TechWiseTV Workshop: Software-Defined Access
3 likes3,709 views
This document discusses Cisco's Software-Defined Access (SD-Access) solution. It provides an overview of the key components of SD-Access, including: - A control plane based on LISP that separates endpoint identity from location and consolidates routing tables. - A data plane based on VXLAN that uses virtual tunnel endpoints and an overlay network to provide mobility and remove topology limitations. - A policy plane based on Cisco TrustSec that implements security policies based on endpoint groups rather than individual IP addresses. SD-Access leverages these components to automate configuration, management, and policy across campus wired, wireless and WAN networks. The document also outlines the platform support and roles of different
TechWiseTV Workshop: Software-Defined Access
- 2. © 2017 Cisco and/or itsaffiliates. All rightsreserved. 2
- 3. © 2017 Cisco and/or itsaffiliates. All rightsreserved. Campus Fabric – Shipping Now CLI or API form of the new overlay Fabric solution for your enterprise Campus access networks. CLI approach provides backwards compatibility and customization, Box-by-Box. API approach provides automation via NETCONF / YANG. APIC-EM, ISE, NDP are all separate. BB What is SD-Access? Campus Fabric + DNA Center (Automation & Assurance) APIC-EM 1.X SD-Access – Available Aug 2017 GUI approach provides automation & assurance of all Fabric configuration, management and group-based policy. Leverages DNA Center to integrate external Service Apps, to orchestrate your entire LAN, Wireless LAN and WAN access network. Campus Fabric ISE NDP APIC-EM 2.0 ISE NDP DNA Center 3 C
- 4. © 2017 Cisco and/or itsaffiliates. All rightsreserved. APIC-EM ISE NDP Control-Plane Nodes – Map System that manages Endpoint to Device relationships Fabric Edge Nodes – A Fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SDA Fabric Identity Services – External ID Systems (e.g. ISE) are leveraged for dynamic Endpoint to Group mapping and Policy definition Fabric Border Nodes – A Fabric device (e.g. Core) that connects External L3 network(s) to the SDA Fabric Identity Services Intermediate Nodes (Underlay) Fabric Border Nodes Fabric Edge Nodes DNA Controller – Enterprise SDN Controller provides GUI management and abstraction via Service Apps, that share information DNA Controller Analytics Engine – External Data Collectors (e.g. NDP) are leveraged to analyze Endpoint to App flows and monitor fabric status Analytics Engine C Control-Plane Nodes B What is SD-Access? Fabric Roles & Terminology B Fabric Wireless Controller – A Fabric device (WLC) that connects Wireless Endpoints to the SDA Fabric 4 Fabric Wireless Controller Campus Fabric
- 5. © 2017 Cisco and/or itsaffiliates. All rightsreserved. SD-Access – Control-Plane Platform Support 5 Catalyst 9500 • Catalyst 9500 • 10/40G SFP/QSFP • 10/40G NM Cards • IOS-XE 16.6.1+ Catalyst 3K • Catalyst 3850 • 1/10G SFP • 10/40G NM Cards • IOS-XE 16.6.1+ Catalyst 6K • Catalyst 6800 • Sup2T/6T • 6880-X or 6840-X • IOS 15.5.1SY+ ASR1K, ISR4K & CSRv • CSRv • ASR 1000-X/HX • ISR 4430/4450 • IOS-XE 16.6.1+ NEW
