White paper

Cisco public

Intent-Based Networking
Building the bridge between business and IT

Introduction
Networks are at the heart of the unstoppable evolution to a digital economy. Digitalization
is changing the way businesses, partners, employees, and consumers interact at an
unprecedented pace. Products and services can be customized, ordered and delivered at the
click of a button using web-based applications. Business data can be acquired, analyzed and
exchanged in near-real time. Geographic boundaries between businesses and consumers
are diminishing. And the network is at the center of communication to and between the
applications driving the digital economy.
Increasingly, traditional enterprise and data center network architectures are being stressed
to adapt quickly to these dynamic requirements. Applications are moving to public-, private-,
and hybrid-cloud environments and are now consumed as services, blurring the well-
defined boundaries between the enterprise’s network and untrusted domains. Developers,
empowered by the movements toward open-source software, containers, microservices
and agile development processes, can bring applications from concept to production in
days rather than months or even years. Employees and customers expect connectivity
from anywhere, on any device, to access information at any time. And increasingly, sensors
and autonomous devices are being connected as the Internet of Things (IoT) expands. At
the same time, cyber-threats across the network are becoming more sophisticated and
dangerous to the brand reputation and financial welfare of all organizations.
Traditional enterprise and data center network architectures and their respective operational
procedures need to evolve to keep pace with these trends. Specifically, the new network
needs to:
• Enable new digital business initiatives, not hold them back. It needs to have the flexibility to
quickly change in alignment with rapidly changing business objectives.
• Be easier to configure, operate and maintain in the face of growing scale and complexity.
Current operational models are not scalable or sustainable.
• Provide full visibility in terms of how a network is operating and providing assurance that
it is supporting the desired business initiatives and achieving compliance. Identify any
discrepancies and recommend fixes
• Identify and neutralize security threats before they cause harm. Multi-cloud, IoT and mobile
adoption open up new threat vectors that the network needs to constantly protect against.
© 2018 Cisco and/or its affiliates. All rights reserved.
White paper
Cisco public

Contents This is driving the IT industry’s growing interest in more intelligent networks,
commonly termed “Intent-based Networks”.

Introduction Intent-based networking (IBN) offers a significant paradigm shift in how

networks are planned, designed, and operated. In the past, tools were not
Intent: Bridging the gap available to declare intent and translate it into the device-level configurations
between business and IT required to realize a desired outcome. Instead, the network designer or
operator had to manually derive individual network-element configurations
Building blocks of an to support the desired intent, such as, “I want these servers to be reachable
intent-based enterprise from these branches; therefore, I need to configure specific VLAN, subnet,
network and security rules on each device in my network.”
Translation Intent-based networking solutions enable conventional practices that require
Activation the alignment of manually derived individual network-element configurations
to be replaced by controller-led and policy-based abstractions that easily
Assurance enable operators to express intent (desired outcome) and subsequently
validate that the network is doing what they asked of it.
Intent-Based Networking in
multi-domain environments Scale, agility and security demands associated with digital transformation
require that element-by-element network configuration be replaced by
Benefits of an Intent-Based automated systemwide programming of network elements with consistent
Network intent-based policies. Furthermore, the contextual analysis of data before,
Increased business agility during, and after deployment enables continuous verification to help assure
that the network is delivering the desired outcome and protection at any
Improved operational point in time. Continuous gathering of telemetry and other forms of data
efficiencies from a multitude of diverse sources provides a rich context of information to
Continuous alignment of optimize a system and ensure it is secure.
the network with the Intent-based policy extends beyond the access control of clients or
business objectives applications. It broadens to expressions of the desired user experience,
Better compliance application prioritization, service-chaining network functions that need to
and security be applied to an application flow, or even operational service-level
agreement (SLA) rules, such as, “I want to deploy only golden images on
Reduced risk
my network devices.”
The transition to
intent-based networking

For more information

© 2018 Cisco and/or its affiliates. All rights reserved.

