under the hood - koenig-solutions.comrms.koenig-solutions.com/sync_data/trainer/qms/824... · 2019....

Shawn WargoPrincipal Engineer - Technical Marketing

BRKCRS-2810

Cisco Software-Defined Access

Under The Hood

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Webex Teams

Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session

Find this session in the Cisco Events Mobile App

Click “Join the Discussion”

Install Webex Teams or go directly to the team space

Enter messages/questions in the team space

How

1

2

3

4

3

cs.co/ciscolivebot#BRKCRS-2810

BRKCRS-2810

Tuesday (Jan 29) Wednesday (Jan 30) Thursday (Jan 31) Friday (Feb 01)08:00-11:00 11:00-13:00 13:00-15:00 15:00-18:00 08:00-11:00 11:00-13:00 13:00-15:00 15:00-18:00 08:00-11:00 11:00-13:00 13:00-15:00 15:00-18:00 08:00-11:00 11:00-13:00 13:00-15:00 15:00-18:00

Cisco Software-Defined Access Cisco Live Barcelona - Session Map

Sessions are available Online @ CiscoLive.com

You Are Here

BRKCRS-2821SD-Access Integration

LTRACI-2636ACI + SD-Access Lab

BRKCRS-1449ISE & SD-Access

BRKCRS-2810SD-Access Solution

BRKCRS-1501Validated Design

BRKARC-2020Troubleshoot SD-Access

BRKCRS-3810SD-Access Deep Dive

BRKCLD-2412Cross-Domain Policy

BRKCRS-2812SD-Access Migration

BRKCRS-2825SD-Access Scale

BRKEWN-2021SD-Access Demo

BRKCRS-3811SD-Access Policy

BRKEWN-2020SD-Access Wireless

BRKCRS-2814SD-Access Assurance

BRKCRS-2815Connect

SD-Access Sites

LTRCRS-2810SD-Access Lab

Agenda

1

2

3

4

Take AwayWhere to get started?

5

Fabric FundamentalsHow does it work?

Controller FundamentalsHow does it work?

Key ConceptsWhat is SD-Access?

Key BenefitsWhy do you care?

Complex

Time

1 2

3 4

5

Key BenefitsWhy do you care?


Cisco’s Intent-Based NetworkDelivered by Cisco Software Defined Access

9BRKCRS-2810

Intent-BasedNetwork Infrastructure

Cisco DNA Center

AnalyticsPolicy Automation

WirelessSwitch Route

I N T E N T C O N T E X T

S E C U R I T Y

L E A R N I N G

SD-Access

Branch

Wireless Control

Fabric Control

ACI Data Center

SAAS

Fabric Border

Fabric Edge

SD-WAN

BRKCRS-2810

CB B

Cisco Software Defined AccessThe Foundation for Cisco’s Intent-Based Network

IoT Network Employee Network

User Mobility

Policy follows User

Outside

Cisco DNA Center

AssuranceAutomationPolicy

SD-AccessExtension

Automated Network Fabric

Single fabric for Wired and Wireless with full automation

Insights and Telemetry

Analytics and insights into User and Application experience

Identity-Based Policy and Segmentation

Policy definition decoupled from VLAN and IP address

What is Software Defined Access?

KeyConcepts


What is SD-Access?Campus Fabric + Cisco DNA Center (Automation & Assurance)

18BRKCRS-2810

Campus Fabric

CLI or API approach to build a LISP + VXLAN + CTS Fabric overlay for your enterprise Campus networks

CLI provides backwards compatibility, but management is box-by-box. API provides device automation via NETCONF/YANG

Separate management systems

APIC-EM

1.X

SD-Access

GUI approach provides automation & assurance of all Fabric configuration, management and group-based policy

Cisco DNA Center integrates multiple management systems, to orchestrate LAN, Wireless LAN and WAN access

Campus

Fabric

ISE PI

NCP

ISE NDP

Cisco DNA

Center

B

C

B

1.High-Level View

2.Roles & Platforms

3.Fabric Constructs


Roles & Terminology


SD-AccessWhat exactly is a Fabric?

22BRKCRS-2810

• GRE, mGRE

• MPLS, VPLS

• IPSec, DMVPN

• CAPWAP

• LISP

• OTV

• DFA

• ACI

Examples of Network Overlays

A Fabric is an OverlayAn Overlay network is a logical topology used to virtually connect devices, built over an arbitrary physical Underlay topology.

An Overlay network often uses alternate forwarding attributes to provide additional services, not provided by the Underlay.


SD-AccessFabric Terminology

23BRKCRS-2810

Overlay Control Plane

Underlay Control PlaneUnderlay Network

Hosts

(End-Points)

Edge DeviceEdge Device

Overlay Network

Encapsulation


SD-AccessFabric Underlay – Manual vs. Automated

26BRKCRS-2810

Fully automated prescriptive IP network Underlay Provisioning!

• Key Requirements

• Leverages standard PNP for Bootstrap

• Assumes New / Erased Configuration

• Uses a Global “Underlay” Address Pool

• Key Considerations

• Seed Device pre-setup is required

• 100% Prescriptive (No Custom)

LAN Automation

You can reuse your existing IP network as the Fabric Underlay!

