Skip to main content
Your first session is free. Claim mine
PacketMentor logo
Open menu
Home
Training
Cisco Mentorship
CCNACCNP
Short Courses
Python for Network EngineersAI for Network OperationsDevNet Associate PrepInterview Sprint
Custom Training
Corporate Training
All training →
CCNA Library (74)
Browse all CCNA topics →
Network (13)
OSI Model & TCP/IPIPv4 AddressingTCP vs UDPSubnettingIPv6 BasicsARP — Address Resolution ProtocolICMP — Internet Control Message ProtocolTCP 3-Way HandshakeCabling & Media StandardsMTU & FragmentationWAN Connection TypesHierarchical Network DesignNetwork Virtualization & Containers
Device Operations (5)
Cisco IOS Device ManagementPower over Ethernet (PoE)Cisco IOS File SystemPassword Recovery & Configuration RegisterNetwork Troubleshooting Methodology
Network Access (12)
MAC Address TableVLANsTrunks & 802.1Q TaggingSpanning Tree Protocol (STP)EtherChannel (Link Aggregation)Switching OperationCDP & LLDP — Neighbor DiscoveryBPDU Guard & Root GuardCatalyst Boot ProcessVTP — VLAN Trunking ProtocolRapid STP & MSTPPrivate VLANs (PVLAN)
Wireless (6)
Wireless LAN BasicsWLAN Architectures — Autonomous, Centralized (WLC), Cloud, EmbeddedWi-Fi Security — WEP, WPA, WPA2, WPA3Wi-Fi 6, 6E, and 7 FeaturesWireless RF FundamentalsAccess Point Operating Modes
IP Connectivity (10)
Inter-VLAN RoutingStatic RoutingDefault RoutingRouting Decision ProcessFHRP — HSRP, VRRP & GLBPLayer-3 Switch & SVI RoutingOSPF Single-AreaRoute SummarizationIPv6 SLAAC & DHCPv6IPv6 Transition Mechanisms
IP Services (11)
HSRP vs VRRP vs GLBP — FHRP ComparedDHCP — Dynamic Host Configuration ProtocolNAT & PATDNS — Domain Name SystemNTP — Network Time ProtocolSyslogQoS BasicsSNMP — Simple Network Management ProtocolIGMP & IGMP SnoopingNTP Authentication & SecurityDHCP Relay & IP Helper
Security (10)
Access Control Lists (ACLs)Port SecurityDHCP SnoopingAAA · RADIUS & TACACS+802.1X — Port-Based Network Access ControlVPN Basics — IPsec & SSLDynamic ARP Inspection (DAI)IP Source Guard (IPSG)Encryption FundamentalsCybersecurity Threats & Mitigation
Automation (7)
REST APIs for Network EngineersAnsible for Network EngineersJSON, YAML & XML for Network EngineersNETCONF & YANGPython for Network EngineersSDN & Controller-Based NetworkingAI & ML in Network Operations
CCNP Library (15)
Browse all CCNP topics → SPAN, RSPAN & ERSPAN — Port MirroringGRE TunnelsEIGRPOSPF Multi-AreaIPv6 Routing — Static & OSPFv3BGP BasicsTCP Connection StatesCisco AnyConnect / Remote Access VPNCisco ISE BasicsNetFlow & Flow-Based MonitoringgRPC & gNMI — Streaming TelemetrySD-WAN ConceptsMPLS BasicsCisco DNA Center / Catalyst CenterVRF Basics — Virtual Routing and Forwarding
LabsPricing
Contact 📞 +1 (860) 556-3010 Book a Call
← All topics
Automation & Programmability Foundational

SDN & Controller-Based Networking

Software-Defined Networking explained. Why control plane and data plane were separated, what a network controller actually does, and where Cisco DNA Center, ACI, and Meraki fit in the landscape.

TL;DR
  • SDN separates the control plane (decisions) from the data plane (forwarding). The controller is the centralized brain; switches and routers become the muscle.
  • Northbound APIs talk to applications (REST). Southbound APIs talk to devices (NETCONF, OpenFlow, gRPC, CLI).
  • Cisco-relevant SDN platforms: DNA Center (campus), ACI (data center), Meraki (cloud-managed). All built on the same separation principle.

