Scribd
Upload
511 views

Cisco Software Defined Access (SDA) : High-Level Design (HLD)

Uploaded by

Daniella Colmenares
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
511 views

Cisco Software Defined Access (SDA) : High-Level Design (HLD)

Uploaded by

Daniella Colmenares
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 49

SDA HLD

Cisco Software Defined Access (SDA)


High-Level Design (HLD)
An SDA HLD may be requested at any time by the Cisco TAC to troubleshoot an SDA
deployment. An HLD will be required for any assistance by the Enterprise Business
Unit TME Team (ENB-TME) for Technical Marketing or Escalation services. Inability to
produce a current HLD upon request covering the full scope of your SDA deployment
will delay the resolution of your problem. Even though SDA deployment does not
require an HLD, it is still recommended to submit an HLD for review by TME team.

Required preliminary information Provide your answers in this column


Customer Company Name

HLD Submitter’s Name and Contact Information

Lab Evaluation Exception Yes or No


Are the above Sales Order(s) for a Lab Evaluation or Proof of
Concept with <= 100 endpoints? If so, no further HLD details are
required however please state the anticipated length of the
evaluation. An HLD is still highly recommended for planning and
design purposes.

Optional information Provide your answers in this column


Partner Company Name

Partner Engineer’s Name, Email and Phone


That created or reviewed this HLD

Cisco Sales Order number(s),


If order has been placed

Content

SDA HLD © 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 49
Introduction..................................................................................................................................................................................................................... 4
SDA Partner Resource Center.................................................................................................................................................................................... 4
SDA Design Engineers.............................................................................................................................................................................................. 4
Document Purpose..................................................................................................................................................................................................... 4
Why is Completing the HLD is recommended Prior to Placing the Order?................................................................................................................4
Business Objectives......................................................................................................................................................................................................... 5
Customer’s Business Goals........................................................................................................................................................................................ 5
Estimated Timelines........................................................................................................................................................................................................ 6
Business Intent........................................................................................................................................................................................................... 7
Scope & Scale............................................................................................................................................................................................................ 8
Miscellaneous............................................................................................................................................................................................................ 9
Customer Network Overview........................................................................................................................................................................................ 10
Physical Network Topology..................................................................................................................................................................................... 10
Design Considerations and Scope................................................................................................................................................................................. 12
Cisco Software Defined Access solution.................................................................................................................................................................. 12
Cisco DNA Center 1.2.10.............................................................................................................................................................................................. 13
Network Connectivity................................................................................................................................................................................................... 15
Network Connectivity Services................................................................................................................................................................................ 15
Network Connectivity: Wired Connections..............................................................................................................................................................17
Network Connectivity: Underlay and Overlay......................................................................................................................................................... 20
Network Connectivity: Wireless.............................................................................................................................................................................. 22
Network Connectivity: Transit................................................................................................................................................................................. 23
Policy............................................................................................................................................................................................................................ 25
Policy: Overview..................................................................................................................................................................................................... 25
Policy: General........................................................................................................................................................................................................ 26
Policy: Macro and Micro Segmentation................................................................................................................................................................... 27
Policy: Cisco Identity Services Engine.................................................................................................................................................................... 28
Cisco SDA Design Guidance........................................................................................................................................................................................ 34
Very Small Design................................................................................................................................................................................................... 34
Small Design............................................................................................................................................................................................................ 36
Medium Design........................................................................................................................................................................................................ 36
Large Design............................................................................................................................................................................................................ 37
Cisco DNAC Ports........................................................................................................................................................................................................ 39
Cisco DNAC Node Communications.......................................................................................................................................................................39
Cisco DNA Center 1.2.10 Scale.................................................................................................................................................................................... 40
Cisco SDA Supported Latency...................................................................................................................................................................................... 41
Latency Requirements (RTT)................................................................................................................................................................................... 41
Cisco SDA Supported Wired Platforms........................................................................................................................................................................ 42
Fabric Edge, Border and Control Plane.................................................................................................................................................................... 42
Cisco SDA Supported Wireless Platforms..................................................................................................................................................................... 43

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 2 of 49
FEW and OTT......................................................................................................................................................................................................... 43
Policy Details................................................................................................................................................................................................................ 44
Deployment Details....................................................................................................................................................................................................... 47
Unknowns................................................................................................................................................................................................................ 47
High Availability..................................................................................................................................................................................................... 47
Migration................................................................................................................................................................................................................. 47
ISE Node details...................................................................................................................................................................................................... 47
Bill of Materials (BOM)................................................................................................................................................................................................ 49
Appendix....................................................................................................................................................................................................................... 50
SDA Partner Resource Center.................................................................................................................................................................................. 50
SDA Ordering Guide............................................................................................................................................................................................... 50
SDA CVD Documents............................................................................................................................................................................................. 50

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 3 of 49
Introduction

SDA Partner Resource Center


This SDA Resource Center is the central repository for partner focused SDA materials and open to current
SDA partners. If not already registered, click the request access link for access.

SDA Design Engineers


You are required to answer all questions, in full and with details. On the Menu Bar, please click on insert 
new Comment to reply to reviewer’s comments, and fill in the tables that are provided in the template for the
design details. Please do not modify gray content and examples.

Document Purpose
This document provides a template to be used when creating a high-level design (HLD) for the Cisco Software
Define Access (SDA). The Cisco TAC or Enterprise Business Unit representatives may request a copy of the
HLD with any support or escalation case.

Why is Completing the HLD is recommended Prior to Placing the Order?


The Cisco Software Defined Acccess solution is a system architecture comprising of many components
including network access devices with programmable switches, Cisco DNA Center, Identity Services Engine,
endpoints, identity stores, , and many APIs for integrations to provide Segmentation, Encrypted Traffic
Analysis (ETA), and AAA for all access user and device access control needs. An engineer must consider the
SDA solution holistically and consider immediate as well as future requirements prior to deciding what
equipment to purchase. This HLD template will step the engineer through what needs to be considered. If the
engineer is not intimately familiar with the proposed network, a network assessment may be necessary prior to
completing the HLD.

