
Integrate with Existing Network
Software Defined Access

Meghna Muralinath
Technical Marketing Engineer

BRKCRS-2812
A little bit about me …

I love travelling and I am an adrenaline junkie. These two passions of mine help me unwind doing heart racing activities in different corners of the world.

I have been a TME with Cisco for 4 years with expertise on switching and
SD Access. Before this I was with Cisco TAC handling customer
escalations on Cisco Switching.

TECCRS-3810 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Cisco Webex Teams

Questions?
Use Cisco Webex Teams to chat
with the speaker after the session

How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

cs.co/ciscolivebot# BRKCRS-2812

Agenda

• Introduction
• Migration strategies
• Prepare for migration
• Wireless network migration
• DNA Center upgrade
• Key takeaways

Level set
• Today I am here to share a couple of interesting snippets of what the Cisco DNA Center automates so you will have the tools to be able to plan your migration
• These are tips I know because either me or some of my colleagues / customers have faced it
• There is no one size fits all when it comes to migration
Intent based networking journey Map

[Figure: journey map. Stages, left to right, as far as they can be recovered from the slide: Cisco DNA Center / ISE install and ready; install / prep network; add devices to inventory; LAN Automation, wired and wireless device discovery and PnP; visibility; software image update (SWIM) and license management; micro and macro segmentation; SD Access fabric provisioning; fabric client and endpoint onboarding. Overlaid tracks: Security Analytics, Threat Containment, ETA; Assurance; Automation.]
A brownfields migration philosophy

[Figure: value vs complexity prioritisation matrix. Labels on the matrix: "Start here"; "Testing, Planning"; "Not mandatory"; "May be not worth the effort"; "Defer until later"; "Security / Policy".]

Source: https://medium.com/@ank.mahajan/value-vs-complexity-a-prioritisation-tool-4a2a1ba08eda
Lowest complexity brownfields migration scenario

[Diagram: a single fabric site with Edge (E), Border (B) and Control Plane (CP) nodes. The border peers eBGP with a brownfield L3 switch / router (OTT wireless), either GRT to GRT or VRF to VRF, and that device is the single exit to the Internet.]

• Recommended code
• Single fabric site
• OTT local mode wifi
• < 20ms RTT (for wifi)
• No end point authentication
• No multicast
• Jumbo MTU everywhere
• One exit point out of the network
• L3 routed access underlay
• One SDA VN
• No inter-VN security
• No SGACLs
• No SGTs
• No network transit over fabric site
• No redundancy
• No inter-border iBGP
• New IP ranges in SDA
• No L2 flooding in SDA
• No SDA L2 border
Layer on high business value features

Install DNAC and integrate with ISE

1. SDA to brownfields L3 connectivity
2. Border redundancy / resiliency
3. TrustSec
4. Micro & Macro-segmentation
5. Multicast over fabric
6. Broadcast in the fabric
7. Different Borders to exit out to internet, DC ..
8. Inter-VN policy based communication
9. L2 border for static IP hosts
10. Fabric wireless
11. Application visibility
12. Multiple sites and so on
Migration strategies
Parallel vs Incremental

Implementation resources, Parallel vs Incremental:

1. Parallel: New cable runs to create a new parallel network
   Incremental: May require a couple of cables from new access or distribution switches
2. Parallel: Power and rack space to accommodate the parallel network
   Incremental: Incremental power and incremental rack space
3. Parallel: Additional hardware required
   Incremental: Existing hardware can be re-used
4. Parallel: Clean slate, new configurations automated by Cisco DNA-Center
   Incremental: Will need to workaround and carry over existing configuration hacks
5. Parallel: Plug and play users into the new network
   Incremental: Move users one group at a time
6. Parallel: Can be rolled back by moving end points
   Incremental: Roll back will need re-configuration of the network devices
Hybrid of Parallel and Incremental when planning a network refresh
• Backup configurations from the old network devices
• Replace the network with new refreshed hardware, ensure they are upgraded to software that is supported on a fabric
• Restore old configurations to the new switches.

---------- Ensure the network is restored and the end hosts can onboard ------------

• Convert the core, and then one edge at a time, to fabric enabled
• Onboard clients to the fabric one group at a time

----- Ensure the network is restored and the end hosts can onboard to the fabric -----
Add B/CP to DNA Center inventory
• You can add the brownfield device chosen as B/CP to the Cisco DNA Center inventory by running a discovery for it from the Cisco DNA Center
• For the discovery to be successful the brownfield device should be configured with SNMP-RW, SSH/telnet, a local username and password, and an enable password
• Once the device is discovered, Cisco DNA Center configures the switch with IP device tracking on access ports (access PIDs like 9300, 9200, 3850, 3650)
Incremental Migration – High Level concept

[Diagram: Fabric network (new IP scope) on the left with Edge Nodes and a Border/Control Plane node (C, B); Traditional network (existing IP scope) on the right with the rest of the network. Both sit on the existing IP distribution network (underlay), and the border routes between the two IP scopes.]

• Deploy a Border/Control Plane node. Cisco DNA Center adds on the Border configuration
• Incrementally add Fabric Edge nodes
• The virtual network connects to the existing/external network via the border
Converting a brownfield switch to a fabric switch
Rebuild the switch:
• Upgrade IOS-XE version in compliance with SD-Access compatibility matrix
• License level / subscription level insufficient
• Factory reset the switch (wr erase insufficient)

Option 1: LAN Automation
1. Default seed downlink interface config
2. Start LAN Automation
3. Provision the device to site
4. Add to fabric as an Edge switch

Option 2: Manual Underlay
1. Configure the L3 underlay manually
2. Modify the upstream links to routed links
3. Discover the device via the DNA Center
4. Provision device to site
5. Add the switch to fabric as an edge switch
Provisioning devices to site

• Once devices are added to the Cisco DNA Center inventory, they have to be provisioned.
• This step assigns the devices to a specific site in the hierarchy. This step ensures all the network intent defined by the network administrator is added to the network devices.
• If the devices are brownfield devices, ensure there are no conflicting configs between the network intent defined and what already exists on the device.
Communication between fabric enabled and non fabric hosts

[Diagram: Fusion router above a Core Fabric B+CP node; existing IP distribution network (underlay) below it; fabric Edge switches and traditional Access switches hanging off the underlay. One traffic path is drawn for hosts in the traditional network, another for hosts in the fabric.]

• Traffic from the traditional network gets routed up to the fusion router
• The fusion router has the routes for the fabric network, pointing back to the core/B+CP in the user VN
• The Border encapsulates the traffic in VxLAN and forwards the traffic to the Edge/RLOC registered for the edge
Prepare for migration
New IP scopes for fabric

[Diagram: Network Underlay with /32 loopbacks (10.10.10.254/32, 10.10.10.253/32) and /30 point-to-point links (10.10.10.0/30, 10.10.10.4/30); Network Overlay hosts (192.168.1.1/32, 192.168.1.2/32) carried over the underlay with VxLAN encap.]

• Keep your underlay separated from your overlay. Underlay can be IPv4 only
• Dual stack support for overlay
• For onboarding edge devices, if you use LAN Automation use a large IP pool to begin with. A /25 subnet will only allow you to run LAN automation once
• Use large IP pools, use SGT for segmentation of hosts when possible
• Limit on number of IP pools per fabric, leave room to grow
LAN Automation

[Diagram: Fusion router, CP and B nodes, a Core network acting as the Seed with a seed interface on which LAN Automation is started, and Access switches below it becoming Edge switches.]

When building a parallel network for SD Access, LAN Automation can be used to simplify building the underlay.

When building an incremental SD Access network:
1. A core device on which configurations cannot be changed can be selected as the Seed. Start LAN Automation.
2. Once the access switch is ready to be configured as an edge switch, restore the switch to factory default and begin LAN Automation.

On the existing core:
- Ensure vlan1 is not being used
- DHCP snooping is not already enabled
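The two prerequisite lists above (a discoverable B/CP needs SNMP-RW, SSH/telnet, a local user and an enable password; a LAN Automation seed core must not use vlan1 or have DHCP snooping enabled) are the kind of thing worth checking from the running-config before touching production. The following Python audit is an added example and not part of the Cisco Live deck or any Cisco tool: the running-config excerpt is constructed, and the regular expressions reflect common IOS-XE syntax as an assumption rather than an exhaustive parser.

```python
"""Pre-check of a brownfield switch running-config before Cisco DNA Center
discovery and before using the switch as a LAN Automation seed.

Added example, not from the deck. SAMPLE_CONFIG is constructed; the regexes
are assumptions about common IOS-XE syntax, not a full config parser.
"""
import re

# Constructed running-config excerpt for a brownfield core that is NOT ready:
# SNMP community is read-only, DHCP snooping is on, and Vlan1 carries an IP.
SAMPLE_CONFIG = """\
hostname CORE-1
!
enable password cisco123
!
username admin privilege 15 password 0 admin123
!
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
snmp-server community public RO
!
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
!
line vty 0 4
 transport input telnet
 login local
!
"""


def audit_running_config(config: str) -> dict:
    """Return {check_name: problem-or-None} for the discovery and seed checks."""
    findings = {}

    # --- Discovery prerequisites (slide: add B/CP to DNA Center inventory) ---
    # An SNMP RW community (or an SNMPv3 user) is needed for discovery.
    has_snmp_rw = (re.search(r"^snmp-server community \S+ RW\b", config, re.M)
                   or re.search(r"^snmp-server user ", config, re.M))
    findings["snmp_rw"] = None if has_snmp_rw else "no SNMP RW community / SNMPv3 user"

    # SSH or telnet must be accepted on the VTY lines.
    vty_inputs = " ".join(re.findall(r"^ transport input (.+)$", config, re.M))
    ok_vty = any(t in vty_inputs for t in ("ssh", "telnet", "all"))
    findings["vty_access"] = None if ok_vty else "no ssh/telnet transport on vty"

    findings["local_user"] = (None if re.search(r"^username \S+ ", config, re.M)
                              else "no local username configured")
    findings["enable_password"] = (None if re.search(r"^enable (secret|password) ", config, re.M)
                                   else "no enable password/secret")

    # --- LAN Automation seed prerequisites (slide: on the existing core) ---
    findings["dhcp_snooping"] = ("ip dhcp snooping already enabled globally"
                                 if re.search(r"^ip dhcp snooping$", config, re.M) else None)

    # Vlan1 counts as "in use" when the SVI exists, has an address and is not shut.
    vlan1 = re.search(r"^interface Vlan1\n((?: .*\n)*)", config, re.M)
    vlan1_in_use = (bool(vlan1) and "shutdown" not in vlan1.group(1)
                    and "ip address" in vlan1.group(1))
    findings["vlan1"] = ("interface Vlan1 has an IP address and is not shut down"
                         if vlan1_in_use else None)
    return findings


def blocking_findings(config: str) -> list:
    """Names of the checks that failed, for a quick go / no-go decision."""
    return [name for name, problem in audit_running_config(config).items() if problem]


if __name__ == "__main__":
    for name, problem in audit_running_config(SAMPLE_CONFIG).items():
        print(f"{name:16} {'OK' if problem is None else problem}")
```

Feed it the output of `show running-config` from the candidate core or B/CP; an empty list from `blocking_findings` means the device meets the prerequisites listed on the slides, while each named entry points at the line to fix before discovery or LAN Automation is started.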
Reusing the brownfield network as underlay
• Underlay interconnects must be L3
• Having L2 in the underlay with spanning tree instability and STP blocked links only makes the overlay more unstable – this is unsupported
• Any IGP protocol is supported
• If you decide to use LAN automation to onboard edge switches, the IS-IS routing protocol must be configured
• Ensure the MTU on all underlay devices is set to 9100
Why is underlay MTU important?

[Diagram: a host (IP Addr=2) behind an edge with Lo0 IP Addr=22 sends a 1500B packet (frame 1514B) with DF=1 to a host (IP Addr=1) behind an edge with Lo0 IP Addr=11. After VXLAN encapsulation the packet is 1550B and the frame 1564B, outer header Source IP=22 / Dest IP=11, inner header Source IP=2 / Dest IP=1. An intermediate underlay interface (E10) with MTU 1500 cannot carry it and replies with ICMP T3C4 (Destination unreachable, Fragmentation required) in the GRT.]

• The T3C4 is sent in the underlay and never makes it back to the host
• Use TCP re-adjust MSS; this will not help with UDP packets
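The 1500B to 1550B / 1564B numbers on the slide follow from the fixed VXLAN header stack, and the same arithmetic gives the MSS a clamp would need and shows why the ICMP Type 3 Code 4 never reaches the host. The Python below is an added worked example, not material from the deck: the header sizes are the standard Ethernet/IPv4/UDP/VXLAN values, while the link MTUs, the MSS formula and the forwarding model are assumptions made for the illustration.

```python
"""VXLAN MTU arithmetic behind the "why is underlay MTU important" slide.

Added example, not from the Cisco Live deck. Header sizes are the standard
Ethernet II / IPv4 / UDP / VXLAN values (an IPv4 underlay without 802.1Q tags
is assumed); the MTU inputs and the MSS formula are assumptions.
"""

ETH_HDR = 14      # Ethernet II header, no 802.1Q tag
IPV4_HDR = 20     # IPv4 header without options
UDP_HDR = 8
VXLAN_HDR = 8
TCP_HDR = 20

# What VXLAN adds to the original IP packet: the inner Ethernet header travels
# inside the tunnel, then VXLAN + UDP + outer IPv4 are prepended.
VXLAN_OVERHEAD = ETH_HDR + VXLAN_HDR + UDP_HDR + IPV4_HDR   # 50 bytes


def encapsulated_packet_size(inner_ip_len: int) -> int:
    """Outer IP packet size after VXLAN encapsulation (1500 -> 1550)."""
    return inner_ip_len + VXLAN_OVERHEAD


def encapsulated_frame_size(inner_ip_len: int) -> int:
    """Outer Ethernet frame size on the underlay wire (1500 -> 1564)."""
    return encapsulated_packet_size(inner_ip_len) + ETH_HDR


def required_underlay_mtu(host_mtu: int) -> int:
    """Smallest underlay IP MTU that carries a full-size host packet unfragmented."""
    return encapsulated_packet_size(host_mtu)


def underlay_mtu_ok(underlay_mtu: int, host_mtu: int = 1500) -> bool:
    """True when every underlay link MTU is large enough for the overlay."""
    return required_underlay_mtu(host_mtu) <= underlay_mtu


def tcp_mss_for_underlay(underlay_mtu: int) -> int:
    """Largest TCP MSS a host may use so the encapsulated packet still fits.

    Assumed formula for an MSS clamp: underlay MTU minus VXLAN overhead minus
    the inner IPv4 and TCP headers. Only TCP carries an MSS, hence the slide's
    remark that this does nothing for UDP.
    """
    return underlay_mtu - VXLAN_OVERHEAD - IPV4_HDR - TCP_HDR


def mss_clamp_helps(protocol: str) -> bool:
    """MSS adjustment only changes TCP segment sizes; UDP has no MSS."""
    return protocol.lower() == "tcp"


def forward_over_underlay(inner_ip_len: int, df: bool, underlay_mtu: int) -> str:
    """Model an underlay router handling one encapsulated packet.

    `df` is the Don't Fragment bit on the outer header (assumed copied from
    the host packet). A too-big DF packet is dropped and the ICMP T3C4 goes to
    the outer source, i.e. the encapsulating edge's RLOC in the GRT, so the
    host that set DF never receives it.
    """
    size = encapsulated_packet_size(inner_ip_len)
    if size <= underlay_mtu:
        return "delivered"
    if not df:
        return "fragmented"   # reassembled by the decapsulating edge, at a cost
    return "dropped: ICMP T3C4 sent to edge RLOC in the GRT, host never sees it"


if __name__ == "__main__":
    print("1500B host packet becomes", encapsulated_packet_size(1500),
          "B packet /", encapsulated_frame_size(1500), "B frame")
    print("underlay MTU 1500 ok?", underlay_mtu_ok(1500), "; 9100 ok?", underlay_mtu_ok(9100))
    print("MSS needed on a 1500B underlay:", tcp_mss_for_underlay(1500))
    print(forward_over_underlay(1500, True, 1500))
```

The arithmetic generalises the slide's single case: any host MTU plugged into `required_underlay_mtu` gives the minimum the underlay links must carry, which is why the deck's blanket "9100 everywhere" recommendation removes the problem for every host MTU up to 9050.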
Relocate point of application of features
User traffic will be encapsulated with VxLAN at the Edge/Border

[Diagram labels: QoS, NetFlow, WCCP, IP ACLs.]

• Move policy enforcement to the edge or to the Border on the non fabric interface
• Move features like SPAN, NetFlow collection, IP ACLs and QoS to the access switches
• Features like PBR, WCCP outside the fabric
• QoS enforcement at the access switch
• QoS values are copied to the VxLAN header automatically.
Extend fabric subnets outside

• If there are IoT devices that cannot be re-IPed when migrating to fabric, use an L2 border to extend the subnet into the fabric
• The fabric SVI replaces the gateway on the traditional network
• The VLAN in the traditional network has to be different from the one in the fabric. The L2 Border bridges the VLANs.

Reserved VLAN list:
2046 – critical VLAN voice
2047 – critical VLAN for data
3000 – 3500 – fabric VLANs
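Because the traditional-side VLAN must differ from the fabric VLAN and must avoid the reserved numbers listed above, it is worth validating the pair before the L2 border is configured. The checker below is an added example and not from the deck: the reserved values are the ones the slide lists, and the sample pairs are constructed.

```python
"""Validate the VLAN pair used when an L2 border bridges a traditional subnet
into the fabric.

Added example, not from the deck. Reserved values are the slide's reserved
VLAN list; the sample pairs in __main__ are constructed.
"""

# Reserved by the fabric (slide: reserved VLAN list). The border handoff VLANs
# Cisco DNA Center allocates from 3001 upward sit inside the 3000-3500 block.
RESERVED_VLANS = {
    2046: "critical VLAN voice",
    2047: "critical VLAN for data",
}
RESERVED_RANGES = [(3000, 3500, "fabric VLANs")]


def reserved_reason(vlan: int):
    """Why a VLAN number is off-limits on the traditional side, or None."""
    if vlan in RESERVED_VLANS:
        return RESERVED_VLANS[vlan]
    for low, high, reason in RESERVED_RANGES:
        if low <= vlan <= high:
            return reason
    return None


def l2_border_vlan_check(traditional_vlan: int, fabric_vlan: int) -> list:
    """Return the list of problems with the pair; an empty list means usable."""
    problems = []
    for label, vlan in (("traditional", traditional_vlan), ("fabric", fabric_vlan)):
        if not 1 <= vlan <= 4094:
            problems.append(f"{label} VLAN {vlan} is outside 1-4094")
    reason = reserved_reason(traditional_vlan)
    if reason:
        problems.append(f"traditional VLAN {traditional_vlan} is reserved ({reason})")
    if traditional_vlan == fabric_vlan:
        problems.append("traditional and fabric VLANs must differ; the L2 border bridges them")
    return problems


if __name__ == "__main__":
    # Constructed pairs: the slide's own VLAN 10 / 1024 example, then bad ones.
    for pair in ((10, 1024), (3001, 1024), (2046, 1024), (1024, 1024)):
        print(pair, l2_border_vlan_check(*pair) or "ok")
```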
Extend fabric subnets outside

[Diagram: VXLAN data plane on the fabric side, VLAN on the traditional side. A Layer 2 Border (B) connects the SDA Fabric to the traditional network over a single or port-channel* trunk port, with a multi-chassis EtherChannel on the traditional side. Host 1, Host 2 and Host 3 are all in IP 10.1.1.0/24: hosts attached to SDA Fabric edge nodes are in VLAN 1024, hosts attached to traditional access switches are in VLAN 10.]
Extend fabric subnets outside

• It is recommended to keep the L2 border separated from the L3 border. Storm in traditional network = storm on the L2 border
• Scale of hosts in the traditional network that can be bridged on an L2 border depends on the platform chosen
• Cat9k, Cat6k, Cat3k as L2 Border
• Only in-chassis HA is supported on the L2 Border. Multiple L2 Borders can be configured, only 1 per VLAN.
Extend fabric subnets outside

[Diagram: two Borders (B); on the Layer 2 Border one uplink toward the traditional network is the STP root port and the other is STP blocking. Host 1, Host 2 and Host 3 are all in IP 10.1.1.0/24: hosts attached to SDA Fabric edge nodes are in Address Pool (1024), hosts attached to traditional access switches are in VLAN (300).]
Extend fabric subnets outside

[Diagram: two Borders (B); the Layer 2 Border attaches to the traditional network over a single or port-channel* trunk port. Host 1, Host 2 and Host 3 are all in IP 10.1.1.0/24: hosts attached to SDA Fabric edge nodes are in Address Pool (1024), hosts attached to traditional access switches are in VLAN (300).]
L3 VNs in Cisco SD Access

[Diagram: on the Border, User-Defined VN(s) map to USER VRF(s); the User VN (for Default) maps to DEFAULT_VN; INFRA_VN (for APs, Extended Nodes) and the underlay devices map to the GRT.]

• Pick the right devices – the number of VNs the fabric can support falls to its lowest common denominator
• The underlay should be in the GRT
• Infra_VN = GRT. This is only for APs and extended nodes
• The default_VN is a user VN
Multi-VN border route peering scenarios
• 1:1 – the border GRT peers with the brownfields / fusion GRT or zone, VN1 with VRF1 or Zone, VN2 with VRF2 or Zone
• 1:n and n:1 are also possible (VRF to VRF or Zone)
• Capture connectivity and security requirements, they will dictate the ‘right’ answer. Define and agree on these early
Firewall as fusion
• Comprehensive inter-VN policy, stateful inspection, AVC
• ASA: Source SGT to Destination SGT policy
Note: SGT can be derived from ACI EPG. Review latest BRKDCN-2489
• Rich reporting in FTD: top blocks, top malwares, top hosts affected by malware, network risk, customized, etc.
• Firewall grade logging (example log columns: Action, Source IP, Source SGT, Source username)
**IOS/IOS-XE SGACL logging not guaranteed

Example: Firepower logging. FMC + ISE integration + AD integration
Firewall as fusion – other considerations

• TrustSec policies not downloaded from ISE to firewall

• Size appropriately:
• Max throughput
• Max connections per second
• Average packet sizes
• Interfaces
• Enable features (IPS, AMP, URL Filtering, IPSec)

Border switch redundancy

[Diagram: two border switches (B), each dual-homed to two brownfields switches (S), with edges (E) below. Northbound peering is eBGP+BFD over an SVI or sub-interface; between the borders it is iBGP+BFD. Physical links could be sub-interfaces; logically there is one GRT peering and, if the brownfield device is a router, it is repeated per SDA VN (VRF). The inter-border link (I) is labelled "Only for VN, not GRT".]

• Per-VRF BGP recommended. Best route control features. Other protocols allowed but not recommended
• BFD optional, still recommended if the other side is capable. SVI can stay up when the physical link fails. Configure manually on CLI or with a template
• N-S and E-W port-channel optional/permitted as it reduces BGP peering to 5x per VRF
Border router redundancy

[Diagram: the same topology with border routers; northbound peering is eBGP+BFD over an SVI or sub-interface. Physical links could be routed sub-interfaces, depending on the brownfields switch model / router; logically the GRT peering is set up first and then repeated per SDA VN (VRF). The inter-border link (I) is labelled "Only for VN, not GRT".]
Border handoff Automation
• Cisco DNA Center automates the configurations on the Border for the north bound interface. The brownfield device connecting to it has to be manually configured
• The automation VLAN starts with VLAN 3001 and counts across all fabric sites.
• No control on VLAN allocation, so once the automation is complete look at the UI to see the VLAN to VN mapping
• If the VN handoff is deleted and re-added it does not get the same VLAN back. The brownfield device will need to be re-configured
• No BFD automation; it can be configured manually if the brownfield device supports BFD
L2 Broadcast
• In a fabric L2 broadcast is disabled by default. It can be selectively enabled only for hosts that send/receive broadcast; it also floods link-local multicast in the overlay
• Silent hosts need the broadcast (ARP) flooded to them, so they can respond and in turn get registered in the edge’s LISP database
• Manually add hosts into the edge’s SISF table: ‘device-tracking binding vlan vlan_no ip_addr interface gix/y mac_addr’
• Wake On LAN with server and hosts in the same subnet is supported
• Support for directed broadcast in roadmap
Native multicast

[Diagram: CP node and RP, two Borders (B) acting as multicast replicators, a Multicast Sender and a Multicast Receiver on edges, with (S,G) streams.]

• Fabric supports propagating multicast in two ways:
  • Head end replication
  • Native multicast
• Enabling native multicast distributes the load of replication of multicast streams (S,G)
• For native multicast to function, multicast must be enabled in the underlay. This is automated during LAN automation. During migration this will need to be enabled manually
Native multicast
Native multicast uses SSM to transmit multicast in the underlay. It does not require an RP in the underlay.

Ensure multicast is enabled in the underlay and SSM is configured on the loopback and L3 interconnects.

Native multicast uses 232.0.0.1-232.0.3.232 in the underlay to transmit multicast.

Broadcast in fabric: L2 flooding uses multicast in the underlay. ASM is used, which requires an RP. Configure the RP in the underlay manually. The 239.0.0.1-239.0.1.246 multicast groups are used to transmit broadcast.

If any of these groups are being used in the intermediate network, this will mix up the streams.
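The last point above is easy to miss in a brownfield: any existing stream on one of the underlay groups the fabric reserves will be mixed with fabric traffic. The Python below is an added example, not part of the deck, that screens a list of multicast groups already present in the intermediate network (the list here is constructed; in practice it would come from the brownfield routers' mroute tables) against the two ranges the slide states, and separately flags which of them sit in the SSM block that needs no RP.

```python
"""Screen brownfield multicast groups against the underlay ranges SD-Access
uses for native multicast (SSM) and L2 flooding (ASM).

Added example, not from the deck. The two ranges are the ones the slide
states; EXISTING_GROUPS is a constructed inventory.
"""
from ipaddress import IPv4Address, IPv4Network

# Ranges quoted on the slide, inclusive bounds.
SDA_UNDERLAY_RANGES = {
    "native multicast (SSM)": (IPv4Address("232.0.0.1"), IPv4Address("232.0.3.232")),
    "L2 flooding (ASM, needs RP)": (IPv4Address("239.0.0.1"), IPv4Address("239.0.1.246")),
}

# Source-Specific Multicast block: groups here are joined as (S,G), so no RP.
SSM_BLOCK = IPv4Network("232.0.0.0/8")

# Constructed inventory of groups already carried by the intermediate network.
EXISTING_GROUPS = [
    "239.1.1.1",     # IPTV-style ASM group, outside both fabric ranges
    "232.0.0.5",     # collides with the native multicast range
    "239.0.1.100",   # collides with the L2 flooding range
    "232.0.3.233",   # one past the native multicast range, no collision
    "224.0.0.251",   # link-local mDNS, never a fabric transport group
]


def classify_group(group: str):
    """Name of the SD-Access underlay range a group falls into, or None."""
    addr = IPv4Address(group)
    for name, (low, high) in SDA_UNDERLAY_RANGES.items():
        if low <= addr <= high:
            return name
    return None


def in_ssm_block(group: str) -> bool:
    """True for 232/8 groups, i.e. ones an RP-less SSM underlay can carry."""
    return IPv4Address(group) in SSM_BLOCK


def conflicting_groups(existing) -> list:
    """(group, range_name) for every group that would mix with fabric streams."""
    conflicts = []
    for group in existing:
        hit = classify_group(group)
        if hit is not None:
            conflicts.append((group, hit))
    return conflicts


def rp_needed_in_underlay(l2_flooding_enabled: bool) -> bool:
    """Native multicast alone is SSM (no RP); L2 flooding uses ASM and needs one."""
    return l2_flooding_enabled


if __name__ == "__main__":
    for group, rng in conflicting_groups(EXISTING_GROUPS):
        print(f"{group:14} overlaps {rng}")
    print("RP needed in underlay with L2 flooding:", rp_needed_in_underlay(True))
```

Run it over the real group list before enabling native multicast or L2 flooding; every line it prints is a stream that has to be renumbered on the brownfield side or kept off the underlay links the fabric shares.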
Integrating fabric multicast with traditional network pre 1.3.3

[Diagram: an External RP in the non-fabric network; two Border/RP nodes (B,RP) in the SD-Access Fabric.]

• Fabric has to have its own RP
• Cisco DNA Center automates the MSDP sessions between the fabric RPs
• Set up manual MSDP peering with the RP outside and each fabric RP:

ip msdp vrf <vrf_name> peer External_RP_ip connect-source Loopback<Lo_created_for_multicast_VN>
Integrating fabric multicast with traditional network pre 1.3.3

[Diagram: Fusion router with External RP-1, External RP-2 and External RP-3 in the non-fabric network; two B,RP nodes and edges (E) in the SD-Access Fabric.]

• Peer the external RP with the other external RPs (2), (3)
• Peer the fabric RPs with external RP (1)
• This will limit the number of MSDP peerings needed on the Fabric RPs

ip msdp vrf <vrf_name> peer External_RP_ip connect-source Loopback<lo_created_for_multicast_VN>
ip msdp vrf <vrf_name> mesh-group <mesh_group> External_RP_ip
Integrating fabric multicast with traditional network post 1.3.3
• The fabric devices can directly peer with the external RP
• Ensure there is IP reachability between the fabric devices and the external RP
Software and hardware support for native multicast

Platform              Min IOS needed for Native Multicast
9k                    16.9.1.s
3k                    16.9.1.s
6k                    15.5.(1)SY2
ASR1k, ISR4k, CSR     16.9.1.s
Cat4k, N7k            No support
Pick the right border

Router as Border (B):
• Lower port density – patch FEs to intermediate switches
• Higher scale: CP, SGT, SGACL, adjacency etc.
• Standalone

Switch as Border (B):
• Higher port density – patch FEs directly to the border switch
• L2 handoff support on C3K, C9K and C6K
• Multi-chassis: back-stack, StackWise Virtual
Test your configuration before production

[Diagram: brownfields network above two Borders (B) and a single Edge (E).]

• Routing convergence is dependent on correct brownfields routing configuration
• Building 1-2 fabric edges does not impact the existing network and can be used for testing of endpoints
• Before adding critical production traffic, test failure scenarios:
  • Fabric endpoint PING to hosts external to fabric
  • ECMP. Run multiple parallel PINGs
  • Fail links
  • Reload borders
  • Fix anomalies
  • Repeat tests
• Get a sampling of all the exotic endpoints and test on this fabric edge – if it works here, it will work 99.999% elsewhere
• Once the borders are right, the whole fabric can leverage this. Correct border routing is the same for a fabric of 1x FE or 250x FE
Extended node policy enforcement – IoT switch migration – pre 1.3.3

[Diagram: control plane (C), Borders (B), an edge acting as anycast gateway, and an extended node below it with Host-1 and Host-2.]

• SGT mapping for traffic originated from the Extended node is done on the Edge Node.
• Policy enforcement for traffic originated from the Extended node is done on the Edge node
• To map traffic from hosts connected behind an Extended node to an SGT, map the VLAN to an SGT.
• Supported on the IE family (IE3300, IE4000, IE4010, IE5000, IE3400 and IE3400H).
Policy Extended node – 1.3.3 IoT switch migration

[Diagram: ISE, control plane (C), Borders (B), a Fabric Site with an edge (anycast gateway) and a policy extended node that carries the SGT to the edge with inline tagging via CMD; Host-1 sits behind the policy extended node.]

• Switches like the IE3400/IE3400H with release 17.1.1 are capable of inline SGT.
• Once the end host connected to the Policy Extended node is authenticated via ISE, ISE as an authorization result sends an SGT tag to the policy extended node
• The policy extended node sends the SGT tag to the edge node via CMD
• Once the Edge sees the host traffic, it encapsulates the traffic in VxLAN and inserts the SGT tag
Wireless migration
Fabric Enabled Wireless (FEW)
• Realize the true power of Cisco SD Access with a single policy for wired and wireless
• APs are fabric enabled and build a VxLAN tunnel with the fabric edge nodes
• All control traffic is encapsulated by CAPWAP and VxLAN and sent to the controller
• Data traffic is encapsulated by VxLAN and forwarded to the edge where policy enforcement happens.
Wireless Over The Top
• It is sometimes necessary because of roaming constraints, not wanting to upgrade the WLC to an IOS supported by fabric, wireless hardware unsupported by Cisco SD Access, or maybe just as a migration step.
• The traditional wireless is left as is and the wired network is migrated to SD Access
• All traffic, data and control, is encapped in CAPWAP and VxLAN before forwarding to the controller
Mixed mode for migration
• Mixed mode: mix of Fabric and non-Fabric (centralized) SSIDs
• Mixed mode is supported both on the same AP or on different APs
• With Cisco DNA Center 1.1 mixed mode is supported only for greenfield deployments
• With Cisco DNA Center 1.2 mixed mode is supported also for brownfield deployments
• Automation for Foreign-Anchor Guest SSID is supported in Cisco DNA Center 1.2
Migrating Flex connect architecture

[Diagram: WLC and control plane (C) above a Border (B) and edges (E), with users and things below.]

• Max latency between the WLC and AP supported is 20ms
• Multiple sites cannot share WLCs today
• eWLC on the Cat9k* switches can be used for fabric enabled wireless
• Cisco DNA-Center will automate configuration of the WLC.

*eWLC supported on 9600, 9500H, 9500, 9400, 9300
Policy
Integrating Cisco DNA Center with existing ISE
• Supplicants on endpoints don’t need to change
• Profiling policies can be reused
• Existing AD integrations can be reused
• Existing posturing rules can be reused
• AuthZ rules can be reused, but with a different results profile

If you do decide to use a new ISE cluster for the fabric network for a POC, or because the production ISE version cannot be upgraded, the policies can be backed up from the old ISE and restored on the new ISE.
Integrating Cisco DNA Center with Existing ISE
• Take a backup of ISE before integrating Cisco DNA Center to production ISE
• The credentials used on Cisco DNA Center for ISE should be the root credentials. The ISE should have the same root and UI password for the integration to be successful.
• Post 1.3.1, when ISE is integrated with Cisco DNA Center via pxGrid the integration is for both automation and assurance.
Integrating Cisco DNA Center with Existing ISE
• If you have existing SGACL policies on the brownfield ISE, consider using Cisco DNA Center 1.3.1 or later
• The ISE version should be minimum version 2.4.0.357 patch 7
• Once the migration is successful, the policy matrix is now available on Cisco DNA Center
• The DNA Center now controls all the policy creation and definitions
DNA Center upgrade
SD-Access 1.3 Migration Matrix

Challenge question
• When upgrading Cisco DNA Center for new feature support, should the fabric network devices be upgraded first, or should Cisco DNA Center be upgraded first?
Migrating Cisco DNA Center appliance

DN2-HW-APL (entry): 44 core, 25K endpoints
DN2-HW-APL-L (mid-size): 56 core, 40K endpoints
DN2-HW-APL-XL (large): 112 core, 100K endpoints

• Take a backup from the old appliance
• Install the new appliance and match the DNA Center software version
• Restore the configs and data from the backup to the new cluster
Key takeaways
• Most traditional topologies can be migrated to SD Access architecture
• Double/triple check to make sure the software on ISE, Cisco DNA Center and network elements are all compatible
• Keep in mind the max RTT between different fabric elements
• It will help to know your network:
  • Traffic patterns and types
  • Network devices connecting in
  • Exotic end points
  • Security policies
• Test before going into production
• DO NOT change any configuration pushed by DNA Center
A special thank you to my colleagues
Jerome Dolphin

Jonathan Cuthbert

Complete your online session survey
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.

Cisco Live sessions will be available for viewing on demand after the event at ciscolive.com.
Continue your education
• Demos in the Cisco Showcase
• Walk-In Labs
• Meet the Engineer
• Related sessions
• 1:1 meetings

Thank you