Cisco Software-Defined Access (SD-Access)

Cisco Software-Defined Access (SD-Access) is a solution within Cisco Digital Network Architecture (Cisco DNA). It is a newer method of network access control for an enterprise network, built on intent-based networking technology, that addresses the implementation and administration problems of the traditional network.


SD-Access provides automated end-to-end segmentation to separate user, device, and application traffic without redesigning the network. Cisco SD-Access automates user access policy so organizations can make sure the right policies are established for any user.



SD-Access provides a transformational shift in building, managing, and securing the entire network, making it faster and easier to operate and improving efficiency. It is an all-in-one product that provides another vital layer of security and privacy protection: an additional layer of analysis, control over access policies, network segmentation, and endpoint monitoring.

The four major components related to SD-Access include:

  1. the DNA Center controller,
  2. the network,
  3. the Cisco Identity Services Engine, and
  4. the DNA Advantage License.

All these components work together to create a software-defined layer of access.

SD-Access uses VXLAN data encapsulation instead of LISP data encapsulation. It uses VXLAN encapsulation because it is capable of encapsulating the original Ethernet header, which allows SD-Access to support both Layer 2 and Layer 3 overlays. VXLAN uses an overlay network that runs on top of an underlay network.

SD-Access policy enforcement has these characteristics:

  • It is the next generation of policy enforcement.
  • Policies are enforced with Security Group Access Control Lists (SGACLs).
  • Policies are based on identities rather than IP addresses.

The original VXLAN specification was enhanced for SD-Access to support Cisco TrustSec Scalable Group Tags (SGTs). This was accomplished by adding new fields to the first 4 bytes of the VXLAN header in order to transport up to 64,000 SGTs. The new VXLAN format is called VXLAN Group Policy Option (GPO).
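To make the two ideas above concrete (the SGT riding in the first 4 bytes of the VXLAN-GPO header, and an SGACL that decides on SGT pairs rather than IP addresses), here is an added example that is not from the original post or from Cisco. It follows the VXLAN-GPO header layout from draft-smith-vxlan-group-policy (G/I flag bits in byte 0, D/A bits in byte 1, 16-bit Group Policy ID, 24-bit VNI). The SGT numbers, the SGACL matrix and the egress-node logic are constructed for illustration and are not values from any real deployment.

```python
import struct
from dataclasses import dataclass

# Bit positions in the VXLAN-GPO header (draft-smith-vxlan-group-policy):
#   byte 0: G (0x80) = Group Policy ID present, I (0x08) = VNI present
#   byte 1: D (0x40) = Don't Learn, A (0x08) = policy already applied
#   bytes 2-3: 16-bit Group Policy ID, which carries the source SGT
#   bytes 4-6: 24-bit VNI, byte 7: reserved
FLAG_G, FLAG_I = 0x80, 0x08
FLAG_D, FLAG_A = 0x40, 0x08


@dataclass
class VxlanGpoHeader:
    group_policy_present: bool
    vni_present: bool
    dont_learn: bool
    policy_applied: bool
    sgt: int
    vni: int


def build_vxlan_gpo(vni: int, sgt: int, policy_applied: bool = False,
                    dont_learn: bool = False) -> bytes:
    """Build the 8-byte VXLAN-GPO header that precedes the inner Ethernet frame."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    if not 0 <= sgt < (1 << 16):
        raise ValueError("SGT must fit in the 16-bit Group Policy ID field")
    flags0 = FLAG_G | FLAG_I
    flags1 = (FLAG_D if dont_learn else 0) | (FLAG_A if policy_applied else 0)
    return struct.pack("!BBHI", flags0, flags1, sgt, vni << 8)


def parse_vxlan_gpo(header: bytes) -> VxlanGpoHeader:
    """Decode an 8-byte VXLAN-GPO header; the SGT is only meaningful when G is set."""
    if len(header) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    flags0, flags1, group_policy_id, vni_and_reserved = struct.unpack("!BBHI", header[:8])
    g_set = bool(flags0 & FLAG_G)
    return VxlanGpoHeader(
        group_policy_present=g_set,
        vni_present=bool(flags0 & FLAG_I),
        dont_learn=bool(flags1 & FLAG_D),
        policy_applied=bool(flags1 & FLAG_A),
        sgt=group_policy_id if g_set else 0,   # plain VXLAN: no tag, treat as unknown
        vni=vni_and_reserved >> 8,
    )


# Constructed SGT values and SGACL matrix (hypothetical, not from the page).
SGT_UNKNOWN, SGT_EMPLOYEE, SGT_CONTRACTOR, SGT_PAYROLL_SERVER = 0, 10, 20, 100
SGACL = {
    (SGT_EMPLOYEE, SGT_PAYROLL_SERVER): "permit",
    (SGT_CONTRACTOR, SGT_PAYROLL_SERVER): "deny",
}
DEFAULT_ACTION = "deny"  # any (source, destination) pair without an explicit entry


def sgacl_decision(src_sgt: int, dst_sgt: int) -> str:
    """Policy lookup keyed on identities (SGT pair), never on IP addresses."""
    return SGACL.get((src_sgt, dst_sgt), DEFAULT_ACTION)


def enforce_on_egress(header: bytes, dst_sgt: int) -> str:
    """Egress edge node: source SGT comes from the VXLAN-GPO header, the destination
    SGT from the node's local endpoint binding; the SGACL decides. A packet whose A
    bit is set has already been policed upstream and is not re-evaluated."""
    hdr = parse_vxlan_gpo(header)
    if hdr.policy_applied:
        return "permit"
    src = hdr.sgt if hdr.group_policy_present else SGT_UNKNOWN
    return sgacl_decision(src, dst_sgt)


if __name__ == "__main__":
    # Constructed packet: VNI 4100, source tagged as employee, bound for payroll.
    hdr = build_vxlan_gpo(4100, SGT_EMPLOYEE)
    print(hdr.hex(), parse_vxlan_gpo(hdr))
    print("employee -> payroll:", enforce_on_egress(hdr, SGT_PAYROLL_SERVER))
    print("contractor -> payroll:",
          enforce_on_egress(build_vxlan_gpo(4100, SGT_CONTRACTOR), SGT_PAYROLL_SERVER))
```

The point worth noticing is that the same destination and the same VNI yield opposite decisions depending only on the 16-bit tag, and that an untagged (plain VXLAN) packet falls through to the deny default rather than being treated as trusted.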



SD-Access vs SD-WAN

Both are approaches to SDN that build on the Cisco DNA architecture.
  • SD-Access, as the name suggests, is software-defined access for changing the architecture of LAN networks.
  • SD-WAN is the software-defined WAN, which can automate and may be the next generation of networks over MPLS/VPLS.

You can watch a video of Cisco SD-WAN at www.cisco.com/go/sdwandemos


SD-Access has two parts: Cisco DNA Center and Cisco fabrics.

Cisco DNA Center

Cisco DNA Center is a powerful network controller and management dashboard for secure access to networks and applications. It lets you take charge of your network, optimize your Cisco investment, and lower your IT spending.

We are making a transition to Cisco DNA Center for all network management activity. Cisco Networking changes the perspective for network management because it moves away from standalone network products to elements that are tightly coupled with automation controllers and assurance engines. 


This change is reflected in Cisco DNA Center, which integrates the network with IT processes, allowing us to automate workflows across disparate systems and streamline operations across Cisco domains.


Cisco Campus Fabric

Campus Fabric provides the basic infrastructure for building virtual networks based on policy-based segmentation constructs. The fabric overlay provides services such as host mobility and enhanced security, in addition to normal switching and routing capabilities.

  1. It is a virtual overlay network
  2. Ideally used with Cisco DNA Center
  3. NETCONF/YANG management
  4. Overcomes limitations found in traditional networks


Campus Fabric Overlay provisioning consists of three main components:

  • Control-Plane
  • Data-Plane
  • Policy-Plane



The Campus Fabric is an instance of a "Network Fabric". A Network Fabric describes a network topology where data traffic is passed through interconnecting switches, while providing the abstraction of a single Layer-2 and/or Layer-3 device.

As mentioned before, an SD-Access fabric site consists of fabric edge nodes, a control plane node, intermediate nodes and border nodes. When wireless integration is required, a fabric WLC and fabric APs also become part of the SD-Access fabric. An SD-Access site can also be connected to an SD-Access transit network to create a larger fabric domain.


Control plane node:

The SD-Access control plane node provides the LISP Map Server and Map Resolver functions. Control plane nodes register all the EIDs (endpoint identifiers) that are connected to fabric edge nodes. The control plane node and border node functions can also be configured on the same fabric node.

Edge Node:

Fabric edge nodes are the nodes where endpoints and APs connect to the SD-Access fabric.

Intermediate Node:

These nodes operate at Layer 3 and provide interconnection between edge nodes and border nodes. They route IP traffic inside the fabric and perform no VXLAN encapsulation or decapsulation. The only requirement is to maintain an MTU large enough to accommodate the larger VXLAN-encapsulated packets.

Border Node:

These nodes act as a gateway between the SD-Access fabric site and external networks. A border node can be an internal border (a gateway for specific subnets such as shared services or the data center network) or an external border (the exit point from the fabric to the rest of the enterprise). The two roles can be combined on a single router, called an anywhere border.
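The roles described above (control plane node as LISP Map Server and Map Resolver, edge nodes registering the endpoints attached to them, border node as the way out for destinations the fabric does not know, intermediate nodes that only need a large enough MTU) can be modelled in a few lines. The following is an added example written for this page; it is not Cisco code and not the original post's. Node names, RLOC addresses, the instance ID 4099 and the endpoint addresses are constructed, and the overhead constant assumes IPv4 in the underlay with an untagged inner frame.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Bytes an edge node adds in front of an endpoint's IP packet when it
# VXLAN-encapsulates it: outer IPv4 (20) + UDP (8) + VXLAN (8) + inner Ethernet (14).
# An intermediate node never decapsulates, so its links must carry the full size.
VXLAN_IPV4_OVERHEAD = 20 + 8 + 8 + 14


def fits_underlay(inner_ip_len: int, underlay_mtu: int) -> bool:
    """Will an encapsulated packet of this inner size cross an intermediate node's link?"""
    return inner_ip_len + VXLAN_IPV4_OVERHEAD <= underlay_mtu


@dataclass
class ControlPlaneNode:
    """Map Server (accepts registrations) and Map Resolver (answers lookups) in one node."""
    # (instance_id, EID) -> (RLOC of the registering edge node, registration version)
    registrations: Dict[Tuple[int, str], Tuple[str, int]] = field(default_factory=dict)

    def map_register(self, instance_id: int, eid: str, rloc: str) -> int:
        """An edge node registers an endpoint it has learned. Re-registering the same
        EID from a different edge node moves it: this is the host-mobility case."""
        _, version = self.registrations.get((instance_id, eid), (None, 0))
        self.registrations[(instance_id, eid)] = (rloc, version + 1)
        return version + 1

    def map_request(self, instance_id: int, eid: str) -> Optional[str]:
        """Resolve EID -> RLOC; None means the fabric does not know this endpoint."""
        entry = self.registrations.get((instance_id, eid))
        return entry[0] if entry else None


@dataclass
class EdgeNode:
    name: str
    rloc: str                 # the node's own locator in the underlay
    cp: ControlPlaneNode      # control plane node it registers with and queries

    def endpoint_attached(self, instance_id: int, eid: str) -> int:
        """Called when an endpoint (or AP-connected client) shows up on this edge."""
        return self.cp.map_register(instance_id, eid, self.rloc)

    def next_hop_rloc(self, instance_id: int, eid: str, border_rloc: str) -> str:
        """Tunnel destination for traffic to eid: the registered edge node, or the
        border node for destinations outside the fabric (the border is the gateway)."""
        return self.cp.map_request(instance_id, eid) or border_rloc


if __name__ == "__main__":
    # Constructed site: one control plane node, two edges, one border, one VN (4099).
    cp = ControlPlaneNode()
    edge1 = EdgeNode("edge-1", "10.0.0.1", cp)
    edge2 = EdgeNode("edge-2", "10.0.0.2", cp)
    border = "10.0.0.254"
    edge1.endpoint_attached(4099, "192.168.10.20")
    print("to 192.168.10.20 from edge-2:", edge2.next_hop_rloc(4099, "192.168.10.20", border))
    edge2.endpoint_attached(4099, "192.168.10.20")   # the host roams to edge-2
    print("after roaming, from edge-1:", edge1.next_hop_rloc(4099, "192.168.10.20", border))
    print("to an external address:", edge1.next_hop_rloc(4099, "203.0.113.9", border))
    print("1500-byte packet over 1500-byte underlay:", fits_underlay(1500, 1500))
```

Two details carry over to real designs: the EID table is keyed on the instance ID as well as the address, so the same address in two virtual networks never resolves to each other's locator, and a 1500-byte endpoint packet does not fit a 1500-byte underlay once the 50-byte encapsulation is added, which is why the intermediate nodes' MTU is the one requirement the text calls out.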



In the SD-Access fabric, your wireless access point has a VXLAN tunnel (CAPWAP) to the wireless controller only for network traffic.



Reviewed by ohhhvictor on July 13, 2022
