What is Cisco's Software Defined Access?
Everything seems to be “Software Defined” these days. A lot of organizations have deployed SD-WAN with great success. Cisco of course wants to sell us something new now and that’s SD-Access. We’ll cover what this is but before we get into it, let's first cover the way we would traditionally design and manage a network so that we can contrast this to Cisco’s new architecture.
Most likely, your company is running something similar to a three-tier architecture with a core layer, distribution layer, and access layer. You might also have seen a collapsed core architecture where the core and distribution are co-located in the same boxes. In this architecture, your users plug directly into the access layer, with trunk ports connecting it to the distribution layer. The default gateways live on the distribution layer, and we may be running a first-hop redundancy protocol like HSRP or VRRP to maintain high availability, or achieving the same thing with a technology like StackWise. The core layer simply maintains connectivity between distribution layer devices.
We may already know some of the inherent limitations of this design: we rely on spanning-tree to keep the access layer loop free, and if we have multiple redundant links we have to bundle them into port-channels to trick spanning-tree into treating them as a single link. By default, spanning-tree can take a while to converge unless we configure Rapid Spanning Tree, and even then there are issues with relying on it too heavily.
This architecture also has an IP mobility problem. By that I mean: maybe there's a printer with a statically assigned IP address and it gets moved to another building. Now an administrator has to go and change that IP address, and possibly change the configuration on every computer that prints to it.
Security in our three-tier architecture essentially equates a set of users to a subnet and then uses that subnet to apply your security policy. The problem with this is that if a user is ever accidentally placed in the wrong subnet, they may have access to something they shouldn't, or lack access to something they should. Every time a new device is added or moved to a different switch port, there is additional administrative overhead to get the subnet, and therefore the policy, right.
Introducing SD-Access
SD-Access aims to solve all of these problems.
I've talked about intent-based networking and zero-trust networking before. Both of these concepts promise better network security and policies that can be defined once and reused throughout our network. SDA lets us implement both of these concepts completely from within DNA Center.
Cisco’s SD-Access is a network architecture that uses the following technologies to provide authentication, macro and micro-segmentation, and host mobility.
802.1X
Security Group Tags
VXLAN
LISP
Virtual Routing and Forwarding
IS-IS
BGP
Of course, the whole architecture is managed from DNA Center. DNA Center is an evolution of Cisco's APIC-EM, Prime Infrastructure and more, and is Cisco's latest network management platform. DNA Center automates everything from plug-and-play onboarding and software upgrades to deploying the fabric configuration, network monitoring and troubleshooting.
The Architecture
The SD-Access network architecture is broken into two different parts, the underlay and the overlay.
The underlay is responsible for reachability between all network devices. The underlay routing is all in the default VRF, or in the SDA world, the "infrastructure VN". It's important to note that client subnets are generally not going to be in the infrastructure VN. IS-IS is the default routing protocol for the underlay, but this can be changed to whatever you desire through DNA Center templates. The big plus of routing all the way to our access devices is that we can remove spanning-tree protocol and use all available links.
The overlay is the network that rides on top of the underlay. This is the network the clients will use. In our SD-Access network the overlay is VXLAN, providing end-to-end connectivity. VXLAN lets us use anycast gateways on all fabric edge switches and extend layer 2 connectivity across the routed underlay. The VXLAN header the fabric uses carries both the VNI that identifies the Virtual Network and the Security Group Tag of the source, so the segmentation context travels with every encapsulated packet rather than being inferred from the subnet.
LISP, the Locator/ID Separation Protocol, is used to tell other fabric devices where a specific IP address currently sits within the fabric. We have to designate at least one device in our fabric as a Control Plane (CP) node, which acts as the server for these lookups. Think of LISP much like DNS: it maps an Endpoint ID (EID), the host address, to a Routing Locator (RLOC), the underlay address of the fabric edge the host sits behind, similar to how DNS maps a domain name to an IP address.
Fabric border nodes are configured as Proxy Egress Tunnel Routers (PETR). When the Control Plane node has no mapping for a destination, fabric edges send that traffic to the border, which therefore acts as a sort of "default route" for the fabric.
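To make the control-plane behaviour concrete, here is a small added model of the mapping system described above: the CP node answering EID-to-RLOC lookups, the border standing in as PETR when there is no mapping, and a host keeping its IP when it moves between edges (the printer problem from earlier). This is example code written for this page, not Cisco's implementation; the `MapServer`/`EdgeNode` API, the VN names and every address are constructed, and the real protocol details (map-cache, aging, solicit-map-requests) are deliberately left out.

```python
"""Toy model of the SD-Access control plane: LISP-style EID-to-RLOC lookups,
the border as proxy-ETR "default route", and host mobility by re-registration.
Added example, not Cisco's code; the API, VN names and addresses are
constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class MapServer:
    """The Control Plane node. Like DNS, it answers 'where is this EID?'.
    Mappings are scoped by Virtual Network (the LISP instance-id), so the same
    address can exist in two VNs without colliding (macro-segmentation)."""
    db: dict = field(default_factory=dict)   # (vn, eid) -> rloc

    def register(self, vn, eid, rloc):
        """Map-register from an edge node that learned eid on an access port.
        A later register for the same EID simply replaces the RLOC, which is
        all host mobility needs: the endpoint keeps its IP."""
        self.db[(vn, str(ip_address(eid)))] = str(ip_address(rloc))

    def resolve(self, vn, eid):
        """Map-request. None stands in for a negative map-reply."""
        return self.db.get((vn, str(ip_address(eid))))


@dataclass
class EdgeNode:
    """Fabric edge: registers its hosts and decides where to VXLAN-encapsulate.
    No map-cache is modelled; real edges cache replies and must have them
    refreshed after a move, so every decision here is a fresh lookup."""
    name: str
    rloc: str          # underlay loopback, i.e. an infrastructure VN address
    cp: MapServer
    petr: str          # border node's RLOC, used when the CP has no mapping

    def learn_host(self, vn, eid):
        self.cp.register(vn, eid, self.rloc)

    def forward(self, vn, dst):
        """Returns (action, rloc): 'local' deliver on this edge, 'fabric'
        encapsulate to another edge, 'petr' encapsulate to the border."""
        rloc = self.cp.resolve(vn, dst)
        if rloc is None:
            return ("petr", self.petr)
        if rloc == self.rloc:
            return ("local", rloc)
        return ("fabric", rloc)


def build_demo_fabric():
    """Constructed two-edge, one-border fabric with two VNs."""
    cp = MapServer()
    border = "192.168.255.1"
    edge1 = EdgeNode("edge1", "192.168.255.11", cp, border)
    edge2 = EdgeNode("edge2", "192.168.255.12", cp, border)
    edge1.learn_host("Campus", "10.1.10.50")   # a printer behind edge1
    edge2.learn_host("Campus", "10.1.10.60")   # a user PC behind edge2
    edge2.learn_host("IoT", "10.1.10.50")      # same IP, different VN: no clash
    return cp, edge1, edge2


def run_demo():
    cp, edge1, edge2 = build_demo_fabric()
    before = edge2.forward("Campus", "10.1.10.50")     # ('fabric', edge1)
    internet = edge1.forward("Campus", "8.8.8.8")      # ('petr', border)
    iot = edge1.forward("IoT", "10.1.10.50")           # ('fabric', edge2)
    edge2.learn_host("Campus", "10.1.10.50")           # printer moved to edge2
    after = edge1.forward("Campus", "10.1.10.50")      # ('fabric', edge2)
    now_local = edge2.forward("Campus", "10.1.10.50")  # ('local', edge2)
    return {"before": before, "internet": internet, "iot": iot,
            "after": after, "now_local": now_local}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:10s} -> {value}")
```

Note the two things the model makes visible: the printer's address never changes when it moves, only the RLOC the CP hands back does, and the `IoT` lookup shows why client subnets can overlap across VNs, because the EID is always qualified by the VN.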
DNA Center automates the implementation of 802.1X within the fabric. 802.1X is just one piece of our zero-trust goal: we want to verify the identity of our endpoints and then have the authorization result set the VLAN and Security Group Tag used for micro-segmentation. Those are returned in the RADIUS Access-Accept, and a RADIUS Change of Authorization (CoA) message lets the policy server change them later for a session that is already up, for example after profiling identifies the device. All of the AAA functions in this architecture are performed by Cisco Identity Services Engine (ISE). DNA Center and ISE integrate so that you can manage SGACLs directly from within DNA Center.
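As an added illustration of what the edge does with that authorization result (not ISE or switch code; everything below is constructed), the following parses a RADIUS Access-Accept for the VLAN, carried in the RFC 3580 tunnel attributes, and the SGT, carried in a Cisco AV-pair, and then applies an SGACL-style matrix to a source/destination tag pair. The attribute list shape, the tag numbers and the policy matrix are assumptions made for the example; the `cts:security-group-tag=<hex>-<gen>` value form is the one this parser expects and should be checked against what your ISE actually sends.

```python
"""Added example, not Cisco/ISE code. Parses a constructed RADIUS
Access-Accept for VLAN and Security Group Tag, then evaluates an SGACL
matrix. Attribute values, tag numbers and the policy are invented."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Authorization:
    vlan: Optional[str]
    sgt: Optional[int]


# Assumed AV-pair form: cts:security-group-tag=<SGT hex>-<generation hex>
_SGT_RE = re.compile(r"^cts:security-group-tag=([0-9A-Fa-f]{1,4})-[0-9A-Fa-f]{1,2}$")


def parse_access_accept(attrs):
    """attrs: list of (name, value) pairs as a RADIUS client would decode them.
    Only honours Tunnel-Private-Group-Id when Tunnel-Type is VLAN and
    Tunnel-Medium-Type is IEEE-802 (RFC 3580); anything missing stays None
    rather than being guessed."""
    by_name = {}
    for name, value in attrs:
        by_name.setdefault(name, []).append(value)
    vlan = None
    if (by_name.get("Tunnel-Type") == ["VLAN"]
            and by_name.get("Tunnel-Medium-Type") == ["IEEE-802"]):
        vlan = by_name.get("Tunnel-Private-Group-Id", [None])[0]
    sgt = None
    for av in by_name.get("Cisco-AVPair", []):
        m = _SGT_RE.match(av)
        if m:
            sgt = int(m.group(1), 16)
    return Authorization(vlan, sgt)


# Constructed SGACL matrix: (source SGT, destination SGT) -> action.
# In the fabric this is enforced at the egress edge, where the destination
# tag is known. Tag numbers and names are invented for the example.
POLICY = {
    (10, 20): "permit",   # Employees -> Printers
    (10, 10): "permit",   # Employees -> Employees
    (30, 20): "deny",     # Guests -> Printers
}
DEFAULT_ACTION = "deny"   # chosen explicitly; do not inherit a permissive default


def sgacl_decision(src_sgt, dst_sgt):
    """Unknown tags fall to the default. TrustSec represents untagged traffic
    as SGT 0 (Unknown); this model uses None for 'never authorized'."""
    if src_sgt is None or dst_sgt is None:
        return DEFAULT_ACTION
    return POLICY.get((src_sgt, dst_sgt), DEFAULT_ACTION)


# Constructed Access-Accept attribute sets (not captured from a real ISE).
EMPLOYEE_ACCEPT = [
    ("Tunnel-Type", "VLAN"),
    ("Tunnel-Medium-Type", "IEEE-802"),
    ("Tunnel-Private-Group-Id", "Campus_Users"),
    ("Cisco-AVPair", "cts:security-group-tag=000A-00"),   # 0x000A = 10
]
GUEST_ACCEPT = [
    ("Tunnel-Type", "VLAN"),
    ("Tunnel-Medium-Type", "IEEE-802"),
    ("Tunnel-Private-Group-Id", "Guest"),
    ("Cisco-AVPair", "cts:security-group-tag=001E-00"),   # 0x001E = 30
]
BARE_ACCEPT = []   # authenticated, but no authorization attributes at all


if __name__ == "__main__":
    for label, attrs in (("employee", EMPLOYEE_ACCEPT),
                         ("guest", GUEST_ACCEPT), ("bare", BARE_ACCEPT)):
        auth = parse_access_accept(attrs)
        print(label, auth, "-> printers:", sgacl_decision(auth.sgt, 20))
```

The two checks worth keeping from this are the RFC 3580 guard (a `Tunnel-Private-Group-Id` without the matching type and medium attributes is ignored) and the explicit default for sessions that never received a tag; both are places where a permissive fallback would quietly undo the micro-segmentation.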
I'll be covering some of the pieces of SD-Access in far more depth later on, including how to deploy and troubleshoot everything. I hope this helps you understand the various aspects of Cisco's Software Defined Access solution. There's a lot to learn and this is likely a pretty big shift in design from the networks you're used to managing, but ultimately deploying SD-Access will make your network easier to scale, easier to upgrade and far more secure.