Master Series | Live SDA from 0 to 100 - a Pure 100% Cisco DNA Center SDA Demo

Captions
Hello everybody, welcome at Cisco Live. So we are live here. I'm together with Marcel, and I quickly want to introduce myself. I'm Marcus a become, a senior solution architect in customer services, and I will guide you today, and of course Marcel, through an SDA environment: how to get it from zero to 100, and make sure you understand all the components of SDA until it's up and running. Let me give Marcel a chance to introduce himself quickly.

Okay, thank you, Marcus. So, hello everybody, my name is Marcelo Klein. I'm a technical solution architect based in Frankfurt, Germany, and today I'm here to help Marcus a little bit with the introduction of SDA. So Marcus, how can we start?

So let's do a quick introduction first for the two of us. We are both German, so for anybody watching this presentation, the accent might be very bad, so you can ping us later on if you have a good idea how we can improve this. So let me dig into the presentation. It is about Software-Defined Access. You have heard that this is a new solution offer from Cisco and has been developed over the last couple of years. So Software-Defined Access had been built on top of our switching portfolio, and we introduced new capabilities into IOS. In the beginning, everybody on earth was doing this using the command-line interface. So you remember the days where we all were at the keyboard and trying to figure out how to get a VLAN configured, how to get a default gateway configured, how to make high availability enabled, and you know all the hassle together with spanning tree and the large broadcast domains and failure domains, and to troubleshoot those environments. So the idea of Software-Defined Access is to put a controller on top of the environment. That means we completely abstract the way we do the network. So the abstraction means you buy a piece of hardware, it can be a Catalyst 9000, it can be a 3850, it can be anything. So you buy a piece
of hardware. On top of the hardware you usually have an installed OS version, and this can be a big variety of different IOS versions, right? So all the IOS versions behave differently. And the third level on top of hardware and software is about the license. So the network behaves very differently if you buy an Essential license or if you buy an Advantage license. So what we have done in the past: we left our engineers, and of course our customers and partners, a little bit alone with how to configure the environment, how to make SD-Access possible, how to make switching possible, and if you update the environment, you may have recognized already that commands may change. So what we have done here is we have created a controller named DNA Center. DNA Center is now in the version of one three-30, which was recently announced; this release is a week old, by the way. And DNA Center is taking care of this abstraction. We call this intent-based networking. So the intent is about what I want to do. It's not about how I configure my network, it's not about which different commands you need to use. It's about: I want to get a fabric up and running, I want to connect an end user, and the end user should be capable of connecting to the data center or to his or her application. So DNA Center brings all of that. Does it make sense for you?

Yeah, for me it sounds really great. The only question I have, because I can see that you've put ISE in your slide as well: so your SDA solution is not just about automation, isn't it?

That is correct. So that's a very good question, Marcel. So DNA Center brings automation into it. We call this intent, to automate the network infrastructure. It gives you context with assurance and analytics, because you need to troubleshoot it. And regular networks were just built for connectivity, for forwarding, so connecting the device and you can ping your application, you can open email and do things like this. But as of today, security becomes more and more relevant for network environments. So the
idea is to utilize Identity Services Engine, embed them into DNA Center, so we have a channel between ISE and DNA Center, and use all the beauty of Identity Services Engine for policy, for security, for user identification, for authentication, RADIUS and TACACS into the switches. And we didn't build a new environment for this, we just took Identity Services Engine, which was out for a while, and integrated this into DNA Center. So having said this, in the beginning I mentioned to you we left you alone with CLI, and now we have DNA Center to automate it. That means, on the other hand side, now you have ISE and you need to provision ISE on your own. And we did exactly the same thing, so we go and abstract ISE from the network, and DNA Center will take care of ISE configuration. So whenever you create a policy, DNA Center is your single pane of glass. We configure your policy like you do, you set up your fabric, and DNA Center pushes this into Identity Services Engine, and you don't have to touch it.

