Cisco SD-Access - Integrating With Your Existing Network - Vedran Hafner

Cisco SD-Access - Connecting the Fabric to
External Networks
Vedran Hafner, Systems Engineer

Cisco’s Intent-based Networking
Learning
DNA Center
The Network. Intuitive.
Policy Automation Analytics
Intent Context
Network Infrastructure
Powered by Intent.
Informed by Context.
Switching Routers Wireless
Security
19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 3
19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia
What is SD-Access?
Campus Fabric + DNA Center (Automation & Assurance)
§ SD-Access – Available Aug 2017
DNAC
APIC-EM
1.X
GUI approach provides automation &
assurance of all Fabric configuration,
ISE NDP
management and group-based policy.
DNA Center Leverages DNA Center to integrate
external Service Apps, to orchestrate
your entire LAN, Wireless LAN and
WAN access network.
B B § Campus Fabric – Shipping Now

CLI or API form of the new overlay
C Fabric solution for your enterprise
Campus access networks.
Campus CLI approach provides backwards

compatibility and customization,
Fabric Box-by-Box. API approach provides
automation via NETCONF / YANG.
APIC-EM, ISE, NDP are all separate.

What is SD-Access?
Fabric Roles & Terminology
DNA § DNA Controller – Enterprise SDN Controller
APIC-EM
DNAC (e.g. DNA Center) provides GUI management
Identity Controller
and abstraction via Apps that share context
Services
ISE
§ Identity Services – External ID System(s)
Analytics (e.g. ISE) are leveraged for dynamic Endpoint
Engine to Group mapping and Policy definition
§ Analytics Engine – External Data Collector(s)
(e.g. NDP) are leveraged to analyze Endpoint
Fabric Border Fabric Wireless to App flows and monitor fabric status
Nodes Controller
B B § Control-Plane Nodes – Map System that
manages Endpoint to Device relationships
Control-Plane
Intermediate
C Nodes § Fabric Border Nodes – A Fabric device (e.g.
Nodes (Underlay) Core) that connects External L3 network(s)
to the SDA Fabric
Campus § Fabric Edge Nodes – A Fabric device (e.g.
Fabric Edge
Nodes
Fabric Access or Distribution) that connects Wired
Endpoints to the SDA Fabric
§ Fabric Wireless Controller – A Fabric device
(WLC) that connects Wireless Endpoints to
the SDA Fabric
SDA Fabric Border Functionality
What do customers need to know about the Fabric Border?
SD-Access Border
Border Nodes – Border and Default Border
Known Unknown
Networks Networks
B B
Border Default Border
• Connects the Campus Fabric to • Connects the Campus Fabric to
Known networks. (Use case 2.1 Un-Known networks (Use case 1)
and 2.2) • not part of the company network
• part of your company network
• Un-known networks are generally the
• Known networks are generally WAN, Internet and/or Public Cloud.
DC, Shared Services, etc.
• Responsible for advertising prefixes only
• Responsible for advertising prefixes to from (export) the local fabric to external
(import) and from (export) the local domain.
fabric and external domain.

Why Border Vs Default Border
SD-Access Fabric
Why Border vs Default Border?
Edge Node
IP Network B
Default Border External Network
Wan Edge WAN/Branch
DC Edge Datacenter
SD-Access Fabric
Why Border vs Default Border?
Edge Node
IP Network B
Default Border External Network
Border WAN/Branch
Border Datacenter
SD-Access Border Deployment Options
Use Case 1 : SDA fabric Connecting to Unknown Networks
B B
Un-Known Networks
Fabric Edge Nodes

Use Case 1: SDA fabric Connecting to Unknown Networks – A Closer Look
Public Cloud
C
B B
Internet
Fabric Edge Nodes

