Skills to Operate & Troubleshoot a Cisco DNA deployment.

In this first post on Cisco DNA, I want to break down the engineering skills required to successfully deploy, operate and troubleshoot a Cisco DNA deployment.

First off, let us have a look at all the basic components that make up a Cisco DNA deployment. I understand there are some terms here which you might not be familiar with at this stage.

1. Cisco DNA Appliance (these come in 3 sizes: S, M and L); they are basically Cisco UCS servers with a Cisco DNA badge attached to the front. There is currently no virtual option, and it is unlikely there will be. Based on the size of your deployment, you’ll choose the appliance size accordingly.

2. Cisco ISE. Unlike Cisco DNA, Cisco ISE comes as either a VM or a hardware appliance. Again, based on the size of your deployment, you’ll choose the size accordingly.

3. Some Cisco Catalyst 9000 switches. Given that the end game is to connect devices and users, we obviously need some switches. Cisco recommend either the Catalyst 9300 or 9500 product line; these will act as Borders, Edges or Intermediates – don’t worry, we’ll get to the terminology later.

4. Depending on the size of your deployment, you may also want a dedicated Cisco Catalyst WLC. The other alternative is to use the Embedded WLC. And of course, to go along with the WLC, you need some APs – preferably ones that are 802.11ax capable 😁

5. A device (it can be a router or a switch) which will be used for the function of a ‘Fusion Router’. Cisco use the term ‘Fusion Router’ for the device that facilitates communication between Fabric and Non-Fabric devices – the Fusion Router being Non-Fabric, and something like a Border being Fabric. Technically you can use any device for this, but it does need to support BGP, which is used for the VN/VRF-Lite hand-off.

6. Existing infrastructure services running AD, DNS, DHCP, NTP. Chances are, you’ll have an existing Active Directory domain with all these services already running. These are needed for various functions within Cisco DNA and Cisco ISE.

Now that we have this basic shopping list, let us go into some of the skills which I believe you need to possess to successfully deploy all of the above. These aren’t written in any particular order.

1. First off, you need to have an understanding of IS-IS, given that one of the first tasks to deploy Cisco DNA is to create the underlay. The first skill you should have is configuring basic IS-IS. You don’t need to understand IS-IS to a deep level, but some basic show commands are useful.

2. Next up on the list is redistribution. Given that we run IS-IS in the underlay, and with the strong possibility that you are not running IS-IS as your preferred enterprise IGP, we need to redistribute. You really only need to understand how basic mutual redistribution works. In my experience, using Route-Maps to control the entire In->Out / Out->In process ensures any nasty routing loops can be avoided. Depending on which IGP you’re coming from or going to, you may also need to play around with metrics and with AD (Administrative Distance). All in all though, if you have two entry and exit points into and out of the Fabric, you shouldn’t have too much to worry about. It’s always best to KISS (keep it simple, stupid).
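To make points 1 and 2 concrete, here is an added example (my own illustration, not configuration taken from a Cisco DNA deployment) of a basic IS-IS underlay on a border node plus tagged mutual redistribution with an enterprise OSPF process. The process names, NET, interface numbers, tag values and prefixes are all assumed.

```cisco
! Added example: IS-IS underlay plus tagged mutual redistribution with OSPF.
! Process names, NET, interfaces, tag values and prefixes are assumed values.
!
router isis UNDERLAY
 net 49.0001.0000.0000.0001.00
 is-type level-2-only
 ! wide metrics are required for IS-IS to carry route tags
 metric-style wide
 log-adjacency-changes
!
interface TenGigabitEthernet1/0/1
 description Underlay uplink towards intermediate node
 ip address 10.0.0.1 255.255.255.254
 ip router isis UNDERLAY
 isis network point-to-point
!
! Routes learned from OSPF get tag 100 on their way into IS-IS, routes
! learned from IS-IS get tag 200 on their way into OSPF. Each direction
! first denies the other direction's tag, so a prefix is never fed back
! into the protocol it originally came from (the classic redistribution loop).
route-map OSPF-TO-ISIS deny 10
 match tag 200
route-map OSPF-TO-ISIS permit 20
 set tag 100
!
route-map ISIS-TO-OSPF deny 10
 match tag 100
route-map ISIS-TO-OSPF permit 20
 set tag 200
!
router isis UNDERLAY
 redistribute ospf 1 route-map OSPF-TO-ISIS metric-type internal level-2
!
router ospf 1
 router-id 10.0.0.1
 redistribute isis UNDERLAY level-2 subnets route-map ISIS-TO-OSPF
!
! Basic checks: adjacency state, and which tagged prefixes ended up where.
! show isis neighbors
! show ip route tag 100
! show ip route tag 200
```

With two borders doing this, the same prefix can legitimately be learned by a border from both protocols; the tags stop it looping, and AD (IS-IS 115 versus OSPF 110 by default on IOS) decides which copy that border installs locally. If you ever see a prefix carrying the ‘wrong’ tag in `show ip route tag`, the deny entries in the route-maps are not matching and that is the first place to look.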

3. The last ‘traditional’ routing skill you need is BGP. As I said earlier in the post, the Fusion Router is your hand-off device from Fabric to Non-Fabric, and this is all achieved through BGP and VRF-Lite (basically VRF without MPLS).
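As an added example of what that hand-off looks like on the Non-Fabric side (again my own illustration, not configuration generated by Cisco DNA), here is one Virtual Network handed off to a Fusion Router with VRF-Lite: one 802.1Q sub-interface and one eBGP session per VN. The VN name, VLAN ID, AS numbers, RD and addresses are assumed.

```cisco
! Added example: Fusion Router side of a VRF-Lite hand-off for one VN.
! VN name, VLAN, ASNs, RD and addresses are assumed values.
!
vrf definition CAMPUS_USERS
 rd 65002:100
 address-family ipv4
 exit-address-family
!
interface TenGigabitEthernet0/0/0
 description Trunk towards fabric border
 no ip address
!
! One sub-interface per VN; the VLAN tag keeps each VN's traffic separate
! without needing MPLS between the border and the Fusion Router.
interface TenGigabitEthernet0/0/0.100
 description VN CAMPUS_USERS hand-off from border
 encapsulation dot1Q 100
 vrf forwarding CAMPUS_USERS
 ip address 10.255.0.2 255.255.255.252
!
router bgp 65002
 bgp log-neighbor-changes
 ! One eBGP session per VN, inside that VN's VRF
 address-family ipv4 vrf CAMPUS_USERS
  neighbor 10.255.0.1 remote-as 65001
  neighbor 10.255.0.1 description Fabric border, VN CAMPUS_USERS
  neighbor 10.255.0.1 activate
  ! Shared-services prefix (AD/DNS/DHCP) advertised into the VN; it must
  ! already be present in this VRF's routing table for BGP to originate it
  network 10.200.0.0 mask 255.255.255.0
 exit-address-family
!
! Basic checks: session state and what the VN actually learned.
! show ip bgp vpnv4 vrf CAMPUS_USERS summary
! show ip route vrf CAMPUS_USERS bgp
```

Every extra VN you create in Cisco DNA means another sub-interface, another VRF and another BGP session on the Fusion Router, which is why keeping the number of VNs small pays off here.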

4. Now we get into the more interesting side of things. Let’s start with ISE. Before I started looking at Cisco DNA, I had never seen ISE. It’s a huge product, and does a whole ton of things – a quick Google search defines ISE as “ISE enables a dynamic and automated approach to policy enforcement that simplifies the delivery of highly secure network access control” – essentially it’s an AAA server on steroids… Anyway, the learning curve can be steep, and I have learned a fair amount in the short time I’ve been playing with it. For the most part, Cisco DNA does a fine job of getting you started, but you’ll soon want to write more complex policies. I think for a successful deployment, you at least need to understand the following ISE topics: Policies, pxGrid, 802.1X, TrustSec and Profiling. Again, ISE is huge, and I could go on, but those are the basic things you need to understand.

5. LISP. Given that LISP is the Control Plane used within the fabric, I think it’s beneficial to understand the protocol at a basic / intermediate level. Understanding concepts such as MS/MR, ITR, ETR, xTR, Proxies and Instances (VRFs) will get you most of the way there. Check my links section for a really good blog on LISP 🙂

6. VXLAN. I can’t talk about LISP without mentioning VXLAN. As I said above, LISP is the Control Plane in a Cisco DNA network; the Data Plane portion is taken care of by VXLAN. Lucky for us, there are plenty of resources online to understand the basics of VXLAN, so I would recommend seeking those out.

I think that’s all for now. If you have any questions, please do not hesitate to get in touch.