• Key Requirements

• IP reach from Edge to Edge/Border/CP

• Can be L2 or L3 – We recommend L3

• Can be any IGP – We recommend ISIS

• Key Considerations• MTU (Fabric Header adds 50B)

• Latency (RTT of =/< 100ms)

Manual Underlay

Underlay Network


SD-AccessFabric Roles & Terminology

29BRKCRS-2810

NCP

ISE NDP

Control-Plane Nodes – Map System that manages Endpoint to Device relationships

Fabric Edge Nodes – A Fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SD-Access Fabric

Identity Services – NAC & ID Systems (e.g. ISE) for dynamic Endpoint to Group mapping and Policy definition

Fabric Border Nodes – A Fabric device (e.g. Core) that connects External L3 network(s) to the SD-Access Fabric

Identity Services

Intermediate Nodes (Underlay)

Fabric Border Nodes

Fabric Edge Nodes

Network Automation – Simple graphical user interface and intent based automation (e.g. NCP) of fabric devices

Automation

Network Assurance – Data Collectors (e.g. NDP) analyze Endpoint to App flows and monitor fabric status Assurance

Control-PlaneNodes

Fabric Wireless Controller – A Fabric device (WLC) that connects APs and Wireless Endpoints to the SD-Access Fabric

Fabric WirelessController

CampusFabric

B

C

B

Cisco DNA

Center

1.High-Level View

2.Roles & Platforms

3.Fabric Constructs


Roles & Terminology


SD-Access FabricControl-Plane Nodes – A Closer Look

31BRKCRS-2810

Control-Plane Node runs a Host Tracking Database to map location information

UnknownNetworks

KnownNetworks

• A simple Host Database that maps Endpoint IDs to a current Location, along with other attributes

• Host Database supports multiple types of Endpoint ID lookup types (IPv4, IPv6 or MAC)

• Receives Endpoint ID map registrations from Edge and/or Border Nodes for “known” IP prefixes

• Resolves lookup requests from Edge and/or Border Nodes, to locate destination Endpoint IDs

B

C

B


SD-Access PlatformsFabric Control Plane

32BRKCRS-2810

For more details:cs.co/sda-compatibility-matrix

Catalyst 9500Catalyst 9400Catalyst 9300

• Catalyst 9300

• 1/mG RJ45

• 10/25/40/mG NM

• Catalyst 9400

• Sup1/Sup1XL

• 9400 Cards

• Catalyst 9500

• 40/100G QSFP

• 1/10/25G SFP

The Channelco®

CRN®

Products of the Year

2017, 2018

http://cs.co/sda-compatibility-matrix


SD-Access PlatformsFabric Control Plane

33BRKCRS-2810


ISR 4K & ENCSCatalyst 3K Catalyst 6K ASR1K

• Catalyst 3650/3850

• 1/mG RJ45

• 1/10G SFP

• 1/10/40G NM Cards


• Sup2T/Sup6T

• C6800 Cards

• C6880/6840-X

• ISR 4430/4450

• ISR 4330/4450

• ENCS 5400

• ISRv / CSRv

• ASR 1000-X

• ASR 1000-HX

• 1/10G RJ45

• 1/10G SFP



SD-Access FabricEdge Nodes – A Closer Look

36BRKCRS-2810

Edge Node provides first-hop services for Users / Devices connected to a Fabric

UnknownNetworks

KnownNetworks

• Responsible for Identifying and Authenticating Endpoints (e.g. Static, 802.1X, Active Directory)

• Register specific Endpoint ID info (e.g. /32 or /128) with the Control-Plane Node(s)

• Provide an Anycast L3 Gateway for the connected Endpoints (same IP address on all Edge nodes)

• Performs encapsulation / de-encapsulation of data traffic to and from all connected Endpoints

B

C

B


SD-Access PlatformsFabric Edge Node

37BRKCRS-2810

• Catalyst 9400

• Sup1/Sup1XL

• 9400 Cards

Catalyst 9400

• Catalyst 9200/L*

• 1/mG RJ45

• 1G SFP (Uplinks)

Catalyst 9200

• Catalyst 9300

• 1/mG RJ45

• 10/25/40/mG NM

Catalyst 9300


• Catalyst 9500

• 1/10/25G SFP

• 40/100G QSFP

Catalyst 9500

The Channelco®

CRN®


2017, 2018




• Sup2T/Sup6T

• C6800 Cards

• C6880/6840-X

Catalyst 6K

• Catalyst 4500E

• Sup8E/Sup9E (Uplink)

• 4600/4700 Cards (Host)

Catalyst 4500E


• 1/mG RJ45

• 1/10G SFP


Catalyst 3K

SD-Access PlatformsFabric Edge Node

38BRKCRS-2810




SD-Access FabricBorder Nodes

42BRKCRS-2810

UnknownNetworks

KnownNetworks

B

C

B

Border Node is an Entry & Exit point for data traffic going Into & Out of a Fabric

There are 3 Types of Border Node!

