This Bridge is the Root


What is Intent-Based Networking?

One of the biggest buzzwords in computer networking (especially from Cisco) over the last couple of years has been the concept of "intent-based networking". If you were to ask a group of people what intent-based networking is, you might get several different answers. My definition goes like this: "Intent-based networking is an architecture where we define what the business policies are, and then turn those into network policies that can be automatically applied globally within your organization."

To be clear, intent-based networking is a philosophy, not any single technology.

I'll give an example of how it's traditionally done and how it can be done better. Traditionally, if we wanted to limit access to a particular server to only people from HR, we would create a VLAN and subnet just for HR and then put an access-list somewhere that permitted access only from that subnet. If a person from HR picked up their laptop and went into a meeting room that only had wireless, we would have to create new workarounds to allow for that movement, or live with the fact that the HR person couldn't access the server remotely.

Traditional network designs are inflexible because the policy isn't based on the intent.

With intent-based networking, the goal is to accurately identify users on the network, classify them into groups, and then apply our policy to that group. I find this analogous to the transition to Next-Generation Firewalls. Legacy firewalls dealt with IP addresses and port numbers. NGFWs, however, can identify applications on non-standard ports. If the intent is to block BitTorrent, the firewall looks at the upper layers of the packet to block the application rather than a specific port.

With intent-based networking, if our HR person leaves their desk and takes their laptop with them, the policy that we applied follows them onto wireless. That policy could also follow them home when they start up their VPN.

The technologies that enable us to do this vary from application to application, but they are generally all talking via RADIUS to a single authentication and authorization server in the background. Often, Cisco's ISE or Aruba's ClearPass will be that server. We first identify who is accessing our network (authentication) and then tell them what they can do (authorization).

Authorization can come in many forms, though. You could keep it old school and apply a VLAN to the machine, apply an access-list, or, in the case of Cisco's TrustSec and SD-Access, apply a Security Group Tag (SGT).
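To make the contrast concrete, here is a small added example (not code from this post or from any vendor product) that models both approaches: a legacy subnet-based access-list for the HR server, and a group-based authorization step that returns the same RADIUS Access-Accept attributes (VLAN, ACL name, SGT) no matter where the user connects. The usernames, subnets, VLAN numbers, ACL names and SGT values are constructed, and the exact string format of the TrustSec SGT AV-pair is an assumption.

```python
import ipaddress

# Constructed identity store: what ISE or ClearPass would learn from AD/LDAP.
USER_GROUPS = {"alice": "HR", "bob": "Engineering"}

# Business intent expressed once per group. Values are illustrative placeholders.
GROUP_POLICY = {
    "HR":          {"vlan": 20, "acl": "HR-SERVER-ACCESS", "sgt": 0x0010},
    "Engineering": {"vlan": 30, "acl": "ENG-ACCESS",       "sgt": 0x0020},
}
HR_SERVER_SGT = GROUP_POLICY["HR"]["sgt"]

# Legacy design: "HR" means "anything sourced from the HR subnet".
HR_SUBNET = ipaddress.ip_network("10.10.20.0/24")  # constructed


def legacy_allowed(src_ip: str) -> bool:
    """Subnet-based access-list: permits only sources inside the HR VLAN.
    An HR laptop that roams to the wireless subnet is denied, because the
    policy was written against an address, not an identity."""
    return ipaddress.ip_address(src_ip) in HR_SUBNET


def authorize(username: str) -> dict:
    """Build the RADIUS Access-Accept attributes for an authenticated user.
    The result depends only on the user's group, so wired, wireless and VPN
    sessions all receive the same policy."""
    group = USER_GROUPS.get(username)
    if group is None:
        return {"result": "Access-Reject"}
    p = GROUP_POLICY[group]
    return {
        "result": "Access-Accept",
        # RFC 2868 tunnel attributes are how a VLAN assignment is carried in RADIUS.
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(p["vlan"]),
        # RFC 2865 Filter-Id names an ACL already present on the switch/controller.
        "Filter-Id": p["acl"],
        # TrustSec SGT via cisco-av-pair; "<sgt>-<generation>" hex is an assumed format.
        "cisco-av-pair": f"cts:security-group-tag={p['sgt']:04x}-00",
    }


def hr_server_permits(attrs: dict) -> bool:
    """Enforcement point for the HR server: match on the SGT, not the source IP."""
    tag = attrs.get("cisco-av-pair", "")
    return tag == f"cts:security-group-tag={HR_SERVER_SGT:04x}-00"


if __name__ == "__main__":
    print("legacy, at desk:     ", legacy_allowed("10.10.20.5"))   # True
    print("legacy, on wireless: ", legacy_allowed("10.10.50.7"))   # False
    print("intent, any medium:  ", hr_server_permits(authorize("alice")))  # True
```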

I hope this clears up any confusion you may have, and I'll dive deeper into the applications of intent-based networking in a later post.