SkarpChapter 22 of 27
Software-Defined Networking and Controller-Based Architectures
Step into modern networking by separating control and data planes and seeing how controllers orchestrate large-scale networks.
From Traditional Networks to SDN
Why This Module Matters
You are moving from traditional CLI-per-device networking to modern controller-based and software-defined networking, where automation and central control are key.
Traditional Networks
In classic Cisco campus designs, each switch and router has its own control plane and is configured individually via CLI, forming a distributed control plane.
Scaling Problems
As networks grow to hundreds of devices, manual CLI configuration becomes slow, inconsistent, and error-prone, especially for ACLs, VLANs, and security policies.
Enter SDN and Controllers
Software-defined networking centralizes network intelligence in a controller, which programs devices via APIs instead of you touching every box directly.
CCNA Relevance
For CCNA, you must grasp SDN concepts, controller-based architectures, and how Cisco DNA Center fits into campus designs, not implement full solutions.
Control Plane vs Data Plane
The Data Plane
The data plane forwards user traffic: switches look up MAC addresses, routers match IP routes and ACLs, and packets are moved at high speed, often in hardware.
The Control Plane
The control plane builds the tables the data plane uses: routing protocols, STP, ARP, and management protocols all feed information into forwarding decisions.
Same Box in Traditional Networks
In classic designs, each device hosts its own control plane and data plane: the CPU runs control protocols, while ASICs implement fast, local forwarding.
Connecting to Prior Topics
ACLs define what the data plane permits or denies, while features like STP and DHCP snooping shape the control plane’s view of safe, valid paths and hosts.
Canonical Definition of SDN
Know This Definition
Software-defined networking (SDN) is an architectural approach that separates the control plane from the data plane, enabling centralized control via controllers and APIs.
Architectural Approach
SDN is a way of designing networks, not a single product. It changes where intelligence lives and how devices are programmed.
Centralized Control
Instead of each device deciding on its own, a controller with a global view decides paths and policies, then programs the devices.
APIs, Not Just CLI
Controllers use APIs to interact with devices. This allows automation tools and applications to manage the network programmatically.
Distributed vs Controller-Based Architectures
Distributed Control Plane
In traditional networks, each device runs OSPFv2, STP, and other protocols locally, and you configure ACLs and policies one box at a time.
Controller-Based Design
In controller-based architectures, a central controller has the global view and programs devices as fast forwarding engines.
Operational Differences
With a controller, you mainly use its GUI or APIs and templates, instead of logging into dozens of CLIs for every change.
Hybrid Reality
Modern Cisco networks often mix both: devices still run some control logic, but controllers overlay centralized policy and automation.
Practical Scenario: Rolling Out a New ACL Policy
Traditional ACL Rollout
To block HTTP from students to finance, you manually edit ACLs on multiple routers or switches, carefully ordering entries and applying them.
Controller-Based Rollout
With SDN, you define a central policy like "Students cannot access Finance over HTTP" and the controller pushes equivalent ACLs automatically.
Why This Matters
Controller-based deployment reduces human error, keeps policies consistent, and offers assurance views showing which flows are allowed or denied.
Cisco DNA Center: Where It Fits
What Is Cisco DNA Center?
Cisco DNA Center is Cisco’s enterprise campus controller and management platform for wired, wireless, and branch networks.
Core Functions
It provides Design, Policy, Provision, and Assurance: from site templates to automated deployment and continuous health monitoring.
Role in SD-Access
In Cisco SD-Access, DNA Center builds the fabric, manages overlays, and coordinates segmentation and policy enforcement across fabric nodes.
Think of It as the Brain
Admins express intent in DNA Center, which then programs underlying switches, routers, and APs via APIs instead of manual CLI.
APIs and REST: How Controllers Talk
REST API Definition
A Representational State Transfer (REST) API is a web-based interface using HTTP methods and resource URIs for programmatic access to devices and controllers.
Why APIs Matter
Controllers expose APIs so scripts and tools can read network state and apply changes without manual CLI on each device.
Northbound vs Southbound
Northbound APIs let your tools talk to the controller; southbound protocols let the controller program switches, routers, and APs.
CCNA Expectation
You should recognize HTTP verbs, JSON payloads, and the idea that a single API call can replace many manual CLI sessions.
