DNAC and ISE Integration

Cisco software defined Access (SDA) architecture heavily uses Identity Services Engine (ISE) for device and user authentication, micro segmentation within Virtual networks and DNAC for design, policy building, provisioning and assurance, So let see the steps involved in integrating ISE and DNAC.

ISE must have Base and Plus license in order to enable all the features required for DNAC integration.

I am running ISE on version 2.3 with patch 4, which is current recommended for DNAC.

Enable all the required features and services on ISE

SXP Service – SDA architecture depends on 3 major technologies, VxLAN for L2, LISP for L3 and SGT for micro segmentation, SXP (Scalable group tag Exchange Protocol) enables L3 devices to subscribe to ISE and import SGT mappings.

Passive Identity Service – helps collects user identity information from AD using WMI (Winsows Management Instrumentation)

PxGrid Service – Helps publish information to DNAC, which is available to ISE, in turn DNAC can use these information to build policy on ISE without admin ever login onto ISE for creating policy.

ERS – DNAC can use External RESTful Services SDK for multiple purposes, there is a list of API available in the SDK. you can learn more and obtain full list from your ISE node, https://192.168.200.98:9060/ers/sdk, replace the IP with your ISE admin node. This admin group in required to use the API.

ISE depends on Radius and SNMP probe for profiling purposes, DNAC uses these profile for visibility.

Start Adding ISE on DNAC, this IP should be ISE PAN (primary) IP for distributed deployment.

some details are omitted.

track the progress

Once ISE is active, you will need to approve the DNAC on ISE

At this point DNAC is online and is a subscriber.

Verification

All the default scalable groups are imported on DNAC

I hope you enjoyed reading it as much as I enjoyed writing it.