Modernizing Manufacturing Plants Through Cisco DNA Solution


Convergence of IT and OT for Common Goal

Sadiq Memon – Principal Architect
@sadhussa
BRKENS-2825
#CiscoLive
Cisco Webex App
https://ciscolive.ciscoevents.com/ciscolivebot/#BRKENS-2825

Questions? Use Cisco Webex App to chat with the speaker after the session.

How
1 Find this session in the Cisco Live Mobile App
2 Click "Join the Discussion"
3 Install the Webex App or go directly to the Webex space
4 Enter messages/questions in the Webex space

Webex spaces will be moderated by the speaker until June 7, 2024.

BRKENS-2825 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Agenda
• Modernizing Factories - Why & How?
• Cisco DNA - Overview.
• Manufacturing Design Considerations & Use-Cases.
• Seamless Security Enforcement.
• Automation for Business Agility.
• Rapid Problem Resolution through Assurance.

Modernizing Factories: Why & How?

Understanding Industrial Evolution (Mechanized Systems)

Industry 0.0 (1440-1500)
Printing Press innovation by Johannes Gutenberg in Germany.

Industry 1.0 (1760-1860)
Rise of steam- and water-powered mechanized systems, with the development of machine tools in England.

Industry 2.0 (1870-1920)
Iron/Steel production, build-out of railroads, widespread use of machinery, beginning of electrification and mass production through assembly lines.

Understanding Industrial Evolution (Digitized Information Systems)

Industry 3.0 (1950-1970)
Shift from mechanical and analog electronic systems to digital electronic systems. Beginning of automation of the manufacturing process.

Industry 4.0 (2011)
Digital integration and automation of the manufacturing process. Converting digital data into information for business decisions (evolution of IIoT).

Industry 5.0 (2023)
Cognitive intelligence. Synergy between human and machine learning. Innovation of Generative Pre-trained Transformers (GPT).

Cisco DNA Overview

Digital Network Architecture (DNA): Intent-based Architecture

Main Components:
• Software Defined Access (SDA)
• Identity Services Engine (ISE)
• Catalyst Center

[Diagram: Cisco Catalyst Center (Policy, Automation, Analytics) on top, sending Intent down to and receiving Context from the Intent-Based Fabric (Network Infrastructure Control); beneath it the SD-Access Fabric with Fabric Border and Fabric Edge nodes over Switch, Route and Wireless infrastructure; SAAS, ACI, Data Center, SD-WAN and Wireless shown as adjoining domains; Learning and Security span the stack.]

Digital Network Architecture (DNA)
• The Foundation for Cisco's Intent-Based Network

One Automated Network Fabric: single fabric for Wired and Wireless with full automation.
Identity-Based Policy and Segmentation: policy definition decoupled from VLAN and IP address.
AI-Driven Insights and Telemetry: analytics and visibility into User and Application experience.

[Diagram: Cisco Catalyst Center (Policy, Automation, Assurance) above an SD-Access fabric with Border (B) and Control-Plane (C) nodes, an Outside connection and an SD-Access Extension; an IoT Network and an Employee Network hang off the fabric; Client Mobility: Policy follows User.]

Identity Services Engine (Zero Trust Platform for Workplace)

Cisco DNA Roles and Terminology

▪ Network Automation – Simple GUI Automation and APIs for intent-based Automation of wired and wireless fabric devices
▪ Network Assurance – Data Collectors analyze Endpoint to Application flows and monitor fabric device status
▪ Identity Services – NAC and ID Services (e.g., ISE) for dynamic Endpoint to Group mapping and Policy definition
▪ Control-Plane Nodes – Map System that manages Endpoint to Device relationships
▪ Fabric Border Nodes – A fabric device (e.g., Core) that connects External L3 network(s) to the SD-Access fabric
▪ Fabric Edge Nodes – A fabric device (e.g., Access or Distribution) that connects Wired Endpoints to the SD-Access fabric
▪ Fabric Wireless Controller – A fabric device (WLC) that connects Fabric APs and Wireless Endpoints to the SD-Access fabric

[Diagram: Cisco ISE (Identity Services) and Cisco Catalyst Center (Automation, Assurance) above an SDA fabric built from Fabric Border Nodes (B), Control-Plane Nodes (C), Intermediate Nodes (Underlay), Fabric Edge Nodes, Fabric Wireless Controllers and Fabric Access Points.]

SD-Access Fabric (A Closer Look): Control-Plane Nodes

Control-Plane Node runs a Host Tracking Database to map location information.

• A simple Host Database that maps Endpoint IDs to a current location, along with other attributes
• Host Database supports multiple Endpoint ID lookup types (IPv4, IPv6, or MAC)
• Receives Endpoint ID map registrations from Edge and/or Border Nodes for "known" IP prefixes
• Resolves lookup requests from Edge and/or Border Nodes to locate destination Endpoint IDs

Host Tracking Database entries for the endpoint behind Fabric Edge FE1 (IP 1.2.3.4/32, MAC AA:BB:CC:DD):
  IP to RLOC:          1.2.3.4 → FE1
  MAC to RLOC:         AA:BB:CC:DD → FE1
  Address Resolution:  1.2.3.4 → AA:BB:CC:DD

[Diagram: Control-Plane node (C) and two Border nodes (B) in the fabric; Fabric Edge FE1 with the attached endpoint.]

SD-Access Fabric (A Closer Look): Edge Nodes

Edge Node provides first-hop services for Users/Devices connected to a Fabric.

• Responsible for Identifying and Authenticating Endpoints (e.g., Static, 802.1X, Active Directory)
• Register specific Endpoint ID info (e.g., /32 or /128) with the Control-Plane Node(s)
• Provide an Anycast L3 Gateway for the connected Endpoints (same IP address on all Edge Nodes)
• Perform encapsulation/de-encapsulation of data traffic to and from all connected Endpoints

[Diagram: same fabric as the previous slide; FE1 with endpoint IP 1.2.3.4/32, MAC AA:BB:CC:DD, and its IP to RLOC, MAC to RLOC and Address Resolution entries on the Control-Plane node.]

SD-Access Fabric (A Closer Look): Border Nodes

Border Node is an Entry and Exit point for data traffic going into and out of a Fabric.

There are 3 Types of Border Nodes:
• Internal Border (Rest of Company): connects ONLY to the known areas of the company
• External Border (Outside): connects ONLY to unknown areas outside the company
• Internal and External (Anywhere): connects transit areas AND known areas of the company

SD-Access Fabric (A Closer Look): Border Nodes - Internal

Internal Border advertises Endpoints to outside and known Subnets to inside.

• Connects to any "known" IP Subnets available from the outside network (e.g., DC, WLC, FW)
• Exports all internal IP Pools to outside (as aggregate), using traditional IP routing protocol(s)
• Imports and registers (known) IP Subnets from outside into the Control-Plane Map System
• Hand-off requires mapping the context (VRF and SGT) from one domain to another

[Diagram: Border nodes (B) between Known Networks (IP 1.2.3.0/24) and Unknown Networks; Control-Plane node (C); fabric endpoint IP 1.2.3.4/32, MAC AA:BB:CC:DD.]

SD-Access Fabric (A Closer Look): Border Nodes - External

External Border is a "Gateway of Last Resort" for any unknown destinations.

• Connects to any "unknown" IP subnets outside of the network (e.g., Internet, Public Cloud)
• Exports all internal IP Pools outside (as aggregate) into traditional IP routing protocol(s)
• Does NOT import unknown routes; uses "default" exit if no entry is available in Control-Plane
• Hand-off requires mapping the context (VRF and SGT) from one domain to another

[Diagram: Border nodes (B) with default route IP 0.0.0.0/0 toward Unknown Networks; Known Networks; Control-Plane node (C); fabric endpoint IP 1.2.3.4/32, MAC AA:BB:CC:DD.]

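A small model of the control-plane Host Tracking Database and of the edge, internal-border and external-border behaviour from the last five slides, written as an added example (not Cisco code and not the LISP map-server implementation). The node names FE1/FE2/FE3/BN-INT/BN-EXT, the known subnet 10.1.0.0/16 and the IPv6 client are constructed; the deck's 1.2.3.4 / AA:BB:CC:DD endpoint is kept, with the MAC padded to six octets.

```python
import ipaddress
from typing import Dict, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def normalize_mac(mac: str) -> str:
    """Accept AA:BB:CC:DD:EE:FF, aabb.ccdd.eeff or aa-bb-cc-dd-ee-ff; return lower-case colon form."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class HostTrackingDB:
    """Control-plane node view of the fabric: Endpoint ID (EID) -> Routing Locator (RLOC).

    Edge nodes register host EIDs (/32 or /128) together with the MAC; an internal border
    registers the 'known' aggregate prefixes it imports from outside; the external border is
    the gateway of last resort returned when no entry exists.
    """

    def __init__(self, external_border: Optional[str] = None) -> None:
        self._ip_to_rloc: Dict[IPNetwork, str] = {}
        self._mac_to_rloc: Dict[str, str] = {}
        self._ip_to_mac: Dict[str, str] = {}     # address-resolution entries
        self.external_border = external_border

    # Registrations: what edge and border nodes send to the control plane.
    def register_endpoint(self, ip: str, mac: str, rloc: str) -> None:
        addr = ipaddress.ip_address(ip)
        host = ipaddress.ip_network(str(addr))    # /32 or /128 host route
        mac = normalize_mac(mac)
        self._ip_to_rloc[host] = rloc             # re-registering moves a roaming host
        self._mac_to_rloc[mac] = rloc
        self._ip_to_mac[str(addr)] = mac

    def register_prefix(self, prefix: str, rloc: str) -> None:
        """Internal border: register a 'known' subnet imported from outside as an aggregate."""
        net = ipaddress.ip_network(prefix, strict=True)
        if net.prefixlen == net.max_prefixlen:
            raise ValueError("borders register aggregates; host EIDs come from edge nodes")
        self._ip_to_rloc[net] = rloc

    def deregister_endpoint(self, ip: str) -> None:
        addr = ipaddress.ip_address(ip)
        self._ip_to_rloc.pop(ipaddress.ip_network(str(addr)), None)
        mac = self._ip_to_mac.pop(str(addr), None)
        if mac is not None:
            self._mac_to_rloc.pop(mac, None)

    # Lookups: what edge and border nodes ask the control plane.
    def lookup_ip(self, ip: str) -> Optional[str]:
        """Longest-prefix match over registered EIDs; unknown destinations use the default exit."""
        addr = ipaddress.ip_address(ip)
        best: Optional[IPNetwork] = None
        for net in self._ip_to_rloc:
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best.prefixlen:
                    best = net
        return self._ip_to_rloc[best] if best is not None else self.external_border

    def lookup_mac(self, mac: str) -> Optional[str]:
        return self._mac_to_rloc.get(normalize_mac(mac))

    def resolve(self, ip: str) -> Optional[str]:
        """Address resolution IP -> MAC answered from the database instead of flooding ARP."""
        return self._ip_to_mac.get(str(ipaddress.ip_address(ip)))

    def is_fabric_host(self, ip: str) -> bool:
        """True when an edge node registered this exact host, i.e. it lives inside the overlay."""
        return ipaddress.ip_network(str(ipaddress.ip_address(ip))) in self._ip_to_rloc


def build_demo_db() -> HostTrackingDB:
    """Constructed scenario: FE1 hosts the deck's 1.2.3.4 / AA:BB:CC:DD (padded to six octets),
    FE2 hosts an IPv6 client, BN-INT imports the known subnet 10.1.0.0/16, BN-EXT is the default."""
    db = HostTrackingDB(external_border="BN-EXT")
    db.register_endpoint("1.2.3.4", "AA:BB:CC:DD:00:01", "FE1")
    db.register_endpoint("2001:db8::10", "aabb.ccdd.0002", "FE2")
    db.register_prefix("10.1.0.0/16", "BN-INT")
    return db


if __name__ == "__main__":
    db = build_demo_db()
    for dst in ("1.2.3.4", "10.1.7.9", "203.0.113.9", "2001:db8::10"):
        print(f"{dst:>14} -> {db.lookup_ip(dst)}")
    print("resolve 1.2.3.4 ->", db.resolve("1.2.3.4"))
    db.register_endpoint("1.2.3.4", "AA:BB:CC:DD:00:01", "FE3")   # the host roamed to FE3
    print("after roam 1.2.3.4 ->", db.lookup_ip("1.2.3.4"))
```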
SD-Access Fabric (A Closer Look): Fabric Enabled Wireless

Fabric Enabled WLC is integrated into Fabric for SD-Access Wireless clients.

• Connects to Fabric via Border (Underlay)
• Fabric Enabled APs connect to the WLC (CAPWAP) using a dedicated Host Pool (Overlay)
• Fabric Enabled APs connect to the Edge via VXLAN
• Wireless Clients (SSIDs) use regular Host Pools for data traffic and policy (same as Wired)
• Fabric Enabled WLC registers Clients with the Control-Plane (as located on local Edge and AP)

[Diagram: WLC attached through the Border nodes (B); Control: CAPWAP, Data: VXLAN; Known and Unknown Networks; Control-Plane node (C); wireless client IP 1.2.3.4/32, MAC AA:BB:CC:DD.]

Manufacturing Design Considerations & Use-Cases

IT vs OT Requirements

IT: Protect the Data            OT: Protect the Process
1. Confidentiality              1. Availability
2. Integrity                    2. Integrity
3. Availability                 3. Confidentiality

Industrial Automation Architecture

Outcomes
• Improve uptime, OEE and asset utilization
• Reduce support effort and deployment errors
• Reduce risk from cybersecurity threats

Benefits
• Validated Design and Implementation guidance developed by Cisco engineering
• Tested against leading IACS vendor devices and applications
• Experienced Cisco services ready to apply to customer scenarios

How to Transform Industrial Automation Architecture to Cisco DNA

Key design questions
• Could we apply the Purdue Model with the Cisco DNA solution?
• Shared IT/OT SDA Fabric vs. dedicated SDA Fabrics for IT and OT separately?
• Should the SDA Fabric extend to the Industrial Access Layer?
• Should IT and OT share the same Catalyst Center for managing the overall infrastructure?
• How does Industrial Wireless integrate with the Cisco DNA solution?

OT Requirements vs Current DNA Support

Requirement: Tolerance to network outages: 10-80ms
Current support: Failure on the underlay may produce outages > 200ms

Requirement: Layer 2 multicast is used for device discovery, producer/consumer messages
Current support: L2 flooding enables multicast, but the broadcast domain is extended through the fabric; IGMP has not been validated

Requirement: Resiliency protocols in industrial networks: PRP, MRP, DLR, HSR, REP
Current support: Only REP is supported in Catalyst Center today

Requirement: QoS: Priority queue needs to be reserved for high priority traffic
Current support: Application policy is based on enterprise profile

Requirement: QoS: Profinet uses COS values
Current support: Application policy does not support COS

Requirement: May require precision timing
Current support: Fabric nodes cannot be part of the PTP domain yet

Requirement: L2NAT
Current support: L2NAT configured via Catalyst Center template

1 General Design with Physical Topology

• Enterprise Zone: ISE (PAN, MNT, PSN, PxGrid), Catalyst Center, WLC, Cyber Vision Center
• Stateful Firewall HA pair connects to the Manufacturing VN
• iDMZ Applications and Services: SW Updates, Data Proxy, File Transfers, Remote Access
• Industrial Zone, Site-Level Area: Site Application Servers, Plant Wireless, Security Cameras, Engineering Workstation, Video Endpoint; connectivity via Fabric Edge Node (EN)
• Cell/Area Zone: PLC, HMI, Robots etc.; connectivity via Cisco Industrial Ethernet (IE) switches with Cyber Vision Sensors
• Logical Virtual Networks: Corp VN, Mfg VN, BMS VN, Guest VN

[Diagram: Enterprise Network with shared services (DHCP, DNS, AD), Internet, AMP Cloud, Talos and XDR; NGFW HA pair (HA/State Link) connected via eBGP Multi-hop to the SDA Fabric; Industrial DMZ; Industrial Zone with a Site-Level Area and Cell/Area Zone-1 and Zone-2 built from Cisco IE Switches, Cyber Vision Sensors, PLC, HMI, MES and SIS.]

General Design with Firewall inline in Manufacturing Virtual Network

[Diagram: SDA Site Network Border Node (BGP AS-100) 1.1.1.1 -- INSIDE 1.1.1.2 -- Firewall (F) -- OUTSIDE 2.2.2.1 -- 2.2.2.2 Fusion Node (BGP AS-100) in the Corporate Network; STATIC ROUTES on both sides of the firewall, eBGP Multi-hop across it.]

NOTE: Manual Configuration Required.

STATIC ROUTES
BN: ip route vrf mfg_vn 2.2.2.1 255.255.255.255 1.1.1.2
BN: ip route vrf mfg_vn 2.2.2.2 255.255.255.255 1.1.1.2
!
FN: ip route vrf mfg_vn 1.1.1.2 255.255.255.255 2.2.2.1
FN: ip route vrf mfg_vn 1.1.1.1 255.255.255.255 2.2.2.1

BGP CHANGES
BN: router bgp 100
 !
 address-family ipv4 vrf cpn_vn
  neighbor 2.2.2.2 remote-as 200
  neighbor 2.2.2.2 ebgp-multihop 2
 exit-address-family

• STATIC Routes between BN/FN and FW.
• Minor Modification on Border Node BGP configuration by changing the neighbor IP of the Fusion Node.
• Catalyst Center Templates can be used to automate the additional configuration.
• BGP Default TTL is 1 (annotation on the ebgp-multihop 2 line).

2 No Faults Forward (NFF) (Enable L2 Flooding on Wireless Subnet)

[Diagram: Enterprise Network (Cyber Vision Center, ISE, Cisco Catalyst Center; NGFW HA pair with HA/State Link) connected via eBGP Multi-hop to the SDA Fabric. App server 10.46.202.3/27 on VLAN1033 (Anycast GW 10.46.202.1/27) sends an IP Network Broadcast; it crosses the Access Tunnel to VLAN1058 / NFF_VLAN (Anycast GW 10.46.203.65/28, subnet NFF_10.46.203.64/28) as an IP Directed Broadcast to wireless clients 10.46.203.72/28 and 10.46.203.73/28 on SSID LIGHTNING (vehicles with VIN 1J4GZ78Y5PC574443 and 1HJ2Y78X5RC572254). Packet capture on FE switch 10.46.200.80; AP management IP 10.46.203.252.]

CLI Configuration on FE Switches (Fabric Template Editor on CatC can be used):

On FE Switch with APs (L2 LISP instance-id for VLAN 1058):
router lisp
 instance-id 8191
  service-ethernet
   eid-table vlan 1058
    broadcast-underlay 239.0.17.1
    flood unknown-unicast
    flood access-tunnel

On FE Switch with Server:
interface vlan 1033
 ip network-broadcast
!
interface vlan 1058
 ip directed-broadcast

No Faults Forward (NFF) - Output

Sender (TestPC, test.local; 10.46.202.3(Preferred), mask 255.255.255.224, gateway 10.46.202.1), Sender Only mode, destination 10.46.203.79 port 2001:
<TX 268; 10.46.203.79:2001> hello Fabric test
<TX 268; 10.46.203.79:2001> hello Fabric test
<TX 268; 10.46.203.79:2001> hello Fabric test
<TX 268; 10.46.203.79:2001> hello Fabric test

Receiver (test.local; 10.46.203.72(Preferred), mask 255.255.255.240, gateway 10.46.203.65), Receiver Only mode, port 2001:
<RX 268; 10.46.203.79:62186> hello Fabric test
<RX 268; 10.46.203.79:62187> hello Fabric test

No Faults Forwarding (NFF) - Packet Capture

Outer header: FE Switch IP 10.46.200.80 → Wireless AP Mgmt IP 10.46.203.252 (Connecting AP). Inner frame: App Server 10.46.202.3 → 255.255.255.255, Data payload.

EN1# show monitor capture en1_zff buffer detail
Starting the packet display ........ Press Ctrl + Shift + 6 to exit
Frame 1: 111 bytes on wire (888 bits), 111 bytes captured (888 bits) on interface /tmp/epc_ws/wif_to_ts_pipe, id 0
    [Protocols in frame: eth:ethertype:ip:udp:vxlan:eth:ethertype:ip:udp:data]
Ethernet II, Src: 00:00:00:00:00:00, Dst: 00:00:00:00:00:00
    Destination: 00:00:00:00:00:00 (00:00:00:00:00:00)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.46.200.80, Dst: 10.46.203.252
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
    Protocol: UDP (17)
    Source: 10.46.200.80
    Destination: 10.46.203.252
User Datagram Protocol, Src Port: 65345, Dst Port: 4789
    Source Port: 65345
    Destination Port: 4789
Virtual eXtensible Local Area Network
    Flags: 0x0800, VXLAN Network ID (VNI)
    Group Policy ID: 0
    VXLAN Network Identifier (VNI): 8191
Ethernet II, Src: 00:00:0c:9f:fb:54, Dst: ff:ff:ff:ff:ff:ff
    Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
        Address: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
    Source: 00:00:0c:9f:fb:54 (00:00:0c:9f:fb:54)
        Address: 00:00:0c:9f:fb:54 (00:00:0c:9f:fb:54)
Internet Protocol Version 4, Src: 10.46.202.3, Dst: 255.255.255.255
    0100 .... = Version: 4
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
    Time to live: 126
    Protocol: UDP (17)
    Source: 10.46.202.3
    Destination: 255.255.255.255
User Datagram Protocol, Src Port: 62186, Dst Port: 2001
    Source Port: 62186
    Destination Port: 2001
Data (19 bytes)
    0000 68 65 6c 6c 6f 20 46 61 62 72 69 63 20 74 65 73 hello Fabric test..

3 Wake on LAN (WoLAN) (Enable L2 Flooding & IP Directed-Broadcast on IoT Subnet)

No CLI configuration needed. Catalyst Center workflow is sufficient.

NOTE: Wireless EPs do need Access-Tunnel manual config in the LISP L2 instance-id.

[Diagram: Enterprise Network (Cyber Vision Center, ISE, Cisco Catalyst Center; NGFW HA pair with HA/State Link) connected via eBGP Multi-hop to the SDA Fabric. App server 10.46.199.20/28 sends an IP Network Broadcast into the fabric; it is delivered as an IP Directed Broadcast to the IoT subnet wol_10.46.203.64/28 (VLAN1058, Anycast GW 10.46.203.65/28) in Cell/Area Zone-2 (Cisco IE Switches, Cyber Vision Sensors, PLC, HMI, SIS). Packet capture on FE switch 10.46.200.80; 10.46.203.252 shown on the wireless side.]

Wake on LAN (WoL) - Output

Sender (PC2, test.local; 10.46.199.20(Preferred), mask 255.255.255.240, gateway 10.46.199.17), Sender Only mode, destination 10.46.203.79 port 2001:
<TX 268; 10.46.203.79:2001> hello
<TX 268; 10.46.203.79:2001> hello
<TX 268; 10.46.203.79:2001> hello
<TX 268; 10.46.203.79:2001> hello

Receiver (test.local; 10.46.203.72(Preferred), mask 255.255.255.240, gateway 10.46.203.65), Receiver Only mode, port 2001:
<RX 268; 10.46.203.79:62186> hello
<RX 268; 10.46.203.79:62187> hello

Wake on LAN (WoL) - Packet Capture

Outer header: FE Switch IP 10.46.200.80 → Wireless AP Mgmt IP 10.46.203.252 (Connecting AP). Inner frame: App Server 10.46.199.20 → 255.255.255.255, Data payload.

EN3# show monitor capture en1_zff buffer detail
Starting the packet display ........ Press Ctrl + Shift + 6 to exit
Frame 1: 111 bytes on wire (888 bits), 111 bytes captured (888 bits) on interface /tmp/epc_ws/wif_to_ts_pipe, id 0
    [Protocols in frame: eth:ethertype:ip:udp:vxlan:eth:ethertype:ip:udp:data]
Ethernet II, Src: 00:00:00:00:00:00, Dst: 00:00:00:00:00:00
    Destination: 00:00:00:00:00:00 (00:00:00:00:00:00)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.46.200.80, Dst: 10.46.203.252
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
    Protocol: UDP (17)
    Source: 10.46.200.80
    Destination: 10.46.203.252
User Datagram Protocol, Src Port: 65345, Dst Port: 4789
    Source Port: 65345
    Destination Port: 4789
Virtual eXtensible Local Area Network
    Flags: 0x0800, VXLAN Network ID (VNI)
    Group Policy ID: 0
    VXLAN Network Identifier (VNI): 8191
Ethernet II, Src: 00:00:0c:9f:fb:54, Dst: ff:ff:ff:ff:ff:ff
    Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
        Address: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
    Source: 00:00:0c:9f:fb:54 (00:00:0c:9f:fb:54)
        Address: 00:00:0c:9f:fb:54 (00:00:0c:9f:fb:54)
Internet Protocol Version 4, Src: 10.46.199.20, Dst: 255.255.255.255
    0100 .... = Version: 4
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
    Time to live: 126
    Protocol: UDP (17)
    Source: 10.46.199.20
    Destination: 255.255.255.255
User Datagram Protocol, Src Port: 58872, Dst Port: 2001
    Source Port: 58872
    Destination Port: 2001
Data (19 bytes)
    0000 68 65 6c 6c 6f 0d 0a 61 62 72 69 63 20 74 65 73 hello..

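The two captures above (NFF and WoL) dissect the same encapsulation: outer Ethernet/IPv4/UDP 4789 from the FE switch to the AP, an 8-byte VXLAN header with VNI 8191 and a Group Policy ID, then the inner L2 broadcast carrying the IP broadcast. The following is an added example, not from the deck and not Cisco code: it rebuilds a frame from those dissected field values and parses it back. The byte strings are constructed; outer MACs are zero as in the capture, IP/UDP checksums are left at zero, and the WoL payload is shortened to "hello\r\n".

```python
import struct
from dataclasses import dataclass

VXLAN_UDP_PORT = 4789
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
VXLAN_FLAG_I = 0x08          # 'I' bit of the VXLAN flags byte: the VNI field is valid


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _ip(s: str) -> bytes:
    return bytes(int(octet) for octet in s.split("."))


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


@dataclass(frozen=True)
class Decapsulated:
    outer_src_ip: str
    outer_dst_ip: str
    vni: int
    group_policy_id: int     # VXLAN-GPO field; SD-Access carries the SGT here (0 in both captures)
    inner_src_mac: str
    inner_dst_mac: str
    inner_src_ip: str
    inner_dst_ip: str
    inner_dst_port: int
    payload: bytes


def _parse_eth_ip_udp(buf: bytes):
    """Ethernet II / IPv4 / UDP -> (src_mac, dst_mac, src_ip, dst_ip, sport, dport, udp payload)."""
    if len(buf) < 14 + 20 + 8:
        raise ValueError("truncated frame")
    dst_mac, src_mac = buf[0:6], buf[6:12]
    ethertype = struct.unpack("!H", buf[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"ethertype 0x{ethertype:04x} is not IPv4")
    ip = buf[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_UDP:
        raise ValueError(f"IP protocol {ip[9]} is not UDP")
    udp = ip[ihl:total_len]
    sport, dport, ulen = struct.unpack("!HHH", udp[0:6])
    return (_mac_str(src_mac), _mac_str(dst_mac), _ip_str(ip[12:16]), _ip_str(ip[16:20]),
            sport, dport, udp[8:ulen])


def decapsulate(frame: bytes) -> Decapsulated:
    """Strip outer eth/IPv4/UDP and the 8-byte VXLAN header, then parse the inner frame."""
    _, _, o_sip, o_dip, _, o_dport, vx = _parse_eth_ip_udp(frame)
    if o_dport != VXLAN_UDP_PORT:
        raise ValueError(f"UDP dst port {o_dport} is not VXLAN ({VXLAN_UDP_PORT})")
    if len(vx) < 8 or not vx[0] & VXLAN_FLAG_I:
        raise ValueError("VXLAN header missing or VNI flag not set")
    group_policy_id = struct.unpack("!H", vx[2:4])[0]
    vni = int.from_bytes(vx[4:7], "big")          # 24-bit VNI, last byte reserved
    i_smac, i_dmac, i_sip, i_dip, _, i_dport, payload = _parse_eth_ip_udp(vx[8:])
    return Decapsulated(o_sip, o_dip, vni, group_policy_id, i_smac, i_dmac, i_sip, i_dip,
                        i_dport, payload)


def is_flooded_ip_broadcast(pkt: Decapsulated) -> bool:
    """The NFF/WoL case: an L2 broadcast carrying an IP broadcast inside the L2 LISP instance."""
    return pkt.inner_dst_mac == "ff:ff:ff:ff:ff:ff" and pkt.inner_dst_ip == "255.255.255.255"


def _eth_ip_udp(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload, ttl):
    """Build Ethernet II / IPv4 / UDP with zero checksums (constructed test data only)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, ttl, IPPROTO_UDP, 0,
                     src_ip, dst_ip)
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp


def build_capture_frame(inner_src_ip: str, inner_sport: int, payload: bytes) -> bytes:
    """Constructed frame with the field values shown in the captures: outer FE switch
    10.46.200.80 -> AP 10.46.203.252, UDP 65345 -> 4789, VNI 8191, inner source MAC
    00:00:0c:9f:fb:54 -> ff:ff:ff:ff:ff:ff, inner IP -> 255.255.255.255, UDP -> 2001."""
    inner = _eth_ip_udp(_mac("00:00:0c:9f:fb:54"), _mac("ff:ff:ff:ff:ff:ff"),
                        _ip(inner_src_ip), _ip("255.255.255.255"),
                        inner_sport, 2001, payload, ttl=126)
    vxlan = bytes([VXLAN_FLAG_I, 0, 0, 0]) + (8191).to_bytes(3, "big") + b"\x00"
    return _eth_ip_udp(bytes(6), bytes(6), _ip("10.46.200.80"), _ip("10.46.203.252"),
                       65345, VXLAN_UDP_PORT, vxlan + inner, ttl=64)


if __name__ == "__main__":
    nff = build_capture_frame("10.46.202.3", 62186, b"hello Fabric test\r\n")  # 111 bytes like Frame 1
    pkt = decapsulate(nff)
    print(f"{len(nff)} bytes, VNI {pkt.vni}, group policy id {pkt.group_policy_id}")
    print(f"{pkt.inner_src_ip} -> {pkt.inner_dst_ip}:{pkt.inner_dst_port} {pkt.payload!r}")
    print("flooded IP broadcast:", is_flooded_ip_broadcast(pkt))
```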
4 Cisco Ultra Reliable Wireless Backhaul (CURWB) over Cisco SDA

[Diagram: Corporate Network with DNAC 2.3.3.7 and Cat9800-40 WLC 17.12.3 above the SDA fabric. AP Management Subnet VLAN2045 (Anycast GW 10.46.203.33/29) is a Fabric Subnet and, together with the Corporate SSID subnet VLAN518 (Anycast GW), part of Fabric Enabled Wireless (FEW). IW9167-A CURWB radios (17.12) at 10.46.203.34 on the Manufacturing Line and 10.46.203.35 in the Parking Lot, each with an AP-9136 behind it on a TRUNK port with the AP Mgmt VLAN as NATIVE.]

Cisco CURWB Configuration

[Diagram: CURWB link between the radio at 10.46.203.34 and the radio at 10.46.203.35, both using gateway 10.46.203.33.]

Cisco CURWB Configuration

Mesh End radio:
STATUS
Device: Cisco IOT IW9165E Series Access Point
Name: unset  ID: 5.66.194.164
Serial: FOC272919FA
Operating Mode: Mesh End
Uptime: 3 days, 9:38 (hh:mm)
Firmware version: 17.12.1.5
DEVICE SETTINGS
IP: 10.46.203.34  Netmask: 255.255.255.248  MAC address: 40:36:5a:42:c2:a4  Configured MTU: 1530
WIRED0 Status: up  Speed: 2500 Mb/s  Duplex: full  MTU: 1530
WIRED1 Status: down
WIRELESS SETTINGS
Operating region: B
Radio 1 Interface: enabled  Mode: fixed infrastructure  Frequency: 5600 MHz  Channel: 120  Channel Width: 80 MHz  Current tx power: 23 dBm  Current tx power level: 1  Antenna gain: not selected  Antenna number: 2  AES enabled  Radio Mode: csma/ca  Maximum link length: 3 km
Radio 2 Interface: enabled  Mode: fluidity  Frequency: 5745 MHz  Channel: 149  Channel Width: 80 MHz  Current tx power: 20 dBm  Current tx power level: 1  Antenna gain: not selected  Antenna number: 2  AES enabled  Radio Mode: csma/ca  Maximum link length: 3 km

Mesh Point radio:
STATUS
Device: Cisco IOT IW9165E Series Access Point
Name: unset  ID: 5.66.194.84
Serial: FOC2729195H
Operating Mode: Mesh Point
Uptime: 3 days, 9:37 (hh:mm)
Firmware version: 17.12.1.5
DEVICE SETTINGS
IP: 10.46.203.35  Netmask: 255.255.255.248  MAC address: 40:36:5a:42:c2:54  Configured MTU: 1530
WIRED0 Status: up  Speed: 2500 Mb/s  Duplex: full  MTU: 1530
WIRED1 Status: down
WIRELESS SETTINGS
Operating region: B
Radio 1 Interface: enabled  Mode: fixed infrastructure  Frequency: 5600 MHz  Channel: 120  Channel Width: 80 MHz  Current tx power: 23 dBm  Current tx power level: 1  Antenna gain: not selected  Antenna number: 2  AES enabled  Radio Mode: csma/ca  Maximum link length: 3 km
Radio 2 Interface: enabled  Mode: fluidity  Frequency: 5745 MHz  Channel: 149  Channel Width: 80 MHz  Current tx power: 20 dBm  Current tx power level: 1  Antenna gain: not selected  Antenna number: 2  AES enabled  Radio Mode: csma/ca  Maximum link length: 3 km

Catalyst Center Assurance showing FEW Client over CURWB

FEW Client Traces Roaming from one AP to the other over CURWB

2024/04/26 14:56:08.564554962 {wncd_x_R0-0}{1}: [dot11] [19636]: (note): MAC: 8ec7.5d0e.963c Association success. AID 1, Roaming = True, WGB = False, 11r = False, 11w = False Fast roam = False
2024/04/26 14:56:08.564644351 {wncd_x_R0-0}{1}: [client-orch-sm] [19636]: (note): MAC: 8ec7.5d0e.963c Delete mobile payload sent for BSSID: a4b2.3905.352e WTP mac: a4b2.3905.3520 slot id: 1
2024/04/26 14:56:08.564936813 {wncd_x_R0-0}{1}: [client-orch-state] [19636]: (note): MAC: 8ec7.5d0e.963c Client state transition: S_CO_RUN -> S_CO_L2_AUTH_IN_PROGRESS
2024/04/26 14:56:08.565789693 {wncd_x_R0-0}{1}: [client-auth] [19636]: (note): MAC: 8ec7.5d0e.963c ADD MOBILE sent. Client state flags: 0x41 BSSID: MAC: 6871.612e.83ac capwap IFID: 0x90000006, Add mobiles sent: 1

2024/04/26 14:56:08.598424565 {wncd_x_R0-0}{1}: [client-orch-sm] [19636]: (note): MAC: 8ec7.5d0e.963c Mobility discovery triggered. Client mode: Local
2024/04/26 14:56:08.598427740 {wncd_x_R0-0}{1}: [client-orch-state] [19636]: (note): MAC: 8ec7.5d0e.963c Client state transition: S_CO_L2_AUTH_IN_PROGRESS -> S_CO_MOBILITY_DISCOVERY_IN_PROGRESS

2024/04/26 14:56:08.598565043 {wncd_x_R0-0}{1}: [mm-client] [19636]: (note): MAC: 8ec7.5d0e.963c Mobility Successful. Roam Type None, Sub Roam Type MM_SUB_ROAM_TYPE_INTRA_INSTANCE, Previous BSSID MAC: a4b2.3905.352e Client IFID: 0xa0000003, Client Role: Local PoA: 0x90000006 PoP: 0x0
2024/04/26 14:56:08.599112837 {wncd_x_R0-0}{1}: [client-auth] [19636]: (note): MAC: 8ec7.5d0e.963c ADD MOBILE sent. Client state flags: 0x46 BSSID: MAC: 6871.612e.83ac capwap IFID: 0x90000006, Add mobiles sent: 1

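The trace lines above, parsed into the facts an operator checks after a roam: the flags negotiated at association, old and new BSSID, the client state sequence and the time from "Association success" to "Mobility Successful". This is an added example, not Cisco tooling; the 50 ms roam budget, the expected state sequence (taken from this trace) and the reading of the "11w" flag as 802.11w/PMF are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Client traces quoted from the slide above (Cat9800 wncd process, one roaming client).
ROAM_TRACE = """\
2024/04/26 14:56:08.564554962 {wncd_x_R0-0}{1}: [dot11] [19636]: (note): MAC: 8ec7.5d0e.963c Association success. AID 1, Roaming = True, WGB = False, 11r = False, 11w = False Fast roam = False
2024/04/26 14:56:08.564644351 {wncd_x_R0-0}{1}: [client-orch-sm] [19636]: (note): MAC: 8ec7.5d0e.963c Delete mobile payload sent for BSSID: a4b2.3905.352e WTP mac: a4b2.3905.3520 slot id: 1
2024/04/26 14:56:08.564936813 {wncd_x_R0-0}{1}: [client-orch-state] [19636]: (note): MAC: 8ec7.5d0e.963c Client state transition: S_CO_RUN -> S_CO_L2_AUTH_IN_PROGRESS
2024/04/26 14:56:08.565789693 {wncd_x_R0-0}{1}: [client-auth] [19636]: (note): MAC: 8ec7.5d0e.963c ADD MOBILE sent. Client state flags: 0x41 BSSID: MAC: 6871.612e.83ac capwap IFID: 0x90000006, Add mobiles sent: 1
2024/04/26 14:56:08.598424565 {wncd_x_R0-0}{1}: [client-orch-sm] [19636]: (note): MAC: 8ec7.5d0e.963c Mobility discovery triggered. Client mode: Local
2024/04/26 14:56:08.598427740 {wncd_x_R0-0}{1}: [client-orch-state] [19636]: (note): MAC: 8ec7.5d0e.963c Client state transition: S_CO_L2_AUTH_IN_PROGRESS -> S_CO_MOBILITY_DISCOVERY_IN_PROGRESS
2024/04/26 14:56:08.598565043 {wncd_x_R0-0}{1}: [mm-client] [19636]: (note): MAC: 8ec7.5d0e.963c Mobility Successful. Roam Type None, Sub Roam Type MM_SUB_ROAM_TYPE_INTRA_INSTANCE, Previous BSSID MAC: a4b2.3905.352e Client IFID: 0xa0000003, Client Role: Local PoA: 0x90000006 PoP: 0x0
2024/04/26 14:56:08.599112837 {wncd_x_R0-0}{1}: [client-auth] [19636]: (note): MAC: 8ec7.5d0e.963c ADD MOBILE sent. Client state flags: 0x46 BSSID: MAC: 6871.612e.83ac capwap IFID: 0x90000006, Add mobiles sent: 1
"""

EPOCH = datetime(1970, 1, 1)
LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\.(?P<frac>\d+) "
    r"\{(?P<proc>[^}]+)\}\{\d+\}: \[(?P<comp>[^\]]+)\] \[\d+\]: \((?P<sev>\w+)\): "
    r"MAC: (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) (?P<msg>.*)$"
)
TRANSITION_RE = re.compile(r"Client state transition: (\S+) -> (\S+)")
FLAG_RE = re.compile(r"(Roaming|WGB|11r|11w|Fast roam) = (True|False)")
ROAM_TYPE_RE = re.compile(r"Roam Type (\S+), Sub Roam Type (\S+),")
# Assumed expected sequence for a roam on this WLC, taken from the trace itself.
EXPECTED_STATES = [("S_CO_RUN", "S_CO_L2_AUTH_IN_PROGRESS"),
                   ("S_CO_L2_AUTH_IN_PROGRESS", "S_CO_MOBILITY_DISCOVERY_IN_PROGRESS")]


@dataclass(frozen=True)
class TraceEvent:
    ns: int          # nanoseconds since 1970-01-01 (the trace carries 9 fractional digits)
    component: str
    mac: str
    msg: str


def parse_trace(text: str) -> List[TraceEvent]:
    events: List[TraceEvent] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                  # lines without a client MAC are skipped
        base = datetime.strptime(f"{m['date']} {m['time']}", "%Y/%m/%d %H:%M:%S")
        frac = m["frac"].ljust(9, "0")[:9]            # strptime stops at microseconds, keep ns by hand
        ns = int((base - EPOCH).total_seconds()) * 1_000_000_000 + int(frac)
        events.append(TraceEvent(ns, m["comp"], m["mac"], m["msg"]))
    return events


def _first(events: List[TraceEvent], needle: str) -> TraceEvent:
    for e in events:
        if needle in e.msg:
            return e
    raise ValueError(f"no '{needle}' event in trace")


def state_transitions(events: List[TraceEvent], mac: str) -> List[Tuple[str, str]]:
    out = []
    for e in events:
        t = TRANSITION_RE.search(e.msg) if e.mac == mac else None
        if t:
            out.append((t.group(1), t.group(2)))
    return out


def roam_summary(events: List[TraceEvent], mac: str) -> Dict[str, object]:
    """Facts an operator checks after a roam: flags negotiated at association, old and new
    BSSID, roam type, client state sequence and time from association to Mobility Successful."""
    mine = [e for e in events if e.mac == mac]
    assoc = _first(mine, "Association success")
    done = _first(mine, "Mobility Successful")
    added = _first(mine, "ADD MOBILE sent")
    prev = re.search(r"Previous BSSID MAC: (\S+)", done.msg)
    new = re.search(r"BSSID: MAC: (\S+)", added.msg)
    rtype = ROAM_TYPE_RE.search(done.msg)
    return {
        "flags": {name: value == "True" for name, value in FLAG_RE.findall(assoc.msg)},
        "previous_bssid": prev.group(1) if prev else None,
        "new_bssid": new.group(1) if new else None,
        "roam_type": (rtype.group(1), rtype.group(2)) if rtype else None,
        "states": state_transitions(events, mac),
        "roam_ms": (done.ns - assoc.ns) / 1_000_000,
    }


def check_roam(summary: Dict[str, object], budget_ms: float) -> List[str]:
    """Findings against an assumed roam-time budget, the PMF flag and the expected state sequence."""
    findings: List[str] = []
    if summary["roam_ms"] > budget_ms:
        findings.append(f"roam took {summary['roam_ms']:.2f} ms, budget {budget_ms} ms")
    if not summary["flags"].get("11w", False):
        findings.append("802.11w (PMF) not negotiated")
    if summary["states"] != EXPECTED_STATES:
        findings.append(f"unexpected state sequence: {summary['states']}")
    return findings


if __name__ == "__main__":
    summary = roam_summary(parse_trace(ROAM_TRACE), "8ec7.5d0e.963c")
    for key, value in summary.items():
        print(f"{key:>15}: {value}")
    print("findings:", check_roam(summary, budget_ms=50.0))
```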
5 Autonomous Vehicle

Driving vehicles autonomously during the manufacturing process using LiDAR technology. Requires an isolated network with Multicast enabled in the Manufacturing VN.

[Diagram: Corporate Network with a Corp MCAST RP; SDA Fabric with an Internal RP and an External RP joined by MSDP; Mfg MCAST RPs in the Mfg VN beside the Corp VN; IE-3400 access switches; Command Center; Manufacturing Line with Camera, LiDAR and C-V2X RSU; Corporate Employee side with Camera, LiDAR and RSU.]

Configuration of Multicast in Manufacturing VN (Border Nodes)

BN1:
interface Loopback4101
 vrf forwarding mfg_vn
 ip address 10.35.66.9 255.255.255.255
 ip pim sparse-mode
!
ip pim vrf mfg_vn rp-address 10.210.82.72
ip pim vrf mfg_vn register-source Loopback4101
!
router lisp
 instance-id 4101
  service ipv4
   database-mapping 10.35.66.9/32 locator-set rloc_0a6a1d47-bb24-462e-82a1-538a47f0c207
  !
  eid-record instance-id 4101 10.35.66.0/24 accept-more-specifics
!
interface LISP0.4101
 ip pim lisp transport multicast
 ip pim lisp core-group-range 232.0.0.1 1000
!
ip msdp vrf mfg_vn peer 10.35.66.4 connect-source Loopback4101
ip msdp vrf mfg_vn cache-sa-state
ip msdp vrf mfg_vn originator-id Loopback4101
!
snmp-server enable traps msdp
!
! Manual Configuration
interface Loopback4601
 description RP address for CPN MCAST Only
 vrf forwarding mfg_vn
 ip address 10.210.82.72 255.255.255.255
 ip pim sparse-mode
!
router lisp
 instance-id 4101
  service ipv4
   database-mapping 10.210.82.72/32 locator-set rloc_0a6a1d47-bb24-462e-82a1-538a47f0c207
  !
  eid-record instance-id 4101 10.210.82.72/32 accept-more-specifics

BN2:
interface Loopback4101
 vrf forwarding mfg_vn
 ip address 10.35.66.4 255.255.255.255
 ip pim sparse-mode
!
ip pim vrf mfg_vn rp-address 10.210.82.72
ip pim vrf mfg_vn register-source Loopback4101
!
router lisp
 instance-id 4101
  service ipv4
   database-mapping 10.35.66.4/32 locator-set rloc_26c5095c-29c3-46bb-8601-be0f9209a610
  !
  eid-record instance-id 4101 10.35.66.0/24 accept-more-specifics
!
interface LISP0.4101
 ip pim lisp transport multicast
 ip pim lisp core-group-range 232.0.0.1 1000
!
ip msdp vrf mfg_vn peer 10.35.66.9 connect-source Loopback4101
ip msdp vrf mfg_vn cache-sa-state
ip msdp vrf mfg_vn originator-id Loopback4101
!
snmp-server enable traps msdp
!
! Manual Configuration
interface Loopback4601
 description RP address for CPN MCAST Only
 vrf forwarding mfg_vn
 ip address 10.210.82.72 255.255.255.255
 ip pim sparse-mode
!
router lisp
 instance-id 4101
  service ipv4
   database-mapping 10.210.82.72/32 locator-set rloc_26c5095c-29c3-46bb-8601-be0f9209a610
  !
  eid-record instance-id 4101 10.210.82.72/32 accept-more-specifics

Configuration of Multicast in Manufacturing VN (Edge Nodes)

EN1:
interface Loopback4101
 vrf forwarding mfg_vn
 ip address 10.35.66.2 255.255.255.255
 ip pim sparse-mode
!
ip pim vrf mfg_vn rp-address 10.210.82.72
ip pim vrf mfg_vn register-source Loopback4101
!
router lisp
 instance-id 4101
  service ipv4
   database-mapping 10.35.66.2/32 locator-set rloc_9c8e4e71-9764-4470-a930-735c083ed9cd
!
interface LISP0.4101
 ip pim lisp transport multicast
 ip pim lisp core-group-range 232.0.0.1 1000

EN2:
interface Loopback4101
 vrf forwarding mfg_vn
 ip address 10.35.66.5 255.255.255.255
 ip pim sparse-mode
!
ip pim vrf mfg_vn rp-address 10.210.82.72
ip pim vrf mfg_vn register-source Loopback4101
!
router lisp
 instance-id 4101
  service ipv4
   database-mapping 10.35.66.5/32 locator-set rloc_9c8e4e71-9764-4470-a930-735c083ed9cd
!
interface LISP0.4101
 ip pim lisp transport multicast
 ip pim lisp core-group-range 232.0.0.1 1000

en1#show ip mroute vrf mfg_vn count
Use "show ip mfib count" to get better response time for a large number of mroutes.
IP Multicast Statistics
2 routes using 5936 bytes of memory
1 groups, 0.50 average sources per group
Forwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits per second
Other counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc)
Group: 239.16.0.1, Source count: 1, Packets forwarded: 94919, Packets received: 94920
  RP-tree: Forwarding: 0/0/0/0, Other: 0/0/0
  Source: 10.35.74.102/32, Forwarding: 94919/1/391/3, Other: 94920/1/0

en2#show ip mroute vrf mfg_vn count
Use "show ip mfib count" to get better response time for a large number of mroutes.
IP Multicast Statistics
2 routes using 4752 bytes of memory
1 groups, 0.66 average sources per group
Forwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits per second
Other counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc)
Group: 239.16.0.1, Source count: 1, Packets forwarded: 85251, Packets received: 85251
  RP-tree: Forwarding: 1/0/396/0, Other: 1/0/0
  Source: 10.35.74.102/32, Forwarding: 85250/1/396/3, Other: 85250/0/0

6 DHCP server inside SDA Fabric

• DHCP Snooping is used by the SDA Fabric on the FE host port to learn the endpoint. This is by design.
• When a DHCP Server is connected to an FE host port, DHCP snooping stops the DHCP offer from being sent to clients inside the Fabric, protecting them from man-in-the-middle attack.
• The FE host port connecting to the DHCP server requires an additional command to Trust DHCP Snooping.
• The additional commands can be pushed to the specific FE host port where the DHCP server is connected via Catalyst Center Template Editor.

FE host port connecting to the DHCP server (Trust DHCP Snooping enabled):
interface TenGigabitEthernet1/0/12
 switchport trunk allowed vlan 1064
 switchport mode trunk
 device-tracking attach-policy IPDT_POLICY
 ip flow monitor SSA-FNF-MON input
 ip flow monitor SSA-FNF-MON output
 access-session inherit disable interface-template-sticky
 access-session inherit disable autoconf
 no macro auto processing
 et-analytics enable
 ip dhcp snooping trust

[Diagram: Corporate Network with MCAST RP, VBRICK Media Server, DHCP/DNS Server, ISE TACACS+ Server, WAN/DFN Routers, ISE Cluster (2 PAN/MNT/pxGrid, 2 PSN), CatC/DNAC Cluster (3 Nodes) with Backup Server, OSPF Area 412, BGP AS 200 and AS 100, SP RVPN; SD-Access Fabric with Border nodes, WLCs (Multicast Enable), Intermediate nodes (I) and the Corp Virtual Network; DHCP Server on VLAN-1064 192.168.1.1/24 attached to an FE host port with Trust DHCP Snooping Enabled; Clients on VLAN-1024 10.10.10.1/24; Router/FW.]

7 Migration from Legacy Network to SDA

SDA/CatC Migration Strategy:
• Layer 2 Migration through L2 Border Hand-off (L2BHF Trunk, VL-10)
• Convert Wireless: OTT SSID During Migration, FEW SSID After Migration

[Diagram: Corporate Network (labelled Ford Network) with MCAST RP, VBRICK Media Server, DHCP/DNS Server, ISE TACACS+ Server, WAN/DFN Routers, ISE Cluster (2 PAN/MNT/pxGrid, 2 PSN), CatC/DNAC Cluster (3 Nodes) with Backup Server, OSPF Area 412; SDA Fabric (BGP AS 65341) connected over an L2BHF Trunk (VL-10) to the Legacy Network (Manufacturing; BGP AS 65340, OSPF Area 415) with the Legacy-Mfg-SGT and the 19.x.x.x/16 and 20.x.x.x/16 Supernets; VLANs VL-10 10.140.0.1/24, VL-3000 10.30.0.1/24 (ACL) and VL-2500 10.25.0.1/24 (ACL); MPN control and MPN err-prf segments on both sides.]

Seamless Security Enforcement (Wired/Wireless)

Cisco DNA Multi-level Segmentation

Cisco Catalyst Center and ISE Integration Workflow

[Diagram: ISE appliance (SNS 3700 Series) running Cisco ISE 2.3 (Identity Services Engine, identity and policy automation) exchanging APIs with Cisco Catalyst Center (DN3-HW-APL appliance; Design | Policy | Provision | Assurance), whose Network Control Platform (NCP) and Network Data Platform (NDP) expose their own APIs. Between the platforms and the campus fabric of Cisco Switches | Cisco Routers | Cisco Wireless: NETCONF, SNMP, SSH, HTTPS, AAA (RADIUS, TACACS), NetFlow and Syslog]
Cisco DNA Multi-level Segmentation Policy Workflow

[Diagram: classification points along Campus Access, Distribution, Core, DC Core and DC Access across the Enterprise Backbone, with the WLC, Firewall and Hypervisor switch shown as further classification points]

Dynamic Classification: MAB (at the campus access layer and WLC).
Static Classification: L3 Interface (SVI) to SGT, L2 Port to SGT, VLAN to SGT, Subnet to SGT, VM (Port Profile) to SGT.
Cisco Cyber Vision with DNA

• Cyber Vision Center is deployed at Shared Services (alongside Cisco Catalyst Center, ISE and DHCP, DNS, AD).
• Cyber Vision may be deployed in FE (Cat9300, IE9300). Sensor collection IP needs to be part of the underlay.
• Cyber Vision on extended nodes/non-SDA IE switches (IE9300, IE3400, IE3300).

[Diagram: Fabric Site with FE and Cyber Vision sensors on Cisco IE switches serving the HMI and PLC in Cell/Area Zone-1]
Identity Service Engine + Cyber Vision

• Enrich endpoint attributes in ISE with rich context from Cyber Vision.
• Use custom attributes to map industrial process context like Cells and Zones for profiling endpoints.
• Enforce Network Access Control through dynamic assignment of VLAN and dACLs, or micro-segmentation with SGT / TrustSec.
Profiling OT Assets to Enable Dynamic Segmentation

OT: Cyber Vision manages OT assets and provides communication flow information; the OT Engineer can group assets into zones (Cyber Vision Map View of the industrial network).
IT: the IT Engineer now has OT context to build/enforce the right security policies (Cisco ISE). pxGrid update with asset endpoint identities and group Cell1 as custom attribute; dynamic segmentation of the industrial network.

Cell 1 - Segment: dACL, SGT, VLAN

Policy matrix:

           Cell 1   Cell 2   PLC   MES
  Cell 1     ✓        ✘       ✓     ✘
  Cell 2     ✘        ✓       ✓     ✘
  PLC        ✓        ✓       ✓     ✓
  MES        ✘        ✘       ✓     ✓
Cyber Vision and ISE Attributes

ISE attribute        Cisco Cyber Vision property   Description
IOTASSET Library
assetId              ID                            Cyber Vision Component ID
assetName            Name                          Component name
assetIpAddress       IP                            Component IP address
assetMacAddress      Mac                           Component MAC address
assetVendor          Vendor-name                   Component manufacturer (IEEE OUI)
assetProductId       Model-ref                     Manufacturer product ID
assetSerialNumber    Serial-number                 Manufacturer serial number
assetSwRevision      Fw-version                    Component firmware version
assetHwRevision      Hw-version                    Component hardware version
assetProtocol        Protocols                     All protocols concatenated in one string

Custom Attributes
assetModelName       Model-name                    Manufacturer model name
assetOsName          OS-name                       Operating system name
assetProjectName     Project-name                  Project name (from PLC program)
assetProjectVersion  Project-version               Project version (from PLC program)
assetGroup           Group                         Component group in Cyber Vision
assetGroupPath       Group Path                    Component group path in Cyber Vision (nested groups)
assetCustomName      Custom Name                   Custom name assigned to component by user
OT Asset Properties in Cyber Vision

OT Asset Properties transferred to ISE via pxGrid

ISE TrustSec Policy Matrix

ISE Security Policy Enforced After OT Asset Moved to another Cell (Communication Failed)
Automation for Business Agility

Why to Automate

Benefits of Automation
• Rapid & consistent changes.
• Simplicity.
• Reducing human error.
• Making changes on the fly.
• Ease for non-IT end users to consume IT resources.
• Quick recovery after disaster.

How To Automate & Where to Start
Can Help !!
Catalyst Center Developer Toolkit

Collecting switch port information using Catalyst Center Developer Toolkit:
https://10.46.207.5/dna/intent/api/v1/business/sda/hostonboarding/user-device

https://developer.cisco.com/docs/dna-center/
Catalyst Center REST API
Example 1 (Catalyst Center Authentication): Using a REST client to authenticate to Catalyst Center and generate a Token.

Catalyst Center REST API
Example 2 (Configuring Switch port): Executing the REST operation "POST" using the content of the Body field from the output of the "GET" operation through the Catalyst Center Developer Toolkit.
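Examples 1 and 2 in code, added here and not the deck's or Cisco's own: a Basic-auth token request, then a GET of the host-port assignment on the endpoint the slides show, re-posted as the POST body. The token and intent-API paths are real Catalyst Center paths; the query parameter names, the dropped response keys, the device IP and the CA file are assumptions.

```python
"""Catalyst Center intent API: token login, then GET and POST of an SD-Access
host port assignment (added example, not Cisco's code; the paths are from the
slides, the query parameter names and response shape are assumptions)."""
import base64
import json
import ssl
import urllib.parse
import urllib.request

AUTH_PATH = "/dna/system/api/v1/auth/token"
PORT_PATH = "/dna/intent/api/v1/business/sda/hostonboarding/user-device"

def basic_auth_header(username, password):
    """Basic credentials are sent exactly once, to mint the token."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {creds}"}

def extract_token(auth_response_body):
    """The token endpoint answers with {"Token": "<JWT>"}."""
    return json.loads(auth_response_body)["Token"]

def token_headers(token):
    """Every later intent-API call carries the token, never the password."""
    return {"X-Auth-Token": token, "Content-Type": "application/json"}

def port_query_url(base_url, device_ip, interface_name):
    """GET URL for one host port (parameter names are an assumption)."""
    query = urllib.parse.urlencode(
        {"deviceManagementIpAddress": device_ip, "interfaceName": interface_name})
    return f"{base_url}{PORT_PATH}?{query}"

def post_body_from_get(get_body):
    """Example 2 re-posts the GET body minus its response metadata keys."""
    return {k: v for k, v in get_body.items() if k not in ("status", "description")}

def call(method, url, headers, body=None, ctx=None):
    """One HTTPS call; ctx should be an ssl context trusting the appliance CA."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, resp.read().decode()

if __name__ == "__main__":
    base = "https://10.46.207.5"  # Catalyst Center address shown on the slide
    ctx = ssl.create_default_context(cafile="catc-ca.pem")  # placeholder CA file
    _, login = call("POST", base + AUTH_PATH, basic_auth_header("admin", "PASSWORD_PLACEHOLDER"), ctx=ctx)
    hdrs = token_headers(extract_token(login))
    _, got = call("GET", port_query_url(base, "10.10.10.5", "TenGigabitEthernet1/0/12"), hdrs, ctx=ctx)
    print(call("POST", base + PORT_PATH, hdrs, post_body_from_get(json.loads(got)), ctx=ctx))
```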
ISE REST API
Example 3 (SGT): Creating, Modifying & Deleting SGT through ISE REST API. Callouts: SGT OUID received from GET operation output; SGT-ACL OUID received from GET operation output.

ISE REST API
Example 4 (SGT-ACL): Creating, Modifying & Deleting SGT-ACL through ISE REST API. SGT-ACL OUID received from GET operation output.
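Examples 3 and 4 as one added example (not the deck's or Cisco's code): look the SGT or SGT-ACL up by name, take its id from the GET result as the slides do, and use that id for PUT or DELETE, creating it when it does not exist. The ERS port, paths, filter syntax and JSON keys follow the ISE ERS documentation but should be checked against your ISE version; the host name and ACL lines are constructed.

```python
"""ISE ERS API: create/modify/delete an SGT or SGACL, taking the object id (the
'OUID' on the slides) from a GET first. Added example, not Cisco's code; ERS
paths and JSON keys follow the ERS docs but treat them as assumptions."""
import base64
import json
import urllib.parse
import urllib.request

ERS_PORT = 9060  # ERS listens on its own port, separate from the admin GUI

def ers_headers(username, password):
    """ERS needs Basic auth plus explicit JSON Accept and Content-Type."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {creds}", "Accept": "application/json",
            "Content-Type": "application/json"}

def sgt_payload(name, value, description=""):
    """Body for POST /ers/config/sgt and PUT /ers/config/sgt/{id}."""
    return {"Sgt": {"name": name, "value": value, "description": description}}

def sgacl_payload(name, lines, description=""):
    """Body for /ers/config/sgacl; lines are SGACL ACEs, last one the default."""
    return {"Sgacl": {"name": name, "description": description,
                      "ipVersion": "IPV4", "aclcontent": list(lines)}}

def id_from_search(search_body, name):
    """Pick the id of the object called `name` out of an ERS SearchResult."""
    for res in json.loads(search_body)["SearchResult"]["resources"]:
        if res["name"] == name:
            return res["id"]
    return None

def search_url(host, kind, name):
    """GET URL filtering one object type ('sgt' or 'sgacl') by exact name."""
    return f"https://{host}:{ERS_PORT}/ers/config/{kind}?filter=name.EQ.{urllib.parse.quote(name)}"

def ers_call(method, url, headers, body=None, ctx=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, resp.read().decode()

def upsert_sgt(host, headers, name, value, ctx=None):
    """Modify the SGT if it exists (PUT by id) else create it; delete is the same lookup + DELETE."""
    _, found = ers_call("GET", search_url(host, "sgt", name), headers, ctx=ctx)
    obj_id = id_from_search(found, name)
    base = f"https://{host}:{ERS_PORT}/ers/config/sgt"
    if obj_id:
        return ers_call("PUT", f"{base}/{obj_id}", headers, sgt_payload(name, value), ctx=ctx)
    return ers_call("POST", base, headers, sgt_payload(name, value), ctx=ctx)
```

The same pattern applies to SGACLs by swapping `sgt` for `sgacl` and `sgt_payload` for `sgacl_payload`, e.g. `sgacl_payload("Cell1_to_PLC", ["permit tcp dst eq 44818", "deny ip"])` for a constructed EtherNet/IP-only policy.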
RESTCONF On Switches
Example 5 (Port, IPv4 ACL): Shut/No Shut port, Create/Modify/Delete IPv4 ACL, and save configuration through RESTCONF. Port Shut/No Shut by setting value "true" or "false" under the "enabled" key.
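The shut/no-shut and save-configuration part of Example 5 as an added example (not the deck's or Cisco's code): set the `enabled` leaf of the interface over RESTCONF, read it back to confirm, then persist with the IOS-XE `cisco-ia:save-config` RPC. The YANG paths and media type are standard IOS-XE RESTCONF; the host and interface names are constructed, and the IPv4 ACL part of the slide is not shown.

```python
"""RESTCONF on an IOS-XE switch: shut/no-shut a port through the 'enabled' leaf
of ietf-interfaces, read it back, then persist it with cisco-ia:save-config
(added example, not from the deck; Example 5's IPv4 ACL part is not shown)."""
import base64
import json
import urllib.parse
import urllib.request

YANG_JSON = "application/yang-data+json"

def restconf_headers(username, password):
    """RESTCONF uses Basic auth and YANG-JSON media types on every request."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {creds}", "Accept": YANG_JSON, "Content-Type": YANG_JSON}

def interface_url(host, name):
    """The '/' inside an interface name must be percent-encoded in the list key."""
    key = urllib.parse.quote(name, safe="")
    return f"https://{host}/restconf/data/ietf-interfaces:interfaces/interface={key}"

def admin_state_body(name, enabled):
    """PATCH body: enabled=false is 'shutdown', enabled=true is 'no shutdown'."""
    return {"ietf-interfaces:interface": {"name": name,
                                          "type": "iana-if-type:ethernetCsmacd",
                                          "enabled": bool(enabled)}}

def enabled_from_get(get_body):
    """Read the admin state back; RFC 8040 wraps a list entry in an array,
    IOS-XE commonly returns the bare object, so accept both."""
    node = json.loads(get_body)["ietf-interfaces:interface"]
    return (node[0] if isinstance(node, list) else node)["enabled"]

def restconf_call(method, url, headers, body=None, ctx=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, resp.read().decode()

def set_admin_state(host, headers, name, enabled, ctx=None):
    """PATCH the leaf, confirm it took effect, then save the running-config."""
    url = interface_url(host, name)
    restconf_call("PATCH", url, headers, admin_state_body(name, enabled), ctx=ctx)
    _, body = restconf_call("GET", url, headers, ctx=ctx)
    if enabled_from_get(body) != bool(enabled):
        raise RuntimeError(f"{name}: admin state did not change")
    save = f"https://{host}/restconf/operations/cisco-ia:save-config"
    return restconf_call("POST", save, headers, ctx=ctx)
```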
Rapid Problem Resolution through Assurance

Catalyst Center Assurance Dashboard
1. AP Disconnected from WLC
2. WLC Reboot Crash

Configuring Events Notification using Webhook
URL of Management Server via Webhook

Configuring Events Notification using Webhook
Events included in Notification

Events Notification via Webhook
“Businesses that grow by development and improvement do not die.”
Henry Ford, February 15, 1923
Complete Your Session Evaluations

Complete a minimum of 4 session surveys and the Overall Event Survey to be entered in a drawing to win 1 of 5 full conference passes to Cisco Live 2025.

Earn 100 points per survey completed and compete on the Cisco Live Challenge leaderboard.

Level up and earn exclusive prizes!

Complete your surveys in the Cisco Live mobile app.

Continue your education
• Visit the Cisco Showcase for related demos
• Book your one-on-one Meet the Engineer meeting
• Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
• Visit the On-Demand Library for more sessions at www.CiscoLive.com/on-demand

Thank you