Day 2. SDA and Cisco DNA Center

CCNA 200-301 Exam Topics

  • Explain the role and function of network components

  • Compare traditional campus device management with Cisco DNA Center enabled device management

Key Topics

Today we review the role Cisco DNA Center plays in the world of software-defined access. To do so, it is necessary to also review Cisco Software-Defined Access (SDA), which provides a new way to build campus networks compared to traditional network design and deployment.

SDA Architecture

SDA uses a controller and application programming interfaces (APIs) to communicate via southbound interfaces (SBIs) with the network infrastructure, as shown in Figure 2-1. Cisco DNA Center is an example of a controller. SBIs include Telnet/SSH, SNMP, NETCONF, and RESTCONF.

Figure 2-1 SDA Architecture with DNA Center

Fabric

The network infrastructure, called the fabric, is divided into two parts:

  • Underlay: This is most closely associated with the physical network. The underlay reveals additional devices and specifies how these devices are connected. Endpoints access the network through the Layer 2 devices. The underlay control plane is responsible for simple forwarding tasks.

  • Overlay: This is where a tunneling protocol, VXLAN in the case of SDA, builds virtual connections between fabric nodes on top of the underlay. (IP Security (IPsec) and Control and Provisioning of Wireless Access Points (CAPWAP) are other examples of tunneling protocols.) The overlay is where policies are specified. It is not concerned with how the devices are physically or logically connected; its job is to abstract those complexities and limitations.

For example, in Figure 2-2 the two switches, SW1 and SW2, dynamically create a VXLAN tunnel in the overlay to carry traffic between the endpoints. The exact path the data takes between the two switches is determined by the underlay’s Layer 2 and Layer 3 processes.

Figure 2-2 Overlay and Underlay

Underlay

The underlay includes the switches, routers, cables, and wireless links used to create the physical network. It also includes the configuration and operation of the underlay to support the work of the overlay network.

The SDA underlay configuration includes the different SDA roles filled by each device. These roles include

  • Fabric edge node: A switch that connects to endpoint devices

  • Fabric border node: A switch that connects to devices outside SDA’s control, such as switches that connect to the WAN routers

  • Fabric control node: A switch that performs special control plane functions for the underlay (it runs LISP, which records which edge node each endpoint sits behind), requiring more CPU and memory

Overlay

Cisco chose the VXLAN protocol to create the tunnels used by SDA. When an SDA endpoint (for example, an end-user computer) sends a data link frame to an SDA edge node, the ingress edge node encapsulates the frame and sends it across a VXLAN tunnel to the egress edge node, as shown in Figure 2-3.

Figure 2-3 VXLAN Tunneling Protocol Operation

The VXLAN tunnel in the overlay works like this:

Step 1. An endpoint sends a frame to its edge node.

Step 2. The ingress edge node encapsulates the whole frame according to the VXLAN tunneling specification.

Step 3. The encapsulated packet is forwarded into the underlay.

Step 4. The other nodes in the underlay forward the packet based only on the outer headers added by the encapsulation; they never look at the original frame.

Step 5. The egress edge node removes the VXLAN encapsulation.

Step 6. The original frame is forwarded to the destination endpoint.

Cisco DNA Center

Cisco DNA Center has two roles:

  • A controller in a network that uses Cisco SDA

  • A network management platform for traditional (non-SDA) network devices

Cisco DNA Center supports several southbound APIs so that the controller can communicate with the devices it manages:

  • Telnet, SSH, and SNMP to support traditional networking devices

  • NETCONF and RESTCONF to support newer devices

Cisco DNA Center and SDA

Cisco DNA Center and SDA make managing policies, such as access control lists (ACLs), much easier. For example, consider the ACL in Figure 2-4. Each number represents a new policy implemented over the life of the ACL.

Figure 2-4 ACEs in an ACL After Six Changes

Determining where to place the new access control entries (ACEs) within the existing ACL can be a complex and risky process. Also, unless an ACL is fully documented, you are never quite sure what effects a new policy will have on existing policies—or even if the existing policy is still valid.

However, with SDA security groups, you can enforce a policy without even thinking about IP address ranges and ACLs. Instead of writing new ACEs each time a policy needs to be implemented, the policy is defined in DNA Center. Then, as needed, DNA Center configures the devices in the fabric to enforce the security, as shown in Figure 2-5.

Figure 2-5 Six Policies Implemented by DNA Center

The SDA policy model solves the challenges with traditional ACLs:

  • Each new security requirement can be considered separately, without analysis of existing ACLs.

  • Each new requirement can be considered without searching for all the ACLs in the likely paths between endpoints and analyzing each and every ACL.

  • DNA Center keeps the policies separate.

  • Each policy can be removed without fear of impacting the logic of the other policies.
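To make the contrast concrete, here is an added Python example (it is not from this book and is not how DNA Center is implemented). It evaluates a constructed six-entry ACL the way a router does, checks it for entries that can never match, and then models the same intent as a table keyed on SGT pairs. The ACEs, addresses and SGT numbers are constructed for illustration.

```python
"""Why SDA's SGT policy model is easier to change safely than an ordered ACL.

Added example (not from the book, not Cisco code). The ACEs, addresses and SGT
numbers are constructed to mirror the six-change ACL of Figure 2-4.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    src: str      # source prefix, CIDR notation
    dst: str      # destination prefix, CIDR notation
    note: str     # the intent behind the entry (rarely recorded on real devices)


def acl_lookup(acl, src_ip, dst_ip):
    """First-match evaluation, as a router walks an ACL; implicit deny at the end.
    Returns (action, index of the matching ACE or None)."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for i, ace in enumerate(acl):
        if s in ip_network(ace.src) and d in ip_network(ace.dst):
            return ace.action, i
    return "deny", None


def shadowed_aces(acl):
    """Indices of ACEs that can never match because an earlier ACE already covers
    every packet they describe. Run this before and after editing a long ACL."""
    shadowed = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if (ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))):
                shadowed.append(i)
                break
    return shadowed


class SgtPolicy:
    """Group-based policy keyed on (source SGT, destination SGT).

    Every cell is independent: adding or removing one never changes how another
    is evaluated, which is the property the ordered ACL lacks."""

    def __init__(self, default="deny"):
        self.default = default
        self.cells = {}

    def add(self, src_sgt, dst_sgt, action):
        self.cells[(src_sgt, dst_sgt)] = action

    def remove(self, src_sgt, dst_sgt):
        self.cells.pop((src_sgt, dst_sgt), None)

    def lookup(self, src_sgt, dst_sgt):
        return self.cells.get((src_sgt, dst_sgt), self.default)


# Constructed ACL: five entries accumulated over time, then a sixth "policy"
# appended at the end without checking what comes before it.
ACL = [
    Ace("permit", "10.1.0.0/16", "10.2.0.0/16", "policy 1: campus users to servers"),
    Ace("deny",   "10.1.0.0/16", "10.3.0.0/24", "policy 2: block users from mgmt"),
    Ace("permit", "10.4.0.0/24", "10.3.0.0/24", "policy 3: admins to mgmt"),
    Ace("permit", "10.1.0.0/16", "0.0.0.0/0",   "policy 4: users to anything else"),
    Ace("deny",   "10.5.0.0/24", "10.2.0.0/16", "policy 5: quarantine to servers"),
    Ace("deny",   "10.1.5.0/24", "10.2.9.0/24", "policy 6: contractors off payroll"),
]


def compare_models():
    """Return the facts worth checking: the appended ACE is dead code in the ACL,
    while the equivalent SGT cell is enforced and can be removed without side effects."""
    acl_result = acl_lookup(ACL, "10.1.5.7", "10.2.9.3")       # hits policy 1, not 6
    fixed = [ACL[5]] + ACL[:5]                                  # move policy 6 to the front
    fixed_result = acl_lookup(fixed, "10.1.5.7", "10.2.9.3")

    pol = SgtPolicy()
    pol.add(10, 20, "permit")   # SGT 10 = users, 20 = servers (constructed numbers)
    pol.add(30, 20, "deny")     # SGT 30 = contractors
    pol.add(10, 40, "deny")     # SGT 40 = management
    pol.remove(10, 40)          # retire one policy; nothing else moves
    return {
        "acl_appended": acl_result,
        "acl_shadowed": shadowed_aces(ACL),
        "acl_reordered": fixed_result,
        "sgt_contractor_to_server": pol.lookup(30, 20),
        "sgt_user_to_server_after_removal": pol.lookup(10, 20),
        "sgt_user_to_mgmt_after_removal": pol.lookup(10, 40),
    }
```

Policy 6, appended at the end, never matches because policy 1 already covers every packet it describes; the shadow check finds that before a packet does. Moving it to the front works here only because it is narrower than everything else, so in general the check has to be rerun after every reorder. In the SGT table, retiring the users-to-management cell leaves the other cells exactly as they were, which is the independence the list above describes.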

To implement policies in SDA, you tie them to security groups. Each security group is identified by a security group tag (SGT). If DNA Center sees a permit action for a source/destination pair of SGTs, it directs the edge nodes to create the VXLAN tunnel. The SGTs for source and destination are added to the VXLAN header, along with the VXLAN IDs (VNIDs), as shown in Figure 2-6.

Figure 2-6 VXLAN Header with SGTs and VNIDs
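The encapsulation of Steps 1 through 6 and the header fields of Figure 2-6, worked through in Python as an added example (it is not from this book and is not Cisco's implementation). The byte layout follows the public VXLAN specification (RFC 7348, UDP port 4789) and the VXLAN Group Policy Option draft, which defines one 16-bit Group Policy ID field that this example uses for the source SGT. The VTEP addresses, MACs, underlay route table and payload are constructed.

```python
"""VXLAN encapsulation in the SDA overlay, and the header fields of Figure 2-6.

Added example; not from the book or from Cisco. Byte layout follows RFC 7348
(VXLAN over UDP port 4789) and draft-smith-vxlan-group-policy, which carries one
16-bit Group Policy ID (used here for the source SGT) in bits 16-31 of the first
header word. Addresses, MACs, routes and payload below are constructed.
"""
import struct
from ipaddress import ip_address, ip_network
from socket import inet_aton, inet_ntoa

VXLAN_PORT = 4789
FLAG_I = 0x08   # VNI field valid; must be set on every VXLAN packet
FLAG_G = 0x80   # Group Policy ID (SGT) field valid


def build_vxlan_header(vni, sgt=None):
    """8-byte header: flags(8) | reserved(8) | group policy id(16) | VNI(24) | reserved(8)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is 24 bits")
    flags, gpid = FLAG_I, 0
    if sgt is not None:
        if not 0 <= sgt <= 0xFFFF:
            raise ValueError("SGT is 16 bits")
        flags, gpid = flags | FLAG_G, sgt
    return struct.pack("!BBHI", flags, 0, gpid, vni << 8)


def parse_vxlan_header(buf):
    """Return (vni, sgt or None, inner frame). Rejects a header without the I bit."""
    flags, _, gpid, word2 = struct.unpack("!BBHI", buf[:8])
    if not flags & FLAG_I:
        raise ValueError("I bit not set")
    return word2 >> 8, (gpid if flags & FLAG_G else None), buf[8:]


def ipv4_checksum(header):
    """RFC 1071 ones-complement sum; returns 0 when run over a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(inner_frame, vni, src_vtep, dst_vtep, sgt=None, src_port=49152):
    """Ingress edge node (Step 2): wrap the endpoint's frame in VXLAN/UDP/IPv4 addressed
    between the two switches' underlay (VTEP) addresses. The outer Ethernet header is
    omitted because the underlay rewrites it at every hop anyway."""
    vxlan = build_vxlan_header(vni, sgt)
    udp_len = 8 + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", src_port, VXLAN_PORT, udp_len, 0)  # zero UDP checksum allowed for VXLAN/IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                     inet_aton(src_vtep), inet_aton(dst_vtep))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + udp + vxlan + inner_frame


def underlay_next_hop(packet, routes):
    """What a transit node does (Step 4): longest-prefix match on the OUTER destination only.
    The inner frame, VNI and SGT are never examined. `routes` maps prefix -> interface."""
    dst = ip_address(inet_ntoa(packet[16:20]))
    best = None
    for prefix, iface in routes.items():
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def decapsulate(packet):
    """Egress edge node (Step 5): validate and strip the outer headers, return the original
    frame plus the overlay metadata (VNI, SGT) the policy engine needs."""
    if len(packet) < 28 or packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 17 or total_len > len(packet):
        raise ValueError("not UDP, or truncated")
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dst_port != VXLAN_PORT or ihl + udp_len != total_len:
        raise ValueError("not a well-formed VXLAN packet")
    vni, sgt, inner = parse_vxlan_header(packet[ihl + 8:total_len])
    return {"outer_src": inet_ntoa(packet[12:16]), "outer_dst": inet_ntoa(packet[16:20]),
            "vni": vni, "sgt": sgt, "inner": inner}


# Constructed endpoint frame: dst MAC, src MAC, EtherType IPv4, dummy payload.
INNER_FRAME = bytes.fromhex("0250569a0002" "0250569a0001" "0800") + b"constructed payload"


def roundtrip(vni=8190, sgt=17):
    """Steps 1-6 end to end: encapsulate at SW1, route in the underlay, decapsulate at SW2."""
    pkt = encapsulate(INNER_FRAME, vni, "10.255.0.1", "10.255.0.2", sgt=sgt)
    routes = {"10.255.0.0/24": "Gi1/0/1", "0.0.0.0/0": "Gi1/0/24"}  # constructed underlay RIB
    info = decapsulate(pkt)
    info["underlay_egress"] = underlay_next_hop(pkt, routes)
    info["overhead_bytes"] = len(pkt) - len(INNER_FRAME)
    return info
```

Two things worth noticing when you run it: the underlay lookup uses nothing but the outer destination, so the VNI and SGT ride through transit nodes untouched, and the egress node is the only place the original frame, VNI and SGT come back together for a policy decision. The outer checksum check is the kind of validation an edge node must do before trusting anything inside the tunnel; a corrupted outer header is rejected rather than silently decapsulated.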

Cisco DNA Center Network Management Platform

Cisco DNA Center supports the expression of intent for multiple use cases, including basic automation capabilities, fabric provisioning, and policy-based segmentation (SGTs) in the enterprise network. Cisco DNA Center is a network management and command center for provisioning and configuring network devices. It is a hardware and software platform that provides a “single pane of glass” (also called a dashboard) that focuses on assurance, analytics, and automation.

The DNA Center interface launch page gives you an overall health summary and network snapshot, as shown in Figure 2-7. From there, a network administrator can quickly drill down into areas of interest.

Figure 2-7 Cisco DNA Center Dashboard

Five menus at the top of the screen provide access to DNA Center’s five main areas:

  • Design: Model your entire network, from sites and buildings to devices and links, both physical and virtual, across campus, branch, WAN, and cloud.

  • Policy: Use policies to automate and simplify network management, reducing cost and risk while speeding rollout of new and enhanced services.

  • Provision: Provide new services to users with ease, speed, and security across the enterprise network, regardless of network size and complexity.

  • Assurance: Use proactive monitoring and insights from the network, devices, and applications to predict problems faster and ensure that policy and configuration changes achieve the business intent and the user experience you want.

  • Platform: Use APIs to integrate with your preferred IT systems to create end-to-end solutions and add support for multivendor devices.

Cisco DNA Center features focus on simplifying the work done by enterprises, with a goal of reducing costs and deployment time. Some of the features unique to Cisco DNA Center include the following:

  • EasyQoS: Enables deployment of quality of service (QoS) with just a few simple choices from Cisco DNA Center.

  • Encrypted Traffic Analysis: Uses machine learning on flow characteristics (packet sizes and timing, and the unencrypted TLS handshake) to recognize security threats in encrypted traffic without decrypting it.

  • Device 360 and Client 360: Give comprehensive (360-degree) views of the health of a network device or a client, respectively.

  • Network Time Travel: Shows past client performance in a timeline for comparison to current behavior.

  • Path Trace: Discovers the actual path that packets would take from source to destination, based on current forwarding tables.

Be sure to search the Internet for Cisco DNA Center demos or tutorials to review this tool before you take the certification exam.

Study Resources

For today’s exam topics, refer to the following resources for more study.

Resource                                          Module or Chapter
Enterprise Networking, Security, and Automation   14
CCNA 200-301 Official Cert Guide, Volume 2        17
