Cisco DNA Architecture … Part 2

Now that the higher-level architectural principles behind Cisco Digital Network Architecture are clear, this blog provides an overview of the main architectural components, i.e. Cisco DNA infrastructure, automation, analytics, and cloud integration.

The building blocks of Cisco DNA are shown in the figure below, which illustrates how the principles of openness, extensibility, programmability, software-driven design, policy-based networking, security, and cloud integration (all discussed in the previous blog) shape the overall architecture. This blog explains how these components interact to deliver the requirements outlined in the previous blog, “Value Proposition for Cisco DNA”. Let’s look at each of these blocks in more detail.

Infrastructure

The infrastructure component in Cisco DNA represents all those functions that participate in carrying network traffic between users, devices, and applications. This piece of the network is built with traditional data plane and control plane functions needed to transport traffic across the network to connect users, applications, and devices with each other.

Cisco DNA still relies on the proven distributed forwarding techniques that are deployed in every network today. So what is “new” in Cisco DNA? The first answer is “improvement of the physical infrastructure with programmable ASICs”. The next question, then, is why we need such ASICs:

  • Scale – high-speed transport at enterprise scale is only possible in hardware (ASICs), not in software forwarding.
  • Security – strong encryption in the fabric (discussed later in this series) and insertion of security group tags (SGTs) in hardware.
  • Flexibility and agility – because the ASICs in the Cisco DNA fabric are fully programmable, new capabilities can be introduced through a software upgrade instead of a hardware refresh. New transport protocols or packet formats, such as Virtual Extensible LAN (VXLAN), no longer require a re-spin of the ASIC.
  • Telemetry – a high volume of telemetry data must be collected and delivered to the analytics engine.

The second answer is “addition of virtual components to the Cisco DNA infrastructure”, which serves the Cisco DNA principles of openness, software-driven design, programmability, and security. For example:

  • The software-based Cisco Cloud Services Router (CSR) 1000V Series offers the same functionality as a hardware IOS XE router (such as the Cisco ISR 4000 Series or the Cisco ASR 1000 Series). This gives operational and functional consistency between the physical and virtual network infrastructures, significantly improving simplicity and operational flexibility.
  • Other functions such as firewalls, deep packet inspection (DPI), and IPS/IDS can also be deployed in Cisco DNA in virtual form wherever they are needed, and these functions can be supplied by third parties as well.
  • For instance, a firewall function required by a service policy can be instantiated in a branch, rather than in the enterprise data center, within minutes. VLANs, virtual routing, or overlay networks can then steer the service flows through the firewall. Contrast this with deploying a physical firewall, which today takes weeks or even months to install in an enterprise branch.

Virtualization plays another major role in the Cisco DNA infrastructure because it is the key mechanism for deploying services quickly and with minimal dependency on the underlying hardware. The virtualization architecture can be broken down into two main components:

  • Transport Virtualization
  • Network Function Virtualization

Again, what’s new in “Transport Virtualization”? According to me, nothing: it is the same technology, i.e. segmentation, which has been around for decades in the form of VLANs and VRFs.

Typically, a service connects endpoints or endpoint groups; therefore, the service may be not only application-aware but also user (identity) aware. Logical segmentation of groups of users and applications is thus an essential component of the enterprise fabric overlay architecture, augmenting the traditional concepts of VLANs and VRFs.
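In a VXLAN-based fabric that carries security group tags (as Cisco’s SD-Access does), the overlay segment and the source group travel in the encapsulation header itself: VXLAN carries a 24-bit VNI for the virtual network, and the group policy extension (VXLAN-GPO) carries the source SGT in otherwise reserved bytes. The parser below is an added example, not code from the original post or from Cisco. It decodes that header and applies the checks an enforcement point would want: the I flag must be set, the tag field is only trusted when the G flag says a tag is present, and a VNI the fabric does not know is rejected. The VN table and the sample packets are constructed.

```python
"""Decode a VXLAN / VXLAN-GPO header and recover the segment (VNI) and the
source security group tag it carries.

Added example, not code from the original post or from Cisco. The header
layout follows RFC 7348 (VXLAN) and the VXLAN Group Policy Option draft;
the VN table and sample packets are constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

VXLAN_UDP_PORT = 4789
FLAG_G = 0x80   # Group Policy ID present (VXLAN-GPO)
FLAG_I = 0x08   # VNI present; mandatory for a valid VXLAN frame

# Constructed: VNI -> virtual network (VRF) name that this fabric carries.
VN_TABLE = {8188: "CORP", 8189: "GUEST"}
DEFAULT_SGT = 0  # "unknown" tag for traffic that arrives without a group policy ID


class VxlanError(ValueError):
    """Raised for frames an enforcement point should drop."""


@dataclass(frozen=True)
class VxlanHeader:
    vni: int
    sgt: Optional[int]   # None when the G flag is clear: there is no tag to trust
    flags: int


def parse_vxlan(payload: bytes) -> VxlanHeader:
    """Parse the 8-byte VXLAN header at the start of a UDP payload.

    byte 0    : flags  G R R A D E S I
    byte 1    : reserved
    bytes 2-3 : Group Policy ID (source SGT), meaningful only when G is set
    bytes 4-6 : 24-bit VNI
    byte 7    : reserved, must be zero
    """
    if len(payload) < 8:
        raise VxlanError("truncated VXLAN header")
    flags, _rsvd1, gpid, vni_hi, vni_lo, rsvd2 = struct.unpack("!BBHBHB", payload[:8])
    if not flags & FLAG_I:
        raise VxlanError("I flag clear: frame carries no valid VNI")
    if rsvd2 != 0:
        raise VxlanError("non-zero reserved byte")
    vni = (vni_hi << 16) | vni_lo
    # Only trust the tag field when the sender signals it is present; a stale or
    # attacker-chosen value in a reserved field must not become a policy input.
    sgt = gpid if flags & FLAG_G else None
    return VxlanHeader(vni=vni, sgt=sgt, flags=flags)


def build_vxlan(vni: int, sgt: Optional[int] = None) -> bytes:
    """Build a header; used here only to construct sample packets."""
    flags = FLAG_I | (FLAG_G if sgt is not None else 0)
    return struct.pack("!BBHBHB", flags, 0, sgt or 0, (vni >> 16) & 0xFF, vni & 0xFFFF, 0)


def is_valid_vxlan(payload: bytes) -> bool:
    try:
        parse_vxlan(payload)
        return True
    except VxlanError:
        return False


def classify(payload: bytes) -> Optional[Tuple[str, int]]:
    """Map a frame to (virtual network, source SGT). Returns None when the VNI
    is not a segment this fabric knows, which an edge should treat as a drop."""
    hdr = parse_vxlan(payload)
    vn = VN_TABLE.get(hdr.vni)
    if vn is None:
        return None
    return vn, DEFAULT_SGT if hdr.sgt is None else hdr.sgt


if __name__ == "__main__":
    # Constructed sample: CORP segment, source tagged as group 17.
    frame = build_vxlan(8188, sgt=17)
    print(frame.hex(), parse_vxlan(frame), classify(frame))
    # Crafted frame with G set but I clear: rejected before the tag is read.
    print(is_valid_vxlan(bytes([0x80, 0, 0, 17, 0, 0x1F, 0xFC, 0])))
```

The point of `DEFAULT_SGT` is that untagged traffic gets the least-privileged group rather than inheriting whatever happened to be in the reserved bytes; the group-to-group policy that consumes the tag is a separate step and is not shown here.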

Network function virtualization (NFV) is part of the architecture that can enable network functions to run anywhere in the network infrastructure based on the availability of computing resources. 

The operating systems of the network elements in Cisco DNA are enhanced to support this virtualization, providing the ability to spin up or tear down network functions within minutes, to monitor their status, and to redeploy, restart, or even move them from one location or server to the next. For example:

  • Some control plane functions, such as LISP Map-Servers/Map-Resolvers (MS/MR), may run in virtual machines (VMs) to assist in determining the forwarding path. Other examples of such auxiliary functions are DNS and DHCP servers, which are often essential to the operation of the Cisco DNA infrastructure.

The third answer is “application hosting”: in Cisco DNA, applications can also be hosted within the infrastructure itself. Examples include traffic generators, troubleshooting or monitoring tools, print servers, or other business support functions.

Such application workloads can run efficiently in a container, which does not require an additional guest operating system layer (as a virtual-machine-based deployment does).

Cisco DNA Infrastructure Domain

“Domain” is one of the most frequently used terms in Cisco DNA, so I thought it worth spending some time on it. Consider a typical enterprise infrastructure, which is composed of a campus, a data center, and a WAN that together connect all users and endpoints to their applications. This segregation was primarily motivated by differing requirements, technologies, and enterprise structures.

  • WAN domain – typically concerned with a variety of WAN technologies (serial, Frame Relay, ATM), secure connectivity to the Internet, and bandwidth-limited links to geographically separated branches and sites.
  • Campus domain – typically focused on providing access ports to users and devices and handling user and device mobility.
  • DC domain – driven by connecting large numbers of servers hosting applications to the network.

In Cisco DNA, however, a domain is more flexible: a domain can also be created for all network elements in the campus and the WAN together, under the governance of a single controller instance. As per Cisco, Cisco DNA domains fall into one of four categories, as shown in the figure below:

  • Campus
  • WAN – includes WAN Aggregation and branches
  • Data Center
  • Cloud

Because of this post’s length, the remaining three blocks, i.e. automation, analytics, and cloud integration, will be discussed in the next post. Till then please stay tuned, and let me know if you have any questions or comments.

References:
https://www.cisco.com/c/dam/global/ru_kz/solutions/enterprise-networks/digital-network-architecture/pdf/white-paper-c11-736842.pdf

Cisco DNA Architecture Principles

So are you ready to do a deep dive into Cisco DNA? If yes, you are at the right place. In this blog, I will discuss the principles of the Cisco DNA architecture. As you know, any successful network architecture is based on a set of principles that give it its logical structure. Cisco DNA is built on the architecture principles below.

Open

The definition of “open” varies from context to context. In the context of Cisco DNA, it means customers can direct network operations through the following:

  • Open APIs that let network elements be controlled programmatically.
  • Third-party virtual network functions, such as virtual firewalls and virtual IPS/IDS, that can be integrated with Cisco DNA.
  • Standard protocols instead of proprietary ones, so that third-party vendors can integrate smoothly.

Extensible

The extensible principle refers to the flexibility of Cisco DNA to evolve as business requirements change:

  • Integration of network controllers, such as the Cisco DNA controller, with applications.
  • Inclusion of third-party applications or virtual network functions in the Cisco DNA architecture, e.g. integrating a Check Point virtual firewall.

Security

Security is one of the core principles of Cisco DNA; we will go through these aspects in later blogs. Some of the major things Cisco DNA considers are as follows:

  • Securing all APIs used to integrate the building blocks.
  • All control plane and data plane transactions must be authenticated.
  • Extensive logging of authentication and authorization transactions for compliance purposes.
  • Applications that interact with the network control plane must be authenticated and authorized.
  • Support for security detection by turning the network into a sensor, so attacks can be mitigated closer to their source.
  • Provisioning devices from a controller. This also heightens security: mistyped configuration commands are eliminated when network elements are provisioned from the controller. It also concentrates trust in the controller, so access to its APIs and credentials must itself be tightly controlled and logged.
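The principles above that concern APIs (secure the APIs, authenticate every transaction, log the decisions, and authenticate and authorize the applications that talk to the control plane) can be checked concretely. The following is an added example, not code from the original post and not Cisco’s mechanism: a keyed-HMAC scheme in which each calling application signs the method, path, body hash, timestamp and a fresh nonce, and the controller side verifies the signature in constant time, rejects stale or replayed requests, enforces a per-application path scope, and writes every decision to an audit log. The key, the application identifier, the scope table and the header names are constructed.

```python
"""Authenticate, replay-protect, authorize and audit API transactions between
building blocks.

Added example; not Cisco's mechanism and not code from the original post.
The shared key, application id, scope table and header names are constructed.
"""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, List, Optional

CLOCK_SKEW_S = 30  # how far a request timestamp may drift from controller time

# Constructed: one shared key per integrating application, provisioned out of
# band. A real deployment generates these with secrets.token_bytes(32).
APP_KEYS: Dict[str, bytes] = {
    "qos-app": bytes.fromhex("7d0e3a5b1c9f4e2d6a8b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f60718293a4b5"),
}
# Constructed authorization scope: API prefixes each application may call.
APP_SCOPES: Dict[str, List[str]] = {"qos-app": ["/api/v1/qos/"]}


def canonical_request(method: str, path: str, body: bytes, ts: int, nonce: str) -> bytes:
    """Bind method, path, body hash, timestamp and nonce into one signed string."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(ts), nonce]).encode()


def sign_request(app_id: str, method: str, path: str, body: bytes,
                 ts: Optional[int] = None, nonce: Optional[str] = None) -> Dict[str, str]:
    """Client side: produce the authentication headers for one transaction."""
    ts = int(time.time()) if ts is None else ts
    nonce = nonce if nonce is not None else secrets.token_hex(16)
    mac = hmac.new(APP_KEYS[app_id], canonical_request(method, path, body, ts, nonce),
                   hashlib.sha256).hexdigest()
    return {"X-App-Id": app_id, "X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": mac}


class ApiGuard:
    """Controller side: authenticate, reject replays, authorize, and log."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now                      # injectable clock, so tests are deterministic
        self.seen_nonces: Dict[str, int] = {}   # nonce -> timestamp it was accepted with
        self.audit_log: List[str] = []

    def check(self, method: str, path: str, body: bytes, headers: Dict[str, str]) -> bool:
        app_id = headers.get("X-App-Id", "")
        reason = self._evaluate(app_id, method, path, body, headers)
        # Every decision is logged for compliance, allow and deny alike.
        verdict = "ALLOW" if reason is None else "DENY:" + reason
        self.audit_log.append(f"app={app_id} {method.upper()} {path} result={verdict}")
        return reason is None

    def _evaluate(self, app_id: str, method: str, path: str, body: bytes,
                  headers: Dict[str, str]) -> Optional[str]:
        key = APP_KEYS.get(app_id)
        if key is None:
            return "unknown-app"
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return "malformed-headers"
        now = int(self.now())
        if abs(now - ts) > CLOCK_SKEW_S:
            return "stale-timestamp"
        expected = hmac.new(key, canonical_request(method, path, body, ts, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):   # constant-time comparison
            return "bad-signature"
        if nonce in self.seen_nonces:
            return "replay"
        # Prune nonces that have aged out of the skew window, then record this one.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if now - t <= CLOCK_SKEW_S}
        self.seen_nonces[nonce] = ts
        if not any(path.startswith(prefix) for prefix in APP_SCOPES.get(app_id, [])):
            return "not-authorized"   # authenticated, but outside this app's scope
        return None


if __name__ == "__main__":
    guard = ApiGuard()
    body = b'{"class": "voice", "dscp": 46}'
    hdrs = sign_request("qos-app", "POST", "/api/v1/qos/policy", body)
    print(guard.check("POST", "/api/v1/qos/policy", body, hdrs))   # first use: accepted
    print(guard.check("POST", "/api/v1/qos/policy", body, hdrs))   # same headers again: replay
    print("\n".join(guard.audit_log))
```

The signature is checked before the nonce is recorded, so only an authentic request can consume a nonce. This scheme gives integrity and origin authentication only; the transport still needs TLS for confidentiality, and the key store on both sides is the asset to protect and rotate.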

Policy

This is something quite unique to the Cisco DNA infrastructure. We have long used policies in our networks, for example by configuring ACLs, to:

  • Determine who can gain access to the network
  • Help classify traffic flows into the right quality of service (QoS) classes
  • Implement Layer 4 firewall rules

But the question is: are these policies always aligned with the business goal? In most cases, they evolve over time. So, are they scalable? Based on my experience, network operators are quite reluctant to remove or fiddle with any of these entries, because doing so would put the existing working situation at risk.

Beyond the above, ACLs have another major drawback: they are tightly coupled to the underlying network infrastructure, because they match on addresses and interfaces rather than on who the user is. Imagine a policy defined for a set of users in Building A. If one of these users moves to Building B, the policy no longer applies unless the same policy has also been configured there. In that case the operator has to follow the user and configure the policy wherever the user shows up.

With the Cisco DNA infrastructure, however, “policy follows the user”. How? Cisco DNA aligns business goals with the services delivered by the network, and those services are tied to users, applications, and devices, not to topology.
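The difference is easiest to see side by side. The following is an added example, not from the original post and not Cisco’s implementation: a subnet-based ACL written for Building A is evaluated next to a group-to-group policy matrix in which a user’s group is bound to whatever address the user holds at authentication time (the way an SGT is assigned to a session). Users, subnets, server addresses and the matrix are constructed. Moving alice to a Building B subnet flips the ACL verdict but not the identity verdict, and a guest who lands on the finance subnet is permitted by the ACL but denied by the matrix.

```python
"""Why a policy tied to topology breaks when a user moves, and why a policy
keyed on identity does not.

Added example; not from the original post and not Cisco's implementation.
Subnets, users, groups, server addresses and the policy matrix are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

Rule = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]

# --- Topology-bound policy --------------------------------------------------
# Constructed ACL written for the finance VLAN in Building A: finance users may
# reach the payroll server. Everything else falls through to the implicit deny.
ACL_FINANCE_A: List[Rule] = [
    ("permit", ipaddress.ip_network("10.1.10.0/24"), ipaddress.ip_network("10.200.0.5/32")),
]


def acl_decision(acl: List[Rule], src_ip: str, dst_ip: str) -> str:
    """First matching entry wins; no match means deny, as on a real ACL."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return "deny"


# --- Identity-bound policy --------------------------------------------------
IDENTITY_GROUPS: Dict[str, str] = {"alice": "Finance", "bob": "Guest"}  # constructed directory
SERVER_GROUPS: Dict[str, str] = {"10.200.0.5": "Payroll_Servers"}       # constructed
# Policy matrix keyed on (source group, destination group); anything absent is denied.
POLICY_MATRIX: Dict[Tuple[str, str], str] = {("Finance", "Payroll_Servers"): "permit"}

SESSIONS: Dict[str, str] = {}   # source IP -> group bound at authentication time


def authenticate(user: str, src_ip: str) -> str:
    """Bind the user's group to the address the user currently holds. An unknown
    user gets the 'Unknown' group, which matches no permit entry."""
    group = IDENTITY_GROUPS.get(user, "Unknown")
    SESSIONS[src_ip] = group
    return group


def identity_decision(src_ip: str, dst_ip: str) -> str:
    """Decide on group pair only; the address is just a handle to the session."""
    src_group = SESSIONS.get(src_ip, "Unknown")      # unauthenticated -> Unknown
    dst_group = SERVER_GROUPS.get(dst_ip, "Unknown")
    return POLICY_MATRIX.get((src_group, dst_group), "deny")


def compare(user: str, src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """(ACL verdict, identity verdict) for a user who authenticates from src_ip."""
    authenticate(user, src_ip)
    return acl_decision(ACL_FINANCE_A, src_ip, dst_ip), identity_decision(src_ip, dst_ip)


if __name__ == "__main__":
    print("alice, Building A:", compare("alice", "10.1.10.7", "10.200.0.5"))
    print("alice, Building B:", compare("alice", "10.2.10.7", "10.200.0.5"))
    print("bob on finance subnet:", compare("bob", "10.1.10.9", "10.200.0.5"))
```

The identity verdict is only as trustworthy as the binding in `SESSIONS`, which is why the authentication step that creates it (802.1X or an equivalent) and the integrity of the tag in transit are the parts a reviewer should look at first.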

Programmable

Gone are the days when a technology subject matter expert (SME) needed to know every hardware and software detail, the physical and logical topology diagrams, and the traffic path through a particular network element, and troubleshot such networks by logging into devices and configuring them through a different CLI depending on the OS (IOS, AireOS, and so on). Traditional practices have the following drawbacks:

  • Multiple SMEs
  • Error-prone
  • Slow deployment and troubleshooting

Network automation is essential not only to reduce OPEX but also to increase the speed at which new network, business, or security services are introduced.

Software driven

Cisco DNA is developed with a software-driven mindset, because new functionality can be developed in software in a fraction of the time it takes in hardware.

The majority of Cisco DNA functions are driven by software, such as:

  • Functions that forward and manipulate traffic flows
  • Centralized control of Network elements
  • Intelligent algorithm development for optimized operation
  • Programmable ASICs

Cloud integration

Using a cloud provider to host applications has a clear benefit: it avoids the capital cost of building data center infrastructure and the operational cost of running it.

In Cisco DNA, the different cloud models are fully integrated, including private clouds, virtual private clouds, hybrid clouds, and public cloud environments. This integration is designed into both the transport layer and the control layer of the network.

Value Proposition of Cisco DNA … Part 2 … Business View

Hello everyone! This post continues my previous blog in the Cisco DNA series. Here, we will look at how Cisco DNA maps to and implements the business values discussed in the earlier blog.

Refer to the picture below for a complete summary.

Cost Reduction through ASICs

Cisco has evolved its products by using custom-engineered, programmable, flexible application-specific integrated circuits (ASICs), which, per Cisco, double the average lifespan of a device compared with its fixed-ASIC counterparts, thus reducing CapEx.

Cost Reduction via Automation

Concerning OpEx, automation plays a pivotal role in reducing cost through:

1) Faster day-0 deployment
2) Reduction in the time it takes to configure network devices
3) Reduction in troubleshooting time
4) Automatic implementation of time-intensive projects such as end-to-end QoS deployment
5) Automation of bootstrapping and configuration
6) Automation of licensing and authentication

Risk Mitigation with Integrated Security Module

Analytics capabilities allow security tools to establish a baseline of normal behaviour and to alert automatically, and in some cases remediate, when the network deviates from it. Using the network as a security sensor in this way can reduce mean time to repair (MTTR) and prevent disruption to the business.

Meaningful Insights with Analytics

With the help of artificial intelligence and machine learning, Cisco DNA lays the foundation for auto-remediation and thus a self-healing network.

Network analytics goes beyond detecting security anomalies: it also identifies customer patterns that can be used to improve the customer experience.

Agility through OPEN API

As discussed previously, refer to the picture below. It explains how Cisco DNA adds value at each layer to deliver business agility.

At the infrastructure layer, Cisco DNA can detect network failures and threats much faster than previous solutions, and it can push remediation and quarantine policies to the network infrastructure in real time.

At the application layer, it can be integrated with business applications to provide network resources on demand.

At the operations layer, it can also integrate with non-network devices such as digital displays, lighting, and air conditioning, resulting in better experiences, improved efficiency, and new business opportunities. It also saves significant time and money in network operations and troubleshooting, giving your employees more time to innovate and work on other projects.

At the business layer, it enables business transformation: businesses can identify and capitalise on new opportunities, markets, and business models, and provide their leaders with organisational insights such as:

  • Where are employees working?
  • How long are they in meetings?
  • How much time do employees get to spend with their managers?
  • Do employees work in teams or silos?
  • Which teams work well together? Which don’t?

Cisco DNA brings other benefits along with those mentioned above:

  • Far fewer deployment errors (because configuration is automated rather than typed manually)
  • Consistent network operation across different device types (routers, switches, access points, wireless LAN controllers)
  • Detailed reporting in case of failure
  • Flexibility in scale and variety: every day new clients join the network, however they connect, so the network must also be flexible enough to support a growing variety of network and business applications that are increasingly dynamic.

In 2017, Cisco worked with International Data Corporation (IDC) to develop a five-stage Digital Network Readiness Model, as shown in the figure.

Cisco Digital Network Readiness Model (Source: www.cisco.com/go/dnaadvisor)

In the next blog of this series, we will do a technical deep dive into the Cisco DNA architecture. Till then, please stay tuned.

Intent Based Networking (IBN)

This blog continues my previous blog, where I discussed the business requirements of an enterprise network architecture; refer to that post for details. Before I start with Cisco DNA, let’s understand intent-based networking.

So what does intent-based networking (IBN) mean? I am sure everyone agrees with me that this is the latest buzzword in the market, one we have been hearing for the last year. So, is it something new? Well, if you ask me, yes, it is a new buzzword, but the concept has been with us for the last two decades.

Then the next question comes: what is it?

IBN is defined on top of the SDN framework. It begins with the expression of business intent. So, what is business intent? Some examples:

  • This application is critical to my business and must be up 100% of the time.
  • Only a specific group of users may access these applications and services.
  • If a device is infected, it must be quarantined.

Business intent expresses only “what” you want, not “how”. It is like ordering a phone from an online shopping portal: you intend to get the phone, but how it is delivered and which retailer supplies it does not matter to you at all; those decisions are up to the shopping portal.

Intent-based networking therefore helps deliver this business intent by expressing it over the network. The picture below depicts what happens “behind the scenes” in an IBN system.

In the translation phase, the input is the business intent, which defines the “what”.

In the validation phase, the IBN system checks that the business intent is feasible, and the network device configuration that explains the “how” is generated.

This business intent needs to be expressed across the network; therefore the configuration must be pushed to hundreds or thousands of network devices, and deploying it manually at that scale is error-prone. Hence, it needs automation/orchestration that allows a network operator to treat thousands of network devices as a single software-enabled, programmable entity.

The resulting network state must then be analysed, and assurance tells us whether the intent was delivered; if not, remediation action should be taken.

Additionally, an IBN system should be continually self-learning, so that it can understand:

  • What is normal versus abnormal?
  • What are the most common root causes of issues?
  • What are the most effective remedial actions for a given issue?

With these capabilities, an IBN system becomes not only smarter, but also more reliable, available, and adaptable to ever-evolving business requirements.
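The loop described above (translation, validation, activation, assurance, and the feedback that tells the operator which problem recurs most) can be sketched end to end. The following is an added example, not code from the original post and not Cisco DNA Center’s implementation: an access intent of the kind listed earlier is validated against a source of truth, rendered into per-device policy lines in a constructed pseudo-config syntax, and then compared with constructed flow records reported by the enforcement points to produce assurance findings; a tally of finding categories stands in for the “most common root cause” question. Group names, applications, device names and flows are all constructed.

```python
"""One pass through the intent-based networking loop: validate, translate,
assure, and tally what went wrong.

Added example; not from the original post and not Cisco DNA Center code. The
intent schema, inventory, pseudo-config syntax and observed flows are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed source of truth the IBN system validates intent against.
KNOWN_GROUPS = {"Finance", "Engineering", "Guest"}
APPS: Dict[str, Dict[str, str]] = {
    "payroll": {"server_group": "Payroll_Servers", "edge": "edge-dc-1"},
    "gitlab":  {"server_group": "Git_Servers",     "edge": "edge-dc-2"},
}


@dataclass(frozen=True)
class Intent:
    app: str                        # the "what": which application
    allowed_groups: Tuple[str, ...]  # which user groups may reach it


@dataclass(frozen=True)
class Flow:
    device: str      # enforcement point that reported the flow
    src_group: str
    dst_group: str
    action: str      # what the device actually did: "permit" or "deny"


def validate(intent: Intent) -> List[str]:
    """Validation phase: problems that make the intent infeasible (empty = OK)."""
    problems = []
    if intent.app not in APPS:
        problems.append(f"unknown application {intent.app!r}")
    for g in intent.allowed_groups:
        if g not in KNOWN_GROUPS:
            problems.append(f"unknown group {g!r}")
    if not intent.allowed_groups:
        problems.append("intent names no allowed group; refusing rather than guessing")
    return problems


def translate(intent: Intent) -> Dict[str, List[str]]:
    """Translation phase, the 'how': per-device policy lines in a constructed
    pseudo-config syntax that stands in for a controller's device templates."""
    app = APPS[intent.app]
    lines = [f"group-policy permit from {g} to {app['server_group']}"
             for g in sorted(intent.allowed_groups)]
    lines.append(f"group-policy deny from any to {app['server_group']}")  # explicit default deny
    return {app["edge"]: lines}


def assure(intent: Intent, observed: List[Flow]) -> List[str]:
    """Assurance phase: compare what the network did with what the intent says."""
    server_group = APPS[intent.app]["server_group"]
    findings = []
    for f in observed:
        if f.dst_group != server_group:
            continue   # not covered by this intent
        should_permit = f.src_group in intent.allowed_groups
        if f.action == "permit" and not should_permit:
            findings.append(f"{f.device}: leak: {f.src_group} reached {intent.app}")
        elif f.action == "deny" and should_permit:
            findings.append(f"{f.device}: outage: {f.src_group} blocked from {intent.app}")
    return findings


def root_causes(findings: List[str]) -> Counter:
    """Tally finding categories ('leak' vs 'outage') so the most common issue surfaces."""
    return Counter(f.split(": ")[1] for f in findings)


def run_loop(intent: Intent, observed: List[Flow]) -> Tuple[bool, Dict[str, List[str]], List[str]]:
    """Returns (intent accepted, rendered config per device, assurance findings).
    A rejected intent carries its validation problems in the third slot."""
    problems = validate(intent)
    if problems:
        return False, {}, problems
    return True, translate(intent), assure(intent, observed)


if __name__ == "__main__":
    intent = Intent("payroll", ("Finance",))
    # Constructed flow records as the enforcement points would report them.
    flows = [
        Flow("edge-dc-1", "Finance", "Payroll_Servers", "permit"),
        Flow("edge-dc-1", "Guest", "Payroll_Servers", "permit"),
        Flow("edge-dc-1", "Finance", "Payroll_Servers", "deny"),
        Flow("edge-dc-2", "Engineering", "Git_Servers", "permit"),
    ]
    accepted, config, findings = run_loop(intent, flows)
    print(accepted, config, findings, root_causes(findings))
```

Validation refuses an intent that names nobody rather than defaulting to open, and assurance flags drift in both directions: a group that reached the application without being allowed (a leak to remediate) and an allowed group that was blocked (an outage to investigate).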

If you look at the last 15 years, IT vendors have promised dynamic, self-configuring, self-optimizing infrastructure, but for most enterprises this promise remains largely unfulfilled. That’s why I said earlier that the concept of IBN has been around for two decades.

IBN thus changes the way networking used to happen. It lets network managers and engineers think less about port-by-port and device-by-device configuration and more about the desired outcome at a higher level.

So, are you ready for intent-based networking? While an IBN system benefits an enterprise organization to a great extent, we should also keep in mind its implications for your IT staff:

  • The new technology can take some of your IT staff out of their comfort zone.
  • The evolution of automation in networking has already given network engineers some bitter experiences.

Cisco DNA is an IBN system that promises to fulfil all of the above.

In my next blog, we will take a close look at how the business requirements mentioned in the previous blog map onto IBN systems such as Cisco DNA.

Value Proposition of Cisco DNA … Part 1

In this blog (the first in my Cisco DNA series), I would like to share some of the value proposition offered by Cisco’s brand new solution for the enterprise, Cisco DNA (Digital Network Architecture).

Last week, a few colleagues and I were discussing over a cup of tea (in India also known as “Chai Pe Charcha”), and suddenly this topic popped up; all of us started talking about this technology. One said this might be just another marketing/technology jargon that does not help much in the real world. Blah… blah… blah.

Coincidentally, I didn’t agree with their thoughts and said there must be something interesting about this product/technology, because the whole enterprise industry is shifting towards it. If most companies are adopting it and doing pilot installations or early field trials, it must be solving some purpose. Therefore, I decided to do some research on it and share the knowledge gained.

Before I start with DNA, let’s understand the business requirements of an enterprise network architecture.

Based on industry trends, most organizations are in a phase of digital transformation to gain competitive advantage, and the network infrastructure is the common point among all elements of that change, including users, end devices, applications, and Internet of Things (IoT) devices. Let’s take a look at the picture below:

In a typical enterprise environment, we can flex “compute” at any time, and likewise we can flex “storage” very quickly, but when it comes to the network it is not that easy: it requires considerable effort to plan, design, implement, test, and hand over to operations.
Therefore, the network is one of the most significant barriers to business evolution. Traditional networks are disconnected from the needs of growing businesses, end users, and applications. We therefore need to evolve these networks so that they are secure, agile, flexible, intelligent, and simple to operate.

These evolving requirements demand a new architecture and design approach that can add significant business value to the enterprise. There could be many business requirements for digitally transforming networks, but they can all be grouped into four categories:

  1. Cost Reduction & Innovation
  2. Risk Mitigation
  3. Meaningful Insights driving experience
  4. Agility

1. Cost Reduction & Innovation

There are two major costs associated with a network:
1) Operational Expenditure (OpEx)
2) Capital Expenditure (CapEx)

Based on a 2016 McKinsey study of network operations for Cisco, companies spend over $60B on network operations and labor. Imagine this cost when, per the Cisco Visual Networking Index forecasts, IP traffic will more than double by 2020; with the addition of more and more IoT devices, these numbers are going to increase drastically. Managing these devices in the traditional way is going to be a cumbersome job for IT infrastructure operations. Hence, operational cost is increasing day by day.

As businesses evolve, the infrastructure grows, and so must the scale of the network. Capital expenditure can be economized by network infrastructures that are elastic, flexible, and agile. Such gains are realized when scalability is easily achieved, with a seamless ability to make moves, adds, and changes (MAC) as network demands shift.

In the coming years, the network must keep pace with evolving application needs. Hence, we need an agile network that can reduce cost without expensive hardware and installation man-hours.

In this article, innovation specifically refers to moving resources into new business or organizational areas to drive new business. With less time spent on network operations, the enterprise can invest further in innovation.

Another measure of innovation could be an increase in the percentage of network staff time allocated to new projects. What do those organizations do with the additional time? For example:

  • Employees can focus on newer technologies such as cloud and SDN.

2. Risk Mitigation

As more and more IP devices, including IoT, come onto networks, new security challenges and threats arise. A malicious actor can exploit one of these vulnerabilities to breach the enterprise network and harm the organization.

Moreover, with the rapid growth of public/private cloud-hosted applications, Bring Your Own Device (BYOD), and mobile workers, threat actors find multiple ways into the network from both the inside and the outside, which mandates a 360-degree approach to network security.

The organization must also comply with regulations such as PCI DSS. Failing to do so can result in harsh fines and penalties, which may further impact productivity. Organizations may therefore benefit significantly from an automated and systematic approach to enforcing compliance through their architecture.

Reliable and secure operations are essential not just for risk mitigation but also for enabling the organization to further its digital transformation. They give the organization the confidence to roll out new digital capabilities and services with minimum risk (on-time delivery, compliance, service levels, etc.).

3. Meaningful Insights driving experience

In today’s world, every enterprise has tons of data that is growing very rapidly, yet very few enterprises get any meaningful insight out of it. These insights are valuable for the customer experience. For example, a retailer might be interested to know:

  • Who is buying our products?
  • Where are our customers buying it?
  • When are they buying it?
  • Why are they buying it?
  • What do they like about it?
  • What don’t they like about it?
  • Is our product or service meeting their needs?
  • Are there customer needs that our product or service doesn’t meet?

Similarly, the same customer might be interested in insights that help understand the employee experience:

  • Are our employees able to achieve their work goals?
  • What applications are our employees using to meet their goals? The categories of applications could be:
    • Unified communications (voice, video) and collaboration applications
    • Cloud-based/SaaS business applications
    • Mobile applications
    • IoT applications
    • Business transactions applications
  • Where are they using these applications?
  • Are these applications meeting their needs?
  • Are there any needs that are not addressed?
  • What do they like about these applications?
  • What don’t they like about these applications?
  • How well are these applications performing?
  • How much does it cost to run these applications?

Similarly, there are many insights that could help the IT network operations team, for example for compliance and security purposes.

4. Agility

So, do you think insights alone would help the enterprise in today’s world? The answer is “no”, because the enterprise wants to take actions that improve its employee/customer experience. It is as if you visit a doctor and the doctor tells you that you have an infection but does not tell you which medicine to take.

Hence, we need to know the right set of actions to take if there is any abnormality. The term “agility” means different things in different contexts. Refer to the picture below to understand agility at the different layers of the enterprise.

@ Infrastructure layer: agility refers to self-defending/self-healing networks, such as:

  1. If one access point goes down, neighbouring access points should automatically increase their power levels.
  2. Recovering error-disabled interfaces.
  3. Patching or fixing based on the known-bug knowledge base.
  4. Fixing memory leak or CPU utilization issues.

@ Application layer: agility refers to applications interacting with the network infrastructure to deploy services:

  1. QoS policies for Enterprise VoIP application
  2. WAN policies for critical application data replication, i.e. backup and restore.

@ Operate layer: agility refers to automation that takes care of mundane tasks. A few examples could be:

  1. Executing a command script on all routers and switches.
  2. Generating a compliance report.
  3. Rebooting a set of devices

@ Business layer: an agile organization can reduce the time needed to deploy new business-enabling applications and services, and can bring new products and services to market faster and more reliably with a higher customer acceptance rate. Examples:

  1. Time to bring new branch online
  2. Time to market new product and services

Please stay tuned for my next blog in this series, where we will look at how DNA meets the business requirements mentioned above.

Till then, I appreciate your comments/feedback; I will update this blog based on your inputs.