Showing results for 
Search instead for 
Did you mean: 
Cisco Employee
Cisco Employee

Here are some commonly asked questions and answers to help with your adoption of Cisco Software-Defined Access (SD-Access). Subscribe (how-toto this post to stay up-to-date with the latest Q&A and recommended Ask the Experts (ATXs) sessions to attend.


Q. If I consider to migrate my existing enterprise network to SD-Access to what are the different strategies we have?


Parallel — An SD-Access network is built next to an existing brownfield network. Switches are moved from the brownfield network to the SD-Access network by physically patching cables. This approach makes change management and rollback extremely simple. However, the parallel network requires additional rack space, power, and cabling infrastructure beyond what is currently consumed by the brownfield network. 

Incremental — This strategy moves a traditional switch from the brownfield network and converts it to an SD-Access fabric edge node. The Layer 2 Border handoff is a feature used to accomplish this incremental migration. This strategy is appropriate for networks that have equipment capable of supporting SD-Access already in place or where there are environmental constraints such as lack of space and power.

Hybrid—The hybrid approach uses a combination of parallel and incremental approaches.  For example, a new pair of core switches are configured as border nodes, control plane nodes are added and configured, and the existing brownfield access switches are converted to SD-Access fabric edge nodes incrementally.


Q. Is There way where I can create SDA fabric with just one physical device acting as Edge, Border and Control all in one?

A. Fabric in a Box is an SD-Access construct where the border node, control plane node, and edge node are running on the same fabric node. This may be a single switch, a switch with hardware stacking, or a StackWise Virtual deployment. The Fabric in a Box Site Reference Model should target less than 200 endpoints. 


Q. If I am having a brownfield deployment of SDA, how can I make sure during the migration, host in traditional network and host SDA can communicate with each other?

A. When a traditional network is migrating to an SD-Access network, the Layer 2 Border Handoff is a key strategic feature. Endpoints can remain in place in the traditional network while communication and interaction are tested with the endpoints in the fabric without needing to re-IP address these hosts.

The Layer 2 Border Handoff allows the fabric site and the traditional network VLAN segment to operate using the same subnet. Communication between the two is provided across the border bode with this handoff that provides a VLAN translation between fabric and non-fabric. Cisco DNA Center automates the LISP control plane configuration along with the VLAN translation, Switched Virtual Interface (SVI), and the trunk port connected to the traditional network on this border node. 


Q. Should I need Identity service engine (ISE) for SDA deployment?

A. Technically you might be able to create a SDA Fabric without ISE, but that won't be a complete SDA .ISE does the main role of Micro segmentation using SGT, which is one of the crucial features of SDA, you can do just Macro segmentation with VN but you will losing the biggest benefit on SDA .

With regards to the SD-Access solution, it is composed of three parts:

* Identity Services Engine (ISE)

* Cisco DNA Center

* Supported Device Platforms (Routers, Switches, APs, WLCs)


Q. What are the Latency requirement for SDA?

A. Latency in the network is an important consideration for performance, and the RTT between Cisco DNA Center and any network device it manages must be taken into strict account. The RTT should be equal to or less than 100 milliseconds to achieve optimal performance for all solutions provided by Cisco DNA Center including SD-Access. The maximum supported latency is 200ms RTT. Latency between 100ms and 200ms is supported, although longer execution times could be experienced for certain functions including Inventory Collection, Fabric Provisioning, SWIM, and other processes that involve interactions with the managed devices.


Q. Should I run SD-Access to use DNA Center?
A. No you need not run SD-Access to use DNA Center. You can add DNA Center to your traditional network and start using the Base Automation & Assurance feature. If you wish run SD-Access then DNA Center is mandatory but not vice versa.

Q. Will my SD-Access network be impacted if DNA Center goes down?
A. No. DNA Center is just a controller, even if the DNA Center goes down SD-Access network will still remain up and traffic will continue to flow. It just that you won’t be able to make any changes in to SD-Access network and you won’t be able to see the telemetry data.

Q. What are the steps needed to consider before starting LAN Automation for underlay?
A. Here are the steps:
  1. Before starting LAN automation, follow the steps in the Cisco DNA Center SD-Access LAN Automation Deployment Guide.
  2. If a LAN automated device is deleted from Cisco DNA Center, add it back via LAN automation. Do not add it back via the Inventory or Discovery pages.
  3. Do not modify the LAN automated interface configuration in the device manually, including Loopback0 or Loopback60000.  
  4. Do not move the LAN automated L3 interface configuration from one interface to another interface or from one device to another device manually.
  5. Do not use an IP address from the underlay pool for any other purpose in the network. Use a dedicated pool for the underlay
  6. Confirm that the PnP agent serial number does not already exist in the ISE NAD and in the PnP page. 
Q. Where should DHCP server reside in a SD-Access network?
A. The DHCP server must be outside of the SD-Access fabric, either multiple hops away (e.g. DC) or directly connected to the Fabric Border. In a Campus fabric network, DHCP server is deployed as a shared service located in a network that is different from the fabric endpoints. Every fabric edge is configured as a DHCP Relay agent to relay the DHCP traffic between fabric endpoints and DHCP server. DHCP server is located in the non-EID space in the enterprise fabric network and the fabric edge node uses the fabric border as Proxy Tunnel Router (PxTR) to communicate with the DHCP server.
Q. Should we use trunkports and Spanning Tree Protocols to propagate VLANs in the underlay of Cisco SD-Access? 
A. No, the underlay in SDA is a pure L3 routed network. VLANs will be present only on your edge devices at the access port level. Your intermediate devices will not need to know the VLANs of the End Hosts. 

Looking for more resources? Access the latest guides, recordings and more via Cisco SD-Access ATXs Resources. For more SD-Access FAQ, see Wireless in SD-Access. 
Want to learn more and get real-time Cisco expert advice? Through live Q&A and solution demos, Ask the Experts (ATXs) real-time sessions help you tackle deployment hurdles and learn advanced tips to maximize your use of Cisco technology. View and register for the upcoming Ask the Experts (ATXs) sessions today. [Pro tip: Subscribe to the event listing for new session updates.]
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: