BRKCRS-2811
BRKCRS-2811 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Cisco Software-Defined Access
Sessions are available Online @ CiscoLive.com
Related session grid (Monday June 10 to Thursday June 13, slots 08:00-11:00, 11:00-13:00, 13:00-15:00 and 15:00-18:00): BRKARC-2020, BRKARC-2009, BRKCRS-3811, BRKEWN-2021 and BRKEWN-2020 (grid labels: Troubleshoot, Why SDA, Policy, Live Setup, Wireless).
Cisco’s Intent-Based Networking
Delivered by Cisco Software Defined Access
(Diagram: Policy, Automation and Analytics layered over Control, Fabric and Security; domains shown are Data Center (ACI), Branch (SD-WAN), Wireless, Edge, SaaS and Learning.)
Software Defined Access
Networking at the speed of Software!
(Diagram with Cisco DNA Center at the centre:)
• Identity-Based Policy & Segmentation – Decoupled security policy from VLAN and IP Address
• Policy Automation
• Automated Network Fabric – Single Fabric for Wired & Wireless with workflow Automation
• Insights & Telemetry – Analytics and Insights into User and Application behavior
• User Mobility – Policy stays with user
• SDA Extension; IoT Network and Employee Network
What is Cisco SD-Access?
Campus Fabric + Cisco DNA Center (Automation and Assurance)
▪ Cisco SD-Access – GUI approach provides automation and assurance of all Fabric configuration, management and group-based policy
▪ Campus Fabric – CLI or API approach to build a LISP + VXLAN + CTS Fabric overlay for your enterprise Campus networks
(Diagram: Cisco DNA Center 1.X bringing together APIC-EM, NCP, NDP, ISE and PI; fabric nodes shown as B (border) and C (control plane).)
Agenda
Current State Topology of the Campus Network
(Diagram: VXLAN Fabric, ACI Fabric and Internet Edge.)
Fabric Role / Platform: Access Node – Cat3K/9300, Cat4K/9400
End state Topology of the SD-Access Fabric
(Diagram: the SDA Fabric Domain with Edge Nodes, Intermediate Nodes, Border nodes, WLCs and FEW; an Internet Edge/Border with Guest; a Shared Services/DC and WAN Services Edge Border (VRF-Lite) toward the ACI Fabric and VXLAN Fabric with Centralized EVPN; a WAN edge toward IWAN (MC, HR, CarrierE) and MPLS using VXLAN, eBGP-IPv4 and MPLS; IWAN Sites and WAN Sites.)
SDA Fabric Border
What do customers need to know about the Fabric Border?
Cisco SD-Access Border
Border Nodes – A Closer Look
Border Node is an entry & exit point for all data traffic going in & out of the Fabric
There are 3 Types of Border Node!
• Rest of Company (Internal)
  • Used for “Known” Networks
• Outside World (External)
  • Used for “Unknown” Routes outside your company
• Anywhere (Internal & External)
  • Used to access ”Known & Unknown” destinations
(Diagram: B = border node, C = control plane node.)
SD-Access Border
Internal Border – Rest of the Company
• Connects the Fabric network to known networks.
• Known networks are generally WAN, DC, Shared Services, etc.
• Advertising fabric prefixes to external domain.
• Imports external prefixes into fabric domain.
(Diagram: Internal Border (B) with control plane (C) connecting the fabric to Data Center, WAN and Shared Services; Internet shown separately.)
SD-Access Border
External Border – Outside World
(Diagram: Data Center, WAN.)
SD-Access Border
Anywhere Border – Internal & External
(Diagram: Edge Node, IP Network, Border (B), DC Edge, Datacenter, WAN.)
SD-Access Fabric
When dedicated borders are used (Internal & External)
(Diagram: Edge Node, IP Network; one Border toward WAN/Branch and one Border toward the Datacenter.)
Cisco SD-Access Transit Types
Cisco SD-Access Transit
Understanding Transit Types
IP Transit
Cisco SD-Access for Distributed Campus
Why IP Based Transit?
• MTU too small for VXLAN Header
• Service Insertion
(Diagram: Cloud, Data Centre.)
Cisco SD-Access for Distributed Campus
Why Cisco SD-Access Transit?
• Fully Automated Site-to-Site Connection
• Seamless Policy Propagation
(Diagram: Cloud, Data Centre, Campus 1, Campus 2, Campus 3.)
Cisco SD-Access for Distributed Campus
IP Transit
Control-plane: LISP in Fabric Site 1 | IGP/BGP across the IP Transit | LISP in Fabric Site 2
Data+Policy-plane: VXLAN+SGT in Fabric Site 1 | SXP with ISE across the IP Transit | VXLAN+SGT in Fabric Site 2
(Diagram: each site with control plane (C) and border (B) nodes, both sites managed by Cisco DNA-Center.)
IP Transit Border Hand off
Control-plane: LISP inside the fabric → BGP at the border → External Domain (BGP/IGP)
Data-plane: VXLAN inside the fabric → VRF-Lite at the border → External Domain (IP/MPLS/VXLAN)
Policy-plane (* Manual): SGT in VXLAN inside the fabric → SGT Tagging at the border → External Domain (IP ACL/SGT)
(Diagram: control plane (C), borders (B) and the External Domain.)
Creating an IP Transit
IP-Transit
• Select the external handoff protocol as BGP from the drop-down
• Specify the remote BGP AS number
Cisco SD-Access Transit
Cisco SD-Access for Distributed Campus
Why Cisco SD-Access Transit?
• With Cisco SD-Access for distributed Campus, you can achieve end-to-end segmentation with consistent policy across sites
• From the policy perspective, all sites behave as one
(Diagram: Cloud, Data Center and HQ joined by the SD-Access Transit.)
Cisco SD-Access Transit
Control-plane: LISP in each fabric site and LISP across the Cisco SD-Access Transit
Data+Policy-plane: VXLAN+SGT end to end, in each site and across the transit
(Diagram: control plane (C) and border (B) nodes in each site, Transit Border nodes, Cisco DNA-Center managing all of them.)
Would you like to know more?
Cisco SD-Access for Distributed Campus
BRKCRS-2815
Cisco SD-Access – How to deploy a fabric in a large enterprise with thousands of sites.
This session covers:
• How to connect multiple fabrics
Border Deployment Use-Cases
SD-Access Border Deployment
Use Case 1 : Fabric Connecting to Unknown Networks
(Diagram: Fabric Edge Nodes, control plane (C), two borders (B) toward Internet and Public Cloud.)
SD-Access Border
Use Case 1 : Fabric Connecting to Unknown Networks
• Connects to any “unknown” IP prefixes (e.g. Internet, Public Cloud, 3rd Party, etc.)
(Diagram: Unknown destinations vs. Known Networks.)
SD-Access Border Deployment Options
Use Case 1 : Fabric Connecting to Unknown Networks – Automation
(Cisco DNA Center workflow screens; the final diagram shows DC, Branch, control plane (C) and two borders (B).)
SD-Access Border
Use Case 2 : Fabric Connecting to known Networks
• Exports all internal IP Pools to outside (as aggregate), using a traditional IP routing protocol(s).
SD-Access Border Deployment Options
Use Case 2 : Fabric Connecting to known Networks – Automation
(Cisco DNA Center workflow screens; Border Role = Rest of Company (Internal).)
SD-Access Border Deployment Options
Use Case 3 : Fabric Connecting to Known and Un-known Networks
(Diagram: Fabric Edge Nodes, control plane (C), two borders (B) toward Data Center, WAN and Internet.)
SD-Access Border Deployment Options
Use Case 3 : Fabric Connecting to Everywhere – Automation
(Cisco DNA Center workflow screens; external connectivity via an IP Transit.)
SD-Access Border Deployment
Connect to Internet ?
(Packet-walk diagram, steps 1 to 5: a host 10.1.1.1 in Campus Bldg 1 (subnet 10.1.1.0/24, behind Edge RLOC 1.1.1.1) resolves D.abc.com (DNS entry A 192.1.1.1) and sends 10.1.1.1 → 192.1.1.1. The Edge queries the Control Plane nodes (5.1.1.1), learns the exit point and encapsulates the packet as 1.1.1.1 → 2.1.1.1 with the inner 10.1.1.1 → 192.1.1.1; the Border (RLOC 2.1.1.1) decapsulates and forwards 10.1.1.1 → 192.1.1.1 onward. Other Edge RLOCs: 1.1.2.1, 1.1.3.1, 1.1.4.1; Campus Bldg 2 is 10.3.0.0/24.)
SD-Access Border
Border - Forwarding from External Domain to Fabric Domain
Routing Entry looked up by the Border at the Control Plane: EID-prefix: 10.1.1.1/32, Mapping Entry Locator-set: 1.1.1.1, priority: 1, weight: 100 (D1)
• Send traffic to exit point of domain (Internal Border)
• Path Preference Controlled by Destination Site
(Packet-walk diagram, steps 1 to 5: traffic 192.1.1.1 → 10.1.1.1 arrives from the Branch (192.1.1.0/24) at the Border (RLOC 2.1.1.1); the Border resolves 10.1.1.1 through the Control Plane nodes (5.1.1.1), receives the mapping entry above and encapsulates the packet as 2.1.1.1 → 1.1.1.1 with inner 192.1.1.1 → 10.1.1.1; Edge 1.1.1.1 decapsulates and delivers 192.1.1.1 → 10.1.1.1 to the host in Campus Bldg 1 (10.1.1.0/24). Other Edge RLOCs: 1.1.2.1, 1.1.3.1, 1.1.4.1; Campus Bldg 2 is 10.3.0.0/24.)
SD-Access Border Config
Internal Border Node
(Diagram: fabric subnet 10.1.1.0/24, BGP handoff to the IP Network, external subnet 192.1.1.0/24.)
• Add a Map Cache + Map-Request for Dynamic EIDs to trigger a lookup for traffic coming from outside
• Repeat for other IP Subnets and VRF’s in Fabric
Configuration shown on the slide:
  router lisp
   locator-table default
   locator-set border
    IPv4-interface Loopback0 priority 10 weight 10
   !
   eid-table vrf USER instance-id 10
    ipv4 map-cache site-registration
   exit
External Border
SD-Access Border
Default Border - Forwarding to External Domain
Mapping lookup result: EID-Prefix: Not found, map-cache miss → Locator-Set: (use-petr) Entry 3.1.1.1, priority: 1, weight: 100 (D1)
(Packet-walk diagram, steps 1 to 4: a host 10.2.0.1 in Campus Bldg 1 (10.2.0.0/24) sends 10.2.0.1 → 193.3.0.1 toward the INTERNET (193.3.0.0/24). Edge 1.1.2.1 asks the Control Plane nodes (5.1.1.1, 5.2.2.2); since no EID-prefix matches, it encapsulates the packet as 1.1.2.1 → 3.1.1.1 with inner 10.2.0.1 → 193.3.0.1 toward the Default Border 3.1.1.1, which forwards 10.2.0.1 → 193.3.0.1 to the Internet. Campus Bldg 2 is 10.3.0.0/24.)
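The two packet walks above (an Internal Border resolving a registered EID through the control plane, and an Edge steering a map-cache miss to the Default Border via use-petr) can be reproduced with a small model of the map-cache lookup. This Python block is an added example written for this page, not Cisco code or output from Cisco DNA Center; the prefixes, RLOCs, priorities and weights are constructed values taken from the slide figures, and the selection rule it implements (longest EID-prefix match, then the lowest priority value, with equal priorities sharing load by weight) is the standard LISP locator selection the slides rely on.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Locator:
    rloc: str       # RLOC of the ETR (edge or border node)
    priority: int   # lower value is preferred
    weight: int     # share of traffic among locators of equal priority


class MapCache:
    """Constructed model of the lookup a LISP ITR (edge or border) performs.

    An EID hit returns the usable locator set; a map-cache miss (no registered
    EID-prefix covers the destination) is steered to the PETR, i.e. the
    External/Default Border configured with 'ipv4 use-petr <rloc>'."""

    def __init__(self, petr: Optional[str] = None) -> None:
        self.entries: Dict[ipaddress.IPv4Network, List[Locator]] = {}
        self.petr = petr

    def register(self, eid_prefix: str, locators: List[Locator]) -> None:
        self.entries[ipaddress.ip_network(eid_prefix)] = list(locators)

    def resolve(self, dest: str) -> Tuple[str, List[Tuple[str, int]]]:
        """Return (matched EID-prefix or 'use-petr', [(rloc, weight), ...])."""
        addr = ipaddress.ip_address(dest)
        covering = [p for p in self.entries if addr in p]
        if not covering:
            # Map-cache miss: the only exit is the PETR (Default Border).
            return "use-petr", ([(self.petr, 100)] if self.petr else [])
        best = max(covering, key=lambda p: p.prefixlen)   # longest match wins
        locs = self.entries[best]
        top = min(loc.priority for loc in locs)
        # Every locator at the best priority is usable; weight splits the load.
        chosen = [(loc.rloc, loc.weight) for loc in locs if loc.priority == top]
        return str(best), chosen


def build_sample_cache() -> MapCache:
    """Constructed registrations matching the slide figures."""
    cache = MapCache(petr="3.1.1.1")  # Default Border from the map-cache-miss slide
    # Host 10.1.1.1 registered as a /32 behind Edge 1.1.1.1 (priority 1, weight 100)
    cache.register("10.1.1.1/32", [Locator("1.1.1.1", 1, 100)])
    # Subnet-level registration for Bldg 1, reachable through two edges
    cache.register("10.1.1.0/24", [Locator("1.1.1.1", 10, 50), Locator("1.1.2.1", 10, 50)])
    # External prefix imported by two internal borders, both priority 10 / weight 10
    cache.register("20.20.20.0/24", [Locator("192.168.12.10", 10, 10),
                                     Locator("192.168.12.11", 10, 10)])
    # A backup border at a worse (higher) priority is ignored while the primary is up
    cache.register("192.1.1.0/24", [Locator("2.1.1.1", 1, 100), Locator("2.1.1.2", 5, 100)])
    return cache


if __name__ == "__main__":
    cache = build_sample_cache()
    for dest in ("10.1.1.1", "10.1.1.50", "20.20.20.1", "192.1.1.1", "193.3.0.1"):
        print(dest, "->", cache.resolve(dest))
```

The 20.20.20.0/24 entry mirrors the lig output later in the deck: two border RLOCs at equal priority and weight, so the edge load-balances across both, which is the ECMP benefit the Border High Availability slide claims for multiple borders.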
SD-Access Border Config
External Border Node
(Diagram: IP Network with subnets 10.1.1.0/24, 150.1.1.0/24 and 192.1.1.0/24.)
• Fabric edge node has a default route to the External Border.
Configuration shown on the slide (fabric edge node):
  router lisp
   locator-table default
   locator-set edge
    IPv4-interface Loopback0 priority 10 weight 10
   !
   ipv4 use-petr 3.1.1.1
Anywhere Border
SD-Access Border Config
Anywhere Border Node
(Diagrams: fabric subnet 10.1.1.0/24 with a BGP handoff to the IP Network and 192.1.1.0/24; a second view with 10.1.1.0/24 and 150.1.1.0/24.)
Fabric Border/Control-Plane Platform Support
SD-Access Platforms
For more details: cs.co/sda-compatibility-matrix
Border/Control-Plane platform options (from the slide table):
• Catalyst 3650/3850 – 1/mG RJ45, 1/10G SFP, 1/10/40G NM Cards
• Catalyst 6500/6800 – Sup2T/Sup6T, C6800 Cards, C6880/6840-X
• Nexus 7700 – Sup2E, M3 Cards, LAN1K9 + MPLS
• ISR 4300/4400 – AppX (AX), 1/10G RJ45, 1/10G SFP
• ASR 1000-X/HX – AppX (AX), 1/10G ELC/EPA, 40G ELC/EPA
(The remaining platform slides are product images marked NEW.)
Fabric Border Design Considerations
SD-Access Fabric
Border Nodes – Collocated vs. Distributed
(Diagram: B and C on the same device vs. B and C on separate devices.)
Fabric Border Design Considerations
Use case 1: Border with Collocated Control Plane Node
NOTE: Control Plane node scale is different on different platforms (select accordingly)
Fabric Border Design Considerations
Use case 2: Border with Distributed Control Plane Node
(Diagram: Control-Plane Node (C) 5.1.1.1/32.)
• The Border node and Control plane node are different devices
  • Device 1 - Border node must perform export (and/or import) of routes between domains
  • Device 2 - Control Plane node maintains the database of every prefix/subnet in the Fabric Domain
• Additional configurations are required
  • Need additional protocol (iBGP) to share EID mapping information from Border to Control Plane node.
• Multiple Border nodes can connect to the same Control Plane nodes (single or set of)
NOTE: Control Plane node scale is different on different platforms (select accordingly)
Border & Control-Plane Co-located
SD-Access Border Automation
SD-Access simplifies Co-located Border and Control Plane provisioning with 1 step: Add as CP + Border
SD-Access Fabric Config
Border - Collocated with Control Plane Node
(Cisco DNA Center workflow screens.)
Border & Control-Plane Distributed
SD-Access Border Automation
SD-Access simplifies Distributed Border and Control Plane provisioning with 2 steps: Add as CP, then Add as Border
SD-Access Fabric Config
Border with Distributed Control Plane Node
(Diagram: Control-Plane Node (C) 5.1.1.1/32.)
• Control Plane operates as an IPv4 LISP Map-server & Map-resolver
• Fabric EID prefixes are exported from Control plane node to its own RIB (routing information base) with AD of “250”
• Add the IP prefixes to be mapped
• accept more-specific updates (e.g. /32)
Configuration shown on the slide (Control Plane node):
  router lisp
   locator-table default
   locator-set control_node
    IPv4-interface Loopback0 priority 10 weight 10
   !
   eid-table vrf USER instance-id 10
    ipv4 route-export site-registrations
    ipv4 distance site-registrations 250
   !
   site Campus
    authentication-key cisco
    eid-prefix instance-id 10 0.0.0.0/0 accept-more-specifics
    eid-prefix instance-id 10 10.1.1.0/24 accept-more-specifics
   !
   ipv4 map-server
   ipv4 map-resolver
SD-Access Fabric Config
Border with Distributed Control Plane Node
(Diagram: Control-Plane Node (C) 5.1.1.1/32.)
• The Border receives the EID prefix information from the Control Plane node through the iBGP connection.
• Border also imports the external prefixes into the LISP domain.
• Does not apply to Default Border
Configuration shown on the slide (Border node):
  router lisp
   locator-table default
   locator-set border
    IPv4-interface Loopback0 priority 10 weight 10
   !
   eid-table vrf USER instance-id 10
    ipv4 route-import database bgp 65555 locator-set border
   !
  router bgp 65555
   neighbor 5.1.1.1 remote-as 65555
   !
   address-family vpnv4
    neighbor 5.1.1.1 activate
    neighbor 5.1.1.1 send-community both
   !
Intermission
Guest Access Deployment Considerations
Guest Access Deployment
Guest as VN vs Dedicated GB/GCP
Guest as VN:
• Guest traffic using the same Border/Control plane as like any other VN
• Work flow automated from DNAC
• Simplified design solution.
• External handoff via VRF-Lite
Dedicated GB/GCP:
• A dedicated Border and Control plane for Guest VN
• Deploy as co-located or distributed nodes.
• Manual work flows required
• Identical to traditional Guest Anchor
• Ideal for stringent compliance requirements
(Diagram: on the left the shared Border (B) toward the Internet; on the right a dedicated Guest Border (GB) and Guest Control Plane (GCP) toward the Internet.)
Guest Access Design
Option1 : Guest as VN leveraging Common CP/B
(Diagram: SDA Fabric with control plane (C) and Border (B); User VN carries User traffic to the Intranet, Guest VN carries Guest traffic; host 10.10.10.40.)
Guest VN border hand off config
Step 1: Assign border role to a device
Step 2: Define the border parameters (BGP AS#, IP Pool for BGP handoff)
Guest VN border hand off config ..Contd
Step 4: Select the interface for transit
Step 5: Define the VN
Guest Access Design
Option2 : Guest as VN leveraging dedicated CP/B
(Diagram: SDA Fabric with Edge (E), control plane (C) and Border (B); host 10.10.10.40; WLC; dedicated Guest Border (GB) and Guest Control Plane (GCP) in the DMZ toward the Internet.)
• Guest border RLOC should be reachable in the Underlay
• End to End MTU of 9100
• Register Guest EIDs to Guest control plane (GCP)
• All Guest traffic terminated on a dedicated guest border (GB)
• East to west isolation can be achieved by micro segmentation (SGT).
Configuration shown on the slide (Guest VN):
  router lisp
   service ipv4
    eid-table vrf GUEST
    map-cache 0.0.0.0/0 map-request
    itr map-resolver 192.168.10.2
    etr map-server 192.168.10.2 key 7 02130752
    etr map-server 192.168.10.2 proxy-reply
    etr
    use-petr 192.168.10.2
    proxy-itr 192.168.41.5
   exit-service-ipv4
Enabling Border/CP
Step1: Enable a Guest VN
Step2: Create a Guest Border/CP (select Guest CP and Border role)
Border High-Availability (HA)
Border High Availability
Multiple Borders = better ECMP load-balancing
(Diagram: Host Pool 10 (10.1.1.0/24) behind an Edge in the SDA FABRIC; two Border Nodes, each with 10.1.1.1/24 on the host-pool side and an eBGP session outward, both advertising 10.1.1.0/24.)
• Interconnecting multiple borders will require manual workflows for cross-border communication.
• Extend the IGP underlay between the borders for routed access connectivity.
• Overlay prefixes are maintained at the border on a per VN basis.
• These prefixes should be shared across border using iBGP in the case of an External/Anywhere border.
Border High Availability Deployment
iBGP across borders
(Diagram: control plane (C) and two Borders (B) with loopbacks 1.1.1.1/32, 2.1.1.1/32 and 3.1.1.1/32; fabric side 10.1.1.1/24 and 10.1.1.0/24, external side 192.1.1.1/24 and 192.1.1.0/24; iBGP between the two borders.)
Border Resiliency Options
Multiple Borders - Loop Prevention
(Diagram: Host Pool 10 (10.1.1.0/24) behind Edge Node 1 in the SDA FABRIC; two Border Nodes (10.1.1.1/24), each with an eBGP session toward Shared Services (192.1.1.0/24).)
• eBGP is preferred to break any loops caused by the bidirectional advertisement (redistribution) of routes from the fabric to external domain (and vice-versa), when using multiple Internal Borders for redundancy.
• eBGP uses AS-Path loop prevention.
• If you are using any other protocol than eBGP, some appropriate loop prevention mechanism needs to be used (distribute-list, prefix-list, or route tags with route-map, etc).
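The loop the bullets above describe is easy to see once the redistribution path is written out: Border1 advertises the fabric prefix to the external domain, the external domain hands it back to Border2, and without a check Border2 would re-import its own fabric prefix as an external route. This Python block is an added example written for this page, not Cisco code; it models the three cases the slide names (eBGP AS-path loop detection, an IGP with route tags applied by a route-map, and an IGP with no filtering). The AS numbers 65001 and 65003 and the tag 1000 are constructed values, and the route objects are a simplification of real BGP/IGP state.

```python
from dataclasses import dataclass
from typing import Tuple

FABRIC_AS = 65001    # constructed: AS of the SD-Access borders
EXTERNAL_AS = 65003  # constructed: AS of the shared-services / fusion side
FABRIC_TAG = 1000    # constructed: route tag set when redistributing fabric prefixes


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...] = ()  # left-most entry is the AS that sent it last
    tag: int = 0                   # IGP route tag (0 = untagged)


def ebgp_send(local_as: int, r: Route) -> Route:
    """On an eBGP advertisement the sender prepends its own AS to AS_PATH."""
    return Route(r.prefix, (local_as,) + r.as_path, r.tag)


def ebgp_accept(local_as: int, r: Route) -> bool:
    """eBGP inbound: an UPDATE whose AS_PATH already contains the local AS is dropped."""
    return local_as not in r.as_path


def igp_redistribute(r: Route, tag: int) -> Route:
    """Redistributing fabric prefixes into an IGP through a route-map that sets a tag."""
    return Route(r.prefix, r.as_path, tag)


def igp_accept(r: Route, deny_tag: int = 0) -> bool:
    """Import filter: when deny_tag is set, routes carrying our own tag are refused."""
    return deny_tag == 0 or r.tag != deny_tag


def loop_prevented(method: str) -> bool:
    """Does Border2 refuse the fabric prefix that Border1 advertised and the
    external domain reflected back?  True means the loop is broken."""
    fabric_prefix = Route("10.1.1.0/24")
    if method == "ebgp":
        out = ebgp_send(FABRIC_AS, fabric_prefix)      # AS_PATH (65001)
        back = ebgp_send(EXTERNAL_AS, out)             # AS_PATH (65003, 65001)
        return not ebgp_accept(FABRIC_AS, back)        # own AS seen -> rejected
    if method == "igp-tagged":
        out = igp_redistribute(fabric_prefix, FABRIC_TAG)
        return not igp_accept(out, deny_tag=FABRIC_TAG)  # own tag seen -> rejected
    if method == "igp-untagged":
        out = igp_redistribute(fabric_prefix, 0)
        return not igp_accept(out)                     # nothing stops it -> loop
    raise ValueError(f"unknown method {method!r}")


if __name__ == "__main__":
    for m in ("ebgp", "igp-tagged", "igp-untagged"):
        print(f"{m:13s} loop prevented: {loop_prevented(m)}")
```

The tagged IGP case only works if both borders set the same tag on redistribution and deny it on import; eBGP needs no such coordination, which is why the slide prefers it.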
Border Resiliency (HA)
Resiliency at the Border
Track or propagate events across domains
(Diagram: SDA Fabric with Border nodes (B), IP Network, External Routers, External Domain.)
Resiliency at the Border
Use Case 1 : Track failures in the External Domain
Control-plane: LISP in the fabric, IGP/MP-BGP/BGP-EVPN in the external domain
Data-plane: VXLAN/+SGT in the fabric, IP/MPLS/VXLAN in the external domain
Failures & Changes in the External Domain
External advertisements to reflect state of the External Domain
(Diagram: Borders (B) between the SDA Fabric and the External Domain over the IP Network.)
Resiliency at the Border
Use Case 2.1 : Track failures in the Fabric Domain - Border & CP Co-located
Control-plane: LISP in the fabric, IGP/MP-BGP/BGP-EVPN in the external domain
Data-plane: VXLAN/+SGT in the fabric, IP/MPLS/VXLAN in the external domain
(Diagram: SDA Fabric, Border nodes (B), IP Network, External Routers, External Domain.)
Failures & Changes in the SD-Access Fabric
Internal redistribution of Fabric state into External Domain @ Border and CP Co-located
I. Border and Control plane Node Co-located
• Since Border and Control Plane node are Co-located, when a Failure happens the state of the network needs to be tracked and informed to the control plane node so that the fabric border can withdraw its route advertisements.
• To Track the state of the Network we can use either an EEM script or Object tracking.
• Since the above requires configurations on the border nodes, a workaround to alleviate this issue is explained in the next slide.
Resiliency at the Border
Use Case 2.2 : Track failures in the Fabric Domain - Border and CP Distributed
Control-plane: LISP in the fabric, with a BFD Adjacency between the Control Plane node (C) and the Border (B); IGP/MP-BGP/BGP-EVPN in the external domain
Data-plane: VXLAN/+SGT in the fabric, IP/MPLS/VXLAN in the external domain
Failures & Changes in the SD-Access Fabric
Internal redistribution of Fabric state into External Domain - Border and CP Distributed
• SDA fabric domain prefixes are advertised via BGP from Control Plane node to Border node
• BGP adjacencies between Control Plane and Border node are monitored with BFD
• Upon BFD adjacency failure, prefixes associated with the Border are withdrawn immediately
• Fast Convergence (150-200ms)
Failures & Changes in the SD-Access Fabric
Border uplink failure for External border
(Diagram: Control Plane (C) with BFD Adjacency to the Borders (B), IP Network, External Domain.)
Fabric Border Connectivity
Shared services
Fabric Border Connectivity
Shared Services (DHCP, AAA, etc) with Border
Shared Services (DHCP, AAA, etc) in Global Routing Table (GRT)
(Diagram: two Borders (B) and Cisco DNA Center; Control-Plane Node (C) 5.1.1.1/32; Host Pool 10 – Edge Node 1 – Border Node – Fusion Router – Shared Services.)
Shared Services (DHCP, AAA, etc) in a dedicated VRF
(Same layout: Host Pool 10 – Edge Node 1 – Border Node – Fusion Router – Shared Services.)
Layer 2 Border
Layer 2 border (*BRKCRS-2812 covers details on Migration)
L2 Border highlights
Data-plane: VXLAN on the fabric side, VLAN on the non-fabric side
(Diagram: SDA Fabric, Layer 2 Border (B), Trunk Port, single or port-channel* uplink. * Dual-Homing requires L2 MEC to prevent L2 loops.)
• The layer 2 Border maps vlan 1024 in fabric to vlan 100 in non fabric, same subnet in fabric and non-fabric
Layer 2 border Configurations
Fabric Edge: / Layer 2 Border:
Layer 2 Border Platforms
Fabric Constructs | Catalyst 3850 | Catalyst 9300 | Catalyst 9400 | Catalyst 9500
(Rows recovered from the slide table: C6K – NO / N/A; N7K – NO / N/A; ASR1K/ISR4K – NO / N/A)
SD-Access Border Node | Supported Software Release
(Rows recovered from the slide table: C6K – NO / N/A; N7K – NO / N/A; ASR1K/ISR4K – NO / N/A)
Layer 2 Border automation
Layer 2 Border deployment mode
(Diagram: Supported vs. Not Supported placements of the Layer 2 Border (B) with a Trunk Port and a single or port-channel* uplink; Host 1, Host 2 and Host 3 all in IP subnet 10.1.1.0/24.)
Policy Enforcement at Border
Border SXP Peering
• Enforcement in SD-Access fabric is done at the egress interface.
• Border needs to be configured as a SXP listener
• Border learns Destination SGT tag via SXP
• SXP peering is done on a per VN basis.
• Northbound traffic enforcement can be done at the Border node.
• Border inserts source SGT for southbound traffic
IP address to SGT bindings learned at the Border:
  IP address         SGT
  192.168.10.0/24    Enterprise APPS(10)
  192.168.20.0/24    IOT Server(20)
(Diagram: SD-Access Fabric with User VN and IOT VN behind the Border (B).)
Border SXP Peering
SXP Border Configurations
Step 1: Create a Loopback interface
  interface Loopback202
   vrf forwarding User
   ip address 100.100.100.1 255.255.255.255
  end
Border SXP Peering
Step 4: Configure SXP on the border node
  cts sxp enable
  cts sxp default password 7 096F471A1A0A333C2A4D
  cts sxp connection peer 192.168.100.2 source 100.100.100.1 password default mode local listener hold-time 0 0 vrf campus
  cts sxp connection peer 192.168.100.2 source 100.100.100.2 password default mode local listener hold-time 0 0 vrf IOT
  cts role-based enforcement vlan-list all
Border SXP Peering
Step 5: Verify SXP connections
sh cts sxp connections vrf corp
SXP : Enabled
Highest Version Supported: 4
Default Password : Set
Default Source IP: Not Set
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is not running
Peer-Sequence traverse limit for export: Not Set
Peer-Sequence traverse limit for import: Not Set
----------------------------------------------
Peer IP : 192.168.100.2
Source IP : 100.100.100.1
Conn status : On
Conn version : 4
Conn capability : IPv4-IPv6-Subnet
Conn hold time : 120 seconds
Local mode : SXP Listener
Connection inst# : 4
TCP conn fd : 1
TCP conn password: default SXP password
Hold timer is running
Duration since last state change: 0:03:12:17 (dd:hr:mm:sec)
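The fields worth checking in that output are the ones the earlier slide calls out: the border must be the SXP Listener for each VN and the connection must be On. This Python block is an added example written for this page, not a Cisco tool; it parses the per-connection section of the show cts sxp connections output above and flags anything that does not match the expected listener role. The first connection block is copied from the slide; the second block (peer 192.168.100.9, status Off, Speaker mode) is constructed to show how a broken peering is reported, and the list of expected peers is an assumption a practitioner would fill from their own design.

```python
import re
from typing import Dict, List

# First block copied from the slide output (show cts sxp connections vrf corp);
# the second block is a constructed failed connection for illustration.
SAMPLE_OUTPUT = """SXP : Enabled
Highest Version Supported: 4
Default Password : Set
Default Source IP: Not Set
----------------------------------------------
Peer IP : 192.168.100.2
Source IP : 100.100.100.1
Conn status : On
Conn version : 4
Conn capability : IPv4-IPv6-Subnet
Conn hold time : 120 seconds
Local mode : SXP Listener
Connection inst# : 4
TCP conn fd : 1
TCP conn password: default SXP password
Hold timer is running
Duration since last state change: 0:03:12:17 (dd:hr:mm:sec)
----------------------------------------------
Peer IP : 192.168.100.9
Source IP : 100.100.100.1
Conn status : Off
Conn version : 4
Local mode : SXP Speaker
Duration since last state change: 0:00:00:05 (dd:hr:mm:sec)
"""


def parse_sxp_connections(text: str) -> List[Dict[str, str]]:
    """Split the output on the dashed separators and turn every connection block
    into a dict of 'field: value' pairs.  The global header before the first
    separator is skipped; lines without a colon (e.g. 'Hold timer is running')
    are ignored."""
    blocks = re.split(r"^-{10,}\s*$", text, flags=re.MULTILINE)
    conns: List[Dict[str, str]] = []
    for block in blocks[1:]:
        fields: Dict[str, str] = {}
        for line in block.strip().splitlines():
            if ":" not in line:
                continue
            key, value = line.split(":", 1)   # split once: values may contain ':'
            fields[key.strip()] = value.strip()
        if "Peer IP" in fields:
            conns.append(fields)
    return conns


def check_border_listener(conns: List[Dict[str, str]], expected_peers: List[str]) -> List[str]:
    """A border should hold an 'On' connection, in Listener mode, to every expected
    SXP speaker.  Returns a list of human-readable problems (empty = healthy)."""
    problems: List[str] = []
    seen = {c.get("Peer IP") for c in conns}
    for peer in expected_peers:
        if peer not in seen:
            problems.append(f"{peer}: no SXP connection configured")
    for c in conns:
        peer = c.get("Peer IP", "?")
        if c.get("Conn status") != "On":
            problems.append(f"{peer}: connection status {c.get('Conn status')}")
        if c.get("Local mode") != "SXP Listener":
            problems.append(f"{peer}: local mode is {c.get('Local mode')}, border must be a listener")
    return problems


if __name__ == "__main__":
    parsed = parse_sxp_connections(SAMPLE_OUTPUT)
    for problem in check_border_listener(parsed, ["192.168.100.2", "192.168.100.9"]):
        print("PROBLEM:", problem)
```

Run this once per VRF (the slide shows vrf corp); because SXP peering is per VN, a healthy campus VRF says nothing about the IOT VRF.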
Border SXP Peering
Step 6: verify SGTs are received through SXP
show cts role-based sgt-map vrf corp all
Active IPv4-SGT Bindings Information
Cisco SD-Access
Fabric
Troubleshooting
Fabric Troubleshooting
Reference Topology
(Topology diagram: external destinations 8.8.8.8 and 20.20.20.0/24 behind the border nodes)
• Dedicated Control-Plane in use as the map-server/map-resolver
Fabric Troubleshooting
BGP neighbor summary on the border:

Neighbor   V  AS     MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.10.9.6  4  65003  11113   11109   121    0   0    1w0d    1
10.10.9.2  4  65003  11371   11370   104    0   0    1w0d    1
Fabric Troubleshooting
Step 3: Verify BGP external prefixes are imported into LISP database
Control-Plane#show lisp site
LISP Site Registration Information
* = Some locators are down or unreachable
# = Some registrations are sourced by reliable transport
Fabric Troubleshooting
instance-id 4099
remote-rloc-probe on-route-change
dynamic-eid User-Wired
database-mapping 10.10.0.0/24 locator-set rloc_fd642169-db4b-48ae-b511-ab0b3db0f4cd
exit-dynamic-eid
!
service ipv4
eid-table vrf User
map-cache 0.0.0.0/0 map-request
exit-service-ipv4
!
exit-instance-id
Fabric Troubleshooting
Step 5: Initiate traffic from Fabric Edge and verify LISP map-cache entry
Edge#lig instance-id 4099 20.20.20.1
Mapping information for EID 20.20.20.1 from 192.168.12.11 with RTT 142 msecs
20.20.20.0/24, uptime: 00:00:00, expires: 1d00h, via map-reply, complete
  Locator        Uptime    State  Pri/Wgt  Encap-IID
  192.168.12.10  00:00:00  up     10/10    -
  192.168.12.11  00:00:00  up     10/10    -

Callouts on the slide:
• 20.20.20.0/24 is the destination prefix in the BGP table
• The two locators show the prefix is reachable via Border1 & Border2
• Proxy ETR = External Border
Fabric Troubleshooting
Step 7: Verifying CEF entries
(Topology diagram: Internet destination 8.8.8.8 and Data Center prefix 20.20.20.0/24 behind the border nodes)

Edge#show ip cef vrf User 20.20.20.1
20.20.20.0/24
  nexthop 192.168.12.10 LISP0.4099
  nexthop 192.168.12.11 LISP0.4099

Edge#show ip cef vrf User 8.8.8.8
8.0.0.0/7
  nexthop 192.168.8.10 LISP0.4099
Take Away
When to get started?
SD-Access Support
For more details: cs.co/sda-compatibility-matrix
(Supported platform list; newly supported platforms include the ASR-1000-X)
What to Do Next?
• Get SD-Access Capable Devices with DNA Advantage OS License
• Get DNA Center Appliances with DNA Center Software
• Cisco Services can help you to Test - Migrate - Deploy
SD-Access - Cisco on Cisco
Live SD-Access Deployment @ Cisco Systems
• 750 Wired & Wireless SJC23 users
• 2 Fabric Border / Control-Plane Nodes
• 7 Fabric Edge Nodes
• 24 Fabric Access Points
• 3 Virtual Networks
• 16 Scalable Groups
• 2 Wireless SSIDs
• 8 Address Pools
Built and managed by the Cisco Engineering team, in conjunction with Cisco IT Services
SD-Access Testimonials
Live Customer SD-Access Deployments
375+ Production Deployments
www.cisco.com/c/en/us/solutions/enterprise-networks/network-architecture-customer-success-stories.html
SD-Access Resources
Would you like to know more?
cisco.com/go/dna
cisco.com/go/sdaccess
cisco.com/go/dnacenter
cisco.com/go/cvd
• SD-Access At-A-Glance
• SD-Access Ordering Guide
• SD-Access Solution Data Sheet
• SD-Access Solution White Paper
• SD-Access Design Guide
• SD-Access Deployment Guide
• SD-Access Segmentation Guide
• Cisco DNA Center At-A-Glance
• Cisco DNA ROI Calculator
• Cisco DNA Center Data Sheet
• Cisco DNA Center 'How To' Video Resources
SD-Access Resources
Would you like to know more?
cs.co/sda-resources
cs.co/sda-community
Complete your online session survey
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.
Continue your education
• Demos in the Cisco campus
• Walk-in labs
Thank you