To understand what Cisco® Software-Defined Access (SD-Access) can do for your workplace networking, you first need to consider what the network itself can do to help you achieve your business goals. Going beyond simple connectivity needs, today’s network can help you secure your critical data and sensitive applications, simplify IT tasks, enhance user experience with automatic configuration and issue resolution, and introduce new services rapidly.
Achieving some of these promised benefits requires a modern infrastructure with programmable network devices and a way to establish, enforce, and verify trust in connected endpoints with a capable network controller.
While you may be able to build such an infrastructure when you build a brand-new network from scratch, you may not find it easy to convert an existing network that hosts many users, is necessary for business continuity, and cannot withstand any disruptions. And yet, given today’s urgent needs in your business, you need to modernize your network.
Recognizing this fact, we have enhanced SD-Access to make it easier for you to begin the process of modernization with small steps that you can take at your own pace, in keeping with your budget, and without disrupting your users and your business.
The network’s effect on businesses can hardly be overstated. All modern organizations depend on a robust and secure network to run. And just as businesses are different, their networking requirements and designs are different, too. In fact, given its importance to both the business’s top and bottom lines, the network must be thought out carefully and designed diligently to meet today’s and future (anticipated or otherwise) needs. Some of the top design criteria include:
● Connectivity and mobility: The network supports users and devices connecting over a variety of methods such as wired, wireless, or VPN. It needs to provide the same level of authentication and access policies regardless of their location
● Zero-trust security: The network is increasingly being called on to help define and enforce access policies for users and devices, not just at the point of admission, but also in determining the resources, data, and applications they can get to once inside the network. Moreover, to guard against endpoint compromise after admission, the network needs to continuously monitor and verify its trust level
● Business agility: The network must be agile. It must be easy for IT to adapt it to new and unanticipated business needs
With its responsibilities, networks and their operations can get really complex. To manage this increasing complexity, and keep the network, and the business, running, network management becomes a crucial task.
SD-Access provides an elegant solution to these network requirements. It relies on Cisco DNA Center, Cisco Identity Services Engine (ISE), and a modern network infrastructure consisting of Cisco Catalyst® switches, routers, and wireless equipment to provide the desired connectivity, mobility, security, and agility.
However, not all networks have these necessary elements in place. In this paper we will discuss ways in which SD-Access simplifies achieving network objectives starting with what you have, attaining incremental benefits along the way, and setting you up on a path to full realization.
The figure below shows a typical hierarchical network architecture. You will see that there are three switching layers defined. Such a design segregates the functions of the network into these separate building blocks to provide for availability, flexibility, scalability, and fault isolation.
Switching layers in campus and branch networks
At the lowest level in this tree are access switches to which user devices, IoT devices, and access points connect. Because these switches interface directly with clients, they are critical in terms of providing connectivity and security. Some of the main characteristics and functions of access switches include authentication and authorization, access control, and quality of service.
In the traditional design, access switches use the connected devices’ data link layer (Layer 2 in the OSI model) to extract the source and destination MAC addresses to decide where to forward frames. The advantages of Layer 2 switching include speed, low latency, and low cost, mainly because they don’t need to look at the network layer header information (Layer 3 in the OSI model) to make a forwarding decision.
Because such access switches use MAC addresses to forward packets, they are vulnerable to creating routing loops when redundant physical links are present between the source and destination. Such loops can be disastrous to a network and must be avoided at all costs. But in a large network it can become hard to detect and eliminate such loops.
Layer 2 access
Layer 3 or routed access
Organizations routinely segment their network using virtual local area networks or VLANs. VLANs serve to divide the network and allow custom handling of different traffic. They have proven to be invaluable for keeping physically separated devices in the same logical network, giving flexibility in office space usage and for security through segmentation. Using Layer 2 switches for VLANs, however, means that routing capabilities are needed to forward traffic that traverses VLAN boundaries. Therefore, Layer 2 access works well only when traffic in and across VLANs is relatively low.
The alternative to using Layer 2 access switches are Layer 3 access switches. Because these switches use both Layer 2 and Layer 3 constructs, they are also referred to as multi-layer switches. The main difference between Layer 2 and multi-layer switches is that the latter also do the necessary routing between VLANs. Other benefits of such switches include improved fault isolation, simplification of security management, reduction of broadcast domains, simplified troubleshooting, and lower network latency as packets do not have go through routers.
Layer 3 switches also avoid Layer 2 switches’ routing problems, improve convergence, and are useful for advanced controls such as load balancing, convergence, and increased troubleshooting.
