Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns

Cisco Connect Montréal
2018
Vision mondiale.
Analyse locale.

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Infrastructures Réseaux -
Dites adieu aux VLANs :
Retirer la complexité de vos réseaux avec
Cisco SD-Access

Cisco Connect Montreal
2018
Global vision.
Local knowledge.

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Enterprise Networks –
Say goodbye to VLANs:
Removing the complexity of your networks
with Cisco SD-Access

© 2018 Cisco and/or its affiliates. All rights reserved.
Agenda
Key Benefits
Why do I care?
Key Concepts
What is SD Access?
What’s new?
SDA Roadmap
Demonstration
Time for some action!
Take-away
Things to Remember
1
2
3
4
5
5

Key Benefits
Why do I care?
6

Powered by intent,
informed by context.
THE NETWORK.
INTUITIVE.
I N T E N T CONTEXT
S E C U R I T Y
L E A R N I N G

Tell your network
What you Want
and let it figure out
How to do That

Correlate Information from Multiple Sensors
to provide Deeper Insights and Suggest Actions
Context

C
B B
Cisco DNA & SD-Access
Networking at the Speed of Software!
Automated
Network Fabric
Single Fabric for Wired & Wireless
with simple Automation
Insights &
Telemetry
Analytics and Insights into
User and Application behavior
Identity-Based
Policy & Segmentation
Decouples Security & QoS
from VLAN and IP Address
IoT Network Employee Network
User Mobility
Policy stays with User
Outside
DNA Center
AnalyticsAutomationPolicy
10
SDA
Extension

Key Concepts
What is SD-Access?
1. High-Level View
2. Roles & Platforms
3. Fabric Constructs
11

What is SD-Access?
Campus Fabric + DNA Center (Automation & Assurance)
13
§ Campus Fabric
CLI or API approach to build a LISP +
VXLAN + CTS Fabric overlay for your
enterprise Campus networks
CLI provides backwards compatibility
but management is box-by-box.
API provides device automation via
NETCONF/YANG
Separated management systems
APIC-EM
1.X
§ SD-Access
GUI approach provides automation &
assurance of all Fabric configuration,
management and group-based policy
DNA Center integrates multiple
systems, to orchestrate your LAN,
Wireless LAN and WAN access
Campus
Fabric
ISE PI
NCP
ISE NDP
DNA Center
B
C
B

Assure
15

Assure
17

A Fabric is an Overlay
An Overlay network is a logical topology used to virtually connect devices,
built on top of a simple physical Underlay network.
An Overlay network often uses alternate forwarding attributes to provide
additional services, not provided by the Underlay.
• GRE / mGRE
• MPLS / VPLS
• IPSec / DMVPN
• CAPWAP
• LISP
• OTV
• DFA
• ACI
Examples of Network Overlays
SD-Access
What exactly is a Fabric?
19

SD-Access
Fabric Terminology
Overlay Control Plane
Underlay Control PlaneUnderlay Network
Hosts
(End-Points)
Edge DeviceEdge Device
Overlay Network
Encapsulation
20

You can reuse your existing IP network
as the Fabric Underlay!
• Key Requirements
• IP reach from Edge to Edge/Border/CP
• Can be L2 or L3 – We recommend L3
• Can be any IGP – We recommend ISIS
• Key Considerations
• MTU (Fabric Header adds 50B)
• Latency (max RTT =/< 100ms)
Manual Underlay
Prescriptive fully automated Global
and IP Underlay Provisioning!
• Key Requirements
• Leverages standard PNP for Bootstrap
• Assumes New / Erased Configuration
• Uses a Global “Underlay” Address Pool
• Key Considerations
• PNP pre-setup is required
• 100% Prescriptive (No Custom)
Automated Underlay
Underlay Network
SD-Access
Manual vs. Automated Underlay
21

SD-Access
Campus Fabric - Key Components
1. Control-Plane based on LISP
2. Data-Plane based on VXLAN
3. Policy-Plane based on CTS
Key Differences
• L2 + L3 Overlay -vs- L2 or L3 Only
• Host Mobility with Anycast Gateway
• Adds VRF + SGT into Data-Plane
• Virtual Tunnel Endpoints (Automatic)
• NO Topology Limitations (Basic IP)
22
C
B B

