Overview: SD-Access Control and Data Plane Elements


  • End-to-end segmentation
  • Improved workforce experience
  • Operational effectiveness

Cisco SD-Access Solution Components

  • SD-Access Fabric
  • Cisco DNA Center with SD-Access
  • Cisco Identity Service Engine

1. SD-Access Fabric

A fabric is an overlay network used to virtually connect devices, built over a physical underlay network. It uses alternate forwarding attributes to provide additional services that the underlay network does not provide.

  • Routers
    • ASR-1000-X, ASR-1000-HX, ASR1006, ASR1006-X, ASR1009-X, ISR 4461, ISR 4451, ISR 4431, ISR 4351, ISR 4331, ISR 4321, and CSR 1000v support Cisco SD-Access
  • Switches
    • Fabric Edge – Catalyst 9200, 9300, 9400 (SUP-1, SUP-1XL, SUP-1XL-Y), 9500, 3850 and 3650 Series switches.
    • Fabric Border – Nexus 7700 Switch (Sup 2E, Sup 3E, M3 line cards only) – Default/External Border only
    • Fabric Border and Control Plane – Catalyst 9200, 9300, 9400 (SUP-1, SUP-1XL, SUP-1XL-Y), 9500 and 3850 Series; Catalyst 6807-XL Switch (Sup6T, Sup2T), Cisco Catalyst 6500 Series Switches, Catalyst 6880-X Switch and Cisco Catalyst 6840-X Switch; Cisco 4400 and 4300 Series Integrated Services Routers and Cisco ASR 1000 Series Aggregation Services Routers.
    • Fabric-in-a-Box – Catalyst 9200, 9300, 9400 (SUP-1, SUP-1XL, SUP-1XL-Y), 9500 Series.
    • Cisco SD-Access Extended Node – Catalyst 3560-CX Series, Catalyst Digital Building Series Switches, Industrial Ethernet 3300, 4000, 4010, 5000 Series
  • Wireless LAN Controllers and Access Points
    • Cisco SD-Access Wireless LAN Controllers – Catalyst 9800-40, 9800-80 and 9800-CL Series Wireless Controllers, 3504, 5520 and 8540 Series Wireless Controllers, Catalyst 9800-L Wireless Controller
    • Cisco SD-Access Wireless Access Points – Wi-Fi 6 Access Points: Cisco Catalyst 9105 AX, Cisco Catalyst 9115 AX, Cisco Catalyst 9117 AX, Cisco Catalyst 9120 AX, Cisco Catalyst 9130 AX; 802.11ac Wave 2 Access Points: Cisco Aironet® 1800, 2800, 3800, 4800, 1540 and 1560 Series, Cisco Catalyst IW6300 Heavy Duty Series Access Points.

The fabric consists of three key components:

  • Control Plane
    • based on the Locator/ID Separation Protocol (LISP)
  • Data Plane
    • based on Virtual Extensible LAN (VXLAN)
  • Policy Plane
    • based on Cisco TrustSec (CTS)
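The data and policy planes listed above meet in one header: SD-Access carries each frame in a VXLAN-GPO (Group Policy Option) header whose 24-bit VNI selects the virtual network and whose 16-bit Group Policy ID carries the source endpoint's Scalable Group Tag (SGT) from Cisco TrustSec. The following Python parser, with a constructed builder for test headers and a check a defender could run over captured fabric traffic to confirm frames carry an expected VNI and an SGT, is an added example, not code from the original post; the VNI values, SGT values and the set of "provisioned" VNIs are assumptions.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Set

HDR_LEN = 8                  # VXLAN-GPO header is 8 bytes, followed by the inner Ethernet frame
FLAG_G, FLAG_I = 0x80, 0x08  # byte 0: G = Group Policy ID present, I = VNI field valid
POL_A = 0x08                 # byte 1: A = group policy already applied to this frame

@dataclass
class VxlanGpo:
    vni: int            # 24-bit VNI; in SD-Access it selects the virtual network (VRF)
    sgt: Optional[int]  # 16-bit Group Policy ID carrying the source SGT; None when G is clear
    applied: bool

def build_vxlan_gpo(vni: int, sgt: Optional[int] = None, applied: bool = False) -> bytes:
    # Encode a constructed header for test input; real traffic would come from a capture.
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    flags, policy, gid = FLAG_I, 0, 0
    if sgt is not None:
        if not 0 <= sgt < 1 << 16:
            raise ValueError("SGT must fit in 16 bits")
        flags, gid = flags | FLAG_G, sgt
        if applied:
            policy |= POL_A
    # VNI sits in the upper 24 bits of the last word; the low byte is reserved (zero)
    return struct.pack("!BBHI", flags, policy, gid, vni << 8)

def parse_vxlan_gpo(hdr: bytes) -> VxlanGpo:
    # Decode the header, rejecting field values a fabric edge would never emit.
    if len(hdr) < HDR_LEN:
        raise ValueError("short VXLAN header")
    flags, policy, gid, vni_word = struct.unpack("!BBHI", hdr[:HDR_LEN])
    if not flags & FLAG_I:
        raise ValueError("I bit clear: VNI field is not valid")
    if vni_word & 0xFF:
        raise ValueError("reserved byte after the VNI is non-zero")
    return VxlanGpo(vni=vni_word >> 8,
                    sgt=gid if flags & FLAG_G else None,
                    applied=bool(policy & POL_A))

def check_segmentation(hdr: bytes, allowed_vnis: Set[int], require_sgt: bool = True) -> List[str]:
    # List how a header departs from the expected fabric policy; an empty list means clean.
    h = parse_vxlan_gpo(hdr)
    problems = []
    if h.vni not in allowed_vnis:
        problems.append(f"VNI {h.vni} is not one of the provisioned virtual networks")
    if require_sgt and h.sgt is None:
        problems.append("no SGT carried, so the egress edge cannot enforce group policy")
    return problems
```

In a capture, the 8 bytes handed to parse_vxlan_gpo are those immediately after the UDP header on destination port 4789.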

2. Cisco DNA Center with SD-Access

Cisco DNA Center is the centralized fabric management platform. The DNA Center software must be installed on a physical DNA Center appliance, which is based on Cisco UCS C-Series servers.

The SD-Access application package runs on the Cisco DNA Center hardware appliance.

The DNA Center software is a centralized manager running a collection of applications and services.

  • Design – Configures device global settings, network site profiles for physical device inventory, DNS, DHCP, IP addressing, SWIM repository, device templates, and telemetry configurations such as Syslog, SNMP, and NetFlow.
  • Policy – Defines business intent including creation of virtual networks, assignment of endpoints to virtual networks, policy contract definitions for groups, and configures application policies (QoS).
  • Provision – Provisions devices and adds them to inventory for management, supports Cisco Plug and Play, creates fabric sites along with other SD-Access components, and provides service catalogs such as Stealthwatch Security Analytics and Application Hosting on the Cisco Catalyst 9000 Series Switches. 
  • Assurance – Enables proactive monitoring and insights to confirm that the user experience meets the configured intent, using network, client, and application health dashboards, issue management, sensor-driven testing, and Cisco AI Network Analytics.
  • Platform – Allows programmatic access to the network and system integration with third-party systems via APIs by using feature set bundles, configurations, a runtime dashboard, and a developer toolkit.

3. Identity Services Engine (ISE)

Identity Services Engine Personas:

  • Policy Administration Node (PAN) – The Administration persona allows you to perform all administrative operations on Cisco ISE.
  • Monitoring and Troubleshooting Node (MnT) – The Monitoring persona functions as the log collector and stores log messages from all the Administration and Policy Service nodes in the network.
  • Policy Service Node (PSN) – The Policy Service persona provides network access, posture, guest access, client provisioning, and profiling services.
  • Platform Exchange Grid (pxGrid) – A Cisco ISE node with the pxGrid persona shares context-sensitive information from the Cisco ISE session directory with other network systems, such as ISE ecosystem partner systems and Cisco platforms.
