Professional Documents
Culture Documents
Cisco SD-Access - Integrating With Your Existing Network - Vedran Hafner
Cisco SD-Access - Integrating With Your Existing Network - Vedran Hafner
External Networks
Learning
DNA Center
The Network. Intuitive.
Policy Automation Analytics
Intent Context
Network Infrastructure
Powered by Intent.
Informed by Context.
Switching Routers Wireless
Security
19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 3
19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia
What is SD-Access?
Campus Fabric + DNA Center (Automation & Assurance)
§ SD-Access – Available Aug 2017
DNAC
APIC-EM
1.X
GUI approach provides automation &
assurance of all Fabric configuration,
ISE NDP
management and group-based policy.
DNA Center Leverages DNA Center to integrate
external Service Apps, to orchestrate
your entire LAN, Wireless LAN and
WAN access network.
Known Unknown
Networks Networks
B B
Border Default Border
• Connects the Campus Fabric to • Connects the Campus Fabric to
Known networks. (Use case 2.1 Un-Known networks (Use case 1)
and 2.2) • not part of the company network
• part of your company network
• Un-known networks are generally the
• Known networks are generally WAN, Internet and/or Public Cloud.
DC, Shared Services, etc.
• Responsible for advertising prefixes only
• Responsible for advertising prefixes to from (export) the local fabric to external
(import) and from (export) the local domain.
fabric and external domain.
Edge Node
IP Network B
DC Edge Datacenter
19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 10
SD-Access Fabric
Why Border vs Default Border?
Edge Node
IP Network B
Border WAN/Branch
Border Datacenter
19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 11
SD-Access Border Deployment Options
Use Case 1 : SDA fabric Connecting to Unknown Networks
B B
Un-Known Networks
Public Cloud
C
B B
Internet
Fabric Edge Nodes
B B
Known Networks
DC
C
B B
Branch
B B
B B
• Exports all internal IP Pools to outside (as aggregate),
using a traditional IP routing protocol(s).
Data Center
C
WAN
B B
Internet
Fabric Edge Nodes
3 EID-prefix: 192.1.1.0/24
Path Preference
Mapping Locator-set: Controlled
Entry 2.1.1.1, priority: 1, weight: 100 (D1) by Destination Site
192.1.1.0/24
Branch
Border 5.1.1.1
Control Plane
5 2.1.1.1
nodes
10.1.1.1 à 192.1.1.1 5.2.2.2
SDA Fabric
4
1.1.1.1 à 2.1.1.1
10.1.1.1 à 192.1.1.1
1.1.1.1 Edge 1.1.2.1 1.1.3.1 Edge 1.1.4.1
2
10.1.1.1 à 192.1.1.1
1 S
Campus
DNS Entry: Campus
10.1.1.0/24 10.3.0.0/24
Bldg 1 Bldg 2
D.abc.com A 192.1.1.1
Border 5.1.1.1
Control Plane
2 2.1.1.1
nodes
192.1.1.1 à 10.1.1.1 5.2.2.2
SDA Fabric
4
2.1.1.1 à 1.1.1.1
192.1.1.1 à 10.1.1.1
1.1.1.1 Edge 1.1.2.1 1.1.3.1 Edge 1.1.4.1
5
192.1.1.1 à 10.1.1.1
D
Campus Campus
10.1.1.0/24 10.3.0.0/24 Bldg 2
Bldg 1
193.3.0.0/24 D
4 Default
Border
10.2.0.1 à 193.3.0.1
3.1.1.1
5.1.1.1
Control Plane
nodes
3 5.2.2.2
SDA Fabric
1.1.2.1 à 3.1.1.1
10.2.0.1 à 193.3.0.1
1
10.2.0.1 à 193.3.0.1
Campus S Campus
Bldg 1 10.2.0.0/24 10.3.0.0/24 Bldg 2
• Catalyst 3850 • Catalyst 9300 • Catalyst 6800 • ASR 1000-X/HX • Nexus 7700
• 1/10G SFP+ • Catalyst 9400 • Catalyst 6500 • ISR 4451/4431 • Sup2E
• 10/40G NM Cards • Catalyst 9500 • Sup2T/6T • 1/10G/40G • M3 Cards
• IOS-XE 16.6.1+ • 40G QSFP • 6880-X or 6840-X • IOS-XE 16.6.1+ • NXOS 7.3.2+
• 10/40G NM Cards • IOS 15.5.1SY+
• IOS-XE 16.6.1+
Catalyst
Catalyst3850
3K Catalyst 9500
Catalyst 9500 Catalyst
Catalyst 6K
6K ASR1K
ASR1K & ISR4K
ISR4K Nexus 7K
Nexus 7K
§ Virtual Networks: 64 § Virtual Networks: 256 § Virtual Networks: 512 § Virtual Networks: 4K § Virtual Networks: 500
§ SGT’s in Fabric: 4K § SGT’s in Fabric: 32K § SGT’s in Fabric: 30K § SGT’s in Fabric: 64K § SGT’s in Fabric: 64K
§ SGT ACL’s: 1350 § SGT ACL’s: 32K § SGT ACL’s: 30K § SGT ACL’s: 64K § SGT ACL’s: 64K
§ Security ACL’s: 3K § Security ACL’s: 18K § Security ACL’s: 32K § Security ACL’s: 4K § Security ACL’s: 128K
§ IPv4 TCAM: 16K/8K § IPv4 TCAM: 96K/48K § IPv4 TCAM: 256K § IPv4 TCAM: 1M § IPv4 TCAM: 1M
NOTE: Control Plane node scale is different on different platforms (select accordingly)
• The Border node and Control plane node are different devices
• Device 1 - Border node must perform export (and/or import) of routes between domains
• Device 2 - Control Plane node maintains the database of every prefix/subnet in the Fabric Domain
• Additional configurations are required
• Need additional protocol (iBGP) to share EID mapping information from Border to Control Plane node.
• Multiple Border nodes can connect to the same Control Plane nodes (single or set of)
NOTE: Control Plane node scale is different on different platforms (select accordingly)
192.1.1.0/24
10.1.1.1/24
B eBGP
Shared Services
10.1.1.0/24
• eBGP is preferred to break any loops caused by the bidirectional advertisement (redistribution) of routes
from the fabric to external domain (and vice-versa), when using multiple Internal Borders for redundancy.
• eBGP uses AS-Path loop prevention.
• If you are using any other protocol than eBGP, some appropriate loop prevention mechanism needs to be used
(distribute-list, prefix-list, or route tags with route-map, etc).
CONTROL-PLANE
1
LISP External Domain(BGP/IGP)
C
B
B External
Domain
B
2 External Domain(IP/MPLS/VXLAN)
VXLAN
C
B
B External
Domain
B
POLICY-PLANE
3
SGT in VXLAN External Domain(IP ACL/SGT)
C
B
B External
Domain
B
11
LISP BGP External Domain(BGP/IGP)
C
B
B External
Domain
B
12
VXLAN VRF-LITE External Domain(IP/MPLS/VXLAN)
C
B
B External
Domain
B
13
SGT in VXLAN SGT Tagging External Domain ( IP ACL/SGT)
C
B
B External
Domain
B
External
Border
Router
B IP Network
Border External
SDA Fabric Router External Domain
External
Border
Router
B IP Network
Border External
SDA Fabric Router External Domain
VXLAN/+SGT IP/MPLS/VXLAN
DATA-PLANE
Border
B IP Network
Border
SDA Fabric External Domain
External
Border
Router
B IP Network
Border External
SDA Fabric Router External Domain
VXLAN/+SGT IP/MPLS/VXLAN
DATA-PLANE
Border
B
IP Network
q Since Border and Control Plane node are Co-located, when a Failure happens
the state of the network needs to be tracked and informed to the control plane
node so that the fabric border can withdraw its route advertisements.
q To Track the state of the Network we can use either an EEM script or Object
tracking.