SD-Access Fabric
Campus Fabric - Key Components - LISP
Endpoint
Routes are
Consolidated
to LISP DB
Topology + Endpoint Routes
BEFORE
IP Address = Location + Identity
Prefix Next-hop
189.16.17.89 …......171.68.226.120
22.78.190.64 ….....171.68.226.121
172.16.19.90 ….....171.68.226.120
192.58.28.128 …....171.68.228.121
189.16.17.89 …....171.68.226.120
22.78.190.64 ….....171.68.226.121
172.16.19.90 …......171.68.226.120
192.58.28.128 ….....171.68.228.121
189.16.17.89 …....171.68.226.120
22.78.190.64 ….....171.68.226.121
172.16.19.90 …......171.68.226.120
192.58.28.128 ….....171.68.228.121
189.16.17.89 ….....171.68.226.120
22.78.190.64 …......171.68.226.121
172.16.19.90 ….....171.68.226.120
192.58.28.128 ….....171.68.228.121
Prefix Next-hop
189.16.17.89 ….....171.68.226.120
22.78.190.64 ….....171.68.226.121
172.16.19.90 ….....171.68.226.120
192.58.28.128 …....171.68.228.121
189.16.17.89 …....171.68.226.120
22.78.190.64 ….....171.68.226.121
172.16.19.90 …......171.68.226.120
192.58.28.128 ….....171.68.228.121
189.16.17.89 …....171.68.226.120
22.78.190.64 ….....171.68.226.121
172.16.19.90 …......171.68.226.120
192.58.28.128 ….....171.68.228.121
189.16.17.89 ….....171.68.226.120
22.78.190.64 …......171.68.226.121
172.16.19.90 ….....171.68.226.120
192.58.28.128 ….....171.68.228.121
Prefix Next-hop
189.16.17.89 ….....171.68.226.120
22.78.190.64 ….....171.68.226.121
172.16.19.90 ….....171.68.226.120
192.58.28.128 …....171.68.228.121
189.16.17.89 …....171.68.226.120
22.78.190.64 ….....171.68.226.121
172.16.19.90 …......171.68.226.120
192.58.28.128 ….....171.68.228.121
189.16.17.89 …....171.68.226.120
22.78.190.64 ….....171.68.226.121
172.16.19.90 …......171.68.226.120
192.58.28.128 …......171.68.228.121
189.16.17.89 ….....171.68.226.120
22.78.190.64 …......171.68.226.121
172.16.19.90 ….....171.68.226.120
192.58.28.128 ….....171.68.228.121
Routing Protocols = Big Tables & More CPU
with Local L3 Gateway
Host
Mobility
Mapping
Database
Only Local Routes
Prefix RLOC
192.58.28.128 ….....171.68.228.121
189.16.17.89 ….....171.68.226.120
22.78.190.64 ….....171.68.226.121
172.16.19.90 ….....171.68.226.120
192.58.28.128 ….....171.68.228.121
192.58.28.128 ….....171.68.228.121
189.16.17.89 ….....171.68.226.120
22.78.190.64 ….....171.68.226.121
172.16.19.90 ….....171.68.226.120
192.58.28.128 ….....171.68.228.121
Prefix Next-hop
189.16.17.89 ….....171.68.226.120
22.78.190.64 ….....171.68.226.121
172.16.19.90 ….....171.68.226.120
192.58.28.128 …....171.68.228.121
Prefix Next-hop
189.16.17.89 ….....171.68.226.120
22.78.190.64 ….....171.68.226.121
172.16.19.90 ….....171.68.226.120
192.58.28.128 …....171.68.228.121
Prefix Next-hop
189.16.17.89 ….....171.68.226.120
22.78.190.64 ….....171.68.226.121
172.16.19.90 ….....171.68.226.120
192.58.28.128 …....171.68.228.121
AFTER
Separate Identity from Location
Topology Routes
Endpoint Routes
LISP DB + Cache = Small Tables & Less CPU
with Anycast L3 Gateway
23

