[Cisco Connect 2018 - Vietnam] Lam doan software-defined access-a transformational approach to network design and provisioning

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco Software Defined Access (SDA)
Transformational Approach to Network Design & Provisioning
Doan Nguyen Lam
Cisco Solution Engineer, Cisco Systems

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
What is Network about?
Today...In the past...
Voice
Video
Data
Mobility
Security
Cloud
IOT
Source: google.de images
Source: google.de images
What really matters !!!

CISCO CONNECT 2018 . IT’S ALL YOU
The Challenge.
“I want to design and deploy a network.”
Platform choices
Best practices
Manageable
Design options
On time
Future ready
Within budget

Typical Traditional Campus
Data
Centre
WAN/BRANCH
Access
Points
Core
Switches
Aggregation
Switches
Access
Switches
WLC
ETHERCHANNEL
HSRP SPANNING TREECLI
L2/L3
AVC
VLANS
ACL
802.1x
FNF
Very powerful and feature
rich but:
- Complex to operate
- Difficult to scale
- Difficult to secure
- Inflexible and closed
architecture
- And you manage it all
with CLI…
Internet

How we build Traditional Network
Box by Box
Manual | Error Prone
ip domain-name cisco.local
no ip http server
ip http secure-server
ip ssh version 2
ip scp server enable
line vty 0 15
transport input ssh
transport preferred none
Manually
Repetitive Steps
CLI
Skill | Time | Effort

Key Challenges for Traditional Networks
Difficult to Segment
Ever increasing number of
users and endpoint types
Ever increasing number of
VLANs and IP Subnets
Complex to Manage
Multiple steps,
user credentials, complex
interactions
Multiple touch-points
Slower Issue Resolution
Separate user policies for
wired and wireless networks
Unable to find users
when troubleshooting
Traditional Networks Cannot Keep Up!

Cisco’s Intent-based Networking
Intent Context
Security
Learning
Network Infrastructure
DNA Center
AnalyticsPolicy Automation
Switching Routers Wireless
Powered by Intent.
Informed by Context.
The Network. Intuitive.
7

Intent-based Networking Model – Industry Approach
Activation
Physical and Virtual Infrastructure
Translation
Assurance
Orchestrate policies
& configure systems
Capture business intent,
translate to policies, and
check integrity Continuous verification,
insights & visibility, and
corrective actions
Cisco DNA
Intent-based Networking
Industry Initiative
8

Automated
Network Fabric
Single Fabric for Wired & Wireless
with Workflow-based Automation
Insights
& Telemetry
Analytics and insights into
user and application behavior
Identity-based
Policy & Segmentation
Decoupled security policy definition
from VLAN and IP Address
Software-Defined Access
Networking at the speed of Software!
DNA Center
AnalyticsPolicy Automation
IoT Network Employee Network
SDA-Extension User Mobility
Policy stays with user

What is SD-Access?
Campus Fabric + DNA Center (Automation & Assurance)
APIC-EM
1.X
Campus
Fabric
ISE PI
Automation
Policy Assurance
DNA Center
B
C
B
 Campus Fabric
An Overlay network is a logical
topology used to virtually connect
devices
Separated management systems
 SD-Access
GUI approach provides
automation & assurance of all
Fabric configuration,
management and group-based
policy
DNA Center integrates multiple
systems, to orchestrate your
LAN, Wireless LAN and WAN
access

Software-Defined Access
AssuranceAutomation Policy
Routers Switches Wireless AP WLC
DNA Center
DESIGN PROVISION POLICY ASSURANCE
DNA Center:
Simple Workflows
Solution Components

You Need a Network that Drives your Digital Business
With SDA Cisco Rewriting the Networking
Playbook
Hardware Centric Software Driven
Manual (eg CLI) Automated
Silo’ed Security Integrated Security
Network Monitoring Analytics and Insights
Historicaly Digital-Ready Network

SDA Network Design & Build Work Flow
Assure
Assure
Design
Network Hierarchy
Network Settings
Image Management
Network Profiles
Policy
Virtual Networks
Access Control
Application Priority

SDA Network Design & Build Work Flow
Assure
Provision Assure
Provision
Device Onboarding
Host Onboarding
Device Inventory
Fabric Administration
Assurance
Network Health Score
Client 360
Device 360
Application 360

Syslog
Server
SDA Design in DNA Center – Global Setup
AAA
Server
Site1
North
America
South
America
Site2
Africa
EMEAR
AAA
Server
DNS
Server
Syslog
Server
DHCP
Server
• Ability to Define
Global Settings
once and
replicate to all
sites/devices
• Automated
Provisioning

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
L2 Switch
L3 Switch
Trunks
Trunk
BYOD Employee Contractor
One SSID
Production
Servers
AAA
DHCP
AD
WLAN
Developer
Servers
LAN Core
Multiple Steps and
Touch Points
1. Define Groups in AD
2. Define Policies
 VLAN/subnet based
3. Implement VLANs/Subnets
 Create VLANs
 Define DHCP scope
 Create subnets and L3 interfaces
 Routing for new subnets
 Map SSID to Interface/VLAN
4. Implement Policy
 Define ACLs
 Apply ACLs
5. Many different User Interfaces
AAA WLC Devices CLI
….
What if You Need to Add Another Group & Policy?
Network Segmentation Policy Rollout Today

How SDA Simplifies Network Segmentation
Access Layer
Enterprise
Backbone
Voice
VLAN
Voice
Data
VLAN
Employee
Aggregation Layer
Supplier
Guest
VLAN
BYOD
BYOD
VLAN
Non-Compliant
Quarantine
VLAN
VLAN
Address
DHCP Scope
Redundancy
Routing
Static ACL
VACL
Security Policy based on Topology
High cost and complex maintenance
Voice
VLAN
Voice
Data
VLAN
Employee Supplier BYODNon-Compliant
Use existing topology and automate
security policy to reduce OpEx
ISE
No VLAN Change
No Topology Change
Central Policy Provisioning
Micro/Macro Segmentation
Employee Tag
Supplier Tag
Non-Compliant Tag
Access Layer
Enterprise
Backbone
DC Firewall / Switch
DC Servers
Policy
TrustSecTraditional Segmentation

Employees Contractors Production Development
Source Destination
FABRIC NODES
Contract
CISCO
DNA CENTER
CISCO ISE
FABRIC POLICIES
PERMIT
Employees Production
Employees Production
API
POLICY DOWNLOAD
SDA Segmentation Policy Automation

Network quality is a complex, end-to-end problem
* Both = Join/roam and quality/throughput
APs
Local WLCs
Network services DCOffice site
ISE
DHCP
Mobile clients
CUCM
Client firmware
AP coverage
WAN Uplink usage
WAN QoS, Routing, ...
End-User services
RF Noise/Interf.
Client density
...
Cisco Prime™
Configuration
Addressing
Authentication
Affects Join/Roam
Affects Quality/Throughput
WLC Capacity
Affects Both*
Affects Both*Affects Both*
Affects Both*
Affects Both*
Affects Quality/Throughput
Affects Quality/Throughput Affects Join/Roam
Affects Join/Roam
WAN

When users complain about Application Problem
Wireless Network Issue
Increased Latency
WAN Network Issue
Application Problem
Server Problem
User Problem
Network is so
slow I cannot get
any work done
today
I do not see
anything
wrong
End Users
Network
Admin
What the users see What network admins see What can happen
ping – OK
show ip route - OK
traceroute - OK
show interface - OK

Reverse Path
Lookup
SDA Assurance Path Visualization
Enhanced App Flow Visibility

SDA Real-time dashboard & analytics
Global health - Network and clients
Application and compliance health require DNA advantage.

Global health : Floor-level health score

Client/Sensor/Device health
360 view
offers
complete
troubleshooti
ng info on a
per client
basis.

SDA Application performance troubleshooting
Application Health shows you top apps
with performance issues.
From landing, drill down App Health to see which
applications have issues
1 2

SDA Ready Platforms
ASR-1000-X
ASR-1000-HX
ISR 4430
ISR 4450
WIRELESSROUTINGSWITCHING
AIR-CT5520
AIR-CT8540
Wave 2 APs (1800, 2800,3800)
Wave 1 APs* (1700, 2700,3700)
Catalyst 9400
Catalyst 9300
Catalyst 9500
Catalyst 4500E Catalyst 6K Nexus 7700
Catalyst 3850 and 3650
AIR-CT3504
CSR 1000V
*with Caveats

Catalyst 9000 Platform
World’s Most Advanced Enterprise Switches
Catalyst 9300
Fixed Access
Catalyst 9400
Modular Access
Catalyst 9500
Fixed Core
Programmable Mobile Ready
Cloud Ready
Design
Integrated Security
IoT Ready

The Catalyst 9K Family
Catalyst 9300
Catalyst 9400
Catalyst 9500
Stackable Access Modular Access Fixed Aggregation
Built on Cisco’s Innovative UADP ASIC & Open IOS-XE

4000+
Customers
Wins
Gaining Momentum with the Catalyst 9000!