- 6. © 2017 Cisco and/or itsaffiliates. All rightsreserved. SD-Access – Border Node Platform Support 6 Catalyst 9500 • Catalyst 9500 • 40G QSFP • 10/40G NM Cards • IOS-XE 16.6.1+ Nexus 7K • Nexus 7700 • Sup2E • M3 Cards • NXOS 7.3.2+ Catalyst 3K • Catalyst 3850 • 1/10G SFP+ • 10/40G NM Cards • IOS-XE 16.6.1+ ASR1K & ISR4K • ASR 1000-X/HX • ISR 4430/4450 • 1/10G/40G • IOS-XE 16.6.1+ Catalyst 6K • Catalyst 6800 • Sup2T/6T • 6880-X or 6840-X • IOS 15.5.1SY+ NEW
- 7. © 2017 Cisco and/or itsaffiliates. All rightsreserved. SD-Access – Edge Node Platform Support 7 Catalyst 9400 • Catalyst 9400 • Sup1E • 9400 Cards • IOS-XE 16.6.1+ Catalyst 4K • Catalyst 4500 • Sup8E/9E (Uplinks) • 4700 Cards (Down) • IOS-XE 3.10.1+ Catalyst 3K • Catalyst 3650/3850 • 1/MGIG RJ45 • 10/40G NM Cards • IOS-XE 16.6.1+ Catalyst 9300 • Catalyst 9300 • 1/MGIG RJ45 • 10/40/mG NM Cards • IOS-XE 16.6.1+ NEW NEW
- 8. © 2017 Cisco and/or itsaffiliates. All rightsreserved. SD-Access – Fabric Wireless Platform Support * Some caveats with Wave 1 APs. Check release notes. 8 Wave 2 APs • 1800/2800/3800 • 11ac Wave2 APs • 1G/mGIG RJ45 • AireOS 8.5+ 5500 WLC • AIR-CT5520 • No 5508 • 1G/10G SFP+ • AireOS 8.5+ 8500 WLC • AIR-CT8540 • 8510 supported • 1G/10G SFP+ • AireOS 8.5+ Wave 1 APs* • 1700/2700/3700 • 11ac Wave1 APs* • 1G RJ45 • AireOS 8.5+ 3504 WLC • AIR-CT3504 • 1G/mGig • AireOS 8.5+ NEW NEW
- 9. © 2017 Cisco and/or itsaffiliates. All rightsreserved. 1. Control-Plane based on LISP 2. Data-Plane based on VXLAN 3. Policy-Plane based on CTS SD-Access Key Components Key Differences • L2 + L3 Overlay -vs- L2 or L3 Only • Host Mobility with Anycast Gateway • Adds VRF + SGT into Data-Plane • Virtual Tunnel Endpoints (No Static) • No Topology Limitations (Basic IP)
- 10. © 2017 Cisco and/or itsaffiliates. All rightsreserved. Endpoint Routes are Consolidated to LISP DB Topology + Endpoint Routes BEFORE IP Address = Location + Identity Prefix Next-hop 189.16.17.89 …......171.68.226.120 22.78.190.64 ….....171.68.226.121 172.16.19.90 ….....171.68.226.120 192.58.28.128 …....171.68.228.121 189.16.17.89 …....171.68.226.120 22.78.190.64 ….....171.68.226.121 172.16.19.90 …......171.68.226.120 192.58.28.128 ….....171.68.228.121 189.16.17.89 …....171.68.226.120 22.78.190.64 ….....171.68.226.121 172.16.19.90 …......171.68.226.120 192.58.28.128 ….....171.68.228.121 189.16.17.89 ….....171.68.226.120 22.78.190.64 …......171.68.226.121 172.16.19.90 ….....171.68.226.120 192.58.28.128 ….....171.68.228.121 Prefix Next-hop 189.16.17.89 ….....171.68.226.120 22.78.190.64 ….....171.68.226.121 172.16.19.90 ….....171.68.226.120 192.58.28.128 …....171.68.228.121 189.16.17.89 …....171.68.226.120 22.78.190.64 ….....171.68.226.121 172.16.19.90 …......171.68.226.120 192.58.28.128 ….....171.68.228.121 189.16.17.89 …....171.68.226.120 22.78.190.64 ….....171.68.226.121 172.16.19.90 …......171.68.226.120 192.58.28.128 ….....171.68.228.121 189.16.17.89 ….....171.68.226.120 22.78.190.64 …......171.68.226.121 172.16.19.90 ….....171.68.226.120 