Teccrs 3800
Technical Seminar
TECCRS-3800
Campus Fabric
Abstract
Using the Cisco technologies available today, you can overcome these challenges
and build an "evolved" Campus Network that better meets your business objectives.
Come to this session for a deeper insight into the key technologies, designs and
configurations (e.g. LISP, VXLAN and TrustSec) that bring this evolution to life.
TECCRS-3800 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Campus Fabric
Related Sessions
3. BRKCRS-2801: DNA Campus Fabric - How to Integrate with Your Existing Network
• 22/02/17 (Wednesday) @ 11:30 – 1.5 hours
7. BRKEWN-2300: Virtualize Your Wired and Wireless Network (w/ Campus Fabric)
• 24/02/17 (Friday) @ 09:00 – 2 hours
Campus Fabric Team
Who are we?
Campus Fabric
Agenda
09:00 – 09:30 (30 min)  Welcome and Introduction
09:30 – 11:00 (90 min)  Concepts and Fundamentals
14:15 – 15:15 (60 min)  DC Integration
15:15 – 16:15 (60 min)  Monitor and Troubleshoot

1. Key Benefits – Why do I care?
2. Key Concepts – What is a Fabric?
3. Solution Overview – How does it work?
4. Putting It Together – Where do things go?
5. Take-Away – When to get started?
Key Benefits
Why do I care?
Cisco Digital Network Architecture
Overview
Network-enabled Applications: Cloud-enabled | Software-delivered

What is Campus Fabric?
Foundational Technologies (Industry Leading): Wired & Wireless | Stacking | TrustSec | SDN
+ Network Enabled Applications: Collaboration | Mobility | IoT | Security
Advanced Functionality: Programmable Pipeline | Flexibility | Encapsulation
Automation and Analytics: Controller | Visible | Programmable | Open
Host Mobility
Always connect to the same L3 gateway.

Segmentation
Simple segmentation constructs; security to build secure boundaries for "users and things".

Policy Enforcement
Network-wide and intelligent; policy is based on your identity, not on your address.
Key Concepts
What is a Fabric?
What exactly is a Fabric?
A Fabric is an Overlay
An Overlay is a logical topology used to virtually connect devices, built
on top of an arbitrary physical Underlay topology.
An Overlay network often uses alternate forwarding attributes to provide
additional services, not provided by the Underlay.
What exactly is a Fabric?
Overlay Terminology: Encapsulation; Hosts (End-Points)
Why Overlays? (diagram slide)

What is unique about Campus Fabric?
Key Components
What is unique about Campus Fabric?
Key Components – LISP
BEFORE: Routing Protocols = Big Tables & More CPU, with Local L3 Gateway; IP Address = Location + Identity
AFTER: LISP DB + Cache = Small Tables & Less CPU, with Anycast L3 Gateway; Identity is separated from Location
[Slide diagram: every router holds a full table of Endpoint Routes (Prefix / Next-hop, e.g. 189.16.17.89 via 171.68.226.120, 22.78.190.64 via 171.68.226.121, 172.16.19.90 via 171.68.226.120, 192.58.28.128 via 171.68.228.121). With LISP the routes are consolidated into the Mapping Database (Prefix / RLOC) and each router keeps only a cache of the mappings it needs.]
What is unique about Campus Fabric?
Key Components – VXLAN
Key Components – CTS
Fabric Roles & Terminology

Campus Fabric – New Terminology
Control-Plane Nodes – A Closer Look
Edge Nodes – A Closer Look
The Edge Node provides first-hop services for users and devices connected to the Fabric. It is based on a LISP xTR plus dynamic endpoint mapping.
Border Nodes – A Closer Look
The Border Node is the entry and exit point for all data traffic going into and out of the Fabric. There are two types of Border Node:
• Internal Border, based on an xTR, for known destinations (DC, WAN)
• External Border, based on a PxTR; unknown routes use the External Border
Virtual Network – A Closer Look
A Virtual Network maintains a separate routing & switching instance for each VN, based on Virtual Routing & Forwarding (VRF).
Endpoint ID Groups – A Closer Look
Host Pools – A Closer Look
Technical Overview
How does it work?
Locator / ID Separation Protocol | VXLAN Encapsulation | Cisco TrustSec

Locator / ID Separation Protocol
Location and Identity Separation
Traditional Behavior – Location + ID are "Combined"
• The device's IPv4 or IPv6 address represents both Identity and Location.
• When the device moves across the IP core, it gets a new IPv4 or IPv6 address (10.1.0.1 becomes 20.2.0.9) for its new Identity and Location.
Overlay Behavior – Location & ID are "Separated"
• The device's IPv4 or IPv6 address represents Identity only.
• When the device moves across the IP core, it keeps the same IPv4 or IPv6 address (10.1.0.1). It has the same Identity.
Locator / ID Separation Protocol
LISP Mapping System
DNS resolves IP addresses for queried names: it answers the "WHO IS" question.
  Host asks the DNS Server: [ Who is lisp.cisco.com ]?  (Name-to-IP, URL resolution)
  Answer: [ Address is 153.16.5.29, 2610:D0:110C:1::3 ]
LISP resolves Locators for queried Identities: it answers the "WHERE IS" question.
  LISP Router asks the LISP Map System: [ Where is 2610:D0:110C:1::3 ]?  (ID-to-Locator, map resolution)
  Answer: [ Locator is 128.107.81.169, 128.107.81.170 ]
Locator / ID Separation Protocol
LISP Roles & Responsibilities
• EID Space: the end-point identifier prefixes behind each xTR (ITR/ETR), e.g. a.a.a.0/24 and b.b.b.0/24 at one site, c.c.c.0/24 and d.d.0.0/16 at another.
• Map System: holds the EID-to-RLOC mappings, which can be distributed across several Map-Servers.
    EID          RLOC
    a.a.a.0/24   w.x.y.1
    b.b.b.0/24   x.y.w.2
    c.c.c.0/24   z.q.r.5
    d.d.0.0/16   z.q.r.5
• Non-LISP (underlay) routing only needs to reach the RLOCs:
    Prefix    Next-hop
    w.x.y.1   e.f.g.h
    x.y.w.2   e.f.g.h
Locator / ID Separation Protocol
Map Register & Resolution
• Database Mapping Entry (on the Campus ETRs): 10.2.0.0/16 (2.1.1.1, 2.1.2.1)
• Database Mapping Entry (on the DC ETRs): 10.3.0.0/16 (3.1.1.1, 3.1.2.1)
• Each ETR registers its entry with the Map-Server; the Branch ITR sends a Map-Request and receives the Map-Reply: 10.2.0.0/16 (2.1.1.1, 2.1.2.1)
Locator / ID Separation Protocol
How does LISP operate?
1. DNS Entry: D.abc.com A 10.2.0.1 (the Branch host S, 10.1.0.1, resolves the name of D in the Campus)
2. S sends 10.1.0.1 -> 10.2.0.1 to its ITR (RLOC 1.1.1.1); the ITR has no map-cache entry and sends a Map-Request
3. Map-cache entry installed on the ITR:
     EID-prefix: 10.2.0.0/24
     Locator-set: 2.1.1.1, priority: 1, weight: 50 (D1)
                  2.1.2.1, priority: 1, weight: 50 (D2)
   Path preference is controlled by the destination site, which sets priority and weight in the Map-Reply.
4. The ITR encapsulates the packet towards one of the Campus ETRs (2.1.1.1 or 2.1.2.1)
5. The ETR decapsulates and delivers 10.1.0.1 -> 10.2.0.1 to D
Labels on the diagram: Non-LISP, PXTR, Branch 10.1.0.0/24, Campus 10.2.0.0/24 (ETRs 2.1.1.1, 2.1.2.1), DC 10.3.0.0/24 (ETRs 3.1.1.1, 3.1.2.1)
Locator / ID Separation Protocol
Forwarding from outside a LISP Domain
1. A non-LISP source S (192.3.0.1) sends to D (10.2.0.1); the route is attracted to the PXTR (RLOC 4.4.4.4)
2. The PXTR sends a Map-Request for 10.2.0.1
3. Map-cache entry on the PXTR: EID-Prefix 10.2.0.0/24, Locator-Set (the Campus ETRs)
4. The PXTR encapsulates 192.3.0.1 -> 10.2.0.1 towards the Campus ETR (5.3.3.3 on the diagram)
5. The ETR decapsulates and delivers 192.3.0.1 -> 10.2.0.1 to D
Sites: Campus 10.2.0.0/24, DC 10.3.0.0/24
Locator / ID Separation Protocol
Host Mobility – Dynamic EID Migration
Topology: DC1 (10.10.10.0/24, host D, edge labelled 2.1.1.1), Campus Bldg 1 (10.17.1.0/24, edge labelled 1.1.1.1) and Campus Bldg 2 (10.18.1.0/24, edge labelled 3.1.1.1), all connected over an IP network to the Mapping System. Host S is 10.17.1.10.
Mapping Database at the start:
  10.10.0.0/16 – 12.0.0.1
  10.17.0.0/16 – 12.1.1.1
  10.18.0.0/16 – 12.2.2.1
1. The Bldg 1 edge node detects S and installs local entries: 10.17.1.0/24 – Local and 10.17.1.10/32 – Local
2. It sends a Map Register (EID: 10.17.1.10/32, RLOC: 12.1.1.1); the Mapping Database gains 10.17.1.10/32 – 12.1.1.1
3. S moves to Campus Bldg 2 and keeps its address 10.17.1.10
4. The Bldg 2 edge node detects S and registers the /32 with its own RLOC; the Mapping Database now holds 10.17.1.10/32 – 12.2.2.1
5. Traffic from D is now encapsulated to the new RLOC; S keeps the same identity throughout
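The Map Register & Resolution and Dynamic EID Migration slides above, worked as a small model. This is an added example, not code from the Cisco deck or from any Cisco product: it models a Map-Server/Map-Resolver that checks a site authentication key and accepts more-specific registrations inside a site's EID prefixes (the authentication-key and accept-more-specifics settings of the Control-Plane node configuration later in this deck), an ITR map-cache, and a host moving between two buildings. The site name, the RLOCs 12.1.1.1 and 12.2.2.1, and the HMAC-SHA256 construction standing in for the Map-Register authentication data are assumptions of the example; real LISP carries a key ID and HMAC in the Map-Register (RFC 6833) and refreshes stale caches with Solicit-Map-Requests, which is abbreviated here as an explicit invalidate().

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

@dataclass
class Site:
    name: str
    key: bytes          # LISP site authentication key, shared with the site's ETRs
    eid_prefixes: list  # prefixes the site may register (accept-more-specifics)

def register_tag(key, site_name, eid, rlocs):
    """HMAC over the registration; stands in for the Map-Register authentication data."""
    msg = f"{site_name}|{eid}|{','.join(rlocs)}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class MapServer:
    """Map-Server + Map-Resolver: the Control-Plane node role."""
    def __init__(self):
        self.sites = {}
        self.db = {}  # EID prefix -> [RLOC, ...]  (the Mapping Database)

    def add_site(self, site):
        self.sites[site.name] = site

    def map_register(self, site_name, eid, rlocs, tag):
        site = self.sites.get(site_name)
        if site is None:
            return False
        # A device without the site key cannot inject or hijack a mapping.
        if not hmac.compare_digest(tag, register_tag(site.key, site_name, eid, rlocs)):
            return False
        net = ipaddress.ip_network(eid)
        # accept-more-specifics: a /32 is accepted only inside a configured site prefix.
        if not any(net.subnet_of(p) for p in site.eid_prefixes):
            return False
        self.db[net] = list(rlocs)
        return True

    def map_request(self, eid):
        """Longest-prefix match over the Mapping Database; (None, None) = negative reply."""
        addr = ipaddress.ip_address(eid)
        matches = [n for n in self.db if addr in n]
        if not matches:
            return None, None
        best = max(matches, key=lambda n: n.prefixlen)
        return best, self.db[best]

class ITR:
    """Ingress side of an edge node: resolve once, then forward from the map-cache."""
    def __init__(self, map_server):
        self.ms = map_server
        self.cache = {}

    def lookup(self, eid):
        addr = ipaddress.ip_address(eid)
        for net, rlocs in self.cache.items():
            if addr in net:
                return net, rlocs
        net, rlocs = self.ms.map_request(eid)
        if net is not None:
            self.cache[net] = rlocs
        return net, rlocs

    def invalidate(self, eid):
        """Drop a cached mapping, as a Solicit-Map-Request would after a host moves."""
        self.cache.pop(ipaddress.ip_network(eid), None)

def mobility_demo():
    """Replay the host-mobility slides; returns what each step observed."""
    ms = MapServer()
    campus_key = b"S3cr3t-example-key"  # constructed placeholder, not a real key
    ms.add_site(Site("campus", campus_key, [ipaddress.ip_network("10.17.0.0/16"),
                                            ipaddress.ip_network("10.18.0.0/16")]))
    bldg1, bldg2 = ["12.1.1.1"], ["12.2.2.1"]
    host = "10.17.1.10/32"
    out = {}
    # Wrong key: the registration is refused.
    out["bad_key"] = ms.map_register("campus", host, bldg1,
                                     register_tag(b"wrong", "campus", host, bldg1))
    # Bldg 1 edge node learns 10.17.1.10 and registers the /32 under its RLOC.
    out["reg1"] = ms.map_register("campus", host, bldg1,
                                  register_tag(campus_key, "campus", host, bldg1))
    itr = ITR(ms)
    out["rloc_before"] = itr.lookup("10.17.1.10")[1][0]
    # Host moves to Bldg 2: its edge node re-registers the same EID with its RLOC.
    out["reg2"] = ms.map_register("campus", host, bldg2,
                                  register_tag(campus_key, "campus", host, bldg2))
    out["stale"] = itr.lookup("10.17.1.10")[1][0]  # cache still says 12.1.1.1
    itr.invalidate(host)
    out["rloc_after"] = itr.lookup("10.17.1.10")[1][0]
    # A prefix outside the site is refused; an unknown EID gets a negative reply
    # (the map-cache miss that the External Border / PETR handles later in the deck).
    out["foreign"] = ms.map_register("campus", "192.0.2.0/24", bldg1,
                                     register_tag(campus_key, "campus", "192.0.2.0/24", bldg1))
    out["unknown"] = itr.lookup("192.0.2.1")[0]
    return out
```

The stale step is the one to notice: until the ITR's cache entry is refreshed, traffic for the moved host still goes to the old RLOC. The same mechanism is why the site key matters: anything that can register a /32 with an RLOC of its choosing redirects that host's traffic, so registrations that fail the key check are dropped before they touch the database.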
Locator / ID Separation Protocol (LISP)
Would you like to know more?
Suggested Reading:
BRKRST-3045 - LISP - A Next Generation Networking Architecture
BRKRST-3047 - Troubleshooting LISP
BRKCRS-3510 - LISP in Campus Networks
Other References:
Cisco LISP Site http://lisp.cisco.com
Cisco LISP Marketing Site http://www.cisco.com/go/lisp/
LISP Beta Network Site http://www.lisp4.net or http://www.lisp6.net
IETF LISP Working Group http://tools.ietf.org/wg/lisp/
Fundamentals of LISP https://www.youtube.com/watch?v=lKrV1qB8uqA
Technical Overview
How does it work?
Locator / ID Separation Protocol | VXLAN Encapsulation | Cisco TrustSec
Cisco TrustSec
Traditional segmentation is extremely complex
[Slide: a long address-based ACL, "access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165 ...", dozens of permit/deny lines keyed on source and destination addresses and ports.]
• Enforcement: IP-based policies (ACLs, firewall rules) at the aggregation layer and in front of the applications
• Propagation: "segment" context is carried through the enterprise backbone using VLAN, IP address or VRF
• Classification: static or dynamic VLAN assignments at the access layer (Non-Compliant, Voice, Employee, Supplier, BYOD), each VLAN dragging along static ACLs, VACLs, routing, redundancy, DHCP scope and addressing
Limits of traditional segmentation:
• Security policy is based on topology (address)
• High cost and complex maintenance
Cisco TrustSec
Simplified segmentation with Group Based Policy
• Classification: static or dynamic SGT assignments on the campus switch (Employee tag, Supplier tag, Non-Compliant tag), independent of whether the endpoint sits in VLAN A or VLAN B
• The DC switch receives policy only for what is connected to it
Cisco TrustSec
Identity Services Engine enables CTS
• NDAC (Network Device Admission Control) authenticates network devices for a trusted CTS domain
• Cisco ISE centrally defines the Scalable Group Tags and their names (the Endpoint ID Groups) in the SGT & SGT Names table, e.g.:
    3: Employee
    4: Contractors
    8: PCI_Servers
    9: App_Servers
• Cisco ISE also holds the Scalable Group ACL (SGACL) matrix: rows are source groups, columns are destination groups, and each cell permits or denies traffic between the two groups
Cisco TrustSec
Two ways to assign SGT
[Slide: Campus Access, Distribution and Core, Enterprise Backbone, DC Core and DC Access. SGTs are assigned dynamically at the access layer when the endpoint authenticates (e.g. MAB, with ISE returning the tag) or statically on the switch.]
Cisco TrustSec
Ingress Classification with Egress Enforcement
• Ingress: the user authenticates and is classified as Marketing (SGT 5); the tag travels with the traffic
• Destination classification in the DC: CRM servers = SGT 20, Web servers = SGT 30
• Egress: the DC switch does a FIB lookup for the destination, finds its SGT (destination MAC = SGT 20) and applies the SGACL for (5 -> 20)
Cisco TrustSec
SGT Propagation & Enforcement Options
[Slide: User – Switch – Switch – Router – Router – Firewall – DC Switch – Server. The tag is carried inline across L2 / L3 networks that support it, and over SXP between devices that cannot carry it inline, e.g. across a heterogeneous WAN; enforcement can happen on the switches, the firewall or the DC switch.]
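The ingress-classification, egress-enforcement flow of the last few slides, worked as a model. This is an added example, not code from the Cisco deck or from ISE: the SGT numbers and names come from the ISE slide (3 Employee, 4 Contractors, 8 PCI_Servers, 9 App_Servers) and the ingress/egress slide (5 Marketing, 20 CRM, 30 Web); the IP-to-SGT bindings, the SGACL contents and the sample flows are constructed, and the (action, protocol, port) tuples illustrate what an SGACL cell contains rather than Cisco's syntax.

```python
import ipaddress

# SGT numbers and names as shown on the ISE and ingress/egress slides
SGT_NAMES = {3: "Employee", 4: "Contractors", 5: "Marketing",
             8: "PCI_Servers", 9: "App_Servers", 20: "CRM", 30: "Web"}

class BindingTable:
    """IP-to-SGT bindings: what the egress switch learns locally or receives over SXP."""
    def __init__(self):
        self.bindings = {}

    def add(self, prefix, sgt):
        self.bindings[ipaddress.ip_network(prefix)] = sgt

    def lookup(self, ip):
        """Longest-prefix match, like the FIB lookup on the egress slide; None if unbound."""
        addr = ipaddress.ip_address(ip)
        matches = [n for n in self.bindings if addr in n]
        return self.bindings[max(matches, key=lambda n: n.prefixlen)] if matches else None

class SGACLMatrix:
    """Source SGT x destination SGT -> ordered list of (action, protocol, dport) rules."""
    def __init__(self, default="deny"):
        self.cells = {}
        self.default = default  # meaning of an empty cell; deny is the safe choice

    def set_cell(self, src_sgt, dst_sgt, rules):
        self.cells[(src_sgt, dst_sgt)] = rules

    def decide(self, src_sgt, dst_sgt, proto, dport):
        rules = self.cells.get((src_sgt, dst_sgt))
        if rules is None:
            return self.default
        for action, r_proto, r_port in rules:
            if r_proto in ("ip", proto) and (r_port is None or r_port == dport):
                return action
        return "deny"  # implicit deny at the end of every SGACL

def egress_enforce(bindings, matrix, src_sgt, dst_ip, proto, dport):
    """Egress enforcement: the frame arrives carrying the source SGT assigned at
    ingress; the destination SGT is looked up here. An unclassified source or an
    unbound destination is denied rather than silently permitted."""
    dst_sgt = bindings.lookup(dst_ip)
    if src_sgt is None or dst_sgt is None:
        return "deny"
    return matrix.decide(src_sgt, dst_sgt, proto, dport)

def policy_demo():
    """Constructed bindings and flows; returns the verdict for each flow."""
    b = BindingTable()
    b.add("10.3.0.0/24", 9)      # App_Servers subnet
    b.add("10.3.0.20/32", 20)    # CRM server (more specific than the subnet binding)
    b.add("10.3.0.30/32", 30)    # Web server
    b.add("10.3.8.0/24", 8)      # PCI_Servers
    m = SGACLMatrix(default="deny")
    m.set_cell(3, 20, [("permit", "tcp", 443), ("deny", "ip", None)])  # Employee -> CRM: https only
    m.set_cell(5, 30, [("permit", "tcp", 443)])                         # Marketing -> Web
    m.set_cell(4, 8, [("deny", "ip", None)])                            # Contractors -> PCI: nothing
    m.set_cell(9, 8, [("permit", "tcp", 1433)])                         # App -> PCI: database port only
    out = {
        "emp_crm_https": egress_enforce(b, m, 3, "10.3.0.20", "tcp", 443),
        "emp_crm_ssh": egress_enforce(b, m, 3, "10.3.0.20", "tcp", 22),
        "emp_app": egress_enforce(b, m, 3, "10.3.0.40", "tcp", 443),     # no cell -> default deny
        "contractor_pci": egress_enforce(b, m, 4, "10.3.8.10", "tcp", 443),
        "app_pci_db": egress_enforce(b, m, 9, "10.3.8.10", "tcp", 1433),
        "marketing_web": egress_enforce(b, m, 5, "10.3.0.30", "tcp", 443),
        "unclassified_src": egress_enforce(b, m, None, "10.3.0.30", "tcp", 443),
        "unbound_dst": egress_enforce(b, m, 3, "192.0.2.7", "tcp", 443),
    }
    # The Web server is renumbered: only its binding changes, the SGACL matrix does not.
    b.add("10.3.9.30/32", 30)
    out["marketing_web_moved"] = egress_enforce(b, m, 5, "10.3.9.30", "tcp", 443)
    return out
```

The last step is the "policy based on identity, not address" point from the Key Benefits section: moving the Web server to a new address changes one binding and leaves every SGACL cell untouched, whereas the address-based ACL on the earlier slide would need every matching line rewritten.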
Cisco TrustSec (CTS)
Would you like to know more?
Suggested Reading:
BRKCRS-2891 - Enterprise Network Segmentation with Cisco TrustSec
BRKSEC-2203 - Intermediate - Enabling TrustSec Software-Defined Segmentation
BRKSEC-2044 - Building an Enterprise Access Control Architecture Using ISE and TrustSec
Other References:
Cisco TrustSec Marketing Site http://www.cisco.com/go/trustsec/
Cisco TrustSec Config Guide cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec.html
Cisco TrustSec Architecture cisco.com/docs/switches/lan/trustsec/configuration/guide/trustsec/arch_over.html
Cisco TrustSec Design Guide cisco.com/td/docs/solutions/Enterprise/Security/TrustSec_2-0/trustsec_2-0_dig.pdf
Fundamentals of TrustSec https://www.youtube.com/watch?v=78-GV7Pz18I
Technical Overview
How does it work?
Locator / ID Separation Protocol | VXLAN Encapsulation | Cisco TrustSec

Data-Plane Overview
Fabric Header Encapsulation
Fabric Data-Plane provides the following:
• Underlay address advertisement & mapping
• Automatic tunnel setup (Virtual Tunnel End-Points)
• Frame encapsulation between Routing Locators
LISP and VXLAN headers are nearly the same, with different fields & payload:
• LISP header carries IP payload (IP in IP)
• VXLAN header carries MAC payload (MAC in IP)
Encapsulation is triggered by LISP Control-Plane events:
• ARP or NDP learning on L3 gateways
• Map-Reply or cache on Routing Locators
LISP & VXLAN Headers
Similar Format – Different Payload
The LISP header is IP based; the VXLAN header is Ethernet based. Both stack an outer header, an overlay header (UDP, destination port 4789 for VXLAN) and the inner header.

VXLAN Header
  Outer MAC header:  Next-Hop MAC Address
  Outer IP header:   Source IP (32) = Src RLOC IP Address; Dest. IP (32) = Dst RLOC IP Address; Checksum
  Outer UDP header:  Source Port (16); Destination Port 4789
  VXLAN header (8 bytes):  Segment ID (16); VN ID (24), allows 16M possible VRFs; Reserved (8)
  Original Payload
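The 8-byte VXLAN header in the table above, built and parsed, with the admission check a fabric edge should apply to it. This is an added example, not code from the Cisco deck or from any Cisco product. The layout follows RFC 7348 and the VXLAN Group Policy draft (draft-smith-vxlan-group-policy), whose 16-bit Group Policy ID is the "Segment ID 16" field that carries the SGT: first flags byte with G (0x80, group policy present) and I (0x08, VNI valid), second flags byte with D (0x40, don't learn) and A (0x08, policy applied), then the 24-bit VNI and a reserved byte. The sample RLOCs (1.1.1.1, 2.1.1.1, 3.1.1.1), instance IDs 10/11/12 and SGT 3 are taken from the configuration and ISE slides of this deck, but the packet header itself is constructed here.

```python
import struct

VXLAN_UDP_PORT = 4789
FLAG_G = 0x80  # first flags byte: Group Policy ID present
FLAG_I = 0x08  # first flags byte: VNI valid (RFC 7348 requires it set)
FLAG_D = 0x40  # second flags byte: don't learn the inner source MAC
FLAG_A = 0x08  # second flags byte: policy already applied upstream

def build_vxlan_gpo(vni, sgt, policy_applied=False, dont_learn=False):
    """Pack the 8-byte VXLAN-GPO header: flags, Group Policy ID (SGT), VNI, reserved."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is 24 bits")
    if not 0 <= sgt < (1 << 16):
        raise ValueError("Group Policy ID is 16 bits")
    flags1 = FLAG_G | FLAG_I
    flags2 = (FLAG_D if dont_learn else 0) | (FLAG_A if policy_applied else 0)
    return struct.pack("!BBHI", flags1, flags2, sgt, vni << 8)  # low byte = reserved (0)

def parse_vxlan_gpo(hdr):
    """Unpack the header; raises ValueError for anything a receiver must not trust."""
    if len(hdr) < 8:
        raise ValueError("truncated VXLAN header")
    flags1, flags2, gpid, vni_res = struct.unpack("!BBHI", hdr[:8])
    if not flags1 & FLAG_I:
        raise ValueError("I flag clear: VNI not valid")
    return {
        "vni": vni_res >> 8,
        "sgt": gpid if flags1 & FLAG_G else None,  # without G the field is reserved: ignore it
        "policy_applied": bool(flags2 & FLAG_A),
        "dont_learn": bool(flags2 & FLAG_D),
        "reserved": vni_res & 0xFF,
    }

def vet_fabric_packet(src_rloc, udp_dport, hdr, allowed_rlocs, allowed_vnis):
    """Underlay-side admission check for encapsulated fabric traffic.

    Nothing in the VXLAN header is authenticated: any host that can reach UDP/4789
    on an edge node could present a VNI and an SGT of its choosing. So, as the
    RFC 7348 security considerations advise, accept encapsulated traffic only from
    known RLOCs, and only for the instance IDs the fabric actually uses."""
    if udp_dport != VXLAN_UDP_PORT:
        return "not-vxlan"
    if src_rloc not in allowed_rlocs:
        return "drop:unknown-rloc"
    try:
        fields = parse_vxlan_gpo(hdr)
    except ValueError:
        return "drop:malformed"
    if fields["vni"] not in allowed_vnis:
        return "drop:unknown-vni"
    return "accept"

# Constructed sample: instance-id 10 (the RED VRF on the config slides), SGT 3 (Employee)
SAMPLE_HDR = build_vxlan_gpo(vni=10, sgt=3, policy_applied=True)
FABRIC_RLOCS = {"1.1.1.1", "2.1.1.1", "3.1.1.1"}  # edge/border RLOCs from the config slides
FABRIC_VNIS = {10, 11, 12}                        # instance-ids of VRFs RED, BLUE, GREEN
```

In practice the allowed-RLOC check is an underlay ACL on UDP/4789 that only admits the fabric's own loopbacks; the check is shown in code here so that the reason for it (the SGT and VNI are trusted from the header) is visible next to the field layout.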
Putting It Together
Where do things go?
Platform Support
Fabric Edge Nodes – Options: Catalyst 3K, Catalyst 4K
Fabric Border Nodes – Options
Fabric Control-Plane – Options
Campus Fabric Config
Control-Plane Node
Topology: Control-Plane node C (5.1.1.1/32) reachable over the IP network; fabric subnets 10.1.1.0/24 and 20.1.1.0/24.
• Organize networks into a LISP Site
• Configure the Authentication Key
• Add the IP prefixes to be mapped, and accept more-specific updates (e.g. /32 host routes)
• Operate as IPv4 Map-Server
• Operate as IPv4 Map-Resolver

    router lisp
     ipv4-interface Loopback0
     site San_Jose
      authentication-key S3cr3t
      eid-prefix 10.1.1.0/24 accept-more-specifics
      eid-prefix 20.1.1.0/24 accept-more-specifics
      exit
     !
     ipv4 map-server
     ipv4 map-resolver
     exit

The site authentication key is what authenticates registrations: a Map-Register is accepted only if the HMAC it carries, computed with this key, verifies, so a device that can reach the Map-Server but does not hold the key cannot register or overwrite an EID-to-RLOC mapping. Replace the placeholder S3cr3t with a strong per-site secret and configure the same key on every Edge and Border node that registers into the site.
Campus Fabric Config
Edge Nodes (1)
Topology: Control-Plane node C (5.1.1.1/32); Edge node 1 (RLOC 1.1.1.1/32) is the gateway 10.1.1.1/24 for subnet 10.1.1.0/24.
Edge Nodes (2)
Topology: Control-Plane node C (5.1.1.1/32); Edge node 2 (RLOC 2.1.1.1/32) is the gateway 20.1.1.1/24 for subnet 20.1.1.0/24.
Campus Fabric Config
Virtual Networks (VRFs)
Topology: Control-Plane node C; fabric subnets 10.1.1.0/24 and 20.1.1.0/24.
• Create a new VRF definition (add RD/RT info as necessary)
• Enable VXLAN encapsulation
• Create a new LISP Instance ID and associate it with the VRF
• Add Dynamic EID mappings, and the local prefixes to each Dynamic EID
• Non-overlapping prefixes can be routed natively; overlapping prefixes (the same 20.1.1.0/24 in RED, BLUE and GREEN below) require NAT/FW *

    ip vrf RED
    ip vrf BLUE
    ip vrf GREEN
    !
    router lisp
     locator-set campus_fabric
     encapsulation vxlan
     !
     eid-table vrf RED instance-id 10
      dynamic-eid RED_20_1_1_0
       database-mapping 20.1.1.0/24 locator-set campus_fabric
     !
     eid-table vrf BLUE instance-id 11
      dynamic-eid BLUE_20_1_1_0
       database-mapping 20.1.1.0/24 locator-set campus_fabric
     !
     eid-table vrf GREEN instance-id 12
      dynamic-eid GREEN_20_1_1_0
       database-mapping 20.1.1.0/24 locator-set campus_fabric
     exit

The instance-id is what separates the VNs on the wire (it becomes the VN ID in the VXLAN header), so the VRF-to-instance-id mapping must be identical on every Edge and Border node.
Campus Fabric Config
Border Nodes – Internal
Topology: Control-Plane node C (5.1.1.1/32); Internal Border B (RLOC 3.1.1.1/32, external interface 172.1.1.1/24) with BGP towards 172.0.0.0/8; fabric subnet 10.1.1.0/24.
• Operate as an IPv4 ITR and ETR
• Enable export of inside prefixes from LISP to the external protocol (e.g. BGP)
• Set a map-cache entry for internal registrations
• Set the LISP administrative distance to 250 (higher than the protocol routes)
• Configure external routing
• Enable import of outside prefixes from the external protocol(s) into LISP
• * Repeat per VRF (address family)

    router lisp
     locator-table default
     !
     eid-table vrf USER instance-id 10
      ipv4 route-import database bgp 65004 locator-set campus_fabric
      ipv4 route-export site-registrations
      ipv4 map-cache site-registrations
      ipv4 distance site-registrations 250
      exit
     !
     ipv4 itr
     ipv4 etr
    !
    router bgp 65004
     !
     address-family ipv4 vrf USER
      redistribute lisp metric 10
      aggregate-address 10.1.1.0 255.255.255.0 summary-only
     exit-address-family
Campus Fabric Config
Border Nodes – External
Topology: Control-Plane node C (5.1.1.1/32); External Border B (RLOC 3.1.1.1/32, external interface 172.1.1.1/24) with a BGP default route 0.0.0.0/0; fabric subnet 10.1.1.0/24.
• Operate as an IPv4 PITR and PETR
• Same configuration as the Internal Border, but EXPORT ONLY (no route-import: outside prefixes are not learned into LISP)
• Used for stub routing and/or Internet
• Gateway of last resort

    router lisp
     locator-table default
     !
     eid-table vrf USER instance-id 10
      ipv4 route-export site-registrations
      ipv4 map-cache site-registrations
      ipv4 distance site-registrations 250
      exit
     !
     ipv4 proxy-etr
     ipv4 proxy-itr 3.1.1.1
    !
    router bgp 65004
     !
     address-family ipv4 vrf USER
      redistribute lisp metric 10
      aggregate-address 10.1.1.0 255.255.255.0 summary-only
     exit-address-family
Campus Fabric Config
Endpoint ID Groups – Dynamic SGT
Topology: Identity Services Engine at 172.26.204.150; fabric subnets 10.1.1.0/24 and 20.1.1.0/24.
Endpoint ID Groups – Static SGT
Topology: Edge node gateway 20.1.1.1/24; fabric subnets 10.1.1.0/24 and 20.1.1.0/24.
Host Pools – Dynamic Assignment
Topology: Identity Services Engine at 172.26.204.150; Edge node gateway 20.1.1.1/24; fabric subnets 10.1.1.0/24 and 20.1.1.0/24.
Host Pools – Static Assignment
Topology: Edge node gateway 20.1.1.1/24; fabric subnets 10.1.1.0/24 and 20.1.1.0/24.
Campus Fabric – Smart CLI
Provisioning & Troubleshooting Made Simple
Smart CLI – Example: Adding a new Edge Node
Smart CLI – Example: Show Fabric Domain
More to Come!
• Underlay Network – configure the interfaces and protocols to bring up the Underlay network
• And more…
External Connectivity
Agenda
1 Border Functionality
• Internal Border
• External Border
• Platform Support
2 Border Design
• Collocated Border + C-Plane
• Separated Border / C-Plane
• One Box vs. Two Box
• Border Resiliency (HA)
3 Border Deployment
• Shared, WAN, DC @ Internal Border
• Service Chaining @ Internal Border
• Internet Connect @ External Border
Border Functionality
How does the Border work?
Campus Fabric
Border Nodes – Internal and External

Internal Border
Campus Fabric
Border Nodes – Internal Border
The Fabric Internal Border Node is based on a LISP Tunnel Router (xTR) plus the IP subnets it advertises.
All traffic entering or leaving the Fabric from and to a known destination goes through this type of node.
• Connects the DC, WAN and any other known networks to the local fabric domain.
[Slide: two Border nodes (B B) at the top of the fabric, one towards the Data Center (Data Center Border) and one towards the WAN (WAN Border).]
Campus Fabric Config
Border Nodes – Internal Border Co-located with Control Plane Node
[Four configuration slides; only the topology labels survive: fabric subnet 10.1.1.0/24, BGP towards 192.1.1.0/24.]
Campus Fabric
Border Nodes – Forwarding on Internal Border (Fabric to External Domain)
1. DNS Entry: D.abc.com A 192.1.1.1; S (10.1.1.1) in the Campus sends to D (192.1.1.1) in the Branch
2. The Edge node xTR (1.1.1.1 / 1.1.2.1) sends a Map-Request for 192.1.1.1
3. Map-cache entry: EID-prefix 192.1.1.0/24, Locator-set 2.1.1.1, priority: 1, weight: 100 (D1). Path preference is controlled by the destination site, here the Internal Border (2.1.1.1) that registered the external prefix
4. The Edge node encapsulates 10.1.1.1 -> 192.1.1.1 to the Internal Border
5. The Internal Border decapsulates and routes natively towards the Branch (192.1.1.0/24)
Sites: Campus 10.1.1.0/24 (xTRs 1.1.1.1, 1.1.2.1), DC 10.3.0.0/24 (xTRs 1.1.3.1, 1.1.4.1), Branch 192.1.1.0/24 behind the Internal Border 2.1.1.1

Campus Fabric
Border Nodes – Forwarding on Internal Border (External to Fabric Domain)
1. The routing entry in the external domain sends traffic for 10.1.1.0/24 to the exit point of the domain (the Internal Border); S (192.1.1.1) in the Branch sends to D (10.1.1.1)
2. The Internal Border (2.1.1.1) sends a Map-Request for 10.1.1.1
3. Map-cache entry: EID-prefix 10.1.1.1/32, Locator-set 1.1.1.1, priority: 1, weight: 50 (D1); 1.1.2.1, priority: 1, weight: 50 (D2). Path preference is controlled by the destination site
4. The Internal Border encapsulates 192.1.1.1 -> 10.1.1.1 to one of the Edge xTRs
5. The Edge node decapsulates and delivers to D
External Border
Campus Fabric
Border Nodes – External Border
The Fabric External Border Node is based on a LISP Proxy Tunnel Router (PxTR).
All traffic leaving the Fabric to an unknown destination goes through this type of node.
• Connects the Internet, Cloud and any other unknown networks to the local fabric domain.
[Slide: two Border nodes (B B), one towards the Cloud (Cloud Border) and one towards the Internet (Internet Border).]
Campus Fabric Config
Border Nodes – External Border Co-located with Control Plane Node
[Three configuration slides; only the topology labels survive: fabric subnet 10.1.1.0/24, external networks 150.1.1.0/24 and 192.1.1.0/24.]
Campus Fabric
Border Nodes – Forwarding on External Border
1. S (10.2.0.1) in the Campus sends to D (193.3.0.1, drawn in the Internet cloud labelled 192.3.0.0/24); the Edge node sends a Map-Request
2. EID-Prefix: not found, map-cache miss. The Edge node falls back to the configured PETR (use-petr): Locator-Set 3.1.1.1, priority: 1, weight: 100 (D1)
3. The Edge node (5.3.3.3) encapsulates 10.2.0.1 -> 193.3.0.1 to the External Border (3.1.1.1)
4. The External Border decapsulates and forwards natively to the Internet
Sites: Campus 10.2.0.0/24, DC 10.3.0.0/24
Fabric Border Platform Support and Recommendations
Platform Support – Fabric Border Nodes – Options
Platform Support – Fabric Control-Plane – Options
What is unique about Campus Fabric?
Fabric Roles & Terminology
[Figure: fabric roles with platform callouts: Cisco ISE; N7K, C6K, C3K; ASR1K, ISR4K]
Campus Fabric Components:
1. Control-Plane Nodes
a. LISP Map Server/Resolver
b. EID to RLOC Mapping
Border Design Considerations
Where do things go?
Border with HTDB Co-Located
Campus Fabric – Border Design Options
Border Nodes – Border Co-located with Control Plane Node
[Figure: combined Border/Control Plane node between fabric subnet 10.1.1.0/24 and the IP Network 192.1.1.0/24]
• The Border node and Control plane node are on the same device.
• The Control plane node maintains the database of every prefix/subnet in the Local Fabric Domain.
• Simple design and configuration.
• No additional protocols needed.
• Not every border (Internal or External) can be a control plane node.
• Control plane node scale differs between platforms.
Campus Fabric Config
Border Nodes – Border Co-located with Control Plane Node
[Figure: combined Border/Control Plane node between 10.1.1.0/24 and 192.1.1.0/24, with BGP towards the IP Network; the configuration shown on the three slides was not captured]
Border with HTDB Non Co-Located
Campus Fabric – Border Design Options
Border Nodes – Border Non Co-located with Control Plane Node
[Figure: Border node between fabric subnet 10.1.1.0/24 and the IP Network 192.1.1.0/24 (OSPF), with the Control Plane node on a separate device]
• The Border node and Control plane node are different devices.
• The Control plane node maintains the database of every prefix/subnet in the Local Fabric Domain and hence needs an additional protocol (iBGP in this case) to share EID mapping information from the control plane node to the border.
• Multiple Border nodes (Internal/External) can connect to a single or multiple sets of Control plane nodes.
• Detailed configuration is required.
Campus Fabric Config
Border Nodes – Border Non Co-located with Control Plane Node
[Figure: Control-Plane Node 5.1.1.1/32 (C); fabric devices with addresses 10.1.1.1/24, 1.1.1.1/32, 2.1.1.1/32 and 192.1.1.1/24 between fabric subnet 10.1.1.0/24 and the IP Network 192.1.1.0/24 (OSPF); the configuration shown on the five slides was not captured]
Campus Fabric – Border Resiliency Options
Border Nodes – Loop Prevention
[Figure: two Border nodes (B), one with 10.1.1.1/24, 1.1.1.1/32, 2.1.1.1/32, 192.1.1.1/24 and one with 10.1.1.1/24, 1.1.2.1/32, 3.1.1.1/32, 192.1.1.5/24, both connecting fabric subnet 10.1.1.0/24 to the IP Network 192.1.1.0/24 in the External Domain]
• eBGP is used to break loops caused by the bidirectional advertisement of routes from the fabric to the external domain when using multiple Internal Borders for redundancy/resiliency. This is done via AS-Path loop prevention.
• When using any protocol other than eBGP, an appropriate loop prevention methodology needs to be used (distribute lists, etc.).
Border Design Options
One Box vs Two Box
Campus Fabric – Border Design Options
One Box Border Design
• The One Box solution is where the Border is the boundary between the external domain and the Local fabric domain.
• The Border device advertises routes to and from the Local Fabric domain to the External Domain.
Campus Fabric – Border Design Options
One Box Border Design – Control Plane Interworking
[Figure: CONTROL-PLANE (1): LISP in the fabric interworks on the Border (B) with the External Domain (BGP/IGP)]
Campus Fabric – Border Design Options
One Box Border Design – Data Plane Interworking
[Figure: DATA-PLANE (2): VXLAN in the fabric interworks on the Border with the External Domain (IP/MPLS/VXLAN)]
Campus Fabric – Border Design Options
One Box Border Design – Policy Plane Interworking
[Figure: POLICY-PLANE (3): SGT in VXLAN in the fabric interworks on the Border with the External Domain (IP ACL/SGT)]
Campus Fabric – Border Design Options
Two Box Border Design
• The Two Box solution is a normalized hand-off solution where the Border is the edge of the fabric domain and another device represents the edge of the external domain.
• This solution requires two devices, and BGP is used between these two domain edges for exchanging connectivity and reachability information.
• This design model is chosen when the Border does not support the functionality needed to run the external domain on the same device. This can be due to hardware or software support on the device.
Campus Fabric – Border Design Options
Two Box Border Design – Control Plane Interworking
[Figure: CONTROL-PLANE (1): LISP in the fabric, BGP between the Border (B) and the external-domain edge device, External Domain (BGP/IGP)]
Campus Fabric – Border Design Options
Two Box Border Design – Data Plane Interworking
[Figure: DATA-PLANE (2): VXLAN in the fabric, VRF-LITE between the Border and the external-domain edge device, External Domain (IP/MPLS/VXLAN)]
Campus Fabric – Border Design Options
Two Box Border Design – Policy Plane Interworking
[Figure: POLICY-PLANE (3): SGT in VXLAN in the fabric, SGT Tagging between the Border and the external-domain edge device, External Domain (IP ACL/SGT)]
Border Resiliency Options
Resiliency at the Border
Track or propagate events across domains
[Figure: CONTROL-PLANE: LISP (Campus Fabric, Map Server) on one side, IGP/MP-BGP/BGP-EVPN (External Domain) on the other; DATA-PLANE: VXLAN/+SGT versus IP/MPLS/VXLAN; Border nodes (B) and External Border Routers connect the Campus Fabric to the IP Network of the External Domain]
Failures & Changes in the External Domain
External advertisements to reflect state of the External Domain
[Figure: Map Server and Border nodes (B) of the Campus Fabric connected to the IP Network of the External Domain]
• Host reachability from a router is lost or degraded.
• Host advertisements from this router are withdrawn.
• Border Routing Tables are updated to remove the faulty router.
Failures & Changes in the Campus Fabric
Dynamic redistribution of LISP state into External Domain @ Border
[Figure: CONTROL-PLANE: LISP in the Campus Fabric, IGP/MP-BGP/BGP-EVPN in the External Domain; Border nodes (B) connect the Campus Fabric to the IP Network]
• Border connectivity to the Campus Fabric Network degraded: Prefix Registration State Changes are communicated to the Border (Dynamic LISP State updates; Core Reachability Tracking).
• Prefix advertisements from this border are withdrawn.
• Routing Tables are updated to route around the failure.
Failures & Changes in the Campus Fabric
LISP Control Plane Node Separate From Border
[Figure: Map Server with a BFD-monitored BGP adjacency to the Border (B); the Border connects the Campus Fabric to the IP Network of the External Domain]
• Campus fabric prefixes are advertised in BGP from the Control Plane Node to the Border.
• The BGP adjacencies between the Control Plane node and the Border are monitored with BFD.
• Upon failure, the adjacency is broken, and the prefixes are removed at the Border and withdrawn.
• Fast convergence (BFD 180ms).
Border Deployment Models
How do things connect?
Shared Services with Internal Border
Campus Fabric – Border Deployment Options
Shared Services (DHCP, AAA etc.) With Internal Border
• The hosts in their respective virtual networks in the local fabric domain will need to have access to common shared services like
• These shared services will generally reside outside of the fabric domain.
Campus Fabric – Border Deployment Options
Shared Services (DHCP, AAA etc.) With Internal Border
[Figure: two Border nodes (B) connecting the fabric to APIC-EM and the Shared Services]
Campus Fabric Config
Shared Services (DHCP, AAA etc.) With Internal Border in Global Routing Table
[Figure: Control-Plane Node 5.1.1.1/32 (C); fabric devices with addresses 10.1.1.1/24, 1.1.1.1/32, 2.1.1.1/32 and 192.1.1.1/24; fabric subnet 10.1.1.0/24 reaches the shared services 172.10.10.0/24 over EIGRP through the IP Network; the configuration shown on the two slides was not captured]
Campus Fabric – Border Deployment Options
Shared Services (DHCP, AAA etc.) With Internal Border in a secure VRF
[Figure: two Border nodes (B) connecting the fabric to APIC-EM and the Shared Services placed in their own VRF]
Campus Fabric Config
Shared Services (DHCP, AAA etc.) With Internal Border in a secure VRF
[Figure: Host Pool 10 – Edge Node 1 – Border Node – (BGP) – Fusion Router – (BGP) – Shared Services 172.10.10.0/24; Control-Plane Node 5.1.1.1/32 (C); fabric devices 10.1.1.1/24, 1.1.1.1/32, 2.1.1.1/32, 192.1.1.1/24]
VRF definition shown on the slide (the Services VRF exports its routes with route-targets 1:1 and 2:2 so that VRFs importing those targets can reach the shared services):
ip vrf Services
 rd 3:3
 route-target export 3:3
 route-target import 3:3
 route-target export 1:1
 route-target export 2:2
WAN Connectivity with Internal Border
Campus Fabric – Border Deployment Options
WAN Connectivity With Internal Border
[Figure: two Border nodes (B) connecting the fabric to IWAN 2.x/MPLS]
Campus Fabric – Border Deployment Options
WAN connectivity with Internal Border
[Figure: CONTROL-PLANE (1): LISP in the fabric, IWAN 2.x (BGP/EIGRP) towards the BRANCH; HOST-H1 in the fabric, HOST-H2 at the branch]
[Figure: DATA-PLANE (2): VXLAN in the fabric, DMVPN across IWAN 2.x to the BRANCH]
[Figure: POLICY-PLANE (3): SGT in VXLAN in the fabric, SGT in DMVPN to the BRANCH]
[Figure: CONTROL-PLANE: Campus Fabric HTDB – Border – BGP – MPLS Domain – Branch Border – BRANCH; DATA+POLICY PLANE carried over the same path]
Service Chaining with Internal Border
Campus Fabric – Border Deployment Options
Service Chaining with Internal Border
Non-Cisco Firewall:
• Firewall is connected externally to the Campus Fabric.
• The prefixes from the local Campus Fabric domain will be advertised to the firewall with a routing protocol of choice.
• Firewall policy is interface/subnet/IP based.
Cisco Firewall:
• Firewall is connected externally to the Campus Fabric.
• The prefixes from the local Campus Fabric domain will be advertised to the firewall with a routing protocol of choice.
• An SXP connection between ISE and the Firewall is needed for derivation of SGTs on the Firewall.
• Firewall policy is based on SGTs and SG ACLs (Group Policy).
• SGACLs are enforced in the egress direction on the firewall, with the SGT information derived from the ISE connection.
[Figure: Border nodes (B) of the fabric connected to the Firewall]
Campus Fabric – Border Deployment Options
Service Chaining with Internal Border
[Figure: CONTROL-PLANE (1): LISP in the fabric, BGP/IGP between the Border (B) and the Firewall]
[Figure: DATA-PLANE (2): VXLAN in the fabric, VRF-LITE between the Border and the Firewall]
[Figure: POLICY-PLANE (3): SGT in VXLAN in the fabric, VXLAN SGT in-line Tagging towards the Firewall]
Campus Fabric – Border Deployment Options
Service Chaining with Internal Border – Cisco Firewall
[Figure: POLICY-PLANE (3): SGT in VXLAN in the fabric, VXLAN SGT in-line Tagging towards the Firewall; ISE delivers Group Policy to the Firewall over SXP]
Data Center Connectivity with Internal Border
Campus Fabric – Border Deployment Options
Data Center Connectivity With Internal Border – ACI Fabric
[Figure: CONTROL-PLANE: LISP in the Campus Fabric, EVPN-BGP towards the ACI fabric; DATA-PLANE: VXLAN+SGT in the fabric, VXLAN+EPG in ACI; Border platforms N7K ✔ and ASR1K ✔; * N7K Roadmap]
Campus Fabric – Border Deployment Options
Data Center Connectivity With Internal Border – ACI Fabric
1. MP-BGP EVPN standard control plane between the Internal Border devices and the Cisco ACI fabric spine switches: a single BGP session is required to exchange reachability information for multiple user contexts (VRF-1, VRF-2, VRF-3, etc.), thus removing the per-VRF session requirement of the traditional integration models.
[Figure: Border (B) of the Campus Fabric peering MP-BGP EVPN with the ACI spines]
Campus Fabric – Border Deployment Options
Data Center Connectivity With Internal Border – ACI Fabric
[Figure not captured]
Campus Fabric – Border Deployment Options
Data Center Connectivity With Internal Border – ACI Fabric
Internal Border – VRF stitching/mapping
1) VRFs A, B and C are the Campus Fabric domain VRFs
[Figure: Extranet]
Campus Fabric – Border Deployment Options
Data Center Connectivity With Internal Border – ACI Fabric
3. VXLAN data plane between the Internal Border and the Cisco ACI fabric to establish communication with the different domains and also to carry the information needed (SGT/EPG) for policy enforcement.
[Figure: CONTROL-PLANE (1): LISP (Campus Fabric, Map Server) and MP-BGP EVPN / VXLAN-EVPN across the IP/MPLS Network; DATA-PLANE (2): VXLAN+SGT in the fabric, VXLAN + (SGT) towards ACI; Border nodes (B)]
Campus Fabric – Border Deployment Options
Data Center Connectivity With Internal Border – Programmable Fabric Data Center
[Figure not captured; * Roadmap]
Campus Fabric – Border Deployment Options
Data Center Connectivity With Internal Border – Traditional Data Center
[Figure: CONTROL-PLANE (1): LISP (Campus Fabric, Map Server) and IGP/MP-BGP across the IP/MPLS Network; Border nodes (B)]
Campus Fabric – Border Deployment Options
Data Center Connectivity With Internal Border – Traditional Data Center
[Figure not captured]
Internet Connectivity with External Border
Campus Fabric – Border Deployment Options
Internet Connectivity With External Border
[Figure: CONTROL-PLANE (1): LISP (Campus Fabric, Map Server) and BGP towards the Internet; DATA-PLANE (2): VXLAN+SGT in the fabric, plain IP towards the Internet; Border nodes (B)]
Cloud Connectivity with External Border
Campus Fabric – Border Deployment Options
Cloud Connectivity With External Border
[Figure: CONTROL-PLANE (1): LISP in the Campus Fabric (Map Server) and LISP to the Cloud Edge (CSR1Kv) across the IP/MPLS Network; DATA-PLANE (2): VXLAN+SGT end to end; (3) the Cloud edge gets group policy from ISE over SXP; Border nodes (B); ✔ * Roadmap]
DC Integration
Agenda
1 Introduction – Why do I care?
3 Solution Demo – How does it work?
[Figure: Campus Fabric – Border Node (B) – APIC DC]
Today
Static Access Control
Need to allow Employees to talk to Webservers. Deny access to Guests.
Distinct Functionality, Distinct Domains
[Figure: a Network Operator for the campus and a separate Network Operator for Data Center A]
VXLAN and GBP extensions
Ethernet in IP with a shim for scalable segmentation and policy metadata
SGT (Campus Fabric) = EPG (ACI)
[Figure: VXLAN-GBP frame: Outer MAC Header | Outer IP Header | Outer UDP Header | VXLAN Header | Original Layer 2 Frame | FCS; the VXLAN header carries the group policy metadata]
More Good News
Campus Fabric: • Underlay • Overlay • VNID • SGT
ACI Fabric: • Underlay • Overlay • VNID • EPG
Why integrate Campus Fabric and ACI?
[Figure: ACI POLICY: ENDPOINT GROUPS (USERS, WEB, APP, DB, each with VMs) joined by CONTRACTS]
Integration
Campus and ACI Fabric Policy Key Concepts, Benefits
Recap – ACI Fabric Integrated VXLAN Overlay
• Decoupled Identity, Location and Policy
[Figure: ACI Fabric; frame format VTEP | VXLAN | IP | Payload]
• Forwarding within the Fabric is between VTEPs (ACI VXLAN tunnel endpoints) and leverages an extended VXLAN header format referred to as the ACI VXLAN policy header.
• Any workload anywhere, consistent latency; the mapping of tenant MAC or IP address to location is performed by the VTEP using a distributed mapping database.
What are SGTs?
How do they differ from EPGs?
Campus Fabric:
• SGT is a security group tag assigned to a user's or device's traffic in campus networks based on their roles.
• SGT is a 16 bit value that Cisco ISE assigns to the user's or endpoint's session upon login.
• SGT is globally unique.
ACI Fabric:
• EPG is an end point group in the ACI fabric used to group servers that require similar treatment of policy.
• EPG is hierarchical in nature.
How can we achieve normalized identity between Campus and ACI?
Campus Fabric SGTs Provisioned in ACI
[Figure: ISE dynamically provisions SGTs and IP mappings (SXP service) into APIC-DC, where they appear as EXT-EPG1 and EXT-EPG3]
ACI EPGs Automatically Propagated into Campus Fabric
[Figure: ACI EPGs (e.g. the group containing VM1) propagated to the campus via ISE]
Enabling Group-based Policies in each Domain
[Figure: SG-FW and SG-ACL in the Campus Fabric, Contract in ACI, each protecting a DB]
Sharing Context Across the Enterprise
[Figure sequence over six slides: Campus Fabric Policy Domain (ISE) and ACI Policy Domain. Auditor 10.1.10.220 in the Campus Fabric Domain sends a packet with SRC: 10.1.10.220, DST: 10.1.100.52, SGT: 5 towards PCI 10.1.100.52 in ACI. The Campus Fabric Border Device (ASR 1K/N7K*) holds an SGT # to EPG # Translation Table (SGT/EPG Namespace Alignment) and forwards the packet to the ACI Spine (N9K) carrying EPG: # in place of the SGT. * M3 Roadmap]
Goal: Mapping Policy contents across domains
[Figure: User-App: User to App Contracts; User-User: Access Control: SG-ACL; App to App Contracts between Web1, App1 and DB; Application Prioritization; QoS, Service, Filter]
It's a Journey …
Key Benefits with this integration
End to End security and segmentation
Key Benefits with this integration
Consistency with Group based policies across both domains
[Figure: SG-ACL and SG-FW protecting DB in both domains]
Key Benefits cont'd
[Figure not captured]
Connectivity Deployment Models
Campus Fabric – ACI Policy Plane Integration
How does it work?
Hardware and Software recommendations
Shipping NOW!
[Table: ACI Fabric Hardware, ACI Software, ISE, APIC; contents not captured]
Campus Fabric SGT Info Used in ACI Policies
[Figure sequence over eleven slides: Campus Fabric Policy Domain with ISE at the Controller Layer and ACI Policy Domain with its own Controller Layer, each above a Network Layer. ISE Retrieves: EPG Name: PCI EPG, EPG Binding = 10.1.100.52. ISE Exchanges: SGT Name: Auditor, SGT Binding = 10.1.10.220. The value 17000 appears on the final slide.]
How to enable this integration?
ACI Settings in ISE
ACI Settings:
• Controller
• Credentials
• Tenant name defined in ACI
• L3 Routed Network defined in ACI
ACI View
Campus Fabric Groups & Group Members shared with ACI
[Screenshot: SGTs appear as External EPGs, with their Group Members]
ISE View
ACI Groups & Group Members shared with ISE and APIC-EM
[Screenshot: EPGs appear as SGTs; Group members learnt via SXP]
Campus Fabric and ACI Integration
Frequently Asked Questions
Q: Are the policy contents being exchanged?
A: No, we are exchanging groups and their membership information. Policy is applied in each domain. ACI can enforce more granular policies.
Campus Fabric – ACI Integration Deployment Models
Summary
[Table not captured]
Considerations of Policy Plane Integration
[Table not captured]
What is unique about Campus Fabric?
Fabric Roles & Terminology
[Figure not captured]
Campus Fabric
Border Nodes – Border
The Fabric Border Node is based on a LISP Tunnel Router + IP Subnets.
All traffic entering or leaving the Fabric from and to a known destination goes through this type of node.
Connectivity High Level view
[Figure: INTERNET, Traditional L3 and IWAN 2.x connected to the VXLAN-LISP FABRIC through Edge nodes (E), with a FABRIC MANAGER]
Recap: What is an L3Out?
• L3Out is a logical construct defined to allow L3 connectivity between the ACI Fabric and the external network.
• One or more L3Outs can be defined for each given tenant (L3Outs Container, Specific L3Out).
• L3 interfaces are used on specific ACI devices (named Border Leaf nodes) to interconnect to the external routed network.
Campus Fabric to ACI
Campus Fabric Border connectivity with ACI Fabric
[Figure: LISP on the campus side, COOP on the ACI side]
Campus Fabric – ACI Data Plane Integration
[Table: ASR1K – Higher Scale Data Plane Solution – Target March 16.5.1 ✔ – Q2-CY17]
What's unique about this integration
Details
• Multi-tenancy at scale
What's unique about this integration – Details
Key Points
• VXLAN based Data-Plane
• VXLAN GBP between ASR1K and N9K ACI Spine
• Trust the Group policy id field in GBP VXLAN header on ingress
[Figure: Border – IP Network – ACI Spine]
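The VXLAN-GBP shim introduced in the frame-format slide, the SGT # to EPG # translation table of the "Sharing Context" sequence, and the "trust the Group policy id field on ingress" key point above, as one added example that is not code from the deck: a parser/builder for the 8-byte VXLAN header with the Group Based Policy extension and a Border-style rewrite of the Group Policy ID in both directions. The header layout follows draft-smith-vxlan-group-policy; SGT 5 (Auditor) and Instance Id 4098 come from the slides, while the EPG number and the handling of untagged traffic are constructed assumptions.

```python
"""VXLAN-GBP header handling and SGT <-> EPG translation (added example).

Layout per draft-smith-vxlan-group-policy: byte 0 flags (G = 0x80 group
policy present, I = 0x08 VNI valid), byte 1 flags (D = 0x40 don't learn,
A = 0x08 policy applied), bytes 2-3 Group Policy ID, bytes 4-6 VNI,
byte 7 reserved. The EPG id 32770 is a placeholder, not a value from the deck.
"""
import struct
from dataclasses import dataclass

G_FLAG, I_FLAG = 0x80, 0x08  # byte 0
D_FLAG, A_FLAG = 0x40, 0x08  # byte 1
UNKNOWN = 0                  # group id used for untagged/unmapped traffic


@dataclass(frozen=True)
class VxlanGbpHeader:
    gbp: bool
    vni_valid: bool
    dont_learn: bool
    policy_applied: bool
    group_policy_id: int
    vni: int


def parse_vxlan_gbp(header: bytes) -> VxlanGbpHeader:
    """Decode the first 8 bytes of a VXLAN(-GBP) header."""
    if len(header) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    f0, f1, gpid = struct.unpack("!BBH", header[:4])
    vni = int.from_bytes(header[4:7], "big")
    return VxlanGbpHeader(
        gbp=bool(f0 & G_FLAG),
        vni_valid=bool(f0 & I_FLAG),
        dont_learn=bool(f1 & D_FLAG),
        policy_applied=bool(f1 & A_FLAG),
        group_policy_id=gpid,
        vni=vni,
    )


def build_vxlan_gbp(vni: int, group_policy_id: int, policy_applied: bool = False) -> bytes:
    """Encode a VXLAN header with the G and I bits set and the given group id."""
    if not 0 <= group_policy_id <= 0xFFFF or not 0 <= vni <= 0xFFFFFF:
        raise ValueError("group id is 16 bits, VNI is 24 bits")
    f1 = A_FLAG if policy_applied else 0
    return struct.pack("!BBH", G_FLAG | I_FLAG, f1, group_policy_id) + vni.to_bytes(3, "big") + b"\x00"


# SG-EPG translation table as a Border would download it from ISE (constructed).
SGT_TO_EPG = {5: 32770}  # SGT 5 "Auditor" from the slides -> placeholder EPG id
EPG_TO_SGT = {epg: sgt for sgt, epg in SGT_TO_EPG.items()}


def campus_to_aci(header: bytes) -> bytes:
    """Border egress towards ACI: swap the SGT in the Group Policy ID for the EPG id.
    Untagged or unmapped traffic leaves with group id 0 so ACI never sees a
    campus-only identity it cannot interpret. The VNI is kept as-is here; a
    real border also maps the campus VNID to the ACI one."""
    h = parse_vxlan_gbp(header)
    epg = SGT_TO_EPG.get(h.group_policy_id, UNKNOWN) if (h.gbp and h.vni_valid) else UNKNOWN
    return build_vxlan_gbp(h.vni, epg, h.policy_applied)


def aci_to_campus(header: bytes) -> int:
    """Border ingress from ACI: trust the Group Policy ID only when the G bit is
    set, and map the EPG back to an SGT; anything else is treated as SGT 0."""
    h = parse_vxlan_gbp(header)
    if not h.gbp:
        return UNKNOWN
    return EPG_TO_SGT.get(h.group_policy_id, UNKNOWN)


if __name__ == "__main__":
    auditor = build_vxlan_gbp(4098, 5)            # constructed campus packet header
    towards_aci = campus_to_aci(auditor)
    print(parse_vxlan_gbp(towards_aci))           # group_policy_id=32770, vni=4098
    print(aci_to_campus(towards_aci))             # 5
```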
What's unique about this integration – Details
Key Points
• RADIUS based Control-Plane
• Download SG-EPG translation table
• Using RADIUS environment data support, download SG-EPG tables
• Existing TrustSec based network devices will include a merge of the SGs defined in ISE and the corresponding SGs assigned to EPGs learnt from the ACI / APIC controller
[Figure: Border – IP Network – ACI Spine; Campus Fabric and ACI Fabric]
Border configuration shown on the slide:
cts sg-epg translation
radius server ISE
 address ipv4 172.26.204.150 auth-port 1812 acct-port 1813
 pac key cisco
!
aaa server radius dynamic-author
 client 172.26.204.150 server-key cisco
!
aaa authentication dot1x default group ISE
aaa accounting dot1x default start-stop group ISE
aaa authorization network cts-list group ISE
!
cts authorization list cts-list
cts role-based enforcement
Campus Fabric and ACI Integration
Frequently Asked Questions
Q: How often does ISE refresh the translation table on the ASR?
A: The default is 24 Hrs, the same as the environment-data refresh timer. However, the timer is tunable in ISE. If you need to do a manual refresh, issue the "cts refresh environment-data" CLI on the Campus border.
What's unique about this integration
Details
IETF: https://tools.ietf.org/html/draft-smith-OpFlex-00
[Figure: Campus Fabric – Border – IP Network – ACI Fabric]
OpFlex agent configuration shown on the slide:
opflex agent
service vxlan-evpn
nve-id 1
bdi-ip 10.20.30.40 255.255.255.0
domain DCI identity dci-[10.4.254.115]
peer 1 ip-address 10.4.11.1 tcp-port 8009
src-ip-address 10.4.10.1
Where does the enforcement happen?
[Figure, two views: ASR1K Border (B) performing SGT <-> EPG translation (SGT-EPG) and speaking VXLAN GBP to the ACI Golf L3out; Control Plane node (C) acting as MS/MR; Edge nodes (E). The second view marks where the SGACL Policy is Applied.]
Key Benefits
Data Plane Integration
New Capabilities:
• Take the current SGT propagation methods (DMVPN, GETVPN, SXP, IPsec, GRE, LISP/VXLAN (campus fabric)) into the ACI fabric
Benefits:
• Greater scale (remove IP/Group info from leaf)
• Seamless integration
Integration
Campus and non-ACI Fabric (RADAR)
Campus Fabric Connectivity to Programmable Fabric
[Figure: Campus Fabric Policy Domain Border connected across the Enterprise Backbone to the Border of a VXLAN Fabric managed by VTS/NFM/DCNM/CLI; VXLAN data plane, BGP-EVPN control plane]
Agenda
1 Troubleshooting
Where do I begin?
2 Monitoring
What do I gain?
3 Putting It Together
Where do things go?
Troubleshooting
Where do I begin?
[Figure: Overlay Network with its Overlay Control Plane, Hosts (End-Points) and Edge Device]
Our Playground
Fabric Border Nodes (B), Control Plane Node (C), Fabric Edge Nodes
Control-Plane (CP) Nodes – Map System that manages the Endpoint to Gateway (Edge or Border) relationship.
More on our Playground
Routing Locator (RLOC) – IP address of the LISP router facing ISP
Endpoint Identifier (EID) – IP address of a host
[Figure: Underlay Network with the Control Plane node (C) 10.2.100.1 and Border nodes (B) 10.2.100.2; Overlay Network / Fabric Domain with Fabric Edges 10.2.120.1, 10.2.120.2 and 10.2.120.3; VRF Campus, Instance ID 4098, Dynamic EID Campus_10_2_1_0 with hosts 10.2.1.99 and 10.2.1.89]
Terminology
• Egress Tunnel Router (ETR): An ETR is a device that is the tunnel endpoint; it accepts an IP packet where the destination address in the "outer" IP header is one of its own RLOCs.
• Ingress Tunnel Router (ITR): An ITR is a device that is the tunnel start point; it receives IP packets from site end-systems on one side and sends LISP-encapsulated IP packets, across the Internet to an ETR, on the other side.
• xTR: An xTR refers to a device which functions both as an ITR and an ETR (which is typical), when the direction of data flow is not part of the context description.
• Proxy xTR (PxTR): A PxTR is used for inter-networking between LISP and non-LISP sites.
• Security Group (SG): Cisco TrustSec uses the device and user credentials acquired during authentication for classifying the packets by security groups (SGs) as they enter the network.
• Security Group Tag (SGT): The security group tag is the tag that is added to the packet to classify the security group.
Using loopback as LISP source
Troubleshooting becomes simple when source and destination IP are predictable
interface TenGigabitEthernet1/1/1
 ...
 ip lisp source-locator Loopback0
 ...
end
[Figure: both captured packets show SRC: 10.2.120.1, DST: 10.2.100.1]
Troubleshooting
Where do I begin?
Control Plane
What is new in the control plane?
Control Plane based on LISP
[Figure: BEFORE / AFTER comparison of the control plane]
Here is how you begin
DHCP Packet Flow, Host Registration
Case 1 – DHCP packet flow
[Figure: DHCP Server reachable through the Control Plane (C) and Border (B B) nodes from FE1]
ip dhcp relay information option
ip dhcp relay information option vpn
interface vlan 3000
 ip dhcp relay source-interface Loopback0
DHCP packet flow in Campus Fabric
1 The DHCP client generates a DHCP request and broadcasts it on the network
DHCP binding on FE
Case 2 – Host Registration
[Figure: CP 10.2.100.1 (C), Border nodes (B B), FE1 with host 10.2.1.99]
CP:
router lisp
 site site_sjc
  ...
  eid-prefix instance-id 4098 10.2.1.0/24 accept-more-specifics
  exit
FE1:
router lisp
 ...
 eid-table Campus instance-id 4098
  dynamic-eid Campus_10_2_1_0
   database-mapping 10.2.1.0/24 locator-set campus_fabric
  exit
[Flowchart: Client Registration]
1a Enable LISP debugs on FE
1b Check: IPDT table has an entry?
1c Check: ARP table? Is MAC learnt?
1d Check: local LISP DB on FE?
1e Check: registration msg from FE?
1f Check: registration msg to CP?
1g Check: Client Registration DB on CP? -> COMPLETE
Failure branches: Silent Host; Client didn't get IP; LISP process issue on FE; Packet dropped on FE or on CP
1d [Figure: FE1 local LISP database entry for the host: Instance ID, EID, FE1 RLOC, Dynamic EID]
1e [Figure: fabric topology with the Control Plane node (C) and Border nodes (B B)]
Registration Message flow
1 Client sends an ARP, DHCP or DATA packet
1f Registration message on the Control Plane node (C)?
debug lisp control map-request
*Jan 17 01:56:01.045: LISP: Send map request for EID prefix IID 4098 10.2.1.99/32
1g [Figure: Control Plane node (C) registration database showing the FE1 RLOC for the registered EID; Border nodes (B B)]
Case 3 – Host Resolution
[Figure: CP 10.2.100.1 (C), Border nodes (B B)]
CP:
router lisp
 site site_sjc
  ...
  eid-prefix instance-id 4098 10.2.1.0/24 accept-more-specifics
  exit
[Flowchart: Host Resolution]
2a Check: Map cache on FE1? -> Complete
2b Check: debug on FE1?
2c Check on CP (Case 2)?
2d Check on FE3?
2e Check on CP?
Failure branches: LISP process issue on FE1; LISP process issue on FE3; LISP process issue on CP
2a [Figure: FE1 map-cache shows the Host 2 EID reachable via the FE3 RLOC; CP (C), Border nodes (B B)]
Map Request Message flow
1 A client wants to establish communication to Host2
2 No local map-cache entry for Host2 on FE1. A Map-Request is sent to the CP (Map-Resolver)
3 The CP (Map-Server) forwards the original Map-Request to FE3 (ETR), which last registered the EID subnet
2b Map-Request sent to the control plane?
debug lisp control map-request
*Jan 18 16:12:57.741: LISP: Send map request for EID prefix IID 4098 10.2.1.89/32
*Jan 18 16:12:57.741: LISP-0: EID-AF IPv4, Sending map-request from 10.2.1.89 to 10.2.1.89 for EID 10.2.1.89 /32, ITR-RLOCs 1, nonce 0x0579975B-0x0823B8E4 (encap src 10.2.120.1, dst 10.2.100.1).
[Figure: Host2 EID behind FE3; CP (C)]
2c [Figure: CP (C) holds the registrations for the FE3 RLOC and the FE1 RLOC; Border nodes (B B)]
2d Verify the map-request is forwarded to the fabric edge
debug lisp control map-request
Jan 18 16:12:58.531: LISP: Received map request for IID 4098 10.2.1.89/32, source_eid IID 4098 10.2.1.99, ITR-RLOCs: 10.2.120.1, records 1, nonce 0x0579975B-0x0823B8E4
Jan 18 16:12:58.531: LISP-0: Sending map-reply from 10.2.120.3 to 10.2.120.1.
2e [Figure: CP (C) and Border nodes (B B)]
It is the same sequence if the border is requesting
[Figure: CP (C), Border nodes (B B)]
Map Cache (on the requesting border): 10.2.1.99/32, Locator 10.2.120.1
Local Database (on FE1): 10.2.1.99/32, Locator 10.2.120.1
Recap
Case 4 – External Connectivity
[Figure: CP 10.2.100.1 (C), Border BDR 10.2.100.2 (B B), FE3 10.2.120.3 with host 10.2.1.89]
CP:
router lisp
 site site_sjc
  ...
  eid-prefix instance-id 4098 10.2.1.0/24 accept-more-specifics
  exit
BDR:
router lisp
 encapsulation vxlan
 !
 eid-table default instance-id 4098
  map-cache 10.2.1.0/24 map-request
  exit
FE3:
router lisp
 ...
 eid-table Campus instance-id 4098
  dynamic-eid Campus_10_2_1_0
   database-mapping 10.2.1.0/24 locator-set campus_fabric
  exit
[Flowchart: Client Traffic Outside]
3a Is Client in CP? (Case 2)
3b Check map cache entry on FE3? (Case 3)
3c Check BDR has entry for client IP?
3d BDR has route to dst IP? Look at the routing config for external routes
3e Is src and dst in the same VRF? Check if VRF leaking is working
Failure branch: Either packet dropped in FE or CP
3a [Figure: CP (C) and Border nodes (B B)]
3b Verification at the FE
FE3#show ip lisp map-cache instance-id 4098
LISP IPv4 Mapping Cache for EID-table vrf Campus (IID 4098), 5 entries
[Figure: Border nodes (B B)]
Encapsulation prefix
DST IP not in EID space
DST: 40.1.1.40
bit weight:  128 64 32 16 8 4 2 1
40       =     0  0  1  0 1 0 0 0
32       =     0  0  1  0 0 0 0 0   -> 32.0.0.0/4
Encapsulation prefix contd.
10.2.1.0/24 is the EID space and hosts up till 10.2.1.99 have joined
DST: 10.2.1.200
bit weight:  128 64 32 16 8 4 2 1
200      =     1  1  0  0 1 0 0 0
128      =     1  0  0  0 0 0 0 0   -> 10.2.1.128/25
3c [Figure: Border nodes (B B)]
Types of Border Node
Border Nodes – A Closer Look
• Border Node is an entry & exit point for all data traffic going in & out of the Fabric
There are 2 Types of Border Node!
[Figure: two Border nodes (B B)]
• External Border based on PxTR
• "Unknown" Routes use External Border
In case of Internal Border
Verify the routes that are being imported
Case 5 – East West Traffic
[Figure: CP (C), Border nodes (B B), FE1 with Host1 and FE3 with Host2]
CP:
router lisp
 site site_sjc
  ...
  eid-prefix instance-id 4098 10.2.1.0/24 accept-more-specifics
  exit
FE1:
router lisp
 ...
 eid-table Campus instance-id 4098
  dynamic-eid Campus_10_2_1_0
   database-mapping 10.2.1.0/24 locator-set campus_fabric
  exit
FE3:
router lisp
 ...
 eid-table Campus instance-id 4098
  dynamic-eid Campus_10_2_1_0
   database-mapping 10.2.1.0/24 locator-set campus_fabric
  exit
[Flowchart: Client Traffic Inside]
4a Check if both IPs are in CP? (Case 2)
4b Check LISP map cache on FE1? (Case 3)
4c Check LISP map cache on FE3? (Case 3)
Get the RLOC IP for SRC and DST, then find out where the packet is getting dropped
4a [Figure: CP (C)]
Verification at the FEs
4b [Figure: FE1, RLOC 10.2.120.1]
FE1#show ip lisp instance-id 4098 database
10.2.1.99/32, locator-set rloc_021a8c01-5c45-4529-addd-b0d626971a5f
  Locator     Pri/Wgt  Source    State
  10.2.120.1  10/10    cfg-intf  site-self, reachable
Case 6 – Host Mobility
[Figure: CP (C), Border nodes (B B), Host1 and Host2]
Map Request Message flow
1 Host1 moves from FE1 to FE2
2 FE2 saves the host info in its local database and sends the registration message to the control plane
3 The Map-Server adds to the database the entry for the specific EID, associated to the RLOCs
4 The Map-Server sends a Map-Notify message to FE1, the last FE that registered the 10.2.1.99/32 prefix
5 FE1 receives the Map-Notify message from the CP and adds the route associated to the 10.2.1.99 EID to the away table
Verification at the FEs
FE1#show ip lisp away instance-id 4098
LISP Away Table for router lisp 0 (Campus) IID 4098
Entries: 1
Prefix         Producer
10.2.1.99/32   local EID
[Figure: Host EID moved from FE1 to FE2]
Map Request Message flow
1 The LISP process on FE1, receiving the first data packet, creates a control plane message (SMR) and sends it to the remote FE3 (ITR) that generated the packet
2 FE3 sends a new Map-Request for the desired destination (10.17.1.99) to the Map-Server
3 The Map-Request is forwarded by the Map-Server to FE2, which registered the /32 EID address last
4 FE2 replies with updated mapping information to the remote FE3
5 FE3 updates the information in its map-cache, adding the specific /32 EID address associated to the xTRs deployed in the East site (10.2.120.1 and 10.2.120.2)
Locator/ID Separation Protocol (LISP) Internet Groper – "lig"
FE1#lig 18.18.18.18 instance-id 4098
Mapping information for EID 18.18.18.18 from 172.16.1.2 with RTT 7 msecs
18.18.18.18/32, uptime: 00:00:00, expires: 23:59:59, via map-reply, complete
  Locator     Uptime    State  Pri/Wgt
  10.2.120.4  00:00:00  up     10/10
Troubleshooting
Where do I begin?
Data Plane
What is unique about Campus Fabric?
Key Components – VXLAN
ORIGINAL PACKET:   ETHERNET | IP | PAYLOAD
PACKET IN LISP:    ETHERNET | IP | UDP | LISP | IP | PAYLOAD   (supports L3 overlay)
PACKET IN VXLAN:   ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD   (supports L2 & L3 overlay)
LISP & VXLAN Headers
Similar Format – Different Payload
LISP Header – IP based; VXLAN Header – Ethernet based
[Figure: OUTER HEADER (UDP destination port 4789) | OVERLAY HEADER | INNER HEADER]
VXLAN Header
[Figure: header field layout]
Next-Hop MAC Address
Checksum
Outer IP Header: Source IP (32) – Src RLOC IP Address; Dest. IP (32) – Dst RLOC IP Address
Source Port (16)
VXLAN header (8 Bytes): Segment ID (16); VN ID (24) – allows 16M possible VRFs; Reserved (8)
Original Payload
Packet Flow in Fabric
[Figure: Encapsulation at the ingress edge (VXLAN with VN ID and SGTag), transport across the IP Network, Decapsulation at the egress edge (VXLAN with VN ID and SGTag)]
What to look for in packet capture?
Frame 1: 192 bytes on wire (1536 bits), 192 bytes captured (1536 bits)
Ethernet II, Src: CiscoInc_c5:db:47 (88:90:8d:c5:db:47), Dst: CiscoInc_5b:58:fb (0c:f5:a4:5b:58:fb)
Internet Protocol Version 4, Src: 10.2.120.1, Dst: 10.2.120.3
User Datagram Protocol, Src Port: 65354 (65354), Dst Port: 4789 (4789)
    Source Port: 65354
    Destination Port: 4789
    Length: 158
    Checksum: 0x0000 (none)
    [Stream index: 0]
(OUTER HEADER)
Packet in Wireshark
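The capture above only shows the outer header. The parser below is an added example (not code from the session deck) that decodes a complete VXLAN frame the way the VXLAN header slide describes it: outer Ethernet/IPv4/UDP, the 8-byte VXLAN header with the Group Policy extension carrying the SGT, and the inner Ethernet/IPv4 headers. The sample frame is constructed from the addresses on the slides (FE1 10.2.120.1 to FE3 10.2.120.3, VNI 4098 for VRF Campus, SGT 5, inner 10.2.1.99 to 10.2.1.89); the inner MAC addresses are made up. The VXLAN-GBP bit positions are those of the VXLAN Group Policy Option draft, and the MTU helper uses the 50-byte overhead the encapsulation adds to an inner IP packet.

```python
"""Decode a VXLAN-GBP frame the way a fabric operator reads a capture (added example)."""
import socket
import struct

VXLAN_PORT = 4789
ETH_HDR_LEN = 14
IPV4_HDR_LEN = 20          # no IP options in fabric-generated outer headers
UDP_HDR_LEN = 8
VXLAN_HDR_LEN = 8

# VXLAN flag bits (byte 0) and Group Policy bits (byte 1) per the VXLAN-GBP draft
VXLAN_FLAG_G = 0x80        # Group Policy ID field is present
VXLAN_FLAG_I = 0x08        # VNI field is valid
GBP_FLAG_D = 0x40          # Don't Learn
GBP_FLAG_A = 0x08          # policy already Applied


def required_underlay_mtu(inner_ip_mtu: int) -> int:
    """Underlay IP MTU needed to carry an inner IP packet of this size unfragmented:
    inner Ethernet (14) + VXLAN (8) + UDP (8) + outer IPv4 (20) = 50 bytes on top."""
    return inner_ip_mtu + ETH_HDR_LEN + VXLAN_HDR_LEN + UDP_HDR_LEN + IPV4_HDR_LEN


def parse_vxlan_gbp(frame: bytes) -> dict:
    """Return outer RLOCs, VNI, SGT (None without GBP), GBP flags and inner endpoints."""
    min_len = 2 * ETH_HDR_LEN + 2 * IPV4_HDR_LEN + UDP_HDR_LEN + VXLAN_HDR_LEN
    if len(frame) < min_len:
        raise ValueError("frame too short for VXLAN over IPv4 carrying IPv4")
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("outer EtherType is not IPv4")
    off = ETH_HDR_LEN

    ihl = (frame[off] & 0x0F) * 4
    if frame[off + 9] != 17:
        raise ValueError("outer IPv4 protocol is not UDP")
    outer_src = socket.inet_ntoa(frame[off + 12:off + 16])
    outer_dst = socket.inet_ntoa(frame[off + 16:off + 20])
    off += ihl

    src_port, dst_port = struct.unpack_from("!HH", frame, off)
    if dst_port != VXLAN_PORT:
        raise ValueError(f"UDP destination port {dst_port} is not VXLAN")
    off += UDP_HDR_LEN

    flags, gbp_flags, gpid, vni_field = struct.unpack_from("!BBHI", frame, off)
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag clear: VNI is not valid")
    has_gbp = bool(flags & VXLAN_FLAG_G)
    off += VXLAN_HDR_LEN

    if struct.unpack_from("!H", frame, off + 12)[0] != 0x0800:
        raise ValueError("inner EtherType is not IPv4")
    off += ETH_HDR_LEN
    inner_src = socket.inet_ntoa(frame[off + 12:off + 16])
    inner_dst = socket.inet_ntoa(frame[off + 16:off + 20])

    return {
        "outer_src": outer_src,                 # source RLOC
        "outer_dst": outer_dst,                 # destination RLOC
        "udp_src_port": src_port,               # flow entropy for ECMP in the underlay
        "vni": vni_field >> 8,                  # 24-bit VN ID; the low byte is reserved
        "sgt": gpid if has_gbp else None,       # Group Policy ID carries the SGT
        "gbp_dont_learn": has_gbp and bool(gbp_flags & GBP_FLAG_D),
        "gbp_policy_applied": has_gbp and bool(gbp_flags & GBP_FLAG_A),
        "inner_src": inner_src,
        "inner_dst": inner_dst,
    }


def _ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header; checksum left at 0, as in the capture on the slide."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + payload_len, 0, 0,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def build_sample_frame(with_gbp: bool = True) -> bytes:
    """Constructed frame: FE1 10.2.120.1 -> FE3 10.2.120.3, VNI 4098, SGT 5,
    inner 10.2.1.99 -> 10.2.1.89. Inner MACs are made up; outer MACs are the slide's."""
    inner_payload = bytes.fromhex("0800000000010001")          # ICMP echo request, no data
    inner_ip = _ipv4_header("10.2.1.99", "10.2.1.89", 1, len(inner_payload)) + inner_payload
    inner_eth = bytes.fromhex("0050569400bb") + bytes.fromhex("00505694d054") + b"\x08\x00"
    inner_frame = inner_eth + inner_ip
    flags = VXLAN_FLAG_I | (VXLAN_FLAG_G if with_gbp else 0)
    vxlan = struct.pack("!BBHI", flags, 0, 5 if with_gbp else 0, 4098 << 8)
    udp_len = UDP_HDR_LEN + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", 65354, VXLAN_PORT, udp_len, 0)
    outer_ip = _ipv4_header("10.2.120.1", "10.2.120.3", 17, udp_len)
    outer_eth = bytes.fromhex("0cf5a45b58fb") + bytes.fromhex("88908dc5db47") + b"\x08\x00"
    return outer_eth + outer_ip + udp + vxlan + inner_frame


if __name__ == "__main__":
    for key, value in parse_vxlan_gbp(build_sample_frame()).items():
        print(f"{key:>20}: {value}")
    print(f"underlay IP MTU for 1500-byte inner packets: {required_underlay_mtu(1500)}")
```

On a real capture, the fields to compare against the fabric configuration are the RLOC pair (must be fabric loopbacks), the VNI (must match the instance-id of the VRF the host belongs to) and the SGT (must match the value ISE assigned in the authentication session); a frame whose G flag is clear carries no group policy and will be classified by the egress edge from its IP-to-SGT bindings instead.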
Underlay MTU
FE1#ping 10.2.120.3 source 10.2.120.1 size 1500 df-bit
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.120.3, timeout is 2 seconds:
Packet sent with a source address of 10.2.120.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/5 ms
FE1#
FE1#ping 10.2.120.3 source 10.2.120.1 size 1501 df-bit
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.120.3, timeout is 2 seconds:
Packet sent with a source address of 10.2.120.1
.....
Success rate is 0 percent (0/5)
FE1#
[Figure: CP (C) and Border nodes (B B)]
Default route in Underlay
If you have this config:
DON'T:
router lisp
 ...
 eid-table default instance-id <>
 ...
DO:
router lisp
 ...
 eid-table vrf Default instance-id <>
 ...
Overlay EID Loopback
[Figure: CP (C), Border nodes (B B), FE1 with Host1 and FE3 with Host2]
CP:
router lisp
 site site_sjc
  ...
  eid-prefix instance-id 4098 20.20.20.20/32
  eid-prefix instance-id 4098 21.21.21.21/32
  exit
One fabric edge:
router lisp
 ...
 eid-table Campus instance-id 4098
  database-mapping 20.20.20.20/32 locator-set campus_fabric
interface Loopback20
 ip vrf forwarding Campus
 ip address 20.20.20.20 255.255.255.255
The other fabric edge:
router lisp
 ...
 eid-table Campus instance-id 4098
  database-mapping 21.21.21.21/32 locator-set campus_fabric
interface Loopback21
 ip vrf forwarding Campus
 ip address 21.21.21.21 255.255.255.255
Fabric Edge Loopback Ping Test
FE1#ping vrf Campus 20.20.20.20 source 21.21.21.21 size 1500 df-bit
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.20, timeout is 2 seconds:
Packet sent with a source address of 21.21.21.21
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 3/3/5 ms
FE1#
[Figure: CP (C) and Border nodes (B B)]
Initial packets get dropped until Host Resolution is complete
Embedded Packet Capture
FE#monitor capture lispcap interface te 1/0/1 both match any limit file location flash:lispcap
1 0.000000000 172.16.1.2 -> 10.2.110.2 UDP 124 Source port: 65357 Destination port: vxlan
2 0.001160000 10.2.203.2 -> 10.2.120.4 UDP 124 Source port: 65351 Destination port: vxlan
3 0.114937000 172.16.1.1 -> 224.0.0.10 EIGRP 74 Hello
4 1.013745000 172.16.1.2 -> 10.2.110.2 UDP 124 Source port: 65357 Destination port: vxlan
5 1.017345000 10.2.203.2 -> 10.2.120.4 UDP 124 Source port: 65351 Destination port: vxlan
6 2.012271000 172.16.1.2 -> 10.2.110.2 UDP 124 Source port: 65357 Destination port: vxlan
7 2.014704000 10.2.203.2 -> 10.2.120.4 UDP 124 Source port: 65351 Destination port: vxlan
8 2.199264000 172.16.1.2 -> 10.2.110.1 UDP 116 Source port: 65474 Destination port: vxlan
9 2.202622000 10.2.200.2 -> 172.16.1.2 ICMP 70 Destination unreachable (Port unreachable)
Troubleshooting
Where do I begin?
Policy Plane
Cisco TrustSec
Simplified segmentation with Group Based Policy
[Figure: Classification (static or dynamic SGT assignments) at the Campus Switch; the DC switch receives policy for only what is connected. SGT assignments: Employee Tag, Supplier Tag, Non-Compliant Tag; endpoints Employee, Voice, Supplier and Non-Compliant across VLAN A and VLAN B]
Cisco TrustSec
Two ways to assign SGT
[Figure: Campus Access / Distribution / Core, Enterprise Backbone, DC Core / DC Access; MAB at the access layer]
Verification on FEs
FE1#show authentication sessions mac 0050.5694.d054 details
            Interface:  GigabitEthernet1/0/2
               IIF-ID:  0x100CBC000000088
          MAC Address:  0050.5694.d054
         IPv6 Address:  Unknown
         IPv4 Address:  10.2.1.99                    <- Host EID
            User-Name:  joe
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
       Session Uptime:  28127s
    Common Session ID:  0A04010300000FB00003640C
      Acct Session ID:  0x00000FA5
               Handle:  0x98000003
       Current Policy:  POLICY_Gi1/0/2
Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Server Policies:
           Vlan Group:  Vlan: 3000                   <- VLAN
            SGT Value:  5                            <- SGT Tag
Method status list:
       Method           State
       dot1x            Authc Success                <- Auth type
Cisco TrustSec
Ingress Classification with Egress Enforcement
[Figure: the user is authenticated and classified as Marketing (SGT 5) at ingress; destination classification CRM: SGT 20, Web: SGT 30; at egress the FIB lookup maps the Destination MAC to SGT 20 and the policy is enforced]
Verification on FEs
FE1#show cts role-based sgt-map 10.2.1.99/32
Active IPv4-SGT Bindings Information
IP Address    SGT   Source
============================================
10.2.1.99     5     L3IF
Cisco TrustSec (CTS)
Would you like to know more?
• Suggested Reading:
• BRKCRS-2891 - Enterprise Network Segmentation with Cisco TrustSec
• BRKSEC-2203 - Intermediate - Enabling TrustSec Software-Defined Segmentation
• BRKSEC-2044 - Building an Enterprise Access Control Architecture Using ISE and TrustSec
• Other References:
• RADIUS and AAA troubleshooting cisco.com/c/en/us/td/docs/storage/san_switches/mds9000/sw/rel_3_x/troubleshooting/guide/trblgd/ts_aaa.pdf
• Cisco TrustSec Troubleshooting https://communities.cisco.com/docs/DOC-69479#jive_content_id_Debugging
• Cisco TrustSec Config Guide cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec.html
• CTS Architecture Overview cisco.com/docs/switches/lan/trustsec/configuration/guide/trustsec/arch_over.html
• CTS 2.0 Design Guide cisco.com/td/docs/solutions/Enterprise/Security/TrustSec_2-0/trustsec_2-0_dig.pdf
• Fundamentals of TrustSec https://www.youtube.com/watch?v=78-GV7Pz18I
Monitoring
What do I gain?
Control Plane Monitoring
• CLI
• YANG Models
[Figure: CP (C) and Border nodes (B B)]
Switch#show lisp
Router-lisp ID: 0
Locator table: default
EID instance count: 3
Monitor via CLI
• show lisp
• show ip lisp statistics
• show ip lisp database
• show ip lisp map-cache
• show ip lisp route-import
Router# show ip lisp statistics
LISP Statistics - last cleared: never
Control Packets:
  Map-Requests in/out: 76/35
  Encapsulated Map-Requests in/out: 76/35
  RLOC-probe Map-Requests in/out: 0/0
  Map-Reply records in/out: 35/76
  Authoritative records in/out: 0/76
  Non-authoritative records in: 35
  Negative records in: 35
  RLOC-probe records in/out: 0/0
  Map-Registers out: 626
Errors:
  Map-Request format errors: 0
  Map-Reply format errors: 0
  Map-Reply spoof alerts: 0
  Mapping record TTL alerts: 0
Cache Related:
  Cache entries created/deleted: 72/69
  Number of EID-prefixes in map-cache: 3
  Number of negative entries in map-cache: 3
  Total number of RLOCs in map-cache: 0
  Average RLOCs per EID-prefix: 0
Forwarding:
  Number of data signals processed: 35 (+ dropped 0)
  Number of reachability reports: 0 (+ dropped 0)
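The statistics above are what a monitoring job should scrape rather than read by eye. The script below is an added example (not code from the session deck or from Cisco) that parses the `show ip lisp statistics` text into counters and derives the signals worth alerting on: spoof and format alerts under Errors, dropped data signals, Map-Requests that never got a reply record back, and a map-cache made up entirely of negative entries. SAMPLE_OUTPUT is the slide's output re-typed as constructed input; the interpretation of "spoof alerts" as Map-Replies that matched no outstanding request is an assumption stated in the comment.

```python
"""Parse 'show ip lisp statistics' and flag control-plane trouble (added example)."""
import re

# Constructed input: the output shown on the slide, re-typed
SAMPLE_OUTPUT = """\
LISP Statistics - last cleared: never
Control Packets:
  Map-Requests in/out: 76/35
  Encapsulated Map-Requests in/out: 76/35
  RLOC-probe Map-Requests in/out: 0/0
  Map-Reply records in/out: 35/76
  Authoritative records in/out: 0/76
  Non-authoritative records in: 35
  Negative records in: 35
  RLOC-probe records in/out: 0/0
  Map-Registers out: 626
Errors:
  Map-Request format errors: 0
  Map-Reply format errors: 0
  Map-Reply spoof alerts: 0
  Mapping record TTL alerts: 0
Cache Related:
  Cache entries created/deleted: 72/69
  Number of EID-prefixes in map-cache: 3
  Number of negative entries in map-cache: 3
  Total number of RLOCs in map-cache: 0
  Average RLOCs per EID-prefix: 0
Forwarding:
  Number of data signals processed: 35 (+ dropped 0)
  Number of reachability reports: 0 (+ dropped 0)
"""

_PAIR = re.compile(r"^(\d+)/(\d+)$")
_SINGLE = re.compile(r"^(\d+)(?:\s*\(\+ dropped (\d+)\))?$")


def parse_lisp_statistics(text: str) -> dict:
    """Map each counter name to an int, or to a dict for 'a/b' pairs and '(+ dropped n)' lines."""
    stats = {}
    for line in text.splitlines():
        name, sep, rest = line.partition(":")
        name, rest = name.strip(), rest.strip()
        if not sep or not rest:           # section header such as "Errors:"
            continue
        pair = _PAIR.match(rest)
        if pair and "/" in name:          # "Map-Requests in/out: 76/35"
            base, _, keys = name.rpartition(" ")
            first, second = keys.split("/")
            stats[base] = {first: int(pair[1]), second: int(pair[2])}
            continue
        single = _SINGLE.match(rest)
        if single:
            value = int(single[1])
            stats[name] = value if single[2] is None else {"count": value, "dropped": int(single[2])}
    return stats


def assess(stats: dict) -> dict:
    """Health signals an operator looks at first; a non-zero or True value means look closer."""
    prefixes = stats["Number of EID-prefixes in map-cache"]
    negative = stats["Number of negative entries in map-cache"]
    return {
        # assumption: a Map-Reply arrived that matched no outstanding Map-Request
        "spoof_alerts": stats["Map-Reply spoof alerts"],
        "format_errors": stats["Map-Request format errors"] + stats["Map-Reply format errors"],
        "ttl_alerts": stats["Mapping record TTL alerts"],
        # first packets to an unresolved EID that were dropped instead of triggering resolution
        "dropped_data_signals": stats["Number of data signals processed"]["dropped"],
        # Map-Requests this device sent minus reply records it received
        "unanswered_map_requests": stats["Map-Requests"]["out"] - stats["Map-Reply records"]["in"],
        # every cached prefix is negative: nothing in the overlay resolved to an RLOC
        "all_map_cache_entries_negative": prefixes > 0 and negative == prefixes,
    }


def problems(stats: dict) -> list:
    """Names of the signals in assess() that are non-zero or True."""
    return [name for name, value in assess(stats).items() if value]


if __name__ == "__main__":
    print("problems:", problems(parse_lisp_statistics(SAMPLE_OUTPUT)))
```

On the slide's own numbers the only finding is that all three map-cache prefixes are negative with zero RLOCs, which matches a device whose overlay lookups are all resolving to "not in the fabric"; polling these counters and alerting on the delta is more useful than the absolute values, since they only reset on `clear`.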
Operation Data Models (ODM)
Interface Model definition: name: string; speed: string; duplex: string
[Figure: Interface Model Instances in XML]
EID Space Monitoring
[Chart: Users (0 to 350) over Months (1 to 5) for EID space 1, EID space 2 and EID space 3; CP (C) and Border nodes (B B)]
Monitoring
What do I gain?
Data Plane
Flexible Netflow – Input VRF
[Figure: CP (C) and Border nodes (B B)]
flow record Campus
 match ipv4 source address
 match ipv4 destination address
 match interface input
 match routing vrf input
 collect timestamp absolute first
 collect timestamp absolute last
 collect counter packets long
!
flow monitor Campus_mon
 record Campus
!
interface Vlan3000
 ip vrf forwarding Campus
 ip address 172.16.2.2 255.255.255.252
 ip flow monitor Campus_mon
Monitoring
What do I gain?
Policy Plane
SGACL Counter
FE#show cts role-based counters
Role-based IPv4 counters
From  To  SW-Denied  HW-Denied  SW-Permitted  HW-Permitted
*     *   0          0          4279066       432961
6     11  0          0          0             0
8     11  0          435        0             0
4     12  0          0          0             0
6     12  0          0          0             0
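The counter table is the policy plane's own evidence of enforcement, and the cell to notice above is SGT 8 to SGT 11 with 435 hardware denies. The script below is an added example (not code from the deck or from Cisco) that parses the `show cts role-based counters` table, lists the SGT pairs whose SGACL dropped packets, and computes the growth between two polls, which is what a monitoring job should alert on since the counters are cumulative. SAMPLE_OUTPUT re-types the slide's table as constructed input.

```python
"""Turn 'show cts role-based counters' into the SGT pairs whose SGACL is dropping traffic (added example)."""
from typing import Dict, List, Tuple

# Constructed input: the counters shown on the slide, re-typed
SAMPLE_OUTPUT = """\
Role-based IPv4 counters
From    To      SW-Denied  HW-Denied  SW-Permitted  HW-Permitted
*       *       0          0          4279066       432961
6       11      0          0          0             0
8       11      0          435        0             0
4       12      0          0          0             0
6       12      0          0          0             0
"""

COLUMNS = ("from_sgt", "to_sgt", "sw_denied", "hw_denied", "sw_permitted", "hw_permitted")


def parse_rbacl_counters(text: str) -> List[Dict]:
    """One dict per counter row; '*' is kept so the wildcard (default policy) row stays visible."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != len(COLUMNS) or not fields[2].isdigit():
            continue                          # title line or column header
        row = {"from_sgt": fields[0], "to_sgt": fields[1]}
        for name, value in zip(COLUMNS[2:], fields[2:]):
            row[name] = int(value)
        rows.append(row)
    return rows


def denied_pairs(rows: List[Dict]) -> List[Tuple[str, str, int]]:
    """(from, to, software + hardware denies) for every cell that denied packets, largest first."""
    hits = [(r["from_sgt"], r["to_sgt"], r["sw_denied"] + r["hw_denied"])
            for r in rows if r["sw_denied"] + r["hw_denied"] > 0]
    return sorted(hits, key=lambda h: h[2], reverse=True)


def denied_delta(before: List[Dict], after: List[Dict]) -> List[Tuple[str, str, int]]:
    """Pairs whose denied count grew between two polls. The counters only reset on clear,
    so a rising value, not the absolute number, is what deserves an alert."""
    old = {(f, t, n): n for f, t, n in denied_pairs(before)}
    old = {(f, t): n for (f, t, n) in old}
    growth = []
    for f, t, n in denied_pairs(after):
        diff = n - old.get((f, t), 0)
        if diff > 0:
            growth.append((f, t, diff))
    return sorted(growth, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    rows = parse_rbacl_counters(SAMPLE_OUTPUT)
    print("denied:", denied_pairs(rows))
    later = parse_rbacl_counters(SAMPLE_OUTPUT.replace("435", "500"))
    print("growth since last poll:", denied_delta(rows, later))
```

A pair that keeps growing after the policy was reviewed is either a misclassified endpoint (check its session with `show authentication sessions` as above) or a policy that is correct and a host that is persistently trying to cross a segment boundary; both are worth a ticket, and the SGT pair tells you which ISE matrix cell to look at.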
Putting It Together
Where do things go?
Campus Fabric Control-Plane Node
[Figure: Control-Plane node (C) 10.2.100.1/32 reachable over the IP Network from the Border (B); EID prefix 10.2.1.0/24 at the fabric edges]
Locator / ID Separation Protocol (LISP)
Would you like to know more?
Suggested Reading:
BRKRST-3045 - LISP - A Next Generation Networking Architecture
BRKRST-3047 - Troubleshooting LISP
BRKCRS-3510 - LISP in Campus Networks
Other References:
Cisco LISP Site http://lisp.cisco.com
Cisco LISP Marketing Site http://www.cisco.com/go/lisp/
LISP Beta Network Site http://www.lisp4.net or http://www.lisp6.net
IETF LISP Working Group http://tools.ietf.org/wg/lisp/
Fundamentals of LISP https://www.youtube.com/watch?v=lKrV1qB8uqA
Agenda
1 Key Benefits
Why do I care?
3 Getting Started
What are the Platform/Network considerations?
5 Wireless
How does Wireless work over Campus Fabric?
6 Takeaway
How do I get started?
Getting Started
Network Considerations
Network Considerations - MTU
Underlay Networks
• Ensure that all switches have IP reachability to infrastructure elements
• Ideal design is routed access – allows the fabric to extend to the very edge of the campus network
• Strong recommendation to follow campus CVDs with routed access
[Figure: three underlay topologies, U-Topology (L3 core, L2 access), Collapsed Core (L3 core, L2 access) and Routed Access (L3 to the access layer)]
Overlay Network
IP Addressing for Overlay and Underlay
• Know your IP addressing and IP scale requirements
• Best to use a single aggregate for all Underlay Network addresses
[Figure: Underlay Network with loopbacks 10.10.10.254/32, 10.10.10.253/32 and 10.10.10.252/32 and point-to-point link 10.10.10.4/30]
Virtual Networks
• RLOC/Underlay connectivity in the Global Routing Table
• Loopback interfaces for management in their own VN (Default)
• Other VNs can be used for segmentation for users, devices, roles, and others
[Figure: Border with VNs USERS #1 and USERS #2; DHCP Server and NTP Server within the fabric scope of management]
Location of Shared Services Infrastructure
• Could be in campus distribution block or campus core for small commercial or enterprise deployments
• Larger deployments have infrastructure services hosted in the Data Center
• Hybrid model also possible (mix of distribution/core/Data Center)
[Figure: Infrastructure Services at Distribution, at Core, and in the Data Center (Large Enterprise Deployment)]
Know What is Connecting to the Existing Network
• Deploy ISE
• Turn on device sensor on switches
• Turn on profiling on ISE
• This provides visibility into what types of endpoints are connecting into the network
• It also provides data on which part of the network they are connecting from
• This data will be useful in determining Segmentation policy in Campus Fabric
Deployments
• Campus Networks
• Branch Networks
Campus Network
(Diagram: Branch reached over MPLS/IWAN, DC over IWAN, Internet over I-NET; WAN Block, DC Block, Internet Block and Services Block (DDI) hanging off a Super Core and Core)
Branch Network
(Diagram: Branch with IWAN over MPLS and I-NET, DDI services, a Collapsed Core and an Access Layer)
Approaches to Migration
• Parallel Install
• Migrating One Switch at a time
Parallel Install Option
Conditions and Advantages
• May work in Branch deployments
• Sufficient cable runs exist in the current networking plan
• Sufficient power and outlets exist in the current power plan
• Existing brownfield network has legacy hardware
• Upgrade most of the wired network
• Option of redesigning IP networks from scratch instead of continuing the complexities of legacy network
• Advantage lies in testing users on entire new network prior to full migration of entire site
• During migration, users with problems but immediate access needs can be moved back to old network allowing them to continue their work, while troubleshooting can be performed on the SDA network
Migrate One Switch At A Time Option
Conditions and Advantages
• Works in both Campus and Branch deployments
• Needs a couple of extra fiber runs to the distribution switch
• Sufficient power and a couple of outlets needed in the current power plan
• Existing brownfield network has legacy hardware
• Upgrade some of the wired network
• Switch by Switch upgrade of certain layers of the network is possible
• Legacy IP design has to be continued for reducing downtime
• During migration, users with problems but immediate access needs can be moved back to old network allowing them to continue their work, while troubleshooting can be performed on the SDA network
Parallel Install Option for Campus Networks
(Diagram: new fabric installed in parallel with the existing campus blocks – Branch over MPLS/IWAN, DC over IWAN, Internet over I-NET, DDI services)
Parallel Network Option for Branch Networks
(Diagram: new fabric installed in parallel with the existing branch – IWAN over MPLS and I-NET, DDI services)
Hardware Refresh – Hardware Reconfigure
Access Network Designs
• Multi-layer L2 Access – Will also address hardware refresh scenario
Layer-2 Access Network
(Diagram: multi-layer L2 access campus – Branch over MPLS/IWAN, DC over IWAN, Internet over I-NET; WAN Block, DC Block, Internet Block and Services Block (DDI) off a Super Core and Core)
Connecting the Fabric External Border
• Strong desire not to touch the Core layer in the existing network
• Current Core platform does not support Fabric functionality
• Add a Border platform switch and connect it to the Core layer
• Choose a platform that will be re-purposed to a dedicated Control Plane Node (if needed)
• In this example, we will add a Fabric External Border switch and connect it to the Core layer
Connecting the first Fabric Edge
• Depends on which layer of the network the VLANs are spanned across:
• Aggregation
• Core
• Or sometimes even SuperCore
• The Fabric Edge switch connects to where the VLANs are being aggregated
• Example – If VLANs are NOT being spanned across Core layer, connect first Fabric Edge switch at Aggregation; if the VLANs ARE being spanned across Aggregation layer, connect the first Fabric Edge switch at Core, and so on.
• In this example, we will assume that VLANs are being spanned across Access layer, so Fabric Edge switch is attached to the aggregation switch.
Simplified View
(Diagram: Edge Node 192.168.200.254/32 – IP Network – Border/Control Plane Node 192.168.200.1/32 (C) – External Network)
Getting Started Steps
• Connect a switch to the Core layer that will act as the External Border
• Host the Control Plane function on the External Border for simplicity
• Add a switch in the access layer that will act as the Fabric Edge
• Integrate the switch in the existing network in Routed Access design.
• IS-IS is the recommended option for Fabric networks, but any IGP could do.
• APIC-EM PnP can be used for Day Zero operations to integrate the switch.
Layer-2 Access Network – Simplified View
(Diagram: Layer-2 access network with Branch over MPLS/IWAN, DC over IWAN, Internet over I-NET and DDI services)
Prepping the Switch
• Do not forget to set the following on the Edge node and other nodes in the underlay:
• Set MTU to 9100 on the switch and the existing network.
• Configure ‘ip routing’
• Set ‘username’ and ‘password’ for device access
• Configure VTY and console lines for device access
• Configure NTP
• Configure SNMP, syslog
• Configure Loopback0 (/32) for RLOC, another interface for Management and underlay IP addresses
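One way to carry out that checklist on the Edge node, as an added example that is not from the session deck: credentials, the 10.1.5.x NTP/SNMP/syslog addresses, the interface numbers and the IS-IS NET are placeholders; 192.168.200.254/32 is the Edge Node RLOC shown in the diagrams and 10.10.10.4/30 the underlay link from the addressing slide.

```ios
! Added example, not from the deck: underlay preparation of a Fabric Edge
! (Catalyst, IOS-XE). Values in angle brackets, the 10.1.5.x servers,
! the interface numbers and the NET are placeholders.
hostname FE-SJC18-01
ip routing
system mtu 9100
!
! Device access: local account with a hashed secret, SSH only on the VTYs
username admin privilege 15 secret <STRONG-SECRET>
enable secret <STRONG-ENABLE-SECRET>
ip domain-name fabric.example
crypto key generate rsa modulus 2048
ip ssh version 2
line console 0
 login local
 exec-timeout 10 0
line vty 0 4
 login local
 transport input ssh
 exec-timeout 10 0
!
! Time, management and logging; SNMP read-only and limited to the
! management subnet by ACL 10
ntp server 10.1.5.253
access-list 10 permit 10.1.5.0 0.0.0.255
snmp-server community <RO-COMMUNITY> RO 10
logging host 10.1.5.250
logging trap informational
!
! Loopback0 is the /32 RLOC that 'router lisp' binds to on the next slide
interface Loopback0
 ip address 192.168.200.254 255.255.255.255
!
! IS-IS as the underlay IGP; the RLOC is advertised via the passive loopback
router isis
 net 49.0001.1921.6820.0254.00
 is-type level-2-only
 metric-style wide
 passive-interface Loopback0
!
! Routed (not switched) uplink into the underlay, already at 9100 bytes
interface TenGigabitEthernet1/1/1
 no switchport
 mtu 9100
 ip address 10.10.10.5 255.255.255.252
 ip router isis
 isis network point-to-point
```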
Fabric Configuration on Edge node
router lisp
 encapsulation vxlan
 locator-table default
 locator-set rloc_SJC18
  IPv4-interface Loopback0 priority 10 weight 10
  exit
 !
 disable-ttl-propagate
 ipv4 sgt
 ipv4 use-petr 192.168.200.1
 ipv4 itr map-resolver 192.168.200.1
 ipv4 itr
 ipv4 etr map-server 192.168.200.1 key cisco
 ipv4 etr
 exit
Border and Control Plane Configuration
Border:
router lisp
 encapsulation vxlan
 locator-table default
 locator-set border
  IPv4-interface Loopback0 priority 10 weight 10
  exit
 !
 disable-ttl-propagate
 ipv4 map-server
 ipv4 map-resolver
 ipv4 sgt
 ipv4 proxy-etr
 ipv4 proxy-itr 192.168.200.1
 ipv4 itr map-resolver 192.168.200.1
 ipv4 etr map-server 192.168.200.1 key cisco
 ipv4 etr
 exit
Control Plane:
router lisp
 site site_uci
  authentication-key cisco
  exit
 ipv4 map-server
 ipv4 map-resolver
 exit
VRF Configuration on Edge and Border
ip vrf CORPORATE
 rd 1:1
 route-target export 1:1
 route-target import 1:1
Configure L2 VLAN and SVI at Edge Node
vlan 3
 name Corporate_Users
!
ip dhcp snooping
ip dhcp snooping vlan 3
!
device-tracking tracking
!
interface Vlan3
 ip vrf forwarding CORPORATE
 ip dhcp relay source-interface Loopback0
 ip address 10.2.3.254 255.255.255.0
 ip helper-address global 10.1.5.252
 no ip redirects
 ip local-proxy-arp
 ip route-cache same-interface
 logging event link-status
 load-interval 30
 lisp mobility CORPORATE_10_2_3_0
 shutdown
Adding EID space on Edge node
router lisp
 locator-table default
 locator-set rloc_SJC18_01
 eid-table vrf CORPORATE instance-id 10
  dynamic-eid CORPORATE_10_2_3_0
   database-mapping 10.2.3.0/24 locator-set rloc_SJC18
  exit
Adding EID space on Border/Control Plane node
router lisp
 eid-table vrf CORPORATE instance-id 10
  map-cache 10.2.3.0/24 map-request
  exit
 !
 site site_uci
  authentication-key cisco
  eid-prefix instance-id 10 10.2.3.0/24 accept-more-specifics
  exit
Exporting Fabric Prefixes to External Network
Advertising Fabric Prefixes to External Network - OSPF
Advertising Fabric Prefixes to External Network - BGP
router lisp
 locator-table default
 !
 eid-table vrf CORPORATE instance-id 10
  ipv4 route-export site-registrations
  ipv4 map-cache site-registration
  exit
!
router bgp 65001
 address-family ipv4 vrf CORPORATE
  redistribute lisp metric 10
  aggregate-address 10.2.3.0 255.255.255.0 summary-only
  neighbor 192.168.1.254 remote-as 65002
  neighbor 192.168.1.254 activate
 exit
Why BGP?
• BGP has built-in loop prevention features like AS_PATH to break loops
• Simple to keep routes distributed between Global Routing and Virtual Networks
• If IGP is used then route-maps, distribute-lists, IP ACLs need to be maintained
• Failure to maintain the above might cause routing loops in the network
Layer-2 Connection from Existing Network
(Diagram: Layer-2 connection between the existing VLAN on the Distribution switch and the VLAN in the fabric on the Edge Node 192.168.200.254/32; Border/Control Plane Node 192.168.200.1/32 towards the External Network)
• Connect the Edge node and existing Distribution switch on a Trunk Port
• Allow only VLAN003 for now
Layer-2 Connection from Existing Network
(Diagram: the SVI for VLAN003 is shut on the Distribution switch and brought up on the Fabric Edge, so the existing L2 network for that VLAN is now routed by the fabric; the same is then repeated for VLAN X)
• Perform similar configuration of other VLANs, and SVIs on the Fabric Edge node
• Shutdown the SVI of the other VLANs in existing Distribution switches
• ‘no shutdown’ the respective SVI on Fabric Edge to funnel all VLAN traffic to it
Layer-2 Connection from Existing Network
(Diagram: Edge Node 192.168.200.2/32 now carries the access ports; the Layer-2 link to the Distribution switch is removed; Border/Control Plane Node 192.168.200.1/32 towards the External Network)
• Configure the access ports in their VLANs similar to the legacy switch
• Move all the physical connections from legacy switch to new Fabric Edge
• Decommission the legacy switch from existing network
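The VLAN 3 cutover described on the last few slides (migration trunk, SVI move, access ports), as an added example that is not from the session deck. Interface numbers are placeholders; 10.2.3.254/24 is the SVI address the deck configures on the Edge node, and the example assumes the legacy Distribution SVI carried that same gateway address, which is why it has to be shut first.

```ios
! Added example, not from the deck: VLAN 3 cutover from the legacy
! Distribution switch to the Fabric Edge. Interface numbers are
! placeholders; assumes the legacy SVI used the same 10.2.3.254 gateway.
!
! --- Fabric Edge node: Layer-2 link towards the existing Distribution switch
interface TenGigabitEthernet1/1/2
 description Migration trunk to legacy Distribution
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 3
!
! --- Existing Distribution switch: matching trunk (no DTP, VLAN 3 only)
interface TenGigabitEthernet1/1
 description Migration trunk to Fabric Edge
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 3
!
! --- Existing Distribution switch: retire its VLAN 3 gateway
interface Vlan3
 shutdown
!
! --- Fabric Edge node: take over as the VLAN 3 gateway with the SVI
! configured on the earlier slide (same address the hosts already use)
interface Vlan3
 no shutdown
!
! --- Repeat per VLAN: extend both trunks, shut the legacy SVI, then
! 'no shutdown' the fabric SVI. For VLAN 4, on both trunk ports:
! switchport trunk allowed vlan add 4
!
! --- Fabric Edge node: access ports for the hosts moved over from the
! legacy switch; edge ports never take part in spanning tree
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 3
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- Once every host is on the Fabric Edge, drop the migration trunk
! before the legacy switch is decommissioned
interface TenGigabitEthernet1/1/2
 shutdown
```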
Add Second External Border/Control Plane node
(Diagram: Edge Node 192.168.200.2/32 – IP Network – Border/Control Plane Nodes 192.168.200.1/32 and 192.168.200.3/32 – External Network)
• Add or upgrade a second switch or a router as the Border/Control Plane node for redundancy.
• Modify the configurations on all the Fabric Edge nodes to add the second Border/Control Plane node.
Migration @ Work – Simplified View
(Diagram: campus with Branch over MPLS/IWAN, DC over IWAN, Internet over I-NET and DDI services)
Add Internal Border nodes as necessary
(Diagram: Edge Node 192.168.200.2/32 – IP Network – Internal Border/s 192.168.200.22/32 and 192.168.200.23/32 – WAN – Branch)
Campus Fabric
Border Nodes
Why Internal Border?
• These prevent hairpinning at the External Border node for traffic destined for known internal destinations like remote branches or the datacenter.
• Flexibility to use different platforms for Internal Border functionality than for the External Border
• Can have a different number of Internal Borders than External Borders (depends on network design)
Routing on the Internal Borders
Internal Border Routing – Importing from OSPF in LISP
Internal Border Routing – Importing from EIGRP in LISP
router lisp
 locator-set int_border
 locator-table default
 !
 eid-table vrf CORPORATE instance-id 10
  ipv4 route-import database eigrp 65535 locator-set int_border
  ipv4 distance site-registrations 250
  exit
Internal Border Routing – Advertise from LISP into OSPF
router lisp
 locator-table default
 !
 eid-table vrf CORPORATE instance-id 10
  ipv4 route-export site-registrations
  ipv4 map-cache site-registration
  exit
!
router ospfv3 123
 address-family ipv4 unicast vrf CORPORATE
  ! Summarize exported LISP prefixes
  summary-prefix 10.2.3.0/24
  redistribute lisp metric 10
  ! Use distribute-list to filter incoming routes
  distribute-list 2 in
 exit-address-family
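The filter that the ‘distribute-list 2 in’ above relies on, as an added example that is not from the session deck; it is the kind of IGP filtering the ‘Why BGP?’ slide says has to be maintained by hand when an IGP is used instead of BGP. The access-list number comes from the slide; the prefix-list and route-map names are assumed.

```ios
! Added example, not from the deck. ACL 2 is the one referenced by the
! 'distribute-list 2 in' on the Internal Border OSPF slide; the
! prefix-list and route-map names are assumptions.
!
! Never accept the fabric's own EID space back from the IGP: the deck
! installs LISP site-registration routes at distance 250, so an OSPF
! copy (distance 110) would replace them and send fabric-bound traffic
! out towards the external network instead of into the overlay.
access-list 2 remark Deny fabric EID prefix 10.2.3.0/24 learned from OSPF
access-list 2 deny   10.2.3.0 0.0.0.255
access-list 2 permit any
!
! Only registered EID space (the /24 and the host routes under it) is
! allowed out of LISP; summary-prefix then collapses it to 10.2.3.0/24.
ip prefix-list FABRIC-EID seq 5 permit 10.2.3.0/24 le 32
route-map LISP-TO-OSPF permit 10
 match ip address prefix-list FABRIC-EID
!
router ospfv3 123
 address-family ipv4 unicast vrf CORPORATE
  summary-prefix 10.2.3.0/24
  redistribute lisp metric 10 route-map LISP-TO-OSPF
  distribute-list 2 in
 exit-address-family
```

Every additional EID prefix exported from this border needs its own deny line in ACL 2 and permit line in FABRIC-EID, which is the maintenance burden the ‘Why BGP?’ slide refers to.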
Internal Border Routing – Advertise from LISP into BGP
router lisp
 locator-table default
 !
 eid-table vrf CORPORATE instance-id 10
  ipv4 route-export site-registrations
  ipv4 map-cache site-registration
  exit
!
router bgp 65003
 address-family ipv4 vrf CORPORATE
  redistribute lisp metric 10
  aggregate-address 10.2.3.0 255.255.255.0 summary-only
  neighbor 192.168.2.254 remote-as 65004
  neighbor 192.168.2.254 activate
 exit
Shared Resources
(Diagram: Edge Node 192.168.200.2/32 – IP Network – Internal Border/s 192.168.200.22/32 – shared services DDI and ISE/AD)
router lisp
 encapsulation vxlan
 locator-set int_border
  exit
 !
 eid-table vrf CORPORATE instance-id 10
  ipv4 route-import database eigrp 65535 locator-set border
  ipv4 route-export site-registrations
  ipv4 distance site-registrations 250
  ipv4 map-cache site-registration
  exit
Distribute Control Plane Node from External Border
(Diagram: Edge Node 192.168.200.2/32 – IP Network – External Border/s 192.168.200.25/32 (B) – dedicated Control Plane nodes 192.168.200.1/32 and 192.168.200.3/32 (C))
Control Plane node:
router lisp
 encapsulation vxlan
 locator-table default
 locator-set msmr
  IPv4-interface Loopback0 priority 10 weight 10
  exit
 !
 eid-table vrf CORPORATE instance-id 10
  ipv4 route-export site-registrations
  ipv4 distance site-registrations 250
  exit
router lisp
 site site_uci
  description map-server configured from apic-em
  authentication-key uci
  eid-prefix instance-id 10 0.0.0.0/0 accept-more-specifics
  eid-prefix instance-id 10 10.2.3.0/24 accept-more-specifics
  exit
 !
 ipv4 map-server
 ipv4 map-resolver
 exit
• Set up iBGP connection between the Control Plane node and External Border
router bgp 65002
 bgp log-neighbor-changes
 neighbor 192.168.200.25 remote-as 65002
 neighbor 192.168.200.25 update-source lo0
 !
 address-family vpnv4
  neighbor 192.168.200.25 activate
  neighbor 192.168.200.25 send-community both
 exit-address-family
 !
 address-family ipv4 vrf CORPORATE
  aggregate-address 10.2.3.0 255.255.255.0 summary-only
  redistribute lisp metric 10
 exit-address-family
External Border:
router lisp
 encapsulation vxlan
 locator-set border
  IPv4-interface Loopback0 priority 10 weight 10
  exit
 !
 eid-table vrf CORPORATE instance-id 10
  ipv4 route-import map-cache bgp 65002
  exit
router lisp
 ipv4 proxy-etr
 ipv4 proxy-itr 192.168.200.25
 ipv4 itr map-resolver 192.168.200.3
 ipv4 itr map-resolver 192.168.200.1
 ipv4 etr map-server 192.168.200.3 key cisco
 ipv4 etr map-server 192.168.200.1 key cisco
 ipv4 etr
 exit
• Set up iBGP connection between the External Border and Control Plane nodes
router bgp 65002
 bgp log-neighbor-changes
 neighbor 192.168.200.1 remote-as 65002
 neighbor 192.168.200.1 update-source Loopback0
 neighbor 192.168.200.3 remote-as 65002
 neighbor 192.168.200.3 update-source Loopback0
 !
 address-family vpnv4
  neighbor 192.168.200.1 activate
  neighbor 192.168.200.1 send-community both
  neighbor 192.168.200.3 activate
  neighbor 192.168.200.3 send-community both
 exit-address-family
• Redistribute BGP into IGP at the external router to advertise fabric prefixes to external network – as mentioned previously (slides 58-61)
Migration @ Work – Simplified View
(Diagram: Internal Borders, External Borders, two Control Plane Nodes and the Fabric Edge Nodes placed in the campus alongside the Branch/MPLS/IWAN, DC and Internet blocks and DDI services)
Replace Legacy Access Switches in the Network
• Use the same procedure outlined in the last three slides (67-68) to add Fabric-enabled Edge switches while replacing legacy switches in the network
• After all the legacy switches in that Distribution block are replaced with Fabric-enabled Edge switches, remove the Fabric Edge connected to the Distribution switch and use it to migrate the second Distribution block, following the same procedure as outlined previously (61-66).
Migration @ work
(Diagram: Campus Fabric with Internal Borders and External Borders in place across the Branch/MPLS/IWAN, DC and Internet blocks and DDI services)
Wireless
Wireless Deployment models
• Cisco Unified Wireless Network (Centralized Wireless)
• Flex Connect
• Converged Access
Where do I connect WLCs and APs
• WLCs connect outside the fabric, to an Internal Border
• APs can connect in the overlay EID space in the fabric
• Leverage stretched wired subnets to create one VLAN across fabric for all APs
Centralized Wireless and Campus Fabric
(Diagram: Campus Fabric with Edge Node 192.168.200.2/32 and Internal Border/s 192.168.200.22/32; WLC with management IP 192.168.1.253/24 in 192.168.1.0/24 behind the Internal Border; fabric prefix 10.1.0.0/20)
• WLCs connect behind Internal Border in the Underlay – still external to Fabric
• Internal Border advertises WLC Management subnet to the Fabric
• Internal Border advertises Fabric prefixes to the WLC Management network
Centralized Wireless and Campus Fabric
(Diagram: wireless clients subnet on the WLC behind the Internal Border/s, advertised into the Campus Fabric)
• Wireless SSIDs are mapped to VLAN/Subnet at WLC in the form of dynamic interfaces
• Internal Border advertises Wireless client subnets to the Fabric
Centralized Wireless and Campus Fabric
(Diagram: AP VLAN, addresses 10.1.15.254/20 and 10.1.0.1/20, on the Internal Border/s 192.168.200.22/32 and 192.168.200.30/32, reachable from the Campus Fabric Edge Node 192.168.200.2/32)
Centralized Wireless and Campus Fabric: AP Join
(Diagram: AP behind the Edge Node 192.168.200.2/32 joining the WLC at management IP 192.168.1.253/24 through the Internal Border/s 192.168.200.22/32)
• Fabric Edge drops the packet and sends an ICMP error back to AP
• AP drops frame size to 576 bytes and Joins WLC successfully
• AP tries to find the optimum frame size by stepping up to 1000 bytes, 1300 bytes and 1485 bytes again
• Increase the MTU of existing network interfaces in the underlay to 9100 to avoid fragmentation challenges
Centralized Wireless and Campus Fabric
(Diagram: wired VLAN, addresses 10.1.16.1/20 and 10.1.31.254/20, inside the Campus Fabric; AP VLAN (10.1.15.254/20, 10.1.0.1/20) and wireless client VLAN (10.2.0.1/21) on the Internal Border/s 192.168.200.22/32)
• Communication from a wired host in Fabric to Wireless Client outside fabric will occur through Internal Border – JUST LIKE TODAY!!
• For the fabric, it is a fabric host communicating to a known destination external to the fabric
Take Away
Session Summary
What to do next?
3. Trial Deployments (Remember: it's an Overlay)
• You can install new C-Plane, Border and Edge Nodes without modifying your existing (Underlay) network
Campus Fabric CVD on Cisco.com
http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Oct2016/CVD-CampusFabricDesign-2016OCT.pdf
Questions? Lunch and Learn!
During lunch time on Tuesday, Wednesday and Thursday, you can join Cisco “subject matter experts” and your peers in casual conversation about topics of interest to you.
More Questions?
Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations + Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Thank You