Data Plane – SD-Access Design

By | 04/25/2024

The SD-Access fabric uses VXLAN encapsulation for the fabric data plane over the top of the underlay network. VXLAN encapsulations are IP/UDP based, using UDP port 4789, which effectively creates the overlay within the SD-Access fabric. VXLAN is an IETF standard defined in RFC 7348 as a way to overlay a Layer 2 network over a Layer 3 network. Inside the VXLAN header is a VXLAN network identifier (VNI) that defines the virtual network that the data plane traffic is a part of. In addition, scalable group tags (SGTs) are carried in the Group ID field of the VXLAN header as part of the group-based policy option (VXLAN GPO).

Figure 10-3 shows the VXLAN GPO header along with the packet payload and associated packet headers.

Figure 10-3 VXLAN GPO Header
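As an added example that is not part of the original chapter, the following Python code builds and parses the 8-byte VXLAN header with the group-based policy (GPO) fields the text describes, so a defender can pull the VNI and SGT out of a captured UDP/4789 payload and verify that the segment and group a frame claims match what the fabric is expected to carry. The sample bytes are constructed rather than a real capture, and the flag bit positions follow RFC 7348 and the VXLAN-GPO draft.

```python
import struct
from typing import Optional

VXLAN_UDP_PORT = 4789  # IANA-assigned VXLAN UDP port, as stated in the text

# Flag bits: I from RFC 7348; G, D and A from the VXLAN group-based policy draft
FLAG_G = 0x80  # byte 0: Group Based Policy extension present
FLAG_I = 0x08  # byte 0: VNI field is valid (must be set per RFC 7348)
FLAG_D = 0x40  # byte 1: Don't Learn (GPO)
FLAG_A = 0x08  # byte 1: policy already Applied (GPO)


def build_vxlan_gpo(vni: int, inner_frame: bytes, sgt: Optional[int] = None,
                    policy_applied: bool = False) -> bytes:
    """Prepend a VXLAN header (with GPO fields when an SGT is given) to an inner Ethernet frame."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    flags0, flags1, group_id = FLAG_I, 0, 0
    if sgt is not None:
        if not 0 <= sgt < (1 << 16):
            raise ValueError("SGT must fit in 16 bits")
        flags0 |= FLAG_G
        group_id = sgt
        if policy_applied:
            flags1 |= FLAG_A
    # Layout: flags(1) flags(1) GroupPolicyID(2) VNI(3) reserved(1)
    return struct.pack("!BBH3sB", flags0, flags1, group_id, vni.to_bytes(3, "big"), 0) + inner_frame


def parse_vxlan_gpo(payload: bytes) -> dict:
    """Parse the VXLAN/GPO header at the start of a UDP payload and return its fields."""
    if len(payload) < 8:
        raise ValueError("VXLAN header truncated")
    flags0, flags1, group_id, vni_bytes, _reserved = struct.unpack("!BBH3sB", payload[:8])
    if not flags0 & FLAG_I:
        raise ValueError("I flag not set: VNI is not valid")
    gpo = bool(flags0 & FLAG_G)  # Group ID field is only meaningful when G is set
    return {
        "vni": int.from_bytes(vni_bytes, "big"),
        "sgt": group_id if gpo else None,
        "dont_learn": gpo and bool(flags1 & FLAG_D),
        "policy_applied": gpo and bool(flags1 & FLAG_A),
        "inner_frame": payload[8:],
    }


# Constructed sample (not a real capture): broadcast ARP-style inner frame on VNI 4099 with SGT 17
SAMPLE_INNER = bytes.fromhex("ffffffffffff0011223344550806") + b"\x00" * 28
SAMPLE = build_vxlan_gpo(4099, SAMPLE_INNER, sgt=17, policy_applied=True)
```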

Automation

The automation and orchestration features of the SD-Access solution are provided by Cisco DNA Center, which is what brings the software-defined nature of the solution into the campus environment. The Cisco DNA Center appliance exposes all controller functionality through northbound REST APIs to enable automation and integration possibilities.

The SD-Access solution integrates with Cisco ISE through Cisco Platform Exchange Grid (pxGrid) and REST APIs for the exchange of client information and automation of fabric-related configurations. In addition, third-party IPAM solutions such as Infoblox and BlueCat can be integrated with Cisco DNA Center.

Cisco DNA Center has a set of network underlay workflows and fabric overlay workflows related to automation:

  • Underlay
    • Global and site settings: Hierarchical structure for the management of network settings
    • Device discovery: Automated discovery and inventory of network devices
    • LAN automation: Automatic deployment of the underlay configurations of switches
  • Overlay
    • Fabric sites: Automated configuration of a group of fabric-enabled network devices with the same control/data plane
    • Fabric device roles: Automated configuration of network devices providing fabric functions (edge, border, and so on)
    • Virtual networks: Automated configuration for VRF segmentation
    • Transits: Connectivity between multiple SD-Access sites
    • Group-based policies: Automated configuration to enable group-based security policies

Wireless

There are two methods of integrating wireless into an SD-Access network. The preferred method, referred to as fabric mode wireless, extends the SD-Access benefits for wired users over to wireless users. The alternative method, over-the-top (OTT), uses the traditional Cisco Unified Wireless local-mode configurations for wireless access.

Fabric mode wireless requires fabric mode–enabled WLCs and fabric mode–enabled APs. The fabric mode APs are the latest 802.11ax (Wi-Fi 6) and 802.11ac Wave 2 and Wave 1 APs, associated with WLCs that are configured with fabric-enabled SSIDs. The WLCs configured for fabric mode communicate with the fabric control plane by registering MAC addresses, SGTs, and virtual networks. APs use a CAPWAP tunnel to the WLC for the control plane communication, much like traditional Cisco Unified Wireless. However, the client traffic in the data plane is VXLAN encapsulated and decapsulated by the fabric mode APs. The WLC integration within the SD-Access control plane supports wireless client roaming between APs in the fabric.

Figure 10-4 illustrates an SD-Access wireless fabric integration.

Figure 10-4 SD-Access Wireless

If you need to support older model APs, you can still use the over-the-top method of wireless integration with the SD-Access fabric. When you use this method, the control plane and data plane traffic from the APs continue to use CAPWAP-based tunnels. In this mode, the SD-Access fabric provides only a transport to the WLC. This method can also be used as a migration step to full SD-Access in the future.

Figure 10-5 depicts the over-the-top (OTT) wireless integration.

Figure 10-5 Over-the-Top (OTT) Wireless
