
Conference 2018

Next Generation Campus Architectures
Based on Software Defined Networking
Robert Barton, Principal Systems Engineer
Cisco
Unprecedented Demands on the Network

Digital Disruption: 63 million new devices online every second by 2020 [1]
  -> Lack of Business and IT Insights
Complexity: 3X spend on network operations vs network [2]
  -> Slow and Error Prone Operations
Security: 6 months to detect breach [3]
  -> Unconstrained Attack Surface

1. Gartner Report - Gartner's 2017 Strategic Roadmap for Networking
2. McKinsey Study of Network Operations for Cisco - 2016
3. Ponemon Research Institute Study on Malware Detection, Mar 2016

Key Challenges for Traditional Networks

Difficult to Segment
  - Ever increasing number of users and endpoint types
  - Ever increasing number of VLANs and IP Subnets
Complex to Manage
  - Multiple steps, user credentials, complex interactions
  - Multiple touch-points
Slower Issue Resolution
  - Separate user policies for wired and wireless networks
  - Unable to find users when troubleshooting

Traditional Networks Cannot Keep Up!

Rewriting the Networking Playbook

Hardware centric              -> Software driven (SDN)
Manual Configuration          -> Automated and end-to-end
Silo'd Security and Policies  -> Integrated Security / Policy
Network Monitoring            -> Analytics and Insights

Software-Defined Access (SDA)

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Software Defined Access (SDA):
The Campus Fabric + DNA-Center

[Figure: DNA Center sits above the Campus Fabric and combines Programmability (APIC-EM 1.X), Policy (ISE) and Analytics (NDP) under SD-Access; the fabric diagram shows its B (border) and C (control-plane) nodes.]

§ DNA-Center GUI approach provides automation & assurance of all Fabric configuration, management and group-based policy.
§ Leverages DNA Center to integrate external Service Apps, to orchestrate your entire LAN, Wireless LAN and WAN access network.
§ A new paradigm for campus network based on overlay technologies and agile security policy.

Software Defined Access (SDA)
What exactly is a Fabric?

A Fabric is an Overlay
• An Overlay network is a logical topology used to virtually connect devices, built on top of some arbitrary physical Underlay topology.
• An Overlay network often uses alternate forwarding attributes to provide additional services not provided by the Underlay.

Examples of Network Overlays
• GRE or mGRE
• MPLS or VPLS
• IPSec or DMVPN
• CAPWAP
• LISP
• OTV
• DFA
• ACI
SD-Access
Fabric Terminology

[Figure: the Overlay Network, with its own Overlay Control Plane, is carried in an Encapsulation between Edge Devices; Hosts (End-Points) attach to the Edge Devices; the Underlay Network, with its own Underlay Control Plane, transports the encapsulated traffic between the Edge Devices.]

SD-Access
Campus Fabric - Key Components

1. Control-Plane based on LISP (RFC 6830)
2. Data-Plane based on VXLAN (RFC 7348)
3. Policy-Plane based on CTS (Cisco TrustSec Scalable Group Tags). The original slide cites "RFC 3514" here; that document is the April 1st "Security Flag in the IPv4 Header" (evil bit) joke RFC, and TrustSec/SGT is not defined by any RFC.

SD-Access Fabric
Key Components – LISP

1. Control-Plane based on LISP

BEFORE: Routing Protocols = Big Tables & More CPU, with Local L3 Gateway
  - IP Address = Location + Identity
  - Every router carries Topology + Endpoint Routes

AFTER: LISP DB + Cache = Small Tables & Less CPU, with Anycast L3 Gateway
  - Separate Identity from Location
  - Edge devices keep Only Local Routes; the underlay keeps Topology Routes only
  - Endpoint Routes are Consolidated into the LISP Mapping Database (Prefix -> RLOC)
  - Host Mobility: an endpoint keeps its identity (EID) when it moves; only its location (RLOC) mapping changes

[Figure: "before", the same Prefix / Next-hop table (189.16.17.89, 22.78.190.64, 172.16.19.90, 192.58.28.128 -> 171.68.226.120, 171.68.226.121, 171.68.226.120, 171.68.228.121) is repeated on every router; "after", one Prefix / RLOC Mapping Database holds the endpoint entries and each edge keeps only a small local cache.]

Locator / ID Separation Protocol
LISP Mapping System

LISP "Mapping System" is analogous to a DNS lookup

‒ DNS resolves IP Addresses for a queried Name: answers the "WHO IS" question
    Host -> DNS Server:   [ Who is lisp.cisco.com ] ?
    DNS Server -> Host:   [ Address is 153.16.5.29, 2610:D0:110C:1::3 ]
    (DNS: Name-to-IP / URL Resolution)

‒ LISP resolves Locators for queried Identities: answers the "WHERE IS" question
    LISP Router -> LISP Map System:   [ Where is 2610:D0:110C:1::3 ] ?
    LISP Map System -> LISP Router:   [ Locator is 128.107.81.169, 128.107.81.170 ]
    (LISP: ID-to-Locator / Map Resolution)

Locator / ID Separation Protocol
LISP Roles & Responsibilities

Map Server / Resolver
• Holds the EID to RLOC Mappings
• Can be distributed across multiple LISP devices

Tunnel Router - XTR
• Edge Devices that Encap / Decap
• Ingress / Egress (ITR / ETR)

Proxy Tunnel Router - PXTR
• Connects between LISP and non-LISP domains
• Ingress / Egress (PITR / PETR)

• EID = End-point Identifier: Host Address or Subnet
• RLOC = Routing Locator: Local Router Address

[Figure: EID spaces sit behind ITR/ETR tunnel routers, a PXTR faces the non-LISP RLOC space, and the Map System holds the table below.]
  EID          RLOC
  a.a.a.0/24   w.x.y.1
  b.b.b.0/24   x.y.w.2
  c.c.c.0/24   z.q.r.5
  d.d.0.0/16   z.q.r.5
The non-LISP side keeps only an ordinary Prefix / Next-hop table (w.x.y.1, x.y.w.2, z.q.r.5 -> e.f.g.h).
Locator / ID Separation Protocol
How does LISP operate?

[Figure: source S (10.1.0.1, site 10.1.0.0/24) behind ITR 1.1.1.1; destination D (10.2.0.1, Campus 10.2.0.0/24) behind ETRs 2.1.1.1 and 2.1.2.1; a further site behind ETRs 3.1.1.1 and 3.1.2.1; Mapping System nodes 5.1.1.1, 5.2.2.2, 5.3.3.3; a PXTR towards the Non-LISP Branch and other Non-LISP sites.]

1. S resolves the destination by DNS. DNS Entry: D.abc.com A 10.2.0.1
2. S sends 10.1.0.1 -> 10.2.0.1; the ITR (1.1.1.1) has no mapping for 10.2.0.1 and asks the Mapping System
3. Mapping Entry returned:
     EID-prefix: 10.2.0.1/32
     Locator-set:
       2.1.1.1, priority: 1, weight: 50 (D1)
       2.1.2.1, priority: 1, weight: 50 (D2)
   Path Preference is Controlled by the Destination Site (its ETRs register the priorities and weights)
4. The ITR encapsulates: outer 1.1.1.1 -> 2.1.1.1 around inner 10.1.0.1 -> 10.2.0.1, across the IP Network
5. ETR 2.1.1.1 decapsulates and delivers 10.1.0.1 -> 10.2.0.1 to D in the Campus

Locator / ID Separation Protocol
Host Mobility

[Figure: DC1 (10.10.10.0/24) behind xTRs 12.0.0.1 / 12.0.0.2; Campus Bldg 1 behind xTRs 12.1.1.1 / 12.1.1.2; Campus Bldg 2 behind xTRs 12.2.2.1 / 12.2.2.2; the Mapping System in the IP Network core.]

Mapping Database before the move:
  10.10.0.0/16   – 12.0.0.1
  10.17.0.0/16   – 12.1.1.1
  10.17.0.0/16   – 12.2.2.1
  10.17.1.10/32  – 12.1.1.1

Host 10.17.1.10 moves from Campus Bldg 1 to Campus Bldg 2:
1. The Bldg 2 xTR detects the host and installs 10.17.1.10/32 – Local (its table already held 10.17.2.0/24 – Local and 10.17.1.0/24 – LISP0)
2. It sends a Map Register: EID 10.17.1.10/32, RLOC 12.2.2.1
3. The Mapping Database entry becomes 10.17.1.10/32 – 12.2.2.1
4. On the Bldg 1 xTR (10.17.1.0/24 – Local), the 10.17.1.10/32 – Local entry is replaced by 10.17.1.10/32 – LISP0
5. Remote xTRs such as DC1 (12.0.0.1) keep 10.17.1.0/24 – LISP0 and 10.17.1.10/32 – LISP0 and learn the new RLOC 12.2.2.1 from the Mapping System; the host's subnet and address never change
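The two LISP slides above (map resolution with a locator set, then host mobility) are easier to follow with the control plane in code. The following is an added example written for this page, not Cisco code or anything the deck ships: a toy Map-Server/Resolver, an ETR that sends authenticated Map-Registers, and an ITR that resolves, caches and encapsulates. The addresses follow the slides (10.17.1.10 moving from xTR 12.1.1.1 to xTR 12.2.2.1); the shared key, the HMAC message layout, and the class and function names are assumptions. The security point it makes is why the Map-Register must be authenticated: without that check, any device on the RLOC network could re-point an EID and receive its traffic.

```python
"""Toy LISP control plane: authenticated Map-Register, Map-Resolve with longest-prefix
match, RLOC choice by priority/weight, and host mobility. Added example; the key,
message layout and class names are assumptions, not IOS or RFC 6830 code."""
import hashlib
import hmac
import ipaddress


def register_auth(key: bytes, eid: str, locators) -> bytes:
    """Map-Register authentication data: HMAC-SHA-256 truncated to 128 bits over the
    EID-prefix and locator set (simplified; RFC 6830 hashes the whole message)."""
    msg = f"{eid}|{sorted(locators)}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


def _longest_match(table: dict, host: str):
    """Most specific prefix in `table` covering `host`, or None."""
    addr = ipaddress.ip_address(host)
    covering = [n for n in table if addr in n]
    return max(covering, key=lambda n: n.prefixlen) if covering else None


class MappingSystem:
    """Map-Server/Resolver: EID-prefix -> [(RLOC, priority, weight), ...]."""

    def __init__(self, register_key: bytes):
        self.key = register_key
        self.db = {}

    def map_register(self, eid: str, locators, auth: bytes) -> None:
        # Without this check anyone reachable on the RLOC network could re-point an
        # EID to itself; compare_digest keeps the comparison constant-time.
        if not hmac.compare_digest(auth, register_auth(self.key, eid, locators)):
            raise PermissionError(f"Map-Register for {eid} rejected: bad authentication")
        self.db[ipaddress.ip_network(eid, strict=False)] = list(locators)

    def map_resolve(self, eid_host: str):
        """Map-Reply for a host EID: (prefix, locator set), or None for non-LISP space."""
        prefix = _longest_match(self.db, eid_host)
        return None if prefix is None else (prefix, self.db[prefix])


class Etr:
    def __init__(self, ms: MappingSystem, rloc: str, key: bytes):
        self.ms, self.rloc, self.key = ms, rloc, key

    def register(self, eid: str, locators=None) -> None:
        locators = locators or [(self.rloc, 1, 100)]
        self.ms.map_register(eid, locators, register_auth(self.key, eid, locators))


class Itr:
    def __init__(self, ms: MappingSystem, rloc: str):
        self.ms, self.rloc, self.cache = ms, rloc, {}

    @staticmethod
    def select_rloc(locators, flow: str) -> str:
        """Lowest priority value wins; equal-priority RLOCs share load by weight.
        A flow hash (not random) keeps one flow pinned to one RLOC."""
        best = min(p for _, p, _ in locators)
        cands = [(r, w) for r, p, w in locators if p == best and w > 0]
        point = int(hashlib.sha256(flow.encode()).hexdigest(), 16) % sum(w for _, w in cands)
        for rloc, weight in cands:
            if point < weight:
                return rloc
            point -= weight

    def map_cache_lookup(self, eid_host: str):
        prefix = _longest_match(self.cache, eid_host)
        if prefix is None:
            reply = self.ms.map_resolve(eid_host)
            if reply is None:
                return None
            prefix, locators = reply
            self.cache[prefix] = locators
        return self.cache[prefix]

    def solicit_map_request(self, eid_host: str) -> None:
        """What an SMR / Map-Notify triggers after a move: drop the stale entry, re-query."""
        stale = _longest_match(self.cache, eid_host)
        if stale is not None:
            del self.cache[stale]
        self.map_cache_lookup(eid_host)

    def encapsulate(self, src_eid: str, dst_eid: str):
        """Outer RLOC header around the inner EID packet (step 4 on the slide)."""
        locators = self.map_cache_lookup(dst_eid)
        if locators is None:
            return None  # non-LISP destination: native forwarding or PITR/PETR
        return {"outer": (self.rloc, self.select_rloc(locators, f"{src_eid}->{dst_eid}")),
                "inner": (src_eid, dst_eid)}


def host_mobility_demo():
    """DC ITR's encapsulation toward 10.17.1.10 before and after the host moves."""
    key = b"site-map-register-key"                      # assumed pre-shared key
    ms = MappingSystem(key)
    bldg1, bldg2 = Etr(ms, "12.1.1.1", key), Etr(ms, "12.2.2.1", key)
    bldg1.register("10.17.0.0/16", [("12.1.1.1", 1, 50), ("12.2.2.1", 1, 50)])
    bldg1.register("10.17.1.10/32")                     # host is in Bldg 1
    dc = Itr(ms, "12.0.0.1")
    before = dc.encapsulate("10.10.10.5", "10.17.1.10")
    bldg2.register("10.17.1.10/32")                     # host moved: Bldg 2 re-registers the /32
    dc.solicit_map_request("10.17.1.10")
    after = dc.encapsulate("10.10.10.5", "10.17.1.10")
    return before, after


def rogue_register_rejected(ms: MappingSystem) -> bool:
    """An xTR without the site key cannot hijack an EID (constructed attacker RLOC)."""
    locs = [("198.51.100.9", 1, 100)]
    try:
        ms.map_register("10.17.1.10/32", locs, register_auth(b"wrong-key", "10.17.1.10/32", locs))
    except PermissionError:
        return True
    return False
```

`host_mobility_demo()` returns outer headers `("12.0.0.1", "12.1.1.1")` before the move and `("12.0.0.1", "12.2.2.1")` after, with the inner 10.10.10.5 -> 10.17.1.10 packet untouched, which is the whole point of separating identity from location.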

VXLAN Data Plane and Policy / Security Plane

SD-Access Fabric
Key Components – VXLAN

1. Control-Plane based on LISP
2. Data-Plane based on VXLAN

ORIGINAL PACKET:   | ETHERNET | IP | PAYLOAD |

PACKET IN LISP:    | ETHERNET | IP | UDP | LISP | IP | PAYLOAD |
  Supports L3 Overlay (the original Ethernet header is not carried)

PACKET IN VXLAN:   | ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD |
  Supports L2 & L3 Overlay (the original Ethernet header is carried inside)
VXLAN-GPE Header
MAC-in-IP with VN ID & Group ID (Generic Protocol Extension)

Underlay (outer) headers
  Outer MAC Header (14 Bytes, + 4 Bytes optional)
    Dest. MAC             48 bits   Next-Hop MAC Address
    Source MAC            48 bits   Src VTEP MAC Address
    VLAN Type 0x8100      16 bits   (4 Bytes Optional, with VLAN ID)
    VLAN ID               16 bits
    Ether Type 0x0800     16 bits
  Outer IP Header (20 Bytes)
    Misc. Data            72 bits
    Protocol              8 bits    0x11 (UDP)
    Header Checksum       16 bits
    Source IP             32 bits   Src RLOC IP Address
    Dest. IP              32 bits   Dst RLOC IP Address
  UDP Header (8 Bytes)
    Source Port           16 bits   Hash of inner L2/L3/L4 headers of original frame; enables entropy for ECMP load balancing
    Dest Port             16 bits   UDP 4789
    UDP Length            16 bits
    Checksum              16 bits   0x0000
  VXLAN Header (8 Bytes)
    VXLAN Flags           8 bits    RRRRIRRR
    Segment ID            16 bits   Allows 64K possible SGTs
    VN ID                 24 bits   Allows 16M possible VRFs
    Reserved              8 bits

Overlay (inner) headers
  Inner (Original) MAC Header
  Inner (Original) IP Header
  Original Payload
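To make the header layout concrete, here is an added example (written for this page, not Cisco or RFC code) that builds and parses the 8-byte VXLAN header with the Segment ID (SGT) and VN ID fields, computes the entropy-bearing UDP source port the table describes, and decapsulates with the checks a fabric edge should make. Two things are assumptions: the field list on the slide adds up to 56 bits, so the example puts a second reserved byte after the flags to reach the stated 8 bytes; and the rule that a tag is only honoured from an RLOC in the fabric's trusted set is the editor's policy, not a statement about what a given platform does.

```python
"""8-byte VXLAN header (Flags | Segment ID = SGT | VN ID = VRF | Reserved) plus the
UDP header in front of it, built and parsed with struct. Added example, not Cisco
or RFC code; the second reserved byte, the sample frame and the trusted-RLOC check
are assumptions."""
import hashlib
import struct

VXLAN_PORT = 4789
FLAG_I = 0x08            # RRRRIRRR: I = the VN ID field is valid


def build_vxlan_header(vni: int, sgt: int, flags: int = FLAG_I) -> bytes:
    if not 0 <= vni < 1 << 24:
        raise ValueError("VN ID is 24 bits (16M VRFs)")
    if not 0 <= sgt < 1 << 16:
        raise ValueError("Segment ID is 16 bits (64K SGTs)")
    # flags(8) | reserved(8) | segment id(16) | vni(24) | reserved(8)
    return struct.pack("!BBHI", flags, 0, sgt, vni << 8)


def parse_vxlan_header(hdr: bytes) -> dict:
    if len(hdr) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    flags, _, sgt, tail = struct.unpack("!BBHI", hdr[:8])
    if not flags & FLAG_I:
        raise ValueError("I flag clear: VN ID not valid, drop")
    return {"flags": flags, "sgt": sgt, "vni": tail >> 8, "reserved": tail & 0xFF}


def entropy_source_port(inner_frame: bytes) -> int:
    """UDP source port from a hash of the inner L2/L3/L4 headers (first 54 bytes of an
    Ethernet/IPv4/TCP frame) so underlay ECMP spreads flows; kept in the ephemeral range."""
    digest = hashlib.sha256(inner_frame[:54]).digest()
    return 49152 + int.from_bytes(digest[:2], "big") % (65535 - 49152 + 1)


def encapsulate(inner_frame: bytes, vni: int, sgt: int) -> bytes:
    """UDP header + VXLAN header + original frame (outer MAC/IP would precede this)."""
    vx = build_vxlan_header(vni, sgt)
    length = 8 + len(vx) + len(inner_frame)
    udp = struct.pack("!HHHH", entropy_source_port(inner_frame), VXLAN_PORT, length, 0x0000)
    return udp + vx + inner_frame


def decapsulate(datagram: bytes, src_rloc: str, trusted_rlocs: set):
    """Returns (header fields, inner frame), or None when the packet must be dropped.
    The SGT is only as trustworthy as the VTEP that wrote it, so a datagram from an
    RLOC outside the trusted fabric set is not honoured (assumed edge policy)."""
    if src_rloc not in trusted_rlocs:
        return None
    _, dport, length, _ = struct.unpack("!HHHH", datagram[:8])
    if dport != VXLAN_PORT or length != len(datagram):
        return None
    return parse_vxlan_header(datagram[8:16]), datagram[16:]


def sample_inner_frame(src_port: int = 40000) -> bytes:
    """Constructed Ethernet/IPv4/TCP SYN 10.17.1.10 -> 10.50.0.10:443 (IP checksum left 0)."""
    eth = bytes.fromhex("0000aa0000010000bb000002") + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0, 64, 6, 0,
                     bytes([10, 17, 1, 10]), bytes([10, 50, 0, 10]))
    tcp = struct.pack("!HHIIBBHHH", src_port, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return eth + ip + tcp


def round_trip(vni: int = 4099, sgt: int = 3):
    """Encapsulate the sample frame in VN 4099 with SGT 3 and decapsulate it at a trusted peer."""
    frame = sample_inner_frame()
    datagram = encapsulate(frame, vni, sgt)
    return decapsulate(datagram, "12.1.1.1", {"12.1.1.1", "12.2.2.1"}), datagram
```

`build_vxlan_header(0x10000, 3)` yields `08 00 00 03 01 00 00 00`: I flag set, SGT 3 in the Segment ID, VN ID 0x010000 in the next three bytes.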

SD-Access Fabric
Key Components – CTS

1. Control-Plane based on LISP
2. Data-Plane based on VXLAN
3. Policy-Plane based on CTS
   - Virtual Routing & Forwarding (VRF), carried in the VXLAN VN ID
   - Scalable Group Tagging (SGT), carried in the VXLAN Segment ID
   VRF + SGT

| ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD |
Redesigning Network Policy with SGTs – aka "Cisco TrustSec"
Traditional access control is extremely complex

Enforcement: IP Based Policies - ACLs, Firewall Rules, applied at the Aggregation Layer in front of the Applications. Sample of the kind of list that results (one line per address pair):
  access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165
  access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428
  access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511
  access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945
  access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116
  access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959
  access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993
  access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
  access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
  access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
  access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
  access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
  access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
  access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384

Propagation: Carry "Segment" context through the network (Enterprise Backbone) using VLAN, IP address, VRF

Classification: Static or Dynamic VLAN assignments at the Access Layer (Non-Compliant -> Quarantine VLAN, Voice -> Voice VLAN, Employee -> Data VLAN, Supplier -> Guest VLAN, BYOD -> BYOD VLAN)

Limits of Traditional Segmentation
• Security Policy based on Topology (Address): Static ACL, VACL, Routing, Redundancy, DHCP Scope, Address, VLAN
• High cost and complex maintenance

SGTs with Cisco TrustSec
Simplified access control with Group Based Policy

Enforcement: Group Based Policies - ACLs, Firewall Rules, enforced on the DC Switch or Firewall in front of the Shared Services and Application Servers; the DC switch receives policy for only what is connected

Propagation: Carry "Group" context through the network (Enterprise Backbone) using only the SGT

Classification: Static or Dynamic SGT assignments by ISE at the Campus Switch (Employee Tag, Supplier Tag, Non-Compliant Tag), independent of the VLAN the endpoint sits in (VLAN A, VLAN B)

Cisco TrustSec
Identity Services Engine (ISE) enables CTS

• NDAC authenticates Network Devices for a trusted CTS domain
• SGT & SGT Names: centrally defined Endpoint ID Groups (SGT & Name Table)
• Scalable Group ACL (SGACL): policy matrix to be pushed down to the network devices
• ISE dynamically authenticates endpoint users and devices (802.1X) and assigns SGTs: Dynamic SGT Assignment for authenticated endpoints, Static SGT Assignment where the tag is configured; Rogue Device(s) do not receive a trusted tag

[Figure: SGACL matrix of Sources against Destinations by Scalable Group Tag (3: Employee, 4: Contractors, 8: PCI_Servers, 9: App_Servers); each cell is permit (✓) or deny (✕).]
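The three TrustSec slides above (address-based ACLs, group-based enforcement, ISE classification and the SGACL matrix) are best understood by running the policy model. The following is an added example written for this page, not ISE or switch code: endpoints are classified to an SGT (dynamically from an authenticated group, statically by address for servers, Unknown otherwise), flows are judged by the (source SGT, destination SGT) cell with first-match rules, and an enforcement point is handed only the cells for tags connected to it. The tag numbers and names are the slide's; the matrix contents, the endpoints, the identity groups and all function names are assumptions.

```python
"""Group-based policy: ISE-style classification to an SGT, SGACL matrix lookup keyed by
source/destination SGT, and per-device policy download. Added example; tag numbers
and names are from the slide, matrix cells, endpoints and helper names are assumptions."""
import ipaddress

SGT_NAMES = {0: "Unknown", 3: "Employee", 4: "Contractors", 8: "PCI_Servers", 9: "App_Servers"}

# Assumed SGACL matrix: (src SGT, dst SGT) -> first-match rules (action, proto, dst port or None).
# Cells that are absent fall to the default action, as an empty matrix cell would.
SGACL = {
    (3, 9): [("permit", "tcp", 443)],
    (4, 9): [("permit", "tcp", 443)],
    (9, 8): [("permit", "tcp", 5432), ("deny", "ip", None)],
    (3, 3): [("deny", "ip", None)],          # no east-west between employees
}
DEFAULT_ACTION = "deny"

# Classification sources (assumed): identity group from the 802.1X session, static IP->SGT for servers.
AUTHZ_BY_GROUP = {"Employees": 3, "Contractors": 4}
STATIC_SGT = {ipaddress.ip_network("10.60.0.0/24"): 8, ipaddress.ip_network("10.50.0.0/24"): 9}


def classify(ip: str, identity_group: str = None) -> int:
    """Dynamic SGT from the authenticated group wins; else static mapping; else Unknown."""
    if identity_group in AUTHZ_BY_GROUP:
        return AUTHZ_BY_GROUP[identity_group]
    addr = ipaddress.ip_address(ip)
    for net, sgt in STATIC_SGT.items():
        if addr in net:
            return sgt
    return 0  # rogue / unauthenticated device: no trusted tag, so no permit cell applies


def evaluate(src_sgt: int, dst_sgt: int, proto: str, dport: int) -> str:
    """First matching rule in the cell decides; an empty cell means the default action."""
    for action, rproto, rport in SGACL.get((src_sgt, dst_sgt), []):
        if rproto in ("ip", proto) and (rport is None or rport == dport):
            return action
    return DEFAULT_ACTION


def policy_for_device(connected_dst_sgts) -> dict:
    """The DC switch receives only the matrix columns for tags connected behind it."""
    return {k: v for k, v in SGACL.items() if k[1] in connected_dst_sgts}


def ip_acl_line_count(src_hosts: int, dst_hosts: int, rules_per_pair: int = 1) -> int:
    """Address-based enforcement of the same intent needs one line per (src, dst) pair;
    the SGACL above needs one cell per (src tag, dst tag) regardless of host count."""
    return src_hosts * dst_hosts * rules_per_pair


def demo() -> dict:
    """Same user from two buildings and subnets: the decision follows the tag, not the IP."""
    alice_b1 = classify("10.17.1.10", "Employees")
    alice_b2 = classify("10.17.2.10", "Employees")      # moved to another subnet (VLAN B)
    rogue = classify("10.17.1.99")                      # never authenticated
    app, pci = classify("10.50.0.10"), classify("10.60.0.5")
    return {
        "employee->app:443": evaluate(alice_b1, app, "tcp", 443),
        "employee_moved->app:443": evaluate(alice_b2, app, "tcp", 443),
        "employee->pci:443": evaluate(alice_b1, pci, "tcp", 443),
        "rogue->app:443": evaluate(rogue, app, "tcp", 443),
        "app->pci:5432": evaluate(app, pci, "tcp", 5432),
        "app->pci:22": evaluate(app, pci, "tcp", 22),
        "contractor->app:443": evaluate(classify("10.17.3.4", "Contractors"), app, "tcp", 443),
    }
```

`demo()` permits the employee to App_Servers on 443 from either address, denies the same user to PCI_Servers, denies the unauthenticated device everything, and lets App_Servers reach PCI_Servers only on 5432; `policy_for_device({8})` hands a switch that only has PCI_Servers behind it the single (9, 8) cell.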

Bringing it all Together:
DNA Center

Cisco DNA: DNA Center
Cisco Enterprise Portfolio, Simple Workflows

DNA Center workflows: DESIGN | PROVISION | POLICY | ASSURANCE

DNA Center integrates the Identity Services Engine (policy) and Data Analytics (assurance) and manages the Routers, Switches, Wireless Controllers and Wireless APs.

Data Analytics of the Network

Constantly Learning: Support 100X new devices, apps, users
Constantly Adapting: Respond instantly to business demands with limited staff and budget
Constantly Protecting: See and predict issues and threats and respond fast

The more you use it, the wiser it gets.
DNA Center Data Analytics – Time Series Analysis

Time series data (assurance performance KPIs):
• A set of observations collected at equally spaced time intervals for a variable

Purpose of Time Series Analytics:
• Study past behavior in order to formulate policies or decisions
• Compare the changes in the values over different time periods
• Predict, estimate or forecast the future behavior

DNA Center Supports Time Series Operations:
• Statistical computation: mean, std, percentile, histogram, moving_avg, etc.
• Windowing: fixed, sliding, session, global
• Lag and missing data
• Preserve raw data for time range queries
• Tenant aware

THANK YOU!!
