Segment Routing & SD-Access

TNSC2021
Level 1

Imagine a large enterprise with both IT and OT networks where the challenges include:

1) Keeping up with lifecycle - too many network silos engineered for specific use cases, too many platforms to lifecycle.

2) Operations - the network landscape is complex, support is expensive, spare parts and skills are becoming scarce.

3) Digitisation - network silos translate to data silos, which adversely impair digital transformation efforts.

4) IoT endpoints - building management, CCTV, digital signage, sensors... growing 100x faster than IT-managed devices.

5) Culture - OT divisions do not value modern and agile; they value only integrity and availability, and are used to running their own show.

6) Security - security zoning is simple in concept, hard to implement in brownfields, especially in safety-critical networks.

The CCI CVD provides some guidance for converged IT/OT networks leveraging SD-Access.

The introduction of service provider technologies such as private LTE accelerates digital transformation by providing wide-area high-speed connectivity. Likewise, 5G promises to continue that trend, completely transform industries and turn the cities of today into the smart cities of tomorrow.

With one eye on the future, it is clear that 5G and IPv6 are strategic network technologies that enterprises should keep an eye on and provide support for, considering the innovation potential and the explosive growth in IoT.

Today, as both service provider and enterprise networks embrace software-defined networking and intent-based networking capabilities, both network managers and their finance counterparts are changing the way they look at networks, viewing the entire network as a system/platform and asset.

However, enterprise networks and service provider networks are technically like two different schools of thought. Each solves different challenges, but for some enterprises these worlds are fast colliding, and while it is easy to have two networks, both network managers and architects are left wondering: is it possible to have a single converged network with the best of both worlds without duplicating any infrastructure?

The name of the game is investment optimisation. Once upon a time, IBM introduced logical partitions to the mainframe. This allowed different divisions in a company, or subsidiaries within a multi-national company, to share a mainframe while providing all the benefits of isolation and lower costs.

If the goal is to have a single multi-service IT/OT network with the best of the SP world, including 5G/TE, and the best of the EN world, including fabric architecture, device profiling and micro-segmentation, then...

1. Is it possible to have a segment routed forwarding plane, MPLS/IPv6 data plane, BGP EVPN control plane and CTS policy plane?

2. If 5G network slicing is end-to-end, does that mean that a separate parallel terrestrial network, including the access layer, needs to be built to support this?

3. Is it possible to use SGTs to enforce security policy on the access layer of a segment routed network?

Any guidance would be much appreciated. Thanks.

2 Replies

Hi,

I guess you are mixing a lot of different-purpose technologies here. But just to be short: it's up to you how you build your underlay (i.e. SR), as long as it is in compliance with the SDA metrics requirements.

Jonathan Cuthbert
Cisco Employee

@TNSC2021 wrote:

1. Is it possible to have a segment routed forwarding plane, MPLS/IPv6 data plane, BGP EVPN control plane and CTS policy plane?

I wanted to comment on this part in particular.

Let's take SD-Access, segment routing, and all the rest out of the equation for a second and just look at this: what methods can be used to carry SGT policy information?

There are three methods:

1. SGT Exchange Protocol over TCP (SXP)

2. SGT inline tagging (CMD - Cisco Metadata)

3. Tunneling (encapsulation) technology (examples: VXLAN-GPO/SD-Access fabric VXLAN, SGT to IPsec such as in Cisco SD-WAN).

CTS in general is egress enforcement. The tag is applied on ingress.

Here is the challenge with SXP: the endpoint-to-SGT mapping needs to come from somewhere.

So if your ingress device is an access switch, you could build SXP peerings from each of those... That's a scaling discussion that is outside the scope of this reply.

You could enforce at a central location, such as some sort of edge device (the 'border' between your overlay network and the rest of the world, or some next-hop device in the chain). You still need a way to communicate the mappings from the access layer up to that device, which is going to require SXP or inline tagging.

So if we apply all that information to your question, the underlying question is: can we do SXP or inline tagging over an MPLS network or a segment routing network? Inline tagging over MPLS is not possible. Could you do SXP? Maybe, but we are still left with the question of how we got the endpoint-to-SGT information to the SXP speaker.

@TNSC2021 wrote:

Imagine a large enterprise with both IT and OT networks where challenges include:

However, enterprise networks and service provider networks are technically like two different schools of thought. Each solves different challenges,

If the goal is to have a single multi-service IT/OT network with the best of the SP world including 5G/TE and the best of the EN world including fabric architecture, device profiling and micro-segmentation, then...

These two networks are two different schools of thought. As much as we would like it to be otherwise, these are still different networks solving different challenges.

If you look at our Enterprise Architecture Model, the way we build networks is in blocks. We have the Enterprise Campus Network block, the services block, the WAN block, the WAN edge block, etc. We build the blocks, we connect the blocks. The idea here is that it is an end-to-end network in terms of reachability, but it is not an end-to-end network that is one protocol, one manager, one team overseeing all of it. It's too big, too much, too many different problems being solved. These are separate entities. Things aren't separated into blocks to enforce this idea of silos. They are separated into blocks, into chunks, as this is the tried and true method for building complex anything, inclusive of networks.

@TNSC2021 wrote:

Imagine a large enterprise with both IT and OT networks where challenges include:

If the goal is to have a single multi-service IT/OT network with the best of the SP world including 5G/TE and the best of the EN world including fabric architecture, device profiling and micro-segmentation, then...

Any guidance would be much appreciated. Thanks.

Our over-arching solution is our multi-domain concept, which provides a method of carrying macro- and micro-segmentation from the campus to the data center to the branch across the WAN. This is a combination of our three key solutions of SD-Access, SD-WAN, and ACI.
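The ingress-tag/egress-enforce model and the "where does the SGT come from" problem described in the reply above, as an added worked example that is not part of the original thread and is not Cisco code. It assumes the VXLAN-GPO header layout from draft-smith-vxlan-group-policy (G bit in the first flags byte, A bit for policy-applied in the second, 16-bit Group Policy ID carrying the SGT, 24-bit VNI); the IP-to-SGT bindings, the SGACL matrix, and the addresses are constructed for illustration. The egress function uses the inline tag when the packet carries one and falls back to an SXP-style binding table when it does not, which is the situation the reply describes for a transport such as MPLS that cannot carry the tag inline.

```python
"""Constructed example: SGT carried inline (VXLAN-GPO) or learned via SXP,
enforced at egress against an SGT/DGT matrix. Not Cisco code."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# VXLAN-GPO header bits (draft-smith-vxlan-group-policy); assumed layout.
FLAG_G = 0x80  # byte 0: Group-Based Policy extension present
FLAG_I = 0x08  # byte 0: VNI field is valid
FLAG_D = 0x40  # byte 1: Don't Learn the source address
FLAG_A = 0x08  # byte 1: policy already Applied upstream, do not re-enforce


@dataclass
class VxlanGpo:
    vni: int
    sgt: Optional[int]  # Group Policy ID; None when the G bit is clear
    applied: bool
    dont_learn: bool


def build_vxlan_gpo(vni: int, sgt: Optional[int] = None, applied: bool = False) -> bytes:
    """Encode the 8-byte VXLAN header; the SGT goes into the Group Policy ID."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    flags0, flags1, gpid = FLAG_I, (FLAG_A if applied else 0), 0
    if sgt is not None:
        if not 0 <= sgt < 1 << 16:
            raise ValueError("SGT must fit in 16 bits")
        flags0 |= FLAG_G
        gpid = sgt
    # flags(1) flags(1) group-policy-id(2) vni(3)+reserved(1)
    return struct.pack("!BBHI", flags0, flags1, gpid, vni << 8)


def parse_vxlan_gpo(hdr: bytes) -> VxlanGpo:
    """Decode the header; the SGT is only meaningful when the G bit is set."""
    if len(hdr) < 8:
        raise ValueError("truncated VXLAN header")
    flags0, flags1, gpid, vni_res = struct.unpack("!BBHI", hdr[:8])
    if not flags0 & FLAG_I:
        raise ValueError("VXLAN I bit clear: VNI not valid")
    return VxlanGpo(vni=vni_res >> 8,
                    sgt=gpid if flags0 & FLAG_G else None,
                    applied=bool(flags1 & FLAG_A),
                    dont_learn=bool(flags1 & FLAG_D))


# Constructed IP-to-SGT bindings, the kind SXP would deliver to an enforcer.
SXP_BINDINGS: Dict[ipaddress.IPv4Network, int] = {
    ipaddress.ip_network("10.10.0.0/16"): 10,  # IT users
    ipaddress.ip_network("10.20.0.0/16"): 20,  # OT engineering workstations
    ipaddress.ip_network("10.30.0.0/16"): 30,  # PLCs / IO servers
    ipaddress.ip_network("10.40.5.0/24"): 40,  # building management, CCTV
}
UNKNOWN_SGT = 0  # hypothetical value for "no binding known"


def lookup_sgt(ip: str) -> int:
    """Longest-prefix match of an address against the binding table."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[ipaddress.IPv4Network, int]] = None
    for net, sgt in SXP_BINDINGS.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, sgt)
    return best[1] if best else UNKNOWN_SGT


# Constructed SGACL matrix: (source SGT, destination SGT) -> action.
SGACL: Dict[Tuple[int, int], str] = {
    (10, 10): "permit", (20, 20): "permit", (20, 30): "permit",
    (30, 20): "permit", (10, 40): "permit", (10, 20): "deny",
}
DEFAULT_ACTION = "deny"  # anything not in the matrix, including unknown SGTs


def egress_decision(vxlan_hdr: Optional[bytes], src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """Egress enforcement. Returns (action, where the source SGT came from).

    vxlan_hdr is None when the packet arrived over a transport that cannot
    carry the tag inline (the MPLS / segment routing case in the reply); the
    enforcer must then rely on an SXP-learned binding for the source address.
    """
    src_sgt, origin = None, "inline"
    if vxlan_hdr is not None:
        tag = parse_vxlan_gpo(vxlan_hdr)
        if tag.applied:
            return "permit", "applied-upstream"  # A bit: policy already enforced
        src_sgt = tag.sgt
    if src_sgt is None:
        src_sgt = lookup_sgt(src_ip)
        origin = "sxp" if src_sgt != UNKNOWN_SGT else "unknown"
    dst_sgt = lookup_sgt(dst_ip)  # destination group is always a binding lookup
    return SGACL.get((src_sgt, dst_sgt), DEFAULT_ACTION), origin


if __name__ == "__main__":
    tagged = build_vxlan_gpo(vni=4097, sgt=20)
    print("fabric path :", egress_decision(tagged, "10.20.1.5", "10.30.0.9"))
    print("mpls path   :", egress_decision(None, "10.20.1.5", "10.30.0.9"))
    print("no binding  :", egress_decision(None, "192.0.2.1", "10.10.0.1"))
```

The two prints for the same flow show the point of the reply: over the fabric the source SGT rides in the encapsulation, while over a tag-less transport the enforcer can only act if something (SXP here) has already told it the source address's group; a source with no binding collapses to the unknown group and hits the default action.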