SDN, SD-WAN, & SD-Access Simplified... Seriously!
Summary
TLDR: In this informative video, Kevin delves into the realm of software-defined technologies, explaining the concepts of SDN, SD-WAN, and SD-Access. He clarifies how traditional networking devices operate and how SDN centralizes control planes with SDN controllers, enabling intent-based networking. The video explores Cisco's specific solutions like ACI and DNA Center, and how SD-WAN simplifies WAN management with an overlay network. Kevin also introduces SD-Access as an advanced policy enforcement mechanism that replaces traditional ACLs with identity-based access, enhancing security and mobility in networks.
Takeaways
- 🌐 Software-Defined Networking (SDN) centralizes control planes in a controller, allowing for centralized management and intent-based networking.
- 🔄 Traditional networking devices have three planes of operation: data, control, and management, while SDN shifts to a centralized control plane with APIs for device communication.
- 📡 SDN uses southbound interfaces (SBIs) like OpenFlow or Cisco's OpFlex for communication between the controller and network devices.
- 📚 Intent-based networking allows administrators to express their networking intent through applications, which communicate with the controller via northbound interfaces (NBIs).
- 🔍 Cisco's Application Policy Infrastructure Controller (APIC) is used for data center SDN solutions, while Cisco DNA Center is used for enterprise networks.
- 🌐 Software-Defined Wide Area Networks (SD-WAN) provide an overlay network on top of the physical infrastructure, simplifying the management of WAN connections.
- 🛠️ SD-WAN allows for direct internet access from remote sites without the need for backhauling to a central location, improving efficiency.
- 🔄 Cisco's SD-WAN solution is based on the Viptela technology they acquired, incorporating components like vManage, vBond, and vSmart for management and control.
- 🔒 SD-WAN supports various WAN technologies and dynamically forms IPSec tunnels for secure traffic forwarding between edge routers.
- 📝 Software-Defined Access (SD-Access) moves beyond traditional ACLs to policy enforcement based on user identity, facilitated by Cisco's Identity Services Engine (ISE).
- 🔑 SD-Access enables the creation of security group ACLs that grant access based on user identity, allowing consistent access regardless of device location within the network.
Q & A
What is meant by the term 'software-defined' in the context of networking?
- 'Software-defined' refers to the concept of using software-based controllers or APIs to manage and control hardware devices, such as routers and switches. This approach allows for more flexible, efficient, and scalable network management.
What are the three planes of operation in traditional networking devices?
- The three planes of operation are the data plane, the control plane, and the management plane. The data plane handles the forwarding of packets, the control plane runs algorithms for routing and switching, and the management plane is used for device configuration and management.
How does Software-Defined Networking (SDN) change the traditional networking model?
- SDN centralizes the control plane by using an SDN controller, which runs the control plane algorithms and manages device configurations through APIs. This contrasts with the traditional distributed control plane model where each device has its own control plane.
What is a southbound interface (SBI) in SDN?
- A southbound interface (SBI) is an API used for communication from the SDN controller to the network devices it manages. Examples include OpenFlow and Cisco's proprietary OpFlex.
What is intent-based networking in the context of SDN?
- Intent-based networking allows administrators to specify high-level business goals or 'intents' (such as performance or security requirements) rather than configuring individual devices. The SDN controller translates these intents into device-specific configurations.
What is Cisco's SDN controller for data centers called?
- Cisco's SDN controller for data centers is called the Cisco APIC (Application Policy Infrastructure Controller), which is part of Cisco's ACI (Application Centric Infrastructure).
What are some features of Cisco DNA Center?
- Cisco DNA Center can design network topologies, pre-provision devices, handle day-to-day configurations, monitor network performance, and provide proactive troubleshooting with recommendations based on Cisco TAC knowledge.
What is Software-Defined WAN (SD-WAN) and what benefits does it offer?
- SD-WAN is a technology that uses software-based controllers to manage WAN connections. Benefits include improved cloud application performance, reduced need for backhauling traffic, and the ability to use a variety of WAN technologies with centralized control.
How does Cisco implement SD-WAN?
- Cisco's SD-WAN solution is based on technology from their acquisition of Viptela. It includes components such as vManage for management, vBond for orchestration, and vSmart for control, with edge routers forming secure tunnels for data transport.
What is Software-Defined Access (SD-Access) and how does it enhance traditional access control?
- SD-Access uses identity-based security group ACLs instead of traditional IP-based ACLs. This allows for consistent access policies regardless of device location. It relies on Cisco ISE (Identity Services Engine) for defining identities and policies.
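The roaming scenario from the video (PC1 at 192.168.1.100 reaching the server 192.0.2.3 on TCP/443, then moving to 203.0.113.125) modelled as a small policy evaluator. This is an added example, not code from the video or from Cisco: the IP ACL semantics, the security group table and the user-to-group bindings (which Cisco ISE would supply in a real SD-Access fabric) are all constructed sample data.

```python
"""Traditional IP ACL vs. identity-based security group ACL (SGACL).

Added example, not from the video. Models why an IP-based ACL breaks when a
user roams to a new subnet, while an SGACL keyed on the user's security group
keeps permitting the same access. Group bindings are constructed sample data
standing in for what Cisco ISE provides at login."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One connection attempt as seen by the enforcement point."""
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    user: Optional[str] = None  # identity bound to the session at login


@dataclass(frozen=True)
class IpAce:
    """One entry of a traditional IP ACL (IPv4 CIDR matching)."""
    action: str                      # "permit" or "deny"
    src: str                         # source network, CIDR
    dst: str                         # destination network, CIDR
    proto: str                       # "tcp", "udp" or "ip" (any protocol)
    dst_port: Optional[int] = None   # None matches any destination port


def evaluate_ip_acl(acl: List[IpAce], flow: Flow) -> str:
    """First matching entry wins; an implicit deny ends every router ACL."""
    for ace in acl:
        if ip_address(flow.src_ip) not in ip_network(ace.src):
            continue
        if ip_address(flow.dst_ip) not in ip_network(ace.dst):
            continue
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if ace.dst_port is not None and ace.dst_port != flow.dst_port:
            continue
        return ace.action
    return "deny"


# Identity-to-group and server-to-group bindings (constructed sample data).
# In SD-Access the user's group comes from Cisco ISE at authentication time
# and servers get a static group mapping; no IP address of the user is needed.
USER_GROUP: Dict[str, str] = {"kevin": "IT", "charles": "IT", "visitor": "Guests"}
SERVER_GROUP: Dict[str, str] = {"192.0.2.3": "Servers"}

# Security group ACL: (source group, destination group) -> rules as
# (proto, dst_port or None for any, action).
SGACL: Dict[Tuple[str, str], List[Tuple[str, Optional[int], str]]] = {
    ("IT", "Servers"): [("tcp", 443, "permit")],
    ("Guests", "Servers"): [("ip", None, "deny")],
}


def evaluate_sgacl(flow: Flow) -> str:
    """Resolve both endpoints to groups, then apply the matching SGACL cell.
    Unknown identities, unknown destinations and unmatched ports are denied."""
    src_group = USER_GROUP.get(flow.user or "")
    dst_group = SERVER_GROUP.get(flow.dst_ip)
    if src_group is None or dst_group is None:
        return "deny"
    for proto, port, action in SGACL.get((src_group, dst_group), []):
        if proto != "ip" and proto != flow.proto:
            continue
        if port is not None and port != flow.dst_port:
            continue
        return action
    return "deny"


def roaming_comparison() -> Dict[str, str]:
    """Replay the video's scenario: Kevin on PC1 reaches the server over HTTPS,
    then plugs in elsewhere and receives a new address."""
    r1_acl = [IpAce("permit", "192.168.1.100/32", "192.0.2.3/32", "tcp", 443)]
    at_desk = Flow("192.168.1.100", "192.0.2.3", "tcp", 443, user="kevin")
    roamed = Flow("203.0.113.125", "192.0.2.3", "tcp", 443, user="kevin")
    guest = Flow("203.0.113.77", "192.0.2.3", "tcp", 443, user="visitor")
    return {
        "ip_acl_at_desk": evaluate_ip_acl(r1_acl, at_desk),  # permit
        "ip_acl_roamed": evaluate_ip_acl(r1_acl, roamed),    # deny: no ACE for new IP
        "sgacl_at_desk": evaluate_sgacl(at_desk),            # permit
        "sgacl_roamed": evaluate_sgacl(roamed),              # permit: still "kevin"
        "sgacl_guest": evaluate_sgacl(guest),                # deny: Guests cell
    }


if __name__ == "__main__":
    for name, verdict in roaming_comparison().items():
        print(f"{name:16} {verdict}")
```

The identity-based path also denies an IT member using a port the SGACL does not list, which is the check a practitioner should add when porting real ACLs to group policy.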
Outlines
📚 Introduction to Software-Defined Technologies
Kevin welcomes viewers and introduces the concept of software-defined technologies, including networking, WAN, and access. He explains the traditional networking devices' planes of operation: data, control, and management. He highlights the shift from distributed to centralized control planes using an SDN controller and APIs, specifically southbound interfaces like OpenFlow and OpFlex.
🏢 Cisco's SDN Solutions for Data Centers and Enterprises
Kevin differentiates between Cisco's SDN solutions for data centers and enterprise networks. In data centers, Cisco uses the Application Policy Infrastructure Controller (APIC) as part of the Application Centric Infrastructure (ACI). For enterprise networks, Cisco DNA Center enables intent-based networking, offering features like network design, troubleshooting, and proactive monitoring, leveraging Cisco's TAC knowledge base.
🌐 Introduction to Software-Defined WAN (SD-WAN)
Kevin transitions to discussing SD-WAN, explaining traditional WAN's limitations and the benefits of SD-WAN in optimizing cloud application performance. He describes the virtual topology of SD-WAN, enabling secure, quality connections across various physical WAN technologies, and mentions Cisco's SD-WAN solution based on Viptela technology.
🧠 SD-WAN Components and Control Layers
Kevin elaborates on Cisco's SD-WAN solution's components: vManage, vBond, and vSmart, detailing their roles in management, orchestration, policy enforcement, and control. He draws a parallel to the Borg collective from Star Trek, emphasizing the centralized control plane. The data plane consists of edge routers, which can be physical or virtual, handling traffic forwarding.
🔍 Exploring Cisco's vManage Interface
Kevin provides a live look at Cisco's vManage interface available through Cisco's dCloud service, showcasing its tools and monitoring options. He concludes the segment by explaining SD-Access as an evolution of traditional access control lists, introducing security group ACLs based on user identities managed by Cisco Identity Services Engine (ISE).
🔧 Layers and Components of Cisco SD-Access
Kevin breaks down Cisco SD-Access into layers: physical infrastructure, virtualized network, controller (including DNA Center and ISE), and management. He emphasizes the virtual fabric overlay network and how policies are enforced through these layers. He wraps up by inviting viewers to explore free course modules on various topics.
Keywords
💡Software-Defined Networking (SDN)
💡Control Plane
💡Southbound Interface (SBI)
💡Northbound Interface (NBI)
💡Cisco DNA Center
💡Intent-Based Networking
💡Cisco SD-WAN
💡Viptela
💡Overlay Network
💡Application Policy Infrastructure Controller (APIC)
Highlights
Introduction to software-defined technologies like SDN, SD-WAN, and SD-Access and their roles in modern networking.
Explanation of the traditional networking model with distributed control planes in devices such as routers and switches.
Introduction to Software-Defined Networking (SDN) and the shift from distributed control planes to centralized control planes using an SDN controller.
Description of southbound interfaces (SBIs) and northbound interfaces (NBIs) in SDN, including examples like OpenFlow and REST APIs.
Overview of Cisco's specific SDN solutions like Cisco APIC for data centers and Cisco DNA Center for enterprise networks.
Discussion of intent-based networking and how SDN controllers enable administrators to manage network policies more efficiently.
Introduction to Software-Defined WAN (SD-WAN) and its advantages over traditional WANs, such as direct internet access and improved performance for cloud-based applications.
Explanation of underlay and overlay networks in SD-WAN and the concept of virtual topologies on top of physical infrastructure.
Details about Cisco's SD-WAN solution using Viptela technology, including the roles of vManage, vBond, and vSmart components.
Description of zero-touch provisioning in Cisco's SD-WAN, allowing pre-configuration of devices before deployment.
Example of an SD-WAN implementation with secure IPsec tunnels and centralized control for provisioning and configuration.
Overview of SD-Access as a next-generation policy enforcement solution, using identity-based access control instead of traditional ACLs.
Explanation of Cisco Identity Services Engine (ISE) and its role in defining user identities for SD-Access policies.
Comparison of traditional ACLs with security group ACLs in SD-Access, highlighting the benefits of identity-based access control.
Components of Cisco's SD-Access solution, including physical infrastructure, virtual overlay networks, and controller layer with Cisco DNA Center.
Transcripts
Hey, welcome back to the channel everybody. This is Kevin, and in this week's video we want to talk about this term that you may have heard: software defined. We have software-defined networking, software-defined WAN, software-defined access. What's up with all these software-defined technologies? What do they do for us, and what pieces and parts make up a Cisco solution? That's what we're going to talk about in this week's video, and as always, if you enjoy this content, please do me a huge favor and click the like button down below and subscribe so you don't miss any of our weekly content.

Now let's begin our software-defined journey by taking a look first at software-defined networking, or SDN, and I want us to consider some traditional networking devices like routers and switches. They have three different planes of operation. They have the data plane, which is concerned with getting a frame or a packet in one interface and out of the egress interface as quickly as possible. The control plane: that's where our algorithms run. For example, a router is going to run OSPF at this plane; the switch might run a spanning tree protocol at this plane. These are the planes that populate the tables that will be used to forward data by the data plane. And when we as administrators go to configure a router or switch, we're interfacing with the management plane. Perhaps we secure shell into a switch to do some configuration; we're coming in on the management plane.

Now let's take a look at software-defined networking and see how this can radically shift our perspective of how we manage our devices day-to-day. The model that we just described is known as a distributed control plane, meaning that the control planes of these devices are distributed in the devices. In other words, each device has its own control plane. However, with an SDN controller, or a software-defined networking controller, what we can do in some cases is take those control planes on those individual devices and have them run inside of the SDN controller, so that appliance is in charge of running all of those algorithms, and the configuration and any update information is going to be pushed down from the SDN controller down to those devices. And that communication is using something called an API, that's an application programming interface, and we typically say that the API going from the controller down to the device is a southbound interface. Consider a compass: south is usually down, and when we draw out an SDN network we typically draw the devices being managed below the SDN controller, so we're going down to those devices, and these APIs are therefore called southbound interfaces, or SBI for short.

And now that we've got our control planes centralized in that SDN controller, we've now migrated from a distributed control plane to a centralized control plane. Now when I say we have an API running between the controller and the device, what's an example of that? Well, there's an industry standard called OpenFlow. Cisco has their own proprietary version called OpFlex, but those are a couple of examples of southbound interfaces. And the advantage that we as administrators get from this is we can do what is called intent-based networking. We can express our intent, such as "I want to treat video traffic this way, and I want to treat voice traffic this way, and I want to give this application this level of security and this level of quality of service." And the way we express our intent is not by going to each device and entering correct commands on each device; we express our intent through an application, and this application is going to talk to the controller using an NBI, a northbound interface, because the applications, we draw that above the SDN controller, or north of the controller, so these are going to be called NBIs, northbound interfaces.
And here we're not talking about OpFlex or OpenFlow; we're using something called REST APIs, and REST stands for representational state transfer. What does that mean exactly? It means we're using HTTP verbs, like you would use when interacting with a web page, to send information to the controller, our intent, and to retrieve information from the controller so we can see, for example, the status of a router. And this information being sent using these HTTP verbs needs to be formatted in a certain way, and one of the popular formats is JSON. JSON, that stands for JavaScript Object Notation.

And this is a fairly generic look at how SDN works, but let's talk Cisco-specific solutions. Sometimes a Cisco SDN controller is not going to use a centralized control plane; it very well may leave the control planes in the devices. It just kind of depends on how things are set up, so it's not always going to be a centralized control plane. But when we say SDN controller, what are we talking about in the Cisco world? Well, it varies. Are we talking about the data center or are we talking about the enterprise network? In the data center, I'd like you to know that the SDN controller of choice is the Cisco APIC, that's the Application Policy Infrastructure Controller, that's part of Cisco's ACI, or Application Centric Infrastructure, that they have for data centers. But in the enterprise, instead of using a Cisco APIC, which is going to be talking typically to Nexus devices, we're going to use Cisco DNA Center, where DNA stands for Digital Network Architecture. This allows us to do that intent-based networking that I was talking about, and here are a few examples of what Cisco DNA Center can do. We can use it to design our network; we can draw topologies. We can pre-configure our devices such that they can be plugged in and they'll automatically download their configuration; in other words, we can pre-provision them. We can do our day-to-day configuration using Cisco DNA Center. It's great for troubleshooting and monitoring what's going on, and when we talk about troubleshooting, this is not just a typical help interface. The troubleshooting is going to be proactive: it's going to watch for things, and it's going to tell you about things that it noticed, and it's going to give you recommended remediation steps. And this troubleshooting intelligence comes from Cisco TAC engineers who have seen these issues as part of their job, so this is like a knowledge base of Cisco TAC built into Cisco DNA Center.

And you also hear that Cisco DNA Center gives you platform support. What we mean by platform support is we can write applications to talk to Cisco DNA Center. Now, Cisco DNA Center, it has a beautiful GUI interface we can go in and use, and we can do a lot from that interface, but we don't have to do everything or anything from that interface. We can do everything programmatically. We can write applications, maybe using Python, maybe modify somebody else's application for our environment, and we can run that application and it's going to send instructions to the APIs known to Cisco DNA Center to do any of these functions.
And that's an overview of SDN, software-defined networking. Our next technology is software-defined WAN, or software-defined wide area networks, but before we jump into that SD-WAN discussion I want to tell you about a way to taste test, for free, some of our courses. Here's a challenge that many students have: they're not sure which track they want to go down. Is it security? Is it enterprise? One of my favorites is collaboration. Well, here you can taste test some of these different topics. Specifically, you can check out the first module in any of these courses. You might want to start at CCNA, or if you've already got your CCNA you can taste test the core content for enterprise, security, collaboration. If you've already completed your core training in security or enterprise, you can take the next step: take ENARSI for enterprise or SNCF for security. Or if you don't want to stay Cisco-specific, you may want to check out our newest course, which is Professional Ethical Hacking. That gets you ready for version 11 of the Certified Ethical Hacker exam, which, by the way, is currently listed as the fifth most in-demand certification to have, above any Cisco certification, because of the incredible demand for cyber security professionals. Or you may want to check out the new version of CompTIA's Network+ certification if you're just getting into networking. But again, you can sign up to go through the first module in any or all of these courses for free.
Just go to kwtrain.com/course-samples. Again, that's kwtrain.com/course-samples, and taste test any or all of these training courses.

Now let's take a look at SD-WAN, which stands for software-defined wide area network, and to understand the benefits of SD-WAN, let's first consider a traditional WAN. In a traditional WAN we had our remote sites that connected to our central site. Maybe there was a data center at that central site, and we could use a variety of WAN technologies to do that. Here are a couple of examples: we have MPLS or Metro Ethernet, and because we were going over a single circuit from one site to another site, we had very predictable performance. We could configure security on those endpoint routers. A disadvantage, though, is if we wanted to go out to the internet we might be forced to go through that HQ location, or perhaps we had to do backhauling. Maybe we had to go to the data center to have a security check done, and then we could come back to our remote site and then go out over our internet connection. That's not terribly efficient.

With software-defined wide area networking, we make the observation that a lot of applications are migrating to the cloud. We've got Amazon's cloud, AWS, Amazon Web Services; Microsoft Azure; we've got Google Cloud; Microsoft Office is available in the cloud; Dropbox; and on and on and on. And the thing is, these applications that are cloud-based, they can give us security and quality of service and a predictable performance experience. We don't need to do any backhauling back to the headquarters. If we have a remote site and it wants to go out to the internet, it can go straight out to the internet. And the thing I want you to understand here is that we might have a variety of technologies that are interconnecting all of our sites. Here I've got just three sites, but things could get much more complicated in larger enterprises. For example, consider this topology with a few different locations, and you see how these devices are physically interconnected. This is what we call the underlay network, or we might refer to this as the physical infrastructure. This is how our devices are physically interconnected. But with SD-WAN we can define our topology; in other words, we can define our wide area network connections. Perhaps I want a connection from the upper left office to the lower right office and a connection from the lower left office to that upper right data center, and I'm not sure what the performance is going to be because I'm not sure which path I'm going to take. Well, what we can do with SD-WAN is put a virtual topology on top of that physical topology. This is called our SD-WAN overlay network. This is our virtual infrastructure, where logically, from the perspective of these routers, it looks like they have a connection from their site to the next hop, which is the other site. Now in reality they may be going through multiple other routers in between, but it doesn't look like that to them, because what's happening here is we have virtual secured tunnels that are set up through the WAN, and we're not going from router to router and configuring things individually. That's one of the big advantages: those control plane functions we were talking about, they no longer have to reside in the routers. They can be done inside of our SD-WAN controller, and we can have a wide variety of physical WAN connections, everything from cellular to Metro Ethernet or cable modem or MPLS, and the list goes on and on. And as long as we educate our SD-WAN controller about those technologies, it will take care of it. It will send out appropriate configuration commands to our routers; it knows what's available on those routers, and it's going to give us that security and quality of service and predictable performance that we had with those traditional point-to-point WAN connections.

And again, let's talk Cisco-specific solutions. Cisco acquired a company called Viptela back in 2017. It's this Viptela technology that Cisco is using for their SD-WAN solution, and we can break down the functions and components in Cisco's SD-WAN solution into a few different layers of operation. Let's consider those layers. We've got the data plane, the control plane, and the management and orchestration planes; they're so similar we'll just group them together. Let's talk about some of the pieces and parts that live at these different planes of operation.
First is vManage, up at the management and orchestration plane. This is our interface to do the configuration. In fact, I'll take you out live to a vManage interface in a few moments and you'll see what it looks like, and I'll give you a link where you can go explore on your own. Another SD-WAN component living at this layer is vBond, and the job of vBond is to understand how the network is physically constructed and to figure out how all of these different interconnected components can work together. And vBond also lets us do something called zero-touch provisioning. In other words, we can completely provision or pre-configure a device before it ever arrives at one of our sites. Let's say a new router is shipped to one of our remote sites. Somebody plugs it in, and it's going to phone home. Basically, it's going to go up to a Cisco site, provide its serial number, be given a certificate, and it's going to be told the IP address for vManage and a control plane device we'll talk about in a moment called vSmart.

In fact, let's go ahead and talk about that device, vSmart, down at the control plane. vSmart, as we see here, does policy enforcement, so after we create a policy, vSmart is in charge of enforcing that policy and sending those policies out to other SD-WAN devices, and route information from remote sites, that's received using a protocol called OMP, the Overlay Management Protocol, because we're dealing with an overlay network. And here we are doing that centralized control plane that we talked about earlier, and if you're a Star Trek fan you might relate this to the Borg, where they have one mind, the collective they call it. That's kind of what's going on here: the control plane is a lot like the Borg collective. It is the mind, if you will, for all of the different components making up our SD-WAN. And finally, down at the data plane, we have the edge routers themselves, and these are responsible for doing the forwarding of our traffic. And these edge routers, they could be physical routers or they could be virtual routers.

And now that we've seen these pieces and parts, let's take a look at how this might be implemented in the real world. Here we see a sample topology with a main campus location. We've got a couple of branch locations, we've got a physical data center, we've got a cloud data center, and they're all connected using a variety of WAN technologies. But remember, SD-WAN is an overlay technology, so the underlying physical infrastructure, that is transparent to the traffic flowing over our overlay network. And at each of these locations we have a Cisco vEdge router, and these routers are going to securely talk to one another over dynamically formed IPsec tunnels, and this is going to make up our data plane that we talked about a moment ago. And also remember the control elements that we discussed, where we had Cisco's vManage, vBond, vSmart. We would form a connection between each of these control elements and each of these edge routers. We're going to use those control elements for the provisioning and configuration of those edge devices. And also, I mentioned that these routers could be physical or they could be virtual. Well, Cisco's vEdge routers are physical routers and they're running Viptela's operating system. We could also use some models of ISR, or Integrated Services Routers, or ASRs, Aggregation Services Routers, and the software or the virtual routers include Cisco's Cloud Services Router, the CSR 1000v, or a vEdge Cloud router, again running Viptela's operating system. And that's a look at how Cisco provides an SD-WAN solution based on their Viptela acquisition.

But I promised to go out and show you vManage. Let's take a look at that now. Here we're sitting at a vManage interface, and Cisco makes this available to us for free to go explore. It's part of their dCloud service. Now, this is read only; we're not going to be able to go in and reconfigure anything, but if you just want to go in and explore, you can go to cisco.com go slash sd-wan demos, then you'll select live demo and you'll be given instructions as to how to log into this vManage console. Looks like we've got a couple of vSmart devices, we've got eight WAN edge routers, got a couple of vBond devices, we've got one instance of vManage, which we're on now, and we can go in and check out some of the different tools, monitoring options that we have available. And that's an overview of Cisco's SD-WAN solution. Next up, let's consider SD-Access.
And we could at this high level loosely consider SD-Access as an advancement or a replacement for traditional access control lists. Let's take a look at some of its features. Cisco tells us that SD-Access is the next generation in policy enforcement. Instead of having individual access control lists that say this IP address can go to this other IP address using this TCP port number, here we're going to use security group ACLs. So here, rather than identifying someone based on the IP address they're using at the moment, it's based on their identity, and their identity is going to be defined on a device called Cisco ISE, the Identity Services Engine. And like our other software-defined technologies, we're going to be virtualizing the physical network. In fact, we can have multiple virtual networks all using the same physical network, and we can give different virtual networks different policies even though they're sharing the same physical network. That would be much more of a challenge to do with traditional ACLs.

In fact, let's consider a basic example of using a traditional ACL where we are manually configuring access control. For example, let's say that we have an access control list that says we want to permit PC1, which has an IP address of 192.168.1.100. We want to permit that IP address to go to the server, which has an IP address of 192.0.2.3. We want it to go to that server using TCP port 443, the secure HTTP port, and with that ACL in place on router R1, that traffic is going to be allowed, no problem. But what if that user takes their PC, or maybe it's a laptop, and they take it somewhere else in the building or in the enterprise? They're suddenly connected to a different subnet and they've got a different IP address. Here the IP address is 203.0.113.125. There's no ACL that says that's going to be permitted, and they're going to be denied access to the server when that user should have access to the server. Can you see, with today's more mobile workforce, it's going to be harder and harder to limit or grant access to resources based on ACLs?

Instead, enter SD-Access. With software-defined access we're going to have security groups, and let's pretend we have a security group called IT, and it has a couple of members, Kevin and Charles, and the identity of each member, that's going to be defined on a device called Cisco ISE, the Identity Services Engine. And here, instead of having a regular ACL that says permit this IP address to go to the HTTPS port on the server, here we have a security group ACL which says permit the IT security group to go to that server on that port. So here I've logged into PC1 with my identity of Kevin, and that's a member of the IT group, and that is permitted to get to the server. And if I move my device to another location, I'm still Kevin; I can still connect with my identity, so regardless of where I am in the network, I still have permission to get to the server.

Now let's take a look at some of the pieces and parts making up a Cisco SD-Access solution, and again we'll break this into different layers, beginning down at the bottom: the physical layer. And the physical layer is made up of our actual infrastructure devices. Here we might have things like routers and switches, wireless LAN controllers. Up at the network layer, we have both the physical underlay network and the virtualized network that lies on top of the underlay network, the SD-Access overlay network. This is sometimes referred to as our virtual fabric. If we move up to the controller layer, we see Cisco DNA Center, which is going to be sending instructions using those southbound APIs out to our devices. That's going to live at the controller layer, as well as Cisco ISE, that's granting permission for different identities. And our interface to manage all this is going to be done through the GUI of Cisco DNA Center; that's up at the management layer.

And after going through this video, I hope you have a better sense for what these SD technologies are all about: SDN, SD-WAN, SD-Access. And as we wrap up, I just want to remind you again about the opportunity you have to taste test any of these courses. Specifically, you can go through the first module of any of these courses for free and see if it's for you. All you have to do is go to kwtrain.com/course-samples. Thanks for joining me, and we'll see you next time.