NETWORK SEGMENTATION USING CISCO DIGITAL NETWORK ARCHITECTURE CENTER (DNAC)

by Metsi | February 03, 2021


The Cisco Digital Network Architecture Center (DNAC) helps implement Software Defined Access (SD-Access) in corporate networks. This solution provides policy-based automation with secure segmentation for users and devices that are onboarded onto a single network fabric. The platform helps create infrastructure that applies consistent policies and services to wired and wireless networks. It simplifies the provisioning of new network services and provides complete visibility.

Challenge

Our customer, a government institution, wanted to upgrade their corporate network infrastructure. With the growth of their wired and wireless network and the increasing number of corporate and personal devices brought onto the campus network, it had become difficult to keep track of network users and their access. Segregating the network by function was important, as they are also responsible for providing services to schools, which required managing separate networks and implementing firewall policies at the edge of the network. They also wanted to simplify the way wired and wireless networks are deployed and managed, and to make a secure guest network available to their visitors. They had used VLANs to segment different types of users at the access layer, but with the growing number of sites, end users, and devices this was proving harder to scale, manage, and support on a day-to-day basis.

Solution

Metsi proposed the use of Cisco Software Defined Access (SD-Access), which is a central part of DNAC. By using DNAC as a central controller, Metsi was able to demonstrate the benefits of SD-Access segmentation, which is enabled through the combined use of Virtual Networks (VNs) and Cisco TrustSec Scalable Groups (SGs). Virtual Networks provided the first level of segmentation, ensuring zero communication between different Virtual Networks, e.g., the Corporate, Guest, and Student VNs. The second level of segmentation provided role-based access control between Scalable Groups within a Virtual Network, giving the ability to segment the network into functional blocks. We were able to validate that the same policies were in place whether a device was onboarded on the wired or the wireless network. SD-Access, DNAC, and Cisco ISE worked together in unison to provide automation for segmentation, identity, and policy services. DNAC helps to create the policies, which are then pushed to the network devices in the fabric via ISE, ensuring that there was no unauthorized access to the network.
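The two-level model described above, as an added illustration that is not code from this post, from Metsi, or from Cisco: a toy policy evaluator in which traffic between different VNs is dropped before any group policy is consulted, and traffic within a VN is decided by an SGT-to-SGT matrix. The endpoint names, group names, matrix entries, and the default-deny setting for unlisted group pairs are assumptions constructed for the example (the real matrix default is configurable in ISE).

```python
"""Toy model of SD-Access two-level segmentation (constructed example).
Level 1: endpoints in different Virtual Networks (VNs) can never talk.
Level 2: inside one VN, a TrustSec SGT matrix decides; unlisted pairs get
the VN's default action (assumed to be deny here; it is configurable)."""
from dataclasses import dataclass

# Constructed endpoint -> (VN, SGT) assignments, as ISE would hand them out.
ENDPOINTS = {
    "alice-laptop":  ("Corporate", "Employees"),
    "bob-byod":      ("Corporate", "Contractors"),
    "hr-fileserver": ("Corporate", "HR_Servers"),
    "lobby-tablet":  ("Guest",     "Guests"),
    "lab-pc-07":     ("Student",   "Students"),
}

# Constructed SGT matrix per VN: (source SGT, destination SGT) -> action.
SGT_MATRIX = {
    "Corporate": {
        ("Employees", "Employees"):   "permit",
        ("Employees", "HR_Servers"):  "permit",
        ("Contractors", "HR_Servers"): "deny",
    },
    "Guest": {("Guests", "Guests"): "deny"},   # guests isolated from each other
}

@dataclass
class Decision:
    action: str   # "permit" or "deny"
    reason: str   # which segmentation level produced the decision

def evaluate(src: str, dst: str, default_action: str = "deny") -> Decision:
    """Decide whether traffic from endpoint src to endpoint dst is allowed."""
    if src not in ENDPOINTS or dst not in ENDPOINTS:
        return Decision("deny", "unknown endpoint: no VN/SGT assignment")
    src_vn, src_sgt = ENDPOINTS[src]
    dst_vn, dst_sgt = ENDPOINTS[dst]
    # Level 1 (macro-segmentation): VNs are separate routing tables with no
    # inter-VN path, so the group policy is never even consulted.
    if src_vn != dst_vn:
        return Decision("deny", f"VN isolation: {src_vn} != {dst_vn}")
    # Level 2 (micro-segmentation): look up the SGT pair in this VN's matrix.
    action = SGT_MATRIX.get(src_vn, {}).get((src_sgt, dst_sgt), default_action)
    return Decision(action, f"SGT matrix in {src_vn}: {src_sgt} -> {dst_sgt}")

if __name__ == "__main__":
    for pair in [("alice-laptop", "hr-fileserver"), ("bob-byod", "hr-fileserver"),
                 ("lobby-tablet", "alice-laptop"), ("lab-pc-07", "hr-fileserver")]:
        d = evaluate(*pair)
        print(f"{pair[0]:>14} -> {pair[1]:<14} {d.action:6} ({d.reason})")
```

Changing `default_action` to `"permit"` shows why the matrix default matters: Contractors would then reach every Corporate group that is not explicitly denied.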

Summary

Metsi provides network consultancy for the design and implementation of the Cisco DNAC platform, for proofs of concept (POC) and real-world rollouts, in both greenfield and brownfield deployments. Metsi DNAC engineers can facilitate the realization of all DNAC features for enterprise customers, including automation, segmentation, and assurance. Automation standardizes repetitive network operations to reduce human error and save time and cost through faster delivery. Segmentation with DNAC and ISE presents one unified security policy to both wired and wireless users across a Software Defined Access (SDA) fabric. Assurance provides new insights to confirm that business intent is transferred directly to the network and that the network is delivering what business operations require.