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 4 of 49
Business Objectives
Customer’s Business Goals
Describe the customer’s business goals. Consider the following example business goals:
● Simplify my network operations by using automation, there are many challenges today in managing the
network because of manual configuration and fragmented tool offerings.
● Faster change management, standard operational activities in running a network e.g. upgrade software and
configurations periodically
● Provide faster resolution to current issues, whenever a failure occurs provide visibility for pinpointing and
resolving the issue. properly correlate collected data to understand the various contexts of network and
user behaviors
● Get visibility in to users and devices connecting to the network -- Profiling for visibility or inventory
management
● Implement a consistent policy for Wired and Wireless networks by providing role-based access control
and segmentation for East-West as well as North-South traffic.
● Differentiation of service based on user identity, device type, location etc …
● Regulatory compliance
● Providing guest access
● Managing employee-provided devices (e.g., iPads)
● Port lockdown
● Ensuring endpoint health or posture
● Other

The details provided in later sections of this HLD should reflect the business objectives stated here.

Customer’s Business Goals

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 5 of 49
Estimated Timelines
Number of
Phase endpoints Begin End Comments
Lab testing and qualification N/A
Final Design Review call with Cisco SME N/A Earliest target date for Latest target date for May also occur after
review call review call initial pilot/POC phase
Production phase 1 (pilot)
Production phase 2
Production phase 3

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 6 of 49
Business Intent
Deployment Summary Response
What are the Top Priorities? Please check or add to the list to Network Automation
the right): Wired and Wireless Mobility
Policy and Segmentation
Assurance and Analytics
What types of Access Control? Identity (MS AD, LDAP, Duo, etc ..)
Access Control
Asset Visibility
Access Control (EAP, MSCHAP ..)
Guest Access
BYOD & Enterprise
Segmentation
Firewalls

What level of Application Visibility? Basic


FNF
Advanced
NBAR
SD-AVC
Any applications that use Multicast? YES (Internal Border + RP)
NO (No Considerations)
Any applications that use Layer 2? YES (Internal Border + L2 GW)
NO (No Considerations)

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 7 of 49
Scope & Scale
Describe the Scope of the project, number and types of sites the customer has, while describing the scope,
consider the following items
● Expansion plan
● Sites which will participate in POC or Pilot
● Overall coverage will help in designing Cisco DNAC and Cisco ISE design for the customer

Deployment Summary Response


Is this a Single Site or Multiple? Single Site (Basic Border)
Multiple Sites (Borders + Transit)
What types of Sites? Campus (Small, Medium, Large)
Branch (Very Small – FIAB. Small, Medium & Large)
How many Endpoints per Site? Very Small Site (< 2K Clients)
Small Site (< 10K Clients)
Medium Site (Dedicated CP’s)
Large (Dedicated Borders + Dedicated CP’s)
Details on endpoints per site?
● Total endpoint count for entire deployment (endpoint count equals the
sum of user and non-user devices)
o Total concurrent user endpoints including guest devices per site
o Total concurrent non-user endpoints (Including IoT devices, IP
Phones, Wireless APs, Printers, etc.)
o Total Wiring closets with-in each site (if designing for
survivability and redundancy)

Are the Sites Existing or New? Incremental (Custom LAN, WLAN + SDA Overlay)

Parallel (LAN Automation + SDA Overlay)


Which Sites require Internet Access? Campus (Single Fabric)
Branch (Multiple Fabrics)
Are the Sites Business Critical? Link Redundancy ( 2 x links)
Device Redundancy ( 2 x Devices)

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 8 of 49
Miscellaneous
Deployment Summary Response
Other Integrations ETA External Integrations
Radius Proxy Cisco Stealth Watch
Other Use Cases:

3rd Party Radius Servers


o Vendor name and version
o Deployment details
o Placement of Radius Server

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 9 of 49
Customer Network Overview
Physical Network Topology
Insert a high-level network diagram showing the SDA Design, placement of Edge, Border and Control nodes,
Wireless LAN Controllers and show placement of network services such as DHCP Server, Active
Directory/LDAP, DNS servers, NTP servers, and VPN concentrators. This should include number of sites and/
or branch networks and data centers. Include the general number of endpoint and types per location. Include
placement of SDA components like Cisco DNAC, Cisco Identity Services Engine and others. Include WAN
bandwidth information.
Bandwidth and latency requirements between various components on the DSA architecture are outlined in the
“Cisco SDA Supported Latency” section of this document.
Note: When ISE is deployed in a distributed environment, the maximum latency between admin node and any
other ISE node including secondary admin, MnT, and PSN is 300ms. Here is link to the WAN bandwidth
calculator for ISE deployment (May need to copy & paste the url https://community.cisco.com/t5/security-
documents/ise-latency-and-bandwidth-calculators/ta-p/3641112). This calculator can be used to find out how
much bandwidth needs to be reserved for ISE operation across WAN links.

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 10 of 49
Customer’s Physical Network Topology

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 11 of 49
Design Considerations and Scope
Cisco Software Defined Access solution

The recommended way to design an SDA Fabric is to logically separate the Network Connectivity with the Policy design. Customers
could be the same team for network design and policy design or could be separate team functions where running the network
operations is responsibility of the NetOps (network operations) team and Policy design is handled by the SecOps security operations)
team.

It is important to understand customer environment and be inclusive of all the stakeholders.

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 12 of 49
Cisco DNA Center 1.2.10
Cisco DNA Center is the network management and command center for Cisco DNA, your intent-based network for the enterprise, your
overall solution scale is driven by Cisco DNAC.

Question Response
Cisco DNAC: Placement
Where is Cisco DNAC placed?

Local, Remote, across WAN


Cisco DNAC: Management IP’s and VRFs

What is the Cisco DNAC Mgmt IPs?


Are there any VRF’s?

DNAC now supports VIP (required), even if it’s a single Cisco DNAC server/
appliance

Cisco DNAC: Ports

Is Cisco DNAC behind a Firewall?

Please refer to the DNAC Ports requirements in this document “Cisco DNAC Node
Communications”

Cisco DNAC HA:

Is Cisco DNAC business Critical?

NO – Single Cisco DNAC appliance


YES – 3 Cisco DNAC appliances

Cisco DNAC HA: Automation vs Assurance

What is the HA plan?

DNAC HA requires 3-nodes. All DNAC should be in same DC, since the latency is
10ms (1-hop away)
SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 13 of 49
Question Response
Automation vs Assurance: Automation can be Active-Active, whereas Assurance is
Active-Passive.

When running DNAC with 2 nodes, HA is not supported but the servers can be
deployed in a cold stand-by mode.

Cisco DNAC: Disaster recovery plan

Current Cisco DNAC Disaster Recovery offering is to restore the last known
configuration to the DR site

Brownfield Customers
Question Response
Prime
Is the customer using prime today?

Create new Sites or import from Prime?

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 14 of 49
Network Connectivity
Connection Network Services should be done first because the location of these services and how they are accessed will directly
impact the design of all of the subsequent stages.

Network Connectivity Services


Question Response
DHCP and DNS: Placement

Fabric enabled network requirement is for your DHCP Server to support Option 82.
In summary Option-82 Remote-ID Sub Option:Stringencodedas “SRLOCIPv4
address" and "VxLANL3 VNI ID" associated with Client segment

Where are DHCP & DNS?

Where are the servers located, what are the OS / Apps, Are there
VRFs, etc.?

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 15 of 49
Question Response
IPAM Model: IP address management

External or Manual, What are the IP Pools for Hosts, for Devices, Are there VRFs,
etc.?

What is the IPAM model?

IPAM Server (IPAM Integration + Site Reserve)


Manual IPAM (Global Pools + Site Reserve)

Global Routing Table vs VRF

Are Services in GRT or VRF?

Services in GRT (Fusion + Route Leaking)


Services in VRF (MP-BGP + VPN Routing)

Miscellaneous

What types of Network Services?

Multicast / Broadcast?
Voice / Video (Collaboration)?
Client Services (mDNS)?
Data Collection (SPAN/Netflow)?

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 16 of 49
Network Connectivity: Wired Connections

This stage is focused on building out the “wired” infrastructure, which will interconnect all of the other
elements
Wired Connection should be done second because how the physical infrastructure is setup will directly impact
the design of the wireless & transit stages.
This includes question on Fabric Edges (access layer switches).

Question Response
Network Connections: LAN Switches

Are there 1-2-3 Tiers? Border, CP, Edge? What is the scale? Do we
need HA, etc.?

Network Connections: LAN Routers

What are the other domains? What protocols? What is the scale? Do
we need HA, etc.?

Network Connections: Firewalls

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 17 of 49
Question Response
Are there VRFs? IP vs. SGT based rules? What is the scale? Do we
need HA, etc.?

Wired – Network Tiers

How many Network Tiers?

3-Tier – Refer to the “SDA Design Guidance” section


2-Tier – Refer to the “SDA Design Guidance” section

Wired – Core Device

What type of Core device(s)?

Refer to the “SDA Design Guidance” section

Wired – Distribution Device

What type of Distribution device(s)?

Refer to the “SDA Design Guidance” section

Wired - Access & Extension

Any Endpoints at the distribution?

YES – Edge capable device(s)


NO – Any device(s) allowed

Wired - Access & Extension

What type of Access device(s)?

Refer to the “SDA Design Guidance” section

Wired - Access & Extension

Any Fabric Extended node(s)?

YES – Connect to Edge Node(s)


NO – No considerations

Wired - Access & Extension

What type of Extended device(s)?

CDB -- Building - Outdoor


C3560-CX – Workspace
IE4K -- Industrial
IE5K -- Industrial

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 18 of 49
Network Connectivity: Underlay and Overlay

This stage is focused on building Underlay and Overlay for the fabric. let’s look at a combined packet when it
gets across the Fabric i.e. underlay and overlay encapsulation.

We can also take a high-level look at the function for an overlay and underlay

Underlay Network Overlay Network


Routing ID (RLOC) – IP address of the LISP router Endpoint Identifier (EID) - IP address of a host
facing ISP VRF
Instance Id
Dynamic EID
VLAN

In summary, Overlay networks in data center fabrics are commonly used to provide Layer 2 and Layer 3 logical
networks with virtual machine mobility (examples: Cisco ACI™, VXLAN/EVPN, and FabricPath). Overlay
networks are also used in wide-area networks to provide secure tunneling from remote sites (examples: MPLS,
DMVPN, and GRE).

Question Response
Wired - Underlay

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 19 of 49
Question Response
What type of Underlay?

LAN -- Single Site


MAN – Multiple Sites

Wired - Underlay

What type of Underlay setup?

Manual -- Jumbo MTU, >100ms Latency


Automated – No considerations

Wired – Control Plane

Collocated or Distributed CP + Border?


Which nodes will be Control Plane?

Refer to the “SDA Design Guidance” section

Wired – Border Node

Which nodes will be Border Node?

Refer to the “SDA Design Guidance” section

Network Connections: Border Nodes

More than 2 Exit Points?

YES – Internal + External


NO – External Border

Network Connections: Border Nodes

Connected to Internal Subnets?

YES – Internal
NO – External Border

Network Connections: Border Nodes

How many Internal Exits?