192.58.28.128 ….....171.68.228.121 Prefix Next-hop 189.16.17.89 ….....171.68.226.120 22.78.190.64 ….....171.68.226.121 172.16.19.90 ….....171.68.226.120 192.58.28.128 …....171.68.228.121 189.16.17.89 …....171.68.226.120 22.78.190.64 ….....171.68.226.121 172.16.19.90 …......171.68.226.120 192.58.28.128 ….....171.68.228.121 189.16.17.89 …....171.68.226.120 22.78.190.64 ….....171.68.226.121 172.16.19.90 …......171.68.226.120 192.58.28.128 …......171.68.228.121 189.16.17.89 ….....171.68.226.120 22.78.190.64 …......171.68.226.121 172.16.19.90 ….....171.68.226.120 192.58.28.128 ….....171.68.228.121 Routing Protocols = Big Tables & More CPU with Local L3 Gateway Host Mobility Location ID Separation Protocol Map-Based On-Demand Host-Routing Mapping Database Only Local Routes Prefix RLOC 192.58.28.128 ….....171.68.228.121 189.16.17.89 ….....171.68.226.120 22.78.190.64 ….....171.68.226.121 172.16.19.90 ….....171.68.226.120 192.58.28.128 ….....171.68.228.121 192.58.28.128 ….....171.68.228.121 189.16.17.89 ….....171.68.226.120 22.78.190.64 ….....171.68.226.121 172.16.19.90 ….....171.68.226.120 192.58.28.128 ….....171.68.228.121 Prefix Next-hop 189.16.17.89 ….....171.68.226.120 22.78.190.64 ….....171.68.226.121 172.16.19.90 ….....171.68.226.120 192.58.28.128 …....171.68.228.121 Prefix Next-hop 189.16.17.89 ….....171.68.226.120 22.78.190.64 ….....171.68.226.121 172.16.19.90 ….....171.68.226.120 192.58.28.128 …....171.68.228.121 Prefix Next-hop 189.16.17.89 ….....171.68.226.120 22.78.190.64 ….....171.68.226.121 172.16.19.90 ….....171.68.226.120 192.58.28.128 …....171.68.228.121 AFTER Separate Identity from Location Topology Routes Endpoint Routes LISP DB + Cache = Small Tables & Less CPU with Anycast L3 Gateway 1. Control-Plane based on LISP
- 11. © 2017 Cisco and/or itsaffiliates. All rightsreserved. Map Server / Resolver • EID to RLOC Mappings • Can be distributed across multiple LISP devices Tunnel Router - XTR • Edge Devices Encap / Decap • Ingress / Egress (ITR / ETR) Proxy Tunnel Router - PXTR • Connects between LISP and non-LISP domains • Ingress / Egress (PITR / PETR) EID = End-point Identifier • Host Address or Subnet RLOC = Routing Locator • Local Router Address Prefix Next-hop w.x.y.1 e.f.g.h x.y.w.2 e.f.g.h z.q.r.5 e.f.g.h z.q.r.5 e.f.g.h Non-LISP RLOC Space EID RLOC a.a.a.0/24 w.x.y.1 b.b.b.0/24 x.y.w.2 c.c.c.0/24 z.q.r.5 d.d.0.0/16 z.q.r.5 EID RLOC a.a.a.0/24 w.x.y.1 b.b.b.0/24 x.y.w.2 c.c.c.0/24 z.q.r.5 d.d.0.0/16 z.q.r.5 EID RLOC a.a.a.0/24 w.x.y.1 b.b.b.0/24 x.y.w.2 c.c.c.0/24 z.q.r.5 d.d.0.0/16 z.q.r.5 Locator / ID Separation Protocol LISP Roles & Responsibilities EID Space Map System EID Space ETR ITR PXTR 11
- 12. © 2017 Cisco and/or itsaffiliates. All rightsreserved. SD-Access Fabric Key Components – Virtual eXtensible LAN ORIGINAL PACKET PAYLOADETHERNET IP PACKET IN LISP PAYLOADIPLISPUDPIPETHERNET PAYLOADETHERNET IPVXLANUDPIPETHERNET PACKET IN VXLAN Supports L2 & L3 Overlay Supports L3 Overlay 1. Control-Plane based on LISP 2. Data-Plane based on VXLAN