Mental model

Traditional networks: every switch and router contains both the control plane (the brain making routing decisions, running OSPF, building forwarding tables) and the data plane (the hardware that moves packets in nanoseconds). Each device decides for itself.

This works but doesn’t scale into the “I want to change everything everywhere at once” world. Pushing a single policy change across 200 devices means logging into each.

Software-Defined Networking (SDN) moves the brains to a central controller. Devices keep their fast forwarding hardware but become “dumber” — they ask the controller (or are told by it) what to do. The controller has full visibility, applies policy from one place, and exposes APIs to applications and humans.

Apps & UI               ← REST API (northbound)

SDN Controller          ← centralized brain

Network Devices         ← NETCONF / OpenFlow / gRPC / CLI (southbound)

That’s it conceptually. The rest is variations on this separation.

Northbound vs Southbound APIs

What it isExamples
Northbound APIHow applications + humans talk to the controllerREST/JSON (“create a new VLAN everywhere”)
Southbound APIHow the controller talks to the devicesNETCONF, OpenFlow, gRPC, RESTCONF, sometimes CLI

For CCNA: know the directions (north = up to apps, south = down to devices) and at least one example of each.

Three Cisco SDN platforms you should recognize

Cisco DNA Center (campus / enterprise)

For campus networks — managing wired + wireless across an enterprise. Replaces the “log into each switch” workflow.

  • Northbound: REST API
  • Southbound: NETCONF, RESTCONF, SSH/CLI for legacy
  • Use cases: SD-Access (segmentation), policy automation, assurance/analytics
  • Replaces: APIC-EM (its predecessor)

Cisco ACI / APIC (data center)

For data centers. Different from DNA Center — uses Nexus 9000 switches and a different architecture (intent-based policy + ACI fabric).

  • APIC is the controller. Multiple APICs for HA.
  • Application-centric policy — describe what apps need, ACI figures out the network config.
  • Southbound: OpFlex protocol to leaf/spine switches.

Cisco Meraki (cloud-managed)

The controller lives in Meraki’s cloud — you manage everything through a web dashboard, with the controller hosted as SaaS.

  • No on-premises controller to manage.
  • Easy for small/distributed orgs.
  • Subscription model — controller is a service you pay for.
  • Limitations: less flexible than DNA Center / ACI for complex requirements.

For CCNA, recognize these names and the categories. Deep mastery isn’t expected at CCNA-level.

How SDN actually changes day-to-day work

Old way (per-device CLI):

ssh sw1
configure terminal
vlan 50
name USERS
exit
end
write memory
# repeat for sw2, sw3, sw4, ...

SDN way (push via controller):

POST /api/v1/networks/abc/vlans
{ "id": 50, "name": "USERS" }

One call, controller pushes to every relevant device, returns success/failure per device. Auditable, scriptable, idempotent (replay safe).

Intent vs imperative

Two styles of SDN configuration:

StyleWhat you sayExample
Imperative”Configure interface Gi0/1 with these exact commands”Traditional CLI / Ansible
Intent-based”Users in HR should be able to reach the file server”DNA Center / ACI

Intent-based is the long-term direction. You describe the desired outcome (“HR should reach file server, finance should not”). The controller figures out which ACLs, VLANs, and policies need to land on which devices to make that true. Continuously enforced.

OpenFlow — the original SDN southbound

You’ll hear about OpenFlow in textbooks. It was the protocol Stanford / ONF designed in the mid-2000s for pure SDN: the controller programs every flow-table entry on every switch.

Vendor reality: most enterprise SDN today uses NETCONF/gRPC instead. OpenFlow lingers in some research / academic contexts and a few specific products. Know the name and history; don’t expect to deploy it in production.

Common mistakes

  1. Thinking SDN = automation. They overlap but aren’t the same. You can automate without SDN (Ansible + traditional devices). You can have SDN without it being fully automated. SDN is about where the control plane lives; automation is about how config gets applied.

  2. Assuming SDN means OpenFlow. OpenFlow is one southbound protocol. Most enterprise SDN uses NETCONF, RESTCONF, gRPC, or hybrid CLI. “SDN” the concept is broader than “OpenFlow” the protocol.

