Introduction
It’s a complex but vital aspect of modern networking to maintain both security and efficiency in today’s dynamic digital landscape.
In Cisco SD-Access fabric sites, segmentation is achieved using Virtual Networks (VNs) and Cisco TrustSec Scalable Group Tags (SGTs). VNs enable macro-segmentation, while SGTs enable micro-segmentation within the VN. When SD-Access fabric sites are connected via SD-WAN fabric, these segmentation constructs must be propagated across the WAN fabric to maintain end-to-end segmentation and to enforce the policies consistently across the sites.
Implementing segmentation across SD-Access and SD-WAN fabric presents its own challenges in – maintaining consistent policies, integrating security measures, and ensuring visibility and scaling while handling interoperability. Careful planning and skilled management are essential to address these complexities effectively.
In this blog, we will understand the core challenges of segmentation across SD-Access and SD-WAN fabric, explore how Anuta ATOM addresses these challenges, and automate this use case.
The Significant hurdle
In an Independent Domain Deployment, the Cisco SD-WAN controllers and Cisco DNA Center are not integrated. The SD-Access Border Node roles are deployed on one set of network devices, while the SD-WAN Edge functionality is deployed on a separate set of network devices. The SD-Access components are managed independently by the Cisco DNA Center, and Cisco SD-WAN components are managed independently by the Cisco vManage controller.
In this deployment,
- VNs in the Cisco SD-Access Border devices are mapped to the corresponding service VPNs on the WAN Edge devices to extend the macro-segmentation.
- SGTs are carried from the Cisco SD-Access Border devices to the WAN Edge devices on the Layer 3 handoff interface with additional Cisco TrustSec inline configuration to extend the micro-segmentation.
A representative process involves:
- Open Change Request in ITSM Tool (ServiceNow)
- Execute Pre-Checks and Push TrustSec Configs on WAN-Edges through Cisco vManage SD-WAN Controller
- Execute Pre-Checks and Push TrustSec Configs on Border Nodes through the Cisco DNA Center SD-Access Controller
- Additionally, Push Group Based Access Policies through the Cisco DNA Center
- Execute Post Checks on SD-Access and SD-WAN devices through Cisco DNA Center and Cisco vManage Controller, respectively
- Perform Pre / Post check validations
- Update and Close the Change Request in ServiceNow
- Finally, Notify the stakeholders via Webex and Email
Major challenges in this process include
- Accessing multiple controllers and IT systems
- Network operations teams are expected to know about these various controllers and systems to accomplish the various provisioning tasks.
- ClickOps heavy processes
- Some of these controllers can be ClickOps heavy. An operator might have to navigate through multiple screens and many clicks to complete provisioning tasks.
- Multiple team coordination
- There can be multiple teams managing these systems, and the entire provisioning process coordination can be very time-consuming.
These challenges make the entire process slow, cumbersome, inconsistent, error-prone, and unreliable.
Moving beyond the Roadblocks
In response to these challenges, Anuta ATOM emerges as a powerful solution by providing network operators with a unified user interface. It incorporates–
- Pre-built Workflows: Several out-of-the-box process automation workflows can be invoked from an OSS/BSS portal or an ITSM system like ServiceNow. These workflows take care of all the integration with the various domain controllers and systems.
- Consolidated User Forms: The network operator is presented with a single user form to capture all the controllers’ inputs and required information to complete the provisioning process.
ATOM workflows seamlessly integrate with all the controllers and systems to simplify the complex provisioning process. Thus ensuring reliability, consistency, reduced delivery time, and improved customer satisfaction.
Automate Segmentation and Policy using ATOM
The ATOM Workflow Summary Dashboard serves as the go-to hub for the network ops team. It gives the lowdown on what’s happening in the workflow, such as how many tasks are done, what’s still in the works, or if any unexpected errors have popped up. It also gives the lowdown on pending user actions, monitors SLA compliance, and lays out activity planners and scheduled automation. The dashboard can provide helpful information like the number of complete vs. in-progress vs. error processes, pending user actions, and heatmaps required to identify any process bottlenecks, trends, charts, etc.
ATOM – Workflow Dashboard
ATOM also supports automation of Day0 to Day-N use cases such as
- New Campus Branch onboarding
- Policy updates on SD-WAN fabric
- Deploy new or update existing access policies
- SD-DC provisioning
- Establish connectivity between SD-Access and DC fabric
- Cloud On-Ramp deployments
- Closed-Loop Automation
- Software upgrades
- Compliance etc.
Example: ATOM Out of Box Workflow Catalog
ATOM – End-to-End Segmentation Workflow
Upon initiating the workflow, the network operator gains access to a user input form, facilitating the submission of all necessary details required for provisioning. These include details of Cisco DNA Center and vManage controllers, SD-Access site, SD-WAN router, Access policy, ServiceNow, Webex room and Email, etc. Furthermore, the operator can deploy new access policies on the SD-Access Fabric sites.
Alternatively, the workflow can be activated through the OSS/BSS portal, simplifying the procedure by offering all necessary inputs in one place.
ATOM – End-to-End Segmentation Input Form
ATOM – API call to ServiceNow to Create Change Request
ServiceNow – Change Request Created
The Cisco vManage controller uses the feature and device templates to configure the WAN Edge devices. Trustsec must be enabled on the feature template associated with the interface on the WAN Edge device that connects to the SD-Access Border Node.
ATOM integrates with Cisco vManage using APIs to perform Pre-Checks, identify the device and feature templates associated with the WAN Edge device, and enable the Cisco TrustSec configuration. ATOM directly executes a few pre-checks on the device that are not supported by Cisco vManage.
ATOM – API Calls to Cisco vManage to enable TrustSec Configs
Cisco vManage – TrustSec enabled
TrustSec configuration needs to be set up on the L3 hand-off interface of the SD-Access Border Node. ATOM collaborates with Cisco DNA Center to recognize the L3 hand-off interfaces of the SD-Access Border Node, assists in creating the TrustSec configurations, and then deploys them on the Border Node.
ATOM also enables Global Access Policy through the Cisco DNA Center.
Cisco DNA Center – Border Node L3 Handoff interfaces
ATOM – Calls to Cisco DNA Center to Provision TrustSec and Access Policy
ATOM – TrustSec Configs on SD-Access Border Node
Cisco DNA Center – Global Access Policy Enabled
In the last phase of provisioning, the essential step is to perform post-checks on the WAN Edge device and SD-Access Border Node. This is done through the Cisco vManage controller for the WAN Edge device and via the Cisco DNA Center for the SD-Access Border Node. If the controllers cannot support these checks, they are executed directly on the devices.
Furthermore, ATOM detects and reports any disparities between the pre-checks and post-checks.
ATOM – Pre and Post-Check Diffs on Cisco vManage
ATOM – Pre and Post-Check Diffs on Cisco DNA Center
ATOM – Pre and Post Check Diff on SD-Access Border Node
ATOM wraps up the process by updating and closing the Change Request in ServiceNow and sending an email notification.
ATOM – Workflow Completed Successfully
ServiceNow – Change Request Closed
ServiceNow – Change Request Notes updated at major milestones
Email Notification on Successful Site Deployment
ChatOps tools such as Cisco Webex Spaces are updated at major milestones. Likewise, the notes section in the Change Request is also updated.
Cisco Webex Spaces – Notifications at major milestones
When handling complex provisioning that involves several external systems and integration points, an automation platform must have robust mechanisms to detect, notify, and resolve failure scenarios.
ATOM workflow has integrated checks designed to handle these errors with retry and rollback options. A corresponding incident ticket is created in an ITSM system like ServiceNow. Additionally, an Email and Webex notification is also sent to the team.
ATOM Workflow – Error Handling, Retry and Rollback Options
Summary
In the rapidly evolving realm of unprecedented network expansion, the integration achieved through Anuta ATOM between Cisco SD-Access and SD-WAN fabric stands as a linchpin. It not only conquers the complexities of network segmentation but also streamlines the entire process. ATOM establishes a new era of reliability, consistency, and efficiency by effortlessly orchestrating workflows across platforms like ServiceNow, Cisco DNA Center, and Cisco vManage Controller. Moreover, its versatility extends to many use cases, transforming network operations from Day 0 to Day-N. ATOM emerges as a formidable cross-domain automation platform, offering out-of-the-box support and the flexibility to adapt to on-premises or cloud deployments, driving digital transformation forward.
Additional Contributors: Manisha Dhan