SDN, SD-WAN, & SD-Access Simplified... Seriously!

00:04

hey welcome back to the channel

00:06

everybody this is kevin and in this

00:07

week's video we want to talk about this

00:09

term that you may have heard software

00:11

defined

00:12

we have a software-defined networking

00:15

software-defined wan software-defined

00:17

access what's up with all these

00:19

software-defined technologies what do

00:21

they do for us and what pieces and parts

00:23

make up a cisco solution that's what

00:26

we're going to talk about in this week's

00:27

video and as always if you enjoy this

00:29

content please do me a huge favor and

00:31

click the like button down below and

00:33

subscribe so you don't miss any of our

00:35

weekly content now let's begin our

00:37

software-defined journey by taking a

00:38

look first at software defined at

00:40

networking or sdn and i want us to

00:43

consider some traditional networking

00:44

devices like routers and switches they

00:47

have three different planes of operation

00:49

they have the data plane which is

00:51

concerned with getting a frame or a

00:53

packet in one interface and out of the

00:55

egress interface as quickly as possible

00:58

the control plane that's where our

01:00

algorithms run for example a router is

01:02

going to run ospf at this plane the

01:04

switch might run a spanning tree

01:06

protocol of this plane

01:08

these are the planes that populate the

01:10

tables that will be used to forward data

01:12

by the data plane and when we as

01:14

administrators go to configure a router

01:16

or switch we're interfacing with the

01:19

management plane perhaps we secure shell

01:22

into a switch to do some configuration

01:24

we're coming in on the management plane

01:27

now let's take a look at software

01:28

defined networking and see how this can

01:30

radically shift our perspective of how

01:32

we manage our devices day-to-day the

01:35

model that we just described is known as

01:37

a distributed control plane meaning

01:40

that the control planes of these devices

01:42

are distributed in the devices in other

01:44

words each device has its own control

01:46

plane

01:47

however with an sdn controller or a

01:50

software-defined networking controller

01:52

what we can do in some cases is take

01:55

those control planes on those individual

01:57

devices and have them run inside of the

02:00

sdn controller so that appliance is in

02:03

charge of running all of those

02:05

algorithms and the configuration and any

02:07

update information is going to be pushed

02:09

down from the sdn controller down to

02:11

those devices and that communication is

02:14

using something called an api that's an

02:16

application programming interface and we

02:19

typically say that the api going from

02:22

the controller down to the device is a

02:25

southbound interface consider a compass

02:28

south is usually down

02:30

and when we draw out an sdn network we

02:32

typically draw the devices being managed

02:35

below the sdn controller so we're going

02:39

down to those devices and these apis are

02:42

therefore called southbound interfaces

02:44

or sbi for short

02:46

and now that we've got our control

02:48

planes centralized in that sdn

02:50

controller we've now migrated from a

02:53

distributed control plane to a

02:55

centralized control plane now when i say

02:57

we have an api running between the

02:59

controller and the device what's an

03:02

example of that well there's an industry

03:04

standard called openflow cisco has their

03:07

own proprietary version called opflex

03:09

but those are a couple of examples of

03:11

southbound interfaces and the advantage

03:13

that we as administrators get from this

03:16

is we can do what is called intent based

03:19

networking we can express our intent

03:22

such as i want to treat video traffic

03:25

this way and i want to treat voice

03:26

traffic this way and i want to give this

03:28

application this level of security and

03:30

this level of quality of service

03:32

and the way we express our intent is not

03:35

by going to each device and entering

03:37

correct commands on each device we

03:39

express our intent through an

03:40

application and this application is

03:42

going to talk to the controller using an

03:45

nbi a northbound interface because the

03:48

applications we draw that above the sdn

03:51

controller or north of the controller

03:53

so these are going to be called nbis

03:55

northbound interfaces

03:57

and here we're not talking about op flex

03:59

or open flow we're using something

04:01

called rest apis and rest stands for

04:05

representational state transfer what

04:07

does that mean exactly it means we're

04:09

using http verbs like you would use when

04:13

