
Cisco SD-Access LISP Solution

Fundamentals

Ritika Singh
Technical Marketing Engineer
BRKENS-2810

BRKENS-2810 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Agenda
• Why Cisco SD-Access LISP?
• Roles and Terminology
• Fabric Fundamentals
• Multiple Fabric
• Conclusion
Why Cisco SD-Access LISP?

Intent-Driven Automation
Easy for admins to configure and manage networks
• Standardized templates for consistent implementation
• Configuration workflows to drive intent
• … and many more!
Intent-Driven Automation
Automation with highly flexible scale
• Best practice configurations curated and validated extensively for each workflow.
• Simple UI based guided workflow for the administrator to deploy with a few clicks.
• Configure multiple devices across or within a site in one-go!
SD-Access Zero-Trust Workplace
Based on the Organization’s goal, explore and achieve Zero Trust for workplace.
3 Pillars of SD-Access Zero Trust Workplace: Visibility, Segmentation, and Trust.
Attribute-Based Policy and Segmentation
Catalyst Center and ISE integration facilitates automated configuration and segmentation at scale
(Figure: Catalyst Center and ISE Integration; Trust, Configure, Context; ISE.)
Automated configuration and segmentation policies paired with scalable onboarding of endpoints.
Attribute-Based Policy and Segmentation
Centralize policy definition on ISE for wired and wireless endpoints
(Figure: Catalyst Center and ISE Integration. Classification: Policy Set → Authorization Policy → Result → Security Group. Enforcement.)
Common policy definition and enforcement* for wired and wireless users.
* Watch BRKENS-2814 for advance enforcement use-cases
Attribute-Based Policy and Segmentation
Move away from IPs and ACLs to Group Based Access Control
(Figure: 802.1x, MAB, WebAuth; Authentication Template defined on Catalyst Center; endpoints tagged SGT: 8 (IOT) and SGT: 5 (Employee).)
Dynamically onboard end users and devices, assign Security Group Tags, and create policies aka Microsegmentation in SD-Access.
Attribute-Based Policy and Segmentation (Additional Information)
Analytics and Visibility with ISE
(Figure: Group Based Policy Analytics; Scanner SGT: 8 (OT), OT Machine SGT: 8 (OT), User SGT: 5 (EMP).)
Use Group Based Policy Analytics application to model policies and deploy to the network when you are ready.
Attribute-Based Policy and Segmentation (Additional Information)
Analytics and Visibility with ISE
(Figure: Telemetry and Netflow and AAA feed ISE with Profile, Trust Score and ANC Policy; an Unknown Endpoint becomes a Known Endpoint with Context, Auth status, EA profile and SGT.)
Endpoint Analytics provides enhanced visibility and aims to reduce unknown endpoints.
Watch BRKENS-2819 for more
Tailormade for Campus Networks
Bringing together best of wired and wireless
Campus = People + Things
(Figure: University, Large Corporations, Banks, Healthcare, Manufacturing.)
Tailormade for Campus Networks
Seamless and secure mobility of endpoints (Wired use-case)
Traditional Network (L3 routed access): add config for each wired move.
Software-Defined Access: consistent configuration for the wired endpoint.
Tailormade for Campus Networks
Seamless and secure mobility of endpoints (Wireless use-case)
Traditional Network: Control, Management AND Data traffic via CAPWAP.
Software-Defined Access: only Control and Management traffic via CAPWAP; Distributed Data Plane for Wireless; Seamless L2 Mobility (User A, User B).
Tailormade for Campus Networks
Example of traffic flow between wireless and wired endpoint
Traditional Network: traffic between the wireless user and the wired user is backhauled all the way to the WLC.
Software-Defined Access: no hairpinning of client traffic to the WLC.
AI-Driven Insights and Telemetry
The more you know!
• End user insights: Onboarding, Connectivity, IPv4/v6, Device Type, MAC, VLAN, Trust Score etc.
• Network health and status: Site Health, System Health, Topology, Issues and Suggested Actions
• Application Visibility & Performance (WAN, Data Center / Cloud Hosted Apps): Application Usage/Throughput, Business Relevant Application Health, Integrations, Trends
Roles and Terminology
1. Concepts
2. SD-Access Roles
3. Fabric Constructs

Underlay and Overlay
Generally Speaking
(Figure: packets with Source Address and Destination Address carried over the physical topology.)
Underlay Network = Physical Infrastructure to provide IP reachability with redundancy and resiliency.
Underlay and Overlay
Generally Speaking
Overlay Network = Logical topology used to virtually connect devices to provide additional services, not delivered by the Underlay.
Underlay and Overlay
But why?
Overlay (Fabric): Flexible, Scalable and Extensible. Easy to add/modify services. Optimizes mobility events.
Underlay: Build and forget! Reliable, manageable, and simple.
Underlay and Overlay
But why?
Would you rather configure network segmentation hop-by-hop? Or simply carry the segmentation tags in the overlay?
(Figure: Network Segment A, Network Segment B and Network Segment C running over one underlay.)
Multiple segments in the overlay that the underlay is unaware of!
Underlay and Overlay
In context of Cisco SD-Access

Mapping Database System (Control Plane):
EID        RLOC
1.1.1.1    2.2.2.2

The fabric node with RLOC 2.2.2.2 (Routing Locator) has the endpoint with EID 1.1.1.1 (Endpoint Identifier) attached; its local table holds EID 1.1.1.1 with RLOC ---.
User/Device Identity = IP address (EID 1.1.1.1) + RLOC (2.2.2.2)

Locator Identity Separation Protocol
Control Plane Protocol of choice. Lightweight, Extensible, and Scalable. Supports Layer 3 Overlay. Pull Based Model. Scoped Signaling.
Underlay and Overlay
In context of Cisco SD-Access

Mapping Database System (Control Plane):
EID        RLOC
1.1.1.1    2.2.2.2
3.3.3.3    4.4.4.4

The endpoint with EID 1.1.1.1 behind RLOC 2.2.2.2 says "I would like to talk to host 3.3.3.3". The mapping system resolves EID 3.3.3.3 to RLOC 4.4.4.4, and the traffic is carried by the VXLAN Overlay Data Plane Encapsulation from RLOC 2.2.2.2 to RLOC 4.4.4.4. Local tables: at 2.2.2.2, EID 1.1.1.1 → --- and EID 3.3.3.3 → 4.4.4.4; at 4.4.4.4, EID 3.3.3.3 → ---.

Virtual eXtensible Local Area Network
Data Plane Protocol of choice. Supports Layer 3 and Layer 2 Overlay.
Underlay and Overlay
In context of SD-Access
What about our good friend Underlay?
IGP of your choice that gets information from Source RLOC to Destination RLOC, the best way it can.
What is an SD-Access Fabric Site?
Definition and more
SD-Access Fabric Site offers programmable overlays for wired and wireless campus networks, enabled on a single physical infrastructure.
A single fabric site could be demarcated and defined based upon:
• Geographical location.
• Endpoint scale.
• Failure domain scoping.
• RTT.
• Underlay connectivity attributes.
Typically interconnected by a “Transit”.
Roles and Terminology
1. Concepts
2. SD-Access Roles
3. Fabric Constructs

Cisco SD-Access Roles
Key Roles for a Complete Wired and Wireless Campus Experience
Cisco Catalyst Center: GUI and APIs for intent-based automation of wired and wireless fabric devices.
Identity Service Engine: NAC and ID services for dynamic endpoint to Security Group Tag mapping and policy distribution.
Control Plane Node: Map System that tracks endpoint to fabric node relationships.
Border Nodes: Connects external L3 and L2 networks to the Cisco SD-Access fabric.
Edge Nodes: Connects wired endpoints to the Cisco SD-Access fabric and optionally enforces micro-segmentation policy.
Cisco SD-Access Roles
Key Roles for a Complete Wired and Wireless Campus Experience
Control Plane Node: Map System that tracks endpoint to fabric node relationships.
Border Nodes: Connects external L3 and L2 networks to the Cisco SD-Access fabric.
Edge Nodes: Connects wired endpoints and Fabric APs to the Cisco SD-Access fabric and optionally enforces micro-segmentation policy.
Fabric Wireless Controller: Fabric WLC is integrated into the SD-Access Control Plane (LISP) communication.
Fabric Access Point: Switches endpoint traffic to the adjacent Edge Node.
Cisco SD-Access Roles (Additional Information)
Additional Roles for Reference
Extended Nodes: A switch operating at Layer 2 that extends fabric connectivity and optionally enforces micro-segmentation policy.
Transit Control Plane Nodes: Facilitates connectivity of multiple SD-Access fabric sites while preserving end to end segmentation.
Intermediate Nodes: Moves data between fabric nodes. Can be one or many hops. Part of the underlay.
Cisco SD-Access Roles (Additional Information)
Some of the Supported Colocations
• Border Node and Control Plane Node.
• Border Node, Control Plane Node, and Fabric Edge Node.
• Border Node, Control Plane Node, and Embedded Wireless Controller.
• Border Node, Control Plane Node, Fabric Edge Node, and Embedded Wireless Controller.
Edge Node
Provides First Hop Services for Endpoints. Authenticates and Authorizes Endpoints. Performs encap and decapsulation.

Host Tracking Database on the Control Plane:
IPv4/v6 to RLOC: 10.10.10.20/32 → EN1
MAC to RLOC: AA:BB:CC → EN1
Address Resolution: 10.10.10.20 → AA:BB:CC

Map-Register from the Edge Node (RLOC 2.2.2.2) to the CP: "10.10.10.20/32 is connected to me!"

Fabric encapsulation: Ethernet | IP | UDP | VXLAN | Ethernet | IP | Payload (original frame: Ethernet | IP | Payload)

Edge Node EID Table (Anycast Gateway 10.10.10.1/24, VLAN 10):
EID           RLOC
10.10.10.20   ---
AA:BB:CC      ---

Endpoint John, SGT: Employee, 10.10.10.20/32, AA:BB:CC/48
Cisco SD-Access Fabric (Additional Information)
Edge Node Provides First Hop Services for Endpoints
• Responsible for Authenticating and Authorizing endpoints (e.g. 802.1X, MAB, static) in concert with ISE.
• Register Endpoint IDs (IPv4, IPv6, MAC) with the Control Plane Nodes.
• Provide an Anycast Gateway for the connected wired and wireless endpoints.
• Performs VXLAN encapsulation and decapsulation of traffic to and from all connected wired endpoints.
(Figure: endpoint IP 1.2.3.4/32, MAC AA:BB:CC behind EN1. IP to RLOC: 1.2.3.4/32 → EN1. MAC to RLOC: AA:BB:CC → EN1. Address Resolution: 1.2.3.4 → AA:BB:CC.)
Control Plane Node
Maintains Host Tracking Database containing Endpoint Attribute to Location Mapping
Host Tracking Database:
IPv4/v6 to RLOC: 10.10.10.20/32 → EN1
MAC to RLOC: AA:BB:CC → EN1
Address Resolution: 10.10.10.20 → AA:BB:CC
(Figure: the Edge Node registers EID 10.10.10.20/32, AA:BB:CC/48; the Fabric WLC registers/updates the Wireless EID; the Border Nodes towards Data Center and Internet receive updates via Pub/Sub.)
Cisco SD-Access Fabric (Additional Information)
Control Plane Node Maintains a Host Tracking Database to Map Location Information
• A simple Host Database that maps Endpoint IDs to locations, along with other attributes.
• Host Database supports multiple Endpoint ID lookup types (IPv4, IPv6 or MAC).
• Receives Endpoint ID map registrations from Edge Nodes, Border Nodes and Fabric Wireless LAN Controllers.
• Resolves lookup requests from Edge Nodes and Border Nodes, to locate destination Endpoint IDs.
• Publishes registrations to Subscribers (Border Nodes).
(Figure: endpoint IP 1.2.3.4/32, MAC AA:BB:CC:DD behind EN1. IP to RLOC: 1.2.3.4/32 → EN1. MAC to RLOC: AA:BB:CC:DD → EN1. Address Resolution: 1.2.3.4 → AA:BB:CC:DD.)
Border Node
Gateway between the SD-Access fabric site and the networks external to the fabric
Border Nodes connect external L3 and L2 networks to the Cisco SD-Access fabric. As a result, they perform VXLAN encapsulation and decapsulation.
There are 4 types of Border Nodes: External Border Node, Internal Border Node, Anywhere Border Node and Layer 2 Border Node.
Cisco SD-Access Fabric
External Border Node (towards Internet / Rest of the network)
• The most common configuration.
• Exports all fabric subnets to outside the Fabric Site as eBGP summary routes.
• Does not register IP prefixes from outside the Fabric Site into the fabric Control Plane.
• Acts as a gateway of last resort for the Fabric Site.
Cisco SD-Access Fabric
Internal Border Node (towards Data Center / Shared Services)
• Exports all fabric subnets to outside the Fabric Site as eBGP summary routes.
• Imports and registers eBGP-learned IPv4/IPv6 prefixes from outside the Fabric Site, into the fabric Control Plane.
• Does not act as a gateway of last resort for the Fabric Site.
Cisco SD-Access Fabric
Internal + External Border Node (towards Internet and Data Center / Shared Services)
• Exports all fabric subnets to outside the Fabric Site as eBGP summary routes.
• Imports and registers eBGP-learned IPv4/IPv6 prefixes from outside the Fabric Site, into the fabric Control Plane.
• Acts as a gateway of last resort for the Fabric Site.
Cisco SD-Access Fabric
Layer 2 Border Node
• Acts as Layer 2 handoff for pure Layer 2 Overlays or Layer 2 + Layer 3 Overlays.
• Allows VLAN translation between SD-Access network segments and non-fabric VLAN IDs.
• Dual homing requires link aggregation; STP is not tunneled within the SD-Access Fabric.
• Ideally should be separate device from the Layer 3 Border Node.
(Figure: fabric vlan 10 and vlan 20 are handed off as vlan 100 into a Traditional Switching Domain, with the gateway 10.10.10.1/24 outside the fabric. Endpoints: John 10.10.10.20/32, AA:BB:CC/48 on vlan 10 and Kate 20.20.20.20/32, BB:CC:DD/48 on vlan 20 in the fabric; Sam 20.20.20.30/32, CC:DD:EE/48 on vlan 100 in the traditional domain.)
Cisco SD-Access Fabric
Fabric Enabled Wireless Unifies Wired and Wireless Management, Policy and Data Planes
• Fabric WLC accessible through a Border Node (Underlay). Can be several hops away.
• Fabric Enabled APs reside in a dedicated IP range and communicate with the WLC (CAPWAP Control).
• Fabric WLC registers endpoints with the Control Plane Node.
• Fabric APs switch endpoint traffic to the adjacent Edge Node.
• Wireless endpoints use same data plane and policy plane as wired endpoints.
(Figure: Fabric Ctrl: CAPWAP; Data: VXLAN; wireless endpoint MAC AA:BB:CC, IP 1.2.3.4/32.)
Roles and Terminology
1. Concepts
2. SD-Access Roles
3. Fabric Constructs

Virtual Networks
Overlay Network Virtualization, also known as Macro-segmentation.
(Figure: Layer 2 VN: IOT (VLAN and L2 LISP IID) with vlan 10. Layer 3 VN: CAMPUS (VRF and L3 LISP IID) containing Layer 2 VNs (VLAN and L2 LISP IID) vlan 20 and vlan 30. Layer 3 VN: GUEST (VRF and L3 LISP IID) containing Layer 2 VN vlan 40. On the Edge Nodes: vlan 10; VN: CAMPUS with vlan 20 and vlan 30; VN: GUEST with vlan 40.)
Cisco SD-Access Fabric (Additional Information)
Virtual Networks
• Layer 3 Virtual Networks use VRFs and LISP Instance IDs to maintain separate routing topologies.
• Endpoint IDs (IPv4/IPv6 addresses) are routed within an L3VN.
• Layer 2 Virtual Networks use LISP Instance IDs and VLANs to maintain separate switching topologies.
• Endpoint IDs (MAC addresses) are switched within an L2VN.
• Edge Nodes, Border Nodes and Fabric APs add a VNID (the LISP IID) to the fabric encapsulation.
(Figure: L3VN Campus, L2VN IOT, L3VN Guest.)
Layer 3 Virtual Networks
Overlay Network Virtualization, also known as Macro-segmentation.
• User-Defined VNs (Add or Remove on demand)
• INFRA_VN (Fabric Access Points and Extended Nodes in the Global Routing Table)
• Global Routing Table (Fabric Devices (Underlay) connectivity)
(Figure: GRT: RLOC (Lo0) on each fabric device, with VN: USER and VN: INFRA_VN on top.)
Cisco SD-Access Fabric
Host Pools Provide a Default Gateway and Basic IP Services for Endpoints
• Edge Nodes instantiate an access VLAN and a Switched Virtual Interface (SVI) with user-defined IPv4/IPv6 addresses per Host Pool.
• Host Pools assigned to endpoints dynamically by AAA or statically per port.
• Edge Nodes and Fabric WLCs register endpoint IDs (/32, /128 or MAC) with the Control Plane, enabling IP mobility; any IP address anywhere.
(Figure: L3 VN CAMPUS with Pool .64 and Pool .128; ISE assigns Host Pools to endpoints dynamically; USER A IP: 10.10.10.66/26, MAC: AA.BB.CC.)
Cisco SD-Access Fabric
Anycast Gateway Provides a Default Gateway for IP-Capable Endpoints
• Similar principle and behavior to FHRP with a shared virtual IPv4/IPv6 address and MAC address.
• The same Switch Virtual Interface (SVI) is present on all Edge Nodes with the same virtual IP and MAC.
• The wired or wireless endpoint can connect to any switch or AP in the fabric and communicate with the same Anycast Gateway.
(Figure: L3 VN CAMPUS; every Edge Node has GW 1.1.0.1/16 with MAC AA.BB.CC.)
Cisco SD-Access Fabric
Host Pools are “stretched” via the Overlay
IP to RLOC: 1.1.1.66/32 → EN1; 1.1.2.66/32 → EN3
MAC to RLOC: 2:2:2 → EN1; 3:3:3 → EN3
Address Resolution: 1.1.1.66 → 2:2:2; 1.1.2.66 → 3:3:3
• Endpoint IPv4/IPv6 traffic arrives on an Edge Node and is then routed or switched by the Edge Node.
• Fabric Dynamic EID mapping allows endpoint-specific (/32, /128, MAC) advertisement and mobility.
• No longer need VLANs to interconnect endpoints across Edge Nodes; this happens in the Overlay without broadcast flooding.
(Figure: L3 VN CAMPUS with VLAN 10 and VLAN 20; GW 1.1.0.1/16 on each Edge Node; USER A 1.1.1.66/16, MAC: 2.2.2 on EN1; USER B 1.1.2.66/16, MAC: 3.3.3 on EN3.)
Layer 3 Handoff
Per-Layer-3-Virtual-Network Layer 3 Handoff using Peer Device
Maintain VRF segmentation outside of SD-Access
(Figure: the Border Node carries VN GUEST (SVI 40, vlan 40) and VN CAMPUS (SVI 30, vlan 30). It hands off over SVI A (VRF GUEST), SVI B (VRF CAMPUS) and SVI C (GRT) to a Peer Device external to the fabric, which runs MP-BGP with AF VRF GUEST, AF VRF CAMPUS and AF IPv4 towards the External Routing Domain.)
Extranet Layer 3 Handoff
Helps achieve route-leaking natively in LISP SD-Access Fabric
Extranet Policy to allow communication between 1 Provider : N Subscriber.
Only Handoff Provider VN.
(Figure: INFRA_VN (Provider VN) is handed off over SVI Z to a Peer Device external to the fabric (VRF INFRA_VN, AF IPv4 BGP) towards the External Routing Domain. VN GUEST (SVI 40, vlan 40) and VN CAMPUS (SVI 30, vlan 30) are Subscriber VNs.)
Cisco SD-Access Fabric
Layer 2 Virtual Networks
• By default, an L2VN is deployed with each Anycast Gateway and Layer 2 Flooding is disabled. Layer 2 Flooding can be enabled, if necessary, to service niche applications.
• L2VN can be deployed without an Anycast Gateway, and Layer 2 Flooding cannot be disabled.
• Sometimes referred to as “Gateway Outside the Fabric”.
• If Layer 2 Flooding is enabled, a Multicast Underlay P2MP tunnel is established between all Fabric Nodes.
(Figure: Layer 2 VN IOT (VLAN, L2 LISP IID) with its Gateway Outside the Fabric, beside Layer 3 VN CAMPUS with its GW; endpoints MAC 1.1.1 and MAC 2.2.2.)
Layer 2 Handoff
Layer 2 Virtual Networks handoff through a user-defined VLAN (Specialist use-case)
(Figure: Layer 3 VN: CAMPUS (VRF (SVI) and L3 LISP IID) with vlan 10 and SVI 10.10.10.1/24. Layer 2 VN: IOT (VLAN and L2 LISP IID) with vlan 30, handed off as vlan 300 into a Traditional Switching Domain with the gateway outside the fabric. USER A 3.3.3.3/24 on vlan 30 in the fabric; USER B 3.3.3.5/24 on vlan 300 in the traditional domain.)
Cisco SD-Access Fabric
A Security Group Tag Assigns a “Group” to Each Endpoint
• Edge Nodes and Fabric APs assign a unique Scalable Group Tag (SGT) to each endpoint in concert with ISE.
• Edge Nodes and Fabric APs add an SGT to the fabric encapsulation.
• SGTs are used to implement IP-address-independent traffic policies.
• SGTs can be extended to numerous other networking technologies e.g., Cisco Secure Firewall, Cisco SD-WAN, some third-party devices, etc.
(Figure: Layer 2 VN: IOT and Layer 3 VN: CAMPUS with SGTs 4, 5, 8, 9 and 10; the encap carries the SGT info. USER C 1.1.1.2/24, VN: IOT, SGT: 8. USER B 2.2.2.2/24, VN: CAMPUS, SGT: 4. USER A 3.3.3.2/24, VN: CAMPUS, SGT: 5.)
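As an added example (not code from the session or from Cisco), the fabric encapsulation the last slides describe, built and parsed in Python: VXLAN with the Group Policy extension, where the 24-bit VNID carries the VN's LISP IID and the 16-bit Group Policy ID carries the SGT. The endpoint table and the SGT policy matrix are constructed from the slide's USER A/B/C; the IIDs 1001 (CAMPUS) and 1002 (IOT) are an assumption, since the slide names only the VNs.

```python
"""Build and parse the fabric encapsulation header shown on the slides
(VXLAN with the Group Policy extension): the 24-bit VNI carries the Virtual
Network's LISP IID, the 16-bit Group Policy ID carries the SGT. A source Edge
Node classifies and encapsulates; the destination Edge Node decapsulates and
enforces macro-segmentation (VN) and micro-segmentation (SGT policy)."""
import struct

FLAG_G = 0x80   # Group Policy ID field is present
FLAG_I = 0x08   # VNI field is valid


def build_vxlan_gpo(vni, sgt, inner):
    """Prepend the 8-byte VXLAN-GPO header to the inner (original) frame."""
    if not 0 <= vni < 1 << 24 or not 0 <= sgt < 1 << 16:
        raise ValueError("VNI is 24 bits, SGT is 16 bits")
    # flags, reserved byte, Group Policy ID, then VNI (24 bits) + reserved byte
    return struct.pack("!BBHI", FLAG_G | FLAG_I, 0, sgt, vni << 8) + inner


def parse_vxlan_gpo(frame):
    """Split a VXLAN-GPO frame into vni, sgt (None without the G flag) and inner frame."""
    if len(frame) < 8:
        raise ValueError("truncated VXLAN header")
    flags, _reserved, gpid, word = struct.unpack("!BBHI", frame[:8])
    if not flags & FLAG_I:
        raise ValueError("VNI not marked valid")
    return {"vni": word >> 8, "sgt": gpid if flags & FLAG_G else None, "inner": frame[8:]}


# Constructed endpoint table taken from the slide: IP -> (VN, IID, SGT).
# The IIDs 1001 (CAMPUS) and 1002 (IOT) are an assumption; the slide names only the VNs.
ENDPOINTS = {
    "3.3.3.2": ("CAMPUS", 1001, 5),   # USER A
    "2.2.2.2": ("CAMPUS", 1001, 4),   # USER B
    "1.1.1.2": ("IOT", 1002, 8),      # USER C
}
# Constructed SGT policy: (src SGT, dst SGT) -> action; anything unlisted is denied.
SGACL = {(5, 4): "permit"}


def ingress_edge(src_ip, inner):
    """Source Edge Node: look up the endpoint's VN and SGT, then encapsulate."""
    _vn, iid, sgt = ENDPOINTS[src_ip]
    return build_vxlan_gpo(iid, sgt, inner)


def egress_edge(frame, dst_ip):
    """Destination Edge Node: decapsulate, then enforce VN and SGT policy."""
    pkt = parse_vxlan_gpo(frame)
    dst_vn, dst_iid, dst_sgt = ENDPOINTS[dst_ip]
    if pkt["vni"] != dst_iid:   # VNID mismatch: different VN, no path between them
        return "drop: VN mismatch"
    action = SGACL.get((pkt["sgt"], dst_sgt), "deny")
    return f"{action}: SGT {pkt['sgt']} -> SGT {dst_sgt} in VN {dst_vn}"


def send(src_ip, dst_ip, inner=b"inner frame"):
    """One fabric hop: encapsulate at the source edge, decide at the destination edge."""
    return egress_edge(ingress_edge(src_ip, inner), dst_ip)


if __name__ == "__main__":
    print(build_vxlan_gpo(1001, 5, b"").hex())   # 880000050003e900
    print(send("3.3.3.2", "2.2.2.2"))            # permit: SGT 5 -> SGT 4 in VN CAMPUS
    print(send("2.2.2.2", "3.3.3.2"))            # deny: SGT 4 -> SGT 5 in VN CAMPUS
    print(send("2.2.2.2", "1.1.1.2"))            # drop: VN mismatch
```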
Fabric Fundamentals
1. Control Plane
2. Data Plane
3. Policy Plane

Cisco SD-Access Fabric
Control Plane: Locator/ID Separation Protocol (LISP)
Where you are in a network can change, but who you are in the network remains the same.
(Figure: User: John, IP: 4.4.4.4/32, VN: Campus, SGT: 25 stays the same while the endpoint moves between RLOC:1.1.1.1, RLOC:2.2.2.2 and RLOC:3.3.3.3.)
(IETF Standards Track RFC9300-RFC9305 and Informational RFC9299)
Cisco SD-Access Fabric
Why LISP?

Scalable
• Pull model
• No massive routing tables
• Creates ‘DNS’ for routing
• Conversational learning

Massive Scalability
• BGP and IGPs cannot scale like LISP
• Purpose-built for scale (DFZ was the impetus for LISP)

Efficient
• Address-Family Agnostic
• Supports IPv4, IPv6, and MAC Address Families

Wired and Wireless Unification
• WLC participates in LISP control plane communication.
• Wired and Wireless endpoints have policy applied at same point in the network.

Host Mobility
• Native support for this capability
• Wired and Wireless

Extensibility
• LISP Canonical Address Format (LCAF) allows for encoding of additional information beyond simply Address-Families.

Extensible
• LISP has been actively developed, optimized, and enhanced for the last ten years.
Cisco SD-Access Fabric (Additional Information)
Why LISP?
• Optimised resource usage on Edge Nodes:
  • “Pull” only the information needed, like DNS. By comparison BGP pushes all routing information to all Edge Nodes.
• Underlay network is simple and stable:
  • IGP routing from Border Node to Edge Node. Maybe PIM. No L2, no VLANs, no link bundling, no STP, no MPLS.
• Unified wired and wireless data plane and policy plane.
• No wireless concentrator bottleneck = higher throughput.
• Receive future innovations in later SD-Access + IOS XE releases.
Cisco SD-Access Fabric
Control Plane: Locator/ID Separation Protocol (LISP)

LISP/BGP (2017)
• Reliable and stable.
• BGP transport.

LISP Pub/Sub (2022)
• Released with Catalyst Center 2.2.3.x.
• Reliable and stable.
• Native LISP transport.
• Less Control Plane load.
• Faster convergence.
• Highly extensible.

(Figure: the Publisher publishes to a Subscriber (IID) and a Subscriber (Policy), each of which has subscribed to it. Published entry: EID 1.1.1.1/32, RLOC EN1, Other Attributes AF, IID etc.)

Fabric Operation
LISP Pub/Sub Walkthrough
Fabric Operation
Default ETR Registration

0.0.0.0/0
10.0.0.0/8
192.168.0.0/16 External Border Node
Etc.

#CiscoLive BRKENS-2810 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 61
Fabric Operation
Next
Default ETR Registration Destination IID
Hop
Default ETR 1001 --
Default ETR 1002 --
0.0.0.0/0
10.0.0.0/8
192.168.0.0/16 BGP
External Border Node
Etc. Static
Etc.

#CiscoLive BRKENS-2810 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 62
Fabric Operation
Next Next
Default ETR Registration Destination IID
Hop
Destination IID
Hop
Default ETR 1001 -- Default ETR 1001 BN1
Default ETR 1002 -- Default ETR 1002 BN1
0.0.0.0/0
10.0.0.0/8
192.168.0.0/16 BGP Register Default ETR per
Etc. Static L3VN (Gateway of last
Etc. resort)

#CiscoLive BRKENS-2810 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 63
Fabric Operation
Next Next
Edge Node Bootstrap Destination IID
Hop
Destination IID
Hop
Default ETR 1001 -- Default ETR 1001 BN1
Default ETR 1002 -- Default ETR 1002 BN1
0.0.0.0/0
10.0.0.0/8
192.168.0.0/16 External Border Node
Etc.

Default ETR

#CiscoLive BRKENS-2810 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 64
Fabric Operation
Next Next
Edge Node Bootstrap Destination IID
Hop
Destination IID
Hop
Default ETR 1001 -- Default ETR 1001 BN1
Default ETR 1002 -- Default ETR 1002 BN1
0.0.0.0/0
10.0.0.0/8
192.168.0.0/16 External Border Node
Etc.

Next Next Next


Destination IID Destination IID Destination IID
Hop Hop Hop
Default ETR 1001 BN1 Default ETR 1001 BN1 Default ETR 1001 BN1
Default ETR 1002 BN1 Default ETR 1002 BN1 Default ETR 1002 BN1

#CiscoLive BRKENS-2810 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 65
Fabric Operation
Edge Node Bootstrap
✓ ✓
0.0.0.0/0
10.0.0.0/8
192.168.0.0/16 External Border Node
Etc.

✓ ✓ ✓

✓ Default ETR
#CiscoLive BRKENS-2810 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 66
Fabric Operation
Endpoint Registration
✓ ✓
0.0.0.0/0
10.0.0.0/8
192.168.0.0/16 External Border Node
Etc.

✓ ✓ ✓

Next Next
Destination IID Destination IID
Hop Hop
2.2.2.2 1001 -- 1.1.1.1 1001 EN1

1.1.1.1 2.2.2.2
2001::1 2001::2 ✓ Default ETR
MAC: A MAC: B
#CiscoLive BRKENS-2810 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 67
Fabric Operation
Endpoint Registration
Next
✓ ✓ Destination IID
Hop
0.0.0.0/0 1.1.1.1 1001 EN1
10.0.0.0/8 2.2.2.2 1001 EN3
192.168.0.0/16 External Border Node
Etc.

Register

✓ ✓ ✓

Next Next
Destination IID Destination IID
Hop Hop
2.2.2.2 1001 -- 1.1.1.1 1001 EN1

1.1.1.1 2.2.2.2
2001::1 2001::2 ✓ Default ETR
MAC: A MAC: B
#CiscoLive BRKENS-2810 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 68
Fabric Operation
Endpoint Registration
Next
✓ ✓ Destination IID
Hop
0.0.0.0/0 1.1.1.1 1001 EN1
10.0.0.0/8 2.2.2.2 1001 EN3
192.168.0.0/16 External Border Node
Etc.

Notification

✓ ✓ ✓

Next Next Next


Destination IID Destination IID Destination IID
Hop Hop Hop
1.1.1.1 1001 -- 2.2.2.2 1001 -- 1.1.1.1 1001 EN1

1.1.1.1 2.2.2.2
2001::1 2001::2 ✓ Default ETR
MAC: A MAC: B
#CiscoLive BRKENS-2810 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 69
Fabric Operation
Publish Destination IID
Next
Hop
1.1.1.1 1001 EN1 Next
✓ 2.2.2.2 1001 EN3 ✓ Destination IID
Hop
0.0.0.0/0 1.1.1.1 1001 EN1
10.0.0.0/8 Publish 2.2.2.2 1001 EN3
192.168.0.0/16 External Border Node
Etc.

✓ ✓ ✓

Next Next Next


Destination IID Destination IID Destination IID
Hop Hop Hop
1.1.1.1 1001 -- 2.2.2.2 1001 -- 1.1.1.1 1001 EN1

1.1.1.1 2.2.2.2
2001::1 2001::2 ✓ Default ETR
MAC: A MAC: B
#CiscoLive BRKENS-2810 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 70
Fabric Operation
South to North Traffic Destination IID
Next
Hop
1.1.1.1 1001 EN1 Next
✓ 2.2.2.2 Destination IID
1001 EN3 Hop
0.0.0.0/0 1.1.1.1 1001 EN1
10.0.0.0/8 2.2.2.2 1001 EN3
192.168.0.0/16 External Border Node
Etc.
Where is Negative Map Reply
8.8.8.8? 8.0.0.0/7

✓ ✓ ✓

Next Next Next


Destination IID Destination IID Destination IID
Hop Hop Hop
1.1.1.1 1001 -- 2.2.2.2 1001 -- 1.1.1.1 1001 EN1

Dst: 8.8.8.8
Src: 2.2.2.2

1.1.1.1 2.2.2.2
2001::1 2001::2 ✓ Default ETR
MAC: A MAC: B
#CiscoLive BRKENS-2810 © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public 71
Fabric Operation: South to North Traffic (continued)
[Figure: EN3 installs the negative reply in its map cache as 8.0.0.0/7 | 1001 | BN1 next to its local 2.2.2.2 | 1001 | --, and the packet Dst: 8.8.8.8, Src: 2.2.2.2 is encapsulated toward the border node BN1 (Default ETR). Map server and EN1 tables unchanged.]
Fabric Operation: East to West Traffic
[Figure: endpoint 2.2.2.2 behind EN3 sends a packet Dst: 1.1.1.1, Src: 2.2.2.2. EN3's map cache (2.2.2.2 | 1001 | --; 8.0.0.0/7 | 1001 | BN1) has no entry for 1.1.1.1, so EN3 asks "Where is 1.1.1.1?" and the map server replies with a Map Reply: 1.1.1.1 is at EN1. Map server table as before (0.0.0.0/0, 10.0.0.0/8, 192.168.0.0/16, etc. → External Border Node; 1.1.1.1 → EN1; 2.2.2.2 → EN3; IID 1001).]
Fabric Operation: East to West Traffic (continued)
[Figure: EN3's map cache now holds 2.2.2.2 | 1001 | --; 8.0.0.0/7 | 1001 | BN1; 1.1.1.1 | 1001 | EN1, and the packet Dst: 1.1.1.1, Src: 2.2.2.2 is encapsulated directly to EN1 (endpoint 1.1.1.1 / 2001::1 / MAC A). The border node remains the Default ETR.]
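The map-cache behaviour drawn across the six Fabric Operation slides (registration, a Negative Map Reply for 8.0.0.0/7 that sends traffic north to the border, a positive Map Reply for 1.1.1.1 at EN1), as an added Python model that is not part of the deck. The database contents and the name BN1 come from the slides; the resolver algorithm (the negative prefix is the coarsest block around the queried EID that does not swallow another registration) is a simplification and an assumption.

```python
import ipaddress

# Constructed map-server database mirroring the slides: EID prefix -> (ETR, IID).
MAP_SERVER = {ipaddress.ip_network(p): v for p, v in {
    "0.0.0.0/0": ("External Border Node", 1001),
    "10.0.0.0/8": ("External Border Node", 1001),
    "192.168.0.0/16": ("External Border Node", 1001),
    "1.1.1.1/32": ("EN1", 1001),
    "2.2.2.2/32": ("EN3", 1001),
}.items()}
DEFAULT_ETR = "BN1"  # border node the slides install for negative replies

def longest_match(ip, table):
    """Longest-prefix match over a dict keyed by ip_network; None on a miss."""
    hits = [n for n in table if ip in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None

def resolve(eid, db=MAP_SERVER):
    """Simplified map-resolver: (prefix, next_hop, iid, negative).
    Registered EID/prefix -> positive Map Reply. If only 0.0.0.0/0 covers the
    EID -> Negative Map Reply for the coarsest prefix containing the EID that
    does not swallow another registration, pointing at the default ETR."""
    ip = ipaddress.ip_address(eid)
    best = longest_match(ip, db)
    if best.prefixlen > 0:
        return str(best), db[best][0], db[best][1], False
    cover = ipaddress.ip_network(f"{ip}/32")
    while cover.prefixlen > 0:
        wider = cover.supernet()
        if any(n.prefixlen > 0 and n.subnet_of(wider) for n in db):
            break  # one step wider would cover a registered EID (e.g. 10.0.0.0/8)
        cover = wider
    return str(cover), DEFAULT_ETR, db[best][1], True

class MapCache:
    """Edge-node map cache as drawn on the slides: Destination | Next Hop | IID."""
    def __init__(self):
        self.entries = {}
    def install(self, prefix, next_hop, iid):
        self.entries[ipaddress.ip_network(prefix)] = (next_hop, iid)
    def forward(self, dst):
        """(next_hop, iid, asked_resolver): a hit needs no Map Request; a miss
        resolves and installs the reply, negative ones included, so later flows
        into the same block are switched without another lookup."""
        hit = longest_match(ipaddress.ip_address(dst), self.entries)
        if hit is not None:
            return self.entries[hit] + (False,)
        prefix, next_hop, iid, _negative = resolve(dst)
        self.install(prefix, next_hop, iid)
        return next_hop, iid, True
```

Because the negative entry covers the whole 8.0.0.0/7 block, a later flow to 9.9.9.9 from the same edge node is forwarded to BN1 without a second Map Request.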
LISP Pub/Sub (For Your Information, Additional Information)
• No plans to end support for LISP/BGP.
• LISP Pub/Sub is recommended for new deployments.
• In Catalyst Center 2.2.3.x new Fabric Sites can be configured as LISP/BGP or LISP Pub/Sub. Note minimum IOS XE versions.
• LISP/BGP to LISP Pub/Sub migration workflow is under development now.
  • Migrate IP-Based and SD-Access Transit Fabric Sites.
  • ETA CY2024.
  • Official release collateral will explain functionality.
Fabric Fundamentals
1. Control Plane
2. Data Plane
3. Policy Plane

Cisco SD-Access Fabric (Additional Information)
Data Plane: Virtual Extensible Local Area Network (VXLAN)

Traditional Layer 2 Network Challenges
Spanning Tree Protocol:
• Single active path
• Under-utilization
• Broadcast storms
No ECMP:
• No load-balancing
• Suboptimal traffic flow
Mobility & Multitenancy (vlan 10 20 30):
• Restricted to L2 domain
• Geographical limitation
• 12-bit VLAN ID = 4000 VLANs
Cisco SD-Access Fabric
Data Plane: Virtual Extensible Local Area Network (VXLAN)

VXLAN extends Layer 2 and Layer 3 overlay networks over a Layer 3 underlay network (IP Network).
✓ Scalability: 16 million unique identifiers.
✓ Runs on top of L3, avoids need for STP.
✓ L2 traffic tunnelled over an L3 infrastructure.
✓ Handles broadcast, multicast, and unknown unicast traffic using multicast instead of flooding.
✓ Carries segmentation information.
Cisco SD-Access Fabric
Data Plane: VXLAN
1. Control Plane: LISP
2. Data Plane: VXLAN

Original packet:  ETHERNET | IP | PAYLOAD
Packet in LISP:   ETHERNET | IP | UDP | LISP | IP | PAYLOAD
Packet in VXLAN:  ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD   (supports L2 & L3 overlay)
VXLAN-GPO Header: MAC-in-IP with VN ID and SGT ID

Underlay (outer headers)
Outer MAC Header, 14 bytes (4 bytes optional):
  Dest. MAC           48 bits   Next-hop MAC address
  Source MAC          48 bits   Src VTEP MAC address
  VLAN Type 0x8100    16 bits
  VLAN ID             16 bits
  Ether Type 0x0800   16 bits
Outer IP Header, 20 bytes:
  IP Header Misc. Data   72 bits
  Protocol 0x11 (UDP)     8 bits
  Header Checksum        16 bits
  Source IP              32 bits   Src RLOC IP address
  Dest. IP               32 bits   Dst RLOC IP address
UDP Header, 8 bytes:
  Source Port       16 bits   Hash of inner L2/L3/L4 headers of original frame; enables entropy for ECMP load balancing.
  Dest Port         16 bits   UDP 4789
  UDP Length        16 bits
  Checksum 0x0000   16 bits
VXLAN Header, 8 bytes:
  VXLAN Flags RRRRIRRR    8 bits
  Segment ID             16 bits   Allows 64K possible SGTs
  VN ID                  24 bits   Allows 16M possible VRFs
  Reserved                8 bits

Overlay (inner)
  Inner (Original) MAC Header
  Inner (Original) IP Header
  Original Payload
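An added Python example, not from the deck, that builds and parses the outer UDP and VXLAN-GPO headers laid out in the table above: a source port derived from a hash of the inner headers for ECMP entropy, destination port 4789, the I flag, a 16-bit Segment ID (SGT) and a 24-bit VN ID. The 8-bit field between the flags and the Segment ID is assumed reserved (zero) so the header comes to 8 bytes, and the inner frame is constructed from the Camera and Lighting addresses on the policy slide.

```python
import struct
import zlib

VXLAN_PORT = 4789  # IANA VXLAN destination port, as on the slide

def entropy_src_port(inner_frame):
    """Outer UDP source port = hash of the inner L2/L3/L4 headers (first 54
    bytes), folded into the ephemeral range so underlay ECMP spreads the flows
    of one VTEP pair across paths while keeping each flow on a single path."""
    return 49152 + zlib.crc32(inner_frame[:54]) % 16384

def build_vxlan_gpo(vni, sgt, inner_frame):
    """Outer UDP header + 8-byte VXLAN-GPO header + inner frame.
    Assumed layout per the slide: Flags(8) | reserved(8) | Segment ID/SGT(16)
    | VN ID(24) | Reserved(8); only the I bit (0x08) is set in the flags."""
    if not 0 <= vni < 1 << 24 or not 0 <= sgt < 1 << 16:
        raise ValueError("VN ID is 24-bit, SGT is 16-bit")
    vxlan = struct.pack("!BBHI", 0x08, 0, sgt, vni << 8)
    udp_len = 8 + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", entropy_src_port(inner_frame), VXLAN_PORT, udp_len, 0)
    return udp + vxlan + inner_frame

def parse_vxlan_gpo(datagram):
    """Decode outer UDP + VXLAN-GPO headers into VN ID, SGT and inner frame;
    ValueError on anything that is not a well-formed VXLAN datagram."""
    if len(datagram) < 16:
        raise ValueError("shorter than UDP + VXLAN headers")
    sport, dport, ulen, _csum = struct.unpack("!HHHH", datagram[:8])
    if dport != VXLAN_PORT or ulen != len(datagram):
        raise ValueError("not VXLAN or truncated")
    flags, _rsvd, sgt, vni_word = struct.unpack("!BBHI", datagram[8:16])
    if not flags & 0x08:
        raise ValueError("I bit clear: VN ID not valid")
    return {"src_port": sport, "vni": vni_word >> 8, "sgt": sgt, "inner": datagram[16:]}

# Constructed inner frame: Ethernet (14) + IPv4 (20) + UDP (8) + 8-byte payload,
# 10.1.10.220 (Camera) -> 10.1.100.52 (Lighting) as on the policy slide.
INNER_FRAME = (
    bytes.fromhex("0a0000000001 0a0000000002 0800")
    + bytes.fromhex("45 00 0024 0000 0000 40 11 0000 0a010adc 0a016434")
    + bytes.fromhex("c000 0035 0010 0000") + b"payload!"
)
DATAGRAM = build_vxlan_gpo(vni=1001, sgt=5, inner_frame=INNER_FRAME)
```

Running parse_vxlan_gpo over the UDP payloads of a fabric capture shows which VN ID and SGT a flow actually carries, which is the check to make when a policy result looks wrong.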
Fabric Fundamentals
1. Control Plane
2. Data Plane
3. Policy Plane

Cisco SD-Access Fabric
Policy Plane: Group-Based Policy
1. Control Plane: LISP
2. Data Plane: VXLAN
3. Policy Plane: Group-Based Policy (VRF + SGT)

ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD
What is Security Group Tag and Group-Based Policy?
[Figure: endpoints are authenticated and classified. Camera (SGT 5) at IP 10.1.10.220; Lighting (SGT 20) at IP 10.1.100.52; HVAC (SGT 30) at IP 10.1.200.100. A packet SRC: 10.1.10.220, DST: 10.1.100.52 (Destination = SGT 20) crosses the VXLAN overlay on the SD-Access underlay carrying SGT 5 and is checked against the Group-Based Policy.]

Group-Based Policy (SRC → DST):
               Lighting (20)   HVAC (30)
Camera (5)     Permit          Deny
BYOD (7)       Deny            Permit
SD-Access Policy (Additional Information)
Macro-Segmentation and Micro-Segmentation
[Figure: VN Campus and VN IOT shown as separate Virtual Networks, each subdivided by Security Group Tags.]

Virtual Network (VN): First-level Segmentation ensures zero communication between forwarding domains. Ability to consolidate multiple networks into one management plane.
Security Group Tag (SGT): Second-level Segmentation ensures role-based access control between groups in a VN. Ability to segment the network into lines of business or functional blocks.
SD-Access Policy
Access Control Policies
[Figure: Source Group "Guest Users" → Contract → Destination Group "Web Server"; the contract (CLASSIFIER: PORT, ACTION: DENY) is defined in Cisco Catalyst Center and pushed to ISE.]

Classifier Type: Port Number, Protocol Name, Application Type
Action Type: Permit, Deny, Copy
Create and edit access contracts without knowing syntax for underlying SGACLs.
SD-Access Policy
Group-Based Access Control Policy
1. Select Source Group(s)
2. Select Destination Group(s)
3. Select Access Contract(s)
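The classifier, contract and policy-matrix model from the three policy slides above, as an added Python example that is not Catalyst Center or ISE code: a contract is an ordered classifier list with a catch-all, the matrix maps (source SGT, destination SGT) to a contract, and enforcement happens where the destination SGT is known. SGT values for Camera, BYOD, Lighting and HVAC come from the slide; the Guest Users and Web Server SGTs and the port-based contract are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Classifier:
    """One line of an access contract: classifier (port/protocol) -> action."""
    action: str                      # "permit", "deny" or "copy" (forward and mirror)
    protocol: Optional[str] = None   # "tcp", "udp", "icmp"; None matches any
    port: Optional[int] = None       # destination port; None matches any

    def matches(self, protocol, port):
        return self.protocol in (None, protocol) and self.port in (None, port)

@dataclass(frozen=True)
class Contract:
    name: str
    classifiers: tuple               # evaluated top-down, first match wins
    default: str = "deny"            # catch-all when no classifier matches

    def decide(self, protocol, port):
        for c in self.classifiers:
            if c.matches(protocol, port):
                return c.action
        return self.default

SGT = {"Camera": 5, "BYOD": 7, "Lighting": 20, "HVAC": 30,
       "Guest Users": 100, "Web Server": 200}   # last two are assumed values
PERMIT_IP = Contract("permit-ip", (Classifier("permit"),))
DENY_IP = Contract("deny-ip", (Classifier("deny"),))
# Constructed port-based contract for the Guest Users -> Web Server example:
# SSH explicitly denied, HTTPS permitted, everything else falls to the default deny.
GUEST_WEB = Contract("guest-web", (Classifier("deny", "tcp", 22),
                                   Classifier("permit", "tcp", 443)))

# Policy matrix: (source SGT, destination SGT) -> contract; the four cells from the slide
POLICY = {
    (SGT["Camera"], SGT["Lighting"]): PERMIT_IP, (SGT["Camera"], SGT["HVAC"]): DENY_IP,
    (SGT["BYOD"], SGT["Lighting"]): DENY_IP, (SGT["BYOD"], SGT["HVAC"]): PERMIT_IP,
    (SGT["Guest Users"], SGT["Web Server"]): GUEST_WEB,
}

def enforce(src_sgt, dst_sgt, protocol="ip", port=None, unknown="deny"):
    """Egress enforcement on the destination edge node: the source SGT arrives in
    the VXLAN-GPO header, the destination SGT comes from the local endpoint
    binding. Pairs with no cell fall back to `unknown` (deny here, an assumption)."""
    contract = POLICY.get((src_sgt, dst_sgt))
    return unknown if contract is None else contract.decide(protocol, port)
```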
Multiple Fabrics
Transits for VN and SGT Preservation

IP-Based Transit
[Figure: Fabric1 and Fabric2 connected over an IP network, with VN1, VN2 and VN3 each peering via eBGP.]
• Per-Layer-3-Virtual-Network eBGP peering to external routing domain, or LISP Extranet Provider VN eBGP peering to external routing domain.
• SGT propagation outside of fabric requires suitable hardware and software.

SD-Access Transit
[Figure: Fabric1 (ASN1), Fabric2 (ASN2) and FabricN connected over an IP network.]
• SD-Access LISP/VXLAN between Fabric Sites.
• Preserves Layer 3 Virtual Networks and SGT.
• Fabric as a transit between external routing domains.

Watch BRKENS-2816 for SD-Access Transit deep dive
Conclusion
Cisco’s SD-Access LISP provides a secure, flexible, and automated way to meet the security and operational challenges faced by an ever-changing environment.
Global Partner Solution Advisors
NEW - Fully Virtualized, SD-Access Secure Campus Lab

Virtualized SD-Access Lab
• Fully Customizable Topology with virtualized 9kv's and 8kv's
• Access on dCloud or build on your existing Data Center
• Fraction of the cost
• GPSA mentored lab buildout support available!

CTF Mission
• Experience the SD-Access Virtual Lab at Capture the Flag in The World of Solutions
• Use Cases – Fabric Sites and Virtual Network Provisioning, Fusion Automation, Extranet, Micro Segmentation, and more!

Contact
• GPSA is your source for no-cost, partner enablement and practice building!
• Visit the Global Partner Experience booth (4227) across from Capture the Flag, for more information.

Links: Virtual SD-Access Lab on dCloud | GPSA Sales Connect Page | CTF at Cisco Live (check out the Secure Campus section)
Effortlessly Deploy Your Fabric of Choice
LISP Fabric is the leading choice for Enterprise customers!

LISP: BU recommended Control Plane
• Simple: Standards-based, Campus optimized
• Efficient: Lightweight, unparalleled scale & high performance due to rapid convergence time
• Extensible: Highly extensible to drive innovation (PubSub, Multi-site, Extranet)
• Robust: Integrated wireless w/ L2 mobility

Ongoing EFT: VXLAN BGP EVPN
• Extend fabric across DC & Campus
• Multi-vendor deployment
• Wireless over the top
• Fabric support campus wide
• Network segmentation

One Infrastructure | Single Data Plane | Consistent Zero-Trust Experience

SD-Access LISP: Industry Leading Campus Architecture
Deployments: 4050+
Momentum: 40% YoY growth in customers; +66% API (YoY)
Key use case: 70% Wireless
Usage: 24K+ Sites; 1.8M+ Devices
Top verticals: Government, Finance, Professional services, and Manufacturing
Adopted by 31% of U.S. Fortune 100 Companies
EMEA: 52% | Americas: 29% | APJC: 19%
SD-Access LISP Customer Success
Verticals: Healthcare, Education +, Energy, Manufacturing

SCALE (six customers): 5300 devices / 15K+ endpoints; 6200 devices / 10K+ endpoints; 6500 devices / 66K+ endpoints; 5300 devices / 57K+ endpoints; 4500 devices / 10K+ endpoints; 16k devices / 98K+ endpoints

REQUIREMENTS:
• Segmentation at scale
• Secure, highly available network
• Zero-Trust Network Access
• Automated operations
• High-performance, scalable Wi-Fi
• HIPAA Compliance
• APIs for Automation & Tool Integration

Segmentation at Scale | Unified Wired/Wireless Policy | IT/OT Integration Experience
Speaking at this Cisco Live: BRKENS 1801, BRKENS 1802, CIUG-1003
Catalyst Leadership in Enterprise Networks: A Platform-based Approach
(Legend on the original slide: New Feature, Enhanced)

Catalyst Center and Meraki Dashboard: Common Cloud Managed Campus Automation Policy Catalyst
• 28M Network Devices Managed (50% Y/Y): 19M APs | 6M Switches | 2.5M Routers | 830M Clients
• 13M devices on Catalyst Center; 15.3M devices on Meraki Dashboard

Secure Networking: Secure Equipment Access; SD-Access (LISP & EVPN); High-speed Encryption
Digital Experience: AI Endpoint Analytics; Digital Experience ThousandEyes Integration; AI Ops & Assurance
Operational Simplicity: Infrastructure as a Code; S3 & CloudWatch; Visibility, Control & Rollback

Catalyst 9000 Family: 100,000+ Customers, Millions of Switches
"Catalyst 9K continues to be the fastest ramping product in the company's history" - Chuck Robbins, CEO Cisco Systems

Cisco Validated Profiles (CVP) | Industry Validated Reports | Industry Certifications | Cisco Modeling Labs
Cisco Live US SD-Access and ISE Learning Map
Days: Sunday 2nd, Monday 3rd, Tuesday 4th, Wednesday 5th
• TECENS-2820, 9AM: Cisco Software-Defined Access LISP: Architecture Overview
• BRKENS-2810, 8AM: Cisco Software-Defined Access LISP Solution Fundamentals
• BRKENS-2800, 9:30AM: Cisco SD-Access Zero-Touch Provisioning Using LAN Automation
• BRKENS-2811, 1PM: Connecting Cisco SD-Access LISP to the World: Use Cases and Segmentation
• LTRENS-2419, 1PM: SD-Access LISP Pub/Sub Wired Lab
• BRKENS-2816, 3PM: Cisco SD-Access Transit: Advanced Design Principles
• BRKSEC-2100, 10:30AM: ISE Your Meraki Network with Group Based Adaptive Policy
• BRKENS-2502, 10:30AM: LISP: Optimized Control Plane for Software-Defined Access
• BRKENS-2833, 10:30AM: Cisco SD-Access LISP VXLAN Fabric Best Practices: Design and Deployment
• BRKENS-2819, 2:30PM: Cisco SD-Access and Multi-Domain Segmentation
• BRKENS-1802, 2:30PM: SD-Access Success Stories: Concept to Reality by Stanford Health and Yale University
• BRKSEC-2091, 3PM: Cisco ISE Performance, Scalability and Best Practices
• BRKENS-1801, 4PM: SD-Access Success Stories: Concept to Reality by Petrobras and Ford Motor
• BRKENS-2821, 4:00PM: Cisco SD-Access LISP VXLAN Fabric for Manufacturing Verticals
• BRKENS-1852, 4PM: TrustSec Refresh Reinforced with Latest Segmentation Innovations
Legend: BU-led sessions
Cisco SD-Access Collaterals
• Cisco Software-Defined Access: Enabling intent-based networking
• Cisco Software-Defined Access for Industry Verticals
• Cisco Solution Validated Profiles (CVPs):
  • Cisco Large Enterprise and Government Profile
  • Healthcare Vertical
  • Financial Vertical
  • Manufacturing Vertical
  • Retail Vertical
  • University Vertical
• Cisco SD-Access YouTube Link
• Multiple Cisco Catalyst Center to ISE
• Cisco SD-Access Design Tool
• EN&C Validated Designs
• The Latest SD-Access Guides
Complete Your Session Evaluations
Complete a minimum of 4 session surveys and the Overall Event Survey to be entered in a drawing to win 1 of 5 full conference passes to Cisco Live 2025.
Earn 100 points per survey completed and compete on the Cisco Live Challenge leaderboard.
Level up and earn exclusive prizes!
Complete your surveys in the Cisco Live mobile app.
Continue your education
• Visit the Cisco Showcase for related demos
• Book your one-on-one Meet the Engineer meeting
• Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
• Visit the On-Demand Library for more sessions at www.CiscoLive.com/on-demand

Thank you
#CiscoLive
