IP Addressing and Segmentation for Enterprises

This post touches upon various approaches to designing an IP addressing plan for an enterprise network. It also deals with segmentation in general, because IP addressing and segmentation depend on each other.

IP Addressing

A typical enterprise network consists of multiple sites of varying sizes that might span a wide geographical area, even international and/or intercontinental. As such, we have different network areas that need IP addresses. At least LAN, WAN, and probably also DC are the areas or building blocks we see in our networks.

Campus Segmentation and Beyond

Security is top of mind for most companies today, and for good reason. Every day new major security incidents hit both the private and public sectors. We’re no longer dealing only with curious geeks, script kiddies, and small groups of cyber criminals. Hacking used to be a niche thing; today state-sponsored attackers are a reality.

Although you cannot guarantee protection from these malicious events, you can limit the risk and the likelihood of their success. Various methods and technologies help narrow the attack surface you expose to threat actors.

VRF-aware RADIUS with DNAC

DNAC is currently not designed to be VRF-aware in its Network Settings. The AAA server settings are configured in the global routing context regardless of whether the device management IP sits in a VRF. Note that the ip radius source-interface lines below carry no VRF binding, so the RADIUS servers must be reachable from the global routing table.

Here is what DNAC provisions for RADIUS:

aaa new-model
aaa authentication login default local
aaa authentication login dnac-cts-list group dnac-client-radius-group local
aaa authentication dot1x default group dnac-client-radius-group
aaa authorization exec default local
aaa authorization network default group dnac-client-radius-group
aaa authorization network dnac-cts-list group dnac-client-radius-group
aaa accounting Identity default start-stop group dnac-client-radius-group
aaa accounting update newinfo periodic 2880
!
aaa server radius dynamic-author
 client 10.0.0.111 server-key <secret>
 client 10.0.0.112 server-key <secret>
!
radius server dnac-radius_10.0.0.111
 address ipv4 10.0.0.111 auth-port 1812 acct-port 1813
 timeout 4
 retransmit 3
 automate-tester username dummy ignore-acct-port probe-on
 pac key <secret>
!
radius server dnac-radius_10.0.0.112
 address ipv4 10.0.0.112 auth-port 1812 acct-port 1813
 timeout 4
 retransmit 3
 automate-tester username dummy ignore-acct-port probe-on
 pac key <secret>
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only
radius-server dead-criteria time 5 tries 3
radius-server deadtime 3
!
aaa group server radius dnac-client-radius-group
 server name dnac-radius_10.0.0.111
 server name dnac-radius_10.0.0.112
 ip radius source-interface Loopback0
!
ip radius source-interface Loopback0

Here my ISE PSNs are 10.0.0.111 and 10.0.0.112.
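As an added check, not part of the original post or of anything DNAC ships, the following Python script parses IOS-style running config into stanzas and reports, for every "aaa group server radius" stanza, whether it is bound to a VRF with "ip vrf forwarding" and which source interface and servers it uses. The sample inputs are constructed: one is the group stanza DNAC provisions above, the other is a hand-corrected variant bound to a management VRF. The VRF name Mgmt-vrf is an assumption.

```python
"""Audit IOS-XE RADIUS server groups for VRF awareness.

Added example, not from the original post or from DNAC. It splits an IOS-style
configuration into top-level stanzas with their indented children, then inspects
each 'aaa group server radius' stanza for an 'ip vrf forwarding <name>' binding.
A group without that binding sources RADIUS from the global routing table, even
when the source interface (Loopback0 in the post) lives in a VRF.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class RadiusGroup:
    name: str
    vrf: str | None = None            # None means the global routing table
    source_interface: str | None = None
    servers: list[str] = field(default_factory=list)


def parse_stanzas(config: str) -> list[tuple[str, list[str]]]:
    """Split IOS-style config into (top-level line, [indented child lines]).

    Lines starting with whitespace belong to the preceding top-level line;
    '!' separators and blank lines are skipped.
    """
    stanzas: list[tuple[str, list[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue
        if raw[0].isspace():
            if stanzas:                   # ignore stray indented lines at the top
                stanzas[-1][1].append(raw.strip())
        else:
            stanzas.append((raw.strip(), []))
    return stanzas


def audit_radius_groups(config: str) -> dict[str, RadiusGroup]:
    """Return one RadiusGroup per 'aaa group server radius' stanza found."""
    groups: dict[str, RadiusGroup] = {}
    for head, children in parse_stanzas(config):
        m = re.fullmatch(r"aaa group server radius (\S+)", head)
        if not m:
            continue
        grp = RadiusGroup(name=m.group(1))
        for line in children:
            if line.startswith("ip vrf forwarding "):
                grp.vrf = line.split()[3]
            elif line.startswith("ip radius source-interface "):
                grp.source_interface = line.split()[3]
            elif line.startswith("server name "):
                grp.servers.append(line.split()[2])
        groups[grp.name] = grp
    return groups


def groups_missing_vrf(config: str) -> list[str]:
    """Names of RADIUS server groups that are not bound to any VRF."""
    return [name for name, g in audit_radius_groups(config).items() if g.vrf is None]


# Constructed input: the group stanza DNAC provisions, as shown in the post.
DNAC_PROVISIONED = """\
aaa group server radius dnac-client-radius-group
 server name dnac-radius_10.0.0.111
 server name dnac-radius_10.0.0.112
 ip radius source-interface Loopback0
!
ip radius source-interface Loopback0
"""

# Constructed input: the same group bound to a management VRF. The VRF name
# Mgmt-vrf is an assumption for this example; IOS-XE binds a server group
# with 'ip vrf forwarding' inside the group stanza.
VRF_AWARE = """\
aaa group server radius dnac-client-radius-group
 server name dnac-radius_10.0.0.111
 server name dnac-radius_10.0.0.112
 ip vrf forwarding Mgmt-vrf
 ip radius source-interface Loopback0
!
ip radius source-interface Loopback0 vrf Mgmt-vrf
"""

if __name__ == "__main__":
    for label, cfg in (("DNAC provisioned", DNAC_PROVISIONED), ("VRF-aware", VRF_AWARE)):
        for g in audit_radius_groups(cfg).values():
            print(f"{label}: group {g.name} vrf={g.vrf or 'global'} "
                  f"source={g.source_interface} servers={g.servers}")
```

Run it against a saved running-config to find groups that DNAC pushed without a VRF binding; groups_missing_vrf returns the DNAC group for the first input and nothing for the corrected one.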

Jinja Templates in DNAC

In this post I will show you some examples of Jinja templates that might inspire you to create your own. As always my focus is centered on how stuff works rather than how you use the product. I will provide a brief overview of the Template Editor, though. For a user guide, please have a look at the official doc: Create Templates to Automate Device Configuration Changes

One of the main advantages of DNAC is its ability to help you automate certain tasks within your network, one of which is configuration changes. Here DNAC ensures consistent configuration pushes to your devices while bringing automation capabilities to the table.

DNAC Code Names

DNA Center has a versioning scheme that uses four digits. At the time of writing the recommended DNAC version is 2.2.3.6.

2.b.c.d - The first digit is the major release, which introduces “significant market value, including infrastructure and architectural changes”
a.2.c.d - The second digit is a minor version that includes “new functions and features in the platform”. It is categorized as a “new market value” release and is also an anchor point for long-lived releases
a.b.3.d - The third digit represents “new functions in applications” and is categorized as a “minor-minor” release
a.b.c.6 - The fourth digit is the patch level. You should only see bug fixes in these releases, but Cisco states that you could see “enhancements to existing functions introduced in a previous feature release”, which I interpret as enhancements from a “minor-minor” release

CCDE Journey

CCDE is one of the most sought-after and valuable IT certifications today. It used to be very service provider focused. The current version, CCDEv3, was launched November 2, 2021 and changed radically in terms of technology coverage. This version also adds the AoE (Area of Expertise) scenarios of choice, meaning you choose one scenario from three different technology areas:

  • Large Scale Networks
  • On-Prem and Cloud Services
  • Workforce Mobility

To become a CCDE you must pass a written exam and a practical exam, in that order. I started on my own almost two years ago by studying for the CCDEv2 written. My first attempt was on November 2, 2020. It was a fail, but a good attempt, because I got a feeling of what it was all about. At this point I didn’t know if I would ever be able to finish the study and become certified. After I talked with my boss about my goal, he mentioned that one of my colleagues also thought about going after this cert. We teamed up and started reading book after book after book… On March 26, 2021 we both passed written. Both of us got very motivated and started a more structured approach of reading every single reference of study materials on the official recommended reading list… We also booked the CCDEv2 practical exam at Pearson VUE on several occasions, but due to the travel restrictions caused by the pandemic, we had to cancel each time. In the end we decided to give up on the CCDEv2 and go for the CCDEv3. Our reading started focusing on the v3 topics and its learning matrix. Never in my life had I read so much before and taken so many notes. Some of the books we even read several times. This is where self-discipline comes into play and having a study group or partner is a must. Especially with CCDE compared to CCIE, because you’ll not be able to assess yourself by labbing stuff. That’s not what the CCDE is about.

MPLS VPNs vs. VRF-lite

Segmentation is becoming increasingly critical as part of securing a network. In this article I will compare MPLS VPNs to VRF-lite. Both are ways to segment a network logically at L3 using VNs (VRFs).

Many years ago when I was new to networking technologies I had some fear of “MPLS”. I was biased and I thought of MPLS as something insanely complicated that only service providers used in their network to magically interconnect large companies. Later when I started learning about MPLS and its operations I realized that I was prejudiced only due to fear of the unknown.

DNAC - NIC Bonding

If you are looking to configure NIC bonding for DNAC, this post will show the currently available options for the DN2-HW-APL appliance running DNAC version 2.2.2.6 and newer. Only 10G interfaces are addressed for NIC bonding in this post. If you want to play with 1G interface NIC bonding, have a look at the official documentation.

NOTE! NIC bonding is not supported for the DN1-HW-APL (1st gen DNAC appliance). The apparent reason is that the DN1 appliance only comes with a single NIC adapter with two 10G interfaces, and Cisco wants the bond to be configured across two different physical NIC adapters.

Practice Documentation

Introduction

We all know how daunting it can be to create and maintain documentation. Yet, when it is missing, we get frustrated. There is a standing joke regarding documentation:

Documentation is like sex. When it's good, it's very good. When it's bad, it's still better than nothing.

Nevertheless, I believe we can all agree that documentation is a requirement for any system. Having good, up-to-date documentation provides the following benefits:

DNAC LAN Automation vs. PnP

The Challenge

Operating a network can be a daunting task, especially when you find yourself manually repeating ordinary work on a regular basis. As a network engineer you are likely to enjoy challenges with protocols and designs rather than unboxing, mounting, and installing hardware. The time spent on this everyday work should be kept to a minimum. In a streamlined network design, the configuration of new equipment should be based on a template with few variables, such as hostname and IP addressing. Many companies already practice using templates, but for the most part the engineer must still manually adjust these variables, or at best some advanced Excel spreadsheet or flat text file is used with a manual search and replace to build new configurations. Next, the device is powered up, connected to with a console cable, and the newly built configuration is pasted into the device before installing it in its final location. Oh, and now both software upgrade and licensing tasks must be performed to be compliant. The workflow is manual, time consuming, and worst of all error prone due to the inevitable human factor.