There’s multiple challenges in designing, deploying and maintaining a network environment. We can’t go through all these in one blog - there’s just too many, but in this blog, we’re going to have a quick run though on those that SDN (Software Defined Networking) can help solve.
First up, I'm going to be talking about SDN in a Wi-Fi centric environment. Cisco calls this SDA (Software-Defined Access, or SD-Access). There's a lot of 'Software Defined' everything out there, from generic SDN to the Cisco SDA.
Anyway - to set the scene - we'll be talking about Cisco SDA and the use of Cisco DNA Center in the implementation of your Wi-Fi network.
If you're interested in an entry level blog, have a read of Cisco SD Access Demystified.
Looking after any network comes with its range of challenges. Let's take a quick look at a list:
- Security: Secure on-boarding for new clients
- Complex: Wi-Fi is complex to manage
- Time Consuming: Issues with Wi-Fi are slow to resolve
To make matters that bit worse, design for WLAN is also a little complex – involving up front allocation of SSIDs, VLANs and IP Address ranges.
Added to this, the factors and complexity that RF design and fault finding bring, you can see that a large, centralised WLAN environment needs some special skills to be able to deploy and operate. This is of course typically where we come in.
However, with the advent of SDA, its getting simpler – to a point. Let’s take a look at why.
Advantages of Software Defined Access
Software Defined Access has some key advantages, including:
- Identity Based: Based around how to you deal with the client, not around the VLAN, IP ranges and so on
- Automated Network Fabric: Making configuration quicker and easier
- Insights and Telemetry: Can automatically capture logs and sniffs for easier fault finding
There’s a bit in these above points to dissect, so let’s take a closer look.
Identity Based Access
Cisco ISE plays a big part in the authentication of users and devices on a network. Check out the Top 5 Unique Features of Cisco
You will now identify a user / device and provide a network experience tailored to that user.
This is a pretty big change in concept to how we’ve always worked.
You can micro segment individual clients and be very specific on what access they have and automate the whole process.
No longer do you need to deal with placing clients in VLANs, but just in tagging them with the attributes they will experience within the network – more on this in the next point below.
Automated Network Fabric
The expression ‘fabric’ seems to crop up quite a lot these days and in this regard, we are talking about the ability to fully control the network from DNA Center.
This means a routing underlay is applied, all network elements can communicate and we apply the network overlay to give the client the network experience. This is tied in with the point above – we need strong Identity Based controls to allocate the right network experience to the right client. The automated Fabric allows us to set up Contracts, which are then automatically applied to clients.
Insights and Telemetry
A network that uses Artificial Intelligence (AI) can do that much more than a standard network management station which just alerts based on static alarms. Telemetry means we are getting continuous data from network elements, so we have the most up to date data, with which to make informed decisions.
Why SD Access?
We’ve had a run through the advantages of SDA above, but what reasons might you use when you go speak with your boss and try to convince them to invest in SDA. Let’s take a look:
- Automation: Automation and Programmability
- Mobility: Host Mobility
- Policy: Policy Simplification
The above concepts are in many ways all part of the same key point.
SDA is a whole new world, where we have clients connect wherever they want to and we can micro-segment their access between these clients and other clients. We can implement much greater control, but also simplify a vast array of rules and regulations on that clients access.
This is essentially a policy model and the whole process is about simplification of the network attributes – IP ranges, VLANs, QoS, Security, etc – this is now based on identify of the end user / device, not the DSCP values or TCP ports in use.
The policy model then moves from an IP level up to an identity level.
SDA Explained: Summary
The key concept to take away from this blog is that the world is changing from one where we determine how a client is treated on a network based on the VLAN, TCP / UDP ports in use or DSCP markers placed on the packet, to one where we act based on the identity of the client.
We understand the client and the required attributes and the network implements these under the surface – this is much more secure and a much greater granular control can be applied.
It’s a completely difference concept of course from our historic network configurations of per-hop based QoS, so will be interesting to see how the adoption and uptake of SDA happens
We are experts in network design and especially Wi-Fi design and remediation. DNA Center and SDA and new specialties for us – if you need help, drop us a line.