Intent-Based Networking’s Next Evolution: Policy Integrations Between Multiple Domains

White Paper

Cisco public

© 2019 Cisco and/or its affiliates. All rights reserved.


Contents

Abstract
Introduction
Intent-based networks
Networking domains
Why integrate policies between domains
Multidomain integrations
Conclusion


Abstract

Multidomain policy integration is a strategic next step that preserves and extends Cisco’s leadership in Intent-Based Networking (IBN). It cements and reinforces IBN principles in Cisco® architectures across enterprise networking domains, including campus, branch, WAN, data center, and cloud. This paper explains why integrating policies between these domains is the best way to preserve the uniqueness of each domain while still achieving consistency of purpose throughout the enterprise, and how it can deal with accelerating IT complexity. It describes the currently supported integrations, customer benefits, and Cisco’s commitment and vision for the road ahead.

This paper is targeted at CIOs and network architects who are familiar with IBN and Cisco’s networking architectures but are not experts in them. It aims to educate them on the latest from Cisco in IBN and on efforts to simplify networking across the enterprise. It is not overly technical, but it provides enough technical detail to bring clarity to the integrations and show that they are real.

Introduction

Organizations in every industry are reworking their business strategies. In order to grow and compete effectively, they are making increasing use of technology to improve their processes, deliver better experiences to their customers, and provide better tools to their employees.

For example, manufacturing organizations are adding smart things such as sensors and actuators to give them real-time feedback on, and control over, their processes. They are also collecting vast amounts of data throughout the value chain from suppliers, distributors, partners, and customers, which they use for predictive analytics. These sorts of digital initiatives transform their operations from traditional, static manufacturing supply chains into a dynamic and interconnected system, allowing them to deliver customized experiences for their customers, increase the productivity of their employees, and make their processes more agile to keep pace with business cycles.

In healthcare, telemedicine is helping patients in the most remote locations of the world receive quality healthcare. Patients are using connected blood-pressure gauges, glucometers, heart-rate monitors, and even home EKG machines to upload vital information for remote monitoring and diagnosis. Specialized programs are now preprocessing scans to supplement the work of human radiologists and using AI techniques to guide and predict the efficacy of drugs.

Likewise, the financial industry is relying more and more on digital technology to sign contracts online, build bank branches that feature virtual tellers, and even provide convenient banking facilities to millions of underserved people through their mobile phones.

Clearly, digital transformation has positively impacted economic growth, accelerated innovation, brought about better service delivery, and improved customer and employee experiences.

Gartner believes that “a full Intent-Based Networking System implementation can reduce network infrastructure delivery times to business leaders by 50% to 90%, while simultaneously reducing the number and duration of outages by at least 50%.”1

1 Andrew Lerner, Joe Skorupa, Sanjit Ganguli, Innovation Insight: Intent-based Networking Systems (IBNS), Gartner, Refreshed 13 April 2018


Figure 1. Positive results from digital transformation efforts

Now, more than ever, these organizations’ IT strategies are essential for their business strategies to succeed. For these digital initiatives to work, organizations need to ensure that a secure and robust infrastructure is in place. Smart Internet of Things (IoT) devices are notorious for increasing the available attack surface and must be properly secured. The user experience, which is crucial for any digital initiative to work, needs a robust WAN that can prioritize application traffic appropriately. This type of network is even more essential as applications become more distributed and are no longer limited to the enterprise’s data center. Moreover, all these processes must adhere to all applicable regulatory and compliance directives. As digital innovations continue to evolve, the infrastructure needs to be agile and adapt rapidly to the changing priorities and needs of the business.

Unsurprisingly, then, IT departments feel an increasing urgency to keep up with business pace and innovation. IT must maintain the constant deluge of daily operations to drive optimal user experiences, while still innovating and adopting modern techniques to deliver on business intent.

Business and IT initiatives ultimately depend on the underlying network to realize their goals. The organization’s network needs to provide wired and wireless access to all users and IoT devices, take preventative measures to minimize the threat surface, connect customers and employees entering through a variety of transport mechanisms, and ensure a high-quality application experience.

These multiple challenges of scale, complexity, security, and agility cannot easily be met with the traditional ways of building, monitoring, and managing networks. In the past, network administrators have relied on site-by-site and box-by-box configurations. That worked well when networks were relatively static with few modifications. Now, with the new normal of hyperconnectivity, manual changes do not scale. Similarly, troubleshooting has generally consisted of manually collecting information, reproducing the problem, and poring over logs to figure out where the problem might be. This strategy is also not scalable and will not succeed in the current age of digital transformation.


Figure 2. Network complexity due to scale, security, and connectivity is outpacing human capability to manage

Intent-based networks

Intent-based networking, or IBN, provides the answer. IBN seeks to make changes in monitoring and management that bring networks closer to the business intent (the desired outcomes) through network automation and assurance.

Role of the network controller

Traditional models of network control have ranged from basic device control by dedicated Element Management Systems (created for a specific set of devices), to network managers (which offered a static set of extended functions but no integrations to make the network agile), to SDN controllers (which injected limited dynamism but did not go far enough). Enterprises had to deploy several management systems that did not work with each other to control the network, resulting in excessive manual work to maintain the network, poor business alignment, and high operational expenses.

To address this, new software-driven networking models that embrace automation, advanced analytics, and open platforms are transforming networks, resulting in dramatically new ways of operating them. Through a controller-led strategy, network operators can quickly set the business intent, and the controller translates it into network configuration and execution at scale, while continuously monitoring to assure performance and security. This results in a closed-loop system that learns, optimizes, and protects. Using APIs, network controllers integrate with business and IT processes in real time, making the network responsive and better equipped to achieve business objectives. These APIs also allow communication between controllers, enabling the fulfillment of intent that spans multiple controller-led networks.


Figure 3. Role of the network controller in intent-based networks

Networking domains

Today Cisco offers networking solutions built on intent-based networking principles in several networking domains. We define a networking domain as a grouping of devices such as switches, routers, wireless APs, and Wireless LAN Controllers (WLCs) that share rules and procedures and are governed by a common controller.

Figure 4. Networking domains, their purpose, and their controllers


The division of networking responsibilities between domains results from the specific requirements that the domains need to address. For example, a campus network is responsible for authenticating and onboarding users and devices through wired and wireless means, authorizing them and granting them various privileges based on their levels, and detecting and mitigating threats that such devices could be subject to. The WAN network connects users to applications either in the data center, in one or more public clouds, or within a Software as a Service (SaaS) provider. The WAN network is responsible for appropriate path selection and prioritization and for mitigation of threats that may originate from inside and outside. The data center network manages compute resources among application workloads serving the needs of virtualized and distributed applications and safeguards sensitive data.

Cisco Digital Network Architecture (Cisco DNA), Cisco SD-WAN, and Cisco Application Centric Infrastructure (Cisco ACI®) are Cisco’s implementations of campus/branch, WAN, and data center networks. Each is governed by a controller that sets policies within the domain—Cisco DNA Center, Cisco vManage, and Cisco Application Policy Infrastructure Controller (APIC), respectively.

Because the functions they perform are so specialized, each domain must remain independent of the others, with its own controller-based infrastructure optimized for its tasks. With significant differences in networking, security, and performance requirements, collapsing these domains into one is not realistic. However, each domain provides services that are meaningful in an end-to-end context and therefore must be visible across the domains.

Cisco’s architecture for these domains follows intent-based networking principles. Each domain controller works through a set of policies, generated from business intent, that it translates into device configurations. The controllers collect performance data from these devices, analyze it, and ensure that the devices are meeting the intent. A single business intent might render into different domain-specific policies, but in order to fulfil that single intent all these policies must be coherent and communicated across all domains.

Why integrate policies between domains

Intent-based networks allow users to define their intent (their desired outcomes) and store it as policies. An example of an intent in the campus network could be to separate IoT traffic from user traffic; the corresponding policy would specify that when IoT devices onboard, they are placed in a network segment separate from users. Similarly, in the data center, policies could dictate which applications are sensitive and must be protected from indiscriminate access.

Business objectives, however, are enterprise-wide and span domains. Therefore, all domains need to have a consistent set of policies that work collaboratively to deliver the desired outcomes. For example, in the healthcare industry, we want doctors in hospitals to be able to run applications in the data center that access and update their patients’ medical records. We also want them to do so securely, complying with all regulations, and with a good quality of experience. To make this happen, the access policies defined for the doctor in the hospital (campus) need to be mapped to the access policies defined in the data center for the medical application, so that the doctor can read and write medical data while unauthorized users cannot, and the process thus complies with regulations. Moreover, the WAN connecting the campus to the data center must be able to recognize the application traffic and prioritize it appropriately.


Global Data: For an enterprise to be successful with intent-based networking, it needs to fully embrace automation in the data center, the campus, the wide area network, and in the branch.2
- Mike Fratto, Senior Analyst, 451 Research

The above example illustrates the need for three key policy integrations: network segmentation policies that separate user traffic and create a permit/deny matrix against resources and applications; application experience policies that allow the data center network to interwork with the WAN; and security policies that are consistent across all domains.

Figure 5. Policy integrations between domains

Before such integrations, policy coordination between domains was done manually. Each time administrators made a policy update in any one of the domains, they needed to alert administrators in the other domains so that they could interpret and translate the policy change and apply it to their own domains. In contrast, an automated exchange of policies makes the entire enterprise network work as one, be responsive to modifications, and rapidly adopt policies end-to-end without errors.

From an intent-based networking perspective, these integrations represent the next logical step in extending business intent across the enterprise.

2 Global Data: Enterprises Cannot Have Automation Commitment Issues and Be Successful, July 21, 2017, Mike Fratto, Senior Analyst, Business Technology and Software


Multidomain integrations

Cisco offers a complete intent-based networking portfolio of devices and controllers for all networking domains and is therefore in a unique position in the industry to offer policy integrations that stitch together multiple networking domains and make them whole.

Segmentation policy integrations

As more and more critical information is entrusted to the digital infrastructure, the risk of information being compromised increases. Furthermore, as more devices are connected to the network, the paths by which criminals may compromise information are substantially increased, and the available attack surface is expanded. It is therefore critical to deliver a comprehensive and hardened set of security measures that allow the network to be the first line of defense in the IT security strategy. Originally, network segmentation was aligned to a strategy for improving network stability and performance. Over time, it has evolved to reflect a security strategy in which the network is segmented or compartmentalized to enforce a policy by enabling controls within and between segments. This segmentation is aimed at fragmenting the attack surface and reducing the scope of lateral movement that malware may pursue during a security breach. For segmentation to be effective in limiting the effectiveness of a security breach, the network must be segmented end-to-end, because the attacker may attempt lateral movements in the access, WAN, or data center.

When a security breach is identified, the offending endpoints can be quickly isolated into a segment built for the purpose of quarantining attacks and malware. The ability to dynamically create quarantine segments, and to quickly assign an endpoint to such a segment in response to a detected threat, is possible in a Software-Defined Networking (SDN) network like SD-Access in the campus and branch, and ACI in the data center.

Segmentation may be realized at a coarse level in the form of virtual networks or at a more granular level in the form of groups of endpoints. These approaches are referred to as macrosegmentation and microsegmentation, respectively. Microsegmentation provides a much more granular level of segmentation than that provided by virtual networks and is also more elastic in its ability to rapidly change the group that an endpoint belongs to, or alter the policy that governs communication for a group. While microsegmentation has traditionally been enforced using Access Control Lists (ACLs) distributed across the network infrastructure, modern microsegmentation leverages group-based access control lists (also called Scalable Group Access Control Lists [SGACLs]) to enforce ACLs based on group membership rather than IP addressing, and thus provides an access control policy environment that is independent of IP addressing and subnet boundaries.


Figure 6. Macro and micro segmentation in SD-Access

The organization of hosts into groups, and the resulting ability to author access control policies in terms of groups rather than IP addresses, has fundamental implications for scalability and manageability. For instance, a group may have endpoints from 100 different subnets associated with it. In this case a traditional IP-based ACL would require each IP prefix in the group to have its own access control entry, leading to very large ACLs that are complex to manage and consume a very large amount of hardware resources in the network. With group-based ACLs, these hundreds of clauses become a single clause for the group rather than one clause per group member. To enforce a group-based ACL, traffic transiting the network is tagged so that policies can be applied to the tag rather than to the IP address.

Network segmentation in SD-Access

Within the SD-Access architecture, Cisco DNA Center and Cisco Identity Services Engine (ISE) work in unison to provide the automation for planning, configuration, segmentation, identity, and policy services. Cisco ISE is responsible for device profiling, identity services, and policy services, dynamically exchanging information with Cisco DNA Center.

Segmentation within SD-Access is enabled through the combined use of Virtual Networks (VNs), which are synonymous with Virtual Routing and Forwarding (VRF) instances, and Scalable Group Tags (SGTs). Whereas segmentation can be accomplished using purpose-built virtual networks alone, Cisco TrustSec SGTs provide logical segmentation based on group membership. SGTs add a layer of granularity, allowing multiple SGTs within a single VN and thereby providing microsegmentation within the VN.


Network segmentation in ACI

A similar example in the data center is Cisco Application Centric Infrastructure (ACI), powered by the Cisco Application Policy Infrastructure Controller (APIC), which offers an architecture that can translate business requirements into secured zones or enclaves. ACI has segmentation and security built into the architecture. It uses the concepts of tenants, contexts, and endpoint groups to deliver segmentation. A context is equivalent to a virtual network and provides macrosegmentation using VRFs and bridge domains. Endpoint Groups (EPGs) are equivalent to the Scalable Groups (SGs) discussed for SD-Access and provide a level of microsegmentation. With Cisco ACI deployed, contracts (policies) can be created that allow only specific communications between tiered applications, as well as access to external resources, whether applications or users, while blocking all other unauthorized access. Within the Cisco ACI policy model, both VRFs and group-based EPGs (similar in many ways to SGTs, even to the extent that the two can be translated into each other) are used to provide segmentation.

Figure 7. A grouping of HTTP and HTTPS services as a single group of endpoints known as an EPG

ACI thus provides a policy and segmentation environment that is consistent with the policy and segmentation environment used in the SD-Access enabled access network. Further, with ACI Anywhere, the policy and segmentation environment extends across the hybrid cloud to provide a single policy domain across diverse public cloud facilities and the private on-premises data center. An ACI fabric can thus extend across Amazon Web Services (AWS), Azure, and Google Infrastructure as a Service (IaaS) facilities, as well as private premises, and present itself as a single multisite domain to the access network.


Segmentation integrations

Cisco is focused on delivering a truly integrated end-to-end segmented network in which the different domains are integrated with each other to align connectivity and segmentation. Although the operational environments are integrated, each domain remains independent, so that the domain-specific functionality and the domain-specific vertical integration of the management and networking stacks are preserved in full for an ideal experience and a full set of functionalities within and across domains. For example, SD-Access is integrated with SD-WAN to deliver a single network experience for the purposes of connectivity and segmentation, but endpoint onboarding in SD-Access and path engineering for Service Level Agreement (SLA) enforcement in SD-WAN operate independently of each other. Likewise, SD-Access is integrated with the ACI data center to enable the federation of identity and the definition of end-to-end user-to-application segmentation policies.

Figure 8. SD-Access and ACI exchange SGTs and EPGs

SD-Access to ACI integration allows the controllers in the SD-Access (Cisco DNA Center) and ACI (APIC) domains to interwork with each other and exchange identity information. SD-Access provides ACI with the list of groups resulting from the classification of endpoints in the access network, and ACI provides the list of application groups. With this information, the SD-Access and ACI domains have enough user and application information to allow the operator to author user-to-application policies using the group-based model. This gives operators consistency across the access network and the data center, so that they can produce an end-to-end segmentation policy. Open APIs allow the SD-Access and ACI systems to integrate with threat and anomaly detection tools and adapt the segmentation accordingly, thus providing the foundation for the IT infrastructure to prevent and remediate security breaches by leveraging end-to-end segmentation. As part of this integration, the network control and data planes are also integrated to maintain the semantics of macro- and microsegmentation across the access and data center domains.
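The following is an added illustration, not Cisco code, of two points made above: how one group-based (SGACL) clause replaces the per-prefix entries a traditional IP ACL would need, and how an SD-Access/ACI group exchange lets one user-to-application intent render into both a campus SGACL cell and a data center contract, with a quarantine reassignment changing enforcement without editing any entry. All group names, SGT values, subnets and addresses are invented, and the /24-per-endpoint assumption used for the entry count is a simplification.

```python
"""Toy model of group-based (SGT/EPG) segmentation and the SD-Access to ACI
group exchange. Constructed illustration; every value below is invented."""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Dict, Set, Tuple

Action = str                               # "permit" or "deny"
Policy = Dict[Tuple[str, str], Action]     # (source group, destination group)


@dataclass
class SdAccess:
    """Campus/branch: endpoints are classified into scalable groups when they
    onboard, and their traffic carries the group's SGT rather than relying on IP."""
    sgt_ids: Dict[str, int]                                   # group -> SGT
    endpoints: Dict[str, str] = field(default_factory=dict)   # ip -> group
    sgacl: Policy = field(default_factory=dict)               # the SGACL matrix
    default: Action = "deny"                                  # unlisted pairs

    def onboard(self, ip: str, group: str) -> None:
        self.endpoints[ip] = group

    def reassign(self, ip: str, group: str) -> None:
        """Moving an endpoint (e.g. into a quarantine group after a detection)
        changes which matrix cell applies; no access control entry is edited."""
        self.endpoints[ip] = group

    def tag(self, ip: str) -> int:
        return self.sgt_ids[self.endpoints[ip]]

    def decide(self, src_ip: str, dst_ip: str) -> Action:
        key = (self.endpoints[src_ip], self.endpoints[dst_ip])
        return self.sgacl.get(key, self.default)


@dataclass
class Aci:
    """Data center: workloads belong to EPGs; contracts say which EPG pairs may talk."""
    epgs: Set[str]
    workloads: Dict[str, str] = field(default_factory=dict)   # ip -> EPG
    contracts: Policy = field(default_factory=dict)

    def place(self, ip: str, epg: str) -> None:
        self.workloads[ip] = epg

    def decide(self, src_group: str, dst_ip: str) -> Action:
        """Matches on the campus group (SGT translated to an EPG), not the IP."""
        return self.contracts.get((src_group, self.workloads[dst_ip]), "deny")


def prefixes_of(members: Dict[str, str], group: str) -> Set[str]:
    """Assumption for the comparison: each endpoint's subnet is its /24."""
    return {str(ip_network(f"{ip}/24", strict=False))
            for ip, g in members.items() if g == group}


def ip_acl_entry_count(campus: SdAccess, src_group: str, dst_group: str) -> int:
    """Entries a prefix-based ACL needs for ONE group-to-group clause: one per
    (source prefix, destination prefix) pair. The SGACL needs exactly one."""
    return (len(prefixes_of(campus.endpoints, src_group))
            * len(prefixes_of(campus.endpoints, dst_group)))


def exchange_groups(campus: SdAccess, dc: Aci) -> None:
    """Controller integration: the campus learns ACI's application groups (and
    the workloads in them); ACI learns the campus scalable groups."""
    next_sgt = max(campus.sgt_ids.values()) + 1
    for epg in sorted(dc.epgs - set(campus.sgt_ids)):
        campus.sgt_ids[epg] = next_sgt
        next_sgt += 1
    campus.endpoints.update(dc.workloads)
    dc.epgs.update(campus.sgt_ids)


def author_end_to_end(campus: SdAccess, dc: Aci,
                      user_group: str, app_group: str, action: Action) -> None:
    """One user-to-application intent rendered into both domains' policies."""
    campus.sgacl[(user_group, app_group)] = action   # SGACL cell on the campus
    dc.contracts[(user_group, app_group)] = action   # contract in the ACI fabric


def demo() -> Dict[str, object]:
    campus = SdAccess(sgt_ids={"Doctors": 10, "IoT": 20, "Quarantine": 99})
    for ip in ("10.1.1.5", "10.1.2.7", "10.1.3.9"):    # doctors in 3 subnets
        campus.onboard(ip, "Doctors")
    campus.onboard("10.1.4.50", "IoT")
    dc = Aci(epgs={"EMR-Web", "EMR-DB"})
    dc.place("10.9.1.10", "EMR-Web")
    dc.place("10.9.2.20", "EMR-DB")
    exchange_groups(campus, dc)
    author_end_to_end(campus, dc, "Doctors", "EMR-Web", "permit")
    out = {"acl_entries": ip_acl_entry_count(campus, "Doctors", "EMR-Web"),
           "doctor_web_campus": campus.decide("10.1.1.5", "10.9.1.10"),
           "doctor_web_dc": dc.decide(campus.endpoints["10.1.1.5"], "10.9.1.10"),
           "iot_web_campus": campus.decide("10.1.4.50", "10.9.1.10")}
    campus.reassign("10.1.1.5", "Quarantine")          # response to a detection
    out["quarantined_web"] = campus.decide("10.1.1.5", "10.9.1.10")
    out["quarantined_tag"] = campus.tag("10.1.1.5")
    return out
```

Running `demo()` shows three prefix pairs collapsing into one SGACL cell, the same intent permitting doctor traffic in both domains while IoT traffic stays denied by default, and the quarantined endpoint losing access the moment its group changes.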

Figure 9. SD-WAN passes SGTs between segments of SD-Access so policy follows identity


SD-Access to SD-WAN integration automates the provisioning and assurance of the control and data plane interface between the SD-Access and SD-WAN domains. The Network-to-Network Interface (NNI) between the domains is distilled into a single network device (the edge router). This device is shared between the two domains to simplify the handoff between them and make them behave as closely as possible to a single domain, without losing the functional independence of each domain. The management planes are integrated so that any given device is managed by one controller and one controller only, which allows the system to remain transactional and therefore reliable. The macrosegmentation semantics are mapped between the domains to produce an end-to-end virtual network across access and WAN, without sacrificing functionality in either domain. The microsegmentation semantics are transported opaquely by the WAN so that they can be effective in the edge domains (campus, branch, and data center). With this integration, segmentation can be defined once in Cisco DNA Center, and behavior is driven to the SD-Access domain and to the SD-WAN domain through API-based controller integration. The two domains effectively appear as one for the tasks that matter.

A network segmentation strategy developed to enforce security policy in support of an organization’s business requirements is not limited to a single location or a single domain. A given network segment, and the policies it represents, may be extended anywhere within an organization where one of the business-relevant applications or functions resides. This range of function extends from the access network through the WAN all the way to the multicloud data center, across the WAN and security domains.

User experience policy integrations

SD-WAN to ACI integration allows the ACI administrator to define service-level requirements for different applications and to communicate them to the SD-WAN controller, so that any necessary path selection, QoS, or traffic engineering may be enforced in the WAN to deliver the required SLA. A single touchpoint can trigger the rendering of the desired intent across multiple domains.

Figure 10. Automatic service assurance integration to ensure quality of user experience

Security policy integrations

Security applications should not be bolted on but rather built into the network fabric, which allows security and the network to work together to reduce the time to prevent, detect, and remediate threats. This level of integration protects users and devices regardless of their physical location and of the location of the application they are trying to access, whether in the data center, a hybrid cloud, or a SaaS provider.

Cisco defines integration between network and security as intent-based network security to emphasize that its security applications apply to all intent-based networking domains. A secure intent-based network provides visibility into who and what is on the network, contributes to a complete zero trust access model, and continuously detects and contains threats.


Security point products built for specific threats can be used in only a single networking domain. As organizations transform their networks towards SD-Access, SD-WAN, and hybrid multicloud, and as user traffic traverses multiple networking domains, it is imperative that security policy follows the traffic and maintains the security posture across all these networking domains.

Figure 11. Security for the multidomain world

Cisco’s aptly named security architecture—intent-based network security—emphasizes the need for security to work within the principles of intent-based networking. Intent-based network security addresses the critical question: is security fulfilling the business intent?

Figure 12. Cisco intent-based network security components and benefits


Intent-based network security approaches the problem holistically. It allows you to:

● Enable automated access policies from a simple and single interface to secure any user, any device, any app, anywhere
● Stop propagation of data breaches using dynamic context, not location, for segmentation
● Ensure fast compliance by applying security to thousands of locations from one interface
● Streamline visibility to the SOC for reduced time to threat detection
● Automate threat responses from the SOC to remediate incidents in less time

Figure 13. Cisco intent-based network security provides security across domains

Intent-based network security is based on three principles:

1. Continuous visibility: A full view of who and what is on the distributed network is critical to fill the gaps in traditional perimeter- and endpoint-based security solutions. Gaining a baseline understanding of all network communications, even in the cloud, provides a full inventory that a group-based policy can be built around. It enables monitoring of unusual behavior that could represent a threat or policy violation. Machine learning can further classify all types of devices or workloads and more quickly identify anomalies from the baseline.

2. Zero-trust access: A zero-trust security model provides the ability to secure access regardless of where access originates and minimizes the attack surface. This model contextually groups all users, devices, things, and applications, and then logically segments them throughout the wired and wireless infrastructure to secure the workplace. The segmentation model follows throughout the domains, from the user in the campus or branch, through SD-WAN, to applications in the data center and cloud.

3. Constant protection: Network transformations, including SD-WAN and SD-Access, have resulted in a distributed environment requiring security controls in hundreds to thousands of locations. Constant protection can be achieved only by building threat prevention, detection, and response into every network device, from the WAN edge to the campus core. An open, scalable multidomain architecture to push access policy changes from the branch to the data center is critical to rapidly contain threats.


Cisco multidomain security applications

Cisco Advanced Malware Protection (AMP) works on endpoints, blocking malware at the point of entry and removing it from PCs, Macs, Linux, and mobile devices. Going beyond user devices, AMP also works within Cisco SD-WAN to proactively block threats and protect users.

Cisco Stealthwatch® scales visibility and security analytics across the whole business, including endpoints in campus and branch, data center, and cloud. And with Encrypted Traffic Analytics, Cisco Stealthwatch is the only product that can detect malware in encrypted traffic and ensure policy compliance, without decryption.

Cisco Umbrella™ provides a Secure Internet Gateway (SIG) that serves as the first line of defense against threats on the internet wherever users go. Umbrella delivers complete visibility into internet activity across all locations, devices, and users, and blocks threats before they ever reach your network or endpoints.

Security constructs built into Cisco SD-WAN apply consistent security across campus, branches, devices, and users by shifting the security stack that enforces network segmentation, enterprise firewall, secure web gateway, and DNS-layer security policies from the centralized data center DMZ to the distributed WAN and cloud edge.

Conclusion

While IT is utilizing intent-based features in each of the networking domains, IT decision makers are realizing that business intents span domains and that these domains must work together to fulfill those intents. While each domain has policies that define its actions, integration of policies between domains serves as the most elegant way to preserve their uniqueness and still provide the essential consistency and management. With policy integration, each domain, while functioning independently, can collaborate with the others for the benefit of the enterprise network.

It’s not an intent-based network until you can tell the network what you want and let it figure out how to do it. It’s not “one network” unless we have policy, automation, assurance, and security built in for continuous visibility, zero-trust access, and constant protection, with security and assurance working seamlessly across every domain.

Cisco is uniquely positioned to deliver multidomain integrations with these differentiators:

● Only Cisco has leadership and best-in-class purpose-built intent-based networks across campus, branch, WAN, data center, colocation centers, and multicloud domains
● Only Cisco is executing on the vision of end-to-end intent-based networking—from any user anywhere to any workload anywhere
● Only Cisco integrates security uniformly across all domains


For more information

● Read the blogs: 3 Ways Intent-Based Networking Fulfills Business Intent with Multidomain Integration, and Extending Intent-Based Networking Across Domains
● Read the AAG: Cisco Multidomain Integrations for Intent-Based Networking At-a-Glance
● Experience it for yourself: Cisco ACI-ISE Integration Demo
● Dive deeper and listen to Cisco experts: Cisco Applications and End to End Infrastructure Policy (Tech Field Day), and The Integrated Multi-Domain Network - Status and Evolution
● Watch Techwise TV: Multidomain Integrations for Intent-Based Networking

Printed in USA C11-742929-00 12/19