DNA Center - When it's good, it's really good... where it's bad, it's really bad
Updated July 25, 2023

Anonymous | TrustRadius Reviewer
Score 8 out of 10
Vetted Review

Overall Satisfaction with Cisco DNA Center

We, as a Cisco partner, install Cisco DNA Center for our customers as well as in our lab. We have been with it since the earlier 1.1 on the M4 server (we got our server after the issue with the partitioning on the hard drives), and dealt with many of the bugs throughout 1.2, and are currently on 1.2.8. We have evaluated the auto-provision and PnP functionality, SD-Access with fabric at a single site, API and API integrations with custom software, and Assurance modules both within DNA Center and integrated into ticketing systems.
  • PnP is absolutely amazing. The idea that the server need only boot up and get a DHCP address (with DNS or Option 43) greatly increases the deployment speeds, especially tying to golden standard images and configuration templates.
  • API documentation and integration is better than any other Cisco product I have seen, and in the top 3 of any product I have worked with. The Developer toolkit was able to not only show configuration examples, but also show you the actual feedback from that call to assist in quality testing.
  • ISE integration with the auto-provisioning makes a zero-touch deployment seamless across multiple platforms. Having the DNA Center contact the ISE environment greatly assists in speed-to-deployment of new gear.
  • The overall UI is very intuitive and walks you through each piece of a new deployment. Whereas in products like ISE, I always talk about working backwards (define the result, the conditions, and then add to policy - but the tabs are listed in reverse order), DNA Center provides the step-by-step boxes to take a new deployment to a fabric-enabled campus to assurance and monitoring.
  • The configuration templates, with ability to add variables, allow engineers to create the one golden standard configuration for a particular switch type, and supply the variables to that particular switch. This has been a large limiting factor with many customers, as the templates were not dynamic enough.
  • The PnP holding area for switches allows the switches to boot up and contact DNA Center, but will sit in an unprovisioned state until ready.
  • Allowing templates to only be available for particular network devices or line of network devices prevents engineers clicking without thinking.
  • The DNA Center provides a dot1X configuration to the switch that I have never seen before. It seems overly complex and may be hard to troubleshoot from the CLI.
  • Documentation needs to be much more available through the Cisco website. Contacting TAC for every issue and upgrade is quite honestly unacceptable. Calling TAC undermines the trust of a product and I have had customers steer away from DNAC for that exact reason.
  • Explaining the DNA Center "magic" to CLI needs to be documented in much greater detail. When I hit the bug in 1.2.6 which evaporated my fabric, I was desperate to get it back up. It was an issue with my LISP underlay, but unfortunately, I didn't know LISP at the time. Again, this is increasing the fear with the customer base (especially the senior engineers), who need to know "what happens when DNAC goes down".
  • Cisco continues to push customers to their in-house resources with their seeding programs. This makes it difficult as a partner to sell services with DNA Center to assist. In one instance, we worked with the customer for 3 days on their DNA Center, and when we went to make a service sales attempt, we were cut short by the Cisco SE saying "don't forget you get a free X number of hours with our team". What is our motivation for being so invested if Cisco seeds the device and the services? We are not making any money on the deals.
  • I am hopeful about the 1.3 train, but 1.2 was so plagued with bugs that customers were jumping minor releases way too often. The same problem happened with Firepower. I am not sure if these were not unit tested because there weren't enough resources or time, but jumping from failed minor release to failed minor release is a great way for customers to lose faith in the product.
  • The documentation of what the initial set-up *does* needs to be better documented. There are 4 ports, but only 2 are necessary (cluster and enterprise). This needs to be better explained that only one interface can get a default route, so that needs to be taken into account. Also, why the service subnets exist needs to be better explained. I have dealt with way too many customers who fumble past the address space needed for DNA Center because no one puts on the web site "these are tunneled IPs used by Docker." Again - very poor public documentation is available.
  • DNA Center needs to be advertised as what it is. It is an absolutely amazing product, which needs ISE for the SDA. For ETA, Stealthwatch can report back to ISE. That has nothing to do with DNA Center. This is only causing confusion. When I finally de-tangle the Cisco products for a customer, they generally are willing to sign off on more of the products than the campaign of DNAC, ISE, Stealthwatch, Threat-Grid, Firepower, and Cat9K -or- nothing.
  • ROI is difficult to answer as we are providing this to customers. We have certainly had more opportunities staying on top of this emerging technology.
  • Our business objective to be a value-add partner has had a strain, as Cisco Sales has often times cut us at the knees as we try to push the product to customers.
  • DNA Center has been a great "toy" to play with, but until Cisco lets the partners do the work, we are severely hindered.
Meraki does what should be expected at its price point, but it is geared to SMB. When it comes to enterprise networks, DNA Center is the clear path forward. It allows for more devices than just the ones it configures, it provides more customization and onboarding options, and the control stays within the organization. The DNA Center telemetry provides a more robust reporting than the Meraki dashboard, and again, the data stays on site. I see both being important in their own ways, but Meraki falls short in larger enterprises, and that is where DNA Center shines the most.
Cisco DNA Center can be a pricey option to install. If customers are looking to just do Prime or PnP features, there are a million products, and most are cheaper. I would at least tell them the benefits that DNA Center provides with the PnP functionality, because it certainly provides a step above, but not enough to justify the price point. For Prime (or SolarWinds) functions, we are being promised most of the necessary features in version 1.4, so I would only recommend for that case on a roadmap from Cisco. However, for customers who are looking for the benefits of SD-Access, I would highly recommend this product. Cisco got the SDN right on this one. The DNA Center pushes the configuration, but allows access to the switch in case you need to manually change something. The SD-Access deployment with the concept of the OOB network being the default VRF is absolutely outstanding. The DNA Center alleviates the strain of manual configuration, but provides the functionality with tested protocols such as LISP and VXLAN.