2-4 – Internal + External


> 4 – 2 Internal per Exit

Network Connectivity: Wireless

This stage is focused on building the “wireless” on top of the wired infrastructure.
Wireless Connection should be done third because the placement of WLCs and APs will be based on the wired
infrastructure and client scale.

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 20 of 49
Question Response
Wireless - WLAN Controllers

How many APs? How many SSIDs? Do we need HA? FEW vs.
OTT, etc.?

Wireless - Access Points

What is the latency from AP to WLC ?

Maximum supported is 20 ms
Refer to the “SDA Latency” Section

How many Clients? Wave1 or Wave2? Auth or No Auth? Guest


SSID, etc.?

11ac Wave2 -- No considerations


11n or ac Wave1 -- No IPv6 or AVC

Wireless - FEW vs. OTT

Do they want FEW? Do they need OTT or Mixed? Cisco or 3rd Party
OTT, etc.?

Wireless - FEW

Fabric Enabled Wireless?

YES -- Fabric capable WLC & Aps ?


NO – No considerations

Wireless - AirOS

Traditional Wireless (or Mixed)?

YES -- Border + WLC Subnet


NO – No considerations

Wireless - Guest

Guest Wireless?

Simple -- Guest VN
Dedicated -- Guest VN + Dedicated Border
NO – No considerations

Wireless – WLC Device type

What type of WLC device(s)?

CT8540 -- Large
CT5520 -- Medium
CT3540 – Small

Wireless – WLC High Availability

WLC High Availability?


SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 21 of 49
Question Response
YES -- LAN outside Border
NO – No considerations

Network Connectivity: Transit


This stage is focused on building the “transit” areas between sites, after you’ve completed more than one site
Transit Connection should be done last because the design and deployment of transit devices will be based on
the location, number and scale of the different sites.
Question Response
Network Connections: Transit WAN Routers

What is the MAN/WAN domain? What protocols? What is the


scale? Do we need HA, etc.?

Network Connections: Branch Switches

Part of WAN or a new SDA site? What is the scale? Do we need


HA, etc.?

Network Connections: SDA vs. IP

Do they need VN/SGT across sites? Direct Internet? Metro or


ISP, etc.?

Network Connections: Transit

Connected other Fabric Sites?

YES -- SD-Access Transit


NO – IP-based Transit

Network Connections: Transit

What type of Underlay?

MAN -- SD-Access Transit


WAN – IP-based Transit

Network Connections: Transit

What type of IP-based Connection?

Fusion -- L3 VRF-Lite Only


Firewall – L3 VRF-Lite + SXP

Network Connections: Transit

What is the outside Protocol?

BGP -- External MP-BGP + AF

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 22 of 49
Question Response
EIGRP, OSPF, ISIS – IGP + AF + Distribute-List

Network Connections: Transit

Do you need VRF Transport?

YES -- VRF-Lite or MPLS-VPN


NO – No considerations

Network Connections: Transit

Do you need SGT Transport?

YES -- SXP or SGT Inline-Tagging


NO – No considerations

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 23 of 49
Policy

Policy: Overview
List all security policies that are needed to implement the business requirements described above.
Macro/ Micro Segmentation: Provide details on device segmentation policy using Virtual networks (VN) for
Macro Segmentation and (if required) Scalable Groups (SG) for Micro Segmentation.
Recommendation is to use Macro Segmentation for users and devices which typically do not talk to each other,
some of the Macro segmentation use cases are
●Virtual Network A = USERS
● Virtual Network B = THINGS
● Virtual Network C = GUESTS
Now, for segmentation with-in the VN, recommendation is to use Micro Segmentation.

Question Response
Segmentation: Macro vs Micro

List the customer segmentation use cases and requirements

Macro Segmentation – Virtual Networks (VN’s)


Micro Segmentation – Virtual Networks (VN’s) + SGT’s

 Please see SD-Access CVD for details on Micro and Macro Segmentation
 May need to copy and Paste URL
https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Campus/CVD-Software-
Defined-Access-Design-Sol1dot2-2018DEC.pdf

Please explain if you are not planning on deploying the Micro Segmentation.
Policy: General
Question Response
Policy: General

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 24 of 49
Question Response
What type of Policies?
• Access Control?
• Quality of Service?
• Policy Routing?
• IDS/IPS

Policy: General

What types of Access Control?


• Basic Permit/Deny?
• Complex L4 Ports?
• Scale considerations?

Policy: General

What types of Quality of Service?


• Basic Queuing?
• Complex Classification?

Policy: General

What types of Policy Routing?


 Traffic Engineering/Steering?
 Redirect/Cache Services?
 Redundancy considerations?

Policy: General

What types of IDS/IPS?


 External System? Tap?
 Inline NaaS/NaaE?

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 25 of 49
Policy: Macro and Micro Segmentation
Question Response
Segmentation: Macro Segmentation

What area(s) need to be Isolated?

Separate Departments
Secure Areas
Partners/Contractors
Guest Network

Segmentation: Macro Segmentation

How many additional VN(s) ?

Refer to the “Cisco DNAC Scale” section

Segmentation: Macro Segmentation

Do VN(s) need Shared Services?

YES -- VRF to GRT Leaking


NO – VRF based Services

Segmentation: Macro Segmentation

Where are VRFs Managed?

Fusion -- VRF to GRT Leaking


Firewall/DMZ – VRF based Services

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 26 of 49
Policy: Cisco Identity Services Engine
This section covers the AAA server (Authentication, Authorization & Accounting), there are many functions of
a AAA Server in the Fabric, some of which are:
● Host on-boarding – Assigning users and endpoints VN’s and VN’s to land in the correct VN.
● Authentication Policy – Secure connections for user and clients (802.1x, MAB, WebAuth etc …)
● Authorization Policy – In addition to assigning VLANs, VN’s, this step can also assign a Scalable Group
(SGT) to the endpoint to enable Micro Segmentation with-in a VN.

