
SDA LM 2 – Network Design


Network Design

An area represents a geographical location such as a country, city or campus (regardless of the size of the area). The next level is a building, which represents a physical structure; there cannot be a building inside a building.

Cisco recommends the hierarchy Continent > Country > City > Campus > Buildings.

This keeps you on the safe side and covers future locations and changes with flexibility built in, because it can be difficult to adjust the hierarchy later on once everything is configured.

For example, today you are domestic, but tomorrow you might go international and open new offices in a new country or continent.

We will create 3 sites under EU > GB > London:

  • Finsbury Circus Garden, 14 Finsbury Circus, London EC2M 7EB
  • 2, 7 King Edward St, London EC1A 1HQ
  • Cardinal Place, 84 Victoria St, London SW1E 5JL

We should add these as HQ, BR2 and BR3.

We can add floors. Floors are mostly used for placing wireless access points, but for SDA we can add a ground floor; if the customer has Prime, APs can be imported onto the floor plans directly from Prime.

For the RF model on the floor, just stick with the default of “Cubes And Walled Offices”.

See that when I changed the width, DNAC maintained the aspect ratio from the image I uploaded.

The Network section contains common settings, similar to what a DHCP scope carries but more: AAA server, DHCP server, DNS server, Image Distribution (used to download the Catalyst IOS XE image), NTP server, Time Zone and Message of the Day. Looking at it, this feels like configuration for the switches, because this is what will be pushed to the devices as they get provisioned into DNAC.

In the DHCP servers section we will also specify the ISE IP address, because this is one of the ways ISE performs profiling, based on the DHCP requests coming from devices.

Create DHCP scopes as shown below.

AAA “Network” is for network device administration and AAA “Client/Endpoint” is for 802.1X; we will only configure 802.1X for now.

When we click on a lower level of the hierarchy for the first time, we see this symbol, which in the GUI means that the configuration is being inherited; inherited settings can be overwritten at lower levels.

Device credentials is where we feed DNAC with the device login details for SSH, SNMPv3 and HTTPS (usually not used).

For the DNAC credentials, try not to use admin as it can cause conflicts; instead use dnacadmin.

IP address pool is where you define all the subnets needed to deploy across SDA; make sure to reserve the supernet at the global level.

Make sure we carefully plan and deploy subnets, because once a subnet becomes part of SDA it can be hard to remove.

You can only create IP pools at the global level; the Add button is only available at the global level, and at lower levels of the hierarchy you simply reserve IP pools for use.

The IP address pool type for SDA will be Generic.

When defining IP address pools at the global level, we don't need to define the gateway IP address, DHCP server or DNS server.
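Because a subnet is hard to pull out of SDA once it is in use, it pays to check the pool plan before touching DNAC. The script below is an added example (not from the original post, not a DNAC API): it takes one global supernet plus the per-site reservations and flags a reservation that falls outside the supernet, two reservations that overlap, or a CIDR with host bits set. The supernet 172.17.0.0/16, the site names and the gateway-is-first-host convention are assumptions for illustration.

```python
"""Sanity-check an SDA IP pool plan with the standard library only.

Added example. Rule 1 from the post: the supernet is defined at the Global
level. Rule 2: sites only reserve slices of it. The checks below enforce
both and also catch the mistakes that hurt later: a reservation outside the
supernet, two reservations that overlap, or a malformed CIDR.
"""
import ipaddress
from itertools import combinations

# Constructed sample plan; supernet and site names are assumptions.
GLOBAL_POOL = "172.17.0.0/16"

SITE_RESERVATIONS = {
    "HQ-Underlay": "172.17.0.0/25",
    "HQ-Data": "172.17.10.0/24",
    "BR2-Data": "172.17.20.0/24",
    "BR3-Data": "172.17.30.0/24",
}


def check_plan(global_pool: str, reservations: dict) -> list:
    """Return human-readable problems; an empty list means the plan is consistent."""
    supernet = ipaddress.ip_network(global_pool, strict=True)
    problems, nets = [], {}
    for name, cidr in reservations.items():
        try:
            # strict=True rejects "172.17.0.1/24" style entries (host bits set).
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {cidr} is not a valid network ({exc})")
            continue
        if not net.subnet_of(supernet):
            problems.append(f"{name}: {cidr} is outside the global pool {global_pool}")
        nets[name] = net
    # Every pair of reservations must be disjoint, whatever their prefix lengths.
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} ({na}) overlaps {b} ({nb})")
    return problems


def site_pool_details(cidr: str) -> dict:
    """Derive the fields a site-level reservation needs; gateway = first usable
    host is a convention assumed here, not something DNAC enforces."""
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "prefix_len": net.prefixlen,
        "gateway": str(hosts[0]),
        "first_client": str(hosts[1]),
        "last_client": str(hosts[-1]),
        "usable_hosts": len(hosts),
    }


if __name__ == "__main__":
    issues = check_plan(GLOBAL_POOL, SITE_RESERVATIONS)
    print("plan OK" if not issues else "\n".join(issues))
    for site, cidr in SITE_RESERVATIONS.items():
        print(site, site_pool_details(cidr))
```

Run it against the real plan before creating anything at the Global level; the overlap check is the one that matters most, since DNAC will happily let two sites reserve slices that collide if they were typed by hand.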

The Telemetry section is where DNAC configures devices to use SNMP, NetFlow and Syslog to send telemetry information to DNAC.

While configuring the Telemetry section, there are options to configure DNAC as the SNMP trap server, Syslog server and NetFlow collector, but under each of these options DNAC also allows you to configure other syslog and SNMP trap servers if desired, such as SolarWinds.

Prepare each switch before discovery with the following:

  • Enable DNA Advantage license
  • Enable IP routing
  • Enable jumbo frames
  • Enable OSPF on a single VLAN between switches (as configured below)
  • Enable CLI credentials from DNAC
  • Enable SNMP strings from DNAC
  • Enable SSH
  • Enable local authentication
  • Enable netconf-yang
  • Enable privilege level 15 on vty lines

conf t 
license boot level network-advantage addon dna-advantage
end
write memory
reload

conf t 
!
snmp-server community ciscoro RO
snmp-server community ciscorw RW
!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
ip routing
!
license boot level network-advantage addon dna-advantage
!
system mtu 8978
!
enable secret 9 $9$WsbGbEnlY7ZnOE$8Y5qUmOgCatKFC2M/Kpmov7Dbd08QBhQlA8nlOXjnfA
!
username cisco privilege 15 secret 9 $9$K2c68lctCCR3v.$SgFneM9tcIGiIKFFsAsZDcBT/DX0ty2rJ01pQSVW5LU
username dnacadmin privilege 15 secret 9 $9$ss2NT8jXdGqUGU$QVfZV.IgKGnzd8GNy5oCLpfZvamjwuusTVNBK61XPMQ
!
interface GigabitEthernet1/0/x
description SDA-HQ-FXX-01
switchport access vlan 12
!
interface GigabitEthernet1/0/x
description SDA-HQ-FXX-01
switchport access vlan 12
!
interface Vlan1
no ip address
!
interface Vlan12
ip address 172.17.0.x 255.255.255.128
ip ospf mtu-ignore
!
router ospf 100
router-id 172.17.0.x
network 172.17.0.0 0.0.0.127 area 0
!
snmp-server community ciscoro RO
snmp-server community ciscorw RW
!
alias router show do show
alias interface show do show
alias configure show do show
!
line vty 0 98
privilege level 15
transport input ssh
!
netconf-yang
end
write mem
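The template above is applied by hand, so a switch can easily reach discovery with one item missed (a vty block still accepting telnet, netconf-yang forgotten after a reload). The script below is an added example, not code from the original post: it audits the text of `show run` against the checklist above and reports what is missing. The two embedded configs are constructed for illustration, with the secrets and SNMP strings replaced by placeholders, and the checks handle both the flat template layout (no indentation) and the indented `show run` layout.

```python
"""Audit an IOS / IOS XE running-config against the SDA pre-discovery checklist.

Added example (not from the original post). Each key in audit() is one item
of the checklist: DNA Advantage license, ip routing, jumbo MTU, OSPF, a
privilege-15 CLI user, SNMP strings, local authentication, netconf-yang,
and vty lines that are SSH-only at privilege 15.
"""
import re

# Constructed: an unprepared switch (no AAA, telnet-capable vty, no NETCONF).
UNPREPARED = """\
hostname HQ-SW
username cisco privilege 15 secret 5 <hash-omitted>
no aaa new-model
!
line vty 0 4
 login
!
end
"""

# Constructed: the same box after the preparation template was applied.
PREPARED = """\
hostname SDA-HQ-FBS-01
aaa new-model
aaa authentication login default local
aaa authorization exec default local
ip routing
license boot level network-advantage addon dna-advantage
system mtu 8978
username dnacadmin privilege 15 secret 9 <hash-omitted>
!
router ospf 100
 router-id 172.17.0.4
 network 172.17.0.0 0.0.0.127 area 0
!
snmp-server community <ro-string-omitted> RO
!
line vty 0 4
 privilege level 15
 transport input ssh
line vty 5 98
 privilege level 15
 transport input ssh
!
netconf-yang
end
"""


def _lines(config):
    """Strip indentation so a template pasted flat parses like 'show run' output."""
    return [ln.strip() for ln in config.splitlines()]


def _has(lines, prefix):
    return any(ln.startswith(prefix) for ln in lines)


def vty_sections(lines):
    """(header, subcommands) per 'line vty' block; ends at '!', 'end' or the next 'line'."""
    sections, current = [], None
    for ln in lines:
        if ln.startswith("line vty"):
            current = (ln, [])
            sections.append(current)
        elif ln.startswith("line ") or ln in ("!", "end"):
            current = None
        elif current is not None and ln:
            current[1].append(ln)
    return sections


def audit(config):
    """Map each checklist item to True (satisfied) or False (missing)."""
    lines = _lines(config)
    vtys = vty_sections(lines)
    mtus = [int(m.group(1)) for m in map(re.compile(r"system mtu (\d+)").fullmatch, lines) if m]
    return {
        "dna_advantage_license": _has(lines, "license boot level network-advantage addon dna-advantage"),
        "ip_routing": _has(lines, "ip routing"),
        "jumbo_mtu": any(mtu > 1500 for mtu in mtus),
        "ospf": _has(lines, "router ospf"),
        "priv15_user": any(re.match(r"username \S+ privilege 15 ", ln) for ln in lines),
        "snmp_strings": _has(lines, "snmp-server community") or _has(lines, "snmp-server group"),
        "local_auth": _has(lines, "aaa new-model") and _has(lines, "aaa authentication login default local"),
        "netconf_yang": _has(lines, "netconf-yang"),
        # Exact match on the subcommand: "transport input telnet ssh" must not pass as SSH-only.
        "vty_ssh_only": bool(vtys) and all("transport input ssh" in sub for _, sub in vtys),
        "vty_priv15": bool(vtys) and all("privilege level 15" in sub for _, sub in vtys),
    }


def missing(config):
    """Checklist items not satisfied, in a stable order (empty list means ready for discovery)."""
    return [item for item, ok in audit(config).items() if not ok]


if __name__ == "__main__":
    for name, cfg in (("UNPREPARED", UNPREPARED), ("PREPARED", PREPARED)):
        print(name, "missing:", missing(cfg) or "nothing")
```

Feed it the output of `show run` from each switch (for example via SSH with the dnacadmin account) and only start discovery when `missing()` returns an empty list for every device.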

HQ-SW config

HQ-SW#show run
Building configuration...

Current configuration : 3914 bytes
!
! Last configuration change at 03:22:03 UTC Mon Oct 6 2025
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname HQ-SW
!
boot-start-marker
boot-end-marker
!
!
!
username cisco privilege 15 secret 5 $1$SACq$2ExGwHsqUe3mKfho1B3AQ1
no aaa new-model
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 description INTERNET
 no switchport
 ip address 1.1.1.11 255.255.255.0
 negotiation auto
!
interface GigabitEthernet0/1
 description WINSERVER
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/2
 description home.local network
 switchport access vlan 11
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/3
 description ISE01
 media-type rj45
 negotiation auto
!
interface GigabitEthernet1/0
 description SDA-HQ-FBS-01 HQ-DATA
 switchport access vlan 12
 switchport mode access
 media-type rj45
 negotiation auto
!
interface GigabitEthernet1/1
 media-type rj45
 negotiation auto
!
interface GigabitEthernet1/2
 media-type rj45
 negotiation auto
!
interface GigabitEthernet1/3
 media-type rj45
 negotiation auto
!
interface Vlan1
 description HQ-OOB network
 ip address 172.16.32.1 255.255.255.0
!
interface Vlan11
 description home.local network
 ip address 192.168.0.15 255.255.255.0
!
interface Vlan12
 ip address 172.17.0.3 255.255.255.128
 ip ospf mtu-ignore
!
router ospf 100
 router-id 172.17.0.3
 network 172.17.0.0 0.0.0.127 area 0
 default-information originate
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip route 1.1.0.0 255.255.255.0 1.1.1.250
ip route 10.21.1.0 255.255.255.0 192.168.0.12
ip route 172.16.25.0 255.255.255.0 192.168.0.12
!
!
!
!
!
control-plane
!
banner exec ^CCC
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner incoming ^CCC
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
banner login ^CCC
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************^C
alias router show do show
alias interface show do show
alias configure show do show
!
line con 0
line aux 0
line vty 0 4
 login
!
!
netconf-yang
end

SDA-HQ-FBS-01 config

SDA-HQ-FBS-01#show run
Building configuration...

Current configuration : 8301 bytes
!
! Last configuration change at 03:40:18 UTC Mon Oct 6 2025
!
version 17.12
service timestamps debug datetime msec
service timestamps log datetime msec
platform punt-keepalive disable-kernel-core
!
hostname SDA-HQ-FBS-01
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
switch 1 provision c9kv-uadp-8p
!
!
!
!
ip routing
!
!
!
!
!
!
!
!
login on-success log
vtp version 1
!
!
!
!
!
!
!
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
 hash sha256
!
crypto pki trustpoint TP-self-signed-2070352050
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2070352050
 revocation-check none
 rsakeypair TP-self-signed-2070352050
 hash sha256
!
!
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01
  30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
  32310E30 0C060355 040A1305 43697363 6F312030 1E060355 04031317 43697363
  6F204C69 63656E73 696E6720 526F6F74 20434130 1E170D31 33303533 30313934
  3834375A 170D3338 30353330 31393438 34375A30 32310E30 0C060355 040A1305
  43697363 6F312030 1E060355 04031317 43697363 6F204C69 63656E73 696E6720
  526F6F74 20434130 82012230 0D06092A 864886F7 0D010101 05000382 010F0030
  82010A02 82010100 A6BCBD96 131E05F7 145EA72C 2CD686E6 17222EA1 F1EFF64D
  CBB4C798 212AA147 C655D8D7 9471380D 8711441E 1AAF071A 9CAE6388 8A38E520
  1C394D78 462EF239 C659F715 B98C0A59 5BBB5CBD 0CFEBEA3 700A8BF7 D8F256EE
  4AA4E80D DB6FD1C9 60B1FD18 FFC69C96 6FA68957 A2617DE7 104FDC5F EA2956AC
  7390A3EB 2B5436AD C847A2C5 DAB553EB 69A9A535 58E9F3E3 C0BD23CF 58BD7188
  68E69491 20F320E7 948E71D7 AE3BCC84 F10684C7 4BC8E00F 539BA42B 42C68BB7
  C7479096 B4CB2D62 EA2F505D C7B062A4 6811D95B E8250FC4 5D5D5FB8 8F27D191
  C55F0D76 61F9A4CD 3D992327 A8BB03BD 4E6D7069 7CBADF8B DF5F4368 95135E44
  DFC7C6CF 04DD7FD1 02030100 01A34230 40300E06 03551D0F 0101FF04 04030201
  06300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604 1449DC85
  4B3D31E5 1B3E6A17 606AF333 3D3B4C73 E8300D06 092A8648 86F70D01 010B0500
  03820101 00507F24 D3932A66 86025D9F E838AE5C 6D4DF6B0 49631C78 240DA905
  604EDCDE FF4FED2B 77FC460E CD636FDB DD44681E 3A5673AB 9093D3B1 6C9E3D8B
  D98987BF E40CBD9E 1AECA0C2 2189BB5C 8FA85686 CD98B646 5575B146 8DFC66A8
  467A3DF4 4D565700 6ADF0F0D CF835015 3C04FF7C 21E878AC 11BA9CD2 55A9232C
  7CA7B7E6 C1AF74F6 152E99B7 B1FCF9BB E973DE7F 5BDDEB86 C71E3B49 1765308B
  5FB0DA06 B92AFE7F 494E8A9E 07B85737 F3A58BE1 1A48A229 C37C1E69 39F08678
  80DDCD16 D6BACECA EEBC7CF9 8428787B 35202CDC 60E4616A B623CDBD 230E3AFB
  418616A9 4093E049 4D10AB75 27E86F73 932E35B5 8862FDAE 0275156F 719BB2F0
  D697DF7F 28
        quit
crypto pki certificate chain TP-self-signed-2070352050
 certificate self-signed 01
  30820330 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
  31312F30 2D060355 04030C26 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32303730 33353230 3530301E 170D3235 30393231 32313439
  32315A17 0D333530 39323132 31343932 315A3031 312F302D 06035504 030C2649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 30373033
  35323035 30308201 22300D06 092A8648 86F70D01 01010500 0382010F 00308201
  0A028201 0100BE6B 15431B3C C2F339F8 E68ED232 38C6D054 26256330 1860898B
  3427C857 6F821274 0C5B8B21 D2B908B2 71205F22 E9E2D9EF CCCEF719 CB65D798
  620546BE 724EFEE4 B7D9026F E94D9B0C A1B7755C 33C13A5B 5803DE7F DABC513B
  17181601 AE98D442 44694CF2 57D1505F 3A119649 E0F7C524 A2C544D1 8C986BC2
  89C8FAF7 0E72811A AC4FDC69 D0A4DE17 BE69A40F F83E5BFD B16E894B 18830516
  06726E02 3E6F1A7F 3A202286 600059F0 CF9EC6A8 420946BD A0F70AFF CE386017
  44CB8032 55B22C27 E240440C 39D3EEF3 B887DF4B ECECD738 76C531B7 DC43AC1F
  38AAE8C1 A12B5574 0DCA1A63 88E12E80 62411882 573FBF7A 85DD348B 425A477E
  9AF7DAB7 D9EF0203 010001A3 53305130 1D060355 1D0E0416 0414864F 5DC3AA3D
  570D29AC 614578D3 7BCFD3AF 76D5301F 0603551D 23041830 16801486 4F5DC3AA
  3D570D29 AC614578 D37BCFD3 AF76D530 0F060355 1D130101 FF040530 030101FF
  300D0609 2A864886 F70D0101 0B050003 82010100 3037A0B0 4EE53529 F17F5DAF
  A4B8BF4C 1B0B63D3 2F5785E9 4A2FFE10 46890D5C 3A50C253 6AF15B6F 13FA2AC8
  EBF67CBD CFA8D7AE 756B2596 B554A972 40F4E277 98310DC0 9EA3EB9A B8CCD9BE
  C5332F30 4C6A7F5B D76CF4DF 69E29977 745B232E EC606EB5 CD6CA542 A425C5CC
  D307EE95 FBF9FE6A F0561077 83079168 0DEA031B 00D4D850 EFED9136 607A5F2F
  FB848029 6C2457A0 1AD24EBB A915E9DE F0F4BFD5 DA125681 55183EE5 D62333F9
  97EA23F6 F2925C1E 440888B7 34A5F17D 66245CF7 3D4C53EB 1E364B3F 9861630D
  31F4E67F 05F58704 E4D4238D 539144CC 70F0A6AB F51BAFE9 F47D3E14 72AABFB8
  F44C060A BE7D007B DA1DF7FB B73C8E9D 1B24F792
        quit
!
!
license boot level network-advantage addon dna-advantage
memory free low-watermark processor 74862
!
system mtu 8978
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
enable secret 9 $9$WsbGbEnlY7ZnOE$8Y5qUmOgCatKFC2M/Kpmov7Dbd08QBhQlA8nlOXjnfA
!
username cisco privilege 15 secret 9 $9$K2c68lctCCR3v.$SgFneM9tcIGiIKFFsAsZDcBT/DX0ty2rJ01pQSVW5LU
username dnacadmin privilege 15 secret 9 $9$ss2NT8jXdGqUGU$QVfZV.IgKGnzd8GNy5oCLpfZvamjwuusTVNBK61XPMQ
!
redundancy
 mode sso
!
!
!
!
!
!
class-map match-any system-cpp-police-topology-control
  description Topology control
class-map match-any system-cpp-police-sw-forward
  description Sw forwarding, L2 LVX data, LOGGING
class-map match-any system-cpp-default
  description EWLC control, EWLC data, Inter FED
class-map match-any system-cpp-police-sys-data
  description Learning cache ovfl, High Rate App, Exception, EGR Exception, NFL SAMPLED DATA, RPF Failed
class-map match-any system-cpp-police-punt-webauth
  description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
  description L2 LVX control packets
class-map match-any system-cpp-police-forus
  description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
  description MCAST END STATION
class-map match-any system-cpp-police-multicast
  description Transit Traffic and MCAST Data
class-map match-any system-cpp-police-l2-control
  description L2 control
class-map match-any system-cpp-police-dot1x-auth
  description DOT1X Auth
class-map match-any system-cpp-police-data
  description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
  description Stackwise Virtual
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
  description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
  description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
  description DHCP snooping
class-map match-any system-cpp-police-system-critical
  description System Critical and Gold Pkt
!
policy-map system-cpp-policy
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 no ip address
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address dhcp
 negotiation auto
!
interface GigabitEthernet1/0/1
 description HQ-SW
 switchport access vlan 12
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
 description SDA-HQ-FIS-01
 switchport access vlan 12
!
interface GigabitEthernet1/0/8
 description SDA-HQ-FIS-01
 switchport access vlan 12
!
interface Vlan1
 no ip address
!
interface Vlan12
 ip address 172.17.0.4 255.255.255.128
 ip ospf mtu-ignore
!
router ospf 100
 router-id 172.17.0.4
 network 172.17.0.0 0.0.0.127 area 0
!
ip forward-protocol nd
ip tcp mss 1280
ip tcp window-size 212000
ip http server
ip http authentication local
ip http secure-server
ip ssh bulk-mode 131072
!
!
!
!
snmp-server community ciscoro RO
snmp-server community ciscorw RW
!
!
!
!
control-plane
 service-policy input system-cpp-policy
!
!
alias router show do show
alias interface show do show
alias configure show do show
!
line con 0
 stopbits 1
line vty 0 4
 privilege level 15
 transport input ssh
line vty 5 98
 privilege level 15
 transport input ssh
!
!
!
!
!
!
!
netconf-yang
end

SDA-HQ-FES-01 config

SDA-HQ-FES-01#show run
Building configuration...

Current configuration : 8213 bytes
!
! Last configuration change at 03:42:50 UTC Mon Oct 6 2025
!
version 17.12
service timestamps debug datetime msec
service timestamps log datetime msec
platform punt-keepalive disable-kernel-core
!
hostname SDA-HQ-FES-01
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
switch 1 provision c9kv-uadp-8p
!
!
!
!
ip routing
!
!
!
!
!
!
!
!
login on-success log
vtp version 1
!
!
!
!
!
!
!
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
 hash sha256
!
crypto pki trustpoint TP-self-signed-4128105830
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4128105830
 revocation-check none
 rsakeypair TP-self-signed-4128105830
 hash sha256
!
!
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01
  30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
  32310E30 0C060355 040A1305 43697363 6F312030 1E060355 04031317 43697363
  6F204C69 63656E73 696E6720 526F6F74 20434130 1E170D31 33303533 30313934
  3834375A 170D3338 30353330 31393438 34375A30 32310E30 0C060355 040A1305
  43697363 6F312030 1E060355 04031317 43697363 6F204C69 63656E73 696E6720
  526F6F74 20434130 82012230 0D06092A 864886F7 0D010101 05000382 010F0030
  82010A02 82010100 A6BCBD96 131E05F7 145EA72C 2CD686E6 17222EA1 F1EFF64D
  CBB4C798 212AA147 C655D8D7 9471380D 8711441E 1AAF071A 9CAE6388 8A38E520
  1C394D78 462EF239 C659F715 B98C0A59 5BBB5CBD 0CFEBEA3 700A8BF7 D8F256EE
  4AA4E80D DB6FD1C9 60B1FD18 FFC69C96 6FA68957 A2617DE7 104FDC5F EA2956AC
  7390A3EB 2B5436AD C847A2C5 DAB553EB 69A9A535 58E9F3E3 C0BD23CF 58BD7188
  68E69491 20F320E7 948E71D7 AE3BCC84 F10684C7 4BC8E00F 539BA42B 42C68BB7
  C7479096 B4CB2D62 EA2F505D C7B062A4 6811D95B E8250FC4 5D5D5FB8 8F27D191
  C55F0D76 61F9A4CD 3D992327 A8BB03BD 4E6D7069 7CBADF8B DF5F4368 95135E44
  DFC7C6CF 04DD7FD1 02030100 01A34230 40300E06 03551D0F 0101FF04 04030201
  06300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604 1449DC85
  4B3D31E5 1B3E6A17 606AF333 3D3B4C73 E8300D06 092A8648 86F70D01 010B0500
  03820101 00507F24 D3932A66 86025D9F E838AE5C 6D4DF6B0 49631C78 240DA905
  604EDCDE FF4FED2B 77FC460E CD636FDB DD44681E 3A5673AB 9093D3B1 6C9E3D8B
  D98987BF E40CBD9E 1AECA0C2 2189BB5C 8FA85686 CD98B646 5575B146 8DFC66A8
  467A3DF4 4D565700 6ADF0F0D CF835015 3C04FF7C 21E878AC 11BA9CD2 55A9232C
  7CA7B7E6 C1AF74F6 152E99B7 B1FCF9BB E973DE7F 5BDDEB86 C71E3B49 1765308B
  5FB0DA06 B92AFE7F 494E8A9E 07B85737 F3A58BE1 1A48A229 C37C1E69 39F08678
  80DDCD16 D6BACECA EEBC7CF9 8428787B 35202CDC 60E4616A B623CDBD 230E3AFB
  418616A9 4093E049 4D10AB75 27E86F73 932E35B5 8862FDAE 0275156F 719BB2F0
  D697DF7F 28
        quit
crypto pki certificate chain TP-self-signed-4128105830
 certificate self-signed 01
  30820330 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
  31312F30 2D060355 04030C26 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34313238 31303538 3330301E 170D3235 31303035 31393137
  30325A17 0D333531 30303531 39313730 325A3031 312F302D 06035504 030C2649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31323831
  30353833 30308201 22300D06 092A8648 86F70D01 01010500 0382010F 00308201
  0A028201 0100B7B2 70B7BDF4 91177742 63220480 4899E262 C48CF80E B97F5343
  5BC116D2 EFE21CC5 7B2C5BDA 8A2A1397 D1BEE9BF 8EB1BF36 82F1AC35 C87B876D
  B59424B1 E20EEE3C 1C0B2AC9 B769A6C9 2704BE3F F6C0C75C 2815086C 917819AA
  82EF8509 92B044E2 48CA015B B7703328 A60A9DFF 27475FE8 C868CF1E 33037F41
  F6B54D71 BB26B172 BB07764C 0805B093 DA0B75CD 0FC332B8 9E421DEB 10EF4640
  E43766A7 32B8ACF5 8031B253 26AF5CFB 33520DCA 0E30F1E5 C9A63627 34440ACB
  3F0368DD 0B0E3F3A BE744597 4820D2B1 2AF9D788 606318A6 7FCD560B E6DA777B
  1EF3CE00 F1B9A366 B6D1D54A AD0388E2 DA333E0D 647E6CCB FF102702 917725FF
  2F63BDC2 6DF30203 010001A3 53305130 1D060355 1D0E0416 0414B90C B90FAFDA
  1F2782DC 146CA7D0 8D14E721 EF83301F 0603551D 23041830 168014B9 0CB90FAF
  DA1F2782 DC146CA7 D08D14E7 21EF8330 0F060355 1D130101 FF040530 030101FF
  300D0609 2A864886 F70D0101 0B050003 82010100 2C21E6F0 C64F7362 5B29B2FB
  B45BCA4D 6A8E2C8E E5EFA844 7D8FC72C 274D3DA4 012F8940 464A1DE5 EA3D0E0D
  37D92810 DC75FD6B 7160B76A 4FD75857 2DC18727 E2CFCB55 AA43C8E2 5A9AF302
  FABFEF84 BC3D5CD1 4A2AB3AC D42FD4D6 5F588A68 B8F0788B 75634E4F 37F5D64B
  33E533F5 79B81E64 D9232BBE 5F7CBB1A 7AF088CA 0BB04ADB 332680A1 E23F22A7
  4F39F12F 82A0D7F3 D00F451E 5A247ABB E333C470 3C0A67D9 3D6DD9A3 554A51B8
  DA59EEFD 621970F5 4958AB38 92CECECF 7AF08EE2 803B5F2B 3FB7195D BA49B4E0
  4EB859F8 366D1A48 74B86593 6812A3E2 27683CA0 7C7045ED FD45961A C888D693
  D75AF59C E28965D3 B2B7931B 3CD50C73 1E0D378A
        quit
!
!
license boot level network-advantage addon dna-advantage
memory free low-watermark processor 74862
!
system mtu 8978
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
enable secret 9 $9$WsbGbEnlY7ZnOE$8Y5qUmOgCatKFC2M/Kpmov7Dbd08QBhQlA8nlOXjnfA
!
username cisco privilege 15 secret 9 $9$K2c68lctCCR3v.$SgFneM9tcIGiIKFFsAsZDcBT/DX0ty2rJ01pQSVW5LU
username dnacadmin privilege 15 secret 9 $9$ss2NT8jXdGqUGU$QVfZV.IgKGnzd8GNy5oCLpfZvamjwuusTVNBK61XPMQ
!
redundancy
 mode sso
!
!
!
!
!
!
class-map match-any system-cpp-police-topology-control
  description Topology control
class-map match-any system-cpp-police-sw-forward
  description Sw forwarding, L2 LVX data, LOGGING
class-map match-any system-cpp-default
  description EWLC control, EWLC data, Inter FED
class-map match-any system-cpp-police-sys-data
  description Learning cache ovfl, High Rate App, Exception, EGR Exception, NFL SAMPLED DATA, RPF Failed
class-map match-any system-cpp-police-punt-webauth
  description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
  description L2 LVX control packets
class-map match-any system-cpp-police-forus
  description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
  description MCAST END STATION
class-map match-any system-cpp-police-multicast
  description Transit Traffic and MCAST Data
class-map match-any system-cpp-police-l2-control
  description L2 control
class-map match-any system-cpp-police-dot1x-auth
  description DOT1X Auth
class-map match-any system-cpp-police-data
  description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
  description Stackwise Virtual
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
  description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
  description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
  description DHCP snooping
class-map match-any system-cpp-police-system-critical
  description System Critical and Gold Pkt
!
policy-map system-cpp-policy
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address dhcp
 negotiation auto
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
 description SDA-HQ-FIS-01
 switchport access vlan 12
!
interface GigabitEthernet1/0/6
 description SDA-HQ-FIS-01
 switchport access vlan 12
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface Vlan1
 no ip address
!
interface Vlan12
 ip address 172.17.0.6 255.255.255.128
 ip ospf mtu-ignore
!
router ospf 100
 router-id 172.17.0.6
 network 172.17.0.0 0.0.0.127 area 0
!
ip forward-protocol nd
ip tcp mss 1280
ip tcp window-size 212000
ip http server
ip http authentication local
ip http secure-server
ip ssh bulk-mode 131072
!
!
!
!
snmp-server community ciscoro RO
snmp-server community ciscorw RW
!
!
!
!
control-plane
 service-policy input system-cpp-policy
!
!
alias router show do show
alias interface show do show
alias configure show do show
!
line con 0
 stopbits 1
line vty 0 4
 privilege level 15
 transport input ssh
line vty 5 98
 privilege level 15
 transport input ssh
!
!
!
!
!
!
!
netconf-yang
end

SDA-HQ-FIS-01 config

SDA-HQ-FIS-01#show run
Building configuration...

Current configuration : 8321 bytes
!
! Last configuration change at 03:43:50 UTC Mon Oct 6 2025
!
version 17.12
service timestamps debug datetime msec
service timestamps log datetime msec
platform punt-keepalive disable-kernel-core
!
hostname SDA-HQ-FIS-01
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
switch 1 provision c9kv-uadp-8p
!
!
!
!
ip routing
!
!
!
!
!
!
!
!
login on-success log
vtp version 1
!
!
!
!
!
!
!
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
 hash sha256
!
crypto pki trustpoint TP-self-signed-3709873604
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3709873604
 revocation-check none
 rsakeypair TP-self-signed-3709873604
 hash sha256
!
!
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01
  30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
  32310E30 0C060355 040A1305 43697363 6F312030 1E060355 04031317 43697363
  6F204C69 63656E73 696E6720 526F6F74 20434130 1E170D31 33303533 30313934
  3834375A 170D3338 30353330 31393438 34375A30 32310E30 0C060355 040A1305
  43697363 6F312030 1E060355 04031317 43697363 6F204C69 63656E73 696E6720
  526F6F74 20434130 82012230 0D06092A 864886F7 0D010101 05000382 010F0030
  82010A02 82010100 A6BCBD96 131E05F7 145EA72C 2CD686E6 17222EA1 F1EFF64D
  CBB4C798 212AA147 C655D8D7 9471380D 8711441E 1AAF071A 9CAE6388 8A38E520
  1C394D78 462EF239 C659F715 B98C0A59 5BBB5CBD 0CFEBEA3 700A8BF7 D8F256EE
  4AA4E80D DB6FD1C9 60B1FD18 FFC69C96 6FA68957 A2617DE7 104FDC5F EA2956AC
  7390A3EB 2B5436AD C847A2C5 DAB553EB 69A9A535 58E9F3E3 C0BD23CF 58BD7188
  68E69491 20F320E7 948E71D7 AE3BCC84 F10684C7 4BC8E00F 539BA42B 42C68BB7
  C7479096 B4CB2D62 EA2F505D C7B062A4 6811D95B E8250FC4 5D5D5FB8 8F27D191
  C55F0D76 61F9A4CD 3D992327 A8BB03BD 4E6D7069 7CBADF8B DF5F4368 95135E44
  DFC7C6CF 04DD7FD1 02030100 01A34230 40300E06 03551D0F 0101FF04 04030201
  06300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604 1449DC85
  4B3D31E5 1B3E6A17 606AF333 3D3B4C73 E8300D06 092A8648 86F70D01 010B0500
  03820101 00507F24 D3932A66 86025D9F E838AE5C 6D4DF6B0 49631C78 240DA905
  604EDCDE FF4FED2B 77FC460E CD636FDB DD44681E 3A5673AB 9093D3B1 6C9E3D8B
  D98987BF E40CBD9E 1AECA0C2 2189BB5C 8FA85686 CD98B646 5575B146 8DFC66A8
  467A3DF4 4D565700 6ADF0F0D CF835015 3C04FF7C 21E878AC 11BA9CD2 55A9232C
  7CA7B7E6 C1AF74F6 152E99B7 B1FCF9BB E973DE7F 5BDDEB86 C71E3B49 1765308B
  5FB0DA06 B92AFE7F 494E8A9E 07B85737 F3A58BE1 1A48A229 C37C1E69 39F08678
  80DDCD16 D6BACECA EEBC7CF9 8428787B 35202CDC 60E4616A B623CDBD 230E3AFB
  418616A9 4093E049 4D10AB75 27E86F73 932E35B5 8862FDAE 0275156F 719BB2F0
  D697DF7F 28
        quit
crypto pki certificate chain TP-self-signed-3709873604
 certificate self-signed 01
  30820330 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
  31312F30 2D060355 04030C26 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33373039 38373336 3034301E 170D3235 31303035 31393137
  31335A17 0D333531 30303531 39313731 335A3031 312F302D 06035504 030C2649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37303938
  37333630 34308201 22300D06 092A8648 86F70D01 01010500 0382010F 00308201
  0A028201 0100C759 F84AFB37 54B78EFF 9273D1C3 0D6C5070 A83E4D91 FCF8D23C
  448032EA 06A19825 5079D281 48A6864B B52DD90F 3B8D38FD A94746E0 2F704FE5
  9AEB1C6E 2641C6DE 7D8410A4 E9A7C403 F3C81746 2E68527D 3B7AD8DA 2CD42017
  5605E8A7 2F2A9F7B 9BDCC916 A305847B 10338575 99FCB13B C698BC10 0040FC1B
  008AC100 0CBE486E 2A3674F6 C3C29501 3225EB05 20948377 C5FB1B80 30B7C775
  059FC53D 43CDA2BC 4551028A C92B19AE 26A16499 2D95D48E 7BDD5B2B 499E9825
  A3355A37 BC1A0581 E5FAD1CD 9D71ED1F 394DCE1F 48BBB3B8 4B077745 385FE76D
  F2B90AC7 9F048D9E 29B83A57 022FBA37 4BADD628 D7DA69BA 9172BEDE 7518F3BB
  2E7878D3 A31F0203 010001A3 53305130 1D060355 1D0E0416 0414021D 7AFCBB5E
  378C9A0F 5864A7C3 A633ABE1 4517301F 0603551D 23041830 16801402 1D7AFCBB
  5E378C9A 0F5864A7 C3A633AB E1451730 0F060355 1D130101 FF040530 030101FF
  300D0609 2A864886 F70D0101 0B050003 82010100 95998C49 0D9ABEC9 1E1B1DE8
  54C08FCE 536685EB 9E3E8B44 FC13DDA4 658DD6D8 662DF08A 41749F88 891194E9
  AF06D23D 0980F173 4DDA2F20 3BC6751F 4BF45821 6C4071BE 9F9B24EA 47B224EB
  6E22FDA9 7B57181E 54691EFD DB0EC11D CBB42446 E4728F57 CA901250 A7C69207
  36DEDB9A 4B377903 92FC2684 AF2EAC79 5E45EB4C 29F8F083 77099D29 3877C84D
  CC7A28D8 2C1E8B2F 4E1361EE 2ABA2D60 A6DD101F 12560715 29439D98 AA1F3167
  404629FA D6CB1F8F 5A5A4C6E 181178BF 9500A404 1F3D13C8 22FE5BEA 8E8F247E
  BBCAE461 365EA67E DFF2F9F1 97AD52D2 8269E54F B4E63F25 797C2720 258F8505
  4ACCE8A9 6CC78BDA 532508B4 9D74C3A0 BE6F2A7B
        quit
!
!
license boot level network-advantage addon dna-advantage
memory free low-watermark processor 74862
!
system mtu 8978
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
enable secret 9 $9$WsbGbEnlY7ZnOE$8Y5qUmOgCatKFC2M/Kpmov7Dbd08QBhQlA8nlOXjnfA
!
username cisco privilege 15 secret 9 $9$K2c68lctCCR3v.$SgFneM9tcIGiIKFFsAsZDcBT/DX0ty2rJ01pQSVW5LU
username dnacadmin privilege 15 secret 9 $9$ss2NT8jXdGqUGU$QVfZV.IgKGnzd8GNy5oCLpfZvamjwuusTVNBK61XPMQ
!
redundancy
 mode sso
!
!
!
!
!
!
class-map match-any system-cpp-police-topology-control
  description Topology control
class-map match-any system-cpp-police-sw-forward
  description Sw forwarding, L2 LVX data, LOGGING
class-map match-any system-cpp-default
  description EWLC control, EWLC data, Inter FED
class-map match-any system-cpp-police-sys-data
  description Learning cache ovfl, High Rate App, Exception, EGR Exception, NFL SAMPLED DATA, RPF Failed
class-map match-any system-cpp-police-punt-webauth
  description Punt Webauth
class-map match-any system-cpp-police-l2lvx-control
  description L2 LVX control packets
class-map match-any system-cpp-police-forus
  description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
  description MCAST END STATION
class-map match-any system-cpp-police-multicast
  description Transit Traffic and MCAST Data
class-map match-any system-cpp-police-l2-control
  description L2 control
class-map match-any system-cpp-police-dot1x-auth
  description DOT1X Auth
class-map match-any system-cpp-police-data
  description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any system-cpp-police-stackwise-virt-control
  description Stackwise Virtual
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
  description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
  description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
  description DHCP snooping
class-map match-any system-cpp-police-system-critical
  description System Critical and Gold Pkt
!
policy-map system-cpp-policy
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address dhcp
 negotiation auto
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
 description SDA-HQ-FIS-01
 switchport access vlan 12
!
interface GigabitEthernet1/0/6
 description SDA-HQ-FIS-01
 switchport access vlan 12
!
interface GigabitEthernet1/0/7
 description SDA-HQ-FBS-01
 switchport access vlan 12
!
interface GigabitEthernet1/0/8
 description SDA-HQ-FBS-01
 switchport access vlan 12
!
interface Vlan1
 no ip address
!
interface Vlan12
 ip address 172.17.0.5 255.255.255.128
 ip ospf mtu-ignore
!
router ospf 100
 router-id 172.17.0.5
 network 172.17.0.0 0.0.0.127 area 0
!
ip forward-protocol nd
ip tcp mss 1280
ip tcp window-size 212000
ip http server
ip http authentication local
ip http secure-server
ip ssh bulk-mode 131072
!
!
!
!
snmp-server community ciscoro RO
snmp-server community ciscorw RW
!
!
!
!
control-plane
 service-policy input system-cpp-policy
!
!
alias router show do show
alias interface show do show
alias configure show do show
!
line con 0
 stopbits 1
line vty 0 4
 privilege level 15
 transport input ssh
line vty 5 98
 privilege level 15
 transport input ssh
!
!
!
!
!
!
!
netconf-yang
end

To verify that NETCONF is enabled on each switch:

show netconf-yang status

If you just want to use DNAC without SDA and take advantage of things such as image management and telemetry, you can, but SDA changes the way the LAN operates.

One very important point to keep in mind is the latency requirement for SDA between DNAC and the devices: 100 ms, and 200 ms is pushing it.

From ISE we only have 100 ms to play with anyway.

The latency requirement between WLC and AP is 20 ms.

Within the DNAC cluster (which includes ISE as the policy node) latency needs to be 10 ms.

Another requirement is that all devices be configured with SSH access using the credentials that were configured in DNAC, with full access and not just the enable prompt.

Device controllability during discovery means that configuration changes will be made during inventory/discovery or when a device is assigned to a site; it is enabled by default.