C Border External
Router
B IP Network
BFD
Adjacency
Border External
SDA Fabric Router External Domain
VXLAN/+SGT IP/MPLS/VXLAN
DATA-PLANE
B
C
Border
BFD B
Adjacency IP Network
Border
SDA Fabric External Domain
• SDA fabric domain prefixes are advertised via BGP from Control Plane node to
Border node
• BGP adjacencies between Control Plane and Border node are monitored with
BFD
• Upon BFD adjacency fail, prefixes associated with the Border are withdrawn
immediately
• Fast Convergence (150-200ms)
19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 56
Shared Services
with Border
Border Deployment Options
Shared Services (DHCP, AAA, etc) with Border
B B APIC
EM
B B APIC
EM
11
LISP BGP DMVPN
C
B
B iWAN 2.x
12
C
B
B iWAN 2.x
12
11
SGT in VXLAN SGT Tagging SGT in DMVPN
C
B
B iWAN 2.x
12
LISP VRF-LITE
Viptela Control Plane VRF-LITE
LISP
WAN App
C Border vEdge
vEdge Border C
B B B
B
SD-WAN
DNA Center
DATA+POLICY PLANE
19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 65
Multiple Fabric Domains Connectivity with Border
Border Deployment Options
Multiple Fabric Domains
B B B B
VRF- LITE
11
LISP BGP/IGP LISP
B B B B
12
VXLAN VRF-LITE/IP/MPLS VXLAN
B B B B
12
SGT in VXLAN SGT Tagging/SXP SGT in VXLAN
B B B B
CONTROL-PLANE
1
LISP DMVPN/GRE LISP
c c
B B B B
IP Network
DATA+POLICY-PLANE
12
VXLAN+SGT IP+SGT inline tagging VXLAN+SGT
11 LISP LISP
c c
B N7K
B B
DATA+POLICY-PLANE
C9K
IOS-XE 16.8
East Site
West Site
Transit Site
Control Plane
Edge
West site Prefixes Only East + West East site Prefixes Only
West Site
Transit Site East Site
BR-W BR-E
Control Plane
Border Router
Edge
B
B
B
Firewall
CONTROL-PLANE
1
LISP BGP/IGP
B
B
B
Firewall
DATA-PLANE
2
VXLAN VRF-LITE
B
B
B
Firewall
POLICY-PLANE
3
SGT in VXLAN SGT in-line Tagging
B
B
B
Firewall
B SXP/PXGRID
B
B
Firewall
CONTROL-PLANE
BGP/IGP
1 LISP
B
ACI Fabric
Border
Map Server B
Border
SDA Fabric Border Leaf’s
DATA-PLANE
2
VXLAN+SGT VRF-LITE
EXT- EXT-
EPG1 EPG3
VM1
DB DB
SG-FW
SG-ACL
Contract
ISE
SD-Access Policy Domain ACI Policy Domain
ISE Retrieves:
Controller Layer
ISE Exchanges:
Controller Layer
EPG Name:
SGT PCI EPGAuditor
Name:
EPG Binding = 10.1.100.52
SGT Binding = 10.1.10.220
PCI EPG
EPG Name = Auditor 10.1.100.52
Groups= 10.1.10.220
Network Layer
Network Layer
NEW
AIR-CT8540 CDB
ASR-1000-HX NEW
Catalyst 9500
AIR-CT3504
ISR 4430 NEW
3560-CX
BRKCRS-
NEW
2811 Wave 2 APs (1800,2800,3800)
Catalyst 4500E Catalyst 6800 Nexus 7700 ISR 4450
IE (2K/3K/4K/5K)
Catalyst 3650 and 3850 ISRv/CSRv Wave 1 APs* (1700,2700,3700)
* with Caveats
19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia 89
The First Step…
#NewEra
#CiscoDNA
#NetworkIntuitive