So great, so I'm just using DNA Center to set up my network, to create my policies, and later on to troubleshoot it.

Yes, you got it. That's exactly what it's meant to be.

Sounds really cool. So what else do I need to do in my networks to get such a solution?

Yeah, let's begin. So there are components. We talked about DNA Center automation, analytics and assurance. The Identity Services Engine is a component for policy. By the way, it's a requirement: you need to install ISE to make SDA happen. And let's dig into the different things and components of SD-Access which are important. So the first you need to know is that we distinguish SD-Access into three components. It's the control plane, which is built on Locator ID Separation Protocol, so that's your route reflector, that's where we are learning all the routes from the endpoints, that's where we are learning all the routes from the data center and the external networks. Since we go to a fabric environment, we decided not to do layer 2 connectivity anymore,
so you don't have to build all the VLANs, all the trunks, or spanning tree, mildest Schatzi, EtherChannel, things like that. But therefore we needed to introduce a new encapsulation so that we can get the traffic from the client, from the endpoint, to the network, and this is VXLAN. And VXLAN can distinguish between a micro segment and a macro segment. A micro segment is a VRF, a virtual network, and we are going to deploy one of these networks in a minute. And the micro segment is about separating the two of us in a single network, so we can make happen in a policy environment that you can meet but can ping me, but you cannot connect by a file transfer or any other protocol. And this is all automated under the covers. It's just the components, because we want to inform you what's going on. Because it would be very easy to set it up, and we will see this in a minute, but of course if something goes wrong, it may be good to have some ideas what's under the covers.

Okay, but at the end of the day I have to know about these protocols, but I don't have to configure them, because this is something DNA Center can do for me.

That is perfectly correct. So you need to know it, because of course you want to troubleshoot this, but all the commands will come out of DNA Center. It will be fully automated, and we just want to make you comfortable that you understand the environment, and can create the confidence that we do not do anything which is very crazy and would not work. And we go into the console, and I will show you a couple of things happening in the fabric.

Looking forward.

So what are the fabric roles and terminologies? We already talked about DNA Center automation. DNA Center automation is taking care of what kind of devices are in the network, software version and license, and then pushes the configuration to the switch, to the router, or to the wireless controller. So wireless is part of it. As soon as you have discovered or introduced a device into DNA Center, it will start collecting analytics data
and will give you a view: is it a good health status or is it in a bad position, and we give you guided remediation. Today we will focus on the SDA portion of DNA Center. So assurance comes along, it is included in the licensing, and it will run automatically. You don't have to do anything in addition. Identity Services Engine, as we have discussed, runs in the background to create policies and make security available. And of course under the covers there are a couple of components. We have a so-called control plane node, and the control plane node is responsible for learning the endpoint devices. So let's do an example: you connect to your network, and the network switch will learn your IP address and your MAC address, and we will announce this address, like we do it in DNS, towards the control plane, and the control plane exactly knows where Marcel sits in the network. Actually, to be honest, it doesn't know that's you, Marcel, but it knows your IP address. So the second piece is the fabric border node. So inside the fabric we do VXLAN encapsulation, but you may want to talk to foreign devices, devices on the Internet, in the data center, in your traditional environment, once you have not migrated everything. And the border node is taking care that we translate Software-Defined Access VXLAN encapsulation into the traditional way of forwarding IP packets. The third component is the fabric edge, and this is the most obvious one. It is your access layer switch. So the access layer switch is the one you connect to. It will learn your IP address, it will, as mentioned, register your IP address to the control plane, and by the end it makes sure that you are reachable for all the other devices, and takes care of the encapsulation into the fabric and the decapsulation, because most likely your endpoint does not understand VXLAN.

Absolutely. If I look at your slide, that just looks for me like a traditional three-tier network design with core, distribution, access, but I see some grayed-out devices which is in the
middle. So what does it mean for me? Can I use my traditional network physical topology, or do I have to recable everything?

