
A deep dive into Cisco’s intent-based networking

Nov 10, 2017 | 8 mins
Data Center, Networking

Cisco SVP Scott Harrell serves up details about the company's intent-based networking.


When Cisco announced its intent-based networking (IBN) strategy this summer, CEO Chuck Robbins called it the company’s biggest announcement in years.

IBN architectures use a combination of software and hardware to control network infrastructure. An IBN lets users express the desired state of the network – infrastructure configuration, security policies, and so on – and the system automatically implements and maintains that state.


Cisco says customers are now trialing the technology. Cisco Senior Vice President Scott Harrell sat down with Network World Senior Editor Brandon Butler to discuss how customers are implementing it.

He talked about the general business value of IBN, the differences between campus and data-center IBN deployments, the hardware investment that is required, the ability to deploy in heterogeneous environments, and return on investment.

The following is an edited transcript of that conversation.

Brandon Butler: Why would I want an intent-based networking system? It seems like it’s just advanced network automation and orchestration. What’s the big deal here?

Scott Harrell: The business benefits of intent-based networking can be summed up in three main areas. Number one is around speed and agility. As the network evolves there is a lot more on it. People are now able to spin up a cloud app with the swipe of a credit card. You need to be able to respond in the network. It’s critical for the network to rapidly evolve to meet those needs with minimal manual intervention.

The second thing is it allows IT to focus more on delivering business value. IT today spends a lot of time in tasks that don’t produce value. We can automate a lot of tasks at the management layer, which allows IT to do more work that’s a value-add to the business.

And thirdly, when you look at security, compliance and risk, the automation allows you to reduce the risk of an error and do more granular analysis of the network.

BB: What’s specific about intent-based networking that allows those goals to be achieved?

SH: With IBN we’re treating the entire network as a single fabric and allowing the user to create a policy that spans every node of that network. It automatically translates the user intent into something that can program the entire network. That’s something that’s hard to do if you’re just a management tool because you have to change the OS layer and the ASIC.

We’ve also changed how you listen to the network. Now you can get the context of what’s happening in the network, which dramatically simplifies operations by giving you a more holistic view of the network – most other tools don’t do that.

BB: What does it look like to deploy an IBN in the campus? It seems like it would take a lot of underlying policy writing to implement this intent. Is that true?

SH: We’ve tried to radically simplify this. There are multiple ways to deploy automation. You can perform simple tasks that have historically been done manually. That could be as simple as image management and ensuring that all devices have a consistent level of software. You can start with simply managing your environment as a single unit instead of disparate devices.

Some customers start with just one wiring closet or one floor of a building. Because this is a fabric-based architecture, all I have to do is make changes at the access layer – the layer closest to the user – and then have something back in the core. This allows customers to use intent-based networking in a brownfield scenario. It works in a Cisco environment or a mixed infrastructure environment. It supports multiple generations of previous Cisco hardware.

Policy creation is all UI driven through a simple drag-and-drop interface. It can be done at a macro level – the engineering department traffic can’t interface to accounting networks – or I can go granular down to individual users through interconnections with ISE – Identity Services Engine.

BB: I thought IBN was an integrated hardware-software offering, so I’m surprised to hear that it can work across non-Cisco gear.

SH: We’re not saying we’re managing those third-party pieces of infrastructure. What we say is if you have a Cisco access switch or Cisco access point, then the rest of your network can be something other than Cisco, all you need is something at the control plane level, like a core router or switch that’s also Cisco. Because it’s a standards-based protocol, if there are non-Cisco switches in the intermediate layers they can continue to operate as traffic forwarders. If the network is fully Cisco, automated lifecycle management, application intent and analytics can be fully applied across the entire network and operated from a single management console named Cisco DNA Center.

BB: You mentioned that IBN supports previous generation hardware, but does some IBN functionality require the latest Catalyst 9K hardware?

SH: Yes. Most of the benefits of IBN can be achieved on previous generation Cat 3Ks, 4Ks, 7K, it’s supported on the Wave 1 and 2 Access Points, plus the ISR 4K and ASR 1K routers.

There are some incremental features that need the Catalyst 9K switch because we designed that from the ground up to work in an IBN. This includes new security capabilities, such as Encrypted Traffic Analytics, which allows you to understand the posture of encrypted traffic without decrypting it. The Cat 9K has an x86 Intel chip – switches historically do not have that – that allows us to distribute workloads directly to the switch level and program the devices. But a lot of the automation – the business policy, fabric creation – that can be done in the Cat 3K as well as the 9K.

BB: Why is there a different intent-based networking platform for the data center (made of Application Centric Infrastructure plus Tetration analytics) compared to in the campus with the Catalyst 9K switches and the DNA Center software?

SH: There are different solutions for different buying centers because people tend to manage those environments differently. Our bigger customers have separate teams managing their data center compared to their campus and LAN. What you focus on in implementing policy is different too. In the data center, all the policy revolves around the application and controlling flows for it. When you’re out in the campus on the LAN, it’s much more focused on the user and the device.

BB: Just a couple years ago the next big thing in networking was software-defined networking (SDN). So, is that no longer important? Do SDN and IBN overlap?

SH: When you look at what SDN was trying to accomplish, a lot of what IBN does is really bringing that to life, plus doing quite a few more things beyond it. I look at IBN as a super-set of SDN. Some of the aspirational goals of SDN are being achieved with IBN. Both also use a controller-based architecture. In the data center, ACI uses a controller architecture, along with Tetration for analytics. In the campus we have DNA Center, which has a controller underneath it.

BB: How much does an average IBN deployment cost? Would it be five, six, seven figures? And what’s the ROI for customers? Will this reduce staff to help pay for itself?

SH: I don’t have an average price because it really comes down to the customer’s network and how broad they want to go. From an ROI point of view, our early field trial customers estimate a positive ROI in one to three years. The majority of cost savings comes from the dramatic reduction in “touch” time required to provision and maintain the network. This more than offsets the additional CapEx costs to deploy these new, intent-based networks.

BB: What parts of IBN can I buy now, and what’s on the roadmap for the future?

SH: The Cat 9Ks have been shipping since June/July and we already have 450 customers. DNA Center, which is the software platform that controls the intent-based network, has been available since August, and we have about 125 customer trials deployed. Those are the two main components shipping today. And one thing that’s important to note is DNA Center is sold as a subscription service, so when you buy the 9K and the software, new releases and features come automatically.

Other parts are coming. We mentioned the ETA (Encrypted Traffic Analytics) that’s going to be available later this calendar year. We’ll also continue to invest in more advanced analytics, which we’ll be building into DNA Center.

Senior Editor Brandon Butler covers the cloud computing industry for Network World by focusing on the advancements of major players in the industry, tracking end user deployments and keeping tabs on the hottest new startups. He contributes to and is the author of the Cloud Chronicles blog. Before starting at Network World in January 2012, he worked for a daily newspaper in Massachusetts and the Worcester Business Journal, where he was a senior reporter and editor of MetroWest 495 Biz. Follow him on Twitter @BButlerNWW.