Tuesday, 19 December 2017

Inside Cisco’s DNA Center – The Dashboard For Intent-Based Networking

Intent-based networking is Cisco's big push for the future of network management. Here is a preview of DNA Center, Cisco's IBN software.

The Cisco DNA Center is a new network automation software that the company has positioned as the interface for its ambitious intent-based network (IBN) strategy.

Launched in the summer of 2017, Cisco's IBN plan to build an "intuitive network" has a variety of components, including DNA Center, the provisioning dashboard for managing campus and branch networks.

The plan also includes SD-Access, which uses an identity-centric approach to manage users and devices that enter and operate the network; Network Data Platform (NDP) and Assurance, which will categorize network traffic data and provide predictive analytics; and Encrypted Traffic Analytics (ETA), which uses traffic metadata to identify threats.

One of the first pieces of this strategy to reach the market is DNA Center controlling SD-Access. DNA Center runs on an on-premises appliance at the customer site, known as the Application Policy Infrastructure Controller - Enterprise Module (APIC-EM), and is paid for through a subscription priced by the size of the deployment. (Cisco could offer a cloud-hosted version in the future.)

"When you deploy SD-Access, you're actually creating an overlay network," explains Carl Solder, senior director of technical marketing for Cisco's switching business. There is still a physical network composed of switches, routers and wireless access points, but DNA Center creates an abstraction layer that allows the entire fabric to be treated as one virtual switch. This fabric can be manipulated to create virtual networks that segment the network, each with its own policies that are managed centrally.

Conventionally, creating and administering these virtual networks has been done with a combination of VPNs, VLANs and segmentation rules. "But applying it consistently through switching, routing and wireless can take some time," says Solder. "The idea is to simplify the whole process by creating virtual networks with a few clicks and applying policies in a coherent way. We express our intention and allow the controller, the DNA Center, to discover how to implement that configuration in all the devices under its control."

When controlling SD-Access, DNA Center has four main components: network design, policy establishment, policy provisioning and policy assurance. Cisco says this is the promise of its IBN strategy: users express their intent, what they want the network to do, and the software automation platform implements it.

Design

This is where network administrators manage all the settings that apply to new devices joining the network. Users can define sites in DNA Center, for example a head office, a branch, or a specific geographic location. In the design portal, users define how equipment should be configured depending on its domain. Functions such as setting host protocols, setting the domain name, setting syslog destinations and configuring management protocols are defined here. Then, when a device is deployed to a site, DNA Center automatically takes the settings for that site and installs them on the device. "I can define a hierarchy of configurations once and everything under that domain will inherit those configurations," explains Solder.

Hardware credentials, user names, passwords and IP addresses are also managed here. DNA Center can be configured to assign IP addresses automatically by integrating with external IP address management (IPAM) systems such as Infoblox.

The design portal also manages device images. Administrators can set golden images and, when new devices are added, DNA Center will check which image each one is running; if it does not match the predefined golden image, DNA Center will prompt administrators to update the image.
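A small model of the design step described above (site-hierarchy inheritance and the golden-image check), added here as an illustration; it is not DNA Center's own code or API, and every site name, setting and image version in it is constructed sample data:

```python
# Added example, not DNA Center's own code: settings declared at one level of the site
# hierarchy are inherited by every site beneath it (a child may override), and a golden
# image declared per platform is checked against what a newly onboarded device reports.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Site:
    name: str
    parent: Optional["Site"] = None
    settings: dict = field(default_factory=dict)       # e.g. {"syslog": "10.0.0.5"}
    golden_images: dict = field(default_factory=dict)  # platform -> image version

    def lineage(self) -> list:  # sites from the root down to this one
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain[::-1]

    def effective_settings(self) -> dict:
        """Merge root first, leaf last, so deeper sites override their ancestors."""
        merged = {}
        for site in self.lineage():
            merged.update(site.settings)
        return merged

    def golden_image(self, platform: str) -> Optional[str]:  # nearest declaration wins
        for site in reversed(self.lineage()):
            if platform in site.golden_images:
                return site.golden_images[platform]
        return None

def onboard(device: dict, site: Site) -> dict:
    """Config that would be pushed to a device joining `site`, plus an image verdict."""
    wanted, running = site.golden_image(device["platform"]), device["image"]
    if wanted is None:
        verdict = "no golden image defined"
    elif running == wanted:
        verdict = "compliant"
    else:
        verdict = f"upgrade required: {running} -> {wanted}"
    return {"config": site.effective_settings(), "image_check": verdict}

# Constructed hierarchy: global -> australia -> sydney-branch
GLOBAL = Site("global", settings={"domain": "corp.example", "syslog": "10.0.0.5", "ntp": "10.0.0.6"}, golden_images={"switch-A": "img-1.2"})
AU = Site("australia", GLOBAL, settings={"ntp": "10.20.0.6"})
SYDNEY = Site("sydney-branch", AU, settings={"syslog": "10.20.1.5"}, golden_images={"switch-A": "img-1.3"})
```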

Policy

Policy management is the real meat of DNA Center. It is the portal where administrators create and manage virtual network profiles. When users or devices are assigned to a virtual network, they are logically confined to it. Access to a different virtual network should, as a best practice, require passing through a firewall. Similar policy controls could be achieved using a combination of firewalls, MPLS deployments and VRFs (virtual routing and forwarding instances). However, deploying them to different kinds of devices (routers, switches and access points) in a distributed environment requires a lot of manual work, says Solder.

Within these virtual networks, DNA Center also allows more granular micro-segmentation. At the top level, for example, different groups within a company can have their own virtual networks: one for employees, another for facilities and a third for external users. DNA Center can then create policies that, for example, prevent external users from communicating with the facilities network.

Micro-segmentation allows for even more granular policy application. For example, within the employees' virtual network, the finance team may have different access and usage policies than the marketing team. Solder points out that creating these virtual networks limits the scope of security threats: if a ransomware attack enters one area of the company, it is logically denied access to the other areas.

This policy management is designed to replace access control lists based on source and destination IP addresses. DNA Center takes an identity-based approach using the Identity Services Engine (ISE), software that must run alongside DNA Center. ISE can be integrated with Active Directory or other identity management platforms to apply identity-based policies within the network. "Whether you're connected to the campus or the branch, by cable or wirelessly, the policy follows (the user)," anywhere in the fabric, explains Solder.
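A toy evaluator for the two policy layers described in this section (virtual-network isolation plus group-based micro-segmentation, with identity rather than IP address deciding the verdict), added here as an illustration; it is not DNA Center's or ISE's own code, and the endpoint names, groups and policy entries are constructed:

```python
# Added example, not DNA Center's or ISE's code: virtual networks (VNs) isolate everything
# inside them, so crossing a VN boundary is denied unless the flow is steered through a
# firewall; inside a VN, group-based micro-segmentation decides who may talk. Identity comes
# from an ISE-like lookup, so verdicts do not depend on IP address or wired/wireless access.
from typing import NamedTuple

class Identity(NamedTuple):
    vn: str     # virtual network the endpoint was placed in
    group: str  # micro-segmentation group (constructed names)

# Constructed identity store standing in for ISE backed by Active Directory
IDENTITIES = {
    "alice": Identity("employees", "finance"),
    "bob": Identity("employees", "marketing"),
    "fin-share": Identity("employees", "finance-servers"),
    "mkt-share": Identity("employees", "marketing-servers"),
    "badge-reader-7": Identity("facilities", "access-control"),
    "guest-42": Identity("external", "guest"),
}

# Intra-VN micro-segmentation: only these (source group, destination group) pairs are
# permitted; anything not listed is denied (least privilege by default).
ALLOWED_GROUP_PAIRS = {
    ("finance", "finance-servers"),
    ("marketing", "marketing-servers"),
}

# VN pairs that may cross, and only through an inspected firewall path (directional)
FIREWALLED_VN_PAIRS = {("employees", "facilities")}

def evaluate(src: str, dst: str, via_firewall: bool = False) -> str:
    """Verdict for a flow between two named endpoints: 'permit...' or 'deny: reason'."""
    s, d = IDENTITIES.get(src), IDENTITIES.get(dst)
    if s is None or d is None:
        return "deny: unknown identity"
    if s.vn != d.vn:
        if (s.vn, d.vn) in FIREWALLED_VN_PAIRS and via_firewall:
            return "permit: inter-VN via firewall"
        return "deny: virtual networks are isolated"
    if (s.group, d.group) not in ALLOWED_GROUP_PAIRS:
        return "deny: micro-segmentation"
    return "permit"

def blast_radius(src: str) -> set:
    """Endpoints a compromised `src` could reach directly, without a firewall path."""
    return {d for d in IDENTITIES if d != src and evaluate(src, d) == "permit"}
```

`blast_radius` makes the ransomware point concrete: an infected guest endpoint reaches nothing, and an infected finance laptop reaches only the finance servers.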

Provisioning

While the design step ensures that new network infrastructure is configured correctly and the policy step establishes the rules, the provisioning function is where those rules are actually implemented.

Administrators use drag-and-drop interfaces with color-coded graphics and templates in DNA Center to assign devices to domains and to decide which policies will be applied on those devices. As users and devices join the network, the network hardware (routers, switches and access points) uses their identity, obtained through ISE, to enforce these policies.

Assurance

The final component of DNA Center, assurance, deals with the ongoing management of the fabric. The assurance component uses software bundled with DNA Center called the Network Data Platform (NDP), which collects operational data from the network. DNA Center uses this information to compute health scores that highlight problem points within the network, such as an application that is not working properly, an infrastructure malfunction, or users connecting to the network from unknown devices. DNA Center will even recommend steps to resolve problems.

One of the main differences between managing existing network operations and the new wave of intent-based networking that Cisco has promised is the idea of using software to verify that the policies that have been created are applied correctly within the network. Cisco plans to use algorithms to monitor network activity and prove that policies are being enforced. Some of this functionality, such as heat maps, usage statistics and troubleshooting of problem areas, will be available in version 1.1 of DNA Center in January 2018; other aspects are on the future roadmap for DNA Center.

Monday, 6 November 2017

Cisco 642-999 Question Answer

Which statement is true concerning port personalities on the Cisco Unified Computing System 62XX Fabric Interconnect?

A. Fibre Channel uplink ports must operate in Fibre Channel switching mode.
B. The fabric interconnects use native FCoE storage ports to directly attach to the SAN infrastructure.
C. By default, all Fibre Channel ports are unconfigured.
D. The Fibre Channel uplink ports do not support VSAN trunking and Fibre Channel port channels.
F. The Fibre Channel storage ports support VSAN trunking and Fibre Channel port channels.

Answer: C

Tuesday, 18 April 2017

Cisco 642-999 Question Answer

Which two are true with respect to the switching modes on the Cisco Unified Computing System 62XX Fabric Interconnect? (Choose two.)

A. End-host mode presents a link to a northbound uplink switch as a host trunk with loop detection that is provided by STP.
B. For northbound traffic, server MAC addresses are statically pinned to an uplink; the return path is controlled by the unified fabric switches.
C. A fabric interconnect port in Ethernet switching mode appears to the uplink switch as a host with many MAC addresses.
D. Server-to-server traffic on a common VLAN is locally switched by the fabric interconnect and not the northbound switches.
E. A MAC forwarding table is not used to forward traffic to the uplink switch.
F. A MAC address forwarding table is maintained for server-to-server communications across VLANs.

Answer: D, E

Friday, 26 August 2016

Pass4sure 642-999 Question Answer

Which two are true with respect to the unified ports on the Cisco Unified Computing System 62XX Fabric Interconnect? (Choose two.)

A. The port mode is automatically discovered after plugging in a LAN or Fibre Channel-attached cable.
B. By default, unified ports that are changed to Ethernet port mode are set to uplink Ethernet port type.
C. Ethernet ports must be grouped together in a block and must start with the first port and end with an odd numbered port.
D. Alternating Ethernet and Fibre Channel ports is supported on the expansion module.
E. After making port mode changes on an expansion module, the module will reboot.
F. In a standalone configuration, making port mode changes to the fixed module will not cause the fabric interconnect to reboot.

Answer: C, E

Monday, 11 July 2016

Pass4sure 642-999 Question Answer

Which NIC redundancy modes allow the LOMs to be discovered by the operating system or hypervisor?

A. Dedicated mode
B. Active/Active
C. Active/Standby
D. Cisco Card Mode

Answer: A

Tuesday, 7 June 2016

Cisco: Global IP Traffic to Triple by 2020, Led by Video, Smartphones, more

More than 1 billion new Internet users and 10 million new devices and connections will push global IP traffic to triple in the next five years, according to Cisco's annual Visual Networking Index (VNI).

The drivers behind the growing numbers, measured in petabytes, exabytes and beyond: the Internet of Things, gaming and smartphones.

And video plays the starring role.

"It would take more than 5 million years to watch the amount of video that will cross global IP networks every month in 2020," the Cisco report says.

Video will account for 82 percent of all IP traffic in five years, up from 70 percent in 2015, and Internet video gaming traffic will grow sevenfold, according to the VNI.

More on video, to complete the picture: in 2015, Internet video surveillance traffic nearly doubled, virtual reality traffic nearly quadrupled, and Internet video to TV grew 50 percent. All of these numbers are expected to keep going nowhere but up, including a tenfold increase in video surveillance traffic by 2020.

All this growth comes with consequences, including security concerns. The frequency of Distributed Denial of Service (DDoS) attacks has risen 2.5 times over the past three years, according to the VNI, and attacks are projected to rise from 6.6 million to 17 million in the next five years; the VNI includes these numbers for the first time, produced in conjunction with Arbor Networks.

Some other notable tidbits from the report:

  • By 2020, smartphones will account for 30 percent of total IP traffic, and PCs for 29 percent.
  • Online gaming will be the fastest-growing residential Internet service, growing from 1.1 billion users in 2015 to 1.4 billion in 2020.
  • Global average broadband speed will rise from 24.7 Mbps in 2015 to 47.7 Mbps in 2020.

Finally, turning to the total global IP traffic forecast for 2020 mentioned at the start of this post: that number is expected to reach 1.1 zettabytes by the end of 2016 and 2.3 zettabytes in 2020.

The Cisco VNI draws on thousands of sources, including analysts, in addition to Cisco's own estimates, forecasts and direct data collection.

Friday, 6 May 2016

Telstra Unveils Cisco SD-WAN Solution

Telstra's new SD-WAN service, delivered in partnership with Cisco, routes application traffic along the best available network pathway.

Telstra has announced its new Cisco technology-powered software-defined wide-area network (SD-WAN) solution, aimed at providing a more secure and cost-efficient service.

The telco's hybrid SD-WAN service is available worldwide, and enables a more efficient and flexible end-to-end solution by selecting the highest-performing transport path available for application traffic routing.

"The proliferation of media-rich applications and the increased number of connected devices is causing huge demand for bandwidth across wide-area networks," said Jim Clarke, head of International Marketing, Products and Pricing at Telstra.

"Hybrid services such as Telstra's SD-WAN offering allow traffic to be routed based on the application profile over multiple networks, including private MPLS and the public internet. This gives organisations greater flexibility to deal with increased traffic, and means their WANs can be more cost effective, without compromising on application performance or availability.

"Most importantly, it ensures that any traffic routed over the public internet remains highly secure incorporating VPN, firewall, and network segmentation features."

Cisco, which has a long-standing cloud, communications, and collaboration partnership with Telstra, said the new SD-WAN solution will enable enterprises to accelerate their digitisation with a software-driven, open architecture.

"Powered by Cisco's IWAN solution, Telstra's new SD-WAN suite gives enterprises the intelligence to innovate faster, reduce costs, and lower risk," said Jeff Reed, senior vice president of Cisco's Enterprise Infrastructure and Solutions Group.

"We are thrilled to enable this market-leading solution to customers in Asia."

According to Clarke, the new SD-WAN solution will leverage the three products unveiled by the two companies earlier this year, as well as Telstra's PEN Platform.

"This new service also complements our other dynamic network solutions -- including PEN Platform, Internet VPN, Data Centre Interconnect, and Cloud Gateway Protection -- and brings us a step closer to our vision of providing dynamic networks for complete customer control," Clarke said on Wednesday.

In March, Telstra and Cisco announced their three SDN and network function virtualisation (NFV) products to improve cloud security and global datacentre interconnection: Cloud Gateway Protection, Internet VPN, and Data Centre Interconnect.

Cloud Gateway Protection is a virtual security application designed to secure cloud services, internet access, and Next IP networks against cyber attacks and unauthorised access, while Internet VPN provides a secure and encrypted office network over public internet for businesses to use across several sites and by mobile workers.

Data Centre Interconnect, the third product, extended Telstra's SDN PEN1 global datacentre interconnection product through the addition of Australian points of presence. Through PEN1, business customers can directly set up and configure links between overseas and domestic datacentres on flexible contracts.

According to the two companies, these three products were designed to "transform" and "revolutionise" the use and function of cloud and managed services.

Connecting and housing the three new products is Telstra's "single, self-service portal with on-demand functionality".

Telstra in January also unveiled two additional functions for its SDN PEN Platform, allowing customers to procure virtual network functions and make digital partnerships on demand.

The first of the two new SDN services, called PEN Exchange, enabled customers to connect their network services with those of other PEN customers.

The second of the SDN service enhancements was PEN Marketplace, a basic online hub through which organisations can order NFV equipment in real-time, including routers and firewalls, with a choice of several vendors.