Cisco Tech Talks 2021: Cisco Switching Portfolio Update
Andrii Ovrashko, Systems Engineer, aovrashk@cisco.com
Released April 2017
08 June 2021
Key challenges for traditional networks
Difficult to segment:
• Ever-increasing number of users and endpoint types
• Ever-increasing number of VLANs and IP subnets
Complex to manage:
• Multiple steps, user credentials, complex interactions
• Multiple touch points
Slower issue resolution:
• Separate policies for wired and wireless networks
• Unable to find users when troubleshooting
Traditional networks cannot keep up!
Cisco Enterprise Access Stack
Ecosystem: Third Party Apps | Cisco Apps
Software: Cisco DNA Center (Orchestration: Policy | automation | analytics); Security: Identity Services Engine (ISE), Stealthwatch, Umbrella, Talos
Infrastructure: Catalyst 9800 Wireless Controller; Intent-based Catalyst 9000 series switches; Catalyst 9100 Access Points; Cisco Meraki MR Cloud Access Points; Cisco Meraki MS355 (Access) and MS450 (Aggregation)
Multi-domain Integration: Enterprise WAN | Extended Data Centers | Multi-cloud
Transition to Next Gen - Legacy Platforms End of Sale
EOS External Announcement 10/31/19, EOS Date 10/30/20 (legacy product → transition product):
• Catalyst 3850 (excl. Fiber SKUs) → Catalyst 9300
• Catalyst 4500E (excl. SUP9E) → Catalyst 9400
• Catalyst 4500X Series → Catalyst 9500
• Catalyst 6880 and 6840 Series → Catalyst 9600
• Catalyst 6500* (6/9/13 slots Chassis/Sup2T)
EOS External Announcement 10/31/20, EOS Date 10/31/21 (legacy product → transition product):
• Catalyst 2960C → Catalyst 2960CX/3560CX
• Catalyst 2960X/XR (excl. PSQ Fanless) → Catalyst 9200/L
• Catalyst 2960L/P → Catalyst 1000
• Catalyst 3650 (excl. 3650 Mini) → Catalyst 9300L
• Catalyst 4500E - SUP9E → Catalyst 9400
Cisco Catalyst Switching Portfolio Refreshed from Access to Core
Cisco Catalyst 9000 Switching Platform (access switching → core switching): Catalyst 9200 Series, Catalyst 9300 Series, Catalyst 9300X, Catalyst 9400 Series, Catalyst 9500 Series, Catalyst 9600 Series
Legacy platforms replaced (access switching → core switching): Catalyst 2960-X/XR, Catalyst 3650/3850, Catalyst 4500-E Series, Catalyst 3850-XS/4500-X, Catalyst 6840-X/6880-X, Catalyst 6500-E/6807-XL
Cisco Catalyst 9000 switches at a glance - Enabling a new era of intent-based networking
Secure:
• Encrypted Traffic Analytics
• 256-bit MACsec*
• Trustworthy solutions
• Group-based policy
• Full Flexible NetFlow
IoT convergence:
• Constrained Application Protocol (CoAP)
• DNA Service for Bonjour
• Perpetual PoE
• IEEE 1588 Audio Video Bridging (AVB)
Mobility:
• Fabric-enabled wireless
• Embedded Catalyst 9800 WLC
• Unified control and policy
• Wired and wireless guest access
Cloud:
• DevOps toolkit
• NETCONF/YANG models
• Streaming telemetry
• Patching/GIR
• Application hosting
Software and Hardware Innovations - built on a modern modular OS (IOS XE) and programmable ASIC:
• Cisco Catalyst 9600 Series switches: Lead modular core
• Cisco Catalyst 9500 Series switches: Lead fixed core
• Cisco Catalyst 9400 Series switches: Lead modular access
• Cisco Catalyst 9300 Series switches: Lead fixed access
• Cisco Catalyst 9200 Series switches: Entry-level fixed access
Cisco Catalyst 9600 Series Switching - Powering the Cloud-scale Campus
• Most programmable ASIC in industry: powered by UADP 3.0 and open Cisco IOS XE
• Purpose built for Cisco Intent-based Networking: designed for campus SD-Access, VXLAN BGP EVPN, MPLS VPN
• Highest ACL scale
• Mission-critical resiliency
• 25G dual-rate optics
• 25.6 Tbps switching capacity
• Flexible speeds: 1G, 10G, 25G, 40G, 100G
• Lowest TCO
• MACsec-256 link encryption
• Flexible NetFlow
• Ready for Cisco Catalyst 6500 and 6800 Series migration
Cisco Catalyst 9600 Series Chassis
• 4 line card slots
• 2 supervisor slots (dedicated), 6.4 Tbps per slot from each supervisor slot
• Dual-serviceable fan tray
• Built-in RFID
• Blue beacons (system/fan tray, sup, line cards)
• Modular power supplies
• Dimensions (HxWxD inches): 13.95 x 17.4 x 16.1 (8RU)
Cisco Catalyst 9600 Series C9606R chassis port density
Port speed | Density with supervisor 1 | Maximum chassis density
100G | 48 | 128
40G | 96 | 128
25G | 192 | 192
10G | 192 | 192
5G | 192 | 192
2.5G | 192 | 192
1G | 192 | 192
Line rate, non-blocking
C9400
Cisco Catalyst 9400 Series - New generation of modular access for Access, Aggregation and FTTD
Cisco Catalyst 9400 leadership:
• 9 Tbps system bandwidth
• UADP 2.0
• Open Cisco IOS XE
• SD-Access
• x86 CPU and containers
• Encrypted Traffic Analytics
• 256-bit MACsec
• Trustworthy systems
• Cisco StackWise Virtual
• ISSU
• NBAR2
• Model-driven programmability
• Patching and GIR
• Streaming telemetry
Redundancy is now table stakes; industry's highest PoE scale.
Chassis: 4-slot, 7-slot, 10-slot
Supervisors:
• New Sup-1XL-Y: adds 25G uplinks
• Sup-1XL: up to 240G per slot
• Sup-1: 80G per slot
Access line cards: 24x Multigigabit + 24x Cisco UPOE; 48x Cisco UPOE; 48x PoE+; 48x data
Core line cards: 24x 10G SFP+; 48x 1G SFP; 24x 1G SFP
Power supplies: 3200W AC; New 3200W DC; 2100W AC
Future proof investments with C9K Modular
Capture industry transitions:
• Speed transition: 1G → mGig (Access); 10/25/40G → 100/400G¹ (Core)
• Cloud Security²: new SASE use cases
• 90W UPOE+: expanded smart building ecosystem
Key modular differentiation:
• Mission critical HA: platform, OS, architecture resiliency
• Max investment protection: 15-20 year lifecycle
• Unmatched flexibility: flexible templates, table sizes
C9K (C9400, C9600) holds 83% modular PoE market share
¹ Future ² Applicable only to C9400
StackWise Virtual Quad Sup RPR now on C9400 (IOS-XE 17.4.1)
Topology: Chassis-1 and Chassis-2 are joined by the SVL and DAD links; the StackWise Virtual pair runs SSO between StackWise-A and StackWise-S, and each chassis also carries an In-Chassis Standby (ICS) supervisor in RPR mode.
Without Quad Sup RPR, a supervisor failure leaves the system at 50% bandwidth until manual intervention completes: time until the supervisor is replaced, convert the new supervisor to StackWise, bring up the system, bring up line cards and sync state info.
With Quad Sup RPR, the ICS supervisor in the affected chassis takes over, so 100% bandwidth is restored without waiting for a replacement supervisor.
StackWise-A: StackWise Virtual Active, In-Chassis Active; StackWise-S: StackWise Virtual Standby, In-Chassis Active; ICS: In-Chassis Warm Standby
Modular Access Value Proposition - Highly resilient, flexible and future-proof network architectures
Resiliency:
• Full redundancy: highest MTBF
• ISSU & SVL: zero downtime
• Uplink HA: no bandwidth impact
Flexibility:
• Versatile: 10G aggregation, FIAB & collapsed
• Any closet: space, noise, power
• Transition: native 40G, 25G & 10G on Sup
Investment protection:
• Catalyst 9400: 15-20 years lifecycle
• 480G/slot: no forklift upgrade
• IEEE 802.3bt 90W: highest power delivery
C9500
Cisco Catalyst 9500 Series - New generation of purpose-built fixed core/aggregation switches
Standard switches (UADP 2.0), 40G/10G SKUs: 9500-16X, 9500-40X, 9500-24Q, 9500-12Q
High performance switches (UADP 3.0):
• 100G/40G SKUs: C9500-32C (32x 100G); C9500-32QC (32x 40G / 16x 100G)
• 25G/10G SKUs: C9500-48Y4C (48x 10/25G + 4x 40/100G); C9500-24Y4C (24x 10/25G + 4x 40/100G)
Cisco Catalyst 9500 Series high performance switches (UADP 3.0):
• Throughput: 3.2 Tbps
• Performance: 3x UADP 2.0
• Scale: 3x UADP 2.0
• 1G, 10G, 25G, 40G, 100G
• Pluggable SSD storage for app hosting - 1 TB (240GB, 480GB, 960GB SSD storage)
• Customizable templates
• Breakout support (4x 10G, 4x 25G) on C9500-32C
• Power supplies: 650W AC, 930W DC, 1600W AC/DC
• Cisco StackWise Virtual
Performance, security, resiliency and scale
C9300
Cisco Catalyst 9300 Series platform transitions
• Cisco Catalyst 3850 Series (modular uplinks) → Cisco Catalyst 9300 Series switch platform
• Cisco Catalyst 3850 Series fiber models → Cisco Catalyst 9300 fiber models / 9300X
• Cisco Catalyst 3650 Series (fixed uplinks) → Cisco Catalyst 9300L family
Cisco Catalyst 9300 Series - New generation of fixed access
Cisco Catalyst 9300 Series leadership:
• UADP 2.0 (XL)
• Cisco IOS XE Software
• SD-Access
• x86 CPU and containers
• Application hosting
• Encrypted Traffic Analytics
• MACsec-256 link encryption
• Trustworthy solutions
• Cisco StackWise-480*/320
• Cisco StackPower*
• IEEE 1588 and AVB
• Deep buffer/high scale
• UL1069
• NBAR2
• Perpetual/Fast PoE
• IEEE 802.3bt Type 3 & 4 compliant**
• Model-driven programmability
• Hot patching/GIR
• Full Flexible NetFlow, streaming telemetry
• Modular uplinks, modular fans, AC and DC power supplies
Modular uplinks (C9300 SKUs):
• Copper, 48 ports Cisco UPOE 5G Multigigabit (2x 40G UL)
• Copper, 48 ports: 12P Multigigabit + 36P 2.5G UPOE (4x 10G UL)
• Copper, 48/24 ports: Cisco UPOE 1G, PoE+ 1G, data 1G (4x 10G UL)
• Copper, 48/24 ports: UPOE+ 1G, PoE+ 1G, data 1G
• Fiber, 48/24 ports SFP 1G
• Uplink modules: 8x 10G, 2x 40G, 4x Multigigabit, 4x 1G, 2x 25G; stack kit
Fixed uplinks (C9300L SKUs):
• 48p UPOE 12mG + 36x 1G, 24p UPOE 8mG + 16x 1G (4x 10G UL)
• 48/24 ports UPOE 1G, PoE+ 1G, data 1G (4x 10G UL)
• 48/24 ports UPOE 1G, PoE+ 1G, data 1G (4x 1G UL)
Power supplies: 315W AC, 715W AC/DC, 1100W AC, Platinum rated
* Modular uplink SKUs only ** Roadmap
StackPower - C9300 only: "Zero-footprint" redundant power system (RPS) deployment
• Provides RPS functionality with zero RPS footprint
• Pay-as-you-grow architecture - similar to the data stack
• 1+N redundancy with inline power
• Up to 4 switches in a StackPower ring
• Multiple StackPower rings possible within one data stack
• Up to 8 switches in a star topology with an expandable power system (XPS)
StackPower is not supported on C9300L SKUs
Highly Available StackPower
Example: two 4-member StackPower rings within one data stack; each ring pools its members' 1900W power supplies into one shared pool of X Watts for 4 switches.
• Pools power from all power supplies (PS)
• All switches in StackPower share the available power in the pool
• Each switch is given its minimum power budget
Introducing the new Catalyst 9300X
Catalyst 9300X - Stackable 10/25G Fiber Switch
• x86 CPU with crypto acceleration, 16 GB memory
• UADP 2.5sec with encryption engine
• New flexible uplink options
• Enhanced app hosting: 2x app hosting capacity
• StackWise-1T: 1 Terabit stacking bandwidth
• StackPower+
Highest Speed Uplink Options in the Industry
• 100/40G modular uplinks: 2x 100/40G QSFP
• Multigigabit uplinks: 8x 10G-mGig
• 10/25G modular uplinks: 8x 10/25G
Flexible Architectures with C9300 and C9300X
2 Tier Architecture: Core (9300X-24Y standalone or stack, 100G) → Access (9300-48UXM stack, 10/25/40G); or a collapsed Access/Distro 9300 stack*
3 Tier Architecture: Core (9300X-24Y, 100G) → Distribution (9300X-24Y stack, 10/25/40/100G) → Access (9300-48UXM stack)
Deployment roles: C9300X standalone in core; C9300X stack in core; C9300X stack in distribution; C9300X stacked with C9300 in access
* For branch or small campus deployments only
Catalyst 9300X Models
• C9300X-24Y: 24-port 1/10/25G SFP+ switch
• C9300X-12Y: 12-port 1/10/25G SFP+ switch
• 24 and 12 port SFP SKUs
• Transition Catalyst 3850 1G SFP to Catalyst 9300 1G SFP models
• Transition Catalyst 3850 10G SFP to Catalyst 9300X 10/25G SFP+ models
• Wire-speed, non-blocking performance
• Seamlessly integrates with Cisco Catalyst 9300 Series copper: supports same optics; common stacking (StackWise-480); common power stacking (StackPower); common power supplies, fans, cables
• Modular, higher-efficiency AC Platinum-rated and DC power supplies: 350W AC-P, 715W AC-P, 1100W AC-P, 1900W AC-P, 715W DC* (* DC PS is Gold-rated)
• Modular uplinks: 2x 100/40G QSFP; 8x 10G-mGig; 8x 10/25G
• Modular fans
Use cases: secure cloud connectivity; 1/10/25G fiber aggregation; collapsed access
Stack Bandwidth: 9300X and 9300 Mixed Stack (one logical switch)
• 9300X only stack (fiber models only): 1T
• 9300X and 9300* mixed stack (copper and fiber): 480G
* 9300 B/L models are not supported in a mixed stack
Catalyst 9300 Stacking Support
• Modular uplink C9300X SKUs (10/25G fiber): 8 switches, 1T; stacking supported among C9300X SKUs only
• Modular uplink C9300 (non-B) SKUs and C9300X: 8 switches, 480G; mixed stacking between C9300 and C9300X SKUs
• Fixed uplink C9300L SKUs: 8 switches, 320G; stacking supported among C9300L SKUs
Mixed stacking is not supported between C9300 and C9300L SKUs
Connect, Secure, Assure and Extend with Catalyst 9300
Secure: AI Endpoint Analytics (EA); secure IoT end-point onboarding (ISE, Cisco DNA Center, Cyber Vision Center)
Assure: occupancy sensing; energy efficiency; facility utilization; PoE assurance & troubleshooting (DNAC, cloud-based analytics engine)
Extend: partner apps; smart building insights; edge compute for IoT gateway (Catalyst 9K NBAR2 agent)
Connect: wired PLCs, smart lights, smart desks, UV sensors, cameras, motorized shades, nurse call, network powered light, UV disinfection, people counting sensors, USB-C dongle, touchscreen PCs, PoE displays, PoE powered micro switches, private LTE systems, UHD IP cameras
IT and OT converge on Catalyst 9300 Switches
C9200
Extending intent-based networking everywhere
Catalyst 9000 portfolio: Catalyst 9600 Series (lead modular core); Catalyst 9400 Series (lead modular access); Catalyst 9500 Series (lead fixed core); Catalyst 9300 Series (lead fixed access); Catalyst 9200 Series switches built on industry leading Catalyst 9000 switching attributes:
• Fast, flexible and light ASIC: Cisco UADP 2.0 mini
• Resiliency: redundant PS, fans
• Security: MACsec-128
• Programmability: YANG models
• SD-Access: edge node
Cisco Catalyst 9200 Series - Next generation of entry-level access switches for intent-based networking
Recommended for small scale SDA deployments
Cisco Catalyst 9200 Series highlights:
• UADP 2.0 mini
• Cisco IOS XE Software
• Limited-scale SD-Access
• MACsec-128 link encryption
• Trustworthy solutions
• Perpetual/Fast PoE
• Modular fans
• Higher efficiency AC FRU power supplies
• Modular uplinks
• Cold patching
• Full Flexible NetFlow, streaming telemetry
• Security, resiliency, application experience, programmability
Modular uplinks:
• 48 ports Full PoE+/Partial PoE+/Data, 1G/10G uplink
• 48 ports Full PoE+ with 32 VN**
• 48 ports Full PoE+, 12x mGig, 10G uplink
• 48 ports Full PoE+, 8x mGig, 25G uplink
• 24 ports Full PoE+/Data, 1G/10G uplink
• 24 ports Full PoE+ with 32 VN**
• 24 ports Full PoE+, 8x mGig, 10G uplink
• 24 ports Full PoE+, 8x mGig, 25G uplink
Fixed uplinks:
• 48 ports Full PoE+/Partial PoE+/Data
• 48 ports Full PoE+, 8x mGig
• 24 ports Full PoE+/Data
• 24 ports Full PoE+, 8x mGig
FRU fan; FRU PSU: 125W (Silver rated), 600W (Platinum rated), 1000W (Platinum rated); FRU uplinks*: 4x 1G, 4x 10G, 2x 25G, 2x 40G
* C9200 1G SKUs support 1/10G uplinks while C9200 mGig SKUs will support 10/25/40G uplinks
** C9200 32 VN SKUs only support 1/10G uplinks and these SKUs cannot be stacked with other C9200 SKUs
DNA Advantage - Unmatched Value with each port (difference between C9200 and C9300/L)
• Innovations: MRE, SD-AVC, PoE + Wired Client Sensor + ThousandEyes + ASIC Customization
• Assurance: device, client, application
• Zero-Trust: Umbrella, MACsec-256, ETA + Stealthwatch Cloud + RadSec + AI Endpoint Analytics
• Flexible architectures: SDA, BGP-EVPN, MPLS/VPLS, embedded wireless, HA
UNMATCHED VALUE with each port
Catalyst 9200 Series switching H/W characteristics
Characteristic | Catalyst 9200 Series modular switches | Catalyst 9200 Series fixed switches | Catalyst 2960-XR Series switches | Catalyst 2960-X Series switches
CPU | 4 Core @ 1.4GHz Embedded ARM | 4 Core @ 1.4GHz Embedded ARM | Dual Core CPU @ 600MHz | Dual Core CPU @ 600MHz
DRAM (DDR3) | 4GB | 2GB | 512MB | 512MB
Flash on board | 4GB | 4GB | 256MB | 128MB
Buffer | 6MB/ASIC | 6MB/ASIC | 4MB/ASIC | 4MB/ASIC
Stacking (module) | StackWise-160 | StackWise-80 | FlexStack-Plus/Extended module | FlexStack-Plus/Extended module
# of stack members | 8 | 8 | 8 | 8
Stack bandwidth | 160Gbps | 80Gbps | 80Gbps | 80Gbps
Power supply | 2 FRUable PS | 2 FRUable PS | 2 FRUable PS | Single fixed
Max PoE budget | 1440W | 1440W | 740W | 740W
Modular uplinks | Yes | No | No | No
Modular fans | Yes | No | No | No
Max depth | 13.8" | 11.3" (13.8" for mGig) | 16" | 14.5"
Wi-Fi 6 mGig
Accelerate Wi-Fi 6 adoption with mGig
Multigigabit (802.3bz) provides speed transitions for Wi-Fi 6 and beyond
• Wi-Fi 6 drives: faster speed (3x data rates), lower latency, higher capacity
Industry's most comprehensive mGig portfolio:
• mGig supported from C9K Access to Core (all price points)
• PoE (IEEE 802.3af/at/bt*) supported across C9K Access
Drive wired + wireless refresh with mGig / Wi-Fi 6
* 802.3bt supported on 9300 and 9400
PoE
Catalyst 9000 provides highest power resiliency in industry
• N+1/N+N redundant power supplies: use the best suited power redundancy mode
• AC PSU + DC PSU (NEW on 9400): power available from AC + DC sources; mix power sources for backup
• Configurable PoE port priority: critical devices stay up during load shed (new on C9400 with IOS-XE 17.3.1; configurable line card priorities as well for C9400)
• Perpetual PoE: end points stay powered during upgrades
• Fast PoE: restores power within a minute
• NEW 1900W AC PSU on C9300 (17.3.1): ~2x PoE redundancy on PSU failure; 32x 90W ports or 48x 60W ports with 2x PSUs; Platinum rated
Maintain PoE leadership with 90W at 60W prices
PoE: the 4th utility. Connect, Secure, Assure and Extend IoT with C9K 90W switches.
Secure: AI Endpoint Analytics (EA); secure IoT end-point onboarding (ISE, DNAC, Cyber Vision Center)
Assure: occupancy sensing; energy efficiency; facility utilization; PoE assurance & troubleshooting (cloud-based analytics engine)
Extend: partner apps; smart building insights; edge compute for IoT gateway (Catalyst 9K NBAR2 agent)
Connect: wired PLCs, smart lights, smart desks, UV sensors, cameras
Customer examples: world's leading SaaS company is converting to digital buildings by 2030; Fortune 100 pharma company adopting digital buildings; 550 Madison Ave.
90W is driving smart building outcomes for 'The new normal'
Digital twin with 90W nodes: lights & shades; security sensors; washroom technology (faucets, urinals, soap, paper); collaboration; facility utilization
Water savings: daisy-chained IoT nodes. Ecosystem: standards-based connectivity. Convergence: secured by one IT.
• Health & Wellness: UVC disinfection; proximity sensors; contact tracing
• Occupant Experience: smart desks; occupancy sensors; wayfinding
• Sustainability: smart luminaires; motorized blinds; HVAC VAVs
• Security: biometric scanners; security cameras; PA systems
Lead with Catalyst 9K: smart building adoption success to drive 2x uplift to switching deal sizes
Deployment Options
Evolution of SDN networks
Cisco Catalyst 9000 - Flexible deployments
• Multi-tier deployments: Core / Distribution (25G/40G/100G) / Access (1G/2.5G/5G)
• Layer 3 Core + MPLS PE: Core, Distribution, CE and PE roles with VRFs over a customer-managed MPLS backbone
• Fabrics: SDA + EVPN-VXLAN across Site 1, Site 2, Site 3
Cisco turn-key solutions: SD-Access; Cisco DNA Assurance; Cisco DNA Service for Bonjour; Cisco DNA Application Visibility Service; Encrypted Traffic Analytics; DNAC Cloud
Do-It-Yourself (DIY) solutions: EVPN-VXLAN; MPLS/VPLS; traditional 2/3-tier topologies; application hosting; programmability - YANG models with NETCONF, RESTCONF, gNMI APIs
One platform. Any place. Any speed (1G to 100G).
SDA Architecture: ISE, DNA-C, AD/LDAP, Fabric Site
Example migration of traditional network to SD-Access
1. Traditional network: Core, Distribution, Access, Endpoints; layer 2 access with manually configured VLAN segmentation
2. Add Cisco DNA Center to automate segmentation but retain layer 2 access and VLAN-IDs
3. Add Cisco ISE for enhanced visibility; retain layer 2 access but convert to policy extended nodes for added security
Flexibility of migration scenarios from the current network architecture to SDN.
SD-Access ensures policies are being enforced
• Network telemetry and contextual data: Traceroute, Syslog, NetFlow, AAA, Router, DHCP, Wireless, CLI, Telnet, DNS, OID, IPSLA, Ping, Clients, SNMP, IPAM, MIB, AppD, CMX
• Complex event processing: visibility (metadata extraction, personalized baselining, complex correlation); stream processing; AI/ML techniques
• Correlated insights: insight (intelligent analysis); baseline; application and network knowledge base
• Suggested remediation: action (accelerated remediation)
https://www.cisco.com/go/dnaassurance - over 100 actionable insights: Client | Applications | Wireless | Switching | Routing
SD-Access makes getting started with group-based policy segmentation easy
1. Identify and group endpoints with AI endpoint analytics: endpoint context, MAC/IP address, identity and group, risk score, scalable group assignments (e.g. Employees, Cameras, Media servers, Log servers)
2. Define policies with group-based policy analytics: traffic flows between endpoint groups (e.g. streaming, web, SSH, alerts)
3. Author policies, segment network, and enforce policies with group-based access control
Introduction to Group-Based Policy Analytics
Cisco DNA Center combines ISE scalable groups and profiles, Endpoint Analytics (MFC) and Stealthwatch host groups and flow info into group-to-group activity, supporting policy discovery, policy modeling and policy enforcement.
C9K VXLAN BGP EVPN Solution - End-to-End Design and Interoperability
• Datacenter: Nexus platforms; WAN: ASR platforms; shared services; external handoff from the EVPN spine
• Distribution VTEP; Access VTEP; multi-homing with StackWise Virtual (VTEP SVL)
• Wireless deployment: Campus VTEP trunk, VTEP in local mode
• Multi-site: Site1, Site2, Site3
EVPN Control Plane and Data Plane - Route Types, Gateways and Border Handoff
• Route Type 2 - MAC/IP: bridging, L2 VNI
• Route Type 5 - IP Prefix: routing, L3 VNI (symmetric IRB)
• Distributed Anycast Gateway: routing + bridging on each VTEP SVI (L2/L3); Centralized Gateway: remote routing + bridging (L2 VTEP, L3 routing at the gateway)
• L2 handoff: VPLS, 802.1Q (bridging); L3 handoff: PE MPLS, VRF-Lite (bridging + routing)
Comprehensive MPLS Features for Core + MPLS PE
Topology: Access PE and Distribution PE in Campus 1 and Campus 2, Core P routers, MPLS backbone
• MPLS L2 VPN
• VPLS (IRB, H-VPLS)
• MPLS L3 VPN
• MPLSoGRE
• Inter-AS Option A/B
• Inter-AS Option C (17.4)
• Seamless MPLS
• mVPN (17.3)
• mLDP
Catalyst 9300/9400/9500/9600
C9K provides most flexible design and HA options
• Platform: modularity, speed, power, PoE, ASIC customization, scale
• Design options: SDA, BGP-EVPN, MPLS, wireless
• High availability: StackWise, StackWise Virtual, NSF/SSO, ISSU, GIR, NSR/IPFRR, Quad SUP RPR, xFSU
Mix-match to build the best infra for your needs
Licensing
Catalyst 9000 switches - Advantage vs. Essentials
Catalyst 9200, 9300, 9400, 9500, 9600 Series switches
Cisco DNA Advantage (includes Cisco DNA Essentials), 3, 5, 7-year terms:
• Advanced automation: SD-Access; application policy; Encrypted Traffic Analytics*; Cisco DNA Service for Bonjour*; third-party app hosting*
• Assurance and analytics: global insights, trends; compliance, custom reports; Switch 360 and Wired Client 360; SD-Access and switch insights; application health, Application 360, performance (loss, latency, jitter)
• Element management: patch lifecycle management
• Telemetry and visibility: Embedded Event Manager; ERSPAN; Full Flexible NetFlow; AVC (NBAR2); Wireshark*
Cisco DNA Essentials, 3, 5, 7-year terms:
• Basic automation: Plug-and-Play (PnP); software image management; discovery, inventory, topology; LAN automation
• Basic assurance: health dashboards - application, network, client; basic switch and wired client health monitoring
• Element management
• Telemetry
Network Advantage (includes Network Essentials), perpetual:
• Enhanced security: MACsec-256*
• Full routing functionality: BGP*, HSRP, OSPF, ISIS
• High availability and resiliency: NSF*, GIR*, StackWise Virtual**, ISSU**/eFSU*, patching (CLI)
• IoT and mobility: CoAP*, AVB*, PTP*
• Flexible network segmentation: VRF, VXLAN, LISP, SGT, MPLS*
• Optimize bandwidth utilization with multicast: MSDP*, mVPN*, AutoRP, PIM-BIDIR*
Network Essentials, perpetual:
• Essential switch capabilities: Layer 2, routed access (RIP, EIGRP Stub, OSPF [1000 routes], PBR, PIM Stub Multicast [1000 routes], PVLAN, VRRP, PBR, Cisco Discovery Protocol, QoS, FHS, 802.1X, MACsec-128, CoPP, SXP, IP SLA Responder, SSO), StackWise-xxx
• DevOps integration: NETCONF, RESTCONF, gRPC; YANG data model; Guest Shell (on-box Python); PnP Agent, zero-touch provisioning
• Telemetry controls and visibility: model-driven telemetry; sampled NetFlow; SPAN, RSPAN
Notes:
• Cisco Catalyst 9000 switching hardware includes the perpetual network stack - Network Essentials or Network Advantage.
• It is mandatory to attach a Cisco DNA license when ordering Cisco Catalyst 9000 switches. The Cisco DNA license includes switch and Cisco DNA Center features.
• Cisco Catalyst 9600 Series offers only the Cisco DNA Advantage license.
* Not available on Cisco Catalyst 9200 Series switches
** Only available on Cisco Catalyst 9400, 9500, and 9600 Series switches
For more details please refer to the Cisco DNA Software Matrix.
Hardware Innovations
Cisco ASICs: ready to adapt new innovations and technologies
• Rich data set - providing data up the stack: NetFlow, SPAN, AVC, NBAR
• Intelligent, programmable - adapting to fast changing technologies: VXLAN, LISP, SGT, iCAP
• Secure - securing the transport and end points: MACsec, WPA3, DTLS
• Custom
Value of investment
UADP 2.0/2.0 XL - Next Generation of ASIC Innovation
• Investment protection: 160GE bandwidth; supports different speeds (1/2.5/5/10/25/40G); app hosting with 1G App Gig ports
• Flexible pipeline: flexible SDM templates; programmable modules; up to 2x forwarding + TCAM flexibility
• Enhanced scale*/buffering: 16/32MB packet buffer; 64/128K NetFlow records; 480/320G stacking capacity
Catalyst 9300/9300B, Catalyst 9500 1st gen
UADP 2.0 mini
• Investment protection: 100GE bandwidth; supports different speeds (1/2.5/5/10/40G); embedded CPU with multicore resource share
• Flexible pipeline: flexible SDM templates; programmable modules; up to 2x to 4x forwarding + TCAM flexibility
• Enhanced scale/buffering: 6MB packet buffer; 16K NetFlow records; 160/80G stacking capacity
Catalyst 9200
UADP 2.5sec - Next Generation of ASIC Innovation
• Investment protection: 500GE bandwidth; supports different speeds (1/2.5/5/10/25/40/100G); enhanced app hosting with 2x 10G App Gig ports
• Flexible pipeline: QAT engine, 100G encryption (HW acceleration); up to 2x forwarding + TCAM
• Enhanced scale/buffering: 16MB packet buffer; 64K NetFlow records; 1T stacking capacity
Catalyst 9300X
UADP evolution - UADP 2.0 vs. 3.0 per-ASIC capabilities
Capability | UADP 2.0 | UADP 3.0
Throughput | 375 Mpps (500, 625, 750, 875 MHz) | 1000 Mpps (500, 625, 750, 875 MHz, 1 GHz)
Ports | 1G, 10G, 25G, 40G; up to 240 ports | 1G, 10G, 25G, 40G, 100G; up to 240 ports
Forwarding | up to 240 Gbps | up to 1.6 Tbps
Buffers | 32 MB shared buffers (16 MB + 16 MB) | 36 MB unified buffers
Backplane | 720G stack interconnect (36x 15G) | 800G ASIC interconnect (32x 28G)
Cisco Catalyst 9500 Series ASIC comparison
Capabilities (per ASIC) | Cisco Catalyst 9500 Series (UADP 2.0) | Cisco Catalyst 9500 Series High Performance (UADP 3.0)
Switching and forwarding capacity | 240 Gbps/360 Mpps | 1.6 Tbps/1 Bpps
Stack bandwidth | 2x 360 Gbps | 2x 400 Gbps
Buffer capability | 2x 16 MB | 36 MB shared buffer
Switch Database Management (SDM) template | Fixed templates | Customizable templates
NetFlow capabilities | Dedicated NetFlow table | Shared NetFlow table
v4 FIB scale | Total 228,000* | Total 412,000*
v4 and v6 scale | v6 reduced by half | v4 and v6 same scale
* Maximum ASIC capability.
UADP 3.0
• Customizable ASIC templates
• 36-MB unified buffer
• Double-width tables
• 3x more FIB scale
• 1G, 10G, 20G, 25G, 40G, and 100G speeds
• ~20B transistors
• Up to 1.6 TB bandwidth
• 16-nm technology
Catalyst 9500H, Catalyst 9600
Cisco Catalyst 9300 - Buffer Complex Composition
• UADP 2.0 (Catalyst 9300/L models): per core 5 MB common, 0.5 MB stack (SQS), 0.75-1 MB egress (AQM), 0.5-1.0 MB temporary; total of 16MB buffer on switch; 8 MB packet buffer per core is shared by ingress and egress data paths
• UADP 2.0XL (Catalyst 9300B models): per core 10 MB common, 1.5 MB stack (SQS), 1.5-3.5 MB egress (AQM), 0.5-1.0 MB temporary; total of 32MB buffer on switch; 16 MB packet buffer per core is shared by ingress and egress data paths
• UADP 2.5sec (Catalyst 9300X models): 10 MB common, 1.5 MB stack (SQS), 1.5-3.5 MB egress (AQM), 0.5-1.0 MB temporary; total of 16MB buffer on switch; 16 MB packet buffer is shared by ingress and egress data paths
Buffer size comparison
• Cisco Catalyst 9300 Series: 5 MB egress; 0.75 MB FIFO; 1.75 MB stack; 0.5 MB-1 MB ingress; per core 8 MB, per ASIC 8+8 MB
• Cisco Catalyst 9400 and 9500 Series: 10 MB egress; 1.5 MB FIFO; 3.5 MB stack; 0.4 MB-1.5 MB ingress; per core 16 MB, per ASIC 16+16 MB
Catalyst 9200: 6MB packet buffer per ASIC
• EQC (packets to egress port queues): 0.5 MB
• SQS (packets from the stack and locally switched packets): 0.6 MB
• Head room for IQS and SQS to grow: 0.75 MB
• Packet Holding Buffer (PHB): 3.4 MB
• IQS (packets going to stack): 0.75 MB
• 6MB/ASIC, shared across ingress and egress
• IQS and SQS intelligently share the common shared buffer
• Buffer organized in cells of 256 bytes each
Cisco Catalyst 9000 Platform Trustworthy Systems
Lifecycle: Plan/Source → Design/Develop → Make → Quality → Order → Delivery (PnP) → Service/End of Life (EOL)
Physical security practices + security technology innovations + logical security processes
• Secure boot support: boot sequence with two-way trust check
• Image signing: integrity verification, authentic OS
• Hardware authenticity (SUDI): genuine hardware
• Runtime defenses: malware protection, 64-bit ASLR
Cisco trustworthy systems use industry best practices to help ensure full development lifecycle integrity and end-to-end security
MACsec - Hop-by-hop encryption via 802.1AE
Each MACsec hop (downlink, uplink, downlink) encrypts on one side and decrypts on the other.
• Packets are encrypted on egress; decrypted on ingress
• Offers line-rate encryption on all ports and speeds (1G, 2.5G, 5G, 10G, 25G, 40G, and 100G)
• Transparent to all upper-layer protocols
• Supports switch-to-switch and switch-to-host MACsec
• 256-bit MACsec capable between switches (switch-to-switch)
• Manual or 802.1X modes supported
MACsec-256 link encryption - Hop-by-hop encryption via 802.1AE
• Switch to switch: 128 bits with Security Association Protocol (SAP); 128 bits with MACsec Key Agreement (MKA); 256 bits with MKA
• Host to switch: 128 bits with MKA; 256 bits with MKA
• Supported on all models (modular & fixed SKUs)
• For C9300-48UXM and C9300-48UN switch models, MACsec is supported only on the first 16 downlink ports
ETA - Finding Malicious Activity in Encrypted Traffic
• Catalyst 9000*: NetFlow telemetry for encrypted malware detection and cryptographic compliance (enhanced NetFlow from Cisco's newest switches and routers)
• Cisco Stealthwatch: 'Biflow' analytics and Cognitive Analytics for malware detection and cryptographic compliance
Leveraged network → faster investigation (enhanced analytics and machine learning) → higher precision (global-to-local knowledge correlation) → stronger protection (continuous enterprise-wide compliance)
* ETA support for the Catalyst 9600 is on the roadmap
ETA Solution with Catalyst 9000 Portfolio
• On premises: Catalyst 9000 switches export FNF and ETA NetFlow to Stealthwatch flow collectors; the Stealthwatch Management Console integrates with ISE over pxGrid for CoA-based mitigation
• Cloud: flow data is sent over HTTPS/SCP to Cognitive (cognitive.cisco.com)
Software Innovations
Cisco IOS XE - Modern Operating System
• Open data models
• Programmable interfaces: gNMI, RESTCONF, NETCONF
• Hosted applications
• Open standards solutions
Model driven telemetry
Subscription and publication over NETCONF/RESTCONF, driven by YANG data models (open and native, configuration and operation) covering device features (SNMP, interface, PoE, QoS, ACL, …)
• Support for any YANG subtree
• Structured data
• XML encoding
• Periodic or on-change
• Reduced CPU load
Export enriched, consistent and concise data with context from devices for a better user and operator experience
Application Hosting
Transforming Catalyst 9300 into a compute platform
• Application-hosting infrastructure on C9300: Docker; 2 vCPU; 4G RAM; external storage USB 3.0 120/240G; 1x 1G AppGig port
• Enhanced application-hosting infrastructure on C9300X: Docker; 2 vCPU; 8G RAM; external storage USB 3.0 120/240G; 2x 10G AppGig ports; QAT (Quick Assist Technology)
Transforming Catalyst 9300 into a compute platform
Enhanced application-hosting infrastructure on C9300X: Docker; 2/4 vCPU; 8G RAM; external storage USB 3.0 240G; 2x 10G AppGig ports; QAT (Quick Assist Technology)
• Support for multiple Docker applications: with additional RAM memory and 2x AppGigabit ports, multiple applications can be hosted on C9300X
• Hardware acceleration and security: QAT is a special engine on the x86 CPU which helps accelerate the performance of applications
• Validated apps: C8kv, ……….. more
Application hosting on the Catalyst 9000: new strategic capabilities for Cisco devices
• Cloud gateways with server-less edge compute: consolidate physical infrastructure
• IT operations and monitoring tools: enhance visibility and security enforcement
• IT operations and monitoring tools: reduce app latency and optimize app traffic
• Customer-specific applications: derive new insights and respond
Zero Trust
Zero-Trust for Workplace Framework
Pillars: Endpoint Visibility, Secure Access, Network Segmentation, Endpoint Compliance, Rapid Threat Containment
• Simplicity: Simplify security operations through automation
• Efficacy: Strengthen workplace defenses with security integrations
• Efficiency: Increase efficiency of security services by leveraging network context
Zero Trust for Workplace is orchestrated by Cisco DNA Center and Cisco ISE
Security domain: Firewall, Stealthwatch, Umbrella. Network domain: Switches, Wireless, Routers.
Segmentation Agility with Security
Secure onboarding of users and devices with flexible authentication and segmentation
Before SD-Access:
• VLAN and IP address based dependency for segmentation and access control
• Create IP-based ACLs for access policy
• Deal with policy violations and errors manually
After SD-Access:
• No VLAN or subnet dependency
• Define one consistent policy
• Drag policy to apply
• Policy follows identity
Completely automated, group-based policy: users, devices and apps are placed in groups (Group 1 to Group 6) across the Employee, IoT and Guest virtual networks, and policy follows identity.
Catalyst 9K - Cloud Security Services enabled switch
• Isolate peer endpoints
• URL-based access control
• Secure access
• Intelligent device classification
• Secure RADIUS over public networks
• DNS-based threat protection
• Detect anomalies in traffic with limited resources
Cloud Security at Access: native integration of Cisco Cloud Security on the Catalyst access switch (C9300)
• Stealthwatch Cloud via the SWC agent; Umbrella Cloud via the Umbrella connector (DNS redirect only)
• Simplified registration
• Add additional context
• Lower hardware capex & opex
• Tight, accelerated integration
• Distributed architecture
Full Flexible NetFlow packet processing on a NetFlow-enabled device
Flexible NetFlow / Full NetFlow key fields: source IP, destination IP, source port, destination port, layer 3 protocol, etc.
• Packet from the network: the packet comes from the network interface
• Ingress FIFO: the packet hits the ingress FIFO
• Flexible pipe stage: the packet goes through each of the flexible pipe stages in its path until the final resolution is done
Benefits of Full Flexible NetFlow
Multiple monitors per interface: multiple monitors for different traffic types per interface per direction
• Traffic type: IPv4, IPv6, Datalink
• Interface type: switch port, non-switch port (routed port), VLAN configure, port-channel member interface
Use cases: troubleshooting, forensics, behavioral anomaly detection, traffic analysis
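As an added illustration (not Cisco code), the following models how a Flexible NetFlow monitor aggregates packets into flow records keyed on the key fields listed above, with a separate monitor per interface and direction as the slides describe; interface names and packets are constructed sample data.

```python
"""Flow cache model for Flexible NetFlow (added illustration, not Cisco code).
Packets are aggregated into flow records keyed on the key fields listed on the
slide (source/destination IP, source/destination port, layer 3 protocol), with
one monitor per interface and direction. Interface names and packets are
constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class FlowKey:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int  # IP protocol number: 6 = TCP, 17 = UDP

class FlowMonitor:
    """One monitor: one interface, one direction, one flow cache."""
    def __init__(self) -> None:
        # key fields -> [packets, octets]; non-key fields are aggregated
        self.cache: dict[FlowKey, list[int]] = defaultdict(lambda: [0, 0])

    def observe(self, pkt: dict) -> None:
        key = FlowKey(pkt["src_ip"], pkt["dst_ip"], pkt["src_port"],
                      pkt["dst_port"], pkt["protocol"])
        self.cache[key][0] += 1
        self.cache[key][1] += pkt["length"]

    def export(self) -> dict[FlowKey, tuple[int, int]]:
        # records as (packets, octets), as they would go to a collector
        return {k: (p, o) for k, (p, o) in self.cache.items()}

def run_monitors(packets) -> dict[tuple[str, str], FlowMonitor]:
    """Dispatch each (interface, direction, packet) to its own monitor."""
    monitors: dict[tuple[str, str], FlowMonitor] = defaultdict(FlowMonitor)
    for iface, direction, pkt in packets:
        monitors[(iface, direction)].observe(pkt)
    return monitors

# Constructed sample: an HTTPS flow inbound, its reply outbound, one DNS query
SAMPLE = [
    ("Gi1/0/1", "input", dict(src_ip="10.1.100.1", dst_ip="192.0.2.10",
                              src_port=51000, dst_port=443, protocol=6, length=60)),
    ("Gi1/0/1", "input", dict(src_ip="10.1.100.1", dst_ip="192.0.2.10",
                              src_port=51000, dst_port=443, protocol=6, length=1500)),
    ("Gi1/0/1", "input", dict(src_ip="10.1.100.1", dst_ip="10.1.1.53",
                              src_port=40000, dst_port=53, protocol=17, length=80)),
    ("Gi1/0/1", "output", dict(src_ip="192.0.2.10", dst_ip="10.1.100.1",
                               src_port=443, dst_port=51000, protocol=6, length=1400)),
]
```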
AI Endpoint Analytics: identify endpoints, enforce policies, and stop threats
Requirements: DNAC 2.1.1.3; IOS-XE 17.2.1; Cisco ISE 2.7 p1, 2.6 p5+, 2.4 p11+
Multifactor classification with context labels, for example Endpoint type: CT Scanner; Manufacturer: Globex Corp.; Model: Ultima; Operating system: MS Windows 7
Cisco® Catalyst® 9000 Series Switch (Cat 9200, Cat 9300, Cat 9400) with 802.1x/MAB and the SD-AVC agent (powered by NBAR2); Cisco DNAC/EA dashboard for admins to show endpoint labels and endpoint inventory
RadSec: securing RADIUS communication over public networks (IOS-XE 17.4.1)
• Cloud-hosted AAA: RADIUS as a cloud service
• TLS / DTLS private tunnel: data in transit encrypted
• Geographical distribution, cloud redundancy and availability
Cisco® Catalyst® 9000 Series Switches, Open IOS-XE 17.4.1
Umbrella Connector: DNS-layer security, first line of defense (IOS-XE 17.3.1)
Catalyst 9200 and 9300 at the branch send DNS query/response to Umbrella over DNScrypt; Active Directory traffic is split to headquarters; no access or control over the branch router.
Dynamic entity modeling for high alert fidelity: 95% of Stealthwatch Cloud alerts rated as “helpful” by customers
Machine-learning-based analytics detect:
• Excessive failed access attempts
• DDoS and amplification attacks
• Potential data exfiltration
• Geographically unusual remote access
• Connection to a suspicious destination
• Custom segmentation and configuration policies
Segmentation and Policy
Traditional approaches to segmentation cannot meet the demands of a digital network
Diagram: HQ, Branch A and a remote WAN site each carry their own VLAN 1/2/3 and ACL 1/2/3
Challenges: setting up secure connectivity; enabling end-end security; seamless mobility; users, device and IoT segmentation to the cloud
Traditional Security Policy: What’s the business intent here?
access-list 102 permit udp 126.183.90.85 0.0.0.255 eq 3256 114.53.254.245 255.255.255.255 lt 1780
access-list 102 deny icmp 203.36.110.37 255.255.255.255 lt 999 229.216.9.232 0.0.0.127 gt 3611
access-list 102 permit tcp 131.249.33.123 0.0.0.127 lt 4765 71.219.207.89 0.255.255.255 eq 606
access-list 102 deny tcp 112.174.162.193 0.255.255.255 gt 368 4.151.192.136 0.0.0.255 gt 4005
access-list 102 permit ip 189.71.213.162 0.0.0.127 gt 2282 74.67.181.47 0.0.0.127 eq 199
access-list 102 deny udp 130.237.66.56 255.255.255.255 lt 3943 141.68.48.108 0.0.0.255 gt 3782
access-list 102 deny ip 193.250.210.122 0.0.1.255 lt 2297 130.113.139.130 0.255.255.255 gt 526
access-list 102 permit ip 178.97.113.59 255.255.255.255 gt 178 111.184.163.103 255.255.255.255 gt 959
access-list 102 deny ip 164.149.136.73 0.0.0.127 gt 1624 163.41.181.145 0.0.0.255 eq 810
access-list 102 permit icmp 207.221.157.104 0.0.0.255 eq 1979 99.78.135.112 0.255.255.255 gt 3231
access-list 102 permit tcp 100.126.4.49 0.255.255.255 lt 1449 28.237.88.171 0.0.0.127 lt 3679
access-list 102 deny icmp 157.219.157.249 255.255.255.255 gt 1354 60.126.167.112 0.0.31.255 gt 1025
access-list 102 deny icmp 76.176.66.41 0.255.255.255 lt 278 169.48.105.37 0.0.1.255 gt 968
access-list 102 permit ip 8.88.141.113 0.0.0.127 lt 2437 105.145.196.67 0.0.1.255 lt 4167
access-list 102 permit udp 60.242.95.62 0.0.31.255 eq 3181 33.191.71.166 255.255.255.255 lt 2422
access-list 102 permit icmp 186.246.40.245 0.255.255.255 eq 3508 191.139.67.54 0.0.1.255 eq 1479
access-list 102 permit ip 209.111.254.187 0.0.1.255 gt 4640 93.99.173.34 255.255.255.255 gt 28
access-list 102 permit ip 184.232.88.41 0.0.31.255 lt 2247 186.33.104.31 255.255.255.255 lt 4481
access-list 102 deny ip 106.79.247.50 0.0.31.255 gt 1441 96.62.207.209 0.0.0.255 gt 631
access-list 102 permit ip 39.136.60.170 0.0.1.255 eq 4647 96.129.185.116 255.255.255.255 lt 3663
access-list 102 permit tcp 30.175.189.93 0.0.31.255 gt 228 48.33.30.91 0.0.0.255 gt 1388
access-list 102 permit ip 167.100.52.185 0.0.1.255 lt 4379 254.202.200.26 255.255.255.255 gt 4652
access-list 102 permit udp 172.16.184.148 0.255.255.255 gt 4163 124.38.159.247 0.0.0.127 lt 3851
access-list 102 deny icmp 206.107.73.252 0.255.255.255 lt 2465 171.213.183.230 0.0.31.255 gt 1392
access-list 102 permit ip 96.174.38.79 0.255.255.255 eq 1917 1.156.181.180 0.0.31.255 eq 1861
access-list 102 deny icmp 236.123.67.53 0.0.31.255 gt 1181 31.115.75.19 0.0.1.255 gt 2794
access-list 102 deny udp 14.45.208.20 0.0.0.255 lt 419 161.24.159.166 0.0.0.255 lt 2748
access-list 102 permit udp 252.40.175.155 0.0.31.255 lt 4548 87.112.10.20 0.0.1.255 gt 356
access-list 102 deny tcp 124.102.192.59 0.0.0.255 eq 2169 153.233.253.100 0.255.255.255 gt 327
access-list 102 permit icmp 68.14.62.179 255.255.255.255 lt 2985 235.228.242.243 255.255.255.255 lt 2286
access-list 102 deny tcp 91.198.213.34 0.0.0.255 eq 1274 206.136.32.135 0.255.255.255 eq 4191
access-list 102 deny udp 76.150.135.234 255.255.255.255 lt 3573 15.233.106.211 255.255.255.255 eq 3721
access-list 102 permit tcp 126.97.113.32 0.0.1.255 eq 4644 2.216.105.40 0.0.31.255 eq 3716
access-list 102 permit icmp 147.31.93.130 0.0.0.255 gt 968 154.44.194.206 255.255.255.255 eq 4533
access-list 102 deny tcp 154.57.128.91 0.0.0.255 lt 1290 106.233.205.111 0.0.31.255 gt 539
Need for intent-based networking
Digital business (business goals, mobile, IoT, multicloud, security) meets digital network (intent, context, learning, insights, security)
Powered by intent. Informed by context.
Segmentation Policies in Software-Defined Access
Traditional:
• VLAN and IP address based
• Create IP-based ACLs for access policy
• Deal with policy violations and errors manually
With SD-Access:
• No VLAN or subnet dependency for segmentation and access control
• Define one consistent policy
• Policy follows identity
Example virtual networks spanning users, devices and apps: Campus VN (Contractors, Developers), Building Management VN (Energy Mgmt, CCTV), Manufacturing VN (Cell 01, Cell 02)
Applying Policy: Employee SGT (5) at 10.1.100.1 and Employee SGT (5) at 10.2.200.6
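As an added illustration (not Cisco code), the following contrasts the IP-based ACL model from the "Traditional Security Policy" slide with the group-based model of the SD-Access slides: both hosts above, 10.1.100.1 and 10.2.200.6, carry Employee SGT 5 and are evaluated by group rather than by subnet. The other hosts, SGT numbers, group names and the policy matrix are constructed assumptions.

```python
"""Group-based vs IP-based policy (added illustration, not Cisco code).
Both hosts from the "Applying Policy" slide, 10.1.100.1 and 10.2.200.6,
carry Employee SGT 5. Other hosts, SGT numbers, group names and the
policy matrix are constructed sample data.
"""
import ipaddress

# Identity -> SGT as ISE would assign it after 802.1X/MAB (constructed)
SGT_BY_HOST = {
    "10.1.100.1": 5,   # Employee (from the slide)
    "10.2.200.6": 5,   # Employee on a different subnet (from the slide)
    "10.3.50.12": 7,   # Contractor (constructed)
    "10.1.1.10": 20,   # CCTV camera (constructed)
}

# Group-based policy matrix: (source SGT, destination SGT) -> action
POLICY = {(5, 5): "permit", (5, 20): "deny", (7, 5): "deny"}

def sgt_policy(src_ip: str, dst_ip: str) -> str:
    """Policy follows identity: resolve SGTs, then consult the matrix.
    Unknown hosts or unlisted pairs fall to the default deny."""
    src, dst = SGT_BY_HOST.get(src_ip), SGT_BY_HOST.get(dst_ip)
    if src is None or dst is None:
        return "deny"
    return POLICY.get((src, dst), "deny")

# Traditional IP ACL: (action, source network, destination network),
# one entry per subnet pair and per direction; no notion of identity
IP_ACL = [
    ("permit", ipaddress.ip_network("10.1.100.0/24"), ipaddress.ip_network("10.2.200.0/24")),
    ("deny", ipaddress.ip_network("10.1.100.0/24"), ipaddress.ip_network("10.1.1.0/24")),
]

def ip_acl_policy(src_ip: str, dst_ip: str) -> str:
    """First matching entry wins, implicit deny at the end (as on IOS)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in IP_ACL:
        if s in src_net and d in dst_net:
            return action
    return "deny"

def compare(src_ip: str, dst_ip: str) -> dict:
    """Evaluate the same packet under both models."""
    return {"sgt": sgt_policy(src_ip, dst_ip), "ip_acl": ip_acl_policy(src_ip, dst_ip)}
```

The reverse direction between the two employees shows the gap: the group matrix already covers it, while the IP ACL needs a second entry for the second subnet pair.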