06-08-2022 03:22 AM
Our objective is to support segregation / policy management / distinct access policies on a per-host basis inside a LAN (an SD-Access type of solution).
The basic restriction we face is that the LAN isn't segmented into multiple VLANs: there is one broadcast domain (a flat VLAN), and the customer has specifically requested that no re-addressing be performed.
It seems that one possible solution would be to rely on the Private VLAN (PVLAN) implementation shown in this link:
"Promiscuous port—A promiscuous port belongs to the primary VLAN. The promiscuous port can communicate with all interfaces, including the community and isolated host ports, that belong to those secondary VLANs associated to the promiscuous port and associated with the primary VLAN. You can have several promiscuous ports in a primary VLAN. Each promiscuous port can have several secondary VLANs or no secondary VLANs that are associated to that port…"
My question is the following:
Please provide info/insight
Best regards
Depy V
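As an added illustration of the Private VLAN approach the post above refers to (example configuration written for this page, not part of the original thread and not Cisco's documentation text): one primary VLAN carries the existing flat subnet unchanged, an isolated secondary VLAN holds hosts that may only reach the gateway, and a community secondary VLAN holds hosts that may also reach each other. The VLAN numbers, interface names, descriptions and the 10.10.0.0/16 subnet are assumptions chosen for illustration; the syntax is Catalyst IOS/IOS-XE.

```cisco
! Added example (not from the original post): Private VLAN on a Catalyst
! access switch. VLAN IDs, interface numbers and addresses are assumptions.
!
! All hosts keep their addresses in the single existing subnet: the
! primary VLAN 100 is that subnet, the secondary VLANs only change who
! may talk to whom at Layer 2, so no re-addressing is required.
!
! PVLANs require VTP transparent mode (or VTP version 3); VTP v1/v2
! servers do not propagate private VLANs.
vtp mode transparent
!
! Primary VLAN: the VLAN the gateway / promiscuous port sits in.
vlan 100
 name FLAT-LAN-PRIMARY
 private-vlan primary
 private-vlan association 101,102
!
! Isolated secondary VLAN: hosts here reach only promiscuous ports,
! never each other (only one isolated VLAN is allowed per primary).
vlan 101
 name ISOLATED-HOSTS
 private-vlan isolated
!
! Community secondary VLAN: members reach each other and promiscuous
! ports, but not other communities or isolated hosts.
vlan 102
 name COMMUNITY-PRINTERS
 private-vlan community
!
! Host ports: the former access port is bound to <primary> <secondary>.
interface GigabitEthernet1/0/1
 description user PC - isolated
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface GigabitEthernet1/0/2
 description printer - community
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Promiscuous port: uplink to the router/firewall that is the default
! gateway for the whole flat subnet. It maps the primary VLAN to every
! secondary VLAN it must serve.
interface GigabitEthernet1/0/24
 description uplink to gateway - promiscuous
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! If the switch itself is the Layer 3 gateway, the SVI on the primary
! VLAN needs the same mapping so it answers ARP from the secondary VLANs.
interface Vlan100
 ip address 10.10.0.1 255.255.0.0
 private-vlan mapping 101,102
!
! Trunks carrying PVLANs between switches must allow both the primary
! and the secondary VLANs (a standard 802.1Q trunk is shown).
interface GigabitEthernet1/0/25
 description trunk to distribution
 switchport mode trunk
 switchport trunk allowed vlan 100,101,102
```

Verify with `show vlan private-vlan` and `show interfaces GigabitEthernet1/0/1 switchport`. Two caveats a practitioner should keep in mind: PVLAN isolation is Layer 2 only, so if the gateway has local proxy ARP enabled on the primary-VLAN interface (`ip local-proxy-arp` on an SVI), isolated hosts can still reach each other by being routed through the gateway; leave it off or filter there. And PVLANs group hosts into isolated or community sets rather than giving a distinct policy per host, so the per-host policies asked for above still have to be applied at the gateway or with a group-based mechanism.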
06-08-2022 05:50 AM
Hi
Considering SDA with DNAC, Nexus and Catalyst 1K seem not to be supported.
You can see all supported here:
https://www.cisco.com/c/dam/en/us/td/docs/Website/enterprise/dnac_compatibility_matrix/index.html
About your requirement, I don't see it as a problem; actually the opposite. I had a situation recently where segmentation was necessary and the DNAC only allows a contiguous segment on the DHCP. That was for Wi-Fi. I had to add one VLAN per floor, but DNAC supports only one scope per SSID, which forced me to use one big network for the whole site.
For the LAN network it is different, but I don't see a problem with the broadcast domain.
I don't see the concept of an isolated VLAN in Cisco SDA, but you can rely on SGT for segmentation.