Software Defined Access and ISE Integration for Policy Deployment and Enforcement

Anyone involved in the design or implementation of a SD-Access solution.

After completing this course you should be able to:

• Explain the role that ISE plays as part of the solution
• Configure AAA services and TrustSec Policy in ISE
• Explain ISE Integration with DNA Center for Policy enforcement
• Know and understand Cisco’s SD-Access concepts, features, benefits, terminology and the way this approach innovates common administrative tasks on today’s networks.
• Differentiate and explain each of the building blocks of SD-Access Solution
• Explain the concept of "Fabric" and the different node types that conform it (Fabric Edge Nodes, Control Plane Nodes, Border Nodes)
• Describe the role of LISP in Control Plane and VXLAN in Data Plane for SD-Access Solution
• Understand TrustSec concepts, deployment details and the way it is used as part of SD-Access Solution for segmentation and Policy Enforcement
• Understand the role of DNA Center as solution orchestrator and Intelligent GUI
• Be familiar with workflow approach in DNA Center - Design, Policy, Provision and Assurance

Module 1: Cisco ISE Integration for SD Access

• Introduction to Cisco ISE
• Using Cisco ISE as a Network Access Policy Engine
• Introducing Cisco ISE Deployment Models
• Introducing 802.1x and MAB Access: Wired and Wireless
• Introducing Identity Management
• Configuring Certificate Service
• Introducing Cisco ISE Policy
• Configuring Cisco ISE Policy Sets
• Introduction to Cisco TrustSec for segmentation
• The Concept of Security Group (SG) and Security Group Tag (SGT)
• Cisco TrustSec Phases - Classification, Propagation, Enforcement
• Methods for Classification - Static Classification, Dynamic Classification
• Methods for SGT tag propagation - Inline Tagging, SGT Exchange Protocol (SXP)

Module 2: Introduction to Cisco’s Software Defined Access (SD-Access)

• SD-Access Overview
• SD-Access Benefits
• SD-Access Key Concepts
• SD-Access Main Components - Campus Fabric, Wired and Wireless
• Nodes - Edge,Border,Control Plane
• DNA Controller (APIC-EM Controller)
• Introducing Cisco ISE 2.x px
• 2-level Hierarchy - Macro Level: Virtual Network (VN), Micro Level: Scalable Group (SG)

Module 3: DNA Center Workflow

• DNA Center Refresher
• Creating Enterprise and Sites Hierarchy
• Configuring General Network Settings
• Loading maps into the GUI
• IP Address Management
• Software Image Management
• Network Device Profiles
• Introduction to Analytics
• NDP Fundamentals
• Overview of DNA Assurance

Module 4: SD-Access Campus Fabric

• The concept of Fabric
• Node types (Breakdown)
• LISP as protocol for Control Plane
• VXLAN as protocol for Data Plane

Module 5: Campus Fabric External Connectivity for SD-Access

• Enterprise Sample Topology for SD-Access
• Role of Border Nodes
• Types of Border Nodes - Border, Default Border 
• Single Border vs. Multiple Border Designs
• Collocated Border and Control Plane Nodes
• Distributed (separated) Border and Control Plane Nodes

Module 6: Implementing WLAN in SD-Access Solution

• WLAN Integration Strategies in SD-Access Fabric - Fabric CUWN, SD-Access Wireless (Fabric enabled WLC and AP)
• SD-Access Wireless Architecture - Control Plane: LISP and WLC, Data Plane: VXLAN, Policy Plane and Segmentation: VN and SGT
• Sample Design for SD-Access Wireless

Labs

• Lab 1: ISE basic setup and Navigating GUI
• Lab 2: Configuring TrustSec in ISE
• Lab 3: Connecting and getting familiar with DNA Center GUI
• Lab 4: Performing SD-Access Design Step in DNA Center
• Lab 5: Integrating ISE and DNA Center for Policy Deployment and Enforcement
• Lab 6: Performing SD-Access Policy Step in DNA Center and ISE
• Lab 7: Performing SD-Access Provision Step in DNA Center
• Lab 8: Performing SD-Access Assurance Step in DNA Center
• Lab 9: Integrating WLAN services through SD-Wireless architecture
• Lab 10: Integrate ISE with Active Directory
• Lab 11: Achieving External Connectivity to remote locations through Border Node

Attendees should meet the following prerequisites:

• Knowledge level equivalent to Cisco CCNA Routing & Switching - ICND1, ICND2 or CCNABC
• Basic knowledge of Software Defined Networks
• Basic knowledge of network security including AAA, Access Control and ISE - IINS
• Basic knowledge and experience with Cisco IOS, IOS XE and CLI

Recommended as preparation for the following exams:

• There are currently no exams aligned to this course