The Cisco DNA Campus Fabric is fairly new, and I’m still absorbing. I have some design biases that apply (in general):
- I very strongly don’t like extended L2. VLANs spanning a couple of switches, OK. A fair-sized campus, I don’t want to go there.
- I’ve not yet seen any use cases I really believed in for extending L2 at large scale. But if you have to, VXLAN is the way to go.
- LISP is inherently complex. The way it does VRFs is very weird (to my brain, anyway). Counter-intuitive.
- Firewalls tend to be inflexible, rigid and limiting, and generally not great at routing.
I’ve seen firewall-based segmentation mostly when it was designed by security staff. Comfort zone, or “I have a hammer and everything looks like a nail syndrome”?
I’ve seen and done some network-based segmentation. In a few cases, ISE might have been more elegant and provided more security information. The trade-off there: low-tech VLANs and VRF for higher-tech ISE, and perhaps difficulties keeping it working. (We have consultants who can help a lot with that, but that defeats do-it-yourself, and has costs.)
Concerning the VXLAN items: I’m on board with VXLAN (and EVPN) for modest-sized datacenters where ACI policy control doesn’t particularly fit, e.g. a 90 percent virtualized NSX environment where ACI as fabric manager isn’t deemed cost-justified.
In the Campus, VoIP over WLAN without central CAPWAP might be one reason for extending L2 robustly via VXLAN. Having to re-DHCP while roaming is not great for VoIP. That aspect of WLAN may be evolving. At scale, people seem to want centralized controllers, but doing FlexConnect with them means people roaming between floors or whatever need to re-DHCP, or you need site-wide VLANs. VXLAN is a robust way to do larger-scale L2, via routed tunnel overlay on top of a robust L3 infrastructure.
LISP allows you to track where a mobile device or VM happens to be and route to its location. For datacenters, you may need that capability if you extend L2 (DCI, OTV, or whatever) across locations or normal L3 boundaries. Caution: A lot of complexity and other baggage may accompany this. Design advice highly recommended!
I strongly prefer to not extend L2 in the first place. Vmotion is active-active in a sense (VM running in one or the other location). I prefer cloud-scale approaches, where GSLB load balancing or anycast is used to support multiple active instances.
Different people weight factors differently, so some may opt for extended L2. LISP is part of the toolkit available for cases where L2 must be extended. I think of it as useful for /32 routing, in effect.
Concerning ISE, I’ve liked it as logical segmentation. The analogy I’ve used is having a corridor getting you wherever you need to go, with policy/user-group (and other factor) based “badge” that opens some doors to you, but not others. The “door” here being a Policy Enforcement Point (PEP). The MPLS, VRF-Lite, etc. is more like building sub-corridors with hard walls within the main corridor: extra structure providing segmentation even where it isn’t really relevant.
The challenge with ISE is that, as with badges, it doesn’t separate different types of users in a typical campus LAN. So if you have a university-affiliated hospital, having mixed user spaces in the hospital might expose some medical staff computers to malware, which might then propagate to FDA-approved non-hardenable medical devices that those medical staff access. (Shades of Stuxnet?)
Another example: A large manufacturing organization used MPLS for core segmentation, with VLANs and VRFs at buildings. They needed to separate admin personnel from manufacturing operations, to protect the assembly line etc. from disruption. Complexity was a bit of a problem and a cost. It was particularly fun when we needed to get IP multicast working on wired and WLAN segments — but that’s another story. The scale was a bit large for VRF Lite, but it could have worked. This type of design I think of as closer to physical segmentation.
By the way, with IOT, segmenting within campuses and sites will likely be a growing problem. We’ll probably want to isolate the different IOT device networks as well, to limit the spread of malware or security exploits as the technology matures. Maintaining separate physical networks for different forms of IOT would be cost-prohibitive.
This article originally appeared on the NetCraftsmen blog.