1
00:00:06,870 --> 00:00:08,940
- [Instructor] The Cisco
Digital Network Architecture,

2
00:00:08,940 --> 00:00:11,966
otherwise known as DNA, is also referred to

3
00:00:11,966 --> 00:00:14,560
as intent-based networking.

4
00:00:14,560 --> 00:00:17,640
Now, the DNA solution provides automation,

5
00:00:17,640 --> 00:00:20,300
assuring services across campus networks,

6
00:00:20,300 --> 00:00:22,930
wide area networks, and
also branch networks,

7
00:00:22,930 --> 00:00:26,430
so also including remote branch offices.

8
00:00:26,430 --> 00:00:28,940
Now this solution is based on open

9
00:00:28,940 --> 00:00:31,090
and very extensible platforms,

10
00:00:31,090 --> 00:00:34,150
and provides the policy, automation

11
00:00:34,150 --> 00:00:36,993
and analytics capabilities
that I'm actually showing here

12
00:00:36,993 --> 00:00:38,010
in this screen.

13
00:00:38,010 --> 00:00:43,010
So basically at the heart
of the DNA solution,

14
00:00:43,030 --> 00:00:46,850
DNAC, or the DNA Center,
is basically the command

15
00:00:46,850 --> 00:00:48,580
and control element that actually provides

16
00:00:48,580 --> 00:00:50,333
that centralized management.

17
00:00:51,200 --> 00:00:52,900
Now, regarding the management,

18
00:00:52,900 --> 00:00:55,720
it can be done through dashboards

19
00:00:55,720 --> 00:00:57,680
as you actually are seeing in the screen,

20
00:00:57,680 --> 00:01:01,180
and I'm doing a quick demo
here of the DNA Center.

21
00:01:01,180 --> 00:01:06,180
But the more robust
capability for DNA Center is

22
00:01:06,580 --> 00:01:11,220
actually the extensive
APIs that it offers, right?

23
00:01:11,220 --> 00:01:13,400
So you can actually automate a lot

24
00:01:13,400 --> 00:01:17,460
and integrate many, many
different other solutions

25
00:01:17,460 --> 00:01:22,070
like the Cisco Identity
Services Engine and many others.

26
00:01:22,070 --> 00:01:22,903
Now in this screen I'm

27
00:01:22,903 --> 00:01:25,334
actually just showing the ISE configured

28
00:01:25,334 --> 00:01:28,270
as an authentication,
authorization and accounting,

29
00:01:28,270 --> 00:01:31,354
or AAA server in that Cisco DNA Center

30
00:01:31,354 --> 00:01:33,400
and network settings screens.

31
00:01:33,400 --> 00:01:35,380
For the exam you don't need

32
00:01:35,380 --> 00:01:39,100
to know all the different
configurations for DNA Center.

33
00:01:39,100 --> 00:01:44,100
However, Cisco has a lot of
sandboxes and active demos

34
00:01:44,671 --> 00:01:48,520
that you can take
advantage of at DevNet,

35
00:01:48,520 --> 00:01:51,420
and are the links that I'm
actually sharing in the screen.

36
00:01:52,610 --> 00:01:55,010
Now let's go back to the
Cisco DNA Policies, right?

37
00:01:55,010 --> 00:01:59,070
So policies created in the
DNA Center can actually

38
00:01:59,070 --> 00:02:02,210
be group-based access control policies,

39
00:02:02,210 --> 00:02:04,400
IP-based Access Control policies,

40
00:02:04,400 --> 00:02:06,400
Application access control policies,

41
00:02:06,400 --> 00:02:09,040
and also Traffic Copy policies.

42
00:02:09,040 --> 00:02:11,520
And basically here I'm
actually showing the DNA Center

43
00:02:11,520 --> 00:02:12,410
Policy Dashboard.

44
00:02:12,410 --> 00:02:15,680
There you can actually see the
number of virtual networks,

45
00:02:15,680 --> 00:02:18,290
group-based access control policies,

46
00:02:18,290 --> 00:02:21,849
the IP access control
policies, and many others.

47
00:02:21,849 --> 00:02:25,170
Now, whenever you configure group-based

48
00:02:25,170 --> 00:02:26,530
access control policies,

49
00:02:26,530 --> 00:02:29,600
you need to integrate the Cisco ISE.

50
00:02:29,600 --> 00:02:33,570
So the Cisco Identity Service
Engine with the DNA Center.

51
00:02:33,570 --> 00:02:35,960
Now, in ISE you can actually configure the

52
00:02:35,960 --> 00:02:39,246
work process setting as a Single Matrix.

53
00:02:39,246 --> 00:02:41,350
Now I'm going a little bit beyond

54
00:02:41,350 --> 00:02:45,900
of what probably you will
see in the text in the exam,

55
00:02:45,900 --> 00:02:49,910
because there are
concentration exams for CCNP

56
00:02:49,910 --> 00:02:53,730
or the CCIE lab will absolutely concentrate

57
00:02:53,730 --> 00:02:56,990
on the configuration and troubleshooting

58
00:02:56,990 --> 00:02:59,460
of the deployment of DNA Center,

59
00:02:59,460 --> 00:03:02,310
and the underlying network capabilities.

60
00:03:02,310 --> 00:03:04,630
Now, another thing that
I want to highlight is

61
00:03:04,630 --> 00:03:07,130
that depending on the
organization environment

62
00:03:07,130 --> 00:03:08,170
and access requirements,

63
00:03:08,170 --> 00:03:09,840
you can actually segregate your groups

64
00:03:09,840 --> 00:03:12,030
into different virtual networks

65
00:03:12,030 --> 00:03:14,330
to provide further segmentation.

66
00:03:14,330 --> 00:03:17,710
So whenever you integrate
ISE with the DNA Center,

67
00:03:17,710 --> 00:03:19,540
the scalable groups that actually exist

68
00:03:19,540 --> 00:03:23,730
in ISE are propagated to the
DNA Center configuration.

69
00:03:23,730 --> 00:03:28,300
So if a scalable group that
you need does not exist,

70
00:03:28,300 --> 00:03:30,830
you can actually create it in Cisco ISE,

71
00:03:30,830 --> 00:03:34,500
and it will then be
propagated to DNA Center.

72
00:03:34,500 --> 00:03:36,320
Now DNA Center also has the concept

73
00:03:36,320 --> 00:03:38,200
of Access Control Contracts,

74
00:03:38,200 --> 00:03:41,780
and a contract specifies
a set of rules that allow

75
00:03:41,780 --> 00:03:43,810
or deny network traffic,

76
00:03:43,810 --> 00:03:47,730
based on such traffic
matching a particular protocol

77
00:03:47,730 --> 00:03:49,780
or a particular port.

78
00:03:49,780 --> 00:03:53,320
Now, as I mentioned to you,
you can also configure IP-based

79
00:03:53,320 --> 00:03:56,820
access control policies as
I'm actually showing in here.

80
00:03:56,820 --> 00:04:01,351
You can also configure Application
policies in DNA Center,

81
00:04:01,351 --> 00:04:06,330
and these policies allow you
to provide things like quality

82
00:04:06,330 --> 00:04:07,340
of service capabilities,

83
00:04:07,340 --> 00:04:10,390
but also application awareness
capabilities as well.

84
00:04:10,390 --> 00:04:12,250
Now in DNA Center
applications can be grouped

85
00:04:12,250 --> 00:04:15,380
into logical groups
called Application Sets.

86
00:04:15,380 --> 00:04:17,350
These Application Sets can then

87
00:04:17,350 --> 00:04:22,070
be assigned a business
relevance within a policy.

88
00:04:22,070 --> 00:04:25,880
You may also map applications
to industry standards,

89
00:04:25,880 --> 00:04:28,925
traffic classes that are
defined in standards,

90
00:04:28,925 --> 00:04:33,020
like the RFC 4594 for example.

91
00:04:33,020 --> 00:04:35,770
Another thing that you can
configure in the Cisco DNA Center

92
00:04:35,770 --> 00:04:39,930
is the use of Encapsulated
Remote Switched Port Analyzer,

93
00:04:39,930 --> 00:04:40,763
or ERSPAN.

94
00:04:42,030 --> 00:04:47,030
And basically that allows you
so that the IP traffic flow

95
00:04:47,170 --> 00:04:49,715
between two entities is actually copied

96
00:04:49,715 --> 00:04:54,570
to a given destination for
monitoring or troubleshooting.

