under the hood - koenig-solutions.comrms.koenig-solutions.com/sync_data/trainer/qms/824... · 2019....
TRANSCRIPT
Shawn WargoPrincipal Engineer - Technical Marketing
BRKCRS-2810
Cisco Software-Defined Access
Under The Hood
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Webex Teams
Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session
Find this session in the Cisco Events Mobile App
Click “Join the Discussion”
Install Webex Teams or go directly to the team space
Enter messages/questions in the team space
How
1
2
3
4
3
cs.co/ciscolivebot#BRKCRS-2810
BRKCRS-2810
Tuesday (Jan 29) Wednesday (Jan 30) Thursday (Jan 31) Friday (Feb 01)08:00-11:00 11:00-13:00 13:00-15:00 15:00-18:00 08:00-11:00 11:00-13:00 13:00-15:00 15:00-18:00 08:00-11:00 11:00-13:00 13:00-15:00 15:00-18:00 08:00-11:00 11:00-13:00 13:00-15:00 15:00-18:00
Cisco Software-Defined Access Cisco Live Barcelona - Session Map
Sessions are available Online @ CiscoLive.com
You Are Here
BRKCRS-2821SD-Access Integration
LTRACI-2636ACI + SD-Access Lab
BRKCRS-1449ISE & SD-Access
BRKCRS-2810SD-Access Solution
BRKCRS-1501Validated Design
BRKARC-2020Troubleshoot SD-Access
BRKCRS-3810SD-Access Deep Dive
BRKCLD-2412Cross-Domain Policy
BRKCRS-2812SD-Access Migration
BRKCRS-2825SD-Access Scale
BRKEWN-2021SD-Access Demo
BRKCRS-3811SD-Access Policy
BRKEWN-2020SD-Access Wireless
BRKCRS-2814SD-Access Assurance
BRKCRS-2815Connect
SD-Access Sites
LTRCRS-2810SD-Access Lab
Agenda
1
2
3
4
Take AwayWhere to get started?
5
Fabric FundamentalsHow does it work?
Controller FundamentalsHow does it work?
Key ConceptsWhat is SD-Access?
Key BenefitsWhy do you care?
Complex
Time
1 2
3 4
5
Key BenefitsWhy do you care?
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco’s Intent-Based NetworkDelivered by Cisco Software Defined Access
9BRKCRS-2810
Intent-BasedNetwork Infrastructure
Cisco DNA Center
AnalyticsPolicy Automation
WirelessSwitch Route
I N T E N T C O N T E X T
S E C U R I T Y
L E A R N I N G
SD-Access
Branch
Wireless Control
Fabric Control
ACI Data Center
SAAS
Fabric Border
Fabric Edge
SD-WAN
BRKCRS-2810
CB B
Cisco Software Defined AccessThe Foundation for Cisco’s Intent-Based Network
IoT Network Employee Network
User Mobility
Policy follows User
Outside
Cisco DNA Center
AssuranceAutomationPolicy
SD-AccessExtension
Automated Network Fabric
Single fabric for Wired and Wireless with full automation
Insights and Telemetry
Analytics and insights into User and Application experience
Identity-Based Policy and Segmentation
Policy definition decoupled from VLAN and IP address
What is Software Defined Access?
KeyConcepts
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS BRKCRS-2810
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
What is SD-Access?Campus Fabric + Cisco DNA Center (Automation & Assurance)
18BRKCRS-2810
Campus Fabric
CLI or API approach to build a LISP + VXLAN + CTS Fabric overlay for your enterprise Campus networks
CLI provides backwards compatibility, but management is box-by-box. API provides device automation via NETCONF/YANG
Separate management systems
APIC-EM
1.X
SD-Access
GUI approach provides automation & assurance of all Fabric configuration, management and group-based policy
Cisco DNA Center integrates multiple management systems, to orchestrate LAN, Wireless LAN and WAN access
Campus
Fabric
ISE PI
NCP
ISE NDP
Cisco DNA
Center
B
C
B
1.High-Level View
2.Roles & Platforms
3.Fabric Constructs
What is Software Defined Access?
Roles & Terminology
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-AccessWhat exactly is a Fabric?
