Why SD-Access?
Journey - Traditional to Modern Networks

Prabhjit Singh Bagga, Technical Marketing Engineer


@Prabhjit_bagga
BRKARC-2009

[Diagram: onboarding a New QA Employee into the QA Team and a New Dev Employee into the Developer Team runs through the IT Team and ends with the Networking Team]

Who has seen this?
access-list 102 permit icmp 68.14.62.179 255.255.255.255 lt 2985 235.228.242.243 255.255.255.255 lt 2286
access-list 102 deny tcp 91.198.213.34 0.0.0.255 eq 1274 206.136.32.135 0.255.255.255 eq 4191
access-list 102 deny udp 76.150.135.234 255.255.255.255 lt 3573 15.233.106.211 255.255.255.255 eq 3721
access-list 102 permit tcp 126.97.113.32 0.0.1.255 eq 4644 2.216.105.40 0.0.31.255 eq 3716
access-list 102 permit icmp 147.31.93.130 0.0.0.255 gt 968 154.44.194.206 255.255.255.255 eq 4533
access-list 102 deny tcp 154.57.128.91 0.0.0.255 lt 1290 106.233.205.111 0.0.31.255 gt 539
access-list 102 deny ip 9.148.176.48 0.0.1.255 eq 1310 64.61.88.73 0.0.1.255 lt 4570
access-list 102 deny ip 124.236.172.134 255.255.255.255 gt 859 56.81.14.184 255.55.255.255 gt 2754
access-list 102 deny icmp 227.161.68.159 0.0.31.255 lt 3228 78.113.205.236 255.55.255.255 lt 486
access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165
access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428
access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511
access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945
access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116
access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959
access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993
access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384

#CLUS BRKARC-2009 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Agenda
1 Why SD-Access?: Traditional Campus, Journey, Issues
2 Introduction - Intent Based Networking: Automation, Security, Assurance
3 SD-Access Concepts: Roles, Terminologies
4 SD-Access Fundamentals: How does it work?
5 Demo, Take Away
Cisco Software-Defined Access
Cisco Live San Diego Session Map (Monday June 10 to Thursday June 13, 2019). You Are Here: BRKARC-2009.

• BRKCRS-2818 Connect
• BRKCRS-2821 SDWAN Integration
• BRKCRS-2825 Scaling
• BRKCRS-1501 Validated Design
• BRKNMS-2814 Assurance
• BRKARC-2020 Troubleshoot
• BRKARC-2009 Why SDA (this session)
• BRKCRS-2810 Fundamentals
• BRKCRS-2811 Connect Outside
• BRKCRS-2815 Connect Sites
• BRKCRS-2816 Underlay
• BRKCRS-2817 Extension
• BRKCRS-3810 Deep Dive
• BRKCRS-2812 Migration
• BRKSEC-2025 Security
• BRKCRS-2819 Cross-Domain
• BRKCRS-3811 Policy
• BRKEWN-2021 Live Setup
• BRKEWN-2020 Wireless
Why SD-Access (SDA)?
Key Challenges for Traditional Networks

Difficult to Segment
• Ever increasing number of users and endpoint types
• Ever increasing number of VLANs and IP Subnets

Complex to Manage
• Multiple steps, user credentials, complex interactions
• Multiple touch-points

Slower Issue Resolution
• Separate user policies for wired and wireless networks
• Unable to find users when troubleshooting

Traditional Networks Cannot Keep Up!
Diverse end-points and applications served across a multidomain network

Classes of end-points

User devices (Laptops, phones, PCs)
• Consistent access across wired/wireless
• Granular quality of service and AVC

IT services (Printers, audio, video, displays)
• Service discovery for printing, Apple TV
• Network timing for audio and video

Non-IT services (Lighting, alarms, surveillance)
• Network and power HA for emergency control
• Traffic monitoring for surveillance

Classes of Applications (on-premise or private cloud hosted; public cloud hosted)
• Application visibility and control
• Seamless experience with on-premise and cloud

Network requirements: Increased Scale, Complexity & Growing Security Threats
Unprecedented Demands on the Network
• Digitization → Scale → Lack of Business and IT Insights
• Complexity → Cost → Slow and Error Prone Operations
• Security → Risk → Unconstrained Attack Surface
Modern Networking with Cisco Catalyst 9000

Secure convergence
• Malware detection in encrypted traffic
• Micro and macro segmentation
• Greater Network visibility
• Wired and wireless guest access

IoT
• Support industry IoT device protocols
• Classify wide range of IoT devices
• Uninterrupted PoE

Mobility
• Fabric-enabled wireless
• Embedded Catalyst 9800 WLC
• Common policy for wired and wireless

Cloud
• DevOps toolkit
• NETCONF/YANG models
• Streaming telemetry
• Patching/GIR
• Application hosting
Cisco Software Defined Access
The Foundation for Cisco's Intent-Based Network

Cisco DNA Center: Policy, Automation, Assurance

One Automated Network Fabric
Single fabric for Wired and Wireless with full automation

Identity-Based Policy and Segmentation
Policy definition decoupled from VLAN and IP address

AI-Driven Insights and Telemetry
Analytics and visibility into User and Application experience

[Diagram: Border (B) and Control-Plane (C) nodes connect the fabric to the Outside; an SD-Access Extension carries the IoT Network and the Employee Network; with Client Mobility the Policy follows the User]
Intent Based Networking
Tell your network What you Want and let it figure out How to do That
Correlate Information from Multiple Sensors to provide Deeper Insights and Suggest Actions (Context)

Automated Network Fabric - Day 0/1

Simplifying Automation with New Toolsets
• IP Address Management
• Image Management: Upgrading your network elements
SD-Access moves to IDENTITY
Moving away from an IP Address Centric View

Joshua 192.168.3.47 | Susan 192.168.12.213 | Alan 192.168.8.89 | Nathan 192.168.37.149

It starts with a User, or a device or thing. We move the user into a group, and we place the group into a Virtual Network. This is where Segmentation happens.

How does it come together?
The process starts with a user connecting to the network. The user authenticates with the Identity Services Engine. ISE provides the configuration for the user and the network element. The user becomes part of a Fabric Overlay and only sees other users from the SAME virtual network.

Now for the Fabric Overlay!
Data is transported in the overlay network. Policy is enforced in the overlay network. With user/device mobility, the SAME policy stays intact: the connected tunnel AUTOMATICALLY re-establishes.
Overall Network Health Map
• Network Health Score (network split by device)
• Client Health Score (clients split by wired/wireless)
• Top 10 issues

Network Health Map
• Network Health Score, split by 15min/24 hour
• Network Health by Device: Access | Core | Distribution | Wireless
• Network Device List
• Device Health Timeline, Device Issues, Physical Neighbor Topology, Path Trace, Detailed Device Info

Client Health Map
• All of Client Health Score, split by Wired/Wireless
• Client Metrics: Client Onboarding, Connectivity RSSI, Connectivity Physical Link
• Client List
• Client Health Timeline, Client Issues, Client Onboarding Map, Path Trace, Detailed Client Info

SD-Access Support
Digital Platforms for your Cisco Digital Network Architecture
For more details: cs.co/sda-compatibility-matrix
What is SD-Access?
Roles & Terminology

What is SD-Access?
Campus Fabric + Cisco DNA Center (Automation & Assurance)

 SD-Access (Cisco DNA Center)
• GUI approach provides automation & assurance of all Fabric configuration, management and group-based policy
• Cisco DNA Center integrates multiple management systems (APIC-EM 1.X, NCP, ISE, NDP and PI, previously separate management systems) to orchestrate LAN, Wireless LAN and WAN access

 Campus Fabric
• CLI or API approach to build a LISP + VXLAN + CTS Fabric overlay for your enterprise Campus networks
• CLI provides backwards compatibility, but management is box-by-box
• API provides device automation via NETCONF/YANG
SD-Access
What exactly is a Fabric?

A Fabric is an Overlay
An Overlay network is a logical topology used to virtually connect devices,
built over an arbitrary physical Underlay topology.
An Overlay network often uses alternate forwarding attributes to provide
additional services, not provided by the Underlay.

Examples of Network Overlays
• GRE, mGRE
• MPLS, VPLS
• IPSec, DMVPN
• CAPWAP
• LISP
• OTV
• DFA
• ACI
SD-Access
Fabric Terminology

[Diagram: Hosts (End-Points) attach to Edge Devices; the Overlay Network with its Overlay Control Plane is an Encapsulation between Edge Devices, running on top of the Underlay Network with its Underlay Control Plane]
SD-Access
Fabric Underlay - Manual vs. Automated

Manual Underlay
You can reuse your existing IP network as the Fabric Underlay!
• Key Requirements
  • IP reach from Edge to Edge/Border/CP
  • Can be L2 or L3 - We recommend L3
  • Can be any IGP - We recommend ISIS
• Key Considerations
  • MTU (Fabric Header adds 50B)
  • Latency (RTT of =/< 100ms)

LAN Automation
Fully automated prescriptive IP network Underlay Provisioning!
• Key Requirements
  • Leverages standard PNP for Bootstrap
  • Assumes New / Erased Configuration
  • Uses a Global "Underlay" Address Pool
• Key Considerations
  • Seed Device pre-setup is required
  • 100% Prescriptive (No Custom)
Cisco SD-Access
Fabric Roles & Terminology

 Network Automation - Simple GUI and APIs for intent-based Automation of wired and wireless fabric devices (Cisco DNA Center)
 Network Assurance - Data Collectors analyze Endpoint to Application flows and monitor fabric network status
 Identity Services - NAC & ID Services (e.g. ISE) for dynamic Endpoint to Group mapping and Policy definition
 Control-Plane Nodes - Map System that manages Endpoint to Device relationships
 Fabric Border Nodes - A fabric device (e.g. Core) that connects External L3 network(s) to the SD-Access fabric
 Fabric Edge Nodes - A fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SD-Access fabric
 Fabric Wireless Controller - A fabric device (WLC) that connects Fabric APs and Wireless Endpoints to the SD-Access fabric

[Diagram: Cisco DNA Center (Automation, Assurance) and Cisco ISE (Identity Services) sit above the Campus Fabric; Fabric Border Nodes (B) connect to the IP network, the Control-Plane Node (C) and Intermediate Nodes (Underlay) are in the middle, and Fabric Edge Nodes, Fabric Wireless Controllers and Fabric Wireless Access Points connect the endpoints]
SD-Access Fabric
Border Nodes

Border Node is an Entry & Exit point for data traffic going Into & Out of a Fabric

There are 3 Types of Border Node!
• Internal Border (Rest of Company): connects ONLY to the known areas of the company
• External Border (Outside): connects ONLY to unknown areas outside the company
• Internal + External (Anywhere): connects transit areas AND known areas of the company

[Diagram: Border nodes (B) face the Known Networks and the Unknown Networks; the Control-Plane node (C) sits inside the fabric]
SD-Access Platforms
Fabric Border Node
For more details: cs.co/sda-compatibility-matrix

• Catalyst 3K: Catalyst 3650/3850; 1/mG RJ45; 1/10G SFP; 1/10/40G NM Cards
• Catalyst 6K: Catalyst 6500/6800; Sup2T/Sup6T; C6800 Cards; C6880/6840-X
• Nexus 7K (EXTERNAL border ONLY): Nexus 7700; Sup2E; M3 Cards; LAN1K9 + MPLS
• ISR 4K: ISR 4300/4400; AppX (AX); 1/10G RJ45; 1/10G SFP
• ASR 1K: ASR 1000-X/HX; AppX (AX); 1/10G ELC/EPA; 40G ELC/EPA
SD-Access Fabric
Control-Plane Nodes - A Closer Look

Control-Plane Node runs a Host Tracking Database to map location information
• A simple Host Database that maps Endpoint IDs to a current Location, along with other attributes
• Host Database supports multiple types of Endpoint ID lookup types (IPv4, IPv6 or MAC)
• Receives Endpoint ID map registrations from Edge and/or Border Nodes for "known" IP prefixes
• Resolves lookup requests from Edge and/or Border Nodes, to locate destination Endpoint IDs
SD-Access Platforms
Fabric Control Plane (CRN Products of the Year 2017, 2018)
For more details: cs.co/sda-compatibility-matrix

• Catalyst 9300: 1/mG RJ45; 10/25/40/mG NM
• Catalyst 9400: Sup1XL; 9400 Cards
• Catalyst 9500: 40/100G QSFP; 1/10/25G SFP
• Catalyst 9600: Sup1; 9600 Cards
SD-Access Fabric
Edge Nodes - A Closer Look

Edge Node provides first-hop services for Users / Devices connected to a Fabric
• Responsible for Identifying and Authenticating Endpoints (e.g. Static, 802.1X, Active Directory)
• Register specific Endpoint ID info (e.g. /32 or /128) with the Control-Plane Node(s)
• Provide an Anycast L3 Gateway for the connected Endpoints (same IP address on all Edge nodes)
• Performs encapsulation / de-encapsulation of data traffic to and from all connected Endpoints
SD-Access Platforms
Fabric Edge Node (CRN Products of the Year 2017, 2018)
For more details: cs.co/sda-compatibility-matrix

• Catalyst 9200: Catalyst 9200/L*; 1/mG RJ45; 1G SFP (Uplinks)
• Catalyst 9300: 1/mG RJ45; 10/25/40/mG NM
• Catalyst 9400: Sup1/Sup1XL; 9400 Cards
• Catalyst 9500: 1/10/25G SFP; 40/100G QSFP
• Catalyst 9600: Sup1; 9600 Cards
SD-Access Platforms
Fabric Edge Node
For more details: cs.co/sda-compatibility-matrix

• Catalyst 3K: Catalyst 3650/3850; 1/mG RJ45; 1/10G SFP; 1/10/40G NM Cards
• Catalyst 4500E: Sup8E/Sup9E (Uplink); 4600/4700 Cards (Host)
• Catalyst 6K: Catalyst 6500/6800; Sup2T/Sup6T; C6800 Cards; C6880/6840-X
SD-Access Fabric
Fabric Enabled Wireless - A Closer Look

Fabric Enabled WLC is integrated into Fabric for SD-Access Wireless clients (Ctrl: CAPWAP, Data: VXLAN)
• Connects to Fabric via Border (Underlay)
• Fabric Enabled APs connect to the WLC (CAPWAP) using a dedicated Host Pool (Overlay)
• Fabric Enabled APs connect to the Edge via VXLAN
• Wireless Clients (SSIDs) use regular Host Pools for data traffic and policy (same as Wired)
• Fabric Enabled WLC registers Clients with the Control-Plane (as located on local Edge + AP)
How does SD-Access work?

SD-Access Fabric
Campus Fabric - Key Components
1. Control-Plane based on LISP
2. Data-Plane based on VXLAN
3. Policy-Plane based on CTS

Key Differences
• L2 + L3 Overlay -vs- L2 or L3 Only
• Host Mobility with Anycast Gateway
• Adds VRF + SGT into Data-Plane
• Virtual Tunnel Endpoints (Automatic)
• NO Topology Limitations (Basic IP)
Fabric Operation
Control-Plane Roles & Responsibilities

Control-Plane: LISP Map Server / Resolver
• EID to RLOC mappings
• Can be distributed across multiple LISP devices

  EID           RLOC
  a.a.a.0/24    w.x.y.1
  b.b.b.0/24    x.y.w.2
  c.c.c.0/24    z.q.r.5
  d.d.0.0/16    z.q.r.5

Edge: LISP Tunnel Router - xTR (Edge & Internal Border)
• Register EID with Map Server
• Ingress / Egress (ITR / ETR)

Border: LISP Proxy Tunnel Router - PxTR (External Border)
• Provides a Default Gateway when no mapping exists
• Ingress / Egress (PITR / PETR)

Non-LISP routing table on the Border (RLOC Space)
  Prefix      Next-hop
  w.x.y.1     e.f.g.h
  x.y.w.2     e.f.g.h
  z.q.r.5     e.f.g.h

• EID = Endpoint Identifier: Host Address or Subnet
• RLOC = Routing Locator: Local Router Address

[Diagram: the EID Space (a.a.a.0/24 and b.b.b.0/24 behind the Edges w.x.y.1 and x.y.w.2; c.c.c.0/24 and d.d.0.0/16 behind z.q.r.5) sits behind the Edge nodes; the RLOC Space is the underlay between Edges, Border and Control-Plane]
Fabric Operation
Control Plane Register & Resolution

[Diagram: a Branch Fabric Edge (ITR) asks the Fabric Control Plane (5.1.1.1) "Where is 10.2.2.2?"; the Fabric Edges with RLOCs 2.1.1.1, 2.1.2.1, 3.1.1.1 and 3.1.2.1 serve the hosts 10.2.2.2, 10.2.2.3, 10.2.2.4 and 10.2.2.5]

Cache Entry (on ITR): 10.2.2.2/32 → 2.1.2.1
Database Mapping Entries (on ETR): 10.2.2.2/32 → 2.1.2.1; 10.2.2.4/32 → 3.1.2.1
Subnet 10.2.0.0 255.255.0.0 stretched across the Fabric Edges
Fabric Operation
Fabric Internal Forwarding (Edge to Edge)

1. DNS Entry: D.abc.com A 10.2.2.2. Source S (10.1.0.1, in the Branch subnet 10.1.0.0/24) sends a packet 10.1.0.1 → 10.2.2.2 to its Fabric Edge (RLOC 1.1.1.1).
2. The Fabric Edge has no map-cache entry for 10.2.2.2, so it asks the Mapping System.
3. Mapping Entry returned: EID-prefix 10.2.2.2/32, Locator-set 2.1.2.1, priority: 1, weight: 100 (Path Preference is controlled by the Destination Site).
4. The Fabric Edge encapsulates the packet, outer 1.1.1.1 → 2.1.2.1 carrying inner 10.1.0.1 → 10.2.2.2, and forwards it across the IP Network through the Fabric Borders (the diagram shows 5.1.1.1, 5.2.2.2 and 5.3.3.3 for the Borders and the Mapping System).
5. The destination Fabric Edge 2.1.2.1 (one of the Fabric Edges 2.1.1.1, 2.1.2.1, 3.1.1.1, 3.1.2.1) de-encapsulates and delivers 10.1.0.1 → 10.2.2.2 to D.

Subnet 10.2.0.0 255.255.0.0 (hosts 10.2.2.2, 10.2.2.3, 10.2.2.4, 10.2.2.5) stretched across the Fabric Edges
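The register, resolve and forward steps on the last three slides, as an added example in Python (this is not code from the deck or from Cisco): a toy LISP map server, xTRs that register /32 EIDs and keep a map-cache, a PETR fallback for unknown destinations, and the host-mobility case the "Host Mobility with Anycast Gateway" bullet relies on. EIDs 10.2.2.2 and 10.2.2.4, RLOCs 2.1.2.1 and 3.1.2.1 and the branch edge 1.1.1.1 are taken from the slides; the PETR address 9.9.9.9, the `Locator` priority/weight fields and the `solicit_map_request` cache invalidation are assumptions made for this example.

```python
# Added example, not code from the BRKARC-2009 deck: a toy model of the
# LISP control plane behind an SD-Access fabric. Addresses 10.2.2.2,
# 10.2.2.4, 2.1.2.1, 3.1.2.1 and 1.1.1.1 come from the slides; the PETR
# address 9.9.9.9 and the SMR-style cache invalidation are assumptions.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Locator:
    rloc: str
    priority: int = 1
    weight: int = 100


class MapServer:
    """Control-plane node: host tracking database, EID prefix -> locator."""

    def __init__(self):
        self.db = {}

    def register(self, eid_prefix, locator):
        # Map-Register from an ETR. The latest registration wins, which is
        # how a roaming host ends up behind its new edge.
        self.db[ipaddress.ip_network(eid_prefix)] = locator

    def resolve(self, eid):
        """Map-Resolver: longest-prefix match; None when nothing is known."""
        addr = ipaddress.ip_address(eid)
        matches = [net for net in self.db if addr in net]
        if not matches:
            return None
        return self.db[max(matches, key=lambda n: n.prefixlen)]


class EdgeNode:
    """xTR: registers attached hosts as /32 EIDs and encapsulates to RLOCs."""

    def __init__(self, rloc, map_server, petr):
        self.rloc = rloc
        self.ms = map_server
        self.petr = petr        # PxTR / external border: default when no mapping
        self.map_cache = {}     # EID -> RLOC learned from Map-Replies

    def attach(self, host_ip):
        self.ms.register(f"{host_ip}/32", Locator(self.rloc))

    def forward(self, src_ip, dst_ip):
        """Return the outer (RLOC) header the ITR would put on the packet."""
        dst = ipaddress.ip_address(dst_ip)
        if dst not in self.map_cache:
            loc = self.ms.resolve(dst_ip)
            # Negative Map-Reply: traffic to unknown EIDs goes to the PETR.
            self.map_cache[dst] = loc.rloc if loc else self.petr
        return {"outer": (self.rloc, self.map_cache[dst]),
                "inner": (src_ip, dst_ip)}

    def solicit_map_request(self, eid):
        # After a move the map server tells ITRs to drop the stale entry so
        # the next packet triggers a fresh Map-Request (assumed behaviour).
        self.map_cache.pop(ipaddress.ip_address(eid), None)


def demo():
    ms = MapServer()
    branch = EdgeNode("1.1.1.1", ms, petr="9.9.9.9")
    edge_a = EdgeNode("2.1.2.1", ms, petr="9.9.9.9")
    edge_b = EdgeNode("3.1.2.1", ms, petr="9.9.9.9")
    edge_a.attach("10.2.2.2")
    edge_b.attach("10.2.2.4")

    results = {
        "to_10.2.2.2": branch.forward("10.1.0.1", "10.2.2.2")["outer"][1],
        "to_10.2.2.4": branch.forward("10.1.0.1", "10.2.2.4")["outer"][1],
        "to_unknown": branch.forward("10.1.0.1", "8.8.8.8")["outer"][1],
    }
    # Host 10.2.2.2 moves to edge_b: the database updates at once, but the
    # branch ITR keeps using its stale cache entry until it is invalidated.
    edge_b.attach("10.2.2.2")
    results["after_move_stale"] = branch.forward("10.1.0.1", "10.2.2.2")["outer"][1]
    branch.solicit_map_request("10.2.2.2")
    results["after_move_fresh"] = branch.forward("10.1.0.1", "10.2.2.2")["outer"][1]
    return results


if __name__ == "__main__":
    for name, rloc in demo().items():
        print(f"{name}: {rloc}")
```

The stale-cache step is the point to watch operationally: the control-plane database is authoritative the moment the new edge registers, but every ITR that cached the old RLOC keeps tunnelling to the wrong edge until its cache entry is refreshed.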
Would you like to know more?
Locator / ID Separation Protocol (LISP)

Suggested Reading
• BRKRST-3045 - LISP - A Next Generation Networking Architecture

• BRKRST-3047 - Troubleshooting LISP

• BRKCRS-3510 - LISP in Campus Networks

Other References
• Cisco LISP Site http://lisp.cisco.com
• Cisco LISP Marketing Site http://www.cisco.com/go/lisp/
• LISP Beta Network Site http://www.lisp4.net or http://www.lisp6.net
• IETF LISP Working Group http://tools.ietf.org/wg/lisp/
• Fundamentals of LISP https://www.youtube.com/watch?v=lKrV1qB8uqA

SD-Access Fabric
Key Components - VXLAN

1. Control-Plane based on LISP
2. Data-Plane based on VXLAN
3. Policy-Plane based on CTS

ORIGINAL PACKET:  ETHERNET | IP | PAYLOAD
PACKET IN LISP:   ETHERNET | IP | UDP | LISP | IP | PAYLOAD  (Supports L3 Overlay Only)
PACKET IN VXLAN:  ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD  (Supports L2 & L3 Overlay)
VXLAN-GPO Header
MAC-in-IP with VN ID & Group ID

What to look for in a packet capture? The outer IP addresses are the RLOCs of the two edge nodes, the inner addresses are the endpoint EIDs, the VNI identifies the Virtual Network (VRF) and the Group Policy ID carries the SGT.

Frame 1: 192 bytes on wire (1536 bits), 192 bytes captured (1536 bits)

OUTER HEADER
  Ethernet II, Src: CiscoInc_c5:db:47 (88:90:8d:c5:db:47), Dst: CiscoInc_5b:58:fb (0c:f5:a4:5b:58:fb)
  Internet Protocol Version 4, Src: 10.2.120.1, Dst: 10.2.120.3
  User Datagram Protocol, Src Port: 65354 (65354), Dst Port: 4789 (4789)
    Source Port: 65354
    Destination Port: 4789
    Length: 158
    Checksum: 0x0000 (none)
    [Stream index: 0]

OVERLAY HEADER
  Virtual eXtensible Local Area Network
    Flags: 0x0800, VXLAN Network ID (VNI)
    Group Policy ID: 50
    VXLAN Network Identifier (VNI): 4098
    Reserved: 0

INNER HEADER
  Ethernet II, Src: CiscoInc_c5:00:00 (88:90:8d:c5:00:00), Dst: ba:25:cd:f4:ad:38 (ba:25:cd:f4:ad:38)
    Destination: ba:25:cd:f4:ad:38 (ba:25:cd:f4:ad:38)
    Source: CiscoInc_c5:00:00 (88:90:8d:c5:00:00)
    Type: IPv4 (0x0800)
  Internet Protocol Version 4, Src: 10.2.1.89, Dst: 10.2.1.99
  Internet Control Message Protocol
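The capture above, rebuilt and dissected in Python as an added example (not code from the deck or from Cisco): an edge-style `encapsulate` that wraps an Ethernet frame in UDP/4789 with the 8-byte VXLAN-GPO header, and a `dissect` that pulls the RLOCs, VNI, Group Policy ID and inner EIDs back out. It also measures the encapsulation overhead, which is the 50-byte figure behind the underlay MTU note earlier in the deck. VNI 4098, Group Policy ID 50, the outer 10.2.120.1 → 10.2.120.3 and the inner 10.2.1.89 → 10.2.1.99 addresses are from the capture; the MAC addresses are reused from it, while the ICMP payload and the zeroed IP/UDP checksums are constructed sample data.

```python
# Added example, not code from the deck: build and dissect a VXLAN-GPO
# (MAC-in-UDP) frame like the capture on the slide and measure the
# overhead. VNI 4098, Group Policy ID 50 and the IP addresses come from
# the capture; the ICMP payload and zero checksums are constructed.
import socket
import struct

VXLAN_PORT = 4789
FLAG_G = 0x80   # Group Policy extension present (VXLAN-GPO)
FLAG_I = 0x08   # VNI field is valid


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ethernet(dst_mac, src_mac, payload, ethertype=0x0800):
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ethertype) + payload


def ipv4(src, dst, proto, payload):
    # Minimal 20-byte IPv4 header; header checksum left at 0 (never sent).
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def vxlan_gpo(vni, sgt, with_gpo=True):
    """8-byte header: flags(8) rsvd(8) group-policy-id(16) vni(24) rsvd(8)."""
    flags = FLAG_I | (FLAG_G if with_gpo else 0)
    return struct.pack("!BBHI", flags, 0, sgt if with_gpo else 0, vni << 8)


def encapsulate(inner_frame, vni, sgt, src_rloc, dst_rloc, with_gpo=True,
                src_mac="88:90:8d:c5:db:47", dst_mac="0c:f5:a4:5b:58:fb",
                sport=65354):
    """What an edge node does: MAC-in-UDP with VN ID and SGT in the header."""
    payload = vxlan_gpo(vni, sgt, with_gpo) + inner_frame
    return ethernet(dst_mac, src_mac,
                    ipv4(src_rloc, dst_rloc, 17, udp(sport, VXLAN_PORT, payload)))


def dissect(frame):
    """Return RLOCs, VNI, SGT, inner EIDs and overhead; ValueError if not VXLAN."""
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("outer frame is not IPv4")
    ip_off = 14
    ihl = (frame[ip_off] & 0x0F) * 4
    if frame[ip_off + 9] != 17:
        raise ValueError("outer packet is not UDP")
    src_rloc = socket.inet_ntoa(frame[ip_off + 12:ip_off + 16])
    dst_rloc = socket.inet_ntoa(frame[ip_off + 16:ip_off + 20])
    udp_off = ip_off + ihl
    if struct.unpack_from("!H", frame, udp_off + 2)[0] != VXLAN_PORT:
        raise ValueError("not VXLAN (UDP/4789)")
    vx_off = udp_off + 8
    flags, _, group_id, vni_field = struct.unpack_from("!BBHI", frame, vx_off)
    if not flags & FLAG_I:
        raise ValueError("VNI flag (I) not set")
    inner = frame[vx_off + 8:]          # inner Ethernet frame (L2 overlay)
    return {
        "rloc": (src_rloc, dst_rloc),
        "vni": vni_field >> 8,
        # Without the G bit there is no group id on the wire: the SGT did
        # not survive the hop and the egress node has nothing to enforce on.
        "sgt": group_id if flags & FLAG_G else None,
        "eid": (socket.inet_ntoa(inner[26:30]), socket.inet_ntoa(inner[30:34])),
        "overhead": len(frame) - len(inner),   # 14 + 20 + 8 + 8 = 50 bytes
    }


def sample_inner_frame():
    """Constructed ICMP echo request between the two EIDs from the capture."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"constructed-sample"
    return ethernet("ba:25:cd:f4:ad:38", "88:90:8d:c5:00:00",
                    ipv4("10.2.1.89", "10.2.1.99", 1, icmp))


if __name__ == "__main__":
    frame = encapsulate(sample_inner_frame(), vni=4098, sgt=50,
                        src_rloc="10.2.120.1", dst_rloc="10.2.120.3")
    print(dissect(frame))
```

The `with_gpo=False` path is the case to check when a tunnel crosses non-GPO capable hops: the VNI still arrives, but the group id field is meaningless without the G bit, so the parser reports no SGT rather than a bogus one.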
SD-Access Fabric
Key Components - Group Based Policy

1. Control-Plane based on LISP
2. Data-Plane based on VXLAN
3. Policy-Plane based on CTS

VRF + SGT: Virtual Routing & Forwarding (VRF) and Scalable Group Tagging (SGT) are carried in the VXLAN header:
ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD
SD-Access Policy
Two Level Hierarchy - Macro Level

Virtual Network (VN)
First level Segmentation ensures zero communication between forwarding domains. Ability to consolidate multiple networks into one management plane.

[Diagram: VNs "A", "B" and "C" inside the SD-Access Fabric, for example a Building Management VN and a Campus Users VN, facing the Known Networks and the Unknown Networks]

SD-Access Policy
Two Level Hierarchy - Micro Level

Scalable Group (SG)
Second level Segmentation ensures role based access control between two groups within a Virtual Network. Provides the ability to segment the network into either line of businesses or functional blocks.

[Diagram: Scalable Groups SG 1 to SG 9 spread across the Building Management and Campus Users VNs inside the SD-Access Fabric]
Group Propagation
VN & SGT in VXLAN-GPO Encapsulation

Edge Node 1 (Encapsulation) → IP Network → Edge Node 2 (Decapsulation); the VXLAN header carries the VN ID and the SGT ID.

• Classification: Static or Dynamic VN and SGT assignments
• Propagation: Carry VN and Group context across the network
• Enforcement: Group Based Policies, ACLs, Firewall Rules
Policy Enforcement
Ingress Classification with Egress Enforcement

• Ingress (Cat3850 / WLC5508): User Authenticated = Classified as Marketing (SGT 5). Packet SRC: 10.1.10.220, DST: 10.1.100.52, SGT: 5
• Propagation: the SGT travels with the packet across the Enterprise Backbone (Cat6800, Cat6800, Nexus 7000, Nexus 5500, Nexus 2248)
• Egress: Destination Classification from ISE (CRM: SGT 20, Web: SGT 30). FIB Lookup = Destination IP = SGT 20. Packet SRC: 10.1.10.220, DST: 10.1.100.52 (CRM, SGT 20); the Web server is DST: 10.1.200.100 (SGT 30)
• Egress Enforcement (SGACL):

  SRC \ DST        CRM (20)   Web (30)
  Marketing (5)    Permit     Deny
  BYOD (7)         Deny       Permit
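The two-level policy from the Macro Level and Micro Level slides together with the ingress-classification / egress-enforcement flow above, as an added example in Python (not code from the deck or from Cisco): a VN is a separate forwarding domain, so a destination outside the packet's VN is simply unreachable and no SGACL is ever consulted; inside the VN the egress edge maps the destination IP to its SGT (the "FIB Lookup" on the slide) and applies the SGACL matrix. Because the source SGT comes from the authenticated identity rather than from the IP address, the same user moving to a new edge and a new address gets the same verdict, which is what "policy follows the user" means in practice. SGTs 5, 7, 20 and 30 and the Marketing/BYOD versus CRM/Web matrix come from the slide, as do the addresses 10.1.10.220, 10.1.100.52 and 10.1.200.100; the VN names, the identity-to-SGT table, the other IP addresses and the "deny when no matrix cell matches" default are assumptions made for this example (the real default policy is configured in ISE).

```python
# Added example, not code from the deck: a model of SD-Access two-level
# policy (VN = macro, SGT + SGACL = micro) with ingress classification
# and egress enforcement. SGTs and the SGACL matrix are from the slide;
# VN names, identities, extra hosts and the deny default are assumptions.
from dataclasses import dataclass

# ISE-style classification after 802.1X: identity -> SGT (assumed table).
IDENTITY_TO_SGT = {"alice@marketing": 5, "bob-byod": 7, "bms-controller": 40}

# Destination classification per VN: server IP -> SGT. Each VN is its own
# forwarding domain (VRF), so a lookup never crosses into another VN.
VN_HOSTS = {
    "Campus Users": {"10.1.100.52": 20, "10.1.200.100": 30},   # CRM, Web
    "Building Management": {"10.9.0.10": 40},                 # assumed BMS host
}

# SGACL matrix (src SGT, dst SGT) -> action, taken from the slide.
SGACL = {(5, 20): "permit", (5, 30): "deny", (7, 20): "deny", (7, 30): "permit"}


@dataclass(frozen=True)
class Packet:
    vn: str
    src_ip: str
    dst_ip: str
    sgt: int          # carried in the VXLAN-GPO header from the ingress edge


def ingress_classify(identity, vn, src_ip, dst_ip):
    """Ingress edge: the SGT is derived from identity, not from the IP address."""
    if identity not in IDENTITY_TO_SGT:
        raise PermissionError(f"{identity} is not an authenticated identity")
    return Packet(vn, src_ip, dst_ip, IDENTITY_TO_SGT[identity])


def egress_enforce(pkt):
    """Egress edge: FIB lookup of the destination inside the VN, then the SGACL cell."""
    hosts = VN_HOSTS.get(pkt.vn, {})
    if pkt.dst_ip not in hosts:
        return "unreachable"            # macro level: no route across VNs
    dst_sgt = hosts[pkt.dst_ip]
    return SGACL.get((pkt.sgt, dst_sgt), "deny")   # micro level (deny default assumed)


def forward(identity, vn, src_ip, dst_ip):
    return egress_enforce(ingress_classify(identity, vn, src_ip, dst_ip))


def demo():
    vn = "Campus Users"
    return {
        "marketing->crm": forward("alice@marketing", vn, "10.1.10.220", "10.1.100.52"),
        "marketing->web": forward("alice@marketing", vn, "10.1.10.220", "10.1.200.100"),
        "byod->crm": forward("bob-byod", vn, "10.1.10.221", "10.1.100.52"),
        "byod->web": forward("bob-byod", vn, "10.1.10.221", "10.1.200.100"),
        # Policy follows the user: new edge, new IP, same SGT, same verdict.
        "marketing_moved->crm": forward("alice@marketing", vn, "10.1.20.7", "10.1.100.52"),
        # Macro level: the BMS host lives in another VN, so it is not reachable.
        "marketing->bms": forward("alice@marketing", vn, "10.1.10.220", "10.9.0.10"),
        # Micro level with no matrix cell for (40, 40): the assumed default applies.
        "bms->bms": forward("bms-controller", "Building Management", "10.9.0.11", "10.9.0.10"),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:24} {verdict}")
```

The "unreachable" result for the cross-VN case is the reason the macro level matters for security: a mistake in the SGACL matrix cannot leak traffic between VNs, because the lookup that would apply the matrix never happens.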
Demo

Things to Remember

Take Away
What to Do Next?
• SD-Access Capable
• Cisco DNA Center
• Cisco Services
SD-Access Testimonials
Live Customer SD-Access Deployments
• Network Services
• 375+ Production Deployments
• Cisco IT
www.cisco.com/c/en/us/solutions/enterprise-networks/network-architecture-customer-success-stories.html

SD-Access @ CiscoLive US: Marriott Marquis San Diego
SD-Access Resources
Would you like to know more?

cs.co/sda-resources
• Search from your Browser
• Indexed by Search Engines

cs.co/sda-community
• Discuss with experts & friends
• Supported by SDA TMEs
• 24-hour First Response
• Questions are marked Answered

Thank you