Campus Segmentation Using Cisco SD-Access for the Enterprise

Co-Author Shyam Maniyar, Vice President, Engineering

How can enterprise networks meet the requirements for the digital enterprise? As new network extensions like the Internet of Things, more people using multiple devices, and more applications—both on premise and in multiple clouds, branch offices, and retail outlets—the complexity of networks has grown exponentially.

The importance and criticality of network connectivity was clearly shown during the pandemic. Despite the lockdowns, technology companies kept on producing more devices, more software, and more ways of staying in touch even as the workforce worked remotely. Hundreds of millions of workers and students relied on the internet to be stay productive and keep learning.

Traditionally, campus networks have been open and have employed constructs including VLANs, VACLs, ACLs, VRFs etc. to enhance their security posture. These traditional methods are very manual and require hop-by-hop configurations. As businesses look ahead to the return of workers to offices, they are looking at ways to introduce a simplified zero trust security experience. To do so, they are looking at network fabrics, a recent addition to campus networks in the enterprise.

Cisco SD-Access is an intelligent network fabric that provides simplified IP addressing and policy-based segmentation. It is an automated feature of Cisco DNA Center. Cisco SD-Access establishes a layer of virtualization for end users and network nodes, displaying the network as a single, virtual switch connected to users, devices, and IoT end points. By virtualizing the network, Cisco SD-Access enables agility and flexibility in ways that have been unavailable before it in the enterprise networks.

The infrastructure enabled mobility for wired and wireless is another aspect of Cisco SD-Access which simplifies the network deployment as the administrator does not need to worry about location specific policies. Any user/device anywhere getting the same treatment is one of the key tenants of deploying SD-Access in the campus. A Cisco SD-Access fabric with its associated components is shown in Figure 1.

Fabric Control Plane

The fabric control plane node serves as a central database, tracking all users and devices as they attach to the fabric network and roam the campus. The fabric control plane allows network components—such as switches, routers, and wireless LAN controllers (WLC)—to query the database to determine the location of any user or device attached to the fabric instead of using a flood and learn mechanism. Thus, the fabric control plane serves as a single source of truth about the location of every endpoint attached to the fabric.

Fabric Border

Fabric border nodes connect the Cisco SD-Access fabric to traditional Layer 3 or Layer 2 networks or to different fabric sites. These border nodes are responsible for the translation of context—for example, user and device mapping and identity—from one fabric site to another or to a traditional network. The fabric border is where you handoff to your fabric site to your existing networks or to other fabric sites.

Fabric Edge

Fabric edge nodes are responsible for connecting endpoints to the fabric and encapsulating, decapsulating, and forwarding traffic from endpoints to and from the fabric.

In addition to these three main components of Cisco SD-Access, other components, including Cisco WLC, Cisco ISE, and Cisco DNA Controller, play an important role in the overall fabric experience.

With Cisco SD-Access providing a “single large virtual switch” experience for dozens, hundreds, or thousands of switches, simplified network management and assurance has arrived. This concept of a single large switch can be correlated with the SoC (system on a chip) model, which hides complexity by standardizing the complex while exposing simplified interfaces, making the system easier to manage and work with. Another important aspect of Cisco SD-Access is its ability to provide hierarchical segmentation for both wired and wireless networks. The hierarchical segmentation of such a network is shown in Figure 2.

Cisco SD-Access provides a modern fabric technology with flexible IP addressing and hierarchical segmentation that scales as the enterprise grows. The ability to seamlessly create a virtual network helps reduce the attack surface, assisting network teams in executing a segmentation strategy that meets corporate INFOSEC requirements. By keeping up with changing market requirements, Cisco SD-Access provides flexibility and agility to enterprise networks.

Additional information:

• Establish, Enforce, and Continuously Verify Trust with SD-Access in Simple Steps
• Cisco Software-Defined Access
• Cisco SD-Access Visibility Driven Segmentation At-a-Glance
• Cisco Software-Define Access Success stories
• Cisco SD-Access Case Studies

 

Check out our Cisco Networking video channel

Subscribe to the Cisco Networking blog