
Build a Software Defined Enterprise with Cisco SD-WAN and Cisco SD-Access
Satish Kondalam - Technical Marketing Engineer
Markus Harbeck - Consulting Systems Engineer
BRKCRS-2818

Cisco DNA Center: Policy, Automation, Analytics

Short Hint from Markus:
“My English might be bad but although sexy”
Source: Henning Bornemann – “Thank you for Deutsche Bahn”

#CLUS BRKCRS-2818 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Who is Markus Harbeck ???
Personal:
 Location: Eschborn, Germany (near Frankfurt) but lives in Bavaria
 Other Interests: My family, 2 kids, Horse back riding, motor cycling

My Background:
 CLI Junkie since 1996 for all Routing and Switching
 Joined CISCO October 2010
 Before; 12 years, operations, engineering, application engineering at Lufthansa Systems
 Drives Cisco DNA Center, Automation and Analytics in EMEAR and loops in the development team and Business Unit
 Book Author – Cisco DNA Assurance 2018

Current Projects:
 Cisco DNA Center since day1 in 2014
 Analytics, Assurance
 Network Transformation
 Network Automation
 SDA, ITSM

[Photos: “My Kids view on Cisco DNA Center and Network Design” – Copyright by Hanna, Copyright by Saskia]
Who is Satish Kondalam ???
Personal:
 Location: From India, but lives in San Jose, USA now
 Other Information: Watching and Playing basketball (huge Lebron James fan, Go Raptors), Skiing, 8 month old son

My Background:
 Joined CISCO August 2010
 Drives Cisco DNA Center, Cisco SD-Access and Multi Domain Architecture for the Business Unit
 Book Author – Cisco SD-Access 2018

Current Projects:
 Cisco SD-Access day1 in 2014
 Connecting Cisco’s Different Islands together

[Photos: “My expression before we started working on Multi Domain Integration” / “Me, after working on the Multi Domain Integration”]

Multidomain enables the network power of end to end segmentation and policy
OT | Campus | Branch | DC | Cloud | SP | Security
Cisco Webex Teams
Questions? Use Cisco Webex Teams to chat with the speaker after the session

How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

Webex Teams will be moderated by the speaker until June 16, 2019.
cs.co/ciscolivebot#BRKCRS-2818
Agenda
• Why is Cross Domain Integration Needed
• Multidomain Basics
• Introduction to Cisco SD-Access
• Introduction to Cisco SD-WAN
• End to End Segmentation and Policy
• What is Cross Domain Integration
• How is the Multidomain Integration Achieved
• Cisco SD-Access connectivity to Cisco SD-WAN Demo
• Summary and Conclusion
Session expectations
[Chart: Technical Level (Low Level to High Level) over Session progress, drawn as a TCP slow-start curve]

That is not a TCP Session! It’s an SDA & SD-WAN Session!

We will first do an introduction to SD-Access and to SD-WAN, to bring everyone to the same level!

Then share the details around Multi Domain!

Note: TCP Slow Start is part of the congestion control algorithms put in place by TCP to help control the amount of data flowing through to a network.
Source: https://www.keycdn.com/support/tcp-slow-start/
Why is Cross Domain Integration Needed
Software Defined Enterprise end-to-end network
Why do we build Networks?
[Figure: Users (Consumers) – Applications (Providers)]

It should be simple
[Figure: Users (Consumers) – Access/WAN Network – Data Center Network – Applications (Providers)]

Access Network Domains
[Figure: Users (Consumers) – Cisco SD-Access – Cisco SD-WAN – Cloud Edge / Data Center Network – Applications (Providers)]

It’s a multi-cloud world
[Figure: Users (Consumers) – Cisco SD-Access – Cisco SD-WAN – Data Center / Public Cloud (IaaS) / SaaS / Internet (Direct Internet Access) – Applications (Providers)]

… and a multi-access world
[Figure: Users (Consumers) on Campus, Branch, LTE and Off-prem, through SD-WAN + SD-Access, to Data Center / Public Cloud (IaaS) / SaaS / Internet (Direct Internet Access) – Applications (Providers); a Trust boundary is marked between the enterprise domains and the outside]

Reeling things back in – the Integrated Access Network
[Figure: Users (Consumers) – Integrated Cisco SD-Access with Cisco SD-WAN – Data Center / Public Cloud (IaaS) / SaaS / Internet (Direct Internet Access) – Applications (Providers)]
Each Domain Must Support Its Unique Role
SD-Access (Cisco DNA Center) | SD-WAN (Cisco vManage) | ACI (Cisco APIC)
Campus and IoT | Branch/WAN | Data Center and Cloud
Users & Devices | Hybrid Cloud | Data & Applications
• Identify and onboard everything | • Deliver application experience | • Automate resources and workloads
• Authenticate and authorize access | • Secure internet and cloud access | • Prevent data breaches

The domains must cooperate to meet business intent: Segmentation | App SLA | Security
Multidomain Basics
What is a Fabric High Level view?
• Layer 3 based Underlay with Load Balancing
• Behaves as one big Switch / Router for the endpoints
• Hides complexity from end user
• A Packet in same packet out
• Traffic independent (L2, L3, Multicast etc.)
• Uses Overlay to transport different traffic types
• Offers Macro and Micro Segmentation built in
• Treats packet the same end to end
• Preserves policy information

Fabric Terminology (General)
[Figure: Overlay Network with an Overlay Control Plane and Encapsulation between Edge Devices; Hosts (End-Points) attach to the Edge Devices; Underlay Network with an Underlay Control Plane]
LAN Automation Principles for Multidomain
[Figure: WAN – cEdge = Seed, cEdge = secondary – Intermediate – Edge Node]
 Ease of new LAN network deployments for Campus or Branch networks
 Automate underlay connectivity between the LAN and WAN Edge
 Complete network automation to accelerate building Multidomain overlay networks

Why LAN Automation for Multidomain
[Reference Topology: DNA-Center and vManage manage two SD-Access Fabric Sites, SFO 11 and SJC 23 (each with Border B, Control Plane C and Edge nodes), joined through cEdge routers by an SD-Access Transit (SD-WAN); legend: C = Control Plane, B = C-edge Router, Edge; SDA – SDW – SDA]

LAN Automation setup
[Screenshot]

LAN Automation result
[Figure: cEdge – Edge Node]

Future Brownfield Solution
[Figure: DNA-Center – API – vManage; SD-Access Fabric Site (Border, Control Plane) – SD-Access Transit (SD-WAN) with Border – SD-Access Fabric Site; SDA – SDWAN – SDA]
SD-Access – some insights
We know you may have seen BRKCRS-2810 with SDA Basics but we need to get everyone up to speed!
What is Cisco SD-Access?
Campus Fabric + Cisco DNA Center (Automation & Assurance)

 SD-Access
GUI approach provides automation & assurance of all Fabric configuration, management and group-based policy.
Cisco DNA Center integrates multiple management systems, to orchestrate LAN, Wireless LAN and WAN access.

 Campus Fabric
CLI or API approach to build a LISP + VXLAN + CTS Fabric overlay for your enterprise Campus networks.
CLI provides backwards compatibility, but management is box-by-box. API provides device automation via NETCONF/YANG.

[Figure: Cisco DNA Center (APIC-EM, NCP 1.X, ISE, NDP, PI – separate management systems) on top of the Campus Fabric (Border B and Control Plane C nodes)]
Campus Fabric - Key Components
1. Control-Plane based on LISP
2. Data-Plane based on VXLAN
3. Policy-Plane based on CTS

Key Differences
• L2 + L3 Overlay -vs- L2 or L3 Only
• Host Mobility with Anycast Gateway
• Adds VRF + SGT into Data-Plane
• Virtual Tunnel Endpoints (Automatic)
• NO Topology Limitations (Basic IP)

SD-Access Fabric Key Components – VXLAN
1. Control-Plane based on LISP
2. Data-Plane based on VXLAN
ORIGINAL PACKET: ETHERNET | IP | PAYLOAD
PACKET IN LISP (Supports L3 Overlay Only): ETHERNET | IP | UDP | LISP | IP | PAYLOAD
PACKET IN VXLAN (Supports L2 & L3 Overlay): ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD
Fabric Roles & Terminology
 Cisco DNA Automation – provides simple GUI management and intent based automation (e.g. NCP) and context sharing
 Cisco DNA Assurance – Data Collectors (e.g. NDP) analyze Endpoint to App flows and monitor fabric status
 Identity Services – NAC & ID Systems (e.g. ISE) for dynamic Endpoint to Group mapping and Policy definition
 Control-Plane Nodes – Map System that manages Endpoint to Device relationships
 Fabric Border Nodes – A Fabric device (e.g. Core) that connects External L3 network(s) to the SDA Fabric
 Fabric Edge Nodes – A Fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SDA Fabric
 Fabric Wireless Controller – A Fabric device (WLC) that connects APs and Wireless Endpoints to the SDA Fabric
[Figure: Cisco DNA Center (NCP, NDP) and Identity Services (ISE) above a Campus fabric of Fabric Border Nodes (B), Control-Plane Nodes (C), Intermediate Nodes (Underlay), Fabric Edge Nodes (E) and a Fabric Wireless Controller]
Control-Plane Nodes – A Closer Look
Control-Plane Node runs a Host Tracking Database to map location information – it behaves like DynDNS
• A simple Host Database that maps Endpoint IDs to a current Location, along with other attributes
• Host Database supports multiple types of Endpoint ID lookup types (IPv4, IPv6 or MAC)
• Receives Endpoint ID map registrations from Edge and/or Border Nodes for “known” IP prefixes
• Resolves lookup requests from Edge and/or Border Nodes, to locate destination Endpoint IDs
[Figure: Control-Plane Nodes (C) above Border Nodes (B) connected to Known and Unknown Networks; Edge Nodes (E) below]

Edge Nodes – A Closer Look
Edge Node provides first-hop services for Users / Devices connected to a Fabric
• Responsible for Identifying and Authenticating Endpoints (e.g. Static, 802.1X, Active Directory)
• Register specific Endpoint ID info (e.g. /32 or /128) with the Control-Plane Node(s)
• Provide an Anycast L3 Gateway for the connected Endpoints (same IP address on all Edge nodes)
• Performs encapsulation / de-encapsulation of data traffic to and from all connected Endpoints

Border Nodes
Border Node is an Entry & Exit point for data traffic going Into & Out of a Fabric
There are 3 Types of Border Node!
• Internal Border (Rest of Company) – connects ONLY to the known areas of the company
• External Border (Outside) – connects ONLY to unknown areas outside the company
• Internal + External (Anywhere) – connects transit areas AND known areas of the company

Virtual Network – A Closer Look
Virtual Network maintains a separate Routing & Switching table for each instance
• Control-Plane uses Instance ID to maintain separate VRF topologies (“Default” VRF is Instance ID “4098”)
• Nodes add a VNID to the Fabric encapsulation
• Endpoint ID prefixes (Host Pools) are routed and advertised within a Virtual Network
• Uses standard “vrf definition” configuration, along with RD & RT for remote advertisement (Border Node)
[Figure: Virtual Networks Campus, IOT and Guest (VN) stretched across the fabric nodes]
Control Plane Roles & Responsibilities
Control Plane (CP) – C – LISP Map Server & Map Resolver
 EID to RLOC mappings
 Can be distributed across multiple LISP devices
Edge Node (EN) – E / Internal Border – B – LISP Tunnel Router xTR
 Register EID with Map Server
 Ingress / Egress (ITR / ETR)
External Border (BN) – B – LISP Proxy Tunnel Router PxTR
 Provides a Default Gateway when no mapping exists
 Ingress / Egress (PITR / PETR)

EID = Endpoint Identifier: Host Address or Subnet
RLOC = Routing Locator: Local Router Address = Loopback0
IID = Instance ID: VRF / VN
[Figure: RLOC Space – Border/CP nodes with Lo0 8.8.8.8 and 9.9.9.9, Edge Nodes with Lo0 1.1.1.1, 2.2.2.2 and 3.3.3.3. EID Space – hosts 10.2.2.11/16, 10.2.2.22/16, 10.2.2.33/16; Subnet 10.2.0.0 255.255.0.0 stretched across; VRF demo1 = IID 4099]
Control Plane Register
CP: show lisp site
EID            RLOC     IID
10.2.2.11/32   1.1.1.1  4099
10.2.2.22/32   2.2.2.2  4099
10.2.2.33/32   3.3.3.3  4099

EN1 - 1.1.1.1 and EN3 – 3.3.3.3: sh ip lisp eid-table vrf demo1 map-cache
EID  RLOC  IID
(empty – nothing resolved yet)

[Figure: DHCP Server 172.16.1.100/24 behind Border B (Lo0 8.8.8.8) and Control Plane C (Lo0 9.9.9.9); Edge Nodes E with Lo0 1.1.1.1, 2.2.2.2, 3.3.3.3 hosting 10.2.2.11, 10.2.2.22, 10.2.2.33; Subnet 10.2.0.0 255.255.0.0 (or /16) stretched across; VRF demo1 = IID 4099]

Control Plane Resolution
Where is 10.2.2.33?
CP: show lisp site – same three /32 entries as above
EN1 - 1.1.1.1: sh ip lisp eid-table vrf demo1 map-cache (after resolution)
EID        RLOC     IID
10.2.2.33  3.3.3.3  4099

Fabric Internal Forwarding (Edge to Edge)
1 Source S (10.2.2.11) resolves the destination: DNS Entry D.abc.com A 10.2.2.33
2 10.2.2.11 → 10.2.2.33 arrives at EN1
3 EN1 resolves via the CP: EID-prefix 10.2.2.33/32, Mapping Locator-set: Entry 3.3.3.3, priority: 1, weight: 100
4 EN1 encapsulates: outer 1.1.1.1 → 3.3.3.3, inner 10.2.2.11 → 10.2.2.33
5 EN3 de-encapsulates and delivers 10.2.2.11 → 10.2.2.33 to D
[Subnet 10.2.0.0 255.255.0.0 stretched across; VRF demo1 = IID 4099]
Border Nodes – Anywhere / Internal + External Border (used for SD-WAN integration)
Anywhere / Internal + External Border is a “One all exit point” for any known and unknown destinations
• Connects to any “unknown” IP subnets, outside of the network (e.g. Internet, Public Cloud) and “known” IP subnets available from the outside network (e.g. DC, WLC, FW, etc.)
• Imports and registers (known) IP subnets from outside, into the Control-Plane Map System except the default route.
• Exports all internal IP Pools outside (as aggregate) into traditional IP routing protocol(s).
[Figure: Border B with Control Plane C between Known Networks and Unknown Networks]
Border Control Plane Resolution
Where is 172.16.1.100 (off SDA)?
Border learns the prefix from the External Entity (192.168.1.2) via eBGP / iBGP:
Network         Next Hop     VRF
172.16.1.0/24   192.168.1.2  demo1

Border: sho ip lisp instance-id 4099 route-import database
Prefix          Uptime  Source
172.16.1.0/24   6w3d    bgp 65123

EN1 - 1.1.1.1: sh ip lisp eid-table vrf demo1 map-cache
EID             RLOC     IID
172.16.1.0/24   8.8.8.8  4099

[Figure: External Entity 172.16.1.100/24 (192.168.1.2) – Border B 192.168.1.1 (Lo0 8.8.8.8) – CP C (Lo0 9.9.9.9); Edge Nodes E 1.1.1.1, 2.2.2.2, 3.3.3.3 with hosts 10.2.2.11, 10.2.2.22, 10.2.2.33; Subnet 10.2.0.0 255.255.0.0 stretched across; VRF demo1 = IID 4099]

Fabric External Forwarding (Edge to Border)
1 DNS Entry: D.abc.com A 172.16.1.100
2 10.2.2.11 → 172.16.1.100 arrives at EN1
3 EN1 resolves via the CP: EID-prefix 172.16.1.0/24, Mapping Locator-set: Entry 8.8.8.8, priority: 1, weight: 100
4 EN1 encapsulates: outer 1.1.1.1 → 8.8.8.8, inner 10.2.2.11 → 172.16.1.100
5 Border de-encapsulates and forwards 10.2.2.11 → 172.16.1.100 to the External Entity

Fabric External Forwarding (Border to Edge)
1 172.16.1.100 → 10.2.2.11 leaves the External Entity (192.168.1.2)
2 External Entity: sho ip route – Prefix 10.2.0.0/16, NextHop 192.168.1.1 (the Border)
3 Border resolves via the CP: EID-prefix 10.2.2.11/32, Mapping Locator-set: Entry 1.1.1.1, priority: 1, weight: 100
4 Border encapsulates: outer 8.8.8.8 → 1.1.1.1, inner 172.16.1.100 → 10.2.2.11
5 EN1 de-encapsulates and delivers 172.16.1.100 → 10.2.2.11 to S
[Subnet 10.2.0.0 255.255.0.0 stretched across; VRF demo1 = IID 4099]
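The registration, resolution and forwarding sequence on the preceding slides, as an added worked example (not Cisco's code and not part of the session material): a small Python model of a Map Server with one Instance ID, xTR edge nodes with an on-demand map-cache, and a border that imports an external prefix (route-import) and exports only the summary (summary-only). The class names and the 203.0.113.9 "unknown" address are assumptions for this illustration; the other addresses, the IID 4099 and the behaviours modelled are the slides' own.

```python
# Added example (not from the slides): toy model of the LISP map system.
# MapServer / EdgeNode / BorderNode are assumed names; the addresses and
# IID 4099 (VRF demo1) are taken from the slides.
import ipaddress
from collections import defaultdict


class MapServer:
    """Control-Plane node: EID -> RLOC mappings kept per Instance ID (VRF)."""

    def __init__(self):
        self.site_db = defaultdict(dict)  # iid -> {ip_network: rloc}

    def register(self, iid, eid_prefix, rloc):
        self.site_db[iid][ipaddress.ip_network(eid_prefix)] = rloc

    def resolve(self, iid, eid):
        """Map Resolver behaviour: longest-prefix match, None when no mapping exists."""
        addr = ipaddress.ip_address(eid)
        best = None
        for net, rloc in self.site_db[iid].items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, rloc)
        return best

    def show_lisp_site(self, iid):
        """Rows of 'show lisp site' for one instance: (EID, RLOC, IID)."""
        return sorted((str(n), r, iid) for n, r in self.site_db[iid].items())


class EdgeNode:
    """xTR: registers attached hosts (ETR) and encapsulates towards a RLOC (ITR)."""

    def __init__(self, rloc, map_server, iid, pxtr_rloc=None):
        self.rloc, self.ms, self.iid = rloc, map_server, iid
        self.pxtr_rloc = pxtr_rloc  # external border used when no mapping exists
        self.map_cache = {}         # dst EID -> RLOC, filled on first use

    def attach_host(self, host_ip):
        self.ms.register(self.iid, f"{host_ip}/32", self.rloc)

    def forward(self, src_ip, dst_ip):
        """The packet as the slides draw it: outer RLOCs, IID, inner EIDs."""
        if dst_ip not in self.map_cache:
            hit = self.ms.resolve(self.iid, dst_ip)
            self.map_cache[dst_ip] = hit[1] if hit else self.pxtr_rloc
        return {"outer_src": self.rloc, "outer_dst": self.map_cache[dst_ip],
                "iid": self.iid, "inner_src": src_ip, "inner_dst": dst_ip}


class BorderNode(EdgeNode):
    """Border: imports external prefixes into the map system, summarises pools outward."""

    def import_external(self, prefix):
        # 'ipv4 route-import database bgp ...': the BGP-learned prefix gets this RLOC
        self.ms.register(self.iid, prefix, self.rloc)

    def advertise_outside(self, aggregate):
        """'aggregate-address ... summary-only': the /32 host routes never leave the fabric."""
        agg = ipaddress.ip_network(aggregate)
        hosts = [n for n in self.ms.site_db[self.iid] if n.prefixlen == 32 and n.subnet_of(agg)]
        return [str(agg)] if hosts else []


def build_fabric():
    """Slide topology: VRF demo1 = IID 4099, border 8.8.8.8, edges 1.1.1.1 / 2.2.2.2 / 3.3.3.3."""
    ms = MapServer()
    border = BorderNode("8.8.8.8", ms, 4099)
    en1 = EdgeNode("1.1.1.1", ms, 4099, pxtr_rloc="8.8.8.8")
    en2 = EdgeNode("2.2.2.2", ms, 4099, pxtr_rloc="8.8.8.8")
    en3 = EdgeNode("3.3.3.3", ms, 4099, pxtr_rloc="8.8.8.8")
    for edge, host in ((en1, "10.2.2.11"), (en2, "10.2.2.22"), (en3, "10.2.2.33")):
        edge.attach_host(host)
    border.import_external("172.16.1.0/24")  # learned from the external entity via BGP
    return ms, border, en1, en3


if __name__ == "__main__":
    ms, border, en1, en3 = build_fabric()
    print(ms.show_lisp_site(4099))
    print(en1.forward("10.2.2.11", "10.2.2.33"))     # edge to edge: outer_dst 3.3.3.3
    print(en1.forward("10.2.2.11", "172.16.1.100"))  # edge to border: outer_dst 8.8.8.8
    print(en1.forward("10.2.2.11", "203.0.113.9"))   # no mapping: default to the PxTR border
    print(border.advertise_outside("10.2.2.0/24"))   # summary-only: ['10.2.2.0/24']
```

The unknown-destination case is the PxTR behaviour from the roles slide: when the Map Server has no entry, the edge sends the packet to the external border instead of dropping it, so only the border needs a default route.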
Internal Border routes advertised outside
[Figure: Host Pool 10 (10.2.2.0/24, gateway 10.2.2.1/24) – Edge Node 1 (1.1.1.1/32) – Border Node (8.8.8.8/32) – BGP – External Entity (192.168.1.1/24, IP Network 172.16.1.100/24); C = Control Plane]
• The Border node advertises the EID prefix into external protocol of choice (eBGP).
• The advertisement is summarized so that /32 host routes are not exposed to the external domain.
• Repeat for other IP Subnets and VRF’s in Fabric

Border Node configuration:
 router lisp
  locator-table default
  locator-set border
   ipv4-interface Loopback0 priority 10 weight 10
 !
 router bgp 65004
  !
  address-family ipv4 vrf USER
   redistribute lisp metric 10
   aggregate-address 10.2.2.0 255.255.255.0 summary-only
  exit-address-family

External routes advertised inside
[Figure: same topology as above]
• The Border also imports the external prefixes into the Campus Fabric LISP domain.
• Repeat for other IP Subnets and VRF’s in Fabric

Border Node configuration:
 router lisp
  locator-table default
  locator-set border
   ipv4-interface Loopback0 priority 10 weight 10
  !
  eid-table vrf USER instance-id 10
   ipv4 route-import database bgp 65004 locator-set border
  exit
 !
Cisco SD-WAN – some insights
We know you may have seen BRKCRS-2110 with SD-WAN Basics but we need to get everyone up to speed!
Cisco SD-WAN Architecture Overview
Orchestration = vBond (Orchestrator, ZTP/PnP)
Management = vManage (Multi-tenant or Dedicated), with vAnalytics and APIs
Control Plane = vSmart (Containers or VMs)
Data Plane = WAN Edge (vEdge, Cisco ISR/ASR/ENCS, Whitebox)
[Figure: WAN Edges in Data Center, Campus, Branch, SOHO and Cloud, connected over 4G/LTE, Internet and MPLS transports]

vBond is SD-WAN Orchestrator
• Orchestrates connectivity between management, control and data plane
• Serves as the first point of authentication
• Requires public IP Address
• All other components need to know the vBond IP or FQDN
• Authorizes all control connections (white-list model)

vManage is NMS for SD-WAN
• Single-tenant or Multitenant
• Single pane of glass for Day 0, Day 1 and Day 2 operations
• Enables centralized provisioning and simplifies changes
• Supports REST API, CLI, Syslog, SNMP, NETCONF
• Provides real time alerting
• Role Based Access Control

vSmart is Centralized Control Plane
• Implements control plane policies, such as service chaining, traffic engineering and per-VPN topology
• Reduces complexity of the entire network
• Establishes peering with all WAN Edges, distributes connectivity and security context

WAN Edge is your SD-WAN Data Plane
• Provides secure data plane with remote WAN Edge routers
• Establishes secure control plane with vSmart controllers
• Implements data plane and application aware routing policies
• Exports performance statistics
• Physical or Virtual form factor
Unified Control Plane
• Overlay Management Protocol (OMP)
• TCP based extensible control plane protocol
• Runs between WAN Edge routers and vSmart controllers and between the vSmart controllers
  - Inside authenticated TLS/DTLS connections
• Advertises control plane context and policies
• Dramatically lowers control plane complexity and raises overall solution scale
[Figure: SD-WAN – every WAN Edge peers with the vSmart controllers, O(n) Control Complexity; Traditional – WAN Edges peer with each other, O(n^2) Control Complexity]
Note: WAN Edge routers need not connect to all vSmart Controllers

Data Plane Establishment
• Routes and encryption keys are advertised to vSmarts in OMP updates
• vSmarts advertise routes and encryption keys to WAN Edges in OMP updates
• SD-WAN fabric: IPsec between tunnel endpoints
Local Routes
- Local prefixes (OSPF/BGP)
- SD-WAN tunnel endpoints (TLOCs)
WAN Edge Security Context
- IPSec Encryption Keys
Fabric Routing: <prefix> via Transport Locator (TLOC)
[Figure: WAN Edges over MPLS and INET transports; OMP to the vSmart, IPSec Tunnel between WAN Edges]

Data Plane Liveliness and Quality
• Bidirectional Forwarding Detection (BFD)
• Path liveliness and quality measurement
  - Up/Down, loss/latency/jitter, IPSec tunnel MTU
• Runs between all WAN Edge routers in the topology
  - Inside SD-WAN tunnels
  - Across all transports
  - Operates in echo mode
  - Automatically invoked at SD-WAN tunnel establishment
  - Cannot be disabled
• Uses hello (up/down) interval, poll (app-aware) interval and multiplier for detection
  - Fully customizable per-WAN Edge, per-transport

Common Data Plane Communication
Per-Session Load Sharing | Per-Session Weighted | Application Pinning | Application Aware Routing
Active/Active | Active/Active | Active/Standby | SLA Compliant
MPLS + INET | MPLS + INET | MPLS + INET | MPLS + INET
– | – | SLA | SLA
Default | Device Configurable | Policy Enforced | Policy Enforced
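How the BFD measurements and the four data-plane modes above turn into a per-session path decision, as an added example (not Cisco's implementation and not from the slides): the hashing of the session, the SLA thresholds, the sample measurements and the function names are assumptions for this illustration; the four modes, the hello-interval times multiplier detection rule and the MPLS / INET transport names are the slides' own. The real WAN Edge decides this in policy; the block only makes the decision rules explicit.

```python
# Added example (not from the slides): per-session path selection on a WAN Edge
# under the four modes of the "Common Data Plane Communication" slide.
# Hash function, SLA values and sample measurements are assumptions.
import hashlib


def bfd_detection_time_ms(hello_ms, multiplier):
    """A path is declared down after `multiplier` consecutive missed hellos."""
    return hello_ms * multiplier


def sla_compliant(m, sla):
    """Application Aware Routing: every measured metric must be within the SLA."""
    return (m["up"] and m["loss_pct"] <= sla["loss_pct"]
            and m["latency_ms"] <= sla["latency_ms"]
            and m["jitter_ms"] <= sla["jitter_ms"])


def session_hash(flow):
    """Stable per-session value so every packet of one flow takes the same path."""
    digest = hashlib.sha256(repr(sorted(flow.items())).encode()).digest()
    return int.from_bytes(digest[:4], "big")


def choose_path(mode, flow, paths, sla=None, preferred=None, weights=None):
    """Return the transport for one session, or None when nothing usable is left.
    mode: 'load-sharing' (Active/Active), 'weighted' (Active/Active, weighted),
          'pinning' (Active/Standby on `preferred`), 'aar' (SLA compliant)."""
    live = sorted(t for t, m in paths.items() if m["up"])   # BFD up/down gate
    if not live:
        return None
    h = session_hash(flow)
    if mode == "load-sharing":
        return live[h % len(live)]
    if mode == "weighted":
        buckets = [(t, weights[t]) for t in live]
        r = h % sum(w for _, w in buckets)
        for t, w in buckets:
            if r < w:
                return t
            r -= w
        return buckets[-1][0]
    if mode == "pinning":
        if preferred in live:
            return preferred
        backups = [t for t in live if t != preferred]
        return backups[0] if backups else None
    if mode == "aar":
        ok = [t for t in live if sla_compliant(paths[t], sla)]
        if preferred in ok:
            return preferred
        return ok[h % len(ok)] if ok else None   # no compliant path: policy decides the fallback
    raise ValueError("unknown mode: %s" % mode)


# Constructed sample: BFD results per transport and an SLA an application needs.
PATHS = {
    "MPLS": {"up": True, "loss_pct": 0.1, "latency_ms": 40, "jitter_ms": 5},
    "INET": {"up": True, "loss_pct": 2.5, "latency_ms": 120, "jitter_ms": 35},
}
SLA = {"loss_pct": 1.0, "latency_ms": 100, "jitter_ms": 30}
FLOW = {"src": "10.2.2.11", "dst": "172.16.1.100", "sport": 51234, "dport": 443, "proto": 6}

if __name__ == "__main__":
    print(bfd_detection_time_ms(1000, 7))                       # 7000 ms with assumed values
    print(choose_path("load-sharing", FLOW, PATHS))
    print(choose_path("weighted", FLOW, PATHS, weights={"MPLS": 3, "INET": 1}))
    print(choose_path("pinning", FLOW, PATHS, preferred="INET"))  # INET
    print(choose_path("aar", FLOW, PATHS, sla=SLA))               # MPLS: INET breaks the SLA
```

The `aar` branch returning `None` is the case a practitioner should plan for: when no transport meets the SLA, whether the session falls back to the preferred path or is held is a policy choice, not something the measurements decide.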
The Mapping between SD-Access and SD-WAN
Function | SD-Access | SD-WAN
Management | Cisco DNA Center | vBond – UI; vManage – NMS
Control Plane | LISP | vSmart (OMP)
Data Plane Underlay | Based on RLOC | Based on TLOC
Data Plane Overlay | VXLAN | MPLS with IPSec
End to End Segmentation & Policy
Scalable Groups – A Closer Look
Scalable Group is a logical policy object to “group” Users and/or Devices
• Nodes use “Scalable Groups” to ID and assign a unique Scalable Group Tag (SGT) to Endpoints
• Nodes add a SGT to the Fabric encapsulation
• SGTs are used to manage address-independent “Group-Based Policies”
• Edge or Border Nodes use SGT to enforce local Scalable Group ACLs (SGACLs)
[Figure: Campus Users VN with SGTs 3, 4, 8, 11, 12, 17, 19, 23 and 25 assigned to endpoints behind the Edge Nodes]

Transport of VN’s and SGT’s
• SGT Segments are carried in VNs
  ‒ Nested hierarchy
  ‒ SGT mapped to VN at SDA Fabric Edge
  ‒ SGT carried in SD-WAN VPN´s (DP)
• Policy Decoupling
  ‒ VNs for network separation (forwarding plane)
  ‒ SGT are for user separation
• Use Cases:
  ‒ Closed user groups
  ‒ Business Entity separation
  ‒ Service Chaining via SDWAN VPNs
    • Inspection, Security, Logging etc.
[Figure: VN1 maps to VPN 65528 and carries SGT #1, #2, #8 and #15; Virtual Network #2 carries SGT #3, #4, #6 and #10]
Map Policy
[Screenshot]

Why Policy integration for Multidomain
[Reference Topology: DNA-Center and vManage; SD-Access Fabric Site SFO 11 (B, C, Edge) – cEdge – SD-Access Transit (SD-WAN) – cEdge – SD-Access Fabric Site SJC 23; VN + SGT inside each fabric, VPN + SGT across the SD-WAN; legend: C = Control Plane, B = C-edge Router, Edge; Security and Segmentation]

End to End Policy
[Figure: Fabric Sites SFO 11 and SJC 23 across the SD-WAN: VN 1 ↔ VPN 65528, SGT 100 ↔ SGT 100 carried end to end; Host 1 (VN 1, SGT 100) talks to Host 2 (VN 1, SGT 200); Enforcement at the destination]

Policy Mapping between SD-Access and SD-WAN
Function | SD-Access | SD-WAN
Macro Segmentation | VN (Virtual Network) | VPN (Virtual Private Network)
Micro Segmentation | SGT (Scalable Group Tag) | Carries SGT
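The end-to-end policy walk on the preceding slides (VN 1 to VPN 65528 and back, SGT 100 carried unchanged, enforcement at the destination edge), as an added worked example that is not part of the session material and not Cisco's code: `DomainMapper`, `SGACL`, `deliver`, the host-to-SGT bindings and the second VN are assumptions for this illustration; VN 1, VPN 65528 and SGT 100 / 200 are the slides' values. It also covers the failure cases a practitioner checks for: a VPN the remote site has no VN for, a destination not present in the VN, and an SGT pair with no permit rule.

```python
# Added example (not from the slides): VN <-> VPN mapping at the cEdge borders,
# SGT carried across SD-WAN, SGACL enforced at the destination edge.
# Class and function names, bindings and VN 2 are assumptions.


class DomainMapper:
    """cEdge view of macro segmentation: VN <-> VPN, one-to-one. The SGT is not translated."""

    def __init__(self, vn_to_vpn):
        self.vn_to_vpn = dict(vn_to_vpn)
        self.vpn_to_vn = {vpn: vn for vn, vpn in self.vn_to_vpn.items()}
        if len(self.vpn_to_vn) != len(self.vn_to_vpn):
            raise ValueError("VN to VPN mapping must be one-to-one")

    def to_sdwan(self, pkt):
        """Fabric -> SD-WAN: VN ID becomes the VPN ID carried in MDATA; SGT is copied."""
        if pkt["vn"] not in self.vn_to_vpn:
            return None                       # unmapped VN never enters the WAN
        if not 0 <= pkt["sgt"] < 1 << 16:
            raise ValueError("SGT is a 16-bit value")
        return {"vpn": self.vn_to_vpn[pkt["vn"]], "sgt": pkt["sgt"],
                "src": pkt["src"], "dst": pkt["dst"]}

    def to_sda(self, pkt):
        """SD-WAN -> fabric: VPN back to VN; a VPN this site has no VN for is dropped."""
        if pkt["vpn"] not in self.vpn_to_vn:
            return None
        return {"vn": self.vpn_to_vn[pkt["vpn"]], "sgt": pkt["sgt"],
                "src": pkt["src"], "dst": pkt["dst"]}


class SGACL:
    """Micro segmentation: (source SGT, destination SGT) -> 'permit' / 'deny'; unlisted pairs deny."""

    def __init__(self, rules):
        self.rules = dict(rules)

    def allows(self, src_sgt, dst_sgt):
        return self.rules.get((src_sgt, dst_sgt)) == "permit"


def deliver(pkt, site_a, site_b, sgacl, dst_bindings):
    """Host in site A -> cEdge A -> SD-WAN -> cEdge B -> destination edge enforcement.
    dst_bindings maps (VN, host IP) -> SGT as learned by site B's edge. Returns (delivered, reason)."""
    wan = site_a.to_sdwan(pkt)
    if wan is None:
        return False, "VN %d has no VPN mapping at the source site" % pkt["vn"]
    local = site_b.to_sda(wan)
    if local is None:
        return False, "VPN %d has no VN at the destination site" % wan["vpn"]
    dst_sgt = dst_bindings.get((local["vn"], local["dst"]))
    if dst_sgt is None:
        return False, "destination %s is not in VN %d at the destination site" % (local["dst"], local["vn"])
    if not sgacl.allows(local["sgt"], dst_sgt):
        return False, "SGACL denies SGT %d -> SGT %d" % (local["sgt"], dst_sgt)
    return True, "delivered in VN %d, SGT %d -> SGT %d" % (local["vn"], local["sgt"], dst_sgt)


# Constructed sample: SFO carries VN 1 and VN 2, SJC only VN 1; Host 2 (10.2.2.33) is SGT 200 in VN 1.
SFO = DomainMapper({1: 65528, 2: 65529})
SJC = DomainMapper({1: 65528})
POLICY = SGACL({(100, 200): "permit"})
SJC_BINDINGS = {(1, "10.2.2.33"): 200}
HOST1_PKT = {"vn": 1, "sgt": 100, "src": "10.2.2.11", "dst": "10.2.2.33"}

if __name__ == "__main__":
    print(deliver(HOST1_PKT, SFO, SJC, POLICY, SJC_BINDINGS))          # delivered
    print(deliver(dict(HOST1_PKT, sgt=300), SFO, SJC, POLICY, SJC_BINDINGS))  # SGACL denies
    print(deliver(dict(HOST1_PKT, vn=2), SFO, SJC, POLICY, SJC_BINDINGS))     # VPN 65529 unknown at SJC
```

The two mappers being separate objects is the point of the "Normalized APIs" slides later on: each site's cEdge only knows its own VN to VPN table, so an inconsistent table on one side shows up as a dropped packet at the destination rather than as a leak into another VN.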
Our dog “Bessi” at break
Transforming from CLI to automation lets you focus on “what really matters”

Exhausted? You need a break? We still have cool things to see!
 And yes she sleeps only! And transforms in her dreams 
What is Cross Domain Integration
Secure Productivity – Use Case
• User group engineering needs access to the development servers
• User group marketing needs access to Office365 and the Internet
  • They are often exposed to malware
• Building automation systems must be air-gapped in their own separate network
[Figure: Facilities → Building Automation Application; Engineering → Development Servers; Marketing → Office 365]

Secure Productivity – SD-Access Identity & Segmentation
• SD-Access identity services are critical to identifying users/things to deliver a trust centric security layer
• SD-Access segmentation (macro/micro) prevents lateral movement of malware to deliver the first layer of a threat centric security model
[Figure: Cisco DNA Center over SD-Access; Facilities, Engineering and Marketing segmented towards Building Automation Application, Development Servers and Office 365]

Secure Productivity – WAN/Campus/Branch
• The segmentation initiated in Cisco DNAC is seamlessly extended into the SD-WAN
• Guarantee secure segmentation pervasively and up close to the applications
[Figure: Cisco DNA Center and Cisco vManage joined by Normalized APIs; SD-Access and SD-WAN as Integrated Networking between the user groups and their applications]

Secure Productivity – Multi-domain experience
E2E Experiences: Automation and Policy; Security and Segmentation
[Figure: as above – Normalized APIs between Cisco DNA Center and Cisco vManage, Integrated Networking between SD-Access and SD-WAN, from Facilities / Engineering / Marketing to Building Automation Application / Development Servers / Office 365]
SD-Access site – One Fabric, multiple sites
Unified policy and e2e segmentation with survivability and failure containment from Campus to Data Center
[Figure: Building/Floor/Mini-site, Branch/Campus/Mega-site (SDA or Meraki) and Mega-site Cloud Edge (Secure access to Extranet, DC/Cloud, SaaS ZTN), joined by a Transit Area (SD-WAN) and a DMZ or Transit Area (Metro) to Private DC (ACI), vPC/VNET, Extranet Partner A and Extranet Partner B; legend: Control Plane, Border Router, Edge]
Intent Driven End-to-end: Mobility, Survivability, Scale, Segmentation, Policy
Multi-site with IP-based WAN Transit
[Figure: DNA-Center (MANAGEMENT & POLICY), SGTs in SXP via ISE; SD-Access Fabric Site (Border, C) – SD-Access Transit (Separate WAN) with Borders – SD-Access Fabric Site (Border, C); legend: Control Plane, Border Router, Edge]
CONTROL-PLANE: LISP | BGP / VRF-lite | MP-BGP / Other | BGP / VRF-lite | LISP
DATA-PLANE: VXLAN Header – SGT (16 bits), VNID (24 bits) | 802.1Q – VLAN ID (12 bits) | MPLS Labels | 802.1Q – VLAN ID (12 bits) | VXLAN Header – SGT (16 bits), VNID (24 bits)

Multi-site with Integrated SD-WAN Transit
[Figure: DNA-Center (MANAGEMENT & POLICY) – API – vManage; SD-Access Fabric Site (Border, C) – SD-Access Transit (SD-WAN) – SD-Access Fabric Site (Border, C); legend: Control Plane, Border Router, Edge]
CONTROL-PLANE: LISP | OMP | LISP
DATA-PLANE: VXLAN Header – SGT (16 bits), VNID (24 bits) | IPSec Header | CMD Header – SGT (16 bits) | MPLS Labels – VNID (24 bits) | VXLAN Header – SGT (16 bits), VNID (24 bits)
How is the Multidomain Integration achieved

Cisco SDA-SDWAN Integration Overview

[Figure: SDA Fabric Site 1 and SDA Fabric Site 2 (each with SDA Control Plane, SDA Border and SDA Edge) joined over the SDWAN Fabric (vSmart, vBond) by a cEdge Border on an ISR at each site; DNA-Center drives vManage over the REST API.]

Control plane:        LISP | OMP | LISP
Data + policy plane:  VXLAN-GPO | IPSec-MDATA (SGT) | VXLAN-GPO
SD-Access Header
MAC-in-IP with VN ID & Group ID

Underlay:
  Outer MAC Header (14 bytes, plus 4 optional bytes for 802.1Q)
    Dest. MAC              48 bits   Next-hop MAC address
    Source MAC             48 bits   Src VTEP MAC address
    VLAN Type 0x8100       16 bits   optional
    VLAN ID                16 bits   optional
    Ether Type 0x0800      16 bits
  Outer IP Header (20 bytes)
    Misc. Data             72 bits
    Protocol 0x11 (UDP)     8 bits
    Header Checksum        16 bits
    Source IP              32 bits   Src RLOC IP address
    Dest. IP               32 bits   Dst RLOC IP address
  UDP Header (8 bytes)
    Source Port            16 bits   Hash of inner L2/L3/L4 headers of the original frame; enables entropy for ECMP load balancing
    Dest Port              16 bits   UDP 4789
    UDP Length             16 bits
    Checksum 0x0000        16 bits
  VXLAN Header (8 bytes)
    VXLAN Flags RRRRIRRR    8 bits
    Segment ID             16 bits   Allows 64K possible SGTs
    VN ID                  24 bits   Allows 16M possible VRFs
    Reserved                8 bits
Overlay:
  Inner (Original) MAC Header
  Inner (Original) IP Header
  Original Payload
SDWAN Header
IP-in-IP with MDATA Field for VPN-ID and Group Tag

Underlay:
  Outer MAC Header
  Outer IP Header (20 bytes)
    Misc. Data             72 bits
    Protocol 0x11 (UDP)     8 bits
    Header Checksum        16 bits
    Source IP              32 bits   Src TLOC
    Dest. IP               32 bits   Dst TLOC
  UDP Header (8 bytes)
    Source Port            16 bits   Hash of inner L2/L3/L4 headers of the original frame; enables entropy for ECMP load balancing
    Dest Port              16 bits   UDP 500
    UDP Length             16 bits
    Checksum 0x0000        16 bits
  IPSec Header (8 bytes)
    SPI                    32 bits
    Sequence No.           32 bits
    Initialization Vector  0
  MPLS Label                         Supported types: 0x0 IPv4, 0x1 IPv6, 0x2 MDATA (XE 16.11), 0x3 FEC
  MDATA Header (4 bytes + 8 bytes)
    Reserved               12 bits
    Protocol                4 bits
    VPN ID                 16 bits   SDA VNID mapped to VPN ID (namespace translation); DNAC manages the translation across sites
    Flags                  32 bits
    TLV                    16 bits   Type 0x1 == SGT
    Data                   16 bits   SGT mapped here
Overlay:
  Inner (Client) IP Header
  Original Payload
  IPSec Trailer (18 bytes)

** IPSec AH also supported but not shown
Border Service Interface - Details
• Single box that is the Border for the LAN and WAN network.
• The SDWAN border “service interface” is the SDA fabric border interface.
• On the SDWAN side of the border it is a routed port only.
• On the SDA side of the border it can be a trunk port or sub-interfaces.
• The SDA LISP interface is anchored on a Loopback in an internal VRF (UNDERLAY VRF).
• SDA Fabric RLOCs are stored in this VRF. This is done to ensure that the RLOCs can be carried over the SD-WAN as service routes to the remote DC.
Border Service I/F - Control Plane Interworking

[Figure: SDA-Edge (E) - SD-WAN Border (B, C) - vSMART. The SDA control plane (LISP) and the SDW control plane (OMP) meet on the border, which imports/exports routes LISP<->OMP; service routes (EIDs) are advertised into OMP with VPN ID separation.]
Internal Border routes advertised outside

[Figure: Edge Node 1 (Host Pool 10, 10.2.2.0/16) - Border Node - SD-WAN (OMP); address labels 10.2.2.1/16, 1.1.1.1/32, 8.8.8.8/32.]

• The Border node advertises the EID prefix into the external protocol of choice (OMP).
• The advertisement is summarized so that /32 host routes are not exposed to the external domain.
• Repeat for other IP subnets and VRFs in the Fabric.

  router lisp
   locator-table default
   locator-set border
    IPv4-interface Loopback0 priority 10 weight 10
   !
  omp
   no shutdown
   address-family ipv4 vrf demo1
    advertise aggregate 10.2.0.0/16 aggregate-only
   !
   address-family ipv4
    advertise connected
    advertise lisp
Internal Border routes advertised outside

[Figure: Edge Node 1 (Host Pool 10, 10.2.2.0/16) - Border Node - SD-WAN (OMP); address labels 10.2.2.1/16, 1.1.1.1/32, 8.8.8.8/32.]

• The Border also imports the external prefixes into the Campus Fabric LISP domain.
• Repeat for other IP subnets and VRFs in the Fabric.

  router lisp
   locator-table default
   locator-set border
    IPv4-interface Loopback0 priority 10 weight 10
   !
   eid-table vrf USER instance-id 10
    ipv4 route-import database omp locator-set border
    exit
   !
Border Service I/F - Data Plane Interworking

[Figure: SDA-Edge (E) - SD-WAN Border (B, C) - vSMART. The SDA-Edge encapsulates the client packet in VXLAN-GPO carrying SGT + VNID. On the SD-WAN Border a RIB index / adjacency lookup selects the WAN port; the packet is decapsulated, the VNID is translated to the VPN ID, and the packet is re-encapsulated and encrypted as SDWAN-MDATA carrying SGT + VPN ID. Port roles: SDA client ports, SDA fabric ports, WAN ports.]
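The border's decapsulate / translate step for the VXLAN-GPO header laid out on the SD-Access Header slide, as an added Python example that is not from the slides or from Cisco's implementation. It assumes the VXLAN-GBP byte layout (flags, reserved byte, 16-bit group policy ID carrying the SGT, 24-bit VN ID, reserved byte); the VN-to-VPN table, the inner frame and the function names are constructed for the example, and the SD-WAN MDATA encoding itself is not reproduced.

```python
import struct

VXLAN_UDP_PORT = 4789   # UDP destination port of the VXLAN header on the slide
VXLAN_FLAG_I = 0x08     # "I" bit of the RRRRIRRR flags byte: VN ID field is valid
VXLAN_HDR_LEN = 8       # 8-byte VXLAN-GPO header


def build_vxlan_gpo(sgt: int, vnid: int, inner_frame: bytes) -> bytes:
    """Prepend a VXLAN-GPO header (assumed VXLAN-GBP byte layout: flags,
    reserved, 16-bit group policy ID = SGT, 24-bit VN ID, reserved)."""
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError("SGT must fit in 16 bits (64K possible SGTs)")
    if not 0 <= vnid <= 0xFFFFFF:
        raise ValueError("VN ID must fit in 24 bits (16M possible VRFs)")
    # The last 32 bits are the VN ID (24) followed by the reserved byte (8).
    return struct.pack("!BBHI", VXLAN_FLAG_I, 0, sgt, vnid << 8) + inner_frame


def parse_vxlan_gpo(payload: bytes):
    """Return (sgt, vnid, inner_frame) from a UDP/4789 payload, or None when
    the header is truncated or the I bit is clear (no valid VN ID)."""
    if len(payload) < VXLAN_HDR_LEN:
        return None
    flags, _rsvd, sgt, tail = struct.unpack("!BBHI", payload[:VXLAN_HDR_LEN])
    if not flags & VXLAN_FLAG_I:
        return None
    return sgt, tail >> 8, payload[VXLAN_HDR_LEN:]


def border_to_sdwan(payload: bytes, vn_to_vpn: dict, peer_carries_sgt: bool = True):
    """Model the border's decapsulate -> translate step: the VN ID is mapped
    to the SD-WAN VPN ID (the VN-to-VPN mapping that DNAC manages) and the SGT
    is carried unchanged. Returns (vpn_id, sgt, inner_frame), or None when the
    VN has no VPN mapping (there is no VPN to place the packet in). When the
    far side cannot carry the group tag ("SGT discarded" / "No SGT" cases in
    the compatibility table) the SGT is dropped and reported as None."""
    parsed = parse_vxlan_gpo(payload)
    if parsed is None:
        return None
    sgt, vnid, inner = parsed
    vpn_id = vn_to_vpn.get(vnid)
    if vpn_id is None:
        return None
    return vpn_id, (sgt if peer_carries_sgt else None), inner


# Constructed sample input: a minimal inner Ethernet frame and a VN-to-VPN table.
SAMPLE_INNER = bytes.fromhex("0000000000010000000000020800") + bytes(20)
SAMPLE_VN_TO_VPN = {4099: 10, 4100: 11}

if __name__ == "__main__":
    pkt = build_vxlan_gpo(17, 4099, SAMPLE_INNER)
    print(border_to_sdwan(pkt, SAMPLE_VN_TO_VPN))
```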
Routing Architecture – Protocols and Peering

[Figure: the border (B, C) with Lo0, provisioned by DNAC over NETCONF and by vManage. Supernet prefix: SDA EIDs (/32s) and SDWAN subnets; OMP aggregates the /32s, so only SDA aggregates and SDWAN prefixes are exchanged.
Service layer: OMP overlay peers (vSmart), LISP routes, VPNs, service overlay routes; VN and LISP on the SDA side, OMP on the SDWAN side.
Underlay layer: SDA RLOCs (LAN peer, ISIS, SDA_UNDERLAY VN) and SDWAN TLOCs (WAN peer, BGP, VPN0).]
Supported High Availability and Redundancy

[Figure: SDA Fabric Site with redundant Border/Control-plane nodes (B, C) in Active/Active, attached to MPLS and INET transports, with link / TLOC extension between the borders. WAN border selection policy (weight, preference, ECMP) comes from vManage. SDA side | SDWAN side.]
Management Model

NOTE: cEdge must have no existing Service Side configuration before it can be designated as a border.

[Figure: DNA-Center talks to vManage over REST calls and to the cEdge over NETCONF/YANG; vManage (with vSmart, vBond, OMP) manages the WAN underlay and the WAN side of the cEdge. Legend: SDA side / WAN side; Read Permission / Write Permission.]

SDA side (DNA-Center):
• vManage credentials
• Service-level VN configuration
• SDA side routing configuration
  – Interfaces, VXLAN
  – Routing (LISP)
• Provision SDA LAN Automation subnet
• SDA VN to SD-WAN VPN mapping
• Assurance: Syslog/SNMP config
  – All Assurance
  – Syslog/SNMP override (if desired)

WAN side (vManage):
• All SDWAN configuration and policy except
  – No LAN side templates (greyed)
  – Syslog/SNMP
Setup & Workflow – DAY 0

[Sequence between Admin, DNAC, vManage and the cEdge border (B, C):]
• Admin: bring up SDWAN and mark the devices used for SDA borders (in vManage).
• Admin: configure vManage info & credentials in DNAC.
• DNAC establishes trust with vManage (form-based auth); an SDWAN Transit object is created.
• vManage returns the entire list of VPNs and the SDA-marked devices.
• Admin: map VNs in DNAC to the VPNs from vManage.
• DNAC sends config data to vManage (underlay VN (VPN), Loopback IP, per-device credentials, etc.); vManage pushes the config data to the cEdge, which enables DNAC’s inventory collection.
• DNAC performs device discovery & inventory collection using the Loopback IP.
• Admin: configure SDA connectivity for the device.
• DNAC pushes config data (LAN, SDA configs, SNMP, logs collector, etc.) to the cEdge.
Workflow – DAY 1 & N

[Sequence between Admin, DNAC, vManage and the cEdge border (B, C):]

Assurance state & stats:
• cEdge sends Syslog & SNMP (data collection and traps) to DNAC.
• DNAC gets SDWAN Assurance data from vManage: health (devices, vSmart, vBond), alarms.

New VN creation:
• Admin: Day-N config, new VNs, in DNAC.
• DNAC sends the Day-N config (new VNs) to vManage.
• vManage pushes the config received from DNAC to the cEdge.
General Deployment Model

DNA-Center
• On-Prem Local
• On-Prem Remote

vManage
• On-Prem
• Public Cloud

C-edge Router (Border and Control Plane)
• Redundant pair (2 now)
• Collocated Ctrl-Plane

[Figure: SD-Access Fabric Site - Transit (SD-WAN) - SD-Access Fabric Site; each site has two cEdges acting as B and C nodes; LISP | OMP | LISP.]
Deployment Models with Remote DC

[Figure: two SD-Access Fabric Sites (B, C on C-edge; border redundancy not shown for simplicity) joined by the SD-Access Transit (SD-WAN) over the WAN underlay, with a remote DC Site and Public Cloud attached to the SD-WAN. Route exchange labels: DHCP prefixes, DC prefixes, host routes, SDA site aggregates, underlay prefixes; LISP | OMP | LISP.]
Deployment Models with Local DC Site

[Figure: DC Site attached to the SDA Fabric Site by VRF-lite; two SD-Access Fabric Sites (B, C on cEdge; border redundancy not shown for simplicity) joined by the SD-Access Transit (SD-WAN) over the WAN underlay, with Public Cloud on the SD-WAN. Route exchange labels: SDA site aggregates, underlay prefixes, underlay VN; LISP | OMP | LISP.]
Deployment Models with Fabric Wireless

[Figure: SDA Fabric Site with fabric wireless in the GRT; two SD-Access Fabric Sites (B, C on cEdge; border redundancy not shown for simplicity) joined by the SD-Access Transit (SD-WAN) over the WAN underlay, with Public Cloud on the SD-WAN. Route exchange labels: SDA site aggregates, underlay prefixes, underlay VN; LISP | OMP | LISP.]
Device Interworking Compatibility
* = Refer to Frame Formats

Packet From \ Packet To | SDWAN Border (new frame format*) | SDWAN cEdge post 16.12+ (new frame format*) | SDWAN cEdge pre 16.12 (legacy frame format) | vEdge (legacy frame format)
SDWAN Border            | SGT carried to SDA; interwork to SDA | SGT discarded; forward IPv4/IPv6 | Dropped | Dropped
SDWAN cEdge post 16.12+ | No SGT; interwork to SDA | No SGT; forward IPv4/IPv6 | No SGT; forward IPv4/6 | No SGT; forward IPv4/6
SDWAN cEdge pre 16.12   | No SGT; interwork to SDA | No SGT; forward IPv4/IPv6 | No SGT; forward IPv4/6 | No SGT; forward IPv4/6
vEdge                   | No SGT; interwork to SDA | No SGT; forward IPv4/IPv6 | No SGT; forward IPv4/6 | No SGT; forward IPv4/6

[Figure: SDA Site1 (C, B) - SDWAN with cEdge and vEdge devices - SDA Site2 (B, C).]
Border Element – Platform Support
ISR:
• ISR4221, ISR43xx, ISR-4431, ISR-4451
ASR:
• ASR1001-X, ASR1002-X, ASR1001-HX, ASR1002-HX

Not Supported:
• No ISRv/CSRv (future phase)
• No vEdge (no plans)
• C11xx
SDA/SDWAN Demo

Demo Topology

[Figure: SD-Access Fabric Site SFO 11 - Transit (SD-WAN) - SD-Access Fabric Site SJC 23; each site has two cEdges acting as B and C nodes (Border and Control Plane); DNA-Center drives vManage through its API; SDA | SDW | SDA.]
Summary, Conclusion & Vision

Comprehensive Security Across All Domains

[Figure: Cisco security portfolio across domains. Products: Cloud Access Security, Email Security, Enterprise Mobility Management, Threat intelligence, Secure Internet Gateway, Identity and Network Access Control, Advanced Threat, Web Security, Next-Gen FW/IPS, Cloud Workload Protection, Network Traffic Security Analytics. Domains: Secure Campus/Branch, Secure SD-WAN/Routers, DC & Cloud, WAN, Switches and Access Points. Cross-cutting: event visibility with context, automated policy.]
SDA / SDWAN integration

[Figure: Users and Devices enter through Software Defined Access, cross the Software Defined WAN (vManage) and reach the Data Center (ACI, APIC), Cloud Edge Services, Public Cloud, SaaS and the Internet.]
Session close to the end…

[Figure: technical level of the session (high level to low level) plotted over session progress.]

Have a drink on me! After the long journey... BUT PLS, ONE MORE SLIDE!!!!
Multidomain enables the network power of end to end segmentation and policy

OT | CAMPUS | BRANCH | DC | CLOUD | SP | SECURITY
Complete your online session evaluation
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live water bottle.
• All surveys can be taken in the Cisco Live Mobile App or by logging in to the Session Catalog on ciscolive.cisco.com/us.
Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com.
Continue your education
• Demos in the Cisco campus
• Walk-in labs
• Meet the engineer
• Related sessions
• 1:1 meetings
Thank you