Cisco IT—our future network
What new demands will networks face in 2025? In this blog series the Cisco IT networking team will share our vision for the future of our network—and the investments we’re making to get there.
Predicting future network demands is trickier now than at any time in my career. Consider the last couple of years. Over a few weeks in March and April 2020, COVID-19 sent our entire workforce home to work, making the business completely reliant on remote access. The 16 companies we’ve acquired since 2020 had to be securely joined to our network. In the face of ongoing supply chain disruptions triggered by the pandemic and geopolitical events, we’ve had to quickly onboard new partners to our network and just as quickly disconnect others. Expectations for data privacy and data sovereignty have grown.
What changes will the next three years bring? No one can know, so agility is key.
Why we’re re-architecting our network—business drivers
Here’s what we do know. From now through 2025, our network will need to adapt quickly to a shifting mix of users, devices, applications, and data that keep moving around. Consider my workday. On a given Monday morning I might be working at home, in the office, or in a coworking space. I’ll connect to applications hosted in our data center, public clouds, and SaaS like Webex, Microsoft 365, and ThousandEyes.
Building a secure, agile network now will save us from having to scramble when the unexpected happens. We need to do it quickly, at scale, and while keeping operational costs down.
Transitioning to a secure, agile network
To meet these challenges, we’re following the modern network principles shown in Figure 1:
- Centralized device management. Device-by-device management using a command line interface is a time sink. We’re moving to centralized management using controllers.
- Automated operations. Manual operations, like updating firewall rules whenever we add or retire servers or bring on new partners, aren’t sustainable for dynamic businesses like ours. We’re working to automate changes based on insights from network behavior, an approach known as AIOps. Treating infrastructure as code (IaC) will help to make our services consistent and standardized.
- Internet transport. The internet is ubiquitous. We’re leveraging it to connect workers, applications, and data anywhere in the world—including employees’ homes, our own data centers, colocation facilities, and public clouds. The open internet is untrusted, so we run an encrypted SD-WAN overlay across it to protect data in motion.
- Identity-based security. Access policies that depend on the location of the person or device aren’t practical with a distributed workforce. We’re shifting to identity-based security: each person or device gets the privileges tied to its identity and current state, no matter where or when it connects.
- Network management and security in the cloud, “as a service.” Augmenting our on-premises network management software with cloud-based IT services will reduce the costs of infrastructure, space, power, and cooling.
Our strategic network investments—30,000-foot view
Figure 2 shows the technologies we’re investing in to build a secure, agile network with the capabilities I just listed. It’s a feedback loop: Sense network activity by collecting telemetry from infrastructure. Gain insights (traffic patterns, security threats, etc.) using artificial intelligence and machine learning (AI/ML). Then automatically re-program infrastructure based on those insights. Repeat.
Here’s a summary of how we’re investing to make the vision in Figure 2 a reality. In future blogs we’ll drill down into each capability.
Borrowing from modern application development, network engineers are starting to treat infrastructure as code so that they can automate changes. We in Cisco IT are already automating certain tasks in parts of our network. But scattered pockets of automation are difficult to support, so we’re evolving from automating individual tasks to automating end-to-end processes.
Our future architecture will use AIOps, continually updating infrastructure based on insights gleaned from telemetry. Network controllers will make changes automatically—initially using rules we provide, and later based on machine learning. Already, our SD-WAN controllers continually assess link performance to choose the best path to meet the application service level agreement. Taking humans out of the loop will allow us to make changes faster and without the risk of typos. The flip side is that an automated change carrying a bad rule propagates everywhere just as fast, so validating intended changes before they are applied matters more, not less.
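The infrastructure-as-code approach described above, as an added example that is not Cisco IT’s tooling: the desired firewall policy lives in data, a planner diffs it against what is deployed, and a gate refuses change sets that are too broad or too large before anything is pushed. The rule names, subnets, guardrail thresholds and the ACL-like rendering syntax are hypothetical.

```python
"""Infrastructure-as-code style firewall policy with a pre-apply safety gate.

Added example, not Cisco IT's tooling: the rule names, subnets and the
guardrail thresholds below are constructed for illustration. Desired
state lives in data (the source of truth), a planner diffs it against
what is currently deployed, and a gate refuses changes that are too
broad or too large before anything is pushed to a device.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR
    dst: str      # CIDR
    dport: str    # TCP/UDP port as a string, or "any"
    action: str   # "permit" or "deny"


def validate_rule(rule):
    """Return a list of guardrail violations for one rule (empty = acceptable)."""
    problems = []
    try:
        src = ipaddress.ip_network(rule.src)
        dst = ipaddress.ip_network(rule.dst)
    except ValueError as exc:
        return [f"{rule.name}: bad CIDR ({exc})"]
    if rule.action not in ("permit", "deny"):
        problems.append(f"{rule.name}: unknown action {rule.action!r}")
    if rule.action == "permit":
        # A permit from anywhere to anywhere is exactly the typo-free mistake
        # automation would push everywhere at once, so it never passes the gate.
        if src.prefixlen == 0 and dst.prefixlen == 0:
            problems.append(f"{rule.name}: permit any -> any is not allowed")
        # "any port" permits must be scoped to a small destination block.
        if rule.dport == "any" and dst.prefixlen < 24:
            problems.append(f"{rule.name}: permit on any port to {rule.dst} is too broad")
    return problems


def plan(current, desired):
    """Diff desired state against deployed state, keyed by rule name."""
    cur = {r.name: r for r in current}
    des = {r.name: r for r in desired}
    adds = [des[n] for n in des if n not in cur]
    removes = [cur[n] for n in cur if n not in des]
    changes = [des[n] for n in des if n in cur and des[n] != cur[n]]
    return adds, removes, changes


def gate(current, desired, max_changes=10):
    """Validate desired state and the size of the change set before applying.

    Returns (violations, (adds, removes, changes)). An empty violation list
    means the change set may be rendered and pushed.
    """
    violations = [p for r in desired for p in validate_rule(r)]
    adds, removes, changes = plan(current, desired)
    total = len(adds) + len(removes) + len(changes)
    if total > max_changes:
        violations.append(f"change set touches {total} rules (> {max_changes}); split it up")
    return violations, (adds, removes, changes)


def render(rule):
    """Render one rule in a generic ACL-like line (hypothetical syntax)."""
    port = "" if rule.dport == "any" else f" eq {rule.dport}"
    return f"{rule.action} ip {rule.src} {rule.dst}{port}"


# Constructed sample state: what is deployed today, and two candidate desired states.
CURRENT_RULES = [
    Rule("web-in", "0.0.0.0/0", "10.10.1.0/24", "443", "permit"),
    Rule("db-from-web", "10.10.1.0/24", "10.10.2.5/32", "5432", "permit"),
]
# A partner onboarding done in a hurry: "just open it up for now".
DESIRED_BAD = CURRENT_RULES + [Rule("partner-x", "0.0.0.0/0", "0.0.0.0/0", "any", "permit")]
# The same onboarding scoped to the partner's block and the one service they need.
DESIRED_OK = CURRENT_RULES + [Rule("partner-x", "198.51.100.0/24", "10.10.3.10/32", "443", "permit")]

if __name__ == "__main__":
    for label, desired in (("bad", DESIRED_BAD), ("ok", DESIRED_OK)):
        violations, (adds, removes, changes) = gate(CURRENT_RULES, desired)
        print(f"[{label}] violations: {violations or 'none'}")
        if not violations:
            for r in adds:
                print("  +", render(r))
            for r in removes:
                print("  -", render(r))
```

The change-set size limit is the blast-radius control: a desired-state file that accidentally drops every rule would otherwise be applied as faithfully as a correct one. The same gate can run in a pull-request check, so the review happens on the data before any controller touches a device.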
When most applications and data lived in our data centers, it made sense to route network requests from branches and employees’ home offices to the data center. We built a platform for connectivity and security that we deployed on-premises, called CloudPort. But with a hybrid workforce and growing use of cloud services, routing all requests through the data center burdens the network and can negatively affect the user experience.
Today we’re moving network aggregation and security to the cloud edge—closer to cloud workloads and SaaS providers. We’re starting to use services like Secure Access Service Edge (SASE) in conjunction with “as-a-service” providers for middle-mile connectivity. The cloud edge will help us adapt to new traffic patterns and security needs, while also reducing our operating costs by using as-a-service consumption models.
A traditional WAN can’t keep up with the new cloud edge. Our current approach has two limitations. First, not all traffic needs to be secured with an on-premises firewall. As we continue to migrate more applications to the cloud, it doesn’t make sense to bring everything over the private WAN to the on-premises network. Second, our backup WAN links are expensive and often underutilized.
SD-WAN technology helps us use the internet more effectively, lowering overall costs. A centralized controller makes intelligent policy decisions—for example, when to route traffic over our MPLS network, and when to use the internet path. Some SaaS applications will use the SD-WAN Cloud OnRamp directly from the internet path, and cloud-hosted applications will use SASE. A centralized controller also simplifies network automation and keeps policy consistent in all locations.
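The path-selection decision described above (MPLS versus internet, chosen per application against its SLA), as an added example that is not Cisco SD-WAN controller code. The SLA classes, thresholds and link telemetry are constructed; a real controller measures loss, latency and jitter continuously and re-runs a selection like this whenever the measurements change.

```python
"""Application-aware SD-WAN path selection against per-application SLAs.

Added example, not Cisco SD-WAN controller code. The SLA classes, the
thresholds and the link telemetry are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class LinkStats:
    transport: str      # "mpls" or "internet"
    loss_pct: float
    latency_ms: float
    jitter_ms: float


@dataclass
class Sla:
    loss_pct: float
    latency_ms: float
    jitter_ms: float
    preferred: tuple    # transports in order of preference


# Hypothetical SLA classes. Trusted SaaS prefers the direct internet path
# (the Cloud OnRamp pattern); real-time traffic prefers the private path.
SLA_CLASSES = {
    "voice": Sla(loss_pct=1.0, latency_ms=150, jitter_ms=30, preferred=("mpls", "internet")),
    "saas": Sla(loss_pct=3.0, latency_ms=250, jitter_ms=60, preferred=("internet", "mpls")),
    "bulk": Sla(loss_pct=5.0, latency_ms=400, jitter_ms=100, preferred=("internet", "mpls")),
}


def meets_sla(link, sla):
    return (link.loss_pct <= sla.loss_pct
            and link.latency_ms <= sla.latency_ms
            and link.jitter_ms <= sla.jitter_ms)


def select_path(app_class, links):
    """Return (transport, reason).

    The first preferred transport that currently meets the SLA wins. If none
    does, traffic is still forwarded over the least-bad link and the reason
    says so, so an operator (or an AIOps rule) can see the SLA breach.
    """
    sla = SLA_CLASSES[app_class]
    by_name = {l.transport: l for l in links}
    for name in sla.preferred:
        link = by_name.get(name)
        if link is not None and meets_sla(link, sla):
            return name, "sla-met"
    fallback = min(links, key=lambda l: (l.loss_pct, l.latency_ms, l.jitter_ms))
    return fallback.transport, "sla-breach"


# Constructed telemetry samples.
HEALTHY = [LinkStats("mpls", 0.1, 40, 5), LinkStats("internet", 0.5, 60, 12)]
MPLS_DEGRADED = [LinkStats("mpls", 2.5, 120, 45), LinkStats("internet", 0.5, 60, 12)]
BOTH_BAD = [LinkStats("mpls", 4.0, 300, 80), LinkStats("internet", 6.0, 200, 90)]

if __name__ == "__main__":
    for label, links in (("healthy", HEALTHY), ("mpls degraded", MPLS_DEGRADED), ("both bad", BOTH_BAD)):
        for app in SLA_CLASSES:
            print(f"{label:14} {app:6} -> {select_path(app, links)}")
```

Note the "sla-breach" outcome: the selector never stops forwarding, it just stops claiming the SLA is met. Surfacing that state is what lets a rules-based or ML-based controller act on it later, as the AIOps loop above describes.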
Our multicloud environment includes our on-premises private cloud and the third-party clouds we use for IaaS, PaaS, and SaaS. We want business teams to have the flexibility to deploy applications in whatever cloud environment makes the most sense for their use case.
We’ve enabled software-defined networking (SDN) for our private cloud using Cisco Application Centric Infrastructure (ACI). Through automation, applications in public clouds can connect to databases or infrastructure services in our private cloud. In the future, applications running in our private cloud will replicate automatically to the public cloud when they need more resources—for example, at quarter end.
People and devices connect to our network from around the world. We want to define access policies once, manage them centrally, and enforce them everywhere. In our future network, we’ll continually verify identity and device status after a connection has been established. (Just because we trust a user or device when it connects doesn’t mean we should trust it for the duration of the connection.) We’ll also use microsegmentation to tightly control which users and devices can connect to which resources, limiting the spread of any threats that manage to get past our defenses. In combination, continual user and device authentication and microsegmentation are the basis of our zero-trust framework.
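The two mechanisms just described (continual re-verification of identity and device state after connect, and microsegmentation between users and resources) combined in one policy decision point, as an added example that is not Cisco IT’s implementation. The groups, segments, ports, posture attributes and the re-check cadence are constructed for illustration.

```python
"""Continuous verification plus microsegmentation in a zero-trust policy engine.

Added example, not Cisco IT's implementation. The groups, segments, ports,
posture attributes and the re-check cadence are constructed for
illustration. The point: the access decision is a function of identity,
current device state and a segment rule, and it is evaluated again at
every re-check interval of the session, not just at connect time.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Principal:
    user: str
    groups: frozenset
    device_id: str


@dataclass(frozen=True)
class Posture:
    managed: bool
    disk_encrypted: bool
    edr_healthy: bool
    os_patched: bool


# Microsegmentation policy: (group, segment) -> ports that group may reach.
# Anything not listed is denied; "any" is a group every authenticated user is in.
SEGMENT_POLICY = {
    ("finance", "erp-db"): frozenset({5432}),
    ("eng", "ci"): frozenset({22, 443}),
    ("any", "collab"): frozenset({443}),
}


def posture_ok(p):
    return p.managed and p.disk_encrypted and p.edr_healthy and p.os_patched


def decide(principal, posture, segment, port):
    """Policy decision point: identity, device state and segment rule must all pass."""
    if not posture_ok(posture):
        return False, "device posture failed"
    for group in sorted(principal.groups) + ["any"]:
        allowed = SEGMENT_POLICY.get((group, segment))
        if allowed is not None and port in allowed:
            return True, f"{group} -> {segment}:{port}"
    return False, f"no segment rule for {segment}:{port}"


def run_session(principal, segment, port, posture_timeline):
    """Evaluate a session at connect time and at each re-check.

    posture_timeline is the device posture observed at each interval. Returns
    the list of (allowed, reason) decisions; once a re-check fails the session
    is torn down and no further intervals are evaluated.
    """
    decisions = []
    for posture in posture_timeline:
        ok, why = decide(principal, posture, segment, port)
        decisions.append((ok, why))
        if not ok:
            break
    return decisions


# Constructed scenario: an engineer's laptop passes at connect time, then its
# EDR agent stops reporting two intervals later.
ENGINEER = Principal("alice", frozenset({"eng"}), "laptop-42")
GOOD = Posture(managed=True, disk_encrypted=True, edr_healthy=True, os_patched=True)
EDR_DOWN = replace(GOOD, edr_healthy=False)
TIMELINE = [GOOD, GOOD, EDR_DOWN, GOOD]

if __name__ == "__main__":
    for i, (ok, why) in enumerate(run_session(ENGINEER, "ci", 443, TIMELINE)):
        print(f"t={i}: {'ALLOW' if ok else 'DENY '} ({why})")
    # A lateral move from the engineering segment to the finance database is
    # blocked by segmentation even though identity and posture are fine.
    print(decide(ENGINEER, GOOD, "erp-db", 5432))
```

Two things worth noticing: the session that was legitimately admitted at t=0 is torn down at t=2 because the decision is recomputed rather than cached, and the healthy posture at t=3 is never consulted because a new connection, not a resumed one, is required. Segmentation is the second independent check: a valid user on a healthy device still cannot reach a segment with no rule for its group.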
Imagine a couple hundred offices suddenly expanding to thousands of home offices. This is what our network team experienced at the onset of the pandemic. We also had to grapple with the fact that Cisco employees’ home networks were also used by their family members and roommates.
To adapt to these changes, we’re bringing the network closer to our users with enterprise-class home networking. This includes fast Wi-Fi 6 connectivity, SD-WAN-based transport, and cloud-based security. We’re aiming to deliver the same great experience and highly secure access to people working from home, on any device, that they now have in the office. Employees will manage their home networks themselves using a cloud-based platform. That platform will bring in more insights about the user experience from another cloud service, ThousandEyes.
That’s the CliffsNotes version of the future network architecture. Check back for follow-up blogs that explain more about each element described here.
What would you like to see in a future network? Please type in the comment box.