
Cisco EN Validated Design and Deployment Guides

Announcement! Updated SD-Access Cisco Validated Design Guide Download Here!


 

What are Validated Design & Deployment Guides?

Simple, modular, use-case-based design and deployment guidance that provides validated designs, best practices, and prescriptive, easy-to-follow deployment guides, all intended to give you confidence as you transform your network to meet your business goals.

 

SD-Access

SD-WAN

Security, Policy & Access

Infrastructure

 

Solution Design Guides (CVD)

Architecture-based guidance to design a technical solution. The target audience is Network & Security Architects, Sr. Network Engineering and Security Analysts. Design guides provide solution recommendations and design considerations. These guides are NOT release-based and do not contain screenshots and/or configurations.

Prescriptive Deployment Guides (PDG)

Prescriptive, technical step-by-step guidance to solve a use case required in your network. The target audience is Network & Security Engineering and Operations. Deployment guides provide an easy template (DEFINE, DESIGN, DEPLOY & OPERATE) for step-by-step validated guidance, complete with screenshots and configuration.

Cisco Validated Profile (CVP) Guides

Cisco Validated Profile (CVP) guides provide validated configuration and testing details for profile topologies. The target audience is Network & Security Engineering & Operations. CVPs contain hardware and software features for end-to-end use cases.

_____________________________________________________________________________________________

 

SD-Access

 

Design Guides

 

Software-Defined Access - Solution Design Guide

First Published August 2018 / Last Reviewed October 2019 | Author:  Jonathan Cuthbert

In this guide, you will learn deployment models, approaches and considerations along with recommended design practices for SDA fabric sites ranging from very small to very large in size that can be single independent sites or part of a larger, multi-site deployment.

Software-Defined Access Segmentation Design Guide

First Published August 2018 / Last Reviewed April 2019 | Author: Mike Jessup

In this design guide, you will find background information around the need for segmentation in today’s networks to reduce the network attack surface. This document briefly looks at the history of segmentation and provides guidance around the use of macro-segmentation (VRFs/VNs) and/or micro-segmentation (SGTs) and how to determine which strategy is most applicable in different scenarios. Through several simple use cases in verticals such as education, healthcare, retail, manufacturing, and utilities, the reader will see how a combination of micro and macro-segmentation can be implemented to group network devices while minimizing the attack surface.

Prescriptive Deployment Guides

Cisco DNA Center & ISE Management Infrastructure Deployment Guide

First Published May 2020  | Author:  Sum Nguyen

In this guide, you will learn how to install and bootstrap the management infrastructure for the Cisco Digital Network Architecture which includes Cisco DNA Center and ISE.

Catalyst 9800 Non-Fabric Deployment using Cisco DNA Center Deployment Guide

First Published October 2019 | Author: Roland Saville

In this guide, you will learn how to deploy a wireless local area network (WLAN) within a campus network, using Catalyst 9800 Series WLAN controllers (WLCs) with access points (APs) in centralized (local mode) operation, using Cisco DNA Center.

 

Catalyst 9800 Non-Fabric FlexConnect Deployment using Cisco DNA Center

First Published October 2019 | Author:  Roland Saville

This guide focuses on how to deploy a wireless local area network (WLAN) within a branch network, using Catalyst 9800 Series WLAN controllers (WLCs) with access points (APs) in FlexConnect mode operation, using Cisco DNA Center.

 

Network Device Onboarding Using Cisco DNA Center Deployment Guide

First Published  October 2019 | Last Reviewed November 2019 | Author: Esrar Razvi

In this guide, you will learn how to automate Day-0 on-boarding of a single switch at branch/campus with Cisco DNA Center to reduce the overall cost and time by leveraging built-in PnP functionality and an on-boarding template.

 

Campus Software Image Management Using Cisco DNA Center Deployment Guide

Last Reviewed March 2020 | Author: Esrar Razvi

In this guide, you will learn how to leverage Cisco DNA Center to manage software images according to image type and version. You can view, import, and delete software images in the repository as well as standardize images per device family type by marking them as golden. The software images can then be pushed to target devices in your network for day 0-N use cases.

 

Enabling Cisco DNA Assurance on Existing Network Deployment Guide

First Published October 2019 | Author: Sum Nguyen

In this guide, you will learn how to leverage Cisco DNA Center to deploy Assurance in an existing brownfield network. This document covers both network and clients assurance.

Cisco DNA Application Assurance Deployment Guide

First Published  October 2019 / Last Reviewed January 2020 | Author: Roland Saville

In this guide, you will learn how to deploy Cisco DNA Application Assurance within an enterprise network; and how to monitor and troubleshoot applications and their performance when the application traffic crosses the WAN, through Cisco DNA Application Assurance.

 

Software-Defined Access Medium and Large Site Fabric Provisioning Deployment Guide

First Published August 2018 / Last Reviewed October 2019 | Author: Jonathan Cuthbert

In this guide you will learn how to deploy medium and large fabric sites consisting of a multi-tier Hierarchical network model with dedicated shared services block and physical WLCs.

 

Software-Defined Access for Distributed Campus Deployment Guide

First Published May 2019  / Last Reviewed October 2019 | Author: Jonathan Cuthbert

This guide will show you how to deploy unified and consistent policy across a metro area SD-Access deployment consisting of multiple, independent fabric sites.  Both IP-based transits with fusion routers and SDA transits are discussed and deployed along with methods to provide Internet access to the deployment.  Finally, important considerations and recommended practices for the deployment of the key architecture component–transit control plane nodes–are discussed and deployed.  

 

Encrypted Traffic Analytics Non-Fabric Deployment Guide

First Published October 2019 | Author:  Bryan Brzezinski and Mike Jessup

This document provides guidance on deploying ETA and NaaS configuration to routers and switches without the assistance of Cisco DNA Center in a Non-Fabric environment.

 

 

Encrypted Traffic Analytics in Cisco SD-Access Fabrics Deployment Guide

First Published October 2019 | Author:  Bryan Brzezinski and Mike Jessup

In this guide, you will learn how to configure ETA using Cisco DNA Center’s SSA application which allows for simple and automated deployment in a SD-Access Fabric.

 

_____________________________________________________________________________________________

 

SD-WAN

 

Design Guides

SD-WAN Design Guide

First Published October 2018 / Updated:  May 2020 | Author:  Gina Cornett

In this guide, you will learn about the architecture and different aspects of the Cisco SD-WAN solution. A high-level discussion of components, on-boarding of WAN devices, controller connections, configuration templates, and policies is covered, in addition to deployment planning considerations.

 

First Published  May 2020 | Author:  Priyanka Sayinath

This design guide focuses on the design components, considerations, working and best practices of each of the security features listed in Table 1 for IOS-XE SD-WAN WAN Edge devices. However, the document is not meant to exhaustively cover all options.

 

 

Prescriptive Deployment Guides

 

SD-WAN: Secure Direct Cloud Access for Cisco IOS-XE SD-WAN Device Deployment Guide

First Published May 2020  | Author: Priyanka Sayinath

This document provides the design and deployment of the Cisco SD-WAN security policy specific to secure Direct Cloud Access (DCA) within remote sites running IOS-XE SD-WAN WAN Edge platforms. The security features leveraged within this guide include Enterprise Firewall with Application Awareness, Intrusion Prevention System (IPS), Advanced Malware Protection (AMP) and DNS/Web-layer Security with Umbrella Integration.

 

SD-WAN: Secure Direct Internet Access for Cisco IOS-XE SD-WAN Devices Deployment Guide

First Published May 2020  | Author: Priyanka Sayinath

This document provides the design and deployment of the Cisco SD-WAN security policy specific to secure Direct Internet Access (DIA) within remote sites running IOS-XE SD-WAN WAN Edge platforms. The security features leveraged within this guide include Enterprise Firewall with Application Awareness, Intrusion Prevention System (IPS), URL Filtering (URLF), Advanced Malware Protection (AMP) and DNS/Web-layer Security with Umbrella Integration.

 

SD-WAN: Secure Guest Access for Cisco IOS-XE SD-WAN Devices Deployment Guide

First Published May 2020  | Author: Priyanka Sayinath

This document provides the design and deployment of the Cisco SD-WAN security policy specific to secure guest access within remote sites running IOS-XE SD-WAN WAN Edge platforms. The security features leveraged within this guide include Enterprise Firewall with Application Awareness and URL Filtering (URLF).

 

Cisco SD-WAN: Application-Aware Routing Deployment Guide

First Published May 2020 | Author: Prashanth Davanager Honneshappa

This guide is intended to provide design and deployment guidance to deploy Application-Aware Routing on the Cisco SD-WAN solution providing Service Level Agreement (SLA) based routing for business-critical applications to optimize application performance. The guide focuses on the step-by-step procedures for defining the network characteristics requirements for an application and leveraging the calculated path liveness and quality measurement to influence the traffic path dynamically, providing the best experience for the applications at all times.

