Cisco SD-Access Best Practices - Design and Deployment (PDF, 68 pages), shared by a member and readable online on 三个皮匠报告 (sangepijiang report site).
Cisco SD-Access Best Practices: Design and Deployment
BRKENS-2502
Mahesh Nagireddy, Technical Marketing Engineering, Technical Leader, CCIE R&S
2023 Cisco and/or its affiliates. All rights reserved. Cisco Public #CiscoLive

Cisco Webex App: Questions? (slide 3)
Use the Cisco Webex App to chat with the speaker after the session. How:
1. Find this session in the Cisco Live Mobile App.
2. Click "Join the Discussion".
3. Install the Webex App or go directly to the Webex space.
4. Enter messages/questions in the Webex space.
Webex spaces will be moderated by the speaker until June 9, 2023.

Cisco SD-Access Learning Map (slide 4)

Agenda (slide 5)
- Introduction
- SD-Access Scale & Readiness
- SD-Access Single-Site Design Options
- SD-Access Multi-Site Design Options
- SD-Access Policy Design Options

Cisco SD-Access Fabric Roles & Terminology (slide 6)
- Control-Plane Nodes: map system that manages endpoint-to-device relationships.
- Fabric Edge Nodes: a fabric device (e.g. access or distribution) that connects wired endpoints to the SD-Access fabric.
- Fabric Border Nodes: a fabric device (e.g. core) that connects external L3 network(s) to the SD-Access fabric.
- Intermediate Nodes (underlay).
- Fabric Wireless Controller: a fabric device (WLC) that connects fabric APs and wireless endpoints to the SD-Access fabric.
- Fabric Wireless Access Points.
- Identity Services: NAC & ID services (e.g. Cisco ISE) for dynamic endpoint-to-group mapping and policy definition.
- Network Automation (Cisco DNA Center): simple GUI and APIs for intent-based automation of wired and wireless fabric devices.
- Network Assurance (Cisco DNA Center): data collectors analyze endpoint-to-application flows and monitor fabric device status.
The figure groups control-plane, border, edge, fabric wireless controller and fabric AP roles into a fabric site, with Cisco DNA Center (automation, assurance) and identity services attached over IP.

SD-Access Platform Support (slide 7)
Digital platforms for your Cisco Digital Network Architecture. Platform support depends on the fabric role; supported hardware, software and the recommended version for all Cisco SD-Access components are listed in the compatibility matrix: cs.co/sda-compatibility-matrix (for your reference).

Cisco SD-Access Scale & Readiness (slide 8)
- Cisco DNA Center 2.3.5 Data Sheet
- Cisco DNA Center fabric readiness and compliance checks: hardware version, image type, software version, software licenses
- Cisco SD-Access software licensing: Cisco DNA Advantage / Cisco DNA Premier license
- Cisco DNA Center Security Best Practices Guide

Cisco SD-Access Latency Requirements (slide 9)
10 msec RTT; 300 msec RTT.

IPv4 and IPv6 Support in SD-Access (as of Cisco DNA Center 2.3.5.0 and Cisco ISE 3.2)
- Cisco DNA Center physical interfaces: v4/v6
- Cisco Catalyst devices: v4/v6/dual-stack
- Cisco SD-Access underlay devices: v4 only
- Cisco SD-Access overlay clients: v4/v6/dual-stack
- Cisco ISE: v4/v6/dual-stack
- Cisco DNA Center to Cisco ISE: v4 only

IPv6 endpoint registration in the fabric (slide 10, figure)
Anycast gateways 2001:db8:46:1::/64 and 2001:db8:46:3::/64 (the same gateway address on every edge node); edge node RLOCs 10.0.255.1, 10.0.255.2, 10.0.255.3.
Edge node 10.0.255.1 routing table: 2001:db8:46:1::/64 local; 2001:db8:46:1::ac/128 local.
Edge node 10.0.255.3 routing table: 2001:db8:46:3::/64 local; 2001:db8:46:3::ac/128 local.
Map-Register: endpoint 2001:db8:46:1::ac/128, edge node 10.0.255.1.
Control-plane node database: 2001:db8:46:1::ac/128 -> 10.0.255.1; 2001:db8:46:3::ac/128 -> 10.0.255.3.
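The registration flow in the figure above, as an added example that is not part of the deck: a toy LISP control-plane node (map server) that accepts Map-Registers from edge nodes and answers lookups. It enforces the two constraints the deck states (the underlay, and therefore every RLOC, is IPv4 only; endpoints register as /32 or /128 host routes) and authenticates each registration with an HMAC keyed by the site's shared key, as RFC 6830 Map-Registers are, so that a rogue edge cannot overwrite another edge's endpoint mapping. Addresses are the ones on the slide; the site key, the instance ID 4099 (LISP's per-VN scope) and the HMAC field serialisation are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
from typing import Dict, Optional, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def register_auth(site_key: bytes, instance_id: int, eid: str, rloc: str) -> bytes:
    """Authentication data for a Map-Register. RFC 6830 keys an HMAC with the
    site's shared key; the field serialisation used here is our own."""
    msg = f"{instance_id}|{eid}|{rloc}".encode()
    return hmac.new(site_key, msg, hashlib.sha256).digest()


class ControlPlaneNode:
    """Map system: (LISP instance ID = VN, endpoint host route) -> edge RLOC."""

    def __init__(self, site_key: bytes) -> None:
        self.site_key = site_key
        self.db: Dict[Tuple[int, IPNetwork], ipaddress.IPv4Address] = {}

    def map_register(self, instance_id: int, eid: str, rloc: str, auth: bytes) -> bool:
        rloc_addr = ipaddress.ip_address(rloc)
        if rloc_addr.version != 4:  # underlay is IPv4 only, so RLOCs are too
            raise ValueError("RLOC must be an IPv4 underlay address")
        eid_net = ipaddress.ip_network(eid, strict=True)
        if eid_net.prefixlen != eid_net.max_prefixlen:  # endpoints are /32 or /128
            raise ValueError("endpoint EID must be a host route")
        expected = register_auth(self.site_key, instance_id, str(eid_net), str(rloc_addr))
        if not hmac.compare_digest(expected, auth):
            return False  # wrong key: the registration is dropped, mapping unchanged
        self.db[(instance_id, eid_net)] = rloc_addr
        return True

    def map_request(self, instance_id: int, eid: str) -> Optional[ipaddress.IPv4Address]:
        """Resolve an endpoint address inside one VN; other VNs see nothing."""
        host = ipaddress.ip_network(str(ipaddress.ip_address(eid)))
        return self.db.get((instance_id, host))


class EdgeNode:
    """Fabric edge: registers its attached endpoints with its own RLOC."""

    def __init__(self, rloc: str, site_key: bytes) -> None:
        self.rloc = rloc
        self.site_key = site_key

    def register(self, cp: ControlPlaneNode, instance_id: int, eid: str) -> bool:
        eid_net = str(ipaddress.ip_network(eid, strict=True))
        auth = register_auth(self.site_key, instance_id, eid_net, self.rloc)
        return cp.map_register(instance_id, eid_net, self.rloc, auth)


def build_fabric() -> ControlPlaneNode:
    """Recreates the slide's figure: edge 10.0.255.1 registers 2001:db8:46:1::ac,
    edge 10.0.255.3 registers 2001:db8:46:3::ac. Site key and instance ID 4099
    are constructed values, not from the deck."""
    site_key = b"constructed-site-key"
    cp = ControlPlaneNode(site_key)
    EdgeNode("10.0.255.1", site_key).register(cp, 4099, "2001:db8:46:1::ac/128")
    EdgeNode("10.0.255.3", site_key).register(cp, 4099, "2001:db8:46:3::ac/128")
    return cp


if __name__ == "__main__":
    cp = build_fabric()
    print(cp.map_request(4099, "2001:db8:46:1::ac"))  # 10.0.255.1
    rogue = EdgeNode("10.0.255.9", b"wrong-key")
    print(rogue.register(cp, 4099, "2001:db8:46:1::ac/128"))  # False
```

The lookup is keyed by instance ID as well as by EID, which is what keeps a Campus endpoint from resolving an IoT endpoint's location even though both sit in the same control-plane database; the extranet scenarios later in the deck are the controlled exception to that rule.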
Cisco DNA Center Deployment Types
- Standalone
- Cluster for high availability (HA): cluster nodes interconnected with a 10 Gbps interface and 10 msec latency
- Disaster recovery (DR) for network downtime: cluster connected with a 1 Gbps interface between main site and recovery site with

Cisco DNA Center Settings: Cisco ISE Integration (slide 49)
Cisco ISE: enable the following ISE services before integrating:
- Administration > System > Deployment > select the ISE host name > enable pxGrid Services
- Administration > System > Settings > ERS Settings > enable ERS for Read/Write on the PAN; enable ERS for Read only on all other nodes in a distributed deployment
Connectivity required from the Cisco DNA Center cluster to Cisco ISE: TCP/443, TCP/9060 (ERS), TCP/5222 and TCP/8910 (pxGrid).

Cisco DNA Center Settings: Cisco ISE + Load Balancer (slide 50)
Cisco DNA Center is configured with the load balancer VIP in front of Cisco ISE.
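A pre-integration check for the ports listed above, as an added example (not the deck's own tooling): it TCP-connects from the Cisco DNA Center side to each port Cisco ISE must expose and reports the gaps, and it shows a minimal ERS call so that the "ERS on TCP/9060, Read/Write only on the PAN" rule is visible in code. The port roles are the standard ones (443 HTTPS, 9060 ERS, 5222 pxGrid XMPP, 8910 pxGrid 2.0 WebSocket); the ISE host name, credentials and the `config/sgt` resource used in the usage note are placeholders.

```python
import base64
import json
import socket
import ssl
import urllib.request
from typing import Dict, Iterable, List, Optional

# Ports from the slide, with their standard roles (assumed, not from the deck).
ISE_PORTS: Dict[int, str] = {
    443: "HTTPS (ISE admin / REST)",
    9060: "ERS API (Read/Write on the PAN, Read on other nodes)",
    5222: "pxGrid 1.0 (XMPP)",
    8910: "pxGrid 2.0 (WebSocket)",
}


def check_port(host: str, port: int, timeout: float = 2.0) -> bool:
    """TCP connect test only: a refused or timed-out connect means a firewall
    or service gap that will break the Cisco DNA Center / ISE integration."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def precheck(host: str, ports: Iterable[int] = ISE_PORTS, timeout: float = 2.0) -> Dict[int, bool]:
    """Run from the DNA Center node toward the ISE node (PAN or PSN)."""
    return {port: check_port(host, port, timeout) for port in ports}


def unreachable(results: Dict[int, bool]) -> List[str]:
    """Human-readable list of ports that failed the connect test."""
    return [f"TCP/{p} {ISE_PORTS.get(p, 'unknown')}"
            for p, ok in sorted(results.items()) if not ok]


def ers_url(host: str, resource: str) -> str:
    """ERS is served on 9060, not 443; resource is e.g. 'config/sgt'."""
    return f"https://{host}:9060/ers/{resource.lstrip('/')}"


def ers_get(host: str, resource: str, user: str, password: str,
            cafile: Optional[str] = None) -> dict:
    """GET an ERS resource as JSON with an ERS admin account (basic auth).
    Point writes at the PAN only; other nodes are Read. The ISE certificate is
    verified: pass cafile for a private CA instead of disabling verification."""
    req = urllib.request.Request(ers_url(host, resource))
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/json")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder host; on a real node this is the ISE PAN (or the LB VIP).
    results = precheck("ise-pan.example.net")
    for line in unreachable(results):
        print("missing:", line)
```

Typical use is `ers_get("ise-pan.example.net", "config/sgt", "ers-admin", "...")` to confirm the ERS account works before adding ISE in Cisco DNA Center; `precheck` should return all four ports reachable from every node of the DNA Center cluster, not just the one you happen to be logged in to.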
Cisco DNA Center Design: ISE as AAA Server for Clients and Network Devices (slide 51)

Security Group Tags (SGT): Classification Mechanisms (slide 52)
- Static classification: VLAN to SGT; IP/subnet/L3 interface to SGT; L2 port to SGT; IP/subnet/policy profile to SGT (WLC).
- Dynamic classification: SGT assigned by Cisco ISE as part of the authorization result, including PassiveID sessions learned from Active Directory (AD).
The figure places these across WLC, firewall, access, distribution, core, DC core, DC access and the enterprise backbone.

Security Group Tags (SGT): Propagation Mechanisms (slide 53)
Inline tagging methods:
- Ethernet inline tagging: EtherType 0x8909; the 16-bit SGT is encapsulated within the Cisco Meta Data (CMD) payload.
- IPsec / L3 crypto: Cisco Meta Data (CMD) uses protocol 99 and is inserted at the beginning of the ESP/AH payload.
- LISP: the 16-bit SGT is inserted in the 24-bit Nonce field.
- VXLAN: the 16-bit SGT is inserted into the Segment ID (Group Policy ID) of the VXLAN header.
Propagation options: Cisco MetaData (CMD) over Ethernet, MACsec, IPsec, DM-VPN, GET-VPN, VXLAN.
Supporting devices (branches and fabric): Catalyst switches, WLAN controllers, Nexus switches, Integrated Services Routers, Industrial Ethernet switches, ASR 1000, ASA 5500-X, Firepower Threat Defense.

Cisco DNA Center Policy: Access Contracts and Enforcement (slide 54)
Fabric policies are defined in Cisco DNA Center as source group, destination group and contract, e.g. source Employees, destination Production, contract PERMIT (groups in the example: Employees, Contractors, Production, Development). Cisco DNA Center deploys the policy to Cisco ISE over the API, and ISE deploys it to the SD-Access fabric site. Enforcement is intra-VN and inter-VN, and can also be external to the fabric (IP transit peer device, SD-Access extension).
Enforcement scale:
- A Cisco DNA Center cluster supports 64 to 256 VNs per site and 4000 SGTs.
- 255 unique SGTs can be enforced locally on Catalyst 3850 / Catalyst 9000 switches; access/edge nodes usually will not see that scale of 255+ SGTs.
- If enforcing on border nodes, consider the number of DC/cloud-related SGTs, which may increase the SGT count.
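The propagation and enforcement slides above, carried through in code as an added example (not from the deck): an SGT is placed in the VXLAN group-policy field on the sending node, extracted on the receiving node, and checked against an SGACL matrix before forwarding. The header layout is the VXLAN-GBP one (G flag marks the extension, A bit marks policy already applied, 16-bit Group Policy ID, 24-bit VNI). Two checks a practitioner wants are built in: the policy ID is only read as an SGT when the G flag is set (otherwise the field is reserved and must not be trusted), and an untagged packet is treated as SGT 0 (Unknown) rather than inheriting any privileged group. The group names and SGT numbers, the VNI 8188, the contracts and the deny-by-default catch-all are constructed for the example; the 255-SGT limit is the local enforcement number from the slide.

```python
import struct
from typing import Dict, Optional, Set, Tuple

VXLAN_FLAG_G = 0x80        # group policy extension present
VXLAN_FLAG_I = 0x08        # VNI field valid
GBP_DONT_LEARN = 0x40      # D bit (second byte)
GBP_POLICY_APPLIED = 0x08  # A bit (second byte)
SGT_UNKNOWN = 0            # TrustSec reserved value for untagged traffic


def build_vxlan_gbp(vni: int, sgt: int, policy_applied: bool = False) -> bytes:
    """8-byte VXLAN header with the SGT in the Group Policy ID field."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is 24 bits")
    if not 0 <= sgt < (1 << 16):
        raise ValueError("SGT is 16 bits")
    gbp = GBP_POLICY_APPLIED if policy_applied else 0
    return struct.pack("!BBHI", VXLAN_FLAG_G | VXLAN_FLAG_I, gbp, sgt, vni << 8)


def parse_vxlan_gbp(header: bytes) -> Tuple[int, Optional[int], bool]:
    """Returns (vni, sgt or None, policy_applied). The SGT is read only when
    the G flag is set; without it the 16 bits are reserved, not a tag."""
    if len(header) < 8:
        raise ValueError("short VXLAN header")
    flags, gbp, policy_id, word = struct.unpack("!BBHI", header[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag clear: VNI not valid")
    vni = word >> 8
    if not flags & VXLAN_FLAG_G:
        return vni, None, False
    return vni, policy_id, bool(gbp & GBP_POLICY_APPLIED)


PERMIT, DENY = "permit", "deny"


class EnforcementPolicy:
    """SGACL matrix: (source SGT, destination SGT) -> contract action.
    The catch-all is a parameter because it is a design choice; this example
    uses deny, which is the least-privilege option."""

    def __init__(self, default: str = DENY, local_sgt_limit: int = 255) -> None:
        self.default = default
        self.local_sgt_limit = local_sgt_limit  # 255 unique SGTs enforceable locally
        self.contracts: Dict[Tuple[int, int], str] = {}

    def add_contract(self, src_sgt: int, dst_sgt: int, action: str) -> None:
        self.contracts[(src_sgt, dst_sgt)] = action

    def unique_sgts(self) -> Set[int]:
        return {sgt for pair in self.contracts for sgt in pair}

    def fits_local_enforcement(self) -> bool:
        """Would this matrix fit the per-switch SGT limit if enforced there?"""
        return len(self.unique_sgts()) <= self.local_sgt_limit

    def decide(self, src_sgt: int, dst_sgt: int) -> str:
        return self.contracts.get((src_sgt, dst_sgt), self.default)


def enforce(header: bytes, dst_sgt: int, policy: EnforcementPolicy) -> str:
    """Decision for a decapsulated packet whose destination SGT is known
    locally (e.g. the destination is an endpoint on this edge node)."""
    _vni, sgt, applied = parse_vxlan_gbp(header)
    if applied:
        return PERMIT  # A bit set: an upstream node already enforced the contract
    src = sgt if sgt is not None else SGT_UNKNOWN
    return policy.decide(src, dst_sgt)


# Constructed sample groups; the numbers are illustrative SGT values.
SGT = {"Unknown": 0, "Employees": 10, "Contractors": 11, "Production": 20, "Development": 21}


def sample_policy() -> EnforcementPolicy:
    policy = EnforcementPolicy(default=DENY)
    policy.add_contract(SGT["Employees"], SGT["Production"], PERMIT)    # the slide's example
    policy.add_contract(SGT["Employees"], SGT["Development"], PERMIT)
    policy.add_contract(SGT["Contractors"], SGT["Development"], PERMIT)
    return policy


if __name__ == "__main__":
    policy = sample_policy()
    frame = build_vxlan_gbp(8188, SGT["Employees"])
    print(frame.hex())                                   # 8800000a001ffc00
    print(enforce(frame, SGT["Production"], policy))     # permit
    print(enforce(build_vxlan_gbp(8188, SGT["Contractors"]), SGT["Production"], policy))  # deny
```

`fits_local_enforcement()` is the scale check the slide is pointing at: count the distinct SGTs that actually appear in the contracts you intend to enforce on a given node, and remember that a border node facing the DC or cloud will see many more of them than an edge node does.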
Integrating Multiple Cisco DNA Center Clusters with ISE: Option 1 (slide 55)
Intent-based network infrastructure: Cisco DNA Center cluster #1, cluster #2, ... cluster #N, each integrated over pxGrid and REST APIs with its own Cisco ISE deployment (cluster).

Integrating Multiple Cisco DNA Center Clusters with ISE: Option 2* (slide 56)
Intent-based network infrastructure: Cisco DNA Center clusters #1, #2, #3, #4, ... #N all integrated over pxGrid and REST APIs with a single Cisco ISE deployment (cluster). Every cluster has Group-Based Policy (GBP) read/write access. SD-Access data (virtual networks, extranet policy) stays local to each cluster; GBP data (policy, SGT, access contract) is shared through ISE.

Integrating Multiple Cisco DNA Center Clusters with ISE: Option 3, Multiple Cisco DNA Center Solution Overview (slide 57)
Multiple Cisco DNA Center clusters to a single Cisco ISE PDG over pxGrid and REST APIs: cluster #1 is the Author, clusters #2, #3, #4, ... #N are Readers. N = 5, starting with Cisco DNA Center 2.2.3.x.

Multiple Cisco DNA Center Use Case: Shared SD-Access Transit (slide 58)
An SD-Access transit shared across multiple Cisco DNA Center clusters (cluster #1 Author, clusters #2 and #3 Readers), all integrated with one Cisco ISE deployment (cluster) over pxGrid and REST APIs; control-plane traffic flows across the shared transit. Shared SD-Access transit is supported starting with Cisco DNA Center 2.2.3.x; 4 transit control-plane (TCP) nodes are supported starting with Cisco DNA Center 2.3.3.0.

Multiple Cisco DNA Center: LISP Extranet Policy, Scenario 1 (Shared Policy) (slide 59; Cisco DNA Center 2.3.4.x)
Same layout as the shared-transit use case (one Author, two Readers, one Cisco ISE deployment over pxGrid and REST APIs). With the shared SD-Access transit, each site has VN Campus and VN IOT as subscribers (SUB) of a Shared Services VN that acts as provider (PR), and the same extranet policy is shared across the clusters.
Cisco DNA Center Policy: Third-Party AAA/RADIUS Server Support (slide 60)

Cisco SD-Access Collaterals (slide 61)
- Cisco Software-Defined Access: Enabling intent-based networking
- Cisco Software-Defined Access for Industry Verticals
- Cisco SD-Access YouTube link
- Cisco SD-Access SalesConnect link
- SD-Access BU Engagement Form
- SD-Access BU Design Council Form
- Multiple Cisco DNA Center LA Form
- Cisco SD-Access Design Tool
- EN&C Validated Designs
Options for Deployment (slide 62)
Cisco DNA Center automated configuration of a Cisco LISP fabric, which includes macro and micro segmentation:
- Includes SDA automation workflows and integrations
- Best-practice standardized configurations
- Includes SDA Assurance
OR
CLI configuration of a Cisco LISP fabric, which includes macro and micro segmentation:
- Open integration with heterogeneous tooling (CLI, Ansible, NSO, etc.)
- Agile customization within the parameters of the LISP fabric validated design
- Can support Cisco DNA Center device and client assurance
- Subset of features supported compared to what is available with Cisco DNA Center

Raise of Hands! (slide 63)
How many of you use automation systems to orchestrate network configurations today on the network devices? Examples of automation systems: Ansible playbooks, NSO.
How many of you would be interested in deploying a LISP/VXLAN fabric in your networks via the above automation systems?