Simple REST API Call to a Controller
This step gives you a feel for how a script might interact with a controller such as Cisco DNA Center using a REST API. You are not required to memorize syntax, but seeing it once makes exam questions less abstract.
Imagine you want to list all network devices known to the controller. A typical flow is:
- Authenticate and obtain a token.
- Use the token in an HTTP GET request to a resource such as `/network-device`.
Below is a simplified Python example using the `requests` library. It is conceptual, not production-ready.
```python
import requests
BASE_URL = "https://dnac.example.com/api/v1"
USERNAME = "admin"
PASSWORD = "Cisco123!"
1. Authenticate and get a token
auth_resp = requests.post(
f"{BASE_URL}/auth/token",
auth=(USERNAME, PASSWORD),
verify=False # do not do this in production
)
authresp.raisefor_status()
token = auth_resp.json()["Token"]
headers = {
"X-Auth-Token": token,
"Content-Type": "application/json"
}
2. Get the list of network devices
devices_resp = requests.get(
f"{BASE_URL}/network-device",
headers=headers,
verify=False
)
devicesresp.raisefor_status()
devices = devices_resp.json()["response"]
for dev in devices:
print(dev["hostname"], dev["managementIpAddress"])
```
Conceptual takeaways:
- You talk to the controller, not directly to every switch.
- You use HTTP methods (POST for auth, GET for data) and URIs.
- The response is JSON you can parse and loop over.
Exam questions may show small JSON snippets or API URLs and ask what they represent or which HTTP method is appropriate.
Thought Exercise: Mapping Old Concepts to SDN
Use this mental exercise to connect earlier topics (ACLs, VLANs, DHCP, wireless security) to SDN and controller-based networking.
Work through these questions in your head or jot short answers:
- VLANs and Segmentation
You know that "A Virtual Local Area Network (VLAN) is a logical subdivision of a Layer 2 network that groups devices into the same broadcast domain regardless of their physical location."
- In a traditional network, how do you create and assign VLANs to access ports?
- In an SDN campus fabric (like Cisco SD-Access), how might you instead think in terms of “virtual networks” or “groups” that the controller maps to VLANs behind the scenes?
- ACLs and Policy
- Previously, you placed ACLs on specific interfaces and directions. In a controller-based design, where do you define the intent of the policy?
- Who decides where to enforce it: you, or the controller?
- DHCP and IP Addressing
Recall: "The Dynamic Host Configuration Protocol (DHCP) automatically assigns IP configuration parameters such as IP address, subnet mask, default gateway, and DNS servers to clients."
- In a traditional network, how do you make sure the right DHCP scope is used for each VLAN?
- With a controller like Cisco DNA Center, how could centralized IP address pool management reduce misconfigurations?
- Wireless Security
- Think of features like WPA2-Enterprise and guest networks. How might a controller simplify creating consistent SSIDs and security policies across dozens of access points?
Pause and ensure you can explain, in your own words, how the same concepts (VLANs, ACLs, DHCP, wireless security) are still present, but the way you configure and manage them changes with SDN.
Quick Check: SDN and Control/Data Planes
Test your understanding of SDN fundamentals and control/data plane separation.
Which statement best describes software-defined networking (SDN) in the context of enterprise networks?
- SDN is a routing protocol that replaces OSPFv2 and EIGRP in large networks.
- SDN is an architectural approach that separates the control plane from the data plane, enabling centralized control of network behavior through software-based controllers and APIs.
- SDN is a security feature that automatically creates ACLs on routers based on observed traffic patterns.
- SDN is a wireless standard that defines how access points communicate with controllers.
Show Answer
Answer: B) SDN is an architectural approach that separates the control plane from the data plane, enabling centralized control of network behavior through software-based controllers and APIs.
The canonical definition of SDN is: "Software-defined networking (SDN) is an architectural approach that separates the control plane from the data plane, enabling centralized control of network behavior through software-based controllers and APIs." It is not a single routing protocol, a specific security feature, or a wireless standard.
Quiz: Traditional vs Controller-Based
Another short quiz to reinforce the difference between distributed and controller-based architectures.
In a controller-based architecture using Cisco DNA Center, which of the following is MOST accurate?
- Each switch independently runs its own control plane and never communicates with the controller.
- Policies are defined centrally on the controller, which then programs the underlying devices via APIs or other protocols.
- The controller replaces all switches and routers, so no physical forwarding devices are needed.