• Internal Border (Rest of Company)• connects ONLY to the known areas of the company

• External Border (Outside)• connects ONLY to unknown areas outside the company

• Internal + External (Anywhere)• connects transit areas AND known areas of the company


SD-Access PlatformsFabric Border Node

43BRKCRS-2810


Catalyst 9500Catalyst 9400Catalyst 9300

• Catalyst 9300

• 1/mG RJ45

• 10/25/40/mG NM

• Catalyst 9400

• Sup1/Sup1XL

• 9400 Cards

• Catalyst 9500

• 1/10/25G SFP

• 40/100G QSFP

The Channelco®

CRN®


2017, 2018

Winner



SD-Access PlatformsFabric Border Node

44BRKCRS-2810


Catalyst 3K Catalyst 6K ISR 4K ASR 1KNexus 7K*


• 1/mG RJ45

• 1/10G SFP



• Sup2T/Sup6T

• C6800 Cards

• C6880/6840-X

• ISR 4300/4400

• AppX (AX)

• 1/10G RJ45

• 1/10G SFP

• ASR 1000-X/HX

• AppX (AX)

• 1/10G ELC/EPA

• 40G ELC/EPA

* EXTERNAL ONLY

• Nexus 7700

• Sup2E

• M3 Cards

• LAN1K9 + MPLS



SD-Access FabricBorder Nodes - Internal

47BRKCRS-2810

Internal Border advertises Endpoints to outside, and known Subnets to inside

• Connects to any “known” IP subnets available from the outside network (e.g. DC, WLC, FW, etc.)

• Exports all internal IP Pools to outside (as aggregate), using a traditional IP routing protocol(s).

• Imports and registers (known) IP subnets from outside, into the Control-Plane Map System

• Hand-off requires mapping the context (VRF & SGT) from one domain to another.

UnknownNetworks

KnownNetworks

B

C

B


SD-Access FabricBorder Nodes - External

51BRKCRS-2810

External Border is a “Gateway of Last Resort” for any unknown destinations

• Connects to any “unknown” IP subnets, outside of the network (e.g. Internet, Public Cloud)

• Exports all internal IP Pools outside (as aggregate) into traditional IP routing protocol(s).

• Does NOT import unknown routes! It is a “default” exit, if no entry is available in Control-Plane.

• Hand-off requires mapping the context (VRF & SGT) from one domain to another.

UnknownNetworks

KnownNetworks

B

C

B


SD-Access Fabric Fabric Enabled Wireless – A Closer Look

60BRKCRS-2810

Fabric Enabled WLC is integrated into Fabric for SD-Access Wireless clients

UnknownNetworks

KnownNetworks

• Connects to Fabric via Border (Underlay)

• Fabric Enabled APs connect to the WLC (CAPWAP) using a dedicated Host Pool (Overlay)

• Fabric Enabled APs connect to the Edge via VXLAN

• Wireless Clients (SSIDs) use regular Host Pools for data traffic and policy (same as Wired)

• Fabric Enabled WLC registers Clients with the Control-Plane (as located on local Edge + AP)

Data: VXLAN

Ctrl: CAPWAP

B

C

B

Wave 2 APAireOS WLC Catalyst 9800* Wave 1 AP*

• AIR-CT3504

• AIR-CT5520

• AIR-CT8540

• Catalyst 9800-40/80

• Catalyst 9800-CL

• C9K Embedded WLC

• 1800/2800/38001500 and 4800

• 802.11ac Wave2

• 1G/mG RJ45 (Uplink)

• 1700/2700/3700

• 3600 with 11ac

• 802.11ac Wave1

• 1G/mG RJ45 (Uplink)

SD-Access PlatformsFabric Enabled Wireless


* No IPv6, AVC, FNF* COMING SOON

BRKCRS-2810 61© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public



Roles & Terminology

1.High-Level View

2.Roles & Platforms

3.Fabric Constructs


SD-Access FabricVirtual Network– A Closer Look

66BRKCRS-2810

Virtual Network maintains a separate Routing & Switching table for each instance

• Control-Plane uses Instance ID to maintain separate VRF topologies (“Default” VRF is Instance ID “4098”)

• Nodes add a VNID to the Fabric encapsulation

• Endpoint ID prefixes (Host Pools) are routed and advertised within a Virtual Network

• Uses standard “vrf definition” configuration, along with RD & RT for remote advertisement (Border Node)

VNCampus

VNIOT

VNGuest

UnknownNetworks

KnownNetworks

B

C

B


SD-Access FabricScalable Groups – A Closer Look

70BRKCRS-2810

Scalable Group is a logical policy object to “group” Users and/or Devices

• Nodes use “Scalable Groups” to ID and assign a unique Scalable Group Tag (SGT) to Endpoints

• Nodes add a SGT to the Fabric encapsulation

• SGTs are used to manage address-independent “Group-Based Policies”

• Edge or Border Nodes use SGT to enforce local Scalable Group ACLs (SGACLs)

UnknownNetworks

KnownNetworks

B

C

B

SGT

17

SGT

3SGT

23

SGT

4 SGT

8

SGT

12

SGT

11

SGT

19

SGT

25


SD-Access FabricHost Pools – A Closer Look

75BRKCRS-2810

Host Pool provides basic IP functions necessary for attached Endpoints

• Edge Nodes use a Switch Virtual Interface (SVI), with IP Address /Mask, etc. per Host Pool

