The Network Intuitive explained and put into action
Imagine a network that is adaptable, constantly learning, dynamically changing and reconfiguring itself, and all of this while detecting malware in encrypted traffic. But wait, we’ve had adaptable networks dynamically changing for a while now. All the way back in the Routing Information Protocol (RIP) days, the network was kind of adaptable to change. What’s different about the Network Intuitive?
The need for a new kind of Network
The Enterprise Networking business unit within Cisco (driven by the requirements of a massively scalable network that needs to seamlessly and securely connect all the cabled, wireless, IoT, mobile and cloud endpoints while making it easier to setup, manage and configure), came up with an elegant solution. For the enterprise space this is all encompassed under the Software Defined Access umbrella. Combining existing and proven technologies in a new and innovative way, SDA was born. For the control plane they selected Locator/ID Separation Protocol (LISP), the data plane is handled by Virtual Extensible LAN (VXLAN) and the policy is enforced throughout the fabric by Scalable Group Tags (SGT) and Cisco Identity Services Engine (ISE).
I will not go into much detail about the new Catalyst 9k switches which make a lot of the magic possible with SDA, about their new programmable UADP 2.0 ASICs that gives them unprecedented longevity, or about the new programmable IOS-XE running on them. However, I do want to go into more detail on DNA Center. And anyway we have to keep in mind that you can build SDA fabric in a brownfield environment using older Catalyst switches, ISR, ASR and CSR routers and wireless LAN controllers and access points. For a brand new greenfield environment and for migrations I would definitely recommend getting the Catalyst 9ks in order to be able to take advantage of the increased performance and all the features available with SDA.
DNA Center is built on the services and applications that APIC-EM made available a while back and has definitely taken it to the next level. It offers one pane of glass for your whole enterprise network. You can discover your network, have the topology automagically built, you can provision new devices like you are able to do with APIC-EM but you can also do something brand new: You can build your own SDA fabric with it! SDA fabric gives you the option of managing your entire enterprise network as one big switch. For all the clients and endpoints in the network, be it cabled or wireless, you can now configure and enforce a consistent policy throughout the whole network. No longer do we have to manually configure the access switches port by port. Wherever and whenever somebody or something connects to the network in a secure manner, the policy associated with that entity is consistently enforced everywhere.
Once you log-in to the DNA Center GUI, you see four main sections:
Design, Policy, Provision, and Assurance.
Here you can add sites, buildings and floors and have a geographical representation of your network before you actually discover a single device. At each level in the hierarchy you have the option of adding AAA (typically Cisco ISE), DHCP, DNS, NTP, SYSLOG, SNMP and Netflow Collector servers. This is also where you define the CLI, SNMP and HTTPS credentials that DNA Center will use in its discovery process. IP address pools for each site, wireless profiles, SSIDs and golden images for the SWIM process are configured here. Configure everything that is pertinent from a design perspective for your network
Start segmenting your network into different virtual networks, think VRF, and define the policy for your network. SGTs and the Cisco ISE integration that were mentioned above come into play here. The user group to SGT mapping done in Cisco ISE is imported into DNA Center, via pxGrid. Building the policy and enforcing it throughout the whole fabric is as easy as dragging and dropping a group of users into the source field, a different group or the same one in the destination field, and associating a contract with the policy: accept, deny or custom. Custom contracts can be defined based on specific applications that you want to allow or deny. The segmentation done at the virtual network layer is extended into microsegmentation for each user group/SGT at the policy layer.
Assign discovered devices to your sites and build the fabric using those devices. Following the discovery process, DNA Center can manage the devices via CLI, SNMP, HTTPS, NETCONF, etc. At the fabric provisioning stage, DNA Center configures the fabric roles on each device that is part of the fabric: border, control node, edge; etc. Host onboarding and the assignment of IP pools to virtual networks is also done here.