22BRKCRS-2810
• GRE, mGRE
• MPLS, VPLS
• IPSec, DMVPN
• CAPWAP
• LISP
• OTV
• DFA
• ACI
Examples of Network Overlays
A Fabric is an OverlayAn Overlay network is a logical topology used to virtually connect devices, built over an arbitrary physical Underlay topology.
An Overlay network often uses alternate forwarding attributes to provide additional services, not provided by the Underlay.
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-AccessFabric Terminology
23BRKCRS-2810
Overlay Control Plane
Underlay Control PlaneUnderlay Network
Hosts
(End-Points)
Edge DeviceEdge Device
Overlay Network
Encapsulation
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-AccessFabric Underlay – Manual vs. Automated
26BRKCRS-2810
Fully automated prescriptive IP network Underlay Provisioning!
• Key Requirements
• Leverages standard PNP for Bootstrap
• Assumes New / Erased Configuration
• Uses a Global “Underlay” Address Pool
• Key Considerations
• Seed Device pre-setup is required
• 100% Prescriptive (No Custom)
LAN Automation
You can reuse your existing IP network as the Fabric Underlay!
• Key Requirements
• IP reach from Edge to Edge/Border/CP
• Can be L2 or L3 – We recommend L3
• Can be any IGP – We recommend ISIS
• Key Considerations• MTU (Fabric Header adds 50B)
• Latency (RTT of =/< 100ms)
Manual Underlay
Underlay Network
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-AccessFabric Roles & Terminology
29BRKCRS-2810
NCP
ISE NDP
Control-Plane Nodes – Map System that manages Endpoint to Device relationships
Fabric Edge Nodes – A Fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SD-Access Fabric
Identity Services – NAC & ID Systems (e.g. ISE) for dynamic Endpoint to Group mapping and Policy definition
Fabric Border Nodes – A Fabric device (e.g. Core) that connects External L3 network(s) to the SD-Access Fabric
Identity Services
Intermediate Nodes (Underlay)
Fabric Border Nodes
Fabric Edge Nodes
Network Automation – Simple graphical user interface and intent based automation (e.g. NCP) of fabric devices
Automation
Network Assurance – Data Collectors (e.g. NDP) analyze Endpoint to App flows and monitor fabric status Assurance
Control-PlaneNodes
Fabric Wireless Controller – A Fabric device (WLC) that connects APs and Wireless Endpoints to the SD-Access Fabric
Fabric WirelessController
CampusFabric
B
C
B
Cisco DNA
Center
1.High-Level View
2.Roles & Platforms
3.Fabric Constructs
What is Software Defined Access?
Roles & Terminology
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-Access FabricControl-Plane Nodes – A Closer Look
31BRKCRS-2810
Control-Plane Node runs a Host Tracking Database to map location information
UnknownNetworks
KnownNetworks
• A simple Host Database that maps Endpoint IDs to a current Location, along with other attributes
• Host Database supports multiple types of Endpoint ID lookup types (IPv4, IPv6 or MAC)
• Receives Endpoint ID map registrations from Edge and/or Border Nodes for “known” IP prefixes
• Resolves lookup requests from Edge and/or Border Nodes, to locate destination Endpoint IDs
B
C
B
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-Access PlatformsFabric Control Plane
32BRKCRS-2810
For more details:cs.co/sda-compatibility-matrix
Catalyst 9500Catalyst 9400Catalyst 9300
• Catalyst 9300
• 1/mG RJ45
• 10/25/40/mG NM
• Catalyst 9400
• Sup1/Sup1XL
• 9400 Cards
• Catalyst 9500
• 40/100G QSFP
• 1/10/25G SFP
The Channelco®
CRN®
Products of the Year
2017, 2018
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-Access PlatformsFabric Control Plane