White paper
Cisco public

“Gartner sees the In Cisco’s view, a complete intent-based network (Figure 1) needs to deliver
on a number of essential functions:
biggest benefits • Translation: The Translation function is about the characterization of intent.
It enables network operators to express intent in a declarative and flexible
from IBNS manner, expressing what the expected networking behavior is that will best
support the business objectives, rather than how the network elements
are improving should be configured to achieve that outcome.

network agility • Activation: The captured intent then needs to be interpreted into policies
that can be applied across the network. The Activation function installs

and availability, these policies into the physical and virtual network infrastructure using
networkwide automation.

and supporting • Assurance: In order to continuously check that the expressed intent
is honored by the network at any point in time, the Assurance function
unified intent maintains a continuous validation-and-verification loop. Context derived
from telemetry data is used to check alignment of operation with intent.
and policy Figure 1.  Intent-based network functions

across multiple
Intent
infrastructures.”
Capture business intent;
—Gartner, 2017 translate to policies;
check integrity
Translation Continuous verification;
insights and visibility;
corrective actions

Activation Assurance

Orchestrate policies;
configure systems
Physical and virtual infrastructure

This paper provides Cisco’s point of view on the evolution toward intent-
based networking by outlining the vision for it and its architecture and
benefits for network strategists and architects. The paper provides an
overview of the main functional building blocks of an intent-based network
and offers concrete examples from both a data center and an enterprise
networking perspective.

Gartner, Innovation Insight: Intent-Based

Networking Systems, Andrew Lerner,
Joe Skorupa, Sanjit Ganguli, 07 February 2017

© 2018 Cisco and/or its affiliates. All rights reserved.

White paper
Cisco public

Intent: Bridging the gap between business and IT

Today, implementing business requirements requires a lot of human interpretation and manual intervention to ensure
the IT systems are meeting these needs. In most cases the process is lengthy, very resource intensive, and error
prone. It does not meet the criteria for an agile digital business environment that has increasing numbers of systems,
devices, applications, and services that need to be served.

Intent-based networking captures the business intent, in business language, and translates this intent into IT policies
that can be applied and constantly monitored across the network. Figure 2 provides examples of the difference
between intent (the “what”) and execution (the “how”).
Figure 2.  Examples of intent expressions

I need to scale out I have scheduled a I am rolling out a new I need to deploy a
Intent my application
database
telemedicine session
at 10am
IoT app for factory
equipment monitoring
secure multi-tier
application

Extend network Create HD video Create a new segment Provision multiple

segments; update load connection; prioritize for all factory devices networks and subnets;
balancer configuration; with E2E QoS; validate to connect to the IoT configure ACLs and
Execution configure QoS policies performance; keep the
communication safe;
app; isolate from other
traffic; apply SLA;
firewall rules; advertise
routing information
tear down connection validate SLA; optimize
after call

With an intent-based network, the administrator determines the ‘what,’ and the system then figures out the ‘how’.” —Zeus Kerravala

© 2018 Cisco and/or its affiliates. All rights reserved.

White paper
Cisco public

Building blocks of an intent-based enterprise network

An intent-based network provides three principal functional building blocks (Figure 3): capabilities to capture intent,
functions to automate the deployment of the expressed intent throughout the network infrastructure, and the ability to
assure that the desired intent is being realized.
Figure 3.  Building blocks of Intent-Based Networks (IBN)

Translation
Intent-
Based Network
Activation Assurance

Translation An important challenge relates to moving from a traditional

Translation involves several functions in an intent-based network deployment to an IBN deployment. In this case
model. One or more operators, or groups of operators, there are already policies in affect in the current network,
have the capability to characterize their desired intent. but the network operator may or may not have a list
This may take the form of an easy-to-use graphical or full visibility of all of the currently deployed policies.
user interface, an abstracted model (such as YANG or Therefore, it is important to perform automatic host
JSON/XML) that is intuitive and related to the business discovery and policy discovery to identify the policies in
objectives, or even a predefined syntax or language. operation, to provide the operator with full visibility of all
It may be defined by application developers as part of the running policies for review, and then to activate the
a continuous integration/continuous delivery (CI/CD) desired policies automatically in the IBN deployment.
process, or in the future, it may even be achieved through Activation
text-to-speech expressions, in which operators verbally
speak intent and the intent-based system executes and Activation functions ensure that the derived MBPs are
provides verbal or other feedback. This abstract and disseminated throughout any of the relevant network
business-near expression of what the network should do domains. The physical or virtual network functions in an
differentiates an intent-based approach from traditional IBN may be managed in different operational domains
network architectures. (data center, WAN, branches, campuses) by the same or
different operational teams. The orchestration function in
Another capability of Translation is to harmonize an intent-based network allows for the dissemination of
the captured intent into a common model-based MBPs into the relevant domains—meaning that policies can
policy (MBP), often with the help of a controller- also be limited in scope to particular parts of the network.
based architecture. Intent expressed by various input
mechanisms, potentially across multiple network domains, Activation may also employ additional functions to
is translated into such standard MBPs—a foundational further derive the appropriate device configurations. A
step to leverage automation and allow sophisticated domain’s controller can correlate the information about
consistency and integrity checks to be applied. the network elements, their capabilities, and the topology

© 2018 Cisco and/or its affiliates. All rights reserved.