• Fabric uses Dynamic EID mapping to advertise each Host Pool (per Instance ID)

• Fabric Dynamic EID allows Host-specific (/32, /128 or MAC) advertisement and mobility

• Host Pools can be assigned Dynamically (via Host Authentication) and/or Statically (per port)

UnknownNetworks

KnownNetworks

B

C

B

Pool

.17

Pool

.13Pool

.23

Pool

.4 Pool

.8

Pool

.12

Pool

.11

Pool

.19

Pool

.25


SD-Access FabricAnycast Gateway – A Closer Look

76BRKCRS-2810

Anycast GW provides a single L3 Default Gateway for IP capable endpoints

• Similar principle and behavior to HSRP / VRRP with a shared “Virtual” IP and MAC address

• The same Switch Virtual Interface (SVI) is present on EVERY Edge with the SAME Virtual IP and MAC

• Control-Plane with Fabric Dynamic EID mapping maintains the Host to Edge relationship

• When a Host moves from Edge 1 to Edge 2, it does not need to change it’s Default Gateway

GW GW GW

UnknownNetworks

KnownNetworks

B

C

B

GW GW


SD-Access Fabric Layer 3 Overlay – A Closer Look

77BRKCRS-2810

Stretched Subnets allow an IP subnet to be “stretched” via the Overlay

• Host IP based traffic arrives on the local Fabric Edge (SVI) and is then transferred by the Fabric

• Fabric Dynamic EID mapping allows Host-specific (/32, /128, MAC) advertisement and mobility

• Host 1 connected to Edge A can now use the same IP subnet to communicate with Host 2 on Edge B

• No longer need a VLAN to connect Host 1 and 2

DynamicEID

UnknownNetworks

KnownNetworks

B

C

B

GW GW GWGW GW


SD-Access FabricLayer 2 Overlay – A Closer Look

78BRKCRS-2810

Layer 2 Overlay allows Non-IP endpoints to use Broadcast & L2 Multicast

• Similar principle and behavior as Virtual Private LAN Services (VPLS) P2MP Overlay

• Uses a pre-built Multicast Underlay to setup a P2MP tunnel between all Fabric Nodes.

• L2 Broadcast and Multicast traffic will be distributed to all connected Fabric Nodes.

• Can be enabled for specific Host Pools that require L2 services (use Stretched Subnets for L3)

VLAN VLANVLAN

L2

Overlay

UnknownNetworks

KnownNetworks

B

C

B

NOTE: L3 Integrated Routing and Bridging (IRB) is not supported at this time.

What is Campus Fabric?

Fabric Fundamentals

1.Control-Plane

2.Data-Plane

3.Policy-Plane


SD-Access FabricCampus Fabric - Key Components

90BRKCRS-2810

1. Control-Plane based on LISP

2. Data-Plane based on VXLAN

3. Policy-Plane based on CTSKey Differences

• L2 + L3 Overlay -vs- L2 or L3 Only

• Host Mobility with Anycast Gateway

• Adds VRF + SGT into Data-Plane

• Virtual Tunnel Endpoints (Automatic)

• NO Topology Limitations (Basic IP)

CB B


SD-Access FabricKey Components - LISP

91BRKCRS-2810

Endpoint Routes are Consolidated to LISP DB

Topology + Endpoint Routes

BEFOREIP Address = Location + Identity

Prefix Next-hop189.16.17.89 …......171.68.226.12022.78.190.64 ….....171.68.226.121172.16.19.90 ….....171.68.226.120192.58.28.128 …....171.68.228.121189.16.17.89 …....171.68.226.12022.78.190.64 ….....171.68.226.121172.16.19.90 …......171.68.226.120192.58.28.128 ….....171.68.228.121189.16.17.89 …....171.68.226.12022.78.190.64 ….....171.68.226.121172.16.19.90 …......171.68.226.120192.58.28.128 ….....171.68.228.121189.16.17.89 ….....171.68.226.12022.78.190.64 …......171.68.226.121172.16.19.90 ….....171.68.226.120192.58.28.128 ….....171.68.228.121

Prefix Next-hop189.16.17.89 ….....171.68.226.12022.78.190.64 ….....171.68.226.121172.16.19.90 ….....171.68.226.120192.58.28.128 …....171.68.228.121189.16.17.89 …....171.68.226.12022.78.190.64 ….....171.68.226.121172.16.19.90 …......171.68.226.120192.58.28.128 ….....171.68.228.121189.16.17.89 …....171.68.226.12022.78.190.64 ….....171.68.226.121172.16.19.90 …......171.68.226.120192.58.28.128 ….....171.68.228.121189.16.17.89 ….....171.68.226.12022.78.190.64 …......171.68.226.121172.16.19.90 ….....171.68.226.120192.58.28.128 ….....171.68.228.121

