Cisco SDA Migration

Why Migrate to Cisco SDA Fabric?
At IPTel, we've been working with Cisco Software-Defined Access (SDA) more and more over the last few years. You might have heard of it and be keen on seeing it in your network. But here is the problem: you like the idea, but how do you get there? You might not have Cisco ISE in your network, you might not have layer 3 to your access layer, or you just don't know what migration to SDA looks like.
The benefits of SDA Fabric are primarily in these two areas:
- Network Automation: Cisco SDA Fabric is all about providing a much more secure and well-understood network environment:
  - Profiling users means they can connect and get the access they need without someone manually configuring that access
  - Network Automation applies to both how the network is set up and configured, and how the users themselves can interact with the network
  - The bottom line is that networking at scale can be made much easier than it is today
- Zero Trust: Zero Trust describes a key security concept: users can only access what they have been explicitly configured to be allowed access to:
  - This is a much tighter security framework than the traditional VLAN style network
  - Zero Trust is key to containing and preventing malicious actors from penetrating far and wide in your network - even if they gain access, the resources they can connect to are limited
We've covered this more in our free eBook: The CIOs Guide to SDA Fabric.
Cisco SDA Fabric: New and Existing Networks
Migration from traditional (or legacy, depending on which term you prefer) networking to software-controlled SDA Fabric is not straightforward.
What we've seen is there is much more front-end planning with SDA Fabric than with legacy networking - but once you have the network up and running it is quicker to configure and expand.
The initial design phase is critical - you need to know much more about the clients on your network and how you want to treat those than with traditional networking.
Why is that? We will be configuring a much more granular set of security policies than traditional networking allows - right up to the edge port if you want to configure micro-segmentation.
The image below explains the options we have and is split between a new network (greenfield install) versus existing networks (brownfield install):
New Network SDA Options:
- Choose how granular you'd like your security:
  - Macro Segmentation - equivalent to a VLAN, or
  - Micro Segmentation - equivalent to a firewall at the edge port
- Select Option 1: Immediate Full New Deployment: (Faster - but more risk): Go straight to Macro and Micro Segmentation on day 1, or
- Select Option 2: Staged New Deployment: (Slower - but less risk): Start with Macro Segmentation and work on the journey to Micro Segmentation
The option you pick (Option 1 or 2) depends on your comfort level and how quickly you'd like to deploy.

Image Courtesy of Cisco
For existing networks, there's a slightly different choice, which is more around how much up-front time you want to spend figuring out what is using your network before you migrate.
Existing Network SDA Options:
- Choose how much up-front time you'd like to spend determining what clients are on your network and what access they need:
  - Select Option 3: Determine what is on the Network first: Once all clients are known, roll into Macro and Micro Segmentation
  - Select Option 4: Mimic a Traditional Network First: Start with Macro Segmentation to mimic VLANs and then monitor and roll out Micro Segmentation
In the case of existing networks neither option is better or worse - it's more a case of preference: find out up front what's on your network, or roll out the first stages of the Macro Segmentation and then do that monitoring.
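Option 4 can be sketched as a small model: mimic the VLANs with macro segments, record flows while monitoring, then turn the repeated flows into default-deny group-to-group rules. This is an added example, not IPTel or Cisco code; the client names, group names, flows and the `min_hits` threshold are all constructed assumptions.

```python
# Added illustration of Option 4: mimic VLANs, monitor, then micro-segment.
# All clients, groups, segments and flows below are constructed sample data.
from collections import Counter

# Macro segmentation that mimics the old VLANs: client -> segment.
SEGMENT = {"pc-01": "corp", "pc-02": "corp", "printer-01": "corp",
           "hr-db": "corp", "cam-01": "iot", "nvr-01": "iot"}
# Group each client is profiled into (hypothetical group names).
GROUP = {"pc-01": "staff", "pc-02": "staff", "printer-01": "printers",
         "hr-db": "hr-servers", "cam-01": "cameras", "nvr-01": "recorders"}
# Flows recorded during the monitoring phase: (source, destination, port).
OBSERVED = [("pc-01", "printer-01", 9100), ("pc-02", "printer-01", 9100),
            ("pc-01", "printer-01", 9100), ("cam-01", "nvr-01", 554),
            ("pc-02", "hr-db", 5432)]

def macro_allows(src, dst):
    """VLAN-equivalent rule: anything in the same segment can talk."""
    return SEGMENT[src] == SEGMENT[dst]

def propose_rules(flows, min_hits=2):
    """Aggregate observed flows into group-to-group allow rules.
    Flows seen fewer than min_hits times go to a review set instead."""
    hits = Counter((GROUP[s], GROUP[d], p) for s, d, p in flows)
    allow = {rule for rule, n in hits.items() if n >= min_hits}
    review = {rule for rule, n in hits.items() if n < min_hits}
    return allow, review

def micro_allows(rules, src, dst, port):
    """Default deny: same segment AND an explicit group-pair rule."""
    return macro_allows(src, dst) and (GROUP[src], GROUP[dst], port) in rules

def reachable(src, rules=None):
    """Clients src can reach; rules=None means macro segmentation only."""
    peers = {d for d in SEGMENT if d != src and macro_allows(src, d)}
    if rules is None:
        return peers
    pairs = {(g_src, g_dst) for g_src, g_dst, _ in rules}
    return {d for d in peers if (GROUP[src], GROUP[d]) in pairs}

if __name__ == "__main__":
    allow, review = propose_rules(OBSERVED)
    print("macro reach of pc-01:", sorted(reachable("pc-01")))
    print("micro reach of pc-01:", sorted(reachable("pc-01", allow)))
    print("needs review before enforcement:", sorted(review))
```

The review set is the practical caveat: flows seen only once during monitoring (here the camera stream and the HR database connection) would be blocked if micro segmentation were enforced from the allow set alone.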
Cisco SDA Migration: Pre-Requisites
For the existing installations, there is an order for how we prepare for migrations. There are some specific pre-requisites:
- Cisco Catalyst Center: (Formerly Cisco DNA Center): This is used to configure and monitor the SDA Fabric - this is a must have
- Cisco ISE: This is used to identify and send policy to the Fabric
A typical migration scenario we would see is an enterprise network with core, distribution and access layer switching.

Image Courtesy of Cisco
In the SDA migration process, we can convert in stages:
- Stage 1: Convert the existing hardware (providing it is SDA compatible):
  - Retain existing VLAN IDs and layer 2 access.
- Stage 2: Add in Cisco Catalyst Center to monitor and manage the network
- Stage 3: Add Cisco ISE for the end-client policy management
The network is now ready for the migration options (see section above - Option 3 or 4)
Cisco SDA Migration: Summary
Migrating to Cisco Software‑Defined Access (SDA) is not a simple “network refresh” — it is a fundamental shift in how enterprise networks are designed, secured, and operated.
Rather than focusing on VLANs and device‑by‑device configuration, SDA introduces a policy‑driven, fabric‑based architecture that centralises control, improves security through segmentation, and significantly reduces operational complexity.
The key takeaways for any business looking to migrate to Cisco SDA Fabric are:
- SDA is an architectural transition, not just new hardware:
  - The network changes from VLAN‑centric to policy‑centric
  - Decouples access policy from physical location - same treatment anywhere you log in
- Migration must be staged:
  - Pre-Planning and preparation are key!
  - Traditional networks and SDA fabrics coexist during transition
  - Correct staging minimises risk and disruption while modernising incrementally
- Identity is foundational:
  - In the process you will find out everything connected to your network
  - Cisco ISE underpins segmentation and access control
  - Identity becomes very important
- Operational model changes:
  - Less manual CLI work, more automation via Cisco Catalyst Center
  - Requires skills uplift, not just platform change
- Security improves without complexity:
  - Macro‑ and micro‑segmentation are built into the fabric
  - Micro Segmentation is similar to a firewall right at the edge of your network
  - Zero Trust principles become easier to implement consistently
If you need any help, we have migrated many customers - drop us a line!