
Cisco Software-Defined Access Solution Fundamentals
A Look Under the Hood

Jerome Dolphin, Technical Marketing Engineer
CCIE#17805 (R&S, SEC), CCDE#2013::3

BRKENS-2810
Agenda
• Why Cisco SD-Access?
• Roles and Terminology
• Fabric Fundamentals
• Multiple Fabrics
• Conclusion

BRKENS-2810 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Cisco SD-Access LISP Fabric
Industry Leading Campus Architecture

Deployments and momentum: 3674+ deployments (30% YoY growth), 19K+ sites, 1.7M+ devices.
Key use case coverage: 70% wireless.
Top verticals: Government, Finance, Professional Services, and Manufacturing.
Regions: EMEA 52%, Americas 28%, APJC 20%.
Modern, Open and Scalable Fabrics
IETF Standard based Protocols

Cisco Catalyst Center automates Cisco SD-Access on Cisco Catalyst 9000 with a choice of two fabrics: the LISP Fabric (Cisco's lead motion) and the BGP EVPN Fabric.

Verticals: Enterprise, Healthcare, Education, Financial, Public Sector, Manufacturing, Hospitality, Media, Transportation, Retail.
Flexible Fabric Options Tailored to Customer Outcomes!

Cisco SD-Access with LISP Control Plane and VXLAN Data Plane (LISP Fabric, Cisco's lead motion):
• Network Simplification: lightweight, extensible, massive scale with rapid convergence. Single overlay for wired and wireless.
• Mobility First Requirement: Fabric Integrated Wireless, L2 Mobility, enhanced wireless performance.
• Segmentation: Zero-Trust Architecture with Unified Wired and Wireless Policy.

Cisco SD-Access with BGP EVPN Control Plane and VXLAN Data Plane:
• One Fabric Architecture (Campus and DC): operational ease with a single familiar protocol.
• Multi-vendor interoperability: vendor-agnostic solution with unique Cisco differentiators.

One Infrastructure | Single Dataplane | Consistent Zero-Trust Experience
Why Cisco SD-Access?

Traditional Networking Challenges
• Network Deployment Challenges
• Network Security Challenges
• Wireless and Wired Challenges
• Network Operations Challenges
(Figure: resources, network infrastructure and devices (switching, routers, wireless), each covered by a mix of ✓ and ✕ marks.)
Cisco Software-Defined Access
Intent-Based Networking
• One Automated Network Fabric: single fabric for wired and wireless with full automation, driven by Cisco Catalyst Center (Policy, Automation, Assurance).
• Identity-Based Policy and Segmentation: policy definition decoupled from VLAN and IP address.
• AI-Driven Insights and Telemetry: analytics and visibility into user and application experience.
• Client Mobility: policy follows the user.
(Figure: Border Nodes (B), Control Plane Node (C) and Edge Nodes (E), an SD-Access Extension, and the Outside network.)
Cisco Software-Defined Access
Zero Trust for Network and Cloud Security
• Visibility: grant the right level of network access to users and devices.
• Segmentation: shrink zones of trust and grant access based on least privilege.
• Containment: automate containment of questionable or malicious endpoints.

Visibility, Segmentation and Containment are explored further in BRKENS-2819.
Benefits of Cisco Software-Defined Access
• Enhance Security and Compliance
• Deliver Consistent Experience
• Boost Operational Effectiveness
• Gain Network Insights
Roles and Terminology
1. Concepts
2. SD-Access Roles
3. Fabric Constructs

What is a Network Fabric?
• Transports data from source to destination.
• Mesh of connections between network devices.
• Usually refers to a virtualized, automated lattice of overlay connections.
• May (uncommonly) refer to physical wiring of a network.
What is an Overlay?
• An Overlay network is a logical topology used to virtually connect devices, built over an arbitrary physical Underlay topology.
• Examples of overlay technologies: GRE, MPLS, IPsec, CAPWAP, LISP, VXLAN, BGP EVPN, SD-WAN, ACI, OTV.
Why an Overlay?
• Underlay is simple and manageable.
• Maximize network reliability.
• Services - deliver using overlay.
• Mobility - map endpoints to edges.
• Scalability - reduce protocol state.
• Flexible and programmable.
What is a Fabric Site?
• An instance of an SD-Access Fabric.
• Typically defined by disparate geographical locations, but not always.
• Can also be defined by: endpoint scale, failure domain scoping, RTT, or underlay connectivity attributes.
• Typically interconnected by a "Transit" (Fabric Site 1, Fabric Site 2, ... Fabric Site N).
Roles and Terminology: SD-Access Roles
Cisco SD-Access Roles
Mandatory Components
• Cisco Catalyst Center – GUI and APIs for intent-based automation of wired and wireless fabric devices.
• Fabric Border Nodes – A fabric device that connects external L3 and L2 networks to the Cisco SD-Access fabric.
• Edge Nodes – A fabric device that connects wired endpoints to the Cisco SD-Access fabric and optionally enforces micro-segmentation policy.
• Control Plane Node – Map System that tracks endpoint to fabric node relationships.
Cisco SD-Access Roles
Optional Components
• Identity Services Engine – Highly recommended. NAC and ID services for dynamic endpoint to Security Group Tag mapping and policy distribution.
• Fabric Wireless Controller and Fabric APs – Highly recommended. Connects wireless endpoints to the SD-Access fabric.
• Extended Node – A switch operating at Layer 2 that extends fabric connectivity and optionally enforces micro-segmentation policy.
• Intermediate Nodes – Moves data between fabric nodes. Can be one or many hops.
Cisco SD-Access Roles
Some of the Supported Co-locations
• Border Node and Control Plane Node.
• Border Node, Control Plane Node, and Fabric Edge Node.
• Border Node, Control Plane Node, and Embedded Wireless Controller.
• Border Node, Control Plane Node, Fabric Edge Node, and Embedded Wireless Controller.
SD-Access Design Aides
• Cisco Validated Design: https://cs.co/sda-cvd
• Design Tool (use Chrome): http://cs.co/sda-design-tool

• Compatibility Matrix: http://cs.co/sda-compatibility-matrix

Cisco SD-Access Fabric
Control Plane Node Maintains a Host and Network Tracking Database
• A simple Host Database that maps Endpoint IDs to locations, along with other attributes.
• Host Database supports multiple Endpoint ID lookup types (IPv4, IPv6 or MAC).
• Receives Endpoint ID map registrations from Edge Nodes, Border Nodes and Fabric Wireless LAN Controllers.
• Publishes registrations to Subscribers (Border Nodes).
• Resolves lookup requests from Edge Nodes and Border Nodes, to locate destination Endpoint IDs.

Example database entries for an endpoint (IP 1.2.3.4/32, MAC AA:BB:CC:DD) attached to Edge Node EN1:
  IP to RLOC:          1.2.3.4/32 → EN1
  MAC to RLOC:         AA:BB:CC:DD → EN1
  Address Resolution:  1.2.3.4 → AA:BB:CC:DD
Cisco SD-Access Fabric
Edge Node Provides First Hop Services for Endpoints
• Responsible for authenticating and authorizing wired endpoints (e.g. 802.1X, MAB, static) in concert with ISE.
• Registers Endpoint IDs (IPv4, IPv6, MAC) with the Control Plane Nodes.
• Provides an Anycast Gateway for the connected wired and wireless endpoints.
• Performs VXLAN encapsulation and decapsulation of traffic to and from all connected wired endpoints.
(Figure: endpoint IP 1.2.3.4/32, MAC AA:BB:CC:DD behind EN1, registered as 1.2.3.4/32 → EN1, AA:BB:CC:DD → EN1 and 1.2.3.4 → AA:BB:CC:DD.)
Cisco SD-Access Fabric
Border Node is the Fabric Site Entry and Exit for Network Traffic
• Subscribes to LISP Control Plane Node IPv4 and IPv6 tables.
• There are 4 types of Border Node:
  • External Border Node.
  • Internal Border Node.
  • Internal + External Border Node.
  • Layer 2 Border Node.
• External Border Node:
  • The most common configuration.
  • Exports all fabric subnets to outside the Fabric Site as eBGP summary routes.
  • Acts as a gateway of last resort for the Fabric Site.
  • Does not register eBGP prefixes from outside the Fabric Site into the fabric Control Plane.
• Internal Border Node:
  • Exports all fabric subnets to outside the Fabric Site as eBGP summary routes.
  • Imports and registers eBGP-learned IPv4/IPv6 prefixes from outside the Fabric Site into the fabric Control Plane.
  • Does not act as a gateway of last resort for the Fabric Site.
• Internal + External Border Node:
  • Exports all fabric subnets to outside the Fabric Site as eBGP summary routes.
  • Imports and registers eBGP-learned IPv4/IPv6 prefixes from outside the Fabric Site into the fabric Control Plane.
  • Acts as a gateway of last resort for the Fabric Site.
• Layer 2 Border Node:
  • Acts as Layer 2 handoff for pure Layer 2 Overlays or Layer 2 + Layer 3 Overlays.
  • Allows VLAN translation between SD-Access network segments and non-fabric VLAN IDs.
  • Dual homing requires link aggregation; STP is not tunneled within the SD-Access Fabric.
  • Ideally should be a separate device from the Layer 3 Border Node.
Cisco SD-Access Fabric
Fabric Enabled Wireless for Unified Management, Policy and Data Planes
• Fabric WLC accessible through a Fabric Border Node (Underlay). Can be several hops away.
• Fabric Enabled APs reside in a dedicated IP range and communicate with the Fabric WLC (CAPWAP Control).
• Fabric WLC registers endpoints with the Control Plane Node.
• Fabric APs switch endpoint traffic to the adjacent Edge Node. No concentrator bottleneck. Wi-Fi 6 up to 9.6 Gbps. Wi-Fi 7 up to 46 Gbps.
• Wireless endpoints use the same data plane and policy plane as wired endpoints.
(Figure: control plane is CAPWAP between AP and WLC, data plane is VXLAN from AP to Edge Node; wireless endpoint MAC AA:BB:CC:DD, IP 1.2.3.4/32.)
Roles and Terminology: Fabric Constructs
Cisco SD-Access Fabric
Virtual Networks
• Layer 3 Virtual Networks use VRFs and LISP Instance IDs to maintain separate routing topologies.
• Endpoint IDs (IPv4/IPv6 addresses) are routed within an L3VN.
• Layer 2 Virtual Networks use LISP Instance IDs and VLANs to maintain separate switching topologies.
• Endpoint IDs (MAC addresses) are switched within an L2VN.
• Edge Nodes, Border Nodes and Fabric APs add a VNID (the LISP IID) to the fabric encapsulation.
(Figure: three Virtual Networks side by side: Campus (L3VN), IOT (L2VN), Guest (L3VN).)
Cisco SD-Access Fabric
Layer 3 Virtual Networks
• User-Defined VNs can be added or removed on demand (e.g. User-Defined L3VN1 → VRF1, User-Defined L3VN2 → VRF2).
• INFRA_VN is only for Fabric Access Points and Extended Nodes, and lives in the Global Routing Table.
• Fabric Devices (Underlay) connectivity is in the Global Routing Table.
GRT = Global Route Table
Cisco SD-Access Fabric
Per-Layer-3-Virtual-Network Layer 3 Handoff
• A "Peer Device" may leak external routes into SD-Access Layer 3 Virtual Networks.
• Alternatively, maintain VRF segmentation outside of the SD-Access Fabric with a VRF-aware external routing domain.
• Peer Device is outside the fabric. Can be any platform (Router, Layer 3 switch, Firewall, etc.) with appropriate capabilities.
(Figure: on the Border Node, LISP VRF A, VRF B and the GRT hand off over SVI A, SVI B and SVI X/Y/Z into MP-BGP address families AF VRF A, AF VRF B and AF IPv4, peering with the Peer Device's subinterfaces G0/0/0.X, G0/0/0.Y and G0/0/0.Z. AF = Address Family.)
Cisco SD-Access Fabric
Extranet Provider Virtual Network Layer 3 Handoff
• Use an Extranet Policy to allow communication between one Provider Virtual Network and one or more Subscriber Virtual Networks.
• Extranet Policy is available from SD-Access 2.3.5.3. Requires LISP Pub/Sub Control Plane.
(Figure: VRF A and VRF B are Extranet Subscribers and VRF X is the Extranet Provider; only VRF X (SVI X) hands off to the MP-BGP Peer Device over G0/0/0 in AF IPv4.)
Cisco SD-Access Fabric
Layer 2 Handoff
• Ancient wisdom: Route whenever you can, switch when you must.
• Layer 2 Virtual Networks handoff through a user-defined VLAN.
• Layer 2 Virtual Networks may implement broadcast, unknown-unicast and multicast flooding. Be mindful of loop prevention.
(Figure: in the Fabric Site, a User-Defined L2VN with Anycast Gateway (VRF/SVI) and User-Defined L2VNs without one are each handed off to a user-defined VLAN.)
Cisco SD-Access Fabric
A Security Group Tag Assigns a "Group" to Each Endpoint
• Edge Nodes and Fabric APs assign a unique Security Group Tag (SGT) to each endpoint in concert with ISE.
• Edge Nodes and Fabric APs add an SGT to the fabric encapsulation.
• SGTs are used to implement IP-address-independent traffic policies.
• SGTs can be extended to numerous other networking technologies e.g., Cisco Secure Firewall, Cisco SD-WAN, some third-party platforms, etc.
(Figure: endpoints across the fabric carrying SGTs such as 3, 4, 8, 17, 19, 23 and 25.)
Cisco SD-Access Fabric
Host Pools Define a Default Gateway and Basic IP Services for Endpoints
• Edge Nodes instantiate an access VLAN and a Switched Virtual Interface (SVI) with user-defined IPv4/IPv6 addresses per Host Pool.
• Host Pools assigned to endpoints dynamically by AAA or statically per port.
• Edge Nodes and Fabric WLCs register endpoint IDs (/32, /128 or MAC) with the Control Plane, enabling IP mobility; any IP address anywhere.
(Figure: Pools 1 to 8 spread across the Edge Nodes.)
Cisco SD-Access Fabric
Anycast Gateway Provides a Default Gateway for IP-Capable Endpoints
• Similar principle and behavior to FHRP, with a shared virtual IPv4/IPv6 address and MAC address.
• The same Switch Virtual Interface (SVI) is present on all Edge Nodes with the same virtual IP and MAC.
• The wired or wireless endpoint can connect to any switch or AP in the fabric and communicate with the same Anycast Gateway.
(Figure: L3VN Campus; every Edge Node hosts GW 1.2.0.1/16 with MAC A.A.A.)
Cisco SD-Access Fabric
Host Pools are "stretched" via the Overlay
• Endpoint IPv4/IPv6 traffic arrives on an Edge Node and is then routed or switched by the Edge Node.
• Fabric Dynamic EID mapping allows endpoint-specific (/32, /128, MAC) advertisement and mobility.
• No longer need VLANs to interconnect endpoints across Edge Nodes; this happens in the Overlay without broadcast flooding.

Example: endpoints 1.2.0.22/16 (MAC 2:2:2) on EN1 and 1.2.255.33/16 (MAC 3:3:3) on EN2 share the L3VN Campus gateway 1.2.0.1/16 and are tracked as:
  IP to RLOC:          1.2.0.22/32 → EN1, 1.2.255.33/32 → EN2
  MAC to RLOC:         2:2:2 → EN1, 3:3:3 → EN2
  Address Resolution:  1.2.0.22 → 2:2:2, 1.2.255.33 → 3:3:3
Cisco SD-Access Fabric
Accommodates any Physical Network Topology
• Overlays are agnostic to underlay physical topology.
• Any wired or wireless endpoint address anywhere, including environments with unusual cabling implementations.
• Routed underlay IGP takes care of load balancing and fast link/node fault convergence. Obsoletes less robust mechanisms like L2 Trunking and STP.
(Figure: arbitrarily cabled Edge Nodes, each hosting GW 1.2.0.1/16.)
Cisco SD-Access Fabric
Layer 2 Virtual Networks
• By default, an L2VN is deployed with each Anycast Gateway and Layer 2 Flooding is disabled. Layer 2 Flooding can be enabled, if necessary, to service niche applications.
• An L2VN can be deployed without an Anycast Gateway, in which case Layer 2 Flooding cannot be disabled.
• Often referred to as "Gateway Outside the Fabric".
• If Layer 2 Flooding is enabled, a Multicast underlay P2MP tunnel is established between all Fabric Nodes.
(Figure: a Layer 2 Overlay spanning VLANs on three Edge Nodes with endpoint MACs 1.1.1, 2.2.2 and 3.3.3, and a Control Plane Node (C); the gateway sits outside the fabric.)
Fabric Fundamentals
1. Control Plane
2. Data Plane
3. Policy Plane

Cisco SD-Access Fabric
• Control Plane: LISP
  • Locator/ID Separation Protocol.
  • IETF Standards Track RFC 9299 to RFC 9306, and RFC 9437 (LISP Pub/Sub).
  • IETF LISP Drafts.
Lightweight, Efficient, Scalable and Extensible
LISP in Cisco SD-Access

LISP/BGP:
• Released circa 2017.
• Reliable and stable.
• BGP transport.

LISP Pub/Sub:
• Released in 2022 with Cisco DNA Center* 2.2.3.x.
• Reliable and stable.
• Native LISP transport.
• Less Control Plane load.
• Faster convergence.
• Highly extensible.

*Rebranded to Catalyst Center in late 2023
LISP Pub/Sub
A Brief Digression, before you ask…
• No plans to end support for LISP/BGP.
• LISP Pub/Sub is recommended for new deployments.
• In Cisco DNA Center 2.2.3.x new Fabric Sites can be configured as LISP/BGP or LISP Pub/Sub. Note minimum IOS XE versions.
• First phase of the LISP/BGP to LISP Pub/Sub migration workflow is under development now: migrate IP-Based Transit Fabric Sites.
• Second phase of the LISP/BGP to LISP Pub/Sub migration is under planning: migrate SD-Access Transit Fabric Sites.
Fabric Operation
The sequence below follows one L3VN (LISP Instance ID 1001; a second L3VN, IID 1002, also appears on the slides) with an External Border Node BN1, a Control Plane Node, and Edge Nodes including EN1 and EN3. Each table row reads Destination | IID | Next Hop.

1. Default ETR Registration
• The External Border Node holds the routes to the outside (0.0.0.0/0, 10.0.0.0/8, 192.168.0.0/16, etc.), learned via BGP, static routes, etc.
• It registers itself with the Control Plane Node as the Default ETR per L3VN (gateway of last resort).
  Border Node table:        Default ETR | 1001 | --   and   Default ETR | 1002 | --
  Control Plane Node table: Default ETR | 1001 | BN1  and   Default ETR | 1002 | BN1

2. Edge Node Bootstrap
• Each Edge Node learns the Default ETR entries from the Control Plane Node:
  Edge Node table: Default ETR | 1001 | BN1   and   Default ETR | 1002 | BN1
• Once complete, every fabric node knows the gateway of last resort (✓ on every node).

3. Endpoint Registration
• Endpoint A (1.1.1.1, 2001::1, MAC A) attaches to EN1; endpoint B (2.2.2.2, 2001::2, MAC B) attaches to EN3.
• Each Edge Node installs its local endpoint with no next hop (1.1.1.1 | 1001 | -- on EN1, 2.2.2.2 | 1001 | -- on EN3) and registers it with the Control Plane Node.
• The Control Plane Node table now holds 1.1.1.1 | 1001 | EN1 and 2.2.2.2 | 1001 | EN3, and acknowledges each registration with a Notification.

4. Publish
• The Control Plane Node publishes the registered Endpoint IDs to its subscribers: the Border Node table now also holds 1.1.1.1 | 1001 | EN1 and 2.2.2.2 | 1001 | EN3.

5. South to North Traffic
• Endpoint 2.2.2.2 on EN3 sends a packet to 8.8.8.8 (Src: 2.2.2.2, Dst: 8.8.8.8).
• EN3 has no map-cache entry and asks the Control Plane Node: "Where is 8.8.8.8?"
• The Control Plane Node answers with a Negative Map Reply covering 8.0.0.0/7: the destination is not a fabric Endpoint ID.
• EN3 installs 8.0.0.0/7 | 1001 | BN1 (the Default ETR) and encapsulates the packet to BN1, which forwards it out of the Fabric Site.

6. East to West Traffic
• Endpoint 2.2.2.2 on EN3 sends a packet to 1.1.1.1 (Src: 2.2.2.2, Dst: 1.1.1.1).
• EN3 asks the Control Plane Node: "Where is 1.1.1.1?"; Map Reply: "1.1.1.1 is at EN1".
• EN3 installs 1.1.1.1 | 1001 | EN1 and encapsulates the packet directly to EN1.
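The behaviour on the Control Plane Node slide and in the Fabric Operation sequence above, as an added example that is not code from the session or from Cisco: a toy LISP map system in Python. The Control Plane Node keeps EID-to-RLOC mappings per Instance ID, a Border Node subscribes to the whole IID table (Pub/Sub) and registers as Default ETR, and Edge Nodes receive only the Default ETR at bootstrap and pull everything else with Map-Requests, caching what they learn. Node names, IID 1001 and the endpoint addresses are taken from the slides; the negative map-reply prefix is computed as the largest prefix containing the queried EID that overlaps no registered EID, and the demo registers 10.0.0.0/8 as well (an assumption, not stated on the slides) because that is what makes the reply for 8.8.8.8 come out as the slide's 8.0.0.0/7.

```python
from ipaddress import ip_address, ip_network

DEFAULT_ETR = "Default ETR"   # table key for the gateway-of-last-resort entry


class ControlPlaneNode:
    """Map Server/Resolver: host tracking database plus Pub/Sub fan-out."""

    def __init__(self):
        self.db = {}            # iid -> {ip_network: rloc}
        self.default_etr = {}   # iid -> rloc of the gateway of last resort
        self.subscribers = {}   # iid -> [(callback, default_etr_only)]

    def register_default_etr(self, iid, rloc):   # External Border, per L3VN
        self.default_etr[iid] = rloc
        self._publish(iid, DEFAULT_ETR, rloc)

    def register(self, iid, eid, rloc):          # Map-Register from an ETR
        prefix = ip_network(eid, strict=False)
        self.db.setdefault(iid, {})[prefix] = rloc
        self._publish(iid, prefix, rloc)

    def subscribe(self, iid, callback, default_etr_only=False):
        """Pub/Sub: full sync now, then every later change for this IID."""
        self.subscribers.setdefault(iid, []).append((callback, default_etr_only))
        if iid in self.default_etr:
            callback(DEFAULT_ETR, self.default_etr[iid])
        if not default_etr_only:
            for prefix, rloc in self.db.get(iid, {}).items():
                callback(prefix, rloc)

    def _publish(self, iid, prefix, rloc):
        for callback, default_only in self.subscribers.get(iid, []):
            if prefix == DEFAULT_ETR or not default_only:
                callback(prefix, rloc)

    def resolve(self, iid, eid):
        """Map-Request: longest match, else a Negative Map-Reply for the largest
        prefix that contains the EID but overlaps no registered EID."""
        addr, table = ip_address(eid), self.db.get(iid, {})
        hits = [p for p in table if addr in p]
        if hits:
            best = max(hits, key=lambda p: p.prefixlen)
            return best, table[best]
        for plen in range(addr.max_prefixlen + 1):
            hole = ip_network((addr, plen), strict=False)
            if not any(hole.overlaps(p) for p in table):
                return hole, self.default_etr.get(iid)   # route via Default ETR


class FabricNode:
    """ITR/ETR with a per-IID map-cache; a Border subscribes to the whole table."""

    def __init__(self, name, cpn, border=False):
        self.name, self.cpn, self.border = name, cpn, border
        self.cache = {}   # iid -> {prefix or DEFAULT_ETR: rloc}; None = local

    def _learn(self, iid, prefix, rloc):
        self.cache.setdefault(iid, {})[prefix] = rloc

    def bootstrap(self, iid):
        if self.border:                          # gateway of last resort
            self.cpn.register_default_etr(iid, self.name)
        self.cpn.subscribe(iid, lambda p, r: self._learn(iid, p, r),
                           default_etr_only=not self.border)

    def attach(self, iid, eid):                  # endpoint authenticated on a port
        prefix = ip_network(eid)
        self._learn(iid, prefix, None)           # "--": no tunnel, deliver locally
        self.cpn.register(iid, prefix, self.name)

    def forward(self, iid, dst):
        """RLOC to encapsulate towards (None = endpoint is local to this node)."""
        addr, table = ip_address(dst), self.cache.setdefault(iid, {})
        hits = [p for p in table if p != DEFAULT_ETR and addr in p]
        if not hits:                             # map-cache miss: send Map-Request
            prefix, rloc = self.cpn.resolve(iid, addr)
            table[prefix] = rloc                 # cache the (negative) Map-Reply
            hits = [prefix]
        return table[max(hits, key=lambda p: p.prefixlen)]


def run_fabric_demo():
    """Replays the slides: Default ETR, bootstrap, registration, S-N and E-W."""
    cpn = ControlPlaneNode()
    bn1 = FabricNode("BN1", cpn, border=True)
    bn1.bootstrap(1001)
    # Assumption: 10.0.0.0/8 is registered as well (as an Internal Border would);
    # that is what makes the negative reply for 8.8.8.8 come out as 8.0.0.0/7.
    cpn.register(1001, "10.0.0.0/8", "BN1")
    en1, en3 = FabricNode("EN1", cpn), FabricNode("EN3", cpn)
    for en in (en1, en3):
        en.bootstrap(1001)
    en1.attach(1001, "1.1.1.1")      # constructed endpoints taken from the slides
    en3.attach(1001, "2.2.2.2")
    return {
        "south_north": en3.forward(1001, "8.8.8.8"),   # negative reply -> BN1
        "east_west": en3.forward(1001, "1.1.1.1"),     # Map-Reply -> EN1
        "local": en1.forward(1001, "1.1.1.1"),         # own endpoint, no tunnel
        "bn1_cache": {str(p): r for p, r in bn1.cache[1001].items()},
        "en3_cache": {str(p): r for p, r in en3.cache[1001].items()},
    }
```

Running run_fabric_demo() shows the two cache shapes the slides contrast: the Border Node ends up with every registration (push), while EN3 holds only its own endpoint, the Default ETR, and the two entries it pulled on demand. Without the assumed 10.0.0.0/8 registration the same resolver returns 8.0.0.0/5 for 8.8.8.8, which is the practical caveat: the size of a negative map-reply hole, and therefore how much of the non-fabric address space a single cached entry covers, depends on what else is registered in that IID.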
Advantages of LISP
• Optimised resource usage on Edge Nodes: "pull" only the information needed, like DNS. By comparison BGP pushes all routing information to all Edge Nodes.
• Underlay network is simple and stable: IGP routing from Border Node to Edge Node. Maybe PIM. No L2, no VLANs, no link bundling, no STP, no MPLS.
• Unified wired and wireless data plane and policy plane.
• No wireless concentrator bottleneck = higher throughput.
• Receive future innovations in later SD-Access + IOS XE releases.
See also: BRKENS-2828, BRKENS-2833.
Fabric Fundamentals: Data Plane
Cisco SD-Access Fabric
1. Control Plane: LISP
2. Data Plane: VXLAN

Original packet:  ETHERNET | IP | PAYLOAD
Packet in VXLAN:  ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD
VXLAN supports L2 and L3 Overlays.
VXLAN-GPO Header
MAC-in-IP with VN ID and SGT ID

Underlay (outer headers):
  Outer MAC Header (14 bytes, plus 4 optional bytes of 802.1Q):
    Dest. MAC (48 bits): next-hop MAC address
    Source MAC (48 bits): source VTEP MAC address
    VLAN Type 0x8100 (16 bits, optional) and VLAN ID (16 bits, optional)
    Ether Type 0x0800 (16 bits)
  Outer IP Header (20 bytes):
    Misc. data (72 bits)
    Protocol 0x11 (UDP) (8 bits)
    Header Checksum (16 bits)
    Source IP (32 bits): source RLOC IP address
    Dest. IP (32 bits): destination RLOC IP address
  UDP Header (8 bytes):
    Source Port (16 bits): hash of the inner L2/L3/L4 headers of the original frame; enables entropy for ECMP load balancing
    Dest Port (16 bits): UDP 4789
    UDP Length (16 bits)
    Checksum 0x0000 (16 bits)
  VXLAN Header (8 bytes):
    VXLAN Flags RRRRIRRR (8 bits)
    Segment ID (16 bits): allows 64K possible SGTs
    VN ID (24 bits): allows 16M possible VRFs
    Reserved (8 bits)

Overlay (original frame):
  Inner (Original) MAC Header
  Inner (Original) IP Header
  Original Payload
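The encapsulation laid out above, as an added Python example that is not code from the session or from Cisco: it builds and parses the 8-byte VXLAN-GPO header (24-bit VN ID, 16-bit SGT), wraps a frame in outer Ethernet, IPv4 and UDP 4789, derives the entropy source port from the inner headers, and decapsulates with the checks a receiving VTEP would apply. The slide shows the flags as RRRRIRRR; the G bit (0x80) that marks the SGT field as valid comes from the VXLAN group-policy draft, not from the slide. The RLOCs, MACs, the sample inner frame and the hash used for the source port are constructed assumptions (the real port hash is platform-specific).

```python
import hashlib
import struct
from ipaddress import IPv4Address

VXLAN_UDP_PORT = 4789
FLAG_G = 0x80              # group-policy (SGT) field valid, VXLAN-GPO draft
FLAG_I = 0x08              # VNI field valid (RFC 7348)
MAX_VNID = (1 << 24) - 1   # 24-bit VN ID: 16M possible VRFs/VNs
MAX_SGT = (1 << 16) - 1    # 16-bit Segment ID: 64K possible SGTs
ETH_P_IP, IPPROTO_UDP = 0x0800, 0x11
VTEP_MAC = bytes.fromhex("5c5a2b000001")       # constructed source VTEP MAC
NEXT_HOP_MAC = bytes.fromhex("5c5a2b000002")   # constructed next-hop MAC


def vxlan_gpo_fits(vnid, sgt):
    return 0 <= vnid <= MAX_VNID and 0 <= sgt <= MAX_SGT


def build_vxlan_gpo(vnid, sgt):
    """8-byte header: flags | policy bits | SGT(16) | VN ID(24) | reserved(8)."""
    if not vxlan_gpo_fits(vnid, sgt):
        raise ValueError(f"VN ID {vnid} or SGT {sgt} out of range")
    return struct.pack("!BBHI", FLAG_G | FLAG_I, 0, sgt, vnid << 8)


def parse_vxlan_gpo(header):
    if len(header) < 8:
        raise ValueError("truncated VXLAN header")
    flags, _policy_bits, sgt, vni_word = struct.unpack("!BBHI", header[:8])
    if not flags & FLAG_I:
        raise ValueError("I flag clear: VNI not valid, drop the frame")
    return {"vnid": vni_word >> 8,
            "sgt": sgt if flags & FLAG_G else None,   # no G bit: no SGT carried
            "reserved": vni_word & 0xFF}


def entropy_source_port(inner_frame):
    """Outer UDP source port from a hash of the inner L2/L3/L4 headers, mapped
    into the dynamic port range so underlay ECMP spreads flows. Assumption: any
    deterministic per-flow digest stands in for the platform's own hash."""
    digest = hashlib.sha256(inner_frame[:54]).digest()   # 14 + 20 + 20 bytes
    return 49152 + int.from_bytes(digest[:2], "big") % (65535 - 49152 + 1)


def ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                         64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]


def encapsulate(inner_frame, src_rloc, dst_rloc, vnid, sgt):
    """Outer Ethernet + IPv4 (RLOC to RLOC) + UDP 4789 + VXLAN-GPO + original frame."""
    vxlan = build_vxlan_gpo(vnid, sgt)
    udp_len = 8 + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", entropy_source_port(inner_frame), VXLAN_UDP_PORT,
                      udp_len, 0)                                # checksum 0x0000
    eth = NEXT_HOP_MAC + VTEP_MAC + struct.pack("!H", ETH_P_IP)
    outer_ip = ipv4_header(src_rloc, dst_rloc, IPPROTO_UDP, udp_len)
    return eth + outer_ip + udp + vxlan + inner_frame


def decapsulate(packet):
    """Validate the outer headers and return (vnid, sgt, inner_frame)."""
    if struct.unpack("!H", packet[12:14])[0] != ETH_P_IP:
        raise ValueError("outer EtherType is not IPv4")
    ihl = (packet[14] & 0x0F) * 4
    outer_ip = packet[14:14 + ihl]
    if outer_ip[9] != IPPROTO_UDP or ipv4_checksum(outer_ip) != 0:
        raise ValueError("outer IPv4 header is not UDP or fails its checksum")
    udp_off = 14 + ihl
    _sport, dport, udp_len, _csum = struct.unpack("!HHHH", packet[udp_off:udp_off + 8])
    if dport != VXLAN_UDP_PORT or udp_len != len(packet) - udp_off:
        raise ValueError("not a well-formed VXLAN datagram")
    hdr = parse_vxlan_gpo(packet[udp_off + 8:udp_off + 16])
    return hdr["vnid"], hdr["sgt"], packet[udp_off + 16:]


def sample_inner_frame():
    """Constructed inner frame: 10.1.10.220 -> 10.1.100.52 over UDP."""
    payload = b"constructed payload"
    udp = struct.pack("!HHHH", 40000, 5683, 8 + len(payload), 0)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    inner_ip = ipv4_header("10.1.10.220", "10.1.100.52", IPPROTO_UDP,
                           len(udp) + len(payload))
    return eth + struct.pack("!H", ETH_P_IP) + inner_ip + udp + payload
```

The two range checks in vxlan_gpo_fits are the header's hard limits (16M VNs, 64K SGTs); the G-bit handling in parse_vxlan_gpo is the practical point for a receiver: a frame without the G bit carries no SGT, so policy must not read the 16-bit field as one.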
Fabric Fundamentals: Policy Plane
Cisco SD-Access Fabric
1. Control Plane: LISP
2. Data Plane: VXLAN
3. Policy Plane: Group-Based Policy

The VXLAN header carries VN + SGT: Virtual Routing & Forwarding (the VN) and Security Group Tagging (the SGT).
ETHERNET | IP | UDP | VXLAN (VN + SGT) | ETHERNET | IP | PAYLOAD
What is Security Group Tag and Group-Based Policy?
• Endpoint 10.1.10.220 is authenticated and classified as Camera (SGT 5).
• Endpoints 10.1.100.52 and 10.1.200.100 are authenticated and classified as Lighting (SGT 20) and HVAC (SGT 30).
• A packet SRC 10.1.10.220 → DST 10.1.100.52 crosses the SD-Access VXLAN overlay carrying source SGT 5; at the far side the Group-Based Policy is evaluated with Destination = SGT 20.

Group-Based Policy matrix (source group → destination group):
  SRC \ DST     Lighting (20)   HVAC (30)
  Camera (5)    Permit          Deny
  BYOD (7)      Deny            Permit
SD-Access Policy
Macro-Segmentation and Micro-Segmentation
• Virtual Network (VN): first-level segmentation ensures zero communication between forwarding domains. Ability to consolidate multiple networks into one physical network.
• Security Group Tag (SGT): second-level segmentation ensures Group-Based Access Control between groups in a VN. Ability to segment per endpoint based on minimum necessary access (Zero Trust).
SD-Access Policy
Access Contracts
• A Contract is applied between a Source Group and a Destination Group (e.g. Plant Operator → Control System), defined in Catalyst Center and ISE.
• Classifier types: Port Number, Protocol, Application.
• Action types: Permit, Deny, Log.
SD-Access Policy
Group-Based Access Control
1. Select Source Group(s)
2. Select Destination Group(s)
3. Select Access Contract(s)
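The policy plane described on the last few slides (the SGT matrix, access contracts with port/protocol classifiers and permit/deny/log actions, and the three Group-Based Access Control steps), as an added Python example that is not code from the session or from Cisco. The SGT values 5, 7, 20 and 30 and the matrix cells are from the slide; the Plant Operator and Control System SGT values, the contents of their contract, the treatment of Log as a modifier on a permit or deny entry, and the permit default for cells with no contract are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Classifier:
    """Contract classifier: protocol and/or destination port; None = any."""
    protocol: Optional[str] = None      # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None

    def matches(self, flow: dict) -> bool:
        return ((self.protocol is None or self.protocol == flow.get("protocol"))
                and (self.dst_port is None or self.dst_port == flow.get("dst_port")))


@dataclass(frozen=True)
class Rule:
    classifier: Classifier
    action: str                 # "permit" or "deny"
    log: bool = False           # assumption: log modifies a permit/deny entry


@dataclass(frozen=True)
class Contract:
    name: str
    rules: Tuple[Rule, ...] = ()
    default_action: str = "deny"    # catch-all once no classifier matched

    def evaluate(self, flow: dict):
        for rule in self.rules:     # first match wins, like an access list
            if rule.classifier.matches(flow):
                return rule.action, rule.log
        return self.default_action, False


PERMIT = Contract("permit", default_action="permit")
DENY = Contract("deny", default_action="deny")


class GroupBasedPolicy:
    """Source SGT x destination SGT matrix; each populated cell holds a Contract."""

    def __init__(self, default: Contract = PERMIT):
        self.cells = {}
        self.default = default      # assumption: unpopulated cells permit

    def bind(self, src_sgts, dst_sgts, contract):
        """Group-Based Access Control: source groups, destination groups, contract."""
        for src in src_sgts:
            for dst in dst_sgts:
                self.cells[(src, dst)] = contract

    def enforce(self, src_sgt: int, dst_sgt: int, flow: dict) -> dict:
        """Decision for one flow; the IP addresses in `flow` never influence it."""
        contract = self.cells.get((src_sgt, dst_sgt), self.default)
        action, log = contract.evaluate(flow)
        return {"contract": contract.name, "action": action, "log": log}


def build_slide_policy() -> GroupBasedPolicy:
    """The matrix from the slide plus an assumed port-based contract."""
    camera, byod, lighting, hvac = 5, 7, 20, 30
    plant_operator, control_system = 100, 200     # assumed SGT values
    policy = GroupBasedPolicy()
    policy.bind([camera], [lighting], PERMIT)
    policy.bind([camera], [hvac], DENY)
    policy.bind([byod], [lighting], DENY)
    policy.bind([byod], [hvac], PERMIT)
    operator_contract = Contract("operator-to-control-system", (
        Rule(Classifier("tcp", 443), "permit"),
        Rule(Classifier("icmp"), "permit"),
        Rule(Classifier(), "deny", log=True),      # logged explicit catch-all
    ))
    policy.bind([plant_operator], [control_system], operator_contract)
    return policy
```

Calling enforce() twice with the same flow dictionary but different source SGTs (Camera versus BYOD towards Lighting) returns opposite decisions, which is the "IP-address-independent" property of the earlier SGT slide in one call: the enforcement key is the (source SGT, destination SGT) pair, never the addresses.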
Multiple Fabrics
Transits, VN and SGT Preservation

IP-Based Transit (Fabric1 and Fabric2 over an IP network, VN1/VN2/VN3 each handed off via eBGP):
• Per-Layer-3-Virtual-Network eBGP peering to external routing domain, or LISP Extranet Provider VN eBGP peering to external routing domain.
• SGT propagation outside of fabric requires suitable hardware and software.

SD-Access Transit (Fabric1, Fabric2, ... FabricN over an IP network, with external routing domains ASN1 and ASN2):
• SD-Access LISP/VXLAN between Fabric Sites.
• Natively preserves Layer 3 Virtual Networks and SGTs.
• Capable of fabric as a transit between external routing domains.

SD-WAN Transit (Fabric1, Fabric2, ... FabricN over an IP network):
• Cisco SD-WAN between Fabric Sites.
• Capable of preserving Layer 3 Virtual Networks and SGTs.
• Dedicated SD-WAN Edge for design flexibility, Border Node port densities and port speeds. See Independent Domains PDG.
Conclusion
• Cisco SD-Access provides one interface for Fabric Automation, Identity-Based Policy, Segmentation, AI-Driven Insights and Assurance.
• Cisco SD-Access is a turnkey foundation for Zero Trust for the Network: Visibility, Segmentation and Containment. BRKENS-2819 explores this further.
• LISP is at the core of Cisco SD-Access: Efficient, scalable, flexible and evolving.
Cisco Live EMEA SD-Access Learning Map
Sessions from Monday 5th to Friday 9th:
• TECENS-2349 Software-Defined Access for Industry Verticals
• TECENS-3820 Cisco SD-Access: Architecture Deep Dive
• TECENT-3688 Advanced SD-Access Troubleshooting
• BRKENS-2833 LISP: Optimized Control Plane for Software-Defined Access
• BRKENS-2502 Cisco SD-Access Best Practices - Design and Deployment
• BRKENS-2811 Connecting Cisco SD-Access to the World: Use Cases and Segmentation
• BRKENS-2810 Cisco Software Defined Access Solution Fundamentals
• BRKENS-2816 Cisco SD-Access Transit: Advanced Design Principles
• BRKENS-2818 Cisco SD-Access for the Sustainable Enterprise
• BRKENS-1800 From Doubt to Confidence: A Step-by-Step Approach to SD-Access Project
• BRKENS-2820 Demystifying IP Multicast in SD-Access
• CCP-1505 Zero Trust Workplace with SD-Access
• BRKENS-2819 Cisco SD-Access and Multi-Domain Segmentation
• BRKENS-2827 Cisco SD-Access Migration Tools and Strategies
• BRKENS-2821 Software-Defined Access for Manufacturing Verticals
• BRKENT-2837 GAME Time! Will You Be the Networker of the Year?
• LTRENS-2419 Cisco SD-Access Wired Lab with Endpoint Analytics
• BRKTRS-3820 SD Access: Troubleshooting the Fabric
Cisco SD-Access Collaterals
• Cisco Software-Defined Access for Industry Verticals
• Cisco Software-Defined Access: Enabling intent-based networking
• Cisco Solution Validated Profiles (CVPs): Cisco Large Enterprise and Government Profile
• Vertical guides: Healthcare, Financial, Manufacturing, Retail, University
• Cisco SD-Access YouTube Link
• Multiple Cisco DNA Center to ISE
• Cisco SD-Access Design Tool
• EN&C Validated Designs
• The Latest SD-Access Guides

Thank you