- You must still log in to each device individually; the controller is used only for monitoring.
Show Answer
Answer: B) Policies are defined centrally on the controller, which then programs the underlying devices via APIs or other protocols.
In controller-based designs like those using Cisco DNA Center, administrators define policies centrally. The controller then pushes configurations and forwarding rules to devices. Devices still exist and forward traffic, but they are programmed by the controller. You do not normally configure each device manually for routine tasks.
Key Term Flashcards: SDN and Controllers
Use these flashcards to solidify core terminology before moving on.
- software-defined networking (SDN)
- Software-defined networking (SDN) is an architectural approach that separates the control plane from the data plane, enabling centralized control of network behavior through software-based controllers and APIs.
- Control plane
- The part of a network device or system that builds and maintains forwarding information, using protocols like OSPFv2, STP, and ARP, and makes decisions about where traffic should go.
- Data plane
- The part of a network device that forwards actual user traffic (frames and packets) based on tables and rules created by the control plane, often implemented in hardware for speed.
- Controller-based architecture
- A network design where a central controller maintains a global view of the network and programs the forwarding behavior and policies of multiple devices, rather than configuring each device independently.
- Cisco DNA Center
- Cisco’s enterprise campus controller and management platform that provides design, policy, provisioning, and assurance for wired, wireless, and branch networks, acting as the SDN controller in Cisco SD-Access.
- REST API
- A Representational State Transfer (REST) API is a web-based interface that uses HTTP methods and resource-oriented URIs to enable programmatic access to network devices and controllers.
- Northbound API
- An API exposed by a controller to higher-level tools and applications, allowing them to retrieve network information and push intent or policies to the controller.
- Southbound interface
- The set of protocols and mechanisms a controller uses to communicate with and program underlying network devices, such as NETCONF, RESTCONF, or vendor-specific protocols.
Where SDN Appears in the CCNA Exam (Automation Domain)
SDN in the CCNA Automation Domain
You must distinguish traditional per-device management from controller-based designs and state the SDN definition accurately.
What You Should Recognize
Expect questions on what a controller does, how Cisco DNA Center fits in, and when to use APIs versus manual CLI.
Link to Your Study Path
You have learned ACLs and L2 security; now you see how controllers apply those concepts consistently across large networks.
Next Steps in Skarp
Upcoming diagnostics and mock exams will test these ideas, and spaced review will revisit any SDN or controller topics you find challenging.
Key Terms
- ACL
- An Access Control List (ACL) is an ordered set of permit and deny statements that control which packets are allowed or blocked based on criteria such as source, destination, and protocol.
- DHCP
- The Dynamic Host Configuration Protocol (DHCP) automatically assigns IP configuration parameters such as IP address, subnet mask, default gateway, and DNS servers to clients.
- VLAN
- A Virtual Local Area Network (VLAN) is a logical subdivision of a Layer 2 network that groups devices into the same broadcast domain regardless of their physical location.
- REST API
- A Representational State Transfer (REST) API is a web-based interface that uses HTTP methods and resource-oriented URIs to enable programmatic access to network devices and controllers.
- Data plane
- The component of a network device that forwards user frames and packets based on rules and tables created by the control plane, typically implemented in hardware for high performance.
- Control plane
- The part of a network device or system that builds and maintains forwarding information using protocols like OSPFv2, STP, and ARP, deciding how traffic should be forwarded.
- Northbound API
- An interface exposed by a controller to higher-level applications and tools, allowing them to retrieve network information and push intent or policies to the controller.
- Cisco SD-Access
- Cisco’s software-defined access solution for campus networks that uses a fabric-based architecture managed by Cisco DNA Center to provide segmentation, policy, and automation.
- Cisco DNA Center
- Cisco’s enterprise campus controller and management platform that provides design, policy, provisioning, and assurance for wired, wireless, and branch networks, and acts as the SDN controller in Cisco SD-Access.
- Southbound interface
- The protocols and mechanisms a controller uses to communicate with and program underlying network devices, such as NETCONF, RESTCONF, or vendor-specific protocols.
- Controller-based architecture
- A network design where a central controller maintains a global view and programs multiple devices’ forwarding behavior and policies, instead of configuring each device independently.
- software-defined networking (SDN)
- Software-defined networking (SDN) is an architectural approach that separates the control plane from the data plane, enabling centralized control of network behavior through software-based controllers and APIs.