
Software-Defined Access

Enable secure and consistent network access


Vedran Hafner
Systems Engineer
February 27, 2018

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.
Challenge for Enterprise IT - Doing more with Less

Growing at the same time: data growth, connected devices, threat surface areas.

• $60B spent on Network Operations
• 3x more resources
• Organizations intend to be digital-ready within 2 years

An evolved world needs a network evolved.

The Network. Intuitive.
Constantly learning, adapting and protecting.

DNA Center: Policy, Automation, Analytics
Intent-based Network Infrastructure
Diagram labels: Intent, Context, Learning, Security

Key Challenges for Traditional Networks

Difficult to Segment
• Ever increasing number of users and endpoint types
• Ever increasing number of VLANs and IP Subnets

Complex to Manage
• Multiple steps, user credentials, complex interactions
• Multiple touch-points

Slower Issue Resolution
• Separate user policies for wired and wireless networks
• Unable to find users when troubleshooting

Traditional Networks Cannot Keep Up!

Software-Defined Access

Identity-based Policy & Segmentation
Decoupled security policy definition from VLAN and IP Address to enable rapid policy updates

Automated Network Fabric
Automation across wired and wireless for optimized traffic flows, and workflow-based management to provide consistency at scale

Insights & Telemetry
Analytics and insights into user and application behavior for proactive issue identification and resolution

Networking at the Speed of Software!

Software Defined Access (SD-Access)
Bringing Everything Together

• DNA Center: Controller-based Management
• Programmable Overlay
• Simplified L3 Underlay

GUI

SD-Access Architecture
Roles and Terminology

Components: DNA Center (DNA Controller), ISE / AD, NDP, APIC-EM

DNA Controller
Enterprise SDN Controller provides GUI management abstraction via multiple Service Apps, which share information.

APIC-EM is a central part of Cisco Digital Network Architecture. It delivers software-defined networking to the enterprise branch, campus, and WAN. Its simple user interface lets you automate policy-based application profiles.

Features Applications including:

Essential Apps
• Plug-and-Play
• Path Trace
• EasyQoS
• Apple Bonjour Service Discovery Gateway
• Active Advisor

Advanced Apps
• Cisco Intelligent WAN (IWAN)
• Cisco Enterprise Service Automation (ESA)
• Software Defined Access (SD-Access)

SD-Access Architecture
Roles and Terminology

Group Repository
External ID Services (e.g. ISE) are leveraged for dynamic User or Device to Group mapping and policy definition.

• Authenticate Users at Fabric Edge (802.1X, MAC Auth, …)
• Segment traffic based on classified group (SGT), not based on topology (VLAN, IP subnet)
• Regardless of location, the “policy” (SGT) stays with users, devices, and applications
• CTS simplifies ACL management for all cross-domain traffic

SD-Access Architecture
Roles and Terminology

Analytics Engine
An external Data Collector (e.g. NAE) is leveraged to analyze User or Device to App flows and to monitor fabric status.

SD-Access Architecture
Fabric Control-Plane Node Responsibilities

Control-Plane Nodes: Map System that manages Endpoint ID to Device relationships

The Fabric Control-Plane Node is based on a LISP Map Server / Resolver. It runs the Host Tracking Database to provide overlay reachability information.

• Receives prefix registrations from Edge Nodes with local Endpoints
• Provides a simple Host Database, that ties the Endpoint to the Edge Node where it resides (includes other relevant attributes)
• Resolves lookup requests from remote Edge Nodes, to locate local Endpoints
• Host Database supports multiple Endpoint ID lookup keys (IPv4 /32, IPv6 /128 or MAC)

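To make the Host Tracking Database responsibilities concrete, here is an added toy model of a map server (example code written for this page, not Cisco's implementation or any IOS-XE API; the class and method names are hypothetical). It accepts the three lookup key types named on the slide, keeps one canonical spelling per key, records a host move when a second edge node registers the same endpoint, and ignores a stale withdraw from the old edge node so a late message cannot erase the new location.

```python
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical names for this illustration; not Cisco APIs or IOS-XE commands.
_MAC_RE = re.compile(r"^[0-9a-f]{2}([:-][0-9a-f]{2}){5}$")


def normalize_eid(eid: str) -> str:
    """Canonicalise an Endpoint ID so each key type (IPv4 /32, IPv6 /128, MAC)
    has exactly one spelling in the table. Only host routes are accepted: a
    registration covering a whole subnet would make the map server hand out
    wrong locators for every address in it."""
    text = eid.strip().lower()
    if _MAC_RE.match(text):
        return "mac:" + text.replace("-", ":")
    net = ipaddress.ip_network(text, strict=False)
    if net.num_addresses != 1:
        raise ValueError(f"only host EIDs (/32 or /128) may be registered: {eid}")
    return f"ipv{net.version}:{net.network_address.compressed}"


@dataclass(frozen=True)
class HostEntry:
    edge_node: str   # locator (RLOC) of the edge node the endpoint sits behind
    vn: str          # virtual network the endpoint belongs to
    sgt: int         # scalable group tag carried with the endpoint


class HostTrackingDatabase:
    """Toy map server: edge nodes register, remote edge nodes resolve."""

    def __init__(self):
        self._entries = {}

    def register(self, edge_node, vn, sgt, *eids):
        """An edge node registers the EIDs of a locally attached endpoint.
        Re-registering an EID from another edge node records a host move."""
        entry = HostEntry(edge_node, vn, sgt)
        for eid in eids:
            self._entries[normalize_eid(eid)] = entry
        return entry

    def deregister(self, edge_node, *eids):
        """Remove only entries still owned by this edge node, so a withdraw that
        arrives after the host already moved does not erase the new location."""
        removed = 0
        for eid in eids:
            key = normalize_eid(eid)
            entry = self._entries.get(key)
            if entry is not None and entry.edge_node == edge_node:
                del self._entries[key]
                removed += 1
        return removed

    def resolve(self, eid):
        """Map-request from a remote edge node; None means 'no such endpoint'
        (the requester would then forward towards a border node instead)."""
        return self._entries.get(normalize_eid(eid))

    def endpoints_behind(self, edge_node):
        return sorted(k for k, e in self._entries.items() if e.edge_node == edge_node)


def demo():
    """Constructed sample registrations, not data from any real fabric."""
    htdb = HostTrackingDatabase()
    htdb.register("edge-1", "Employee_VN", 10,
                  "10.1.1.10/32", "2001:db8::10", "00-11-22-AA-BB-CC")
    first = htdb.resolve("10.1.1.10").edge_node
    # The host roams: edge-2 registers the same EIDs (spelled differently),
    # then edge-1's late withdraw arrives and must be ignored.
    htdb.register("edge-2", "Employee_VN", 10,
                  "10.1.1.10", "2001:DB8:0:0:0:0:0:10", "00:11:22:aa:bb:cc")
    stale_removed = htdb.deregister("edge-1", "10.1.1.10")
    second = htdb.resolve("00:11:22:aa:bb:cc").edge_node
    return first, second, stale_removed


if __name__ == "__main__":
    print(demo())
```

The ownership check in deregister is the part worth copying into any real registry: without it, message reordering between two edge nodes can leave the map server pointing nowhere for a host that is still online.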
SD-Access Architecture
Fabric Border Node Responsibilities

Border Nodes: Fabric device (e.g. Core) that connects External L3 network(s) to the SD-Access Fabric

The Fabric Border Node is based on a LISP Proxy Tunnel Router (PxTR). All traffic entering or leaving the Fabric goes through this type of node.

• Connects traditional L3 networks and / or different Fabric domains to the local domain
• Where two domains exchange Endpoint reachability and policy information
• Responsible for translation of context (VRF and SGT) from one domain to another
• Provides a domain exit point for all Edge Nodes, acting in many ways like a ‘Default-Gateway’

SD-Access Architecture
Fabric Edge Node Responsibilities

Edge Nodes: Fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SD-Access Fabric

The Fabric Edge Node is based on a LISP Tunnel Router (xTR). It provides connectivity for Users and Devices connected to the Fabric.

• Responsible for Identifying and Authenticating Endpoints as they move around
• Registers Endpoint ID information with the Control-Plane Node(s)
• Provides Anycast L3 Gateway for connected Endpoints, removing the need for HSRP and facilitating seamless host mobility
• Must encapsulate / de-encapsulate host traffic to and from Endpoints connected to the Fabric

SD-Access Architecture
Fabric Mode WLC and AP Responsibilities

Fabric Wireless Controller: Wireless Controller (WLC) that is fabric-enabled
Fabric Mode APs: Access Points that are fabric-enabled

• Centralized control/management plane, distributed data plane, with scalable consistent guest access
• WLC Communicates Client Information to the LISP Host Tracking Database (HTDB). It is part of the LISP Control Plane

Secure onboarding of users and devices
Segmentation and Access Control

Before SD-Access
• VLAN and IP address based
• Create IP based ACLs for access policy
• Deal with policy violations and errors manually

After SD-Access
• No VLAN or subnet dependency for segmentation and access control
• Define one consistent policy
• Drag policy to apply
• Policy follows Identity

Diagram: Users, Devices and Apps mapped to Group 1 to Group 6 inside the Employee, IoT and Guest Virtual Networks.
Completely Automated / Group-Based Policy / Policy follows Identity

Consistent wired and wireless management
A single network fabric

Before SDA
• Repeated policy work for wired-wireless
• Roaming issues across L3 domains
• Chase down IP addresses for troubleshooting

After SDA
• Consistent management across wired-wireless
• Optimal traffic flows with seamless roaming
• Seamless roaming in Fabric and non-Fabric domains

Diagram: Seamless Roam (Roam is L2), Policy stays with user, Wired and Wireless
Simplified Provisioning / Campus-Wide Roaming / Consistency

See and Act on Threats (Now For Encrypted Traffic)

ISE (Identity Services Engine)
Automated policy enforcement for segmentation through SD-Access

Encrypted Traffic Analytics
• NetFlow with Machine learning
• Spot malware in encrypted traffic
• Enhanced telemetry at line rate from the Catalyst 9K Switch, with flows analysed by Cognitive Analytics

Stealthwatch
• Analyze metadata without decrypting traffic
• Global-to-local knowledge correlation
• Automate policy and segmentation across the entire network

99% Threat Detection Accuracy*
0.01% False Positives*

*Source: Identifying Encrypted Malware Traffic with Contextual Flow Data, Oct 2016

Automate IoT Deployments at Scale
Purpose Built Switches for IoT Segmentation

Before SDA
• Complex segmentation of IoT and user traffic
• Chase down IP addresses for troubleshooting
• Static endpoint management

After SDA
• Intuitive identity-based segmentation with device profiling
• Built-in visibility and granular policy control
• Dynamic endpoint management

Diagram: Subtended Nodes for Connected Lighting and IP Surveillance; Employee Network A and Employee Network B.
Users, Device and IoT Policy based Automation

Software-Defined Access
Network Fabric – Normalized Transport for Wired & Wireless

Dynamic Logical Topologies with Overlays (Stateless Tunnels)

• Overlay Network: Traffic for Wired and Wireless is carried inside Overlays (Encapsulation)
• Policy Context is carried inline with Traffic
• Underlay Network

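"Policy context carried inline with traffic" means the overlay encapsulation itself carries the virtual network identifier and the group tag. As an added illustration (written for this page, not Cisco code), the block below builds and parses an 8-byte VXLAN header following my reading of the VXLAN Group Policy Option draft layout, which is an assumption rather than a Cisco specification: the G flag marks the 16-bit Group Policy ID as valid, that field carries the SGT, and the 24-bit VNI identifies the virtual network. It also shows the check a decapsulating node should make before it trusts the tag.

```python
import struct

# Field layout assumed from the VXLAN Group Policy Option draft; packet bytes
# below are constructed for the example, not captured from a real fabric.
FLAG_G = 0x80      # Group Policy ID field is valid
FLAG_I = 0x08      # VNI field is valid (plain VXLAN, RFC 7348)
HEADER_LEN = 8


def build_vxlan_gpo(vni: int, sgt: int) -> bytes:
    """8-byte VXLAN header: flags, reserved policy bits, 16-bit Group Policy ID
    carrying the SGT, 24-bit VNI, one reserved byte."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    if not 0 <= sgt < (1 << 16):
        raise ValueError("SGT must fit in 16 bits")
    flags = FLAG_G | FLAG_I
    # byte 0: flags; byte 1: reserved (policy D/A bits left 0 here);
    # bytes 2-3: Group Policy ID; bytes 4-6: VNI; byte 7: reserved.
    return struct.pack("!BBH", flags, 0, sgt) + vni.to_bytes(3, "big") + b"\x00"


def parse_vxlan_gpo(header: bytes):
    """Return (vni, sgt). sgt is None when the sender did not set the G flag,
    so a receiver must not read the 16-bit field as a group tag in that case."""
    if len(header) < HEADER_LEN:
        raise ValueError("truncated VXLAN header")
    flags, _reserved, group_id = struct.unpack("!BBH", header[:4])
    if not flags & FLAG_I:
        raise ValueError("VNI not valid (I flag clear)")
    vni = int.from_bytes(header[4:7], "big")
    sgt = group_id if flags & FLAG_G else None
    return vni, sgt


def check_on_decap(header: bytes, expected_vni: int, known_sgts) -> str:
    """Receiver-side sanity check (illustrative policy, not Cisco's behaviour):
    the VNI must match the virtual network of the receiving interface and the
    carried SGT must be one the policy for that VN knows about."""
    vni, sgt = parse_vxlan_gpo(header)
    if vni != expected_vni:
        return "drop: wrong VN"
    if sgt is None:
        return "drop: no group tag"
    if sgt not in known_sgts:
        return f"drop: unknown SGT {sgt}"
    return "accept"


if __name__ == "__main__":
    hdr = build_vxlan_gpo(vni=4097, sgt=10)
    print(hdr.hex(), parse_vxlan_gpo(hdr), check_on_decap(hdr, 4097, {10, 20}))
```

The useful lesson is in parse_vxlan_gpo: a tag is only meaningful when the flag that declares it valid is set, and a plain VXLAN sender leaves those 16 bits as reserved zeroes, which a careless receiver would otherwise read as SGT 0.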
Software-Defined Access
Network Fabric – Any VLAN, Everywhere!

Stretched Subnets (e.g. 10.1.0.0/16 across the fabric)
• Distributed Anycast Default Gateway
• No HSRP/VRRP

No Spanning Tree
• No STP
• Routed Access
• Limit Broadcast Domain

ECMP
• Equal Cost Multi-Path

Software-Defined Access
Identity-based Policy – Segmentation & Access Control

1 Virtual Networks
First level Segmentation that ensures zero Communication between Building systems and Users

2 Groups
Second level Segmentation within a Virtual Network that ensures role based access control between Two Groups

Diagram: Employee Virtual Network and IoT Virtual Network, each containing Groups (Group 1 to Group 5); group policies shown as Default Permit with Custom Deny, and Default Deny. Applied across Routers, Switches, Wireless AP, WLC.

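The two levels on the slide compose in a fixed order: a Virtual Network boundary is absolute, and only inside a VN does the group-to-group matrix apply, with a per-VN default (permit with custom denies, or deny with custom permits). The block below is an added illustration of that evaluation order (example code written for this page, not an ISE or DNA Center API; VN names, group numbers and endpoints are constructed). It also makes explicit that matrix cells are directional, which is easy to forget when reviewing a policy.

```python
from dataclasses import dataclass, field

# Hypothetical names and constructed sample policy, not ISE/DNA Center objects.
PERMIT, DENY = "permit", "deny"


@dataclass
class VirtualNetwork:
    name: str
    default_action: str                        # PERMIT or DENY when no cell matches
    groups: set = field(default_factory=set)   # SGT values that live in this VN
    cells: dict = field(default_factory=dict)  # (src_sgt, dst_sgt) -> PERMIT/DENY


@dataclass(frozen=True)
class Endpoint:
    name: str
    vn: str
    sgt: int


class PolicyMatrix:
    def __init__(self, vns):
        self.vns = {vn.name: vn for vn in vns}

    def add_cell(self, vn_name, src_sgt, dst_sgt, action):
        """Custom cells live inside one VN; a cell cannot bridge two VNs."""
        vn = self.vns[vn_name]
        if src_sgt not in vn.groups or dst_sgt not in vn.groups:
            raise ValueError("a cell may only join groups inside the same VN")
        vn.cells[(src_sgt, dst_sgt)] = action

    def decide(self, src: Endpoint, dst: Endpoint):
        """Level 1: different VNs never talk, no cell can override that.
        Level 2: inside a VN, an explicit (src, dst) cell wins, else the VN default.
        Returns (action, reason) so a reviewer can see why a flow was decided."""
        if src.vn != dst.vn:
            return DENY, "vn-isolation"
        vn = self.vns[src.vn]
        cell = vn.cells.get((src.sgt, dst.sgt))
        if cell is not None:
            return cell, "explicit-cell"
        return vn.default_action, "vn-default"

    def permitted_pairs(self, vn_name):
        """Enumerate every permitted directional (src, dst) pair in a VN: the view
        a reviewer wants for a default-permit VN, where silence means access."""
        vn = self.vns[vn_name]
        out = set()
        for s in vn.groups:
            for d in vn.groups:
                action = vn.cells.get((s, d), vn.default_action)
                if action == PERMIT:
                    out.add((s, d))
        return sorted(out)


def build_sample():
    employee = VirtualNetwork("Employee", PERMIT, {1, 2})   # default permit, custom deny
    iot = VirtualNetwork("IoT", DENY, {3, 4, 5})            # default deny, custom permit
    pm = PolicyMatrix([employee, iot])
    pm.add_cell("Employee", 1, 2, DENY)
    pm.add_cell("IoT", 3, 4, PERMIT)
    return pm


def evaluate_sample():
    pm = build_sample()
    ep = {
        "alice": Endpoint("alice", "Employee", 1),
        "bob": Endpoint("bob", "Employee", 2),
        "camera": Endpoint("camera", "IoT", 3),
        "nvr": Endpoint("nvr", "IoT", 4),
        "lamp": Endpoint("lamp", "IoT", 5),
    }
    flows = [("alice", "bob"), ("bob", "alice"), ("camera", "nvr"),
             ("lamp", "nvr"), ("alice", "camera")]
    return {f"{s}->{d}": pm.decide(ep[s], ep[d]) for s, d in flows}


if __name__ == "__main__":
    for flow, verdict in evaluate_sample().items():
        print(flow, verdict)
```

Note that the custom deny on (1, 2) does not deny (2, 1): bob can still initiate towards alice under the Employee VN default. A review of a default-permit VN should therefore read the output of permitted_pairs rather than the list of deny cells.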
Software-Defined Access
Identity-based Policy – Decoupled from VLAN and IP Address

• Policy Applied Fabric-wide
• Flexible authentication Options including 802.1X, MAB, AD, Static, Device Profiling, Guest Wireless*
• Wireless Roam: Policy stays with user

Diagram: Policy DB entry “Fred – B3”; Policy B3, Priority HIGH; User A (Employee) keeps the same policy before and after the roam.

*Roadmap

Distinct Domains Requiring Distinct Policy

Access Domain (Campus/Branch/WAN)
Network Operator focused on User Access
• Wireless Integration
• User Identity / AAA
• QoS / Path Engineering

Data Center Domain
Network Operator focused on Applications
• Virtualization: VMs, Containers
• Compute Integration
• Agile Application Deployment
• Hybrid Cloud Mobility

Fate Separation, Scale, Administrative Delineation

Distinct Doesn’t Necessarily Mean Different
Differences and Commonalities

SD-Access
• Underlay
• Overlay
• Logical constructs: VNID, SGT, User Endpoint
• Group Based Policy

ACI Fabric
• Underlay
• Overlay
• Logical constructs: VNID, EPG, App Endpoint
• Group Based Policy

SD-Access and DC Policy Integration Design
VXLAN Data Plane Between SD-Access and ACI

A VXLAN data plane between the Internal Border and the Cisco ACI fabric establishes communication between the different domains and also carries the information needed (SGT/EPG) for policy enforcement.

SDA Fabric Policy Domain: Scalable Group Tags (SGT); Endpoint Classification with LISP, SGT & VXLAN; User Endpoint, Edge, Border
ACI Policy Domain: End Point Groups (EPG); BGP EVPN, EPG & VXLAN; Nexus9000 Spine, Nexus9000 Leaf, App Endpoint

Policy exchange
• Cisco ISE 2.2 and Cisco APIC-DC exchange Groups and Member Information
• ISE creates the SGT to EPG translation table
• ISE sends the translation table to the Fabric Border Node (7K/ASR1K)
• The Border holds IP, SGT mappings on the SD-Access side and IP-ClassId, VNI bindings on the ACI side
SD-Access Platform Support
Complete Investment Protection

Switching
• Catalyst 9400 (NEW)
• Catalyst 9300 (NEW)
• Catalyst 9500 (NEW)
• Catalyst 4500E
• Catalyst 6K
• Nexus 7700
• Catalyst 3850 and 3650

Routing
• ASR-1000-X
• ASR-1000-HX
• ISR 4430
• ISR 4450

Wireless
• AIR-CT5520
• AIR-CT8540
• AIR-CT3504 (NEW)
• Wave 2 APs (1800, 2800, 3800)
• Wave 1 APs (1700, 2700, 3700)*

* No IPv6 or AVC support

New Era in Networking
Beyond Days of Convergence

Previous Era: Voice, Video, Data
New Era: Cloud, IoT, Mobility, Security (9K Series)

Software Defined Access (SD-Access)
SD-Access - Policy Based Automation from Edge to Cloud
Catalyst 9300
Next Generation Fixed Access

• 2.5G at the Price of 1G
• 40G at the Price of 10G
• Highest 2.5G/mGig Density in the Industry
• Only Stackable Switch with 8X 10G Uplinks

Port options
• mGig UPOE: 24xmGig; 48xmGig (36 X 2.5G + 12 X 10G)
• 1G UPOE/POE+: 24 Ports; 48 Ports
• 1G Data: 24 Ports; 48 Ports

Modular Fans
Modular Uplinks: 8x10G, 2x40G, 4x mGig, 4x1G
Modular Power Supplies: 350W, 715W, 1100W

Catalyst 9400
Next Generation Modular Access

• Industry’s Highest PoE Scale
• Redundancy is now Table-stake
• 9Tbps System b/w

Chassis: 4-Slot*, 7-Slot, 10-Slot

Supervisor: Sup-1: 80G/Slot; Sup-1XL*: 120G/Slot
Access Linecards (Access Optimized): 24xmGig + 24xUPOE; 48xUPoE; 48xPoE+*; 48xData
Core Linecards (Core Optimized): 24x 10G SFP+; 48x1G SFP*; 24x1G SFP*
Power Supply: 3200W AC; 3200W DC*; 2200W AC*

*not available at FCS
Catalyst 9500
Next Generation Fixed Core/Agg

• 8X Buffering vs. Competition
• 40G at the Price of 10G
• Industry’s First 40G Enterprise Switch

• Redundant platinum rated power supplies
• Front to back airflow with N+1 Modular Fans
• RFID for Efficient Inventory Management
• USB3.0 Storage to host High End Applications

Models: Catalyst 9500-12Q, Catalyst 9500-24Q, Catalyst 9500-40X
Future of Enterprise Networking
Platform Transitions

Catalyst 9000 Series
• Access Switching: Catalyst 3850 Copper and Catalyst 4500-E transition to Catalyst 9300 and Catalyst 9400
• Backbone Switching: Catalyst 4500X and Catalyst 3850 Fiber 48 port transition to Catalyst 9500

Fabric Control-Plane Node
Supported Hardware/Software

Catalyst 3K
• Catalyst 3850
• 1/10G SFP+
• 10/40G NM Cards
• IOS-XE 16.6.1+

Catalyst 9500
• Catalyst 9500
• 40G QSFP
• 1/10G NM Cards
• IOS-XE 16.6.1+

Catalyst 6K
• Catalyst 6800
• Sup2T/6T
• 6880-X or 6840-X
• IOS 15.5.1SY+

ASR1K & ISR4K
• ASR 1000-X/HX
• ISR 4430/4450
• 1/10G/40G
• IOS-XE 16.6.1+

Fabric Border Node
Supported Hardware/Software

Catalyst 9500
• Catalyst 9500
• 40G QSFP
• 10/40G NM Cards
• IOS-XE 16.6.1+

Catalyst 6K
• Catalyst 6800
• Sup2T/6T
• 6880-X or 6840-X
• IOS 15.5.1SY+

Nexus 7K
• Nexus 7700
• Sup2E
• M3 Cards
• NXOS 7.3.2+

ASR1K & ISR4K
• ASR 1000-X/HX
• ISR 4430/4450
• 1/10G/40G
• IOS-XE 16.6.1+

Catalyst 3K
• Catalyst 3850
• 1/10G SFP+
• 10/40G NM Cards
• IOS-XE 16.6.1+

Fabric Edge Node
Supported Hardware/Software

Catalyst 3K
• Catalyst 3650/3850
• 1/MGIG RJ45
• 10/40G NM Cards
• IOS-XE 16.6.1+

Catalyst 9300
• Catalyst 9300
• 1/MGIG RJ45
• 10/40G NM Cards
• IOS-XE 16.6.1+

Catalyst 4500E
• Catalyst 4500
• Sup8E/9E (Uplinks)
• 4700 Cards (Down)
• IOS-XE 3.10.1+

Catalyst 9400
• Catalyst 9400
• Sup1E
• 9400 Cards
• IOS-XE 16.6.1+

Fabric Mode WLC & APs
Supported Hardware/Software

5500 WLC
• AIR-CT5520
• No 5508
• 1G/10G SFP+
• AireOS 8.5.1+

8500 WLC
• AIR-CT8520/40
• No 8510
• 1G/10G SFP+
• AireOS 8.5.1+

Wave 1 APs
• 1700/2700/3700
• 11ac Wave1 APs
• 1G RJ45
• AireOS 8.5.1+

Wave 2 APs
• 1800/2800/3800
• 11ac Wave2 APs
• 1G/MGIG RJ45
• AireOS 8.5.1+