Cisco CCNA 200-301 – Network Automation and Programmability Part 6

  • March 10, 2023

11. Software Defined Architecture – DNA Center

This lecture is about DNA Center, which is Cisco’s SDN controller for enterprise environments. On the slide, I’ve put in the definition from Cisco’s website of what DNA is. DNA stands for Digital Network Architecture: “Cisco DNA enables you to streamline operations and facilitate IT and business innovation. Intent-based networking (IBN), built on Cisco DNA, takes a software-delivered approach to automating and assuring services across your WAN and your campus and branch networks.”

I’ve highlighted and bolded the key terms there. So what DNA is, is using Cisco’s software-defined services to help automate your network. I’ll explain more about what intent-based networking is on the slides coming up. Three of the main building blocks of Cisco DNA and the software-defined architecture are DNA Center, which we’ll be talking about here, SD-Access, and SD-WAN, which I’ll cover in the next couple of lectures. So DNA Center is a Cisco SDN controller designed to manage enterprise environments.

That’s campus, branch and WAN, as opposed to the APIC controller, which manages data center environments with Nexus switches. You can think of DNA Center as an upgrade to the older enterprise SDN controller from Cisco, APIC-EM. DNA Center runs as an appliance on Cisco UCS server hardware. The underlying operating system is Linux, and it can be clustered for redundancy. Okay, so I mentioned IBN, intent-based networking, earlier. This is a key part of the concept of the software-defined architecture. Intent-based networking transforms a traditional, manually configured network into a controller-led network that translates the business needs into policies that can be automated and applied consistently across the network. The goal is to continuously monitor and adjust network performance to help assure the desired business outcomes. So let’s work through some examples to see what this really means.

The first example is going to be a QoS policy rollout across the entire network. So what is the intent here? What do we want to do? The network policy is defined first, for example providing guaranteed service to voice and video across all network locations company-wide. That’s our intent; that is what we want to do. If we were going to do this the traditional way, the network team would research and plan the implementation: they would list the different sites, the device models at each site and the current bandwidth at each location, and then do the design to figure out what configuration had to be applied to every device so that voice and video got the guaranteed quality they require. Different network device models require different commands, so the QoS configuration you do on routers is different from what you do on switches, and it can differ between switch models as well. In a normal large network you are going to have different models of equipment, and that makes it complicated to implement your QoS configuration. The method is very time-consuming, and because you are configuring the devices one by one, it’s liable to mistakes. Now let’s see how it works when we use intent-based networking with DNA Center. This way, the network team creates an application policy in DNA Center specifying voice and video as business-relevant applications, and that’s it.

So we don’t have to do the huge planning exercise, we don’t have to check what all our different network devices are, and we don’t have to work out different configurations for different devices and locations. We just specify in our application policy that voice and video are business-relevant applications. DNA Center then automatically configures the best-practice QoS settings on the network devices. We don’t need to get involved in the command line or figure out the different commands for the different devices; DNA Center does all of that for us. That can reduce the total deployment time to implement QoS company-wide from months down to minutes. Here is a screenshot of doing that. In DNA Center I’ve gone into Policy and created a new application policy, and in there I specify what my business-relevant applications are and what my business-irrelevant applications are.

The business-irrelevant applications are going to be policed, so they get very limited bandwidth and don’t impact our important applications. The important applications get the QoS settings they require based on the best-practice settings, so for example voice and video are put into the priority queue. Okay, so that was our first example. Looking at another example of a policy: we want to secure traffic flows in the campus. For the intent, we’ve got users in department A and other users in department B. They must have connectivity to other users in their own department and to the company servers, and they must not have connectivity to users in the other department. How would we do this with traditional networking? The network team would plan the VLAN, IP subnet and access control list implementation, and then configure each switch individually. Users are expected to stay plugged into the same access port, because the way this is controlled is that we’ve configured the switch ports with an access VLAN.

When a user plugs into a port in their department’s access VLAN, they communicate with the DHCP server and get an IP address in that subnet, and access control lists then control the traffic flows between the different IP subnets. So users are assigned a VLAN and an IP address based on their physical location, not on who they actually are. Again, the method is very time-consuming and liable to mistakes because we’re configuring devices individually, and it does not support mobility, because users are expected to stay plugged into a particular physical port.

Now let’s do this with DNA Center and intent-based networking. The network team creates a group-based access control policy in DNA Center which specifies the allowed traffic flows. Users log in from, and can move to, any physical location on campus; they are no longer tied to a physical port on a switch. The users are authenticated by Cisco ISE, the Identity Services Engine, and assigned a Security Group Tag (SGT) which controls their access. So this moves away from being based on the physical port to being based on who the user is, and the user can move anywhere within the campus. Looking at how this is configured in DNA Center: again we’re under Policy, and we configure a group-based access control policy. We’ve got our user groups in here, which is information from ISE, Cisco’s AAA authentication server, and then we specify the allowed traffic flows between the different groups. Okay, so those are a couple of quick examples of how DNA Center can make your life easier as an administrator with intent-based networking.
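To make the contrast concrete, here is an added example in Python (not from the course, and not DNA Center or ISE code) that models both approaches side by side: a location-based ACL keyed on subnets, and a group-based policy keyed on Security Group Tags. The subnets, usernames, tag numbers and the allow-list matrix are all constructed for illustration. It shows what happens when a Dept A user sits down at a desk on Dept B’s VLAN: the subnet ACL now treats her as Dept B, while the tag-based policy still enforces the original intent.

```python
"""Added example (not the course's or Cisco's code): location-based ACL versus
group-based (SGT-style) policy for the Dept A / Dept B / servers intent."""
from ipaddress import ip_address, ip_network

# --- Traditional model: policy keyed on where the user is plugged in --------
# Constructed subnets: one access VLAN per department, one server VLAN.
SUBNET_ACL = [
    # (source subnet, destination subnet, action); first match wins
    ("10.1.10.0/24", "10.1.10.0/24", "permit"),   # Dept A -> Dept A
    ("10.1.10.0/24", "10.1.100.0/24", "permit"),  # Dept A -> servers
    ("10.1.20.0/24", "10.1.20.0/24", "permit"),   # Dept B -> Dept B
    ("10.1.20.0/24", "10.1.100.0/24", "permit"),  # Dept B -> servers
]


def acl_decision(src_ip: str, dst_ip: str) -> str:
    """Evaluate the subnet ACL; anything not explicitly permitted is denied."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for src_net, dst_net, action in SUBNET_ACL:
        if src in ip_network(src_net) and dst in ip_network(dst_net):
            return action
    return "deny"


# --- Group-based model: policy keyed on who the user is ---------------------
# Constructed tag numbers; in a real deployment ISE assigns these at login.
SGT = {"DeptA": 10, "DeptB": 20, "Servers": 100}
USER_GROUP = {"alice": "DeptA", "bob": "DeptB"}   # identity -> group (from ISE)
STATIC_GROUP = {"10.1.100.5": "Servers"}           # servers carry a static tag

# Allowed (source tag, destination tag) pairs; everything else is denied.
GROUP_POLICY = {
    (SGT["DeptA"], SGT["DeptA"]),
    (SGT["DeptA"], SGT["Servers"]),
    (SGT["DeptB"], SGT["DeptB"]),
    (SGT["DeptB"], SGT["Servers"]),
}


def tag_for(identity: str):
    """Resolve an authenticated user or a statically tagged host to its SGT."""
    group = USER_GROUP.get(identity) or STATIC_GROUP.get(identity)
    return SGT[group] if group else None


def sgt_decision(src_identity: str, dst_identity: str) -> str:
    """Evaluate the group policy; unknown identities are denied by default."""
    src, dst = tag_for(src_identity), tag_for(dst_identity)
    if src is None or dst is None:
        return "deny"
    return "permit" if (src, dst) in GROUP_POLICY else "deny"


def mobility_check() -> dict:
    """alice (Dept A) moves from her own VLAN to a desk on Dept B's VLAN and
    tries to reach bob (Dept B).  Returns both models' decisions."""
    return {
        "acl_alice_at_home_desk": acl_decision("10.1.10.5", "10.1.20.9"),
        "acl_alice_on_deptB_vlan": acl_decision("10.1.20.7", "10.1.20.9"),
        "sgt_alice_anywhere": sgt_decision("alice", "bob"),
    }


if __name__ == "__main__":
    print(mobility_check())
```

Run it and the ACL’s answer for alice-to-bob flips from deny to permit purely because alice plugged into a different port, while the tag-based decision stays deny wherever she sits. Note also that an identity ISE has not authenticated gets no tag and is denied by default, which is the behaviour you want from a group-based policy.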

Having a look now in some more detail at the user interface for DNA Center. When you log in, you land on the dashboard. Up at the top you can see the main parts of DNA Center: Design, Policy, Provision and Assurance. Design is where you enter the design of your network, your different sites and that kind of information. Policy you saw examples of earlier, where we configured a security policy and a QoS policy. Provision is where you set up the configuration on your devices.

Plug and Play is also supported for when you’re first adding a new device to the network; I’ll talk about that in more detail later. And Assurance is where intent-based networking closes the loop: you’ve configured DNA Center with your intent, how you want the network to work, and Assurance checks that it is actually working the way you intended. Further down on the dashboard we’ve also got the Tools. Discovery is where DNA Center discovers your network devices, which then get added to the Inventory; you can also look at them in a Topology view. Image Repository is where you configure the operating system versions that you want on your different network devices. With Command Runner you can run show commands directly from DNA Center, which is more convenient than logging into the individual devices.

You can manage your licenses from DNA Center. For pushing configuration to your devices you can use Templates, with a Template Editor. Network Plug and Play is when you first add a device to the network and it automatically downloads its configuration from DNA Center. Telemetry is used for gathering statistics from your devices; those statistics feed the troubleshooting tools in DNA Center, so it will report if it sees any issues, and it can correlate those statistics between the different devices. Okay, so let’s have a look at each of those, starting with Design. When you first install DNA Center and are ready to get everything set up, the first thing you want to do is your network design. So you go to the Design page, and under Network Hierarchy you specify your different locations.

You can see in the example that at the top level we’ve got Global, and under that we’ve divided it into the continents. Under there we would have our different offices in each continent or country. So get your sites added. Then, also under Design, we’ve got Network Settings. In here we can set properties such as the AAA server for users and administrators logging into our network devices, the NTP server, syslog, et cetera. And you can have different settings at different levels; that’s why we have the hierarchy of sites, because it’s possible that there’s a different NTP server in Asia, for example, than there is in Australia. If you configure something at the Global level, it applies to all sites below it unless you override it with a more specific setting at the site level. Then we’ve got Discovery. We want all of our network devices to be known to DNA Center, and Discovery is what does that. To discover the devices you can use CDP, or you can specify a range of IP addresses to be scanned. You enter that information along with the login credentials (the CLI and SNMP credentials DNA Center will use on the devices). DNA Center will then go and discover your network devices, log into them, and pull information about them into DNA Center.

Once that has been done, you can see the information in the Inventory. In my example here I’ve got all these different devices, and it knows the IP address, the MAC address, the operating system version running on the device, the platform (the actual hardware model), the serial number, et cetera. You can also see the configuration from here if you’ve pushed a configuration to the device, and from that information you can view it in a Topology view.

This gives you a nice graphical representation of how the devices in your network are connected to each other. Another thing we can do with DNA Center is manage the operating system versions running on our network devices. You’ll have your different IOS images in here. DNA Center already knows about all the different models of equipment in your network and will recommend the IOS image to use on them. Under Golden Image you specify the IOS image that you want to use, and DNA Center can then push that version to your devices and make sure they are running the correct version of IOS. The next feature I want to talk about is Network Plug and Play, which I mentioned earlier.

Network Plug and Play allows your routers, switches and wireless access points to be deployed in remote offices with zero-touch configuration, meaning it doesn’t need a network administrator to physically take the device out of the box and configure it. The way it works is that the device is physically installed in the remote office and connected to the network. It then discovers DNA Center, and various methods are available to do this, including DHCP option 43 and DNS. So the device gets plugged into the network, reaches its DHCP server, and from the DHCP server it learns its IP address, subnet mask and default gateway.

Through DHCP option 43 it can also learn the IP address of DNA Center. This is built into Cisco devices: when you first connect them to the network, they look to see if there is a DNA Center SDN controller to manage them. The device can discover DNA Center either through DHCP or through DNS. For DNS, you add a host entry for pnpserver in your domain (the domain name the device also learns from DHCP); the router or switch comes out of the box set up by Cisco to look for that host name in DNS, and if it finds it, it uses it to connect to DNA Center. It then registers with DNA Center and downloads its configuration from it. That ensures consistent configuration of your remote office devices with no need for a network engineer on site. One caveat: at that first boot the device trusts whatever its DHCP server and DNS tell it, so the DHCP scope and the DNS zone serving the remote office need to be under your control. Compare that with the way we used to do it: when you ordered a new router, switch or wireless access point, it had to be sent to the physical location where the network engineer is.
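The discovery sequence just described, DHCP option 43 first and then DNS, as an added Python example (not Cisco’s or the course’s code). It builds and decodes the ASCII string a DHCP server hands out in option 43 so a factory-default device can find its PnP server, and mimics the device’s fallback to the pnpserver host name when option 43 is absent or belongs to some other vendor’s format. The field layout (5A = PnP marker, 1N/1D = debug off/on, B2 = IPv4 address, K4/K5 = HTTP/HTTPS, I = server address, J = port, T = trustpool bundle URL) is as I recall it from Cisco’s Network Plug and Play documentation; treat it as an assumption and check it against your platform’s PnP guide. The addresses, domain and lease contents are constructed.

```python
"""Added example (not Cisco's or the course's code): build and decode the
DHCP option 43 string used for PnP discovery, and follow the device's
DHCP-then-DNS order.  Field layout is as recalled from Cisco's PnP docs and
is an assumption; verify against your platform's documentation."""
from ipaddress import IPv4Address

PNP_MARKER = "5A"
ADDR_TYPES = {"1": "hostname", "2": "ipv4"}
TRANSPORTS = {"4": "http", "5": "https"}


def build_option43(server_ip, port=80, https=False, debug=False, trustpool_url=None):
    """Return the ASCII string to place in the DHCP scope's option 43."""
    IPv4Address(server_ip)  # raises ValueError on a malformed address
    fields = [
        PNP_MARKER + ("1D" if debug else "1N"),  # marker + debug flag
        "B2",                                     # address type: IPv4
        "K5" if https else "K4",                  # transport
        f"I{server_ip}",                          # PnP server address
        f"J{port}",                               # PnP server port
    ]
    if trustpool_url:
        fields.append(f"T{trustpool_url}")        # optional trustpool bundle
    return ";".join(fields)


def parse_option43(value):
    """Decode a PnP option 43 string into a dict.  Raises ValueError when the
    string is not PnP-formatted (other gear, e.g. access points, also uses
    option 43 with vendor-specific layouts that a PnP device must ignore)."""
    if not value.startswith(PNP_MARKER):
        raise ValueError("not a PnP option 43 string")
    fields = value.split(";")
    out = {"debug": fields[0][len(PNP_MARKER):] == "1D"}
    for field in fields[1:]:
        tag, body = field[:1], field[1:]
        if tag == "B":
            out["addr_type"] = ADDR_TYPES[body]
        elif tag == "K":
            out["transport"] = TRANSPORTS[body]
        elif tag == "I":
            out["server"] = body
        elif tag == "J":
            out["port"] = int(body)
        elif tag == "T":
            out["trustpool_url"] = body
        else:
            raise ValueError(f"unknown field {field!r}")
    for required in ("transport", "server", "port"):
        if required not in out:
            raise ValueError(f"missing field {required}")
    return out


def discover_pnp_server(lease):
    """Follow the device's order: option 43 first, then DNS.  `lease` is a
    constructed dict for what DHCP returned: keys 'option43' and 'domain'
    (option 15).  Returns (method, target), or None if nothing is usable."""
    opt43 = lease.get("option43")
    if opt43:
        try:
            p = parse_option43(opt43)
            return ("dhcp", f"{p['transport']}://{p['server']}:{p['port']}")
        except (ValueError, KeyError):
            pass  # not a usable PnP string; fall through to DNS
    domain = lease.get("domain")
    if domain:
        # the well-known host name a factory-default device resolves
        return ("dns", f"pnpserver.{domain}")
    return None


if __name__ == "__main__":
    s = build_option43("10.1.1.5")
    print(s, parse_option43(s))
    print(discover_pnp_server({"option43": s, "domain": "corp.example"}))
    print(discover_pnp_server({"domain": "corp.example"}))
```

Whichever path wins, the target the device ends up contacting is decided entirely by the DHCP and DNS answers it receives on its first boot, which is why the example rejects non-PnP option 43 strings rather than guessing, and why those services at the remote site need to be yours.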

They would then take it out of the box, connect to it, do the configuration and then ship it to the final site, and it would need somebody there to plug it in as well. Now you don’t need those two steps. It can be shipped directly to its final location and plugged in; it connects to DNA Center and downloads its configuration from there. So it makes sure you’ve got the correct configuration on the device, and it also saves you time and money. The next thing is Assurance. Assurance checks that the infrastructure is doing what you intended it to do. DNA Center receives information from all of the different network devices, your routers, your switches, et cetera, and also from ISE, the AAA server. DNA Center has a built-in correlation engine which can identify over 150 different types of network and client issues, and because it’s getting all this information from your different devices, it can correlate between them. If it sees that things are related, that gives it better information to report to you as well.

DNA Center then reports the problem and also provides recommended remediation actions. Looking at an example of that: we’re now on the Assurance page in DNA Center, where we can see an overall summary of the network health, and on the main page we also see the top ten issues. One of the issues here is that an OSPF adjacency has failed on one of our routers. We can click on the link to drill down further and see more details, and it also gives us the remediation steps, which are first to ping the neighbour to verify connectivity, then check the OSPF neighbours, et cetera. You can actually run those commands directly from DNA Center. So it’s very useful: it reports the issues that are happening in the network and walks you through how to troubleshoot them as well.

And because DNA Center has a system-wide view of the network, it gives you global visibility into what is happening and lets you troubleshoot from one place rather than one device at a time. You saw there that you can drill down into the health status of network devices and clients, and as well as seeing what’s happening now, you can view historical information. That’s useful for troubleshooting intermittent problems which happen at random times, or issues which occurred in the past. In the screenshot you can see we’ve got a client here, a user’s end machine, and we can see that it has had intermittent connectivity problems.

There have been a couple of drops, and you can see the time scale along the bottom, so we can look back at what’s been happening over time. We can click on the timeline and see what the problem was at that point. So if a user says they’ve had connectivity problems with the network but it’s working fine now, with traditional networking you would just have to wait until the next time it happens and troubleshoot it then. But with DNA Center you can go back in time and see what was happening.
