Open programmable architecture delivering value beyond connectivity
Co-author: Srini Jasti
In our last blog, we discussed how Cisco delivers consistency and simplicity, with integrated security, across Enterprise domains. Now we’ll discuss in more detail how this is done.
“People who are serious about software should make their own hardware” – Alan Kay
Cisco uniquely develops its own hardware and software, including silicon for Switching, Wireless, and Routing platforms. This allows Cisco to deliver unique innovations and optimizations pertaining to network-specific needs, such as:
- StackPower/StackWise, AVB, MACsec-256, and ERSPAN for Switching
- CleanAir, Flexible Radio Assignment and Hyperlocation for Wireless
- Advanced hardware queueing and Deep Packet Inspection for Routing
- Flexible Netflow (FNF), Scalable Group Tags (SGT), VXLAN, and NBAR2 across all the domains
These unique innovations in hardware and software enable Cisco to deliver value well beyond connectivity in areas such as security, visibility, and high availability, and they are the foundation for the evolution to an Intent-based architecture.
Built-in Security and Network Visibility for Proactive Insights
FNF and NBAR2 are the foundational enablers for the Security and Application Visibility embedded in the platforms. Cisco Switching, Routing and Wireless platforms incorporate special hardware and software to collect information about all the flows in the network (not just a sample of them) and deep packet inspection capability to identify applications, all without slowing the network down. This flow-level visibility is what allows an advanced security service such as Encrypted Traffic Analytics (ETA) to detect malware in encrypted traffic without decrypting it: the flow metadata is analyzed by Cisco Stealthwatch, working in conjunction with Cisco Talos, Cognitive Threat Analytics (CTA), and Threat Grid. The same foundation enables Application Assurance, advanced Application Policy, and Network as a Sensor.
- Granular Visibility: Model-driven telemetry (MDT, otherwise known as Streaming Telemetry) provides a mechanism to stream data from Switches, Routers, and Wireless devices to a destination. By subscribing to a data set defined in a YANG model, the specific event data can be streamed on-change, providing near-real-time monitoring of the network, leading to quick detection and rectification of failures.
- Intelligent Capture: Gather contextual data ranging from live client onboarding to on-demand RF scanning to real-time Wi-Fi analytics and client location. Actionable insights are provided by analyzing packet captures across multiple network elements, with zero packet loss.
Simplified Management for an Always-on Network
Network Automation is a new paradigm for network configuration, operation and monitoring. Cisco’s solution delivers the following across wired and wireless in the Enterprise:
- Automated device provisioning: This is the ability to automate the process of upgrading software images and installing configuration files on Cisco Switches, Routers, and Wireless devices when they are being deployed in the network for the first time. Cisco provides turnkey solutions such as Plug and Play (PnP) that enable an effortless and automated deployment. Automatic device provisioning is also provided using Zero Touch Provisioning (ZTP) which, while not a turnkey solution like PnP, is offered for greater flexibility and compatibility with numerous device types.
- API-driven configuration: Cisco platforms support a wide range of automation features and provide robust open APIs over the Network Configuration Protocol (NETCONF) using YANG data models, so that external tools, both off-the-shelf and custom built, can automatically provision network resources. Most platforms also support RESTCONF and gNMI APIs.
- Seamless software upgrades and patching: To enhance OS resiliency, Cisco IOS XE supports patching, which provides fixes for critical bugs and security vulnerabilities between regular maintenance releases. This support allows customers to add patches without having to wait for the next maintenance release.
- Application Hosting: Cisco Switches and Routers support hosting of applications directly in the infrastructure. Container/VM app hosting covers Analytics, Security, IoT, Validation/Troubleshooting tools (Wireshark, iPerf, etc.), Cloud Connectors, CI/CD applications, and more. These platforms support local storage of 120GB and above for application data.
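As an added example (not code from Cisco or from this post), here is the subscription step described under Granular Visibility, together with the NETCONF/YANG API just mentioned, in Python: it builds the on-change establish-subscription RPC a collector sends and parses a constructed push-update of the kind a device streams back. The IETF draft namespaces are assumed to match what IOS XE implements, and the interface names and timestamp are made up.

```python
# Added example (not Cisco's code): build the NETCONF <establish-subscription>
# RPC that starts an on-change YANG-push (MDT) subscription, then parse the
# push-update a device streams back. The namespaces follow the IETF draft form
# IOS XE implements (assumed here); the notification below is constructed.
import xml.etree.ElementTree as ET

NS_NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
NS_EN = "urn:ietf:params:xml:ns:yang:ietf-event-notifications"
NS_YP = "urn:ietf:params:xml:ns:yang:ietf-yang-push"
NS_IF = "urn:ietf:params:xml:ns:yang:ietf-interfaces"
for prefix, uri in (("nc", NS_NC), ("en", NS_EN), ("yp", NS_YP)):
    ET.register_namespace(prefix, uri)


def build_on_change_subscription(xpath, dampening_ms=0, msg_id="101"):
    """Serialize the RPC; a dampening-period of 0 pushes every change (on-change)."""
    rpc = ET.Element(f"{{{NS_NC}}}rpc", {"message-id": msg_id})
    est = ET.SubElement(rpc, f"{{{NS_EN}}}establish-subscription")
    ET.SubElement(est, f"{{{NS_EN}}}stream").text = "yp:yang-push"
    ET.SubElement(est, f"{{{NS_YP}}}xpath-filter").text = xpath
    ET.SubElement(est, f"{{{NS_YP}}}dampening-period").text = str(dampening_ms)
    return ET.tostring(rpc, encoding="unicode")


def parse_push_update(notification):
    """Return (subscription-id, {interface name: oper-status}) from a push-update."""
    root = ET.fromstring(notification)
    update = root.find(f"{{{NS_YP}}}push-update")
    if update is None:
        raise ValueError("not a YANG-push update")
    sub_id = update.findtext(f"{{{NS_YP}}}subscription-id")
    status = {}
    for intf in update.iter(f"{{{NS_IF}}}interface"):
        status[intf.findtext(f"{{{NS_IF}}}name")] = intf.findtext(f"{{{NS_IF}}}oper-status")
    return sub_id, status


# Constructed sample: the on-change push seen after one access port goes down.
SAMPLE_UPDATE = f"""<notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0">
  <eventTime>2019-05-01T12:00:00Z</eventTime>
  <push-update xmlns="{NS_YP}">
    <subscription-id>2147483650</subscription-id>
    <datastore-contents-xml><interfaces xmlns="{NS_IF}">
      <interface><name>GigabitEthernet1/0/1</name><oper-status>down</oper-status></interface>
      <interface><name>GigabitEthernet1/0/2</name><oper-status>up</oper-status></interface>
    </interfaces></datastore-contents-xml>
  </push-update>
</notification>"""
```

A collector would send the RPC over an existing NETCONF-over-SSH session and then feed each incoming notification to parse_push_update to drive alerting on the change.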
Orchestrating and Assuring the network from an Enterprise-wide view
Custom ASICs enable Cisco to future-proof customers for ever-changing digital businesses by delivering beyond standards. Modern and modular IOS XE support across the portfolio supports IT simplicity and scale. More importantly, all of Cisco's next-generation platforms are built from the ground up for Intent-Based Networking (IBN). Cisco SD-Access, Cisco's IBN architecture for the Campus, provides automated end-to-end segmentation to separate user, device and application traffic.
Cisco SD-Access automates user access policy so organizations can make sure the right policies are established for any user or device with any application across the network. Instead of defining a policy separately for your LAN, wireless LAN and WAN, you define it once and apply it to all three domains. SD-Access provides "policy-based automated network enforcement" for access, security, application quality and monitoring across ALL network domains. Cisco SD-Access delivers macro-segmentation using Virtual Networks (VRFs) and micro-segmentation using Scalable Group Tags (SGTs). VXLAN is the data plane encapsulation protocol that carries the Virtual Network and SGT identifiers and is forwarded by the specialized silicon in the hardware platforms, while LISP is the fabric control plane protocol that keeps track of devices and users as they connect and move within the fabric.
“It is clear that SD-Access is the future; it is the only way we can keep up with the explosion of connected devices” -Marty Miller, Technology Specialist, CHLA
Cisco DNA Center is the single pane of glass where all of this comes together. It is the single point of Orchestration, Automation, and Assurance for the network.
- Automation for Provisioning: Software Image Management (SWIM) manages the images for your network devices and, when it detects a device is not conformant with images deemed as “Golden” in your environment, can automatically update the device. Cisco Plug-n-Play (PnP) enables zero-touch deployment for new devices as they are added to your network.
- Analytics for Assurance: Cisco DNA Center receives contextual information from the network devices, endpoints, and applications and delivers rich assurance functionality. It delivers unprecedented visibility, proactive insights, real-time troubleshooting, and predictive performance.
“The new Cisco Catalyst 9000 provides us the performance we need, and the security features that are critical for our healthcare records. The new network, powered by Cisco® Digital Network Architecture (Cisco DNA), gives us granular insight into who the users are, the devices they use, and the applications they access, all with the ability to learn and adapt to changes and needs in the network.” – Michel Fontaine, CHC (Belgium)
Cisco DNA Center is also the place where the network can be designed, policy is created, and devices are deployed in the network, for SD-Access (fabric based) and non-fabric based environments. Next time we’ll explore DNA Center a bit closer. In the meantime, here is a teaser showing Wired and Wireless Client Health in DNA Center.
Check out our array of wireless products here: https://www.cisco.com/c/en/us/products/wireless/index.html
You can find out more about Cisco DNA Center here: https://www.cisco.com/c/en/us/products/cloud-systems-management/dna-center/index.html
Cisco Switches: https://www.cisco.com/c/en/us/products/switches/index.html