BRKCRS-2810 (2020) - Fundamental

Cisco Software-Defined
Access
Solution Fundamentals
“A Look Under The Hood”
Shawn Wargo
Principal Engineer - Technical Marketing
BRKCRS-2810
Cisco Software-Defined
Access
Solution Fundamentals
“A Look Under The Hood”
Shawn Wargo
Principal Engineer - Technical Marketing
BRKCRS-2810
Cisco Webex Teams
Questions?
Use Cisco Webex Teams to chat
with the speaker after the session
How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
BRKCRS-2810 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
TUE WED THU FRI
Keynote BRKCRS-2815 BRKCRS-2818 BRKCRS-2819

Cisco SD-Access – 08:30 Build a Software Defined Enterprise 08:30 Creating multi-domain architecture
09:00 Connecting Multiple Sites with Cisco SDWAN & SD-Access using Cisco SD-Access
in a Single Fabric 09:00
BRKCRS-2830 BRKCRS-3811
Cisco SD-Access – Lessons Cisco SD-Access –
BRKCRS-2821 learned from Design & Deployment
09:45
Policy Driven Manageability
BRKCRS-2810 Cisco SD-Access –
Cisco SD-Access –
A Look Under the Hood
11:00 Connecting to the DC,
FW, WAN and more! BRKCRS-2502 BRKCRS-2812
11:00 Best Practices for Design and Cisco SD-Access – Integrating
BRKCRS-2832 Deployment of Cisco SD-Access with your existing network
Extending Cisco
BRKCRS-2825
11:15 BRKARC-2020
SD-Access beyond Cisco SD Access - 11:30
Enterprise walls Cisco SD-Access - Scaling the
BRKCRS-1400 Fabric to 100s of Sites Troubleshooting the fabric
Recipe for transforming 14:30 BRKCRS-2824

Enterprise Networks
with IBN
BRKCRS-3810 Intuitive Zero-Trust Design,
Migration When Securing
Cisco SD-Access deep dive 14:45
the SD-Access Workplace
BRKCRS-2823
BRKCRS-2811 Cisco SD-Access – 16:45
Keynote
Cisco SD-Access – 17:00 Firewall Integration Customer 17:00
Connecting the Fabric Appreciation 18:30
to External Networks
IBN
Technology
Cisco SD-Access © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
Agenda
Complex
3 4
1 2 5
Time
1 Key Benefits
Why do you care?
2 Key Concepts
What is SD-Access?
3 Fabric Fundamentals
How does it work?
4 Controller Fundamentals
How does it work?
5 Take Away
Where to get started?
Complex
3 4
1 2 5
Time
Why do you care?
Key Benefits
Cisco’s Intent-Based Network
Delivered by Cisco Software Defined Access SAAS
ACI
Data Center
LEARNING SD-Access
Cisco DNA Center
Policy Automation Analytics SD-WAN Wireless

Control
INTENT CONTEXT
Fabric
Border
Intent-Based Fabric
Network Infrastructure Control
SD-Access
Switch Route Wireless

Fabric
Edge
SECURITY
Cisco Software Defined Access
The Foundation for Cisco’s Intent-Based Network
Cisco DNA Center
One Automated
Network Fabric
Policy Automation Assurance Single fabric for Wired and
Wireless with full automation
Outside
B B
Identity-Based
C
Policy and Segmentation
Policy definition decoupled
from VLAN and IP address
AI-Driven
Insights and Telemetry
SD-Access
Extension Client Mobility Analytics and visibility into
User and Application experience
Policy follows User
IoT Network Employee Network © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public
Complex
3 4
1 2 5
Time
What is Software Defined Access?
Key
Concepts
© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public
What is SD-Access?
Campus Fabric + Cisco DNA Center (Automation & Assurance)
APIC-EM
NCP ▪ SD-Access
1.X
ISE NDP
PI GUI approach provides automation &
assurance of all Fabric configuration,
Cisco DNA
Center management and group-based policy
Cisco DNA Center integrates multiple

IP management systems, to orchestrate
LAN, Wireless LAN and WAN access
B B
▪ Campus Fabric
C
CLI or API approach to build a LISP +
VXLAN + CTS Fabric overlay for your
enterprise Campus networks
Campus
CLI provides backward compatibility,
Fabric but management is box-by-box.
API provides some automation via
NETCONF/YANG, also box-by-box.
Separate management systems

1. High-Level View
2. Roles & Platforms
3. Fabric Constructs
Roles &
Terminology
SD-Access
What exactly is a Fabric?
A Fabric is an Overlay
An Overlay network is a logical topology used to virtually connect devices,
built over an arbitrary physical Underlay topology.
An Overlay network often uses alternate forwarding attributes to provide
additional services, not provided by the Underlay.
Examples of Network Overlays

• GRE, mGRE • LISP
• MPLS, VPLS • OTV
• IPSec, DMVPN • DFA
• CAPWAP • ACI
SD-Access
Fabric Terminology
Overlay Network Overlay Control Plane
Encapsulation
Edge Device Edge Device
Hosts
(End-Points)
Underlay Network Underlay Control Plane
SD-Access
Fabric Underlay – Manual vs. Automated
Manual Underlay LAN Automation

You can reuse your existing IP Fully automated prescriptive IP
network as the Fabric Underlay! network Underlay Provisioning!
• Key Requirements • Key Requirements
• IP reach from Edge to Edge/Border/CP • Leverages standard PNP for Bootstrap
• Can be L2 or L3 – We recommend L3 • Assumes New / Erased Configuration
• Can be any IGP – We recommend ISIS • Uses a Global “Underlay” Address Pool
• Key Considerations • Key Considerations

