cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3584
Views
2
Helpful
1
Comments
jedolphi
Cisco Employee
Cisco Employee

 

 
 
 
07c1b4d3-f97c-4452-921b-ef298a7b80b1.png

 

Cisco Public



Cisco SD-Access for Large Enterprise and Government

 

Contents

 

Authors

Jerome Dolphin
Technical Marketing Engineer, Technical Leader

 

Executive Summary

Enterprise Networks owned by multinational corporations and governments are some of the largest networks in existence, revealing unique opportunities and challenges as digital transformation marches forward. These networks can comprise tens of thousands of switches and wireless access points across many campus locations, connecting hundreds of thousands of endpoints.

For any organization to successfully transition to a digital world, investment in its network is critical. The network connects all things and is the cornerstone where digital success is realized or lost. The network is the pathway for productivity, collaboration, digitization, and an enabler of improved end user experience. The network is also a critical line of defense in securing enterprise assets and intellectual property.

Cisco SD-Access is a software application running on Cisco DNA Center that helps automate and secure enterprise networks at scale. This document provides design guidance for the large enterprise and government space, focusing on utilizing the new innovations in Cisco SD-Access to create automated simple, secure, scalable, and flexible networks.

Challenges and Requirements

Segmentation

Suborganizations such as government agencies or business units of a parent enterprise may operate as individual businesses while benefiting from economies of scale, such as a shared network infrastructure. Each suborganization may require their applications and network traffic to remain separate on a shared network to meet privacy and security requirements.

Scale

The largest enterprises have a network footprint in hundreds or thousands of cities around the world. The network manager needs to configure, secure, monitor and maintain tens of thousands of switches and wireless access points with hundreds of thousands of connected endpoints.

Consistency

Users and devices may move between locations while expecting a consistent network experience. The same access, security and applications are expected to be available regardless of what building, city or country the user is accessing the network.

BYOD

BYOD (Bring Your Own Device) modalities allow employees or guests to connect personal devices to the enterprise network. Optionally MDM (Mobile Device Management) platforms that onboard BYOD devices may need to be incorporated into the network design.

Air Gap

In some security sensitive enterprises, systems or networks may be physically isolated from other networks, such as the public Internet or untrusted third parties.

IT as a Business (ITaaB)

Some enterprises may have a network management team or department that cross-charges suborganizations to recover the expenses relating to network availability and support. Individual tenant network consumers must be isolated but may require access to a common set of shared services. These networks may go through bursts of change when suborganizations expand, contract or relocate.

Managed Service Providers

An MSP is similar to ITaaB, but the network management team is provided by a contracted external business entity. MSPs can manage the network infrastructure and a variety of end-user systems. MSPs must have visibility into their customer’s networks to ensure applications are available and performing to customer expectations.

How Cisco SD-Access Resolves These Challenges

Cisco SD-Access was founded on the principles of visibility, automation, security, and simplification. Using Cisco DNA Center automation and orchestration, network administrators can implement changes across the entire enterprise environment through an intuitive, GUI-based interface. With DNA Center they can build enterprise-wide Fabric architectures, classify endpoints for security grouping, create and distribute security policies, and monitor network performance and availability.

Fabric Sites and Site Flexibility

An SD-Access Fabric Site is composed of wired and wireless networking devices operating in fabric roles. At a minimum, a Fabric Site must have an SD-Access Border Node and a Control Plane Node, but most often, it will also have Edge Nodes. A Fabric Site may have one or more associated Fabric Wireless LAN Controllers (WLC) and potentially an ISE (Identity Services Engine) Policy Service Node (PSN).

In the Cisco SD-Access architecture:

  • Edge Nodes provide network connectivity to wired endpoints.
  • Fabric Wireless LAN Controllers and Fabric APs provide network connectivity to wireless endpoints.
  • Control Plane Nodes are a mapping system that tracks endpoint attributes and locations.
  • Border Nodes connect a Fabric Site to an external routing domain.

