SD-Access: Fabric Concepts

Virtual Network (VN)

The virtual network provides virtualisation at a device level using VRF instances to create multiple Layer 3 routing tables.

The VRF instances segment the IP address space, which allows overlapping address ranges and keeps each routing table isolated from the others.

In the control plane, LISP instance IDs are used to maintain separate VRF instances.

In the data plane, edge nodes add a VXLAN VNI (VXLAN Network Identifier) to the fabric encapsulation.

Host Pool

The host pool is a group of endpoints assigned to an IP pool subnet in the software defined access fabric.

Fabric edge nodes have a Switched Virtual Interface (SVI) for each host pool, which endpoints and users use as their default gateway.

The software defined access fabric uses EID mappings to advertise each host pool (per instance ID), which allows for host-specific advertisement and mobility.

Host pools can be assigned dynamically using 802.1X host authentication or statically per port.

Scalable Group

The scalable group is a group of endpoints with similar policies.

The SD-Access policy plane assigns every endpoint to a scalable group using TrustSec Scalable Group Tags (SGTs).

The assignment to a scalable group can be done statically per fabric edge port or dynamically through authentication via AAA/RADIUS.

The same scalable group is configured on all fabric edge and border nodes.

Scalable groups can be defined in Cisco DNA Center or Cisco ISE and are advertised through Cisco TrustSec.

There is a one-to-one relationship between scalable groups and host pools. Scalable groups operate within a virtual network by default.

The fabric edge and border nodes include the SGT ID in each VXLAN header, and it is carried across the fabric data plane.

This keeps scalable groups separate and allows SGACL policy definition and enforcement.
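To show how the VNI (from the Virtual Network section) and the SGT (from this section) travel together in the fabric encapsulation, here is an added example, not code from the original post: a small Python encoder and decoder for the 8-byte VXLAN header with the Group Policy extension. The bit layout is assumed from draft-smith-vxlan-group-policy, and the VNI-to-VN table is constructed sample data, not a real deployment.

```python
import struct

# Bit positions in the 16-bit flags field of the VXLAN group-policy header.
# Layout is an assumption taken from draft-smith-vxlan-group-policy.
FLAG_G = 0x8000  # Group Policy ID field is present
FLAG_I = 0x0800  # VNI field is valid
FLAG_D = 0x0040  # Don't Learn the source address from this packet
FLAG_A = 0x0008  # policy has already been applied upstream

# Constructed sample mapping of VNI -> virtual network name (not real data).
VNI_TO_VN = {4097: "CAMPUS", 4098: "GUEST"}


def encode_vxlan_gpo(vni: int, sgt: int, policy_applied: bool = False) -> bytes:
    """Build the 8-byte VXLAN header carrying a VNI and an SGT."""
    if not 0 <= vni < 2**24 or not 0 <= sgt < 2**16:
        raise ValueError("VNI is 24 bits and SGT is 16 bits")
    flags = FLAG_G | FLAG_I | (FLAG_A if policy_applied else 0)
    # >H flags, >H group policy id (SGT), >I = 24-bit VNI followed by a reserved byte
    return struct.pack(">HHI", flags, sgt, vni << 8)


def decode_vxlan_gpo(hdr: bytes) -> dict:
    """Parse a VXLAN header; return VNI, the VN it maps to, and the SGT if present.

    Raises ValueError when the header is truncated or malformed, so a
    monitoring tool can flag frames that should not be on the fabric.
    """
    if len(hdr) < 8:
        raise ValueError("VXLAN header truncated")
    flags, gpid, word = struct.unpack(">HHI", hdr[:8])
    if not flags & FLAG_I:
        raise ValueError("I bit clear: VNI is not valid")
    if word & 0xFF:
        raise ValueError("reserved byte after the VNI must be zero")
    vni = word >> 8
    return {
        "vni": vni,
        "vn": VNI_TO_VN.get(vni, "UNKNOWN"),
        # Without the G bit the 16-bit field is reserved, so no SGT is carried.
        "sgt": gpid if flags & FLAG_G else None,
        "policy_applied": bool(flags & FLAG_A),
        "dont_learn": bool(flags & FLAG_D),
    }
```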

Anycast Gateway

The anycast gateway provides a pervasive Layer 3 gateway where the same SVI is provisioned on every edge node with the same SVI IP and MAC addresses.

This allows a subnet to be stretched across the SD-Access fabric.

Stretching the subnet across the fabric allows a host to be located at, and move to, any geographic location while keeping the same default gateway IP address and MAC address.
