BRKCRS-3800 - Campus Fabric 2016
Campus Fabric
Shawn Wargo
Technical Marketing Engineer
BRKCRS-3800
Campus Fabric
Abstract
Is your Campus network facing some, or all, of these challenges?
Using Cisco technologies available today, you can overcome these challenges
and build an “Evolved” Campus Network to better meet your business objectives.
Come to this session to get a deeper insight into the Key Technologies, Designs and
Configurations (e.g. LISP with VXLAN, and TrustSec) that bring this evolution to life!
We highly recommend that attendees already be familiar with: Enterprise Campus Design
(BRKCRS-2031), Location ID Separation Protocol (BRKRST-3045), and Cisco Trust Security
(BRKCRS-2891).
BRKCRS-3800 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
1. Key Benefits: Why do I care?
2. Key Concepts: What is a Fabric?
3. Solution Overview: How does it work?
4. Putting It Together: Where do things go?
5. Take-Away: When to get started?
Key Benefits
Why do I care?
Cisco Digital Network Architecture
Overview
Network-enabled Applications
Cloud-enabled | Software-delivered
Network Enabled Applications
[Diagram: Cisco Digital Network Architecture APIs. Northbound UNI: a Customized GUI and a Prescriptive Service Definition & Orchestration layer (Model-based, Intent, Telemetry). Enterprise Controller functions: Service Instantiation, Easy QoS, Plug & Play, Path Optimization. Southbound APIs to Policy Enforcement Points (PEP) in the WAN / Branch, Campus and Data Center. Other labels on the slide: Apps, Localized or network-wide, Network Function Virtualization, Service Chaining.]
What is Campus Fabric?
[Diagram: Foundational Technologies. Industry Leading: Wired & Wireless | Stacking | TrustSec | SDN, plus Network Enabled Applications: Collaboration | Mobility | IoT | Security. Advanced Functionality: Programmable Pipeline | Flexibility | Recirculation. Automation and Analytics: Controller | Visible | Programmable | Open.]
Wired and Wireless Host Mobility
Mobility: because your address is no longer tied to your location

Network Wide Intelligent Policy Enforcement
Policy based on your identity, not on your address
Key Concepts
What is a Fabric?
What exactly is a Fabric?
A Fabric is an Overlay
An “Overlay” is a logical topology used to virtually connect devices, built on top of an arbitrary physical “Underlay” topology.
An “Overlay” network often uses alternate forwarding attributes to provide additional services not provided by the “Underlay”.
What exactly is a Fabric?
Why Overlays?
What exactly is a Fabric?
Overlay Terminology
[Diagram labels: Encapsulation; Hosts (End-Points)]
What exactly is a Fabric?
Types of Overlays
What is unique about Campus Fabric?
Key Components – LISP
BEFORE: IP Address = Location + Identity. Every router carries a Prefix / Next-hop entry for each Endpoint Route:
    Prefix           Next-hop
    192.58.28.128    171.68.228.121
    189.16.17.89     171.68.226.120
    22.78.190.64     171.68.226.121
    172.16.19.90     171.68.226.120
AFTER: Separate Identity from Location. Endpoint Routes are Consolidated into the LISP Mapping Database (Endpoint ID to RLOC), and the RLOC prefix is Flexible:
    Endpoint ID      RLOC
    192.58.28.128    171.68.228.121
    189.16.17.89     171.68.226.120
    22.78.190.64     171.68.226.121
    172.16.19.90     171.68.226.120
What is unique about Campus Fabric?
Key Components – VXLAN
What is unique about Campus Fabric?
Key Components – CTS
What is unique about Campus Fabric?
Key Differences
Campus Fabric
Control-Plane Nodes – A Closer Look
Campus Fabric
Edge Nodes – A Closer Look
Campus Fabric
Border Nodes – A Closer Look
Campus Fabric Overview
New Terminology
Campus Fabric
Virtual Neighborhoods – A Closer Look
Campus Fabric
Endpoint ID Groups – A Closer Look
Campus Fabric
Host Pools – A Closer Look
Technical Overview
How does it work?
Locator / ID Separation Protocol | VXLAN Encapsulation | Cisco TrustSec

Locator / ID Separation Protocol
Location and Identity Separation
Traditional Behavior - Location + ID are “Combined”
[Diagram: device 10.1.0.1 moves across the IP core and becomes 20.2.0.9]
The device's IPv4 or IPv6 Address represents both Identity and Location. When the Device moves, it gets a new IPv4 or IPv6 Address for its new Identity and Location.
Overlay Behavior - Location & ID are “Separated”
[Diagram: device 10.1.0.1 moves across the IP core and keeps 10.1.0.1]
The device's IPv4 or IPv6 Address represents Identity only. When the Device moves, it keeps the same IPv4 or IPv6 Address: it has the Same Identity.
Locator / ID Separation Protocol
LISP Mapping System
DNS analogy (Name-to-IP URL Resolution):
    Host asks the DNS Server: [ Who is lisp.cisco.com ] ?
    DNS answers: [ Address is 153.16.5.29, 2610:D0:110C:1::3 ]
LISP (ID-to-Locator Map Resolution):
    LISP Router asks the LISP Map System: [ Where is 2610:D0:110C:1::3 ] ?
    LISP Map System answers: [ Locator is 128.107.81.169, 128.107.81.170 ]
‒ LISP resolves Locators for queried Identities: it answers the “WHERE IS” question
Locator / ID Separation Protocol
LISP Roles & Responsibilities
[Diagram: EID Space sites a.a.a.0/24, b.b.b.0/24, c.c.c.0/24 and d.d.0.0/16, each behind an xTR; an ITR; a Non-LISP site; and the Map System.]
• EID to RLOC Mappings, held in the Map System (the ITR map-cache holds a subset of the same entries):
    EID            RLOC
    a.a.a.0/24     w.x.y.1
    b.b.b.0/24     x.y.w.2
    c.c.c.0/24     z.q.r.5
    d.d.0.0/16     z.q.r.5
• Can be distributed across
Non-LISP routing carries only Prefix / Next-hop entries for the RLOCs:
    Prefix         Next-hop
    w.x.y.1        e.f.g.h
    x.y.w.2        e.f.g.h
Locator / ID Separation Protocol
Map Register & Resolution
[Diagram: the ETRs at the Campus site hold the Database Mapping Entry 10.2.0.0/16 (2.1.1.1, 2.1.2.1) and the ETRs at the DC site hold 10.3.0.0/16 (3.1.1.1, 3.1.2.1); each registers its entry with the Mapping System. The Branch site's Map-Request for a Campus EID is answered with the Map-Reply 10.2.0.0/16 (2.1.1.1, 2.1.2.1).]
Locator / ID Separation Protocol
Map Database Clustering (Redundancy)
[Diagram: the same sites, Database Mapping Entries and Map-Reply as on the previous slide, with the Map Database clustered for redundancy.]
Locator / ID Separation Protocol
How does LISP operate?
[Diagram with steps numbered 1 to 5: source S (10.1.0.1) in the Branch site 10.1.0.0/24, behind ITR 1.1.1.1, sends to destination D (10.2.0.1) in the Campus site 10.2.0.0/24; a Non-LISP site with a PXTR and the DC site 10.3.0.0/24 are also shown.]
DNS Entry: D.abc.com A 10.2.0.1
Mapping Entry (from the Mapping System):
    EID-prefix: 10.2.0.0/24
    Locator-set:
        2.1.1.1, priority: 1, weight: 50 (D1)
        2.1.2.1, priority: 1, weight: 50 (D2)
Path Preference is Controlled by the Destination Site (priority and weight of each locator).
Locator / ID Separation Protocol
Forwarding from outside a LISP Domain
[Diagram with steps numbered 2 to 5: a Non-LISP source S (192.3.0.1) in the IP Network sends to D (10.2.0.1) in the Campus site 10.2.0.0/24. The packet reaches the PXTR (4.4.4.4), which asks the Mapping System for EID-Prefix 10.2.0.0/24 and its Locator-Set, then encapsulates the 192.3.0.1 -> 10.2.0.1 packet with outer addresses 4.4.4.4 -> 2.1.2.1. Other locators shown: 5.1.1.1, 5.2.2.2, 5.3.3.3; DC site 10.3.0.0/24.]
Locator / ID Separation Protocol
Host Mobility – Dynamic EID Migration
Mapping Database:
    10.10.0.0/16 – 12.0.0.1
    10.17.0.0/16 – 12.1.1.1
    10.18.0.0/16 – 12.2.2.1
    10.17.1.10/32 – 12.1.1.1
    10.17.1.10/32 – 12.2.2.1
Map Register: EID: 10.17.1.10/32, RLOC: 12.1.1.1
[Diagram: host 10.17.1.10 moves from Campus Bldg 1 (10.17.1.0/24) to Campus Bldg 2 (10.18.1.0/24); source S in DC1 (10.10.10.0/24), behind xTRs 1.1.1.1, 2.1.1.1 and 3.1.1.1, sends to D; the /32 dynamic EID is registered with the Mapping System from the host's new location.]
Locator / ID Separation Protocol
Host Mobility – Refreshing Map-Cache
1. ITRs / PITRs with cached mappings continue to send encapsulated traffic to the old RLOCs, until updated
2. Old ETR sends Solicit Map Request (SMR) messages to any ITRs / PITRs sending traffic to its RLOC for a dynamic EID no longer present (data-triggered)
[Diagram: host 10.17.1.10 has moved from Campus Bldg 1 (10.17.1.0/24, xTRs 12.1.1.1 and 12.1.1.2) to Campus Bldg 2 (10.18.1.0/24, xTRs 12.2.2.1 and 12.2.2.2) across the IP Network; steps 1, 2 and 4 are marked on the diagram.]
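The control-plane sequence on the LISP slides above (Map-Register, Map-Request / Map-Reply with longest-prefix match, the ITR map-cache, the /32 dynamic-EID registration after a move, and the data-triggered SMR that refreshes a stale cache) as an added Python model. This is not Cisco's code or any real LISP implementation; it reuses the slides' prefixes and RLOCs, and the `serves_eid` check standing in for the old ETR's "EID no longer present" test is an assumption of this example.

```python
"""Toy model of the LISP control plane on the preceding slides: map-register,
map-request / map-reply with longest-prefix match, an ITR map-cache, dynamic-EID
migration and the data-triggered Solicit Map Request (SMR).
Added example, not Cisco's code; the prefixes and RLOCs are the slides' own."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Locator:
    rloc: str
    priority: int = 1   # lower value is preferred
    weight: int = 50    # load share among equal-priority locators


class MapServer:
    """Mapping database: EID-prefix -> locator-set."""

    def __init__(self):
        self.db = {}  # ipaddress.IPv4Network -> tuple[Locator, ...]

    def map_register(self, eid_prefix, locators):
        """Map-Register from an ETR (or a /32 dynamic-EID from a new xTR)."""
        self.db[ipaddress.ip_network(eid_prefix)] = tuple(locators)

    def map_request(self, eid):
        """Map-Reply: longest-prefix match; None models a negative reply (non-LISP)."""
        addr = ipaddress.ip_address(eid)
        matches = [net for net in self.db if addr in net]
        if not matches:
            return None
        best = max(matches, key=lambda net: net.prefixlen)
        return best, self.db[best]


def serves_eid(ms, etr_rloc, eid):
    """ETR-side test behind the data-triggered SMR (an assumption of this model):
    is this EID still registered behind my RLOC? If not, traffic arriving for it
    is stale and an SMR goes out to the sender."""
    reply = ms.map_request(eid)
    return reply is not None and any(loc.rloc == etr_rloc for loc in reply[1])


class ITR:
    """Ingress tunnel router holding a map-cache."""

    def __init__(self, ms):
        self.ms = ms
        self.cache = {}  # prefix -> locator-set, filled from Map-Replies

    def resolve(self, dst_eid):
        addr = ipaddress.ip_address(dst_eid)
        for net, locs in self.cache.items():
            if addr in net:          # cache hit: no Map-Request is sent
                return locs
        reply = self.ms.map_request(dst_eid)
        if reply is None:
            return None
        net, locs = reply
        self.cache[net] = locs
        return locs

    def encap_target(self, dst_eid):
        """Outer-header RLOC: lowest priority value, then highest weight
        (the 'path preference controlled by the destination site' on the slides)."""
        locs = self.resolve(dst_eid)
        if not locs:
            return None
        return min(locs, key=lambda loc: (loc.priority, -loc.weight)).rloc

    def solicit_map_request(self, eid):
        """SMR received from the old ETR: drop cache entries covering the EID and
        re-resolve, so the next packet is encapsulated to the new RLOC."""
        addr = ipaddress.ip_address(eid)
        for net in [net for net in self.cache if addr in net]:
            del self.cache[net]
        return self.encap_target(eid)


def mobility_scenario():
    """Replays the Bldg 1 -> Bldg 2 move from the slides; returns the RLOC the ITR
    encapsulates to before the move, while its cache is stale, and after the SMR."""
    ms = MapServer()
    ms.map_register("10.10.0.0/16", [Locator("12.0.0.1")])
    ms.map_register("10.17.0.0/16", [Locator("12.1.1.1")])   # Campus Bldg 1 xTR
    ms.map_register("10.18.0.0/16", [Locator("12.2.2.1")])   # Campus Bldg 2 xTR
    itr = ITR(ms)
    before = itr.encap_target("10.17.1.10")                  # 12.1.1.1 via the /16
    # Host 10.17.1.10 moves to Bldg 2; its new xTR registers a /32 dynamic EID.
    ms.map_register("10.17.1.10/32", [Locator("12.2.2.1")])
    stale = itr.encap_target("10.17.1.10")                   # step 1: still 12.1.1.1
    after = stale
    if not serves_eid(ms, stale, "10.17.1.10"):              # step 2: old ETR sends SMR
        after = itr.solicit_map_request("10.17.1.10")        # now 12.2.2.1
    return before, stale, after


if __name__ == "__main__":
    print(mobility_scenario())
```

The point the model makes visible is step 1 of the slide: a cache hit on the /16 suppresses any Map-Request, so the ITR keeps encapsulating to 12.1.1.1 after the /32 has been registered, and only the SMR from the old ETR (or cache expiry) corrects it.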
Locator / ID Separation Protocol (LISP)
Would you like to know more?
Suggested Reading:
BRKRST-3045 - LISP - A Next Generation Networking Architecture
BRKRST-3047 - Troubleshooting LISP
BRKCRS-3510 - LISP in Campus Networks
Other References:
Cisco LISP Site http://lisp.cisco.com
Cisco LISP Marketing Site http://www.cisco.com/go/lisp/
LISP Beta Network Site http://www.lisp4.net or http://www.lisp6.net
IETF LISP Working Group http://tools.ietf.org/wg/lisp/
Fundamentals of LISP https://www.youtube.com/watch?v=lKrV1qB8uqA
Technical Overview
How does it work?
Locator / ID Separation Protocol | VXLAN Encapsulation | Cisco TrustSec
Cisco TrustSec
Traditional segmentation is extremely complex
Enforcement: IP Based Policies - ACLs, Firewall Rules. The slide shows the kind of address-based rules that accumulate:
    access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165
    access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428
    access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511
    access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945
    access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116
    access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959
    access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993
    access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848
    access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878
    access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216
    access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111
    access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175
    access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
    access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
Propagation: Carry “Segment” context through the network using VLAN, IP address, VRF.
Classification: Static or Dynamic VLAN assignments.
Limits of Traditional Segmentation:
• Security Policy based on Topology (Address)
• High cost and complex maintenance
[Diagram: Applications behind the Enterprise Backbone; Aggregation Layer carrying Static ACL, VACL, Routing, Redundancy, DHCP Scope, Address, VLAN; Access Layer with Non-Compliant, Voice, Employee, Supplier and BYOD endpoints.]
Cisco TrustSec
Simplified segmentation with Group Based Policy
Enforcement: Group Based Policies - ACLs, Firewall Rules, applied on the DC Switch or Firewall in front of the Shared Services and Application Servers. The DC switch receives policy for only what is connected.
Propagation: Carry “Group” context through the network using only the SGT.
Classification: Static or Dynamic SGT assignments from ISE: Employee Tag, Supplier Tag, Non-Compliant Tag.
[Diagram: Campus Switches with Non-Compliant, Employee and Voice endpoints in VLAN A and Voice, Employee, Supplier and Non-Compliant endpoints in VLAN B, across the Enterprise Backbone to the DC switch.]
Cisco Trust Security
Identity Services Engine enables CTS
NDAC (Network Device Admission Control): NDAC authenticates Network Devices for a trusted CTS domain.
Cisco ISE centrally defines:
• Scalable Group Tags: SGT & SGT Names (Endpoint ID Groups), for example 3: Employee, 4: Contractors, 8: PCI_Servers, 9: App_Servers
• Scalable Group ACL (SGACL): the SGT & Name Table and the Sources x Destinations policy matrix
[Diagram: SGACL matrix with Sources as rows and Destinations as columns, permit (✓) / deny (✕) cells as shown: ✕✓✕✓✓✓ / ✓✓✕✓✕✕ / ✕✓✓✕✕✕]
Cisco Trust Security
Two ways to assign SGT
[Diagram: Campus Access, Distribution and Core; Enterprise Backbone; DC Core and DC Access. MAB is shown at the Campus Access layer.]
Cisco Trust Security
Ingress Classification with Egress Enforcement
[Diagram: User Authenticated at the access switch = Classified as Marketing (5). Destination Classification on the DC switch: CRM: SGT 20, Web: SGT 30. At egress, FIB Lookup = Destination MAC = SGT 20, and the SGACL cell for (source SGT, destination SGT) is applied.]
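The ingress-classification / egress-enforcement flow on this slide, together with the address-based policy it replaces on the "Traditional segmentation" slide, as an added Python model. This is not Cisco's code. The SGT numbers and names are the slide's (Marketing = 5, CRM = 20, Web = 30); the subnets, host addresses and the two policy cells are constructed for the example, and the IP-to-SGT bindings stand in for the "FIB lookup" step.

```python
"""Toy model of ingress classification with egress enforcement: the access switch
classifies the user into an SGT, the DC switch resolves the destination's SGT
from its IP-to-SGT bindings and applies the SGACL cell for (source SGT,
destination SGT). Added example, not Cisco's code. SGT numbers and names are
the slide's (Marketing = 5, CRM = 20, Web = 30); subnets, hosts and the policy
cells are constructed."""
from ipaddress import ip_address, ip_network

SGT_NAMES = {5: "Marketing", 20: "CRM", 30: "Web"}

# Static IP-to-SGT bindings on the DC switch (constructed subnets).
DEST_BINDINGS = {
    ip_network("10.50.20.0/24"): 20,  # CRM servers
    ip_network("10.50.30.0/24"): 30,  # Web servers
}

# SGACL matrix cells: (source SGT, destination SGT) -> permitted TCP ports.
# Constructed policy: Marketing reaches Web on 443 only and nothing on CRM.
SGACL = {
    (5, 30): {443},
    (5, 20): set(),
}


def classify_destination(dst_ip):
    """Egress-side 'FIB lookup': destination address -> destination SGT."""
    addr = ip_address(dst_ip)
    for net, sgt in DEST_BINDINGS.items():
        if addr in net:
            return sgt
    return None  # no binding: no matrix cell applies and the default is deny


def egress_decision(src_sgt, dst_ip, dst_port):
    """Enforcement at the DC switch. src_sgt arrives with the frame (inline tag
    or SXP), so the decision never looks at the source address."""
    dst_sgt = classify_destination(dst_ip)
    permitted = SGACL.get((src_sgt, dst_sgt), set())
    return "permit" if dst_port in permitted else "deny"


def expand_to_ip_acl(marketing_hosts):
    """The same two policy cells written as address-based ACEs, one per source
    host and cell: the list that must be regenerated whenever a host's address
    changes, which the SGACL matrix above never needs."""
    aces = []
    by_sgt = {sgt: net for net, sgt in DEST_BINDINGS.items()}
    for host in marketing_hosts:
        for (_src_sgt, dst_sgt), ports in SGACL.items():
            net = by_sgt[dst_sgt]
            wildcard = f"{net.network_address} {net.hostmask}"
            if ports:
                for port in sorted(ports):
                    aces.append(f"permit tcp host {host} {wildcard} eq {port}")
            else:
                aces.append(f"deny ip host {host} {wildcard}")
    return aces


if __name__ == "__main__":
    print(egress_decision(5, "10.50.30.10", 443))   # permit
    print(egress_decision(5, "10.50.20.10", 443))   # deny
    for ace in expand_to_ip_acl(["10.10.5.1", "10.10.5.2"]):
        print("access-list 102", ace)
```

Two cells in the matrix become two ACEs per Marketing host in the address-based form, and every host move or re-addressing invalidates them; with the tag carried in the frame, the same two cells hold no matter where the user authenticates.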
Cisco Trust Security
SGT Propagation & Enforcement Options
[Diagram: User > Switch > Switch > Router > Router > Firewall > DC Switch > Server across heterogeneous L2 / L3 networks and the WAN, with SXP shown at two points along the path.]
Cisco Trust Security (CTS)
Would you like to know more?
Suggested Reading:
BRKCRS-2891 - Enterprise Network Segmentation with Cisco TrustSec
BRKSEC-2203 - Intermediate - Enabling TrustSec Software-Defined Segmentation
BRKSEC-2044 - Building an Enterprise Access Control Architecture Using ISE and TrustSec
Other References:
Cisco TrustSec Marketing Site http://www.cisco.com/go/trustsec/
Cisco TrustSec Config Guide cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec.html
CTS Architecture Overview cisco.com/docs/switches/lan/trustsec/configuration/guide/trustsec/arch_over.html
CTS 2.0 Design Guide cisco.com/td/docs/solutions/Enterprise/Security/TrustSec_2-0/trustsec_2-0_dig.pdf
Fundamentals of TrustSec https://www.youtube.com/watch?v=78-GV7Pz18I
Technical Overview
How does it work?
Locator / ID Separation Protocol | VXLAN Encapsulation | Cisco TrustSec
Data-Plane Overview
Fabric Header Encapsulation
[Diagram: Outer header, Fabric (Encap) header, Inner packet]
Fabric Data-Plane provides the following:
• Underlay address advertisement & mapping
• Automatic tunnel setup (Virtual Tunnel End-Points)
• Frame encapsulation between Routing Locators
LISP and VXLAN encapsulation are nearly the same, with different fields & payload:
• LISP header carries IP payload (IP in IP)
• VXLAN header carries MAC payload (MAC in IP)
Encap is triggered by LISP Control-Plane events:
• ARP or NDP Learning on L3 Gateways
• Map-Reply or Cache on Routing Locators
LISP & VXLAN Headers
Similar Format - Different Payload
LISP Header - IP based; VXLAN Header - Ethernet based
[Diagram: both encapsulations stacked as OUTER HEADER, OVERLAY HEADER (UDP destination port 4789 shown for VXLAN) and INNER HEADER.]
VXLAN Header
[Diagram of the encapsulated frame, outer to inner:]
• Outer MAC Header: Next-Hop MAC Address
• Outer IP Header: Source IP (32 bits) = Src RLOC IP Address; Dest. IP (32 bits) = Dst RLOC IP Address; Checksum
• Outer UDP Header: Source Port (16 bits)
• VXLAN Header (8 Bytes): Segment ID (16 bits); VN ID (24 bits), allows 16M possible VRFs; Reserved (8 bits)
• Original Payload
Putting It Together
Where do things go?
Platform Support
Multiple Edge, Border & C-Plane Options
Campus Fabric Config
Control-Plane Nodes
[Topology used for the configuration slides: Control-Plane Node C at 5.1.1.1/32; two fabric nodes with RLOCs 1.1.1.1/32 and 2.1.1.1/32 connected across the IP Network; host subnets 10.1.1.0/24 (gateway 10.1.1.1/24) and 20.1.1.0/24 (gateway 20.1.1.1/24).]
Campus Fabric Config
Edge Nodes (1)
[Same topology as the Control-Plane Nodes slide.]
Campus Fabric Config
Border Nodes
[Same topology, with the border side connecting to 192.1.1.0/24 (192.1.1.1/24) in place of 20.1.1.0/24.]
Campus Fabric Config
Virtual Neighborhoods
[Topology: Control-Plane Node C at 5.1.1.1/32; RLOCs 1.1.1.1/32 and 2.1.1.1/32; host subnets 10.1.1.0/24 (10.1.1.1/24) and 20.1.1.0/24 (20.1.1.1/24).]
• Create new VRFs, and add RD/RT if necessary
• Set LISP to use VXLAN encapsulation
• Create a new LISP Instance ID
• Add a Dynamic EID group and associate it with the per-VRF Instance ID
• Add local prefixes to the Dynamic EID
• overlapping prefixes may require NAT/FW
• non-overlapping prefixes can be advertised natively
Configuration shown on the slide:
    ip vrf RED
    ip vrf BLUE
    ip vrf GREEN
    !
    router lisp
     locator-set campus_fabric
     encapsulation vxlan
     !
     eid-table vrf RED instance-id 10
      dynamic-eid RED_20_1_1_0
       database-mapping 20.1.1.0/24 locator-set campus_fabric
     !
     eid-table vrf BLUE instance-id 11
      dynamic-eid BLUE_20_1_1_0
       database-mapping 20.1.1.0/24 locator-set campus_fabric
     !
     eid-table vrf GREEN instance-id 12
      dynamic-eid GREEN_20_1_1_0
       database-mapping 20.1.1.0/24 locator-set campus_fabric
     exit
Campus Fabric Config
Endpoint ID Groups – Dynamic SGT
[Diagram: Identity Services Engine at 172.26.204.150; edge gateway 20.1.1.1/24; IP Network; host subnets 10.1.1.0/24 and 20.1.1.0/24.]
Campus Fabric Config
Endpoint ID Groups – Static SGT
[Diagram: same topology without the Identity Services Engine.]
Campus Fabric Config
Host Pools – Dynamic Assignment
[Diagram: Identity Services Engine at 172.26.204.150; same topology.]
Campus Fabric Config
Host Pools – Static Assignment
[Diagram: same topology without the Identity Services Engine.]
Campus Fabric - Smart CLI
Provisioning & Troubleshooting Made Simple
Smart CLI
Enable Edge Node services
(config-fabric-auto-domain)# [no] control-plane <ipv4_addr> auth-key <key>
    Exists under (config-fabric-auto-domain) mode. Configures remote control-plane address and authentication key.
(config-fabric-auto-domain)# [no] neighborhood name <name> id <ID>   (OPTIONAL)
    Exists under (config-fabric-auto-domain) mode. Creates a neighborhood by name and ID.
Smart CLI
Enable Control-Plane Node services
(config-fabric-auto-domain)# [no] control-plane self auth-key <key>
    Exists under (config-fabric-auto-domain) mode. Configures local control-plane address and authentication key.
(config-fabric-auto-domain)# [no] host-prefix <prefix> [neighborhood name <name> id <ID>]
    Exists under (config-fabric-auto-domain) mode. Enables c-plane service (per-neighborhood) for the host-prefix. If “neighborhood” is not configured, the default neighborhood is used.
Smart CLI
Border Node Configuration
(config-fabric-auto-domain)# [no] control-plane <ipv4_addr> auth-key <key>
    Exists under (config-fabric-auto-domain) mode. Configures remote control-plane address and authentication key.
(config-fabric-auto-domain)# [no] neighborhood name <name> id <ID>   (OPTIONAL)
    Exists under (config-fabric-auto-domain) mode. Creates a neighborhood by name and ID.
(config-fabric-auto-domain)# [no] host-prefix <prefix> [neighborhood name <name> id <ID>]
    Exists under (config-fabric-auto-domain) mode. Enables border services (per-neighborhood) for the host prefix. If “neighborhood” is not configured, the default neighborhood is used.
Smart CLI – Example
Adding a new Edge Node
Smart CLI – Example
Show Fabric Domain
Campus Fabric - Smart CLI
Provisioning & Troubleshooting Made Simple
More to Come!
• Underlay Network – Configure the Interfaces and Protocols to bring up the Underlay network
• And More…
LIVE DEMO
Take-Away
Session Summary
What to do next?
Continue Your Education