
Demonstration Guide

Cisco dCloud

Cisco Extended Enterprise with DNA-C


Instant Demo v1.1

Last Updated: 17-SEPTEMBER-2019

About This Demonstration


Cisco customers are adopting IoT. They are introducing more and more ‘things’ into their enterprise networks. Quite often these
‘things’ are connected to the enterprise network in non-carpeted spaces (such as warehouses and parking lots). The IT network
administrator is still responsible for managing and maintaining the network infrastructure that provides connectivity to ‘things’
wherever they may be.

Cisco has Industrial Switching, Routing, and Wireless networking products designed to be deployed in non-carpeted locations.
These industrial networking products run IOS or IOS-XE making it easy for customers to extend their enterprise network into
non-carpeted spaces, as well as use the same tools to manage and maintain networks with industrial products. This short
demonstration shows how to use Cisco DNA Center to manage industrial routing and switching products.

This guide for the preconfigured demonstration includes:

About This Demonstration

Customization Options

Requirements

About This Solution

Session Users

Get Started

Scenario 1. Cisco DNA Center - Managing the Extended Enterprise

Scenario 2. Intent Based Security for IOT using Cisco DNA Center

Conclusion

© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 32

Limitations

• Certain features of Cisco DNA Center and Cisco APIC 1.2 are outside the scope of this demonstration because the
demonstration uses a simulated fabric rather than a physical fabric

• All configuration is lost after a reboot of the Cisco DNA Center or APIC simulator

• No traffic will pass between devices connected to the simulated fabric

• Screen refresh may take slightly longer than expected

• Traceroute will only show from the Spines, not from each Leaf

• Assurance path trace will not work in this simulated environment because there are no physical devices

• IE4000 and IR1101 do not show in SW Image Management because the simulated database does not contain their SW
images

Customization Options
For streamlined client demos, the following customizations are suggested:

• Run Scenarios 1 and 2 (using either the manual or scripted options) and save the demo, then proceed with Scenario 3 at
client site

• Use the Xpress - Four Node Cluster Creation script in Scenario 2, and skip the Expand HX Cluster section of Scenario 3

• The sequence of steps in the demo guide is just a suggestion

• Feel free to visit the tools within Cisco DNA Center in any order you choose

Requirements
The table below outlines the requirements for this preconfigured demonstration.

Requirements

Required: PC or MAC running the Chrome browser in incognito mode
Optional: Firefox Browser in Private Window

About This Solution


Security is top of mind for many network administrators especially when it comes to IOT. To those network administrators, IOT
means end devices that don’t authenticate and pose a security risk. How to effectively secure your network while allowing
unauthenticated devices on? That is the dilemma. Today many network administrators are operating networks with IOT devices
attached and no security policy. They are just hoping and praying that nothing bad happens. They rely on badge access to the
building or badge access to the areas where the IOT devices are to be secure. But they can’t be sure about this in all cases. This
demo focuses on management of the Industrial Networking products as one part of the Extended Enterprise solution.


What is Extended Enterprise? Use cases are a good way to help wrap your mind around Extended Enterprise. Customers will
extend their enterprise network into the parking lot to enable Wi-Fi access for employees, security cameras to ensure employee
safety, or network sensors to monitor open parking spots (common in multilevel garages). Warehouses or distribution centers
are buildings with a small office where standard Enterprise networking products are deployed, and a large uncarpeted space to
keep the wares.

Warehouses get hot or cold and are often dusty. They require fan-less industrial networking products to provide connectivity in
such environments. A third example is airports. Airports run an Enterprise network within the terminal. Nowadays there is a need
to provide Wi-Fi to the airplane when it is parked between flights. Cisco industrial Ethernet switching and Industrial wireless
access points enable this connectivity regardless of conditions at the end of the jetway where it can get very cold or very hot.

With those cases in mind, Cisco’s Enterprise customers also want to use the same tools and processes to manage the industrial
products as they do all their other products. Enter Cisco DNA Center. Cisco DNA Center is a single pane of glass for Enterprise
network administrators to manage all network assets. Cisco’s Industrial and ruggedized networking devices are no exception.
The Cisco DNA Center can manage the Industrial Ethernet and Ruggedized Industrial Routers as well as normal Enterprise
networking equipment.

Cisco DNA Center is the preferred management tool for Cisco Enterprise. Its capabilities are being expanded with every release.
Starting with version 1.2.x, the tool can manage Industrial Networking products. It has a solution that allows network
administrators to deploy a simple and effective security policy for IOT devices. It does not involve multiple firewalls deployed in
the network. Cisco’s DNA Center security solution allows the network administrator to push Intent into the network, and the
network implements the security policy. It's simple and effective.

This demo leads the user through a series of steps showing Cisco DNA Center capabilities to manage the industrialized
networking products. This includes topology, inventory, and SW image management. Other tools such as PNP and Assurance
can be explored at the user’s discretion. This demo also leads the user through a series of steps showing Cisco DNA Center’s
Intent-based security feature. A security policy for IOT Devices is defined, and the demo then shows how a network administrator
could implement this policy through intent. It shows how Cisco’s DNA Center can be used to segment devices that do not
authenticate from those end users and devices that authenticate. Finally, it demonstrates how to define detailed security policy
within each segment.

Session Users
The table below contains details on preconfigured users available for your session.

User Details

User ID: demo
Password: demo1234!


Get Started

Follow the steps to schedule a session of the content and configure your presentation environment.

1. Click Catalog.

2. Under the Solutions tab select IoT; under Content Producers select Instant Demo. This lists all the dCloud IoT instant
demos.

3. Scroll down and find the entry Cisco DNA Center - Managing the Extended Enterprise Instant Demo v1 and then click the
View button.

NOTE: Alternatively, you can use the Search Catalog box to search for the Instant Demo name.

IoT Instant Demo Listing


Scenario 1. Cisco DNA Center - Managing the Extended Enterprise


VALUE PROPOSITION: Using Cisco DNA Center as a single pane of glass to manage all networking devices in the
Enterprise including the Extended Enterprise saves networking administration time. The Cisco DNA Center provides
all the necessary tools for network management.

Steps

Step 1
Dialog: To get started, click View on the right-side of the dCloud demo web page to launch the DNA Center demo.
Demonstration Steps: As explained in the Demo Preparation section, you should already have a Chrome window open in
Incognito Mode. You should be connected to the SDA Instant Demo server. After connecting to the SDA Instant Demo server,
log in as demo / demo1234!

Step 2
Dialog: DNA Center is a system for centralized deployment, policy management and assurance of the digital infrastructure.
After a successful login, you will see the DNA Center home page. A quick tour of the home page: the home page shows basic
information about the network and devices under management. The top shows Overall Health. Scroll down to get a Network
snapshot. Scroll a bit more to see the DNA Center tools for implementing SDA. Design, Policy, and Provision are tools used for
SDA. SDA is not in scope for this demo today.


Step 3
Dialog: When you have a job to discover new network devices or to view the topology, the tools to complete that job are found
at the bottom of the home page. This demo focuses on a few of these network admin tools.
Demonstration Steps: Scroll to the bottom of the home page. Here you will see the Network Administrator tools.

Step 4
Dialog: Let’s start with Inventory. Inventory shows all devices under management by the DNAC.
Demonstration Steps: To see the inventory, select Provision on the top of the home page.

Step 5
Dialog: This brings up the page with a list of Assets in inventory of the DNA Center.


Step 6
Dialog: Assets can be viewed by geographic location. See the filter on the left-side of the inventory page. You can select
different locations. In this case all the assets are in North America, and in the USA, but split across multiple states.
Demonstration Steps: Expand the Global >> North America >> USA tabs and then click Washington (2). The two networking
devices under management that are located in the state of Washington are shown.

Step 7
Dialog: To see all the assets again, select Global, or North America, or USA. Since all assets are in the USA, any of these three
Geo location filters will show the entire list of assets under management. The industrial networking assets are in this list too.
As you scroll through the list, can you spot them by Device Name? In the demonstration steps window on the right are the
Industrial devices under management.
Demonstration Steps: Expand the USA tab and scroll down the list, trying to find the Device names of Industrial Assets (i.e. the
ones circled in Red in the below picture):


Step 8
Dialog: To find specific types of devices it is easier to view the product series.
Demonstration Steps: The list of fields available for viewing in the Inventory tab appears when you click the 3-vertical-dots
icon. This brings up a list of fields that can be viewed in the inventory. Select Device Series if not already selected and then
click Apply.

Step 9
Dialog: DNA Center allows you in fact to view specific types of products by Device Series.
Demonstration Steps: Scroll down again until you find the Industrial Networking assets. This time look at the right-side of the
DNAC inventory window for industrial product series. Slide the horizontal scroll bar all the way to the right to see Device Series.


Step 10
Dialog: Also, on the GUI you can find the site where the asset is located.
Demonstration Steps: While the Industrial products are in the Inventory window, slide the horizontal scroll back to the left. Stop
when the column Site is readable. Take note of the site where the Industrial products are deployed (in this case …/SJC06). This
information will be handy in the next steps. Also look for the IR1101 industrial router. Note its location as well.

...

Step 11
Dialog: An easy way to access the Administrator tools at any time is to use the cube-like icon on the top-right of the page.
Demonstration Steps: Return to the top of the home page and look in the upper-right side of the page where you will see
multiple icons. Click the 9-cubes icon (found to the right of the magnifying glass icon). This will bring up the list of Administrator
tools. Click on Topology.


Step 12
Dialog: If you remember from Inventory, there were only a few states in North America where DNAC has assets under
management, and the Industrial networking products were in SJC06. That is the code for San Jose Building 6. San Jose is in
California. In the Topology page, DNA-C allows you to see the networking devices in that site. Here you can see connectivity. In
this case you can see the Industrial Ethernet switches are connected to a Cat 9300 called SJC06-C9300-01.
Demonstration Steps: On the left-side of the Topology view, expand the accordion filter NorthAmerica >> USA >> California >>
San Jose and then select SJC06. You can scroll the topology around by clicking down on blank space, holding, and then moving
your mouse. On the bottom-right, you can zoom in or out.

Step 13
Dialog: Also, you can get basic information for each device.
Demonstration Steps: Mouse over any networking icon to see the very basic information. For example, see the output related to
the IE4k industrial switch.


Step 14
Dialog: If you wish, you can also get more detailed info about each device and perform some administrative tasks.
Demonstration Steps: Click on any networking icon to bring up yet more details in a window on the right. From this window you
can execute administrative tasks such as assigning the network role to a device. Click outside the popup window to make it
disappear.

Step 15
Dialog: Remember the location of the IR1101 Industrial Router from several steps ago? SA: San Antonio. The IR1101 is remote.
It’s used for small remote locations where ‘things’ are connecting. Even so, it’s managed by DNAC.
Demonstration Steps: On the left-side select San Antonio or SA01. You will see the IR1101 connected to the Internet.


Step 16
Dialog: Another useful tool in the DNA Center is the SW Version. All network management tools manage installed SW for the
devices under management. The same is true for Cisco DNA Center.
Demonstration Steps: To navigate to the SW Version management screen, click on the Cisco DNA Center logo on the top-left
and then select Provision. This brings up the inventory page. Now pull down the menu under Inventory and select Software
Images.

Step 17
Dialog: Cisco DNA Center manages the SW versions for the Industrial devices the same as for all the networking devices under
management.
Demonstration Steps: The page updates to show the inventory but with different fields. When you collapse the hierarchy on the
left-side you can see SW version details for each.


Step 18
Dialog: There are many devices under management. To shorten the list, you can filter it to only those products you are
interested in. You can also filter on a SW Version if you know it, to show all devices running a specific version. Play with the filter
to see how to limit the number of devices shown to only those you would like to manage. You can have multiple filters working.
The filters being used are shown in the grey box above the column headers.
Demonstration Steps: Choose filter in the top left-side of the table to bring up a list of fields to filter on. In this case choose Site.
Scroll down until you see Global/North America/USA/California/San Jose/SJC06, and then click Apply. This shows the devices in
a site.

Step 19
Dialog: There is a mix of device types in SJC06. The IE-4000s are not running IOS-XE; instead they are running IOS Classic.
They are treated differently by DNAC because of this. The network devices running IOS Classic do not have the APIs and hooks
that DNAC uses to get details of devices.
Demonstration Steps: Continue with a single filter for the devices in SJC06. The smaller list of network devices after the filter is
easier to manage.


Step 20
Dialog: If you were going to update the SW Version on a single network device or family of devices, you would do it from this
window.
Demonstration Steps: Select the IE-3300_6 device to be updated by clicking in the box on the left. Then go to Actions >>
Software Image >> Update Image.

Step 21
Dialog: How does Cisco DNA Center know which image is preferred or golden? There’s a golden image / version picked for each
product type under management. If the SW version of a device matches the golden image, then an update is not needed.
Demonstration Steps: A window appears saying the device does not require an update. That’s because it’s already running
16.11.1a. Bit of a tease, but this demo is not going to update the SW image on the device. The physical devices in this demo are
simulated. No SW version update is possible, and this task would fail. Click the X on the top-right corner to remove the popup.

Step 22
Dialog: What are the Golden Images and where are those defined? That is determined on the Image Repository management
page.
Demonstration Steps: On the top menu, click Design and then choose Image Repository. Here you see the IE-3300 in the list
along with other product families. The SW Version for IE-3300 is 16.11.1.a. The gold star means it is a Golden image.


Step 23
Dialog: There is only one instance of IE-3300 in the demo, and it is running the Golden Image already, so that does not make
for a good demo. There is at least 1 C9300 not running the golden image, and other images in the repository not actively
installed on any C9300.
Demonstration Steps: To see how the golden image is set, click the > next to Cisco Catalyst 9300 Switch. When there are
multiple SW versions for a product to choose from, this is where the network admin can change the designated Golden image
for a product family. If you wanted to kick off a SW update, select a golden image for a family, and then jump back to the
previous page to start a job to update the SW image. As with other devices, Industrial network devices managed by DNAC can
be updated using the same tool and processes.

Step 24
Dialog: This concludes the demo on Cisco DNA Center for managing Industrial Networking Devices in a single pane of glass.
Demonstration Steps: Click Cisco DNA Center on the top-left to go back to the home screen.


Scenario 2. Intent Based Security for IOT using Cisco DNA Center
VALUE PROPOSITION: Creating a virtual network for devices that do not authenticate is an easy way to provide
security. Virtual networks naturally segment devices based on the virtual network assigned. Virtual networks in
SDA segment the devices in one virtual network from those in another.

Steps

Step 1
Dialog: Devices in one virtual network cannot communicate with devices in another unless the network admin adds routing
rules outside the SDA fabric. Virtual networks consist of one or more subnets. Subnets allocated to one virtual network cannot
be allocated to another. As IP traffic leaves the fabric from the border node router, the network admin can establish routing
rules for each virtual network to allow or block Internet access. To start the demo, you’ll need to follow the steps in the Demo
Preparation section and log in with the username/password provided.
Demonstration Steps: As explained in the Demo Preparation section, you should already have a Chrome window open in
Incognito Mode. You should be connected to the SDA Instant Demo server. After connecting to the SDA Instant Demo server,
log in as demo / demo1234!

Step 2
Dialog: DNA Center is a system for centralized deployment, policy management and assurance of the digital infrastructure. This
demo is security focused and will start with the Policy feature within DNA Center. While many customers have access to tools
for visualizing the current operational state of the network, what they often lack is the ability to visualize and understand the
users, devices, applications and suboptimal conditions that impact productivity and performance.
Demonstration Steps: Scroll down to the Network Configuration and Operations portion of the main page. Click Policy on the
main DNA Center web page.


Step 3
Dialog: The Policy dashboard provides an overview of existing:

• Existing Virtual Networks

• Group Based Access Control

• IP Based Access Control

• Traffic Copy Policies

• Scalable Groups (imported from ISE)

• IP Network Groups.

Use of Virtual Networks is one way to create macro segmentation. Group Based Access Control and IP Based Access Control
are ways to create micro segmentation within a Virtual network. This demo shows you how and why to create each of these
entities as a way to implement security policy.
Demonstration Steps: Click the Virtual Networks box to open this Policy page.

Step 4
Dialog: As stated above, the ‘intent’ is to create Macro Segmentation for devices and things that do not authenticate. You do
that in the Virtual Networks page. At this point, the network admin has not created any virtual networks for end user services.
The two virtual networks that exist are the Infra VN, which is for infrastructure network devices such as Extended Nodes, and
the default VN. Notice the Scalable Groups on the right are present. These were created in ISE already and imported by DNA
Center. All the Scalable Groups are in the Default VN virtual network.
Demonstration Steps: You will land on the Virtual Network page. Note on the left the two pre-configured VNs: Infra VN and
default VN.


Step 5
Dialog: To implement a Macro Segmentation policy, start by creating a new virtual network. In this demo, create a new Virtual
network for ‘Things’.
Demonstration Steps: In the top-left corner, click the Blue circle with the +.

Step 6
Dialog: Give the new VN a purposeful name. A name should represent its purpose. In the example to the right, the new VN is
called ‘NoAuth Devices’. After entering the name click Save on the top-right of the page.
Demonstration Steps: After clicking the blue plus sign, a field opens for you to enter a name for the new VN.

NOTE: Do not select Guest Virtual Network.


Step 7
Dialog: The new VN appears on the left-hand side. And it’s automatically chosen. The vertical green bar means it’s the ‘active’
VN. It’s ready for the network admin to finish the definition of the new virtual network. Because it’s new, there are no Scalable
Groups associated with the new virtual network. The groups section of the screen should be empty.
Demonstration Steps: The DNAC creates the new VN. It appears on the left side.


Step 8
Dialog: Assign Scalable Groups to the NoAuth Devices VN. This is where the network administrator implements the ‘intent’ to
separate ‘things’ from other users and devices that do authenticate. For demo purposes, there are multiple scalable groups
already created that represent things or devices that do not authenticate. These were created in ISE. There are 3 Scalable
Groups that belong on the NoAuth Devices VN:

• Badge Readers

• HVAC

• NoAuth Devices

You can see all Available Scalable Groups on the left. On the right-hand side, the Groups in the Virtual Network section is
empty. Populate Groups in the Virtual Network by dragging Groups from the section on the left into the section on the right. This
action adds Scalable Groups to the new VN. This step implements the intent to segregate these groups from other groups by
associating them with their own VN. This completes the Macro Segmentation policy implementation. This should appear to be
easy.
Demonstration Steps: The Groups in the Virtual Network section is empty at first. After dragging the three groups Badge
Readers, HVAC, and NoAuth Devices, click Save in the top-right. When successful, the screen refreshes to show the NoAuth
Devices VN has three Scalable Groups assigned. The number 3 appears in the parenthesis next to the VN name.


Step 9
Dialog: The next steps are about creating micro segmentation. This is done in the Group-Based Access Control page. The
Group-based Access Control page appears across the top next to Dashboard.
Demonstration Steps: Click Group-Based Access Control:

Step 10
Dialog: This brings up the window to create/edit micro segmentation policy. Micro segmentation is a marketing term. It refers to
the ability to create detailed security policies to allow or deny end devices or applications from communicating with each other.
The policy can be very blunt, where entire groups of devices are blocked from other groups. It can also be surgical, where
certain applications are permitted while denying other applications. For this demo, you will create blunt type policies to block
the three Scalable groups added to the NoAuth Devices VN from communicating with each other. A benefit to implementing
security policies this way is that the IP Addressing scheme is still not needed. These policies work regardless of the IP subnet
the end devices are a part of. Macro and Micro segmentation policy is implemented Fabric wide and is not dependent upon any
IP subnet of the end devices. There are no firewalls to maintain in the fabric.
Demonstration Steps: There should be some Micro Segmentation policies already defined:


Step 11
Dialog: Let's then create our first policy in order to achieve the results we want.
Demonstration Steps: In the top-right find the Add Policy button with the + sign to add an additional policy:

Step 12
Dialog: Creating a new Group-Based Access Control Policy requires a unique name, a contract, and an optional description.

Step 13
Dialog: First we enter the name. The Description field is optional.
Demonstration Steps: In the example below, the name Protect_Badge_Reader is used. This is an easy to understand name. It’s
an open text field, so just enter a unique and meaningful name.

Step 14
Dialog: The Contract field is required.
Demonstration Steps: Click Add Contract on the right side to add a new contract.


Step 15
Dialog: Deny and Permit are the built-in contracts. You can create additional contracts. Those additional contracts shown were
added by the Network admin. For this demo, only ‘deny’ contracts are used.
Demonstration Steps: Select deny and then click OK.

Step 16
Dialog: This returns to the Group-Based Access Control Policies page. The new Policy should show on the top along with the
‘deny’ as the contract type.


Step 17
Dialog: To complete this step, you will drag groups from the available section on the left to the Destination section on the right.
The destination section has two parts. On the top is the source. This is the group of devices that are the source of traffic that
will be ‘denied.’ On the bottom is the destination group. This is the group of devices to be protected. In this case the Source
groups are HVAC and NoAuth Devices. The destination group is Badge Readers.
Demonstration Steps: Drag the Scalable groups HVAC and NoAuth Devices to the top ‘source’ section. Drag the Badge-Readers
scalable group to the Destination section. In the top-right, click Save. And then click Yes to the popup:

Step 18
Dialog: Next, do the same thing for the HVAC group.
Demonstration Steps: Same steps as before. Click Add Policy in the top-right. Enter the name Protect_HVAC, and a brief
description. Click Add contract. In the popup select deny and then OK.


Step 19
Dialog: In the new policy, we now have instead Badge Readers and NoAuth Devices as the source groups, and HVAC as the
destination group.
Demonstration Steps: Just as before, from the left side drag Badge-Readers and No-Auth-Devices to the ‘source’ section of the
right-hand side. Then drag HVAC from the left to the ‘destination’ group on the right-hand side. When finished with those steps,
the UI should look like this. To save the policy, click Save in the top-right corner. Then click Yes in the pop-up.


Step 20
Dialog: There are three Micro-Segmentation policies. The third is to protect NoAuth Devices from HVAC and Badge Readers.
Demonstration Steps: The steps again are:

1. In the top-right click Add Policy.

2. Enter a unique name such as Protect_NoAuth, and an optional comment.

3. Click Add Contract.

4. Select deny and then click OK.

5. In the updated UI, drag HVAC and Badge Readers from the left side to the ‘source’ section on the right-hand side.

6. Drag NoAuth-Devices from the left-hand side to the ‘destination’ group on the right-hand side.

7. To save the policy, click Save in the top-right corner. Then click Yes in the pop-up.

Step 21
Dialog: There could be multiple micro segmentation policies already. They are listed in alphabetical order by policy name. Scroll
down or even skip to the next page to see the policies in the list.
Demonstration Steps: After the three policies are built, scroll down and move to the next page(s) in order to see them:
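The macro segmentation from steps 4 to 8 and the three deny policies from steps 11 to 20 can be checked outside the GUI with a small model of the intent. This Python example is added here and is not Cisco code or part of the demo; the VN membership and the Protect_* policies come from the steps above, while the permit-by-default inside a VN and the ‘Employees’ group in the default VN are assumptions.

```python
"""Model of the segmentation built in Scenario 2 (constructed example, not Cisco code).

VN membership and the three Group-Based Access Control policies follow the demo
steps. Two things are assumptions, not statements from the guide: traffic within
one VN is permitted when no policy matches (modelled as a default-permit), and
the 'Employees' group in the default VN is a constructed name.
"""
from dataclasses import dataclass, field
from itertools import permutations


@dataclass(frozen=True)
class Policy:
    """One Group-Based Access Control policy: source groups -> one destination group."""
    name: str
    sources: frozenset
    destination: str
    contract: str  # one of the built-in contracts, "deny" or "permit"


@dataclass
class Fabric:
    # Macro segmentation: virtual network name -> scalable groups assigned to it.
    vns: dict = field(default_factory=dict)
    # Micro segmentation: policies evaluated in the order they were created.
    policies: list = field(default_factory=list)

    def vn_of(self, group: str) -> str:
        for vn, groups in self.vns.items():
            if group in groups:
                return vn
        raise KeyError(f"scalable group {group!r} is not assigned to any VN")

    def add_policy(self, name: str, sources, destination: str, contract: str = "deny") -> None:
        """Mirror the demo dialog: a policy needs a unique name and a contract."""
        if any(p.name == name for p in self.policies):
            raise ValueError(f"policy name {name!r} is not unique")
        if contract not in ("deny", "permit"):
            raise ValueError("only the built-in deny/permit contracts are modelled")
        self.policies.append(Policy(name, frozenset(sources), destination, contract))

    def decide(self, src_group: str, dst_group: str) -> tuple:
        """Return (verdict, reason) for traffic from src_group to dst_group.

        Macro segmentation is checked first (different VNs never talk inside the
        fabric), then the group-based policies. No IP subnet is consulted, which
        is the point the guide makes about these policies.
        """
        if self.vn_of(src_group) != self.vn_of(dst_group):
            return ("deny", "virtual network")
        for p in self.policies:
            if src_group in p.sources and p.destination == dst_group:
                return (p.contract, p.name)
        return ("permit", "default")  # assumption: permit when nothing matches

    def leaks(self, groups) -> list:
        """Cross-group pairs among `groups` that are still permitted.

        An empty list means the groups are mutually isolated; use it to confirm
        that all three Protect_* policies were created, not just the first two.
        """
        return [(s, d) for s, d in permutations(groups, 2)
                if self.decide(s, d)[0] == "permit"]


def build_demo_fabric(with_third_policy: bool = True) -> Fabric:
    """Fabric state after step 20 (after step 19 only, if with_third_policy is False)."""
    fab = Fabric()
    fab.vns["Infra VN"] = set()
    fab.vns["default VN"] = {"Employees"}  # constructed name for an authenticating group
    fab.vns["NoAuth Devices"] = {"Badge Readers", "HVAC", "NoAuth Devices"}
    fab.add_policy("Protect_Badge_Reader", ["HVAC", "NoAuth Devices"], "Badge Readers")
    fab.add_policy("Protect_HVAC", ["Badge Readers", "NoAuth Devices"], "HVAC")
    if with_third_policy:
        fab.add_policy("Protect_NoAuth", ["HVAC", "Badge Readers"], "NoAuth Devices")
    return fab


if __name__ == "__main__":
    fab = build_demo_fabric()
    things = ["Badge Readers", "HVAC", "NoAuth Devices"]
    for src, dst in permutations(things, 2):
        print(f"{src:>15} -> {dst:<15} {fab.decide(src, dst)}")
    print("permitted pairs with all three policies:", fab.leaks(things))
    print("permitted pairs with only two policies:",
          build_demo_fabric(with_third_policy=False).leaks(things))
```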


22 To make the new Virtual Network active, you Click Provision in the tabs on the top:
will need to associate at least one IP pool to
the new Virtual Network ‘NoAuth Devices’.

The creation of IP Pools was done ahead of


time during the network design phase. It is
not part of this demo.

23 There’s a few clicks you need to make within The first page in Provision is displayed.
Provision tab to get to IP Address to VN
association.

From this view, click Fabric.

24 The list of SDA Fabric domains is shown. As Click SanJose_Fabric to select the Fabric domain. Within
part of the design phase, the fabric domains, this domain, the NoAuth Devices VN will be associated to.
and the fabric that comprise the domain was
already created for the demo.


Step 25

Dialog: There are multiple Fabrics within the SanJose_Fabric domain. Let's review the SDA Fabric topology for SJC06.

Demonstration Steps: At the bottom, select SJC06.

Step 26

Dialog: The devices in blue are in the fabric and managed by Cisco DNA Center.

You can move the devices around to make a view that makes sense to you.

This topology view is specific to devices in SJC06. It’s a subset of all the devices under management by Cisco DNA Center.

If you’re curious, view the ‘topology’ for Cisco DNA Center to see everything. There are many more devices in that view.

Demonstration Steps: To continue, click the Host Onboarding tab just above the topology.


Step 27

Dialog: The Host Onboarding tab is where VN and Fabric-specific configuration is completed.

In this case, the SJC06 fabric is relatively new, without much configuration, and the authentication template has not been configured yet.

The same three VNs present in the Policy configuration are present here. The Virtual Networks do not have any IP Pools associated yet. You can tell because all the boxes for the VNs are grey. When at least one IP Pool has been associated successfully, the box for the VN turns blue.

If you scroll down, you’ll see wireless SSID configuration.

At the bottom of the page is the ability to actually configure interfaces on the Fabric Edge and Extended Node devices.

For this demo, you will stick to assigning an IP Pool to the NoAuth Devices VN.

But first, you have to select the Authentication template.

Demonstration Steps: The figure below shows the initial image of the SJC06 fabric when it first appears.

Click No Authentication and Save, and then Apply in the pop-up window on the right. Below is the small change after selecting the Authentication template:

Click the grey box for the Virtual Network NoAuth Devices to bring up the window to assign IP Pools.


Step 28

Dialog: The network admin created a pool called InsideThings_Pool_SJC06_Sub for the NoAuth Devices VN.

In general, the configuration of a device pool follows the steps below:

1. Select a pool.

2. Choose the traffic type.

3. Enable L2 and L3 flooding.

4. Choose a default Scalable group.

5. We'll apply the above steps to our scenario.

Demonstration Steps: An IP Pool can be added by clicking the Add button and filling in the requested information, as we see here:

Look for the pool InsideThings_Pool_SJC06_Sub.

1. Check the box on the left of InsideThings_Pool_SJC06_Sub.

2. The traffic type is data; there is no voice VLAN for this pool.

3. You can have multiple IP Pools per VN. If this VN were for authenticated users, there would be 1 Data IP Pool and 1 Voice IP Pool.

4. Enable Layer-2 Flooding for this VN.

5. The default group is No-Auth-Devices.

Also, if you have trouble seeing the traffic type pull-down, click Show More, scroll down, and then click Update:

The list will be updated accordingly:


Step 28 (continued): A message will appear confirming the changes made:

Step 29

Dialog: Once completed, notice that the VN for NoAuth Devices is blue because it has an IP Pool associated with it.

Demonstration Steps: The Host Onboarding view returns:

Conclusion
This concludes our demo use cases for managing Industrial Networking Devices with Cisco DNA Center, the tool to manage your assets for the complete lifecycle. In the Intent Based Security for IOT using Cisco DNA Center scenario you saw how Cisco DNA Center was used to segment devices that do not authenticate from those end users and devices that do authenticate. You also saw how to define detailed security policy within each segment.

What’s Next?
Learn more about the benefits of intent-based networking
https://www.cisco.com/c/en/us/solutions/enterprise-networks/benefits-of-intent-based-networking-for-networking-management.html
