
Evolving your Campus Network with Campus Fabric

Shawn Wargo, Technical Marketing Engineer
BRKCRS-3800

Campus Fabric
Abstract

Is your Campus network facing some, or all, of these challenges?

• Host Mobility (w/o stretching VLANs)
• Network Segmentation (w/o implementing MPLS)
• Role-based Access Control (w/o end-to-end TrustSec)

Using Cisco technologies available today, you can overcome these challenges
and build an “Evolved” Campus Network to better meet your business objectives.

Come to this session to get a deeper insight into the Key Technologies, Designs and
Configurations (e.g. LISP with VXLAN, and TrustSec) that bring this evolution to life!

We highly recommend that attendees already be familiar with: Enterprise Campus Design
(BRKCRS-2031), Locator/ID Separation Protocol (BRKRST-3045), and Cisco Trust Security
(BRKCRS-2891).

BRKCRS-3800 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda

1. Key Benefits - Why do I care?
2. Key Concepts - What is a Fabric?
3. Solution Overview - How does it work?
4. Putting It Together - Where do things go?
5. Take-Away - When to get started?

Key Benefits
Why do I care?
Cisco Digital Network Architecture
Overview

[Figure: Cisco DNA layered architecture. From top to bottom: Network-enabled Applications; Cloud Service Management (Policy | Orchestration; Open APIs | Developers Environment); Principles: Automation (Abstraction & Policy Control from Core to Edge), Analytics (Network Data, Contextual Insights & Assurance), Insights & Experiences; Open & Programmable | Standards-Based; Virtualization; Security & Compliance; Physical & Virtual Infrastructure | App Hosting; Cloud-enabled | Software-delivered.]

Network Enabled Applications
Cisco Digital Network Architecture APIs

[Figure: an Enterprise Controller (Service Definition & Orchestration; Topology / Policy Determination; Analytics; Telemetry; Intent) exposes northbound APIs as GUI, Prescriptive, Customized and Model-based interfaces (UNI) for applications such as Easy QoS, Plug & Play, Path Optimization and Service Instantiation. Southbound, Policy Enforcement Points (PEP) sit in the WAN / Branch, Campus, Data Center and Cloud, with Segmentation 1 / 2 / 3 spanning Branch, WAN Agg, SP, Internet, Int. Acc and Apps; Network Function Virtualization (WAN VNFs, Campus VNFs, DC VNFs, Cloud VNFs) and Service Chaining can be Localized or network-wide. Network Interface (UNI); PEP: Policy Enforcement Point.]

What is Campus Fabric?
Foundational Technologies

[Figure: three pillars under the banner “Driving Innovation Through Technology Investment”.]

Programmable Custom ASICs
• Advanced Functionality: Programmable Pipeline | Flexibility | Recirculation
• Optimized for Campus: Integrated Stacking | Visibility | Security
• Future Proofed: Long Life Cycle | Investment Protection

Converged Software
• Automation and Analytics: Controller | Visible | Programmable | Open
• Virtualization: Campus Fabric | Segmentation | L2 Flexibility
• Designed for Evolution: Strong Foundational Capabilities | HA

Services
• Industry Leading: Wired & Wireless | Stacking | TrustSec | SDN + Network Enabled Applications
• Collaboration | Mobility | IoT | Security

Simplified Provisioning
Provision: Deploy devices using “best practice” configurations from a simple user interface

Simple Segmentation constructs
Segmentation: Security to build Secure boundaries for “users and things”

Wired and Wireless Host Mobility
Mobility: because your address is no longer tied to your location

Network Wide Intelligent Policy Enforcement
Policy based on your identity, not on your address

Key Concepts
What is a Fabric?
What exactly is a Fabric?

A Fabric is an Overlay
An “Overlay” is a logical topology used to virtually connect devices, built
on top of an arbitrary physical “Underlay” topology.
An “Overlay” network often uses alternate forwarding attributes to provide
additional services, not provided by the “Underlay”.

Examples of Network Overlays

• GRE or mGRE
• MPLS or VPLS
• IPSec or DMVPN
• CAPWAP
• LISP
• OTV
• DFA
• ACI

What exactly is a Fabric?
Why Overlays?

Separate the Forwarding Plane from the Services Plane

Simple Transport Forwarding | Flexible Virtual Services

• Physical Devices and Paths
• Intelligent Packet Handling
• Mobility – Track End-points at Edges
• Scalability – Reduce core state
• Distribute state to network edge
• Maximize Network Availability
• Flexibility & Programmability
• Simple and Manageable
• Reduced number of touch points

What exactly is a Fabric?
Overlay Terminology

[Figure: the Overlay Network, with its Overlay Control Plane, runs between Edge Devices, which perform the Encapsulation; Hosts (End-Points) attach to the Edge Devices; the Underlay Network, with its Underlay Control Plane, carries the encapsulated traffic between the Edge Devices.]

What exactly is a Fabric?
Types of Overlays

Hybrid L2 + L3 Overlays offer the Best of Both Worlds

Layer 2 Overlays
• Emulates a LAN segment
• Transport Ethernet Frames (IP & Non-IP)
• Single subnet mobility (L2 domain)
• Exposure to Layer 2 flooding
• Useful in emulating physical topologies

Layer 3 Overlays
• Abstract IP connectivity
• Transport IP Packets (IPv4 & IPv6)
• Full mobility regardless of Gateway
• Contain network related failures (floods)
• Useful to abstract connectivity and policy

What is unique about Campus Fabric?
Key Components – LISP

1. LISP based Control-Plane

[Figure: BEFORE (Routing Protocols = Big Tables & More CPU): IP Address = Location + Identity, so every router carries Topology + Endpoint Routes in its table. AFTER (LISP DB + Cache = Small Tables & Less CPU): Identity is separated from Location; Endpoint Routes are consolidated into the LISP mapping database, and each router keeps Only Local Routes (Topology Routes) with flexible, RLOC-based next-hops. The example table used throughout the slide:]

  Prefix (Endpoint)    Next-hop (RLOC)
  189.16.17.89         171.68.226.120
  22.78.190.64         171.68.226.121
  172.16.19.90         171.68.226.120
  192.58.28.128        171.68.228.121

What is unique about Campus Fabric?
Key Components – VXLAN

1. LISP based Control-Plane
2. VXLAN based Data-Plane

  ORIGINAL PACKET:  ETHERNET | IP | PAYLOAD
  PACKET IN LISP:   ETHERNET | IP | UDP | LISP | IP | PAYLOAD              (supports L3 Overlay)
  PACKET IN VXLAN:  ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD   (supports L2 & L3 Overlay)

What is unique about Campus Fabric?
Key Components – CTS

1. LISP based Control-Plane
2. VXLAN based Data-Plane
3. Integrated Cisco TrustSec
   Virtual Routing & Forwarding + Scalable Group Tagging (VRF + SGT), carried in the VXLAN header:

  ETHERNET | IP | UDP | VXLAN (VRF + SGT) | ETHERNET | IP | PAYLOAD

What is unique about Campus Fabric?
Key Differences

1. LISP based Control-Plane
2. VXLAN based Data-Plane
3. Integrated Cisco TrustSec

Key Differences
• L2 + L3 Overlay -vs- L2 or L3 Only
• Host Mobility with Anycast Gateway
• Adds VRF + SGT into Data-Plane
• Virtual Tunnel Endpoints (No Static)
• No Topology Limitations (Basic IP)

Campus Fabric
New Terminology

• “Control-Plane Node” ≈ “LISP Map-Server”

• “Edge Node” ≈ “LISP Tunnel Router”

• “Border Node” ≈ “LISP Proxy Tunnel Router”

• “Intermediate Node” ≈ “Non-LISP IP Forwarder”

Campus Fabric
Control-Plane Nodes – A Closer Look

Fabric Control-Plane Node is based on a LISP Map Server / Resolver

Runs the LISP Host Tracking Database to provide overlay reachability information

• A simple Host Database, that tracks Endpoint ID to Edge Node bindings, along with other attributes
• Host Database supports multiple Endpoint ID lookup keys (IPv4 /32, IPv6 /128 or MAC)
• Receives prefix registrations from Edge Nodes with local Endpoints
• Resolves lookup requests from remote Edge Nodes, to locate local Endpoints

Campus Fabric
Edge Nodes – A Closer Look

Fabric Edge Node is based on a LISP Tunnel Router

Provides connectivity for Users and Devices connected to the Fabric

• Responsible for Identifying and Authenticating Endpoints
• Registers Endpoint ID information with the Control-Plane Node(s)
• Provides Anycast L3 Gateway for connected Endpoints
• Must encapsulate / decapsulate host traffic to and from Endpoints connected to the Fabric

Campus Fabric
Border Nodes – A Closer Look

Fabric Border Node is based on a LISP Proxy Tunnel Router

All traffic entering or leaving the Fabric goes through this type of node

• Connects traditional L3 networks and / or different Fabric domains to the local domain
• Where two domains exchange Endpoint reachability and policy information
• Responsible for translation of context (VRF & SGT) from one domain to another
• Provides a domain exit point for all Edge Nodes

Campus Fabric Overview
New Terminology

• “Fabric Domain” ≈ “FD” ≈ “LISP Process”

• “Virtual Neighborhood” ≈ “VN” ≈ “LISP Instance” ≈ “VRF”

• “Endpoint ID Group” ≈ “EIG” ≈ “Segment” ≈ “SGT”

• “Host Pool” ≈ “Dynamic EID” ≈ “VLAN + IP Subnet”

Campus Fabric
Virtual Neighborhoods – A Closer Look

Virtual Neighborhood is based on Virtual Routing & Forwarding (VRF)

Maintains a separate Routing & Switching instance for each Virtual Neighborhood

• LISP uses Instance ID to maintain independent VRF topologies (“Default” VRF is Instance ID “0”)
• LISP adds VNID to the LISP / VXLAN encapsulation
• Endpoint ID prefixes (Host Pools) are advertised within one (or more) LISP Instance IDs
• Uses normal “vrf definition” configuration, along with RD & RT for remote advertisement (Border Node)

[Figure: three Virtual Neighborhoods, VN “A”, VN “B” and VN “C”, each a separate routing instance.]

Campus Fabric
Endpoint ID Groups – A Closer Look

Endpoint ID Group is based on a Scalable Group Tag (SGT)

Each User or Device is assigned to a unique Endpoint ID Group (EIG)

• CTS uses Endpoint ID “Groups” to assign a unique Scalable Group Tag (SGT) to Host Pools
• LISP adds SGT to the LISP / VXLAN encapsulation
• CTS EIGs are used to manage address-independent “Group-Based Policies”
• Individual Edge & Border Nodes use SGT to enforce local Scalable Group ACLs (SGACLs)

[Figure: EIG 1 to EIG 9, arranged in three groups (EIG 1 with 2 and 3; EIG 4 with 5 and 6; EIG 7 with 8 and 9).]

Campus Fabric
Host Pools – A Closer Look

Host Pool is based on an IP Subnet + VLAN ID

Provides the basic IP constructs, including “Anycast Gateway” for each Host Pool

• Edge Nodes maintain a Switch Virtual Interface (SVI), with IP Subnet, Gateway IP, etc. for each Host Pool
• LISP uses Dynamic EID to advertise each Host Pool (within each Instance ID)
• LISP Dynamic EID allows Host-specific (/32, /128, MAC) advertisement and mobility
• Host Pools can either be assigned Statically (per port) or Dynamically (using Host Authentication)

[Figure: Pool 1 to Pool 9, arranged in three groups (Pool 1 with 2 and 3; Pool 4 with 5 and 6; Pool 7 with 8 and 9).]

Technical Overview
How does it work?

Locator / ID Separation Protocol | VXLAN Encapsulation | Cisco TrustSec

Locator / ID Separation Protocol
Location and Identity Separation

Traditional Behavior - Location + ID are “Combined”
The Device IPv4 or IPv6 Address represents both Identity and Location. When the Device moves across the IP core, it gets a new IPv4 or IPv6 Address (10.1.0.1 becomes 20.2.0.9) for its new Identity and Location.

Overlay Behavior - Location & ID are “Separated”
The Device IPv4 or IPv6 Address represents Identity only. When the Device moves, it keeps the same IPv4 or IPv6 Address (10.1.0.1): it has the Same Identity, and Only the Location Changes.

Locator / ID Separation Protocol
LISP Mapping System

LISP “Mapping System” is analogous to a DNS lookup

‒ DNS resolves IP Addresses for queried Name: answers the “WHO IS” question
  Host -> DNS Server:  [ Who is lisp.cisco.com ] ?
  DNS Server -> Host:  [ Address is 153.16.5.29, 2610:D0:110C:1::3 ]
  (DNS: Name -to- IP, URL Resolution)

‒ LISP resolves Locators for queried Identities: answers the “WHERE IS” question
  LISP Router -> LISP Map System:  [ Where is 2610:D0:110C:1::3 ] ?
  LISP Map System -> LISP Router:  [ Locator is 128.107.81.169, 128.107.81.170 ]
  (LISP: ID -to- Locator, Map Resolution)

Locator / ID Separation Protocol
LISP Roles & Responsibilities

Map Server / Resolver
• EID to RLOC Mappings
• Can be distributed across multiple LISP devices

Tunnel Router - XTR
• Edge Devices Encap / Decap
• Ingress / Egress (ITR / ETR)

Proxy Tunnel Router - PXTR
• Connects between LISP and non-LISP domains
• Ingress / Egress (PITR / PETR)

EID Space
• EID = End-point Identifier
• Host Address or Subnet

RLOC Space
• RLOC = Routing Locator
• Local Router Address

[Figure: the EID-to-RLOC table (a.a.a.0/24 -> w.x.y.1; b.b.b.0/24 -> x.y.w.2; c.c.c.0/24 -> z.q.r.5; d.d.0.0/16 -> z.q.r.5) is shown at the Map Server / Resolver and beside the ITR and ETR; the PXTR at the Non-LISP boundary holds only a Prefix / Next-hop table for the RLOC space (w.x.y.1, x.y.w.2 and z.q.r.5 each -> e.f.g.h).]

Locator / ID Separation Protocol
Map Register & Resolution

[Figure: a Branch ITR; Campus ETRs with RLOCs 2.1.1.1 and 2.1.2.1 in front of 10.2.0.0/16; DC ETRs with RLOCs 3.1.1.1 and 3.1.2.1 in front of 10.3.0.0/16; Map Server / Resolver at 5.1.1.1.]

Database Mapping Entry (on ETR), Campus:  10.2.0.0/16 -> (2.1.1.1, 2.1.2.1)
Database Mapping Entry (on ETR), DC:      10.3.0.0/16 -> (3.1.1.1, 3.1.2.1)
Map-Reply (Map Server / Resolver to ITR):  10.2.0.0/16 -> (2.1.1.1, 2.1.2.1)
Mapping Cache Entry (on ITR):              10.2.0.0/16 -> (2.1.1.1, 2.1.2.1)

Locator / ID Separation Protocol
Map Database Clustering (Redundancy)

• No Synchronization Between Map Servers
• ETRs Must Register with All Map Servers
• ITRs Anycast Map Requests

[Figure: same topology as the previous slide, with a Mapping DB Node Cluster of two Map Servers, 5.1.1.1 and 5.2.2.2, reached through Map Resolver address 9.9.9.9 (Anycast).]

Database Mapping Entry (on ETR), Campus:  10.2.0.0/16 -> (2.1.1.1, 2.1.2.1)
Database Mapping Entry (on ETR), DC:      10.3.0.0/16 -> (3.1.1.1, 3.1.2.1)
Map-Reply:                                 10.2.0.0/16 -> (2.1.1.1, 2.1.2.1)
Mapping Cache Entry (on ITR):              10.2.0.0/16 -> (2.1.1.1, 2.1.2.1)

Locator / ID Separation Protocol
How does LISP operate?

[Figure: source S (10.1.0.1) in the Branch site 10.1.0.0/24 behind ITR 1.1.1.1; Campus site 10.2.0.0/24 behind ETRs 2.1.1.1 and 2.1.2.1; DC site 10.3.0.0/24 behind ETRs 3.1.1.1 and 3.1.2.1; Mapping System nodes 5.1.1.1 and 5.2.2.2; a PXTR and node 5.3.3.3 toward the Non-LISP network; destination D (10.2.0.1).]

1. DNS Entry: D.abc.com A 10.2.0.1
2. S sends the packet 10.1.0.1 -> 10.2.0.1 to the ITR
3. Mapping Entry returned by the Mapping System:
     EID-prefix: 10.2.0.0/24
     Locator-set:
       2.1.1.1, priority: 1, weight: 50 (D1)
       2.1.2.1, priority: 1, weight: 50 (D2)
   Path Preference Controlled by Destination Site
4. The ITR encapsulates across the IP Network: outer 1.1.1.1 -> 2.1.1.1, inner 10.1.0.1 -> 10.2.0.1
5. The ETR decapsulates and delivers 10.1.0.1 -> 10.2.0.1 to D

Locator / ID Separation Protocol
Forwarding from outside a LISP Domain

[Figure: source S (192.3.0.1) in the Non-LISP network; PXTR 4.4.4.4 at the boundary; Campus site 10.2.0.0/24 behind ETRs 2.1.1.1 and 2.1.2.1; DC site 10.3.0.0/24 behind ETRs 3.1.1.1 and 3.1.2.1; Mapping System nodes 5.1.1.1 and 5.2.2.2, plus 5.3.3.3; destination D (10.2.0.1).]

1. DNS Entry: D.abc.com A 10.2.0.1
2. S sends 192.3.0.1 -> 10.2.0.1, which reaches the PXTR
3. Mapping Entry returned by the Mapping System:
     EID-Prefix: 10.2.0.0/24
     Locator-Set:
       2.1.1.1, priority: 1, weight: 50 (D1)
       2.1.2.1, priority: 1, weight: 50 (D2)
4. The PXTR encapsulates across the IP Network: outer 4.4.4.4 -> 2.1.2.1, inner 192.3.0.1 -> 10.2.0.1
5. The ETR decapsulates and delivers 192.3.0.1 -> 10.2.0.1 to D

Locator / ID Separation Protocol
Host Mobility – Dynamic EID Migration

[Figure: host 10.17.1.10 (S) moves from Campus Bldg 1 (10.17.1.0/24, behind xTRs 12.1.1.1 / 12.1.1.2) to Campus Bldg 2 (10.18.1.0/24, behind xTRs 12.2.2.1 / 12.2.2.2); DC1 (10.10.10.0/24, D) sits behind xTRs 12.0.0.1 / 12.0.0.2; Mapping System nodes 1.1.1.1, 2.1.1.1 and 3.1.1.1; steps 1 to 5 are marked on the diagram. Map Register shown: EID 10.17.1.10/32, RLOC 12.1.1.1.]

Mapping Database:
  10.10.0.0/16 – 12.0.0.1
  10.17.0.0/16 – 12.1.1.1
  10.18.0.0/16 – 12.2.2.1
  10.17.1.10/32 – 12.1.1.1   (host EID entry before the move)
  10.17.1.10/32 – 12.2.2.1   (host EID entry after the move)

Routing Table, Bldg 1 xTR (12.1.1.1):
  10.17.1.0/24 – Local
  10.17.1.10/32 – Local, replaced by 10.17.1.10/32 – LISP0 once the host has moved

Routing Table, Bldg 2 xTR (12.2.2.1):
  10.18.0.0/24 – Local
  10.17.1.0/24 – LISP0
  10.17.1.10/32 – Local

Locator / ID Separation Protocol
Host Mobility – Refreshing Map-Cache

1. ITRs / PITRs with cached mappings continue to send encapsulated traffic to the old RLOCs, until updated
2. Old ETR sends Solicit Map Request (SMR) messages to any ITRs / PITRs sending traffic to its RLOC for a dynamic EID no longer present (data-triggered)
3. SMR causes the ITR / PITR to initiate a new Map-Request / Reply process
4. New ETR sends Map-Reply to update ITR / PITR map-cache with new location
5. Traffic now flows to the SAME HOST at its NEW location

[Figure: same topology as the previous slide; the source S is now in DC1 behind xTRs 12.0.0.1 / 12.0.0.2 and the destination D is host 10.17.1.10, which has moved from Campus Bldg 1 to Campus Bldg 2; steps 1 to 4 are marked on the diagram.]

Map Cache (on the DC1 ITR / PITR):
  10.17.0.0/16 – 12.1.1.1
  10.18.0.0/16 – 12.2.2.1
  10.17.1.10/32 – 12.1.1.1   (stale entry, step 1)
  10.17.1.10/32 – 12.2.2.1   (after the Map-Reply, step 4)

Locator / ID Separation Protocol (LISP)
Would you like to know more?

Suggested Reading:
BRKRST-3045 - LISP - A Next Generation Networking Architecture
BRKRST-3047 - Troubleshooting LISP
BRKCRS-3510 - LISP in Campus Networks

Other References:
Cisco LISP Site http://lisp.cisco.com
Cisco LISP Marketing Site http://www.cisco.com/go/lisp/
LISP Beta Network Site http://www.lisp4.net or http://www.lisp6.net
IETF LISP Working Group http://tools.ietf.org/wg/lisp/
Fundamentals of LISP https://www.youtube.com/watch?v=lKrV1qB8uqA

Technical Overview
How does it work?

Locator / ID Separation Protocol | VXLAN Encapsulation | Cisco TrustSec

Cisco TrustSec
Traditional segmentation is extremely complex

Enforcement: IP Based Policies - ACLs, Firewall Rules in front of the Applications, for example:
  access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165
  access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428
  access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511
  access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945
  access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116
  access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959
  [the slide fills the screen with further entries of this kind]

Propagation: Carry “Segment” context through the network (Enterprise Backbone, Aggregation Layer) using VLAN, IP address, VRF

Classification: Static or Dynamic VLAN assignments at the Access Layer (Non-Compliant / Quarantine VLAN, Voice VLAN, Employee / Data VLAN, Supplier / Guest VLAN, BYOD VLAN)

Limits of Traditional Segmentation:
• Security Policy based on Topology (Address)
• High cost and complex maintenance
Per-VLAN items shown: Static ACL, VACL, Routing, Redundancy, DHCP Scope, Address, VLAN

Cisco TrustSec
Simplified segmentation with Group Based Policy

Enforcement: Group Based Policies - ACLs, Firewall Rules, enforced on the DC Switch or Firewall in front of the Shared Services and Application Servers; the DC switch receives policy for only what is connected

Propagation: Carry “Group” context through the network (Enterprise Backbone) using only SGT

Classification: Static or Dynamic SGT assignments on the Campus Switch, driven by ISE (Employee Tag, Supplier Tag, Non-Compliant Tag); endpoints of different roles (Employee, Voice, Supplier, Non-Compliant) sit together in VLAN A and VLAN B

Cisco Trust Security
Identity Services Engine enables CTS

NDAC - Network Device Admission Control: NDAC authenticates Network Devices for a trusted CTS domain

Scalable Group Tags - Centrally defined Endpoint ID Groups (SGT & SGT Names), for example:
  3: Employee
  4: Contractors
  8: PCI_Servers
  9: App_Servers

Scalable Group ACL - SGACL - Name Table: Policy matrix (Sources x Destinations) to be pushed down to the network devices

[Figure: Cisco ISE in the centre; the policy matrix is drawn as a grid of permit (✓) / deny (✕) cells per Source SGT and Destination SGT; the SGACL name table is pushed to the network devices.]

ISE dynamically authenticates endpoint users and devices, and assigns SGTs: 802.1X Dynamic SGT Assignment, Static SGT Assignment, and Rogue Device(s).

Cisco Trust Security
Two ways to assign SGT

Dynamic Classification (Campus Access layer and WLC, e.g. MAB)

Static Classification (Distribution, Core, DC Core, DC Access, Firewall, Hypervisor SW):
• L3 Interface (SVI) to SGT
• L2 Port to SGT
• VLAN to SGT
• Subnet to SGT
• VM (Port Profile) to SGT

Cisco Trust Security
Ingress Classification with Egress Enforcement

[Figure: path Cat3850 (access) -> Cat6800 -> Cat6800 (Enterprise Backbone) -> Nexus 7000 -> Nexus 5500 -> Nexus 2248 toward the CRM and Web servers; a WLC5508 also attaches at the access layer.]

Ingress: User Authenticated = Classified as Marketing (5). The frame leaves the access switch as SRC: 10.1.10.220, DST: 10.1.100.52, SGT: 5 and carries SGT 5 across the Enterprise Backbone.

Destination Classification (at the DC switch): FIB Lookup = Destination MAC = SGT 20
  CRM: SGT 20   (DST: 10.1.100.52, SGT: 20)
  Web: SGT 30   (DST: 10.1.200.100, SGT: 30)

Egress Enforcement (SGACL):

  SRC \ DST        CRM (20)   Web (30)
  Marketing (5)    Permit     Deny
  BYOD (7)         Deny       Permit

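The egress decision on this slide, written out as a small Python enforcement routine. This is an added example and not Cisco code: the tags, server addresses and the 2x2 matrix are the slide's, while the FIB prefixes that map destinations to SGT 20 and SGT 30, the sample flows and the fail-closed default are constructed for the example. The last function ties back to the "traditional segmentation" slide by counting how many per-host IP rules the same matrix replaces.

```python
"""Egress SGACL enforcement for the slide's scenario (added example, not
Cisco code). A user authenticated at the access switch is classified as
Marketing (SGT 5) and the tag travels with the frame; at the DC switch the
destination SGT comes from a FIB lookup (CRM servers carry SGT 20, Web
servers SGT 30) and the SGACL matrix decides. Tags, addresses and the
matrix are the slide's values; FIB prefixes and sample flows are constructed.
"""
from ipaddress import ip_address, ip_network

SGT_NAMES = {5: "Marketing", 7: "BYOD", 20: "CRM", 30: "Web"}

# Destination classification: prefix -> SGT, as the egress switch holds it.
FIB_SGT = {ip_network("10.1.100.0/24"): 20, ip_network("10.1.200.0/24"): 30}

# SGACL matrix (Source SGT, Destination SGT) -> verdict, copied from the slide.
SGACL = {(5, 20): "permit", (5, 30): "deny", (7, 20): "deny", (7, 30): "permit"}


def destination_sgt(dst_ip):
    """Longest-prefix FIB lookup of the destination's group tag."""
    host = ip_address(dst_ip)
    hits = [p for p in FIB_SGT if host in p]
    return FIB_SGT[max(hits, key=lambda p: p.prefixlen)] if hits else None


def enforce(src_sgt, dst_ip, default="deny"):
    """Return (verdict, dst_sgt). Pairs missing from the matrix and
    destinations without a tag fall back to the default (deny here)."""
    dst_sgt = destination_sgt(dst_ip)
    if dst_sgt is None:
        return default, None
    return SGACL.get((src_sgt, dst_sgt), default), dst_sgt


# Constructed tagged flows as seen at the DC switch: (src IP, dst IP, src SGT)
SAMPLE_FLOWS = [
    ("10.1.10.220", "10.1.100.52", 5),   # Marketing -> CRM
    ("10.1.10.220", "10.1.200.100", 5),  # Marketing -> Web
    ("10.1.10.231", "10.1.100.52", 7),   # BYOD -> CRM
    ("10.1.10.231", "10.1.200.100", 7),  # BYOD -> Web
    ("10.1.10.240", "10.9.9.9", 7),      # BYOD -> destination with no tag
]


def run(flows=SAMPLE_FLOWS):
    """Evaluate each flow; returns (source group, destination group, verdict)."""
    out = []
    for _src, dst, sgt in flows:
        verdict, dst_sgt = enforce(sgt, dst)
        out.append((SGT_NAMES.get(sgt, str(sgt)),
                    SGT_NAMES.get(dst_sgt, "untagged"), verdict))
    return out


def ip_rules_replaced(group_sizes):
    """Number of per-host IP ACEs the group matrix stands in for, given the
    member count of each group (the cost the previous slide illustrates)."""
    return sum(group_sizes[s] * group_sizes[d] for s, d in SGACL)
```

A destination that has no SGT binding is denied rather than permitted; an egress switch that defaulted to permit would silently let tagged traffic through to any server whose subnet was never classified, so that default is the part of this table worth auditing first.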
Cisco Trust Security
SGT Propagation & Enforcement Options

Heterogeneous WAN (L2 / L3 Networks): User - Switch - Switch - Router - Router - Firewall - DC Switch - Server
  Classification at the user-facing switch and at the DC switch; SGT over Fabric on the campus and DC L2 / L3 Networks; SXP across the WAN; SGFW enforcement on the Firewall.

TrustSec Capable WAN (GETVPN, DMVPN): User - Switch - Switch - Router - Router - Firewall - DC Switch - Server
  Classification at both ends; SGT over Fabric on the L2 / L3 Networks and SGT over VPN across the WAN; SGACL enforcement on the Switches and Routers, SGFW on the Firewall, SGACL on the DC Switch.

Cisco Trust Security (CTS)
Would you like to know more?

Suggested Reading:
BRKCRS-2891 - Enterprise Network Segmentation with Cisco TrustSec
BRKSEC-2203 - Intermediate - Enabling TrustSec Software-Defined Segmentation
BRKSEC-2044 - Building an Enterprise Access Control Architecture Using ISE and TrustSec

Other References:
Cisco TrustSec Marketing Site http://www.cisco.com/go/trustsec/
Cisco TrustSec Config Guide cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec.html
CTS Architecture Overview cisco.com/docs/switches/lan/trustsec/configuration/guide/trustsec/arch_over.html
CTS 2.0 Design Guide cisco.com/td/docs/solutions/Enterprise/Security/TrustSec_2-0/trustsec_2-0_dig.pdf
Fundamentals of TrustSec https://www.youtube.com/watch?v=78-GV7Pz18I

Technical Overview
How does it work?

Locator / ID Separation Protocol | VXLAN Encapsulation | Cisco TrustSec

Data-Plane Overview
Fabric Header Encapsulation

Fabric Data-Plane provides the following:
• Underlay address advertisement & mapping
• Automatic tunnel setup (Virtual Tunnel End-Points)
• Frame encapsulation between Routing Locators

Support for LISP or VXLAN header format
• Nearly the same, with different fields & payload
• LISP header carries IP payload (IP in IP)
• VXLAN header carries MAC payload (MAC in IP)

Triggered by LISP Control-Plane events
• ARP or NDP Learning on L3 Gateways
• Map-Reply or Cache on Routing Locators

[Figure: an Inner frame is wrapped in an Outer header at Encap on the ingress Routing Locator and unwrapped at Decap on the egress one.]

LISP & VXLAN Headers
Similar Format - Different Payload

[Figure: LISP Header (IP based) and VXLAN Header (Ethernet based) side by side, each drawn as OUTER HEADER, OVERLAY HEADER and INNER HEADER; the VXLAN outer UDP header uses destination port 4789.]

VXLAN Header
MAC-in-IP Encapsulation

Field layout (bit widths in parentheses), outer to inner:

Outer MAC Header (14 Bytes, Underlay):
  Dest. MAC (48)        Next-Hop MAC Address
  Source MAC (48)       Src VTEP MAC Address
  VLAN Type (16)        0x8100 (4 Bytes Optional)
  VLAN ID (16)
  Ether Type (16)       0x0800

Outer IP Header (20 Bytes, Underlay):
  Misc. Data (72)
  Protocol (8)          0x11 (UDP)
  Header Checksum (16)
  Source IP (32)        Src RLOC IP Address
  Dest. IP (32)         Dst RLOC IP Address

UDP Header (8 Bytes):
  Source Port (16)      Hash of inner L2/L3/L4 headers of original frame; enables entropy for ECMP load balancing
  Dest Port (16)        UDP 4789
  UDP Length (16)
  Checksum (16)         0x0000

VXLAN Header (8 Bytes, Overlay):
  VXLAN Flags (8)       RRRRIRRR
  Segment ID (16)       Allows 64K possible SGTs
  VN ID (24)            Allows 16M possible VRFs
  Reserved (8)

Inner (Original) MAC Header
Inner (Original) IP Header
Original Payload

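The VXLAN header above, packed and parsed in Python. This is an added example, not Cisco code or the deck's material. The slide sizes the header at 8 bytes but lists fields totalling 56 bits; the example assumes the missing 8 bits are a reserved byte between Flags and Segment ID (the layout of the VXLAN group policy header) and says so in the code. The UDP source-port derivation from a hash of the inner headers is the slide's idea; the particular hash and port range are my choice, and the inner frame is constructed.

```python
"""VXLAN header with VN ID and Segment ID (SGT), as laid out on the slide.

Added example, not Cisco code. The slide sizes the VXLAN header at 8 bytes
and names Flags (RRRRIRRR), Segment ID (16 bits, 64K SGTs), VN ID (24 bits,
16M VRFs) and Reserved (8 bits); the byte of reserved bits between Flags and
Segment ID is an assumption made here to fill the 8 bytes, matching the VXLAN
group policy header. The inner frame below is constructed sample data.
"""
import struct
import zlib

VXLAN_UDP_PORT = 4789
FLAG_I = 0x08  # the "I" bit of RRRRIRRR: the VN ID field is valid


def build_vxlan_header(vnid, sgt, flags=FLAG_I):
    """Pack flags | reserved | segment id | vn id | reserved (8 bytes)."""
    if not 0 <= vnid < (1 << 24):
        raise ValueError("VN ID must fit in 24 bits")
    if not 0 <= sgt < (1 << 16):
        raise ValueError("Segment ID must fit in 16 bits")
    return struct.pack("!BBHI", flags, 0, sgt, vnid << 8)


def parse_vxlan_header(data):
    """Unpack the 8-byte header; reject a header whose I flag is clear."""
    if len(data) < 8:
        raise ValueError("truncated VXLAN header")
    flags, _reserved1, sgt, tail = struct.unpack("!BBHI", data[:8])
    if not flags & FLAG_I:
        raise ValueError("I flag clear: VN ID is not valid")
    return {"flags": flags, "sgt": sgt, "vnid": tail >> 8, "reserved": tail & 0xFF}


def entropy_source_port(inner_frame):
    """UDP source port from a hash of the inner L2/L3/L4 headers so ECMP in
    the underlay spreads flows; hash and port range are my choice here."""
    return 49152 + zlib.crc32(inner_frame[:54]) % 16384


def encapsulate(inner_frame, vnid, sgt):
    """MAC-in-IP: the UDP payload is the VXLAN header plus the original
    Ethernet frame. Returns (src_port, dst_port, udp_payload); the outer
    MAC and IP headers (RLOC addresses) are added by the VTEP."""
    return (entropy_source_port(inner_frame), VXLAN_UDP_PORT,
            build_vxlan_header(vnid, sgt) + inner_frame)


def decapsulate(dst_port, udp_payload):
    """Return (header fields, original frame) for a VXLAN datagram."""
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError("not a VXLAN datagram")
    return parse_vxlan_header(udp_payload), udp_payload[8:]


# Constructed inner frame: dst MAC, src MAC, EtherType IPv4, then a minimal
# IPv4 header (version/IHL byte 0x45) zero-padded to 20 bytes.
INNER_FRAME = (bytes.fromhex("0000aa000001" "0000bb000002" "0800")
               + bytes([0x45]) + bytes(19))


def roundtrip(vnid=10, sgt=5):
    """Encapsulate the sample frame and decapsulate it again."""
    sport, dport, payload = encapsulate(INNER_FRAME, vnid, sgt)
    hdr, frame = decapsulate(dport, payload)
    return sport, hdr, frame == INNER_FRAME
```

The two range checks are the point of the builder: the VN ID and the SGT are the only fields the overlay uses to separate tenants and groups, so a value that does not fit is an error to stop on rather than truncate. On the receive side a header with the I flag clear is rejected instead of being forwarded into VN 0.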
Putting It Together
Where do things go?

Platform Support
Multiple Edge, Border & C-Plane Options

Catalyst 3K: Catalyst 3650, Catalyst 3850; Copper / Fiber; IOS-XE 16.3+
Catalyst 4K: Catalyst 4500; Sup8E / 8LE; Sup Uplinks; IOS-XE 3.9+
Catalyst 6K: Catalyst 6800; Sup2T / 6T; 6900 or Newer; IOS 15.4SY+
Nexus 7K: Nexus 7700; Sup2E; M3 Only; NXOS 7.3DX+

Campus Fabric Config
Control-Plane Nodes

[Figure: Control-Plane Node C at 5.1.1.1/32; Edge Node 1 (1.1.1.1/32, gateway 10.1.1.1/24 for Host Pool 10, 10.1.1.0/24) and Edge Node 2 (2.1.1.1/32, gateway 20.1.1.1/24 for Host Pool 20, 20.1.1.0/24), connected across the IP Network.]

• Organize networks into a LISP Site
• Configure the Authentication Key
• Add the prefixes to be mapped, and accept more specific updates, e.g. /32
• Operate as IPv4 Map-Server
• Operate as IPv4 Map-Resolver

  router lisp
   site San_Jose
    authentication-key San_Jose
    eid-prefix 10.1.1.0/24 accept-more-specifics
    eid-prefix 20.1.1.0/24 accept-more-specifics
    exit
   !
   ipv4 map-server
   ipv4 map-resolver
   exit

Campus Fabric Config
Edge Nodes (1)

[Figure: same topology; Control-Plane Node C at 5.1.1.1/32, Edge Node 1 at 1.1.1.1/32 in front of Host Pool 10 (10.1.1.0/24), Edge Node 2 at 2.1.1.1/32 in front of Host Pool 20 (20.1.1.0/24).]

• Organize XTRs into a Locator Set
• Set LISP to use VXLAN encapsulation
• Add a Dynamic EID group, and associate with an Instance ID
• Add local prefixes to Dynamic EID, and associate with the Locator set
• Add IPv4 SGT (to VXLAN)
• Operate as an IPv4 ITR & ETR
• Designate a Map-Server & Resolver

  router lisp
   locator-set campus_fabric
    ipv4-interface Loopback0
   encapsulation vxlan
   !
   eid-table default instance-id 0
    dynamic-eid Default_10_1_1_0
     database-mapping 10.1.1.0/24 locator-set campus_fabric
    exit
   !
   ipv4 sgt
   ipv4 itr map-resolver 5.1.1.1
   ipv4 itr
   ipv4 etr map-server 5.1.1.1 key San_Jose
   ipv4 etr

Campus Fabric Config
Edge Nodes (2)

[Figure: same topology as the previous slide.]

• Process is repeated on each XTR
• Configure any Local prefixes
• Or, you can simply Copy + Paste on all common XTRs, for Host Pools that exist on all XTRs
• Uses Dynamic EID map updates

  router lisp
   locator-set campus_fabric
    ipv4-interface Loopback0
   encapsulation vxlan
   !
   eid-table default instance-id 0
    dynamic-eid Default_20_1_1_0
     database-mapping 20.1.1.0/24 locator-set campus_fabric
    exit
   !
   ipv4 sgt
   ipv4 itr map-resolver 5.1.1.1
   ipv4 itr
   ipv4 etr map-server 5.1.1.1 key San_Jose
   ipv4 etr

Campus Fabric Config
Border Nodes

[Figure: Control-Plane Node C at 5.1.1.1/32; Edge Node 1 at 1.1.1.1/32 (gateway 10.1.1.1/24 for Host Pool 10, 10.1.1.0/24); Border Node at 2.1.1.1/32 with External IP 192.1.1.1/24 toward 192.1.1.0/24.]

• Set LISP to use VXLAN encapsulation
• Add a Map Cache + Map-Request for Dynamic EIDs, to trigger a lookup for traffic coming from outside
• Add IPv4 SGT (to VXLAN)
• Operate as an IPv4 PITR & PETR
• Designate a Map-Server & Resolver
• Configure External Routing *

  router lisp
   encapsulation vxlan
   !
   eid-table default instance-id 0
    map-cache 10.1.1.0/24 map-request
    map-cache 20.1.1.0/24 map-request
    exit
   !
   ipv4 sgt
   ipv4 proxy-etr
   ipv4 proxy-itr 2.1.1.1
   ipv4 itr map-resolver 5.1.1.1
   ipv4 etr map-server 5.1.1.1 key San_Jose
   exit
  !
  ip route 192.1.1.0 255.255.255.0 192.1.1.2

Campus Fabric Config: Virtual Neighborhoods

[Topology: Control-Plane Node (C) 5.1.1.1/32; Edge Node 1 (RLOC 1.1.1.1/32, gateway 10.1.1.1/24) and Edge Node 2 (RLOC 2.1.1.1/32, gateway 20.1.1.1/24) across the IP Network; the prefixes 10.1.1.0/24 and 20.1.1.0/24 exist once per neighborhood (RED, BLUE, GREEN), so each Edge Node holds three overlapping copies of its local prefix]

• Create new VRFs
  - and add RD/RT if necessary
• Set LISP to use VXLAN encapsulation
• Create a new LISP Instance ID per VRF
• Add a Dynamic EID group, and associate it with the per-VRF Instance ID
• Add the local prefixes to each Dynamic EID group
  - overlapping prefixes may require NAT/FW to reach each other or the outside
  - non-overlapping prefixes can be advertised natively at the Border

Shown for Edge Node 2:

   ip vrf RED
   ip vrf BLUE
   ip vrf GREEN
   !
   router lisp
    locator-set campus_fabric
     ipv4-interface Loopback0
     exit
    encapsulation vxlan
    !
    eid-table vrf RED instance-id 10
     dynamic-eid RED_20_1_1_0
      database-mapping 20.1.1.0/24 locator-set campus_fabric
      exit
     exit
    !
    eid-table vrf BLUE instance-id 11
     dynamic-eid BLUE_20_1_1_0
      database-mapping 20.1.1.0/24 locator-set campus_fabric
      exit
     exit
    !
    eid-table vrf GREEN instance-id 12
     dynamic-eid GREEN_20_1_1_0
      database-mapping 20.1.1.0/24 locator-set campus_fabric
      exit
     exit
    exit

Note: the Instance ID is what keeps the three copies of 20.1.1.0/24 apart, both in the Control-Plane Node's mapping database and in the data plane, where it is carried as the VXLAN VNI. On IOS-XE releases that use the newer "vrf definition <name>" / "address-family ipv4" form, define the VRFs that way instead of "ip vrf"; the LISP configuration is unchanged.
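The two things the Edge Node configuration above puts into every fabric packet are the Instance ID (the per-neighborhood VNI) and, from "ipv4 sgt", the TrustSec SGT. The following is an added example, not code from the deck or from Cisco: it packs and unpacks the VXLAN-GPO header that carries both fields (layout per draft-smith-vxlan-group-policy) and then shows the role-based decision a decapsulating Edge Node can make with them. The SGACL matrix, the "policy applied means skip" rule and the sample headers are constructed for this example.

```python
"""VXLAN-GPO header: how the LISP instance-id and the SGT cross the fabric,
and the role-based check the egress edge performs with them.

Added example, not from the Cisco Live deck. Field layout follows
draft-smith-vxlan-group-policy; SGACL contents are constructed.
"""
import struct
from typing import Optional

FLAG_G = 0x80    # byte 0: Group Based Policy extension present (SGT field valid)
FLAG_I = 0x08    # byte 0: VNI field valid (always set for VXLAN)
GBP_D = 0x40     # byte 1: Don't Learn
GBP_A = 0x08     # byte 1: policy Applied (an upstream node already enforced)
SGT_UNKNOWN = 0  # TrustSec reserves SGT 0 for untagged / unknown sources


def build_header(instance_id: int, sgt: Optional[int] = None, applied: bool = False) -> bytes:
    """8-byte VXLAN header: the instance-id goes into the 24-bit VNI, the SGT into
    the 16-bit Group Policy ID. Without an SGT the G bit stays clear and the field is 0."""
    if not 0 <= instance_id < 1 << 24:
        raise ValueError("instance-id must fit in 24 bits")
    flags, gbp, group_id = FLAG_I, 0, 0
    if sgt is not None:
        if not 0 <= sgt < 1 << 16:
            raise ValueError("SGT must fit in 16 bits")
        flags |= FLAG_G
        group_id = sgt
        if applied:
            gbp |= GBP_A
    # flags(8) | GBP flags(8) | Group Policy ID(16) | VNI(24) + reserved(8)
    return struct.pack("!BBHI", flags, gbp, group_id, instance_id << 8)


def parse_header(hdr: bytes) -> dict:
    """Decode the header; the SGT is only trusted when the G bit says it is present."""
    if len(hdr) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    flags, gbp, group_id, vni_res = struct.unpack("!BBHI", hdr[:8])
    if not flags & FLAG_I:
        raise ValueError("I bit clear: no valid VNI")
    has_sgt = bool(flags & FLAG_G)
    return {
        "instance_id": vni_res >> 8,
        "sgt": group_id if has_sgt else None,
        "policy_applied": has_sgt and bool(gbp & GBP_A),
    }


# Constructed SGACL matrix: (source SGT, destination SGT) -> action.
# Anything not listed falls through to a default permit.
SGACL = {
    (20, 10): "deny",           # Host Pool 20 may not reach Host Pool 10
    (SGT_UNKNOWN, 10): "deny",  # untagged traffic is not trusted into Pool 10
}


def egress_decision(hdr: bytes, dst_sgt: int, expected_instance_id: int) -> str:
    """What the decapsulating edge does (this example's rules): verify the VNI matches
    the destination neighborhood, then apply the SGACL using the carried (or Unknown)
    source SGT, unless the ingress node already marked the policy as applied."""
    h = parse_header(hdr)
    if h["instance_id"] != expected_instance_id:
        return "drop"  # wrong neighborhood: never leak across a VRF boundary here
    if h["policy_applied"]:
        return "permit"
    src = h["sgt"] if h["sgt"] is not None else SGT_UNKNOWN
    return SGACL.get((src, dst_sgt), "permit")


if __name__ == "__main__":
    hdr = build_header(10, sgt=20)  # RED neighborhood (instance-id 10), source SGT 20
    print(hdr.hex(), parse_header(hdr))
    print(egress_decision(hdr, dst_sgt=10, expected_instance_id=10))                # deny
    print(egress_decision(build_header(10), dst_sgt=10, expected_instance_id=10))  # untagged -> deny
```

The point of the VNI check in egress_decision is the property the Virtual Neighborhoods slide relies on: a packet that arrives with instance-id 11 must never be delivered into instance-id 10, however plausible its inner addresses look, because the same 20.1.1.0/24 exists in both.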
Campus Fabric Config: Endpoint ID Groups – Dynamic SGT

[Topology: Identity Services Engine (ISE) at 172.26.204.150; Edge Node 1 with Host Pool 10 (10.1.1.0/24) and Edge Node 2 with Host Pool 20 (20.1.1.0/24, gateway 20.1.1.1/24) across the IP Network]

• Enable AAA new-model
• Create a RADIUS server group with one or more RADIUS server(s)
• Enable AAA dynamic-author (Change of Authorization from ISE)
• Enable AAA authorization, and point CTS authorization at it
• Enable CTS Role-Based Enforcement

   aaa new-model
   !
   aaa group server radius ISE
    server name ISE
   !
   radius server ISE
    address ipv4 172.26.204.150 auth-port 1812 acct-port 1813
    key cisco
   !
   aaa server radius dynamic-author
    client 172.26.204.150 server-key cisco
   !
   aaa authentication dot1x default group ISE
   aaa accounting dot1x default start-stop group ISE
   aaa authorization network cts-list group ISE
   !
   cts authorization list cts-list
   cts role-based enforcement

Note: "cisco" is the lab value for both the RADIUS shared secret and the CoA server-key. These secrets protect the Access-Accept that carries each host's VLAN and SGT, and the CoA messages that can re-authorize or disconnect a session, so use strong per-deployment secrets and list only the ISE Policy Service Nodes as dynamic-author clients.
Campus Fabric Config: Endpoint ID Groups – Static SGT

[Topology: Edge Node 1 with Host Pool 10 (10.1.1.0/24) and Edge Node 2 with Host Pool 20 (20.1.1.0/24, gateway 20.1.1.1/24) across the IP Network]

• Enable CTS Role-Based Enforcement
• Define the list of VLANs on which Role-Based Enforcement is applied
• Create a new static SGT-MAP from a VLAN list to an SGT
• Or, create a new static SGT-MAP from an IP subnet to an SGT

   cts role-based enforcement
   cts role-based enforcement vlan-list 1-4094
   !
   cts role-based sgt-map vlan-list 20 sgt 20
   ! cts role-based sgt-map 20.1.1.0/24 sgt 20
Campus Fabric Config: Host Pools – Dynamic Assignment

[Topology: Identity Services Engine (ISE) at 172.26.204.150; Edge Node 1 with Host Pool 10 (10.1.1.0/24) and Edge Node 2 with Host Pool 20 (20.1.1.0/24, gateway 20.1.1.1/24) across the IP Network]

• Create a Host VLAN
• Create a L3 VLAN Interface (SVI) with the subnet IP address and mask
• Add LISP mobility (the Dynamic EID group defined under router lisp)
• Configure the AAA order + priority on the port
• Configure 802.1X and/or MAB on the port

NOTE: the connected Host (User or Device) is dynamically associated with a VLAN (e.g. 20) after authentication, from the VLAN attribute ISE returns in the RADIUS Access-Accept; the SGT is assigned the same way.

   vlan 20
    name Host_Pool_20
   !
   interface Vlan20
    ip address 20.1.1.1 255.255.255.0
    lisp mobility Default_20_1_1_0
   !
   interface GigabitEthernet1/0/1
    switchport
    switchport mode access
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    mab
    dot1x pae authenticator
    spanning-tree portfast

Note: "authentication open" is monitor (low-impact) mode: the port forwards traffic before, and even after a failed, authentication, so the dynamic VLAN/SGT is the only thing a successful authentication changes. Keep it for rollout, but pair it with a pre-authentication ACL or remove it (closed mode) once the hosts are known to authenticate. The name after "lisp mobility" must match the dynamic-eid name exactly, otherwise hosts in this pool are never registered with the Control-Plane Node.
Campus Fabric Config: Host Pools – Static Assignment

[Topology: Edge Node 1 with Host Pool 10 (10.1.1.0/24) and Edge Node 2 with Host Pool 20 (20.1.1.0/24, gateway 20.1.1.1/24) across the IP Network]

• Create a Host VLAN
• Create a L3 VLAN Interface (SVI) with the subnet IP address and mask
• Add LISP mobility (the Dynamic EID group defined under router lisp)
• Configure the VLAN number on the port

   vlan 20
    name Host_Pool_20
   !
   interface Vlan20
    ip address 20.1.1.1 255.255.255.0
    lisp mobility Default_20_1_1_0
   !
   interface GigabitEthernet1/0/1
    switchport
    switchport mode access
    switchport access vlan 20
    spanning-tree portfast
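The Edge Node, Endpoint ID Group and Host Pool slides above are assembled by hand on every XTR (the deck even suggests copy + paste), which is where the mistakes creep in. The following is an added example, not code from the deck or a Cisco tool: a small linter that walks an IOS-style configuration by indentation and reports the failures a practitioner checks for before rollout: an SVI whose "lisp mobility" names a dynamic-eid that does not exist or whose prefix does not cover the SVI subnet, RADIUS/CoA/map-server keys still set to a lab placeholder, "ipv4 sgt" without "cts role-based enforcement", and ports left in "authentication open". The sample configuration, the check ids and the WEAK_SECRETS list are constructed for this example.

```python
"""Consistency and hardening checks for a Campus Fabric edge-node configuration.

Added example (not from the Cisco Live deck). SAMPLE_CONFIG is constructed;
the check ids and the WEAK_SECRETS list are this example's own conventions.
"""
import ipaddress
import re

WEAK_SECRETS = {"cisco", "cisco123", "password", "secret"}  # assumed lab placeholders


def walk(config):
    """Yield (parent_headers, line) for every config line, using IOS indentation
    to track sub-modes (router lisp -> eid-table -> dynamic-eid -> ...)."""
    stack = []  # [(indent, header line)]
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text in ("!", "exit"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        yield tuple(h for _, h in stack), text
        stack.append((indent, text))


def lint(config):
    """Return a list of (check_id, message) findings for the given config."""
    lines = list(walk(config))
    flat = [line for _, line in lines]
    findings = []

    # 1. Which prefixes each dynamic-eid group registers with the Map-Server.
    eid_prefixes = {}
    for parents, line in lines:
        m = re.match(r"database-mapping (\S+) locator-set", line)
        if m and parents and parents[-1].startswith("dynamic-eid "):
            name = parents[-1].split()[1]
            eid_prefixes.setdefault(name, []).append(ipaddress.ip_network(m.group(1)))

    # 2. Every SVI that joins the fabric must name a defined group whose prefix
    #    covers the SVI subnet; otherwise hosts in that pool are never registered.
    svi_addr, svi_eid = {}, {}
    for parents, line in lines:
        if not (parents and parents[-1].startswith("interface Vlan")):
            continue
        svi = parents[-1].split()[1]
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m:
            svi_addr[svi] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        m = re.match(r"lisp mobility (\S+)$", line)
        if m:
            svi_eid[svi] = m.group(1)
    for svi, name in svi_eid.items():
        if name not in eid_prefixes:
            findings.append(("EID-UNDEFINED",
                             f"{svi}: 'lisp mobility {name}' has no dynamic-eid under router lisp"))
        elif svi in svi_addr and not any(
                svi_addr[svi].network.subnet_of(p) for p in eid_prefixes[name]):
            findings.append(("EID-PREFIX",
                             f"{svi}: {svi_addr[svi].network} is outside the database-mapping of {name}"))

    # 3. Shared secrets: the RADIUS key, the CoA server-key and the LISP map-server
    #    key are all authenticators; a lab value must not survive rollout.
    for parents, line in lines:
        m = re.search(r"\b(?:server-)?key (\S+)$", line)
        if m and m.group(1).lower() in WEAK_SECRETS:
            where = parents[-1] if parents else "global"
            findings.append(("WEAK-KEY", f"{where}: shared secret '{m.group(1)}' is a known placeholder"))

    # 4. SGT carried in VXLAN without role-based enforcement: tags propagate,
    #    but nothing on this node acts on them.
    if "ipv4 sgt" in flat and "cts role-based enforcement" not in flat:
        findings.append(("SGT-NO-ENFORCE", "ipv4 sgt is set but 'cts role-based enforcement' is missing"))

    # 5. 'authentication open' is monitor / low-impact mode: the port forwards
    #    traffic before (and after a failed) authentication.
    for parents, line in lines:
        if line == "authentication open" and parents:
            findings.append(("AUTH-OPEN",
                             f"{parents[-1]}: open mode forwards traffic before authentication; "
                             "add a pre-auth ACL or move to closed mode after rollout"))
    return findings


# Constructed from the deck's Edge Node 1, Dynamic SGT and Host Pool slides, with one
# deliberate mistake: the SVI was pasted from another node and still names
# Default_20_1_1_0, while only Default_10_1_1_0 exists under router lisp.
SAMPLE_CONFIG = """\
aaa new-model
radius server ISE
 address ipv4 172.26.204.150 auth-port 1812 acct-port 1813
 key cisco
aaa server radius dynamic-author
 client 172.26.204.150 server-key cisco
router lisp
 locator-set campus_fabric
  ipv4-interface Loopback0
  exit
 encapsulation vxlan
 eid-table default instance-id 0
  dynamic-eid Default_10_1_1_0
   database-mapping 10.1.1.0/24 locator-set campus_fabric
   exit
  exit
 ipv4 sgt
 ipv4 itr map-resolver 5.1.1.1
 ipv4 itr
 ipv4 etr map-server 5.1.1.1 key San_Jose
 ipv4 etr
 exit
interface Vlan20
 ip address 20.1.1.1 255.255.255.0
 lisp mobility Default_20_1_1_0
interface GigabitEthernet1/0/1
 switchport mode access
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
"""

if __name__ == "__main__":
    for check, msg in lint(SAMPLE_CONFIG):
        print(f"[{check}] {msg}")
```

Run it against "show running-config" output saved from each XTR; the EID checks are the ones that explain a host that authenticates fine but is unreachable from other Edge Nodes, because its pool never made it into the Control-Plane Node's mapping database.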
Campus Fabric – Smart CLI
Provisioning & Troubleshooting Made Simple

What is Smart CLI?

• It is a new configuration mode to simplify the configuration and management of Campus Fabric
• Invoked by a new global command, "fabric auto"
• Provides a simple set of easy-to-understand CLI
• Auto-generates all of the equivalent (traditional) LISP, VRF, IP, CTS, etc. CLI commands

   fabric_device(config)# fabric auto
Smart CLI: Enable Edge Node services

Class fabric-domain
  (config-fabric-auto)# [no] domain {default}
    Exists under (config-fabric-auto) mode
    - Configures the default domain
    - Enters domain configuration mode (config-fabric-auto-domain)

  (config-fabric-auto-domain)# [no] control-plane <ipv4_addr> auth-key <key>
    Exists under (config-fabric-auto-domain) mode
    - Configures the remote Control-Plane address and authentication key

  (config-fabric-auto-domain)# [no] border <ipv4_addr>
    Exists under (config-fabric-auto-domain) mode
    - Configures the remote fabric Border address

Class neighborhood
  (config-fabric-auto-domain)# [no] neighborhood name <name> id <ID>
    Exists under (config-fabric-auto-domain) mode
    - (OPTIONAL) Creates a neighborhood by name and ID

Class host-pool
  (config-fabric-auto-domain)# [no] host-pool name <name>
    Exists under (config-fabric-auto-domain) mode
    - Creates a host-pool by name
    - Enters host-pool config mode (config-fabric-auto-domain-host-pool)

  (config-fabric-auto-domain-host-pool)# vlan <id>
    Exists under (config-fabric-auto-domain-host-pool) mode
    - Configures the VLAN ID

  (config-fabric-auto-domain-host-pool)# [no] gateway <addr/mask>
  (config-fabric-auto-domain-host-pool)# [no] neighborhood name <name>
    Exists under (config-fabric-auto-domain-host-pool) mode
    - gateway: configures the Gateway IP/mask (prefix)
    - neighborhood: attaches the host-pool to a neighborhood

  (config-fabric-auto-domain-host-pool)# [no] use-dhcp <addr>
    Exists under (config-fabric-auto-domain-host-pool) mode
    - (OPTIONAL) Configures the DHCP server address

  (config-fabric-auto-domain-host-pool)# exit
    Exits the sub-mode and applies the configuration
Smart CLI: Enable Control-Plane Node services

Class fabric-domain
  (config-fabric-auto)# [no] domain {default}
    Exists under (config-fabric-auto) mode
    - Configures the default domain
    - Enters domain configuration mode (config-fabric-auto-domain)

  (config-fabric-auto-domain)# [no] control-plane self auth-key <key>
    Exists under (config-fabric-auto-domain) mode
    - Configures the local Control-Plane address and authentication key

Class host-prefix
  (config-fabric-auto-domain)# [no] host-prefix <prefix> [neighborhood name <name> id <ID>]
    Exists under (config-fabric-auto-domain) mode
    - Enables the Control-Plane service (per-neighborhood) for the host prefix
    - If "neighborhood" is not configured, the default neighborhood is used

  (config-fabric-auto-domain)# exit
    Exits the sub-mode and applies the configuration
Smart CLI: Border Node Configuration

Class fabric-domain
  (config-fabric-auto)# [no] domain {default}
    Exists under (config-fabric-auto) mode
    - Configures the default domain
    - Enters domain configuration mode (config-fabric-auto-domain)

  (config-fabric-auto-domain)# [no] control-plane <ipv4_addr> auth-key <key>
    Exists under (config-fabric-auto-domain) mode
    - Configures the remote Control-Plane address and authentication key

  (config-fabric-auto-domain)# [no] border self
    Exists under (config-fabric-auto-domain) mode
    - Configures the local Border address

Class neighborhood
  (config-fabric-auto-domain)# [no] neighborhood name <name> id <ID>
    Exists under (config-fabric-auto-domain) mode
    - (OPTIONAL) Creates a neighborhood by name and ID

Class host-prefix
  (config-fabric-auto-domain)# [no] host-prefix <prefix> [neighborhood name <name> id <ID>]
    Exists under (config-fabric-auto-domain) mode
    - Enables Border services (per-neighborhood) for the host prefix
    - If "neighborhood" is not configured, the default neighborhood is used

  (config-fabric-auto-domain)# exit
    Exits the sub-mode and applies the configuration
Smart CLI – Example: Adding a new Edge Node

   Edge(config)# fabric auto
   Edge(config-fabric-auto)# domain default
   Edge(config-fabric-auto-domain)# control-plane 2.2.2.2 auth-key key1
   Edge(config-fabric-auto-domain)# border 4.4.4.4
   Edge(config-fabric-auto-domain)# exit

These commands generate all of the LISP XTR baseline configuration:
- set up Loopback0 as the locator address
- create the default neighborhood as instance ID 0
- enable VXLAN encapsulation
- add the SGT to the VXLAN encapsulation
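The Smart CLI tables and the example above describe what "fabric auto" expands into, but not the expansion itself. The following is an added example, not Cisco's generator and not code from the deck: it models the fabric-auto objects (domain, control-plane, border, neighborhood, host-pool) and renders the equivalent traditional CLI in the shape used on the earlier Edge Node, Virtual Neighborhood and Host Pool slides, so the mapping from intent to LISP/VRF/SVI configuration is explicit. Assumptions beyond what the slides show: the locator-set name campus_fabric, the dynamic-EID naming pattern (Default_20_1_1_0, RED_20_1_1_0), that "use-dhcp" becomes "ip helper-address", and that the configured border address becomes this edge's proxy-ETR via "ipv4 use-petr".

```python
"""Render the traditional CLI that the Smart CLI intent corresponds to.

Added example, not Cisco's fabric-auto generator. The object model mirrors the
Smart CLI tables in the deck; the naming conventions and the use-petr mapping
are this example's assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import ipaddress


@dataclass
class Neighborhood:
    name: str
    instance_id: int  # becomes the LISP instance-id (and therefore the VXLAN VNI)


@dataclass
class HostPool:
    name: str
    vlan: int
    gateway: str                        # "gateway <addr/mask>", e.g. "20.1.1.1/24"
    neighborhood: str = "default"       # "neighborhood name <name>"
    dhcp_server: Optional[str] = None   # "use-dhcp <addr>" -> ip helper-address (assumed)


@dataclass
class FabricDomain:
    control_plane: str                  # "control-plane <ipv4_addr> auth-key <key>"
    auth_key: str
    border: Optional[str] = None        # "border <ipv4_addr>"
    neighborhoods: Dict[str, Neighborhood] = field(
        default_factory=lambda: {"default": Neighborhood("default", 0)})
    host_pools: List[HostPool] = field(default_factory=list)


def eid_name(nbhd: str, network: ipaddress.IPv4Network) -> str:
    """Dynamic-EID group name in the deck's style: Default_20_1_1_0, RED_20_1_1_0."""
    prefix = nbhd.capitalize() if nbhd == "default" else nbhd
    return f"{prefix}_{str(network.network_address).replace('.', '_')}"


def render_edge_config(dom: FabricDomain) -> str:
    for pool in dom.host_pools:
        if pool.neighborhood not in dom.neighborhoods:
            raise ValueError(f"host-pool {pool.name}: neighborhood {pool.neighborhood} is not defined")
    out: List[str] = []
    # One VRF per non-default neighborhood (legacy 'ip vrf' form, as on the slides).
    for nb in dom.neighborhoods.values():
        if nb.name != "default":
            out += [f"ip vrf {nb.name}", "!"]
    out += ["router lisp",
            " locator-set campus_fabric",
            "  ipv4-interface Loopback0",
            "  exit",
            " encapsulation vxlan",
            " !"]
    # One eid-table per neighborhood, one dynamic-eid per host-pool inside it.
    for nb in dom.neighborhoods.values():
        table = "default" if nb.name == "default" else f"vrf {nb.name}"
        out.append(f" eid-table {table} instance-id {nb.instance_id}")
        for pool in dom.host_pools:
            if pool.neighborhood != nb.name:
                continue
            net = ipaddress.ip_interface(pool.gateway).network
            out += [f"  dynamic-eid {eid_name(nb.name, net)}",
                    f"   database-mapping {net} locator-set campus_fabric",
                    "   exit"]
        out += ["  exit", " !"]
    out += [" ipv4 sgt",
            f" ipv4 itr map-resolver {dom.control_plane}",
            " ipv4 itr",
            f" ipv4 etr map-server {dom.control_plane} key {dom.auth_key}",
            " ipv4 etr"]
    if dom.border:
        out.append(f" ipv4 use-petr {dom.border}")  # assumption: border acts as proxy-ETR
    out += [" exit", "!"]
    # The host-pool side: VLAN, SVI (in the neighborhood's VRF) and LISP mobility.
    for pool in dom.host_pools:
        nb = dom.neighborhoods[pool.neighborhood]
        gw = ipaddress.ip_interface(pool.gateway)
        out += [f"vlan {pool.vlan}", f" name {pool.name}", "!", f"interface Vlan{pool.vlan}"]
        if nb.name != "default":
            out.append(f" ip vrf forwarding {nb.name}")  # must precede the address
        out.append(f" ip address {gw.ip} {gw.netmask}")
        if pool.dhcp_server:
            out.append(f" ip helper-address {pool.dhcp_server}")
        out += [f" lisp mobility {eid_name(nb.name, gw.network)}", "!"]
    return "\n".join(out)


# Constructed intent: the deck's example edge plus a guest neighborhood (id 50).
EXAMPLE = FabricDomain(control_plane="2.2.2.2", auth_key="key1", border="4.4.4.4")
EXAMPLE.neighborhoods["guest"] = Neighborhood("guest", 50)
EXAMPLE.host_pools += [HostPool("Host_Pool_20", 20, "20.1.1.1/24"),
                       HostPool("Guest_Pool", 50, "172.16.50.1/24", "guest", "10.10.10.5")]

if __name__ == "__main__":
    print(render_edge_config(EXAMPLE))
```

Two details the renderer enforces that are easy to get wrong by hand: "ip vrf forwarding" is emitted before "ip address" (IOS clears the address when the VRF changes), and every host-pool in a neighborhood lands in that neighborhood's eid-table, so the dynamic-eid and the SVI always agree on the Instance ID.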
Smart CLI – Example: Show Fabric Domain

   Edge# show fabric domain

   Fabric Domain : "default"
   Role : Edge
   Control-Plane Service: Disabled
   Border Service: Disabled

   Number of Control-Plane Nodes: 1
   IP Address       Auth-key
   ---------------------------------
   2.2.2.2          key1

   Number of Border Nodes: 1
   IP Address
   ---------------------------------
   4.4.4.4

   Number of Neighborhood(s): 4
   Name      ID    Host-pools
   ---------------------------------------------
   default   0     2
   guest     50    1
   pcie      60    1
   cisco     70    *

The output shows the current domain (default), the current role(s), the Control-Plane Node(s), the Border Node(s), and the Neighborhood(s) with their associated Host Pool(s).

Note: the Control-Plane auth-key is printed in clear text, so treat captured output of this command (tickets, log bundles, screenshots) as sensitive.
Campus Fabric – Smart CLI
Provisioning & Troubleshooting Made Simple

More to Come!

• Underlay Network – configure the interfaces and protocols to bring up the Underlay network
• Endpoint ID Groups – configure the AAA and CTS commands for Static & Dynamic ID
• Group Based Policy – configure SGT and SGACL policies
• And more…

   fabric_device(config)# fabric auto
LIVE DEMO 
Take-Away
Session Summary

1. LISP based Control-Plane
2. VXLAN based Data-Plane
3. Integrated Cisco TrustSec
What to do next?

Get the necessary Hardware & Software!
- Catalyst 3650 or 3850: new IOS-XE 16.3+
- Catalyst 4500 w/ Sup8E or 8LE: new IOS-XE 3.9+
- Catalyst 6800 w/ Sup2T or 6T: new IOS 15.4SY+
- Nexus 7700 w/ M3 cards: new NX-OS 7.3DX+

Try out "Campus Fabric" in the Lab!
- You only need 2 or 3 (or more) switches to test this solution
- At least 1 Control-Plane / Border and 1 Fabric Edge

Trial Deployment (remember: it is an Overlay)
- You can install new Control-Plane / Border and Edge Nodes without modifying your existing (Underlay) IP Network
- This makes it very easy to deploy!
Complete Your Online Session Evaluation

• Give us your session feedback to be entered into a Daily Survey Drawing.
• One daily winner will receive a $750 Amazon gift card.
• Complete your session surveys through the Cisco Live Mobile App, or the Session Catalog on CiscoLive.com/us.

Don't Forget: Cisco Live sessions are available for viewing on-demand after the event at CiscoLive.com/Online

Continue Your Education

• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions