In campus networks, several emerging trends are shaping how future networks are designed: mobility, the Internet of Things (IoT), and unified security across wired and wireless connections. Adapting to them calls for a new approach to networking, one that uses intent-based networking to extend policy-based automation from the network edge out to public and private clouds. SD-Access is one example. Intent-based networking means telling the controller the desired end state and letting the controller-based network work out the low-level device and configuration details. It is similar to satellite navigation (GPS): the user enters the destination and the software calculates the best route, taking into account the constraints the user has specified. Intent-based networking has to cover several elements, ranging from access control to quality of service (QoS).
1. Mobility
Traditional campus networks contained only company-owned devices. Today's networks carry a range of devices, including bring your own device (BYOD) endpoints and smart wearables. The average user brings 2.7 devices to the workplace and needs access to corporate systems in the cloud as well as application workloads in private data centers. Users now expect seamless mobility across all of those devices while the same level of security and access control is maintained.

2. Internet of Things
Enterprise IoT on campus includes everything that can be found in an office building, and the current challenge is how to enforce strong security boundaries between these devices. Most attacks in the past 12 months involved some kind of unsecured IoT device. Often the device was neither procured nor managed by the IT department, which is how it ends up as the entry point for a breach. In some cases compromised IoT devices have direct access to the internet or to corporate networks, giving malware and attackers a foothold. A widely reported example is the casino "fish tank" incident: an internet-connected sensor monitoring a fish tank was compromised, the attacker used it to move laterally into the network and reach critical assets, and about 10 GB of data was exfiltrated from a North American casino. Remember that attackers do not need deep resources; easy-to-use tooling is readily available and they are constantly probing for any small vulnerability through which to get into the network.

3. Security
In this day and age, with most networks converged, no network can be 100% secure and an attack will eventually succeed; it is only a matter of time before your network is affected. By segmenting the network, however, administrators can limit the blast radius of an attack: segmentation ensures that an infected host cannot keep spreading laterally.

Traditional segmentation
Segmentation has been a problem for years.
However, given that today's networks need to support mobility, IoT and unified security across wired and wireless connections, traditional segmentation tools are no longer adequate. Most networks use virtual local area networks (VLANs) for segmentation, but VLANs, like other protocols such as the Spanning Tree Protocol (STP), were not designed with security in mind. VLANs were created in the 1990s to segment broadcast domains: each VLAN is a separate broadcast domain. Over time administrators started using VLANs for access control as well, associating each VLAN with an IP subnet and enforcing policy on those subnets. As the network grows, VLANs cannot keep up with the scale, and IP address-based policy enforcement is rigid and inflexible: the policy is tied to where a host is (its subnet) rather than to who or what it is.

Another major issue is management. Networks are complex, and most are still operated through command-line interfaces (CLIs) with limited or no automation, which presents a serious challenge; since every network is unique, operations become a burden. A vendor can ship the most advanced segmentation technology, but unless it can be deployed (and removed again) with a single button, it will not be adopted.

Controller Analysis Engine
If controller-based architectures are to become ubiquitous in campus networks, the controllers need to be fully automated, and monitoring and troubleshooting need to be effortless. The problem is that monitoring and troubleshooting still rely on technologies created some 30 years ago: Syslog, the Simple Network Management Protocol (SNMP) and NetFlow. SNMP in particular works in pull mode: the management station polls each device, which scales poorly and burdens device central processing unit (CPU) utilization. Today's networks need a controller-side big data analytics engine fed in push mode (streaming telemetry), which can collect and manage data from every device.
Such an engine can provide insights, predict how things will develop, and enable the network to self-heal.

The Way Forward - Macro and Micro Segmentation
A VLAN provides a single, flat layer of segmentation. For today's campus network, this flat model needs to become a two-layer model. The first layer is introduced through virtual networks (VNs), also called macro segments. A VN in the campus is comparable to virtual routing and forwarding (VRF): VRF segments the network at the forwarding layer, giving each VN its own routing table. How to divide the network into VNs has to be based on the structure and business lines of the organization. By definition VNs cannot communicate with each other, and any cross-VN communication should go through a stateful firewall, which tracks the state of active connections and the characteristics of the traffic traversing it. In the data plane, Virtual Extensible LAN (VXLAN) is used to create the macro segments: each VN maps to a VXLAN network identifier (VNI).

Security group tags (SGTs) provide the second layer, micro-segmentation. Micro-segments are embedded within a VN, and filters are then defined between micro-segments. This requires an extension to VXLAN, the VXLAN Group Policy Option (VXLAN-GPO), which defines how the micro-segmentation tag is carried in the VXLAN header (a 16-bit Group Policy ID in bytes that plain VXLAN leaves reserved). Macro and micro segmentation both operate in the data plane; next, the control plane.

Control Plane - Locator/ID Separation Protocol (LISP)
With data plane forwarding handled, a good control plane is needed to distribute reachability information across a large campus network. Border Gateway Protocol (BGP) is a distributed, stateful protocol. It works well in the data center, but it does not fit the campus, where more than 60% of the endpoints are wireless. Users are constantly moving from AP to AP and between wireless and wired. Host mobility is usually handled by advertising /32 host routes, and BGP is not good at the churn that such frequent moves generate.
LISP is therefore the better choice here, and it combines cleanly with the VXLAN data plane. LISP is a pull-based (on-demand) protocol, similar in spirit to the Domain Name System (DNS): forwarding is still based on IP addresses, but the mapping from an endpoint identifier (EID, the host address) to its routing locator (RLOC, the edge node it currently sits behind) is resolved from a centralized map server and cached only where it is needed, rather than being flooded to every node.

Wireless Progress
Traditionally, wireless has been an overlay of its own on top of the wired network, tunnelling traffic from the access point to a wireless LAN controller with Control and Provisioning of Wireless Access Points (CAPWAP). In the new model the VXLAN tunnel and overlay have to start at the access point, so VXLAN replaces CAPWAP as the data plane (CAPWAP can remain for AP control and management). Given these requirements, the way wired and wireless work has to change. If user group tag information is carried, it must be carried the same way whether the user is on an AP or on a wired switch; the tag must not change based on the medium through which the user enters the network. Wired and wireless are merely different ways into the network; the user does not change. This is called identity-based segmentation. Users are identified through profiling, and once a profile, in the form of a tag, is assigned to a user, the tag stays with the user wherever they move.

Future Challenges
The next big challenge is how to carry group-based policy consistently across all campus networks and beyond. Security needs to extend across the wide area network (WAN) to public, private and multi-cloud environments, providing all the advanced WAN features such as path selection and encryption while still extending consistent group-based policy.
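As an added illustration of the VXLAN-GPO header described under macro and micro segmentation above (this is example code written for this page, not Cisco SD-Access code and not a VXLAN-GPO reference implementation): it packs and parses the 8-byte header carrying the Group Policy ID, then shows an egress VTEP applying both layers of segmentation. A VNI mismatch is refused outright, because cross-VN traffic has to go through the stateful firewall, and same-VN traffic is checked against a group policy matrix. The VNIs, tag values and policy matrix are constructed for the example; the flag bit positions follow the IETF draft-smith-vxlan-group-policy layout.

```python
import struct

# Flag bits in the first 16 bits of the VXLAN header (draft-smith-vxlan-group-policy).
# Standard VXLAN (RFC 7348) sets only the I bit; the GPO extension adds G, D and A.
FLAG_G = 0x8000  # Group Based Policy extension present
FLAG_I = 0x0800  # VNI field is valid
FLAG_D = 0x0040  # Don't Learn: do not learn the inner source MAC
FLAG_A = 0x0008  # policy Applied: an upstream device already enforced policy


def build_vxlan_gpo_header(vni, group_id, policy_applied=False, dont_learn=False):
    """Return the 8-byte VXLAN header carrying a macro segment (VNI) and a micro segment (group ID)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is a 24-bit field")
    if not 0 <= group_id < (1 << 16):
        raise ValueError("Group Policy ID is a 16-bit field")
    flags = FLAG_G | FLAG_I
    if dont_learn:
        flags |= FLAG_D
    if policy_applied:
        flags |= FLAG_A
    # flags (16 bits) | group policy ID (16) | VNI (24) | reserved (8)
    return struct.pack("!HHI", flags, group_id, vni << 8)


def parse_vxlan_header(header):
    """Decode a VXLAN header; a plain RFC 7348 header comes back with group_id None."""
    if len(header) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    flags, group_id, vni_word = struct.unpack("!HHI", header[:8])
    if not flags & FLAG_I:
        raise ValueError("I bit clear: VNI not valid")
    gpo = bool(flags & FLAG_G)
    return {
        "vni": vni_word >> 8,
        "group_id": group_id if gpo else None,
        "policy_applied": gpo and bool(flags & FLAG_A),
        "dont_learn": gpo and bool(flags & FLAG_D),
    }


# Constructed example identifiers (not from the article): two VNs and three groups.
VN_CORP = 4097       # VNI of the corporate virtual network
VN_IOT = 4098        # VNI of the IoT virtual network
SGT_EMPLOYEE = 10
SGT_CAMERA = 20
SGT_SERVER = 30

# Group policy matrix: (source group, destination group) -> permit. Anything absent is denied,
# so two cameras in the same VN can never talk to each other.
GROUP_POLICY = {
    (SGT_EMPLOYEE, SGT_SERVER): True,
    (SGT_SERVER, SGT_EMPLOYEE): True,
    (SGT_CAMERA, SGT_SERVER): True,
}


def egress_decision(header, dest_vni, dest_group):
    """What the egress VTEP does with a packet whose destination sits in (dest_vni, dest_group)."""
    pkt = parse_vxlan_header(header)
    if pkt["vni"] != dest_vni:
        # Macro segmentation: VNs never talk directly; only the stateful firewall may bridge them.
        return "deny: cross-VN traffic must traverse the firewall"
    if pkt["group_id"] is None:
        return "deny: untagged source inside a policy-enforced VN"
    if pkt["policy_applied"]:
        return "permit: policy already applied upstream"
    if GROUP_POLICY.get((pkt["group_id"], dest_group), False):
        return "permit"
    return "deny: group policy %d -> %d" % (pkt["group_id"], dest_group)
```

Note that the tag travels inside the encapsulation, so the same decision logic runs whether the packet entered through a wired edge switch or an AP-originated VXLAN tunnel; only the ingress device that stamps the Group Policy ID differs.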
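To make the pull model of the LISP control plane concrete, here is an added simulation written for this page (it is not a LISP implementation and not SD-Access code): edge nodes register a host's /32 EID against their own RLOC with a map server, other edge nodes resolve that mapping on demand and cache it, and when the host roams only the map server and the nodes that actually cached the entry see any change, which is the contrast with BGP pushing every /32 update to every node. Node names, RLOCs and host addresses are constructed. As a simplification the map server invalidates cached entries directly on a move; in real LISP the xTR sends a Solicit-Map-Request and the ITR re-resolves.

```python
import ipaddress


class MapServer:
    """Minimal LISP Map-Server / Map-Resolver, the role the SD-Access control plane node plays.

    Holds the EID-to-RLOC database. Edge nodes pull mappings on demand, like a DNS resolver,
    instead of every node receiving every host route as BGP would push it.
    """

    def __init__(self):
        self.db = {}           # EID prefix -> (RLOC, version)
        self.resolvers = {}    # EID prefix -> set of edge nodes that cached it

    def map_register(self, eid, rloc):
        """Map-Register from the edge node behind which the host now sits."""
        version = self.db.get(eid, (None, 0))[1] + 1
        self.db[eid] = (rloc, version)
        # Simplification: tell every node that cached this EID to drop its entry.
        # In LISP proper the xTR sends a Solicit-Map-Request and the ITR re-resolves.
        for node in self.resolvers.get(eid, set()):
            node.invalidate(eid)
        return version

    def map_request(self, requester, eid):
        """Map-Request: on-demand lookup, returns (RLOC, version) or None if unknown."""
        entry = self.db.get(eid)
        if entry is not None:
            self.resolvers.setdefault(eid, set()).add(requester)
        return entry


class EdgeNode:
    """Fabric edge (switch or AP-facing node) acting as LISP ingress/egress tunnel router (xTR)."""

    def __init__(self, name, rloc, map_server):
        self.name = name
        self.rloc = ipaddress.ip_address(rloc)
        self.ms = map_server
        self.map_cache = {}      # EID prefix -> RLOC
        self.map_requests = 0    # lookups that had to go to the map server

    def host_attached(self, host_ip):
        """A host appeared here (wired port or roaming AP): register its /32 EID."""
        return self.ms.map_register(ipaddress.ip_network(f"{host_ip}/32"), self.rloc)

    def resolve(self, dst_ip):
        """RLOC to encapsulate traffic for dst_ip towards; cache hits cost no control-plane traffic."""
        eid = ipaddress.ip_network(f"{dst_ip}/32")
        if eid in self.map_cache:
            return self.map_cache[eid]
        self.map_requests += 1
        entry = self.ms.map_request(self, eid)
        if entry is None:
            return None
        self.map_cache[eid] = entry[0]
        return entry[0]

    def invalidate(self, eid):
        self.map_cache.pop(eid, None)


def roaming_scenario():
    """Constructed scenario: a laptop roams from edge-a to edge-b while edge-c talks to it."""
    ms = MapServer()
    edge_a = EdgeNode("edge-a", "192.0.2.1", ms)   # wiring-closet switch
    edge_b = EdgeNode("edge-b", "192.0.2.2", ms)   # edge behind the AP the user roams to
    edge_c = EdgeNode("edge-c", "192.0.2.3", ms)   # edge hosting a server that talks to the laptop
    edge_d = EdgeNode("edge-d", "192.0.2.4", ms)   # edge that never talks to the laptop

    laptop = "10.10.0.25"
    edge_a.host_attached(laptop)
    first = edge_c.resolve(laptop)        # Map-Request, answered with edge-a's RLOC
    cached = edge_c.resolve(laptop)       # served from the map-cache

    edge_b.host_attached(laptop)          # roam: map server updates, edge-c's cache is dropped
    after_move = edge_c.resolve(laptop)   # one more Map-Request, now edge-b's RLOC

    return {
        "first": str(first),
        "cached": str(cached),
        "after_move": str(after_move),
        "edge_c_requests": edge_c.map_requests,
        "edge_d_requests": edge_d.map_requests,   # stays 0: no churn reaches uninvolved nodes
        "mapping_version": ms.db[ipaddress.ip_network(f"{laptop}/32")][1],
    }
```

The point to take from the scenario is the fan-out: a move costs one registration plus one re-resolution per node that was actually in conversation with the host, whereas a /32 advertised through BGP would be recomputed on every node in the fabric on each roam.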