cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2207
Views
11
Helpful
6
Replies

What do you honestly think of SD Access w/ DNA Center?

ropery22
Level 1
Level 1

We are currently using Prime, and we had a demo by Cisco about DNA center. Cisco is saying that it automates the administration of the network through a new architecture (L3 VxLAN, Secure Group Tags, Virtual networks etc.), erasing the need to manage VLANs, ACLs, IPs etc.

What is the caveat? Why do so few customers, even those who already have a DNA center, go full SDA? Please tell me about your honest experience about this approach/solution, as our company is currently evaluating such option.

6 Replies 6

Hi @ropery22 

 Maybe the point is: Do you/we have alternative?

I mean, if you want to keep with Cisco?

Prime is going to die, so,  for management now we have DNAC. To keep using Cisco either you buy DNAC or you dont have monitoring tool.

Fabric is interesting but Fabric only does not justify the investiment

SGT (group tag) is maybe the most important, if security is a big concern, but actually you can enforce SGT with ISE only. You dont need SDA only for this.

Honestly, SDA on the currently stage may not justify the investiment.

It is very complex to deploy,  create many gaps. For example, last year I was deploying a hude SDA Project and the WLAN on DNAC could handle only one DHCP scope. Which is rediculous.  Any Cisco WLC can handle multiples DHCP scopes, which gives you a lot of flexbility

 Maybe with the evolution Csico will fill the gaps and increase the value of SDA to the point that worth it the investiment but at this point, I dont believe so

 

Claudia de Luna
Spotlight
Spotlight

This is an incredibly relevant question. I have several clients struggling with the exact same question.

The only way to obtain an meaningful answer is to step back and understand what you are trying to accomplish.

What problem are you solving with Prime? What additional capabilities do you need for your infrastructure?

Yes, dare I say it. Requirements!

I'm a huge fan of the promise of SDA. I always envisioned it as ACI for the Campus. I've helped clients roll our ACI in their data centers to great benefit.
1. Your data center becomes a fabric, a single logical entity to manage consistently, rather than some number of discreet switches to manage individually
2. It immediately sets up an automation platform.
3. With direct ties to virtualization, it helps to break down silos.
4. It achieves the security "holy grail". I don't care about the IP (when dealing with security posture, anyway).

For the Campus its is 1, 2, and 4 that are most relevant as Clients struggle with this question.
- Fabric
- Automation
- Security

Fabric
In a greenfield environment, a "turnkey" fabric is a wonderful thing (just like it is in the data center with ACI).
Given a Campus with, for example one layer 3 core and 25 access stacks, what could be operationally better than being able to mange the campus as a single entity rather than 26 discreet logical devices. One point of management minimizing configuration drift and ensuring configuration consistency. Potentially easier zero touch provisioning/plug & play. Comprehensive end to end visibility for your fabric. All kinds of goodness here particularly when you multiply that by say 50 or 100 or more different locations.

Can this be achieved via other means? Sure.
You can roll out your own underlay and overlay and you can automate that as well with Cisco tools or with other automation frameworks such as Ansible, Nornir, or other commercial products.
Products like SuzieQ (open source and commercial) can give you that fabric like visibility now with your existing hardware and with your new hardware.

Automation
If the only thing you are looking for is automation, the solution field is wide and varied.  I'll leave it at that.


Security
This is where SDA could really shine. As @Flavio Miranda  stated, TrustSec/SGTs can also help in this space but with just ISE it can be a heavy lift. The hope was that SDA would make that easier and that is the big question.

Today there is not a single client I am working with that is not struggling with improving security across their IT landscape and especially at the user endpoint/device layer. The ability to do so without re-addressing is a game changer. Today SDA is a heavy lift in terms of hardware and licensing. If you had a chance to go to Cisco Live, you probably noticed that there are many other vendors in this space looking to leverage Cisco technologies like ISE and SGTs to more easily secure environments.  Some let you use ISE and SGTs where available and can bring other solutions in other areas including showing you not just the traffic flows between devices but also a way to more easily manage policy based on those flows.

Why am I bothering you with all of this?
These three functional areas are each incredibly broad themselves and could have many differing requirements within based on your needs.
I just wanted to show a way to start thinking about how to answer your question more discreetly and in a way that gets you actionable answers. With the right requirements defined you have a way to test and assess solutions to get you the one that best meets your needs.

If I had categorize where I think some of my Cisco clients are going to wind up with what I know today they would fall into these categories:

  • Piloting SDA in greenfield campus during hardware refresh
  • Piloting SDA in a brownfield campus (hardware refresh underway)
  • DNAC Only (no SDA) plus 3rd party tools to address immediate automation, visibility, and security needs on existing hardware
  • To soon to tell/No requirements

One problem I see @Claudia de Luna  is that if DNAC   does not take off commercially speaking, soon we will see Cisco turning the wheels in other direction.  For Data Center solution, it may justify a very expensive solution like ACI, although I am about to say there are many companies out there re-considering this solution. But for campus, It don't know. 

 They need to make progress in lightweight DNAC servers and virtualization and make it easier to deploy. The way I see it today, I personally dont recommend.

 

 

 

I share that very same concern @Flavio Miranda!  ...and you are 100% correct, over the last 3 years I've seen competitors moving into the ACI/data center space successfully with solutions that are almost as elegant.  

SDA has so much promise and could be a real game changer but its been hampered by issues to be sure and its just recently that global companies could seriously consider it.   Not only is a lightweight DNAC solution key but I really think not being able to run a simulator (yes like ACI) easily and from day 1 has really hindered uptake and familiarity.  Lets face it, every network engineer I know is going to want to kick the tires and start getting some familiarity.  Not being able to do that I truly believe has hurt.  Sure I can go to DevNet and while that is great, and a necessary first step, there is nothing like getting it in my lab and kicking the tires on it myself.  Thats where true learning begins (for me at any rate).  What if there was a lightweight free version that say just supported PnP for a limited set of devices like the old Enterprise APIC?  Talk about a great foot in the door.  
Anyway,  more good points and I could not agree more!

 

ammahend
VIP
VIP

If Cisco is serious about enterprise networking, i think in few years everything will be in Meraki dashboard, and everything which can not be will be pulled into meraki with APIs and we already are seeing trend. 

We will be able to automate and manage things much better, and run macro and micro segmentation on top with something like adaptive policy. 

Personally i will take that approach better than SDA any given day. 

SDA concept and vision is great but execution is not as smooth. 

-hope this helps-

 


@ammahend wrote:

If Cisco is serious about enterprise networking, i think in few years everything will be in Meraki dashboard, and everything which can not be will be pulled into meraki with APIs and we already are seeing trend. 

We will be able to automate and manage things much better, and run macro and micro segmentation on top with something like adaptive policy. 

Personally i will take that approach better than SDA any given day. 

SDA concept and vision is great but execution is not as smooth. 


Beautifully stated @ammahend 

Review Cisco Networking for a $25 gift card