SD-Access Border
Use Case 1 : SDA fabric Connecting to Unknown Networks
• Default Border is a “Gateway of Last Resort” for

unknown destinations
• Connects to any “unknown” IP prefixes (e.g. Internet,

Public Cloud, 3rd Party, etc.) C
Known Unknown
Networks Networks
• Exports all internal IP Pools outside (as aggregate) into B B
traditional IP routing protocol(s).
• Default Border is a “default” domain exit point, if no
other (specific) entry present in Map System.
• Outside hand-off requires mapping the prefix context
(VRF & SGT) from one domain to another.
Fabric Edge Nodes

Use Case 1 : SDA fabric Connecting to Unknown Networks – Automation

Use Case 1 : SDA fabric Connecting to Unknown Networks – Automation

Use Case 2.1 : SDA fabric Connecting to known Networks
B B
Known Networks
Fabric Edge Nodes

SD-Access Deployment Options
Use Case 2.1 : SDA fabric Connecting to known Networks – A Closer Look
DC
C
B B
Branch
Fabric Edge Nodes

Use Case 2.2 : SDA fabric as a Transit Network
B B
External Domain 1 External Domain 2
Fabric Edge Nodes

SD-Access Border
Use Case 2 : SDA fabric Connecting to known Networks
• Border advertises Endpoints to outside, and known

Subnets to inside
• Connects to any “known” IP subnets attached to the C

outside network (e.g. DC, WLC, FW, etc.) Known
Networks
Unknown
Networks
B B
• Exports all internal IP Pools to outside (as aggregate),
using a traditional IP routing protocol(s).
• Imports and registers (known) IP subnets from outside,

into the Fabric Control Plane System
• Outside hand-off requires mapping the prefix context

(VRF & SGT) from one domain to another.
Fabric Edge Nodes

Use Case 2 : SDA fabric Connecting to known Networks – Automation

Use Case 2 : SDA fabric Connecting to known Networks – Automation

Use Case 3 : SDA fabric Connecting to known and Un-known Networks
Data Center
C
WAN
B B
Internet
Fabric Edge Nodes

Use Case 3 : SDA fabric Connecting to Everything– Automation

Fabric Border (Internal)
SD-Access Border
Border - Forwarding from Fabric Domain to External Domain
3 EID-prefix: 192.1.1.0/24
Path Preference
Mapping Locator-set: Controlled
Entry 2.1.1.1, priority: 1, weight: 100 (D1) by Destination Site
192.1.1.0/24
Branch
Border 5.1.1.1
Control Plane
5 2.1.1.1
nodes
10.1.1.1 à 192.1.1.1 5.2.2.2
SDA Fabric
4
1.1.1.1 à 2.1.1.1
10.1.1.1 à 192.1.1.1
1.1.1.1 Edge 1.1.2.1 1.1.3.1 Edge 1.1.4.1
2
10.1.1.1 à 192.1.1.1
1 S
Campus
DNS Entry: Campus
10.1.1.0/24 10.3.0.0/24
Bldg 1 Bldg 2
D.abc.com A 192.1.1.1

SD-Access Border
Border - Forwarding from External Domain to Fabric Domain
1
Routing Entry: 3 EID-prefix: 10.1.1.1/32
Send traffic to exit point of Path Preference
Mapping Locator-set: Controlled
domain(Internal Border)
Entry 1.1.1.1, priority: 1, weight: 100 (D1) by Destination Site
192.1.1.0/24
Branch
Border 5.1.1.1
Control Plane
2 2.1.1.1
nodes
192.1.1.1 à 10.1.1.1 5.2.2.2
SDA Fabric
4
2.1.1.1 à 1.1.1.1
192.1.1.1 à 10.1.1.1
1.1.1.1 Edge 1.1.2.1 1.1.3.1 Edge 1.1.4.1
5
192.1.1.1 à 10.1.1.1
D
Campus Campus
10.1.1.0/24 10.3.0.0/24 Bldg 2
Bldg 1

