In this blog post, I'm going to be taking a test drive of Cisco's DNA Center and SD-Access. Unfortunately, I don't have this set up in my lab yet so I'll be utilizing dCloud for this and writing this blog post as I go. Big shout-out to Dustin "Master of CDP Neighbors" Schuemann and his team for standing this up. If you don't know what DNA is, I'll go over the history really quickly. Cisco announced and pushed their Digital Network Architecture (DNA) early last year. There was generally a lot of buzz about developing architectures and platforms that are open, extensible, and software-driven. Beyond that messaging and a few key products, I think there was a lot that they were developing in the background.
A couple of weeks ago, Cisco unveiled a new line of switches called the Catalyst 9000s and a solidified vision of where they see DNA going. The DNA platform was to incorporate cloud service management, automation, analytics, security, and virtualization into the same platform and the various infrastructure elements in a rather cool way. Obviously, I work at Cisco so saying that I think this sounds really cool is like Colonel Sanders saying that he prefers Kentucky Fried Chicken. With that being said, my opinion that this stuff is pretty amazing is that of an engineer, not a Cisco employee. Take it with a grain of salt or not as you see fit. I don't have access to everything yet but I felt like taking a test drive of some of the stuff I can play with.
Part of this vision is the DNA Center which will be the central view for the hosted applications and functions from APIC-EM 2.0. I thought it would be useful to walk through some of the features and the UI. If any of you ever used APIC-EM before, it had some good features like Path Trace, Easy QoS, etc., but there just wasn't much there initially. DNA Center goes beyond that.
Logging into DNA Center initially, you're greeted by a central dashboard as shown below.
I'm going to start out by clicking on Design to kick off the design tool. This is where we will specify attributes we will apply to a network such as location information, floor plans, services such as DHCP, IP addressing, SSIDs, etc. It also supports the ability to pre-deploy.
I'm going to click on Create Site to create a new site on this page. Since this is the network hierarchy tab, you can build it as USA and then build child sites under that.
I'm going to create a child site under USA below.
Next I will create a building under Pasadena.
Now I have built my beautiful Casa De McNamara building in DNA Center's Network Hierarchy! Let's go ahead and add a floor to my casa!
Clicking on the gear icon next to Casa-De-McNamara, I get a dropdown to add a floor.
After creating the floor, we can now upload a floor plan here.
I clicked on Upload File and uploaded a shared file hosted on dCloud and clicked Save.
That was easy! Obviously, there's a lot more than just putting a pin on a map and adding a site map. After this is done, I'm going to go to the Network Settings tab on the top of the screen to pick out various network services. I can build global services or site specific services here.
On the Network tab, you can define an AAA server, DHCP server, and DNS server as pictured below.
By clicking Add Servers, you can also define other types of servers such as NTP, Syslog, SNMP Trap and Netflow Collectors.
I'm going to populate the fields below for the Global hierarchy.
You can have global services that are inherited from the network hierarchy or you can create them for a specific site or multiple sites as shown above. You can also choose to inherit only certain services (i.e. DHCP) but have everything else be site specific. If the services are inherited from the network hierarchy, you'll see an orange pyramid right next to the name of the service. If you make any changes to the service, it will override the default. I have expanded to Casa De McNamara's level and as you can see, my global services have been inherited unless I make a change at this level and save it.
The next tab in Network Settings is Device Credentials for the various network devices that will be configured. This includes CLI, SNMP, and HTTP credentials.
The next tab is IP Address Pools where we can create and reserve DHCP pools. They can also be discovered from an IPAM.
By clicking on Add, a pop-up will come up which allows you to create a DHCP pool.
After it's created, you can allocate it to the site as well by drilling down on the left-hand side and clicking Reserve in the main window. From there, you can pick the global IP pool you just created and reserve it for that site or floor.
Next we will go to the Wireless tab. On this page, we can create both Wireless interfaces and SSIDs.
The first thing I will do is create a corporate SSID for myself by clicking Add SSID.
I will also create a wireless interface.
After creating both the SSID and interface, you'll click Save in the top right corner to save the changes.
Now that we are done with Network Settings, I'm going to move to Image Management on top. This is where you can import images so you can keep your images standardized at a site or across your whole enterprise.
The next tab we will move onto is the Network Profiles tab on top. This is where we can associate an SSID, services, etc to a location or site. To add a profile, click Add Profile. I'm going to choose wireless first.
For the wireless profile, I'm going to name it SecurityDemoWifi. This is where we can specify the AAA servers we previously created under Network Settings as well as whether or not it'll be part of the fabric or FlexConnect.
After clicking Save, you will now be presented with the choice to assign it to a site. I'm going to assign it to Casa-De-McNamara's Second Floor.
The next thing we will go through is the Policy page by clicking on it on top. This is where we define how we want the network to handle the applications, devices and users. The Policy page helps us with creating virtual networks (VRFs), policy administration and contracts between different groups. The groups come from ISE via pxGrid and DNA Center is able to get the Security Group Tags from ISE. The SGT policy created here in the DNA Center is pushed to ISE and ISE enforces it.
The groups on the right-hand side are the SGTs that are currently provisioned in ISE. DNA Center will also be integrated with Active Directory through ISE, where groups can originate from, and can be integrated with ACI as well, where you can pick application groups.
Users and devices can be either statically or dynamically assigned a group through ISE via 802.1x, profiling, PassiveID, etc. By utilizing these groups (or SGTs), we're removing the dependency on IP ACLs and removing a lot of the hard work of maintaining those ACLs. Between SGTs and VRFs that are created, we're adding two layers of segmentation to build this secure environment. Since hosts can usually communicate within the same VRF and potentially another VRF if the traffic leaves the border and returns, group-based policy (SGTs) adds further segmentation not only between VRFs but within the same VRF as well, depending on your policy.
To create a new Virtual Network (VRF), click the + button on the top left corner. We're going to name this SecurityDemoLAN and add the Employees, Production, ACI_App_Servers, ACI_Web and Contractors groups to this Virtual Network by simply dragging and dropping the group from one side of the screen to the other and clicking Save.
Next I will create a guest network with the Guest, BYOD, and Unknown groups in it.
Once we drag and drop groups into virtual networks, we're preventing them from talking to other virtual networks and isolating the group. Now our guests cannot talk to our employees and contractors unless we explicitly allow them to or configure route leaking between the VRFs.
Now that we created the virtual networks, let's move onto the Policy Administration tab. This is where we can create that microsegmentation inside our virtual network.
Click Add Policy to start the policy creation. This is where we define what groups can talk to which groups and how they can speak to each other. In this case, I'm going to create a policy stating that I don't want my contractors to communicate with my ACI_App_Server. Once you drag and drop a group into either the source or destination, it will remove all the other groups except the ones that exist in the virtual network they reside in. Click Save.
This is what it looks like after it's been saved.
What if we would like to define certain ports and services to talk between groups instead of just deny or permit? Well, we would go to the Contracts tab and create that contract.
By clicking on the Add Contract button, we can define ports, services, etc.
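To make the two layers of segmentation described above concrete (VRF isolation first, then SGT policy and contracts inside the VRF), here is a small evaluation model I added for this post; it is constructed example code, not DNA Center, ISE or TrustSec code, and the guest virtual network name "GuestNetwork" and the Employees-to-ACI_Web contract on ports 80/443 are assumptions.

```python
from dataclasses import dataclass, field

# Virtual networks as built in the post; the guest VN name is assumed (constructed data).
VIRTUAL_NETWORKS = {
    "SecurityDemoLAN": {"Employees", "Production", "ACI_App_Servers", "ACI_Web", "Contractors"},
    "GuestNetwork": {"Guest", "BYOD", "Unknown"},
}

@dataclass
class Policy:
    src: str
    dst: str
    action: str                               # "deny" or "permit"
    ports: set = field(default_factory=set)   # non-empty set models a contract; empty = any port

def vn_of(group):
    """Return the virtual network (VRF) a group was dragged into, or None."""
    for vn, members in VIRTUAL_NETWORKS.items():
        if group in members:
            return vn
    return None

def evaluate(src, dst, port, policies):
    """Decide src group -> dst group on a port: VRF isolation first, then SGT policy."""
    src_vn, dst_vn = vn_of(src), vn_of(dst)
    if src_vn is None or dst_vn is None:
        return "deny", "group is not a member of any virtual network"
    # Layer 1: different VRFs cannot talk unless route leaking is configured (not modelled).
    if src_vn != dst_vn:
        return "deny", f"isolated by virtual networks {src_vn} and {dst_vn}"
    # Layer 2: explicit SGT policy between the two groups inside the VRF.
    for p in policies:
        if p.src == src and p.dst == dst:
            if p.action == "deny":
                return "deny", "explicit SGT deny policy"
            if p.ports and port not in p.ports:
                return "deny", f"contract permits only ports {sorted(p.ports)}"
            return "permit", "explicit SGT permit policy"
    return "permit", "default permit inside the same virtual network"

def find_unreachable_policies(policies):
    """Audit helper: policies whose groups sit in different VRFs never match any flow."""
    return [p for p in policies if vn_of(p.src) is None or vn_of(p.src) != vn_of(p.dst)]

# The Contractors -> ACI_App_Servers deny from the walkthrough plus one constructed contract.
POLICIES = [
    Policy("Contractors", "ACI_App_Servers", "deny"),
    Policy("Employees", "ACI_Web", "permit", {80, 443}),
]
```

The audit helper catches the case the UI prevents by filtering the group list: a policy written between groups in different virtual networks is dead, because the VRF boundary already denies the flow.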
Moving onto the Registry tab, we can see users and device groups and where they were learned from. We can also define a new one by clicking on the Add User & Device Group on top.
Now that we've defined a site, services, virtual network, and segmentation policy, we're going to move on to provisioning it by clicking on the Provision tab on top. We will be in the Devices tab where I see several unprovisioned devices. I'm going to check a couple devices first.
Next I will choose Add to Site from the drop-down.
Here I will assign the devices to Casa De McNamara.
Next we will select the same devices and choose Provision from the same drop-down. This will take us to the Provision Devices wizard.
I'm going to check the box for All Same Site and click Next (since this is a lab and I don't have a configuration for them) and Next. Click Deploy.
After this, the devices show their provision status as Deployed.
Going over to the Sites tab, you can see an overview of the site, your site plan, and add access points.
Next we will move on to the Fabric tab where we will create a fabric domain which is an overlay network that simulates a single switch.
I'm going to choose New Fabric, call it Casa McNamara, and then click on the domain that I just created.
On this next page, it will take me through a wizard to select the devices to be added to the fabric, the control plane and the border nodes for that fabric, as well as a topology. For anyone that's familiar with the APIC-EM topology creator, this is an even prettier version of that.
Here's what you need to understand about the fabric:
- Fabric Edge Node - This is your access layer where endpoints connect to your fabric
- Fabric Border Node - This is the "border" of your fabric going to the big wide world beyond
- Control Plane Node - This tracks the hosts within the fabric
A fabric must have at least one of each to function, and you can have a single device performing more than one role. In order to assign a device a role, it must be provisioned already.
Intermediate devices that don't support the DNA fabric have no role in the operations; they just see the traffic passing through as normal IP traffic and forward it as normal.
By clicking on a device in the topology, you get the following menu:
The options are as follows:
- Add to the Fabric - Adds the device to the Fabric
- Add as CP - Adds it as a Control Plane Node
- Add as a Border - Adds it as a Border Node
- Add as CP + Border - This adds it as both a Border Node and a Control Plane Node (Remember: I did just say that you could have dual types on the same host). If you chose this one, it will ask you to select the routing protocol for communication outside the fabric.
- Enable Guests - This is where you can enable a Guest fabric, select its Virtual Networks, and choose whether or not the device will be the Control Plane Node or Border Node for that Guest.
- View Info - Gives you information on the underlying device type.
Next I'm going to go to the Host Onboarding tab.
On this page, we can see which fabric devices will be associated with the onboarding method we're defining, the IP address pool the devices will receive addresses from, and which virtual network they'll be associated with.
Since I previously created an address pool, I'm going to double click it and associate it with my SecurityDemoLAN virtual network and state that it's for Data, not Voice.
You can also add SSIDs, statically configure ports for groups, voice, and a host of other tasks.
Under the Advanced tab, you can create your multicast pool and select a rendezvous point in the fabric.
So take a step back for a moment and think about this: We just breezed through the provisioning of a network, its services, the network devices, the fabric, created VRFs, microsegmentation through TrustSec policy, and pushed it all out to the devices in a matter of minutes. I'm pretty sure on my best day with all the caffeine in the world, I couldn't configure this stuff as fast and as error-free as someone using this tool. Just think about that for a moment. So going back to what I said about being impressed by this, can you see why I think this is cool?
Of course, there's a lot more great aspects of DNA and I'm probably going to create some blog posts on them once I can actually get my hands on it and lab it up but I wanted to share this with you all so far.
Now that we've taken a look through the three pillars of creating fabrics, sites and policy within DNA Center (Design, Policy, and Provision), let's go back to the main dashboard to take a look through some of the various network tools. If you're familiar with APIC-EM, some of these may seem familiar.
This is how we can configure DNA Center to automatically discover the various network devices in your network. Here you can check CDP or a range of IP addresses.
You can add CLI and SNMP credentials for this discovery job:
Under Advanced, you can choose SSH and/or Telnet and in which order to try first.
Here is an example of a completed Discovery job:
This is where you get a nice run down of your devices in DNA Center as well as the option to add a device, do a bulk import or conduct a filtered search.
This is where you can view the current topology, adjust it or mark changes on your own. It's all drag and drop and color customizations are available.
You can drag up the Device Inventory from the bottom of the screen:
There's an option to change the layout of what is shown for Device Inventory on the right-hand side.
If you click on a specific device in the Inventory, you get information about the IOS version, MAC address, type of device, interface status, etc.
Hiding the Device Inventory, if you click on Legend on the top right corner, you can see the device legend or the topology.
You can save the topology by clicking on the disk icon next to the Legend.
If you click on the three dots next to the disk icon, you will show the topology tools where you can filter layers, colors, etc.
This is where you can import a device image:
Once a golden image or image that you want to deploy is added, you would go back to the Provision menu and select the device. From the drop-down, choose Update OS Image.
Next you will choose the image to upgrade to. Unfortunately, this demo doesn't have any images to update to, but you can see how easy it is to just push out images on the fly when needed.
With that, I'm going to end this post as this is all I have access to at the moment to play around with. I wanted everyone to see some of the cool things we can do with DNA Center including making ISE and TrustSec policies easy to push out as well as turning your campus network into a fabric that operates as a single switch. I'm sure I'll add more on the topic as I get my grubby little hands on more stuff to play with and build my own lab on this.