August 2024. 8 min read.
Dean Smith, Principal Consultant – Secure Networking and Cybersecurity.
Cisco Software-Defined Access: The Network Perspective.
A robust discussion.
In my previous blog ‘Understanding Cisco Software-Defined Access: Key Constructs & Considerations’, I focused on the differences between macro and micro segmentation, and the trade-offs these represent when balancing security posture against administrative overhead. Whilst SDA is a powerful security enabler because the points of endpoint connection (LAN switches and wireless access points) become the enforcement point, security is only one element of the secure networking equation (secure networking = security + network).
Here, we will delve further into the network stack, the advantages an SDA fabric has over traditional networking, and the benefits this brings to the network team. Let’s break these down into 4 categories:
Network Management
Network Architecture
Visibility and Assurance
Advanced Hardware.
Network Management.
Programmability –
I have referred to the benefits of a centralised control plane and of a single management plane through which the whole network fleet is administered. These methods of interacting with the network infrastructure have evolved significantly since Software Defined Networking (SDN) practices took off. Network administrators are now in a post-CLI phase where programmability is king, and orchestration allows everything from the most mundane tasks to complex, event-triggered remediation to be automated.
This is done through YANG data models that describe the configuration and operational state of every network feature in a consistent structure, which controllers and scripts then read or push over NETCONF and RESTCONF rather than by scraping show commands. As a simple example, think of the time a network administrator saves by running one RESTCONF query against every switch in the fleet to extract a count of ports that have been active in the last 30 days.
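The port-activity query described above, as an added example that is not code from the original post or from Cisco. It assumes the IOS-XE RESTCONF northbound interface and the Cisco-IOS-XE-interfaces-oper YANG model, in which each interface entry carries an oper-status and a last-change timestamp for its most recent link transition; the SAMPLE_RESPONSE payload is constructed, not captured from a real switch. The request builder insists on a verified TLS context because RESTCONF credentials travel as HTTP Basic auth over that TLS session.

```python
"""Count switch ports active in the last 30 days from RESTCONF interface state.

Added example (not from the original post). Assumes the Cisco-IOS-XE-interfaces-oper
YANG model; SAMPLE_RESPONSE is a constructed payload, not real switch output.
"""
import base64
import json
import ssl
from datetime import datetime, timedelta, timezone
from urllib.request import Request, urlopen

MODEL = "Cisco-IOS-XE-interfaces-oper:interfaces"
PHYSICAL = "iana-iftype-ethernet-csmacd"   # physical Ethernet ports; SVIs and loopbacks are skipped


def build_request(host, username, password, cafile=None):
    """RESTCONF GET for the interface operational-state container.

    RESTCONF is HTTPS plus HTTP Basic auth, so the credentials ride on TLS and the
    context must verify the switch certificate. Do not disable verification for a
    self-signed device certificate; supply the device CA through cafile instead.
    """
    url = f"https://{host}/restconf/data/{MODEL}"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = Request(url, headers={
        "Accept": "application/yang-data+json",
        "Authorization": f"Basic {token}",
    })
    ctx = ssl.create_default_context(cafile=cafile)
    return req, ctx


def fetch_interfaces(host, username, password, cafile=None):
    """Run the query against one switch and return the decoded JSON (needs network access)."""
    req, ctx = build_request(host, username, password, cafile)
    with urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def parse_yang_timestamp(value):
    """yang:date-and-time is RFC 3339; tolerate a trailing 'Z' on older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_ports(payload, now, window_days=30):
    """Split physical ports into 'active' (up now, or a link change inside the window)
    and 'idle' (down with no link change inside the window)."""
    cutoff = now - timedelta(days=window_days)
    active, idle = [], []
    for intf in payload[MODEL]["interface"]:
        if intf.get("interface-type") != PHYSICAL:
            continue
        is_up = intf.get("oper-status") == "if-oper-state-ready"
        last_change = parse_yang_timestamp(intf["last-change"])
        (active if is_up or last_change >= cutoff else idle).append(intf["name"])
    return {"active": active, "idle": idle}


# Constructed sample of the query result, trimmed to the leaves used above.
NOW = datetime(2024, 8, 20, tzinfo=timezone.utc)
SAMPLE_RESPONSE = {MODEL: {"interface": [
    {"name": "GigabitEthernet1/0/1", "interface-type": PHYSICAL,
     "oper-status": "if-oper-state-ready", "last-change": "2024-08-10T08:15:00.000000+00:00"},
    {"name": "GigabitEthernet1/0/2", "interface-type": PHYSICAL,
     "oper-status": "if-oper-state-no-pass", "last-change": "2024-07-28T17:42:10.000000+00:00"},
    {"name": "GigabitEthernet1/0/3", "interface-type": PHYSICAL,
     "oper-status": "if-oper-state-no-pass", "last-change": "2024-03-01T09:00:00.000000+00:00"},
    {"name": "GigabitEthernet1/0/4", "interface-type": PHYSICAL,
     "oper-status": "if-oper-state-no-pass", "last-change": "1970-01-01T00:00:00.000000+00:00"},
    {"name": "Vlan100", "interface-type": "iana-iftype-prop-virtual",
     "oper-status": "if-oper-state-ready", "last-change": "2024-08-19T00:00:00.000000+00:00"},
]}}

if __name__ == "__main__":
    # Against a real fleet: for host in inventory: classify_ports(fetch_interfaces(host, ...), NOW)
    result = classify_ports(SAMPLE_RESPONSE, NOW)
    print(f"active in last 30 days: {len(result['active'])}, idle: {len(result['idle'])}")
```

The same loop, pointed at an inventory list, gives the fleet-wide count in one pass; the interesting operational output is usually the idle list, which is the set of ports worth shutting down or reclaiming.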
Automated Administration –
Going back many years, I developed a complex Quality of Service (QoS) policy for a large enterprise network. It contained many different network switch models that supported varying queue structures (Priority Queuing, Class-Based Weighted Fair Queuing, Custom Queuing, Weighted Round Robin queuing … you get the point). Building these up was a complex and time-consuming process. Today, the SDN controller does it all for you, mapping hardware queues to your simplified traffic profiling as either business relevant or irrelevant. This is but one of many conversations I have with engineers today that starts with “Back in my day …”!
Beyond QoS, the fabric now takes care of switch port configuration: devices are profiled as they connect and granted their access rights through Scalable Group Tags (SGTs), so the policy follows the device rather than the port. The incessant per-port VLAN assignments of the past are removed in the fabric, freeing the network team from a significant burden.
And finally, switch deployments in a fabric become considerably simpler through a plug-and-play architecture that reduces the design and implementation effort for each new device.
Why is all this important?
Network administrators are empowered with tools in an SDA construct in two important facets: the ability to be efficient and the ability to be consistent. The former is obtained through automation and scripting; the latter reduces risk, because configuration generated from one template cannot drift in the way hand-typed configuration does. This allows the network team to focus their time and effort on providing the best possible service to the network users.
Network Architecture.
The most significant thing about an SDA fabric is its architecture and the fundamental change it makes to how traffic is delivered across the network. Traditional IP routing conflates a device’s identity and its location in a single IP address: the address says who the endpoint is and, through its subnet, where on the network it sits. With a centralised control plane, we can decouple these two attributes into two different numbering constructs: the device’s identity (Endpoint Identifier, EID) and its location (Routing Locator, RLOC). The fabric accomplishes this using LISP, the Locator/ID Separation Protocol, as its control plane, with the fabric edge switches registering the endpoints they see against their own RLOC and resolving the RLOC of remote endpoints on demand; traffic between edges is then encapsulated so that the outer header carries locations and the inner packet keeps the identities. There are many benefits to the network team in this shift, as it allows for considerable simplification of the design and implementation of the network. For one, it enables much simpler endpoint mobility: a device can roam from a wired port to a wireless connection in a different building and retain the same IP address (identity) irrespective of its location, because only its RLOC mapping changes. Secondly, it allows the layer 3 gateway to move to the edge of the fabric, with an anycast gateway (the same gateway IP and MAC address) present on every entry point to the network. The network is no longer dependent on redundant Switched Virtual Interfaces (SVIs) on core switches and first-hop redundancy protocols such as HSRP or VRRP to ensure availability; it is inherent in the SDA fabric design.
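The EID/RLOC separation and the roaming case described above, as an added toy model that is not code from the original post or from Cisco. It models only the behaviour discussed here: edges register their locally attached EIDs with the map server, resolve and cache remote EIDs, and have stale cache entries purged when an endpoint re-registers behind a different RLOC. The VNI value, the addresses and the edge names are made up for the illustration, and the tuple returned by forward() stands in for the real VXLAN encapsulation header.

```python
"""Identity/location separation in an SD-Access fabric, as a toy model.

Added example, not from the original post or from Cisco. VNI, addresses and
edge names are illustrative; the tuple from forward() stands in for a VXLAN header.
"""

VNI = 4099                      # illustrative virtual network identifier
ANYCAST_GATEWAY = "10.1.1.1"    # same gateway on every edge, so a roaming host keeps its default gateway


class MapServer:
    """Centralised control plane: the single EID-to-RLOC database."""

    def __init__(self):
        self.db = {}            # eid -> rloc of the edge that currently owns it
        self.cached_by = {}     # eid -> edges holding a map-cache entry for it

    def map_register(self, eid, rloc):
        previous = self.db.get(eid)
        self.db[eid] = rloc
        if previous is not None and previous != rloc:
            # The endpoint moved: every edge that cached the old RLOC must forget it.
            for edge in self.cached_by.pop(eid, set()):
                edge.invalidate(eid)

    def map_request(self, eid, requester):
        rloc = self.db.get(eid)
        if rloc is not None:
            self.cached_by.setdefault(eid, set()).add(requester)
        return rloc


class FabricEdge:
    """An access switch: one RLOC, a set of locally attached EIDs, and a map cache."""

    def __init__(self, name, rloc, map_server):
        self.name, self.rloc, self.ms = name, rloc, map_server
        self.local = set()
        self.cache = {}
        self.gateway = ANYCAST_GATEWAY

    def attach(self, eid):
        """Endpoint seen on a local port (after authentication): register it centrally."""
        self.local.add(eid)
        self.ms.map_register(eid, self.rloc)

    def detach(self, eid):
        self.local.discard(eid)

    def invalidate(self, eid):
        self.cache.pop(eid, None)

    def forward(self, src_eid, dst_eid):
        """Forwarding decision for a frame arriving from a locally attached endpoint."""
        if dst_eid in self.local:
            return ("local", dst_eid)
        rloc = self.cache.get(dst_eid)
        if rloc is None:
            rloc = self.ms.map_request(dst_eid, self)
            if rloc is None:
                return ("drop", dst_eid)    # unknown EID: nothing is flooded across the overlay
            self.cache[dst_eid] = rloc
        # Outer header carries the two locations; the inner packet keeps the two identities.
        return ("vxlan", self.rloc, rloc, VNI, src_eid, dst_eid)


def roaming_demo():
    """A laptop roams to another building and keeps its IP; traffic to it follows it."""
    ms = MapServer()
    edge_a = FabricEdge("bldg-A-sw1", "192.168.0.1", ms)
    edge_b = FabricEdge("bldg-B-sw1", "192.168.0.2", ms)
    edge_c = FabricEdge("bldg-C-sw1", "192.168.0.3", ms)
    laptop, printer = "10.1.1.50", "10.1.1.20"

    edge_a.attach(laptop)
    edge_c.attach(printer)
    before = edge_c.forward(printer, laptop)    # resolves the laptop behind edge A and caches it

    edge_a.detach(laptop)
    edge_b.attach(laptop)                       # re-registration moves the mapping and purges C's cache
    after = edge_c.forward(printer, laptop)     # fresh lookup: same EID, now behind edge B

    unknown = edge_c.forward(printer, "10.1.1.99")
    return {"before_roam": before, "after_roam": after, "unknown": unknown,
            "same_gateway": edge_a.gateway == edge_b.gateway == edge_c.gateway}


if __name__ == "__main__":
    for key, value in roaming_demo().items():
        print(key, value)
```

Two simplifications to keep in mind when reading it against the real protocol: production LISP map caches also expire on a TTL, and the real fabric carries a group tag alongside the VNI in the encapsulation so that the policy discussed in the previous post travels with the packet.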
Why is all this important?
It eliminates a large part of the complexity and burden associated with designing and maintaining traditional layer 2 and layer 3 networks. The network team no longer has to manage layer 2 broadcast domains, develop and maintain extensive VLANs, tune spanning tree, or carve IP addressing schemes per location. All of this is greatly reduced in the SDA fabric, allowing for faster deployments, easier troubleshooting and greater robustness, with resiliency built into both the underlay and overlay network constructs.
Visibility and Assurance.
One of the most powerful enablers of a fabric is the centralised view of the network from all perspectives. If you were to metaphorically “ask” a switch in a traditional network what it knows about the network, it could report only what it can extract from its own data plane and control plane. Within an SDA fabric, the control plane is centralised, which allows for significantly enhanced visibility based on end-to-end telemetry. The fabric can correlate an end user’s experience from the authentication process, through traffic traversal across the network, to application performance. In this context we refer to the network as a sensor, and it drives incredible visibility into network and client experience. As analytics and AI capabilities mature, this telemetry base allows issues to be trended and remediation to be automated proactively, so that the network is kept performing optimally rather than fixed after the fact.
Why is all this important?
Network teams spend an inordinate amount of time chasing their tails, troubleshooting performance issues across disparate wireless and wired network instances. Reactive work of this kind accounts for much of their time and, from experience, it stops them from undertaking high-value activities such as addressing issues before users notice them, capacity planning and other service optimisation initiatives. Having the visibility and guided remediation recommendations available to network administrators allows them to fix issues faster and provide a better service to the end users.
Advanced Hardware.
It is easy for the cybersecurity team to downplay the role of network infrastructure in the context of security. We often hear the argument that rather than upgrading network switches to support an SDA fabric, you could place a much smaller number of firewalls strategically, at a fraction of the cost, and leave the switches as unintelligent data forwarders. If the purpose of the SDA fabric were to provide security benefits alone, this argument might have some backers. Just as the fabric has evolved the network, the LAN switches and wireless components have also evolved significantly. We recommend that migration planning to an SDA fabric upgrades legacy switches to current models in line with their lifecycle status, adding them to the fabric as budget allows. This can be done on any timeline and at any scale appropriate to the size of the network.
When the time is right though, LAN switching hardware refreshes will allow you to do more than just facilitate endpoint connectivity in the fabric construct. Current generation switches support the installation of applications in containers hosted directly on the switch. A couple of key use cases we see here are Cisco ThousandEyes, which allows enhanced telemetry tracking of end-to-end services from the LAN through to the cloud, and Claroty Medigate, which provides advanced IoT and clinical device profiling using the switch as a sensor. Because the sensor sits on the switch itself, any traffic it needs to inspect is mirrored locally to the hosted application rather than hauled across the network, which eliminates the traditional port mirroring estate and the complex SPAN/RSPAN configurations that went with it.
Why is all this important?
LAN switching platforms will continue to evolve in the same manner as every other technology, and as they do so they will augment and improve the fabric functionality. The switch needs to play a key role in both the network performance and security contexts, and it offers significant ROI when investment is undertaken in these areas. From Power over Ethernet efficiency and automated power-down for environmental sustainability goals, to evolving chipsets such as Data Processing Units (DPUs) that will run firewall features directly in silicon (refer to Cisco Hypershield), switching platforms will continue to push the networking realm forward. Adding intelligent services as close as possible to the edge (the network switch and wireless access point) ensures you get security at the entry point to the network and performance and visibility telemetry all the way to the endpoint. Leveraging your investment in the network infrastructure to make it both a “sensor” and an “enforcement point” just makes good sense.
In summary.
SDA aligns directly with a secure networking framework and has significant advantages over traditional networking, not only in its enhanced security capabilities but also in its network capabilities. In fact, network engineers can build a business case for migrating to or implementing an SDA fabric with no security implementation at all. The benefits derived from network management (programmability and automation), network architecture enhancements, visibility and assurance, and the capabilities of the latest hardware components make SDA stand on its own, independent of its powerful security enablers. The micro and macro segmentation security elements are the icing on the cake.
Get in touch with our team to learn more about how ArchiTech have successfully deployed Cisco SDA and how we can help your organisation to simplify network access, without compromising on security.