nw19 - cisco: trends in enterprise networking

Copyright © 2015 Rockwell Automation, Inc. All rights reserved. Rockwell Automation TechED 2015 @ROKTechED #ROKTechED PUBLIC INFORMATION NW19: Cisco Trends in Enterprise Networking

Upload: rockwell-automation

Post on 13-Aug-2015


TRANSCRIPT


Trends in Enterprise Networking

Topics

• SDN – Software Defined Networking

• Cisco TrustSec

• IPV6 and BYOD

• Cloud Applications


Software Defined Networking


The network paradigm as we know it…

Control and data plane reside within the physical device

• Control plane decides what to do with incoming packets

• Data plane just forwards the packets


The SDN Paradigm

In other words… in the SDN paradigm, not all processing happens inside the same device. The control plane is separated, and runs on a separate device called a controller.


Cisco has a similar model for wireless: the Unified model has a central controller

The wireless architecture started with autonomous access points that are configured separately. No coordination. This model is fine for smaller deployments.

Cisco now uses a Unified architecture, with a central controller managing many access points. They get all of their configuration from the controller.


Network Programmability Models: Physical / Virtual

Network overlays apply to all models (physical/virtual); custom features can be built.

Figure: three models side by side

• Current Switch/Router – Applications, APIs, Control Plane and Data Plane all reside on the device. Resilient, Scalable, Secure, Rich Features, Evolutionary, Investment Protection.

• "SDN" Approach – Applications and APIs sit on a Controller that holds the Control Plane; the devices keep only the Data Plane. Simpler Provisioning, Centralized NW Topology.

• Hybrid Model – Applications and APIs sit on a Controller, and each device keeps its own Control Plane and Data Plane as well. Combined Benefits, Evolutionary Model, Investment Protection.


What is OpenFlow?

OpenFlow is a Layer 2 communications protocol that allows the control plane to talk to the data plane over the network


Let's take a closer look at OpenFlow…

Four parts to OpenFlow: start with the application (CIP traffic, email, etc.)


OpenFlow Controller

Central administration and operations point for network elements. The controller is just a server.


OpenFlow Device Agent

• Agent runs on the network device

• Agent receives instructions from the Controller

• Agent programs device tables


OpenFlow Protocol

The OpenFlow Protocol is… "A mechanism for the OpenFlow Controller to communicate with OpenFlow Agents…"


Some Things Will Never Be Equal

Openflow will not turn this… Into this…


Cisco’s ACI (Application Centric Infrastructure)


Cisco TrustSec

Cisco TrustSec – enable an identity-aware network: who can do what…


Challenges with Enterprise Security and Access Control Policy

Protected assets are defined by their network connection

• Policies are statically and manually configured

• Rules are based on network topology (subnets, addresses)

• IP Address does not provide user context or meaning

Method does not facilitate key Business / IT requirements like:

• Frequent organizational changes

• Mobile workforces

• Device choice

• Virtualization


Cisco TrustSec – Identity Services


Taking Complexity out of Network Security

The slide shows a page of topology-based access-list entries of this kind:

access-list 102 permit tcp 131.249.33.123 0.0.0.127 lt 4765 71.219.207.89 0.255.255.255 eq 606
access-list 102 deny tcp 112.174.162.193 0.255.255.255 gt 368 4.151.192.136 0.0.0.255 gt 4005
access-list 102 permit ip 189.71.213.162 0.0.0.127 gt 2282 74.67.181.47 0.0.0.127 eq 199
access-list 102 deny udp 130.237.66.56 255.255.255.255 lt 3943 141.68.48.108 0.0.0.255 gt 3782
access-list 102 deny ip 193.250.210.122 0.0.1.255 lt 2297 130.113.139.130 0.255.255.255 gt 526
access-list 102 permit ip 178.97.113.59 255.255.255.255 gt 178 111.184.163.103 255.255.255.255 gt 959
access-list 102 deny ip 164.149.136.73 0.0.0.127 gt 1624 163.41.181.145 0.0.0.255 eq 810
access-list 102 permit icmp 207.221.157.104 0.0.0.255 eq 1979 99.78.135.112 0.255.255.255 gt 3231
access-list 102 permit tcp 100.126.4.49 0.255.255.255 lt 1449 28.237.88.171 0.0.0.127 lt 3679
access-list 102 deny icmp 157.219.157.249 255.255.255.255 gt 1354 60.126.167.112 0.0.31.255 gt 1025
access-list 102 deny icmp 76.176.66.41 0.255.255.255 lt 278 169.48.105.37 0.0.1.255 gt 968


Traditional Security Administration

ACL for 3 source objects & 3 destination objects (every added source object or destination object extends the list):

permit NY to SRV1 for HTTPS
deny NY to SAP2 for SQL
deny NY to SCM2 for SSH
permit SF to SRV1 for HTTPS
deny SF to SAP1 for SQL
deny SF to SCM2 for SSH
permit LA to SRV1 for HTTPS
deny LA to SAP1 for SQL
deny LA to SAP for SSH
permit SJC to SRV1 for HTTPS
deny SJC to SAP1 for SQL
deny SJC to SCM2 for SSH
permit NY to VDI for RDP
deny SF to VDI for RDP
deny LA to VDI for RDP
deny SJC to VDI for RDP

A global bank currently dedicates 24 global resources to managing firewall rules. Complex task and high OPEX continues.

Figure: Traditional ACL/FW rule, where source and destination objects are subnets

Source: NY 10.2.34.0/24, SF 10.2.35.0/24, LA 10.2.36.0/24, … SJC
Destination (Production Servers): DC-MTV (SRV1) 10.3.102.0/24, DC-MTV (SAP1) 10.3.152.0/24, DC-RTP (SCM2) 10.4.111.0/24, DC-RTP (VDI)


Security Administration with TrustSec

Permit Employee to Production_Servers eq HTTPS
Deny Employee to Production_Servers eq SQL
Deny Employee to Production_Servers eq SSH
Permit Employee to VDI eq RDP
Deny BYOD to Production_Servers
Deny BYOD to VDI eq RDP

• Policy stays with users / servers regardless of location/topology

• Simple to define, audit, and manage

• Less operational effort and faster to deploy new services

Figure: Security Group Filtering. The same sites (NY, SF, LA, SJC) and data-center servers (DC-MTV SRV1, DC-MTV SAP1, DC-RTP SCM2, DC-RTP VDI) are now addressed as groups: Employee, BYOD, Production Servers, VDI Servers.

Source SGT: Employee (10), BYOD (200)
Destination SGT: Production_Servers (50), VDI (201)


Flexible Classification for Security Group Tags (SGT)

Figure: where an SGT can be assigned

• User/Device/Location – Cisco access layer with ISE: 802.1X, MAB, Web Auth and Profiling assign the SGT; static options are VLAN-SGT, Port-SGT, IP-SGT and Addr.Pool-SGT

• Data Center / Virtualization – NX-OS, CIAC, hypervisors: Port Profile, VLAN-SGT, IPv4 Prefix Learning, IPv6 Prefix Learning

• Campus & VPN Access, non-Cisco & legacy environments – IOS/Routing: IPv4 Subnet-SGT, IPv6 Prefix-SGT

• Business Partners & Supplier access controls

• TrustSec decouples network topology and security policy to simplify access control and segmentation

• Classification process groups network resources into Security Groups


SGT Propagation

Figure: an endpoint at 10.1.100.98 is classified as SGT 50 at the access layer (other endpoints shown with SGT 20 and SGT 30). Path: Wired Access / Wireless Access → Campus Core → Enterprise Backbone → DC Core → DC Distribution → DC Firewall → DC Physical Access / DC Virtual Access → Physical Servers and VM Servers.

• Inline SGT Tagging – SGT-capable ASICs carry SGT=50 inside the L2 Ethernet frame (SRC: 10.1.100.98); optionally encrypted

• SXP – SGT Exchange Protocol – for non-SGT-capable devices, the IP-to-SGT binding is sent over SXP instead of in the frame

SXP IP-SGT Binding Table:
IP Address 10.1.100.98, SGT 50, SRC Local
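A small model of the enforcement the TrustSec slides describe, added here as an example (not code from the deck or from Cisco): an IP-SGT binding table, as a switch would hold it after local classification or SXP, classifies each endpoint, and the policy matrix from the "Security Administration with TrustSec" slide decides on (source SGT, destination SGT) and port, so a user keeps the same policy after moving between the NY and SF subnets. The 10.1.100.98 → 50 binding and the site subnets are from the slides; the BYOD and VDI ranges, the service ports (HTTPS 443, SQL 1433, SSH 22, RDP 3389) and default-deny for untagged hosts are assumptions.

```python
# Added example of TrustSec-style enforcement; not code from the deck or from Cisco.
from ipaddress import ip_address, ip_network

# Security Group Tag values as printed on the slide.
SGT = {"Employee": 10, "Production_Servers": 50, "BYOD": 200, "VDI": 201}

# IP-SGT bindings, as a switch would hold them after local classification or SXP.
# 10.1.100.98 -> 50 is the slide's binding; the BYOD and VDI ranges are constructed.
BINDINGS = {
    ip_network("10.1.100.98/32"): SGT["Production_Servers"],
    ip_network("10.2.34.0/24"): SGT["Employee"],  # NY users (subnet from the slide)
    ip_network("10.2.35.0/24"): SGT["Employee"],  # SF users (subnet from the slide)
    ip_network("10.9.0.0/16"): SGT["BYOD"],       # constructed BYOD address pool
    ip_network("10.3.200.0/24"): SGT["VDI"],      # constructed VDI server range
}

# Assumed service ports for the slide's service names.
HTTPS, SQL, SSH, RDP = 443, 1433, 22, 3389

# Policy matrix transcribed from the slide: (src SGT, dst SGT) -> {port: action},
# with "*" as the cell's default. A (src, dst) pair with no cell is denied.
SGACL = {
    (SGT["Employee"], SGT["Production_Servers"]):
        {HTTPS: "permit", SQL: "deny", SSH: "deny", "*": "deny"},
    (SGT["Employee"], SGT["VDI"]): {RDP: "permit", "*": "deny"},
    (SGT["BYOD"], SGT["Production_Servers"]): {"*": "deny"},
    (SGT["BYOD"], SGT["VDI"]): {RDP: "deny", "*": "deny"},
}


def sgt_for(ip):
    """Longest-prefix match against the binding table; None when the host is untagged."""
    addr = ip_address(ip)
    hits = [(net.prefixlen, tag) for net, tag in BINDINGS.items() if addr in net]
    return max(hits)[1] if hits else None


def decide(src_ip, dst_ip, dst_port):
    """Permit or deny a flow from its tags alone; no subnet appears in the policy."""
    cell = SGACL.get((sgt_for(src_ip), sgt_for(dst_ip)))
    if cell is None:  # untagged endpoint or no policy cell: default deny
        return "deny"
    return cell.get(dst_port, cell["*"])
```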


Campus User Segmentation

Figure: Voice, Employee, Guest and Quarantine users in the Main Building and Building 3 (one Data VLAN each, plus Voice) connect through the Access Layer and Campus Core to the Data Center behind the Data Center Firewall. Each user carries an Employee, Supplier, Guest or Quarantine tag.

Enforcement is based on Security Group, even for communication in the same VLAN.

Policy matrix (figure): source groups Employee, Supplier, Guest, Quarantine against destinations Employee, Supplier, Remed., Internet, each cell marked permit (✔) or deny (✗); the individual marks are not fully recoverable from the extracted slide.


Cisco TrustSec Summary

Efficient

• Simplifies implementation of security policy

• Highly scalable & inline rate

• Simplifies Data Center network design

Secure

• Embed security within the infrastructure

• Enforcement based on rich context

• Solution simplicity enables end-to-end approach

Demonstrable ROI

• Reduces ACL and VLAN complexity & maintenance

• Automates FW policy

• Improve both performance & availability



IPV6


IPV6 is Happening

Ever So Slowly


So What's Your Address?

Agenda:

• Status

• Why everyone is quiet on IPv6

• Going forward

• What is it, where will it start


Why everyone is quiet on IPv6?

• Enterprises find no panic condition to adopt IPv6

• Migration to IPv6 is not on the priority list of decision makers

• End consumers lack IPv6 readiness

• Governments are lagging in their deployment targets

• Lots of doubts and fear regarding adoption of IPv6

• Conversation around IPv6 is low.


Going Where?

Agenda:

• Project scope

• Why everyone is quiet on IPv6?

• Going forward

• What is it, where will it start


Going forward

Implementation of IPv6 has been a marathon… not a sprint race

Source: Heavy Reading (March 2013), Current Analysis (August 2013), IT Business Edge, GCN

End consumers need to upgrade or replace their huge base of legacy electronic equipment, which supports IPv4 but not IPv6

Status – End consumers are the least motivated to migrate to IPv6-capable equipment

CDN and web hosting companies are required to increase IPv6-enabled content.

Status – The number of people in the industry planning to implement IPv6 has increased, so IPv6-enabled content needs to be ready for these users

More professional services from service providers and an IPv6-skilled workforce at enterprises are desired

Status – Decision makers find themselves resistant to adopting IPv6 because of scarce skills


What is it, where will it start?

Agenda:

• Project scope

• Why everyone is quiet on IPv6?

• Going forward

• What is it, where will it start


You said it was how many?

340,282,366,920,938,463,374,607,432,768,211,456 (IPv6 address space – 340 trillion trillion trillion)

vs

4,294,967,296 (IPv4 address space – 4 billion)

Figure: a phone booth next to our Sun. Let's assume a phone booth represents 4 billion addresses; the IPv6 address space would then approach the size of the Sun.


What does it look like?

• 16-bit hexadecimal numbers; basically combines IP address and MAC address into one

• Numbers are separated by a colon (:)

• Hex numbers are not case sensitive

• Abbreviations are possible

• Contiguous blocks of zeros can be represented by (::). Example:

2001:0db8:0000:130F:0000:0000:087C:140B

2001:0db8:0:130F::87C:140B

The double colon can only appear once in the address

• Leading zeros in a block can be omitted. Example:

2001:0db8:00e2:0300::087C:140B

2001:db8:e2:300::87C:140B


Bring Your Own Device

This is really more about Wireless

Cooperate with IT or prepare to face failure

Device Security – Integrated

This is why IPV6 will happen!


BYOD Use Cases

Figure: four tiers

• LIMITED – Environments with tight controls; only corporate devices; IT whitelist

• BASIC/GUEST – Focus on basic services, guest access; broader device types; Internet only

• ENHANCED – Differentiated services, on-boarding securely; personal and corporate devices; deny some devices

• ADVANCED – Posture from Mobile Device Management; any device, any ownership; MDM compliance


Integration with Virtualization Clients

Figure: Virtualized App Environment delivered through an Application Virtualization Client

Application Portability: delivering legacy/non-native apps to a broad device set

Example: iPad does not support an application natively

Data Loss Prevention: securing enterprise applications and data

Example: avoid storing data locally; use virtualization for an application subset – confidential, intellectual property, financial


BYOD will Force IPV6

Why? Literally hundreds of thousands of devices

Cisco as an example:

• 65,XXX employees

• 1 IP Phone

• 1 Smart Phone

• 1 Tablet

• 1 Laptop

That's 65,500 x 4 = 262,000 addresses


But wait! Now add:

• Door locks

• Thermostats

• Security Cameras

• Servers

• PACs

• I/O

• And…


Cloud Computing – Service Model

• SaaS (Software as a Service): users run existing online applications. Ex. Google Docs, Salesforce.com

• IaaS (Infrastructure as a Service): run applications on someone else's servers. Imagine running FactoryTalk Historian somewhere besides your own servers

• PaaS (Platform as a Service): environment for creating and hosting web applications


Cloud Computing – Deployment Model

Businesses are choosing a variety of cloud models to meet their unique needs and priorities.

• Private cloud: IT capabilities are provided "as a service" over an intranet, within the enterprise and behind the firewall.

• Public cloud: IT activities and functions are provided "as a service" over the Internet.


www.rockwellautomationteched.com

Thank you, enjoy your week!