Intent-based networks – introduction

By Daniel Dib, Senior Network Architect, Conscia

Intent-based Networking Systems, IBNS: Intent-based networks – introduction

Intent-based networks: In June Cisco launched its Software Defined Access (SDA), which is an intent-based networking solution. There are also other places in this space, for example Apstra. What is intent-based networking?

Traditional networking: imperative approach

Traditionally we have built networks with an imperative approach, which means that we had to precisely specify every component in order to reach our desired state. To illustrate let’s start with a simple example where we have a traditional network infrastructure.

This network is a simple network that is typical for a smaller office. We have two users, Bob and Alice, who work in different departments. Bob is in HR and Alice is in Sales. We want Alice to be able to access the file server but not Bob. However, both should have access to the Internet.
If we start from the beginning and configure this scenario, we would have to follow these steps:

  • Assign a VLAN for HR users
  • Assign a VLAN for Sales users
  • Assign a VLAN for servers
  • Assign an IP network for HR users
  • Assign an IP network for Sales users
  • Assign an IP network for servers
  • Configure Bob’s and Alice’s ports to be in the right VLAN
  • Configure the trunk-port between access and distribution to allow these VLANs
  • Configure the trunk-port between switches in the distributions layer to allow these VLANs
  • Configure two SVIs in the switches in the distribution layer
  • Configure HSRP on the switches in the distribution layer
  • Configure an ACL on FW to deny traffic from Bob (HR) but allow traffic from Alice (Sales) to the server
  • ACL allows traffic from both departments to the Internet

There are several disadvantages with this approach, some of which I have listed below:

  •     Assigning VLAN and IP network is a manual setting
  •     User identity is based on an IP address
  •     Security can be bypassed if a user gets an IP address in the “right” IP network
  •     The underlying topology must be updated for every change
  •     Adding of removing a configuration can affect all users
  •     Several devices must be updated in order to update the configuration

Some of this can be solved by using network automation, but here are some of the things we want to achieve:

  •     Get away from manually taking care of VLAN and IP networks
  •     Have a policy based on something other than an IP address
  •     Achieve better security through the use of authentication
  •     Create a more stable underlying topology that is always in place
  •     Minimise the number of devices that must be updated in order to configure new networks and users

Intent-based networking: declarative approach

With a declarative approach we would be able to define a policy and get the network to calculate all the details. Our intention is to:

  •     Allow Bob to access all internal resources except for the server and Internet
  •     Allow Alice to access all internal resources and the Internet
  •     Give gateway redundancy to users

We don’t care about which VLAN is assigned or the IP network. We don’t care about access ports or trunks or configuring firewall rules. We just want a network that instantiates the above policy. This is the whole thinking behind intent-based networking.

According to Gartner Research VP, Andrew Lerner, an Intent Based Networking System (IBNS) has the following components*:

  • Translation and validation: One of the most important principles for IBNS is its ability to translate the commands from the network administrator into actions the software performs. The thinking is that network managers define a high-level policy that they want implemented in the network. IBNS verifies that the policy can be implemented.
  • Automated implementation: When a network administrator has defined the network’s desired state, the IBNS software manipulates network resources to create the desired state and force through the policies.
  • Awareness of the state: Another key component of IBNS is its gathering of data to constantly monitor the state of the network.
  • Assurance and dynamic optimisation: IBNS constantly ensure that the network’s desired state is maintained. It uses machine learning to choose the best way to implement the desired state and can take automated corrective action to maintain state.

The basis of intent-based networks

In order to build an intent-based network a few components are need, and I will describe these based on the Cisco SDA network.

Fabric is built with Catalyst 9k (UADP 2.0) or Catalyst 3850/3650 (UADP 1.1) switches where the administrator doesn’t care about the individual switches, but rather sees it as one unit, or a fabric.

Underlying topology
The underlying topology is what gives IP accessibility so that the overlying topology can build the tunnels and find the destination for the tunnel endpoints. The underlying topology is often built with Intermediate System to Intermediate System (ISIS), which is also the case in Application Centric Infrastructure (ACI) in DC environments

Overlying topology
An overlying topology makes it possible for users to connect to all the switches that form the fabric and belong to a specific IP network and can still communicate in L2 with other users on other switches. Virtual EXtensible LAN (VXLAN) is often used to build the overlying topology.

Orchestrating engine
There must be an engine responsible for orchestrating the configuration for the individual devices. In SDA it is APIC-EM (Application Policy Infrastructure Controller Enterprise Module) that is responsible for this.

Policy engine
Something is needed to reform the policy and perform authentication of users. In SDA, Identity Services Engine (ISE) is used for this role.

Management of SDA takes place via Digital Network Architecture Center (DNA Center) where design, provisioning and management of the solution is performed.

The administrator needs to know how the network is working. Are there any issues? How many active wireless users are there? Are there enough IP addresses in the DHCP pools? Cisco uses Network Data Platform (NDP) to give the administrator insight into the network.

The network administrator is getting faster and better

Is intent-based networking a new concept? In networking any technology is never entirely new, and generally builds on something that already exists. From my perspective, what is new is that the future network administrator will be less focused on VLAN, IP networks and ACL and more focused on user identity, policy and providing a good user experience. This does not mean that the administrator does not need knowledge. Bear in mind that in the background this is configured using tools and technologies that we have previously used manually.

There will be situations where the administrator needs to troubleshoot or collect information on a TAC issue, etc. This means that a less experienced administrator will be able to perform more work faster. It also means that the administrator can focus on more important things than provisioning VLAN.

I hope that this blogpost has provided you with some insight into what IBNS and that it is not so scary. My colleagues and I have the highest certifications in Cisco’s networking products and we are available to answer any questions you may have about intent-based networking network for your business, contact us.

By Daniel Dib, Senior Network Architect, Conscia, CCIE #37149, CCDE #20160011