
#CLUS

Intent-based Networking with Cisco DNA

Mark Montanez, Distinguished Consulting Engineer


Matt Falkner, Distinguished Engineer, Technical Marketing
BRKCRS-2701

BRKCRS-2701 IBN for DNA
One of the major goals of Cisco's Digital Network Architecture (DNA) is to enable intent-based networking (IBN). IBN enables operators to express the expected network behavior in abstracted policy terms (WHAT), instead of prescribing the network's functionality in low-level configurations (HOW). This session introduces the concept of IBN and describes its four main capabilities: translating abstracted expressions of higher-level business policies into network configurations, automating their implementation in the network, continuously validating the business intent by observing the network state in real time, and taking corrective actions in case of deviations. Participants will learn how various elements of DNA fulfil these capabilities, for example the role of the DNA network controller platform in policy translation, or the role of the DNA network data platform for telemetry and assurance. The session will also focus on the challenges of moving to an intent-based system.

#CLUS BRKCRS-2701 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda: BRKCRS-2701 Intent-based Networking with Cisco DNA
• Motivation – What does this mean to you? (Why should you care?)
• What is Intent-based Networking?
• An Architectural View – What is an IBN?
• From Theory to Reality – Use Cases
• Conclusion

Motivation – What does this mean to you? (Why should you care?)

The Need for a New Network

THE NETWORK. INTUITIVE.
Powered by intent. Informed by context.
(Figure: LEARNING, INTENT, CONTEXT and SECURITY around the network)
Unprecedented Demands on the Network

Digital Disruption: 63 million new devices online every second by 2020 (1) – Lack of Business and IT Insights
Complexity: 3X spend on network operations vs network (2) – Slow and Error Prone Operations
Security: 6 months to detect breach (3) – Unconstrained Attack Surface

1. Gartner Report - Gartner's 2017 Strategic Roadmap for Networking
2. McKinsey Study of Network Operations for Cisco – 2016
3. Ponemon Research Institute Study on Malware Detection, Mar 2016
Our Vision and Strategy

Vision: Change the way the world works, lives, plays, and learns
Strategy: We create solutions built on intelligent networks that solve our customers' challenges

Digital Transformation is Moving IT to the Boardroom

UPS My Choice: Delivery Control; Personalized Service
Workforce Efficiency: WIP Inventory and Part Tracking; Physical and Virtual RFID
Starbucks Apps: Order Ahead; Skip the Line
American Express: Customer Experience; Personalized Service Through Mobile Content

Business at the Speed of Digital

3X more organizations intend to be digital ready in 2 YEARS – IDC (1)

"Digital business requires faster delivery of services to the business, ultimately requiring enterprises to change network operations processes and tooling." – Gartner (2)

Rewriting the Networking Playbook

Traditional Network -> Digital-Ready Network
• Hardware Centric -> Software Driven
• Manual -> Automated
• Silo'd Security -> Integrated Security
• Network Monitoring -> Analytics and Insights

You Need a Network that Drives your Digital Business


Automation & Analytics at Scale

Efficiency: 28% More Efficient Networking Staff
Speed: 17% Faster Delivery of New Applications; 42% Faster WAN Branch Deployments
Financial Value: $48K Average Annual Benefit Per 100 Employees; 402% 5 Year ROI

Source: IDC The Business Value of Creating Digital-Ready Networks with Cisco DNA Solutions, Jan 2017.
Figures refer to business value achieved by customers adopting Cisco DNA solutions

Cisco's Enterprise SDN Strategy
Policy and Intent to Unlock the Power of your Network

• Unlock the Power that Exists in the Network through Abstraction, Automation, and Policy Enforcement
• Leverage the Power of Existing Distributed Systems – The Network you have already built
• Enable Network Wide Fidelity to an Expressed Intent (Policy) through Analytics & Assurance

What is Intent-based Networking?
Intent-based Networking
What the Industry Is Saying

"Gartner sees the biggest benefits from IBNS are improving network agility and availability, and supporting unified intent and policy across multiple infrastructures." (1)

"By 2021, in value terms, over 25% of infrastructure services will have some autonomous self-managing capabilities, expediting business outcomes and mitigating the risk of human error" (2)

"For an enterprise to be successful with intent-based networking, it needs to fully embrace automation in the data center, the campus, the wide area, and in the branch." (3)

1. Gartner, Innovation Insight: Intent-Based Networking Systems, February 2017
2. IDC FutureScape: Worldwide Enterprise Infrastructure 2018
3. Current Analysis: Enterprises Cannot Have Automation Commitment Issues and Be Successful, Fratto, Mike, 2017
Cisco's Enterprise SDN IBN Strategy
Policy and Intent to Unlock the Power of your Network

• Translate – Unlock the Power that Exists in the Network through Abstraction, Automation, and Policy Enforcement
• Automate – Leverage the Power of Existing Distributed Systems: The Network you have already built
• Assure – Enable Network Wide Fidelity to an Expressed Intent (Policy) through Analytics & Assurance

Intent-Based Networking (IBN)

(Figure: Digital Business on one side and the Network on the other, linked through Learning, Context and Intent; around the network: Mobile, Security, IoT, MultiCloud)

Powered By Intent. Informed by Context.


Built on Cisco Digital Network Architecture

(Figure: the DNA architecture layers)
• Cloud Service Management
• Automation and Assurance – Automation; Analytics
• Principles – Open; Programmable; API Driven
• Virtualization
• Security and Compliance
• Programmable Physical and Virtual infrastructure
• Insights and Experiences
• Security

What we have Launched

(Figure: the DNA architecture layers with the launched products)
• Cloud Service Management
• Automation and Assurance – Cisco DNA Center & vManage (Automation; Analytics)
• Principles – Open; Programmable; API Driven
• Virtualization – SD-WAN, SD-Access & Assurance
• Security and Compliance
• Programmable Physical and Virtual infrastructure – Catalyst 9000
• Insights and Experiences
• Security – Encrypted Traffic Analytics

What we are Launching
DNA-C As a Platform

(Figure: the same DNA architecture layers and products)
• Cloud Service Management
• Automation and Assurance – Cisco DNA Center & vManage (Automation; Analytics)
• Principles – Open; Programmable; API Driven
• Virtualization – SD-WAN, SD-Access & Assurance
• Security and Compliance
• Programmable Physical and Virtual infrastructure – Catalyst 9000
• Insights and Experiences
• Security – Encrypted Traffic Analytics

Driving the Transformation

(Figure: the DNA architecture layers with the transformation steps)
• Integrate Controllers into IT Ops
• Extend/Customize DNA-C++ (Automation and Assurance – Automation; Analytics)
• Make IBN Real for NetOps (Security and Compliance; Virtualization)
• Intent + Policy = Automation & Analytics
• Enterprise Wide Fabric (SD-Access & SD-WAN - End-to-End Segmentation) on the Programmable Physical and Virtual infrastructure
• Security; Open, Programmable, API Driven principles; Insights and Experiences

Intent-based Networking: What is it?

Objective: Business intent drives continuous alignment of network services

Adapting:
• Respond dynamically to business demands

Learning:
• Apply telemetry, machine learning to provide contextual insights and inform decisions

Protecting:
• Identify or predict issues and threats and respond
An Architectural View – What is an IBN?
Setting the Stage: A high-level Enterprise Network Model

(Figure: the enterprise network domains)
• Network Sites: Campus (SD Access), Branch, Outdoor, Mobile / 5G – NW Fns (phy&vir)
• SD-WAN / Corporate WAN: MPLS, Internet, SP – NW Fns (phy&vir)
• DC Fabric: Ent Apps – NW Fns (phy&vir)
• Cloud Exchange: VPC, SaaS, Internet – NW Fns (phy&vir)

The Intent Architecture sits between the Infrastructure and Operators

(Figure: Operators – Intent Architecture – Physical and Virtual Infrastructure)

Unpacking the Intent-based Model

Intent-based Networking – Industry Initiative

• Translation: Capture business intent, translate to policies, and check integrity
• Activation: Orchestrate policies & configure systems
• Assurance: Continuous verification, insights & visibility, and corrective actions

Physical and Virtual Infrastructure

Capturing Intent – the 'Intent Translation' Layer

Capture
• Characterize Intent in the Abstract
• GUI, YANG/XML
• Natural or Intent Language syntax

Translate
• Harmonize captured intent
• Model-based
• Creates an abstracted model for Intent

Verify Integrity
• Check consistency / logic against existing intent
• Intent expressed at different times
• From different operators / sources
• Heuristic algorithms
• Formal methods

Intent is expressed by different Operators

Nicole, 46 - Network Architect
• Researches trends, designs new networks
• Works with execs to understand business needs
• Intent Scope: Infrastructure Architecture, Service Architecture
• Concern: standardize deployments, scale, flexibility, cost

Andrew, 39 - Network Admin
• Pushes configurations to components
• Ensures the network operates as designed
• Develops golden configurations
• Concern: minimize risks, always under pressure, change management

Greg, 46 – Network Operator
• Runs compliance checks
• Manual installation of network elements / components
• Test, validation, troubleshooting
• Concern: non-standard designs/requests, lack of control, searching for resolutions
… and Abstractions may be ambiguous

IT/App:
"My Point-of-sale traffic is always critical"
"I am rolling out a new IoT application"

NetOps:
"The network should only have golden images deployed"
"User group X can talk to application group Y, but always needs to be encrypted"

DCOps:
"I need to scale out my application database"
"I need to deploy a secure multi-tier application"

Need to understand definition of Intent Expression -> Intent Models / Policies

… and may have different scopes

• Depends on the operator's domain

(Figure: the enterprise network model from before, with operator scopes IT/App, NetOps, DCOps, BranchOps and WANOps laid over Sites, SD-WAN / Corporate WAN, DC Fabric and Cloud Exchange)

In the Enterprise, Cisco DNA Center captures Intent

Cisco DNA Center – Simple Workflows: DESIGN, POLICY, PROVISION, ASSURANCE

Cisco DNA Center: Identity Services Engine, Automation Platform, Analytics Platform
Routers, Switches, Wireless Controllers, Wireless APs

The Cisco DNA Center Architecture For IBN

(Figure: the Cisco DNA Center software stack)
• Cisco DNA Center User Interface
• DNA Applications | Analytics Applications
• DNA Controller Platform Services | DNA Analytics – Network Data Platform
• Elastic Controller Infrastructure: Kubernetes, Kafka, Cassandra, Mongo DB, Elastic Services

Cisco DNA Center performs Intent translations to Configurations

(Figure: the translation stack)
• DNA Application (e.g. SDA)
• NB API: REST/RESTConf
• Device Provisioning | Service Provisioning: Service Model (YANG), Workflow Engine, Device Manager, Device Model (YANG), XDE, Network Programmer
• SB API: NC/YANG, CLI..
• Network Elements

Examples:
1. Service Model (Network wide Intent)
• Deploy SD-WAN between sites {A,B,C}
2. CFS
• QoS, PfR, IPsec/GRE
3. RFS (Device-specific Intent)
• QoS on Router R1
• QoS on Switch S1
• …
4. Device Model
• R1: ASR1K
• S1: Cat9K
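As an added illustration of the four translation stages above (example code written for this page, not Cisco DNA Center's own service or device models), the following Python walks one network-wide intent, "deploy SD-WAN between sites {A,B,C}", through a service model, a customer-facing service (CFS), per-device resource-facing services (RFS) and a platform-specific device model. The inventory, the feature names, the WAN_UPLINK table and the CLI rendering are constructed assumptions.

```python
"""Added example (not Cisco DNA Center code): a toy four-stage intent
translation pipeline in the shape of the slide above:
service model -> CFS -> RFS -> device model.
Inventory, feature names, interface names and CLI rendering are constructed."""
from dataclasses import dataclass


# 1. Service model: the network-wide intent exactly as the operator expresses it.
@dataclass(frozen=True)
class SdwanIntent:
    sites: tuple                 # e.g. ("A", "B", "C")
    encrypt: bool = True         # inter-site traffic must be encrypted
    voice_priority: bool = True  # voice gets a strict-priority queue on the WAN edge


# What the controller's device manager already knows about each site (constructed data).
INVENTORY = {
    "A": {"device": "R1", "platform": "ASR1K", "wan_ip": "192.0.2.1"},
    "B": {"device": "R2", "platform": "ASR1K", "wan_ip": "192.0.2.2"},
    "C": {"device": "S1", "platform": "Cat9K", "wan_ip": "192.0.2.3"},
}

# Per-platform template data (constructed): the WAN uplink is named differently per platform.
WAN_UPLINK = {"ASR1K": "GigabitEthernet0/0/0", "Cat9K": "Vlan100"}


def to_cfs(intent):
    """2. Customer-facing service: which features the service needs, still device-agnostic."""
    features = ["pfr", "ipsec-gre" if intent.encrypt else "gre"]
    if intent.voice_priority:
        features.append("qos-voice")
    return {"service": "sdwan", "sites": sorted(intent.sites), "features": features}


def to_rfs(cfs):
    """3. Resource-facing service: device-specific intent, one tunnel per remote site."""
    rfs = {}
    for site in cfs["sites"]:
        dev = INVENTORY[site]
        peers = [INVENTORY[s]["wan_ip"] for s in cfs["sites"] if s != site]
        rfs[dev["device"]] = {"platform": dev["platform"],
                              "tunnels": peers, "features": cfs["features"]}
    return rfs


def to_device_model(spec):
    """4. Device model: render the RFS with the platform's own template (constructed CLI)."""
    lines = []
    for i, peer in enumerate(spec["tunnels"]):
        lines += [f"interface Tunnel{i}",
                  f" tunnel source {WAN_UPLINK[spec['platform']]}",
                  f" tunnel destination {peer}"]
        if "ipsec-gre" in spec["features"]:
            # The CFS only said "encrypted"; here that becomes a concrete IPsec profile.
            lines.append(" tunnel protection ipsec profile SDWAN-IPSEC")
    if "qos-voice" in spec["features"]:
        lines += ["policy-map SDWAN-WAN-EDGE", " class VOICE", "  priority level 1"]
    return lines


def translate(intent):
    """Run all four stages and return {device_name: [config lines]}."""
    rfs = to_rfs(to_cfs(intent))
    return {dev: to_device_model(spec) for dev, spec in rfs.items()}


if __name__ == "__main__":
    for device, config in translate(SdwanIntent(("A", "B", "C"))).items():
        print(f"--- {device} ---")
        print("\n".join(config))
```

The point of the layering is that each stage only knows its own vocabulary: the service model never mentions a tunnel, the CFS never mentions an interface name, and only the device model knows that the Cat9K uplink is an SVI. Changing a platform template therefore never touches the expressed intent.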
Closing the loop with the 'Intent Assurance' Layer

Verification
• Continuous verification of the IBN system behavior
• Check that the network behaves in accordance with expressed intent
• Network telemetry

Provide Insights
• Determine causes of intent-to-behavior discrepancies
• Performed by: pattern-matching, ML, heuristics

Remediate
• Identify and recommend corrective actions
• Goal: automate corrective actions
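To make the three assurance functions concrete, here is an added Python example (written for this page, not Cisco DNA Center or Network Data Platform code): a segmentation intent is checked against constructed NetFlow-style records, the discrepancies are explained with a simple pattern match, and corrective actions are recommended rather than applied. The intent matrix, the records, the node names and the recommendation text are constructed assumptions.

```python
"""Added example (not Cisco DNA Center code): closed-loop verification of a
segmentation intent against flow telemetry, in the three steps of the slide:
verify -> provide insights -> remediate.  All data below is constructed."""
from collections import Counter

# Expressed intent: SGT-to-SGT policy matrix (constructed). Pairs not listed fall back to DEFAULT.
INTENT = {
    ("Engineering", "Finance-Apps"): "deny",
    ("Finance", "Finance-Apps"): "permit",
    ("Engineering", "Shared-Services"): "permit",
}
DEFAULT = "deny"  # least privilege: anything the intent does not allow is denied

# Constructed NetFlow-style records as the data platform might receive them from fabric nodes.
TELEMETRY = [
    {"node": "edge-1", "src_sgt": "Finance", "dst_sgt": "Finance-Apps", "bytes": 8200, "action": "permit"},
    {"node": "edge-1", "src_sgt": "Engineering", "dst_sgt": "Finance-Apps", "bytes": 0, "action": "deny"},
    {"node": "edge-2", "src_sgt": "Engineering", "dst_sgt": "Finance-Apps", "bytes": 51200, "action": "permit"},
    {"node": "edge-2", "src_sgt": "Engineering", "dst_sgt": "Shared-Services", "bytes": 900, "action": "permit"},
    {"node": "edge-2", "src_sgt": "Guest", "dst_sgt": "Finance-Apps", "bytes": 300, "action": "permit"},
]


def expected_action(src_sgt, dst_sgt, intent=INTENT, default=DEFAULT):
    """What the expressed intent says should happen to this (src, dst) pair."""
    return intent.get((src_sgt, dst_sgt), default)


def verify(telemetry, intent=INTENT):
    """Verification: compare every observed flow with the behaviour the intent prescribes."""
    discrepancies = []
    for rec in telemetry:
        want = expected_action(rec["src_sgt"], rec["dst_sgt"], intent)
        if rec["action"] != want:
            discrepancies.append({**rec, "expected": want})
    return discrepancies


def insights(discrepancies):
    """Provide insights: a simple pattern match.  If every violation sits on one enforcement
    node, the likely cause is that node's policy state, not the intent itself."""
    by_node = Counter(d["node"] for d in discrepancies)
    if not by_node:
        return {"cause": "none", "nodes": []}
    if len(by_node) == 1:
        node = next(iter(by_node))
        return {"cause": f"policy not enforced on {node}", "nodes": [node]}
    return {"cause": "violations on multiple nodes; intent or policy distribution may be wrong",
            "nodes": sorted(by_node)}


def remediate(discrepancies):
    """Remediate: one recommended corrective action per (node, src, dst).  A controller could
    push these automatically; here they are returned for an operator to approve."""
    actions, seen = [], set()
    for d in discrepancies:
        key = (d["node"], d["src_sgt"], d["dst_sgt"])
        if key in seen:
            continue
        seen.add(key)
        actions.append(f"re-push SG-ACL {d['src_sgt']}->{d['dst_sgt']} ({d['expected']}) to {d['node']}")
    return actions


def closed_loop(telemetry=TELEMETRY, intent=INTENT):
    """Run the whole loop once and return a report the assurance UI could render."""
    disc = verify(telemetry, intent)
    return {"discrepancies": disc, "insight": insights(disc), "actions": remediate(disc)}


if __name__ == "__main__":
    report = closed_loop()
    print(report["insight"]["cause"])
    print("\n".join(report["actions"]))
```

Note the default-deny fallback in expected_action: the Guest flow that reaches Finance-Apps is a violation even though no one wrote an intent about Guest, which is exactly the kind of gap a device-by-device review tends to miss.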
Contextual Correlation and Property Graph

(Figure: a property graph correlating a user, an application and a flow with the network path)
• Business Applications: Finance – App ID: 18
• User: George Baker
• Flow: Src IP 1.1.1.2 / 1.1.1.1, Dest IP 2.2.2.2, Dest Port 3600
• Path: SJC-9 2nd Floor – WAN – RTP DC
• Hypotheses marked on the graph: "Forwarding problem here…", "WAN QoS problem here...", "Client density problem here..."
• Data sources: Netflow, AVC, DDI, ISE/Radius, Topology, CMX, DNAC Device
Putting it all Together: the Cisco IBN Architecture

(Figure: the layered IBN architecture)
• Translation: Characterize Intent – Translate / Homogenize – Verify Integrity; Model-based Policies
• Intent Model API
• Activation (X-domain): Disseminate policy x-domain; Config Generation; Conflict Resolution; Domain-specific
• Assurance: X-domain; Domain-specific
• API
• Infrastructure Domains: Sites, WAN, DC, Cloud

How does IBN stack up?

Architecture
• Traditional Network: Device-by-device management; Unidirectional configuration; Nonprogrammable devices; Patchy network security
• Intent-based Network: Networkwide system-oriented management; Closed-loop automated configuration and assurance; Programmable physical and virtualized infrastructure; Security functions integrated systematically throughout the architecture; API-centric, model-based; Open hardware and software stack

Translation
• Traditional Network: Ad hoc operator interpretation and ad hoc translation functions
• Intent-based Network: Yes, through intent capturing and translation system

Intent Verification
• Traditional Network: No Support
• Intent-based Network: Yes, integrity and consistency checks

Policy Support
• Traditional Network: Limited, expressed by device commands
• Intent-based Network: Limited, expressed by device commands

Activation
• Traditional Network: Limited (scripting), device-by-device
• Intent-based Network: Automated, network-wide with controllers

Telemetry
• Traditional Network: Limited support
• Intent-based Network: Extensive support

Assurance
• Traditional Network: Manual, device-by-device
• Intent-based Network: Automated, full analytics with AI/ML or formal method support

Feedback loop
• Traditional Network: Based on ad hoc, manual operator monitoring
• Intent-based Network: Yes, automated for either operator or system activation

Outcomes
• Traditional Network: Limited, best effort business alignment; Complex and costly to manage at scale
• Intent-based Network: Continuous business alignment; Simplified, efficient management at scale
From Theory to Reality – Use Cases
Examples of IBN in the Enterprise

"My application is critical to the business" – Application Experience
• Express application intent using EasyQoS
• Deploy in the network

"I don't want engineering to talk to finance applications" – Access Control Policies
• Express Group relationships using GBP
• Deploy in the network

"I want to roll out a new small branch" – Standardizing Branch Architecture
• Design a branch architecture
• Deploy in the network

Demo: Access Control Policies
Under the Hood – What is Happening?
• Allocate a VRF for the Virtual Network and configure it on the Fabric nodes
• Create VLANs and associate them with the VRFs on the Fabric nodes
• Create a Policy in ISE to establish the VLAN assignment that lands an authenticated User/Device in the appropriate VLAN/VRF
• Create a Policy in ISE to establish the SGT assignment
• Create a Policy in ISE to establish the SGT-to-SGT Policy Rule Set
• Distribute the SG-ACLs to the Fabric nodes

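As an added example for the last three steps above and for the 'Verify Integrity' function of the translation layer (example code written for this page, not Cisco DNA Center or ISE code): intent sentences of the shape used on the use-case slide are translated into an SGT-to-SGT rule set, checked for contradictions before anything is pushed, and rendered as SG-ACL-style configuration with a default-deny catch-all. The group names, SGT numbers, the sentence grammar and the RBACL names are constructed assumptions.

```python
"""Added example (not Cisco DNA Center or ISE code): group-access intent ->
SGT-to-SGT rule set -> SG-ACL-style configuration, with an integrity check.
Group names, SGT values, the sentence grammar and the RBACL names are constructed."""

# SGTs that ISE would assign at authentication time (constructed values).
SGT = {"Engineering": 10, "Finance": 11, "Finance-Apps": 20, "Shared-Services": 21}


class IntentConflict(ValueError):
    """Two intents (possibly from different operators) disagree about the same pair."""


def parse_intent(sentence):
    """Translate the two sentence shapes used on the slides into (src, dst, action).
    Constructed grammar: "I don't want <src> to talk to <dst>" / "<src> can talk to <dst>"."""
    words = sentence.rstrip(".").split()
    if words[:3] == ["I", "don't", "want"] and words[4:7] == ["to", "talk", "to"]:
        return words[3], words[7], "deny"
    if words[1:4] == ["can", "talk", "to"]:
        return words[0], words[4], "permit"
    raise ValueError(f"cannot translate: {sentence!r}")


def verify_integrity(rules):
    """Check consistency: a (src, dst) pair must not be both permitted and denied.
    Returns the SGT-to-SGT matrix {(src, dst): action} if the rules are consistent."""
    matrix = {}
    for src, dst, action in rules:
        if matrix.get((src, dst), action) != action:
            raise IntentConflict(f"{src}->{dst}: {matrix[(src, dst)]} vs {action}")
        matrix[(src, dst)] = action
    return matrix


def translate(sentences):
    """Capture -> translate -> verify integrity, as on the translation-layer slide."""
    return verify_integrity([parse_intent(s) for s in sentences])


def render_sgacl(matrix, default="deny"):
    """Render what the fabric nodes would end up with: two RBACLs, one permissions line per
    intent pair, and a default so that anything not expressed as intent is denied."""
    lines = ["ip access-list role-based PERMIT-ALL", " permit ip",
             "ip access-list role-based DENY-ALL", " deny ip"]
    for (src, dst), action in sorted(matrix.items()):
        lines.append(f"cts role-based permissions from {SGT[src]} to {SGT[dst]} {action.upper()}-ALL")
    lines.append(f"cts role-based permissions default {default.upper()}-ALL")
    return lines


if __name__ == "__main__":
    intents = ["I don't want Engineering to talk to Finance-Apps",
               "Finance can talk to Finance-Apps",
               "Engineering can talk to Shared-Services"]
    print("\n".join(render_sgacl(translate(intents))))
```

The integrity check runs before rendering on purpose: a contradiction between two operators' intents is rejected as a whole, rather than silently resolved by whichever rule happens to be pushed last.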
Demo: Application Experience
Deploy End-to-End DSCP-based Queuing Policies

EasyQoS will seamlessly interconnect all types of hardware and software queuing models to achieve consistent and compatible end-to-end treatments aligned with the expressed business intent.
(Figure: DNAC (NCP + NDP) / EM pushing the policy end to end)

What Do We Do "Under-the-Hood"?
Apply RFC 4394-based Marking / Queuing / Dropping Treatments

Application Class | Per-Hop Behavior | Queuing & Dropping | Application Examples

Relevant:
• VoIP Telephony | EF | Priority Queue (PQ) | Cisco IP Phones (G.711, G.729)
• Broadcast Video | CS5 | (Optional) PQ | Cisco IP Video Surveillance / Cisco Enterprise TV
• Real-Time Interactive | CS4 | (Optional) PQ | Cisco TelePresence
• Multimedia Conferencing | AF4 | BW Queue + DSCP WRED | Cisco Jabber, Cisco WebEx
• Multimedia Streaming | AF3 | BW Queue + DSCP WRED | Cisco Digital Media System (VoDs)
• Network Control | CS6 | BW Queue | EIGRP, OSPF, BGP, HSRP, IKE
• Signaling | CS3 | BW Queue | SCCP, SIP, H.323
• Ops / Admin / Mgmt (OAM) | CS2 | BW Queue | SNMP, SSH, Syslog
• Transactional Data | AF2 | BW Queue + DSCP WRED | ERP Apps, CRM Apps, Database Apps
• Bulk Data | AF1 | BW Queue + DSCP WRED | E-mail, FTP, Backup Apps, Content Distribution

Default:
• Default Forwarding | DF | Default Queue + RED | Default Class

Irrelevant:
• Scavenger | CS1 | Min BW Queue (Deferential) | YouTube, Netflix, iTunes, BitTorrent, Xbox Live

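The table above is the mapping EasyQoS works from. As an added Python example (written for this page, not EasyQoS code), the following turns an application-relevance intent into a DSCP marking policy: business-relevant applications receive their class's marking, default applications DF, and business-irrelevant applications are demoted to the CS1 scavenger class whatever their native class. The application registry, the relevance assignments and the class-map/policy-map naming are constructed assumptions; the AF4/AF3/AF2/AF1 classes of the table are written as the af41/af31/af21/af11 markings used in IOS syntax.

```python
"""Added example (not EasyQoS code): application-relevance intent -> DSCP marking policy,
following the service-class table above.  App registry, relevance assignments and the
class-map/policy-map names are constructed."""

# Service class -> DSCP marking from the table (AF4/AF3/AF2/AF1 written as af41/af31/af21/af11).
CLASS_DSCP = {
    "VoIP Telephony": "ef",
    "Broadcast Video": "cs5",
    "Real-Time Interactive": "cs4",
    "Multimedia Conferencing": "af41",
    "Multimedia Streaming": "af31",
    "Network Control": "cs6",
    "Signaling": "cs3",
    "Ops / Admin / Mgmt (OAM)": "cs2",
    "Transactional Data": "af21",
    "Bulk Data": "af11",
}
SCAVENGER, DEFAULT = "cs1", "default"

# Constructed application registry: NBAR-style protocol name -> service class it belongs to.
APP_CLASS = {
    "cisco-phone": "VoIP Telephony",
    "webex-meeting": "Multimedia Conferencing",
    "youtube": "Multimedia Streaming",
    "ftp": "Bulk Data",
    "snmp": "Ops / Admin / Mgmt (OAM)",
}


def dscp_for(app, relevance):
    """Relevant apps keep their class marking; default apps are marked DF; irrelevant apps
    are demoted to the scavenger class regardless of the class they would naturally fall in."""
    if relevance == "relevant":
        return CLASS_DSCP[APP_CLASS[app]]
    if relevance == "default":
        return DEFAULT
    if relevance == "irrelevant":
        return SCAVENGER
    raise ValueError(f"unknown relevance {relevance!r} for {app}")


def build_marking_policy(intent, policy_name="APIC_EM-MARKING"):
    """intent: {app: relevance}.  Returns IOS-style class-map/policy-map lines (constructed naming),
    with one class per resulting DSCP value so apps sharing a marking share a class."""
    by_dscp = {}
    for app, relevance in sorted(intent.items()):
        by_dscp.setdefault(dscp_for(app, relevance), []).append(app)
    lines = []
    for dscp, apps in sorted(by_dscp.items()):
        lines.append(f"class-map match-any {policy_name}-{dscp.upper()}")
        lines += [f" match protocol {app}" for app in apps]
    lines.append(f"policy-map {policy_name}")
    for dscp in sorted(by_dscp):
        lines += [f" class {policy_name}-{dscp.upper()}", f"  set dscp {dscp}"]
    lines += [" class class-default", "  set dscp default"]  # anything unclassified is re-marked to DF
    return lines


if __name__ == "__main__":
    intent = {"cisco-phone": "relevant", "webex-meeting": "relevant",
              "youtube": "irrelevant", "ftp": "default", "snmp": "relevant"}
    print("\n".join(build_marking_policy(intent)))
```

The class-default re-marking at the end matters for trust boundaries: a host cannot gain priority treatment by pre-marking its own packets EF, because anything the policy does not recognise is reset to DF at the edge.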
Your Choice….
ip access-list extended APIC_EM-MM_STREAM-ACL
remark citrix - Citrix
permit tcp any any eq 1494
permit udp any any eq 1494
permit tcp any any eq 2598
permit udp any any eq 2598
remark citrix-static - Citrix-Static
permit tcp any any eq 1604
permit udp any any eq 1604
permit tcp any any range 2512 2513
permit udp any any range 2512 2513
remark pcoip - PCoIP
permit tcp any any eq 4172
permit udp any any eq 4172
permit tcp any any eq 5172
permit udp any any eq 5172
remark timbuktu - Timbuktu
permit tcp any any eq 407
permit udp any any eq 407
remark xwindows - XWindows
permit tcp any any range 6000 6003
remark vnc - VNC
permit tcp any any eq 5800
permit udp any any eq 5800
permit tcp any any range 5900 5901
permit udp any any range 5900 5901
exit
ip access-list extended APIC_EM-SIGNALING-ACL
remark h323 - H.323
permit tcp any any eq 1300
permit udp any any eq 1300
Demo: Standardizing Network Infrastructure
What just happened?

Cisco DNAC Branch Template
• Create Virtualized Branch Template
  • Specify Hardware
  • Specify VNFs
  • Provide required details
• Power up ENCS
  • PnP against DNAC (SN, Version, IP for host)
  • Authenticate against SN
  • Secure Connection between Cisco DNA Center and ENCS
• Push profile to ENCS using REST APIs (Push config / template)
  • Instantiate VNFs
  • Create Service chains

(Figure: Cisco DNA Center pushing the template over the WAN to the Branch ENCS running NFVIS)

Closing

Driving the Transformation

(Figure: the DNA architecture layers with the transformation steps and a closed loop: Deploy – Measure – Adjust)
• Integrate Controllers into IT Ops
• Extend/Customize DNA-C++ (Automation and Assurance – Automation; Analytics)
• Closed Loop: Deploy, Measure, Adjust
• Make IBN Real for NetOps (Security and Compliance; Virtualization)
• Intent + Policy = Automation & Analytics
• Enterprise Wide Fabric (SD-Access & SD-WAN - End-to-End Segmentation) on the Programmable Physical and Virtual infrastructure
• Security; Open, Programmable, API Driven principles; Insights and Experiences

Cisco Webex Teams
Questions?
Use Cisco Webex Teams to chat with the speaker after the session

How
1 Find this session in the Cisco Live Mobile App
2 Click "Join the Discussion"
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

Webex Teams will be moderated by the speaker until June 16, 2019.
cs.co/ciscolivebot#BRKCRS-2701

Complete your online session evaluation
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live water bottle.
• All surveys can be taken in the Cisco Live Mobile App or by logging in to the Session Catalog on ciscolive.cisco.com/us.
Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com.

Continue your education
• Demos in the Cisco campus
• Walk-in labs
• Meet the engineer
• Related sessions
• 1:1 meetings

Thank you
