SDA – Endpoint Onboarding

These are self-study crib notes and may not be 100% accurate.

Traditional L3 networks are based on subnets have no problems onboarding new endpoints because the subnets are generally known. With SDA, new endpoints coming online is more complex as the network needs to know the EID of the new device and EID (Endpoint ID) to RLOC mappings.


  • Ingress Tunnel Router – ITR
  • Egress Tunnel Router – ETR

Traffic received by the router/switch where the new client is located is the ITR as this is where the packet is first received by the fabric. The policy is enforced on the router/switch where the destination is connected – this is the ETR.

Walkthrough process:

A new client connects, successfully authenticates and is issued an IP address. The IP address beings the EID (Endpoint Identifier). The switch the new client is connected to will be the ETR for any incoming traffic from elsewhere in the network to the new device.

The ETR sends a map-register notification to the control plane note to associate the new devices EID wtih the ETR’s RLOC.

A device elsewhere on the fabric trying to reach the new device will send a new request to the control plane node requesting the location of said new device – known as a map-request.

The default behaviour is for the control plane node forwards the request to the ETR that originally registered the EID mapping.

The ETR then responds directly with a map-reply to the requesting edge node (ITR).

The ITR stores the EID to RLOC mapping in a cache which clears out after 24 hours.

Wireless Access Points also need some attention.

A WAP will obtain an IP address via DHCP and then the fabric maps that AP to the network as though it were a normal endpoint using the map-register process. The AP can then form a CAPWAP tunnel out to a WLC outside of the fabric, usually on the other side of a border node. Only control traffic passes through the tunnel.

The connecting fabric edge node will form a direct VXLAN tunnel with the WAP and the client will traverse that tunnel.

When a new wireless client connects, the AP informs the WLC via CAPWAP. The WLC informs the control plane node of the EID (a layer 2 identifer i.e MAC address).

The is presented to the fabric as a normal edge node so it goes through the mac-register process again but this time using the clients IP address i.e. L3.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.