Cisco Featured Tech Note

Assure Network Security Policy and Compliance in the Data Center with Cisco Network Assurance Engine

  1. Verify, Or Die Trying: Observations on Change Management
  2. Assure Network Security Policy and Compliance in the Data Center with Cisco Network Assurance Engine
  3. Change Doesn’t Have To Be a Four Letter Word
  4. Configuration and Hardware Assurance in the Datacenter with Cisco Network Assurance Engine
  5. Hands On with Cisco Network Assurance Engine
  6. Cisco Network Assurance Engine: From Download to Value in 60 Minutes (or less)
  7. Networking Has Changed, Have You?

We, network engineers, are bombarded by many new terms: Intent-based networking, assurance, SDN, automation, and many more. The way we used to do networking a few years ago seems old and legacy today. Fortunately, mature products that match these promises of “modern” networking have recently reached the market. We must carefully examine these modern tools and embrace those that help us do our job better.

Let’s keep in mind that solutions are built upon each other and different approaches are tested over the years. Sometimes a new way to apply old concepts is successful because it arrives at the right time. It is successful only when technology and culture are ready to accept and use new paradigms.

The time for a better way to deploy and operate data centers and networks is mature now. New products in Cisco’s catalogue show a shared roadmap based on a common theme Cisco refers to as “Intent-Based Networking”.

Specific solutions that match different needs are already available including the Cisco Network Assurance Engine, Tetration, DNA Center, and Meraki Insight.

Cisco Network Assurance Engine (NAE) was publicly released at Cisco Live Barcelona this past January. NAE can provide configuration and state validation as well as security compliance testing for an ACI fabric. Let’s look at some of the details.

Network Assurance Engine

As a first step, NAE gathers data about the network, including metadata, configurations, policies, and state (tables, TCAM etc.). This information is used to build a ‘mathematical model’ of the current network state. What do I mean by a ‘mathematical model’? Let’s define it as an abstraction that represents the network in every detail. The mathematical model is updated continuously to reflect any changes in the infrastructure. It can then be used to run automated checks to identify potential errors, misconfigurations or unwanted behaviors.

Every network engineer knows their network isn’t a “snowflake”, i.e. entirely unique. Each network includes building blocks and configurations based on knowledge gathered over time. In practice, network engineers are “standing on the shoulders of giants”. The giants in this case are the expertise of other network engineers, lessons learned from numerous TAC cases, and best practices developed over time.  This vast pool of knowledge is what NAE uses to verify the mathematical model of the network.

The main idea behind NAE is to take advantage of all the aggregate knowledge of reliable sources and use it to ensure the network is properly configured and is behaving as expected. The very same concept shared with other Cisco products, from Cisco Wireless LAN Controllers to Intersight, sometimes referred to as the “expert in a box”.

More than five thousand checks and controls are available today out of the box with NAE. As this knowledge base grows, the number and quality of verifications will improve as a result of the accumulated experience. NAE functions as another pair of eyes, very trained and diligent, that help validate the network configuration and prevent errors.

Any control or check that fails generates a SmartEvent clearly visible on the NAE dashboard for further investigation. A SmartEvent is more than a simple alarm; it contains actionable information and advice on how to troubleshoot and fix the problem. More on that later.

Data Center Security

From a security perspective, there are two fundamental aspects to consider within a data center network: service availability and security compliance.

Service availability usually follows the well-known “break/fix model”. If the service is reachable, the network is in a “not-broken” state. If the service is not available, then something is broken. Assuming it is not a server or application problem, then it requires some action on the network to restore the desired state.

To notice the break after it occurs is a job of any monitoring solution. However, this is the old reactionary way of thinking.

The Cisco NAE offers a more proactive approach: The mathematical model of the network created by NAE allows network administrators to validate whether the new network state will meet the desired intent after the change is implemented.

Security Compliance

Network and data centers today are too complex to hold in any one person or team’s head. Even worse, they are almost impossible to document after the fact and hand off to the Operations team. Documenting security is an even bigger hassle, as it is a picture of a moving target. By the time the security state has been validated – it has already changed…

The Cisco Network Assurance Engine with its search and query capabilities allows network administrators to analyze policies and verify information such as:

  • All end point groups (EPGs) include the necessary policies
  • List all EGPs that a specific EPG can contact
  • All the expected contracts exist
  • All tenants are isolated wherever necessary
  • Examine details of each contract

Auditors and internal security teams can use NAE as a powerful tool to demonstrate there are not security paths between tenants or EPGs that must be isolated and that only the expected and compliant paths exist between other EPGs.  This verification is possible not only for the current network state but can also be done for historical data where available. This capability significantly increases the confidence in passing audits.

All these features are available via an intuitive and fast GUI that can answer the question with a few mouse clicks.

The continuous availability of instant verification of security compliance allows network administrators to ensure that all the policies are correct by design instead of relying on empirical testing after the implementation.

A quick example: how to ensure the web tier can communicate to application servers and applications servers can talk to the backend database? This is just a matter of clicking on each EPG and verifying a contract, expressed as a green line, connects the three of them. A click on the contract shows the details about what ports and protocols are permitted. This whole process doesn’t take more than a few seconds. But there’s more, so keep reading.

Cisco NAE provides validation that what the administrator intended is actually realized in the fabric – from the intent down to the programming of the actual hardware. The assurance tool makes sure the policy is enforced all the way down to the hardware level and if it is not, it generates SmartEvents telling why the policy was not enforced on the hardware and suggests the remediation steps.

About the author

Gian Paolo Boarina

Senior Network Engineer with multi-vendor experience on routing, switching, wireless, security. Passionate about scripting and automation.

He blogs at

Leave a Comment