Integrating Cisco Multi-domain with SD-Access and ACI (SDAACI)

SDAACI is a 4-day course that covers SD-Access and ACI fabric deployments and their subsequent pairwise integration. The integration covers policy plane synchronization between Cisco ISE, DNAC, and the Cisco APIC controller. This enables seamless mapping between Security Group Tags (SGTs) and Endpoint Groups (EPGs), stretching micro-segmentation from the user all the way to the hosted application.

About the course

Prerequisites:

The knowledge and skills that a learner must have before attending this course are as follows:

  • The student is familiar with the Cisco Identity Services Engine features and functions
  • The student is familiar with DNA Center features and functions
  • The student is familiar with Scalable Group/SGT and SGACL functions
  • The student is familiar with ACI features and functions

Course Objectives:

Upon completing this course, the learner will be able to meet these overall objectives:

  • Understand the role and use of Cisco DNA-Center for Campus Automation and Assurance
  • Gain an in-depth understanding of Cisco SD-Access Single and Multi-Fabric Site deployment
  • Understand the Macro and Micro (SGTs) Policy Plane used for network segmentation within the SD-Access Fabric
  • Gain fundamental knowledge of the Cisco ACI DC Overlay solution
  • Integrate the Cisco SD-Access and Cisco ACI Fabrics (Control and Policy plane Integration)

Course content

Module 1: Understanding the Cisco SDX Portfolio

  • Cisco Fabric Overlay Introduction:
    • Overview of Cisco SD-Access for the Campus
    • Overview of Cisco SD-WAN for the WAN
    • Overview of Cisco ACI for the Data Center
  • Understanding the Fabric Overlay Solutions
    • Underlay vs Overlay
    • The need for Fabric Overlay in the Campus, WAN and DC
  • Introduction to Cisco SD-Access
    • Cisco DNA-Center Overview
    • Cisco DNA-Center and ISE Integration – Requirement and Process
    • Cisco SD-Access components – Control Plane Node, Border Node, Fabric Edge Node
    • Cisco Fabric Enabled Wireless Network – Deploying FEW WLC and Access Points
    • Understanding Macro (Virtual Networks) and Micro (ISE SGTs & SGACLs) Segmentation in SD-Access
  • Introduction to Cisco ACI
    • Cisco APIC for DC Overview
    • Understanding the Cisco ACI Architecture – Spine and Leaf
    • Understanding Tenants, Bridge Domains, End Point Groups and Contracts 
    • Understanding the Cisco ACI Fabric Operations and Forwarding
    • Connecting the ACI Fabric to the outside networks – L3 Outs

Module 2: Deploying Cisco SD-Access and Assurance using Cisco DNA-Center

  • Reviewing the Cisco DNA-Center GUI
    • Cisco DNA-Center Applications
    • Cisco DNA-Center Tools
    • Cisco DNA-Center System Settings
    • Integrating the Cisco DNA-Center with Cisco ISE (using pxGrid) – Comprehensive Steps
  • Using the Network Discovery and Inventory Application for Network Discovery
    • Understanding the Cisco SD-Access Workflow
    • Cisco DNA-Center Design Application
    • Cisco DNA-Center Policy Application – In Depth review of the ACA Application
    • Cisco DNA-Center Provision Application
    • Cisco DNA-Center Assurance Application
  • Reviewing the pre-deployed SD-Access HQ Fabric Site
    • Validating the Network Hierarchy, IP Address Pools, Device Credentials and Shared Services
    • Reviewing the Device Inventory
    • Reviewing the configured VNs, SGTs and Contracts
    • Reviewing the provisioned Fabric Site and IP Transit for the HQ Site
    • Reviewing the Extended VNs to the Traditional Network – SD-Access Border Configuration
    • Reviewing the SD-Access Control Node Configuration
    • Reviewing the SD-Access Fabric Edge Configuration – Host Onboarding
  • Deploying the SD-Access Remote/Branch Fabric Site
    • Cisco SD-Access Distributed Campus Overview
    • Discovering the Branch Site Devices
    • Reserving IP Pools for the new Branch
    • Provisioning the Branch devices to a Site in the DNA-C Hierarchy
    • Understanding and Provisioning the Cisco SD-Access Transit Control Plane Node
    • Creating a new Branch Fabric Site and Branch Site Transit
    • Adding devices to the Branch Fabric Site and Provisioning the Devices
    • Branch Control Plane and Border Node
    • Branch Fabric Edge
    • Configuring the Host-Onboarding for the Branch Fabric Site and testing user connectivity between HQ and Branch users

Module 3: Understanding and Reviewing the Cisco ACI Fabric Deployment

  • Overview of the Cisco APIC
  • Review the pre-configured ACI Fabric:
    • Single Tenant configuration review
    • Bridge Domain and Internal EPG review
    • Understanding the Application IP Pool and EPG assignment
    • Reviewing the 3 different application servers deployed – App, Web and DB
  • Configuring the L3 outs to communicate with
    • The Cisco SD-Access HQ site Fabric
    • The Cisco SD-WAN WAN Edge routers at the HQ site
  • Configuring the Tenant WAN SLA policies and mapping to EPGs

Module 4: Integrating the Cisco SD-Access and Cisco ACI Fabrics

  • Understanding the Cisco Multi-Domain Architecture
    • Declarative Intent-based Automation
    • End-to-End Policy Context and Domain Borders
    • Cross Domain Policy Context
  • Overview of Cisco SD-Access and Cisco ACI Integration
    • Integrating the Control Plane – SDA Border to ACI Border L3 hand-off
    • Integrating the Policy Plane – SGT to EPG Mapping for continued micro-segmentation
  • Configuring the Cisco SD-Access IP Transit
    • Automating the BGP configuration on the SD-Access Border node to communicate with the ACI Fabric
    • Leveraging the Cisco APIC to configure the L3 outs towards the Cisco SD-Access HQ Fabric site
  • Sharing SGT from DNA-Center to Cisco ISE
    • Using the DNA-Center Policy Application to create net-new SGTs in Cisco ISE
    • Using the DNA-Center ACA Application to create contracts between the SGTs and pushing to Cisco ISE
  • Integrating the Cisco ISE server with Cisco APIC
    • Overview of ISE to APIC Integration – The need to exchange SGTs and EPGs
    • Importing the Cisco APIC certificate into Cisco ISE
    • Cisco ISE Security Exchange Protocol (SXP) Overview
    • Learning the IP to EPG Mapping using Cisco SXP
    • Adding ACI Settings on Cisco ISE under the TrustSec configuration
    • Understanding the SXP Domain and configuring the SXP Propagation of IP-to-EPG mappings
    • Configuring the SD-Access Border at the HQ Fabric site as an SXP Peer – To share EPG-to-SGT context between APIC and ISE
  • Review Policy Configuration
    • Cisco APIC Internal EPG converted to Cisco ISE SGT and propagated to Cisco SD-Access devices
    • Cisco ISE SGTs converted to Cisco ACI External EPGs
    • Cisco ACI Internal Endpoints show up as Cisco ISE IP Mappings
    • Cisco ISE IP Mappings converted to External EPG Subnets
  • Create Policy between Campus SGT and DC EPG using the Cisco DNA-Center ACA Application
  • Verify Campus user to ACI hosted application connectivity
    • Cisco SD-Access HQ Campus user connects to application on a blocked port
    • Cisco SD-Access HQ Campus user connects to application on an allowed port