© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.
Challenge for Enterprise IT - Doing more with Less
• Data growth
• Connected devices
• Threat surface areas
• $60B spent on network operations resources
• 3x more organizations intend to be digital-ready within 2 years
DNA Center
• Intent
• Context
• Security
Intent-based Network Infrastructure
Key Challenges for Traditional Networks
• Ever increasing number of users and endpoint types
• Ever increasing number of VLANs and IP subnets
• Multiple steps, user credentials and complex interactions
• Multiple touch-points when troubleshooting
• Separate user policies for wired and wireless networks
• Unable to find users
• Programmable Overlay
• Simplified L3 Underlay
SD-Access Architecture
Roles and Terminology
Diagram roles: DNA Center (DNA Controller / APIC-EM), ISE / AD, NDP, fabric nodes labelled B and C
Enterprise SDN Controller: provides GUI management abstraction via multiple Service Apps, which share information.
APIC-EM is a central part of Cisco Digital Network Architecture. It delivers software-defined networking to the enterprise branch, campus, and WAN. Its simple user interface lets you automate policy-based application profiles.
Features Applications including:
Essential Apps
• Plug-and-Play
• Path Trace
• EasyQoS
• Apple Bonjour Service Discovery Gateway
• Active Advisor
Advanced Apps
• Cisco Intelligent WAN (IWAN)
• Cisco Enterprise Service Automation (ESA)
• Software Defined Access (SD-Access)
SD-Access Architecture
Roles and Terminology
Diagram roles: DNA Center, Group Repository, ISE / AD, APIC-EM, NDP, fabric nodes labelled B and C
Group Repository: external ID Services (e.g. ISE) are leveraged for dynamic User or Device to Group mapping and policy definition.
Authenticate Users at Fabric Edge (802.1X, MAC Auth, …)
SD-Access Architecture
Fabric Control-Plane Node Responsibilities
Diagram roles: DNA Center, ISE / AD, APIC-EM, NDP
• The Fabric Control-Plane Node is based on a LISP Map Server / Resolver
• It runs the Host Tracking Database to provide overlay reachability information
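To make the two control-plane responsibilities above concrete, the following Python model is an added example for this page; it is not Cisco code and not part of the original deck. It treats the Host Tracking Database as a LISP Map-Server (edge nodes register which endpoint sits behind them) plus Map-Resolver (other nodes ask where an endpoint is). The instance-ids 4097/4098, the edge-node addresses and the hosts are constructed values; the mapping of "instance-id" onto one Virtual Network is an assumption about the slide's wording.

```python
"""Toy model of an SD-Access fabric control-plane node: a LISP Map-Server /
Map-Resolver holding the Host Tracking Database.  Added illustration only;
the real implementation lives on the network devices and is not shown here.

Assumed mapping onto the slide's wording:
  EID          endpoint identifier -> the host's overlay IP address
  RLOC         routing locator     -> the fabric edge node's underlay address
  instance-id                      -> one Virtual Network (overlay segment)
"""
from __future__ import annotations

import ipaddress
from collections import Counter


class HostTrackingDatabase:
    """Map-Server (registrations) and Map-Resolver (lookups) in one object."""

    def __init__(self) -> None:
        # (instance_id, eid) -> rloc.  Keying on the instance-id lets two
        # Virtual Networks carry the same 10.1.0.0/16 space without clashing.
        self._db: dict[tuple[int, str], str] = {}
        # Every change of edge node for an EID; the raw material for auditing.
        self.roam_log: list[tuple[int, str, str, str]] = []

    def map_register(self, instance_id: int, eid: str, rloc: str) -> str:
        """A fabric edge node announces that EID is attached behind RLOC.

        Returns 'new', 'refresh' or 'roam' so the caller can see what the
        Map-Server learned from this registration.
        """
        eid_key = str(ipaddress.ip_address(eid))     # normalise and validate
        rloc_key = str(ipaddress.ip_address(rloc))
        key = (instance_id, eid_key)
        previous = self._db.get(key)
        self._db[key] = rloc_key
        if previous is None:
            return "new"
        if previous == rloc_key:
            return "refresh"
        self.roam_log.append((instance_id, eid_key, previous, rloc_key))
        return "roam"

    def map_request(self, instance_id: int, eid: str) -> str | None:
        """Map-Resolver lookup: the RLOC to encapsulate towards, or None for
        a negative map-reply (EID unknown in this Virtual Network)."""
        key = (instance_id, str(ipaddress.ip_address(eid)))
        return self._db.get(key)

    def flapping_eids(self, threshold: int = 3) -> set[tuple[int, str]]:
        """EIDs that roamed at least `threshold` times: a detection hook for
        a host (or a duplicate of its address) bouncing between edge nodes."""
        counts = Counter((iid, eid) for iid, eid, _, _ in self.roam_log)
        return {k for k, n in counts.items() if n >= threshold}


def demo() -> dict:
    """Constructed scenario: two Virtual Networks sharing 10.1.0.0/16."""
    EMPLOYEE_VN, IOT_VN = 4097, 4098                   # assumed instance-ids
    edge1, edge2 = "192.168.255.1", "192.168.255.2"    # constructed RLOCs
    db = HostTrackingDatabase()
    out = {}
    out["laptop_first"] = db.map_register(EMPLOYEE_VN, "10.1.10.20", edge1)
    # Same IP address in the IoT Virtual Network: a separate entry.
    out["camera_first"] = db.map_register(IOT_VN, "10.1.10.20", edge2)
    out["laptop_rloc"] = db.map_request(EMPLOYEE_VN, "10.1.10.20")
    out["camera_rloc"] = db.map_request(IOT_VN, "10.1.10.20")
    out["unknown"] = db.map_request(EMPLOYEE_VN, "10.1.99.99")
    out["laptop_refresh"] = db.map_register(EMPLOYEE_VN, "10.1.10.20", edge1)
    out["laptop_roam"] = db.map_register(EMPLOYEE_VN, "10.1.10.20", edge2)
    out["laptop_rloc_after_roam"] = db.map_request(EMPLOYEE_VN, "10.1.10.20")
    for _ in range(2):   # bounce between edge nodes to trip the flap check
        db.map_register(EMPLOYEE_VN, "10.1.10.20", edge1)
        db.map_register(EMPLOYEE_VN, "10.1.10.20", edge2)
    out["flapping"] = db.flapping_eids(threshold=3)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of keying on the instance-id is the "Any VLAN, Everywhere" claim later in the deck: reachability is answered per Virtual Network, so the same address can legitimately exist in two overlays, and a lookup in the wrong one returns a negative reply rather than leaking the other segment's location.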
• Secure onboarding of users and devices
• Segmentation and Access Control
• Completely Automated
• Group-Based Policy: Policy follows Identity
• Consistent wired and wireless management
• A single network fabric
Underlay Network
Software-Defined Access
Network Fabric – Any VLAN, Everywhere!
Diagram label: 10.1.0.0/16
Software-Defined Access
Identity-based Policy – Segmentation & Access Control
1. Virtual Networks: Employee Virtual Network, IoT Virtual Network
2. Groups: second-level segmentation within a Virtual Network that ensures role-based access control between two Groups
Diagram labels: Group 1, Group 2, Group 3, Group 4, Group 5; Default Deny; Custom Deny
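The two-level model on this slide, and the "decoupled from VLAN and IP address" claim on the next one, are easy to mis-read as ACL shorthand. The following Python model is an added example for this page, not Cisco code and not from the deck: Virtual Networks are isolated first, then a directional group matrix with a Default Deny and an explicit Custom Deny decides within a Virtual Network, and the decision never reads the endpoint's VLAN or IP. The endpoints (Fred, Ann, a camera), their addresses and the Group 1 to Group 2 permit are constructed so the scenario has at least one allowed flow.

```python
"""Toy model of SD-Access identity-based policy: first-level segmentation by
Virtual Network, second-level by group, with the decision independent of VLAN
and IP address.  Added illustration; not Cisco code and not from the slides.
"""
from __future__ import annotations

from dataclasses import dataclass

PERMIT, DENY = "permit", "deny"


@dataclass(frozen=True)
class Endpoint:
    name: str
    vn: str        # Virtual Network (first-level segmentation)
    group: str     # group membership (second-level segmentation)
    ip: str        # carried only to show the decision never reads it
    vlan: int      # same


class SegmentationPolicy:
    def __init__(self, default_action: str = DENY) -> None:
        self.default_action = default_action
        # Group matrix cells: (source group, destination group) -> action.
        # Directional on purpose: permitting Group 1 -> Group 2 says nothing
        # about Group 2 -> Group 1.
        self._cells: dict[tuple[str, str], str] = {}

    def set_cell(self, src_group: str, dst_group: str, action: str) -> None:
        if action not in (PERMIT, DENY):
            raise ValueError(f"unknown action {action!r}")
        self._cells[(src_group, dst_group)] = action

    def decide(self, src: Endpoint, dst: Endpoint) -> tuple[str, str]:
        """Return (action, reason) for traffic from src to dst."""
        # Level 1: Virtual Networks are isolated; no group cell bridges them.
        if src.vn != dst.vn:
            return DENY, "different Virtual Network"
        # Level 2: an explicit cell wins; otherwise the matrix default applies.
        cell = self._cells.get((src.group, dst.group))
        if cell is not None:
            return cell, f"custom {cell} {src.group} -> {dst.group}"
        return self.default_action, f"default {self.default_action}"


def build_slide_policy() -> SegmentationPolicy:
    """Matrix as labelled on the slide: Default Deny plus one Custom Deny.
    The Group 1 -> Group 2 permit is a constructed addition."""
    policy = SegmentationPolicy(default_action=DENY)
    policy.set_cell("Group 1", "Group 2", PERMIT)
    # An explicit deny under a deny default still earns its place: it stays
    # in force if someone later flips the matrix default to permit.
    policy.set_cell("Group 3", "Group 4", DENY)
    return policy


def example_decisions() -> dict[str, tuple[str, str]]:
    """Constructed endpoints: Fred and the camera share VLAN 10 and adjacent
    addresses but sit in different Virtual Networks."""
    policy = build_slide_policy()
    fred = Endpoint("Fred", "Employee", "Group 1", "10.1.10.20", 10)
    ann = Endpoint("Ann", "Employee", "Group 2", "10.1.20.7", 20)
    eng = Endpoint("Eng", "Employee", "Group 3", "10.1.30.3", 30)
    fin = Endpoint("Fin", "Employee", "Group 4", "10.1.40.4", 40)
    camera = Endpoint("Camera", "IoT", "Group 5", "10.1.10.21", 10)
    # Fred plugs in elsewhere: new VLAN and IP, same identity and group.
    fred_moved = Endpoint("Fred", "Employee", "Group 1", "10.1.77.9", 77)
    return {
        "fred->ann": policy.decide(fred, ann),
        "ann->fred": policy.decide(ann, fred),
        "eng->fin": policy.decide(eng, fin),
        "fred->camera": policy.decide(fred, camera),
        "fred_moved->ann": policy.decide(fred_moved, ann),
    }


if __name__ == "__main__":
    for flow, (action, reason) in example_decisions().items():
        print(f"{flow:16} {action:6} ({reason})")
```

Two things worth noticing when reading the output: the Employee-to-IoT flow is denied even though both endpoints share VLAN 10 and neighbouring addresses, which is exactly what the Virtual Network level buys you; and Fred's policy result is identical after he moves, which is what "policy follows identity" means in practice.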
Device roles: Routers, Switches, Wireless AP, WLC
Software-Defined Access
Identity-based Policy – Decoupled from VLAN and IP Address
Diagram labels: Policy B3, Priority HIGH, Fred – B3, Overlay, SD-Access Fabric (B)
SD-Access platforms: AIR-CT8540 (NEW), Catalyst 9300, Catalyst 9500, ASR-1000-HX, AIR-CT3504 (NEW), ISR 4430
New Era vs. Previous Era: Video, Security (9K Series), Voice, Cloud, Data, IOT, Mobility
SD-Access - Policy Based Automation from Edge to Cloud
Catalyst 9300
• 2.5G at the price of 1G
• 40G at the price of 10G
• Highest 2.5G/mGig density in the industry
• Only stackable switch with 8X 10G uplinks
• 48xmGig (36 X 2.5G + 12 X 10G)
• 1G UPOE/POE+: 24 Ports, 48 Ports
• 1G Data: 24 Ports, 48 Ports
Modular chassis: 4-Slot*, 7-Slot, 10-Slot
• Supervisors: Sup-1 (80G/Slot, Access Optimized); Sup-1XL* (120G/Slot, Core Optimized)
• Line cards: 24xmGig + 24xUPOE, 48xUPoE, 48xPoE+*, 48xData, 24x 10G SFP+, 48x1G SFP*, 24x1G SFP*
• Power supplies: 3200W AC, 3200W DC*, 2200W AC*
*not available at FCS
Catalyst 9500
Next Generation Fixed Core/Agg
• 8X buffering vs. competition
• 40G at the price of 10G
• Industry's first 40G enterprise switch
• Redundant platinum rated power supplies
Catalyst 9300: Access Switching
Catalyst 9500: Backbone Switching
Fabric Control-Plane Node
Supported Hardware/Software (Control-Plane Nodes, C)
• Catalyst 3K: Catalyst 3850; 1/10G SFP+; 10/40G NM Cards; IOS-XE 16.6.1+
• Catalyst 9500: 40G QSFP; 1/10G NM Cards; IOS-XE 16.6.1+
• ASR 1000-X/HX, ISR 4430/4450: 1/10G/40G; IOS-XE 16.6.1+
• Nexus 7700: Sup2E; M3 Cards; NXOS 7.3.2+
Fabric Edge Node
Supported Hardware/Software (Fabric Edge Nodes: Catalyst 3K, Catalyst 9300)
Fabric Mode APs
• 1700/2700/3700: 11ac Wave1 APs; 1G RJ45; AireOS 8.5.1+
• 1800/2800/3800: 11ac Wave2 APs; 1G/MGIG RJ45; AireOS 8.5.1+