interacting with a web page to send

04:16

information to the controller our intent

04:18

and to retrieve information from the

04:20

controller so we can see for example the

04:22

status of a router and this information

04:24

being sent using these http verbs needs

04:27

to be formatted in a certain way and one

04:29

of the popular formats is json json that

04:33

stands for javascript object notation

04:36

and this is a fairly generic look at how

04:38

sdn works but let's talk cisco specific

04:41

solutions sometimes a cisco sdn

04:43

controller is not going to use a

04:45

centralized control plane it very well

04:47

may leave the control planes in the

04:49

devices it just kind of depends on how

04:51

things are set up so it's not always

04:53

going to be a centralized control plane

04:55

but when we say sdn controller what are

04:58

we talking about in the cisco world well

05:00

it varies are we talking about the data

05:02

center or are we talking about the

05:04

enterprise network in the data center

05:06

i'd like you to know that the sdn

05:08

controller of choice is the cisco apic

05:11

that's the application policy

05:13

infrastructure controller that's part of

05:15

cisco's aci or application centric

05:18

infrastructure that they have for data

05:20

centers but in the enterprise instead of

05:23

using a cisco apic which is going to be

05:25

talking typically to nexus devices we're

05:28

going to use cisco dna center where dna

05:30

stands for digital network architecture

05:32

this allows us to do that intent based

05:35

networking that i was talking about and

05:36

is a few examples of what cisco dna

05:38

center can do we can use it to design

05:41

our network we can draw topologies we

05:43

can pre-configure our devices such that

05:46

they can be plugged in and they'll

05:49

automatically download their

05:50

configuration in other words we can

05:52

pre-provision them we can do our

05:54

day-to-day configuration using cisco dna

05:56

center it's great for troubleshooting

05:59

and monitoring what's going on and when

06:01

we talk about troubleshooting this is

06:02

not just a typical help interface the

06:05

troubleshooting is going to be proactive

06:07

it's going to watch for things and it's

06:09

going to tell you about things that it

06:10

noticed and it's going to give you

06:11

recommended remediation steps and this

06:14

troubleshooting intelligence comes from

06:16

cisco tech engineers who have seen these

06:18

issues as part of their job

06:20

so this is like a knowledge base of

06:22

cisco tack built into cisco dna center

06:25

and you also hear that cisco dna center

06:28

gives you platform support what we mean

06:30

by platform support is we can write

06:32

applications to talk to cisco dna center

06:36

now cisco dna center it has a beautiful

06:38

gui interface we can go in and use and

06:40

we can do a lot from that interface but

06:43

we don't have to do everything or

06:44

anything from that interface we can do

06:46

everything programmatically we can write

06:48

applications maybe using python maybe

06:51

modify somebody else's application for

06:53

our environment and we can run that

06:56

application and it's going to send

06:57

instructions to the apis known to cisco

07:00

dna center to do any of these functions

07:03

and that's an overview of sdn

07:05

software-defined networking our next

07:08

technology is software-defined wan or

07:10

software-defined wide area networks but

07:12

before we jump into that sd-wan

07:14

discussion i want to tell you about a

07:16

way to taste test for free

07:19

some of our courses here's a challenge

07:21

that many students have they're not sure

07:23

which track they want to go down is it

07:25

security is it enterprise one of my

07:28

favorites is collaboration well here you

07:30

can taste test some of these different

07:32

topics specifically you can check out

07:34

the first module in any of these courses

07:37

you might want to start at ccna or if

07:38

you've already got your ccna you can

07:40

taste test the core content for

07:43

enterprise security collaboration

07:46

if you've already completed your core

07:48

training in security or enterprise you

07:50

can take the next step take a narci for

07:52

enterprise or sncf for security or if

07:56

you don't want to stay cisco specific

07:57

you may want to check out our newest

07:59

course which is professional ethical

08:01

hacking that gets you ready for version

08:04

11 of the certified ethical hacker exam

08:07

which by the way is currently listed as

08:09

the fifth most in-demand certification

08:11

to have above any cisco certification

08:14

because of the incredible demand for

08:16

cyber security professionals or you may

08:18

want to check out the new version of

