Co-Author Sanjay Hooda, Cisco Distinguished Engineer

As the world starts recovering from the COVID pandemic, returning to the workplace poses new challenges for IT. The workforce has come to enjoy the benefits of being mobile, and IT must prepare for a hybrid workspace that delivers an inclusive and immersive experience without compromising access, convenience, or security.

Campus networks are at the heart of the modern enterprise, and these networks must be interconnected in a manner that enables them to meet the requirements of the digital enterprise. Many organizations—including finance, healthcare, event management, and manufacturing—have very large campuses that span multiple sites across geographies. Further increasing the challenge is the need to support more people using multiple devices as well as the increasing number of IoT device—such as motion sensors, cameras, and physical security controls—being deployed. More devices mean more applications both on premise and in multiple clouds, branch offices, and retail outlet connections. Consider the difficulty of preserving security while providing greater mobility. Segmentation and policy requirements become much more complex to handle. The result of connecting everything and everyone is continuously increasing the complexity of networks.

Cisco SD-Access Multisite Campus Fabric Architecture

Network Fabrics are the foundation for next-generation enterprise network architectures that can easily carry segmentation and policy constructs to support a hybrid workforce across multiple sites. Cisco SD-Access Multisite is the leading Campus Fabric Architecture, enabling large enterprises to successfully deliver a secure, mobile experience. Not only does Cisco SD-Access Multisite apply consistent segmentation and policy throughout the campus, it does so across the whole enterprise.

Multisite Campus Fabric Architecture is built on Cisco DNA Center’s SD-Access, a networking fabric that provides simplified IP addressing, policy-based segmentation, and an intelligent, automated network fabric. Cisco SD-Access establishes a virtualization layer so that the network appears like a “single” large virtual switch to connecting workforce and devices. Virtualizing the network also enables agility and flexibility that has not been available in enterprise networks.

Cisco SD-Access Multisite utilizes a flexible interconnect “Transit Network” fabric. As a transit network, it does not have any “hosts”, and summarization is enabled by default. This helps scale the architecture to span multiple geographies and encompass even very large enterprises.

Cisco SD-Access Multisite Fabric
Figure 1: Cisco SD-Access Multisite Fabric

Figure 1 shows the Cisco SD-Access transit network fabric spanning multiple sites. Note that the transit network simply provides the interconnection to different networks and doesn’t have “hosts” of its own. The main tasks of the transit network fabric are to:

  • Summarize the individual site fabric.
  • Scale horizontally using the summarization so IT can use preset designs for each site as the network grows.
  • Secure operations by breaking the fabric into smaller sites/fault domains in case there is a security breach or network instability.

The Cisco SD-Access Multisite Architecture provides flexibility to connect multiple transits at the same time such as site-to-site connectivity and connectivity to data center or the Internet. SD-Access Multisite also gives network administrators the flexibility to determine site size depending upon on requirements such as fast roaming, fault domain, geographic location, latency, cost, and so on.

The general recommendation is for each physical location—such as large floor, building, or collection of buildings—to be part of one fabric site. Three types of transit networks are available:

  • Cisco SD-Access Transit
  • Cisco SD-WAN Transit
  • IP Transit

Cisco SD-Access Transit

The core component enabling Cisco SD-Access is transit control plane nodes. This new architectural construct tracks summarized reachability information across sites such as all aggregate routes for the Cisco SD-Access fabric across multiple sites. When traffic from an endpoint in one fabric site needs to be sent to an endpoint in another fabric site, the transit control plane node is queried by the border in the first site to determine to which site’s border node traffic should be sent. Transit control plane nodes dynamically learn from site borders, such as which prefixes are associated with each fabric site and how to direct traffic to these sites across the SD-Access transit using control plane signaling.

The Cisco SD-Access transit is generally used within the physical metro area connection between fabric sites in the same city, metropolitan area, or between buildings in a large enterprise campus. Physical connectivity can via be direct fiber connections, leased dark fiber, Ethernet over wavelengths on a WDM system, or metro-Ethernet systems (VPLS, etc.) supporting similar bandwidth, port rate, delay, and MTU connectivity capabilities.

For data transport, the Cisco SD-Access transit uses the same encapsulation as the Cisco SD-Access fabric (VxLAN), supporting the native transport of segment and group information.

Cisco SD-WAN Transit

Cisco SD-Access Multisite also interoperates with the Cisco SD-WAN transit. In addition, the VPN information Cisco SD-WAN transit is enhanced to carry “group” information across fabric sites. The Cisco SD-WAN transit is used across the WAN network across multiple fabric sites and to the cloud. Incorporating group information into Cisco SD-WAN allows policy to be applied without the need for additional methods of transporting group information.

IP Transit

To connect traditional networks, Cisco SD-Access provides connectivity to any external network using an IP handoff. The IP-based transit represents the remote BGP autonomous system (AS). The local BGP AS is configured as part of the fabric border provisioning. The IP-based transits can be used to automate border connectivity between fabric sites and data centers, as well as between fabric sites and the Enterprise edge (Internet edge) respectively.

Span Multiple Campus Sites with Security and Operational Simplicity

As the workforce returns to the physical office, IT needs to deliver hybrid workspace capabilities that span multiple sites with security and operational simplicity. Cisco SD-Access Multisite provides seamless and scalable interconnectivity across multiple fabric sites as well as connectivity to data centers, Clouds, and the Internet. In addition, connecting multiple fabric sites using Cisco SD-Access Transit or Cisco SD-WAN Transit enables the enterprise to carry virtual network-based segmentation as well as group-based segmentation across the network to achieve consistent global segmentation and policy.

For more information, visit the Cisco SD-Access web site and read our previous blog post “Campus Segmentation Using Cisco SD-Access for the Enterprise“.


Check out our Cisco Networking video channel

Subscribe to the Cisco Networking blog



Shyam Maniyar

Vice President, Engineering

Enterprise Switching