• MTU (Fabric Header adds 50B) • Seed Device pre-setup is required
• Latency (RTT of =/< 100ms) • 100% Prescriptive (No Custom)
Underlay Network
Cisco SD-Access
Fabric Roles & Terminology
▪ Network Automation – Simple GUI
Automation and APIs for intent-based Automation
Identity
Cisco ISE Cisco DNA Center of wired and wireless fabric devices
Services
▪ Network Assurance – Data Collectors
analyze Endpoint to Application flows
Assurance and monitor fabric device status
▪ Identity Services – NAC & ID Services
Fabric Border IP
(e.g. ISE) for dynamic Endpoint to Group
Fabric Wireless mapping and Policy definition
Nodes Controllers
B B ▪ Control-Plane Nodes – Map System that
manages Endpoint to Device relationships
Control-Plane
Intermediate
C Nodes ▪ Fabric Border Nodes – A fabric device
Nodes (Underlay)
(e.g. Core) that connects External L3
network(s) to the SD-Access fabric
Campus ▪ Fabric Edge Nodes – A fabric device
Fabric Edge (e.g. Access or Distribution) that connects
Nodes Fabric Fabric Wireless
Access Points
Wired Endpoints to the SD-Access fabric
▪ Fabric Wireless Controller – A fabric device
(WLC) that connects Fabric APs and
Wireless Endpoints to the SD-Access fabric
1. High-Level View
Roles &
Terminology
SD-Access Fabric
Control-Plane Nodes – A Closer Look
Control-Plane Node runs a Host Tracking Database to map location information

IP to RLOC MAC to RLOC Address Resolution
1.2.3.4 → FE1 AA:BB:CC:DD → FE1 1.2.3.4 → AA:BB:CC:DD
• A simple Host Database that maps Endpoint IDs to C

a current Location, along with other attributes
B B
• Host Database supports multiple types of Endpoint
ID lookup types (IPv4, IPv6 or MAC)
• Receives Endpoint ID map registrations from Edge

and/or Border Nodes for “known” IP prefixes
• Resolves lookup requests from Edge and/or Border FE1
Nodes, to locate destination Endpoint IDs IP - 1.2.3.4/32

MAC – AA:BB:CC:DD
SD-Access Platforms
For more details: cs.co/sda-compatibility-matrix
The Channelco®
Fabric Control Plane CRN®

Products of the Year
2017, 2018
NEW
Catalyst 9300 Catalyst 9400 Catalyst 9500 Catalyst 9600
• Catalyst 9300 • Catalyst 9400 • Catalyst 9500 • Catalyst 9600

• 1/mG RJ45 • Sup1XL • 40/100G QSFP • Sup1
• 10/25/40/mG NM • 9400 Cards • 1/10/25G SFP • 9600 Cards
SD-Access Platforms
Fabric Control Plane
Catalyst 3K Catalyst 6K ISR 4K & ENCS ASR1K
NEW
• Catalyst 3650/3850 • Catalyst 6500/6800 • ISR 4430/4450 • ASR 1000-X

• 1/mG RJ45 • Sup2T/Sup6T • ISR 4330/4450 • ASR 1000-HX
• 1/10G SFP • C6800 Cards • ENCS 5400 • 1/10G RJ45
C6880/6840-X • ISRv / CSRv • 1/10G SFP
• 1/10/40G NM Cards •
SD-Access Fabric
Edge Nodes – A Closer Look
Edge Node provides first-hop services for Users / Devices connected to a Fabric
IP to RLOC MAC to RLOC Address Resolution
1.2.3.4 → FE1 AA:BB:CC:DD → FE1 1.2.3.4 → AA:BB:CC:DD
• Responsible for Identifying and Authenticating C

Endpoints (e.g. Static, 802.1X, Active Directory)
B B
• Register specific Endpoint ID info (e.g. /32 or /128)
with the Control-Plane Node(s)
• Provide an Anycast L3 Gateway for the connected

Endpoints (same IP address on all Edge nodes)
• Performs encapsulation / de-encapsulation of data FE1
traffic to and from all connected Endpoints IP - 1.2.3.4/32

MAC – AA:BB:CC:DD
SD-Access Platforms
The Channelco®
Fabric Edge Node CRN®

2017, 2018
NEW NEW
Catalyst 9200 Catalyst 9300 Catalyst 9400 Catalyst 9500 Catalyst 9600
• Catalyst 9200/L* • Catalyst 9300 • Catalyst 9400 • Catalyst 9500 • Catalyst 9600
• 1/mG RJ45 • 1/mG RJ45 • Sup1/Sup1XL • 1/10/25G SFP • Sup1
• 1G SFP (Uplinks) • 10/25/40/mG NM • 9400 Cards • 40/100G QSFP • 9600 Cards
SD-Access Platforms
Fabric Edge Node
NEW
Catalyst 3K Catalyst 4500E Catalyst 6K
• Catalyst 3650/3850 • Catalyst 4500E • Catalyst 6500/6800

• 1/mG RJ45 • Sup8E/Sup9E (Uplink) • Sup2T/Sup6T
• 1/10G SFP • 4600/4700 Cards (Host) • C6800 Cards
• 1/10/40G NM Cards • C6880/6840-X
SD-Access Fabric
Border Nodes
Border Node is an Entry & Exit point for data traffic going Into & Out of a Fabric
There are 3 Types of Border Node!
• Internal Border (Rest of Company)

• connects ONLY to the known areas of the company
• External Border (Outside)

• connects ONLY to unknown areas outside the company
DNA Center
• Internal + External (Anywhere) 1.3

1.2
• connects transit areas AND known areas of the company
SD-Access Platforms
The Channelco®
Fabric Control Plane CRN®

2017, 2018
NEW
Catalyst 9300 Catalyst 9400 Catalyst 9500 Catalyst 9600
• Catalyst 9300 • Catalyst 9400 • Catalyst 9500 • Catalyst 9600

