Software Defined Access - Cisco Meetup Group · Network Function Virtualization GUI Prescriptive...
AJ Shah
SE
2018
Software Defined Access
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Partner Confidential
Cisco Is Rewriting the Network Playbook
Traditional Network: Hardware Centric, Manual, Fragmented Security
The New Network: Software Driven, Automated, Built-In Security
Network Data -> Business Insights
Powered by Cisco DNA™
Cisco Catalyst 9000 – Built for SD-Access
First in enterprise
• x86 CPU with app hosting
• Programmable ASIC
• Software patching
Future-Proofed
• IEEE 802.11ax ready
• 100W PoE (IEEE 802.3bt) ready
• 25G Ethernet ready
Industry’s unmatched
• High Availability
• MultiGigabit density
• UPOE scale
SD-Access integrated
Converged ASIC (UADP 2.0)
Single Image (IOS® XE Software)
Common Licensing
Catalyst 9000 Series: 9300 – Fixed Access, 9400 – Modular Access, 9500 – Fixed Core
Security, IoT convergence, Cloud, Mobility
Catalyst 9K Platform Transitions
Backbone Switching: Catalyst 3850 Fiber 48 port, Catalyst 4500X -> 9000 Series
Access Switching: Catalyst 3850 Copper, Catalyst 4500-E -> 9000 Series
9000 Series: Catalyst 9300, Catalyst 9400, Catalyst 9500
Shift IT Time to Business Focus
Network Provisioning Time Savings: 67%
Improve Issue Resolution: 80%
Reduced Security Breach Impact: 48%
Reduced Operating Expense: 61%
Controller-based Management: Fabric Orchestration and Visibility
Single User Interface for Fabric Management
Software Defined Access: Underlay, Overlay, and Controller
DNA-C Programmable Overlay: Connects Users and Devices to each other, with policy control
Standards-based control plane (LISP)
Standards-based data plane (VXLAN)
Prescriptive Underlay: Connects the network elements to each other
Automated, standardized deployment and operation
Leverages existing network topologies (not restricted to spine/leaf)
Cisco Internal Use Only – Do Not Distribute Externally without NDA
TODAY
CLIs and scripts
Manual configurations
Script maintenance
Wired access only
Static network environments
Slow and unpredictable workload change
Hardware-centric
FUTURE
Simple user interface
Autonomic with control and visibility
Orchestration with data models
Extensibility with native 3rd party app hosting
Open sourced programmable interfaces
Seamless wired and wireless access
Programmable using software
Standards Based
Object Model APIs
TCO Savings
Enterprise Automation Key Benefits
Digital Business Drivers: Requirement for Dynamic Policy Changes
Traditional network management cannot provide sufficient dynamic management
• Focus has been on Day0/1 automation
• CLI not built for volumes of changes in machine real time
Controller based networking supports dynamic policy change
• Controller allows network to be managed as a system
• Policy management is automated and abstracted
An “Overlay” is a logical topology used to virtually connect devices, built on top of an arbitrary physical “Underlay” topology.
An “Overlay” network often uses alternate forwarding attributes to provide additional services, not provided by the “Underlay”.
• GRE or mGRE
• L2TPv2 or L2TPv3
• MPLS or VPLS
• IPSec or DMVPN
• CAPWAP
• LISP
• OTV
• DFA
• ACI
We Live in a World of L2/L3 Overlays
How is Fabric Different from an Overlay? Fabric is an Overlay
SD-Access: Manual vs. Automated Underlay
Manual Underlay: You can reuse your existing IP network as the Fabric Underlay!
• Key Requirements
• IP reach from Edge to Edge/Border/CP
• Can be L2 or L3 – We recommend L3
• Can be any IGP – We recommend ISIS
• Key Considerations
• MTU (Fabric Header adds 50B)
• Latency (max RTT <= 100 ms)
Automated Underlay: Prescriptive fully automated Global and IP Underlay Provisioning!
• Key Requirements
• Leverages standard PNP for Bootstrap
• Assumes New / Erased Configuration
• Uses a Global “Underlay” Address Pool
• Key Considerations
• PNP pre-setup is required
• 100% Prescriptive (No Custom)
Enterprise Switching and Wireless
Cisco Digital Network Architecture (diagram): Service Definition & Orchestration; Enterprise Controller (Policy Determination) exchanging Intent and Telemetry over APIs; WAN VNFs, Campus VNFs, DC VNFs and Cloud VNFs; Policy Enforcement Points (PEP) across Campus, WAN / Branch (WAN Agg, Branch, SP), Data Center, Cloud and Internet, with Apps behind them; UNI = Network Interface, PEP = Policy Enforcement Point
Network Enabled Applications
Network Function Virtualization: GUI, Prescriptive, Customized, Model-based
Topology; Easy QoS; Plug & Play; Path Optimization; Service Instantiation; Analytics
Segmentation 1, Segmentation 2, Segmentation 3 (Localized or network-wide); Service Chaining
Cisco Digital Network Architecture fabrics: SD-WAN = WAN Fabric; ACI = DC Fabric; SDA = Campus Fabric; DNA Center = APIC-EM, ISE, NDP
ISE in Enterprise: Mobility, TrustSec, Analytics, Device Admin (TACACS+), SD-Access
Cisco ISE is critical for several enterprise networking solutions
Key Concepts: What is SD-Access?
1. High-Level View
2. Roles & Platforms
3. Fabric Constructs
SD-Access Fabric Roles & Terminology
Control-Plane Nodes – Map System that manages Endpoint to Device relationships
Fabric Edge Nodes – A Fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SDA Fabric
Fabric Border Nodes – A Fabric device (e.g. Core) that connects External L3 network(s) to the SDA Fabric
Fabric Wireless Controller – A Fabric device (WLC) that connects APs and Wireless Endpoints to the SDA Fabric
Intermediate Nodes (Underlay)
Identity Services – NAC & ID Systems (e.g. ISE) for dynamic Endpoint to Group mapping and Policy definition
DNA Center – provides simple GUI management and intent based automation (e.g. NCP) and context sharing
Analytics Engine – Data Collectors (e.g. NDP) analyze Endpoint to App flows and monitor fabric status
SD-Access Fabric: Control-Plane Nodes – A Closer Look
Control-Plane Node runs a Host Tracking Database to map location information
• A simple Host Database that maps Endpoint IDs to a current Location, along with other attributes
• Host Database supports multiple Endpoint ID lookup types (IPv4, IPv6 or MAC)
• Receives Endpoint ID map registrations from Edge and/or Border Nodes for “known” IP prefixes
• Resolves lookup requests from Edge and/or Border Nodes, to locate destination Endpoint IDs
SD-Access Platforms: Control-Plane Nodes
Catalyst 9500
• Catalyst 9500
• 10/40G SFP/QSFP
• 10/40G NM Cards
• IOS-XE 16.6.3+
Catalyst 3K
• Catalyst 3850
• 1/10G SFP
• 10/40G NM Cards
• IOS-XE 16.6.3+
Catalyst 6K*
• Catalyst 6800
• Sup2T/6T
• 6840/6880-X
• IOS 15.4.1SY4+
ASR1K, ISR4K & CSRv
• CSRv
• ASR 1000-X/HX
• ISR 4300/4400
• IOS-XE 16.6.2+
* Wired Only
SD-Access Fabric: Edge Nodes – A Closer Look
Edge Node provides first-hop services for Users / Devices connected to a Fabric
• Responsible for Identifying and Authenticating Endpoints (e.g. Static, 802.1X, Active Directory)
• Register specific Endpoint ID info (e.g. /32 or /128) with the Control-Plane Node(s)
• Provide an Anycast L3 Gateway for the connected Endpoints (same IP address on all Edge nodes)
• Performs encapsulation / de-encapsulation of data traffic to and from all connected Endpoints
SD-Access Platforms: Edge Nodes
Catalyst 9400
• Catalyst 9400
• Sup1/XL
• 9400 Cards
• IOS-XE 16.6.3+
Catalyst 4K
• Catalyst 4500
• Sup8E/9E (Uplink)
• 4700 Cards
• IOS-XE 3.10.1E+
Catalyst 3K
• Catalyst 3650/3850
• 1/10G RJ45, SFP
• 10/40G NM Cards
• IOS-XE 16.6.3+
Catalyst 9300
• Catalyst 9300
• 1/10G RJ45, SFP
• 10/40/MG NM Cards
• IOS-XE 16.6.3+
SD-Access Fabric: Border Nodes – A Closer Look
Border Node is an Entry & Exit point for data traffic going Into & Out of a Fabric
There are 2 Types of Border Node!
• Internal Border – Used for “Known” Routes inside your company
• External Border (or Default) – Used for “Unknown” Routes outside your company
SD-Access Platforms: Border Nodes
Catalyst 9K
• Catalyst 9500
• 10/40G SFP/QSFP
• 10/40G NM Cards
• IOS-XE 16.6.3+
Catalyst 3K
• Catalyst 3850
• 1/10G SFP+
• 10/40G NM Cards
• IOS-XE 16.6.3+
Catalyst 6K
• Catalyst 6800
• Sup2T/6T
• 6840/6880-X
• IOS 15.4.1SY4+
Nexus 7K*
• Nexus 7700
• Sup2E
• M3 Cards
• NXOS 8.2.1+
ASR1K & ISR4K
• ASR 1000-X/HX
• ISR 4300/4400
• 1/10G/40G
• IOS-XE 16.6.3+
* External Border Only
SD-Access Fabric: Border Nodes – Internal
Internal Border advertises Endpoints to outside, and known Subnets to inside
• Connects to any “known” IP subnets available from the outside network (e.g. DC, WLC, FW, etc.)
• Exports all internal IP Pools to outside (as aggregate), using a traditional IP routing protocol(s).
• Imports and registers (known) IP subnets from outside, into the Control-Plane Map System
• Hand-off requires mapping the context (VRF & SGT) from one domain to another.
SD-Access Fabric: Border Nodes – External
External Border is a “Gateway of Last Resort” for any unknown destinations
• Connects to any “unknown” IP subnets, outside of the network (e.g. Internet, Public Cloud)
• Exports all internal IP Pools outside (as aggregate) into traditional IP routing protocol(s).
• Does NOT import unknown routes! It is a “default” exit, if no entry is available in Control-Plane.
• Hand-off requires mapping the context (VRF & SGT) from one domain to another.
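An added example, not Cisco's code and not from this deck: a toy map system in Python covering the Control-Plane, Edge and Border slides above. The node names, endpoint IDs and the hypothetical MapSystem/scenario helpers are constructed; it shows /32, /128 and MAC registrations from Edges, a "known" subnet imported by the Internal Border, a host move, and the fall-through to the External Border when no entry exists.

```python
"""Toy SD-Access control-plane map system (added illustration, not Cisco code).
Hypothetical node names and endpoint IDs; constructed for this example."""
import ipaddress
import re
from dataclasses import dataclass, field

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

@dataclass
class MapSystem:
    """Host tracking database: Endpoint ID -> current location (fabric node)."""
    external_border: str                          # "Gateway of Last Resort"
    ip_map: dict = field(default_factory=dict)    # ip_network -> node name
    mac_map: dict = field(default_factory=dict)   # mac string -> node name

    def register(self, eid: str, node: str) -> None:
        """Map-register from an Edge (/32, /128 or MAC) or from an Internal
        Border (a "known" subnet it imports). Re-registering an EID from
        another node is a host move: the newer location replaces the older."""
        if MAC_RE.match(eid):
            self.mac_map[eid.lower()] = node
        else:
            self.ip_map[ipaddress.ip_network(eid, strict=False)] = node

    def resolve(self, eid: str) -> str:
        """Map-request: the most specific entry wins. With no entry at all the
        answer is the External Border, which imports no routes on purpose and
        serves only as the default exit."""
        if MAC_RE.match(eid):
            return self.mac_map.get(eid.lower(), self.external_border)
        addr = ipaddress.ip_address(eid)
        best = max((n for n in self.ip_map if n.version == addr.version and addr in n),
                   key=lambda n: n.prefixlen, default=None)
        return self.ip_map[best] if best else self.external_border

def build_fabric() -> MapSystem:
    """Constructed fabric: two Edges, one Internal Border, one External Border."""
    cp = MapSystem(external_border="border-ext")
    cp.register("10.1.1.25/32", "edge-1")            # wired client on Edge 1
    cp.register("2001:db8:10::25/128", "edge-1")     # its IPv6 address
    cp.register("00:11:22:33:44:55", "edge-2")       # MAC-only endpoint on Edge 2
    cp.register("10.200.0.0/16", "border-int")       # "known" DC subnet imported
    return cp

def scenario() -> dict:
    """Lookups an Edge would issue, before and after a host roams."""
    cp = build_fabric()
    before = cp.resolve("10.1.1.25")
    cp.register("10.1.1.25/32", "edge-2")            # host moves Edge 1 -> Edge 2
    return {
        "host_before_move": before,
        "host_after_move": cp.resolve("10.1.1.25"),
        "v6_host": cp.resolve("2001:db8:10::25"),
        "mac_host": cp.resolve("00:11:22:33:44:55"),
        "known_dc_subnet": cp.resolve("10.200.7.9"),
        "unknown_internet": cp.resolve("198.51.100.7"),  # no entry -> External Border
    }

if __name__ == "__main__":
    for name, node in scenario().items():
        print(f"{name:18} -> {node}")
```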
SD-Access – Border Deployment: External Border, Connecting to Unknown Networks
(diagram: SD-Access Fabric with a Control-Plane node and Border nodes toward the Unknown Networks, Internet and Public Cloud)
SD-Access @ DNA Center: Border Nodes
SD-Access Support: Fabric ready platforms for your digital ready network
Routing: ASR-1000-X, ASR-1000-HX, ISR 4430, ISR 4450, ISRv/CSRv
Wireless: AIR-CT5520, AIR-CT8540, AIR-CT3504, Wave 2 APs (1800, 2800, 3800), Wave 1 APs* (1700, 2700, 3700)
Switching: Catalyst 9500, Catalyst 9400, Catalyst 9300, Catalyst 4500E, Catalyst 6800, Nexus 7700, Catalyst 3650 and 3850
Extended (Cisco Digital Building): Catalyst 3560-CX, IE Series (4K/5K)
* with Caveats
SD-Access Platforms: Fabric Wireless
Wave 2 APs
• 1800/2800/3800
• 11ac Wave2 APs
• 1G/mGIG RJ45
• AireOS 8.5.1+
Wave 1 APs*
• 1700/2700/3700
• 11ac Wave1 APs
• 1G RJ45
• AireOS 8.5.1+
5500 WLC
• AIR-CT5520
• 1500 APs
• 1G/10G SFP+
• AireOS 8.5.1+
8500 WLC
• AIR-CT8540
• 5000 APs
• 1G/10G SFP+
• AireOS 8.5.1+
3504 WLC
• AIR-CT3504
• 150 APs
• 1G/mGig RJ45
• AireOS 8.5.1+
* Some caveats with Wave1 APs.
SD-Access Wireless Architecture: Simplifying the Control Plane
(diagram: ISE / AD, DNAC and WLC alongside the SD-Access Fabric; DNAC provides Policy Abstraction and Configuration Automation; CAPWAP control plane and LISP control plane)
DNAC simplifies the Fabric deployment, including the wireless integration component
Fabric enabled WLC:
WLC is part of LISP control plane
Centralized Wireless Control Plane
WLC still provides client session management, AP Mgmt, Mobility, RRM, etc.
Same operational advantages of CUWN
LISP control plane Management:
WLC integrates with LISP control plane
WLC updates the CP for wireless clients
Mobility is integrated in Fabric thanks to LISP CP
BRKEWN-2020
Centralized Unified Wireless Network Strengths
(diagram: ISE / AD and WLC with CAPWAP (Control) and CAPWAP (Data) tunnels)
Simplified IP addressing? WLC as mobility Anchor
Simplified operations? Yes with WLC
Network Overlay? CAPWAP
L3 roaming across Campus? WLC as Mobility Anchor
Guest traffic segmentation? Foreign-Anchor
SD-Access Fabric: Fabric Enabled Wireless – A Closer Look
Fabric Enabled WLC is integrated into Fabric for SDA Wireless clients
• Connects to Fabric via Border (Underlay)
• Fabric Enabled APs connect to the WLC (CAPWAP) using a dedicated Host Pool (Overlay)
• Fabric Enabled APs connect to the Edge via VXLAN
• Wireless Clients (SSIDs) use regular Host Pools for data traffic and policy (same as Wired)
• Fabric Enabled WLC registers Clients with the Control-Plane (as located on local Edge + AP)
Data: VXLAN, Ctrl: CAPWAP
SD-Access Fabric: Scalable Groups – A Closer Look
Scalable Group is a logical policy object to “group” Users and/or Devices
• Nodes use “Scalable Groups” to ID and assign a unique Scalable Group Tag (SGT) to Endpoints
• Nodes add a SGT to the Fabric encapsulation
• SGTs are used to manage address-independent “Group-Based Policies”
• Edge or Border Nodes use SGT to enforce local Scalable Group ACLs (SGACLs)
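An added example, not Cisco's code and not from this deck, of what "address-independent" group-based policy means in practice: the ingress Edge classifies the source endpoint by identity into an SGT and carries it in the fabric header, and the egress Edge or Border looks up the destination's SGT locally and applies the SGACL cell. Group names, SGT values, MAC/IP addresses, the SGACL matrix and the helper names are all constructed.

```python
"""Group-based policy with SGTs (added illustration, not Cisco code).
Group names, SGT numbers, endpoints and the SGACL matrix are constructed."""
from dataclasses import dataclass

SGT_BY_GROUP = {"Employees": 4, "Contractors": 5, "Cameras": 17, "Servers": 23}
SGT_UNKNOWN = 0                     # endpoint with no group binding

# SGACL matrix: (source SGT, destination SGT) -> action. Unlisted cells deny.
SGACL = {
    (4, 23): "permit",              # Employees -> Servers
    (5, 23): "deny",                # Contractors -> Servers
    (17, 23): "permit",             # Cameras -> Servers (video storage)
    (17, 4): "deny",                # Cameras -> Employees
    (4, 4): "permit",               # Employees -> Employees
}

# Identity-derived group bindings a node learns at onboarding (e.g. 802.1X via
# ISE). Keyed by endpoint identity (MAC here), never by IP address, so an IP
# change or a roam to another Edge leaves the policy outcome unchanged.
BINDINGS = {
    "aa:aa:aa:00:00:01": "Employees",
    "bb:bb:bb:00:00:02": "Contractors",
    "cc:cc:cc:00:00:03": "Cameras",
    "dd:dd:dd:00:00:04": "Servers",
}

@dataclass
class Frame:
    src_mac: str
    src_ip: str
    dst_mac: str
    dst_ip: str

def classify(mac: str) -> int:
    """Endpoint identity -> Scalable Group -> SGT."""
    return SGT_BY_GROUP.get(BINDINGS.get(mac), SGT_UNKNOWN)

def encapsulate(frame: Frame) -> dict:
    """Ingress Edge: stamp the source SGT into the fabric (VXLAN) header."""
    return {"sgt": classify(frame.src_mac), "inner": frame}

def enforce(fabric_pkt: dict) -> str:
    """Egress Edge or Border: derive the destination SGT from its own local
    binding of the destination endpoint and apply the matching SGACL cell."""
    dst_sgt = classify(fabric_pkt["inner"].dst_mac)
    return SGACL.get((fabric_pkt["sgt"], dst_sgt), "deny")

def forward(frame: Frame) -> str:
    return enforce(encapsulate(frame))

def scenario() -> dict:
    emp, con = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"
    cam, srv = "cc:cc:cc:00:00:03", "dd:dd:dd:00:00:04"
    return {
        "employee_to_server": forward(Frame(emp, "10.1.1.10", srv, "10.200.1.5")),
        # same employee after roaming / a new DHCP lease: new IP, same verdict
        "employee_new_ip_to_server": forward(Frame(emp, "10.1.9.77", srv, "10.200.1.5")),
        "contractor_to_server": forward(Frame(con, "10.1.1.11", srv, "10.200.1.5")),
        "camera_to_employee": forward(Frame(cam, "10.1.1.12", emp, "10.1.1.10")),
        "unbound_to_server": forward(Frame("ee:ee:ee:00:00:05", "10.1.1.13", srv, "10.200.1.5")),
    }
```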
DNA Center Assurance: Transforming network operation through actionable insights and simplicity
Aug 2018
AJ Shah
Cisco DNA Center – Easy to Start with Assurance
Intent-Based Networking: Cisco DNA Center Assurance, Cisco DNA Center, Cisco DNA Center Security, Cisco SD-Access
Cisco DNA-Ready Networks (Wireless AP .11ac Wave 2, Catalyst® 3850, Catalyst 9000, IE Catalyst, WLC, ISR4K, NFV-IS) and Traditional Cisco and 3rd Party Networks (Wireless AP, Catalyst® 2000/3000, Catalyst 4000/6000, Cisco Nexus® 7000, WLC, ISR/ASR)
Telemetry protocols: NetFlow, SNMP, Syslog, streaming. CLI, SNMP, PnP, NETCONF
Unprecedented Demands on the Network
Digital Disruption – Lack of Business and IT Insights: 63 million new devices online every second by 2020 [1]
Complexity – Slow and Error Prone Operations: 3X spend on network operations vs network [2]
Security – Unconstrained Attack Surface: 6 months to detect breach [3]
1. Gartner Report - Gartner’s 2017 Strategic Roadmap for Networking
2. McKinsey Study of Network Operations for Cisco – 2016
3. Ponemon Research Institute Study on Malware Detection, Mar 2016
What is Assurance?
The guarantee that the infrastructure is doing what you intended it to do.
Continuous verification: Configs, Changes, Routing, Security, Services, VMs, Compliance, Audits
Insights & visibility: Visibility, Context, Historical Insights, Prediction
Corrective actions: Guided Remediation, Automated Updates, System optimization
Successful IT Rollouts; Minimize Downtime, User Productivity; IT Productivity
Network Assurance Vision
Learn: Surface Undetected Client, Network & Application Issues; Automate tools to discover outliers (Infrastructure Data, Sensor Data)
Fix: Fix Real-Time Issues and Gain Insights into Historic Events; Root cause issues in a few Clicks
Predict: Predict Issues before they Occur; Build Resilient and Reliable Networks (Machine Learning, Crowd Sourcing, Insights, Analytics)
Overall Network Health
• Overall health summary of network and clients
• Where in the world and on which site most serious issues are happening
• Quick drill down to a site or Toggle between Geo, List or Topology View
• Top 10 Global Insights
End-to-end visibility
• Client Health Summary
• Onboarding, RF and Client Profile info
• Network Health Summary
• Control, Data, Policy Plane and Health info
360° Visibility
• Single location for all user information and every user device
• History of performance for each user device
• Proactive identification of any issues affecting user’s experience
• Single location for all user device related user information
• Connectivity graph with health score of all devices on the path
• Application performance
• Device KPIs
Enterprise Switching and Wireless
Roles & Terminology: Fabric Constructs
Technical decision maker presentation
Encrypted Traffic Analytics TDM Presentation (Enhanced Network as a Sensor)
Rapid Problem Resolution
Predicting the Future
Increasing 802.1X authentication time
Looking Back in Time
C97-739122-01 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
60 days: Industry average time to contain a breach
$3.8M: Average cost of a data breach
200 days: Industry average detection time for a breach
Network threats are getting smarter
Motivated and targeted adversaries
• State sponsored
• Financial/espionage motives
• $1T cybercrime market
Increased attack surface
• BYOD blurring perimeter
• Public cloud services
• Enterprise IOT
Increased attack sophistication
• Advanced persistent threats
• Encrypted malware
• Zero-day exploits
Scale: too many alerts. Complexity: securing everything. Sophistication: keeping up against attackers
Detecting encrypted threats with network telemetry
Secure and manage your digital network in real time, all the time, everywhere
Enhanced network as a sensor
Industry’s first network with the ability to find threats in encrypted traffic without decryption | Avoid, stop, or mitigate threats faster than ever before | Real-time flow analysis for better visibility
(diagram: Encrypted traffic and Non-Encrypted traffic)
ETA data features (Cisco research): Malware traffic vs Benign traffic
TCP/IP: Watchlist address (malware) vs Prevalent address (benign)
DNS: c15c0.com, afb32d75.com (malware) vs cisco.com (benign)
TLS: Unusual fingerprint, Unusual cert (malware) vs Typical fingerprint, Typical cert (benign)
SPLT: Self-Signed Certificate, Data Exfiltration, C2 Message (Bestafera) vs Google search (benign)
How can we inspect encrypted traffic?
Initial data packet: Make the most of the unencrypted fields
Sequence of packet lengths and times: Identify the content type through the size and timing of packets
Self-Signed certificate, Data exfiltration, C2 message
Threat intelligence map: Who’s who of the Internet’s dark side; Broad behavioral information about the servers on the Internet.
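An added example, not Cisco's code and not from this deck, of the "initial data packet" idea above: the TLS ClientHello is sent in the clear, so its version, cipher-suite order, extension order and SNI can be read without decrypting anything and reduced to a fingerprint that is compared against a known-typical set. The sample hellos are constructed in the code, and the fingerprint scheme, the helper names and the "typical" set are this example's own, not ETA's.

```python
"""Unencrypted ClientHello fields as ETA-style features (added illustration,
not Cisco code). Sample hellos are constructed; the fingerprint scheme and
the 'typical' set are this example's own, not ETA's."""
import hashlib
import struct

def build_client_hello(suites, ext=(), sni=None):
    """Constructed TLS 1.2 ClientHello record (test input, not captured traffic)."""
    exts = b""
    if sni:
        name = sni.encode()
        lst = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        exts += struct.pack("!HH", 0, len(lst)) + lst        # server_name extension
    for etype, body in ext:
        exts += struct.pack("!HH", etype, len(body)) + body
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03" + bytes(range(32)) + b"\x00"         # version, random, no session id
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00"  # suites, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(rec):
    """Version, offered cipher suites, extension types and SNI from a ClientHello."""
    if len(rec) < 43 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 9                                      # record header (5) + handshake header (4)
    version = struct.unpack("!H", rec[p:p + 2])[0]
    p += 2 + 32                                # version, client random
    p += 1 + rec[p]                            # session id
    cs_len = struct.unpack("!H", rec[p:p + 2])[0]; p += 2
    suites = list(struct.unpack("!%dH" % (cs_len // 2), rec[p:p + cs_len])); p += cs_len
    p += 1 + rec[p]                            # compression methods
    ext_end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]; p += 2
    ext_types, sni = [], None
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", rec[p:p + 4]); p += 4
        body = rec[p:p + elen]; p += elen
        ext_types.append(etype)
        if etype == 0 and len(body) >= 5:      # list len(2), name type(1), name len(2), name
            n = struct.unpack("!H", body[3:5])[0]
            sni = body[5:5 + n].decode("ascii", "replace")
    return {"version": version, "suites": suites, "extensions": ext_types, "sni": sni}

def fingerprint(hello):
    """Hash of version, suite order and extension order: the client's 'shape',
    which stays visible however the session data is encrypted."""
    text = "%d|%s|%s" % (hello["version"], ",".join(map(str, hello["suites"])),
                         ",".join(map(str, hello["extensions"])))
    return hashlib.sha256(text.encode()).hexdigest()[:16]

def classify(rec, typical):
    """'typical' if the fingerprint is in the known-good set, else 'unusual'."""
    return "typical" if fingerprint(parse_client_hello(rec)) in typical else "unusual"

# Constructed samples: a browser-like hello with SNI and common extensions,
# and a bare single-suite hello without SNI.
BROWSER = build_client_hello([0x1301, 0x1302, 0xC02B, 0xC02F], sni="www.example.com",
                             ext=[(10, b"\x00\x04\x00\x1d\x00\x17"), (43, b"\x02\x03\x04")])
ODD = build_client_hello([0x002F])
TYPICAL = {fingerprint(parse_client_hello(BROWSER))}
```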
Malware detection using Cognitive Analytics
Initial data packet + Sequence of packet lengths and times + Threat Intelligence Map, combined by cloud-based machine learning
All three elements reinforce each other inside the analytics engine using them.
Finding malicious activity in encrypted traffic
Cisco Stealthwatch with Cognitive Analytics: Malware detection and cryptographic compliance
New Catalyst 9K*: NetFlow and Enhanced NetFlow, telemetry for encrypted malware detection and cryptographic compliance
* Other devices will be supported soon
Enhanced analytics and machine learning; Global-to-local knowledge correlation; Enhanced NetFlow from Cisco’s newest switches and routers; Continuous Enterprise-wide compliance
Leveraged network | Faster investigation | Higher precision | Stronger protection
SD-Access Fabric: Anycast Gateway – A Closer Look
Anycast GW provides a single L3 Default Gateway for IP capable endpoints
• Similar principle and behavior as HSRP / VRRP with a shared “Virtual” IP and MAC address
• The same Switch Virtual Interface (SVI) is present on EVERY Edge, with the same Virtual IP and MAC
• Control-Plane with Fabric Dynamic EID mapping maintains the Host to Edge relationship
• When a Host moves from Edge 1 to Edge 2, it does not need to change its Default Gateway