Yeah, perfect. So the grayed-out devices are called intermediate nodes in SD-Access. That means if you have a very large network, you may have a border which is your connection to the data center, but then you need to distribute everything into the buildings. So you don't want to run cables from every single access switch to your major locations, and therefore you most likely run distributions with switches per building or in several areas. And the intermediate node is acting and behaving as a distribution node. It will be a fully routed environment, it will interconnect to the edge nodes, but it doesn't participate in the VXLAN and any of the control plane instances. So it's just for scaling the environment. You can do a core, distribution, access design as you know it from the past, but it's even more capable. I will show you LAN automation during the presentation, and we have very much topology independence, so you can build ring topologies, you can do triangles, you can do daisy chaining. So there are almost no limitations. Of course for scalability we may hit one, but we released a couple of the topology dependencies we had in the past.

That sounds great. And as you already mentioned some kind of automation with the LAN, so does it mean I can fully configure everything from DNA Center without using any CLI?

Yes, that is correct. So DNA Center is taking care of a full CLI configuration. The only thing: if you have very special features, let's do an example, storm control, you want to make sure if I have a broadcast that I control it into the switch, I mean the impact is only the edge node itself, but those commands are not being pushed by DNA Center, because we don't consider them. And therefore we have a template programmer, and you can push all the commands you need in this environment after SDA provisioning has happened.

Oh wow, so it really looks nice on the PowerPoint, but how is
the reality?

Yeah, so I will show you the demo in a second. Let's go to the last component on the fabric.

The wireless controller?

Yes, exactly. We have this wireless controller, and we do embed wireless into SD-Access and convert the access point into a VXLAN speaker, so that they participate the same way an edge node in SD-Access does, and it's part of the fabric and is embedded and has the same policy environment, the same IP pool environment in SD-Access. So even we take care of all your wireless devices.

So even the WLC is managed by the DNA Center?

That is correct. You read in the wireless controller, you add it to the fabric, and you are done. That's all you need to do. No more SSIDs, fabric AP groups, nothing, this is all gone. You need to create your SSID, to be honest, because you need to tell the controller what to provision, but all the rest of it is gone. So there's no complex configuration in terms of the access point. So let's go into the live controller. This is DNA Center. It's an up-to-date version. They offered me a new update on the top right corner, for those who have recognized that we have the little cloud with the 13 updates. Nevertheless, we have DNA Center. When you start with DNA Center, you need to give some information into the system, because it doesn't know who you are, who your organization is, what your IP address scheme is. So this is something we do under the design aspect. I already prepared an environment for you, and we will run the demo in Berlin in Germany. So you see a design structure for a couple of locations. I have prepared Berlin, it's the country itself, and I have prepared a building, so that DNA Center knows where it is, and you can of course upload a floor plan and position your access points in this and get proper heat maps etc. later on. The next thing under design you need to do is to explain to DNA Center what are my network settings: what is my DNS server, what is my DHCP server, what is my RADIUS server, what is my banner message of
today, what are my images I want to use. So all the site specifics we cannot know, because DNA Center, once we provision the network, will form the entire configuration out of these parameters. OK, so the next thing which is fairly important is about IP address pools. So SDA has a different way of doing IP addressing. So in the former life you may remember that we had a VLAN and an IP subnet tied together, and normally it was the case that we tried to have small subnets to keep failure and broadcast domains very small, and make the impact if something goes wrong not distributed into the entire network; maybe we can cap it in an access layer only. So what we have done here is we said, OK, we do register /32 addresses, so your endpoint ID, your endpoint IP, and therefore you can have a very huge subnet configured for a fabric site, and I will go on to show you what a fabric site is in a minute. So you only have one IP subnet for your virtual network if you want. There are some use cases having more of them, but it's as simple as it is. And I've prepared one of this, which is for my demo here. So I've prepared an IP pool and an IP range and the DHCP server already.

So that's everything you should do, nothing else?

That is correct, from the design perspective.

Wow.

