The whole is more than the sum of its parts! This applies to networks in particular. Until now, you connected a device to a network by its IP address and had to laboriously integrate each new component by hand. That took manpower and time, a lot of time! Or the new device simply received every right available on the network - regardless of whether the device or its user should have had them at all. Until now, networks have been genuinely complex, both to build and to manage. The solution is actually quite simple: we have to move away from thinking of a network as a collection of individual components and towards the network as a unified system that gets its intelligence from applications. This intelligence, the controller, then recognises what kind of device has connected and what it is allowed to do on the network. Instead of configuring devices one by one, roles for device types only have to be assigned once in a central application - fast, almost self-explanatory and always compliant. The network does the rest itself.
With Cisco Software-Defined Access (SD-Access, or SDA for short), the IT world has finally got exactly that. It gives the network a central intelligence that automatically recognises devices, their users and their access rights, i.e. their identity and not just their IP address. In the past, you could simply plug your laptop into an unprotected network socket in the CEO's office and get the same rights as the CEO - with Cisco SD-Access, that changes.
Cisco DNA Center: Automatic detection, assignment and authentication
Cisco SD-Access is built as a unified system with a central controller, the Cisco DNA Center (DNAC for short) - the brain of the network. The controller can be deployed virtualised, as software or as hardware. Where previously each component in the network made its own decisions, the Cisco controller now decides who is allowed to do what. Honestly: if a company had as many bosses as there are components in a network, the result would be an unholy mess. The Cisco DNA Center, by contrast, gives the devices on the network one coherent answer instead of scattered individual decisions, segments them and isolates users from one another. The result is an easy-to-create micro-segmentation that lets employees and devices do only what they are allowed to do - automatically.
ISE: The intelligence of the Cisco network
The most important component here is the Cisco Identity Services Engine (ISE), which determines roles. If I connect a device to such a controlled network, the network sends a request to ISE to identify the device and to find out what the device is allowed to do after authentication. This way the controller always knows where each device is on the network and finds the best path through it. ISE profiles and authenticates the devices, taking into account IP address, time, manufacturer, login data and more. ISE then assigns the appropriate access rights according to the results.
Assigning properties with pxGrid: information exchange among manufacturers
But how does a Cisco network with Cisco SDA know the vulnerabilities of the many end devices that exist on the market worldwide? New end devices and their new vulnerabilities appear every day, new security threats emerge and everything is in constant flux. For this, ISE has platform-fed "intelligence": it receives daily updates from the Cisco Platform Exchange Grid (pxGrid). In this cloud platform, many manufacturers make their context-related information available anonymously. For example, if a manufacturer's device is attacked through a security hole in a virus scanner, the manufacturer publishes this on pxGrid. Cisco SD-Access receives the information automatically - worldwide, the problem is thus discovered within a few minutes and can be responded to accordingly.
Everything in one dashboard, everything automatic
The Cisco SDA dashboard makes things easier, too. Instead of the seven to eleven dashboards in use on average, the Cisco SDA dashboard with ISE intelligence lets you see in just a few minutes where each device is on the network, what access rights it has and which devices are not compliant. Whereas commissioning a new switch used to take hours, with Cisco SDA all you have to do is connect it to the network and it is provisioned automatically. Cisco calls this Zero Touch Provisioning (ZTP for short) because you no longer have to touch the switch. It only needs power and two or three clicks in DNAC, and it is automatically provisioned, configured and integrated into the system.
Distribute roles easily with just a few clicks, detect problems
This saves an enormous amount of money and time, even with larger rollouts! New roles, for example for iPads in meeting rooms, only have to be created once in the DNA Center, and then all iPads are automatically ready for use. The network loses its complexity because it is tunnelled by role. The role only needs to be created in the DNA Center - this, too, takes just a few clicks. In the dashboard, you can see the end devices with their applications and any problems they may have. You can see all the logged-in users and their connections. Problems and their origins are quickly identified, localised and resolved. The tedious search for the source of a problem via CLI access is no longer necessary. The dashboard also presents the problem in plain, human-readable language. It simply reports: "User has entered the password incorrectly." It could hardly be quicker or more straightforward.
Cisco SD-Access for large or small companies?
I'm often asked whether you couldn't get the same result with Cisco Meraki. I think for small companies it really is the more suitable solution. But the decisive factors are cost and the know-how required. If Cisco is already in use, it is certainly worthwhile to use Cisco SD-Access, because the relevant expertise is then already available.
At Bechtle, we always find the right solution for all customers. Sign up today for a no-obligation exchange with one of our experts. We look forward to meeting you.