BRKARC-1003-SD-Access Deployment Gotchas and Lessons Learned PDF

#CLUS
Your Guides
Yousuf Hatami Syed F. Ahmed
• Systems Engineer • Systems Engineer
supporting Cisco supporting Cisco
Federal Federal
• Hobby • Hobby
• Soccer/Volleyball • Bowling/Swimming
• 2 Kids • 1 Kid
• Hiking • Biking
• Vacation Spots: Italy, • Vacation Spots: Tampa, Fl,
Greece, Morocco Cancun, Barcelona
yohatami@cisco.com syedah2@cisco.com
#CLUS BRKARC-1003 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
SD-Access
Deployment Gotchas and Lessons
Learned
Yousuf Hatami, Systems Engineer
Syed F. Ahmed, Systems Engineer
BRKARC-1003
#CLUS
Vacation Itinerary
• Plan, Plan, and Plan…
• Give yourself more time
• Open minded
• Don’t over think or over pack
Cisco WebEx Teams
Questions?
Use Cisco Webex Teams to chat
with the speaker after the session
How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
Webex Teams will be moderated cs.co/ciscolivebot#BRKARC-1003

by the speaker until June 16, 2019.
#CLUS © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
Agenda
• Introduction
o SDA
• Our Story
o Customer Engagement
o SDA Education & Learning
o SDA Deployment Scenario’s
 Lessons Learned and Tips & Tricks
• Conclusion
• Wave I, II & III benefits
• Way Forward
Introduction
2019 Out with the Old, In with the New
2019 Out with the Old, In with the New
SolarWinds, Prime Infrastructure, DNA Center
OpManager, PRTG. WhatsUp
Policy Automation Analytics
B B
C
IoT Network Employee Network
Customer
Engagement
Customer Engagement
Greenfield/Refresh Presentation/Demo SDA Starter Kit

(Traditional or SDA) (Introduce SDA) (Set up lab)
ISE + AD/Other
PCIe 1 PCIe 2
SS
1 2
770W AC 770W AC
1 10G 2

Cisco DNS/DHCP
DNA Center
SDA Deployment Guide Wave I

Shared Services (Fabric Enabled &
(New or Existing) (Learn/Familiarize)
Macrosegmentation)
Customer Engagement
ISE
ISE ISE
Wave II Monitor Mode Closed Mode

(Network Access)
SDA Segmentation Guide Wave III Lab

(VN’s and SGT’s) (Microsegmentation) (Wired/Wireless)
Customer Engagement
Testing
(Wired/Wireless) Limited-Production Production
Education &
Learning
Nothing Like Hands-On Experience
Demo
Journey
Journey Begins Today
Fabric Enabled & Microsegmentation
Macrosegmentation
(Wave III)
(Wave I)
Network Access
(Wave II)
-Access Not Impacted (Wave A)

Monitor Mode
-Access Enforced (Wave B)
Closed Mode
Fabric Enabled &
Macrosegmentation
(Wave I)
Small Details Matter!!!
Fabric Enabled & Macrosegmentation (Wave I)
Integrate ISE
Shared Services Bring Up DNAC Integrate ISE
with DNAC
(AD/ISE/DHCP/NTP/DNS…) with AD
Provisioning Wireless Wired Design with DNAC

Wired Discovery Discovery
Fabric Enabled & Macrosegmentation (Wave I)
Test/Validate
Provisioning Connect to the Host Onboarding
Wireless Outside World
Shared Services (Tips & Tricks)
DHCP
AD Integration with ISE DNS Forward/Reverse Lookup (Windows Conflict Detection Attempts value 4)
(NTP) (ISE)
BRKARC-1003 29
#CLUS © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
DNA Center (Tips & Tricks)
INTERNET/NTP/DNS Upgrade Time Image Size Full Install

/Time zone
Bootable USB
(Etcher Tool)
Integrate ISE with AD (Lessons Learned)
Microsoft Domain
NTP (Trust)
Integrate ISE with DNA Center (Tips & Tricks)
Host Name and ISE VM ISE VM ISE Licensing

Certificate (Reserve Resources) (Thin vs Thick) (PAK & Smart Licensing)
Site Design with DNA Center (Tips & Tricks)
Manual Discovery Device Role ISE as an

