Cisco recently announced DNA Center, the SDN controller for the campus network. It is a new evolution in networking: everything is driven by policy derived from a business need, instead of the network being configured manually based on IP addresses. Below I'll show some highlights of DNA Center (DNAC).
Using DNA Center provides an easy way of doing end-to-end network segmentation. It simplifies network operations by providing a single point of orchestration for network devices and a consistent experience for users no matter how they connect (wired or wireless).

Home screen of DNA Center. Here you can choose where to go for further detail. On the top row we see the new features that are part of DNAC: Design, Policy and Provision. On the bottom row we see familiar apps carried over from APIC-EM.
Design
In Design we have the ability to set up Regions, Sites, Buildings and Floors, along with network settings such as DHCP, DNS, AAA, etc., and network profiles, such as wireless settings.

Network Hierarchy

On a floor you can upload an image, CAD drawing, etc., and once APs are added into DNAC you can place them on the map.
Network Services (settings)
Here we can configure authentication (AAA), DHCP, DNS and other settings as needed. These settings are applied globally and are inherited by all child folders (sites, buildings and floors) that do not override them.

2 RADIUS servers added, 1 DHCP server and 1 DNS server with domain name
To override a setting at a lower level of the hierarchy, click the folder you want and click Add Servers.
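The inheritance rule above (a child folder uses the nearest ancestor's value unless it sets its own) is easy to get wrong when auditing where a site's AAA or DHCP actually points. The following is an added example, not DNA Center code or any API of it: it models the hierarchy as a dictionary of path strings and resolves the effective setting for a site, then lists every folder that overrides the Global value. The paths, server addresses and function names are constructed for the example.

```python
"""Resolve effective network settings in a DNAC-style site hierarchy.

Added example, not DNA Center code. The hierarchy, addresses and helper
names are assumptions for illustration; the rule implemented is the one
the post describes: settings set at Global are inherited by every child
folder unless that folder (or a closer ancestor) overrides them.
"""
from typing import Dict, List, Optional

# Settings configured per hierarchy node; a missing key means "inherit".
# Constructed sample: two RADIUS servers, one DHCP and one DNS server at
# Global, and one site (SJC) overriding DHCP with a local server.
SETTINGS: Dict[str, Dict[str, List[str]]] = {
    "Global": {
        "aaa": ["10.0.0.11", "10.0.0.12"],
        "dhcp": ["10.0.0.20"],
        "dns": ["10.0.0.30"],
    },
    "Global/USA/SJC": {"dhcp": ["10.10.0.20"]},
}


def ancestors(path: str) -> List[str]:
    """Return the node itself and then each parent up to the root.

    'Global/USA/SJC/B1' -> ['Global/USA/SJC/B1', 'Global/USA/SJC',
    'Global/USA', 'Global'].
    """
    parts = path.split("/")
    return ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]


def effective(path: str, key: str,
              settings: Dict[str, Dict[str, List[str]]] = SETTINGS) -> Optional[List[str]]:
    """Value of `key` that applies at `path`: nearest ancestor that sets it wins."""
    for node in ancestors(path):
        value = settings.get(node, {}).get(key)
        if value is not None:
            return value
    return None  # not set anywhere, not even at Global


def overrides(key: str,
              settings: Dict[str, Dict[str, List[str]]] = SETTINGS) -> Dict[str, List[str]]:
    """Folders whose value for `key` differs from Global.

    Useful as an audit: a site overriding 'aaa' is authenticating users
    against RADIUS servers other than the ones approved globally.
    """
    base = settings.get("Global", {}).get(key)
    return {
        node: values[key]
        for node, values in settings.items()
        if node != "Global" and key in values and values[key] != base
    }


if __name__ == "__main__":
    floor = "Global/USA/SJC/Building1/Floor2"
    print("dhcp at", floor, "->", effective(floor, "dhcp"))
    print("aaa at", floor, "->", effective(floor, "aaa"))
    print("folders overriding dhcp:", overrides("dhcp"))
```

Running it shows the SJC floor picking up the site-level DHCP override while still inheriting the Global RADIUS servers; `overrides("aaa")` comes back empty, which is the state you want unless a site has a documented reason to authenticate elsewhere.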
IP Address Pools
Create or reserve IP pools. This can sync with an IP Address Management (IPAM) tool. The demo does not have an IPAM included, so I'll add an IP pool within DNAC.
Wireless
In DNAC we can configure SSIDs for the fabric. I'll create an SSID that will be available across all locations.
Network Profiles
Here's where we can associate an SSID with a location, site, etc. Profiles can contain a group of SSIDs.
After the Network Profile is created, we can assign it to sites. Below we assign it to USA sites only.
Policy
Now that our basic network design is set up we want to add policy to our network. Policy determines who can talk to what. We do this by creating virtual networks, defining policy within a virtual network and creating contracts, all of which I'll go into in more detail.
Virtual Network
Virtual Networks are populated by pulling in ISE groups: ISE places users and servers into groups, and ISE and DNAC exchange that information using pxGrid. Below we'll configure a few virtual networks and assign ISE groups to each. A Virtual Network can be thought of as a VRF: Virtual Networks will not talk to each other unless traffic is brought out of the fabric and routed between them.

Corporate VN that includes 4 groups

Guest VN that only contains guests

IOT VN with HVAC, Lights, Cameras and Quarantine; Quarantine will be used in the Policy Administration example shown in the next section
Policy Administration
In Policy Administration we can define access rules for how groups within a Virtual Network can communicate with each other. With DNAC, ISE and Stealthwatch all working together as one ecosystem, a lot of automation can happen in the background for us. For example, let's say Stealthwatch finds a machine in IOT that is no longer behaving the way it used to and appears to be infected; ISE can move that device from its original group into Quarantine and block it from communicating with other IOT devices until it has been remediated. By default we have basic permit and deny, but within contracts we can get more granular.
By default these group-to-group rules apply in one direction only (source group to destination group), so a single rule would still leave Quarantine free to initiate traffic toward the other IOT groups. We'll want to ensure we block both directions of traffic, so we'll create 2 rules as shown below.

Block IOT to Quarantine

Block Quarantine to IOT
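To make the directional point concrete, here is an added example, not DNA Center code or output: a small model of the group-to-group policy matrix with the groups named in the post. It builds the matrix once with only the first rule and once with both rules, and lists which source/destination pairs involving Quarantine are still permitted. The data structure, the assumption that unlisted pairs default to permit, and the function names are the example's own.

```python
"""Model of directional group-based policy between IOT groups and Quarantine.

Added example, not DNA Center code. Group and rule names follow the post;
the matrix representation, the default-permit assumption and the helper
names are assumptions made for the example.
"""
from typing import Dict, List, Tuple

# Groups in the IOT virtual network as named in the post.
IOT_DEVICE_GROUPS = ["HVAC", "Lights", "Cameras"]
QUARANTINE = "Quarantine"

# Policy matrix: (source group, destination group) -> "permit" or "deny".
# Each entry is directional, like a single cell in the DNAC policy matrix.
PolicyMatrix = Dict[Tuple[str, str], str]

DEFAULT_ACTION = "permit"  # assumption: pairs with no explicit rule are permitted


def action(matrix: PolicyMatrix, src: str, dst: str) -> str:
    """Action applied to traffic initiated by `src` towards `dst`."""
    return matrix.get((src, dst), DEFAULT_ACTION)


def open_directions(matrix: PolicyMatrix, group: str,
                    others: List[str]) -> List[Tuple[str, str]]:
    """Every (src, dst) pair involving `group` that is still permitted.

    Audit helper: an empty list means `group` is isolated from `others`
    in both directions; anything listed is a path still usable by a
    compromised host in `group`.
    """
    gaps: List[Tuple[str, str]] = []
    for other in others:
        if action(matrix, group, other) == "permit":
            gaps.append((group, other))   # group can still initiate to other
        if action(matrix, other, group) == "permit":
            gaps.append((other, group))   # other can still initiate to group
    return gaps


def one_way_policy() -> PolicyMatrix:
    """Only the first of the post's two rules: Block IOT to Quarantine."""
    matrix: PolicyMatrix = {}
    for group in IOT_DEVICE_GROUPS:
        matrix[(group, QUARANTINE)] = "deny"
    return matrix


def two_way_policy() -> PolicyMatrix:
    """Both rules: Block IOT to Quarantine and Block Quarantine to IOT."""
    matrix = one_way_policy()
    for group in IOT_DEVICE_GROUPS:
        matrix[(QUARANTINE, group)] = "deny"
    return matrix


if __name__ == "__main__":
    print("one rule, still open:",
          open_directions(one_way_policy(), QUARANTINE, IOT_DEVICE_GROUPS))
    print("two rules, still open:",
          open_directions(two_way_policy(), QUARANTINE, IOT_DEVICE_GROUPS))
    # Unrelated pairs are untouched by either rule set:
    print("HVAC -> Lights:", action(two_way_policy(), "HVAC", "Lights"))
```

With only "Block IOT to Quarantine" in place, the first line of output lists Quarantine initiating to HVAC, Lights and Cameras as still permitted; only the second rule closes those. The same check is worth running against the real policy matrix whenever a quarantine group is added: isolation is only as good as the direction you forgot.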
Contracts
Contracts are used if you need something more defined than a complete permit or deny of traffic, for example allowing only specific ports or protocols between two groups.
Provision
Provision allows you to add devices to the sites created in Design and start building your campus fabric.

Choose devices to provision and add to the SJC site
Now that the devices are assigned to SJC we'll want to provision them. Provisioning pushes to the devices the network settings set up during Design.
Fabric
Now that the devices are provisioned we can start building the fabric. A fabric is an overlay network that lets the campus be operated as if it were a single logical switch.

I’ll create a new fabric for the demo
Fabric Terminology
- Edge Node – access layer of the network, where hosts connect
- Border Node – device that connects the fabric to the outside, e.g. the WAN edge
- Control Plane Node – tracks where hosts are located within the fabric
A fabric requires at least one of each node type to be set up. The Border and Control Plane node can be the same device. Devices not configured in the fabric are intermediate nodes, which only need IP connectivity within the campus: they play no role in the fabric, see fabric-encapsulated traffic as normal IP packets and forward it based on normal routing.

Add device as Control Plane and Border Node

We need to pick which routing protocol the border node uses to talk outside of the fabric. The Control Plane node does not require any special configuration.

Add access switch as Edge Node

Devices in the fabric turn from grey to blue
Host Onboarding
Here is how we tell the fabric how to handle hosts connecting into it.
Adding a new IP Address Pool. The ones created in Design could be used; this also shows that we can create one here as well, and the different authentication methods we can use for onboarding hosts.

This new IP Pool gets assigned to the fabric and will be used by the corporate virtual network
Nice read!
Thanks Benny! Feel free to share with your customers. It may help before you do your own demos onsite and drive some more questions.