33BRKCRS-2810
For more details:cs.co/sda-compatibility-matrix
ISR 4K & ENCSCatalyst 3K Catalyst 6K ASR1K
• Catalyst 3650/3850
• 1/mG RJ45
• 1/10G SFP
• 1/10/40G NM Cards
• Catalyst 6500/6800
• Sup2T/Sup6T
• C6800 Cards
• C6880/6840-X
• ISR 4430/4450
• ISR 4330/4450
• ENCS 5400
• ISRv / CSRv
• ASR 1000-X
• ASR 1000-HX
• 1/10G RJ45
• 1/10G SFP
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-Access FabricEdge Nodes – A Closer Look
36BRKCRS-2810
Edge Node provides first-hop services for Users / Devices connected to a Fabric
UnknownNetworks
KnownNetworks
• Responsible for Identifying and Authenticating Endpoints (e.g. Static, 802.1X, Active Directory)
• Register specific Endpoint ID info (e.g. /32 or /128) with the Control-Plane Node(s)
• Provide an Anycast L3 Gateway for the connected Endpoints (same IP address on all Edge nodes)
• Performs encapsulation / de-encapsulation of data traffic to and from all connected Endpoints
B
C
B
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-Access PlatformsFabric Edge Node
37BRKCRS-2810
• Catalyst 9400
• Sup1/Sup1XL
• 9400 Cards
Catalyst 9400
• Catalyst 9200/L*
• 1/mG RJ45
• 1G SFP (Uplinks)
Catalyst 9200
• Catalyst 9300
• 1/mG RJ45
• 10/25/40/mG NM
Catalyst 9300
For more details:cs.co/sda-compatibility-matrix
• Catalyst 9500
• 1/10/25G SFP
• 40/100G QSFP
Catalyst 9500
The Channelco®
CRN®
Products of the Year
2017, 2018
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
• Catalyst 6500/6800
• Sup2T/Sup6T
• C6800 Cards
• C6880/6840-X
Catalyst 6K
• Catalyst 4500E
• Sup8E/Sup9E (Uplink)
• 4600/4700 Cards (Host)
Catalyst 4500E
• Catalyst 3650/3850
• 1/mG RJ45
• 1/10G SFP
• 1/10/40G NM Cards
Catalyst 3K
SD-Access PlatformsFabric Edge Node
38BRKCRS-2810
For more details:cs.co/sda-compatibility-matrix
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-Access FabricBorder Nodes
42BRKCRS-2810
UnknownNetworks
KnownNetworks
B
C
B
Border Node is an Entry & Exit point for data traffic going Into & Out of a Fabric
There are 3 Types of Border Node!
• Internal Border (Rest of Company)• connects ONLY to the known areas of the company
• External Border (Outside)• connects ONLY to unknown areas outside the company
• Internal + External (Anywhere)• connects transit areas AND known areas of the company
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-Access PlatformsFabric Border Node
43BRKCRS-2810
For more details:cs.co/sda-compatibility-matrix
Catalyst 9500Catalyst 9400Catalyst 9300
• Catalyst 9300
• 1/mG RJ45
• 10/25/40/mG NM
• Catalyst 9400
• Sup1/Sup1XL
• 9400 Cards
• Catalyst 9500
• 1/10/25G SFP
• 40/100G QSFP
The Channelco®
CRN®
Products of the Year
2017, 2018
Winner
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-Access PlatformsFabric Border Node
44BRKCRS-2810
For more details:cs.co/sda-compatibility-matrix
Catalyst 3K Catalyst 6K ISR 4K ASR 1KNexus 7K*
• Catalyst 3650/3850
• 1/mG RJ45
• 1/10G SFP
• 1/10/40G NM Cards
• Catalyst 6500/6800
• Sup2T/Sup6T
• C6800 Cards
• C6880/6840-X
• ISR 4300/4400
• AppX (AX)
• 1/10G RJ45
• 1/10G SFP
• ASR 1000-X/HX
• AppX (AX)
• 1/10G ELC/EPA
• 40G ELC/EPA
* EXTERNAL ONLY
• Nexus 7700
• Sup2E
• M3 Cards
• LAN1K9 + MPLS
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-Access FabricBorder Nodes - Internal
47BRKCRS-2810
Internal Border advertises Endpoints to outside, and known Subnets to inside
• Connects to any “known” IP subnets available from the outside network (e.g. DC, WLC, FW, etc.)
• Exports all internal IP Pools to outside (as aggregate), using a traditional IP routing protocol(s).
