Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to [Cisco Connect 2018 - Vietnam] Cisco connect 2018 sanjay - cisco sda v1.0-hcm vn
Similar to [Cisco Connect 2018 - Vietnam] Cisco connect 2018 sanjay - cisco sda v1.0-hcm vn (20)
More from Nur Shiqim Chok
More from Nur Shiqim Chok (20)
Recently uploaded
Recently uploaded (20)
[Cisco Connect 2018 - Vietnam] Cisco connect 2018 sanjay - cisco sda v1.0-hcm vn
- 1. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
- 2. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Cisco Software Defined Access (SDA) TransformationalApproach to Network Design & Provisioning Sanjay Kumar Regional Manager- ASEAN, Cisco Systems
- 3. © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public What is network about? Today...In the past... Voice Video Data Mobility Security Cloud IOT Source: google.de images Source: google.de images What really matters !!!
- 4. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential CISCO CONNECT 2018 . IT’S ALL YOU The Challenge. “I want to design and deploy a network.” Platform choices Best practices Manageable Design options On time Future ready Within budget
- 5. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential CISCO CONNECT 2018 . IT’S ALL YOU Typical Traditional Campus Data Centre WAN/BRANCH Access Points Core Switches Aggregation Switches Access Switches WLC ETHERCHANNEL HSRP SPANNING TREECLI L2/L3 AVC VLANS ACL 802.1x FNF Very powerful and feature rich but: - Complex to operate - Difficult to scale - Difficult to secure - Inflexible and closed architecture - And you manage it all with CLI… Internet
- 6. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential CISCO CONNECT 2018 . IT’S ALL YOU Traditional Network Design & Build Work Flow spanning-tree mode rapid-pvst spanning-tree portfast bpduguard default udld enable errdisable recovery cause all vtp mode transparent load-interval 30 Spanning Tree Protection across the LAN access-list 55 permit 10.4.48.0 0.0.0.255 line vty 0 15 access-class 55 in ! snmp-server community [SNMP RO] RO 55 snmp-server community [SNMP RW] RW 55 SNMPv2c access ntp server 10.4.48.17 ntp update-calendar ! clock timezone PST -8 clock summer-time PDT recurring ! service timestamps debug datetime msec localtime service timestamps log datetime msec localtime Global LAN Switch Configuration vlan 10 name Data vlan 20 name Voice vlan 30 name Management Uplink Interfaces Mgmt VLAN 30 Data VLAN 10 Voice VLAN 20 Client Facing Interfaces Access Layer Virtual LANs
- 7. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential CISCO CONNECT 2018 . IT’S ALL YOU How we build Traditional Network Box by Box Manual | Error Prone ip domain-name cisco.local no ip http server ip http secure-server ip ssh version 2 ip scp server enable line vty 0 15 transport input ssh transport preferred none Manually Repetitive Steps CLI Skill | Time | Effort
- 8. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential CISCO CONNECT 2018 . IT’S ALL YOU Key Challenges for Traditional Networks Difficult to Segment Ever increasing number of users and endpoint types Ever increasing number of VLANs and IP Subnets Complex to Manage Multiple steps, user credentials, complex interactions Multiple touch-points Slower Issue Resolution Separate user policies for wired and wireless networks Unable to find users when troubleshooting Traditional Networks Cannot Keep Up!
