ISE - maintains identity of users, policies applied to users
Cisco Campus Fabric - VXLAN Tunnel, LISP, CTS (ISE)
Managed by DNA Center (DNA-C) - physical controller
Overlay - Logical
Underlay - Physical (Switches, Routers, WLC, APs)
4 layers
Physical
Network - overlay + underlay
Controllers
Management - GUI, REST-API, CLI
Fabric Edge Node - users connect
Control Plane Node (LISP) - mapping database
Fabric Border Node - connects to other networks (internal / external / hybrid)
Fabric WLC
Intermediate Node - forward at L3
DNA-C - physical appliance (single or 3-node cluster)
ISE - physical or virtual
VXLAN - data plane tunnels
CTS - policy plane
Underlay - MTU increased by 50 B (VXLAN encapsulation overhead)
NCP (APIC-EM) Automation (overlay/underlay)
NDP - Assurance - collect data SNMP, Netflow, Telemetry
Workflow
- Design
- Policy
- Provision
- Assurance
LISP
Locator/ID Separation Protocol
LISP data-plane encapsulation is L3 only (which is why SD-Access uses VXLAN for the data plane)
ITR: Ingress Tunnel Router
ETR: Egress Tunnel Router
VXLAN
Virtual Extensible LAN
Encapsulates the entire L2 frame and adds a VXLAN header + outer UDP, IP and Ethernet headers
VNID - VXLAN Network Identifier, analogous to a VLAN ID (24 bits, 0-16 million values)
SGT header (16 bits, 64K values)
VTEPs (RLOC) - loopback interface on switch
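The three VXLAN facts in these notes (24-bit VNID, 16-bit SGT, 50 B of underlay overhead) can be checked by building the encapsulation by hand. This is an added example, not Cisco code: it wraps a constructed inner frame in outer Ethernet + IPv4 (RLOC to RLOC) + UDP/4789 + a VXLAN header with the group-policy extension (draft-smith-vxlan-group-policy, where the 16-bit Group Policy ID carries the SGT). RLOC addresses, MACs and the VNID/SGT values are constructed sample values.

```python
import socket
import struct

VXLAN_UDP_PORT = 4789

def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_vxlan_gpo_header(vnid: int, sgt: int) -> bytes:
    """8-byte VXLAN header with the group-policy extension:
    flags | reserved | 16-bit Group Policy ID (SGT) | 24-bit VNI | reserved."""
    if not 0 <= vnid < 1 << 24:
        raise ValueError("VNID is a 24-bit field (0..16,777,215)")
    if not 0 <= sgt < 1 << 16:
        raise ValueError("SGT is a 16-bit field (0..65,535)")
    flags = 0x80 | 0x08  # G bit: group policy ID present; I bit: VNI is valid
    return struct.pack("!BBHI", flags, 0, sgt, vnid << 8)

def parse_vxlan_gpo_header(hdr: bytes) -> dict:
    """Inverse of build_vxlan_gpo_header; this is what the egress VTEP reads before enforcing SGT policy."""
    flags, _, sgt, vni_word = struct.unpack("!BBHI", hdr[:8])
    return {"gbp": bool(flags & 0x80), "vni_valid": bool(flags & 0x08),
            "sgt": sgt, "vnid": vni_word >> 8}

def encapsulate(inner_frame: bytes, vnid: int, sgt: int, src_rloc: str, dst_rloc: str,
                src_mac: bytes, dst_mac: bytes, src_port: int = 49152) -> bytes:
    """Wrap a whole L2 frame: outer Ethernet + outer IPv4 (RLOC to RLOC) + UDP/4789 + VXLAN-GPO."""
    vxlan = build_vxlan_gpo_header(vnid, sgt)
    udp_len = 8 + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)  # UDP checksum 0 = not computed
    ip_no_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                             socket.inet_aton(src_rloc), socket.inet_aton(dst_rloc))
    ip = ip_no_csum[:10] + struct.pack("!H", ipv4_checksum(ip_no_csum)) + ip_no_csum[12:]
    eth = dst_mac + src_mac + b"\x08\x00"  # outer Ethernet, EtherType IPv4
    return eth + ip + udp + vxlan + inner_frame

def encapsulation_overhead(inner_frame: bytes) -> int:
    """Bytes added by the outer headers (14 + 20 + 8 + 8); the underlay MTU increase from the notes."""
    outer = encapsulate(inner_frame, 4099, 17, "10.0.0.1", "10.0.0.2", b"\x00" * 6, b"\xff" * 6)
    return len(outer) - len(inner_frame)
```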
Policy Plane - CTS
Cisco TrustSec (CTS)
SG - scalable groups - within the same network
VN - virtual networks
tag applied on ingress, policy enforced on egress
Authentication Options
802.1X: Supplicant (Endpoint) > Network Authenticating Device (Switch) > RADIUS ISE (Access-Accept)
MAB: MAC Authentication Bypass
Web Auth
IP = EID (Endpoint Identifier); RLOC = Routing Locator
ETR sends map-register to the control plane node
ITR sends map-request to the control plane node; the ETR sends map-reply to the ITR
ITR stores the EID-to-RLOC mapping in its map cache; entries age out after 24 hours of inactivity
Roaming Clients
New ETR sends map-register to the control plane node
Control plane node sends an update to the old ETR to remove the device
Old ETR still forwards the packet, but tells the ITR to update its cache
SD-Access Components
Catalyst 9000 switches
x86 CPU
IOS-XE
9200 - stackable, UADP-mini, low end (replaces Cat 2K) Edge
9300 - stackable, modular, standard (replaces Cat 3K) Edge
9400 - chassis, stackwise virtual (replaces Cat 4K) Edge
9500 - fixed, stackwise virtual (smaller core switches)
9600 - chassis, stackwise virtual (replaces Cat 6K) Core (only control plane or border node)
3850 and 3650
Routers
only control plane or border node
ISR 4300, 4000 (Features: VOIP, UCS)
ASR 1000 (Performance: Service Providers, bandwidth, table sizes)
ISRv - virtual runs on ENCS
CSRv - virtual runs on cloud
Wireless
Catalyst 9800 WLC
9800-80
9800-40
9800-L (replaces 3504)
Embedded - on IOSXE switch
9800-CL - cloud/virtual
3504/5520/8540 (AireOS)
Catalyst 9100 APs
Wi-Fi 6 (802.11ax)
DNA Center Appliance
Physical
Entry / Mid-Size / Large
UCS C220 M5 (1U)
UCS C480 M5 (4U)
ISE Appliance
virtual appliance
Secure Network Server 3615
Secure Network Server 3655
Secure Network Server 3695
Network Automation
Network Control Platform (NCP)
Automate configuration of network
reduce repetitive task / human error
Improve standardisation (e.g. same IOS version everywhere)
ZTP - zero touch provisioning
Network Analytics
Network Data Platform (NDP)
Big data
Analytics Engine on DNA Center
SNMP, Syslog, Netflow, Streaming Telemetry
Database available by API or Assurance Engine
Network Assurance
Proactively monitor network
Visibility (Health Scores) LAN, WLAN, WAN
Device 360s
Path Trace Tool
Network Security
ISE
Visibility - Who, What, Where, Health
Segmentation - Macro (VRF), Micro (SGT)
Stop threats, isolate affected clients
pxGrid
Encrypted Traffic Analytics
visibility and malware detection without decryption
Stealthwatch, ISE, Cat 9K
Cognitive Intelligence cloud
- Anomaly Detection
- Malicious Events (what it is / what it has done)
- Threat Analysis
Rating 1-10; NCP can be used to block traffic with high ratings
Anycast Gateways
Any edge node is a valid gateway for the client
SVI on every edge node with the same IP address and the same virtual MAC