Cisco Digital Network Architecture (DNA) Center Flashcards
Cisco Digital Network Architecture (DNA) Center
a powerful management system that leverages artificial intelligence (AI) to connect, secure, and automate network operations.
DNA Center Benefits
Get the network up and running faster with intelligent and automated provisioning.
Save valuable human capital with automation of routine administrative tasks.
Reduce outages and minimize business impact with AI-driven insights and predictive performance analytics.
Realize efficiencies of business process automation using an integrated Cisco and third-party ecosystem and leveraging the Cisco DNA Center application programming interfaces (APIs).
Deliver optimal user experience with deep insights into application performance and end-users’ application experience.
Secure the digital enterprise with intuitive security policy management, strong AI-driven enforcement, and zero-trust network access.
Help the organization achieve sustainability goals by managing IT energy and enabling smart buildings.
DNA Center Components
These are Cisco DNA Center components:
Design with physical maps and logical topologies.
Policy to define user and device profiles that facilitate highly secure access and network segmentation.
Provisioning for policy-based automation to deliver services to the network.
Assurance to combine deep insights with rich context to deliver a consistent experience and proactively optimize your network.
DNA Center Capabilities
AIOps: AI-driven visibility, observability, insights, and troubleshooting to ensure the health of your users, applications, and infrastructure.
NetOps: Automation to simplify the creation and maintenance of your networks, with the flexibility to move from manual to AI-assisted to selectively autonomous network management.
SecOps: AI-driven security to classify endpoints and enforce security policies for a complete zero-trust workplace solution.
DevOps: Mature APIs, software development kits (SDKs), and closed-loop integrations to simplify and streamline ecosystem integration.
DNA Center NetOps Tools
These are Cisco DNA Center NetOps tools:
Inventory updates, EoX, credential status, port groups
Discovery improvements
Multiple access point (AP) groups and policy tags on the same floor
Granular software upgrade workflow and troubleshooting
CLI template compliance and compliance reports
Return Materials Authorization (RMA) support for modular switches and zero touch fabric RMA
Flexible AP refresh workflow
Enhanced learn device configuration workflow
AP provisioning enhancements
Enhanced User Defined Network (UDN) administration and troubleshooting
6 GHz radio configuration
Historical trends for Cisco DNA license consumption
Intent-Based Networking (IBN)
provides three principal functional building blocks, as shown in the following figure—the capability to capture intent, functions to automate the deployment of the expressed intent throughout the network infrastructure, and the ability to provide assurance that the desired intent is being realized.
IBN Translation
Translation: Translation involves several functions in an intent-based model. One or more operators or groups of operators have the capability to characterize their desired intent, which may take the form of an easy-to-use GUI, an abstracted model (such as Yet Another Next Generation [YANG] or JavaScript Object Notation [JSON]/XML) that is intuitive and related to the business objectives, or even a predefined syntax or language. It can be defined by application developers as part of a continuous integration and delivery process, or in the future, it may even be achieved through text-to-speech expressions, in which operators verbally speak intent, and the intent-based system executes and provides verbal or other feedback. This abstract and business-near expression of what the network should do differentiates an intent-based approach from traditional network architectures.
Another capability of translation is to harmonize the captured intent into a common model-based policy, often with the help of a controller-based architecture. Intent expressed by various input mechanisms, potentially across multiple network domains, is translated into such standard model-based policies—a foundational step to use automation and allow sophisticated consistency and integrity checks to be applied. An important challenge relates to moving from a traditional network deployment to an IBN deployment. In this case, there are already policies in effect in the current network, but the network operator may or may not have a list or full visibility of all the currently deployed policies. Therefore, it is important to perform automatic host discovery and policy discovery to identify the policies in operation, to provide the operator with full visibility of all the running policies for review, and then to activate the desired policies automatically in the IBN deployment.
IBN Activation
Activation: Activation functions ensure that the derived model-based policies are disseminated throughout any of the relevant network domains. The physical or virtual network functions in an IBN can be managed in different operational domains (data center, WAN, branches, campuses) by the same or different operational teams. The orchestration function in an intent-based network allows for the dissemination of model-based policies into the relevant domains—meaning that policies can also be limited in scope to particular parts of the network.
Activation may also employ additional functions to further derive the appropriate device configurations. A domain controller can correlate the information about the network elements, their capabilities, and the topology. Additional checks for consistency at the configuration level may also be applied before programming the network elements using standards-based APIs, such as Network Configuration Protocol (NETCONF), YANG, or Representational State Transfer (REST).
IBN Assurance
Assurance: Assurance is a critical function of intent-based networking. It uses contextual analysis of data to provide validation that the intent has been applied as intended, and also continuously verifies that the desired outcomes are actually being achieved.
