Cisco DNA Architecture Principles

So, are you ready for a deep dive into Cisco DNA? If so, you are in the right place. In this blog I will discuss the principles behind the Cisco DNA architecture. As you know, any successful network architecture rests on a set of principles that define its logical structure. Cisco DNA is built on the architecture principles below.

Open

The definition of "open" varies from context to context. In the context of Cisco DNA it means that customers can direct network operations through the following:

  • Open APIs that let network elements be controlled programmatically.
  • Third-party virtual network functions, such as a virtual firewall or a virtual IPS/IDS, can be integrated into Cisco DNA.
  • Standard protocols are used instead of proprietary ones, so that third-party vendors can integrate smoothly.

Extensible

The extensible principle refers to the flexibility of Cisco DNA to evolve as business requirements change:

  • Integration of network controllers, such as the Cisco DNA controller, with applications.
  • Inclusion of third-party applications or virtual network functions in the Cisco DNA architecture, e.g. integrating a Check Point virtual firewall.

Secure

Security is one of the core principles of Cisco DNA; later blogs will go through these aspects in detail. Some of the major things Cisco DNA takes into account are:

  • All APIs used to integrate the building blocks are secured.
  • All control plane and data plane transactions must be authenticated.
  • Authentication and authorization transactions are logged extensively, for compliance purposes.
  • Applications that interact with the network control plane must be authenticated and authorized.
  • Security detection is supported by turning network elements into sensors, so that attacks can be mitigated closer to their source.
  • Devices are provisioned from a controller. This also heightens security: mis-typed configuration commands are eliminated when network elements are provisioned from the controller rather than by hand.
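To make the first, third and fourth bullets concrete, here is a small model of a controller's northbound API gateway: every application call is authenticated (an HMAC-signed bearer token with an expiry), authorized against a role, and written to an audit trail whether it succeeds or fails. This is an added example written for this blog, not Cisco DNA code; the signing key, the roles, the resource paths and the token format are all assumptions chosen for illustration.

```python
"""Northbound API gateway sketch: authenticate, authorize, then always audit.
Added example, not Cisco DNA code. Key, roles and paths are assumptions."""
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key. A real controller keeps this in a vault or HSM,
# never in source.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"

# Hypothetical role-to-verb mapping (assumption, not Cisco DNA's RBAC model).
ROLE_VERBS = {
    "observer": {"GET"},
    "operator": {"GET", "POST", "DELETE"},
}

# Hypothetical northbound resources that reach the control plane.
CONTROL_PLANE_PATHS = {"/api/network-device", "/api/policy"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(app_id, role, now, ttl=3600):
    """Mint an HMAC-signed bearer token of the form payload.signature."""
    payload = _b64(json.dumps({"app": app_id, "role": role, "exp": now + ttl},
                              sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def authenticate(token, now):
    """Return the token claims if signature and expiry check out, else None."""
    try:
        payload, sig = token.rsplit(".", 1)
    except ValueError:
        return None
    expected = _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(_unb64(payload))
    if claims.get("exp", 0) <= now:
        return None
    return claims


def handle_request(token, method, path, audit, now=None):
    """Authenticate, then authorize, then log the outcome. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    entry = {"ts": now, "method": method, "path": path, "app": None, "role": None}
    claims = authenticate(token, now)
    if claims is None:
        decision = (False, "authentication-failed")
    elif path not in CONTROL_PLANE_PATHS:
        decision = (False, "unknown-resource")
    elif method not in ROLE_VERBS.get(claims["role"], set()):
        decision = (False, "not-authorized")
    else:
        decision = (True, "ok")
    if claims:
        entry.update(app=claims["app"], role=claims["role"])
    entry.update(allowed=decision[0], reason=decision[1])
    audit.append(entry)  # every authn/authz outcome is kept for compliance review
    return decision


if __name__ == "__main__":
    log = []
    now = 1_700_000_000
    tok = issue_token("monitoring-app", "observer", now)
    print(handle_request(tok, "GET", "/api/network-device", log, now))   # allowed
    print(handle_request(tok, "POST", "/api/policy", log, now))          # wrong role
    print(handle_request("A" + tok, "GET", "/api/policy", log, now))     # tampered
    print(handle_request(tok, "GET", "/api/policy", log, now + 7200))    # expired
    for e in log:
        print(json.dumps(e))
```

The order matters: the gateway never evaluates the role of a caller it has not authenticated, and the audit entry is written on every path, including the failures, because the failed attempts are usually the interesting ones at compliance time.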

Policy-based

This is something unique to the Cisco DNA infrastructure. We have all used policies in our networks many times, for example configuring ACLs to:

  • Determine who can gain access to the network
  • Help classify traffic flows into the right quality of service (QoS) classes
  • Express Layer 4 firewall rules

But are these policies always aligned with the business goal? In most cases they drift over time. And are they scalable? In my experience, network operators are very reluctant to remove or touch existing entries unless the business forces them to, because changing them risks breaking something that currently works.

Beyond this, ACLs have another major drawback: they are tightly coupled to the underlying network infrastructure. Imagine a policy defined for a set of users in Building A. If one of those users moves to Building B, the policy does not apply there unless the same policy has also been configured for Building B. In other words, we have to follow the user around and configure the policy wherever they go.

With the Cisco DNA infrastructure, however, "policy follows the user." How? Cisco DNA aligns business goals with the services delivered by the network, and those services are tied to users, applications and devices, not to the topology.
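The difference between a topology-bound ACL and an identity-bound policy is easy to see in code. The following added example (mine, not from the original post) models the Building A / Building B move described above: one evaluation uses a classic subnet-based ACL, the other keys on the user's group. The subnets, users, groups and ports are constructed for the illustration; the "DHCP lease" is just the tenth address in the building's subnet.

```python
"""Subnet ACL versus identity policy for a user who moves buildings.
Added example; topology, users and groups are constructed."""
import ipaddress

# Constructed topology: each building hands out addresses from its own subnet.
SUBNETS = {
    "building-a": ipaddress.ip_network("10.1.0.0/24"),
    "building-b": ipaddress.ip_network("10.2.0.0/24"),
}

# Classic ACL written for Building A: "finance sits in 10.1.0.0/24, let it
# reach the database on TCP 1433".  Order matters, implicit deny at the end.
IP_ACL = [
    {"src": ipaddress.ip_network("10.1.0.0/24"), "dst_port": 1433, "action": "permit"},
    {"src": ipaddress.ip_network("0.0.0.0/0"),   "dst_port": 1433, "action": "deny"},
]

# Identity-based policy: keyed on the user's group, not on where they connect.
GROUP_POLICY = {
    "finance": {1433, 443},
    "contractor": {443},
}

# Constructed identity store (in practice this comes from AAA / the directory).
IDENTITY = {"alice": "finance", "bob": "contractor"}


def acl_permits(src_ip, dst_port, acl=IP_ACL):
    """First matching rule wins; no match means deny."""
    ip = ipaddress.ip_address(src_ip)
    for rule in acl:
        if ip in rule["src"] and rule["dst_port"] == dst_port:
            return rule["action"] == "permit"
    return False


def identity_permits(user, dst_port, policy=GROUP_POLICY, identity=IDENTITY):
    """Decision depends only on who the user is, never on their address."""
    group = identity.get(user)
    return group is not None and dst_port in policy.get(group, set())


def connect(user, building, dst_port):
    """Simulate the user plugging in at a building and being evaluated both ways."""
    ip = str(SUBNETS[building][10])  # hypothetical DHCP lease
    return {
        "user": user,
        "ip": ip,
        "acl": acl_permits(ip, dst_port),
        "identity": identity_permits(user, dst_port),
    }


if __name__ == "__main__":
    for user, building in (("alice", "building-a"), ("alice", "building-b"),
                           ("bob", "building-a")):
        print(connect(user, building, 1433))
```

Two things fall out of running it. When alice moves to Building B the ACL stops matching and she loses access she is entitled to, while the identity policy still permits her. And when bob, a contractor, plugs into Building A the ACL grants him the database port simply because of the subnet he landed in; the identity policy does not. The ACL both under-grants and over-grants because it encodes location, not intent.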

Automated

Gone are the days when a technology subject matter expert (SME) had to know every hardware and software detail, the physical and logical topology diagrams and the traffic path of a particular network element, and troubleshoot by logging into each device and typing different CLI depending on the OS (IOS, AireOS and so on). Traditional practice has the following drawbacks:

  • Multiple SMEs are needed
  • Error-prone
  • Slow deployment and troubleshooting

Network automation is essential not only to reduce OPEX but also to increase the speed at which new network, business or security services are introduced.
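Controller-based provisioning removes the "mis-typed command" class of error (mentioned in the security section above) because nobody types CLI at all: the operator expresses intent, the controller validates it and renders the device configuration. The added example below (my illustration, not Cisco DNA controller code) does exactly that for a small access-switch intent. The intent schema, the constructed intent and the validation rules are assumptions; the rendered `vlan` and `interface ... switchport` commands are ordinary IOS syntax.

```python
"""Intent -> validate -> render IOS config.  Added example, not controller
code.  Intent schema and rules are assumptions for illustration."""
import re

# Constructed intent: what the operator wants, with no CLI syntax in it.
INTENT = {
    "vlans": [{"id": 10, "name": "finance"}, {"id": 20, "name": "guest"}],
    "access_ports": [
        {"name": "GigabitEthernet1/0/1", "vlan": 10, "description": "finance-desk-01"},
        {"name": "GigabitEthernet1/0/2", "vlan": 20, "description": "lobby-kiosk"},
    ],
}

# Full interface names only; abbreviations like "Gi1/0/1" are rejected so the
# rendered config is unambiguous.
INTERFACE_RE = re.compile(r"^GigabitEthernet\d+/\d+/\d+$")


def validate(intent):
    """Return a list of reasons the intent cannot become a valid config (empty if fine)."""
    errors = []
    seen = set()
    for v in intent.get("vlans", []):
        vid = v.get("id")
        # 1-4094 is the VLAN ID space; 1002-1005 are reserved on IOS.
        if not isinstance(vid, int) or not 1 <= vid <= 4094 or 1002 <= vid <= 1005:
            errors.append(f"vlan id {vid!r} is outside the usable 1-4094 range")
        elif vid in seen:
            errors.append(f"vlan {vid} is defined twice")
        seen.add(vid)
    for p in intent.get("access_ports", []):
        name = p.get("name", "")
        if not INTERFACE_RE.match(name):
            errors.append(f"interface name {name!r} is not a full GigabitEthernet x/y/z name")
        if p.get("vlan") not in seen:
            errors.append(f"interface {name!r} references undefined vlan {p.get('vlan')!r}")
    return errors


def render_ios(intent):
    """Render validated intent as IOS configuration text."""
    lines = []
    for v in intent["vlans"]:
        lines += [f"vlan {v['id']}", f" name {v['name']}", "!"]
    for p in intent["access_ports"]:
        lines += [
            f"interface {p['name']}",
            f" description {p['description']}",
            " switchport mode access",
            f" switchport access vlan {p['vlan']}",
            "!",
        ]
    return "\n".join(lines) + "\n"


def provision(intent):
    """Controller entry point: refuse bad intent before anything reaches a device."""
    errors = validate(intent)
    if errors:
        raise ValueError("intent rejected: " + "; ".join(errors))
    return render_ios(intent)


# Constructed bad intent: the typo and range errors a human would make at the CLI.
BAD_INTENT = {
    "vlans": [{"id": 5000, "name": "oops"}],
    "access_ports": [{"name": "Gi1/0/3", "vlan": 30, "description": "x"}],
}

if __name__ == "__main__":
    print(provision(INTENT))
    print(validate(BAD_INTENT))
```

The point is where the check happens: the bad intent is rejected with three specific reasons before any session to a switch is opened, whereas at the CLI the same mistakes would be discovered, if at all, by the next person to troubleshoot the port.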

Software-driven

Cisco DNA is developed with a software-driven mindset, because new functionality can be developed in software in a fraction of the time it takes in hardware.

The majority of Cisco DNA functions are driven by software, such as:

  • Functions that forward and manipulate traffic flows
  • Centralized control of network elements
  • Intelligent algorithms for optimized operation
  • Programmable ASICs

Cloud-integrated

Using a cloud provider to host applications has a major benefit: it avoids the capital cost of building data center infrastructure and the operational cost of running it.

In Cisco DNA the different cloud models are fully integrated: private clouds, virtual private clouds, hybrid clouds and public cloud environments. This integration is designed into both the transport layer and the control layer of the network.