
Cisco SD-Access

Connecting the Fabric to External Networks

Sandeep Joseph - Technical Marketing Engineer

BRKCRS-2811
BRKCRS-2811 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Cisco’s Intent-Based Networking
Delivered by Cisco Software Defined Access

[Figure: Cisco DNA Center (Policy, Automation, Analytics; Intent and Context) providing intent-based control over the Cisco SD-Access network infrastructure (Fabric Border, Fabric Edge, Control; switch, route, wireless), alongside ACI in the Data Center, SD-WAN for the branch, Wireless, SaaS, Learning and Security.]
Software Defined Access
Networking at the speed of Software!

• Identity-Based Policy & Segmentation: security policy decoupled from VLAN and IP Address
• Automated Network Fabric: single Fabric for Wired & Wireless with workflow Automation
• Insights & Telemetry: Analytics and Insights into User and Application behavior
• User Mobility: policy stays with the user (e.g. IoT Network, Employee Network)
• SDA Extension

[Figure: Cisco DNA Center above a fabric with Control-Plane (C) and Border (B) nodes connecting to the Outside.]
What is Cisco SD-Access?
Campus Fabric + Cisco DNA Center (Automation and Assurance)

▪ Cisco SD-Access
GUI approach provides automation and assurance of all Fabric configuration, management and group-based policy. Cisco DNA Center integrates multiple management systems (APIC-EM 1.X, NCP, NDP, ISE, PI) to orchestrate LAN, Wireless LAN and WAN access.

▪ Campus Fabric
CLI or API approach to build a LISP + VXLAN + CTS Fabric overlay for your enterprise Campus networks. CLI provides backwards compatibility, but management is box-by-box. Fabric API provides device automation via NETCONF/YANG. Separated management systems.
Roles & Terminology
What is Software Defined Access?

Cisco SD-Access
Fabric Roles & Terminology

▪ Network Automation – Simple GUI and APIs for intent-based Automation of wired and wireless fabric devices (Cisco DNA Center)
▪ Network Assurance – Data Collectors analyze Endpoint to Application flows and monitor fabric network status
▪ Identity Services – NAC & ID Services (e.g. Cisco ISE) for dynamic Endpoint to Group mapping and Policy definition
▪ Control-Plane Nodes – Map System that manages Endpoint to Device relationships
▪ Fabric Border Nodes – A fabric device (e.g. Core) that connects External L3 network(s) to the SD-Access fabric
▪ Fabric Edge Nodes – A fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SD-Access fabric
▪ Fabric Wireless Controller – A fabric device (WLC) that connects Fabric APs and Wireless Endpoints to the SD-Access fabric

[Figure: SD-Access Fabric with Control-Plane Nodes (C), Fabric Border Nodes (B), Intermediate Nodes (Underlay), Fabric Edge Nodes, Fabric Wireless Controllers and Fabric Access Points, attached to the IP network, Cisco DNA Center and Cisco ISE.]
Agenda

1 SDA Fabric Border Functionality
  • Different use cases for the SDA Border
  • Border Automation models

2 SDA Fabric Border Deep Dive
  • Rest of the Company (Internal)
  • Outside World (External)
  • Anywhere (Internal & External)
  • Border Layer 3 Hand off with VRF-Lite

3 SDA Fabric Border Design
  • Collocated Border + C-Plane
  • Distributed Border + C-Plane

4 SDA Fabric Border External Connectivity
  • Shared Services
Current State Topology of the Campus Network

[Figure: traditional campus with Access, Distribution and Core nodes, Internet Edge, Guest WLCs, Centralized WLCs, Shared Services, WAN edge (IWAN HR/MC), Carrier Ethernet, WAN sites (small, large and hybrid IWAN sites), a VXLAN Fabric and an ACI Fabric in the Data Center.]

Fabric Role – Platform
• Access Node – Cat3K/9300, Cat4K/9400
• Distribution Node – Cat3K/9300, Cat4K/9500, Cat6K/9500
• Core Node – Cat6K/9500, N7K
• WAN Agg – ASR1K-HX
• Centralized WLC – 8540, 5520, x800 APs
• WAN Edge – ASR1K, ISR4K
• Internet Edge – ASR9K, ASR1K, ISR4K
• Data Center – N9K (NX-OS), N7K (NX-OS), N9K (ACI)
• Security – ISE 2.1, ASA 55xx, Windows AD
End state Topology of the SD-Access Fabric

[Figure: SDA Fabric Domain with Edge Nodes, Intermediate Nodes and a FEW WLC; Internet Edge/Border (Guest WLCs, Internet); DC and WAN Services Edge/Border (Shared Services, Centralized WLCs, IWAN HR/MC, MPLS WAN edge using eBGP-IPv4/EVPN and VRF-Lite); ACI Fabric and VXLAN Fabric in the Data Center; Carrier Ethernet, IWAN Sites and WAN Sites.]
SDA Fabric Border
What do customers need to know about the Fabric Border?

Cisco SD-Access Border
Border Nodes – A Closer Look

Border Node is an entry & exit point for all data traffic going in & out of the Fabric.
There are 3 types of Border Node:

• Rest of the Company (Internal)
  • Used for “Known” Routes in your company
• Outside World (External)
  • Used for “Unknown” Routes outside your company
• Anywhere (Internal & External)
  • Used to access “Known & Unknown” destinations

[Figure: Fabric Edge Nodes, Control-Plane node (C) and Border nodes (B) connecting to Known Networks and Unknown Networks.]
SD-Access Border
Internal Border – Rest of the Company

• Connects the Fabric network to known networks.
• Known networks are generally WAN, DC, Shared Services, etc.
• Advertises fabric prefixes to the external domain.
• Imports external prefixes into the fabric domain.

SD-Access Border
External Border – Outside World

• Connects the Fabric network to unknown networks.
• Unknown networks are generally Internet prefixes, or are used to connect Cisco SD-Access transit.
• Advertises fabric prefixes to the external domain.
• Does NOT import external prefixes into the fabric domain.

SD-Access Border
Anywhere Border – Internal & External

• Connects to both Known and Unknown networks.
• Typically used when you have a common egress point to all destinations.
• Exports fabric prefixes to the external domain.
• Imports external prefixes into the fabric domain except the default route.

[Figure for each border type: Border nodes (B) and Control-Plane node (C) in the fabric, attached to Data Center, WAN, Shared Services and Internet.]
Why use dedicated border nodes?

SD-Access Fabric
Traffic hair pinning with Anywhere Border
[Figure: Edge Node in the IP Network, a single Anywhere Border toward the External Network, with the WAN Edge (WAN/Branch) and DC Edge (Datacenter) behind it.]

SD-Access Fabric
When dedicated borders are used (Internal & External)
[Figure: Edge Node in the IP Network, an External Border toward the External Network, and dedicated Borders toward WAN/Branch and Datacenter.]
Cisco SD-Access Transit Types

Cisco SD-Access Transit
Understanding Transit Types

• IP-Based Transit - Leverages a traditional IP-based (VRF-Lite, MPLS) network, which requires remapping of VRFs and SGTs between sites. This is typically used when connecting to Shared Services (WLC, DNS, DHCP, PSN…).
• Cisco SD-Access Transit - Enables a native Cisco SD-Access (LISP, VXLAN, CTS) fabric, with a domain-wide Control Plane node for inter-site communication.
IP Transit

Cisco SD-Access for Distributed Campus
Why IP Based Transit?

• MTU too small for VXLAN Header
• Service Insertion

Typical use cases
  o Internet Handoff
  o P2P IPSEC encryption
  o Policy Based Routing
  o WAN Accelerators
  o Traffic engineering
  o Mobile Backhaul

[Figure: HQ, Cloud and Data Centre, and Remote Branches 1 to 3 connected over INTERNET, MPLS and LTE.]

Cisco SD-Access for Distributed Campus
Why Cisco SD-Access Transit?

• Fully Automated Site-to-Site Connection
• Seamless Policy Propagation

Typical use cases
  o Sites in same Metro Area, Campus or even Building

[Figure: HQ, Cloud and Data Centre, and Campus 1 to 3 connected over Metro links.]
Cisco SD-Access for Distributed Campus
IP Transit

• Control-Plane: LISP inside Fabric Site 1, IGP/BGP across the IP Transit, LISP inside Fabric Site 2
• Data + Policy-Plane: VXLAN+SGT inside each site; SXP with ISE across the IP Transit

[Figure: Cisco DNA-Center above SDA Fabric Site 1 and Site 2, each with Control-Plane (C) and Border (B) nodes, joined by the IP Transit.]

IP Transit Border Hand off

• Control-Plane: LISP on the fabric side, BGP on the Border, BGP/IGP in the External Domain
• Data-Plane: VXLAN on the fabric side, VRF-Lite on the Border, IP/MPLS/VXLAN in the External Domain
• Policy-Plane (* Manual): SGT in VXLAN on the fabric side, SGT Tagging on the Border, IP ACL/SGT in the External Domain

[Figure: Control-Plane node (C) and Border nodes (B) handing off to the External Domain.]
Creating an IP Transit

IP-Transit
• Select the external handoff protocol as BGP from the drop-down
• Specify the remote BGP AS number
Cisco SD-Access Transit

Cisco SD-Access for Distributed Campus
Why Cisco SD-Access Transit?

• With Cisco SD-Access for distributed Campus, you can achieve end-to-end segmentation with consistent policy across sites
• From the policy perspective, all sites behave as one
• Separate forwarding of packets in data plane and control plane

[Figure: HQ, Cloud, Data Center and Campus 1 to 3 joined by the SD-Access Transit.]

Cisco SD-Access Transit

• Control-Plane: LISP in Fabric Site 1, LISP across the Cisco SD-Access Transit, LISP in Fabric Site 2
• Data + Policy-Plane: VXLAN+SGT end to end (Site 1, Transit, Site 2)

[Figure: Cisco DNA-Center above Cisco SD-Access Fabric Site 1 and Site 2, each with Control-Plane (C) and Border (B) nodes, joined through the Cisco SD-Access Transit Borders.]

Would you like to know more?
Cisco SD-Access for Distributed Campus

Check out the following session:

BRKCRS-2815
Cisco SD-Access – How to deploy a fabric in a large enterprise with thousands of sites.
This session covers:
• How to connect multiple fabrics
• How VNs and SGTs are related
• Fabric Transit design approaches
Border Deployment Use-Cases

SD-Access Border Deployment
Use Case 1 : Fabric Connecting to Unknown Networks
[Figure: Fabric Edge Nodes, Control-Plane node (C) and two Border nodes (B) connecting to the Internet and Public Cloud.]

SD-Access Border
Use Case 1 : Fabric Connecting to Unknown Networks

• Default Border is a “Gateway of Last Resort” for unknown destinations
• Connects to any “unknown” IP prefixes (e.g. Internet, Public Cloud, 3rd Party, etc.)
• Exports all internal IP Pools outside (as aggregate) into traditional IP routing protocol(s).
• Default Border is a “default” domain exit point, if no other (specific) entry is present in the Map System.
• Outside hand-off requires mapping the prefix context (VRF & SGT) from one domain to another.

[Figure: Fabric Edge Nodes, Control-Plane node (C) and Border nodes (B) between Known Networks and Unknown Networks.]

SD-Access Border Deployment Options
Use Case 1 : Fabric Connecting to Unknown Networks – Automation

• Click on the Node and add it as a Border
• Select the Node and add as a Border
• Border role > Outside World (External)
• IP Pool for eBGP handoff
• Select the IP-Transit (add the transit)
• Select the external interface for eBGP (add the interface for handover)
• Select the VN’s to extend
SD-Access Deployment Options
Use Case 2 : Fabric Connecting to Internal Networks
[Figure: Fabric Edge Nodes, Control-Plane node (C) and two Border nodes (B) connecting to the DC and a Branch.]

SD-Access Border
Use Case 2 : Fabric Connecting to known Networks

• Border advertises Endpoints to outside, and known Subnets to inside
• Connects to any “known” IP subnets attached to the outside network (e.g. DC, WLC, FW, etc.)
• Exports all internal IP Pools to outside (as aggregate), using traditional IP routing protocol(s).
• Imports and registers (known) IP subnets from outside into the Fabric Control Plane System
• Outside hand-off requires mapping the prefix context (VRF & SGT) from one domain to another.

[Figure: Fabric Edge Nodes, Control-Plane node (C) and Border nodes (B) between Known Networks and Unknown Networks.]

SD-Access Border Deployment Options
Use Case 2 : Fabric Connecting to known Networks – Automation

• Click on the Node and add it as a Border
• Select the Node and add as a Border
• Border Role = Rest of Company (Internal); Internal is the default as of 1.3.0.5
• Local BGP AS#
• IP Pool for eBGP handoff
• Select IP Transit, External Interface and VN’s to handoff
SD-Access Border Deployment Options
Use Case 3 : Fabric Connecting to Known and Un-known Networks
[Figure: Fabric Edge Nodes, Control-Plane node (C) and two Border nodes (B) connecting to the Data Center, WAN and Internet.]

SD-Access Border Deployment Options
Use Case 3 : Fabric Connecting to Everywhere – Automation

• Border Role = Anywhere (Internal & External), shown as Internal+External (Anywhere Border)
• Local BGP AS#
• IP Pool for BGP Handoff
• Select IP Transit, External Interface and VN’s to handoff

SD-Access Border Deployment
Connect to Internet?

• The Connect to Internet flag is only applicable for SDA transit
Fabric Border
Packet Flow & Deep Dive

Internal Border

SD-Access Border
Border - Forwarding from Fabric Domain to External Domain

[Figure: SDA Fabric with Edge nodes 1.1.1.1 and 1.1.2.1 (Campus Bldg 1, 10.1.1.0/24), 1.1.3.1 and 1.1.4.1 (Campus Bldg 2, 10.3.0.0/24); Control Plane nodes 5.1.1.1 and 5.2.2.2; Border 2.1.1.1 toward the Branch (192.1.1.0/24).]

1. Source S (10.1.1.1) resolves the DNS Entry: D.abc.com A 192.1.1.1
2. Packet 10.1.1.1 → 192.1.1.1 arrives at Edge 1.1.1.1
3. Mapping Entry from the Control Plane node: EID-prefix 192.1.1.0/24, Locator-set 2.1.1.1, priority: 1, weight: 100 (D1). Path Preference is controlled by the destination site.
4. Edge encapsulates 1.1.1.1 → 2.1.1.1 carrying 10.1.1.1 → 192.1.1.1 across the SDA Fabric
5. Border 2.1.1.1 decapsulates and forwards 10.1.1.1 → 192.1.1.1 to the Branch

SD-Access Border
Border - Forwarding from External Domain to Fabric Domain

1. Routing Entry in the Branch (192.1.1.0/24): send traffic to the exit point of the domain (Internal Border)
2. Packet 192.1.1.1 → 10.1.1.1 arrives at Border 2.1.1.1
3. Mapping Entry from the Control Plane node: EID-prefix 10.1.1.1/32, Locator-set 1.1.1.1, priority: 1, weight: 100 (D1). Path Preference is controlled by the destination site.
4. Border encapsulates 2.1.1.1 → 1.1.1.1 carrying 192.1.1.1 → 10.1.1.1 across the SDA Fabric
5. Edge 1.1.1.1 decapsulates and delivers 192.1.1.1 → 10.1.1.1 to destination D in Campus Bldg 1
SD-Access Border Config
Internal Border Node

[Figure: Host Pool 10 (10.1.1.1/24) - Edge Node 1 (1.1.1.1/32) - IP Network - Border Node (2.1.1.1/32) - BGP - External Domain (DC, WAN) 192.1.1.1/24; fabric prefix 10.1.1.0/24, external prefix 192.1.1.0/24.]

• The Border node advertises the EID prefix into the external protocol of choice (eBGP).
• The advertisement is summarized so that /32 host routes are not exposed to the external domain.
• Repeat for other IP Subnets and VRF’s in Fabric

  router lisp
   locator-table default
   locator-set border
    IPv4-interface Loopback0 priority 10 weight 10
  !
  router bgp 65004
   address-family ipv4 vrf USER
    redistribute lisp metric 10
    aggregate-address 10.1.1.0 255.255.255.0 summary-only
   exit-address-family

• The Border also imports the external prefixes into the Campus Fabric LISP domain.
• Repeat for other IP Subnets and VRF’s in Fabric

  router lisp
   locator-table default
   locator-set border
    IPv4-interface Loopback0 priority 10 weight 10
   !
   eid-table vrf USER instance-id 10
    ipv4 route-import database bgp 65004 locator-set border
   exit
  !

• Add a Map Cache + Map-Request for Dynamic EIDs
• Triggers a lookup for traffic coming from outside
• Repeat for other IP Subnets and VRF’s in Fabric

  router lisp
   locator-table default
   locator-set border
    IPv4-interface Loopback0 priority 10 weight 10
   !
   eid-table vrf USER instance-id 10
    ipv4 map-cache site-registration
   exit
External Border

SD-Access Border
Default Border - Forwarding to External Domain

[Figure: SDA Fabric with Edge nodes 1.1.1.1 and 1.1.2.1 (Campus Bldg 1, 10.2.0.0/24), 1.1.3.1 and 1.1.4.1 (Campus Bldg 2, 10.3.0.0/24); Control Plane nodes 5.1.1.1 and 5.2.2.2; Default Border 3.1.1.1 toward the INTERNET (193.3.0.0/24).]

1. Source S (10.2.0.1) sends 10.2.0.1 → 193.3.0.1 to Edge 1.1.2.1
2. Mapping Entry from the Control Plane node: EID-Prefix not found, map-cache miss. Locator-Set (use-petr): 3.1.1.1, priority: 1, weight: 100 (D1)
3. Edge encapsulates 1.1.2.1 → 3.1.1.1 carrying 10.2.0.1 → 193.3.0.1 across the SDA Fabric
4. Default Border 3.1.1.1 decapsulates and forwards 10.2.0.1 → 193.3.0.1 to destination D on the INTERNET
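The three packet-flow slides above (internal border in both directions, and the default border on a map-cache miss) as an added Python model that is not part of the deck: a Control-Plane node answering Map-Requests by longest-prefix match, and xTRs that consult their map-cache, fall back to a Map-Request, and finally to the use-petr default border. The topology, class names and the "drop when no PETR is configured" edge are constructed for illustration.

```python
"""Added example (not from the deck): a toy model of the LISP map-request /
map-cache forwarding the border packet-flow slides walk through, using the
deck's own RLOCs and EIDs.  Names and topology below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Registration:
    """One site registration held by the Control-Plane node (Map-Server)."""
    eid_prefix: ipaddress.IPv4Network
    rloc: str                 # locator the prefix is reachable through
    priority: int = 1
    weight: int = 100


class ControlPlaneNode:
    """Map-Server / Map-Resolver: answers Map-Requests by longest-prefix match."""

    def __init__(self) -> None:
        self.db: List[Registration] = []

    def register(self, eid: str, rloc: str) -> None:
        self.db.append(Registration(ipaddress.ip_network(eid), rloc))

    def map_request(self, eid: str) -> Optional[Registration]:
        addr = ipaddress.ip_address(eid)
        matches = [r for r in self.db if addr in r.eid_prefix]
        if not matches:
            return None            # negative map-reply: the xTR sees a map-cache miss
        return max(matches, key=lambda r: r.eid_prefix.prefixlen)


class TunnelRouter:
    """A fabric xTR (edge or border); use_petr mirrors 'ipv4 use-petr <rloc>'."""

    def __init__(self, rloc: str, cp: ControlPlaneNode,
                 use_petr: Optional[str] = None) -> None:
        self.rloc = rloc
        self.cp = cp
        self.use_petr = use_petr
        self.map_cache: Dict[str, Registration] = {}

    def resolve(self, dst_eid: str) -> Optional[str]:
        """RLOC to encapsulate toward: map-cache first, then a Map-Request, then PETR."""
        entry = self.map_cache.get(dst_eid)
        if entry is None:
            entry = self.cp.map_request(dst_eid)
            if entry is not None:
                self.map_cache[dst_eid] = entry      # populate the map-cache
        if entry is not None:
            return entry.rloc
        return self.use_petr       # default border if configured, else None = drop

    def forward(self, src_eid: str, dst_eid: str) -> Optional[Tuple[str, str, str, str]]:
        """VXLAN-encapsulate one packet: (outer_src, outer_dst, inner_src, inner_dst)."""
        next_rloc = self.resolve(dst_eid)
        if next_rloc is None:
            return None
        return (self.rloc, next_rloc, src_eid, dst_eid)


def build_fabric() -> Dict[str, TunnelRouter]:
    """Constructed topology: edges 1.1.1.1/1.1.2.1/1.1.3.1, internal border 2.1.1.1,
    default (external) border 3.1.1.1; all behind one Control-Plane node."""
    cp = ControlPlaneNode()
    cp.register("10.1.1.1/32", "1.1.1.1")     # dynamic EIDs registered by the edges
    cp.register("10.2.0.1/32", "1.1.2.1")
    # Prefix the internal border imported from BGP and registered on the CP node
    # ('ipv4 route-import database bgp 65004 locator-set border').
    cp.register("192.1.1.0/24", "2.1.1.1")
    return {
        "edge1": TunnelRouter("1.1.1.1", cp, use_petr="3.1.1.1"),
        "edge2": TunnelRouter("1.1.2.1", cp, use_petr="3.1.1.1"),
        "edge_no_petr": TunnelRouter("1.1.3.1", cp),        # no default border configured
        # the internal border also runs 'ipv4 map-cache site-registration', so it
        # issues Map-Requests for traffic entering from the external domain
        "internal_border": TunnelRouter("2.1.1.1", cp),
    }


if __name__ == "__main__":
    fab = build_fabric()
    print(fab["edge1"].forward("10.1.1.1", "192.1.1.1"))         # via internal border 2.1.1.1
    print(fab["edge2"].forward("10.2.0.1", "193.3.0.1"))         # map-cache miss -> PETR 3.1.1.1
    print(fab["edge_no_petr"].forward("10.3.0.1", "193.3.0.1"))  # None: no exit for unknown prefix
    print(fab["internal_border"].forward("192.1.1.1", "10.1.1.1"))
```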
SD-Access Border Config
External Border Node

[Figure: Host Pool 10 (10.1.1.1/24) - Edge Node 1 (1.1.1.1/32) - IP Network - Default Border Node (3.1.1.1/32) - Internet (172.1.1.1/24); prefixes 10.1.1.0/24, 150.1.1.0/24 and 192.1.1.0/24.]

• The EID prefixes are exported from the Control plane node to the Default Border node with AD of “250”
• The Border node only advertises the EID prefix into the external protocol of choice (BGP)
• Repeat for other IP Subnets and VRF’s in Fabric

  router lisp
   locator-table default
   locator-set border
    IPv4-interface Loopback0 priority 10 weight 10
   !
   eid-table vrf USER instance-id 10
    route-export site-registrations
    distance site-registration 250
   exit
  !
  router bgp 65004
   address-family ipv4 vrf USER
    redistribute lisp metric 10
    aggregate-address 10.1.1.0 255.255.255.0 summary-only
   exit-address-family

• Add a Map Cache + Map-Request for Dynamic EIDs
• Triggers a lookup for traffic coming from outside
• Repeat for other IP Subnets and VRF’s in Fabric

  router lisp
   locator-table default
   locator-set border
    IPv4-interface Loopback0 priority 10 weight 10
   !
   eid-table vrf USER instance-id 10
    ipv4 map-cache site-registration
   exit
  !

• Fabric edge node has a default route to the External Border.

  router lisp
   locator-table default
   locator-set edge
    IPv4-interface Loopback0 priority 10 weight 10
   !
   ipv4 use-petr 3.1.1.1
Anywhere Border

SD-Access Border Config
Anywhere Border Node

[Figure: Host Pool 10 (10.1.1.1/24) - Edge Node 1 (1.1.1.1/32) - IP Network - Border + Default Border Node (2.1.1.1/32 and 3.1.1.1/32) - BGP - External Domain (Internet + DC, WAN) 192.1.1.1/24 and 172.1.1.1/24; prefixes 10.1.1.0/24, 150.1.1.0/24 and 192.1.1.0/24.]

• The Border imports the external prefixes into the Campus Fabric LISP domain except the default route.
• Repeat for other IP Subnets and VRF’s in Fabric

  router lisp
   locator-table default
   locator-set border
    IPv4-interface Loopback0 priority 10 weight 10
   !
   eid-table vrf USER instance-id 10
    ipv4 route-import database bgp 65004 route-map deny_0.0.0.0/0 locator-set border
   exit
  !
  route-map deny_0.0.0.0/0 deny 10
   match ip address prefix-list deny_0.0.0.0/0
  !
  route-map deny_0.0.0.0/0 permit 20
  !
  ip prefix-list deny_0.0.0.0/0 permit 0.0.0.0/0

• Fabric edge node has a default route to the External Border.

  router lisp
   locator-table default
   locator-set edge
    IPv4-interface Loopback0 priority 10 weight 10
   !
   ipv4 use-petr 3.1.1.1
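An added static check, not from the deck or from Cisco DNA Center, that reads the Internal, External and Anywhere border snippets above and flags the hand-off mistakes those slides guard against: a missing summary-only aggregate (/32 host routes exposed to the external domain), an external border that imports prefixes or lacks the AD-250 export, and an Anywhere border whose route-import has no route-map denying 0.0.0.0/0. The sample configs are constructed from the slides (with redistribute lisp spelled out); the role names, the BorderFacts structure and the finding messages are this example's own.

```python
"""Added example, not from the deck: a static checker for the LISP/BGP hand-off
statements on the Internal, External and Anywhere border config slides.  Sample
configs are constructed from those slides (with 'redistribute lisp' spelled out);
roles, check names and messages are this example's own."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

BGP_HANDOFF = """\
router bgp 65004
 address-family ipv4 vrf USER
  redistribute lisp metric 10
  aggregate-address 10.1.1.0 255.255.255.0 summary-only
 exit-address-family
"""
INTERNAL_BORDER = """\
router lisp
 eid-table vrf USER instance-id 10
  ipv4 route-import database bgp 65004 locator-set border
 exit
!
""" + BGP_HANDOFF
EXTERNAL_BORDER = """\
router lisp
 eid-table vrf USER instance-id 10
  route-export site-registrations
  distance site-registration 250
 exit
!
""" + BGP_HANDOFF
ANYWHERE_BORDER = INTERNAL_BORDER.replace(
    "bgp 65004 locator-set border",
    "bgp 65004 route-map deny_0.0.0.0/0 locator-set border") + """\
route-map deny_0.0.0.0/0 deny 10
 match ip address prefix-list deny_0.0.0.0/0
!
route-map deny_0.0.0.0/0 permit 20
!
ip prefix-list deny_0.0.0.0/0 permit 0.0.0.0/0
"""

@dataclass
class BorderFacts:
    route_import: List[Tuple[str, Optional[str]]] = field(default_factory=list)  # (AS, route-map)
    route_export: bool = False
    distance: Optional[int] = None
    aggregates: List[str] = field(default_factory=list)      # networks with summary-only
    deny_default_rms: Set[str] = field(default_factory=set)  # route-maps that drop 0.0.0.0/0

def parse_border(text: str) -> BorderFacts:
    """Line-oriented scan for the statements the checks below depend on."""
    f = BorderFacts()
    deny_pl: Dict[str, Set[str]] = {}   # route-map -> prefix-lists matched in deny clauses
    default_pls: Set[str] = set()       # prefix-lists that match exactly 0.0.0.0/0
    cur_rm: Optional[Tuple[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ipv4 route-import database bgp (\d+)(?: route-map (\S+))?", line):
            f.route_import.append((m.group(1), m.group(2)))
        elif re.match(r"(?:ipv4 )?route-export site-registrations?$", line):
            f.route_export = True
        elif m := re.match(r"(?:ipv4 )?distance site-registrations? (\d+)$", line):
            f.distance = int(m.group(1))
        elif m := re.match(r"aggregate-address (\S+) \S+ summary-only$", line):
            f.aggregates.append(m.group(1))
        elif m := re.match(r"route-map (\S+) (permit|deny) \d+$", line):
            cur_rm = (m.group(1), m.group(2))
        elif (m := re.match(r"match ip address prefix-list (\S+)$", line)) and cur_rm:
            if cur_rm[1] == "deny":
                deny_pl.setdefault(cur_rm[0], set()).add(m.group(1))
        elif m := re.match(r"ip prefix-list (\S+) permit 0\.0\.0\.0/0$", line):
            default_pls.add(m.group(1))
    f.deny_default_rms = {rm for rm, pls in deny_pl.items() if pls & default_pls}
    return f

def check_border(text: str, role: str) -> List[str]:
    """Findings for a border of role 'internal', 'external' or 'anywhere'; [] means clean."""
    f, out = parse_border(text), []
    if not f.aggregates:
        out.append("no 'aggregate-address ... summary-only': /32 host routes leak to the external domain")
    if role == "external":
        if f.route_import:
            out.append("external border must not route-import external prefixes into the fabric")
        if not (f.route_export and f.distance == 250):
            out.append("external border needs route-export site-registrations with distance 250")
    else:  # internal or anywhere
        if not f.route_import:
            out.append(f"{role} border must 'route-import database bgp' to learn external prefixes")
        elif role == "anywhere":
            for asn, rmap in f.route_import:
                if rmap not in f.deny_default_rms:
                    out.append(f"route-import from bgp {asn} does not deny 0.0.0.0/0: "
                               "the default route would enter the fabric")
    return out
```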
Fabric Border/Control-Plane Platform Support

SD-Access Platforms
For more details: cs.co/sda-compatibility-matrix

Fabric Border Node
• Catalyst 9300 – 1/mG RJ45; 10/25/40/mG NM
• Catalyst 9400 – Sup1XL; 9400 Cards
• Catalyst 9500 – 40/100G QSFP; 1/10/25G SFP
• Catalyst 9600 (NEW) – Sup1; 9600 Cards
• Catalyst 3K – Catalyst 3650/3850; 1/mG RJ45; 1/10G SFP; 1/10/40G NM Cards
• Catalyst 6K – Catalyst 6500/6800; Sup2T/Sup6T; C6800 Cards; C6880/6840-X
• Nexus 7K (* EXTERNAL ONLY) – Nexus 7700; Sup2E; M3 Cards; LAN1K9 + MPLS
• ISR 4K – ISR 4300/4400; AppX (AX); 1/10G RJ45; 1/10G SFP
• ASR 1K – ASR 1000-X/HX; AppX (AX); 1/10G ELC/EPA; 40G ELC/EPA

Fabric Control Plane
• Catalyst 9300 – 1/mG RJ45; 10/25/40/mG NM
• Catalyst 9400 – Sup1XL; 9400 Cards
• Catalyst 9500 – 40/100G QSFP; 1/10/25G SFP
• Catalyst 9600 (NEW) – Sup1; 9600 Cards
• Catalyst 3K – Catalyst 3650/3850; 1/mG RJ45; 1/10G SFP; 1/10/40G NM Cards
• Catalyst 6K – Catalyst 6500/6800; Sup2T/Sup6T; C6800 Cards; C6880/6840-X
• ISR 4K & ENCS (NEW) – ISR 4430/4450; ISR 4330/4450; ENCS 5400; ISRv / CSRv
• ASR1K – ASR 1000-X; ASR 1000-HX; 1/10G RJ45; 1/10G SFP
Fabric Border
Design Considerations

SD-Access Fabric
Border Nodes – Collocated vs. Distributed

Collocated Design (B and C on one device)
• Border and Control Plane node is on the same device
• Simple Design, without any extra configurations between Border and Control Plane node
• Best when only a few (e.g. 2) Collocated Border + Control Plane nodes are used

Distributed Design (B and C on separate devices)
• Border and Control Plane node are on different devices
• Additional configurations required to share EID mapping from Border to Control Plane node
• Multiple Border nodes can all connect to the same (single or set of) Control Plane nodes

Fabric Border Design Considerations
Use case 1: Border with Collocated Control Plane Node
[Figure: Host Pool 10 (10.1.1.1/24) - Edge Node 1 (1.1.1.1/32) - IP Network - Border + Control Plane Node (B C, 2.1.1.1/32) - BGP - External Domain (DC, WAN) 192.1.1.1/24.]

• The Border and Control Plane node is on the same device
• Border node must perform export (and/or import) of routes between domains
• Control Plane node maintains the database of every prefix/subnet in the Fabric Domain
• Simplified Design (no additional configuration)
• No additional routing protocols needed to synch Border & Control Plane
• Best when only a few Border nodes are used (e.g. 2 to 4 per Domain)

NOTE: Control Plane node scale is different on different platforms (select accordingly)

Fabric Border Design Considerations
Use case 2: Border with Distributed Control Plane Node
[Figure: Control-Plane Node (C, 5.1.1.1/32) peered over BGP with the Border Node (B, 2.1.1.1/32); Host Pool 10 (10.1.1.1/24) - Edge Node 1 (1.1.1.1/32) - IP Network - Border Node - BGP - External Domain 192.1.1.1/24.]

• The Border node and Control plane node are different devices
• Device 1 - Border node must perform export (and/or import) of routes between domains
• Device 2 - Control Plane node maintains the database of every prefix/subnet in the Fabric Domain
• Additional configurations are required
• Need additional protocol (iBGP) to share EID mapping information from Border to Control Plane node.
• Multiple Border nodes can connect to the same Control Plane nodes (single or set of)

NOTE: Control Plane node scale is different on different platforms (select accordingly)
Border & Control-Plane Co-located

SD-Access Border Automation
SD-Access simplifies Co-located Border and Control Plane provisioning with 1 step: Add as CP + Border

SD-Access Fabric Config
Border - Collocated with Control Plane Node
[Figure: Host Pool 10 (10.1.1.1/24) - Edge Node 1 (1.1.1.1/32) - IP Network - Border + Control Plane Node (B C, 2.1.1.1/32) - BGP - External Domain (DC, WAN) 192.1.1.1/24.]

• Control Plane operates as a LISP Map-server & Map-resolver
• Fabric EID prefixes are exported from the Control plane node (internally) to the Border node.
• Use Admin Distance of “250” to prefer the existing RIB/FIB route.

  router lisp
   locator-table default
   locator-set border
    IPv4-interface Loopback0 priority 10 weight 10
   !
   eid-table vrf USER instance-id 10
    ipv4 route-export site-registrations
    ipv4 distance site-registrations 250
   !
   site Campus
    authentication-key cisco
    eid-prefix instance-id 10 0.0.0.0/0 accept-more-specifics
    eid-prefix instance-id 10 10.1.1.0/24 accept-more-specifics
   !
   ipv4 map-server
   ipv4 map-resolver

• Add a Map Cache + Map-Request for all registered Dynamic EIDs
• Used for traffic coming from outside
• Triggers a map-server lookup to locate destinations in the fabric

  router lisp
   locator-table default
   locator-set border
    IPv4-interface Loopback0 priority 10 weight 10
   !
   eid-table vrf USER instance-id 10
    ipv4 map-cache site-registration
   exit

• The Border node advertises the EID prefix into the external protocol of choice (e.g. eBGP).
• The advertisement is summarized so that /32 host routes are not exposed to the external domain.

  router lisp
   locator-table default
   locator-set border
    IPv4-interface Loopback0 priority 10 weight 10
  !
  router bgp 65535
   address-family ipv4 vrf USER
    redistribute lisp metric 10
    aggregate-address 10.1.1.0 255.255.255.0 summary-only
   exit-address-family

• Border also imports the external prefixes into the Campus Fabric LISP domain. (This is not done for a Default Border node.)

  router lisp
   locator-table default
   locator-set border
    IPv4-interface Loopback0 priority 10 weight 10
   !
   eid-table vrf USER instance-id 10
    ipv4 route-import database bgp 65004 locator-set border
   exit
  !
Border & Control-Plane Distributed

SD-Access Border Automation
SD-Access simplifies Distributed Border and Control Plane provisioning with 2 steps (DNA Center workflow):
1. Add the control plane device as CP
2. Add the border device as Border
SD-Access Fabric Config
Border with Distributed Control Plane Node

[Figure: Control-Plane Node (RLOC 5.1.1.1/32) with a BGP session to the Border; Host Pool 10 (10.1.1.0/24, host 10.1.1.1) -> Edge Node 1 (RLOC 1.1.1.1/32) -> Border Node (RLOC 2.1.1.1/32) -> BGP -> IP Network / External Domain 192.1.1.0/24]

• Control Plane operates as an IPv4 LISP Map-server & Map-resolver
• Fabric EID prefixes are exported from the Control plane node to its own RIB (routing information base) with AD of “250”
• Add the IP prefixes to be mapped
• accept more-specific updates (e.g. /32)
• authentication-key cisco is the slide's placeholder. The site key authenticates Map-Registers, so any device that knows it can register EIDs with this map-server; use a strong, per-site key.

router lisp
 locator-table default
 locator-set control_node
  IPv4-interface Loopback0 priority 10 weight 10
 !
 eid-table vrf USER instance-id 10
  ipv4 route-export site-registrations
  ipv4 distance site-registrations 250
 !
 site Campus
  authentication-key cisco
  eid-prefix instance-id 10 0.0.0.0/0 accept-more-specifics
  eid-prefix instance-id 10 10.1.1.0/24 accept-more-specifics
 !
 ipv4 map-server
 ipv4 map-resolver
SD-Access Fabric Config
Border with Distributed Control Plane Node

[Figure: same topology as the previous slide]

• The Control plane uses an iBGP connection to the Border node to advertise the EID prefix into BGP
• The advertisement is summarized so that /32 host routes are not exposed to the external domain.
• The Border node learns the EID prefixes of the local Fabric domain from the Control Plane node.
• When the session is built between loopbacks, neighbor 2.1.1.1 update-source Loopback0 is also required; the slide omits it.

Control Plane node:
router bgp 65555
 !
 neighbor 2.1.1.1 remote-as 65555
 !
 address-family vpnv4
  neighbor 2.1.1.1 activate
  neighbor 2.1.1.1 send-community both
 !
 address-family ipv4 vrf USER
  redistribute lisp metric 10
  aggregate-address 10.1.1.0 255.255.255.0 summary-only
 exit-address-family
SD-Access Fabric Config
Border with Distributed Control Plane Node

[Figure: same topology as the previous slide]

• The Border receives the EID prefix information from the Control Plane node through the iBGP connection.
• The Border also imports the external prefixes into the LISP domain.
• Does not apply to an External (default) Border, which is the Proxy ETR for unknown prefixes.

Border node:
router lisp
 locator-table default
 locator-set border
  IPv4-interface Loopback0 priority 10 weight 10
 !
 eid-table vrf USER instance-id 10
  ipv4 route-import database bgp 65555 locator-set border
!
router bgp 65555
 !
 neighbor 5.1.1.1 remote-as 65555
 !
 address-family vpnv4
  neighbor 5.1.1.1 activate
  neighbor 5.1.1.1 send-community both
 !
SD-Access Fabric Config
Border with Distributed Control Plane Node

[Figure: same topology as the previous slide]

• The Border advertises the EID prefix to the external domain via BGP.
• Learnt earlier from the Control Plane node via iBGP

router lisp
 locator-table default
 locator-set border
  IPv4-interface Loopback0 priority 10 weight 10
 !
 eid-table vrf USER instance-id 10
  ipv4 route-import database bgp 65555 locator-set border
 exit
!
SD-Access Fabric Config
Border with Distributed Control Plane Node

[Figure: same topology as the previous slide]

• Add a Map Cache + Map-Request for all registered Dynamic EIDs
• used for traffic coming from outside
• triggers a map-server lookup to locate destinations in the fabric

router lisp
 locator-table default
 locator-set border
  IPv4-interface Loopback0 priority 10 weight 10
 !
 eid-table vrf USER instance-id 10
  ipv4 map-cache site-registration
 exit
Guest Access
Deployment Considerations

Guest Access Deployment
Guest as VN vs Dedicated GB/GCP

[Figure: left, Guest as VN: one Border (B) to the Internet; right, Dedicated GB/GCP: Guest Border (GB) and Guest Control Plane (GCP) to the Internet]

Guest as VN
• Guest traffic uses the same Border / Control Plane as any other VN
• Workflow automated from DNAC
• Simplified design
• External handoff via VRF-Lite

Dedicated GB/GCP
• A dedicated Border and Control Plane for the Guest VN
• Deploy as co-located or distributed nodes
• Manual workflows required
• Identical to the traditional Guest Anchor solution
• Ideal for stringent compliance requirements
Guest Access Design
Option 1: Guest as VN leveraging Common CP/B

[Figure: SDA Fabric with User VN (host 10.10.10.40) and Guest VN (host 10.20.10.40) and a WLC; common Control Plane (C) and Border (B); User traffic -> Intranet, Guest traffic -> DMZ -> Internet]

• Common Border / CP between the User VN and the Guest VN
• Traffic steering at the Border for Guest into the DMZ using VRF-Lite
• eBGP handoff workflow automated through DNAC
• Segmentation within the fabric achieved by VNID (macro segmentation)

Edge node (locator-set edge), pointing at the Border as Proxy ETR:
router lisp
 locator-table default
 locator-set edge
  IPv4-interface Loopback0 priority 10 weight 10
 !
 ipv4 use-petr 3.1.1.1
Guest VN border hand off config (DNA Center workflow)
Step 1: Assign the border role to a device
Step 2: Define the border parameters: BGP AS#, IP pool for the BGP handoff, border type, IP Transit
Step 4: Select the interface for the transit
Step 5: Define the VN: extend the Guest VN over the handoff
Guest Access Design
Option 2: Guest as VN leveraging dedicated CP/B

[Figure: SDA Fabric with Edge (E), Control Plane (C), Border (B), a WLC and guest host 10.10.10.40; dedicated Guest Border (GB) and Guest Control Plane (GCP) -> DMZ -> Internet]

• The Guest border RLOC should be reachable in the Underlay
• End-to-end MTU of 9100
• Register Guest EIDs to the Guest control plane (GCP)
• All Guest traffic is terminated on a dedicated guest border (GB)
• East-west isolation can be achieved by micro segmentation.
• key 7 is IOS type-7 obfuscation, not encryption: anyone who can read the configuration can recover the map-server key, so treat the running-config as sensitive and use a unique key per site.

router lisp configuration for the GUEST VN (map-server/map-resolver and PETR at 192.168.10.2):
router lisp
 service ipv4
  eid-table vrf GUEST
  map-cache 0.0.0.0/0 map-request
  itr map-resolver 192.168.10.2
  etr map-server 192.168.10.2 key 7 02130752
  etr map-server 192.168.10.2 proxy-reply
  etr
  sgt
  use-petr 192.168.10.2
  proxy-itr 192.168.41.5
 exit-service-ipv4
Enabling Border/CP (DNA Center workflow)
Step 1: Enable a Guest VN
Step 2: Create a Guest Border/CP: select the Guest CP and Border role, then select the Guest VN
• BGP AS number required only if GB and GCP are not co-located.
• External handoff from the Guest Border is not automated through a workflow.
Border High-Availability (HA)

Border High Availability
Multiple Borders = better ECMP load-balancing

[Figure: SDA Fabric, Host Pool 10 (10.1.1.0/24) behind Edge nodes, two Border Nodes each with its own eBGP handoff to the external domain]

• Interconnecting multiple borders requires manual workflows for cross-border communication.
• Extend the IGP underlay between the borders for routed access connectivity.
• Overlay prefixes are maintained at the border on a per-VN basis.
• These prefixes should be shared across the borders using iBGP in the case of an External/Anywhere border.
Border High Availability Deployment
iBGP across borders

[Figure: Host Pool 10 (10.1.1.0/24) -> Edge Node 1 (1.1.1.1/32) -> two Border + Control Plane nodes (2.1.1.1/32 and 3.1.1.1/32) -> External Domain (DC, WAN) 192.1.1.0/24; iBGP between the two borders over VLAN 200]

Border 1 (2.1.1.1):
vlan 200
 name User
interface vlan 200
 vrf forwarding User
 ip address 192.168.200.1 255.255.255.252
router bgp 65004
 address-family ipv4 vrf User
  neighbor 192.168.200.2 remote-as 65004
  neighbor 192.168.200.2 update-source Vlan200
  neighbor 192.168.200.2 activate

Border 2 (3.1.1.1):
vlan 200
 name User
interface vlan 200
 vrf forwarding User
 ip address 192.168.200.2 255.255.255.252
router bgp 65004
 address-family ipv4 vrf User
  neighbor 192.168.200.1 remote-as 65004
  neighbor 192.168.200.1 update-source Vlan200
  neighbor 192.168.200.1 activate

• One VLAN/SVI pair and one iBGP session of this kind is needed per VN; VLAN 200 here carries only the User VN.
Border Resiliency Options
Multiple Borders - Loop Prevention

[Figure: SDA Fabric with Host Pool 10 (10.1.1.0/24) behind Edge Node 1 and Edge Node 2; two Internal Border Nodes, each with an eBGP handoff to Shared Services (192.1.1.0/24)]

• eBGP is preferred to break any loops caused by the bidirectional advertisement (redistribution) of routes from the fabric to the external domain (and vice-versa) when using multiple Internal Borders for redundancy.
• eBGP uses AS-Path loop prevention.
• If you are using any protocol other than eBGP, an appropriate loop prevention mechanism needs to be used (distribute-list, prefix-list, or route tags with a route-map, etc.).
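The loop the bullets above warn about, worked through as an added Python model (this is not code from the deck). It simulates one fabric prefix leaving Border 1, being relayed through the external domain and arriving at Border 2, once with eBGP and once with an IGP handoff, with and without the route-tag filter. The AS numbers (65002 for the fabric borders, 65003 for the external domain) and the tag value are assumptions for the illustration:

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed numbering (not from the slide): fabric borders in AS 65002,
# external domain in AS 65003, fabric prefix = Host Pool 10.
FABRIC_AS = 65002
EXTERNAL_AS = 65003
FABRIC_TAG = 65002       # tag stamped on fabric routes when redistributing into an IGP
FABRIC_PREFIX = "10.1.1.0/24"


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...] = ()   # eBGP AS_PATH, leftmost = most recently traversed AS
    tag: Optional[int] = None       # IGP route tag set at redistribution


def ebgp_advertise(route: Route, sender_as: int) -> Route:
    """Every eBGP speaker prepends its own AS before sending an update."""
    return Route(route.prefix, (sender_as,) + route.as_path, route.tag)


def ebgp_accept(route: Route, local_as: int) -> bool:
    """RFC 4271 loop check: an update whose AS_PATH contains our own AS is discarded."""
    return local_as not in route.as_path


def igp_redistribute(route: Route, tag: int) -> Route:
    """Redistribute into the IGP and stamp a tag so our own routes stay recognisable."""
    return Route(route.prefix, route.as_path, tag)


def igp_accept(route: Route, deny_tag: Optional[int]) -> bool:
    """Without a deny-tag route-map the IGP accepts everything; with one, own-tag routes are dropped."""
    return deny_tag is None or route.tag != deny_tag


def loops_back(protocol: str, filter_own_tag: bool = False) -> bool:
    """Border 1 advertises the fabric prefix out; the external domain relays it to Border 2.
    True means Border 2 would accept the fabric's own prefix from outside and
    re-import it into LISP: the redistribution loop the slide warns about."""
    fabric_route = Route(FABRIC_PREFIX)
    if protocol == "ebgp":
        sent = ebgp_advertise(fabric_route, FABRIC_AS)      # Border 1 -> external peer
        relayed = ebgp_advertise(sent, EXTERNAL_AS)         # external peer -> Border 2
        return ebgp_accept(relayed, FABRIC_AS)
    if protocol == "igp":
        sent = igp_redistribute(fabric_route, FABRIC_TAG)   # Border 1 -> IGP
        relayed = sent                                      # the IGP carries the tag unchanged
        return igp_accept(relayed, FABRIC_TAG if filter_own_tag else None)
    raise ValueError(f"unknown protocol {protocol!r}")


if __name__ == "__main__":
    for proto, flt in (("ebgp", False), ("igp", False), ("igp", True)):
        print(f"{proto:5} filter_own_tag={flt!s:5} loops_back={loops_back(proto, flt)}")
```

With eBGP the relayed update carries AS_PATH (65003, 65002) and Border 2 drops it without any extra policy; with an IGP the same prefix comes back untagged-filtered and would be accepted unless a route-map denies the tag that Border 1 stamped on redistribution.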

Border Resiliency (HA)

Resiliency at the Border
Track or propagate events across domains

[Figure: SDA Fabric (control plane LISP, data plane VXLAN+SGT) -> two Border nodes -> External Routers -> IP Network / External Domain (control plane IGP/MP-BGP/BGP-EVPN, data plane IP/MPLS/VXLAN)]

Use Case 1: Track failures in the External Domain
Failures & Changes in the External Domain
External advertisements reflect the state of the External Domain

[Figure: SDA Fabric -> two Borders -> IP Network / External Domain]

1. Host reachability from an external router is lost or degraded
2. Host advertisements from that router are withdrawn
3. Border routing tables are updated to remove the faulty route(s)
Resiliency at the Border
Use Case 1: Track failures in the External Domain

❑ No additional configuration is needed on the fabric border to achieve resiliency.
❑ Traffic is re-routed away from the failure point based on the routing protocols configured on the fabric border.
❑ Convergence depends on the routing protocols' convergence times.
Resiliency at the Border
Use Case 2.1: Track failures in the Fabric Domain - Border & CP Co-located

[Figure: same domains as Use Case 1: LISP / VXLAN+SGT inside the fabric, IGP/MP-BGP/BGP-EVPN and IP/MPLS/VXLAN outside]
Failures & Changes in the SD-Access Fabric
Internal redistribution of Fabric state into External Domain @ Border and CP Co-located
I. Border and Control plane Node Co-located

[Figure: SDA Fabric -> two Borders -> IP Network / External Domain]

1. Border connectivity to the Fabric network is degraded
2. Registration State Changes are communicated to the Border
3. Campus Prefix advertisements from this border are withdrawn
4. External routing tables are updated to route around the failure
• How can this be tracked?
Failures & Changes in the SD-Access Fabric
Internal redistribution of Fabric state into External Domain @ Border and CP Co-located

• Since Border and Control Plane node are co-located, when a failure happens the state of the network needs to be tracked and reported to the control plane node, so that the fabric border can withdraw its route advertisements.
• To track the state of the network we can use either an EEM script or Object Tracking.
• Since both require configuration on the border nodes, a workaround that avoids this is explained on the next slide.
Resiliency at the Border
Use Case 2.1: Track failures in the Fabric Domain - Border & CP Co-located

[Figure: two Border nodes (B) connected by a direct Layer 3 link]

❑ As a workaround the border nodes can be connected via a Layer 3 link.
❑ This Layer 3 link (or links) is given a higher cost to reach the fabric edge nodes than the underlay path, so while the underlay is available the direct link is not used.
❑ If one border's connectivity to the underlay is degraded, traffic from the external domain still arrives at that border, crosses the Layer 3 link to the other border node and continues on to the fabric edge nodes.
❑ Convergence time depends on the routing protocol between the border nodes.
Resiliency at the Border
Use Case 2.2: Track failures in the Fabric Domain - Border and CP Distributed

[Figure: dedicated Control-Plane node (C) with BGP adjacencies to the two Borders, monitored by BFD; LISP / VXLAN+SGT inside the fabric, IGP/MP-BGP/BGP-EVPN and IP/MPLS/VXLAN outside]
Failures & Changes in the SD-Access Fabric
Internal redistribution of Fabric state into External Domain - Border and CP Distributed

[Figure: Control-Plane node (C) -> BFD-monitored BGP adjacency -> two Borders -> IP Network / External Domain]

• SDA fabric domain prefixes are advertised via BGP from the Control Plane node to the Border node
• BGP adjacencies between Control Plane and Border node are monitored with BFD
• Upon BFD adjacency failure, prefixes associated with the Border are withdrawn immediately
• Fast convergence (150-200 ms)
Failures & Changes in the SD-Access Fabric
Border uplink failure for an External border

[Figure: same topology; one border's uplink to the IP Network has failed]

• iBGP between the borders re-routes traffic through the border whose uplink is still up
• EEM scripts can alternatively be deployed to do the re-routing
Fabric Border Connectivity
Shared services

Fabric Border Connectivity
Shared Services (DHCP, AAA, etc) with Border

• Hosts in the fabric domain (in their respective Virtual Networks) will need to have access to common “Shared Services”:
➢ Identity Services (e.g. AAA/RADIUS)
➢ Domain Name Services (DNS)
➢ Dynamic Host Configuration (DHCP)
➢ IP Address Management (IPAM)
➢ Monitoring tools (e.g. SNMP)
➢ Data Collectors (e.g. Netflow, Syslog)
➢ Other infrastructure elements
• These shared services will generally reside outside of the fabric domain.
Fabric Border Connectivity
Shared Services (DHCP, AAA, etc) with Border

[Figure: Fabric scope: VNs USER1, USER2 and INFRA_VN terminate on the Fabric Border, all carried over the RLOC Underlay in the GRT]

• RLOC Underlay connectivity is in the Global Routing Table
• Access Points and Extended Nodes are in their own VN, INFRA_VN, which is in the Global Routing Table
• Other VNs can be used for segmentation of users, devices, roles, and others
• Scalable Group Tags (SGTs) can be used for further access control within a VN
• The “USER” VN is shown in this slide deck as an example.
• Similar steps can be followed for the other VNs shown
Fabric Border Connectivity
Shared Services (DHCP, AAA, etc) in Global Routing Table

[Figure: two Borders -> GRT -> Shared Services: Cisco DNA Center, DHCP/DNS, Identity Service]
Fabric Border Connectivity
Shared Services (DHCP, AAA, etc) in GRT

[Figure: Control-Plane Node (5.1.1.1/32); Host Pool 10 (10.1.1.0/24, host 10.1.1.1) -> Edge Node 1 (1.1.1.1/32) -> Border Node (2.1.1.1/32) -> BGP -> Fusion Router (192.1.1.1/24) -> Shared Services 172.10.10.0/24]

• The Shared Services are in the Global Routing Table
• The Border forms a routing adjacency with the Fusion router in each Address Family (one per VN).
• On the Fusion router, use import ipv4 unicast map to “leak” routes from the GRT into each VRF; the prefix-list limits the leak to the shared-services subnet, so the rest of the global table stays unreachable from the VNs.
• An external Fusion router is used to exchange routes between the VRFs in the Campus fabric and the Services.
• The return path also has to exist: the global table needs a route to the VN prefixes (e.g. export ipv4 unicast map on the VRF, or static routes in the GRT).

Fusion router:
ip vrf User1
 rd 1:1
 route-target export 1:1
 route-target import 1:1
 import ipv4 unicast map Shared_Services
!
ip vrf User2
 rd 2:2
 route-target export 2:2
 route-target import 2:2
 import ipv4 unicast map Shared_Services
!
route-map Shared_Services permit 10
 match ip address prefix-list Shared_Services
!
ip prefix-list Shared_Services permit 172.10.10.0/24
Fabric Border Connectivity
Shared Services (DHCP, AAA, etc) in a dedicated VRF

[Figure: two Borders -> Fusion Router -> Services VRF: Cisco DNA Center, DHCP/DNS, Identity Service]
Fabric Border Connectivity
Shared Services (DHCP, AAA, etc) in a dedicated VRF

[Figure: same topology as the previous slide; Shared Services 172.10.10.0/24 sit in a dedicated VRF behind the Fusion Router]

• The Shared Services are in a unique, dedicated VRF of their own.
• The Border forms a routing adjacency with the Fusion router in each Address Family.
• Use route-target import / export (leaking) to “share” routes: each user VRF imports the Services RT (3:3), and the Services VRF imports the user RTs (1:1, 2:2) so that return traffic has a route. User1 and User2 never import each other's RT, so VN-to-VN isolation is preserved.
• An external Fusion router is used to exchange routes between the VRFs in the Campus fabric and the Services VRF.

Fusion router:
ip vrf User1
 rd 1:1
 route-target export 1:1
 route-target import 1:1
 route-target import 3:3
!
ip vrf User2
 rd 2:2
 route-target export 2:2
 route-target import 2:2
 route-target import 3:3
!
ip vrf Services
 rd 3:3
 route-target export 3:3
 route-target import 3:3
 route-target import 1:1
 route-target import 2:2
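Both shared-services designs (the GRT import map on the earlier slide and the route-target leaking on this one) come down to the same question: which prefixes end up in which VRF, and can User1 ever see User2. The following Python model is an added example, not code from the deck or from Cisco; it applies the import/export rules to a constructed set of VRFs (the user prefixes 10.1.0.0/16 and 10.2.0.0/16 and the extra GRT prefix 192.0.2.0/24 are made up for the illustration; 172.10.10.0/24 is the services subnet from the slides):

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, Iterable, Set, Tuple


@dataclass
class Vrf:
    name: str
    export_rt: Set[str]
    import_rt: Set[str]
    local_prefixes: Set[str]
    grt_import_prefix_list: Tuple[str, ...] = ()  # allow-list of "import ipv4 unicast map"


def build_tables(vrfs: Iterable[Vrf], grt_prefixes: Tuple[str, ...] = ()) -> Dict[str, Dict[str, str]]:
    """Return {vrf: {prefix: origin}} after route-target and GRT-map processing."""
    vrfs = list(vrfs)
    # Every VRF exports its local prefixes tagged with its export RTs.
    exported = [(p, v.name, frozenset(v.export_rt)) for v in vrfs for p in v.local_prefixes]
    tables = {}
    for v in vrfs:
        table = {p: v.name for p in v.local_prefixes}
        # RT import: accept an exported prefix if it carries at least one RT we import.
        for p, origin, rts in exported:
            if origin != v.name and rts & v.import_rt:
                table[p] = origin
        # GRT import map: leak a global prefix only if the prefix-list permits it.
        for p in grt_prefixes:
            if any(ip_network(p).subnet_of(ip_network(a)) for a in v.grt_import_prefix_list):
                table[p] = "GRT"
        tables[v.name] = table
    return tables


def shared_services_in_vrf() -> Dict[str, Dict[str, str]]:
    """Dedicated-VRF design: users import 3:3, Services imports the user RTs."""
    vrfs = [
        Vrf("User1", {"1:1"}, {"1:1", "3:3"}, {"10.1.0.0/16"}),
        Vrf("User2", {"2:2"}, {"2:2", "3:3"}, {"10.2.0.0/16"}),
        Vrf("Services", {"3:3"}, {"3:3", "1:1", "2:2"}, {"172.10.10.0/24"}),
    ]
    return build_tables(vrfs)


def shared_services_in_grt() -> Dict[str, Dict[str, str]]:
    """GRT design: services live in the global table, leaked through a prefix-list."""
    vrfs = [
        Vrf("User1", {"1:1"}, {"1:1"}, {"10.1.0.0/16"}, ("172.10.10.0/24",)),
        Vrf("User2", {"2:2"}, {"2:2"}, {"10.2.0.0/16"}, ("172.10.10.0/24",)),
    ]
    # Constructed GRT contents: the services subnet plus a prefix that must NOT leak.
    return build_tables(vrfs, grt_prefixes=("172.10.10.0/24", "192.0.2.0/24"))


if __name__ == "__main__":
    for design in (shared_services_in_vrf, shared_services_in_grt):
        print(design.__name__)
        for vrf, table in design().items():
            print(f"  {vrf:9} {sorted(table)}")
```

In both designs User1 sees 172.10.10.0/24 and nothing of User2; in the dedicated-VRF design the Services table holds both user prefixes, which is the return path the slide's configuration needs.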

Layer 2 Border
Layer 2 border *BRKCRS-2812 covers details on Migration

L2 Border highlights
• Migrate a traditional VLAN to the fabric
• Coexistence of the same subnet in the fabric and in the traditional network
• All endpoints on the non-fabric side are registered to the CP node by the Layer 2 Border.
• Supports 8k endpoints in the traditional network
• The Layer 2 border translates the traditional VLAN to the VLAN within the fabric
• For provisioning a Layer 2 border, the site must already have a CP/BN configured
• Supported on C3K and C9K platforms, IOS-XE 16.9.1s
Layer 2 border

[Figure: data plane VXLAN inside the SDA Fabric, VLAN on the traditional side; two Borders (B), one acting as Layer 2 Border with a single or port-channel* trunk port to the traditional access switches. *Dual-homing requires L2 MEC to prevent L2 loops]

Hosts attached to SDA Fabric Edge nodes are in Address Pool (1024), IP 10.1.1.0/24; hosts attached to traditional Access switches are in VLAN (100), IP 10.1.1.0/24.
• The Layer 2 Border maps VLAN 1024 in the fabric to VLAN 100 in the non-fabric network: same subnet in fabric and non-fabric
Layer 2 border Configurations

Fabric Edge:
 service ethernet
  encapsulation vxlan
  database-mapping limit dynamic 5000
  itr map-resolver x.x.x.x
  etr map-server x.x.x.x key 7 09594D00
  etr map-server x.x.x.x proxy-reply
 exit-service-ethernet
 !
 instance-id 8188
  remote-rloc-probe on-route-change
  service ethernet
   eid-table vlan 1024
   broadcast-underlay 239.0.0.1
   database-mapping mac locator-set xxx
  exit-service-ethernet
 exit-instance-id
!
interface Vlan1024
 description Configured from apic-em
 mac-address 0000.0c9f.f45c
 vrf forwarding Corp
 ip address 8.6.53.0 255.255.255.0
 ip helper-address 10.121.128.101
 no ip redirects
 ip route-cache same-interface
 no lisp mobility liveness test
 lisp mobility 8_6_53_0-Corp

Layer 2 Border:
Identical to the Fabric Edge configuration above (same instance-id 8188, same map-server/map-resolver, same anycast SVI address and MAC), except that the traditional VLAN is used:
  service ethernet
   eid-table vlan 100
  ...
interface Vlan100
 ...
Layer 2 Border Platforms

Fabric Constructs          Catalyst 3850   Catalyst 9300   Catalyst 9400   Catalyst 9500
Local End Points/Hosts     4K              4K              4K              4K

SD-Access Border Node   Layer 2 Border   Supported Software Release
C3K                     YES              16.9.1s
C9K                     YES              16.9.1s
C9500H                  YES              16.12.1s
C6K                     NO               N/A
N7K                     NO               N/A
ASR1K/ISR4K             NO               N/A
Layer 2 Border automation
[DNA Center workflow screenshots not reproduced]
Layer 2 Border deployment mode

Not Supported: two Layer 2 Borders (B B) attached to the same traditional VLAN
Supported: a single Layer 2 Border (B) attached through a single link or a port-channel* trunk port

[Figure: SDA Fabric with Host1, Host2, Host3, all in IP 10.1.1.0/24; hosts attached to SDA Fabric Edge nodes in Address Pool (1024), hosts attached to traditional Access switches in VLAN (100)]
Policy Enforcement at Border

Border SXP Peering

[Figure: SD-Access Fabric with a User VN and an IOT VN terminating on the Border (B); IP-to-SGT bindings arrive over SXP]

IP address          SGT
192.168.10.0/24     Enterprise APPS (10)
192.168.20.0/24     IOT Server (20)

• Enforcement in the SD-Access fabric is done at the egress interface.
• The Border needs to be configured as an SXP listener
• The Border learns the destination SGT via SXP
• SXP peering is done on a per-VN basis.
• Northbound traffic enforcement can be done at the Border node.
• The Border inserts the source SGT for southbound traffic
Border SXP Peering
SXP Border Configurations

Step 1: Create a Loopback interface in the VN's VRF
interface Loopback202
 vrf forwarding User
 ip address 100.100.100.1 255.255.255.255
end

Step 2: Advertise the loopback via BGP so that ISE can reach it
router bgp 65002
 address-family ipv4 vrf User
  network 100.100.100.1 mask 255.255.255.255

Step 3: Verify connectivity to ISE from the loopback
Border#ping vrf User 192.168.100.2 source lo202
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.2, timeout is 2 seconds:
Packet sent with a source address of 100.100.100.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
Border SXP Peering
Step 4: Configure SXP on the border node
cts sxp enable
cts sxp default password 7 096F471A1A0A333C2A4D
cts sxp connection peer 192.168.100.2 source 100.100.100.1 password default mode local listener hold-time 0 0 vrf campus
cts sxp connection peer 192.168.100.2 source 100.100.100.2 password default mode local listener hold-time 0 0 vrf IOT
cts role-based enforcement vlan-list all

• One connection per VN: the source address and vrf on each line must be the loopback created for that VN. The slides use User, campus and corp for the same VN; on the device the names must match.
• The SXP password is stored as type 7 (reversible obfuscation, not encryption), so the running-config must be handled as sensitive.
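The `password 7` above, and the `key 7` strings on the guest-VN and Layer 2 border slides, are IOS type-7 strings: a two-digit key offset followed by the hex of each plaintext byte XORed with a fixed, published key. The decoder below is an added example (not from the deck, not a Cisco tool) that recovers those values from a constructed config excerpt built from the slide lines; the XLAT constant is the well-known type-7 key and the audit function is an illustration, not an IOS feature:

```python
import re
from typing import List, Tuple

# The fixed key IOS uses for type-7 strings (well known and long published).
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(enc: str) -> str:
    """Reverse a type-7 string: two decimal digits give the key offset,
    the rest is hex of (plaintext byte XOR key byte)."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError(f"not a type-7 string: {enc!r}")
    seed = int(enc[:2])
    data = bytes.fromhex(enc[2:])
    plain = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return plain.decode("latin-1")


def encode_type7(plain: str, seed: int = 9) -> str:
    """The forward direction, showing the scheme is a bare XOR with no secret and no salt."""
    data = plain.encode("latin-1")
    enc = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return f"{seed:02d}{enc.hex().upper()}"


TYPE7_RE = re.compile(r"\b(?:key|password)\s+7\s+([0-9A-Fa-f]{4,})")


def audit_config(text: str) -> List[Tuple[int, str, str]]:
    """Find every 'key 7 ...' / 'password 7 ...' in a config: (line number, command, recovered secret)."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in TYPE7_RE.finditer(line):
            hits.append((n, line.strip(), decode_type7(m.group(1))))
    return hits


# Constructed excerpt: the three type-7 strings that appear on the slides.
SLIDE_CONFIG = """\
router lisp
 service ipv4
  etr map-server 192.168.10.2 key 7 02130752
cts sxp default password 7 096F471A1A0A333C2A4D
 etr map-server x.x.x.x key 7 09594D00
"""

if __name__ == "__main__":
    for n, cmd, secret in audit_config(SLIDE_CONFIG):
        print(f"line {n}: {cmd!r} -> {secret!r}")
```

Run against a saved configuration this turns every type-7 line back into its plaintext, which is why the config file itself, and any config backup, needs the same handling as the keys it contains.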

Step 5: Configure ISE for SXP peering (ISE screenshot not reproduced)
Border SXP Peering
Step 6: Verify SXP connections
Border#show cts sxp connections vrf corp
SXP : Enabled
Highest Version Supported: 4
Default Password : Set
Default Source IP: Not Set
Connection retry open period: 120 secs
Reconcile period: 120 secs
Retry open timer is not running
Peer-Sequence traverse limit for export: Not Set
Peer-Sequence traverse limit for import: Not Set
----------------------------------------------
Peer IP : 192.168.100.2
Source IP : 100.100.100.1
Conn status : On
Conn version : 4
Conn capability : IPv4-IPv6-Subnet
Conn hold time : 120 seconds
Local mode : SXP Listener
Connection inst# : 4
TCP conn fd : 1
TCP conn password: default SXP password
Hold timer is running
Duration since last state change: 0:03:12:17 (dd:hr:mm:sec)

Total num of SXP Connections = 1

Border SXP Peering
Step 7: Verify SGTs are received through SXP
Border#show cts role-based sgt-map vrf corp all
Active IPv4-SGT Bindings Information

IP Address SGT Source


============================================
9.10.60.1 17 SXP
192.168.200.0/24 255 SXP
192.168.200.1 255 SXP
192.168.201.0/24 13 SXP

IP-SGT Active Bindings Summary


============================================
Total number of SXP bindings = 4
Total number of active bindings = 4
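The two verification steps above are the ones worth automating, because a listener that is down or a VN with no bindings fails silently: traffic is simply matched against the unknown SGT. The following Python is an added example (not from the deck) that parses the two show outputs, reproduced here as constructed samples taken from the slides, and reports the conditions that break northbound enforcement:

```python
import re
from typing import Dict, List

# Constructed from the slide output: one listener connection, four SXP bindings.
SXP_CONNECTIONS = """\
SXP : Enabled
Highest Version Supported: 4
Default Password : Set
----------------------------------------------
Peer IP : 192.168.100.2
Source IP : 100.100.100.1
Conn status : On
Conn version : 4
Local mode : SXP Listener
Duration since last state change: 0:03:12:17 (dd:hr:mm:sec)

Total num of SXP Connections = 1
"""

SGT_MAP = """\
Active IPv4-SGT Bindings Information

IP Address SGT Source
============================================
9.10.60.1 17 SXP
192.168.200.0/24 255 SXP
192.168.200.1 255 SXP
192.168.201.0/24 13 SXP

Total number of SXP bindings = 4
"""

CONN_SPLIT = re.compile(r"^-{5,}$", re.MULTILINE)
FIELD = re.compile(r"^(Peer IP|Source IP|Conn status|Local mode)\s*:\s*(.+?)\s*$", re.MULTILINE)
BINDING = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s*$", re.MULTILINE)


def parse_sxp_connections(text: str) -> List[Dict[str, str]]:
    """One dict per connection block; blocks are separated by a dashed line."""
    conns = []
    for block in CONN_SPLIT.split(text)[1:]:
        fields = dict(FIELD.findall(block))
        if "Peer IP" in fields:
            conns.append(fields)
    return conns


def parse_sgt_map(text: str) -> List[Dict[str, object]]:
    """Rows of the binding table: ip (host or prefix), sgt (int), source."""
    return [{"ip": ip, "sgt": int(sgt), "source": src} for ip, sgt, src in BINDING.findall(text)]


def check_sxp(conn_text: str, map_text: str, expected_peer: str) -> List[str]:
    """Return a list of problems; an empty list means the border can enforce northbound."""
    problems = []
    peer = next((c for c in parse_sxp_connections(conn_text) if c.get("Peer IP") == expected_peer), None)
    if peer is None:
        problems.append(f"no SXP connection to {expected_peer}")
    else:
        if peer.get("Conn status") != "On":
            problems.append(f"SXP connection to {expected_peer} is {peer.get('Conn status')}")
        if "Listener" not in peer.get("Local mode", ""):
            problems.append("border is not an SXP listener, so it will not learn destination SGTs")
    if not parse_sgt_map(map_text):
        problems.append("no IP-SGT bindings learned; every destination maps to the unknown SGT")
    return problems


if __name__ == "__main__":
    print(check_sxp(SXP_CONNECTIONS, SGT_MAP, "192.168.100.2") or "SXP healthy")
```

Run once per VN (the show commands take the VRF name), since SXP peering is per VN and a healthy User VN says nothing about the IOT VN.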

Cisco SD-Access Fabric Troubleshooting

Fabric Troubleshooting
Reference Topology

[Figure: dedicated Control-Plane node (C); Data Center prefix 20.20.20.0/24 behind a pair of Internal Borders (B B); Internet (8.8.8.8) behind an External Border (B)]

• Data-Center prefix 20.20.20.0/24 is reachable via a pair of Internal Borders
• Unknown/Internet prefixes are reachable via the External Border
• A dedicated Control-Plane is in use as the map-server/map-resolver
Fabric Troubleshooting
Step 1: Verify External Connectivity from the Border

Global routing table (INFRA_VN):
Border#show ip bgp summary
BGP router identifier 192.168.12.11, local AS number 65002
BGP table version is 121, main routing table version 121
(memory statistics omitted)
BGP activity 45/19 prefixes, 180/144 paths, scan interval 60 secs

Neighbor     V     AS  MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down  State/PfxRcd
10.10.9.6    4  65003    11113    11109     121    0     0  1w0d                1

User VN:
Border#show ip bgp vpnv4 vrf User summary
BGP router identifier 192.168.12.11, local AS number 65002
BGP table version is 104, main routing table version 104
(memory statistics omitted)
BGP activity 45/19 prefixes, 180/144 paths, scan interval 60 secs

Neighbor     V     AS  MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down  State/PfxRcd
10.10.9.2    4  65003    11371    11370     104    0     0  1w0d                1

• A number under State/PfxRcd means the session is Established; each external eBGP session to AS 65003 has received 1 prefix.
Fabric Troubleshooting
Step 2: Verify External Routes

User VN (requires the internal subnets and a default route for Internet access):
Border#show ip route vrf User bgp
Routing Table: User
Codes: (standard legend omitted; B - BGP, l - LISP route)

Gateway of last resort is 192.168.8.10 to network 0.0.0.0

B*    0.0.0.0/0 [200/0] via 192.168.8.10, 1w0d
      10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
B        10.10.0.0/24 [200/0] via 192.168.9.10, 1w0d
B        10.10.1.0/24 [200/0] via 192.168.9.10, 1w0d
B        10.10.3.0/24 [200/0] via 192.168.9.10, 1w0d
      20.0.0.0/24 is subnetted, 1 subnets
B        20.20.20.0 [20/20] via 10.10.9.2, 1w0d

Global routing table / INFRA_VN (requires connectivity to the DHCP server and the WLC):
Border#show ip route bgp
Codes: (standard legend omitted; B - BGP, l - LISP route)

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
B        10.10.4.0/24 [200/0] via 192.168.9.10, 1w0d
      20.0.0.0/24 is subnetted, 1 subnets
B        20.20.20.0 [20/20] via 10.10.9.6, 1w0d

• [20/20] entries are the eBGP routes from the external domain; [200/0] entries are fabric prefixes learnt via iBGP from the Control-Plane node (192.168.9.10) and the default route from the External Border (192.168.8.10).
Fabric Troubleshooting
Step 3: Verify BGP external prefixes are imported into the LISP database

Control-Plane#show lisp site
LISP Site Registration Information
* = Some locators are down or unreachable
# = Some registrations are sourced by reliable transport

Site Name   Last      Up    Who Last               Inst   EID Prefix
            Register        Registered             ID
site_uci    never     no    --                     4097   0.0.0.0/0
            1w0d      yes#  192.168.12.10:43636    4099   20.20.20.0/24
            never     no    --                     4101   0.0.0.0/0
            1w0d      yes#  192.168.12.11:23932    4099   20.20.20.0/24

• The external prefix 20.20.20.0/24 is registered in instance 4099 by both Border 1 (192.168.12.10) and Border 2 (192.168.12.11), so it is reachable via either border.
Fabric Troubleshooting
Step 4: Locate the LISP instance-id for the VN

Edge#show vrf
  Name      Default RD   Protocols   Interfaces
  User      <not set>    ipv4        Vl1022
                                     Vl1023
                                     LI0.4099      <- LISP instance id
                                     Vl1026

Edge#show run | section router lisp
 instance-id 4099
  remote-rloc-probe on-route-change
  dynamic-eid User-Wired
   database-mapping 10.10.0.0/24 locator-set rloc_fd642169-db4b-48ae-b511-ab0b3db0f4cd
  exit-dynamic-eid
  !
  service ipv4
   eid-table vrf User
   map-cache 0.0.0.0/0 map-request
  exit-service-ipv4
  !
 exit-instance-id
Fabric Troubleshooting
Step 5: Initiate traffic from the Fabric Edge and verify the LISP map-cache entry

Destination prefix in the BGP table (reachable via Border 1 & Border 2):
Edge#lig instance-id 4099 20.20.20.1
Mapping information for EID 20.20.20.1 from 192.168.12.11 with RTT 142 msecs
20.20.20.0/24, uptime: 00:00:00, expires: 1d00h, via map-reply, complete
  Locator        Uptime    State   Pri/Wgt  Encap-IID
  192.168.12.10  00:00:00  up      10/10    -
  192.168.12.11  00:00:00  up      10/10    -

Destination prefix not in the BGP table (Proxy ETR = External Border):
Edge#lig instance-id 4099 8.8.8.8
Mapping information for EID 8.8.8.8 from 192.168.9.10 with RTT 2 msecs
8.0.0.0/7, uptime: 00:00:00, expires: 00:14:59, via map-reply, forward-native
  Encapsulating to proxy ETR

Fabric Troubleshooting
Step 7: Verify the CEF entries

(Diagram on slide: Fabric Edge, Border nodes and Control-Plane node, with 20.20.20.0/24 in the Data Center and 8.8.8.8 on the Internet)

Edge#show ip cef vrf User 20.20.20.1
20.20.20.0/24
  nexthop 192.168.12.10 LISP0.4099
  nexthop 192.168.12.11 LISP0.4099

Edge#show ip cef vrf User 8.8.8.8
8.0.0.0/7
  nexthop 192.168.8.10 LISP0.4099
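
As an added example (not from the session deck and not Cisco tooling), the following Python parses `lig` output in the shape shown in Step 5 and classifies the destination as fabric-reachable via the listed border RLOCs, forwarded natively to the proxy ETR (the external border), or degraded when an expected border RLOC is missing or not up. The two sample outputs are constructed from the slides, and the list of expected border RLOCs is an assumed input.

```python
import re

# Constructed samples, shaped like the two `lig` outputs on the Step 5 slide.
LIG_FABRIC = """\
Mapping information for EID 20.20.20.1 from 192.168.12.11 with RTT 142 msecs
20.20.20.0/24, uptime: 00:00:00, expires: 1d00h, via map-reply, complete
  Locator        Uptime    State   Pri/Wgt   Encap-IID
  192.168.12.10  00:00:00  up      10/10     -
  192.168.12.11  00:00:00  up      10/10     -
"""
LIG_NATIVE = """\
Mapping information for EID 8.8.8.8 from 192.168.9.10 with RTT 2 msecs
8.0.0.0/7, uptime: 00:00:00, expires: 00:14:59, via map-reply, forward-native
Encapsulating to proxy ETR
"""

# Map-cache summary line: "<prefix>, uptime: ..., expires: ..., via <source>, <action>"
MAP_RE = re.compile(r"^(\S+/\d+), uptime: \S+, expires: \S+, via (\S+), (\S+)$", re.M)
# Locator rows: "<RLOC> <uptime> <state> <pri>/<wgt> ..."
LOC_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+\S+\s+(\w+)\s+(\d+)/(\d+)", re.M)


def parse_lig(text):
    """Return the map-cache entry from one `lig` output as a dict."""
    m = MAP_RE.search(text)
    if m is None:
        raise ValueError("no map-cache entry found in lig output")
    locators = [
        {"rloc": rloc, "state": state, "pri": int(pri), "wgt": int(wgt)}
        for rloc, state, pri, wgt in LOC_RE.findall(text)
    ]
    return {"prefix": m.group(1), "source": m.group(2),
            "action": m.group(3), "locators": locators}


def check_reachability(entry, border_rlocs):
    """Classify an entry: 'proxy-etr' (forward-native, sent to the external
    border), 'fabric' (complete, every expected border RLOC up) or 'degraded'
    with a list of problems. border_rlocs is the assumed list of RLOCs of the
    borders expected to advertise the prefix."""
    if entry["action"] == "forward-native":
        return "proxy-etr", []
    problems = []
    if entry["action"] != "complete":
        problems.append(f"unexpected map-cache action {entry['action']}")
    up = {loc["rloc"] for loc in entry["locators"] if loc["state"] == "up"}
    for rloc in border_rlocs:
        if rloc not in up:
            problems.append(f"border RLOC {rloc} missing or not up")
    return ("fabric" if not problems else "degraded"), problems
```

Run it against saved `lig` output from each edge after a change on the borders to spot a prefix that silently fell back to the proxy ETR or lost one of its border RLOCs.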

Take Away
When to get started?

SD-Access Support
For more details: cs.co/sda-compatibility-matrix

Digital Platforms for your Cisco Digital Network Architecture (several platforms are marked NEW or BETA on the slide)

Switching: Catalyst 9600, Catalyst 9500, Catalyst 9400, Catalyst 9300, Catalyst 9200, Catalyst 6800, Catalyst 4500E, Catalyst 3850 & 3650, Nexus 7700
Routing: ASR-1000-HX, ASR-1000-X, ISR 4451, ISR 4430, ISR 4330, ENCS 5400
Wireless: Catalyst 9800, AIR-CT8540, AIR-CT5520, AIR-CT3504, Catalyst 9100 APs, Aironet Wave 1 APs*, Aironet Wave 2 APs
Extended: Cisco Digital Building, Catalyst 3560-CX, Cisco IE 4K/5K

What to Do Next?

SD-Access Capable: Refresh your Hardware & Software. Get SD-Access capable devices with the DNA Advantage OS license.
DNA Center: Deploy the DNA Center. Get DNA Center appliances with DNA Center software.
Cisco Services: Engage with Cisco Services. Cisco Services can help you to Test - Migrate - Deploy.

SD-Access - Cisco on Cisco
Live SD-Access Deployment @ Cisco Systems

750 wired & wireless SJC23 users
2 Fabric Border / Control-Plane Nodes, 7 Fabric Edge Nodes, 24 Fabric Access Points
3 Virtual Networks, 16 Scalable Groups, 2 Wireless SSIDs, 8 Address Pools

Built and managed by the Cisco Engineering team, in conjunction with Cisco IT Services

SD-Access Testimonials
Live Customer SD-Access Deployments

375+ Production Deployments
Network Services, Cisco IT
www.cisco.com/c/en/us/solutions/enterprise-networks/network-architecture-customer-success-stories.html
SD-Access Resources
Would you like to know more?

cisco.com/go/dna
cisco.com/go/sdaccess
cisco.com/go/dnacenter
cisco.com/go/cvd

• SD-Access At-A-Glance
• SD-Access Ordering Guide
• SD-Access Solution Data Sheet
• SD-Access Solution White Paper
• SD-Access Design Guide
• SD-Access Deployment Guide
• SD-Access Segmentation Guide
• Cisco DNA Center At-A-Glance
• Cisco DNA ROI Calculator
• Cisco DNA Center Data Sheet
• Cisco DNA Center 'How To' Video Resources

SD-Access Resources
Would you like to know more?

cs.co/sda-resources
• Search from your Browser
• Indexed by Search Engines

cs.co/sda-community
• Discuss with experts & friends
• Supported by SDA TMEs
• 24-hour First Response
• Questions are marked Answered

Complete your online session survey
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.

Cisco Live sessions will be available for viewing on demand after the event at ciscolive.com.

Continue your education
• Demos in the Cisco campus
• Walk-in labs
• Meet the engineer
• Related sessions
• 1:1 meetings

Thank you
