Introduction to SD-Access Fusion Routers

Cisco's Software-Defined Access (SD-Access) architecture is meant to make your network easier to manage while keeping it as secure as possible. SD-Access uses VRFs to provide macro-segmentation and Security Group Tags (SGTs) to provide micro-segmentation.

While micro-segmentation helps keep your users from doing things they shouldn't be doing, macro-segmentation is useful for keeping your legitimate users separate from your guest users or IoT devices.

SD-Access has the concept of a "Virtual Network" or VN. This is simply a VRF in legacy network terms. If you're unfamiliar with what a VRF is, it stands for Virtual Routing and Forwarding. It is essentially a wholly separate routing table alongside your default routing table. Once a VRF is created on a router, interfaces (physical or virtual) can then be assigned to the VRF. Generally, traffic in a VRF cannot pass to another VRF or the default VRF without transiting another device. You can think of this like how traffic in a VLAN is kept separate from traffic in other VLANs unless it transits a router. VRFs take the same concept as a VLAN from layer 2 up to layer 3.

If you ever want traffic in separate VRFs to mix, you need to introduce a "fusion router". Put simply, a fusion router connects to a VRF-aware router with the fusion router's interfaces in a common VRF (typically the default VRF), while the VRF-aware router has interfaces in all of the VRFs it wishes to mix. Generally, these interfaces are going to be sub-interfaces or SVIs, to keep the number of physical interfaces to a minimum.

[Figure: fusion.png]

Often, though, we would place a firewall at this connection to maintain some amount of security; otherwise, there wouldn't be much purpose in using VRFs in the first place. You could use a firewall as your fusion router, or you could use a multi-context firewall deployment with one context per VRF alongside a separate fusion router.

For routing between a fabric border router and a fusion router, you can use just about any protocol you want; however, MP-BGP is likely to be your routing protocol of choice because it can handle multiple VRFs without requiring multiple processes.
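As an added illustration of the sub-interface and MP-BGP design described above (constructed example configuration, not from the original post or from Cisco's documentation): the border holds one 802.1Q sub-interface per VN inside that VN's VRF and one BGP VRF address-family per VN, while the fusion router keeps both sub-interfaces in the global table and decides what each VN is allowed to learn. VRF names, AS numbers, addresses and the prefixes 10.10.0.0/16 and 10.20.0.0/16 are assumed values, with those prefixes assumed to already exist in the respective VRF tables.

```cisco
! --- Fabric border (VRF-aware side). Names, AS numbers and addresses are constructed.
vrf definition CAMPUS
 rd 65001:100
 address-family ipv4
 exit-address-family
vrf definition GUEST
 rd 65001:200
 address-family ipv4
 exit-address-family
! One 802.1Q sub-interface per VN towards the fusion router, each placed in its VRF
interface GigabitEthernet0/0/1.100
 encapsulation dot1Q 100
 vrf forwarding CAMPUS
 ip address 10.255.100.1 255.255.255.252
interface GigabitEthernet0/0/1.200
 encapsulation dot1Q 200
 vrf forwarding GUEST
 ip address 10.255.200.1 255.255.255.252
! MP-BGP: a single process with one VRF address-family per VN
router bgp 65001
 address-family ipv4 vrf CAMPUS
  neighbor 10.255.100.2 remote-as 65002
  neighbor 10.255.100.2 activate
  network 10.10.0.0 mask 255.255.0.0
 exit-address-family
 address-family ipv4 vrf GUEST
  neighbor 10.255.200.2 remote-as 65002
  neighbor 10.255.200.2 activate
  network 10.20.0.0 mask 255.255.0.0
 exit-address-family
! --- Fusion router: both sub-interfaces sit in the global (default) VRF,
! so routes learned from one VN can be re-advertised into the other.
interface GigabitEthernet0/0/0.100
 encapsulation dot1Q 100
 ip address 10.255.100.2 255.255.255.252
interface GigabitEthernet0/0/0.200
 encapsulation dot1Q 200
 ip address 10.255.200.2 255.255.255.252
! Only a default route is handed back to GUEST, so guest hosts never learn CAMPUS prefixes
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
route-map TO-GUEST permit 10
 match ip address prefix-list DEFAULT-ONLY
router bgp 65002
 neighbor 10.255.100.1 remote-as 65001
 neighbor 10.255.200.1 remote-as 65001
 neighbor 10.255.200.1 route-map TO-GUEST out
 neighbor 10.255.200.1 default-originate
 ! as-override replaces 65001 in the AS path, otherwise the border would drop GUEST prefixes as a loop
 neighbor 10.255.100.1 as-override
```

With this in place CAMPUS learns the GUEST prefix via the fusion router, while GUEST sees nothing but 0.0.0.0/0; any firewall inserted at this hop still sees plain IP traffic, since the SGTs do not survive leaving the fabric.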

In SDA, the default VRF, or "Infrastructure VN", is what provides end-to-end connectivity for fabric edge devices. If you want to access or manage any devices in the Infrastructure VN from a client in another VN, you have to implement a fusion router.

While you would generally use a fusion router to mix traffic from differing VNs into a single VRF, you could also simply extend one or more VRFs using VRF-lite out to another device. This may be useful for routing guest traffic out to a separate internet breakout.

With SD-Access, once traffic has passed to a fusion router and left the fabric, the SGTs are stripped off, and you cannot maintain micro-segmentation across VNs.

For more information on configuring a fusion router, look to Cisco's documentation on the matter.

Ryan Harris

I’m Ryan and I’m a Senior Network Engineer for BlueAlly (formerly NetCraftsmen) in North Carolina doing routing, switching, and security. I’m very interested in IPv6 adoption, SD-Access, and Network Optimization. Multi-vendor with the majority of my work being with Cisco and Palo Alto.
