topic Re: Cisco SD-Access design when all gateways are external in Software-Defined Access (SD-Access)

Cisco SD-Access design when all gateways are external

Hashem1323 — Fri, 16 Jan 2026 12:13:18 GMT

Hi all,

We are currently planning to deploy one catalyst center appliance in our office. However, the current gateways for all subnets are on firewall.

So, we proposed one of the below solutions:

First, keep the network as it is, we will only discover the devices on DNAC and in this case DNAC will work in monitoring mode and no other benefits.

Second, provision all devices and configure l2 VNs and l2 handoff, in this case all the traffic will be going the same way to their gatways.

These two solutions were proposed because the network security team is denying to remove the gateways from firewalls

Anyways, please suggest what can we do and If there's a third and better solution please advise.

Thank you

Re: Cisco SD-Access design when all gateways are external

Andrii Oliinyk — Fri, 16 Jan 2026 13:17:47 GMT

i dont really get what is the showstopper. u have DNAC with its unisolated L3-intfs (e.g. Management, Enterprise, Cloud / Internet) connected to FW, just bring to the same FW INFRA_VN (GRT) & configure FW to pass traffic bw DNAC & managed devices according to requirements (you can easily find which ports must be open for any intf to operate as expected).
"First, keep the network as it is, we will only discover the devices on DNAC and in this case DNAC will work in monitoring mode and no other benefits." how r u going to provision devices from DNAC with monitoring (assurance) only?
i didnt get 2nd option clearly.

Re: Cisco SD-Access design when all gateways are external

Hashem1323 — Fri, 16 Jan 2026 18:08:32 GMT

perhaps i didn't explain my point correctly.

let's say in the current network design all end-users subnets gateways are through FW.

As I know, to have an SDA solution we need to change the gateways for these subnets to be through SDA and we can't do that.

to solve this we proposed that we will only discover the devices (no provisioning) to keep the config of SW as it is. using this DNAC will collect telemetry data and this is what i meant by monitoring mode.

my previous second point was to provision the devices and create L2 handoff so that everything will stay the same and gateway will still be FW for end-users subnets.

I haven't tested any of these points and would like to be corrected if this is wrong.

note that i need to know weather discovering the switches alone will give me some monitoring data at dnac or not. like through snmp or whatever.

Re: Cisco SD-Access design when all gateways are external

Andrii Oliinyk — Fri, 16 Jan 2026 19:18:27 GMT

L3-gw (FW) outside of the Fabic Site is classical case with 2 options as resolution: a) L2-BN terminating traffic on the FW (less preferred as requires L2-flood L2VNs) b) anycast GWs on the ENs with L3-handoffs (L3NB) to FW (1 handoff per isolation purpose in its separated VN) - recommended design

Re: Cisco SD-Access design when all gateways are external

Andrii Oliinyk — Sat, 17 Jan 2026 07:52:31 GMT

&, yeah, for OAM you doesnt need tenants VNs to be reachable from DNAC. Infra_VN(GRT) is for this purpose