Well…it’s finally happened, Robb Boyd has handed the controls of the TechWiseTV Workshops over to me! Don’t worry, you still get to hear his dulcet voice on this episode.
That’s not why you’re here, though, you want to know all about Software Defined Access (SD-Access) and in this workshop, you get a great intro to it…complete with live demos and all! Thanks to Shawn Wargo we got to hear all about the technology that goes into SD-Access as well as see the DNA Center GUI live and in action. This particular workshop is an interactive dive into a topic we covered on the TechWiseTV show we did with Shawn and Carl Solder, which you should definitely check out.
At the top of the workshop Shawn points out, SD-Access is all about taking tried and true technology solutions like Campus Fabric and making it even more accessible and easier to use by adding on a controller, which we get with DNA Center. So what we really have is a pristine underlay that does its job, it forwards frames. Then a logical overlay that let’s us automate all sorts of hardware, software, and policy configurations.
Check out the Workshop here: https://engage2demand.cisco.com/LP=6185?dtid=odicdc000016
Check out the slides here: https://www.slideshare.net/robboyd/techwisetv-workshop-softwaredefined-access
DNA Center isn’t just one of those cobbled together GUIs that only acts as a replacement for 50% of CLI, either. It’s a simple to use, maybe even comfortable GUI, if I may be so bold. The idea is to use it to design your network, create policy, and provision configurations. Of course, it can be used for assurance and analytics as well, but this workshop concentrates more on the DESIGN, PROVISION, POLICY aspects.
Design:
- Specify geographic location for devices and policies (even down to the floor plan of a level in a particular building)
- Create IP Pools
- Specify common services like DHCP, DNS, AD
- Specify information for wireless access controllers
Policy:
- Create groups of people and devices
- Create contracts that let things talk
- All drag and drop with information that can be gathered from solutions like Cisco ISE
Provision
- Send intended configurations to the proper devices
- Specify roles of devices (DNA Center: “Is it a border router? Sweet, I’ll tell it to be a border router”)
For a deeper look at SD-Access Check out our aptly named TechWiseTV show “A Deeper Look at SD-Access”
What Does All This Mean?
Now we can have intent based networks in the Enterprise and Campus. We can design and create policy for our networks, and the hardware doesn’t even need to be hooked up yet. Once the hardware is hooked up, we can use pull-down lists and topology views to provision the proper configs. The best part…no matter where my users are connecting (wired, wireless, VPN, remote, on-premises) and no matter what they’re using to connect (tablet, computer, phone, VR headset, XBOX…seriously!) they get the correct policies applied to them. Wait, the actual best part…we network folks don’t have to manage hundreds or thousands of ACLs and firewall rules to get the right security at the right time and it’s so easy to scale.
A huge thanks to Shawn Wargo for the amazing presentation and demo at this workshop, and thanks to the seriously excellent Q&A panelists that worked in overdrive to get everyone’s questions answered. Check out the workshop, the only bad part was we only had an hour. Don’t worry, we’ll do another one!
Q&A
In case you’re curious about some of the questions asked during the Workshop you can go here to see the full list. But here are a few…
Q. Is there any portion of this that focuses on hand-off to the data center?
A. We do hand-off to the data center through the border node in the softw are-defined access (SDA) Fabric.
Q. Identity Services Engine (ISE) policies are actually defined in the Cisco DNA Center? What am I controlling from DNA Center from a security perspective and what am I controlling in ISE?
A. ISE is the policy repository, and the long-term goal is for all policies to be defined through DNA Center. In the initial release there w ill be some setup needed on ISE.
Q. What is Cisco DNA?
A. DNA means Digital Netw ork Architecture. DNA is the umbrella term referencing all the technologies that w e are talking about today.
Q. Is DNA a virtual machine (VM) based system or an appliance?
A. DNA is an appliance.
Q. Is the DNA controller just an application running on the Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) or is it a physically separate server? Do I need both to make this solution work?
A. The DNA Controller is the new term for APIC-EM. DNA Center is the application that runs on the controller that is used to manage the SDA Fabric. Think of the DNA Controller as APIC-EM V2.0. You w ill only need the DNA controller appliance.
Q. Which version of Identity Services Engine (ISE) is required? A. ISE 2.3 is required. Q. Can ISE use Lightweight Directory Access Protocol (LDAP)?
A. Yes. ISE can also use Active Directory, one-time passw ord (OTP) and local.
Q. How does this support multi-venders or legacy environment?
A. Many existing platforms are supported such as Cisco Catalyst 3K, Catalyst 4K, Catalyst 6K, Nexus 7700, ISR 4K, ASR 1K. All the protocols in use are open standard based. It w ill be up to other vendors as to whether they choose to implement those protocols to connect into our solution.
An awesome introduction to the Software Defined Access. Excellent Network Wise !