• 1/mG RJ45 • Sup1XL • 40/100G QSFP • Sup1
• 10/25/40/mG NM • 9400 Cards • 1/10/25G SFP • 9600 Cards
SD-Access Platforms
Fabric Border Node

* EXTERNAL ONLY
Catalyst 3K Catalyst 6K Nexus 7K* ISR 4K ASR 1K
• Catalyst 3650/3850 • Catalyst 6500/6800 • Nexus 7700 • ISR 4300/4400 • ASR 1000-X/HX
• 1/mG RJ45 • Sup2T/Sup6T • Sup2E • AppX (AX) • AppX (AX)
• 1/10G SFP • C6800 Cards • M3 Cards • 1/10G RJ45 • 1/10G ELC/EPA
• 1/10/40G NM Cards • C6880/6840-X • LAN1K9 + MPLS • 1/10G SFP • 40G ELC/EPA
SD-Access Fabric
Border Nodes - Internal
Internal Border advertises Endpoints to outside, and known Subnets to inside
IP - 1.2.3.0/24
• Connects to any “known” IP subnets available from C
the outside network (e.g. DC, WLC, FW, etc.)
Known Unknown
Networks Networks
B B
• Exports all internal IP Pools to outside (as
aggregate), using a traditional IP routing protocol(s).
• Imports and registers (known) IP subnets from

outside, into the Control-Plane Map System
• Hand-off requires mapping the context (VRF & SGT)

from one domain to another. IP - 1.2.3.4/32
MAC – AA:BB:CC:DD
SD-Access Fabric
Border Nodes - External
External Border is a “Gateway of Last Resort” for any unknown destinations
IP - 0.0.0.0/0
• Connects to any “unknown” IP subnets, outside of C
the network (e.g. Internet, Public Cloud)
Known Unknown
Networks Networks
B B
• Exports all internal IP Pools outside (as aggregate)
into traditional IP routing protocol(s).
• Does NOT import unknown routes! It is a “default”

exit, if no entry is available in Control-Plane.
• Hand-off requires mapping the context (VRF & SGT)

from one domain to another. IP - 1.2.3.4/32
MAC – AA:BB:CC:DD
SD-Access Fabric
Fabric Enabled Wireless – A Closer Look
Fabric Enabled WLC is integrated into Fabric for SD-Access Wireless clients
Ctrl: CAPWAP
MAC – AA:BB:CC:DD
Data: VXLAN
• Connects to Fabric via Border (Underlay) C

Known Unknown
Networks Networks
• Fabric Enabled APs connect to the WLC (CAPWAP)
B B
using a dedicated Host Pool (Overlay)
• Fabric Enabled APs connect to the Edge via VXLAN
• Wireless Clients (SSIDs) use regular Host Pools for

data traffic and policy (same as Wired)
IP - 1.2.3.4/32
• Fabric Enabled WLC registers Clients with the
Control-Plane (as located on local Edge + AP)
SD-Access Platforms
Fabric Enabled Wireless

* No IPv6, AVC, FNF
NEW NEW
Catalyst 9800 Catalyst 9100 AireOS WLC AireOS AP
• Catalyst 9800-L • Catalyst 9130 • AIR-CT3504 • 1800/2800/3800/4800

• Catalyst 9800-40 • Catalyst 9120/9115 • AIR-CT5520 • 1700/2700/3700*
• Catalyst 9800-80 • 1G/mG RJ45 (Uplink) • AIR-CT8540 • 1G/mG RJ45 (Uplink)
• Catalyst 9800-CL
SD-Access Extension for IoT
Securely Consolidate IT and IOT
Beta in 1.2.5
DNA Center
Extended Node Portfolio
GA in 1.3.1
IE3300/3400 IE4000/4010 IE5000
Enterprise Campus
Catalyst Digital 3560-CX

Building Compact
▪ Operational IOT simplicity (Automation)

▪ IT designed and managed –or-
Enterprise
Extended
Extended Nodes ▪ IT designed and OT managed

REP Ring
▪ Greater visibility of IoT devices (Assurance)
▪ Extended Segmentation & Policy (Security)
1. High-Level View
Roles &
Terminology
SD-Access Fabric
Virtual Network– A Closer Look
Virtual Network maintains a separate Routing & Switching table for each instance
• Control-Plane uses Instance ID to maintain separate C

VRF topologies (“Default” VRF is Instance ID “4098”)
Known Unknown
Networks Networks
B B
• Nodes add a VNID to the Fabric encapsulation
• Endpoint ID prefixes (Host Pools) are routed and VN VN VN

advertised within a Virtual Network Campus IOT Guest
• Uses standard “vrf definition” configuration, along

with RD & RT for remote advertisement (Border Node)
SD-Access Fabric
Scalable Groups – A Closer Look
Scalable Group is a logical policy object to “group” Users and/or Devices
• Nodes use “Scalable Groups” to ID and assign a C

unique Scalable Group Tag (SGT) to Endpoints
Known Unknown
Networks Networks
B B
• Nodes add a SGT to the Fabric encapsulation
SGT
SGT SGT SGT
• SGTs are used to manage address-independent 17
4
SGT
8 25
“Group-Based Policies” SGT SGT SGT 19 SGT

3 23 11 12
• Edge or Border Nodes use SGT to enforce local

Scalable Group ACLs (SGACLs)
SD-Access Fabric
Host Pools – A Closer Look
Host Pool provides basic IP functions necessary for attached Endpoints
• Edge Nodes use a Switch Virtual Interface (SVI), C

with IP Address /Mask, etc. per Host Pool
Known Unknown
Networks Networks
B B
• Fabric uses Dynamic EID mapping to advertise each
Host Pool (per Instance ID) Pool
Pool
Pool .4 Pool
.17 .8 .25
Pool
• Fabric Dynamic EID allows Host-specific (/32, /128 Pool Pool Pool .19 Pool
or MAC) advertisement and mobility

.13 .23 .11 .12
• Host Pools can be assigned Dynamically (via Host

Authentication) and/or Statically (per port)
SD-Access Fabric
Anycast Gateway – A Closer Look
Anycast GW provides a single L3 Default Gateway for IP capable endpoints
C
• Similar principle and behavior to HSRP / VRRP with Known Unknown
a shared “Virtual” IP and MAC address Networks Networks
B B
• The same Switch Virtual Interface (SVI) is present
on EVERY Edge with the SAME Virtual IP and MAC
• Control-Plane with Fabric Dynamic EID mapping

maintains the Host to Edge relationship
• When a Host moves from Edge 1 to Edge 2, it does GW GW GW GW GW

1.2.3.1/24 1.2.3.1/24 1.2.3.1/24 1.2.3.1/24 1.2.3.1/24
not need to change it’s Default Gateway ☺
SD-Access Fabric
Layer 3 Overlay – A Closer Look
Stretched Subnets allow an IP subnet to be “stretched” via the Overlay
• Host IP based traffic arrives on the local Fabric Edge C

Known Unknown
(SVI) and is then transferred by the Fabric Networks Networks
B B
• Fabric Dynamic EID mapping allows Host-specific
(/32, /128, MAC) advertisement and mobility
Dynamic
EID
• Host 1 connected to Edge A can now use the same
IP subnet to communicate with Host 2 on Edge B
• No longer need a VLAN to connect Host 1 and 2 ☺ GW GW GW GW GW
SD-Access Fabric
Layer 2 Overlay – A Closer Look
Layer 2 Overlay allows Non-IP endpoints to use Broadcast & L2 Multicast
• Similar principle and behavior as Virtual Private LAN C

Known Unknown
Services (VPLS) P2MP Overlay Networks Networks
B B
• Uses a pre-built Multicast Underlay to setup a P2MP
tunnel between all Fabric Nodes.
L2
Overlay
• L2 Broadcast and Multicast traffic will be distributed
to all connected Fabric Nodes.
VLAN VLAN VLAN
• Can be enabled for specific Host Pools that require
L2 services (use Stretched Subnets for L3)
NOTE: L3 Integrated Routing and Bridging (IRB) is not supported at this time.
Complex
3 4
1. Control-Plane
1 2 5
Time 2. Data-Plane
3. Policy-Plane
What is Campus Fabric?
Fabric
Fundamentals
SD-Access Fabric
Campus Fabric - Key Components
1. Control-Plane based on LISP

2. Data-Plane based on VXLAN
3. Policy-Plane based on CTS
B B
Key Differences
C
• L2 + L3 Overlay -vs- L2 or L3 Only

• Host Mobility with Anycast Gateway
• Adds VRF + SGT into Data-Plane
• Virtual Tunnel Endpoints (Automatic)
• NO Topology Limitations (Basic IP)
SD-Access Fabric
Key Components - LISP
Control-Plane based on LISP

Host
1. Mobility
Routing Protocols = Big Tables & More CPU LISP DB + Cache = Small Tables & Less CPU
with Local L3 Gateway with Anycast L3 Gateway
BEFORE AFTER
IP Address = Location + Identity Separate Identity from Location
Prefix RLOC
192.58.28.128 ….....171.68.228.121
Prefix Next-hop 189.16.17.89

22.78.190.64
….....171.68.226.120
….....171.68.226.121
189.16.17.89 ….....171.68.226.120 172.16.19.90 ….....171.68.226.120
22.78.190.64 ….....171.68.226.121 192.58.28.128 ….....171.68.228.121
172.16.19.90 ….....171.68.226.120 192.58.28.128 ….....171.68.228.121
192.58.28.128 …....171.68.228.121 Prefix Next-hop 189.16.17.89 ….....171.68.226.120
Mapping
189.16.17.89 …....171.68.226.120 22.78.190.64 ….....171.68.226.121
189.16.17.89 ….....171.68.226.120
22.78.190.64 ….....171.68.226.121 172.16.19.90 ….....171.68.226.120
Endpoint
22.78.190.64 ….....171.68.226.121
172.16.19.90 …......171.68.226.120 192.58.28.128 ….....171.68.228.121
172.16.19.90 ….....171.68.226.120
192.58.28.128 ….....171.68.228.121
192.58.28.128 …....171.68.228.121
189.16.17.89 …....171.68.226.120
Database
22.78.190.64 ….....171.68.226.121
172.16.19.90 …......171.68.226.120
Routes are
192.58.28.128 …......171.68.228.121
189.16.17.89 ….....171.68.226.120
22.78.190.64 …......171.68.226.121
172.16.19.90 ….....171.68.226.120
192.58.28.128 ….....171.68.228.121
Consolidated
Prefix
189.16.17.89
22.78.190.64
Next-hop
…......171.68.226.120
….....171.68.226.121
to LISP DB
172.16.19.90 ….....171.68.226.120
192.58.28.128 …....171.68.228.121
189.16.17.89 …....171.68.226.120
22.78.190.64 ….....171.68.226.121 Prefix Next-hop
172.16.19.90 …......171.68.226.120 189.16.17.89 ….....171.68.226.120
192.58.28.128 ….....171.68.228.121 22.78.190.64 ….....171.68.226.121
189.16.17.89 …....171.68.226.120 172.16.19.90 ….....171.68.226.120
22.78.190.64 ….....171.68.226.121 192.58.28.128 …....171.68.228.121
172.16.19.90 …......171.68.226.120
192.58.28.128 ….....171.68.228.121
189.16.17.89 ….....171.68.226.120
22.78.190.64 …......171.68.226.121
172.16.19.90 ….....171.68.226.120
192.58.28.128 ….....171.68.228.121
Prefix Next-hop
Prefix Next-hop 189.16.17.89 ….....171.68.226.120
189.16.17.89 ….....171.68.226.120 22.78.190.64 ….....171.68.226.121
22.78.190.64 ….....171.68.226.121 172.16.19.90 ….....171.68.226.120
172.16.19.90 ….....171.68.226.120 192.58.28.128 …....171.68.228.121
192.58.28.128 …....171.68.228.121
189.16.17.89 …....171.68.226.120
22.78.190.64 ….....171.68.226.121
172.16.19.90 …......171.68.226.120
Only Local Routes