Given the advantages of Layer 3 access switches, most medium to large organizations prefer them over Layer 2.
Distribution layer switches sit in between the access and the core layers. They are also known as aggregation switches since they group traffic from access switches and provide common services such as internet access. When used with Layer 2 switches for access, the distribution layer with its Layer 3 switches and routers routes traffic between subnets and VLANs in the network.
The core layer is responsible for fast and reliable transportation of data across the network. The core layer is the backbone that all other layers rely upon. Its purpose is to reduce the latency time in the delivery of packets and typically consists of high-performance and high-capacity switches providing minimal processing of the packets such as QoS (Quality of Service) and access control, which are addressed by other layers in the hierarchy.
No matter what model you use for your campus switching design, if you have a large number and type of users and devices and need to support their mobility while maintaining a high level of security, you are likely to run into configuration complexities.
The challenges you are likely to face when designing a network for medium to large organizations are as follows:
1. Scale: You have a growing organization with new hires and new endpoints that need to be connected every day. Your network needs to be scalable so that it can onboard all of them and provide an acceptable level of throughput to all. How do you scale your own operations to get them all up to speed quickly within their workgroups and be part of the right segments and VLANs?
2. Diversity: Not just the sheer number, but the variety of users and endpoints now vying for connectivity is also increasing. There may be employees, vendors, contractors, and guests who need to be served. Most organizations also have a variety of connected devices ranging from IP phones, printers, video conferencing equipment, surveillance cameras, badge readers, to climate control systems, and certain industries may have vertical-specific endpoints, such as heart-rate monitors, X-ray machines, or manufacturing robots, etc. How can you tell what is being connected to your network so you can set it up to deliver the connectivity levels they need?
3. Modifications: Updates to the network to track the evolving organizational structure is an ever-present problem for IT. People move to different groups, they are promoted, they need access, for example, to video conferencing resources or to personnel records, or to the customer database. How do change your switches and firewall configurations to provide timely support while maintaining the privacy and confidentiality of the resources?
4. Connection method: People increasingly connect using different mechanisms. While they might be tethered to a cable while at their desks, they migrate to wireless as they move to the conference room, and then to VPN when at home. How do you make the network provide a uniform experience and consistent and accurate access privileges over the different connectivity methods?
5. Mobility: Your employees move between campus buildings and from the HQ to branches across your geographically distributed enterprise. How do you fulfill connectivity and access needs when your employees are on the move and not at their assigned building?
6. Security: The network is being called upon to do more to improve security through access control – not just at the endpoint connection – but also to protected resources such as customer data, credit card information, and personally identifiable information among others. Given the scale, diversity, and ever-changing needs, how can you ensure that your resources remain protected, and you are always following applicable regulatory compliance mandates?
SD-Access is part of Cisco Digital Network Architecture (Cisco DNA) that focuses on solving the network onboarding and access challenges. It takes a holistic view of organizational networking needs and presents a simple, effective, and automated way for organizations to transform their operations to be simpler and position themselves to address their anticipated and unanticipated challenges.
The SD-Access solution consists of several sub-solutions. Taken together they provide a comprehensive approach to control, monitor, and ensure access. However, SD-Access does not mandate that all its constituent parts be deployed to see any benefits. Most of the sub-solutions may be independently used and yield usable benefits on their own.
1. Identify and group endpoints: The first step required for providing the right level of access to any endpoint is to figure out what the endpoint is and what privileges it needs. Cisco AI Endpoint Analytics, an application running in the Cisco DNA Center, aggregates data obtained from Deep Packet Inspection (DPI) of traffic to and from each endpoint, various logs, configuration databases, and telemetry and deduces details such as make, model, operating system, location, etc. This provides enough information to SD-Access for it to determine the endpoint’s role in the business, place it in the appropriate group of like endpoints, and give it the appropriate level of resource access. Further, it also allows SD-Access to continuously monitor endpoint behavior to determine if it is compromised before or after it is admitted to the network.
2. Analyze traffic between groups: Cisco Group-Based Policy Analytics, another application that runs in Cisco DNA Center and is part of the SD-Access solution, gathers traffic flows between endpoints and shows them graphically on a dashboard. It gives details down to the port and protocol levels which you can then use to determine if the traffic is legitimate and allowed or illegitimate and stopped.
3. Define group-based access policies: AI Endpoint Analytics and Group-Based Policy Analytics lay a sound foundation on which effective policies can be defined. Grouping like endpoints allows policies to operate on a group level, and not at an individual one, reducing the number of policies and making them easy to understand and maintain. Analysis of traffic provides the insight to allow or block access at a more granular level.
