1 00:00:06,850 --> 00:00:08,900 - [Instructor] The Cisco digital network architecture, 2 00:00:08,900 --> 00:00:10,550 otherwise known as DNA, 3 00:00:10,550 --> 00:00:14,211 is also referred to as intent-based networking. 4 00:00:14,211 --> 00:00:18,640 Now, the DNA solution provides automation assurance services 5 00:00:18,640 --> 00:00:21,540 across campus networks, wide area networks, 6 00:00:21,540 --> 00:00:22,900 and also branch networks. 7 00:00:22,900 --> 00:00:26,420 So also including remote branch offices. 8 00:00:26,420 --> 00:00:28,541 Now this solution is based on open 9 00:00:28,541 --> 00:00:30,592 and very extensible platforms 10 00:00:30,592 --> 00:00:33,800 and provides the policy automation 11 00:00:33,800 --> 00:00:35,910 and analytics capabilities 12 00:00:35,910 --> 00:00:37,980 that I'm actually showing here in the screen. 13 00:00:37,980 --> 00:00:42,318 So basically at the heart of the DNA solution 14 00:00:42,318 --> 00:00:45,630 the DNAC, or the DNA Center, 15 00:00:45,630 --> 00:00:47,570 is basically the command and control element 16 00:00:47,570 --> 00:00:50,450 that actually provides that centralized management. 17 00:00:50,450 --> 00:00:52,860 Now regarding the management, 18 00:00:52,860 --> 00:00:55,700 it can be done through dashboards 19 00:00:55,700 --> 00:00:57,650 as you actually are seeing in the screen. 20 00:00:57,650 --> 00:01:01,150 And I'm doing a quick demo here of the DNA Center, 21 00:01:01,150 --> 00:01:06,150 but the more robust capability for DNA Centers 22 00:01:06,430 --> 00:01:09,002 is actually the extensive APIs 23 00:01:09,002 --> 00:01:11,190 that, you know, it offers, right? 24 00:01:11,190 --> 00:01:13,380 So you can actually automate a lot 25 00:01:13,380 --> 00:01:17,440 and integrate many, many different other solutions 26 00:01:17,440 --> 00:01:19,870 like the Cisco identity service engine 27 00:01:19,870 --> 00:01:22,050 and you know, many others. 
28 00:01:22,050 --> 00:01:22,883 Now in this screen, 29 00:01:22,883 --> 00:01:25,870 I'm actually just showing the ISE configured 30 00:01:25,870 --> 00:01:28,240 as an authentication, authorization, and accounting 31 00:01:28,240 --> 00:01:31,750 or AAA server in that Cisco DNA Center 32 00:01:31,750 --> 00:01:33,360 and network setting screens, you know. 33 00:01:33,360 --> 00:01:35,970 For the exam, you don't need to know 34 00:01:35,970 --> 00:01:39,070 all the different configurations for DNA Center. 35 00:01:39,070 --> 00:01:44,070 However, Cisco has a lot of sandboxes and active demos 36 00:01:45,370 --> 00:01:48,490 that you can take advantage of at DevNet 37 00:01:48,490 --> 00:01:51,340 and at the links that I'm actually sharing in the screen. 38 00:01:52,570 --> 00:01:54,970 Now let's go back to the Cisco DNA policies, right? 39 00:01:54,970 --> 00:01:58,500 So policies created in the DNA Center 40 00:01:58,500 --> 00:02:01,730 can actually be group-based access control policies, 41 00:02:01,730 --> 00:02:04,380 IP-based access control policies, 42 00:02:04,380 --> 00:02:06,550 application access control policies, 43 00:02:06,550 --> 00:02:08,950 and also traffic copy policies. 44 00:02:08,950 --> 00:02:10,030 And basically here, 45 00:02:10,030 --> 00:02:12,380 I'm actually showing the DNA Center policy dashboard. 46 00:02:12,380 --> 00:02:15,650 There, you can actually see the number of virtual networks, 47 00:02:15,650 --> 00:02:18,280 group-based access control policies, 48 00:02:18,280 --> 00:02:22,103 the IP access control policies, and many others. 49 00:02:23,150 --> 00:02:24,270 Now whenever you configure 50 00:02:24,270 --> 00:02:26,500 group-based access control policies, 51 00:02:26,500 --> 00:02:29,560 you need to integrate the Cisco ISE. 52 00:02:29,560 --> 00:02:33,550 So the Cisco identity service engine with the DNA Center.
