SDA HLD Template v1.3

The document provides guidance on creating a high-level design (HLD) for a Cisco Software Defined Access (SDA) deployment. It outlines why an HLD is recommended even if not strictly required, and provides templates for including information about the customer, business objectives, network topology, devices, policies, and scale of the SDA deployment. Completing the HLD can help troubleshoot issues and get assistance from Cisco technical support and engineering teams.

SDA HLD

Cisco Software Defined Access (SDA)


High-Level Design (HLD)
An SDA HLD may be requested at any time by the Cisco TAC to troubleshoot an SDA
deployment. An HLD will be required for any assistance by the Enterprise Business
Unit TME Team (ENB-TME) for Technical Marketing or Escalation services. Inability to
produce a current HLD upon request covering the full scope of your SDA deployment
will delay the resolution of your problem. Even though an SDA deployment does not
require an HLD, it is still recommended to submit an HLD for review by the TME team.

Required preliminary information Provide your answers in this column


Customer Company Name

HLD Submitter’s Name and Contact Information

Lab Evaluation Exception Yes or No


Are the above Sales Order(s) for a Lab Evaluation or Proof of
Concept with <= 100 endpoints? If so, no further HLD details are
required however please state the anticipated length of the
evaluation. An HLD is still highly recommended for planning and
design purposes.

Optional information Provide your answers in this column


Partner Company Name

Partner Engineer’s Name, Email and Phone


That created or reviewed this HLD

Cisco Sales Order number(s),


If order has been placed

SDA HLD © 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 49
Contents
Introduction..................................................................................................................................................................................................................... 4
SDA Partner Resource Center.................................................................................................................................................................................... 4
SDA Design Engineers.............................................................................................................................................................................................. 4
Document Purpose..................................................................................................................................................................................................... 4
Why is Completing the HLD Recommended Prior to Placing the Order?................................................................................................................4
Business Objectives......................................................................................................................................................................................................... 5
Customer’s Business Goals........................................................................................................................................................................................ 5
Estimated Timelines........................................................................................................................................................................................................ 6
Business Intent........................................................................................................................................................................................................... 7
Scope & Scale............................................................................................................................................................................................................ 8
Miscellaneous............................................................................................................................................................................................................ 9
Customer Network Overview........................................................................................................................................................................................ 10
Physical Network Topology..................................................................................................................................................................................... 10
Design Considerations and Scope................................................................................................................................................................................. 12
Cisco Software Defined Access solution.................................................................................................................................................................. 12
Cisco DNA Center 1.2.10.............................................................................................................................................................................................. 13
Network Connectivity................................................................................................................................................................................................... 15
Network Connectivity Services................................................................................................................................................................................ 15
Network Connectivity: Wired Connections..............................................................................................................................................................17
Network Connectivity: Underlay and Overlay......................................................................................................................................................... 20
Network Connectivity: Wireless.............................................................................................................................................................................. 22
Network Connectivity: Transit................................................................................................................................................................................. 23
Policy............................................................................................................................................................................................................................ 25
Policy: Overview..................................................................................................................................................................................................... 25
Policy: General........................................................................................................................................................................................................ 26
Policy: Macro and Micro Segmentation................................................................................................................................................................... 27
Policy: Cisco Identity Services Engine.................................................................................................................................................................... 28
Cisco SDA Design Guidance........................................................................................................................................................................................ 34
Very Small Design................................................................................................................................................................................................... 34
Small Design............................................................................................................................................................................................................ 36
Medium Design........................................................................................................................................................................................................ 36
Large Design............................................................................................................................................................................................................ 37
Cisco DNAC Ports........................................................................................................................................................................................................ 39
Cisco DNAC Node Communications.......................................................................................................................................................................39
Cisco DNA Center 1.2.10 Scale.................................................................................................................................................................................... 40
Cisco SDA Supported Latency...................................................................................................................................................................................... 41
Latency Requirements (RTT)................................................................................................................................................................................... 41
Cisco SDA Supported Wired Platforms........................................................................................................................................................................ 42
Fabric Edge, Border and Control Plane.................................................................................................................................................................... 42
Cisco SDA Supported Wireless Platforms..................................................................................................................................................................... 43
FEW and OTT......................................................................................................................................................................................................... 43

Policy Details................................................................................................................................................................................................................ 44
Deployment Details....................................................................................................................................................................................................... 47
Unknowns................................................................................................................................................................................................................ 47
High Availability..................................................................................................................................................................................................... 47
Migration................................................................................................................................................................................................................. 47
ISE Node details...................................................................................................................................................................................................... 47
Bill of Materials (BOM)................................................................................................................................................................................................ 49
Appendix....................................................................................................................................................................................................................... 50
SDA Partner Resource Center.................................................................................................................................................................................. 50
SDA Ordering Guide............................................................................................................................................................................................... 50
SDA CVD Documents............................................................................................................................................................................................. 50

Introduction

SDA Partner Resource Center


This SDA Resource Center is the central repository for partner focused SDA materials and open to current SDA partners. If not
already registered, click the request access link for access.

SDA Design Engineers


You are required to answer all questions, in full and with details. On the Menu Bar, please click Insert > New Comment to reply to
reviewer's comments, and fill in the tables that are provided in the template for the design details. Please do not modify gray content
and examples.

Document Purpose
This document provides a template to be used when creating a high-level design (HLD) for Cisco Software Defined Access (SDA).
The Cisco TAC or Enterprise Business Unit representatives may request a copy of the HLD with any support or escalation case.

Why is Completing the HLD Recommended Prior to Placing the Order?


The Cisco Software Defined Access solution is a system architecture comprising many components, including network access
devices with programmable switches, Cisco DNA Center, Identity Services Engine, endpoints, identity stores, and many APIs for
integrations, which together provide segmentation, Encrypted Traffic Analytics (ETA), and AAA for all user and device access control
needs. An engineer must consider the SDA solution holistically and consider immediate as well as future requirements prior to
deciding what equipment to purchase. This HLD template will step the engineer through what needs to be considered. If the engineer
is not intimately familiar with the proposed network, a network assessment may be necessary prior to completing the HLD.

Business Objectives
Customer’s Business Goals
Describe the customer’s business goals. Consider the following example business goals:

Simplify my network operations by using automation; today there are many challenges in managing the network because of
manual configuration and fragmented tool offerings.

Faster change management for standard operational activities in running a network, e.g. upgrading software and configurations
periodically.

Provide faster resolution to current issues: whenever a failure occurs, provide visibility for pinpointing and resolving the issue, and
properly correlate collected data to understand the various contexts of network and user behaviors.

Get visibility in to users and devices connecting to the network -- Profiling for visibility or inventory management

Implement a consistent policy for Wired and Wireless networks by providing role-based access control and segmentation for
East-West as well as North-South traffic.

Differentiation of service based on user identity, device type, location etc …

Regulatory compliance

Providing guest access

Managing employee-provided devices (e.g., iPads)

Port lockdown

Ensuring endpoint health or posture

Other

The details provided in later sections of this HLD should reflect the business objectives stated here.

Customer’s Business Goals

Estimated Timelines
Phase | Number of endpoints | Begin | End | Comments
Lab testing and qualification | N/A | | |
Final Design Review call with Cisco SME | N/A | Earliest target date for review call | Latest target date for review call | May also occur after initial pilot/POC phase
Production phase 1 (pilot) | | | |
Production phase 2 | | | |
Production phase 3 | | | |

Business Intent
Deployment Summary | Response
What are the Top Priorities? (Please check or add to the list to the right) | Network Automation; Wired and Wireless Mobility; Policy and Segmentation; Assurance and Analytics
What types of Access Control? | Identity (MS AD, LDAP, Duo, etc.); Access Control; Asset Visibility; Access Control (EAP, MSCHAP, etc.); Guest Access; BYOD & Enterprise; Segmentation; Firewalls
What level of Application Visibility? | Basic; FNF; Advanced; NBAR; SD-AVC
Any applications that use Multicast? | YES (Internal Border + RP); NO (No Considerations)
Any applications that use Layer 2? | YES (Internal Border + L2 GW); NO (No Considerations)

Scope & Scale
Describe the scope of the project and the number and types of sites the customer has. While describing the scope, consider the
following items:

Expansion plan

Sites which will participate in the POC or pilot

Overall coverage, which will help in designing Cisco DNAC and Cisco ISE for the customer

Deployment Summary | Response
Is this a Single Site or Multiple? | Single Site (Basic Border); Multiple Sites (Borders + Transit)
What types of Sites? | Campus (Small, Medium, Large); Branch (Very Small – FIAB, Small, Medium & Large)
How many Endpoints per Site? | Very Small Site (< 2K Clients); Small Site (< 10K Clients); Medium Site (Dedicated CP's); Large (Dedicated Borders + Dedicated CP's)
Details on endpoints per site? | Total endpoint count for entire deployment (endpoint count equals the sum of user and non-user devices):
  o Total concurrent user endpoints including guest devices per site
  o Total concurrent non-user endpoints (including IoT devices, IP Phones, Wireless APs, Printers, etc.)
  o Total wiring closets within each site (if designing for survivability and redundancy)
Are the Sites Existing or New? | Incremental (Custom LAN, WLAN + SDA Overlay); Parallel (LAN Automation + SDA Overlay)
Which Sites require Internet Access? | Campus (Single Fabric); Branch (Multiple Fabrics)
Are the Sites Business Critical? | Link Redundancy (2 x links); Device Redundancy (2 x Devices)

Miscellaneous
Deployment Summary | Response
Other Integrations | ETA; Radius Proxy; External Integrations; Cisco Stealthwatch
Other Use Cases: | 3rd Party Radius Servers:
  o Vendor name and version
  o Deployment details
  o Placement of Radius Server

Customer Network Overview
Physical Network Topology
Insert a high-level network diagram showing the SDA design, the placement of Edge, Border and Control Plane nodes and Wireless LAN
Controllers, and the placement of network services such as DHCP servers, Active Directory/LDAP, DNS servers, NTP servers, and
VPN concentrators. This should include the number of sites and/or branch networks and data centers. Include the general number of
endpoints and their types per location. Include the placement of SDA components such as Cisco DNAC, Cisco Identity Services Engine and others.
Include WAN bandwidth information.

Bandwidth and latency requirements between the various components of the SDA architecture are outlined in the "Cisco SDA
Supported Latency" section of this document.

Note: When ISE is deployed in a distributed environment, the maximum latency between the admin node and any other ISE node,
including the secondary admin, MnT, and PSN, is 300 ms. Here is a link to the WAN bandwidth calculator for ISE deployments (you may need to
copy and paste the URL: https://community.cisco.com/t5/security-documents/ise-latency-and-bandwidth-calculators/ta-p/3641112). This
calculator can be used to find out how much bandwidth needs to be reserved for ISE operation across WAN links.

Customer’s Physical Network Topology

Design Considerations and Scope
Cisco Software Defined Access solution

The recommended way to design an SDA fabric is to logically separate the network connectivity design from the policy design. At the
customer, the same team may be responsible for both network design and policy design, or these may be separate functions where running
the network is the responsibility of the NetOps (network operations) team and policy design is handled by the SecOps (security operations)
team.

It is important to understand the customer environment and be inclusive of all the stakeholders.

Cisco DNA Center 1.2.10
Cisco DNA Center is the network management and command center for Cisco DNA, your intent-based network for the enterprise. Your
overall solution scale is driven by Cisco DNAC.

Question Response
Cisco DNAC: Placement
Where is Cisco DNAC placed?

Local, Remote, across WAN


Cisco DNAC: Management IP’s and VRFs

What is the Cisco DNAC Mgmt IPs?


Are there any VRF’s?

DNAC now supports a VIP (required), even if it is a single Cisco DNAC server/appliance

Cisco DNAC: Ports

Is Cisco DNAC behind a Firewall?

Please refer to the DNAC Ports requirements in this document “Cisco DNAC Node
Communications”

Cisco DNAC HA:

Is Cisco DNAC business Critical?

NO – Single Cisco DNAC appliance


YES – 3 Cisco DNAC appliances

Cisco DNAC HA: Automation vs Assurance

What is the HA plan?

DNAC HA requires 3 nodes. All DNAC nodes should be in the same DC, since the supported inter-node latency is
10 ms (1 hop away).

Automation vs Assurance: Automation can be Active-Active, whereas Assurance is
Active-Passive.

When running DNAC with 2 nodes, HA is not supported but the servers can be
deployed in a cold standby mode.

Cisco DNAC: Disaster recovery plan

Current Cisco DNAC Disaster Recovery offering is to restore the last known
configuration to the DR site

Brownfield Customers
Question Response
Prime
Is the customer using prime today?

Create new Sites or import from Prime?

Network Connectivity
Network connectivity services should be addressed first because the location of these services and how they are accessed will directly
impact the design of all of the subsequent stages.

Network Connectivity Services


Question Response
DHCP and DNS: Placement

A fabric-enabled network requires your DHCP server to support Option 82.
In summary, the Option 82 Remote-ID sub-option is a string encoded as the "SRLOC IPv4
address" and the "VXLAN L3 VNI ID" associated with the client segment.

Where are DHCP & DNS?

Where are the servers located, what are the OS / Apps, Are there
VRFs, etc.?

IPAM Model: IP address management

External or Manual, What are the IP Pools for Hosts, for Devices, Are there VRFs,
etc.?

What is the IPAM model?

IPAM Server (IPAM Integration + Site Reserve)


Manual IPAM (Global Pools + Site Reserve)

Global Routing Table vs VRF

Are Services in GRT or VRF?

Services in GRT (Fusion + Route Leaking)


Services in VRF (MP-BGP + VPN Routing)

Miscellaneous

What types of Network Services?

Multicast / Broadcast?
Voice / Video (Collaboration)?
Client Services (mDNS)?
Data Collection (SPAN/Netflow)?
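The Option 82 requirement above is easy to state and easy to get wrong on the server side: the relay agent (the fabric edge) inserts the Relay Agent Information option into the client's request, and the DHCP server must echo it back unchanged so the reply can be delivered to the right edge and segment. The following Python script is an added example, not part of the Cisco template: it parses the Option 82 TLV and its Circuit-ID/Remote-ID sub-options (RFC 3046), decodes the Remote-ID using an assumed "<RLOC IPv4>:<VNI>" string layout (constructed for illustration; the real fabric encoding is whatever the edge node emits), and checks whether a server reply preserved the option. The sample packets are constructed inline.

```python
"""Parse DHCP Option 82 (Relay Agent Information, RFC 3046) from a DHCP options blob.

Added example, not from the Cisco HLD template. The Remote-ID layout
"<RLOC IPv4>:<VNI>" is an assumption made here for illustration.
"""
from typing import Dict, Tuple

OPT_MSG_TYPE = 53
OPT_RELAY_AGENT = 82
OPT_END = 255
OPT_PAD = 0
SUB_CIRCUIT_ID = 1
SUB_REMOTE_ID = 2


def parse_options(blob: bytes) -> Dict[int, bytes]:
    """Parse TLV-encoded DHCP options (the bytes after the magic cookie)."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = value  # last occurrence wins; long-option splitting (RFC 3396) not needed here
        i += 2 + length
    return opts


def parse_relay_agent_info(value: bytes) -> Dict[int, bytes]:
    """Split the Option 82 payload into its sub-options (same TLV shape, no END/PAD)."""
    subs: Dict[int, bytes] = {}
    i = 0
    while i < len(value):
        if i + 1 >= len(value):
            raise ValueError("truncated sub-option header")
        code, length = value[i], value[i + 1]
        data = value[i + 2 : i + 2 + length]
        if len(data) != length:
            raise ValueError(f"truncated sub-option {code}")
        subs[code] = data
        i += 2 + length
    return subs


def decode_remote_id(remote_id: bytes) -> Tuple[str, int]:
    """Decode the assumed "<RLOC IPv4>:<VNI>" Remote-ID string (hypothetical layout)."""
    rloc, vni = remote_id.decode("ascii").rsplit(":", 1)
    parts = rloc.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"bad RLOC {rloc!r}")
    vni_int = int(vni)
    if not 0 <= vni_int < (1 << 24):  # a VXLAN VNI is 24 bits wide
        raise ValueError(f"VNI out of range: {vni_int}")
    return rloc, vni_int


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Encode an Option 82 TLV carrying Circuit-ID and Remote-ID sub-options."""
    payload = bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    payload += bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id
    return bytes([OPT_RELAY_AGENT, len(payload)]) + payload


def relay_info_preserved(request_opts: bytes, reply_opts: bytes) -> bool:
    """True if the server echoed the relay agent's Option 82 back unchanged.

    A server that strips or rewrites Option 82 breaks the fabric: the edge
    needs the RLOC/VNI from the reply to hand the lease to the right client.
    """
    req = parse_options(request_opts).get(OPT_RELAY_AGENT)
    rep = parse_options(reply_opts).get(OPT_RELAY_AGENT)
    return req is not None and req == rep


def summarize(request_opts: bytes) -> Dict[str, object]:
    """Extract the Circuit-ID and the decoded RLOC/VNI from a relayed request."""
    subs = parse_relay_agent_info(parse_options(request_opts)[OPT_RELAY_AGENT])
    rloc, vni = decode_remote_id(subs[SUB_REMOTE_ID])
    return {"circuit_id": subs[SUB_CIRCUIT_ID].decode(), "rloc": rloc, "vni": vni}


# Constructed samples: a DISCOVER relayed by an edge node, an OFFER that echoes
# Option 82, and an OFFER from a server that dropped it.
_OPT82 = build_option82(b"Gi1/0/7", b"10.1.1.1:4099")
SAMPLE_REQUEST = bytes([OPT_MSG_TYPE, 1, 1]) + _OPT82 + bytes([OPT_END])
SAMPLE_GOOD_REPLY = bytes([OPT_MSG_TYPE, 1, 2]) + _OPT82 + bytes([OPT_END])
SAMPLE_BAD_REPLY = bytes([OPT_MSG_TYPE, 1, 2, OPT_END])

if __name__ == "__main__":
    print(summarize(SAMPLE_REQUEST))
    print("good reply keeps option 82:", relay_info_preserved(SAMPLE_REQUEST, SAMPLE_GOOD_REPLY))
    print("bad reply keeps option 82:", relay_info_preserved(SAMPLE_REQUEST, SAMPLE_BAD_REPLY))
```

Run the same check against a capture of a real DISCOVER/OFFER pair taken on the edge uplink (feed only the options bytes after the magic cookie) to confirm the customer's DHCP server is fabric-compatible before the design is finalized; a `False` from `relay_info_preserved` is the symptom to look for when clients in a VN fail to obtain leases.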

Network Connectivity: Wired Connections

This stage is focused on building out the "wired" infrastructure, which will interconnect all of the other elements.

Wired connections should be done second because how the physical infrastructure is set up will directly impact the design of the
wireless and transit stages.

This includes questions on Fabric Edges (access layer switches).

Question Response
Network Connections: LAN Switches

Are there 1-2-3 Tiers? Border, CP, Edge? What is the scale? Do we
need HA, etc.?

Network Connections: LAN Routers

What are the other domains? What protocols? What is the scale? Do
we need HA, etc.?

Network Connections: Firewalls

Are there VRFs? IP vs. SGT based rules? What is the scale? Do we
need HA, etc.?

Wired – Network Tiers

How many Network Tiers?

3-Tier – Refer to the “SDA Design Guidance” section


2-Tier – Refer to the “SDA Design Guidance” section

Wired – Core Device

What type of Core device(s)?

Refer to the “SDA Design Guidance” section

Wired – Distribution Device

What type of Distribution device(s)?

Refer to the “SDA Design Guidance” section

Wired - Access & Extension

Any Endpoints at the distribution?

YES – Edge capable device(s)


NO – Any device(s) allowed

Wired - Access & Extension

What type of Access device(s)?

Refer to the “SDA Design Guidance” section

Wired - Access & Extension

Any Fabric Extended node(s)?

YES – Connect to Edge Node(s)


NO – No considerations

Wired - Access & Extension

What type of Extended device(s)?

CDB -- Building - Outdoor


C3560-CX – Workspace
IE4K -- Industrial
IE5K -- Industrial

Network Connectivity: Underlay and Overlay

This stage is focused on building the underlay and overlay for the fabric. Let's look at a combined packet as it crosses the fabric,
i.e. underlay and overlay encapsulation.

We can also take a high-level look at the function of the overlay and the underlay:

Underlay Network | Overlay Network
Routing ID (RLOC) – IP address of the LISP router facing ISP | Endpoint Identifier (EID) – IP address of a host; VRF; Instance ID; Dynamic EID; VLAN

In summary, Overlay networks in data center fabrics are commonly used to provide Layer 2 and Layer 3 logical networks with virtual
machine mobility (examples: Cisco ACI™, VXLAN/EVPN, and FabricPath). Overlay networks are also used in wide-area networks
to provide secure tunneling from remote sites (examples: MPLS, DMVPN, and GRE).
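To make the underlay/overlay split concrete, here is an added Python example (not code from the Cisco template) that builds and decodes an SD-Access style VXLAN packet. The outer IPv4 addresses are the RLOCs (underlay), the VNI identifies the VN instance, the inner addresses are the EIDs (overlay), and the 16-bit Group Policy ID in the VXLAN-GPO header carries the SGT that the egress edge enforces. All addresses, the VNI and the SGT are constructed values; the hypothetical helper names are this example's own.

```python
"""Build and decode a VXLAN-GPO packet to show underlay (RLOC) vs overlay (EID/VNI/SGT) fields.

Added example, not from the HLD template. Packet contents are constructed;
header layout follows VXLAN (RFC 7348) with the Group Policy extension
(G flag 0x80, 16-bit Group Policy ID carrying the SGT, I flag 0x08, 24-bit VNI).
"""
import struct
from ipaddress import IPv4Address
from typing import Dict

VXLAN_PORT = 4789
FLAG_G = 0x80  # Group Policy ID present
FLAG_I = 0x08  # VNI valid


def ipv4_header(src: str, dst: str, payload_len: int, proto: int = 17) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left zero (constructed, not for transmission)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def vxlan_gpo_header(vni: int, sgt: int) -> bytes:
    """8-byte VXLAN header with the SGT in the Group Policy ID field."""
    return struct.pack("!BBH", FLAG_G | FLAG_I, 0, sgt) + struct.pack("!I", vni << 8)


def build_packet(rloc_src: str, rloc_dst: str, vni: int, sgt: int,
                 eid_src: str, eid_dst: str) -> bytes:
    """Outer IPv4/UDP (underlay) wrapping inner Ethernet/IPv4 (overlay)."""
    inner_ip = ipv4_header(eid_src, eid_dst, 0, proto=6)
    inner_eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    vx = vxlan_gpo_header(vni, sgt) + inner_eth + inner_ip
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, 8 + len(vx), 0)
    return ipv4_header(rloc_src, rloc_dst, len(udp) + len(vx)) + udp + vx


def decode_packet(pkt: bytes) -> Dict[str, Dict[str, object]]:
    """Split a packet into its underlay and overlay fields, validating each layer."""
    if pkt[0] >> 4 != 4 or pkt[9] != 17:
        raise ValueError("not an IPv4/UDP underlay packet")
    ihl = (pkt[0] & 0x0F) * 4
    rloc_src, rloc_dst = str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))
    _, dport, _, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if dport != VXLAN_PORT:
        raise ValueError("UDP destination port is not VXLAN (4789)")
    vx = pkt[ihl + 8:ihl + 16]
    flags, _, gpo = struct.unpack("!BBH", vx[:4])
    if not flags & FLAG_I:
        raise ValueError("VXLAN I flag not set: VNI is not valid")
    vni = struct.unpack("!I", vx[4:8])[0] >> 8
    sgt = gpo if flags & FLAG_G else None  # no G flag means no inline SGT
    inner = pkt[ihl + 16:]
    if struct.unpack("!H", inner[12:14])[0] != 0x0800:
        raise ValueError("inner frame is not IPv4")
    inner_ip = inner[14:]
    return {
        "underlay": {"rloc_src": rloc_src, "rloc_dst": rloc_dst},
        "overlay": {"vni": vni, "sgt": sgt,
                    "eid_src": str(IPv4Address(inner_ip[12:16])),
                    "eid_dst": str(IPv4Address(inner_ip[16:20]))},
    }


# Constructed sample: host 172.16.10.5 (SGT 16) to 172.16.20.7 in VNI 4099,
# carried between edge nodes 10.1.1.1 and 10.1.1.2.
SAMPLE_PACKET = build_packet("10.1.1.1", "10.1.1.2", 4099, 16, "172.16.10.5", "172.16.20.7")

if __name__ == "__main__":
    print(decode_packet(SAMPLE_PACKET))
```

The decoder is deliberately strict: a missing I flag or a non-VXLAN port is an error rather than a guess, which is the behaviour you want when using it to inspect captures from an underlay that may also carry non-fabric traffic.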

Question Response
Wired - Underlay

What type of Underlay?

LAN -- Single Site


MAN – Multiple Sites

Wired - Underlay

What type of Underlay setup?

Manual -- Jumbo MTU, >100ms Latency


Automated – No considerations

Wired – Control Plane

Collocated or Distributed CP + Border?


Which nodes will be Control Plane?

Refer to the “SDA Design Guidance” section

Wired – Border Node

Which nodes will be Border Node?

Refer to the “SDA Design Guidance” section

Network Connections: Border Nodes

More than 2 Exit Points?

YES – Internal + External


NO – External Border

Network Connections: Border Nodes

Connected to Internal Subnets?

YES – Internal
NO – External Border

Network Connections: Border Nodes

How many Internal Exits?

2-4 – Internal + External


> 4 – 2 Internal per Exit

Network Connectivity: Wireless

This stage is focused on building the “wireless” on top of the wired infrastructure.

Wireless Connection should be done third because the placement of WLCs and APs will be based on the wired infrastructure and
client scale.

Question Response
Wireless - WLAN Controllers

How many APs? How many SSIDs? Do we need HA? FEW vs.
OTT, etc.?
Wireless - Access Points

What is the latency from AP to WLC ?

Maximum supported is 20 ms
Refer to the “SDA Latency” Section

How many Clients? Wave1 or Wave2? Auth or No Auth? Guest


SSID, etc.?

11ac Wave2 -- No considerations


11n or ac Wave1 -- No IPv6 or AVC

Wireless - FEW vs. OTT

Do they want FEW? Do they need OTT or Mixed? Cisco or 3rd Party
OTT, etc.?

Wireless - FEW

Fabric Enabled Wireless?

YES -- Fabric capable WLC & APs?


NO – No considerations

Wireless - AirOS

Traditional Wireless (or Mixed)?

YES -- Border + WLC Subnet


NO – No considerations

Wireless - Guest

Guest Wireless?

Simple -- Guest VN
Dedicated -- Guest VN + Dedicated Border
NO – No considerations

Wireless – WLC Device type

What type of WLC device(s)?

CT8540 -- Large
CT5520 -- Medium
CT3540 – Small

Wireless – WLC High Availability

WLC High Availability?

YES -- LAN outside Border


NO – No considerations

Network Connectivity: Transit


This stage is focused on building the "transit" areas between sites, once you have completed more than one site.

Transit connections should be done last because the design and deployment of transit devices will be based on the location, number
and scale of the different sites.

Question Response
Network Connections: Transit WAN Routers

What is the MAN/WAN domain? What protocols? What is the
scale? Do we need HA, etc.?

Network Connections: Branch Switches

Part of WAN or a new SDA site? What is the scale? Do we need
HA, etc.?

Network Connections: SDA vs. IP

Do they need VN/SGT across sites? Direct Internet? Metro or
ISP, etc.?

Network Connections: Transit

Connected other Fabric Sites?

YES -- SD-Access Transit


NO – IP-based Transit

Network Connections: Transit

What type of Underlay?

MAN -- SD-Access Transit


WAN – IP-based Transit

Network Connections: Transit

What type of IP-based Connection?

Fusion -- L3 VRF-Lite Only


Firewall – L3 VRF-Lite + SXP

Network Connections: Transit

What is the outside Protocol?

BGP -- External MP-BGP + address family (AF) per VRF


EIGRP, OSPF, ISIS – IGP + address family (AF) per VRF + Distribute-List

Network Connections: Transit

Do you need VRF Transport?

YES -- VRF-Lite or MPLS-VPN


NO – No considerations

Network Connections: Transit

Do you need SGT Transport?

YES -- SXP or SGT Inline-Tagging


NO – No considerations

Policy

Policy: Overview
List all security policies that are needed to implement the business requirements described above.

Macro/Micro Segmentation: Provide details on the device segmentation policy using Virtual Networks (VNs) for macro segmentation
and (if required) Scalable Groups (SGs) for micro segmentation.

The recommendation is to use macro segmentation for users and devices that typically do not need to talk to each other. Some macro
segmentation use cases are:

Virtual Network A = USERS

Virtual Network B = THINGS

Virtual Network C = GUESTS

For segmentation within a VN, the recommendation is to use micro segmentation (SGTs).

Question Response
Segmentation: Macro vs Micro

List the customer segmentation use cases and requirements

Macro Segmentation – Virtual Networks (VN’s)


Micro Segmentation – Virtual Networks (VN’s) + SGT’s

• Please see SD-Access CVD for details on Micro and Macro Segmentation
• May need to copy and paste URL
https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Campus/CVD-Software-Defined-Access-Design-Sol1dot2-2018DEC.pdf

Please explain if you are not planning on deploying the Micro Segmentation.
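As an added example (not part of the Cisco template), the following Python script models the macro/micro decision described above so that a reviewer can check which flows a proposed VN layout and SGACL matrix actually permit: cross-VN traffic is dropped unless the VN pair is leaked at the fusion device, and only intra-VN traffic reaches the SGT matrix. The VN names, SGT names, leak set and matrix entries are assumptions for illustration.

```python
# Added example (not from the Cisco SDA HLD template): a small model of the
# macro/micro segmentation decision so a design reviewer can check which flows
# a proposed VN layout and SGACL matrix actually permit. The VN names, SGT
# names, fusion leak set and matrix below are assumptions for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    name: str
    vn: str    # Virtual Network (macro segmentation)
    sgt: str   # Scalable Group Tag (micro segmentation)


# Macro segmentation: VNs are isolated VRFs. The only cross-VN path is the
# shared-services VN, reached via VRF-to-GRT leaking on the fusion device
# from the VNs listed here (GUESTS is deliberately not leaked).
SHARED_SERVICES_VN = "SHARED_SERVICES"
LEAKED_TO_SHARED = {"USERS", "THINGS"}

# Micro segmentation: SGACL matrix keyed by (source SGT, destination SGT).
# Pairs not in the matrix fall back to the matrix default action.
SGACL_MATRIX = {
    ("Employee", "Contractor"): "deny",
    ("Contractor", "Employee"): "deny",
    ("Contractor", "Contractor"): "deny",   # contractors isolated from each other
    ("HVAC", "BMS"): "permit",
    ("Camera", "HVAC"): "deny",
}

# Constructed sample endpoints (not customer data).
SAMPLE_ENDPOINTS = [
    Endpoint("alice-pc", "USERS", "Employee"),
    Endpoint("bob-pc", "USERS", "Employee"),
    Endpoint("vendor-laptop", "USERS", "Contractor"),
    Endpoint("ahu-1", "THINGS", "HVAC"),
    Endpoint("visitor-phone", "GUESTS", "Guest"),
    Endpoint("dns-1", SHARED_SERVICES_VN, "Servers"),
]


def decide(src: Endpoint, dst: Endpoint, matrix=SGACL_MATRIX, default="permit"):
    """Return (action, reason) for a flow src -> dst.

    Macro segmentation is evaluated first: a flow never crosses VNs unless one
    side is the shared-services VN and the other VN is leaked to it (leaking
    imports routes both ways, so the check is symmetric). Only flows that
    survive the macro check reach the SGACL matrix.
    """
    if src.vn != dst.vn:
        if SHARED_SERVICES_VN in (src.vn, dst.vn):
            other = dst.vn if src.vn == SHARED_SERVICES_VN else src.vn
            if other in LEAKED_TO_SHARED:
                return "permit", f"macro: {other} <-> {SHARED_SERVICES_VN} leaked via fusion"
        return "deny", f"macro: VN isolation ({src.vn} -> {dst.vn})"
    key = (src.sgt, dst.sgt)
    action = matrix.get(key, default)
    source = "matrix" if key in matrix else "matrix default"
    return action, f"micro: SGACL {src.sgt} -> {dst.sgt} ({source})"


def audit(endpoints, matrix=SGACL_MATRIX, default="permit"):
    """List every permitted ordered pair of distinct endpoints, with the reason.

    Any permitted flow whose reason ends in 'matrix default' is a policy gap
    the HLD should justify explicitly: micro segmentation only blocks what
    the matrix names.
    """
    permitted = []
    for s in endpoints:
        for d in endpoints:
            if s is d:
                continue
            action, reason = decide(s, d, matrix, default)
            if action == "permit":
                permitted.append((s.name, d.name, reason))
    return permitted


if __name__ == "__main__":
    for src_name, dst_name, reason in audit(SAMPLE_ENDPOINTS):
        print(f"{src_name:14} -> {dst_name:14} permit  {reason}")
```

Run it to print the permitted pairs among the sample endpoints; the reason column tells the reviewer whether each flow was allowed by an explicit matrix entry, by the matrix default, or by a fusion leak.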
Policy: General
Question Response
Policy: General

What type of Policies?


• Access Control?
• Quality of Service?
• Policy Routing?
• IDS/IPS?

Policy: General

What types of Access Control?


• Basic Permit/Deny?
• Complex L4 Ports?
• Scale considerations?

Policy: General

What types of Quality of Service?


• Basic Queuing?
• Complex Classification?

Policy: General

What types of Policy Routing?


• Traffic Engineering/Steering?
• Redirect/Cache Services?
• Redundancy considerations?

Policy: General

What types of IDS/IPS?


• External System? Tap?
• Inline NaaS/NaaE?

Policy: Macro and Micro Segmentation
Question Response
Segmentation: Macro Segmentation

What area(s) need to be Isolated?

Separate Departments
Secure Areas
Partners/Contractors
Guest Network

Segmentation: Macro Segmentation

How many additional VN(s) ?

Refer to the “Cisco DNAC Scale” section

Segmentation: Macro Segmentation

Do VN(s) need Shared Services?

YES -- VRF to GRT Leaking


NO – VRF based Services

Segmentation: Macro Segmentation

Where are VRFs Managed?

Fusion -- VRF to GRT Leaking


Firewall/DMZ – VRF based Services

Policy: Cisco Identity Services Engine
This section covers the AAA server (Authentication, Authorization & Accounting). A AAA server has many functions in the
Fabric, some of which are:

Host on-boarding – assigning users and endpoints to the correct VN (and the VLAN/IP pool within it).

Authentication Policy – authenticating users and endpoints (802.1X, MAB, WebAuth, etc.).

Authorization Policy – in addition to assigning VLANs and VNs, this step can also assign a Scalable Group Tag (SGT) to the endpoint
to enable micro segmentation within a VN.

Question Response
Topology Specifics -- Network Access Devices
Provide the general switch/controller model numbers/platforms deployed and Cisco
IOS and AireOS Software versions to be deployed to support ISE design.
• Please see ISE Component Compatibility Document for the recommended
IOS and AireOS versions
Please explain if you are not planning on deploying the versions listed in the
ISE compatibility document.

Identity Services Engine Software Version


Please see CCO Download Software Page for the latest software release.

EndPoint Types
What are the general client types deployed (Please provide service pack details for
Windows and OS types for MacOSX)?

Will 3rd party Mobile Device Management (MDM) be integrated with ISE?

If already using 3rd party Mobile Device Management (MDM) or planning to
use MDM please note the vendor and version as well as brief description on how
it will integrate with ISE
◦ Please see Cisco ISE – MDM Partner Integration guide for supported MDM
vendor for integration and supported versions

Are mobile devices corporate- or employee-owned assets?

Will user access policy be based on device type (for example, laptop versus
iPad)? If so, will machine auth or profiling or static MAC assignments be used
to distinguish device types?

Please note how many of the concurrent endpoints will utilize MDM
information during authorization from ISE

Note: For domain joined Windows machines to function properly, machine
authentication is recommended. Performing user only authentication may break
critical functions such as machine GPO and other background services such as
backup and software push.
Note: State whether the customer is using machine or user authentication, or both. If
both machine and user authentication are planned, are Machine Access Restrictions
(MAR) planned? If so, review the Appendix information on MAR caveats.
For machine / user authentication details, please refer to 802.1X Authenticated
Wired and Wireless Access

Response:
3rd party MDM Vendor:
Windows Versions: Windows XP: / Windows Vista: / Windows 7: / Windows 8/8.1:
Supplicant Type: Windows Native / AnyConnect NAM / 3rd Party supplicant:
Other User EndPoint Types: Mac OSX: / iDevice: / Android: / Linux: / Other EndPoint Types:
Non-User EndPoint Types: Wireless AP: / IP Phone: / Printer/Fax/Etc: / HVAC: / Medical: / SCADA: / Other:

Extensible Authentication Protocol (EAP) Types

Note: EAP-TTLS is not supported by ISE.
Note: Cisco ISE version 1.1 supports FIPS 140-2 Level 1 Compliance, please see
the details in FIPS 140-2 Level 1 Compliance Page for more information.
Note: Cisco ISE 1.4 supports EAP chaining. When EAP Chaining is turned off,
Cisco ISE performs usual EAP-FAST authentication.

Response:
EAP Tunnel: PEAP / EAP-FAST
Inner EAP: MSCHAPv2 / EAP-TLS / GTC / EAP-Chaining
Other EAP Types:

ID Stores
[EAP and ID Store Compatibility Reference]

List the internal and external ID stores the customer will use for different use cases.

Consider the following:

• 802.1X: AD
• MAB: Internal EndPoint + AD
• Web Authentication: Internal Guest + AD
• VPN: SecurID
• Guest Sponsors: AD
• Oracle Access Manager
• ISE GUI Admin: Certificate

Note: For Sponsored or Self-Service Guests, ID store is always ISE guest users
database

MS Active Directory Environment



How many AD forests are to be integrated with ISE with multi-AD feature?

ISE requires AD forest DNS consolidated into central DNS servers. What
method is used to consolidate DNS information for the separate AD forests?

What version of AD is in use?

Are there any Read-Only domains in place?

Note: AD Site & Services is recommended for ISE subnets for all forests. For more
information regarding multi-AD support, please refer to ISE 1.3 Multi-AD how-to
guide

Web Authentication

Will WebAuth be used?

Will WebAuth be used for wired, wireless, or both?

Will Local Web Auth (LWA) or Central Web Auth (CWA) be used?

Where will the web portal be hosted?
Note: If deploying CWA the portal must be hosted by ISE. If deploying LWA
the portal can be local to access device, or external (such as ISE).

Will web auth be used for guest access? Will web auth be used for non-guests
(for example, employees)?

Note: For more information on CWA and LWA support on different platforms,
please refer to ISE Component Compatibility Document

Authorization
Describe the enforcement types used. Consider the following options:

VLANs

ACLs (dACL for wired /named ACL for wireless)

Security group tags/ACLs (SGTs/SGACLs)

dACL considerations:

Cisco Catalyst switches support the wire−rate access control list (ACL) with use
of the ternary content addressable memory (TCAM). If the TCAM is exhausted,
the packets may be forwarded via the CPU path, which can decrease
performance for those packets. It is recommended to limit the number of Access
Control Entries (ACE) to prevent potential TCAM exhaustion.

Using IP SourceGuard feature or QoS feature may also affect the TCAM
utilization

VLAN considerations:

Consider the use case for why VLAN enforcement is used and estimate the
number of VLANS required.

To authorize an endpoint using dynamic VLANs (dVLANs), the access device
must have that VLAN locally defined or else authorization will fail.

To reduce the number of unique authorization policy rules, access devices
should use consistent VLAN numbering, or consistent case-sensitive naming if
dVLANs are assigned by VLAN name or VLAN Group name.

When using monitor mode of the phased deployment, VLAN assignment may
leave endpoints with the wrong IP address

Some endpoints, such as non-user devices, may not refresh IP after VLAN
change

If devices are statically addressed, they may not be able to communicate on
assigned VLAN

Note: VLAN assignment is not supported with LWA (wired or wireless)


Note: Using dVLAN assignment to change VLANs between machine
authentication and user authentication, or for remediation purposes, may result in
a delay in getting a new IP address on the Windows platform

Posture

Which posture agents will be used? Consider: AnyConnect 4.0 posture agent for
Windows or Mac, Web agent for Windows

If persistent posture agents are deployed, how will they be provisioned? (e.g.
through ISE, through another desktop software/patch management solution, or
via ASA)

In the Posture Policy section below, explain the posture policy by OS type including
remediation policies.

Note: For latest AV/AS posture requirements, review the list of currently supported
packages for Windows and MacOSX

Profiling

Identify the primary device types to be profiled

What is the profile data required to classify each device type?

Which probes will be deployed to collect the required data?

If SPAN/RSPAN is to be used, does infrastructure support these technologies?
Note: If SPAN/RSPAN used, a dedicated interface should be used on the Policy
Service Node for the DHCP SPAN or HTTP SPAN probe.

If RSPAN or Netflow is to be used, is there sufficient bandwidth between source
SPAN/Netflow exporter and ISE Policy Service node used for profiling?

Is profiling for visibility only or for use in authorization policy?
In the Profiling Policy section below, explain the profiling policy in detail.

Response (Profiling Probes):
NETFLOW / DHCP / DHCPSPAN / HTTP / RADIUS / Device Sensor / DNS / NMAP / SNMPTRAP / SNMPQUERY

ISE Nodes/Personas

Number and type (3315/3355/3395/3415/3495/VM) of each ISE appliance
(node)

Define the personas assigned to each node (e.g., Administration, Monitoring,
Policy Service, Inline Posture) including Primary and Secondary designations.

In the Deployment Details section below, provide information on the nodes


Note: Inline Posture node is only supported on physical appliances except 3495.
Note: Each Policy Service Node (PSN) supports a limited number of endpoints. Size the
number of PSNs according to the number of required endpoints.
Note: EOS and EOL have been announced for the 33x5 appliances. For more information
please refer to the EOL announcement.

Switch Identity Configuration


Describe the wired switch identity configuration

Multi-auth/multi-domain modes

Flexible authentication sequencing and priority for 802.1X, MAB, and web auth

Is Cisco Common Classification Policy Language (C3PL, IBNS 2.0) for the 3850 switch to be used?

Is Failed-Auth or Guest VLANs to be used?

Note: These fallback mechanisms cannot be used with LWA/CWA


Note: Please refer to Cisco TrustSec 2.1 HowTo Guide in the Appendix for
configuration reference. We would recommend inputting the detailed switch
configurations here.

Wireless Configuration
Describe the wireless configuration

How many SSIDs does the deployment require?

Please provide SSID security settings.

Is wireless AP in FlexConnect mode or not?

For Guest wireless access, is the WLC configured as an anchor controller?

Note: Not all functionality of FlexConnect AP mode with ISE is officially
supported.
Note: For the WLANs, please configure the idle-timer to be more than 3600
seconds (1 hour) and session-timeout to be more than 7200 seconds (2 hours). Also,
please increase the RADIUS Authentication & Accounting server timeout to be 5
seconds.

Certificate Authority (CA) Integration

Describe the CA configuration

How will ISE integrate with 3rd party CA?

Will ISE be issuing certificates for BYOD?

Response (CA Types):
Standalone / Joined to existing PKI infrastructure / SCEP

Bring Your Own Devices (BYOD)


Describe the detailed BYOD configuration

Is it Single SSID or Dual SSID?

Will Android be in the BYOD design? If so, please provide details of
provisioning authorization profile

What devices will be auto provisioned?

What supplicant will be used? Please provide detailed supplicant configuration
information.

What access will unsupported devices get? (e.g. BlackBerry, Windows phones,
Chromebooks)

Will MDM be integrated with BYOD design, If so, please provide details of
MDM policy below in the Authorization Policy section and whether or not
redirection will be used for MDM agent installation

Note: Please note that Dual SSID and CWA are only supported with WLC AireOS
7.2 and up. Please plan to use LWA if there is no plan to upgrade to the devices that
support CWA and MAB.
Note: With AireOS 7.6 and up, DNS-based wireless ACLs are supported, which allow
the admin to create an ACL that lets Android devices reach the Google Play
Store.

Integration with 3rd party (Excluding MDM)


Describe the detailed integration with SIEM & Threat Defense products

What product and vendor for SIEM. Please see Cisco ISE – SIEM & Threat
Defense Eco System Integration guide for supported SIEM vendor for
integration and supported versions

What information will be forwarded to SIEM

Will pxGrid be used? If so, which devices will subscribe to ISE?

Will Endpoint Protection Services (EPS) be used?

Cisco SDA Design Guidance
Cisco SDA design guidance falls into 4 categories, listed in the following sections. This is a high-level introduction
followed by individual design details.

Very Small Design


Overview for FIAB - Fabric in a Box

• Total endpoints < 2K (software limit)


• Border, CP, Edge and Wireless in a single box
• Limited Survivability for CP and Border
• Single wiring closet (MDF)

Benefits

• Reduces cost to deploy SDA for very small sites


• FE + FB + CP on same C9K
• Supports 9800 & Embedded-Wireless in 1.2.10 (16.10.1e for C9300)

Stack of FIAB’s

• Total endpoints < 2K (software limit)


• If a member of the Stack fails (with CP and Border), the next available member in the stack takes over the CP and Border
functionality
• Limited Survivability for CP and Border
• Single wiring closet (MDF)
• Max of 8 boxes can be in a Stack
• All the stack members must be the same platform
Benefits

• Get additional ports in a FIAB


• Still reduced cost to deploy SDA for very small sites
• FE + FB + CP on same C9K
• Supports 9800 & Embedded-Wireless in 1.2.10 (16.10.1e for C9300)

Small Design
Overview

• Multiple wiring closets or even single.


• Border and CP are collocated in a single box
• Redundancy for Border or CP
• Limited Survivability
• Total endpoints < 10K (recommendation, but DNAC and platform scale can drive this number)

Benefits
• Small site design
• Tends to be Building or Office with < 10,000 endpoints and < 100 IP Pools/Groups
• 1-2 Collocated CP +
External Border (Single Exit)
• Tends to be local WLC connected to Border (e.g. Stack) + FEW
• Looking at <1000 dynamic authentications and <250 group based policies.
• FB + CP + Wireless (9300) with distributed Fabric Edges
• Supports 9800 & Embedded-Wireless in 1.2.10 (16.10.1e for C9300)

Medium Design
Overview

• Multiple wiring closets or even single.


• Dedicated CP’s for higher survivability (Site, building, floor)
• 2 x collocated Border & CP (in a single box)
• Full Survivability for CP
• Limited Redundancy for Border
• Dedicated Edge (no stacking)
• Recommended total endpoints < 10K (recommendation, but DNAC and platform scale can drive this number).

Benefits
• Next level up to a small design.
• Max Control Plane nodes = 6 (Wired Only); 4 with Wireless (2 Enterprise and 2 Guest CP’s).
• Tends to be Multiple Buildings with < 25,000 endpoints
• Most likely a 3 Tier design, recommendation is to use 9400 & 9500 as intermediate nodes.
• Can choose a Co-located or a Distributed/Dedicated CP + Border(Single Exit) design.
• Tends to be WLC + FEW via Services Block or a local Data Center
• Looking at < 25,000 dynamic authentications and < 1000 group based policies

Large Design
Overview

• Multiple wiring closets (most likely).


• Max Control Plane nodes = 6 (Wired Only); 4 with Wireless.
• Max Border nodes = 4
• Dedicated CP’s for higher survivability (Site, building, floor)
• Dedicated Borders for site exits
• Full Survivability for CP
• Full Redundancy for Border
• Dedicated Edge (no stacking)
• Recommended total endpoints < 25K (recommendation, but DNAC and platform scale can drive this number).

Benefits
• Dedicated borders can provide multiple exits to different DC’s or destinations.
• Tends to be Many Buildings with < 25,000 endpoints and < 500 IP Pools/Groups
• Most likely a 3 Tier design, recommendation is to use 9500 as intermediate nodes.
• Can choose a Co-located or a Distributed/Dedicated CP + 2-4 Borders (Multiple Exits)
• Looking at < 25,000 dynamic authentications and < 2000 group based policies

Cisco DNAC Ports
Cisco DNA Center needs access to the following URLs & FQDNs:

• Download System & Application package software: *.ciscoconnectdna.com:443
• Integrate with cisco.com and Cisco Smart Licensing: *.cisco.com:443
• Integrate with Cisco Meraki: *.meraki.com:443
• Render accurate information in site & location maps: www.mapbox.com, *.tiles.mapbox.com/*:443
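The following Python check is an added example, not part of the template or of DNA Center: it validates outbound destinations against the list above, as one would when writing proxy or firewall egress rules for the appliance. Wildcard entries are treated as label-aligned suffixes, so "*.cisco.com" matches "api.cisco.com" but not "cisco.com", "evil-cisco.com" or "cisco.com.attacker.net". The template gives no port for www.mapbox.com, and 443 is assumed here; the observed connections in the script are constructed sample data.

```python
# Added example (not Cisco's code): checks an outbound destination against the
# DNA Center allowlist above, the way a reviewer would validate proxy or
# firewall egress rules. Wildcard entries match one or more extra labels only
# (so "*.cisco.com" matches "api.cisco.com" but not "cisco.com",
# "evil-cisco.com" or "cisco.com.attacker.net"). The mapbox entry has no port
# in the template; 443 is assumed here.
DNAC_EGRESS_ALLOWLIST = [
    "*.ciscoconnectdna.com:443",  # system & application package downloads
    "*.cisco.com:443",            # cisco.com integration, Smart Licensing
    "*.meraki.com:443",           # Meraki integration
    "www.mapbox.com:443",         # site & location maps (port assumed)
    "*.tiles.mapbox.com:443",     # map tiles
]


def _normalize_host(host: str) -> str:
    # Lower-case and drop a trailing root dot so "API.Cisco.com." compares cleanly.
    return host.strip().rstrip(".").lower()


def parse_rule(rule: str):
    """Split 'pattern:port' into (wildcard, base_host, port)."""
    pattern, _, port = rule.rpartition(":")
    if not port.isdigit():
        raise ValueError(f"rule without port: {rule!r}")
    pattern = pattern.rstrip("/*")            # tolerate "*.tiles.mapbox.com/*"
    wildcard = pattern.startswith("*.")
    host = _normalize_host(pattern[2:] if wildcard else pattern)
    if not host or "*" in host:
        raise ValueError(f"unsupported pattern: {rule!r}")
    return wildcard, host, int(port)


def is_allowed(host: str, port: int, allowlist=DNAC_EGRESS_ALLOWLIST) -> bool:
    """True if host:port is covered by an allowlist entry."""
    host = _normalize_host(host)
    for rule in allowlist:
        wildcard, base, rule_port = parse_rule(rule)
        if port != rule_port:
            continue
        if wildcard:
            # Label-aligned suffix match: requires a dot before the base domain,
            # so neither the bare base nor a look-alike registrable domain passes.
            if host.endswith("." + base):
                return True
        elif host == base:
            return True
    return False


def check_connections(connections, allowlist=DNAC_EGRESS_ALLOWLIST):
    """Return the (host, port) tuples the allowlist would block."""
    return [(h, p) for h, p in connections if not is_allowed(h, p, allowlist)]


if __name__ == "__main__":
    # Constructed sample of observed DNA Center connections (not real log data).
    observed = [("api.ciscoconnectdna.com", 443), ("software.cisco.com", 443),
                ("cisco.com", 443), ("evil-cisco.com", 443),
                ("cisco.com.attacker.net", 443), ("www.mapbox.com", 443),
                ("a.tiles.mapbox.com", 443), ("api.cisco.com", 80)]
    for host, port in check_connections(observed):
        print(f"BLOCKED {host}:{port}")
```

The suffix check is the point of the example: an allowlist implemented as a plain substring or "endswith" on the bare domain would let "cisco.com.attacker.net" or "evil-cisco.com" through.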

Cisco DNAC Node Communications

Cisco DNA Center 1.2.10 Scale

Cisco SDA Supported Latency
Latency Requirements (RTT)

Latency between SDA fabric components

Cisco SDA Supported Wired Platforms
Fabric Edge, Border and Control Plane

Link to the Platform support and Scale Numbers

Cisco SDA Supported Wireless Platforms
FEW and OTT

Link to the Platform support and Scale Numbers

Policy Details

Host On-boarding: For each use case (wired, wireless, VPN), describe the ISE authentication policies that will on-board users and
endpoints to the fabric, whether managed or unmanaged.

Cisco ISE Authentication Policy Example:


Rule Name | Condition | Allowed Protocols | ID Store / ID Sequence
Device Access | Wired_MAB | Default Network Access | Internal EndPoints
802.1X Access | Wired_802.1X | Default Network Access | AD_then_Local
VPN | NAS-Port-Type = Virtual | Default Network Access | AD
Default | - | Default Network Access | Internal Users

Customer Authentication Policy:


Rule Name | Condition | Allowed Protocols | ID Store / ID Sequence

Cisco ISE Authorization Policy: For each use case (wired, wireless, VPN), describe the authorization policies that will be
implemented for all users and endpoints whether managed or unmanaged.

Authorization Policy Example:


Rule Name | Identity Groups | Other Conditions | Permissions | SGT
BYOD Unknown | Mobile Devices Logical Group | EAP Tunnel = PEAP, EAP Type = MSCHAPv2 | NSP dACL, NSP Redirect | BYOD
BYOD Registered | Registered | EAP Type = EAP-TLS, SAN = Calling-StationID | Registered dACL | BYOD-Registered
IP_Phones | Cisco-IP-Phones | - | Voice VLAN Authz (VVID) | IP-Phone
Printers | Managed-Printers | - | Printer VLAN | Printer
Cameras | Managed-Cameras | - | Camera VLAN | Camera
Workstation_Access | Any | Domain PC | AD Access dACL | AD-Access
User_Role_1_Access | Any | Domain Member Role1 | Role1 dACL | Role1
User_Role_2_Access | Any | Domain Member Role2 | Role2 dACL | Role2
Guest_Access | Guest | - | Internet Only dACL | Internet-Only
Default | - | - | Web Auth | Default
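As an added example (not ISE code and not part of the template), the Python below evaluates the two example tables above as first-match rule lists, which is how ISE processes them: the authentication rule selects the ID store, and the authorization rule selects permissions and SGT. Request attributes are constructed; the library conditions Wired_MAB and Wired_802.1X are reduced to attribute equality, "Domain PC" is modelled as membership of an assumed AD group "Domain Computers", and "Domain Member Role1/Role2" as membership of AD groups Role1/Role2.

```python
# Added example (not Cisco ISE code): first-match evaluation of the example
# authentication and authorization tables, so rule ordering can be checked
# before the rules are entered in ISE. Attributes, identity groups and the
# AD-group mapping of "Domain PC"/"Domain Member" are assumptions.
from dataclasses import dataclass, field


@dataclass
class Request:
    """Subset of RADIUS/EAP attributes ISE would see for one access request."""
    attrs: dict                                           # e.g. {"NAS-Port-Type": "Ethernet"}
    identity_groups: set = field(default_factory=set)     # resolved from the ID store
    ad_groups: set = field(default_factory=set)           # e.g. {"Domain Computers"}


# Library conditions from the example table (simplified to attribute equality).
LIBRARY = {
    "Wired_MAB":    {"NAS-Port-Type": "Ethernet", "Service-Type": "Call Check"},
    "Wired_802.1X": {"NAS-Port-Type": "Ethernet", "Service-Type": "Framed"},
}

AUTHN_RULES = [  # (name, condition attrs, allowed protocols, ID store / sequence)
    ("Device Access", LIBRARY["Wired_MAB"], "Default Network Access", "Internal EndPoints"),
    ("802.1X Access", LIBRARY["Wired_802.1X"], "Default Network Access", "AD_then_Local"),
    ("VPN", {"NAS-Port-Type": "Virtual"}, "Default Network Access", "AD"),
    ("Default", {}, "Default Network Access", "Internal Users"),
]

AUTHZ_RULES = [  # (name, identity group or None for "Any", other conditions, permissions, SGT)
    ("BYOD Unknown", "Mobile Devices Logical Group",
     {"EAP Tunnel": "PEAP", "EAP Type": "MSCHAPv2"}, ["NSP dACL", "NSP Redirect"], "BYOD"),
    ("BYOD Registered", "Registered",
     {"EAP Type": "EAP-TLS", "SAN matches Calling-Station-ID": "true"}, ["Registered dACL"], "BYOD-Registered"),
    ("IP_Phones", "Cisco-IP-Phones", {}, ["Voice VLAN Authz (VVID)"], "IP-Phone"),
    ("Printers", "Managed-Printers", {}, ["Printer VLAN"], "Printer"),
    ("Cameras", "Managed-Cameras", {}, ["Camera VLAN"], "Camera"),
    ("Workstation_Access", None, {"AD Group": "Domain Computers"}, ["AD Access dACL"], "AD-Access"),
    ("User_Role_1_Access", None, {"AD Group": "Role1"}, ["Role1 dACL"], "Role1"),
    ("User_Role_2_Access", None, {"AD Group": "Role2"}, ["Role2 dACL"], "Role2"),
    ("Guest_Access", "Guest", {}, ["Internet Only dACL"], "Internet-Only"),
    ("Default", None, {}, ["Web Auth"], "Default"),
]


def _matches(req: Request, conds: dict) -> bool:
    """All conditions must hold; 'AD Group' is a membership test, the rest equality."""
    for key, value in conds.items():
        if key == "AD Group":
            if value not in req.ad_groups:
                return False
        elif req.attrs.get(key) != value:
            return False
    return True


def authenticate(req: Request):
    """First matching authentication rule: (rule name, protocols, ID store)."""
    for name, conds, protocols, store in AUTHN_RULES:
        if _matches(req, conds):
            return name, protocols, store
    raise LookupError("no authentication rule matched")   # unreachable with a Default rule


def authorize(req: Request):
    """First matching authorization rule: (rule name, permissions, SGT)."""
    for name, group, conds, permissions, sgt in AUTHZ_RULES:
        if group is not None and group not in req.identity_groups:
            continue
        if _matches(req, conds):
            return name, permissions, sgt
    raise LookupError("no authorization rule matched")


def evaluate(req: Request) -> dict:
    """Run both stages in the order a NAD request flows through ISE."""
    authn = authenticate(req)
    authz = authorize(req)
    return {"authn_rule": authn[0], "id_store": authn[2],
            "authz_rule": authz[0], "permissions": authz[1], "sgt": authz[2]}


if __name__ == "__main__":
    phone = Request({"NAS-Port-Type": "Ethernet", "Service-Type": "Call Check"},
                    identity_groups={"Cisco-IP-Phones"})
    print(evaluate(phone))
```

The domain-PC case in the test shows why rule order matters: a machine that is also a member of Role1 takes Workstation_Access because that rule is listed first, and an endpoint matching no identity group or AD group lands on the Default rule's Web Auth result.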

Customer Authorization Policy:


Rule Name | Identity Groups | Other Conditions | Permissions | SGT

Guest Access: For each use case (wired or wireless), describe guest access policy. Provide information on how guest will access the
network including information on guest provisioning, sponsors, and whether custom guest portal pages need to be created. Please fill
details in the forms below if the answer yes applies to you. Put no if the scenario does not apply to you.
Services | Wired (yes or no) | Wireless (yes or no)
Guest | |

Profiling: For each use case (wired or wireless), describe how the profile data will be collected by each probe required to classify
each device type to be profiled. For example, will SPAN or RSPAN be used to carry data from the network to the Identity Services
Engine? If so, what is the SPAN design? Will dedicated ISE interfaces be used? If HTTP probe used, will SPAN or redirection be
used to capture user agent attributes?

Note the number of events per second a platform can safely process, per the Platform Performance Spec table below. For
example, if iPad traffic is to be profiled by probing HTTP traffic for the User Agent attribute, then the design must ensure the Policy
Service node is not inspecting more than 1200 HTTP events per second (3395 spec). Consider profiling strategies that reduce the overall
load on the Policy Service node, such as the use of HTTP redirect at connect time to capture the User Agent attribute, or the use of IP
Helper statements for DHCP capture instead of SPAN.

Profiling Policy / Requirements Example:


Device Profile | Unique Attributes | Probes Used | Collection Method
Cisco IP Phone | OUI | RADIUS | RADIUS Authentication
| CDP | SNMP Query | Triggered by RADIUS Start
IP Camera | OUI | RADIUS | RADIUS Authentication
| CDP | SNMP Query | Triggered by RADIUS Start
Printer | OUI | RADIUS | RADIUS Authentication
| DHCP Class Identifier | DHCP |
POS Station (static IP) | MAC Address | RADIUS (MAC Address discovery) | RADIUS Authentication
| ARP Cache for MAC to IP mapping | SNMP Query | Triggered by RADIUS Start
| DNS name | DNS | Triggered by IP Discovery
Apple iPad/iPhone | OUI | RADIUS | RADIUS Authentication
| Browser User Agent | HTTP | Authorization Policy posture redirect to central Policy Service node cluster
| DHCP Class Identifier + MAC to IP mapping | DHCP | IP Helper from local L3 switch SVI
| NMAP Scan Result | NMAP | Active Scanning
Device X | MAC Address | RADIUS (MAC Address discovery) | RADIUS Authentication
| Requested IP Address for MAC to IP mapping | DHCP | RSPAN of DHCP Server ports to local Policy Service node
| Optional to acquire ARP Cache for MAC to IP mapping | SNMP Query | Triggered by RADIUS Start
| Port # traffic to Destination IP | Netflow | Netflow export from Distribution 6500 switch to central Policy Service node
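The following Python is an added example, not part of the template and not ISE's profiler: it scores endpoints the way the table above describes, with each probe contributing attributes and each profile accumulating certainty until it reaches a minimum. OUIs, attribute strings, point values and thresholds are assumptions for illustration, and the OUI table stands in for the IEEE registry; the probe output in the script is constructed, not captured data.

```python
# Added example (not Cisco ISE code): a certainty-factor profiler in the style
# of the profiling table above. Each probe contributes attributes; each profile
# policy adds points for the conditions it satisfies and matches only when the
# total reaches its minimum certainty. OUIs, strings, points and thresholds
# are assumptions for illustration, not ISE's built-in policies.
import re

# Profile policies: (name, minimum certainty, [(attribute, regex, points), ...])
PROFILE_POLICIES = [
    ("Cisco-IP-Phone", 30, [
        ("oui", r"^OUI-CISCO", 10),                    # RADIUS: OUI alone is weak evidence
        ("cdpCachePlatform", r"Cisco IP Phone", 20),   # SNMP query triggered by RADIUS start
    ]),
    ("Apple-iPad", 40, [
        ("oui", r"^OUI-APPLE", 10),
        ("dhcp-class-identifier", r"^iPad", 20),       # DHCP via IP helper
        ("User-Agent", r"iPad", 20),                   # HTTP probe via redirect
    ]),
    ("Printer", 30, [
        ("oui", r"^OUI-PRINTER", 10),
        ("dhcp-class-identifier", r"LaserJet|Printer", 20),
    ]),
]

# Constructed OUI lookup standing in for the IEEE OUI database (assumed values).
OUI_TABLE = {"00:11:22": "OUI-CISCO", "00:33:44": "OUI-APPLE", "00:55:66": "OUI-PRINTER"}


def collect(mac: str, probe_data: dict) -> dict:
    """Merge the attributes delivered by each probe into one endpoint record."""
    attrs = {"MACAddress": mac.lower()}
    attrs["oui"] = OUI_TABLE.get(mac[:8].upper(), "OUI-UNKNOWN")
    for _probe, data in probe_data.items():     # e.g. {"DHCP": {...}, "HTTP": {...}}
        attrs.update(data)
    return attrs


def score(attrs: dict, policies=PROFILE_POLICIES) -> dict:
    """Certainty per profile: the sum of points for satisfied conditions."""
    result = {}
    for name, _minimum, conditions in policies:
        total = 0
        for attribute, pattern, points in conditions:
            value = attrs.get(attribute)
            if value is not None and re.search(pattern, value):
                total += points
        result[name] = total
    return result


def classify(attrs: dict, policies=PROFILE_POLICIES) -> str:
    """Highest-scoring profile that reaches its minimum certainty, else 'Unknown'."""
    totals = score(attrs, policies)
    best, best_total = "Unknown", -1
    for name, minimum, _conditions in policies:
        if totals[name] >= minimum and totals[name] > best_total:
            best, best_total = name, totals[name]
    return best


if __name__ == "__main__":
    # Constructed probe output for one tablet, before and after the extra probes.
    tablet = collect("00:33:44:aa:bb:cc", {"RADIUS": {}})
    print(classify(tablet))      # OUI alone stays below the threshold
    tablet = collect("00:33:44:aa:bb:cc", {
        "DHCP": {"dhcp-class-identifier": "iPad"},
        "HTTP": {"User-Agent": "Mozilla/5.0 (iPad; CPU OS 12_1 like Mac OS X)"},
    })
    print(classify(tablet))
```

The iPad case illustrates the design question in the text: the OUI alone never reaches the threshold, so either the DHCP class identifier (via IP helper) or the HTTP User-Agent (via redirect) has to be collected before the endpoint can be authorized as a tablet, and the choice of probe determines the load on the Policy Service node.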

Customer Profiling Policy / Requirements:

Device Profile | Unique Attributes | Probes Used | Collection Method

Deployment Details
Unknowns
What are the key unknowns or concerns about this deployment? For instance, list here the information that was required but not received from
the customer. (E.g. My customer uses IE3000 series switches. Is this supported? Customer is using a 3rd party NAD.
Or the customer is currently using IPv6.)

High Availability
Discuss high availability considerations.

• High availability for ISE: each persona and node should be part of the design, to ensure that no single persona/appliance failure
results in total loss of a service. Please confirm the persona/node redundancy design and explain the reason if HA is not planned for
any component.

Migration
If migrating this deployment from traditional network architecture to SDA provide details on the current deployment and how you're
going to address migration of licensing, existing policy, NAD configurations, etc.

802.1X Phasing

Deployment modes (Please refer to DIG in Appendix for Mode details):
o Will Monitor mode be enabled for a period of time on the 802.1X-enabled routers and switches?
o Will Authenticated or Enforcement mode (formerly known as “Low Impact mode”) be deployed?
o Will Closed Mode (formerly known as “High Security mode”) be deployed?

ISE Node details


For customers deploying VMs:

The VM host should be sized comparably with the ISE appliance. See the platform hardware specs below for the CPU specification of the
various appliances; for example, if the performance characteristics required are similar to a 3615 appliance, size the VM to match that
platform. For the platform performance specs, refer to the following link:
https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/data_sheet_c78-726524.html
Note: Hard disks with 10K or higher RPM are required. Average IO read performance for the disk should be higher than 300MB/sec
and IO write performance should be higher than 50MB/sec. vMotion is supported since ISE 1.3. Please make sure to reserve the
RAM and CPU cycles for each ISE node deployed as a VM.

Note: If disk size needs to be resized, the node will need to be re-imaged from the ISO

Note: The resources need to be reserved for each ISE node and cannot be shared among different ISE nodes or other guest VMs on the
host.

Note: Only VMFS formatted file system is supported currently

Example:

Host Name (FQDN) | Persona | IP Address | VM/HW | CPU | RAM | Storage
ise1.example.com | Admin/MnT | 1.1.1.1 | VM | Intel Xeon E5-2609 @ 2.4 GHz x 8 Core | 32GB | 600GB
ise2.example.com | PSN | 2.2.2.2 | VM | Intel Xeon E5-2609 @ 2.4 GHz x 8 Core | 32GB | 300GB

Host Name (FQDN) | Persona | IP Address | VM/HW | CPU | RAM | Storage

Bill of Materials (BOM)
Insert as part of this document, or in a separate attachment, the list of equipment to be ordered for the SDA deployment that matches
the design. If Sales Order already placed, then be sure to include the order details here.

Please include SmartNet/SAU or explain its omission (for example, included as part of another order, support agreement, or deliberate
acknowledgement that support refused).

Note: Please only include the information of the products that are related SDA.

Example BOM:
Line | Product | Qty | List Price | Contract Discount | Unit Price | Extended Price
1 | Cat 9k | 1 | | | |
2 | ISE | 1 | | | |
3 | DNAC | 3 | | | |

Customer BOM details:


Line | Product | Qty | List Price | Contract Discount | Unit Price | Extended Price

Appendix
SDA Partner Resource Center
Please visit the SDA Partner Resource Center for additional SDA resources (Login required).
SDA Ordering Guide
The SDA Ordering Guide located at

https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/software-defined-access/guide-C07-739242.pdf

General Support links for SDA


cisco.com/go/sdaccess
• SD-Access At-A-Glance
• SD-Access Ordering Guide
• SD-Access Solution Data Sheet
• SD-Access Solution White Paper

General Support links for Cisco DNAC


cisco.com/go/dnacenter
• DNA Center At-A-Glance
• DNA ROI Calculator
• DNA Center Data Sheet
• DNA Center 'How To' Video Resources

SDA CVD Documents


cisco.com/go/cvd/campus

Printed in USA C07-676884-01


