At IPTel we've been working on the deployment of Cisco SD Access.
This is pretty new technology for most people, so there is a bit of mystery about how it is deployed.
In this blog, we'll take a look at how a real world deployment of Cisco SD Access looks.
Background to Cisco SD Access
For many years, networking engineers have been lovingly building and configuring enterprise networks with an almost endless variety of tools and best practices, which have been cobbled together over the years.
The CLI was the main method of provisioning these devices, and with the help of spreadsheets and hand-crafted scripts we artisanally deployed networks like precious little snowflakes.
When we think of our network as code, it means that we can repeatedly execute the same steps on some piece of hardware without needing to explicitly care about the underlying details. Say goodbye to those Excel configuration scripts!
Cisco DNA Center Automation
I won’t explain Cisco SDA (Software Defined Access) here, but I wanted to share with you how impressive the DNAC LAN Automation is, since it can accelerate your fabric deployment.
In essence, SDA is an overlay technology that runs on a layer 3 underlay. One misconception is that the underlay must run IS-IS routing protocol, and that it has to be built by DNAC. The underlay must be layer 3, but the routing protocol is up to you.
If however, you chose to build your underlay using Cisco DNA Center, then it will be built using IS-IS during the LAN Automation process.
Our friends in the data centre have been using APIC-EM for some time to automatically provision devices in the data centre. APIC-EM is one component of DNA Centre, and it deserves a bit more attention.
Cisco SDA Fabric
Imagine the scenario: You are building an SDA fabric in a campus and you have 50 edge switches (e.g. C9300 or C9200) to commission.
How do you go about it in the most efficient manner to save having to send expensive resources to site to commission devices?
How about zero touch deployment, or Plug and Play, as Cisco calls it? This is where Cisco DNA Architecture comes into play.
There is a little bit of upfront planning in DNAC, but the process is literally as simple as discovering your first seed device (e.g. a border fabric node) and telling DNAC to use that device as the starting point for PnP. (We've also got some blogs exploring how Meraki does this.)
The onsite personnel rack and stack all the switches in factory defaulted mode and cable them up in the typical three-tiered Access/Distribution/Core model. Out of the box, the switches will power up and run a PnP agent that listens for instructions from the seed device.
Within minutes DNAC will start pushing configuration to all the devices using a pool of IP addresses that have been assigned to the underlay. Devices receive hostnames (optionally related to serial numbers if required), loopback addresses and all the AAA, SNMP, NTP and Device Tracking configuration, plus the golden software image. Sit back and watch the underlay being built.
Cisco SDA Fabric: Underlay
Once the underlay has been built, Cisco DNAC adds all the devices into its inventory and then you can manage/provision these devices.
Provisioning the devices will ensure that they are added to the correct site/building, and if you have ISE integrated to DNAC, then all of the devices will be added into ISE for device administration.
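Once LAN Automation and provisioning have run, it is worth checking that every device actually ended up in the intended state (reachable, on the golden image, named per the scheme) before trusting it with fabric roles. The script below is an added example, not code from the blog or from Cisco: it assumes the DNAC Intent API endpoints /dna/system/api/v1/auth/token and /dna/intent/api/v1/network-device and the response field names hostname, softwareVersion, reachabilityStatus and managementIpAddress, and the audit itself runs against a constructed sample inventory.

```python
import base64
import json
import urllib.request


def fetch_inventory(base_url, username, password):
    """Get a DNAC token with basic auth, then pull the network-device list.
    Live use only; assumed endpoints, TLS is verified as normal."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(f"{base_url}/dna/system/api/v1/auth/token",
                                 method="POST",
                                 headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req) as resp:
        token = json.load(resp)["Token"]
    req = urllib.request.Request(f"{base_url}/dna/intent/api/v1/network-device",
                                 headers={"X-Auth-Token": token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["response"]


def audit_inventory(devices, golden_version, hostname_prefix):
    """Return (hostname, problem) pairs for devices that deviate from the intent
    pushed by LAN Automation: unreachable, wrong image, or off-scheme hostname."""
    findings = []
    for dev in devices:
        host = dev.get("hostname") or dev.get("managementIpAddress", "?")
        if dev.get("reachabilityStatus") != "Reachable":
            findings.append((host, "not reachable from DNAC"))
        if dev.get("softwareVersion") != golden_version:
            findings.append((host, f"image {dev.get('softwareVersion')} != golden {golden_version}"))
        if not host.startswith(hostname_prefix):
            findings.append((host, "hostname outside LAN Automation naming scheme"))
    return findings


# Constructed sample inventory (serials and addresses made up), shaped like the
# assumed network-device response: two edges named from their serial, one stray.
SAMPLE_DEVICES = [
    {"hostname": "EDGE-FCW2222A0AA", "serialNumber": "FCW2222A0AA", "softwareVersion": "17.3.4",
     "reachabilityStatus": "Reachable", "managementIpAddress": "10.10.0.11"},
    {"hostname": "EDGE-FCW2222B0BB", "serialNumber": "FCW2222B0BB", "softwareVersion": "17.3.3",
     "reachabilityStatus": "Reachable", "managementIpAddress": "10.10.0.12"},
    {"hostname": "Switch", "serialNumber": "FCW2222C0CC", "softwareVersion": "17.3.4",
     "reachabilityStatus": "Unreachable", "managementIpAddress": "10.10.0.13"},
]

if __name__ == "__main__":
    for host, problem in audit_inventory(SAMPLE_DEVICES, "17.3.4", "EDGE-"):
        print(f"{host}: {problem}")
```

Against a live controller, replace SAMPLE_DEVICES with fetch_inventory(base_url, user, password) and feed the findings into whatever ticketing or alerting the site uses.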
It couldn’t be smarter than this, because the configuration will be done according to Cisco best practice – gone are the days of juggling multiple configuration snippets for each device type, operating system and feature.
Cisco SDA Fabric: Overlay
When deploying the overlay fabric, DNAC really starts to shine. If you don’t believe me, then consider the complexity involved in configuring a Centralised Web Auth guest portal on a C9800 platform, with ISE hosting the web portal. There are many moving parts in ISE to build the portal, create the Policy Set and Policy Results.
On the C9800 wireless controller there are redirection ACLs (which follow a different logic to the old AireOS) and all the AAA commands required to achieve URL redirection.
You may spend a day or more figuring all this out, and perhaps you missed a permit/deny somewhere along the line.
With SDA you will design and deploy a guest portal within DNAC without touching ISE or the WLC. This is what is meant by network as code – create the intent in DNAC and allow the tool to push the commands out to the devices.
Every journey starts with the first step, and DNAC gives us a leg up with great features such as LAN Automation.
Cisco SDA Deployment: Summary
The terms underlay (the routing layer) and overlay (the contract layer, at which clients communicate) are at once familiar topics and new ones. They are a rebuilding of how we have approached networking over the years (we all know the OSI stack, right?), but with a new twist.
The network is now managed via a GUI. Those of us that have been in networking a while (over 25 years now!) have loved the CLI - it's quick and efficient.
Cisco Machine learning and Cisco AI Analytics are going to be big concepts in networking - the ability to alert on changes in behaviour will help cut down on alarm fatigue.
With much larger networks and a myriad of features, the time is now to begin the journey to software defined networking.