53 00:02:33,550 --> 00:02:34,700 Now, in ISE, 54 00:02:34,700 --> 00:02:37,760 you can actually configure the work process setting 55 00:02:37,760 --> 00:02:39,590 as a single matrix. 56 00:02:39,590 --> 00:02:41,320 Now I'm going a little bit beyond 57 00:02:41,320 --> 00:02:45,880 of what probably you will see in the text in the exam, 58 00:02:45,880 --> 00:02:48,510 because, you know, there are concentration exams 59 00:02:48,510 --> 00:02:51,290 for CCNP or the CCIE lab 60 00:02:51,290 --> 00:02:55,660 will absolutely concentrate on the configuration 61 00:02:55,660 --> 00:02:59,460 and troubleshooting of the deployment of DNA Center 62 00:02:59,460 --> 00:03:02,290 and the underlying network capabilities. 63 00:03:02,290 --> 00:03:04,790 Now, another thing that I want to highlight is that, 64 00:03:04,790 --> 00:03:07,090 depending on the organization environment 65 00:03:07,090 --> 00:03:08,160 and access requirements, 66 00:03:08,160 --> 00:03:09,810 you can actually segregate your groups 67 00:03:09,810 --> 00:03:12,010 into different virtual networks 68 00:03:12,010 --> 00:03:14,300 to provide further segmentation. 69 00:03:14,300 --> 00:03:17,339 So whenever you integrate ISE with the DNA Center 70 00:03:17,339 --> 00:03:20,070 the scalable groups that actually exist in ISE 71 00:03:20,070 --> 00:03:23,720 are propagated to the DNA Center configuration. 72 00:03:23,720 --> 00:03:28,290 So if a scalable group that you need does not exist, 73 00:03:28,290 --> 00:03:30,800 you can actually create it in Cisco ISE, 74 00:03:30,800 --> 00:03:34,480 and it will then be propagated to DNA Center.
75 00:03:34,480 --> 00:03:36,300 Now DNA Center also has the concept 76 00:03:36,300 --> 00:03:38,170 of access control contracts, 77 00:03:38,170 --> 00:03:41,160 and a contract specifies a set of rules 78 00:03:41,160 --> 00:03:43,402 that allow or deny network traffic, 79 00:03:43,402 --> 00:03:47,700 based on such traffic matching a particular protocol 80 00:03:47,700 --> 00:03:49,750 or a particular port. 81 00:03:49,750 --> 00:03:50,870 Now, as I mentioned to you, 82 00:03:50,870 --> 00:03:54,650 you can also configure IP based access control policies, 83 00:03:54,650 --> 00:03:56,800 as I'm actually showing in here. 84 00:03:56,800 --> 00:04:01,650 You can also configure application policies in DNA Center. 85 00:04:01,650 --> 00:04:05,820 And these, you know, policies allow you to provide things 86 00:04:05,820 --> 00:04:07,330 like quality of service capabilities, 87 00:04:07,330 --> 00:04:10,032 but also application awareness capabilities as well. 88 00:04:10,032 --> 00:04:12,220 Now in DNA Center, applications can be grouped 89 00:04:12,220 --> 00:04:15,360 into logical groups called application sets. 90 00:04:15,360 --> 00:04:19,020 These application sets can then be assigned 91 00:04:19,020 --> 00:04:22,040 a business relevance within the policy. 92 00:04:22,040 --> 00:04:24,240 You may also map applications 93 00:04:24,240 --> 00:04:27,430 to industry standards traffic classes 94 00:04:27,430 --> 00:04:29,230 that are defined in standards 95 00:04:29,230 --> 00:04:33,010 like the RFC 4594, for example. 96 00:04:33,010 --> 00:04:35,750 Another thing that you can configure in the Cisco DNA Center 97 00:04:35,750 --> 00:04:39,910 is the use of Encapsulated Remote Switch Port Analyzer, 98 00:04:39,910 --> 00:04:40,893 or ERSPAN. 
99 00:04:42,000 --> 00:04:44,890 And basically that allows you, 100 00:04:44,890 --> 00:04:47,150 so that the IP traffic flow 101 00:04:47,150 --> 00:04:49,602 between two entities is actually copied 102 00:04:49,602 --> 00:04:54,550 to a given destination for monitoring or troubleshooting. 103 00:04:54,550 --> 00:04:57,740 So in order for you to actually configure ERSPAN 104 00:04:57,740 --> 00:04:58,670 using DNA Center, 105 00:04:58,670 --> 00:05:00,750 you need to create a traffic control, 106 00:05:00,750 --> 00:05:02,780 or traffic copy policy rather, 107 00:05:02,780 --> 00:05:06,160 that defines the source and destination 108 00:05:06,160 --> 00:05:08,990 of the traffic flow that you want to copy. 109 00:05:08,990 --> 00:05:12,090 Now, the Cisco DNAC assurance solution also allows you 110 00:05:12,090 --> 00:05:13,810 to configure sensors, 111 00:05:13,810 --> 00:05:16,310 to test the health of networking devices 112 00:05:16,310 --> 00:05:18,100 like wireless networks, right? 113 00:05:18,100 --> 00:05:19,700 A wireless network includes things 114 00:05:19,700 --> 00:05:23,000 like APs, WLAN configurations, you know, 115 00:05:23,000 --> 00:05:25,360 wireless network services, and so on. 116 00:05:25,360 --> 00:05:28,648 Now sensors can be either dedicated sensors 117 00:05:28,648 --> 00:05:31,020 or on demand sensor. 118 00:05:31,020 --> 00:05:32,770 And a dedicated sensor is actually 119 00:05:32,770 --> 00:05:36,040 whenever you configure an access point or an AP 120 00:05:36,040 --> 00:05:38,060 and then it's converted into a sensor, 121 00:05:38,060 --> 00:05:40,870 and it basically stays in sensor mode, 122 00:05:40,870 --> 00:05:44,358 and it's not basically used for serving wireless clients, 123 00:05:44,358 --> 00:05:47,650 unless it actually manually is converted back to AP mode. 
124 00:05:47,650 --> 00:05:49,890 So you have to keep that in consideration because 125 00:05:49,890 --> 00:05:54,130 if you actually configure an AP as a dedicated sensor 126 00:05:54,130 --> 00:05:55,830 that's the only thing that it will actually do. 127 00:05:55,830 --> 00:05:57,740 It will not serve any clients. 128 00:05:57,740 --> 00:05:59,200 No clients will terminate to that. 129 00:05:59,200 --> 00:06:01,749 So you have to think about that for, 130 00:06:01,749 --> 00:06:03,650 you know, in your deployment. 131 00:06:03,650 --> 00:06:05,430 Now, an on-demand sensor is actually 132 00:06:05,430 --> 00:06:08,830 whenever an AP is temporarily converted 133 00:06:08,830 --> 00:06:11,590 into a sensor to run tests, 134 00:06:11,590 --> 00:06:13,010 and after the tests are complete, 135 00:06:13,010 --> 00:06:15,773 the sensor actually goes back to AP mode. 136 00:06:16,700 --> 00:06:17,870 Now, as I mentioned before, 137 00:06:17,870 --> 00:06:20,560 one of the key benefits of the Cisco DNA Center is 138 00:06:20,560 --> 00:06:24,780 the comprehensive APIs that are available. 139 00:06:24,780 --> 00:06:27,520 They also call them intent APIs, right? 140 00:06:27,520 --> 00:06:31,340 But these intent APIs are northbound REST APIs 141 00:06:31,340 --> 00:06:34,440 that expose specific capabilities of the, you know, 142 00:06:34,440 --> 00:06:37,250 Cisco DNAC or Cisco DNA Center platform.
143 00:06:37,250 --> 00:06:40,016 And these APIs provide policy based abstraction 144 00:06:40,016 --> 00:06:41,870 of business intent, 145 00:06:41,870 --> 00:06:43,560 so what you want to actually do, 146 00:06:43,560 --> 00:06:46,136 and then allows you to focus on an outcome to achieve 147 00:06:46,136 --> 00:06:48,090 instead of struggling with, you know, 148 00:06:48,090 --> 00:06:50,610 a lot of the mechanisms that are, you know, 149 00:06:50,610 --> 00:06:51,840 part of the implementation, you know, 150 00:06:51,840 --> 00:06:54,240 of course you can actually automate, you know, 151 00:06:54,240 --> 00:06:56,797 and perform an extensible architecture, right? 152 00:06:56,797 --> 00:06:58,410 And at the end of the day, 153 00:06:58,410 --> 00:07:01,410 it will allow you to be consistent, 154 00:07:01,410 --> 00:07:05,853 and consistency also, you know, drives towards security.