SD ACCESS Basics
Node Roles
- Control-Plane Node: runs a Host Tracking Database to map location information
  - A database that maps Endpoint IDs to a current location, along with other attributes
  - The Host Database supports multiple Endpoint ID lookup types (IPv4, IPv6 or MAC)
  - Receives Endpoint ID map registrations from Edge and/or Border Nodes for “known” IP prefixes
  - Resolves lookup requests from Edge and/or Border Nodes to locate destination Endpoint IDs
- Edge Node: provides first-hop services for Users / Devices connected to a Fabric
  - Responsible for identifying and authenticating Endpoints (e.g. Static, 802.1X, Active Directory)
  - Registers specific Endpoint ID info (e.g. /32 or /128) with the Control-Plane Node(s)
  - Provides an Anycast L3 Gateway for the connected Endpoints (same IP address on all Edge Nodes)
  - Performs encapsulation / de-encapsulation of data traffic to and from all connected Endpoints
- Border Node:
  - Internal Border advertises Endpoints to outside, and known Subnets to inside:
    - Connects to any “known” IP subnets available from the outside network (e.g. DC, WLC, FW, etc.)
    - Exports all internal IP Pools to outside (as aggregate), using traditional IP routing protocol(s)
    - Imports and registers (known) IP subnets from outside into the Control-Plane Map System
    - Hand-off requires mapping the context (VRF & SGT) from one domain to another
  - External Border is a “Gateway of Last Resort” for any unknown destinations:
    - Connects to any “unknown” IP subnets outside of the network (e.g. Internet, Public Cloud)
    - Exports all internal IP Pools outside (as aggregate) into traditional IP routing protocol(s)
    - Does NOT import unknown routes; it is a “Default” exit if no entry is available in the Control-Plane
    - Hand-off requires mapping the context (VRF & SGT) from one domain to another
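The Node Roles above describe a map system: Edge Nodes register host Endpoint IDs, Internal Borders import known outside subnets, the External Border is the default exit, and each Virtual Network keeps its own table. The following is an added example, not Cisco or LISP code, that models that behaviour in Python so the lookup rules can be exercised; node names, addresses, SGT values, the second instance ID (4100) and the method names are all constructed for illustration.

```python
"""Toy model of the SD-Access control-plane node's host-tracking database.
Added example, not Cisco or LISP code: node names, addresses, SGT values,
instance ID 4100 and the API are constructed for illustration."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network, IPv6Network
from typing import Optional, Union

DEFAULT_INSTANCE_ID = 4098  # "Default" VRF instance ID quoted in the notes
_MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


@dataclass(frozen=True)
class Mapping:
    """One host-tracking entry: Endpoint ID, its location (the registering
    node, i.e. the RLOC) and the attributes carried with it."""
    eid: Union[IPv4Network, IPv6Network, str]   # str holds a MAC address key
    rloc: str                                    # Edge/Border node that registered it
    sgt: Optional[int] = None
    source: str = "edge"   # "edge", "internal-border" or "external-border"


class ControlPlaneNode:
    def __init__(self, external_border: Optional[str] = None):
        # Separate VRF topology per Virtual Network, keyed by instance ID.
        self._ip_tables = {}    # instance_id -> list[Mapping]
        self._mac_tables = {}   # instance_id -> {mac: Mapping}
        self.external_border = external_border  # "Gateway of Last Resort"

    def register(self, instance_id: int, eid: str, rloc: str,
                 sgt: Optional[int] = None, source: str = "edge") -> Mapping:
        """Map-register from an Edge (host /32 or /128) or from an Internal
        Border (a "known" subnet imported from outside)."""
        net = ip_network(eid, strict=False)
        if source == "edge" and net.prefixlen != net.max_prefixlen:
            raise ValueError("Edge Nodes register host prefixes only (/32 or /128)")
        m = Mapping(net, rloc, sgt, source)
        self._ip_tables.setdefault(instance_id, []).append(m)
        return m

    def register_mac(self, instance_id: int, mac: str, rloc: str,
                     sgt: Optional[int] = None) -> Mapping:
        """Map-register keyed by MAC (the third lookup type in the notes)."""
        mac = mac.lower()
        if not _MAC_RE.match(mac):
            raise ValueError("MAC must look like aa:bb:cc:dd:ee:ff")
        m = Mapping(mac, rloc, sgt, "edge")
        self._mac_tables.setdefault(instance_id, {})[mac] = m
        return m

    def resolve(self, instance_id: int, dst: str) -> Optional[Mapping]:
        """Map-request from an Edge/Border: MAC exact match or IP longest-prefix
        match inside this VN only; unknown destinations go to the External
        Border, or get a negative reply if there is none."""
        if _MAC_RE.match(dst.lower()):
            return self._mac_tables.get(instance_id, {}).get(dst.lower())
        addr = ip_address(dst)
        hits = [m for m in self._ip_tables.get(instance_id, []) if addr in m.eid]
        if hits:
            return max(hits, key=lambda m: m.eid.prefixlen)
        if self.external_border is None:
            return None
        default = ip_network("0.0.0.0/0" if addr.version == 4 else "::/0")
        return Mapping(default, self.external_border, None, "external-border")


def build_sample_fabric() -> ControlPlaneNode:
    """Constructed topology: two Edge Nodes, one Internal and one External
    Border, and two Virtual Networks (instance IDs 4098 and 4100)."""
    cp = ControlPlaneNode(external_border="border-ext-1")
    cp.register(DEFAULT_INSTANCE_ID, "10.1.10.25/32", "edge-1", sgt=10)
    cp.register(DEFAULT_INSTANCE_ID, "2001:db8:10::25/128", "edge-1", sgt=10)
    cp.register_mac(DEFAULT_INSTANCE_ID, "00:11:22:33:44:55", "edge-1", sgt=10)
    cp.register(DEFAULT_INSTANCE_ID, "10.1.20.7/32", "edge-2", sgt=20)
    # Internal Border imports a "known" outside subnet (e.g. the data centre)
    cp.register(DEFAULT_INSTANCE_ID, "10.200.0.0/16", "border-int-1",
                source="internal-border")
    # Same host address registered in a second VN: separate table, other location
    cp.register(4100, "10.1.10.25/32", "edge-2", sgt=30)
    return cp


if __name__ == "__main__":
    cp = build_sample_fabric()
    for inst, dst in [(4098, "10.1.20.7"), (4098, "10.200.5.9"), (4098, "8.8.8.8"),
                      (4100, "10.1.10.25"), (4098, "00:11:22:33:44:55")]:
        m = cp.resolve(inst, dst)
        print(inst, dst, "->", (m.rloc, m.source) if m else "no mapping")
```

Note that the same address resolves to different nodes in the two instance IDs, and that an address known in one VN is still handed to the External Border when asked about in the other VN: the map system never leaks a location across Virtual Networks, which is the isolation property the Border hand-off (VRF and SGT mapping) is responsible for preserving when traffic leaves the fabric.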
Terminologies
- Virtual Network (VN): maintains a separate Routing & Switching table for each instance
  - Control-Plane uses an Instance ID to maintain separate VRF topologies (the “Default” VRF is Instance ID “4098”)
  - Nodes add the VNID to the Fabric encapsulation
  - Endpoint ID prefixes (Host Pools) are routed and advertised within a Virtual Network
- Scalable Group: a logical policy object to “group” Users and/or Devices
  - Nodes use “Scalable Groups” to identify Endpoints and assign them a unique Scalable Group Tag (SGT)
  - Nodes add the SGT to the Fabric encapsulation
  - SGTs are used to manage address-independent “Group-Based Policies”
  - Edge or Border Nodes use the SGT to enforce local Scalable Group ACLs (SGACLs)
Control-Plane based on LISP
Data-Plane based on VXLAN
Policy-Plane based on CTS
Cisco TrustSec (CTS) decouples access control from IP addresses and VLANs by using logical groupings, a method known as Group-Based Access Control (GBAC).
The goal of Cisco TrustSec is to assign an SGT value to the packet at its ingress point into the network; an access policy is then enforced on the egress node based on this tag.
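The Terminologies list says nodes add the VNID and SGT to the fabric encapsulation, and the Policy-Plane paragraph says the SGT is stamped at ingress and enforced at egress. The following added example, not Cisco code, ties the two together in Python: the ingress Edge Node builds a VXLAN header carrying VNID and SGT, and the egress node reads both back and applies an SGACL matrix before delivering to the destination. The 8-byte header layout is that of the VXLAN Group Policy Option draft (draft-smith-vxlan-group-policy: G flag in bit 0, I flag in bit 4, 16-bit Group Policy ID, 24-bit VNI, reserved byte); the SGT numbers, the policy matrix, instance ID 4100 and the function names are constructed for illustration.

```python
"""Added example, not Cisco code: VNID + SGT in the fabric encapsulation
(VXLAN-GPO layout per draft-smith-vxlan-group-policy) and SGACL enforcement
at the egress node.  SGT values, VNIDs and the policy matrix are constructed."""
import struct

FLAG_G = 0x80  # Group Policy ID (SGT) field is valid
FLAG_I = 0x08  # VNI field is valid (the standard VXLAN "I" flag)


def encapsulate(vnid: int, sgt: int, inner_frame: bytes) -> bytes:
    """Ingress Edge Node: prepend a header carrying the VNID and the SGT the
    endpoint was classified into at authentication time."""
    if not 0 <= vnid < 1 << 24:
        raise ValueError("VNID is 24 bits")
    if not 0 <= sgt < 1 << 16:
        raise ValueError("SGT is 16 bits")
    # flags | reserved | Group Policy ID | VNI (24 bits) + reserved (8 bits)
    header = struct.pack("!BBHI", FLAG_G | FLAG_I, 0, sgt, vnid << 8)
    return header + inner_frame


def decapsulate(packet: bytes):
    """Egress node: return (vnid, sgt, inner_frame); SGT 0 when untagged."""
    if len(packet) < 8:
        raise ValueError("truncated fabric header")
    flags, _reserved, sgt, vni_and_reserved = struct.unpack("!BBHI", packet[:8])
    if not flags & FLAG_I:
        raise ValueError("header carries no valid VNI")
    if not flags & FLAG_G:
        sgt = 0  # no group information: treated as unknown
    return vni_and_reserved >> 8, sgt, packet[8:]


# Constructed SGT assignments (what the identity source would classify into)
SGT_EMPLOYEE, SGT_IOT_CAMERA, SGT_SERVER = 10, 20, 30

# Constructed SGACL matrix: (src_sgt, dst_sgt) -> rules (proto, port, action),
# evaluated top-down, first match wins, implicit deny when nothing matches.
SGACL = {
    (SGT_EMPLOYEE, SGT_SERVER): [("tcp", 443, "permit"), ("tcp", 22, "deny")],
    (SGT_IOT_CAMERA, SGT_SERVER): [("tcp", 443, "permit")],
    (SGT_EMPLOYEE, SGT_EMPLOYEE): [("any", None, "permit")],
}


def sgacl_lookup(src_sgt: int, dst_sgt: int, proto: str, port: int) -> str:
    """Address-independent policy: only the two tags and the service matter."""
    for rule_proto, rule_port, action in SGACL.get((src_sgt, dst_sgt), []):
        if rule_proto in ("any", proto) and rule_port in (None, port):
            return action
    return "deny"  # implicit deny: no cell for this pair, or no matching rule


def egress_enforce(packet: bytes, dst_vnid: int, dst_sgt: int,
                   proto: str, port: int) -> str:
    """Egress node: the source SGT travels in the header; the destination SGT
    is known locally because the egress node authenticated that endpoint.
    Traffic for another VN is dropped here (crossing VNs is a Border hand-off)."""
    vnid, src_sgt, _frame = decapsulate(packet)
    if vnid != dst_vnid:
        return "drop"
    return sgacl_lookup(src_sgt, dst_sgt, proto, port)


if __name__ == "__main__":
    pkt = encapsulate(4098, SGT_EMPLOYEE, b"<constructed inner frame>")
    print("header:", pkt[:8].hex())
    for dst_sgt, proto, port in [(SGT_SERVER, "tcp", 443), (SGT_SERVER, "tcp", 22),
                                 (SGT_EMPLOYEE, "udp", 5000)]:
        print(SGT_EMPLOYEE, "->", dst_sgt, proto, port,
              egress_enforce(pkt, 4098, dst_sgt, proto, port))
```

The point to notice is that nothing in `sgacl_lookup` looks at an IP address or VLAN: the decision is a function of the two tags and the service, so moving an endpoint to another subnet or Edge Node does not change the policy that applies to it, which is what "address-independent Group-Based Policy" means in the notes.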
Reference: Cisco Live