So we get to the next stage and provisioning the fabric itself, and then I will show you that the IP configuration on the switch will completely automatically retrieve out of this.

Oh, that's interesting. But one more question, because I saw that you can add new IP address pools, and we all know that some customers already have some kind of IP address management systems which they already use for, yeah, setting up their IP ranges. So is there any way to get this information already into DNA Center?

Yeah, so that's a very common task, so thanks for asking this question. So what we have done: this just looks like an IP address management tool. What we have done, we built an integration. On the top you see Platform, and the Platform
piece in DNA Center connects to third-party systems, which can be your Microsoft DHCP server, or can be Infoblox or BlueCat, just to name some of the examples. It's completely independent what kind of DHCP vendor you have, and we are able to learn from the DHCP vendor what subnets are already assigned, so we fill up this table automatically. Or if you want to provision the pools from DNA Center, DNA Center will make them available, for example in Infoblox, and also activate the DHCP ranges, so you don't have to touch the IP address management tool anymore.

That's great.

And maybe also there's one more thing: if you want to edit and say I need to get IPv6, it's just a matter of the point in time you want to run IPv6 in the overlay. You just enable IPv6, get an IPv6 pool into it, press save, and it will be auto-deployed into your network end-to-end. So once we have done the design, let's go to provision. I've already set up the switches in terms of time, but you can bring up everything using LAN automation. Let me quickly go into this. There's a process called LAN automation. You can select a primary site, which is called Berlin for example, so it will give you the possibility to add devices out of Berlin, which we call a city by city. You can then select an IP pool for the specific device, and you can provision everything without touching a single time this command-line interface. That means even the seed unit, which is the border in the future in many cases, can connect home to DNA Center by plug-and-play protocol. DNA Center will take care of the configuration, will push the IP pools, and will take care of the next layer, the intermediate node, you asked for the grayed-out one, yes, and the edge node, and will bring up all the devices from scratch, and you don't have to touch the CLI a single time.

So does it even mean that I do not have to use any templates? Because I know many customers used them in the past, using Prime Infrastructure, APIC-EM, setting up a template, pushing
it using plug and play. So this is different plug and play?

That is hundred percent correct. So what we have done is we took all the beauty and the features and functions out of plug and play, and SDA means it's intent, so we pre-created all the templates for you. They are in the backend, and once you do a LAN automation, it knows this switch is an SDA device, so we create the template for you and it will be pushed out automatically in the background. You don't have to create CLI, it's all done by us.

Wow, that's really cool.

So I've done this for you, so these switches are up and running. Let's go into the fabric environment, so let's do the cool stuff right now. You see I already have prepared a so-called fabric domain. A fabric domain means this is owned by an administrator, today it's me. If I dig into this one, I do see already a couple of fabrics up and running. So a fabric site is something like a HEPA, a set of switches in Frankfurt in my case, I have a set of switches in Düsseldorf, etc., etc. But we were talking about Berlin, so in Berlin is nothing. Let's assume it's a new location. So the thing I need to do is to create and add a new fabric site. And you don't have to do it on your own; what you can do is just select Berlin, because it has already been pre-provisioned by DNA Center in the design phase, and it will automatically create you the fabric site. The only thing you need to answer is which virtual networks do you want to have in Berlin, so which users need to connect. In my case it's just a demo, one VN. Let's assume these are employees. So let's enable this, and DNA Center will do a provisioning in the background and will set up the fabric site for you, and automatically assign, if I click into the fabric, all the devices which have been pre-assigned to this site using the LAN automation process. So whatever came up via LAN automation is already part of the site. Let's zoom in a little bit. You see a couple of 3850s, 9Ks, etc. So what we need to do now is to identify the border node and the
control plane. This is mandatory; there's no SDA without a border and control plane. So what I do is, my border device, I just select it. I need to give the information for BGP, which is my device and my autonomous system number, and I've pre-decided it's 65125, it may be different in your environment. And then you explain, I do have a transit exit, that means I explain to the border how to connect to the outside world, so to my traditional network, to my data...

