Cisco Software Defined Access - Wired and Wireless Networks

Today I am going to talk about Cisco SD-Access for both wired and wireless networks, since many enterprises are now moving their next-generation wired and wireless campuses onto the software-defined technology Cisco provides today.

Let me talk about the components of SD-Access, which covers both the wired and the wireless campus network. You can follow the link below to understand the SD-Access architecture in detail.
Cisco SD-Access Introduction

Fig 1.1- Sample Topology for SD-Access

Wired Network:
If we talk about the wired network, we have the Access layer, the Core layer, a centralised controller, an AAA server and the Fusion router.

  • Access Layer: In an SD-Access environment these switches are called Edge nodes; they connect directly to the end devices.
  • Core Layer: In an SD-Access environment these devices are called Border nodes; they act as the core layer and connect to the WAN routers.
  • Centralised controller: In SD-Access terminology this follows the SDN principle of separating the data plane from the control plane. All control-plane functions are handled by this controller; here Cisco DNA Center acts as the controller.
  • AAA Server: For SD-Access, Cisco ISE acts as the AAA server and authenticates end devices based on their AD profile.
  • Fusion Router: A fusion router is a Layer 3 device (a router or a Layer 3 switch) used for VRF/VPN route leaking between two separated virtual networks.
Wireless Network:
If we talk about the wireless network, we have the WLCs, the Access Points, the Core layer, a centralised controller, an AAA server and the Fusion router.

  • Wireless Controller: In an SD-Access environment it is called an Edge node and connects to the Access Points; the Access Points in turn connect to the end devices.
  • Core Layer: In an SD-Access environment these devices are called Border nodes; they act as the core layer and connect to the WAN routers.
  • Centralised controller: In SD-Access terminology this follows the SDN principle of separating the data plane from the control plane. All control-plane functions are handled by this controller; here DNA Center acts as the controller.
  • AAA Server: For SD-Access, Cisco ISE acts as the AAA server and authenticates end devices based on their AD profile.
  • Fusion Router: A fusion router is a Layer 3 device (a router or a Layer 3 switch) used for VRF/VPN route leaking between two separated virtual networks.
To check which devices and IOS versions are compatible with SD-Access in your network (we are referring here to Cisco SD-Access version 1.2), use the link below from Cisco, which defines the compatibility matrix for the devices.

Let's talk about the features of SD-Access wired and wireless networks.

  • Consistent Wired and Wireless Security Capabilities - Security capabilities should be consistent whether a user is connecting to a wired Ethernet port or connecting over the wireless LAN.
  • Network Assurance and Analytics - Proactively predict network- and security-related risks by using telemetry to improve the performance of the network, devices, and applications, even with encrypted traffic.
  • Identity services - Identifying users and devices connecting to the network provides the contextual information required to implement security policies for access control, network segmentation by using scalable group membership and mapping of devices into virtual networks.
  • Group-based policies - Creating security policies based on user group information provides a much easier and scalable way to deploy and manage security policies. Traditional access control lists (ACLs) can be difficult to implement, manage, and scale because they rely on network constructs such as IP addresses and subnets.
  • Software-defined segmentation - Scalable group tags (SGTs), also known as security group tags, assigned from group-based policies can be used to segment a network in order to achieve data plane isolation within physical and virtual networks.
  • Network virtualization - The capability to share a common infrastructure while supporting multiple VNs with isolated data and control planes enables multi-tenancy and security.
  • Simplified Deployment and Automation - Network device configuration and management through a centralized controller using open APIs allows very fast, lower-risk deployment of network devices and services through the UI and existing orchestration systems.
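To make the group-based policy and software-defined segmentation points above concrete, here is an added illustration (not Cisco code and not part of the original article) that models an SGT policy matrix in Python and applies it to sample flows. It goes a little beyond the text: it also expands the same intent into the equivalent prefix-based ACL entries, which shows why IP-based ACLs grow faster than the tag matrix and why a host that moves to a subnet the ACL does not know about gets the wrong verdict. All tag values, names and prefixes are constructed for the example.

```python
"""Group-based (SGT) policy enforcement modelled in Python.

Added illustration, not Cisco code. Tag values, group names, prefixes and
the policy matrix are all constructed; in a real fabric ISE assigns the
tags and the SGACL matrix is authored in DNA Center / ISE.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed SGT assignments (group name -> tag value).
SGT = {"Employees": 10, "Contractors": 20, "Servers": 30, "Printers": 40, "Unknown": 0}

# Constructed policy matrix: (source SGT, destination SGT) -> verdict.
# Any pair not listed falls back to DEFAULT_ACTION (implicit deny).
POLICY = {
    (SGT["Employees"],   SGT["Servers"]):   "permit",
    (SGT["Employees"],   SGT["Printers"]):  "permit",
    (SGT["Contractors"], SGT["Printers"]):  "permit",
    (SGT["Contractors"], SGT["Servers"]):   "deny",
    (SGT["Contractors"], SGT["Employees"]): "deny",
}
DEFAULT_ACTION = "deny"

# Constructed subnet plan, used only to show what the same intent costs as IP ACEs.
PREFIXES = {
    SGT["Employees"]:   ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24"],
    SGT["Contractors"]: ["10.2.0.0/24"],
    SGT["Servers"]:     ["10.100.0.0/24", "10.100.1.0/24"],
    SGT["Printers"]:    ["10.50.0.0/24"],
}


@dataclass(frozen=True)
class Endpoint:
    ip: str
    sgt: int   # tag carried with the session, independent of the IP


def lookup(src_sgt: int, dst_sgt: int) -> str:
    """Return the matrix verdict for a source/destination tag pair."""
    return POLICY.get((src_sgt, dst_sgt), DEFAULT_ACTION)


def enforce(src: Endpoint, dst: Endpoint) -> str:
    """Tag-based enforcement: the verdict follows the identity, not the address."""
    return lookup(src.sgt, dst.sgt)


def classify_by_prefix(ip: str) -> int:
    """What an IP ACL effectively does: derive the group from the address."""
    addr = ip_address(ip)
    for tag, nets in PREFIXES.items():
        if any(addr in ip_network(n) for n in nets):
            return tag
    return SGT["Unknown"]


def enforce_ip_acl(src_ip: str, dst_ip: str) -> str:
    """Address-based enforcement of the same policy intent."""
    return lookup(classify_by_prefix(src_ip), classify_by_prefix(dst_ip))


def expand_to_ip_acl(policy=POLICY, prefixes=PREFIXES):
    """Expand the tag matrix into the list of prefix-pair ACEs it would need.

    One matrix cell becomes (#source prefixes x #destination prefixes) ACEs,
    and every new subnet means touching every ACL that references its group.
    """
    aces = []
    for (s, d), action in policy.items():
        for sp in prefixes.get(s, []):
            for dp in prefixes.get(d, []):
                aces.append((sp, dp, action))
    return aces


if __name__ == "__main__":
    # An employee laptop that roamed to a subnet the ACL plan does not know about.
    roaming = Endpoint("10.200.0.7", SGT["Employees"])
    server = Endpoint("10.100.0.5", SGT["Servers"])
    print("SGT verdict:   ", enforce(roaming, server))              # permit
    print("IP-ACL verdict:", enforce_ip_acl(roaming.ip, server.ip))  # deny (unknown subnet)
    print(len(POLICY), "matrix cells ->", len(expand_to_ip_acl()), "IP ACEs")
```

The last line of the `main` block is the scaling argument from the bullet in numbers: five matrix cells already expand to fifteen prefix-pair entries for this tiny plan, and the count grows multiplicatively with every subnet added.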
Cisco ISE Flow

So in an SD-Access network, Cisco ISE is the key component that authenticates the devices on the network. ISE provides the security in the network and integrates with Cisco DNA Center via pxGrid. We will discuss pxGrid in another article.

  • Both the user and the machine need to be authenticated before the user is allowed on the network. The machine is checked against its machine account in Active Directory (TBD).
  • Upon successful machine authentication, restricted access is granted to the machine, either by placing it in a temporary VLAN or by applying a DACL to the port that allows only DHCP and domain controller traffic.
  • The user then enters AD user credentials; upon successful user authentication the user is logged in to the domain, receives the associated VLAN and SGT, and network access is granted as per the ISE policy for that project.
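The three steps above describe a two-stage 802.1X authorization. The following added example (not ISE code and not from the original article) models that flow in Python so the state transitions can be checked: a port session that passes machine authentication gets only a restricted DACL, a user attempt on a port with no authenticated machine is refused, a wrong password leaves the port in the restricted state, and a successful user authentication returns the VLAN and SGT for that user's project. The "directory", password hashing, domain controller address, DACL entries and project-to-VLAN/SGT mapping are all constructed stand-ins for what Active Directory and the ISE authorization policy would supply.

```python
"""Machine-then-user authorization flow modelled in Python.

Added illustration, not Cisco ISE code. The account store, the restricted
DACL and the project policy below are constructed; a real deployment
validates against Active Directory and returns these values in the
RADIUS Access-Accept according to the ISE authorization policy.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed stand-in for AD machine accounts.
MACHINE_ACCOUNTS = {"LAPTOP-01$", "LAPTOP-02$"}

# Constructed stand-in for AD user validation (salted hash, never plaintext).
_SALT = b"constructed-salt"


def _h(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


USER_ACCOUNTS = {
    "alice": {"hash": _h("Winter2024!"), "project": "Finance"},
    "bob":   {"hash": _h("S3cret!"),     "project": "Engineering"},
}

# Constructed project -> (VLAN, SGT) mapping the AAA server would return.
PROJECT_POLICY = {"Finance": (110, 10), "Engineering": (120, 20)}

# Constructed restricted DACL applied after machine auth: DHCP plus the
# domain controller only. Entries are (protocol, destination IP, destination port).
DC_IP = "10.0.0.10"
RESTRICTED_DACL = [
    ("udp", "any", 67), ("udp", "any", 68),                        # DHCP
    ("udp", DC_IP, 53),                                            # DNS
    ("tcp", DC_IP, 88), ("udp", DC_IP, 88),                        # Kerberos
    ("tcp", DC_IP, 389), ("tcp", DC_IP, 445),                      # LDAP, SMB
]


@dataclass
class Authorization:
    state: str                       # "unauthenticated" | "machine" | "user"
    vlan: Optional[int] = None
    sgt: Optional[int] = None
    dacl: List[Tuple[str, str, int]] = field(default_factory=list)


@dataclass
class PortSession:
    machine: Optional[str] = None
    user: Optional[str] = None


def authenticate_machine(session: PortSession, machine_name: str) -> Authorization:
    """Stage 1: machine account check; success yields restricted access only."""
    if machine_name not in MACHINE_ACCOUNTS:
        return Authorization("unauthenticated")
    session.machine = machine_name
    return Authorization("machine", dacl=list(RESTRICTED_DACL))


def authenticate_user(session: PortSession, username: str, password: str) -> Authorization:
    """Stage 2: user credentials; only accepted on a port with an authenticated machine."""
    if session.machine is None:
        return Authorization("unauthenticated")
    acct = USER_ACCOUNTS.get(username)
    if acct is None or not hmac.compare_digest(acct["hash"], _h(password)):
        # Failed user auth: the port stays in the restricted machine state.
        return Authorization("machine", dacl=list(RESTRICTED_DACL))
    session.user = username
    vlan, sgt = PROJECT_POLICY[acct["project"]]
    return Authorization("user", vlan=vlan, sgt=sgt)


def dacl_permits(dacl, proto: str, dst_ip: str, dst_port: int) -> bool:
    """Evaluate one packet against the DACL; anything unmatched is denied."""
    for p, ip, port in dacl:
        if p == proto and ip in ("any", dst_ip) and port == dst_port:
            return True
    return False


if __name__ == "__main__":
    port = PortSession()
    m = authenticate_machine(port, "LAPTOP-01$")
    print("after machine auth:", m.state, "DHCP ok:", dacl_permits(m.dacl, "udp", "10.0.0.1", 67),
          "web ok:", dacl_permits(m.dacl, "tcp", "10.0.0.99", 443))
    u = authenticate_user(port, "alice", "Winter2024!")
    print("after user auth:", u.state, "VLAN", u.vlan, "SGT", u.sgt)
```

Two details worth noting when reading the output: the restricted DACL ends in an implicit deny, so anything other than DHCP and domain controller traffic is dropped until the user stage completes, and `authenticate_user` refuses a user attempt on a port whose machine never authenticated, which is the ordering the first bullet requires.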