- 9. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential CISCO CONNECT 2018 . IT’S ALL YOU Automated Network Fabric Single Fabric for Wired & Wireless with Workflow-based Automation Insights & Telemetry Analytics and insights into user and application behavior Identity-based Policy & Segmentation Decoupled security policy definition from VLAN and IP Address Software-Defined Access Networking at the speed of Software! DNA Center AnalyticsPolicy Automation IoT Network Employee Network SDA-Extension User Mobility Policy stays with user
- 10. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential CISCO CONNECT 2018 . IT’S ALL YOU What is SD-Access? Campus Fabric + DNA Center (Automation & Assurance) APIC-EM 1.X Campus Fabric ISE PI Automation Policy Assurance DNA Center B C B  Campus Fabric An Overlay network is a logical topology used to virtually connect devices Separated management systems  SD-Access GUI approach provides automation & assurance of all Fabric configuration, management and group-based policy DNA Center integrates multiple systems, to orchestrate your LAN, Wireless LAN and WAN access
- 11. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential CISCO CONNECT 2018 . IT’S ALL YOU Software-Defined Access AssuranceAutomation Policy Routers Switches Wireless AP WLC DNA Center DESIGN PROVISION POLICY ASSURANCE DNA Center: Simple Workflows Solution Components
- 12. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential CISCO CONNECT 2018 . IT’S ALL YOU SDA Network Design & Build Work Flow Assure Assure Design Network Hierarchy Network Settings Image Management Network Profiles Policy Virtual Networks Access Control Application Priority
- 13. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential CISCO CONNECT 2018 . IT’S ALL YOU SDA Network Design & Build Work Flow Assure Provision Assure Provision Device Onboarding Host Onboarding Device Inventory Fabric Administration Assurance Network Health Score Client 360 Device 360 Application 360
- 14. © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public L2 Switch L3 Switch Trunks Trunk BYOD Employee Contractor One SSID Production Servers AAA DHCP AD WLAN Developer Servers LAN Core Multiple Steps and Touch Points 1. Define Groups in AD 2. Define Policies  VLAN/subnet based 3. Implement VLANs/Subnets  Create VLANs  Define DHCP scope  Create subnets and L3 interfaces  Routing for new subnets  Map SSID to Interface/VLAN 4. Implement Policy  Define ACLs  Apply ACLs 5. Many different User Interfaces AAA WLC Devices CLI …. What if You Need to Add Another Group & Policy? Network Segmentation Policy RolloutToday
- 15. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential CISCO CONNECT 2018 . IT’S ALL YOU How SDA Simplifies Network Segmentation Access Layer Enterprise Backbone Voice VLAN Voice Data VLAN Employee Aggregation Layer Supplier Guest VLAN BYOD BYOD VLAN Non-Compliant Quarantine VLAN VLAN Address DHCP Scope Redundancy Routing Static ACL VACL Security Policy based on Topology High cost and complex maintenance Voice VLAN Voice Data VLAN Employee Supplier BYODNon-Compliant Use existing topology and automate security policy to reduce OpEx ISE No VLAN Change No Topology Change Central Policy Provisioning Micro/Macro Segmentation Employee Tag Supplier Tag Non-Compliant Tag Access Layer Enterprise Backbone DC Firewall / Switch DC Servers Policy TrustSecTraditional Segmentation
- 16. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Employees Contractors Production Development Source Destination FABRIC NODES Contract CISCO DNA CENTER CISCO ISE FABRIC POLICIES PERMIT Employees Production Employees Production API POLICY DOWNLOAD SDA Segmentation Policy Automation
- 17. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential CISCO CONNECT 2018 . IT’S ALL YOU Network quality is a complex, end-to-end problem * Both = Join/roam and quality/throughput APs Local WLCs Network services DCOffice site ISE DHCP Mobile clients CUCM Client firmware AP coverage WAN Uplink usage WAN QoS, Routing, ... End-User services RF Noise/Interf. Client density ... Cisco Prime™ Configuration Addressing Authentication Affects Join/Roam Affects Quality/Throughput WLC Capacity Affects Both* Affects Both*Affects Both* Affects Both* Affects Both* Affects Quality/Throughput Affects Quality/Throughput Affects Join/Roam Affects Join/Roam WAN
- 18. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential CISCO CONNECT 2018 . IT’S ALL YOU When users complain about Application Problem Wireless Network Issue Increased Latency WAN Network Issue Application Problem Server Problem User Problem Network is so slow I cannot get any work done today I do not see anything wrong End Users Network Admin What the users see What network admins see What can happen ping – OK show ip route - OK traceroute - OK show interface - OK
- 19. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential CISCO CONNECT 2018 . IT’S ALL YOU Reverse Path Lookup SDA Assurance Path Visualization Enhanced App Flow Visibility
- 20. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential CISCO CONNECT 2018 . IT’S ALL YOU SDA Real-time dashboard & analytics Global health - Network and clients Application and compliance health require DNA advantage.