Everything which is outside the new fabric?

That is correct. OK, so this means we use this transit network and the transit link to learn external IP addresses. So let's add this. That's pretty much it. The second thing we need to do is to enable the control plane. As mentioned, it's mandatory that we do have a control plane.

So can it run on the same device?

Yes, that is correct. You can run a control plane and a border node co-located on the device, but if you want, for high availability reasons or for scalability reasons, you can separate border node and control plane.

So that's really good. It means if you are a small environment you can co-locate it on the same box; if you want to grow, you can split them up again.

That is correct. And also you can put the control plane in two different locations to make sure, OK, I have some kind of physical high availability. OK, the next thing you need to do in this case is to enable the edge node function for the access switch, and this is only the one you do. I do it the five ones individually, but I'll show you a better way how you can do it in a second, because if you run like hundreds of switches, you most likely don't want to do it the way I do here. And all you do in the background while we are talking is to apply the configuration in the network. So edge node is just a single click, no information at all, because we already defined the border, we already defined the access point and the control plane, and we have two predefined IP pools. So what we now add to the fabric is all the IP configuration for the
underlay, so that all the edge nodes and borders can reach each other.

It's amazing, because you just swiped a button. And are there really configuration changes on the switches?

Yes, there are really configuration changes on the switches. Let's quickly step in. In the background you see something is going on on the switch. I have a config archive log running, so you see we are really pushing things like a map-resolver into the switch, and a map-resolver is a LISP role for the control plane. So there's really something happening live on the switch, and this is not a mock-up, this is a live network environment. And the beauty of it: you can step into the switch and you can read all the configuration we have pushed, for your convenience. Because if you start with Software-Defined Access, you most likely want to create some trust, and, OK, Cisco, what are you doing there? So you can learn all the commands if you want, but it's a lot of work, because it's a couple of hundred commands being published in the background.

But given this way I'm much faster in rolling out my new network.

Exactly. Imagine you have like hundreds of those switches, and they all come in by plug and play, and all of them will be completely automatically distributed, and you don't have to prepare anything. The only process you have to start is LAN automation, so you can do a building by building, and it can be done by an operator who most likely has no deep knowledge of VXLAN and LISP, but it can also be done of course by the knowledgeable people in the beginning, and it helps really reducing rollout times.

So you are hiding the complexity from the administrator or the user, just to make their life a little bit easier as well.

Absolutely. That's the idea of intent. So we want to make sure, OK, we give you all the insights to create trust, but once you have understood this and tested it, you just want to make sure it's a single open environment to get an edge node. Imagine you built a building, 50 switches, and a year later
you get an extra space and you need additional switches: it is a matter of mounting the switch, cabling the switch, powering it up, pressing these three buttons, and you're good to go.

OK, so now I have these switches up and running, but what happens if I want to try to connect with a client?

Yeah, that's what we do next. So one is for everybody in the room: it's about, I can also select multiple devices and assign an edge role, right? I can go into edit. They are all in the fabric; it will complain because they are already distributed, but you see I get this edge node button, so I can do this for hundreds of devices simultaneously and don't have to run through every single device. You may have recognized the host onboarding button here.

Yeah.

So this is now the magic piece, which is the next step. This has some preparation to be done. SD-Access, we had the former name called Secure Access, is about security. So you need to decide what kind of authentication you want to do. You're coming from a traditional network, most likely you don't have authentication, so your clients aren't running dot1x supplicants and stuff like this. So you can go no authentication, or you say no, I want to do a closed authentication environment, so the endpoint needs to authenticate and authorize using the network. So we send credentials and do a challenge and response, we send an EAP all the way up to Identity Services Engine, there ISE will make sure, oh, Marcel is existing, and push back the policy with the proper VLAN and IP addressing for you, and opens up the port so that the endpoint gets the correct IP address.

So it means if you just select closed authentication and set as default, all my wired network is now up and ready for dot1x?

