Introduction  xvii

Chapter 1  Today's Networks and the Drivers for Change  1
    Networks of Today  1
        Common Business and IT Trends  4
        Common Desired Benefits  5
        High-Level Design Considerations  6
    Cisco Digital Network Architecture  10
    Past Solutions to Today's Problems  12
        Spanning-Tree and Layer 2-Based Networks  13
    Introduction to Multidomain  16
    Cloud Trends and Adoption  18
    Summary  20

Chapter 2  Introduction to Cisco Software-Defined Access  21
    Challenges with Today's Networks  22
    Software-Defined Networking  22
    Cisco Software-Defined Access  23
        Cisco Campus Fabric Architecture  24
        Campus Fabric Fundamentals  25
        Cisco SD-Access Roles  27
    Network Access Control  30
        Why Network Access Control?  31
    Introduction to Cisco Identity Services Engine  32
        Overview of Cisco Identity Services Engine  32
        Cisco ISE Features  34
            Secure Access  34
            Device Administration  37
            Guest Access  38
            Profiling  40
            Bring Your Own Device  45
            Compliance  46
            Integrations with pxGrid  48
    Cisco ISE Design Considerations  50
        Cisco ISE Architecture  50
        Cisco ISE Deployment Options  51
            Standalone Deployment  51
            Distributed Deployment  51
            Dedicated Distributed Deployment  52
    Segmentation with Cisco TrustSec  54
        Cisco TrustSec Functions  54
            Classification  55
            Propagation  55
            Enforcement  57
    Summary  58

Chapter 3  Introduction to Cisco DNA Center  59
    Network Planning and Deployment Trends  59
        History of Automation Tools  60
    Cisco DNA Center Overview  62
    Design and Visualization of the Network  64
        Site Design and Layout  64
        Network Settings  69
        Wireless Deployments  70
    Network Discovery and Inventory  72
        Discovery Tool  72
        Inventory  74
    Device Configuration and Provisioning  77
    Summary  79

Chapter 4  Cisco Software-Defined Access Fundamentals  81
    Network Topologies  81
    Cisco Software-Defined Access Underlay  82
        Manual Underlay  83
        Automated Underlay: LAN Automation  84
    Wireless LAN Controllers and Access Points in Cisco Software-Defined Access  89
    Shared Services  90
    Transit Networks  91
        IP-Based Transit  91
        SD-Access Transit  92
    Fabric Creation  92
        Fabric Location  93
        Fabric VNs  94
    Fabric Device Roles  94
        Control Plane  95
        Fabric Borders  96
            Border Automation  98
            Border and Control Plane Collocation  99
        Fabric Edge Nodes  100
        Intermediate Nodes  103
    External Connectivity  104
        Fusion Router  104
    Host Onboarding  105
        Authentication Templates  105
        VN to IP Pool Mapping  106
        SSID to IP Pool Mapping  108
        Switchport Override  109
    Summary  110
    References in This Chapter  110

Chapter 5  Cisco Identity Services Engine with Cisco DNA Center  111
    Policy Management in Cisco DNA Center with Cisco ISE  112
    Integration of Cisco DNA Center and ISE  113
        Certificates in Cisco DNA Center  113
        Certificates on Cisco Identity Services Engine  115
        Cisco ISE and Cisco DNA Center Integration Process  116
    Group-Based Access Control  122
    Segmentation with Third-Party RADIUS Server  126
    Secure Host Onboarding in Enterprise Networks  128
        Endpoint Host Modes in 802.1X  128
            Single-Host Mode  128
            Multi-Host Mode  128
            Multi-Domain Mode  129
            Multi-Auth Mode  129
        802.1X Phased Deployment  130
            Why a Phased Approach?  131
            Phase I: Monitor Mode (Visibility Mode)  132
            Phase II: Low-Impact Mode  133
            Phase III: Closed Mode  134
    Host Onboarding with Cisco DNA Center  136
        No Authentication Template  137
        Open Authentication Template  138
        Closed Authentication  140
        Easy Connect  141
    Security in Cisco Software-Defined Access Network  144
        Macro-Segmentation in Cisco SD-Access  144
        Micro-Segmentation in Cisco SD-Access  145
        Policy Set Overview in Cisco ISE  146
        Segmentation Policy Construction in Cisco SD-Access  148
            Corporate Network Access Use Case  149
            Guest Access Use Case  159
        Segmentation Outside the Fabric  164
    Summary  164
    References in This Chapter  165

Chapter 6  Cisco Software-Defined Access Operation and Troubleshooting  167
    Cisco SD-Access Under the Covers  167
        Fabric Encapsulation  167
            LISP  168
            VXLAN  171
            MTU Considerations  172
    Host Operation and Packet Flow in Cisco SD-Access  172
        DHCP in Cisco SD-Access  172
        Wired Host Onboarding and Registration  175
        Wired Host Operation  176
            Intra-Subnet Traffic in the Fabric  176
            Inter-Subnet Traffic in the Fabric  179
            Traffic to Destinations Outside of the Fabric  180
        Wireless Host Operation  180
            Initial Onboarding and Registration  180
    Cisco SD-Access Troubleshooting  181
        Fabric Edge  182
        Fabric Control Plane  186
        Authentication/Policy Troubleshooting  188
            Authentication  188
            Policy  190
            Scalable Group Tags  191
    Summary  193
    References in This Chapter  193

Chapter 7  Advanced Cisco Software-Defined Access Topics  195
    Cisco Software-Defined Access Extension to IoT  196
        Types of Extended Nodes  198
            Extended Nodes  198
            Policy Extended Nodes  198
        Configuration of Extended Nodes  200
            Onboarding the Extended Node  203
        Packet Walk of Extended Cisco SD-Access Use Cases  205
            Use Case: Hosts in Fabric Communicating with Hosts Connected Outside the Fabric  205
            Use Case: Traffic from a Client Connected to a Policy Extended Node  206
            Use Case: Traffic to a Client Connected to a Policy Extended Node  207
            Use Case: Traffic Flow Within a Policy Extended Node  207
    Multicast in Cisco SD-Access  208
        Multicast Overview  209
            IP Multicast Delivery Modes  210
        Multicast Flows in Cisco SD-Access  210
            Scenario 1: Multicast in PIM ASM with Head-End Replication (Fabric RP)  211
            Scenario 2: Multicast in PIM SSM with Head-End Replication  213
            Scenario 3: Cisco SD-Access Fabric Native Multicast  214
        Cisco SD-Access Multicast Configuration in Cisco DNA Center  216
    Layer 2 Flooding in Cisco SD-Access  218
        Layer 2 Flooding Operation  219
    Layer 2 Border in Cisco SD-Access  221
    Layer 2 Intersite  224
        Layer 2 Intersite Design and Traffic Flow  224
    Fabric in a Box in Cisco SD-Access  227
    Cisco SD-Access for Distributed Campus Deployments  228
        Types of Transit  229
            IP Transit  229
            Fabric Multisite or Multidomain with IP Transit  230
            Cisco SD-Access Transit  232
            Cisco SD-WAN Transit  237
        Policy Deployment Models in Cisco.