Assurance is where you find a dashboard for monitoring network health, identifying issue root causes, evaluating network configuration changes, and remediating issues. Not only do you get unparalleled and comprehensive visibility into devices, users and applications, but all this data is correlated and machine learning algorithms are applied to it, following 30 years of Cisco best practices, to come up proactively with suggestions on how to fix problems before they even become visible to the end users. We’ve all suffered through network troubleshooting and fixing sessions taking hours, if not days. Imagine a world in which this is taken down to seconds and, by using Open APIs and automation workflows, it’s automatically done for you!
The DevNet SDA fabric
After the initial announcement around network intuitive and coming back from Cisco Live Las Vegas last year, I was ready to have a closer look at all this. So I started looking around and investigating what this actually means for us engineering folk. Being part of Cisco has a lot of benefits, but one that I enjoy a lot is being able to play around and kick the tires on brand new technologies. I grabbed five Catalyst 3850s (2 would act as border and control plane nodes for redundancy purposes and 3 as edge nodes), a UCS C-series server and an ASR 1002-HX from my lab and from a hardware perspective the setup was ready. Asking around, joining internal Cisco Spark rooms, I was able to find the guide and the ISOs that I needed to setup DNA Center and Cisco ISE.
Like most things, the preparation, studying and getting all the pre-requisites ready took much longer than the actual installation. By the time I joined the Early Field Trial program, DNA Center was already at version 3. After the smooth installation, I built my own SDA fabric with the hardware I had available. The process is incredibly simple and the whole workflow just makes sense. Attending SDA sessions at Cisco Live Cancun 2017 was very helpful and gave me the option of asking questions and meeting in person the TMEs responsible for DNA Center.
Back in the lab in San Jose, I was getting familiar with the product and trying to break it and then fix it while providing feedback to the designers and engineers I had met in Cancun. I find that hands-on, pushing it to the limit is the best way to learn a new technology. The DNA Center GA version that was released at the end of November 2017, streamlined everything including the graphical user interface, the workflows, new features, and the stability of the product.
We started considering the option of having the DevNet Zone in Barcelona run on SDA fabric, and being managed by DNA Center. And that’s what we’ve done for Cisco Live Europe 2018! We’ve set up a SDA fabric using DNA Center 1.1 and we are running the DevNet Zone on it in Barcelona this year. We have a long history of eating our own dog food for everything infrastructure within the DevNet events team so this just felt right. We couldn’t have done this without Andre Laurent, WW Director of Engineering – EN Sales and his team’s support.
The lessons learned during the EFT phase were invaluable, from building the underlay (I’ve used IS-IS), integrating DNA Center with ISE, creating virtual networks and building the policy to configuring MP-BGP to VRF leaking and Internet access on the border router. All these lessons have contributed to a painless migration to the GA version. I gotta tell you, it’s a glorious feeling when you make that final test, connect the client to the fabric, get the 802.1x authentication pop-up, put in the credentials, get authenticated by ISE, get assigned the correct IP settings over DHCP, get the right policy assigned to the client and everything just works. No matter on which port or to which access point you have the client joining the network the policy follows along. There are a lot of moving pieces in the background to make this possible and to see them all working in harmony is just awe-inducing. This reminds me of the first time I set up MPLS Layer3 VPN. Seeing so many technologies come together in a new and innovative way to resolve very elegantly a real life problem was inspiring.
We are already planning for Cisco Live Orlando 2018, and I do not want to spoil the surprises that we have reserved for you for that event, just yet. Also some people would say it is better to underpromise and overdeliver. Having said that, we are looking more closely at wireless integration, Assurance and APIs. Be on the lookout for the next post in this blog series to know in more detail what changes we have made to our SDA fabric for Orlando.
We’ve come a very long way from those RIP days. RIP and dynamic routing protocols were revolutionary 30 years ago when 15 hops in a network was considered a large network, SDA and the network intuitive are revolutionary for the infrastructure of tomorrow when billions of devices will be connected to our networks.
I hope you will join us for Cisco Live Europe in Barcelona this year between January 29th and February 2nd and check out the DevNet zone and all the workshops, classroom sessions, learning labs and all the other activities and surprises we have reserved for you. All powered by SDA and DNA Center.
#WeAreCisco #LoveWhereYouWork #NetworkIntuitive