White paper
Cisco public

with the expressed MBPs to establish the appropriate • Derive insights based on analytics (correlation
device configurations. Additional checks for consistency of events and leveraging machine learning and
at the configuration level may also be applied before artificial intelligence [ML/AI]) for validation,
programming the network elements using standards-based understanding, and prediction: In addition to
APIs (such as Network Configuration Protocol [NETCONF] verifying the current network state and its alignment
with the expressed intent, assurance functions can
or YANG, or representational state transfer [REST]).
derive more sophisticated insights and visibility into
Assurance the behavior of an intent-based network. For example,
they may predict any violations of the expressed intent
Assurance is a critical function of intent-based prior to changes being applied, understand or forecast
networking. It uses contextual analysis of data to provide trends, identify anomalies, predict and validate system-
validation that the intent has been applied as intended, level network performance.
and also continuously verifies that the desired outcomes
are actually being achieved. The Assurance capabilities of • Leverage a closed-loop cycle to realize corrective
an intent-based network cover three main aspects, also action and optimization: Anomalies, violations, and
highlighted in Figure 4: simple out-of-SLA (expressed intent) situations that
are detected can be programmatically remediated
• Continuously verify the IBN system behavior before, leveraging the Activation building block to effect
during, and after deployment: Check that the system systemwide adjustment. An intent-based network thus
behavior is aligned to the expressed intent at any point enables a mechanism to automate the remediation
in time. This capability requires ongoing observation of of any intent-based policy violations, or to allow
the network element states and events. Intent-based continuous optimizations to be automated to guarantee
telemetry data specifically measures the performance that the expressed intent is realized by the network at
of the expressed intent, and is continuously collected any point in time. Note that depending on the policy,
and reported to the IBN Assurance functions. Assurance the actions may be automatically executed or may be
algorithms, ranging from formal mathematical models to provided to the operator as recommendations, in which
approaches based on telemetry and machine learning, case the operator decides on execution.
guarantee that the network state and behavior are
coherent with the desired intent at both the domain and
cross-domain levels.

Figure 4.  Three main aspects of Assurance

Continuous Configs, Changes, Telemetry, Routing,

Security, Services, VMs, Compliance, Audits
verification Successful rollouts, Operational continuity

Insights and Visibility, Context, Historical Insights, Prediction

visibility Minimize downtime, User productivity

Corrective Guided Remediation, Automated Updates,

System Optimization
actions IT Productivity

© 2018 Cisco and/or its affiliates. All rights reserved.

White paper
Cisco public

The main architecture, building block, and outcomes differences between a traditional network and an Intent-based
network are captured in Table 1 below.
Table 1.  Comparison of traditional and intent-based networks

Capabilities Traditional network Intent-based network

Architecture • Device-by-device management • Networkwide system-oriented management

• Unidirectional configuration • Closed-loop automated configuration and assurance
• Nonprogrammable devices • Programmable physical and virtualized infrastructure
• Patchy network security • Security functions integrated systematically
throughout the architecture
• API-centric, model-based
• Open hardware and software stack

Translation • Ad hoc operator interpretation and ad • Yes, through intent capturing and translation
hoc translation system functions

Intent verification • No support • Yes, integrity and consistency checks

Policy support • Limited, expressed by device commands • Intent-based policies based on models

Activation • Limited (scripting), device-by-device • Automated, networkwide with controllers

Telemetry • Limited support • Extensive support

Assurance • Manual, device-by-device • Automated, full analytics with AI/ML or formal

method support

Feedback loop • Based on ad hoc, manual operator monitoring • Yes, automated for either operator or system activation

Outcomes • Limited, best effort business alignment • Continuous business alignment

• Complex and costly to manage at scale • Simplified, efficient management at scale

© 2018 Cisco and/or its affiliates. All rights reserved.

White paper
Cisco public

Intent-based networking in multi-domain environments

An enterprise’s network infrastructure may be managed in different domains, separating the operational duties into
campus and branch sites, WAN, data center, and the cloud. Applications hosted in the data center or cloud, as
well as clients, may also have their own operational procedures, and thus be considered domains. In an IBN, one or
more domains are expected to be governed by a controller, which provides a holistic view of the infrastructure and
maintains a consistent state (configurations, software images, etc.).