Default Border (External)
SD-Access Border
Default Border - Forwarding to External Domain
2 EID-Prefix: Not found , map-cache miss
Mapping Locator-Set: ( use-petr)
Entry 3.1.1.1, priority: 1, weight: 100 (D1)
INTERNET
193.3.0.0/24 D
4 Default
Border
10.2.0.1 à 193.3.0.1
3.1.1.1
5.1.1.1
Control Plane
nodes
3 5.2.2.2
SDA Fabric
1.1.2.1 à 3.1.1.1
10.2.0.1 à 193.3.0.1
1.1.1.1 Edge 1.1.2.1 1.1.3.1 Edge 1.1.4.1
1
10.2.0.1 à 193.3.0.1
Campus S Campus
Bldg 1 10.2.0.0/24 10.3.0.0/24 Bldg 2

SDA Fabric Border Design Considerations
Fabric Border Platform Support and Recommendations
SD-Access – Border Node
Platform Support
Catalyst 3K Catalyst 9K Catalyst 6K ASR1K & ISR4K Nexus 7K
• Catalyst 3850 • Catalyst 9300 • Catalyst 6800 • ASR 1000-X/HX • Nexus 7700
• 1/10G SFP+ • Catalyst 9400 • Catalyst 6500 • ISR 4451/4431 • Sup2E
• 10/40G NM Cards • Catalyst 9500 • Sup2T/6T • 1/10G/40G • M3 Cards
• IOS-XE 16.6.1+ • 40G QSFP • 6880-X or 6840-X • IOS-XE 16.6.1+ • NXOS 7.3.2+
• 10/40G NM Cards • IOS 15.5.1SY+
• IOS-XE 16.6.1+

SD-Access – Border Node Scale
Platform Scale
Catalyst
Catalyst3850
3K Catalyst 9500
Catalyst 9500 Catalyst
Catalyst 6K
6K ASR1K
ASR1K & ISR4K
ISR4K Nexus 7K
Nexus 7K
§ Virtual Networks: 64 § Virtual Networks: 256 § Virtual Networks: 512 § Virtual Networks: 4K § Virtual Networks: 500
§ SGT’s in Fabric: 4K § SGT’s in Fabric: 32K § SGT’s in Fabric: 30K § SGT’s in Fabric: 64K § SGT’s in Fabric: 64K
§ SGT ACL’s: 1350 § SGT ACL’s: 32K § SGT ACL’s: 30K § SGT ACL’s: 64K § SGT ACL’s: 64K
§ Security ACL’s: 3K § Security ACL’s: 18K § Security ACL’s: 32K § Security ACL’s: 4K § Security ACL’s: 128K
§ IPv4 TCAM: 16K/8K § IPv4 TCAM: 96K/48K § IPv4 TCAM: 256K § IPv4 TCAM: 1M § IPv4 TCAM: 1M
• Numbers listed are HW scale limits , SW numbers might be different

Fabric Border Design Options
Border Design Options
Use case 1: Border with Collocated Control Plane Node
10.1.1.1/24 1.1.1.1/32 2.1.1.1/32 192.1.1.1/24

B C
IP Network
10.1.1.0/24 BGP 192.1.1.0/24
Host Pool 10 Edge Node 1 Border + External Domain

Control Plane (DC,WAN)
Node
• The Border and Control Plane node is on the same device

• Border node must perform export (and/or import) of routes between domains
• Control Plane node maintains the database of every prefix/subnet in the Fabric Domain
• Simplified Design (no additional configuration)
• No additional routing protocols needed to synch Border & Control Plane
• Best when only a few Border nodes are used (e.g. 2 to 4 per Domain)
NOTE: Control Plane node scale is different on different platforms (select accordingly)

Use case 2: Border with Distributed Control Plane Node
C
5.1.1.1/32
Control-Plane Node
10.1.1.1/24 1.1.1.1/32 2.1.1.1/32 192.1.1.1/24

B
BGP
IP Network
10.1.1.0/24 OSPF 192.1.1.0/24
Host Pool 10 Edge Node 1 Border Node External Domain
• The Border node and Control plane node are different devices
• Device 1 - Border node must perform export (and/or import) of routes between domains
• Device 2 - Control Plane node maintains the database of every prefix/subnet in the Fabric Domain
• Additional configurations are required
• Need additional protocol (iBGP) to share EID mapping information from Border to Control Plane node.
• Multiple Border nodes can connect to the same Control Plane nodes (single or set of)
NOTE: Control Plane node scale is different on different platforms (select accordingly)

Border Resiliency Options
Multiple Borders - Loop Prevention
10.1.1.1/24
B
10.1.1.0/24
Border Node eBGP
Host Pool 10 Edge Node 1
SDA FABRIC
192.1.1.0/24
10.1.1.1/24
B eBGP
Shared Services
10.1.1.0/24
Host Pool 10 Edge Node 2 Border Node
• eBGP is preferred to break any loops caused by the bidirectional advertisement (redistribution) of routes
from the fabric to external domain (and vice-versa), when using multiple Internal Borders for redundancy.
• eBGP uses AS-Path loop prevention.
• If you are using any other protocol than eBGP, some appropriate loop prevention mechanism needs to be used
(distribute-list, prefix-list, or route tags with route-map, etc).

Fabric Border
One Box -vs- Two Box
SD-Access Fabric
Border Nodes – One Box vs. Two Box
OUT OUT
B
B
One Box Design IN
Two Box Design
IN
• Internal and External domain routing is on

the same device Internal and External domain routing are on
different devices
• Simple design, without any extra
configurations between the Border and Requires two Devices with BGP in between
to exchange connectivity and reachability
outside routers
information
• The Border device will advertise routes to
and from the Local Fabric domain to the This model is chosen if the Border does not
support the functionality (This can due to
External Domain
hardware or software support on the device)
to run the external domain on the same
device (e.g. DMVPN, EVPN, etc.)

One Box Border - Control Plane
CONTROL-PLANE
1
LISP External Domain(BGP/IGP)
C
B
B External
Domain
B

One Box Border - Data Plane
DATA-PLANE
2 External Domain(IP/MPLS/VXLAN)
VXLAN
C
B
B External
Domain
B

One Box Border - Policy Plane
POLICY-PLANE
3
SGT in VXLAN External Domain(IP ACL/SGT)
C
B
B External
Domain
B

Two Box Border - Control Plane
CONTROL-PLANE
11
LISP BGP External Domain(BGP/IGP)
C
B
B External
Domain
B

Two Box Border - Data Plane
DATA-PLANE
12
VXLAN VRF-LITE External Domain(IP/MPLS/VXLAN)
C
B
B External
Domain
B

Two Box Border - Policy Plane
POLICY-PLANE
13
SGT in VXLAN SGT Tagging External Domain ( IP ACL/SGT)
C
B
B External
Domain
B

Border Resiliency (HA)
Resiliency at the Border
Track or propagate events across domains
External
Border
Router
B IP Network
Border External
SDA Fabric Router External Domain

Use Case 1 : Track failures in the External Domain
CONTROL-PLANE LISP IGP/MP-BGP/BGP-EVPN
External
Border
Router
B IP Network
Border External
VXLAN/+SGT IP/MPLS/VXLAN
DATA-PLANE

Failures & Changes in the External Domain
External advertisements to reflect state of the External Domain
Border
B IP Network
Border
SDA Fabric External Domain
Border Routing Tables updated Host reachability from

to remove the faulty route(s) router is lost or degraded
Host advertisements from
this router are withdrawn

Use Case 1 : Track failures in the External Domain
q No additional configuration is needed on the fabric border to achieve resiliency.
q Traffic is re-routed away from the failure point based on routing

protocols configured on the fabric border.
q Convergence depends on the routing protocols convergence times.

Use Case 2.1: Track failures in the Fabric Domain @ Border and CP Co-located
External
Border
Router
B IP Network
Border External
DATA-PLANE

Failures & Changes in the SD-Access Fabric
Internal redistribution of Fabric state into External Domain @ Border and CP Co-located
I. Border and Control plane Node Co-located
Border
B
IP Network
SDA Fabric Border

External Domain
Registration State Border connectivity to Campus Prefix Routing Tables

Changes Communicated Fabric network is degraded – advertisements from updated to route
to Border this border withdrawn around failure
• How can this be tracked ?

