Cisco SD-Access - Campus Fabric with DNA Center Automation & Assurance with Shawn Wargo

Captions
Okay, so thanks for inviting me here, guys. The main thing to talk about here is this new Software-Defined Access stuff. You know, Cisco has been talking about the Network Intuitive and Digital Network Architecture and integrated security, and what does all that mean? That's like the number one question I'm getting this week: what exactly is Software-Defined Access? Now, we've actually been shipping the product called Campus Fabric for a while now, and if you think of the actual protocols, the technologies involved, that in its essence is Campus Fabric. And we've actually had a variety of tools for a very long time: we've had ISE for a long time, we've had APIC-EM for a while now, we've got Prime. There's no shortage of tools. The challenge is that they're all independently managed, right? You've got to go to ISE and do the ISE thing, and you go to APIC-EM and do the automation thing, and Prime and you do the Prime thing, and then you go down to every single switch and router, you configure some things, and magically it all sort of kind of works, right? So the punchline is actually the subtitle on this slide. When people ask me what Software-Defined Access is, I say it's Campus Fabric with DNA Center, and I'm hoping that's a hashtag somewhere. That's what Software-Defined Access is: it's the automation and the assurance of Campus Fabric. All right, so it's a new GUI through this DNA Center application, which comes through APIC-EM. I'll show you guys this in just a bit, but most importantly it's orchestrating between all those individual elements in the back end, right? So instead of having to go to ISE and do the ISE thing, and then go over to your management system and do that thing, and then somehow hopefully connect all of that to programming the network, I'm doing all of this from that single pane of glass. It's genuinely what everybody's been promised but never given, right, which is the single pane of glass.

Now, I'm sure everybody's seen this picture like a hundred thousand times. Yeah, I even see a couple of chuckles in the room. But I always get a half like, you know, "that's just some boxes with some words on them, I don't really get what you're trying to tell me." So at the bottom you've got this virtualization, this infrastructure layer. That's in effect where Software-Defined Access lives, and we've got a couple of other things out there. These are fabrics, they're running these overlays; this includes things like IWAN for the WAN infrastructure, but it also includes things like network function virtualization. So this is where Software-Defined Access and the Campus Fabric lives. And then what about this automation, analytics, cloud stuff? So that's really where DNA Center puts in its appearance, right? It's DNA Center orchestrating between APIC-EM, ISE, and then this Network Data Platform, and so that's how Cisco is actually going to deliver on this Network Intuitive. That's what that, you know, hashtag really means; it's that picture.

Okay, so going through some of the quick pieces of just what's all in this picture. It's the same picture I showed a minute ago when I showed the Campus Fabric and the DNA Center, but to give them some kind of names. One of the things we're trying to do is, you know, simplify, and again it's easy to say words like "simplify", but what does that mean? It's like, okay, let's use basic terms that just explain what it's trying to do. Don't come with some crazy new technological name; I just want to know what the thing is trying to do, right? So things like APIC-EM: it is in effect the DNA controller. This is the thing that is controlling DNA, but it's also the GUI that you and I would interact with. As I keep saying, it's really about abstracting all the complexity and talking to the different elements underneath. So that then gets you to identity services. Now, you see at least on the slide I put Identity Services Engine; I know that may just mean ISE to you, but it can actually talk to all kinds of different sources of identity, right? So it can talk to Active Directory, it can talk to Amazon Web Services; there's a whole industry movement around identity, and as long as they can give you some common attributes about, you know, what's a user, what's a machine, your location and all that kind of stuff, I can then feed that information back into ISE. So that's part of the inbuilt security elements. And then some kind of an analytics engine. So again, we just released this Network Data Platform, and it's more than just a data collector; it's an event correlator, right? It's fine that I have a bunch of syslogs and I have a bunch of NetFlow and I have some SNMP traps and whatever, but who's actually taking all that data and actually looking at that and trying to say, "oh, this link flap on this router, like 12 hops away, caused DHCP to fail on this client"? All you know is that you got a ticket that said DHCP failed, right? But actually having all those events correlated and then tying all that back into automation, so it says, "hey, you're experiencing DHCP loss on this user, wouldn't it be great if... would you like to implement a quality of service policy?" Yes I would, click the button, and then the automation tool kicks in and pushes a QoS policy. All right, so that's kind of the vision around that piece.

So now, within Campus Fabric itself, talking about the techie stuff, right? You've got the control plane node. This is the master brain of the system. This is a host routing map system; it's an on-demand host routing system. Now, the most common analogy is DNS for routing, right? You don't actually know where google.com or cisco.com is; your machine asks the DNS server, and the DNS server replies with an address, and your machine says, "oh okay, I do know what to do with that," and it just sends a packet to that machine. Same kind of thing for this. Now, instead of every router knowing about every single device in the network, all I have to keep track of is which switch or router this laptop is currently connected to, right? And the best analogy I make is a phone: everybody's got a phone number, right, but as you move around to the cell towers, what the cellular system is doing is just mapping you to the current cell tower. You move to a different cell tower, same phone number, but your location is changing. Okay, so that's the job of this control plane node: just to map the current location of the host, and just move your location as you move around.

Then there's these border nodes. They have one leg that lives in the fabric and another leg that lives outside the fabric, and so they're talking traditional IP, MPLS, layer 2, layer 3, whatever, and provide that connectivity in and out of the fabric. Okay, then you've got edge nodes, and you notice that nowhere in here have I said the word "core" or "distribution" or any of those things. They're hidden in the slides, but I'm not using those terms on purpose, because it's the job they're trying to do. So an edge node is actually what directly connects to the host; it could be a user, it could be a device, and his job is the security piece: how do I actually figure out, "hey, Shawn's laptop is currently connected to edge number one," right? That's his job, figure out, "okay, Shawn's just connected," and then tell the control plane, "hey, Shawn's currently connected to me." Right, if Shawn moves over to edge number two, edge number two says, "hey, he's currently connected to me," and that kind of thing. Okay, now the reason I made the point about not using traditional networking terms is because then the question often comes: what if I plug in a host on the distribution layer? Well, then he is by definition an edge device. Or what if my data center connects to my distribution layer? Well, then he's a border node, right? So the traditional constructs don't go away; it's really just what kind of job is this box trying to do right now.

Another key point of Software-Defined Access is it must, must have... I don't think anyone in this room is using an actual Ethernet cable, right? Maybe the camera is, but nobody on their machine is using a wire, right? So if I only do the wired piece, I'm only doing half of the customer's network. Okay, now of course we have wireless. What this is, is it's everything we've promised about having a common security and policy infrastructure for wired and wireless. So again, this Network Intuitive stuff. And it's better than the other solutions we have, in the sense that if you have a traditional model, everything goes back to the central wireless LAN controller, both control and data, and that's fine, everything works, we've done this for 20 years, but the policy is now different: I have to have a wireless policy that's anchored up here on the wireless LAN controller and a different wired policy that's anchored on the switch, right? Now, the nice thing about this is it's half and half. So the control, how roaming happens, the AP registration, RF management, all that is still centralized at the wireless LAN controller, but the client element, and that's why the little blue line between the wireless LAN controller and the control plane, he's handing that wireless client information off to the control plane system. So in the same way the wired device gets registered, this is happening. So you can kind of think of him as an edge node for wireless. So if you're using a switch like a 3650 or 3850 that has the wireless controller functionality and the wired functionality in it, it's essentially just holding both roles. So it's not the same thing as Converged Access or the inbuilt... this is actually a normal wireless LAN controller, like a 3504, 5520, 8540. That is something we're exploring, but it's not what this is. This is actually where the management functions, the control, is on the wireless LAN controller, but then what we do is the access points pass off the information to the first-hop switch. So from the data perspective, right, the data CAPWAP terminates on the first-hop switch and now I normalize that back to Ethernet. So it's very similar in principle. Another similar thing is like FlexConnect, but this is the real point: it's that dotted line between the wireless LAN controller and the control plane, where it's not like those solutions, because what I'm doing is I'm passing off the client information into the control plane node and he's handling the client registration.

Now, another really important point about this is the last thing; I don't have a special bullet, but it's this idea of intermediate nodes. So one of the main questions I get asked is, you know, does this mean I've got to go buy a bunch of new Cisco gear, right? And the good news is no. So the intermediate devices are effectively basic IP forwarders, okay, because this is a fabric and I'm using encapsulation; I have a few slides on this in just a moment. They just see IP packets in the middle. So in effect I can leave my existing network in place, and I can just drop in some new access layer switches and some new core or border switches and take advantage of this fabric; those existing devices now become my underlay.

Okay, so it's really divided on a technical level (this is actually Campus Fabric terminology, but, you know, they told me these Tech Field Day guys, they want to hear the techie stuff, don't talk fluffy stuff, techie stuff), so it's broken down into these three elements: control plane, data plane, policy plane. Control plane based on LISP, Location Identity Separation Protocol; it's been around for 5-10 years. Data plane, which is the actual frame encapsulation, based on VXLAN, Virtual Extensible LAN, and that's been around for several years now. And then a policy plane, so even thinking about how do I actually get Network Intuitive inbuilt security, based on what's been around for a while: Cisco TrustSec. Okay, now the point I'll make here is that it's not that the notion of fabrics and overlays, none of this is new, right? What's new and what's unique is these three things together. Nobody else is doing it the way that we're doing, and that's kind of where I get into these key differences. This is going to give you, for example, we have existing layer 2 overlays like OTV or VPLS, right, but that's a pure layer 2 only overlay. Okay, but by combining these together I'll give you both layer 2 and layer 3, and I talked a little bit about host mobility; I'll talk about each of these other things. What I want to draw on this slide is the last bullet: no topology limitations. And I talked about those intermediate nodes. So the beautiful thing here is, a lot of customers, you know, some people they'll have two-tier, three-tier, some people require rings, stars, I've seen daisy chains down subway tunnels. If you can get me from one edge device to the other edge device, I can give you Campus Fabric. Okay, so that's a key thing, and I don't impose a certain topology on you, which certain fabrics do.

So the next question I always get asked is, why LISP? Okay, why not this other thing that I learned about at last Cisco Live and I really love it and I don't like that you're changing this? So I always draw attention to the little blue starry thing. It's really about host mobility, like I said, letting the laptop, the phone, the camera move around the network and on demand being able to change that information. We can do this with traditional routing protocols, I won't name any names, but if you do that it requires the router to keep track of every host address. So that's the same as saying if I have 20,000 users, every edge device has to keep track of 20,000 routing entries. Now imagine if those guys are moving around; every one of those moves is a routing update, okay? And imagine all 20,000 people moving around all day long; every single one of those is a routing update. So yes, we can use a variety of different control plane protocols, but it's going to be big, big tables and big CPUs, okay? So that's where LISP comes in, and it's one of the few acronyms that actually means what it says: its purpose is to separate the location from the identity. Okay, and like I've been talking about, it's a dynamic map-based system, right? So the ID is your phone number, right, and the location is the cell tower you're currently on, or in this case it's the address of the host and the edge switch that he's connected to. And then what LISP does is it puts all of this in the mapping system; okay, that's that control plane node. And then each of these edge devices, these tunnel routers, are your edge devices, and all they have to keep track of are the hosts that are currently connected to them, and then tell the control plane node, "hey, Shawn is currently connected to edge one." I move over to edge number two, he tells the control plane, and then we just map it like that. And moreover, it's on demand. So then somebody wants to actually connect to Shawn; I'll just say it's like the DNS, right? "Where is Shawn?" And then the map system will say, "oh, he's currently on edge number two." Cool, I know what to do, I send it off to edge number two. Okay, so very, very small tables, very, very lightweight, less CPU.

Now, the second point I talked about was the encapsulation, VXLAN. So we have the original frame, right, layer 2, layer 3, some kind of data. Now, LISP actually has its own encapsulation; it's been around for a decade or so, but they built it as an IP overlay. They really wanted it to be sort of like a replacement for MPLS and also to enable like IPv6 over IPv4. Now, the only reason I make that point is it was built for layer 3, it was built for IP, and so they throw away the source Ethernet frame: I don't care about MAC addresses, I'm just dealing with IP addresses, who cares, right? Well, what we want to do, so I could keep using LISP, but what I want to do is I want to give you that layer 2 and layer 3. So when VXLAN was invented, it was invented mainly for the data center: Virtual Extensible LAN, right, it's all about LAN. So one of the reasons why we chose VXLAN, not the only reason, but one of the reasons, is we preserve the original source Ethernet frame. And you know, so by just simply switching the frame encapsulation, this is just the packet I put on the outside and what the intermediate devices see in the middle, I can give you now layer 2 and layer 3 overlay. Now, for folks on the video or anywhere, if you want to look this up, it goes by the name VXLAN-GPO. It's an IETF draft right now; the industry is moving to VXLAN-GPO. Like all standards, it's evolving, right? So it builds on the original VXLAN, and the original VXLAN is just classified as MAC in IP, the part I just talked about, right? So the things in the middle, all they see is a normal IP frame from edge 1 talking to edge 2; that's all they see, that's all they know, right? And it's a basic UDP frame. Some interesting, cool, techie things here: imagine if edge one and edge two are always talking to each other, right? Then load balancing is not going to happen, because the source and destination address are never changing. So what we do is we take the original source address and we create a random number as the source UDP port number, and that guarantees there will always be a unique number, and now I'll load balance across the underlay. But what's important here is it's a dedicated UDP number, okay? And so when it gets to the other side, it's destined to him, right, and it's got a dedicated UDP port number, 4789, and he says, "oh, it's a VXLAN frame, okay, let me open that thing up." And beyond that standard VXLAN, what VXLAN-GPO comes in with is that we've added a source group tag, scalable group tags, and VRF IDs, VN IDs, into the VXLAN header. So all this stuff about integrated security, the magic is right here in this piece: I'm carrying the SGT and the VRF natively in the frame. I don't have to set up MPLS or VRF-lite or do any of that stuff; it just comes for free as part of the fabric. Okay, so that was really the second reason that we chose VXLAN, because I can directly embed that VRF and SGT into the VXLAN header.

And so now, we've had TrustSec again for four, five, six, seven years, but it's been really complicated. It's a wonderful idea, but normally we placed it in a layer 2 frame. I don't know how familiar everybody is with TrustSec and this thing, but the point is we put it in a layer 2 frame, so you had to like rewrite this frame every single hop, right? But by adding this into the fabric header, now I can run right over the top of your legacy gear and I can actually give you TrustSec, the idea, without having to turn on TrustSec on every single link in the network. All right, so if anybody's not familiar with TrustSec, I'll do a quick recap. It's basically the idea of using a tag, something else other than the address. What they want to do is they want to separate the IP address from the identity, right? And traditionally everything was based on IP: I know what your IP is, so I'll build an IP access list, right, and then I use that access list for security, for quality of service, policy-based routing, whatever. But God forbid you actually moved somewhere, changed to a different building, a different city; you've got a completely different IP address, now I have to change all of those policies, right? And now I'm changing access lists and so on. So the whole idea here is to find something else to build those policies on, and that's where this scalable group tag really comes in. Simply, when the user comes on, I give him a tag, and then I build all my policies based on that: security, quality of service, PBR, PfR, etc.

All right, I have a question from Twitter: can any switch or device act as an MS/MR for LISP in the fabric, or do you need a dedicated device? So there is a specific set of devices that are supported, and it does matter, because this is the brain of the system: the MS/MR, the control plane node. He's the one box that does have to be big, because he's keeping track of where those 20,000, 50,000 users are. But the good news is that virtually all of the enterprise products are supported, and they're really laid out in scale, so it's now a scale discussion, right? So if I had, for example, a 3850, it is supported, but it has traditionally a small table, right, so you'd really only want to use that in a small environment. But then I could move to like the new Cat 9K we just announced, with much, much bigger tables, right? We support Cat 6K, 6800, as well as the ASR 1K and ISR 4K.

All right, TrustSec. So that's the basics of TrustSec. You guys get the basic idea, right? That we're building these rules now purely on these tags and like plain English names, so I no longer care what the actual IP subnetting is anymore; it's just whether, you know, the doctor can talk to radiology, or can this camera, IoT camera, talk to the credit card system, right? And I don't care what subnet they're on, okay? It's a wonderful, wonderful concept. The important thing here, that we've had for some time, is how fabric is enabling TrustSec, okay? So that's why I brought it to this slide. It's just a cute little visualization: the original packet comes in, we figure out who he is, right, the classification side of it; then we figure out, "oh okay, he's a doctor, and I'm going to put him into the medical VRF network," right, put those tags on. That gets put into the VXLAN frame, and then it comes right over the middle of the, you know, legacy network, the traditional network, and when he gets to the other side, like I said, he knows it's for him, he sees that thing, he pops it out, he says, "oh okay, there's that VNID and that SGT." So that's just a cute visualization of how it actually works.

So that brings me almost to the tail end. So remember in the beginning I said the punchline was Campus Fabric with DNA Center, right? And the picture was really more about the Campus Fabric, and there were little tiny dots up at the top that were DNA Center, APIC-EM; now it's the same picture but the reverse. Right now, down here on the bottom, Campus Fabric, okay, we get it, it's all TrustSec, VXLAN, LISP. But what exactly is DNA Center? Okay, so DNA Center in effect is APIC-EM 2.x. Okay, now I drew a box around them; this is actually a common confusion. It's the user interface, it's the web front end of APIC-EM 2.x, but they are one and the same. When you deploy APIC-EM 2.x, you will get DNA Center. So that leads to a question that came in from Twitter: is the API for accessing APIC-EM 2.x publicly accessible? There are... so we will have both standards-based APIs and then there'll be a special library that's unique to APIC-EM, and that will be public information. Okay, so if people want to interact with the APIC-EM API via various scripting, automation, etc., rather than the GUI, they can do that? Absolutely, absolutely. Thank you. Which in fact is an excellent segue by itself.

So then I talked about, you know, the identity and integrated security elements of it. How does a user actually even end up in that group thing I've been talking about, right? So that's really where the identity services comes in, right? And it's not just limited to traditional ISE, like 802.1X, access control, these kinds of things. You can actually, through APIs, it can talk to a variety of different sources of information; it can talk to Amazon Web Services, AD, you can even write your own user identity. So there's an industry effort around what is identity. But what's important here is the API interaction between ISE and APIC-EM; no longer are they two different ships in the night and you have to manually, mentally connect them together. I'm actually natively sharing information between the two, so I know when the user came online, I know exactly which group he gets punted into, and think later on down the road, what if I want to change his QoS policy or security policy, right? I can just flip the change of authorization, boom, he gets dropped into a different group, and it's all magic, right? But that's just making the network work, right? Now I have to somehow manage the network, and that's where this new Network Data Platform comes in.

Okay, again, we've got lots of management tools out there; there's no shortage of data. We know how to collect NetFlow and syslogs and SNMP and so on. This thing is, more than anything, an event correlator. It's a collector of information and an analyzer, and then again through APIs, share all that information back to APIC-EM, right? So I know the user logged in, I know what's going on, I know everything about Campus Fabric, I'm watching CPU, I'm watching interface statistics, and I can see all these things happening in sequence, right? So this is how I'll know that the link flap 20 hops away is causing DHCP to fail, right?

Question: so I'm in DNA Center and I provision something? Yep. That's APIC-EM through the API? Okay, so DNA Center talks, it figures it in ISE, right? So that's all going right. So one of the things that Cisco's promised for a very long time is the single pane of glass, okay? We've tried our best; it's a very difficult task to accomplish. I want to say, you know, for the Twitterverse, this is the actual single pane of glass, okay? Because what it is, is it's the UI. More than anything, DNA Center is a UI; it's just a front end, right? And then the authoring through the APIs is going down and either talking to ISE, it's talking to APIC-EM, it's talking to NDP, right? So ISE is all about identity services, APIC-EM is all about automation, network programming, and NDP is all about management and data analytics, right? But your interface, the thing you and I interact with, is DNA Center.

Question: so we have some Campus Fabric, right, there's lots of paths, whatever, we don't even care how we get from point A to point B. If NDP senses there's a bad link somewhere in the mix, right, is the end point intelligent enough that it's just going to take that out of the path pool and they'll just go work around it? Right, yeah, exactly. So it knows what the current situation is, like, you know, links, link low utilization, interfaces, these things, and then ultimately, you know, it can interface directly with the APIC-EM programming element of it, right? So if you think of, like, I want to take an interface out of service, okay, well, I'll shut down that interface, or maybe I turn on a new QoS policy, like it's just been over-utilized, okay, I can change the QoS policy on the fly, and those kinds of things. Same kinds of things with security, right? I'll be able to then, you know, we've been talking about ETA, I know that's another big topic that's been talked about this week, so using things like Stealthwatch, right, and be able to issue a change of authorization to quarantine someone, right? So I can actually change this group, and I can go off and make him do something completely different, right? And that's the real magic that's happening behind all this; this is what Network Intuitive means, exactly.

And then getting into how you actually visualize what it looks like. Depending on how much time you guys still have, I have both some nice little screenshots, but I also have a live demo. But at its basic level, it's visualized into four areas: design, provision, policy, assurance, and each one has its own set of workflows, but it's really geared towards each of the things you saw in the main architecture, right? Design, as it suggests, is all about building the design virtually; policy is really for your security and operations staff to build policy, and then I actually program it on the network devices through provisioning, right, and then later on visualizing all that through assurance.

Question: this first single pane of glass we're talking about is just access right now; does Firepower play anywhere here? That would be more at the edge. So I also want to leave you guys with... I have a slide that I made that I didn't get a chance to put in this deck. You know, this is the beginning of the future, and think in terms like "ecosystem", right? Because you can just keep giving me names; the short answer for Firepower is absolutely. But really what we want to do is create an ecosystem and say, I can't even think of everything that could possibly be today. What I want to do is say, look, the notion of identity and how do I share identity information with something like Firepower? All right, some other product does some new cool thing; let me just share that information with you and then you can keep doing your cool thing. Another good example is IP address management: we do direct API interaction with Infoblox, so I can just let Infoblox continue to be the IP address management. So you see my point, right? It's like there's a whole bunch of these. Same thing on assurance: I can plug into a whole bunch of existing management tools, we can share cool data with one another, and these kinds of things.
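The talk describes VXLAN-GPO as the piece that carries the SGT and the VN ID across an underlay that only sees UDP port 4789, and the entropy source port as what spreads edge-to-edge traffic across underlay paths. The following is an added example, not code from the talk or from Cisco: it packs and parses the 8-byte VXLAN-GPO header as laid out in the IETF draft (G/I/D/A flags, 16-bit Group Policy ID, 24-bit VNI), derives the outer UDP source port from the inner frame as RFC 7348 recommends (the talk calls it a random number), and applies a constructed SGT-to-SGT policy matrix at the receiving edge. The sample frame and the SGT values are constructed, not captured traffic.

```python
import hashlib
import struct
from dataclasses import dataclass

VXLAN_UDP_PORT = 4789   # IANA-assigned destination port named in the talk
FLAG_G = 0x80           # byte 0: Group Policy ID field is valid (GPO extension)
FLAG_I = 0x08           # byte 0: VNI field is valid (base VXLAN)
FLAG_D = 0x40           # byte 1: Don't Learn the inner source MAC
FLAG_A = 0x08           # byte 1: policy already applied upstream


@dataclass
class VxlanGpoHeader:
    """8-byte VXLAN-GPO header: flags(16) | Group Policy ID(16) | VNI(24) | reserved(8)."""
    vni: int
    sgt: int = 0
    dont_learn: bool = False
    policy_applied: bool = False

    def pack(self) -> bytes:
        if not 0 <= self.vni < (1 << 24):
            raise ValueError("VNI must fit in 24 bits")
        if not 0 <= self.sgt < (1 << 16):
            raise ValueError("SGT must fit in 16 bits")
        b0 = FLAG_G | FLAG_I
        b1 = (FLAG_D if self.dont_learn else 0) | (FLAG_A if self.policy_applied else 0)
        # VNI occupies the upper 24 bits of the last 32-bit word; low byte is reserved.
        return struct.pack("!BBHI", b0, b1, self.sgt, self.vni << 8)

    @classmethod
    def unpack(cls, data: bytes) -> "VxlanGpoHeader":
        if len(data) < 8:
            raise ValueError("truncated VXLAN header")
        b0, b1, gpid, vni_word = struct.unpack("!BBHI", data[:8])
        if not b0 & FLAG_I:
            raise ValueError("I flag clear: VNI not valid")
        sgt = gpid if b0 & FLAG_G else 0     # plain VXLAN carries no group tag
        return cls(vni=vni_word >> 8, sgt=sgt,
                   dont_learn=bool(b1 & FLAG_D), policy_applied=bool(b1 & FLAG_A))


def entropy_src_port(inner_frame: bytes) -> int:
    """Outer UDP source port in the ephemeral range, hashed from the inner Ethernet and
    IPv4 headers so distinct inner flows between the same two edges take different ECMP paths."""
    digest = hashlib.sha256(inner_frame[:34]).digest()
    return 49152 + (int.from_bytes(digest[:2], "big") % 16384)


def encapsulate(inner_frame: bytes, vni: int, sgt: int) -> bytes:
    """UDP header + VXLAN-GPO header + untouched inner frame (outer IP/Ethernet omitted)."""
    payload = VxlanGpoHeader(vni=vni, sgt=sgt).pack() + inner_frame
    udp = struct.pack("!HHHH", entropy_src_port(inner_frame), VXLAN_UDP_PORT,
                      8 + len(payload), 0)          # zero UDP checksum is permitted for VXLAN
    return udp + payload


def decapsulate(udp_segment: bytes):
    """What the receiving edge does: confirm port 4789, pop the header, hand back the original frame."""
    _sport, dport, length, _csum = struct.unpack("!HHHH", udp_segment[:8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError(f"not VXLAN: destination port {dport}")
    if length != len(udp_segment):
        raise ValueError("UDP length does not match segment")
    return VxlanGpoHeader.unpack(udp_segment[8:16]), udp_segment[16:]


# Constructed SGT values and policy matrix in the spirit of the talk's doctor/radiology
# and IoT-camera/credit-card examples. Unlisted pairs fall to the default (deny).
SGT_DOCTOR, SGT_RADIOLOGY, SGT_IOT_CAMERA, SGT_CARDHOLDER = 17, 18, 30, 40
POLICY = {(SGT_DOCTOR, SGT_RADIOLOGY): True, (SGT_IOT_CAMERA, SGT_CARDHOLDER): False}


def policy_permits(src_sgt: int, dst_sgt: int, default: bool = False) -> bool:
    """Group-based check made at the destination edge using the SGT carried in the header."""
    return POLICY.get((src_sgt, dst_sgt), default)


def build_sample_frame() -> bytes:
    """Constructed inner frame: Ethernet header + minimal IPv4 header (checksum left zero)."""
    eth = bytes.fromhex("000000000002" "000000000001" "0800")
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       bytes([10, 1, 1, 10]), bytes([10, 2, 2, 20]))
    return eth + ipv4


if __name__ == "__main__":
    frame = build_sample_frame()
    hdr, inner = decapsulate(encapsulate(frame, vni=4099, sgt=SGT_DOCTOR))
    print(hdr, inner == frame, policy_permits(hdr.sgt, SGT_RADIOLOGY))
```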
Info
Channel: Tech Field Day
Views: 59,541
Rating: 4.9022222 out of 5
Keywords: Tech Field Day, TFD, Tech Field Day Extra, TFDx, Cisco Live US, Cisco Live, Cisco Live US 2017, CLUS17, Cisco, Shawn Wargo, Cisco DNA, SD-Access
Id: GWaon8uP5gA
Length: 31min 12sec (1872 seconds)
Published: Thu Jun 29 2017