Cisco SD-Access is a solution within Cisco DNA, which is built on intent-based networking principles. Cisco SD-Access provides visibility-based, automated end-to-end segmentation to separate user, device, and application traffic without redesigning the underlying physical network1. Cisco SD-Access also enables programmable overlays that allow network virtualization across the campus,branch, data center, and cloud2. Cisco SD-Access has two main components: the fabric and the policy3.
The fabric is the network overlay that consists of interconnected nodes that provide a consistent and scalable way of delivering network services and functions. The fabric nodes are classified into four types: edge nodes, border nodes, control plane nodes, and intermediate nodes. The edge nodes are the access switches or wireless controllers that connect to the end devices. The border nodes are the routers or switches that connect the fabric to external networks, such as the Internet, WAN, or data center. The control plane nodes are the routers or switches that maintain the mapping between the endpoint identifiers and the network locators. The intermediate nodes are the routers or switches that provide transit services within the fabric3.
The policy is the network configuration that defines the network behavior and outcomes, based on the business intent and requirements. The policy is composed of three elements: the endpoint groups, the contracts, and the virtual networks. The endpoint groups are the logical containers that group the endpoints based on their attributes, such as user identity, device type, or application. The contracts are the rules that specify the allowed interactions between the endpoint groups, such as the protocols, ports, and quality of service. The virtual networks are the logical partitions that isolate the endpoint groups and contracts from each other, based on the network scope and security3.
Cisco SD-Access addresses the following challenges and benefits:
* It simplifies the network design and management, as it reduces the complexity and variability of the network elements and interfaces.
* It enhances the network security and compliance, as it enforces granular and dynamic policies based on the endpoint identity and context, rather than the network topology and IP addresses.
* It improves the network performance and user experience, as it optimizes the network path, load balancing, and traffic engineering based on the network conditions and application requirements.
* It enables the network agility and scalability, as it supports the rapid deployment and integration of new devices, applications, and services, without affecting the existing network operations.
References:
* Cisco Software-Defined Access - Cisco Software-Defined Access Solution Overview
* What Is Software-Defined Access? - SD-Access - Cisco
* Cisco SD-Access Architecture Overview

Cisco ISE use cases can be classified into four categories: device management, asset visibility, software-defined segmentation, and software-defined access. Each of these use cases has a different level of implementation complexity, depending on the network size, topology, security requirements, and integration with other technologies. Among these use cases, software-defined segmentation and software-defined access typically involve the highest level of implementation complexity, because they require:
* A thorough understanding of the network architecture and design principles, such as hierarchical, modular, and scalable design.
* A comprehensive assessment of the network devices, endpoints, users, applications, and policies, and their interdependencies and interactions.
* A careful planning and testing of the network segmentation and access policies, using tools such as Cisco TrustSec, Cisco DNA Center, Cisco SD-Access, and Cisco ISE .
* A smooth and secure migration from the existing network to the software-defined network, with minimal disruption and downtime.
* A continuous monitoring and optimization of the network performance, security, and compliance, using tools such as Cisco Stealthwatch, Cisco Tetration, and Cisco ISE .
References:
Cisco Identity Services Engine (ISE) Use Cases,
https://www.cisco.com/c/en/us/products/security/identity-services-engine/use-cases.html : Cisco Enterprise Network Architecture and Design,
https://www.cisco.com/c/en/us/solutions/design-zone/networking-design-guides/enterprise-networking-design.ht: Cisco ISE Network Discovery,
https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide: Cisco TrustSec, https://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/index.html : Cisco DNA Center, https://www.cisco.com/c/en/us/products/cloud-systems-management/dna-center/index.html :
Cisco SD-Access,
https://www.cisco.com/c/en/us/solutions/enterprise-networks/software-defined-access/index.html : Cisco ISE Software-Defined Access,
https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide: Cisco SD-Access Migration Guide,
https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/sda-migration-guide.html : Cisco Stealthwatch, https://www.cisco.com/c/en/us/products/security/stealthwatch/index.html : Cisco Tetration,
https://www.cisco.com/c/en/us/products/data-center-analytics/tetration/index.html : Cisco ISE Monitoring and Troubleshooting,
https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide

Cisco ISE is a security policy management platform that provides secure access to network resources. Cisco ISE functions as a policy decision point and enables enterprises to ensure compliance, enhance infrastructure security, and streamline service operations1. Two of the primary functions of Cisco ISE are:
* Enforcing endpoint compliance with network security policies: Cisco ISE can assess the posture of all endpoints that access the network, including 802.1X environments, and enforce the appropriate policies based on the device type, identity, location, and other attributes. Cisco ISE can also provide comprehensive client provisioning measures to ensure that the endpoints are compliant with the network security policies before granting them access. Cisco ISE can also quarantine or remediate non-compliant endpoints to prevent potential threats or vulnerabilities12.
* Providing information about every device that touches the network: Cisco ISE can gather real-time contextual information from networks, users, and devices, and use that information to make governance decisions and apply policies. Cisco ISE can also discover, profile, and monitor the endpoint devices on the network, and classify them according to their associated policies and identity groups. Cisco ISE can also leverage the pxGrid framework to share the contextual information with other security tools and platforms, and enhance the network visibility and security13.
The other options are not primary functions of Cisco ISE, because:
* Allocating resources: Cisco ISE does not allocate resources to the endpoints or the network devices. Cisco ISE can assign services or access levels based on the policies, but not resources such as bandwidth, memory, or CPU1.
* Enabling WAN deployment over any type of connection: Cisco ISE does not enable WAN deployment over any type of connection. Cisco ISE can support VPN access for remote endpoints, but not WAN deployment for the network infrastructure1.
* Automatically enabling, disabling, or reducing allocated power to certain devices: Cisco ISE does
* not automatically enable, disable, or reduce allocated power to certain devices. Cisco ISE can control the access and authorization of the devices, but not their power consumption or management1.
* Providing VPN access for any type of device: Cisco ISE does not provide VPN access for any type of device. Cisco ISE can authenticate and authorize the VPN access for the endpoints, but not provide the VPN service or connection itself. Cisco ISE relies on other network devices, such as VPN gateways or routers, to provide the VPN access1.
References:
1: Cisco Content Hub - Cisco ISE Features 2: Cisco ISE Posture Service Overview 3: [Cisco ISE Profiler Service Overview]

= Border nodes are the component of the SD-Access fabric that is responsible for communicating with networks that are external to the fabric. Border nodes serve as the gateway between the fabric domain and the network outside of the fabric. Border nodes are responsible for network virtualization inter-working and SGT propagation from the fabric to the rest of the network1. Border nodes also perform LISP Proxy Tunnel Router (PxTR) functions, which convert policy and reachability information, such as SGT and VRF information, from one domain to another2. Border nodes can connect to internal networks, such as data center or WAN, or external networks, such as internet or cloud3.
Edge nodes, control plane nodes, and intermediate nodes are not responsible for communicating with networks that are external to the fabric. Edge nodes are the access-layer switches where all of the endpoints reside. Edge nodes detect clients and register them with the control plane nodes. Edge nodes also providean anycast L3 gateway for the connected endpoints and perform encapsulation and de-encapsulation of data traffic4. Control plane nodes are the devices that run a host tracking database to map location information. Control plane nodes receive endpoint ID map registrations from edge and/or border nodes and resolve lookup requests from edge and/or border nodes to locate destination endpoint IDs5. Intermediate nodes are the devices that provide underlay connectivity between edge nodes and border nodes. Intermediate nodes do not participate in the fabric overlay and do not have any fabric roles6.
References :=
* Role of Fabric Border Node & IS-IS protocol in Cisco SD-Access
* Software Defined Access Network Fabric Roles - Study CCNP
* Cisco SD-Access
* SD-Access Fabric Troubleshooting Guide - Cisco
* Cisco SD-Access Solution Design Guide (CVD) - Cisco
* Cisco SD-Access Solution Design Guide (CVD) - Cisco
* Cisco SD-Access Solution Design Guide (CVD) - Cisco