Tools: How Cisco SDA Actually Works: LISP Control Plane + VXLAN Data Plane + TrustSec Policy in One Fabric

Cisco SD-Access (SDA) replaces the traditional campus stack — spanning tree, HSRP, manual VLAN trunking — with a three-plane overlay fabric. If you've ever wondered how LISP, VXLAN, and TrustSec fit together at the packet level (instead of just clicking through Catalyst Center), this deep dive is for you.

The Problem: Why Traditional Campus Designs Hit a Wall

Classic three-tier campus networks (access → distribution → core) carry a lot of baggage:

- Spanning tree across every VLAN — blocking redundant paths, unpredictable failovers
- HSRP/VRRP at distribution — 50% of gateway capacity wasted on standby
- Manual VLAN trunking — extending L2 domains creates broadcast storms and kills mobility
- Static ACLs for segmentation — thousands of lines tied to IPs that change when endpoints move

SDA eliminates all of this with a Layer 3 routed access model. The default gateway lives at the fabric edge (access switch). Every link is routed with IS-IS. Spanning tree becomes irrelevant — there are no L2 loops in the underlay.

The real value: a user plugs into any port on any floor and gets the same policy, gateway, and segmentation — without anyone touching the switch.

Plane 1: LISP Control Plane — DNS for Your Campus

LISP (Locator/ID Separation Protocol) is the overlay control plane. It tracks where every endpoint lives by separating identity from location:

- EID (Endpoint Identifier) — the endpoint's IP or MAC address
- RLOC (Routing Locator) — the loopback IP of the fabric edge switch

The Control Plane Node (CPN) runs LISP Map-Server/Map-Resolver. Think of it as DNS for your campus — mapping endpoint addresses to switch locations.

Registration Flow

- Endpoint authenticates (802.1X or MAB via ISE)
- Fabric edge sends LISP Map-Register → "EID 10.10.10.50 (SGT=5) is behind RLOC 172.16.1.10"
- CPN stores the mapping, sends Map-Notify ack
- When another fabric node needs that endpoint → Map-Request to CPN
- CPN responds with Map-Reply containing the RLOC

```
! Verify LISP registrations on the control plane node
show lisp site
show lisp instance-id * ipv4 server
show lisp instance-id * ethernet server

! Verify on fabric edge
show lisp instance-id * ipv4 database
show lisp instance-id * ethernet database
```

Key detail: LISP is off-path. The CPN is NOT in the data forwarding path. After the initial lookup, the edge caches the RLOC and forwards directly via VXLAN. The CPN never becomes a traffic bottleneck.

Why IS-IS for the Underlay?

The underlay runs IS-IS (not OSPF) because:

- Runs directly over L2 (not IP) — avoids recursive routing issues
- Better multi-topology routing support
- Simpler ECMP behavior for parallel fabric links
- Catalyst Center auto-provisions IS-IS adjacencies via LAN Automation

Plane 2: VXLAN Data Plane — The Actual Packet Path

VXLAN carries endpoint traffic across the routed IS-IS underlay. SDA uses VXLAN-GPO (Group Policy Option) — a VXLAN extension that embeds the SGT tag in the header. The VNI maps to a Virtual Network → VRF. Two VNI ranges:

- L2 VNI (per VLAN segment) — intra-subnet traffic
- L3 VNI (per VN/VRF) — inter-subnet traffic across the fabric

Packet Walk: Client → Server

```
1. Client (10.10.10.50, SGT=5) → Server (10.20.20.100)
2. Fabric Edge receives frame
3. Edge does LISP Map-Request → CPN returns Border Node RLOC
4. Edge encapsulates in VXLAN:
   Outer IP:     Src=172.16.1.10 (Edge) → Dst=172.16.1.1 (Border)
   VXLAN Header: VNI=8188 (L3 VN), SGT=5 (GPO extension)
   Inner IP:     Src=10.10.10.50 → Dst=10.20.20.100
5. Packet routes across IS-IS underlay
6. Border decapsulates, checks SGT against SGACL policy
7. Border forwards to external network
```

```
! Verify VXLAN tunnels
show vxlan tunnel
show vxlan vni
show nve peers
show nve vni
```

Anycast Gateway: The HSRP Killer

Every fabric edge advertises the same gateway IP and MAC for each subnet.

```
interface Vlan100
 ip address 10.10.10.1 255.255.255.0
 mac-address 0000.0c9f.f001   ! same on EVERY edge
 ip helper-address 10.1.1.50
 lisp mobility dynamic
```

No active/standby — every edge IS the gateway.

- No HSRP/VRRP/GLBP — 100% uplink utilization
- Local switching — nearest edge handles routing, no hair-pinning
- Seamless mobility — same gateway regardless of which edge the endpoint connects to

Plane 3: TrustSec Policy — Zero Trust Segmentation

TrustSec is what makes SDA a zero trust architecture.

SGT Propagation via VXLAN-GPO

In standalone TrustSec, SGTs travel via CMD headers or SXP. In SDA, the SGT rides inside the VXLAN-GPO header:

- No SXP needed — SGT propagates automatically with every VXLAN frame
- No inline tagging hardware dependency — any VXLAN-capable switch carries SGTs
- Consistent enforcement — SGT available at both source and destination edge

```
! Verify SGT assignment
show cts role-based sgt-map all
show authentication sessions interface Gi1/0/5 details

! Verify SGACL enforcement
show cts role-based permissions
show cts role-based counters
```

Two Segmentation Layers

Macro-segmentation (Virtual Networks/VRFs):

- Separate VNs for corporate, IoT, guest
- Full VRF isolation — no cross-VN traffic without fusion router or border extranet policy

Micro-segmentation (SGTs within a VN):

- Finance (SGT 20) reaches finance servers but not HR
- Contractors (SGT 10) get internet but no internal resources

Cross-VN Shared Services

How do IoT devices in a separate VN reach DNS/DHCP/NTP? Three options:

- Fusion router — routes between VNs with firewall inspection
- Extranet policy on border — selective route leaking via Catalyst Center (preferred in 2026)
- Shared services VN — dedicated VN reachable by all others via policy

Common Deployment Gotchas

1. Underlay MTU (The #1 Issue)

VXLAN adds 50-54 bytes of overhead. If your underlay MTU is 1500, encapsulated frames get fragmented or dropped. Set underlay MTU to at least 9100.

2. Point-to-Point Underlay Links

IS-IS underlay must use point-to-point links (no shared segments), equal-cost paths for ECMP, and loopback interfaces for RLOC addressing.

3. VN Scale Planning

5 VNs × 200 edge switches = 1,000 VRF instances. Plan for:

- TCAM capacity (Cat 9300 vs 9500 limits)
- Route table size per VRF
- DHCP relay per VRF per subnet

4. Wireless: Not What You Think

Fabric-mode APs don't tunnel data to the WLC. The AP switches client traffic directly to the local fabric edge via VXLAN. The WLC only handles:

- CAPWAP control plane
- Client auth coordination with ISE
- LISP Map-Register on behalf of wireless clients

Wireless clients get the same SGT enforcement and anycast gateway as wired — true unified policy.

Q: Can you run TrustSec without full SDA?
Yes. TrustSec SGTs work standalone with ISE on Catalyst switches. SDA automates provisioning via Catalyst Center, but TrustSec is independent.

Q: What switches support SDA fabric roles?
Catalyst 9300/9400/9500/9600 for edge and border. CPN typically on 9500 or 9600. Older 3850/4500 can be extended nodes only.

Q: Why not OSPF for the underlay?
IS-IS runs over L2 directly (avoiding recursive routing issues), has better multi-topology support, and integrates cleanly with Catalyst Center's LAN Automation.

Originally published at FirstPassLab. For more deep dives on enterprise networking and data center fabrics, visit firstpasslab.com.

🤖 AI Disclosure: This article was adapted from the original with AI assistance. Technical content has been reviewed for accuracy.
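The registration flow and the packet walk above, as an added simulation (not code from the article or from Cisco): a Map-Server/Map-Resolver that is only consulted on a map-cache miss, fabric nodes that register their authenticated endpoints and cache remote lookups, and an SGACL check at forwarding time. It assumes the LISP instance-id is the same number as the L3 VNI (8188), and the server-side SGTs and the SGACL matrix are invented for the example.

```python
from collections import namedtuple

# Constructed SGACL matrix (src SGT, dst SGT) -> permit; unlisted pairs are denied (default deny).
# SGTs 5, 10 and 20 are from the article; server SGTs 30 (finance), 40 (HR), 100 (internet) are invented.
SGACL = {(5, 30): True, (20, 30): True, (20, 100): True, (10, 100): True}

Mapping = namedtuple("Mapping", "rloc sgt")  # RLOC of the fabric node + SGT learned at auth time

class ControlPlaneNode:
    """LISP Map-Server/Map-Resolver: per-VN (instance-id) EID -> RLOC registry, off the data path."""
    def __init__(self):
        self.db = {}           # (instance_id, eid) -> Mapping
        self.map_requests = 0  # how often a fabric node actually had to ask

    def map_register(self, instance_id, eid, rloc, sgt):
        self.db[(instance_id, eid)] = Mapping(rloc, sgt)
        return "Map-Notify"    # ack to the registering edge

    def map_request(self, instance_id, eid):
        self.map_requests += 1
        return self.db.get((instance_id, eid))  # Map-Reply, or None for a Negative Map-Reply

class FabricNode:
    """Fabric edge or border: registers local endpoints, caches remote lookups, enforces SGACL."""
    def __init__(self, rloc, cpn):
        self.rloc, self.cpn, self.cache = rloc, cpn, {}

    def endpoint_authenticated(self, instance_id, eid, sgt):
        self.cache[(instance_id, eid)] = Mapping(self.rloc, sgt)  # local LISP database entry
        return self.cpn.map_register(instance_id, eid, self.rloc, sgt)

    def resolve(self, instance_id, eid):
        key = (instance_id, eid)
        if key not in self.cache:  # map-cache miss: ask the CPN once, then forward from cache
            self.cache[key] = self.cpn.map_request(instance_id, eid)
        return self.cache[key]

    def forward(self, instance_id, src_eid, dst_eid):
        """Ingress resolves the RLOC and carries the source SGT in VXLAN-GPO; the egress node
        checks it against the destination SGT with the same ISE-pushed SGACL matrix."""
        src, dst = self.resolve(instance_id, src_eid), self.resolve(instance_id, dst_eid)
        if src is None or dst is None:
            return {"action": "drop", "reason": "Negative Map-Reply: unknown EID"}
        return {"rloc": dst.rloc, "vni": instance_id, "sgt": src.sgt,
                "action": "permit" if SGACL.get((src.sgt, dst.sgt), False) else "drop"}
```

Registering 10.10.10.50 (SGT 5) on an edge with RLOC 172.16.1.10 and 10.20.20.100 behind the border at 172.16.1.1, then calling forward() twice, leaves map_requests at 1: the CPN answered once and the second packet was switched from the map-cache.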
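An added example (not from the article) that builds the VXLAN-GPO encapsulation from the packet walk byte for byte, parses it back the way a border would before its SGACL check, and turns the MTU gotcha into a check. It assumes the VXLAN-GPO header layout from the Group Policy Option draft (G flag plus a 16-bit Group Policy ID carrying the SGT), UDP port 4789, and counts the 50-54 bytes as inner Ethernet header (14, or 18 with 802.1Q) plus outer IPv4/UDP/VXLAN (36), measured against the underlay IP MTU.

```python
import struct
from ipaddress import IPv4Address

VXLAN_UDP_PORT = 4789
FLAG_G = 0x80  # VXLAN-GPO: Group Policy ID field carries a valid SGT
FLAG_I = 0x08  # VNI field is valid

def vxlan_gpo_header(vni: int, sgt: int) -> bytes:
    """8-byte VXLAN header; GPO puts the SGT in the 16-bit Group Policy ID field."""
    if not (0 <= vni < 1 << 24 and 0 <= sgt < 1 << 16):
        raise ValueError("VNI is 24 bits, SGT is 16 bits")
    # flags | reserved (D/A bits clear) | Group Policy ID | VNI (3 bytes) | reserved
    return struct.pack("!BBH", FLAG_G | FLAG_I, 0, sgt) + vni.to_bytes(3, "big") + b"\x00"

def ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def encapsulate(inner_frame: bytes, src_rloc: str, dst_rloc: str, vni: int, sgt: int) -> bytes:
    """Edge side: wrap the client's Ethernet frame in outer IPv4 + UDP/4789 + VXLAN-GPO."""
    payload = vxlan_gpo_header(vni, sgt) + inner_frame
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(payload), 0)  # UDP csum optional on IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(payload), 0, 0x4000, 64, 17, 0,
                     IPv4Address(src_rloc).packed, IPv4Address(dst_rloc).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill in the header checksum
    return ip + udp + payload

def decapsulate(pkt: bytes) -> dict:
    """Border side: strip the outer headers and recover RLOCs, VNI and SGT for the SGACL check."""
    ihl = (pkt[0] & 0x0F) * 4
    if struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0] != VXLAN_UDP_PORT:
        raise ValueError("not a VXLAN packet")
    flags, _, gpid = struct.unpack("!BBH", pkt[ihl + 8:ihl + 12])
    return {"src_rloc": str(IPv4Address(pkt[12:16])), "dst_rloc": str(IPv4Address(pkt[16:20])),
            "vni": int.from_bytes(pkt[ihl + 12:ihl + 15], "big") if flags & FLAG_I else None,
            "sgt": gpid if flags & FLAG_G else None, "inner": pkt[ihl + 16:]}

def required_underlay_mtu(inner_ip_mtu: int = 1500, dot1q: bool = False) -> int:
    """Inner Ethernet 14 (+4 if 802.1Q tagged) + outer IPv4 20 + UDP 8 + VXLAN 8: the 50-54 bytes."""
    return inner_ip_mtu + 14 + (4 if dot1q else 0) + 20 + 8 + 8

def fits_underlay(underlay_mtu: int, inner_ip_mtu: int = 1500, dot1q: bool = False) -> bool:
    return underlay_mtu >= required_underlay_mtu(inner_ip_mtu, dot1q)

if __name__ == "__main__":  # constructed: a full 1500-byte IP packet behind a 14-byte Ethernet header
    pkt = encapsulate(bytes(14) + bytes(1500), "172.16.1.10", "172.16.1.1", vni=8188, sgt=5)
    print(decapsulate(pkt)["sgt"], len(pkt), fits_underlay(1500), fits_underlay(9100))
```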