Fundamentals of Cisco SD-Access : Underlay & Overlay Network

SD-Access from Cisco allows you to segment traffic by user, device, and application without redesigning the network.

With Cisco SD-Access, organizations can automate user access policy, ensuring that the correct policies are established for all users and devices, irrespective of the application.

Wired LAN and wireless LAN can be integrated into a single network fabric, giving users a consistent experience wherever they connect without compromising security.

Fig 1.1- Cisco SD-Access : Underlay & Overlay Network

⚡ Cisco SD-Access Underlay Network

The SD-Access underlay is made up of the physical network components (routers, switches, and wireless LAN controllers (WLCs)) and a conventional Layer 3 routing protocol. Its job is to provide a simple, scalable, and resilient transport over which the network devices reach one another. Client traffic is carried by the fabric overlay, not by the underlay itself.

Every device in the underlay must have IP reachability to every other underlay device, which means an existing IP network can serve as the underlay. Although any topology and routing protocol could be used, a well-designed Layer 3 routed access topology is strongly recommended for consistent performance, scalability, and high availability.

Because the Layer 3 boundary sits at the access layer, there is no need for first-hop redundancy protocols (VRRP, HSRP) or Layer 2 control protocols (VTP, STP) in the underlay. Running a logical fabric on top of a prescriptive underlay also makes the network easier to deploy, troubleshoot, and manage, and gives you equal-cost multipathing and fast convergence as built-in properties of the routed design.

Cisco Catalyst Center (DNA Center) offers a prescriptive LAN Automation workflow that discovers, configures, and provisions underlay network devices according to Cisco Validated Design best practices. Automated underlay provisioning uses Plug and Play (PnP) to onboard the devices and push the required routing protocol and IP addressing configuration to them.

Cisco Catalyst Center (DNA Center) LAN Automation uses a best-practice IS-IS routed access design. The main reasons for choosing IS-IS are:

  • IS-IS is address-family agnostic: it does not run over IP itself, so the same protocol instance can carry both IPv4 and IPv6 prefixes.
  • IS-IS can form adjacencies using only loopback addresses (unnumbered point-to-point links), so it does not require a unique address on every Layer 3 link.
  • IS-IS uses an extensible TLV format, so new use cases can be supported without redesigning the protocol.

⚡ Cisco SD-Access Overlay Network

The SD-Access fabric overlay is the logical, virtualized network constructed on top of the physical underlay.

The SD-Access fabric overlay has three main building blocks:
  • Fabric data plane: the logical overlay is created by encapsulating packets in Virtual Extensible LAN (VXLAN) with the Group Policy Option (GPO).
  • Fabric control plane: the mapping and resolution of users and devices to their VXLAN tunnel endpoints is performed by the Locator/ID Separation Protocol (LISP).
  • Fabric policy plane: business intent is translated into network policy using address-agnostic Scalable Group Tags (SGTs) and group-based policies.

With built-in network segmentation (VRF/VN, carried in the VXLAN network identifier) and group-based policy (the SGT, carried in the GPO field), VXLAN-GPO gives SD-Access several benefits, including support for both Layer 2 and Layer 3 virtual topologies (overlays) and the ability to run over any IP-based underlay.
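The data plane and policy plane described above meet in the VXLAN-GPO header: the 24-bit VNI identifies the virtual network (VRF) and the 16-bit Group Policy ID carries the source SGT. The following is an added example, not Cisco code, that builds and parses that header and then runs a group-based policy check the way an egress fabric node would. The header layout (G and I flags in byte 0, D and A flags in byte 1, Group Policy ID in bytes 2-3, VNI in bytes 4-6) follows the VXLAN Group Policy Option draft; the VNI-to-VN table, the SGT names, the policy matrix, and the `dst_sgt` parameter (standing in for the IP-to-SGT binding the egress node would resolve) are all constructed sample data. The practitioner check it illustrates: when the G flag is clear the Group Policy ID field is reserved and must not be read as an SGT, so the packet is treated as the Unknown group (SGT 0) rather than trusting whatever bits happen to be there.

```python
"""
Build and parse a VXLAN-GPO header, then apply a group-based policy check.

Added example, not Cisco code. Layout per the VXLAN Group Policy Option draft:
  byte 0: G (0x80) = Group Policy ID valid, I (0x08) = VNI valid
  byte 1: D (0x40) = don't learn inner source MAC, A (0x08) = policy applied
  bytes 2-3: Group Policy ID (the source SGT), bytes 4-6: VNI, byte 7: reserved
All VN / SGT / policy tables below are constructed sample data.
"""
import struct

VXLAN_UDP_PORT = 4789
FLAG_G = 0x80  # byte 0: Group Policy ID field carries a valid SGT
FLAG_I = 0x08  # byte 0: VNI field is valid (mandatory for any VXLAN frame)
FLAG_D = 0x40  # byte 1: Don't Learn the inner source MAC
FLAG_A = 0x08  # byte 1: policy already Applied upstream
SGT_UNKNOWN = 0  # group used when no trustworthy SGT is present (constructed convention)


def build_vxlan_gpo(vni: int, sgt: int, applied: bool = False) -> bytes:
    """Return the 8-byte VXLAN-GPO header for a given VNI and source SGT."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    if not 0 <= sgt < (1 << 16):
        raise ValueError("SGT must fit in 16 bits")
    flags0 = FLAG_G | FLAG_I
    flags1 = FLAG_A if applied else 0
    # flags0, flags1, 16-bit Group Policy ID, then 24-bit VNI + 1 reserved byte
    return struct.pack("!BBH", flags0, flags1, sgt) + (vni << 8).to_bytes(4, "big")


def parse_vxlan_gpo(header: bytes) -> dict:
    """Decode an 8-byte VXLAN header; the SGT is only trusted when G is set."""
    if len(header) < 8:
        raise ValueError("truncated VXLAN header")
    flags0, flags1, gpid = struct.unpack("!BBH", header[:4])
    if not flags0 & FLAG_I:
        raise ValueError("I flag clear: not a valid VXLAN header")
    has_gpo = bool(flags0 & FLAG_G)
    return {
        "vni": int.from_bytes(header[4:7], "big"),
        "sgt": gpid if has_gpo else None,  # reserved field when G is clear
        "has_gpo": has_gpo,
        "dont_learn": bool(flags1 & FLAG_D),
        "policy_applied": bool(flags1 & FLAG_A),
    }


# Constructed sample data: VNI -> virtual network (VRF) and SGT -> group name
VN_BY_VNI = {4097: "CORP_VN", 4098: "GUEST_VN"}
SGT_NAME = {0: "Unknown", 4: "Employees", 5: "Contractors", 6: "Guests", 100: "Finance_Servers"}

# Constructed group-based policy matrix: (src SGT, dst SGT) -> action.
# Pairs not listed fall through to DEFAULT_ACTION.
POLICY = {
    (4, 100): "permit",
    (5, 100): "deny",
    (6, 100): "deny",
}
DEFAULT_ACTION = "deny"


def enforce(header: bytes, dst_sgt: int) -> dict:
    """Egress-side check: decode the header, then consult the SGT matrix.

    dst_sgt stands in for the IP-to-SGT binding the egress node would resolve
    for the inner destination address; it is a plain parameter here.
    """
    h = parse_vxlan_gpo(header)
    vn = VN_BY_VNI.get(h["vni"])
    if vn is None:
        return {"action": "deny", "reason": f"unknown VNI {h['vni']}"}
    # Never read the reserved field as an SGT: untagged traffic is "Unknown".
    src_sgt = h["sgt"] if h["sgt"] is not None else SGT_UNKNOWN
    action = POLICY.get((src_sgt, dst_sgt), DEFAULT_ACTION)
    return {
        "action": action,
        "vn": vn,
        "src_sgt": src_sgt,
        "src_group": SGT_NAME.get(src_sgt, "Unknown"),
        "dst_sgt": dst_sgt,
    }


if __name__ == "__main__":
    hdr = build_vxlan_gpo(vni=4097, sgt=4)
    print(hdr.hex(), parse_vxlan_gpo(hdr))
    print(enforce(hdr, dst_sgt=100))                       # Employees -> Finance: permit
    print(enforce(build_vxlan_gpo(4097, 5), dst_sgt=100))  # Contractors -> Finance: deny
    plain = bytes.fromhex("0800000400100100")               # plain VXLAN, G clear
    print(enforce(plain, dst_sgt=100))                      # Unknown -> Finance: deny
```

Two things are worth noting in the design. The VNI lookup happens before the SGT lookup, which mirrors the fact that VRF/VN segmentation (macro-segmentation) is enforced independently of, and ahead of, group-based policy (micro-segmentation) inside a VN. And the policy matrix is default-deny: a pair that has never been defined, including anything arriving as SGT 0, gets no implicit permit.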