SD-Access Fabric
Key Components – VXLAN
ORIGINAL
PACKET
PAYLOADETHERNET IP
PACKET IN
LISP
PAYLOADIPLISPUDPIPETHERNET
PAYLOADETHERNET IPVXLANUDPIPETHERNET
PACKET IN
VXLAN
Supports L2
& L3 Overlay
Supports L3
Overlay Only
24

PAYLOADETHERNET IPVXLANUDPIPETHERNET
SD-Access Fabric
Key Components – CTS
VRF + SGT
25
Virtual Routing & Forwarding
Scalable Group Tagging

Key Concepts
What is SD-Access?
1. High-Level View
2. Roles & Platforms
3. Fabric Constructs

SD-Access
Fabric Roles & Terminology
27
NCP
ISE NDP
§ Control-Plane Nodes – Map System that
manages Endpoint to Device relationships
§ Fabric Edge Nodes – A Fabric device
(e.g. Access or Distribution) that connects
Wired Endpoints to the SDA Fabric
§ Identity Services – NAC & ID Systems
(e.g. ISE) for dynamic Endpoint to Group
mapping and Policy definition
§ Fabric Border Nodes – A Fabric device
(e.g. Core) that connects External L3
network(s) to the SDA Fabric
Identity
Services
Intermediate
Nodes (Underlay)
Fabric Border
Nodes
Fabric Edge
Nodes
§ DNA Center – provides simple GUI
management and intent based automation
(e.g. NCP) and context sharing
DNA
Center
§ Analytics Engine – Data Collectors
(e.g. NDP) analyze Endpoint to App flows
and monitor fabric status
Analytics
Engine
Control-Plane
Nodes
§ Fabric Wireless Controller – A Fabric device
(WLC) that connects APs and Wireless
Endpoints to the SDA Fabric
Fabric Wireless
Controller
Campus
Fabric
B
C
B

Control-Plane Node runs a Host Tracking Database to map location information
SD-Access Fabric
Control-Plane Nodes – A Closer Look
Unknown
Networks
Known
Networks
• A simple Host Database that maps Endpoint IDs to
a current Location, along with other attributes
• Host Database supports multiple types of Endpoint
ID lookup types (IPv4, IPv6 or MAC)
• Receives Endpoint ID map registrations from Edge
and/or Border Nodes for “known” IP prefixes
• Resolves lookup requests from Edge and/or Border
Nodes, to locate destination Endpoint IDs
28
B
C
B

Edge Node provides first-hop services for Users / Devices connected to a Fabric
SD-Access Fabric
Edge Nodes – A Closer Look
Unknown
Networks
Known
Networks
• Responsible for Identifying and Authenticating
Endpoints (e.g. Static, 802.1X, Active Directory)
• Register specific Endpoint ID info (e.g. /32 or /128)
with the Control-Plane Node(s)
• Provide an Anycast L3 Gateway for the connected
Endpoints (same IP address on all Edge nodes)
• Performs encapsulation / de-encapsulation of data
traffic to and from all connected Endpoints
30
B
C
B

SD-Access Fabric
Border Nodes – A Closer Look
Unknown
Networks
Known
Networks
32
B
C
B
Border Node is an Entry & Exit point for data traffic going Into & Out of a Fabric
There are 2 Types of Border Node!
• Internal Border
• Used for “Known” Routes inside your company
• External Border (or Default)
• Used for “Unknown” Routes outside your company

Fabric Enabled WLC is integrated into Fabric for SDA Wireless clients
SD-Access Fabric
Fabric Enabled Wireless – A Closer Look
Unknown
Networks
Known
Networks
• Connects to Fabric via Border (Underlay)
• Fabric Enabled APs connect to the WLC (CAPWAP)
using a dedicated Host Pool (Overlay)
• Fabric Enabled APs connect to the Edge via VXLAN
• Wireless Clients (SSIDs) use regular Host Pools for
data traffic and policy (same as Wired)
• Fabric Enabled WLC registers Clients with the
Control-Plane (as located on local Edge + AP)
Data: VXLAN
Ctrl: CAPWAP
36
B
C
B