08:20

comptia's network plus certification if

08:22

you're just getting into networking but

08:24

again you can sign up to go through the

08:25

first module in any or all of these

08:28

courses for free

08:29

just go to kw train dot com slash course

08:32

hyphen samples again that's kwtrain.com

08:36

course hyphen samples and taste test any

08:39

or all of these training courses now

08:41

let's take a look at sd-wan which stands

08:44

for software-defined wide area network

08:46

and to understand the benefits of sd-wan

08:48

let's first consider a traditional win

08:51

in a traditional land we had our remote

08:54

sites that connected to our central site

08:56

maybe there was a data center at that

08:58

central side and we could use a variety

09:00

of wan technologies to do that here is a

09:02

couple of examples we have mpls or metro

09:05

ethernet and because we were going over

09:07

a single circuit from one site to

09:09

another site we had very predictable

09:11

performance we could configure security

09:14

on those endpoint routers a disadvantage

09:17

though is if we wanted to go out to the

09:19

internet we might be forced to go

09:21

through that hq location or perhaps we

09:23

had to do backhauling maybe we had to go

09:25

to the data center to have a security

09:27

check done and then we could come back

09:30

to our remote site and then go out over

09:32

our internet connection that's not

09:34

terribly efficient with software-defined

09:36

wide area networking we make the

09:38

observation that a lot of applications

09:40

are migrating to the cloud we've got

09:42

amazon's cloud aws amazon web services

09:46

microsoft azure we've got google cloud

09:48

microsoft office is available in the

09:50

cloud dropbox and on and on and on and

09:53

the thing is these applications that are

09:55

cloud-based they can give us security

09:58

and quality service and a predictable

10:00

performance experience we don't need to

10:02

do any backhauling back to the

10:03

headquarters if we have a remote site

10:06

and it wants to go out to the internet

10:07

it can go straight out to the internet

10:10

and the thing i want you to understand

10:11

here is that we might have a variety of

10:14

technologies that are interconnecting

10:15

all of our sites here i've got just

10:17

three sites but things could get much

10:19

more complicated in larger enterprises

10:22

for example consider this topology with

10:25

a few different locations and you see

10:27

how these devices are physically

10:29

interconnected this is what we call the

10:31

underlay network or we might refer to

10:33

this as the physical infrastructure this

10:35

is how our devices are physically

10:37

interconnected but with sd-wan we can

10:40

define our topology in other words we

10:42

can define our wide area network

10:44

connections perhaps i want a connection

10:46

from the upper left office to the lower

10:48

right office and a connection from the

10:50

lower left office to that upper right

10:52

data center and i'm not sure what the

10:54

performance is going to be because i'm

10:56

not sure which path i'm going to take

10:57

well what we can do with sd-wan

10:59

is put a virtual topology on top of that

11:03

physical topology this is called our

11:05

sd-wan overlay network this is our

11:07

virtual infrastructure where logically

11:10

from the perspective of these routers it

11:12

looks like they have a connection from

11:14

their site to the next top which is the

11:16

other site now in reality they may be

11:18

going through multiple other routers in

11:20

between but it doesn't look like that to

11:22

them because what's happening here is we

11:24

have virtual secured tunnels that are

11:27

set up through the wan and we're not

11:29

going from router to router and

11:30

configuring things individually that's

11:32

one of the big advantages those control

11:34

plane functions we were talking about

11:36

they no longer have to reside in the

11:38

routers they can be done inside of our

11:39

sd-wane controller and we can have a

11:42

wide variety of physical wan connections

11:44

everything from cellular to metro

11:47

ethernet or cable modem or mpls and the

11:49

list goes on and on and as long as we

11:51

educate our sd-wan controller about

11:53

those technologies it will take care of

11:55

it it will send out appropriate

11:56

configuration commands to our routers it

11:59

knows what's available on those routers

12:01

and it's going to give us that security

12:03

and quality of service and predictable

12:05

performance that we had with those

12:07

traditional point-to-point win

12:08

connections and again let's talk cisco

12:11

specific solutions cisco acquired a

12:14

company called viptela back in 2017.

