DNA Integrating With Existing Network - BRKCRS-2812

BRKCRS-2812

DNA Software Defined-Access: Integrating with Existing Network

Kedar Karmarkar, Technical Leader


Cisco Spark
Questions?
Use Cisco Spark to communicate
with the speaker after the session

How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

cs.co/ciscolivebot#BRKCRS-2812

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Software Defined - Access

Integrating with Existing Network


Session Overview and Objectives

What this session will cover:

This session's main focus is how to integrate Cisco Software Defined-Access into an existing
network. We discuss the considerations to cover before starting the integration, and a couple
of approaches by which the integration can be achieved: start small and incrementally expand
the fabric nodes to take over the existing network. We also take a brief look at the
fundamentals, just enough to set the right context, and then dive straight into the migration.

Objectives of this session:

The audience will understand how the migration occurs incrementally in the existing network.
The session focuses primarily on the network migration from a control-plane and data-plane
perspective.
Migrate Existing Network to Cisco SD-Access

[Figure: three stages of the migration, each with ISE and DNA Center on top, a Control-Plane (C) and Border (B) node, and a growing Cisco SD-Access Fabric taking over the existing network]
Agenda
• Key Benefits
• Technology Overview
• Considerations
• Migration
  • New Subnets, New Switches
  • Wireless Integration
  • Migrating Routed Access
• Proof of Concept to Production
• Key Takeaway
Cisco's Intent-based Networking

[Figure: DNA Center ("The Network. Intuitive.") with Policy, Automation and Analytics on top; Intent flows down and Context flows up (Learning) to the Network Infrastructure ("Powered by Intent. Informed by Context."): Switching, Routers, Wireless, Security]
Software Defined Access
Networking at the speed of Software!

[Figure: DNA Center (Policy, Automation, Insights) above a Campus Fabric with Border (B) and Control-Plane (C) nodes, an Outside connection, an SDA Extension, and separate IoT Network and Employee Network segments]

• Identity-Based Policy & Segmentation: security policy decoupled from VLAN and IP Address
• Automated Network Fabric: single fabric for Wired & Wireless with workflow Automation
• Insights & Telemetry: analytics and insights into User and Application behavior
• User Mobility: policy stays with the user
What is SD-Access?
Fabric Roles & Terminology

• DNA Controller – Enterprise SDN Controller (e.g. DNA Center / APIC-EM) provides GUI management and abstraction via Apps that share context
• Identity Services – External ID System(s) (e.g. ISE) are leveraged for dynamic Endpoint to Group mapping and Policy definition
• Analytics Engine – External Data Collector(s) (e.g. NDP) are leveraged to analyze Endpoint to App flows and monitor fabric status
• Control-Plane Nodes – Map System that manages Endpoint to Device relationships
• Fabric Border Nodes – A Fabric device (e.g. Core) that connects External L3 network(s) to the SDA Fabric
• Fabric Edge Nodes – A Fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SDA Fabric
• Fabric Wireless Controller – A Fabric device (WLC) that connects Wireless Endpoints to the SDA Fabric

[Figure: DNA Center, ISE and NDP above the Campus Fabric; Fabric Border Nodes (B) and Control-Plane Nodes (C) at the top, Intermediate Nodes (Underlay) in the middle, Fabric Edge Nodes at the bottom, Fabric Wireless Controller alongside]
Missed One? Sessions are available online @ CiscoLive.com

Software Defined Access - Cisco Live Barcelona Session Map (You Are Here: BRKCRS-2812)

Tuesday (Jan 30):   BRKCRS-2810 Solution Overview; BRKCRS-2811 External Connect; BRKEWN-2021 SDA Wireless Setup
Wednesday (Jan 31): BRKEWN-2020 Wireless Overview; BRKDCN-2489 DC Integration; BRKCRS-2816 Routed Underlay
Thursday (Feb 01):  LTRCRS-2810 (1) Hands-On Lab; BRKCRS-2815 Design & Scale; BRKCRS-3811 Policy Management; BRKCRS-2814 Assurance
Friday (Feb 02):    LTRCRS-2810 (2) Hands-On Lab; BRKCRS-2812 Migration (You Are Here)
SD-Access Support
Fabric ready platforms for your digital ready network

Switching: Catalyst 9400 (new), Catalyst 9300 (new), Catalyst 9500, Catalyst 4500E, Catalyst 6800, Nexus 7700, Catalyst 3650 and 3850
Routing: ASR-1000-X, ASR-1000-HX, ISR 4430, ISR 4450, ISRv/CSRv
Wireless: AIR-CT5520, AIR-CT8540, AIR-CT3504, Wave 2 APs (1800, 2800, 3800), Wave 1 APs* (1700, 2700, 3700)
Extended: 3560-CX, CDB, IE (2K/3K/4K/5K)

* with Caveats
What to Do Next?

• SD-Access Capable - Refresh your Hardware & Software: get SD-Access capable devices with the DNA Advantage OS License
• DNA Center - Deploy the DNA Center: get DNA Center appliances with DNA Center software
• Cisco Services - Engage with Cisco Services: Cisco Services can help you to Test - Migrate - Deploy
Software Defined Access
Related Sessions

BRKCRS-2810 : Cisco SD-Access - A Look Under the Hood
• Shawn Wargo
• Tuesday, Jan 30, 11:15 a.m. - 01:15 p.m.
BRKCRS-2811 : Cisco SD-Access - Connecting the Fabric to External Networks
• Satish Kondalam
• Tuesday, Jan 30, 02:15 p.m. - 04:15 p.m.
BRKCRS-3811 : Cisco SD-Access - Policy Driven Manageability
• Victor Moreno
• Thursday, Feb 01, 02:30 p.m. - 04:00 p.m.
BRKCRS-2812 : Cisco SD-Access - Integrating with Your Existing Network
• Kedar Karmarkar
• Friday, Feb 02, 09:00 a.m. - 11:00 a.m.
BRKCRS-2814 : Cisco SD-Access - Assurance and Analytics
• Karthik Thatikonda
• Thursday, Feb 01, 02:30 p.m. - 04:00 p.m.
BRKCRS-2815 : Cisco SD-Access - How to Deploy a Fabric in Large Enterprises with Thousands of Sites
• Satish Kondalam
• Thursday, Feb 01, 11:30 a.m. - 01:00 p.m.
BRKCRS-2816 : Cisco SD-Access - Building the Routed Underlay
• Rahul Kachalia
• Wednesday, Jan 31, 04:30 p.m. - 06:00 p.m.

https://www.ciscolive.com/emea/learn/sessions/content-catalog/?search=SD-Access
Software Defined Access
Related Sessions

BRKEWN-2020 : Cisco SD-Access - Wireless Integration
• Simone Arena
• Wednesday, Jan 31, 09:00 a.m. - 11:00 a.m.
BRKEWN-2021 : How to setup an SD-Access Wireless fabric from scratch
• Simone Arena, Ramses Smeyers
• Tuesday, Jan 30, 02:15 p.m. - 04:15 p.m.
BRKDCN-2489 : Cisco SD-Access - Integration with Data Center Architectures
• Karthik Thatikonda
• Wednesday, Jan 31, 11:30 a.m. - 01:00 p.m.
LTRCRS-2810 : Cisco SD-Access - Hands-on Lab
• Derek Huckaby, Larissa Overbey
• Thursday, Feb 01, 09:00 a.m. - 01:00 p.m.
• Friday, Feb 02, 09:00 a.m. - 01:00 p.m.
LTRACI-2636 : Cisco SD-Access and ACI Integration - Hands on Lab
• Solomon Rajkumar, Jaydeepsinh Parmar
• Wednesday, Jan 31, 09:00 a.m. - 01:00 p.m.

https://www.ciscolive.com/emea/learn/sessions/content-catalog/?search=SD-Access
CVDs on Cisco.com

cisco.com/c/dam/en/us/td/docs/solutions/CVD/Campus/CVD-Software-Defined-Access-Design-Guide-2017AUG.pdf

cisco.com/c/dam/en/us/td/docs/solutions/CVD/Oct2016/CVD-CampusFabricDesign-2016OCT.pdf
Considerations before you migrate ....

Existing Network MTU

[Figure: Overlay Network frames of MTU 1500 + Encapsulation carried across an Underlay Network built for MTU 1500]

• MTU and Overlay
• VXLAN adds 50 bytes to the Original Ethernet Frame
• Avoid Fragmentation by adjusting the network MTU
• Ensure Jumbo Frame support on switches in the underlay network
Access Layer Re-configure

• Layer-2 Switched Access today (L2 links to Distribution)
• Routed Access tomorrow (L3 links to Distribution)
Network Physical Topology

• SD-Access fabric runs over arbitrary topologies:
  • Traditional 3-tier hierarchical network
  • Collapsed core/aggregation designs
  • Routed access
  • U-topology
• Ideal design is routed access - allows the fabric to extend to the very edge of the campus network
• Ensure that all switches have IP reachability to infrastructure elements
• Strong recommendation to follow campus CVDs with routed access:
  www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/routed-ex.html

[Figure: 3-Tier Hierarchical (L3 core/distribution, L2 access), Collapsed Core (L2 access), Routed Access (L3 to the access layer), U-Topology (L2)]
IP Addressing for Underlay and Overlay

• Know your IP addressing and IP scale requirements
• IPv4 only (today)
• Fabric uses Loopback as Source-Interface for Encapsulation
• Best to use a single Aggregate for all Underlay Links and Loopbacks

[Figure: Overlay Network endpoints 192.168.1.1/32 and 192.168.1.2/32 carried over an Underlay Network of loopbacks 10.10.10.254/32, 10.10.10.253/32 and 10.10.10.252/32 joined by point-to-point links 10.10.10.0/30 and 10.10.10.4/30]
Segmentation Policy
• RLOC/Underlay connectivity is in the Global Routing Table
• Access Points* and SDA Extended Nodes are in INFRA_VN, a VN provided by default
• DEFAULT_VN is a VN provided by default, out-of-the-box
• User-defined VNs can be created additionally
• Scalable Group Tags (SGTs) can be used for access control within a VN

* For APs in centralized switching mode

[Figure: scope of the fabric at the Border: User-defined VN (USER VRF), DEFAULT_VN, INFRA_VN (APs, Extended Nodes), and RLOC/Underlay in the GRT]
Location of Shared Services Infrastructure
• SD-Access fabric leverages traditional infrastructure services
• IP reachability from underlay/overlay to DNS, DHCP, NTP, etc. is required
• Are the Shared Services in a VRF or in the Global Routing Table?
• Larger deployments have infrastructure services hosted in the Data Centre
• A hybrid model is also possible (mix of distribution/core/Data Centre)
• The Shared Services will be outside of the fabric in SD-Access

[Figure: Small Commercial / Enterprise Deployment with Infrastructure Services at the Core or at the Distribution; Large Enterprise Deployment with Infrastructure Services in the Data Centre]
Features Applied at Distribution
• Where are policies applied today? For example features like QoS, NetFlow, Policy-based Routing, WCCP, IP ACLs at the distribution layer
• The policy enforcement point(s) need to move down to the Access layer or outside the fabric:
  • Down to the Access layer: for example IP ACLs, QoS, NetFlow can be applied at the Access
  • Outside the SD-Access fabric: for example PBR, WCCP can be applied at the external router
Two Basic Types of Deployments

• Campus Networks (Large Sites)
• Branch Networks (Small Sites)

Typical Campus Networks

[Figure: WAN Block (MPLS, Branch IWAN), DC Block (MPLS, DC IWAN, DDI) and Internet Block (I-NET, Internet) attached to a Super Core; Services Block; Layer-3 links down to several Core/Aggregation Layers, Layer-2 links to the access]

Typical Branch Networks

[Figure: Branch IWAN over MPLS and I-NET with DDI, a Collapsed Core, and an Access Layer]
Two Basic Approaches to Migration

• Parallel Deployment (all at once)
• Incremental Deployment (one at a time)

Migration Approaches: Parallel vs. Incremental

Parallel                                                    | Incremental
Best for Branch (small) deployments                         | Best for Campus (any size)
Requires enough cable runs to create a new parallel network | Requires a couple of cables from new access and distribution switches
Power and outlets for a parallel network                    | Incremental power and outlet requirement
Legacy hardware in existing network                         | Legacy hardware in existing network
Upgrade most of the wired network                           | Upgrade some of the wired network
Clean slate (leave behind any complexity in the old design) | Must carry forward the constraints of the old design in the underlay
Test users in a complete new network                        | Test of functionality is partial
Easy rollback of migrated users                             | Easy rollback of migrated users

Parallel Install not feasible for Campus Networks

[Figure: the typical campus network (WAN, DC and Internet blocks with MPLS, Branch IWAN, DC IWAN, DDI, I-NET) shown at full size, with no room for a second complete hierarchy]

Parallel Install for Branch Networks

[Figure: the typical branch network (Branch IWAN over MPLS and I-NET, DDI) with a new collapsed core and access built in parallel]
SD-Access Migration
Using New Subnets, New Switches

Incremental Migration - High Level Concept

[Figure: a Virtual Network (new IP scope) formed over the Existing IP Network (underlay), routed to the Existing Network (existing IP scope) through the Border/Control Plane Node; Edge Nodes in the access, Existing Campus and External Network beyond the border]

• Deploy a Border/Control Plane node and an Edge node
• A virtual network with new addresses is formed over the existing network
• Incrementally add Fabric Edge nodes
• The virtual network connects to the existing/external network via the border
Considerations for using New Subnets to transition

• Immediately realize the advantages of bigger but fewer subnets that are optimized for SD-Access
• Design for the present and the future
• Add DHCP scope and size
• Update existing firewall rules for that one big subnet
• Not a big issue for endpoints with IP stacks that work well with DHCP

Before: 10.10.1.0/24, 10.10.2.0/24, 10.10.3.0/24, 10.10.4.0/24, 10.10.5.0/24, 10.10.6.0/24, 10.10.7.0/24, 10.10.8.0/24, 10.10.9.0/24
After:  10.10.0.0/16
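"Update existing firewall rules for that one big subnet" hides a policy question: a rule that used to match one /24 and is rewritten to the /16 now matches every endpoint in the new pool. The script below is an added example, not part of the deck, that takes an address-based ruleset, finds the rules that reference the retired /24s from the Before/After slide, and reports which rewrites would silently widen a permit or over-extend a deny. The one-line rule format and the sample ruleset are constructed for the example and are not a real firewall syntax.

```python
"""Added example (not from the BRKCRS-2812 deck): before collapsing the nine
/24 user subnets shown on the slide into the single 10.10.0.0/16 pool, work
out which firewall rules reference the retired subnets and whether a naive
rewrite to the new pool widens (or over-blocks) access.
The one-line rule format and the sample ruleset are constructed for this
example; they are not a real firewall syntax."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: int
    action: str  # "permit" or "deny"


def parse_rules(text):
    """Parse 'NAME SRC DST PORT ACTION' lines (constructed format)."""
    rules = []
    for line in text.strip().splitlines():
        name, src, dst, port, action = line.split()
        rules.append(Rule(name, ipaddress.ip_network(src),
                          ipaddress.ip_network(dst), int(port), action))
    return rules


def plan_rewrite(rules, old_subnets, new_pool):
    """Return (rewritten_rules, warnings).

    Every rule whose source lies in a retired subnet is replaced by one rule
    sourced from the new pool. If the old rules for a given (dst, port, action)
    covered only some of the retired subnets, the /16 rewrite changes policy:
    a permit now admits endpoints that were never allowed, a deny now blocks
    endpoints that were never blocked. Both cases are reported.
    """
    old = [ipaddress.ip_network(s) for s in old_subnets]
    pool = ipaddress.ip_network(new_pool)
    groups, untouched = {}, []
    for r in rules:
        hit = frozenset(o for o in old if r.src.overlaps(o))
        if not hit:
            untouched.append(r)      # unrelated to the migration
            continue
        key = (r.dst, r.port, r.action)
        groups[key] = groups.get(key, frozenset()) | hit
    rewritten, warnings = [], []
    for (dst, port, action), hit in sorted(
            groups.items(), key=lambda kv: (str(kv[0][0]), kv[0][1], kv[0][2])):
        name = f"{action}-{dst}-{port}"
        rewritten.append(Rule(name, pool, dst, port, action))
        if len(hit) < len(old):
            missing = ", ".join(sorted(str(o) for o in set(old) - hit))
            effect = "widens access" if action == "permit" else "over-blocks"
            warnings.append(f"{name}: {effect}; old policy had no {action} from {missing}")
    return untouched + rewritten, warnings


# Constructed sample: all nine old user subnets may use DNS, only one may SSH
# to a jump host, one is explicitly denied HTTPS to a server, and one rule
# belongs to a subnet that is not being migrated.
OLD_SUBNETS = [f"10.10.{i}.0/24" for i in range(1, 10)]
NEW_POOL = "10.10.0.0/16"
SAMPLE_RULES = "\n".join(
    [f"dns{i} 10.10.{i}.0/24 192.168.4.1/32 53 permit" for i in range(1, 10)]
    + ["ssh-admins 10.10.3.0/24 10.200.0.10/32 22 permit",
       "block-web 10.10.9.0/24 10.200.0.20/32 443 deny",
       "legacy 172.16.5.0/24 10.200.0.30/32 80 permit"])


def run_sample():
    return plan_rewrite(parse_rules(SAMPLE_RULES), OLD_SUBNETS, NEW_POOL)


if __name__ == "__main__":
    rules, warnings = run_sample()
    for r in rules:
        print(f"{r.action:6} {r.src} -> {r.dst}:{r.port}  ({r.name})")
    for w in warnings:
        print("WARNING", w)
```

On the sample the nine DNS rules collapse into one /16 rule without a warning, while the admin-only SSH permit and the single-subnet HTTPS deny are both flagged: those are the rules that need an SGT-based or more specific replacement rather than a mechanical rewrite.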
Reference Network Topology to integrate SD-Access

[Figure: existing campus hierarchy with an External Network attached at the core]

Getting Started

[Figure: Edge Node in the access, IP Network, Border/Control Plane Node (C B) at the core, External Network]

• Re-configure one Core that will act as the Default Fabric Border
• Host the Control Plane on the Default Fabric Border for simplicity
• Add a switch in the access layer that will act as the Fabric Edge
Connecting the Default Fabric Border
Option 1 - Re-configure the existing Core

You can reuse an existing Core switch if it supports SDA Fabric functionality.
NOTE: This may require a software upgrade and adding new fabric overlay configurations.

Insert Fabric Edge in Access

Connect a new switch in the access layer and connect it to the distribution layer with Routed Access.

Connecting the Default Border
Option 2 - Connect a new switch to the Core

If the existing core does not support Fabric functionality: insert a new switch (that will be the border and control plane node) and connect it to the existing core layer.
Prepping the Switch

[Figure: Edge Node, IP Network, Control Plane + Border Node (C B), External Network]

Do not forget to set the following on the Fabric nodes and on the other nodes in the underlay:
• Set MTU to 9100 on the switch and on the existing network
• Configure 'ip routing'
• Set 'username' and 'password' for device access
• Configure VTY and console lines for device access
• Configure NTP
• Configure SNMP, syslog
• Configure Loopback0 (/32) for the RLOC, and the underlay IP addresses
Getting Started Steps (IS-IS underlay)

router isis
 net 49.0001.XXXX.XXXX.XXXX.00
 is-type level-2-only
 ispf level-2
 log-adjacency-changes
 metric-style wide level-2
 no hello padding
 authentication mode md5 level-2
 authentication key-chain ON
 passive-interface Loopback0
!
interface GigabitEthernet x/x
 ip router isis
 isis network point-to-point
 isis metric <metric> level-2
 isis circuit-type level-2-only
 isis authentication mode md5 level-2
 isis authentication key-chain ON
 carrier-delay ms 0
 dampening

Getting Started Steps (OSPF underlay)

interface GigabitEthernet1/1/1
 no switchport
 ip address 192.168.22.58 255.255.255.252
!
interface GigabitEthernet1/1/2
 no switchport
 ip address 192.168.22.38 255.255.255.252
!
interface Loopback0
 ip address 192.168.21.9 255.255.255.255
 ip ospf network point-to-point
!
router ospf 1
 router-id 192.168.21.9
 passive-interface default
 no passive-interface GigabitEthernet1/1/1
 no passive-interface GigabitEthernet1/1/2
 network 192.168.21.9 0.0.0.0 area 0
 network 192.168.22.38 0.0.0.0 area 0
 network 192.168.22.58 0.0.0.0 area 0
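The checklist and the two underlay snippets above are exactly the kind of thing that gets half-applied on a switch that has been in the network for years. The script below is an added example (not from the deck) that lints an IOS-style running-config for the "Prepping the Switch" items and for the routing protocol's authentication: the IS-IS snippet above authenticates adjacencies with MD5 and a key chain, whereas the OSPF snippet does not, and an unauthenticated underlay IGP lets anything that can form an adjacency inject RLOC routes. Assumptions not on the slides: the MTU check looks for `system mtu 9100` (Catalyst syntax), the underlay aggregate 192.168.16.0/20 is chosen to contain the addresses in the OSPF snippet, and the sample config is constructed from that snippet plus the checklist items.

```python
"""Added example (not from the BRKCRS-2812 deck): a pre-migration lint of a
switch running-config against the 'Prepping the Switch' checklist (MTU 9100,
ip routing, local credentials, vty, NTP, SNMP, syslog, Loopback0 /32 for the
RLOC, all underlay addresses inside one aggregate) plus a check that the
underlay IGP authenticates its neighbors.

Assumptions not on the slides: 'system mtu 9100' is the MTU syntax checked;
the aggregate 192.168.16.0/20 and the sample config are constructed."""
import ipaddress
import re


def parse_blocks(config):
    """Group IOS-style config into (header, children) pairs; indented lines
    belong to the last unindented header. Comment lines ('!') are dropped."""
    blocks, header, children = [], None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            children.append(raw.strip())
        else:
            if header is not None:
                blocks.append((header, children))
            header, children = raw.strip(), []
    if header is not None:
        blocks.append((header, children))
    return blocks


def lint_underlay(config, underlay_aggregate):
    """Return a list of human-readable findings; an empty list means ready."""
    agg = ipaddress.ip_network(underlay_aggregate)
    blocks = parse_blocks(config)
    headers = [h for h, _ in blocks]
    findings = []

    def present(prefix):
        return any(h.startswith(prefix) for h in headers)

    required = [
        ("ip routing", "ip routing is not enabled"),
        ("system mtu 9100", "system MTU is not 9100 (VXLAN adds 50 bytes)"),
        ("username ", "no local username for device access"),
        ("ntp server", "no NTP server"),
        ("snmp-server", "no SNMP configuration"),
        ("logging host", "no syslog host"),
    ]
    findings += [msg for prefix, msg in required if not present(prefix)]

    vty = [c for h, c in blocks if h.startswith("line vty")]
    if not vty or not all("transport input ssh" in c for c in vty):
        findings.append("vty lines do not restrict transport to ssh")

    loopback0 = None
    for h, c in blocks:
        # Management-VRF and overlay SVIs are not underlay addressing.
        if not h.startswith("interface") or any(l.startswith("vrf forwarding") for l in c):
            continue
        for line in c:
            m = re.match(r"ip address (\S+) (\S+)$", line)
            if not m:
                continue
            addr = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            if h == "interface Loopback0":
                loopback0 = addr
            if not addr.network.subnet_of(agg):
                findings.append(f"{h}: {addr} is outside underlay aggregate {agg}")
    if loopback0 is None:
        findings.append("Loopback0 (RLOC) is missing")
    elif loopback0.network.prefixlen != 32:
        findings.append(f"Loopback0 is /{loopback0.network.prefixlen}, not /32")

    for h, c in blocks:
        if h.startswith("router isis") and not any(l.startswith("authentication mode") for l in c):
            findings.append(f"{h}: no authentication configured")
        if h.startswith("router ospf"):
            area_auth = any("authentication" in l for l in c)
            intf_auth = any(l.startswith(("ip ospf authentication", "ip ospf message-digest-key"))
                            for hh, cc in blocks if hh.startswith("interface") for l in cc)
            if not (area_auth or intf_auth):
                findings.append(f"{h}: no authentication configured; "
                                "a rogue underlay neighbor could inject routes")
    return findings


# Constructed sample: the OSPF snippet from the slide plus the checklist items.
SAMPLE_CONFIG = """\
hostname VAMPIRE-1
ip routing
system mtu 9100
username dnac privilege 15 secret 9 <hash>
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 172.16.0.10 255.255.255.0
!
interface GigabitEthernet1/1/1
 no switchport
 ip address 192.168.22.58 255.255.255.252
!
interface GigabitEthernet1/1/2
 no switchport
 ip address 192.168.22.38 255.255.255.252
!
interface Loopback0
 ip address 192.168.21.9 255.255.255.255
 ip ospf network point-to-point
!
router ospf 1
 router-id 192.168.21.9
 passive-interface default
 no passive-interface GigabitEthernet1/1/1
 no passive-interface GigabitEthernet1/1/2
 network 192.168.21.9 0.0.0.0 area 0
 network 192.168.22.38 0.0.0.0 area 0
 network 192.168.22.58 0.0.0.0 area 0
!
ntp server 192.168.4.2
snmp-server community <string> RO
logging host 192.168.4.3
line con 0
 login local
line vty 0 15
 login local
 transport input ssh
"""
UNDERLAY_AGGREGATE = "192.168.16.0/20"

if __name__ == "__main__":
    for finding in lint_underlay(SAMPLE_CONFIG, UNDERLAY_AGGREGATE):
        print("FINDING:", finding)
```

Run against the sample, the only finding is the unauthenticated OSPF process; remove `system mtu 9100` or move a point-to-point link outside the aggregate and those are reported as well.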
Graphical Migration
Using DNA Center

DNA Center workflow (shown as screenshots in the original deck):
• Logging in to DNA Center
• Discover Devices: New Discovery
Existing Network Topology

WAN Edge: MERCURY, POSEIDON
Core: SANDY, ODD_RODS, SPOOKY, JOLLY
WLC/Service Block
Distribution: PROWLER, INTRUDER
Access: VAMPIRE-2, VAMPIRE-3
Design Module (screenshots in the original deck):
• Create Site hierarchy
• Network Settings
• User credentials for device access
Minimum number of IP Pools to create

• Border Pool – for leveraging Border automation
• Client Pool – for onboarding clients (Wired)
• AP Pool – if APs are in the network, then create an IP Pool for APs
• Wireless endpoints – if you want different addresses for wireless endpoints

Design Module (screenshots in the original deck): Add IP Pool details; IP Address Pools
Policy Module (screenshots in the original deck): Creating VNs and allocating SGTs

Provision Module (screenshots in the original deck): Assign Site to Devices
Provision only the potential Fabric Nodes

[Figure: the topology above (MERCURY, POSEIDON; SANDY, ODD_RODS, SPOOKY, JOLLY; PROWLER, INTRUDER; VAMPIRE-1, VAMPIRE-2, VAMPIRE-3) with the potential Fabric Nodes highlighted; in the configurations that follow, SPOOKY is the Border/Control Plane node and VAMPIRE-1 a Fabric Edge]
Provision Module workflow (screenshots in the original deck):
1. Provision the potential Fabric Nodes (provision success)
2. Provision the SD-Access fabric
3. Provision the Fabric Edge Node
4. Provision the Fabric Border/Control Plane Node
5. Provision Fabric Border Node External connectivity
6. Provision Fabric Border Node VN Handoff
7. Provision SD-Access success
Fabric Edge Node Configuration

router lisp
 locator-table default
 locator-set rloc_e9eed690-<snip snip>f27
  IPv4-interface Loopback0 priority 10 weight 10
 !
 locator default-set rloc_e9eed690-<snip snip>f27
 service ipv4
  encapsulation vxlan
  map-cache-limit 25000
  database-mapping limit dynamic 5000
  itr map-resolver 192.168.1.3
  etr map-server 192.168.1.3 key uci
  etr map-server 192.168.1.3 proxy-reply
  etr
  sgt
  use-petr 192.168.1.3
  proxy-itr 192.168.1.7
  exit-service-ipv4
 !
 service ethernet
  map-cache-limit 25000
  database-mapping limit dynamic 5000
  itr map-resolver 192.168.1.3
  itr
  etr map-server 192.168.1.3 key uci
  etr map-server 192.168.1.3 proxy-reply
  etr
  exit-service-ethernet
 !
 instance-id 4097
  remote-rloc-probe on-route-change
  service ipv4
   eid-table default
   map-cache 0.0.0.0/0 map-request
   exit-service-ipv4
  !
  exit-instance-id
 !
 instance-id 4098
  remote-rloc-probe on-route-change
  service ipv4
   eid-table vrf DEFAULT_VN
   map-cache 0.0.0.0/0 map-request
   exit-service-ipv4
  !
  exit-instance-id
 !
 instance-id 4099
  remote-rloc-probe on-route-change
  service ipv4
   eid-table vrf USERS
   map-cache 0.0.0.0/0 map-request
   exit-service-ipv4
  !
  exit-instance-id
Fabric Edge and Border Nodes VRF Configuration

VAMPIRE-1#sh vrf
  Name            Default RD   Protocols   Interfaces
  DEFAULT_VN      1:4098       ipv4        LI0.4098
  GUEST           1:4100       ipv4        LI0.4100
  Mgmt-vrf        <not set>    ipv4,ipv6   Gi0/0
  USERS           1:4099       ipv4        LI0.4099

SPOOKY#sh vrf
  Name            Default RD   Protocols   Interfaces
  DEFAULT_VN      1:4098       ipv4        Vl3004
                                           LI0.4098
  GUEST           1:4100       ipv4        Vl3001
                                           LI0.4100
  Mgmt-vrf        <not set>    ipv4,ipv6   Gi0/0
  USERS           1:4099       ipv4        Vl3002
                                           LI0.4099
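The two `show vrf` outputs are the quickest way to confirm that a VN exists end to end: the same RD (and therefore the same LISP instance-id) on edge and border, a LISP interface on the edge, and a handoff SVI on the border. The script below is an added example, not from the deck, that parses both outputs and reports any VN that is missing one of those pieces. The sample outputs are the VAMPIRE-1 and SPOOKY outputs above laid out as IOS prints them; the mapping RD `1:<n>` to instance-id `<n>` is taken from that output and from the LISP configuration on the edge.

```python
"""Added example (not from the BRKCRS-2812 deck): cross-check the 'show vrf'
output of a fabric edge and a fabric border so that every virtual network has
the same RD / LISP instance-id on both nodes, a LISP interface (LI0.<iid>) on
the edge, and a handoff SVI (Vl<n>) on the border.

Sample outputs are the VAMPIRE-1 / SPOOKY outputs from the deck in IOS
'show vrf' layout; the RD-to-instance-id mapping is as observed there."""
import re

ROW = re.compile(r"^(?P<name>\S+)\s+(?P<rd>\d+:\d+|<not set>)\s+(?P<proto>[\w,]+)\s*(?P<ifs>.*)$")


def parse_show_vrf(text):
    """Return {vrf_name: {"rd": "1:4098" or None, "interfaces": [...]}}.
    A line that does not look like a VRF row is a wrapped continuation of the
    previous row's interface list."""
    vrfs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Name") or "#" in line:
            continue
        m = ROW.match(line)
        if m:
            current = m.group("name")
            rd = None if m.group("rd") == "<not set>" else m.group("rd")
            vrfs[current] = {"rd": rd, "interfaces": m.group("ifs").split()}
        elif current:
            vrfs[current]["interfaces"].extend(line.split())
    return vrfs


def instance_ids(vrfs):
    """VN name -> LISP instance-id, taken from the RD suffix. VRFs without an
    RD (the management VRF) are not fabric VNs and are left out."""
    return {n: int(v["rd"].split(":")[1]) for n, v in vrfs.items() if v["rd"]}


def check_vn_consistency(edge_text, border_text):
    edge, border = parse_show_vrf(edge_text), parse_show_vrf(border_text)
    findings = []
    for name, iid in instance_ids(edge).items():
        if f"LI0.{iid}" not in edge[name]["interfaces"]:
            findings.append(f"{name}: edge has no LISP interface LI0.{iid}")
        if name not in border:
            findings.append(f"{name}: on edge but not on border, traffic has no exit")
            continue
        if border[name]["rd"] != edge[name]["rd"]:
            findings.append(f"{name}: RD mismatch, edge {edge[name]['rd']} "
                            f"vs border {border[name]['rd']}")
        if not any(i.startswith("Vl") for i in border[name]["interfaces"]):
            findings.append(f"{name}: border has no handoff SVI toward the external router")
    return findings


EDGE_SHOW_VRF = """\
VAMPIRE-1#sh vrf
  Name                             Default RD            Protocols   Interfaces
  DEFAULT_VN                       1:4098                ipv4        LI0.4098
  GUEST                            1:4100                ipv4        LI0.4100
  Mgmt-vrf                         <not set>             ipv4,ipv6   Gi0/0
  USERS                            1:4099                ipv4        LI0.4099
"""
BORDER_SHOW_VRF = """\
SPOOKY#sh vrf
  Name                             Default RD            Protocols   Interfaces
  DEFAULT_VN                       1:4098                ipv4        Vl3004
                                                                     LI0.4098
  GUEST                            1:4100                ipv4        Vl3001
                                                                     LI0.4100
  Mgmt-vrf                         <not set>             ipv4,ipv6   Gi0/0
  USERS                            1:4099                ipv4        Vl3002
                                                                     LI0.4099
"""

if __name__ == "__main__":
    print(instance_ids(parse_show_vrf(EDGE_SHOW_VRF)))
    print(check_vn_consistency(EDGE_SHOW_VRF, BORDER_SHOW_VRF) or "VNs consistent")
```

On the deck's outputs the check is clean; drop the GUEST row from the border output, or its Vl3002 SVI from USERS, and the corresponding VN is reported.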
Fabric Border Node Interface to External Router Configuration

BEFORE Config Push
=================
SPOOKY#s int t1/0/1
Building configuration...
Current configuration : 41 bytes
!
interface TenGigabitEthernet1/0/1
end

AFTER Config Push
================
SPOOKY#s int t1/0/1
Building configuration...
Current configuration : 64 bytes
!
interface TenGigabitEthernet1/0/1
 switchport mode trunk
end
Fabric Border Node Interfaces to External Router

SPOOKY#s int vl3001
Building configuration...
Current configuration : 184 bytes
interface Vlan3001
 description vrf interface to External router
 vrf forwarding GUEST
 ip address 192.168.111.1 255.255.255.252
 no ip redirects
 ip route-cache same-interface
end

SPOOKY#s int vl3002
Building configuration...
Current configuration : 184 bytes
interface Vlan3002
 description vrf interface to External router
 vrf forwarding USERS
 ip address 192.168.111.5 255.255.255.252
 no ip redirects
 ip route-cache same-interface
end

SPOOKY#s int vl3003
Building configuration...
Current configuration : 162 bytes
interface Vlan3003
 description vrf interface to External router
 ip address 192.168.111.9 255.255.255.252
 no ip redirects
 ip route-cache same-interface
end

SPOOKY#s int vl3004
Building configuration...
Current configuration : 190 bytes
interface Vlan3004
 description vrf interface to External router
 vrf forwarding DEFAULT_VN
 ip address 192.168.111.13 255.255.255.252
 no ip redirects
 ip route-cache same-interface
end
Fabric Border Node LISP Configuration

SPOOKY#s | sec lisp
no lisp mobility liveness test
router lisp
 locator-table default
 locator-set rloc_f88e30ff<snip>
  IPv4-interface Loopback0 priority 10 weight 10
  auto-discover-rlocs
  exit-locator-set
 !
 service ipv4
  encapsulation vxlan
  map-cache-limit 25000
  database-mapping limit dynamic 5000
  itr map-resolver 192.168.1.3
  etr map-server 192.168.1.3 key uci
  etr map-server 192.168.1.3 proxy-reply
  etr
  sgt
  proxy-etr
  proxy-itr 192.168.1.3
  map-server
  map-resolver
  exit-service-ipv4
 !
 service ethernet
  map-server
  map-resolver
  exit-service-ethernet

(service ipv4 is the L3 LISP service, service ethernet the L2 LISP service)
Fabric Border Node LISP Configuration (LISP instance mapping)

 instance-id 4097
  remote-rloc-probe on-route-change
  service ipv4
   eid-table default
   route-export site-registrations
   distance site-registrations 250
   map-cache site-registration
   exit-service-ipv4
 !
 instance-id 4098
  remote-rloc-probe on-route-change
  service ipv4
   eid-table vrf DEFAULT_VN
   route-import database bgp 65001 route-map database locator-set rloc_f88e30ff<snip>
   route-export site-registrations
   distance site-registrations 250
   map-cache site-registration
   exit-service-ipv4
 !
 instance-id 4099
  remote-rloc-probe on-route-change
  service ipv4
   eid-table vrf USERS
   route-import database bgp 65001 route-map database locator-set rloc_f88e30ff<snip>
   route-export site-registrations
   distance site-registrations 250
   map-cache site-registration
   exit-service-ipv4
 !
 exit-instance-id
Fabric Control Plane Node LISP Configuration

SPOOKY#s | sec lisp
<snip …. ..... snip>
 site site_uci
  description map-server configured from apic-em
  authentication-key uci
  eid-record instance-id 4097 0.0.0.0/0 accept-more-specifics
  eid-record instance-id 4098 0.0.0.0/0 accept-more-specifics
  eid-record instance-id 4099 0.0.0.0/0 accept-more-specifics
  eid-record instance-id 4100 0.0.0.0/0 accept-more-specifics
  exit-site
 !
 ipv4 locator reachability exclude-default
 exit-router-lisp
Fabric Border Node BGP Configuration

router bgp 65001
 bgp router-id interface Loopback0
 bgp log-neighbor-changes
 neighbor 192.168.111.10 remote-as 65002
 neighbor 192.168.111.10 update-source Vlan3003
 !
 address-family ipv4
  network 192.168.1.3 mask 255.255.255.255
  redistribute lisp metric 10
  neighbor 192.168.111.10 activate
  neighbor 192.168.111.10 weight 65535
 exit-address-family
 !
 address-family ipv4 vrf DEFAULT_VN
  redistribute lisp metric 10
  neighbor 192.168.111.14 remote-as 65002
  neighbor 192.168.111.14 update-source Vlan3004
  neighbor 192.168.111.14 activate
  neighbor 192.168.111.14 weight 65535
 exit-address-family
 !
 address-family ipv4 vrf GUEST
  redistribute lisp metric 10
  neighbor 192.168.111.2 remote-as 65002
  neighbor 192.168.111.2 update-source Vlan3001
  neighbor 192.168.111.2 activate
  neighbor 192.168.111.2 weight 65535
 exit-address-family
 !
 address-family ipv4 vrf USERS
  redistribute lisp metric 10
  neighbor 192.168.111.6 remote-as 65002
  neighbor 192.168.111.6 update-source Vlan3002
  neighbor 192.168.111.6 activate
  neighbor 192.168.111.6 weight 65535
 exit-address-family
User On-Boarding
Fabric Provision: Authentication template

Fabric Provision: Associate IP Pool to VN
Fabric Provision: Configuration on Fabric Edge

VAMPIRE-1#sh vrf
Name         Default RD   Protocols  Interfaces
DEFAULT_VN   1:4098       ipv4       LI0.4098
GUEST        1:4100       ipv4       LI0.4100
Mgmt-vrf     <not set>    ipv4,ipv6  Gi0/0
USERS        1:4099       ipv4       LI0.4099
                                     Vl1021
VAMPIRE-1#s int vl1021
Building configuration...
Current configuration : 315 bytes
interface Vlan1021
description Configured from apic-em
mac-address 0000.0c9f.f45c
vrf forwarding USERS
ip address 10.111.255.254 255.255.0.0
ip helper-address 192.168.4.1
no ip redirects
ip local-proxy-arp
ip route-cache same-interface
no lisp mobility liveness test
lisp mobility 10_111_0_0-USERS
end

Fabric Provision: Configuration on Fabric Edge

VAMPIRE-1#s | b er li
router lisp
locator-table default
locator-set rloc_e9eed690-f1f8-400d-a388-8c956539ef27
IPv4-interface Loopback0 priority 10 weight 10
exit-locator-set
!
instance-id 4099
remote-rloc-probe on-route-change
dynamic-eid 10_111_0_0-USERS
database-mapping 10.111.0.0/16 locator-set rloc_e9eed690-f1f8-400d-a388-8c956539ef27
exit-dynamic-eid
!
service ipv4
eid-table vrf USERS
map-cache 0.0.0.0/0 map-request
exit-service-ipv4
!
exit-instance-id

Fabric Provision: Configuration on Control Plane Node

SPOOKY#s | b er lis
router lisp
locator-table default
locator-set rloc_f88e30ff-4ad8-4bee-8ddb-1cb6176021a4
IPv4-interface Loopback0 priority 10 weight 10
auto-discover-rlocs
exit-locator-set
!
site site_uci
description map-server configured from apic-em
authentication-key uci
eid-record instance-id 4097 0.0.0.0/0 accept-more-specifics
eid-record instance-id 4098 0.0.0.0/0 accept-more-specifics
eid-record instance-id 4099 0.0.0.0/0 accept-more-specifics
eid-record instance-id 4099 10.111.0.0/16 accept-more-specifics
eid-record instance-id 4100 0.0.0.0/0 accept-more-specifics
exit-site
!

Fabric Provision: BGP Configuration on Fabric Border

SPOOKY#s | b er bgp
router bgp 65001
bgp router-id interface Loopback0
bgp log-neighbor-changes
neighbor 192.168.111.10 remote-as 65002
neighbor 192.168.111.10 update-source Vlan3003
!
address-family ipv4 vrf USERS
network 10.111.255.254 mask 255.255.255.255
aggregate-address 10.111.0.0 255.255.0.0 summary-only
redistribute lisp metric 10
neighbor 192.168.111.6 remote-as 65002
neighbor 192.168.111.6 update-source Vlan3002
neighbor 192.168.111.6 activate
neighbor 192.168.111.6 weight 65535
exit-address-family

Fabric Edge Node: Static Port-to-VN/SGT configuration


BRKCRS-2812 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 105
Fabric Edge Node: Static Port-to-VN/SGT configuration

Before (port as provisioned by the authentication template):

VAMPIRE-1#s int t1/0/1
Building configuration...
Current configuration : 84 bytes
interface TenGigabitEthernet1/0/1
device-tracking attach-policy IPDT_MAX_10
end

After (static port-to-VN/SGT assignment):

VAMPIRE-1#s int t1/0/1
Building configuration...
Current configuration : 233 bytes
interface TenGigabitEthernet1/0/1
switchport access vlan 1021
switchport mode access
device-tracking attach-policy IPDT_MAX_10
load-interval 30
cts manual
policy static sgt 4
no propagate sgt
spanning-tree portfast
end
External Route Exchange
External Connectivity: Fusion Router Interface Configuration
MERCURY#s | b 0/0/0
interface GigabitEthernet0/0/0
no ip address
ip ospf mtu-ignore
negotiation auto
ipv6 enable
!
interface GigabitEthernet0/0/0.3001
encapsulation dot1Q 3001
ip address 192.168.111.2 255.255.255.252
!
interface GigabitEthernet0/0/0.3002
encapsulation dot1Q 3002
ip address 192.168.111.6 255.255.255.252
!
interface GigabitEthernet0/0/0.3003
encapsulation dot1Q 3003
ip address 192.168.111.10 255.255.255.252
!
interface GigabitEthernet0/0/0.3004
encapsulation dot1Q 3004
ip address 192.168.111.14 255.255.255.252

External Connectivity: Fusion Router BGP Configuration

MERCURY#s | sec bgp
router bgp 65002
bgp log-neighbor-changes
neighbor 192.168.111.1 remote-as 65001
neighbor 192.168.111.1 update-source GigabitEthernet0/0/0.3001
neighbor 192.168.111.5 remote-as 65001
neighbor 192.168.111.5 update-source GigabitEthernet0/0/0.3002
neighbor 192.168.111.9 remote-as 65001
neighbor 192.168.111.9 update-source GigabitEthernet0/0/0.3003
neighbor 192.168.111.13 remote-as 65001
neighbor 192.168.111.13 update-source GigabitEthernet0/0/0.3004

MERCURY#sh ip bgp summ
BGP router identifier 192.168.1.1, local AS number 65002
BGP table version is 3, main routing table version 3
<snip …. .... snip>
Neighbor        V    AS     MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
192.168.111.1   4    65001  10       10       3       0    0     00:05:46  0
192.168.111.5   4    65001  9        10       3       0    0     00:04:12  1
192.168.111.9   4    65001  9        11       3       0    0     00:03:52  1
192.168.111.13  4    65001  6        9        3       0    0     00:02:07  0
External Connectivity: Advertise underlay to External network

MERCURY#sh ip bgp summ
BGP router identifier 192.168.1.1, local AS number 65002
<snip … ... snip>
Neighbor        V    AS     MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
192.168.111.1   4    65001  14       16       30      0    0     00:09:38  0
192.168.111.5   4    65001  13       15       30      0    0     00:08:03  1
192.168.111.9   4    65001  14       17       30      0    0     00:07:44  28
192.168.111.13  4    65001  10       14       30      0    0     00:05:58  0

SPOOKY#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SPOOKY(config)#router bgp 65001
SPOOKY(config-router)#redistribute ospf 1 metric 10
SPOOKY(config-router)#^Z
SPOOKY#

(Figure: fusion router MERCURY G0/0/0 peers over BGP with the fabric border/control plane SPOOKY (B, C) on T1/0/1; OSPF runs inside the Cisco SD-Access Fabric)
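The two summaries above are the fusion router's view before and after the border redistributes the OSPF underlay into BGP: the peer on the underlay address family goes from 1 to 28 prefixes. Added example, not from the session deck and not IOS code: a Python parser for "show ip bgp summary" that reads the State/PfxRcd column, treats a numeric value as an Established session and a name (Idle, Active, ...) as a session that is down, and diffs two captures. BEFORE and AFTER are the MERCURY tables from the slides; DOWN_SAMPLE is a constructed row, not slide output, used to show a peer stuck in Active.

```python
"""Parse 'show ip bgp summary' and compare two captures.
Added example, not from the session deck and not IOS code. BEFORE and AFTER
are the fusion router (MERCURY) tables from the slides; DOWN_SAMPLE is a
constructed row that is not on any slide."""
import re

BEFORE = """\
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.111.1   4        65001      10      10        3    0    0 00:05:46        0
192.168.111.5   4        65001       9      10        3    0    0 00:04:12        1
192.168.111.9   4        65001       9      11        3    0    0 00:03:52        1
192.168.111.13  4        65001       6       9        3    0    0 00:02:07        0
"""

AFTER = """\
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.111.1   4        65001      14      16       30    0    0 00:09:38        0
192.168.111.5   4        65001      13      15       30    0    0 00:08:03        1
192.168.111.9   4        65001      14      17       30    0    0 00:07:44       28
192.168.111.13  4        65001      10      14       30    0    0 00:05:58        0
"""

# Constructed (not slide output): a peer that never came up.
DOWN_SAMPLE = """\
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.111.1   4        65001       0       0        1    0    0 never    Active
"""

ROW_RE = re.compile(
    r"^(?P<nbr>\d+\.\d+\.\d+\.\d+)\s+(?P<ver>\d+)\s+(?P<asn>\d+)\s+(?P<rcvd>\d+)\s+(?P<sent>\d+)"
    r"\s+(?P<tblver>\d+)\s+(?P<inq>\d+)\s+(?P<outq>\d+)\s+(?P<updown>\S+)\s+(?P<state>\S+)\s*$"
)


def parse_bgp_summary(text):
    """{neighbor: {...}}. IOS prints a prefix count in the last column only
    when the session is Established; otherwise it prints the FSM state name."""
    result = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        state = m.group("state")
        established = state.isdigit()
        result[m.group("nbr")] = {
            "asn": int(m.group("asn")),
            "up_down": m.group("updown"),
            "established": established,
            "prefixes": int(state) if established else 0,
            "state": "Established" if established else state,
        }
    return result


def prefix_delta(before, after):
    """Per-neighbor change in received prefixes between two captures, plus the
    neighbors that are not Established in the later capture."""
    b = parse_bgp_summary(before)
    a = parse_bgp_summary(after)
    delta = {nbr: info["prefixes"] - b.get(nbr, {}).get("prefixes", 0)
             for nbr, info in a.items()}
    down = sorted(n for n, i in a.items() if not i["established"])
    return {"delta": delta, "down": down}


if __name__ == "__main__":
    print(prefix_delta(BEFORE, AFTER))   # .9 gains 27 prefixes after 'redistribute ospf 1'
    print(parse_bgp_summary(DOWN_SAMPLE))
```

A peer that shows Established with 0 prefixes (the .1 and .13 peers here) is a different condition from a peer that is down; the parser keeps the two apart so a monitoring check can alert on each separately.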
SD-Access Fabric Endpoint Registration information

SPOOKY#sh lisp site instance 4099
LISP Site Registration Information
* = Some locators are down or unreachable
# = Some registrations are sourced by reliable transport
Site Name   Last      Up    Who Last        Inst  EID Prefix
            Register        Registered      ID
site_uci    never     no    --              4099  0.0.0.0/0
            17:32:21  yes#  192.168.1.3     4099  10.111.0.0/16
            01:40:00  yes#  192.168.1.7     4099  10.111.0.3/32

VAMPIRE-1#sh lisp instance 4099 dynamic-eid summary
LISP Dynamic EID Summary for VRF "USERS"
^ = Dyn-EID learned by EID Notify
* = Dyn-EID learned by Site-Based Map-Notify
Dyn-EID Name       Dynamic-EID   Interface  Uptime    Last      Pending
                                                       Packet    Ping Count
10_111_0_0-USERS   10.111.0.3    Vl1021     01:38:42  01:38:42  0
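The registration table above is where a fabric operator sees which RLOC (fabric edge or border) claims each endpoint prefix: the border registers the /16 pool and the edge registers the /32 of the host it detected. Added example, not from the session deck and not IOS or DNA Center code: a Python parser for "show lisp site instance <id>" that groups registrations by RLOC, reads the "*" and "#" status flags, and lists host registrations that fall outside every registered pool prefix. The first three data rows are the SPOOKY output on the slide; the fourth row is constructed to show a registration with a locator down for a host outside any pool.

```python
"""Parse 'show lisp site instance <id>' from a fabric control plane node and
flag registrations worth attention. Added example, not from the session deck
and not IOS or DNA Center code. The first three data rows are the SPOOKY
output on the slide; the fourth row is constructed."""
import ipaddress

SITE_OUTPUT = """\
LISP Site Registration Information
* = Some locators are down or unreachable
# = Some registrations are sourced by reliable transport
Site Name      Last      Up     Who Last             Inst     EID Prefix
               Register         Registered           ID
site_uci       never     no     --                   4099     0.0.0.0/0
               17:32:21  yes#   192.168.1.3          4099     10.111.0.0/16
               01:40:00  yes#   192.168.1.7          4099     10.111.0.3/32
               00:00:10  yes*   192.168.1.8          4099     10.200.0.9/32
"""


def parse_site_registrations(text):
    """One dict per EID row. Rows that begin with a site name carry it;
    continuation rows inherit the last site seen."""
    rows, site = [], None
    for line in text.splitlines():
        tok = line.split()
        name = None
        if len(tok) == 6:            # site-name column present on this row
            name, tok = tok[0], tok[1:]
        if len(tok) != 5:
            continue
        last, up, who, iid, eid = tok
        state = up.rstrip("#*")      # strip the status flags IOS appends to yes/no
        if state not in ("yes", "no") or not iid.isdigit() or "/" not in eid:
            continue                 # header or legend line, not a registration
        if name:
            site = name
        rows.append({
            "site": site,
            "last_register": last,
            "up": state == "yes",
            "locator_down": "*" in up,        # '*' = some locators down/unreachable
            "reliable_transport": "#" in up,  # '#' = registration sourced over TCP
            "rloc": None if who == "--" else who,
            "instance_id": int(iid),
            "eid": eid,
        })
    return rows


def registrations_by_rloc(rows):
    """{RLOC: [EID prefixes registered from it]}; unregistered entries are skipped."""
    out = {}
    for r in rows:
        if r["rloc"]:
            out.setdefault(r["rloc"], []).append(r["eid"])
    return out


def unexpected_hosts(rows):
    """Host (/32) registrations outside every registered pool prefix. Pools are
    the non-/32, non-default prefixes in the same table (the /16 the border
    registers here)."""
    pools = [ipaddress.ip_network(r["eid"]) for r in rows
             if r["rloc"] and not r["eid"].endswith("/32") and r["eid"] != "0.0.0.0/0"]
    hosts = [r["eid"] for r in rows if r["eid"].endswith("/32")]
    return [h for h in hosts
            if not any(ipaddress.ip_network(h).network_address in p for p in pools)]


if __name__ == "__main__":
    rows = parse_site_registrations(SITE_OUTPUT)
    print(registrations_by_rloc(rows))
    print("outside any pool:", unexpected_hosts(rows))
    print("locator down:", [r["eid"] for r in rows if r["locator_down"]])
```

Feeding the output of every instance-id into this once a day gives a simple inventory of which edge owns which endpoint, and a host /32 that no provisioned pool covers is the kind of entry worth checking against the DNA Center IP pool design.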
Ping from Host in Fabric to Host outside Fabric
Campus Communications in SD-Access Fabric
Fabric Border is the Exchange Point with the Fusion Router
(Figure legend: Un-encapsulated packet; VXLAN encapsulated packet)
Campus Communications in SD-Access Fabric
North-South – End-point to Internet or destination external to SD-Access fabric
(Figure legend: Un-encapsulated packet; VXLAN encapsulated packet)
Current State of Network
(Figure: MERCURY and POSEIDON at the WAN edge; SPOOKY, acting as Fabric Border (B) and Control Plane (C), and JOLLY at the core; SANDY and ODD_RODS in the service block; PROWLER and INTRUDER at distribution; VAMPIRE-1, VAMPIRE-2 and VAMPIRE-3 at access)
Re-configure Links from Access Switch to Routed Links
(Figure: same topology; the links from the access switches VAMPIRE-1/2/3 are re-configured as Routed Links)
Configure Fabric Edge node functionality on Access switch
(Figure: same topology; VAMPIRE-1/2/3 are configured as Fabric Edge)
Re-configure Core to be redundant Fabric Border/Control Plane
(Figure: same topology; the second core switch JOLLY is configured as Fabric Border/Control Plane (B, C) for redundancy alongside SPOOKY)
Re-configure Links from Access Switch to Routed Links
(Figure: same topology; the remaining access-facing links are re-configured as Routed Links)
Configure Fabric node functionality on Access/Distribution Sw
(Figure: same topology; PROWLER and INTRUDER are optionally configured as Fabric Border, the access switches are configured as Fabric Edge)
Distribute Control Plane nodes for Scale
(Figure: same topology; SPOOKY and JOLLY remain Fabric Borders (B); if scale demands, dedicated Control Plane nodes (C) are configured at PROWLER and INTRUDER)
Branch Design
(Figure: branch with MPLS and I-NET WAN links, DDI services and a Branch IWAN router; Fabric Borders*/Control Nodes below it, Fabric Edge Nodes at access)
Advertise Routes from Fabric to External Router
* Optionally advertise external known networks from Fabric Border
Integrate Wireless
SD-Access Wireless Adoption
Greenfield building
(Figure: DNAC, ISE / AD, Internet, WLC, Fabric Guest Fabric node (FB), fabric nodes B C, VXLAN tunnel to SD-Access Guest FB, VXLAN (Data), CAPWAP Control, Fabric building with Fabric APs, SSIDs Blizzard and Guest, clients BYOD, Contractor, Employee)
Full SD-Access Wireless value
 DNA Center and NDP for Automation & Assurance
 Virtual Networks for Segmentation (ex Employee, IoT, Guest)
 ISE for SGT Access Control within VRF (ex. Contractor, BYOD, Employees)
 Subnet extension across Campus with distributed data plane
 Optimized path for Guest and no Anchor WLC
 And more…
SD-Access Wireless Adoption
Greenfield building – requirements and migration steps
(Figure: same greenfield topology: DNAC, ISE / AD, Internet, WLC, Fabric Guest Fabric node (FB), fabric nodes B C, VXLAN tunnel to Guest FB, VXLAN (Data), CAPWAP Control, Fabric building with Fabric APs, SSIDs Blizzard and Guest, clients BYOD, Contractor, Employee)
Requirements HW/SW:
• WLC 3504/5520/8540 with 8.5.110
• Wave 2 or Wave 1 AP
• ISE 2.3 Patch 1
• 16.6.2s for FE/FB/CP nodes
Policy:
• Policy based on SGTs and VNIs
Guest
• Dedicated Fabric Domain for Guest
Management/Automation
• DNA-C
Troubleshooting and Assurance
• DNAC
Adoption steps
• Deploy Fabric on the wired side first, including ISE
• Configure IP pools in DHCP server
• Connect WLC external to Fabric
• Use DNA-C for Fabric configuration:
  Configure a site for your Fabric buildings
  Define the IP pools for the APs and clients
  Configure Virtual Networks (one for Guest)
  Configure Policies within the VNs
  Configure SSIDs and associated IP Pools
  Provision WLC to site and add to Fabric
  Connect APs to Fabric Edges
• Connect the APs and verify they join the WLC
• Associate clients and verify the basic connectivity
Migrating to SD-Access Wireless from CUWN
(Figure: Datacenter with DHCP, ISE, Cisco Prime and the WLC; Bldg 1 and Bldg 2 are both Non Fabric)
 Customer has a site with AireOS Centralized wireless
 Assumptions:
  Migration to Fabric happens in a single area (e.g. building) at a time, and the migration of that area is done in one shot
  No need for seamless roaming between the new SDA area and the existing wireless deployment
BRKCRS-2810 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 126
SD-Access Wireless Adoption
• Migration for an existing CUWN deployment
(Figure: DNA Center, DHCP, ISE, Cisco Prime and the WLC in the Datacenter; Bldg 1 Non Fabric; Bldg 2 now SD Fabric with Control Plane (C) and Border (B) nodes; the APs still reach the WLC over CAPWAP)
1  Migrate wired network to Fabric first
2  Add DNAC and ISE (if not present already)
3  Wireless is over the top
SD-Access Wireless Adoption
• Migration for an existing CUWN deployment
(Figure: DNA Center, DHCP, ISE, Cisco Prime in the Datacenter; Bldg 1 Non Fabric; Bldg 2 SD Fabric with C and B nodes and a new SDA WLC; legend CAPWAP Control, VXLAN)
1  Add a dedicated WLC for SD-Access and configure it with same SSIDs
SD-Access Wireless Adoption
• Migration for an existing CUWN deployment
(Figure: DNA Center, DHCP, ISE, Cisco Prime in the Datacenter; Bldg 1 Non Fabric; Bldg 2 SD Fabric with C and B nodes and the new SDA WLC; CAPWAP Cntrl from the APs now terminates on the SDA WLC; legend CAPWAP Control, VXLAN)
1  Add a dedicated WLC for SD-Access and configure it with same SSIDs
2  On CUWN WLC, configure the APs in the area to join the new Fabric WLC
SD-Access Wireless Adoption
• Migration for an existing CUWN deployment
(Figure: DNA Center, DHCP, ISE, Cisco Prime in the Datacenter; Bldg 1 Non Fabric; Bldg 2 SD Fabric with C and B nodes and the SDA WLC; CAPWAP Cntrl to the SDA WLC, VXLAN (Data) inside the fabric; No seamless roaming between Bldg 1 and Bldg 2; legend CAPWAP Control, VXLAN)
1  Add a dedicated WLC for SD-Access and configure it with same SSIDs
2  On CUWN WLC, configure the APs in the area to join the new Fabric WLC
3  Traffic now goes through the Fabric
SD-Access Wireless Adoption
• Migration for an existing CUWN deployment
(Figure: DNA Center, DHCP, ISE, Cisco Prime and the CUWN WLC in the Datacenter; Bldg 1 Non Fabric; Bldg 2 SD Fabric with C and B nodes and the SDA WLC; CAPWAP Cntrl to the SDA WLC, VXLAN (Data) inside the fabric; No seamless roaming between the buildings)
Recommendations
 Prime for CUWN areas, DNAC for SDA areas
 Dedicated WLC for SD-Access Wireless
 Same SSIDs on Fabric and non-Fabric
 Same RF Groups for CUWN WLC and SDA WLC
 WLCs in different Mobility Group (no seamless roaming between areas)
Workflow
Add IP Pools for AP and clients
Design Module: Add IP Pool for APs
Design Module: Add IP Pool for Wireless Clients
Workflow
Create SSIDs
Design Module: Add SSID(s)
Design Module: Add SSID(s) with Fabric-capability enabled
Workflow
Associate IP Pools to VN
Host Onboarding: Associate AP Pool to INFRA_VN
Host Onboarding: Associate User IP Pool to USERS VN
Fabric Edge node configurations for AP onboarding
VAMPIRE-1#s | i macro
macro auto execute CISCO_WIRELESS_LIGHTWEIGHT_AP_EVENT builtin CISCO_LWAP_AUTO_SMARTPORT ACCESS_VLAN=1022
macro auto global processing
macro description CISCO_WIRELESS_LIGHTWEIGHT_AP_EVENT
VAMPIRE-1#sh vrf
Name         Default RD   Protocols  Interfaces
DEFAULT_VN   1:4098       ipv4       LI0.4098
GUEST        1:4100       ipv4       LI0.4100
Mgmt-vrf     <not set>    ipv4,ipv6  Gi0/0
USERS        1:4099       ipv4       LI0.4099
                                     Vl1021
                                     Vl1023

VAMPIRE-1#s int vl1022
Building configuration...
interface Vlan1022
description Configured from apic-em
mac-address 0000.0c9f.f45d
ip address 10.100.255.254 255.255.0.0
ip helper-address 192.168.4.1
no ip redirects
ip route-cache same-interface
no lisp mobility liveness test
lisp mobility 10_100_0_0-INFRA_VN
end

VAMPIRE-1#s int vl1023
Building configuration...
interface Vlan1023
description Configured from apic-em
mac-address 0000.0c9f.f45e
vrf forwarding USERS
ip address 10.112.255.254 255.255.0.0
ip helper-address 192.168.4.1
no ip redirects
ip route-cache same-interface
no lisp mobility liveness test
lisp mobility 10_112_0_0-USERS
end
Fabric Edge node configurations for AP onboarding

VAMPIRE-1#s | sec lisp


router lisp
locator-table default
locator-set rloc_e9eed690-f1f8-400d-a388-8c956539ef27
IPv4-interface Loopback0 priority 10 weight 10
exit-locator-set
!
instance-id 4097
remote-rloc-probe on-route-change
dynamic-eid 10_100_0_0-INFRA_VN
database-mapping 10.100.0.0/16 locator-set rloc_e9eed690-f1f8-400d-a388-8c956539ef27
exit-dynamic-eid
!
service ipv4
eid-table default
map-cache 0.0.0.0/0 map-request
exit-service-ipv4
!
exit-instance-id

Fabric Edge node configurations for User IP Pool onboarding

VAMPIRE-1#s | sec lisp


router lisp
!
instance-id 4099
remote-rloc-probe on-route-change
dynamic-eid 10_111_0_0-USERS
database-mapping 10.111.0.0/16 locator-set rloc_e9eed690-f1f8-400d-a388-8c956539ef27
exit-dynamic-eid
!
dynamic-eid 10_112_0_0-USERS
database-mapping 10.112.0.0/16 locator-set rloc_e9eed690-f1f8-400d-a388-8c956539ef27
exit-dynamic-eid
!
service ipv4
eid-table vrf USERS
map-cache 0.0.0.0/0 map-request
exit-service-ipv4
!
exit-instance-id

L2 VNI support enabled for AP and User Wireless IP Pools

VAMPIRE-1#s | sec lisp


router lisp
!
instance-id 8188
remote-rloc-probe on-route-change
service ethernet
eid-table vlan 1022
database-mapping mac locator-set rloc_e9eed690-f1f8-400d-a388-8c956539ef27
exit-service-ethernet
!
exit-instance-id
!
instance-id 8189
remote-rloc-probe on-route-change
service ethernet
eid-table vlan 1023
database-mapping mac locator-set rloc_e9eed690-f1f8-400d-a388-8c956539ef27
exit-service-ethernet
!
exit-instance-id

AP attachment to Fabric Edge node

VAMPIRE-1#sh cdp ne
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay
Device ID Local Intrfce Holdtme Capability Platform Port ID
APCC16.7EF0.B09C Ten 1/0/3 176 R T AIR-AP280 Gig 0
AP0081.C46C.C7F4 Ten 1/0/2 132 R T AIR-AP280 Gig 0

Best practice configuration on Access Port interface to AP

VAMPIRE-1#s int t1/0/2


Building configuration...
interface TenGigabitEthernet1/0/2
switchport access vlan 1022
switchport mode access
switchport block unicast
switchport port-security violation protect
switchport port-security aging time 1
switchport port-security aging type inactivity
load-interval 30
storm-control broadcast level pps 1k
storm-control multicast level pps 2k
storm-control action trap
auto qos trust dscp
macro description CISCO_WIRELESS_LIGHTWEIGHT_AP_EVENT
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoQos-4.0-Trust-Dscp-Input-Policy
service-policy output AutoQos-4.0-Output-Policy
ip dhcp snooping limit rate 15
end

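The port above carries the items that make an AP-facing access port safe to leave unattended: BPDU guard and portfast, broadcast/multicast storm control, a port-security violation mode, a DHCP snooping rate limit and unicast blocking. Added example, not from the deck and not DNA Center's template logic: a Python audit that reads interface blocks from a running-config and checks every access port in the AP VLAN for those items. The first interface is the Te1/0/2 config from the slide; Te1/0/4 is a constructed, partly configured port added for contrast.

```python
"""Audit AP-facing access ports against the best-practice port shown on the
slide. Added example, not from the session deck and not DNA Center code.
Te1/0/2 below is the slide's config; Te1/0/4 is a constructed weaker port."""
import re

RUNNING_CONFIG = """\
interface TenGigabitEthernet1/0/2
 switchport access vlan 1022
 switchport mode access
 switchport block unicast
 switchport port-security violation protect
 switchport port-security aging time 1
 switchport port-security aging type inactivity
 load-interval 30
 storm-control broadcast level pps 1k
 storm-control multicast level pps 2k
 storm-control action trap
 auto qos trust dscp
 macro description CISCO_WIRELESS_LIGHTWEIGHT_AP_EVENT
 spanning-tree portfast
 spanning-tree bpduguard enable
 service-policy input AutoQos-4.0-Trust-Dscp-Input-Policy
 service-policy output AutoQos-4.0-Output-Policy
 ip dhcp snooping limit rate 15
!
interface TenGigabitEthernet1/0/4
 switchport access vlan 1022
 switchport mode access
 spanning-tree portfast
!
"""

# Each check: name -> regex that must match one line of the interface block.
REQUIRED = {
    "bpduguard": r"^spanning-tree bpduguard enable$",
    "portfast": r"^spanning-tree portfast$",
    "storm-control broadcast": r"^storm-control broadcast level ",
    "storm-control multicast": r"^storm-control multicast level ",
    "port-security violation": r"^switchport port-security violation ",
    "dhcp snooping rate limit": r"^ip dhcp snooping limit rate \d+$",
    "unicast block": r"^switchport block unicast$",
}


def parse_interfaces(config):
    """{interface name: [config lines with leading space removed]}. A line that
    is not indented ('!', 'interface ...', anything else) ends the block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current:
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks


def audit_port(lines):
    """Names of the best-practice items missing from one interface block."""
    return [name for name, pat in REQUIRED.items()
            if not any(re.match(pat, l) for l in lines)]


def audit_ap_ports(config, ap_vlan):
    """Audit only access ports in the AP VLAN; {interface: [missing items]}."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if f"switchport access vlan {ap_vlan}" in lines:
            report[name] = audit_port(lines)
    return report


if __name__ == "__main__":
    for intf, missing in audit_ap_ports(RUNNING_CONFIG, 1022).items():
        print(intf, "OK" if not missing else "missing: " + ", ".join(missing))
```

The AP VLAN number (1022 here) comes from the ACCESS_VLAN value in the auto-smartport macro on the fabric edge, so the same audit can be pointed at each edge with the VLAN read from "show run | include macro".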
Ensure WLC subnet is learnt in underlay by Fabric Edge node

VAMPIRE-1#sh ip route 192.168.3.0


Routing entry for 192.168.3.0/24
Known via "ospf 1", distance 110, metric 4, type intra area
Last update from 192.168.12.102 on TenGigabitEthernet1/1/2, 3d19h ago
Routing Descriptor Blocks:
192.168.12.102, from 192.168.1.10, 3d19h ago, via TenGigabitEthernet1/1/2
Route metric is 4, traffic share count is 1
* 192.168.2.62, from 192.168.1.10, 3d19h ago, via TenGigabitEthernet1/1/1
Route metric is 4, traffic share count is 1
VAMPIRE-1#

Fabric Border Configuration

SPOOKY#sh vrf
Name      Default RD   Protocols  Interfaces
USERS     1:4099       ipv4       Vl3002
                                  LI0.4099
                                  Lo1021
                                  Lo1023
SPOOKY#s int lo1023
Building configuration...
interface Loopback1023
description Loopback Border
vrf forwarding USERS
ip address 10.112.255.254 255.255.255.255
end
LISP/BGP Configuration on Control Plane/Fabric Border
SPOOKY#sh run | b er lis
router lisp
site site_uci
description map-server configured from apic-em
authentication-key uci
eid-record instance-id 4097 10.100.0.0/16 accept-more-specifics
eid-record instance-id 4099 10.112.0.0/16 accept-more-specifics
eid-record instance-id 8188 any-mac
eid-record instance-id 8189 any-mac
exit-site

SPOOKY#s | b er bgp
router bgp 65001
address-family ipv4
network 10.100.255.254 mask 255.255.255.255
aggregate-address 10.100.0.0 255.255.0.0 summary-only
address-family ipv4 vrf USERS
network 10.112.255.254 mask 255.255.255.255
aggregate-address 10.112.0.0 255.255.0.0 summary-only

APs in Overlay joining the WLC – external to fabric

(ODD_RODS) >show ap summary
Number of APs.................................... 2
Global AP User Name.............................. Not Configured
Global AP Dot1x User Name........................ Not Configured

AP Name                  Slots  AP Model              Ethernet MAC       IP Address
-----------------------  -----  --------------------  -----------------  --------------
AP0081.C46C.C7F4         2      AIR-AP2802I-B-K9      00:81:c4:6c:c7:f4  10.100.0.1
APCC16.7EF0.B09C         2      AIR-AP2802I-B-K9      cc:16:7e:f0:b0:9c  10.100.0.2
AP Onboarding in SD-Access fabric
Workflow
Provision WLC
Provision WLC with Site-specific settings
Before, and After Provisioning WLC

(ODD_RODS) >show wlan summary

Number of WLANs.................................. 0
WLAN ID WLAN Profile Name / SSID Status Interface Name PMIPv6 Mobility
------- -------------------------------- -------- -------------------- ---------------

(ODD_RODS) >show wlan summary

Number of WLANs.................................. 2
WLAN ID WLAN Profile Name / SSID Status Interface Name PMIPv6 Mobility
------- ------------------------------- -------- -------------------- ---------------
20 tornado_F_091c8 / tornado Disabled management none

Fabric configuration before provisioning
(ODD_RODS) >show fabric summary
Fabric Support................................... disabled
Enterprise Control Plane MS config
--------------------------------------
Guest Control Plane MS config
-------------------------------
Fabric TCP keep alive config
----------------------------
Fabric MS TCP retry count configured ............ 3
Fabric MS TCP timeout configured ................ 10
Fabric MS TCP keep alive interval configured .... 10
Fabric Interface name configured .............. management
<snip ….. .... snip>
VNID Mappings configured: 0
Fabric Flex-Acl-tables Status
-------------------------------- -------
Fabric Enabled Wlan summary
WLAN ID  SSID           Type  L2 Vnid     SGT     RLOC IP          Clients  VNID Name
-------  -------------  ----  ----------  ------  ---------------  -------  -----------
Workflow
Add WLC to SD-Access Fabric
Adding WLC to SD-Access Fabric
Fabric configuration on WLC after integration

(ODD_RODS) >show fabric summary
Fabric Support................................... enabled
Enterprise Control Plane MS config
--------------------------------------
Primary Active MAP Server
IP Address....................................... 192.168.1.3
Guest Control Plane MS config
-------------------------------
Fabric TCP keep alive config
----------------------------
VNID Mappings configured: 3
Name                              L2-Vnid     L3-Vnid     IP Address/Subnet
--------------------------------  ----------  ----------  ---------------------------------
10_112_0_0-USERS                  8189        0           0.0.0.0 / 0.0.0.0
10_100_0_0-INFRA_VN               8188        4097        10.100.0.0 / 255.255.0.0
Fabric Enabled Wlan summary
WLAN ID  SSID              Type  L2 Vnid     SGT     RLOC IP    Clients  VNID Name
-------  ----------------  ----  ----------  ------  ---------  -------  ------------

Control plane node after the WLC is added (the WLC is a locator-set of its own):

SPOOKY#s | sec lisp
no lisp mobility liveness test
router lisp
locator-table default
locator-set WLC
192.168.3.1
exit-locator-set
Integrate Wireless in Cisco SD-Access Fabric
(Figure: WAN Edge MERCURY and POSEIDON; Core SPOOKY and JOLLY as Fabric Borders (B); WLC/SERVICE BLOCK SANDY and ODD_RODS; Distribution PROWLER and INTRUDER as Control Plane nodes (C); Access VAMPIRE-1, VAMPIRE-2, VAMPIRE-3)
Workflow
Assign APs to Site and Provision APs
Assign Site Locations to APs
Choose specific locations like Floors
Assign Site Locations to APs: Success
Provision APs
Provision APs: RF Profile selection
Provision APs: APs reboot
Provision APs: Success
VXLAN Tunnel formation between Fabric Edge and AP
Jan 22 05:19:36.635: %AUTOSMARTPORT-5-INSERT: Device Cisco-AIR-LAP detected on interface TenGigabitEthernet1/0/2, executed CISCO_WIRELESS_LIGHTWEIGHT_AP_EVENT
Jan 22 05:19:43.818: %AUTOSMARTPORT-5-INSERT: Device Cisco-AIR-LAP detected on interface TenGigabitEthernet1/0/3, executed CISCO_WIRELESS_LIGHTWEIGHT_AP_EVENT
VAMPIRE-1#
Jan 22 05:20:08.647: %LINK-3-UPDOWN: Interface Vlan1022, changed state to up
Jan 22 05:20:09.648: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1022, changed state to up
VAMPIRE-1#
Jan 22 05:21:02.102: %LINEPROTO-5-UPDOWN: Line protocol on Interface AccessTunnel1, changed state to up
Jan 22 05:21:10.221: %LINEPROTO-5-UPDOWN: Line protocol on Interface AccessTunnel0, changed state to up

VAMPIRE-1#sh access-tunnel summary
Access Tunnels General Statistics:
Number of AccessTunnel Data Tunnels = 2
Name    SrcIP            SrcPort  DestIP           DstPort  VrfId
------  ---------------  -------  ---------------  -------  -----
Ac1     192.168.1.7      N/A      10.100.0.1       4789     0
Ac0     192.168.1.7      N/A      10.100.0.2       4789     0

Name    IfId        Uptime
------  ----------  --------------------
Ac1     0x0000003E  0 days, 00:01:38
Ac0     0x0000003D  0 days, 00:01:30
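Each AP that joins gets a VXLAN access tunnel (UDP 4789) from the fabric edge's RLOC to the AP's address in the INFRA_VN pool, and the WLC lists the same AP addresses in "show ap summary". Added example, not from the deck and not IOS or AireOS code: a Python check that pairs the two tables so an AP the WLC knows but for which this edge has no tunnel, or a tunnel to an address the WLC does not list, stands out. ACCESS_TUNNEL and AP_SUMMARY are the VAMPIRE-1 and ODD_RODS outputs from the slides; CONSTRUCTED_AP is a made-up third AP row used to show the missing-tunnel case.

```python
"""Pair a fabric edge's access tunnels with the WLC's AP list.
Added example, not from the session deck and not IOS/AireOS code.
ACCESS_TUNNEL and AP_SUMMARY are the VAMPIRE-1 and ODD_RODS outputs on the
slides; CONSTRUCTED_AP is a made-up AP row with no tunnel."""
import re

ACCESS_TUNNEL = """\
Access Tunnels General Statistics:
Number of AccessTunnel Data Tunnels = 2
Name    SrcIP            SrcPort  DestIP           DstPort  VrfId
------  ---------------  -------  ---------------  -------  -----
Ac1     192.168.1.7      N/A      10.100.0.1       4789     0
Ac0     192.168.1.7      N/A      10.100.0.2       4789     0
"""

AP_SUMMARY = """\
AP Name                  Slots  AP Model              Ethernet MAC       IP Address
-----------------------  -----  --------------------  -----------------  --------------
AP0081.C46C.C7F4         2      AIR-AP2802I-B-K9      00:81:c4:6c:c7:f4  10.100.0.1
APCC16.7EF0.B09C         2      AIR-AP2802I-B-K9      cc:16:7e:f0:b0:9c  10.100.0.2
"""

# Constructed row (not on any slide): an AP the WLC sees with no access tunnel.
CONSTRUCTED_AP = "APTEST.0000.0001         2      AIR-AP2802I-B-K9      00:00:00:00:00:01  10.100.0.3\n"

VXLAN_PORT = 4789  # destination port of the edge-to-AP access tunnels on the slide

TUNNEL_RE = re.compile(
    r"^(Ac\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)$")
AP_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+(\S+)\s+([0-9a-f:]{17})\s+(\d+\.\d+\.\d+\.\d+)$")


def parse_access_tunnels(text):
    """{AP IP (tunnel DestIP): {name, src, dport, vrf}} from 'show access-tunnel summary'."""
    tunnels = {}
    for line in text.splitlines():
        m = TUNNEL_RE.match(line.strip())
        if m:
            name, src, _sport, dst, dport, vrf = m.groups()
            tunnels[dst] = {"name": name, "src": src, "dport": int(dport), "vrf": int(vrf)}
    return tunnels


def parse_ap_summary(text):
    """{AP IP: {name, model, mac}} from AireOS 'show ap summary'."""
    aps = {}
    for line in text.splitlines():
        m = AP_RE.match(line.strip())
        if m:
            name, _slots, model, mac, ip = m.groups()
            aps[ip] = {"name": name, "model": model, "mac": mac}
    return aps


def check_ap_tunnels(tunnel_text, ap_text):
    """APs with a VXLAN tunnel on this edge, APs on the WLC with no tunnel here
    (expected when the AP sits on another edge, otherwise a join problem), and
    tunnels to addresses the WLC does not list as an AP."""
    tunnels = parse_access_tunnels(tunnel_text)
    aps = parse_ap_summary(ap_text)
    return {
        "ok": sorted(ip for ip in aps if ip in tunnels and tunnels[ip]["dport"] == VXLAN_PORT),
        "missing_tunnel": sorted(ip for ip in aps if ip not in tunnels),
        "tunnel_without_ap": sorted(ip for ip in tunnels if ip not in aps),
    }


if __name__ == "__main__":
    print(check_ap_tunnels(ACCESS_TUNNEL, AP_SUMMARY))
    print(check_ap_tunnels(ACCESS_TUNNEL, AP_SUMMARY + CONSTRUCTED_AP))
```

With several edges, concatenate every edge's access-tunnel table before the check so that only APs with no tunnel anywhere land in "missing_tunnel".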
Workflow
Associate IP Pool to SSID
Map IP Pool to SSID
Workflow
Wired/Wireless Communication
Wireless User in SD-Access Wireless

VAMPIRE-1#sh lisp instance 4099 dynamic-eid summary
LISP Dynamic EID Summary for VRF "USERS"
^ = Dyn-EID learned by EID Notify
* = Dyn-EID learned by Site-Based Map-Notify
Dyn-EID Name       Dynamic-EID   Interface  Uptime    Last      Pending
                                                       Packet    Ping Count
10_111_0_0-USERS   10.111.0.2    Vl1021     1d07h     1d07h     0
10_111_0_0-USERS   10.111.0.3    Vl1021     23:53:59  23:53:59  0
10_112_0_0-USERS   10.112.0.1    Vl1023     00:00:54  00:00:54  0

VAMPIRE-1#sh mac address-table dynamic vlan 1023
Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type      Ports
----    -----------       --------  -----
1023    7018.8b45.079f    CP_LEARN  Ac0
Total Mac Addresses for this criterion: 1
Communications between Wired/Wireless in SD-Access

BRKCRS-2812 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 185
Host in Existing Network and Wireless Client in SD-Access

BRKCRS-2812 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 186
End-State of Network with Wired/Wireless hosts

BRKCRS-2812 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 187
Communications in SD-Access
Wired Host and Wireless endpoint in SD-Access fabric

Un-encapsulated packet
VXLAN encapsulated packet
Communications in SD-Access
Wired host in existing network and Wireless client in SD-Access Fabric

[Diagram; legend: un-encapsulated packet, VXLAN encapsulated packet]
Communications in SD-Access
Wireless Client in SD-Access fabric and host outside the Campus

[Diagram; legend: un-encapsulated packet, VXLAN encapsulated packet]
Migrating Routed Access
Migrating Routed Access to Cisco SD-Access

[Diagram: External Network, Core, Distribution and Access layers; access subnets 10.1.1.0/24 (VLAN 10), 10.1.2.0/24 (VLAN 20), 10.1.3.0/24 (VLAN 30), 10.1.4.0/24 (VLAN 40)]
Routed Access Design Considerations

• Can re-use the existing subnets to migrate into SD-Access
• No changes to existing DHCP scope and subnet size
• No changes to existing firewall or other policies that are based on IP-ACL
• Old network design is retained for familiarity
• Cannot realize the advantages of fewer, larger subnets that are optimized for SD-Access

Routed Access Migration to SD-Access

• Shut down the existing SVI (Vlan10 in this case)
• Provision the existing subnet from DNA-Center (10.1.1.0/24 in this case)
• DNA-Center will provision Vlan3000 with 10.1.1.0/24
• Move hosts to the fabric-enabled IP Pool
• Verify connectivity

[Diagram: External Network above the fabric (C, B); on the migrated access switch 10.1.1.0/24 is now on VLAN 3000, while 10.1.2.0/24 remains on VLAN 20]

Routed Access Migration to SD-Access

• Repeat the process for the other VLANs on the Fabric Edge
• Repeat the same process on the other access switches, converting them to Fabric Edges
• Migration is One-Switch-At-A-Time – NOT – One-VLAN-At-A-Time

[Diagram: External Network above the fabric (C, B); both migrated access switches now carry 10.1.1.0/24 and 10.1.2.0/24 on fabric VLANs 3000 and 3001]
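A check for the "Verify connectivity" step, added here as an example and not part of the deck or of DNA Center: it parses the "show lisp instance <id> dynamic-eid summary" output format shown earlier and reports which hosts of a migrated subnet the Fabric Edge has not yet learned on the new fabric VLAN. The sample output, the host list, the subnet and the reading of the Pending Ping Count column are constructed assumptions.

```python
import ipaddress
import re
from typing import Dict, List, NamedTuple

# Constructed sample modelled on 'show lisp instance <id> dynamic-eid summary':
# Vlan10 was shut and 10.1.1.0/24 re-provisioned on Vlan3000. The 10_1_2_0 row
# belongs to another pool and must be ignored when checking 10.1.1.0/24.
SAMPLE_OUTPUT = """\
LISP Dynamic EID Summary for VRF "USERS"
  ^ = Dyn-EID learned by EID Notify
  * = Dyn-EID learned by Site-Based Map-Notify
Dyn-EID Name        Dynamic-EID   Interface  Uptime    Last      Pending
                                                       Packet    Ping Count
10_1_1_0-USERS      10.1.1.10     Vl3000     00:05:12  00:05:12  0
10_1_1_0-USERS      10.1.1.11     Vl3000     00:04:58  00:04:58  0
10_1_1_0-USERS      10.1.1.12     Vl3000     00:00:54  00:00:54  2
10_1_2_0-USERS      10.1.2.20     Vl3001     01:10:03  01:10:03  0
"""

class DynEid(NamedTuple):
    name: str
    address: ipaddress.IPv4Address
    interface: str
    pending_pings: int

# Columns: name, IPv4 EID, interface, uptime, last packet, pending ping count.
ROW_RE = re.compile(r"^\s*(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+\S+\s+\S+\s+(\d+)\s*$")

def parse_dynamic_eids(output: str) -> List[DynEid]:
    """Data rows only; header, legend and prompt lines do not match ROW_RE."""
    rows = []
    for m in filter(None, map(ROW_RE.match, output.splitlines())):
        rows.append(DynEid(m.group(1), ipaddress.IPv4Address(m.group(2)),
                           m.group(3), int(m.group(4))))
    return rows

def check_migration(output: str, subnet: str, expected_hosts: List[str],
                    fabric_vlan: int) -> Dict[str, List[str]]:
    """missing: expected hosts with no dynamic-EID entry yet;
    wrong_vlan: learned, but not on the fabric SVI DNA Center provisioned;
    pending: learned, but the edge still has liveness pings outstanding
    (assumed meaning of the Pending Ping Count column)."""
    net = ipaddress.IPv4Network(subnet)
    learned = {e.address: e for e in parse_dynamic_eids(output) if e.address in net}
    expected = {ipaddress.IPv4Address(h) for h in expected_hosts}
    return {
        "missing": sorted(str(a) for a in expected - set(learned)),
        "wrong_vlan": sorted(str(a) for a, e in learned.items()
                             if e.interface != f"Vl{fabric_vlan}"),
        "pending": sorted(str(a) for a, e in learned.items() if e.pending_pings > 0),
    }
```

Run it once per migrated switch with the host list from the old VLAN's ARP or DHCP lease table before flipping the next VLAN, so a stale or missing host is caught while the old SVI can still be brought back.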

Proof of Concept to Production
Ways to build a PoC

• Start in a lab – isolated, controlled environment
• How do I connect a lab to the production network if I want to validate use cases?
Connect a PoC to Production Network

[Diagram: PoC fabric with control plane (C) and border (B) nodes, a Fusion Router, and the External Network]
Layer-3 Routing Protocol Normalization

Redistribute eBGP to OSPF/EIGRP

[Diagram: fabric side (C, B) runs ISIS/OSPF with eBGP toward the External Network; existing network side runs EIGRP/OSPF]
Key Takeaways

• Can migrate existing network topologies to SD-Access
• Supports migration of
  • Layer-2 as well as
  • Routed Access designs
• Automation support makes it easy for migration
• Considerations in migration
  • PoC in labs
  • Verify every use-case works as per requirement
  • Start small: small/medium Campus/Branch locations
Complete Your Online Session Evaluation

• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.

Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Tech Circle
• Meet the Engineer 1:1 meetings
• Related sessions