Internal redistribution of Fabric state into External Domain @ Border and CP Co-located
q Since Border and Control Plane node are Co-located, when a Failure happens
the state of the network needs to be tracked and informed to the control plane
node so that the fabric border can withdraw its route advertisements.
q To Track the state of the Network we can use either an EEM script or Object
tracking.
q Since above requires configuration's on the border nodes an workaround to

alleviate this issue is explained in next slide.

Use Case 2.1 : Track failures in the Fabric Domain @ Border and CP Co-located
q As a workaround the border node’s can be Connected via

a Layer 3 link.
B B q This Layer 3 link/’s will have lesser cost to reach the

fabric edge nodes than the underlay , meaning when
underlay is available this direct connect link is not used.
q If one of the border’s connectivity to the underlay is

degraded then the traffic from external domain will come
to that border and using the Layer 3 link will flow to the
other border node and then on to the fabric edge nodes.
q Convergence times depends on routing protocol between

the border nodes

Use Case 2.2 : Track failures in the Fabric Domain @ Border and CP Distributed
C Border External
Router
B IP Network
BFD
Adjacency
Border External
DATA-PLANE

Internal redistribution of Fabric state into External Domain @ Border and CP Distributed
B
C
Border
BFD B
Adjacency IP Network
Border
SDA Fabric External Domain
• SDA fabric domain prefixes are advertised via BGP from Control Plane node to
Border node
• BGP adjacencies between Control Plane and Border node are monitored with
BFD
• Upon BFD adjacency fail, prefixes associated with the Border are withdrawn
immediately
• Fast Convergence (150-200ms)
Shared Services
with Border
Border Deployment Options
Shared Services (DHCP, AAA, etc) with Border
• Hosts in the fabric domain (in their respective Virtual Networks)

will need to have access to common “Shared Services”:
Ø Identity Services (e.g. AAA/RADIUS)
Ø Domain Name Services (DNS)
Ø Dynamic Host Configuration (DHCP)
Ø IP Address Management (IPAM)
Ø Monitoring tools (e.g. SNMP)
Ø Data Collectors (e.g. Netflow, Syslog)
Ø Other infrastructure elements
• These shared services will generally reside outside of the fabric domain.

Shared Services (DHCP, AAA, etc) with Border in Global Routing Table
B B APIC
EM
APIC-EM DHCP/ Identity Service

DNS
GRT
Shared Services

Shared Services (DHCP, AAA, etc) with Border in dedicated VRF
B B APIC
EM
APIC-EM DHCP/ Identity Service

VRF DNS
Fusion
Router Shared Services

WAN Connectivity
with Border
IWAN2.x Connectivity with Border - Control Plane
CONTROL-PLANE
11
LISP BGP DMVPN
C
B
B iWAN 2.x
12

IWAN2.x Connectivity with Border - Data Plane
DATA-PLANE * Recap
11
VXLAN VRF-LITE DMVPN
C
B
B iWAN 2.x
12

IWAN2.x Connectivity with Border - Policy Plane
POLICY-PLANE
11
SGT in VXLAN SGT Tagging SGT in DMVPN
C
B
B iWAN 2.x
12

Viptela SD-WAN hand off CONTROL-PLANE
LISP VRF-LITE
Viptela Control Plane VRF-LITE
LISP
WAN App
C Border vEdge
vEdge Border C
B B B
B
SD-WAN
DNA Center
SXP with ISE

SDA Fabric Site 1 SDA Fabric Site 2
DOT 1Q DOT 1Q
VXLAN+SGT Viptela Data Plane VXLAN + SGT
DATA+POLICY PLANE
Multiple Fabric Domains Connectivity with Border
Multiple Fabric Domains
B B B B
VRF- LITE

