Cisco’s DNA Center is a new network automation software that the company has positioned as the interface for its ambitious intent-based networking (IBN) strategy.
Launched in the summer of 2017, the IBN plan to build an intuitive network has a variety of components that include DNA Center, which is the provisioning dashboard for managing the campus and branch networks.
The plan also includes SD-Access, which uses an identity-centric approach to manage users and devices coming onto and operating in the network; Network Data Platform (NDP) and Assurance, which will categorize network traffic data and provide predictive analytics; and Encrypted Traffic Analytics (ETA), which uses traffic metadata to identify threats.
One of the first aspects of this strategy that has come to market is DNA Center for controlling SD-Access. DNA Center runs on a customer-premises appliance known as Application Policy Infrastructure Controller – Enterprise Module (APIC-EM) that is paid for it via subscription based on the size of the deployment. (Cisco could offer a cloud-hosted version in the future.)
“When you implement SD-Access you are in effect creating an overlay network,” explains Carl Solder, senior director of enterprise switching technical marketing at Cisco. There is still the physical network made of switches, routers and wireless access points, but DNA Center creates an abstraction layer that allows the entire fabric to be treated as a virtual switch. This fabric can be manipulated to create virtual networks that segment the network and each have specific policies that are centrally managed.
Conventionally, creating and managing these virtual networks has been done using a combination of VPNs, vLANS and segmentation rules. “But to apply that consistently across switching, routing and wireless can take some time,” Solder says. “The idea is to simplify that whole process by creating virtual networks in a few clicks and having policies applied consistently. We express our intent and let the controller – DNA Center – figure out how to deploy that configuration across all of the devices under its control.”
The welcome screen of Cisco’s DNA Center, the software interface for managing a software-defined access(SD-Access) intent-based network
In controlling SD-Access, DNA Center has four main components: Designing the network, setting policy, provisioning the policy and assuring polices are enforced. Cisco says this is the promise of its IBN strategy: Users express their intent of what they want the network to do, and the software automation platform implements it.
This is where network administrators manage all of the settings that are applied to new devices onboarded into the network. Users are able to define sites in DNA Center – for example, a headquarters or branch, or a specific geo location. In the design portal, users define how equipment should be configured, depending on its domain. Funcgtions such as establishing a host protocol, setting the domain name, establishing syslog files and configuring management protocols are all defined here. Then, when a device is deployed at a site, DNA Center automatically grabs the configuration settings for that site and installs them on the device. “I can define a hierarchy of settings once and everything underneath that domain will inherit those settings,” Solder explains.
Hardware credentials, user names, passwords and IP addresses are all managed here. DNA Center can be set to automatically assign IP addresses by integrating with external IP address managers like Infoblox.
The design portal also manages device images. Administrators can set golden images and when new devices are onboarded, DNA Center will check what images it is running and if it does not match with the pre-defined golden image it will prompt administrators to update the image.
Policy management is the real meat of DNA Center. It’s the portal where administrators create and manage profiles of virtual networks. When users or devices are assigned to one virtual network, they are logically confined to it. Accessing a different virtual network should, in best practice, require going through a firewall. Similar policy controls could be executed using a combination of firewalls, MPLS deployments and virtual reference stations. However, implementing them across different classes of devices – routers, switches and access points – in a distributed environment takes a lot of manual labor, Solder says.
Within these virtual network segments, DNA Center allows for even more granular microsegmentation. So, for example, different teams within an enterprise may have their own virtual network segments – a virtual network for employees, another for facilities and a third for external users. DNA Center can create policies that prevent external users from communicating with the facilities network, for example.
Microsegmentation allows for even more granular policy enforcement. For instance, within the employee virtual network the finance team may have different access and usage policies than the marketing team. Solder notes that creating these virtual networks limits the scope of security threats – if a ransomware attack gets into one area of the enterprise, it's logically denied access into other areas.
This policy management is designed to replace access-control lists based on IP addresses and source IPs. DNA Center takes an identity-based approach using what is called an Identity Services Engine (ISE), software that’s meant to run alongside DNA Center. It can integrate with Active Directory or other identity management platforms to enforce identity-based policies within the network. “Whether you’re connected in the campus or the branch, wired or wirelessly, the policy follows (the user),” anywhere in the fabric, Solder explains.
While the design step ensures new network infrastructure is properly configured and the policy step establishes rules, the provision function is where those rules get implemented.
Administrators use graphic-based drag-and-drop interfaces and color-coded templates in DNA Center to manage which devices should be specific to which domain, and what policies will be enforced on those devices. As users and devices join the network, hardware equipment – the routers, switches and access points – uses their identity, through ISE, to enforce these policies.
The final component of DNA Center - assurance - deals with ongoing management of the fabric. The assurance component uses software that's bundled with DNA Center named the Network Data Platform (NDP), which collects network operation data. DNA Center uses this information to create health scores that show trouble spots within the network – such as an app not performing correctly, a piece of infrastructure malfunctioning, or users connecting to the network on unfamiliar devices. DNA Center will even recommend some trouble-shooting steps.
One of the key differences between existing network operations management and the new wave of intent based networking that Cisco has promised is the idea of using software to ensure that policies that have been created are correctly being enforced within the network. Cisco plans to use algorithms to monitor network activity and prove policies are being enforced. Some of that functionality – such as heat maps, usage statistics and trouble-shooting of problem areas – will be available in the 1.1 release of DNA Center in January 2018; other aspects are on future roadmaps for DNA Center.