https://community.cisco.com/t5/network-access-control/dnac-and-ise/m-p/4428181#M568318 <P>Honest question.</P><P>If I have a global ISE solution running (v2.7p3) 802.1X authentication with PKI certificates really well and want to develop an access-layer SDA policy using TrustSec SGT's to provide simple business entity level segmentation, why do I need DNAC?</P><P>&nbsp;</P><P>I have all of my access-layer switches and WLAN controllers in ISE already and the endpoint clients are running a TEAP/EAP-chain enabled supplicant.</P><P>&nbsp;</P><P>I'm not seeing the need here other than activity based policy assurance.&nbsp; I'm also running pxGrid that allows Tanium to quarantine endpoints that fail its compliance policy.&nbsp; All working well.</P><P>&nbsp;</P><P>Happy to be proved wrong, just need to understand the benefit of the investment.</P><P>&nbsp;</P><P>Cheers</P> Mon, 05 Jul 2021 16:34:39 GMT DaveHenderson22596 2021-07-05T16:34:39Z https://community.cisco.com/t5/network-access-control/dnac-and-ise/m-p/4428181#M568318 <P>Honest question.</P><P>If I have a global ISE solution running (v2.7p3) 802.1X authentication with PKI certificates really well and want to develop an access-layer SDA policy using TrustSec SGT's to provide simple business entity level segmentation, why do I need DNAC?</P><P>&nbsp;</P><P>I have all of my access-layer switches and WLAN controllers in ISE already and the endpoint clients are running a TEAP/EAP-chain enabled supplicant.</P><P>&nbsp;</P><P>I'm not seeing the need here other than activity based policy assurance.&nbsp; I'm also running pxGrid that allows Tanium to quarantine endpoints that fail its compliance policy.&nbsp; All working well.</P><P>&nbsp;</P><P>Happy to be proved wrong, just need to understand the benefit of the investment.</P><P>&nbsp;</P><P>Cheers</P> Mon, 05 Jul 2021 16:34:39 GMT https://community.cisco.com/t5/network-access-control/dnac-and-ise/m-p/4428181#M568318 DaveHenderson22596 2021-07-05T16:34:39Z https://community.cisco.com/t5/network-access-control/dnac-and-ise/m-p/4428295#M568330 <P>The Community is intended more for technical questions rather than a sales channel. I will say, however, that there are big differences between a traditional TrustSec network deployment where inline tagging must be used for every hop in the path and an SDA fabric which runs on top of the overlay and simplifies the Propagation of the SGT within the fabric. SDA without DNAC is not supported, likely due to the complexity of connecting all devices in the underlay (routing via IS-IS), building and maintaining the LISP and VXLAN overlays, etc.</P> <P>Some other key benefits can be found in the <A href="https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/software-defined-access/solution-overview-c22-739012.html" target="_blank" rel="noopener">SDA Solution Overview</A>.</P> <P>You might also review some of the <A href="https://www.cisco.com/c/en/us/solutions/enterprise-networks/network-architecture-customer-success-stories.html?flt2_general-table0=Cisco%2520SD-Access&amp;flt3_general-table0=null#~case-studies" target="_blank" rel="noopener">Case Studies</A> from customers that have deployed DNAC/SDA as well as the various presentations available on <A href="https://www.ciscolive.com/" target="_blank" rel="noopener">ciscolive.com</A>.</P> <P>&nbsp;</P> Mon, 05 Jul 2021 23:43:07 GMT https://community.cisco.com/t5/network-access-control/dnac-and-ise/m-p/4428295#M568330 Greg Gibbs 2021-07-05T23:43:07Z https://community.cisco.com/t5/network-access-control/dnac-and-ise/m-p/4428559#M568343 <P>Adding additional information:&nbsp;<A href="https://community.cisco.com/t5/networking-documents/cisco-sd-access-resources/ta-p/4196271#Design" target="_blank">Cisco SD-Access Resources - Cisco Community</A></P> Tue, 06 Jul 2021 12:58:59 GMT https://community.cisco.com/t5/network-access-control/dnac-and-ise/m-p/4428559#M568343 Mike.Cifelli 2021-07-06T12:58:59Z