Asfandyar,
I have been working with customers to design Cisco SD-Access solutions for about 4 1/2 years, and the most common reasons I see for their desire to adopt the solution are:
Multi-tier Segmentation
With most traditional networks, segmentation is achieved at the Access Layer port using VLANs that terminate with an SVI in a common routing table shared by all other SVIs. This means that if that routing table is compromised, all of the VLANs terminating in that routing table can be compromised. The increasing adoption of IOT and BYOD devices has made the attack surface of a network broader, with many of these devices having weaker security than a corporate laptop / desktop / tablet.
With SD-Access, there is multi-tier segmentation at the Access Layer port by using VRFs and Scalable Group Tags (SGTs). This means that a routing table can be carved into secure partitions, using VRFs, to accommodate different types of clients / devices (IOT / BYOD / corporate / etc). This reduces the impact that a compromised device can have on the network as a whole since the routing tables are isolated. This isolation of the routing space can be maintained outside the fabric as well, with the VRFs being carried into the WAN and/or DC to terminate on a firewall.
Within the VRFs , traffic can be tagged with SGTs to allow for what we call micro-segmentation, meaning segmentation within a segment (VRF). With SGTs, inter-group and/or intra-group security rules can be established to enforce policies as desired. These two levels of segmentation, network-level with VRFs and group-level within a VRF with SGTs, provide a capability that cannot be achieved in a traditional network. Just as with VRFs, this micro-segmentation with SGTs can be maintained outside the fabric and can be enforced on a firewall.
While both VRFs and SGTs can be used in traditional networks, SD-Access provides the only solution where they can be used together to provide the highest level of security at the port level.
Dynamic Security
While applying VRFs at the port level is possible in a traditional network, it would be a very challenging environment from a support perspective, especially in networks where users and devices are mobile and/or the work environment is flexible. By using 802.1x to authenticate users/devices, the VRF into which a user/device is placed will depend on where they authenticate. Every port in an SD-Access fabric is dynamically assigned a VRF and SGT based on the device that is currently authenticated in that port .
Let us imagine a flexible work space where users plug into any available docking station in any available cube. Now let us say that User A is in Port 1 and is assigned VRF A and SGT A. If that user unplugs and now User B plugs into that docking station, that port could be assigned VRF B and SGT B if User B authenticates into a different VRF and group (SGT) than User A. Or, the port for User B could be in VRF A but Group B if both users are in the same VRF but different groups (sales vs engineering, for example).
From a wireless perspective, SD-Access provides this same benefit, given that fabric-capable Catalyst switches support the multi-authentication 802.1x capability on a port. This means that many clients can be authenticated into many different VRF / SGT combinations on one Access Point. In addition, the security of the VRF/SGT combination starts on the AP itself, as the packet header that provides that multi-tier security is added as part of the data packet on the AP. This moves the security boundary for the network infrastructure as far out to the edge as possible for wireless clients.
Finally, VRFs and SGTs are not site specific, meaning they can be used across an entire fabric domain. A fabric domain consists of one or more sites administered by the same Cisco DNA Center orchestration / assurance platform. As an example of an actual customer I have worked with that needs this kind of multi-site security, imagine a university that has two campuses: the main campus in the center of the city and a research campus in another part of the city. The research campus houses tenant companies that do research projects with the university, and these companies may come and go and different projects are undertaken. Professors and students from the main campus work with these researchers on the second campus, so the university wants their security policies (VRF and SGT) to follow them to this other site. Likewise, the researchers will sometimes go to main campus, and their security policies follow them to that site.
It is the dynamically mobile nature of the multi-tier security that gives SD-Access an edge over a traditional network.
Simplification and Orchestration
An additional benefit of SD-Access is that all of the Fabric Edge Nodes, into which users and devices will connect, are essentially configured the same. The only difference in configuration between one Fabric Edge Node and another will be a few IP addresses used for the fabric Underlay (packet transport) and for management of the device. Other than that, the configurations are identical because they are put in place by Cisco DNA Center. Cisco DNA Center is an orchestration and assurance platform that provides a GUI interface for network engineers to build, change and monitor an SD-Access environment. By using such a platform, the number of configuration errors is greatly reduced, and the ability to make changes become much easier.
If a new Virtual Network (VN .. the name for a VRF in DNA Center) is needed, a simple GUI workflow allows an engineer to deploy this change across the entire fabric domain in minutes. If a new building / floor / wiring closet is brought online and needs to be a member of the fabric, a simple GUI workflow enables this change in a matter of minutes. If a user is having a network issue, the platform provides detailed analytical capabilities to quickly find that user and begin the troubleshooting process.
There are such tools available for traditional networks, but it usually takes multiple tools to accomplish what can be accomplished with DNA Center.
What I have given you here is a high level overview of the value of an SD-Access network compared to a traditional network based on my own experiences and customer feedback. These are by no means the only capabilities of SD-Access and/or DNA Center. For a deeper understanding, I suggest you look at some of the presentations in the On-Demand Library at ciscolive.com, focus on the newest ones from 2020 unless there is a topic from a prior year not covered this year. If you have additional questions, feel free to post them here or message me directly.
The university customer I referenced here is called Waterford Institute of Technology, and you can find their case study here : https://blogs.cisco.com/networking/wit-fosters-startups-and-nurtures-students-with-an-open-yet-secure-network.
Cheers,
Scott Hodgdon
Senior Technical Marketing Engineer
Enterprise Networking and Cloud Group