CONTROL-PLANE
11
LISP BGP/IGP LISP
B B B B

DATA-PLANE
12
VXLAN VRF-LITE/IP/MPLS VXLAN
B B B B

POLICY-PLANE
12
SGT in VXLAN SGT Tagging/SXP SGT in VXLAN
B B B B
SXP Connection between the Border’s

for SGT information exchange
* Check Platform support if using the SXP Model

CONTROL-PLANE
1
LISP DMVPN/GRE LISP
c c
B B B B
IP Network
DATA+POLICY-PLANE
12
VXLAN+SGT IP+SGT inline tagging VXLAN+SGT

CONTROL-PLANE
11 LISP LISP
c c
B N7K
B B
1 Fabric Domain 1 Fabric Domain 2

VXLAN+SGT
12 VXLAN+SGT
DATA+POLICY-PLANE

SD-Access Multi-Site
C9K
IOS-XE 16.8
East Site
West Site
Transit Site
Control Plane
South Site Border Router
Edge

SD-Access Multi-Site
West site Prefixes Only East + West East site Prefixes Only
Register west Register east

prefixes prefixes
West Site
Transit Site East Site
BR-W BR-E
Control Plane
Border Router
Edge

Service Chaining
with Border
Service Chaining with Border
Non-Cisco Firewall: Cisco Firewall :

• Firewall is connected externally to the • Firewall is connected externally to the Campus Fabric.
Campus Fabric.
• The prefixes from the local Campus Fabric domain will
• The prefixes from the local Campus be advertised to the firewall with a routing protocol of
Fabric domain will be advertised to the choice.
firewall with a routing protocol of choice.
• SXP connection between ISE and Firewall used for
• Firewall policy is based Interface or derivation of SGTs on the Firewall.
Subnet IP/mask and IP ACL’s.
• Firewall policy is based on SGT’s and SG ACL’s
(Group based Policy).
• Firewall also has Interface or Subnet IP based policy,

for brownfield integration
Service Chaining with Border - Firewall
B
B
B
Firewall

Service Chaining with Border - Firewall
CONTROL-PLANE
1
LISP BGP/IGP
B
B
B
Firewall

Service Chaining with Border – Data-Plane (Routed firewall)
DATA-PLANE
2
VXLAN VRF-LITE
B
B
B
Firewall

Service Chaining with Border – Policy Plane
POLICY-PLANE
3
SGT in VXLAN SGT in-line Tagging
B
B
B
Firewall

Service Chaining with Internal Border – Cisco Firewall, Checkpoint
ISE
POLICY-PLANE
3
SGT in VXLAN SGT in-line Tagging
Group Tags
B SXP/PXGRID
B
B
Firewall
Firewall gets Group

Based Tags from ISE

Data Center Connectivity
with Border
Data Center Connectivity With Border – ACI Fabric
CONTROL-PLANE
BGP/IGP
1 LISP
B
ACI Fabric
Border
Map Server B
Border
SDA Fabric Border Leaf’s
DATA-PLANE
2
VXLAN+SGT VRF-LITE

SD-Access SGTs Provisioned in ACI
SD-Access Domain ISE ACI

ISE dynamically provisions
SGTs and IP mappings
(SXP service) into APIC-
DC
EXT- EXT-
EPG1 EPG3
Security Groups External (Outside Fabric) EPGs

ACI EPGs Automatically Propagated into SD-Access
ACI
ISE
ISE dynamically learns
EPGs and VM Bindings
from ACI fabric – shared to
SXP
VM1
SD-Access Domain VM25
Security Group from APIC-DC Internal (Inside Fabric) EPGs

Enabling Group-based Policy in each Domain
DB DB
SG-FW
SG-ACL
Contract
Campus / Branch Data Center

