Jim Grubb talks to Jeff McLoughlin, Principal TME, Cisco Enterprise Switching & Wireless, about the value adds of SDA (efficiency, automation, scalability, security) and what they mean for network operations now and in the future.
In the pilot episode of The Grubb Cast I introduced myself and offered my thoughts on the effects of automated provisioning and visibility tools on networks and network operators. In this episode, I was pleased to be able to sit down with Jeff McLoughlin, a Principal TME in the Enterprise Switching and Wireless group to take a closer look at the new tools.
Jeff and I first spoke about Cisco Unified Access® – and why the creation of the Switching & Wireless group represented not only an organizational change for Cisco, but also a fundamental shift in the way we think of networks and security.
Wired and wireless access is unified at Cisco because policy should be based on the user, the device they use to access the network (PC, tablet, phone), and the location they are connecting from as they move through the network. With a mobile user community, the IP address is of limited use as a means of identifying a user, so we have to integrate user-level authentication. Identity-based policy also makes life much easier for the network administrator, because the current spreadsheet/Visio/text-file methods of keeping track of ACLs and QoS queues are no longer necessary. DNA Center provides flexible, scalable, efficient tools that help us keep pace with the changing needs of an itinerant workforce. Unified Access is quickly becoming a business need rather than a convenience.
Cisco Software Defined Access (SDA)
Cisco Software Defined Access unifies wired and wireless policies as part of the Network Intuitive. It uses software to manage the network in a fundamentally different way – with more efficiency, more automation, more scalability, and more secure and standardized policy application. SDA is a campus fabric: a physical network topology with an overlaid virtual network that delivers secure policy in a software-defined environment.
Cisco Identity Services Engine (ISE), a component of SDA, is the gold standard for authentication and is required for the first release of SD-Access. It allows you to build more complex policies using drag and drop and just a few mouse clicks to establish segmentation and micro-segmentation. In contrast, in the past an engineer had to log into every device and manually provision it, box by box, throughout the network.
Micro-segmentation delivers very strong security, if you can manage to get it implemented. Doing it manually is very time consuming, error prone, and just plain hard. The problem is that the more granular the micro-segmentation, the more overhead it creates, and that complexity turns into a tremendous workload. SDA lets you establish a policy using modern point-and-click tools; the configuration is then carried out through automation between the DNA Center controller and the devices in the fabric.
The Four-Stage Workflow
The meat of the podcast discussion was SD-Access implementation. You can implement via the CLI, the old-school way, or use the management layer of Cisco DNA Center. This provisioning, management, and troubleshooting solution performs discovery, automatic provisioning, and management of both overlay and underlay in a greenfield environment. In a brownfield environment, it discovers and maps the existing network, then lets you add devices to the fabric.
Implementation is a four-stage workflow – design, policy, provision, and assurance.
- Design – In this phase we define the hierarchy of sites, starting global and working down. We import floor plans and wireless AP placement, and define global and local settings for the fabric. This phase establishes consistency, which makes troubleshooting easier and increases scalability.
- Policy – Here we define the policy for the virtual networks and also set up containers for groups or users. When we define groups, traffic is permitted by default. Inside the group, endpoints can talk by default, but we can set up policies that prohibit them from talking – even if they’re on the same subnet, the same VLAN, or in the same location.
- Provision – After the devices are discovered into the tool, we identify which devices are in the fabric and what their roles are. Then we use the GUI to set them up and push the configuration, either immediately or at a scheduled time.
- Assurance – The assurance phase is where we set up monitoring and troubleshooting for wired and wireless networks. DNA Center gives all the usual monitoring information, like a health score and notifications, but also provides visibility into flows and user traffic. Rather than needing an IP address to determine where a user is and what they’re doing, you can type in a username and get their IP address and MAC address and perform path traces – lots of client-level information. Assurance provides end-to-end visibility, including showing which devices have issues, and then presents possible troubleshooting steps.
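To make the policy and assurance points above concrete, here is a small model, written for this post rather than taken from DNA Center or ISE, of identity-based micro-segmentation: endpoints are classified into groups at authentication, the policy is a source-group by destination-group matrix that permits unless a deny contract exists, and the decision ignores subnet and VLAN entirely. The endpoint table, group names and contracts are constructed sample data, and the username lookup mirrors the assurance workflow of going from identity to IP and MAC rather than the other way round.

```python
from dataclasses import dataclass
from ipaddress import ip_interface

@dataclass(frozen=True)
class Endpoint:
    user: str
    device: str
    ip: str      # address with prefix length, e.g. "10.1.1.10/24"
    mac: str
    vlan: int
    group: str   # scalable group assigned at authentication (assumed ISE-style)

# Constructed sample: two employee devices and a lobby camera share VLAN 10
# and 10.1.1.0/24; an ERP server sits in a different VLAN and subnet.
ENDPOINTS = [
    Endpoint("alice", "laptop", "10.1.1.10/24", "00:11:22:33:44:01", 10, "Employees"),
    Endpoint("bob", "tablet", "10.1.1.11/24", "00:11:22:33:44:02", 10, "Employees"),
    Endpoint("cam-lobby", "camera", "10.1.1.50/24", "00:11:22:33:44:03", 10, "IoT"),
    Endpoint("erp-srv", "server", "10.2.0.5/24", "00:11:22:33:44:04", 20, "Servers"),
]

class GroupPolicy:
    """Source-group x destination-group matrix; permit unless a deny contract exists."""
    def __init__(self):
        self.contracts = {}  # (src_group, dst_group) -> "permit" | "deny"

    def deny(self, src_group, dst_group):
        self.contracts[(src_group, dst_group)] = "deny"

    def decide(self, src, dst):
        # Only the groups matter; IP addresses and VLANs are never consulted.
        return self.contracts.get((src.group, dst.group), "permit")

def same_segment(a, b):
    """True when both endpoints share a VLAN and an IP subnet."""
    return a.vlan == b.vlan and ip_interface(a.ip).network == ip_interface(b.ip).network

def find_by_user(user):
    """Assurance-style lookup: identity in, IP/MAC/VLAN/group out (None if unknown)."""
    return next((e for e in ENDPOINTS if e.user == user), None)

def build_policy():
    p = GroupPolicy()
    p.deny("Employees", "IoT")   # workstations may not manage cameras directly
    p.deny("IoT", "Employees")   # and a compromised camera cannot reach workstations
    p.deny("IoT", "Servers")
    return p

def evaluate(policy, src_user, dst_user):
    """Return whether the pair shares a segment and what the group policy decides."""
    src, dst = find_by_user(src_user), find_by_user(dst_user)
    return {"same_segment": same_segment(src, dst), "decision": policy.decide(src, dst)}
```

The key observation is that alice and cam-lobby are on the same subnet and VLAN yet are blocked, while alice and erp-srv are in different segments yet are permitted: the policy follows identity, not topology.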
Cisco is drawing on years of experience and knowledge to develop self-diagnosing, self-healing solutions for the #NetworkIntuitive. I look forward to addressing more of them in podcasts in the coming weeks with other experts, and to doing more dCloud demonstrations with Jiwan to show the solutions.
- Cisco Software Defined Access video
- DevNet learning labs, APIs, programmability resources
- Digital Network Architecture (DNA) Solutions with APIC-EM