Anthony Evans

SD-Access: a new era of networking... Part 1

This is a simple series of posts that tries to explain how Cisco SD-Access works and what it means for the future of networking.


So what is it?


In short, Software Defined Access (SDA) doesn't use any brand-new technologies; all of them have been around for a while:


- LISP

- VXLAN

- IS-IS

- BGP

- ISE


The key is that Cisco DNA Center provides a single pane of glass from which to orchestrate intent-based policy, automation, and assurance for the wired and wireless "Campus Fabric".


To start to understand what this is, we should first look at the layered architecture that makes up SDA:


• Physical layer: Contains the hardware elements, such as routers, switches and wireless platforms, interfaces and links, and clusters or virtual switches, as well as server appliances.

• Network layer: Contains the control plane, data plane, and policy plane elements that make up the network underlay and fabric overlay.

• Controller layer: Contains the software system management and orchestration elements and associated subsystems, such as automation, identity, and analytics.

• Management layer: Contains the elements that users interact with, in particular the Graphical User Interface (GUI), as well as APIs and Command-Line Interfaces (CLIs) where applicable.

• Partner ecosystem: Contains all of the Cisco and third-party partner systems that are capable of augmenting and/or leveraging services within SD-Access.




Physical Layer


As in traditional networks, the physical layer (Layer 1) contains the hardware that DNA Center and the fabric run on. For a compatibility matrix of which hardware and software releases are supported, see https://www.cisco.com/c/en/us/solutions/enterprise-networks/software-defined-access/compatibility-matrix.html


Network Layer


This can be broken down into two sections: the "underlay" and the "overlay".


The underlay can be considered to be the physical devices, with their routing protocols, routing tables and so on. We will cover this in later posts, but the preferred routing protocol for the underlay is IS-IS.


The overlay ("fabric") can be considered to be a logical tunneled network that sits on top of the underlay. Policy and services are forwarded on this fabric.


The important part of this layer (from an architecture perspective) is that the two sub-layers form the "access" and "fabric" aspects of the overall SD-Access solution (in a traditional networking sense). These two sub-layers work together to deliver data packets to and from the network devices participating in SD-Access.
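To make the underlay/overlay split concrete, here is an added example (not code from the original post or from Cisco) that builds and parses the VXLAN encapsulation the fabric overlay uses: the inner Ethernet frame is the overlay traffic, and the UDP/VXLAN wrapper is the payload the underlay IP network carries. The VNI values, virtual network names and the inner frame are constructed for illustration; the header layout follows RFC 7348. Note that the 24-bit VNI is the only thing separating one virtual network from another in the data plane and VXLAN itself carries no authentication, so the underlay must be protected and a decapsulating node should drop traffic for VNIs it does not know.

```python
"""Added example: how an overlay frame rides the underlay in a VXLAN fabric."""
import struct

VXLAN_UDP_PORT = 4789            # IANA-assigned destination port for VXLAN
VXLAN_FLAG_VNI_VALID = 0x08      # "I" flag: the VNI field carries a valid value

# Constructed mapping of fabric virtual networks to VNIs (illustrative values, not from the post)
VIRTUAL_NETWORKS = {
    5001: "CORP_VN",
    5002: "GUEST_VN",
}


def build_vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header (RFC 7348): flags, 3 reserved bytes, 24-bit VNI, 1 reserved byte."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"


def encapsulate(inner_frame: bytes, vni: int, src_port: int) -> bytes:
    """Wrap an inner Ethernet frame in UDP + VXLAN; this is what the underlay IP network carries."""
    vxlan = build_vxlan_header(vni)
    length = 8 + len(vxlan) + len(inner_frame)
    # UDP header: src port, dst port, length, checksum (0 = none; permitted for VXLAN over IPv4)
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, length, 0)
    return udp + vxlan + inner_frame


def decapsulate(udp_payload: bytes):
    """Reverse of encapsulate: validate both headers and return (vni, inner_frame)."""
    if len(udp_payload) < 16:
        raise ValueError("datagram too short for UDP + VXLAN headers")
    _, dst_port, length, _ = struct.unpack("!HHHH", udp_payload[:8])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError(f"not VXLAN: dst port {dst_port}")
    if length != len(udp_payload):
        raise ValueError("UDP length field does not match datagram size")
    flags = udp_payload[8]
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag clear; VNI is not valid")
    vni = int.from_bytes(udp_payload[12:15], "big")
    return vni, udp_payload[16:]


def classify(udp_payload: bytes):
    """Map a received datagram to its fabric virtual network; unknown VNIs are dropped (None)."""
    vni, inner = decapsulate(udp_payload)
    name = VIRTUAL_NETWORKS.get(vni)
    if name is None:
        return None
    return name, inner


if __name__ == "__main__":
    # Constructed inner frame: dst MAC, src MAC, EtherType 0x0800, dummy payload
    frame = bytes.fromhex("00112233445566778899aabb0800") + b"hello-overlay"
    wire = encapsulate(frame, 5001, src_port=49152)
    print(classify(wire))
```

Running the module encapsulates a constructed frame into VNI 5001 and classifies it back to CORP_VN; a datagram carrying a VNI that is not in the mapping is dropped rather than forwarded into an arbitrary segment.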


Controller Layer


Managing the network layer is the controller layer, which can be broken down into three sub-layers:


• Base and fabric automation: Contains the application settings, protocols, and tables to support the automation of network devices (underlay and overlay) and related services (Cisco Network Controller Platform [NCP]).

• Assurance and analytics: Contains the application settings, protocols, and tables to support the collection and analysis of user, network, and application states (Cisco Network Data Platform [NDP]).

• Identity and policy services: Contains the application settings, protocols, and tables to support endpoint identification and policy enforcement services (Cisco Identity Services Engine [ISE]).


The important part of this layer (from an architecture perspective) is that these three subsystems form the “software defined” aspect of the overall SD-Access solution. Each subsystem is responsible for managing a part of the solution, and for exchanging contextual information with the others. These three subsystems work together to deliver a fully automated intent-driven, closed-loop management system for devices participating in Cisco SD-Access.


Management Layer


This layer is used to interact with the controller layer, through the GUI and the APIs and CLIs mentioned above.


The important part of this layer (from an architecture perspective) is that these interfaces (the GUI, and the APIs and CLIs) are how the user interacts with the SD-Access solution, how Cisco DNA Center interacts with partner systems, and how it provides the "intent-based" aspect of Cisco DNA. This is a flexible and customizable user interface and user experience (UI/UX) system that will allow the solution to evolve in the future.


Partner Layer


This layer is used to interact with third parties through APIs. The list of supported vendors is ever increasing; a few examples are:


Firewalls: Share identity and policy content for group-based firewall rules

DNS, DHCP and IPAM: Share IP and name allocation of address pools.

-- Domain Name Services (DNS)

-- Dynamic Host Configuration Protocol (DHCP)

-- IP Address Management (IPAM)

Virtual Network Functions (VNFs): Share identity, policy and forwarding context for container-based applications


In this post I have detailed what makes up the SD-Access architecture; in the next post I will go through the roles of the devices.

