A new era of campus network design

Applications have become a key driver of revenue, rather than their previous role as merely a tool to support the business process. What acts as the heart for all applications is the network providing the connection points. Due to the new, critical importance of the application layer, IT professionals are looking for ways to improve the architecture of their network.

A new era of campus network design is required, one that enforces policy-based automation from the edge of the network to public and private clouds using an intent-based paradigm.

SD-Access is an example of an intent-based network within the campus. It is broken down into three major elements:

1. Control-Plane based on Locator/ID separation protocol (LISP),
2. Data-Plane based on Virtual Extensible LAN (VXLAN) and
3. Policy-Plane based on Cisco TrustSec.

Intent-based networking is all about informing the controller about the end goal and allowing the controller-based network to figure out the low-level device and configuration details. This is similar to how the general packet radio service (GPRS) works. The user inputs a destination and the software calculates the best route, taking into consideration the parameters abstracted from the user.

In campus networking, the trends that have influenced the introduction of SD-Access and its intent-based paradigm include mobility, the internet of things (IoT) and uniformed security across the wired and wireless connections.

1. Mobility

The traditional campus networks used to include only company-owned devices. In contrast, nowadays the networks consist of a range of devices such as bring your own device (BYOD) and intelligent wearables to name a few.

It is believed that the average user will bring 2.7 devices into the workplace, thereby, requiring access to corporate systems in the cloud and to the application workloads in private data centers. Today, users require seamless mobility across all devices, while still retaining the same level of security and access control. At the same time, corporate policy and compliance should not be compromised.

2. IoT

Corporate IoT within the campus consists of all the things you would find in an office building ranging from connected lights to card readers. Challenges surface as to how one enforces security among these devices.

There have been numerous attacks that have involved some kind of insecure IoT device. Usually, the device has not been managed or procured by the IT department, which results in a security leak. In some cases, the infected IoT device has direct access to the Internet or corporate network, which breeds malware and hacking.

One such recently publicized attack involving a fishbowl caused a data exfiltration event. The unsecured IoT device allowed the hacker to swipe 10 gigabytes of data from a North American casino. There was a sensor on a fishbowl monitoring the temperature of the water. A threat actor compromised the sensor to move laterally around the network, accessing critical assets. With the availability of easy-to-use hacking tools, hackers don’t need to be resourceful. They keep looking for any tiny opening to infiltrate in the network.

3. Uniformed security for wired and wireless connections

Wired and wireless are just different ways of getting onto the network. The user itself does not change. Considering the demands of time, we have to change the way wired and wireless work together. Traditionally, wireless was an over-the-top network, using control and provisioning of wireless access points (CAPWAP). However, a new technology is needed for wireless that uses VXLAN tunnels and overlays that begin at the access point.

Traditional tools for segmentation & network management

The issue of segmentation has been around for years. However, the traditional tools used for segmentation are not adequate considering that today’s networks need to support mobility, IoT and consistent security among wired and wireless connectivity.

The use of virtual LANs (VLANs) for segmentation is still a popular method. However, VLANs along with other protocols, such as spanning tree protocol (STP) were not designed with security in mind. Segmentation was not the purpose behind the introduction of VLANs. There were created in the ’90s to divide broadcast domains. However, over time the administrators transitioned to use VLANs with access control.

Administrators would associate a VLAN with an IP subnet to enforce subnet control. Eventually, as networks grew in size, VLANs failed to match with the expanding size. Besides, the policies enforced based on IP address lack flexibility and access control lists (ACLs) made their mark by reaching millions.

Management is another major issue. The problem is, we are using technologies such as Syslog, simple network management protocol (SNMP) and Netflow for monitoring and troubleshooting. Again, these are technologies that were created 30 years ago. We need to get over SNMP as a means to monitor networks. SNMP operates with a pull model that creates challenges with the central processing unit (CPU) utilization amongst others.

The right way forward: TrustSec for macro & micro segmentation

VLANs are a single flat layer segmentation paradigm. Considering today’s campus networks, we need to make this flat layer paradigm into a two-layer paradigm. This can be achieved by introducing virtual networks (VN), also known as macro segmentation.

Virtual networks in the campus are analogous to virtual routing and forwarding (VRF). Virtual networks provide segmentation at the forwarding layer. This is essentially what a VRF does. How you define segmentation is based on the organization’s structure and line of business. For example, in healthcare, you can have health insurance portability and accountability act (HIPAA) complaint members in one VN and the non-HIPAA compliant members in another.

VNs, by definition, cannot communicate with each other and any cross-VN-communication should go through a stateful firewall. A stateful firewall monitors the state of active connections and the characteristics of network connections traversing it.

If you want to go one step further, secure group tags provide what is known as micro segmentation. We further embed the segments within the VN and filters are defined between the micro segments.

For this to work extensions are needed in VXLAN, which are known as VXLAN Group Policy Option (VXLAN-GPO). This defines the way to embed a micro segmentation tag within the VXLAN headers. Both macro and micro segmentation is segmentation at the data plane. Now, let’s examine the newly improved control plane.

Another right way forward: Locator/ID separation protocol (LISP)

Now since the data plane forwarding has been taken care of, we need a good control plan to distribute information across the large campus network.

Border gateway protocol (BGP) is a distributed state protocol. It works well in the data centers but not in the campus networks where many users connect using wireless. The users are moving all the time from one AP to another AP and from wireless to wired networks. The end host’s moves are usually addressed with /32 but BGP does not deal well with frequent moves in this way.

In this case, LISP is a much better option forming the perfect marriage between control and data plane. LISP is a demand-based protocol that works similarly to domain name system (DNS). It brings the advantages of using a centralized control plane and simplifies routing environments by eliminating the need for every router to process every possible destination. 

Future challenges

The next significant challenge is how to secure group-based policies distributed across all campus networks. The security needs to extend across the wide area network (WAN) to both public, private and multi-cloud scenarios. We require the ability to furnish all the intelligent WAN capabilities such as path selection and encryption, while still extending consistent group-based policies.