SD-Access Fabric
Virtual Network– A Closer Look
Virtual Network maintains a separate Routing & Switching table for each instance
• Control-Plane uses Instance ID to maintain separate
VRF topologies (“Default” VRF is Instance ID “4098”)
• Nodes add a VNID to the Fabric encapsulation
• Endpoint ID prefixes (Host Pools) are routed and
advertised within a Virtual Network
• Uses standard “vrf definition” configuration, along
with RD & RT for remote advertisement (Border Node)
VN
Campus
VN
IOT
VN
Guest
39
Unknown
Networks
Known
Networks
B
C
B

SD-Access Fabric
Scalable Groups – A Closer Look
Scalable Group is a logical policy object to “group” Users and/or Devices
• Nodes use “Scalable Groups” to ID and assign a
unique Scalable Group Tag (SGT) to Endpoints
• Nodes add a SGT to the Fabric encapsulation
• SGTs are used to manage address-independent
“Group-Based Policies”
• Edge or Border Nodes use SGT to enforce local
Scalable Group ACLs (SGACLs)
40
Unknown
Networks
Known
Networks
B
C
B
SGT
17
SGT
3
SGT
23
SGT
4 SGT
8
SGT
12
SGT
11
SGT
19
SGT
25

SD-Access Fabric
Host Pools – A Closer Look
Host Pool provides basic IP functions necessary for attached Endpoints
• Edge Nodes use a Switch Virtual Interface (SVI),
with IP Address /Mask, etc. per Host Pool
• Fabric uses Dynamic EID mapping to advertise each
Host Pool (per Instance ID)
• Fabric Dynamic EID allows Host-specific (/32, /128
or MAC) advertisement and mobility
• Host Pools can be assigned Dynamically (via Host
Authentication) and/or Statically (per port)
41
Unknown
Networks
Known
Networks
B
C
B
Pool
.17
Pool
.13
Pool
.23
Pool
.4 Pool
.8
Pool
.12
Pool
.11
Pool
.19
Pool
.25

Anycast GW provides a single L3 Default Gateway for IP capable endpoints
SD-Access Fabric
Anycast Gateway– A Closer Look
• Similar principle and behavior as HSRP / VRRP with
a shared “Virtual” IP and MAC address
• The same Switch Virtual Interface (SVI) is present
on EVERY Edge, with the same Virtual IP and MAC
• Control-Plane with Fabric Dynamic EID mapping
maintains the Host to Edge relationship
• When a Host moves from Edge 1 to Edge 2, it does
not need to change it’s Default Gateway J
GW GW GW
42
Unknown
Networks
Known
Networks
B
C
B
GW GW

Stretched Subnets allow an IP subnet to be “stretched” via the Overlay
SD-Access Fabric
Layer 3 Overlay – A Closer Look
• Host IP based traffic arrives on the local Fabric Edge
SVI, and is then transferred by Fabric
• Fabric Dynamic EID mapping allows Host-specific
(/32, /128, MAC) advertisement and mobility
• Host 1 connected to Edge A can now use the same
IP subnet to communicate with Host 2 on Edge B
• No longer need a VLAN to connect Host 1 and 2 J
Dynamic
EID
43
Unknown
Networks
Known
Networks
B
C
B
GW GW GWGW GW

Layer 2 Overlay allows Non-IP endpoints to use Broadcast & L2 Multicast
SD-Access Fabric
Layer 2 Overlay – A Closer Look
• Similar principle and behavior as Virtual Private LAN
Services (VPLS) P2MP Overlay
• Uses a pre-built Multicast Underlay to setup a P2MP
tunnel between all Fabric Nodes.
• L2 Broadcast and Multicast traffic will be distributed
to all connected Fabric Nodes.
• Can be enabled for specific Host Pools that require
L2 services (use Stretched Subnets for L3)
VLAN VLANVLAN
L2
Overlay
44
Unknown
Networks
Known
Networks
B
C
B
NOTE: L3 Integrated Routing and Bridging (IRB) is not support at this time.