The intent-based system accommodates this arrangement of network infrastructure into domains. Translation and
orchestration capabilities are applied across domains, allowing for the characterization of networkwide intent-based
policies across the campus and branch sites, WAN, data center and cloud. An orchestration function disseminates
the captured policies to the relevant domains, which also enables restriction of some policies’ scope by design.
Automating the translation of the model-based policies into device-specific configurations, and instantiating these
into the network infrastructure, is covered by the domain-specific controllers. IBN Assurance functions may apply
to a particular domain to ensure adherence to the expressed intent-based policy. Additionally, Assurance functions
operate across domains to check for compliance with the expressed intent networkwide and end-to-end (from
application to application, regardless of where the apps are hosted).

Figure 5 illustrates additional functional details of the Translation, Activation, and Assurance building blocks of IBN,
and how they relate to different infrastructure domains. The figure also highlights the feedback loop that sends
insights gained by Assurance back into the Activation functions for ongoing optimization of the network.
Figure 5.  Intent-based networking model and functional details

Characterize Translate/
intent homogenize
Translation
Verify integrity Model-based policies

Intent model API

Disseminate policy x-domain Cross-domain

Activation API Assurance

Configuration generation Conflict resolution Domain specific

API
API

Infrastructure
Sites WAN Data center Cloud
domains

© 2018 Cisco and/or its affiliates. All rights reserved.

White paper
Cisco public

Benefits of an intent-based network

An intent-based approach to networking enables several benefits for business and IT leaders. These include improved
business agility and operational efficiencies, better compliance and security, continuous IT and business alignment
and reduced risk.

Increased business agility increases in a digitized network architecture. For

example, intent and policy are typically expressed
The abstractions and the fully automated nature of an
at a group level. Grouping applications, devices, and
IBN supported by open APIs ensures that the network is
users and expressing intent with respect to associated
responsive to the dynamics expected in a digital economy.
groups supports a simplified operational model. As
New applications can be quickly on-boarded in the
new employees join the company or application tiers
network wherever most appropriate (the enterprise data
scale out, new endpoints can simply be created within
center, a Virtual Private Cloud (VPC), or even consumed
existing groups, thereby leveraging previously expressed
as-a-service). The capability of an intent-based system
intent and policies. Furthermore, the standardized and
to capture the intent of a new application in the abstract
automated nature of IBN inherently supports a higher
simplifies the process of providing connectivity and
scale than traditional manual, non-automated processes.
security to such applications. Sophisticated integrity
checks, automated configuration of the network policies Through its closed-loop design, an intent-based network
relating to the application, and ongoing assurance allow also greatly reduces—or in many cases eliminates—
infrastructure teams to confidently support the rapid pace complex troubleshooting scenarios that occur in
of application development. networks today. As assurance processes verify the
alignment of network configuration with intent, they can
Improved operational efficiencies
surface potential problems before they occur, or can
The functionality offered by an IBN promises operational quickly and efficiently identify the root cause of
efficiencies and even reductions in Operating Expenses emerging issues.
(OpEx). Network operators are expected to be able to
significantly reduce the time spent on network design, Standard changes to commonly recurring issues can
implementation, testing, and troubleshooting. An intent- even be automated while preserving the integration
based network is fully model driven: Operators can with IT Service Management (ITSM) systems, potentially
express intent in an intuitive manner with easy translation yielding further significant OpEx savings. IBN can drive
into model-based policies. Once the intent is captured in transformation from an operator-curated knowledge
a model, sophisticated consistency and integrity checks base (manifested today in, say, a help-desk tool or
can be applied to ensure that new intent is consistent configuration management database) to a systemic or
with previously expressed intent, or that intent expressed machine-learned knowledge base that covers more
by different operational groups is consistent. Translation and more “preapproved” changes as the path towards
of model-based policies into standard network element closed-loop automation.
configurations can be fully automated, increasing the
Continuous alignment of the network with the
consistency in the network. An IBN thus offers a stark
simplification of the conventional process of manually business objectives
deriving Command-Line Interface (CLI) configurations An intent-based network system allows the desired
for a policy for every network element in the architecture, behavior of the network to be expressed in abstract,
repeating this manual process every time a new business-near terms: the what instead of the how.
application or device type is on-boarded, and ensuring This capability helps ensure that the network is always
that any configuration changes do not break or violate fully aligned with the business operations. Previously,
previous policies. the translation of business objectives into device
configurations was a process performed by a highly
The level of abstraction and automation in an intent- skilled engineer. For example, a business objective
based model also supports the anticipated scale

© 2018 Cisco and/or its affiliates. All rights reserved.

