Course Overview
DNADDC is a 5-day course designed for Channel partners and Integrators that covers SD-Access, ACI, and SD-WAN fabric deployments and integration. The integration covers the policy plane synchronization between Cisco ISE, DNAC, Cisco APIC, and vManage controllers. This allows for seamless mapping of Secure Group Tags (SGTs) to End Point Groups (EPGs), thereby stretching the micro-segmentation from the user all the way to the hosted application. Along with the inbuilt macro-segmentation, the course also walks through end-to-end micro-segmentation across WAN sites by leveraging the Cisco TrustSec Secure Group Tags (SGTs). The resulting SDA fabric can then be stretched across remote WAN sites.
Who Should Attend
- IP network designers
- IP network administrators
- System engineers
- NOC personnel and technical support personnel involved in IWAN and DNA deployment and administration
Course Objectives
- Understand the role and use of Cisco DNA-Center for Campus Automation and Assurance
- In-depth understanding of Cisco SD-Access Single and Multi-Fabric Site deployment
- Understand the Macro and Micro (SGTs) Policy Plane used for network segmentation within the SD-Access Fabric
- Fundamental knowledge of the Cisco ACI DC Overlay solution
- Integration between the Cisco SD-Access and Cisco ACI Fabrics (Control and Policy plane Integration)
- Thorough understanding of Cisco SD-WAN Fabric Overlay solution
- Integration between the Cisco SD-Access and Cisco SD-WAN Fabrics (Control and Data plane Integration)
Course Outline
Module 1: Understanding the Cisco SDX Portfolio
- Cisco Fabric Overlay Introduction:
- Overview of Cisco SD-Access for the Campus
- Overview of Cisco SD-WAN for the WAN
- Overview of Cisco ACI for the Data Center
- Understanding the Fabric Overlay Solutions
- Underlay vs Overlay
- The need for Fabric Overlay in the Campus, WAN and DC
- Introduction to Cisco SD-Access
- Cisco DNA-Center Overview
- Cisco DNA-Center and ISE Integration – Requirement and Process
- Cisco SD-Access components – Control Plane Node, Border Node, Fabric Edge Node
- Cisco Fabric Enabled Wireless Network – Deploying FEW WLC and Access Points
- Understanding Macro (Virtual Networks) and Micro (ISE SGTs & SGACLs) Segmentation in SD-Access
- Introduction to Cisco ACI
- Cisco APIC for DC Overview
- Understanding the Cisco ACI Architecture – Spine and Leaf
- Understanding Tenants, Bridge Domains, End Point Groups and Contracts
- Understanding the Cisco ACI Fabric Operations and Forwarding
- Connecting the ACI Fabric to the outside networks – L3 Outs
- Introduction to Cisco SD-WAN
- Cisco SD-WAN Controllers – vManage, vSmart and vBond
- Understanding SD-WAN essentials – System IPs, Colors, Site IDs, Encapsulations
- Bringing up the Cisco SD-WAN Fabric Control and Data Plane – Understanding OMP, IPSec, BFD, TLOCs
- Deploying the Cisco SD-WAN Branch Sites – Cisco WAN Edge Routers
- Securing the Cisco SD-WAN Data Plane and leveraging End-to-End Segmentation (VPNs)
- Understanding Centralized and Localized Policies using the vManage
Module 2: Deploying Cisco SD-Access and Assurance using Cisco DNA-Center
- Reviewing the Cisco DNA-Center GUI
- Cisco DNA-Center Applications
- Cisco DNA-Center Tools
- Cisco DNA-Center System Settings
- Integrating the Cisco DNA-Center with Cisco ISE (using pxGrid) – Comprehensive Steps
- Using the Network Discovery and Inventory Application for Network Discovery
- Understanding the Cisco SD-Access Workflow
- Cisco DNA-Center Design Application
- Cisco DNA-Center Policy Application – In Depth review of the ACA Application
- Cisco DNA-Center Provision Application
- Cisco DNA-Center Assurance Application
- Reviewing the pre-deployed SD-Access HQ Fabric Site
- Validating the Network Hierarchy, IP Address Pools, Device Credentials and Shared Services
- Reviewing the Device Inventory
- Reviewing the configured VNs, SGTs and Contracts
- Reviewing the provisioned Fabric Site and IP Transit for the HQ Site
- Reviewing the Extended VNs to the Traditional Network – SD-Access Border Configuration
- Reviewing the SD-Access Control Node Configuration
- Reviewing the SD-Access Fabric Edge Configuration – Host Onboarding
- Deploying the SD-Access Remote/Branch Fabric Site
- Cisco SD-Access Distributed Campus Overview
- Discovering the Branch Site Devices
- Reserving IP Pools for the new Branch
- Provisioning the Branch devices to a Site in the DNA-C Hierarchy
- Understanding and Provisioning the Cisco SD-Access Transit Control Plane Node
- Creating a new Branch Fabric Site and Branch Site Transit
- Adding devices to the Branch Fabric Site and Provisioning the Devices
- Branch Control Plane and Border Node
- Branch Fabric Edge
- Configuring the Host-Onboarding for the Branch Fabric Site and testing user connectivity between HQ and Branch users