What’s new?
SDA Roadmap
45

SD-Access Roadmap
SDA 1.1
December’17
SDA 1.2
May’18
• Identity-based
Policy & Segmentation
• Automated Network Fabric
• Fabric-Enabled Wireless
DNA Center 1.1/1.1.1, ISE 2.3,
IOS-XE 16.6, AireOS 8.5
DNA Center 1.2, ISE 2.4,
IOS-XE 16.8. AireOS 8.7
• Wireless Assurance (DNAC 1.1.1)
• Network Health Monitoring
• SD-Access for Distributed Campus
(Beta)
• SD-Access Extension for IoT (Beta)
• IBNS 2.0
• Usability Enhancements
• Fabric Enabled Wireless
Enhancements
SDA 1.2.5/6
October’18
DNA Center 1.2, ISE 2.4,
IOS-XE 16.9. AireOS 8.8
• SD-Access for Distributed Campus
(FCS)
• Layer 2 Flooding
• Layer 2 Hand off for Migration
purposes
• Native Multicast
• Fabric in a Box
• LAN Automation & Host On-
boarding Enhancements
• Fabric Control Plane Resiliency (six
control plane nodes)
• DNAC CLI Templates

SD-Access for Distributed Campus
Connecting Multiple Fabric Sites
47

Fabric Sites & Domains
Connecting Multiple Fabrics
?VRF-LITE
MPLS
Fabric
Site 2
B
C
B
*New in SDA 1.2
Fabric
Site 1
B
C
B
SD-Access*
First, you build a
single Fabric Site
Later, you build
another Fabric Site
How do you connect them together?
Metro Area
48

Inter-Connecting Fabric Sites
Multiple Fabric Domains with VRF-LITE Transit
Fabric
Site 2
B
C
B
Fabric
Site 1
B
C
B
VRF-LITE
SXP + ISESGT SGT
1
POLICY-PLANE
MP-BGPLISP LISP
1 CONTROL-PLANE
VRF-LITEVXLAN VXLAN
1 DATA-PLANE
SXP
SDA 1.0 - 1.1
49

ü Automated Inter-Site Connectivity
ü Consistent Enterprise-Wide Policy
ü Enhanced Resiliency & Local Isolation
ü Direct Internet Access per Site
§ Individual Fabric Sites contain local Border
and Control Planes nodes
§ Local Border nodes can hand-off to an
IP-based WAN or an SD-Access Transit
§ Transit has a unique Control Plane node,
to connect local and remote Sites
§ Transit does not have Fabric Edge nodes
Fabric Site 1
Fabric Site 2
Fabric Site 3
Transit
B
C
B
C
B B
C
C
B B
Introducing Distributed Campus
Enhanced Resiliency and Scale for Large Deployments
50

SDA
Inter-Connecting Fabric Sites
Multiple Fabric Domains with Native SDA Transit
Fabric
Site 2
B
C
B
Fabric
Site 1
B
C
B
LISPLISP LISP
1 CONTROL PLANE
VXLAN-GPOVXLAN-GPO VXLAN-GPO
1 DATA + POLICY PLANE
New in SDA 1.2
DNA Center
51
C

C
DNA Center
Surveillance Camera
Virtual Network
Outdoor Wireless
Virtual Network
Fabric Extended
Nodes
DUAL
MEDIA
CONSOLE
COM
IN2
REF
IN1
EXPRESS
SETUP
-
DC-A
+
!
+ 12-54V
3.4-3.0A
-
DC-B
+
OUT
IN2
IN1
SYS
EXP
USB
ALARM
SDCARD
SPEED
DUPLEX
PoE
SYNCE
HSR/PRP
DISPLAY
MODE
1
2
3
4
2
3
1
4
13
14
15
16
17
18
19
20
X
5
6
7
8
9
10
11
12
X
SD-Access Capabilities
• Easy automated Device install and setup
• Stretched subnets for ease of endpoint connections
• Workflow based policy automation
• Segment Applications with separate Virtual Networks
DNA Center Solution Benefits
• Single pane of glass for management
• Inventory, Topology, Image management
• Automate Day 1 Installation
• Network Assurance – Device 360
SD-Access Extension
Key Benefits for IoT and Business
BB
56
New in SDA 1.2

