BRKARC-2009 - Why SD-Access?

#CLUS
Why SD-Access?
Journey - Traditional to Modern Networks
Prabhjit Singh Bagga, Technical Marketing Engineer

@Prabhjit_bagga
BRKARC-2009
#CLUS
New QA Employee QA Team
New Dev Employee
IT Team
Developer Team
Networking Team
Who has seen this?
access-list 102 permit icmp 68.14.62.179 255.255.255.255 lt 2985 235.228.242.243 255.255.255.255 lt 2286
access-list 102 deny tcp 91.198.213.34 0.0.0.255 eq 1274 206.136.32.135 0.255.255.255 eq 4191
access-list 102 deny udp 76.150.135.234 255.255.255.255 lt 3573 15.233.106.211 255.255.255.255 eq 3721
access-list 102 permit tcp 126.97.113.32 0.0.1.255 eq 4644 2.216.105.40 0.0.31.255 eq 3716
access-list 102 permit icmp 147.31.93.130 0.0.0.255 gt 968 154.44.194.206 255.255.255.255 eq 4533
access-list 102 deny tcp 154.57.128.91 0.0.0.255 lt 1290 106.233.205.111 0.0.31.255 gt 539
access-list 102 deny ip 9.148.176.48 0.0.1.255 eq 1310 64.61.88.73 0.0.1.255 lt 4570
access-list 102 deny ip 124.236.172.134 255.255.255.255 gt 859 56.81.14.184 255.55.255.255 gt 2754
access-list 102 deny icmp 227.161.68.159 0.0.31.255 lt 3228 78.113.205.236 255.55.255.255 lt 486
access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165
access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428
access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511
access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945
access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116
access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959
access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993
access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
#CLUS BRKARC-2009 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Agenda
1 Why SD-Access?
Traditional Campus, Journey, Issues
2 Introduction - Intent Based Networking

Automation, Security, Assurance
3 SD-Access Concepts
Roles, Terminologies
4 SD-Access Fundamentals
How does it work?
5 Demo
Take Away
Cisco Webex Teams
Questions?
Use Cisco Webex Teams to chat
with the speaker after the session
How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
Webex Teams will be moderated cs.co/ciscolivebot#BRKARC-2009

by the speaker until June 16, 2019.
#CLUS © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
Sessions are available Online @ CiscoLive.com
Cisco Software-Defined Access

Cisco Live San Diego - Session Map You Are Here
Monday (June 10) Tuesday (June 11) Wednesday (June 12) Thursday (June 13)
08:00-11:00 11:00-13:00 13:00-15:00 15:00-18:00 08:00-11:00 11:00-13:00 13:00-15:00 15:00-18:00 08:00-11:00 11:00-13:00 13:00-15:00 15:00-18:00 08:00-11:00 11:00-13:00 13:00-15:00 15:00-18:00
BRKCRS-2818 BRKCRS-2821 BRKCRS-2825 BRKCRS-1501 BRKNMS-2814

Connect SDWAN Integration Scaling Validated Design Assurance
BRKARC-2020 BRKARC-2009
Troubleshoot Why SDA
BRKCRS-2810 BRKCRS-2811 BRKCRS-2815 BRKCRS-2816 BRKCRS-2817 BRKCRS-3810

Fundamentals Connect Outside Connect Sites Underlay Extension Deep Dive
BRKCRS-2812 BRKSEC-2025 BRKCRS-2819

Migration Security Cross-Domain
BRKCRS-3811
Policy
BRKEWN-2021 BRKEWN-2020
Live Setup Wireless
Why SD-Access
(SDA)?
Key Challenges for Traditional Networks
Difficult to Segment Complex to Manage Slower Issue Resolution
Ever increasing number of Multiple steps, Separate user policies for

users and endpoint types user credentials, complex wired and wireless networks
interactions
Ever increasing number of Unable to find users
VLANs and IP Subnets Multiple touch-points when troubleshooting
Traditional Networks Cannot Keep Up!

#CLUS © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Diverse end-points and applications served across a
multidomain network
Classes of end-points Classes of Applications
User devices IT services Non-IT services

(Printers, audio, video, (Lighting, alarms, (on-premise or private
(Laptops, phones, PCs) (Public cloud hosted)
displays) surveillance) cloud hosted)
• Consistent access across • Service discovery for • Network and power HA for • Application visibility and
wired/wireless printing, Apple TV emergency control
• Granular quality of service • network timing for audio • Traffic monitoring for • Seamless experience with
and AVC and video surveillance on-premise and cloud
Network requirements
Increased Scale, Complexity & Growing Security

#CLUS © 2019Threats
Cisco and/or its affiliates. All rights reserved. Cisco Public
Unprecedented Demands on the Network
Digitization Complexity Security
Scale Cost Risk
Lack of Business Slow and Error Prone Unconstrained Attack

and IT Insights Operations Surface
Modern Networking with Cisco Catalyst 9000
IoT
Secure convergence Mobility Cloud
• Support industry IoT • Fabric-enabled • DevOps toolkit
• Malware detection in
encrypted traffic device protocols wireless • NETCONF/YANG
• Micro and macro • Classify wide range • Embedded Catalyst models
segmentation of IoT devices 9800 WLC • Streaming telemetry
• Greater Network • Uninterrupted PoE • Common policy for • Patching/GIR
visibility wired and wireless
• Wired and wireless • Application hosting
guest access
Cisco Software Defined Access
The Foundation for Cisco’s Intent-Based Network
Cisco DNA Center
One Automated
Network Fabric
Policy Automation Assurance Single fabric for Wired and
Wireless with full automation
Outside
B B
Identity-Based
C
Policy and Segmentation
Policy definition decoupled
from VLAN and IP address
AI-Driven
Insights and Telemetry
SD-Access
Extension Client Mobility Analytics and visibility into
User and Application experience
Policy follows User
IoT Network Employee Network #CLUS © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
Intent Based Networking
Tell your network
What you Want
and let it figure out
How to do That
Correlate Information from Multiple Sensors
to provide Deeper Insights and Suggest Actions
Context
Automated Network Fabric - Day 0/1
Simplifying Automation with New Toolsets
IP Address Management
Image Management
Upgrading your network elements
SD-Access
moves to IDENTITY
Joshua Susan Alan Nathan
192.168.3.47 192.168.12.213 192.168.8.89 192.168.37.149
Moving away from an IP Address Centric View

It starts with a User
or a device or thing
We move the user into a
group…
We place the group into a
Virtual Network…
This is where
Segmentation happens
How does it come
together?
Process starts with a user
connecting to the
network…
User authenticates with
the Identity Services
Engine…
ISE configuration of user
and network element…
User becomes part of a
Fabric Overlay…
Only sees other users
from SAME virtual
network…
Now for the
Fabric Overlay !
Data transported in the
overlay network…
Policy enforced in the

overlay network…
With user/device
mobility, the SAME
policy stays intact…
The connected tunnel

AUTOMATICALLY re-
establishes…
Overall Network Health Map
Network Health Score
Network split by device
Client Health Score

Clients split by wired/wireless
Top 10 issues
Network Health Map
Network Health Score
Split by 15min/24 hour
Network Health by Device

Access | Core | Distribution | Wireless
Network Device List

Device Health Timeline
Device Issues
Physical Neighbor Topology
Path Trace
Detailed Device Info
Client Health Map
All of Client Health Score
Split by Wired/Wireless
Client Metrics
Client Onboarding
Connectivity RSSI
Connectivity Physical Link
Client List
Client Health Timeline
Client Issues
Client Onboarding Map
Path Trace
Detailed Client Info
For more details: cs.co/sda-compatibility-matrix
SD-Access Support
Digital Platforms for your Cisco Digital Network Architecture
What is SD-Access?
Roles & Terminology
What is SD-Access?
Campus Fabric + Cisco DNA Center (Automation & Assurance)
 SD-Access
APIC-EM
NCP
1.X GUI approach provides automation &
ISE NDP
PI assurance of all Fabric configuration,
management and group-based policy
Cisco DNA
Center Cisco DNA Center integrates multiple
management systems, to orchestrate
LAN, Wireless LAN and WAN access
B B
 Campus Fabric
CLI or API approach to build a LISP +
C
VXLAN + CTS Fabric overlay for your
enterprise Campus networks
Campus CLI provides backwards compatibility,
Fabric but management is box-by-box.
API provides device automation via
NETCONF/YANG
Separate management systems
SD-Access
What exactly is a Fabric?
A Fabric is an Overlay
An Overlay network is a logical topology used to virtually connect devices,
built over an arbitrary physical Underlay topology.
An Overlay network often uses alternate forwarding attributes to provide
additional services, not provided by the Underlay.
Examples of Network Overlays

• GRE, mGRE • LISP
• MPLS, VPLS • OTV
• IPSec, DMVPN • DFA
• CAPWAP • ACI
SD-Access
Fabric Terminology
Overlay Network Overlay Control Plane
Encapsulation
Edge Device Edge Device
Hosts
(End-Points)
Underlay Network Underlay Control Plane
SD-Access
Fabric Underlay – Manual vs. Automated
Manual Underlay LAN Automation

You can reuse your existing IP Fully automated prescriptive IP
network as the Fabric Underlay! network Underlay Provisioning!
• Key Requirements • Key Requirements
• IP reach from Edge to Edge/Border/CP • Leverages standard PNP for Bootstrap
• Can be L2 or L3 – We recommend L3 • Assumes New / Erased Configuration
• Can be any IGP – We recommend ISIS • Uses a Global “Underlay” Address Pool
• Key Considerations • Key Considerations

• MTU (Fabric Header adds 50B) • Seed Device pre-setup is required
• Latency (RTT of =/< 100ms) • 100% Prescriptive (No Custom)
Underlay Network
Cisco SD-Access
Fabric Roles & Terminology
 Network Automation – Simple GUI
Automation and APIs for intent-based Automation
Identity Cisco DNA Center of wired and wireless fabric devices
Cisco ISE
Services
 Network Assurance – Data Collectors
analyze Endpoint to Application flows
Assurance and monitor fabric network status
 Identity Services – NAC & ID Services
(e.g. ISE) for dynamic Endpoint to Group
Fabric Border IP Fabric Wireless mapping and Policy definition
Nodes Controllers
B B  Control-Plane Nodes – Map System that
manages Endpoint to Device relationships
Control-Plane
Intermediate  Fabric Border Nodes – A fabric device
C Nodes
Nodes (Underlay)
(e.g. Core) that connects External L3
network(s) to the SD-Access fabric
Campus  Fabric Edge Nodes – A fabric device

(e.g. Access or Distribution) that connects
Fabric Edge
Nodes Fabric Fabric Wireless
Access Points
Wired Endpoints to the SD-Access fabric
 Fabric Wireless Controller – A fabric device
(WLC) that connects Fabric APs and
Wireless Endpoints to the SD-Access fabric
SD-Access Fabric
Border Nodes
Border Node is an Entry & Exit point for data traffic going Into & Out of a Fabric
There are 3 Types of Border Node! C

Known Unknown
Networks Networks
B B
• Internal Border (Rest of Company)
• connects ONLY to the known areas of the company
• External Border (Outside)

• connects ONLY to unknown areas outside the company
• Internal + External (Anywhere)

• connects transit areas AND known areas of the company
SD-Access Platforms
Fabric Border Node
* EXTERNAL ONLY
Catalyst 3K Catalyst 6K Nexus 7K* ISR 4K ASR 1K
• Catalyst 3650/3850 • Catalyst 6500/6800 • Nexus 7700 • ISR 4300/4400 • ASR 1000-X/HX
• 1/mG RJ45 • Sup2T/Sup6T • Sup2E • AppX (AX) • AppX (AX)
• 1/10G SFP • C6800 Cards • M3 Cards • 1/10G RJ45 • 1/10G ELC/EPA
• 1/10/40G NM Cards • C6880/6840-X • LAN1K9 + MPLS • 1/10G SFP • 40G ELC/EPA
SD-Access Fabric
Control-Plane Nodes – A Closer Look
Control-Plane Node runs a Host Tracking Database to map location information
• A simple Host Database that maps Endpoint IDs to C

Known Unknown
a current Location, along with other attributes Networks Networks
B B
• Host Database supports multiple types of Endpoint
ID lookup types (IPv4, IPv6 or MAC)
• Receives Endpoint ID map registrations from Edge

and/or Border Nodes for “known” IP prefixes
• Resolves lookup requests from Edge and/or Border

Nodes, to locate destination Endpoint IDs
SD-Access Platforms The Channelco®
Fabric Control Plane CRN®

Products of the Year
2017, 2018
Catalyst 9300 Catalyst 9400 Catalyst 9500 Catalyst 9600
• Catalyst 9300 • Catalyst 9400 • Catalyst 9500 • Catalyst 9600

• 1/mG RJ45 • Sup1XL • 40/100G QSFP • Sup1
• 10/25/40/mG NM • 9400 Cards • 1/10/25G SFP • 9600 Cards
SD-Access Fabric
Edge Nodes – A Closer Look
Edge Node provides first-hop services for Users / Devices connected to a Fabric
• Responsible for Identifying and Authenticating C

Endpoints (e.g. Static, 802.1X, Active Directory)
Known Unknown
Networks Networks
B B
• Register specific Endpoint ID info (e.g. /32 or /128)
with the Control-Plane Node(s)
• Provide an Anycast L3 Gateway for the connected

Endpoints (same IP address on all Edge nodes)
• Performs encapsulation / de-encapsulation of data

traffic to and from all connected Endpoints
SD-Access Platforms The Channelco®
Fabric Edge Node CRN®

Products of the Year
2017, 2018
Catalyst 9200 Catalyst 9300 Catalyst 9400 Catalyst 9500 Catalyst 9600
• Catalyst 9200/L* • Catalyst 9300 • Catalyst 9400 • Catalyst 9500 • Catalyst 9600
• 1/mG RJ45 • 1/mG RJ45 • Sup1/Sup1XL • 1/10/25G SFP • Sup1
• 1G SFP (Uplinks) • 10/25/40/mG NM • 9400 Cards • 40/100G QSFP • 9600 Cards
SD-Access Platforms
Fabric Edge Node
Catalyst 3K Catalyst 4500E Catalyst 6K
• Catalyst 3650/3850 • Catalyst 4500E • Catalyst 6500/6800

• 1/mG RJ45 • Sup8E/Sup9E (Uplink) • Sup2T/Sup6T
• 1/10G SFP • 4600/4700 Cards (Host) • C6800 Cards
• 1/10/40G NM Cards • C6880/6840-X
SD-Access Fabric
Fabric Enabled Wireless – A Closer Look
Fabric Enabled WLC is integrated into Fabric for SD-Access Wireless clients
Ctrl: CAPWAP
Data: VXLAN
• Connects to Fabric via Border (Underlay) C

Known Unknown
Networks Networks
• Fabric Enabled APs connect to the WLC (CAPWAP)
B B
using a dedicated Host Pool (Overlay)
• Fabric Enabled APs connect to the Edge via VXLAN
• Wireless Clients (SSIDs) use regular Host Pools for

data traffic and policy (same as Wired)
• Fabric Enabled WLC registers Clients with the

Control-Plane (as located on local Edge + AP)
How does SD-Access
work?
SD-Access Fabric
Campus Fabric - Key Components
1. Control-Plane based on LISP

2. Data-Plane based on VXLAN
3. Policy-Plane based on CTS
B B
Key Differences
C
• L2 + L3 Overlay -vs- L2 or L3 Only
• Host Mobility with Anycast Gateway
• Adds VRF + SGT into Data-Plane
• Virtual Tunnel Endpoints (Automatic)
• NO Topology Limitations (Basic IP)
Fabric Operation
Control-Plane Roles & Responsibilities Control-Plane EID RLOC
a.a.a.0/24 w.x.y.1
b.b.b.0/24 x.y.w.2
c.c.c.0/24 z.q.r.5
d.d.0.0/16 z.q.r.5
LISP Map Server / Resolver EID Space

EID
a.a.a.0/24
RLOC
w.x.y.1
(Control-Plane) b.b.b.0/24
c.c.c.0/24
d.d.0.0/16
x.y.w.2
z.q.r.5
z.q.r.5
• EID to RLOC mappings EID RLOC

Edge a.a.a.0/24
b.b.b.0/24
w.x.y.1
x.y.w.2
• Can be distributed across c.c.c.0/24

d.d.0.0/16
z.q.r.5
z.q.r.5
Non-LISP
multiple LISP devices Prefix Next-hop
w.x.y.1 e.f.g.h
x.y.w.2 e.f.g.h
z.q.r.5 e.f.g.h
z.q.r.5 e.f.g.h
LISP Tunnel Router - XTR Border RLOC Space

(Edge & Internal Border)
• Register EID with Map Server
• Ingress / Egress (ITR / ETR) Edge
LISP Proxy Tunnel Router - PXTR EID Space

(External Border)
• EID = Endpoint Identifier
• Provides a Default Gateway
• Host Address or Subnet
when no mapping exists
• RLOC = Routing Locator
• Ingress / Egress (PITR / PETR) • Local Router Address
Fabric Operation
Control Plane Register & Resolution
Branch
Fabric Edge
Cache Entry (on ITR) Where is 10.2.2.2?
10.2.2.2/32  (2.1.2.1) Fabric Control Plane
5.1.1.1
2.1.1.1 2.1.2.1 3.1.1.1 3.1.2.1
Database Mapping Entry (on ETR) Fabric Edges Database Mapping Entry (on ETR)
10.2.2.4/32  ( 3.1.2.1)
10.2.2.2/32  ( 2.1.2.1)
10.2.2.3/16 10.2.2.2/16 10.2.2.5/16 10.2.2.4/16
Subnet 10.2.0.0 255.255.0.0 stretched across

Fabric Operation
Fabric Internal Forwarding (Edge to Edge)
3 EID-prefix: 10.2.2.2/32
Mapping Locator-set: Path Preference
Entry Controlled
2.1.2.1, priority: 1, weight:100
by Destination Site
1
DNS Entry:
Branch Non-Fabric Non-Fabric
D.abc.com A 10.2.2.2
10.1.0.0/24
Fabric Borders
S Fabric Edge
2
1.1.1.1
10.1.0.1  10.2.2.2 5.3.3.3
IP Network 5.1.1.1 5.2.2.2

4 Mapping
System
1.1.1.1  2.1.2.1
10.1.0.1  10.2.2.2 2.1.1.1 2.1.2.1 3.1.1.1 3.1.2.1
5 Fabric Edges
10.1.0.1  10.2.2.2
D
10.2.2.3/16 10.2.2.2/16 10.2.2.4/16 10.2.2.5/16
Subnet 10.2.0.0 255.255.0.0 stretched across
Would you like to know more?
Locator / ID Separation Protocol (LISP)
Suggested Reading
• BRKRST-3045 - LISP - A Next Generation Networking Architecture
• BRKRST-3047 - Troubleshooting LISP
• BRKCRS-3510 - LISP in Campus Networks
Other References
• Cisco LISP Site http://lisp.cisco.com
• Cisco LISP Marketing Site http://www.cisco.com/go/lisp/
• LISP Beta Network Site http://www.lisp4.net or http://www.lisp6.net
• IETF LISP Working Group http://tools.ietf.org/wg/lisp/
• Fundamentals of LISP https://www.youtube.com/watch?v=lKrV1qB8uqA
SD-Access Fabric
Key Components – VXLAN

ORIGINAL
ETHERNET IP PAYLOAD
PACKET
Supports L3
Overlay Only
PACKET IN
ETHERNET IP UDP LISP IP PAYLOAD
LISP
Supports L2
& L3 Overlay
PACKET IN
ETHERNET IP UDP VXLAN ETHERNET IP PAYLOAD
VXLAN
VXLAN-GPO Header
MAC-in-IP with VN ID & Group ID
What to look for in Frame 1: 192 bytes on wire (1536 bits), 192 bytes captured (1536 bits)
a packet capture?
Ethernet II, Src: CiscoInc_c5:db:47 (88:90:8d:c5:db:47), Dst: CiscoInc_5b:58:fb (0c:f5:a4:5b:58:fb)
Internet Protocol Version 4, Src: 10.2.120.1, Dst: 10.2.120.3
User Datagram Protocol, Src Port: 65354 (65354), Dst Port: 4789 (4789)
Source Port: 65354
Destination Port: 4789
OUTER
Length: 158 HEADER
Checksum: 0x0000 (none)
[Stream index: 0]
Virtual eXtensible Local Area Network

Flags: 0x0800, VXLAN Network ID (VNI)
OVERLAY
Group Policy ID: 50
VXLAN Network Identifier (VNI): 4098
HEADER
Reserved: 0
Ethernet II, Src: CiscoInc_c5:00:00 (88:90:8d:c5:00:00), Dst: ba:25:cd:f4:ad:38 (ba:25:cd:f4:ad:38)

Destination: ba:25:cd:f4:ad:38 (ba:25:cd:f4:ad:38)
Source: CiscoInc_c5:00:00 (88:90:8d:c5:00:00) INNER
Type: IPv4 (0x0800) HEADER
Internet Protocol Version 4, Src: 10.2.1.89, Dst: 10.2.1.99
Internet Control Message Protocol
SD-Access Fabric
Key Components – Group Based Policy

Virtual Routing & Forwarding

Scalable Group Tagging
VRF + SGT
ETHERNET IP UDP VXLAN ETHERNET IP PAYLOAD
SD-Access Policy
Two Level Hierarchy - Macro Level
Known Unknown
Networks Networks
SD-Access
VN VN VN
Fabric
Virtual Network (VN)
“A” “B” “C”
First level Segmentation ensures zero
communication between forwarding
domains. Ability to consolidate multiple
networks into one management plane.
Building Management Campus Users

VN VN
SD-Access Policy
Two Level Hierarchy - Micro Level
Known Unknown
Networks Networks
SG
SG
1
SG SG
SG
4
SG SG
SG
7
SG
SD-Access
Fabric
Scalable Group (SG)
2 3 5 6 8 9
Second level Segmentation ensures
role based access control between
two groups within a Virtual Network.
Provides the ability to segment the
network into either line of businesses
or functional blocks.
Building Management Campus Users

VN VN
Group Propagation
VN & SGT in VXLAN-GPO Encapsulation
Encapsulation Decapsulation
IP Network
Edge Node 1 Edge Node 2
VXLAN VXLAN
VN ID SGT ID VN ID SGT ID
Classification Propagation Enforcement

Static or Dynamic VN Carry VN and Group Group Based Policies
and SGT assignments context across the network ACLs, Firewall Rules
Policy Enforcement
Ingress Classification with Egress Enforcement
Destination Classification
CRM: SGT 20
Web: SGT 30
User Authenticated = FIB Lookup =
Classified as Marketing (5) Destination IP = SGT 20 ISE
Cat3850 Cat6800 Cat6800 Nexus 7000 Nexus 5500 Nexus 2248

CRM
Enterprise
5 Backbone 5 DST: 10.1.100.52
SRC: 10.1.10.220 SGT: 20
DST: 10.1.100.52
SRC: 10.1.10.220 SGT: 5 Web
DST: 10.1.200.100
Egress SGT: 30
Enforcement
(SGACL)
WLC5508
DST  CRM Web
 SRC (20) (30)
Marketing (5) Permit Deny
BYOD (7) Deny Permit
Demo
Things to Remember
Take Away
85
What to Do Next?
SD-Access Cisco DNA Cisco

Capable Center Services
SD-Access Testimonials
Live Customer SD-Access Deployments
Network Services
375+ Production
Deployments
Cisco IT
www.cisco.com/c/en/us/solutions/enterprise-networks/network-architecture-customer-success-stories.html
Marriott Marquis San Diego
SD-Access @ CiscoLive US
SD-Access Resources
Would you like to know more?
cs.co/sda-resources
cs.co/sda-community
• Search from your Browser

