(Cisco-Live) Software - Defined - Access - 2017


Tech Update

10 – 12 October 2017

Rene Andersen / Ib Hansen


DNA Solution – DNA Center: Simple Workflows over the Cisco Enterprise Portfolio

(Figure: DNA Center workflows Design, Provision, Policy and Assurance, built on Identity Services Engine, APIC-EM and Network Data Platform, managing Routers, Switches, Wireless Controllers and Wireless APs)

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Key Concepts
What is Software Defined Access?
What is SD-Access?
Campus Fabric + DNA Center (Automation & Assurance)

§ SD-Access – Available Aug 2017
GUI approach provides automation & assurance of all Fabric configuration, management and group-based policy.
Leverages DNA Center to integrate external Service Apps, to orchestrate your entire LAN, Wireless LAN and WAN access network.

§ Campus Fabric – Shipping Now
CLI or API form of the new overlay Fabric solution for your enterprise Campus access networks.
CLI approach provides backwards compatibility and customization, Box-by-Box. API approach provides automation via NETCONF / YANG.
APIC-EM, ISE, NDP are all separate.

(Figure: DNA Center, APIC-EM 2.0 with ISE and NDP, above the Campus Fabric with APIC-EM 1.X, ISE and NDP as separate components; fabric shown with Border (B) and Control-Plane (C) nodes)
Roles & Terminology
What is Software Defined Access?

1. High-Level View
2. Roles & Platforms
3. Fabric Constructs
What is SD-Access?
Fabric Roles & Terminology

§ DNA Controller – Enterprise SDN Controller (e.g. DNA Center) provides GUI management and abstraction via Apps that share context
§ Identity Services – External ID System(s) (e.g. ISE) are leveraged for dynamic Endpoint to Group mapping and Policy definition
§ Analytics Engine – External Data Collector(s) (e.g. NDP) are leveraged to analyze Endpoint to App flows and monitor fabric status
§ Control-Plane Nodes – Map System that manages Endpoint to Device relationships
§ Fabric Border Nodes – A Fabric device (e.g. Core) that connects External L3 network(s) to the SDA Fabric
§ Fabric Edge Nodes – A Fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SDA Fabric
§ Fabric Wireless Controller – A Fabric device (WLC) that connects Wireless Endpoints to the SDA Fabric

(Figure: DNA Controller (APIC-EM), Identity Services Engine (ISE) and Analytics Engine (NDP) above a Campus Fabric of Fabric Border Nodes (B), Fabric Wireless Controller, Control-Plane Nodes (C), Intermediate Nodes (Underlay) and Fabric Edge Nodes)
Roles & Terminology
What is Software Defined Access?

1. High-Level View
2. Roles & Platforms
3. Fabric Constructs
SD-Access Fabric
Control-Plane Nodes – A Closer Look

Control-Plane Node runs a Host Tracking Database to map location information

• A simple Host Database that maps Endpoint IDs to a current Location, along with other attributes
• Host Database supports multiple types of Endpoint ID lookup types (IPv4, IPv6 or MAC)
• Receives Endpoint ID map registrations from Edge and/or Border Nodes for “known” IP prefixes
• Resolves lookup requests from Edge and/or Border Nodes, to locate destination Endpoint IDs

(Figure: Control-Plane node (C) between Known Networks and Unknown Networks)
SD-Access – Control-Plane
Platform Support

• Catalyst 3K: Catalyst 3850; 1/10G SFP; 10/40G NM Cards; IOS-XE 16.6.1+
• Catalyst 9500 (NEW): Catalyst 9500; 10/40G SFP/QSFP; 10/40G NM Cards; IOS-XE 16.6.1+
• Catalyst 6K: Catalyst 6800; Sup2T/6T; 6880-X or 6840-X; IOS 15.5.1SY+
• ASR1K, ISR4K & CSRv: CSRv; ASR 1000-X/HX; ISR 4430/4450; IOS-XE 16.6.1+
SD-Access Fabric
Edge Nodes – A Closer Look

Edge Node provides first-hop services for Users / Devices connected to the Fabric

• Responsible for Identifying and Authenticating Endpoints (e.g. Static, 802.1X, Active Directory)
• Register the specific Endpoint ID info (e.g. /32 or /128) with the Control-Plane Node(s)
• Provide an Anycast L3 Gateway for connected Endpoints (same IP address on all Edge nodes)
• Performs encapsulation / de-encapsulation of data traffic to and from all connected Endpoints

(Figure: Control-Plane node (C) between Known Networks and Unknown Networks)
SD-Access – Edge Node
Platform Support

• Catalyst 3K: Catalyst 3650/3850; 1/MGIG RJ45; 10/40G NM Cards; IOS-XE 16.6.1+
• Catalyst 9300 (NEW): Catalyst 9300; 1/MGIG RJ45; 10/40/mG NM Cards; IOS-XE 16.6.1+
• Catalyst 4K: Catalyst 4500; Sup8E/9E (Uplinks); 4700 Cards (Down); IOS-XE 3.10.1+
• Catalyst 9400 (NEW): Catalyst 9400; Sup1E; 9400 Cards; IOS-XE 16.6.1+
SD-Access Fabric
Border Nodes – A Closer Look

Border Node is an Entry / Exit point for all data traffic going In / Out of the Fabric

There are 2 Types of Border Node!

• Fabric Border – Used for “Known” Routes in your company
• Default Border – Used for “Unknown” Routes outside your company

(Figure: Control-Plane node (C) with Border nodes (B) facing Known Networks (!) and Unknown Networks (?))
SD-Access Fabric
Border Nodes – A Closer Look

Fabric Border advertises Endpoints to outside, and known Subnets to inside

• Connects to any “known” IP subnets attached to the outside network (e.g. DC, WLC, FW, etc.)
• Exports all internal IP Pools to outside (as aggregate), using a traditional IP routing protocol(s).
• Imports and registers (known) IP subnets from outside, into the Control-Plane Map System
• Hand-off requires mapping the context (VRF & SGT) from one domain to another.

(Figure: Control-Plane node (C) with Border nodes (B) facing Known Networks and Unknown Networks)
SD-Access Fabric
Border Nodes – A Closer Look

Default Border is a “Gateway of Last Resort” for unknown destinations

• Connects to any “unknown” IP subnets (e.g. Internet)
• Exports all internal IP Pools outside (as aggregate) into traditional IP routing protocol(s).
• Does NOT import unknown routes. It is a “default” exit, if no other entry available in Control-Plane.
• Hand-off requires mapping the context (VRF & SGT) from one domain to another.

(Figure: Control-Plane node (C) with Border nodes (B) facing Known Networks and Unknown Networks)
SD-Access – Border Node
Platform Support

• Catalyst 3K: Catalyst 3850; 1/10G SFP+; 10/40G NM Cards; IOS-XE 16.6.1+
• Catalyst 9500 (NEW): Catalyst 9500; 40G QSFP; 10/40G NM Cards; IOS-XE 16.6.1+
• Catalyst 6K: Catalyst 6800; Sup2T/6T; 6880-X or 6840-X; IOS 15.5.1SY+
• ASR1K & ISR4K: ASR 1000-X/HX; ISR 4430/4450; 1/10G/40G; IOS-XE 16.6.1+
• Nexus 7K: Nexus 7700; Sup2E; M3 Cards; NXOS 7.3.2+
Roles & Terminology
What is Software Defined Access?

1. High-Level View
2. Roles & Platforms
3. Fabric Constructs
SD-Access Fabric
Virtual Network – A Closer Look

Virtual Network maintains a separate Routing & Switching instance for each VN

• Control-Plane uses Instance ID to maintain separate VRF topologies (“Default” VRF is Instance ID “4097”)
• Nodes add VNID to the Fabric encapsulation
• Endpoint ID prefixes (Host Pools) are advertised within one (or more) Virtual Networks
• Uses standard “vrf definition” configuration, along with RD & RT for remote advertisement (Border Node)

(Figure: Known and Unknown Networks reached through Virtual Networks “A”, “B” and “C”)
SD-Access Fabric
Scalable Groups – A Closer Look

Scalable Group is a logical ID object to “group” Users and/or Devices

• CTS uses “Scalable Groups” to ID and assign a unique Scalable Group Tag (SGT) to Host Pools
• Nodes add SGT to the Fabric encapsulation
• CTS SGTs used to manage address-independent “Group-Based Policies”
• Edge or Border Nodes use SGT to enforce local Scalable Group ACLs (SGACLs)

(Figure: Scalable Groups SG 1 to SG 9 spread across Known and Unknown Networks)
SD-Access Fabric
Host Pools – A Closer Look

Host Pool provides basic IP functions necessary for attached Endpoints

• Edge Nodes use a Switch Virtual Interface (SVI), with IP Address /Mask, etc. per Host Pool
• Fabric uses Dynamic EID mapping to advertise each Host Pool (per Instance ID)
• Fabric Dynamic EID allows Host-specific (/32, /128, MAC) advertisement and mobility
• Host Pools can be assigned Dynamically (via Host Authentication) and/or Statically (per port)

(Figure: Host Pools 1 to 9 spread across Known and Unknown Networks)
Campus Fabric
Virtual Network – A Closer Look

Anycast GW provides a single L3 Default Gateway for IP capable endpoints

• Similar principles and behavior as HSRP / VRRP with a shared Virtual IP and MAC address
• The same Switch Virtual Interface (SVI) is present on EVERY Edge, with the same Virtual IP and MAC
• Control-Plane with Fabric Dynamic EID mapping creates a Host (Endpoint) to Edge relationship
• If (when) a Host moves from Edge 1 to Edge 2, it does not need to change its IP Default Gateway!

(Figure: the same GW present on every Edge node)
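As an added illustration of the Control-Plane node, the two Border node types and the Anycast Gateway mobility point above (written for this page, not Cisco code), the following Python models a toy Host Tracking Database: Edge nodes register host EIDs (/32, /128 or MAC) against their RLOC, a Fabric Border registers a “known” external prefix, lookups fall through to the Default Border for anything unregistered, and a host move is simply a re-registration that changes the RLOC while the gateway address stays the same. Instance ID 4097 is the default VRF named on the Virtual Network slide; all RLOCs, EIDs, the gateway address and the second Instance ID 4099 are constructed sample values.

```python
"""Toy LISP-style Host Tracking Database (HTDB) for an SD-Access control-plane node.
Added illustration for this page, not Cisco code; all addresses below are constructed."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_INSTANCE_ID = 4097          # the "Default" VRF Instance ID named on the Virtual Network slide
ANYCAST_GW = "10.1.10.1"            # constructed: the same SVI address on every Edge node
EDGE1_RLOC, EDGE2_RLOC = "172.16.1.1", "172.16.1.2"               # constructed underlay locators
BORDER_RLOC, DEFAULT_BORDER_RLOC = "172.16.0.1", "172.16.0.2"
MAC_RE = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}")


@dataclass
class MapEntry:
    rloc: str      # locator of the Edge/Border node that registered this EID
    source: str    # "edge" for host EIDs, "border" for known external prefixes


@dataclass
class HostTrackingDB:
    """Map System: (Instance ID, Endpoint ID) -> RLOC, with the Default Border as last resort."""
    default_border_rloc: Optional[str] = None
    entries: dict = field(default_factory=dict)

    @staticmethod
    def _key(eid: str):
        # EIDs may be MAC, IPv4 or IPv6; a bare address becomes a /32 or /128 host entry
        if MAC_RE.fullmatch(eid.lower()):
            return ("mac", eid.lower())
        return ("ip", ipaddress.ip_network(eid, strict=False))

    def register(self, eid, rloc, instance_id=DEFAULT_INSTANCE_ID, source="edge"):
        # A later registration of the same EID from another Edge overwrites the RLOC:
        # that re-registration is how a host move is tracked, no gateway change needed.
        self.entries[(instance_id, self._key(eid))] = MapEntry(rloc, source)

    def lookup(self, eid, instance_id=DEFAULT_INSTANCE_ID):
        """Resolve an EID within one Instance ID. Returns (rloc, kind)."""
        kind, value = self._key(eid)
        if kind == "mac":
            entry = self.entries.get((instance_id, ("mac", value)))
            if entry:
                return entry.rloc, "host"
        else:
            addr, best = value.network_address, None
            for (iid, (k, net)), entry in self.entries.items():
                if iid != instance_id or k != "ip" or net.version != value.version:
                    continue
                if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                    best = (net, entry)           # longest match: /32 host beats /24 known prefix
            if best:
                net, entry = best
                return entry.rloc, "host" if net.prefixlen == net.max_prefixlen else "known-prefix"
        if self.default_border_rloc:            # Default Border: unknown destinations, never imported
            return self.default_border_rloc, "default"
        return None, "unknown"


def build_sample_db():
    db = HostTrackingDB(default_border_rloc=DEFAULT_BORDER_RLOC)
    db.register("10.1.10.50", EDGE1_RLOC)                 # wired host, registered as /32 by Edge 1
    db.register("2001:db8:10::50", EDGE1_RLOC)            # same host, /128
    db.register("00:11:22:33:44:55", EDGE1_RLOC)          # same host, L2 EID
    db.register("192.168.100.0/24", BORDER_RLOC, source="border")   # known DC subnet imported by the Fabric Border
    db.register("10.1.10.50", EDGE2_RLOC, instance_id=4099)         # overlapping address in another VN
    return db


def host_move(db):
    """Host roams from Edge 1 to Edge 2: Edge 2 re-registers it, only the RLOC changes."""
    before = db.lookup("10.1.10.50")[0]
    db.register("10.1.10.50", EDGE2_RLOC)
    after = db.lookup("10.1.10.50")[0]
    return before, after, ANYCAST_GW


if __name__ == "__main__":
    db = build_sample_db()
    for eid in ("10.1.10.50", "2001:db8:10::50", "00:11:22:33:44:55", "192.168.100.7", "203.0.113.9"):
        print(eid, "->", db.lookup(eid))
    print("move:", host_move(db))
```

Run it as a script to print the lookups. The same EID registered in two Instance IDs resolves independently, which is the per-VN isolation the Virtual Network slide describes, and an empty database with no Default Border answers “unknown” rather than inventing a locator.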
Fabric Fundamentals
What is Campus Fabric?

1. Fabric Basics
2. Control-Plane
3. Data-Plane
4. Policy-Plane
SD-Access
What exactly is a Fabric?

A Fabric is an Overlay
An Overlay network is a logical topology used to virtually connect devices, built on top of some arbitrary physical Underlay topology.
An Overlay network often uses alternate forwarding attributes to provide additional services, not provided by the Underlay.

Examples of Network Overlays
• GRE or mGRE
• MPLS or VPLS
• IPSec or DMVPN
• CAPWAP
• LISP
• OTV
• DFA
• ACI
SD-Access
Fabric Terminology

(Figure: an Overlay Network with its Overlay Control Plane; Edge Devices perform the Encapsulation between Hosts (End-Points); the overlay runs over the Underlay Network with its Underlay Control Plane)
SD-Access
Fabric Underlay – Manual vs. Automated

Manual Underlay
You can reuse your existing IP network as the Fabric Underlay!
• Key Requirements
  • IP reach from Edge to Edge/Border/CP
  • Can be L2 or L3 – We recommend L3
  • Can be any IGP – We recommend ISIS
• Key Considerations
  • MTU (Fabric Header adds 50B)
  • Latency (RTT of =/< 100ms)

Automated Underlay
Prescriptive fully automated Global and IP Underlay Provisioning!
• Key Requirements
  • Leverages standard PNP for Bootstrap
  • Assumes New / Erased Configuration
  • Uses a Global “Underlay” Address Pool
• Key Considerations
  • PNP pre-setup is required
  • 100% Prescriptive (No Custom)
Fabric Fundamentals
What is Campus Fabric?

1. Fabric Basics
2. Control-Plane
3. Data-Plane
4. Policy-Plane
SD-Access
Campus Fabric - Key Components

1. Control-Plane based on LISP
2. Data-Plane based on VXLAN
3. Policy-Plane based on CTS

Key Differences
• L2 + L3 Overlay -vs- L2 or L3 Only
• Host Mobility with Anycast Gateway
• Adds VRF + SGT into Data-Plane
• Virtual Tunnel Endpoints (Automatic)
• NO Topology Limitations (Basic IP)
SD-Access Fabric
Key Components – LISP

1. Control-Plane based on LISP

BEFORE: IP Address = Location + Identity
Routing Protocols = Big Tables & More CPU, with Local L3 Gateway
Every node carries Topology + Endpoint Routes (the same Prefix / Next-hop entries repeated in every routing table)

AFTER: Separate Identity from Location
LISP DB + Cache = Small Tables & Less CPU, with Anycast L3 Gateway
Endpoint Routes are Consolidated to the LISP DB (Endpoint Mapping: Prefix / RLOC); nodes keep Only Local Routes plus Topology Routes. Enables Host Mobility.

(Figure: the same four endpoint prefixes, 192.58.28.128 → 171.68.228.121, 189.16.17.89 → 171.68.226.120, 22.78.190.64 → 171.68.226.121 and 172.16.19.90 → 171.68.226.120, shown repeated in every node's Prefix / Next-hop table before, and held once in the LISP Database as Prefix / RLOC after)
Fabric Fundamentals
What is Campus Fabric?

1. Fabric Basics
2. Control-Plane
3. Data-Plane
4. Policy-Plane
SD-Access Fabric
Key Components – VXLAN

1. Control-Plane based on LISP
2. Data-Plane based on VXLAN

ORIGINAL PACKET: ETHERNET | IP | PAYLOAD
PACKET IN LISP (Supports L3 Overlay): ETHERNET | IP | UDP | LISP | IP | PAYLOAD
PACKET IN VXLAN (Supports L2 & L3 Overlay): ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD
VXLAN-GPO Header – MAC-in-IP with VN ID & Group ID

Outer MAC Header (14 Bytes, Underlay):
• Dest. MAC (48 bits) – Next-Hop MAC Address
• Source MAC (48 bits) – Src VTEP MAC Address
• VLAN Type 0x8100 (16 bits) and VLAN ID (16 bits) – 4 Bytes, optional
• Ether Type 0x0800 (16 bits)

Outer IP Header (20 Bytes):
• IP Header Misc. Data (72 bits)
• Protocol 0x11 (UDP) (8 bits)
• Header Checksum (16 bits)
• Source IP (32 bits) – Src RLOC IP Address
• Dest. IP (32 bits) – Dst RLOC IP Address

UDP Header (8 Bytes):
• Source Port (16 bits) – Hash of inner L2/L3/L4 headers of original frame. Enables entropy for ECMP load balancing.
• Dest Port (16 bits) – UDP 4789
• UDP Length (16 bits)
• Checksum 0x0000 (16 bits)

VXLAN Header (8 Bytes, Overlay):
• VXLAN Flags RRRRIRRR (8 bits)
• Segment ID (16 bits) – Allows 64K possible SGTs
• VN ID (24 bits) – Allows 16M possible VRFs
• Reserved (8 bits)

Inner (Original) MAC Header
Inner (Original) IP Header
Original Payload
Fabric Fundamentals
What is Campus Fabric?

1. Fabric Basics
2. Control-Plane
3. Data-Plane
4. Policy-Plane
SD-Access Fabric
Key Components – CTS

1. Control-Plane based on LISP
2. Data-Plane based on VXLAN
3. Policy-Plane based on CTS

VRF + SGT: Virtual Routing & Forwarding plus Scalable Group Tagging, both carried in the VXLAN header
ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD
Cisco TrustSec
Simplified access control with Group Based Policy

Classification – Static or Dynamic SGT assignments at the Campus Switch (e.g. Employee Tag, Supplier Tag, Non-Compliant Tag, independent of VLAN A / VLAN B)
Propagation – Carry “Group” context through the network using only SGT (Enterprise Backbone)
Enforcement – Group Based Policies (ACLs, Firewall Rules) enforced at the DC Switch or Firewall in front of Shared Services and Application Servers; the DC switch receives policy from ISE for only what is connected
Packet Flow in SD-Access Fabric
VN & SGT in VXLAN-GPO Encapsulation

(Figure: Edge Node 1 performs Encapsulation, adding VXLAN with VN ID and SGT ID; the packet crosses the IP Network; Edge Node 2 performs Decapsulation)

Classification – Static or Dynamic VN and SGT assignments
Propagation – Carry VN and Group context across the network
Enforcement – Group Based Policies: ACLs, Firewall Rules
Controller Fundamentals
What is DNA Center?

1. DNAC Architecture
2. DNAC User Interface
3. DNAC Workflows
SD-Access
DNA Center – Service Components

DNA Center Appliance: DNA Center 1.0 (Design | Policy | Provision | Assurance), exposed through an API
Integrated via API: Cisco ISE 2.3 (Identity Services Engine), Cisco APIC-EM 2.0 (App Policy Infra Controller – EN Module), Cisco NDP 1.0 (Network Data Platform)
Southbound to the Campus Fabric (Cisco Switches | Cisco Routers | Cisco Wireless): NETCONF, SNMP, SSH (APIC-EM); AAA, RADIUS, EAPoL (ISE); HTTPS, NetFlow, Syslogs (NDP)
SD-Access Wireless: why would you care?

CUWN Architecture - Centralized
Overview

(Figure: WLC alongside AD, AAA, LDAP, IPAM, DNS, NTP, DHCP, MDM and SMTP; the WLC is the Policy Definition and Enforcement Point for Wi-Fi clients and the Single point of Ingress to the wired network; Client keeps the same IP address while roaming; Wireless VLANs are centrally defined; Guest traffic goes over an EoIP Tunnel to an Anchor WLC in the DMZ and on to the Internet; Switch 1 and Switch 2 (Traditional switches) are the Policy Definition and Enforcement Point for wired clients; Local mode AP (AP1) with SSID Employee and SSID Guest; CAPWAP Control & Data; Packet to wired)

Architecture Benefits:
• Overlay: works on any wired network
• Simplified Access switch configuration
• Single point of Ingress for wireless traffic
• Easy seamless mobility
• Simplified IP addressing for wireless
• Centralized Management
• Easy wireless Guest tunneling solution

Customers may NOT like:
• Limited scalability for East-West traffic
• Separated policies for wired and wireless
• Different enforcement point for wired and wireless
• Lack of visibility between WLC and APs
CUWN Architecture - FlexConnect
Overview

(Figure: WLC in the Data Center with AD, DNS, AAA, LDAP, IPAM, DHCP, NTP, MDM and SMTP provides Centralized Management for all branches; No Controller at the branch; Distributed Data plane; Flex mode AP on a dot1q trunk to Traditional switches; CAPWAP Control & Data across the WAN; SW DMZ to the Internet)

Architecture Benefits:
• Overlay: works on any wired network
• Centralized Management / Lean IT
• Branch cookie cutter configuration
• Distributed data plane
• Reduced hardware footprint at the branch
• Built-in resiliency (WAN survivability for locally switched traffic)

Customers may NOT like:
• Separated policies for wired and wireless
• Different enforcement point for wired and wireless
• No Layer 3 roaming support
• Limited seamless roaming scope (FlexConnect Group)
• Additional configuration on the access switch (trunk and allowed VLANs)
Converged Access Architecture
Overview

(Figure: CA Network with the WLC as Mobility Controller (MC) and switches as Mobility Agents (MA); the Switch is the Policy Enforcement for wired and wireless; for roaming, traffic is anchored back to the original switch over MA to MA tunnels; Guest Tunnel through the MC to an Anchor WLC in the SW DMZ over an EoIP tunnel and on to the Internet; Local mode AP with SSID Employee and SSID Guest; CAPWAP Control & Data; Packet to wired)

Architecture Benefits
• Distributed Data Plane: scalability
• One Policy enforcement point for wired
• Reduced HW footprint and less devices to manage (branch is the sweet spot)
• One common software
• Policies enforced at the edge
• Wireless traffic visibility at the edge
• Easy wireless Guest tunneling solution

Customers may NOT like:
• Distributed Management plane
• Multiple wireless touch points
• Wired and wireless software dependencies
• Anchoring solutions for seamless mobility
• Support for Local mode AP only
• Lack of feature parity with CUWN
What is the Problem?
Policy Model Today

Network Policy (Enterprise Network)
Packet fields: PAYLOAD DATA | DSCP | PROT | IP SRC | IP DST | SRC PORT | DST PORT

• QoS
• Security
• Redirect/copy
• Traffic engineering
• etc.

Policy is based on “5 Tuple”
• Only Transitive information
• Survives end to end
What is the Problem?
Policy Model Today

Network Policy as written today (Enterprise Network):

access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165
access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428
access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511
access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945
access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116
access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959
access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993
access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384

Packet fields: PAYLOAD DATA | DSCP | PROT | IP SRC | IP DST | SRC PORT | DST PORT

IP ADDRESSES – OVERLOAD (SSID A / B / C / D, VLAN 10 / 20 / 30 / 40; User/device info?)
§ Locate you
§ Identify you – “meaning”
§ Drive “treatment”
§ Constrain you
What is the Problem?
User Group policy rollout - Today

1. Define Groups in AD
2. Define Policies
   § VLAN/subnet based
3. Implement VLANs/Subnets
   § Create VLANs
   § Define DHCP scope
   § Create subnets and L3 interfaces
   § Routing for new subnets
   § Map SSID to Interface/VLAN
4. Implement Policy
   § Define ACLs
   § Apply ACLs
5. Many different User Interfaces
   AAA, WLC, Devices CLI

Multiple Steps and Touch Points …. What if You Need to Add Another Group & Policy?

(Figure: Production Servers, Developer Servers, AAA, DHCP and AD behind the LAN Core; L3 Switch, Trunk, WLAN, Trunks, L2 Switch; One SSID serving BYOD, Employee and Contractor)
What is the Problem?
User Group policy rollout - Today

Customer requirements:
§ Three user Groups
§ One single SSID
§ Differentiated policies per Group
§ Guest segmentation (wired and wireless)

§ Customer Policy requirements:
(Table: Customer Policy for Production Serv. and Developer Serv. against Employee, BYOD and Contractor)

(Figure: Production Servers, Developer Servers, AAA, DHCP and AD behind the LAN Core; L3 Switch, Trunk, WLC, Trunks, L2 Switch; Network Touch Points; One SSID serving BYOD, Employee and Contractor)
SD-Access Wireless Architecture
SD-Access Fabric Architecture – Roles and Terminology

§ DNA Controller – Enterprise SDN Controller provides GUI management abstraction via multiple Service Apps, which share information
§ Group Repository – External ID Services (e.g. ISE) is leveraged for dynamic User or Device to Group mapping and policy definition
§ Control-Plane (CP) Node – Map System that manages Endpoint ID to Location relationships. Also known as Host Tracking DB (HTDB)
§ Border Nodes – A Fabric device (e.g. Core) that connects External L3 network(s) to the SDA Fabric
§ Edge Nodes – A Fabric device (e.g. Access or Distribution) that connects wired endpoints to the SDA Fabric
§ Fabric Wireless Controller – Wireless Controller (WLC) that is fabric-enabled and participates in the Fabric LISP control plane
§ Fabric Mode APs – Access Points that are fabric-enabled. Wireless traffic is VXLAN encapsulated at the AP

(Figure: DNA Controller, Group Repository (ISE / AD), Fabric Mode WLC, Fabric Border nodes (B), Control-Plane Nodes (C), Intermediate Nodes (Underlay), Fabric Edge Nodes and Fabric Mode APs in the SD-Access Fabric)
SD-Access Wireless Architecture
Bringing the best of both architectures by...

1. Simplifying the Control & Management Plane
2. Optimizing the Data Plane
3. Integrating Policy & Segmentation E2E
SD-Access Wireless Architecture – 1. Simplifying the Control Plane

Automation
§ DNAC simplifies the Fabric deployment,
§ Including the wireless integration component

Centralized Wireless Control Plane
§ WLC still provides client session management
§ AP Mgmt, Mobility, RRM, etc.
§ Same operational advantages of CUWN

Fabric enabled WLC: WLC is part of LISP control plane
§ WLC integrates with LISP control plane
§ WLC updates the CP for wireless clients
§ Mobility is integrated in Fabric thanks to LISP CP

(Figure: DNAC (Policy Abstraction and Configuration Automation) with ISE / AD; CAPWAP Cntrl plane from the APs to the WLC; LISP control plane and Management between the WLC and the Control-Plane node (C); Border nodes (B); SD-Access Fabric)
SD-Access Wireless Architecture – 2. Optimizing the Data Plane

(Builds on the previous slide: the Automation, Centralized Wireless Control Plane and Fabric enabled WLC points are repeated, and a VXLAN Data plane from the APs is added)

Optimized Distributed Data Plane
§ Fabric overlay with Anycast GW + Stretched subnet
§ VLAN extension with no complications
§ All roaming is Layer 2
§ Carrying hierarchical policy segmentation starting from the edge of the network

Fabric enabled AP: AP encapsulates Fabric SSID traffic in VXLAN (VXLAN from the AP – Data Plane)
SD-Access Wireless Architecture – 2. Optimizing the Data Plane: Stretched subnets – A Closer Look

Fabric Mode AP integrates with the VXLAN Data Plane

Wireless Data Plane is distributed across APs
§ Fabric mode AP is a local mode AP and needs to be directly connected to FE
§ CAPWAP control plane goes to the WLC using Fabric
§ Fabric is enabled per SSID:
  • For Fabric enabled SSID, AP converts 802.11 traffic to 802.3 and encapsulates it into VXLAN, encoding the VNI and SGT info of the client
  • Forwards client traffic based on forwarding table as programmed by the WLC. Usually VXLAN DST is first hop switch.
§ AP applies all wireless specific features like SSID policies, AVC, QoS, etc.

(Figure: CAPWAP Control plane from the AP to the WLC; VXLAN (Data) from the AP into the Fabric)
SD-Access Wireless Architecture – 3. Simplifying policy and Segmentation

(Figure: wireless client on a Fabric Mode AP, Fabric Edges FE A and FE B, Border (B) and Control-Plane (C) nodes in the SD Fabric; VXLAN (Data) from the AP to FE A)

1. AP removes the 802.11 header
   802.11 | IP | IP payload → IP | IP payload

2. AP adds the 802.3/VXLAN/underlay IP header
   underlay IP | UDP | VXLAN | 802.3 | EID IP | IP payload
   APs embed the Policy information (Client SGT, Client VRF) in the VXLAN header and forward it.
   Hierarchical Segmentation:
   1. Virtual Network (VN) == VRF – isolated Control Plane + Data Plane
   2. Scalable Group Tag (SGT) – User Group identifier

3. FE removes the outer IP header, looks at the L2 VNID and maps it to the VLAN and L2 LISP instance. Then encapsulates to the destination FE. Client is placed in the right VRF.

4. FE removes the outer IP header, looks at the L2 VNID and maps it to the VLAN. Also looks at the SGT and applies the policy before forwarding the packet. Client Policy is carried end to end in the overlay; SGT policy is applied at the egress FE.
SD-Access Wireless Benefits
User Group policy rollout

1. Define Groups in AD
2. Design and Deploy in DNA-C
   § Create Virtual Network for Corporate
   § Define Policies
     • Role/Group based
   § Apply Policies
     • SGT based
3. Upon user authentication, Policy is automatically applied and carried end to end

(Figure: DNA Center as the single Touch Point; Production Serv. SGT 10 and Developer Serv. SGT 20; Corporate VN with Employee SGT 100, BYOD SGT 200 and Contractor SGT 300; One SSID serving BYOD, Employee and Contractor; fabric packet shown as VXN ID | Fabric HDR | Fabric SRC | Fabric DST | Original packet)
SD-Access Wireless Benefits
User Group policy rollout

(Same workflow as the previous slide: 1. Define Groups in AD; 2. Design and Deploy in DNA-C with Role/Group based policies applied SGT based; 3. Upon user authentication, Policy is automatically applied and carried end to end)

(Figure: DNA Center as the One Touch Point; Corporate VN with Employee SGT 100, BYOD SGT 200, Contractor SGT 300, Production Serv. SGT 10 and Developer Serv. SGT 20; an additional IoT/HVAC Virtual Network and a Guest Virtual Network; One SSID serving BYOD, Employee and Contractor)
What products make this Architecture?

SD-Access – Fabric Wireless
Platform Support (*with Caveats)

• 3504 WLC (NEW): AIR-CT3504; 1G/mGig; AireOS 8.5+
• 5520 WLC: AIR-CT5520; No 5508; 1G/10G SFP+; AireOS 8.5+
• 8540 WLC: AIR-CT8540; 8510 supported; 1G/10G SFP+; AireOS 8.5+
• Wave 2 APs: 1800/2800/3800; 11ac Wave2 APs; 1G/MGIG RJ45; AireOS 8.5+
• Wave 1 APs: 1700/2700/3700; 11ac Wave1 APs*; 1G RJ45; AireOS 8.5+
SD-Access Wireless
Design Considerations
Wireless Integration in SDA Fabric

CUWN wireless Over The Top (OTT)
(Figure: ISE / AD and APIC-EM; Non-Fabric WLC and Non-Fabric APs; CAPWAP Cntrl & Data carried across the SD-Access Fabric with Border (B) and Control-Plane (C) nodes)
§ CAPWAP for Control Plane and Data Plane
§ SDA Fabric is just a transport
§ Supported on any WLC/AP software and hardware
§ Migration step to full SDA

vs.

SD-Access Wireless
(Figure: ISE / AD and APIC-EM; Fabric enabled WLC and Fabric enabled APs; CAPWAP Cntrl plane to the WLC, VXLAN Data plane into the SD-Access Fabric with Border (B) and Control-Plane (C) nodes)
§ CAPWAP Control Plane, VXLAN Data plane
§ WLC/APs integrated in Fabric, SD-Access advantages
§ Requires software upgrade (8.5+)
§ Optimized for 802.11ac Wave 2 APs
CUWN Over the Top (OTT)
• Definition:
• Wireless OTT: a CAPWAP wireless overlay on top of the Fabric, i.e. a traditional CAPWAP deployment connected to the Fabric overlay. The Fabric is only a transport for CAPWAP.

• Why wireless OTT?
• Migration step: customers want/need to first migrate wired (different Ops teams managing wired and wireless, get familiar with Fabric, different buying cycles, etc.)
• Longer term solution: customer doesn't want/cannot migrate to Fabric (new software, no 802.11n, wireless too critical to make changes)

[Diagram: CAPWAP tunnel from a Non Fabric WLC across the SD-Access Fabric to a Non Fabric AP.]

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Key Takeaways
SDA for Mobility
Innovate Faster with Fabric-Enabled Wireless

Software Defined Wireless
§ Centralized management across wired-wireless
§ Secure Policy based Automation
§ Optimized distributed traffic flows for future scalability
§ Simplified enablement of Wi-Fi Services

[Diagram: DNA Center; Consistent Policy for Wired/Wireless; Seamless L2 roam across Campus; Policy stays with user.]

Simplified Provisioning | Optimized data plane with Campus-Wide Roaming | Easy end to end Virtualization and Segmentation | Wired and Wireless Policy Consistency

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 64
SD-Access Wireless
NDP and Assurance
Network quality is a complex, end-to-end problem

[Diagram: factors along the path from the Office site (APs, Mobile clients, Local WLCs) over the WAN to Network services (Cisco Prime, ISE, CUCM, DHCP) and the DC: Client firmware, Client density, RF Noise/Interf., AP coverage, WLC Capacity, Configuration, WAN Uplink usage, WAN QoS, Routing, ..., End-User services, Authentication, Addressing. Each factor is tagged Affects Join/Roam, Affects Quality/Throughput or Affects Both*.]

* Both = Join/roam and quality/throughput

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Components of DNA Assurance
Predict performance in wireless
Test your network anywhere at any time

• Synthetic tests on both network and application performance across wired and wireless network provide proactive monitoring capability
- Various options: AP as a sensor, XOR radio, Access point dedicated sensor (AP1800)
- Intelligent algorithm identifies excessive radios and transparently converts those into sensor mode without client effect

[Diagram: AP as a sensor; Flexible Radio (R1); Dedicated Sensor; Real clients; Sensors act as clients.]

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Wi-Fi analytics – building the network intuitive

• Crowdsource device telemetry to enable of network
• Automatically correlate client and network data to provide insights
• Deliver and faster resolution of issues

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Client as a sensor (IOS 10)

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Client as a sensor (IOS 11)

Sent from IOS 11
Device

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Client as a sensor (IOS 11)

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Key Takeaways
Software-Defined Access Summary
Manage Business Outcomes Instead of Managing the Network

Policy Automation
Use policy-based automated provisioning from edge to cloud.

Services Enablement
Quickly enable network services across a complete ecosystem

Network Analytics
Look at the entire network as a single entity and find problems before your users do.

Lower OpEx
DNAC automates the Design, Policy and Provision
Brownfield Integration for investment protection

Policy-based Automation | Complete Network Visibility | Fast, Easy Service Enablement

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 74
Thank you