  3. Expecting SDN to replace traditional skills. A senior network engineer still needs to understand BGP, OSPF, switching. SDN abstracts the work but doesn’t eliminate the need to understand what’s underneath when it breaks.

  4. Underestimating the controller as a single point of failure. A dead controller takes down policy management. Most platforms support HA controllers. Always check the controller’s failure mode in production planning.

  5. Treating Meraki as identical to DNA Center. Both are Cisco SDN, but their philosophies differ. Meraki = simple, cloud-managed, less flexible. DNA Center = on-prem, more powerful, steeper learning curve. Match to the use case.

  6. Skipping APIs because “I’m a network engineer, not a programmer.” Modern SDN demands API literacy. Curl + JSON + basic Python is the new RJ45 + console cable. Learn it — it’s not optional anymore.

Lab to try tonight

Use a Cisco DevNet Always-On DNA Center sandbox (no reservation required):

  1. Visit devnetsandbox.cisco.com, find the DNA Center Always-On sandbox. Note the URL and credentials.
  2. Open Postman or use curl. Authenticate to get a token:
curl -X POST https://sandboxdnac.cisco.com/dna/system/api/v1/auth/token \
  -u devnetuser:Cisco123! \
  -H "Content-Type: application/json"
  1. Use the token to list network devices:
curl -H "X-Auth-Token: <token>" \
  https://sandboxdnac.cisco.com/dna/intent/api/v1/network-device
  1. Get a JSON response listing every device DNA Center manages — model, serial, IOS version, uptime.
  2. Explore the API docs at developer.cisco.com/dnacenter — list interfaces, VLANs, etc.
  3. Bonus: write a Python script that pulls all device hostnames + IPs and prints a CSV report.

Cheat strip

ConceptPlain English
SDNSoftware-Defined Networking — separate control from data plane
ControllerThe brain — makes decisions, exposes APIs
Northbound APIApp/UI → controller — usually REST
Southbound APIController → devices — NETCONF, OpenFlow, gRPC, CLI
DNA CenterCisco’s campus / enterprise SDN platform
ACI / APICCisco’s data center SDN platform (Nexus + APIC)
MerakiCisco’s cloud-managed SDN — no on-prem controller
Intent-basedDescribe outcome, controller figures out config
OpenFlowOriginal SDN southbound — academic now
Single point of failureController HA matters in production
← Previous topic

Python for Network Engineers

Why Python is the de-facto language for network automation, plus the four libraries you'll actually use — Netmiko (SSH), NAPALM (vendor-agnostic), Nornir (parallel runner), and requests (REST APIs).
Next topic →

gRPC & gNMI — Streaming Telemetry

The modern alternative to SNMP polling. Devices stream structured data continuously to a collector over gRPC. Covers gNMI for config and monitoring, why streaming beats polling, and what's replacing SNMP in real networks.
Master this on a real network

Want this drilled into reflex?

1:1 weekly sessions, live feedback on your labs, and US interview prep — built around the CCNA® exam blueprint. Free first session. No card on file until you decide.

Claim my free session →

Related topics

Automation & Programmability

Ansible for Network Engineers

Push configuration to dozens of Cisco devices from one YAML playbook. Covers inventory, modules, idempotency, and why Ansible became the default automation tool for network teams who don't want to write a custom Python script for every change.

 Automation & Programmability

NETCONF & YANG

The structured-data alternative to SSH-and-screen-scrape. Covers how NETCONF moves XML configs over SSH, what YANG models are, and where they fit alongside REST APIs in modern network automation.

 Automation & Programmability

REST APIs for Network Engineers

Modern Cisco devices expose REST APIs so you can configure them with HTTP requests and JSON instead of SSH and screen-scraping. Covers verbs (GET/POST/PUT/DELETE), authentication, data formats, and where REST fits in network automation.

One topic per email, every fortnight

VLANs, OSPF, ACLs, subnetting, automation — written like this. Unsubscribe in one click.

We respect your inbox. One email per week, max. Unsubscribe any time.

Start typing — or browse popular topics below.

↑↓ navigate open Searches topics · labs · programs · pages