• Extended node connects to a single Edge node
using an 802.1Q Trunk port (single or multiple
VLANs) using static assignment
• Switchports on the Extended node can then be
statically assigned to an appropriate IP Pool
(in DNA Center)
• SGT tagging (or mapping) is accomplished by
Pool to Group mapping (in DNA Center) on the
connected Edge node
• Traffic policy enforcement based on SGTs
(SGACLs) is performed at the Edge node
Fabric
Site
B
C
B
Fabric Edge *
AP
VXLAN
Extended
Node
SD-Access Extended Node
Point-to-Point Connections
57
New in SDA 1.2
* C9K Edge Only

Layer 2 Flooding in SD-Access
Edge
Node 1
Edge
Node 3
Broadcast
or Link-
Local
Multicast
traffic
Broadcast or
Link-Local
Multicast
traffic
Edge
Node 2
BB
Allows Layer 2 flooding within an
IP Subnet/vlan
Silent Host Support
Broadcast , Link Local Multicast and
ARP flooding support
Layer 2
Border
Layer 2
Border

SDA Fabric
B
B
Host 1
IP: 10.1.1.0/24
Host 2
IP: 10.1.1.0/24
Hosts attached to SDA Fabric
Edge nodes in Address Pool (1024)
Host 3
IP: 10.1.1.0/24
Hosts attached to traditional
Access switches in VLAN (10)
Single or
port-channel*
Trunk Port
* Dual-Homing requires
L2 MEC to prevent L2 loops
DATA-PLANE
VLANVXLAN
Layer 2 Hand off for Migration in SD-Access
Layer 2
Border

Native Multicast in SD-Access
Significantly reduces replication
load at the Head-End
Significantly improves overall scale
and reduces latencyPIM-SSM
FB
Multicast Source
non
Fabric
Underlay Overlay
Fabric RP
B
Client 1Client 2
FE1FE2
* DNAC 1.2.6

Fabric in a Box in SD-Access
FE+FB+CP on C9K
Reduces the cost to deploy SDA
for “mini” sites
FABRIC IN A BOX
B C

Take Away
Things to Remember

Summary
Key Differences
• L2 + L3 Overlay -vs- L2 or L3 Only
• Host Mobility with Anycast Gateway
• Adds VRF + SGT into Data-Plane
• Virtual Tunnel Endpoints (Automatic)
• NO Topology Limitations (Basic IP)
64
C
B B

Summary
SD-Access = Campus Fabric + DNA Center
BB
Campus
Fabric
C
65
DESIGN PROVISION POLICY ASSURANCE
DNA Center
Simple Workflows

SD-Access Support
Fabric ready platforms for your digital ready network
ASR-1000-X
ASR-1000-HX
ISR 4430
ISR 4450
WirelessRoutingSwitching
AIR-CT5520
AIR-CT8540
Wave 2 APs (1800, 2800,3800)
Wave 1 APs* (1700, 2700,3700)
Catalyst 9400
Catalyst 9300
Catalyst 4500E Catalyst 6800 Nexus 7700
Catalyst 3650 and 3850
AIR-CT3504
ISRv/CSRv
* with Caveats
Extended
Cisco Digital Building
Catalyst 3560-CX
NEW
NEW
NEW
NEW
66
IE Series (4K/5K)
NEW
Catalyst 9500NEW

SD-Access Resources
Would you like to know more?
cisco.com/go/cvd
• SD-Access Design Guide - Dec 2017
• SD-Access Deploy Guide - Jan 2018
cisco.com/go/dnacenter
• DNA Center At-A-Glance
• DNA Center 'How To' Video Resources
• DNA Center Data Sheet
cisco.com/go/sdaccess
• SD-Access At-A-Glance
• SD-Access Design Guide
• SD-Access FAQs
• SD-Access Migration Guide
• SD-Access Solution Data Sheet
• SD-Access Solution White Paper
74

Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns

Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns

Ähnlich wie Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns (20)

Mehr von Cisco Canada

Mehr von Cisco Canada (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns