Although I prepared most of this blog in advance, last week I presented a session at Cisco Live Barcelona in which I gave three tips to start your journey towards Intent Based Networking. In this post I would like to provide a bit more thought on why Software Defined Access is needed and what it will entail for every organisation.
What is Intent Based Networking?
Software Defined Networking is not new; it has existed for quite some time in the WAN and in data centres. In 2017 Software Defined Access (SDA), or Campus Fabric, was announced. It entails a different approach to designing, configuring and implementing access networks. It is based on a routed (Layer 3) underlay network upon which virtual networks are configured and deployed as overlay networks, providing the flexibility to design and implement several kinds of requirements in the access network.
This approach is quite similar to how remote access VPNs to your enterprise network function. If you start your AnyConnect client, you connect to a VPN concentrator (usually an ASA or FTD) and become part of the internal corporate network with an internal IP address. Traffic from your endpoint is then encapsulated and sent encrypted over the Internet to the VPN concentrator. And this works from anywhere in the world, as long as you have a connection to the Internet. In this example, the underlay network is the Internet and the overlay network is your specific VPN tunnel with its policies. The internal network is totally unaware of where you are on the Internet; it just sends the traffic to the VPN concentrator's internal address, and the VPN concentrator knows how to get that traffic via the overlay network to your endpoint.
Software Defined Access is basically the same: the Campus Fabric plays the role of the Internet, each client can be seen as an endpoint with a tunnel group policy, and the edge router takes the role of the VPN concentrator.
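To make the underlay/overlay split from the VPN analogy concrete, here is a small simulation I added for this post; it is not Cisco SDA code and not the author's. The packet formats, the mapping table and all addresses (documentation range 192.0.2.x for the underlay, 10.1.1.x inside the overlay) are constructed. It shows three things: the underlay only ever sees the outer header, an endpoint can roam to another edge node without the sender noticing, and a destination that only exists in another virtual network is unreachable at the ingress edge.

```python
"""Toy overlay-on-underlay fabric, mirroring the post's VPN analogy: an
endpoint keeps one overlay address wherever it attaches, the underlay
forwards only on the outer header, and traffic stays inside its own
virtual network. Added example, not Cisco SDA or the author's code; the
packet formats, mapping table and addresses are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class OverlayPacket:
    vn: str            # virtual network, e.g. "corp" or "iot"
    src: str           # endpoint addresses inside the overlay
    dst: str
    payload: bytes


@dataclass(frozen=True)
class UnderlayPacket:
    src_rloc: str      # underlay address of the ingress edge node
    dst_rloc: str      # underlay address of the egress edge node
    inner: OverlayPacket


class Fabric:
    """The routed underlay plus a mapping system that records which edge
    node currently serves a given (virtual network, endpoint) pair."""

    def __init__(self) -> None:
        self.mapping: dict[tuple[str, str], str] = {}
        self.underlay_trace: list[tuple[str, str]] = []

    def attach(self, vn: str, endpoint: str, edge_rloc: str) -> None:
        """Endpoint connects to (or roams to) an edge node."""
        self.mapping[(vn, endpoint)] = edge_rloc

    def encapsulate(self, pkt: OverlayPacket, ingress_rloc: str) -> Optional[UnderlayPacket]:
        """Ingress edge: resolve the destination within the packet's own VN.
        An address that exists only in another VN is not found, so the packet
        is dropped at the edge; no per-VLAN ACL in the core is involved."""
        egress = self.mapping.get((pkt.vn, pkt.dst))
        if egress is None:
            return None
        return UnderlayPacket(ingress_rloc, egress, pkt)

    def forward(self, outer: UnderlayPacket) -> OverlayPacket:
        """Underlay transit and egress decapsulation. The underlay only sees
        src_rloc/dst_rloc; it never learns the endpoint or the VN inside."""
        self.underlay_trace.append((outer.src_rloc, outer.dst_rloc))
        return outer.inner

    def deliver(self, pkt: OverlayPacket, ingress_rloc: str) -> Optional[OverlayPacket]:
        outer = self.encapsulate(pkt, ingress_rloc)
        return None if outer is None else self.forward(outer)


def demo() -> dict:
    fab = Fabric()
    # Constructed topology: three edge nodes (underlay 192.0.2.x), two VNs.
    # The same overlay address 10.1.1.20 is used in both VNs on purpose.
    fab.attach("corp", "10.1.1.10", "192.0.2.1")
    fab.attach("corp", "10.1.1.20", "192.0.2.2")
    fab.attach("iot", "10.1.1.20", "192.0.2.3")

    corp_pkt = OverlayPacket("corp", "10.1.1.10", "10.1.1.20", b"hello")
    got = fab.deliver(corp_pkt, "192.0.2.1")

    # An IoT device trying to reach the corp host's address: not in its VN.
    iot_pkt = OverlayPacket("iot", "10.1.1.20", "10.1.1.10", b"probe")
    blocked = fab.deliver(iot_pkt, "192.0.2.3")

    # The corp host roams to the third edge node; the sender changes nothing.
    fab.attach("corp", "10.1.1.20", "192.0.2.3")
    fab.deliver(corp_pkt, "192.0.2.1")

    return {
        "delivered_dst": got.dst if got else None,
        "delivered_vn": got.vn if got else None,
        "cross_vn_blocked": blocked is None,
        "underlay_paths": list(fab.underlay_trace),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the `underlay_paths` trace is that after the roam the second entry ends at a different edge node while the overlay packet the sender built is byte-for-byte the same; that is the "internal network is unaware of where you are" property from the VPN analogy.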
One of the main drivers for this required change is the exponential growth of devices that will connect to your internal enterprise network. And that's not because the organisation will hire a lot of new employees, each bringing two to three devices to the network; I'm talking about the growth of IoT devices, or in other words smart sensors, security cameras, light bulbs, wall switches, room temperature sensors and basically anything you can think of. I know that some escalators and elevators are connected via IP to be monitored, and that a SIP call is set up if there's a failure in the elevator. And if you don't think that this growth will also come to the enterprise, just count the number of devices you now have in your home that are connected to the Internet and check how many you had 5 years ago. Chances are that it has doubled or tripled, right? So a lot of new devices, each with their own requirements, need to be connected to the network. And it must of course be secured, and preferably segregated from the internal enterprise network.
Another driver is the way we operate our network infrastructure today. For each application, or requirement, a separate VLAN is created, sometimes put into its own VRF (if possible), with some access lists that prevent traffic from flowing between these VLANs. That is already a hassle to configure and manage, specifically when the network operations team does it on-box. The same goes for software upgrades. So what would happen if the number of devices grows by a factor of five? Would it be possible to manage the network and changes in a similar way? We would need much more staff, which is impossible to find and pay for. Besides, only a few persons would really have an overview of how the network is set up and configured and of what kind of devices are communicating with each other. In summary, the complexity of the network will increase dramatically, and that means that the way IT operates needs to change.
So what are network intent, intent based networking and the other paradigms that will become the next evolution in network infrastructures?
Obviously it is all about intent and the way the network is organised to facilitate that intent. Cisco's VP Enterprise Networks, Gordon Thomson, explained intent with a very good example at the Network Intuitive event that I attended in October. I've copied and modified the slide from that presentation into the table below.
| Intent | Steps to execute |
|---|---|
| Every Saturday I need to wash my car | Park the car behind the garden. Take the water hose from the garage and connect it to the outside tap. Get some water with car wash. Go and wash the car, section by section, where I first rinse the section, wash it, rinse it and end with the wheels. Validate if the car is clean and then put all used equipment away. |
| I want to cook some nice dinner | Check the fridge for the ingredients; if some are missing, go to the store to replenish. Then place all ingredients on the kitchen table and follow the recipe to prepare the dinner. Clean up afterwards. |
| I received a request to set up a new branch location | Purchase required equipment, provision and configure the equipment, assign an IP network, configure the WAN for an extra branch office and provision staff with the correct guidance for connecting to the network. Validate the application performance. |
| A vendor wants to monitor their installed equipment on the factory floor | Create a new segment on the factory network, interconnect that in a separate VRF to the datacenter and provide remote access for the vendor for monitoring. Determine changes in requirements such as WAN and provision those as well. |
| I have a video conference session scheduled at 10:00 AM | Provision the WAN for HD video connection. Create the HD video connection, keep the connection safe, validate performance and tear down the connection after the call. |
All these examples demonstrate what intent is and what steps need to be executed. These steps are always the same and can therefore be automated. And control over the network comes with that automation, because if you know the steps, you can also validate whether those steps were executed correctly. Intent based networking is nothing more than preparing your network infrastructure (using SDA) in such a way that all kinds of intents can be executed in a controlled and automated manner, using tools and APIs between a director and the network infrastructure. And just imagine what the possibilities would be if these automation steps could be called using APIs. The good news is, you now can! There are quite a few tools on the market that can help you with Intent Based Networking, like Cisco's DNA Center or Ansible with a CI/CD pipeline.
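The table above and the paragraph on automation describe one loop: an intent is rendered into a fixed list of steps, the steps are executed, and the result is validated against the intent. The following example, added here and not taken from DNA Center, Ansible or the author, runs that loop for the "vendor wants to monitor equipment on the factory floor" row: an isolated segment with its own VLAN, VRF and access list. The intent schema, the fake switch and the flat one-statement-per-line configuration format are all constructed for readability and do not follow real IOS syntax. The part worth noticing is that validation runs in both directions: it reports steps whose effect is missing (lost or never applied) and statements in the segment's ACL that the intent never produced, which is how a hand-added permit that quietly opens the vendor segment to the corporate network gets caught.

```python
"""Intent -> repeatable steps -> validation, the loop the post describes.
Added example, not code from DNA Center, Ansible or the author; the intent
schema, the flat one-statement-per-line config format and the fake device
are constructed for illustration and do not follow real IOS syntax."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SegmentIntent:
    """One 'I want a segment for X' intent, e.g. a vendor monitoring VLAN."""
    name: str
    vlan_id: int
    vrf: str
    subnet: str                 # constructed CIDR for the segment
    allowed_to: tuple = ()      # subnets this segment may reach; () = isolated


class FakeDevice:
    """Stand-in for a switch: holds config statements, can be edited by hand."""

    def __init__(self) -> None:
        self.config: list[str] = []

    def apply(self, statements: list[str]) -> None:
        for s in statements:
            if s not in self.config:
                self.config.append(s)

    def remove(self, statement: str) -> None:
        self.config = [s for s in self.config if s != statement]


def render_steps(intent: SegmentIntent) -> list[str]:
    """The same steps every time: VRF, VLAN, SVI in the VRF, ACL, apply ACL."""
    acl = f"acl {intent.name}-in"
    steps = [
        f"vrf {intent.vrf}",
        f"vlan {intent.vlan_id} name {intent.name}",
        f"svi {intent.vlan_id} vrf {intent.vrf}",
        f"svi {intent.vlan_id} address {intent.subnet}",
    ]
    steps += [f"{acl} permit {intent.subnet} to {peer}" for peer in intent.allowed_to]
    steps.append(f"{acl} deny any")          # explicit default-deny closes the list
    steps.append(f"svi {intent.vlan_id} apply {acl}")
    return steps


def validate(intent: SegmentIntent, device: FakeDevice) -> dict:
    """Compare intent with running state in both directions:
    'missing'    - a rendered step whose statement is absent (not applied/lost)
    'unexpected' - an ACL statement for this segment that the intent never
                   produced (e.g. a hand-added permit that opens the segment)."""
    wanted = render_steps(intent)
    running = device.config
    acl = f"acl {intent.name}-in"
    return {
        "missing": [s for s in wanted if s not in running],
        "unexpected": [s for s in running if s.startswith(acl) and s not in wanted],
    }


def provision(intent: SegmentIntent, device: FakeDevice) -> dict:
    """Execute the steps (idempotently) and return the validation result."""
    device.apply(render_steps(intent))
    return validate(intent, device)


def demo() -> dict:
    # Constructed scenario: an isolated segment for a vendor's floor equipment.
    vendor = SegmentIntent("vendor-mon", 310, "VENDOR", "10.31.0.0/24")
    sw = FakeDevice()
    first = provision(vendor, sw)
    # Manual change outside the automation: someone opens the ACL to the corp net
    # and drops the default-deny.
    sw.apply(["acl vendor-mon-in permit 10.31.0.0/24 to 10.0.0.0/8"])
    sw.remove("acl vendor-mon-in deny any")
    drifted = validate(vendor, sw)
    # Re-running the intent restores the missing step; the stray permit is still
    # reported, because an additive apply never removes what it did not create.
    repaired = provision(vendor, sw)
    return {"first": first, "drifted": drifted, "repaired": repaired}


if __name__ == "__main__":
    for stage, result in demo().items():
        print(stage, result)
```

Re-running `provision` is safe to repeat because `apply` only adds what is absent, which is the property that lets the same steps be executed from a pipeline on every change. Removing the unexpected permit is deliberately left to a human (or a separate, explicitly approved step), since silently deleting configuration the automation did not create is how an outage gets introduced.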
But wait! There's more to it. Intent based networking is not only a technology or solution that you buy. It requires a different mindset and a different way of designing, managing and implementing a network infrastructure. That in turn requires change within organisations, processes and procedures, and more profoundly the use of tooling to automate the execution steps. So it is more of a journey. How could you start that journey? I would like to give you three tips to get you going towards intent based networking.
And what would work to start your journey? I'll provide the three tips in the next blog posts.