192.58.28.128 ….....171.68.228.121
Topology + Endpoint Routes

189.16.17.89 …....171.68.226.120
22.78.190.64 ….....171.68.226.121
172.16.19.90 …......171.68.226.120
Topology Routes
192.58.28.128 ….....171.68.228.121
189.16.17.89 ….....171.68.226.120
22.78.190.64 …......171.68.226.121
172.16.19.90 ….....171.68.226.120
192.58.28.128 ….....171.68.228.121
Endpoint Routes
Fabric Operation
Control-Plane Roles & Responsibilities Control-Plane EID RLOC
a.a.a.0/24 w.x.y.1
b.b.b.0/24 x.y.w.2
c.c.c.0/24 z.q.r.5
d.d.0.0/16 z.q.r.5
LISP Map Server / Resolver EID Space

EID
a.a.a.0/24
RLOC
w.x.y.1
(Control-Plane) b.b.b.0/24
c.c.c.0/24
d.d.0.0/16
x.y.w.2
z.q.r.5
z.q.r.5
• EID to RLOC mappings EID RLOC

Edge a.a.a.0/24
b.b.b.0/24
w.x.y.1
x.y.w.2
• Can be distributed across Non-LISP

c.c.c.0/24
d.d.0.0/16
z.q.r.5
z.q.r.5
multiple LISP devices Prefix Next-hop

w.x.y.1 e.f.g.h
x.y.w.2 e.f.g.h
z.q.r.5 e.f.g.h
LISP Tunnel Router - XTR

z.q.r.5 e.f.g.h
Border RLOC Space

(Edge & Internal Border)
• Register EID with Map Server
• Ingress / Egress (ITR / ETR) Edge
LISP Proxy Tunnel Router - PXTR EID Space

(External Border)
• EID = Endpoint Identifier
• Provides a Default Gateway
• Host Address or Subnet
when no mapping exists
• RLOC = Routing Locator
• Ingress / Egress (PITR / PETR) • Local Router Address
Fabric Operation
Control Plane Register & Resolution
Branch
Where is 10.2.2.2?
Cache Entry (on ITR)
10.2.2.2/32 → (2.1.2.1)
Fabric Edge

5.1.1.1
2.1.1.1 2.1.2.1 3.1.1.1 3.1.2.1
Database Mapping Entry (on ETR) Fabric Edges Database Mapping Entry (on ETR)
10.2.2.4/32 → ( 3.1.2.1)
10.2.2.2/32 → ( 2.1.2.1)
10.2.2.3/16 10.2.2.2/16 10.2.2.5/16 10.2.2.4/16
Subnet 10.2.0.0 255.255.0.0 stretched across

Fabric Operation
Fabric Internal Forwarding (Edge to Edge)
3 EID-prefix: 10.2.2.2/32
Mapping Locator-set: Path Preference
Entry Controlled
2.1.2.1, priority: 1, weight:100
by Destination Site
1
DNS Entry:
Branch Non-Fabric Non-Fabric
D.abc.com A 10.2.2.2
10.1.0.0/24
Fabric Borders
S Fabric Edge
2
1.1.1.1
10.1.0.1 → 10.2.2.2 5.3.3.3
IP Network 5.1.1.1 5.2.2.2

4 Mapping
System
1.1.1.1 → 2.1.2.1
10.1.0.1 → 10.2.2.2 2.1.1.1 2.1.2.1 3.1.1.1 3.1.2.1
5 Fabric Edges
10.1.0.1 → 10.2.2.2
D
10.2.2.3/16 10.2.2.2/16 10.2.2.4/16 10.2.2.5/16
Subnet 10.2.0.0 255.255.0.0 stretched across
Fabric Operation
Host Mobility – Dynamic EID Migration Map Register 10.10.0.0/16 – 12.0.0.1
EID: 10.17.1.10/32
Node: 12.1.1.1 10.2.1.10/32 – 12.1.1.1
D 10.2.1.10/32 – 12.2.2.1
10.10.10.0/24
2.1.1.1
DC1 3.1.1.1
Fabric Borders 1.1.1.1
Mapping
System
Routing Table 12.0.0.1 12.0.0.2

5
10.2.1.0/24 – Local 3 Routing Table
10.2.1.10/32 – Local 10.2.1.0/24 – Local 4
2
10.2.1.10/32 – LISP0
10.2.1.10/32 - Local
IP Network
12.1.1.1 12.1.1.2 12.2.2.1 12.2.2.2
Campus Campus
Bldg 1
S Fabric Edges
1 Bldg 2
10.2.1.10 10.2.1.10
SD-Access Fabric
Unique Control-Plane extensions compared to LISP
Capability Traditional LISP SD-Access Fabric

Layer 2 Extension Limited Support Fabric Control Plane extended to support
MAC to IP binding and Layer 2 Overlays
Virtual Networks Layer-3 VN (VRF) only Both Layer-3 and Layer-2 VN (VRF)
support (using VXLAN)
Fast Roaming Not Supported Fabric Control Plane extended to support

fast roaming in =/< 50ms
Wireless Extensions Not Supported Fabric Control Plane extended to support

wireless extensions for:
• AP Onboarding
• Wireless Guest
• AP VXLAN functionality
1. Control-Plane
2. Data-Plane
3. Policy-Plane
Fabric
Fundamentals
SD-Access Fabric
Key Components – VXLAN

