
BRKCRS-2810

Cisco Software-Defined Access

Under The Hood

Shawn Wargo
Principal Engineer - Technical Marketing
Cisco Webex Teams

Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session

How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

cs.co/ciscolivebot#BRKCRS-2810

BRKCRS-2810 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Sessions are available Online @ CiscoLive.com

Cisco Software-Defined Access

Cisco Live Barcelona - Session Map (Tuesday Jan 29 to Friday Feb 01; daily slots 08:00-11:00, 11:00-13:00, 13:00-15:00, 15:00-18:00). You Are Here: BRKCRS-2810.

• BRKCRS-2821 SD-Access Integration
• BRKCRS-2825 SD-Access Scale
• BRKCRS-2812 SD-Access Migration
• BRKCLD-2412 Cross-Domain Policy
• BRKCRS-3811 SD-Access Policy
• BRKCRS-2810 SD-Access Solution (this session)
• BRKCRS-1449 ISE & SD-Access
• BRKCRS-1501 Validated Design
• BRKCRS-3810 SD-Access Deep Dive
• BRKCRS-2815 Connect SD-Access Sites
• BRKCRS-2814 SD-Access Assurance
• BRKARC-2020 Troubleshoot SD-Access
• LTRACI-2636 ACI + SD-Access Lab
• LTRCRS-2810 SD-Access Lab
• BRKEWN-2021 SD-Access Demo
• BRKEWN-2020 SD-Access Wireless
Agenda
1 Key Benefits – Why do you care?
2 Key Concepts – What is SD-Access?
3 Fabric Fundamentals – How does it work?
4 Controller Fundamentals – How does it work?
5 Take Away – Where to get started?

Figure: the five agenda items plotted as Complexity against Time; sections 3 and 4 are the most complex.
Key Benefits
Why do you care?

Cisco’s Intent-Based Network
Delivered by Cisco Software Defined Access

Figure: Cisco DNA Center (Policy, Automation, Analytics) turns Intent and Context into Intent-Based Control of the Network Infrastructure: the SD-Access Fabric (Switch, Route, Wireless, Edge, with Fabric Border), SD-WAN, Wireless, Branch, the ACI Data Center and SaaS, with Security and Learning across all of them.
Cisco Software Defined Access
The Foundation for Cisco’s Intent-Based Network

Cisco DNA Center delivers Policy, Automation and Assurance on top of the SD-Access Fabric (figure: Border nodes B, Control-Plane node C, SD-Access Extension, Outside, IoT Network and Employee Network).

• Identity-Based Policy and Segmentation: policy definition decoupled from VLAN and IP address
• Automated Network Fabric: single fabric for Wired and Wireless with full automation
• Insights and Telemetry: analytics and insights into User and Application experience
• User Mobility: policy follows the User
What is Software Defined Access?

Key
Concepts
#CLUS BRKCRS-2810 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
What is SD-Access?
Campus Fabric + Cisco DNA Center (Automation & Assurance)

SD-Access
• GUI approach provides automation & assurance of all Fabric configuration, management and group-based policy
• Cisco DNA Center integrates multiple management systems, to orchestrate LAN, Wireless LAN and WAN access (figure: APIC-EM 1.X, NCP, ISE, NDP and PI, previously separate management systems)

Campus Fabric
• CLI or API approach to build a LISP + VXLAN + CTS Fabric overlay for your enterprise Campus networks
• CLI provides backwards compatibility, but management is box-by-box
• API provides device automation via NETCONF/YANG
What is Software Defined Access?

Roles &
Terminology
1. High-Level View
2. Roles & Platforms
3. Fabric Constructs
SD-Access
What exactly is a Fabric?

A Fabric is an Overlay
An Overlay network is a logical topology used to virtually connect devices,
built over an arbitrary physical Underlay topology.
An Overlay network often uses alternate forwarding attributes to provide
additional services, not provided by the Underlay.

Examples of Network Overlays
• GRE, mGRE
• MPLS, VPLS
• IPSec, DMVPN
• CAPWAP
• LISP
• OTV
• DFA
• ACI
SD-Access
Fabric Terminology

Figure: the Overlay Network (with its Overlay Control Plane) runs between Edge Devices using Encapsulation; Hosts (End-Points) attach to the Edge Devices; the Underlay Network (with its Underlay Control Plane) carries the encapsulated traffic between the Edge Devices.
SD-Access
Fabric Underlay – Manual vs. Automated

Manual Underlay
You can reuse your existing IP network as the Fabric Underlay!
• Key Requirements
  • IP reach from Edge to Edge/Border/CP
  • Can be L2 or L3 – We recommend L3
  • Can be any IGP – We recommend ISIS
• Key Considerations
  • MTU (Fabric Header adds 50B)
  • Latency (RTT of =/< 100ms)

LAN Automation
Fully automated prescriptive IP network Underlay Provisioning!
• Key Requirements
  • Leverages standard PNP for Bootstrap
  • Assumes New / Erased Configuration
  • Uses a Global “Underlay” Address Pool
• Key Considerations
  • Seed Device pre-setup is required
  • 100% Prescriptive (No Custom)
SD-Access
Fabric Roles & Terminology

Figure: Cisco DNA Center (NCP, NDP) and ISE above the Campus Fabric; inside the Fabric are the Fabric Border Nodes (B), the Control-Plane Node (C), Intermediate Nodes (Underlay), Fabric Edge Nodes and the Fabric Wireless Controller.

• Network Automation – Simple graphical user interface and intent based automation (e.g. NCP) of fabric devices
• Network Assurance – Data Collectors (e.g. NDP) analyze Endpoint to App flows and monitor fabric status
• Identity Services – NAC & ID Systems (e.g. ISE) for dynamic Endpoint to Group mapping and Policy definition
• Control-Plane Nodes – Map System that manages Endpoint to Device relationships
• Fabric Border Nodes – A Fabric device (e.g. Core) that connects External L3 network(s) to the SD-Access Fabric
• Fabric Edge Nodes – A Fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SD-Access Fabric
• Fabric Wireless Controller – A Fabric device (WLC) that connects APs and Wireless Endpoints to the SD-Access Fabric
What is Software Defined Access?

Roles &
Terminology
1. High-Level View
2. Roles & Platforms
3. Fabric Constructs
SD-Access Fabric
Control-Plane Nodes – A Closer Look

Control-Plane Node runs a Host Tracking Database to map location information (figure: Control-Plane node C and Border nodes B between the Fabric and the Known and Unknown Networks)

• A simple Host Database that maps Endpoint IDs to a current Location, along with other attributes
• Host Database supports multiple Endpoint ID lookup types (IPv4, IPv6 or MAC)
• Receives Endpoint ID map registrations from Edge and/or Border Nodes for “known” IP prefixes
• Resolves lookup requests from Edge and/or Border Nodes, to locate destination Endpoint IDs
For more details: cs.co/sda-compatibility-matrix
SD-Access Platforms
Fabric Control Plane (CRN Products of the Year 2017, 2018)

• Catalyst 9300: 1/mG RJ45; 10/25/40/mG NM
• Catalyst 9400: Sup1/Sup1XL; 9400 Cards
• Catalyst 9500: 40/100G QSFP; 1/10/25G SFP

For more details: cs.co/sda-compatibility-matrix
SD-Access Platforms
Fabric Control Plane

• Catalyst 3K: Catalyst 3650/3850; 1/mG RJ45; 1/10G SFP; 1/10/40G NM Cards
• Catalyst 6K: Catalyst 6500/6800; Sup2T/Sup6T; C6800 Cards; C6880/6840-X
• ISR 4K & ENCS: ISR 4430/4450; ISR 4330/4450; ENCS 5400; ISRv / CSRv
• ASR1K: ASR 1000-X; ASR 1000-HX; 1/10G RJ45; 1/10G SFP
SD-Access Fabric
Edge Nodes – A Closer Look

Edge Node provides first-hop services for Users / Devices connected to a Fabric

• Responsible for Identifying and Authenticating Endpoints (e.g. Static, 802.1X, Active Directory)
• Register specific Endpoint ID info (e.g. /32 or /128) with the Control-Plane Node(s)
• Provide an Anycast L3 Gateway for the connected Endpoints (same IP address on all Edge nodes)
• Performs encapsulation / de-encapsulation of data traffic to and from all connected Endpoints
For more details: cs.co/sda-compatibility-matrix
SD-Access Platforms
Fabric Edge Node (CRN Products of the Year 2017, 2018)

• Catalyst 9200: Catalyst 9200/L*; 1/mG RJ45; 1G SFP (Uplinks)
• Catalyst 9300: 1/mG RJ45; 10/25/40/mG NM
• Catalyst 9400: Sup1/Sup1XL; 9400 Cards
• Catalyst 9500: 1/10/25G SFP; 40/100G QSFP

For more details: cs.co/sda-compatibility-matrix
SD-Access Platforms
Fabric Edge Node

• Catalyst 3K: Catalyst 3650/3850; 1/mG RJ45; 1/10G SFP; 1/10/40G NM Cards
• Catalyst 4500E: Sup8E/Sup9E (Uplink); 4600/4700 Cards (Host)
• Catalyst 6K: Catalyst 6500/6800; Sup2T/Sup6T; C6800 Cards; C6880/6840-X
SD-Access Fabric
Border Nodes

Border Node is an Entry & Exit point for data traffic going Into & Out of a Fabric

There are 3 Types of Border Node!

• Internal Border (Rest of Company)
  • connects ONLY to the known areas of the company
• External Border (Outside)
  • connects ONLY to unknown areas outside the company
• Internal + External (Anywhere)
  • connects transit areas AND known areas of the company
For more details: cs.co/sda-compatibility-matrix
SD-Access Platforms
Fabric Border Node (CRN Products of the Year 2017, 2018 Winner)

• Catalyst 9300: 1/mG RJ45; 10/25/40/mG NM
• Catalyst 9400: Sup1/Sup1XL; 9400 Cards
• Catalyst 9500: 1/10/25G SFP; 40/100G QSFP

For more details: cs.co/sda-compatibility-matrix
SD-Access Platforms
Fabric Border Node (* = EXTERNAL ONLY)

• Catalyst 3K: Catalyst 3650/3850; 1/mG RJ45; 1/10G SFP; 1/10/40G NM Cards
• Catalyst 6K: Catalyst 6500/6800; Sup2T/Sup6T; C6800 Cards; C6880/6840-X
• Nexus 7K*: Nexus 7700; Sup2E; M3 Cards; LAN1K9 + MPLS
• ISR 4K: ISR 4300/4400; AppX (AX); 1/10G RJ45; 1/10G SFP
• ASR 1K: ASR 1000-X/HX; AppX (AX); 1/10G ELC/EPA; 40G ELC/EPA
SD-Access Fabric
Border Nodes - Internal

Internal Border advertises Endpoints to outside, and known Subnets to inside

• Connects to any “known” IP subnets available from the outside network (e.g. DC, WLC, FW, etc.)
• Exports all internal IP Pools to outside (as aggregate), using traditional IP routing protocol(s)
• Imports and registers (known) IP subnets from outside, into the Control-Plane Map System
• Hand-off requires mapping the context (VRF & SGT) from one domain to another
SD-Access Fabric
Border Nodes - External

External Border is a “Gateway of Last Resort” for any unknown destinations

• Connects to any “unknown” IP subnets, outside of the network (e.g. Internet, Public Cloud)
• Exports all internal IP Pools outside (as aggregate) into traditional IP routing protocol(s)
• Does NOT import unknown routes! It is a “default” exit, if no entry is available in the Control-Plane
• Hand-off requires mapping the context (VRF & SGT) from one domain to another
SD-Access Fabric
Fabric Enabled Wireless – A Closer Look

Fabric Enabled WLC is integrated into Fabric for SD-Access Wireless clients (Control: CAPWAP; Data: VXLAN)

• Connects to Fabric via Border (Underlay)
• Fabric Enabled APs connect to the WLC (CAPWAP) using a dedicated Host Pool (Overlay)
• Fabric Enabled APs connect to the Edge via VXLAN
• Wireless Clients (SSIDs) use regular Host Pools for data traffic and policy (same as Wired)
• Fabric Enabled WLC registers Clients with the Control-Plane (as located on local Edge + AP)
For more details: cs.co/sda-compatibility-matrix

SD-Access Platforms
Fabric Enabled Wireless

• AireOS WLC: AIR-CT3504; AIR-CT5520; AIR-CT8540
• Catalyst 9800* (* COMING SOON): Catalyst 9800-40/80; Catalyst 9800-CL; C9K Embedded WLC
• Wave 2 AP: 1800/2800/3800; 1500 and 4800; 802.11ac Wave2; 1G/mG RJ45 (Uplink)
• Wave 1 AP* (* No IPv6, AVC, FNF): 1700/2700/3700; 3600 with 11ac; 802.11ac Wave1; 1G/mG RJ45 (Uplink)
What is Software Defined Access?

Roles &
Terminology
1. High-Level View
2. Roles & Platforms
3. Fabric Constructs
SD-Access Fabric
Virtual Network – A Closer Look

Virtual Network maintains a separate Routing & Switching table for each instance

• Control-Plane uses Instance ID to maintain separate VRF topologies (“Default” VRF is Instance ID “4098”)
• Nodes add a VNID to the Fabric encapsulation
• Endpoint ID prefixes (Host Pools) are routed and advertised within a Virtual Network (figure: VN Campus, VN IOT, VN Guest)
• Uses standard “vrf definition” configuration, along with RD & RT for remote advertisement (Border Node)
SD-Access Fabric
Scalable Groups – A Closer Look

Scalable Group is a logical policy object to “group” Users and/or Devices

• Nodes use “Scalable Groups” to ID and assign a unique Scalable Group Tag (SGT) to Endpoints
• Nodes add a SGT to the Fabric encapsulation
• SGTs are used to manage address-independent “Group-Based Policies” (figure: endpoints carrying SGT 3, 4, 8, 11, 12, 17, 19, 23 and 25)
• Edge or Border Nodes use SGT to enforce local Scalable Group ACLs (SGACLs)
SD-Access Fabric
Host Pools – A Closer Look

Host Pool provides basic IP functions necessary for attached Endpoints

• Edge Nodes use a Switch Virtual Interface (SVI), with IP Address /Mask, etc. per Host Pool
• Fabric uses Dynamic EID mapping to advertise each Host Pool (per Instance ID)
• Fabric Dynamic EID allows Host-specific (/32, /128 or MAC) advertisement and mobility (figure: hosts .4, .8, .11, .12, .13, .17, .19, .23 and .25 in their Pools)
• Host Pools can be assigned Dynamically (via Host Authentication) and/or Statically (per port)
SD-Access Fabric
Anycast Gateway – A Closer Look

Anycast GW provides a single L3 Default Gateway for IP capable endpoints

• Similar principle and behavior to HSRP / VRRP with a shared “Virtual” IP and MAC address
• The same Switch Virtual Interface (SVI) is present on EVERY Edge with the SAME Virtual IP and MAC
• Control-Plane with Fabric Dynamic EID mapping maintains the Host to Edge relationship
• When a Host moves from Edge 1 to Edge 2, it does not need to change its Default Gateway (figure: GW present on every Edge)
SD-Access Fabric
Layer 3 Overlay – A Closer Look

Stretched Subnets allow an IP subnet to be “stretched” via the Overlay

• Host IP based traffic arrives on the local Fabric Edge (SVI) and is then transferred by the Fabric
• Fabric Dynamic EID mapping allows Host-specific (/32, /128, MAC) advertisement and mobility
• Host 1 connected to Edge A can now use the same IP subnet to communicate with Host 2 on Edge B
• No longer need a VLAN to connect Host 1 and 2 (figure: Dynamic EID, GW present on every Edge)
SD-Access Fabric
Layer 2 Overlay – A Closer Look

Layer 2 Overlay allows Non-IP endpoints to use Broadcast & L2 Multicast

• Similar principle and behavior as Virtual Private LAN Services (VPLS) P2MP Overlay
• Uses a pre-built Multicast Underlay to setup a P2MP tunnel between all Fabric Nodes.
• L2 Broadcast and Multicast traffic will be distributed to all connected Fabric Nodes.
• Can be enabled for specific Host Pools that require L2 services (use Stretched Subnets for L3) (figure: one L2 Overlay joining the VLAN on each Edge)
NOTE: L3 Integrated Routing and Bridging (IRB) is not supported at this time.
What is Campus Fabric?

Fabric
Fundamentals
1. Control-Plane
2. Data-Plane
3. Policy-Plane
SD-Access Fabric
Campus Fabric - Key Components

1. Control-Plane based on LISP
2. Data-Plane based on VXLAN
3. Policy-Plane based on CTS

Key Differences
• L2 + L3 Overlay -vs- L2 or L3 Only
• Host Mobility with Anycast Gateway
• Adds VRF + SGT into Data-Plane
• Virtual Tunnel Endpoints (Automatic)
• NO Topology Limitations (Basic IP)
SD-Access Fabric
Key Components - LISP

Control-Plane based on LISP

1. Host Mobility

BEFORE: Routing Protocols = Big Tables & More CPU, with Local L3 Gateway. IP Address = Location + Identity. Every node carries Topology + Endpoint Routes (the figure repeats the same Prefix / Next-hop table on each node).

AFTER: LISP DB + Cache = Small Tables & Less CPU, with Anycast L3 Gateway. Separate Identity from Location. Endpoint Routes are Consolidated to the LISP DB (Mapping Database of Prefix to RLOC); each node keeps Only Local Routes plus the Topology Routes.

Example entries used in the figure (Prefix to Next-hop / RLOC):
• 189.16.17.89 → 171.68.226.120
• 22.78.190.64 → 171.68.226.121
• 172.16.19.90 → 171.68.226.120
• 192.58.28.128 → 171.68.228.121
Fabric Operation
Control-Plane Roles & Responsibilities

LISP Map Server / Resolver (Control-Plane)
• EID to RLOC mappings
• Can be distributed across multiple LISP devices

LISP Tunnel Router - XTR (Edge & Internal Border)
• Register EID with Map Server
• Ingress / Egress (ITR / ETR)

LISP Proxy Tunnel Router - PXTR (External Border)
• Provides a Default Gateway when no mapping exists
• Ingress / Egress (PITR / PETR)

• EID = Endpoint Identifier: Host Address or Subnet
• RLOC = Routing Locator: Local Router Address

Control-Plane mapping table (EID Space; held on the Control-Plane and cached on the Edges):
EID          RLOC
a.a.a.0/24   w.x.y.1
b.b.b.0/24   x.y.w.2
c.c.c.0/24   z.q.r.5
d.d.0.0/16   z.q.r.5

Non-LISP routing table on the Border (RLOC Space):
Prefix    Next-hop
w.x.y.1   e.f.g.h
x.y.w.2   e.f.g.h
z.q.r.5   e.f.g.h
Fabric Operation
Control Plane Register & Resolution

Figure: Fabric Control Plane 5.1.1.1; Fabric Edges 2.1.1.1, 2.1.2.1, 3.1.1.1 and 3.1.2.1; hosts 10.2.2.2, 10.2.2.3, 10.2.2.4 and 10.2.2.5 in subnet 10.2.0.0 255.255.0.0 stretched across the Fabric Edges; a Branch Fabric Edge asks the Control Plane “Where is 10.2.2.2?”.

Database Mapping Entry (on ETR): 10.2.2.2/32 → (2.1.2.1)
Database Mapping Entry (on ETR): 10.2.2.4/32 → (3.1.2.1)
Cache Entry (on ITR): 10.2.2.2/32 → (2.1.2.1)
Fabric Operation
Fabric Internal Forwarding (Edge to Edge)

Figure: source S (10.1.0.1 in the Branch subnet 10.1.0.0/24) behind Fabric Edge 1.1.1.1; destination D (10.2.2.2) behind Fabric Edge 2.1.2.1; Fabric Borders 5.1.1.1 and 5.2.2.2 toward the Non-Fabric IP Network (5.3.3.3); Fabric Edges 2.1.1.1, 2.1.2.1, 3.1.1.1 and 3.1.2.1 with subnet 10.2.0.0 255.255.0.0 stretched across them.

1. DNS Entry: D.abc.com A 10.2.2.2
2. S sends 10.1.0.1 → 10.2.2.2, which arrives at Fabric Edge 1.1.1.1
3. Mapping Entry: EID-prefix 10.2.2.2/32, Locator-set 2.1.2.1, priority: 1, weight: 100 (Path Preference Controlled by Destination Site)
4. Mapping System resolves the locator; the Edge encapsulates 1.1.1.1 → 2.1.2.1 around the original 10.1.0.1 → 10.2.2.2 packet
5. The destination Fabric Edge decapsulates and delivers 10.1.0.1 → 10.2.2.2 to D
Fabric Operation
Host Mobility – Dynamic EID Migration

Figure: Campus Fabric Edges 12.1.1.1 and 12.1.1.2 (Bldg 1) and 12.2.2.1 and 12.2.2.2 (Bldg 2); Fabric Borders 12.0.0.1 and 12.0.0.2; DC1 (10.10.10.0/24) behind Borders 1.1.1.1, 2.1.1.1 and 3.1.1.1 across the IP Network; host S 10.2.1.10 moves from Bldg 1 to Bldg 2.

Fabric Control Plane (Mapping System) entries:
• Map Register 10.10.0.0/16 – 12.0.0.1
• 10.2.1.10/32 – 12.1.1.1 (before the move)
• 10.2.1.10/32 – 12.2.2.1 (after the move; Map Register shown as EID: 10.17.1.10/32, Node: 12.1.1.1)

Routing Table on the Bldg 1 Edge (12.1.1.1):
• 10.2.1.0/24 – Local
• 10.2.1.10/32 – Local before the move, 10.2.1.10/32 – LISP0 after the move

Routing Table on the Bldg 2 Edge (12.2.2.1):
• 10.2.1.0/24 – Local
• 10.2.1.10/32 – Local after the move

The figure numbers five steps from the host attaching in Bldg 2 through the Map Register update to the old Edge pointing the /32 at LISP0.
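The register, resolve, map-cache and mobility behaviour from the Control-Plane Node, Register & Resolution, Edge to Edge Forwarding and Host Mobility slides, as an added Python simulation (not Cisco code and not a LISP implementation): a Map Server keyed by Instance ID, Edge nodes acting as ETR (register a /32 per host) and ITR (map-cache, Map-Request, default to the PXTR when there is no mapping), and a host move that re-registers the EID under the new RLOC, with the stale map-cache cleared the way a Solicit-Map-Request from the old ETR would. The addresses are the ones in the figures; the external border RLOC 5.2.2.2 used as PXTR and the second Instance ID 4099 are assumptions.

```python
"""LISP-style map system simulation (added example, not Cisco code).

Register / resolve / map-cache / mobility over the addresses in the slides.
Assumptions (not on the slides): PXTR RLOC 5.2.2.2, second Instance ID 4099.
"""
import ipaddress
from dataclasses import dataclass, field

DEFAULT_INSTANCE_ID = 4098   # "Default" VRF Instance ID from the Virtual Network slide
PXTR_RLOC = "5.2.2.2"        # assumption: external border acting as PETR


@dataclass
class Locator:
    rloc: str
    priority: int = 1
    weight: int = 100


@dataclass
class MapServer:
    """Control-Plane Node: host tracking database keyed by (Instance ID, EID prefix)."""
    db: dict = field(default_factory=dict)

    def register(self, instance_id, eid, rloc, priority=1, weight=100):
        """Map-Register from an ETR; returns the RLOC it replaced (None if new)."""
        key = (instance_id, ipaddress.ip_network(eid, strict=False))
        previous = self.db.get(key)
        self.db[key] = Locator(rloc, priority, weight)
        return previous.rloc if previous else None

    def resolve(self, instance_id, address):
        """Map-Resolver: longest-prefix match inside one Instance ID, or None
        (a Negative Map-Reply, which sends the ITR to the PXTR)."""
        addr = ipaddress.ip_address(address)
        best = None
        for (iid, prefix), locator in self.db.items():
            if iid != instance_id or addr not in prefix:
                continue
            if best is None or prefix.prefixlen > best[0].prefixlen:
                best = (prefix, locator)
        return best


@dataclass
class EdgeNode:
    rloc: str
    map_server: MapServer
    instance_id: int = DEFAULT_INSTANCE_ID
    local_hosts: set = field(default_factory=set)
    map_cache: dict = field(default_factory=dict)

    def host_attached(self, host_ip):
        """ETR side: host learned on the anycast SVI, register its /32 EID."""
        self.local_hosts.add(host_ip)
        return self.map_server.register(self.instance_id, "%s/32" % host_ip, self.rloc)

    def host_detached(self, host_ip):
        self.local_hosts.discard(host_ip)

    def solicit_map_request(self, dst_ip):
        """SMR handling: the old ETR saw traffic for a host it no longer has,
        so the ITR drops its cache entry and re-resolves on the next packet."""
        self.map_cache.pop(dst_ip, None)

    def forward(self, dst_ip):
        """ITR side: the RLOC the packet is encapsulated toward
        ('local' when the destination hangs off this edge)."""
        if dst_ip in self.local_hosts:
            return "local"
        if dst_ip in self.map_cache:
            return self.map_cache[dst_ip]
        hit = self.map_server.resolve(self.instance_id, dst_ip)
        if hit is None:
            return PXTR_RLOC          # gateway of last resort: external border
        self.map_cache[dst_ip] = hit[1].rloc
        return hit[1].rloc


def scenario():
    """Replays the slides: registration, resolution, unknown destination, host move."""
    ms = MapServer()
    edge_a = EdgeNode("2.1.2.1", ms)
    edge_b = EdgeNode("3.1.2.1", ms)
    branch = EdgeNode("1.1.1.1", ms)
    edge_a.host_attached("10.2.2.2")
    edge_b.host_attached("10.2.2.4")
    out = {}
    out["first"] = branch.forward("10.2.2.2")                 # Map-Request -> 2.1.2.1
    out["cached"] = branch.map_cache.get("10.2.2.2")
    out["unknown"] = branch.forward("203.0.113.10")           # no mapping -> PXTR
    out["other_vn"] = ms.resolve(4099, "10.2.2.2")            # Instance IDs isolate VNs
    # Host 10.2.2.2 moves from edge_a to edge_b: same subnet, same anycast gateway.
    edge_a.host_detached("10.2.2.2")
    out["replaced_rloc"] = edge_b.host_attached("10.2.2.2")   # register returns 2.1.2.1
    out["stale"] = branch.forward("10.2.2.2")                 # cache still says 2.1.2.1
    branch.solicit_map_request("10.2.2.2")                    # old ETR triggers SMR
    out["after_move"] = branch.forward("10.2.2.2")            # re-resolved -> 3.1.2.1
    return out


if __name__ == "__main__":
    for name, value in scenario().items():
        print("%-14s %s" % (name, value))
```

The "stale" step is the part worth watching operationally: until the old ETR triggers the SMR, the branch ITR keeps encapsulating toward 2.1.2.1, so a host that has moved is briefly unreachable from sites with a warm cache; the Fast Roaming extension on the later slide is about shrinking that window.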
SD-Access Fabric
Unique Control-Plane extensions compared to LISP

Capability: Layer 2 Extension
• Traditional LISP: Limited Support
• SD-Access Fabric: Fabric Control Plane extended to support MAC to IP binding and Layer 2 Overlays

Capability: Virtual Networks
• Traditional LISP: Layer-3 VN (VRF) only
• SD-Access Fabric: Both Layer-3 and Layer-2 VN (VRF) support (using VXLAN)

Capability: Fast Roaming
• Traditional LISP: Not Supported
• SD-Access Fabric: Fabric Control Plane extended to support fast roaming in =/< 50ms

Capability: Wireless Extensions
• Traditional LISP: Not Supported
• SD-Access Fabric: Fabric Control Plane extended to support wireless extensions for AP Onboarding, Wireless Guest and AP VXLAN functionality
What is Campus Fabric?

Fabric
Fundamentals
1. Control-Plane
2. Data-Plane
3. Policy-Plane
SD-Access Fabric
Key Components – VXLAN

1. Control-Plane based on LISP
2. Data-Plane based on VXLAN

ORIGINAL PACKET: ETHERNET | IP | PAYLOAD
PACKET IN LISP: ETHERNET | IP | UDP | LISP | IP | PAYLOAD (Supports L3 Overlay Only)
PACKET IN VXLAN: ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD (Supports L2 & L3 Overlay)
VXLAN-GPO Header
MAC-in-IP with VN ID & Group ID

Outer MAC Header (14 Bytes, Underlay)
• Dest. MAC (48 bits): Next-Hop MAC Address
• Source MAC (48 bits): Src VTEP MAC Address
• VLAN Type 0x8100 (16 bits) and VLAN ID (16 bits): 4 Bytes, Optional
• Ether Type 0x0800 (16 bits)

Outer IP Header (20 Bytes, Underlay)
• Misc. Data (72 bits)
• Protocol 0x11 (UDP) (8 bits)
• Header Checksum (16 bits)
• Source IP (32 bits): Src RLOC IP Address
• Dest. IP (32 bits): Dst RLOC IP Address

UDP Header (8 Bytes)
• Source Port (16 bits): Hash of inner L2/L3/L4 headers of original frame. Enables entropy for ECMP load balancing.
• Dest Port (16 bits): UDP 4789
• UDP Length (16 bits)
• Checksum 0x0000 (16 bits)

VXLAN Header (8 Bytes, Overlay)
• VXLAN Flags RRRRIRRR (8 bits)
• Segment ID (16 bits): Allows 64K possible SGTs
• VN ID (24 bits): Allows 16M possible VRFs
• Reserved (8 bits)

Inner (Original) MAC Header
Inner (Original) IP Header
Original Payload
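The header layout above, as an added Python example (not Cisco code): it builds the outer Ethernet, IPv4 and UDP headers and a VXLAN-GPO header around a constructed inner frame, then parses them back out, so the VN ID, the SGT in the Segment ID field and the 50-byte overhead from the Fabric Underlay MTU consideration can all be checked. Assumptions: the flag layout follows the VXLAN-GPO draft (a G bit marking the group policy ID present, and a second flag byte between the 8 flag bits and the 16-bit Segment ID, which together with VN ID and Reserved fills the 8-byte header), the MACs, RLOCs and inner frame are constructed sample values, and the entropy source port is derived with CRC32 rather than a platform hash.

```python
"""VXLAN-GPO encapsulation / decapsulation (added example, not Cisco code).

Layout assumed from the VXLAN-GPO draft: flags(8) | GPO flags(8) | Group Policy
ID = SGT (16) | VN ID (24) | reserved (8). MACs, RLOCs and the inner frame are
constructed sample values.
"""
import ipaddress
import struct
import zlib

VXLAN_UDP_PORT = 4789
FLAG_G = 0x80                          # group policy ID (SGT) present
FLAG_I = 0x08                          # the "I" bit of RRRRIRRR: VN ID present
FABRIC_OVERHEAD = 14 + 20 + 8 + 8      # outer MAC + IP + UDP + VXLAN = 50 bytes


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ipv4_checksum(header):
    """One's-complement sum over the header with its checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(">%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, payload_len, proto=17, ttl=64):
    """20-byte IPv4 header (DF set, no options) with a computed checksum."""
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack(">H", ipv4_checksum(hdr)) + hdr[12:]


def vxlan_gpo_header(vni, sgt):
    """8-byte VXLAN-GPO header; rejects values that do not fit their fields."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VN ID must fit in 24 bits (16M VRFs)")
    if not 0 <= sgt < (1 << 16):
        raise ValueError("SGT must fit in 16 bits (64K groups)")
    flags = FLAG_I | (FLAG_G if sgt else 0)
    return struct.pack(">BBHI", flags, 0, sgt, vni << 8)


def entropy_port(inner_frame):
    """Source port from a hash of the inner frame so ECMP spreads flows."""
    return 49152 + zlib.crc32(inner_frame) % 16384


def encapsulate(inner_frame, src_mac, next_hop_mac, src_rloc, dst_rloc, vni, sgt):
    """Wrap an inner Ethernet frame in outer MAC / IP / UDP / VXLAN-GPO headers."""
    udp_payload = vxlan_gpo_header(vni, sgt) + inner_frame
    udp = struct.pack(">HHHH", entropy_port(inner_frame), VXLAN_UDP_PORT,
                      8 + len(udp_payload), 0)             # UDP checksum 0x0000
    ip = ipv4_header(src_rloc, dst_rloc, len(udp) + len(udp_payload))
    eth = mac_bytes(next_hop_mac) + mac_bytes(src_mac) + b"\x08\x00"
    return eth + ip + udp + udp_payload


def decapsulate(packet):
    """Parse the outer headers back; returns RLOCs, VN ID, SGT and the inner frame."""
    if packet[12:14] != b"\x08\x00":
        raise ValueError("outer frame is not IPv4")
    ihl = (packet[14] & 0x0F) * 4
    if packet[14 + 9] != 17:
        raise ValueError("outer packet is not UDP")
    src_rloc = str(ipaddress.IPv4Address(packet[14 + 12:14 + 16]))
    dst_rloc = str(ipaddress.IPv4Address(packet[14 + 16:14 + 20]))
    udp_off = 14 + ihl
    _sport, dport, udp_len, _csum = struct.unpack(">HHHH", packet[udp_off:udp_off + 8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("not VXLAN (UDP port %d)" % dport)
    vx_off = udp_off + 8
    flags, _gpo_flags, sgt, vni_word = struct.unpack(">BBHI", packet[vx_off:vx_off + 8])
    if not flags & FLAG_I:
        raise ValueError("VXLAN I bit clear: no valid VN ID")
    return {
        "src_rloc": src_rloc,
        "dst_rloc": dst_rloc,
        "vni": vni_word >> 8,
        "sgt": sgt if flags & FLAG_G else None,
        "inner": packet[vx_off + 8:udp_off + udp_len],
    }


def sample_inner_frame():
    """Constructed inner frame: host 10.2.2.2 sending a UDP datagram to 10.1.0.1."""
    data = b"constructed payload"
    udp = struct.pack(">HHHH", 40000, 53, 8 + len(data), 0) + data
    ip = ipv4_header("10.2.2.2", "10.1.0.1", len(udp), proto=17)
    return mac_bytes("00:00:0c:9f:f0:01") + mac_bytes("00:11:22:33:44:55") + b"\x08\x00" + ip + udp


def round_trip(vni=4098, sgt=10):
    """Encapsulate the sample frame from edge 2.1.2.1 to edge 1.1.1.1 and parse it back."""
    inner = sample_inner_frame()
    packet = encapsulate(inner, "00:00:0c:ed:9e:01", "00:00:0c:ed:9e:02",
                         "2.1.2.1", "1.1.1.1", vni, sgt)
    meta = decapsulate(packet)
    meta["overhead"] = len(packet) - len(inner)
    meta["inner_matches"] = meta["inner"] == inner
    return meta


if __name__ == "__main__":
    m = round_trip()
    print("VN ID %d, SGT %s, %s -> %s, overhead %d bytes" %
          (m["vni"], m["sgt"], m["src_rloc"], m["dst_rloc"], m["overhead"]))
```

The overhead figure is why the Underlay MTU matters: an inner frame at the usual 1500-byte edge MTU leaves the encapsulating node as a 1550-byte underlay packet, so underlay links need at least that much headroom or fragmentation and drops follow.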
Data-Plane Overview
Fabric Header Encapsulation

Fabric Data-Plane provides the following:
• Underlay address advertisement & mapping
• Automatic tunnel setup (Virtual Tunnel End-Points)
• Frame encapsulation between Routing Locators

Support for LISP or VXLAN header format
• Nearly the same, with different fields & payload
• LISP header carries IP payload (IP in IP)
• VXLAN header carries MAC payload (MAC in IP)

Triggered by LISP Control-Plane events
• ARP or NDP Learning on L3 Gateways
• Map-Reply or Cache on Routing Locators

Figure: Inner frame → Encap adds the Outer header → Decap removes it → Inner frame.
SD-Access Fabric
Unique Data-Plane Extensions compared to VXLAN

Capability: SGT Tag
• Traditional LISP/VXLAN: No SGT
• SD-Access Fabric: VXLAN-GPO uses Reserved field to carry SGT

Capability: Layer 3 Extension (VRF)
• Traditional LISP/VXLAN: Yes
• SD-Access Fabric: Yes, by mapping VRF->VNI

Capability: Layer 2 Extension
• Traditional LISP/VXLAN: Not Supported
• SD-Access Fabric: Fabric supports Layer 2 extension by mapping VLAN->VNI

Capability: Wireless
• Traditional LISP/VXLAN: Not Supported
• SD-Access Fabric: AP to Fabric Edge uses VXLAN; Fabric Edge to Edge/Border uses VXLAN for both Wired and Wireless (same)
What is Campus Fabric?

Fabric
Fundamentals
1. Control-Plane
2. Data-Plane
3. Policy-Plane
SD-Access Fabric
Key Components – Group Based Policy

1. Control-Plane based on LISP
2. Data-Plane based on VXLAN
3. Policy-Plane based on CTS

Virtual Routing & Forwarding + Scalable Group Tagging = VRF + SGT, both carried in the VXLAN header:
ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD
SD-Access Policy
Two Level Hierarchy - Macro Level

Virtual Network (VN)
First level Segmentation ensures zero communication between forwarding domains. Ability to consolidate multiple networks into one management plane.

Figure: SD-Access Fabric with VN “A”, VN “B” and VN “C” toward the Known and Unknown Networks; e.g. a Building Management VN and a Campus Users VN.
SD-Access Policy
Two Level Hierarchy - Micro Level

Scalable Group (SG)
Second level Segmentation ensures role based access control between two groups within a Virtual Network. Provides the ability to segment the network into either line of businesses or functional blocks.

Figure: SD-Access Fabric with Scalable Groups SG 1 to SG 9 inside the Building Management and Campus Users VNs, toward the Known and Unknown Networks.
SD-Access Policy
Policy Types

• Access Control Policy – Who can access What? Permit / Deny Rules for Group-to-Group Access
• Application Policy – How to treat Traffic? QoS for Applications or Application Caching
• Traffic Copy Policy – Need to Monitor Traffic? Enable SPAN Services for specific Groups or Traffic
Group Assignment
Two ways to assign SGT

Dynamic Classification
• Based on the endpoint’s authentication (MAB shown at the Campus Access and WLC in the figure)

Static Classification
• L3 Interface (SVI) to SGT
• L2 Port to SGT
• VLAN to SGT
• Subnet to SGT
• VM (Port Profile) to SGT

Figure: Campus Access, Distribution and Core, the Enterprise Backbone, DC Core and DC Access, with the WLC, Firewall and Hypervisor SW as classification points.
SD-Access Policy
Policy Contracts

Source Group → Contract → Destination Group
Example: Guest Users → (CLASSIFIER: PORT, ACTION: DENY) → Credit System

Classifier Type: Port Number; Protocol Name; Application Type
Action Type: Permit; Deny; Copy
Group Propagation
VN & SGT in VXLAN-GPO Encapsulation

Edge Node 1 (Encapsulation: VXLAN with VN ID and SGT ID) → IP Network → Edge Node 2 (Decapsulation: VXLAN with VN ID and SGT ID)

• Classification: Static or Dynamic VN and SGT assignments
• Propagation: Carry VN and Group context across the network
• Enforcement: Group Based Policies, ACLs, Firewall Rules
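The Classification, Propagation and Enforcement stages above, together with the Scalable Groups, Two Level Hierarchy and Policy Contracts slides, as an added Python model (not Cisco code and not an SGACL implementation): an ingress edge classifies an endpoint to a VN and SGT either statically per port or from the authorization result (the "if Employee then SGT 10" rules of the ISE slide), the (VN ID, SGT) pair is the context the VXLAN-GPO header carries, and the egress edge first applies the macro check (the destination must exist in the packet's VN) and then the SGACL cell for the source and destination groups, whose contract has a classifier (port, protocol or application) and an action (permit, deny or copy). SGT 10, 20 and 30 and the Guest Users to Credit System deny contract come from the slides; the other group numbers, the VN IDs, the IP bindings, the port names and a permit-all default for unlisted group pairs are constructed assumptions.

```python
"""Group-based policy: classification, propagation, enforcement (added example,
not Cisco code). SGT 10/20/30 and the Guest Users -> Credit System deny come
from the slides; other numbers, bindings and the permit-all default are
constructed assumptions.
"""
from dataclasses import dataclass

SGT = {"Employee": 10, "Contractor": 20, "Things": 30,
       "Guest_Users": 40, "Credit_System": 50}          # 40 and 50 constructed
VN = {"Campus": 4099, "IoT": 4100, "Guest": 4101}         # constructed VN IDs

# Static classification: L2 port -> (VN, group). Dynamic classification: the
# authorization result ("if Employee then SGT 10") -> (VN, group).
STATIC_PORT_MAP = {"Gi1/0/24": ("IoT", "Things")}
AUTHZ_POLICY = {"Employee": ("Campus", "Employee"),
                "Contractor": ("Campus", "Contractor"),
                "Guest": ("Guest", "Guest_Users")}


@dataclass(frozen=True)
class Contract:
    classifier: str   # "port", "protocol" or "application"
    match: object     # port number, protocol name or application name
    action: str       # "permit", "deny" or "copy"


# SGACL matrix: (source SGT, destination SGT) -> contracts evaluated in order.
SGACL = {
    (SGT["Guest_Users"], SGT["Credit_System"]): [Contract("port", 443, "deny")],
    (SGT["Contractor"], SGT["Credit_System"]): [Contract("port", 443, "deny"),
                                                Contract("protocol", "icmp", "permit")],
    (SGT["Employee"], SGT["Credit_System"]): [Contract("port", 22, "copy"),
                                              Contract("port", 443, "permit")],
}
DEFAULT_ACTION = "permit"   # assumption: unlisted group pairs are permit-all


def classify(port, identity_group=None):
    """Ingress edge: static per-port mapping first, else the dynamic authorization
    result. Returns (VN ID, SGT), or None when the endpoint gets no group."""
    if port in STATIC_PORT_MAP:
        vn_name, sgt_name = STATIC_PORT_MAP[port]
    elif identity_group in AUTHZ_POLICY:
        vn_name, sgt_name = AUTHZ_POLICY[identity_group]
    else:
        return None
    return VN[vn_name], SGT[sgt_name]


def propagate(vn, sgt, dst_ip, proto, dport=None, app=None):
    """The context an egress edge reads back out of the VXLAN-GPO header."""
    return {"vn": vn, "sgt": sgt, "dst_ip": dst_ip, "proto": proto, "dport": dport, "app": app}


def matches(contract, pkt):
    if contract.classifier == "port":
        return pkt["dport"] == contract.match
    if contract.classifier == "protocol":
        return pkt["proto"] == contract.match
    return pkt["app"] == contract.match


def enforce(pkt, bindings):
    """Egress edge: macro check (destination must exist in the packet's VN), then
    the SGACL cell for (source SGT, destination SGT). Returns (verdict, mirror, reason)."""
    dst_sgt = bindings.get((pkt["vn"], pkt["dst_ip"]))
    if dst_sgt is None:
        return ("deny", False, "destination not in VN %d" % pkt["vn"])
    for contract in SGACL.get((pkt["sgt"], dst_sgt), []):
        if matches(contract, pkt):
            reason = "%d->%d %s=%s" % (pkt["sgt"], dst_sgt, contract.classifier, contract.match)
            if contract.action == "copy":           # copy = permit plus a mirrored copy
                return ("permit", True, reason + " (copied)")
            return (contract.action, False, reason)
    return (DEFAULT_ACTION, False, "default")


def scenario():
    # Destination bindings the egress edge holds: (VN ID, IP) -> SGT (constructed)
    bindings = {(VN["Campus"], "10.3.3.10"): SGT["Credit_System"],
                (VN["Campus"], "10.2.2.2"): SGT["Employee"]}
    cases = {
        "guest_https":      (classify("Gi1/0/5", "Guest"), "10.3.3.10", "tcp", 443),
        "contractor_https": (classify("Gi1/0/6", "Contractor"), "10.3.3.10", "tcp", 443),
        "contractor_icmp":  (classify("Gi1/0/6", "Contractor"), "10.3.3.10", "icmp", None),
        "employee_https":   (classify("Gi1/0/7", "Employee"), "10.3.3.10", "tcp", 443),
        "employee_ssh":     (classify("Gi1/0/7", "Employee"), "10.3.3.10", "tcp", 22),
        "employee_peer":    (classify("Gi1/0/7", "Employee"), "10.2.2.2", "tcp", 445),
        "things_to_user":   (classify("Gi1/0/24"), "10.2.2.2", "tcp", 80),
    }
    results = {}
    for name, ((vn, sgt), dst, proto, dport) in cases.items():
        results[name] = enforce(propagate(vn, sgt, dst, proto, dport), bindings)
    results["unauthenticated"] = classify("Gi1/0/8", None)   # no VN, no SGT
    return results


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print("%-17s %s" % (name, verdict))
```

Two of the cases show the hierarchy from the Macro and Micro Level slides: the guest and the IoT device are both denied before any SGACL is consulted, because their VN has no binding for the destination, while the contractor and the employee are in the same VN as the Credit System and are told apart only by the group pair.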
SD-Access Fabric
Unique Policy-Plane Extensions compared to CTS

Capability: SGT Propagation
• Traditional CTS: Enabled hop-by-hop, or by Security-Group Exchange Protocol (SXP) sessions
• SD-Access Policy: Carried with the data traffic inside VXLAN-GPO (overlay) end-to-end

Capability: VN Integration
• Traditional CTS: Not Supported
• SD-Access Policy: VN + SGT-aware Firewalls

Capability: Access Control Policy
• Traditional CTS: Yes
• SD-Access Policy: Yes

Capability: QoS (App) Policy
• Traditional CTS: Not Supported
• SD-Access Policy: App based QoS policy, to optimize application traffic priority

Capability: Traffic Copy Policy
• Traditional CTS: Not Supported
• SD-Access Policy: SRC/DST based Copy policy (using ERSPAN) to capture data traffic
What is Cisco DNA Center?

Controller
Fundamentals
1. Architecture
2. User Interface
3. Workflows
Cisco DNA Center
SD-Access – Key Components

• ISE Appliance (SNS 3500 Series): Cisco ISE 2.3, Identity & Policy (Identity Services Engine), integrated with Cisco DNA Center over API
• DNA Center Appliance (DN1-HW-APL): Cisco DNA Center API (Design | Policy | Provision | Assurance) on top of NCP (Network Control Platform, Automation) and NDP (Network Data Platform, Assurance), each exposing its own API

Toward the Campus Fabric (Cisco Switches | Cisco Routers | Cisco Wireless):
• Identity Services Engine: AAA, RADIUS, EAPoL
• Network Control Platform: NETCONF, SNMP, SSH
• Network Data Platform: HTTPS, NetFlow, Syslogs
Cisco DNA Center
Appliance Models & Specifications

DN1-HW-APL (Clusters with same SKU and DN2-HW-APL)
• Specs: Based on UCS M4; 44 cores; 256 GB RAM; 12 TB SSD; List Price: $77,160
• Scale and Performance: 5000 Devices (1000 Switches/Routers/WLC + 4000 APs); 25,000 Clients
• SDA Design: Small or Medium

DN2-HW-APL (NEW; Clusters with same SKU and DN1-HW-APL)
• Specs: Based on UCS M5; 44 cores; 256 GB RAM; 16 TB SSD; List Price: $88,674
• Scale and Performance: 5000 Devices (1000 Switches/Routers/WLC + 4000 APs); 25,000 Clients
• SDA Design: Small or Medium

DN2-HW-APL-L (NEW; Clusters with same SKU only)
• Specs: Based on UCS M5; 56 cores; 384 GB RAM; 16 TB SSD; List Price: $147,495
• Scale and Performance: 8000 Devices (2000 Switches/Routers/WLC + 6000 APs); 40,000 Clients
• SDA Design: Medium or Large
Cisco DNA Center
High Availability Cluster

Single Appliance for Cisco DNA (Automation + Assurance)

1 or 3 appliance HA Cluster (more in future)
- Odd number to achieve quorum of distributed system

Seen as 1 logical DNAC instance
- Connect to Virtual (Cluster) IP
- Rare need to access individual nodes (e.g. SSH)

Individual apps on Maglev cluster: 2 nodes active/sharing + 1 redundant
- Some services run multiple copies spread across nodes (e.g. databases)
- Other services run single copy and migrate from failed to redundant node
Cisco DNA Center
Automated Provisioning and Telemetry Enrichment

[Diagram: Network Control Platform (NCP) and Network Data Platform (NDP) above the Campus Fabric (Border and Control Plane nodes)]
- Exchanged between NCP and NDP: Telemetry, Alerts, Violations, Path Trace information; Intent, Inventory, Topology, Host, Group, Network State changes
- NCP to Campus Fabric: Configuration Automation, Telemetry Configuration
- Campus Fabric to NDP: Data Collection, Telemetry Data
Cisco DNA Center and ISE integration
Identity and Policy Automation

[Diagram]
- Cisco Identity Services Engine: Authentication and Authorization Policies; Groups and Policies
- ISE and Cisco DNA Center exchange data over pxGrid and REST APIs
- Cisco DNA Center: Fabric Management Workflows; Policy Authoring
- Campus Fabric beneath both
Cisco DNA Center and ISE integration
ISE roles in SD-Access

[Diagram: ISE personas and their relationship to DNA Center, Network Devices and endpoints]
- ISE-PAN (Policy Administration Node): Admin/Operate; Config Sync with DNA-Center over REST
- ISE-PXG (pxGrid node): Context to DNA-Center over pxGrid
- ISE-PSN (Policy Service Node): authenticates Users, Devices and Things via the Network Devices
- ISE-MNT (Monitoring node)

Authorization Policy
  if Employee then SGT 10
  if Contractor then SGT 20
  if Things then SGT 30

pxGrid Exchange Topics
  TrustSecMetaData: SGT Name: Employee = SGT 10; SGT Name: Contractor = SGT 20; ...
  SessionDirectory*: Bob with Win10 on CorpSSID
  * Future Plan
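To make the first-match ordering of the authorization rules and the SGT name-to-value mapping concrete, here is an added Python model; it is not ISE or Cisco DNA Center code and not from this deck. The rule outcomes (Employee = SGT 10, Contractor = SGT 20, Things = SGT 30) and the session fields (Bob, Win10, CorpSSID) come from the slide; the data structures, the function names and the policy consistency check are this example's own assumptions.

```python
"""Added example (not Cisco's code): a toy model of the ISE authorization
flow on the slide.  Ordered authorization rules map an identity to a
Scalable Group Tag (SGT) by name, the TrustSecMetaData topic carries the
SGT name -> value list, and a SessionDirectory-style record carries the
result for one endpoint session.  Field and function names are assumed."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# TrustSecMetaData as published over pxGrid: SGT name -> numeric value.
# Employee = 10, Contractor = 20 and Things = 30 are the values on the slide.
TRUSTSEC_METADATA: Dict[str, int] = {"Employee": 10, "Contractor": 20, "Things": 30}


@dataclass
class Session:
    user: str
    identity_groups: FrozenSet[str]   # groups ISE resolved for the identity
    device_os: str
    ssid: str
    sgt: Optional[int] = None         # filled in by authorize()


@dataclass
class AuthzRule:
    name: str
    condition: Callable[[Session], bool]
    sgt_name: str   # rules assign an SGT *name*; the value comes from metadata


# Ordered, first-match rule set: "if Employee then SGT 10", and so on.
POLICY: List[AuthzRule] = [
    AuthzRule("Employees", lambda s: "Employee" in s.identity_groups, "Employee"),
    AuthzRule("Contractors", lambda s: "Contractor" in s.identity_groups, "Contractor"),
    AuthzRule("Things", lambda s: "Things" in s.identity_groups, "Things"),
]


def validate_policy(policy: List[AuthzRule], metadata: Dict[str, int]) -> List[str]:
    """Consistency check: every SGT a rule assigns must exist in TrustSecMetaData.
    Returns the names that are missing (empty list means the policy is consistent)."""
    return sorted({r.sgt_name for r in policy} - set(metadata))


def authorize(session: Session, policy: List[AuthzRule] = POLICY,
              metadata: Dict[str, int] = TRUSTSEC_METADATA) -> Tuple[Optional[str], Optional[int]]:
    """Evaluate rules top-down; the first match wins, as ISE does.
    No match leaves the session untagged (sgt None) rather than guessing a tag."""
    missing = validate_policy(policy, metadata)
    if missing:
        raise ValueError(f"policy references undefined SGTs: {missing}")
    for rule in policy:
        if rule.condition(session):
            session.sgt = metadata[rule.sgt_name]
            return rule.name, session.sgt
    session.sgt = None
    return None, None


def session_directory_entry(session: Session) -> Dict[str, object]:
    """Shape of the context a SessionDirectory topic would carry for one session."""
    return {"user": session.user, "os": session.device_os,
            "ssid": session.ssid, "sgt": session.sgt}


if __name__ == "__main__":
    bob = Session("Bob", frozenset({"Employee"}), "Win10", "CorpSSID")   # constructed
    print(validate_policy(POLICY, TRUSTSEC_METADATA))
    print(authorize(bob))
    print(session_directory_entry(bob))
```

The consistency check is the part worth keeping in a real deployment: a rule that assigns an SGT name with no TrustSecMetaData entry produces a tag the fabric carries but no policy matrix row describes, which is the kind of gap that is only noticed once traffic is silently permitted or dropped.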
What is Cisco DNA Center?

Controller Fundamentals
1. Architecture
2. User Interface
3. Workflows

SD-Access
CLI and API vs. GUI

Campus Fabric: Command Line (CLI)
  • Templates / Macros
  • Customized Workflows
  • Box-by-Box Management

Campus Fabric: Programmable APIs
  • NETCONF / YANG
  • Automated Workflows
  • Box-by-Box Management

SD-Access: DNA Center GUI
  • Cross-App REST APIs
  • Automated Workflows
  • Centralized Management
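As an added example (not Cisco's code and not from this deck), this is how the REST API behind the DNA Center GUI is consumed from a script: obtain a short-lived token, then query the device inventory. The two URL paths and the Token field follow Cisco's published DNA Center Intent API; the host name dnac.example.internal, the credentials read from environment variables and the sample inventory JSON are this example's own assumptions.

```python
"""Added example (not Cisco's code): calling Cisco DNA Center's northbound
REST API, the "Cross-App REST APIs" column on the slide.  The two URL paths
are Cisco's published Intent API paths; the host name, credentials and the
sample JSON reply are constructed for this example."""
import base64
import json
import os
import ssl
import urllib.request
from typing import Any, Dict, List, Tuple

DNAC_HOST = "dnac.example.internal"   # placeholder host, not a real appliance


def token_request(host: str, username: str, password: str) -> urllib.request.Request:
    """POST /dna/system/api/v1/auth/token with HTTP Basic credentials.
    The reply carries a short-lived token; the password is not sent again."""
    cred = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{host}/dna/system/api/v1/auth/token",
        method="POST",
        headers={"Authorization": f"Basic {cred}", "Content-Type": "application/json"},
    )


def inventory_request(host: str, token: str) -> urllib.request.Request:
    """GET /dna/intent/api/v1/network-device, authenticated with X-Auth-Token."""
    return urllib.request.Request(
        f"https://{host}/dna/intent/api/v1/network-device",
        headers={"X-Auth-Token": token, "Accept": "application/json"},
    )


def send(req: urllib.request.Request, opener=None) -> Dict[str, Any]:
    """Send a request and decode the JSON body.  The default opener verifies the
    appliance's TLS certificate against the system trust store; pass an opener
    only to substitute a test double, never to switch verification off."""
    if opener is None:
        ctx = ssl.create_default_context()
        opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    with opener.open(req) as resp:
        return json.loads(resp.read().decode())


def summarize_devices(inventory: Dict[str, Any]) -> List[Tuple[str, str, str]]:
    """Reduce the inventory reply to (hostname, role, reachabilityStatus) rows,
    tolerating devices that have not yet been classified."""
    rows = []
    for dev in inventory.get("response", []):
        rows.append((dev.get("hostname", "?"),
                     dev.get("role", "UNKNOWN"),
                     dev.get("reachabilityStatus", "Unknown")))
    return rows


# Constructed sample of the shape /network-device returns (fields trimmed).
SAMPLE_INVENTORY = {"response": [
    {"hostname": "fabric-border-1", "role": "BORDER ROUTER", "reachabilityStatus": "Reachable"},
    {"hostname": "fabric-edge-7", "role": "ACCESS", "reachabilityStatus": "Unreachable"},
    {"hostname": "new-switch", "reachabilityStatus": "Reachable"},
]}


if __name__ == "__main__":
    # Credentials come from the environment so they never sit in the script.
    user = os.environ.get("DNAC_USER", "")
    pw = os.environ.get("DNAC_PASSWORD", "")
    if user and pw:
        token = send(token_request(DNAC_HOST, user, pw))["Token"]
        rows = summarize_devices(send(inventory_request(DNAC_HOST, token)))
    else:
        rows = summarize_devices(SAMPLE_INVENTORY)   # offline demonstration
    for row in rows:
        print(*row)
```

Two choices matter here. The Basic credentials are used exactly once, to mint the token, and every later call carries only the token. Certificate verification stays on through ssl.create_default_context(); this is the setting quick scripts most often disable, and a controller that can push configuration to every fabric node is the last place to accept an unverified endpoint.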
Cisco DNA Center
4 Step Workflow

Design
  • Global Settings
  • Site Profiles
  • DDI, SWIM, PNP
  • User Access

Policy
  • Virtual Networks
  • ISE, AAA, Radius
  • Endpoint Groups
  • Group Policies

Provision
  • Fabric Domains
  • CP, Border, Edge
  • Fabric WLC, AP
  • External Connect

Assurance
  • Health Dashboard
  • 360° Views
  • Net, Device, Client
  • Path Traces

System Settings & Integration
App Management & High Availability
Assure

Take Away
Things to Remember

Session Summary

SD-Access = Campus Fabric + Cisco DNA Center

[Diagram: Campus Fabric (Border and Control Plane nodes) managed by Cisco DNA Center]
Simple Workflows: DESIGN | PROVISION | POLICY | ASSURANCE
SD-Access Support
Digital Platforms for your Cisco Digital Network Architecture

For more details: cs.co/sda-compatibility-matrix

What to Do Next?
SD-Access Resources
Would you like to know more?

cisco.com/go/dna | cisco.com/go/sdaccess | cisco.com/go/dnacenter | cisco.com/go/cvd

• SD-Access At-A-Glance
• SD-Access Ordering Guide
• SD-Access Solution Data Sheet
• SD-Access Solution White Paper
• SD-Access Design Guide
• SD-Access Deployment Guide
• SD-Access Segmentation Guide
• Cisco DNA Center At-A-Glance
• Cisco DNA ROI Calculator
• Cisco DNA Center Data Sheet
• Cisco DNA Center 'How To' Video Resources
Complete your online Session Survey
• Please complete your Online Survey immediately after each Session
• Complete 4 Session Surveys AND the Overall Conference Survey (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Events Mobile App or the Communication Stations
Don’t forget: Cisco Live sessions will be available on demand after the event at ciscolive.cisco.com
Continue Your Education
• Demos in the Cisco Campus
• Walk-In Self-Paced Labs
• Meet The Engineer 1:1 meetings
• Related Training Sessions
Thank You
