Segmentation – SD-Access Design

By | 11/12/2023

Unified policy was a major driver for the SD-Access solution: the same policy can be applied to both wired and wireless networks and enforced at the access layer. Segmentation builds on unified policy by enabling VRF instance/VN (macro) segmentation and SGT (micro) segmentation to be deployed in the SD-Access fabric.

VRF instance/VN segmentation involves creating a separate VRF instance for each group of devices or users it contains. To extend segmentation beyond a single fabric site, transits are used. SD-Access can use distributed campus and SD-WAN transits, which carry the VN information natively inside the packets. IP transits also provide WAN connectivity, but the packets are decapsulated into native IP packets, so the SGT/VN policy information is lost.

SGT segmentation tags traffic with metadata (the SGT) so that group-based policy can be enforced. In SD-Access fabrics, edge and border nodes download security group access control lists (SGACLs) from ISE and use them to enforce policy based on SGTs. Within DNA Center, SGTs are referred to as scalable groups (SGs).

Figure 10-8 provides an example of microsegmentation within the SD-Access fabric. Although the Sales and Marketing security groups coexist on the same fabric, they are restricted from talking to each other.

Figure 10-8 Microsegmentation in SD-Access

Virtual Networks

A virtual network (VN) is a separate VRF instance that provides isolation for host pools or IP subnets. VNs serve the same basic purpose as VRF instances in traditional networks. Within SD-Access, the LISP control plane assigns every endpoint to a VN, based on the host pool the endpoint is attached to. Any communication between endpoints in different VNs must go through a fusion router or firewall.

VNs are configured on all of the border and edge nodes in the SD-Access fabric. In addition, a default VN is used for any pools that are not assigned a specific VN. The VXLAN header contains a field that carries the VN identifier (VNI), which is used for traffic inside the fabric. Up to 16 million VNI segments are possible, so VNs can be kept separate from one another, and VRF-based routing or firewall policy enforcement is possible.
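The VNI field and the SGT described in the sections above are both carried in the fabric encapsulation header, and an IP transit strips that header. The following is an added example (not code from the original page or from Cisco) that models this: it packs and unpacks a VXLAN-GPO header following the draft-smith-vxlan-group-policy layout, shows what an IP transit leaves behind, and applies a constructed SGACL in which Sales and Marketing cannot talk to each other. The SGT numbers, group names and the default-permit catch-all are assumptions made for the example.

```python
import struct

# VXLAN-GPO header (draft-smith-vxlan-group-policy), 8 bytes:
#   byte 0: G (0x80) = Group Policy ID present, I (0x08) = VNI valid
#   byte 1: D (0x40) = don't learn, A (0x08) = policy already applied
#   bytes 2-3: Group Policy ID (16-bit SGT), bytes 4-6: VNI, byte 7: reserved
FLAG_G, FLAG_I = 0x80, 0x08
MAX_VNI = (1 << 24) - 1     # 24-bit VNI: roughly 16 million segments
MAX_SGT = (1 << 16) - 1

# Constructed sample SGT numbering; in a real fabric the values come from ISE.
SGT_NAMES = {10: "Sales", 20: "Marketing"}
# Constructed SGACL matrix keyed by (source SGT, destination SGT). Pairs that
# are not listed fall through to "permit" here; that default is an assumption.
SGACL = {(10, 20): "deny", (20, 10): "deny"}

def encap(vni: int, sgt: int, inner: bytes) -> bytes:
    """Wrap an inner frame in a VXLAN-GPO header carrying both VNI and SGT."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError(f"VNI {vni} outside the 24-bit range")
    if not 0 <= sgt <= MAX_SGT:
        raise ValueError(f"SGT {sgt} outside the 16-bit range")
    return struct.pack(">BBHI", FLAG_G | FLAG_I, 0, sgt, vni << 8) + inner

def decap(packet: bytes):
    """Return (vni, sgt, inner); sgt is None when the G bit is clear."""
    flags0, _flags1, gpid, vni_res = struct.unpack(">BBHI", packet[:8])
    if not flags0 & FLAG_I:
        raise ValueError("I bit clear: VNI is not valid")
    sgt = gpid if flags0 & FLAG_G else None
    return vni_res >> 8, sgt, packet[8:]

def ip_transit(packet: bytes) -> bytes:
    """Model an IP transit: the border strips the fabric header and forwards
    the native packet, so neither the VNI nor the SGT travels with it."""
    return decap(packet)[2]

def sgacl_permits(src_sgt: int, dst_sgt: int) -> bool:
    """Look up the SGACL entry for a (source, destination) SGT pair."""
    return SGACL.get((src_sgt, dst_sgt), "permit") == "permit"

def enforce(packet: bytes, dst_sgt: int) -> bool:
    """Destination-side enforcement as an edge node would do it: read the
    source SGT from the fabric header and apply the SGACL. A packet without
    the header (for example after an IP transit) cannot be classified."""
    _vni, src_sgt, _inner = decap(packet)
    if src_sgt is None:
        raise ValueError("no SGT in header; group policy cannot be enforced")
    return sgacl_permits(src_sgt, dst_sgt)
```

Calling `enforce(encap(4099, 10, frame), 20)` returns `False` (Sales to Marketing is denied), while `ip_transit(...)` hands back only the inner frame with no VNI or SGT left to match on.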

Figure 10-9 shows the use of three VNs for macrosegmentation along with scalable groups/SGTs for microsegmentation.

Figure 10-9 Virtual Networks and Scalable Groups

Scalability

Site reference models can be used to scale the SD-Access fabric from very small to large site sizes. The following scaling numbers are guidelines only and are not intended as size limits for SD-Access:

  • Very small site: A single switch stack covering one wiring closet with fewer than 2000 endpoints, up to 8 VNs, and up to 100 APs. All border, control plane, edge, and WLC nodes are in a single platform.
  • Small site: A single office building to support fewer than 10,000 endpoints, up to 32 VNs, and up to 200 APs. The border and control plane functions are on one or two nodes, and the WLC has an optional redundant node.
  • Medium site: A medium-size building with many wiring closets or multiple buildings to support fewer than 25,000 endpoints, up to 64 VNs, and up to 1000 APs. All border, control plane, and WLC nodes are on distributed devices with high availability configurations.
  • Large site: A large building with many wiring closets or multiple buildings to support fewer than 50,000 endpoints, up to 64 VNs, and up to 2000 APs. All border, control plane, and WLC nodes are on distributed devices with high availability configurations along with multiple border exits.
