Policy Benefits & Architecture

SD-Access automation and Assurance implement a policy-driven model for network operation that shortens the time to resolve network issues and improves overall network performance.

The benefits are described below.

Decouple policy from infrastructure:

Decoupling policy from the network infrastructure topology enforces policy more effectively, which in turn makes network operation more efficient. This decoupling enables new business services, enables seamless network mobility, and reduces the overall effort spent on configuration and on day-to-day troubleshooting and administration.

Simplified policy definition:

SD-Access provides simple management of all access control policies on the basis of business requirements, which reduces the effort required to demonstrate compliance and simplifies the audit process.

Policy automation:

SD-Access assigns endpoints to groups based on their identity and dynamically applies the policy required for their communication. This reduces operational overhead and ensures that endpoints are placed in the correct network segments.

Policy-based enterprise orchestration:

The SD-Access policy model provides a platform that helps customers develop a large number of applications and use cases, such as segmentation, security, compliance, real-time security threat response, and so on.

DNA Center in SD-Access provides a large number of APIs, through which policy-based orchestration is achieved, and SD-Access can leverage the closed-loop model concept.

Policy Enforcement in SD-Access

SD-Access uses two segmentation constructs for policy definition in any enterprise.

  • VN – for macro segmentation
  • SGT – endpoint grouping for micro segmentation

In SD-Access, policies are defined based on the grouping of users, devices, things and applications and the relations between those groups; access control rules are then further defined within those relations using L3 and L4 classifiers.

The figure below shows the grouping of devices based on identity and policy enforcement in SD-Access.

DNA Center is used to centrally define the wired and wireless policies for the SD-Access fabric. The policies defined at DNA Center are enforced at fabric edge and border nodes based on user/device identity.

Endpoint grouping at access:

Cisco ISE is used for identification of endpoints that connect to the network via a variety of methods such as 802.1X, MAC address, profiling, AD and captive portals.
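The two-tier model described above (VN boundaries as macro segmentation, SGT-to-SGT contracts with L3/L4 classifiers as micro segmentation, enforced on endpoints that ISE has already placed into a group) can be made concrete with a small simulator. The code below is an added example, not Cisco's code and not DNA Center's or ISE's actual data model; the endpoint names, VN and SGT names, contracts and the (action, reason) return shape are all constructed for illustration. It assumes that cross-VN traffic is dropped before any group policy is consulted, that within a VN the first matching rule of the (source SGT, destination SGT) contract wins, and that a group pair without a contract falls back to a default deny.

```python
"""
Added example (not Cisco's code, not DNA Center's data model): a minimal
simulation of SD-Access's two-tier segmentation.

Assumptions made here:
  - Each endpoint has already been classified (as ISE would do it) into
    one VN (macro segment) and one SGT (micro segment).
  - Different VNs are isolated: traffic across a VN boundary is dropped
    before any group policy is consulted.
  - Inside a VN, a contract keyed by (source SGT, destination SGT) holds an
    ordered list of rules with L3/L4 classifiers; the first matching rule
    wins, and a pair without a contract falls back to a default deny.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    name: str
    vn: str    # virtual network, e.g. "Campus" (macro segmentation)
    sgt: str   # scalable group tag, e.g. "Employees" (micro segmentation)


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    protocol: Optional[str] = None   # "tcp", "udp", or None for any L4 protocol
    dst_port: Optional[int] = None   # destination port, or None for any port

    def matches(self, protocol: str, dst_port: int) -> bool:
        """L4 classifier check; a None field is a wildcard."""
        if self.protocol is not None and self.protocol != protocol:
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        return True


@dataclass
class PolicyMatrix:
    """Group-to-group policy as a fabric edge/border node would apply it."""
    contracts: Dict[Tuple[str, str], List[Rule]] = field(default_factory=dict)
    default_action: str = "deny"

    def add_contract(self, src_sgt: str, dst_sgt: str, rules: List[Rule]) -> None:
        self.contracts[(src_sgt, dst_sgt)] = list(rules)

    def evaluate(self, src: Endpoint, dst: Endpoint,
                 protocol: str, dst_port: int) -> Tuple[str, str]:
        """Return (action, reason) for a flow from src to dst."""
        # Macro segmentation: the VN boundary is enforced first.
        if src.vn != dst.vn:
            return ("deny", "vn-boundary")
        rules = self.contracts.get((src.sgt, dst.sgt))
        if rules is None:
            return (self.default_action, "no-contract")
        for rule in rules:
            if rule.matches(protocol, dst_port):
                return (rule.action, "contract")
        return (self.default_action, "contract-default")


def build_sample_matrix() -> PolicyMatrix:
    """Constructed policy for the demo; not taken from any real deployment."""
    m = PolicyMatrix()
    # Employees may reach HR servers over HTTPS only; everything else is denied.
    m.add_contract("Employees", "HR_Servers",
                   [Rule("permit", "tcp", 443), Rule("deny")])
    # Cameras may stream to the video servers on tcp/554 (RTSP) and nothing else.
    m.add_contract("Cameras", "Video_Servers", [Rule("permit", "tcp", 554)])
    return m


# Constructed endpoints; in a fabric the VN/SGT values would come from ISE.
LAPTOP = Endpoint("alice-laptop", "Campus", "Employees")
HR_SERVER = Endpoint("hr-app-01", "Campus", "HR_Servers")
CAMERA = Endpoint("lobby-cam-03", "IoT", "Cameras")
OTHER_CAMERA = Endpoint("lobby-cam-04", "IoT", "Cameras")
NVR = Endpoint("nvr-01", "IoT", "Video_Servers")


def audit(matrix: PolicyMatrix, flows):
    """Evaluate (src, dst, protocol, port) flows, e.g. for a compliance report."""
    return [(s.name, d.name, proto, port, *matrix.evaluate(s, d, proto, port))
            for s, d, proto, port in flows]


if __name__ == "__main__":
    matrix = build_sample_matrix()
    flows = [
        (LAPTOP, HR_SERVER, "tcp", 443),    # permit: contract rule
        (LAPTOP, HR_SERVER, "tcp", 22),     # deny: explicit catch-all in contract
        (LAPTOP, CAMERA, "tcp", 80),        # deny: different VN
        (CAMERA, NVR, "tcp", 554),          # permit: contract rule
        (CAMERA, OTHER_CAMERA, "tcp", 80),  # deny: no contract between cameras
    ]
    for row in audit(matrix, flows):
        print(row)
```

The reason field is what makes this useful for the compliance and troubleshooting cases mentioned earlier: a denied flow is reported as a VN-boundary drop, a missing contract, or an explicit rule, so an operator can tell macro-segmentation isolation apart from a micro-segmentation policy gap without reading the whole matrix.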
