Date posted: 29-Nov-2018
SD-Access 1.2 Update
Version 1.0, 29/05/2018
Rene Andersen
SDA 1.0 (Beta), July 2017: Identity-based Policy & Segmentation; Automated Network Fabric; Fabric-Enabled Wireless
SDA 1.1, December 2017: Wireless Assurance (DNAC 1.1.1); Network Health Monitoring
SDA 1.2, May 2018: SD-Access for Distributed Campus (Beta); SD-Access Extension for IoT (Beta); IBNS 2.0; Usability Enhancements; Fabric Enabled Wireless Enhancements
SD-Access Extension for IoT: Securely Consolidate IT and OT to One Network
IoT use cases: Warehouses, Manufacturing, Transportation, Outdoor Spaces, Connected Lighting, Workspace Switches
Extended Node Portfolio: IE5000, IE4010, IE4000, Catalyst Digital Building, 3560-CX Compact (extended nodes, including REP ring topologies, attached behind the fabric edge and managed by DNA Center)
Operational simplicity for networks that are IT designed and IT managed, or IT designed and OT managed
Greater visibility to a broad set of IoT devices
Improved threat detection and containment
SD-Access for Distributed Campus: Extend SD-Access Benefits Campus-wide
[Figure: Extended Enterprise Campus with HQ, Campus 1, Campus 2 and Campus 3 connected over Metro links, plus Cloud and Data Center; each site (Site 1, Site 2, Site 3) has its own border (B) and control plane (C) nodes, all managed centrally by DNA Center and ISE]
End-to-end segmentation
Centralized Automation & Assurance
Future Proof for SD-WAN (Viptela SD-WAN Integration on Roadmap)
End-to-End Policy and Segmentation
Enhanced Resiliency & Local Isolation
Direct Internet Access per Site
Automated Inter-Site Connectivity
Scalable to 100+ sites
Flexible: 50-100,000 Users/Site
Enhanced Resiliency and Scale for Large Deployments
Automation and Assurance managed through DNA Center
Catalyst 3K/9K
Catalyst 4500
Catalyst 6800
Nexus 7700
ASR1K/ISR4K/CSR
Wireless LAN
DNAC 1.2
AireOS 8.5 MR3
TBD
15.5(1)SY1 es
IOS 3.10.2 es
IOS-XE 16.8.1s
IOS-XE 16.8.1s
8.2(1) SMUs CSCvg39911 CSCvh87828 CSCvg09282 CSCvh32898
* Minimum SW version needed for new features in SDA 1.2
DNA Center
ISE
Catalyst 3K/9K
Catalyst 4500
Catalyst 6800
Nexus 7700
ASR1K/ISR4K/CSR
Wireless LAN
DNAC 1.1.x
AireOS 8.5 MR2
ISE 2.3 Patch 2
15.4(1)SY4
IOS 3.10.0e
8.2(1) SMU
IOS-XE 16.6.3
IOS-XE 16.6.3
AireOS 8.5 MR1
ISE 2.3 Patch 1
IOS 3.10.0c
IOS-XE 16.6.2s
IOS-XE 16.6.2s
* DNACs releases will support backward compatibility In terms of device code versions
SD-Access 1.2 Scale (maximum supported on a single DNAC cluster)
Fabric Domains per DNA Cluster: 10
Fabric Sites across the Fabric Domains*: 200
Total Endpoints (including APs) per DNA Cluster*: 25K
APs (counted as endpoints) per DNA Cluster*: 4000
Virtual Networks: 64
Fabric Nodes (Edge, Border, WLC) per DNA Cluster*: 500**
Non-Fabric Nodes (Intermediate, Subtended, Routers) per DNA Cluster*: 1000
Control Plane Nodes per Fabric Site: 2
Default Border Nodes per Fabric Site: 4
* The above scale is split across all configurable fabric domains (10) or can be in one fabric domain
** A stack of switches is counted as one Fabric Node
Single DNAC cluster = 3 DNAC appliances (2+1 in HA)
SD-Access 1.2 Edge Scale (* these are 1D platform numbers)
Columns: Virtual Networks / Local Endpoints (Hosts) / SGT/DGT Table / SGACLs (Security ACEs)
Catalyst 3650: 64 / 2K / 4K / 1350
Catalyst 3850: 64 / 4K / 4K / 1350
Catalyst 9300: 256 / 4K / 8K / 5K
Catalyst 4K (Sup8E): 64 / 4K / 2K / 1350
Catalyst 9400: 256 / 4K / 8K / 18K
Catalyst 9500: 256 / 4K / 8K / 18K
SD-Access Border Scale (* these are 1D platform numbers; SUP1 XL is only supported as Border node; "-" = not given)
Columns: Virtual Networks / SGT/DGT Table / SGACLs (Security ACEs) / Fabric Control Plane Entries with Border co-located on the same device / IPv4 Fabric Routes / IPv4 Fabric Host Entries
Catalyst 3850(XS): 64 / 4K / 1500 / 3K / 8K / 16K
Catalyst 9300: 256 / 8K / 5K / 16K / 4K / 16K
Catalyst 9400 (*SUP1 XL): 256 / 8K / 18K / 80K / 20K / 80K
Catalyst 9500: 256 / 8K / 18K / 80K / 48K / 96K
Catalyst 9500H: 256 / 8K / 18K / 80K / 48K / 96K
Catalyst 6800: 500 / 30K / 30K (XL), 12K (non XL) / 25K / 1M (XL), 256K / 32K
Nexus N7700: 500 / 16K / 16K / Not Supported / 500K / -
ASR1K/ISR4K: 4K / 62K / 64K / 200K/100K (16GB), 100K/50K (8GB) / 4M (16GB), 1M (8GB) / -
CSR1Kv: n.a. / n.a. / n.a. / 200K / n.a. / -
SD-Access 1.2 Features
Below are the new features introduced with DNAC/SD-Access 1.2:
SD-Access Extension for IoT (requires IOS-XE 16.8.1s)
SD-Access for Distributed Campus (requires IOS-XE 16.8.1s)
Host On-Boarding Enhancements including IBNS 2.0
LAN Automation Enhancements
Wireless Enhancements
SD-Access Extension for IoT
Introducing SD-Access Extension: Extending the Fabric Edge for IoT and Business
Users, Device and IoT Segmentation
Policy-based Automation
Purpose-Built Switches for IoT
Platform Support: Catalyst Digital Building, Catalyst 3560-CX, IE Series (4K/5K)
[Figure: IoT Network and Employee Network kept as separate virtual networks behind border (B) and control plane (C) nodes; Extended Nodes and an AP Extension attach below the fabric edge; DNA Center provides Analytics, Policy and Automation]
SD-Access Extension: Key Benefits for IoT and Business
[Figure: DNA Center managing Extended Nodes, with a Surveillance Camera Virtual Network and an Outdoor Wireless Virtual Network]
Easy automated Device install and setup
Stretched subnets for ease of endpoint connections
Workflow based policy automation
Segment Applications with separate Virtual Networks
Single pane of glass for management
Inventory, Topology, Image management
Automate Day 1 Installation
Network Assurance Device 360
Traditional vs SD-Access Extension: Extended Nodes extend SD-Access beyond the Fabric Edge
Day 1 Design and Installation
  Traditional: Manual box-by-box configuration; networking expertise required to provision and deploy devices
  SD-Access Extended Node: Automated device deployment decreases time to operation; zero-touch configuration enables non-networking personnel to install
Day N Operations and Updates
  Traditional: Network additions are complex; no automated workflows; changes/adds require manual configuration of multiple devices; operation monitoring limited
  SD-Access Extended Node: Deployment flexibility with fabric-enabled technologies, i.e. stretched subnets; intent-based workflow uses automation for fabric and service configuration, removing the complexity of new service additions; intent-driven network updates are centrally administered, removing manual reconfiguration and reducing downtime; network operational assurance with Device 360 shows performance and pinpoints operational issues
Security
  Traditional: Static L2-L4 ACLs; address-based segmentation; changes/adds require manual configuration of multiple devices; continuous auditing required to maintain security rule sets
  SD-Access Extended Node: Group-based security policy auto-configured in the fabric, separating policy from addressing, simplifies security enforcement and maintenance; the fabric provides site-wide segmentation, enabling intent-based security; integrated threat defense, with suspicious users or devices easily quarantined
SD-Access Extended Node
The Extended node connects to a single Edge node over an 802.1Q trunk port (one or more VLANs) with static VLAN assignment
Switchports on the Extended node can then be statically assigned to an appropriate IP Pool (in DNA Center)
SGT tagging (or mapping) is accomplished by Pool to Group mapping (in DNA Center) on the connected Edge node
Traffic policy enforcement based on SGTs (SGACLs) is performed at the Edge node
SD-Access Extension Fabric Edge Support Matrix (extended node platform vs. the Fabric Edge platform it connects to)
SDA Extended Node | C3850 | C4500 | C9300/9400/9500
3560CX | No | No | Yes
IE switches | No | No | Yes
CDB | No | No | Yes
Extended Node Platform Support (minimum software)
Catalyst Digital Building: 15.2(6)E1
Catalyst 3560-CX: 15.2(6)E1
IE Series (4K/5K): 15.2(6)E1 (Link to IE4000)