Question Response
Topology Specifics -- Network Access Devices
Provide the general switch/controller model numbers/platforms deployed and Cisco
IOS and AireOS Software versions to be deployed to support ISE design.
 Please see ISE Component Compatibility Document for the recommended
IOS and AireOS versions
Please explain if you are not planning on deploying the versions listed in the
ISE compatibility document.

Identity Services Engine Software Version


Please see CCO Download Software Page for the latest software release.

EndPoint Types
What are the general client types deployed (Please provide service pack details for
Windows and OS types for MacOSX)?

● Will 3rd party Mobile Device Management (MDM) be integrated with ISE? 3rd party MDM Vendor:
● If already using 3rd party Mobile Device Management (MDM) or planning to
use MDM please note the vendor and version as well as brief description on how Windows Versions
it will integrate with ISE Windows XP: Windows Vista:
◦ Please see Cisco ISE – MDM Partner Integration guide for supported MDM Windows 7: Windows 8/8.1:
vendor for integration and supported versions Supplicant Type
● Are mobile devices corporate- or employee-owned assets? Windows Native AnyConnect NAM
● Will user access policy be based on device type (for example, laptop versus 3rd Party supplicant:
iPad)? If so, will machine auth or profiling or static MAC assignments be used Other User EndPoint Types
to distinguish device types? Mac OSX: iDevice:
● Please note how many of the concurrent endpoints will utilize MDM Android: Linux:
information during authorization from ISE Other EndPoint Types:
SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 27 of 49
Question Response
Non-User EndPoint Types
Note: For domain joined Windows machines to function properly, machine Wireless AP: IP Phone:
authentication is recommended. Performing user only authentication may break Printer/Fax/Etc: HVAC:
critical functions such as machine GPO and other background services such as Medical: SCADA:
backup and software push. Other:
Note: State whether the customer is using machine or user authentication, or both. If
both machine and user authentication are planned, are Machine Access Restrictions
(MAR) planned? If so, review the Appendix information on MAR caveats.
For machine / user authentication details, please refer to 802.1X Authenticated
Wired and Wireless Access

Extensible Authentication Protocol (EAP) Types EAP Tunnel


Note: EAP-TTLS is not supported by ISE. PEAP EAP-FAST
Note: Cisco ISE version 1.1 supports FIPS 140-2 Level 1 Compliance, please see Inner EAP
the details in FIPS 140-2 Level 1 Compliance Page for more information. MSCHAPv2 EAP-TLS
Note: Cisco ISE 1.4 supports EAP chaining. When EAP Chaining is turned off, GTC EAP-Chainng
Cisco ISE performs usual EAP-FAST authentication.  Other EAP Types:

ID Stores
[EAP and ID Store Compatibility Reference]

List the internal and external ID stores the customer will use for different use cases.

Consider the following:


● 802.1X: AD
● MAB: Internal EndPoint + AD
● Web Authentication: Internal Guest + AD
● VPN: SecurID
● Guest Sponsors: AD
● Oracle Access Manager
● ISE GUI Admin: Certificate

Note: For Sponsored or Self-Service Guests, ID store is always ISE guest users
database

MS Active Directory Environment


● How many AD forests are to be integrated with ISE with multi-AD feature?
● ISE requires AD forest DNS consolidated into central DNS servers. What
method is used to consolidate DNS information for the separate AD forests?
● What version of AD is in use?
● Are there any Read-Only domains in place?

Note: AD Site & Services is recommended for ISE subnets for all forests. For more
information regarding multi-AD support, please refer to ISE 1.3 Multi-AD how-to
guide

Web Authentication
● Will WebAuthuth be used?
● Will WebAuth be used for wired, wireless, or both?
● Will Local Web Auth (LWA) or Central Web Auth (CWA) be used?
● Where will the web portal be hosted?
Note: If deploying CWA the portal must be hosted by ISE. If deploying LWA
the portal can be local to access device, or external (such as ISE).
● Will web auth be used for guest access? Will web auth be used for non-guests
(for example, employees)?

Note: For more information on CWA and LWA support on different platforms,
please refer to ISE Component Compatibility Document

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 28 of 49
Question Response
Authorization
Describe the enforcement types used. Consider the following options:
● VLANs
● ACLs (dACL for wired /named ACL for wireless)
● Security group tags/ACLs (SGTs/SGACLs)

dACL considerations:
● Cisco Catalyst switches support the wire−rate access control list (ACL) with use
of the ternary content addressable memory (TCAM). If the TCAM is exhausted,
the packets may be forwarded via the CPU path, which can decrease
performance for those packets. It is recommended to limit the number of Access
Control Entries (ACE) to prevent potential TCAM exhaustion.
● Using IP SourceGuard feature or QoS feature may also affect the TCAM
utilization

VLAN considerations:
● Consider the use case for why VLAN enforcement is used and estimate the
number of VLANS required.
● To authorize an endpoint using dynamic VLANs (dVLANs), the access device
must have that VLAN locally defined or else authorization will fail.
● To reduce the number of unique authorization policy rules, access devices
should use consistent numbering, or case-sensitive naming if assign dVLANs by
VLAN name or VLAN Group name.
● When using monitor mode of the phased deployment, VLAN assignment may
cause endpoints with wrong IP address
● Some endpoints, such as non-user devices, may not refresh IP after VLAN
change
● If devices are statically addressed, they may not be able to communicate on
assigned VLAN

Note: VLAN assignment is not supported with LWA (wired or wireless)


Note: When using dVLAN assignment to change VLANs between machine
authentication and user authentication or for remediation purpose on Windows
platform may result in delay in getting a new IP address

Posture
● Which posture agents will be used? Consider: AnyConect 4.0 posture agent for
Windows or Mac, Web agent for Windows
● If persistent posture agents deployed, how will they be provisioned? (e.g.
through ISE or other desktop software/patch management solution, via ASA, or
via ISE)

In the Posture Policy section below, explain the posture policy by OS type including
remediation policies.

