I have been reading about DNA-Center for some days now, and I guess that TrustSec is a strong requirement to use the Policy feature, and I did not find it clearly stated. Without this, DNA-Center just creates an insecure, flat single-VLAN LAN.
In DNA-Center, the Policy app makes sense only on an SD-Access LAN, correct me if not. From what I see, Policy definitions need ISE to be fully integrated, fully configured to the TrustSec level (groups created, SGT Tags). So I can see 4 cases, please correct me if I missed something:
If the LAN is legacy, no TrustSec, then the only thing DNA-Center will do is put all SW access ports to the site VLAN, and that is it. Not even default ACL on ports, or 802.1X authentication on SW ports.
If the traditional (not SD-Access) LAN is TrustSec-ready, then I will have an ISE properly prepared and DNA-Center will ease the task of creating the policies, but I can already do this without DNA-Center. Will DNA-Center also import the defined policies from ISE, or only the group definitions?
In case of an SD-Access LAN, if there is no TrustSec ISE prepared (policies, groups, pxGrid, etc), then my LAN cannot have any policies, so back to single VLAN LAN.
Only in the case of SD-Access with a fully powered TrustSec-ready ISE, only then can the LAN enforce the security policies.
I know, lots of questions... but not having DNA-Center to play with, relying only on videos/pres/marketing material ... I sincerely felt I had to work out the guts of DNA-Center out of a bunch of marketing talk.
I would like to have this clear to make a solid business case (a real one, with design architecture and process behind it) that will choose the correct elements and appliances for the specific client needs. Perhaps SD-Access makes sense only for companies using or willing to fully integrate ISE and TrustSec (DNA-Center has its own benefits alone, of course).