 

Within the SD-Access architecture individual Fabric Sites can range from very small to very large while implementing the same SD-Access configuration models for a consistent and secure user experience. This accommodates the large enterprise that may have a significant footprint at headquarters locations with smaller to medium footprints at branches. An SD-Access Fabric Site design can scale from one switch with one wireless access point to 1,200 switches and 18,000 wireless access points. Figure 1 shows samples of some common Fabric Site design patterns found in the Cisco SD-Access Validated Design document.

image1.png

 Figure 1: Cisco Validated Fabric Site Design Patterns

 

Fabric Sites are a logical construct that offer a high level of design flexibility. A Fabric Site may align to a geographical location, or a campus could be split into multiple Fabric Sites for scaling, or multiple physical locations could be aggregated into a single Fabric Site for design and management simplicity, as shown in Figure 2.

Screenshot 2023-08-14 at 9.01.31 am.png

Figure 2: Flexible Fabric Site Scoping

 

Layer 3 Virtual Networks

Large enterprise sub-organizations, MSP customers or government agencies can generally be referred to as network tenants. The most straightforward and common model to provide isolation for tenants is to segregate them into different Layer 3 Virtual Networks (L3VNs). SD-Access supports up to 256 Layer 3 Virtual Networks within a given Fabric Site to provide complete traffic isolation between tenants within each Layer 3 Virtual Network. Within each L3VN one or more access subnets are assigned to contain endpoints.

image3.png

 Figure 3: Virtual Networks 

In selective cases, communications between endpoints in different Layer 3 Virtual Networks may be necessary. For example, an engineer in a Contractor L3VN might need to reach out to the IoT L3VN to upgrade software remotely on a sensor via a Firewall. This can be easily achieved in the Cisco SD-Access solution, where the Border Node handoff of each L3VN uses a VRF to connect to a Firewall. Using either dynamic routing or default routing, traffic can be routed through the Firewall for inspection.

Screenshot 2023-08-11 at 1.31.31 pm.png

   Figure 4: Inter-Virtual Network Communication

Fabric Zones

Large campuses are comprised of networks across many buildings. The IT teams may have an IP schema where they map subnets to some of the buildings and use it as a geographic identity within the campus. The default behavior of Cisco SD-Access automation is to configure all the subnets on all Edge Nodes, which might not be the desired behavior in all cases. Using the Fabric Zones capability, an administrator can constrain selected subnets to Edge Nodes in one or more zones, preserving the geographically based IP schema.

Multisite Remote Border

For certain tenants, it is not sufficient to zone their subnets into buildings or floors. Tenants may also seek the deployment of exclusive Border Nodes and Control Plane Nodes for their Layer 3 Virtual Networks for full isolation. SD-Access supports Multisite Remote Borders whereby selected Layer 3 Virtual Networks can be terminated on specific Fabric Border Nodes and Control Plane Nodes. Figure 5 depicts the tenant use case.

Multisite Remote Border can also be used to terminate L3VNs across multiple Fabric Sites, which can often be a requirement of Guest access. This allows the organization to have a common Guest subnet across many individual Fabric Sites and funnel all the Guest traffic to a central site where the Multisite Remote Border is located.

Screenshot 2023-08-11 at 5.45.14 pm.png

   Figure 5: Multisite Remote Border

 

Micro-segmentation

Within the scope of a single Layer 3 Virtual Network, customers tend to have further micro-segmentation needs for use cases such as:

  • Placing loan department and credit card department in different security groups.
  • Placing video surveillance of branches and IoT devices like printers in different security groups.

 

For such requirements, in the traditional network architecture, the only means to segment was by separating groups into different subnets enforced by IP ACLs. In Cisco SD-Access, in addition to providing the flexibility of using different subnets, SD-Access provides the flexibility of micro-segmentation, i.e., using the same subnet in a more user and endpoint-centric approach.

Referring to the loan and credit card department example, each group can still be placed in the same subnet. However, by leveraging dynamic authorization, they can be assigned different Security Group Tags (SGTs) by ISE based on their authentication credentials. Traffic between or among these groups can then be enforced by Security-Group Access Control Lists (SGACLs) based on group membership instead of endpoint IP address.

Access to Shared Services

If Shared Services like common DHCP, DNS, and Internet are required they may manifest through per-VRF Border Node to Firewall peering as depicted in Figure 1. Alternatively Shared Services can be leaked into multiple Layer 3 Virtual Networks through an SD-Access Extranet. You do not need a peer device to perform the route-leaking; the route-leaking is done internally within the Fabric, as shown in Figure 6.