Correct. In the same moment it's completely up and running for dot1x. Imagine how many 802.1X commands were on the switch in the past.

Yeah, I was just thinking about how many lines of configuration I needed in the older times to configure dot1x on
my switch ports. It was a lot of pain, so this looks really easy for me.

Yeah, and the fun was, if you have different platforms and different IOS versions, it was a lot of fun. If you are a network engineer, you know what we are talking about. But by the end of the day you don't want to deal with this anymore, and it's also taking care of software updates, so if I get a new version it will push the proper configuration to the device.

Oh wow.

So the next thing we need to do is the virtual network itself. We already selected the demo VN, which is being provisioned in the network. You may have recognized there is an infrastructure VN. So the infrastructure VN has the job of connecting access points and extended nodes, so smaller switches which can be connected to an edge node. And access points need to operate in the underlay network to reach the wireless controller and do all the roaming management, and therefore we have built a VN which is not a VN. So finally it's a show IP route, no VRF configuration, but the name of it is INFRA_VN. So we don't have to touch this, because we do the wired demo for now. The only thing I have to do now is, OK, I need to add an IP pool. So we have created this IP pool before. There's no pool. That is interesting. So this is about live demos, right? Let me just get into it. So in general we have to add the IP pool, which is not presenting here, so the demo fails. This is all about live demos, right? Normally we get the IP pool into the controller, we have the authentication profile. Something is really going wrong here, I'm sorry about this. This is normally always happening. So we can add the IP pool here. Let me go through one more time and see if it's, after reload, if it's going. So adding the IP pool to the virtual network: so back to VN, back to host onboarding, back to virtual network, back to demo, add an IP pool, and we still don't see it. So let's leave it like here. So we are adding the IP pool to the network, give it the information, the job of being a data
pool or a voice pool, which ends up in the decision to be provided as a trunk port for a phone, or if you provide it just as an access port in that case, and decide if this is a scalable group for further policy tests in that case. So once we have done this, we can add this, and so in this case it's not showing up. Let me fall back, I have a plan B for you, and I really apologize that this happens to the controller. So let's go in my demo VN in my other fabric site. You see that I have added IP pools in here, and this ends up in provisioning the IP information into the switch. We are configuring interface VLAN with a number, and the number is up to us, so you don't have to distinguish between numbers or prepare anything in here, and it will be pushed to the switch and make the switch IP reachable. And as soon as it, now because we have 802.1X enabled, if you log into the switch using 802.1X, you will be assigned to the proper VLAN and you immediately get a DHCP answer and can work.

So again, there was no CLI until now, right?

No CLI until now. So once I've done this, I can go further down, and now I do see the list of my switches, in my case now Frankfurt am Main, because Berlin has some issues. We need to troubleshoot this later on; there will be an assurance message most likely what's going on. So I get a full overview about my switches, and in this fabric I have a couple of switches, Cat 9Ks, this different number scheme, and they are all enabled by LAN automation, and I get a full overview about my network environment, my connected ports. You see I have already configured some. Let's sort them with the link-up status, so you can detect, OK, there are a couple of devices connected already, and those devices are different. I have one port which has no configuration in it, so it looks like empty, but my default authentication is 802.1X. In this port I already have pre-assigned this port statically to a given thing. So let's do it for this specific port, let's assign it,
because there are three different ways of assigning a port. We have a so-called user or endpoint policy or profile, meaning your PC, your Mac, whatever end device you have; it's just an access port. We have an access point, therefore we need the INFRA_VN. And we do have a server port, if you want to connect a server to the network, and the server most likely runs in separate VLANs to serve different customers or different applications to your endpoints, and it will provision a trunk to the interface so that you can be part of different virtual networks if you want. Once you have selected it, you can select the IP pool for this environment, because we do not do 802.1X. 1X will return a VLAN ID for you, so you will be auto-assigned to the correct VLAN. If you do a static authentication, we don't have this information, so you need to do this manually. You can second assign a group for policy, which I'm not doing here right now, and you can say no, it's a no authentication, so I do an exception to my default policy, so the port is a static, standard, traditional layer 2 access port as you know it from the past.

