BRKCRS 2502


Best Practices for Design and Deployment of Software Defined Access (SDA)

Imran Bashir - Technical Marketing Engineer


Nidhi Pandey – Technical Marketing Engineer

BRKCRS-2502
© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public
Your Presenters today

Nidhi Pandey
Imran Bashir
Assumptions

This session assumes you have received DNA Center & SD-Access Training.

If not, please complete one or all of the following training materials:
• CiscoLive
• Learning@Cisco
• dCloud Lab
• SDA Design CVD
• SDA Deploy CVD
• DNAC Guides

This session is based
• Product Compatibility Matrix

For a list of current capabilities, restrictions, limitations & caveats refer to:
• DNAC Release Notes
Icons Used Throughout BRKCRS-2502

• For Your Reference – These items will usually NOT be covered in detail during the session.
• Content enlarging – when something is not visible enough, we highlight and enlarge this area.
• GUI navigation assistant – This special type of highlighting (numbered callouts such as "1") is used to help you navigate the Graphical User Interface of a product.
• Hidden Content – slides which won’t be presented during the session. Primarily, those slides are here to give you more detailed information.
Cisco Webex Teams

Questions? Use Cisco Webex Teams to chat with the speaker after the session.

How:
1. Find this session in the Cisco Events Mobile App
2. Click “Join the Discussion”
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space
Agenda
• Introduction
• Sample Customer Requirements
• General Design Considerations
• Best Practices for Wired and Wireless
• Segmentation and Policy Best Practices
• Migration Considerations
• Security Best Practice
• Designing Customer Network
• Demo (if time permits)
• Conclusion

Audience poll

• Are you new to SD-Access?
• Have you deployed SD-Access in a lab or at a customer site?
• Have you had design discussions with your customer about SD-Access?
Related Cisco SD-Access sessions this week (TUE–FRI schedule grid on the slide; times omitted)

• Keynote; IBN Customer Appreciation
• BRKCRS-2815 Cisco SD-Access – Connecting Multiple Sites in a Single Fabric
• BRKCRS-2818 Build a Software Defined Enterprise with Cisco SDWAN & SD-Access
• BRKCRS-2819 Creating multi-domain architecture using Cisco SD-Access
• BRKCRS-2830 Cisco SD-Access – Lessons learned from Design & Deployment
• BRKCRS-3811 Cisco SD-Access – Policy Driven Manageability
• BRKCRS-2821 Cisco SD-Access – A Look Under the Hood
• BRKCRS-2810 Cisco SD-Access – Connecting to the DC, FW, WAN and more!
• BRKCRS-2502 Best Practices for Design and Deployment of Cisco SD-Access (this session)
• BRKCRS-2812 Cisco SD-Access – Integrating with your existing network
• BRKCRS-2832 Extending Cisco SD-Access beyond Enterprise walls
• BRKCRS-2825 Cisco SD-Access – Scaling the Fabric to 100s of Sites
• BRKARC-2020 Cisco SD Access – Troubleshooting the fabric
• BRKCRS-1400 Recipe for transforming Enterprise Networks with IBN
• BRKCRS-2824 Intuitive Zero-Trust Design, Securing the SD-Access Workplace
• BRKCRS-3810 Cisco SD-Access Migration deep dive
• BRKCRS-2823 Cisco SD-Access – Firewall Integration
• BRKCRS-2811 Cisco SD-Access – Connecting the Fabric to External Networks
• Cisco SD-Access Technology
Rethink networking, think intent-based

Business intent: Deploy IoT sensors

1. Network execution: High security, high availability, normal priority
2. Automate: Translate intent to policy and configure network devices
3. Secure: Recognize IoT devices and place them into the appropriate network segments as per policy
4. Assure: Collect telemetry data from the network, analyze, provide insights, discover potential issues, and remediate
SD-Access: Assured, Always-On, Secure Experiences

Enabling your Journey to next-gen Digital Experiences

Everything is Possible With the Network
Cisco SD-Access Customer Momentum
Fastest Ramping SD-X Solution!

Network Services | Meet your Customers | Cisco IT

www.cisco.com/c/en/us/solutions/enterprise-networks/network-architecture-customer-success-stories.html
Customer Requirement - Healthcare Vertical
Customer will be onboarding two new clinical facilities and is striving towards a unified architecture to minimize operational overhead and to drive simplicity. Security is top of mind for the CIO.

Land & Layout
• 10,000 users/endpoints for facility 1 and 1,000 users/endpoints in facility 2.

Existing Baseline Architecture
• Existing baseline architecture has VLAN based segmentation in place today (Corp users, ER, Medical Devices, Printers, Guest, Building Management, Cameras etc.)
• Port-security for limiting MAC addresses per port.
• MPLS circuit to connect other branches/sites. Internet breakout at every site.
• OSPF for Campus Routing.
• No VRF based routing in the backbone today; relies on the GRT (global routing table).
• Long term strategy is to consider SD-WAN for branch/DC interconnect.
• Microsoft AD for User and Computer Accounts.
• IoT devices with “static” IP addresses, which need to operate in a Layer 2 domain.
• Wireless Guest Anchor for Guest Access.
Customer Requirement - Manufacturing Vertical
A manufacturing customer has 15 facilities in a Metro Area Network, all interconnected via dark fiber. They all connect back to Corporate HQ to access billing servers. Local facilities have internet and DC breakouts.

Land & Layout
• Each local facility has ~250 users.
• HQ has ~1,000 users.

Existing Baseline Architecture
• Uses ISE to profile headless endpoints - IoT, Printers, IP Phones.
• OSPF for Campus Routing.
• No VRF based routing in the backbone today; relies on the GRT.
• Local Guest Firewall at each facility.

Top of Mind
• Seamless policy propagation.
• Seamless Mobility – wherever possible (Wired > Wired, Wired > Wireless) within a facility.
• Optimize Guest Traffic flow.
• Cross Domain policy propagation/integration across sites.
Customer Requirement - Enterprise Vertical
Customer will be migrating the global centers to Fabric and also building fabric in a few new sites.

Land & Layout
• Dual stack architecture, Datacenter and fabric integration

Existing Baseline Architecture
• Existing baseline architecture has VLAN based segmentation in place today
• Port-security for limiting MAC addresses per port.
• MPLS circuit to connect other branches/sites. Internet breakout at every site.
• OSPF for Campus Routing.
• Existing ISE and AD architecture

Top of Mind
• Fabric wireless
• Seamless mobility
• Same subnet for static endpoints
The Challenge…
“I want to design and deploy a SD-Access network.”

Optimization · On time · Business Critical · Scale
Design options · Platform choices · Software choices · Endpoints
SDA Technology Review

Cisco Software Defined Access
The Foundation for Cisco’s Intent-Based Network

Cisco DNA Center: Policy · Automation · Assurance

• Identity-Based Policy and Segmentation – Policy definition decoupled from VLAN and IP address
• Automated Network Fabric – Single fabric for Wired and Wireless with full automation
• Insights and Telemetry – Analytics and insights into User and Application experience
• User Mobility – Policy follows User
• SD-Access Extension – IoT Network and Employee Network (diagram: Border nodes B, Control plane C, Outside connectivity)
SD-Access Architecture
Fabric Roles & Terminology

(Diagram: Cisco DNA Center with NDP and NCP, ISE, Fabric Border Nodes (B), Control-Plane Nodes (C), Intermediate Nodes (Underlay), Fabric Edge Nodes, Fabric Wireless Controller, Campus Fabric.)

• Control-Plane Nodes – Map System that manages Endpoint to Device relationships. This is a combination of the LISP Map Server (MS) and Map Resolver (MR).
• Fabric Border Nodes – A Fabric device (e.g. Core) that connects External L3 network(s) to the SD-Access Fabric
• Fabric Edge Nodes – A Fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SD-Access Fabric
• Fabric Wireless Controller – A Fabric device (WLC) that connects APs and Wireless Endpoints to the SD-Access Fabric
SD-Access
What exactly is a Fabric?

A Fabric is an Overlay
An Overlay network is a logical topology used to virtually connect devices,
built over an arbitrary physical Underlay topology.
An Overlay network often uses alternate forwarding attributes to provide
additional services, not provided by the Underlay.

SD-Access Fabric
Campus Fabric - Key Components

1. Control-Plane based on LISP
2. Data-Plane based on VXLAN
3. Policy-Plane based on CTS (Cisco TrustSec)

Key Differences
• L2 + L3 Overlay -vs- L2 or L3 Only
• Host Mobility with Anycast Gateway
• Adds VRF + SGT into Data-Plane
• Virtual Tunnel Endpoints (Automatic)
• NO Topology Limitations (Basic IP)
Cisco SD-Access
Fabric Roles & Terminology

• Network Automation – Simple GUI Automation and APIs for intent-based Automation of wired and wireless fabric devices (Cisco DNA Center)
• Network Assurance – Data Collectors analyze Endpoint to Application flows and monitor fabric network status (Cisco DNA Center)
• Identity Services – NAC & ID Services (e.g. Cisco ISE) for dynamic Endpoint to Group mapping and Policy definition
• Control-Plane Nodes – Map System that manages Endpoint to Device relationships
• Fabric Border Nodes – A fabric device (e.g. Core) that connects External L3 network(s) to the SD-Access fabric
• Fabric Edge Nodes – A fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SD-Access fabric
• Fabric Wireless Controller – A fabric device (WLC) that connects Fabric APs and Wireless Endpoints to the SD-Access fabric
• Also on the diagram: Intermediate Nodes (Underlay), IP Fabric, Fabric Wireless Access Points
SD-Access Fabric
LISP Control Plane

Fabric nodes use LISP as a control plane for Endpoint Identifier (EID) and Routing Locator (RLOC) information.

The Fabric Control Plane node acts as a Map Server / Map Resolver for EID to RLOC mappings.

Fabric Edge and Internal Border devices register EIDs to the Map Server.

The External Border node acts as PxTR (LISP Proxy Tunnel Router) and provides the default gateway when no mapping exists.

Example (Corporate VN; Employee SGT behind edge 192.168.1.11/32, Contractor SGT behind edge 192.168.1.13/32):
Database Mapping Entry: 172.16.101.11/16 -> 192.168.1.11
Database Mapping Entry: 172.16.101.12/16 -> 192.168.1.13
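The map-server behaviour described on this slide, as an added example in Python (not Cisco, DNA Center or IOS-XE code). It models a control-plane node's map-server/map-resolver: edge and internal-border nodes register EIDs carrying an HMAC computed from a shared site key, the way LISP Map-Register messages are authenticated, an edge resolves a destination EID within its VN (modelled as the LISP instance-id), and an unknown EID returns the external border as PxTR. The site key, the instance-id 4099 and the PxTR RLOC 192.168.1.1 are assumptions; the EID/RLOC pairs are the ones on the slide.

```python
"""Toy LISP map-server / map-resolver for an SD-Access fabric.

Added example, not Cisco or DNA Center code.  It models only the mapping
logic: fabric edge and internal border nodes (ETRs) register host EIDs,
an edge node (ITR) resolves a destination EID to the RLOC of the node it
sits behind, and the external border (PxTR) is returned as the default
when nothing has registered the EID.  Registrations carry an HMAC over
the binding computed with a shared site key, as LISP Map-Register
messages do (RFC 6830), so a node without the key cannot plant a mapping.
"""
from __future__ import annotations

import hashlib
import hmac
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


def register_auth(site_key: bytes, instance_id: int, eid: str, rloc: str) -> bytes:
    """Authentication data for a Map-Register: HMAC-SHA256 over the binding."""
    msg = f"{instance_id}|{eid}|{rloc}".encode()
    return hmac.new(site_key, msg, hashlib.sha256).digest()


class MapServer:
    """MS/MR function as run on a control-plane node."""

    def __init__(self, site_key: bytes, pxtr_rloc: str) -> None:
        self.site_key = site_key
        self.pxtr = ip_address(pxtr_rloc)          # external border node
        # (instance-id, EID prefix) -> RLOC.  The instance-id is the VN, so
        # the same host address in two VNs is two unrelated entries.
        self.db: dict[tuple[int, IPv4Network], IPv4Address] = {}

    def map_register(self, instance_id: int, eid: str, rloc: str, auth: bytes) -> bool:
        """Accept a registration only if its HMAC matches the site key."""
        expected = register_auth(self.site_key, instance_id, eid, rloc)
        if not hmac.compare_digest(auth, expected):
            return False                            # forged or wrong-site register
        prefix = ip_network(eid, strict=False)      # hosts register as /32
        # Re-registering an EID from another RLOC is host mobility: the newest
        # registration replaces the old entry.
        self.db[(instance_id, prefix)] = ip_address(rloc)
        return True

    def map_resolve(self, instance_id: int, dst: str) -> tuple[IPv4Address, bool]:
        """Longest-prefix match inside the VN; (PxTR, False) when unknown."""
        addr = ip_address(dst)
        best: tuple[IPv4Network, IPv4Address] | None = None
        for (iid, prefix), rloc in self.db.items():
            if iid != instance_id or addr not in prefix:
                continue
            if best is None or prefix.prefixlen > best[0].prefixlen:
                best = (prefix, rloc)
        if best is None:
            return self.pxtr, False                 # negative map-reply: use PxTR
        return best[1], True


def demo() -> MapServer:
    """Constructed walk-through using the addresses on the slide."""
    key = b"dnac-provisioned-site-key"             # hypothetical site key
    ms = MapServer(key, pxtr_rloc="192.168.1.1")  # hypothetical PxTR RLOC
    corp_vn = 4099                                  # hypothetical instance-id
    for eid, rloc in (("172.16.101.11/32", "192.168.1.11"),
                      ("172.16.101.12/32", "192.168.1.13")):
        if not ms.map_register(corp_vn, eid, rloc, register_auth(key, corp_vn, eid, rloc)):
            raise RuntimeError("registration rejected")
    return ms


if __name__ == "__main__":
    ms = demo()
    print(ms.map_resolve(4099, "172.16.101.12"))   # edge 192.168.1.13
    print(ms.map_resolve(4099, "8.8.8.8"))          # PxTR: EID unknown
```

Resolving the same EID in a different instance-id returns the PxTR, which is the VN isolation the control plane gives you: a VRF in one VN never learns hosts of another. Re-registering a host from a new RLOC replaces the old entry, which is how the anycast-gateway mobility on the earlier slide looks from the map-server.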
SD-Access Fabric
VXLAN Data Plane

Fabric nodes use VXLAN (Ethernet based) as the data plane, which supports both L2 and L3 overlay.

The VXLAN header contains a VNID (VXLAN Network Identifier) field which allows up to 16 million VNIs.

The VXLAN header also has a Group Policy ID for Scalable Group Tags (SGTs), allowing 64,000 SGTs.

Example (Corporate VN): 172.16.101.11 (Employee SGT, behind edge 192.168.1.11/32) -> 172.16.101.12 (Contractor SGT, behind edge 192.168.1.13/32), carried in VXLAN between the two edges.
Group-Based Policy
Ingress Classification & Egress Enforcement

Edge Node 1 (encapsulation: VXLAN carrying VN ID + SGT ID) --- IP Network --- Edge Node 2 (decapsulation: VXLAN carrying VN ID + SGT ID)

• Classification – Static or Dynamic VN and SGT assignments
• Propagation – Carry VN and Group context across the network
• Enforcement – Group Based Policies: ACLs, Firewall Rules
SD-Access Fabric
Cisco TrustSec Policy Plane

A Scalable Group Tag (SGT) is a logical construct defined/identified based on the user and/or device context.

ISE dynamically assigns SGTs to the users and devices coming onto the network fabric.

Nodes add SGTs to the fabric encapsulation when communicating between the users and devices.

Edge and border nodes enforce the SGACL policies and contracts for the SGTs they protect locally.

Example: IoT VN with Lighting and Cameras SGTs; Corporate VN with Employee, Developer, Contractor and Supplier SGTs.
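What the VXLAN data-plane slide and the two policy slides above describe, as one added example in Python (not Cisco code): the 8-byte VXLAN header with the group-policy extension, whose 16-bit Group Policy ID carries the source SGT and whose 24-bit VNI carries the VN, and the egress edge node's enforcement of an SGACL matrix keyed by (source SGT, destination SGT). The SGT numbers, the VNI 8190, the IP-to-SGT bindings and the matrix are constructed sample data; the default cell is permit, as in TrustSec, so only deny cells are listed.

```python
"""VXLAN group-policy header and egress SGACL enforcement.

Added example, not Cisco code.  Packs and parses the VXLAN header with the
group-policy extension (draft-smith-vxlan-group-policy):

  |G|R|R|R|I|R|R|R|R|D|R|R|A|R|R|R|       Group Policy ID (16)     |
  |                VNI (24 bits)                  |   Reserved (8) |

G = group-policy ID present, I = VNI valid, A = policy already applied.
An egress edge then looks up the destination's SGT from its local
bindings and applies the (source SGT, destination SGT) cell of the SGACL.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

FLAG_G = 0x8000   # group-policy ID present
FLAG_I = 0x0800   # VNI valid (mandatory)
FLAG_A = 0x0008   # policy already applied upstream


@dataclass(frozen=True)
class VxlanGpo:
    vni: int
    sgt: int
    applied: bool = False

    def pack(self) -> bytes:
        if not 0 < self.vni < 1 << 24 or not 0 <= self.sgt < 1 << 16:
            raise ValueError("VNI must be 24-bit, SGT 16-bit")
        flags = FLAG_I | (FLAG_G if self.sgt else 0) | (FLAG_A if self.applied else 0)
        return struct.pack("!HHI", flags, self.sgt, self.vni << 8)   # low byte reserved

    @classmethod
    def unpack(cls, hdr: bytes) -> VxlanGpo:
        flags, gpid, vni_res = struct.unpack("!HHI", hdr[:8])
        if not flags & FLAG_I:
            raise ValueError("I bit clear: no valid VNI")
        sgt = gpid if flags & FLAG_G else 0        # no G bit: untagged traffic, SGT 0
        return cls(vni=vni_res >> 8, sgt=sgt, applied=bool(flags & FLAG_A))


@dataclass
class EdgeNode:
    """Egress edge: VNs instantiated here, IP-to-SGT bindings, SGACL matrix."""
    vnis: set[int]
    bindings: dict[str, int]               # destination IP -> SGT (from ISE/SXP)
    sgacl: dict[tuple[int, int], str]      # (src SGT, dst SGT) -> "permit" | "deny"
    default: str = "permit"                # TrustSec default cell

    def enforce(self, hdr: bytes, dst_ip: str) -> str:
        h = VxlanGpo.unpack(hdr)
        if h.vni not in self.vnis:
            return "drop: VNI not instantiated on this edge"
        if h.applied:
            return "permit: policy already applied upstream (A bit)"
        dst_sgt = self.bindings.get(dst_ip)
        if dst_sgt is None:
            return "drop: no SGT binding for destination"
        verdict = self.sgacl.get((h.sgt, dst_sgt), self.default)
        return f"{verdict}: SGT {h.sgt} -> SGT {dst_sgt} in VNI {h.vni}"


EMPLOYEE, CONTRACTOR, CAMERAS = 4, 5, 20          # constructed SGT values


def corporate_edge() -> EdgeNode:
    """Constructed egress edge for the Corporate VN (hypothetical VNI 8190)."""
    return EdgeNode(
        vnis={8190},
        bindings={"172.16.101.12": CONTRACTOR, "172.16.101.20": EMPLOYEE},
        sgacl={(CONTRACTOR, EMPLOYEE): "deny", (CAMERAS, EMPLOYEE): "deny"},
    )


if __name__ == "__main__":
    edge = corporate_edge()
    frame = VxlanGpo(vni=8190, sgt=CONTRACTOR).pack()
    print(frame.hex())                            # 88000005001ffe00
    print(edge.enforce(frame, "172.16.101.20"))   # deny: Contractor -> Employee
```

Two details worth noticing: a frame whose VNI the edge does not host is dropped before any SGACL lookup, which is what keeps VNs isolated even if a tag is spoofed, and the A bit lets an upstream enforcement point (a border or fusion firewall) mark traffic so the edge does not apply the matrix twice.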
SD-Access Fabric
How VNs work in SD-Access

• Fabric Devices (Underlay) connectivity is in the Global Routing Table (GRT)
• INFRA_VN is only for Access Points and Extended Nodes; it lives in the GRT
• DEFAULT_VN is an actual “User VN” provided by default
• User-Defined VNs can be added or removed on-demand; each maps to its own user VRF

Scope of Fabric (at the Border): User-Defined VN(s) and DEFAULT_VN -> USER VRF(s); INFRA_VN (for APs, Extended Nodes) and Devices (Underlay) -> GRT
Fabric Roles

• Border (B), Control Plane (C) and Edge (E) are fabric roles. One device can perform more than one function.
• WLC can be embedded in the Catalyst 9K switches.

Diagram options:
1. Co-located B/CP (Border and Control Plane on the same devices, separate Edges)
2. FIAB (Border, Control Plane and Edge on one device)
3. Embedded WLC
SD-Access Support
For more details: cs.co/sda-compatibility-matrix

Digital Platforms for your Cisco Digital Network Architecture

• Switching: Catalyst 9600, Catalyst 9500, Catalyst 9400, Catalyst 9300, Catalyst 9200, Catalyst 3850 & 3650, Catalyst 4500E, Catalyst 6800, Nexus 7700
• Routing: ASR-1000-HX, ASR-1000-X, ISR 4451, ISR 4430, ISR 4330, ENCS 5400
• Wireless: Catalyst 9800, AIR-CT8540, AIR-CT5520, AIR-CT3504, Catalyst 9100 APs, Aironet Wave 1 APs*, Aironet Wave 2 APs
• Extended: Cisco Digital Building, Catalyst 3560-CX, Cisco IE 4K/5K

(Several platforms carry NEW or BETA badges on the slide; check the compatibility matrix for current support.)
Designing your SD-Access enabled Network

SD-Access Deployment Lifecycle

Evaluation
• Introduction to SD-Access and its features
• Foundational knowledge in deploying SD-Access
• Planning network design

Design
• Scoping design requirements
• Simulating and validating design requirements
• Review Design with Enterprise Networks TME

Implement
• Lab validation
• Production dry-runs
• Go-Live and Day 2 Support

SDA Design Options: New Site | Migrate
SD-Access General Design Considerations
Drivers for Change
SDA Top Design Considerations

Wired Considerations
• L2 > L3 - Architecture Change
• New Subnets for SDA
• Fusion device
• Multicast - Native vs Underlay Multicast
• External Connectivity - Transit types
• VoIP CUCM
• Flooding
• Border Services - Firewall, etc.

Security and Segmentation
• Policy Enforcement in Fabric
• East West & North South Segmentation
• Policy in Multi-Domain
• IP Transit vs SDA Transit
• Enforcement at Border, Fusion or Firewall

Wireless
• Embedded - mDNS support, Local WLC per site
• OTT - Flex designs
• Latency of AP > WLC (20 msec in fabric)
Design Questions - Requirements
Translating Business Intent into Technical Requirements

K – Key Questions: Focus on Business Intent & Global Scope
A – Connect Questions: Focus on Topology & Features (Per Site + Transit)
B – Comply Questions: Focus on Access & App Policy (Per Site + Transit)
Design Questions: Key Points (For your reference)
Asking the right questions, to get things started

Is this a Single Site, or Multiple?
• Campus? Branch?
• WAN Considerations?

Is this a New or Existing Site?
• Parallel? Incremental?

Is this a Small, Medium or Large Site?
• How many Users / Devices?
• Scale Considerations?

Is this Site “Business Critical”?
• Redundancy Considerations?

What is More Important right now?
• Automation or Policy? Both?
• Visibility / Assurance?

Is Secure Network Access a top concern?
• Access Control?
• Segmentation?
• Intra or Inter-Site?

What are the Main Services?
• Centralized vs Distributed?
• Policy Implications (VN/SGT)
Design Questions: Connect Topics (For your reference)
Connectivity Services

Where are Connect Services located?
• Where is DNA Center?
• Where are DNS, DHCP, IPAM?
• Where is NTP?
• What is the IP Addressing?
• Local? DC? Over WAN?

Are Services in GRT or VRF?
• VRF Leaking (Fusion) involved?
• Firewall Rules (DMZ) involved?

What types of Network Services?
• Multicast / Broadcast?
• Voice / Video (Collaboration)?
• Client Services (mDNS)?
• Data Collection (SPAN/Netflow)?
Design Questions: Connect Topics (For your reference)
Wired Considerations

How many Network Tiers?
• What type(s) of Core/Border/CP node?
• What type(s) of Access/Edge node?
• Are there any Distribution/Intermediate?

Which nodes will be Border?
• What type of hand-off? L2/L3?
• What is the outside Protocol(s)?
• Redundant Borders?
• Collocated or Distributed?

Which nodes will be Control Plane?
• Switch/Router/CSR?
• Collocated or Distributed?

Which nodes will be Edge?
• How many Edge nodes?
• Any Edge @ Distribution?

Will there be Extended Nodes?
• How many Extended nodes?
• What type of Edge connection?

What is the Underlay?
• What is the IP Addressing?
• Automated Underlay?
• Manual Underlay? What Protocol?
Design Questions: Connect Topics (For your reference)
Wireless Considerations

What type of Wireless?
• Fabric Enabled Wireless?
• Overlay Wireless (OTT)?
• Mixed Mode (both)?
• Cisco or 3rd Party?

Which types of WLC?
• How many Wireless Clients?
• Where is the WLC connected?
• Direct to Border? DC?
• Redundancy considerations?

Which types of APs?
• How many Wireless APs?
• What type of Edge connection?

What about Guest Wireless?
• Dedicated Guest VN?
• Dedicated Guest CP/Border?
Design Questions: Connect Topics (For your reference)
Transit Considerations

What type of Transit?
• SDA Fabric Overlay?
• SD-WAN (Viptela)?
• DMVPN (IWAN)?
• Traditional IP/BGP?

What is the WAN/Edge node?
• Cisco or 3rd Party?
• Direct Internet Access?
• Redundancy considerations?

Is VRF hand-off required?
• All VRFs? Selective?
• 1:1? 1:N? M:N?
• Redundancy considerations?

Is Policy hand-off required?
• All SGTs? Selective?
• Inline SGT Tags? SXP?
Design Questions - Policy Topics
B0 - Policy Services

Where are Policy Services located?
• Where is Cisco ISE?
• Other ID/NAC Services?
• Local? DC? Over WAN?
• Cloud hosted?

What types of Policy Services?
• Identity Services?
• Firewall Services?
• VPN/Encrypt Services?
• IDS/IPS or NaaS/NaaE?

Are Services in GRT or VRF?
• VRF Leaking (Fusion) involved?
• Firewall Rules (DMZ) involved?

Is the Cisco ISE “Business Critical”?
• Scale Considerations?
• Redundancy Considerations?

NOTE: This is NOT an exhaustive list of questions. Add more of your own!
Design Questions - Policy Topics
B1 - Identity Considerations

Do you need Static Assignment?
• Where/Why is Static Identity used?
• Which parts are Static? VLAN, IP?
• Will these migrate to Dynamic?

Do you need Dynamic Authentication?
• Wired? Wireless? Both?
• Where is Dynamic Identity used?
• Do you use Device Profiling?

What type(s) of Authentication?
• 802.1X (EAPOL)?
• MAC Address Bypass (MAB)?
• Web Authentication (CWA)?
• Easy Connect (AD Integration)?

NOTE: This is NOT an exhaustive list of questions. Add more of your own!
Design Questions - Policy Topics
Segmentation Considerations

What areas need to be truly Isolated?
• Separate Departments?
• Secure Areas?
• Guest Network?
• Partners/Contractors?

Where are VRFs Managed?
• VRF Routing?
• Firewalls? DMZ?
• Local or End-2-End?
• Scale considerations?
• Redundancy considerations?

NOTE: This is NOT an exhaustive list of questions. Add more of your own!
Sample Network with Multiple Sites
SDA Design is driven by Customer requirements

Use Cases: Mobility · Survivability · Scale · Segmentation and Policy

Site sizes: Very Small (Building/Floor) · Small (Branch/Campus) · Medium (Metro) · Large (Region), interconnected over WAN/Metro
Types of SDA Designs
Fabric Design Categories

Very Small Site – FIAB (Fabric In a Box)
• Single wiring closet (MDF)
• Border, CP & FE and Wireless in a box
• No Survivability
• No Redundancy
• Stack supported (up to 8) with redundancy and survivability for Control plane
• Total endpoints < 2K (software limit)

Small Site
• Multiple wiring closets (MDFs)
• 2 x (collocated Border & CP) (in a single box)
• Limited Survivability for Border & CP
• Limited Redundancy for Border & CP
• Dedicated Edge (no stacking)
• Local WLC
• Standalone ISE

Medium Site
• Dedicated CPs for higher survivability (Site, building, floor) OR 2 x collocated Border & CP (in a single box)
• Full Survivability for CP
• Limited Redundancy for Border
• Dedicated Edge (no stacking)
• Local WLC + HA
• ISE PAN - Local PSN

Large Site
• 2 dedicated CPs (with SDA Wireless) – 6 with Wired ONLY. Up to 4 Border nodes
• Full Survivability for Border & CP
• Full Redundancy for Border & CP
• Local WLC + HA
• ISE PAN - Local PSN

Multiple Sites
• Multiple Sites is driven by customer design requirement
• Multiple Fabrics
• MAN or WAN Underlay
• Site Borders & Transit Area
• Distributed ISE
Scale Considerations for Fabric Nodes

Border Nodes
• 4 external/anywhere borders
• Mix of L2 and L3 border

Control Plane
• 4 CP for purely wired network
• 2 CP for network with wired and wireless
• Control plane nodes are active-active

Edge
• Stack considered as 1 fabric device
• Max 256 VNs supported
Network Infrastructure – Underlay
SD-Access underlay options

Manual Underlay
• Any Routed Network
• System MTU: 9100
• Loopback 0 with /32 subnet
• Resiliency – BFD, ECMP, NSF
• Multicast – ASM/SSM, sparse-mode
• CLI, SNMP credentials
• Discover & Manage network device
• Upgrade Software version

Automated Underlay
• Discover Seed Device
• Input IP Address Pool
• Start LAN Automation
  - Discover the network device
  - Onboard the network device
  - Upgrade software
• Stop LAN Automation
  - Complete Configuration (L3 interface, IS-IS)
  - Manage Device in Cisco DNA Center
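A check for the manual-underlay requirements listed above, as an added example in Python (not DNA Center or Cisco code). It parses a running-config into global lines and indented stanzas and reports each missing item: system MTU 9100, a /32 on Loopback0, PIM sparse-mode and BFD on routed links (accepting `bfd all-interfaces` under the IGP), and NSF on the IGP process. ECMP is a property of the topology rather than of one device's config, so it is not checked. The sample config is constructed, and the command spellings are the common IOS-XE ones; a given platform may accept different syntax.

```python
"""Audit an IOS-XE style running-config against the manual-underlay
requirements on the slide: system MTU 9100, Loopback0 with a /32,
BFD and PIM sparse-mode on routed links, NSF on the IGP.

Added example, not DNA Center or Cisco code.  The config is a constructed
sample and the command patterns are illustrative.
"""
from __future__ import annotations

import re

BFD_INTERFACE = ("bfd interval", "ip ospf bfd", "isis bfd")

SAMPLE_CONFIG = """\
hostname edge-1
system mtu 9100
!
interface Loopback0
 ip address 192.168.1.11 255.255.255.255
 ip pim sparse-mode
!
interface TenGigabitEthernet1/1/1
 no switchport
 ip address 10.0.1.1 255.255.255.254
 ip pim sparse-mode
 bfd interval 250 min_rx 250 multiplier 3
!
interface TenGigabitEthernet1/1/2
 no switchport
 ip address 10.0.1.3 255.255.255.254
!
router isis
 net 49.0001.0000.0000.0011.00
 is-type level-2-only
 metric-style wide
 bfd all-interfaces
 nsf ietf
!
"""


def parse_config(text: str) -> tuple[list[str], dict[str, list[str]]]:
    """Split a running-config into top-level lines and indented stanzas."""
    top: list[str] = []
    stanzas: dict[str, list[str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None                      # "!" ends a stanza
            continue
        if raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = raw.strip()
            stanzas[current] = []
            top.append(current)
    return top, stanzas


def check_underlay(text: str) -> list[str]:
    """Return one finding per violated requirement (empty list = clean)."""
    findings: list[str] = []
    top, stanzas = parse_config(text)

    if "system mtu 9100" not in top:
        findings.append("global: system mtu is not 9100 (VXLAN adds 50 bytes of overhead)")

    lo0 = stanzas.get("interface Loopback0")
    if lo0 is None:
        findings.append("global: no Loopback0 to serve as the RLOC")
    elif not any(re.match(r"ip address \S+ 255\.255\.255\.255$", l) for l in lo0):
        findings.append("interface Loopback0: address is not a /32")

    igps = {n: l for n, l in stanzas.items() if n.startswith(("router isis", "router ospf"))}
    if not igps:
        findings.append("global: no IGP (router isis / router ospf) configured")
    bfd_all = any("bfd all-interfaces" in lines for lines in igps.values())
    for name, lines in igps.items():
        if not any(l.startswith("nsf") for l in lines):
            findings.append(f"{name}: NSF not enabled")

    for name, lines in stanzas.items():
        if not name.startswith("interface ") or "Loopback" in name:
            continue
        if not any(l.startswith("ip address") for l in lines):
            continue                            # not a routed underlay link
        if "ip pim sparse-mode" not in lines:
            findings.append(f"{name}: no ip pim sparse-mode (underlay multicast)")
        if not bfd_all and not any(l.startswith(BFD_INTERFACE) for l in lines):
            findings.append(f"{name}: no BFD on routed link")
    return findings


if __name__ == "__main__":
    for finding in check_underlay(SAMPLE_CONFIG) or ["underlay config looks clean"]:
        print(finding)
```

Run it against `show running-config` output captured from each underlay device before you hand the fabric to DNA Center; a single routed link without sparse-mode silently breaks underlay multicast for every VN that relies on it.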
Automated Underlay - LAN Automation

Steps (numbered 1 to 8 on the slide):
1. Create site
2. Configure network and device credentials
3. Configure routing
4. Configure underlay pool
5. Discover seed device
6. Assign to site
7. Run automation
8. Sync and provision

Topology: a core/seed device and a peer; the devices being onboarded run the PnP agent and must start from a cleared configuration.
Overall Solution Scale is Driven by Cisco DNAC (For your reference)
Cisco DNAC 1.3.1.0

Scale Numbers                                                Overall Scale    Per Fabric Scale
No. of Endpoints (max concurrent endpoints)                  100,000          Same as overall
No. of Fabric Nodes (incl. all managed devices:              1200             1200
  switches, routers, WLC)
Access Points (No. of APs + sensors)                         12,000           Same as overall
DNAC Sites (No. of Fabrics)                                  2000             N/A
Virtual Networks (No. of VNs)                                256              256
IP Pools (max No. of IP Pools)                               N/A              600

DNA Center appliances:
• DN1-HW-APL – Cisco UCS C220 M5 Rack Server, 44 cores
• DN2-HW-APL – Cisco UCS C220 M5 Rack Server, 56 cores
• DN2-HW-APL-L – Cisco UCS C480 M5 Rack Server, 112 cores

* = Higher numbers with newer appliance
Very Small Site – FIAB (Fabric In A Box)

Border, Control and Edge: Catalyst 9300 (B, CP & FE)

Scale (solution numbers for design; platform numbers can be higher):
• Max number of Endpoints/Hosts: < 2K
• Fabric Nodes: 1
• Maximum number of VNs: < 8
• IP Pools: < 8
• Access Points: 200 (eWLC limit)

Overview
• Total endpoints < 2K (software limit)
• Border, CP & FE and Wireless in a single box
• No Survivability for CP and Border
• Single wiring closet (MDF)

Benefits
• Reduces cost to deploy SDA for very small sites
• FE + FB + CP on same C9K
• Supports eWLC/9800 & Embedded-Wireless in 1.2.10 (16.10.1e for C9300)

Sample Topology
• Site: one box with CP, B, FE and W (embedded wireless)
• DC: DNAC 1 NCP + NDP cluster; ISE 1 PAN + PXG + PSN; Services 1 DHCP + DNS + IPAM
• ISP / Internet
Very Small Site – Stacks of FIAB

Border, Control and Edge: Catalyst 9300 stack (B, CP & FE)

Scale (solution numbers for design; platform numbers can be higher):
• Max number of Endpoints/Hosts: < 2K
• Fabric Nodes: 1
• Maximum number of VNs: < 8
• IP Pools: < 8
• Access Points: 200 (eWLC limit)

Overview
• Total endpoints < 2K (software limit)
• If a member of the Stack fails (with CP and Border), the next available member in the stack takes over the CP and Border functionality
• Limited Survivability for CP and Border
• Single wiring closet (MDF)
• Max of 8 boxes can be in a Stack
• All the stack members must be the same platform

Benefits
• Get additional ports in a FIAB
• Still reduced cost to deploy SDA for very small sites
• FE + FB + CP on same C9K
• Supports eWLC/9800 & Embedded-Wireless in 1.2.10 (16.10.1e for C9300)

Sample Topology
• Site: one stack with CP, B, FE and W
• DC: DNAC 1 NCP + NDP cluster; ISE 1 PAN + PXG + PSN; Services 1 DHCP + DNS + IPAM
• ISP / Internet
Small Site

● = Scale Numbers are currently being tested

Border, Control: Catalyst 9300 or 9500 (B, CP)    Fabric Edge: Catalyst 9200 ● or 9300 (FE)
• Max number of Endpoints/Hosts: < 10K (B/CP); < 10K ● (FE)
• Fabric Nodes: 2 (Collocated) for B/CP; < 25 FE
• Maximum number of VNs: < 64
• IP Pools: < 64
• Access Points: 200
Note: Platform numbers can be higher but consider these solution numbers for design.

Overview
• Multiple wiring closets or even single.
• Border and CP are collocated in a single box
• Redundancy for Border or CP
• Limited Survivability
• Total endpoints < 10K (recommendation, but DNAC and platform scale can drive this number)

Benefits
• Small site design
• Tends to be Building or Office with < 10,000 endpoints and < 100 IP Pools/Groups
• 1-2 Collocated CP + External Border (Single Exit)
• Tends to be local WLC connected to Border (e.g. Stack) + FEW
• Looking at < 1000 dynamic authentications and < 250 group based policies.
• FB + CP + eWLC (9300) with distributed Fabric Edges
• Supports eWLC/9800 & Embedded-Wireless in 1.2.10 (16.10.1e for C9300)

Sample Topology
• Site: 2 x B/CP (+ W), distributed Edges
• DC: DNAC 1 NCP + NDP cluster; ISE 1 PAN + PXG + PSN; Services 1 DHCP + DNS + IPAM
• ISP / Internet
Strategy for Cisco SD-Access in a small site
Design for a small site

(Diagram) Distribution Branch – FIAB with Wireless: one device acting as Border + CP + Fabric Edge (with wireless), connected over a WAN Transit (SD-Access and IP Transit) to the Enterprise Campus fabric (collocated B/CP pair with distributed Edges).
Medium Site

● = Scale Numbers are currently being tested

Border, Control: Catalyst 9500 or 9600 (B, CP)    Fabric Edge: Catalyst 9300 ● or 9400 (FE)
• Max number of Endpoints/Hosts: < 25K
• Fabric Nodes: 4 (4 CP, 2 B) for B/CP; < 250 FE
• Maximum number of VNs: < 64
• IP Pools: < 64
• Access Points: 200
Note: Platform numbers can be higher but consider these solution numbers for design.

Overview
• Multiple wiring closets or even single.
• Dedicated CPs for higher survivability (Site, building, floor)
• 2 x collocated Border & CP (in a single box)
• Full Survivability for CP
• Limited Redundancy for Border
• Dedicated Edge (no stacking)
• Recommended total endpoints < 25K (recommendation, but DNAC and platform scale can drive this number)

Benefits
• Next level up from a small design.
• Max Control Plane nodes = 6 (Wired Only); 4 with Wireless (2 Enterprise and 2 Guest CPs).
• Tends to be Multiple Buildings with < 25,000 endpoints
• Most likely a 3 Tier design; recommendation is to use 9400 & 9500 as intermediate nodes.
• Can choose a Co-located or a Distributed/Dedicated CP + Border (Single Exit) design.
• Tends to be WLC + FEW via Services Block or a local Data Center
• Looking at < 25,000 dynamic authentications and < 1000 group based policies

Sample Topology
• Site: dedicated CP pair, Border pair, distributed Edges, WLC
• DC: Cisco DNAC 3 NCP + NDP cluster; ISE 2 PAN + PXG, 2 PSN; DDI 1 DHCP + DNS, 1 IPAM
• ISP / Internet
Large Site

● = Scale Numbers are currently being tested

Border, Control: Catalyst 9500 or 9600 (B, CP)    Fabric Edge: Catalyst 9300 ● or 9400 (FE)
• Max number of Endpoints/Hosts: < 25K
• Fabric Nodes: 6 + 4 (6 CP, 4 B) for B/CP; < 1000 FE
• Maximum number of VNs: < 64
• IP Pools: < 64
• Access Points: 200
Note: Platform numbers can be higher but consider these solution numbers for design.

Overview
• Multiple wiring closets (most likely).
• Max Control Plane nodes = 6 (Wired Only); 4 with Wireless (2 Enterprise and 2 Guest CPs).
• Max Border nodes = 4
• Dedicated CPs for higher survivability (Site, building, floor)
• Dedicated Borders for site exits
• Full Survivability for CP
• Full Redundancy for Border
• Dedicated Edge (no stacking)
• Recommended total endpoints < 25K (recommendation, but DNAC and platform scale can drive this number).

Benefits
• Dedicated borders can provide multiple exits to different DCs or destinations.
• Tends to be Many Buildings with < 25,000 endpoints and < 500 IP Pools/Groups
• Most likely a 3 Tier design; recommendation is to use 9500 as intermediate nodes.
• Can choose a Co-located or a Distributed/Dedicated CP + 2-4 Borders (Multiple Exits)
• Looking at < 25,000 dynamic authentications and < 2000 group based policies

Sample Topology
• Site: dedicated CP pair; internal and external Border pairs (4 B) toward DC, WAN and ISP/Internet; distributed Edges
• Cisco DNAC, ISE and DDI in the DC
Cisco SD-Access Network Requirements
Latency Requirements (RTT)

The slide is a latency matrix between DNAC, ISE (PSN), Control Plane node, Edge, Border, WLC and Access Point. The values shown in the figure (their row/column positions were not preserved in extraction) are 10 msec, 300 msec, 200 msec RTT, 100 msec RTT for most pairings, and 20 msec RTT.

Notes from the figure:
* Longer execution time may be experienced for events with latency higher than 100 msec (this note follows the 200 msec RTT entry).
* Currently all ISE to NAD communication (including TrustSec) uses RADIUS.
* RTT = Round-Trip Time.
Cisco DNA Center Design: Where to Locate It

Two placements are shown:
• Local DC or Services Block: DNA Center, ISE + AD/other and DNS/DHCP sit in the local DC and reach the Internet directly.
• Remote DC (over MAN/WAN): DNA Center, ISE + AD/other and DNS/DHCP sit in a remote DC reached over the Metro/WAN.

NOTE: DNAC requires access to the Internet.
Scaling Strategy for Fabric within a Site

Cisco DNA Center Design: Three Node High Availability

1 or 3 appliance HA cluster
- Odd number to achieve quorum of the distributed system
- Scale does not change with the cluster size
Seen as 1 logical Cisco DNAC instance
- Virtual (Cluster) IP
Cisco DNAC apps run on the Maglev cluster: 2 nodes active/sharing + 1 redundant
- Some services run multiple copies spread across nodes (e.g. databases)
- Other services run a single copy and migrate from the failed node to the redundant node
Cisco Identity Services Engine Design

1:1 redundancy
 Applies to both physical and virtual deployment
 Compatible with load balancers

Deployment    Lab and Evaluation    Small HA Deployment        Small Multi-node Deployment    Large Deployment
                                    2 x (PAN+MNT+PSN)          2 x (PAN+MNT), <= 5 PSN        2 PAN, 2 MNT, <= 50 PSN
35xx          100 Endpoints         20,000 Endpoints (shown spanning both Small columns)      500,000 Endpoints
36xx          100 Endpoints         50,000 Endpoints (shown spanning both Small columns)      2,000,000 Endpoints (3695 PAN & MnT)
Why Multiple Sites?

Basic goal is fewer, larger Fabric Sites; some needs require a split into multiple sites (diagram: (v)Small, Small, Medium and Large sites around a Transit):
• Higher scale due to a larger number of sites (control plane per site)
• Wireless client roaming (< 20 ms latency)
• Direct Internet Access (at remote sites)
• Survivable remote sites (local CP/Borders)
Scaling Strategy across Multiple Sites
Why single site vs multi site?

Advantages:
 Smaller or isolated failure domains
 Helps scale the number of endpoints
 Cisco DNAC provides automation and a single view of the entire system
 Local breakout at each site for Direct Internet Access (DIA)
Why Multiple Sites
Survivability or WAN-separated networks

Use Case
• I need high survivability for my ER department.

Diagram (Hospital Site): one SD-Access fabric with the Fabric Controller (CP), WLC and Border in the Hospital IT environment, Fabric intermediate nodes (underlay), and Fabric Edges serving Management and the ER.
Why Multiple Sites
Survivability or WAN-separated networks (continued)

Use Case
• I need high survivability for my ER department.

Diagram: the ER becomes its own fabric site (ER Site) with a local CP, Border (B) and WLC; the Hospital Site keeps its own Fabric Controller, Border, WLC and Management Edges, so the ER keeps working if the Hospital Site's CP, Border or WLC is lost.
Multiple Sites
Wireless Controller Scale

Diagram: several fabric sites, each with Border (B) and Control Plane (C), connected over a Transit (WAN/Metro); each site has its own WLC.

 Latency 20 ms
 Each site has a WLC associated with its Control Plane
 This will help scale the number of endpoints in the network
Sample Network with Multiple Sites
SDA design is driven by customer requirements

Requirements: Mobility, Survivability, Scale, Segmentation and Policy
Scope: Building/Floor, Branch/Campus, Metro, Region

Diagram: Very Small, Small, Medium and Large sites, each with Border (B) and Control Plane (C), connected through a Transit over WAN/Metro.
Types of Transit
Transit Design: IP vs SDA Transit

Diagram: Head Quarters, Cloud and Data Center connected to Remote Branches 1-3 over MPLS, Internet and LTE (IP Transit), and to Remote Campuses 1-3 over Metro (SDA Transit).

Why IP Transit
• Customers already using an existing WAN or who have adopted SD-WAN
• Less than 1G circuits from provider(s)
• Higher latencies because sites are in different regions (many miles apart)

IP Transit use-cases
• Internet handoff
• P2P IPSEC encryption
• Policy Based Routing
• WAN accelerators
• Traffic engineering
• Mobile backhaul LTE

Why SDA Transit
• Smaller or isolated failure domains
• Helps scale the number of endpoints
• DNAC provides automation and a single view of the entire system
• VNs and SGTs get pushed to all sites (consistent policy)
• Local breakout at each site for Direct Internet Access (DIA)

SDA Transit use-cases
• Consistent policy and end-to-end segmentation using VRFs and SGTs
• Smaller and isolated fault domains
• Resiliency and scalability
IP Transit
Design for a multi-site with IP Transit

Diagram: Site HQ (HQ Campus) and remote branch sites B1, B2 ... BN (each with Border, Edge and CP) connected over an IP Transit WAN.

Overview
• Tends to be many remote branch offices connected
• Customers already using an existing WAN or who have adopted SD-WAN
• Higher latencies because sites are in different regions (many miles apart)
• Typical use cases
  • Internet handoff
  • P2P IPSEC encryption
  • Policy Based Routing
  • WAN accelerators
  • Traffic engineering
  • Mobile backhaul LTE
Cisco SD-Access for Distributed Campus: IP-Based WAN Transit

Management and policy: Cisco DNA Center; SGTs are carried between sites in SXP.

Diagram: two SD-Access Fabric Sites (each with Control Plane C and Borders B) joined through an IP Transit (WAN): Fabric Site Border, Transit Border, Fabric Site Border.

Control plane: LISP inside each fabric site; BGP with VRF-lite at the Border handoff; MP-BGP or another control plane across the WAN.
Data plane: VXLAN header carrying SGT (16 bits) and VNID (24 bits) inside each site; 802.1Q VLAN ID (12 bits) at the handoff; MPLS labels across the WAN; 802.1Q and VXLAN again at the far site.
SDA Transit
Design for a multi-site with SDA Transit

Diagram: Site HQ (HQ Campus with CP nodes, Anchor Borders AB and External Borders EB) and Remote Buildings 1, 2 ... N (Sites B1, B2 ... BN) connected through SDA Transit control plane nodes (T) over a MAN.
DC: DNAC 5-7 NCP + NDP cluster; ISE 2 PAN, 2 PXG, 5-10 PSN; DDI 1 DHCP, 1 DNS, 1 IPAM.

Overview
• Customers have multiple sites connected via "Dark Fiber" links or DWDM links
• Sites are in the same metropolitan area (a few hundred miles apart)
• Typical use cases
  • Consistent policy and end-to-end segmentation using VRFs and SGTs
  • Smaller and isolated fault domains
  • Resiliency and scalability
Cisco SD-Access Distributed Site Control Plane for Global Scale
Multiple SD-Access Fabric Sites

Use Case
• Each site only maintains state for in-site endpoints.
• Off-site traffic follows the default route to the transit.
• Survivability: each site is a fully autonomous resiliency domain.
• Each site has its own unique subnets.

Diagram: the West Site (BR-W) holds West site prefixes only and the East Site (BR-E) holds East site prefixes only; each registers its own prefixes with the Cisco SD-Access Transit control plane, which holds East + West.
Native SD-Access Transit with Multi-Site Design

Management and policy: DNA-Center and Cisco ISE.

Diagram: two SD-Access Fabric Sites (Control Plane C, Borders B, Edges E) connected through an SD-Access Transit with its own control plane nodes.

Control plane: LISP in each site and across the transit.
Data plane: VXLAN header carrying SGT (16 bits) and VNID (24 bits) in each site and across the transit.
Device Compatibility (for your reference)

https://www.cisco.com/c/en/us/solutions/enterprise-networks/software-defined-access/compatibility-matrix.html
SD-Access Wired Design Considerations

Fusion Configuration
Connecting Fabric to Traditional Infrastructure

Steps on the Fusion device:
• Extend: configure a VRF and interfaces for each VN, matching the Border configuration.
• eBGP: eBGP neighbors for each VN between Fusion and Border.
• Route leak: route-leak shared-services subnets to each VN; route-leak VN subnets into Global.
• iBGP: iBGP neighbors for each VN between Border nodes.

Diagram: Border-1 and Border-2 each connect to Fusion-1 and Fusion-2; VN_Campus, VN_Guest, VN_IoT and INFRA_VN are extended on every Border-Fusion link; Shared-Services sits behind the Fusion devices.

• If the Border / Fusion network device is a routing platform, L3 sub-interfaces are used to extend Virtual Networks.
• If the Border / Fusion network device is a switching platform, VLANs and a trunk are used to extend Virtual Networks.
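The four Fusion steps above, rendered as configuration text by an added example (this is not Cisco's or DNA Center's code). It emits IOS-XE style configuration for a router (sub-interfaces) or a switch (VLANs, SVIs, trunk), one eBGP session per VN towards the Border, and the iBGP-per-VN piece that lives on the Borders. Every VN handoff, VLAN, ASN, interface, address and route-target in it is a constructed placeholder; the route-leak step is realised here as route-target import/export with a shared-services VRF, which is one of several ways to do it.

```python
"""Fusion-side VRF-lite handoff generator for SD-Access Virtual Networks.

Added example, not Cisco's or DNA Center's code. Renders the four steps on the
slide (extend VRF + interface per VN, eBGP per VN between Fusion and Border,
route leaking of shared services, iBGP per VN between Borders) as IOS-XE style
configuration text. All VNs, VLANs, ASNs, interfaces, addresses and route-targets
below are constructed placeholders.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class VnHandoff:
    vn: str      # Virtual Network name, reused as the VRF name on the Fusion
    vlan: int    # 802.1Q tag the Border uses for this VN on the handoff link
    link: str    # /30 shared by Border and Fusion for this VN
    rt: str      # route distinguisher / route-target for this VN


SHARED_SERVICES_RT = "65002:1"   # constructed: RT of the shared-services VRF on the Fusion

# Constructed handoffs; VN names follow the slide, VLANs/links/RTs are placeholders.
HANDOFFS = [
    VnHandoff("VN_Campus", 3001, "10.255.0.0/30", "65002:101"),
    VnHandoff("VN_Guest",  3002, "10.255.0.4/30", "65002:102"),
    VnHandoff("VN_IoT",    3003, "10.255.0.8/30", "65002:103"),
]


def link_addresses(link):
    """Return (border_ip, fusion_ip): first usable host is the Border, second the Fusion."""
    hosts = list(ipaddress.ip_network(link, strict=True).hosts())
    if len(hosts) != 2:
        raise ValueError(f"{link} is not a point-to-point /30")
    return str(hosts[0]), str(hosts[1])


def fusion_config(handoffs, border_asn, fusion_asn,
                  uplink="GigabitEthernet0/0/1", platform="router"):
    """Render the Fusion configuration for all VNs carried on one Border uplink."""
    out = []
    # Steps 1 and 3: one VRF per VN; importing the shared-services RT leaks those subnets in
    for h in handoffs:
        out += [f"vrf definition {h.vn}", f" rd {h.rt}", " address-family ipv4",
                f"  route-target export {h.rt}", f"  route-target import {h.rt}",
                f"  route-target import {SHARED_SERVICES_RT}", " exit-address-family"]
    # The shared-services VRF imports every VN so return traffic has a route (step 3)
    out += ["vrf definition SHARED_SERVICES", f" rd {SHARED_SERVICES_RT}",
            " address-family ipv4", f"  route-target export {SHARED_SERVICES_RT}"]
    out += [f"  route-target import {h.rt}" for h in handoffs] + [" exit-address-family"]
    # Step 1: extend each VN on the link; sub-interfaces on a router, VLAN + SVI on a switch
    for h in handoffs:
        _, fusion_ip = link_addresses(h.link)
        if platform == "router":
            out += [f"interface {uplink}.{h.vlan}", f" encapsulation dot1Q {h.vlan}"]
        else:
            out += [f"vlan {h.vlan}", f"interface Vlan{h.vlan}"]
        # 'vrf forwarding' must precede 'ip address' or IOS clears the address
        out += [f" vrf forwarding {h.vn}", f" ip address {fusion_ip} 255.255.255.252"]
    if platform == "switch":
        allowed = ",".join(str(h.vlan) for h in handoffs)
        out += [f"interface {uplink}", " switchport mode trunk",
                f" switchport trunk allowed vlan {allowed}"]
    # Step 2: one eBGP neighbour per VN towards the Border
    out.append(f"router bgp {fusion_asn}")
    for h in handoffs:
        border_ip, _ = link_addresses(h.link)
        out += [f" address-family ipv4 vrf {h.vn}",
                f"  neighbor {border_ip} remote-as {border_asn}",
                f"  neighbor {border_ip} activate", " exit-address-family"]
    return "\n".join(out)


def border_ibgp_config(border_asn, peer_ips):
    """Step 4 on a Border: iBGP per VN to the other Border (peer_ips maps VN -> peer address)."""
    out = [f"router bgp {border_asn}"]
    for vn, peer in peer_ips.items():
        out += [f" address-family ipv4 vrf {vn}", f"  neighbor {peer} remote-as {border_asn}",
                f"  neighbor {peer} activate", " exit-address-family"]
    return "\n".join(out)


if __name__ == "__main__":
    print(fusion_config(HANDOFFS, border_asn=65001, fusion_asn=65002))
```

Generating the handoff from one table of VNs keeps the Fusion side matching what DNAC provisions on the Border (same VLAN, same /30, same VRF name per VN), which is where hand-built fusion configurations most often drift.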
L2 Intersite Handoff (1.3.3)

Diagram: Fabric Site 1 and Fabric Site 2, each with Border (B), Control Plane (C) and a Layer 2 Border; the Layer 2 Borders are joined by a trunk carrying VLAN 300 across the IP Transit. Host 1 (172.16.8.10, VLAN 1021) in Site 1 and Host 2 (172.16.8.20, VLAN 1021) in Site 2 share the subnet 172.16.8.0/24.

• This feature can be used when inter-site communication for Layer 2 traffic such as ARP, broadcast and link-local multicast is needed for a subnet across fabric sites.
• This is achieved by configuring a handoff on the Layer 2 Border across multiple fabric sites for a specific VLAN.
• This creates a trunk between both fabric sites on a given interface.
• For a Border that is doing L3 handoff towards the IP Transit, /32 routes are exported for the VN that is extended across fabric sites.
• Wireless host mobility is not possible with this feature.
SD-Access Extension Platform Support

Key benefits for IoT and business
• Outdoor areas like parking, warehouses etc.
• OT areas in plants, manufacturing etc.

Benefits
 Operational IoT simplicity for
   IT designed and managed, or
   IT designed and OT managed
 Greater visibility into a wide set of IoT devices
 Improved threat detection and containment

Extended Nodes extend SD-Access beyond the Fabric Edge.

Diagram: Cisco DNA Center managing a fabric (Control Plane C, Borders B, Fabric Edge); Extended Nodes (Catalyst Digital Building, Catalyst 3560-CX, IE Series 4K/5K) hang off the Fabric Edge and serve the Surveillance Camera Virtual Network, the Outdoor Wireless network and extended wireless.
Policy Extended Node (1.3.3)

Diagram: Cisco ISE and the fabric (C, B, Fabric Edges E); a Secure Extended Node hangs off a Fabric Edge and connects Host 1 (VLAN 100, SGT 100); the Edge to Secure Extended Node link carries VLAN + SGT.

• A Policy Extended Node has 802.1X/MAB authentication enabled to communicate with ISE and download the VLAN and Scalable Group Tag attributes for endpoints.
• The link connecting the Edge to the Secure Extended Node is configured with inline tagging so that the SGT is propagated.
• Secure Extended Nodes perform SGACL enforcement.
• The current Fabric Edge behaviour of downloading the VLAN/SGT tag is now possible on the Secure Extended Node.

Supported platforms: IE3400, IE3400H
Per Site Scale Factors to Consider in Fabric

# Fabric devices / site
- Impacts provisioning time.

# VXLAN adjacency @ Border
- Active traffic from Border to Edge consumes adjacency on the Border.
- This depends on the number of VRFs, edge nodes and multicast groups.

# IP Pools / fabric site
- Impacts the adjacency calculation.
- Impacts provisioning time.

# Virtual Networks / fabric site
- Impacts the device selection.
- Not all platforms support the same scale number.

Adjacency calculation = (number of active VRFs x edge nodes) + multicast groups
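The adjacency rule above, applied to a site definition by an added example (not Cisco tooling). Alongside the adjacency count it checks the VN count against the Border platform's Virtual Network limit and the endpoints per Edge against the Edge platform's local-endpoint limit, using the per-platform numbers quoted later in this session on the Edge and Border scale slides (256 VNs on Catalyst 9300/9400/9500, 64 on 3850; 4K local endpoints per Catalyst edge), and reports how many more Edge nodes fit before the Border's adjacency budget runs out. The two sites and the adjacency budget are constructed inputs; the budget must come from the Border platform's own data.

```python
"""Per-site scale check for an SD-Access fabric site (added example, not Cisco tooling).

Applies the slide's rule  adjacency = (active VRFs x edge nodes) + multicast groups
and checks Virtual Network and local-endpoint counts against the per-platform
numbers quoted on this session's Edge/Border scale slides. Site definitions and
the adjacency budget are constructed inputs.
"""
from dataclasses import dataclass
from math import ceil

VN_LIMIT = {"C3850": 64, "C9300": 256, "C9400": 256, "C9500": 256}              # Virtual Networks
EDGE_HOSTS_LIMIT = {"C3850": 4000, "C9300": 4000, "C9400": 4000, "C9500": 4000}  # local endpoints per edge


@dataclass(frozen=True)
class Site:
    name: str
    border_platform: str
    edge_platform: str
    edge_nodes: int
    active_vrfs: int        # VNs carrying traffic Border <-> Edge, INFRA_VN included
    multicast_groups: int
    endpoints: int


def vxlan_adjacencies(active_vrfs, edge_nodes, multicast_groups):
    """VXLAN adjacencies consumed on a Border, per the slide's formula."""
    return active_vrfs * edge_nodes + multicast_groups


def edge_headroom(site, adjacency_budget):
    """How many more Edge nodes fit before the Border's adjacency budget is exhausted."""
    if site.active_vrfs == 0:
        return 0
    used = vxlan_adjacencies(site.active_vrfs, site.edge_nodes, site.multicast_groups)
    return max(0, (adjacency_budget - used) // site.active_vrfs)


def check_site(site, adjacency_budget):
    """Return a list of findings; an empty list means the site fits."""
    findings = []
    adj = vxlan_adjacencies(site.active_vrfs, site.edge_nodes, site.multicast_groups)
    if adj > adjacency_budget:
        findings.append(f"{site.name}: {adj} VXLAN adjacencies exceed the budget of {adjacency_budget}")
    vn_limit = VN_LIMIT[site.border_platform]
    if site.active_vrfs > vn_limit:
        findings.append(f"{site.name}: {site.active_vrfs} VNs exceed the {site.border_platform} limit of {vn_limit}")
    per_edge = ceil(site.endpoints / site.edge_nodes) if site.edge_nodes else site.endpoints
    host_limit = EDGE_HOSTS_LIMIT[site.edge_platform]
    if per_edge > host_limit:
        findings.append(f"{site.name}: ~{per_edge} endpoints per edge exceed the {site.edge_platform} limit of {host_limit}")
    return findings


# Constructed sites: a medium campus that fits, and a dense one that does not.
MEDIUM = Site("campus-medium", "C9500", "C9300", edge_nodes=60, active_vrfs=8,
              multicast_groups=50, endpoints=12000)
DENSE = Site("campus-dense", "C3850", "C3850", edge_nodes=120, active_vrfs=70,
             multicast_groups=500, endpoints=24000)
ADJACENCY_BUDGET = 4000   # assumed per-Border budget; take the real figure from the platform data

if __name__ == "__main__":
    for s in (MEDIUM, DENSE):
        adj = vxlan_adjacencies(s.active_vrfs, s.edge_nodes, s.multicast_groups)
        print(s.name, "adjacencies:", adj, "edge headroom:", edge_headroom(s, ADJACENCY_BUDGET))
        for f in check_site(s, ADJACENCY_BUDGET):
            print("  ", f)
```

Running the check before adding IP pools or VNs to an existing site shows which of the four factors on the slide (devices, adjacency, pools, VNs) is the one that will be hit first.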
A Bit about Your Speaker

• Nidhi Pandey
• Technical Marketing Engineer at Cisco Systems
• ~10 years with Cisco Systems
• Focus on Enterprise & Security
• Ask me about: Indian History, Good Reads, Bangalore and Bollywood
SD-Access Wireless Design Considerations

SD-Access Wireless Architecture

Diagram: DNAC (automation) and ISE/AD (policy) above a fabric with Borders (B), Control Plane (C) and a WLC; the AP runs the CAPWAP control plane to the WLC, the WLC joins the LISP control plane, and the AP sends the VXLAN data plane into the fabric.

Automation
 DNAC simplifies the Fabric deployment, including the wireless integration component (abstraction and configuration automation)

Centralized Wireless Control Plane
 WLC still provides client session management: AP management, mobility, RRM, etc.
 Same operational advantages as CUWN

Fabric-enabled WLC: the WLC is part of the LISP control plane
 WLC integrates with the LISP control plane
 WLC updates the CP for wireless clients
 Mobility is integrated in the Fabric thanks to the LISP CP

Optimized Distributed Data Plane
 Fabric overlay with Anycast GW + stretched subnet
 VLAN extension with no complications
 All roaming is Layer 2
 Carrying hierarchical policy segmentation starting from the edge of the network

Fabric-enabled AP: the AP encapsulates Fabric SSID traffic in VXLAN from the AP (data plane)
Access Points

Diagram: a Fabric AP connected to a Fabric Edge (FE), CAPWAP control to the WLC, VXLAN into the Fabric overlay; the WLC sits outside the fabric in the underlay/global routing table, with INFRA_VN mapped to the global routing table; a non-Fabric WLC is shown for comparison.

 AP is directly connected to an FE (or to an extended node switch)
 AP is part of the Fabric overlay
 AP belongs to the INFRA_VN, which is mapped to the global routing table (new in DNAC 1.1)
 AP joins the WLC in Local mode

WLC
 WLC is connected outside the Fabric (optionally directly to a Border)
 WLC needs to reside in the global routing table to talk to the CP
 No need for inter-VRF leaking for the AP to join the WLC
 WLC can only belong to one Fabric Domain; the WLC talks to one CP (two for HA)

Design Notes:
1) A Fabric AP is in local mode; it needs < 20 ms latency between AP and WLC
2) If the WLC is also used for non-Fabric (mixed mode), consider the MAC and ARP table scale of the directly-connected Border device
What Are My Options for Wireless with SDA?

Over the Top (OTT)
Fabric Enabled Wireless (FEW)
Mixed Mode
Design Considerations
Common for Greenfield & Brownfield

Network Hierarchy     Site location mapping, ISE, IP services
Scale                 Network scale and wireless
Underlay Readiness    Global routing table, Infra VN & CAPWAP
Device Discovery      WLC discovery & Assurance, brownfield support, PnP
Cisco SD-Access Wireless Adoption
• Fabric Enabled Wireless

Diagram: Cisco DNAC and ISE/AD; a Fabric WLC; fabric with Borders (B) and Control Planes (C); Fabric APs in a fabric building broadcasting SSID CORP and SSID Guest; CAPWAP control to the WLC and VXLAN data into the fabric; clients BYOD, Contractor and Employee.

Full Cisco SD-Access Wireless value
 Cisco DNA Center with Automation & Assurance
 Virtual Networks for segmentation (e.g. Employee, IoT, Guest)
 ISE for SGT access control within a VRF (e.g. Contractor, BYOD, Employees)
 Subnet extension across the Campus with a distributed data plane
 Optimized path for Guest and no Anchor WLC
 And more…
Cisco SD-Access Wireless Adoption
• Fabric Enabled Wireless with eWLC

Diagram: Cisco DNAC and ISE/AD; the WLC function (W) embedded on the Border/Control Plane nodes (B, C); Fabric APs in a fabric building broadcasting SSID CORP and SSID Guest; CAPWAP control and VXLAN data; clients BYOD, Contractor and Employee.

Full Cisco SD-Access Wireless value with eWLC
 Cisco DNA Center with Automation & Assurance
 Virtual Networks for segmentation (e.g. Employee, IoT, Guest)
 ISE for SGT access control within a VRF (e.g. Contractor, BYOD, Employees)
 Subnet extension across the Campus with a distributed data plane
 Optimized path for Guest and no Anchor WLC
 And more…
Cisco SD-Access Wireless Adoption
• Over the Top (OTT)

Diagram: Cisco DNAC and ISE/AD; a non-Fabric WLC outside the fabric; Borders (B) and Control Planes (C); non-Fabric APs in the fabric building with SSID CORP and SSID Guest; CAPWAP control and data go to the WLC.

OTT Use Cases
 No SDA advantages for wireless
 Migration step to full SD-Access
 Customer wants/needs to migrate wired first (different Ops teams managing wired and wireless, get familiar with Fabric, different buying cycles, etc.) and leave wireless "as it is"
 Customer cannot migrate to Fabric yet (older APs, need to certify the new software, etc.)
Cisco SD-Access Wireless Adoption
• Mixed Mode

Diagram: Cisco DNAC and ISE/AD; a Fabric WLC; Borders (B) and Control Planes (C); APs in the fabric building serving a Fabric SSID plus a CUWN SSID; CAPWAP control and data for the CUWN SSID, CAPWAP control and VXLAN for the Fabric SSID; clients BYOD, Contractor and Employee.

Mix of Fabric and non-Fabric (centralized) SSIDs
Mixed mode is supported both on the same AP and on different APs
Non-Fabric SSID: client traffic is CAPWAP encapsulated
Fabric SSID: client traffic is VXLAN encapsulated
Guest Access Deployment

Guest as VN (common Border/CP)
• Guest traffic uses the same Border/Control plane as any other VN
• Workflow automated from DNAC
• Simplified design
• External handoff via VRF-Lite

Dedicated GB/GCP
• A dedicated Border and Control plane for the Guest VN
• Deploy as co-located or distributed nodes
• Manual workflows required
• Identical to the traditional Guest Anchor solution
• Ideal for stringent compliance requirements
Option 1: Guest as VN leveraging Common CP/B

Diagram: SDA Fabric with common Control Plane (C) and Border (B); User VN towards the Intranet, Guest VN towards the DMZ and Internet; WLC attached to the fabric.

• Common Border/CP between the User VN and the Guest VN
• Traffic steering at the Border for Guest into the DMZ using VRF-lite
• eBGP handoff workflow automated through DNAC
• Segmentation within the fabric achieved by VNID (macro segmentation)

Configuration excerpt shown on the slide (the use-petr entry sends traffic with no map-cache entry to the proxy ETR at 3.1.1.1):

  router lisp
   locator-table default
   locator-set edge
    IPv4-interface Loopback0 priority 10 weight 10
   !
   ipv4 use-petr 3.1.1.1
Guest VN Border Handoff

(Screenshot: the "Extend Guest VN" step of the DNAC Border handoff workflow.)
Option 2: Guest as VN with Dedicated B/CP

Diagram: SDA Fabric with Control Plane (C), Border (B) and Edge (E); a dedicated Guest Border (GB) and Guest Control Plane (GCP) in the DMZ towards the Internet; WLC attached to the fabric.

• The Guest Border RLOC should be reachable in the underlay
• End-to-end MTU of 9100
• Register Guest EIDs to the Guest Control Plane (GCP)
• All Guest traffic is terminated on a dedicated Guest Border (GB)
• East-west isolation can be achieved by micro-segmentation

Configuration excerpt shown on the slide for the Guest VN (GCP at 192.168.10.2, this node's RLOC 192.168.41.5):

  router lisp
   service ipv4
    eid-table vrf GUEST
    map-cache 0.0.0.0/0 map-request
    itr map-resolver 192.168.10.2
    etr map-server 192.168.10.2 key 7 02130752
    etr map-server 192.168.10.2 proxy-reply
    etr
    sgt
    use-petr 192.168.10.2
    proxy-itr 192.168.41.5
   exit-service-ipv4
SD-Access Wireless Guest Design
• Anchor-Foreign CUWN Solution

Diagram: SDA Fabric (C, B) with a Foreign WLC; CAPWAP from the APs to the Foreign WLC; a CAPWAP/EoIP mobility tunnel from the Foreign WLC to the Anchor WLC (10.10.10.40) in the DMZ towards the Internet.

 Guest WLAN anchored at the Guest Anchor in the DMZ
 Well-proven CUWN solution, protecting investment
 Separate solution for wired Guest; the Anchor WLC is managed differently
Fabric in a Box Scale and DNAC Scale (for your reference)
DNAC 1.3 Release

Parameters                             DN2-HW-APL   DN2-HW-APL-L   DN2-HW-APL-XL
No of Devices (Switch/Router/WLC)      1000         2000           5000
No of Access Points                    4000         6000           12000
No of Endpoints (Concurrent)           25,000       40,000         100,000
No of endpoints, wired:wireless ratio  Any          Any            Wired: 40,000 / Wireless: 60,000
Number of Site Elements                500          1000           2000
No of WLC                              500          1000           2000
Fabric Wireless Scale (for your reference)

Diagram: one C9800 WLC serving Fabric1 through Fabric5, each with Control Plane (C), Border (B) and Edges (E).

Edge configuration                                    Access Points   Clients
C9300/9400/9500 as edge                               200             4000
C9300L as edge                                        50              1000
C9200 as edge                                         25              500
C9300/9400/9500 (with embedded wireless) FiAB         100             2000
C9300L (with embedded wireless) FiAB                  50              1000
C9300/9400/9500 (with embedded wireless) as edge      200             4000
C9300L (with embedded wireless) as edge               50              1000
Wireless Controller Scale (for your reference)

Platform                                       Number of APs   Number of endpoints   SDA Design
3504                                           150             3000                  Small
5520                                           1500            20,000                Small or Medium
8504                                           6000            40,000                Medium or Large
Catalyst 9800                                  Up to 6000      Up to 64,000          Small, Medium or Large
Catalyst 9k (Embedded WLC) *except Cat92xx     200             4000                  Small, Medium
Segmentation and Policy Best Practices

Segmentation Overview

Diagram: ISE classifies user Bob into Group IT and VN Employees; VN Employees contains the groups Marketing, IT and Finance; Contractors and Services are separate VNs; Control Plane (C) and Access (A) nodes in the fabric.

Default access between groups in a VN is Permit All.
Access between groups across VNs can be achieved using a stateful device (i.e. a Firewall).
Getting Started

Identify assets to protect
• Users/Devices, e.g. your Crown Jewels:
  • Cardholder data
  • Medical records
  • Intellectual Property
  • Prod vs Dev separation
  • Vulnerable systems
  • Protect employees from lateral movement of threats

Map assets to policy groups
• Define dynamic SGT classification based on context, automatically on Edge Nodes
• Protected Apps/Resources:
  • Define DC resources
  • Learn from ACI DC
  • Learn from Cloud

Policy Enforcement
• Define how groups can interact
• Enforcement on Edge Nodes for E-W
• User to DC access
• DC segmentation (DC virtual/physical switches or virtual/physical firewalls)
• Choose other enforcement points based on the use-case (identify capable switches or firewalls in the path)
New Policy View (post 1.3.1.0)

(Screenshot of the policy view: contract name and the number of policies referencing each contract.)

Minimum ISE versions
• ISE 2.4 patch 7
• ISE 2.6 patch 1
Better Utilization of VNs and SGTs to Avoid the SGACL Scale Limitations

# of VNs supported per site: 256 (Cat 9500)
If each VLAN = variable <SGT>
Then SGACL = {count <SGT>}^2
Result = [ Large SGACL matrix ]

Diagram: SDA fabric (C, B, E) with SGTs 5, 6, 7 in VN 1, SGTs 3, 9, 8 in VN 2 and SGTs 2, 4 in VN 1.

Recommendation
• Combination of VNs and SGTs to limit the SGACLs
• Considerations to be given to the VN and SGT constructs
• Start small
Shared SGTs across VNs

Use Case:
• Scale for SGTs and VNs crosses the supported limit.
• Access requirements across VNs.
• Default access between VNs is deny.

Diagram: SGTs 5, 6, 7 in VN 1, SGTs 5, 9, 8 in VN 2 and SGTs 7, 4 in VN 1; SGT 5 and SGT 7 are reused in more than one VN.

Recommendation: the same SGTs in different VNs
Supported in single-site and multi-site designs
Multi-Site Policy Considerations

Need for a multi-site deployment
The same SGTs can be shared across sites
Inline tagging is supported by default in SDA transit
Make use of SXP domains

Diagram: two SDA sites (C, B, E) connected by IP/SDA transit, each with the same SGT layout (5, 6, 7 in VN 1; 5, 9, 8 in VN 2; 7, 4 in VN 1).
Enforcement Scale: IP/Group Mappings

Diagram: Employee SGT (5) bound to 10.1.100.1 and 10.2.200.6; Contractor SGT (10) bound to 10.2.200.6.

Scale     C3850    C9300    C9400    C9500    C6800     N7700     ASR1K
IP-SGT    12,000   10,000   40,000   40,000   256,000   200,000   750,000
Policy Table Size

SGT, DGT table utilization = number of populated cells downloaded to individual fabric nodes
Blank cells (default policy) do not consume table entries
DNAC/ISE shows populated cells for the whole environment
Max populated cells on switch/router = SGT,DGT Table

Scale           Catalyst 3850   Catalyst 9300   Catalyst 9400   Catalyst 9500   Catalyst 6800   Nexus N7700   ASR1K/ISR4K
SGT/DGT Table   4K              8K              8K              8K              30K             16K           62K

SDA group-based policy scale: 25000 policies
Policy Entries

The key parameter for IOS platforms is the number of unique permissions (Access Control Entries).
When permissions are reused in multiple contracts with IOS, no additional TCAM is used and no additional ACEs are counted.
Number of unique permissions used = ACE count.

Scale                    Catalyst 3850   Catalyst 9300   Catalyst 9400   Catalyst 9500   Catalyst 6800             Nexus N7700*   ASR1K/ISR4K
SGT/DGT Table            4K              8K              8K              8K              30K                       16K            62K
SGACLs (Security ACEs)   1500            5K              18K             18K             30K (XL) / 12K (non XL)   128K           64K

* N7700 does NOT reuse TCAM entries: permissions in multiple contracts use multiple TCAM entries.
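The scale rules on the preceding slides (SGACL = count(SGT)^2 for a flat design, shared SGTs inside VNs, populated cells vs. the SGT/DGT table, unique ACEs vs. the security-ACE limit) combined into one planner, as an added example that is not Cisco or ISE tooling. The SGT-per-VN layout is the one drawn on the "Better Utilization" slide and the platform limits are the ones quoted on the "Policy Entries" slide; the contracts and policies are constructed.

```python
"""SGACL matrix and policy-table planner (added example, not Cisco or ISE tooling).

Applies the scale rules from the surrounding slides:
  * one SGT per VLAN in a flat design yields count(SGT)^2 matrix cells;
  * keeping SGTs inside VNs (inter-VN traffic is deny by default) shrinks that
    to the sum of the per-VN matrices;
  * only populated (non-default) cells consume SGT/DGT table entries;
  * on IOS platforms the TCAM cost is the number of unique permissions (ACEs),
    reused across contracts; the Nexus 7700 does not reuse them.
Platform limits are the ones quoted on the "Policy Entries" slide; the SGT
layout is the one drawn on the "Better Utilization" slide; contracts and
policies are constructed.
"""

PLATFORM_LIMITS = {           # platform -> (SGT/DGT table cells, security ACEs)
    "Catalyst 3850": (4_000, 1_500),
    "Catalyst 9300": (8_000, 5_000),
    "Catalyst 9400": (8_000, 18_000),
    "Catalyst 9500": (8_000, 18_000),
    "Catalyst 6800": (30_000, 128_000),
    "Nexus N7700":   (16_000, 64_000),
}
NO_ACE_REUSE = {"Nexus N7700"}

# SGTs per VN as drawn on the slide
VN_SGTS = {"VN 1": [5, 6, 7, 2, 4], "VN 2": [3, 9, 8]}

# Constructed contracts: name -> permissions (ACEs). Two contracts share ACEs.
CONTRACTS = {
    "allow_web":   ("permit tcp dst eq 443", "permit tcp dst eq 80"),
    "web_and_ssh": ("permit tcp dst eq 443", "permit tcp dst eq 80", "permit tcp dst eq 22"),
    "deny_all":    ("deny ip",),
}
# Constructed policies: (source SGT, destination SGT) -> contract name
POLICIES = {
    (5, 15): "allow_web", (6, 15): "allow_web", (7, 15): "web_and_ssh",
    (2, 5): "deny_all", (4, 5): "deny_all",
}


def flat_matrix_cells(vn_sgts):
    """Worst case: every SGT may need a policy to every SGT -> count(SGT)^2 cells."""
    return len({s for sgts in vn_sgts.values() for s in sgts}) ** 2


def per_vn_matrix_cells(vn_sgts):
    """Cells that can ever need a policy when SGTs are scoped to their VN."""
    return sum(len(set(sgts)) ** 2 for sgts in vn_sgts.values())


def populated_cells(policies):
    """Only explicitly populated cells are downloaded; blank (default) cells cost nothing."""
    return len(policies)


def ace_count(policies, contracts, platform):
    """TCAM entries: unique ACEs on IOS, every ACE of every used contract on the N7700."""
    used = [contracts[name] for name in policies.values()]
    if platform in NO_ACE_REUSE:
        return sum(len(aces) for aces in used)
    return len({ace for aces in used for ace in aces})


def fits(platform, policies, contracts):
    """True when both the populated-cell count and the ACE count fit the platform."""
    table_limit, ace_limit = PLATFORM_LIMITS[platform]
    return (populated_cells(policies) <= table_limit
            and ace_count(policies, contracts, platform) <= ace_limit)


if __name__ == "__main__":
    print("flat matrix cells:", flat_matrix_cells(VN_SGTS))
    print("per-VN matrix cells:", per_vn_matrix_cells(VN_SGTS))
    for p in PLATFORM_LIMITS:
        print(p, "populated:", populated_cells(POLICIES),
              "ACEs:", ace_count(POLICIES, CONTRACTS, p), "fits:", fits(p, POLICIES, CONTRACTS))
```

The two matrix numbers show why the slides recommend combining VNs with SGTs: the same eight SGTs cost 64 potential cells in a flat design but 34 when split across two VNs, and only the cells you actually populate are ever downloaded to a node.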
North/South Policy Enforcement (Border Nodes)

Diagram: SDA fabric (C, B, E) with VN1 and VN2; an IT system (SGT 15) outside the fabric and Employee (SGT 5) inside; SXP feeds the Borders; SGTs 5, 6, 7 in VN 1, 5, 9, 8 in VN 2, 7, 4 in VN 1.

• Enforcement is not enabled automatically on Borders currently (a config template in DNAC is available for this).
• Static classifications for destinations outside the fabric are shared with the Border nodes using the SXP protocol or by manual configuration on the Border.
• One SXP connection per VN.
Firewall as Fusion
SXP or pxGrid shares IP/SGT mappings with the SG-Firewall

Diagram: SDA fabric (C, B, E) with the Borders connected to an SG-FIREWALL acting as the Fusion device.

• Comprehensive inter-VN policy, stateful inspection, AVC
• Source SGT to Destination SGT policy
• Rich reporting in FTD
• TrustSec policies are not downloaded from ISE to the firewall
Border Scale Parameters (for your reference)

Values are transcribed in column order from the slide; cells the slide shows stacked (XL/LE, SUP1XL, 8 GB/16 GB) are written on one line here.

Scale                        Cat 3850   Cat 9300   Cat 9300L   Cat 9400       Cat 9500   Cat 9500 H   Cat 9600   Cat 6800               Nexus N7700   ASR1k/ISR4k              CSR1KV (XS)
Virtual Networks             64         256        256         256            256        256          1k         500                    500           4k                       n.a
Group Tag Table (SGT/DGT)    4k         8k         8k          8K             8K         16K          32K        30K                    16K           62K                      n.a
SGACLs (Security ACEs)       1500       5K         5K          18K            18K        13K IPv4     27K        12K (LE) / 30K (XL)    1k            64K                      n.a
IPv4 Fabric Routes (LPM)     8K         8K         8K          SUP1XL = 20K   48K        48K          200K       256K (LE) / 1M (XL)    500k          1M (8GB) / 4M (16GB)     200K
IPv4 Host Entries (/32)      16K        16K        16K         SUP1XL = 80K   80K        150k         150k       512K (L) / 1M (XL)     32k           1M (8 GB) / 4M (16 GB)   100k
Edge Scale Parameters (for your reference)

Fabric Constructs        Cat 3650   Cat 3850   Cat 9200L   Cat 9200   Cat 9300   Cat 9300L   Cat 4K (Sup8E)   Cat 9400   Cat 9500
Virtual Networks         64         64         1*          4*         256        256         64               256        256
Local End Points/Hosts   2K         4K         2k          4k         4K         4K          4K               4K         4K
SGT/DGT Table            4K         4K         2k          2k         8K         8K          2K               8K         8K
SGACLs (Security ACEs)   1350       1350       1k          1k         5K         5K          1350             18K        18K

* 9200L = 1 DEFAULT_VN + 1 INFRA_VN (global routing table); no extra user VN is possible.
  9200 = 3 user-configured VNs + 1 DEFAULT_VN + 1 INFRA_VN.
Migration Best Practices

Migration Approaches: Parallel vs Incremental

Parallel                                                        Incremental
Best for Branch (small) deployments                             Best for Campus (any size)
Requires enough cable runs to create a new parallel network     Requires a couple of cables from new access and distribution switches
Power and outlets for a parallel network                        Incremental power and outlet requirement
Legacy hardware in the existing network                         Legacy hardware in the existing network
Upgrade most of the wired network                               Upgrade some of the wired network
Clean slate (leave behind any complexity in the old design)     Must carry forward the constraints of the old design in the underlay
Test users in a completely new network                          Test of functionality is partial
Easy rollback of migrated users                                 Easy rollback of migrated users
Integrating DNAC with Existing ISE

Diagram: DNA-Center integrated with the ISE that already serves the existing campus and external network.

• Benefit from the already integrated systems
• Supplicant configuration need not be changed
• Policies and rules can be reused
• Check the compatibility matrix
• Integrate DNAC with the existing ISE, preferably with no existing TrustSec configuration
• Make sure to take a backup of the existing ISE cluster
• Group-based access control with 1.3.1
Incremental Migration: High Level Concept

Diagram: a Virtual Network (new IP scope) formed over the existing network (existing IP scope, used as the underlay); Edge Nodes and a Border/Control Plane Node; routing between the two IP scopes at the Border towards the existing campus and external network.

• Deploy a Border/Control Plane node and an Edge node
• A virtual network with new addresses is formed over the existing network
• Incrementally add Fabric Edge nodes
• The virtual network connects to the existing/external network via the Border
Using New Subnets for Migration
• Immediately realize the advantages of bigger, but fewer, subnets that are optimized for SD-Access
• Design for the present and the future
• Add DHCP scope and size
• Update existing firewall rules for that one big subnet
• Not a big issue for endpoints with IP stacks that work well with DHCP

Before: 10.10.1.0/24, 10.10.2.0/24, 10.10.3.0/24, 10.10.4.0/24, 10.10.5.0/24, 10.10.6.0/24, 10.10.7.0/24, 10.10.8.0/24, 10.10.9.0/24
After: 10.10.0.0/16
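The subnet consolidation above worked through by an added example (not Cisco tooling): it finds the smallest aggregate that covers the nine legacy /24s, confirms that the /16 the slide picks for future growth covers all of them, reports the DHCP scope size to provision, and collapses firewall rules that referenced the old /24s into rules on the new scope. The legacy firewall rule list is constructed.

```python
"""Plan the 'one big subnet' for an SD-Access migration (added example, not Cisco tooling).

Takes the nine legacy /24 scopes from the slide, finds the smallest aggregate
that covers them, checks the chosen target scope (the slide picks 10.10.0.0/16)
against the legacy ranges, reports the DHCP scope size, and collapses firewall
rules that referenced the old /24s into rules on the new scope. The firewall
rule list is constructed.
"""
import ipaddress

LEGACY_SCOPES = [f"10.10.{i}.0/24" for i in range(1, 10)]   # 10.10.1.0/24 .. 10.10.9.0/24
TARGET_SCOPE = "10.10.0.0/16"                                # the "After" subnet on the slide

# Constructed legacy firewall rules: (source, destination, action)
LEGACY_RULES = [
    ("10.10.1.0/24", "192.0.2.10/32", "permit"),
    ("10.10.2.0/24", "192.0.2.10/32", "permit"),
    ("10.10.5.0/24", "192.0.2.10/32", "permit"),
    ("10.10.3.0/24", "198.51.100.0/24", "deny"),
    ("172.16.1.0/24", "192.0.2.10/32", "permit"),   # unrelated rule, must survive unchanged
]


def covering_aggregate(scopes):
    """Smallest single prefix that contains every legacy scope."""
    nets = [ipaddress.ip_network(s) for s in scopes]
    agg = nets[0]
    while not all(agg.supernet_of(n) for n in nets):
        agg = agg.supernet()          # widen by one bit until everything fits
    return agg


def covers_all(target, scopes):
    """True when the chosen target scope contains every legacy scope."""
    t = ipaddress.ip_network(target)
    return all(t.supernet_of(ipaddress.ip_network(s)) for s in scopes)


def usable_hosts(scope):
    """DHCP-relevant size of an IPv4 scope: network and broadcast excluded."""
    return ipaddress.ip_network(scope).num_addresses - 2


def collapse_rules(rules, scopes, target):
    """Rewrite rules whose source or destination is a legacy scope to use the new scope,
    dropping the duplicates this creates while keeping the original order."""
    legacy = {ipaddress.ip_network(s) for s in scopes}
    seen, out = set(), []
    for src, dst, action in rules:
        src_n, dst_n = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        new = (target if src_n in legacy else src, target if dst_n in legacy else dst, action)
        if new not in seen:
            seen.add(new)
            out.append(new)
    return out


if __name__ == "__main__":
    print("minimal aggregate:", covering_aggregate(LEGACY_SCOPES))
    print("target covers legacy:", covers_all(TARGET_SCOPE, LEGACY_SCOPES))
    print("usable hosts in target:", usable_hosts(TARGET_SCOPE))
    for rule in collapse_rules(LEGACY_RULES, LEGACY_SCOPES, TARGET_SCOPE):
        print(rule)
```

The minimal aggregate for the nine /24s is a /20; the slide chooses a /16 instead, which is the "design for the present and the future" point: pick the scope once, because widening it later means touching the DHCP scope and every firewall rule again.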
Prerequisites

Diagram: Edge Node and Control Plane + Border Node over an IP network; the VN maps to a VRF/zone in the external network.

Set the following on the Fabric nodes and the other nodes in the underlay:
• Set MTU to 9100 on the switch and the existing network
• Configure 'ip routing'
• Set 'username' and 'password' for device access
• Configure VTY and console lines for device access
• Configure NTP
• Configure SNMP, syslog
• Configure Loopback0 (/32) for the RLOC, and the underlay IP addresses

Understand the VN requirements:
• Understand the different domains needed
• Understand the security mapping needed
• Difficult to modify later
Current State of the Network
(Diagram: the External Network connects to the core pair, one of which is already the fabric border/control plane (C B).)
• Now configure the rest of the access switch links from L2 to L3 routed access
• Configure them as fabric edge switches
• Also configure the secondary core as the fabric border/control plane for redundancy
After the Migration
(Diagram: the External Network connects to two redundant border/control plane nodes (C B, C B).)
• Add border redundancy
• Configure BFD
• Per-VRF BGP configuration
• Configure eBGP for N-S traffic
• Recommended to have iBGP for E-W traffic
• Test the fabric for critical production traffic
• Test failover scenarios
• Test multiple paths
• Enable L2 flooding on need basis
• All link MTU should support VxLAN header
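What the per-VRF BGP and BFD items above look like on one external border, as an added illustration that is not Cisco's or the session's own configuration (on a real border Cisco DNA Center provisions the handoff). The VRF name CAMPUS_USERS, AS numbers 65001/65002, VLAN 3001 and all addresses are constructed placeholders, and the iBGP peer assumes a VRF cross-link between the two borders.

```ios
! Added example: per-VRF eBGP handoff with BFD on an external border (constructed values)
bfd-template single-hop FUSION-BFD
 interval min-tx 250 min-rx 250 multiplier 3
! One VRF per virtual network; the fusion router sees each VN as its own BGP session.
vrf definition CAMPUS_USERS
 rd 1:4097
 address-family ipv4
 exit-address-family
! Handoff SVI toward the fusion router, placed in the VN's VRF, with BFD enabled.
interface Vlan3001
 description Handoff CAMPUS_USERS -> FUSION-01
 vrf forwarding CAMPUS_USERS
 ip address 10.253.1.1 255.255.255.252
 bfd template FUSION-BFD
 no shutdown
router bgp 65001
 bgp log-neighbor-changes
 address-family ipv4 vrf CAMPUS_USERS
  ! N-S: eBGP to the fusion router; BFD tears the session down in under a second on link failure.
  neighbor 10.253.1.2 remote-as 65002
  neighbor 10.253.1.2 fall-over bfd
  neighbor 10.253.1.2 activate
  ! E-W: iBGP to the redundant border over a VRF cross-link (assumed, constructed peer address).
  neighbor 10.253.1.6 remote-as 65001
  neighbor 10.253.1.6 activate
  ! Advertise only this VN's fabric prefix toward the fusion device.
  network 10.10.0.0 mask 255.255.0.0
 exit-address-family
```

Verify with `show bfd neighbors` and `show bgp vpnv4 unicast vrf CAMPUS_USERS summary` before moving production traffic, then repeat the failover tests listed above with one border link down.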
Routed Access Design Considerations
(Diagram: SDA Fabric with two borders (B), one of them a dedicated Layer 2 Border toward the traditional network. Host 1 is attached to a fabric edge node in Address Pool 1024 (IP 10.1.1.0/24); Host 2 and Host 3 are attached to traditional access switches in VLAN 300 (IP 10.1.1.0/24).)
• Shutdown existing SVI
• Provision existing subnet from DNA-Center (10.1.1.0/24 in this case)
• Verify connectivity
• Use dedicated L2 border to avoid issues from legacy network
• VLAN ID cannot overlap
Multicast with RP outside the fabric – 1.3.3
(Diagram: External RP-1 and External RP-2 in the non-fabric network, two borders (B,RP) at the edge of the SD-Access Fabric, edge nodes (E) below.)
• New multicast workflow supports an RP internal or external to the fabric
• Configuration as part of the ASM workflow
• Maximum 2 RPs supported
What is the Best WLC/AP Migration model for You
Greenfield or Brownfield

• Building From Scratch: Introduce new compatible HW and build a new infrastructure. (Suitable for new sites/buildings)
• Migrate Existing Setup: Migrate the existing HW to compatible HW models. (Suitable for sites with devices running out of support)
• Parallel Build: Build an infrastructure parallel to the traditional infrastructure. (Suitable for a migration from different vendors)
• Split Existing Setup: Split the HA pair and use one WLC for building the new infrastructure. (Best approach for those who have compatible HW available in the existing infrastructure)
SD-Access Wireless Migration
Migration for an existing CUWN deployment
(Diagram: Non Fabric Building 1 and Building 2 with APs running CAPWAP control and data to the existing WLC in the Services Block, alongside DHCP, ISE, Cisco Prime and Cisco DNA Center; the SD Fabric border (B) connects to the Services Block.)
1. Add Cisco DNA Center and ISE (if not present already)
2. First, migrate the wired network to SD-Access Fabric
3. Wireless is over the top of Fabric
SD-Access Wireless Migration
Migration for an Existing CUWN Deployment
(Diagram: a new Fabric WLC is added in the Services Block; APs in the migrated area keep CAPWAP control to the Fabric WLC while data goes over VXLAN through the SD Fabric border (B); there is no seamless roaming between the fabric and non-fabric areas.)
4. Discover the existing WLC in Cisco DNA Center – learn configuration (e.g. SSIDs) and populate Cisco DNA Center
5. Assign a separate WLC for SD-Access and provision it to the site (re-use the configuration inherited from the old WLC)
6. On the CUWN WLC, configure the APs in the area to join the new Fabric WLC
7. APs in the area will join the Fabric WLC. From Cisco DNA Center, provision the APs to the Fabric site
Migration Scenario 1
Traditional to Pure Fabric Enabled Wireless (FEW)
(Diagram: Internet, MPLS and DC reached via the Campus Core (GRT) with AD/DNS/DHCP, ISE and DNAC; a Fabric-enabled WLC; borders (B) and control planes (C); S-T-S host pools MPLS_CUS, VPN_CUS, COMMON, VOICE, PRINTER, Internet, IT CORP/NON-CORP, NON-PROD and Untag, serving wired/wireless users.)

Scenario One (All SSIDs are FEW) – for your reference
Migration Scenario 2
Shared WLC for FEW & Non-FEW
(Diagram: a Shared WLC with CAPWAP control to Fabric APs in Area 1 (SD-Access Fabric, B/CP, VXLAN data) and to Non-Fabric APs in Area 2 (Traditional Campus); ISE, Cisco Prime, Cisco DNA-C and a Guest Anchor reached over EoIP; no roaming between Fabric and non-Fabric APs.)

Shared controller for SDA and CUWN:
• Shared WLC can manage Fabric and non-Fabric APs but needs upgrade to 8.5
• New code = more risk for existing non-Fabric buildings
Management:
• DNAC 1.2 can manage non-Fabric WLC in brownfield scenarios
• But not all wireless settings are available
WLAN Design:
• Fabric is enabled per SSID
• To have the same SSID name in both areas:
  1. Need to define and apply AP Groups
  2. APs need to be re-booted
Guest and Policy:
• Can leverage existing Guest Anchor also for Fabric area/building
• Can leverage ISE for both

Scenario Two (FEW & Non-FEW) – for your reference
Migration Scenario Three
Onboarding Traditional Site using Cisco DNA-C
(Diagram: a Non-FEW site WLC in the Traditional Campus managed by Cisco DNA-C alongside ISE and Cisco Prime; Non-Fabric Local Mode APs use CAPWAP with central switching of data to the WLC, and guest traffic goes over EoIP to a Guest Anchor in the DMZ.)

Scenario Three: Non-FEW & Local Mode AP – for your reference
Migration Example
Requirement:
Customer wants to utilize the existing network infrastructure while moving specific ODCs to SDA. User count is 5000 users. Fabric enabled wireless for the ODC in SDA.
Plan:
1. Use a pair of Border+Control plane nodes (Catalyst 9500)
2. 3 tier architecture
3. DNAC appliance - DN2-HW-APL
4. ISE – 4 node hybrid deployment (3655)
5. Manual underlay
6. Add 2 WLC to SDA ( platform)
7. Campus core switches to be used for Fusion
Security Best Practices
Firewall Integration for Inter-VN Policy
Requirement for Inter-VN policy enforcement
• SXP or pxGrid always needed to enable group-based FW rules
• SXP or pxGrid shares IP/SGT mappings
• SGT/VXLAN to SGT/Eth is optional
• Mappings can be shared with SXP peers
(Diagram: SDA fabric with control plane/border (C B) and edge nodes (E) connected to an SG-FIREWALL.)
Example SG-FIREWALL rule: Src SGT SecOps | Dest SGT Cameras | Action Permit
Note: FTD 6.5 onwards is needed to use SGT as Dest Criteria
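One way the IP/SGT mapping exchange on the slide looks on a fabric border acting as an SXP speaker toward the SG-FIREWALL, as an added example that is not Cisco's or the session's own configuration. In most SD-Access deployments ISE is the SXP source for the firewall, so this border-side form is only an illustration; the source IP, peer address, password and SGT 20 are constructed placeholders.

```ios
! Added example: fabric border as SXP speaker toward the SG-FIREWALL (constructed values)
cts sxp enable
cts sxp default source-ip 10.255.0.1
cts sxp default password 0 CHANGE-ME-PLACEHOLDER
! Speaker: the border pushes its IP-to-SGT bindings to the firewall listener (placeholder peer).
cts sxp connection peer 10.253.9.2 password default mode local speaker
! Static binding for a subnet whose devices cannot authenticate (e.g. cameras), so the
! firewall still receives a usable Dest SGT for them (SGT 20 is a constructed value).
cts role-based sgt-map 10.10.50.0/24 sgt 20
```

Confirm the session is up with `show cts sxp connections` and that the bindings leave the border with `show cts sxp sgt-map`; a rule such as SecOps to Cameras cannot match until the firewall has learned both mappings.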
Cisco DNA Center Automates ETA/Netflow
Using the Stealthwatch Security Analytics App
1. Integrate Stealthwatch SMC with Cisco DNA Center
2. Select Flow Collector
3. Select the Site to enable ETA from the drop-down list
4. Deploy ETA or NetFlow to all capable devices within the Site
The “system” for ETA
Cisco Validated Design document
Consistent Policies Across the Enterprise
(Diagram: Identity Services Engine / DNA Center on the Campus & Branch Networks side and APIC-DC, the controller for ACI, on the ACI DC/Cloud side, with Common Policy Groups shared between them and with Security Apps such as ASA, NGFWv and WSA.)
• Consistent Security Policy Groups in SDA and ACI domains
• Groups from SDA used in ACI policies, groups from ACI available in SDA policies
Groups from SDA Used in ACI
(Diagram: SDA Policy Domain on the left, ACI 3.2 Policy Domain on the right. ISE exchanges SGT Name: Auditor with SGT Binding = 10.1.10.220; in ACI this appears as EPG Name = Auditor with SDA Groups = 10.1.10.220. Traffic from the Auditor endpoint (SRC 10.1.10.220, DST 10.1.100.52) crosses the SDA Border Nodes to the ACI Border Leaf (N9K) and ACI Spine (N9K), where policy toward the PCI EPG endpoint 10.1.100.52 is applied (marked x on the path).)
SGTs available in ACI Policies
ACI Groups Used in SDA (Border or Fusion)
(Diagram: SDA Policy Domain on the left, ACI Policy Domain on the right. ISE retrieves EPG Name: PCI EPG with Endpoint = 10.1.100.52 from ACI; the retrieved groups Auditor and PCI EPG are propagated with SXP or pxGrid (Auditor = 10.1.10.220, PCI EPG = 10.1.100.52) to the Fusion Firewall, optionally also as SGT. Traffic SRC 10.1.10.220, DST 10.1.100.52 flows from the Auditor endpoint through the Border, ACI Border Leaf (N9K) and ACI Spine (N9K) to the PCI endpoint 10.1.100.52.)
Endpoint Groups available in SGT-based Policies
How Did Our Customers Deploy
Healthcare
Label / Name:
HV: HVAC; SE: Security; IT: IT admin; CO: Contractor; RE: Research; DO: Doctor; HR: HR; NU: Nurse; IM: Imaging; PHR: Patient Health Record; BE: Bedside Monitor; WO: Workstation
Virtual Networks:
• Guest VN – Guest/wifi
• Clinical VN – IM, PHR, BE
• Employee VN – NU, SE, IT, DO, RE, PHR
• PCI VN – SE, HV
• Default VN
Requirement:
• Port Security
• 2 new facilities: 10K endpoints in site 1 and 1K in site 2
• Static endpoints
• Guest Anchor solution
Design:
• DNAC-L appliance
• Border – 9300 (2 for redundancy)
• Edge – 9300 Stack
• IP Pools – 20
• Fusion – ASR
• Border type – internal+external, eBGP
• Underlay – LAN Automation
• Wireless – OTT
• Transit – SDA
• Policy – Mix of VN and SGT
• Security – Stealthwatch
(Diagram: Internet behind an FPR 2130 with a guest/wifi router, WLC C9800L, Clinic 1 with B+CP (Cat 9300) and Clinic 2 with B+CP (Cat 9500) joined by SDA Transit; Cat 9K edges with Guest, Static and Doctors/Nurse endpoints.)
Manufacturing
Label / Name:
HV: HVAC; SE: Security; PL: Plant Operation; EM: Employee; SU: Supplier; AP: Industrial Application; OP: Operators; BA: Base Control; PR: Process; PT: Printer
Virtual Networks:
• Guest VN
• Enterprise VN – EM, AP, PT
• Building VN – HV, SE
• Factory VN – OP, BA, PL
• Default VN
Requirement:
• 15 facilities
• 250 users per facility
• Existing ISE deployment
• Seamless mobility and policy propagation
• Cross domain policy
• Optimize guest traffic
Design:
• DNAC XL for multisite
• Latency consideration
• Border – 9500, CP – 9300
• Smaller sites have FiAB (9500)
• WLC – 9800 per site
• Separate border and control plane for mobility requirement
• GB and GCP for optimizing Guest traffic
• Firewall connecting the sites for inter-VN traffic
(Diagram: DC and Internet behind guest border/guest control plane nodes (GB+GCP, 9500); Factory, Office, office2 and Warehouse sites with border (B), control plane (C) and edge (E) nodes joined by SDA Transit.)
Enterprise
Fabric Requirements:
• 130 Buildings (3 floors each average)
• L2 Overlays
• Integration with ACI
• Multi-Site with SD-Access Transit
• 5 Virtual Networks
• DNA Center Cluster
• Common VLAN Name Across Sites
• Subnet SVI
• 25,000 Clients (inc v4/v6; v6 with 3 addresses per device)
• 1 Existing Subnet (3000 Hosts)
Targeted Code Releases:
• DNAC 1.3.1
• IOS XE 16.9.3s
• ISE 2.6 patch 1
(Diagram: Corp and Internet reached through Fusion routers; two sites, each with internal border (IntB), external border (B), control plane (C) and transit (T) on Catalyst 9500-24Q plus a WLC 5520, joined by an L2 WAN and SD-Access Transit; the DNAC Cluster (Standard Scale Appliances) and ACI Data Center 1 and ACI Data Center 2, with 2ms RTT and 25ms RTT annotated on the links; Fabric Edge on Catalyst 3850*, Catalyst 9300 and Catalyst 9200 with AP 3802; Extended Nodes Catalyst 2960x Compact, IE 3000 and 3560-CX.)
Takeaways
• Understand the requirements before getting started
• Consider the scale requirements
• Choose the right platforms for fabric devices
• Start small, then expand
Complete your online session survey
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.
Cisco Live sessions will be available for viewing on demand after the event at ciscolive.com.

Continue your education
• Demos in the Cisco Showcase
• Walk-In Labs
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you
