DNA Center Automates Your Campus!
In last week's LinkedIn blog I mentioned that people are now investing time in deeper use of ISE while waiting for hardware orders to arrive.
NetCraftsmen is also seeing increased interest in, and use of, DNA Center ("DNAC"). Product use is heating up, if not already hot! Note that there is solid value to be had from DNAC even if your ISE deployment and NAC situation is still a work in progress.
Context: DNAC is Cisco's automation and management tool for campus Catalyst switches and other IOS devices, including APs, WLCs, and the newer industrial switches. It can even deploy containerized apps to Cat 9K switches.
TL;DR: Some of the reasons this is happening might apply to you as well. Seize the opportunity!
Several factors appear to be driving this:
You don't need Cat 9K switches to leverage DNAC. It can automate prior-vintage devices (see below).
Note that "deeper ISE" can be independent of DNAC. You typically do integrate the two, but the main benefit is the convenience of working within DNAC when deploying SD-Access, rather than moving back and forth between DNAC and ISE.
The way I think of it: ISE controls access to the network and monitors connected devices; DNAC handles the design and deployment of devices and policy. Integrating the two means you can do the design, deployment, and policy work in one place, DNAC.
My Recommendations
It comes down to what your biggest problems are, and where the tools can help most.
ISE device profiling seems to take sites a while, for various reasons. One approach is to start in monitor mode (open policy): watch the ports, see what is out on your network, classify and profile it, and gradually work toward enforced 802.1X/NAC. That may need only a starting "pop" of focused activity followed by intermittent attention for a while, depending on how urgent it is to tighten up network security.
If you have DNAC (and the related Advantage licensing), I'd suggest using it for automated management of equipment, at the least. The Operations/Assurance features have been getting enhanced and can spot at least some issues out in "campus switch land". Some of the wireless features (3-D heat maps!) are pretty nifty.
While you're at it (especially if budget planning is active), check the DNAC support documents: which devices, code versions, and DNAC applications are supported.
DNAC supports most Catalyst and some Nexus equipment. On the Catalyst front, Catalyst 3750 and 3850 are supported to a fair degree. Most recent AP and WLC models are also supported by DNAC. (Cisco hasn't announced end of life for Cisco Prime, and it is still needed for older APs and WLCs that DNAC does not support. But "the end of Prime is on the horizon".)
The supported devices and code versions are listed in the DNAC support matrix.
The matrix lets you check which hardware, running which software versions, DNAC supports. In particular, you can see whether your current wireless equipment is supported by DNA Center.
Note that SD-Access ("SDA") support is tracked separately. Unless you're doing SDA planning, if the site asks about the SD-Access support matrix, just click "Cancel".
DNAC familiarization: if you want a better idea of what DNAC can do for you, I think highly of my NetCraftsmen DNAC Tour blog series. Use the blog filter for Peter Welcher's blogs to find them. Several are already posted; the last ones in the DNAC Tour are going up one per week, subject to reviewer availability.
If you’re going to do SD-Access, I’m a big fan of setting up a lab. References:
For more about SD-Access and how it works, see also the rest of the SD-Access blogs I wrote in 2021 on the NetCraftsmen site. The final SDA blog has links to all the blogs in that series.
Some of the DNAC GUI look and feel may have changed, but the rest should still be useful. That series also gets into topics I haven't seen elsewhere, including IP address planning for a medium to large multi-site SD-Access deployment. The Cisco materials seem to assume either doing it on the fly, or a single-site deployment for starters. Or maybe they keep it simple, either because that is the most immediate user need or so as not to scare anyone off (putting on my cynical hat).
Conclusion
While you're waiting for backlogged hardware, now is the time to document and do some housekeeping, but also to advance things you've had to put off. ISE features, especially device profiling and 802.1X/NAC, are one such possibility; automation, monitoring, or QoS via DNA Center is another piece of "low-hanging fruit".
Comments
Comments are welcome, both in agreement and in constructive disagreement with the above. I enjoy hearing from readers and carrying on deeper discussion via comments. Thanks in advance!
Hashtags: #NetCraftsmen #CiscoChampion #CCIE1773 #ISE #DNACenter
Twitter: @pjwelcher
LinkedIn: Peter Welcher