(SSH or Telnet) Labeling Additional Smart Licensing
DHCP Server (16.9.1)
Inject default-route ip http client source lo0

(ISIS, Smart License) (Firewall)
Wired Design (Tips & Tricks)
Username/Password LAN Automation Blank Password MTU

(cisco & admin) (ISIS) (ISIS) (ISIS)
Wired Design (Tips & Tricks)
Licensing Consistent Ports & Edge Device

Install Mode vs Bundle Mode (LAN Automation) Peer Seed Device Reachability
(SWIM) (LAN Automation) (IP Pool & DNAC)
Edge/Border/Control Switch Config Clean Up 1. (config)#crypto key zeroize

Version of Image (Steps) 2. (config)#no crypto pki certificate pool
3. delete /force vlan.dat
4. delete /force nvram:*.cer
5. delete /force nvram:pnp*
6. delete /force flash:pnp*
Provision Wired (Tips & Tricks)
Similar Devices Provision Device Fabric Existing

Status (View Device Info) Configuration
(LISP, AAA,VRF)
Provision Wireless (Tips & Tricks)
DHCP Scope
APs not Registering Switch Port (POE) Option 43
(WLC License) (F104, F108)
Multicast (Tips & Tricks)
Headend Replication Native Multicast IOS-XE 16.9.1s ASM/SSM

(DNAC 1.2.6) (Minimum for Multicast) (SSM Underlay)
Order of Implementation
(Underlay  Fabric  VN) Remote RP
(MSDP)
Connect to the Outside World (Tips & Tricks)
EBGP iBGP Between Rebuilding the

(Automatic) Borders Border
(Manual) (SVI/VLAN change)
Fusion Control Route

(Manual) Leaking
Host Onboarding (Tips & Tricks)
Authentication
Templates Port Provision Port Provision Port Provision
(Closed/Open/Easy/No (No AUTH, Manual) (Open AUTH, Manual) (Closed Auth, Automatic)
AUTH)
Test and Validate Fabric Enabled (Lessons Learned)
IOS-XE (16.6.5->16.9.2s) Windows or 3 rd Party

Physical Roaming Firewall
Network Access
(Wave II)
Network Access (Wave II)
ISE Monitor ISE Closed Mode Testing/Validating Fine Tuning Policies

Mode
ISE Monitor Mode (Wave A) (Tips & Tricks)
Network Access 802.1x -> MAB -> Access Monitor Mode VN ISE Logs
not Impacted
Auditing/Monitoring
Network
ISE Closed Mode (Wave B) (Tips & Tricks)
Enforcement Mode ISE Dynamic Policy Assignment

(802.1x) (Logs) (Test Users AUTH within
ISE)
ISE Closed Mode (Wave B) (Tips & Tricks)
Learn ISE Learning Youtube

Credits Channels
Cisco Support Forums Lab Minutes Web Proof of Value On site Test
and Communities Site (POV) Deployment
Testing/Validating Port Security (Lessons Learned)
MAC vs Windows Start Windows GPO to push

Services policies
Fine Tuning Policies (Tips & Tricks)
Placement of Profile Based

Specific Policies Policies
Microsegmentation
(Wave III)
Microsegmentation (Wave III)
Define TrustSec Build Security Build SGACL’s Test and Validate

Policy Groups
Microsegmentation (Tips & Tricks)
Love Some are Exploring Some are Hesitant

Microsegmentation
Learn ISE
Benefits of Fabric Enabled & Macrosegmentation
Macro-segmentation Mobility Sub-Second Network Convergence

(VRF) (Anycast Gateway & Policy) (Routed Ports & ECMP)
Centralized Management Software Management TCO, Lower Risk, Move Reporting

(Configuration) (Compliance) Faster, Simplify
Benefits Network Access Phase
Visibility Control
(Users/Groups, Devices) (Who, What, When & How)
Benefits Microsegmentation Phase
Virtualization Operational Efficiency Compliance