- 21. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential CISCO CONNECT 2018 . IT’S ALL YOU SDA Ready Platforms ASR-1000-X ASR-1000-HX ISR 4430 ISR 4450 WIRELESSROUTINGSWITCHING AIR-CT5520 AIR-CT8540 Wave 2 APs (1800, 2800,3800) Wave 1 APs* (1700, 2700,3700) Catalyst 9400 Catalyst 9300 Catalyst 9500 Catalyst 4500E Catalyst 6K Nexus 7700 Catalyst 3850 and 3650 AIR-CT3504 CSR 1000V *with Caveats
- 22. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential CISCO CONNECT 2018 . IT’S ALL YOU Catalyst 9000 Platform World’s Most Advanced Enterprise Switches Catalyst 9300 Fixed Access Catalyst 9400 Modular Access Catalyst 9500 Fixed Core Programmable Mobile Ready Cloud Ready Design Integrated Security IoT Ready
- 23. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential CISCO CONNECT 2018 . IT’S ALL YOU 4000+ Customers Wins Gaining Momentum with the Catalyst 9000!
- 24. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential CISCO CONNECT 2018 . IT’S ALL YOU Some Early Recognitions…
- 25. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential CISCO CONNECT 2018 . IT’S ALL YOU Catalyst 9300 1G Data mGig UPOE 1G UPOE/POE+ 2.5G at the Price of 1G 40G at the Price of 10G New Generation of Fixed Access 24 Ports Modular Power SuppliesModular UplinksModular Fans UADP 2.0 Open IOS-XE SD-Access X86 CPU & Containers Encrypted Traffic Analytics (ETA)* 256 bit MACSEC* Trustworthy Systems StackWise Virtual* IEEE1588 & AVB* NBAR2 Perpetual/Fast PoE Model Driven Programmability Patching/GIR Catalyst 9K Leadership Streaming Telemetry 48 Ports 8x10G 2x40G 4x mGig 4x1G 350W 715W 1100W Only Stackable Switch with 8X 10G Uplinks Highest 2.5G/mGig Density in the Industry
- 26. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential CISCO CONNECT 2018 . IT’S ALL YOU Catalyst 9400 New Generation of Modular Access 4-Slot* 7-Slot 10-Slot Power Supply 3200W AC 3200W DC* 2400W AC* Core Linecards 24x 10G SFP+* 48x1G SFP* 24x1G SFP* Access Linecards 24xmGig + 24xUPOE* 48xUPoE 48xPoE+* 48xData Supervisor Sup-1: 80G/Slot Access Optimized Sup-1XL*: 120G/Slot Core Optimized Redundancy is now Table-stake Industry’s Highest PoE Scale 9Tbps System b/w UADP 2.0 Open IOS-XE SD-Access X86 CPU & Containers Encrypted Traffic Analytics* 256 bit MACSEC* Trustworthy Systems StackWise Virtual* IEEE1588 & AVB* NBAR2 Perpetual PoE* Model Driven Programmability Patching/GIR Catalyst 9K Leadership Streaming Telemetry* *not available at FCS
- 27. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential CISCO CONNECT 2018 . IT’S ALL YOU Catalyst 9500 Catalyst 9500-40X Catalyst 9500-24Q Catalyst 9500-12Q New Generation of Purpose Built Fixed Core/Aggregation UADP 2.0 Open IOS-XE SD-Access X86 CPU & Containers Encrypted Traffic Analytics* 256 bit MACSEC* Trustworthy Systems StackWise Virtual IEEE1588 & AVB* NBAR2 Model Driven Programmability Patching/GIR Catalyst 9K Leadership Streaming Telemetry* 40G at the Price of 10G 8X Buffering vs. Competition Industry’s First 40G Enterprise Switch
- 28. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential CISCO CONNECT 2018 . IT’S ALL YOU The Journey to the Software Defined Access (SDA) Infrastructure Readiness Open and Programmable Policy Based Automation Simplify, scale network deployment for Cloud, Mobile, IoT Intent-based Network Constantly learning, adapting, protecting Analytics for Assurance Predictive performance with machine learning Secure Foundation Rapid threat detection and mitigation Software-Driven Innovation
