Components of SD-Access
Cisco Software-Defined Access (SD-Access) is driving the evolution of traditional campus network designs. It is a software application that is used to automate wired and wireless campus networks. Deploying SD-Access brings many benefits, among them simplified deployment and automation, network assurance, and consistent wired and wireless security capabilities. Cisco SD-Access is made up of Catalyst Center and ISE. Catalyst Center is a centralized manager running many applications and services; it is a great appliance, but it is also resource-intensive. The other component is the Identity Services Engine (ISE). ISE is a secure network access platform that gives increased awareness, control, and consistency over the users and devices accessing an organization's network, and it is a key part of SD-Access when it comes to implementing network access control policy.
SD-Access can be broken down into four planes: the control plane, the data plane, the policy plane, and the management plane. The control plane carries the communication between devices in the fabric and uses LISP. The data plane uses VXLAN to encapsulate data packets. The policy plane, which handles security and segmentation, is provided by Cisco TrustSec. Lastly, the management plane covers assurance, management, orchestration, and visibility through Cisco Catalyst Center. I could go much more in-depth on each of these, but that would need a separate post. What I mainly want to talk about here are the nodes in SD-Access.
The nodes I want to cover are the Control Plane Node, Edge Node, Intermediate Node, Border Node, and the Fabric WLC.
Control Plane Node
The control plane node, as I mentioned earlier, is based on LISP. I will keep this brief, but here are its functions:
- Host Tracking Database (HTDB): Central repository for EID-to-RLOC bindings.
- Endpoint Identifier (EID): Address used to identify an endpoint device in the network. An EID can be an IPv4 address, an IPv6 address, or a MAC address.
- Map Server: Receives endpoint registrations indicating the associated RLOC used to populate the HTDB.
- Map Resolver: Responds to queries from fabric devices requesting RLOC mapping information from the HTDB.
Edge Node
An edge node is the equivalent of an access layer switch in a traditional campus LAN design. Its functionality is based on the LISP ingress and egress tunnel router (xTR) roles. One important thing to note is that edge nodes must be deployed using a Layer 3 routed access design. An edge node does many things:
- Endpoint Registration: Edge node detects and registers endpoints in the EID table.
- Anycast Layer 3 Gateway: All edge nodes use the same IP and MAC address for the gateway SVI, which gives optimal routing.
- Layer 2 Bridging: Edge nodes bridge intra-VLAN traffic using Layer 2 VNIs.
- Mapping of User to Virtual Network: Endpoints are assigned to VLANs tied to SVIs and VRFs.
- AAA Authenticator: Edge nodes act as the network access device, authenticating endpoints through 802.1X and assigning VLANs based on policy.
- VXLAN Encapsulation/De-Encapsulation: Edge nodes encapsulate endpoint traffic in VXLAN for transport and de-encapsulate incoming traffic for delivery.
Intermediate Node
The intermediate node is very simple. It is part of the Layer 3 network and is used to interconnect the devices operating in the fabric. Its primary purpose is to route and transport IP traffic.
Border Node
The border node serves as the gateway between the fabric site and the networks external to the fabric. It is responsible for network virtualization and SGT propagation to the rest of the network. Border nodes perform the following functions:
- Advertisement of EID Subnets: BGP advertises fabric endpoint prefixes externally so that inbound traffic is routed to the border nodes.
- Fabric Site Exit Point: The border node will act as the default gateway for traffic leaving or entering the fabric.
- Network Virtualization Extension to the External World: The border node will use VRF-lite and VRF-aware routing to maintain segmentation beyond the fabric.
- Policy Mapping: Border nodes preserve and map SGTs using SXP or inline tagging when traffic exits the fabric.
- VXLAN Encapsulation/De-Encapsulation: Border nodes encapsulate incoming traffic into VXLAN and de-encapsulate outgoing fabric traffic destined for nonfabric networks.
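As an added illustration (example code, not Cisco's or this post's own), here is a small Python model of the control plane node functions listed earlier, the edge node's VXLAN encapsulation, and the SGT that the policy plane carries across edge and border nodes: EIDs of all three types are registered and resolved against an HTDB, and the 8-byte VXLAN header with the Group Policy extension is built and parsed. The RLOC values, the EIDs and the logging of binding changes are assumptions of the example.

```python
import ipaddress
import struct

class ControlPlaneNode:
    """Map server and map resolver over the Host Tracking Database (HTDB)."""

    def __init__(self):
        self.htdb = {}    # EID -> RLOC (the registering edge node's loopback)
        self.events = []  # audit trail of EIDs whose RLOC binding changed

    @staticmethod
    def normalize_eid(eid):
        """Accept an IPv4, IPv6 or MAC EID and return it in canonical form."""
        try:
            return str(ipaddress.ip_address(eid))
        except ValueError:
            mac = eid.lower().replace("-", ":").replace(".", "")
            if len(mac) == 12:  # Cisco dotted form, e.g. 0011.2233.4455
                mac = ":".join(mac[i:i + 2] for i in range(0, 12, 2))
            if len(mac.split(":")) != 6:
                raise ValueError(f"not an IPv4/IPv6/MAC EID: {eid}")
            return mac

    def register(self, eid, rloc):
        """Map server: an edge node registers an EID behind its RLOC."""
        eid = self.normalize_eid(eid)
        old = self.htdb.get(eid)
        if old is not None and old != rloc:
            # Same EID now claimed behind another edge node (a roam or
            # mobility event): worth keeping in the logs for review.
            self.events.append(f"EID {eid} moved {old} -> {rloc}")
        self.htdb[eid] = rloc
        return eid

    def resolve(self, eid):
        """Map resolver: return the RLOC bound to an EID, or None if unknown."""
        return self.htdb.get(self.normalize_eid(eid))

def vxlan_gpo_header(vni, sgt):
    """8-byte VXLAN header with the Group Policy extension: flags G (0x8000)
    and I (0x0800), 16-bit group policy ID carrying the SGT, 24-bit VNI, 8 reserved bits."""
    if not 0 <= vni < 2 ** 24 or not 0 <= sgt < 2 ** 16:
        raise ValueError("VNI is 24 bits, SGT is 16 bits")
    return struct.pack("!HHI", 0x8800, sgt, vni << 8)

def parse_vxlan_gpo_header(hdr):
    """Inverse of vxlan_gpo_header: recover the SGT and VNI for a policy decision."""
    flags, sgt, vni_res = struct.unpack("!HHI", hdr[:8])
    return {"gpo": bool(flags & 0x8000), "sgt": sgt, "vni": vni_res >> 8}
```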
Fabric Wireless Controller (WLC)
The last thing I want to talk about is the Fabric Wireless Controller. The fabric WLC manages APs and client sessions just like a normal WLC would. It also integrates with the fabric by updating the Host Tracking Database (HTDB) during client events. These WLCs typically reside within the local fabric site.