 

 

Zscaler Internet Access (ZIA) and Cisco SD-WAN Deployment Guide

First Published March 2020 | Author: Gina Cornett

This deployment guide provides configuration guidance for integrating Zscaler Internet Access (ZIA) and Cisco SD-WAN successfully. There are examples to show how to provision a new service with ZIA and Cisco SD-WAN using GRE or IPsec tunnels. For Cisco SD-WAN, configurations that use feature templates through vManage and CLI are both shown. All examples in this guide presume the reader has a basic comprehension of IP networking.

 

 

Cisco SD-WAN: WAN Edge Onboarding Deployment Guide

First Published December 2019 / Last Reviewed January 2020 | Author: Prashanth Davanager Honneshappa

This guide is intended to provide design and deployment guidance to onboard Cisco SD-WAN WAN Edge devices into the enterprise SD-WAN Infrastructure. The guide focuses on the step-by-step procedures to configure each of the onboarding options available, along with the use cases specific to WAN Edge deployment using default pre-installed certificates or enterprise root-ca certificates. The physical or virtual WAN Edge onboard options include manual, bootstrap or the automated deployment process, which is referred to as Zero Touch Provisioning (ZTP) for vEdge devices and Plug-and-Play (PnP) for IOS XE SD-WAN devices.

 

Cisco SD-WAN: Enabling Firewall and IPS for Compliance

First Published November 2019 | Author: Priyanka Sayinath

This document provides the design and deployment of the Cisco SD-WAN security infrastructure specific to the compliance use case within remote sites running IOS-XE SD-WAN WAN Edge platforms. The security features leveraged within this guide include Enterprise Firewall with Application Awareness and Intrusion Prevention System (IPS).

 

SD-WAN Controller Certificates and Whitelist Authorization File Deployment Guide

First Published October 2019 | Author:  Gina Cornett

In this guide, you will learn about the different certificate options available on the Cisco SD-WAN controller complex and how to deploy them, along with the whitelist authorization file. The guide also describes how to renew certificates, how to install certificates manually, and how to migrate to Cisco PKI certificates.

 

SD-WAN End-to-End Deployment Guide

First Published October 2018 / Last Reviewed April 2019 | Author: Gina Cornett

In this guide, you will learn how to deploy the Cisco SD-WAN solution from end to end. You will learn how to configure and deploy feature and device templates, how to onboard WAN Edge devices, and how to configure localized and centralized policies, QoS, and application-aware routing.

 

SD-WAN: Enabling Direct Internet Access Deployment Guide

First Published July 2019 | Author: Priyanka Sayinath

In this guide, you will learn to design and deploy direct internet access on both vEdge and SD-WAN XE platforms. The guide includes design considerations, configuration and troubleshooting steps to be adopted while deploying features such as NAT DIA route and Centralized Data Policy within your branch WAN Edge device to establish local internet exit.

 

SD-WAN: Enabling Cisco Cloud onramp for IaaS with AWS Deployment Guide

First Published January  2019 / Last Reviewed July 2019 | Author: Roland Saville

In this guide, you will learn how to deploy secure network connectivity from private network campus and branch locations to one or more AWS VPCs using Cisco SD-WAN Cloud onRamp for IaaS.

 

SD-WAN: Cloud onramp for SaaS Deployment Guide

First Published January 2019 / Last Reviewed July 2019 | Author: Gina Cornett

In this guide, you will learn about how Cisco SD-WAN Cloud onRamp for SaaS operates and how to deploy it successfully.

 

SD-WAN: Administrator-Triggered Cluster Failover Deployment Guide

First Published July 2020 | Authors: Priyanka Sayinath and Deepesh Deepesh Kumar

This document provides design and deployment information for vManage disaster recovery. It covers the different types of disaster recovery methods and reviews the steps for configuring disaster recovery and how to perform disaster recovery at the time of network disruption. Note that the first iteration of this guide covers only one use case, the administrator-triggered failover use case for a vManage cluster.

SD-WAN Validated Profiles

CVP - Enterprise SD-WAN Financial Profile

First Published October 2018


CVP - Enterprise Cisco SD-WAN Retail Profile

First Published October 2018

 

For additional SD-WAN resources refer to SD-WAN Community Resource page http://cs.co/sdwan-resources

_____________________________________________________________________________________________

Security, Policy & Access

Design Guides

Encrypted Traffic Analytics Design Guide

First Published October 2017 / Last Reviewed October 2019 | Author: Mike Jessup

In this guide, you will read about Encrypted Traffic Analytics (ETA) design considerations for deploying this technology in either Cisco SD-Access fabrics or in traditional campus LANs or WANs. This document looks in depth at where and how to deploy this technology in conjunction with Flexible NetFlow on your network infrastructure to obtain the best results.

