In this digital era, Enterprise IT Operations are beset with challenges such as security, seamless end-to-end connectivity and policy consistency. Dealing with the campus environment is itself challenging, because users bring in their own devices and IoT requirements are entering the network space. The solution is to go software-defined as much as possible. Cisco Software-Defined Access, along with Cisco DNA Center and Cisco Identity Services Engine (ISE), provides a robust macro/micro-segmentation solution that helps with securing and segmenting the network. It also simplifies the campus network from an any-subnet-anywhere aspect without the cost of Spanning-Tree and HSRP (Hot Standby Routing Protocol), among others. Software-Defined Wide Area Network (SD-WAN) is a table-stakes component of any modern network today. Cisco SD-WAN with vManage provides intelligent routing of application flows and simplifies cloud connectivity, among its many other benefits. This leaves customers with a Cisco SD-Access domain primarily dealing with the campus, and an SD-WAN domain primarily dealing with the WAN. Interworking Cisco SD-Access and Cisco SD-WAN then becomes a natural extension for network operators.
The Integrated Domain solution integrates the domain controllers, Cisco DNA Center and Cisco SD-WAN vManage, to provide both seamless stitching of network connectivity between the two domains and end-to-end policy consistency. It also allows functions of the Cisco SD-Access domain to be consolidated with those of the Cisco SD-WAN domain on a single device. Consolidation of functions is a capability sought after by customers, especially at low-end branch locations.
The hand-off is a demarcation point between two domains, where one domain ends and another begins. This is typically the LAN/WAN boundary. The Integrated Domain approach consolidates the SDA border and control-plane functions onto the Cisco SD-WAN edge router. Cisco DNA Center integrates with vManage to exchange information about Virtual Private Networks (VPNs) in SD-WAN and seamlessly map them to SDA Virtual Networks (VNs) on the LAN. Cisco DNA Center also configures the SD-Access portion of the configuration that vManage pushes onto the Cisco SD-WAN edge routers.
The advantages that this approach provides are:
Figure 1 lays out the network design that customers can implement as part of the Integrated Domain solution. Cisco DNA Center integrates with Cisco vManage. Cisco SD-Access border and control-plane functionalities are embedded on the SD-WAN edge node, thus simplifying the automation and orchestration capabilities. This automatically ensures end-to-end propagation of user context (SGT+VN) for policy enforcement.
The Integrated Domain solution is a significant step forward in the integration of two disparate domains: it provides end-to-end policy consistency and, at the same time, automated network connectivity while reducing OPEX.