12:17

it's this viptela technology that cisco

12:19

is using for their sd-wan solution and

12:22

we can break down the functions and uh

12:24

components in cisco's sd-wan solution

12:27

into a few different layers of operation

12:28

let's consider those layers we've got

12:30

the data plane the control plane and the

12:32

management and orchestration planes

12:34

they're so similar we'll just group them

12:36

together let's talk about some of the

12:37

pieces and parts that live at these

12:39

different planes of operation

12:41

first is vmanage up at the management

12:43

and orchestration plane this is our

12:45

interface to do the configuration in

12:48

fact i'll take you out live to a vmanage

12:50

interface in a few moments and you'll

12:52

see what it looks like and i'll give you

12:53

a link where you can go explore on your

12:55

own another sd-wan component living at

12:58

this layer is v-bond and the job of

13:01

v-bond is to understand how the network

13:04

is physically constructed and to figure

13:06

out how all of these different

13:08

interconnected components can work

13:10

together and vbond also lets us do

13:12

something called zero touch provisioning

13:14

in other words we can completely

13:16

provision or pre-configure a device

13:18

before it ever arrives at one of our

13:20

sites let's say a new router is shipped

13:23

to one of our remote sites somebody

13:25

plugs it in and it's going to phone home

13:28

basically it's going to go up to a cisco

13:30

site provide its serial number be given

13:32

a certificate and it's going to be told

13:34

the ip address for vmanage and a control

13:37

plane device we'll talk about in a

13:38

moment called v smart in fact let's go

13:40

ahead and talk about that device v smart

13:42

down at the control plane v smart as we

13:45

see here does a policy enforcement so

13:47

after we create a policy v-smart is in

13:50

charge of enforcing that policy and

13:53

sending those policies out to other

13:55

sd-wan devices and route information

13:58

from remote sites that's received using

14:00

a protocol called omp the overlay

14:03

management protocol because we're

14:04

dealing with an overlay network and here

14:06

we are doing that centralized control

14:08

plane that we talked about earlier and

14:10

if you're a star trek fan you might

14:11

relate this to the borg where they have

14:14

one mind the collective they call it

14:17

that's kind of what's going on here the

14:19

control plane is a lot like the borg

14:21

collective it is the mind if you will

14:23

for all of the different components

14:25

making up our sd-wan and finally down at

14:27

the data plane we have the edge routers

14:30

themselves and these are responsible for

14:32

doing the forwarding of our traffic and

14:33

these edge routers they could be

14:35

physical routers or they could be

14:36

virtual routers and now that we've seen

14:38

these pieces in parts let's take a look

14:40

at how this might be implemented in the

14:42

real world here we see a sample topology

14:44

with a main campus location we've got a

14:46

couple of branch locations we've got a

14:47

physical data center we've got a cloud

14:49

data center and they're all connected

14:51

using a variety of wan technologies but

14:53

remember sd-wan is an overlay technology

14:56

so the underlying physical

14:58

infrastructure that is transparent to

15:00

the traffic flowing over our overlay

15:02

network and at each of these locations

15:04

we have a cisco v-edge router and these

15:08

routers are going to securely talk to

15:10

one another over dynamically formed

15:13

ipsec tunnels and this is going to make

15:15

up our data plane that we talked about a

15:17

moment ago and also remember the control

15:19

elements that we discussed where we had

15:22

cisco's vmanage v-bond v-smart we would

15:26

form a connection between each of these

15:28

control elements and each of these edge

15:31

routers we're going to use those control

15:33

elements for the provisioning and

15:35

configuration of those edge devices and

15:38

also i mentioned that these routers

15:39

could be physical or they could be

15:41

virtual well cisco's v edge routers are

15:44

physical routers and they're running

15:46

viptela's operating system we could also

15:48

use some models of isr or integrated

15:50

services routers or asrs aggregation

15:54

service routers and the software or the

15:56

virtual routers include cisco's cloud

15:59

services router the csr 1000v or a v

16:02

edge cloud router again running

16:04

viptela's operating system and that's a

16:06

look at how cisco provides an sd-wan

16:09

solution based on their viptela

16:10

acquisition but i promise to go out and

16:12

show you v-manage let's take a look at

16:14

that now here we're sitting at a

16:16

v-manage interface and cisco makes this

16:18

available to us for free to go explore

16:21

it's part of their d cloud service now

16:23

this is read only we're not going to be

16:24

able to go in and reconfigure anything

16:26

but if you just want to go in and

16:28

explore you can go to cisco.com

16:31

go slash sd-wan demos then you'll select

16:34

live demo and you'll be given

16:35

instructions as to how to log into this

16:37

v-managed console looks like we've got a

16:39

couple of v-smart devices we've got

16:41

eight wan edge routers got a couple of

