 starts as UNKNOWN with LIMITED ACCESS; once the user is identified as an EMPLOYEE, ISE sends a CoA that moves the session from Limited to FULL ACCESS. Benefits: immediate value; leverages existing infrastructure; increased visibility into active network sessions; flexible deployment that co-operates with other auth methods.
Authentication: Central Web Authentication (CWA). The Endpoint sends its initial packet (e.g. to Google.com). The Network Device issues a MAB request to Cisco ISE; the initial authorization returns a Limited Access ACL plus a URL-Redirect to ISE ("got your MAC, need your ID"). The endpoint is redirected to the ISE login page and submits username + password (alice...). ISE then sends a CoA and the Network Device applies the Full Access ACL.
Authentication Policy. Endpoint Policies are built from: RADIUS Attributes (Service type, NAS IP, Username, SSID); EAP Types (EAP-FAST, EAP-Chaining, EAP-TLS, PEAP, Host lookup, etc.); Identity Source (Internal/Certificate, Active Directory, LDAPv3, RADIUS, Identity Sequence); Authentication Options (802.1X / MAB / AnyConnect / WebAuth).
Authentication Network Template Application. One interface template serves MAB, 802.1X and EasyConnect against Cisco ISE:
interface GigabitEthernet1/0/3
 description Client Wired-2
 switchport mode access
 switchport voice vlan 4000
 device-tracking attach-policy IPDT_MAX_10
 authentication control-direction in
 authentication event server dead action authorize vlan 3999
 authentication event server dead action authorize voice
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server dynamic
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
Note: 'authentication event server dead action authorize vlan 3999' fails open into a critical VLAN when ISE is unreachable; that is an availability decision, so the critical VLAN should carry only what an unauthenticated host is allowed to reach.
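A small audit over that template, added here as an example rather than taken from the deck or from any Cisco tool: it parses IOS interface stanzas and flags the settings that weaken port authentication (no port-control auto, MAB tried before dot1x, multi-host, missing mab or pae authenticator) and reports the deliberate trade-offs (fail-open critical VLAN, control-direction in) as informational. The severity labels, the check list and the function names are this example's assumptions.

```python
"""Added example (not a Cisco tool): audit an IOS port-authentication template for
settings that weaken 802.1X/MAB enforcement.  Severities and checks are assumptions."""

# The interface template from the slide, embedded as constructed input.
SLIDE_TEMPLATE = """\
interface GigabitEthernet1/0/3
 description Client Wired-2
 switchport mode access
 switchport voice vlan 4000
 device-tracking attach-policy IPDT_MAX_10
 authentication control-direction in
 authentication event server dead action authorize vlan 3999
 authentication event server dead action authorize voice
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server dynamic
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
"""


def parse_interfaces(config):
    """Return {interface name: [stripped sub-commands]} from an IOS-style config."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif current is not None and line.startswith(" "):
            ifaces[current].append(line.strip())
        else:
            current = None          # left the interface block
    return ifaces


def audit_port(lines):
    """Return [(severity, message)] for one access-port stanza."""
    findings = []

    def has(cmd):
        return any(l == cmd or l.startswith(cmd + " ") for l in lines)

    def get(prefix):
        return next((l for l in lines if l.startswith(prefix)), None)

    if not has("authentication port-control auto"):
        findings.append(("HIGH", "no 'authentication port-control auto': port does not enforce 802.1X/MAB"))
    if not has("dot1x pae authenticator"):
        findings.append(("HIGH", "missing 'dot1x pae authenticator': 802.1X never runs on this port"))
    order = get("authentication order")
    if order:
        methods = order.split()[2:]
        if "mab" in methods and not has("mab"):
            findings.append(("HIGH", "MAB listed in authentication order but 'mab' is not enabled"))
        if methods and methods[0] != "dot1x":
            findings.append(("MEDIUM", "MAB before dot1x: a cloned MAC is tried before the supplicant"))
    host_mode = get("authentication host-mode")
    if host_mode and host_mode.endswith("multi-host"):
        findings.append(("MEDIUM", "multi-host: one authenticated host opens the port for every MAC behind it"))
    if has("authentication event server dead action authorize"):
        findings.append(("INFO", "fail-open: critical VLAN is authorized when ISE is unreachable"))
    if has("authentication control-direction in"):
        findings.append(("INFO", "control-direction in: switch-to-client traffic allowed before auth (Wake-on-LAN)"))
    if not has("authentication periodic"):
        findings.append(("LOW", "no periodic reauthentication: sessions are never re-evaluated"))
    return findings


def worst_severity(findings):
    rank = {"HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFO": 0}
    return max((s for s, _ in findings), key=rank.get, default=None)
```

Run against the slide's template it reports only the two informational items; the same audit on a copy with force-authorized, multi-host and MAB-first order shows why each of those is a finding.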
SD-Access Policy Authorization. Identity Services Engine / AAA combines inputs about users and things to place them in Scalable Groups: Credentials, Posture, Profiling, Identity (e.g. Active Directory), Location, Behavior Analytics, Vulnerability, plus SIEM and CASB context received over pxGrid. DNA-Center consumes the resulting Scalable Groups.
Authorization Policy. Endpoint Policies for 802.1X / MAB / Easy Connect / CWA: Authorization Condition(s) select Authorization Profile(s).
Authorization Profiles: VLAN Name = IP Subnet & VN Name (e.g. VN_IoT).
ISE authorization for VN assignment: Authorization Result = Virtual Network (Identity Services places the endpoint in e.g. VN_IoT).
ISE authorization for VN and SGT assignment: Authorization Result = Virtual Network + SGT. Identity Services places Users/Devices in a Virtual Network (e.g. VN_IoT) and assigns a Scalable Group Tag.
Authorization Policy: Authorization Profiles. Example profile for VN_IoT: VLAN/VN = VN_IoT, SGT = IoT_Devices.
SD-Access Users and Devices: Group Registry. Registry of Groups created in different domains.
SD-Access Users and Devices: Custom Groups. Custom groups may be created in the registry.
Access Control Policy in SD-Access
Access Control Policy: who can access what. Sources (who are you?): EMPLOYEE, CONTRACTOR, authenticated with Certificates or Passwords (alice *****). Destinations (what can you access?): PROTECTED SERVERS, SHARED SERVICES, PUBLIC NETWORK, DB. Rules for cross-group access: permit group to app, permit group to group.
SD-Access Micro-segmentation. Identity Services Engine (ISE) enabled AAA: ISE authenticates Network Devices to form a trusted domain. SGTs & SGT Names are centrally defined in ISE (Scalable Group Tags, e.g. 3: Employee, 4: Contractors, 8: PCI_Servers, 9: App_Servers) together with Endpoint ID Groups; the SGACL Name Table (the Sources x Destinations policy matrix of Scalable Group ACLs) is pushed down to the network devices. ISE dynamically authenticates endpoint users and devices and assigns SGTs: Dynamic SGT Assignment via MAB, 802.1X, Easy Connect; Static SGT Assignment for the rest (e.g. servers). Rogue device(s) that do not authenticate receive no trusted group.
Cisco DNA Center: Single Pane of Glass across the Enterprise. DNA Center Network Controller: Identity, Context and Security Policy; Network Provisioning; Analytics and Assurance. PROVISION, MONITOR, TROUBLESHOOT across Wireless, LAN, WAN, Cloud and Remote Access.
ISE and DNA-C integration for Policy Automation. Cisco Identity Services Engine holds the Authentication and Authorization Policies and the Groups and Policies; Cisco DNA Center provides Fabric Management and Policy Authoring Workflows. DNA Center talks to ISE over pxGrid and REST APIs, and both act on the Campus Fabric.
Communication channels for integration (DNA-Center to ISE): SSH (22/TCP, SSH Service) to establish the trust relationship; REST (443/TCP, ERS Read/Write) to program ISE; pxGrid service for context and TrustSec metadata (pxGrid ports: 5222/TCP, 7400/TCP, 8910/TCP, 12001/TCP; details: http://bit.ly/pxgrid-ports-23).
Virtual Network Rollout: Virtual Network Segmentation. CISCO DNA CENTER pushes the VN configuration over SSH to the Border (B) and Edge (E) nodes.
Border:
eid-table vrf Campus instance-id 4098
 ipv4 route-export site-registrations
 ipv4 distance site-registrations 250
 ipv4 map-cache site-registration
 exit
Edge:
instance-id 4098
 service ipv4
  eid-table vrf Campus
 exit-service-ipv4
 !
exit-instance-id
Scalable Groups Assignment to VNs: a Scalable Group is assigned to a single VN (Virtual Network 1, Virtual Network 2, Virtual Network 3).
SD-Access Access Control Policies. A policy is Source Group @ VN-X, Contract, Destination Group @ VN-Y. A Contract (e.g. CONTRACT GREEN) is a set of Classifiers (Port Number, IP Address, Application Type), each with an Action: Permit, Deny, Copy. At FCS (first customer shipment) all groups in a Policy must belong to the same Virtual Network.
Scalable Group Policy rollout. FABRIC POLICIES in CISCO DNA CENTER: Source Employees, Contract PERMIT, Destination Production (other groups: Contractors, Development). DNA CENTER writes the policy to CISCO ISE over the API; the FABRIC NODES then download the policy from ISE.
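As an added example (not DNA Center or ISE code), the path from a contract to what the fabric nodes download: a contract is compiled into SGACL entries in the ISE syntax, the same-VN rule from the policy slide is enforced before the entry is accepted, and packets are evaluated first-match against the compiled list. The contract dictionary, the group-to-VN table and the function names are assumptions of this example.

```python
"""Added example (not DNA Center or ISE code): compile a DNA Center-style access
contract into the SGACL entries ISE pushes to fabric nodes, enforce the same-VN
rule, and evaluate packets against the result.  The data model and function names
are this example's assumptions; the ACE text is the ISE SGACL form."""

# Contract GREEN: ordered classifier rows plus a default action.
# Actions are the slide's: permit, deny, copy (copy = forward and mirror the flow).
CONTRACT_GREEN = {
    "name": "GREEN",
    "rules": [
        {"action": "permit", "proto": "tcp", "dst_port": 443},
        {"action": "copy",   "proto": "tcp", "dst_port": 22},
        {"action": "deny",   "proto": "udp"},
    ],
    "default": "deny",
}
# Group -> Virtual Network (a Scalable Group lives in exactly one VN); assumed table.
VN_OF_GROUP = {"Employees": "Campus", "Contractors": "Campus", "Production": "Campus",
               "Development": "Campus", "IoT_Devices": "VN_IoT"}


def compile_sgacl(contract):
    """Return (ACE lines, flows to mirror).  'copy' forwards like permit; the mirror
    itself is a separate ERSPAN session, so it is reported rather than encoded in the ACE."""
    aces, mirrors = [], []
    for rule in contract["rules"]:
        verb = "deny" if rule["action"] == "deny" else "permit"
        ace = f"{verb} {rule['proto']}"
        if "dst_port" in rule:
            ace += f" dst eq {rule['dst_port']}"
        aces.append(ace)
        if rule["action"] == "copy":
            mirrors.append((rule["proto"], rule.get("dst_port")))
    aces.append(f"{contract['default']} ip")      # explicit catch-all, never rely on the device default
    return aces, mirrors


def same_vn(src_group, dst_group):
    return VN_OF_GROUP[src_group] == VN_OF_GROUP[dst_group]


def policy_entry(src_group, dst_group, contract):
    """One cell of the policy matrix as DNA Center would hand it to ISE."""
    if not same_vn(src_group, dst_group):
        raise ValueError(f"{src_group} and {dst_group} are in different VNs (not allowed at FCS)")
    aces, mirrors = compile_sgacl(contract)
    return {"src": src_group, "dst": dst_group, "sgacl": contract["name"],
            "aces": aces, "mirror": mirrors}


def evaluate(aces, proto, dst_port):
    """First-match walk of the SGACL, the way a fabric node applies it at egress."""
    for ace in aces:
        parts = ace.split()
        verb, ace_proto = parts[0], parts[1]
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if "eq" in parts and int(parts[parts.index("eq") + 1]) != dst_port:
            continue
        return verb
    return "deny"
```

The explicit trailing "deny ip" is the point of the compile step: a contract that ends without a catch-all leaves the decision to the platform default, which on TrustSec devices is permit.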
SD-Access Policy Authoring (screenshots): Access Contracts; Policy List View; Policy Matrix View.
Application Policy in SD-Access
Application Policy: QoS. Application Policy is traffic treatment: QoS for Application, Path Optimization, Application compression, Application caching. DNAC keeps an Application Registry (App X, App Y, App Z, ...) with 3 Treatment Profiles and normalizes QoS diversity across platforms: Polaris (3K), IOS-XE (4K), IOS (6K), NX-OS (N7K), AireOS, i.e. Catalyst 3650/3850, Catalyst 9300/9400/9500, Catalyst 4500 (Sup8E), Catalyst 6500/6800, Nexus 7700 (M3), WLC 5500/8500. Example registry entries: Application X: IP-Prefix / URL = x.x.x.x/24, UDP/TCP Ports = 63837-64101; Application Y: IP-Prefix / URL = y.y.y.y/22, UDP/TCP Ports = 80.
SD-Access Application Definition: Application Name; end-points (End-point addresses: IP/URL/Source-Group); classifiers (TCP/UDP port numbers, DSCP); Implicit Policy (Traffic Class, Path Preference).
SD-Access Application Registry: each application with its classifiers and end-points. Sources: AVC/NBAR, ACI, DNS-AS, other repositories of application information, Custom Application Configuration.
SD-Access Application Registry (screenshots): Applications; Application Sets.
Solicit Application Business-Relevance.
Relevant: these applications directly support business objectives; they should be classified and marked according to RFC 4594-based rules.
Default: these applications may or may not support business objectives (e.g. HTTP/HTTPS), or the administrator may not know the application (or how it is being used in the org); they should be marked DF and provisioned with a default best-effort service (RFC 2474).
Irrelevant: these applications are known and do not directly support any business objectives; this class includes all personal/consumer applications; they should be marked CS1 and provisioned with a less-than-best-effort service (RFC 3662).
SD-Access Application Policy (screenshots of the application policy workflow).
Application Policy: Traffic Copy. A Traffic Copy Policy mirrors traffic (ERSPAN) for a specific endpoint and traffic, e.g. Employee 1 on an Edge Switch talking to the Finance Servers, sent to a collector reached through the Border. ERSPAN destination (collector side):
monitor session 1 type erspan-destination
 destination interface Gi0/2/2
 source
  erspan-id 1
  ip address 6.6.6.6
ERSPAN source (edge switch):
ip access-list extended erspan-session-1
 permit ip any 100.110.0.0 0.0.255.255
monitor session 1 type erspan-source
 source interface Gi1/0/4
 filter ip access-group erspan-session-1
 destination
  erspan-id 1
  ip address 6.6.6.6
  ip ttl 32
  origin ip address 172.27.252.193
Caveat: the mirrored copy travels to 6.6.6.6 in GRE without encryption, so the collector and the path to it handle a full copy of the selected flows and need the same protection as the original traffic.
Policy End-to-end
Unified Policy Language across Domains: Policy Element/Object Exchange. A Contract between a consumer (Web Users) and a provider (Web Servers): allow only web traffic in/out; sessions must be logged; violations must be inspected. The same contract is rendered by the Network Operator in the Access Domain (Campus/Branch/WAN), by the Security Operator in the Security Domain, and by the Network Operator in Data Center A and Data Center B.
Federated Identity: Cross Domain Group awareness with Independent Policy. DNA-Center and ISE exchange policy groups (Web, App, DB) with the data center and SaaS/IaaS domains. User-User: Access Control via SG-ACL. User-App: Application Prioritization and User to App Contracts (QoS Service, QoS Filter towards Web1/App1). App to App Contracts between Web, App and DB.
Multi-domain Identity Exchange. Without group exchange, the Campus Firewall between the Campus (Wireless Control, WAN, Fabric Control) and the ACI Fabric Border Leafs would have to express campus-to-DC policy as IP-based ACLs, which the slide illustrates with a wall of entries (illustrative filler rather than a deployable ACL; several entries pair port operators with the ip and icmp protocols, which IOS does not accept):
access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165
access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428
access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511
access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945
access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116
access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959
access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993
access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
Instead, DNA-Center/ISE publish Groups + IP bindings (e.g. Web) over PXGRID, so the firewall and the ACI border can enforce by group.
Network + Host Based Segmentation. For users, things and applications, enforcement can sit at the Network Edge (Access Network) or at a Segmentation Agent on the host (Data Center); the enforcement footprint will vary between the two.
Integration with Policy Orchestrators: centralization of policy, visibility & compliance, automatic provisioning. Campus / Branch is the SD-Access Policy Domain (ISE; SD-Access Fabric with Border and Control Plane nodes; Employee group). The Data Center is the APIC Policy Domain (APIC; ACI Fabric; Web and App groups). A Cisco Firewall or 3rd-party Firewall sits between them, with Cloud alongside.
Campus Fabric SGT Info Used in ACI Policies. Controller Layer: ISE (Campus Fabric Policy Domain) and APIC (ACI Policy Domain) exchange group information. ISE retrieves from APIC: EPG Name PCI, EPG Binding = 10.1.100.52. ISE exchanges to APIC: SGT Name Auditor, SGT Binding = 10.1.10.220. Result: SGT groups (Auditor) are available in ACI policies, and ACI EPGs (PCI) are available as groups in the campus. Network Layer: the Auditor endpoint 10.1.10.220 (SGT 5) sends SRC:10.1.10.220 DST: 10.1.100.52 tagged SGT 5 through the Campus Fabric. The hand-off from the campus to the ACI Border Leaf (N9K) is plain Ethernet (no CMD), so the tag is not carried inline; the ACI Border Leaf classifies the source by IP into EPG Auditor (shown as 17000 in the diagram) using the binding learned from ISE, and the ACI Spine (N9K) and ACI Leaf (N9K) deliver to the PCI EPG at 10.1.100.52.
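The controller-layer exchange and the two classifications it enables, as an added example that is not the deck's or any Cisco product's code: ISE's SGT registry and bindings and APIC's EPG bindings are merged into a group registry and a translation table, then a campus-to-DC packet is decided at the campus border by SGACL and at the ACI border leaf by contract. The prefixes and group names are the slide's; the allocated SGT values, the SGACL and contract tables, and the function names are assumptions of this example.

```python
"""Added example (not ISE/APIC code): the ISE-APIC group exchange from the slide as
data structures, and the two data-plane decisions it feeds.  Prefixes and group
names are the slide's; SGT values for DC EPGs, the policy tables and function
names are assumptions."""
import ipaddress

# Constructed inputs.  ISE side: SGTs and IP-to-SGT bindings learned in the campus.
ISE_SGTS = {"Auditor": 5, "Employee": 4}
ISE_IP_SGT = {"10.1.10.220/32": "Auditor", "10.1.20.0/24": "Employee"}
# APIC side: EPGs and their endpoint IP bindings in the data center.
APIC_IP_EPG = {"10.1.100.52/32": "PCI", "10.1.101.0/24": "Web"}
# Policies authored on each side by group name.  Both must agree for a flow to pass end to end.
SGACL = {("Auditor", "PCI"): "permit", ("Employee", "Web"): "permit"}          # campus egress
ACI_CONTRACTS = {("Auditor", "PCI"): "permit", ("Employee", "Web"): "permit"}  # DC contracts


def lpm(bindings, ip):
    """Longest-prefix match of an address against a {prefix: group} table."""
    addr, best = ipaddress.ip_address(ip), None
    for prefix, group in bindings.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, group)
    return best[1] if best else None


def federate(ise_sgts, ise_ip_sgt, apic_ip_epg, sgt_pool_start=10000):
    """Group exchange: every DC EPG becomes an SGT in ISE (value taken from an assumed
    pool), every campus SGT becomes an external EPG in ACI carrying its members'
    prefixes, and the border router gets an SGT-value -> group-name translation table."""
    sgts = dict(ise_sgts)
    next_value = sgt_pool_start
    for epg in sorted(set(apic_ip_epg.values())):
        if epg not in sgts:
            sgts[epg] = next_value
            next_value += 1
    ext_epg_bindings = dict(ise_ip_sgt)   # prefix -> external EPG, named after the SGT
    translation = {value: name for name, value in sgts.items()}
    return sgts, ext_epg_bindings, translation


def campus_border_decision(src_sgt_value, dst_ip, sgts):
    """Campus -> DC at the campus border: the source carries its SGT, the destination is
    classified with the EPG-derived SGT ISE created, then the SGACL cell is applied."""
    src_group = next((name for name, value in sgts.items() if value == src_sgt_value), None)
    dst_group = lpm(APIC_IP_EPG, dst_ip)
    if src_group is None or dst_group is None:
        return "deny"
    return SGACL.get((src_group, dst_group), "deny")


def aci_border_leaf_decision(src_ip, dst_ip, ext_epg_bindings):
    """DC side: the hand-off is plain Ethernet (no CMD tag), so the source is classified
    by IP into the external EPG learned from ISE; ACI drops anything without a contract."""
    src_epg = lpm(ext_epg_bindings, src_ip)
    dst_epg = lpm(APIC_IP_EPG, dst_ip)
    if src_epg is None or dst_epg is None:
        return "deny"
    return ACI_CONTRACTS.get((src_epg, dst_epg), "deny")
```

Because the hand-off carries no tag, everything the ACI side knows about the campus source comes from the IP binding ISE published; an address that is not in any binding, or a binding that has gone stale, lands in no EPG and is dropped rather than mis-classified.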
Required connectivity for ACI-Campus. Campus scope of management: Campus Border Router with VRF A, VRF B, VRF C, VRF D; SGTs carried in VXLAN inside the campus. DC scope of management: DC Border Leaf with VRF 1, VRF 2; EPGs carried in VXLAN inside the DC (Web1, Web2). The hand-off between them is VRF-lite, with SXP for IP-SGT propagation, and is N:M between campus and DC VRFs. All outside EPGs learnt from ISE will be assigned to a single VRF. In the initial releases, ISE does not support VRF/VN semantics, so the exchange is flat: bindings from different campus VNs land in one ACI VRF, and overlapping addresses across VNs cannot be told apart. It is assumed that connectivity between campus VRFs and DC VRFs is provisioned. In the future, cross-VRF connectivity should be driven from cross-group policies.
Policy Driven Segment Connectivity across domains. User to App Contracts (C, Web) drive the connectivity: Domain A Segmentation Space (VRF A, VRF B, VRF C, VRF D) at the Domain A Border Router, an N:M hand-off, and the Domain B Border Router with the Domain B Segmentation Space (VRF 1, VRF 2). Data plane: Domain A Data Plane, Handoff, Domain B Data Plane.
ISE and APIC data plane translation. SD-Access Policy Domain (APIC-EM): Cisco ISE 2.3 holds Security Groups and IP, SGT mappings; SD-Access user classification travels as LISP, SGT & VXLAN from switch to router. ACI Policy Domain: Cisco APIC-DC holds End Point Groups and IP-ClassId, VNI bindings; the Nexus 9000 spine and leaf carry BGP EVPN, EPG & VXLAN to the servers. ISE & APIC exchange groups and member information; ISE creates the SGT to EPG translation table and sends it to the ASR 1K/N7K border router (*ASR1K shipping, N7K planned). APIC: Application Policy Infrastructure Controller; ACI: Application Centric Infrastructure.
Use Case: Cloud. User to Cloud Access Control Workflow: a Virtual Firewall or SGACL-capable virtual routers in cloud environments (FTDv, ASAv, CSR-1000v, ISRv). Workloads / groups are provisioned by Cisco or 3rd-party provisioning tools into AWS Security Groups and Azure Network Security Groups (Prod App, Dev App); their IP-SGT bindings are pushed to ISE via REST APIs, and ISE updates the enforcement point via SXP/pxGrid. Zero policy changes as new workloads are provisioned in clouds. ISE Enterprise Policy Domain tags: Employee, Developer, Guest, Non-Compliant, Voice. Consistent Policy matrix with sources Employee, Developer, Guest, Non Compliant and Voice against destinations Dev Apps, Prod Apps, Remediation and Internet (the individual cells did not survive extraction; X marks a denied cell).
Conclusion
What to Do Next? Refresh your Hardware & Software: get SD-Access capable devices with the DNA Advantage OS License. Deploy the DNA Center: get DNA Center Appliances with DNA Center Software. Engage with Cisco Services (Technical Advisory, Managed Implementation, Optimization, Training): Cisco Services can help you to Test, Migrate, Deploy.
The First Step. #NewEra #CiscoDNA #NetworkIntuitive
Complete Your Online Session Evaluation. Please complete your Online Session Evaluations after each session. Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt. All surveys can be completed via the Cisco Live Mobile App or the Communication Stations. Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.
Continue Your Education: Demos in the Cisco campus; Walk-in Self-Paced Labs; Tech Circle; Meet the Engineer 1:1 meetings; Related sessions.
Thank you