This guide focuses on creation and validation of Cisco SD-Access and Cisco SD-WAN-based deployment for a large-scale financial vertical. This deployment uses an Independent-Domain model, where the Cisco SD-WAN controller and Cisco DNA Center are independently managed and not integrated. This guide can be used as a reference document for finance network deployments.

Financial organizations operate hundreds of branches throughout the world, ranging from small ATMs to large corporate offices. While each site has its own special requirements, the financial vertical needs standardized and secure network connectivity, simplified network operations and maintenance, highly failure-resilient systems, and a consistent policy implementation across the entire organization.

Using features such as Cisco DNA Center three-node high availability and disaster recovery for resiliency, the resulting solution provides high uptimes, lower operating costs, streamlined workflows, performance optimization, and secure end-to-end connectivity.

System and Network Resiliency

The financial vertical solution can handle failures at multiple layers, from low-level device and link failures, to controller failures, to even data center outages. Cisco DNA Center provides system resiliency with features such as high availability and disaster recovery. Cisco SD-Access and SD-WAN also offer network resiliency with support of dual SD-Access borders, dual Cisco SD-WAN WAN edges, fabric nodes with stacks and StackWise Virtual Link (SVL), and wireless controllers in SSO and N+1.

Security

The solution leverages the built-in security features as well as the integration of Cisco ISE and Cisco DNA Center to provide highly secure and segmented systems.

Cisco ISE is the policy engine that simplifies the delivery of security to the network and provides support for Group-Based Policy (GBP). Cisco GBP dynamically organizes endpoints into logical groups, using scalable group tags (SGTs). SGTs are assigned based on business decisions using a richer context than simply an IP address. SGTs are easier to understand and manage. The number of group-based rules is dramatically less than an equivalent set of rules based on IP addresses. Cisco ISE also performs AAA functions with network devices and end clients.

Cisco DNA Center scales the network and still restricts access to critical applications in the fabric while improving situational awareness on the network. After Cisco ISE is integrated with Cisco DNA Center, Cisco DNA Center retrieves the Group-Based Policy from Cisco ISE to protect applications from unauthorized endpoints and clients. Cisco ISE gathers real-time contextual information from networks, users, and devices for Cisco DNA Assurance. This integration simplifies the advanced security needs of the financial institution that strives to prevent fraud and protect confidential data. The integration facilitates the provisioning of network access, accelerates security operations, and consistently enforces policy anywhere in the network.

Cisco GBP and the identity-based access control features (IEEE 802.1X/MAC authentication bypass, site-level MACsec encryption, FQDN-based certificates) help achieve the security needs of the financial vertical.

Network Segmentation

Network segmentation is essential for protecting critical business assets. Cisco DNA Center provides a simplified approach, called macrosegmentation, to protect data between virtual networks (VNs). Cisco DNA Center also provides the framework for deploying microsegmentation using group-based access control for endpoints within VNs.

The concept of network segmentation is not new, but it has evolved significantly over recent years. Initially, network segmentation was defined as the process of breaking up one flat network or broadcast domain into smaller segments with virtual LANs (VLANs). As requirements were established to extend network segments across organizations regardless of location, the concept of VN or Virtual Routing and Forwarding (VRF) instances was used to implement Layer 3 isolation between network segments.

Isolation is inherent, as each VRF maintains its own routing and forwarding, thereby creating a virtual network. Isolation is attained because routes contained in one VRF are not present in another, thereby limiting communications between them. With Cisco GBP, segmentation is no longer performed based on VLANs or VRFs with IP addressing and routing. Instead, Cisco GBP relies on the use of role- or group-based membership, regardless of IP addressing, to create policies that allow segmentation of the network.

Simplify Network Operations

Cisco DNA Center provides an intent-based solution to automate workflows such as network device provisioning, software image management (SWIM), and inventory management. Cisco DNA Center also pushes the organization's intent as policies across all sites. The solution allows Switch Virtual Interface (SVI) number reuse for the Layer 3 connections between the fabric borders and gateways and provides the framework for administrators to standardize SVI assignments in each border. Cisco DNA Center also provides actionable information about the network’s health using Assurance, such as Assurance dashboards for network, client, and critical issues. The capability to drill down to a single device or client simplifies the troubleshooting process.

Robust Network and Connectivity

Cisco SD-WAN is an overlay WAN architecture that connects multiple sites through a single fabric. The Cisco SD-WAN architecture consists of separate orchestration, management, control, and data planes. The Cisco vBond controller provides for the automatic onboarding of the SD-WAN routers into the SD-WAN overlay. The Cisco vManage controller is responsible for central configuration and monitoring. The Cisco vSmart controller is responsible for the centralized control plane of the SD-WAN network. The WAN edge establishes secure data-plane connectivity with other WAN edges.

The Cisco SD-WAN edges connect to SD-Access sites across the Cisco SD-WAN fabric using Cisco SD-Access IP transit to maintain a standard and secure connectivity throughout the network. In the Independent-Domain deployment model, Cisco vManage and Cisco DNA Center do not communicate with each other. Cisco SD-Access VNs are connected to Cisco SD-WAN virtual private networks (VPNs) using VRF-Lite. This allows the VN from two SD-Access sites to communicate across Cisco SD-WAN. External Border Gateway Protocol (eBGP) is configured between SD-WAN WAN edges and Cisco SD-Access borders to exchange routes within the VN/VPN.

Centralized Policy Management

There are differences in numbers between Cisco DNA Center systems endpoint scale and Cisco ISE scale. With multiple geographic and distant branches and sites worldwide, large Cisco ISE deployments, such as in the financial vertical, can benefit by integrating multiple Cisco DNA Center clusters with a single Cisco ISE. Cisco supports multiple Cisco DNA Center clusters per Cisco ISE deployment to better utilize Cisco ISE and also provides a centralized policy management plane for multiple Cisco DNA Centers. In a multiple Cisco DNA Center deployment, the first Cisco DNA Center system serves as the author node for Group-Based Access Policy. The author node manages scalable groups, access contracts, policies, and VNs. Creation, modification, or deletion of these policy and security elements is only possible on the author node. Additional reader nodes are independent systems that manage separate sets of network devices. The reader node does not manage local VNs or Group-Based Access Policy. Reader nodes only have read-only visibility of VNs and scalable groups.

Network Services

Trading floor architectures largely use multicast protocols for their data and video feed services. Cisco DNA Center and Cisco SD-WAN provide the framework to enable multicast from hubs to branches.

The solution is tested with the hardware and software listed in the following table. For the complete list of hardware supported, see the Cisco Software-Defined Access Compatibility Matrix.

The following use cases were validated on the financial vertical profile using the topology defined in Figure 1.

• Implement intent-based networking using Cisco DNA Center and Cisco SD-Access.

  • Administrators should be able to automate and simplify network device provisioning.

  • Administrators should be able to maintain and monitor inventory and resolve problems easily.

  • Administrators should be able to use Cisco DNA Center SWIM to upgrade multiple devices, such as switches, routers, and wireless controllers.

• Integrate multiple Cisco DNA Centers with a single Cisco ISE.

  • Administrators should be able to create, modify, and delete intent-based policy on the Author node and automatically synchronize to the Reader node.

  • Administrators should be able to request promotion to the Author node from the Cisco DNA Center Reader node.

• Connect multiple geographic and distant sites using Cisco SD-WAN.

  • Administrators should be able to configure Cisco SD-WAN to connect between campus and branches.

  • Administrators should be able to configure the Cisco SD-WAN WAN edge to connect to the SD-Access fabric via IP transit.

  • Administrators should be able to configure inline SGT propagation on the Cisco SD-WAN WAN edge to maintain end-to-end using Cisco TrustSec.

  • Administrators should be able to use Cisco SD-WAN vManage to upgrade the Cisco SD-WAN WAN edge image.

• System and network resiliency.

  • The network should recover from device or link failure automatically with minimal impact on existing applications, traffic, and users.

  • Administrators should be able to configure Cisco DNA Center in three-node HA mode. In case of services or node failure in Cisco DNA Center, the system should recover without user intervention.

  • Administrators should be able to configure disaster recovery in Cisco DNA Centers that reside in different data centers. In case of multiple node failures or irrecoverable network issues, Cisco disaster recovery should trigger automatic failover to Cisco DNA Center in a different data center.

  • Administrators should be able to upgrade or perform maintenance activities with Cisco DNA Center disaster recovery configured.

  • Administrators should be able to fail over to the standby Cisco DNA Center.

  • Administrators should be able to configure multiple Policy Administration Node (PAN), Policy Service Node (PSN), and Cisco Platform Exchange Grid (pxGrid) in a Cisco ISE distributed deployment.

  • Administrators should be able to upgrade to a major release or apply new patches to a Cisco ISE distributed deployment without impacting users and devices.

  • Administrators should be able to back up, one time or on schedule, Cisco DNA Center controller configuration and data.

  • Administrators should be able to restore Cisco DNA Center controller configuration and data.

• Configure integrated network intent across the entire organization.

  • Administrators should be able to create VNs across the organization to achieve consistent macrosegmentation.

  • Administrators should be able to apply multiple SGTs for a single VN and create group-based access policy for microsegmentation traffic within a VN.

  • Administrators should be able to configure dot1x authentication for wired and wireless clients.

  • Administrators should be able add or remove new groups of users via an add/remove VN, and then associate or disassociate the IP pool to the VN.

• Configure enhanced security to protect sensitive financial data.

  • To prevent unauthorized access, administrators should be able to enable Closed Auth Onboarding (dot1x) for wired and wireless devices and users.

  • Administrators should be able to configure secure site-level fabric traffic with MACsec.

  • To provide tighter security, administrators on Cisco DNA Center should be able to apply trusted CA FQDN-based certificates.

  • Administrators should be able to integrate Stealthwatch with Cisco DNA Center for threat detection, threat containment, and SSA for ETA automation.

  • Administrators should be able to create granular role-based users and use audit logging to monitor Cisco DNA Center activities.

  • Administrators should be able to audit policy changes, deployment of policy changes, status of deployment, the user who initiate the changes, and when.

• Monitor network and client health using Assurance and analytics.

  • Network administrators should be able to monitor the state of the network, wired users, and wireless users from a single pane of glass.

  • Network administrators should be able to examine severe, critical, and other ongoing issues with the network and devices and follow the suggested actions in Assurance to resolve the issues.

  • Network administrators should be able to monitor the health of the wired and wireless users and devices connected to the network.

  • Network administrators should be able to look at a single device, wired user, or wireless user and retrieve detailed information.

  • Network administrators should be able to see detailed application data usage.

  • Network administrators should be able to use sensors to monitor wireless network health.

Solution test verified the scale numbers listed in the following table. For the hardware capacity, see the Cisco DNA Center Data Sheet.

• Cisco SD-Access Solution Design Guide (Cisco Validated Design)

• Cisco DNA Center User Role Permissions

• Implement Disaster Recovery

• Support for Multiple Cisco DNA Center Clusters with a Single Cisco ISE System

• Cisco DNA Center Release Notes