- 13. © 2017 Cisco and/or itsaffiliates. All rightsreserved. VXLAN-GPO Header MAC-in-IPwith VN ID & Group ID Underlay Outer IP Header Outer MAC Header UDP Header VXLAN Header Overlay 14 Bytes (4 Bytes Optional) Ether Type 0x0800 VLAN ID VLAN Type 0x8100 Source MAC Dest. MAC 48 48 16 16 16 20 Bytes Dest. IP Source IP Header Checksum Protocol 0x11 (UDP) IP Header Misc.Data 72 8 16 32 32 8 Bytes Checksum 0x0000 UDP Length Dest Port Source Port 16 16 16 16 8 Bytes Reserved VN ID Segment ID VXLAN Flags RRRRIRRR 8 16 24 8 Src VTEP MAC Address Next-Hop MAC Address Allows 16M possible VRFs UDP 4789 Hash of inner L2/L3/L4 headers of original frame. Enables entropy for ECMP load balancing. Inner (Original) IP Header Original Payload Inner (Original) MAC Header Allows 64K possible SGTs Dst RLOC IP Address Src RLOC IP Address 13
- 14. © 2017 Cisco and/or itsaffiliates. All rightsreserved. PAYLOADETHERNET IPVXLANUDPIPETHERNET SD-Access Fabric Key Components – Cisco TrustSec VRF + SGT Virtual Routing & Forwarding Scalable Group Tagging 1. Control-Plane based on LISP 2. Data-Plane based on VXLAN 3. Policy-Plane based on CTS
- 15. © 2017 Cisco and/or itsaffiliates. All rightsreserved. Cisco TrustSec Simplified access control with Group Based Policy VLAN BVLAN A Campus Switch DC Switch or Firewall Application Servers ISE Enterprise Backbone Enforcement Campus Switch Voice Employee Supplier Non-CompliantVoiceEmployeeNon-Compliant Shared Services Employee Tag Supplier Tag Non-Compliant Tag DC switch receives policy for only what is connected Classification Static or Dynamic SGT assignments Propagation Carry “Group” context through the network using only SGT Enforcement Group Based Policies ACLs, Firewall Rules 15
- 16. © 2017 Cisco and/or itsaffiliates. All rightsreserved. Packet Flow in Fabric VXLAN Encapsulation IP Network Edge Node 1 Edge Node 2 Encapsulation Decapsulation VXLAN VN ID SGT ID VXLAN VN ID SGT ID Propagation Carry VN and Group context across the network Enforcement Group Based Policies ACLs, Firewall Rules Classification Static or Dynamic VN and SGT assignments 16
- 17. © 2017 Cisco and/or itsaffiliates. All rightsreserved. Cisco APIC-EM 2.0 App Policy Infra Controller –EN Module Cisco ISE 2.3 Identity Services Engine Cisco NDP 1.0 Network Data Platform Cisco Switches |Cisco Routers | Cisco Wireless DNA Center 1.0 AAA RADIUS EAPoL HTTPS NetFlow Syslogs NETCONF SNMP SSH API API API API API Campus Fabric SD-Access DNA Center – Service Components Design | Provision | Policy | Assurance 17
- 18. © 2017 Cisco and/or itsaffiliates. All rightsreserved. Policy • Virtual Networks • ISE, AAA, Radius • Endpoint Groups • Group Policies As s ure Design • Global Settings • Site Profiles • DDI, SWIM, PNP • User Access Provision • Fabric Domains • CP, Border, Edge • FEW / OTT WLAN • External Connect Assurance • Network Health • 360o Views • FD, Device, Client • Path Traces Planning & Preparation Installation & Integration 18 As s ure As s ure Prov is ion As s ure DNA Center SD-Access 4 Step Workflow
- 19. © 2017 Cisco and/or itsaffiliates. All rightsreserved. The First Step… 19
- 20. Thank you for watching!