The document discusses Cisco's Software Defined Access (SDA) and intent-based networking solutions. It highlights how SDA and the Cisco DNA Center simplify network design, provisioning, policy implementation and assurance through automation and analytics. Traditional networks are complex to manage and secure, while SDA provides a more flexible, software-driven approach through centralized management and segmentation based on user identity rather than network topology.
This is a typical campus network that many of our customers, and you, will be familiar with.
[Build slide up showing different layers, protocols, policy, management, controller etc…]
Whilst the network is critical for every business and offers powerful features, enterprise networks are complex, and we have tied policy to an IP address. That is why you build with VLANs, per switch, you put subnets against ACLs, you implement Spanning Tree and then HSRP, VSS, and the list goes on…
And there we see it. Very powerful and feature rich but:
Complex to operate
Difficult to scale
Difficult to secure
Inflexible and closed architecture
And you manage it all with CLI…
In Cisco’s view, a complete intent-based network (Figure 1) needs to deliver on 3 essential functions:
Translation: The Translation function is about the characterization of intent. It enables network operators to express intent in a declarative and flexible manner, expressing what the expected networking behavior is that will best support the business objectives, rather than how the network elements should be configured to achieve that outcome. The captured intent then needs to be interpreted into policies that can be applied across the network.
Activation: The Activation function installs these policies into the physical and virtual network infrastructure using a network-wide automation engine.
Assurance: In order to continuously check that the expressed intent is honored by the network at any point in time, the Assurance function maintains a continuous validation-and-verification loop. Context derived from telemetry data is used to check alignment of operation with intent.
For many enterprises, the evolution to a fully intent-based network will be a journey, requiring a combination of new technologies and process changes.
The full potential of intent-based networking is recognized when deployed across all network domains, including data center, campus, branch, and WAN.
Cisco’s solutions help customers achieve end-to-end intent-based networking based on Cisco’s open platform and third-party technologies.
Data Center
Cisco Network Assurance Engine (NAE)
Provides always-on assurance for data centers. NAE predicts the impact of changes, proactively verifies network behavior, and helps assure policy and compliance.
Cisco Application Centric Infrastructure (Cisco ACI)
Policy-based automated network fabric, covering the translation and deployment phases of the intent-based network framework.
Cisco Tetration platform
Dramatically improves data center security by enabling zero-trust operations and real-time visibility. Using behavior-based application insights and machine learning, it provides customers with a whitelist policy model, enabling segmentation through automated policy enforcement.
Enterprise Networks
Cisco Digital Network Architecture (Cisco DNA)
Intent-based networking platform for enterprise campus and WAN environments, providing automation and analytics for wired and wireless, software-defined access, and software-defined WAN domains. Cisco’s Identity Services Engine (ISE) provides identity-based policy and rich contextual information.
Cisco Services [this should be the same level as DC and EN above]
New Cisco Services help you accelerate network assurance, gain analytical insight, improve productivity, and lower risk by leveraging our unique expertise, best practices, innovative tools, and business and IT insights.
Learn more about intent-based networking
https://www.cisco.com/go/intentbasednetworking
There are 2 main components of SD-Access: Campus Fabric + DNA Center.
Campus Fabric is all of the features and protocols (control plane, data plane, policy plane) used to operate the network infrastructure.
DNA Center provides all of the wired & wireless automation & assurance aspects, along with Cisco ISE for security aspects.
If you manage the solution via the CLI or API, it is considered Campus Fabric.
If you manage the Campus Fabric with DNA Center, it is SD-Access!
Traditional segmentation is based on topology: VLANs, subnets, VRFs, and statically configured access control lists (ACLs).
When you create a VLAN, you can certainly isolate endpoints, as long as you configure those VLANs so that they do not communicate. A VLAN is easy to set up in the lab. But in the real world, when you set up an additional VLAN to implement a security policy, you are not adding just one VLAN: you need the same VLAN per floor, per building, and per location. Adding a VLAN involves further adjustments to the topology. You have to make sure that you have enough address space for those VLANs, change the DHCP pools (and possibly DNS), probably add the VLAN to gateway redundancy such as HSRP, and add the segments to the routing. After all of that additional work, you use a VACL or an L3 IP ACL, statically, to enforce the traffic policy, and you have to make sure you have enough TCAM space on the box. And you keep adding ACLs again, and again, and again…
We have seen customers trying to understand what the thousands of lines of ACLs on their routers actually do, because an IP address does not tell you exactly what is behind it. Even after servers or applications are decommissioned, you keep those ACLs, because you do not know exactly what kind of security hole removing them would open.
With TrustSec, you can simply leverage your customer’s existing VLAN design.
We simply assign an SGT (Security Group Tag) to the endpoints (to the destination as well as the source) and use that tag information to enforce traffic policy. ISE automates the whole ACL provisioning process: when a device connects, the switch asks ISE what policy applies to this endpoint, and if a policy exists, the switch receives it automatically, right away.
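To make the two approaches above concrete (the per-building ACL growth and the identity-bound SGT policy that ISE pushes to the switch), here is an added Python model; it is an illustration written for this page, not Cisco or ISE code, and the addresses, SGT numbers, roles and policy matrix are constructed sample data.

```python
# Topology-based (IP ACL) vs identity-based (SGT/SGACL) enforcement, modelled in Python.
# Added illustration, not Cisco or ISE code; addresses, SGTs, roles and the policy
# matrix are constructed sample data.
import ipaddress

# Identity -> Security Group Tag, as ISE would hand to the switch at authentication time.
SGT_BY_ROLE = {"employee": 10, "contractor": 20, "hr_server": 100}
# SGACL matrix keyed on (source SGT, destination SGT); unlisted pairs are denied.
SGACL = {(10, 100): "permit", (20, 100): "deny"}
HR_SERVER = "10.9.0.10"

def ip_acl_for_sites(sites):
    """Static IP ACL for the given buildings: one employee and one contractor subnet
    per building (10.<site>.10.0/24, 10.<site>.20.0/24), each needing its own line."""
    acl = []
    for site in sites:
        acl.append((f"10.{site}.10.0/24", HR_SERVER + "/32", "permit"))  # employee VLAN
        acl.append((f"10.{site}.20.0/24", HR_SERVER + "/32", "deny"))    # contractor VLAN
    return acl

def ip_acl_decision(src_ip, dst_ip, acl):
    """First matching (src, dst) entry decides; no match means implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_cidr, dst_cidr, action in acl:
        if src in ipaddress.ip_network(src_cidr) and dst in ipaddress.ip_network(dst_cidr):
            return action
    return "deny"

def sgacl_decision(src_role, dst_role, matrix=SGACL):
    """Policy follows the tag bound to the identity, not the address it happens to have."""
    return matrix.get((SGT_BY_ROLE[src_role], SGT_BY_ROLE[dst_role]), "deny")

def roaming_employee():
    """An employee authenticates in building 1, then in building 2 (new VLAN, new IP).
    The IP ACL was written for building 1 only; the SGACL needs no change."""
    acl = ip_acl_for_sites([1])
    return {
        "building1": (ip_acl_decision("10.1.10.5", HR_SERVER, acl), sgacl_decision("employee", "hr_server")),
        "building2": (ip_acl_decision("10.2.10.5", HR_SERVER, acl), sgacl_decision("employee", "hr_server")),
    }

def policy_size(sites):
    """IP ACL lines needed for `sites` buildings vs. cells in the SGACL matrix."""
    return len(ip_acl_for_sites(range(1, sites + 1))), len(SGACL)

if __name__ == "__main__":
    print(roaming_employee())  # building2: IP ACL falls to implicit deny, SGACL still permits
    print(policy_size(20))     # (40, 2)
```

The roaming case is the one operators hit in practice: the employee's access silently breaks in building 2 until another ACL line is added, while the SGT decision is identical in both buildings.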
All of this change (mobile, VDI, cloud) is real and is coming now. To reduce your costs, you need to look at your WAN bandwidth costs, because that is where the money is being spent! So let’s talk about what we can do to manage that...
What’s great about SDA is that you can get started today.
@ C3K – Includes all models of C3650 & 3850 (copper) family, with C3K scale & features (UADP 1.0 or 1.1)
@ C9K – Includes all models of C9300 & 9400 (copper) family, with C9K scale & features (UADP 2.0)
@ C4K – Includes all models of C4500-E series chassis. C4500-E requires Sup8E or Sup9E uplinks for fabric encap (FPGA on Sup only). Other cards (e.g. WS-X4700) can be used for non-fabric connections (outside).
@ C6K – Includes C6880-X and all models of C6840-X-LE family. Includes all models of C6500-E series chassis. C6807-XL / 6500-E requires Sup2T or Sup6T, with C6800 10G or WS-X6900 cards for fabric encap (FPGA on PFC4/DFC4). Other cards (e.g. WS-X6700) can be used for non-fabric connections (outside).
@ ASR1K – Only X or HX series. Includes 1001-X or 1002-X. Does not include other/older ASR1000 (non-X) series.
@ ISR4K – Only 4400 series. Includes 4431 and 4451. Does not include other/older models of ISR (e.g. G2) series.
NOTE: CSRv and ISRv (IOS CSR / ISR virtual machines) are also an option, but are not currently listed due to inherent underlay/reachability complexities (between the network [RLOC] and a remote CP node [e.g. via DC]).
@ N7K – Includes all models of N7700 series chassis. Does not include N7000 series. N7700 requires Sup2E, with M3 cards for fabric encap (F3 SOC 2.0). Other cards (e.g. F3) can be used for non-fabric connections (outside).
SLIDE 4: Catalyst 9000
While our intent-driven IOS software can be deployed on existing equipment to transform deployed networks, we are also announcing a new lineup of our award-winning Catalyst campus switches: the 9000 series.
Built from the ground up for the world of cloud, IoT, mobility and Advanced Persistent Threats, these platforms are the most advanced enterprise switches in the world.
-----------------------------------------------------------
Key innovations include:
Programmable: High-performance, programmable ASICs. Cisco’s own ASIC for maximum performance and feature richness. It’s programmable to adapt to future innovations, a breakthrough in silicon technology.
Integrated Security: Rapid threat detection with Encrypted Traffic Analytics. We’ll say more about this later – the ability for the network to find and block the most sophisticated cyber-attacks.
IoT Ready: Instantly discover, onboard, and automatically segment IoT traffic. Built for IoT and the huge diversity of devices that will connect to enterprise networks. The ability to automatically configure the network for security – separating IoT devices from other traffic.
Mobile Ready: Built-in wired and wireless controller.
Cloud Ready: Secure access to cloud apps and third-party app hosting. These platforms are built for extensibility and open computing. They can host third-party applications on a built-in x86 compute complex, allowing our customers to run their applications in containers or virtual machines. We can now extend the cloud all the way to the user.
Design: With these platforms we’ve taken a user-centered design approach every step of the way, from the software design to the operations to even the hardware design. The physical chassis have been designed and engineered by the famous Italian design firm Pininfarina to make them easy to install and maintain.
How should customers implement our vision for a more intuitive network? Through a phased approach.
Infrastructure Readiness – To get to the network intuitive, you need to have the right infrastructure foundation in place, one that is flexible, available, secure, and scalable. The Cisco infrastructure provides an open and programmable infrastructure which enables the powerful software-driven value around security, automation, and analytics.
Secure Foundation - The enterprise has become a loosely coupled collection of networks and clouds, the business actors have changing roles. This is why the cloud-agile network we envision needs to rely on a flexible, powerful policy model, and pervasively deliver security everywhere to support a network as a sensor/enforcer.
Policy Based Automation – the concept of a digital business wouldn’t even exist without the universal connectivity we have so successfully delivered on. Our networks are the engines that connect digital businesses to their customers, and we are looking to automate everywhere we can with our APIC-EM controller strategy to simplify and speed up IT. With automation, business intent can be translated into network configurations immediately and dynamically. Network services like IWAN can use bandwidth more efficiently, and EasyQoS can dynamically update the network for application prioritization.
Analytics for Assurance - With DNA Center automation, analytics and assurance, only Cisco combines analytics and network automation into a single, closed-loop network management solution to power the self-driving network. Actionable insights from DNA Analytics and Assurance are driven by 30 years of Cisco domain expertise.
This foundation delivers a more intuitive network, a network that is constantly learning, adapting and protecting. The NETWORK. INTUITIVE.