Hi Balaji,

1) The transit is IP based, I would like to have full understanding of the configuration and consideration needed in the transit, starting from my side (Borders and fusion) to the ISP side (I don't know if we should ask him to put any kind of config to support something specific or the WAN should stay agnostic about what we are doing in our side, it has only to provide reachability)

2)  Yes, I really want to have a deep understanding about Why and how we deploy SXP tunnels in the SD-access with IP transit, what is the workflow, what is done for reachability in the borders and what is done for SXP to transport SGTs... these are just the basics, I'm really looking for a deep understanding of every aspect in the architecture

3) I'm sorry, I didn't get "you can dd DNAC to ISE MNT to manage" : you mean monitoring DNA-C health in ISE? We are looking for deploying ISE centrally (in 2 DCs) for cost proposes, we can't afford PSNs in every site

4) So we are forced to implement a full cluster in a single site ? that's dangerous if the site somehow is not reachable or completely destroyed (well it's unlikely to happen but possible and should be taken in consideration), I'm aware that DNAC manages only config pushes to sites and check the health of different components / automation tasks as new deployments etc and doesn't effect control and dataplane, but sill.

Hi scott,

When you say E-BGP in transit, you mean in the external side of our borders only or even the ISP WAN routers? As far as I know, ISP side is agnostic about what we are doing regarding SD-Access, he can only provide connectivity using their usual protocols, do you think it's something that should be discussed with the WAN provider ? I will check the cisco live session thank you

Regarding ISE, I like the Idea of VIP and a load balancer but we can't afford it, we are thinking of having a cluster deployed over 2 DCs and that's it, I think I need to check latency requirements and bandwidth etc.

So we can't have geolocation redundancy, in case the whole DC is down somehow? As I said to Balaji, maybe the fact that DNAC doesn't affect Data plane and control plane process in case of Datacenter failure, where can I find such information I didn't see it mentioned in the cisco's failover 3 node cluster scenarios 

In the end, I would really like to understand more and more about SD-access but unfortunately I find it hard since we don't have a global guide pointing towards every piece and technical challenges and scenarios, not just the concepts but deep and detailed explanation, if you have any recommended library, video series or anything that could help (besides of CVD because it's really explaining general guidelines)

Thank you

I can only address some of the resources you looking, most SD-Access related resources are here : ( very helpfull) - since its new, you can get all in one place very handy, but eventually we get there once people are start using and use case become for our howto guides.

https://community.cisco.com/t5/networking-documents/cisco-sd-access-resources/ta-p/4196271#Design

Cisco Live presensentation are very very helpful to understand better of SD-Access.

Thank you Balaji, I hope that everything is explained there in details

TrickTrick,

E-BGP for IP Transit is only between the Border and the next hop device. As you state, the ISP side protocol is agnostic to SD-Access.

Documentation of the single-site deployment requirement can be be found here : https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/2-2-2/ha_guide/b_cisco_dna_center_ha_guide_2_2_2.html#concept_zfd_5px_zfb :

Multinode cluster deployments require all of the member nodes to be in the same network and at the same site. The Cisco DNA Center appliance does not support the distribution of nodes across multiple networks or sites.

Cheers,
Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking and Cloud Group

Regarding the cluster, there's then only one design validated by cisco which forces the installation of the 3 nodes in a single location.. otherwise maybe we can use a second cluster of 3 nodes in a 2nd DC (which is unlikely to be opted for for financial reasons)

Sorry for insisting, but when you say next hop device, it's still the Provider router, so he needs to adjust his config for us to support BGP (in case he doesn't use it already), if it's the case, is there any resources explaining what we can do in both sides (our side in the border and provider's side (next hop)) ?

I'm really curious how people already started deploying sd-access (even in labs) while there's almost no details explained step by step for example from Cisco... I'm missing something or there's other resources than Cisco's ones.. I'm lost ...not gonna lie 

Thank you again 

TrickTrick,

Sorry for any confusion. I will try to be more clear.

We support any routing protocol for handoff from the SDA Border. Our Best Practice is E-BGP, and this is orchestrated by DNA Center. If you use a protocol other than E-BGP, then you will have to configure it yourself and make sure that there are no loops between the Borders and next-hop devices. One reason we  have E-BGP as a Best Practice is because it has built-in loop prevention mechanisms. Any configuration done on the next-hop device has to be done outside DNA Center, as DNA Center will only configure the Border side of the handoff. This is also explained in more detail in the Cisco Live session I sent.

We do have deployment guides available that can walk you through step-by-step for different work flows related to SD-Access, and these are found at the link provided by Balaji. 

Cheers,
Scott Hodgdon

Senior Technical Marketing Engineer

Enterprise Networking and Cloud Group