Software Defined Access Data Plane

The tunnelling technology used in the fabric data plane is based on Virtual Extensible LAN (VXLAN).

VXLAN encapsulation is UDP/IP based, so it can be forwarded by any IP-based network and is used to create the overlay network for the SD-Access fabric.

Although Software Defined Access uses LISP for control plane traffic, LISP is not used for data traffic. VXLAN is used instead because it encapsulates the original Ethernet header, providing MAC-in-IP encapsulation.

Using VXLAN allows the Software Defined Access fabric to support both Layer 2 and Layer 3 virtual topologies and to operate over any IP-based network with built-in segmentation and group-based policy. LISP supports only a Layer 3 overlay.

The original VXLAN specification has been enhanced for Software Defined Access to support Cisco TrustSec Scalable Group Tags (SGTs). This adds new fields to the first 4 bytes of the VXLAN header, allowing up to 64,000 SGT tags to be transported.

This new VXLAN format is named VXLAN Group Policy Option (VXLAN-GPO).

VXLAN-GPO adds the following fields:

Group Policy ID – 16-bit identifier to carry the SGT tag

Group Based Policy Extension Bit (G Bit) – 1-bit field that, when set to 1, indicates that an SGT tag is being carried inside the Group Policy ID field

Don’t Learn Bit (D Bit) – 1-bit field that, when set to 1, indicates that the egress virtual tunnel endpoint must not learn the source address of the encapsulated frame

Policy Applied Bit (A Bit) – 1-bit field that, when set to 1, indicates that the group policy has already been applied to this packet and no further policies should be applied. When set to 0, group policies must be applied to this packet if the G Bit is set to 1.
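To make the header layout concrete, here is an added example (not from the original page or from Cisco) that encodes and decodes the 8-byte VXLAN-GPO header and applies the G/A bit rule above to decide whether the egress endpoint still has to enforce group policy. The exact bit offsets are assumed from the VXLAN-GPO draft (draft-smith-vxlan-group-policy), as the page names the fields but not their positions; the sample VNI and SGT values are constructed.

```python
import struct
from dataclasses import dataclass

# Bit positions assumed from draft-smith-vxlan-group-policy (not stated on the page):
FLAG_G = 0x80  # byte 0: Group Based Policy Extension bit
FLAG_I = 0x08  # byte 0: VNI valid (base VXLAN flag)
FLAG_D = 0x40  # byte 1: Don't Learn bit
FLAG_A = 0x08  # byte 1: Policy Applied bit


@dataclass
class GpoHeader:
    vni: int
    sgt: int = 0
    g: bool = False
    d: bool = False
    a: bool = False


def encode(h: GpoHeader) -> bytes:
    """Build the 8-byte VXLAN-GPO header: flags(2) | Group Policy ID(2) | VNI(3) | reserved(1)."""
    if not 0 <= h.sgt <= 0xFFFF or not 0 <= h.vni <= 0xFFFFFF:
        raise ValueError("SGT must fit in 16 bits and VNI in 24 bits")
    b0 = FLAG_I | (FLAG_G if h.g else 0)
    b1 = (FLAG_D if h.d else 0) | (FLAG_A if h.a else 0)
    gpid = h.sgt if h.g else 0  # Group Policy ID is only meaningful when G=1
    return struct.pack("!BBH", b0, b1, gpid) + h.vni.to_bytes(3, "big") + b"\x00"


def decode(data: bytes) -> GpoHeader:
    """Parse the header; an SGT is reported only when the G bit says one is carried."""
    if len(data) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    b0, b1, gpid = struct.unpack("!BBH", data[:4])
    if not b0 & FLAG_I:
        raise ValueError("I bit clear: no valid VNI")
    g = bool(b0 & FLAG_G)
    return GpoHeader(vni=int.from_bytes(data[4:7], "big"), sgt=gpid if g else 0,
                     g=g, d=bool(b1 & FLAG_D), a=bool(b1 & FLAG_A))


def policy_required(h: GpoHeader) -> bool:
    """Egress must apply group policy only when an SGT is carried (G=1) and not yet applied (A=0)."""
    return h.g and not h.a


# Constructed sample: VNI 8188 carrying SGT 17, policy not yet applied.
SAMPLE = encode(GpoHeader(vni=8188, sgt=17, g=True, d=False, a=False))
```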

