DNAC and ISE

Honest question.

If I have a global ISE solution running (v2.7p3) 802.1X authentication with PKI certificates really well and want to develop an access-layer SDA policy using TrustSec SGTs to provide simple business entity level segmentation, why do I need DNAC?

I have all of my access-layer switches and WLAN controllers in ISE already and the endpoint clients are running a TEAP/EAP-chain enabled supplicant.

I'm not seeing the need here other than activity-based policy assurance. I'm also running pxGrid that allows Tanium to quarantine endpoints that fail its compliance policy. All working well.

Happy to be proved wrong, just need to understand the benefit of the investment.

Cheers

2 Replies

Greg Gibbs
Cisco Employee

The Community is intended more for technical questions rather than a sales channel. I will say, however, that there are big differences between a traditional TrustSec network deployment where inline tagging must be used for every hop in the path and an SDA fabric which runs on top of the overlay and simplifies the propagation of the SGT within the fabric. SDA without DNAC is not supported, likely due to the complexity of connecting all devices in the underlay (routing via IS-IS), building and maintaining the LISP and VXLAN overlays, etc.

Some other key benefits can be found in the SDA Solution Overview.

You might also review some of the Case Studies from customers that have deployed DNAC/SDA as well as the various presentations available on ciscolive.com.

Mike.Cifelli
VIP Alumni

Adding additional information: Cisco SD-Access Resources - Cisco Community