Cisco SD-Access is an SDN system for automating campus LANs. The central SDN controller of SD-Access is Cisco DNA (Digital Network Architecture) Center.

SD-Access Underlay

There are three different roles for switches in SD-Access:

  • Edge nodes: connect to end hosts.
  • Border nodes: connect to devices outside of the SD-Access domain (e.g., WAN routers).
  • Control nodes: use LISP (Locator/ID Separation Protocol) to perform various control plane functions.

You can use SD-Access on top of an existing network (unceremoniously dubbed a brownfield deployment) if the network hardware and software support it. However, in this case DNA Center won’t configure the underlay, so as not to risk breaking the currently working network.

You can check if a particular Cisco device supports SD-Access mode using the Cisco SD-Access Compatibility Matrix.

Ideally, SD-Access is used in entirely new, purpose-built deployments (greenfield deployments) so that DNA Center can configure an optimal SD-Access underlay. A true greenfield deployment has a few requirements:

  • All switches are Layer 3 and use IS-IS¹ as their dynamic routing protocol.
  • All links between switches are routed ports (meaning that STP is not needed).
  • Edge nodes (access switches) act as the default gateway of end hosts (a routed access layer).

SD-Access Overlay

LISP provides the control plane of SD-Access.

  • A mapping of EIDs (Endpoint IDentifiers) to RLOCs (Routing LOCators) is maintained.
  • EIDs identify end hosts connected to edge nodes; RLOCs identify the edge node through which an end host can be reached.

Cisco TrustSec (CTS) provides policy control (QoS, security policy, etc.).

VXLAN provides the data plane.
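The control plane and data plane described above, as an added simplified model (not Cisco's code, and not the real LISP or VXLAN message formats beyond the 8-byte VXLAN header): a control node holds the EID-to-RLOC database, edge nodes register the hosts they learn with it, resolve unknown destination EIDs on demand, cache the answer in a local map-cache, and encapsulate toward the destination RLOC. The class names, IP addresses and VNI are constructed for illustration.

```python
import struct
from dataclasses import dataclass, field


@dataclass
class ControlNode:
    """Simplified LISP map server/resolver: the authoritative EID-to-RLOC database."""
    db: dict = field(default_factory=dict)  # EID (host IP) -> RLOC (edge node IP)

    def map_register(self, eid: str, rloc: str) -> None:
        """An edge node registers a host it has learned (models a Map-Register)."""
        self.db[eid] = rloc

    def map_request(self, eid: str):
        """Answer a Map-Request; None models a negative Map-Reply (unknown EID)."""
        return self.db.get(eid)


@dataclass
class EdgeNode:
    """Edge node: learns local hosts, resolves remote EIDs, encapsulates in VXLAN."""
    rloc: str
    control: ControlNode
    cache: dict = field(default_factory=dict)  # local map-cache, filled on demand

    def learn_host(self, eid: str) -> None:
        self.control.map_register(eid, self.rloc)

    def resolve(self, dst_eid: str):
        """Return (RLOC or None, where the answer came from)."""
        if dst_eid in self.cache:
            return self.cache[dst_eid], "cache"
        rloc = self.control.map_request(dst_eid)
        if rloc is not None:
            self.cache[dst_eid] = rloc  # next packet to this EID skips the control node
        return rloc, "control-node"

    def forward(self, dst_eid: str, vni: int):
        """Build the VXLAN header for a packet to dst_eid; None if unresolvable."""
        rloc, source = self.resolve(dst_eid)
        if rloc is None:
            return None, source
        # VXLAN header: flags byte 0x08 (I bit), 3 reserved bytes, 24-bit VNI, 1 reserved byte.
        header = struct.pack("!B3xI", 0x08, vni << 8)
        return {"outer_dst": rloc, "vxlan": header}, source


if __name__ == "__main__":
    cn = ControlNode()
    edge_a, edge_b = EdgeNode("10.0.0.1", cn), EdgeNode("10.0.0.2", cn)
    edge_b.learn_host("192.168.2.20")  # constructed sample host behind edge B
    print(edge_a.forward("192.168.2.20", 4100))  # resolved via control node, then cached
```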

Cisco DNA Center

DNA Center can serve one of two primary functions: as the SDN controller in an SD-Access network, or as the network manager in a traditional (non-SD-Access) network.

DNA Center itself is an application installed on Cisco UCS server hardware.

DNA Center has a REST API which can be used to interact with it. Its SBI supports protocols like NETCONF and RESTCONF (and traditional protocols such as SSH, Telnet, and SNMP).

DNA Center supposedly enables “Intent-Based Networking (IBN)”, which is meant to make network configuration easier: the engineer gives DNA Center their intent for the final network’s function, and DNA Center translates that intent into real configurations for the downstream devices. Basically, engineers only need to tell it the broad strokes; DNA Center handles the details and the annoying, tedious work of actually configuring devices.

  • For example, security policies using ACLs are extremely tedious to create and deploy, as a single ACL can have thousands of entries. Manual configuration is also prone to error. Perhaps even more problematic: over time, as engineers leave the company and new ones are hired, the original purpose (the intent) of the entries may be lost.
  • DNA Center allows engineers to plainly state the intent of a policy (this group can’t talk to that group, for example) and the actual details of implementation are handled automatically.

DNA Center Vs. Traditional Management

Don’t tell Cisco I said this, but… you should keep in mind that they have a direct financial incentive to make people think their products are superior to any alternative (a competing product or abstaining from a type of service entirely).

Here, we’re really only looking at how DNA Center is better than traditional methods of management, and none of the benefits of the latter. It’s also worth considering that many of these benefits can be had via an alternative product or multiple products.

I’m not saying you should or shouldn’t use it; only that you should consider all available options before committing to a particular network management scheme.

Traditional Management:

  • Devices are configured one-by-one via SSH or the console line.
  • Devices are manually configured via a console connection before being deployed.
  • Configurations and policies are managed per-device (distributed).
  • New network deployments take a long time due to manual labor.
  • Errors and failures are more likely due to human error.

DNA Center Management:

  • Devices are centrally managed and monitored from the DNA Center GUI or other applications using its REST API.
  • The administrator communicates their intended network behavior to DNA Center, which translates that intent into configurations on the managed devices.
  • Configurations and policies are centrally managed.
  • Software versions are also centrally managed. New versions can be automatically downloaded and pushed to devices.
  • Network deployments are much quicker. New devices can automatically receive their configurations from DNA Center without manual configuration.


  1. IS-IS: Intermediate System to Intermediate System, a link-state dynamic routing protocol. It’s not very commonly used outside of Cisco SD-Access.