LISP VXLAN Control Plane Deep Dive
Introduction
SD-Access is built on a fabric architecture that separates the network into distinct planes: a control plane, a data plane, and a policy plane. Understanding how these planes work together is essential for anyone designing, deploying, or troubleshooting SD-Access environments. At the heart of the SD-Access control plane sits LISP (Locator/ID Separation Protocol), while VXLAN (Virtual Extensible LAN) handles the data plane. Together, they form the foundation that makes SD-Access fabric possible.
In this lesson, you will learn how LISP operates as the control plane protocol within an SD-Access fabric, how VXLAN encapsulates traffic in the data plane, and how the two work in concert to deliver overlay networking. You will also explore how these constructs compare to similar mechanisms in SD-WAN and ACI environments, how LISP Pub/Sub enhances fabric operations, and how macro and micro segmentation are achieved through Virtual Networks and Security Group Tags.
By the end of this lesson, you will be able to describe the role of LISP and VXLAN in an SD-Access fabric site, explain the differences between RLOC-based and TLOC-based underlays, and articulate how segmentation is carried across the data plane using VXLAN headers.
Key Concepts
The Three Planes of SD-Access
Every SD-Access fabric site is organized around three functional planes. Each plane has a specific job and uses a specific protocol or mechanism to accomplish it.
| Plane | Protocol/Mechanism | Purpose |
|---|---|---|
| Control Plane | LISP | Host registration, location resolution, endpoint tracking |
| Data Plane | VXLAN | Encapsulation of user traffic across the fabric overlay |
| Policy Plane | SGT (Security Group Tag) | Micro segmentation and policy enforcement |
LISP Fundamentals in SD-Access
LISP serves as the control plane for SD-Access. Its primary job is to maintain a mapping database that associates endpoint identifiers (such as MAC and IP addresses) with their network location. In SD-Access terminology, the underlay is based on the RLOC (Routing Locator), which operates within the Global Routing Table (GRT). This is a key distinction from SD-WAN, where the underlay is based on the TLOC (Transport Locator) operating in VN 0.
The Control Plane Node in an SD-Access fabric site runs the LISP Map-Server and Map-Resolver functions. Edge Nodes register their connected endpoints with the Control Plane Node, and Border Nodes query it when traffic needs to leave the fabric or reach endpoints in other parts of the network.
VXLAN Fundamentals in SD-Access
VXLAN is the data plane encapsulation protocol. It wraps original Ethernet frames inside UDP/IP packets, allowing Layer 2 and Layer 3 overlays to be extended across a routed underlay infrastructure. The VXLAN header includes a VNID (VXLAN Network Identifier), which is a 24-bit field that identifies the specific virtual network a frame belongs to. This VNID is what enables macro segmentation across the fabric.
Critically, the SD-Access VXLAN header also carries a 16-bit SGT field. This is how micro segmentation policy travels with the packet through the data plane, enabling inline tagging of security group information.
Comparing Constructs Across Domains
SD-Access does not exist in isolation. Many enterprise networks integrate SD-Access with SD-WAN for branch connectivity and ACI for data center connectivity. Understanding how the constructs map across these three domains is essential.
| Construct | SD-Access (SDA) | SD-WAN | ACI |
|---|---|---|---|
| Management | Catalyst Center | SD-WAN Manager | APIC |
| Control Plane | LISP | SD-WAN Controller (OMP) | COOP + BGP |
| Underlay | Based on RLOC (GRT) | Based on TLOC (VN 0) | ISIS + VTEP |
| Data Plane | VXLAN | IPSec / MPLS | VXLAN |
| Macro Segmentation | VN (Infra VN / GRT + User VN) | VPN (VN 512 OOB + VN #) | VRF + Tenant |
| Micro Segmentation | SGT (Security Group Tag) | SGT (carried across the WAN transport) | EPG / ESG (End Point Groups) |
This table highlights a critical insight: while each domain uses different protocols, they all solve the same set of problems -- separating control from data, providing macro segmentation through network virtualization, and enabling micro segmentation through group-based policy.
How It Works
LISP Control Plane Operations
When an endpoint connects to an SD-Access Edge Node, the Edge Node detects the endpoint and registers it with the Control Plane Node using LISP. The registration includes the endpoint's identity (MAC address, IP address) and the RLOC of the Edge Node where the endpoint is attached. The Control Plane Node stores this mapping in its LISP map database.
When another Edge Node needs to send traffic to that endpoint, it queries the Control Plane Node to resolve the destination RLOC. Once it receives the mapping response, the source Edge Node encapsulates the traffic in a VXLAN header and sends it across the routed underlay to the destination Edge Node's RLOC.
LISP Pub/Sub Enhancement
Traditional LISP uses a pull model where nodes query the map database on demand. LISP Pub/Sub replaces this with a push-based model. With Pub/Sub, fabric nodes subscribe to mapping updates and receive notifications when changes occur. This enhancement, available starting with Catalyst Center 2.2.3.x and IOS-XE 17.6.2 or later, delivers several important benefits:
- Removes dependency on BGP -- the fabric no longer requires an additional iBGP session alongside the LISP session. Previously, both a LISP session and an additional iBGP session were needed. With Pub/Sub, only a LISP session and a LISP Pub/Sub session are required.
- Simplified Border Routing Designs -- fewer protocols to configure and troubleshoot at the border.
- Faster Border Convergence -- mapping change updates propagate more quickly through the push model.
- Traffic Path Optimization with Dynamic Default Border -- enables smarter forwarding decisions.
- Backup Internet Option -- supports failover scenarios for internet-bound traffic.
- Automated route leaking using LISP Extranet -- simplifies inter-VN communication without manual route-leak configuration.
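As an added example (not from the original lesson or any Cisco code), a constructed Python model of the registration and resolution sequence above and of the pull-versus-push difference that Pub/Sub introduces: all class and function names are assumptions, the RLOCs are documentation addresses, and the model omits the TTL and solicit-map-request mechanisms real LISP uses to refresh a pull-model map-cache.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed model of the SD-Access LISP control plane: Edge Nodes register EID -> RLOC
# mappings with the Control Plane Node (CPN) and resolve them by pull or Pub/Sub push.

@dataclass
class ControlPlaneNode:
    mappings: Dict[str, str] = field(default_factory=dict)             # EID -> RLOC
    subscribers: Dict[str, List[Callable[[str, str], None]]] = field(default_factory=dict)
    moves: List[Tuple[str, str, str]] = field(default_factory=list)    # (EID, old, new RLOC)

    def map_register(self, eid: str, rloc: str) -> None:
        # Re-registration from a different RLOC is an endpoint move; keep an audit record.
        old = self.mappings.get(eid)
        self.mappings[eid] = rloc
        if old is not None and old != rloc:
            self.moves.append((eid, old, rloc))
        for notify in self.subscribers.get(eid, []):    # Pub/Sub: push the change
            notify(eid, rloc)
    def map_request(self, eid: str) -> Optional[str]:
        return self.mappings.get(eid)                   # pull model: answer on demand
    def subscribe(self, eid: str, notify: Callable[[str, str], None]) -> None:
        self.subscribers.setdefault(eid, []).append(notify)

class EdgeNode:
    def __init__(self, cpn: ControlPlaneNode, pubsub: bool) -> None:
        self.cpn, self.pubsub, self.map_cache = cpn, pubsub, {}
    def resolve(self, eid: str) -> Optional[str]:
        # RLOC to encapsulate toward; the map-cache is consulted before asking the CPN.
        if eid not in self.map_cache:
            rloc = self.cpn.map_request(eid)
            if rloc is None:
                return None
            self.map_cache[eid] = rloc
            if self.pubsub:                             # pushed updates overwrite the cache
                self.cpn.subscribe(eid, lambda e, r: self.map_cache.update({e: r}))
        return self.map_cache[eid]

def simulate_endpoint_move():
    # Constructed scenario: host 10.1.1.10 moves from Edge-1 (RLOC 192.0.2.1) to Edge-2
    # (192.0.2.2); compare what a pull-only node and a Pub/Sub node believe afterwards.
    cpn = ControlPlaneNode()
    cpn.map_register("10.1.1.10", "192.0.2.1")
    pull_node, pubsub_node = EdgeNode(cpn, pubsub=False), EdgeNode(cpn, pubsub=True)
    for node in (pull_node, pubsub_node):
        node.resolve("10.1.1.10")                       # both cache Edge-1's RLOC
    cpn.map_register("10.1.1.10", "192.0.2.2")
    return pull_node.resolve("10.1.1.10"), pubsub_node.resolve("10.1.1.10"), cpn.moves
```

The pull-only node keeps encapsulating toward the old RLOC until its cache is refreshed, while the subscribed node is corrected the moment the new registration arrives.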
VXLAN Data Plane Encapsulation
The VXLAN header structure in SD-Access is purpose-built for carrying both segmentation and policy information:
| Field | Size | Purpose |
|---|---|---|
| VNID | 24 bits | Identifies the Virtual Network (macro segmentation) |
| SGT | 16 bits | Carries the Security Group Tag (micro segmentation) |
This inline tagging approach means that policy information travels with every packet through the fabric. There is no need for a separate policy lookup at each hop because the SGT is embedded directly in the VXLAN encapsulation.
Macro and Micro Segmentation
Macro segmentation is achieved through Virtual Networks (VNs). Each VN maps to a unique VNID in the VXLAN header. Traffic in one VN is completely isolated from traffic in another VN at the data plane level.
Micro segmentation is achieved through Security Group Tags (SGTs). Within a single VN, different endpoints can be assigned different SGTs, and policy can be enforced based on source and destination SGT pairs. The 16-bit SGT field in the VXLAN header carries this tag across the fabric.
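An added example, not part of the original lesson or Cisco's code, that packs and parses the VXLAN header described in the two sections above and applies an SGT policy lookup to the tag it extracts; the Group Policy Option layout, the function names and the sample policy matrix are assumptions.

```python
import struct
from typing import Dict, Optional, Tuple

# Constructed encoder/decoder for the 8-byte VXLAN header SD-Access uses. The layout
# assumed here is the VXLAN Group Policy Option draft (draft-smith-vxlan-group-policy):
# flags byte (G = GBP present, I = VNI valid), reserved byte, 16-bit Group Policy ID
# carrying the SGT, 24-bit VNI, reserved byte.
FLAG_G = 0x80   # Group Based Policy extension present; the 16-bit ID is an SGT
FLAG_I = 0x08   # VNI field is valid (mandatory in every VXLAN header)

def build_header(vnid: int, sgt: int) -> bytes:
    if not 0 <= vnid < (1 << 24):
        raise ValueError("VNID must fit in 24 bits")
    if not 0 <= sgt < (1 << 16):
        raise ValueError("SGT must fit in 16 bits")
    return struct.pack("!BBHI", FLAG_G | FLAG_I, 0, sgt, vnid << 8)

def parse_header(data: bytes) -> Dict[str, Optional[int]]:
    # sgt is None when the G bit is clear: an untagged frame, which must not be read as SGT 0.
    if len(data) < 8:
        raise ValueError("truncated VXLAN header")
    flags, _reserved, gpid, vni_res = struct.unpack("!BBHI", data[:8])
    if not flags & FLAG_I:
        raise ValueError("I bit clear: VNI not valid")
    return {"vnid": vni_res >> 8, "sgt": gpid if flags & FLAG_G else None}

def sgacl_decision(src_sgt: Optional[int], dst_sgt: int,
                   matrix: Dict[Tuple[int, int], str]) -> str:
    # Enforcement on the (source SGT, destination SGT) pair. Untagged sources and pairs
    # absent from the matrix fall to deny, so a stripped or missing tag cannot open a path.
    if src_sgt is None:
        return "deny"
    return matrix.get((src_sgt, dst_sgt), "deny")

def decide_for_frame(header: bytes, dst_sgt: int, matrix: Dict[Tuple[int, int], str]) -> str:
    # What an enforcement point does per packet: read the inline tag, then look up policy.
    return sgacl_decision(parse_header(header)["sgt"], dst_sgt, matrix)

# Constructed sample policy for one VN (VNID 4099): employees (SGT 10) may reach servers
# (SGT 30); contractors (SGT 20) are explicitly denied; everything else is implicit deny.
SAMPLE_MATRIX = {(10, 30): "permit", (20, 30): "deny"}
```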
Configuration Example
Border Node Types and Fabric Site Design
SD-Access supports three types of border node deployments, each serving different connectivity requirements:
| Border Type | Maximum Count | Connectivity |
|---|---|---|
| Internal Border | No hard limit (N) | Connects to the rest of the company network |
| External Border | 4 maximum | Connects to outside networks |
| Internal + External Border | 4 maximum | Handles both internal and external connectivity |
Fabric Zones
Fabric Zones provide granular control over IP pool provisioning scope within a fabric site. Before Catalyst Center 2.2.3.x, the provisioning scope of an IP pool covered the entire fabric site. Fabric Zones change this by creating child sites within a parent fabric site.
Key rules for Fabric Zones:
- Edge Nodes (EN, EX, PEN) are added to Fabric Zones
- L3VNs and IP pools must be assigned to the parent fabric site before they can be assigned to one or more Fabric Zones
- Only Edge Nodes can be provisioned to a Fabric Zone -- collocated fabric roles (such as EN+Border or EN+Embedded WLC) cannot be provisioned to a Fabric Zone
- Extended Nodes (EX) and Policy Extended Nodes (PEN) must be in the same Fabric Zone as their parent Edge Node
Extended Node Types
SD-Access supports three types of extended nodes for reaching endpoints at the edge of the network:
| Node Type | Supported Platforms | Authentication |
|---|---|---|
| Extended Node (EX) | IE3200, IE3300, IE4000, IE4010, IE5000, Cat9K (Essential License), ESS-9300, CDB Series | N/A |
| Policy Extended Node (PEN) | IE3400, IE3400H, Cat9K (Advanced License), IE9300 | Closed Authentication, Supplicant-Based |
| Supplicant-Based Extended Node (SBEN) | C9200, C9300, C9400, C9500 | Enforcement |
Supported topologies for extended nodes include daisy chain (up to 18 IE switches or 3 Cat9K switches, EX and PEN only) and ring (up to 18 IE switches of the same device type).
Important: Cat9600 is excluded from extended node support. When planning extended node deployments, verify that each platform meets the licensing requirements for the desired node type.
Real-World Application
SDA and SD-WAN Domain Integration
In production networks, SD-Access fabric sites frequently connect to SD-WAN for WAN transport. This integration operates across all three planes:
Data Plane Integration: The handoff interfaces connecting an SDA Border to an SD-WAN Edge use VRF-Lite. Separate 802.1Q encapsulation sub-interfaces are configured for every VRF that needs to be extended between the two domains.
Control Plane Integration: BGP peering is established for each VN/VRF on the handoff interfaces. Prefixes learned via BGP on the SD-WAN Edge and SDA Border are redistributed into OMP and LISP respectively, using a 1:1 mapping of a dedicated service VPN for each fabric VN.
The VN-to-VPN mapping follows a structured pattern:
| SDA Virtual Network | SD-WAN Service VPN |
|---|---|
| Infra VN (Underlay) | Service VPN 10 |
| Campus VN | Service VPN 20 |
| Guest VN | Service VPN 30 |
Policy Plane Integration: The SGT from the VXLAN header is placed into the CMD (Cisco Metadata) Header on the Ethernet frame. From the Ethernet CMD header, the SGT is then transferred to the IPSec header. This allows the SGT to be carried across the WAN transport to other SD-Access sites, maintaining consistent micro segmentation policy end to end.
Best Practice: The SDA Fabric underlay, which is part of the Global Routing Table (GRT), should be mapped to a dedicated Service VPN on the WAN Edge. Ensure the same MTU is configured on both ends for interfaces and sub-interfaces connecting the SDA Border and SD-WAN Edge. Validate platform support for inline tagging on both the SDA Border and the SD-WAN Edge, as well as any interim nodes in the path.
SDA and ACI Integration
For data center connectivity, SD-Access integrates with ACI. The policy plane integration between these two domains is managed through ISE:
- ISE uses REST API and pxGrid connections to APIC to retrieve and share context
- Granular control determines which SGTs are pushed to ACI and to which tenants
- Granular control also determines which EPGs and ESGs are pushed from ACI to ISE
- Policy enforcement can occur in the campus, in the data center, or on a transit firewall
- The integration supports multiple fabrics, multiple tenants/VRFs, and multiple L3Outs for policy enforcement on ACI
Summary
- LISP is the SD-Access control plane -- it maps endpoint identities to their RLOCs in the Global Routing Table, enabling location-independent communication across the fabric underlay.
- VXLAN is the SD-Access data plane -- its header carries both the 24-bit VNID for macro segmentation and the 16-bit SGT for micro segmentation through inline tagging.
- LISP Pub/Sub removes the BGP dependency at the border, delivers faster convergence, and enables automated route leaking via LISP Extranet, starting with Catalyst Center 2.2.3.x and IOS-XE 17.6.2 or later.
- Domain integration with SD-WAN uses VRF-Lite handoff with 802.1Q sub-interfaces, BGP peering redistributed into OMP and LISP, and SGT propagation from VXLAN to CMD to IPSec headers.
- Fabric Zones provide granular IP pool scoping within a fabric site, restricting provisioning to specific edge nodes rather than the entire site.
In the next lesson, we will explore SD-Access fabric data plane operations in greater detail, examining how VXLAN forwarding decisions are made and how Layer 2 and Layer 3 overlays handle known and unknown traffic within the fabric.