• Imports and registers (known) IP subnets from outside, into the Control-Plane Map System
• Hand-off requires mapping the context (VRF & SGT) from one domain to another.
UnknownNetworks
KnownNetworks
B
C
B
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-Access FabricBorder Nodes - External
51BRKCRS-2810
External Border is a “Gateway of Last Resort” for any unknown destinations
• Connects to any “unknown” IP subnets, outside of the network (e.g. Internet, Public Cloud)
• Exports all internal IP Pools outside (as aggregate) into traditional IP routing protocol(s).
• Does NOT import unknown routes! It is a “default” exit, if no entry is available in Control-Plane.
• Hand-off requires mapping the context (VRF & SGT) from one domain to another.
UnknownNetworks
KnownNetworks
B
C
B
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-Access Fabric Fabric Enabled Wireless – A Closer Look
60BRKCRS-2810
Fabric Enabled WLC is integrated into Fabric for SD-Access Wireless clients
UnknownNetworks
KnownNetworks
• Connects to Fabric via Border (Underlay)
• Fabric Enabled APs connect to the WLC (CAPWAP) using a dedicated Host Pool (Overlay)
• Fabric Enabled APs connect to the Edge via VXLAN
• Wireless Clients (SSIDs) use regular Host Pools for data traffic and policy (same as Wired)
• Fabric Enabled WLC registers Clients with the Control-Plane (as located on local Edge + AP)
Data: VXLAN
Ctrl: CAPWAP
B
C
B
Wave 2 APAireOS WLC Catalyst 9800* Wave 1 AP*
• AIR-CT3504
• AIR-CT5520
• AIR-CT8540
• Catalyst 9800-40/80
• Catalyst 9800-CL
• C9K Embedded WLC
• 1800/2800/38001500 and 4800
• 802.11ac Wave2
• 1G/mG RJ45 (Uplink)
• 1700/2700/3700
• 3600 with 11ac
• 802.11ac Wave1
• 1G/mG RJ45 (Uplink)
SD-Access PlatformsFabric Enabled Wireless
For more details:cs.co/sda-compatibility-matrix
* No IPv6, AVC, FNF* COMING SOON
BRKCRS-2810 61© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
What is Software Defined Access?
Roles & Terminology
1.High-Level View
2.Roles & Platforms
3.Fabric Constructs
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-Access FabricVirtual Network– A Closer Look
66BRKCRS-2810
Virtual Network maintains a separate Routing & Switching table for each instance
• Control-Plane uses Instance ID to maintain separate VRF topologies (“Default” VRF is Instance ID “4098”)
• Nodes add a VNID to the Fabric encapsulation
• Endpoint ID prefixes (Host Pools) are routed and advertised within a Virtual Network
• Uses standard “vrf definition” configuration, along with RD & RT for remote advertisement (Border Node)
VNCampus
VNIOT
VNGuest
UnknownNetworks
KnownNetworks
B
C
B
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-Access FabricScalable Groups – A Closer Look
70BRKCRS-2810
Scalable Group is a logical policy object to “group” Users and/or Devices
• Nodes use “Scalable Groups” to ID and assign a unique Scalable Group Tag (SGT) to Endpoints
• Nodes add a SGT to the Fabric encapsulation
• SGTs are used to manage address-independent “Group-Based Policies”
• Edge or Border Nodes use SGT to enforce local Scalable Group ACLs (SGACLs)
UnknownNetworks
KnownNetworks
B
C
B
SGT
17
SGT
3SGT
23
SGT
4 SGT
8
SGT
12
SGT
11
SGT
19
SGT
25
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-Access FabricHost Pools – A Closer Look
75BRKCRS-2810
Host Pool provides basic IP functions necessary for attached Endpoints
• Edge Nodes use a Switch Virtual Interface (SVI), with IP Address /Mask, etc. per Host Pool
• Fabric uses Dynamic EID mapping to advertise each Host Pool (per Instance ID)
