CCNP Enterprise Core (350-401)
-
SD-Access: Fabric Concepts
Virtual Network (VN) A virtual network provides virtualisation at the device level by using VRF instances to create multiple Layer 3 routing tables. Each VRF instance keeps its IP address space separate from the other routing tables, so address ranges can overlap between virtual networks without conflict. In the control plane, LISP instance IDs are used to maintain separate VRF…
-
SD-Access: Fabric Wireless Controller (WLC)
A fabric-enabled wireless LAN controller can connect access points and wireless endpoints to the SD-Access fabric. The wireless LAN controller sits outside the fabric and connects to the SD-Access fabric through an internal border node. The WLC provides onboarding and mobility services for wireless users and endpoints connected to the…
-
SD-Access: Fabric Border Nodes
Fabric border nodes are LISP proxy tunnel routers (PxTRs) that connect external Layer 3 networks to the SD-Access fabric and translate reachability and policy information from one domain to the other. There are three types of fabric border node: Internal Border (rest of the enterprise network), Default Border (outside), and Internal Border and Default Border (anywhere). Internal…
-
SD-Access: Fabric Control Plane Node
The fabric control plane node is a LISP map server/map resolver (MS/MR) with enhanced functions for software defined access, including fabric wireless and scalable group tag mapping. It maintains a simple host tracking database that maps endpoint identifiers (EIDs) to routing locators (RLOCs). The control plane node maps each endpoint identifier to its current fabric edge or border node,…
-
SD-Access: Fabric Edge Nodes
The fabric edge node provides onboarding and mobility services for wired users and devices connected to the fabric. It is a LISP tunnel router that provides the anycast gateway, endpoint authentication and assignment to overlay host pools, along with group policy enforcement. The fabric edge identifies and authenticates wired endpoints through 802.1X in order to…
-
Software Defined Access Roles and Components
The software defined access fabric requires multiple roles and components to operate. Each software defined access enabled device must be configured with at least one of these roles. The five basic roles in a fabric overlay are: Control Plane Node The control plane node holds the settings, protocols and mapping tables that provide the EID-to-RLOC…
-
Software Defined Access Policy Plane
The fabric policy plane is based on Cisco TrustSec. Cisco TrustSec Scalable Group Tags (SGTs) are assigned to authenticated groups of users and end devices. Network policy, such as ACLs and QoS, is applied throughout the software defined access fabric based on the Scalable Group Tag rather than on an IP address or MAC address. This means…
-
Software Defined Access Data Plane
The tunnelling technology used in the fabric data plane is based on Virtual Extensible LAN (VXLAN). VXLAN encapsulation is UDP/IP based, so it can be forwarded by any IP network and can create the overlay network for the SD-Access fabric. Although Software Defined Access utilises LISP for the control plane traffic, it is not used for…
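The policy plane and data plane notes above meet in one place: the VXLAN header itself. SD-Access carries the Scalable Group Tag in the VXLAN Group Policy Option (GPO) field, so the egress fabric edge can enforce an SGACL on (source SGT, destination SGT) without consulting the inner IP or MAC address, while the VNI identifies the VN. The following is an added example, not code from the original notes or from Cisco: it builds and decodes a VXLAN-GPO header and runs a constructed SGACL matrix over it. The tag numbers, the binding table and the matrix are constructed for illustration; in a real fabric they are pushed from ISE/DNA Center.

```python
"""Constructed example: decode a VXLAN-GPO header and apply an SGT-based SGACL lookup."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

VXLAN_UDP_PORT = 4789   # IANA port for VXLAN (RFC 7348); the outer header is plain UDP/IP
FLAG_I = 0x08           # byte 0: VNI field is valid (base VXLAN)
FLAG_G = 0x80           # byte 0: Group Policy ID field is present (VXLAN-GPO extension)
FLAG_D = 0x40           # byte 1: Don't Learn the inner source MAC
FLAG_A = 0x08           # byte 1: Policy Applied (an enforcement point already acted)


@dataclass(frozen=True)
class VxlanGpoHeader:
    vni: int              # 24-bit segment ID: the VN (L3 VNI) or host pool (L2 VNI)
    sgt: Optional[int]    # 16-bit Group Policy ID, i.e. the Scalable Group Tag, if present
    dont_learn: bool
    policy_applied: bool


def build_vxlan_gpo(vni: int, sgt: Optional[int] = None, policy_applied: bool = False) -> bytes:
    """Build the 8-byte VXLAN header that follows the outer UDP header."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    b0, b1, gpid = FLAG_I, (FLAG_A if policy_applied else 0), 0
    if sgt is not None:
        if not 0 <= sgt < (1 << 16):
            raise ValueError("SGT must fit in 16 bits")
        b0 |= FLAG_G
        gpid = sgt
    return struct.pack("!BBH", b0, b1, gpid) + vni.to_bytes(3, "big") + b"\x00"


def parse_vxlan_gpo(hdr: bytes) -> VxlanGpoHeader:
    """Decode a VXLAN(-GPO) header; a clear I flag means no valid VNI, so the packet is dropped."""
    if len(hdr) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    b0, b1, gpid = struct.unpack("!BBH", hdr[:4])
    if not b0 & FLAG_I:
        raise ValueError("I flag clear: no valid VNI, drop")
    return VxlanGpoHeader(
        vni=int.from_bytes(hdr[4:7], "big"),
        sgt=gpid if b0 & FLAG_G else None,
        dont_learn=bool(b1 & FLAG_D),
        policy_applied=bool(b1 & FLAG_A),
    )


# Constructed tags, bindings and SGACL matrix (in a real fabric these come from ISE/DNA Center).
SGT_UNKNOWN, SGT_EMPLOYEES, SGT_SERVERS, SGT_GUESTS = 0, 10, 20, 30
LOCAL_BINDINGS: Dict[str, int] = {      # endpoints attached to this egress edge: inner IP -> SGT
    "10.1.20.5": SGT_SERVERS,
    "10.1.10.7": SGT_EMPLOYEES,
}
SGACL_MATRIX: Dict[Tuple[int, int], str] = {
    (SGT_EMPLOYEES, SGT_SERVERS): "permit",
    (SGT_GUESTS, SGT_SERVERS): "deny",
    (SGT_GUESTS, SGT_EMPLOYEES): "deny",
    (SGT_UNKNOWN, SGT_SERVERS): "deny",     # untagged traffic never reaches servers
}
DEFAULT_ACTION = "permit"   # ISE's catch-all defaults to "Permit IP"; set "deny" for default-deny


def enforce_egress(vxlan_payload: bytes, inner_dst_ip: str) -> str:
    """Egress fabric edge enforcement: source SGT from the header, destination SGT from the
    local binding table. Returns the SGACL action for that (src SGT, dst SGT) cell."""
    hdr = parse_vxlan_gpo(vxlan_payload)
    src_sgt = SGT_UNKNOWN if hdr.sgt is None else hdr.sgt
    dst_sgt = LOCAL_BINDINGS.get(inner_dst_ip, SGT_UNKNOWN)
    return SGACL_MATRIX.get((src_sgt, dst_sgt), DEFAULT_ACTION)


if __name__ == "__main__":
    campus_vn = 4098   # constructed L3 VNI for a "Campus" VN
    pkt = build_vxlan_gpo(campus_vn, SGT_GUESTS)
    print(pkt.hex(), parse_vxlan_gpo(pkt))
    print("guest -> server:", enforce_egress(pkt, "10.1.20.5"))
    print("employee -> server:", enforce_egress(build_vxlan_gpo(campus_vn, SGT_EMPLOYEES), "10.1.20.5"))
```

Two details matter operationally. First, the destination SGT is not in the packet: the egress edge knows it only because that endpoint was authenticated and bound locally, which is why enforcement happens at egress. Second, an untagged frame (G flag clear) is classified as SGT 0, so the matrix should have an explicit row for unknown sources rather than relying on the default cell.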
-
Software Defined Access Control Plane
The software defined access control plane is based on the Locator/ID Separation Protocol (LISP). LISP is an IETF standard protocol defined in RFC 6830 that is based on a simple endpoint ID (EID) to Routing Locator (RLOC) mapping system, separating an endpoint's identity (its IP address) from its current location (the IP address of the network edge or border router…
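The control plane, control plane node, fabric edge and virtual network notes above all describe the same database from different angles: a host tracking table keyed by LISP instance ID and EID that returns the RLOC of whichever fabric edge (or border) currently holds the endpoint. The following is an added toy model, not Cisco's control plane node code and not from the original notes. It shows registration after onboarding, resolution, the overlapping-address case that instance IDs exist to solve, the negative map reply that steers unknown destinations to the default border, and how a re-registration from another edge tracks host mobility. The instance IDs, RLOCs, addresses and SGT values are constructed.

```python
"""Constructed example: a toy LISP map server/resolver (MS/MR) host tracking database."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Mapping:
    rloc: IPv4Address   # underlay loopback of the edge/border that currently owns the EID
    sgt: int            # scalable group tag assigned when the endpoint was onboarded


@dataclass
class MapServer:
    # Host tracking database keyed by (instance ID, EID). The instance ID is the
    # control-plane separator for a VN, so the same host address can exist in two VNs.
    db: Dict[Tuple[int, IPv4Address], Mapping] = field(default_factory=dict)
    # Proxy ETR (default border RLOC) per instance, used for EIDs the fabric does not know.
    petr: Dict[int, IPv4Address] = field(default_factory=dict)

    def map_register(self, instance_id: int, eid: str, rloc: str, sgt: int) -> Optional[Mapping]:
        """An ETR (fabric edge) registers an endpoint it has authenticated and placed in a
        host pool. Returns the previous mapping, which is what the MS would use to notify
        the old edge when a host has moved."""
        key = (instance_id, ip_address(eid))
        previous = self.db.get(key)
        self.db[key] = Mapping(ip_address(rloc), sgt)
        return previous

    def map_request(self, instance_id: int, eid: str) -> Tuple[str, Optional[Mapping]]:
        """Resolve an EID for an ITR. A known host gets a Map-Reply; an unknown one gets a
        negative Map-Reply and the ITR forwards to the VN's default border (proxy ETR)."""
        key = (instance_id, ip_address(eid))
        if key in self.db:
            return "map-reply", self.db[key]
        border = self.petr.get(instance_id)
        if border is None:
            return "negative-map-reply", None          # no border for this VN: drop
        return "negative-map-reply", Mapping(border, sgt=0)   # SGT 0 = unknown group


def build_demo_fabric() -> MapServer:
    """Constructed fabric: two VNs (instance IDs 4098 and 4099) both using 10.1.1.0/24."""
    ms = MapServer()
    edge_a, edge_b, border = "192.168.0.11", "192.168.0.12", "192.168.0.1"   # underlay RLOCs
    ms.petr = {4098: ip_address(border), 4099: ip_address(border)}
    ms.map_register(4098, "10.1.1.10", edge_a, sgt=10)   # Campus VN, Employees, behind edge A
    ms.map_register(4099, "10.1.1.10", edge_b, sgt=30)   # Guest VN, same address, behind edge B
    return ms


if __name__ == "__main__":
    ms = build_demo_fabric()
    print("campus 10.1.1.10:", ms.map_request(4098, "10.1.1.10"))
    print("guest  10.1.1.10:", ms.map_request(4099, "10.1.1.10"))
    print("internet dest   :", ms.map_request(4098, "8.8.8.8"))
    # Host mobility: the campus endpoint reconnects behind edge B and re-registers.
    old = ms.map_register(4098, "10.1.1.10", "192.168.0.12", sgt=10)
    print("moved from", old.rloc, "to", ms.map_request(4098, "10.1.1.10")[1].rloc)
```

The point worth noticing is that nothing in the overlay routing table changes when the host moves: only the EID-to-RLOC entry is rewritten, and every other edge learns the new RLOC on its next map request (or when its cached entry is invalidated), which is what makes the mobility "seamless" from the endpoint's perspective.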
-
SD-Access: Overlay Network
The software defined access fabric is the overlay network, providing policy-based network segmentation, host mobility and enhanced security beyond the normal capabilities of a traditionally switched network. The software defined access overlay is fully automated regardless of the underlay mode used, and automatically includes all the overlay control plane protocols and addressing required. The Cisco…