12-08-2019 12:36 PM
Hi all,
I'm an SD-LAN newbie so please bear with me.
I'm looking at a Cisco ACI and DNA Center deployment for an all-in SD solution.
I'm happy with what ACI will do, but I'm looking at the access layers and trying to understand how users in tenants are handled. Ideally each tenant/customer will have an 802.1X cert authentication, and then the result of this 802.1X challenge will determine which tenant they sit within.
So in effect a generic access layer is deployed to all sites. Then any customer from any tenant can plug into the access layer, they are identified by certificate and they can then only access the resources allowed by the tenant rules?
Looking at 9000 series switching and controllers to achieve this?
12-08-2019 12:56 PM - edited 12-08-2019 12:57 PM
As per my understanding, SD-Access is for the campus LAN, and it is more controlled by ISE, which plays a big role here.
If anyone can plug into a port and they are not part of your network or have unauthorized access, then based on the design ISE will decide what kind of resources will be allowed for this unknown rogue client in the network, or you can also configure it to shut down the port and send alerts.
If you are looking for each port as a tenant-based system, that should be carefully understood, and the network designed as per the needs.
Look at the SD-Access with Segmentation design guide:
12-08-2019 01:24 PM
Thank you. Just so I understand at a high level: if designed properly, each switch port can dynamically represent any tenant?
So it's not important where you plug into the switch; only the 802.1X response will determine the tenant you are assigned to?
Thanks
12-08-2019 02:15 PM
Yes, based on how you define those security tags in ISE.
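To make the "tenant-neutral port" idea concrete, here is an added IOS-XE access-port configuration; it is an illustration written for this thread, not Cisco's or the DNA Center fabric-edge template (in SD-Access the fabric edge configuration is pushed by DNA Center, so this only shows the 802.1X mechanism underneath). Every port gets the same configuration and starts in an unauthorized state; the VLAN/virtual network and the scalable group tag (SGT) that decide which tenant resources a session may reach are returned by ISE in the RADIUS Access-Accept, so the physical port carries no tenant meaning of its own. The RADIUS server address 192.0.2.10, the shared-secret placeholder, the holding VLAN 999 and the interface range are assumed values.

```cisco-ios
! Added illustration, not from the thread or a Cisco template.
! Assumed values: ISE PSN 192.0.2.10, placeholder shared secret, holding VLAN 999.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
radius server ISE-PSN
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
! Allow ISE to change or terminate a session (CoA) if the policy decision changes
aaa server radius dynamic-author
 client 192.0.2.10 server-key REPLACE-WITH-SHARED-SECRET
!
! Enforce SGT-based policy on the switch itself
cts role-based enforcement
!
! Every edge port is identical; the tenant is decided per session by ISE
interface range GigabitEthernet1/0/1 - 24
 description tenant-neutral access port
 switchport mode access
 ! Holding VLAN with no tenant resources; ISE overrides it on success
 switchport access vlan 999
 ! Each MAC on the port is authenticated and authorized separately
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 ! Port stays unauthorized until ISE returns Access-Accept
 authentication port-control auto
 ! Extra unauthorized MAC is dropped and logged; port is not taken down
 authentication violation restrict
 dot1x pae authenticator
 dot1x timeout tx-period 7
 mab
 spanning-tree portfast
```

A useful check on a live switch is `show authentication sessions interface GigabitEthernet1/0/1 details`, which lists the VLAN and SGT actually applied to the session; if a certificate is rejected, the session stays in the unauthorized state on the holding VLAN and the RADIUS Access-Reject is visible in the ISE live logs, which is where the "unknown rogue client" case from the earlier reply is investigated.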