• Fabric Dynamic EID allows Host-specific (/32, /128 or MAC) advertisement and mobility
• Host Pools can be assigned Dynamically (via Host Authentication) and/or Statically (per port)
UnknownNetworks
KnownNetworks
B
C
B
Pool
.17
Pool
.13Pool
.23
Pool
.4 Pool
.8
Pool
.12
Pool
.11
Pool
.19
Pool
.25
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-Access FabricAnycast Gateway – A Closer Look
76BRKCRS-2810
Anycast GW provides a single L3 Default Gateway for IP capable endpoints
• Similar principle and behavior to HSRP / VRRP with a shared “Virtual” IP and MAC address
• The same Switch Virtual Interface (SVI) is present on EVERY Edge with the SAME Virtual IP and MAC
• Control-Plane with Fabric Dynamic EID mapping maintains the Host to Edge relationship
• When a Host moves from Edge 1 to Edge 2, it does not need to change it’s Default Gateway
GW GW GW
UnknownNetworks
KnownNetworks
B
C
B
GW GW
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-Access Fabric Layer 3 Overlay – A Closer Look
77BRKCRS-2810
Stretched Subnets allow an IP subnet to be “stretched” via the Overlay
• Host IP based traffic arrives on the local Fabric Edge (SVI) and is then transferred by the Fabric
• Fabric Dynamic EID mapping allows Host-specific (/32, /128, MAC) advertisement and mobility
• Host 1 connected to Edge A can now use the same IP subnet to communicate with Host 2 on Edge B
• No longer need a VLAN to connect Host 1 and 2
DynamicEID
UnknownNetworks
KnownNetworks
B
C
B
GW GW GWGW GW
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-Access FabricLayer 2 Overlay – A Closer Look
78BRKCRS-2810
Layer 2 Overlay allows Non-IP endpoints to use Broadcast & L2 Multicast
• Similar principle and behavior as Virtual Private LAN Services (VPLS) P2MP Overlay
• Uses a pre-built Multicast Underlay to setup a P2MP tunnel between all Fabric Nodes.
• L2 Broadcast and Multicast traffic will be distributed to all connected Fabric Nodes.
• Can be enabled for specific Host Pools that require L2 services (use Stretched Subnets for L3)
VLAN VLANVLAN
L2
Overlay
UnknownNetworks
KnownNetworks
B
C
B
NOTE: L3 Integrated Routing and Bridging (IRB) is not supported at this time.
What is Campus Fabric?
Fabric Fundamentals
1.Control-Plane
2.Data-Plane
3.Policy-Plane
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-Access FabricCampus Fabric - Key Components
90BRKCRS-2810
1. Control-Plane based on LISP
2. Data-Plane based on VXLAN
3. Policy-Plane based on CTSKey Differences
• L2 + L3 Overlay -vs- L2 or L3 Only
• Host Mobility with Anycast Gateway
• Adds VRF + SGT into Data-Plane
• Virtual Tunnel Endpoints (Automatic)
• NO Topology Limitations (Basic IP)
CB B
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-Access FabricKey Components - LISP
91BRKCRS-2810
Endpoint Routes are Consolidated to LISP DB
Topology + Endpoint Routes
BEFOREIP Address = Location + Identity
Prefix Next-hop189.16.17.89 …......171.68.226.12022.78.190.64 ….....171.68.226.121172.16.19.90 ….....171.68.226.120192.58.28.128 …....171.68.228.121189.16.17.89 …....171.68.226.12022.78.190.64 ….....171.68.226.121172.16.19.90 …......171.68.226.120192.58.28.128 ….....171.68.228.121189.16.17.89 …....171.68.226.12022.78.190.64 ….....171.68.226.121172.16.19.90 …......171.68.226.120192.58.28.128 ….....171.68.228.121189.16.17.89 ….....171.68.226.12022.78.190.64 …......171.68.226.121172.16.19.90 ….....171.68.226.120192.58.28.128 ….....171.68.228.121