4. Enforce policies: Group-Based Access Control, also referred to as Access Control Application (ACA), provides an easy-to-use matrix that allows you to define those granular policies within Cisco DNA Center. In turn, Cisco DNA Center sends these policies to Cisco Identity Services Engine (ISE) that then configures them in the network infrastructure on demand as endpoints attach to the network.
5. Segment at multiple levels: SD-Access provides network segmentation at two levels. A macrosegment, also known as Virtual Networks (VNs), creates Layer 3 partitions using Virtual Routing and Forwarding (VRF) technology that is much more scalable and extensible than Layer 2 VLANs. Microsegments use special labels in their packets called Scalable Group Tags (SGTs). These tags are added to traffic packets at their ingress point into the network and are checked within the network. The packet can travel to its destination only if access policies allow it to. Macro and microsegmentation techniques can exist independently of each other, may be deployed separately or jointly, and together provide a very flexible and powerful mechanism that can be applied to a wide variety of situations.
6. Create an overlay fabric: You can use SD-Access to create an automated, standardized, and scalable overlay fabric that utilizes all of visibility, policies, and segmentation constructs. Such a fabric builds a secure infrastructure for an enterprise that continually verifies the behavior of all endpoints and resources, reduces the scope of any potential breaches, aids in all applicable regulatory compliance measures, and reduces overall risks for the organization.
7. Use Policy Extended Nodes: Certain switches that do not fully support the SD-Access fabric may be deployed as Policy Extended Nodes. Acting in this way, they provide a bridge from a traditional to an SD-Access network. These nodes preserve the Layer 2 access nature of the traditional network while still tagging packets it receives from connected endpoints and performing access control based on SGTs in packets it receives that are destined for those endpoints.
8. Monitor endpoints: As part of its support for zero trust security, SD-Access can monitor each connected endpoint for continuing the level of trust that was initially established. It looks for any vulnerabilities in the endpoint's posture, gets data from security applications such as Umbrella and Stealthwatch, analyzes each endpoint's behavior and looks for any anomalies. Based on this analysis it can detect if the endpoint has been infected or compromised and if any corrective steps should be taken. As part of this Trust Analytics component of AI Endpoint Analytics, Cisco has developed several endpoint models that can be used as references for detecting abnormal behavior. These endpoint models are trained using NetFlow data for known endpoint types functioning under normal operating conditions and deployed within Cisco DNA Center. The real-time behavior of the endpoint under monitoring is compared to that of the known models. If there is a deviation from the expected modeled behavior, Cisco DNA Center will alert the user and ISE that the endpoint is not behaving as expected and access policies should be adjusted.
9. Extend policies throughout the enterprise: Once access policies are established for endpoints, they can be integrated with similar policies for applications running in the data center with Cisco Application Centric Infrastructure (Cisco ACI®) networking, and with wide area networks between campus, branches, and the data center using Cisco SD-WAN. Such integrations provide a uniform enterprise-wide policy domain that extends the automated protection to the entire organization.
Cisco DNA Center, Cisco Identity Services Engine (ISE), and the entire networking infrastructure form the set of products necessary for SD-Access.
Cisco DNA Center: As a network management system and controller, Cisco DNA Center provides a dashboard for user interaction, an automation engine to configure devices, an AI/ML analytics engine to ingest network data and derive useful insights, and a variety of integrations with security applications. As part of the automation, Cisco DNA Center allows network engineers to set up configuration templates that it customizes and pushes into network devices. Cisco DNA Center also hosts applications such as Cisco AI Endpoint Analytics, Cisco Group-Based Policy Analytics, Access Control Application, and others that SD-Access uses.
Cisco ISE: As an authentication and authorization server, Cisco ISE acts as the policy repository and enforcement engine and works with Cisco DNA Center as part of the SD-Access solution. It obtains policy definitions from the Cisco DNA Center, identifies and groups endpoints as they first access the network, and dynamically programs the relevant access privileges to the switch port for the endpoint.
Network infrastructure: SD-Access works with all Cisco Catalyst® switches, routers, wireless access points, and LAN controllers introduced in the past decade. While the entire set of SD-Access features is fully supported by the Catalyst 9000 family of devices, the level of support may be lower in previous generation devices. Please consult the SD-Access compatibility matrix for detailed device and feature support. While SD-Access does not directly work with devices that are unmanaged or are not compatible with SD-Access requirements, it does have a mechanism that allows these switches to coexist in an SD-Access environment with more advanced equipment. SD-Access support of such a hybrid environment allows organizations to deploy SD-Access in a gradual and phased manner.