ORIGINAL
ETHERNET IP PAYLOAD
PACKET
Supports L3
Overlay Only
PACKET IN
ETHERNET IP UDP LISP IP PAYLOAD
LISP
Supports L2
& L3 Overlay
PACKET IN
ETHERNET IP UDP VXLAN ETHERNET IP PAYLOAD
VXLAN
VXLAN-GPO Header Next-Hop MAC Address
Src VTEP MAC Address

MAC-in-IP with VN ID & Group ID Dest. MAC 48
Source MAC 48
VLAN Type 14 Bytes

16 IP Header
0x8100 (4 Bytes Optional) 72
Misc. Data
VLAN ID 16
Protocol 0x11 (UDP) 8
Ether Type
16 Header
Outer MAC Header
0x0800 16 20 Bytes
Underlay
Checksum
Source IP 32
Src RLOC IP Address
Outer IP Header Dest. IP 32
Source Port 16 Dst RLOC IP Address
UDP Header Dest Port 16

8 Bytes Hash of inner L2/L3/L4 headers of original frame.
UDP Length 16 Enables entropy for ECMP load balancing.
VXLAN Header
Checksum 0x0000 16 UDP 4789
Inner (Original) MAC Header

Allows 64K
Inner (Original) IP Header VXLAN Flags RRRRIRRR 8 possible SGTs
Overlay
Segment ID 16
8 Bytes
Original Payload VN ID 24
Allows 16M
Reserved 8 possible VRFs
Data-Plane Overview
Fabric Header Encapsulation
Inner
Fabric Data-Plane provides the following:
Outer
• Underlay address advertisement & mapping
• Automatic tunnel setup (Virtual Tunnel End-Points)
• Frame encapsulation between Routing Locators
Support for LISP or VXLAN header format
Outer
• Nearly the same, with different fields & payload Encap
Inner
Inner
• LISP header carries IP payload (IP in IP)
• VXLAN header carries MAC payload (MAC in IP)
Decap
Triggered by LISP Control-Plane events
• ARP or NDP Learning on L3 Gateways
• Map-Reply or Cache on Routing Locators
Inner
SD-Access Fabric
Unique Data-Plane Extensions compared to VXLAN
Capability Traditional LISP/VXLAN SD-Access Fabric

SGT Tag No SGT VXLAN-GPO uses Reserved field to
carry SGT
Layer 3 Extension Yes Yes, by mapping VRF->VNI

(VRF)
Layer 2 Extension Not Supported Fabric supports Layer 2 extension by

mapping VLAN ->VNI
Wireless Not Supported AP to Fabric Edge uses VXLAN

Fabric Edge to Edge/Border uses VXLAN
for both Wired and Wireless (same)
1. Control-Plane
2. Data-Plane
3. Policy-Plane
Fabric
Fundamentals
SD-Access Fabric
Key Components – Group Based Policy

3. Policy-Plane based on CTS
Virtual Routing & Forwarding
Scalable Group Tagging
VRF + SGT
ETHERNET IP UDP VXLAN ETHERNET IP PAYLOAD
SD-Access Policy
Two Level Hierarchy - Macro Segmentation
Known Unknown
Networks Networks
SD-Access
VN VN VN
Fabric
Virtual Network (VN)
“A” “B” “C”
First level Segmentation ensures zero
communication between forwarding
domains. Ability to consolidate multiple
networks into one management plane.
Building Management Campus Users

VN VN
SD-Access Policy
Two Level Hierarchy - Micro Segmentation
Known Unknown
Networks Networks
SG
1
SG
4
SG
7
SD-Access Scalable Group (SG)
SG
2
SG
3
SG
5
SG
6
SG
8
SG
9 Fabric
Second level Segmentation ensures
role based access control between
two groups within a Virtual Network.
Provides the ability to segment the
network into either line of businesses
or functional blocks.
Building Management Campus Users

VN VN
SD-Access Policy
Policy Types
Access Control Application Traffic Copy

Policy Policy Policy
↓ ↓ ↓
Who can access What? How to treat Traffic? Need to Monitor Traffic?
Permit / Deny Rules QoS for Applications Enable SPAN Services

for Group-to-Group Access or Application Caching for specific Groups or Traffic
✓
Group Assignment
Two ways to assign SGT
Dynamic Classification Static Classification
L3 Interface (SVI) to SGT L2 Port to SGT
Campus
Access Distribution Core DC Core DC Access
MAB
Enterprise
Backbone
WLC Firewall Hypervisor SW
VLAN to SGT Subnet to SGT VM (Port Profile) to SGT
SD-Access Policy
Access Control Policies
Source Group Destination Group

Contract
Guest Users Web Server
Cisco DNA Center Cisco APIC-DC

CLASSIFIER: PORT ACTION: DENY
Classifier Type Action Type

Port Number Permit
Protocol Name Deny
Application Type Copy
All groups in a Policy must belong to the same Virtual Network
Group Propagation
VN & SGT in VXLAN-GPO Encapsulation
Encapsulation Decapsulation
IP Network
Edge Node 1 Edge Node 2
VXLAN VXLAN
VN ID SGT ID VN ID SGT ID
Classification Propagation Enforcement

Static or Dynamic VN Carry VN and Group Group Based Policies
and SGT assignments context across the network ACLs, Firewall Rules
SD-Access Fabric
Unique Policy-Plane Extensions compared to CTS
Capability Traditional CTS SD-Access Policy

SGT Propagation Enabled hop-by-hop, or by Carried with the data traffic inside
Security-Group Exchange Protocol VXLAN-GPO (overlay) end-to-end
(SXP) sessions
VN Integration Not Supported VN + SGT-aware Firewalls
Access Control Policy Yes Yes
QoS (App) Policy Not Supported App based QoS policy, to optimize
application traffic priority
Traffic Copy Policy Not Supported SRC/DST based Copy policy (using
ERSPAN) to capture data traffic
Complex
3 4
1. Architecture
1 2 5
Time 2. User Interface

