This is a typical campus network that many of our customers, and you, will be familiar with.
[Build slide up showing different layers, protocols, policy, management, controller etc…]
Whilst the network is critical for every business and offers powerful features, enterprise networks are complex, and we have tied policy to IP addresses. That is why you build VLANs per switch, map subnets to ACLs, implement Spanning Tree and then HSRP, VSS, and so on…
And there we see it. Very powerful and feature rich but:
Complex to operate
Difficult to scale
Difficult to secure
Inflexible and closed architecture
And you manage it all with CLI…
There are 2 main components of SD-Access: Campus Fabric + DNA Center.
Campus Fabric is all of the features and protocols (control plane, data plane, policy plane) used to operate the network infrastructure.
DNA Center provides all of the wired & wireless automation & assurance aspects, along with Cisco ISE for security aspects.
If you manage the solution via the CLI or API, it is considered Campus Fabric.
If you manage the Campus Fabric with DNA Center, it is SD-Access!
Traditional segmentation is based on topology: VLANs, subnets, VRFs and statically configured access control lists.
When you create a VLAN, you can certainly isolate endpoints, as long as you configure the VLANs so that they do not communicate. A VLAN is easy to set up in the lab. But in the real world, when you add a VLAN to implement a security policy, you are not adding just one VLAN. You need the same VLAN per floor, per building and per location, and each one means further adjustments to the topology. You have to make sure there is enough address space, change the DHCP pools (and possibly DNS), probably add the VLAN to the gateway redundancy (HSRP) and add the segment to routing. After all of that work, you still enforce traffic with a VACL or a static L3 IP ACL, and you have to make sure the box has enough TCAM for it. And you keep adding ACLs again, and again, and again…
We have seen customers trying to work out what the thousands of lines of ACLs on their routers actually do, because an IP address does not tell you what is behind it. Even when the servers or applications have been decommissioned, the ACL entries stay, because nobody knows exactly what security hole removing them would open.
With TrustSec, you can simply leverage your customer’s existing VLAN design.
We assign an SGT, or Security Group Tag, to endpoints (not just the source but the destination as well) and use that tag information to enforce traffic. Because the policy is expressed in terms of tags rather than addresses, it does not have to change when an endpoint moves to another VLAN or subnet. ISE automates the whole ACL provisioning process: when a device connects, the switch asks ISE what policy applies to this endpoint, and if a policy exists the switch receives it right away.
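To make the difference concrete, here is an added example (not Cisco's or ISE's code, and not part of the original deck) that models a static IP ACL beside an SGT policy matrix for the same flows. The addresses, tag values, IP-to-SGT binding table and matrix are constructed assumptions; on a real fabric edge the bindings come from ISE authorization results or SXP, and the SGACL matrix is downloaded from ISE.

```python
"""Added example (not Cisco's or ISE's code): a small model of the contrast the text
draws between a static IP ACL and TrustSec SGT-based enforcement.

Assumptions (all constructed for illustration): the addresses, the SGT numbers, the
IP-to-SGT binding table and the SGACL matrix. On a real fabric edge the bindings come
from ISE authorization results or SXP, and the matrix is downloaded from ISE.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int


# --- Traditional model: policy keyed on addresses ---------------------------
# Constructed ACL: hosts in the "employee" subnet may reach the HR server on 443.
# Everything else falls through to the implicit deny.
IP_ACL = [
    ("permit", ip_network("10.10.0.0/24"), ip_address("10.50.0.10"), 443),
]


def ip_acl_decision(flow: Flow) -> str:
    """First-match evaluation of a static L3/L4 ACL."""
    src, dst = ip_address(flow.src_ip), ip_address(flow.dst_ip)
    for action, src_net, dst_host, port in IP_ACL:
        if src in src_net and dst == dst_host and flow.dst_port == port:
            return action
    return "deny"


# --- TrustSec model: policy keyed on identity -------------------------------
# Constructed tag values. ISE assigns the tag at authentication time, not by subnet.
SGT = {"Unknown": 0, "Employee": 10, "Contractor": 20, "HR_Server": 30, "Printer": 40}

# IP-to-SGT bindings the switch currently holds (constructed).
INITIAL_BINDINGS = {
    "10.10.0.25": SGT["Employee"],
    "10.20.0.77": SGT["Contractor"],
    "10.50.0.10": SGT["HR_Server"],
}

# SGACL matrix: (source SGT, destination SGT) -> permitted destination ports.
# Cells that are absent, or empty, mean deny.
SGACL = {
    (SGT["Employee"], SGT["HR_Server"]): {443},
    (SGT["Contractor"], SGT["HR_Server"]): set(),
}


def sgt_decision(flow: Flow, bindings: dict) -> str:
    """Resolve both endpoints to tags, then look up the matrix cell."""
    src_sgt = bindings.get(flow.src_ip, SGT["Unknown"])
    dst_sgt = bindings.get(flow.dst_ip, SGT["Unknown"])
    allowed_ports = SGACL.get((src_sgt, dst_sgt), set())
    return "permit" if flow.dst_port in allowed_ports else "deny"


# --- Scenarios --------------------------------------------------------------
def scenario_home_subnet():
    """Employee on the subnet the ACL was written for: both models agree."""
    flow = Flow("10.10.0.25", "10.50.0.10", 443)
    return ip_acl_decision(flow), sgt_decision(flow, INITIAL_BINDINGS)


def scenario_roaming_employee():
    """Employee re-authenticates in another building and gets a new address.
    The IP ACL has no rule for the new subnet; the tag follows the user."""
    bindings = dict(INITIAL_BINDINGS)
    bindings["10.30.0.5"] = bindings.pop("10.10.0.25")
    flow = Flow("10.30.0.5", "10.50.0.10", 443)
    return ip_acl_decision(flow), sgt_decision(flow, bindings)


def scenario_contractor():
    """Contractor to HR server: denied under both models."""
    flow = Flow("10.20.0.77", "10.50.0.10", 443)
    return ip_acl_decision(flow), sgt_decision(flow, INITIAL_BINDINGS)


def scenario_stale_server_address():
    """HR server decommissioned and its address later handed to a printer.
    The stale ACL line still permits the flow; the SGT model has no
    (Employee, Printer) cell, so it denies."""
    bindings = dict(INITIAL_BINDINGS)
    bindings["10.50.0.10"] = SGT["Printer"]
    flow = Flow("10.10.0.25", "10.50.0.10", 443)
    return ip_acl_decision(flow), sgt_decision(flow, bindings)


if __name__ == "__main__":
    for name, fn in [("home subnet", scenario_home_subnet),
                     ("roaming employee", scenario_roaming_employee),
                     ("contractor", scenario_contractor),
                     ("stale server address", scenario_stale_server_address)]:
        acl, sgt = fn()
        print(f"{name:22s} IP ACL: {acl:6s} SGT policy: {sgt}")
```

Running it shows the two failure modes the previous paragraphs describe: the roaming employee is denied by the IP ACL until somebody edits it, and the stale permit for the decommissioned server's address keeps working for whatever device inherits that address, while the tag-based lookup denies both without any policy change.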
All of this change (mobile, VDI, cloud) is real and happening now. To reduce your costs, you need to look at your WAN bandwidth costs, because that is where the money is being spent. So let's talk about what we can do to manage that...
What’s great about SDA is that you can get started today.
@ C3K – Includes all models of C3650 & 3850 (copper) family, with C3K scale & features (UADP 1.0 or 1.1)
@ C9K – Includes all models of C9300 & 9400 (copper) family, with C9K scale & features (UADP 2.0)
@ C4K – Includes all models of C4500-E series chassis. C4500-E requires Sup8E or Sup9E, and fabric encapsulation is supported only on the supervisor uplinks (FPGA on the Sup only). Other cards (e.g. WS-X4700) can be used for non-fabric connections (outside).
@ C6K – Includes C6880-X, all models of the C6840-X-LE family, and all models of C6500-E series chassis. C6807-XL / 6500-E requires Sup2T or Sup6T, with C6800 10G or WS-X6900 cards for fabric encap (FPGA on PFC4/DFC4). Other cards (e.g. WS-X6700) can be used for non-fabric connections (outside).
@ ASR1K – Only X or HX series. Includes 1001-X and 1002-X. Does not include other/older ASR1000 (non-X) series.
@ ISR4K – Only 4400 series. Includes 4431 and 4451. Does not include other/older models of ISR (e.g. G2) series.
NOTE: CSRv & ISRv (IOS CSR / ISR virtual machines) are also an option, but are not currently listed due to inherent underlay/reachability complexities (between the network [RLOC] and a remote CP node [e.g. via the DC]).
@ N7K – Includes all models of N7700 series chassis. Does not include N7000 series. N7700 requires Sup2E, with M3 cards for fabric encap (F3 SOC 2.0). Other cards (e.g. F3) can be used for non-fabric connections (outside).
SLIDE 4: Catalyst 9000
While our intent-driven IOS software can be deployed on existing equipment to transform deployed networks, we are also announcing a new lineup of our award-winning Catalyst campus switches – the 9000 series.
Built from the ground up for the world of cloud, IoT, Mobility and Advanced Persistent Threats these platforms are the most advanced enterprise switches in the world.
-----------------------------------------------------------
Key innovations include:
Programmable: High-performance, programmable ASICs. Cisco’s own ASIC for maximum performance and feature richness. It’s programmable to adapt to future innovations, a breakthrough in silicon technology.
Integrated Security: Rapid threat detection with Encrypted Traffic Analytics. We’ll say more about this later – the ability for the network to find and block the most sophisticated cyber-attacks.
IoT Ready: Instantly discover, onboard, and automatically segment IoT traffic. Built for IoT and the huge diversity of devices that will connect to enterprise networks. The ability to automatically configure the network for security – separating IoT devices from other traffic.
Mobile Ready: Built-in wired and wireless controller.
Cloud Ready: Secure access to cloud apps; third-party app hosting. These platforms are built for extensibility and open computing. They can host third-party applications on a built-in x86 compute complex, allowing our customers to run their applications in containers or virtual machines. We can now extend the cloud all the way to the user.
Design: With these platforms we have taken a user-centered design approach every step of the way – from the software design to the operations to even the hardware design. The physical chassis have been designed and engineered by the famous Italian design firm Pininfarina to make them easy to install and maintain.
How should customers implement our vision for a more intuitive network? It's through a phased approach.
Infrastructure Readiness – To get to the network intuitive, you need to have the right infrastructure foundation in place – one that is flexible, available, secure, and scalable. The Cisco infrastructure provides an open and programmable foundation which enables the powerful software-driven value around security, automation, and analytics.
Secure Foundation – The enterprise has become a loosely coupled collection of networks and clouds, and the business actors have changing roles. This is why the cloud-agile network we envision needs to rely on a flexible, powerful policy model and pervasively deliver security everywhere, to support the network as a sensor and an enforcer.
Policy-Based Automation – The concept of a digital business would not even exist without the universal connectivity we have so successfully delivered. Our networks are the engines that connect digital businesses to their customers, and we are looking to automate everywhere we can with our APIC-EM controller strategy to simplify and speed up IT. With automation, business intent can be translated into network configurations immediately and dynamically. Network services like IWAN can use bandwidth more efficiently, or EasyQoS can dynamically update the network for application prioritization.
Analytics for Assurance – With DNA Center bringing together automation, analytics and assurance, only Cisco combines analytics and network automation into a single, closed-loop network management solution to power the self-driving network. Actionable insights from DNA Analytics and Assurance are driven by 30 years of Cisco domain expertise.
This foundation delivers a more intuitive network, a network that is constantly learning, adapting and protecting. The NETWORK. INTUITIVE.