Cisco SD-Access design when all gateways are external

Hashem1323
Frequent Visitor

Hi all,

We are currently planning to deploy one Catalyst Center appliance in our office. However, the current gateways for all subnets are on the firewall.

So, we proposed one of the below solutions:

First, keep the network as it is; we will only discover the devices on DNAC, and in this case DNAC will work in monitoring mode with no other benefits.

Second, provision all devices and configure L2 VNs and L2 handoff; in this case all the traffic will keep going the same way to its gateways.

These two solutions were proposed because the network security team refuses to remove the gateways from the firewalls.

Anyway, please suggest what we can do, and if there's a third and better solution, please advise.

Thank you

4 Replies

I don't really get what the showstopper is. You have DNAC with its unisolated L3 interfaces (e.g. Management, Enterprise, Cloud / Internet) connected to the FW; just bring INFRA_VN (GRT) to the same FW and configure the FW to pass traffic between DNAC and the managed devices according to requirements (you can easily find which ports must be open for any interface to operate as expected).
"First, keep the network as it is, we will only discover the devices on DNAC and in this case DNAC will work in monitoring mode and no other benefits." How are you going to provision devices from DNAC with monitoring (assurance) only?
I didn't get the 2nd option clearly.

Hashem1323
Frequent Visitor

Perhaps I didn't explain my point correctly.

Let's say that in the current network design all end-user subnet gateways go through the FW.

As far as I know, to have an SDA solution we need to change the gateways for these subnets to go through SDA, and we can't do that.

To solve this we proposed that we will only discover the devices (no provisioning) to keep the switch config as it is. Using this, DNAC will collect telemetry data, and this is what I meant by monitoring mode.

My previous second point was to provision the devices and create an L2 handoff so that everything stays the same and the gateway will still be the FW for the end-user subnets.

I haven't tested any of these points and would like to be corrected if this is wrong.

Note that I need to know whether discovering the switches alone will give me some monitoring data at DNAC or not, e.g. through SNMP or whatever.

An L3 GW (FW) outside of the Fabric Site is a classical case with 2 options as resolution: a) an L2 BN terminating traffic on the FW (less preferred, as it requires L2-flood L2VNs); b) anycast GWs on the ENs with L3 handoffs (L3 BN) to the FW (1 handoff per isolation purpose, in its own separate VN), which is the recommended design.

And, yeah, for OAM you don't need the tenant VNs to be reachable from DNAC. INFRA_VN (GRT) is for this purpose.
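To make the recommended design (b) and the INFRA_VN/GRT point from the first reply concrete, here is an added IOS-XE border-node snippet. It is an illustration written for this thread, not configuration from the original posts and not Catalyst Center output (in a deployed fabric the border handoff workflow generates this; it is shown by hand so the isolation is visible). Every hostname-level detail is assumed: the VN/VRF names CAMPUS_USERS and GUEST, VLANs 3001/3002, the 10.255.1.0/30 and /30 handoff links, the 10.10.0.0/16 fabric address space, AS 65001 (fabric) and 65002 (firewall), and the BGP password placeholder.

```ios
! Added example, not from the thread and not DNAC-generated.
! External border node: one VRF per VN, one L3 handoff per VRF to the FW.
! VRF names, VLAN IDs, addresses and AS numbers below are assumed.
!
! --- GRT / INFRA_VN: underlay and OAM. DNAC reaches the device on Loopback0
! via the global table through the FW; no tenant VN needs to be reachable
! from DNAC. The FW must permit the Catalyst Center management ports on
! this path (see Cisco's published port list; not enumerated here).
interface Loopback0
 description Underlay / management (GRT)
 ip address 10.0.0.1 255.255.255.255
!
! --- Tenant VNs: separate VRFs with no cross-VRF route-target import,
! so the only path between VNs is the firewall.
vrf definition CAMPUS_USERS
 rd 65001:1001
 address-family ipv4
  route-target export 65001:1001
  route-target import 65001:1001
 exit-address-family
!
vrf definition GUEST
 rd 65001:1002
 address-family ipv4
  route-target export 65001:1002
  route-target import 65001:1002
 exit-address-family
!
! --- Handoff trunk to the FW: one VLAN (and one FW zone) per VRF
interface TenGigabitEthernet1/0/1
 description L3 handoff trunk to FW
 switchport mode trunk
 switchport trunk allowed vlan 3001,3002
!
interface Vlan3001
 description Handoff CAMPUS_USERS -> FW zone CAMPUS_USERS
 vrf forwarding CAMPUS_USERS
 ip address 10.255.1.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
!
interface Vlan3002
 description Handoff GUEST -> FW zone GUEST
 vrf forwarding GUEST
 ip address 10.255.1.5 255.255.255.252
 no ip redirects
 no ip proxy-arp
!
! --- One eBGP session per VRF. Fabric prefixes (from LISP) go to the FW;
! only a default route is accepted back, so the FW stays the exit point.
router bgp 65001
 bgp router-id 10.0.0.1
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf CAMPUS_USERS
  redistribute lisp metric 10
  neighbor 10.255.1.2 remote-as 65002
  neighbor 10.255.1.2 password REPLACE-WITH-SHARED-SECRET
  neighbor 10.255.1.2 activate
  neighbor 10.255.1.2 route-map FROM_FW in
  neighbor 10.255.1.2 route-map TO_FW out
 exit-address-family
 !
 address-family ipv4 vrf GUEST
  redistribute lisp metric 10
  neighbor 10.255.1.6 remote-as 65002
  neighbor 10.255.1.6 password REPLACE-WITH-SHARED-SECRET
  neighbor 10.255.1.6 activate
  neighbor 10.255.1.6 route-map FROM_FW in
  neighbor 10.255.1.6 route-map TO_FW out
 exit-address-family
!
! --- Accept only a default from the FW; advertise only fabric space to it.
ip prefix-list DEFAULT_ONLY seq 5 permit 0.0.0.0/0
ip prefix-list FABRIC_SPACE seq 5 permit 10.10.0.0/16 le 24
!
route-map FROM_FW permit 10
 match ip address prefix-list DEFAULT_ONLY
!
route-map TO_FW permit 10
 match ip address prefix-list FABRIC_SPACE
```

Two checks worth running after the handoff is up: `show ip bgp vpnv4 vrf GUEST summary` should show only the firewall neighbour, and `show ip route vrf GUEST` should contain the GUEST pools plus a single BGP default and nothing from CAMPUS_USERS; if a CAMPUS_USERS prefix appears there, a route-target import has leaked across VNs and the firewall is being bypassed. The caveat for the security team is what this design does and does not change: every inter-VN and north-south flow still traverses the firewall, because each VRF only holds a default route towards it, but the subnet gateway itself moves to the anycast SVI on the edge nodes, so traffic between two hosts in the same VN is switched inside the fabric and never reaches the firewall. Intra-VN policy therefore has to be enforced in the fabric rather than on the FW, which is the trade-off the L2 handoff option (a) avoids at the cost of flooded L2VNs.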