Cisco DNA Center is new network automation software that the company has positioned as the interface for its ambitious intent-based networking (IBN) strategy.
Launched in the summer of 2017, the IBN plan to build an "intuitive network" has several components, including DNA Center, the management dashboard for campus and branch networks.
The plan also includes SD-Access, which uses an identity-centric approach to manage the users and devices that join and operate on the network; the Network Data Platform (NDP) and Assurance, which categorize network traffic data and provide predictive analytics; and Encrypted Traffic Analytics (ETA), which uses traffic metadata to identify threats.
One of the first pieces of this strategy to reach the market is DNA Center controlling SD-Access. DNA Center runs on an on-premises appliance known as the Application Policy Infrastructure Controller - Enterprise Module (APIC-EM), licensed by subscription according to the size of the deployment. (Cisco could offer a cloud-hosted version in the future.)
"When you deploy SD-Access, you're actually creating an overlay network," explains Carl Solder, senior director of technical marketing for enterprise switching at Cisco. There is still a physical network of switches, routers and wireless access points, but DNA Center creates an abstraction layer that allows the entire fabric to be treated as one virtual switch. This fabric can be carved into virtual networks that segment the physical network, each with its own policies managed centrally.
Conventionally, creating and administering these virtual networks has been done with a combination of VPNs, VLANs and segmentation rules. "But applying it consistently through switching, routing and wireless can take some time," says Solder. "The idea is to simplify the whole process by creating virtual networks with a few clicks and applying policies in a coherent way. We express our intention and allow the controller, the DNA Center, to discover how to implement that configuration in all the devices under its control."
When controlling SD-Access, DNA Center has four main components: network design, policy definition, provisioning and assurance. Cisco says this is the promise of its IBN strategy: users express their intent for what they want the network to do, and the software automation platform implements it.
The design portal is where network administrators manage all the settings that apply to new devices added to the network. Users can define sites in DNA Center, for example a head office, a branch or a specific geographic location. In the design portal, users define how equipment should be configured depending on its domain: functions such as setting the host protocol, the domain name, syslog destinations and management protocols are defined here. Then, when a device is deployed to a site, DNA Center automatically takes that site's settings and installs them on the device. "I can define a hierarchy of configurations once and everything under that domain will inherit those configurations," explains Solder.
The design portal is also where device credentials, user names, passwords and IP addresses are managed. DNA Center can be configured to assign IP addresses automatically by integrating with external IP address management (IPAM) systems such as Infoblox.
The design portal also manages device images. Administrators can set golden images and, when new devices are added, DNA Center checks which image each device is running; if it does not match the predefined golden image, DNA Center prompts administrators to update the image.
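The hierarchy-of-settings idea Solder describes, and the golden-image check, are easy to model. The following is an added example written for this article, not Cisco's code or DNA Center's API: a site tree where each level holds only the settings it defines and everything else is inherited from its parent, plus a compliance check that tells an administrator which image a newly onboarded device should be running. The site names, IP addresses and image names (IMAGE-A, IMAGE-B) are constructed placeholders.

```python
# Added example, not Cisco's code: a toy model of a hierarchy of site settings
# with inheritance, plus a golden-image compliance check on onboarding.
# All site names, settings and image names below are constructed placeholders.
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Site:
    name: str
    parent: Optional["Site"] = None
    # Settings defined at this level only; everything else is inherited.
    settings: Dict[str, str] = field(default_factory=dict)

    def resolved_settings(self) -> Dict[str, str]:
        """Walk up the hierarchy; a child's values override its parents'."""
        merged = self.parent.resolved_settings() if self.parent else {}
        merged.update(self.settings)
        return merged

    def path(self) -> str:
        """Slash-separated path from the root, handy in audit logs."""
        if self.parent is None:
            return self.name
        return f"{self.parent.path()}/{self.name}"


def check_golden_image(running_image: str, site: Site) -> Optional[str]:
    """Return the golden image the device should be running if it is
    non-compliant, or None if it matches (or the site defines no golden image)."""
    golden = site.resolved_settings().get("golden_image")
    if golden is not None and running_image != golden:
        return golden
    return None


def onboard(device_name: str, running_image: str, site: Site) -> Dict[str, str]:
    """What a controller would push to a newly deployed device: the site's
    resolved settings, a hostname, and an image action if an upgrade is needed."""
    config = dict(site.resolved_settings())
    config["hostname"] = f"{device_name}.{config.get('domain', 'local')}"
    required = check_golden_image(running_image, site)
    config["image_action"] = f"upgrade to {required}" if required else "none"
    return config


# Constructed hierarchy: global -> hq -> hq-floor3, and global -> branch-east
GLOBAL = Site("global", settings={
    "domain": "corp.example",
    "syslog": "10.0.0.5",
    "golden_image": "IMAGE-A",   # placeholder image name
})
HQ = Site("hq", parent=GLOBAL, settings={"syslog": "10.1.0.5"})
HQ_FLOOR3 = Site("hq-floor3", parent=HQ, settings={"ntp": "ntp.corp.example"})
BRANCH_EAST = Site("branch-east", parent=GLOBAL, settings={"golden_image": "IMAGE-B"})

if __name__ == "__main__":
    # A device running IMAGE-B is compliant at the branch but not under HQ.
    for site in (HQ_FLOOR3, BRANCH_EAST):
        print(site.path(), onboard("sw1", "IMAGE-B", site))
```

Because a site stores only the settings it overrides, changing the syslog server at the HQ level changes it for every floor beneath HQ without touching the global defaults, which is the inheritance behaviour the quote describes.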
Policy management is the real meat of DNA Center. It is the portal where administrators create and manage virtual network profiles. When users or devices are assigned to a virtual network, they are logically confined to it; as a best practice, access to a different virtual network should require passing through a firewall. Similar policy controls could be achieved with a combination of firewalls, MPLS deployments and virtual routing and forwarding (VRF) instances, but deploying them across different kinds of devices (routers, switches and access points) in a distributed environment requires a lot of manual work, says Solder.
Within the fabric, different parts of a company can have their own virtual network segments: one virtual network for employees, another for facilities and a third for external users. DNA Center can create policies that, for example, prevent external users from communicating with the facilities network. Within these virtual network segments, DNA Center also allows more granular micro-segmentation.
Micro-segmentation allows even more granular policy enforcement. For example, within the employee virtual network, the finance team may have different access and usage policies than the marketing team. Solder points out that creating these virtual networks limits the scope of security threats: if ransomware gets into one area of the company, it is logically denied access to the other areas.
This policy management is designed to replace access control lists based on source and destination IP addresses. DNA Center takes an identity-based approach using the Identity Services Engine (ISE), software that must work in conjunction with DNA Center. ISE can be integrated with Active Directory or other identity management platforms to apply identity-based policies within the network. "Whether you're connected to the campus or the branch, by cable or wirelessly, the policy follows [the user]," anywhere in the fabric, explains Solder.
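To make the difference between identity-based segmentation and IP-based ACLs concrete, here is an added example written for this article (not Cisco's, ISE's or DNA Center's code). It models the three ideas from the last few paragraphs: virtual networks that are isolated from each other in the fabric, micro-segmentation rules between groups inside one virtual network, and an identity lookup that binds a user to a segment regardless of the address they connected from. A legacy ACL keyed on a source subnet is included for contrast. The user names, groups, subnets and rules are all constructed placeholders standing in for what an identity store such as ISE or Active Directory would supply.

```python
# Added example, not Cisco's code: a toy model of identity-based segmentation,
# showing why the policy "follows the user" rather than an IP address.
# The identity directory, groups, subnets and rules are constructed placeholders.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Endpoint:
    ip: str
    user: str
    vn: str      # virtual network the identity is assigned to
    group: str   # micro-segmentation group inside that VN


# Constructed identity-to-segment mapping: user -> (VN, group), the kind of
# answer an identity store would give at authentication time.
IDENTITY: Dict[str, Tuple[str, str]] = {
    "alice": ("employees", "finance"),
    "bob": ("employees", "marketing"),
    "fin-srv-1": ("employees", "finance"),
    "hvac-ctrl-1": ("facilities", "building-systems"),
    "contractor-7": ("guests", "external"),
}

# Unknown identities land in a quarantine VN with no peers, so the
# cross-VN default denies them everything.
QUARANTINE = ("quarantine", "unknown")

# Constructed micro-segmentation rules inside a VN: (src_group, dst_group) -> allowed.
# Pairs not listed fall back to DEFAULT_INTRA_VN.
INTRA_VN_RULES: Dict[Tuple[str, str], bool] = {
    ("marketing", "finance"): False,
}
DEFAULT_INTRA_VN = True


def classify(ip: str, user: str) -> Endpoint:
    """Bind an endpoint to a VN and group by identity; the IP address and the
    site it joined from play no part in the decision."""
    vn, group = IDENTITY.get(user, QUARANTINE)
    return Endpoint(ip, user, vn, group)


def evaluate(src: Endpoint, dst: Endpoint) -> Tuple[bool, str]:
    """Decide whether src may talk to dst and say why."""
    if src.vn != dst.vn:
        return False, f"cross-VN {src.vn}->{dst.vn}: denied in the fabric, must traverse a firewall"
    pair = (src.group, dst.group)
    allowed = INTRA_VN_RULES.get(pair, DEFAULT_INTRA_VN)
    origin = "explicit rule" if pair in INTRA_VN_RULES else "VN default"
    verdict = "allowed" if allowed else "denied"
    return allowed, f"intra-VN {src.vn} {src.group}->{dst.group}: {verdict} ({origin})"


# Contrast: a constructed legacy ACL keyed on source subnet. It only "knows"
# finance users by the HQ wired subnet, so the same user on a branch or
# wireless subnet is judged purely by address. Default is deny.
LEGACY_ACL: List[Tuple[str, str, bool]] = [
    ("10.10.1.0/24", "finance-servers", True),
]


def legacy_acl_allows(src_ip: str, dst_tag: str) -> bool:
    addr = ipaddress.ip_address(src_ip)
    for cidr, tag, permit in LEGACY_ACL:
        if tag == dst_tag and addr in ipaddress.ip_network(cidr):
            return permit
    return False


if __name__ == "__main__":
    # alice at HQ and alice roaming to a branch subnet get the same answer
    # from the identity policy, but different answers from the legacy ACL.
    srv = classify("10.10.9.1", "fin-srv-1")
    for ip in ("10.10.1.5", "172.16.5.20"):
        print(ip, evaluate(classify(ip, "alice"), srv), legacy_acl_allows(ip, "finance-servers"))
```

Note that `evaluate` checks VN membership before any group rule, so a guest can never reach the facilities network no matter what intra-VN rules exist; the group rules only refine access between members of the same virtual network, which mirrors the two layers of segmentation described above.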
While the design step ensures that new network infrastructure is configured correctly and the policy step establishes the rules, the provisioning function is where those rules are applied to the devices.
Administrators use drag-and-drop interfaces with color-coded graphics and templates in DNA Center to assign devices to domains and decide which policies will be applied on those devices. As users and devices join the network, the network hardware (routers, switches and access points) uses their identity, obtained through ISE, to enforce those policies.
The final component of DNA Center, assurance, deals with ongoing management of the fabric. It uses software included with DNA Center called the Network Data Platform (NDP), which collects operational data from the network. DNA Center uses this data to create health scores that highlight problem spots in the network, such as an application that is not working properly, a malfunctioning piece of infrastructure or users connecting to the network from unknown devices. DNA Center will even recommend steps to resolve problems.
One of the main differences between managing existing network operations and the new wave of intent-based networking that Cisco has promised is the idea of using software to verify that the policies that have been created are actually applied within the network. Cisco plans to use algorithms to monitor network activity and prove that policies are being enforced. Some of this functionality, such as heat maps, usage statistics and troubleshooting of problem areas, will be available in version 1.1 of DNA Center in January 2018; other aspects are on the future roadmap for DNA Center.