Fusion Border SDN

BRKCRS-2821

Cisco SD-Access
Connecting to the Data Center, Firewall,
WAN and More !

Satish Kondalam
Technical Marketing Engineer
Session Abstract
This session introduces best practices for design and deployment when connecting from the fabric to external networks, along with decision criteria for the different deployment models. The Cisco SD-Access Border node is responsible for connecting the fabric to the rest of the world, so we focus on the connectivity models the border node provides and discuss the various designs along with scale and platform support. We also include a demo for every design and deployment model discussed in the presentation. This session focuses on how the Cisco SD-Access architecture connects your campus to the following, and how end-to-end policy is enforced between them:
• Integration between Cisco SD-Access (campus network) and Cisco SD-WAN (Viptela)
• Data center (ACI and non-ACI)
• Internet
• Remote branches and cloud across a WAN/Metro network
• Layer 4 to 7 service integration for the fabric network, etc.

BRKCRS-2821 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Sessions are available Online @ CiscoLive.com

Cisco Software-Defined Access


Cisco Live Barcelona - Session Map (Tuesday Jan 29 to Friday Feb 01; this session, BRKCRS-2821, is marked "You Are Here")

• BRKCRS-2821 SD-Access Integration
• BRKCRS-2825 SD-Access Scale
• BRKCRS-2812 SD-Access Migration
• BRKCLD-2412 Cross-Domain Policy
• BRKCRS-3811 SD-Access Policy
• BRKCRS-2810 SD-Access Solution
• BRKCRS-1449 ISE & SD-Access
• BRKCRS-1501 Validated Design
• BRKCRS-3810 SD-Access Deep Dive
• BRKCRS-2815 Connect SD-Access Sites
• BRKCRS-2814 SD-Access Assurance
• BRKARC-2020 Troubleshoot SD-Access
• LTRACI-2636 ACI + SD-Access Lab
• LTRCRS-2810 SD-Access Lab
• BRKEWN-2021 SD-Access Demo
• BRKEWN-2020 SD-Access Wireless
Session Goals
• This session assumes a basic understanding of Cisco SD-Access; it is recommended that you attend BRKCRS-2810 before this one.
• To provide an understanding of the Cisco SD-Access Border architecture and the external integration between Cisco SD-Access (campus network) and SD-WAN (Viptela network), the data center (ACI and non-ACI), the Internet, remote branches and cloud across a WAN/Metro network, and Layer 4 to 7 service integration for the fabric network.

Agenda
• Introduction to Cisco SD-Access
• Fabric Roles and Constructs
• Large & Medium Enterprise Network Design
  • Traditional vs Cisco SD-Access Network Design
  • Border Design Options
• Border Connectivity Models
  • Connecting to Internal networks like DC & WAN
  • Connecting to external networks like Internet & Cloud
• Small Enterprise Network Design
  • Traditional vs Cisco SD-Access Network Design
  • Border Design Options
• Cisco SD-Access Demo for Border Design
• Conclusion
Fabric Roles and
Constructs
Cisco SD-Access
Fabric Roles & Terminology

• Cisco DNA Center
  • Cisco DNA Automation – provides simple GUI management and intent based automation (e.g. NCP) and context sharing
  • Cisco DNA Assurance – Data Collectors (e.g. NDP) analyze Endpoint to App flows and monitor fabric status
• Identity Services – NAC & ID Systems (e.g. ISE) for dynamic Endpoint to Group mapping and Policy definition
• Control-Plane Nodes – Map System that manages Endpoint to Device relationships
• Fabric Border Nodes – A Fabric device (e.g. Core) that connects External L3 network(s) to the SDA Fabric
• Fabric Edge Nodes – A Fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SDA Fabric
• Fabric Wireless Controller – A Fabric device (WLC) that connects APs and Wireless Endpoints to the SDA Fabric

Figure: Cisco DNA Center (NCP, NDP, ISE) above a campus fabric with Fabric Border Nodes (B), Control-Plane Nodes (C), a Fabric Wireless Controller, Intermediate Nodes (Underlay) and Fabric Edge Nodes.
Cisco SD-Access
Fabric Terminology

Figure: an Overlay Network (with its Overlay Control Plane) carried in Encapsulation between Edge Devices over an Underlay Network (with its Underlay Control Plane); Hosts (End-Points) attach to the Edge Devices.
Cisco SD-Access Fabric
Control-Plane Nodes – A Closer Look

Control-Plane Node runs a Host Tracking Database to map location information

• A simple Host Database that maps Endpoint IDs to a current Location, along with other attributes
• Host Database supports multiple types of Endpoint ID lookup types (IPv4, IPv6 or MAC)
• Receives Endpoint ID map registrations from Edge and/or Border Nodes for “known” IP prefixes
• Resolves lookup requests from Edge and/or Border Nodes, to locate destination Endpoint IDs

Figure: Control-Plane node (C) and Border nodes (B B) toward Known Networks and Unknown Networks.
Cisco SD-Access Fabric
Edge Nodes – A Closer Look

Edge Node provides first-hop services for Users / Devices connected to a Fabric

• Responsible for Identifying and Authenticating Endpoints (e.g. Static, 802.1X, Active Directory)
• Register specific Endpoint ID info (e.g. /32 or /128) with the Control-Plane Node(s)
• Provide an Anycast L3 Gateway for the connected Endpoints (same IP address on all Edge nodes)
• Performs encapsulation / de-encapsulation of data traffic to and from all connected Endpoints

Figure: Control-Plane node (C) and Border nodes (B B) toward Known Networks and Unknown Networks.
Cisco SD-Access Fabric
Border Nodes

Border Node is an Entry & Exit point for data traffic going Into & Out of a Fabric

There are 3 Types of Border Node!

• Rest of Company/Internal Border: used for “Known” Routes inside your company
• Outside World/External Border: used for “Unknown” Routes outside your company
• Anywhere/External + Internal Border: used for “Known” and “Unknown” Routes for your company

Figure: Control-Plane node (C) and Border nodes (B B) toward Known Networks and Unknown Networks.
Cisco SD-Access Fabric
Border Nodes – Rest of Company/Internal

Rest of Company/Internal Border advertises Endpoints to outside, and known Subnets to inside

• Connects to any “known” IP subnets available from the outside network (e.g. DC, WLC, FW, etc.)
• Exports all internal IP Pools to outside (as aggregate), using a traditional IP routing protocol(s).
• Imports and registers (known) IP subnets from outside, into the Control-Plane Map System except the default route.
• Hand-off requires mapping the context (VRF & SGT) from one domain to another.

Figure: Control-Plane node (C) and Border nodes (B B) toward Known Networks and Unknown Networks.
Cisco SD-Access Fabric
Border Nodes – Forwarding from Fabric to External Domain

Figure: Campus Bldg 1 (10.1.1.0/24, Edge RLOCs 1.1.1.1 and 1.1.2.1) and Campus Bldg 2 (10.3.0.0/24, Edge RLOCs 1.1.3.1 and 1.1.4.1) in the SDA Fabric; Control Plane nodes 5.1.1.1 and 5.2.2.2; Border 2.1.1.1 toward the external site 192.1.1.0/24.

1. Source host S (10.1.1.1) resolves the DNS Entry: D.abc.com A 192.1.1.1.
2. S sends 10.1.1.1 → 192.1.1.1; the packet arrives at Edge 1.1.1.1.
3. The Edge queries the Control Plane. Mapping Entry: EID-prefix 192.1.1.0/24, Locator-set 2.1.1.1, priority: 1, weight: 100 (D1). Path Preference is controlled by the Destination Site.
4. The Edge encapsulates 1.1.1.1 → 2.1.1.1 across the SDA Fabric, carrying 10.1.1.1 → 192.1.1.1 inside.
5. Border 2.1.1.1 de-encapsulates and forwards 10.1.1.1 → 192.1.1.1 into the external domain.
Cisco SD-Access Fabric
Border Nodes – Forwarding from External to Fabric Domain

Figure: same topology as the previous slide (Campus Bldg 1 10.1.1.0/24 and Bldg 2 10.3.0.0/24, Edges 1.1.1.1, 1.1.2.1, 1.1.3.1, 1.1.4.1, Control Plane nodes 5.1.1.1 and 5.2.2.2, Border 2.1.1.1, external site 192.1.1.0/24).

1. Routing Entry in the external domain: send traffic for the fabric prefixes to the exit point of the domain (Internal Border).
2. The external host (192.1.1.1) sends 192.1.1.1 → 10.1.1.1; the packet arrives at Border 2.1.1.1.
3. The Border queries the Control Plane. Mapping Entry: EID-prefix 10.1.1.1/32, Locator-set 1.1.1.1, priority: 1, weight: 100 (D1). Path Preference is controlled by the Destination Site.
4. The Border encapsulates 2.1.1.1 → 1.1.1.1 across the SDA Fabric, carrying 192.1.1.1 → 10.1.1.1 inside.
5. Edge 1.1.1.1 de-encapsulates and delivers 192.1.1.1 → 10.1.1.1 to the destination host D.
Cisco SD-Access Fabric
Border Nodes – Outside World/External

Outside World/External Border is a “Gateway of Last Resort” for any unknown destinations

• Connects to any “unknown” IP subnets, outside of the network (e.g. Internet, Public Cloud)
• Exports all internal IP Pools outside (as aggregate) into traditional IP routing protocol(s).
• Does NOT import any routes! It is a “default” exit, if no entry is available in Control-Plane.
• Hand-off requires mapping the context (VRF & SGT) from one domain to another.

Figure: Control-Plane node (C) and Border nodes (B B) toward Known Networks and Unknown Networks.
Cisco SD-Access Fabric
Border Nodes – Forwarding from Fabric to External Domain (External Border)

Figure: Campus Bldg 1 (10.2.0.0/24) and Campus Bldg 2 (10.3.0.0/24) with Edges 1.1.1.1, 1.1.2.1, 1.1.3.1 and 1.1.4.1; Control Plane nodes 5.1.1.1 and 5.2.2.2; External Border 3.1.1.1 toward the INTERNET (193.3.0.0/24).

1. Source host S (10.2.0.1) sends 10.2.0.1 → 193.3.0.1; the packet arrives at Edge 1.1.2.1.
2. Map-cache miss: EID-Prefix not found. Mapping Entry: Locator-Set (use-petr) 3.1.1.1, priority: 1, weight: 100 (D1).
3. The Edge encapsulates 1.1.2.1 → 3.1.1.1 across the SDA Fabric, carrying 10.2.0.1 → 193.3.0.1 inside.
4. Border 3.1.1.1 de-encapsulates and forwards 10.2.0.1 → 193.3.0.1 to the destination D on the Internet.
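The three forwarding slides above describe one lookup procedure: the Edge asks the Control-Plane for the destination EID, a hit returns a locator-set (the Internal Border's RLOC for an imported subnet, or an Edge RLOC for a registered /32), and a miss falls back to the PETR, which is the External Border. The Python model below is an added example, not code from the deck or from any Cisco product; it reproduces that lookup with the RLOCs and prefixes from the slides (1.1.1.1, 1.1.2.1, 2.1.1.1, 3.1.1.1, 10.1.1.1, 10.2.0.1, 192.1.1.0/24) and the rule that the default route is never registered. The priority/weight selection is the example's own simplification of LISP locator selection.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Locator:
    """One entry of a LISP locator-set: an RLOC with priority and weight."""
    rloc: str
    priority: int = 1   # lower value is preferred
    weight: int = 100   # load-share among locators of equal priority


@dataclass
class MapSystem:
    """Control-Plane Node host tracking database: EID prefix -> locator-set.

    Known prefixes are registered by Edge nodes (/32 hosts) and by Internal or
    Anywhere Borders (imported subnets). The default route is never registered;
    a lookup miss falls back to the PETR set, i.e. the External Border(s).
    """
    entries: dict = field(default_factory=dict)
    petr: list = field(default_factory=list)

    def register(self, eid_prefix: str, locators: list) -> None:
        net = ipaddress.ip_network(eid_prefix, strict=False)
        if net.prefixlen == 0:
            raise ValueError("default route is never imported into the Control-Plane")
        self.entries[net] = list(locators)

    def resolve(self, dst_ip: str):
        """Longest-prefix match; on a map-cache miss return ('use-petr', None, petr)."""
        ip = ipaddress.ip_address(dst_ip)
        hits = [net for net in self.entries if ip in net]
        if hits:
            best = max(hits, key=lambda n: n.prefixlen)
            return "map-cache", str(best), self.entries[best]
        return "use-petr", None, list(self.petr)


def pick_locator(locators: list) -> Locator:
    """Best (lowest) priority first; among equal priorities the highest weight wins."""
    if not locators:
        raise LookupError("no locator and no PETR configured: packet dropped")
    best_prio = min(loc.priority for loc in locators)
    return max((loc for loc in locators if loc.priority == best_prio), key=lambda loc: loc.weight)


def encapsulate(ms: MapSystem, itr_rloc: str, src_ip: str, dst_ip: str) -> dict:
    """What the encapsulating node (Edge, or Border on the return path) does for one packet."""
    how, prefix, locators = ms.resolve(dst_ip)
    rloc = pick_locator(locators).rloc
    return {"outer": (itr_rloc, rloc), "inner": (src_ip, dst_ip), "via": how, "prefix": prefix}


def slide_topology() -> MapSystem:
    """Registration state matching the forwarding slides (constructed for this example)."""
    ms = MapSystem(petr=[Locator("3.1.1.1")])            # External Border = PETR
    ms.register("10.1.1.1/32", [Locator("1.1.1.1")])     # host behind Edge 1.1.1.1
    ms.register("10.2.0.1/32", [Locator("1.1.2.1")])     # host behind Edge 1.1.2.1
    ms.register("192.1.1.0/24", [Locator("2.1.1.1")])    # subnet imported by Internal Border
    return ms


if __name__ == "__main__":
    ms = slide_topology()
    for itr, src, dst in [("1.1.1.1", "10.1.1.1", "192.1.1.1"),   # known: Internal Border
                          ("2.1.1.1", "192.1.1.1", "10.1.1.1"),   # return path: Edge RLOC
                          ("1.1.2.1", "10.2.0.1", "193.3.0.1")]:  # unknown: PETR
        print(encapsulate(ms, itr, src, dst))
```

The same lookup is what makes the later "Why Internal vs External Border" argument concrete: a destination that is not registered resolves to the PETR no matter where it physically sits, so a data center that is only reachable through the External Border is reached by a hairpin through it.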
Cisco SD-Access Fabric
Border Nodes – Anywhere/Internal + External Border

Anywhere/Internal + External Border is a single exit point for any known and unknown destinations

• Connects to any “unknown” IP subnets, outside of the network (e.g. Internet, Public Cloud), and to “known” IP subnets available from the outside network (e.g. DC, WLC, FW, etc.)
• Imports and registers (known) IP subnets from outside, into the Control-Plane Map System except the default route.
• Exports all internal IP Pools outside (as aggregate) into traditional IP routing protocol(s).

Figure: Control-Plane node (C) and a single Border node (B) toward both Known Networks and Unknown Networks.
Cisco SD-Access Fabric
Virtual Network – A Closer Look

Virtual Network maintains a separate Routing & Switching table for each instance

• Control-Plane uses Instance ID to maintain separate VRF topologies (“Default” VRF is Instance ID “4098”)
• Nodes add a VNID to the Fabric encapsulation
• Endpoint ID prefixes (Host Pools) are routed and advertised within a Virtual Network
• Uses standard “vrf definition” configuration, along with RD & RT for remote advertisement (Border Node)

Figure: Control-Plane node (C) and Border nodes (B B) toward Known/Unknown Networks; three Virtual Networks shown in the fabric: VN Campus, VN IOT, VN Guest.
Large and Medium
Enterprise Network Design
Traditional Network
Design
Cisco SD-Access Fabric
3-Tier Enterprise Network Design – Traditional Network

Fabric Role: Platform
• Access Node: Cat3K/9300; Cat4K/9400
• Distribution Node: Cat3K/9300; Cat4K/9500; Cat6K/9500
• Core Node: Cat6K/9500; N7K; ASR1K-HX
• Centralized WLC: 8540; 5520; x800 APs
• WAN HR/MC: ASR1K; ISR4K
• Internet Edge: ASR1K; ISR4K
• Data Center: N9K – NX-OS; N7K – NX-OS; N9K – ACI
• Security: ISE 2.3; ASA 55xx; Windows AD

Figure: Traditional VXLAN/ACI DC, Internet Edge with Guest WLCs, Internet, Centralized WLC (OTT), Shared Services, WAN, Campus Core, WAN Edge, Distribution Nodes, Access Nodes, and Large/Small Hybrid WAN Sites.
Cisco SD-Access Fabric
Large Enterprise Network Design – Traditional Network

Role: Platform
• Access Node: Cat3K/9300; Cat4K/9400
• Collapsed Core: Cat6K/9500; N7K
• Centralized WLC: 5520; 3504; x800 APs
• WAN HR/MC: ASR1K; ISR4K
• Data Center: N9K – NX-OS; N7K – NX-OS; N9K – ACI
• Security: ISE 2.3; ASA 55xx; Windows AD

Figure: Traditional VXLAN/ACI DC Fabric, Internet Edge with Guest WLCs, Internet, Centralized WLC (OTT), Shared Services, WAN, Collapsed Core, WAN Edge, Access Nodes, Small Hybrid WAN Site, Small Internet WAN Site and Large Hybrid WAN Site.
Cisco SD-Access
Network Design
Cisco SD-Access Fabric
Large Enterprise Network Design – Cisco SD-Access Network

Fabric Role: Platform
• Access Node: Cat3K/9300; Cat4K/9400
• Distribution Node: Cat3K/9300; Cat4K/9500; Cat6K/9500
• Core Node: Cat6K/9500; N7K; ASR1K-HX
• Centralized WLC: 8540; 5520; x800 APs
• WAN HR/MC: ASR1K; ISR4K
• Internet Edge: ASR1K; ISR4K
• Data Center: N9K – NX-OS; N7K – NX-OS; N9K – ACI
• Security: ISE 2.3; ASA 55xx; Windows AD

Figure: the same enterprise as the traditional design, but the campus is now a FABRIC and a Fusion Router sits between the fabric and the WAN Edge, Internet Edge, Traditional VXLAN/ACI DC and Shared Services; Centralized WLC (OTT), Access Nodes and Large/Small Hybrid WAN Sites as before.
Cisco SD-Access Fabric
Large Enterprise Network Design – Cisco SD-Access Network

Figure build (the same design and platform table repeated over four slides, adding the fabric roles step by step): first the FABRIC with its Control-Plane node (C); then the DC & Internet Border toward the Traditional VXLAN/ACI DC and the Internet Edge; then the WAN Border toward the Fusion Router and the WAN; finally the Guest Border toward the Internet Edge.
Border Connectivity
Models
Connectivity to external
networks in the
traditional design
Cisco SD-Access Fabric
Large Enterprise Network Design – Traditional Network

1. Data Center routes are advertised to the Campus Core via the DC Edge switch via BGP/IGP. The campus core imports those routes into the enterprise network.
2. The default route for the Internet is advertised to the Campus Core via the Internet Firewall. The campus core in return advertises the route to the enterprise network.
3. WAN routes are advertised to the Campus Core via the WAN Edge router via BGP/IGP. The campus core imports those routes into the enterprise network.
4. The Guest Anchor WLC in the DMZ is responsible for guest wireless traffic, since the guest traffic from the enterprise network is directly anchored to it.

Figure: Traditional VXLAN/ACI DC Fabric, Internet Edge with Guest WLCs, Internet, Centralized WLC (OTT), Shared Services, WAN, Collapsed Core, WAN Edge, Access Nodes, and Small/Large Hybrid WAN Sites; each numbered step is marked at the corresponding hand-off.
Connectivity to external
networks in the Cisco
SD-Access design
using the Border Node
Cisco SD-Access Fabric
Large Enterprise Network Design – Cisco SD-Access Network

1. The Data Center and Internet Border needs to be an Anywhere/Internal + External Border, as it has to import the DC routes into the fabric through the fusion router.
2. The Data Center and Internet Border needs to be an Anywhere/Internal + External Border also because it is the default exit point out of the fabric, aka the “default route”.
3. The WAN Border needs to be a Rest of the Company/Internal Border, as it has to import the WAN routes into the fabric.
4. There is a separate Guest Border in the fabric for Guest VN traffic only. This Border needs to be an Outside World/External Border, as it is the default exit point out of the fabric (the “default route”) for the Guest VN.

Figure: Traditional VXLAN/ACI DC Fabric, Internet Edge, Internet, Centralized WLC (OTT), Shared Services, WAN, Fusion Router, WAN Edge, the FABRIC with its Control-Plane node (C), DC & Internet Border, WAN Border, Guest Border, Access Nodes, and Large/Small Hybrid WAN Sites; each numbered step is marked at the corresponding border.
Why Internal (Rest of
Company) vs External
(Outside World) Border
Cisco SD-Access - Border Deployment
Why? Internal Traffic with External Borders

• ALL non-fabric traffic MUST travel to the External (Default) Border.
• If other internal domains (e.g. WAN or DC) are only reachable via the same IP network, traffic may follow a sub-optimal path (e.g. hairpin).

Figure: Edge Node → External Border (B) → IP Network → Internet; the WAN Edge (WAN/Branch) and the DC Edge (Data Center) hang off that same IP Network.
Cisco SD-Access - Border Deployment
Why? Internal Traffic with Internal Borders

• Traffic to internal domains will go directly to the Internal Borders.
• Any external traffic (e.g. Internet) can still exit via the External Border.

Figure: Edge Node → External Border (B) → IP Network → Internet; separate Internal Borders (B) connect directly to WAN/Branch and to the Data Center.
For more details: cs.co/sda-compatibility-matrix

Cisco SD-Access Platforms
Fabric Control Plane

• Catalyst 9300: 1/mG RJ45; 10/25/40/mG NM
• Catalyst 9400: Sup1/Sup1XL; 9400 Cards
• Catalyst 9500: 40/100G QSFP; 1/10/25G SFP
• Catalyst 3K: Catalyst 3650/3850; 1/mG RJ45; 1/10G SFP; 1/10/40G NM Cards
• Catalyst 6K: Catalyst 6500/6800; Sup2T/Sup6T; C6800 Cards; C6880/6840-X
• ISR 4K & ENCS: ISR 4430/4450; ISR 4330/4450; ENCS 5400; ISRv / CSRv
• ASR1K: ASR 1000-X; ASR 1000-HX; 1/10G RJ45; 1/10G SFP

Cisco SD-Access Platforms
Fabric Border Node

• Catalyst 9300: 1/mG RJ45; 10/25/40/mG NM
• Catalyst 9400: Sup1/Sup1XL; 9400 Cards
• Catalyst 9500: 1/10/25G SFP; 40/100G QSFP
• Catalyst 3K: Catalyst 3650/3850; 1/mG RJ45; 1/10G SFP; 1/10/40G NM Cards
• Catalyst 6K: Catalyst 6500/6800; Sup2T/Sup6T; C6800 Cards; C6880/6840-X
• Nexus 7K (* EXTERNAL ONLY): Nexus 7700; Sup2E; M3 Cards; LAN1K9 + MPLS
• ISR 4K: ISR 4300/4400; AppX (AX); 1/10G RJ45; 1/10G SFP
• ASR 1K: ASR 1000-X/HX; AppX (AX); 1/10G ELC/EPA; 40G ELC/EPA
Cisco SD-Access - Border Deployment
Fabric Border Scale

Fabric constructs per platform, in this order: Virtual Networks; SGT/DGT Table; SGACLs (Security ACEs); Control Plane Entries with Co-Located Border; IPv4 Fabric Routes; IPv4 Fabric Host Entries.

• Catalyst 3850-XS: 64 VNs; 4K SGT/DGT; 1500 SGACLs; 3K control-plane entries; 8K fabric routes; 16K host entries
• Catalyst 9300: 256 VNs; 8K SGT/DGT; 5K SGACLs; 16K control-plane entries; 4K fabric routes; 16K host entries
• Catalyst 9400: 256 VNs; 8K SGT/DGT; 18K SGACLs; control-plane entries SUP1 = 50K / SUP1XL = 80K; fabric routes SUP1 = 10K / SUP1XL = 20K; host entries SUP1 = 50K / SUP1XL = 80K
• Catalyst 9500: 256 VNs; 8K SGT/DGT; 18K SGACLs; 80K control-plane entries; 48K fabric routes; 96K host entries
• Catalyst 9500H: 256 VNs; 8K SGT/DGT; 18K SGACLs; 80K control-plane entries; 48K fabric routes; 96K host entries
• Catalyst 6800: 500 VNs; 30K SGT/DGT; 16K SGACLs (30K on XL); 25K control-plane entries; 256K fabric routes (1M on XL); 32K host entries
• Nexus N7700: 500 VNs; 16K SGT/DGT; 12K SGACLs; co-located control plane Not Supported; 4M fabric routes; host entries not listed
• ASR1K / ISR4K: 4K VNs; 62K SGT/DGT; 64K SGACLs; control-plane entries 200K / 100K (16GB), 100K / 50K (8GB); fabric routes 500K (16GB), 1M (8GB); host entries not listed
• CSR1Kv: VNs n.a.; SGT/DGT n.a.; SGACLs n.a.; 200K control-plane entries; fabric routes n.a.; host entries not listed
Cisco SD-Access Fabric
Large Enterprise Network Design – Cisco SD-Access Network

Figure: the complete design with all three border types in place: the Guest Border toward the Internet Edge, the WAN Border toward the WAN via the Fusion Router, and the DC & Internet Border toward the Traditional VXLAN/ACI DC Fabric and the Internet; plus the Control-Plane node (C), Centralized WLC (OTT), Shared Services, Access Nodes and Large/Small Hybrid WAN Sites.
Cisco SD-Access - Border Deployment
Which Border to pick?

• Outside World (External): connects to the unknown part of the company, like the Internet, or is the only exit point from the fabric.
• Rest of Company (Internal): connects to the known part of the company, like DC, WAN, etc.
• Anywhere (Internal + External): connects to the Internet and also to the known part of the company, like DC, WAN, etc.
Cisco SD-Access - Border Deployment
Fabric Border Support Matrix

SDA Border Node   Rest of Company (Internal)   Outside World (External)   Anywhere (Internal + External)
C9K               YES                          YES                        YES
ASR1K/ISR4K       YES                          YES                        YES
C6K               YES                          YES                        YES
N7K               NO                           YES                        NO
Cisco SD-Access – Border Deployment
How VNs work in SD-Access

• Fabric Devices (Underlay) connectivity is in the Global Routing Table
• INFRA_VN is only for Access Points and Extended Nodes in GRT
• DEFAULT_VN is an actual “User VN” provided by default
• User-Defined VNs can be added or removed on-demand

Figure (Scope of Fabric, top to bottom, all handed off at the Border): User-Defined VN(s) → USER VRF(s); User VN (for Default) → DEFAULT_VN; VN (for APs, Extended Nodes) → INFRA_VN; Devices (Underlay) → GRT.
Connectivity to Known
Networks like DC &
WAN via the
Anywhere/Rest of
Company Border
Cisco SD-Access Fabric
Large Enterprise Network Design – Cisco SD-Access Network

Figure: the FABRIC (Control-Plane node C, Access Nodes, Large/Small Hybrid WAN Sites) connecting through the Fusion Router to the Traditional VXLAN/ACI DC Fabric, Shared Services, Centralized WLC (OTT) and the WAN, via the DC & Internet Border and the WAN Border.
Border Deployment Options
Anywhere/Rest of Company for Shared Services and DC – VRF LITE

Figure: CONTROL-PLANE: LISP (fabric, Control-Plane node C and Borders B B) | BGP (Border to Fusion Router) | BGP/IGP/ACI (Fusion Router to Shared Services and Data Center). DATA-PLANE: VXLAN (fabric) | VRF-LITE (Border to Fusion Router) | IP/MPLS/ACI (Shared Services and Data Center).
Border Deployment Options
Anywhere/Rest of Company Border WAN Connectivity

Figure: CONTROL-PLANE: LISP (fabric) | OMP/MP-BGP/IGP (WAN). DATA-PLANE: VXLAN (fabric) | MPLS/IP/IPSEC/DMVPN (WAN). The Border (B) and Control-Plane (C) nodes on each side hand off into the WAN.
Cisco SD-Access Fabric
Border Nodes – One Box vs. Two Box

One Box Design (a single Border device carries both the IN and the OUT side)
• Internal and External domain routing is on the same device
• Simple design, without any extra configurations between the Border and outside routers
• The Border device will advertise routes to and from the Local Fabric domain to the External Domain

Two Box Design (the Border on one device, the external-domain router on another)
• Internal and External domain routing are on different devices
• Requires two Devices with BGP in between to exchange connectivity and reachability information
• This model is chosen if the Border does not support the functionality to run the external domain on the same device (this can be due to hardware or software support on the device), e.g. DMVPN, EVPN, etc.
Border Deployment Options
Anywhere/Rest of Company Border

Cisco DNA Center border hand-off workflow (screenshot labels: CORE, San_Jose, SJC22, 16.6.2):
1. Select the Border Node role
2. Select the Connection type
3. Select the Layer 3 hand off
4. Select the Type of Hand Off
5. Select Subnet for Hand off
6. Select the External Interface(s)
7. Select Remote AS
8. Select VRF advertisement *
Border Deployment Options
Shared Services (DHCP, AAA, etc.) with Border

• Hosts in the fabric domain (in their respective Virtual Networks) will need to have access to common “Shared Services”:
  • Identity Services (e.g. AAA/RADIUS)
  • Domain Name Services (DNS)
  • Dynamic Host Configuration (DHCP)
  • IP Address Management (IPAM)
  • Monitoring tools (e.g. SNMP)
  • Data Collectors (e.g. Netflow, Syslog)
  • Other infrastructure elements
• These shared services will generally reside outside of the fabric domain.
Border Deployment Options
Shared Services (DHCP, AAA, etc.) with Border

Figure: fabric Border nodes (B B) and Control-Plane node (C) connect through the Fusion Router to the Shared Services, held in a VRF or in the GRT: APIC-EM, DHCP/DNS, Identity Service.
Border Deployment Options
Shared Services (DHCP, AAA, etc.) with Border

A Cisco SD-Access Border connecting the External Domain with the existing Global Routing Table should use a “Fusion” router with MP-BGP & VRF import/export.

Figure: Edge Node (SVI A / VRF A, SVI B / VRF B, ISIS) → Border Node (GRT/VRF; BGP address families AF VRF A, AF VRF B, AF IPv4) → Fusion Router (MP-BGP) → External Domain; Control-Plane node (C) in the fabric.

Fusion router VRF configuration shown on the slide:

  ip vrf USERS
   rd 1:4099
   route-target export 1:4099
   route-target import 1:4099
   route-target import 1:4097
  !
  ip vrf DEFAULT_VN
   rd 1:4098
   route-target export 1:4098
   route-target import 1:4098
   route-target import 1:4097
  !
  ip vrf GLOBAL
   rd 1:4097
   route-target export 1:4097
   route-target import 1:4097
   route-target export 1:4099
   route-target export 1:4098
Border Deployment Options
Shared Services (DHCP, AAA, etc.) with Border in dedicated VRF

Figure: Host Pool 10 (10.1.1.0/24, gateway 10.1.1.1/24) → Edge Node 1 (1.1.1.1/32) → Border Node (2.1.1.1/32) → BGP → Fusion Router (192.1.1.1/24) → BGP → IP Network → Shared Services in GRT (172.10.10.0/24); Control-Plane Node 5.1.1.1/32.

• The Shared Services are in the Global routing table
• Will form a routing adjacency using the Global routing table to the fusion router
• On the Campus Fabric side we will form a routing adjacency using the VRF table of the EID space from border to fusion router
• Fusion router will merge GRT to VRF using the import/export maps

Fusion router configuration shown on the slide:

  ip vrf User 1
   rd 1:1
   route-target export 1:1
   route-target import 1:1
   import ipv4 unicast map GRT to VRF
  !
  ip vrf User 2
   rd 2:2
   route-target export 2:2
   route-target import 2:2
   import ipv4 unicast map GRT to VRF
  !
  ip vrf Services
   rd 3:3
   route-target export 3:3
   route-target import 3:3
   export ipv4 unicast map VRF User 1 to GRT
   export ipv4 unicast map VRF User 2 to GRT
Border Deployment Options
Shared Services (DHCP, AAA, etc.) with Border in dedicated VRF

Figure: Host Pool 10 (10.1.1.0/24, gateway 10.1.1.1/24) → Edge Node 1 (1.1.1.1/32) → Border Node (2.1.1.1/32) → BGP → Fusion Router (192.1.1.1/24) → BGP → IP Network → Shared Services in VRF (172.10.10.0/24); Control-Plane Node 5.1.1.1/32.

• The Shared Services are in a unique dedicated VRF of their own.
• Will form a routing adjacency in each Address Family.
• Use route-target import / export (leaking) to “share” routes
• An external Fusion router is used to exchange routes from the VRFs in the Campus fabric to the Services VRF.

Fusion router configuration shown on the slide:

  ip vrf User 1
   rd 1:1
   route-target export 1:1
   route-target import 1:1
   route-target import 3:3
  !
  ip vrf User 2
   rd 2:2
   route-target export 2:2
   route-target import 2:2
   route-target import 3:3
  !
  ip vrf Services
   rd 3:3
   route-target export 3:3
   route-target import 3:3
   route-target export 1:1
   route-target export 2:2
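The two shared-services slides rely on MP-BGP route-target semantics: a prefix is exported from its VRF tagged with that VRF's export RTs, and every VRF whose import RT set intersects those tags receives it, optionally filtered by an import map. The Python model below is an added example, not code from the deck or from IOS; it evaluates an RT scheme for the "dedicated VRF" design and checks the security property that matters at the fusion router: each user VRF reaches the Services VRF, the Services VRF reaches both users (for return routes), and the two user VRFs never see each other's prefixes. The RT assignments are this example's own (in particular the Services VRF imports 1:1 and 2:2 so that return routes exist); 10.1.1.0/24 and 172.10.10.0/24 are taken from the slide, 10.2.0.0/24 is constructed.

```python
from dataclasses import dataclass


@dataclass
class Vrf:
    """One VRF on the fusion router: RD, exported and imported route-targets, the
    prefixes it holds locally, and an optional import map (prefix, origin_vrf) -> bool."""
    name: str
    rd: str
    export_rts: frozenset
    import_rts: frozenset
    local: tuple = ()
    import_map: object = None


@dataclass(frozen=True)
class VpnRoute:
    rd: str
    prefix: str
    rts: frozenset
    origin: str


def vpnv4_table(vrfs):
    """MP-BGP VPNv4 table: every locally held prefix, once per VRF, tagged with
    that VRF's export route-targets. Imported routes are not re-exported."""
    return [VpnRoute(v.rd, p, v.export_rts, v.name) for v in vrfs for p in v.local]


def vrf_rib(vrf, table):
    """Routes a VRF ends up with: its own, plus any VPNv4 route carrying at least one
    of its import RTs that also passes the import map (if one is configured)."""
    rib = {p: vrf.name for p in vrf.local}
    for r in table:
        if r.origin == vrf.name or not (r.rts & vrf.import_rts):
            continue
        if vrf.import_map is not None and not vrf.import_map(r.prefix, r.origin):
            continue
        rib[r.prefix] = r.origin
    return rib


def leak(vrfs):
    """Resolve the whole fusion router: {vrf name: {prefix: originating vrf}}."""
    table = vpnv4_table(vrfs)
    return {v.name: vrf_rib(v, table) for v in vrfs}


def isolated(ribs, a, b):
    """True when neither VRF holds a prefix that originated in the other."""
    return all(o != b for o in ribs[a].values()) and all(o != a for o in ribs[b].values())


def shared_services_vrfs(user1_extra_import=frozenset()):
    """RT scheme for 'shared services in a dedicated VRF' (this example's own values).
    user1_extra_import lets a test inject a misconfiguration such as importing 2:2."""
    user1 = Vrf("User1", "1:1", frozenset({"1:1"}),
                frozenset({"1:1", "3:3"}) | user1_extra_import, ("10.1.1.0/24",))
    user2 = Vrf("User2", "2:2", frozenset({"2:2"}),
                frozenset({"2:2", "3:3"}), ("10.2.0.0/24",))
    services = Vrf("Services", "3:3", frozenset({"3:3"}),
                   frozenset({"3:3", "1:1", "2:2"}), ("172.10.10.0/24",),
                   # import map: accept only campus (10.0.0.0/8) prefixes from the user VRFs
                   import_map=lambda prefix, origin: prefix.startswith("10."))
    return [user1, user2, services]


if __name__ == "__main__":
    for name, rib in leak(shared_services_vrfs()).items():
        print(name, rib)
    print("users isolated:", isolated(leak(shared_services_vrfs()), "User1", "User2"))
```

The `isolated` check is the one worth automating against a real fusion router's VRF definitions: an extra `route-target import` on a user VRF is enough to collapse the segmentation the fabric VNs were meant to provide, and nothing on the fabric side would show it.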
Border Deployment Options
Data Center Connectivity With Border – Traditional DC

Diagram: Fabric border nodes (B, B) – Fusion Router – Traditional Data Center (switches S1–S5).
1. CONTROL-PLANE: LISP inside the fabric; BGP/IGP between border, fusion router and data center.
2. DATA-PLANE: VXLAN+SGT inside the fabric; VRF-Lite from the border towards the data center.
Border Deployment Options
Policy Options for Shared Services and Traditional Data Center

Diagram: Host Pool 10 (10.1.1.0/24) – Edge Node 1 – Border Node – BGP – Fusion Router – BGP – IP Network – Shared Services / Data Center (172.10.10.0/24); Control-Plane Node (5.1.1.1/32). Node addresses shown: 10.1.1.1/24, 1.1.1.1/32, 2.1.1.1/32, 192.1.1.1/24.

• Destination IP subnets are statically mapped to SGTs in ISE.
• SXP from ISE to the fusion router downloads the IP-to-SGT bindings for the destination IP subnets.
• SGACLs are enforced at the fusion router.
Border Deployment Options
Data Center Connectivity With Border – VXLAN/ACI Fabric

Diagram: Fabric border nodes (B, B) – Fusion Router – ACI Fabric (Border Leafs).
1. CONTROL-PLANE: LISP inside the fabric; BGP/IGP between border, fusion router and ACI border leafs.
2. DATA-PLANE: VXLAN+SGT inside the fabric; VRF-Lite from the border towards the ACI fabric.
Border Deployment Options
Data Center Connectivity With Border – ACI Fabric

Diagram: Border – Fusion Router – ACI Fabric (Border Leafs). VN to VRF mapping on the border: User-Defined VN(s) → USER VRF(s); User VN (for Default) → DEFAULT_VN; VN (for APs, Extended Nodes) → INFRA_VN; Devices (Underlay) → GRT.

Fusion router VRF definitions shown on the slide:

ip vrf CAMPUS
 rd 1:4099
 route-target export 1:4099
 route-target import 1:4099
 route-target import 1:4098
!
ip vrf ACI
 rd 1:4098
 route-target export 1:4098
 route-target import 1:4098
 route-target import 1:4097

• The SD-Access border merges VRFs A, B, C and so on into a common VRF D using a fusion router.
• The common VRF D connects to the ACI VRF on the other side.
• Access-lists/distribute-lists are needed on the fusion router to ensure that VRFs A, B and C do not talk to each other. This can also be achieved using VRF import and export maps.
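The route-target leaking on the fusion router (both the dedicated Services VRF design and the common VRF towards ACI above) is easy to get subtly wrong: one stray import line and two user VNs that must stay segmented start exchanging routes. The following checker is an added example, not code from the BRKCRS-2821 deck or any Cisco tool. It parses IOS-style "ip vrf" / "vrf definition" stanzas, applies the route-target rule (a route exported with RT T lands in every other VRF that imports T) and reports which VRF receives whose routes. The sample configurations are constructed for the example; route-maps named by "import/export ipv4 unicast map" are recorded but assumed to permit everything, so the result is the worst case for leakage.

```python
"""Route-target leak checker for fusion-router VRF stanzas (added example)."""
import re

# Constructed sample: "Shared Services in a dedicated VRF", hub-and-spoke.
FUSION_CONFIG = """
ip vrf User 1
 rd 1:1
 route-target export 1:1
 route-target import 1:1
 route-target import 3:3
!
ip vrf User 2
 rd 2:2
 route-target export 2:2
 route-target import 2:2
 route-target import 3:3
!
ip vrf Services
 rd 3:3
 route-target export 3:3
 route-target import 3:3
 route-target import 1:1
 route-target import 2:2
"""

# Constructed misconfiguration: one extra import on User 2 pulls in User 1's
# routes and silently breaks the segmentation between the two VNs.
BAD_CONFIG = FUSION_CONFIG.replace(
    "ip vrf User 2\n rd 2:2\n",
    "ip vrf User 2\n rd 2:2\n route-target import 1:1\n")


def parse_vrfs(config):
    """Return {vrf_name: {"rd", "import", "export", "maps"}}."""
    vrfs, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                      # blank or comment line
        m = re.match(r"^(?:ip vrf|vrf definition)\s+(.+)$", line)
        if m:
            current = m.group(1).strip()
            vrfs[current] = {"rd": None, "import": set(), "export": set(), "maps": []}
            continue
        if current is None:
            continue                      # not inside a VRF stanza
        m = re.match(r"^rd\s+(\S+)$", line)
        if m:
            vrfs[current]["rd"] = m.group(1)
            continue
        m = re.match(r"^route-target\s+(import|export|both)\s+(\S+)$", line)
        if m:
            kind, rt = m.groups()
            if kind in ("import", "both"):
                vrfs[current]["import"].add(rt)
            if kind in ("export", "both"):
                vrfs[current]["export"].add(rt)
            continue
        m = re.match(r"^(import|export)\s+ipv4\s+unicast\s+map\s+(.+)$", line)
        if m:                             # route-map contents are not modelled
            vrfs[current]["maps"].append((m.group(1), m.group(2).strip()))
    return vrfs


def leak_matrix(vrfs):
    """{source: set of other VRFs that import at least one of source's export RTs}."""
    matrix = {name: set() for name in vrfs}
    for src, sdef in vrfs.items():
        for dst, ddef in vrfs.items():
            if src != dst and sdef["export"] & ddef["import"]:
                matrix[src].add(dst)
    return matrix


def check_isolation(vrfs, isolated):
    """(a, b) pairs from `isolated` where b receives a's routes; empty list is good."""
    matrix = leak_matrix(vrfs)
    return [(a, b) for a in isolated for b in isolated if a != b and b in matrix[a]]


def is_bidirectional(vrfs, a, b):
    """True when a and b exchange routes in both directions."""
    matrix = leak_matrix(vrfs)
    return b in matrix[a] and a in matrix[b]


if __name__ == "__main__":
    for label, cfg in (("expected", FUSION_CONFIG), ("misconfigured", BAD_CONFIG)):
        vrfs = parse_vrfs(cfg)
        print(label, {k: sorted(v) for k, v in leak_matrix(vrfs).items()})
        print("  user-to-user leaks:", check_isolation(vrfs, ["User 1", "User 2"]))
```

Run against the expected configuration, check_isolation returns an empty list for the two user VRFs and is_bidirectional confirms User 1 and Services see each other; the misconfigured copy reports the User 1 to User 2 leak. The same check can be run on the CAMPUS/ACI stanzas to confirm that every user VN reaches the common VRF and nothing else.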
Primer - ACI Fabric Integrated VXLAN Overlay
Decoupled Identity, Location and Policy

Diagram: ACI Spine Nodes over ACI Leaf Nodes (VTEPs); frame format VTEP | VXLAN | IP | Payload.

• Forwarding within the fabric is between VTEPs (ACI VXLAN tunnel endpoints) and leverages an extended VXLAN header format referred to as the ACI VXLAN policy header.
• Any workload anywhere, consistent latency; the mapping of tenant MAC or IP address to location is performed by the VTEP using a distributed mapping database.
Primer: What is an L3Out?

Diagram: L3Outs container → specific L3Out → L3 interface on a Border Leaf Node → External EPG.

• An L3Out is a logical construct defined to allow L3 connectivity between the ACI fabric and the external network.
• One or more L3Outs can be defined for each given tenant.
• L3 interfaces are used on specific ACI devices (named Border Leaf nodes) to interconnect to the external routed network.
• The external routed domain is modeled with one (or more) External EPGs ('Networks').
• A security policy (contract) is required to allow communication between External and Internal EPGs.
Cisco SD-Access SGTs Provisioned in ACI

Diagram: ISE between the Cisco SD-Access Domain (border nodes B, B; Security Groups) and ACI (EXT-EPG1, EXT-EPG3: External (Outside Fabric) EPGs).

• ISE dynamically provisions SGTs and IP mappings (SXP service) into APIC-DC.
ACI EPGs Automatically Propagated into Cisco SD-Access

Diagram: ISE between the Cisco SD-Access Domain (border nodes B, B; Security Group from APIC-DC) and ACI (VM1 … VM25: Internal (Inside Fabric) EPGs).

• ISE dynamically learns EPGs and VM bindings from the ACI fabric and shares them to SXP.
Hardware and Software recommendations

ACI Fabric Hardware | ACI Software | ISE | APIC
Nexus 9K*           | 12.1         | 2.4 | 2.1

* – Please check release notes for latest information
* – (9396PX/TX, 9372PX/TX, 93120TX, 93128TX, 9736PQ LC, 9336PQ, 93108-EX, 93180-EX
Cisco SD-Access SGT Info Used in ACI Policies

Controller layer: ISE sits between the Cisco SD-Access Policy Domain and the ACI Policy Domain.
• ISE exchanges: SGT Name = Auditor, SGT Binding = 10.1.10.220.
• ISE retrieves: EPG Name = PCI EPG, EPG Binding = 10.1.100.52.
• In ACI: PCI EPG, EPG Name = Auditor 10.1.100.52, Groups = 10.1.10.220; SGT groups are available in ACI policies.

Network layer (packet SRC 10.1.10.220 → DST 10.1.100.52): Auditor host 10.1.10.220 – Cisco SD-Access (SGT: 5) – VRF-Lite – ACI Border Leaf (N9K) – ACI Spine (N9K) – ACI Leaf (N9K) – PCI EPG 17000, host 10.1.100.52.
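The policy option for shared services and a traditional data center (subnets statically mapped to SGTs in ISE, bindings pushed over SXP, SGACLs enforced on the fusion router) and the Auditor-to-PCI flow above come down to two lookups and a matrix check. The block below is an added example, not code from the BRKCRS-2821 deck or from any Cisco product; it models what the fusion router or firewall does once it holds the bindings. The Auditor host 10.1.10.220 (SGT 5) and the PCI server 10.1.100.52 are taken from the slide; the PCI SGT number, the other subnets and the SGACL matrix are constructed for the example and would in practice be whatever ISE distributes.

```python
"""IP-to-SGT binding lookup and SGACL evaluation at the fusion router (added example)."""
import ipaddress

UNKNOWN_SGT = 0  # SGT 0 = unknown / untagged traffic

# Constructed binding table as SXP would populate it: /32 host bindings learned
# from the fabric plus static subnet-to-SGT mappings for destination subnets.
BINDINGS = [
    ("10.1.10.220/32", 5),    # Auditor host (from the slide)
    ("10.1.10.0/24", 4),      # Employees subnet (constructed)
    ("10.1.100.0/24", 17),    # PCI servers, static subnet mapping (SGT constructed)
    ("172.10.10.0/24", 20),   # Shared Services (DHCP, AAA) (constructed)
]

# Constructed SGACL matrix keyed by (source SGT, destination SGT).
SGACL = {
    (5, 17): "permit",   # Auditor -> PCI
    (4, 17): "deny",     # Employees -> PCI
    (4, 20): "permit",   # Employees -> Shared Services
    (5, 20): "permit",   # Auditor -> Shared Services
}


def build_binding_table(bindings):
    """Parse prefixes and sort longest prefix first so the first hit wins."""
    table = [(ipaddress.ip_network(prefix), sgt) for prefix, sgt in bindings]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup_sgt(table, ip):
    """Longest-prefix match of ip against the binding table; unknown -> SGT 0."""
    addr = ipaddress.ip_address(ip)
    for net, sgt in table:
        if addr in net:
            return sgt
    return UNKNOWN_SGT


def evaluate(table, sgacl, src_ip, dst_ip, default="deny"):
    """Classify both ends and return (src_sgt, dst_sgt, action).

    Anything not listed in the matrix falls to `default`, which is deny here so
    an unknown (SGT 0) source never reaches a protected destination by accident.
    """
    src_sgt = lookup_sgt(table, src_ip)
    dst_sgt = lookup_sgt(table, dst_ip)
    return src_sgt, dst_sgt, sgacl.get((src_sgt, dst_sgt), default)


def enforce(table, sgacl, flows):
    """Evaluate (src_ip, dst_ip) pairs; returns log-style tuples for each flow."""
    return [(s, d, *evaluate(table, sgacl, s, d)) for s, d in flows]


if __name__ == "__main__":
    table = build_binding_table(BINDINGS)
    sample_flows = [                          # constructed traffic
        ("10.1.10.220", "10.1.100.52"),       # Auditor -> PCI server
        ("10.1.10.50", "10.1.100.52"),        # Employee -> PCI server
        ("10.1.10.50", "172.10.10.5"),        # Employee -> shared services
        ("192.168.99.1", "10.1.100.52"),      # unknown source -> PCI server
    ]
    for src, dst, src_sgt, dst_sgt, action in enforce(table, sgacl=SGACL, flows=sample_flows):
        print(f"{src:>14} (SGT {src_sgt:>2}) -> {dst:>14} (SGT {dst_sgt:>2}): {action}")
```

The longest-prefix sort is the detail that matters operationally: the /32 binding for the auditor must win over the /24 employee subnet it sits in, otherwise the auditor is classified as an employee and denied. Keeping the default at deny means a host whose binding never arrived over SXP (SGT 0) cannot reach the PCI subnet.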
Alternate Design Option for fusion Router

Border Deployment Options
Firewall as fusion router

Diagram: Fabric (control-plane node C, border nodes B, B) – Firewall – VRF/GRT with APIC-EM, DHCP/DNS, Identity Service, Shared Services/Data Center.
Border Deployment Options
Firewall as fusion router

Diagram: Fabric (control-plane node C, border nodes B, B) – Firewall; ISE connected to the firewall via SXP/pxGrid.
1. CONTROL-PLANE: LISP inside the fabric; BGP/IGP between border and firewall.
2. DATA-PLANE: VXLAN inside the fabric; VRF-Lite between border and firewall.
3. POLICY-PLANE: SGT in VXLAN inside the fabric; SGT in-line tagging between border and firewall. The firewall gets Group-Based Tags from ISE (SXP/pxGrid).
Cisco SD-Access Fabric
Large Enterprise Network Design – Cisco SD-Access Network

Diagram: FABRIC (Access Nodes, control-plane node C, Guest Border, WAN Border, DC & Internet Border) connected to: Traditional DC, VXLAN/ACI DC Fabric, Internet (via Firewall), Centralized WLC (OTT), WAN (Large Hybrid WAN Site, Small Hybrid WAN Site), Shared Services.
WAN Connectivity with Rest of Company / Internal Border

Border Deployment Options
WAN Connectivity with Border – WAN (MPLS/DMVPN)

Diagram: Fabric (control-plane node C, border nodes B, B) – WAN (MPLS/DMVPN or SD-WAN).
1. CONTROL-PLANE: LISP inside the fabric; MP-BGP/IGP towards the WAN.
2. DATA-PLANE: VXLAN inside the fabric; IPSEC/IP/MPLS across the WAN.
3. POLICY-PLANE: SGT in VXLAN inside the fabric; SGT in IPSEC/DMVPN across the SD-WAN.
Border Deployment Options
Policy Options for WAN Edge

Diagram: two SD-Access Fabric Sites (each with control plane node C and border router B) connected across the WAN, managed by Cisco DNA-Center.

Option 1 – SD-Access SGT in the data plane (IPSec/DMVPN WAN):
1. CONTROL-PLANE: LISP (fabric site) – MP-BGP (WAN) – LISP (fabric site)
2. DATA-PLANE: VXLAN header, SGT (16 bits), VNID (24 bits) – IPSec/DMVPN header, CMD-SGT (16 bits), VNID (24 bits) – VXLAN header, SGT (16 bits), VNID (24 bits)

Option 2 – SXP for IP-to-SGT bindings and SG-ACLs (MPLS WAN):
1. CONTROL-PLANE: LISP (fabric site) – MP-BGP (WAN) – LISP (fabric site)
2. DATA-PLANE: VXLAN header, SGT (16 bits), VNID (24 bits) – MPLS header, Labels, VRF (24 bits) – VXLAN header, SGT (16 bits), VNID (24 bits)
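The data-plane rows above show the two fields the fabric relies on for policy and segmentation: the 16-bit SGT and the 24-bit VNID inside the VXLAN header. The following encoder/decoder is an added example, not code from the BRKCRS-2821 deck or from Cisco; it uses the VXLAN-GPO (group policy) header layout from draft-smith-vxlan-group-policy, in which the Group Policy ID field carries the SGT, the G flag marks that field as valid and the I flag marks the VNI as valid. The VNI and SGT values used are constructed samples, and the "trusted port" logic is an assumption modelling why in-line tags from an unknown neighbour should be discarded rather than honoured.

```python
"""VXLAN-GPO header pack/unpack: SGT (16 bits) + VNID (24 bits) (added example).

Header layout (8 bytes):
  byte 0   : flags  G(0x80) . . . I(0x08) . . .
  byte 1   : policy flags  D(0x40) . . A(0x08) . . .
  bytes 2-3: Group Policy ID (the SGT)
  bytes 4-6: VNI (24 bits)
  byte 7   : reserved
"""
import struct

FLAG_G = 0x80       # Group Policy ID field is valid
FLAG_I = 0x08       # VNI field is valid (RFC 7348)
VXLAN_UDP_PORT = 4789


def pack_vxlan_gpo(vni, sgt):
    """Build the 8-byte header. G is set only when an SGT is actually carried."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    if not 0 <= sgt < (1 << 16):
        raise ValueError("SGT must fit in 16 bits")
    flags = FLAG_I | (FLAG_G if sgt else 0)
    return struct.pack("!BBHI", flags, 0, sgt, vni << 8)   # VNI occupies the top 24 bits


def unpack_vxlan_gpo(header):
    """Parse the header; the SGT is only believed when the G flag says it is valid."""
    if len(header) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    flags, _policy_flags, gpid, vni_reserved = struct.unpack("!BBHI", header[:8])
    if not flags & FLAG_I:
        raise ValueError("I flag not set: VNI field invalid")
    g_flag = bool(flags & FLAG_G)
    return {"vni": vni_reserved >> 8, "sgt": gpid if g_flag else 0, "g_flag": g_flag}


def ingress_sgt(header, port_trusted):
    """SGT to use for policy after decapsulation.

    Assumption for the example: a tag is only honoured from a port/neighbour the
    operator marked as trusted (the in-line tagging peer); anything else is
    treated as unknown (SGT 0) so a forged tag cannot buy access.
    """
    parsed = unpack_vxlan_gpo(header)
    return parsed["sgt"] if port_trusted else 0


if __name__ == "__main__":
    hdr = pack_vxlan_gpo(vni=4099, sgt=5)          # constructed sample values
    print(hdr.hex(), unpack_vxlan_gpo(hdr))
    print("trusted:", ingress_sgt(hdr, True), "untrusted:", ingress_sgt(hdr, False))
```

The decoder deliberately returns SGT 0 when the G flag is clear even if the Group Policy ID bytes are non-zero, matching the header's own validity rule; a policy engine fed by this decoder therefore never acts on stale bytes in a non-GPO packet.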
Connectivity to Unknown Networks like Internet via the Anywhere Border

Cisco SD-Access Fabric
Large Enterprise Network Design – Cisco SD-Access Network

Diagram: FABRIC (Access Nodes, control-plane node C, Guest Border, DC & Internet Border) – Fusion Router – Internet Edge – Internet.

Border Deployment Options
Anywhere Border for Internet – VRF LITE

Diagram: SDA Fabric (control-plane node C, border nodes B, B) – Fusion Router/Firewall – Internet.
CONTROL-PLANE: LISP (fabric) – BGP (border to fusion router/firewall) – BGP (towards the Internet).
DATA-PLANE: VXLAN (fabric) – VRF-Lite (border to fusion router/firewall) – IP (Internet).
Small Enterprise Network Design
Traditional Network Design

Cisco SD-Access Fabric
Small Enterprise Network Design – Traditional Network

Diagram: Core and Access Nodes connected to: Traditional DC, VXLAN/ACI Fabric, Internet Edge, Guest WLCs, Internet, Centralized WLC (OTT), WAN (Small Hybrid WAN Site, Small Internet WAN Site, Large Hybrid WAN Site), Shared Services.

Role            | Platform
Access Node     | Cat3K/9300; Cat4K/9400
Collapsed Core  | Cat6K/9500; ISR4K (WAN)
Centralized WLC | 3504; x800 APs
Data Center     | N9K – NX-OS; N7K – NX-OS; N9K – ACI
Security        | ISE 2.3; ASA 55xx; Windows AD
Cisco SD-Access Network Design

Cisco SD-Access Fabric
Large Enterprise Network Design – Cisco SD-Access Network

Diagram: FABRIC (Access Nodes, control-plane node C, All In One Border) connected through a Fusion Router to: Traditional DC, VXLAN/ACI Fabric, Internet Edge and Internet, Centralized WLC (OTT), WAN (Small Hybrid WAN Site, Small Internet WAN Site, Large Hybrid WAN Site), Shared Services.

Role            | Platform
Access Node     | Cat3K/9300; Cat4K/9400
Collapsed Core  | Cat6K/9500; ISR4K (WAN)
Centralized WLC | 3504; x800 APs
Data Center     | N9K – NX-OS; N7K – NX-OS; N9K – ACI
Security        | ISE 2.3; ASA 55xx; Windows AD

1. The Border needs to be an Outside world/external world border, as there is only one exit point from the fabric to all external domains.
Cisco SD-Access - Border Deployment
Which Border to pick?

Outside world (External)       | Connects to the unknown part of the company, like the internet, or is the only exit point from the fabric.
Rest of Company (Internal)     | Connects to the known part of the company, like DC, WAN etc.
Anywhere (Internal + External) | Connects to the internet and also to the known part of the company, like DC, WAN etc.
Border Deployment Options
Outside World/External Border

Cisco DNA Center border provisioning workflow (UI labels shown on the screenshot: 16.6.2, CORE, SJC22, San_Jose, *):
1. Select the Border Node role
2. Select the Connection type
3. Select the Layer 3 hand off
4. Select the Type of Hand Off
5. Select Subnet for Hand off
6. Select the External Interface(s)
7. Select Remote AS
8. Select VRF advertisement

DEMO TIME
Conclusion
Session Summary

Diagram: Cisco DNA Center (Simple Workflows: DESIGN, PROVISION, POLICY, ASSURANCE) managing the Cisco SD-Access Fabric (control-plane node C, border nodes B, B).

Cisco SD-Access Support
Digital Platforms for your Cisco Digital Network Architecture
For more details: cs.co/sda-compatibility-matrix

What to Do Next?
Cisco SD-Access Resources
Related Sessions

Cisco SD-Access - 8H Technical Seminar - TECCRS-3810
• Monday, Jan 28 8:30 AM - 6:45 PM

Cisco SD-Access Fabric
Cisco SD-Access - A Look Under the Hood - BRKCRS-2810
• Tuesday, Jan 29 11:00 AM - 1:00 PM
Cisco SD-Access - Technology Deep Dive - BRKCRS-3810
• Tuesday, Jan 29 2:30 PM - 4:00 PM
Cisco SD-Access - Connecting Multiple Sites - BRKCRS-2815
• Wednesday, Jan 30 11:00 AM - 1:00 PM
Cisco SD-Access – Assurance and Analytics - BRKCRS-2814
• Wednesday, Jan 30 4:30 PM - 6:00 PM
Cisco SD-Access - Troubleshooting the Fabric - BRKARC-2020
• Thursday, Jan 31 2:30 PM - 4:00 PM
Cisco SD-Access Campus Cisco Validated Design - BRKCRS-1501
• Friday, Feb 01 9:00 AM - 11:00 AM

Cisco SD-Access Integration
Cisco SD-Access - Connecting to the DC, Firewall, WAN & More! - BRKCRS-2821
• Wednesday, Jan 30 8:30 AM - 10:30 AM
Cisco SD-Access - Scaling to Hundreds of Sites - BRKCRS-2825
• Wednesday, Jan 30 2:30 PM - 4:00 PM
Cisco SD-Access – Integrating Existing Network - BRKCRS-2812
• Friday, Feb 01 11:30 AM - 1:30 PM

Cisco SD-Access Policy
Simplifying and Securing the Cisco Digital Network Architecture - BRKCRS-1449
• Tuesday, Jan 29 5:00 PM - 6:30 PM
Group-Based Policy for On-Prem, Hybrid & Cloud with Cisco DNA - BRKCLD-2412
• Wednesday, Jan 30 2:30 PM - 4:00 PM
Cisco SD-Access - Policy Driven Manageability - BRKCRS-3811
• Thursday, Jan 31 2:30 PM - 4:00 PM

Cisco SD-Access Wireless
How to Setup SD-Access Wireless from Scratch - BRKEWN-2021
• Thursday, Jan 31 8:30 AM - 10:30 AM
Cisco SD-Access - Wireless Integration - BRKEWN-2020
• Friday, Feb 01 9:00 AM - 11:00 AM

Cisco SD-Access Labs
Cisco SD-Access & ACI Integration - Hands-on Lab - LTRACI-2636
• Tuesday, Jan 29 2:15 PM - 6:15 PM
Cisco SD-Access - Hands-on Lab - LTRCRS-2810
• Wednesday, Jan 30 9:00 AM - 1:00 PM
Cisco SD-Access Resources
Would you like to know more?

cisco.com/go/sdaccess
• SD-Access At-A-Glance
• SD-Access Ordering Guide
• SD-Access Solution Data Sheet
• SD-Access Solution White Paper

cisco.com/go/cvd
• SD-Access Design Guide
• SD-Access Deployment Guide
• SD-Access Segmentation Guide

cisco.com/go/dna / cisco.com/go/dnacenter
• Cisco DNA Center At-A-Glance
• Cisco DNA ROI Calculator
• Cisco DNA Center Data Sheet
• Cisco DNA Center 'How To' Video Resources
Cisco Webex Teams

Questions?
Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session

How
1 Find this session in the Cisco Events Mobile App
2 Click "Join the Discussion"
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

cs.co/ciscolivebot#BRKCRS-2821

Complete your online session survey
• Please complete your Online Session Survey after each session
• Complete 4 Session Surveys & the Overall Conference Survey (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Events Mobile App or the Communication Stations

Don't forget: Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com

Continue Your Education
• Demos in the Cisco Showcase
• Walk-in self-paced labs
• Meet the engineer 1:1 meetings
• Related sessions
Thank you