Note: For latest AV/AS posture requirements, review the list of currently supported
packages for Windows and MacOSX

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 29 of 49
Question Response
Profiling Profiling Probes
● Identify the primary device types to be profiled NETFLOW DHCP
● What is the profile data required to classify each device type? DHCPSPAN HTTP
● Which probes will be deployed to collect the required data? RADIUS Device Sensor
● If SPAN/RSPAN is to be used, does infrastructure support these technologies? DNS NMAP
Note: If SPAN/RSPAN used, a dedicated interface should be used on the Policy SNMPTRAP SNMPQUERY
Service Node for the DHCP SPAN or HTTP SPAN probe.
● If RSPAN or Netflow is to be used, is there sufficient bandwidth between source
SPAN/Netflow exporter and ISE Policy Service node used for profiling?
● Is profiling for visibility only or for use in authorization policy?
In the Profiling Policy section below, explain the profiling policy in detail.

ISE Nodes/Personas
● Number and type (3315/3355/3395/3415/3495/VM) of each ISE appliance
(node)
● Define the personas assigned to each node (e.g., Administration, Monitoring,
Policy Service, Inline Posture) including Primary and Secondary designations.

In the Deployment Details section below, provide information on the nodes


Note: Inline Posture node is only supported on physical appliances except 3495.
Note: Each Policy Service Node (PSN) supports limited endpoints. Please consider
the number of PSN as per the number of required endpoints.
Note: EOS and EOL was announced for 33x5 appliances. For more information
please refer to the EOL announcement.

Switch Identity Configuration


Describe the wired switch identity configuration
● Multi-auth/multi-domain modes
● Flexible authentication sequencing and priority for 802.1X, MAB, and web auth
● Is Class-Based Policy Language (CPL) for 3850 switch to be used?
● Is Failed-Auth or Guest VLANs to be used?

Note: These fallback mechanisms cannot be used with LWA/CWA


Note: Please refer to Cisco TrustSec 2.1 HowTo Guide in the Appendix for
configuration reference. We would recommend inputting the detailed switch
configurations here.

Wireless Configuration
Describe the wireless configuration
● How many SSIDs does the deployment require?
● Please provide SSID security settings.
● Is wireless AP in FlexConnect mode or not?
● For Guest wireless access, is the WLC configured as an anchor controller?

Note: Not all functionality of FlexConnect AP mode with ISE is officially


supported.
Note: For the WLANs, please configure the idle-timer to be more than 3600
seconds (1 hour) and session-timeout to be more than 7200 seconds (2 hours). Also,
please increase the RADIUS Authentication & Accounting server timeout to be 5
seconds.

Certificate Authority (CA) Integration CA Types


Describe the CA configuration Standalone
● How will ISE integrate with 3rd party CA?
● Will ISE be issuing certificates for BYOD? Joined to existing PKI infrastructure
SCEP

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 30 of 49
Question Response
Bring Your Own Devices (BYOD)
Describe the detailed BYOD configuration
● Is it Single SSID or Dual SSID?
● Will Android be in the BYOD design? If so, please provide details of
provisioning authorization profile
● What devices will be auto provisioned?
● What supplicant will be used? Please provide detailed supplicant configuration
information.
● What access will unsupported device get? (i.e. Blackberry, Windows phones,
Chromebooks)
● Will MDM be integrated with BYOD design, If so, please provide details of
MDM policy below in the Authorization Policy section and whether or not
redirection will be used for MDM agent installation

Note: Please note that Dual SSID and CWA are only supported with WLC AireOS
7.2 and up. Please plan to use LWA if there is no plan to upgrade to the devices that
support CWA and MAB.
Note: With AireOS 7.6 and up, DNS based wireless ACL is supported which can
allow admin to create an ACL for Android devices have access to Google Play
Store.

Integration with 3rd party (Excluding MDM)


Describe the detailed integration with SIEM & Threat Defense products
● What product and vendor for SIEM. Please see Cisco ISE – SIEM & Threat
Defense Eco System Integration guide for supported SIEM vendor for
integration and supported versions
● What information will be forwarded to SIEM
● Will pxGrid be used? If so, which devices will subscribe to ISE?
● Will Endpoint Protection Services (EPS) be used?

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 31 of 49
Cisco SDA Design Guidance
Cisco SDA design guidance can be in to 4 categories which are listed in the following picture, this is an high-
level introduction followed by individual design details.

Very Small Design


Overview for FIAB - Fabric in a Box
• Total endpoints < 2K (software limit)
• Border, CP & E and Wireless in a single box
• Limited Survivability for CP and Border
• Single wiring closet (MDF)

Benefits
• Reduces cost to deploy SDA for very small sites
• FE + FB + CP on same C9K
• Supports 9800 & Embedded-Wireless in 1.2.10 (16.10.1e for C9300)

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 32 of 49
Stack of FIAB’s
• Total endpoints < 2K (software limit)
• If a member of the Stack fails (with CP and Border), the next available member in the stack taker over
the CP and Border functionality
Limited Survivability for CP and Border
• Single wiring closet (MDF)
• Max of 8 boxes can be in a Stack
• All the stack members must be the same platform
Benefits
• Get additional ports in a FIAB
• Still reduced cost to deploy SDA for very small sites
• FE + FB + CP on same C9K
• Supports 9800 & Embedded-Wireless in 1.2.10 (16.10.1e for C9300)

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 33 of 49
Small Design
Overview
• Multiple wiring closets or even single.
• Border and CP are collocated in a single box
• Redundancy for Border or CP
• Limited Survivability
• Total endpoints < 10K (recommendation, but DNAC and platform scale can drive this number)

Benefits
• Small site design
• Tends to be Building or Office with < 10,000 endpoints and < 100 IP Pools/Groups
• 1-2 Collocated CP +
External Border (Single Exit)
• Tends to be local WLC connected to Border (e.g. Stack) + FEW
• Looking at <1000 dynamic authentications and <250 group based policies.
• FB + CP + Wireless (9300)with distributed Fabric Edges
• Supports 9800 & Embedded-Wireless in 1.2.10 (16.10.1e for C9300)

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 34 of 49
Medium Design
Overview
• Multiple wiring closets or even single.
• Dedicated CP’s for higher survivability (Site, building, floor)
• 2 x collocated Border & CP (in a single box)
• Full Survivability for CP
• Limited Redundancy for Border
• Dedicated Edge (no stacking)
• Recommended total endpoints < 10K (recommendation, but DNAC and platform scale can drive this
number).