16:44

v-bond devices we've got one instance of

16:47

vmanage which we're on now and we can go

16:49

in and check out some of the different

16:50

tools monitoring options that we have

16:52

available and that's an overview of

16:54

cisco's sd-wan solution next up let's

16:57

consider sd access

17:00

and we could at this high level loosely

17:02

consider sd access

17:04

as an advancement or a replacement for

17:07

traditional access control lists let's

17:09

take a look at some of its features

17:11

cisco tells us that sd access is the

17:14

next generation in policy enforcement

17:16

instead of having individual access

17:18

control lists that say this ip address

17:21

can go to this other ip address using

17:23

this tcp port number here we're going to

17:25

use security group acls so here rather

17:29

than identifying someone based on the ip

17:32

address they're using at the moment it's

17:34

based on their identity and their

17:36

identity is going to be defined on a

17:38

device called cisco ice the identity

17:41

services engine and like our other

17:43

software-defined technologies we're

17:45

going to be virtualizing the physical

17:47

network in fact we can have multiple

17:49

virtual networks all using the same

17:51

physical network and we can give

17:53

different virtual networks different

17:54

policies even though they're sharing the

17:56

same physical network that would be much

17:58

more of a challenge to do with

17:59

traditional acls in fact let's consider

18:02

a basic example of using a traditional

18:05

acl where we are manually configuring

18:07

access control for example let's say

18:08

that we have an access control list that

18:10

says we want to permit pc1 which has an

18:13

ip address of 192.168.1.100

18:17

we want to permit that ip address to go

18:19

to the server which has an ip address of

18:23

192.0.2.3 we want it to go to that

18:25

server using a tcp port 443 the secure

18:29

http port and with that acl in place on

18:32

router r1 that traffic is going to be

18:34

allowed no problem but what if that user

18:37

takes their pc or maybe it's a laptop

18:39

they take it somewhere else in the

18:41

building or in the enterprise they're

18:42

suddenly connected to a different subnet

18:44

and they've got a different ip address

18:46

here the ip address is 203.0.113.125.

18:51

there's no acl that says that's going to

18:53

be permitted and they're going to be

18:55

denied access to the server when that

18:57

user should have access to the server

18:59

can you see with today's more mobile

19:01

workforce it's going to be harder and

19:04

harder to limit or grant access to

19:07

resources based on acls instead

19:10

enter sd access with a software defined

19:13

access we're going to have security

19:16

groups and let's pretend we have a

19:17

security group called it and it has a

19:20

couple of members kevin and charles and

19:22

the identity of each member that's going

19:24

to be defined on a device called cisco

19:27

ice the identity services engine and

19:29

here instead of having a regular acl

19:31

that says permit this ip address to go

19:33

to the https port on the server here we

19:36

have a security group acl which says

19:39

permit the it security group to go to

19:42

that server on that port so here i've

19:44

logged into pc1 with my identity of

19:47

kevin and that's a member of the it

19:50

group and that is permitted to get to

19:52

the server and if i move my device to

19:54

another location i'm still kevin i can

19:56

still connect with my identity so

19:59

regardless of where i am in the network

20:01

i still have permission to get to the

20:02

server now let's take a look at some of

20:04

the pieces and parts making up a cisco

20:07

sd access solution and again we'll break

20:09

this into different layers beginning

20:11

down at the bottom the physical layer

20:13

and the physical layer is made up of our

20:15

actual infrastructure devices here we

20:17

might have things like routers and

20:18

switches wireless line controllers up at

20:21

the network layer we have both the

20:23

physical underlay network and the

20:25

virtualized network that lies on top of

20:27

the underlay network the sd access

20:29

overlay network this is sometimes

20:31

referred to as our virtual fabric if we

20:34

move up to the controller layer we see

20:36

cisco dna center which is going to be

20:38

sending instructions using those

20:40

southbound apis out to our devices

20:42

that's going to live at the controller

20:44

layer as well as cisco ice that's

20:47

granting permission for different

20:49

identities

20:50

and our interface to manage all this is

20:52

going to be done through the gui of

20:55

cisco dna center that's up at the

20:57

management layer and after going through

20:58

this video i hope you have a better

21:00

sense for what these sd technologies are

21:02

all about sdn sd-wan sd access and as we

21:06

wrap up i just want to remind you again

21:08

about the opportunity you have to taste

21:11

test any of these courses specifically

21:14

you can go through the first module of

21:16

any of these courses for free and see if

21:18

it's for you all you have to do is go to

21:20

kwtrain.com

21:22

course hyphen samples thanks for joining

21:24

me and we'll see you next time

21:27

[Music]

21:37

you