Prescriptive Deployment Guides

Encrypted Traffic Analytics Non-Fabric Deployment Guide

First Published October 2019 | Author: Bryan Brzezinski  and Mike Jessup

This document provides guidance on deploying ETA and NaaS configuration to routers and switches without the assistance of Cisco DNA Center in a Non-Fabric environment.

 

Encrypted Traffic Analytics in Cisco SD-Access Fabrics Deployment Guide

First Published August 2018 / Last Reviewed October 2019 | Author:  Bryan Brzezinski and Mike Jessup

In this guide, you will learn how to configure ETA using Cisco DNA Center’s SSA application which allows for simple and automated deployment in a SD-Access Fabric.

 

_____________________________________________________________________________________________

 

Campus / Branch Infrastructure

 

Design Guides

Campus LAN and Wireless LAN Design Guide

First Published August 2018 / Last Reviewed May 2020 | Author: Roland Saville and Bryan Brzezinski

In this guide, you will learn how to design Campus LAN and Wireless LAN for High-density, Medium-Density and Small Site campuses.  Design fundamentals for each layer in a campus (Access, Distribution and Core) for wired are discussed along with best practices.  Campus WLAN design fundamentals such as controllers, deployment models and key features are discussed along with a best practices check list.  In addition, management, ISE and QoS guidance is given.

Prescriptive Deployment Guides

Campus LAN L2 Access with Simplified Distribution Deployment Guide

First Published October 2015 / Last Reviewed January 2019 | Author: Stephenie Chastain

In this guide, guidance is given around Layer 2 Access layer wiring closets of varying port sizes along with platform configurations for this layer.  Simplified Layer 2 distribution layer deployment guidance along with platform configurations are discussed.

 

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 

 

 


 

Comments
Cisco Employee

If you have any feedback or question regarding any of the above guides, please kindly leave your comment here, and we will get back to you as soon as possible.

Cisco Employee

Somebody please correct the SWIM deployment guide for DNAC here (top of page 6):

https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Campus/dnac-swim-deployment-guide-2019oct.pdf

It suggests that ISE has to be installed before doing SWIM.  I'm 99.999% sure that SWIM can be done without DNAC-ISE integration.  Please correct me if I'm wrong. 

Cisco Employee

@pmerlitt Thanks for your feedback. We will review the doc and fix it asap.

Cisco Employee

Are there any translated versions of this content?

Cisco Employee

@jamari Sorry we do not have these translated except for just one or two that were done in Chinese. What language are you looking for?

Beginner

Hi Guys,

 

I am in the process of building an SD-WAN home lab hosted on my EVE-NG home server. My question is how to add cEdge and vEdge routers in vManage without having licenses, and if this process requires me to have licenses, how can I get them? Please help me address this issue.

Cisco Employee

@Moadmin

Please refer to the  WAN Edge onboarding guide for steps to add cEdge and vEdge to vManage.

https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/sd-wan-wan-edge-onboarding-deploy-guide-2020jan.pdf

Beginner

@pdavanag

 

Thank you for taking the time to read my question. I have read the WAN Edge onboarding guide before, but this is not my question. My question was how I can get a provisioning file from Cisco, just for testing purposes, without having a smart account. I just need to lab SD-WAN, nothing else.

 

Cisco Employee

@Moadmin 

I don't think there is any other way to add the devices in vManage other than leveraging the provisioning file from the Network Plug-and-Play portal, which requires a smart account. 

Beginner

@pdavanag

 

So in this case I am not able to learn SD-WAN, because I do not have a provisioning file. That is really very sad news.

Cisco Employee
You can request a smart/virtual account and add the device to the Network Plug-and-Play portal and get the provisioning file to play in the lab.
Log into the Cisco Software Central > Administration and request Manage Smart Account.
Cisco Employee

Hello, I have a question about the guide: "Encrypted Traffic Analytics Design Guide"

 

The guide seems to indicate that ETA is able to be enabled on a L2 (trunk/access) interface. However, the template (IDP) captures IP addresses. I know that with NetFlow if it is applied to a L2 interface, it cannot capture those field elements that would be read in the L3 PDU. Can you clarify what information is captured on a L2 interface? Is it somehow able to read the information from the L3 portion of the packet?

Cisco Employee

@ahengst So Flexible NetFlow (NetFlow v9), which is what ETA is based on, can match IP addresses on L2 interfaces. As a matter of fact, the recommendation for ETA is to configure it on the switch access port.
