Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
415
Views
2
Helpful
3
Replies

LAN Segmentation and SD-Access

mt782c
Level 1
Level 1

‎09-13-2023 09:10 AM

I have a client that would like to migrate to SD-Access. Their currently LAN is mostly older 4K's that are slowly being replaced with 9300's and 9400's. Currently, they don't have consistent LAN segmentation across all sites (some sites are flat, some are segmented). From what I've read, each site needs to be move the 9000 series switches, WLC and APs before I can bring it into DNA-Center and enable Intent-based networking.

Is there any advantage to segmenting the network up into multiple VLANs for Users, IPT, IoT, Security, etc. before transitioning to SD-Access at each site? There will several years before all the sites will be migrated to the new hardware.

Does Macro-segmenting facilitate an easier transition to SD-Access down the road?

Labels:
0 Helpful
3 Replies 3

balaji.bandi
Hall of Fame
Hall of Fame

‎09-13-2023 09:23 AM

You have advantage based on the service segementing to different VN ( may be VRF kind) - If you have ISE that will be very good for 8021.x

 

so you can have secure policy which one need to have access, which one need to deny based on the polices.

check Migration guide :

https://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=web&cd=&ved=0CAIQw7AJahcKEwjQ-vvU_6eBAxUAAAAAHQAAAAAQAg&url=https%3A%2F%2Fcommunity.cisco.com%2Fkxiwq67737%2Fattachments%2Fkxiwq67737%2F5981-discussions-other-network-infra%2F197124%2F1%2FCisco%2...

 

 

https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2020/pdf/DGTL-BRKENS-3822.pdf

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

mt782c
Level 1
Level 1
In response to balaji.bandi

‎09-13-2023 04:37 PM

OK, thank you for the links and after reading more I now see the tie in between VLANs and SGs.

When migrating to SD-Access, does moving the subnets from the VLAN/SG to the Virtual Network cause issues?

Administratively, it seems that it is creating more work than just identifying the user ports and putting them into SG at the time of migration, since there is no VLAN separation today.

0 Helpful

Preston Chilcote
Cisco Employee
Cisco Employee

‎09-13-2023 04:04 PM

The SDA migration will be easier if the network is already operating with some logical segmentation. So, if you don't already have ISE and dot1x in place, that could be a good place to start by assigning certain vlans to certain clients for macro segmentation.  Dot1x might expose which clients (usually old ones) will have to be treated specially so you can figure those things out sooner than later.

Also, I've always felt that from a configuration and troubleshooting perspective, things are easier when you know the config of each access port is exactly the same.  Dot1x helps make that a reality.  SDA goes steps farther to take care of almost all the config for you.

Customers Also Viewed These Support Documents