Skip Navigation
image Running Womanimage Peopleimage Monitors

train | consult | mentor

View all courses

SD-ACCESS: Software Defined Access and ISE Integration for Policy Deployment and Enforcement

There are many challenges today in managing the network because of manual configuration and fragmented tool offerings. Manual operations are slow and error-prone and these issues will be exacerbated due to the constantly changing environment with more users, devices, and applications. With the growth of users and different device types coming into the network, it is more complex to configure user credentials and maintain a consistent policy across the network. If your policy is not consistent, there is the added complexity of maintaining separate policies between wired and wireless. As users move around the network, it also becomes difficult to locate users and troubleshoot issues. The bottom line is that the networks of today do not address today's network needs.

Software-Defined Access (SD-Access) is the industry's first intent-based networking solution for the Enterprise build on the principles of Cisco's Digital Network Architecture (DNA). SD-Access provides automated end-to-end segmentation to separate user, device, and application traffic without redesigning the network. SD-Access automates user access policy so organizations can make sure the right policies are established for any user or device with any application across the network. This is accomplished with a single network fabric across LAN and WLAN which creates a consistent user experience anywhere without compromising on security.

Course Objectives

After completing this course the student should be able to:

  • Know and understand Cisco's SD-Access concepts, features, benefits, terminology along with the way this approach innovates common administrative tasks on today's networks
  • Differentiate and explain each of the building blocks of SD-Access Solution
  • Explain the concept of "Fabric" and the different node types that conform it (Fabric Edge Nodes, Control Plane Nodes, Border Nodes)
  • Describe the role of LISP in Control Plane and VXLAn in Data Plane for SD-Access Solution
  • Understand TrustSec concepts, deployment details and the way TrustSec is used as part of SD-Access Solution for segmentation and Policy Enforcement
  • Understand the role of DNA Center as solution orchestrator and Intelligent GUI
  • Be familiar with workflow approach in DNA Center and its Four Steps:  Design, Policy, Provision, and Assurance
  • Explain the role that ISE and NDP play as part of the solution
  • Configure AAA services and TrustSec Policy in ISE
  • Integrate ISE with DNA Center for Policy enforcement

Course Content

Module 1: Introduction to Cisco’s Software Defined Access (SD-Access) 

  • SD-Access Overview
  • SD-Access Benefits
  • SD-Access Key Concepts
  • SD-Access Main Components

Module 2: SD-Access Campus Fabric 

  • The concept of Fabric
  • Node types
  • Fabric Edge Nodes
  • Control Plane Nodes
  • Border Nodes
  • LISP as protocol for Control Plane
  • VXLAN as protocol for Data Plane
  • Concept of Virtual Network
  • Fabric-enabled WLAN

Module 3: DNA Center and Workflow for SD-Access 

  • Introduction to DNA Center
  • Workflow for SD-Access in DNA Center
  • Integration with Cisco ISE for Policy Enforcement
  • Integration with Cisco NDP for Analytics and Assurance
  • Relationship with APIC-EM controller

Module 4: Implementing Policy Plane using Cisco TrustSec for Segmentation 

  • Need for users and groups Segmentation on SD-Access
  • Limitations of traditional segmentation methods
  • Introduction to Cisco TrustSec for segmentation
  • The Concept of Security Group (SG) and Security Group Tag (SGT)
  • Cisco TrustSec phases
  • Methods for Classification
  • Methods for SGT tag propagation
  • Enforcement

Module 5: Using Cisco ISE for TrustSec and Policy Enforcement 

  • Introduction to Cisco ISE
  • Using Cisco ISE as a Network Access Policy Engine
  • Introducing Cisco ISE Deployment Models
  • Introducing 802.1x and MAB Access: Wired and Wireless
  • Introducing Identity Management
  • Configuring Certificate Service
  • Introducing Cisco ISE Policy
  • Configuring Cisco ISE Policy Sets
  • Introducing Cisco TrustSec in ISE
  • Cisco ISE as controller for Software-defined segmentation (groups and policies)
  • Introducing Cisco ISE 2.x pxGrid
  • Preparing ISE for Integration with DNA Center for SD-Access

Module 6: DNA Center Workflow First Step - Design 

  • Creating Enterprise and Sites Hierarchy
  • Configuring General Network Settings
  • Loading maps into the GUI
  • IP Address Management
  • Software Image Management
  • Network Device Profiles

Module 7: DNA Center Workflow Second Step - Policy 

  • 2-level Hierarchy
  • Policy Types
  • ISE Integration with DNA Center
  • Cross Domain Policies

Module 8: DNA Center Workflow Third Step - Provision 

  • Devices Onboarding
  • Fabric Domains
  • Adding Nodes

Module 9: DNA Center Workflow Fourth Step – Assurance 

  • Introduction to Analytics
  • NDP Fundamentals
  • Overview of DNA Assurance
  • Components of DNA Assurance
  • DNA Center Assurance Dashboard

Module 10: Implementing WLAN in SD-Access Solution 

  • WLAN Integration Strategies in SD-Access Fabric
  • SD-Access Wireless Architecture
  • Sample Design for SD-Access Wireless

Module 11: Campus Fabric External Connectivity for SD-Access 

  • Enterprise Sample Topology for SD-Access
  • Role of Border Nodes
  • Types of Border Nodes
  • Single Border vs. Multiple Border Designs
  • Collocated Border and Control Plane Nodes
  • Distributed (separated) Border and Control Plane Nodes

Lab Outline 

  • ISE basic setup and Navigating GUI
  • Configuring TrustSec in ISE
  • Connecting and getting familiar with DNA Center GUI
  • Performing SD-Access Design Step in DNA Center
  • Integrating ISE and DNA Center for Policy Deployment and Enforcement
  • Performing SD-Access Policy Step in DNA Center and ISE
  • Performing SD-Access Provision Step in DNA Center
  • Performing SD-Access Assurance Step in DNA Center
  • Integrating WLAN services through SD-Wireless architecture
  • Achieving External Connectivity to remote locations through Border Node

Target Audience

  • Anyone interested in knowing about SD-Access
  • Personnel involved in SD-Access Design and Implementation
  • Network Operations teams with SD-Access solution

Course Duration

3 days

Suggested Pre-requisites

The knowledge and skills that a student must have before attending this course are as follows:

  • Knowledge level equivalent to Cisco CCNA Routing & Switching
  • Basic knowledge of Software Defined Networks
  • Basic knowledge of network security including AAA, Access Control, and ISE
  • Basic knowledge and experience with Cisco IOS, IOS XE, and CLI

Need a quote or have a question about this class?

ask us here

Subscribe to Course Updates