The database for identifying endpoints is the responsibility of the fabric control plane nodes in the SD-Access fabric. This is an important function for the fabric to operate well. If the control plane node were down for whatever reason, fabric endpoints would have to rely on the local database information for connectivity, which might or might not work.
Cisco DNA Center helps to automate the control plane functions in the SD-Access fabric. It is recommended when designing the control plane to deploy the functionality on two nodes for high availability. Each control plane node contains a copy of the control plane information in the database that can be used to respond to requests for endpoint location information.
You can colocate the fabric control functions within the border nodes if the border nodes can support the endpoint-scale requirements. Some border nodes that are core switches do not support the requirements, and additional control plane nodes such as physical or virtual routers need to be used.
SD-Access fabrics can support up to six control plane nodes in a wired deployment, and WLCs can communicate with up to four control plane nodes.
Border Design
The border design for the SD-Access fabric involves connectivity to the outside or external networks. For inter-VRF instance routing, the next hop beyond the border nodes (the edge of the fabric) is a fusion router or firewall. These devices perform inter-VRF instance route leaking in order to fuse or tie the VRF instances together.
There are some design options to consider, depending on the location of the shared services. DNA Center, AD, DHCP, and DNS are examples of shared services. These services can reside in the global routing table (GRT) or in a separate VRF instance.
Shared services in the GRT include the following:
- The fabric border node exchanges GRT routes using External BGP (eBGP) with the fusion routers.
- The fabric border nodes handle the routing adjacencies for each VN/VRF instance.
- The fusion router fuses the SD-Access VNs into the GRT of the external network.
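The GRT option above, shown as an added fusion router configuration for one VN; this is a constructed example, not configuration generated by DNA Center or taken from Cisco documentation. The VN name CAMPUS, VLAN 4099, AS numbers 65001 (border) and 65002 (fusion), and all prefixes and addresses are assumed. Route leaking is limited by prefix lists to the shared-services subnet and the VN's own prefixes, so nothing else in the GRT is fused into the VN.

```cisco
! Constructed example: fusion router fusing the CAMPUS VN into the GRT
! Only the shared-services subnet (DNA Center, DHCP, DNS) is leaked into the VN
ip prefix-list SHARED-SVCS seq 5 permit 10.10.0.0/24
! Only the VN's own endpoint prefixes are leaked out to the GRT
ip prefix-list CAMPUS-HOSTS seq 5 permit 10.40.0.0/16 le 24
!
route-map GRT-TO-CAMPUS permit 10
 match ip address prefix-list SHARED-SVCS
route-map CAMPUS-TO-GRT permit 10
 match ip address prefix-list CAMPUS-HOSTS
!
! VRF for the CAMPUS VN; import/export maps perform the GRT <-> VRF leaking
vrf definition CAMPUS
 rd 65002:4099
 address-family ipv4
  route-target export 65002:4099
  route-target import 65002:4099
  import ipv4 unicast map GRT-TO-CAMPUS
  export ipv4 unicast map CAMPUS-TO-GRT
 exit-address-family
!
! One handoff subinterface in the GRT and one per VN toward the border
interface GigabitEthernet0/0/0.100
 description GRT handoff from fabric border
 encapsulation dot1Q 100
 ip address 10.1.1.2 255.255.255.252
interface GigabitEthernet0/0/0.4099
 description CAMPUS VN handoff from fabric border
 encapsulation dot1Q 4099
 vrf forwarding CAMPUS
 ip address 10.1.2.2 255.255.255.252
!
! eBGP with the border: GRT adjacency plus one adjacency per VN/VRF
router bgp 65002
 bgp log-neighbor-changes
 neighbor 10.1.1.1 remote-as 65001
 address-family ipv4
  network 10.10.0.0 mask 255.255.255.0
  neighbor 10.1.1.1 activate
 exit-address-family
 address-family ipv4 vrf CAMPUS
  neighbor 10.1.2.1 remote-as 65001
  neighbor 10.1.2.1 activate
 exit-address-family
```

Verify the leak with `show ip route vrf CAMPUS` (only 10.10.0.0/24 should appear from the GRT) and `show ip bgp vpnv4 all summary` for both adjacencies.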
Shared services in separate VRF instances include the following:
- The fusion router establishes per-VN routing adjacencies with border nodes for each BGP address family.
- This design option comes with challenges such as manual configurations, loss of SGT context, and traffic hairpinning.