OK, so just in case I have an old printer which is not capable of running dot1x, this would be the solution to get the printer up and running?

That is a perfect example. I can put a description on top of it, so that if you want to do this, I mean you know, OK, I have this printer connected to my network, I can put in a special description, and DNA Center will put the description into the port configuration for you. So when I update this, I need to apply the configuration. You may have recognized I can do it now, I can schedule it, and schedule means I can also send this change all the way up to an IT service management tool like ServiceNow, Remedy, or whatever you have in mind, and this will create a change in this change management, and somebody needs to approve the change. If the change has not been approved, then the change will not be fulfilled from the system, so nobody configures the
network either, DNA Center doesn't push anything, and if you have approved the change and the time window matches, then DNA Center will fulfill the change at the given time.

OK, so I assume the integration with any IT service management is exactly the same like the integration with ISE or the IPAM services?

That is correct, so we do it exactly the same. So we put in IPAM, we put in IT service management, and it's as open as this. So we integrate; if you go through the controller you will see ServiceNow, but it's totally open to integrate other IT service management vendors. So we want to be independent in that case, and therefore we open up the platform, and there may be some work on the other vendor side to do because they need to call our API, but this is all documented and there are also software development kits available.

OK, so now given the fact that the fabric is up and running, how do I troubleshoot, how do I see? Because I can remember at the beginning you mentioned something with assurance, so what's this kind of feature in DNA Center?

Yeah, that's a good asset. You have seen that we have now brought the fabric up and running; the ports are connected, either authenticated dynamically or you do your static port assignment. We saw a bit of wireless, we embedded the wireless controller; we did not do the demo but it's as simple as this, so you just add the wireless SSID, assign an IP address scheme, and it will push it out to the network. So the next thing is, once you have it running, of course, you go into the life cycle of the network, and therefore DNA Center comes along with network assurance. So in the beginning I told you, when we enable the devices and put them into the inventory of DNA Center, DNA Center automatically starts collecting the environment. So we get analytics data from the switches into DNA Center, and DNA Center will do the math and calculate the analytics data, either in good shape or in bad shape. And as you can see, I at least have a wireless controller, finally, which is one of the
unsupported controllers in my network, which is not green, but my core, distribution, Nexus environment is fine. You see I have about a 17, 97% health of my wired environment. So I have 35 connected devices to the fabric, and it may have happened that in Berlin some of the 1X clients already showed up and connected to the network and are already in operation and pinging through the network and doing the application stuff.

OK, so if I remember correctly, at the beginning there was ISE mentioned on your slides as well. So ISE is already known for the policies, so how is the policy integration with ISE working with DNA Center? Is there something special, because you mentioned I do not have to go to ISE?

That is correct. So what we have done, if you go to settings, I give you a quick overview where you can see ISE in the system. So we haven't touched it, but in the System 360 there is a connection to ISE. It's based on pxGrid, so you just have to give DNA Center an IP address of ISE and the credentials and press on apply, and then they'll form a trust connection between the two devices, exchange certificates and form a secure channel. So that's all you have to do; they turn green, and from now on ISE connects as a RADIUS and TACACS server for network and user authentication, but it will also be the policy engine. So we talk about security in the network. So the fabric we have set up is actually just serving IP connectivity and you are allowed to do anything, whatever you want; if it's IP reachable it's not limited, no access list, no additional security, it's all up to the firewall. In the policy module of DNA Center we utilize Cisco TrustSec, and we have also a policy matrix inside Identity Services Engine, and what we did is mirror the view from Identity Services Engine to DNA Center, and this is what we see here on the screen. So we get the matrix, you see all the groups. So the question is, where do the groups come from? And actually I have connected my Identity Services Engine to the
Active Directory in the lab, and these are the groups we have learned from Active Directory, which is for instance a user group of employees, of guests, of a company A, of partners, so some examples just to make it visible. And these groups can have a relation; you need to bring the groups into a virtual network. So if I go to the virtual network tab I have the option to go into demo and just drag and drop groups into the virtual network, and from now on the new group, the TrustSec servers, will be part of virtual network demo 1. So if you authenticate in that group you automatically get the correct VLAN provisioned onto your access point, and all you have to do is just using drag and drop.