• Indexed by Search Engines
• Discuss with experts & friends
• Supported by SDA TMEs
• 24-hour First Response
• Questions are marked Answered
#CLUS © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Complete your
online session • Please complete your session survey
evaluation after each session. Your feedback
is very important.
• Complete a minimum of 4 session
surveys and the Overall Conference
survey (starting on Thursday) to
receive your Cisco Live water bottle.
• All surveys can be taken in the Cisco Live
Mobile App or by logging in to the Session
Catalog on ciscolive.cisco.com/us.
Cisco Live sessions will be available for viewing
on demand after the event at ciscolive.cisco.com.
Thank you
#CLUS

BRKARC-2009 - Why SD-Access?

Uploaded by

Copyright:

Available Formats

BRKARC-2009 - Why SD-Access?

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

BRKARC-2009 - Why SD-Access?

Uploaded by

Copyright:

Available Formats

What are the key concepts of SD-Access?

What are the key concepts of SD-Access?

What are the components of SD-Access and how do they work together?

What are the components of SD-Access and how do they work together?

#CLUS

Prabhjit Singh Bagga, Technical Marketing Engineer

New Dev Employee

2 Introduction - Intent Based Networking

Webex Teams will be moderated cs.co/ciscolivebot#BRKARC-2009

Cisco Software-Defined Access

BRKCRS-2818 BRKCRS-2821 BRKCRS-2825 BRKCRS-1501 BRKNMS-2814

BRKCRS-2810 BRKCRS-2811 BRKCRS-2815 BRKCRS-2816 BRKCRS-2817 BRKCRS-3810

BRKCRS-2812 BRKSEC-2025 BRKCRS-2819

Difficult to Segment Complex to Manage Slower Issue Resolution

Ever increasing number of Multiple steps, Separate user policies for

Traditional Networks Cannot Keep Up!

User devices IT services Non-IT services

Increased Scale, Complexity & Growing Security

Scale Cost Risk

Lack of Business Slow and Error Prone Unconstrained Attack

192.168.3.47 192.168.12.213 192.168.8.89 192.168.37.149

Moving away from an IP Address Centric View

Policy enforced in the

The connected tunnel

Client Health Score

Network Health by Device

Network Device List

Separate management systems

Examples of Network Overlays

Overlay Network Overlay Control Plane

Edge Device Edge Device

Underlay Network Underlay Control Plane

Manual Underlay LAN Automation

• Key Considerations • Key Considerations

Campus  Fabric Edge Nodes – A fabric device

There are 3 Types of Border Node! C

• External Border (Outside)

• Internal + External (Anywhere)

Catalyst 3K Catalyst 6K Nexus 7K* ISR 4K ASR 1K

Control-Plane Node runs a Host Tracking Database to map location information

• A simple Host Database that maps Endpoint IDs to C

• Receives Endpoint ID map registrations from Edge

• Resolves lookup requests from Edge and/or Border

Fabric Control Plane CRN®

Catalyst 9300 Catalyst 9400 Catalyst 9500 Catalyst 9600

• Catalyst 9300 • Catalyst 9400 • Catalyst 9500 • Catalyst 9600

• Responsible for Identifying and Authenticating C

• Provide an Anycast L3 Gateway for the connected

• Performs encapsulation / de-encapsulation of data

Fabric Edge Node CRN®

Catalyst 3K Catalyst 4500E Catalyst 6K

• Catalyst 3650/3850 • Catalyst 4500E • Catalyst 6500/6800

• Connects to Fabric via Border (Underlay) C

• Fabric Enabled APs connect to the Edge via VXLAN

• Wireless Clients (SSIDs) use regular Host Pools for

• Fabric Enabled WLC registers Clients with the

1. Control-Plane based on LISP

LISP Map Server / Resolver EID Space

• EID to RLOC mappings EID RLOC

• Can be distributed across c.c.c.0/24