Multidomain policy integration is a strategic next step that preserves and extends Cisco’s leadership in Intent-Based Networking (IBN). It cements and reinforces IBN principles in Cisco® architectures across the enterprise networking domains: campus, branch, WAN, data center, and cloud. This paper explains why integrating policies between these domains is the best way to preserve the uniqueness of each domain while achieving consistency of purpose throughout the enterprise, and how such integration can cope with accelerating IT complexity. It describes the currently supported integrations, the benefits to customers, and Cisco’s commitment and vision for the road ahead.
This paper is targeted at CIOs and network architects who are familiar with IBN and Cisco’s networking architectures but are not experts in them. It aims to bring them up to date on the latest from Cisco in IBN and on Cisco’s efforts to simplify networking across the enterprise. It is not overly technical, but it provides enough technical detail to bring clarity to the integrations and show that they are real.
Organizations in every industry are reworking their business strategies. To grow and compete effectively, they are making increasing use of technology to improve their processes, deliver better experiences to their customers, and provide better tools to their employees.
For example, manufacturing organizations are adding smart things such as sensors and actuators to give them real-time feedback and control over their processes. They are also collecting vast amounts of data throughout the value chain from suppliers, distributors, partners, and customers, which they use for predictive analytics. These digital initiatives transform their operations from traditional, static manufacturing supply chains into a dynamic, interconnected system that lets them deliver customized experiences to customers, increase employee productivity, and make their processes agile enough to keep pace with business cycles.
In healthcare, telemedicine is helping patients in the most remote locations of the world receive quality healthcare. Patients are using connected blood-pressure gauges, glucometers, heartrate monitors, and even home EKG machines to upload vital information for remote monitoring and diagnoses. Specialized programs are now preprocessing scans to supplement the work of human radiologists and use AI techniques to guide and predict the efficacy of drugs.
Likewise, the financial industry is relying more and more on digital technology: signing contracts online, building bank branches that feature virtual tellers, and even providing convenient banking facilities to millions of underserved people through their mobile phones.
Clearly, digital transformation has positively impacted economic growth, accelerated innovation, brought about better service delivery, and improved customer and employee experiences.
Gartner believes that “a full Intent-Based Networking System implementation can reduce network infrastructure delivery times to business leaders by 50% to 90%, while simultaneously reducing the number and duration of outages by at least 50%.”
Positive results from digital transformation efforts
Now, more than ever, these organizations’ IT strategies are essential for their business strategies to succeed. For these digital initiatives to work, organizations need to ensure that a secure and robust infrastructure is in place. Smart Internet of Things (IoT) devices are notorious for increasing the available attack surface and must be properly secured. User experience, which is crucial for any digital initiative to work, needs a robust WAN that can prioritize application traffic appropriately. Such a network is even more essential as applications become more distributed and are no longer confined to the enterprise’s data center. Moreover, all these processes must adhere to all applicable regulatory and compliance directives. As digital innovations continue to evolve, the infrastructure needs to be agile and adapt rapidly to the changing priorities and needs of the business.
Unsurprisingly, then, IT departments feel an increasing urgency to keep up with business pace and innovation. IT must maintain the constant deluge of daily operations to drive optimal user experiences, while still innovating and adopting modern techniques to deliver on business intent.
Business and IT initiatives ultimately depend on the underlying network to realize their goals. The organization’s network needs to provide wired and wireless access to all users and IoT devices, take preventative measures to minimize the threat surface, connect customers and employees entering through a variety of transport mechanisms, and ensure high-quality application experience.
These multiple challenges of scale, complexity, security, and agility cannot easily be met with the traditional ways of building, monitoring, and managing networks. In the past, network administrators relied on site-by-site and box-by-box configurations. That worked well when networks were relatively static with few modifications. Now, with the new normal of hyperconnectivity, manual changes do not scale. Similarly, troubleshooting has generally consisted of manually collecting information, reproducing the problem, and poring over logs to figure out where the problem might be. This strategy is also not scalable and will not succeed in the current age of digital transformation.
Network complexity due to scale, security, and connectivity is outpacing human capability to manage
Intent-based networking, or IBN, provides the answer. IBN changes how networks are monitored and managed so that, through network automation and assurance, the network is brought closer to the business intent, that is, the desired outcomes.
Traditional models of network control have ranged from basic device control by dedicated Element Management Systems (created for one specific set of devices), to network managers (which offered a static set of extended functions but no integrations to make the network agile), to SDN controllers (which injected limited dynamism but did not go far enough). Enterprises had to deploy several management systems that did not work with each other to control the network, resulting in excessive manual work to maintain the network, poor business alignment, and high operational expenses.
To address this, new software-driven networking models that embrace automation, advanced analytics, and open platforms are transforming networks, resulting in dramatically new ways of operating them. Through a controller-led strategy, network operators can quickly set the business intent, and the controller translates it into network configuration and execution at scale, while continuously monitoring to assure performance and security. The result is a closed-loop system that learns, optimizes, and protects. Using APIs, network controllers integrate with business and IT processes in real time, making the network responsive and better equipped to achieve business objectives. These APIs also allow communication between controllers, enabling fulfillment of intent that spans multiple controller-led networks.
Role of the network controller in intent-based networks
Today Cisco offers networking solutions built on intent-based networking principles in several networking domains. We define a networking domain as a grouping of devices such as switches, routers, wireless APs, and Wireless LAN Controllers (WLCs) that share rules and procedures and are governed by a common controller.
Networking domains, their purpose, and their controllers
The division of networking responsibilities between domains results from the specific requirements that each domain needs to address. For example, a campus network is responsible for authenticating and onboarding users and devices over wired and wireless access, authorizing them and granting them privileges based on their levels, and detecting and mitigating threats to which such devices could be subject. The WAN connects users to applications, whether in the data center, in one or more public clouds, or within a Software as a Service (SaaS) provider. The WAN is responsible for appropriate path selection and prioritization, and for mitigation of threats that may originate from inside or outside. The data center network manages compute resources among application workloads, serving the needs of virtualized and distributed applications and safeguarding sensitive data.
Cisco Digital Network Architecture (Cisco DNA), Cisco SD-WAN, and Cisco Application Centric Infrastructure (Cisco ACI®) are Cisco’s implementations of campus/branch, WAN, and data center networks. Each is governed by a controller that sets policies within the domain—Cisco DNA Center, Cisco vManage, and Cisco Application Policy Infrastructure Controller (APIC), respectively.
Because the functions they perform are so specialized, each domain must remain independent of others with its own controller-based infrastructure optimized for its tasks. With significant differences in networking, security, and performance requirements, collapsing these domains into one is not realistic. However, each domain provides services that are meaningful in an end-to-end context and therefore must be visible across the domains.
Cisco’s architecture for these domains follows intent-based networking principles. Each domain controller works through a set of policies, generated from business intent, that it translates into device configurations. The controllers collect performance data from these devices, analyze it, and ensure that the devices are meeting the intent. A single business intent might render into different domain-specific policies, but in order to fulfill that single intent all these policies must be coherent and communicated across all domains.
Intent-based networks allow users to define their intent, or desired outcomes, and store it as policies. An example of an intent in the campus network could be to separate IoT traffic from user traffic; the corresponding policy would specify that when IoT devices onboard, they are placed in a network segment separate from users. Similarly, in the data center, policies could dictate which applications are sensitive and must be protected from indiscriminate access.
Business objectives, however, are enterprise wide and span domains. Therefore, all domains need a consistent set of policies that work collaboratively to deliver the desired outcomes. For example, in the healthcare industry, we want doctors in hospitals to be able to run applications in the data center that access and update their patients’ medical records. We also want them to do so securely, complying with all regulations, and with a good quality of experience. To make this happen, the access policies defined for the doctor in the hospital (campus) need to be mapped to the access policies defined in the data center for the medical application, so that the doctor can read and write medical data while unauthorized users cannot, and thus the process complies with regulations. Moreover, the WAN connecting the campus to the data center must be able to recognize the application traffic and prioritize it appropriately.
Global Data: For an enterprise to be successful with intent-based networking, it needs to fully embrace automation in the data center, the campus, the wide area network, and in the branch.
- Mike Fratto, Senior Analyst, 451 Research
The above example illustrates the need for three key policy integrations: network segmentation policies that separate user traffic and create a permit/deny matrix against resources and applications; application experience policies that allow the data center network to interwork with the WAN; and security policies that are consistent across all domains.
Policy integrations between domains
Before such integrations, policy coordination between domains was done manually. Each time administrators made a policy update in any one domain, they needed to alert administrators in the other domains so that those administrators could interpret and translate the policy change and apply it to their own domains. In contrast, an automated exchange of policies makes the entire enterprise network work as one, respond to modifications, and rapidly apply policies end to end without errors.
From an intent-based networking perspective, these integrations represent the next logical step in extending business intent across the enterprise.
Cisco offers a complete intent-based networking portfolio of devices and controllers for all networking domains and therefore is in a unique position in the industry to offer such policy integrations that stitch together multiple networking domains and make them whole.
As more and more critical information is entrusted to the digital infrastructure, the risk of that information being compromised increases. Furthermore, as more devices are connected to the network, the paths by which criminals may compromise information multiply, and the available attack surface expands. It is therefore critical to deliver a comprehensive and hardened set of security measures that allow the network to be the first line of defense in the IT security strategy. Originally, network segmentation was aligned to a strategy for improving network stability and performance. Over time, it has evolved to reflect a security strategy in which the network is segmented, or compartmentalized, to enforce policy through controls within and between segments. This segmentation is aimed at fragmenting the attack surface and reducing the scope of lateral movement that malware may pursue during a security breach. For segmentation to be effective in limiting the impact of a breach, the network must be segmented end to end, because the attacker may attempt lateral movement in the access, WAN, or data center.
When a security breach is identified, the offending endpoints can be quickly isolated into a segment built for the purposes of quarantining attacks and malware. The ability to dynamically create quarantine segments, and quickly assign an endpoint to such a segment in response to a detected threat, is possible in a Software-Defined Networking (SDN) network like SD-Access in the campus and branch, and ACI in the data center.
Segmentation may be realized at a coarse level in the form of virtual networks or at a more granular level in the form of groups of endpoints. These approaches are referred to as macrosegmentation and microsegmentation respectively. Microsegmentation provides a much more granular level of segmentation than virtual networks and is also more elastic: the group that an endpoint belongs to, or the policy that governs communication for a group, can be changed rapidly. Traditionally, microsegmentation has been enforced by using Access Control Lists (ACLs) distributed across the network infrastructure; modern microsegmentation instead leverages group-based access control lists (also called Scalable Group Access Control Lists [SGACLs]) to enforce ACLs based on group membership rather than IP addressing, and thus provides an access control policy environment that is independent of IP addresses and subnet boundaries.
Macro and micro segmentation in SD-Access
The organization of hosts into groups, and the resulting ability to author access control policies in terms of groups rather than IP addresses, has fundamental implications for scalability and manageability. For instance, a group may have endpoints from 100 different subnets associated with it. In this case a traditional IP-based ACL would require each IP prefix in the group to have its own access control entry, leading to very large ACLs that are complex to manage and consume a very large amount of hardware resources in the network. With group-based ACLs, these hundreds of entries become a single entry for the group rather than one entry per group member. To enforce the group-based ACL, traffic transiting the network is tagged so that policies can be applied on the tag rather than on the IP address.
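The following Python model is an added illustration and not Cisco or ISE code. It shows the two points made above with constructed sample data: a rule expressed on group membership stays a single entry no matter how many subnets the group spans, while the equivalent IP-based ACL needs one entry per prefix pair; and because enforcement looks only at the tag carried with the traffic, moving an endpoint into a quarantine group (as described for breach response above) changes the policy that applies to it without touching any ACL. The group names, subnets, and addresses are invented for the example.

```python
"""Group-based (tag-based) access control versus IP-prefix ACLs.

Added illustration, not Cisco code. All group names, prefixes and
addresses are constructed sample data.
"""
from ipaddress import ip_address, ip_network

# Constructed sample data: each access group owns one /24 per site, so
# "Doctors" and "IoT" each span 100 subnets. "Quarantine" owns no prefix;
# endpoints are moved into it dynamically in response to a detection.
GROUP_PREFIXES = {
    "Doctors":     [ip_network(f"10.{i}.10.0/24") for i in range(100)],
    "IoT":         [ip_network(f"10.{i}.20.0/24") for i in range(100)],
    "Medical-App": [ip_network("10.200.1.0/24")],
    "Quarantine":  [],
}

# Group-based policy matrix: (source group, destination group) -> action.
# Any pair not listed is denied (default deny), which is what keeps a
# quarantined endpoint away from everything.
POLICY = {
    ("Doctors", "Medical-App"): "permit",
    ("IoT", "Medical-App"): "deny",
}

# Tag assigned to each endpoint at onboarding (what the identity service
# would push to the fabric edge). Keyed by IP only for the sake of the
# example; enforcement never consults the address again.
endpoint_tag = {}


def classify(ip):
    """Return the group whose prefix contains ip, or None.

    Used only to derive the initial tag from the onboarding subnet.
    """
    addr = ip_address(ip)
    for group, prefixes in GROUP_PREFIXES.items():
        if any(addr in prefix for prefix in prefixes):
            return group
    return None


def tag_endpoint(ip, group=None):
    """Assign a tag; an explicit group overrides the subnet-derived one."""
    endpoint_tag[ip] = group or classify(ip)
    return endpoint_tag[ip]


def enforce(src_ip, dst_ip):
    """Evaluate the policy on the tags carried with the traffic."""
    src_tag = endpoint_tag.get(src_ip)
    dst_tag = endpoint_tag.get(dst_ip)
    return POLICY.get((src_tag, dst_tag), "deny")


def expand_to_ip_acl():
    """Render the same policy as a classic IP ACL: one access control entry
    per (source prefix, destination prefix) pair for every group-pair rule.
    Returns the list of (action, src_prefix, dst_prefix) entries."""
    entries = []
    for (src_group, dst_group), action in POLICY.items():
        for src_prefix in GROUP_PREFIXES[src_group]:
            for dst_prefix in GROUP_PREFIXES[dst_group]:
                entries.append((action, src_prefix, dst_prefix))
    return entries


if __name__ == "__main__":
    for ip in ("10.5.10.23", "10.7.20.9", "10.200.1.10"):
        print(ip, "->", tag_endpoint(ip))
    print("group-based entries:", len(POLICY))
    print("IP ACL entries for the same policy:", len(expand_to_ip_acl()))
    print("doctor -> app:", enforce("10.5.10.23", "10.200.1.10"))
    tag_endpoint("10.5.10.23", "Quarantine")   # detection moves the host
    print("quarantined doctor -> app:", enforce("10.5.10.23", "10.200.1.10"))
```

With two group-pair rules the IP rendering already needs 200 entries (100 source prefixes times one destination prefix, for each rule), and it would grow again every time a site is added; the group rendering stays at two. The quarantine step shows why the text calls microsegmentation elastic: the endpoint keeps its address and subnet, and only its tag changes.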
Within the SD-Access architecture, Cisco DNA Center and Cisco Identity Services Engine (ISE) work in unison to provide the automation for planning, configuration, segmentation, identity, and policy services. Cisco ISE is responsible for device profiling, identity services, and policy services, dynamically exchanging information with Cisco DNA Center.
Segmentation within SD-Access is enabled through the combined use of Virtual Networks (VNs), which are synonymous with Virtual Routing and Forwarding (VRF) instances, and Scalable Group Tags (SGTs). Whereas segmentation can be accomplished using purpose-built virtual networks alone, Cisco TrustSec SGTs provide logical segmentation based on group membership. SGTs add a further layer of granularity, allowing multiple SGTs within a single VN and thereby providing microsegmentation within the VN.
The data center offers a similar example: Cisco Application Centric Infrastructure (ACI), powered by the Cisco Application Policy Infrastructure Controller (APIC), provides an architecture that can translate business requirements into secured zones or enclaves. ACI has segmentation and security built into the architecture. ACI uses the concepts of tenants, contexts, and endpoint groups to deliver segmentation. A context is equivalent to a virtual network and provides macrosegmentation using VRFs and bridge domains. Endpoint Groups (EPGs) are equivalent to the Scalable Groups (SGs) discussed for SD-Access and provide a level of microsegmentation. With Cisco ACI deployed, contracts, or policies, can be created that allow only specific communications between tiered applications, as well as access to external resources, whether applications or users, while blocking all other unauthorized access. Within the Cisco ACI policy model, both VRFs and group-based EPGs (similar in many ways to SGTs, even to the extent that they can be translated between) are used to provide segmentation.
A grouping of HTTP and HTTPS services as a single group of endpoints known as an EPG
ACI thus provides a policy and segmentation environment that is consistent with the policy and segmentation environment used in the SD-Access enabled access network. Further, with ACI Anywhere, the policy and segmentation environment extends across the hybrid cloud to provide a single policy domain across diverse public cloud facilities and the private on-premises data center. An ACI fabric can thus extend across Amazon Web Services (AWS), Azure, and Google Infrastructure as a Service (IaaS) facilities, as well as private premises, and present itself as a single multisite domain to the access network.
Cisco is focused on delivering a truly integrated end-to-end segmented network in which the different domains are integrated with each other to align connectivity and segmentation. Although the operational environments are integrated, each domain remains independent so that the domain-specific functionality and domain-specific vertical integration of the management and networking stacks are preserved in full for an ideal experience and full set of functionalities within and across domains. For example, SD-Access is integrated with SD-WAN to deliver a single network experience for the purposes of connectivity and segmentation, but endpoint onboarding in the SD-Access and path engineering for Service Level Agreement (SLA) enforcement in SD-WAN operate independently of each other. Likewise, SD-Access is integrated with ACI Data Center to enable the federation of identity and the definition of end-to-end users to application segmentation policies.
SD-Access and ACI exchange SGTs and EPGs
SD-Access to ACI integration allows the controllers in the SD-Access (Cisco DNA Center) and ACI (APIC) domains to interwork with each other and exchange identity information. SD-Access provides ACI with the list of groups resulting from the classification of endpoints in the access network, and ACI provides the list of application groups. With this information, the SD-Access and ACI domains have enough user and application information for the operator to author user-to-application policies using the group-based model. This gives operators consistency across access and data center and lets them produce an end-to-end segmentation policy. Open APIs allow the SD-Access and ACI systems to integrate with threat and anomaly detection tools and adapt the segmentation accordingly, thus providing the foundation for the IT infrastructure to prevent and remediate security breaches by leveraging end-to-end segmentation. As part of this integration, the network control and data planes are also integrated to maintain the semantics of macro- and microsegmentation across the access and data center domains.
SD-WAN passes SGTs between segments of SD-Access so policy follows identity
SD-Access to SD-WAN integration automates the provisioning and assurance of the control and data plane interface between the SD-Access and SD-WAN domains. The Network-to-Network Interface (NNI) between the domains is distilled into a single network device (the edge router). This device is shared between the two domains to simplify the handoff and make the domains behave as much like a single domain as possible, without losing the functional independence of each. The management planes are integrated so that any given device is managed by one controller and one controller only, which allows the system to remain transactional and therefore reliable. The macrosegmentation semantics are mapped between the domains to produce an end-to-end virtual network across access and WAN, without sacrificing functionality in either domain. The microsegmentation semantics are transported opaquely by the WAN so that they can be effective in the edge domains (campus, branch, and data center). With this integration, segmentation can be defined once in Cisco DNA Center, and the behavior is driven into the SD-Access domain and the SD-WAN domain through API-based controller integration. The two domains effectively appear as one for the tasks that matter.
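The following Python model is an added illustration, not Cisco controller code, and covers both the SD-Access to ACI exchange and the SD-Access to SD-WAN handoff described above. It assumes the three things the text states and nothing more: each controller publishes its groups (campus SGTs, data center EPGs) so that one user-to-application policy can be authored in group terms and checked for groups the other domain does not know; macrosegmentation is mapped at each boundary (SD-Access VN to SD-WAN VPN to ACI VRF); and the SGT crosses the WAN unchanged, so the data center can apply the group contract. All names, tag values, VPN identifiers, and addresses are constructed; the dictionaries stand in for what a controller would expose through its API.

```python
"""End-to-end segmentation across SD-Access, SD-WAN and ACI, modelled as
an added illustration (not Cisco code). All data below is constructed.
"""

# ---- what each domain controller publishes (constructed sample data) ----
CAMPUS_SGTS = {"Doctors": 10, "Nurses": 11, "IoT": 20}          # SD-Access group -> SGT value
SGT_TO_GROUP = {value: name for name, value in CAMPUS_SGTS.items()}
DC_EPGS = {                                                       # ACI application group -> EPG path
    "Medical-App": "tn-hospital/ap-emr/epg-web",
    "Billing": "tn-hospital/ap-erp/epg-billing",
}
VN_TO_VPN = {"Clinical": 100, "Things": 200}                      # SD-Access VN -> SD-WAN VPN id
VPN_TO_VRF = {100: "clinical-vrf", 200: "things-vrf"}             # SD-WAN VPN id -> ACI VRF

# Endpoint classification held by the campus controller: ip -> (VN, group).
# "Guest" is deliberately left without a VPN mapping to show the check below.
ENDPOINTS = {
    "10.5.10.23": ("Clinical", "Doctors"),
    "10.7.20.9": ("Things", "IoT"),
    "10.9.30.4": ("Guest", "Nurses"),
}
# Application servers known to the data center controller: ip -> app group.
APP_SERVERS = {"10.200.1.10": "Medical-App", "10.200.2.10": "Billing"}

# The user-to-application policy, authored once in group terms. Default deny.
USER_TO_APP_POLICY = {
    ("Doctors", "Medical-App"): "permit",
    ("Nurses", "Billing"): "permit",
}


def validate_policy(policy, campus=CAMPUS_SGTS, dc=DC_EPGS):
    """Return problems that would make a rule unrenderable in one domain:
    a source group the campus never published, or a destination group the
    data center never published."""
    problems = []
    for src, dst in policy:
        if src not in campus:
            problems.append(f"source group {src!r} unknown to SD-Access")
        if dst not in dc:
            problems.append(f"destination group {dst!r} unknown to ACI")
    return problems


def unmapped_vns(endpoints=ENDPOINTS, vn_to_vpn=VN_TO_VPN):
    """Virtual networks in use on the campus that have no SD-WAN VPN, i.e.
    macrosegmentation that would not survive the handoff."""
    return sorted({vn for vn, _ in endpoints.values() if vn not in vn_to_vpn})


def campus_edge(src_ip, dst_ip):
    """SD-Access fabric edge: attach the VN and the SGT of the source."""
    vn, group = ENDPOINTS[src_ip]
    return {"src": src_ip, "dst": dst_ip, "vn": vn, "sgt": CAMPUS_SGTS[group]}


def wan_ingress(frame):
    """Shared edge router: map VN to VPN; carry the SGT through untouched."""
    if frame["vn"] not in VN_TO_VPN:
        raise ValueError(f"no SD-WAN VPN mapped for VN {frame['vn']!r}")
    return {"src": frame["src"], "dst": frame["dst"],
            "vpn": VN_TO_VPN[frame["vn"]], "sgt": frame["sgt"]}


def dc_ingress(frame):
    """ACI border: map VPN to VRF, translate the SGT back to the campus group,
    and look up the contract for (campus group, application group)."""
    vrf = VPN_TO_VRF[frame["vpn"]]
    group = SGT_TO_GROUP[frame["sgt"]]
    app = APP_SERVERS.get(frame["dst"])
    action = USER_TO_APP_POLICY.get((group, app), "deny")
    return {"vrf": vrf, "epg": DC_EPGS.get(app), "contract": (group, app), "action": action}


def end_to_end(src_ip, dst_ip):
    """Walk one flow through all three domains."""
    return dc_ingress(wan_ingress(campus_edge(src_ip, dst_ip)))


if __name__ == "__main__":
    print("policy problems:", validate_policy(USER_TO_APP_POLICY))
    print("VNs with no WAN mapping:", unmapped_vns())
    print("doctor -> EMR:", end_to_end("10.5.10.23", "10.200.1.10"))
    print("IoT -> EMR:", end_to_end("10.7.20.9", "10.200.1.10"))
```

The policy dictionary is the single place the intent is expressed; the campus only ever sees SGT values, the WAN only a VPN identifier plus an opaque tag, and the data center translates the tag back into the group it received from the campus before applying the contract. The two validation functions correspond to the failure modes the text implies: a group known to one domain but not the other, and a virtual network whose macrosegmentation has no counterpart across the WAN.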
A network segmentation strategy developed to enforce security policy in support of an organization’s business requirements is not limited to a single location or a single domain. A given network segment, and the policies it represents, may be extended anywhere within an organization where one of the business-relevant applications or functions reside. This range of function extends from the access through the WAN all the way to the multicloud data center across the WAN and security domains.
SD-WAN to ACI integration allows the ACI administrator to define service-level requirements for different applications and to communicate those to the SD-WAN controller so that any necessary path selection, QoS, or traffic engineering may be enforced in the WAN to deliver the required SLA. A single touchpoint can trigger the rendering of the desired intent across multiple domains.
Automatic service assurance integration to ensure quality of user experience
Security policy integrations
Security applications should not be bolted on but rather built into the network fabric, so that security and the network work together to reduce the time to prevent, detect, and remediate threats. This level of integration protects users and devices regardless of their physical location and of the location of the application they are trying to access, whether in the data center, in hybrid clouds, or within a SaaS provider.
Cisco defines integration between network and security as intent-based network security to emphasize that its security applications apply to all intent-based networking domains. A secure intent-based network provides visibility into who and what is on the network, contributes to a complete zero trust access model, and continuously detects and contains threats.
Security point products built for specific threats can be used in only a single networking domain. As organizations transform their networks toward SD-Access, SD-WAN, and hybrid multicloud, and as user traffic traverses multiple networking domains, it is imperative that security policy follow the traffic and maintain the security posture across all of these domains.
Security for the multidomain world
Cisco’s aptly named security architecture—intent-based network security—emphasizes the need for security to work within the principles of intent-based networking. Intent-based network security addresses the critical question: is security fulfilling the business intent?
Cisco intent-based network security components and benefits
Intent-based network security approaches the problem holistically. It allows you to:
● Enable automated access policies from a simple and single interface to secure any user, any device, any app, anywhere
● Stop propagation of data breaches using dynamic context, not location, for segmentation
● Ensure fast compliance by applying security to thousands of locations from one interface
● Streamline visibility to the SOC for reduced time to threat detection
● Automate threat responses from the SOC to remediate incidents in less time
Cisco intent-based network security provides security across domains
Intent-based network security is based on three principles:
1. Continuous visibility: A full view of who and what is on the distributed network is critical to filling the gaps in traditional perimeter and endpoint-based security solutions. Gaining a baseline understanding of all network communications, even in the cloud, provides a full inventory that a group-based policy can be built around. It enables monitoring for unusual behavior that could represent a threat or policy violation. Machine learning can further classify all types of devices or workloads and more quickly identify anomalies from the baseline.
2. Zero-trust access: A zero-trust security model provides the ability to secure access regardless of where access originates and minimizes the attack surface. This model contextually groups all users, devices, things, and applications, and then logically segments them throughout the wired and wireless infrastructure to secure the workplace. The segmentation model follows throughout the domains from the user in campus or branch, to applications in the data center and cloud, through SD-WAN.
3. Constant protection: Network transformations, including SD-WAN and SD-Access, have resulted in a distributed environment requiring security controls in hundreds to thousands of locations. Constant protection can be achieved only by building threat prevention, detection, and response into every network device—from the WAN edge to the campus core. An open, scalable multidomain architecture to push access policy changes from the branch to the data center is critical to rapidly contain threats.
Cisco Advanced Malware Protection (AMP) protects endpoints by blocking malware at the point of entry and removing it from PCs, Macs, Linux systems, and mobile devices. Going beyond user devices, AMP also works within Cisco SD-WAN to proactively block threats and protect users.
Cisco Stealthwatch® scales visibility and security analytics across the whole business, including endpoints in campus and branch, data center, and cloud. And with Encrypted Traffic Analytics, Cisco Stealthwatch is the only product that can detect malware in encrypted traffic and ensure policy compliance, without decryption.
Cisco Umbrella™ provides a Secure Internet Gateway (SIG) that provides the first line of defense against threats on the internet wherever users go. Umbrella delivers complete visibility into internet activity across all locations, devices, and users, and blocks threats before they ever reach your network or endpoints.
Security constructs built into Cisco SD-WAN apply consistent security across campus, branches, devices, and users by shifting the security stack (network segmentation, enterprise firewall, secure web gateway, and DNS-layer security policies) from the centralized data center DMZ to the distributed WAN and cloud edge.
While IT is utilizing intent-based features in each of the networking domains, IT decision makers are realizing that business intents span domains and that these domains must work together to fulfill those intents. While each domain has policies that define its actions, integration of policies between domains serves as the most elegant way to preserve their uniqueness and still provide the essential consistency and management. With policy integration, each domain, while functioning independently, can collaborate with others for the benefit of the enterprise network.
It’s not an intent-based network until you can tell the network what you want and let it figure out how to do it. It’s not “one network” unless we have policy, automation, assurance, and security built in for continuous visibility, zero-trust access, and constant protection, with security and assurance working seamlessly across every domain.
Cisco is uniquely positioned to deliver multidomain integrations with these differentiators:
● Only Cisco has leadership and best-in-class purpose-built intent-based networks across campus, branch, WAN, data center, colocation centers, and multicloud domains
● Only Cisco is executing on the vision of end-to-end intent-based networking—from any user anywhere to any workload anywhere
● Only Cisco integrates security uniformly across all domains
For more information
● Experience it for yourself: Cisco ACI-ISE Integration Demo
● Dive deeper and listen to Cisco experts: Cisco Applications and End to End Infrastructure Policy (Tech Field Day), and The Integrated Multi-Domain Network - Status and Evolution
● Watch Techwise TV: Multidomain Integrations for Intent-Based Networking