3. Workflows
What is Cisco DNA Center?
Controller
Fundamentals
Cisco DNA Center
SD-Access – Key Components
ISE Appliance DNA Center Appliance

SNS 3600 Series DN2-HW-APL
Cisco DNA Center
API API
Design | Policy | Provision | Assurance API API
API
Cisco ISE
Identity 2.3
& Policy Automation
NCP Assurance
NDP
API API
Identity Services Engine Network Control Platform Network Data Platform
NETCONF
SNMP
SSH
AAA
RADIUS
TACACS
Campus Fabric NetFlow
Syslog
HTTPS
Cisco Switches | Cisco Routers | Cisco Wireless
www.cisco.com/c/en/us/products/cloud-systems-management/dna-center/datasheet-listing.html
Cisco DNA Center

Overall “Solution Scale” is Driven by Cisco DNAC
Cisco DNAC 1.3 Cisco DNA Center

DN2-HW-APL DN2-HW-APL-L DN2-HW-APL-XL
44 Core- UCS M5 56 Core- UCS M5 112 Core- UCS M5
DN2-HW-APL
44 Core - UCS M5
Switches,
1000 2000 5000
Routers & WLC
Access Points 4000 6000 12000
Endpoints
25K 40K 100K DN2-HW-APL-L
(Wired + Wireless)
56 Core - UCS M5
Infrastructure
Sites 500 1000 2000
Fabric Nodes 500/Site 600/Site 1000/Site
IP Pools 300/Site 500/Site 600/Site DN2-HW-APL-XL

112 Core - UCS M5
Virtual Networks 64/Site 64/Site 256/Site
Access Policies 5K 10K 25K
Cisco DNA Center
High Availability Cluster
1 or 3 appliance HA Cluster (more in future)

- Odd number to achieve quorum
of distributed system
Seen as 1 logical DNAC instance
- Connect to Virtual (Cluster) IP
- Rare need to access individual nodes
Distributed Micro Services on Maglev cluster (e.g. SSH)
2 nodes active/sharing + 1 redundant
Virtual IP - Some services run multiple copies
spread across nodes (e.g. databases)
- Other services run single copy and
migrate from failed to redundant node
Single Appliance for Cisco DNA (Automation + Assurance) BRKCRS-2810 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 122
Cisco DNA Center
Automated Provisioning and Telemetry Enrichment
Telemetry Intent
Alerts
Network Control Violations Network Data

Platform Inventory, Topology, Host, Group Platform
Network State changes
Path Trace information
Configuration Automation C Data Collection

Telemetry Configuration Telemetry Data
B B
Campus
Fabric
Cisco DNA Center and ISE integration
Identity and Policy Automation
Cisco Identity Services Engine
Authentication Groups and

Authorization Policies
Policies
PxGrid
Campus Fabric REST APIs
Fabric Policy
Management Authoring
Workflows
Cisco DNA Center
Cisco DNA Center and ISE integration
ISE roles in SD-Access
Admin/Operate
Network
Devices
DNA-Center
Devices REST pxGrid
Things
Config Sync Context
ISE-PSN ISE-PAN ISE-PXG

Users
Authorization Policy Exchange Topics
TrustSecMetaData
if Employee then SGT 10
SGT Name: Employee = SGT 10
Users SGT Name: Contractor = SGT 20
if Contractor then SGT 20
...
SessionDirectory*
if Things then SGT 30
Bob with Win10 on CorpSSID
ISE-MNT
* Roadmap
1. Architecture
2. User Interface
3. Workflows
What is Cisco DNA Center?
Controller
Fundamentals
Cisco DNA Center
4 Step Workflow
Design Policy Provision Assurance
• Global Settings • Virtual Networks • Fabric Domains • Health Dashboard

• Site Profiles • ISE, AAA, Radius • CP, Border, Edge • 360o Views
• DDI, SWIM, PNP • Endpoint Groups • Fabric WLC, AP • Net, Device, Client
• User Access • Group Policies • External Connect • Path Traces
System Settings & Integration
App Management & High Availability
Assure
How about a
LIVE DEMO?
• Design
• Policy
• Provision
• Assurance
Complex
3 4
1 2 5
Time
Take
Away
Things to Remember
Session Summary
SD-Access = Campus Fabric + Cisco DNA Center
B B
C Cisco DNA Center

Simple Workflows
Campus
Fabric DESIGN PROVISION POLICY ASSURANCE
SD-Access Support
Digital Platforms for your Cisco Digital Network Architecture

BETA
Switching Routing Wireless Extended
Catalyst 9600 Catalyst 9400 ASR-1000-HX Catalyst 9800
NEW
NEW
ASR-1000-X
NEW
Catalyst 9500 Catalyst 9300 Cisco Digital Building

Catalyst 9100 APs
Catalyst 9200 AIR-CT8540

NEW
ISR 4451
ISR 4430 Catalyst 3560-CX

AIR-CT3504
AIR-CT5520
ISR 4330
NEW
Catalyst 6800 NEW
Catalyst 4500E Nexus 7700
Aironet Aironet
Catalyst 3850 & 3650 ENCS 5400 Wave 1 APs* Wave 2 APs Cisco IE 3K/4K/5K
What’s New?
Cisco DNA Center 1.3
Optimized for Distribution Optimized for Extension Optimized for Policy
SD-Access 1.2.10 SD-Access 1.3.0 SD-Access 1.3.3