Drag and drop, that's all you need to do? Wow.

So then the next thing is, let's go back to the matrix. Now you can start limiting the traffic. So if you want to prepare a policy, and let's grab one of the policies here, you can just click on it, and we've prepared one. The policy has a name and has an access list in it, and the access list in this case is permit HTTP and HTTPS only, and a deny any any at the end. So what's now available is that from BYOD to contractors, so these are the two groups, maybe I log in as BYOD user, you log in as contractor, if you are belonging to the same virtual network we get an access list applied to our access switches. So when I want to contact you I can do this on an HTTPS basis, but I cannot ping you anymore and cannot FTP you anymore. I give you a simple use case. One of the use cases is, if you have a printer and an employee sitting in the same network, you want the employee to print in the network but you don't want the employee to manage the printer. That means that we limit the traffic between... sorry, here's a fly on its head, so that is why we are laughing. I apologize for this, so it happens from time to time, so that is about life in a live streaming in here. So the employee cannot manage the printer, but they are capable of printing to the printer, but
if I'm a desktop administrator and the printer administrator, I can print and again do SSH and HTTPS management into the printer environment in that case.

So I don't have to know anything about the actual SGTs and contracts and so on; all I have to know is what kind of services I want to limit?

Correct. So this list, you tell 'em HTTP from A to B, and the rest is under the covers. And just to give you a last example: if you go into the work center of ISE, you don't have to get there, it's completely automated from here, you go into the TrustSec environment, you go into TrustSec components, and there you have the security group access list matrix. It looks pretty much the same as in DNA Center, and you find the contract of HTTPS. So if I pull the contract you recognize that this contract is now being translated into real CLI, so this is the ACL we are gonna push into the network.

Oh, so you've done everything through DNA Center. So even if there was some kind of configuration in ISE, if there was some configuration in the IPAM system...

Correct.

...I still had my single point of view, I didn't need any CLI to get the switches up and running, that this meant there was the assurance part too and any troubleshooting steps necessary to step into.

That is correct, this is absolutely correct. So before I sum up: ISE is completely hidden behind the network and behind the DNA Center, so that we do all the work, all the CLI work you formerly did, it's completely automated between ISE and DNA Center. So let's do a quick summary of what we have done in the last couple of minutes. We have talked about Software-Defined Access, which is an up-to-date solution between DNA Center and the network environment. We integrated this into Identity Services Engine for policy, and we did a full automation to bring up a client and a network device zero touch. That means the network switch boots up into the DNA Center but will get a full configuration, we assign a policy to the access port like a
802.1X, Marcel can log into the network, gets IP connectivity, and by the end of the day, once he has connectivity, give him a policy so that he cannot connect to the printer anymore. For that I want to close now, and I want to thank you for participating in my session. I hope it was very valuable for you and you get some learnings out of this, and I encourage you to try this out in our lab and play around with this to get new stuff learned.

Yeah, thank you Marcus, and thank you everybody else. So again, it was really amazing to see how easy it is to set up this fabric with DNA Center without using any CLI, and to get the integration with ISE and all the other products. So I'm looking forward for everybody to try it out, and thanks a lot.

Thank you.
Info
Channel: Cisco Live EMEAR
Views: 1,722
Rating: 4.8461537 out of 5
Keywords: Cisco, Cisco Live, Barcelona, CLEUR, Master Series
Id: pcy5eKW16v4
Length: 40min 49sec (2449 seconds)
Published: Tue Feb 04 2020