SDAccess_Architecture_Overview_v1.00_Partner

The SD-Access Architecture Overview document outlines the Cisco Software Defined Access (SD-Access) framework, which addresses traditional network challenges through intent-based automation for wired and wireless campus networks. It highlights key components such as the Control Plane, Data Plane, and various roles within the architecture, including Border Nodes and Edge Nodes, to enhance security, operational effectiveness, and user experience. The document also discusses the integration of AI-driven insights, zero-trust security models, and the use of overlay technologies like LISP and VXLAN for efficient network management.


SD-Access Architecture Overview

An Introduction
SD-Access Technical Marketing, Enterprise Networking

August 2024

Document Version: 1.00


Change Log

Version Date Notes

1.00 08 Aug 2024 SD-Access Architecture Overview version 1.00

© 2024 Cisco and/or its affiliates. All rights reserved.

Cisco Partner Confidential


Agenda
• SD-Access Roles
• SD-Access Constructs
• SD-Access Control Plane
• SD-Access Data Plane
• SD-Access Policy Plane
• Multiple Fabrics


Traditional Networks Challenges

[Figure: a grid of resources (network infrastructure; devices: switching, routers, wireless) against four challenge areas: network deployment challenges, network security challenges, wireless & wired network challenges, and network operations challenges.]
Cisco Software Defined Access
The Foundation for Cisco’s Intent-Based Network

Cisco Catalyst Center: Policy, Automation, Assurance.

• One Automated Network Fabric: single fabric for wired and wireless with full automation.
• Identity-Based Policy and Segmentation: policy definition decoupled from VLAN and IP address.
• AI-Driven Insights and Telemetry: analytics and visibility into user and application experience.

[Figure: the fabric spans Mobility and the IoT Network; policy follows the user.]


Benefits of SD-Access
• Enhance security and compliance
• Deliver consistent experience
• Boost operational effectiveness
• Gain network insights
SD-Access Implements Intent for Campus Networks

SD-Access, residing on Catalyst Center, drives intent and automation for wired and wireless campus networks.

A Campus Network could be:
• University
• Financial Institution
• Retail and Manufacturing
• Multinational Corporations
• Healthcare Organization
• Hospitality Industry

SD-Access caters to all.

[Figure: Headquarters connected to Branch 1, Branch 2 ... Branch N.]


What is Intent-Driven Automation?
Administrators define the intent, i.e., an objective or a goal, with a few clicks in the GUI; automation then translates it onto the devices.

[Figure: a Catalyst Center GUI workflow pushing configuration to routers, switches, APs and WLCs.]

Best-practice configurations, curated and validated for each intent (aka workflow), are configured onto hundreds of devices in one go, achieving intent-driven automation at scale.


Zero-Trust for Workplace with SD-Access

Establish a custom zero-trust journey with flexible paths and recommended steps, and measure percentage progress and view statistics with the help of the journey circle on Catalyst Center.

This is an optional and purely explorative step that can be modified at any stage.


Attribute-Based Policy and Segmentation

[Figure: Catalyst Center and ISE integration: Trust, Configure, Context.]

• Catalyst Center and ISE integration facilitates automated configuration and segmentation at scale.
• This helps achieve consistent and centralized policy definitions for wired and wireless endpoints.
• Move away from traditional ACLs to an IP-agnostic, group-based approach to policy creation.
• Realize software-defined segmentation based on endpoint attributes.
• Enhance visibility into who or what is connecting to the network.


Insights and Telemetry
Get visibility into user and application experience along with the overall health of the network.

• End user insights: Onboarding, Connectivity, IPv4/v6, Device Type, MAC, VLAN, Trust Score, etc.
• Network health and status: Site Health, System Health, Topology, Issues and Suggested Actions.
• Application Visibility & Performance: Application Usage/Throughput, Business Relevant Application Health, Integrations, Trends.


Underlay and Overlay

Underlay Network: physical infrastructure that provides IP reachability with redundancy and resiliency.

Overlay Network: logical topology used to virtually connect devices, built over an arbitrary physical underlay topology. Examples: GRE, CAPWAP, IPsec, LISP, VXLAN, etc.


Why an Overlay?

Overlay: flexible, scalable and extensible. Easy to add, modify, and deliver services in virtualized overlay topologies. Optimizes mobility events.

Underlay: build and forget! Reliable, manageable, and simple.


SD-Access Overlay: LISP
Locator/Identity Separation Protocol

Separation of identity and location through a mapping relationship of an endpoint’s identity (EID) to its routing locator (RLOC).

• EID: IPv4/IPv6/MAC of an endpoint.
• RLOC: Loopback0 of the device that endpoints connect to.
• The RLOC registers endpoint information in its local database (EID table) for directly connected endpoints and in its map-cache for LISP-learnt endpoints.
• A LISP Map-Register message is used to inform the Control Plane node of the connected endpoint.
• User/Device Identity = IP address (EID 1.1.1.1) + RLOC (2.2.2.2).
• A Control Plane node, based on LISP Map-Server and Map-Resolver functionality, tracks EID-to-RLOC bindings for all endpoints across the site.

[Figure: endpoint EID 1.1.1.1 connects to the device with RLOC 2.2.2.2, whose local EID table holds "1.1.1.1 → ---" (directly connected). The RLOC sends a Map-Register ("1.1.1.1 connects to me!") to the Control Plane, which answers with a Map-Notify ("Ack!") and records EID 1.1.1.1 → RLOC 2.2.2.2 in its Mapping Database System.]

Control Plane protocol of choice. Lightweight, extensible, and scalable. Supports Layer 3 overlay. Pull-based model. Scoped signaling.
SD-Access Overlay: VXLAN
Virtual eXtensible Local Area Network

Encapsulation for data packets that supports Layer 2 and Layer 3 overlays and carries additional information to make policy decisions.

• Depicting a post-lookup forwarding path here.
• The Control Plane is queried by the RLOC to determine the routing locator associated with the destination address (EID-to-RLOC mapping), and that RLOC is used as the traffic destination.
• VXLAN overlay data-plane encapsulation: the encapsulation is added to the data packet, a VXLAN tunnel is created, and the packet is sent to the destination RLOC.

[Figure: endpoint EID 1.1.1.1 behind RLOC 2.2.2.2 wants to talk to host 3.3.3.3. RLOC 2.2.2.2 sends a Map-Request ("Where is 3.3.3.3?") to the Control Plane, whose Mapping Database System holds EID 1.1.1.1 → RLOC 2.2.2.2 and EID 3.3.3.3 → RLOC 4.4.4.4; the Map-Reply says "Behind RLOC 4.4.4.4". RLOC 2.2.2.2 now holds 1.1.1.1 → --- (local EID table) and 3.3.3.3 → 4.4.4.4 (map-cache); RLOC 4.4.4.4 holds 3.3.3.3 → --- (local). The data packet is VXLAN-encapsulated from 2.2.2.2 to 4.4.4.4.]

Data Plane protocol of choice. Supports Layer 3 and Layer 2 overlay.


SD-Access Underlay
Accommodates any Physical Network Topology

• Overlays are agnostic to the underlay physical topology.
• Any wired or wireless endpoint address anywhere, including environments with unusual cabling implementations.
• The routed underlay IGP takes care of load balancing and fast link/node fault convergence. Obsoletes less robust mechanisms like L2 trunking and STP.


SD-Access Underlay
Robust Underlay Infrastructure Deployment

• Routed Access Network.
• Any routing protocol.
• Resilient and redundant fast-converged connectivity with ECMP, BFD, NSF enabled.
• Loopback0 with /32 host prefix.
• Higher MTU to accommodate VXLAN encapsulation.
• Underlay multicast to optimize overlay subnet multicast/broadcast distribution.

Manual | Semi-Automated Underlay: device-by-device onboarding and configuration, either manually or through Catalyst Center Plug-and-Play.

Automated Underlay: turnkey solution to onboard multiple switches with image management and best-practices configuration.


What is an SD-Access Fabric Site?

An SD-Access Fabric Site offers programmable overlays for wired and wireless campus networks, enabled on a single physical infrastructure.

A single fabric site could be demarcated and defined based upon:
• Geographical location.
• Endpoint scale.
• Failure domain scoping.
• RTT.
• Underlay connectivity attributes.

Fabric sites are typically interconnected by a “Transit”.


SD-Access Roles



Cisco SD-Access Roles
Key Roles for a Complete Wired and Wireless Campus Experience

Cisco Catalyst Center: GUI and APIs for intent-based automation of wired and wireless fabric devices.

Identity Services Engine: NAC and identity services for dynamic endpoint-to-Security-Group-Tag mapping and policy distribution.

Control Plane Node: map system that tracks endpoint-to-fabric-node relationships.

Border Nodes: connect external L3 and L2 networks to the Cisco SD-Access fabric.

Edge Nodes: connect wired endpoints to the Cisco SD-Access fabric and optionally enforce micro-segmentation policy.


Cisco SD-Access Roles
Key Roles for a Complete Wired and Wireless Campus Experience (continued)

Edge Nodes: connect wired endpoints and Fabric APs to the Cisco SD-Access fabric and optionally enforce micro-segmentation policy.

Fabric Wireless Controller: the Fabric WLC is integrated into the SD-Access Control Plane (LISP) communication.

Fabric Access Point: switches endpoint traffic to the adjacent Edge Node.


Cisco SD-Access Roles
Additional Roles for Reference

Extended Nodes: a switch operating at Layer 2 that extends fabric connectivity and optionally enforces micro-segmentation policy.

Transit Control Plane Nodes: facilitate connectivity of multiple SD-Access fabric sites while preserving end-to-end segmentation.

Intermediate Nodes: move data between fabric nodes. Can be one or many hops. Part of the underlay.


Cisco SD-Access Roles
Some of the Supported Colocations

• Border Node and Control Plane Node.
• Border Node, Control Plane Node, and Fabric Edge Node.
• Border Node, Control Plane Node, and Embedded Wireless Controller.
• Border Node, Control Plane Node, Fabric Edge Node, and Embedded Wireless Controller.


Cisco SD-Access Fabric
Control Plane Node Maintains a Host Tracking Database to Map Location Information

• A simple Host Database that maps Endpoint IDs to locations, along with other attributes.
• The Host Database supports multiple Endpoint ID lookup types (IPv4, IPv6 or MAC).
• Receives Endpoint ID map registrations from Edge Nodes, Border Nodes and Fabric Wireless LAN Controllers.
• Resolves lookup requests from Edge Nodes and Border Nodes to locate destination Endpoint IDs.
• Publishes registrations to Subscribers (Border Nodes).

[Figure: an endpoint with IP 1.2.3.4/32 and MAC AA:BB:CC attached to Edge Node EN1. Host Database entries: IP to RLOC 1.2.3.4/32 → EN1; MAC to RLOC AA:BB:CC → EN1; Address Resolution 1.2.3.4 → AA:BB:CC.]


Enable Control Plane Node
Go to Provision -> Fabric Site -> Select the node



Cisco SD-Access Fabric
Border Node Provides the Gateway Between the SD-Access Fabric Site and External Networks

Border Nodes connect external L3 and L2 networks to the Cisco SD-Access fabric. As a result, they perform VXLAN encapsulation and decapsulation.

There are 4 types of Border Nodes: External Border Node, Internal Border Node, Anywhere Border Node, and Layer 2 Border Node.

[Figure: the Border Node sits between the External Network and the fabric and subscribes to the Control Plane for mapping changes.]
Cisco SD-Access Fabric
External Border Node

• The most common configuration.
• Exports all fabric subnets to outside the Fabric Site as eBGP summary routes.
• Does not register IP prefixes from outside the Fabric Site into the fabric Control Plane.
• Acts as a gateway of last resort for the Fabric Site.

[Figure: an Edge Node asks the Control Plane "Who has 8.8.8.8?" and receives a negative reply, so traffic for the Internet / rest of the network is sent to the External Border Node.]


Cisco SD-Access Fabric
Internal Border Node

• Exports all fabric subnets to outside the Fabric Site as eBGP summary routes.
• Imports and registers eBGP-learned IPv4/IPv6 prefixes from outside the Fabric Site into the fabric Control Plane.
• Does not act as a gateway of last resort for the Fabric Site.

[Figure: the Internal Border Node imports and registers the Data Center / Shared Services prefixes (e.g. 40.1.1.2) to the Control Plane; an Edge Node asking "Who has 40.1.1.2?" is answered with the Internal Border Node's RLOC.]


Cisco SD-Access Fabric
Internal + External Border Node

• Exports all fabric subnets to outside the Fabric Site as eBGP summary routes.
• Imports and registers eBGP-learned IPv4/IPv6 prefixes from outside the Fabric Site into the fabric Control Plane.
• Acts as a gateway of last resort for the Fabric Site.

[Figure: one Border Node connects to both the Internet and the Data Center / Shared Services, importing and registering the latter's prefixes to the Control Plane.]


Cisco SD-Access Fabric
Layer 2 Border Node

• Acts as Layer 2 handoff for pure Layer 2 overlays or Layer 2 + Layer 3 overlays.
• Allows VLAN translation between SD-Access network segments and non-fabric VLAN IDs.
• Dual homing requires link aggregation; STP is not tunneled within the SD-Access Fabric.
• Ideally should be a separate device from the Layer 3 Border Node.

[Figure: a Traditional Switching Domain (vlan 100) with a gateway outside the fabric (10.10.10.1/24) and a host 20.20.20.30/32 (CC:DD:EE/48) connects through the Layer 2 Border Node, with VLAN translation to fabric vlan 10 and vlan 20. Inside the fabric, John (10.10.10.20/32, AA:BB:CC/48) sits on a Layer 2 overlay and Kate (20.20.20.20/32, BB:CC:DD/48) on a Layer 2 + Layer 3 overlay in the same subnet as the outside host.]


Enable Layer 3 Border Node
Go to Provision -> Fabric Site -> Select the node



Enable Layer 2 Border Node
Go to Provision -> Fabric Site -> Select the node



Cisco SD-Access Fabric
Edge Node Provides First Hop Services for Endpoints

• Responsible for authenticating and authorizing endpoints (e.g. 802.1X, MAB, static) in concert with ISE.
• Registers Endpoint IDs (IPv4, IPv6, MAC) with the Control Plane Nodes.
• Provides an Anycast Gateway for the connected wired and wireless endpoints.
• Performs VXLAN encapsulation and decapsulation of traffic to and from all connected wired endpoints.

[Figure: endpoint IP 1.2.3.4/32, MAC AA:BB:CC attached to EN1; Control Plane entries: IP to RLOC 1.2.3.4/32 → EN1, MAC to RLOC AA:BB:CC → EN1, Address Resolution 1.2.3.4 → AA:BB:CC.]


Enable Edge Node
Go to Provision -> Fabric Site -> Select the node



Cisco SD-Access Fabric
Fabric Enabled Wireless Unifies Wired and Wireless Management, Policy and Data Planes

• The Fabric WLC is accessible through a Fabric Border Node (underlay). It can be several hops away.
• Fabric Enabled APs reside in a dedicated IP range and communicate with the WLC (CAPWAP control).
• The Fabric WLC registers endpoints with the Control Plane Node.
• Fabric APs switch endpoint traffic to the adjacent Edge Node. No concentrator bottleneck. Wi-Fi 6 up to 9.6 Gbps, Wi-Fi 7 up to 46 Gbps.
• Wireless endpoints use the same data plane and policy plane as wired endpoints.

[Figure: wireless endpoint MAC AA:BB:CC, IP 1.2.3.4/32; control traffic: CAPWAP, data traffic: VXLAN.]
SD-Access Constructs



Cisco SD-Access Fabric
Virtual Networks, also known as Macro-segmentation

• Layer 3 Virtual Networks use VRFs and LISP Instance IDs to maintain separate routing topologies.
• Endpoint IDs (IPv4/IPv6 addresses) are routed within an L3VN.
• Layer 2 Virtual Networks use LISP Instance IDs and VLANs to maintain separate switching topologies.
• Endpoint IDs (MAC addresses) are switched within an L2VN.
• Edge Nodes, Border Nodes and Fabric APs add a VNID (the LISP IID) to the fabric encapsulation.

[Figure: Layer 2 VN IOT (VLAN and L2 LISP IID) on vlan 10; Layer 3 VN CAMPUS (VRF and L3 LISP IID) containing Layer 2 VNs (VLAN and L2 LISP IID) on vlan 20 and vlan 30; Layer 3 VN GUEST (VRF and L3 LISP IID) containing a Layer 2 VN on vlan 40. On the Edge Nodes: vlan 10 (IOT), vlan 20 and vlan 30 (VN CAMPUS), vlan 40 (VN GUEST).]


Cisco SD-Access Fabric
Layer 3 Virtual Networks

• User-Defined VNs (add or remove on demand).
• INFRA_VN (only for Fabric Access Points and Extended Nodes, in the Global Routing Table).
• Global Routing Table (Fabric Devices (underlay) connectivity).

[Figure: each fabric device has GRT: RLOC (Lo0); VN INFRA_VN and VN USER ride over it.]


Cisco SD-Access Fabric
Layer 3 Virtual Network Handoff

• A “Peer Device” may leak external routes into SD-Access Layer 3 Virtual Networks.
• Alternatively, maintain VRF segmentation outside of the SD-Access Fabric with a VRF-aware external routing domain.
• The Peer Device is outside the fabric. It can be any platform (router, Layer 3 switch, firewall, etc.) with appropriate capabilities.

[Figure: maintaining VRF segmentation outside of SD-Access. The Border Node carries VN GUEST (SVI 40, vlan 40) and VN CAMPUS (SVI 30, vlan 30); the handoff uses VRF GUEST (SVI A), VRF CAMPUS (SVI B) and GRT (SVI C) with MP-BGP address families (AF VRF GUEST, AF VRF CAMPUS, AF IPv4) to the Peer Device external to the fabric, which connects to the External Routing Domain.]


Cisco SD-Access Fabric
Extranet Provider Virtual Network Layer 3 Handoff

• Use an Extranet Policy to allow communication between one Provider Virtual Network and one or more Subscriber Virtual Networks.
• Extranet Policy is available from SD-Access 2.3.5.3. Requires the LISP Pub/Sub Control Plane.

[Figure: an Extranet Policy allows communication between 1 Provider VN (INFRA_VN) and N Subscriber VNs (GUEST on SVI 40 / vlan 40, CAMPUS on SVI 30 / vlan 30). Only the Provider VN is handed off: VRF INFRA_VN (SVI Z) peers via AF IPv4 BGP with the Peer Device external to the fabric, which connects to the External Routing Domain.]


Cisco SD-Access Fabric
Layer 2 Virtual Networks

• By default, an L2VN is deployed with each Anycast Gateway and Layer 2 Flooding is disabled. Layer 2 Flooding can be enabled, if necessary, to service niche applications.
• An L2VN can be deployed without an Anycast Gateway; then Layer 2 Flooding cannot be disabled. Sometimes referred to as “Gateway Outside the Fabric”.
• If Layer 2 Flooding is enabled, a Multicast Underlay P2MP tunnel is established between all Fabric Nodes.

[Figure: Layer 2 VN IOT (VLAN, L2 LISP IID) with its gateway outside the fabric, beside Layer 3 VN CAMPUS containing a Layer 2 VN with an in-fabric GW; endpoints MAC 1.1.1 and MAC 2.2.2.]

Layer 2 Handoff
• Layer 2 Virtual Networks hand off through a user-defined VLAN.
• Layer 2 Virtual Networks may implement broadcast, unknown-unicast and multicast flooding. Be mindful of loop prevention.


Cisco SD-Access Fabric
Host Pools Provide a Default Gateway and Basic IP Services for Endpoints

• Edge Nodes instantiate an access VLAN and a Switched Virtual Interface (SVI) with user-defined IPv4/IPv6 addresses per Host Pool.
• Host Pools are assigned to endpoints dynamically by AAA or statically per port.
• Edge Nodes and Fabric WLCs register endpoint IDs (/32, /128 or MAC) with the Control Plane, enabling IP mobility: any IP address anywhere.

[Figure: L3 VN CAMPUS with Pool .64 and Pool .128; ISE assigns Host Pools to endpoints dynamically; Edge Nodes register EIDs (/32, /128 or MAC) to the Control Plane. USER A: IP 10.10.10.66/26, MAC AA.BB.CC.]


Cisco SD-Access Fabric
Anycast Gateway Provides a Default Gateway for IP-Capable Endpoints

• Similar principle and behavior to FHRP, with a shared virtual IPv4/IPv6 address and MAC address.
• The same Switch Virtual Interface (SVI) is present on all Edge Nodes with the same virtual IP and MAC.
• The wired or wireless endpoint can connect to any switch or AP in the fabric and communicate with the same Anycast Gateway.

[Figure: L3 VN CAMPUS; every Edge Node hosts GW 1.1.0.1/16 with MAC AA.BB.CC.]


Cisco SD-Access Fabric
Host Pools are “stretched” via the Overlay

• Endpoint IPv4/IPv6 traffic arrives on an Edge Node and is then routed or switched by the Edge Node.
• Fabric Dynamic EID mapping allows endpoint-specific (/32, /128, MAC) advertisement and mobility.
• VLANs are no longer needed to interconnect endpoints across Edge Nodes; this happens in the Overlay without broadcast flooding.

[Figure: L3 VN CAMPUS with VLAN 10 and VLAN 20 and GW 1.1.0.1/16 on each Edge Node. USER A 1.1.1.66/16 (MAC 2.2.2) on EN1, USER B 1.1.2.66/16 (MAC 3.3.3) on EN3. Control Plane entries: IP to RLOC 1.1.1.66/32 → EN1, 1.1.2.66/32 → EN3; MAC to RLOC 2:2:2 → EN1, 3:3:3 → EN3; Address Resolution 1.1.1.66 → 2:2:2, 1.1.2.66 → 3:3:3.]


Cisco SD-Access Fabric
Security Group Tag Assigns a “Group” to Each Endpoint

• Edge Nodes and Fabric APs assign a unique Scalable Group Tag (SGT) to each endpoint in concert with ISE.
• Edge Nodes and Fabric APs add an SGT to the fabric encapsulation.
• SGTs are used to implement IP-address-independent traffic policies.
• SGTs can be extended to numerous other networking technologies, e.g., Cisco Secure Firewall, Cisco SD-WAN, some third-party devices, etc.

[Figure: Layer 2 VN IOT with SGT 8, 9, 10; Layer 3 VN CAMPUS with SGT 4, 5. The fabric encapsulation carries the SGT info. USER C 1.1.1.2/24, VN IOT, SGT 8; USER B 2.2.2.2/24, VN CAMPUS, SGT 4; USER A 3.3.3.2/24, VN CAMPUS, SGT 5.]


Adding Virtual Networks and Anycast Gateway
Go to Provision -> SD-Access -> Virtual Networks



SD-Access Control Plane



Cisco SD-Access Fabric
Control Plane: Locator/ID Separation Protocol (LISP)

Where you are in a network can change, but who you are in the network remains the same.

[Figure: User John (IP 4.4.4.4/32, VN Campus, SGT 25) keeps the same identity whether attached behind RLOC 1.1.1.1, RLOC 2.2.2.2 or RLOC 3.3.3.3.]

(IETF Standards Track RFC9300-RFC9305 and Informational RFC9299)

Cisco SD-Access Fabric
Why LISP?

Pull model
• No massive routing tables.
• Creates a ‘DNS’ for routing.
• Conversational learning.

Wired and Wireless Unification
• The WLC participates in LISP control plane communication.
• Wired and wireless endpoints have policy applied at the same point in the network.

Scalability
• BGP and IGPs cannot scale like LISP.
• Purpose-built for scale.

Host Mobility
• Native support for this capability.
• Wired and wireless.

Address-Family Agnostic
• Supports IPv4, IPv6, and MAC address families.

Extensibility
• LISP Canonical Address Format (LCAF) allows for encoding of additional information beyond simply address families.
• LISP has been actively developed, optimized, and enhanced for the last ten years.


LISP Pub/Sub Control Plane
Basic Definitions – Pub/Sub

Subscribers
• Border Nodes, Edge Nodes.
• A Border Node is an IID subscriber.
• An Edge Node is a Policy subscriber.

• The Border Node subscription is also known as LISP Instance-ID (IID) Table Subscription.
• The LISP device expresses interest in receiving updates for all registrations in a given IID table.
• More specifically, IID Table Subscriptions are per instance-ID and per address family (AF) within that instance-ID.
• The Fabric Edge Node subscription is known as policy-based subscription (the availability of a default border).

Publishers
• Control Plane Nodes / Transit Control Plane Nodes.
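The registration, Map-Request lookup, host mobility and IID-table subscription behaviour described on the LISP overlay, Control Plane Node host-tracking and Pub/Sub slides, as an added simplified Python model (not Cisco code). The RLOCs, EIDs, node names and the instance ID 4099 are constructed sample values; the stale map-cache refresh a real fabric performs is deliberately not modelled.

```python
"""Simplified model of the SD-Access LISP control plane: a Control Plane Node
(Map-Server/Map-Resolver) with a host-tracking database, fabric nodes with a
local EID table and map-cache, host mobility, and a Border Node's Pub/Sub
IID-table subscription. Added illustration, not Cisco code; all values are
constructed samples."""
from typing import Dict, List, Optional, Set, Tuple

# Host database key: (LISP instance ID = VN, address family, EID value);
# the lookup types from the slides are IPv4 /32, IPv6 /128 and MAC.
EidKey = Tuple[int, str, str]


class ControlPlaneNode:
    """Map-Server/Map-Resolver tracking EID-to-RLOC bindings per IID."""

    def __init__(self) -> None:
        self.host_db: Dict[EidKey, str] = {}
        # Pub/Sub: subscriptions are per (instance ID, address family).
        self.subscribers: Dict[Tuple[int, str], List["FabricNode"]] = {}

    def subscribe(self, iid: int, af: str, node: "FabricNode") -> None:
        """IID-table subscription (what a Border Node does): the node receives
        the current table once, then every registration change for it."""
        self.subscribers.setdefault((iid, af), []).append(node)
        for (i, a, eid), rloc in self.host_db.items():
            if (i, a) == (iid, af):
                node.publication(iid, af, eid, rloc)

    def map_register(self, iid: int, af: str, eid: str, rloc: str) -> Optional[str]:
        """Map-Register from a fabric node. Returns the previous RLOC; it differs
        from `rloc` only when the endpoint has moved (host mobility)."""
        key = (iid, af, eid)
        old = self.host_db.get(key)
        self.host_db[key] = rloc
        if old != rloc:                          # push the change (Pub/Sub)
            for sub in self.subscribers.get((iid, af), []):
                sub.publication(iid, af, eid, rloc)
        return old

    def map_request(self, iid: int, af: str, eid: str) -> Optional[str]:
        """Map-Request/Map-Reply (pull model); None is a negative reply."""
        return self.host_db.get((iid, af, eid))


class FabricNode:
    """Edge or Border Node identified by its RLOC (Loopback0 address)."""

    def __init__(self, rloc: str, cp: ControlPlaneNode) -> None:
        self.rloc, self.cp = rloc, cp
        self.local_eids: Set[EidKey] = set()     # directly connected endpoints
        self.map_cache: Dict[EidKey, str] = {}   # LISP-learnt endpoints

    def attach(self, iid: int, af: str, eid: str) -> None:
        """Endpoint connects (after 802.1X/MAB/static): register with the CP."""
        self.local_eids.add((iid, af, eid))
        self.cp.map_register(iid, af, eid, self.rloc)

    def detach(self, iid: int, af: str, eid: str) -> None:
        self.local_eids.discard((iid, af, eid))

    def locate(self, iid: int, af: str, eid: str) -> Optional[str]:
        """Forwarding lookup: local EID table, then map-cache, then Map-Request.
        None means unknown: such traffic goes to the default border instead."""
        key = (iid, af, eid)
        if key in self.local_eids:
            return self.rloc
        if key not in self.map_cache:
            rloc = self.cp.map_request(iid, af, eid)
            if rloc is None:
                return None
            self.map_cache[key] = rloc
        return self.map_cache[key]

    def publication(self, iid: int, af: str, eid: str, rloc: str) -> None:
        """Pub/Sub update pushed by the CP: refresh the map-cache."""
        self.map_cache[(iid, af, eid)] = rloc


def demo() -> Dict[str, Optional[str]]:
    """Slide scenario: 1.1.1.1 behind RLOC 2.2.2.2 talks to 3.3.3.3 behind
    RLOC 4.4.4.4; then 3.3.3.3 roams and only the Border Node gets the push."""
    cp = ControlPlaneNode()
    campus = 4099                          # constructed L3 instance ID, VN CAMPUS
    en1, en2, en3 = (FabricNode(r, cp) for r in ("2.2.2.2", "4.4.4.4", "5.5.5.5"))
    border = FabricNode("9.9.9.9", cp)
    en1.attach(campus, "ipv4", "1.1.1.1")
    en2.attach(campus, "ipv4", "3.3.3.3")
    cp.subscribe(campus, "ipv4", border)   # Border: IID-table subscriber
    out: Dict[str, Optional[str]] = {}
    out["en1_to_3.3.3.3"] = en1.locate(campus, "ipv4", "3.3.3.3")   # 4.4.4.4 (pull)
    out["en3_to_3.3.3.3"] = en3.locate(campus, "ipv4", "3.3.3.3")   # 4.4.4.4, cached
    out["en1_to_8.8.8.8"] = en1.locate(campus, "ipv4", "8.8.8.8")   # None: not in fabric
    out["border_learnt_1.1.1.1"] = border.map_cache.get((campus, "ipv4", "1.1.1.1"))
    # Host mobility: 3.3.3.3 roams from EN2 to EN1 and is re-registered.
    en2.detach(campus, "ipv4", "3.3.3.3")
    en1.attach(campus, "ipv4", "3.3.3.3")
    out["cp_after_move"] = cp.map_request(campus, "ipv4", "3.3.3.3")            # 2.2.2.2
    out["border_after_move"] = border.map_cache.get((campus, "ipv4", "3.3.3.3"))  # pushed
    # EN3 is a policy subscriber, not an IID subscriber: its cache stays stale here.
    out["en3_stale_cache"] = en3.map_cache.get((campus, "ipv4", "3.3.3.3"))     # 4.4.4.4
    return out
```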

LISP in Cisco SD-Access

LISP/BGP
• Released circa 2017.
• Reliable and stable.
• BGP transport.
• Pull model.

LISP Pub/Sub
• Released in 2022 with Cisco Catalyst Center* 2.2.3.x.
• Reliable and stable.
• Native LISP transport.
• Push model.
• Less Control Plane load.
• Faster convergence.
• Highly extensible.

*Rebranded to Catalyst Center in late 2023


LISP Pub/Sub Control Plane

• No plans to end support for LISP/BGP.
• LISP Pub/Sub is recommended for new deployments.
• In Cisco Catalyst Center* 2.2.3.x, new Fabric Sites can be configured as LISP/BGP or LISP Pub/Sub. Note minimum IOS XE versions.
• A LISP/BGP to LISP Pub/Sub migration workflow is under development now.

*Rebranded to Catalyst Center in late 2023


SD-Access Data Plane



Cisco SD-Access Fabric
Data Plane: Virtual Extensible Local Area Network (VXLAN)

VXLAN extends Layer 2 and Layer 3 overlay networks over a Layer 3 underlay network (IP Network).

• Scalability: 16 million unique identifiers.
• Runs on top of L3, avoids the need for STP.
• L2 traffic tunnelled over an L3 infrastructure.
• Handles broadcast, multicast, and unknown unicast traffic using multicast instead of flooding.
• Carries segmentation information.


Cisco SD-Access Fabric
Data Plane: Virtual Extensible Local Area Network (VXLAN)

1. Control Plane: LISP
2. Data Plane: VXLAN

Original packet:   ETHERNET | IP | PAYLOAD
Packet in LISP:    ETHERNET | IP | UDP | LISP | IP | PAYLOAD
Packet in VXLAN:   ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD   (supports L2 & L3 overlay)


VXLAN-GPO Header
MAC-in-IP with VN ID and SGT ID

Underlay (outer headers):

Outer MAC Header (14 bytes; the 0x8100 VLAN tag, 4 bytes, is optional)
• Dest. MAC (48 bits): next-hop MAC address
• Source MAC (48 bits): source VTEP MAC address
• VLAN Type (16 bits), VLAN ID (16 bits)
• Ether Type (16 bits): 0x0800

Outer IP Header (20 bytes)
• Misc. Data (72 bits)
• Protocol (8 bits): 0x11 (UDP)
• Header Checksum (16 bits)
• Source IP (32 bits): source RLOC IP address
• Dest. IP (32 bits): destination RLOC IP address

UDP Header (8 bytes)
• Source Port (16 bits): hash of the inner L2/L3/L4 headers of the original frame; enables entropy for ECMP load balancing
• Dest Port (16 bits): UDP 4789
• UDP Length (16 bits)
• Checksum (16 bits): 0x0000

Overlay:

VXLAN Header (8 bytes)
• VXLAN Flags (8 bits): RRRRIRRR
• Segment ID (16 bits): allows 64K possible SGTs
• VN ID (24 bits): allows 16M possible VRFs
• Reserved (8 bits)

Inner (Original) MAC Header
Inner (Original) IP Header
Original Payload


SD-Access Policy Plane



Cisco SD-Access Fabric
Policy Plane: Group-Based Policy

1. Control Plane: LISP
2. Data Plane: VXLAN
3. Policy Plane: Group-Based Policy

ETHERNET | IP | UDP | VXLAN (VRF + SGT) | ETHERNET | IP | PAYLOAD


What is Security Group Tag and Group-Based Policy?

[Figure: an endpoint is authenticated and classified as Camera (SGT 5, IP 10.1.10.220). On the far side, endpoints are authenticated and classified as Lighting (SGT 20, IP 10.1.100.52) and HVAC (SGT 30, IP 10.1.200.100). A packet SRC 10.1.10.220, DST 10.1.100.52 crosses the SD-Access underlay in the VXLAN overlay carrying SGT 5; at the destination it is classified as Destination = SGT 20 and the Group-Based Policy is applied.]

Group-Based Policy (source SGT → destination SGT):
• Camera (5) → Lighting (20): Permit
• Camera (5) → HVAC (30): Deny
• BYOD (7) → Lighting (20): Deny
• BYOD (7) → HVAC (30): Permit
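The VXLAN-GPO header fields from the header slide and the SGT policy matrix above, as an added Python example (not Cisco code). The byte layout follows draft-smith-vxlan-group-policy, which places a second flags byte after the slide's RRRRIRRR byte and before the 16-bit Group Policy ID; the VN ID 4099, the IP-to-SGT bindings at the egress node and the extra SSH port rule on Camera → Lighting are constructed assumptions, the IPs, SGTs and permit/deny matrix are the slide's values.

```python
"""VXLAN-GPO encapsulation with VN ID and SGT, and group-based policy enforced
at the decapsulating node. Added illustration, not Cisco code. Header layout
per draft-smith-vxlan-group-policy: flags, flags2, Group Policy ID (16, = SGT),
VNI (24), reserved (8). IPs, SGTs and the matrix are the slide's values; the
VN ID, the egress bindings and the port rule are constructed."""
import struct
from typing import Dict, List, Optional, Tuple

VXLAN_UDP_PORT = 4789
FLAG_G = 0x80              # Group Policy ID (SGT) present
FLAG_I = 0x08              # VNI valid: the "I" in RRRRIRRR
VNI_MAX = (1 << 24) - 1    # 16M possible VN IDs
SGT_MAX = (1 << 16) - 1    # 64K possible SGTs


def build_vxlan_gpo(vni: int, sgt: int) -> bytes:
    """8-byte header: flags, flags2, SGT (16), VNI (24), reserved (8)."""
    if not (0 <= vni <= VNI_MAX and 0 <= sgt <= SGT_MAX):
        raise ValueError("VNI must fit in 24 bits and SGT in 16 bits")
    return struct.pack("!BBH", FLAG_G | FLAG_I, 0, sgt) + vni.to_bytes(3, "big") + b"\x00"


def parse_vxlan_gpo(hdr: bytes) -> Tuple[int, Optional[int]]:
    """Return (vni, sgt); sgt is None when the G bit says no tag is carried."""
    if len(hdr) < 8:
        raise ValueError("truncated VXLAN header")
    flags, _flags2, gpid = struct.unpack("!BBH", hdr[:4])
    if not flags & FLAG_I:
        raise ValueError("I flag clear: VNI not valid")
    vni = int.from_bytes(hdr[4:7], "big")
    return vni, (gpid if flags & FLAG_G else None)


# Constructed egress IP-to-SGT bindings (in a fabric these come from ISE/AAA):
# 5 = Camera, 7 = BYOD, 20 = Lighting, 30 = HVAC.
IP_TO_SGT = {"10.1.10.220": 5, "10.1.100.52": 20, "10.1.200.100": 30}

# Contract: ordered (protocol, dst port, action) rules; first match wins.
Rule = Tuple[str, Optional[int], str]
CONTRACTS: Dict[Tuple[int, int], List[Rule]] = {   # keyed by (src SGT, dst SGT)
    (5, 20): [("tcp", 22, "deny"), ("any", None, "permit")],  # constructed port rule
    (5, 30): [("any", None, "deny")],
    (7, 20): [("any", None, "deny")],
    (7, 30): [("any", None, "permit")],
}
DEFAULT_ACTION = "deny"    # constructed: pairs without a contract are denied


def evaluate(src_sgt: int, dst_sgt: int, proto: str, dport: Optional[int]) -> str:
    """Apply the source/destination group contract the way an SGACL would."""
    for r_proto, r_port, action in CONTRACTS.get((src_sgt, dst_sgt), []):
        if r_proto in ("any", proto) and r_port in (None, dport):
            return action
    return DEFAULT_ACTION


def egress_enforce(vxlan_hdr: bytes, dst_ip: str, proto: str, dport: Optional[int]) -> str:
    """Decapsulating node: the source SGT comes from the header, the destination
    SGT from the local IP-to-SGT binding; if either is missing, apply the default."""
    _vni, src_sgt = parse_vxlan_gpo(vxlan_hdr)
    dst_sgt = IP_TO_SGT.get(dst_ip)
    if src_sgt is None or dst_sgt is None:
        return DEFAULT_ACTION
    return evaluate(src_sgt, dst_sgt, proto, dport)


def demo() -> Dict[str, str]:
    """Slide flow: Camera (SGT 5, 10.1.10.220) to Lighting and HVAC, plus BYOD."""
    campus = 4099                                   # constructed VN ID
    camera = build_vxlan_gpo(campus, 5)             # added at the ingress edge
    assert parse_vxlan_gpo(camera) == (campus, 5)
    untagged = struct.pack("!BBH", FLAG_I, 0, 0) + campus.to_bytes(3, "big") + b"\x00"
    return {
        "camera_to_lighting_http": egress_enforce(camera, "10.1.100.52", "tcp", 80),
        "camera_to_lighting_ssh": egress_enforce(camera, "10.1.100.52", "tcp", 22),
        "camera_to_hvac": egress_enforce(camera, "10.1.200.100", "udp", 53),
        "byod_to_hvac": egress_enforce(build_vxlan_gpo(campus, 7), "10.1.200.100", "tcp", 443),
        "untagged_to_lighting": egress_enforce(untagged, "10.1.100.52", "tcp", 80),
    }
```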



SD-Access Policy
Macro-Segmentation and Micro-Segmentation

Virtual Network (VN): first-level segmentation ensures zero communication between forwarding domains. Ability to consolidate multiple networks into one management plane.

Security Group Tag (SGT): second-level segmentation ensures role-based access control between groups in a VN. Ability to segment the network into lines of business or functional blocks.

[Figure: VN Campus and VN IOT as separate forwarding domains, each subdivided into groups by SGT.]


SD-Access Policy
Access Control Policies

A policy is Source Group → Contract → Destination Group; for example Guest Users → Web Server with the contract CLASSIFIER: PORT, ACTION: DENY.

Classifier Type: Port Number, Protocol Name, Application Type.
Action Type: Permit, Deny, Copy.

Create and edit access contracts without knowing the syntax for the underlying SGACLs.

[Figure: ISE and Cisco Catalyst Center.]


SD-Access Policy
Group-Based Access Control Policy

1. Select Source Group(s)
2. Select Destination Group(s)
3. Select Access Contract(s)


Multiple Fabrics



Transits for VN and SGT Preservation

IP-Based Transit
• Per-Layer-3-Virtual-Network eBGP peering to the external routing domain, or LISP Extranet Provider VN eBGP peering to the external routing domain.
• SGT propagation outside of the fabric requires suitable hardware and software.

[Figure: Fabric1 and Fabric2 each peer VN1, VN2 and VN3 over eBGP across an IP network.]

SD-Access Transit
• SD-Access LISP/VXLAN between Fabric Sites.
• Preserves Layer 3 Virtual Networks and SGT.
• Fabric as a transit between external routing domains.

[Figure: Fabric1, Fabric2 ... FabricN connected over an IP network, with external routing domains ASN1 and ASN2.]

Watch BRKENS-2816 for an SD-Access Transit deep dive.
Adding IP Transit and SD-Access Transit
Go to Provision -> SD-Access -> Transits



Cisco SD-Access Collaterals

Cisco Software-Defined Access Cisco Solution Validated Profiles (CVPs) for Industry Verticals, enabling intent-based networking:
• Cisco Large Enterprise and Government Profile
• Healthcare Vertical
• Financial Vertical
• Manufacturing Vertical
• Retail Vertical
• University Vertical

Further resources:
• Cisco SD-Access YouTube Link
• Multiple Cisco Catalyst Center to ISE
• Cisco SD-Access Design Tool
• EN&C Validated Designs
• The Latest SD-Access Guides