- 29. © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Editor's Notes
- This is a typical campus network that many of our customers & you will be familiar with. [Build slide up showing different layers, protocols, policy, management, controller etc…] Whilst the network is critical for every business and offers powerful features, enterprise networks are complex and we have tied policy to an IP address - that is why you build with VLAN’s, per switch, you put subnets against ACL’s, you implement Spanning-Tree and then HSRP, VSS, the list goes on… And there we see it. Very powerful and feature rich but: Complex to operate Difficult to scale Difficult to secure Inflexible and closed architecture And you manage it all with CLI…
- There are 2 main components of SD-Access: Campus Fabric + DNA Center. Campus Fabric are all of the features and protocols (control-plane, data-plane, policy-plane) to operate the network infrastructure. DNA Center provides all of the wired & wireless automation & assurance aspects, along with Cisco ISE for security aspects. If you manage the solution via the CLI or API, it is considered Campus Fabric. If you manage the Campus Fabric with DNA Center, it is SD-Access!
- Traditional segmentation could be based on topology. Those could be VLANs, Subnets, VRF, and statically configured Access Control List. When you create a VLAN, you can definitely isolates endpoints as long as you configure those VLANs are not communicating. VLAN is easy to setup in the lab. But in a real world, when you are trying to setup additional VLAN to implement security policy, you are not just adding one VLAN. You need same VLAN per floor, per building, and per location. Adding VLAN involves additional adjustments in the topology. You have to make sure that you have enough address space for those VLANs, changes in DHCP pools (and possibly DNS), probably adding VLAN to gateway redundancy like HSRP, and adding segments to the routing. After all of those additional works, you will use VACL or L3 IP ACL statically to enforce traffic. You want to make sure that you have enough TCAM space on the box. And you are going to keep adding ACL again, and again, and again… We’ve been seeing customers trying to understand what those 1000’s lines of ACLs on their routers because IP address does not tell you exactly what’s behind it. Even servers or applications are decommissioned, you are keeping those ACLs because you don’t know exactly what type of security hole you are making. With TrustSec, you can simply leverage your customer’s existing VLAN design. We simply assign SGT or Security Group Tag to the endpoints (not just endpoint but also destination as well) and user such tag information to enforce traffic. ISE automates the whole ACL provisioning process. When a device is connected, then switch will ask ISE what type of policy ISE has for this endpoint. If there is any policy exists, then switch automatically get that policy right away.
- All this is changing (mobile, VDI, cloud) is real and coming now. To reduce your costs, you need to look at your WAN BW costs because that’s where the money is being spent! So let’s talk about what we can do to manage that...
