Cisco SD-Access

There is no longer a need for an in-depth understanding of intricate, low-level configurations because SD-Access takes care of many of these details behind the scenes. Rather than configuring each network device individually, policies and rules are inherited and automatically applied across the network.

Simplicity extends to policy enforcement where Cisco SD-Access introduces a unified approach for both wired and wireless networks. Rather than the wireless policies defined on wireless LAN controllers, and wired policies defined on the switches, SD-Access centralises policies on ISE (Cisco Identity Services Engine) for both wired and wireless users.

SD-Access decouples IP addresses from location, making it possible to apply consistent security policies across diverse locations, regardless of the underlying physical infrastructure. This is achieved through the use of Security Group Tags and their associated use cases rather than IP addresses.

Before SD-Access, customers had to rely on VRF or MPLS VPNs to segment and secure the network. This inevitably led to VPN/VRF sprawl and almost insurmountable challenges when attempting to introduce micro-segmentation.

With SD-Access, every device, user, or entity connecting to the network is properly authenticated, authorised and assessed by ISE before being automatically placed into their designated virtual network group and the right security policies applied.

When it comes to enforcing policy within the virtual network for micro-segmentation, Cisco SD-Access uses identity and ISE to dynamically assign policies and access rules based on user and device attributes – in tags, not IP addresses.

When devices connect to the wireless network they join a specific wireless controller. When they roam across the network from one AP to another, that roam goes back and is anchored against the original controller, and then it’s communicated to the other switches. This can result in duplicate MAC address errors and suboptimal roaming, and the wireless access controller acts as a choke point.

An overlay was required to facilitate mobility.

Edge switches handle tunnelling

SD-Access takes a different approach by tunnelling traffic directly within the network fabric, eliminating the need for traffic to return to the Wireless LAN Controller. Instead, devices seamlessly connect to the network and communicate within the SD-Access fabric, enhancing scalability and performance.

SD-Access simplifies IoT device integration, treating these devices like users by employing MAC authentication bypass, certificates and device profiling methods to identify, authenticate, authorise and secure IoT devices. They are then placed in the right virtual network and isolated from the rest of the network without the need to use an 802.1x supplicant for authentication to the network.

 
It uses local device memory to track where hosts are located in the network.