
Inside Cisco IT: The New Catalyst 9000 Series and Software Defined Access

John Moe, Cisco IT Member of Technical Staff

BRKCOC-2299


© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session.

How:

1. Find this session in the Cisco Live Mobile App

2. Click “Join the Discussion”

3. Install Spark or go directly to the space

4. Enter messages/questions in the space

cs.co/ciscolivebot#BRKCOC-2299

Agenda

• Cisco IT Overview

• DNA and the Next Generation Network

• Catalyst 9000 Series and Open IOS-XE

• Software Defined Access (SDA)

Cisco IT Overview

More Than 150,000 People Worldwide in the Extended Cisco Family

• 300+ Locations in 93 Countries

• 500+ Buildings

• 70,000+ Employees

• 50,000+ Contractors

• 200+ Business/Support Partners

• 6000+ Switches

• 5000+ Routers

• 600+ WLCs

• 11,000+ APs

• 1000+ Labs Worldwide

• 5 Production Data Centers

• 40 Non-prod Data Centers

• 13,000+ UCS Servers

• 60,000+ Virtual Machines

• 5000+ Business Applications


Cisco IT Global WAN Backbone


Branch Office WAN Classifications and LAN Topologies

• Business Performance (2A/2A+): Headcount >300 or Business justified
• Business Essential (2B): Headcount >25 or Business justified
• Business Ready (2C): Headcount <25

Small Office

• Single WAN router
• No wiring closets or physical infrastructure
• Equipment located in portable comm rack
• Low LAN SLA configuration

Medium Office

• Dual WAN routers
• Typically single floor and VLAN domain
• 1 or more wiring closets with cabling infra to the primary wiring closet
• High LAN SLA configuration

Large Office

• Dual WAN routers
• Typically multiple floors and VLAN domains
• 1 or more wiring closets per floor with cabling infra to the primary wiring closet
• High LAN SLA configuration

Secure Internet Office

Hybrid WAN for Cost Savings

• Current state: Branch (2B) with Private (active) and Private (backup); 75% / 25%
• Phase 1: Branch (2B) with Private (active) and iVPN (active); 85% / 15%
• Phase 2: Branch (2B) with Private (active) and iVPN + DIA (active); 90% / 10%

Cisco IT’s Cloudport Solution

Diagram labels: Cisco Data Centre, Carrier Neutral Facility, Dark Fiber DWDM Ring, Campus Location, Sales Office, SIP

Numbered connections:

1. Internet

2. Branch Office Connectivity

3. Backbone Connectivity

4. Cloud Internet Exchange

5. Private Cloud Interconnect

6. Extranet Partners

7. Media/SIP service

Workspace Optimization

Cisco IT Device Landscape (November 30th, 2017)

• 130,643 Corporate Provided Devices (CYOD): 78,287 (-0.1%), 46,391 (-4.5%), 5,965 (+0.5%)
• 66,804 Mobile Devices (BYOD): 357 (-3.1%), 7,617 (-1.2%), 13,950 (+4.3%), 44,880 (+5.2%)
• 1.17 devices / user

18 month Sparkline. Growths Based on a 3 Month Period.

Cisco IT UC and Video Platform Services

Endpoints:

• 131,000 IP Phones
• 68,000 Soft Clients
• 1,759 Immersive
• 7,000 Desktop / Personal
• 97,000 WebEx Clients
• 8,700 Video Conference Bridge Ports
• 67,000 Mobile Devices
• 6,600 Contact Center Clients

Platforms:

• Unified Communications Manager (UCM): 33 clusters in 12 Sites
• Telepresence Management Suite (TMS): 1 cluster, 73 VCS / VCS Expressway nodes
• Unity Connection (Voicemail): 19 clusters in 9 Sites
• Unified Contact Center Enterprise (UCCE): 6 clusters, 12 IVRs, 2 ICMs in 6 Sites

DNA and the Next Generation Network


Cisco IT - Location as a Service

CMX Location Data (via API)

Use cases:

• Wayfinding. Customer: Cisco IT. Application: Cisco Maps, Phunware, Beam Pro
• Space Utilization. Customer: WPR. Application: Rifiniti
• Asset Management. Customer: Cisco Labs. Application: IoT Platform
• Active RFID Tracking. Customer: Supply Chain. Application: TagIt
• Asset Detection. Customer: Security. Application: Face Recognition

Foundational Infrastructure and Service: Wireless Network Infrastructure (Hyperlocation/CleanAir/BLE)

Endpoints: iOS, Android, macOS, Windows, RFID tags, BLE tags

Rifiniti Space Utilization


Suitable Technologies Beam Pro Wi-Fi LBS Integration


Cisco IT - Lighting as a Service

Lighting Control Data (via API)

Use cases:

• Workspace Personalization. Customer: Cisco IT. Application: Cisco Maps
• Emergency Pathway Out. Customer: Safety/Security. Application: Flash lights or illuminate path
• First Responder In. Customer: Safety/Security. Application: Flash lights or illuminate path
• Customized Lighting. Customer: Cisco IT. Application: Cisco Proximity

Foundational Infrastructure and Service: Wired Network Infrastructure

Endpoints: NuLED, CREE, Philips

Personalized Control of Lighting Environment

Cool white Warm white


A Ten Year Journey…

Timeline (2007, Today, 2020): Any Device, Mobility; Pervasive Video; Changing Expectations

Expectations have changed… Here’s some of what happened…

Multi-Cloud World is Now a Reality

Fierce Competition and Cost Pressures

Security is a Board Room Conversation

Business Demands Digital Transformation


Modern Network Environment is Vast and Complex

• 40,000 Configuration Assurance Policy Violations
• 1,100 Network Changes Per Month
• Human Mistake: 80%
• Performed Manually: 95%
• 45,000 Network Devices

Drivers of cost and complexity

Manual Configuration & Refresh

• No centralized access
• No Plug-n-play

Complicated Equipment Portfolio

• Can’t keep skills up

Convoluted maintenance & troubleshooting

• Lack of visibility
• Lack of analytics

Tool Proliferation

• Multiple interfaces
• Increased tool errors

Digital Network Architecture Roadmap

1. Base automation: Automated deployment across greenfield and brownfield

2. SDN / Automated enterprise: Controller-based networking with assurance across WAN/LAN and wireless

3. Advanced security and network analytics: Next generation threat and application analytics

4. Single cross-domain orchestration: Automated user to application policy (access and priority) across enterprise and DC domains

5. Self-driving: Enabling policy based compliance, assurance driven optimization

Customer outcomes: Simplicity, Lower Risk, Business enablement, Lower TCO, Service quality

From Task Automation to Service Orchestration… and Beyond

• Ad-hoc Scripting: Engineers run one-off scripts and tools, device-by-device
• Re-useable Frameworks: Centrally managed frameworks, templates accelerate delivery
• Service Orchestration: Model-driven config lifecycle – CrUD automation in one place

NSO

• Closed-loop Orchestration: Business-level intent, dynamic optimization based on real-time network state

We’re Here!

DNA and Next Generation Network Highlights

• Leverage network data from existing networks for new use cases

• Network consolidation and new IoT devices are driving up endpoint count

• Changing expectations caused us to think about how we work and organize differently... now we have to make sure that we are ahead of the curve

• Modern network environment is vast and complex and prone to human mistakes

• Journey from task automation to closed loop service orchestration


Catalyst 9000 Series and Open IOS-XE


Cisco IT Network Landscape 2017

Platform counts (slide columns: Access, Distribution/Core, WAN):

• IE3010 (19)
• C3850 (1671)
• C3750 (296)
• 3560C (7)
• C4500-X (606)
• C6880-X (186)
• C6509E/2T (463)
• C6807/2T (39)
• ISR 3900 (1173)
• ISR 800 (30K)
• ISR 2900 (702)
• ISR 4451-X (944)
• ASR 1002 (19)
• ASR 1006 (251)
• ASR 1004 (187)
• C4510/8E (1301)

Catalyst 9000 Series

• Catalyst 9300: Fixed Access
• Catalyst 9400: Modular Access
• Catalyst 9500: Fixed Core

• Converged ASIC: UADP 2.0
• Single Image: Open IOS-XE
• Common Licensing

With the Catalyst 9000 Series:

• 1 Common HW Architecture (UADP 2.0)
• 1 Software Image (Open IOS-XE)
• Device Bootstrap and Onboarding
• Standards-based, structured programmability
• Apps and services embedded in fabric
• x86 CPU and Containers

Perpetual and Fast PoE

• Perpetual PoE: With Perpetual PoE, the PoE power is maintained during a switch reload. This is important for IoT endpoints such as PoE-powered lights, so that there is no disruption during switch reboot

• Fast PoE: When power is restored to a switch, PoE starts delivering power to endpoints without waiting for the operating system to fully load, thereby speeding up the time for the endpoint to start up

Platforms shown: Catalyst 9400 (Modular Access), Catalyst 9300 (Fixed Access)

Infrastructure Foundation

Embedded Security - Encrypted Traffic Analytics

Diagram labels: StealthWatch, Context & Mitigation, ISE, Machine Learning, Encrypted Traffic Analytics

• Primary Use-case: Malware in Encrypted Traffic
• Secondary Use-case: Cryptographic Audits

Cisco IT Catalyst 9000 Migration Path

Platforms (slide columns: Access, Distribution/Core, WAN):

• C9400 10-slot, Sup1, mGig
• C9300 48-port mGig
• C6880-X
• C6509E/2T
• C6807-XL/2T
• ISR 4451-X
• ASR 1006
• ASR 1004
• C9500 40X

Open IOS-XE 16 - Hardware Migration Strategy

| Network Function | Capacity Criteria | Current Hardware | Comments | Target Hardware | Hardware Status |
|---|---|---|---|---|---|
| CORE/AG GW | | ASR 1006 | RP1, ESP5, ESP10, SIP10 not supported | RP2, ESP40/100/200, SIP40 | General Deployment |
| WAN GW | > GE WAN | ASR 1004 | RP1, ESP5, ESP10, SIP10 not supported | RP2, ESP40, SIP40 | General Deployment |
| WAN GW | <= GE WAN | ISR 4451-X | | ISR 4451-X | General Deployment |
| LAN GW | > 40 ports | CAT 6500/6800/Sup2T | Support thru 2024, will not support Open IOS-XE | TBD | Participate in EFT |
| LAN GW | <= 40 ports | CAT 4500-X | Support thru 2024, will not support Open IOS-XE | CAT 9500 | Limited Deployment |
| LAN SW | > 192 ports | CAT 4510/Sup8E | Support thru 2024, will not support Open IOS-XE | CAT 9400 10-slot, dual Sup-1, mGig | Limited Deployment |
| LAN SW | <= 192 ports | CAT 3850-UPOE | Runs Open IOS-XE, UADP v1 | CAT 9300 mGig | Limited Deployment |
| LAN SW | no HVAC | IE 3010 | Will not support Open IOS-XE | CAT 9300 mGig | Limited Deployment |
| LAB GW | > 16 ports | CAT 6880-X | Support thru 2024, will not support Open IOS-XE | CAT 9500 | Participate in EFT |
| LAB GW | <= 16 ports | ISR 4451-X | | ISR 4451-X | General Deployment |
| Voice GW | CUBE/SIP | ASR 1002 | 1002 chassis, RP1, ESP5/10 SIP10 not supported | ASR 1004, RP2, ESP40 | General Deployment |
| Voice GW | SRST | ISR 4451-X | | ISR 4451-X | General Deployment |
| Console GW | > 64 async | ISR G2 3945 | HW end of sale 12/2017 | ISR 4451-X, NIM-24A, CAN-ASYNC-8 | General Deployment |
| Console GW | <= 64 async | ISR G2 2901 | HW end of sale 12/2017 | ISR 4331, AC PS, NIM-24A, CAN-ASYNC-8 | General Deployment |
| Console GW | DC Voltage | ISR G2 2911 | HW end of sale 12/2017 | ISR 4331, DC PS, NIM-24A, CAN-ASYNC-8 | General Deployment |
| NFV | | N/A | Investigate Network Function Virtualization | ENCS 5412 | vBranch demo at Cisco Live Cancun |
| WLC | | WiSM2 / WLC 5508 / 3850 Converged Access | | WLC 5520 / Virtualized controller for C9K | Limited Deployment / Participate in EFT |
| APs | | 3700 Series | Will not support IPv6, AVC in DNA/SDA | NG AP | Participate in EFT |
| WAAS | Core/Campus | WAVE 8541 | | UCS | SVL testing in progress |
| WAAS | Large | WAVE 7571 | | UCS-C vWAAS50K, C9K vWAAS | SVL testing in progress |
| WAAS | Medium | WAVE 694 | | UCS-E, UCS-C, ENCS-5412-W, C9K vWAAS | SVL testing in progress |
| WAAS | Small | ISR-WAAS | | ISR-WAAS | SVL testing in progress |
| AppNav | Core/Large | WAE 594 w/10GE | | UCS-C | SVL testing in progress |
| AppNav | Medium | WAE 694 | | AppNav-XE | SVL testing in progress |
| AppNav | Small | AppNav-XE | | AppNav-XE | SVL testing in progress |

Open IOS-XE 16 and IOS Migration Status

| Platform | Rommon Version | IOS Version | Device Count | Future Target IOS |
|---|---|---|---|---|
| ASR 1000/RP2 (RP1, ESP10, SIP10 unsupported) | 16.3(2r) *required | 16.6.2 | 17 | 16.6.3 (CCO target 02/02/18), 16.8.1 (3/30) |
| ISR 4451 / ISR 4331 | 16.2(1r) / 16.4(3r) | 16.6.2 | 37 | 16.6.3 (CCO target 02/02/18), 16.8.1 (3/30) |
| vEdge 1000 | N/A | 17.2.1 | 4 | |
| ENCS 5412 | BIOS 2.4, NFVIS 3.6.2 | 16.6.2 | 2 | 16.6.3 (CCO target 02/02/18), 16.8.1 (3/30) |
| ISR G2 3945 / ISR G2 2901 | 15.0(1r)M16 | 15.7.3M | 41 | |
| CAT 9500 | N/A | 16.6.2 | 2 | 16.6.3 (CCO target 02/02/18), 16.8.1 (3/30) |
| CAT 9400 | N/A | 16.6.2 | 0 | 16.6.3 (CCO target 02/02/18), 16.8.1 (3/30) |
| CAT 9300 | N/A | 16.6.2 | 26 | 16.6.3 (CCO target 02/02/18), 16.8.1 (3/30) |
| CAT 6500/2T | 12.2(50r)SYS4 | 15.4(1)SY2 | 21 | 15.5(1)SY1 (CCO target 01/25/18) |
| CAT 4500/8E / CAT 4500-X | 15.1(1r)SG10 / 15.0(1r)SG15 | 3.9.2E | 30 | 3.10.1E (CCO target 02/21/18) |
| CAT 3850 | N/A | 16.3.5 | 0 | 16.3.6 (CCO target 02/21/18) |
| WiSM2, 5508 | N/A | 8.0.152 | 600+ | 8.5.110(MR1) |
| 5520 | N/A | 8.5.110(MR1) | 2 | |

Cisco Fleet – Technology Release Process

Solution Verification Lab

• Verifies new designs, hardware, software and processes
• Holistic testing with automation
• Provides certification testing services

Pilot Deployment

• Funnels technology and capabilities for small pilot and testing
• Mirror of Production Network

Limited Deployment

• Pilot for evaluation in production network
• Limited to a few locations
• Monitored to ensure issues can be mitigated quickly

Network Refresh (Fleet)

• Ongoing upgrade cycle for all products in all sites
• Ensures the IT Network’s hardware and software are current

Catalyst 9000 Series and Open IOS-XE Highlights

• Strategy to stop investing in older hardware and start deployment of C9K HW

• 24 C9300s deployed in North Sydney, 2 C9300s deployed in Sendai

• 7 deployment stopper defects identified and fixes integrated to 16.6.2 and 16.3.6

• Common hardware and single IOS-XE image will reduce our OPEX

• Plug n Play, image management, and config automation important to reduce cost

• ETA export from 2 C9300 sites, 2 ISR4K sites, and 2 ASR1K WAN Aggregation

• ThousandEyes performance agent running on C9K, ISR4K, ASR1K, ENCS5K

• Analyze network infrastructure for Open IOS-XE 16 unsupported hardware

• Some platforms require rommon upgrades prior to installing Open IOS-XE 16

• Be aware of potential speed negotiation issues for mGig models and modules


Software Defined Access (SDA)


DNA Center - High-Level Architecture

Diagram labels:

• Northbound: Open REST APIs; IPAM (3rd Party)
• Cisco DNA Center: NDP, APIC-EM 2.0, ISE
• Cisco Meraki: Meraki dashboard, Meraki Dashboard API
• To the infrastructure: CLI, SNMP, PnP, NETCONF
• Telemetry protocols: NetFlow, SNMP, Syslog, streaming
• Physical, virtual, and cloud network infrastructure: Wireless AP, Catalyst 2000/3000, Catalyst 4000/6000, Cisco Nexus 7000, WLC, ISR/ASR, NFV-IS

DNA Center

Next-Gen platform to enable digital capabilities

Assurance

• Predictive: Machine learning-based detection of problems prior to occurrence
• Proactive: Faster troubleshooting with problems and trends correlation and dynamic thresholding
• E2E Visibility: Scalable data collection and reporting for reactive troubleshooting and planning

Automation

• Profiles: Standardized configurations for multi-PIN services
• Policy Abstraction: Expressing the business intent rather than a feature
• Validation: Machine learning-based network-wide configuration validation prior to deployment

Enterprise WAN and access networks | Wired and wireless

Closed Loop, Self-Optimizing

DNA-Center High-Level Deployment Schedule

Q4 CY17: Proof of concept and evaluation

• Collaborate with BU on IT use-cases for: Contextual Dashboard, Image management, ITSM Integration
• Set up lab environment for DNA-C, ISE, C9K, and SDA

Q1 CY18: Coordinate Global Installation

• 3 regional pairs
• Monitor 2 sites in 2 weeks post FCS
• Monitor 10 sites in 4 weeks post FCS

Beyond: Additional pilots

• SDA
• PnP (ZTP)
• Assurance
• NDP
• PathTrace
• SD-WAN

Secure Network Access at Cisco

Diagram labels: Identity Services Engine, Wireless Devices, AnyConnect VPN (All Mobile), WSA, ESA + AMP, Wired Network Devices, Adaptive Security Appliance, Cisco Core Network, Home Access (CVO), Device Management, StealthWatch

The 4 Stages:

1. Profiling

2. Authentication

3. Posture

4. Enforcement

Cisco IT ISE Production Deployment

Internet Only

Corporate Access

WLAN, CVO, VPN, LAN

ISE 1.2, 8 VMs, 2 DCs

ISE 2.1, 24 VMs, 8 DCs

1.5 Million active profiled “Endpoints”

Max ~450K Concurrent “Endpoints”

27K CVO; ~60K EP

580 WLC; ~200K EP

70 ASA; ~90K EP

2K SW; ~200K EP

8 Sites; ~8K EP

~14K Guest/Week

CWA: Central Web Auth

What is a Fabric?

Device Management

• Secure risky IoT devices, mobile devices, printers

Programmable Overlay

• Dynamic Path Setup and Client Mobility

• Network Segmentation via Virtual Networks (VNs)

• User/Device Segmentation via Segments (Groups)

Prescriptive Underlay

• Topology and Protocol Independent

• Leverage Standards-based Network Infrastructure

• Optimized Forwarding, Load-Balancing & Scale

Users or Devices


Software Defined Access

Campus Fabric + Wireless Integration + Automation & Orchestration

Campus Fabric, SD-Access

DNA Center

Automated Workflows

Design, Provision, Policy

Assurance

Wireless Integration

• Programmable APIs
• REST / NETCONF
• Automated Workflows
• Centralized Management
• Wireless Overlay

• SmartCLI Macros
• Simple User Inputs
• Customized Workflows
• Box-by-Box Management
• Wireless overlay

What is unique about SDA Fabric?

Key components

• Control-Plane based on LISP

• Data-Plane based on VXLAN

• Policy-Plane with Cisco TrustSec (CTS)

UADP and QFP allow for Flexibility – Key to Supporting the Evolution to Network Fabrics

Cisco Hardware and Software innovations

Key Differences

• L2 + L3 Overlay -vs- L2 or L3 Only

• Host Mobility with Anycast Gateway

• Adds VRF + SGT into Data-Plane

• Virtual Tunnel Endpoints (No Static)

• No Topology Limitations (Basic IP)
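
The data-plane points above (VXLAN encapsulation, with the VRF and SGT carried in the header) can be verified in a packet capture by decoding the 8-byte VXLAN header. The following is an added example, not part of the original slides: it assumes the VXLAN Group Policy Option layout (G and I flag bits, a 16-bit Group Policy ID holding the SGT, a 24-bit VNI identifying the virtual network), and the VNI/SGT numbers and the allow-list are constructed sample values.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

HDR_LEN = 8
FLAG_G = 0x80  # byte 0: Group Policy ID field is valid
FLAG_I = 0x08  # byte 0: VNI field is valid
FLAG_D = 0x40  # byte 1: "don't learn" bit
FLAG_A = 0x08  # byte 1: policy already applied by an upstream node


@dataclass(frozen=True)
class VxlanGpo:
    vni: int                # 24-bit virtual network identifier (VN / VRF)
    sgt: Optional[int]      # 16-bit group tag, None when the G bit is clear
    dont_learn: bool
    policy_applied: bool


def build_header(vni: int, sgt: Optional[int] = None,
                 policy_applied: bool = False) -> bytes:
    """Build a header for test input (constructed data, not a capture)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    if sgt is not None and not 0 <= sgt < 1 << 16:
        raise ValueError("SGT must fit in 16 bits")
    flags0 = FLAG_I | (FLAG_G if sgt is not None else 0)
    flags1 = FLAG_A if policy_applied else 0
    return struct.pack("!BBHI", flags0, flags1, sgt or 0, vni << 8)


def parse_header(raw: bytes) -> VxlanGpo:
    """Decode the first 8 bytes that follow the outer UDP header."""
    if len(raw) < HDR_LEN:
        raise ValueError("truncated VXLAN header")
    flags0, flags1, group_id, vni_rsvd = struct.unpack("!BBHI", raw[:HDR_LEN])
    if not flags0 & FLAG_I:
        raise ValueError("I bit clear, VNI not valid")
    return VxlanGpo(
        vni=vni_rsvd >> 8,  # low byte of the last word is reserved
        sgt=group_id if flags0 & FLAG_G else None,
        dont_learn=bool(flags1 & FLAG_D),
        policy_applied=bool(flags1 & FLAG_A),
    )


def audit(headers: Iterable[bytes],
          allowed: Dict[int, Set[int]]) -> List[Tuple[int, str]]:
    """Flag frames whose VNI/SGT pair is not in the expected segmentation plan."""
    findings = []
    for idx, raw in enumerate(headers):
        try:
            hdr = parse_header(raw)
        except ValueError as exc:
            findings.append((idx, f"malformed: {exc}"))
            continue
        if hdr.vni not in allowed:
            findings.append((idx, f"unknown VNI {hdr.vni}"))
        elif hdr.sgt is None:
            findings.append((idx, f"VNI {hdr.vni}: no group tag (G bit clear)"))
        elif hdr.sgt not in allowed[hdr.vni]:
            findings.append((idx, f"VNI {hdr.vni}: unexpected SGT {hdr.sgt}"))
    return findings


# Constructed segmentation plan: virtual network (VNI) -> permitted SGTs.
ALLOWED = {4099: {17, 18}, 4100: {30}}

# Constructed sample headers: one clean, four that should be flagged.
SAMPLES = [
    build_header(4099, 17),   # expected VN and group
    build_header(4099),       # untagged traffic inside a VN
    build_header(5000, 17),   # VN that is not in the plan
    build_header(4099, 99),   # group not permitted in this VN
    bytes.fromhex("8800"),    # truncated header
]

if __name__ == "__main__":
    for idx, reason in audit(SAMPLES, ALLOWED):
        print(f"frame {idx}: {reason}")
```
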


SD-Access Fabric Architecture

Roles and Terminology

• Control-Plane (CP) Node – Map System that manages Endpoint ID to Location relationships. Also known as Host Tracking DB (HTDB)
• Edge Nodes – A Fabric device (e.g. Access or Distribution) that connects wired endpoints to the SDA Fabric
• Group Repository – External ID Services (e.g. ISE) is leveraged for dynamic User or Device to Group mapping and policy definition
• Border Nodes – A Fabric device (e.g. Core) that connects External L3 network(s) to the SDA Fabric
• DNA Controller – Enterprise SDN Controller provides GUI management abstraction via multiple Service Apps, which share information
• Fabric Wireless Controller – Wireless Controller (WLC) that is fabric-enabled and participates in the LISP control plane
• Fabric Mode APs – Access Points that are fabric-enabled. Wireless traffic is VXLAN encapsulated at the AP

Diagram labels: ISE / AD (Group Repository), DNA Controller, Control-Plane Nodes (C), Fabric Border (B), Intermediate Nodes (Underlay), Fabric Edge Nodes, Fabric Mode WLC, Fabric Mode APs, SD-Access Fabric

SD-Access Wireless Architecture

Simplifying the Control Plane

Automation

• DNAC simplifies the Fabric deployment, including the wireless integration component

Centralized Wireless Control Plane

• WLC still provides client session management
• AP Mgmt, Mobility, RRM, etc.
• Same operational advantages of CUWN

LISP control plane Management

• WLC integrates with LISP control plane
• WLC updates the CP for wireless clients
• Mobility is integrated in Fabric thanks to LISP CP

Fabric enabled WLC: WLC is part of LISP control plane

Diagram labels: ISE / AD, DNAC (Policy Abstraction and Configuration Automation), WLC, SD-Access Fabric, CAPWAP Control plane, LISP Control plane

SD-Access Wireless Architecture: Optimizing the Data Plane

Optimized Distributed Data Plane

• Fabric overlay with Anycast GW + Stretched subnet

• VLAN extension with no complications

• All roaming is Layer 2

VXLAN from the AP

• Carrying hierarchical policy segmentation starting from the edge of the network

Fabric enabled WLC: WLC is part of LISP control plane

Fabric enabled AP: AP encapsulates Fabric SSID traffic in VXLAN

[Diagram labels: ISE / AD, DNAC (Policy Abstraction and Configuration Automation), WLC, SD-Access Fabric, Control-Plane Node (C), Border Nodes (B), CAPWAP control plane, LISP control plane, VXLAN data plane]


SD-Access Platform Support

Switching: Catalyst 9300, Catalyst 9400, Catalyst 9500, Catalyst 3850 and 3650, Catalyst 4500E, Catalyst 6K, Nexus 7700

Routing: ASR-1000-X, ASR-1000-HX, ISR 4430, ISR 4450, CSRv

Wireless: AIR-CT3504, AIR-CT5520, AIR-CT8540, Wave 2 APs (1800, 2800, 3800), Wave 1 APs (1700, 2700, 3700)*

Subtended Nodes: CDB, 2960-CX, 3560-CX


Cisco IT Analysis - Software Defined Access

Gains with SDA...

• Agile use of virtual networks

• Easy segmentation & enforcement

• Decouple identity from location

• IPv4 subnet consolidation

• Cisco confidence in its technology and Ops experience

• Fabric wide RBAC/DUP

• Improved segment lifecycle

Losses with SDA…

• IPv6 (may be able to use AnyConnect)

• Non-optimal multicast path

• Centralized architecture – exposure to large fault domain

• Increased support skillset required

• Migrate to Cisco ONE SW licensing, new CAPEX/OPEX model


SDA High Level Architecture

Fabrics will allow us to divide the network into easily managed virtual networks

For each virtual network, logical security groups can be formed that abstract the underlying network address used

[Diagram labels: Core, DC, Campus, Remote Offices]


Per-ISP Fabric Design

[Diagram labels: Internet, ISP-GW's, GB-GW's, Fusion Routers, External Border Nodes, Internal Border Nodes, Control Nodes, Edge Nodes, Campus, Remote Office, CAPNET and DC]


Campus – Single Host Pool

Fabric1 (Building Cluster1): VN1 Host Cluster Pool 10.1.x.0/20, Summary Route: 10.1.x.0/20, P2P: 10.1.x.0/30

Fabric2 (Building Cluster2): VN1 Host Cluster Pool 10.2.x.0/20, Summary Route: 10.2.x.0/20, P2P: 10.1.x.0/30

Edge Nodes: LAN-SW1 (Loopback 10.1.x.1/32), LAN-SW2 (Loopback 10.1.x.2/32), further LAN-SW edge nodes

[Diagram labels: Campus Core, Fusion Router - DHCP, Desktop Cluster Gateway + Control Node + Border Node, Desktop Gateway / Intermediate Node, Edge Node (LAN-SW), Building1, Building2, Cisco Prod]


Global SDA fabrics and TrustSec

Fabric and TrustSec work together to provide a scalable way to segment the network

ISE: Policy, Endpoint to SGT mapping

SGT Rules:

Permit SGT1 to SGT1

Deny SGT1 to SGT2

[Diagram labels: Core, SGT-IP Reflector, Fabric1: 10.1.0.0/16, Fabric2: 10.2.0.0/16; SGT:1, SGT:2, SGT:3 and the SGT Rules appear once per fabric]


Cisco IT Analysis - SDA Gap Summary

IPv6 support essential

• March release of SDA will support IPv6

Wireless support

• 5508/WiSM2 no fabric support (OTT only) and 3700 Series APs are fabric aware

Non-fabric switch support

• Ability to support non-fabric switches (e.g. IE switches for parking lots etc.) March release required

TrustSec IPv6 ACL support 4510/C9K

• Major benefit of consolidating and segmenting network cannot be realized without IPv6 ACL support in TrustSec in 4510 or C9K

DNA Center 10 fabric limit

• Need 20-25 fabrics

Fabric 100 mSec limit

• Needs to be increased to 150-200 mSec to support remote offices


Greenfield Approach: Parallel build of SDA using latest HW

Network Automation, Security, Management, Analytics Stack (3xUCS 460): APIC-EM, Prime Infra?, ISE2.3, NDP

Traditional: Floor 1 SSID: Blizzard

SDA Greenfield deployment: Floor 2 SSID: Blizzard-Beta

Border Router (9500) + WLC (5520)

Edge Router (9300)

Segment FW??

Wired only for users on floor 2 who do not want to partake in Beta testing

APs connect into fabric

Migrate Users over time

Expand Fabric over time

[Diagram labels: Fabric, New Uplinks, Existing uplinks, WAN1, WAN2, WLC]


Brownfield Approach: Use existing HW creating a fabric foundation

Network Automation, Security, Management, Analytics Stack (3xUCS 460): APIC-EM, Prime Infra?, ISE2.3, NDP

Traditional: Floor 1 SSID: Blizzard

BG (45xx)

EG (3850) (4510) (9300)

APs initially tunneled over fabric then eventually onto fabric

Test group 6 week testing

Hardware

WLC: 5508/WISM2

Core switch: 4500/SUP8E

Distribution switch: 6500/2T

[Diagram labels: Fabric, New Uplinks, Existing uplinks, WAN1, WAN2, WLC]


SDA Highlights

• DNA Center lab environment and 3 regional production pairs upgraded to 1.1.1

• Providing training for network engineers on DNA Center and SDA configuration

• Cisco IT drivers for SDA deployment are centralized automation and orchestration and simplified deployment of hardware (PnP)

• Global ISE and StealthWatch infrastructure upgrades in progress for SDA/ETA

• Targeting DNA 1.2 release in March timeframe for IPv6 and PnP support

• 5508/WiSM2 no fabric support (OTT only) and 3700 Series APs are fabric aware

• 3 Production Pilot sites identified for greenfield deployment of SDA


This is a journey!



Thank you
