DNAC must use VXLAN? ISE uses SGTs for device policing by default?

Mic_Jameson
Level 1

Hello. I'm fresh off my CCNP Enterprise, so I appreciate SD-Access concepts.

Now that I'm in the real world I appreciate that clients are using all sorts of hybrid technology solutions, and often they don't understand what they are using.

My client had "no connectivity"...

"*TransferTask: Feb 21 08:53:18.073: %SSHPM-3-CA_CERT_TABLE_INVALID: [SA]sshpmcert.c:705 Accessing CA certificate table before initialization"

...to his WLCs, then he rebooted the APs and the symptom vanished. He's asking for an explanation. He said he doesn't know if his network uses VXLAN.

Two questions: If a client is using DNAC, does that imply that the network is using VXLAN?

If it is using VXLAN with ISE, does the default configuration implement SGTs for device authorization (such as APs, WLCs)?

Thank you.

Accepted Solution

Dan Rowe
Cisco Employee

Question: If a client is using DNAC, does that imply that the network is using VXLAN?

Answer: Not necessarily. Cisco DNA Center provides you the ability to implement SD-Access. SD-Access is what uses VXLAN for the campus fabric. If the client is connecting a wired client to a fabric edge node and authenticates to a fabric subnet, we will use VXLAN. If the client is connecting a wireless client to a Fabric-Enabled-Wireless (FEW) WLAN, we will use VXLAN. If the client is connecting a wireless client to an Over-the-top (OTT / Non-FEW) WLAN, we do not use VXLAN as OTT WLANs are treated as traditional CUWN wireless traffic.

Question: If it is using VXLAN with ISE, does the default configuration implement SGTs for device authorization (such as APs, WLCs)?

Answer: No, the default configuration implemented for an SD-Access fabric does not implement SGTs for device authorization. It does implement SGTs for client authentication but there are still configurations that would need to be completed manually on ISE. When the client authenticates to the fabric network, it'll be assigned an authorization profile based on the authorization rule it hits in the list of policy rules. The SGT that the client gets assigned is based on the authorization policy rule that it hits. The fabric edge node will then encapsulate client traffic via VXLAN which will include the SGT of the client & VNID of the virtual network. Remember that an SD-Access fabric does both macro and micro-segmentation. Virtual networks/VRFs are used for macro-segmentation while the SGTs are used for micro-segmentation.
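
The answer above says the fabric edge carries both the client's SGT and the virtual network's VNID inside the VXLAN encapsulation. The following is an added example, not code from the thread or from Cisco: a small parser and builder for the VXLAN-GPO (Group Policy Option) header, which is the VXLAN variant that carries a 16-bit Group Policy ID (the TrustSec SGT) alongside the 24-bit VNI, plus a toy decision function that shows where macro-segmentation (different VNID, i.e. different VRF) ends and micro-segmentation (SGT-to-SGT matrix inside one VNID) begins. The header layout follows draft-smith-vxlan-group-policy and RFC 7348; the VNIDs, SGT values, packet bytes and the policy matrix are all constructed for illustration, and the matrix is a stand-in for the SGACL policy ISE would push, not ISE's real data model.

```python
"""
Added example: decode/encode the VXLAN-GPO header and evaluate a constructed
SGT matrix. Layout (draft-smith-vxlan-group-policy, extending RFC 7348):
  byte 0: G R R R I R R R   (G = Group Policy ID present, I = VNI valid)
  byte 1: R D R R A R R R   (D = don't learn source MAC, A = policy applied)
  bytes 2-3: Group Policy ID (16 bits) -- the TrustSec SGT
  bytes 4-6: VNI (24 bits) -- the virtual network / VRF identifier
  byte 7: reserved
"""
from dataclasses import dataclass
from typing import Optional

FLAG_G = 0x80  # byte 0: Group Policy ID field is valid
FLAG_I = 0x08  # byte 0: VNI field is valid (RFC 7348)
FLAG_D = 0x40  # byte 1: don't learn the inner source MAC
FLAG_A = 0x08  # byte 1: policy has already been applied upstream


@dataclass(frozen=True)
class VxlanGpoHeader:
    vni: int
    sgt: Optional[int]  # None when G is clear (plain VXLAN, no tag carried)
    policy_applied: bool
    dont_learn: bool


def parse_vxlan_gpo(header: bytes) -> VxlanGpoHeader:
    """Decode the 8 bytes that follow the outer UDP header."""
    if len(header) < 8:
        raise ValueError("VXLAN header is 8 bytes, got %d" % len(header))
    flags0, flags1 = header[0], header[1]
    if not flags0 & FLAG_I:
        # RFC 7348: a frame whose I flag is clear must be dropped.
        raise ValueError("I flag clear: VNI not valid")
    sgt = int.from_bytes(header[2:4], "big") if flags0 & FLAG_G else None
    vni = int.from_bytes(header[4:7], "big")
    return VxlanGpoHeader(
        vni=vni,
        sgt=sgt,
        policy_applied=bool(flags1 & FLAG_A),
        dont_learn=bool(flags1 & FLAG_D),
    )


def build_vxlan_gpo(vni: int, sgt: Optional[int], policy_applied: bool = False) -> bytes:
    """Encode a VXLAN-GPO header; sgt=None produces a plain VXLAN header."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    flags0, gpid = FLAG_I, 0
    if sgt is not None:
        if not 0 <= sgt < 1 << 16:
            raise ValueError("SGT must fit in 16 bits")
        flags0 |= FLAG_G
        gpid = sgt
    flags1 = FLAG_A if policy_applied else 0
    return (bytes([flags0, flags1]) + gpid.to_bytes(2, "big")
            + vni.to_bytes(3, "big") + b"\x00")


# Constructed (source SGT, destination SGT) -> verdict table, standing in for
# the SGACL matrix ISE would push. Unlisted pairs fall through to the default;
# "permit" is assumed here purely for the example.
POLICY_MATRIX = {
    (10, 20): "deny",    # e.g. Guests -> Corporate users
    (20, 30): "permit",  # e.g. Corporate users -> Servers
}
DEFAULT_ACTION = "permit"


def decide(src_vni: int, src_sgt: Optional[int], dst_vni: int, dst_sgt: int) -> str:
    """Which segmentation layer governs the flow, and the resulting verdict.

    Different VNIDs are different VRFs: the fabric itself provides no path
    between them, so the SGT matrix is never consulted (macro-segmentation).
    Within one VNID the (src SGT, dst SGT) pair selects the matrix entry
    (micro-segmentation). A frame with no SGT has nothing to evaluate.
    """
    if src_vni != dst_vni:
        return "blocked-by-vn"
    if src_sgt is None:
        return "unknown-sgt"
    return POLICY_MATRIX.get((src_sgt, dst_sgt), DEFAULT_ACTION)


if __name__ == "__main__":
    # Constructed sample: VNID 4099 (a campus VN), client tagged SGT 10.
    hdr = build_vxlan_gpo(vni=4099, sgt=10)
    print(hdr.hex())           # 8800000a00100300
    print(parse_vxlan_gpo(hdr))
    print(decide(4099, 10, 4099, 20))  # deny  (same VN, matrix row hit)
    print(decide(4099, 10, 4100, 20))  # blocked-by-vn (different VRF)
```

Two points worth noticing when reading captures from a fabric: the SGT only exists in the header when the G flag is set, so a plain VXLAN frame (OTT wireless or a non-TrustSec tunnel) carries no tag at all, and the 24-bit VNI is what separates virtual networks before any SGT logic runs.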
