
SDA and SGT without ISE

o_unzueta
Level 1

Good day,

A client wants to start an SDA implementation, but they have not acquired ISE licenses yet.

They will implement ISE in some time.

I wanted to know if it's possible to implement SDA and manually configure SGTs to create 'some' policies for microsegmentation?

Even if this becomes a 'manual' procedure where they have to specify the VN and SGT for every Switch Port or wireless SSID.

Is this possible?

Thanks

OUnzueta

2 Accepted Solutions


balaji.bandi
Hall of Fame

SDA (DNAC) is more of a replacement of the manual process, to automate everything in a seamless manner where manual mistakes never take place.

I know people have a hard time getting the whole solution built with all components and license models.

ISE plays the main role for Scalable Group Tag (SGT): to identify who you are and what you can do in the network.

You can do VN, but I would strongly recommend having SGT with ISE. If ISE is not in place, deploy when there is availability, rather than complicate SDA or opt for other ISE alternative options. (I still suggest having basic ISE availability.)

BB


Jonathan Cuthbert
Cisco Employee

Before SD-Access, we had a solution called Campus Fabric.  There are a number of Cisco Live sessions from the 2016 to 2017 time frame that discuss this earlier solution.  Campus Fabric is a manual approach to network segmentation similar to what is provided by SD-Access.  I say similar because we have come a long way since Campus Fabric and can do so many more things and have further features all provided through the Cisco DNA Center Automation.  It's the Automation that truly differentiates Campus Fabric from SD-Access. 

With regards to the SD-Access solution, it is composed of three parts:

* Identity Services Engine (ISE)
* Cisco DNA Center
* Supported Device Platforms (Routers, Switches, APs, WLCs)

All three of these pieces are REQUIRED for the SD-Access solution.  If all three parts are not there, then the deployment is not SD-Access, it's something else. 

ISE does provide some temporary licenses upon VM creation. (It was 90-days last time I checked, but please refer to the ISE collateral for authoritative certainty).