Screenshot 2023-08-10 at 6.17.46 pm.png

 Figure 6: Inter-Virtual Network Route Leaking with SD-Access Extranet

Bring Your Own Device and Guest Access

Guest or Bring Your Own Device (BYOD) wireless access provides differentiated access and user policy to known/unknown devices. Guest or BYOD access can be achieved in an SD-Access design by using various options such as Static URL Redirect and RADIUS-Based Change of Authorization (CoA). Cisco DNA Center can configure Central Web Authentication (CWA), External Web Authentication (EWA), and hotspot SSIDs for Cisco WLCs in the Fabric design. With Cisco ISE integrated, customers can use Cisco DNA Center and ISE BYOD workflows to onboard their endpoints by provisioning Certificate Authority (CA) signed endpoint certificates and configuring the network interface and OS native supplicant to utilize the provisioned certificate for network access.

Cisco DNA Center Scale

As of this writing a 3-node XL DNA Center Cluster can manage multiple SD-Access Fabric Sites with an aggregate of:

  • 10,000 switches, routers and wireless controllers.

  • 25,000 wireless access points.

  • 300,000 concurrently connected endpoints.

DNA Center can further scale through horizontal repetition, by integrating multiple DNA Center clusters to a common ISE infrastructure. ISE, which is fundamental to SD-Access, has significant scale capabilities in a single cluster, with support for:

  • 58 nodes (2x PAN, 2x MnT, 50x PSN, 4x pxGrid).

  • 2,000,000 concurrent connected endpoints.

image8.png

 Figure 7: Multiple DNA Center to ISE

Air Gap

DNA Center and ISE are fundamental to deploying and maintaining an SD-Access Fabric. Both appliances can be hosted in the public cloud or the private cloud in either virtual or physical form factors. For highly security sensitive customers both appliances also support deployment in an “Air Gap” mode which means they do not require Internet access, allowing them to be completely isolated from external networks.

Transits

Transits can connect multiple Fabric Sites or can connect a Fabric Site to non-Fabric domains such as a data center or the Internet. Transits are a Cisco SD-Access construct that defines how Cisco DNA Center will automate the Border Node configuration for the connections between Fabric Sites, or between a Fabric Site and an external domain. There are two types of Transits: IP-Based and SD-Access.

A Transit may reside within a single building, a city, a country or it can stretch across continents. Each SD-Access Fabric Site can connect to zero, one or several Transits. DNA Center offers a variety of Transit options, ranging from a per-Fabric-Site interconnect with an existing IP network to a fully automated mesh of Fabric Sites spanning multiple DNA Center clusters, and in some cases around the world.

Screenshot 2023-08-11 at 7.02.51 pm.png

 Figure 8: Transits

DNA Center Automation

Cisco SD-Access Fabric Nodes are provisioned and managed by Cisco DNA Center. A network administrator can quickly configure hundreds or thousands of Fabric Nodes by entering a business intent into the DNA Center User Interface or APIs. DNA Center converts business intent into Cisco best practice wired and wireless configuration models and deploys them into the network infrastructure. This guarantees an error-free, secure and consistent Cisco-validated network implementation within and across Fabric Sites for a consistent user experience. An administrator can accomplish a large-scale configuration change in minutes with zero configuration mistakes.

Monitoring and Troubleshooting

Cisco DNA Center has a powerful Assurance application that provides next-generation visibility into the telemetry that is returned from the network infrastructure. The Assurance suite allows for issues to be alerted, automatically correlated, and triaged via advanced machine analytics. This allows for intelligence to be gathered for a wide range of network and client-related problems, which can be solved either through the Cisco DNA Center user interface or remotely through advanced integration via Rest-API with Service Now or other ITSM applications. Additionally, issues can be prioritized in a severity list and exported for reporting.

Summary

Large Enterprise and Government Networks are expansive and complex. Cisco SD-Access can help to solve the difficult challenges of Large Enterprise and Government Networks by introducing a comprehensive suite of tools for visibility, automation, scalability, consistency, security and Assurance.

 

References

Comments
kadsteph
Cisco Employee
Cisco Employee

Comments on this article have been closed.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Review Cisco Networking for a $25 gift card