BRKCRS 2810



BRKCRS-2810

Cisco Software-Defined Access

Under The Hood


Shawn Wargo
Principal Engineer - Technical Marketing

Software Defined Access
Session Abstract

What is Cisco Software Defined Access (SD-Access)?


Cisco SD-Access is the foundation for a new era of Intent Based Networking (IBN).

Cisco SD-Access is an innovative fabric-based network infrastructure that provides:

• Automated network and policy configuration
• Dynamic host mobility for wired and wireless
• Identity-based macro and micro-segmentation
• Virtualized multicast and Layer 2 broadcast

This session focuses on the fundamentals of the Cisco SD-Access architecture, including an introduction to each of the technologies that bring it to life!

#CLUS BRKCRS-2810 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Sessions are available Online @ CiscoLive.com

Cisco Software-Defined Access
Cisco Live San Diego - Session Map (You Are Here: BRKCRS-2810)

(Session map grid: Monday June 10 to Thursday June 13, 08:00-18:00 time slots)

• BRKCRS-2818 Connect
• BRKCRS-2821 SDWAN Integration
• BRKCRS-2825 Scaling
• BRKCRS-1501 Validated Design
• BRKNMS-2814 Assurance
• BRKARC-2020 Troubleshoot
• BRKARC-2009 Why SDA
• BRKCRS-2810 Fundamentals (this session)
• BRKCRS-2811 Connect Outside
• BRKCRS-2815 Connect Sites
• BRKCRS-2816 Underlay
• BRKCRS-2817 Extension
• BRKCRS-3810 Deep Dive
• BRKCRS-2812 Migration
• BRKSEC-2025 Security
• BRKCRS-2819 Cross-Domain
• BRKCRS-3811 Policy
• BRKEWN-2021 Live Setup
• BRKEWN-2020 Wireless

Agenda

1 Key Benefits
Why do you care?

2 Key Concepts
What is SD-Access?

3 Fabric Fundamentals
How does it work?

4 Controller Fundamentals
How does it work?

5 Take Away
Where to get started?


Why do you care?
Key Benefits

New Requirements for the Digital Age

• Insights & Actions
• Automation & Assurance
• Security & Compliance

Innovate FASTER, REDUCE Cost & Complexity, LOWER Risk (Source: 2016 Cisco Study)

Cisco Digital Network Architecture (DNA)
Cisco’s Intent-Based Network
Delivered by Cisco Software Defined Access

(Diagram: Cisco DNA Center (Policy, Automation, Analytics) pushes INTENT into the network and receives CONTEXT back; the Intent-Based Network Infrastructure (Switch, Route, Wireless) is controlled as an SD-Access fabric with Fabric Border and Fabric Edge nodes; adjacent domains are the ACI Data Center, SD-WAN, Wireless and SaaS; LEARNING and SECURITY span the whole architecture.)
Cisco Software Defined Access
The Foundation for Cisco’s Intent-Based Network

One Automated Network Fabric
Single fabric for Wired and Wireless with full automation (Cisco DNA Center: Policy, Automation, Assurance)

Identity-Based Policy and Segmentation
Policy definition decoupled from VLAN and IP address

AI-Driven Insights and Telemetry
Analytics and visibility into User and Application experience

(Diagram: fabric with Border (B) and Control-Plane (C) nodes connecting to the Outside, an IoT Network and an Employee Network; SD-Access Extension; Client Mobility; Policy follows User.)
What is Software Defined Access?
Key Concepts
What is SD-Access?
Campus Fabric + Cisco DNA Center (Automation & Assurance)

SD-Access
• GUI approach provides automation & assurance of all Fabric configuration, management and group-based policy
• Cisco DNA Center integrates multiple management systems (shown on the slide: APIC-EM 1.X, NCP, NDP, ISE, PI), to orchestrate IP LAN, Wireless LAN and WAN access

Campus Fabric
• CLI or API approach to build a LISP + VXLAN + CTS Fabric overlay for your enterprise Campus networks
• CLI provides backward compatibility, but management is box-by-box
• API provides some automation via NETCONF/YANG, also box-by-box
• Separate management systems
Cisco DNA Center
Enterprise Solution - Simple Workflows

DESIGN | PROVISION | POLICY | ASSURANCE

DNA Center components: Identity Services Engine, Network Control Platform, Network Data Platform
Managed devices: Routers, Switches, Wireless Controllers, Wireless APs
Cisco Digital Network Architecture (DNA)
Powering the Intent Based Network

DNA Software Capabilities
• Cloud Service Management
• Cisco DNA Center: Automation & Assurance (Automation, Analytics)
• Software Defined Access
• Virtualization
• Security & Compliance
• Insights & Actions

DNA-Ready Physical and Virtual infrastructure
• Flexible Hardware & Software: Catalyst 9000, IOS-XE, Access Points

Security
• Cisco ISE
1. High-Level View
2. Roles & Platforms
3. Fabric Constructs

What is Software Defined Access?

Roles &
Terminology
SD-Access
What exactly is a Fabric?

A Fabric is an Overlay
An Overlay network is a logical topology used to virtually connect devices,
built over an arbitrary physical Underlay topology.
An Overlay network often uses alternate forwarding attributes to provide
additional services, not provided by the Underlay.

Examples of Network Overlays

• GRE, mGRE
• MPLS, VPLS
• IPSec, DMVPN
• CAPWAP
• LISP
• OTV
• DFA
• ACI
SD-Access
Fabric Terminology

(Diagram: an Overlay Network with its Overlay Control Plane runs between Edge Devices using an Encapsulation; Hosts (End-Points) attach to the Edge Devices; the Underlay Network with its Underlay Control Plane carries the encapsulated traffic.)
SD-Access
Why Overlays?

Separate the “Forwarding Plane” from the “Services Plane”

IT Challenge (Business): Network Uptime - The Boss
IT Challenge (Employee): New Services - The User
(and YOU in between)

Simple Transport Forwarding
• Redundant Devices and Paths
• Keep It Simple and Manageable
• Optimize Packet Handling
• Maximize Network Reliability (HA)

Flexible Virtual Services
• Mobility - Map Endpoints to Edges
• Services - Deliver using Overlay
• Scalability - Reduce Protocol State
• Flexible and Programmable
SD-Access
Types of Overlays

Hybrid L2 + L3 Overlays are the Best of Both Worlds

Layer 2 Overlays
• Emulate a LAN segment
• Transport Ethernet Frames (IP & Non-IP)
• Single subnet mobility (L2 domain)
• Exposure to Layer 2 flooding
• Useful in emulating physical topologies

Layer 3 Overlays
• Abstract IP connectivity
• Transport IP Packets (IPv4 & IPv6)
• Full mobility regardless of Gateway
• Contain network related failures (floods)
• Useful to abstract connectivity and policy
SD-Access
Fabric Underlay – Manual vs. Automated

Manual Underlay
You can reuse your existing IP network as the Fabric Underlay!
• Key Requirements
  • IP reach from Edge to Edge/Border/CP
  • Can be L2 or L3 – We recommend L3
  • Can be any IGP – We recommend ISIS
• Key Considerations
  • MTU (Fabric Header adds 50B)
  • Latency (RTT of 100 ms or less)

LAN Automation
Fully automated prescriptive IP network Underlay Provisioning!
• Key Requirements
  • Leverages standard PNP for Bootstrap
  • Assumes New / Erased Configuration
  • Uses a Global “Underlay” Address Pool
• Key Considerations
  • Seed Device pre-setup is required
  • 100% Prescriptive (No Custom)
Would you like to know more?
Routed Underlay

Check out the following session:

BRKCRS-2812
SD-Access - Integrating with Existing Networks

This session covers:
• More details about Fabric Underlay & Overlay
• How to migrate legacy networks to SD-Access
• Various SD-Access design approaches
Would you like to know more?
Routed Underlay

Check out the following session:

BRKCRS-2816
SD-Access - Building the Routed Underlay
This session covers:
• More details about Fabric Underlay
• How to automate Underlay setup
• Underlay best practices and tips
Cisco SD-Access
Fabric Roles & Terminology

• Network Automation – Simple GUI and APIs for intent-based Automation of wired and wireless fabric devices (Cisco DNA Center)
• Network Assurance – Data Collectors analyze Endpoint to Application flows and monitor fabric device status
• Identity Services – NAC & ID Services (e.g. ISE) for dynamic Endpoint to Group mapping and Policy definition
• Control-Plane Nodes – Map System that manages Endpoint to Device relationships
• Fabric Border Nodes – A fabric device (e.g. Core) that connects External L3 network(s) to the SD-Access fabric
• Fabric Edge Nodes – A fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SD-Access fabric
• Fabric Wireless Controller – A fabric device (WLC) that connects Fabric APs and Wireless Endpoints to the SD-Access fabric

(Diagram: Cisco DNA Center (Automation, Assurance) and Cisco ISE (Identity Services) above the Campus fabric; Fabric Border Nodes (B) and IP-connected Fabric Wireless Controllers at the top, Control-Plane Nodes (C) and Intermediate Nodes (Underlay) in the middle, Fabric Edge Nodes and Fabric Wireless Access Points at the bottom.)
SD-Access Fabric
Control-Plane Nodes – A Closer Look

Control-Plane Node runs a Host Tracking Database to map location information

IP to RLOC: 1.2.3.4 → FE1
MAC to RLOC: AA:BB:CC:DD → FE1
Address Resolution: 1.2.3.4 → AA:BB:CC:DD

• A simple Host Database that maps Endpoint IDs to a current Location, along with other attributes
• Host Database supports multiple Endpoint ID lookup types (IPv4, IPv6 or MAC)
• Receives Endpoint ID map registrations from Edge and/or Border Nodes for “known” IP prefixes
• Resolves lookup requests from Edge and/or Border Nodes, to locate destination Endpoint IDs

(Diagram: Control-Plane node (C) and two Border nodes (B); Edge FE1 has the endpoint with IP 1.2.3.4/32 and MAC AA:BB:CC:DD attached.)
SD-Access Platforms
Fabric Control Plane
For more details: cs.co/sda-compatibility-matrix

• Catalyst 9300: 1/mG RJ45; 10/25/40/mG NM
• Catalyst 9400: Sup1XL; 9400 Cards
• Catalyst 9500: 40/100G QSFP; 1/10/25G SFP
• Catalyst 9600: Sup1; 9600 Cards
SD-Access Platforms
Fabric Control Plane
For more details: cs.co/sda-compatibility-matrix

• Catalyst 3K: Catalyst 3650/3850; 1/mG RJ45; 1/10G SFP; 1/10/40G NM Cards
• Catalyst 6K: Catalyst 6500/6800; Sup2T/Sup6T; C6800 Cards; C6880/6840-X
• ISR 4K & ENCS: ISR 4430/4450; ISR 4330/4450; ENCS 5400; ISRv / CSRv
• ASR1K: ASR 1000-X; ASR 1000-HX; 1/10G RJ45; 1/10G SFP
SD-Access @ Cisco DNA Center
Control-Plane Nodes

Fabric Control Plane - LISP Configuration

router lisp
 site site_sda
  description map-server configured from dna-center
  authentication-key sda
  eid-record instance-id 4097 0.0.0.0/0 accept-more-specifics
  eid-record instance-id 4098 0.0.0.0/0 accept-more-specifics
  eid-record instance-id 4099 0.0.0.0/0 accept-more-specifics
  eid-record instance-id 4100 0.0.0.0/0 accept-more-specifics
 exit-site
 !
 ipv4 locator reachability exclude-default
 !
 service ipv4
  map-server
  map-resolver
 exit-service-ipv4
 !
 service ethernet
  map-server
  map-resolver
 exit-service-ethernet
 !
exit-router-lisp
SD-Access Fabric
Edge Nodes – A Closer Look

Edge Node provides first-hop services for Users / Devices connected to a Fabric

IP to RLOC: 1.2.3.4 → FE1
MAC to RLOC: AA:BB:CC:DD → FE1
Address Resolution: 1.2.3.4 → AA:BB:CC:DD

• Responsible for Identifying and Authenticating Endpoints (e.g. Static, 802.1X, Active Directory)
• Register specific Endpoint ID info (e.g. /32 or /128) with the Control-Plane Node(s)
• Provide an Anycast L3 Gateway for the connected Endpoints (same IP address on all Edge nodes)
• Performs encapsulation / de-encapsulation of data traffic to and from all connected Endpoints

(Diagram: Control-Plane node (C) and Border nodes (B) facing Known and Unknown Networks; Edge FE1 has the endpoint with IP 1.2.3.4/32 and MAC AA:BB:CC:DD attached.)
SD-Access Platforms
Fabric Edge Node
For more details: cs.co/sda-compatibility-matrix

• Catalyst 9200/L*: 1/mG RJ45; 1G SFP (Uplinks)
• Catalyst 9300: 1/mG RJ45; 10/25/40/mG NM
• Catalyst 9400: Sup1/Sup1XL; 9400 Cards
• Catalyst 9500: 1/10/25G SFP; 40/100G QSFP
• Catalyst 9600: Sup1; 9600 Cards
SD-Access Platforms
Fabric Edge Node
For more details: cs.co/sda-compatibility-matrix

• Catalyst 3K: Catalyst 3650/3850; 1/mG RJ45; 1/10G SFP; 1/10/40G NM Cards
• Catalyst 4500E: Sup8E/Sup9E (Uplink); 4600/4700 Cards (Host)
• Catalyst 6K: Catalyst 6500/6800; Sup2T/Sup6T; C6800 Cards; C6880/6840-X
SD-Access @ Cisco DNA Center
Edge Nodes

Fabric Edge - LISP Configuration

router lisp
 locator-table default
 locator-set rloc<snip>
  IPv4-interface Loopback0 priority 10 weight 10
 !
 locator default-set rloc_e9eed690-<snip snip>f27
 service ipv4
  encapsulation vxlan
  map-cache-limit 25000
  database-mapping limit dynamic 5000
  itr map-resolver 192.168.1.3
  etr map-server 192.168.1.3 key uci
  etr map-server 192.168.1.3 proxy-reply
  etr
  sgt
  use-petr 192.168.1.3
  proxy-itr 192.168.1.7
 exit-service-ipv4
 !
 service ethernet
  map-cache-limit 25000
  database-mapping limit dynamic 5000
  itr map-resolver 192.168.1.3
  itr
  etr map-server 192.168.1.3 key uci
  etr map-server 192.168.1.3 proxy-reply
  etr
 exit-service-ethernet
 !
 instance-id 4097
  remote-rloc-probe on-route-change
  service ipv4
   eid-table default
   map-cache 0.0.0.0/0 map-request
  exit-service-ipv4
  !
 exit-instance-id
 !
 instance-id 4098
  remote-rloc-probe on-route-change
  service ipv4
   eid-table vrf DEFAULT_VN
   map-cache 0.0.0.0/0 map-request
  exit-service-ipv4
  !
 exit-instance-id
 !
 instance-id 4099
  remote-rloc-probe on-route-change
  service ipv4
   eid-table vrf USERS
   map-cache 0.0.0.0/0 map-request
  exit-service-ipv4
  !
 exit-instance-id
SD-Access Fabric
Border Nodes

Border Node is an Entry & Exit point for data traffic going Into & Out of a Fabric

There are 3 Types of Border Node!

• Internal Border (Rest of Company)
  • connects ONLY to the known areas of the company
• External Border (Outside)
  • connects ONLY to unknown areas outside the company
• Internal + External (Anywhere)
  • connects transit areas AND known areas of the company

(Slide callouts: DNA Center 1.2, 1.3)
SD-Access Platforms
Fabric Control Plane
For more details: cs.co/sda-compatibility-matrix

• Catalyst 9300: 1/mG RJ45; 10/25/40/mG NM
• Catalyst 9400: Sup1XL; 9400 Cards
• Catalyst 9500: 40/100G QSFP; 1/10/25G SFP
• Catalyst 9600: Sup1; 9600 Cards
SD-Access Platforms
Fabric Border Node
For more details: cs.co/sda-compatibility-matrix
* EXTERNAL ONLY

• Catalyst 3K: Catalyst 3650/3850; 1/mG RJ45; 1/10G SFP; 1/10/40G NM Cards
• Catalyst 6K: Catalyst 6500/6800; Sup2T/Sup6T; C6800 Cards; C6880/6840-X
• Nexus 7K*: Nexus 7700; Sup2E; M3 Cards; LAN1K9 + MPLS
• ISR 4K: ISR 4300/4400; AppX (AX); 1/10G RJ45; 1/10G SFP
• ASR 1K: ASR 1000-X/HX; AppX (AX); 1/10G ELC/EPA; 40G ELC/EPA
SD-Access @ Cisco DNA Center
Border Nodes

Example: CP + Border (External)
Fabric Border - LISP Configuration

router lisp
 locator-table default
 locator-set rloc<snip>
  ipv4-interface Loopback0 priority 10 weight 10
  auto-discover-rlocs
 exit-locator-set
 !
 service ipv4
  encapsulation vxlan
  map-cache-limit 25000
  database-mapping limit dynamic 5000
  itr map-resolver 192.168.1.3
  etr map-server 192.168.1.3 key sda
  etr map-server 192.168.1.3 proxy-reply
  etr
  sgt
  proxy-etr
  proxy-itr 192.168.1.3
  map-server
  map-resolver
 exit-service-ipv4
 !
 service ethernet
  map-server
  map-resolver
 exit-service-ethernet
 !
 instance-id 4097
  remote-rloc-probe on-route-change
  service ipv4
   eid-table default
   route-export site-registrations
   distance site-registrations 250
   map-cache site-registration
  exit-service-ipv4
  !
 instance-id 4098
  remote-rloc-probe on-route-change
  service ipv4
   eid-table vrf DEFAULT_VN
   route-import database bgp 65001 route-map database locator-set rloc<snip>
   route-export site-registrations
   distance site-registrations 250
   map-cache site-registration
  exit-service-ipv4
  !
 instance-id 4099
  remote-rloc-probe on-route-change
  service ipv4
   eid-table vrf USERS
   route-import database bgp 65001 route-map database locator-set rloc<snip>
   route-export site-registrations
   distance site-registrations 250
   map-cache site-registration
  exit-service-ipv4
Fabric Border - BGP Configuration

router bgp 65001
 bgp router-id interface Loopback0
 bgp log-neighbor-changes
 neighbor 192.168.111.10 remote-as 65002
 neighbor 192.168.111.10 update-source Vlan3003
 !
 address-family ipv4
  network 192.168.1.3 mask 255.255.255.255
  redistribute lisp metric 10
  neighbor 192.168.111.10 activate
  neighbor 192.168.111.10 weight 65535
 exit-address-family
 !
 address-family ipv4 vrf DEFAULT_VN
  redistribute lisp metric 10
  neighbor 192.168.111.14 remote-as 65002
  neighbor 192.168.111.14 update-source Vlan3004
  neighbor 192.168.111.14 activate
  neighbor 192.168.111.14 weight 65535
 exit-address-family
 !
 address-family ipv4 vrf GUEST
  redistribute lisp metric 10
  neighbor 192.168.111.2 remote-as 65002
  neighbor 192.168.111.2 update-source Vlan3001
  neighbor 192.168.111.2 activate
  neighbor 192.168.111.2 weight 65535
 exit-address-family
 !
 address-family ipv4 vrf USERS
  redistribute lisp metric 10
  neighbor 192.168.111.6 remote-as 65002
  neighbor 192.168.111.6 update-source Vlan3002
  neighbor 192.168.111.6 activate
  neighbor 192.168.111.6 weight 65535
 exit-address-family
SD-Access Fabric
Border Nodes - Internal

Internal Border advertises Endpoints to outside, and known Subnets to inside

• Connects to any “known” IP subnets available from the outside network (e.g. DC, WLC, FW, etc.)
• Exports all internal IP Pools to outside (as aggregate), using traditional IP routing protocol(s).
• Imports and registers (known) IP subnets from outside, into the Control-Plane Map System
• Hand-off requires mapping the context (VRF & SGT) from one domain to another.

(Diagram: Control-Plane node (C) and Border nodes (B) between the Known Networks and Unknown Networks.)
SD-Access - Border Deployment
Internal Border : Connecting to Known Networks

(Diagram: the fabric with Control-Plane (C) and Border (B) nodes connects to Known Networks: Data Center and Branch Office.)
SD-Access - Border Deployment
Anywhere Border : SD-Access as a Transit Area

(Diagram: the SD-Access Fabric with Border nodes (B) sits between External Domain 1 and External Domain 2.)
SD-Access Fabric
Border Nodes - External

External Border is a “Gateway of Last Resort” for any unknown destinations

• Connects to any “unknown” IP subnets, outside of the network (e.g. Internet, Public Cloud)
• Exports all internal IP Pools outside (as aggregate) into traditional IP routing protocol(s).
• Does NOT import unknown routes! It is a “default” exit, if no entry is available in Control-Plane.
• Hand-off requires mapping the context (VRF & SGT) from one domain to another.

(Diagram: Control-Plane node (C) and Border nodes (B) between the Known Networks and Unknown Networks.)
SD-Access - Border Deployment
External Border : Connecting to Unknown Networks

(Diagram: the SD-Access Fabric with Control-Plane (C) and Border (B) nodes connects to Unknown Networks: Public Cloud and Internet.)
SD-Access - Border Deployment
Why? Internal Traffic with External Borders

ALL non-fabric traffic MUST travel to the External (Default) Border.

If other internal domains (e.g. WAN or DC) are only reachable via the same IP network, traffic may follow a sub-optimal path (e.g. hairpin).

(Diagram: Edge Node → External Border (B) → IP Network → Internet; the WAN Edge (WAN/Branch) and DC Edge (Data Center) hang off the same IP Network.)
SD-Access - Border Deployment
Why? Internal Traffic with Internal Borders

Traffic to internal domains will go directly to the Internal Borders.

Any external traffic (e.g. Internet) can still exit via the External Border.

(Diagram: Edge Node with an External Border (B) towards the IP Network and Internet, and Internal Borders (B) towards WAN/Branch and the Data Center.)
Would you like to know more?
External Connectivity

Check out the following session:

BRKCRS-2811
SD-Access - Connecting to External Networks
This session covers:
• More details about Fabric Border Nodes
• How Borders communicate to outside networks
• Various Fabric Border design approaches

Would you like to know more?
External Connectivity

Check out the following session:

BRKCRS-2815
SD-Access - Deploy a Fabric in Large Enterprise
This session covers:
• More details about Fabric Border Nodes
• How multiple Fabrics communicate
• Various Multi-Site design approaches

SD-Access Fabric
Fabric Enabled Wireless – A Closer Look

Fabric Enabled WLC is integrated into Fabric for SD-Access Wireless clients
Ctrl: CAPWAP / Data: VXLAN

• Connects to Fabric via Border (Underlay)
• Fabric Enabled APs connect to the WLC (CAPWAP) using a dedicated Host Pool (Overlay)
• Fabric Enabled APs connect to the Edge via VXLAN
• Wireless Clients (SSIDs) use regular Host Pools for data traffic and policy (same as Wired)
• Fabric Enabled WLC registers Clients with the Control-Plane (as located on local Edge + AP)

(Diagram: Control-Plane node (C) and Border nodes (B) between Known and Unknown Networks; the WLC attaches via the Border.)
SD-Access Platforms
Fabric Enabled Wireless
For more details: cs.co/sda-compatibility-matrix
* No IPv6, AVC, FNF

• AireOS WLC: AIR-CT3504; AIR-CT5520; AIR-CT8540
• Catalyst 9800: Catalyst 9800-40/80; Catalyst 9800-CL; C9K Embedded WLC
• Access Points: Catalyst 9100 (Wifi 6, 802.11ax); AIR-CAP1800, 2800, 3800 and 4800 (11ac Wave 2); AIR-CAP1540, 1560; AIR-CAP1700, 2700 and 3700 (802.11ac Wave 1*)
SD-Access @ Cisco DNA Center
Fabric Wireless

Would you like to know more?
Fabric Wireless

Check out the following session:

BRKEWN-2020
SD-Access - Wireless Integration
This session covers:
• More details about Fabric Wireless
• How Fabric WLC and APs communicate
• Various Fabric Wireless approaches
SD-Access Extension for IoT
Securely Consolidate IT and IOT

Extended Node Portfolio (Beta in DNA Center 1.2.5, GA in 1.3):
• IE3300/3400
• IE4000/4010
• IE5000
• Catalyst Digital Building
• 3560-CX Compact

• Operational IOT simplicity (Automation)
• IT designed and managed, or IT designed and OT managed
• Greater visibility of IoT devices (Assurance)
• Extended Segmentation & Policy (Security)

(Diagram: Enterprise Campus fabric with Extended Nodes attached in a REP Ring.)
SD-Access Fabric
Virtual Network – A Closer Look

Virtual Network maintains a separate Routing & Switching table for each instance

• Control-Plane uses Instance ID to maintain separate VRF topologies (“Default” VRF is Instance ID “4098”)
• Nodes add a VNID to the Fabric encapsulation
• Endpoint ID prefixes (Host Pools) are routed and advertised within a Virtual Network
• Uses standard “vrf definition” configuration, along with RD & RT for remote advertisement (Border Node)

(Diagram: Control-Plane node (C) and Border nodes (B) between Known and Unkn­own Networks; three VNs: Campus, IOT, Guest.)
SD-Access Fabric
How VNs work in SD-Access

• Fabric Devices (Underlay) connectivity is in the Global Routing Table
• INFRA_VN is only for Access Points and Extended Nodes in GRT
• DEFAULT_VN is an actual “User VN” provided by default
• User-Defined VNs can be added or removed on-demand

(Diagram, Scope of Fabric from top to bottom: User-Defined VN(s) = USER VRF(s); DEFAULT_VN = User VN (for Default); INFRA_VN = VN (for APs, Extended Nodes); Devices (Underlay) = GRT; all hand off at the Border.)
SD-Access Fabric
How VNs work in SD-Access

SD-Access Designs connecting to existing Global Routing Table should use a “Fusion” router with MP-BGP & VRF import/export.

ip vrf USERS
 rd 1:4099
 route-target export 1:4099
 route-target import 1:4099
 route-target import 1:4097
!
ip vrf DEFAULT_VN
 rd 1:4098
 route-target export 1:4098
 route-target import 1:4098
 route-target import 1:4097
!
ip vrf GLOBAL
 rd 1:4097
 route-target export 1:4097
 route-target import 1:4097
 route-target export 1:4099
 route-target export 1:4098

(Diagram: Edge Node (SVI A, SVI B; ISIS underlay) → Border Node (VRF A, VRF B; Control Plane C) → MP-BGP (AF IPv4, AF VRF A, AF VRF B) → Fusion Router → Switch (GRT; OSPF).)
Fabric Edge & Border - VRF Configuration

Edge-1# show vrf
  Name          Default RD  Protocols  Interfaces
  DEFAULT_VN    1:4098      ipv4       LI0.4098
  GUEST         1:4100      ipv4       LI0.4100
  Mgmt-vrf      <not set>   ipv4,ipv6  Gi0/0
  USERS         1:4099      ipv4       LI0.4099

CP-Border-1# show vrf
  Name          Default RD  Protocols  Interfaces
  DEFAULT_VN    1:4098      ipv4       Vl3004
                                       LI0.4098
  GUEST         1:4100      ipv4       Vl3001
                                       LI0.4100
  Mgmt-vrf      <not set>   ipv4,ipv6  Gi0/0
  USERS         1:4099      ipv4       Vl3002
                                       LI0.4099
SD-Access Fabric
Scalable Groups – A Closer Look

Scalable Group is a logical policy object to “group” Users and/or Devices

• Nodes use “Scalable Groups” to ID and assign a unique Scalable Group Tag (SGT) to Endpoints
• Nodes add a SGT to the Fabric encapsulation
• SGTs are used to manage address-independent “Group-Based Policies”
• Edge or Border Nodes use SGT to enforce local Scalable Group ACLs (SGACLs)

(Diagram: Control-Plane node (C) and Border nodes (B) between Known and Unknown Networks; endpoints carry SGTs such as 3, 4, 8, 11, 12, 17, 19, 23, 25.)

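The two encapsulation bullets (the VNID added by the Virtual Network slide, the SGT added here) and the 50-byte fabric header from the Underlay slide, combined in an added example that is not from the deck or from Cisco: it packs and parses the fabric header and applies an SGACL matrix at the egress node. It assumes the fabric encapsulation is VXLAN with the Group Policy extension (VXLAN-GPO), which the slides do not name; the SGT values, IP-to-SGT bindings and policy cells are constructed sample data.

```python
"""Added example: build and parse the SD-Access fabric header and enforce a
group-based policy at the egress node. Not Cisco code. Assumption: the fabric
encapsulation is VXLAN with the Group Policy extension (VXLAN-GPO), carrying
the SGT in the 16-bit Group Policy ID and the VN in the 24-bit VNI. SGT
numbers, bindings and the policy matrix are constructed sample data."""
import struct

ETH_HDR, IPV4_HDR, UDP_HDR, VXLAN_HDR = 14, 20, 8, 8
FLAG_G = 0x80   # byte 0: Group Policy extension present
FLAG_I = 0x08   # byte 0: VNI field valid (standard VXLAN)
FLAG_A = 0x08   # byte 1: policy Applied (SGACL already enforced upstream)


def fabric_overhead() -> int:
    """Outer Ethernet + IPv4 + UDP + VXLAN-GPO: the 50 bytes the underlay MTU must absorb."""
    return ETH_HDR + IPV4_HDR + UDP_HDR + VXLAN_HDR


def encap_header(vni: int, sgt: int, applied: bool = False) -> bytes:
    """8-byte VXLAN-GPO header a Fabric Edge prepends (after outer Eth/IP/UDP)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    if not 0 <= sgt < 1 << 16:
        raise ValueError("SGT must fit in 16 bits")
    return struct.pack(">BBHI", FLAG_G | FLAG_I, FLAG_A if applied else 0, sgt, vni << 8)


def decap_header(hdr: bytes) -> dict:
    """Parse the header at the egress node; reject frames that carry no SGT."""
    if len(hdr) < VXLAN_HDR:
        raise ValueError("short VXLAN header")
    flags0, flags1, gpid, vni_word = struct.unpack(">BBHI", hdr[:VXLAN_HDR])
    if not flags0 & FLAG_I:
        raise ValueError("VNI flag not set")
    if not flags0 & FLAG_G:
        raise ValueError("no Group Policy extension: SGT absent")
    return {"vni": vni_word >> 8, "sgt": gpid, "applied": bool(flags1 & FLAG_A)}


def egress_enforce(hdr: bytes, dst_ip: str, bindings: dict, policy: dict,
                   default: str = "permit") -> str:
    """Egress Edge/Border behaviour: the destination SGT is taken from the local
    IP-to-SGT binding table of the frame's VN, and the (src SGT, dst SGT) cell of
    the SGACL matrix decides. A frame already marked Applied is not re-evaluated."""
    fields = decap_header(hdr)
    if fields["applied"]:
        return "permit"
    dst_sgt = bindings.get((fields["vni"], dst_ip))
    if dst_sgt is None:               # destination not in this VN, or unknown group
        return default
    return policy.get((fields["sgt"], dst_sgt), default)


def demo() -> dict:
    EMPLOYEES, GUESTS, SERVERS = 4, 8, 17          # constructed SGT values
    bindings = {(4099, "10.111.0.3"): EMPLOYEES,   # VN 4099 = USERS in the deck
                (4099, "10.111.9.10"): SERVERS}
    policy = {(EMPLOYEES, SERVERS): "permit",
              (GUESTS, SERVERS): "deny",
              (GUESTS, EMPLOYEES): "deny"}
    emp, guest = encap_header(4099, EMPLOYEES), encap_header(4099, GUESTS)
    return {
        "overhead": fabric_overhead(),
        "min_underlay_mtu": 1500 + fabric_overhead(),
        "header_hex": emp.hex(),
        "parsed": decap_header(emp),
        "emp_to_server": egress_enforce(emp, "10.111.9.10", bindings, policy),
        "guest_to_server": egress_enforce(guest, "10.111.9.10", bindings, policy),
        "guest_to_employee": egress_enforce(guest, "10.111.0.3", bindings, policy),
        "guest_to_unknown": egress_enforce(guest, "10.111.7.7", bindings, policy, "deny"),
        "other_vn": egress_enforce(encap_header(4098, GUESTS), "10.111.0.3",
                                   bindings, policy, "deny"),
        "pre_applied": egress_enforce(encap_header(4099, GUESTS, applied=True),
                                      "10.111.9.10", bindings, policy),
    }
```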
SD-Access @ Cisco DNA Center
Virtual Networks and Scalable Groups

SD-Access @ Cisco DNA Center
Group-Based Access Control Policy

Would you like to know more?
Fabric Policy

Check out the following session:

BRKCRS-3811
SD-Access - Policy Driven Manageability
This session covers:
• More details about Group-Based Policy
• How VNs and SGTs are related
• Various Fabric Policy design approaches
SD-Access Fabric
Host Pools – A Closer Look

Host Pool provides basic IP functions necessary for attached Endpoints

• Edge Nodes use a Switch Virtual Interface (SVI), with IP Address /Mask, etc. per Host Pool
• Fabric uses Dynamic EID mapping to advertise each Host Pool (per Instance ID)
• Fabric Dynamic EID allows Host-specific (/32, /128 or MAC) advertisement and mobility
• Host Pools can be assigned Dynamically (via Host Authentication) and/or Statically (per port)

(Diagram: Control-Plane node (C) and Border nodes (B) between Known and Unknown Networks; Host Pools with hosts .4, .8, .11, .12, .13, .17, .19, .23, .25.)
SD-Access Fabric
Anycast Gateway – A Closer Look

Anycast GW provides a single L3 Default Gateway for IP capable endpoints

• Similar principle and behavior to HSRP / VRRP with a shared “Virtual” IP and MAC address
• The same Switch Virtual Interface (SVI) is present on EVERY Edge with the SAME Virtual IP and MAC
• Control-Plane with Fabric Dynamic EID mapping maintains the Host to Edge relationship
• When a Host moves from Edge 1 to Edge 2, it does not need to change its Default Gateway

(Diagram: Control-Plane node (C) and Border nodes (B) between Known and Unknown Networks; every Edge presents the same GW.)
SD-Access Fabric
Layer 3 Overlay – A Closer Look

Stretched Subnets allow an IP subnet to be “stretched” via the Overlay

• Host IP based traffic arrives on the local Fabric Edge (SVI) and is then transferred by the Fabric
• Fabric Dynamic EID mapping allows Host-specific (/32, /128, MAC) advertisement and mobility
• Host 1 connected to Edge A can now use the same IP subnet to communicate with Host 2 on Edge B
• No longer need a VLAN to connect Host 1 and 2

(Diagram: Control-Plane node (C) and Border nodes (B) between Known and Unknown Networks; Dynamic EID; every Edge presents the same GW.)
SD-Access @ Cisco DNA Center
Host Pools & Layer-2 Extension

Fabric Edge - VN & Pool Configuration

Edge-1# show vrf
  Name                             Default RD            Protocols   Interfaces
  DEFAULT_VN                       1:4098                ipv4        LI0.4098
  GUEST                            1:4100                ipv4        LI0.4100
  Mgmt-vrf                         <not set>             ipv4,ipv6   Gi0/0
  USERS                            1:4099                ipv4        LI0.4099
                                                                     Vl1021

Edge-1# show running-config interface vlan1021
Building configuration...

Current configuration : 315 bytes
!
interface Vlan1021
 description Configured from apic-em
 mac-address 0000.0c9f.f45c
 vrf forwarding USERS
 ip address 10.111.255.254 255.255.0.0
 ip helper-address 192.168.4.1
 no ip redirects
 ip local-proxy-arp
 ip route-cache same-interface
 no lisp mobility liveness test
 lisp mobility 10_111_0_0-USERS

Endpoint Registration

CP_Border-1# show lisp site instance 4099
LISP Site Registration Information
* = Some locators are down or unreachable
# = Some registrations are sourced by reliable transport

Site Name      Last      Up     Who Last             Inst     EID Prefix
               Register         Registered           ID
site_sda       never     no     --                   4099     0.0.0.0/0
               17:32:21  yes#   192.168.1.3          4099     10.111.0.0/16
               01:40:00  yes#   192.168.1.7          4099     10.111.0.3/32

Edge-1# show lisp instance 4099 dynamic-eid summary

LISP Dynamic EID Summary for VRF "USERS"
^ = Dyn-EID learned by EID Notify
* = Dyn-EID learned by Site-Based Map-Notify

Dyn-EID Name          Dynamic-EID      Interface    Uptime     Last        Pending
                                                               Packet      Ping Count
10_111_0_0-USERS      10.111.0.3       Vl1021       01:38:42   01:38:42    0

SD-Access Fabric
Layer 2 Overlay – A Closer Look

Layer 2 Overlay allows Non-IP endpoints to use Broadcast & L2 Multicast

• Similar principle and behavior as Virtual Private LAN Services (VPLS) P2MP Overlay
• Uses a pre-built Multicast Underlay to setup a P2MP tunnel between all Fabric Nodes.
• L2 Broadcast and Multicast traffic will be distributed to all connected Fabric Nodes.
• Can be enabled for specific Host Pools that require L2 services (use Stretched Subnets for L3)

NOTE: L3 Integrated Routing and Bridging (IRB) is not supported at this time.

[Figure: Fabric with Control-Plane node (C), Border nodes (B) toward Known and Unknown Networks; an L2 Overlay connects the same VLAN on each Edge node]

SD-Access @ Cisco DNA Center
Layer-2 Flooding

SD-Access Multicast Overlay
PIM-SM: Receiver Join to Fabric RP

• Multicast Clients (receivers) are in the Fabric Overlay
• Multicast Sources can be in the Fabric Overlay (via FE) and/or outside the Fabric (via FB)
• PIM-SM is enabled to run in the Fabric Overlay
• A Fabric Rendezvous Point (RP) needs to be present in the Overlay, as part of the Endpoint IP space

1. Client sends IGMP join for any-source multicast Group (*,G)
2. The Fabric Edge (FE) node receives the IGMP join on SVI
3. The IGMP join triggers a new PIM join towards the Fabric RP

[Figure: Multicast Source in the non-Fabric network – Fabric Border (FB) – Fabric RP – Fabric Edge (FE) – Multicast Client; Underlay and Overlay shown side by side; IGMP Join from the Client to the FE, PIM Join from the FE to the RP]

SD-Access Multicast Overlay
PIM-SM: Source Register to Fabric RP

1. The Multicast Source sends the multicast traffic to the interfaces connected to the Fabric Border (outside), or another Fabric Edge (inside), as the DR for that subnet.
2. The source node receives the multicast traffic and triggers an any-source PIM Join (or a PIM register, if local) towards the Fabric RP to establish the multicast tree.
3. The Fabric RP now has both the Source and Receiver information for the multicast group (G).

[Figure: Multicast Source in the non-Fabric network sends Multicast Traffic to the Fabric Border (FB); PIM Join from the FB to the Fabric RP; Fabric Edge (FE) with the Multicast Client below]

SD-Access Multicast Overlay
PIM-SM: RPT Forwarding & Fabric Data-Plane

1. From earlier: the Fabric RP now has both the Source and Receiver information for the multicast group (G).
2. The source node (FB or FE) will unicast the multicast traffic over a VXLAN tunnel to the Fabric RP.
3. Then the RP will unicast that traffic to the receiver node over another VXLAN tunnel (RPT).
4. The receiver node (FB or FE) receives the VXLAN packets, decapsulates, applies policy, and then sends the original IP multicast packet to the port connected to the Client.

[Figure: Multicast Source in the non-Fabric network – Fabric Border (FB) – Fabric RP – Fabric Edge (FE) – Multicast Client; VXLAN Tunnels FB → RP and RP → FE in the Overlay]

SD-Access Multicast Overlay
PIM-SM: SPT Switchover and Fabric Replications

1. Once the first multicast packet arrives on the receiver node, the shortest path tree (SPT) switchover occurs, which triggers a new PIM join directly to the source node.
2. The source node now knows which receiver nodes have clients attached, based on the received PIM joins for the specific multicast Group.
3. The source node creates a copy of the original packet for each remote node, VXLAN encapsulates the traffic, and then unicasts it to each of the remote nodes (known as head-end replication).
4. Each receiver node receives the VXLAN packets, decapsulates, applies policy, and then sends the original multicast packet to the port connected to the Client.

[Figure: Multicast Source in the non-Fabric network – Fabric Border (FB) – Fabric RP; PIM Join from FE1 and FE2 directly to the FB; VXLAN Tunnels from the FB to FE1 (Client 1) and FE2 (Client 2)]

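The four PIM-SM slides above describe one procedure. The following Python model is an added example (not Cisco code and not from the deck); it replays the join, RPT forwarding and SPT switchover steps so the change in replication behaviour is visible. Node names, RLOCs, client ports and the (S,G) pair are constructed values.

```python
"""Fabric overlay multicast model, as an added example (not Cisco code).
Replays the PIM-SM slides: IGMP join -> PIM (*,G) join to the Fabric RP, RPT
forwarding as unicast VXLAN hops (source node -> RP -> receiver nodes), then SPT
switchover, after which the source node head-end replicates one copy per
receiver node. Node names, RLOCs, ports and the group are constructed."""
from collections import defaultdict


class FabricNode:
    """A fabric node (FE or FB) identified by its RLOC; one node also acts as RP."""

    def __init__(self, name, rloc, rp=None):
        self.name, self.rloc = name, rloc
        self.rp = rp if rp is not None else self   # RP for this overlay VN
        self.joins = defaultdict(set)        # ("*"|S, G) -> RLOCs that sent PIM joins
        self.local_ports = defaultdict(set)  # G -> locally attached client ports
        self.spt = set()                     # (S, G) pairs this node joined directly

    # ---- control plane -----------------------------------------------------
    def igmp_join(self, port, group):
        """Receiver join: IGMP (*,G) on the SVI becomes a PIM join towards the RP."""
        self.local_ports[group].add(port)
        self.rp.joins[("*", group)].add(self.rloc)

    def spt_switchover(self, source, group, source_node):
        """First packet seen via the RPT triggers an (S,G) PIM join straight to the source node."""
        source_node.joins[(source, group)].add(self.rloc)
        self.spt.add((source, group))

    # ---- data plane --------------------------------------------------------
    def forward(self, source, group):
        """Return the VXLAN unicast copies this node emits for one (S,G) packet,
        as (src_rloc, dst_rloc) tuples. Local client ports are served by deliver()."""
        if self.rp is self:
            # RP: replicate down the shared tree (RPT) to every joined receiver node
            return sorted((self.rloc, r) for r in self.joins[("*", group)] if r != self.rloc)
        direct = self.joins.get((source, group), set())
        if direct:
            # after switchover: head-end replication, one copy per remote node
            return sorted((self.rloc, r) for r in direct)
        # before switchover: a single copy to the RP (register / RPT)
        return [(self.rloc, self.rp.rloc)]

    def deliver(self, group):
        """Receiver node: decapsulate, apply policy, hand the original packet to client ports."""
        return sorted(self.local_ports[group])


def scenario():
    """Source outside the fabric behind the FB; receivers on FE1 and FE2. Returns the
    tunnel copies emitted in each phase so the replication change can be checked."""
    rp = FabricNode("RP", "192.168.1.1")            # constructed RP inside the overlay
    fb = FabricNode("FB", "192.168.1.3", rp=rp)     # source node (border)
    fe1 = FabricNode("FE1", "192.168.1.7", rp=rp)
    fe2 = FabricNode("FE2", "192.168.1.8", rp=rp)
    group, source = "239.1.1.1", "172.16.0.10"      # constructed (S,G)

    fe1.igmp_join("Gi1/0/1", group)
    fe2.igmp_join("Gi1/0/5", group)

    # first packet travels the RPT: FB -> RP, then RP -> each receiver node
    rpt_copies = fb.forward(source, group) + rp.forward(source, group)

    # the receiver nodes see that packet and join the SPT directly to the FB
    for fe in (fe1, fe2):
        fe.spt_switchover(source, group, fb)

    # steady state: FB head-end replicates, the RP is no longer in the data path
    spt_copies = fb.forward(source, group)
    return {"rpt": rpt_copies, "spt": spt_copies,
            "fe1_ports": fe1.deliver(group), "fe2_ports": fe2.deliver(group)}
```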
SD-Access @ Cisco DNA Center
PIM-SM: Enable Fabric Rendezvous Point (RP)

SD-Access @ Cisco DNA Center
PIM-SM: Assign Multicast Address Pool (per VN)

Fabric Fundamentals
What is Campus Fabric?

1. Control-Plane
2. Data-Plane
3. Policy-Plane

SD-Access Fabric
Campus Fabric - Key Components

1. Control-Plane based on LISP
2. Data-Plane based on VXLAN
3. Policy-Plane based on CTS

Key Differences
• L2 + L3 Overlay -vs- L2 or L3 Only
• Host Mobility with Anycast Gateway
• Adds VRF + SGT into Data-Plane
• Virtual Tunnel Endpoints (Automatic)
• NO Topology Limitations (Basic IP)

[Figure: Fabric with Control-Plane node (C) and Border nodes (B)]

SD-Access Fabric
Key Components - LISP

Control-Plane based on LISP

1. Host Mobility

BEFORE: Routing Protocols = Big Tables & More CPU, with Local L3 Gateway
• IP Address = Location + Identity
• Every router carries Topology + Endpoint Routes (Prefix → Next-hop)

AFTER: LISP DB + Cache = Small Tables & Less CPU, with Anycast L3 Gateway
• Separate Identity from Location
• Endpoint Routes are Consolidated to the LISP Mapping Database (Prefix → RLOC)
• Routers keep Only Local Routes and Topology Routes

[Figure: BEFORE – every router's routing table lists all Prefix → Next-hop entries; AFTER – the Mapping Database lists the Prefix → RLOC entries and each router keeps only its local and topology routes]

Fabric Operation
Control-Plane Roles & Responsibilities

LISP Map Server / Resolver (Control-Plane)
• EID to RLOC mappings
• Can be distributed across multiple LISP devices

LISP Tunnel Router - XTR (Edge & Internal Border)
• Register EID with Map Server
• Ingress / Egress (ITR / ETR)

LISP Proxy Tunnel Router - PXTR (External Border)
• Provides a Default Gateway when no mapping exists
• Ingress / Egress (PITR / PETR)

• EID = Endpoint Identifier: Host Address or Subnet
• RLOC = Routing Locator: Local Router Address

[Figure: the Control-Plane holds the EID-to-RLOC table; Edge nodes sit in the EID Space, the Border in the RLOC Space toward the Non-LISP network]

Control-Plane EID → RLOC table        Non-LISP Prefix → Next-hop table (Border)
a.a.a.0/24  → w.x.y.1                 w.x.y.1 → e.f.g.h
b.b.b.0/24  → x.y.w.2                 x.y.w.2 → e.f.g.h
c.c.c.0/24  → z.q.r.5                 z.q.r.5 → e.f.g.h
d.d.0.0/16  → z.q.r.5                 z.q.r.5 → e.f.g.h

Fabric Operation
Control Plane Register & Resolution

[Figure: Fabric Control Plane 5.1.1.1; F abric Edges 2.1.1.1, 2.1.2.1, 3.1.1.1, 3.1.2.1 with Subnet 10.2.0.0 255.255.0.0 stretched across them (hosts 10.2.2.2, 10.2.2.3, 10.2.2.4, 10.2.2.5, each shown as /16); a Branch Fabric Edge asking “Where is 10.2.2.2?”]

Database Mapping Entry (on ETR): 10.2.2.2/32 → (2.1.2.1)
Database Mapping Entry (on ETR): 10.2.2.4/32 → (3.1.2.1)
Cache Entry (on ITR): 10.2.2.2/32 → (2.1.2.1)

Fabric Operation
Fabric Internal Forwarding (Edge to Edge)

[Figure: Source S (10.1.0.1, Branch subnet 10.1.0.0/24) behind Fabric Edge 1.1.1.1; Fabric Borders 5.1.1.1, 5.2.2.2, 5.3.3.3 toward Non-Fabric networks; Mapping System; Fabric Edges 2.1.1.1, 2.1.2.1, 3.1.1.1, 3.1.2.1 with Subnet 10.2.0.0 255.255.0.0 stretched across them (hosts 10.2.2.2, 10.2.2.3, 10.2.2.4, 10.2.2.5); destination D = 10.2.2.2]

1. DNS Entry: D.abc.com A 10.2.2.2
2. 10.1.0.1 → 10.2.2.2 (S sends the packet to its Fabric Edge 1.1.1.1)
3. Mapping Entry: EID-prefix 10.2.2.2/32, Locator-set 2.1.2.1, priority: 1, weight: 100 (Path Preference Controlled by Destination Site)
4. 1.1.1.1 → 2.1.2.1 carrying 10.1.0.1 → 10.2.2.2 (encapsulated across the IP Network)
5. 10.1.0.1 → 10.2.2.2 (decapsulated by Fabric Edge 2.1.2.1 and delivered to D)

Fabric Operation
Forwarding from Outside (Border to Edge)

[Figure: Source S 192.3.0.1 in a Non-Fabric network; Fabric Borders 4.4.4.4, 5.1.1.1, 5.2.2.2, 5.3.3.3; Mapping System; Fabric Edges 2.1.1.1, 2.1.2.1, 3.1.1.1, 3.1.2.1 with Subnet 10.2.0.0 255.255.0.0 stretched across them (hosts 10.2.2.2, 10.2.2.3, 10.2.2.4, 10.2.2.5); destination D = 10.2.2.2]

1. DNS Entry: D.abc.com A 10.2.2.2
2. 192.3.0.1 → 10.2.2.2 (arrives at the Fabric Border 4.4.4.4)
3. Mapping Entry: EID-Prefix 10.2.2.2/32, Locator-Set 2.1.2.1, priority: 1, weight: 100
4. 4.4.4.4 → 2.1.2.1 carrying 192.3.0.1 → 10.2.2.2 (encapsulated across the IP Network)
5. 192.3.0.1 → 10.2.2.2 (decapsulated by Fabric Edge 2.1.2.1 and delivered to D)

Fabric Operation
Host Mobility – Dynamic EID Migration

[Figure: Campus Bldg 1 (Fabric Edges 12.1.1.1, 12.1.1.2) and Campus Bldg 2 (Fabric Edges 12.2.2.1, 12.2.2.2) across an IP Network; Fabric Borders 1.1.1.1, 2.1.1.1, 3.1.1.1 (12.0.0.1, 12.0.0.2) toward DC1 (10.10.10.0/24, host D) and the Mapping System; host S 10.2.1.10 moves from Bldg 1 to Bldg 2 (steps 1 to 5)]

Fabric Control Plane (Map Register):
  10.10.0.0/16 – 12.0.0.1
  10.2.1.10/32 – 12.1.1.1
  10.2.1.10/32 – 12.2.2.1
  Map Register message: EID: 10.17.1.10/32, Node: 12.1.1.1

Routing Table (Bldg 1 edge):
  10.2.1.0/24 – Local
  10.2.1.10/32 – Local, replaced after the move by 10.2.1.10/32 – LISP0

Routing Table (Bldg 2 edge):
  10.2.1.0/24 – Local
  10.2.1.10/32 - Local

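The four Fabric Operation slides above (register, resolution, forwarding, mobility) can be exercised in a small model. The Python below is an added example, not Cisco code or output from the deck; it uses the instance-id 4099 registrations from the `show lisp site` output earlier in this section (10.111.0.0/16 from 192.168.1.3, 10.111.0.3/32 from 192.168.1.7), while the second edge's RLOC 192.168.1.9, the new location 192.168.1.8 and the cache-invalidation shortcut standing in for Map-Notify/SMR are assumptions.

```python
"""LISP control-plane model: Map-Server registration, longest-prefix Map-Request
resolution, the ITR map-cache and dynamic-EID migration. Added example, not
Cisco code. Registrations mirror the 'show lisp site' output: in instance-id
4099 (VRF USERS) the /16 host pool 10.111.0.0/16 is registered from 192.168.1.3
and host 10.111.0.3/32 from 192.168.1.7. Other RLOCs are constructed."""
import ipaddress


class MapServer:
    """EID-to-RLOC database. Keys carry the instance-id, so the same EID in two
    Virtual Networks never collides: VN separation is enforced in the lookup."""

    def __init__(self):
        self.db = {}      # (iid, IPv4Network) -> rloc
        self.itrs = []    # ITRs to notify when a mapping changes

    def register(self, iid, eid_prefix, rloc):
        """Map-Register. A newer registration for the same EID replaces the old one;
        that replacement is how a host move is learnt. Returns the previous RLOC."""
        key = (iid, ipaddress.ip_network(eid_prefix))
        old = self.db.get(key)
        self.db[key] = rloc
        if old is not None and old != rloc:
            for itr in self.itrs:      # simplified stand-in for Map-Notify / SMR
                itr.invalidate(iid, key[1])
        return old

    def resolve(self, iid, eid):
        """Map-Request: longest-prefix match among this instance-id's EIDs, so a /32
        host registration wins over the /16 pool aggregate. None = negative reply."""
        addr = ipaddress.ip_address(eid)
        best = None
        for (i, net), rloc in self.db.items():
            if i == iid and addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, rloc)
        return best


class ITR:
    """Ingress tunnel router (a Fabric Edge) with a per-instance map-cache."""

    def __init__(self, name, rloc, map_server):
        self.name, self.rloc, self.ms = name, rloc, map_server
        self.cache = {}   # (iid, IPv4Network) -> rloc
        map_server.itrs.append(self)

    def lookup(self, iid, dst_eid):
        """Returns (rloc, source) with source 'cache', 'map-reply' or 'negative'."""
        addr = ipaddress.ip_address(dst_eid)
        hits = [(net, rloc) for (i, net), rloc in self.cache.items() if i == iid and addr in net]
        if hits:
            return max(hits, key=lambda h: h[0].prefixlen)[1], "cache"
        hit = self.ms.resolve(iid, dst_eid)
        if hit is None:
            return None, "negative"    # no mapping: traffic falls back to the PxTR/default
        self.cache[(iid, hit[0])] = hit[1]
        return hit[1], "map-reply"

    def invalidate(self, iid, net):
        """Drop every cached entry covering the moved EID so the next packet re-resolves."""
        self.cache = {k: v for k, v in self.cache.items()
                      if not (k[0] == iid and k[1].overlaps(net))}


def demo():
    ms = MapServer()
    ms.register(4099, "10.111.0.0/16", "192.168.1.3")   # host-pool aggregate
    ms.register(4099, "10.111.0.3/32", "192.168.1.7")   # dynamic-EID learnt on Edge-1
    edge2 = ITR("Edge-2", "192.168.1.9", ms)            # constructed second edge
    out = {}
    out["host"] = edge2.lookup(4099, "10.111.0.3")      # /32 wins -> Edge-1, via Map-Request
    out["cached"] = edge2.lookup(4099, "10.111.0.3")    # second time answered from cache
    out["pool"] = edge2.lookup(4099, "10.111.0.55")     # unknown host -> /16 aggregate
    out["other_vn"] = edge2.lookup(4100, "10.111.0.3")  # same IP in the GUEST VN: no mapping
    # host 10.111.0.3 moves to a third edge; Edge-2's stale cache entries are dropped
    out["moved_from"] = ms.register(4099, "10.111.0.3/32", "192.168.1.8")
    out["after_move"] = edge2.lookup(4099, "10.111.0.3")
    return out
```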
Would you like to know more?
Locator / ID Separation Protocol (LISP)

Suggested Reading
• BRKRST-3045 - LISP - A Next Generation Networking Architecture

• BRKRST-3047 - Troubleshooting LISP

• BRKCRS-3510 - LISP in Campus Networks

Other References
• Cisco LISP Site http://lisp.cisco.com
• Cisco LISP Marketing Site http://www.cisco.com/go/lisp/
• LISP Beta Network Site http://www.lisp4.net or http://www.lisp6.net
• IETF LISP Working Group http://tools.ietf.org/wg/lisp/
• Fundamentals of LISP https://www.youtube.com/watch?v=lKrV1qB8uqA

SD-Access Fabric
Unique Control-Plane extensions compared to LISP

Capability          | Traditional LISP       | SD-Access Fabric
Layer 2 Extension   | Limited Support        | Fabric Control Plane extended to support MAC to IP binding and Layer 2 Overlays
Virtual Networks    | Layer-3 VN (VRF) only  | Both Layer-3 and Layer-2 VN (VRF) support (using VXLAN)
Fast Roaming        | Not Supported          | Fabric Control Plane extended to support fast roaming in =/< 50ms
Wireless Extensions | Not Supported          | Fabric Control Plane extended to support wireless extensions for: AP Onboarding, Wireless Guest, AP VXLAN functionality

Fabric Fundamentals
What is Campus Fabric?

1. Control-Plane
2. Data-Plane
3. Policy-Plane

SD-Access Fabric
Key Components – VXLAN

1. Control-Plane based on LISP
2. Data-Plane based on VXLAN

ORIGINAL PACKET:   ETHERNET | IP | PAYLOAD
PACKET IN LISP:    ETHERNET | IP | UDP | LISP | IP | PAYLOAD                 (Supports L3 Overlay Only)
PACKET IN VXLAN:   ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD     (Supports L2 & L3 Overlay)

LISP & VXLAN Headers
Similar Format - Different Payload

[Figure: LISP Header - IP based, beside VXLAN Header - Ethernet based; both drawn as OUTER HEADER (UDP destination port 4789 shown), OVERLAY HEADER and INNER HEADER]

VXLAN-GPO Header
MAC-in-IP with VN ID & Group ID

Underlay
  Outer MAC Header (14 Bytes)
    Dest. MAC (48)                 Next-Hop MAC Address
    Source MAC (48)                Src VTEP MAC Address
    VLAN Type 0x8100 (16)          (4 Bytes Optional)
    VLAN ID (16)
    Ether Type 0x0800 (16)
  Outer IP Header (20 Bytes)
    IP Header Misc. Data (72)
    Protocol 0x11 (UDP) (8)
    Header Checksum (16)
    Source IP (32)                 Src RLOC IP Address
    Dest. IP (32)                  Dst RLOC IP Address
  UDP Header (8 Bytes)
    Source Port (16)               Hash of inner L2/L3/L4 headers of original frame. Enables entropy for ECMP load balancing.
    Dest Port (16)                 UDP 4789
    UDP Length (16)
    Checksum 0x0000 (16)

Overlay
  VXLAN Header (8 Bytes)
    VXLAN Flags RRRRIRRR (8)
    Segment ID (16)                Allows 64K possible SGTs
    VN ID (24)                     Allows 16M possible VRFs
    Reserved (8)

Inner (Original) MAC Header
Inner (Original) IP Header
Original Payload

VXLAN-GPO Header
MAC-in-IP with VN ID & Group ID

What to look for in a packet capture?

OUTER HEADER
Frame 1: 192 bytes on wire (1536 bits), 192 bytes captured (1536 bits)
Ethernet II, Src: CiscoInc_c5:db:47 (88:90:8d:c5:db:47), Dst: CiscoInc_5b:58:fb (0c:f5:a4:5b:58:fb)
Internet Protocol Version 4, Src: 10.2.120.1, Dst: 10.2.120.3
User Datagram Protocol, Src Port: 65354 (65354), Dst Port: 4789 (4789)
    Source Port: 65354
    Destination Port: 4789
    Length: 158
    Checksum: 0x0000 (none)
    [Stream index: 0]

OVERLAY HEADER
Virtual eXtensible Local Area Network
    Flags: 0x0800, VXLAN Network ID (VNI)
    Group Policy ID: 50
    VXLAN Network Identifier (VNI): 4098
    Reserved: 0

INNER HEADER
Ethernet II, Src: CiscoInc_c5:00:00 (88:90:8d:c5:00:00), Dst: ba:25:cd:f4:ad:38 (ba:25:cd:f4:ad:38)
    Destination: ba:25:cd:f4:ad:38 (ba:25:cd:f4:ad:38)
    Source: CiscoInc_c5:00:00 (88:90:8d:c5:00:00)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.2.1.89, Dst: 10.2.1.99
Internet Control Message Protocol

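The header layout above and the capture it is read against can be reproduced in code. This Python encapsulator/parser is an added example (not Cisco code): it rebuilds the captured frame from the slide's addresses with a constructed ICMP payload, and on decapsulation enforces the checks a receiving VTEP needs before trusting the carried VN and SGT (UDP port 4789, the I flag, UDP length against the bytes actually present, and the 16-bit SGT / 24-bit VNI ranges). The entropy hash and the UDP source-port range are assumptions.

```python
"""VXLAN-GPO encapsulation and parsing, as an added example (not Cisco code).
Layout follows the header slide: outer Ethernet / IPv4 / UDP (dst 4789), the
8-byte VXLAN-GPO header (16-bit flags with the I bit, 16-bit Group Policy ID =
SGT, 24-bit VNI = VN, 8-bit reserved), then the original Ethernet frame.
Sample values are the ones in the capture slide; the ICMP payload is
constructed so the frame comes to the 192 bytes shown there."""
import struct
import zlib
import ipaddress

VXLAN_PORT = 4789
VXLAN_I_FLAG = 0x0800    # 16 flag bits as Wireshark shows them; 0x0800 = "VNI valid"


def mac(text):           # "88:90:8d:c5:db:47" -> 6 bytes
    return bytes.fromhex(text.replace(":", ""))


def csum16(data):
    """Internet checksum (RFC 1071) over an even-length byte string."""
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, payload_len, proto):
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    fields = [0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = csum16(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)


def entropy_port(inner):
    """UDP source port derived from the inner L2/L3/L4 headers (assumed CRC32 here):
    different flows spread over ECMP paths, one flow always takes the same path."""
    return 49152 + zlib.crc32(inner[:54]) % 16384


def vxlan_gpo_encap(src_mac, dst_mac, src_rloc, dst_rloc, sgt, vni, inner):
    """Edge Node encapsulation: inner frame plus VN/SGT context, addressed RLOC to RLOC."""
    if not 0 <= sgt < 2 ** 16 or not 0 <= vni < 2 ** 24:
        raise ValueError("SGT is 16 bits (64K groups), VNI is 24 bits (16M VNs)")
    vxlan = struct.pack("!HH", VXLAN_I_FLAG, sgt) + vni.to_bytes(3, "big") + b"\x00"
    udp_len = 8 + len(vxlan) + len(inner)
    udp = struct.pack("!HHHH", entropy_port(inner), VXLAN_PORT, udp_len, 0)  # checksum 0 = none
    outer_ip = ipv4_header(src_rloc, dst_rloc, udp_len, 17)
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + outer_ip + udp + vxlan + inner


def vxlan_gpo_decap(frame):
    """Edge Node decapsulation. Returns overlay context and inner addresses; refuses
    frames that are not UDP/4789, have the I bit clear, or whose UDP length disagrees
    with the bytes present (truncated or altered in transit)."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("outer frame is not IPv4")
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:
        raise ValueError("outer IP payload is not UDP")
    ip = frame[14:14 + ihl]
    sport, dport, udp_len, _ = struct.unpack("!HHHH", frame[14 + ihl:14 + ihl + 8])
    if dport != VXLAN_PORT:
        raise ValueError("UDP destination port %d is not VXLAN" % dport)
    if udp_len != len(frame) - 14 - ihl:
        raise ValueError("UDP length %d does not match the frame" % udp_len)
    vxlan = frame[14 + ihl + 8:14 + ihl + 16]
    flags, gpid = struct.unpack("!HH", vxlan[:4])
    if not flags & VXLAN_I_FLAG:
        raise ValueError("I flag clear: VNI is not valid")
    inner = frame[14 + ihl + 16:]
    return {
        "outer_src": str(ipaddress.IPv4Address(ip[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(ip[16:20])),
        "sport": sport, "udp_len": udp_len, "flags": flags,
        "sgt": gpid, "vni": int.from_bytes(vxlan[4:7], "big"),
        "inner_dst_mac": inner[0:6].hex(":"), "inner_src_mac": inner[6:12].hex(":"),
        "inner_src": str(ipaddress.IPv4Address(inner[26:30])),
        "inner_dst": str(ipaddress.IPv4Address(inner[30:34])),
        "inner_proto": inner[23],
    }


# Constructed sample reproducing the capture slide: ICMP echo 10.2.1.89 -> 10.2.1.99
# inside VNI 4098 with Group Policy ID 50, between RLOCs 10.2.120.1 and 10.2.120.3.
ICMP = b"\x08\x00\x00\x00\x00\x01\x00\x01" + bytes(100)        # 108 bytes, checksum filled below
ICMP = ICMP[:2] + struct.pack("!H", csum16(ICMP)) + ICMP[4:]
INNER = (mac("ba:25:cd:f4:ad:38") + mac("88:90:8d:c5:00:00") + b"\x08\x00"
         + ipv4_header("10.2.1.89", "10.2.1.99", len(ICMP), 1) + ICMP)
SAMPLE = vxlan_gpo_encap("88:90:8d:c5:db:47", "0c:f5:a4:5b:58:fb",
                         "10.2.120.1", "10.2.120.3", sgt=50, vni=4098, inner=INNER)
```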
Data-Plane Overview
Fabric Header Encapsulation

Fabric Data-Plane provides the following:
• Underlay address advertisement & mapping
• Automatic tunnel setup (Virtual Tunnel End-Points)
• Frame encapsulation between Routing Locators

Support for LISP or VXLAN header format
• Nearly the same, with different fields & payload
• LISP header carries IP payload (IP in IP)
• VXLAN header carries MAC payload (MAC in IP)

Triggered by LISP Control-Plane events
• ARP or NDP Learning on L3 Gateways
• Map-Reply or Cache on Routing Locators

[Figure: Inner packet → Encap (Outer + Inner) → Decap → Inner packet]

Would you like to know more?
Virtual eXtensible LAN (VXLAN)

Suggested Reading
• BRKRST-3045 - Intro to LISP and VXLAN - Scalable Technology Overlays for Switching

• BRKDCT-2404 - VXLAN Deployment Models - A practical perspective

Other References
• VXLAN-GPO IETF Draft https://tools.ietf.org/html/draft-smith-vxlan-group-policy-03
• VXLAN Wikipedia https://en.wikipedia.org/wiki/Virtual_Extensible_LAN
• VXLAN IETF RFC https://tools.ietf.org/html/rfc7348
• Fundamentals of VXLAN https://www.youtube.com/watch?v=j7on2iLk5ls

SD-Access Fabric
Unique Data-Plane Extensions compared to VXLAN

Capability              | Traditional LISP/VXLAN | SD-Access Fabric
SGT Tag                 | No SGT                 | VXLAN-GPO uses Reserved field to carry SGT
Layer 3 Extension (VRF) | Yes                    | Yes, by mapping VRF->VNI
Layer 2 Extension       | Not Supported          | Fabric supports Layer 2 extension by mapping VLAN ->VNI
Wireless                | Not Supported          | AP to Fabric Edge uses VXLAN; Fabric Edge to Edge/Border uses VXLAN for both Wired and Wireless (same)

Fabric Fundamentals
What is Campus Fabric?

1. Control-Plane
2. Data-Plane
3. Policy-Plane

SD-Access Fabric
Key Components – Group Based Policy

1. Control-Plane based on LISP
2. Data-Plane based on VXLAN
3. Policy-Plane based on CTS

VRF + SGT: Virtual Routing & Forwarding, Scalable Group Tagging

ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD

[Figure: the VRF + SGT labels point at the VXLAN header of the packet format]

SD-Access Policy
Two Level Hierarchy - Macro Segmentation

Virtual Network (VN)
First level Segmentation ensures zero communication between forwarding domains. Ability to consolidate multiple networks into one management plane.

[Figure: SD-Access Fabric between Known and Unknown Networks, carrying VN “A”, VN “B” and VN “C”; example VNs: Building Management, Campus Users]

SD-Access Policy
Two Level Hierarchy - Micro Segmentation

Scalable Group (SG)
Second level Segmentation ensures role based access control between two groups within a Virtual Network. Provides the ability to segment the network into either line of businesses or functional blocks.

[Figure: SD-Access Fabric between Known and Unknown Networks; Scalable Groups SG 1 to SG 9 placed inside the Building Management and Campus Users VNs]

SD-Access Policy
Policy Types

Access Control Policy: Who can access What? → Permit / Deny Rules for Group-to-Group Access
Application Policy: How to treat Traffic? → QoS for Applications or Application Caching
Traffic Copy Policy: Need to Monitor Traffic? → Enable SPAN Services for specific Groups or Traffic

Group Assignment
Two ways to assign SGT

Dynamic Classification (e.g. MAB at the Campus Access layer or WLC)
Static Classification: L3 Interface (SVI) to SGT, L2 Port to SGT, VLAN to SGT, Subnet to SGT, VM (Port Profile) to SGT

[Figure: Campus (Access, Distribution, Core) – Enterprise Backbone – DC Core, DC Access; WLC, Firewall and Hypervisor SW as further classification points]

Cisco TrustSec
Security Group Tags in ISE

Define SGTs under ‘Components’ section in TrustSec Work Center (from ISE 2.0+)

Cisco TrustSec
Define Authorization Policies for Users and Devices in ISE

Create an 802.1X or MAB or Web Auth policy to assign the SGTs to the Users and Devices, after client Authentication & Authorization

SD-Access Policy
Access Control Policies

Source Group (Guest Users) → Contract → Destination Group (Web Server)
  CLASSIFIER: PORT    ACTION: DENY

Classifier Type: Port Number | Protocol Name | Application Type
Action Type: Permit | Deny | Copy

[Figure labels: Cisco DNA Center, Cisco APIC-DC]

All groups in a Policy must belong to the same Virtual Network

Cisco TrustSec
Security Group ACLs in ISE

SGACLs are referenced under the Egress policy

Policy Enforcement
Ingress Classification with Egress Enforcement

User Authenticated = Classified as Marketing (5) by ISE
Destination Classification: CRM: SGT 20, Web: SGT 30
FIB Lookup = Destination IP = SGT 20
Egress Enforcement (SGACL)

[Figure: path Cat3850 – Cat6800 – Cat6800 (Enterprise Backbone) – Nexus 7000 – Nexus 5500 – Nexus 2248, with a WLC5508 attached; the packet SRC: 10.1.10.220 SGT: 5, DST: 10.1.100.52 carries tag 5 through the backbone and reaches CRM (DST: 10.1.100.52 SGT: 20) and Web (DST: 10.1.200.100 SGT: 30)]

SGACL matrix (SRC ↓ / DST →) | CRM (20) | Web (30)
Marketing (5)                | Permit   | Deny
BYOD (7)                     | Deny     | Permit

Cisco TrustSec
Ingress Classification & Group Tagging

cts role-based sgt-map 80.1.1.2 sgt 80
  Associated IP: 80.1.1.2    Group Tag: sgt 80    Static (CLI) or Dynamic (ISE)

Example
1  Each SGT Binding consumes 1 IP Host entry

cts role-based sgt-map 80.1.1.2 sgt 80
cts role-based sgt-map 90.1.1.2 sgt 90
cts role-based sgt-map 100.1.1.2 sgt 100
..
cts role-based sgt-map 110.1.1.2 sgt 200

Hash Table – Host Entries
IP SGT Binding: <ip, vrf> sgt, null adj
IP SGT Binding: 80.1.1.2, 80
IP SGT Binding: 80.1.1.2, 90
IP SGT Binding: 80.1.1.2, 100
…
IP SGT Binding: 80.1.1.2, 200

SGT to IP Binding is part of the Host Table (Not ACL Table)

Cisco TrustSec
Egress Enforcement - SGACL

Switch(config)# ip access-list role-based allow_webtraff
Switch(config-rb-acl)# 10 permit tcp dst eq 80
Switch(config-rb-acl)# 20 permit tcp dst eq 443
Switch(config-rb-acl)# 30 permit icmp
Switch(config-rb-acl)# 40 deny ip

Switch(config)# cts role-based permissions from 20 to 70 allow_webtraff
  Source Group Tag (SGT) = 20, Dest. Group Tag (DGT) = 70, SGACL = allow_webtraff

1  Policy with SGT, DGT, SGACL Reference (Label): cts role-based permissions from SGT, DGT, SGACL Label
2  Each SGT,DGT set consumes 1 ACL Label Entry
   Hash Table – SGT/DGT (SGT/DGT Entries): cts role-based permissions from 20 to 70 allow_webtraff, …
3  Each SGACL can consume 1+ Access Control Entries
   ACL TCAM – ACEs (SG ACL Entries): permit tcp dst eq 80, permit tcp dst eq 443, permit icmp, …

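The enforcement slide, the binding slide and the SGACL slide above describe one pipeline. The Python below is an added example (not Cisco code): it parses the `cts role-based` lines in the syntax the slides show, evaluates a packet against the SGT/DGT matrix and the allow_webtraff ACEs, and reports the host-table, label and TCAM footprint the slides describe. The hosts in groups 7 and 70, the VRF name USERS and the default action for pairs without a cell are constructed assumptions.

```python
"""Egress SGACL enforcement model, as an added example (not Cisco code).
Ties together ingress classification (IP-to-SGT host table), the SGT/DGT
permission matrix (Marketing 5, BYOD 7, CRM 20, Web 30) and the allow_webtraff
role-based ACL applied 'from 20 to 70'. Hosts in groups 7 and 70, the VRF name
and the default action for unmatched pairs are constructed assumptions."""

# Host table: one IP host entry per binding, keyed <ip, vrf> as the slide notes.
IP_SGT = {
    ("10.1.10.220", "USERS"): 5,    # user authenticated, classified Marketing (5) by ISE
    ("10.1.10.221", "USERS"): 7,    # BYOD device (constructed)
    ("10.1.100.52", "USERS"): 20,   # CRM server
    ("10.1.200.100", "USERS"): 30,  # Web server
    ("10.1.70.10", "USERS"): 70,    # constructed server in group 70
}

PROTO_NUM = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}


def parse_sgacl(text):
    """Parse role-based ACEs of the form '<seq> permit|deny <proto> [dst eq <port>]'."""
    aces = []
    for line in text.strip().splitlines():
        parts = line.split()
        seq, action, proto = int(parts[0]), parts[1], parts[2]
        if action not in ("permit", "deny") or proto not in PROTO_NUM:
            raise ValueError("unsupported ACE: " + line)
        port = int(parts[parts.index("eq") + 1]) if "eq" in parts else None
        aces.append((seq, action, proto, port))
    return sorted(aces)


SGACLS = {
    "allow_webtraff": parse_sgacl("""
        10 permit tcp dst eq 80
        20 permit tcp dst eq 443
        30 permit icmp
        40 deny ip
    """),
    "Permit_IP": parse_sgacl("10 permit ip"),
    "Deny_IP": parse_sgacl("10 deny ip"),
}


def parse_permissions(text):
    """Parse 'cts role-based permissions from <SGT> to <DGT> <SGACL>' lines into the
    SGT/DGT hash table: one label entry per (SGT, DGT) pair."""
    table = {}
    for line in text.strip().splitlines():
        p = line.split()
        table[(int(p[4]), int(p[6]))] = p[7]
    return table


PERMISSIONS = parse_permissions("""
    cts role-based permissions from 5 to 20 Permit_IP
    cts role-based permissions from 5 to 30 Deny_IP
    cts role-based permissions from 7 to 20 Deny_IP
    cts role-based permissions from 7 to 30 Permit_IP
    cts role-based permissions from 20 to 70 allow_webtraff
""")
DEFAULT_ACTION = "permit"   # assumed default for SGT/DGT pairs without a matrix cell


def classify(ip, vrf="USERS"):
    """Host-table lookup: SGT for a source IP, DGT for a destination IP."""
    return IP_SGT.get((ip, vrf))


def sgacl_match(aces, proto, dport):
    """First matching ACE wins, in sequence order; 'ip' matches every protocol.
    An SGACL with no matching ACE denies (implicit deny)."""
    for _, action, p, port in aces:
        if PROTO_NUM[p] is not None and PROTO_NUM[p] != proto:
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"


def enforce(src_ip, dst_ip, proto, dport=None, vrf="USERS"):
    """Egress enforcement on the node owning the destination: source SGT (carried with
    the packet from ingress classification) x DGT (FIB / host-table lookup) -> SGACL."""
    sgt, dgt = classify(src_ip, vrf), classify(dst_ip, vrf)
    if sgt is None or dgt is None:
        return "permit"         # untagged endpoint: no group policy cell applies (assumption)
    label = PERMISSIONS.get((sgt, dgt))
    if label is None:
        return DEFAULT_ACTION
    return sgacl_match(SGACLS[label], proto, dport)


def resource_usage():
    """Hardware footprint the slides describe: 1 host entry per binding, 1 SGT/DGT
    label entry per permission cell, 1+ TCAM ACEs per referenced SGACL."""
    referenced = set(PERMISSIONS.values())
    return {"host_entries": len(IP_SGT),
            "label_entries": len(PERMISSIONS),
            "tcam_aces": sum(len(SGACLS[n]) for n in referenced)}
```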
Group Propagation
VN & SGT in VXLAN-GPO Encapsulation

Edge Node 1 (Encapsulation) → IP Network → Edge Node 2 (Decapsulation); the VXLAN header carries the VN ID and SGT ID between the two Edge Nodes.

Classification: Static or Dynamic VN and SGT assignments
Propagation: Carry VN and Group context across the network
Enforcement: Group Based Policies, ACLs, Firewall Rules

Would you like to know more?
Cisco TrustSec (CTS)

Suggested Reading
• BRKCRS-2891 - Enterprise Network Segmentation with Cisco TrustSec

• BRKSEC-2203 - Intermediate - Enabling TrustSec Software-Defined Segmentation

• BRKSEC-2044 - Building an Enterprise Access Control Architecture Using ISE and TrustSec

Other References
• Cisco TrustSec Marketing Site cisco.com/go/trustsec/
• Cisco TrustSec Config Guide cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec.html

• Cisco TrustSec Architecture cisco.com/docs/switches/lan/trustsec/configuration/guide/trustsec/arch_over.html

• Cisco TrustSec Design Guide cisco.com/td/docs/solutions/Enterprise/Security/TrustSec_2-0/trustsec_2-0_dig.pdf

• Fundamentals of TrustSec https://www.youtube.com/watch?v=78-GV7Pz18I

SD-Access Fabric
Unique Policy-Plane Extensions compared to CTS

Capability            | Traditional CTS                                                           | SD-Access Policy
SGT Propagation       | Enabled hop-by-hop, or by Security-Group Exchange Protocol (SXP) sessions | Carried with the data traffic inside VXLAN-GPO (overlay) end-to-end
VN Integration        | Not Supported                                                             | VN + SGT-aware Firewalls
Access Control Policy | Yes                                                                       | Yes
QoS (App) Policy      | Not Supported                                                             | App based QoS policy, to optimize application traffic priority
Traffic Copy Policy   | Not Supported                                                             | SRC/DST based Copy policy (using ERSPAN) to capture data traffic

Controller Fundamentals
What is Cisco DNA Center?

1. Architecture
2. User Interface
3. Workflows

Cisco DNA Center
SD-Access – Key Components

ISE Appliance: SNS 3600 Series        DNA Center Appliance: DN2-HW-APL

Cisco DNA Center: Design | Policy | Provision | Assurance (API)
  Cisco ISE 2.3 – Identity & Policy (Identity Services Engine)   (API)
  NCP – Automation (Network Control Platform)                     (API)
  NDP – Assurance (Network Data Platform)                         (API)

Southbound to the Campus Fabric (Cisco Switches | Cisco Routers | Cisco Wireless):
  ISE: AAA, RADIUS, TACACS
  NCP: NETCONF, SNMP, SSH
  NDP: NetFlow, Syslog, HTTPS

Cisco DNA Center
Cisco DNAC 1.2.10

Overall “Solution Scale” is driven by Cisco DNAC
www.cisco.com/c/en/us/products/cloud-systems-management/dna-center/datasheet-listing.html

Cisco DNAC                                   | DN1-HW-APL (44 Core - UCS M4) * End of Sale * | DN2-HW-APL (44 Core - UCS M5) | DN2-HW-APL-L (56 Core - UCS M5)
Switches, Routers & WLC                      | 1000      | 1000      | 2000
Access Points                                | 4000      | 4000      | 6000
Endpoints (Wired + Wireless), Infrastructure | 5K+ 20K   | 5K+ 20K   | 10K+ 30K
Sites                                        | 500       | 500       | 1000
Fabric Nodes                                 | 500/Site  | 500/Site  | 600/Site
IP Pools                                     | 100/Site  | 300/Site  | 1000/Site
Virtual Networks                             | 64/Site   | 64/Site   | 64/Site

Cisco DNA Center
Cisco DNAC 1.3

Overall “Solution Scale” is driven by Cisco DNAC
www.cisco.com/c/en/us/products/cloud-systems-management/dna-center/datasheet-listing.html

Cisco DNAC                                   | DN2-HW-APL (44 Core - UCS M5) | DN2-HW-APL-L (56 Core - UCS M5) | DN2-HW-APL-XL (112 Core - UCS M5)
Switches, Routers & WLC                      | 1000      | 2000      | 5000
Access Points                                | 4000      | 6000      | 12000
Endpoints (Wired + Wireless), Infrastructure | 25K       | 40K       | 100K
Sites                                        | 500       | 1000      | 2000
Fabric Nodes                                 | 500/Site  | 600/Site  | 1200/Site
IP Pools                                     | 300/Site  | 1000/Site | 1000/Site
Virtual Networks                             | 64/Site   | 64/Site   | 256/Site

Cisco DNA Center
High Availability Cluster

1 or 3 appliance HA Cluster (more in future)
- Odd number to achieve quorum of distributed system

Seen as 1 logical DNAC instance
- Connect to Virtual (Cluster) IP
- Rare need to access individual nodes (e.g. SSH)

Distributed Micro Services on Maglev cluster
2 nodes active/sharing + 1 redundant
- Some services run multiple copies spread across nodes (e.g. databases)
- Other services run single copy and migrate from failed to redundant node

Single Appliance for Cisco DNA (Automation + Assurance)

[Figure: three appliances reached through one Virtual IP]

Cisco DNA Center
Automated Provisioning and Telemetry Enrichment

Network Control Platform → Campus Fabric: Configuration Automation, Telemetry Configuration
Campus Fabric → Network Data Platform: Data Collection, Telemetry Data
Between Network Control Platform and Network Data Platform: Telemetry Intent; Alerts; Violations; Inventory, Topology, Host, Group; Network State changes; Path Trace information

[Figure: Campus Fabric with Control-Plane node (C) and Border nodes (B) between the two platforms]

Cisco DNA Center
NDP System Components

Applications: Network Assurance | Network Cost Analytics app | Network Segmentation & Vulnerability Detection app | Change Impact Analytics app | Other 3rd party analytics apps
Northbound (NB) APIs
Network Controller Platform (Control; Inventory, Topology etc.) ↔ NDP Core Analytics Platform (NDP Extensions)
Infrastructure Services, Cluster Operations and Management
Distributed Processing
Configuration | Telemetry
Network Elements (Switches, Routers, Access Points, N/W Services, Identity providers)

Cisco DNA Center
NDP Analytics Architecture

Data collection and ingestion | Data correlation and analysis | Data visualization and action

Data collection and ingestion
  Network telemetry: Router, Switch, WLC, Sensor via SNMP, NetFlow, Syslog, Streaming telemetry, ...
  Contextual data: ISE, AAA, Topology, Location, PxGrid, DNS, DHCP, Inventory, Policy, IPAM

Data correlation and analysis (Analytics Engine)
  Complex correlation, Metadata extraction, Collector and analytics pipeline SDK, Stream processing, Time series analysis

Data visualization and action
  Network Assurance, Data models and restful APIs, System management portal

Would you like to know more?
Fabric Assurance

Check out the following session:

BRKNMS-2814
SD-Access - Integrating with Existing Networks
This session covers:
• More details about Fabric Assurance

• How Cisco DNA Center uses NDP

• Fabric Assurance best practices & tips

Cisco DNA Center and ISE integration
Identity and Policy Automation

Cisco Identity Services Engine: Authentication Policies; Groups and Authorization Policies
  ↕ PxGrid / REST APIs
Cisco DNA Center: Fabric Management Workflows; Policy Authoring
  ↕
Campus Fabric

Cisco DNA Center and ISE integration
ISE roles in SD-Access

DNA-Center (Admin/Operate): manages the Network Devices; REST to ISE-PAN (Config Sync); pxGrid to ISE-PXG (Context)

ISE-PSN (Policy Service Node) – Authorization Policy for Devices, Things and Users:
  if Employee then SGT 10
  if Contractor then SGT 20
  if Things then SGT 30
  ...

ISE-PAN (Policy Administration Node) – Config Sync with DNA-Center
ISE-MNT (Monitoring Node)

ISE-PXG (pxGrid Node) – Exchange Topics:
  TrustSecMetaData: SGT Name: Employee = SGT 10; SGT Name: Contractor = SGT 20; ...
  SessionDirectory*: Bob with Win10 on CorpSSID
  * Roadmap

Controller Fundamentals - What is Cisco DNA Center?
1. Architecture
2. User Interface
3. Workflows

SD-Access
CLI and API vs. GUI

Campus Fabric - Command Line (CLI):
• Templates / Macros
• Customized Workflows
• Box-by-Box Management

Campus Fabric - Programmable APIs:
• NETCONF / YANG
• Automated Workflows
• Box-by-Box Management

SD Access - DNA Center GUI:
• Cross-App REST APIs
• Automated Workflows
• Centralized Management

Cisco DNA Center
4 Step Workflow

Design:
• Global Settings
• Site Profiles
• DDI, SWIM, PNP
• User Access

Policy:
• Virtual Networks
• ISE, AAA, Radius
• Endpoint Groups
• Group Policies

Provision:
• Fabric Domains
• CP, Border, Edge
• Fabric WLC, AP
• External Connect

Assurance:
• Health Dashboard
• 360° Views
• Net, Device, Client
• Path Traces

System Settings & Integration

App Management & High Availability

Assure (Assurance UI screenshot slides)
Controller Fundamentals - What is Cisco DNA Center?
1. Architecture
2. User Interface
3. Workflows
Cisco DNA Center - Design (Step 1)
Setup Management & Underlay Reachability
1. Setup Sites, Buildings & Floors
• Organize your Regions, Cities & Buildings
• Import floorplans in CAD, PNG or JPG
• Virtual layout of Routers, Switches & APs
2. Setup Global & Site Network Settings
• Establish a common set of Global Servers
• Each Site inherits settings from level above
• Override Global settings with Site-Specific
3. Setup IP Address Pools or IPAM
• IP Address Management uses Site hierarchy
• Add or modify IP Pools manually
• You can also import from IPAM tools via APIs
4. Setup Wireless SSID Settings
• Manage Fabric Wireless WLANs per Site
• Associate the SSIDs with IP Pools
• Automated setup of the WLC & APs via APIs

Cisco DNA Center - Policy (Step 2)
Setup VNs & EIGs and Policies
1. Setup Virtual Networks
• Add Scalable Groups to a Virtual Network
• A “Default” Virtual Network created automatically
• Option to add / remove new Virtual Networks
• Enables VN ID on SD-Access enabled Devices*
2. Setup Scalable Groups
• Option to import Groups from ISE (or AD)
• Option to create Groups via Static Mapping
• Enables SGT ID on SD-Access enabled Devices*
3. Manage Group Policies
• Groups provide native SGT based segmentation
• Intra-VN policies set to Default Permit or Deny
• Create simple To / From Group-Based Policies
4. Manage VN Policies *
• VNs provide native VRF network segmentation
• Inter-VN policies mapped to Firewall instances*

* Firewall Connect requires manual configuration. Automation planned for a later release.
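As an added example (not ISE or Cisco DNA Center code), the Python below models how the authorization rules from the ISE roles slide (if Employee then SGT 10, and so on) and the Policy workflow above combine to decide a flow: group rules inside a VN with a Default Permit or Deny, and a firewall hand-off between VNs. The VN names, the constructed sessions, the policy entries and the fail-closed handling of unclassified endpoints are assumptions; the SGT numbers follow the slides.

```python
from dataclasses import dataclass, field
from typing import Optional

# ISE authorization policy as shown on the slide: "if Employee then SGT 10", etc.
SGT_BY_GROUP = {"Employee": 10, "Contractor": 20, "Things": 30}


def classify(session: dict) -> Optional[int]:
    """Return the SGT an ISE authorization rule would assign to a session.
    A session whose group matches no rule gets no SGT (None)."""
    return SGT_BY_GROUP.get(session.get("group"))


@dataclass
class VirtualNetwork:
    """A DNA Center Virtual Network (a VRF on fabric devices) with its
    intra-VN group-based policy. rules maps (src_sgt, dst_sgt) -> verdict."""
    name: str
    default_intra_vn: str = "permit"        # "Default Permit" or "Default Deny"
    rules: dict = field(default_factory=dict)


def evaluate(src_vn: VirtualNetwork, dst_vn: VirtualNetwork,
             src_sgt: Optional[int], dst_sgt: Optional[int]) -> str:
    """Decide how the SD-Access policy model treats a flow.
    Inter-VN: VRFs are isolated, so the flow is handed to a firewall.
    Intra-VN: an explicit To/From group rule wins, else the VN default."""
    if src_vn.name != dst_vn.name:
        return "firewall"
    if src_sgt is None or dst_sgt is None:
        return "deny"          # unclassified endpoint: fail closed (assumption)
    return src_vn.rules.get((src_sgt, dst_sgt), src_vn.default_intra_vn)


if __name__ == "__main__":
    # Constructed sessions in the shape of the SessionDirectory example
    bob = {"user": "Bob", "device": "Win10", "ssid": "CorpSSID", "group": "Employee"}
    cam = {"user": "cam-07", "device": "IPCam", "group": "Things"}
    corp = VirtualNetwork("CORP", "permit", {(20, 10): "deny"})   # constructed VN
    iot = VirtualNetwork("IOT", "deny")                            # constructed VN
    print(classify(bob), classify(cam))                       # 10 30
    print(evaluate(corp, corp, 20, classify(bob)))            # deny
    print(evaluate(corp, iot, classify(bob), classify(cam)))  # firewall
```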

Cisco DNA Center - Provision (Step 3)
Setup Overlay Control & Data-Plane
1. Setup Fabric Domains
• Add Devices to one of the configured Sites
• A “Default” Fabric Domain created automatically
• Option to add / remove new Fabric Domains
2. Add Devices & Assign Roles
• Add SD-Access capable Devices to a Fabric Site
• Designate 1+ Devices as Border and Control
• All other Devices are configured as an Edge
3. Setup Host Onboarding
• Add various IP Pools to the Fabric Domain
• Designate IP Pools for Wired or Wireless
• Define the Host Authentication and options
• (Optional) Static Assignment of Pools to Ports
4. Advanced Settings
• (Optional) Enable Multicast in the Fabric Site

Cisco DNA Center - Assurance (Step 4)
Real-Time Data-Collection & Event Correlation
1. Assurance Dashboard
• Network Health Scores (based on 360 Views)
• Graphical status view of Health and Alarms
• Track common Network Issues & Trends
• Universal search for elements of the Network
2. Device 360 Views
• Summary and Real-time Device statistics
• Track Issues and Trends of each Device
• View connected Neighbors, Clients & Apps
3. Client 360 Views
• Summary and Real-time Client statistics
• Track Issues and Trends of each Client
• Initiate Pathtrace per Client Application
4. Application 360 Views
• Summary and Real-time App statistics
• Track Issues and Trends of each App
How about a Live Demo?
• Design
• Policy
• Provision
• Assurance

Take Away - Things to Remember
Session Summary

SD-Access = Campus Fabric + Cisco DNA Center

[Diagram] Campus Fabric (Border, Border and Control Plane nodes) managed by Cisco DNA Center through simple workflows: DESIGN, PROVISION, POLICY, ASSURANCE

SD-Access Support
Digital Platforms for your Cisco Digital Network Architecture
For more details: cs.co/sda-compatibility-matrix

Cisco DNA Software Subscription
Tiers: ESSENTIALS, ADVANTAGE
Available for Current Catalyst 3K, 4K, 6K and Next Generation Catalyst 9K Series
Cisco ONE Suite – Essentials Includes ISE Base
Benefits: Ongoing Innovation; License Portability; Software Support Included; OpEx Preference; Lower Entry Costs

What’s New?
Introducing Cisco DNA Center 1.3

Optimized for Distribution - SD-Access 1.2.6 (October 2018)
DNA Center 1.2.6, ISE 2.4 p1, IOS-XE 16.9.1, AireOS 8.8
• Distributed Campus with SDA Transit
• Layer 2 Flooding
• Layer 2 Hand-Off for Migration
• Native Multicast
• Fabric in a Box (FIAB) on Catalyst 9300
• Control Plane Resiliency (6 nodes)
• Cisco DNAC CLI Templates
• Host On-boarding Enhancements
• LAN Automation Enhancements

Optimized for Expansion - SD-Access 1.2.10 (February 2019)
DNA Center 1.2.10, ISE 2.4 p6, IOS-XE 16.9.2s, AireOS 8.8
• SD-Access Extension for IoT (Beta)
• 3 node DNAC HA for Automation
• Catalyst 9800 Wireless Controller
• Fabric in a Box with Embedded Wireless
• Nexus 7700 Series with M3 as Border, without MPLS license
• SDA-ACI Integration Improvements
• LAN Automation Enhancements

Optimized for Extension - SD-Access 1.3.0 (June 2019)
DNA Center 1.3.0, ISE 2.6 p1, IOS-XE 16.11.1s, AireOS 8.9
• SD-Access Extension for IoT (FCS)
• IPv6 overlay support for Wired + Wireless (AireOS) Endpoints
• Fabric Edge and Fabric in a Box on Catalyst 9500
• Fabric in a Box with Embedded Wireless on C9400, C9500
• SD-Access Border Simplification
• LAN Automation Enhancements

SD-Access Testimonials
Live Customer SD-Access Deployments
375+ Production Deployments (including Network Services and Cisco IT)
www.cisco.com/c/en/us/solutions/enterprise-networks/network-architecture-customer-success-stories.html
SD-Access @ CiscoLive US
Marriott Marquis San Diego

What to Do Next?
• SD-Access Capable
• Cisco DNA Center
• Cisco Services

SD-Access Resources
Would you like to know more?

cisco.com/go/dna

cisco.com/go/sdaccess
• SD-Access At-A-Glance
• SD-Access Ordering Guide
• SD-Access Solution Data Sheet
• SD-Access Solution White Paper

cisco.com/go/dnacenter
• Cisco DNA Center At-A-Glance
• Cisco DNA ROI Calculator
• Cisco DNA Center Data Sheet
• Cisco DNA Center 'How To' Video Resources

cisco.com/go/cvd
• SD-Access Design Guide
• SD-Access Deployment Guide
• SD-Access Segmentation Guide

SD-Access Resources
Would you like to know more?

cs.co/sda-resources
• Search from your Browser
• Indexed by Search Engines

cs.co/sda-community
• Discuss with experts & friends
• Supported by SDA TMEs
• 24-hour First Response
• Questions are marked Answered

Learn more with Learning@Cisco
http://digital-learning.cisco.com

SD-Access Fundamentals - Customer URL

1. Getting Started with Cisco DNAC Assurance (A-ADNAC-ASSUR) v1.0 - https://digital-learning.cisco.com/course/60049
Installing Cisco DNA Center Overview, Setting Up Wireless Assurance

2. Preparing the Identity Services Engine (ISE) for SDA (CUST-SDA-ISE) v1.0 - https://digital-learning.cisco.com/course/59741
TrustSec, ISE with DNAC, Device Profiling and Creating Groups and Policies

3. Planning and Deploying SDA Fundamentals (CUST-SDA-FUND) v1.0 - https://digital-learning.cisco.com/course/59740
Campus Fabric, Wireless, Guest Access, Underlay, Micro Segmentation, Multicast

4. SDA 1.2 Update (A-SDA-12UPDT) - https://digital-learning.cisco.com/course/59933
SD-Access Extensions and SD-Access for Distributed Campus

5. Cisco DNA Center Fast Start Use Cases (A-SDA-FASTSTART) - https://digital-learning.cisco.com/course/60874
Installing Cisco DNA Center Release 1.2.6, Demos on Deploying Wireless Assurance and SD-Access

Special offering: Curriculum is FREE to customers; Earn up to 25 Points for CCIE CEP!!; Over 33 hours of video instruction

Continue your education
• Demos in the Cisco campus
• Walk-in labs
• Meet the engineer 1:1 meetings
• Related sessions

Cisco Webex Teams
Questions?
Use Cisco Webex Teams to chat with the speaker after the session

How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

Webex Teams will be moderated by the speaker until June 16, 2019.
cs.co/ciscolivebot#BRKCRS-2810

Complete your online session evaluation
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live water bottle.
• All surveys can be taken in the Cisco Live Mobile App or by logging in to the Session Catalog on ciscolive.cisco.com/us.
Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com.

Thank you
