This June, Cisco announced an ambitious initiative, called SD-Access, which is designed to automate common networking tasks in a campus network.
SD-Access encompasses the wired and wireless infrastructure that lets users connect to corporate resources, as well as the management and monitoring software that provisions access and services and enforces policies.
SD-Access is a sprawling effort, and to get there Cisco has had to integrate a variety of new and existing products, both hardware and software.
I was recently briefed by Cisco on SD-Access. Here are all the pieces you’ll need if you want to put it all together.
The Network Gear
Cisco’s hardware is an integral part of SD-Access. SD-Access creates a campus fabric, similar to a data center fabric, with both an overlay and underlay. The overlay serves as a software abstraction layer that lets operators use a single interface to deploy services and set policies. The software then uses APIs to configure the necessary hardware to create services and enforce requested policies.
Supported hardware includes parts of the Catalyst and Nexus switching lines, ISR and ASR routers, and Aironet APs and controllers.
According to Cisco, the following hardware supports SD-Access:
- Catalyst 3650 and 3850 (all models)
- Catalyst 4500-E + Sup8E/9E and 4700 Cards
- Catalyst 6807-XL + Sup2T/6T and 6800 Cards
- Catalyst 6880-X or C6840-X (all models)
- Catalyst 9300, 9400 and 9500 (all models)
- Nexus 7700 + Sup2E and M3 Cards
- ASR 1000-X or 1000-HX (all models)
- ISR 4430 or 4450 (all models)
- Cisco WLC 3504, 5520 or 8540
- Cisco AP 1800/2800/3800 (Wave 2)
Note that Cisco Meraki APs are not currently included in the SD-Access fabric.
The Software & Appliance Stack
Administrators and operators will interact with SD-Access primarily through DNA Center, a new dashboard announced by Cisco as part of the SD-Access launch. “It’s like Meraki,” said Prashanth Shenoy, VP of marketing at Cisco. “Everything in the dashboard.”
Underneath DNA Center are three additional pieces: APIC-EM, the Identity Services Engine (ISE), and the Network Data Platform. Each component has its own role in the broader platform.
APIC-EM, which predates SD-Access, is an SDN controller that sits between DNA Center and the network equipment in the fabric. The controller takes service and policy requests from DNA Center and then configures the ACLs, VLANs, QoS settings, and other elements in the network hardware required for provisioning and policy enforcement.
Cisco recommends running APIC-EM on its UCS servers because Cisco can pre-package and validate the software on that platform.
That said, a virtual edition is available that can run on a vanilla server, but Cisco won’t provide validation on third-party hardware. Shenoy also noted that a SaaS version of APIC-EM will be available in which the controller will run in a Cisco-operated cloud service.
ISE, which also predates SD-Access, is being drafted as the identity management and AAA engine for SD-Access and is a critical component of the platform. ISE acquires user and device profiles via LDAP or Active Directory and populates them into DNA Center. From DNA Center, administrators can set access policies for users and devices using a drag-and-drop interface.
ISE is also deployed on UCS servers or as a virtual appliance.
Network Data Platform (NDP) is a brand-new product. Delivered as an appliance, it collects, correlates, and analyzes data such as logs, NetFlow, and SNMP. Administrators can configure NDP to pull data from devices, or configure devices to push data to NDP.
The goal is to provide useful operational data, collect statistics to help operators set baselines and thresholds to get a clearer picture of normal and anomalous performance, get real-time alerts on problems, and assist in troubleshooting.
Information from NDP can be surfaced up to DNA Center. Cisco also provides a set of APIs to allow third-party systems to extract data.
Cisco also plans to offer NDP as a SaaS application.
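The baseline-and-threshold idea described for NDP is simple to illustrate. The following is an added example, not Cisco code and not NDP's API: it takes a constructed series of five-minute egress byte counts for one uplink, builds a baseline (mean and standard deviation) from a trailing window of readings, and flags any reading more than k standard deviations above the mean. It also handles a failure mode that naive implementations get wrong: a flagged reading is kept out of the baseline, so one spike does not inflate the threshold and hide the next one.

```python
"""Baseline-and-threshold anomaly flagging over constructed interface counters.

Added illustration of the kind of analysis the article describes for the
Network Data Platform. This is not Cisco code and uses no NDP API; the
sample readings below are constructed for the example.
"""
from statistics import mean, pstdev

# Constructed five-minute egress byte counts (MB) for one access-switch uplink.
# The first 12 readings represent normal traffic; the last two are spikes.
SAMPLES_MB = [410, 425, 398, 440, 415, 405, 432, 420, 411, 428, 402, 418, 1150, 990]


def build_baseline(history, k=3.0):
    """Return (mean, stdev, upper_threshold) computed from historical readings."""
    mu = mean(history)
    sigma = pstdev(history)
    return mu, sigma, mu + k * sigma


def flag_anomalies(samples, window=12, k=3.0):
    """Flag readings above baseline + k*sigma, using a trailing window.

    The first `window` readings seed the baseline. A reading that is flagged is
    NOT appended to the history, so an anomaly cannot raise the threshold and
    mask a following anomaly (the second spike below would otherwise pass).
    Returns a list of (index, value, threshold) tuples.
    """
    history = list(samples[:window])
    flagged = []
    for i in range(window, len(samples)):
        mu, sigma, upper = build_baseline(history[-window:], k)
        if samples[i] > upper:
            flagged.append((i, samples[i], round(upper, 1)))
        else:
            history.append(samples[i])
    return flagged


if __name__ == "__main__":
    for idx, value, threshold in flag_anomalies(SAMPLES_MB):
        print(f"reading {idx}: {value} MB exceeds baseline threshold {threshold} MB")
```

With the constructed data the baseline for the first twelve readings is a mean of 417 MB and a threshold of about 453.4 MB, so both spikes are reported; if the 1150 MB reading were allowed into the window, the threshold would jump past 1000 MB and the 990 MB reading would be missed.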
What About Prime?
Cisco customers may have noticed that Prime Infrastructure, Cisco’s unified wired and wireless management software, isn’t included in SD-Access. Cisco’s Shenoy says all the key capabilities of Prime are already in DNA Center, and the long-term goal for Prime is to be subsumed into DNA Center.
Shenoy said Cisco will continue to support Prime as a standalone offering for now, though customers should watch for a timeline from Cisco on an eventual migration off of Prime and onto DNA Center.
Cisco sponsored a Tech Field Day to provide details about its SD-Access rollout. You can see it here.
Lee Badman, who blogs at WiredNot and is a long-time Cisco and Meraki customer, offers some kudos and cautions regarding SD-Access.