Cisco CCNP Enterprise 300-420 ENSLD – Discovering SD Access Architecture Part 1

  1. Discovering SD Access Architecture

Hello, and welcome to Discovering the Cisco SD-Access Architecture. This video will give you insight into what you will be able to understand after reading this section. I have been working with the technologies discussed in this section for years, and the most challenging part for the majority of people is to fully understand the benefits in time, cost and effectiveness, all of which are explained very well. Take the time to make those connections with the material. Let's begin. Cisco Digital Network Architecture (Cisco DNA) is the blueprint of intent-based networking for Cisco enterprise networks. The section begins with an overview of Cisco Software-Defined Access, which is one of the main elements of Cisco DNA, defining what intent-based networking means.

This includes a listing with descriptions of the SD-Access elements such as switches, routers, wireless, Identity Services Engine, DNA Center, Cisco DNA software and services, followed by a description of the five basic layers of the SD-Access architecture. As we mentioned, SD-Access grew out of Cisco DNA, so the next topic is a Cisco Digital Network Architecture review, where you are introduced to the idea that providing insights and actions allows you to drive faster business innovation, automation and assurance while lowering IT costs and complexity. Cisco's objective is for you to know more than just those words, but also to grasp what it means to the customer's business. So the next part navigates you through the role of Cisco SD-Access in Cisco DNA. The key aspect is how to assist customers in competing in the digital era. Cisco does this by creating virtualized networks, enabling controller-based automation, gathering rich contextual analytics, deploying cloud-first strategies, and building completely open environments. Pay attention to the detail provided in each one of those categories, as an immense amount of helpful information is provided, along with clear dialogue that you can use with a customer to help them understand the benefits of this architecture. The section now transitions to explaining SD-Access terminology.

For example, it lists and describes components of Cisco DNA such as the controller, group repository, analytics engine and the various nodes deployed. Also included are discussions about the abstraction layer and the underlay and overlay networks, including detail on LISP (Locator/ID Separation Protocol), VXLAN, virtual tunnel endpoints, TrustSec and SGTs. The concept of overlay networks is not new: GRE tunnels have been around since the 90s. Review the list provided and make sure you understand the benefits of each, including the difference between manual and automated underlay networks. Secure policy-based automation regarding service enablement and onboarding of users and devices is presented next, along with a description of the traditional way versus the SD-Access method of provisioning, with the benefits of each described and explained. Complete network visibility is covered next, as networks have grown in size and number of locations as well as diversified in topology types and devices. The next several topics explain the different nodes deployed, along with descriptions of their activities and capabilities, including recommendations for configuration, placement and hardware platform. Then we cover detail on provisioning and deployment options for the wireless network, including defining the components and benefits of each. The last topic describes the role of SD-Access in Cisco DNA, referencing components of the management system, automation for provisioning and analytics for assurance. Each topic includes descriptions, diagrams with recommendations and example workflows. Well, those are the topics; with what is provided you could create a powerful, compelling presentation demonstrating how and why this architecture will propel the customer into the digital era.

  2. Overview of SD Access Part 1

Cisco Software-Defined Access is the Cisco DNA evolution from traditional campus LAN designs to networks that directly implement the intent of an organization. SD-Access is enabled with an application package that is part of the Cisco DNA Center software for designing, provisioning, applying policy and facilitating the creation of an intelligent campus-wide wired and wireless network with assurance; fabric technology is an integral part of it. SD-Access enables wired and wireless campus networks with programmable overlays and easy-to-deploy network virtualization, permitting a physical network to host one or more logical networks as required to meet the design intent. In addition to network virtualization, fabric technology in the campus network enhances control of communications, providing software-defined segmentation and policy enforcement based on user identity and group membership. Software-defined segmentation is seamlessly integrated using Cisco TrustSec technology, providing micro-segmentation by scalable groups within a virtual network.

Using DNA Center to automate the creation of virtual networks reduces operational expenses, coupled with the advantage of reduced risk from integrated security and improved network performance provided by the assurance and analytics capabilities. With digitization, software applications are evolving from simply supporting business processes to sometimes becoming the primary source of business revenue and competitive differentiation, so organizations are now constantly challenged by the need to scale their network capacity to react quickly to application demands and growth. Because the campus LAN is the network through which users and devices in a location access applications, campus wired and wireless LAN capabilities should be enhanced to support those changing needs.

The need for Cisco SD-Access: the Cisco Software-Defined Access solution represents a fundamental change in the way enterprise networks are designed, provisioned and troubleshot. Today, there are challenges in managing the network to drive business outcomes. These limitations are due to manual configuration and fragmented tool offerings. There is high operational cost due to the amount of man-hours needed to implement a fully segmented policy across a fabric architecture. Manual configuration leads to higher network risk due to error. Regulatory pressure will increase due to the escalating number of data breaches across the industry. More time is spent on troubleshooting the network because there is not much network visibility and analytics.

The elements of Cisco SD-Access. Wireless: Wi-Fi 6 (802.11ax) is helping to reinvent wireless access, opening opportunities to enhance customer experience and improve IoT deployments, with several Wi-Fi 6 technologies that can improve your network's performance, accelerate troubleshooting and simplify onboarding. Switches: Cisco switches are constantly learning, constantly adapting, constantly protecting; they build a foundation for extraordinary outcomes in your data center, core or edge. Routers: connect all your offices to one another and to the cloud seamlessly and securely. Cisco DNA Center: Cisco DNA Center is the network management and command center for Cisco DNA, your intent-based network for the enterprise. Provision and configure all your network devices in minutes. Use advanced artificial intelligence (AI) and machine learning to proactively monitor, troubleshoot and optimize your network. Integrate with third-party systems for improved operational processes. Cisco Identity Services Engine: Cisco ISE offers a network-based approach for adaptable, trusted access everywhere, based on context. It gives you intelligent, integrated protection through intent-based policy and compliance solutions, all delivered with streamlined, centralized management that lets you scale securely in today's market. Cisco DNA Software: Cisco Digital Network Architecture software delivers automation, security, predictive monitoring and a policy-driven approach to turn your vision of an intelligent network into reality. Services: how to design a smarter, more responsive network. Evaluate what you already have and what you still need to move to a secure and automated network.

A secure and automated network can simplify your IT journey and accelerate time to value, mitigate exposure risk, decrease costs and improve business outcomes, with proven design and deployment expertise from Cisco Services. Cisco DNA Intent APIs provide a consistent way to make network-wide changes aligned with the business. Events and notifications resolve issues proactively by helping third-party applications listen and respond to relevant events detected by Cisco DNA Center. Integration APIs bring your network into your IT processes and publish network data and events to and from third-party tools. Use the Cisco DNA Center multivendor SDK to discover and manage non-Cisco devices directly via Cisco DNA Center. Layers of the SD-Access architecture: the Cisco SD-Access solution can be divided into five basic layers and then subdivided from there. The five basic layers of the SD-Access architecture are as follows. Physical layer: contains the hardware elements such as routers, switches and wireless platforms, interfaces and links, clusters or virtual switches, as well as server appliances. Network layer: contains the control plane, data plane and policy plane elements that make up the network underlay and fabric overlay. Controller layer: contains the software system manager and orchestration elements and associated subsystems such as automation, identity and analytics. Management layer: contains the elements that users interact with, in particular the graphical user interface as well as APIs and command-line interfaces (CLIs) where applicable.

Partner ecosystem: contains all the Cisco and third-party partner systems that are capable of augmenting and/or using services within SD-Access. Each layer is described here with diagrams that describe the layers and how they relate to one another. Cisco Digital Network Architecture overview: Cisco DNA is an open, extensible and software-driven architecture that is built on a set of design principles. The objective is to provide insights and actions to drive faster business automation and assurance, to lower IT costs and complexity while meeting business and user expectations. It also provides security and compliance to reduce risk. As organizations continue to expand and grow, traditional network architectures are unable to scale for the digital era. Cisco has reimagined the network architecture with the following characteristics. Cloud service management: design, provision and enable policy and assurance services through centralized management; enable visibility of end-to-end network services for campus, branch and WAN, running on premises or in the cloud. Automation: fully automate the network infrastructure based on policy across the entire access network, acting as a single fabric to simplify and scale operations,

automating day-to-day configuration, provisioning and troubleshooting. Analytics: proactively predict problems through machine learning; correlate user, device and application data for business and operational insights; identify issues and provide actionable insight to deliver better, more personalized experiences. Security: detect and mitigate threats with end-to-end network segmentation and enforce security policies across the network; identify and mitigate threats and vulnerabilities in encrypted traffic with network analytics. Virtualization: deploy network services in minutes on any platform in the branch, campus or public cloud and connect user applications with one seamless network. Role of Cisco SD-Access in Cisco DNA: to compete in the digital era, customers must move to virtualized networks, enable controller-based automation, gather rich contextual analytics, deploy cloud-first strategies and build on completely open environments to support the move to virtualized networks.

A layered architecture has been developed; from its classic stack model you can see the developers' roots in networking. At first glance, you could mistake it for a protocol stack such as TCP/IP. However, in this case you have an architecture that is designed for functionality: virtualization, automation, analytics, cloud services and network programmability. Cisco Digital Network Architecture is an open, software-driven architecture that is built on a set of design principles with the objective of providing insights and actions to drive faster business innovation. The architecture must not only run the network, it must allow for the extraction of information related to network operations and end-user operation, with automation and assurance to lower IT costs and complexity while meeting business and user expectations. This objective is accomplished through device and network virtualization, automation of configurations, and verification of quality of experience with assurance and feedback into possible automation of changes. Security and compliance reduce risk as the organization continues to grow and open up to mobility, cloud and other technology. This objective is accomplished through a centralized and automated tool which will maintain compliance at the scale of the entire network more easily than a human can. Cisco DNA is delivered through the virtualization and abstraction of the underlying network infrastructure, policy-based automation of the infrastructure and heavy use of network-enabled analytics. The virtualization architecture, which is part of Cisco DNA, is composed of two main components. Transport virtualization: the logical separation of traffic by using VLANs or VRFs. Already a standard tool in enterprise network designs, the network elements comprising the enterprise fabric are fully capable of logical separation of traffic at Layer 2 and Layer 3.
The logical segmentation of groups of users and applications is an essential component of the enterprise fabric's overlay architecture. Cisco SD-Access and SD-WAN are the solutions that support transport virtualization in enterprise campus and branch networks. Enterprise Network Functions Virtualization: Network Functions Virtualization (NFV) is a part of Cisco DNA that allows network functions to run anywhere in the network infrastructure based on the availability of x86 compute resources. Virtualization of the network functions that manipulate the IP traffic flows according to policies is essential in Cisco DNA to provide a completely virtualized environment.

Cisco DNA Center is the central management application for your network. Cisco DNA Center simplifies network management so you can deliver more quickly, using automation to lower costs and assurance and analytics to improve network performance and security. Enterprises are in search of real transformation to enable digital capabilities in the way services are delivered and IT assets are managed. Cisco Software-Defined Access (SD-Access) is built on the principles of Cisco Digital Network Architecture (DNA), and it provides this transformational shift in building and managing networks. The Cisco SD-Access architecture is designed to meet the IT transformation goals around operational effectiveness, improved workforce experience and security compliance. The Cisco SD-Access architecture is an open, software-driven platform that integrates critical innovations in networking software such as virtualization, automation, analytics and cloud into a unified architecture for wired, wireless and remote access. The following are the key capabilities of the Cisco SD-Access solution that align it with Cisco DNA. Network fabric: the Cisco SD-Access network fabric is based on standards-based technologies and builds on the most resilient, highly available and scalable Cisco switching infrastructure. The scalable virtualization capabilities in the infrastructure help you create the hierarchical segmentation policies that are enforced within the fabric infrastructure, providing secure segmentation as access transitions to wireless endpoints. The Cisco enterprise wireless architecture is designed to completely integrate with the switched network fabric to provide consistent network services and operation irrespective of the media, wired or wireless. The fabric virtualization capabilities seamlessly extend to wireless media, ensuring the network architecture is ready to support convergence of any number of disparate wireless networks. Operational ease, availability assurance and performance assurance.

The fabric is able to provide in-line services for application recognition, traffic analytics, traffic prioritization and traffic steering. This capability ensures that the network infrastructure is able to optimize the digital services that are being enabled, by addressing the priority of operational effectiveness. Controller-based networking: the controller owns the configurations and operations of its network elements, including the day-zero configuration of fabric elements and the policies that are associated with users, devices or endpoints as they connect to the network. The Cisco DNA Center controller (Cisco APIC-EM) exposes northbound REST-based APIs that abstract the network functionality into services that are available at a network level. Cloud-enabled networking: in line with the cloud-first trend, fusing the cloud with the enterprise-operated infrastructure is an integral part of the architecture.

The cloud's resources host digitized applications for business process delivery as if they were hosted in the enterprise-owned infrastructure. The fabric architecture is integrated into the intercloud fabric while maintaining security capabilities such as encryption across a non-trusted link. In public cloud environments, applications can be accessed by the devices on the enterprise network using a public cloud gateway, which provides a demarcation between the public and the enterprise domain. Security: Cisco SD-Access helps facilitate a security architecture that allows customers to respond better throughout the attack continuum. Through automation, the network is able to act quickly to protect against, detect and contain an attack. Also, it provides unparalleled visibility and capabilities to accelerate and automate incident response for defense against advanced threats, including insider risks.

The Cisco fabric is the only core networking infrastructure in the industry that is able to capture all the flow information at line rate without any performance impact, providing scalable telemetry for IT. This flow telemetry, when analyzed to establish a baseline of the network's normal behavior, can be used to automatically determine anomalies in the network traffic behavior that point to initial indicators of compromise. The network flow data is a critical source to strengthen the security posture and also facilitates day-to-day security event analysis. Cisco SD-Access offers the most complete set of network access control features, which allow several options to grant authenticated access across various devices and machines. Once an endpoint session is authenticated, Cisco SD-Access is also able to assign network segmentation policies dynamically, which help contain the attack surface in case the endpoint were to be compromised. Network segmentation policies are automated so that no network configuration is required as users move across different sites.

Segmentation policies are managed in terms of business-relevant grouping information, completely decoupled from the network architecture and design, thus providing an extra level of simplicity and agility to security policies. Cisco SD-Access terminology and roles: there are several different components that play different roles in the SD-Access network. DNA Controller: DNA Center provides GUI management and abstraction via multiple service applications that share information. Group Repository: external identity services (e.g., ISE) are leveraged for dynamic user-to-group or device-to-group mapping and policy definition. Analytics Engine: Assurance is used to analyze user-to-app or device-to-app flows and monitor fabric status. Control Plane Nodes: a map system that manages endpoint-ID-to-device relationships. Border Nodes: a fabric device that connects external Layer 3 networks to the SD-Access fabric. Edge Nodes: a fabric device (access or distribution) that connects wired endpoints to the SD-Access fabric. In the diagram, the borders are denoted with the letter B. There has to be at least one border node in an SD-Access network. All traffic entering or leaving the fabric goes through this type of node.

The border node connects traditional Layer 3 networks and/or different fabrics to the local domain. This is where two domains exchange endpoint reachability and policy information. The border node is also responsible for translation of context (VRF and scalable group tags) from one domain to another, and it provides a domain exit point for all edge nodes. To the right is the device with the letter C. This is the control plane node. It runs the LISP host tracking database to provide overlay reachability information. This is a simple host database that tracks endpoint ID to edge node bindings, along with other attributes, and answers look-up requests from remote edge nodes to locate local endpoints. Out on the edge of the SD-Access network, you have the fabric edge nodes that provide connectivity for users and devices connected to the campus fabric. The edge nodes are responsible for identifying and authenticating endpoints and registering the endpoint ID information with the control plane nodes. They function as an anycast Layer 3 gateway for connected endpoints and must encapsulate and de-encapsulate host traffic to and from endpoints connected to the fabric.

  3. Overview of SD Access Part 2

SD-Access definition and design: deploying the intended outcomes for the needs of the organization in a simplified way uses the automation capabilities built into Cisco DNA Center, and those simplifications span the wired and wireless domains. These controller subsystems form an abstraction layer to hide the complexities and dependencies of managing many network devices and protocols. For example, whenever you add, remove, or update something in the SD-Access fabric, these are the software subsystems responsible for ensuring that it is added, removed, or updated correctly. All of the base and fabric automation services are provided by Cisco NCP, and all of the analytics and assurance services are provided by Cisco NDP.

Both of these subsystems run together on one or more physical appliances. All of the identity and policy services are provided by Cisco ISE, which runs on one or more separate appliances. These controller subsystems may run on single or multiple appliances in a standalone, redundant, or distributed model, on your premises, or in the future as cloud-based services. Traditional networking focuses on per-device management, which takes time and creates many complexities. This approach is prone to human errors. SD-Access uses a modern controller architecture to drive business intent, orchestration, and operation of network elements. This process includes the day-zero configuration of devices and the policies associated with users, devices and endpoints as they connect to the network. The controller provides a network abstraction layer to arbitrate the specifics of various network elements. Also, the Cisco DNA Center controller exposes northbound representational state transfer (REST) based APIs to facilitate third-party or in-house development of meaningful services on the network. Key components of Cisco SD-Access: SD-Access networks have two network topologies, the underlay network and the overlay network. The underlay is the traditional routing and switching network and its routing protocol. This technology is well known. The overlay is a logical topology used to virtually connect devices, built on top of an arbitrary physical underlay topology. An overlay network often uses alternate forwarding attributes to provide additional services not provided by the underlay. Examples of overlay networks are CAPWAP in wireless and LISP in SD-Access. LISP is the Locator/ID Separation Protocol. It uses separate address spaces for identity (the endpoint ID, EID) and routing location (the routing locator, RLOC). The control plane maps the EID to its current location through the RLOC. The data plane encapsulates the EID-addressed packets in RLOC-addressed headers. VXLAN is the Virtual Extensible Local Area Network, and it can support Layer 2 and Layer 3 overlay networks.
The fabric overlay provides three functions: underlay address advertisement and mapping, automatic tunnel setup (virtual tunnel endpoints), and frame encapsulation between locators. TrustSec is used to reduce the complexity of traditional network segmentation. In the SD-Access network, TrustSec uses SGTs and SGT names to create centrally defined endpoint ID groups. SGT ACLs are policy matrices that are pushed down to network devices to determine what resources the endpoint can access in the fabric network.
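To tie the node roles from Part 1 (control plane, edge and border nodes) to the LISP, VXLAN and TrustSec components just described, here is a small Python model added as an illustration; it is not Cisco's code, and every address, virtual network name and SGT value in it is constructed. It shows edge nodes registering EIDs with the control plane node's host tracking database, a sending edge resolving the destination RLOC and encapsulating toward it, the receiving edge enforcing the SGT matrix at egress, unresolvable destinations defaulting to the border, and a roam moving the EID-to-RLOC binding.

```python
"""Constructed model of the SD-Access control, data and policy planes (not Cisco's
code). Edge nodes register endpoint IDs (EIDs) with the control plane node, query
it for the routing locator (RLOC) of the edge holding a destination, carry VN and
source SGT in the overlay header, and the receiving edge enforces the SGT matrix."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    rloc: str  # underlay address of the edge node where the endpoint is attached
    sgt: int   # scalable group tag assigned when the endpoint authenticated


class ControlPlaneNode:
    """LISP host tracking database: (VN, EID) -> edge RLOC and SGT."""

    def __init__(self):
        self.db = {}  # an EID is only unique within its virtual network

    def register(self, vn, eid, rloc, sgt):
        # A registration from a different edge (a roam) replaces the old binding.
        self.db[(vn, eid)] = Binding(rloc, sgt)

    def lookup(self, vn, eid):
        return self.db.get((vn, eid))


class PolicyMatrix:
    """SGT-ACL matrix: (source SGT, destination SGT) -> verdict; default permit."""

    def __init__(self, denies):
        self.denies = set(denies)

    def decide(self, src_sgt, dst_sgt):
        return "deny" if (src_sgt, dst_sgt) in self.denies else "permit"


class EdgeNode:
    """Fabric edge: anycast gateway that encapsulates and de-encapsulates host traffic."""

    def __init__(self, rloc, cp, policy):
        self.rloc, self.cp, self.policy = rloc, cp, policy
        self.local = {}  # (vn, eid) of endpoints attached here -> their SGT

    def onboard(self, vn, eid, sgt):
        """Endpoint authenticated; VN and SGT would come from the identity service."""
        self.local[(vn, eid)] = sgt
        self.cp.register(vn, eid, self.rloc, sgt)

    def encapsulate(self, vn, src_eid, dst_eid):
        """Decide how a packet from a locally attached endpoint leaves this edge."""
        header = {"vn": vn, "src_sgt": self.local[(vn, src_eid)], "dst_eid": dst_eid}
        binding = self.cp.lookup(vn, dst_eid)
        if binding is None:
            # No binding in this VN: destination is outside the fabric or in another
            # VN, so the packet goes to the border node, the fabric's exit point.
            return {"action": "to-border", **header}
        if binding.rloc == self.rloc:
            return {"action": "local", **header}
        # Outer header is addressed to the remote RLOC; VN and SGT ride inside it.
        return {"action": "encap", "outer_dst": binding.rloc, **header}

    def decapsulate(self, pkt):
        """Receiving edge: strip the overlay header, enforce the SGT matrix at egress."""
        dst_sgt = self.local.get((pkt["vn"], pkt["dst_eid"]))
        if dst_sgt is None:
            return "drop: destination not attached to this edge"
        return self.policy.decide(pkt["src_sgt"], dst_sgt)


def demo():
    """Constructed scenario (all values made up): two edges; a laptop (SGT 10),
    printer (SGT 20) and guest (SGT 40) in CAMPUS_VN; a camera in IOT_VN."""
    cp = ControlPlaneNode()
    policy = PolicyMatrix(denies={(40, 10)})  # guests may not reach employees
    edge1 = EdgeNode("10.0.0.1", cp, policy)
    edge2 = EdgeNode("10.0.0.2", cp, policy)
    edge1.onboard("CAMPUS_VN", "192.168.1.10", sgt=10)  # laptop
    edge2.onboard("CAMPUS_VN", "192.168.1.50", sgt=20)  # printer
    edge2.onboard("CAMPUS_VN", "192.168.1.77", sgt=40)  # guest
    edge2.onboard("IOT_VN", "192.168.9.7", sgt=30)      # camera, separate VN
    out = {}
    # Laptop -> printer: resolved on the control plane, tunnelled to edge2, permitted.
    pkt = edge1.encapsulate("CAMPUS_VN", "192.168.1.10", "192.168.1.50")
    out["laptop_printer"] = (pkt["action"], pkt["outer_dst"], edge2.decapsulate(pkt))
    # Guest -> laptop: same VN so reachable, but denied by the matrix at egress
    # (micro-segmentation).
    pkt = edge2.encapsulate("CAMPUS_VN", "192.168.1.77", "192.168.1.10")
    out["guest_laptop"] = (pkt["action"], edge1.decapsulate(pkt))
    # Camera -> laptop: different VN, no binding, so it leaves via the border
    # (macro-segmentation).
    out["camera_laptop"] = edge2.encapsulate("IOT_VN", "192.168.9.7", "192.168.1.10")["action"]
    # Laptop roams to edge2: re-registration moves the binding; printer -> laptop is local.
    edge1.local.pop(("CAMPUS_VN", "192.168.1.10"))
    edge2.onboard("CAMPUS_VN", "192.168.1.10", sgt=10)
    out["after_roam_rloc"] = cp.lookup("CAMPUS_VN", "192.168.1.10").rloc
    out["printer_laptop"] = edge2.encapsulate("CAMPUS_VN", "192.168.1.50", "192.168.1.10")["action"]
    return out
```

Real fabrics enforce the SGT matrix on the egress edge just as this model does, which is why the source SGT must travel inside the overlay header rather than being re-derived at the destination.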

Fabric overlays: a fabric is an overlay, and an overlay network is a logical topology used to virtually connect devices, built over an arbitrary physical underlay topology. An overlay network often uses alternate forwarding attributes to provide additional services not provided by the underlay. Examples include GRE, mGRE, MPLS, VPLS, IPsec, DMVPN, CAPWAP, LISP, OTV, DFA and ACI. GRE/mGRE: Generic Routing Encapsulation was developed by Cisco. It is a tunneling protocol that makes it possible to encapsulate a variety of network layer protocols inside virtual point-to-point links over an Internet Protocol network. DMVPN offers scalability by using multipoint GRE (mGRE). This capability allows a router to support multiple GRE tunnels on a single GRE interface. MPLS/VPLS: Multiprotocol Label Switching (MPLS) is a protocol-agnostic routing technique designed to speed up and shape traffic flows across service provider and enterprise wide area networks. Virtual Private LAN Service (VPLS) provides Ethernet-based multipoint-to-multipoint communication over IP or an MPLS network. IPsec/DMVPN: Internet Protocol Security (IPsec) uses a cryptographic security suite to protect transmissions over Internet protocols. A Dynamic Multipoint Virtual Private Network (DMVPN) is a secure network that exchanges data between sites without the need to pass traffic through an organization's headquarters virtual private network (VPN) server or router. CAPWAP: the Control and Provisioning of Wireless Access Points protocol enables an access controller to manage a collection of wireless termination points.

LISP: the Locator/ID Separation Protocol (not to be confused with the Lisp family of programming languages); in the fabric it separates endpoint identity (EID) from location (RLOC), as described earlier. OTV: Overlay Transport Virtualization is a MAC-in-IP method that extends Layer 2 connectivity across a transport network infrastructure. DFA: Cisco Dynamic Fabric Automation helps simplify, optimize and automate the unified fabric environment by offering an architecture based on four building blocks. ACI: Cisco Application Centric Infrastructure is considered Cisco's software-defined networking (SDN) offering for data center and cloud networks. Manual underlay and LAN automation: manual underlays allow variations from the automated underlay deployment. For example, a different IGP could be chosen, but the previously listed underlay design principles still apply. The Cisco DNA Center LAN automation feature is an alternative to manual underlay deployments for new networks and uses an IS-IS routed access design. Although there are many alternative routing protocols, the IS-IS selection offers operational advantages such as neighbor establishment without IP protocol dependencies, peering capability using loopback addresses, and agnostic treatment of IPv4, IPv6 and non-IP traffic. Multicast: native multicast gives more efficient delivery of traffic to interested edge switches, using the multicast replication capabilities built into the fabric devices rather than burdening the border with extra processing overhead. With head-end replication, multicast is encapsulated to interested fabric edge switches, which de-encapsulate the multicast and replicate it to interested receivers on the switch. If the receiver is a wireless endpoint, the multicast, just like unicast, is encapsulated by the fabric edge toward the AP associated with the multicast receiver. Secure policy-based automation: easy segmentation and policy enforcement.
Cisco SD-Access provides the following benefits: a transformational management solution that reduces operational expenses and enhances business agility; consistent management of wired and wireless network provisioning and policy; automated network segmentation and group-based policy; contextual insights for fast issue resolution and capacity planning;

open and programmable interfaces for integration with third-party solutions. Cisco SD-Access will change how enterprise networks are configured and managed. Old way: based on VLANs and IP addresses; isolates employees from, for example, building management systems; deals with policies, users and policy violations manually. Software-defined way: no IP address dependency, with an anycast gateway and SGT-defined policy; policy defined once for LAN, WLAN and WAN; IP and policy follow the user. Traditional enterprise networks have been built on a set of VLANs, IP subnets and access lists. In the new age of digitization, this architecture is no longer able to scale. VLANs and IP subnets are not designed for a mobile and wireless world with a growing number of users accessing resources anywhere, from any device, at any time. VLANs were not designed for a world with millions of IoT devices of varying levels of sophistication running on a converged infrastructure that must be managed. Access lists were not built for a world where security is most crucial and the threat of malware and hacking is constant.

Cisco SD-Access builds a standards-based network fabric that converts a high-level policy into network configuration. The networking approach used to build the Cisco SD-Access fabric consists of an automated physical underlay and a programmable overlay with constructs such as virtual networks and segments that can further map to neighborhoods and groups of users. These constructs provide macro- and micro-segmentation abilities to the network. In turn, they can be used to implement the policy by mapping neighborhoods and groups of users to virtual networks and segments. This new approach enables enterprise networks to transition from a traditional VLAN-centric design architecture to a new user-group-centric design architecture. Cisco SD-Access service enablement: enable services using open APIs. Old way: hardware-centric with manual configuration; script maintenance in a static environment; slow workload change. Software-defined way:

simple user interface; easy orchestration with objects and data models; native third-party app hosting. Enterprise networks have been configured using the CLI, and the same process had to be repeated each time a new site was brought up. This process is tedious and cannot scale. In the new era of digitization, Cisco SD-Access uses the new Cisco Digital Network Architecture Center, which is built on the Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM), for end-to-end automation. A comparable analogy is the transition to a GUI that Windows 3.0 drove in the early 1990s from the previously MS-DOS-only interface. It ushered in an entirely new era for home computing, and the same is now true for enterprise networks. Secure onboarding of users and devices: as networks get more complex, it is taking longer to get people onto the right network with the right credentials. Today's CLI-driven world lets administrators apply policy inconsistently. With software-defined access, also referred to as Cisco's SDA solution, you define the policy just once and associate it with specific groups, with no dependency on VLANs and IP addresses. You can also define one consistent policy, and that policy follows the user from the edge to the cloud. Better yet, you don't have to deal with policy violations and errors manually. Complete network visibility: the Cisco SD-Access architecture offers simplicity with open and standards-based APIs; automation and simplicity result in an increase in productivity. This architecture enables IT to be an industry leader in transforming the digital enterprise and providing consumers the ability to achieve operational effectiveness.

Simple management: LAN, WLAN and WAN as a single entity. Old way: (1) repeated policy work for securing wired and wireless; (2) roaming challenges; (3) chasing down MAC and IP addresses for troubleshooting. Software-defined way: (1) consistent policy and management across wired and wireless; (2) optimal traffic flows with seamless roaming; (3) instantly find any user or device. Traditional networks have served well for the past 20 years. However, the methods and processes to install, set up and monitor traditional networks are complex and time-consuming, and cannot scale to the needs and requirements of bimodal IT. The Cisco DNA controller provides a single dashboard for managing your enterprise network. It uses intuitive workflows to simplify provisioning of user access policies which, combined with advanced assurance capabilities, monitor the network proactively by gathering and processing information from devices, applications and users. It identifies root causes and provides suggested remediation for faster troubleshooting. Machine learning continuously improves network intelligence to predict problems before they occur.