Prefix Next-hop189.16.17.89 ….....171.68.226.12022.78.190.64 ….....171.68.226.121172.16.19.90 ….....171.68.226.120192.58.28.128 …....171.68.228.121189.16.17.89 …....171.68.226.12022.78.190.64 ….....171.68.226.121172.16.19.90 …......171.68.226.120192.58.28.128 ….....171.68.228.121189.16.17.89 …....171.68.226.12022.78.190.64 ….....171.68.226.121172.16.19.90 …......171.68.226.120192.58.28.128 …......171.68.228.121189.16.17.89 ….....171.68.226.12022.78.190.64 …......171.68.226.121172.16.19.90 ….....171.68.226.120192.58.28.128 ….....171.68.228.121

Routing Protocols = Big Tables & More CPUwith Local L3 Gateway

Host Mobility

MappingDatabase

Only Local Routes

Prefix RLOC192.58.28.128 ….....171.68.228.121189.16.17.89 ….....171.68.226.12022.78.190.64 ….....171.68.226.121172.16.19.90 ….....171.68.226.120192.58.28.128 ….....171.68.228.121192.58.28.128 ….....171.68.228.121189.16.17.89 ….....171.68.226.12022.78.190.64 ….....171.68.226.121172.16.19.90 ….....171.68.226.120192.58.28.128 ….....171.68.228.121

Prefix Next-hop189.16.17.89 ….....171.68.226.12022.78.190.64 ….....171.68.226.121172.16.19.90 ….....171.68.226.120192.58.28.128 …....171.68.228.121

Prefix Next-hop189.16.17.89 ….....171.68.226.12022.78.190.64 ….....171.68.226.121172.16.19.90 ….....171.68.226.120192.58.28.128 …....171.68.228.121

Prefix Next-hop189.16.17.89 ….....171.68.226.12022.78.190.64 ….....171.68.226.121172.16.19.90 ….....171.68.226.120192.58.28.128 …....171.68.228.121

AFTERSeparate Identity from Location

Topology Routes

Endpoint Routes

LISP DB + Cache = Small Tables & Less CPUwith Anycast L3 Gateway



Fabric OperationControl-Plane Roles & Responsibilities

92BRKCRS-2810

LISP Map Server / Resolver(Control-Plane)

• EID to RLOC mappings

• Can be distributed acrossmultiple LISP devices

LISP Tunnel Router - XTR(Edge & Internal Border)

• Register EID with Map Server

• Ingress / Egress (ITR / ETR)

LISP Proxy Tunnel Router - PXTR(External Border)

• Provides a Default Gateway when no mapping exists

• Ingress / Egress (PITR / PETR)

• EID = Endpoint Identifier

• Host Address or Subnet

• RLOC = Routing Locator

• Local Router Address

Prefix Next-hopw.x.y.1 e.f.g.h

x.y.w.2 e.f.g.hz.q.r.5 e.f.g.hz.q.r.5 e.f.g.h

Non-LISP

RLOC Space

EID RLOCa.a.a.0/24 w.x.y.1b.b.b.0/24 x.y.w.2

c.c.c.0/24 z.q.r.5d.d.0.0/16 z.q.r.5


c.c.c.0/24 z.q.r.5d.d.0.0/16 z.q.r.5


c.c.c.0/24 z.q.r.5d.d.0.0/16 z.q.r.5

EID Space

Control-Plane

EID Space

Edge

Edge

Border


Fabric Operation Control Plane Register & Resolution

93BRKCRS-2810

Fabric Control Plane5.1.1.1

Branch

10.2.2.2/32 (2.1.2.1)

Cache Entry (on ITR)

Fabric Edge

Subnet 10.2.0.0 255.255.0.0 stretched across

2.1.1.1 2.1.2.1 3.1.1.1 3.1.2.1

10.2.2.2/32 ( 2.1.2.1)

Database Mapping Entry (on ETR)10.2.2.4/32 ( 3.1.2.1)

Database Mapping Entry (on ETR)Fabric Edges

10.2.2.2/1610.2.2.3/16 10.2.2.4/1610.2.2.5/16

Where is 10.2.2.2?


Fabric Operation Fabric Internal Forwarding (Edge to Edge)

94BRKCRS-2810

Branch

IP Network

1.1.1.1

10.1.0.0/24

Fabric EdgeS

DNS Entry:D.abc.com A 10.2.2.2

1

10.1.0.1 10.2.2.2

2

Path Preference Controlledby Destination Site

10.1.0.1 10.2.2.2

1.1.1.1 2.1.2.1

4 Mapping System

5.1.1.1

5.3.3.3

5.2.2.2

Non-Fabric Non-Fabric

Fabric Borders

EID-prefix: 10.2.2.2/32

Locator-set:

2.1.2.1, priority: 1, weight:100

MappingEntry

3

D

2.1.1.1 3.1.1.1 3.1.2.1

10.1.0.1 10.2.2.2

5 Fabric Edges

10.2.2.3/16 10.2.2.2/16 10.2.2.5/1610.2.2.4/16

2.1.2.1

Subnet 10.2.0.0 255.255.0.0 stretched across


Fabric Operation Host Mobility – Dynamic EID Migration

96BRKCRS-2810

Mapping System

1.1.1.1

2.1.1.1

3.1.1.1

12.2.2.1 12.2.2.212.1.1.1 12.1.1.2

1

Routing Table10.2.1.0/24 – Local 2

10.2.1.10/32 - Local

Fabric Control Plane10.10.0.0/16 – 12.0.0.1

10.2.1.10/32 – 12.2.2.1

34

10.2.1.10/32 – 12.1.1.1

10.2.1.10 10.2.1.10

Map RegisterEID: 10.17.1.10/32Node: 12.1.1.1

Campus

Bldg 1

Routing Table10.2.1.0/24 – Local

10.2.1.10/32 – LISP010.2.1.10/32 – Local

10.10.10.0/24

12.0.0.1 12.0.0.2

5

DC1

D

S

IP Network

Fabric Borders

Fabric Edges Campus

Bldg 2


SD-Access FabricUnique Control-Plane extensions compared to LISP

98BRKCRS-2810

Capability Traditional LISP SD-Access Fabric

Layer 2 Extension Limited Support Fabric Control Plane extended to support

MAC to IP binding and Layer 2 Overlays

Virtual Networks Layer-3 VN (VRF) only Both Layer-3 and Layer-2 VN (VRF)

support (using VXLAN)

Fast Roaming Not Supported Fabric Control Plane extended to support

fast roaming in =/< 50ms

Wireless Extensions Not Supported Fabric Control Plane extended to support

wireless extensions for:• AP Onboarding

• Wireless Guest

• AP VXLAN functionality

1.Control-Plane

2.Data-Plane

3.Policy-Plane


Fabric Fundamentals


SD-Access FabricKey Components – VXLAN

100BRKCRS-2810

ORIGINAL PACKET

PAYLOADETHERNET IP

PACKET IN LISP

PAYLOADIPLISPUDPIPETHERNET

PAYLOADETHERNET IPVXLANUDPIPETHERNETPACKET IN VXLAN

Supports L2

& L3 Overlay

Supports L3

Overlay Only




VXLAN-GPO Header MAC-in-IP with VN ID & Group ID

102BRKCRS-2810

Underlay

Outer IP Header

Outer MAC Header

UDP Header

VXLAN Header

Overlay

14 Bytes

(4 Bytes Optional)

Ether Type

0x0800

VLAN ID

VLAN Type

0x8100

Source MAC

Dest. MAC 48

48

16

16

1620 Bytes

Dest. IP

Source IP

Header

Checksum

Protocol 0x11 (UDP)

IP Header

Misc. Data72

8

16

32

32

8 Bytes

Checksum 0x0000

UDP Length

Dest Port

Source Port 16

16

16

16

8 Bytes

Reserved

VN ID

Segment ID

VXLAN Flags RRRRIRRR 8

16

24

8

Src VTEP MAC Address

Next-Hop MAC Address

Allows 16M possible VRFs

UDP 4789

Hash of inner L2/L3/L4 headers of original frame. Enables entropy for ECMP load balancing.

Inner (Original) IP Header

Original Payload

Inner (Original) MAC Header

Allows 64K possible SGTs

Dst RLOC IP Address

Src RLOC IP Address


Data-Plane OverviewFabric Header Encapsulation

104BRKCRS-2810

Fabric Data-Plane provides the following:• Underlay address advertisement & mapping

• Automatic tunnel setup (Virtual Tunnel End-Points)

• Frame encapsulation between Routing Locators

Support for LISP or VXLAN header format• Nearly the same, with different fields & payload

• LISP header carries IP payload (IP in IP)

• VXLAN header carries MAC payload (MAC in IP)

Triggered by LISP Control-Plane events• ARP or NDP Learning on L3 Gateways

• Map-Reply or Cache on Routing Locators

Decap

Encap

Inner

Inner

Oute

rIn

ner

Inner

Oute

r


SD-Access FabricUnique Data-Plane Extensions compared to VXLAN

106BRKCRS-2810

Capability Traditional LISP/VXLAN SD-Access Fabric

SGT Tag No SGT VXLAN-GPO uses Reserved field to

carry SGT

Layer 3 Extension

(VRF)

Yes Yes, by mapping VRF->VNI

Layer 2 Extension Not Supported Fabric supports Layer 2 extension by

mapping VLAN ->VNI

Wireless Not Supported AP to Fabric Edge uses VXLAN

Fabric Edge to Edge/Border uses VXLAN

for both Wired and Wireless (same)

1.Control-Plane

2.Data-Plane

3.Policy-Plane


Fabric Fundamentals


SD-Access FabricKey Components – Group Based Policy

108BRKCRS-2810

PAYLOADETHERNET IPVXLANUDPIPETHERNET

VRF + SGT



3. Policy-Plane based on CTSVirtual Routing & Forwarding

Scalable Group Tagging


SD-Access Policy Two Level Hierarchy - Macro Level

109BRKCRS-2810

Building Management VN

SD-AccessFabric

Campus Users VN

First level Segmentation ensures zero communication between forwarding domains. Ability to consolidate multiple networks into one management plane.

Virtual Network (VN)

Unknown

NetworksKnown

Networks

VN“A”

VN“B”

VN“C”


SD-Access Policy Two Level Hierarchy - Micro Level

110BRKCRS-2810

Building Management VN

Campus Users VN

Second level Segmentation ensures role based access control between two groups within a Virtual Network. Provides the ability to segment the network into either line of businesses or functional blocks.

Scalable Group (SG)

Unknown

NetworksKnown

Networks

SG1

SG2

SG3

SG4

SG5

SG6

SG7

SG8

SG9

SD-AccessFabric


SD-Access PolicyPolicy Types

111BRKCRS-2810

Application Policy

↓How to treat Traffic?

QoS for Applicationsor Application Caching

Access Control Policy

↓Who can access What?

Permit / Deny Rules for Group-to-Group Access

✓

Traffic Copy Policy

↓Need to Monitor Traffic?

Enable SPAN Servicesfor specific Groups or Traffic


Group AssignmentTwo ways to assign SGT

112BRKCRS-2810

VLAN to SGT

L3 Interface (SVI) to SGT L2 Port to SGT

VM (Port Profile) to SGTSubnet to SGT

WLC Firewall Hypervisor SW

Campus Access Distribution Core DC Core DC Access

Enterprise Backbone

Static Classification

MAB

Dynamic Classification


SD-Access PolicyPolicy Contracts

115BRKCRS-2810 115

Source Group Destination Group

ACTION: DENY

Contract

Classifier Type Action Type

Port Number Permit

Protocol Name Deny

Application Type Copy

Guest Users Credit System

CLASSIFIER: PORT


Group PropagationVN & SGT in VXLAN-GPO Encapsulation

120BRKCRS-2810

IP Network

Edge Node 1 Edge Node 2

Encapsulation Decapsulation

VXLAN

VN ID SGT ID

VXLAN

VN ID SGT ID

PropagationCarry VN and Group context across the network

EnforcementGroup Based Policies ACLs, Firewall Rules

ClassificationStatic or Dynamic VN and SGT assignments


SD-Access FabricUnique Policy-Plane Extensions compared to CTS

122BRKCRS-2810

Capability Traditional CTS SD-Access Policy

SGT Propagation Enabled hop-by-hop, or by

Security-Group Exchange Protocol

(SXP) sessions

Carried with the data traffic inside

VXLAN-GPO (overlay) end-to-end

VN Integration Not Supported VN + SGT-aware Firewalls

Access Control Policy Yes Yes

QoS (App) Policy Not Supported App based QoS policy, to optimize

application traffic priority

Traffic Copy Policy Not Supported SRC/DST based Copy policy (using

ERSPAN) to capture data traffic

What is Cisco DNA Center?

Controller Fundamentals

1.Architecture

2.User Interface

3.Workflows


Cisco DNA CenterSD-Access – Key Components

124BRKCRS-2810

NCPNetwork Control Platform

Cisco ISE 2.3Identity Services Engine

NDPNetwork Data Platform

Cisco Switches | Cisco Routers | Cisco Wireless

Cisco DNA Center

AAARADIUSEAPoL

HTTPSNetFlowSyslogs

NETCONFSNMPSSH

API API

API

API

Campus Fabric

Design | Policy | Provision | Assurance

DN1-HW-APLDNA Center Appliance

API

SNS 3500 SeriesISE Appliance

AutomationIdentity & Policy Assurance


Cisco DNA CenterAppliance Models & Specifications

SKU Specs Scale and Performance SDA Design

DN1-HW-APL

(Clusters with same SKU and DN2-HW-APL)

• Based on UCS M4• 44 cores• 256 GB RAM• 12 TB SSD• List Price: $77,160

5000 Devices

1000 Switches/Routers/WLC + 4000 APs

25,000 Clients

Small orMedium

DN2-HW-APL

(Clusters with same SKU and DN1-HW-APL)

• Based on UCS M5• 44 cores• 256 GB RAM• 16 TB SSD• List Price: $88,674

5000 Devices


25,000 Clients

Small or Medium

DN2-HW-APL-L

(Clusters with same SKU only)

• Based on UCS M5• 56 cores• 384 GB RAM• 16 TB SSD• List Price = $147,495

8000 Devices


40,000 Clients

Medium orLarge

NEW

NEW

BRKCRS-2810 125

1 or 3 appliance HA Cluster (more in future)

- Odd number to achieve quorum of distributed system

Seen as 1 logical DNAC instance

- Connect to Virtual (Cluster) IP

- Rare need to access individual nodes (e.g. SSH)

2 nodes active/sharing + 1 redundant

- Some services run multiple copies spread across nodes (e.g. databases)

- Other services run single copy and migrate from failed to redundant node

Individual apps on Maglev cluster

Virtual IP

Single Appliance for Cisco DNA (Automation + Assurance)

Cisco DNA CenterHigh Availability Cluster


Cisco DNA CenterAutomated Provisioning and Telemetry Enrichment

127BRKCRS-2810

Network Data

Platform

Telemetry Data

Data Collection

Telemetry Configuration

Configuration Automation

Telemetry Intent

Alerts

Violations

Inventory, Topology, Host, Group

Network State changes

Path Trace information

Network Control

Platform

CampusFabric

B

C

B


Cisco DNA Center and ISE integration Identity and Policy Automation

131BRKCRS-2810

Campus Fabric

Authentication Authorization

Policies

Fabric Management

Policy Authoring Workflows

Groups and Policies

PxGridREST APIs

Cisco Identity Services Engine

Cisco DNA Center


Cisco DNA Center and ISE integration ISE roles in SD-Access

132BRKCRS-2810

ISE-PAN ISE-PXG

ISE-MNT

ISE-PSN

Employee SGT 10if then

Contractor SGT 20if then

Things SGT 30if then

Authorization Policy Exchange Topics

TrustSecMetaData

SessionDirectory*

SGT Name: Employee = SGT 10SGT Name: Contractor = SGT 20...

