Cisco DNA Architecture … Part 2

Now that the higher-level architectural principles behind Cisco Digital Network Architecture are clear, this blog provides an overview of the main architectural components, i.e. Cisco DNA infrastructure, automation, analytics, and cloud integration.

The critical building blocks of Cisco DNA are shown in the figure below, which illustrates how the principles of openness, extensibility, programmability, software-driven operation, policy-based networking, security, and cloud integration (all discussed in the previous blog) drive the overall architecture. This blog explains how these components interact to deliver the requirements outlined in the previous blog, “Value Proposition for Cisco DNA”. Let’s look at each of these blocks in more detail.


The infrastructure component of Cisco DNA represents all the functions that participate in carrying network traffic between users, devices, and applications. This part of the network is built from the traditional data plane and control plane functions needed to transport traffic across the network and connect users, applications, and devices with each other.

Cisco DNA still relies on the proven distributed forwarding techniques that are successfully deployed in every network today. So what is new in Cisco DNA? The first answer is an improved physical infrastructure built on programmable ASICs. That raises the next question: why do we need such ASICs?

  • The requirement of scale – High-speed transport at enterprise scale is only achievable with hardware-based ASICs, not in software.
  • The security requirement – Strong, line-rate encryption in the fabric (to be discussed later) and the insertion and enforcement of security group tags (SGTs) in the fabric encapsulation need hardware support.
  • The requirement for flexibility and agility – Because the ASICs in the Cisco DNA fabric are fully programmable, new software-based capabilities can be introduced into the network through a simple software upgrade instead of a hardware refresh. For example, developments in transport protocols or packet formats, such as the recent rise of Virtual Extensible LAN (VXLAN), do not require a re-spin of the ASICs.
  • The requirement for a high volume of telemetry data – to be collected and delivered to the analytics engine.

The second answer is the addition of virtual components to the Cisco DNA infrastructure, to meet the Cisco DNA principles of openness, software-driven operation, programmability, and security. For example:

  • The software-virtualized Cisco Cloud Services Router (CSR) 1000V Series offers the same functionality as a hardware-based IOS XE router (the Cisco ISR 4000 Series or the Cisco ASR 1000 Series). It provides both operational and functional consistency between the physical and virtual network infrastructures, significantly enhancing simplicity and operational flexibility.
  • Other functions such as firewalls, DPI, and IPS/IDS can also be accommodated in Cisco DNA in virtual form wherever desired. These functions can be provided by third parties as well.
  • As another instance, a firewall function required by a service policy may be instantiated in a branch, rather than in the enterprise’s data center, within minutes. VLANs, virtual routing, or overlay networks can then be deployed to steer the service flows through the firewall. This contrasts with the deployment of physical firewall functions, which today takes weeks or even months in enterprise branch environments. Note that, physical or virtual, it is the steering configuration that actually enforces the policy: a flow that is not routed through the VRF or overlay segment holding the firewall is never inspected, so the path, and not just the presence of the firewall, has to be verified.

Virtualization plays another major role in the Cisco DNA infrastructure because it is a crucial mechanism for deploying services quickly and with minimal dependence on the underlying hardware infrastructure. The virtualization architecture can be broken down into two main components:

  • Transport Virtualization
  • Network Function Virtualization

Again, what is new in transport virtualization? In my view, nothing: it is the same technology, segmentation, which has been with us for decades in the form of VLANs and VRFs.

Typically, a service connects endpoints or endpoint groups; therefore, the service may be not only application-aware but also user (identity) aware. The logical segmentation of groups of users and applications is therefore an essential component of the enterprise fabric’s overlay architecture, augmenting the traditional concepts of VLANs and VRFs.
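To make the two layers of segmentation concrete, here is an added example (written for this post, not code from the original post or from Cisco). It decodes the VXLAN group-policy (VXLAN-GPO) header that the fabric encapsulation uses to carry a VNI, which selects the virtual network (the VRF-style macro-segmentation above), together with a Security Group Tag, which identifies the user or application group (the identity-aware micro-segmentation above, and the SGT insertion mentioned in the ASIC bullets earlier). It then applies an SGACL-style policy matrix the way an egress fabric node would, and fails closed when the VNI or an SGT binding is unknown. The header layout is taken from the IETF draft draft-smith-vxlan-group-policy; the VNI-to-VN names, IP-to-SGT bindings, policy matrix and sample frames are constructed for the example and do not come from any real deployment.

```python
"""
Added example: decode the VXLAN group-policy (VXLAN-GPO) header used by the
fabric to carry a VNI plus a Security Group Tag, then apply an SGACL-style
policy the way an egress fabric node would.

Header layout from draft-smith-vxlan-group-policy (8 bytes):
  byte 0    : flags  G=0x80 (Group Policy ID valid), I=0x08 (VNI valid)
  byte 1    : flags  D=0x40 (don't learn source), A=0x08 (policy applied)
  bytes 2-3 : Group Policy ID = source SGT (16 bits)
  bytes 4-6 : VNI (24 bits), byte 7 reserved
"""
import ipaddress
import struct
from typing import Optional

VXLAN_HDR_LEN = 8
FLAG_G, FLAG_I = 0x80, 0x08   # byte 0
FLAG_D, FLAG_A = 0x40, 0x08   # byte 1

# Constructed sample data for this example, not from any real deployment:
VN_BY_VNI = {8190: "CORP_VN", 8191: "GUEST_VN"}      # macro-segmentation: VNI -> virtual network (VRF)
IP_TO_SGT = {"10.10.20.5": 20, "10.10.30.7": 30}     # egress node's IP-to-SGT bindings
SGACL = {(10, 20): "permit", (20, 10): "permit", (10, 30): "deny"}  # (src SGT, dst SGT) -> action


def parse_vxlan_gpo(hdr: bytes) -> dict:
    """Return vni/sgt/flags from a VXLAN-GPO header; reject a malformed one."""
    if len(hdr) < VXLAN_HDR_LEN:
        raise ValueError("short VXLAN header")
    flags0, flags1, gpid, vni_res = struct.unpack("!BBHI", hdr[:VXLAN_HDR_LEN])
    if not flags0 & FLAG_I:
        raise ValueError("I flag clear: VNI field is not valid")
    return {
        "vni": vni_res >> 8,                       # drop the reserved low byte
        "sgt": gpid if flags0 & FLAG_G else None,  # SGT only meaningful when G is set
        "dont_learn": bool(flags1 & FLAG_D),
        "policy_applied": bool(flags1 & FLAG_A),
    }


def build_vxlan_gpo(vni: int, sgt: Optional[int]) -> bytes:
    """Encode a header as an ingress fabric edge would (I always set, G only if the SGT is known)."""
    flags0 = FLAG_I | (FLAG_G if sgt is not None else 0)
    return struct.pack("!BBHI", flags0, 0, sgt or 0, (vni & 0xFFFFFF) << 8)


def inner_ipv4_dst(inner: bytes) -> ipaddress.IPv4Address:
    """Destination address of the encapsulated Ethernet/IPv4 frame."""
    if len(inner) < 34:
        raise ValueError("inner frame too short for Ethernet + IPv4")
    if struct.unpack("!H", inner[12:14])[0] != 0x0800 or inner[14] >> 4 != 4:
        raise ValueError("inner frame is not IPv4")
    return ipaddress.IPv4Address(inner[30:34])   # 14-byte Ethernet + IPv4 dst at offset 16


def build_inner_ipv4(dst: str, src: str = "10.10.10.1") -> bytes:
    """Minimal constructed Ethernet + IPv4 header (no payload, zero checksum) for testing."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip


def enforce(hdr: bytes, inner: bytes) -> str:
    """Egress decision: the VNI selects the virtual network, (src SGT, dst SGT) selects the SGACL."""
    h = parse_vxlan_gpo(hdr)
    if h["vni"] not in VN_BY_VNI:
        return "drop: unknown VNI"
    dst_sgt = IP_TO_SGT.get(str(inner_ipv4_dst(inner)))
    if h["sgt"] is None or dst_sgt is None:
        return "deny: no SGT binding"               # unknown group: fail closed
    return SGACL.get((h["sgt"], dst_sgt), "deny")   # default deny for unlisted pairs


if __name__ == "__main__":
    for vni, sgt, dst in [(8190, 10, "10.10.20.5"), (8190, 10, "10.10.30.7"),
                          (4242, 10, "10.10.20.5"), (8190, None, "10.10.20.5")]:
        print(vni, sgt, dst, "->", enforce(build_vxlan_gpo(vni, sgt), build_inner_ipv4(dst)))
```

Two design points matter here. The destination SGT is never carried in the packet; the egress node resolves it from its own IP-to-SGT bindings, which is why a missing binding is treated as a deny rather than a permit. And the VNI check runs before the group check, mirroring the fabric: a packet in the wrong virtual network is dropped regardless of what its SGT says.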

Network function virtualization (NFV) is the part of the architecture that enables network functions to run anywhere in the network infrastructure, based on the availability of computing resources.

The operating systems of the network elements in Cisco DNA are enhanced to support this virtualization, providing the ability to spin up or tear down network functions within minutes, to monitor their status, and to redeploy or restart them, or even to move them from one location or server to the next. For example:

  • Some control plane functions, such as LISP Map-Servers/Map-Resolvers (MS/MR), may run in virtual machines (VMs) to assist in determining the forwarding path. Other examples of such auxiliary functions are DNS and DHCP servers, because these are often essential for the successful operation of the Cisco DNA infrastructure.

The third answer is app hosting. Note that in Cisco DNA, applications can also be hosted within the infrastructure itself. Examples include traffic generators, troubleshooting or monitoring tools, print servers, or other business support functions.

The workload of such an application can run efficiently in a container, so that it does not require an additional operating system layer (as a virtual machine-based deployment does). Since a hosted application shares the network element’s resources, it should be given explicit CPU, memory, and interface limits so that a misbehaving container cannot affect the forwarding plane.

Cisco DNA Infrastructure Domain

This is one of the most frequently used terms in Cisco DNA, so it is worth spending some time on it. Consider a typical enterprise infrastructure, which is composed of a campus, a data center, and a WAN that connects all users and endpoints to their respective applications. This segregation was primarily motivated by differing requirements, technologies, and enterprise structures.

  • WAN domain – Typically contends with a variety of WAN technologies (serial, Frame Relay, ATM), secure connectivity to the Internet, and bandwidth-limited links to geographically separated branches and sites.
  • Campus domain – Typically focuses on providing access ports to users and devices and on handling user and device mobility.
  • DC domain – Driven by connecting large numbers of servers hosting applications to the network.

In Cisco DNA, however, a domain is more flexible: a domain can also be created for all network elements in the campus and the WAN together, under the governance of a single controller instance. According to Cisco, Cisco DNA domains fall into one of four categories, as shown in the figure below.

  • Campus
  • WAN – includes WAN Aggregation and branches
  • Data Center
  • Cloud

Due to the length of this post, the remaining three blocks, i.e. automation, analytics, and cloud integration, will be discussed in the next post. Till then, please stay tuned, and let me know if you have any questions or comments.