Although it relies on relatively new infrastructure and controls for its full functioning, SD-Access is not just for new installations. There are several paths that you can take from where your network is currently to full SD-Access. Each step brings you added benefits, and there is no necessity to continue to full adoption of SD-Access. You can choose where to stop based on your requirements.
Multiple incremental paths to full SD-Access
SD-Access offers you several starting points depending on where you are and gives you incremental steps to reach full functionality.
1. If you are setting up a new network and not burdened by legacy devices, you can begin by selecting SD-Access compatible Layer 3 access switches, ISE, and Cisco DNA Center, which would provide you with the full SD-Access experience right away.
2. Even in a new network, you can stagger your deployment by first using Cisco DNA Center to automate macrosegmentation using Layer 3 access, followed by adding ISE for endpoint and policy visibility, and microsegmentation.
3. For existing networks, if you already have ISE, you can begin your journey by endpoint and policy visibility and then with macro- and microsegmentation. Note that you could use either Layer 2 or Layer 3 access switches; however, with Layer 2, microsegmentation will only begin at the distribution level.
4. With an existing network that does not have ISE, you can begin with VN-based macrosegmentation, add ISE for visibility, and then microsegmentation.
Figure 6 shows how a traditional network without Cisco DNA Center or ISE and with Layer 2 access can migrate over to SD-Access in three steps.
Steps in migration of a traditional network to full SD-Access
Independent of whether they provide Layer 2 or Layer 3 connectivity, one of the major functions of access switches is clearly controlling access. Network Access Control (NAC) is a major consideration in almost all organizations that store confidential data, need to protect critical resources, keep malware out, and otherwise reduce risk to their business.
The most common and straightforward way that access control in traditional networks has been to place firewalls and use Access Control Lists (ACLs) in switches to permit or deny traffic. These lists usually work with individual IP addresses for endpoints and resources. In a medium to large network these lists can be thousands of lines long and extremely hard to maintain and prove to be a hindrance to effective segmentation. Manual methods suffer from lack of automation, limitation of scale, and a high degree of complexity. These problems can be solved by a new method of segmentation based on Virtual Routing and Forwarding (VRF) which requires Layer 3 access. But many traditional networks that have Layer 2 access cannot take advantage of VRFs.
Traditionally, SD-Access has required Layer 3 access for implementing VRF-based Virtual Networks (VNs). However, you can still use SD-Access by first converting switches at the distribution and core layers to SD-Access- compatible ones while leaving the access switches at Layer 2. You can then use Cisco DNA Center to define and enforce macrosegmentation through core and distribution layers.
While you can’t use many of the full SD-Access benefits, you have nevertheless gained a more secure and automated network without disrupting your users or your business.
In a traditional Layer 2 access network, an organization may have defined hundreds of VLANs for their users’ desktops, IP phones, printers, etc., and an effort to change only some of them at a time may result in traffic disruptions and unreachable destinations.
SD-Access makes it easy for you to gradually migrate your older Layer 2 access switches to Layer 3 by allowing you to keep existing VLAN-IDs and transporting them over VNs in distribution and core layers. By keeping VLAN-IDs, you can upgrade your access network switch by switch at your own pace, budget, and business needs and as per the device lifecycle.
Many organizations have broadly independent subnetworks. For example, universities may have separate networks for their different faculties, malls may have a dedicated network for each store, airports for each airline and store, etc. In such cases, each of the subnetworks typically operates with Layer 2 access switches while the corporate or the central entity maintains distribution and core layers and functions as a service provider.
In normal cases, traffic from access switches flows into the distribution and core to travel to its destination – either to another access switch or through a gateway across the WAN or to the internet. In situations such as airports, some tenants may have a business need to directly reach their own data center or cloud applications without transiting through the distribution and core layers.
SD-Access enables this transit by allowing you to define gateways that bypass the rest of the network and send such traffic directly to its destination. Figure 7 shows how traffic from point-of-sale terminals can be routed directly outside the fabric to an external data center or cloud for processing.
Offload data outside the fabric for multitenant networks
With support of several deployment models, all of which improve on traditional networking, SD-Access makes it even easier to begin and continue transforming your network to make it more intelligent, automated, scalable, and secure.
The deployment models also do not force you to follow a strict implementation regimen. Each of these are independent, yields immediate benefits, and, if you choose to, allows you to follow your own timeline to a full SD-Access powered fabric.
For more information on SD-Access, please refer to the following resources:
● Visit the SD-Access web page
● Register to attend a live Cisco DNA Center demonstration
● View the SD-Access infrastructure matrix