- What’s great about SDA is that you can get started today. @ C3K – Includes all models of C3650 & 3850 (copper) family, with C3K scale & features (UADP 1.0 or 1.1) @ C9K – Includes all models of C9300 & 9400 (copper) family, with C9K scale & features (UADP 2.0) @ C4K – Includes all models of C4500-E series chassis. C6500-E requires Sup8E or Sup9E uplinks for fabric encap (FGPA on Sup ONLY). Other cards (e.g. WS-X4700) can be used for non-fabric connections (outside). @ C6K – Includes C6880-X and all models of C6840-X-LE family. Includes all models of C6500-E series chassis. C6807-XL / 6500-E requires Sup2T or Sup6T, with C6800 10G or WS-X6900 cards for fabric encap (FGPA on PFC4/DFC4). Other cards (e.g. WS-X6700) can be used for non-fabric connections (outside). @ ASR1K – Only X or HX series. Includes 1001-X or 1002-X. Does not include other/older ASR1000 (non-X) series. @ ISR4K – Only 4400 series. Includes 4431 and 4451. Does not include other/older models of ISR (e.g. G2) series. NOTE: CSRv & ISRv (IOS CSR / ISR Virtual Machine) is also an option, but is not currently listed due to inherent underlay/reachability complexities (between network [RLOC] to remote CP node [e.g. via DC]) @ N7K – Includes all models of N7700 series chassis. Does not include N7000 series. N7700 requires Sup2E, with M3 cards for fabric encap (F3 SOC 2.0). Other cards (e.g. F3) can be used for non-fabric connections (outside).
- SLIDE 4: Catalyst 9000 While our intent driven IOS software can be deployed on existing equipment to transform deployed networks, we are also announcing a new lineup of our award willing Catalyst campus switches – the 9000 series. Built from the ground up for the world of cloud, IoT, Mobility and Advanced Persistent Threats these platforms are the most advanced enterprise switches in the world. ----------------------------------------------------------- Key innovations include: Programmable: High-performance, programmable ASICs. Cisco’s own ASIC for maximum performance and feature richness. It’s programmable to adapt to future innovations, a breakthrough in silicon technology. Integrated Security: Rapid threat detection with Encrypted Traffic Analytics. We’ll say more about this later – the ability for the network to find and block the most sophisticated cyber-attacks. IoT Ready: Instantly discover, onboard, and automatically segment IoT traffic. Built for IoT and the huge diversity of devices that will connect to enterprise networks. The ability to automatically configure the network for security – separating IoT devices from other traffic. Mobile Ready: Built-in wired and wireless controller. Cloud Ready: Secure Access to Cloud Apps 3rd Party App Hosting. These platforms are built for extensibility and open computing. They can host third party applications on a built in x86 compute complex. Allowing our customers to run their applications in containers or virtual machines. We can now extend the cloud all the way to the user. Design: With these platforms we’ve taken a user-centered design approach every step of the way – from the software design to the operations to even the hardware design. The physical chassis have been designed and engineered by the famous Italian design firm Pininfarina to make them easy to install and maintain
- http://wikicentral.cisco.com/display/PROJECT/Cetus+%28C6807-XL%29
- How should customers implement our vision for a more intuitive network….Its through a phased approach Infrastructure Readiness – To get to the network intuitive, you need to have the right infrastructure foundation in place – one that is flexbile, available, secure, and scalable. The Cisco infrastructure provides an open and programmable infrastructure which enables the powerful software-driven value around security, automation, and analytics. Secure Foundation - The enterprise has become a loosely coupled collection of networks and clouds, the business actors have changing roles. This is why the cloud-agile network we envision needs to rely on a flexible, powerful policy model, and pervasively deliver security everywhere to support a network as a sensor/enforcer. Policy Based Automation – the concept of a digital business wouldn’t even exist without the universal connectivity we have so successfully delivered on. Our networks are the engines that connect digital business to their customers, and we are looking to automate everywhere we can with our APIC EM controller strategy to simplify and speed up IT. With automation business intent can be translated into network configurations immediately, dynamically. Network services like IWAN can more efficiently use bandwidth or EasyQoS can dynamically update the network for application prioritization. Analytics for Assurance - With DNA Center, Automation, and Analytics and Assurance, only Cisco combines analytics and network automation into a single, closed loop network management solution to power the self-driving network. Actionable insights from DNA Analytics and Assurance are driven by 30years of Cisco domain expertise. This foundation delivers the a more intuitive network, a network that is constantly learning, adapting and protecting. The NETWORK. INTUITIVE.