BRKENS-2810 SDA Fundamentals
• Why Cisco SD-Access?
• Roles and Terminology
• Fabric Fundamentals
BRKENS-2810 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Cisco SD-Access LISP Fabric
Industry Leading Campus Architecture
[Figure: Cisco SD-Access managed by Cisco Catalyst Center; modern, open and scalable fabrics built on IETF standards-based protocols; deployed in Enterprise, Healthcare, Education, Financial, Public Sector, Manufacturing, Hospitality, Media, Transportation and Retail.]
Flexible Fabric Options Tailored to Customer Outcomes!
• Cisco SD-Access with LISP Control Plane and VXLAN Data Plane.
• Cisco SD-Access with BGP EVPN Control Plane and VXLAN Data Plane.
One Infrastructure | Single Dataplane | Consistent Zero-Trust Experience
Why Cisco SD-Access?
Traditional Networking Challenges
[Figure: Network Deployment Challenges versus Network Security Challenges, scored across Resources, Network Infrastructure and Devices for Switching, Routers and Wireless.]
Cisco Software-Defined Access
Intent-Based Networking
• Cisco Catalyst Center: Policy, Automation, Assurance.
• One Automated Network Fabric: single fabric for wired and wireless with full automation.
• Identity-Based Policy and Segmentation: policy definition decoupled from VLAN and IP address.
• AI-Driven Insights and Telemetry: analytics and visibility into user and application experience.
[Figure: fabric with Border (B), Control Plane (C) and Edge (E) nodes connected to the Outside, showing SD-Access Extension and Client Mobility (policy follows the user).]
Cisco Software-Defined Access
Zero Trust for Network and Cloud Security
• Grant the right level of network access to users and devices.
• Shrink zones of trust and grant access based on least privilege.
• Automate containment of questionable or malicious endpoints.
Benefits of Cisco Software-Defined Access
• Enhance Security and Compliance.
• Deliver Consistent Experience.
Roles and Terminology
1. Concepts
2. SD-Access Roles
3. Fabric Constructs
What is a Network Fabric?
What is an Overlay?
• An Overlay network is a logical topology used to virtually connect devices, built over an arbitrary physical Underlay topology.
• Examples of overlay technologies: GRE, MPLS, IPsec, CAPWAP, LISP, VXLAN, BGP EVPN, SD-WAN, ACI, OTV.
Why an Overlay?
• Underlay is simple and manageable.
What is a Fabric Site?
• An instance of an SD-Access Fabric.
• Typically defined by disparate geographical locations, but not always.
• Can also be defined by:
  • Endpoint scale.
  • Failure domain scoping.
  • RTT.
  • Underlay connectivity attributes.
• Typically interconnected by a “Transit”.
[Figure: Fabric Site 1, Fabric Site 2 … Fabric Site N interconnected by a Transit.]
Roles and Terminology: SD-Access Roles
Cisco SD-Access Roles
Mandatory Components
• Cisco Catalyst Center – GUI and APIs for intent-based automation of wired and wireless fabric devices.
• Fabric Border Nodes – A fabric device that connects external L3 and L2 networks to the Cisco SD-Access fabric.
• Edge Nodes – A fabric device that connects wired endpoints to the Cisco SD-Access fabric and optionally enforces micro-segmentation policy.
• Control Plane Node – The LISP Map System (Map-Server/Map-Resolver) that tracks endpoint to fabric node (EID to RLOC) relationships.
Cisco SD-Access Roles
Optional Components
• Identity Services Engine – Highly recommended. NAC and identity services for dynamic endpoint to Security Group Tag mapping and policy distribution.
• Fabric Wireless Controller and Fabric APs – Highly recommended. Connects wireless endpoints to the SD-Access fabric.
Cisco SD-Access Roles
Some of the Supported Co-locations
• Border Node, Control Plane Node, Fabric Edge Node, and Embedded Wireless Controller.
SD-Access Design Aides
• Cisco Validated Design: https://cs.co/sda-cvd
• Design Tool (use Chrome): http://cs.co/sda-design-tool
Cisco SD-Access Fabric
• Control Plane Node maintains a Host and Network Tracking Database.
• Edge Node provides first hop services for endpoints.
• Border Node is the Fabric Site entry and exit for network traffic.
• Fabric Enabled Wireless provides unified management, policy and data planes.
[Figure: an endpoint with IP 1.2.3.4/32 and MAC AA:BB:CC:DD attached to Edge Node EN1; traffic leaving and entering the fabric site passes through the Border Node.]
Roles and Terminology: Fabric Constructs
Cisco SD-Access Fabric
Virtual Networks
• Layer 3 Virtual Networks use VRFs and LISP Instance IDs to maintain separate routing topologies.
• Endpoint IDs (IPv4/IPv6 addresses) are routed within an L3VN.
[Figure: Layer 3 Virtual Networks.]
Cisco SD-Access Fabric
Per-Layer-3-Virtual-Network Layer 3 Handoff
• A “Peer Device” may leak external routes into SD-Access Layer 3 Virtual Networks.
• Alternatively, maintain VRF segmentation outside of the SD-Access Fabric with a VRF-aware external routing domain.
• Peer Device is outside the fabric. Can be any platform (Router, Layer 3 switch, Firewall, etc.) with appropriate capabilities.
[Figure, left: Border Node with LISP instances for VRF A and VRF B, one SVI per VRF (SVI X, SVI Y, SVI Z) and one MP-BGP session per address family (AF IPv4 in the GRT, AF VRF A, AF VRF B) to subinterfaces G0/0/0.X, G0/0/0.Y and G0/0/0.Z on the Peer Device. Figure, right: the same handoff through a LISP Extranet Provider VN (VRF X, SVI X), with VRF A and VRF B as Extranet Subscribers and a single AF IPv4 MP-BGP session over G0/0/0 to the Peer Device.]
Cisco SD-Access Fabric
Layer 2 Handoff
Cisco SD-Access Fabric
• A Security Group Tag assigns a “Group” to each endpoint.
• Host Pools define a default gateway and basic IP services for endpoints.
• Anycast Gateway provides a default gateway for IP-capable endpoints.
• Host Pools are “stretched” via the Overlay (IP-to-RLOC and MAC-to-RLOC address resolution).
• Accommodates any physical network topology.
[Figure: endpoints 1.2.0.22/16 and 1.2.255.33/16 in the same host pool attached to different Edge Nodes.]
Cisco SD-Access Fabric
Layer 2 Virtual Networks
disabled.
• Often referred to as “Gateway Outside the Fabric”.
• If Layer 2 Flooding is enabled, a Multicast underlay P2MP tunnel is established between all Fabric Nodes.
[Figure: one VLAN spanning three Fabric Nodes with endpoint MACs 1.1.1, 2.2.2 and 3.3.3; the gateway sits outside the fabric.]
Fabric Fundamentals
1. Control Plane
2. Data Plane
3. Policy Plane
Cisco SD-Access Fabric
• Control Plane: LISP
  • Locator/ID Separation Protocol.
  • IETF Standards Track RFC 9299 to RFC 9306 and RFC 9347.
  • IETF LISP Drafts.
LISP in Cisco SD-Access
[Figure: the External Border Node holds the external routes 0.0.0.0/0, 10.0.0.0/8, 192.168.0.0/16, etc.]
Fabric Operation
Default ETR Registration
• The External Border Node learns external routes (0.0.0.0/0, 10.0.0.0/8, 192.168.0.0/16, etc.) via BGP or static routes.
• The Border Node registers itself with the Control Plane Node as the Default ETR for each Layer 3 Virtual Network (the gateway of last resort), one registration per Instance ID.

Border Node table (before registration):
Destination | IID | Next Hop
Default ETR | 1001 | --
Default ETR | 1002 | --

Control Plane Node table (after registration):
Destination | IID | Next Hop
Default ETR | 1001 | BN1
Default ETR | 1002 | BN1

Edge Node Bootstrap
• Edge Nodes join the fabric and learn the Default ETR (BN1) for each Layer 3 Virtual Network from the Control Plane Node, so traffic to destinations the fabric does not know about has somewhere to go before any endpoint has registered.
Fabric Operation
Endpoint Registration
• Endpoint A (1.1.1.1, 2001::1, MAC A) attaches to EN1 and Endpoint B (2.2.2.2, 2001::2, MAC B) attaches to EN3.
• Each Edge Node sends a Register for its directly attached endpoints to the Control Plane Node; locally attached endpoints appear in the Edge Node's own table with no next hop (for example 2.2.2.2 | 1001 | -- on EN3).
• The Control Plane Node returns a Notification to the registering Edge Node and Publishes the new mappings to the Border Nodes.

Control Plane Node table:
Destination | IID | Next Hop
Default ETR | 1001 | BN1
1.1.1.1 | 1001 | EN1
2.2.2.2 | 1001 | EN3

Border Node table (after Publish):
Destination | IID | Next Hop
1.1.1.1 | 1001 | EN1
2.2.2.2 | 1001 | EN3
Fabric Operation
South to North Traffic
• Endpoint B on EN3 sends a packet with Src 2.2.2.2 and Dst 8.8.8.8.
• EN3 has no map-cache entry for the destination and asks the Control Plane Node: “Where is 8.8.8.8?”
• 8.8.8.8 is not a registered endpoint, so the Control Plane Node answers with a Negative Map Reply covering 8.0.0.0/7.
• EN3 caches the negative entry and forwards the traffic to the Default ETR (BN1), which routes it out of the fabric using its external routes (0.0.0.0/0, 10.0.0.0/8, 192.168.0.0/16, etc.).
Fabric Operation
East to West Traffic
• Endpoint B on EN3 sends a packet to 1.1.1.1.
• EN3 asks the Control Plane Node: “Where is 1.1.1.1?” and receives the Map Reply “1.1.1.1 is at EN1”.
• EN3 caches the mapping and encapsulates the traffic directly to EN1 across the underlay; the Border Node is not in the path.
Related sessions: BRKENS-2828, BRKENS-2833.
Advantages of LISP
• Optimised resource usage on Edge Nodes: “pull” only the information needed, like DNS. By comparison, BGP pushes all routing information to all Edge Nodes.
• Underlay network is simple and stable: IGP routing from Border Node to Edge Node, maybe PIM. No L2, no VLANs, no link bundling, no STP, no MPLS.
• Unified wired and wireless data plane and policy plane.
• No wireless concentrator bottleneck = higher throughput.
• Receive future innovations in later SD-Access + IOS XE releases.
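The Fabric Operation walkthrough above (Default ETR registration, Edge Node bootstrap, endpoint registration with publication to the border, the south-to-north negative reply and the east-to-west map reply) and the "pull, like DNS" point in Advantages of LISP can be replayed in a few dozen lines. The model below is an added example written for this page, not Cisco's implementation: node names EN1, EN3 and BN1, Instance ID 1001 and the endpoint addresses are taken from the slides, while the EID-prefix space the Control Plane Node treats as fabric-internal (and therefore the class structure around it) is an assumption, chosen so that the negative reply comes out as the 8.0.0.0/7 shown on the slide.

```python
"""Model of the LISP pull-based control plane walked through on the Fabric
Operation slides. Added for this page; not Cisco code. EN1/EN3/BN1, IID 1001
and the endpoint addresses come from the slides; the EID-prefix space below
is an assumption."""
from ipaddress import ip_address, ip_network


def negative_prefix(dst, eid_prefixes):
    """Coarsest prefix that contains dst but overlaps no registered EID prefix.
    A Negative Map-Reply carries this 'hole', so the edge caches one entry for
    the whole external range instead of one entry per external host."""
    for plen in range(dst.max_prefixlen + 1):
        candidate = ip_network(f"{dst}/{plen}", strict=False)
        if not any(candidate.overlaps(p) for p in eid_prefixes):
            return candidate
    return ip_network(f"{dst}/{dst.max_prefixlen}")


class ControlPlaneNode:
    """Map-Server/Map-Resolver: the host and network tracking database."""

    def __init__(self, eid_prefixes):
        self.eid_prefixes = [ip_network(p) for p in eid_prefixes]
        self.db = {}           # (iid, host EID) -> RLOC, e.g. (1001, 1.1.1.1) -> 'EN1'
        self.default_etr = {}  # iid -> RLOC of the border registered as gateway of last resort
        self.subscribers = {}  # iid -> nodes that receive publications (border nodes)

    def register_default_etr(self, iid, rloc):
        self.default_etr[iid] = rloc

    def subscribe(self, iid, node):
        self.subscribers.setdefault(iid, []).append(node)

    def register(self, iid, eid, rloc):
        """Register from an ETR; the new mapping is published to subscribers."""
        self.db[(iid, ip_address(eid))] = rloc
        for node in self.subscribers.get(iid, []):
            node.publish(iid, eid, rloc)

    def map_request(self, iid, dst):
        """Map-Reply with the RLOC, or Negative Map-Reply with a hole prefix."""
        dst = ip_address(dst)
        rloc = self.db.get((iid, dst))
        if rloc is not None:
            return "map-reply", ip_network(f"{dst}/{dst.max_prefixlen}"), rloc
        same_af = [p for p in self.eid_prefixes if p.version == dst.version]
        return "negative-map-reply", negative_prefix(dst, same_af), None


class FabricNode:
    """Edge or border node: an xTR whose map-cache is filled on demand."""

    def __init__(self, name, cp):
        self.name, self.cp = name, cp
        self.map_cache = {}    # (iid, prefix) -> RLOC, or None = send to Default ETR
        self.default_etr = {}  # iid -> RLOC learned at bootstrap
        self.map_requests = 0  # lookups sent to the CP node: the 'pull' in action

    def bootstrap(self, iid):
        self.default_etr[iid] = self.cp.default_etr[iid]

    def publish(self, iid, eid, rloc):
        """Border nodes receive host mappings via publication."""
        self.map_cache[(iid, ip_network(eid))] = rloc

    def register(self, iid, eid):
        self.cp.register(iid, eid, self.name)

    def next_hop(self, iid, dst):
        """RLOC to encapsulate to; resolves via the CP node on a cache miss."""
        dst = ip_address(dst)
        hits = [(p, r) for (i, p), r in self.map_cache.items() if i == iid and dst in p]
        if not hits:
            self.map_requests += 1
            _, prefix, rloc = self.cp.map_request(iid, dst)
            self.map_cache[(iid, prefix)] = rloc   # a negative entry caches the whole hole
            hits = [(prefix, rloc)]
        rloc = max(hits, key=lambda h: h[0].prefixlen)[1]   # longest-prefix match
        return rloc if rloc is not None else self.default_etr.get(iid)


def demo():
    """Replay the slides' sequence and return what each step produced."""
    # Assumed host-pool space for IID 1001; the slides do not show this table.
    cp = ControlPlaneNode(["1.0.0.0/8", "2.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16"])
    bn1, en1, en3 = (FabricNode(n, cp) for n in ("BN1", "EN1", "EN3"))
    iid = 1001
    cp.register_default_etr(iid, "BN1")        # Default ETR registration
    cp.subscribe(iid, bn1)                     # border subscribes to publications
    for edge in (en1, en3):
        edge.bootstrap(iid)                    # Edge Node bootstrap
    en1.register(iid, "1.1.1.1")               # Endpoint registration
    en3.register(iid, "2.2.2.2")
    return {
        "north": en3.next_hop(iid, "8.8.8.8"),        # hole -> Default ETR
        "east": en3.next_hop(iid, "1.1.1.1"),         # Map-Reply -> EN1
        "north_again": en3.next_hop(iid, "8.8.4.4"),  # served from the cached hole
        "hole": str(cp.map_request(iid, "8.8.8.8")[1]),
        "map_requests": en3.map_requests,
        "bn1_cache": {str(p): r for (_, p), r in bn1.map_cache.items()},
    }


if __name__ == "__main__":
    print(demo())
```

Two things the slides state but do not show are visible here: EN3 sends exactly two Map-Requests for three flows because the 8.0.0.0/7 negative entry answers the second external destination from cache, and BN1 never asks for anything because host mappings are published to it.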
Fabric Fundamentals: Data Plane
Cisco SD-Access Fabric
1. Control Plane: LISP
2. Data Plane: VXLAN
• The original packet (Ethernet | IP | Payload) is carried unchanged inside a VXLAN encapsulation: outer Ethernet | outer IP | UDP | VXLAN | original Ethernet | IP | Payload.
• Supports L2 and L3 overlays.
[Figure, VXLAN encapsulation fields: outer Ethernet header (Next-Hop MAC Address); outer IP header (Source IP, 32 bits = Src RLOC IP Address; Dest. IP, 32 bits = Dst RLOC IP Address); UDP header, 8 bytes (Source Port 16 bits, Checksum); VXLAN header (Segment ID 16 bits, VN ID 24 bits which allows 16M possible VRFs, Reserved 8 bits); Original Payload.]
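The header diagram is easier to reason about as bytes. The following is an added example written for this page, not Cisco code: it builds and parses the 8-byte VXLAN header with the 16-bit Segment ID (the SGT) and 24-bit VN ID from the figure, wrapped in the outer IPv4 and UDP headers between two RLOCs. Bit positions follow the VXLAN Group Policy Option draft (G bit 0x80 and I bit 0x08 in the first byte); the outer Ethernet header is left out, and the RLOC addresses, VNI, SGT and inner frame are made up for the example.

```python
"""VXLAN-GPO encapsulation as drawn on the header slide. Added example for this
page, not Cisco code. RLOCs, VNI, SGT and the inner frame are constructed."""
import socket
import struct

VXLAN_PORT = 4789  # IANA-assigned UDP destination port for VXLAN
FLAG_I = 0x08      # VNI present; must be set on every valid VXLAN header
FLAG_G = 0x80      # Group Policy ID (Segment ID / SGT) present

INNER_FRAME = (b"\xaa\xbb\xcc\xdd\xee\xff"   # constructed inner destination MAC
               b"\x00\x11\x22\x33\x44\x55"   # constructed inner source MAC
               b"\x08\x00"                   # EtherType IPv4
               b"<inner IP packet bytes>")   # constructed placeholder payload


def vxlan_gpo_header(vni, sgt):
    """8 bytes: flags | reserved | 16-bit Segment ID | 24-bit VNI | 8 reserved."""
    if not 0 <= vni < (1 << 24) or not 0 <= sgt < (1 << 16):
        raise ValueError("VNI is 24 bits, SGT is 16 bits")
    return struct.pack("!BBHI", FLAG_G | FLAG_I, 0, sgt, vni << 8)


def parse_vxlan_gpo(header):
    """Return (vni, sgt); sgt is None when the G bit says no Segment ID is present."""
    flags, _, sgt, vni_res = struct.unpack("!BBHI", header[:8])
    if not flags & FLAG_I:
        raise ValueError("VXLAN I flag not set: VNI is not valid")
    return vni_res >> 8, (sgt if flags & FLAG_G else None)


def _ipv4_checksum(hdr):
    """RFC 1071 one's-complement sum over the outer IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(inner_frame, src_rloc, dst_rloc, vni, sgt):
    """outer IPv4 | UDP | VXLAN-GPO | inner Ethernet frame (outer Ethernet omitted)."""
    vx = vxlan_gpo_header(vni, sgt)
    udp_len = 8 + len(vx) + len(inner_frame)
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, udp_len, 0)  # UDP checksum left at 0
    ip_no_sum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                            socket.inet_aton(src_rloc), socket.inet_aton(dst_rloc))
    ip = ip_no_sum[:10] + struct.pack("!H", _ipv4_checksum(ip_no_sum)) + ip_no_sum[12:]
    return ip + udp + vx + inner_frame


def decapsulate(packet):
    """Validate the outer headers; return (src_rloc, dst_rloc, vni, sgt, inner_frame)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or packet[9] != 17:
        raise ValueError("expected an IPv4/UDP outer header")
    if _ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    _, dport, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dport != VXLAN_PORT:
        raise ValueError("not VXLAN: UDP destination port %d" % dport)
    vx_start = ihl + 8
    vni, sgt = parse_vxlan_gpo(packet[vx_start:vx_start + 8])
    return src, dst, vni, sgt, packet[vx_start + 8:ihl + udp_len]


def demo():
    """Round-trip a frame between two RLOCs, then corrupt the outer header."""
    pkt = encapsulate(INNER_FRAME, "10.10.0.1", "10.10.0.3", vni=4099, sgt=5)
    bad = bytearray(pkt)
    bad[8] ^= 0x01          # flip a bit in the outer TTL: checksum no longer matches
    try:
        decapsulate(bytes(bad))
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {"packet_len": len(pkt), "decap": decapsulate(pkt),
            "tamper_rejected": tamper_rejected}


if __name__ == "__main__":
    print(demo())
```

Note what the parser does not check: nothing in the encapsulation authenticates the Segment ID or the VNI, so a decapsulating node trusts whatever tag arrives. That is why the RLOC (underlay) address space must not be reachable from endpoints; an endpoint that can send UDP/4789 to an RLOC could choose its own SGT.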
Fabric Fundamentals: Policy Plane
Cisco SD-Access Fabric
1. Control Plane: LISP
2. Data Plane: VXLAN
3. Policy Plane: Group-Based Policy
What is a Security Group Tag and Group-Based Policy?
• Endpoints are authenticated and classified into groups, for example Camera (SGT 5), Lighting (SGT 20) and HVAC (SGT 30).
• The SGT travels with the traffic (the Segment ID in the VXLAN header), so policy is evaluated on the source group and the destination group (for example, Destination = SGT 20) rather than on VLANs or IP addresses.
SD-Access Policy
• Macro-Segmentation (Layer 3 Virtual Networks) and Micro-Segmentation (Security Group Tags within a Virtual Network).
• Access Contracts: a contract between a Source Group and a Destination Group, defined in Catalyst Center and ISE, made of a CLASSIFIER (what traffic) and an ACTION (what to do with it).
• Group-Based Access Control.
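How the two layers of policy compose at enforcement time is worth seeing in code. This added example is written for this page and is not Catalyst Center or ISE logic: the SGT numbers Camera (5), Lighting (20) and HVAC (30) are the ones on the slides, while the Virtual Network names, the contracts, the extranet pair and the sample flows are constructed for illustration. The evaluation order (Virtual Network first, then the source/destination SGT contract, then the matrix default) is the general principle the slides describe; a real deployment also has to decide the matrix default, and the example shows why that choice matters.

```python
"""Group-based policy evaluation: macro-segmentation by Virtual Network, then
the SGT-to-SGT access contract (classifier + action). Added example for this
page, not Cisco code. SGTs 5/20/30 come from the slides; VN names, contracts
and flows are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_vn: str      # Layer 3 Virtual Network of the source endpoint
    dst_vn: str      # Layer 3 Virtual Network of the destination endpoint
    src_sgt: int     # tag carried in the VXLAN header
    dst_sgt: int     # tag of the destination endpoint, known to the enforcing node
    proto: str       # "tcp", "udp" or "icmp"
    dst_port: int = 0


ANY = (None, None)   # classifier wildcard: any protocol, any port

# Access contracts keyed by (source SGT, destination SGT); entries are an
# ordered list of (classifier, action). Constructed for the example.
CONTRACTS = {
    (5, 20): [(("tcp", 443), "permit"), (ANY, "deny")],   # Camera -> Lighting: HTTPS only
    (30, 30): [(ANY, "permit")],                          # HVAC -> HVAC: open within the group
}

# Virtual Network pairs allowed to talk through a LISP extranet. Constructed.
EXTRANET = {("IOT", "SHARED")}


def matches(classifier, flow):
    proto, port = classifier
    return (proto is None or proto == flow.proto) and (port is None or port == flow.dst_port)


def evaluate(flow, contracts=CONTRACTS, extranet=EXTRANET, default="deny"):
    """Return (action, reason). Note that no IP address takes part in the
    decision: the policy follows the user/device wherever it attaches."""
    if flow.src_vn != flow.dst_vn and (flow.src_vn, flow.dst_vn) not in extranet:
        return "deny", "macro-segmentation: different Virtual Networks"
    for classifier, action in contracts.get((flow.src_sgt, flow.dst_sgt), []):
        if matches(classifier, flow):
            return action, f"contract {flow.src_sgt}->{flow.dst_sgt} {classifier}"
    return default, "matrix default"


def demo():
    """Evaluate constructed flows under a deny-default and a permit-default matrix."""
    flows = {
        "camera_https_to_lighting": Flow("IOT", "IOT", 5, 20, "tcp", 443),
        "camera_ssh_to_lighting": Flow("IOT", "IOT", 5, 20, "tcp", 22),
        "camera_bacnet_to_hvac": Flow("IOT", "IOT", 5, 30, "udp", 47808),  # no contract
        "camera_to_corp_vn": Flow("IOT", "CORP", 5, 20, "tcp", 443),       # cross-VN
        "camera_to_shared_vn": Flow("IOT", "SHARED", 5, 20, "tcp", 443),   # extranet pair
    }
    return {
        "deny_default": {name: evaluate(f)[0] for name, f in flows.items()},
        "permit_default": {name: evaluate(f, default="permit")[0] for name, f in flows.items()},
    }


if __name__ == "__main__":
    for matrix, results in demo().items():
        print(matrix, results)
```

The Camera to HVAC flow is the one to look at: with no contract between SGT 5 and SGT 30 its fate is decided entirely by the matrix default, so a permit-default matrix (common while a deployment is still being classified) silently allows it even though nobody wrote a policy for it.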
Multiple Fabrics
Transits, VN and SGT Preservation
IP-Based Transit
• Per-Layer-3-Virtual-Network eBGP peering to the external routing domain, or LISP Extranet Provider VN eBGP peering to the external routing domain.
• SGT propagation outside of the fabric requires suitable hardware and software; where the transit cannot carry the tag, the destination fabric cannot enforce group-based policy on it.
[Figure: Fabric1, Fabric2 … FabricN connected over an IP transit, with one eBGP session per Virtual Network (VN1, VN2, VN3).]
SD-WAN Transit
• Cisco SD-WAN between Fabric Sites.
• Capable of preserving Layer 3 Virtual Networks and SGTs.
• Dedicated SD-WAN Edge for design flexibility, Border Node port densities and port speeds. See Independent Domains PDG.
[Figure: Fabric1, Fabric2 … FabricN connected through SD-WAN Edges over the IP transit.]
Conclusion
• Cisco SD-Access provides one interface for Fabric Automation, Identity-Based Policy, Segmentation, AI-Driven Insights and Assurance.
Thank you