SD ACCESS Basics


Node Roles

  • Control-Plane Node: runs a Host Tracking Database to map location information
    • A Database that maps Endpoint IDs to a current Location, along with other attributes
    • Host Database supports multiple Endpoint ID lookup types (IPv4, IPv6 or MAC)
    • Receives Endpoint ID map registrations from Edge and/or Border Nodes for “known” IP prefixes
    • Resolves lookup requests from Edge and/or Border Nodes to locate destination Endpoint IDs


  • Edge Node: provides first-hop services for Users / Devices connected to a Fabric.
    • Identifies and authenticates Endpoints (e.g. Static, 802.1X, Active Directory)
    • Registers specific Endpoint ID info (e.g. /32 or /128) with the Control-Plane Node(s)
    • Provides an Anycast L3 Gateway for the connected Endpoints (same IP address on all Edge nodes)
    • Performs encapsulation / de-encapsulation of data traffic to and from all connected Endpoints
  • Border Node:
    • Internal Border advertises Endpoints to outside, and known Subnets to inside:
      • Connects to any “known” IP subnets available from the outside network (e.g. DC, WLC, FW, etc.)
      • Exports all internal IP Pools to outside (as aggregate), using traditional IP routing protocol(s).
      • Imports and registers (known) IP subnets from outside, into the Control-Plane Map System
      • Hand-off requires mapping the context (VRF & SGT) from one domain to another.
    • External Border is a “Gateway of Last Resort” for any unknown destinations
      • Connects to any “unknown” IP subnets, outside of the network (e.g. Internet, Public Cloud)
      • Exports all internal IP Pools outside (as aggregate) into traditional IP routing protocol(s).
      • Does NOT import unknown routes. It is the “Default” exit when no entry is available in the Control-Plane.
      • Hand-off requires mapping the context (VRF & SGT) from one domain to another.
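The Node Roles above describe a lookup procedure: Edge Nodes register host prefixes, the Internal Border registers known outside subnets, the Control-Plane Node resolves map requests, and anything still unknown goes to the External Border. The following is an added example, not code from Cisco or from the original post, that models that Host Tracking Database in Python; the Instance ID 4099, node names and RLOC (locator) addresses are constructed assumptions, while 4098 as the "Default" VRF comes from the post.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple, Union

# Added illustration (not from Cisco or the original post): a minimal model of the
# Host Tracking Database that the Control-Plane Node runs. Instance IDs, node
# names and RLOC (locator) addresses below are constructed assumptions.

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class MapEntry:
    rloc: str        # locator of the fabric node that registered this EID
    node_role: str   # "edge" (host prefixes) or "internal-border" (known subnets)


class HostTrackingDatabase:
    """Maps Endpoint IDs (EIDs) to the location (RLOC) of the node that owns them."""

    def __init__(self, external_border_rloc: str):
        # One map per Virtual Network, keyed by Instance ID.
        self._ip_map: Dict[int, Dict[IPNet, MapEntry]] = {}
        self._mac_map: Dict[int, Dict[str, MapEntry]] = {}
        # External Border: gateway of last resort for unknown IP destinations.
        self.external_border_rloc = external_border_rloc

    def register(self, instance_id: int, eid: str, rloc: str, node_role: str) -> None:
        """Edge nodes register /32 or /128 hosts; internal borders register known subnets."""
        if MAC_RE.match(eid.lower()):
            self._mac_map.setdefault(instance_id, {})[eid.lower()] = MapEntry(rloc, node_role)
            return
        net = ipaddress.ip_network(eid, strict=False)
        if node_role == "edge" and net.prefixlen != net.max_prefixlen:
            raise ValueError("Edge nodes register host prefixes only (/32 or /128)")
        self._ip_map.setdefault(instance_id, {})[net] = MapEntry(rloc, node_role)

    def resolve(self, instance_id: int, lookup: str) -> Optional[str]:
        """Answer a map request: return the RLOC to encapsulate towards, or None."""
        try:
            addr = ipaddress.ip_address(lookup)
        except ValueError:
            # MAC lookups are exact matches; there is no default MAC locator.
            entry = self._mac_map.get(instance_id, {}).get(lookup.lower())
            return entry.rloc if entry else None
        best: Optional[Tuple[int, MapEntry]] = None
        for net, entry in self._ip_map.get(instance_id, {}).items():
            # Longest-prefix match, so an Edge /32 wins over a Border aggregate.
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[0]:
                    best = (net.prefixlen, entry)
        if best is not None:
            return best[1].rloc
        # Not registered by any Edge or Internal Border: hand to the External Border.
        return self.external_border_rloc


CAMPUS_VN = 4099   # assumed Instance ID for a user VN; 4098 is the "Default" VRF


def build_demo_db() -> HostTrackingDatabase:
    """Constructed registrations: two Edge nodes, one Internal Border, one External Border."""
    db = HostTrackingDatabase(external_border_rloc="192.0.2.2")
    db.register(CAMPUS_VN, "10.1.10.21/32", "192.0.2.11", "edge")             # Edge-1 host
    db.register(CAMPUS_VN, "10.1.10.22/32", "192.0.2.12", "edge")             # Edge-2 host
    db.register(CAMPUS_VN, "2001:db8:1::22/128", "192.0.2.12", "edge")        # same host, IPv6
    db.register(CAMPUS_VN, "aa:bb:cc:00:11:22", "192.0.2.12", "edge")         # same host, MAC
    db.register(CAMPUS_VN, "10.100.0.0/16", "192.0.2.1", "internal-border")   # known DC subnet
    return db


if __name__ == "__main__":
    db = build_demo_db()
    for target in ("10.1.10.21", "10.100.7.7", "198.51.100.9", "aa:bb:cc:00:11:22"):
        print(f"{target:>20} -> {db.resolve(CAMPUS_VN, target)}")
```

Two behaviours are worth noticing when running it: a lookup in a different Instance ID (for example 4098) for a host registered only in 4099 falls through to the External Border, which is the per-VN isolation the post describes, and an Edge node attempting to register a whole subnet is rejected, because only borders register aggregates.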


Terminologies

  • Virtual Network (VN) maintains a separate Routing & Switching table for each instance
    • Control-Plane uses Instance ID to maintain separate VRF topologies (“Default” VRF is Instance ID “4098”)
    • Nodes add VNID to the Fabric encapsulation
    • Endpoint ID prefixes (Host Pools) are routed and advertised within a Virtual Network


  • Scalable Group is a logical policy object to “group” Users and/or Devices
    • Nodes use “Scalable Groups” to identify Endpoints and assign them a unique Scalable Group Tag (SGT)
    • Nodes add SGT to the Fabric encapsulation
    • SGTs are used to manage address-independent “Group-Based Policies”
    • Edge or Border Nodes use SGT to enforce local Scalable Group ACLs (SGACLs)


Control-Plane based on LISP


Data-Plane based on VXLAN


Policy-Plane based on CTS

Cisco TrustSec (CTS) decouples access that is based strictly on IP addresses and VLANs by using logical groupings in a method known as Group-Based Access Control (GBAC).

The goal of Cisco TrustSec technology is to assign an SGT value to the packet at its ingress point into the network. An access policy is then enforced based on this tag information at the egress node.
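The Terminologies section says nodes add the VNID and the SGT to the fabric encapsulation, and the paragraph above says the SGT is stamped at ingress and the policy is enforced at egress. The following is an added example, not code from Cisco or the original post, that shows both steps in Python: it builds and parses the 8-byte VXLAN header with the Group Policy Option (the layout follows draft-smith-vxlan-group-policy, which is the header format that carries an SGT in VXLAN), then applies an SGACL matrix at the egress node using only the two SGTs, never the inner IP addresses. The VNID 8189, the SGT values and the SGACL matrix are constructed assumptions.

```python
import struct
from typing import Dict, Optional, Tuple

# Added illustration (not from Cisco or the original post). Header layout follows the
# VXLAN Group Policy Option draft (draft-smith-vxlan-group-policy); VNIDs, SGT values
# and the SGACL matrix below are constructed assumptions.

FLAG_G = 0x80  # Group Policy ID (SGT) field is valid
FLAG_I = 0x08  # VNI field is valid (RFC 7348)


def build_vxlan_gpo_header(vnid: int, sgt: int) -> bytes:
    """Ingress node: stamp the VN's VNID and the source SGT into the 8-byte VXLAN header."""
    if not 0 <= vnid < (1 << 24):
        raise ValueError("VNID is a 24-bit field")
    if not 0 <= sgt < (1 << 16):
        raise ValueError("SGT is a 16-bit field")
    # flags | reserved | Group Policy ID (16 bits) | VNI (24 bits) + reserved (8 bits)
    return struct.pack("!BBHI", FLAG_G | FLAG_I, 0, sgt, vnid << 8)


def parse_vxlan_gpo_header(hdr: bytes) -> Tuple[int, Optional[int]]:
    """Egress node: recover (VNID, SGT). SGT is None when the G flag is not set."""
    if len(hdr) != 8:
        raise ValueError("VXLAN header is exactly 8 bytes")
    flags, _reserved, group_policy_id, vni_word = struct.unpack("!BBHI", hdr)
    if not flags & FLAG_I:
        raise ValueError("I flag clear: no valid VNI")
    sgt = group_policy_id if flags & FLAG_G else None
    return vni_word >> 8, sgt


# Constructed SGT values and SGACL matrix: (source SGT, destination SGT) -> action.
SGT_EMPLOYEE, SGT_GUEST, SGT_PRINTER = 10, 20, 30
SGACL_MATRIX: Dict[Tuple[int, int], str] = {
    (SGT_EMPLOYEE, SGT_PRINTER): "permit",
    (SGT_EMPLOYEE, SGT_EMPLOYEE): "permit",
    (SGT_GUEST, SGT_PRINTER): "deny",
}


def egress_enforce(hdr: bytes, local_vnid: int, dst_sgt: int, default: str = "deny") -> str:
    """Egress Edge/Border node: apply the SGACL for (source SGT from header, destination SGT).

    The inner IP addresses are never consulted: the policy is address-independent.
    Traffic that arrives without a G flag (no SGT) gets the matrix default.
    """
    vnid, src_sgt = parse_vxlan_gpo_header(hdr)
    if vnid != local_vnid:
        return "drop (VN mismatch)"   # a VN's traffic never crosses into another VN
    if src_sgt is None:
        return default
    return SGACL_MATRIX.get((src_sgt, dst_sgt), default)


if __name__ == "__main__":
    campus_vnid = 8189   # constructed VNID for the campus VN
    hdr = build_vxlan_gpo_header(campus_vnid, SGT_EMPLOYEE)
    print("header:", hdr.hex())                       # 8800000a001ffd00
    print("parsed:", parse_vxlan_gpo_header(hdr))     # (8189, 10)
    print("employee -> printer:", egress_enforce(hdr, campus_vnid, SGT_PRINTER))
    guest = build_vxlan_gpo_header(campus_vnid, SGT_GUEST)
    print("guest -> printer:", egress_enforce(guest, campus_vnid, SGT_PRINTER))
```

The matrix default is a deliberate choice: with a deny default, a pair the operator never wrote a rule for (here guest to employee) is blocked, and a packet whose header lacks the G flag is treated as an unknown source group rather than as trusted, which is the safer failure mode for an enforcement point.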


Reference: Cisco Live

Bilel Ameur

Enthusiastic Network Engineer specializing in Cisco ACI, passionate about solving challenges. A lifelong learner who loves gaining and sharing knowledge. Profile: https://www.linkedin.com/in/bilel-ameur-71116b2b5