DNA Center Demo

Cisco recently announced DNA Center, the SDN controller for the campus network. This is a new evolution in networking: everything is driven by policy derived from a business need, rather than by manually configuring the network based on IP addresses. Below I’ll show some highlights of DNA Center (DNAC).

Using DNA Center provides an easy way of doing end-to-end network segmentation. It simplifies network operations by providing a single point of orchestration for network devices and giving users a consistent experience no matter how they connect (wired or wireless).

Home screen of DNA Center. Here you can choose where to go next. On the top row we see the new features that are part of DNAC – Design, Policy and Provision. On the bottom row we see familiar apps that are part of APIC-EM.

Design 

In Design we have the ability to set up Regions, Sites, Buildings and Floors, along with network settings such as DHCP, DNS, AAA, etc. and network profiles, such as wireless settings.

Network Hierarchy

On a floor you can upload an image, CAD drawing, etc., and once APs are added into DNAC you can place them on the map.

Network Services (settings)

Here we can configure authentication (AAA), DHCP, DNS and other services as needed. These settings can be applied globally and are inherited by all child folders.

2 RADIUS servers added, 1 DHCP server and 1 DNS server with domain name

To override these settings, click the folder you want and click Add Servers.

IP Address Pools

Create or reserve IP pools. This can sync with an IP Address Management (IPAM) tool. The demo does not have an IPAM included, so I’ll add an IP pool within DNAC.

Wireless

In DNAC we can configure SSIDs for the fabric. I’ll create an SSID that will be available across all locations.

Network Profiles

Here’s where we can associate an SSID with a location, site, etc. Profiles can contain a group of SSIDs.

After the Network Profile is created, we can assign it to sites. Below we assign it to USA sites only.

Policy

Now that our basic network design is set up we want to add policy to the network. Policy determines who can talk to what. We do this by creating virtual networks, defining policy within a virtual network and creating contracts, all of which I’ll go into in more detail.

Virtual Network

Virtual Networks are created by pulling in ISE groups. ISE places users and servers into groups. ISE and DNAC communicate using pxGrid. Below we’ll configure a few virtual networks and assign ISE groups to them. A Virtual Network can be thought of as a VRF: Virtual Networks will not talk with each other unless you bring the traffic out of the fabric.

Corporate VN that includes 4 groups

Guest VN that only contains guests

IOT VN with HVAC, Lights, Cameras and Quarantine, to be used in the Policy Administration example shown in the next section

Policy Administration

In Policy Administration we can define access rules for how groups within a Virtual Network can communicate with each other. In the ecosystem of DNAC, ISE and Stealthwatch all working together, we can have a lot of automation happen in the background for us. For example, let’s say Stealthwatch finds a machine in IOT that isn’t behaving the same way anymore and seems to be infected: ISE can move that device from its original group into Quarantine and block it from communicating with other IOT devices until it has been remediated. By default we have a basic permit and deny, but within contracts we can get more granular.

By default ACLs are applied in 1 direction, so we’ll want to ensure we block both directions of traffic. We’ll create 2 rules as shown below.

Block IOT to Quarantine

Block Quarantine to IOT
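
To make the two points above concrete (VNs are isolated from each other, and group-to-group rules only cover one direction), here is a small Python model of the policy as this demo describes it. It is an added example, not DNA Center code or its API: the IOT and Guest group names come from the captions, the four Corporate group names are constructed placeholders, and the evaluation order (VN isolation first, then the first matching rule, then the default) is an assumption. The `asymmetric_denies` check flags exactly the gap that adding only one of the two rules would leave.

```python
"""Simplified model of DNA Center group-based policy.

Added example, not DNA Center code or its API. Virtual-network and group
names follow the demo captions; the Corporate group names are constructed
placeholders and the evaluation order is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Virtual networks (VRF-like) and the ISE groups placed into each of them.
VIRTUAL_NETWORKS: Dict[str, Set[str]] = {
    "Corporate": {"Corp-Group-1", "Corp-Group-2", "Corp-Group-3", "Corp-Group-4"},  # constructed names
    "Guest": {"Guests"},
    "IOT": {"HVAC", "Lights", "Cameras", "Quarantine"},
}


def vn_of(group: str) -> str:
    """Return the virtual network a group belongs to."""
    for vn, groups in VIRTUAL_NETWORKS.items():
        if group in groups:
            return vn
    raise KeyError(f"unknown group: {group}")


@dataclass
class Rule:
    src: str     # source group
    dst: str     # destination group
    action: str  # "permit" or "deny"


@dataclass
class Policy:
    rules: List[Rule] = field(default_factory=list)
    default_action: str = "permit"  # inside a VN, traffic is permitted unless a rule denies it

    def add(self, src: str, dst: str, action: str) -> None:
        self.rules.append(Rule(src, dst, action))

    def evaluate(self, src: str, dst: str) -> str:
        """Decide one direction of traffic: src group -> dst group."""
        if vn_of(src) != vn_of(dst):
            return "isolated"  # different VNs never talk inside the fabric
        for rule in self.rules:  # each rule is unidirectional, like the ACLs in the demo
            if rule.src == src and rule.dst == dst:
                return rule.action
        return self.default_action


def asymmetric_denies(policy: Policy) -> List[Tuple[str, str]]:
    """List deny rules whose reverse direction is still permitted."""
    return [
        (r.src, r.dst)
        for r in policy.rules
        if r.action == "deny" and policy.evaluate(r.dst, r.src) == "permit"
    ]


def quarantine(policy: Policy, vn: str, quarantine_group: str) -> None:
    """Add deny rules in both directions between the quarantine group and every peer in its VN."""
    for peer in sorted(VIRTUAL_NETWORKS[vn] - {quarantine_group}):
        policy.add(peer, quarantine_group, "deny")   # "Block IOT to Quarantine"
        policy.add(quarantine_group, peer, "deny")   # "Block Quarantine to IOT"


def demo() -> Dict[str, object]:
    """Show the one-way gap, then the corrected two-way policy."""
    policy = Policy()
    policy.add("HVAC", "Quarantine", "deny")          # only one direction so far
    one_way = asymmetric_denies(policy)               # -> [("HVAC", "Quarantine")]
    policy = Policy()
    quarantine(policy, "IOT", "Quarantine")
    return {
        "one_way_gap": one_way,
        "after_fix": asymmetric_denies(policy),                             # -> []
        "cameras_to_quarantine": policy.evaluate("Cameras", "Quarantine"),  # -> "deny"
        "quarantine_to_cameras": policy.evaluate("Quarantine", "Cameras"),  # -> "deny"
        "hvac_to_lights": policy.evaluate("HVAC", "Lights"),                # -> "permit"
        "hvac_to_guests": policy.evaluate("HVAC", "Guests"),                # -> "isolated"
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` reports the single one-way rule as a gap, and an empty gap list once `quarantine()` has written the paired rules; the cross-VN lookup comes back as `isolated` rather than `permit`, which is why the check does not flag it.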

Contracts

Contracts are used if you need something more defined than a complete permit or deny of traffic.


Provision

Provision allows you to add devices to the sites created in Design and start building your campus fabric.

Choose devices to provision and add to the SJC site

Now that the devices are assigned to SJC we’ll want to provision them. Provisioning the devices applies the network settings set up during Design.

Fabric

Now that the devices are provisioned we can start building the fabric. A fabric is an overlay network that makes the campus behave like a single switch.

I'll create a new fabric for the demo

Fabric Terminology

  • Edge Node – access layer of the network, where devices connect
  • Border Node – device that connects outside of the fabric, ex: WAN edge
  • Control Plane Node – Tracks where hosts are located within the fabric

The fabric requires at least 1 of each node type to be set up. The Border and Control Plane node can be the same device. Devices not configured in the fabric are intermediate nodes, which only require IP connectivity within the campus: they play no role in the fabric, see fabric-encapsulated traffic as normal IP, and forward it based on normal routing.

Add device as Control Plane and Border Node

We need to pick which routing protocol the border node uses to talk outside of the fabric. The Control Plane node does not require any special configuration.

Add access switch as Edge Node

Devices in fabric turn from grey to blue
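
The role rules from the Fabric Terminology section and the steps just shown (a device that is both Border and Control Plane, an access switch as Edge, a routing protocol chosen for the border) lend themselves to a quick consistency check before a fabric is committed. The Python below is an added example, not DNA Center code or its API: the device names, the `Device` class and its `routing_protocol` attribute are constructed for illustration.

```python
"""Sanity check of a fabric role assignment, following the rules stated in
the Fabric Terminology section. Added example, not DNA Center code or its
API; device names and the Device class are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

ROLES = {"edge", "border", "control_plane"}


@dataclass
class Device:
    roles: Set[str] = field(default_factory=set)   # empty set = intermediate node
    routing_protocol: Optional[str] = None          # only border nodes need one


def validate_fabric(devices: Dict[str, Device]) -> List[str]:
    """Return a list of problems; an empty list means the fabric is consistent."""
    problems: List[str] = []
    for name, dev in devices.items():
        unknown = dev.roles - ROLES
        if unknown:
            problems.append(f"{name}: unknown role(s) {sorted(unknown)}")
        # A border node talks outside the fabric, so it needs a routing protocol.
        if "border" in dev.roles and not dev.routing_protocol:
            problems.append(f"{name}: border node needs a routing protocol")
    # At least one of each role; a device may hold several roles (border + control plane).
    for role in sorted(ROLES):
        if not any(role in dev.roles for dev in devices.values()):
            problems.append(f"fabric has no {role} node")
    return problems


def intermediate_nodes(devices: Dict[str, Device]) -> List[str]:
    """Devices with no fabric role: they just need IP reachability within the campus."""
    return sorted(name for name, dev in devices.items() if not dev.roles)


# Constructed topology mirroring the demo: one device as Border + Control Plane,
# one access switch as Edge, and a distribution switch left out of the fabric.
DEMO_FABRIC: Dict[str, Device] = {
    "core-1": Device({"border", "control_plane"}, routing_protocol="BGP"),  # constructed choice
    "access-1": Device({"edge"}),
    "dist-1": Device(),
}


if __name__ == "__main__":
    print("problems:", validate_fabric(DEMO_FABRIC) or "none")
    print("intermediate nodes:", intermediate_nodes(DEMO_FABRIC))
```

With the constructed topology the check passes and reports `dist-1` as the only intermediate node; drop the edge device or leave the border's routing protocol unset and the corresponding problem is listed.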

Host Onboarding

Here is how we tell the fabric how to handle hosts connecting into it.

Adding a new IP Address Pool. The ones created in Design could be used; this also shows that pools can be created here as well, and the different authentication methods we can use.

This new IP Pool gets assigned to the fabric and will be used by the corporate virtual network
