
Design: Placing ISE and DNAC inside the ACI Fabric?

Johannes_Grimm
Level 1

Dear community,

We are currently planning the implementation of SDA as a counterpart to our ACI Fabric. Right now we are asking ourselves where to place the DNA Center and ISE. Would you place the appliances inside or outside the ACI Fabric?

Best regards,

Johannes

2 Accepted Solutions

ChuckMcF
Level 1

Ours is located in SDA and what we call our "Legacy" network. This allows us to keep the underlay traffic separate from our management traffic. That way any communication from the NAD's Loopback interface (RLOC) will talk to DNAC and ISE on the underlay network (and all other communication that needs to happen will stay there). Then for management of DNAC and ISE via web GUI that traffic can happen in our management networks in the SDA SGT Pool and the Legacy VLAN via SXP mapping. Our end goal for deploying this way was to ensure that we kept traffic from traversing the Fusion Routers if it didn't need to do so.

HTH,

Chuck McFadden

ammahend
VIP

DNAC and ISE will be accessed by almost all network devices, so even if you put them inside the ACI fabric, you will have to keep them in a separate group and configure special permissions for them. I am inclined more towards keeping them outside the ACI fabric. There is also a good Cisco Live lab session (LTRACI-2636) on this; see enclosed.

Let's see what other community members have to say.

-hope this helps-

4 Replies

Hi Chuck, hi Ammahend,

Thank you very much for your views. There does not seem to be a "right" way here. We have decided to form a separate segment for Network Services outside of the ACI and SDA fabrics.

In this way, we want to ensure that these central management components continue to function within the fabric in the event of a fault. Especially the placement of a firewall between the two fabrics, which depends on the security tag information from each fabric for its functionality, made us take this step.

Best regards,

Johannes

You are correct in saying that there is no specific one way to implement a solution. One thing I love about the Cisco Community boards is that you can get an idea of how others have done it in the past and add in your specific needs to come up with the best solution for you. I'm glad we were able to help. Please feel free to update this thread on how your implementation goes, or start a new one, so that others can see what you've done.

Have a great day,

Chuck McFadden

--please mark helpful posts as helpful--