Benefits
• Next level up to a small design.
• Max Control Plane nodes = 6 (Wired Only); 4 with Wireless (2 Enterprise and 2 Guest CP’s).
• Tends to be Multiple Buildings with < 25,000 endpoints
• Most likely a 3 Tier design, recommendation is to use 9400 & 9500 as intermediate nodes.
• Can choose a Co-located or a Distributed/Dedicated CP + Border(Single Exit) design.
• Tends to be WLC + FEW via Services Block or a local Data Center
• Looking at < 25,000 dynamic authentications and < 1000 group based policies

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 35 of 49
Large Design
Overview
• Multiple wiring closets (most likely).
• Max Control Plane nodes = 6 (Wired Only); 4 with Wireless.
• Max Border nodes = 4
• Dedicated CP’s for higher survivability (Site, building, floor)
• Dedicated Borders for site exits
• Full Survivability for CP
• Full Redundancy for Border
• Dedicated Edge (no stacking)
• Recommended total endpoints < 25K (recommendation, but DNAC and platform scale can drive this
number).

Benefits
• Dedicated borders can provide multiple exits to different DC’s or destinations.
• Tends to be Many Buildings with < 25,000 endpoints and < 500 IP Pools/Groups
• Most likely a 3 Tier design, recommendation is to use 9500 as intermediate nodes.
• Can choose a Co-located or a Distributed/Dedicated CP + 2-4 Borders (Multiple Exits)
• Looking at < 25,000 dynamic authentications and < 2000 group based policies
SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 36 of 49
SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 37 of 49
Cisco DNAC Ports
Cisco DNA-Center needs access to below URLs & FQDNs

download System & Application package *.ciscoconnectdna.com:443


software

Integrate with cisco.com and Cisco Smart *.cisco.com:443


Licensing

Integrate with Cisco Meraki *.meraki.com:443

Render accurate information in site & www.mapbox.com


location maps
*.tiles.mapbox.com/* :443.

Cisco DNAC Node Communications

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 38 of 49
Cisco DNA Center 1.2.10 Scale

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 39 of 49
Cisco SDA Supported Latency
Latency Requirements (RTT)

Latency between SDA fabric components

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 40 of 49
Cisco SDA Supported Wired Platforms
Fabric Edge, Border and Control Plane

Link to the Platform support and Scale Numbers

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 41 of 49
Cisco SDA Supported Wireless Platforms
FEW and OTT

Link to the Platform support and Scale Numbers

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 42 of 49
Policy Details

Host On-boarding: For each use case (wired, wireless, VPN), describe the ISE authentication policies that will
on-board users and endpoints to the fabric, whether managed or unmanaged.
Cisco ISE Authentication Policy Example:
Rule Name Condition Allowed Protocols ID Store / ID Sequence
Device Access Wired_MAB Default Network Access Internal EndPoints
802.1X Access Wired_802.1X Default Network Access AD_then_Local
VPN NAS-Port-Type = Virtual Default Network Access AD
Default - Default Network Access Internal Users

Customer Authentication Policy:


Rule Name Condition Allowed Protocols ID Store / ID Sequence

Cisco ISE Authorization Policy: For each use case (wired, wireless, VPN), describe the authorization policies
that will be implemented for all users and endpoints whether managed or unmanaged.
Authorization Policy Example:
Rule Name Identity Groups Other Conditions Permissions SGT
BYOD Unknown Mobile Devices Logical EAP Tunnel = PEAP NSP dACL BYOD
Group EAP Type = MSCHAPv2 NSP Redirect
BYOD Registered Registered EAP Type = EAP-TLS Registered dACL BYOD-Registered
SAN = Calling-StationID
IP_Phones Cisco-IP-Phones - Voice VLAN IP-Phone
Authz VVID
Printers Managed-Printers - Printer VLAN Printer
Cameras Managed-Cameras - Camera VLAN Camera
Workstation_Access Any Domain PC AD Access dACL AD-Access
User_Role_1_Access Any Domain Member Role1 Role1 dACL Role1
User_Role_2_Access Any Domain Member Role2 Role2 dACL Role2
Guest_Access Guest - Internet Only dACL Internet-Only
Default - - Web Auth Default

Customer Authorization Policy:


Rule Name Identity Groups Other Conditions Permissions

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 43 of 49
Guest Access: For each use case (wired or wireless), describe guest access policy. Provide information on how
guest will access the network including information on guest provisioning, sponsors, and whether custom guest
portal pages need to be created. Please fill details in the forms below if the answer yes applies to you. Put no if
the scenario does not apply to you.
Services Wired (yes or no) Wireless (yes or no)
Guest

