
Cisco SD-Access

Border Operation

• Cisco SD-Access Deployment Models
• Connecting the Fabric to External Domains

Cisco SD-Access Deployment Models
Two Basic Types of Deployments
▪ Campus Networks (Large Sites)

▪ Fabric Site (Small Sites)


Fabric site
A fabric site is a portion of the fabric which has its own set of control plane nodes, border nodes, and edge nodes.

Key characteristics of a single fabric site are:

➢ A given IP subnet is part of a single fabric site (except when VN anchoring is in use)
➢ L2 extension is only within a fabric site
➢ L2 / L3 mobility is only within a fabric site
➢ No context translation (VRF / SGT remapping) is necessary within a fabric site

A given fabric site can have different scale characteristics:

Large-scale fabric site: multiple horizontally-scaled devices per fabric site

Fabric-in-a-box: all fabric functions (control plane, border and edge) are on a single device (site)

Fabric-in-a-box
SD-Access for distributed campus
➢ Multiple fabric sites corresponding to a single fabric are interconnected by a transit network area.

➢ The transit network area may be defined as a portion of the fabric which interconnects the borders of individual fabric sites, and which has its own control plane nodes, but does not have edge nodes.

Figure: fabric sites interconnected by Transit Network-1 (IP Transit).
Cisco SD-Access Transit Types
Cisco SD-Access Transit
Understanding Transit Types

• IP-Based Transit - Leverages a traditional IP-based (VRF-Lite, MPLS) network, which requires remapping of VRFs and SGTs between sites. This is typically used when connecting to Shared Services (WLC, DNS, DHCP, PSN, ...).

• Cisco SD-Access Transit - Enables a native Cisco SD-Access (LISP, VXLAN, CTS) fabric, with a domain-wide Control Plane node for inter-site communication.
IP Transit
Cisco SD-Access for Distributed Campus
Why IP Based Transit?

• MTU too small for the VXLAN header
• Service insertion

Typical use cases

o Internet handoff
o P2P IPsec encryption
o Policy-based routing
o WAN accelerators
o Traffic engineering
o Mobile backhaul (LTE)

Figure: HQ reaching Remote Branch 1, 2 and 3 over MPLS, Internet and LTE transits, with Cloud and Data Centre attached to the IP transit.
Cisco SD-Access for Distributed Campus
IP Transit

Control plane: LISP inside Fabric Site 1 (C, B B) | IGP/BGP across the IP Transit | LISP inside Fabric Site 2 (C, B B)
Data + policy plane: VXLAN + SGT inside SDA Fabric Site 1 | SXP with ISE across the IP Transit | VXLAN + SGT inside SDA Fabric Site 2
Both sites are managed by Cisco DNA Center.
IP Transit Border Handoff

1. Control plane: LISP inside the fabric (C, B) is handed off to BGP at the border, toward the External Domain (BGP/IGP).
2. Data plane: VXLAN inside the fabric is handed off to VRF-Lite at the border, toward the External Domain (IP/MPLS/VXLAN).
3. Policy plane (* manual): SGT carried in VXLAN inside the fabric is handed off as SGT tagging at the border, toward the External Domain (IP ACL/SGT).
Creating an IP Transit

IP-Transit
• Select the external handoff protocol as BGP from the drop-down
• Specify the remote BGP AS number
Cisco SD-Access Transit
Cisco SD-Access for Distributed Campus
Why Cisco SD-Access Transit?

• Fully automated site-to-site connection
• Seamless policy propagation

Typical use cases

o Sites in the same Metro area, Campus or even Building

Figure: HQ, Campus 1, Campus 2 and Campus 3 interconnected over Metro links, with Cloud and Data Centre attached.

Cisco SD-Access for Distributed Campus
Why Cisco SD-Access Transit?

• With Cisco SD-Access for distributed Campus, you can achieve end-to-end segmentation with consistent policy across sites
• From the policy perspective, all sites behave as one
• Separate forwarding of packets in data plane and control plane

Figure: HQ, Campus 1, Campus 2 and Campus 3 joined by the SD-Access Transit, with Cloud and Data Center attached.
Cisco SD-Access Transit

Control plane: LISP inside Fabric Site 1 (C, B B) | LISP across the Cisco SD-Access Transit (transit control plane nodes, Border to Border) | LISP inside Fabric Site 2 (C, B B)
Data + policy plane: VXLAN + SGT end to end, across Cisco SD-Access Fabric Site 1, the Cisco SD-Access Transit and Cisco SD-Access Fabric Site 2
All sites are managed by Cisco DNA Center.
Border Deployment Use-Cases

SD-Access Border Deployment
Use Case 1 : Fabric Connecting to Unknown Networks

Figure: fabric (C, B B, Fabric Edge Nodes) whose borders connect to the Internet and to a Public Cloud.

SD-Access Border
Use Case 1 : Fabric Connecting to Unknown Networks

• Default Border is a "Gateway of Last Resort" for unknown destinations
• Connects to any "unknown" IP prefixes (e.g. Internet, Public Cloud, 3rd Party, etc.)
• Exports all internal IP Pools outside (as aggregate) into traditional IP routing protocol(s).
• Default Border is a "default" domain exit point, if no other (specific) entry is present in the Map System.
• Outside hand-off requires mapping the prefix context (VRF & SGT) from one domain to another.
SD-Access Border Deployment Options
Use Case 1 : Fabric Connecting to Unknown Networks – Automation

Click on the node and add it as a Border
Select the node and add as a Border

Border role > Outside World (External)
IP Pool for eBGP handoff
Select the IP-Transit
Select the VNs to extend

IP Pool for eBGP handoff
Border role > Outside World (External)
Add the transit
Add the interface for handover
SD-Access Deployment Options
Use Case 2 : Fabric Connecting to Internal Networks

Figure: fabric (C, B B, Fabric Edge Nodes) whose borders connect to the DC and to a Branch.

SD-Access Border
Use Case 2 : Fabric Connecting to Known Networks

• Border advertises Endpoints to outside, and known Subnets to inside
• Connects to any "known" IP subnets attached to the outside network (e.g. DC, WLC, FW, etc.)
• Exports all internal IP Pools to outside (as aggregate), using traditional IP routing protocol(s).
• Imports and registers (known) IP subnets from outside into the Fabric Control Plane System
• Outside hand-off requires mapping the prefix context (VRF & SGT) from one domain to another.
SD-Access Border Deployment Options
Use Case 2 : Fabric Connecting to Known Networks – Automation

Click on the node and add it as a Border
Select the node and add as a Border

Border Role = Rest of Company (Internal)
Local BGP AS#
IP Pool for eBGP handoff
Select IP Transit, External Interface and VNs to handoff

Border Role = Internal (default as of release 1.3.0.5)
SD-Access Border Deployment Options
Use Case 3 : Fabric Connecting to Known and Unknown Networks

Figure: fabric (C, B B, Fabric Edge Nodes) whose borders connect to the Data Center, the WAN and the Internet.

SD-Access Border Deployment Options
Use Case 3 : Fabric Connecting to Everywhere – Automation

Border Role = Anywhere (Internal & External)
Local BGP AS#
IP Pool for BGP handoff
IP Transit
Select the external interface and VNs to handoff

Border Role = Internal + External (Anywhere Border)

SD-Access Border Deployment
Connect to Internet?

The "Connect to Internet" flag is only applicable for SD-Access transit.
Fabric Border Packet Flow & Deep Dive – Internal Border

SD-Access Border
Border - Forwarding from Fabric Domain to External Domain

Topology used in the walkthrough: Campus Bldg 1 (10.1.1.0/24) and Bldg 2 (10.3.0.0/24) behind edge nodes with RLOCs 1.1.1.1, 1.1.2.1, 1.1.3.1 and 1.1.4.1; control plane nodes 5.1.1.1 and 5.2.2.2; internal border RLOC 2.1.1.1 connected to a Branch holding 192.1.1.0/24.

1. Source S (10.1.1.1, Bldg 1) resolves D.abc.com (DNS entry: D.abc.com A 192.1.1.1).
2. S sends 10.1.1.1 → 192.1.1.1 to its edge node (RLOC 1.1.1.1).
3. The edge asks the control plane nodes for 192.1.1.1. Mapping entry: EID-prefix 192.1.1.0/24, locator-set 2.1.1.1, priority 1, weight 100 (D1). Path preference is controlled by the destination site.
4. The edge encapsulates 10.1.1.1 → 192.1.1.1 in VXLAN with outer header 1.1.1.1 → 2.1.1.1.
5. The border (2.1.1.1) decapsulates and forwards 10.1.1.1 → 192.1.1.1 into the external domain toward the Branch.

SD-Access Border
Border - Forwarding from External Domain to Fabric Domain

1. The Branch (192.1.1.0/24) holds a routing entry for the fabric's aggregate that sends the traffic to the exit point of the domain (the Internal Border).
2. The border (2.1.1.1) receives 192.1.1.1 → 10.1.1.1.
3. The border asks the control plane nodes for 10.1.1.1. Mapping entry: EID-prefix 10.1.1.1/32, locator-set 1.1.1.1, priority 1, weight 100 (D1). Path preference is controlled by the destination site.
4. The border encapsulates 192.1.1.1 → 10.1.1.1 in VXLAN with outer header 2.1.1.1 → 1.1.1.1.
5. The edge (1.1.1.1) decapsulates and delivers 192.1.1.1 → 10.1.1.1 to D (10.1.1.1, Bldg 1).
SD-Access Border Config
Internal Border Node

Topology: Host Pool 10 (10.1.1.1/24) - Edge Node 1 (RLOC 1.1.1.1/32) - Border Node (RLOC 2.1.1.1/32, external interface 192.1.1.1/24) - BGP - External Domain (DC, WAN); IP networks 10.1.1.0/24 and 192.1.1.0/24.

• The Border node advertises the EID prefix into the external protocol of choice (eBGP).
• The advertisement is summarized so that /32 host routes are not exposed to the external domain.
• Repeat for other IP subnets and VRFs in the fabric.

router lisp
 locator-table default
 locator-set border
  IPv4-interface Loopback0 priority 10 weight 10
 !
router bgp 65004
 !
 address-family ipv4 vrf USER
  redistribute lisp metric 10
  aggregate-address 10.1.1.0 255.255.255.0 summary-only
 exit-address-family

• The Border also imports the external prefixes into the Campus Fabric LISP domain.
• Repeat for other IP subnets and VRFs in the fabric.

router lisp
 locator-table default
 locator-set border
  IPv4-interface Loopback0 priority 10 weight 10
 !
 eid-table vrf USER instance-id 10
  ipv4 route-import database bgp 65004 locator-set border
 exit
!

Note that route-import registers every prefix present in the VRF USER BGP table as an EID reachable through this border, so whatever the eBGP peer is allowed to send becomes part of the fabric's map system. Filter the eBGP session, or attach a route-map to route-import as the Anywhere Border configuration does for the default route.

• Add a map-cache + map-request for dynamic EIDs, to trigger a lookup for traffic coming from outside.
• Repeat for other IP subnets and VRFs in the fabric.

router lisp
 locator-table default
 locator-set border
  IPv4-interface Loopback0 priority 10 weight 10
 !
 eid-table vrf USER instance-id 10
  ipv4 map-cache site-registration
 exit

Figure: Border Node as LISP xTR - Control Plane Connectivity.
Fabric Border Packet Flow & Deep Dive – External Border

SD-Access Border
Default Border - Forwarding to External Domain

Topology: Campus Bldg 1 (10.2.0.0/24) and Bldg 2 (10.3.0.0/24) behind edge nodes 1.1.1.1, 1.1.2.1, 1.1.3.1 and 1.1.4.1; control plane nodes 5.1.1.1 and 5.2.2.2; Default Border RLOC 3.1.1.1 connected to the Internet (193.3.0.0/24, D).

1. S (10.2.0.1) sends 10.2.0.1 → 193.3.0.1 to its edge node (RLOC 1.1.2.1).
2. The edge asks the control plane nodes for 193.3.0.1. EID-prefix: not found, map-cache miss. The edge falls back to its configured PETR (use-petr): locator-set 3.1.1.1, priority 1, weight 100 (D1).
3. The edge encapsulates 10.2.0.1 → 193.3.0.1 in VXLAN with outer header 1.1.2.1 → 3.1.1.1.
4. The Default Border (3.1.1.1) decapsulates and forwards 10.2.0.1 → 193.3.0.1 to the Internet.
SD-Access Border Config
External Border Node

Topology: Host Pool 10 (10.1.1.1/24) - Edge Node 1 (RLOC 1.1.1.1/32) - Default Border Node (RLOC 3.1.1.1/32, external interface 172.1.1.1/24) - Internet; IP networks 10.1.1.0/24, 150.1.1.0/24 and 192.1.1.0/24.

• The EID prefixes are exported from the Control Plane node to the Default Border node with an AD of 250.
• The Border node only advertises the EID prefix into the external protocol of choice (BGP).
• Repeat for other IP subnets and VRFs in the fabric.

router lisp
 locator-table default
 locator-set border
  IPv4-interface Loopback0 priority 10 weight 10
 !
 eid-table vrf USER instance-id 10
  route-export site-registrations
  distance site-registration 250
 exit
router bgp 65004
 !
 address-family ipv4 vrf USER
  redistribute lisp metric 10
  aggregate-address 10.1.1.0 255.255.255.0 summary-only
 exit-address-family

• Add a map-cache + map-request for dynamic EIDs, to trigger a lookup for traffic coming from outside.
• Repeat for other IP subnets and VRFs in the fabric.

router lisp
 locator-table default
 locator-set border
  IPv4-interface Loopback0 priority 10 weight 10
 !
 eid-table vrf USER instance-id 10
  ipv4 map-cache site-registration
 exit
!

• The fabric edge node has a default route to the External Border: on a map-cache miss it encapsulates toward the configured PETR (use-petr).

router lisp
 locator-table default
 locator-set edge
  IPv4-interface Loopback0 priority 10 weight 10
 !
 ipv4 use-petr 3.1.1.1

Figure: Border Node as LISP PxTR - Control Plane Connectivity.
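The two packet flows above (Internal Border, where the destination is a registered EID reachable through border 2.1.1.1, and Default Border, where a map-cache miss sends the packet to the PETR 3.1.1.1) can be modelled in a few dozen lines. The block below is an added example, not Cisco code or the slide deck's: it keeps site registrations per instance-id, resolves a destination by longest-prefix match, models `route-import` of the border's BGP table (with the default route filtered out, as the Anywhere Border route-map does) and applies the `use-petr` fallback on a miss. Addresses and instance-id 10 / vrf USER come from the slides; the `MapSystem`, `Xtr` and `build_fabric` names are invented for the illustration.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class MapSystem:
    """The control plane nodes: site registrations per instance-id (hypothetical model)."""
    # registrations[iid] -> list of (EID prefix, RLOC, priority, weight)
    registrations: Dict[int, List[tuple]] = field(default_factory=dict)

    def register(self, iid: int, eid_prefix: str, rloc: str, priority: int = 1, weight: int = 100) -> None:
        self.registrations.setdefault(iid, []).append(
            (ipaddress.ip_network(eid_prefix), ipaddress.ip_address(rloc), priority, weight))

    def route_import(self, iid: int, bgp_routes: List[str], rloc: str,
                     route_map: Optional[Callable[[str], bool]] = None) -> List[str]:
        """Model of 'ipv4 route-import database bgp ... locator-set border': every BGP prefix
        the border holds in the VRF is registered with the border's RLOC, unless the
        route-map (a predicate here) rejects it. Returns the prefixes that were imported."""
        imported = []
        for prefix in bgp_routes:
            if route_map is not None and not route_map(prefix):
                continue
            self.register(iid, prefix, rloc)
            imported.append(prefix)
        return imported

    def resolve(self, iid: int, dst: str):
        """Map-request: longest-prefix match over the registrations; None is a map-cache miss."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, rloc, prio, weight in self.registrations.get(iid, []):
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, rloc, prio, weight)
        return best


@dataclass
class Xtr:
    """An edge or border node. Edges carry 'ipv4 use-petr'; borders do not."""
    rloc: str
    ms: MapSystem
    petr: Optional[str] = None

    def encapsulate(self, iid: int, src: str, dst: str) -> Optional[Tuple[str, str, str]]:
        """Outer (src RLOC, dst RLOC, reason) for the inner packet src -> dst, or None if dropped."""
        entry = self.ms.resolve(iid, dst)
        if entry is not None:
            return (self.rloc, str(entry[1]), f"map-cache hit {entry[0]}")
        if self.petr is not None:
            return (self.rloc, self.petr, "map-cache miss, use-petr")
        return None  # no mapping and no PETR: the packet has nowhere to go


def build_fabric():
    """The slide topology: instance-id 10 (vrf USER), edges 1.1.1.1 / 1.1.2.1, internal
    border 2.1.1.1 peering with the Branch (192.1.1.0/24), default border 3.1.1.1 as PETR."""
    ms = MapSystem()
    ms.register(10, "10.1.1.1/32", "1.1.1.1")   # host behind Edge 1 (constructed registration)
    ms.register(10, "10.2.0.1/32", "1.1.2.1")   # host behind Edge 2 (constructed registration)
    # What the internal border learned over eBGP (constructed). The default route is filtered
    # out, as route-map deny_0.0.0.0/0 does on the Anywhere Border, so unknown destinations
    # keep missing in the map system and go to the PETR instead of resolving to this border.
    ms.route_import(10, ["192.1.1.0/24", "0.0.0.0/0"], rloc="2.1.1.1",
                    route_map=lambda p: p != "0.0.0.0/0")
    edges = {r: Xtr(r, ms, petr="3.1.1.1") for r in ("1.1.1.1", "1.1.2.1")}
    border = Xtr("2.1.1.1", ms)
    return ms, edges, border


if __name__ == "__main__":
    ms, edges, border = build_fabric()
    print(edges["1.1.1.1"].encapsulate(10, "10.1.1.1", "192.1.1.1"))   # known EID via internal border
    print(edges["1.1.2.1"].encapsulate(10, "10.2.0.1", "193.3.0.1"))   # miss, PETR 3.1.1.1
    print(border.encapsulate(10, "192.1.1.1", "10.1.1.1"))             # return path to Edge 1
```

The last case in `build_fabric` is the one that matters operationally: a border without a PETR that receives a packet for an unregistered EID returns `None`, which is what the `map-cache site-registration` / map-request trigger on the real border exists to avoid for hosts that have not yet been learned.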
Fabric Border Packet Flow & Deep Dive – Anywhere Border

SD-Access Border Config
Anywhere Border Node

Topology: Host Pool 10 (10.1.1.1/24) - Edge Node 1 (RLOC 1.1.1.1/32) - Border + Default Border Node (RLOC 2.1.1.1/32 with 192.1.1.1/24 toward the BGP peer, RLOC 3.1.1.1/32 with 172.1.1.1/24 toward the Internet) - External Domain (Internet + DC, WAN); IP networks 10.1.1.0/24, 192.1.1.0/24 and 150.1.1.0/24.

• The Border imports the external prefixes into the Campus Fabric LISP domain, except the default route.
• Repeat for other IP subnets and VRFs in the fabric.

router lisp
 locator-table default
 locator-set border
  IPv4-interface Loopback0 priority 10 weight 10
 !
 eid-table vrf USER instance-id 10
  ipv4 route-import database bgp 65004 route-map deny_0.0.0.0/0 locator-set border
 exit
!
route-map deny_0.0.0.0/0 deny 10
 match ip address prefix-list deny_0.0.0.0/0
!
route-map deny_0.0.0.0/0 permit 20
!
ip prefix-list deny_0.0.0.0/0 permit 0.0.0.0/0

The prefix-list entry has no le/ge, so it matches only the exact default route: sequence 10 denies 0.0.0.0/0 and sequence 20 (no match clause) imports everything else. Written as `permit 0.0.0.0/0 le 32` it would match every prefix and the border would import nothing. Keeping the default out of the LISP database matters because a registered 0.0.0.0/0 would turn every unknown destination into a map-cache hit on this border rather than the map-cache-miss / use-petr path the edges are built around.
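Because the whole filter above hinges on prefix-list matching rules, the block below reproduces those rules in Python and runs the slide's route-map, and the common `le 32` mistake, over a constructed BGP table. This is an added example, not code from the slides or from Cisco; `PrefixListEntry`, `route_map_permits` and `route_import` are names invented for the illustration, and `BGP_TABLE` is a made-up sample of what VRF USER might hold on the border.

```python
import ipaddress
from typing import List, Optional, Tuple


class PrefixListEntry:
    """One 'ip prefix-list NAME permit|deny PREFIX [ge N] [le M]' line (hypothetical model)."""

    def __init__(self, action: str, prefix: str, ge: Optional[int] = None, le: Optional[int] = None):
        self.action = action
        self.net = ipaddress.ip_network(prefix)
        if ge is None and le is None:
            # No ge/le: only the exact prefix (same block, same length) matches.
            self.min_len = self.max_len = self.net.prefixlen
        else:
            # 'ge N' alone means N..32, 'le M' alone means prefixlen..M, both means N..M.
            self.min_len = ge if ge is not None else self.net.prefixlen
            self.max_len = le if le is not None else self.net.max_prefixlen

    def matches(self, candidate: str) -> bool:
        c = ipaddress.ip_network(candidate)
        return c.subnet_of(self.net) and self.min_len <= c.prefixlen <= self.max_len


def prefix_list_permits(entries: List[PrefixListEntry], candidate: str) -> bool:
    """First matching entry decides; an unmatched prefix hits the implicit deny."""
    for e in entries:
        if e.matches(candidate):
            return e.action == "permit"
    return False


RouteMap = List[Tuple[str, Optional[List[PrefixListEntry]]]]


def route_map_permits(rmap: RouteMap, candidate: str) -> bool:
    """Sequences in order: ('deny'|'permit', prefix-list or None). The first sequence whose
    prefix-list permits the route (or that has no match clause) applies; falling off the
    end is the implicit deny."""
    for action, plist in rmap:
        if plist is None or prefix_list_permits(plist, candidate):
            return action == "permit"
    return False


def route_import(bgp_table: List[str], rmap: RouteMap) -> List[str]:
    """Prefixes the border would register from its BGP VRF table through the route-map."""
    return [p for p in bgp_table if route_map_permits(rmap, p)]


# The slide's filter: the prefix-list matches only the exact default route, sequence 10
# drops it, sequence 20 (no match clause) lets everything else through.
DENY_DEFAULT_PL = [PrefixListEntry("permit", "0.0.0.0/0")]
DENY_DEFAULT_RM: RouteMap = [("deny", DENY_DEFAULT_PL), ("permit", None)]

# The frequent mistake: 'permit 0.0.0.0/0 le 32' matches every IPv4 prefix, so sequence 10
# now denies the whole table and the border imports nothing.
DENY_ALL_PL = [PrefixListEntry("permit", "0.0.0.0/0", le=32)]
DENY_ALL_RM: RouteMap = [("deny", DENY_ALL_PL), ("permit", None)]

# Constructed sample of the VRF USER BGP table on the anywhere border.
BGP_TABLE = ["0.0.0.0/0", "192.1.1.0/24", "150.1.1.0/24", "10.50.0.0/16"]

if __name__ == "__main__":
    print("as configured:", route_import(BGP_TABLE, DENY_DEFAULT_RM))
    print("with 'le 32': ", route_import(BGP_TABLE, DENY_ALL_RM))
```

Run it before pushing a route-map change to a border: the second line printing an empty list is exactly the failure that otherwise shows up as a fabric that can no longer reach the DC.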
SD-Access Border Config
Anywhere Border Node

Topology: Host Pool 10 (10.1.1.1/24) - Edge Node 1 (RLOC 1.1.1.1/32) - Border + Default Border Node (RLOC 3.1.1.1/32, external interface 172.1.1.1/24) - External Domain (Internet + DC, WAN); IP networks 10.1.1.0/24 and 150.1.1.0/24.

• The fabric edge node has a default route to the External Border: on a map-cache miss it encapsulates toward the configured PETR (use-petr).

router lisp
 locator-table default
 locator-set edge
  IPv4-interface Loopback0 priority 10 weight 10
 !
 ipv4 use-petr 3.1.1.1
Shared Services Connectivity

Fabric Border Connectivity
Shared Services (DHCP, AAA, etc.) with Border

• Hosts in the fabric domain (in their respective Virtual Networks) will need to have access to common "Shared Services":
➢ Identity Services (e.g. AAA/RADIUS)
➢ Domain Name Services (DNS)
➢ Dynamic Host Configuration (DHCP)
➢ IP Address Management (IPAM)
➢ Monitoring tools (e.g. SNMP)
➢ Data Collectors (e.g. NetFlow, Syslog)
➢ Other infrastructure elements
• These shared services will generally reside outside of the fabric domain.

Fabric Border Connectivity
Shared Services (DHCP, AAA, etc.) with Border

• RLOC underlay connectivity is in the Global Routing Table
• Access Points and Extended Nodes will be in their own VN, INFRA_VN, which is in the Global Routing Table
• Other VNs can be used for segmentation for users, devices, roles, and others
• Scalable Group Tags (SGTs) can be used for further access control within a VN
• The "USER" VN is being shown in this slide deck as an example.
• Similar steps can be followed for the other VNs shown

Figure: fabric scope with USER #1, USER #2 and INFRA_VN reaching the Fabric Border over the RLOC underlay (GRT/INFRA).
Fabric Border Connectivity
Shared Services (DHCP, AAA, etc.) in Global Routing Table

Figure: two borders (B B) connected to the GRT that holds the Shared Services: Cisco DNA Center, DHCP/DNS and Identity Service.

Fabric Border Connectivity
Shared Services (DHCP, AAA, etc.) in GRT

Topology: Host Pool 10 (10.1.1.1/24) - Edge Node 1 (RLOC 1.1.1.1/32) - Border Node (RLOC 2.1.1.1/32, external interface 192.1.1.1/24) - BGP - Fusion Router - BGP - Shared Services (172.10.10.0/24); Control-Plane Node 5.1.1.1/32.

• The Shared Services are in the Global Routing Table
• The Border and the Fusion router will form a routing adjacency in each Address Family
• Use import ipv4 unicast map to "leak" routes
• An external Fusion router is used to exchange routes from the VRFs in the Campus fabric to the Services.

Fusion router configuration:

ip vrf User1
 rd 1:1
 route-target export 1:1
 route-target import 1:1
 import ipv4 unicast map Shared_Services
!
ip vrf User2
 rd 2:2
 route-target export 2:2
 route-target import 2:2
 import ipv4 unicast map Shared_Services
!
route-map Shared_Services permit 10
 match ip address prefix-list Shared_Services
!
ip prefix-list Shared_Services permit 172.10.10.0/24

The import map is what keeps the leak narrow: each user VRF receives only 172.10.10.0/24 from the global table, not every global prefix, and nothing passes between User1 and User2. The slide shows only the GRT-to-VRF direction; the services still need a route back to each user VN's pools, so review whatever carries that return path with the same care.

Fabric Border Connectivity
Shared Services (DHCP, AAA, etc.) in a dedicated VRF

Figure: two borders (B B) connected through a Fusion Router to a Services VRF that holds Cisco DNA Center, DHCP/DNS and Identity Service.

Fabric Border Connectivity
Shared Services (DHCP, AAA, etc.) in a dedicated VRF

Topology: Host Pool 10 (10.1.1.1/24) - Edge Node 1 (RLOC 1.1.1.1/32) - Border Node (RLOC 2.1.1.1/32, external interface 192.1.1.1/24) - BGP - Fusion Router - BGP - Shared Services (172.10.10.0/24); Control-Plane Node 5.1.1.1/32.

• The Shared Services are in a unique dedicated VRF of their own.
• The Border and the Fusion router will form a routing adjacency in each Address Family.
• Use route-target import / export (leaking) to "share" routes
• An external Fusion router is used to exchange routes from the VRFs in the Campus fabric to the Services VRF.

Fusion router configuration:

ip vrf User1
 rd 1:1
 route-target export 1:1
 route-target import 1:1
 route-target import 3:3
!
ip vrf User2
 rd 2:2
 route-target export 2:2
 route-target import 2:2
 route-target import 3:3
!
ip vrf Services
 rd 3:3
 route-target export 3:3
 route-target import 3:3
 route-target import 1:1
 route-target import 2:2

Each user VRF imports only its own RT and 3:3, so User1 never sees User2's pools even though the Services VRF holds both; the one-line mistake to watch for is an extra "route-target import" on a user VRF.
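The two fusion-router designs above (shared services in the GRT leaked with an import map, and shared services in a dedicated VRF leaked with route-targets) both rest on the same question: after leaking, which prefixes does each VRF hold, and does any user VN end up with another user VN's routes? The block below is an added example, not the slides' or Cisco's code: it models a VRF's export/import route-targets and an `import ipv4 unicast map` prefix-list, computes the per-VRF tables for both designs, and runs the isolation check a practitioner wants before trusting the fusion router. The `Vrf` class and the function names are invented; `GRT_ROUTES` and the 10.2.0.0/24 pool for User2 are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass
class Vrf:
    name: str
    rd: str
    export_rt: Set[str]
    import_rt: Set[str]
    local: List[str]                         # prefixes learned on this VRF's own BGP adjacency
    import_map: Optional[List[str]] = None   # 'import ipv4 unicast map': exact-match prefix-list


def vpnv4_table(vrfs: Dict[str, Vrf]) -> List[Tuple[str, str, FrozenSet[str]]]:
    """What each VRF exports: (RD, prefix, route-target extended communities). Only routes a
    VRF originates are exported; routes it imported keep their original RTs and are not
    re-tagged, which is why leaking is not transitive through the Services VRF."""
    return [(v.rd, p, frozenset(v.export_rt)) for v in vrfs.values() for p in v.local]


def leaked_tables(vrfs: Dict[str, Vrf], grt: List[str]) -> Dict[str, Set[str]]:
    """Per-VRF routing table on the fusion router after both kinds of leaking."""
    vpn = vpnv4_table(vrfs)
    tables: Dict[str, Set[str]] = {}
    for v in vrfs.values():
        table = set(v.local)
        # route-target import: any VPNv4 route carrying one of our import RTs.
        for rd, prefix, rts in vpn:
            if rd != v.rd and rts & v.import_rt:
                table.add(prefix)
        # import ipv4 unicast map: GRT routes the prefix-list permits (exact match, no le/ge).
        if v.import_map is not None:
            wanted = {ipaddress.ip_network(m) for m in v.import_map}
            table |= {p for p in grt if ipaddress.ip_network(p) in wanted}
        tables[v.name] = table
    return tables


def isolation_ok(vrfs: Dict[str, Vrf], tables: Dict[str, Set[str]],
                 user_vrfs: List[str], services: Set[str]) -> bool:
    """Every user VRF reaches the shared services, and no user VRF holds another user
    VRF's prefixes: the check to run before trusting a fusion router design."""
    for a in user_vrfs:
        if not services <= tables[a]:
            return False
        for b in user_vrfs:
            if a != b and tables[a] & set(vrfs[b].local):
                return False
    return True


# Design 1 (slide "Shared Services in GRT"): services live in the global table and each
# user VRF pulls in only what route-map Shared_Services / its prefix-list permits.
GRT_DESIGN = {
    "User1": Vrf("User1", "1:1", {"1:1"}, {"1:1"}, ["10.1.1.0/24"], import_map=["172.10.10.0/24"]),
    "User2": Vrf("User2", "2:2", {"2:2"}, {"2:2"}, ["10.2.0.0/24"], import_map=["172.10.10.0/24"]),
}
GRT_ROUTES = ["172.10.10.0/24", "192.168.12.0/24"]   # constructed: services plus an unrelated GRT prefix

# Design 2 (slide "Shared Services in a dedicated VRF"): the RT scheme from the slide.
VRF_DESIGN = {
    "User1": Vrf("User1", "1:1", {"1:1"}, {"1:1", "3:3"}, ["10.1.1.0/24"]),
    "User2": Vrf("User2", "2:2", {"2:2"}, {"2:2", "3:3"}, ["10.2.0.0/24"]),
    "Services": Vrf("Services", "3:3", {"3:3"}, {"3:3", "1:1", "2:2"}, ["172.10.10.0/24"]),
}

# The mistake the check catches: one extra 'route-target import 2:2' on User1.
BROKEN_DESIGN = dict(VRF_DESIGN)
BROKEN_DESIGN["User1"] = Vrf("User1", "1:1", {"1:1"}, {"1:1", "3:3", "2:2"}, ["10.1.1.0/24"])

if __name__ == "__main__":
    for label, design, grt in (("GRT", GRT_DESIGN, GRT_ROUTES), ("VRF", VRF_DESIGN, []), ("broken", BROKEN_DESIGN, [])):
        t = leaked_tables(design, grt)
        print(label, t, "isolated:", isolation_ok(design, t, ["User1", "User2"], {"172.10.10.0/24"}))
```

The model deliberately ignores what the Services VRF re-advertises to the shared-services hosts themselves; the point it makes is that isolation between user VNs depends on the user VRFs' import lists alone, which is where a review should start.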
Cisco SD-Access Fabric Troubleshooting – External Domain

Fabric Troubleshooting
Reference Topology

• Data-Center prefix 20.20.20.0/24 is reachable via a pair of Internal Borders
• Unknown/Internet prefixes (e.g. 8.8.8.8) are reachable via the External Border
• Dedicated Control-Plane in use as the map-server/map-resolver

Figure: fabric with C, two Internal Borders (B B) toward the Data Center and one External Border (B) toward the Internet.

Fabric Troubleshooting
Step 3: Verify BGP external prefixes are imported into the LISP database

Control-Plane#show lisp site
LISP Site Registration Information
* = Some locators are down or unreachable
# = Some registrations are sourced by reliable transport

Site Name      Last      Up     Who Last              Inst     EID Prefix
               Register         Registered            ID
site_uci       never     no     --                    4097     0.0.0.0/0
               1w0d      yes#   192.168.12.10:43636   4099     20.20.20.0/24
               never     no     --                    4101     0.0.0.0/0
               1w0d      yes#   192.168.12.11:23932   4099     20.20.20.0/24

External prefix 20.20.20.0/24 is reachable via Border 1 (192.168.12.10) and Border 2 (192.168.12.11): both borders have registered it in instance-id 4099. The 0.0.0.0/0 rows show "never" and "no", which is the expected state: the default route is not registered as an EID, so Internet-bound traffic keeps following the External Border (PETR) path.
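Reading the `show lisp site` table by eye works for one prefix; across many VNs it is worth scripting the check behind Step 3. The block below is an added example, not from the slides or from Cisco: it parses the output shown above (reproduced inline as the sample, with the slide's own values) into one record per registration, then answers whether each expected external prefix is registered, up, and sourced by the expected number of distinct borders in its instance-id. The function names are invented; the row regex assumes the column layout of the sample.

```python
import re
from typing import Dict, List, Tuple

# The slide's output, reproduced here so the example runs offline.
SHOW_LISP_SITE = """\
Control-Plane#show lisp site
LISP Site Registration Information
* = Some locators are down or unreachable
# = Some registrations are sourced by reliable transport

Site Name      Last      Up     Who Last              Inst     EID Prefix
               Register         Registered            ID
site_uci       never     no     --                    4097     0.0.0.0/0
               1w0d      yes#   192.168.12.10:43636   4099     20.20.20.0/24
               never     no     --                    4101     0.0.0.0/0
               1w0d      yes#   192.168.12.11:23932   4099     20.20.20.0/24
"""

# One registration row: optional site name (continuation rows leave it blank), last
# register time, up flag with optional '*'/'#' markers, registering ETR or '--', instance-id,
# EID prefix. Header and legend lines do not match because 'Up' must be yes/no.
ROW = re.compile(
    r"^(?P<site>\S+)?\s+(?P<last>\S+)\s+(?P<up>yes|no)(?P<flags>[*#]*)\s+"
    r"(?P<who>--|\d+\.\d+\.\d+\.\d+(?::\d+)?)\s+(?P<iid>\d+)\s+(?P<eid>\S+)\s*$")


def parse_lisp_site(text: str) -> List[dict]:
    """One dict per registration row; the site name carries over to continuation rows."""
    rows, site = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        site = m.group("site") or site
        who = m.group("who")
        rows.append({
            "site": site,
            "up": m.group("up") == "yes",
            "flags": m.group("flags"),
            "etr": None if who == "--" else who.split(":")[0],   # RLOC without the port
            "iid": int(m.group("iid")),
            "eid": m.group("eid"),
        })
    return rows


def registered_by(rows: List[dict], iid: int, eid: str) -> List[str]:
    """Distinct ETR RLOCs that currently register eid in instance iid (Up == yes)."""
    return sorted({r["etr"] for r in rows if r["iid"] == iid and r["eid"] == eid and r["up"] and r["etr"]})


def check_external_prefixes(rows: List[dict], expected: Dict[Tuple[int, str], int]) -> Dict[Tuple[int, str], Tuple[bool, List[str]]]:
    """expected maps (instance-id, prefix) to the minimum number of registering borders.
    Returns (ok, registering RLOCs) per prefix; a prefix no border registers is a gap
    in the fabric's view of the external domain, not just a redundancy loss."""
    result = {}
    for (iid, eid), n in expected.items():
        etrs = registered_by(rows, iid, eid)
        result[(iid, eid)] = (len(etrs) >= n, etrs)
    return result


if __name__ == "__main__":
    rows = parse_lisp_site(SHOW_LISP_SITE)
    # Two internal borders are expected for the DC prefix; the default route must stay unregistered.
    for key, (ok, etrs) in check_external_prefixes(rows, {(4099, "20.20.20.0/24"): 2}).items():
        print(key, "OK" if ok else "MISSING", etrs)
    print("default registered:", registered_by(rows, 4097, "0.0.0.0/0"))
```

Extend `expected` with every VN's external prefixes and run it against the live control plane node after any border or BGP change; a prefix that drops to a single registering RLOC is the first sign that one border's route-import has stopped.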