Inside Cisco IT: The New Catalyst 9000 Series and Software Defined Access
John Moe, Cisco IT Member of Technical Staff
BRKCOC-2299
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#BRKCOC-2299
Agenda
• Cisco IT Overview
• DNA and the Next Generation Network
• Catalyst 9000 Series and Open IOS-XE
• Software Defined Access (SDA)
Cisco IT Overview
More than 150,000 people worldwide in the extended Cisco family
• 300+ Locations in 93 Countries
• 500+ Buildings
• 70,000+ Employees
• 50,000+ Contractors
• 200+ Business/Support Partners
• 6000+ Switches
• 5000+ Routers
• 600+ WLCs
• 11,000+ APs
• 1000+ Labs Worldwide
• 5 Production Data Centers
• 40 Non-prod Data Centers
• 13,000+ UCS Servers
• 60,000+ Virtual Machines
• 5000+ Business Applications
Cisco IT Overview
Cisco IT Global WAN Backbone
Branch Office WAN Classifications and LAN Topologies

WAN classification | Headcount criterion
Business Performance (2A/2A+) | >300 or business justified
Business Essential (2B) | >25 or business justified
Business Ready (2C) | <25

Small Office
• Single WAN router
• No wiring closets or physical infrastructure
• Equipment located in portable comm rack
• Low LAN SLA configuration
Medium Office
• Dual WAN routers
• Typically single floor and VLAN domain
• 1 or more wiring closets with cabling infra to the primary wiring closet
• High LAN SLA configuration
Large Office
• Dual WAN routers
• Typically multiple floors and VLAN domains
• 1 or more wiring closets per floor with cabling infra to the primary wiring closet
• High LAN SLA configuration
Secure Internet Office: Hybrid WAN for Cost Savings (Branch 2B)
• Current state: Private (active) + Private (backup); figures on the slide: 75% / 25%
• Phase 1: Private (active) + iVPN (active); figures on the slide: 85% / 15%
• Phase 2: Private (active) + iVPN + DIA (active); figures on the slide: 90% / 10%
Cisco IT’s Cloudport Solution
Diagram elements: Cisco Data Centre, Carrier Neutral Facility, Dark Fiber DWDM Ring, Campus Location, Sales Office. Numbered services:
1. Internet
2. Branch Office Connectivity
3. Backbone Connectivity
4. Cloud Internet Exchange
5. Private Cloud Interconnect
6. Extranet Partners
7. Media/SIP service
Workspace Optimization

Cisco IT Device Landscape (November 30th, 2017)
• 130,643 corporate-provided devices (CYOD)
• 66,804 mobile devices (BYOD)
• 1.17 devices per user
• Growth figures are based on a 3-month period (18-month sparkline on the slide)
• Per-category counts and growth shown on the slide (category labels not shown): 78,287 (-0.1%), 46,391 (-4.5%), 5,965 (+0.5%), 357 (-3.1%), 7,617 (-1.2%), 13,950 (+4.3%), 44,880 (+5.2%)
Cisco IT UC and Video Platform Services
• 131,000 IP phones
• 68,000 soft clients
• 67,000 mobile devices
• 97,000 WebEx clients
• 1,759 immersive video endpoints; 7,000 desktop/personal video endpoints
• 8,700 video conference bridge ports
• 6,600 contact center clients
• Unified Communications Manager (UCM): 33 clusters in 12 sites
• Unity Connection (voicemail): 19 clusters in 9 sites
• Telepresence Management Suite (TMS): 1 cluster, 73 VCS / VCS Expressway nodes
• Unified Contact Center Enterprise (UCCE): 6 clusters, 12 IVRs, 2 ICMs in 6 sites
DNA and the Next Generation Network

Cisco IT - Location as a Service
Layers of the service, bottom to top:
• Endpoints: iOS, Android, macOS, Windows, RFID tags, BLE tags
• Foundational infrastructure and service: Wireless Network Infrastructure (Hyperlocation/CleanAir/BLE)
• Application: CMX Location Data (via API)
• Customer use cases (customer; application):
  • Wayfinding (Cisco IT; Cisco Maps, Phunware, Beam Pro)
  • Space Utilization (WPR; Rifiniti)
  • Asset Management (Cisco Labs; IoT Platform)
  • Active RFID Tracking (Supply Chain; TagIt)
  • Asset Detection (Security; Face Recognition)
Rifiniti Space Utilization
Suitable Technologies Beam Pro Wi-Fi LBS Integration
Cisco IT - Lighting as a Service
• Endpoints: NuLED, CREE, Philips
• Foundational infrastructure and service: Wired Network Infrastructure
• Application: Lighting Control Data (via API)
• Customer use cases (customer; application):
  • Workspace Personalization (Cisco IT; Cisco Maps)
  • Emergency Pathway Out (Safety/Security; flash lights or illuminate path)
  • First Responder In (Safety/Security; flash lights or illuminate path)
  • Customized Lighting (Cisco IT; Cisco Proximity)
Personalized Control of Lighting Environment
Cool white Warm white
A Ten Year Journey… (2007 → Today → 2020)
• Any Device, Mobility
• Pervasive Video
• Changing Expectations
Expectations have changed…Here’s some of what happened…
Multi-Cloud World is Now a Reality
Fierce Competition and Cost Pressures
Security is a Board Room Conversation
Business Demands Digital Transformation
Modern Network Environment is Vast and Complex
• 45,000 network devices
• 1,100 network changes per month
• 95% performed manually
• Human mistake: 80%
• 40,000 configuration assurance policy violations
Drivers of cost and complexity:
• Manual configuration & refresh: no centralized access, no plug-n-play
• Complicated equipment portfolio: can’t keep skills up
• Convoluted maintenance & troubleshooting: lack of visibility, lack of analytics
• Tool proliferation: multiple interfaces, increased tool errors
Digital Network Architecture Roadmap
1. Base automation: automated deployment across greenfield and brownfield
2. SDN / automated enterprise: controller-based networking with assurance across WAN/LAN and wireless
3. Advanced security and network analytics: next generation threat and application analytics
4. Single cross-domain orchestration: automated user to application policy (access and priority) across enterprise and DC domains
5. Self-driving: enabling policy based compliance, assurance driven optimization
Customer outcomes: simplicity, lower risk, business enablement, lower TCO, service quality
From Task Automation to Service Orchestration… and Beyond
• Ad-hoc scripting: engineers run one-off scripts and tools, device-by-device
• Re-usable frameworks: centrally managed frameworks, templates accelerate delivery
• Service orchestration (NSO): model-driven config lifecycle, CRUD automation in one place
• Closed-loop orchestration: business-level intent, dynamic optimization based on real-time network state
(The slide marks Cisco IT’s current position on this progression with “We’re Here!”)
DNA and Next Generation Network Highlights
• Leverage network data from existing networks for new use cases
• Network consolidation and new IoT devices are driving up endpoint count
• Changing expectations caused us to think about how we work and organize differently... now we have to make sure that we are ahead of the curve
• Modern network environment is vast and complex and prone to human mistakes
• Journey from task automation to closed loop service orchestration
Catalyst 9000 Series and Open IOS-XE
Cisco IT Network Landscape 2017 (device counts)
• Access: IE3010 (19), C3850 (1671), C3750 (296), 3560C (7), C4510/8E (1301)
• Distribution/Core: C4500-X (606), C6880-X (186), C6509E/2T (463), C6807/2T (39)
• WAN: ISR 3900 (1173), ISR 2900 (702), ISR 800 (30K), ISR 4451-X (944), ASR 1002 (19), ASR 1004 (187), ASR 1006 (251)
Catalyst 9000 Series
• Catalyst 9300: fixed access
• Catalyst 9400: modular access
• Catalyst 9500: fixed core
Common across the family: converged ASIC (UADP 2.0), single image (Open IOS-XE), common licensing, x86 CPU and containers.
With the Catalyst 9000 Series -
• 1 common HW architecture (UADP 2.0)
• 1 software image (Open IOS-XE)
• Device bootstrap and onboarding
• Standards-based, structured programmability
• Apps and services embedded in fabric
Perpetual and Fast PoE
• Perpetual PoE: With Perpetual PoE, the PoE power is maintained during a switch reload. This is important for IoT endpoints such as PoE-powered lights, so that there is no disruption during switch reboot
• Fast PoE: When power is restored to a switch, PoE starts delivering power to endpoints without waiting for the operating system to fully load, thereby speeding up the time for the endpoint to start up
Infrastructure Foundation: Embedded Security - Encrypted Traffic Analytics
• Encrypted Traffic Analytics on the switch feeds StealthWatch (machine learning) and ISE (context & mitigation)
• Primary use-case: malware in encrypted traffic
• Secondary use-case: cryptographic audits
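The cryptographic-audit use case above works on the first packet of a TLS flow (the ClientHello, which the switch exports as the flow's initial data packet) without decrypting anything. The following is an added example for this page, not ETA or StealthWatch code: it parses a ClientHello, extracts the offered protocol versions and cipher suites, and flags legacy versions and obsolete suites. The two sample ClientHellos are constructed in the block, not captured traffic; the cipher-suite table is a small subset of the IANA registry.

```python
"""Cryptographic audit of a TLS ClientHello, the kind of check the ETA
"secondary use-case" performs on a flow's initial data packet.
Added illustration for this page; not Cisco ETA or StealthWatch code.
Sample ClientHellos are constructed below, not captured traffic."""
from typing import Dict, List, Sequence, Tuple

Version = Tuple[int, int]

# IANA cipher suite codes (small subset; names follow the registry).
CIPHER_SUITES: Dict[int, str] = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
}
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "3DES", "MD5")
VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
                 (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 0x002B


def parse_client_hello(data: bytes) -> Dict[str, object]:
    """Extract offered protocol versions and cipher suites from a ClientHello."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = data[5:5 + int.from_bytes(data[3:5], "big")]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hs) < 35:
        raise ValueError("truncated ClientHello")
    pos = 0
    legacy_version = (hs[pos], hs[pos + 1])
    pos += 2
    pos += 32                                   # client random
    pos += 1 + hs[pos]                          # legacy session id
    cs_len = int.from_bytes(hs[pos:pos + 2], "big")
    pos += 2
    suites = [int.from_bytes(hs[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hs[pos]                          # compression methods
    versions: List[Version] = [legacy_version]
    if pos + 2 <= len(hs):                      # extensions are optional
        end = pos + 2 + int.from_bytes(hs[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype = int.from_bytes(hs[pos:pos + 2], "big")
            elen = int.from_bytes(hs[pos + 2:pos + 4], "big")
            edata = hs[pos + 4:pos + 4 + elen]
            if etype == EXT_SUPPORTED_VERSIONS and elen >= 1:
                # TLS 1.3 clients list their real versions here; the legacy
                # field above then only says 1.2.
                versions = [(edata[i], edata[i + 1]) for i in range(1, 1 + edata[0], 2)]
            pos += 4 + elen
    return {"versions": versions, "cipher_suites": suites}


def audit(hello: Dict[str, object]) -> List[str]:
    """Return findings: highest version below TLS 1.2, and obsolete suites offered."""
    findings: List[str] = []
    best = max(hello["versions"])
    if best < (3, 3):
        findings.append(f"highest offered version {VERSION_NAMES.get(best, best)} is below TLS 1.2")
    for code in hello["cipher_suites"]:
        name = CIPHER_SUITES.get(code, f"UNKNOWN_0x{code:04X}")
        if any(marker in name for marker in WEAK_MARKERS):
            findings.append(f"weak cipher suite offered: {name}")
    return findings


def build_client_hello(legacy: Version, suites: Sequence[int],
                       supported: Sequence[Version] = ()) -> bytes:
    """Construct a minimal ClientHello (zero random, empty session id)."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    body = bytes(legacy) + bytes(32) + b"\x00"
    body += len(cs).to_bytes(2, "big") + cs + b"\x01\x00"   # one method: null
    ext = b""
    if supported:
        vs = b"".join(bytes(v) for v in supported)
        edata = bytes([len(vs)]) + vs
        ext = EXT_SUPPORTED_VERSIONS.to_bytes(2, "big") + len(edata).to_bytes(2, "big") + edata
    body += len(ext).to_bytes(2, "big") + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


# Constructed sample initial data packets, keyed by the flow they came from.
SAMPLE_FLOWS: Dict[str, bytes] = {
    "legacy-printer": build_client_hello((3, 1), [0x0005, 0x000A, 0x002F]),
    "modern-laptop": build_client_hello((3, 3), [0x1301, 0xC02B, 0xC02F], [(3, 4), (3, 3)]),
}


def audit_flows(flows: Dict[str, bytes]) -> Dict[str, List[str]]:
    return {name: audit(parse_client_hello(idp)) for name, idp in flows.items()}


if __name__ == "__main__":
    for name, findings in audit_flows(SAMPLE_FLOWS).items():
        print(name, findings or ["ok"])
```

The parser only needs the first record of the flow, which is why this audit can run on a NetFlow-style export rather than a full capture. Note that it reports what the client offers, not what was negotiated; a server selecting a strong suite from a weak list still leaves the client in the finding, which is the point of an inventory-style audit.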
Cisco IT Catalyst 9000 Migration Path
• Access targets: C9400 10-slot, Sup1, mGig; C9300 48-port mGig
• Distribution/Core: C6880-X, C6509E/2T, C6807-XL/2T migrate to C9500 40X
• WAN: ISR 4451-X, ASR 1006, ASR 1004
Open IOS-XE 16 - Hardware Migration Strategy

Network Function | Capacity Criteria | Current Hardware | Comments | Target Hardware | Hardware Status
CORE/AG GW | - | ASR 1006 | RP1, ESP5, ESP10, SIP10 not supported | RP2, ESP40/100/200, SIP40 | General Deployment
WAN GW | > GE WAN | ASR 1004 | RP1, ESP5, ESP10, SIP10 not supported | RP2, ESP40, SIP40 | General Deployment
WAN GW | <= GE WAN | ISR 4451-X | - | ISR 4451-X | General Deployment
LAN GW | > 40 ports | CAT 6500/6800/Sup2T | Support thru 2024, will not support Open IOS-XE | TBD | Participate in EFT
LAN GW | <= 40 ports | CAT 4500-X | Support thru 2024, will not support Open IOS-XE | CAT 9500 | Limited Deployment
LAN SW | > 192 ports | CAT 4510/Sup8E | Support thru 2024, will not support Open IOS-XE | CAT 9400 10-slot, dual Sup-1, mGig | Limited Deployment
LAN SW | <= 192 ports | CAT 3850-UPOE | Runs Open IOS-XE, UADP v1 | CAT 9300 mGig | Limited Deployment
LAN SW | no HVAC | IE 3010 | Will not support Open IOS-XE | CAT 9300 mGig | Limited Deployment
LAB GW | > 16 ports | CAT 6880-X | Support thru 2024, will not support Open IOS-XE | CAT 9500 | Participate in EFT
LAB GW | <= 16 ports | ISR 4451-X | - | ISR 4451-X | General Deployment
Voice GW | CUBE/SIP | ASR 1002 | 1002 chassis, RP1, ESP5/10, SIP10 not supported | ASR 1004, RP2, ESP40 | General Deployment
Voice GW | SRST | ISR 4451-X | - | ISR 4451-X | General Deployment
Console GW | > 64 async | ISR G2 3945 | HW end of sale 12/2017 | ISR 4451-X, NIM-24A, CAN-ASYNC-8 | General Deployment
Console GW | <= 64 async | ISR G2 2901 | HW end of sale 12/2017 | ISR 4331, AC PS, NIM-24A, CAN-ASYNC-8 | General Deployment
Console GW | DC voltage | ISR G2 2911 | HW end of sale 12/2017 | ISR 4331, DC PS, NIM-24A, CAN-ASYNC-8 | General Deployment
NFV | N/A | - | Investigate Network Function Virtualization | ENCS 5412 | vBranch demo at Cisco Live Cancun
WLC | - | WiSM2, WLC 5508, 3850 Converged Access | - | WLC 5520 | Limited Deployment
WLC | - | - | - | Virtualized controller for C9K | Participate in EFT
APs | - | 3700 Series | Will not support IPv6, AVC in DNA/SDA | NG AP | Participate in EFT
WAAS | Core/Campus | WAVE 8541 | - | UCS | SVL testing in progress
WAAS | Large | WAVE 7571 | - | UCS-C vWAAS50K, C9K vWAAS | SVL testing in progress
WAAS | Medium | WAVE 694 | - | UCS-E, UCS-C, ENCS-5412-W, C9K vWAAS | SVL testing in progress
WAAS | Small | ISR-WAAS | - | ISR-WAAS | SVL testing in progress
AppNav | Core/Large | WAE 594 w/10GE | - | UCS-C | SVL testing in progress
AppNav | Medium | WAE 694 | - | AppNav-XE | SVL testing in progress
AppNav | Small | AppNav-XE | - | AppNav-XE | SVL testing in progress
Open IOS-XE 16 and IOS Migration Status

Platform | Rommon Version | IOS Version | Device Count | Future Target IOS
ASR 1000/RP2 (RP1, ESP10, SIP10 unsupported) | 16.3(2r) *required | 16.6.2 | 17 | 16.6.3 (CCO target 02/02/18); 16.8.1 (3/30)
ISR 4451 | 16.2(1r) | 16.6.2 | 37 (4451 + 4331) | 16.6.3 (CCO target 02/02/18); 16.8.1 (3/30)
ISR 4331 | 16.4(3r) | 16.6.2 | (counted with ISR 4451) | 16.6.3 (CCO target 02/02/18); 16.8.1 (3/30)
vEdge 1000 | N/A | 17.2.1 | 4 | -
ENCS 5412 | BIOS 2.4, NFVIS 3.6.2 | 16.6.2 | 2 | 16.6.3 (CCO target 02/02/18); 16.8.1 (3/30)
ISR G2 3945, ISR G2 2901 | 15.0(1r)M16 | 15.7.3M | 41 | -
CAT 9500 | N/A | 16.6.2 | 2 | 16.6.3 (CCO target 02/02/18); 16.8.1 (3/30)
CAT 9400 | N/A | 16.6.2 | 0 | 16.6.3 (CCO target 02/02/18); 16.8.1 (3/30)
CAT 9300 | N/A | 16.6.2 | 26 | 16.6.3 (CCO target 02/02/18); 16.8.1 (3/30)
CAT 6500/2T | 12.2(50r)SYS4 | 15.4(1)SY2 | 21 | 15.5(1)SY1 (CCO target 01/25/18)
CAT 4500/8E | 15.1(1r)SG10 | 3.9.2E | 30 (4500/8E + 4500-X) | 3.10.1E (CCO target 02/21/18)
CAT 4500-X | 15.0(1r)SG15 | 3.9.2E | (counted with CAT 4500/8E) | 3.10.1E (CCO target 02/21/18)
CAT 3850 | N/A | 16.3.5 | 0 | 16.3.6 (CCO target 02/21/18)
WiSM2, 5508 | N/A | 8.0.152 | 600+ | 8.5.110 (MR1)
5520 | N/A | 8.5.110 (MR1) | 2 | -
Cisco Fleet – Technology Release Process
1. Solution Verification Lab: verifies new designs, hardware, software and processes; holistic testing with automation; provides certification testing services
2. Pilot Deployment: funnels technology and capabilities for small pilot and testing; mirror of production network
3. Limited Deployment: pilot for evaluation in production network; limited to a few locations; monitored to ensure issues can be mitigated quickly
4. Network Refresh (Fleet): ongoing upgrade cycle for all products in all sites; ensures the IT network’s hardware and software are current
Catalyst 9000 Series and Open IOS-XE Highlights
• Strategy to stop investing in older hardware and start deployment of C9K HW
• 24 C9300s deployed in North Sydney, 2 C9300s deployed in Sendai
• 7 deployment stopper defects identified and fixes integrated into 16.6.2 and 16.3.6
• Common hardware and a single IOS-XE image will reduce our OPEX
• Plug and Play, image management, and config automation are important to reduce cost
• ETA export from 2 C9300 sites, 2 ISR4K sites, and 2 ASR1K WAN aggregation sites
• ThousandEyes performance agent running on C9K, ISR4K, ASR1K, ENCS5K
• Analyze network infrastructure for hardware unsupported by Open IOS-XE 16
• Some platforms require rommon upgrades prior to installing Open IOS-XE 16
• Be aware of potential speed negotiation issues for mGig models and modules
Software Defined Access (SDA)
DNA Center - High-Level Architecture
• Northbound: open REST APIs (also used by third-party IPAM)
• Cisco DNA Center = NDP (Network Data Platform) + APIC-EM 2.0 + ISE
• Southbound management protocols: CLI, SNMP, PnP, NETCONF
• Telemetry protocols: NetFlow, SNMP, Syslog, streaming
• Managed infrastructure (physical, virtual, and cloud): wireless APs, Catalyst 2000/3000, Catalyst 4000/6000, Nexus 7000, WLC, ISR/ASR, NFV-IS
• Cisco Meraki is reached through the Meraki dashboard and the Meraki Dashboard API
DNA Center: next-gen platform to enable digital capabilities (enterprise WAN and access networks, wired and wireless)
Assurance:
• Predictive: machine learning-based detection of problems prior to occurrence
• Proactive: faster troubleshooting with problems and trends correlation and dynamic thresholding
• E2E visibility: scalable data collection and reporting for reactive troubleshooting and planning
Automation:
• Profiles: standardized configurations for multi-PIN services
• Policy abstraction: expressing the business intent rather than a feature
• Validation: machine learning-based network-wide configuration validation prior to deployment
Assurance and automation together form a closed, self-optimizing loop.
DNA-Center High-Level Deployment Schedule
Q4 CY17 – Proof of concept and evaluation
• Collaborate with BU on IT use-cases for: contextual dashboard, image management, ITSM integration
• Set up lab environment for DNA-C, ISE, C9K, and SDA
Q1 CY18 – Coordinate global installation
• 3 regional pairs
• Monitor 2 sites in 2 weeks post FCS
• Monitor 10 sites in 4 weeks post FCS
Beyond – Additional pilots
• SDA, PnP (ZTP), Assurance, NDP, PathTrace, SD-WAN
Secure Network Access at Cisco
Components: Identity Services Engine; wireless devices; AnyConnect VPN (all mobile); WSA, ESA + AMP; wired network devices; Adaptive Security Appliance; Cisco core network; home access (CVO); device management; StealthWatch.
The 4 stages:
1. Profiling
2. Authentication
3. Posture
4. Enforcement
Cisco IT ISE Production Deployment
• Internet Only: ISE 1.2, 8 VMs, 2 DCs
• Corporate Access (WLAN, CVO, VPN, LAN): ISE 2.1, 24 VMs, 8 DCs
• 1.5 million active profiled “endpoints”; max ~450K concurrent “endpoints”
• 27K CVO: ~60K endpoints
• 580 WLCs: ~200K endpoints
• 70 ASAs: ~90K endpoints
• 2K switches: ~200K endpoints
• 8 sites: ~8K endpoints
• ~14K guests/week via Central Web Auth (CWA)
What is a Fabric?
• Users or devices / device management: secure risky IoT devices, mobile devices, printers
• Programmable overlay: dynamic path setup and client mobility; network segmentation via virtual networks (VNs); user/device segmentation via segments (groups)
• Prescriptive underlay: topology and protocol independent; leverages standards-based network infrastructure; optimized forwarding, load-balancing & scale
Software Defined Access = Campus Fabric + Wireless Integration + Automation & Orchestration
Campus fabric managed box-by-box:
• SmartCLI macros
• Simple user inputs
• Customized workflows
• Box-by-box management
• Wireless overlay
Campus fabric with DNA Center (automated workflows: design, provision, policy, assurance):
• Programmable APIs (REST / NETCONF)
• Automated workflows
• Centralized management
• Wireless overlay
What is unique about SDA Fabric?
Key components:
• Control-plane based on LISP
• Data-plane based on VXLAN
• Policy-plane with Cisco TrustSec (CTS)
Cisco hardware and software innovations: UADP and QFP allow for flexibility, key to supporting the evolution to network fabrics.
Key differences:
• L2 + L3 overlay -vs- L2 or L3 only
• Host mobility with anycast gateway
• Adds VRF + SGT into the data-plane
• Virtual tunnel endpoints (no static)
• No topology limitations (basic IP)
SD-Access Fabric Architecture: Roles and Terminology
• Control-Plane (CP) Node – Map system that manages Endpoint ID to Location relationships. Also known as Host Tracking DB (HTDB)
• Edge Nodes – A fabric device (e.g. access or distribution) that connects wired endpoints to the SDA fabric
• Border Nodes – A fabric device (e.g. core) that connects external L3 network(s) to the SDA fabric
• Intermediate Nodes (underlay)
• Group Repository – External ID services (e.g. ISE / AD) are leveraged for dynamic user or device to group mapping and policy definition
• DNA Controller – Enterprise SDN controller that provides GUI management abstraction via multiple service apps, which share information
• Fabric Wireless Controller – Wireless controller (WLC) that is fabric-enabled and participates in the LISP control plane
• Fabric Mode APs – Access points that are fabric-enabled. Wireless traffic is VXLAN encapsulated at the AP
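To make the roles above concrete, the following is an added example for this page (not Cisco's implementation): a control-plane node holding the host tracking database, edge nodes that register the endpoints behind them and encapsulate traffic towards the destination's RLOC, and a VXLAN header that carries both the virtual network (VNI) and the source group (SGT) in the data plane, as the "adds VRF + SGT into the data-plane" point describes. The VNI values, SGT numbers and the 10.1.0.x loopbacks are made up; the header layout follows the VXLAN group-policy extension.

```python
"""Toy model of the SD-Access roles: control-plane node with the HTDB, edge
nodes that register endpoints and encapsulate in VXLAN with group policy
(VNI for the virtual network, SGT for the group). Added illustration for this
page, not Cisco's implementation; VNIs, SGTs and loopbacks are made up."""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# VXLAN-GPO header (draft-smith-vxlan-group-policy), 8 bytes:
#   byte 0 flags: G=0x80 (Group Policy ID present), I=0x08 (VNI present)
#   byte 1 flags: D=0x40 (don't learn), A=0x08 (policy applied)
#   bytes 2-3: Group Policy ID (the SGT); bytes 4-6: VNI; byte 7 reserved
FLAG_G, FLAG_I = 0x80, 0x08


@dataclass
class Registration:
    rloc: str   # underlay loopback of the edge node the endpoint sits behind
    sgt: int    # group assigned at authentication (from ISE in the real design)


@dataclass
class ControlPlaneNode:
    """Map system: (VNI, endpoint ID) -> registration, i.e. the HTDB."""
    htdb: Dict[Tuple[int, str], Registration] = field(default_factory=dict)

    def register(self, vni: int, eid: str, reg: Registration) -> None:
        self.htdb[(vni, str(ipaddress.ip_address(eid)))] = reg

    def resolve(self, vni: int, eid: str) -> Optional[Registration]:
        # Lookups are scoped to the VNI: an EID in another VN is invisible,
        # which is what keeps virtual networks isolated in the overlay.
        return self.htdb.get((vni, str(ipaddress.ip_address(eid))))


def vxlan_gpo_encap(vni: int, sgt: int, inner: bytes) -> bytes:
    if not 0 <= vni < 1 << 24 or not 0 <= sgt < 1 << 16:
        raise ValueError("VNI is 24 bits, SGT is 16 bits")
    return struct.pack("!BBHI", FLAG_G | FLAG_I, 0, sgt, vni << 8) + inner


def vxlan_gpo_decap(pkt: bytes) -> Tuple[int, Optional[int], bytes]:
    if len(pkt) < 8:
        raise ValueError("short VXLAN header")
    flags, _, gpid, vni_res = struct.unpack("!BBHI", pkt[:8])
    if not flags & FLAG_I:
        raise ValueError("VNI flag not set")
    sgt = gpid if flags & FLAG_G else None   # no group carried: policy must fall back
    return vni_res >> 8, sgt, pkt[8:]


@dataclass
class EdgeNode:
    name: str
    rloc: str
    cp: ControlPlaneNode

    def attach(self, vni: int, eid: str, sgt: int) -> None:
        """An endpoint authenticated on an access port: register it at this RLOC."""
        self.cp.register(vni, eid, Registration(self.rloc, sgt))

    def forward(self, vni: int, src: str, dst: str, payload: bytes
                ) -> Optional[Tuple[str, bytes]]:
        """Resolve the destination in the HTDB and encapsulate towards its RLOC.
        Returns None when the destination is unknown in this VN (a real edge
        would then hand the packet to the border node)."""
        src_reg, dst_reg = self.cp.resolve(vni, src), self.cp.resolve(vni, dst)
        if src_reg is None or dst_reg is None:
            return None
        return dst_reg.rloc, vxlan_gpo_encap(vni, src_reg.sgt, payload)


def demo() -> Tuple[EdgeNode, EdgeNode, int, int]:
    cp = ControlPlaneNode()
    sw1 = EdgeNode("LAN-SW1", "10.1.0.1", cp)
    sw2 = EdgeNode("LAN-SW2", "10.1.0.2", cp)
    employee_vn, iot_vn = 4097, 4098            # constructed VNI values
    sw1.attach(employee_vn, "10.1.16.10", sgt=10)
    sw2.attach(employee_vn, "10.1.32.20", sgt=10)
    sw2.attach(iot_vn, "10.1.48.30", sgt=30)
    return sw1, sw2, employee_vn, iot_vn


if __name__ == "__main__":
    sw1, sw2, employee_vn, iot_vn = demo()
    rloc, frame = sw1.forward(employee_vn, "10.1.16.10", "10.1.32.20", b"hello")
    print(rloc, frame[:8].hex(), vxlan_gpo_decap(frame))
    print(sw1.forward(employee_vn, "10.1.16.10", "10.1.48.30", b"x"))   # None: other VN
```

The point to take from the model: the VNI scopes the lookup, so a host in the employee VN cannot even resolve an IoT-VN host, and the SGT rides in the header rather than being inferred from the address, which is what lets the policy plane stay independent of where a host is plugged in.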
SD-Access Wireless Architecture: Simplifying the Control Plane
• DNAC provides policy abstraction and configuration automation; it simplifies the fabric deployment, including the wireless integration component
• Fabric enabled WLC: the WLC is part of the LISP control plane
• Centralized wireless control plane: the WLC still provides client session management (AP management, mobility, RRM, etc.), with the same operational advantages as CUWN
• CAPWAP remains the control plane between APs and WLC; LISP is the fabric control plane
• LISP control plane management: the WLC integrates with the LISP control plane and updates the CP for wireless clients; mobility is integrated in the fabric thanks to the LISP CP
SD-Access Wireless Architecture: Optimizing the Data Plane
• Fabric enabled WLC: the WLC is part of the LISP control plane (CAPWAP control plane to the APs)
• Fabric enabled AP: the AP encapsulates fabric SSID traffic in VXLAN
• VXLAN from the AP carries hierarchical policy segmentation starting from the edge of the network
• Optimized distributed data plane: fabric overlay with anycast GW + stretched subnet; VLAN extension with no complications; all roaming is Layer 2
SD-Access Platform Support
• Switching: Catalyst 9300, 9400, 9500; Catalyst 3850 and 3650; Catalyst 4500E; Catalyst 6K; Nexus 7700
• Routing: ASR-1000-X, ASR-1000-HX, ISR 4430, ISR 4450, CSRv
• Wireless: AIR-CT5520, AIR-CT8540, AIR-CT3504; Wave 2 APs (1800, 2800, 3800); Wave 1 APs (1700, 2700, 3700)*
• Subtended nodes: CDB, 2960-CX, 3560-CX
Cisco IT Analysis - Software Defined Access
Gains with SDA...
• Agile use of virtual networks
• Easy segmentation & enforcement
• Decouple identity from location
• IPv4 subnet consolidation
• Cisco confidence in its technology and Ops experience
• Fabric wide RBAC/DUP
• Improved segment lifecycle
Losses with SDA…
• IPv6 (maybe able to use AnyConnect)
• Non-optimal multicast path
• Centralized architecture – exposure to large fault domain
• Increased support skillset required
• Migrate to Cisco ONE SW licensing, new CAPEX/OPEX model
SDA High Level Architecture
Diagram: a core interconnecting multiple campus, DC and remote office sites.
Fabrics will allow us to divide into easily managed virtual networks. For each virtual network, logical security groups can be formed that abstract the underlying network address used.
Per-ISP Fabric Design
Diagram elements: Internet; ISP-GW’s; external border nodes; internal border nodes; control nodes; GB-GW’s (CAPNET and DC); fusion routers; edge nodes in the campus and the remote office.
Campus – Single Host Pool
Diagram: campus core with a fusion router (DHCP); Building Cluster 1 (Fabric1) and Building Cluster 2 (Fabric2), each with a desktop cluster gateway (+control node +border node), desktop gateways acting as intermediate nodes in Building 1 and Building 2, and edge nodes (LAN-SW1 loopback 10.1.x.1/32, LAN-SW2 loopback 10.1.x.2/32, further LAN-SW edge nodes).
Addressing (Cisco Prod VN1):
• Fabric1: host cluster pool 10.1.x.0/20, summary route 10.1.x.0/20, P2P links 10.1.x.0/30
• Fabric2: host cluster pool 10.2.x.0/20, summary route 10.2.x.0/20, P2P links 10.1.x.0/30 (as printed on the slide)
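A plan like the one above (a /16 per fabric, /20 host pools per building cluster, /32 loopbacks per edge node, /30 point-to-point links, one summary route out of the border) is easy to get wrong by hand once there are dozens of fabrics, so the following is an added example for this page, not Cisco IT tooling: a small generator that carves the prefixes and checks that nothing overlaps and everything aggregates to the fabric summary. It assumes the first /20 of each fabric is reserved for infrastructure (one /24 of loopbacks, one /24 of P2P links); the slide does not say where its loopbacks and P2P links actually sit.

```python
"""Address-plan generator for the single-host-pool layout: a /16 per fabric
carved into /20 building-cluster host pools, /32 loopbacks for edge nodes,
/30 P2P links, plus overlap and aggregation checks. Added illustration for
this page, not Cisco IT tooling. Assumption: the first /20 of the fabric is
reserved for infrastructure (loopbacks in its first /24, P2P in its second)."""
import ipaddress
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, Iterable, List, Sequence, Tuple

Net = ipaddress.IPv4Network


@dataclass
class FabricPlan:
    summary: Net                       # the summary route the border advertises
    infra: Net                         # reserved block for loopbacks and P2P
    host_pools: List[Net]              # one per building cluster
    loopbacks: Dict[str, Net]          # edge node name -> /32
    p2p: Dict[Tuple[str, str], Net]    # link (a, b) -> /30

    def prefixes(self) -> List[Net]:
        return self.host_pools + list(self.loopbacks.values()) + list(self.p2p.values())


def plan_fabric(fabric_cidr: str, edge_nodes: Sequence[str],
                p2p_links: Sequence[Tuple[str, str]], pool_prefixlen: int = 20) -> FabricPlan:
    fabric = ipaddress.ip_network(fabric_cidr)
    blocks = list(fabric.subnets(new_prefix=pool_prefixlen))
    infra, host_pools = blocks[0], blocks[1:]          # blocks[0] reserved (assumption)
    loop_block, p2p_block = list(infra.subnets(new_prefix=24))[:2]

    hosts = loop_block.hosts()                          # .1, .2, ... become /32 loopbacks
    loopbacks = {name: ipaddress.ip_network(f"{next(hosts)}/32") for name in edge_nodes}

    links = p2p_block.subnets(new_prefix=30)            # 64 links per /24
    p2p = {link: next(links) for link in p2p_links}

    return FabricPlan(fabric, infra, host_pools, loopbacks, p2p)


def disjoint(nets: Iterable[Net]) -> bool:
    """True when no two prefixes overlap."""
    return all(not a.overlaps(b) for a, b in combinations(list(nets), 2))


def aggregates_to(nets: Iterable[Net], summary: Net) -> bool:
    """True when every prefix falls inside the summary route."""
    return all(n.subnet_of(summary) for n in nets)


def validate(plan: FabricPlan) -> bool:
    nets = plan.prefixes()
    return disjoint(nets) and aggregates_to(nets, plan.summary)


if __name__ == "__main__":
    plan = plan_fabric("10.1.0.0/16", ["LAN-SW1", "LAN-SW2"],
                       [("LAN-SW1", "GW1"), ("LAN-SW2", "GW1")])
    print("summary", plan.summary, "host pools", len(plan.host_pools))
    print("loopbacks", plan.loopbacks)
    print("p2p", plan.p2p)
    print("valid", validate(plan))
```

Running it for Fabric2 with "10.2.0.0/16" gives the mirrored plan; the P2P block then falls under 10.2.x rather than the 10.1.x shown for both fabrics on the slide, which is worth confirming against the real design before relying on the summary route.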
Global SDA fabrics and TrustSec
Diagram: Fabric1 (10.1.0.0/16) and Fabric2 (10.2.0.0/16) joined across the core, with an SGT-IP reflector between them; each fabric carries endpoints in SGT 1, SGT 2 and SGT 3.
ISE policy: endpoint to SGT mapping.
SGT rules (the same in both fabrics):
• Permit SGT1 to SGT1
• Deny SGT1 to SGT2
Fabric and TrustSec work together to provide a scalable way to segment the network.
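The following is an added example for this page, not ISE or TrustSec code, showing how the rules above are evaluated independently of addresses: ISE maps endpoints to SGTs, the matrix is written in groups, and the enforcing edge node takes the source group from the inline tag when one is present and otherwise from an IP-to-SGT binding, which is how traffic arriving from the other fabric across the core can still be classified. The reflector between fabrics is modelled simply as a shared binding table (an assumption about the slide's "SGT-IP Reflector"); the addresses, SGT numbers and the deny-by-default setting are made up, and only the two rules quoted from the slide are taken from it.

```python
"""Group-based policy enforcement: endpoint-to-SGT bindings, an SGACL matrix
keyed by (source SGT, destination SGT), and an edge-node decision that
prefers the inline tag over the IP binding. Added illustration for this page,
not ISE/TrustSec code; addresses, SGT numbers and the deny default are made
up, and the cross-fabric reflector is modelled as a shared binding table."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Action = str  # "permit" or "deny"


class SgtBindings:
    """IP-to-SGT bindings (host or subnet); the most specific prefix wins."""

    def __init__(self) -> None:
        self._bindings: List[Tuple[ipaddress.IPv4Network, int]] = []

    def add(self, prefix: str, sgt: int) -> None:
        self._bindings.append((ipaddress.ip_network(prefix, strict=False), sgt))
        self._bindings.sort(key=lambda b: b[0].prefixlen, reverse=True)

    def lookup(self, ip: str) -> Optional[int]:
        addr = ipaddress.ip_address(ip)
        for net, sgt in self._bindings:
            if addr in net:
                return sgt
        return None


class SgaclMatrix:
    """Source SGT x destination SGT -> action; unlisted cells use the default."""

    def __init__(self, default: Action = "deny") -> None:
        self.default = default
        self.cells: Dict[Tuple[int, int], Action] = {}

    def set(self, src_sgt: int, dst_sgt: int, action: Action) -> None:
        if action not in ("permit", "deny"):
            raise ValueError(action)
        self.cells[(src_sgt, dst_sgt)] = action

    def action(self, src_sgt: Optional[int], dst_sgt: Optional[int]) -> Action:
        if src_sgt is None or dst_sgt is None:
            return self.default          # unknown group: fail closed
        return self.cells.get((src_sgt, dst_sgt), self.default)


def enforce(matrix: SgaclMatrix, bindings: SgtBindings,
            src_ip: str, dst_ip: str, inline_sgt: Optional[int] = None) -> Action:
    """Decision at the destination edge node. A source SGT carried inline
    (from the VXLAN header) is authoritative; without it, fall back to the
    IP-to-SGT binding, which is how traffic from the other fabric that
    crossed the core without a tag gets classified."""
    src_sgt = inline_sgt if inline_sgt is not None else bindings.lookup(src_ip)
    dst_sgt = bindings.lookup(dst_ip)
    return matrix.action(src_sgt, dst_sgt)


def build_demo() -> Tuple[SgaclMatrix, SgtBindings]:
    bindings = SgtBindings()
    bindings.add("10.1.16.0/20", 1)      # Fabric1 host pool -> SGT 1
    bindings.add("10.2.16.0/20", 1)      # Fabric2 host pool -> SGT 1 (reflected)
    bindings.add("10.2.16.50/32", 2)     # one device inside that pool -> SGT 2
    bindings.add("10.1.48.0/20", 3)      # Fabric1 pool for SGT 3
    matrix = SgaclMatrix(default="deny")
    matrix.set(1, 1, "permit")           # slide rule: permit SGT1 to SGT1
    matrix.set(1, 2, "deny")             # slide rule: deny SGT1 to SGT2
    return matrix, bindings


if __name__ == "__main__":
    m, b = build_demo()
    print(enforce(m, b, "10.1.16.10", "10.2.16.20"))                # permit (1 -> 1)
    print(enforce(m, b, "10.1.16.10", "10.2.16.50"))                # deny (1 -> 2)
    print(enforce(m, b, "10.1.16.10", "10.1.16.11", inline_sgt=3))  # deny: inline tag wins
```

Two details matter operationally. A host binding overrides the subnet binding it sits in, so a single printer in the SGT 1 pool can still be classified as SGT 2; and when neither an inline tag nor a binding exists the decision falls to the matrix default, so that default decides whether an unbound endpoint is reachable at all.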
Cisco IT Analysis - SDA Gap Summary
• IPv6 support essential: the March release of SDA will support IPv6
• Wireless support: 5508/WiSM2 have no fabric support (OTT only); 3700 Series APs are fabric aware
• Non-fabric switch support: ability to support non-fabric switches (e.g. IE switches for parking lots etc.); March release required
• TrustSec IPv6 ACL support on 4510/C9K: the major benefit of consolidating and segmenting the network cannot be realized without IPv6 ACL support in TrustSec on the 4510 or C9K
• DNA Center 10 fabric limit: need 20-25 fabrics
• Fabric 100 ms limit: needs to be increased to 150-200 ms to support remote offices
Greenfield Approach: Parallel build of SDA using latest HW
Diagram: network automation, security, management and analytics stack (3x UCS 460) running APIC-EM, Prime Infra?, ISE 2.3 and NDP; a traditional side (floor 1, SSID: Blizzard, existing WLCs and existing uplinks) and an SDA side (floor 2, SSID: Blizzard-Beta, new uplinks), both reaching WAN1 and WAN2.
• Fabric built from a border router (9500) + WLC (5520) and edge routers (9300); APs connect into the fabric
• Segment FW?? (open question on the slide)
• Wired only for users on floor 2 who do not want to partake in beta testing
• Migrate users over time; expand the fabric over time
Brownfield Approach: Use existing HW creating a fabric foundation
Diagram: the same automation, security, management and analytics stack (3x UCS 460: APIC-EM, Prime Infra?, ISE 2.3, NDP); traditional floor 1 (SSID: Blizzard) and a fabric built over the existing uplinks, both reaching WAN1 and WAN2.
• Hardware: WLC 5508/WiSM2; core switch 4500/Sup8E; distribution switch 6500/2T
• Border gateway (BG): 45xx; edge gateways (EG): 3850, 4510, 9300
• APs initially tunneled over the fabric, then eventually onto the fabric
• Test groups, 6 weeks of testing each
SDA Highlights
• DNA Center lab environment and 3 regional production pairs upgraded to 1.1.1
• Providing training for network engineers on DNA Center and SDA configuration
• Cisco IT drivers for SDA deployment are centralized automation and orchestration and simplified deployment of hardware (PnP)
• Global ISE and StealthWatch infrastructure upgrades in progress for SDA/ETA
• Targeting DNA 1.2 release in the March timeframe for IPv6 and PnP support
• 5508/WiSM2 have no fabric support (OTT only); 3700 Series APs are fabric aware
• 3 production pilot sites identified for greenfield deployment of SDA
This is a journey!
Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.
Come talk to our Cisco IT Experts!
World of Solutions: Cisco on Cisco will have 5 demo booths placed around the Cisco Campus (Collaboration, AppDynamics, ACI & TA, NSO, vBranch) showcasing how Cisco IT designs, deploys, and manages our own solutions. Through these IT success stories you’ll see how Cisco solutions are driving transformational business benefits.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Tech Circle
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you