Profiling: For each use case (wired or wireless), describe how the profile data will be collected by each probe
required to classify each device type to be profiled. For example, will SPAN or RSPAN be used to carry data
from the network to the Identity Services Engine? If so, what is the SPAN design? Will dedicated ISE
interfaces be used? If HTTP probe used, will SPAN or redirection be used to capture user agent attributes?
Please note that the number of events per second a platform can safely process per the Platform Performance
Spec table below. For example, if IPAD traffic is to be profiled by probing http traffic for the User Agent
attribute, then the design must assure the Policy Services node is not inspecting more than 1200 http events per
second (3395 spec). Consider profiling strategies that reduce overall load on Policy Service node such use of
HTTP redirect at connect time to capture the User Agent attribute, or the use of IP Helper statements for DHCP
capture versus the use of SPAN.
Profiling Policy / Requirements Example:
Device Profile Unique Attributes Probes Used Collection Method
Cisco IP Phone OUI RADIUS RADIUS Authentication
CDP SNMP Query Triggered by RADIUS Start
IP Camera OUI RADIUS RADIUS Authentication
CDP SNMP Query Triggered by RADIUS Start
Printer OUI RADIUS RADIUS Authentication
DHCP Class Identifier DHCP
POS Station MAC Address RADIUS (MAC RADIUS Authentication
(static IP) Address discovery)
ARP Cache for MAC to IP SNMP Query Triggered by RADIUS Start
mapping
DNS name DNS Triggered by IP Discovery
Apple iPad/iPhone OUI RADIUS RADIUS Authentication
Browser User Agent HTTP Authorization Policy posture redirect to
central Policy Service node cluster
DHCP Class Identifier + MAC DHCP IP Helper from local L3 switch SVI
to IP mapping
NMAP Scan Result NMAP Active Scanning
Device X MAC Address RADIUS (MAC RADIUS Authentication
Address discovery)
Requested IP Address for DHCP RSPAN of DHCP Server ports to local
MAC to IP mapping Policy Service node
Optional to acquire ARP Cache SNMP Query Triggered by RADIUS Start
for MAC to IP mapping
Port # traffic to Destination IP Netflow Netflow export from Distribution 6500
switch to central Policy Service node

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 44 of 49
Customer Profiling Policy / Requirements:
Device Profile Unique Attributes Probes Used Collection Method

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 45 of 49
Deployment Details
Unknowns
What are the key unknowns or concerns about this deployment? For instance, the information that was required
but not received from the customer, please list it here. (E.g. My customer uses IE3000 series switches. Is this
supported? Customer is using 3rd party NAD. Or the customer is currently using IPv6)

High Availability
Discuss high availability considerations.
 High availability for ISE, each persona and node should be part of design to ensure that no single
persona/appliance failure results in total loss of a service. Please confirm persona/node redundancy
design and explain reason if HA not planned for any component.

Migration
If migrating this deployment from traditional network architecture to SDA provide details on the current
deployment and how you're going to address migration of licensing, existing policy, NAD configurations, etc.
802.1X Phasing
● Deployment modes (Please refer to DIG in Appendix for Mode details):
o Will Monitor mode be enabled for a period of time on the 802.1X-enabled routers and switches?
o Will Authenticated or Enforcement mode (formerly known as “Low Impact mode”) be deployed?
o Will Closed Mode (formerly known as “High Security mode”) be deployed?

ISE Node details


For customers deploying VMs:
The VM host should be sized comparably with the ISE appliance. See platform hardware specs below for CPU
specification of the various appliances. For example, if the performance characteristics required are similar to a
3615 appliance, then per platform performance specs, please refer to the following link
https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/data_sheet_c78-
726524.html
Note: Hard disks with 10K or higher RPM are required. Average IO Write performance for the disk should be
higher than 300MB/sec and IO Write performance should be higher than 50MB/sec. VMotion is supported
since ISE 1.3. Please make sure to reserve the RAM and CPU cycles for the ISE node deployed as VM.
Note: If disk size needs to be resized, the node will need to be re-imaged from the ISO
Note: The resources need to be reserved for each ISE node and cannot be shared among different ISE nodes or
other guest VMs on the host.
Note: Only VMFS formatted file system is supported currently

Example:
Host Name (FQDN) Persona IP Address VM/HW CPU RAM Storage
ise1.example.com Admin/Mn 1.1.1.1 VM Intel Xeon E5-2609 @ 2.4 32GB 600GB
SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 46 of 49
T GHZ X 8 Core
ise2.example.com PSN 2.2.2.2 VM Intel Xeon E5-2609 @ 2.4 32GB 300GB
GHZ X 8 Core

Host Name (FQDN) Persona IP Address VM/HW CPU RAM Storage

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 47 of 49
Bill of Materials (BOM)
Insert as part of this document, or in a separate attachment, the list of equipment to be ordered for the SDA
deployment that matches the design. If Sales Order already placed, then be sure to include the order details
here.
Please include SmartNet/SAU or explain its omission (for example, included as part of another order, support
agreement, or deliberate acknowledgement that support refused).
Note: Please only include the information of the products that are related SDA.
Example BOM:
Line Product Qty List Price Contract Discount Unit Price Extended Price
1 Cat 9k 1
2 ISE 1
3 DNAC 3

Customer BOM details:


Line Product Qty List Price Contract Discount Unit Price Extended Price

SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 48 of 49
Appendix
SDA Partner Resource Center
Please visit SDA, for additional SDA resources (Login required).
SDA Ordering Guide
The SDA Ordering Guide located at
https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/software-defined-access/guide-
C07-739242.pdf
General Support links for SDA
cisco.com/go/sdaccess
• SD-Access At-A-Glance
• SD-Access Ordering Guide
• SD-Access Solution Data Sheet 
• SD-Access Solution White Paper

General Support links for Cisco DNAC


cisco.com/go/dnacenter
• DNA Center At-A-Glance
• DNA ROI Calculator
• DNA Center Data Sheet
• DNA Center 'How To' Video Resources

SDA CVD Documents


cisco.com/go/cvd/campus

Printed in USA C07-676884-01


SDA HLD © 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. 09/11 Page 49 of 49

You might also like