(Network) (ACL’s, F/W rules) (Security Policy)
Change
SDA
L2/L3 Switch 2017
Bridge
1990
1981
HUB
1980s
Router
Mid 1970s - 1980s
Change
2012
2010
1885 - 1886
1885
1817
Forward Thinking
Are you ready to bring change?
SD-Access Resources
Would you like to know more?
cisco.com/go/dna
cisco.com/go/sdaccess cisco.com/go/dnacenter
• SD-Access At-A-Glance • Cisco DNA Center At-A-Glance
•
•
SD-Access Ordering Guide
SD-Access Solution Data Sheet
cisco.com/go/cvd •
•
Cisco DNA ROI Calculator
Cisco DNA Center Data Sheet
• SD-Access Solution White Paper • SD-Access Design Guide • Cisco DNA Center 'How To' Video Resources
• SD-Access Deployment Guide
• SD-Access Segmentation Guide
Complete your
online session • Please complete your session survey
evaluation after each session. Your feedback
is very important.
• Complete a minimum of 4 session
surveys and the Overall Conference
survey (starting on Thursday) to
receive your Cisco Live water bottle.
• All surveys can be taken in the Cisco Live
Mobile App or by logging in to the Session
Catalog on ciscolive.cisco.com/us.
Cisco Live sessions will be available for viewing
on demand after the event at ciscolive.cisco.com.
Continue your education
Demos in the
Walk-in labs
Cisco campus
Meet the engineer

Related sessions
1:1 meetings
NDA Roadmap Sessions at Cisco Live
Customer Connection Member Exclusive
Join Cisco’s online user group to …
Connect online with 29,000 peer and Cisco NETWORKING ROADMAPS SESSION ID DAY / TIME
experts in private community forums
Roadmap: SD-WAN and Routing CCP-1200 Mon 8:30 – 10:00
Roadmap: Machine Learning and

CCP-1201 Tues 3:30 – 5:00
Learn from experts and stay informed Artificial Intelligence
about product roadmaps Roadmap: Wireless and Mobility CCP-1202 Thurs 10:30 – 12:00
 Roadmap sessions at Cisco Live
 Monthly NDA briefings
Give feedback to Cisco product teams Join at the Customer Connection Booth
(in the Cisco Showcase)
 Product enhancement ideas
 Early adopter trials Member Perks at Cisco Live
 User experience insights • Attend NDA Roadmap Sessions
• Customer Connection Jacket
Join online: www.cisco.com/go/ccp • Member Lounge
Thank you
#CLUS
#CLUS

BRKARC-1003-SD-Access Deployment Gotchas and Lessons Learned PDF

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

BRKARC-1003-SD-Access Deployment Gotchas and Lessons Learned PDF

Hochgeladen von

Copyright:

Verfügbare Formate

#CLUS

Webex Teams will be moderated cs.co/ciscolivebot#BRKARC-1003

Policy Automation Analytics

IoT Network Employee Network

Greenfield/Refresh Presentation/Demo SDA Starter Kit

SDA Deployment Guide Wave I

Wave II Monitor Mode Closed Mode

SDA Segmentation Guide Wave III Lab

-Access Not Impacted (Wave A)

Provisioning Wireless Wired Design with DNAC

INTERNET/NTP/DNS Upgrade Time Image Size Full Install

Host Name and ISE VM ISE VM ISE Licensing

Manual Discovery Device Role ISE as an

Inject default-route ip http client source lo0

Username/Password LAN Automation Blank Password MTU

Licensing Consistent Ports & Edge Device

Edge/Border/Control Switch Config Clean Up 1. (config)#crypto key zeroize

Similar Devices Provision Device Fabric Existing

Headend Replication Native Multicast IOS-XE 16.9.1s ASM/SSM

EBGP iBGP Between Rebuilding the

Fusion Control Route

IOS-XE (16.6.5->16.9.2s) Windows or 3 rd Party

ISE Monitor ISE Closed Mode Testing/Validating Fine Tuning Policies

Enforcement Mode ISE Dynamic Policy Assignment

Learn ISE Learning Youtube

MAC vs Windows Start Windows GPO to push

Placement of Profile Based

Define TrustSec Build Security Build SGACL’s Test and Validate

Love Some are Exploring Some are Hesitant

Macro-segmentation Mobility Sub-Second Network Convergence

Centralized Management Software Management TCO, Lower Risk, Move Reporting

Virtualization Operational Efficiency Compliance

L2/L3 Switch 2017

Mid 1970s - 1980s

Meet the engineer

Roadmap: Machine Learning and

Das könnte Ihnen auch gefallen