DNAC

Campus Segmentation and Beyond

Security is top of mind for most companies today. And for good reasons. Every day new major security incidents hit both the private and public sectors. We’re no longer dealing with curious geeks, script kiddies, and smaller groups of cyber criminals. Hacking used to be a niche thing. Today state-sponsored hackers are a reality. Although you cannot guarantee protection from these malicious events, you can try to limit the risk and possibility of their success.

VRF-aware RADIUS with DNAC

DNAC is currently not designed to be VRF-aware with its Network Settings. The AAA server settings are configured with global context regardless of the device management IP being in a VRF. Here is what DNAC provisions for RADIUS:

    aaa new-model
    aaa authentication login default local
    aaa authentication login dnac-cts-list group dnac-client-radius-group local
    aaa authentication dot1x default group dnac-client-radius-group
    aaa authorization exec default local
    aaa authorization network default group dnac-client-radius-group
    aaa authorization network dnac-cts-list group dnac-client-radius-group
    aaa accounting Identity default start-stop group dnac-client-radius-group
    aaa accounting update newinfo periodic 2880
    !

Jinja Templates in DNAC

In this post I will show you some examples of Jinja templates that might inspire you to create your own. As always my focus is centered on how stuff works rather than how you use the product. I will provide a brief overview of the Template Editor, though. For a user guide, please have a look at the official doc: "Create Templates to Automate Device Configuration Changes". One of the main advantages of DNAC is its ability to help you automate certain tasks within your network.

DNAC Code Names

DNA Center has a versioning scheme that uses four digits. At the time of writing the recommended DNAC version is 2.2.3.6.

2.b.c.d - The first digit is the major release which introduces "significant market value, including infrastructure and architectural changes".

a.2.c.d - The second digit is a minor version that includes "new functions and features in the platform". It is categorized as a "new market value" release and also an anchor point for long-lived releases.

DNAC - NIC Bonding

If you are looking to configure NIC bonding for DNAC, this post will show the currently available options for the DN2-HW-APL appliance running DNAC version 2.2.2.6 and newer. Only 10G interfaces are addressed for NIC bonding in this post. If you want to play with 1G interface NIC bonding, have a look at the official documentation.

NOTE! NIC bonding is not supported for the DN1-HW-APL (1st gen DNAC appliance). An apparent reason for this is that the DN1 appliance only comes with a single NIC adapter with two 10G interfaces.

DNAC LAN Automation vs. PnP

The Challenge Operating a network can be a daunting task. Especially when you find yourself manually repeating ordinary work on a regular basis. As a network engineer you are likely to enjoy challenges with protocols and designs rather than unboxing, mounting, and installing hardware. The time spent on this everyday work should be kept at a minimum. In a streamlined network design, the configuration of new equipment should be based on a template with few variables, such as hostname and IP addressing.

SD-Access with Extended Nodes

Unfortunately not all Cisco platforms support SDA. Cisco has chosen these platforms to be extended by SDA to be able to offer both a desktop platform and IoT platforms:

    3560CX
    IE 3300
    IE 3400
    IE 3400H
    IE 4000 series
    IE 5000 series
    Catalyst Digital Building

NOTE! If you plan on using policy, meaning micro segmentation using SGTs, only IE 3400 and IE 3400H are supported as policy extended nodes!

DNAC - SDA Transit with Direct Internet Access

Some companies are established with multiple sites in a small geographic area inter-connected with DWDM, dark fiber, or maybe MPLS. SDA transit could make sense to configure if the MTU (>= 1550 bytes) and latency (~10 ms) allow for it. One advantage of using SDA transit is the end-to-end VXLAN encapsulation, which means we have end-to-end policy for both macro (VN) and micro (SGT) segmentation when using SDA transit.

DNA Center - Discovery - What It Does To Your Devices

In this post I'm using DNAC version 1.3.3.3 to demonstrate what happens when you discover a switch using DNAC. Previously I've written similar posts:

    DNA Center - PnP - What It Does To Your Devices
    DNA Center - Provision - What It Does To Your Devices

Test Case

One simple test case is all we need to see what DNAC does:

    Manually configure a Cat9300 switch
    Add the switch to DNAC using a discovery job

Topology

The below topology is used for this post:

DNA Center - Provision - What It Does To Your Devices

In this post I'm using DNAC version 1.3.3.3 to demonstrate what DNAC does to your device when configuring the network settings in DNAC. Previously I've written similar posts:

    DNA Center - PnP - What It Does To Your Devices
    DNA Center - Discovery - What It Does To Your Devices

Test Case

One simple test case is all we need to see what DNAC does:

    Manually configure a Catalyst 9300 switch
    Add the switch to DNAC manually via inventory

Topology

The below topology is used for this post: