Today, Cisco is taking major steps to link the management of these domains together.
Each domain has its purpose
Why do we need these integrations? Why not just have the entire enterprise network run as a single fabric?
In the real world, each network domain serves a unique set of requirements. The campus network handles wired and wireless clients with high mobility demands and varying identity mechanisms. The WAN finds the most efficient route from user to application through the multiple connectivity options. The data center delivers high east-west bandwidth and control, integrating with virtual machine and container environments.
It’s not enough to have intent-based networking only within these silos.
Imagine a situation where your application service requirements, user experience needs, or segmentation policies are translated and applied to only one network domain – and not the others. What would that mean for your overall performance and security requirements? Your IT teams for each of the domains would need to share, translate, and implement policy in their own environments. All manually. With the rapid pace of change, would that even be possible?
We need to stitch these fabrics together – automatically and seamlessly – to achieve the full business intent.
The automated integration of policy between domains is the best way to preserve domain uniqueness and still provide consistency and management. With policy integration, each domain, while functioning independently, can collaborate with others for the benefit of the entire network. You can define a policy once, apply it everywhere, and monitor it systematically to ensure it is realizing its business intent.
Towards an intent-based architecture
Cisco is taking steps to stitch the domains together. Not by making them identical and bringing them down to the lowest common denominator, but by having them share policy elements, so that they can cooperate with each other to fulfill the collective intent.
Segmentation policy integrations
Segmenting a network reduces congestion, improves security and compliance, and contains network problems. In the campus, Cisco’s SD-Access solution uses (and improves on) this technology to group users and devices within the segments it creates according to their access privileges. Similarly, Cisco ACI creates groups of similar applications in the data center.
When integrated, SD-Access and ACI exchange their groupings and give each other visibility into their access policies. With this knowledge, each domain can map user groups to applications, jointly enforce policies, and block unauthorized access to applications.
In another segmentation policy integration, Cisco SD-WAN connects with SD-Access and distributes user and device groups between an organization’s campus and branches, covering them all in a seamless access fabric. Access policies defined by SD-Access now apply consistently across all the organization’s sites.
Together, these two policy integrations allow uniform access controls to be applied to users, devices, and applications regardless of where they connect to the network or are hosted, and regardless of how they move between sites or between data center and cloud. The integrations avoid the complex configurations and frequent changes that would otherwise be required to achieve the same objectives.
Take the example of an IoT installation. There may be thousands of IoT devices distributed throughout the enterprise, and applications in the data center they access. With segmentation policy integrations between SD-Access, SD-WAN, and ACI, the network can limit the access of these devices to just those applications, no matter where the devices and applications reside, and where they move.
Application experience policy integration
Ensuring that users have a good quality of experience when they run applications and access data in data centers and clouds is a high priority for IT. It has always been hard to implement end to end.
With policy integration between ACI and SD-WAN, application SLAs can be defined in the data center and propagated automatically to SD-WAN, which can then properly prioritize the traffic as it travels to users in campus and branches. The SLA propagation can save network operators from having to define these parameters manually in SD-WAN and update them every time the application or business needs change.
Going back to our IoT example, such an integration would ensure that any urgent action that needs to be communicated between a device and the controlling application is prioritized through the SD-WAN.
Security across domains
Security must be integrated into networks. It can’t just run at the perimeter. Integration between security and the network allows security applications and the network to work together to reduce the time needed to prevent, detect, and mitigate threats.
Cisco’s security applications are pervasive and built into campus, branch, WAN, data center, co-location centers, and cloud. They protect users, no matter where they might be, as they access the internet or applications running in their data centers, in hybrid clouds, or hosted by a SaaS provider.
We are now expanding security capabilities across the domains. Cisco Advanced Malware Protection (AMP) prevents breaches, monitors malicious behavior, and detects and removes malware. Security constructs built into Cisco SD-WAN, and the recently announced SD-WAN onRamp for CoLocation, provide a full security stack that applies protection consistently from user to branch to clouds. Cisco Stealthwatch and Stealthwatch Cloud detect threats across the private network, public clouds, and even in encrypted traffic.
Stay tuned for more
With these policy integrations, we are delivering on our commitment to help our customers manage and orchestrate enterprise-wide networks. As our customers transform their businesses, they can confidently depend on the network to support them in every step of their transformation journey.
For more on this topic, please:
Read Multidomain At-A-Glance.
Experience: SD-Access with ACI integration demo