IBN Assurance Aspects
Continuous verification: Continuously verify the IBN system behavior before, during, and after deployment. Check that the system behavior is aligned to the expressed intent at any point in time. This capability requires ongoing observation of the network element states and events. Intent-based telemetry data specifically measures the performance of the expressed intent and is continuously collected and reported to the IBN assurance functions. Assurance algorithms, ranging from formal mathematical models to approaches based on telemetry and machine learning, guarantee that the network state and behavior are coherent with the desired intent at both the domain and cross-domain levels.
Insights and visibility: Derive insights based on analytics—correlate events and apply machine learning and artificial intelligence for validation, understanding, and prediction. In addition to verifying the current network state and its alignment with the expressed intent, assurance functions can derive more sophisticated insights and visibility into the behavior of an intent-based network. For example, they might predict violations of the expressed intent prior to changes being applied, understand or forecast trends, identify anomalies, and predict and validate system-level network performance.
Corrective actions: Apply a closed-loop cycle to realize corrective action and optimization. Anomalies, violations, and simple out-of-SLA situations that are detected can be programmatically fixed, leveraging the activation building block to create a systemwide adjustment. An intent-based network thus enables a mechanism to automate the remediation of any intent-based policy violations or to allow continuous optimizations to be automated to guarantee that the expressed intent is realized by the network. Note that, depending on the policy, the actions may be automatically executed or may be provided to the operator as recommendations, in which case the operator decides on execution.
DNA Center Design Workflow
The following is the suggested workflow for Cisco DNA Center design:
Create a hierarchy that consists of areas, buildings, and floors.
Define global network settings, for example, authentication, authorization, and accounting (AAA), DHCP, DNS, and Network Time Protocol (NTP).
Define the “golden image” to ensure consistency in your network.
Create templates to automate applying commonly used configuration to the devices.
Define network profiles to apply the templates to the devices.
Assign devices to specific locations, for example, a building.
Network Hierarchy Elements
Areas or sites do not have a physical address, such as the United States. You can think of areas as the largest element. Areas can contain buildings and subareas. For example, an area that is called United States can contain a subarea that is called California, and the subarea California can contain a subarea that is called San Jose.
Buildings have a physical address and contain floors and floor plans. When you create a building, you must specify a physical address, and latitude and longitude coordinates. Buildings cannot contain areas. By creating buildings, settings can be applied to a specific area.
Floors are within buildings and consist of cubicles, walled offices, wiring closets, and so on. You can add floors only to buildings.
By default, there is one site that is called “Global,” but more sites, buildings, and areas can be added to the network hierarchy.
DNA AAA
For AAA services, Cisco ISE or any other AAA servers can be added to perform network, client, and endpoint authentication:
Both RADIUS and TACACS are supported for network authentication.
Only RADIUS is supported for client authentication.
Only one Cisco ISE deployment is supported per Cisco DNA Center.
DNA Center - NetOps - Network Settings: Override Global Servers
Adding a common set of servers to Cisco DNA Center results in the default settings for the entire network.
There are two primary areas from which you can define the settings within your network:
Global settings: Settings that are defined in global settings affect your entire network.
Site settings: Settings that are defined in site settings override the global settings and are applied to the site only. All sublevel sites are also affected.
Each site inherits the settings from the level above. Inherited settings can be overridden at any level, providing flexibility in the network design.
The inheritance logo indicates that the setting is inherited. If the logo is not present, the setting is overridden.
DNA Center - NetOps - Network Settings: Device Credentials
Device credentials refer to the CLI, Simple Network Management Protocol (SNMP), and HTTPS credentials that are configured on network devices.
Cisco DNA Center uses these credentials to either discover or collect information about the devices in your network:
CLI credentials must be preconfigured on the network device and must match the credentials in Cisco DNA Center.
SNMP credentials can be populated to the network device once the device is added to the Cisco DNA Center.
HTTPS credentials are used to discover Cisco Enterprise Network Functions Virtualization Infrastructure Software (NFVIS) devices only.
DNA Center - NetOps - SWIM Overview
The image repository for Software Image Management (SWIM) is also part of the design application. It allows network operators to standardize software images across the organization and create a software image compliance policy based on the network device role, the site, or a combination of both. SWIM can be used as part of the Day-N monitoring and upgrading tool, or for Day-0 device onboarding.
Cisco DNA Center stores all of the software images, Software Maintenance Updates (SMUs), subpackages, and ROM monitor images for the devices in your network. You can view, import, and delete software images, and provision them to the devices in your network.
The Integrity Verification application monitors software images that are stored in Cisco DNA Center for unexpected changes or invalid values that could indicate that your devices are compromised. When importing an image, the system compares its software and hardware platform checksum values to the values identified for the platform in the Known Good Values (KGV) file to ensure that they match. Cisco produces and publishes a KGV data file that contains KGVs for many of its products.
