
SD-Access DNA 2.2 - SGT policies without ISE

MaxSL
Level 1

Hello, community

 

I'm having a hard time finding an answer to the following...

 

With 2.1, DNA Center got the ability to create SGTs, as well as policies with contracts between SGTs. What I do not understand now is what the role of Cisco ISE is, apart from 802.1x and auto-assignment of SGT to the endpoint (not doing that; it will be a manual assignment on a switch port)?

 

Is DNA Center now capable of pushing SGT policies to the network devices (switches) w/o ISE?

 

Thank you all in advance for your responses.

Accepted Solutions

Hi Max,

DNA Center contains a UI for creating and managing  for Group-Based Policy, but the actual policy is stored in ISE. Switches download the policy (SGACLs) from ISE before they can enforce the policy. This means that even if ports have no authentication, ISE is still required for policy download.

Best regards, Jerome


5 Replies

Hi

It works like this. You create the SGT, scalable groups and access contract on the DNAC, but through the API (pxGrid) DNAC sends this information to ISE, and ISE is responsible for controlling everything.

 

Thanks, Flavio.

 

The main question is: does DNAC or ISE push SGT access lists to the switch?

 

balaji.bandi
Hall of Fame

Now and in the future - ISE (identity plays a major role in the network) - even if you push SGT and configure SGT, what part of it is verified if you do not have any identity engine in place?

 

DNAC is just an orchestration tool; ISE plays a big role in the network. So if this is a big network, consider that ISE integration with DNAC will have more advantages.

 

 

BB


Thanks, Balaji

 

There is no 802.1x; the port on a switch will get its SGT assignment from DNA-C (manually), so I do not understand what ISE will verify there...
