Security and ISE – SD-Access Design

Cisco ISE is a secure network access platform that enables control, visibility, and consistency for users and devices accessing the network. Within the SD-Access fabric, Cisco ISE provides all the identity and policy services. Cisco ISE is a critical component of SD-Access for policy enforcement; it allows for the dynamic mapping of users and endpoints…

SD-Access Fabric Design Considerations for Wired and Wireless Access – SD-Access Design

When you’re designing an SD-Access solution, in addition to the typical business requirements, there are a number of key technical factors that need to be considered before you develop your final design. This list is not exhaustive but should give you some design guidance to keep in mind: Overlay Design The overlay network within the…

Control Plane Design – SD-Access Design

The database for identifying endpoints is the responsibility of the fabric control plane nodes in the SD-Access fabric. This is an important function for the fabric to operate well. If the control plane node were down for whatever reason, fabric endpoints would have to rely on the local database information for connectivity, which might or…

Segmentation – SD-Access Design

Unified policy was a major driver in the SD-Access solution to allow for the same policy to be applied to both wired and wireless networks enforced at the access layer. Segmentation adds to unified policy by enabling VRF instance/VN (macro) and SGT (micro) segmentation to be deployed in the SD-Access fabric. VRF instance/VN segmentation involves…

Large Site Design Considerations – SD-Access Design

Typically, a large site is designed with a three-tier network that consists of separate core, distribution, and access layers. These larger site networks are designed to support up to 50,000 endpoints. Multiple service exit points with dedicated data center connections, a shared services block, and Internet services are common. In a multi-fabric deployment, the headquarters…

SD-WAN Architecture – SD-WAN Design

Cisco SD-WAN is an enterprise-grade WAN architecture overlay that enables digital and cloud transformation for enterprises. It fully integrates routing, security, centralized policy, and orchestration into large-scale networks. It is a multi-tenant, cloud-delivered, highly automated, secure, scalable, and application-aware solution with rich analytics. The Cisco SD-WAN technology addresses the problems and challenges of common WAN…

Control Plane – SD-WAN Design

The vSmart component resides in the control plane. vSmart controllers provide routing, enforce data plane policies, and enforce network-wide segmentation. Because policies are created on vManage, vSmart is the component responsible for enforcing these policies centrally. It is the “brains” of the architecture. vEdge routers communicate their routing information with the vSmart controllers, not to…

Onboarding and Provisioning – SD-WAN Design

vEdge devices can be onboarded via two methods: Zero Touch Provisioning (ZTP) or manual configuration. ZTP does require some initial steps on Cisco’s Plug and Play (PnP) Connect portal: Step 1. Use the PnP Connect portal, which is linked to Cisco Commerce Workspace (CCW), to place an order for SD-WAN devices with PnP licenses. Step…

Onboarding Cisco IOS XE SD-WAN Routers – SD-WAN Design

Cisco IOS XE devices can be onboarded in three different ways: SD-WAN Security Cisco’s SD-WAN solution provides security for the management plane, control plane, and data plane. The control plane uses a Zero Trust model, the management plane uses role-based access control (RBAC) and access control lists (ACLs), and the data plane has integrated on-premises…