1

Control plane: LISP

控制平面与控制平面节点

The Cisco SD-Access fabric control plane is based on LISP, which separates endpoint IDs (EIDs) from routing locators (RLOCs) to reduce routing table size.”——SD-Access Design Guide

#理解: SD-Access控制平面基于 LISP(Locator/ID Separation Protocol), 分离终端标识(EID)与路由位置(RLOC);

“Control plane nodes maintain a comprehensive database that tracks endpoints and networks in the fabric.”——SD-Access Design Guide

#理解: 控制平面节点负责维护LISP映射数据库, 跟踪Fabric内端点位置;

2

Data Plane: VXLAN

数据平面

“The SD-Access data plane uses VXLAN encapsulation to transport traffic within the fabric.”——SD-Access Design Guide

#理解: 数据平面基于VXLAN封装Fabric内流量以实现虚拟网络隔离;

3

Underlay & Overlay

“The underlay switches provide endpoint physical connectivity as part of the fabric’s physical infrastructure.”——SD-Access Design Guide

#理解: underlay network提供终端物理连接, 设计聚焦可靠IP连通性;

“The overlay network provides isolation among virtual networks and operates independently of the physical underlay.”——SD-Access Design Guide

#理解: overlay network提供虚拟网络隔离, 独立于物理网络, 承载L2/L3逻辑网络;

4

Intermediate Node

中间节点

“Intermediate nodes route packets within the fabric based on Layer 3 information in the packet header (e.g., RLOCs), enabling connectivity between edge and border nodes.”——SD-Access Design Guide

#理解: 在Fabric内基于三层头部信息(如 RLOC)路由数据包; (类似H3C ADDC中的spine)

5

Fabric Border Node

边界节点

“Fabric border nodes connect the SD-Access fabric to external Layer 3 networks or other fabrics, and support VXLAN encapsulation/decapsulation for traffic entering/exiting the fabric.”——SD-Access Design Guide

#理解: 连接Fabric到外部L3网络或其他Fabric, 支持VXLAN封装/解封装; (类似H3C ADDC中的border-leaf)

6

Fabric Edge Node

边缘节点

“Fabric edge nodes connect endpoints to the SD-Access fabric, forward traffic, and provide Anycast Gateway services for endpoints in their assigned virtual networks.”——SD-Access Design Guide

#理解: 连接终端到Fabric, 转发流量, 提供Anycast Gateway服务; (类似H3C ADDC中的server-leaf)

7

Extended Node

扩展节点

“Extended nodes extend the fabric by connecting to downstream non-fabric-enabled Layer 2 switches, using 802.1Q VLAN tagging for traffic segmentation.”——SD-Access Deployment Guide

#理解: 连接下游非Fabric纯二层交换机, 通过802.1Q(VLAN)实现流量分段;  (类似H3C ADDC中的access)

8

Fabric AP

“In a fabric-enabled SSID, the AP converts 802.11 frames to 802.3 and encapsulates them into VXLAN with VNI and SGT.”——Implementing and Operating Cisco Enterprise Network Core Technologies

#理解: AP将 802.11 帧 转换为以太网帧, 并封装为VXLAN(添加 VNI, 外层IP头)和SGT标签(若启用TrustSec);

“Wireless clients send traffic to APs, which encapsulate the traffic in VXLAN and forward it to fabric edge switches. The edge switches enforce policies and route the traffic to border nodes for external connectivity.”——SD-Access Solution Overview

#理解: AP作为VTEP, 封装的VXLAN帧必须先发给egde node, 如果访问外网的话也是先发给edge, 再由edge发给border; 不太理解为什么要这样做, 是因为控制平面上AP通过CAPWAP与WLC通信而不具有ITR的能力吗? 如果不是直接把AP作为wireless endpoint的edge不是更好吗?

“For fabric-enabled wireless, control plane traffic uses CAPWAP between APs and WLCs, while data plane traffic is encapsulated in VXLAN and sent from APs to fabric edge switches.”——SD-Access Wireless Guide

#理解: AP控制平面通过CAPWAP与WLC通信, 数据平面把所有流量封装成VXLAN帧发给edge;

9

其他补充

“SD-Access uses Plug-and-Play (PnP) to automatically discover and provision border and access switches, streamlining deployment.”——SD-Access Provisioning Guide
#理解: PnP(Plug-and-Play) 自动发现并配置边界/接入交换机;

“The recommended MTU for a Cisco SD-Access fabric is 9100 bytes to accommodate VXLAN encapsulation overhead and prevent packet fragmentation.”——SD-Access Deployment Guide

#理解: 推荐 9100 字节(容纳 VXLAN 头部开销, 避免分片);

“Routed access design facilitates migration from traditional campus networks to SD-Access by leveraging Layer 3 connectivity at the access layer.”——SD-Access Migration Guide

#理解: Routed Access(三层接入设计)简化传统园区到SD-Access的迁移;

“Cisco Identity Services Engine (ISE) enforces access policies to determine if a client has permission to access the network.”——SD-Access Security Guide

#理解: Cisco ISE 决定终端网络访问权限;

“Legacy VLANs can be mapped to virtual networks, allowing devices to join VNs based on their VLAN membership during migration to SD-Access.”——Cisco SD-Access Migration Guide

#理解: SD-Access支持VLAN-to-VN映射, 传统VLAN可关联到虚拟网络, 设备通过VLAN归属自动分配到对应VN;

“For the underlay network, access layer switches should connect to both upstream distribution and core devices to ensure redundancy and optimal path selection.”——Cisco SD-Access Design Guide

#理解: 接入层交换机双上联到分布层和核心层, 通过IGP实现多路径冗余(ECMP), 提升Underlay网络的可靠性和故障恢复能力;