Some Early Recognitions…

Catalyst 9300
1G Data
mGig UPOE
1G UPOE/POE+
2.5G at the
Price of 1G
40G at the
Price of 10G
New Generation of Fixed Access
24 Ports
Modular Power SuppliesModular UplinksModular Fans
UADP 2.0
Open IOS-XE
SD-Access
X86 CPU & Containers
Encrypted Traffic
Analytics (ETA)*
256 bit MACSEC*
Trustworthy Systems
StackWise Virtual*
IEEE1588 & AVB*
NBAR2
Perpetual/Fast PoE
Model Driven
Programmability
Patching/GIR
Catalyst 9K Leadership
Streaming Telemetry
48 Ports
8x10G 2x40G 4x mGig 4x1G 350W 715W 1100W
Only
Stackable
Switch with 8X
10G Uplinks
Highest
2.5G/mGig
Density in the
Industry

Catalyst 9400
New Generation of Modular Access
4-Slot* 7-Slot 10-Slot
Power Supply
3200W AC
3200W DC*
2400W AC*
Core Linecards
24x 10G SFP+*
48x1G SFP*
24x1G SFP*
Access Linecards
24xmGig + 24xUPOE*
48xUPoE
48xPoE+*
48xData
Supervisor
Sup-1: 80G/Slot Access Optimized
Sup-1XL*: 120G/Slot Core
Optimized
Redundancy
is now
Table-stake
Industry’s
Highest PoE
Scale
9Tbps
System
b/w
UADP 2.0
Open IOS-XE
SD-Access
Encrypted Traffic
Analytics*
256 bit MACSEC*
Trustworthy
Systems
StackWise Virtual*
IEEE1588 & AVB*
NBAR2
Perpetual PoE*
Model Driven
Programmability
Patching/GIR
Streaming Telemetry*
*not available at FCS

Catalyst 9500
Catalyst 9500-40X
Catalyst 9500-24Q
Catalyst 9500-12Q
New Generation of Purpose Built Fixed Core/Aggregation UADP 2.0
Open IOS-XE
SD-Access
Encrypted Traffic
Analytics*
256 bit MACSEC*
Trustworthy
Systems
StackWise Virtual
IEEE1588 & AVB*
NBAR2
Model Driven
Programmability
Patching/GIR
Streaming Telemetry*
40G at the
Price of 10G
8X Buffering
vs.
Competition
Industry’s
First 40G
Enterprise
Switch

Current three-tier packaging
IP Services
Full Layer 3 and Advanced Networking
IP Base
Traditional Access and Basic Layer 3 features
LAN Base
L2 Features
Simplified two-tier packaging
DNA Essentials
Simplified Network Operations Solution Package
DNA Advantage
Software Defined Access, Assurance and ETA
Solution Package
Network Advantage
Full L3 with flexible Segmentation and Network
Resiliency
Network Essentials
Competitive Parity with Full L2 and Routed Access
Catalyst 9K: Simplified packaging

Single
SKU
Prime
DNA Advantage
(Includes DNA Essentials)
DNA EssentialsDNA Essentials
Single
SKU
DNA Essentials
Cat 9K w/ Network Advantage
(Full Layer 3 Routing)
Cat 9K w/ Network Essentials
(Layer 2 & Routed Access)
Base Automation & Monitoring SDA & Assurance Capable
Stealthwatch
Single
SKU
ISE Base + ISE Plus
DNA Advantage
(Includes DNA Essentials)
SDA & Assurance Ready
DNA Advantage
Cisco ONE Advantage
Catalyst 9K Switching Software
Must Attach Cisco ONE Advantage or DNA Advantage or DNA Essentials as Subscription with 9K
• Available in 3/5/7 year subscriptions

[Cisco Connect 2018 - Vietnam] Lam doan software-defined access-a transformational approach to network design and provisioning

More Related Content

What's hot (20)

Similar to [Cisco Connect 2018 - Vietnam] Lam doan software-defined access-a transformational approach to network design and provisioning (20)

More from Nur Shiqim Chok (20)

Recently uploaded (20)

[Cisco Connect 2018 - Vietnam] Lam doan software-defined access-a transformational approach to network design and provisioning