Module 3: Understanding and Reviewing the Cisco ACI Fabric Deployment
- Overview of the Cisco APIC
- Review the pre-configured ACI Fabric:
- Single Tenant configuration review
- Bridge Domain and Internal EPG review
- Understanding the Application IP Pool and EPG assignment
- Reviewing the 3 different application servers deployed – App, Web and DB
- Configuring the L3 outs to communicate with:
- The Cisco SD-Access HQ site Fabric
- The Cisco SD-WAN WAN Edge routers at the HQ site
- Configuring the Tenant WAN SLA policies and mapping to EPGs
Module 4: Understanding and Reviewing the Cisco SD-WAN Fabric Deployment
- Overview of the Cisco vManage GUI
- Reviewing the SD-WAN Controller deployment – vSmart and vBond
- Reviewing the existing SD-WAN Fabric deployment
- Understanding and reviewing the secure Control Plane between the HQ WAN Edges and the vSmart/vManage
- Understanding and reviewing the secure Data Plane between the WAN Edges at the HQ and the Branch Site
- Reviewing the Feature Templates pre-configured for the WAN Edges at the HQ and Branch sites
- Deploying the Branch Site WAN Edge
- Using ZTP to deploy the WAN Edge device and connecting to the SD-WAN Controllers
- Deploying a fundamental Centralized Control Plane Policy between the HQ and the Branch Site
- Reviewing the Final configuration
- IPSec and BFD establishment between the HQ and the Branch Sites
- Policy review from the vSmart
Module 5: Integrating the Cisco SD-Access and Cisco ACI Fabrics
- Understanding the Cisco Multi-Domain Architecture
- Declarative Intent based Automation
- End-to-End Policy Context and Domain Borders
- Cross Domain Policy Context
- Overview of Cisco SD-Access and Cisco ACI Integration
- Integrating the Control Plane – SDA Border to ACI Border L3 hand-off
- Integrating the Policy Plane – SGT to EPG Mapping for continued micro segmentation
- Configuring the Cisco SD-Access IP Transit
- Automating the BGP configuration on the SD-Access Border node to communicate with the ACI Fabric
- Leveraging the Cisco APIC to configure the L3 outs towards the Cisco SD-Access HQ Fabric site
- Sharing SGT from DNA-Center to Cisco ISE
- Using the DNA-Center Policy Application to create net-new SGTs in Cisco ISE
- Using the DNA-Center ACA Application to create contracts between the SGTs and pushing to Cisco ISE
- Integrating the Cisco ISE server with Cisco APIC
- Overview of ISE to APIC Integration – The need to exchange SGTs and EPGs
- Importing the Cisco APIC certificate into Cisco ISE
- Cisco ISE Security Exchange Protocol (SXP) Overview
- Learning the IP to EPG Mapping using Cisco SXP
- Adding ACI Settings on Cisco ISE under the TrustSec configuration
- Understanding the SXP Domain and configuring the SXP Propagation of IP-to-EPG mappings
- Configuring the SD-Access Border at the HQ Fabric site as a SXP Peer – To share EPG-to-SGT context between APIC and ISE
- Review Policy Configuration
- Cisco APIC Internal EPG converted to Cisco ISE SGT and propagated to Cisco SD-Access devices
- Cisco ISE SGTs converted to Cisco ACI External EPGs
- Cisco ACI Internal Endpoints show up as Cisco ISE IP Mappings
- Cisco ISE IP Mappings converted to External EPG Subnets
- Create Policy between Campus SGT and DC EPG using the Cisco DNA-Center ACA Application
- Verify Campus user to ACI hosted application connectivity
- Cisco SD-Access HQ Campus user connects to application on a blocked port
- Cisco SD-Access HQ Campus user connects to application on an allowed port
Module 6: Integrating the Cisco SD-Access and Cisco SD-WAN Fabrics
- Introduction to Cisco SD-Access and SD-WAN Integration
- What is currently possible? (As configured in the lab)
- What is in the pipeline? (Cisco DNA-C 2.x and above)
- Integrating the Cisco SD-WAN Edges with the SD-Access Border Node at HQ
- Configuring the SD-Access IP Transit on the HQ Fabric site towards the WAN Edge Devices
- Mapping the SD-Access Virtual Network to the SD-WAN VPN at the HQ site
- Extending the Campus networks to the SD-WAN Edge using BGP Automation in the DNA-Center
- Configuring the SD-WAN Edge with the required BGP configuration using the vManage Feature Templates
- Integrating the Cisco SD-WAN Edges with the SD-Access Border Node at the Branch
- Configuring the SD-Access IP Transit on the Branch Fabric site towards the WAN Edge Devices
- Mapping the SD-Access Virtual Network to the SD-WAN VPN at the Branch site
- Extending the Campus networks to the SD-WAN Edge using BGP Automation in the DNA-Center
- Configuring the SD-WAN Edge with the required BGP configuration using the vManage Feature Templates
- Configuring Application Aware Policies
- Configuring Centralized AAR SLA policies to ensure user to application connectivity