ISE, DNA Center, SGT and Posture - Concept questions

davidfield
Level 3

Hello All,

Starting to get into ISE and DNA and a couple of queries if someone can point me in the right direction. There is a lot of content on both subjects and I can't quite piece together where DNA Center is necessary when it comes to SDA. For example, do I need DNA Center to implement TrustSec, SGTs and Posture? From what I can determine ISE covers this and DNA Center is more monitoring along with some Admin integration, or am I misunderstanding?

Also, from a licensing perspective, if I were to use Cisco 9200s in my lab for my edge switches to achieve SGT and Posture, do I just need Network Essentials or is it necessary to have Network Advantage licensing? I appreciate I'll need the DNA Advantage term license, but it would not be needed if DNA Center is not used.

Has anyone a link that explains in more detail or a brief summary?

Thanks in advance


Dave

Accepted Solutions

jedolphi
Cisco Employee

Hi Dave. Manually (by hand on the CLI, without DNA Center) deployed wired and wireless Cisco infra with ISE will give you the capability to implement Group-Based Policy (aka TrustSec), SGT and posture.

Network Advantage and DNA Advantage are required for GBP in C9K switches.

If you choose to proceed with DNA Center and SD-Access you will get automation of the fabric (no manual deployment), which natively supports GBP and Network Virtualisation, Assurance, Endpoint Analytics, Trust Analytics and Group-Based Policy Analytics. If you're not sure what those things are, then searching some of the most recent presentations on ciscolive.com would be a good way to learn.

In short: deployment and visibility of campus networks, GBP and SGT is easier with DNA Center.


3 Replies

Thanks jedolphi

I appreciate you providing some clarity which is very helpful.

Hello again, a bit more on this query if I may.

We are proposing to have a Core switch stack with Advantage licensing and Access Switch stacks with Essentials licensing. The Access Switches would be configured with SXP to ISE to maintain the IP to SGT mapping. The nature of the site is that the Access switch traffic is primarily to/via the core. My thinking is that I can use SXP to ISE for the Access Switches to apply the SGT tag to the packet and the core switches become the enforcement point.

What are the issues with this approach? I appreciate I'm not enforcing at the Access Switch port, but there is a big difference in Advantage vs Essentials costs which is proving to be a blocker for the client. Am I missing something or have I misinterpreted a concept here?

Any input on why not to go down this route would be appreciated.

Best Regards

David

 