Cisco DNA Center allows you to designate software images and SMUs as golden. A golden software image or SMU is a validated image that meets the compliance requirements for a particular device type. Designating a software image or SMU as golden standardizes the image and saves you time by eliminating the need to make repetitive configuration changes, and also ensures consistency across your devices. You can also specify a golden image for a specific device role (all, access, border router, core, distribution, and unknown).
A software image can be added to Cisco DNA Center in these ways:
Uploading it from the local repository.
Downloading it from the Cisco website or any other third-party site.
DNA Center - NetOps - Template Editor
Cisco DNA Center provides an interactive editor that is called Template Editor to author CLI templates. Template Editor is a centralized CLI management tool that you can use to design and build generic configurations and apply the configurations to one or more devices in a given site.
Template Editor provides the following options:
Create, edit, and delete templates
Validate errors in the template
Simulate the templates
Version control the templates for tracking purposes
Add interactive commands, variables, and macros to the configuration
The templates are based on the Apache Velocity template engine.
DNA Center - NetOps - Network Profiles
The Network Profiles function allows you to use Day-0 or Day-N templates for configuring the network devices that are attached to the profile.
There are different types of network profiles for the following device families. The available options depend on the version of Cisco DNA Center you are using:
Assurance
Firewall
Routing
Switching
Telemetry Appliance
Wireless
Cisco DNA Center SecOps tools
These are Cisco DNA Center SecOps tools:
IP-based endpoint classification.
Extended node onboarding with Essentials license.
Talos integration to detect connections to low-reputation sites.
Allowed Access Point List is now shown on the Rogue and aWIPS Dashboard.
Cisco Network PnP
The Cisco Network PnP solution includes the following components:
PnP agent: This agent is embedded in Cisco devices and communicates to the Cisco Network PnP application by using the open PnP protocol over HTTPS during device deployments. The PnP agent, which is using DHCP, DNS, or other such methods, tries to acquire the IP address of the PnP server with which it wants to communicate. After a server is found and a connection is established, the agent communicates with the PnP server to perform deployment-related activities.
PnP server: The Cisco PnP server is a central server that encodes the logic of managing and distributing deployment information (images and configurations) for the devices being deployed. The PnP server communicates with the PnP agent on the device by using the PnP protocol. Cisco DNA Center is the software-defined networking (SDN) Controller from Cisco and is meant for enterprise networks (access, campus, WAN, and wireless). The platform hosts multiple applications (SDN applications) that use open northbound REST APIs and drive core network automation solutions. The platform also supports several southbound protocols that enable it to communicate with various network devices, which customers already have in place, and extend SDN benefits to both greenfield and brownfield environments.
PnP protocol: The PnP protocol defines the transport bindings and schemas for various messages that get exchanged between the PnP agent and the PnP server over HTTPS.
SWIM Automation
Intent-based network upgrades: Allow for image standardization, which is much desired by all network administrators.
Upgrade pre- and post-checks: Allow network administrators control and visibility over network upgrades.
Patching support: Patches are maintained the same way regular images are managed to maintain operational consistency across the fabric.
Policy-Based Automation
There are three types of policies in Cisco Software-Defined Access (SD-Access):
Access control policy: to configure who can access what. This policy includes permit and deny rules for group-to-group access.
Application policy: to configure how to treat traffic. This policy includes quality of service (QoS) and application caching.
Traffic copy policy: to configure which traffic is to be monitored. You can enable Switched Port Analyzer (SPAN) services for specific groups or traffic.
Cisco DNA Center—AIOps Overview
Cisco has a strategy to help customers connect, secure, and automate agile networks to accelerate the digital transformation of their environment. Integrated Cisco DNA Platform Suite securely connects people to people, people to applications, and devices to applications.
This is accomplished with AI-driven visibility, observability, and insights to ensure the health of users, applications, and infrastructure. AIOps with the Cisco DNA Center utilizes industry-leading Cisco AI network analytics with machine learning, machine reasoning, and visual analytics to eliminate excess noise, quickly identify issues, and remediate problems faster. This new agile approach of integrating AIOps, NetOps, SecOps, and DevOps personas evolves IT into a competitive advantage.
Cisco DNA Center AIOps characteristics
Enables visibility of the entire network through multiple lenses, such as geography, hierarchy, and topology, as well as at the site, building, and floor levels.
Provides observability of device health, client health, and application health utilizing Key Performance Indicators (KPIs), which enables AI-driven issue identification and AI-driven root cause analysis. Cisco DNA Center combined with the Machine Reasoning Engine (MRE) is like having 30 years of Cisco experience at hand.
Delivers insights on trends and changes in the environment over time and creates system-generated issues to proactively identify abnormal behavior.