Large Enterprise Network Design


Large Enterprise Network Architecture Design

(Your name)

This is an analysis of the effectiveness of Cisco Digital Network Architecture for a Large Enterprise Network. The primary goal of Cisco Digital Network Architecture (Cisco DNA) is to accelerate the digital transformation of customers’ businesses. Industries such as advertising, media and entertainment, finance, communications, transportation, and others have been radically transformed by the advent of digital technologies and processes. Incumbents that adopted “wait and see” attitudes were quickly displaced, while bold innovators grabbed market share at astonishing rates.

Figure 1: Cisco Digital Network Readiness Model (Source: www.cisco.com/go/dnaadvisor)

I. INTRODUCTION

Transform or die. It’s really that simple when it comes to digital business. Provide customers with new experiences, delivering them greater value, personalization, convenience and satisfaction. Enable new workplace experiences for employees, empowering them to collaborate effectively and effortlessly, improving their overall productivity and job satisfaction. Leverage technology to reduce costs, make informed data-driven decisions, and reallocate resources from operation to innovation.

However, traditionally, the network has also been one of the biggest barriers to business evolution, being monolithic and disconnected from evolving business, user, and application requirements. Thus, to serve as an effective platform for digital transformation, the network must be secure, agile, flexible, intelligent, and simple to operate. These combined and evolving requirements necessitate a new, intent-based architectural approach to networking, one that offers considerable business value to the enterprise. The business requirements of a network as a platform to drive digital transformation are many, but can be organized into a few key areas, primarily including:

- Cost reduction
- Risk mitigation
- Actionable insights
- Business agility

Figure 2: Digital Network Readiness Model (Source: www.cisco.com/go/dnaadvisor)

II. NETWORK

The main tenets of Cisco DNA are shown in Figure 3, which illustrates how the principles of openness, extensibility, programmability, software-driven and policy-based networking, security, and cloud integration drive the overall architecture. Figure 3 also shows that the main components of Cisco DNA—infrastructure, automation, analytics platform, and cloud integration—collaborate as a system to deliver the requirements of reducing complexity and costs, increasing operational flexibility, and enhancing security and compliance.

business intent needs to be expressed across the network, the configurations of dozens, hundreds, or even thousands of network devices may need to be updated in order to deliver on the newly expressed intent. Therefore, to scale, expedite, and minimize errors, these configuration deployments need to be automated. Automation thus allows a network operator to treat thousands of network devices as a single software-enabled, programmable entity.

Figure 3: Cisco DNA Concepts and Main Components

The infrastructure component in Cisco DNA represents all those functions that participate in carrying network traffic between users, devices, and applications. This building block corresponds to the traditional data plane and control plane functions needed to transport traffic across the network to connect users, applications, and devices with each other. The infrastructure component is made up of both hardware and virtualized network elements. Hardware-based network elements are enhanced in functionality to accommodate the Cisco DNA principles of software-driven operation, programmability, and security.

Network elements in Cisco DNA leverage programmable ASICs to this end. For example, transport protocol developments or packet formats such as the recent rise of the Virtual Extensible LAN (VXLAN) may not require the re-spin of ASICs, which would trigger a forklift upgrade of the installed base when there is a wish to introduce this technology into the network. While ASICs continue to improve in speed and functionality, hardware-based network elements can also be uplifted by a software upgrade in Cisco DNA, extending the lifecycle of the installed base. Hardware-based network elements in Cisco DNA also allow high-bandwidth communication at speeds up to 100 Gbps and beyond.

Traditionally, the enterprise infrastructure is composed of campus, data center, and WAN/branch domains that connect users and devices to applications, along with their respective control functions. In Cisco DNA, while still helpful from a conceptual architecture perspective, the demarcations of these domains are less strict. But the concept of “domains” can be more flexible in Cisco DNA and be extended to “controller domains.” The traditional separation of a network into campus, WAN/branch, and data center was partly motivated by the different requirements, technologies, and organizational structures that characterized the domains. For example, the WAN domain traditionally had to contend with a variety of WAN technologies (serial, frame relay, ATM, etc.), secure connectivity to the Internet, provide access to mobile or nomadic users, and handle bandwidth-limited links to connect sites that are geographically dispersed. The campus’s focus was on providing access ports to users and devices, and aggregating as many of these as possible efficiently—while dealing increasingly with user and device mobility, an increasing proliferation of device types, and bandwidth demands. Similarly, the DC architectures of the past were driven by connecting vast numbers of servers hosting applications to the network. In Cisco DNA, however, a domain can also be created for all network elements in campus and WAN, under the governance of a single controller instance.

Figure 4: Cisco DNA Infrastructure and Domains

III. PROTOCOL

In a nutshell, communications protocols govern how systems, including devices, users, and applications, talk to each other. Networking protocols govern how the network is created, how it is maintained, and how systems communicate using it.

VXLAN: A Next-Generation Encapsulation Technology

Virtual Extensible LAN (VXLAN) encapsulation offers a new method of data encapsulation in modern network deployments. Encapsulation simply refers to “wrapping” one packet format inside another. Many network technologies, such as Generic Routing Encapsulation (GRE), MPLS, etc., use encapsulation. VXLAN is powerful in that, with a single encapsulation type, it supports the transport of both Layer 2 and Layer 3 packet information. This allows VXLAN to be used to encapsulate and transport any type of packet across the network—distinct, for example, from MPLS, which uses different methods to transport Layer 3 packets (MPLS VPN) and Layer 2 packets (VPLS or EoMPLS).

An overlay is simply a virtual network topology, built on top of the underlying physical network (known as the underlay). Overlays might at first seem like a new concept. However, overlay technologies have been used for many years. For example, anyone using a Cisco centralized Wireless LAN Controller (WLC) deployment (one in which the APs all tunnel their data back to a central WLC) is using an overlay. In this case, the overlay is using the Control and Provisioning of Wireless Access Points (CAPWAP) protocol, running between the APs and the central WLC.

Figure 5: Network Overlays—Overview

Essentially, an overlay creates a logical topology used to virtually connect devices, built on top of the arbitrary physical network topology (the underlay). Examples of network overlays include:

- GRE or Multipoint GRE (mGRE)
- MPLS or VPLS
- IPsec or Dynamic Multipoint Virtual Private Network (DMVPN)
- CAPWAP
- VXLAN
- LISP (Locator/ID Separation Protocol)
- Cisco Overlay Transport Virtualization (OTV)
- Cisco Application Centric Infrastructure (ACI)

VXLAN is a User Datagram Protocol (UDP)-based encapsulation. The outermost portion of the packet is a standard UDP format, and thus is routable by any IP-speaking device.

IV. SECURITY

Cisco Adaptive Security Virtual Appliance

The Cisco ASAv offers virtual firewall capabilities for branch deployments. Again, the software carries forward the functionality from the corresponding hardware-based appliance. With the exception of clustering and multi-context support, all of the stateful firewall inspection capabilities are available inside a Cisco ASAv virtual machine. Examples are flow- or connection-based inspections, high-speed NAT support, unicast and multicast routing (including IPv6), Authentication, Authorization, and Accounting (AAA) functionality, Cisco TrustSec, mobile network inspection (Diameter, Stream Control Transmission Protocol [SCTP], GPRS Tunneling Protocol [GTPv2]), remote-access VPNs, etc.

The Cisco ASAv also comes in various footprints. At the low end, one vCPU and 1 GB of RAM are required to deliver up to 100 Mbps of forwarding. The one-vCPU/2-GB Cisco ASAv10 and four-vCPU/8-GB Cisco ASAv30 offer intermediary footprints for throughputs of up to 1 Gbps and 2 Gbps respectively. At the high end, the Cisco ASAv50 forwards up to 10 Gbps of traffic, requiring eight vCPUs and 16 GB of RAM.

Cisco Firepower NGFW Virtual

The Cisco Firepower NGFW Virtual (NGFWv) extends the firewall capabilities of the Cisco ASAv to also offer a stateful next-generation firewall, supporting IPS/IDS capabilities. URL Filtering, Cisco Advanced Malware Protection (AMP), and Cisco Application Visibility and Control (AVC) are some of the key capabilities that NGFWv offers above and beyond the standard firewall functions. Network traffic is inspected with content awareness (files and file types) and correlated with context, such as user or applications, to detect malware or other intrusions. The Cisco NGFWv is available in a four-vCPU footprint requiring 8 GB of RAM and 50 GB of disk space.

V. TROUBLESHOOTING

Managing network operations manually is becoming increasingly untenable for IT departments, a challenge that is exacerbated by the myriad of inconsistent and incompatible hardware and software systems and devices in the enterprise. Furthermore, troubleshooting network, client, or application issues is a complex end-to-end problem, which can often involve over 100 points of failure between the user and the application.

Network troubleshooting challenges include the following:

Data collection challenge: Network operators spend four times more time collecting data than analyzing/troubleshooting based on the insights revealed by the collected data.

Replication challenge: It’s impossible as a network operator to troubleshoot issues that are no longer manifest at the time troubleshooting begins (which may be minutes, hours, or even days after the reported event); unless you can detect and/or replicate the issue, you are simply unable to investigate it any further.

Time to resolution: Most network quality issues take hours (or even longer) to find the root cause and to ultimately resolve.

The network is to blame by default: Per customer data (as discussed in Chapter 3, “Designing for Humans”), the network is often blamed first as the cause of any given problem, but usually this is incorrect; as such, considerable cycles are spent simply proving the network’s innocence.

While Cisco DNA Center is the platform that introduces automation and analytics into the enterprise network, an entire architecture is required to deliver intent-based networking, with the ultimate goal of the self-healing network. In other words, while Cisco DNA Assurance provides the user interface to visualize network analytics data, a tremendous amount of functionality is required of the infrastructure hardware, software, and protocols—in addition to the analytics platform—to deliver this complex solution. Combined, these architectural functions include:

- Instrumentation
- On-device analytics
- Telemetry
- Scalable storage
- Analytics engine
- Machine learning
- Guided troubleshooting remediation
- Automated troubleshooting and remediation

Analytics and machine learning help identify an issue or potential issue, but often additional troubleshooting procedures are needed to achieve root-cause analysis.

These procedures typically begin with pulling in additional information from the suspected devices. This is similar to opening a case with the Cisco Technical Assistance Center (TAC), where typically the first step in troubleshooting a reported issue is to supply the TAC engineer with a show tech command output from the device, which reports on virtually every monitored metric.

Figure 6: Self-Healing Network—Architectural Requirement #7: Guided Troubleshooting and Remediation

The guided troubleshooting system needs to monitor its own effectiveness. Sometimes the recommended action does not, in fact, remediate the root cause. In such cases, the guided troubleshooting algorithm needs to learn and adapt its troubleshooting approach.

Furthermore, the IBN system should be continually self-learning, so that it recognizes what is normal versus abnormal, what the most common root causes of issues are, and what the most effective remedial actions for a given issue are. In this manner, the IBN system becomes not only smarter, but also more reliable, available, and adaptable to ever-evolving business requirements.

VI. QUALITY OF SERVICE

Network QoS is a reflection of how well the application is transported across the network, and is composed of three primary service level attributes, per the industry de facto standard, IETF RFC 4594:

- Loss
- Latency
- Jitter

VII. REFERENCES

“Configuration Guidelines for DiffServ Service Classes,” https://tools.ietf.org/html/rfc4594.

Further details on the Cisco NGFWv: https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw/datasheet-c78-736661.pdf

https://www.cisco.com/c/en/us/products/collateral/security/adaptive-security-virtual-appliance-asav/datasheet-c78-733399.html
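The UDP-based VXLAN encapsulation described in Section III, worked through as an added example (this is not code from the paper or from Cisco): it wraps a constructed inner Ethernet frame in the 8-byte VXLAN header and the outer UDP header, then decapsulates it the way a receiving VTEP would, dropping datagrams whose destination port, UDP length or VNI-valid flag is wrong. The outer IP header is omitted for brevity, the inner frame is a constructed ARP frame, and the destination port 4789 and header layout are those of RFC 7348.

```python
import struct

VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN destination port (RFC 7348)
VXLAN_FLAG_I = 0x08     # "I" flag: VNI field is valid; the other flag bits are reserved
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}


def build_vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(1) | reserved(3) | VNI(3) | reserved(1)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3sI", VXLAN_FLAG_I, b"\x00" * 3, vni << 8)


def encapsulate(inner_frame: bytes, vni: int, src_port: int) -> bytes:
    """Outer UDP header + VXLAN header + inner Ethernet frame (outer IP omitted)."""
    vxlan = build_vxlan_header(vni)
    udp_len = 8 + len(vxlan) + len(inner_frame)
    # RFC 7348 permits a zero outer UDP checksum; src_port is normally a hash of the inner flow
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)
    return udp + vxlan + inner_frame


def decapsulate(datagram: bytes) -> tuple:
    """Return (vni, inner_frame); raise ValueError on anything a VTEP should drop."""
    if len(datagram) < 8 + 8 + 14:          # UDP + VXLAN + minimal Ethernet header
        raise ValueError("too short to carry a VXLAN-encapsulated frame")
    _src, dst_port, udp_len, _csum = struct.unpack("!HHHH", datagram[:8])
    if dst_port != VXLAN_UDP_PORT or udp_len != len(datagram):
        raise ValueError("not a well-formed VXLAN datagram")
    flags, _reserved, vni_field = struct.unpack("!B3sI", datagram[8:16])
    if not flags & VXLAN_FLAG_I:            # reserved bits are ignored on receipt per RFC 7348
        raise ValueError("VNI-valid flag not set")
    # VXLAN itself carries no authentication: the VNI must still be checked against local policy
    return vni_field >> 8, datagram[16:]


def inner_ethertype(frame: bytes) -> str:
    """Name the payload type VXLAN is carrying (it is agnostic to Layer 2 vs Layer 3 content)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return ETHERTYPES.get(ethertype, f"0x{ethertype:04x}")


def demo() -> tuple:
    # Constructed inner frame: broadcast dst MAC, locally administered src MAC, ARP EtherType
    arp_frame = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x06" + b"\x00" * 28
    vni, inner = decapsulate(encapsulate(arp_frame, vni=5000, src_port=49152))
    return vni, inner_ethertype(inner)
```

Because the outer header is plain UDP, any intermediate router forwards it without understanding VXLAN; the checks in `decapsulate` are the minimum a VTEP or monitoring tool should apply before trusting the VNI.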