Cisco Hybrid Work

  • Webex Meetings
  • Webex App
  • Webex Calling
  • Cisco Webex Desk Pro
  • Cisco Webex DX80
  • Cisco AnyConnect
  • Cisco Secure Access by Duo
  • Working from anywhere (e.g., coffee shop, airport)
  • Working from an office or other company space
  • Working from home
We built the hybrid work solution as part of our company culture. Our remote workers stretch across the continental US and Hawaii, so it was important that we have a way to collaborate as we grow. The Webex suite is what provides us the ability to have meetings, chats, and calls to collaborate across these large geographic areas. Most of our resources are cloud hosted, so there is little need to remote into our main office, but when necessary, we use certificate-based authentication with the Cisco Secure Client (AnyConnect) which provides users easy access to approved resources.
The largest challenges were supporting a mixed endpoint environment of both Windows and Mac users. A lot of endpoint management tools were either only for Windows, only for Mac, or only worked somewhat on the other, so we had to use 2 separate products for endpoint management. To protect our infrastructure, we would use Cisco ISE to check the presence of required IT tools using the posture assessment whether onboarding via wired, wireless, or VPN. For critical systems and sensitive data, we would authenticate the system via certificate, posture, and MDM querying, and then authenticate the user via username/password and Cisco DUO. This gives the machine and user 2FA to ensure proper identification prior to authorization. The last challenge was more related to the culture than the technology. Training users to collaborate on video and not simply voice, training management to leverage the office for collaboration, and training users on how to use the necessary tools, while not a challenge, was necessary for our current state.
Providing OS-agnostic options was vital to our implementation, as we do not dictate cell phone or computer manufacturer or operating system. Having Cisco ISE investigate the posture of all clients, profile the device, and make a decision based on these data points allows it to be the centerpiece of our secure hybrid environment.
Cisco Webex one click options for call, meeting, or simple chat, and able to be installed on all platforms of our ecosystem - iPhone, Android, Windows, and Mac. This let us communicate and distribute information during the transition and was vital to our successful roll out.
The most noticeable result of hybrid work is staff morale. Staff appreciates going into the office as necessary, but also greatly appreciates the ability to work from home as necessary. This generally yields a better work/life balance for both the employee and employer as work may also be done during non-traditional office hours. The BYOD ability also allowed users to collaborate on their preferred platform which also raised morale. The end result of which was increased productivity, customer satisfaction, and a better company culture.