Modernizing Manufacturing Plants Through Cisco DNA Solution
BRKENS-2825 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Agenda
• Modernizing Factories - Why & How?
• Cisco DNA - Overview.
• Manufacturing Design Considerations & Use-Cases.
• Seamless Security Enforcement.
• Automation for Business Agility.
• Rapid Problem Resolution through Assurance.
Modernizing Factories: Why & How?
Understanding Industrial Evolution (Mechanized Systems)
Industry 0.0 (1440-1500): Printing Press innovation by Johannes Gutenberg in Germany.
Understanding Industrial Evolution (Digitized Information Systems)
Industry 3.0 (1950-1970): Shift from Mechanical and Analog Electronics systems to Digital Electronic systems. Beginning of automation of the manufacturing process.
Industry 4.0 (2011): Digital integration and automation of the manufacturing process. Converting digital data into information for business decisions (evolution of IIoT).
Cisco DNA Overview
Digital Network Architecture (DNA)
Intent-based Architecture
Main Components:
• Software Defined Access (SDA)
[Diagram: SD-Access fabric (switch, route, wireless edge) with SaaS, learning and security layers]
Digital Network Architecture (DNA)
• The Foundation for Cisco’s Intent-Based Network
Cisco Catalyst Center: Policy, Automation, Assurance
• One Automated Network Fabric – single fabric for wired and wireless with full automation
• Identity-Based Policy and Segmentation – policy definition decoupled from VLAN and IP address
• AI-Driven Insights and Telemetry – analytics and visibility into user and application experience
[Diagram: SD-Access fabric with border nodes (B) and control-plane node (C) toward the outside, SD-Access extension and client mobility; policy follows the user across the IoT network and the employee network]
Identity Services Engine (Zero Trust Platform for Workplace)
Cisco DNA Roles and Terminology
▪ Network Automation – Simple GUI Automation and APIs for intent-based Automation of wired and wireless fabric devices
▪ Network Assurance – Data Collectors analyze Endpoint to Application flows and monitor fabric device status
▪ Identity Services – NAC and ID Services (e.g., ISE) for dynamic Endpoint to Group mapping and Policy definition
[Diagram: Cisco ISE (Identity Services) and Cisco Catalyst Center (Automation, Assurance) above Fabric Border Nodes, IP Fabric and Fabric Wireless Controllers]
SD-Access Fabric (A Closer Look): Control-Plane Nodes
[Diagram: control-plane node view of endpoint FE1, IP 1.2.3.4/32, MAC AA:BB:CC:DD]
SD-Access Fabric (A Closer Look): Edge Nodes
[Diagram: edge node view of endpoint FE1, IP 1.2.3.4/32, MAC AA:BB:CC:DD]
SD-Access Fabric (A Closer Look)
Border Nodes
Border Node is an Entry and Exit point for data traffic going into and out of a Fabric
SD-Access Fabric (A Closer Look): Border Nodes - Internal
[Diagram: internal border node; endpoint IP 1.2.3.4/32, MAC AA:BB:CC:DD]
SD-Access Fabric (A Closer Look): Border Nodes - External
[Diagram: external border node; endpoint IP 1.2.3.4/32, MAC AA:BB:CC:DD]
SD-Access Fabric (A Closer Look)
Fabric Enabled Wireless
Fabric Enabled WLC is integrated into Fabric for SD-Access Wireless clients
Data: VXLAN
Manufacturing Design Considerations & Use-Cases
IT vs OT Requirements (priority order)
   IT               OT
1  Confidentiality  Availability
2  Integrity        Integrity
3  Availability     Confidentiality
Industrial Automation Architecture
Outcomes
• Improve uptime, OEE and asset utilization
• Reduce support effort and deployment errors
• Reduce risk from cybersecurity threats
Benefits
• Validated Design and Implementation guidance developed by Cisco engineering
• Tested against leading IACS vendor devices and applications
• Experienced Cisco services ready to apply to customer scenarios
How to Transform Industrial Automation Architecture to Cisco DNA
Key design questions
OT Requirements vs Current DNA Support
OT requirement                              Current DNA support
Tolerance to network outages: 10-80 ms      Failure on the underlay may produce outages > 200 ms
QoS: Profinet uses CoS values               Application policy does not support CoS
May require precision timing                Fabric nodes cannot be part of the PTP domain yet
1 General Design with Physical Topology
Enterprise Zone
• DHCP, DNS, AD (Services); Internet, AMP Cloud, Talos, XDR
• ISE (PAN, MNT, PSN, PxGrid), Catalyst Center, WLC, Cyber Vision Center
iDMZ
• Applications and Services: SW Updates, Data Proxy, File Transfers, Remote Access
• Stateful Firewall HA pair (NGFW, HA/State Link) connects to the Manufacturing and Industrial DMZ VNs via eBGP multi-hop
Industrial Zone (Site-Level Area)
• Site Application Servers, Plant Wireless, Security Cameras, Engineering Workstation, Video Endpoint; connectivity via Fabric Edge Node (EN) of the SDA Fabric
Cell/Area Zone
• PLC, HMI, Robots etc.; connectivity via Cisco Industrial Ethernet (IE) switches with Cyber Vision Sensors
• SIS
Logical Virtual Networks (Site-Level Area): Corp VN, Mfg VN, BMS VN, Guest VN; Cell/Area Zone-1, Cell/Area Zone-2
General Design with Firewall inline in Manufacturing Virtual Network
[Diagram: Border Node (BGP AS-100) – INSIDE – firewall – OUTSIDE – Fusion Node, eBGP multi-hop across the firewall]
STATIC ROUTES
BN: ip route vrf mfg_vn 2.2.2.1 255.255.255.255 1.1.1.2
BN: ip route vrf mfg_vn 2.2.2.2 255.255.255.255 1.1.1.2
!
FN: ip route vrf mfg_vn 1.1.1.2 255.255.255.255 2.2.2.1
FN: ip route vrf mfg_vn 1.1.1.1 255.255.255.255 2.2.2.1
BGP CHANGES
BN: router bgp 100
     !
     address-family ipv4 vrf cpn_vn
      neighbor 2.2.2.2 remote-as 200
      neighbor 2.2.2.2 ebgp-multihop 2
     exit-address-family
NOTE: Manual Configuration Required.
• STATIC Routes between BN/FN and FW.
• Minor Modification on Border Node BGP configuration by changing neighbor IP of Fusion Node.
• Catalyst Center Templates can be used to automate the additional configuration.
BGP Default TTL is 1 (hence ebgp-multihop 2 across the firewall).
2 No Faults Forward (NFF) (Enable L2 Flooding on Wireless Subnet)
[Diagram: Enterprise Network (Cyber Vision, ISE, Cisco Catalyst Center) and NGFW HA pair (HA/State Link) reach the SDA Fabric via eBGP multi-hop; application server 10.46.200.80 sends an IP network broadcast that the fabric delivers as an IP directed broadcast into NFF_VLAN NFF_10.46.203.64/28; packet capture taken on the FE switch]
Path: VLAN1033 (Anycast GW 10.46.202.1/27) on the FE switch with the server (App 10.46.202.3/27) ---- Access Tunnel -----→ VLAN1058 (Anycast GW 10.46.203.65/28; 10.46.203.252) on the FE switch with APs, SSID LIGHTNING, clients VIN 1J4GZ78Y5PC574443 (10.46.203.72/28) and VIN 1HJ2Y78X5RC572254 (10.46.203.73/28)
SDA (CLI Configuration on FE Switches) – Template Editor on CatC can be used
On FE Switch with APs (L2 LISP instance-id for vlan 1058):
 router lisp
  instance-id 8191
   service ethernet
    eid-table vlan 1058
     broadcast-underlay 239.0.17.1
     flood unknown-unicast
     flood access-tunnel
 !
 interface vlan 1058
  ip directed-broadcast
On FE Switch with Server:
 interface vlan 1033
  ip network-broadcast
No Faults Forward (NFF) - Output
Sender (TestPC, test.local, mode: Sender Only): 10.46.202.3 (Preferred), mask 255.255.255.224, gateway 10.46.202.1, sending to 10.46.203.79 port 2001
<TX 268; 10.46.203.79:2001> hello Fabric test
<TX 268; 10.46.203.79:2001> hello Fabric test
<TX 268; 10.46.203.79:2001> hello Fabric test
<TX 268; 10.46.203.79:2001> hello Fabric test
Receiver (test.local, mode: Receiver Only): 10.46.203.72 (Preferred), mask 255.255.255.240, gateway 10.46.203.65
No Faults Forwarding (NFF) Virtual eXtensible Local Area Network Packet Capture
Outer: User Datagram Protocol, Src Port: 65345, Dst Port: 4789
  Source Port: 65345
  Destination Port: 4789
VXLAN: Flags: 0x0800, VXLAN Network ID (VNI)
Inner: Source: 10.46.200.80, Destination: 10.46.203.252
Inner: User Datagram Protocol, Src Port: 62186, Dst Port: 2001
  Source Port: 62186
  Destination Port: 2001
Data (19 bytes) Payload
0000 68 65 6c 6c 6f 20 46 61 62 72 69 63 20 74 65 73 hello Fabric test..
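The capture above shows the broadcast carried as VXLAN (outer UDP/4789) with an inner UDP datagram to port 2001. The following parser, an added example rather than anything from the session, decodes such a packet from a constructed sample (VNI 8191 and the MAC addresses are assumed values) and checks whether the inner destination is the directed-broadcast address of the IoT /28; it also recognises a Wake-on-LAN magic packet for the WoL case on the following slides.

```python
"""Decode the VXLAN-encapsulated broadcast seen in the NFF and WoL captures."""
import ipaddress
import struct

VXLAN_UDP_PORT = 4789        # outer UDP destination port in the captures
VXLAN_FLAG_VNI_VALID = 0x08  # "I" flag; the capture's "Flags: 0x0800" is this byte plus a reserved 0x00
IPPROTO_UDP = 17


def parse_vxlan(udp_payload: bytes) -> dict:
    """Parse VXLAN header + inner Ethernet/IPv4/UDP; raise ValueError if malformed."""
    if len(udp_payload) < 8 + 14 + 20 + 8:
        raise ValueError("too short for VXLAN + inner Ethernet/IPv4/UDP")
    flags = udp_payload[0]
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set (flags=0x%02x)" % flags)
    vni = int.from_bytes(udp_payload[4:7], "big")   # 24-bit VNI; byte 7 is reserved
    frame = udp_payload[8:]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("inner frame is not IPv4 (ethertype=0x%04x)" % ethertype)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_UDP:
        raise ValueError("inner packet is not UDP (protocol=%d)" % ip[9])
    udp = ip[ihl:total_len]
    if len(udp) < 8:
        raise ValueError("inner IP total length leaves no room for a UDP header")
    sport, dport, ulen = struct.unpack("!HHH", udp[0:6])
    if ulen < 8 or ulen > len(udp):
        raise ValueError("inner UDP length %d inconsistent with IP total length" % ulen)
    return {
        "vni": vni,
        "inner_dst_mac": frame[0:6].hex(":"),
        "src_ip": str(ipaddress.IPv4Address(ip[12:16])),
        "dst_ip": str(ipaddress.IPv4Address(ip[16:20])),
        "sport": sport,
        "dport": dport,
        "payload": udp[8:ulen],
    }


def is_directed_broadcast(dst_ip: str, subnet: str) -> bool:
    """True when dst_ip is the broadcast address of subnet (10.46.203.79 for 10.46.203.64/28)."""
    net = ipaddress.ip_network(subnet, strict=False)
    return ipaddress.IPv4Address(dst_ip) == net.broadcast_address


def is_wol_magic(payload: bytes) -> bool:
    """Wake-on-LAN magic packet: six 0xFF bytes followed by the target MAC repeated 16 times."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return False
    mac = payload[6:12]
    return payload[6:102] == mac * 16


def build_sample(vni: int, src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed VXLAN datagram (the outer UDP payload). IP checksum is left 0; the parser ignores it."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                         ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    eth = b"\xff" * 6 + bytes.fromhex("020000000001") + b"\x08\x00"   # broadcast dst, constructed src MAC
    vxlan = bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    return vxlan + eth + ip_hdr + udp


if __name__ == "__main__":
    pkt = build_sample(8191, "10.46.200.80", "10.46.203.79", 62186, 2001, b"hello Fabric test\r\n")
    info = parse_vxlan(pkt)
    print("VNI", info["vni"], info["src_ip"], "->", info["dst_ip"], "udp/%d" % info["dport"], info["payload"])
    print("directed broadcast into 10.46.203.64/28:", is_directed_broadcast(info["dst_ip"], "10.46.203.64/28"))
```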
3 Wake on LAN (WoLAN) (Enable L2 Flooding & IP Directed-Broadcast on IoT Subnet)
[Diagram: Enterprise Network (Cyber Vision, ISE, Cisco Catalyst Center) and NGFW HA pair (HA/State Link) reach the SDA Fabric via eBGP multi-hop; App 10.46.199.20/28 sends an IP network broadcast that the fabric delivers as an IP directed broadcast into wol_10.46.203.64/28, VLAN1058 (Anycast GW 10.46.203.65/28; 10.46.203.252); packet capture at 10.46.200.80; Cell/Area Zone-2 (10.46.203.64/28) with Cisco IE switches, sensors, PLC, HMI and SIS]
No CLI configuration needed. Catalyst Center workflow is sufficient.
NOTE: Wireless EPs do need Access-Tunnel manual config in LISP L2 instance-id.
Wake on LAN (WoL) - Output
Sender (PC2, test.local, mode: Sender Only): 10.46.199.20 (Preferred), mask 255.255.255.240, gateway 10.46.199.17
Receiver (test.local, mode: Receiver Only): 10.46.203.72 (Preferred), mask 255.255.255.240, gateway 10.46.203.65
Wake on LAN (WoL) Virtual eXtensible Local Area Network Packet Capture
Outer: User Datagram Protocol, Src Port: 65345, Dst Port: 4789
  Source Port: 65345
  Destination Port: 4789
VXLAN: Flags: 0x0800, VXLAN Network ID (VNI)
Inner: Source: 10.46.200.80, Destination: 10.46.203.252
Inner: User Datagram Protocol, Src Port: 58872, Dst Port: 2001
  Source Port: 58872
  Destination Port: 2001
Data (19 bytes) Payload
0000 68 65 6c 6c 6f 0d 0a 61 62 72 69 63 20 74 65 73 hello..
4 Cisco Ultra Reliable Wireless Backhaul (CURWB) over Cisco SDA
[Diagram: Corporate Network with DNAC 2.3.3.7 and Cat9800-40 running 17.12.3; CURWB link out to the parking lot]
Cisco CURWB Configuration
[Diagram: CURWB radios 10.46.203.34 and 10.46.203.35, both shown with 10.46.203.33]
Cisco CURWB Configuration
STATUS (Mesh End)
Device: Cisco IOT IW9165E Series Access Point
Name: unset  ID: 5.66.194.164
Serial: FOC272919FA
Operating Mode: Mesh End
Uptime: 3 days, 9:38 (hh:mm)
Firmware version: 17.12.1.5
DEVICE SETTINGS: IP: 10.46.203.34  Netmask: 255.255.255.248  MAC address: 40:36:5a:42:c2:a4  Configured MTU: 1530
WIRED0 Status: up  Speed: 2500 Mb/s  Duplex: full  MTU: 1530
WIRED1 Status: down
WIRELESS SETTINGS: Operating region: B
Radio 1: Interface: enabled  Mode: fixed infrastructure  Frequency: 5600 MHz  Channel: 120  Channel Width: 80 MHz  Current tx power: 23 dBm  Current tx power level: 1  Antenna gain: not selected  Antenna number: 2  AES enabled  Radio Mode: csma/ca  Maximum link length: 3 km
Radio 2: Interface: enabled  Mode: fluidity  Frequency: 5745 MHz  Channel: 149  Channel Width: 80 MHz  Current tx power: 20 dBm  Current tx power level: 1  Antenna gain: not selected  Antenna number: 2  AES enabled  Radio Mode: csma/ca  Maximum link length: 3 km

STATUS (Mesh Point)
Device: Cisco IOT IW9165E Series Access Point
Name: unset  ID: 5.66.194.84
Serial: FOC2729195H
Operating Mode: Mesh Point
Uptime: 3 days, 9:37 (hh:mm)
Firmware version: 17.12.1.5
DEVICE SETTINGS: IP: 10.46.203.35  Netmask: 255.255.255.248  MAC address: 40:36:5a:42:c2:54  Configured MTU: 1530
WIRED0 Status: up  Speed: 2500 Mb/s  Duplex: full  MTU: 1530
WIRED1 Status: down
WIRELESS SETTINGS: Operating region: B
Radio 1: Interface: enabled  Mode: fixed infrastructure  Frequency: 5600 MHz  Channel: 120  Channel Width: 80 MHz  Current tx power: 23 dBm  Current tx power level: 1  Antenna gain: not selected  Antenna number: 2  AES enabled  Radio Mode: csma/ca  Maximum link length: 3 km
Radio 2: Interface: enabled  Mode: fluidity  Frequency: 5745 MHz  Channel: 149  Channel Width: 80 MHz  Current tx power: 20 dBm  Current tx power level: 1  Antenna gain: not selected  Antenna number: 2  AES enabled  Radio Mode: csma/ca  Maximum link length: 3 km
Catalyst Center Assurance showing FEW Client over CURWB
FEW Client Traces Roaming from one AP to the other over CURWB
2024/04/26 14:56:08.564554962 {wncd_x_R0-0}{1}: [dot11] [19636]: (note): MAC: 8ec7.5d0e.963c Association success. AID 1, Roaming = True, WGB = False, 11r = False, 11w = False Fast roam = False
2024/04/26 14:56:08.564644351 {wncd_x_R0-0}{1}: [client-orch-sm] [19636]: (note): MAC: 8ec7.5d0e.963c Delete mobile payload sent for BSSID: a4b2.3905.352e WTP mac: a4b2.3905.3520 slot id: 1
2024/04/26 14:56:08.564936813 {wncd_x_R0-0}{1}: [client-orch-state] [19636]: (note): MAC: 8ec7.5d0e.963c Client state transition: S_CO_RUN -> S_CO_L2_AUTH_IN_PROGRESS
2024/04/26 14:56:08.565789693 {wncd_x_R0-0}{1}: [client-auth] [19636]: (note): MAC: 8ec7.5d0e.963c ADD MOBILE sent. Client state flags: 0x41 BSSID: MAC: 6871.612e.83ac capwap IFID: 0x90000006, Add mobiles sent: 1
2024/04/26 14:56:08.598424565 {wncd_x_R0-0}{1}: [client-orch-sm] [19636]: (note): MAC: 8ec7.5d0e.963c Mobility discovery triggered. Client mode: Local
2024/04/26 14:56:08.598427740 {wncd_x_R0-0}{1}: [client-orch-state] [19636]: (note): MAC: 8ec7.5d0e.963c Client state transition: S_CO_L2_AUTH_IN_PROGRESS -> S_CO_MOBILITY_DISCOVERY_IN_PROGRESS
2024/04/26 14:56:08.598565043 {wncd_x_R0-0}{1}: [mm-client] [19636]: (note): MAC: 8ec7.5d0e.963c Mobility Successful. Roam Type None, Sub Roam Type MM_SUB_ROAM_TYPE_INTRA_INSTANCE, Previous BSSID MAC: a4b2.3905.352e Client IFID: 0xa0000003, Client Role: Local PoA: 0x90000006 PoP: 0x0
2024/04/26 14:56:08.599112837 {wncd_x_R0-0}{1}: [client-auth] [19636]: (note): MAC: 8ec7.5d0e.963c ADD MOBILE sent. Client state flags: 0x46 BSSID: MAC: 6871.612e.83ac capwap IFID: 0x90000006, Add mobiles sent: 1
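Reading roam events out of a wncd trace by hand is slow; this added example (not Cisco tooling) parses the trace above, re-joined to one event per line, into a per-client summary of state transitions, previous and new BSSID, the 11r/11w flags from the association and the elapsed roam time.

```python
"""Summarise 9800 WLC wncd client-roam trace lines into a per-client roam record."""
import re
from datetime import date

LINE_RE = re.compile(
    r"^(\d{4})/(\d{2})/(\d{2}) (\d{2}):(\d{2}):(\d{2})\.(\d{9}) "
    r"\{([^}]+)\}\{\d+\}: \[([^\]]+)\] \[(\d+)\]: \((\w+)\): MAC: "
    r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) (.*)$"
)
TRANSITION_RE = re.compile(r"Client state transition: (\S+) -> (\S+)")
PREV_BSSID_RE = re.compile(r"Previous BSSID MAC: ([0-9a-fA-F.]+)")
NEW_BSSID_RE = re.compile(r"ADD MOBILE sent.*?BSSID: MAC: ([0-9a-fA-F.]+)")
SUB_ROAM_RE = re.compile(r"Sub Roam Type (\S+),")
FLAG_RE = re.compile(r"(Roaming|11r|11w) = (True|False)")

# The session's trace, with the slide's wrapped lines re-joined (one event per line).
SAMPLE_TRACE = """\
2024/04/26 14:56:08.564554962 {wncd_x_R0-0}{1}: [dot11] [19636]: (note): MAC: 8ec7.5d0e.963c Association success. AID 1, Roaming = True, WGB = False, 11r = False, 11w = False Fast roam = False
2024/04/26 14:56:08.564644351 {wncd_x_R0-0}{1}: [client-orch-sm] [19636]: (note): MAC: 8ec7.5d0e.963c Delete mobile payload sent for BSSID: a4b2.3905.352e WTP mac: a4b2.3905.3520 slot id: 1
2024/04/26 14:56:08.564936813 {wncd_x_R0-0}{1}: [client-orch-state] [19636]: (note): MAC: 8ec7.5d0e.963c Client state transition: S_CO_RUN -> S_CO_L2_AUTH_IN_PROGRESS
2024/04/26 14:56:08.565789693 {wncd_x_R0-0}{1}: [client-auth] [19636]: (note): MAC: 8ec7.5d0e.963c ADD MOBILE sent. Client state flags: 0x41 BSSID: MAC: 6871.612e.83ac capwap IFID: 0x90000006, Add mobiles sent: 1
2024/04/26 14:56:08.598424565 {wncd_x_R0-0}{1}: [client-orch-sm] [19636]: (note): MAC: 8ec7.5d0e.963c Mobility discovery triggered. Client mode: Local
2024/04/26 14:56:08.598427740 {wncd_x_R0-0}{1}: [client-orch-state] [19636]: (note): MAC: 8ec7.5d0e.963c Client state transition: S_CO_L2_AUTH_IN_PROGRESS -> S_CO_MOBILITY_DISCOVERY_IN_PROGRESS
2024/04/26 14:56:08.598565043 {wncd_x_R0-0}{1}: [mm-client] [19636]: (note): MAC: 8ec7.5d0e.963c Mobility Successful. Roam Type None, Sub Roam Type MM_SUB_ROAM_TYPE_INTRA_INSTANCE, Previous BSSID MAC: a4b2.3905.352e Client IFID: 0xa0000003, Client Role: Local PoA: 0x90000006 PoP: 0x0
2024/04/26 14:56:08.599112837 {wncd_x_R0-0}{1}: [client-auth] [19636]: (note): MAC: 8ec7.5d0e.963c ADD MOBILE sent. Client state flags: 0x46 BSSID: MAC: 6871.612e.83ac capwap IFID: 0x90000006, Add mobiles sent: 1
"""


def parse_trace_line(line: str):
    """Split one trace line into its fields; None for lines that are not client events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    y, mo, d, h, mi, s, ns, proc, comp, pid, sev, mac, msg = m.groups()
    day = date(int(y), int(mo), int(d)).toordinal()
    ts_ns = (day * 86400 + int(h) * 3600 + int(mi) * 60 + int(s)) * 10**9 + int(ns)
    return {"ts_ns": ts_ns, "process": proc, "component": comp, "pid": int(pid),
            "severity": sev, "mac": mac.lower(), "msg": msg}


def summarize_roam(trace: str) -> dict:
    """Per-client roam summary keyed by client MAC."""
    clients = {}
    for line in trace.splitlines():
        ev = parse_trace_line(line)
        if not ev:
            continue
        c = clients.setdefault(ev["mac"], {
            "states": [], "prev_bssid": None, "new_bssid": None, "sub_roam_type": None,
            "flags": {}, "components": [], "mobility_successful": False,
            "first_ns": ev["ts_ns"], "last_ns": ev["ts_ns"]})
        c["first_ns"] = min(c["first_ns"], ev["ts_ns"])
        c["last_ns"] = max(c["last_ns"], ev["ts_ns"])
        if ev["component"] not in c["components"]:
            c["components"].append(ev["component"])
        msg = ev["msg"]
        if (t := TRANSITION_RE.search(msg)):
            if not c["states"]:
                c["states"].append(t.group(1))   # starting state of the first transition
            c["states"].append(t.group(2))
        if (p := PREV_BSSID_RE.search(msg)):
            c["prev_bssid"] = p.group(1).lower()
        if (n := NEW_BSSID_RE.search(msg)):
            c["new_bssid"] = n.group(1).lower()
        if (r := SUB_ROAM_RE.search(msg)):
            c["sub_roam_type"] = r.group(1)
        if "Mobility Successful" in msg:
            c["mobility_successful"] = True
        for name, val in FLAG_RE.findall(msg):
            c["flags"][name] = (val == "True")   # 11w=False means no PMF on this association
    for c in clients.values():
        c["roam_duration_ns"] = c["last_ns"] - c["first_ns"]
    return clients


if __name__ == "__main__":
    for mac, c in summarize_roam(SAMPLE_TRACE).items():
        print(mac, c["prev_bssid"], "->", c["new_bssid"], c["states"],
              "%.3f ms" % (c["roam_duration_ns"] / 1e6), c["flags"])
```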
5 Autonomous Vehicle
Driving vehicles autonomously during manufacturing process using LiDAR technology. Requires isolated network with Multicast enabled in Manufacturing VN.
[Diagram: Corporate Network with Corp MCAST RP; Internal RP and External RP joined by MSDP; Mfg MCAST RPs in the Mfg VN and Corp VN across the SDA Fabric; IE-3400 on the manufacturing line connecting the Command Center, C-V2X, Camera, LiDAR and RSU; corporate employee side with Camera, LiDAR and RSU]
Configuration of Multicast in Manufacturing VN
BN1:
interface Loopback4101
 vrf forwarding mfg_vn
 ip address 10.35.66.9 255.255.255.255
 ip pim sparse-mode
!
ip pim vrf mfg_vn rp-address 10.210.82.72
ip pim vrf mfg_vn register-source Loopback4101
!
router lisp
 instance-id 4101
  service ipv4
   database-mapping 10.35.66.9/32 locator-set rloc_0a6a1d47-bb24-462e-82a1-538a47f0c207
   !
   eid-record instance-id 4101 10.35.66.0/24 accept-more-specifics
!
interface LISP0.4101
 ip pim lisp transport multicast
 ip pim lisp core-group-range 232.0.0.1 1000
!
ip msdp vrf mfg_vn peer 10.35.66.4 connect-source Loopback4101
ip msdp vrf mfg_vn cache-sa-state
ip msdp vrf mfg_vn originator-id Loopback4101
!
snmp-server enable traps msdp
!
! Manual Configuration
interface Loopback4601
 description RP address for CPN MCAST Only
 vrf forwarding mfg_vn
 ip address 10.210.82.72 255.255.255.255
 ip pim sparse-mode
!
router lisp
 instance-id 4101
  service ipv4
   database-mapping 10.210.82.72/32 locator-set rloc_0a6a1d47-bb24-462e-82a1-538a47f0c207
   !
   eid-record instance-id 4101 10.210.82.72/32 accept-more-specifics

BN2:
interface Loopback4101
 vrf forwarding mfg_vn
 ip address 10.35.66.4 255.255.255.255
 ip pim sparse-mode
!
ip pim vrf mfg_vn rp-address 10.210.82.72
ip pim vrf mfg_vn register-source Loopback4101
!
router lisp
 instance-id 4101
  service ipv4
   database-mapping 10.35.66.4/32 locator-set rloc_26c5095c-29c3-46bb-8601-be0f9209a610
   !
   eid-record instance-id 4101 10.35.66.0/24 accept-more-specifics
!
interface LISP0.4101
 ip pim lisp transport multicast
 ip pim lisp core-group-range 232.0.0.1 1000
!
ip msdp vrf mfg_vn peer 10.35.66.9 connect-source Loopback4101
ip msdp vrf mfg_vn cache-sa-state
ip msdp vrf mfg_vn originator-id Loopback4101
!
snmp-server enable traps msdp
!
! Manual Configuration
interface Loopback4601
 description RP address for CPN MCAST Only
 vrf forwarding mfg_vn
 ip address 10.210.82.72 255.255.255.255
 ip pim sparse-mode
!
router lisp
 instance-id 4101
  service ipv4
   database-mapping 10.210.82.72/32 locator-set rloc_26c5095c-29c3-46bb-8601-be0f9209a610
   !
   eid-record instance-id 4101 10.210.82.72/32 accept-more-specifics
Configuration of Multicast in Manufacturing VN
EN1:
interface Loopback4101
 vrf forwarding mfg_vn
 ip address 10.35.66.2 255.255.255.255
 ip pim sparse-mode
!
ip pim vrf mfg_vn rp-address 10.210.82.72
ip pim vrf mfg_vn register-source Loopback4101
!
router lisp
 instance-id 4101
  service ipv4
   database-mapping 10.35.66.2/32 locator-set rloc_9c8e4e71-9764-4470-a930-735c083ed9cd
!
interface LISP0.4101
 ip pim lisp transport multicast
 ip pim lisp core-group-range 232.0.0.1 1000

en1#show ip mroute vrf mfg_vn count
Use "show ip mfib count" to get better response time for a large number of mroutes.
IP Multicast Statistics
2 routes using 5936 bytes of memory
1 groups, 0.50 average sources per group
Forwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits per second
Other counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc)
Group: 239.16.0.1, Source count: 1, Packets forwarded: 94919, Packets received: 94920
  RP-tree: Forwarding: 0/0/0/0, Other: 0/0/0
  Source: 10.35.74.102/32, Forwarding: 94919/1/391/3, Other: 94920/1/0

EN2:
interface Loopback4101
 vrf forwarding mfg_vn
 ip address 10.35.66.5 255.255.255.255
 ip pim sparse-mode
!
ip pim vrf mfg_vn rp-address 10.210.82.72
ip pim vrf mfg_vn register-source Loopback4101
!
router lisp
 instance-id 4101
  service ipv4
   database-mapping 10.35.66.5/32 locator-set rloc_9c8e4e71-9764-4470-a930-735c083ed9cd
!
interface LISP0.4101
 ip pim lisp transport multicast
 ip pim lisp core-group-range 232.0.0.1 1000

en2#show ip mroute vrf mfg_vn count
Use "show ip mfib count" to get better response time for a large number of mroutes.
IP Multicast Statistics
2 routes using 4752 bytes of memory
1 groups, 0.66 average sources per group
Forwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits per second
Other counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc)
Group: 239.16.0.1, Source count: 1, Packets forwarded: 85251, Packets received: 85251
  RP-tree: Forwarding: 1/0/396/0, Other: 1/0/0
  Source: 10.35.74.102/32, Forwarding: 85250/1/396/3, Other: 85250/0/0
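The two border-node snippets on the previous slide must agree on the RP address, host it on a local loopback in mfg_vn, and point their MSDP peers at each other; the following added example (not a Cisco tool) parses the BN1/BN2 configuration from that slide and reports any of those mismatches. The LISP database-mapping lines are left out of the embedded text because the check does not use them.

```python
"""Consistency check for the anycast-RP / MSDP pairing in the Mfg VN multicast config."""

# BN1 border-node snippet from the slide, minus the LISP lines (not needed for this check).
BN1 = """\
interface Loopback4101
 vrf forwarding mfg_vn
 ip address 10.35.66.9 255.255.255.255
 ip pim sparse-mode
!
ip pim vrf mfg_vn rp-address 10.210.82.72
ip pim vrf mfg_vn register-source Loopback4101
!
ip msdp vrf mfg_vn peer 10.35.66.4 connect-source Loopback4101
ip msdp vrf mfg_vn cache-sa-state
ip msdp vrf mfg_vn originator-id Loopback4101
!
interface Loopback4601
 description RP address for CPN MCAST Only
 vrf forwarding mfg_vn
 ip address 10.210.82.72 255.255.255.255
 ip pim sparse-mode
"""
# BN2 as on the slide: own loopback 10.35.66.4, MSDP peer 10.35.66.9, same RP 10.210.82.72.
BN2 = BN1.replace("10.35.66.9", "10.35.66.4").replace("peer 10.35.66.4", "peer 10.35.66.9")


def parse_ios(text: str) -> dict:
    """Extract interfaces (vrf, ip), PIM rp-address / register-source and MSDP peers per VRF."""
    cfg = {"interfaces": {}, "rp": {}, "register_source": {}, "msdp_peers": {}}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        words = line.split()
        if line.startswith(" "):                      # sub-command inside an interface block
            if current and words[:2] == ["vrf", "forwarding"]:
                cfg["interfaces"][current]["vrf"] = words[2]
            elif current and words[:2] == ["ip", "address"]:
                cfg["interfaces"][current]["ip"] = words[2]
            continue
        current = None
        if len(words) == 2 and words[0] == "interface":
            current = words[1]
            cfg["interfaces"][current] = {}
        elif len(words) >= 6 and words[:3] == ["ip", "pim", "vrf"] and words[4] == "rp-address":
            cfg["rp"][words[3]] = words[5]
        elif len(words) >= 6 and words[:3] == ["ip", "pim", "vrf"] and words[4] == "register-source":
            cfg["register_source"][words[3]] = words[5]
        elif len(words) >= 8 and words[:3] == ["ip", "msdp", "vrf"] and words[4] == "peer":
            cfg["msdp_peers"].setdefault(words[3], []).append((words[5], words[7]))  # (peer, source)
    return cfg


def _local_ip(cfg: dict, intf: str, vrf: str):
    """Address of intf if it exists in the given VRF, else None."""
    i = cfg["interfaces"].get(intf, {})
    return i.get("ip") if i.get("vrf") == vrf else None


def check_anycast_rp(nodes: dict, vrf: str) -> list:
    """nodes: {name: parse_ios(...)}. Returns findings; an empty list means consistent."""
    findings, connect_ips = [], {name: set() for name in nodes}
    rps = {name: cfg["rp"].get(vrf) for name, cfg in nodes.items()}
    if None in rps.values() or len(set(rps.values())) != 1:
        findings.append("RP address differs or is missing: %s" % rps)
    for name, cfg in nodes.items():
        rp = rps[name]
        if rp and not any(i.get("vrf") == vrf and i.get("ip") == rp for i in cfg["interfaces"].values()):
            findings.append("%s: RP %s is not on a local loopback in vrf %s" % (name, rp, vrf))
        reg = cfg["register_source"].get(vrf)
        if reg and _local_ip(cfg, reg, vrf) is None:
            findings.append("%s: register-source %s has no address in vrf %s" % (name, reg, vrf))
        if not cfg["msdp_peers"].get(vrf):
            findings.append("%s: no MSDP peer in vrf %s" % (name, vrf))
        for _peer, src in cfg["msdp_peers"].get(vrf, []):
            ip = _local_ip(cfg, src, vrf)
            if ip is None:
                findings.append("%s: MSDP connect-source %s has no address in vrf %s" % (name, src, vrf))
            else:
                connect_ips[name].add(ip)
    for name, cfg in nodes.items():       # each peer address must be another node's connect-source
        others = {ip for n, ips in connect_ips.items() if n != name for ip in ips}
        for peer, _src in cfg["msdp_peers"].get(vrf, []):
            if peer not in others:
                findings.append("%s: MSDP peer %s is not another node's connect-source" % (name, peer))
    return findings


if __name__ == "__main__":
    result = check_anycast_rp({"BN1": parse_ios(BN1), "BN2": parse_ios(BN2)}, "mfg_vn")
    print("OK" if not result else "\n".join(result))
```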
6 DHCP server inside SDA Fabric
• DHCP Snooping is used by SDA Fabric on the FE host port to learn the end point. This is by design.
• When a DHCP Server is connected to an FE host port, DHCP Snooping stops the DHCP offer from being sent out to clients inside the Fabric, protecting them from man-in-the-middle attack.
• The FE Host port connecting to the DHCP server requires an additional command to Trust DHCP Snooping.
• The additional commands can be pushed to the specific FE host port where the DHCP server is connected via Catalyst Center Template Editor.
interface TenGigabitEthernet1/0/12
 switchport trunk allowed vlan 1064
 switchport mode trunk
 device-tracking attach-policy IPDT_POLICY
 ip flow monitor SSA-FNF-MON input
 ip flow monitor SSA-FNF-MON output
 access-session inherit disable interface-template-sticky
 access-session inherit disable autoconf
 no macro auto processing
 et-analytics enable
 ip dhcp snooping trust
[Diagram: Corporate Network with MCAST RP, DHCP/DNS server, ISE, VBRICK Media Server, TACACS+ server, WAN/DFN routers, ISE cluster (2 PAN/MNT/pxGrid, 2 PSN, 3 nodes), DNAC cluster (3 nodes, CatC backup server), OSPF Area 412, BGP AS 200, RP, CORP Virtual Network, SP RVPN, BGP AS 100, WLC (Multicast Enable); SD-Access Fabric with VLAN-1024 10.10.10.1/24 and VLAN-1064 192.168.1.1/24, DHCP server on an FE port with Trust DHCP Snooping Enabled, Router/FW and clients]
7 Migration from Legacy Network to SDA
SDA/CatC Migration Strategy (Manufacturing)
[Diagram: Corporate Network (Ford Network) with MCAST RP, DHCP/DNS server, ISE, VBRICK Media Server, TACACS+ server, WAN/DFN routers, ISE cluster (2 PAN/MNT/pxGrid, 2 PSN, 3 nodes), DNAC cluster (3 nodes, CatC backup server), OSPF Area 412, BGP AS 65341; Legacy Network with Legacy-Mfg-SGT, 19.x.x.x/16 and 20.x.x.x/16 supernets, VL-10, VL-3000 ACL (10.30.0.1/24), VL-2500 ACL (10.25.0.1/24), MPN control and err-prf nodes]
Seamless Security Enforcement (Wired/Wireless)
Cisco DNA Multi-level Segmentation
Cisco Catalyst Center and ISE Integration Workflow
[Diagram: Cisco ISE 2.3 (Identity and Policy) exchanges data with Catalyst Center over API: Identity Services Engine API, Network Control Platform (NCP, Automation) API, Network Data Platform (NDP, Assurance); southbound to the Campus Fabric over NETCONF, SNMP, SSH, AAA, RADIUS, TACACS, NetFlow, Syslog and HTTPS]
Cisco DNA Multi-level Segmentation Policy Workflow
[Diagram: Dynamic Classification (MAB at Campus Access) and Static Classification (DC Access) across Access, Distribution, Core, Enterprise Backbone and DC Core]
Cisco Cyber Vision with DNA
Cyber Vision Center is deployed at Shared Services
[Diagram: Shared Services (DHCP, DNS, AD) hosting Cyber Vision Center, ISE and Cisco Catalyst Center; Cell/Area Zone-1]
Identity Service Engine + Cybervision
Profiling OT Assets to Enable Dynamic Segmentation
OT: Cybervision manages OT assets and provides communication flow information. OT Engineer can group assets into zones.
IT: IT Engineer can now have OT context to build/enforce the right security policies.
pxGrid update with asset endpoint identities and group Cell1 as custom attribute.
Dynamic segmentation (Cell 1 - Segment): dACL, SGT, VLAN
Policy matrix:
        Cell 1  Cell 2  PLC  MES
Cell 1  ✓       ✘       ✓    ✘
Cell 2  ✘       ✓       ✓    ✘
PLC     ✓       ✓       ✓    ✓
MES     ✘       ✘       ✓    ✓
[Diagram: Cyber Vision Map View of industrial network; Cisco ISE]
Cyber Vision and ISE Attributes
ISE attribute        Cisco Cyber Vision property   Description
IOTASSET Library
assetId              ID                            Cyber Vision Component ID
assetName            Name                          Component name
assetIpAddress       IP                            Component IP address
assetMacAddress      Mac                           Component MAC address
assetVendor          Vendor-name                   Component manufacturer (IEEE OUI)
assetProductId       Model-ref                     Manufacturer product ID
assetSerialNumber    Serial-number                 Manufacturer serial number
assetSwRevision      Fw-version                    Component firmware version
assetHwRevision      Hw-version                    Component hardware version
assetProtocol        Protocols                     All Protocols concatenated in one string
Custom Attributes
assetModelName       Model-name                    Manufacturer model name
assetOsName          OS-name                       Operating system name
assetProjectName     Project-name                  Project name (from PLC program)
assetProjectVersion  Project-version               Project version (from PLC program)
assetGroup           Group                         Component group in Cyber Vision
assetGroupPath       Group Path                    Component group path in Cyber Vision (Nested Groups)
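Putting the profiling slide and the attribute table together: the added example below (not Cisco code) renames a Cyber Vision component's properties to the ISE attribute names from the table, derives an SGT from assetGroup, evaluates the Cell 1 / Cell 2 / PLC / MES matrix, and reports which peers an asset loses when its group changes, which is the "Communication Failed" case shown a few slides later. The SGT numbers and the sample components are constructed.

```python
"""Model the Cyber Vision -> pxGrid -> ISE TrustSec enforcement for OT asset groups."""

# Cyber Vision property -> ISE attribute, from the attribute table.
CV_TO_ISE = {
    "ID": "assetId", "Name": "assetName", "IP": "assetIpAddress", "Mac": "assetMacAddress",
    "Vendor-name": "assetVendor", "Model-ref": "assetProductId",
    "Serial-number": "assetSerialNumber", "Fw-version": "assetSwRevision",
    "Hw-version": "assetHwRevision", "Protocols": "assetProtocol",
    "Model-name": "assetModelName", "OS-name": "assetOsName",
    "Project-name": "assetProjectName", "Project-version": "assetProjectVersion",
    "Group": "assetGroup", "Group Path": "assetGroupPath",
}

# Matrix from the profiling slide (True = permitted). Row = source group, column = destination.
MATRIX = {
    "Cell 1": {"Cell 1": True,  "Cell 2": False, "PLC": True, "MES": False},
    "Cell 2": {"Cell 1": False, "Cell 2": True,  "PLC": True, "MES": False},
    "PLC":    {"Cell 1": True,  "Cell 2": True,  "PLC": True, "MES": True},
    "MES":    {"Cell 1": False, "Cell 2": False, "PLC": True, "MES": True},
}
GROUP_TO_SGT = {"Cell 1": 10, "Cell 2": 11, "PLC": 12, "MES": 13}   # constructed SGT values
SGT_TO_GROUP = {v: k for k, v in GROUP_TO_SGT.items()}


def to_ise_attributes(component: dict) -> dict:
    """pxGrid update: rename properties to ISE names; the protocol list becomes one string."""
    attrs = {}
    for key, value in component.items():
        if key not in CV_TO_ISE:
            raise KeyError("no ISE attribute for Cyber Vision property %r" % key)
        if key == "Protocols" and isinstance(value, (list, tuple)):
            value = ",".join(value)
        if key == "Mac":
            value = value.lower()
        attrs[CV_TO_ISE[key]] = value
    return attrs


def assign_sgt(attrs: dict):
    """ISE authorization result: SGT from the assetGroup custom attribute, None if unknown."""
    return GROUP_TO_SGT.get(attrs.get("assetGroup"))


def is_permitted(src_sgt, dst_sgt) -> bool:
    """TrustSec matrix lookup; anything without an SGT or outside the matrix is denied."""
    src, dst = SGT_TO_GROUP.get(src_sgt), SGT_TO_GROUP.get(dst_sgt)
    return bool(src and dst and MATRIX.get(src, {}).get(dst, False))


def evaluate_flow(src_component: dict, dst_component: dict) -> bool:
    """Whole pipeline for one flow: Cyber Vision component -> ISE attributes -> SGT -> matrix."""
    return is_permitted(assign_sgt(to_ise_attributes(src_component)),
                        assign_sgt(to_ise_attributes(dst_component)))


def audit_matrix(matrix: dict) -> list:
    """(a, b) pairs where a->b is permitted but b->a is not, i.e. one-way rules worth a review."""
    return [(a, b) for a in matrix for b in matrix if matrix[a].get(b) and not matrix[b].get(a)]


def impact_of_move(asset: dict, new_group: str, peers: list) -> list:
    """Names of peers the asset can reach now but not after its Cyber Vision group changes."""
    moved = dict(asset, Group=new_group)
    return [p["Name"] for p in peers if evaluate_flow(asset, p) and not evaluate_flow(moved, p)]


# Constructed components laid out like the slide: an HMI and workstation in Cell 1, a PLC, the MES.
HMI_CELL1 = {"ID": 101, "Name": "hmi-1", "IP": "10.35.66.20", "Mac": "00:11:22:33:44:55",
             "Protocols": ["Profinet", "S7"], "Group": "Cell 1", "Group Path": "Plant/Cell 1"}
WS_CELL1 = {"ID": 103, "Name": "eng-ws-1", "IP": "10.35.66.22", "Mac": "00:11:22:33:44:77",
            "Group": "Cell 1", "Group Path": "Plant/Cell 1"}
PLC_CELL1 = {"ID": 102, "Name": "plc-1", "IP": "10.35.66.21", "Mac": "00:11:22:33:44:66",
             "Protocols": ["Profinet"], "Group": "PLC", "Group Path": "Plant/Cell 1"}
MES = {"ID": 200, "Name": "mes", "IP": "10.35.60.5", "Mac": "00:11:22:33:55:00", "Group": "MES"}

if __name__ == "__main__":
    print("hmi-1 -> eng-ws-1:", evaluate_flow(HMI_CELL1, WS_CELL1))
    print("hmi-1 -> mes:", evaluate_flow(HMI_CELL1, MES))
    print("one-way rules:", audit_matrix(MATRIX))
    print("lost after move to Cell 2:", impact_of_move(HMI_CELL1, "Cell 2", [WS_CELL1, PLC_CELL1, MES]))
```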
OT Asset Properties in Cyber Vision
OT Asset Properties transferred to ISE via pxGrid
ISE TrustSec Policy Matrix
ISE Security Policy Enforced After OT Asset Moved to another Cell
[Screenshot: Communication Failed]
Automation for Business Agility
Why to Automate
Benefits of Automation
• Rapid & consistent changes.
• Simplicity.
• Reducing human error.
• Making changes on the fly.
• Ease for Non-IT end users to consume IT resources.
• Quick recovery after disaster.
How To Automate & Where to Start
[Figure: ... Can Help !!]
Catalyst Center Developer Toolkit
Collecting switch port information using Catalyst Center Developer Toolkit:
https://10.46.207.5/dna/intent/api/v1/business/sda/hostonboarding/user-device
https://developer.cisco.com/docs/dna-center/
Catalyst Center REST API Example 1: (Catalyst Center Authentication)
Catalyst Center REST API Example 2: (Configuring Switch port)
Executing REST operation “POST” by using content of Body field from the output of “GET” operation through Catalyst Center Developer Toolkit.
ISE REST API Example 3: (SGT)
Creating, Modifying & Deleting SGT through ISE REST API.
[Screenshots: SGT OUID received from GET operation output; SGT-ACL OUID received from GET operation output]
ISE REST API Example 4: (SGT-ACL)
Creating, Modifying & Deleting SGT-ACL through ISE REST API.
[Screenshot: SGT-ACL OUID received from GET operation output]
RESTCONF On Switches Example 5: (Port, IPv4 ACL)
Shut/No Shut port, Create/Modify/Delete IPv4 ACL, save configuration through RESTCONF.
Port Shut/No Shut by setting value “true” or “false” under “enabled” key.
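The five API examples above are screenshots; the added example below (not Cisco code) builds the equivalent requests as plain dictionaries so they can be inspected and tested offline, with a small send() using urllib for live use. The Catalyst Center token path, the user-device query parameters and POST body fields, the ISE ERS SGT resource shape and the ietf-interfaces RESTCONF model are assumed from the published API documentation for these products; hostnames and credentials are placeholders.

```python
"""Request builders for the Catalyst Center, ISE ERS and RESTCONF calls in Examples 1-5."""
import base64
import json
import urllib.request
from urllib.parse import quote, urlencode

CATC_TOKEN_PATH = "/dna/system/api/v1/auth/token"                        # assumed from the API docs
CATC_USER_DEVICE_PATH = "/dna/intent/api/v1/business/sda/hostonboarding/user-device"  # URL from the slide


def _basic(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def catc_token_request(host: str, user: str, password: str) -> dict:
    """Example 1: POST with Basic auth; the JSON reply carries the value used as X-Auth-Token."""
    return {"method": "POST", "url": f"https://{host}{CATC_TOKEN_PATH}",
            "headers": {"Authorization": _basic(user, password), "Content-Type": "application/json"},
            "body": None}


def catc_port_query(host: str, token: str, device_ip: str, interface: str) -> dict:
    """Example 2, GET half: read the current port assignment (query parameter names assumed)."""
    qs = urlencode({"deviceManagementIpAddress": device_ip, "interfaceName": interface})
    return {"method": "GET", "url": f"https://{host}{CATC_USER_DEVICE_PATH}?{qs}",
            "headers": {"X-Auth-Token": token, "Accept": "application/json"}, "body": None}


def catc_port_assign(host: str, token: str, assignment: dict) -> dict:
    """Example 2, POST half: resend the Body taken from the GET output, edited as needed."""
    required = {"deviceManagementIpAddress", "siteNameHierarchy", "interfaceName"}  # assumed field names
    missing = required - assignment.keys()
    if missing:
        raise ValueError("port assignment body missing %s" % sorted(missing))
    return {"method": "POST", "url": f"https://{host}{CATC_USER_DEVICE_PATH}",
            "headers": {"X-Auth-Token": token, "Content-Type": "application/json"},
            "body": dict(assignment)}


def ise_sgt_request(host: str, user: str, password: str, name: str, value: int, description: str = "") -> dict:
    """Examples 3/4: ISE ERS create of an SGT; PUT to .../sgt/<id> modifies and DELETE removes it."""
    if not isinstance(value, int) or not 0 < value < 65536:
        raise ValueError("SGT value must be a positive 16-bit integer")
    return {"method": "POST", "url": f"https://{host}:9060/ers/config/sgt",
            "headers": {"Authorization": _basic(user, password), "Accept": "application/json",
                        "Content-Type": "application/json"},
            "body": {"Sgt": {"name": name, "value": value, "description": description}}}


def restconf_port_state(host: str, user: str, password: str, interface: str, enabled: bool) -> dict:
    """Example 5: shut / no shut by setting "enabled" on the ietf-interfaces resource."""
    body = {"ietf-interfaces:interface": {"name": interface, "type": "iana-if-type:ethernetCsmacd",
                                          "enabled": bool(enabled)}}
    return {"method": "PATCH",
            "url": f"https://{host}/restconf/data/ietf-interfaces:interfaces/interface={quote(interface, safe='')}",
            "headers": {"Authorization": _basic(user, password), "Accept": "application/yang-data+json",
                        "Content-Type": "application/yang-data+json"},
            "body": body}


def send(req: dict, timeout: float = 10.0):
    """Execute a built request with TLS verification left on; returns (status, parsed JSON or None)."""
    data = json.dumps(req["body"]).encode() if req["body"] is not None else None
    r = urllib.request.Request(req["url"], data=data, headers=req["headers"], method=req["method"])
    with urllib.request.urlopen(r, timeout=timeout) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


if __name__ == "__main__":
    for req in (catc_token_request("catc.example", "admin", "secret"),
                catc_port_query("catc.example", "TOKEN", "10.46.203.252", "TenGigabitEthernet1/0/12"),
                restconf_port_state("sw.example", "admin", "secret", "GigabitEthernet1/0/1", False)):
        print(req["method"], req["url"], json.dumps(req["body"]))
```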
Rapid Problem Resolution through Assurance
Catalyst Center Assurance Dashboard
1 AP Disconnected from WLC
2 WLC Reboot Crash
Configuring Events Notification using Webhook
[Screenshot: URL of Management Server via Webhook]
Configuring Events Notification using Webhook
[Screenshot: Events included in Notification]
Events Notification via Webhook
“Businesses that grow by development and improvement do not die.”
Henry Ford, February 15, 1923
Complete Your Session Evaluations
Earn 100 points per survey completed and compete on the Cisco Live Challenge leaderboard.
• Visit the Cisco Showcase for related demos
Thank you
#CiscoLive