SD-Access Policy Domain APIC
APIC Policy Domain
Voice Employee Supplier BYOD

Web App DB
Voice Data
VLAN VLAN SD-Access ACI Fabric

SD-Access SGT Info Used in ACI Policies
ISE
SD-Access Policy Domain ACI Policy Domain
ISE Retrieves:
Controller Layer
ISE Exchanges:
Controller Layer
EPG Name:
SGT PCI EPGAuditor
Name:
EPG Binding = 10.1.100.52
SGT Binding = 10.1.10.220
PCI EPG
EPG Name = Auditor 10.1.100.52
Groups= 10.1.10.220
Network Layer
Network Layer
17000 ACI Spine (N9K)

5 Plain
SRC:10.1.10.220 SRC:10.1.10.220
SRC:10.1.10.220 SD-Access Ethernet DST: 10.1.100.52
DST: 10.1.100.52
DST: 10.1.100.52
SGT: 5 (no CMD) EPG
ACI Leaf
ACI Border PCI
Auditor Leaf (N9K) (N9K) 10.1.100.52
10.1.10.220
SGT Groups available in ACI Policies

BRKCRS-2811 87
Take Away
When to get started?
SD-Access Support
Fabric ready platforms for your digital ready network
Switching Routing Wireless Extended

NEW Catalyst 9400
ASR-1000-X AIR-CT5520 NEW
NEW Catalyst 9300
NEW
AIR-CT8540 CDB
ASR-1000-HX NEW
Catalyst 9500
AIR-CT3504
ISR 4430 NEW
3560-CX
BRKCRS-
NEW
2811 Wave 2 APs (1800,2800,3800)
Catalyst 4500E Catalyst 6800 Nexus 7700 ISR 4450
IE (2K/3K/4K/5K)
Catalyst 3650 and 3850 ISRv/CSRv Wave 1 APs* (1700,2700,3700)
* with Caveats
The First Step…
#NewEra
#CiscoDNA
#NetworkIntuitive

Cisco SD-Access - Integrating With Your Existing Network - Vedran Hafner

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cisco SD-Access - Integrating With Your Existing Network - Vedran Hafner

Uploaded by

Copyright:

Available Formats

Cisco SD-Access - Connecting the Fabric to

Vedran Hafner, Systems Engineer

B B § Campus Fabric – Shipping Now

Campus CLI approach provides backwards

APIC-EM, ISE, NDP are all separate.

19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 8

Default Border External Network

Wan Edge WAN/Branch

Default Border External Network

Fabric Edge Nodes

19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 12

19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 13

• Default Border is a “Gateway of Last Resort” for

• Connects to any “unknown” IP prefixes (e.g. Internet,

Fabric Edge Nodes

19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 14

19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 15

19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 16

Fabric Edge Nodes

19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 17

Fabric Edge Nodes

19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 18

External Domain 1 External Domain 2

Fabric Edge Nodes

19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 19

• Border advertises Endpoints to outside, and known

• Connects to any “known” IP subnets attached to the C

• Imports and registers (known) IP subnets from outside,

• Outside hand-off requires mapping the prefix context

19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 20

19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 21

19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 22

19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 23

19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 24

19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 26

19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 27

1.1.1.1 Edge 1.1.2.1 1.1.3.1 Edge 1.1.4.1

19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 29

Catalyst 3K Catalyst 9K Catalyst 6K ASR1K & ISR4K Nexus 7K

19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 32

• Numbers listed are HW scale limits , SW numbers might be different

10.1.1.1/24 1.1.1.1/32 2.1.1.1/32 192.1.1.1/24

Host Pool 10 Edge Node 1 Border + External Domain

• The Border and Control Plane node is on the same device

19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 35

10.1.1.1/24 1.1.1.1/32 2.1.1.1/32 192.1.1.1/24

Host Pool 10 Edge Node 1 Border Node External Domain

19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 36

Host Pool 10 Edge Node 2 Border Node

19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 37

• Internal and External domain routing is on

19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 39

19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 40

19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 41

19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 42

19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 43

19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 44

19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 45

19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 47

19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 48

Border Routing Tables updated Host reachability from

19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 49