97
00:04:54,570 --> 00:04:57,770
So in order for you to
actually configure ERSPAN

98
00:04:57,770 --> 00:05:00,338
using DNA Center, you need
to create a traffic control

99
00:05:00,338 --> 00:05:05,000
or Traffic Copy policy rather
that defines the source

100
00:05:05,000 --> 00:05:08,600
and destination of the traffic
flow that you want to copy.

101
00:05:08,600 --> 00:05:11,690
Now, the Cisco DNAC Assurance
solution also allows you

102
00:05:11,690 --> 00:05:15,070
to configure sensors to test the health

103
00:05:15,070 --> 00:05:17,813
of networking devices like
wireless networks, right?

104
00:05:17,813 --> 00:05:21,150
A wireless network
includes things like APs,

105
00:05:21,150 --> 00:05:25,380
WLAN configurations, wireless
network services and so on.

106
00:05:25,380 --> 00:05:29,170
Now sensors can be
either dedicated sensors

107
00:05:29,170 --> 00:05:31,040
or on-demand sensors.

108
00:05:31,040 --> 00:05:33,910
And a dedicated sensor is
actually whenever you configure

109
00:05:33,910 --> 00:05:37,240
an access point or an AP,
and then it's converted

110
00:05:37,240 --> 00:05:40,601
into a sensor and it basically
stays in sensor mode.

111
00:05:40,601 --> 00:05:44,550
And it's not basically used
for serving wireless clients,

112
00:05:44,550 --> 00:05:47,660
unless it actually manually
is converted back to AP mode.

113
00:05:47,660 --> 00:05:49,640
So you have to keep that in consideration,

114
00:05:49,640 --> 00:05:52,063
because if you actually configure an AP

115
00:05:52,063 --> 00:05:54,960
as a dedicated sensor,
that's the only thing

116
00:05:54,960 --> 00:05:55,840
that it will actually do.

117
00:05:55,840 --> 00:05:57,540
It will not serve any clients,

118
00:05:57,540 --> 00:05:59,210
or no clients will terminate to that.

119
00:05:59,210 --> 00:06:03,670
So you have to think about
that in your deployment.

120
00:06:03,670 --> 00:06:05,890
Now, an on-demand sensor
is actually whenever

121
00:06:05,890 --> 00:06:10,275
an AP is temporarily
converted into a sensor

122
00:06:10,275 --> 00:06:13,020
to run tests, and after
the tests are complete,

123
00:06:13,020 --> 00:06:15,888
the sensor actually goes back to AP mode.

124
00:06:15,888 --> 00:06:19,080
Now, as I mentioned before,
one of the key benefits

125
00:06:19,080 --> 00:06:23,260
of the Cisco DNA Center
is the comprehensive APIs

126
00:06:23,260 --> 00:06:24,810
that are available.

127
00:06:24,810 --> 00:06:27,540
They also call them intent APIs, right?

128
00:06:27,540 --> 00:06:31,370
But these intent APIs
are northbound REST APIs

129
00:06:31,370 --> 00:06:33,620
that expose the specific capabilities

130
00:06:33,620 --> 00:06:37,260
of the Cisco DNAC, or
Cisco DNA Center Platform.

131
00:06:37,260 --> 00:06:40,700
And these APIs provide
policy-based abstraction

132
00:06:40,700 --> 00:06:43,590
of business intent, so what
you want to actually do,

133
00:06:43,590 --> 00:06:46,630
and then allows you to focus
on an outcome to achieve,

134
00:06:46,630 --> 00:06:49,200
instead of struggling with
a lot of the mechanisms

135
00:06:49,200 --> 00:06:51,850
that are part of the implementation,

136
00:06:51,850 --> 00:06:54,280
and of course you can actually automate

137
00:06:54,280 --> 00:06:57,140
and perform an extensible
architecture, right?

138
00:06:57,140 --> 00:06:59,330
And at the end of the
day it will allow you

139
00:06:59,330 --> 00:07:01,420
to be consistent,

140
00:07:01,420 --> 00:07:05,873
and consistency also
drives towards security.

