© 2017 Cisco and/or its affiliates. All rights reserved. 1
Enterprise Networks - Cisco
Digital Network Architecture
Introducing the Network Intuitive
Don Orlik (don.orlik@cisco.com)
Enterprise Networking Sales
April 4, 2018
Cisco
Connect
Session Abstract
Cisco's Digital Network Architecture - Introducing the Network Intuitive
More and more organizations are adopting customer-centric applications and “as-a-service” models to
keep up with the pace of digital business and improve the quality and flow of information. As a result, the
network has shifted to become the fundamental platform for digitization, empowering business efficiency
and innovation by simplifying and automating processes while protecting and securing company data.
Cisco's Digital Network Architecture (DNA) offers a new holistic approach to meet the requirements of the
digitized enterprise. This session introduces the motivation for an architecture evolution of enterprise
networks, and provides details on each of the building blocks, including the new DNA Center (DNA-C)
GUI, Automation and Assurance capabilities it supports.
The concepts of virtualization, controllers, policy-based networking and cloud enablement are explored
as main architecture shifts. The session also provides insight into concrete examples on how to
automate and simplify application visibility and QoS deployments for network operators.
Come to this session to learn how Cisco is revolutionizing the network with DNA! This is the first of two
sessions. The optional deeper-dive “double-click” companion session focuses on Cisco’s advanced, programmable
networking silicon and the platforms and solutions it supports: namely, the exciting new Catalyst 9000
family of switches, Cisco’s advanced wireless solutions, and the new Encrypted Traffic Analytics and
Software-Defined Access solutions.
It’s a Digital World!
Automating your network with DNA
Center
Gaining Deep Insights with Assurance
And Analytics
Summary
Agenda
Cisco DNA – Introducing the Network
Intuitive
It’s a digital world!
What is the Risk of Digital Disruption?
• According to the Global Center for Digital Transformation, in a survey of
941 companies:
40% of today’s Top-10 incumbents (in terms of market share)
will be digitally disrupted within the next 5 years
https://www.imd.org/uupload/IMD.WebSite/DBT/Digital_Vortex_06182015.pdf
http://www.economist.com/news/business/21647317-messaging-services-are-rapidly-growing-beyond-online-chat-message-medium
Why Transform Digitally?
• According to Harvard Business Review, companies that master
digital transformation generate:
9% more revenue than their industry peers, and
26% more profits than their industry peers
https://hbr.org/product/leading-digital-turning-technology-into-business-transformation/17039E-KND-ENG
UPS My Choice
Delivery Control
Personalized Service
Workforce Efficiency
WIP Inventory and
Part Tracking
American Express
Personalized Service
Through Mobile
Starbucks Apps
Order Ahead
Skip the Line
Digital Transformation is Moving IT to the Boardroom
Customer Experience
Physical and Virtual
RFID Content
Cisco Enterprise Networking Vision
Transform our customers’ businesses
through powerful yet simple networks.
Digital Business Demands Application Agility
“…While other components of the IT infrastructure have become more
programmable and allow for faster, automated provisioning, installing
network circuits is still a painstakingly manual process...”
— Andrew Lerner, Gartner Research
Agility Requires Faster Network Provisioning
Source: Forrester Source: Open Compute Project
Time IT spends on operations: 80%
CEOs are worried about IT strategy not supporting business growth: 57%
[Chart: Network Expenses: CAPEX 33%, OPEX 67%]
[Chart: Deployment Speed in seconds, scale 0 to 1000: Computing vs. Networking]
HCD Case Study: GE MRI
What is Contextual
Intent?
Intent-based networking describes a network that has the
intelligence and automation necessary to set and modify
its configurations to meet the organization’s business
needs.
The Need for a New Network
Constantly Learning
Support 100X new devices, apps, users
Constantly Adapting
Respond Instantly to business demands with
limited staff and budget
Constantly Protecting
See and predict issues
and threats and respond fast
The more you use
it, the wiser it gets.
Intent-based
Network Infrastructure
DNA Center
Analytics
Policy
Automation
INTENT CONTEXT
SECURITY
LEARNING
The Network. Intuitive.
Constantly learning, adapting and protecting.
Informed
by Context
Visibility into traffic
and threat patterns
Who, What, When,
Where, How
Powered
by Intent
Translate Business Intent
to Network Policy
Automate the management
and provisioning of millions of
devices instantly
Key Challenges for Traditional Networks
Slower Issue Resolution
Complex to Manage
Difficult to Segment
Ever increasing number of
users and endpoint types
Ever increasing number of
VLANs and IP Subnets
Multiple steps,
user credentials, complex
interactions
Multiple touch-points
Separate user policies for
wired and wireless networks
Unable to find users
when troubleshooting
Traditional Networks Cannot Keep Up!
Introducing DNA Center
Realizing the vision of the intent-powered intuitive network
Decouple Policy from
Network Topology
Industry Best-Practices
Configuration and Policy
Compliance
Proactive Issue
Identification and
Resolution
Policy Automation
Assurance and
Analytics
Translate business intent
into network policy
Reduce manual operations
and cost associated with
human errors
Use context to turn data into
intelligence
DNA Solution
Cisco Enterprise Portfolio
Automation
Analytics
Identity Services Engine
Routers Switches Wireless APs
DNA Center
DNA Center
Simple Workflows
Wireless Controllers
DESIGN PROVISION POLICY ASSURANCE
Automating your Network with
DNA Center
Impediments to Automation
• Organizational structures
Different groups
• Lack of internal standards
Snowflakes!
• History
e.g. ACL CLIs
• Standard vs. non-standard changes
[Chart: Enterprise Network change requests]
65% Standard changes
35% New initiatives
12% New lab configurations
10% Hardware upgrades
21% ACL updates
7% Fleet standardizations
7% Feature configs: IP/Routing
4% Power shut-downs
8% Hardware upgrades
3% Feature configs: Security
2% ACL updates
15% Other
12% Other
What are Standard Network Changes?
Routers:
AAA Configuration
DNS/DHCP Servers
NTP Servers
Syslog Servers
Netflow Collectors
SNMP/SSH/Telnet
Interfaces Configuration
ACLs
Dial Plans
VRF
Routing Protocols
Tunnels/DMVPN
Security/Crypto
QOS
AVC
Switches:
AAA Configuration
DNS/DHCP Servers
NTP Servers
Syslog Servers
Netflow Collectors
SNMP/SSH/Telnet
Interfaces Configuration
Spanning Tree
VLAN
Security/Crypto
QOS
AVC
WLCs:
AAA Configuration
DNS/DHCP Servers
NTP Servers
Syslog Servers
Netflow Collectors
SNMP/SSH/Telnet
SSIDs
RF
Security/Crypto
QOS
AVC
Standard Changes:
o No Approval Required
o Minimal to Zero Disruption
Non-Standard Changes:
o Requires Approval
o May require service disruption
o May need coordination with other teams (App, DC, etc.) during change window
Video Demonstration
Use Case:
• Adding a new Syslog server (e.g., Splunk) to the network
• SOX requirements to update password every 6 months
AAA
Server
Site1
North
America
South
America
Site2
Africa
EMEAR
AAA
Server
DNS
Server
Syslog
Server
Syslog
Server
DHCP
Server
Benefits:
• Repetitive, error-prone manual tasks are automated
• Engineers get additional time to focus on design and deployment
• Standard change automation removes the lead time to make changes
Network Settings Update (Standard) DESIGN
Network
Design
Deployment
Standardization
Network
Compliance
Before
During
After
Profile Based
Deployment
• Plan for the network deployment
• Feature and Capabilities to be enabled based on requirements
• Topology for network deployment
• Automated Day 0 Deployment
• Version management of Profile for Day 2 Change Management
• Configuration Compliance Validation against Profile
• Remediation of Configuration to Golden Config
Network Deployment Consistency using Profile
Driven Automation
Configuration Consistency
Simplified Network
Deployment
Integrated IT
Process Flows
DESIGN
DNA Center automates the Deployment and Operations
• Plug-and-play
• Software / config / license management
• Ensuring that Hardware is not EoL
(Cisco Active Advisor)
• Software Image management (SWIM)
PnP Agent
Runs on Cisco® switches,
routers,
and wireless AP
Automates discovery and
provisioning
PnP Server
Centralized server
Auto-provision device w/ images
& configs.
Northbound REST APIs
PnP Protocol
HTTPS/XML based
Open schema
protocol
Network PnP
Application UI
IWAN
App
Topology
Discovery
REST API
PnP Service
DNA Center
Controller
PROVISION
Visualize Software Images
• For a given Device Family,
view :
All images
Image Version
Number of Devices using a
particular image
• Image Repository to
centrally store Software
Images, VNF Images and
Network Container Images
Platform extensibility for building
custom apps
API and Data Models across multiple
stages in DNA Stack
Integrations with complementary
platforms *
Open Interfaces and Integrations
Firehose *
Connectors
Graph API
Contextual Search
Cisco Assets
Industry
Integrations
Flexibility Accessibility Expansibility
* : roadmap post FCS
INTENT CONTEXT
SECURITY
LEARNING
Powered by intent,
informed by context.
THE NETWORK.
INTUITIVE.
• Express Business Intent
• Translate into device specific policy/configuration
• Leverage Abstraction (the controller knows about the device specifics)
• Automate the Deployment across the Network
• Ensure Fidelity to the Expressed Intent (keep everything in sync)
User policy based on user identity
and user-to-group mapping
Employee
(managed asset)
Employee
(Registered BYOD)
Employee
(Unknown BYOD)
ENG VDI System
PERMIT
PERMIT
DENY
DENY
DENY
DENY
DENY
PERMIT
PERMIT
PERMIT
PERMIT
PERMIT
Production Servers Development Servers Internet Access
Protected Assets
Source
De-coupling of
User Identity and Topology
Much easier to translate business objectives to
network functionality—Lowers TCO
Automation
Controller-Led
Networking Deployment
Evolution to a Policy Model
POLICY
Policy types
Access Policy
↓
Authentication/
Authorization
Group Assignment
Based on
Authentication methods
Access Control Policy
↓
Who can access what
Rules for x-group access
Permit group to app
Permit group to group
Application Policy
↓
Traffic treatment
QoS for Application
Path Optimization
Application compression
Application caching
DB
POLICY
1. Access Policies
• Access to the network is governed by ISE
users
things
Authenticate &
Authorize
(AAA)
Groups &
Policy
ISE
Network
Identity (e.g. Active
Directory)
SIEM
Location
Behavior
Analytics
pxGrid
CASB
Vulnerability
Scalable
Groups
Credentials
Posture
Profiling
POLICY
2. Access Control Policies
• Access Control (who can talk to who) is governed by DNA Center
Leverages ISE for group assignments
users
things
Authenticate &
Authorize
(AAA) Groups &
Policy
ISE DNA Center
Policy Authoring
Workflows
Fabric Management
Network
POLICY
DNA Automation – Access Control Policy Authoring
Quality of Service – Intuitive?
ip access-list extended APIC_EM-MM_STREAM-ACL
 remark citrix - Citrix
 permit tcp any any eq 1494
 permit udp any any eq 1494
 permit tcp any any eq 2598
 permit udp any any eq 2598
 remark citrix-static - Citrix-Static
 permit tcp any any eq 1604
 permit udp any any eq 1604
 permit tcp any any range 2512 2513
 permit udp any any range 2512 2513
 remark pcoip - PCoIP
 permit tcp any any eq 4172
 permit udp any any eq 4172
 permit tcp any any eq 5172
 permit udp any any eq 5172
 remark timbuktu - Timbuktu
 permit tcp any any eq 407
 permit udp any any eq 407
 remark xwindows - XWindows
 permit tcp any any range 6000 6003
 remark vnc - VNC
 permit tcp any any eq 5800
 permit udp any any eq 5800
 permit tcp any any range 5900 5901
 permit udp any any range 5900 5901
exit
ip access-list extended APIC_EM-SIGNALING-ACL
 remark h323 - H.323
 permit tcp any any eq 1300
 permit udp any any eq 1300
Intent-Based Application Policy
Legacy QoS Policy
Gaining Deep Insights with
Assurance and Analytics
Source: 2016 Cisco Study
Traditional Networking CANNOT Keep Pace with the Demands of Digital Business
75%: OpEx spent on Network Visibility and Troubleshooting
70%: Policy Violations Due to Human Error
95%: Network Changes Performed Manually
Main Operational Challenges
Make Data
Driven Decisions
Reveal
Hidden Patterns
Automation for Faster
Results
Focus on
Important Things
Business Value Propositions of Network Analytics
Collect relevant metrics
Architectural Requirement #1: Instrumentation
ASSURANCE
Categorize metrics by degrees of relevance
Architectural Requirement #2: On-Device Analytics
ASSURANCE
Upload critical metrics off the device to collector(s)
(optimally via model-based streaming-telemetry)
Architectural Requirement #3: Telemetry
EM
Collector
ASSURANCE
Provision long-term storage, retrieval and representation of network metrics and events
Architectural Requirement #4: Scalable Storage
ASSURANCE
Identify anomalies and trends
Architectural Requirement #5: Analytics Engine
ASSURANCE
Correlate all data points and permutations for cognitive and predictive analytics
Architectural Requirement #6: Machine Learning
ASSURANCE
Identify root cause of issues by contextually correlating data
Architectural Requirement #7: Guided Troubleshooting
EM
Analytics
Engine
ASSURANCE
Present actionable insights to the operator
Solicit input to remediate the root cause
Present a self-remediation option
Architectural Requirement #8: Self-Remediation
DNAC Assurance
DNAC Automation
Do you want to take the recommended action?
Yes / No / Always
ASSURANCE
Transforming the Network with Big Data Analytics
Data
Insight
Information
Action
Create value at the right time
Extract meaningful insights from data
Business benefit
Volume
Data size
• TB per day
• Streaming telemetry,
NetFlow, Syslog, SNMP, logs
Velocity
Data speed
• Firehose
• Streaming, low-latency
push/pull
Variety
Data forms
• Structured, unstructured
• Switch, router, AP,
IoT sensor, firewall,
load balancer, DHCP, DNS
Veracity
Data trustworthiness
• Quality, validity
• Internal, partner, public
Analytics
EM
DNAC
Network
Telemetry
Contextual Data
Data Collection and Ingestion
FW LB WLC Sensor
AAA
DNS DHCP
LDAP TOPOLOGY
INVENTORY
LOCATION
POLICY
ITSM
ITFM
Streaming Telemetry, SNMP, NetFlow, Syslog
Data Visualization and Action
Network Assurance netWorth
Collector and Analytics Pipeline SDK
...
Data Models and Restful APIs
Time Series Analysis
System Management Portal
DNA Center Assurance
Data Correlation and Analysis
Machine Learning
in the Cloud
CEP (*) Correlation
CEP = Complex Event Processing
DNA Center Assurance (Internal) Architecture
AVC
NetFlow
DDI
ISE
Topology
Location
Device
Assurance
Stream
Processing
Source IP: 1.1.1.2
Dest IP: 2.2.2.2
Dest Port: 80
Dest IP: 3.2.2.2
Dest Port: 80
AVC
Contextual Correlation Example
DDI
User: George Baker
ISE
Group: Marketing
Topology
Location
Building 24 1st Floor
Device
Client Density
Problem Here...
What is Machine Learning?
• Machine learning is an application of artificial intelligence (AI) that provides systems the ability to
automatically learn and improve from experience without being explicitly programmed to do so
• The process of learning begins with observations of data, and looking for patterns within the data so as to
make increasingly better correlations, inferences and predictions
• The primary aim is to allow these systems to learn automatically without human intervention or
assistance and adjust actions accordingly
Project Kairos
For Wireless, Wired and IOT
Cognitive Analytics
Anomaly detection
Identify and proactively adapt to a failure
before it happens
Machine Learning
Predictive Analytics
Machine Learning Algorithms
build their models using
hundreds of inputs
APs
WAN
Local WLCs
Network Services DC
Office Site
ISE
DHCP
Mobile Clients
CUCM
NCP
RF & EDCA behavioral metrics, ...
Queuing, Dropping, WRED behavioral metrics, ...
Device type, OS release, behavioral metrics, ...
WAN & core network metrics, ...
Application metrics, user feedback, failure rate, ...
... and more
End-to-end visibility – Overall Health
Overall health of the
Network Infra and the
Clients
Where in the world are
the most serious issues
happening
Top 10 Global Insights
End-to-end visibility – Network Infrastructure Health
Drill down of device
health history based on
Role/Type
Overall Network
Infrastructure health
summary
Listing of Network
devices with detailed
health information
360° Visibility – Network Device
Detailed Device health
information
Network device Health
history, Proactively
identify any Issues
Physical Neighbor
Topology
End-to-end visibility – Client Health
Drill down of Client
Onboarding, RF and
Profile details
Overall Network Client
health summary – wired
and wireless
Listing of Network
Clients with detailed
health information
360° Visibility – Network Client
Detailed Client health
information
Network Client Health
history, Proactively
identify any Issues
Client Onboarding Details
Relevant 360 view
provides all the details
and issues experienced
Advanced Search
capability based on IP
Address, User name etc.
Double Click on the Issue to
get Insights and Suggested
Remediation Actions
User Search and Troubleshooting
Path Trace – Troubleshoot the Network Path
Detailed information for
all Devices and Interface
along the Network path
Network Path for any
traffic flow from any
source to destination
Identify ACLs that may
be Blocking or Affecting
the traffic flow
Network Time Travel
Ability to go back in time
when an issue is
observed
History shows critical
events and Identifies
when issues occurred
All information in the
relevant 360 page changes
to that point of time
Go back in time to
understand the
network state when
an issue occurred !!
Insights with Guided Remediation Actions
Ability to execute
operational commands
from dashboard
Guided Actions to help
remediate issues quickly
Detailed drill downs to
help identify the impact
of any issue
Advanced Client Insights – Apple iOS Analytics
Insights into the client's view
of the network – Neighboring
Access Points
Detailed Client device profile
information – device model,
OS details
Provide clarity into the
reliability of connectivity –
client disassociation details
Capability unique to
Cisco Wireless
Networks only !!
Create sensor tests,
schedule and define the test
scenarios to execute
Proactive identification
of Wireless Network
issues using Sensors
Detailed test results
along with historical
information
Proactive Insights– Wireless Sensors
Test your network
anywhere at any time
!!
Providing Security While Maintaining Privacy!
Encrypted Traffic
Non-Encrypted
Traffic
Can we Actually Solve This?
How do you Analyze Metadata without decrypting traffic flows?
80%
of organizations are
victims of malicious activity
41%
Of attacks used encrypted
traffic to evade detection
Encrypted Traffic Analytics
Encrypted traffic analytics from
Cisco’s newest switches and routers
Security with Privacy
Analyze NetFlow metadata without
decrypting traffic flows
Global-to-local knowledge correlation -
99.99% threat detection accuracy
Summary
Key Takeaways
Profile Based Deployment simplifies Day 0 Deployment and
Day 2 Change Management
Assurance must be outcomes driven and not problem based
Intent Driven Networking Starts with Policy
Automation must be thought of holistically, as some of the
simple tasks take the most time
Automated Deployment
It’s a Journey!
Self-Driving Automation
Plug and Play,
Day 0 Deployment
Configure once and deploy
everywhere - SD-Access
Exists Today
ISE / AD NAE / PI
DNA Center
Campus
Fabric
SDA
Future
Closed Loop through Network
Analytics and Machine Learning
Network
Analytics
Platform
DNA Center
BB
Campus
Fabric
SDA
Network
Control
Platform
HTTP
Proxy
Internet
Admin
Installer
New
Step 1
Network admin
provisions devices in the
Cisco Network Plug
and Play application
Step 2
Onsite installer with
mobile app installs and
powers on devices,
triggers deployment,
checks status
Step 3
New devices contact
Cisco Network Plug and
Play application to get
provisioned
Network admin can
remotely monitor
install status
Basic Advanced
One Point of Management: All from Cisco DNA Center
Consistent Across Network Fabric
Thank you.

Cisco Connect Halifax 2018 Cisco dna - network intuitive

  • 1.
    © 2017 Ciscoand/or its affiliates. All rights reserved. 1 Enterprise Networks - Cisco Digital Network Architecture Introducing the Network Intuitive Don Orlik (don.orlik@cisco.com) Enterprise Networking Sales April 4, 2018 Cisco Connect
  • 2.
    Session Abstract Cisco's DigitalNetwork Architecture - Introducing the Network Intuitive More and more organizations are adopting customer-centric applications and “as-a-service” models to keep up with the pace of digital business and improve the quality and flow of information. As a result, the network has shifted to become the fundamental platform for digitization, empowering business efficiency and innovation by simplifying and automating processes while protecting and securing company data. Cisco's Digital Network Architecture (DNA) offers a new holistic approach to meet the requirements of the digitized enterprise. This session introduces the motivation for an architecture evolution of enterprise networks, and provides details on each of the building blocks, including the new DNA Center (DNA-C) GUI, Automation and Assurance capabilities it supports. The concepts of virtualization, controllers, policy-based networking and cloud enablement are explored as main architecture shifts. The session also provides insight into concrete examples on how to automate and simplify application visibility and QoS deployments for network operators. Come to this session to learn how Cisco is revolutionizing the network with DNA! This is the first of two sessions – an optional deeper-dive “double-click” session focused on Cisco’s advanced, programmable networking silicon and the platforms and solutions it supports – namely, the exciting new Catalyst 9000 family of switches, Cisco’s advanced wireless solutions, and the new Encrypted Traffic Analytics and Software-Defined Access solutions are explored in the companion session.
  • 3.
    It’s a DigitalWorld! Automating your network with DNA Center Gaining Deep Insights with Assurance And Analytics Summary Agenda Cisco DNA – Introducing the Network Intuitive
  • 4.
    4© 2017 Ciscoand/or its affiliates. All rights reserved. It’s a digital world!
  • 5.
    © 2016 Ciscoand/or its affiliates. All rights reserved. 5 What is the Risk of Digital Disruption? • According to the Global Center for Digital Transformation in a survey of 941 companies: of today’s Top-10 incumbents (in terms of market share) will be digitally disrupted within the next 5 years https://www.imd.org/uupload/IMD.WebSite/DBT/Digital_Vortex_06182015.pdf http://www.economist.com/news/business/21647317-messaging-services-are-rapidly-growing-beyond-online-chat-message-medium 40% in 5
  • 6.
    © 2016 Ciscoand/or its affiliates. All rights reserved. 6 Why Transform Digitally? • According to Harvard Business Review, companies that master digital transformation generate: more revenue than their industry peers, and more profits than their industry peers https://hbr.org/product/leading-digital-turning-technology-into-business-transformation/17039E-KND-ENG 9% 26%
  • 7.
    UPS My Choice DeliveryControl Personalized Service Workforce Efficiency WIP Inventory and Part Tracking American Express Personalized Service Through Mobile Starbucks Apps Order Ahead Skip the Line 7 Digital Transformation is Moving IT to the Boardroom © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 7TECCRS-2700 Customer Experience Physical and Virtual RFID Content
  • 8.
    © 2016 Ciscoand/or its affiliates. All rights reserved. 8 Cisco Enterprise Networking Vision Transform our customers’ businesses through powerful yet simple networks.
  • 9.
    Digital Business DemandsApplication Agility “…While other components of the IT infrastructure have become more programmable and allow for faster, automated provisioning, installing network circuits is still a painstakingly manual process...” — Andrew Lerner, Gartner Research
  • 10.
    Agility Requires FasterNetwork Provisioning Source: Forrester Source: Open Compute Project Time IT spends on operations80% CEOs are worried about IT strategy not supporting business growth57% Network Expenses Deployment Speed 0 10 100 1000 Computing Networking Seconds 0 100% CAPEX OPEX 33% 67%
  • 11.
    © 2016 Ciscoand/or its affiliates. All rights reserved. 11 11 HCD Case Study: GE MRI
  • 12.
    © 2016 Ciscoand/or its affiliates. All rights reserved. 12 12 HCD Case Study: GE MRI
  • 13.
    © 2016 Ciscoand/or its affiliates. All rights reserved. 13 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential What is Contextual Intent?
  • 14.
    © 2016 Ciscoand/or its affiliates. All rights reserved. 14 Intent-based networking describes a network that has the intelligence and automation necessary to set and modify its configurations to meet the organization’s business needs.
  • 15.
    The Need for aNew Network Constantly Learning Support 100X new devices, apps, users Constantly Adapting Respond Instantly to business demands with limited staff and budget Constantly Protecting See and predict issues and threats and respond fast The more you use it, the wiser it gets.
  • 16.
    Intent-based Network Infrastructure DNA Center AnalyticsPolicyAutomation I N T E N T C O N T E X T S E C U R I T Y L E A R N I N G The Network. Intuitive. Constantly learning, adapting and protecting. Informed by Context Visibility into traffic and threat patterns Who, What, When, Where, How Powered by Intent Translate Business Intent to Network Policy Automate the management and provisioning millions of devices instantly
  • 17.
    © 2016 Ciscoand/or its affiliates. All rights reserved. 17 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Key Challenges for Traditional Networks Slower Issue ResolutionComplex to ManageDifficult to Segment Ever increasing number of users and endpoint types Ever increasing number of VLANs and IP Subnets Multiple steps, user credentials, complex interactions Multiple touch-points Separate user policies for wired and wireless networks Unable to find users when troubleshooting Traditional Networks Cannot Keep Up! Key Challenges for Traditional Networks
  • 18.
    Introducing DNA Center Realizingvision of the intent-powered intuitive network Decouple Policy from Network Topology Industry Best-Practices Configuration and Policy Compliance Proactive Issue Identification and Resolution Policy Automation Assurance and Analytics Translate business intent into network policy Reduce manual operations and cost associated with human errors Use context to turn data into intelligence
  • 19.
    DNA Solution Cisco EnterprisePortfolio Automation AnalyticsIdentity Services Engine Routers Switches Wireless APs DNA Center DNA Center Simple Workflows Wireless Controllers DESIGN PROVISION POLICY ASSURANCE
  • 20.
    20© 2017 Ciscoand/or its affiliates. All rights reserved. Automating your Network with DNA Center
  • 21.
    Impediments to Automation •Organizational structures Different groups • Lack of internal standards Snowflakes! • History e.g. ACL CLIs • Standard vs.non-standard changes Enterprise Network change requests. 65% Standard changes 35% New initiatives 12% New lab configurations 10% Hardware upgrades 21% ACL updates 7% Fleet standardizations 7% Feature configs: IP/Routing 4% Power shut-downs 8% Hardware upgrades 3% Feature configs: Security 2% ACL updates 15% Other 12% Other
  • 22.
    BRKNMS-1499 What are Standard Network Changes?
    Routers: AAA Configuration, DNS/DHCP Servers, NTP Servers, Syslog Servers, Netflow Collectors, SNMP/SSH/Telnet, Interfaces Configuration, ACL’s, Dial Plans, Vrf, Routing Protocols, Tunnels/DMVPN, Security/Crypto, QOS, AVC
    Switches: AAA Configuration, DNS/DHCP Servers, NTP Servers, Syslog Servers, Netflow Collectors, SNMP/SSH/Telnet, Interfaces Configuration, Spanning Tree, VLAN, Security/Crypto, QOS, AVC
    WLC’s: AAA Configuration, DNS/DHCP Servers, NTP Servers, Syslog Servers, Netflow Collectors, SNMP/SSH/Telnet, SSID’s, RF, Security/Crypto, QOS, AVC
    Standard Changes: o No Approval Required o Minimal to Zero Disruption
    Non-Standard Changes: o Requires Approval o May require service disruption o May need co-ordination with other teams (App, DC etc.) during change window
  • 23.
    Video Demonstration
  • 24.
    Network Settings Update (Standard) DESIGN Use Case: • Adding a new Syslog (Ex: Splunk) in the network • SoX requirements to update password every 6 months AAA Server Site1 North America South America Site2 Africa EMEAR AAA Server DNS Server Syslog Server Syslog Server DHCP Server Benefits: • Repeated manual error prone tasks automated • Eng get additional time to focus on design and deployment • Standard change automation removes the lead time to make changes
  • 25.
    Network Design Deployment Standardization Network Compliance Before During After Profile Based Deployment • Plan for the network deployment • Feature and Capabilities to be enabled based on requirements • Topology for network deployment • Automated Day 0 Deployment • Version management of Profile for Day 2 Change Management • Configuration Compliance Validation against Profile • Remediation of Configuration to Golden Config Network Deployment Consistency using Profile Driven Automation Configuration Consistency Simplified Network Deployment Integrated IT Process Flows DESIGN
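The compliance validation and golden-config remediation named on this slide, applied to the syslog use case from the previous one, as an added Python example (not DNA Center code). The profile, device names, addresses and the simple "command target [options]" line format are assumptions; a device that is not logging to the expected collector is a visibility gap, so the check reports both missing and unexpected targets.

```python
"""Compare device configs with a golden profile and derive remediation lines."""

# Golden profile of standard settings. All addresses are constructed
# documentation values (RFC 5737), not taken from the slides.
GOLDEN = {
    "logging host": {"192.0.2.10", "192.0.2.11"},  # .11 = newly added collector
    "ntp server": {"192.0.2.20"},
}

# Constructed running configurations for two sites.
RUNNING = {
    "site1-sw1": """
hostname site1-sw1
logging host 192.0.2.10
logging host 192.0.2.11
ntp server 192.0.2.20 prefer
""",
    "site2-sw1": """
hostname site2-sw1
logging host 192.0.2.10
logging host 198.51.100.7
ntp server 192.0.2.20
""",
}


def configured(config_text):
    """Return {command: set of targets} for every command the profile manages."""
    found = {cmd: set() for cmd in GOLDEN}
    for line in config_text.splitlines():
        words = line.split()
        for cmd in GOLDEN:
            prefix = cmd.split()
            # The first word after the command is the target; options follow it.
            if words[:len(prefix)] == prefix and len(words) > len(prefix):
                found[cmd].add(words[len(prefix)])
    return found


def remediation(config_text):
    """List the lines that bring a config back to the golden profile."""
    found = configured(config_text)
    fixes = []
    for cmd, wanted in GOLDEN.items():
        fixes += [f"no {cmd} {t}" for t in sorted(found[cmd] - wanted)]
        fixes += [f"{cmd} {t}" for t in sorted(wanted - found[cmd])]
    return fixes


def audit(devices):
    """Map each non-compliant device to its remediation lines."""
    report = {name: remediation(text) for name, text in devices.items()}
    return {name: fixes for name, fixes in report.items() if fixes}


if __name__ == "__main__":
    for device, fixes in audit(RUNNING).items():
        print(device, fixes)
```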
  • 26.
    DNA Center automates the Deployment and Operations • Plug-and-play • Software / config / license management • Ensuring that Hardware is not EoL (Cisco Active Advisor) • Software Image management (SWIM) PnP Agent Runs on Cisco® switches, routers, and wireless AP Automates discovery and provisioning PnP Server Centralized server Auto-provision device w/ images & configs. Northbound REST APIs PnP Protocol HTTPS/XML based Open schema protocol Network PnP Application UI IWAN App Topology Discovery REST API PnP Service DNA Center Controller PROVISION
  • 27.
    Visualize Software Images • For a given Device Family, view : All images Image Version Number of Devices using a particular image • Image Repository to centrally store Software Images, VNF Images and Network Container Images
  • 28.
    Platform extensibility for building custom apps API and Data Models across multiple stages in DNA Stack Integrations with complementary platforms * Open Interfaces and Integrations Firehose * Connectors Graph API Contextual Search Cisco Assets Industry Integrations Flexibility Accessibility Expansibility * : roadmap post FCS
  • 29.
    INTENT CONTEXT SECURITY LEARNING Powered by intent, informed by context. THE NETWORK. INTUITIVE.
  • 30.
    • Express Business Intent • Translate into device specific policy/configuration • Leverage Abstraction (the controller knows about the device specifics) • Automate the Deployment across the Network • Ensure Fidelity to the Expressed Intent (keep everything in sync) User policy based on user identity and user-to-group mapping Employee (managed asset) Employee (Registered BYOD) Employee (Unknown BYOD) ENG VDI System PERMIT PERMIT DENY DENY DENY DENY DENY PERMIT PERMIT PERMIT PERMIT PERMIT Production Servers Development Servers Internet Access Protected Assets Source De-coupling of User Identity and Topology Much easier to translate business objectives to network functionality—Lowers TCO Automation Controller-Led Networking Deployment Evolution to a Policy Model POLICY
  • 31.
    Policy types Access Policy ↓ Authentication/ Authorization Group Assignment Based on Authentication methods Access Control Policy ↓ Who can access what Rules for x-group access Permit group to app Permit group to group Application Policy ↓ Traffic treatment QoS for Application Path Optimization Application compression Application caching DB POLICY
  • 32.
    1. Access Policies • Access to the network is governed by ISE users things Authenticate & Authorize (AAA) Groups & Policy ISE Network Identity (e.g. Active Directory) SIEM Location Behavior Analytics pxGrid CASB Vulnerability Scalable Groups Credentials Posture Profiling POLICY
  • 33.
    2. Access Control Policies • Access Control (who can talk to who) is governed by DNA Center Leverages ISE for group assignments users things Authenticate & Authorize (AAA) Groups & Policy ISE DNA Center Policy Authoring Workflows Fabric Management Network POLICY
  • 34.
    DNA Automation – Access Control Policy Authoring
  • 35.
    DNA Automation – Access Control Policy Authoring
  • 36.
    Quality of Service – Intuitive?
  • 37.
    Intent-Based Application Policy | Legacy QoS Policy
    ip access-list extended APIC_EM-MM_STREAM-ACL
     remark citrix - Citrix
     permit tcp any any eq 1494
     permit udp any any eq 1494
     permit tcp any any eq 2598
     permit udp any any eq 2598
     remark citrix-static - Citrix-Static
     permit tcp any any eq 1604
     permit udp any any eq 1604
     permit tcp any any range 2512 2513
     permit udp any any range 2512 2513
     remark pcoip - PCoIP
     permit tcp any any eq 4172
     permit udp any any eq 4172
     permit tcp any any eq 5172
     permit udp any any eq 5172
     remark timbuktu - Timbuktu
     permit tcp any any eq 407
     permit udp any any eq 407
     remark xwindows - XWindows
     permit tcp any any range 6000 6003
     remark vnc - VNC
     permit tcp any any eq 5800
     permit udp any any eq 5800
     permit tcp any any range 5900 5901
     permit udp any any range 5900 5901
    exit
    ip access-list extended APIC_EM-SIGNALING-ACL
     remark h323 - H.323
     permit tcp any any eq 1300
     permit udp any any eq 1300
  • 38.
    Gaining Deep Insights with Assurance and Analytics
  • 39.
    Source: 2016 Cisco Study Traditional Networking CANNOT Keep Pace with the Demands of Digital Business OpEx spent on Network Visibility and Troubleshooting 75% Policy Violations Due to Human Error 70% Network Changes Performed Manually 95% Main Operational Challenges
  • 40.
    Make Data Driven Decisions Reveal Hidden Patterns Automation for Faster Results Focus on Important Things Business Value Propositions of Network Analytics
  • 41.
    Collect relevant metrics Architectural Requirement #1: Instrumentation ASSURANCE
  • 42.
    Categorize metrics by degrees of relevance Architectural Requirement #2: On-Device Analytics ASSURANCE
  • 43.
    Upload critical metrics off the device to collector(s) (optimally via model-based streaming-telemetry) Architectural Requirement #3: Telemetry EM Collector ASSURANCE
  • 44.
    Provision long-term storage, retrieval and representation of network metrics and events Architectural Requirement #4: Scalable Storage ASSURANCE
  • 45.
    Identify anomalies and trends Architectural Requirement #5: Analytics Engine ASSURANCE
  • 46.
    Correlate all data points and permutations for cognitive and predictive analytics Architectural Requirement #6: Machine Learning ASSURANCE
  • 47.
    Identify root cause of issues by contextually correlating data Architectural Requirement #7: Guided Troubleshooting EM Analytics Engine ASSURANCE
  • 48.
    Present actionable insights to the operator Solicit input to remediate the root cause Present a self-remediation option Architectural Requirement #8: Self-Remediation EM DNAC Assurance EM DNAC Automation Do you want to take the recommended action? Yes No Always ASSURANCE
  • 49.
    INTENT CONTEXT SECURITY LEARNING Powered by intent, informed by context. THE NETWORK. INTUITIVE.
  • 50.
    Transforming the Network with Big Data Analytics Data Insight Information Action Create value at the right time Extract meaningful insights from data Business benefit Volume Data size • TB per day • Streaming telemetry, NetFlow, Syslog, SNMP, logs Velocity Data speed • Firehose • Streaming, low-latency push/pull Variety Data forms • Structured, unstructured • Switch, router, AP, IoT sensor, firewall, load balancer, DHCP, DNS Veracity Data trustworthiness • Quality, validity • Internal, partner, public Analytics
  • 51.
    EM DNAC Network Telemetry Contextual Data Data Collection and Ingestion FW LB WLC Sensor AAA DNS DHCP LDAP TOPOLOGY INVENTORY LOCATION POLICY ITSM ITFM Streaming Telemetry SNMP NetFlow Syslog Data Visualization and Action Network Assurance netWorth Collector and Analytics Pipeline SDK ... Data Models and Restful APIs Time Series Analysis System Management Portal DNA Center Assurance Data Correlation and Analysis Machine Learning in the Cloud CEP (*) Correlation CEP = Complex Event Processing DNA Center Assurance (Internal) Architecture
  • 52.
    NetFlow AVC DDI ISE Topology Location Device Assurance Stream Processing Contextual Correlation Example Source IP: 1.1.1.2 Dest IP: 2.2.2.2 Dest Port: 80 Dest IP: 3.2.2.2 Dest Port: 80 ? ? ? NetFlow
  • 53.
    AVC NetFlow DDI ISE Topology Location Device Assurance Stream Processing Source IP: 1.1.1.2 Dest IP: 2.2.2.2 Dest Port: 80 Dest IP: 3.2.2.2 Dest Port: 80 AVC Contextual Correlation Example ? ? ?
  • 54.
    AVC NetFlow DDI ISE Topology Location Device Assurance Stream Processing Source IP: 1.1.1.2 Dest IP: 2.2.2.2 Dest Port: 80 Dest IP: 3.2.2.2 Dest Port: 80 AVC Contextual Correlation Example DDI ?
  • 55.
    AVC NetFlow DDI ISE Topology Location Device Assurance Stream Processing Source IP: 1.1.1.2 Dest IP: 2.2.2.2 Dest Port: 80 Dest IP: 3.2.2.2 Dest Port: 80 AVC Contextual Correlation Example DDI User: George Baker ISE Group: Marketing
  • 56.
    AVC NetFlow DDI ISE Topology Location Device Assurance Stream Processing Source IP: 1.1.1.2 Dest IP: 2.2.2.2 Dest Port: 80 Dest IP: 3.2.2.2 Dest Port: 80 AVC Contextual Correlation Example DDI User: George Baker ISE Group: Marketing Topology
  • 57.
    AVC NetFlow DDI ISE Topology Location Device Assurance Stream Processing Source IP: 1.1.1.2 Dest IP: 2.2.2.2 Dest Port: 80 Dest IP: 3.2.2.2 Dest Port: 80 AVC Contextual Correlation Example DDI User: George Baker ISE Group: Marketing Topology Location Building 24 1st Floor
  • 58.
    AVC NetFlow DDI ISE Topology Location Device Assurance Stream Processing Source IP: 1.1.1.2 Dest IP: 2.2.2.2 Dest Port: 80 Dest IP: 3.2.2.2 Dest Port: 80 AVC Contextual Correlation Example DDI User: George Baker ISE Group: Marketing Topology Location Building 24 1st Floor Device Client Density Problem Here...
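The build-up across the correlation slides above, as an added Python example (not Cisco's code): a flow record is joined to DDI, ISE, topology, location and device data, using the lease that was valid at the flow's timestamp so that a re-leased IP is not attributed to the wrong user. The flow tuples, user, group and location come from the slides; timestamps, MACs, AP names, the second user and the density threshold are assumptions.

```python
"""Time-aware enrichment of flow records with identity and location context."""
from bisect import bisect_right

# Constructed sample data. The flow tuples, user name, ISE group and location
# string are taken from the slides; timestamps, MACs, AP names, the second
# user and the client-count threshold are assumptions made for this example.
FLOWS = [
    {"ts": 1000, "src": "1.1.1.2", "dst": "2.2.2.2", "dport": 80},
    {"ts": 5000, "src": "1.1.1.2", "dst": "3.2.2.2", "dport": 80},
]
LEASES = [  # DDI: (lease start, IP, client MAC); an IP is re-leased over time
    (900, "1.1.1.2", "aa:aa:aa:aa:aa:01"),
    (4000, "1.1.1.2", "aa:aa:aa:aa:aa:02"),
]
ISE_SESSIONS = {  # identity: MAC -> authenticated user and scalable group
    "aa:aa:aa:aa:aa:01": {"user": "George Baker", "group": "Marketing"},
    "aa:aa:aa:aa:aa:02": {"user": "guest-0417", "group": "Guests"},
}
ATTACHMENT = {  # topology: MAC -> access point the client is attached to
    "aa:aa:aa:aa:aa:01": "ap-b24-f1-03",
    "aa:aa:aa:aa:aa:02": "ap-b24-f2-01",
}
AP_INFO = {  # location and device telemetry per access point
    "ap-b24-f1-03": {"location": "Building 24 1st Floor", "clients": 74},
    "ap-b24-f2-01": {"location": "Building 24 2nd Floor", "clients": 9},
}
MAX_CLIENTS_PER_AP = 50  # assumed threshold for flagging client density


def lease_holder(ip, ts):
    """Return the MAC that held `ip` at time `ts` (latest lease started <= ts)."""
    history = sorted((start, mac) for start, lease_ip, mac in LEASES if lease_ip == ip)
    idx = bisect_right([start for start, _ in history], ts) - 1
    return history[idx][1] if idx >= 0 else None


def enrich(flow):
    """Attach DDI, identity, topology, location and device context to a flow."""
    record = dict(flow, mac=None, user=None, group=None, ap=None,
                  location=None, issue=None)
    mac = lease_holder(flow["src"], flow["ts"])
    if mac is None:
        return record  # no lease covers this time: leave the flow unattributed
    record["mac"] = mac
    record.update(ISE_SESSIONS.get(mac, {}))
    ap = ATTACHMENT.get(mac)
    if ap in AP_INFO:
        record["ap"] = ap
        record["location"] = AP_INFO[ap]["location"]
        if AP_INFO[ap]["clients"] > MAX_CLIENTS_PER_AP:
            record["issue"] = "client density"
    return record


if __name__ == "__main__":
    for f in FLOWS:
        print(enrich(f))
```

Both sample flows share source IP 1.1.1.2, yet the second is attributed to a different client because the address was re-leased between them; a plain IP-to-user lookup would miss that.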
  • 59.
    INTENT CONTEXT SECURITY LEARNING Powered by intent, informed by context. THE NETWORK. INTUITIVE.
  • 60.
    What is Machine Learning? • Machine learning is an application of artificial intelligence (AI) that provides systems the ability to automatically learn and improve from experience without being explicitly programmed to do so • The process of learning begins with observations of data, and looking for patterns within the data so as to make increasingly better correlations, inferences and predictions • The primary aim is to allow these systems to learn automatically without human intervention or assistance and adjust actions accordingly
  • 61.
    Project Kairos For Wireless, Wired and IOT Cognitive Analytics Anomaly detection Identify and proactively adapt to a failure before it happens Machine Learning Predictive Analytics
  • 62.
    Machine Learning Algorithms build their models using hundreds of inputs APs WAN Local WLCs Network Services DC Office Site ISE DHCP Mobile Clients CUCM NCP RF & EDCA behavioral metrics, ... Queuing, Dropping, WRED behavioral metrics ... Device type, OS release, behavioral metrics, ... WAN & core network metrics ... Application metrics, user feedback, failure rate, ... and more
  • 63.
    End-to-end visibility – Overall Health Overall health of the Network Infra and the Clients Where in the world are the most serious issues happening Top 10 Global Insights
  • 64.
    End-to-end visibility – Network Infrastructure Health Drill down of device health history based on Role/Type Overall Network Infrastructure health summary Listing of Network devices with detailed health information
  • 65.
    360° Visibility – Network Device Detailed Device health information Network device Health history, Proactively identify any Issues Physical Neighbor Topology
  • 66.
    End-to-end visibility – Client Health Drill down of Client Onboarding, RF and Profile details Overall Network Client health summary – wired and wireless Listing of Network Clients with detailed health information
  • 67.
    360° Visibility – Network Client Detailed Client health information Network Client Health history, Proactively identify any Issues Client Onboarding Details
  • 68.
    User Search and Troubleshooting Relevant 360 view provides all the details and issues experienced Advanced Search capability based on IP Address, User name etc. Double Click on the Issue to get Insights and Suggested Remediation Actions
  • 69.
    Path Trace – Troubleshoot the Network Path Detailed information for all Devices and Interface along the Network path Network Path for any traffic flow from any source to destination Identify ACLs that may be Blocking or Affecting the traffic flow
  • 70.
    Network Time Travel Ability to go back in time when an issue is observed History shows critical events and Identifies when issues occurred All information in the relevant 360 page changes to that point of time Go back in time to understand the network state when an issue occurred !!
  • 71.
    Insights with Guided Remediation Actions Ability to execute operational commands from dashboard Guided Actions to help remediate issues quickly Detailed drill downs to help identify the impact of any issue
  • 72.
    Advanced Client Insights – Apple iOS Analytics Insights into the clients view of the network – Neighboring Access Points Detailed Client device profile information – device model, OS details Provide clarity into the reliability of connectivity – client disassociation details Capability unique to Cisco Wireless Networks only !!
  • 73.
    Proactive Insights – Wireless Sensors Create sensor tests, schedule and define the test scenarios to execute Proactive identification of Wireless Network issues using Sensors Detailed test results along with historical information Test your network anywhere at any time !!
  • 74.
    INTENT CONTEXT SECURITY LEARNING Powered by intent, informed by context. THE NETWORK. INTUITIVE.
  • 75.
    Providing Security While Maintaining Privacy! Encrypted Traffic Non-Encrypted Traffic Can we Actually Solve This? How do you Analyze Metadata without decrypting traffic flows? 80% of organizations are victims of malicious activity 41% of attacks used encrypted traffic to evade detection
  • 76.
    Encrypted Traffic Analytics Encrypted traffic analytics from Cisco’s newest switches and routers Security with Privacy Analyze netflow metadata without decrypting traffic flows Global-to-local knowledge correlation - 99.99% threat detection accuracy
  • 77.
    Summary
  • 78.
    Key Takeaways Profile Based Deployment simplifies Day 0 Deployment and Day 2 Change Management Assurance must be outcomes driven and not problem based Intent Driven Networking Starts with Policy Automation must be thought holistically, as some of the simple tasks take the most amount of time
  • 79.
    Automated Deployment It’s a Journey! Self-Driving Automation Plug and Play, Day 0 Deployment Configure once and deploy everywhere - SD-Access Exists Today ISE / AD NAE / PI DNA Center Campus Fabric SDA Future Closed Loop through Network Analytics and Machine Learning Network Analytics Platform DNA Center BB Campus Fabric SDA Network Control Platform HTTP Proxy Internet Admin Installer New Step 1 Network admin provisions devices in Cisco Network Plug and Play applications Step 2 Onsite installer with mobile app installs and powers on devices, triggers deployment, checks status Step 3 New devices contact Cisco Network Plug and Play application to get provisioned Network admin can remotely monitor install status Basic Advanced One Point of Management: All from Cisco DNA Center Consistent Across Network Fabric
  • 80.