February 2019 June 2019 January 2020
DNA Center 1.2.10, ISE 2.4 p6, DNA Center 1.3.0, ISE 2.6 p1, DNA Center 1.3.3, ISE 2.6 p2,
IOS-XE 16.9.2s, AireOS 8.8 IOS-XE 16.11.1s, AireOS 8.9 IOS-XE 16.12.2s, AireOS 8.10
• SD-Access Extension for IoT (Beta) • SD-Access Extension for IoT (FCS) • Group-Based Access Control App (ACA)
• 3 node DNAC HA for Automation • IPv6 overlay support for • Application Visibility on Switches & WLCs
• Catalyst 9800 Wireless Controller Wired + Wireless (AireOS) Endpoints • Stealthwatch Security Analytics Service
• Fabric in a Box with Embedded Wireless • Fabric Edge and Fabric in a Box • Cisco DNA Bonjour Service
on Catalyst 9300 on Catalyst 9500
• Firewall (ASA) support
• Nexus 7700 Series with M3 as Border, • Fabric in a Box with Embedded Wireless
• StackWise Virtual support
without MPLS license on C9400, C9500
• L2 and Multicast Enhancements
• SDA-ACI Integration Improvements • SD-Access Border Simplification
• FiaB and eWLC Enhancements
• LAN Automation Enhancements • LAN Automation Enhancements
• Intent APIs for SD-Access
SD-Access Resources
Would you like to know more?
cisco.com/go/dna
cisco.com/go/sdaccess cisco.com/go/dnacenter
• SD-Access At-A-Glance • Cisco DNA Center At-A-Glance
•
•
SD-Access
SD-Access
Ordering Guide
Solution Data Sheet
cisco.com/go/cvd •
•
Cisco
Cisco
DNA
DNA
ROI Calculator
Center Data Sheet
• SD-Access Solution White Paper • SD-Access Design Guide • Cisco DNA Center 'How To' Video Resources
• SD-Access Deployment Guide
• SD-Access Segmentation Guide
SD-Access Resources
Would you like to know more?
cs.co/sda-resources
cs.co/sda-community
• Search from your Browser

• Indexed by Search Engines
• Discuss with experts & friends
• Supported by SDA TMEs
• 24-hour First Response
• Questions are marked Answered
Complete your
online session
survey • Please complete your session survey
after each session. Your feedback
is very important.
• Complete a minimum of 4 session
surveys and the Overall Conference
survey (starting on Thursday) to
receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events
Mobile App or by logging in to the Content
Catalog on ciscolive.com/emea.
Cisco Live sessions will be available for viewing on

demand after the event at ciscolive.com.
Continue your education
Demos in the
Walk-in labs
Cisco campus
Meet the engineer

Related sessions
1:1 meetings
Thank you

BRKCRS-2810 (2020) - Fundamental

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

BRKCRS-2810 (2020) - Fundamental

Uploaded by

Copyright:

Available Formats

Cisco Software-Defined

Keynote BRKCRS-2815 BRKCRS-2818 BRKCRS-2819

Recipe for transforming 14:30 BRKCRS-2824

Why do you care?

Cisco DNA Center

Policy Automation Analytics SD-WAN Wireless

Switch Route Wireless

What is Software Defined Access?

Cisco DNA Center integrates multiple

Separate management systems

What is Software Defined Access?

Examples of Network Overlays

Overlay Network Overlay Control Plane

Edge Device Edge Device

Underlay Network Underlay Control Plane

Manual Underlay LAN Automation

• Key Considerations • Key Considerations

What is Software Defined Access?

Control-Plane Node runs a Host Tracking Database to map location information

• A simple Host Database that maps Endpoint IDs to C

• Receives Endpoint ID map registrations from Edge

• Resolves lookup requests from Edge and/or Border FE1

Nodes, to locate destination Endpoint IDs IP - 1.2.3.4/32

Fabric Control Plane CRN®

Catalyst 9300 Catalyst 9400 Catalyst 9500 Catalyst 9600

• Catalyst 9300 • Catalyst 9400 • Catalyst 9500 • Catalyst 9600

Fabric Control Plane

Catalyst 3K Catalyst 6K ISR 4K & ENCS ASR1K

• Catalyst 3650/3850 • Catalyst 6500/6800 • ISR 4430/4450 • ASR 1000-X

• Responsible for Identifying and Authenticating C

• Provide an Anycast L3 Gateway for the connected

• Performs encapsulation / de-encapsulation of data FE1

traffic to and from all connected Endpoints IP - 1.2.3.4/32

Fabric Edge Node CRN®

Fabric Edge Node

Catalyst 3K Catalyst 4500E Catalyst 6K

• Catalyst 3650/3850 • Catalyst 4500E • Catalyst 6500/6800

There are 3 Types of Border Node!

• Internal Border (Rest of Company)

• External Border (Outside)

• Internal + External (Anywhere) 1.3

• connects transit areas AND known areas of the company

Fabric Control Plane CRN®

Catalyst 9300 Catalyst 9400 Catalyst 9500 Catalyst 9600

• Catalyst 9300 • Catalyst 9400 • Catalyst 9500 • Catalyst 9600

Fabric Border Node

Catalyst 3K Catalyst 6K Nexus 7K* ISR 4K ASR 1K

Internal Border advertises Endpoints to outside, and known Subnets to inside

• Imports and registers (known) IP subnets from

• Hand-off requires mapping the context (VRF & SGT)

External Border is a “Gateway of Last Resort” for any unknown destinations

• Does NOT import unknown routes! It is a “default”

• Hand-off requires mapping the context (VRF & SGT)

• Connects to Fabric via Border (Underlay) C

• Fabric Enabled APs connect to the Edge via VXLAN

• Wireless Clients (SSIDs) use regular Host Pools for

Fabric Enabled Wireless

Catalyst 9800 Catalyst 9100 AireOS WLC AireOS AP

• Catalyst 9800-L • Catalyst 9130 • AIR-CT3504 • 1800/2800/3800/4800

Catalyst Digital 3560-CX

▪ Operational IOT simplicity (Automation)

Extended Nodes ▪ IT designed and OT managed

What is Software Defined Access?

• Control-Plane uses Instance ID to maintain separate C