BRKENS-2566

The document outlines the latest features and enhancements in Cisco's SD-Access and Catalyst Center, including deployment options, management plane enhancements, and LAN automation improvements. It discusses the default deny model for security policies, emphasizing the benefits of understanding traffic flows and resource management. Additionally, it provides details on visibility and control features, integration with Cisco ISE, and various enhancements for automation and planning in network design.


#CiscoLiveAPJC

-
What’s New in SD-Access?
Mahesh Nagireddy
Technical Marketing Engineering, Technical Leader
CCIE R&S
BRKENS-2566

-
#CiscoLiveAPJC
https://ciscolive.ciscoevents.com/

Cisco Webex App: ciscolivebot/#BRKENS-2566

Questions?
Use Cisco Webex App to chat with the speaker after the session

How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install the Webex App or go directly to the Webex space
4 Enter messages/questions in the Webex space

Webex spaces will be moderated by the speaker until November 15, 2024.

-
#CiscoLiveAPJC BRKENS-2566 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Cisco Catalyst Center (formerly Cisco DNA Center)

Agenda
• Introduction
• Management Plane Enhancements
• LAN Automation
• Default Deny
• ISSU
• Mesh Support – 2.3.7.3

-
Cisco SD-Access
Cisco Catalyst Center Deployment

• Deployment Options
  ▪ Standalone
  ▪ On-Prem Physical Appliance (DN3 – C220 M6 HW)
  ▪ Virtual Appliance on Cloud (AWS) *
  ▪ On-Prem Virtual Appliance on VMware ESXi *
  ▪ Cluster for High Availability (HA): cluster interconnected with 10Gbps interface with <10 msec latency
  ▪ Disaster Recovery (DR) for network downtime: cluster connected with 1Gbps interface between main site and recovery site with <350 msec latency, IPsec encryption

• Failure detection and recovery (High Availability vs Disaster Recovery)
  ▪ Failure detection time: 5 minutes (HA), 3 minutes (DR)
  ▪ Time taken to failover on failure detection: 7-13 minutes (HA), 15-30 minutes (DR)
  ▪ Failover time behavior: service down up to 7 minutes (HA), service down up to 30 minutes (DR)
  ▪ Failback: automatic (HA), manual (DR)

Diagram: Standalone or HA Cluster of Cisco Catalyst Center, as Physical Appliance (On-Prem) or Virtual Appliance (On-Prem or Cloud); DR topology with a Cisco Catalyst Center Cluster (Standalone or HA) at the Main Site and at the Recovery Site, plus a Cisco Catalyst Center Witness (VM) at the Witness Site.

* - DN-SW-APL

-
Cisco SD-Access
On-Prem and Cloud supported models

• Catalyst Center Virtual Appliance on Cloud (AWS), Version: 2.3.7.6, with Cisco ISE on-cloud (AWS), Version: 3.3P3
• Catalyst Center Appliance on-prem, Version: 1.x, with Cisco ISE on-prem, Version: 2.x
• Catalyst Center Virtual Appliance on Cloud (AWS), Version: 2.3.5.3, with Cisco ISE on-prem, Version: 3.2 P5
• Catalyst Center Virtual Appliance (ESXi) on-prem, Version: 2.3.7.4, with Cisco ISE on-prem, Version: 3.3 P3
• Catalyst Center On-Prem with Cisco ISE on-cloud (AWS), Version: 3.3 P3

Multiple Catalyst Center feature supported on all above options
-
Integrating Cisco Catalyst Center with ISE
Multiple Cisco Catalyst Center Solution Overview
N=5 starting Catalyst Center: 2.2.3.x

Diagram: a Cisco ISE Deployment (Cluster) exchanges data with the Catalyst Center clusters over pxGrid and REST APIs. Cisco Catalyst Center Cluster #1 is the Author; Cisco Catalyst Center Clusters #2, #3, #4 ... #N are Readers. The data synced (GBP+SDA Data Sync) is GBP Data (Policy, SGT, Access Contract) plus SD-Access Data (Virtual Network, Extranet Policy). All clusters sit above the Intent-based Network Infrastructure.

-
Multiple Cisco Catalyst Center
Multiple Cisco Catalyst Center Package and Installation

Package required if:
• Catalyst Center release < 2.3.6.x
• Cisco ISE release < 3.2

Connect with your Cisco Sales Representative or Channel Partner for:
• High-Level Design review
• Multiple Cisco Catalyst Center Package release

Diagram: Cisco Catalyst Center Clusters #1, #2, #3, #4 ... #N, each in the Author role.

-
Multiple Cisco Catalyst Center
Multiple Cisco Catalyst Center Enhancements (Package part of ISO)

• Max Cluster: 5
• Catalyst Center: >2.3.6.x (LA+)
• Cisco ISE: >3.2

Connect with your Cisco Sales Representative or Channel Partner for:
• High-Level Design review

Diagram: Cisco Catalyst Center Clusters #1, #2, #3, #4 ... #N, each in the Author role.

-
Cisco SD-Access
UI/UX Enhancements
Catalyst Center: 2.3.5/7.x

• Original UI navigational architecture has been preserved and refreshed, nesting Virtual Networks and Anycast Gateways under Fabric Sites.
• Direct Navigation to SD-Access Building Blocks and Workflows

-
Visibility and Control of SD-Access
Details

▪ The configuration preview step will be made mandatory, displaying the CLI commands generated for all provisioning operations.
▪ The system provides visibility into the exact CLI commands being sent to devices for all operations.
▪ A device-specific config preview is generated rather than all config at once.
▪ The control feature allows you to submit planned fabric configurations to ITSM for approval prior to deploying them on the fabric devices.

Considerations

▪ Visibility is supported from Cisco Catalyst Center 2.3.6.x and Control from the 2.3.7.x release.
▪ Visibility is enabled by default, but it can be disabled via a toggle.
▪ There can only be one active provisioning task.

-
Visibility and Control Demo

-
Visibility and Control of SD-Access ITSM Workflow
▪ The control feature allows you to submit planned fabric configurations to ITSM for approval prior to deploying them on the fabric devices.

-
LAN Automation Enhancements

-
LAN Automation – Planning
Automation Boundary

• Supported designs (each shown with Discovery Depth = 2): 2 Tier – Collapsed Core Design, 3 Tier – Campus Design, Extended Campus Design
• Maximum Automation boundary (Discovery Depth) from Seed Device: 1 to 5 (Default: 2)*
• Supporting common hierarchical and structured Enterprise network designs

Diagram: Catalyst Center (Policy, Automation, Assurance) above the Seed devices; the Underlay Automation Boundary / LAN Automation Boundary spans the Layer 3 and Layer 2 tiers down to the PnP Agents.

* Catalyst Center: 2.3.7.x

-
LAN Automation – Planning
Multistep for Large Topologies

• Discovery Depth = 2
• Seed Device (1st Session) and Seed Device (2nd Session)
• Max simultaneous discovered devices = 50

Diagram: Catalyst Center (Policy, Automation, Assurance) reaches the Seed Device of the 1st Session over IP; a 2nd Session is started from its own Seed Device to extend the LAN Automation Boundary across the Layer 3 and Layer 2 tiers to the PnP Agents.

-
LAN Automation Enhancements

LAN Automation Enhancements 2.3.5.0
• Dedicated LAN Automation landing page
• 5 simultaneous LAN Automation sessions with one session per site
• Day N add or delete L3 links

LAN Automation Enhancements 2.3.7.0
• Workflow now supports /27, /28 and /29 LAN pools
• Deterministic loopback IP addresses (Day 0 & Day N*)

LAN Automation Enhancements 2.3.7.5
• Discovery depth level for LAN automation (Default depth = 2)
• Session Attributes
  • Session Timeout
  • Device Matching
    • Relaxed
    • Strict

-
LAN Automation – Planning
IP Pool Planning

IP Pool Type and Usage
• Main/Principal IP Pool – Mandatory: Yes; Pool Type: LAN; Usage: Temp DHCP Pool*, Loopback (/32), P2P L3 Links (/31)*, Multicast
• Link Overlapping IP Pool – Mandatory: No; Pool Type: LAN; Usage: Temp DHCP Pool, P2P L3 Links (/31)

IP Pool Allocation Logic
• Less than /21 – TEMP Pool: /23 (512 IPs); Rest of the Pool: Loopback (/32), P2P L3 Links (/31)*, Multicast
• /24 – TEMP Pool: /26 (64 IPs); Rest of the Pool: Loopback (/32), P2P L3 Links (/31)*, Multicast

* - Link Overlapping IP Pool not provided

-
LAN Automation – Planning
IP Pool Planning

IP Pool Usage Example (Recommended to use Overlapping IP Pool for P2P Links for /26 & lower)

• Allocated Pool: Main/Principal IP Pool 192.168.13.0/24
  Total Devices to Automate: 10
  No of Uplinks: 2 (one each to Primary and Secondary Seed)
  TEMP DHCP Range: First /26 (192.168.13.1 to 63)
  Loopback Range: Next /27 (192.168.13.64 to 94)
  P2P Range: Remaining IPs (192.168.13.96 to 254)
  Total IPs: 10 – Temp DHCP (released upon completion), 10 – Loopback, 40 – P2P Uplinks

• Allocated Pool: Main/Principal IP Pool 192.168.13.0/26
  Total Devices to Automate: Max 6 if no overlapping pool; Max 29 with Overlapping Pool
  No of Uplinks: 2 (one each to Primary and Secondary Seed)
  TEMP DHCP Range: First half (/27) (192.168.13.0 to 31)
  Loopback Range: Next /29 (192.168.13.32 to 36)
  P2P Range: Remaining IPs (192.168.13.40 to 63)
  Total IPs: .37 for Anycast RP

• Allocated Pool: Main/Principal IP Pool 192.168.13.0/28
  Total Devices to Automate: Max 1 if no overlapping pool; Max 5 with Overlapping Pool
  No of Uplinks: 2 (one each to Primary and Secondary Seed)
  TEMP DHCP Range: First half (/29) (192.168.13.0 to 7)
  Loopback Range: Next /31 (192.168.13.8 to 9)
  P2P Range: Next /30 (192.168.13.12 to 15)
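A worked version of the carve-up in the example above, added here as an illustration (not Cisco's or Catalyst Center's own allocation code): it takes the temp DHCP and loopback prefix lengths from the rows above as inputs, carves the pool in that order, and derives how many devices the remaining P2P /31 links can automate when no Link Overlapping IP Pool is provided. The exact product rule for other pool sizes is assumed, which is why the prefix lengths are passed in explicitly.

```python
from ipaddress import IPv4Address, IPv4Network, ip_network

# Models the allocation order shown in the example table: temp DHCP block
# first, loopback block next, everything left over for P2P /31 links.
# The temp/loopback prefix lengths come from the page's rows; the rule for
# other pool sizes is an assumption, so they are explicit parameters.
def plan_lan_pool(pool: str, temp_prefix: int, loopback_prefix: int,
                  uplinks_per_device: int = 2) -> dict:
    net = ip_network(pool, strict=True)
    temp_size = 2 ** (32 - temp_prefix)
    loop_size = 2 ** (32 - loopback_prefix)
    if temp_size + loop_size >= net.num_addresses:
        raise ValueError("pool too small for temp DHCP + loopback blocks")
    base = int(net.network_address)
    # strict=True raises if a block would start on an unaligned boundary
    temp_dhcp = IPv4Network((base, temp_prefix), strict=True)
    loopback = IPv4Network((base + temp_size, loopback_prefix), strict=True)
    p2p_first = base + temp_size + loop_size
    p2p_last = int(net.broadcast_address)      # /31 links need no broadcast
    p2p_pairs = (p2p_last - p2p_first + 1) // 2  # one /31 per L3 uplink
    # every device needs one /32 loopback and one /31 per uplink
    max_devices = min(loop_size, p2p_pairs // uplinks_per_device)
    return {
        "temp_dhcp": temp_dhcp,
        "loopback": loopback,
        "p2p_range": (str(IPv4Address(p2p_first)), str(IPv4Address(p2p_last))),
        "loopback_count": loop_size,
        "p2p_pairs": p2p_pairs,
        "max_devices": max_devices,
    }

# Addresses a rollout consumes from the main pool (temp DHCP leases are
# released on completion, so only loopbacks and P2P links persist).
def addresses_needed(devices: int, uplinks_per_device: int = 2) -> dict:
    return {"loopback": devices, "p2p": devices * uplinks_per_device * 2}

if __name__ == "__main__":
    for pool, t, l in (("192.168.13.0/24", 26, 27),
                       ("192.168.13.0/26", 27, 29),
                       ("192.168.13.0/28", 29, 31)):
        print(pool, plan_lan_pool(pool, t, l))
    print(addresses_needed(10))
```

The /26 and /28 pools come out at 6 and 1 devices without an overlapping pool, matching the table; the /24 pool is capped by its 32 loopbacks rather than by P2P links.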

-
Demo Video

-
Default Deny

-
Cisco Catalyst Center Policy
Default Permit vs Default Deny Model

Default Permit Model

Details
• Default action is Permit IP
• Restrictions should be explicitly configured with the use of Security Group Access Lists (SGACLs).
• Does not require a complete understanding of traffic flows within the network.
• Fairly easy to implement.

Cons
• More Deny Policies (SGACLs) to manage
• More TCAM resources
• Multiple policy distributions to switches

-
Cisco Catalyst Center Policy
Default Permit vs Default Deny Model

Default DENY Model

Details
• Default action is Deny IP
• Traffic should be explicitly permitted with the use of Security Group Access Lists (SGACLs).
• Requires a fair understanding of traffic flows within the network.
• Lower TCAM resource usage on switches
• Fewer Deny Policies (SGACLs) to manage

Cons
• Detailed network study prior to implementation
• Degraded wireless roaming performance until the policy is downloaded
• A fallback mechanism is needed in case Cisco ISE nodes are down

-
Cisco Catalyst Center Policy
Default Deny Automation Enhancements
Cisco Catalyst Center:

1. Use Template Editor to disable CTS role-based enforcement on AP and Extended Node VLANs.
   This is automated starting Cisco Catalyst Center release 2.3.7.6.

2. For LAN Automated devices, disable CTS role-based enforcement on L3 uplinks immediately after the links are converted from L2 to L3 interfaces.
   Automated for new LAN Automation sessions starting Cisco Catalyst Center release 2.3.7.4.

3. Disable CTS role-based enforcement on Edge Node downlinks facing SBEN.
   This is automated starting Cisco Catalyst Center release 2.3.7.6.

4. Disable CTS role-based enforcement on SBEN uplinks/downlinks connecting to Edge or SBEN.
   This is automated starting Cisco Catalyst Center release 2.3.7.6.

5. Disable CTS role-based enforcement on Edge Node downlinks facing PEN.

6. Disable CTS role-based enforcement on PEN uplinks/downlinks connecting to Edge or PEN.
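An added example (not Catalyst Center's own automation or template) of checking that the exemptions in steps 1 to 6 are in place on an existing deployment: it parses a constructed IOS XE running-config extract and reports the AP/Extended Node VLANs still listed under the global role-based enforcement vlan-list and the L3 uplinks and SBEN/PEN-facing interfaces that still lack `no cts role-based enforcement`. The VLAN numbers, interface names and descriptions are made up; which VLANs and interfaces count as exempt is supplied by the operator.

```python
import re

# Constructed running-config extract (not from a real device). Global
# enforcement is on for the AP VLAN (1021) and the Extended Node VLAN
# (1025), and the downlink to the SBEN still inherits enforcement.
SAMPLE_CONFIG = """\
cts role-based enforcement
cts role-based enforcement vlan-list 1021,1025-1026,2000
!
interface TenGigabitEthernet1/1/1
 description LAN-Auto L3 uplink to border
 no switchport
 ip address 192.168.13.96 255.255.255.254
 no cts role-based enforcement
!
interface GigabitEthernet1/0/10
 description downlink to SBEN-01
 switchport mode trunk
!
interface GigabitEthernet1/0/11
 description downlink to PEN-01
 switchport mode trunk
 no cts role-based enforcement
!
"""

def expand_vlan_list(spec: str) -> set:
    """Expand an IOS-style vlan-list such as '1021,1025-1026' into a set."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_cts_exemptions(config: str, exempt_vlans: set, exempt_ifaces: set) -> dict:
    """Return the exempt VLANs and interfaces where enforcement is still active.
    Assumes interface-level enforcement is on unless the interface block
    carries 'no cts role-based enforcement'."""
    enforced_vlans, disabled_on = set(), set()
    current = None
    for line in config.splitlines():
        m = re.match(r"cts role-based enforcement vlan-list (\S+)", line)
        if m:
            enforced_vlans = expand_vlan_list(m.group(1))
        elif line.startswith("interface "):
            current = line.split(maxsplit=1)[1]
        elif line.startswith(" no cts role-based enforcement") and current:
            disabled_on.add(current)
        elif line.startswith("!"):
            current = None
    return {
        "vlans_still_enforced": sorted(exempt_vlans & enforced_vlans),
        "interfaces_still_enforced": sorted(exempt_ifaces - disabled_on),
    }

if __name__ == "__main__":
    print(audit_cts_exemptions(SAMPLE_CONFIG, {1021, 1025},
                               {"TenGigabitEthernet1/1/1", "GigabitEthernet1/0/10",
                                "GigabitEthernet1/0/11"}))
```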

-
Cisco Catalyst Center Policy
Default Deny Automation Enhancements

Existing Deployments of EN/PEN/SBEN

-
SD-Access ISSU Support

-
In-Service Software Upgrade
Catalyst Center Release: 2.3.7.9
Target: JAN 2025

Support in SD-Access LISP Fabric

• Considerations
  ✓ Device model matches C9404R, C9407R, C9410R with dual sup
  ✓ Fabric role: Edge Node (EN) only
  ✓ IOS XE Version: 17.15.1
  ✓ Source and Destination images part of the supported ISSU matrix

ISSU at Fabric Edge

-
WGB support on Cisco SD-Access

-
WGB support on SD-Access

Intro
▪ A workgroup bridge (WGB) is a Cisco access point that is configured to act as a wireless client towards the wireless infrastructure, and to provide Layer 2 connectivity for the devices connected to its Ethernet interface.

Use Case
▪ WGB support in SD-Access allows the extension of the fabric connectivity to remote sites where fabric EN/EX/PEN can't be deployed.

Details
▪ Supported from the Cisco Catalyst Center 2.3.7.x release.
▪ The WGB/Fabric wireless should be running Cisco IOS XE 17.12.1 and upwards.
▪ The WGB associates with a fabric SSID, extending the fabric network to the Ethernet ports of the WGB.
▪ The endpoints behind the WGB are in the same Layer 2 extension as the WGB itself.
▪ The WGB can associate with an open/PSK and dot1x-based SSID.
▪ The WGB can act as an authenticator and speak the RADIUS protocol to allow endpoints on its Ethernet ports to be authenticated.

Diagram: Cisco ISE reached over RADIUS from the WLC; the SD-Access Fabric extends through a fabric AP to the WGB, with endpoints behind an L2 unmanaged switch on the WGB's Ethernet port.

-
WGB support on SD-Access
Considerations

▪ The endpoints behind the WGB get the same policy attributes as the WGB, such as the VNID/SGT.
▪ The WGB communicates using EAP with endpoints and RADIUS with the AAA server, and there is no provision to modify the timers for these protocols.
▪ Ensure that the latency between the WGB and the RADIUS server is within acceptable limits to avoid triggering re-transmissions.
▪ WGB configurations are not automated by the Cisco Catalyst Center; the configuration needs to be manually provisioned using the CLI.
▪ The fabric SSID needs to be enabled for CCX Aironet for the WGB to associate. The CCX attribute can be automated with the Cisco Catalyst Center using the model config generator.
▪ No support for wireless endpoints behind the WGB.

Diagram: two RADIUS flows to Cisco ISE: WGB authentication (WLC as authenticator, WGB joined via the Fabric AP) and WGB endpoint authentication (WGB as authenticator for endpoints on the L2 unmanaged switch).

-
Mesh support on Cisco SD-Access

-
Mesh support on SD-Access

Use Case
▪ To support Mesh deployment on the Software-Defined Access fabric, enabling the extension of the fabric's SSID from indoor to outdoor environments
▪ Maintain segmentation on the mesh network

Details
▪ Supported from the Cisco Catalyst Center 2.3.7.x release.
▪ The Fabric wireless network should be running Cisco IOS XE 17.12.1 and upwards.
▪ Fully automated workflow using the Cisco Catalyst Center
▪ The wireless endpoints connected to the RAP or the MAP receive the same segmentation as when connected to a fabric SSID on a fabric AP.
▪ MAP and RAP are in bridge mode but get classified as fabric APs, very similar to the local mode AP.

Platforms
▪ WLC: All hardware and virtual form factors of the C9800 series. Embedded Wireless on Catalyst 9000 switches is not supported.
▪ AP: Wave2 and Catalyst Access Points that are compatible with mesh functionality.

Diagram: WLC and RADIUS server above the SD-Access Fabric; RAPs attached to the fabric, MAPs joined to the RAPs over the mesh backhaul.

-
Mesh support on SD-Access
Details

▪ MAP and RAP establish a CAPWAP session with the Wireless LAN Controller and use the regular CAPWAP discovery methods.
▪ The wireless endpoints can be associated to the MAP and RAP and are supported for seamless roaming across the MAP and RAP.
▪ The RAP and MAP have an Access-Tunnel (VXLAN) established to the respective fabric edge.
▪ The MAP creates a tunnel to the fabric edge where the parent RAP is attached.
▪ MAP and the fabric edge have Layer 2 connectivity; traffic from a wireless endpoint gets converted from 802.11 to 802.3 and goes through VXLAN encapsulation destined to the fabric edge.

Diagram: RAP and MAPs each with a CAPWAP session to the WLC and an Access-Tunnel to the fabric edge.

-
Roaming support for MAP

Diagram: seamless roaming for a MAP between RAP1 and RAP2 attached to the same fabric edge; seamless roaming not supported across FEs (RAP1 and RAP2 on different fabric edges).

Roaming
▪ In a mesh network a RAP is uplinked to a fabric edge directly or through an EN/PEN node.
▪ A MAP gets attached to a network using the backhaul radio network of a parent RAP/MAP. Seamless roaming is supported across MAP/RAP for wireless endpoints.
▪ A MAP can roam if it finds a better parent node, which could either be a MAP or a RAP.
▪ A MAP operating in fabric mode can only roam across RAP/MAP if it is attached to the same parent fabric edge node.
▪ MAP roaming to another MAP/RAP attached to a different fabric edge is not supported.
▪ A wireless client can roam across RAP/MAP on different fabric edges.

-
Complete Your Session Evaluations

Complete a minimum of 4 session surveys and the Overall Event Survey to claim a Cisco Live T-Shirt.

Complete your surveys in the Cisco Live mobile app.

-
Continue your education

• Visit the Cisco Stand for related demos
• Book your one-on-one Meet the Expert meeting
• Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
• Visit the On-Demand Library for more sessions at www.CiscoLive.com/on-demand

-
Thank you
