SD-Access… what the what is it? Day 2 at Cisco Live 2017

Hey everyone! I hope you’re having a great time this week during Cisco Live.  If you’re not following on Twitter, you should @paulmc3!

SD-Access, so what’s up?

Software Defined Access (SD-Access) is Cisco’s latest innovation that has been in the work for the past few years to completely redefine the campus through SDN and other innovations.  Think about your campus network architecture, do you have challenges with wireless mobility, overly complex spanning-tree, segmentation of traffic, and lack of visibility into the users/applications?  These are paramount tenants of SD-Access.

How do we accomplish this?

DNA Center will the central brain for all the DNA products to come, but for now let’s focus on SD-Access.  DNA center operates heirarchical with point solutions like ISE, APIC-EM, and Network Data Platform allowing the true single pain of glass.  So what does the framework of SD-Access look like? Truthfully, look at this post from me on twitter as the slide is perfect: here.

So what does SD-Access run on?

SD-Access will run on?  Not so simple, well it is… But let’s break it down by function:

Control plane: Catalyst 3850, Catalyst 9500, Catalyst 6800 (Sup2T/6T), CSRv, ASR 1000-X/HX, ISR 4430/50

Edge Nodes (the actual access fabric is comprised of these): Catalyst 3650/3850, Catalyst 9300/9400, Catalyst 4500 (Sup 8E/9E)

Border nodes (think translation, between the fabric and the external non-Fabric):  Catalyst 3850/9500/6800 (Sup 2T/6T), ASR 1000-X/HX, ISR 4430/50, Nexus7700

Are you familiar with ACI?  If so, these concepts won’t seem so foreign.  Control plane is similar to APIC and partial Spine nodes, Edge Nodes are Leaf, and Border nodes are the same as dedicated Border leaf.

Along with the above, wireless is integrated into SD-Access via the following: 3504, 5508, 8540 WLCs, Wave2 APs (1800/2800/3800) and Wave 1 APs with some caveats (1700/2700/3700)

So why separate everything?

Short version, this is the core of SDN, no matter who the manufacturer or solution is.  Separating control plane traffic from the forwarding plane is critical and has been for a while.  Where as a lot of systems separate these on the same box, all facets of SDN are segmenting them physically across a multitude of devices which allows for great economy of scale and affords immense resiliency with redundancy built in all over the place.

What is under the hood, how will I operate this?

When looking under the hood, which was a great session name by the way, I was reminded of ACI in many aspects.

Virtual Network maintains a separate Routing & Switching instance for each VN : Think about VRFs

Scalable Group is a logical ID object to “group” Users and/or Devices: Think of a way to tag the entirety of the network and users efficiently and quickly

Host Pool provides basic IP functions necessary for attached Endpoints: DHCP and other similar functions

Anycast GW provides a single L3 Default Gateway for IP capable endpoints: Same as ACI, the gateway lives at every single edge

Stretched Subnets allow an IP subnet to be “stretched” via the overlay: Don’t need OTV to stretch that IP subnet!

Layer2 Overlays allows Non-IP hosts to connect Broadcast & Multicast: Don’t need large STP domains to stretch that Layer 2 (if you have to).  Note: this isn’t an all or nothing, you can choose specific items to stretch.

Why should we care?

Taking all of the above concepts, you an start building policies on the network that dynamically identify endpoints and then apply appropriate policy.  Think about uSeg EPGs within ACI.  For example, your HVAC network connected systems shouldn’t be talking to the Accounting team, or vice versa, who might in legacy networks share the same IP subnet.  This is the power of micro segmentation and bringing the ability to control your data access as granular on the campus as you can in the data center.


There is a whole lot more than we could go into detail on with SD-Access, but I’m going to end it here.  I plan to do some deeper dives after Cisco Live.  Day 3 is on the horizon here we go!



    • Hey David, thanks for the question! Prime Infrastructure will still be relevant, for now! I see PI becoming absorbed by the upcoming software kings like DNA Center over time. Definitely not an immediate thing.

Leave a Reply

Your email address will not be published.