SD-Access and DNA Center: An enterprise network can become quite complex.
There is usually a headquarters, remote sites, people working remotely, and all of this is connected by WAN connections.
Inside these buildings, there are many physical-layer devices, such as:
- etc.
There are also a lot of things in the logical topology:
- VLANs
- VRFs
- routing protocols
- ACLs
- firewall rules
- and so on.
All of this is in principle configured manually, with perhaps a little network automation to make our lives easier.
In 2007/2008, SDN (Software Defined Access) emerged with the objective of automating everything, and even of getting rid of the CLI by replacing it with a single, centralized piece of software: the Cisco DNA Center (Digital Network Architecture), which we will detail later in the course.
But today, SDN is more about the data center and focuses mainly on applications.
As enterprise networks still use a lot of hardware devices, the idea would be to offer new services like those currently available in data centers.
For example, if we need a new firewall, it would be easier if, with just a few clicks, we could get a virtual ASA directly in our company.
That is one of the promises of Cisco's SD-Access: to fully automate the enterprise network, just like what already works in the cloud.
SD-Access (SDA: Software-Defined Access) is an innovative solution that offers a fully automated and programmable network infrastructure, thus allowing great savings.
The principle is based on a programmable "fabric", built on all the equipment of the company's network.
The diagram shows what an SDN topology looks like.
Five components are shown:
- The Fabric
- The APIC-EM controller
- The ISE (Identity Services Engine)
- The NDP (Network Data Platform)
- And the DNA Center
DNA Center: Fabric
In the "Fabric", you will find all the hardware components you know, that is:
- routers
- switches
- wireless LAN controllers
- access points
- etc.
This includes all devices running on IOS and IOS XE.
To configure the devices in the Fabric, APIs must be used.
The CLI is still available for troubleshooting.
The Fabric contains three key components:
- The Control Plane: based on the LISP protocol (Locator Identity Separator Protocol)
- The Data Plane: based on an Extensible Virtual LAN (VXLAN: Virtual Extensible LAN)
- And the Policy: based on Cisco TrustSec (CTS)
In the control plane, the LISP protocol (Locator Identity Separator Protocol) simplifies routing by removing the destination information from the routing table and moving it to a mapping system, very similar to DNS (Domain Name System).
That is, to find a destination address, the router asks the LISP mapping system directly.
The router's routing tables are therefore smaller and require less CPU load.
The LISP protocol therefore allows the tunnelling of Layer 3 traffic in the control plane.
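The lookup behaviour described above can be modelled in a few lines. This is an added example, not Cisco code and not the LISP wire protocol: the class names, the 60-second cache lifetime and the addresses are constructed assumptions. It shows an edge router that holds only the mappings it has used and asks a central mapping system for the rest, and what that means when an endpoint moves.

```python
import ipaddress

def longest_match(table, eid):
    """Return the most specific prefix in `table` that contains `eid`, or None."""
    addr = ipaddress.ip_address(eid)
    hits = [p for p in table if addr in p]
    return max(hits, key=lambda p: p.prefixlen) if hits else None

class MappingSystem:
    """Central endpoint-prefix -> locator database, queried on demand like DNS."""
    def __init__(self):
        self.db = {}        # endpoint prefix -> address of the edge node serving it
        self.queries = 0    # how often routers had to ask

    def register(self, prefix, locator):
        self.db[ipaddress.ip_network(prefix)] = locator

    def resolve(self, eid):
        self.queries += 1
        prefix = longest_match(self.db, eid)
        return (prefix, self.db[prefix]) if prefix is not None else None

class EdgeRouter:
    """Keeps only the mappings it has used, each with an expiry time."""
    def __init__(self, mapping_system, ttl=60):
        self.ms, self.ttl, self.cache = mapping_system, ttl, {}

    def lookup(self, eid, now):
        # Drop expired entries first so a moved endpoint is re-resolved.
        self.cache = {p: v for p, v in self.cache.items() if v[1] > now}
        prefix = longest_match(self.cache, eid)
        if prefix is not None:
            return self.cache[prefix][0]
        answer = self.ms.resolve(eid)
        if answer is None:
            return None     # unknown destination: no tunnel endpoint is guessed
        prefix, locator = answer
        self.cache[prefix] = (locator, now + self.ttl)
        return locator

def demo():
    ms = MappingSystem()
    ms.register("10.1.2.0/24", "192.0.2.1")     # constructed sample data
    edge = EdgeRouter(ms, ttl=60)
    first = edge.lookup("10.1.2.3", now=0)       # miss: asks the mapping system
    second = edge.lookup("10.1.2.99", now=10)    # hit: served from the local cache
    ms.register("10.1.2.3/32", "192.0.2.2")     # the host moves to another edge
    stale = edge.lookup("10.1.2.3", now=20)      # cache still points at the old edge
    fresh = edge.lookup("10.1.2.3", now=61)      # entry expired: resolved again
    unknown = edge.lookup("10.9.9.9", now=61)
    return first, second, stale, fresh, unknown, ms.queries
```

The `stale` result is the part worth watching in operations: until a cached mapping expires or is refreshed, traffic keeps going to the previous location.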
For the data plane, which operates at Layer 2, SD-Access technology uses VXLAN to support Layer 2 encapsulation, and allows network policies to be created without mapping them to IP addresses or subnets.
DNA Center: APIC-EM Controller
The APIC-EM Controller is Cisco's SDN controller for enterprise networks and supports devices running IOS or IOS XE.
It controls all the devices in the structure, and is itself controlled by the DNA Center.
DNA Center
The DNA Center is the portal that controls the whole SD-Access topology.
It is a hardware appliance that is usually located on the web.
The idea is to provide a centralized interface for all operations:
- configuration
- security
- and analysis
of the corporate network, whether in the LAN, WLAN, or WAN.
This makes network management simpler, accelerating changes and responding more quickly to business needs.
Remember our example with the programmer.
Adding a piece of equipment to the "fabric" is immediate, and the various modifications, whether to security rules or to groups, take only a few minutes instead of several hours of study…
In the DNA Center, we have four key attributes:
- Design
- Policy
- Provision
- And Assurance
So, if you want to see what the DNA Center GUI looks like, you can log in to the Cisco sandbox at https://sandboxdnac.cisco.com/ and use the identifier "devnetuser" with the password "Cisco123!".
We will now detail the 4 attributes of the DNA Center.
DNA Center: Design
The "Design" tab is where you design your entire network.
You can:
- Build the network hierarchy
- Manage IP addresses
- Set up the network
- And manage all the IOS or IOS XE images of your devices, all in one place.
DNA Center: Policy
The "Policy" tab is where we configure everything related to network policies.
In other words, all you have to do is create your own policies and the DNA Center takes care of translating them into configurations on all the hardware devices in the topology.
DNA Center: Provision
The "Provision" tab is where you add new devices to the network and apply the network policies to the devices.
DNA Center: Assurance
And the last tab is where you can monitor the whole network.
It is possible to see an overview of all network devices, wireless clients and applications.
This allows us to monitor the health of the network and get an overview of all the problems in the network.
ISE (Identity Services Engine)
To continue with the diagram from the beginning: on the left-hand side, we have the ISE (Identity Services Engine), which is a solution for managing the security and control rules for the entire network.
The SDA fabric relies on ISE to segment the network and define user and device groups.
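The following added example (not Cisco code) ties this section to the earlier statement that VXLAN lets policies be written without reference to IP addresses or subnets. It assumes the VXLAN Group Policy header layout, in which a 16-bit group tag sits next to the 24-bit virtual network identifier; the page does not spell that layout out, and the group numbers, network IDs and policy matrix are constructed. Enforcement is reduced to a single lookup.

```python
import struct

G_FLAG, I_FLAG = 0x80, 0x08   # group tag present / network identifier valid

def build_header(vni, group_id=None):
    """Pack the 8-byte VXLAN header; the group tag is optional."""
    flags = I_FLAG | (G_FLAG if group_id is not None else 0)
    return struct.pack("!BBHI", flags, 0, group_id or 0, vni << 8)

def parse_header(header):
    """Return (vni, group_id); group_id is None when no tag is carried."""
    if len(header) < 8:
        raise ValueError("truncated VXLAN header")
    flags, _, group_id, word = struct.unpack("!BBHI", header[:8])
    if not flags & I_FLAG:
        raise ValueError("network identifier flag not set")
    return word >> 8, (group_id if flags & G_FLAG else None)

# Constructed groups, standing in for what the identity service assigns.
EMPLOYEES, GUESTS, PRINTERS = 17, 99, 30
# Constructed policy matrix: (virtual network, source group, destination group).
ALLOWED = {(4099, EMPLOYEES, PRINTERS)}

def decide(header, dst_group, allowed=ALLOWED):
    """Permit only listed (vni, src, dst) triples; everything else is denied."""
    try:
        vni, src_group = parse_header(header)
    except ValueError:
        return "deny"
    if src_group is None:            # untagged traffic gets no implicit trust
        return "deny"
    return "permit" if (vni, src_group, dst_group) in allowed else "deny"

def demo():
    """No IP address is consulted: the verdict follows the group, not the subnet."""
    return [
        decide(build_header(4099, EMPLOYEES), PRINTERS),  # listed pair
        decide(build_header(4099, GUESTS), PRINTERS),     # no rule for guests
        decide(build_header(4100, EMPLOYEES), PRINTERS),  # other virtual network
        decide(build_header(4099), PRINTERS),             # untagged frame
        decide(b"\x88\x00", PRINTERS),                    # truncated header
    ]
```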
NDP
And the NDP (Network Data Platform) is a platform that translates the different analysis data and synthesizes them for the company.
Everything the NDP collects can be monitored via the DNA Center.
Quiz
Question 1
In 2007/2008, SDN (Software Defined Access) emerged with the objective of automating everything, and even of getting rid of the CLI by replacing it with a single, centralized piece of software: the Cisco DNA Center (Digital Network Architecture)?
True
False
Question 2
The Fabric contains three key components.
Which of its components is based on Cisco TrustSec (CTS)?
The Control Plane
The Data Plane
The "Policy"
Question 3
In the DNA Center, we have four key attributes.
Which one is where we configure everything related to network policies?
Design
Policy
Provision
Assurance
In other words, all you have to do is create your own policies and the DNA Center takes care of translating them into configurations on all the hardware devices in the topology.
Question 4
In the DNA Center, we have four key attributes.
Which one is where new devices are added to the network and network policies are applied to the devices?
Design
Policy
Provision
Assurance
Question 5
Which solution allows you to manage security and control rules on the entire network?
ISE (Identity Services Engine)
NDP (Network Data Platform)
The SDA fabric relies on ISE to segment the network and define user and device groups.