Introduction to SD-Access

Hello Oliver

Yes, your updated diagram looks correct. It corresponds with the high level description at the following Cisco web site as well:


I will let Rene know to see if he can update this information, or if he has a new lesson planned for this.

Thanks again!

Laz

Thank you Oliver, I’m going to fix this!

Rene

Also in addition to the above (which isn’t fixed yet :smile: ) could you maybe do a lesson on how SD-Access interoperates with traditional campus networks?

It’s on the ENCOR blueprint.

DNA Center seems to do the same thing as vManage. SD-Access seems to have a lot of overlap with SD-WAN. Is the difference that you don’t use SD-Access to connect remote sites?

Hello Justin

Yes, these products are very similar as far as what they do. They are indeed products that conform to the Software Defined Infrastructure model where network management is implemented using a centralized Network Management System (NMS). Of course vManage is used for Viptela devices while DNA is used for Cisco.

Both SD-Access and SD-WAN are related in that they are technologies that use software as a method of centralized network management. One deals with the Access layer of a network while the other deals with the WAN. SD-anything is an umbrella term under which both SD-Access and SD-WAN fall, just like networking is an umbrella term under which access and WAN networks fall. It’s the same relation but under different architectures.

So simply put, yes, the difference is that you don’t use SD-Access to connect to remote sites, but SD-WAN instead.

I hope this has been helpful!

Laz

Same observation here.

Hello Rene,

I am still not able to get clear on LISP’s role in the control plane in SD-Access. Is it only to facilitate routing?
VXLAN needs a VTEP IP and VNID to encapsulate data from the source and send it to the destination. Will LISP facilitate mapping the destination IP to the VTEP IP? With LISP, it needs to send the IP packet to the RLOC and encapsulate the original IP packets with the source and destination RLOC IPs, whereas VXLAN uses the VTEP IP.

Are those VTEP IPs considered RLOC IP addresses when integrating LISP in an SD-Access network? If there is an example of how it works, it would be easy to understand.

I am not able to understand how LISP works with VXLAN. Please help with this.

Hello Rupak

The combination of LISP and VXLAN within an SD-Access fabric can get quite involved. The lesson’s purpose was to give a general overview of the concepts involved. I suggest you take a look at this excellent content from a Cisco Live presentation:

Take a look starting from slide 39 which explains in detail the role of LISP in the control plane, and the role of VXLAN on the data plane.

I hope this has been helpful!

Laz

Hi, in the Cisco ENCOR 350-401 course, Unit 7.3.1 Cisco DNA, Introduction to SD-Access, you provide a username/password to access the Cisco sandbox that contains the DNA Center GUI.

Unfortunately, Cisco now requires an email address.

Please advise.

Hello Andrew

It is true that the login method has changed. You can choose to use several options including Google, Facebook, GitHub, or your Cisco ID if you have one. The access is still free, but you simply must register to use the service. I will let @ReneMolenaar know to make the update to the lesson.

I hope this has been helpful!

Laz

Can I test SDA in a DevNet sandbox?
I couldn’t find anything related to SDA in the sandbox.

Hello YongHun

SD-Access is implemented using several components as stated in the lesson. If you take a look at the following DevNet Sandbox list you will see an option called Cisco DNA Center with ISE. That option is essentially SD-Access in action.

I hope this has been helpful!

Laz

Why does Cisco recommend IS-IS as the default underlay protocol in Cisco DNA Center?

Hello Hassan

According to this Cisco SDA Design Guide, IS-IS is recommended and is required when implementing LAN Automation. LAN Automation is a plug-and-play zero-touch automation of the underlay network, which automatically builds a solid error-free underlay network foundation. Cisco DNA Center automatically finds and adds switches to the underlay routing network, which is provisioned with an IS-IS configuration.

Even so, both OSPF and EIGRP are also suitable for use with Cisco DNA as stated in this section of the document mentioned above.

I hope this has been helpful!

Laz

Hey there,

When installing a DNAC virtual appliance on ESX, is it mandatory to get a licence for an SD-Access lab when preparing for CCIE infra practice?

Thanks for your help

Hello Rene and Laz.

The numbering on this lesson is a little out of place, for ex:

Kind regards,
David

Thanks @davidilles it has been fixed.

@lagapidis

What is the difference between:

4. ISE:

ISE is Cisco’s AAA product and has been out for a while now. ISE applies the policies you create through DNA center.

and

3.3 Provision

This is where we add new devices to the network and where we apply network policies to devices.

And also between :

3.4 Assurance

Assurance is where you monitor the entire network. You can see an overview of all network devices, (wireless) clients, and applications. You can monitor the health status and an overview of all issues in the network.

5 NDP

This is a new Cisco product. NDP is the analytics engine that analyzes all your logging information, NetFlow, SNMP, etc. It collects metrics of everything in the fabric, including devices, users, and “things” (Internet of Things). You can monitor everything that NDP collects through DNA center.

I know by intuition that there are subtle differences, but I can’t differentiate the roles/functions (marked in bold) between them.

Thanks in advance.

Hello Juan

Let me try to elaborate on all of these. First, take a look at the diagram Rene shared in the lesson once again:

Notice that Cisco ISE and NDP are two separate entities. These are actually separate software processes that are run on either dedicated hardware, or on virtual machines. In each case, each one serves a very specific purpose:

  • ISE is a security policy management platform that enables organizations to enforce security policies across their network infrastructure. This includes things like Network Access Control, Authentication and Authorization, Endpoint Compliance, Device Profiling, Security Intelligence Integration, and Policy Enforcement Across Wired, Wireless, and VPN. ISE can be used as a standalone solution, or it can be integrated with DNA Center, where the policies defined in DNA can then be enforced by ISE. More about ISE can be found here.
  • Cisco Network Data Platform or NDP is a multipurpose real-time network data collection and analytics engine used to significantly increase the business potential of network data. It is essentially an analysis tool that “ingests” a multitude of logging and monitoring info and does data correlation analysis, visualization, and action through a whole series of APIs connected to the DNA system.

Now the provision and assurance sections, as they are described, are actually parts of the DNA Center dashboard. The provision section essentially lists the network devices that are “registered” to the DNA Center and are configured and prepared to receive commands and to be controlled by the DNA Center. The assurance section essentially gives you an overview of the network where you can view various aspects and vitals. You don’t control anything there, you only view. Does that make sense?

I believe that the only way to be able to further and more deeply understand the various concepts and their inner workings is to gain hands-on experience with these systems. You can do a bit more reading about each one, but nothing can replace the benefit of real hands-on experience.

I hope this has been helpful!

Laz

Yes, I need real experience on this.

I’ll explore developer.cisco.com for some DNA lab.
