Fabric Comparison

  • 27 March 2019
  • 6 replies

I am looking for an Extreme Document comparing the Extreme "Automated Campus Fabric" with Cisco's "SD Access Fabric" and Aruba's "Dynamic Segmentation Fabric".

Does Extreme have such a comparison available that can be shared with the community?
It would be very useful when positioning the solution against the others.


Competitive info like that is usually not public facing. But it does exist.

I recommend reaching out to your local Extreme sales team in the area you work out of. If you don't know them, send me a DM and I can point you in the right direction.

Hi Andre,

Have a look at SD Access Fabric Deployment Guide: https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Campus/CVD-Software-Defined-Access-Deployment-Guide-Sol1dot2-2018OCT.pdf
For me it seems to be a bit overkill with tons of things around, but it's just a quick peek. I'd like to see it live though. From some old notes I remember they had a root-bridge approach for Multicast, which is farther from optimal IMO. Also, at the time it was just for L2 services.
I didn't see Aruba's 'Dynamic Segmentation Fabric', just 'Dynamic Segmentation', which seems to be something else...?
IMO SPB + Extreme's enhancements is really a gamechanger, but gotta evangelize on this. ;)

I have experience with both SDA and the Automated Campus. They can both pretty much accomplish the same things. The DNAC user interface is nice and easy to use, but you can only manage your user access with it. Anything done in your DC / server side will have to be managed with Prime or ACI. You will have to also jump back and forth between ISE and DNAC.

There is a lot of automation, but also a lot of manual work. When leaking routes between tenants / VRFs, DNA exposes each VRF through a VLAN and you have to do manual BGP route leaking. You can do this with accept policies in SPB. 

As mentioned earlier, the SDA fabric does not extend to your DC gear; let’s use Nexus switches as an example. The best practice is to use BGP and MPLS to segment the data and route across the two solutions. The nice thing about SPB here is it’s one fabric.

With most of the Catalyst switches, the overlay fabric (VXLAN, LISP) extends right to the edge. Some of the smaller switches work like Extreme Fabric Attach. With the Extreme solution, the fabric ends at the core / aggregation and uses Fabric Attach / LLDP to automate VLAN segmentation / provisioning. Cisco automatically builds an underlay for you using point-to-point IP links with IS-IS routing, and a VXLAN / LISP overlay with Anycast gateways. Extreme uses 802.1aq for everything. I don’t know how much automation you get out of ZTP+, but the Cisco stuff is plug in and walk away.

The SDA solution uses Anycast gateways, so your first hop is always your gateway. With Automated campus, your aggregation is where everything is routed.

From a security policy perspective, they both do pretty much the same thing. Ex. IT staff in “x” AD group can SSH to “y” server group. HR employees can only access applications on servers “z”. From a certificate management perspective for multi-domain systems, it seems like Cisco ISE can handle it better, but I understand Extreme has a way of doing it and will possibly be enhancing this based on a discussion on the “AAA / RADIUS” forum.

From a hardware requirements and cost perspective:


  • Extreme VOSS switches for the fabric core
  • Extreme EXOS switch for policy-based edge
  • XMC for management
  • Analytics if you want the intelligence to feed into control
  • I don’t believe there is any cost associated with standing up NAC servers and adding them to XMC
  • Everything is virtualized on ESX or HyperV
  • Endpoint licensing for control and posture, as well as analytics
  • Support costs

  • Catalyst switches for Border controller / control plane (prob. Cat 9500)
  • Catalyst edge nodes (prob. Cat 9300s)
  • You can do a fabric in a box for small sites (Cat 9300 for border / control / edge)
  • Fusion Routers (ISRs used when integrating with your DC or extending across WAN)
  • DNAC controllers (require 3)
  • Cisco ISE (can be virtualized, but cost per ISE VM)
  • Stealthwatch for analytics
  • Endpoint licensing (I believe the DNAC licensing now includes your ISE licensing for endpoints)
  • Subscription cost per switch (3 years included with switch, then you renew annually)
  • Support costs

Overall the Cisco UI is nicer and the ZTP / LAN Automation are nice. It’s still pretty new, so you will run into bugs, so make sure you use TAC and have a support contract. Not a single pane of glass solution. For Extreme, the SPBM fabric is rock solid; I haven’t had a single outage. True single pane of glass for entire solution. Would like to see the ZTP function enhanced and maybe clean up the device maps because it just mashes everything together when you have too many devices.


This is my understanding and experience. I’m sure there are more knowledgeable people here who can correct some of my explanations.



Are there limitations on your SD Lan product when it comes to ISE integration? Already have ISE and ACI, would like to know if we would run into any functionality issues with your product.

You will be able to authenticate devices and Cisco has validated EXOS for everything but MDM and TrustSec (https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/compatibility_doc/b_ise_sdt_27.html#thirdpartyaccessswitches).

What features were you planning on using?