SD-Access 1.2 Update (cisco.com, PDF transcript)

Date posted: 29-Nov-2018
  • Version 1.0

    29/05/2018

    SD-Access 1.2 Update

    Rene Andersen

  • Release timeline

    SDA 1.0 (Beta), July 2017
      Identity-based Policy & Segmentation
      Automated Network Fabric
      Fabric-Enabled Wireless

    SDA 1.1, December 2017
      Wireless Assurance (DNAC 1.1.1)
      Network Health Monitoring

    SDA 1.2, May 2018
      SD-Access for Distributed Campus (Beta)
      SD-Access Extension for IoT (Beta)
      IBNS 2.0
      Usability Enhancements
      Fabric Enabled Wireless Enhancements

  • Warehouses

    Manufacturing

    Transportation

    Outdoor Spaces

    Connected Lighting

    Workspace Switches

  • SD-Access Extension for IoT: Securely Consolidate IT and OT to One Network

    Extended Node Portfolio: IE5000, IE4010, IE4000, Catalyst Digital Building, 3560-CX Compact

    (Diagram: DNA Center managing a REP Ring of Extended Nodes at the boundary between the Enterprise Campus and the Extended Enterprise)

    Operational simplicity for networks that are IT designed and managed, and for networks that are IT designed and OT managed
    Greater visibility to a broad set of IoT devices
    Improved threat detection and containment

  • (Diagram: HQ, Campus 1, Campus 2 and Campus 3 connected over Metro links, with Cloud and Data Center)

    End-to-end segmentation
    Centralized Automation & Assurance
    Future Proof for SD-WAN (Viptela SD-WAN Integration on Roadmap)

  • Extend SD-Access Benefits Campus-wide

    End-to-End Policy and Segmentation
    Enhanced Resiliency & Local Isolation
    Direct Internet Access per Site
    Automated Inter-Site Connectivity
    Scalable to 100+ sites
    Flexible: 50-100,000 Users/Site
    Enhanced Resiliency and Scale for Large Deployments
    Automation and Assurance managed through DNA Center

    (Diagram: Site 1, Site 2 and Site 3, each shown with its B and C nodes)

  • Minimum software versions for SDA 1.2*

    DNA Center           DNAC 1.2
    ISE                  TBD
    Catalyst 3K/9K       IOS-XE 16.8.1s
    Catalyst 4500        IOS 3.10.2 es
    Catalyst 6800        15.5(1)SY1 es
    Nexus 7700           8.2(1) SMUs CSCvg39911 CSCvh87828 CSCvg09282 CSCvh32898
    ASR1K/ISR4K/CSR      IOS-XE 16.8.1s
    Wireless LAN         AireOS 8.5 MR3

    * Minimum SW version needed for new features in SDA 1.2

  • Software versions for earlier releases

    Platform             DNAC 1.1.x           Earlier (column unlabeled on the slide)
    DNA Center           DNAC 1.1.x           (not listed)
    ISE                  ISE 2.3 Patch 2      ISE 2.3 Patch 1
    Catalyst 3K/9K       IOS-XE 16.6.3        IOS-XE 16.6.2s
    Catalyst 4500        IOS 3.10.0e          IOS 3.10.0c
    Catalyst 6800        15.4(1)SY4           (not listed)
    Nexus 7700           8.2(1) SMU           (not listed)
    ASR1K/ISR4K/CSR      IOS-XE 16.6.3        IOS-XE 16.6.2s
    Wireless LAN         AireOS 8.5 MR2       AireOS 8.5 MR1

    * DNAC releases will support backward compatibility in terms of device code versions

  • SD-Access 1.2 Scale

    Fabric Constructs                                                     Maximum Supported on Single DNAC Cluster
    No of Fabric Domains per DNA Cluster                                  10
    No of Fabric Sites across the Fabric Domains*                         200
    Total Endpoints (including APs) per DNA Cluster*                      25K
    APs (Counted as Endpoints) per DNA Cluster*                           4000
    Number of Virtual Networks                                            64
    Fabric Nodes (Edge, Border, WLC) per DNA Cluster*                     500**
    Non-Fabric Nodes (Intermediate, Subtended, Routers) per DNA Cluster*  1000
    Control Plane Nodes per Fabric Site                                   2
    Default Border Nodes per Fabric Site                                  4

    * The above scale is split across all the configurable fabric domains (10) or can be in one fabric domain
    ** A stack of switches is considered as one Fabric Node
    Single DNAC cluster = 3 DNAC appliances (2+1 in HA)

  • SD-Access 1.2 Edge Scale*

    Fabric Constructs         Catalyst 3650   Catalyst 3850   Catalyst 9300   Catalyst 4K (Sup8E)   Catalyst 9400   Catalyst 9500
    Virtual Networks          64              64              256             64                    256             256
    Local End Points/Hosts    2K              4K              4K              4K                    4K              4K
    SGT/DGT Table             4K              4K              8K              2K                    8K              8K
    SGACLs (Security ACEs)    1350            1350            5K              1350                  18K             18K

    * These are 1D Platform numbers

  • SD-Access Border Scale**

    Platform                  Virtual Networks   SGT/DGT Table   SGACLs (Security ACEs)     Fabric Control Plane Entries with Border co-located on same device   IPv4 Fabric Routes       IPv4 Fabric Host Entries
    Catalyst 3850 (XS)        64                 4K              1500                       3K                                                                   8K                       16K
    Catalyst 9300             256                8K              5K                         16K                                                                  4K                       16K
    Catalyst 9400 (SUP1 XL*)  256                8K              18K                        80K                                                                  20K                      80K
    Catalyst 9500             256                8K              18K                        80K                                                                  48K                      96K
    Catalyst 9500H            256                8K              18K                        80K                                                                  48K                      96K
    Catalyst 6800             500                30K             30K (XL) / 12K (non XL)    25K                                                                  1M (XL) / 256K           32K
    Nexus N7700               500                16K             16K                        Not Supported                                                        500K                     (not listed)
    ASR1K/ISR4K               4K                 62K             64K                        200K/100K (16GB), 100K/50K (8GB)                                     4M (16GB) / 1M (8GB)     (not listed)
    CSR1Kv                    n.a.               n.a.            n.a.                       200K                                                                 n.a.                     (not listed)

    * SUP1 XL is only supported as Border node
    ** These are 1D Platform numbers

  • SD-Access 1.2 Features

    Below are the new features that are being introduced with DNAC/SD-Access 1.2:

    SD-Access Extension for IoT (requires IOS-XE 16.8.1s)
    SD-Access for Distributed Campus (requires IOS-XE 16.8.1s)
    Host On-Boarding Enhancements including IBNS 2.0
    LAN Automation Enhancements
    Wireless Enhancements

  • SD-Access Extension for IoT

  • Introducing SD-Access Extension: Extending the Fabric Edge for IoT and Business

    Users, Device and IoT Segmentation
    Policy based Automation
    Purpose Built Switches for IoT

    Platform Support: Catalyst Digital Building, Catalyst 3560-CX, IE Series (4K/5K)

    (Diagram: DNA Center providing Analytics and Policy Automation to a fabric with C and B nodes, an IoT Network and an Employee Network, Extended Nodes, and AP Extension)

  • SD-Access Extension: Key Benefits for IoT and Business

    (Diagram: DNA Center, Fabric Edge and Extended Nodes carrying a Surveillance Camera Virtual Network and an Outdoor Wireless Virtual Network)

    Easy automated Device install and setup
    Stretched subnets for ease of endpoint connections
    Workflow based policy automation
    Segment Applications with separate Virtual Networks
    Single pane of glass for management
    Inventory, Topology, Image management
    Automate Day 1 Installation
    Network Assurance Device 360

    Extended Nodes extend SD-Access beyond the Fabric Edge

  • Traditional vs SD-Access Extension

    Day 1 Design and Installation
      Traditional: Manual box-by-box configuration; networking expertise required to provision and deploy devices
      SD-Access Extended Node: Automated device deployment decreases time to operation; zero-touch configuration enables non-networking personnel to install

    Day N Operations and Updates
      Traditional: Network additions are complex; no automated workflows; changes / adds require manual configuration of multiple devices; operation monitoring limited
      SD-Access Extended Node: Deployment flexibility with fabric-enabled technologies, i.e. stretched subnets; an intent-based workflow uses automation for fabric and service configuration and removes the complexity of new service additions; intent-driven network updates are centrally administered, removing manual reconfiguration and reducing downtime; network operational assurance with Device 360 shows performance and pinpoints operational issues

    Security
      Traditional: Static L2-L4 ACLs; address-based segmentation; changes / adds require manual configuration of multiple devices; continuous auditing required to maintain security rule sets
      SD-Access Extended Node: Group-based security policy is auto-configured in the fabric; separating policy from addressing simplifies security enforcement and maintenance; the fabric provides site-wide segmentation and enables intent-based security; integrated threat defense, with suspicious users or devices easily quarantined

  • SD-Access Extended Node

    The Extended Node connects to a single Edge node over an 802.1Q trunk port (single or multiple VLANs) using static assignment
    Switchports on the Extended Node can then be statically assigned to an appropriate IP Pool (in DNA Center)
    SGT tagging (or mapping) is accomplished by Pool-to-Group mapping (in DNA Center) on the connected Edge node
    Traffic policy enforcement based on SGTs (SGACLs) is performed at the Edge node

    (Diagram: DNA Center, Fabric Edge, Extended Nodes)

  • SD-Access Extension: Fabric Edge Support Matrix

    SDA Extended Node   C3850   C4500   C9300/9400/9500
    3560CX              No      No      Yes
    IE switches         No      No      Yes
    CDB                 No      No      Yes

  • Platform Support

    Catalyst Digital Building   15.2(6)E1
    Catalyst 3560-CX            15.2(6)E1
    IE Series (4K/5K)           15.2(6)E1
