Design: Placing ISE and DNAC inside the ACI Fabric?

Dear community,

We are currently planning the implementation of SDA as a counterpart to our ACI Fabric. Right now we are asking ourselves where we can place the DNA Center and ISE. Would you place the appliance inside or outside the ACI Fabric?

Best regards,

Johannes

Accepted Solutions

Ours is located in SDA and what we call our "Legacy" network. This allows us to keep the underlay traffic separate from our management traffic. That way any communication from the NAD's Loopback interface (RLOC) will talk to DNAC and ISE on the underlay network (and all other communication that needs to happen will stay there). Then for management of DNAC and ISE via web GUI that traffic can happen in our management networks in the SDA SGT Pool and the Legacy VLAN via SXP mapping. Our end goal for deploying this way was to ensure that we kept traffic from traversing the Fusion Routers if it didn't need to do so.

HTH,

Chuck McFadden

DNAC and ISE will be accessed by almost all network devices, so even if you put them inside the ACI fabric, you will have to keep them in a separate group and configure special permissions for them. I am inclined more towards keeping them outside the ACI fabric. There is also a good Cisco Live lab session (LTRACI-2636) on this, see enclosed.

Let's see what other community members have to say.

Replies

Hi Chuck, hi Ammahend,

thank you very much for your views. There does not seem to be a "right" way here. We have decided to form a separate segment for Network Services outside of the ACI and SDA Fabric.

In this way, we want to ensure that these central management components continue to function within the Fabric in the event of a fault. In particular, the placement of a firewall between the two fabrics, which depends on the security tag information from each fabric to function, made us take this step.

Best regards,

Johannes

You are correct in saying that there is no specific one way to implement a solution. One thing I love about the Cisco Community boards is that you can get an idea of how others have done it in the past and add in your specific needs to come up with the best solution for you. I'm glad we were able to help. Please feel free to update this thread on how your implementation goes, or start a new one, so that others can see what you've done.

Have a great day,

Chuck McFadden
