Cisco recently announced DNA Center, the SDN controller for the campus network. This is a new evolution in networking: everything is driven by policy derived from a business need rather than manually configuring the network based on IP addresses. Below I'll show some highlights of DNA Center (DNAC).
Using DNA Center provides an easy way of doing end to end network segmentation. It simplifies network operations by bringing a single point of orchestration for network devices and giving a consistent experience for users no matter how they connect (wired or wireless).
In Design we have the ability to set up Regions, Sites, Buildings and Floors, along with network settings such as DHCP, DNS, AAA, etc. and network profiles, such as wireless settings.
Network Services (settings)
Here we can configure authentication (AAA), DHCP, DNS, along with other things as needed. These settings can be applied globally and are inherited by all child folders.
To override, click the folder you want and click Add Servers.
IP Address Pools
Create or reserve IP pools. This can sync with an IP Address Management (IPAM) tool. The demo does not have an IPAM included, so I'll add an IP pool within DNAC.
In DNAC we can configure SSIDs for the fabric. I'll create an SSID that will be available across all locations.
Here's where we can associate an SSID with a location, site, etc. Profiles can contain a group of SSIDs.
After the Network Profile is created, we can assign it to sites. Below we assign it to USA sites only.
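The Design steps above (site hierarchy, global settings inherited by child folders with per-folder overrides, IP pool reservation, and a network profile assigned to USA sites only) can be modelled to check the result before touching the controller. The following is an added example, not DNAC code; the site names, server addresses and pool CIDRs are constructed sample values.

```python
"""Site hierarchy with inherited settings, overrides, profiles and IP pool reservations.
Added example (not DNA Center code); all names and addresses are constructed."""
import ipaddress


class Site:
    """One node of the Global > Region > Site > Building > Floor hierarchy."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.children = []
        self.settings = {}      # values set directly here (overrides for this subtree)
        self.profiles = set()   # network profiles (groups of SSIDs) assigned here
        if parent is not None:
            parent.children.append(self)

    def path(self):
        if self.parent is None:
            return self.name
        return self.parent.path() + "/" + self.name

    def resolve(self, key):
        """Nearest explicit value wins; otherwise walk up the tree and inherit."""
        node = self
        while node is not None:
            if key in node.settings:
                return node.settings[key], node.name
            node = node.parent
        return None, None

    def effective_profiles(self):
        """Profiles assigned to this node or any ancestor (e.g. 'USA sites only')."""
        found, node = set(), self
        while node is not None:
            found |= node.profiles
            node = node.parent
        return found


class IPPoolManager:
    """Global pools plus per-site reservations carved out of them."""

    def __init__(self):
        self.pools = {}          # pool name -> ip_network
        self.reservations = []   # (pool name, site path, ip_network)

    def add_pool(self, name, cidr):
        self.pools[name] = ipaddress.ip_network(cidr)

    def reserve(self, pool, site, cidr):
        """A reservation must sit inside its pool and not overlap an earlier one."""
        block = ipaddress.ip_network(cidr)
        if not block.subnet_of(self.pools[pool]):
            raise ValueError(f"{block} is outside pool {pool} ({self.pools[pool]})")
        for name, _, existing in self.reservations:
            if name == pool and existing.overlaps(block):
                raise ValueError(f"{block} overlaps existing reservation {existing}")
        self.reservations.append((pool, site.path(), block))
        return block


def try_reserve(pools, pool, site, cidr):
    """Report a rejected reservation instead of raising (handy for a design review)."""
    try:
        return "reserved " + str(pools.reserve(pool, site, cidr))
    except ValueError as exc:
        return "rejected: " + str(exc)


def build_design():
    """Constructed sample hierarchy: global settings, one SJC override, USA-only profile."""
    glob = Site("Global")
    usa = Site("USA", glob)
    emea = Site("EMEA", glob)
    sjc = Site("SJC", usa)
    bldg = Site("Building-1", sjc)
    glob.settings.update({"dns": "10.0.0.53", "dhcp": "10.0.0.67", "aaa": "10.0.0.10"})
    sjc.settings["dhcp"] = "10.1.0.67"        # site-level override, inherited by Building-1
    usa.profiles.add("corp-wireless")          # profile assigned to USA, not to EMEA
    pools = IPPoolManager()
    pools.add_pool("campus", "10.10.0.0/16")
    pools.reserve("campus", sjc, "10.10.1.0/24")
    return {"global": glob, "usa": usa, "emea": emea, "sjc": sjc, "bldg": bldg, "pools": pools}


if __name__ == "__main__":
    d = build_design()
    for key in ("dns", "dhcp", "aaa"):
        print(d["bldg"].path(), key, d["bldg"].resolve(key))
    print("EMEA profiles:", d["emea"].effective_profiles())
    print("Building-1 profiles:", d["bldg"].effective_profiles())
    print(try_reserve(d["pools"], "campus", d["emea"], "10.10.1.128/25"))
```

Running it shows Building-1 picking up the SJC DHCP override while still inheriting DNS and AAA from Global, EMEA getting no wireless profile, and the overlapping reservation being rejected.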
Now that our basic network design is set up, we want to add policy to our network. Policy helps determine who can talk to what. We do this by creating virtual networks, defining policy within a virtual network and creating contracts, all of which I'll go into in more detail below.
Virtual Networks are created by pulling in ISE groups. ISE places users and servers into groups; ISE and DNAC communicate using pxGrid. Below we'll configure a few virtual networks and assign ISE groups to them. A Virtual Network can be thought of like a VRF: Virtual Networks will not talk with each other unless you bring the traffic out of the fabric.
In policy administration we can define access rules for how groups within a Virtual Network can communicate with each other. In the ecosystem of DNAC, ISE and Stealthwatch all working together we can have a lot of automation happen in the background for us. For example, let's say Stealthwatch finds a machine in IOT isn't behaving the same way anymore and seems to be infected. ISE can move that device from its original group into Quarantine and block it from communicating with other IOT devices until it has been remediated. By default we have basic permit and deny, but within contracts we can get more granular.
By default ACLs are applied in 1 direction, so we'll want to ensure we block both directions of traffic. We'll create 2 rules as shown below.
Contracts are used if you need something more defined than a complete permit or deny of traffic.
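To make the policy pieces above concrete (virtual networks isolating groups like VRFs, group-to-group permit/deny, a contract that permits only specific ports, and the need for two rules because a rule covers one direction), here is an added example written for this post; it is not DNAC or ISE code. The virtual networks, groups and host names are constructed, and the `quarantine` function only mimics the Stealthwatch/ISE workflow described above.

```python
"""Group-based access policy model: virtual networks, group rules, contracts, and the
one-direction-per-rule caveat. Added example, not DNA Center or ISE code; all names
are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str    # source host
    dst: str    # destination host
    proto: str  # "tcp", "udp" or "icmp"
    port: int   # destination port (0 for icmp)


@dataclass
class Contract:
    """Granular rules for one src-group -> dst-group pair: (proto, port or None, action)."""
    name: str
    rules: list = field(default_factory=list)
    default: str = "deny"

    def decide(self, flow):
        for proto, port, action in self.rules:
            if proto == flow.proto and (port is None or port == flow.port):
                return action
        return self.default


class Policy:
    def __init__(self, default="permit"):
        self.vn_of_group = {}    # group -> virtual network
        self.group_of_host = {}  # host -> group (the mapping ISE would supply)
        self.rules = {}          # (src_group, dst_group) -> "permit" | "deny" | Contract
        self.default = default

    def add_group(self, group, vn):
        self.vn_of_group[group] = vn

    def assign(self, host, group):
        self.group_of_host[host] = group

    def set_rule(self, src, dst, action):
        """A rule covers one direction only (src group -> dst group)."""
        self.rules[(src, dst)] = action

    def set_rule_both(self, src, dst, action):
        """Install the pair of rules needed to cover both directions."""
        self.set_rule(src, dst, action)
        self.set_rule(dst, src, action)

    def decide(self, flow):
        sg, dg = self.group_of_host[flow.src], self.group_of_host[flow.dst]
        # Groups in different virtual networks never talk inside the fabric (VRF-style isolation)
        if self.vn_of_group[sg] != self.vn_of_group[dg]:
            return "deny"
        action = self.rules.get((sg, dg), self.default)
        return action.decide(flow) if isinstance(action, Contract) else action


def build_policy():
    """Constructed sample: two virtual networks, four groups, one contract."""
    p = Policy(default="permit")
    p.add_group("Employees", "Campus")
    p.add_group("Servers", "Campus")
    p.add_group("IOT_Devices", "IOT")
    p.add_group("Quarantine", "IOT")
    p.assign("laptop-1", "Employees")
    p.assign("web-1", "Servers")
    p.assign("camera-1", "IOT_Devices")
    p.assign("camera-2", "IOT_Devices")
    # Contract: employees may reach servers on HTTPS only, everything else denied
    p.set_rule("Employees", "Servers", Contract("emp-to-srv", [("tcp", 443, "permit")]))
    return p


def quarantine(policy, host, one_direction_only=False):
    """Mimic the workflow in the post: a misbehaving host is moved to Quarantine and a
    deny between Quarantine and IOT_Devices is installed."""
    policy.assign(host, "Quarantine")
    if one_direction_only:
        policy.set_rule("Quarantine", "IOT_Devices", "deny")   # the gap: reverse direction still permitted
    else:
        policy.set_rule_both("Quarantine", "IOT_Devices", "deny")
    return policy


if __name__ == "__main__":
    p = quarantine(build_policy(), "camera-1", one_direction_only=True)
    print("camera-1 -> camera-2:", p.decide(Flow("camera-1", "camera-2", "udp", 5000)))
    print("camera-2 -> camera-1:", p.decide(Flow("camera-2", "camera-1", "udp", 5000)))
```

With `one_direction_only=True` the quarantined camera cannot initiate traffic to its old group, but the other cameras can still reach it; `set_rule_both` is the two-rule fix the post calls for.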
Provision allows you to add devices to the sites created in Design and start building your campus fabric.
Now that the devices are assigned to SJC, we'll want to provision them. Provisioning the devices applies the network settings set up during Design.
Now that the devices are provisioned we can start building the fabric. A fabric is an overlay network that simulates a single switch. It is built from three node types:
- Edge Node – access layer of the network, where devices connect
- Border Node – device that connects outside of the fabric, ex: WAN edge
- Control Plane Node – Tracks where hosts are located within the fabric
A fabric requires at least 1 of each node type to be set up. The Border and Control Plane nodes can be the same device. Devices not configured in the fabric are intermediate nodes, which require IP connectivity within the campus. Intermediate nodes play no role in the fabric; they see fabric-encapsulated traffic as normal IP and forward it based on normal routing.
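The node-type rules above (at least one Edge, Border and Control Plane node; Border and Control Plane may share a device; intermediate nodes only need underlay IP reachability) are easy to check before provisioning. The following validator is an added example and not DNAC code; the device names and links are a constructed sample design.

```python
"""Fabric design validation and underlay path check. Added example, not DNA Center code;
device names and links are constructed."""
from collections import deque

FABRIC_ROLES = {"edge", "border", "control_plane"}


def build_adjacency(devices, links):
    """Undirected underlay graph; every known device gets an entry even if unlinked."""
    adj = {d: set() for d in devices}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def shortest_paths(adj, src):
    """BFS over the underlay: shortest hop path from src to every reachable device."""
    paths = {src: [src]}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        for nxt in sorted(adj.get(cur, ())):
            if nxt not in paths:
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return paths


def validate_fabric(roles, links):
    """roles: device -> set of fabric roles (empty set = intermediate node).
    links: (a, b) underlay adjacencies. Returns a list of problems, empty when the design passes."""
    problems = []
    present = set().union(*roles.values()) if roles else set()
    for role in sorted(FABRIC_ROLES - present):
        problems.append(f"no device has the {role} role")
    for dev, rs in sorted(roles.items()):
        for role in sorted(rs - FABRIC_ROLES):
            problems.append(f"{dev}: unknown role {role}")
    # Fabric nodes must reach each other over the underlay, possibly through intermediates
    adj = build_adjacency(roles, links)
    fabric_nodes = sorted(d for d, rs in roles.items() if rs)
    for src in fabric_nodes:
        reachable = shortest_paths(adj, src)
        for dst in fabric_nodes:
            if dst not in reachable:
                problems.append(f"{src} cannot reach {dst} over the underlay")
    return problems


def intermediate_hops(roles, links, src, dst):
    """Devices with no fabric role on the underlay path src -> dst. They forward the
    encapsulated traffic as ordinary IP and never see the overlay. None if unreachable."""
    paths = shortest_paths(build_adjacency(roles, links), src)
    if dst not in paths:
        return None
    return [hop for hop in paths[dst][1:-1] if not roles.get(hop)]


# Constructed sample design: two edges, one core acting as both border and control plane,
# and a distribution switch that is not part of the fabric (intermediate node).
SAMPLE_ROLES = {
    "edge-1": {"edge"},
    "edge-2": {"edge"},
    "core-1": {"border", "control_plane"},
    "dist-1": set(),
}
SAMPLE_LINKS = [("edge-1", "dist-1"), ("edge-2", "dist-1"), ("dist-1", "core-1")]

if __name__ == "__main__":
    print("problems:", validate_fabric(SAMPLE_ROLES, SAMPLE_LINKS))
    print("intermediates edge-1 -> edge-2:",
          intermediate_hops(SAMPLE_ROLES, SAMPLE_LINKS, "edge-1", "edge-2"))
```

Dropping the `edge-2` link or removing the border role from `core-1` makes `validate_fabric` report the gap, and `intermediate_hops` shows that `dist-1` carries edge-to-edge traffic without being a fabric node.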
Here is how we tell the fabric how to handle hosts connecting into the fabric.
Adding a new IP Address Pool. The ones we created in Design could be used, but this shows that we can create one here as well, along with the different authentication methods we can use.