Bob with Win10 on CorpSSID

* Future Plan

Network Devices

Users

Config Sync Context

DNA-Center

REST pxGrid

Admin/Operate

Users

Devices

Things

1.Architecture

2.User Interface

3.Workflows

What is Cisco DNA Center?

Controller Fundamentals


SD-AccessCLI and API vs. GUI

134BRKCRS-2810

Campus Fabric SD Access

• DNA Center GUI• Cross-App REST APIs• Automated Workflows• Centralized Management

• Programmable APIs• NETCONF / YANG• Automated Workflows• Box-by-Box Management

• Command Line (CLI)• Templates / Macros• Customized Workflows• Box-by-Box Management


Cisco DNA Center 4 Step Workflow

135BRKCRS-2810

System Settings & Integration

App Management & High Availability

Design

• Global Settings• Site Profiles• DDI, SWIM, PNP

• User Access

Policy

• Virtual Networks• ISE, AAA, Radius• Endpoint Groups• Group Policies

Provision

• Fabric Domains• CP, Border, Edge• Fabric WLC, AP• External Connect

Assurance

• Health Dashboard• 360o Views• Net, Device, Client• Path Traces


Assure

Take AwayThings to Remember


Session Summary

147

SD-Access = Campus Fabric + Cisco DNA Center

BB

Campus

Fabric

C

DESIGN PROVISION POLICY ASSURANCE

Cisco DNA Center Simple Workflows

BRKCRS-2810


SD-Access SupportDigital Platforms for your Cisco Digital Network Architecture


BRKCRS-2810 149



What to Do Next?

152BRKCRS-2810


SD-Access ResourcesWould you like to know more?

153BRKCRS-2810

cisco.com/go/cvd• SD-Access Design Guide

• SD-Access Deployment Guide

• SD-Access Segmentation Guide

cisco.com/go/dnacenter• Cisco DNA Center At-A-Glance

• Cisco DNA ROI Calculator

• Cisco DNA Center Data Sheet

• Cisco DNA Center 'How To' Video Resources

cisco.com/go/sdaccess• SD-Access At-A-Glance

• SD-Access Ordering Guide

• SD-Access Solution Data Sheet

• SD-Access Solution White Paper

cisco.com/go/dna

https://cisco.com/go/cvd

https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Campus/CVD-Software-Defined-Access-Design-Guide-2018APR.pdf

https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Campus/CVD-Software-Defined-Access-Deployment-Guide-2018APR.pdf

https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Campus/CVD-Software-Defined-Access-Segmentation-Design-Guide-2018MAY.pdf

https://cisco.com/go/dnacenter

https://www.cisco.com/c/dam/en/us/products/collateral/cloud-systems-management/dna-center/at-a-glance-c45-739010.pdf?oid=aagen000249

https://dnaroi.cisco.com/go/cisco/dnaroi/index.html?lang=en-us&ccid=cc000006&oid=caten000241

https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/application-policy-infrastructure-controller-enterprise-module/datasheet-c78-739052.html

https://www.cisco.com/c/en/us/support/cloud-systems-management/dna-center/video-resources.html

https://cisco.com/go/sdaccess

https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/software-defined-access/at-a-glance-c45-738181.pdf?oid=aagen000292

https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/software-defined-access/guide-c07-739242.html

https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/software-defined-access/solution-overview-c22-739012.pdf?oid=sowen000311

https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/software-defined-access/white-paper-c11-739642.html

https://cisco.com/go/dna


Cisco Webex Teams

Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session

Find this session in the Cisco Events Mobile App

Click “Join the Discussion”

Install Webex Teams or go directly to the team space

Enter messages/questions in the team space

How

1

2

3

4

155

cs.co/ciscolivebot#BRKCRS-2810

BRKCRS-2810


Don’t forget: Cisco Live sessions will be available on demand after the event at ciscolive.cisco.com

• Please complete your Online Survey immediately after each Session

• Complete 4 Session Surveys AND the Overall Conference Survey (available from Thursday) to receive your Cisco Live T-shirt

• All surveys can be completed via the Cisco Events Mobile App or the Communication Stations

Complete your online Session Survey

156BRKCRS-2810


Demos in the Cisco

Campus

Walk-In Self-Paced

labs

Meet The Engineer

1:1 meetings

Related TrainingSessions

Continue Your Education

157BRKCRS-2810

Thank You

under the hood - koenig-solutions.comrms.koenig-solutions.com/sync_data/trainer/qms/824... · 2019....

Documents