White paper
Cisco public

“application X is business critical” required in-depth Reduced risk

knowledge of every network element to filter application The abstractions, automation, and assurance introduced
X traffic, and configuration of the respective Quality- with IBN promise to reduce the overall operational risks
of-Service (QoS) policies at every relevant hop in of providing communication services between users,
the network. In an IBN, that same expressed intent devices, and applications. Manual, error-prone CLI-
is translated into policy, and the configuration of the based processes are minimized in an intent-based
network elements is fully automated. The feedback system. Consider, for example, the case of traffic filters
mechanism built into the IBN checks that the derived in the network. Typically, Access Control Lists (ACLs)
policies are always honored, and can help automatically are configured throughout the network to filter traffic
adjust the network configuration if the network is no for security or traffic control purposes (QoS, path
longer aligned with the expressed intent. determination). Many ACLs have grown over time, and
Better compliance and security making any modifications risks the creation of a security
hole, or may counteract previously desired policies. A
While sometimes over-looked, improved protection and predictable and coherent expression of intent-based
rapid threat containment are actually one of the main policies in IBN, the ability to apply consistency and
benefits intent-based networking can deliver. Each of the integrity checks (such as using formal mathematical
building blocks in an IBN helps to substantially improve methods), and their standardized translation and
the overall security and compliance of the network. deployment into network element configurations all
Continuous alignment to intent related to security and increase the consistency in the network—even in the face
compliance policies should be a core objective of IBN. It of multiple operator groups and disparate technologies.
is achieved by making security an integral part of each
of the IBN functional areas and delivering closed-loop Furthermore, intent-based networks significantly reduce
policy enforcement and threat containment. Security the risk of network outages by predicting the impact of
policies can be expressed by the security operations changes to the systemwide network state. For example,
team independently of other operations groups. The consider a situation where a primary site is functioning
integrity verification functions in the architecture check properly, but a secondary site, accessed only in the case
that policies are not counteracting each other. Also, the of disaster recovery, is not. An IBN system would be able
ongoing telemetry and assurance function provide an to identify such a latent misconfiguration and flag it to an
up-to-date picture of the state of the network that is operator (or correct it automatically) to avoid a potential
essential for security and regulatory compliance reports. network outage.
Advanced segmentation techniques prevent the spread
of lateral infections between endpoints, users, and
applications to protect the availability of core assets.

© 2018 Cisco and/or its affiliates. All rights reserved.

White paper
Cisco public

“We believe The transition to intent-based networking

a full IBNS For many organizations, the evolution to a fully intent-based network will
be a journey, requiring a combination of existing and new technologies and

implementation process changes. The full potential of IBN is ultimately recognized when it is
deployed across all network domains, including data center, campus, branch,

can reduce and WAN.

A number of initiatives across the industry are working to deliver on the

network promise of intent, and many of the functional building blocks contributing to
an intent-based model are available today and already providing substantial
infrastructure benefits. Many foundational elements, including software-defined networking,
virtualization, and analytics have matured to the point that they can be
delivery times deployed today, as part of a longer-term intent-based strategy. The transition
to IBN can also be dramatically simplified and accelerated by automatically
to the business discovering hosts and policies running on an organization’s current network,
and then providing the operator with the ability to review the running policies
leaders by 50% and identify which should be activated in their IBN.

to 90%, while Cisco is helping IT leaders embark on achieving an end-to-end intent-

based network based on our open platforms for data center and enterprise
simultaneously networking, together with an ecosystem of third-party technologies.

reducing the In the data center, the Cisco® Application Centric Infrastructure (Cisco ACI™)
solution provides a policy-based automated network fabric, covering the

number and translation and activation phases of the intent-based framework, while Cisco
Network Assurance Engine provides assurance in data center networks.

duration of On the enterprise-networking side, the Cisco Digital Network Architecture

(Cisco DNA™) offers similar services for enterprise campus, branch and WAN
outages by environments, providing translation, activation and assurance capabilities for
wired and wireless, software-defined access, and software-defined WAN
at least 50%.” domains. Furthermore, Cisco’s Identity Services Engine provides identify-based
policy and rich contextual information.

The journey to elevate networks to an intent-based model is well under way!

—Gartner, 2017

For more information

Learn more about intent-based networking here: https://www.cisco.com/c/
en/us/solutions/enterprise-networks/intent-based-networking.html

Gartner, Innovation Insight: Intent-Based © 2018 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco
Networking Systems, Andrew Lerner, and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/go/
trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not
Joe Skorupa, Sanjit Ganguli, 07 February 2017
imply a partnership relationship between Cisco and any other company. (1110R)  C11-740210-00  01/18