Cisco SD-Access Architecture: Control, Data & Policy Plane
Today I am going to talk about the Cisco SD-Access control, data and policy planes and the protocol each one uses. Cisco SD-Access is Cisco's next-generation campus networking technology, applying software-defined networking (SDN) principles to the LAN.
SD-Access provides wired and wireless campus networks with programmable overlays and easy-to-deploy network virtualization, permitting a single physical network to host one or more logical networks that match the design intent.
In addition to network virtualization, fabric technology in the campus network enhances control of communications, providing software-defined segmentation and policy enforcement based on user identity and group membership.
Fig 1.1 - Cisco SD-Access Design
Control-Plane Overview
Locator/ID Separation Protocol (LISP) is a network architecture and set of protocols that implement a new semantic for IP addressing and forwarding. In a traditional IP network the IP address identifies both the endpoint and its physical location, because the address comes from the subnet assigned to the router interface the host sits behind.
In a LISP-enabled network, an IP address is used as the endpoint identifier (EID) for a device, and an additional IP address is used as a routing locator (RLOC) to represent the physical location of that device (typically a loopback address of the router or switch to which the EID is attached).
The EID and RLOC combination provides the necessary information for traffic forwarding. The RLOC address is part of the routing domain, and the EID can be assigned independently of the location.
The LISP architecture requires a mapping system that stores EID-to-RLOC mappings and resolves them on request. This is analogous to DNS resolving host names to IP addresses, and it plays the same role as the endpoint-to-VTEP mapping that the VXLAN data plane (described in the next section) needs before it can encapsulate traffic.
EID prefixes (IPv4 addresses with /32 host masks) are registered into the map server along with their associated RLOCs. When an edge node has traffic for an EID it does not yet know, it sends a map-request to the mapping system, receives the destination RLOC in the map-reply, and uses that RLOC as the outer destination address of the encapsulated packet.
Benefits that the LISP architecture provides for the branch fabric include:
Network virtualization: A LISP instance ID is used to maintain independent VRF topologies; the same EID can exist in two instance IDs without conflict. From a data-plane perspective, the LISP instance ID maps to the VNI.
Subnet stretching: A single subnet can be extended to exist at multiple RLOCs. The separation of EID from RLOC is what allows a subnet to span different RLOCs. The RLOC in the LISP architecture represents the VTEP functionality in VXLAN, as it is the ingress and egress tunnel endpoint used to encapsulate EID traffic over a Layer 3 network.
Smaller routing tables: Only RLOCs need to be reachable in the global (underlay) routing table. Local EIDs are held at the local node, while remote EIDs are learned through conversational learning: the forwarding table is populated only with the endpoints that are actually communicating through the node, which keeps forwarding tables small.
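The following is an added toy model of the mapping system described above; it is not Cisco code and the class names, instance IDs, EIDs and RLOCs are constructed for the illustration. It shows the three points just listed: the same EID registered in two instance IDs resolves to different RLOCs, the edge node's map-cache fills only for destinations it actually talks to (one map-request per conversation, not per packet), and the underlay routing table has to carry only the RLOCs.

```python
"""Toy model of the LISP mapping system that SD-Access uses as its control plane.

Added illustration, not Cisco code: the class and method names are invented,
and every instance ID, EID and RLOC below is a constructed sample value.
"""
from ipaddress import ip_address, ip_network


class MapServer:
    """Mapping system: (instance ID, EID host prefix) -> RLOC registrations."""

    def __init__(self):
        self._db = {}

    def register(self, instance_id, eid, rloc):
        # EIDs register as /32 host prefixes, keyed by instance ID so the same
        # address can live in two virtual networks (VRFs) without colliding.
        self._db[(instance_id, ip_network(f"{eid}/32"))] = ip_address(rloc)

    def map_request(self, instance_id, eid):
        """Answer a map-request; None stands for a negative map-reply."""
        return self._db.get((instance_id, ip_network(f"{eid}/32")))

    def rlocs(self):
        """The only addresses the underlay routing table must carry."""
        return {str(r) for r in self._db.values()}


class EdgeNode:
    """Ingress tunnel router: a map-cache filled by conversational learning."""

    def __init__(self, rloc, map_server):
        self.rloc = ip_address(rloc)
        self.map_server = map_server
        self.map_cache = {}
        self.map_requests_sent = 0

    def resolve(self, instance_id, dst_eid):
        key = (instance_id, ip_network(f"{dst_eid}/32"))
        if key not in self.map_cache:
            # Cache miss: query the mapping system once, then keep the answer.
            # Negative replies are cached too, so an unknown EID does not
            # trigger a map-request for every packet sent to it.
            self.map_requests_sent += 1
            self.map_cache[key] = self.map_server.map_request(instance_id, dst_eid)
        return self.map_cache[key]


def build_demo_fabric():
    """Constructed sample fabric: two VRFs that both contain EID 10.1.1.10."""
    ms = MapServer()
    ms.register(4097, "10.1.1.10", "192.168.255.11")  # instance 4097, VRF "Campus"
    ms.register(4098, "10.1.1.10", "192.168.255.12")  # instance 4098, VRF "Guest"
    ms.register(4097, "10.1.1.20", "192.168.255.12")
    edge = EdgeNode("192.168.255.13", ms)
    return ms, edge


def run_demo():
    ms, edge = build_demo_fabric()
    campus = edge.resolve(4097, "10.1.1.10")   # miss -> map-request
    guest = edge.resolve(4098, "10.1.1.10")    # same EID, other VRF -> other RLOC
    again = edge.resolve(4097, "10.1.1.10")    # cache hit, no map-request
    missing = edge.resolve(4097, "10.1.1.99")  # not registered -> negative reply
    return {
        "campus_rloc": str(campus),
        "guest_rloc": str(guest),
        "cache_hit": campus == again,
        "negative_reply": missing is None,
        "map_requests_sent": edge.map_requests_sent,
        "map_cache_entries": len(edge.map_cache),
        "underlay_routes": sorted(ms.rlocs()),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Four lookups produce three map-requests (the repeated lookup is served from the cache), and the underlay only ever needs routes to the two RLOCs, never to the EIDs. A real fabric authenticates map-register messages from edge nodes with a shared key, which this toy leaves out; without it any node that can reach the map server could claim an EID.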
Data-Plane Overview
Virtual Extensible LAN (VXLAN) is a way to overlay a Layer 2 network on top of a Layer 3 network. VXLAN tunnels the original Layer 2 frame inside UDP/IP (UDP destination port 4789) across the Layer 3 underlay. The tunnel interface at each node is called a VXLAN tunnel endpoint (VTEP).
VTEPs rely on data-plane learning or on a control plane to determine the remote endpoint-to-VTEP mapping needed for encapsulation. Each overlay network is called a VXLAN segment and is identified by a 24-bit VXLAN network identifier (VNI), which allows up to 16 million (2^24) VXLAN segments.
The SD-Access branch fabric uses the VXLAN data plane to transport the full original Layer 2 frame, and uses LISP as the control plane to resolve endpoint-to-VTEP mappings.
The SD-Access branch fabric uses the VXLAN-GPO (Group Policy Option) form of the header, which repurposes 16 of the reserved bits in the standard VXLAN header as a Scalable Group Tag (SGT) field, so roughly 64,000 distinct group values can be carried in every encapsulated packet.
The VNI maps to a virtual routing and forwarding (VRF) instance and isolates the data and control plane across different virtual networks. The SGT carries the endpoint's group membership and drives data-plane segmentation inside a virtual network. Note that VXLAN itself provides no integrity protection or authentication for either field, so the fabric depends on the underlay being reachable only by fabric nodes: a host able to inject UDP/4789 packets toward an RLOC could present an arbitrary VNI and SGT.
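To make the header layout concrete, here is an added example (not Cisco code) that encodes and decodes the 8-byte VXLAN header in both its plain RFC 7348 form and the VXLAN-GPO form, following the field layout in the VXLAN Group Policy Option draft: 16 flag bits, a 16-bit Group Policy ID holding the SGT, a 24-bit VNI and 8 reserved bits. The `accept_from_underlay` check is my own illustration of the caveat above, modelling an underlay ACL that only lets known RLOCs deliver VXLAN traffic; the RLOC addresses and tag values in the test are constructed.

```python
"""Encode and decode the VXLAN-GPO header used on the SD-Access data plane.

Added example, not Cisco code. Field layout follows the VXLAN Group Policy
Option draft (draft-smith-vxlan-group-policy): the first 16 bits of the 8-byte
VXLAN header are flags, the next 16 bits (reserved in RFC 7348) carry the
Group Policy ID, i.e. the SGT, followed by the 24-bit VNI and 8 reserved bits.
"""
import struct

VXLAN_UDP_PORT = 4789

# Flag bits, numbered from the most significant bit of the first 16-bit word.
FLAG_G = 0x8000  # bit 0: Group Policy extension present (SGT field is valid)
FLAG_I = 0x0800  # bit 4: VNI is valid (the only flag plain RFC 7348 VXLAN sets)
FLAG_D = 0x0040  # bit 9: Don't Learn the source address from this frame
FLAG_A = 0x0008  # bit 12: policy already Applied at the ingress node


def encode_vxlan_gpo(vni, sgt, applied=False, dont_learn=False):
    """Build an 8-byte VXLAN-GPO header carrying a VNI and an SGT."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    if not 0 <= sgt < 1 << 16:
        raise ValueError("SGT must fit in 16 bits")
    flags = FLAG_G | FLAG_I
    if dont_learn:
        flags |= FLAG_D
    if applied:
        flags |= FLAG_A
    # flags(16) | group policy id(16) | vni(24) + reserved(8), network byte order
    return struct.pack("!HHI", flags, sgt, vni << 8)


def decode_vxlan_header(header):
    """Parse a plain VXLAN or VXLAN-GPO header into its fields.

    Returns sgt=None for a plain RFC 7348 header (G flag clear), where the
    16 bits that GPO uses for the tag are just reserved zeros.
    """
    if len(header) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    flags, group_policy_id, vni_word = struct.unpack("!HHI", header[:8])
    if not flags & FLAG_I:
        raise ValueError("I flag clear: VNI not valid, drop the packet")
    return {
        "vni": vni_word >> 8,
        "sgt": group_policy_id if flags & FLAG_G else None,
        "applied": bool(flags & FLAG_A),
        "dont_learn": bool(flags & FLAG_D),
        "reserved": vni_word & 0xFF,
    }


def accept_from_underlay(src_rloc, header, known_rlocs):
    """Trust the VNI/SGT only if the outer source address is a fabric RLOC.

    VXLAN-GPO carries no integrity protection or authentication, so any host
    that can send UDP/4789 into the underlay could forge a VNI and an SGT.
    This models the underlay/infrastructure ACL that a deployment relies on
    (assumed check for the illustration); returns None for rejected packets.
    """
    if src_rloc not in known_rlocs:
        return None
    return decode_vxlan_header(header)


if __name__ == "__main__":
    hdr = encode_vxlan_gpo(vni=4097, sgt=10)
    print(hdr.hex(), decode_vxlan_header(hdr))
```

Encoding VNI 4097 with SGT 10 yields `8800000a00100100`: the `0x88` byte is the G and I flags set together, `0x000a` is the tag, and the last four bytes are the VNI shifted left by eight. A plain header for the same VNI (`0800000000100100`) decodes with `sgt` equal to `None`, which is the practical difference between the two formats.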
Policy-Plane Overview
Cisco TrustSec is a technology that provides software-defined segmentation balancing the demands of agility and security. With TrustSec, endpoints are classified into groups that can be referenced anywhere on the network, which decouples the segmentation policy from the underlying network infrastructure (VLANs, subnets and addresses).
Software-defined segmentation is much easier to enable and manage than VLAN-based segmentation and avoids the associated processing impact on network devices. Cisco TrustSec implements it with Scalable Group Tags (SGTs).
SGTs tag endpoint traffic according to group membership policies defined in Cisco Identity Services Engine (ISE).
Group assignments can be created based on job role and then used to build segmentation policies and virtual network assignment rules. SGT information is carried across the network in several forms:
Inside the branch fabric: The VXLAN-GPO fabric header transports the SGT. Fabric edge nodes and border nodes enforce the security policy by applying SGACLs (Security Group ACLs) selected by source and destination SGT.
Outside of the fabric on a TrustSec-capable device: Inline TrustSec-capable devices carry the SGT in a Cisco Meta Data (CMD) header on the Layer 2 frame. This is the recommended mode of transport outside of the branch fabric.
Outside of the fabric over devices without TrustSec capability: The SGT Exchange Protocol (SXP) carries IP-address-to-SGT bindings over a TCP connection (port 64999) from a speaker to a listener, so an enforcement point downstream of devices that cannot carry the tag inline can recover the SGT from the source IP address. Configure the SXP connection with a password so that bindings cannot be injected by an unauthenticated peer.
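The example below is added here to show how the policy plane fits together at an enforcement point; it is not Cisco or ISE code. The binding table stands in for the IP-to-SGT bindings that SXP distributes, resolved by longest-prefix match as a switch would; the matrix stands in for the ISE policy matrix of (source SGT, destination SGT) cells, each holding an ordered SGACL with a deny default. All SGT numbers, prefixes and rules are constructed sample values, and `enforce` prefers an inline tag (from a CMD header or the fabric header) over the binding table when one is present.

```python
"""Classify traffic into SGTs and enforce a TrustSec-style SGACL matrix.

Added example, not Cisco or ISE code. The binding table models the
IP-prefix-to-SGT bindings that SXP distributes; the matrix models the policy
matrix of (source SGT, destination SGT) cells. Every SGT number, prefix and
rule below is a constructed sample value.
"""
from ipaddress import ip_address, ip_network

SGT_UNKNOWN = 0  # TrustSec reserves SGT 0 for untagged / unclassified traffic

# Constructed sample groups
SGT_EMPLOYEES, SGT_CONTRACTORS, SGT_SERVERS, SGT_PCI = 10, 20, 30, 40


class BindingTable:
    """IP prefix -> SGT bindings resolved by longest-prefix match."""

    def __init__(self, bindings):
        nets = [(ip_network(prefix), sgt) for prefix, sgt in bindings]
        # Most specific prefix first, so a /32 host binding beats its /24.
        self._entries = sorted(nets, key=lambda e: e[0].prefixlen, reverse=True)

    def lookup(self, ip):
        addr = ip_address(ip)
        for net, sgt in self._entries:
            if addr in net:
                return sgt
        return SGT_UNKNOWN


class SgaclMatrix:
    """Cells keyed by (src_sgt, dst_sgt); each cell is an ordered list of ACEs.

    An ACE is (action, protocol, dst_port); protocol or port may be None to
    match anything. First match wins. An unmatched or missing cell falls back
    to the matrix default, which should stay at deny.
    """

    def __init__(self, cells, default="deny"):
        self.cells = cells
        self.default = default

    def decide(self, src_sgt, dst_sgt, protocol, dst_port):
        for action, proto, port in self.cells.get((src_sgt, dst_sgt), []):
            if (proto is None or proto == protocol) and (port is None or port == dst_port):
                return action
        return self.default


def enforce(bindings, matrix, src_ip, dst_ip, protocol, dst_port, inline_sgt=None):
    """Enforcement point: use the inline tag when the frame carried one,
    otherwise classify the source from the SXP-learned binding table."""
    src_sgt = inline_sgt if inline_sgt is not None else bindings.lookup(src_ip)
    dst_sgt = bindings.lookup(dst_ip)
    return matrix.decide(src_sgt, dst_sgt, protocol, dst_port), src_sgt, dst_sgt


def build_demo_policy():
    """Constructed bindings and matrix for the illustration."""
    bindings = BindingTable([
        ("10.1.10.0/24", SGT_EMPLOYEES),
        ("10.1.20.0/24", SGT_CONTRACTORS),
        ("10.2.0.0/16", SGT_SERVERS),
        ("10.2.0.50/32", SGT_PCI),  # one host inside the server range
    ])
    matrix = SgaclMatrix({
        (SGT_EMPLOYEES, SGT_SERVERS): [("permit", "tcp", 443), ("deny", None, None)],
        (SGT_CONTRACTORS, SGT_SERVERS): [("permit", "tcp", 443)],
        (SGT_EMPLOYEES, SGT_PCI): [("deny", None, None)],
    })
    return bindings, matrix


if __name__ == "__main__":
    b, m = build_demo_policy()
    print(enforce(b, m, "10.1.10.5", "10.2.0.10", "tcp", 443))   # permit
    print(enforce(b, m, "10.1.10.5", "10.2.0.50", "tcp", 443))   # deny: PCI host
    print(enforce(b, m, "172.16.0.1", "10.2.0.10", "tcp", 443))  # deny: unknown
```

Two things are worth noticing. The /32 binding for 10.2.0.50 wins over the /16, so an employee reaching the PCI host is denied even though the same employee is permitted to the rest of the server range; and a source with no binding at all lands in SGT 0, for which no cell exists, so the matrix default deny applies. That default is the practitioner's safety net when SXP bindings are incomplete.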