Prefix Next-hop189.16.17.89 ….....171.68.226.12022.78.190.64 ….....171.68.226.121172.16.19.90 ….....171.68.226.120192.58.28.128 …....171.68.228.121189.16.17.89 …....171.68.226.12022.78.190.64 ….....171.68.226.121172.16.19.90 …......171.68.226.120192.58.28.128 ….....171.68.228.121189.16.17.89 …....171.68.226.12022.78.190.64 ….....171.68.226.121172.16.19.90 …......171.68.226.120192.58.28.128 ….....171.68.228.121189.16.17.89 ….....171.68.226.12022.78.190.64 …......171.68.226.121172.16.19.90 ….....171.68.226.120192.58.28.128 ….....171.68.228.121
Prefix Next-hop189.16.17.89 ….....171.68.226.12022.78.190.64 ….....171.68.226.121172.16.19.90 ….....171.68.226.120192.58.28.128 …....171.68.228.121189.16.17.89 …....171.68.226.12022.78.190.64 ….....171.68.226.121172.16.19.90 …......171.68.226.120192.58.28.128 ….....171.68.228.121189.16.17.89 …....171.68.226.12022.78.190.64 ….....171.68.226.121172.16.19.90 …......171.68.226.120192.58.28.128 …......171.68.228.121189.16.17.89 ….....171.68.226.12022.78.190.64 …......171.68.226.121172.16.19.90 ….....171.68.226.120192.58.28.128 ….....171.68.228.121
Routing Protocols = Big Tables & More CPUwith Local L3 Gateway
Host Mobility
MappingDatabase
Only Local Routes
Prefix RLOC192.58.28.128 ….....171.68.228.121189.16.17.89 ….....171.68.226.12022.78.190.64 ….....171.68.226.121172.16.19.90 ….....171.68.226.120192.58.28.128 ….....171.68.228.121192.58.28.128 ….....171.68.228.121189.16.17.89 ….....171.68.226.12022.78.190.64 ….....171.68.226.121172.16.19.90 ….....171.68.226.120192.58.28.128 ….....171.68.228.121
Prefix Next-hop189.16.17.89 ….....171.68.226.12022.78.190.64 ….....171.68.226.121172.16.19.90 ….....171.68.226.120192.58.28.128 …....171.68.228.121
Prefix Next-hop189.16.17.89 ….....171.68.226.12022.78.190.64 ….....171.68.226.121172.16.19.90 ….....171.68.226.120192.58.28.128 …....171.68.228.121
Prefix Next-hop189.16.17.89 ….....171.68.226.12022.78.190.64 ….....171.68.226.121172.16.19.90 ….....171.68.226.120192.58.28.128 …....171.68.228.121
AFTERSeparate Identity from Location
Topology Routes
Endpoint Routes
LISP DB + Cache = Small Tables & Less CPUwith Anycast L3 Gateway
1. Control-Plane based on LISP
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Fabric OperationControl-Plane Roles & Responsibilities
92BRKCRS-2810
LISP Map Server / Resolver(Control-Plane)
• EID to RLOC mappings
• Can be distributed acrossmultiple LISP devices
LISP Tunnel Router - XTR(Edge & Internal Border)
• Register EID with Map Server
• Ingress / Egress (ITR / ETR)
LISP Proxy Tunnel Router - PXTR(External Border)
• Provides a Default Gateway when no mapping exists
• Ingress / Egress (PITR / PETR)
• EID = Endpoint Identifier
• Host Address or Subnet
• RLOC = Routing Locator
• Local Router Address
Prefix Next-hopw.x.y.1 e.f.g.h
x.y.w.2 e.f.g.hz.q.r.5 e.f.g.hz.q.r.5 e.f.g.h
Non-LISP
RLOC Space
EID RLOCa.a.a.0/24 w.x.y.1b.b.b.0/24 x.y.w.2
c.c.c.0/24 z.q.r.5d.d.0.0/16 z.q.r.5
EID RLOCa.a.a.0/24 w.x.y.1b.b.b.0/24 x.y.w.2
c.c.c.0/24 z.q.r.5d.d.0.0/16 z.q.r.5
EID RLOCa.a.a.0/24 w.x.y.1b.b.b.0/24 x.y.w.2
c.c.c.0/24 z.q.r.5d.d.0.0/16 z.q.r.5
EID Space
Control-Plane
EID Space
Edge
Edge
Border
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Fabric Operation Control Plane Register & Resolution
93BRKCRS-2810
Fabric Control Plane5.1.1.1
Branch
10.2.2.2/32 (2.1.2.1)
Cache Entry (on ITR)
Fabric Edge
Subnet 10.2.0.0 255.255.0.0 stretched across
2.1.1.1 2.1.2.1 3.1.1.1 3.1.2.1
10.2.2.2/32 ( 2.1.2.1)
Database Mapping Entry (on ETR)10.2.2.4/32 ( 3.1.2.1)
Database Mapping Entry (on ETR)Fabric Edges
10.2.2.2/1610.2.2.3/16 10.2.2.4/1610.2.2.5/16
Where is 10.2.2.2?
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Fabric Operation Fabric Internal Forwarding (Edge to Edge)
94BRKCRS-2810
Branch
IP Network
1.1.1.1
10.1.0.0/24
Fabric EdgeS
DNS Entry:D.abc.com A 10.2.2.2
1
10.1.0.1 10.2.2.2
2
Path Preference Controlledby Destination Site
10.1.0.1 10.2.2.2
1.1.1.1 2.1.2.1
4 Mapping System
5.1.1.1
5.3.3.3
5.2.2.2
Non-Fabric Non-Fabric
Fabric Borders
EID-prefix: 10.2.2.2/32
Locator-set:
2.1.2.1, priority: 1, weight:100
MappingEntry
3
D
2.1.1.1 3.1.1.1 3.1.2.1
10.1.0.1 10.2.2.2
5 Fabric Edges
10.2.2.3/16 10.2.2.2/16 10.2.2.5/1610.2.2.4/16
2.1.2.1
Subnet 10.2.0.0 255.255.0.0 stretched across
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Fabric Operation Host Mobility – Dynamic EID Migration
96BRKCRS-2810
Mapping System
1.1.1.1
2.1.1.1
3.1.1.1
12.2.2.1 12.2.2.212.1.1.1 12.1.1.2
1
Routing Table10.2.1.0/24 – Local 2
10.2.1.10/32 - Local
Fabric Control Plane10.10.0.0/16 – 12.0.0.1
10.2.1.10/32 – 12.2.2.1
34
10.2.1.10/32 – 12.1.1.1
10.2.1.10 10.2.1.10
Map RegisterEID: 10.17.1.10/32Node: 12.1.1.1
Campus
Bldg 1
Routing Table10.2.1.0/24 – Local
10.2.1.10/32 – LISP010.2.1.10/32 – Local
10.10.10.0/24
12.0.0.1 12.0.0.2
5
DC1
D
S
IP Network
Fabric Borders
Fabric Edges Campus
Bldg 2
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-Access FabricUnique Control-Plane extensions compared to LISP
98BRKCRS-2810
Capability Traditional LISP SD-Access Fabric
Layer 2 Extension Limited Support Fabric Control Plane extended to support
MAC to IP binding and Layer 2 Overlays
Virtual Networks Layer-3 VN (VRF) only Both Layer-3 and Layer-2 VN (VRF)
support (using VXLAN)
Fast Roaming Not Supported Fabric Control Plane extended to support
fast roaming in =/< 50ms
Wireless Extensions Not Supported Fabric Control Plane extended to support
wireless extensions for:• AP Onboarding
• Wireless Guest
• AP VXLAN functionality
1.Control-Plane
2.Data-Plane
3.Policy-Plane
What is Campus Fabric?
Fabric Fundamentals
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-Access FabricKey Components – VXLAN
100BRKCRS-2810
ORIGINAL PACKET
PAYLOADETHERNET IP
PACKET IN LISP
PAYLOADIPLISPUDPIPETHERNET
PAYLOADETHERNET IPVXLANUDPIPETHERNETPACKET IN VXLAN
Supports L2
& L3 Overlay
Supports L3
Overlay Only
1. Control-Plane based on LISP
2. Data-Plane based on VXLAN
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
VXLAN-GPO Header MAC-in-IP with VN ID & Group ID
102BRKCRS-2810
Underlay
Outer IP Header
Outer MAC Header
UDP Header
VXLAN Header
Overlay
14 Bytes
(4 Bytes Optional)
Ether Type
0x0800
VLAN ID
VLAN Type
0x8100
Source MAC
Dest. MAC 48
48
16
16
1620 Bytes
Dest. IP
Source IP
Header
Checksum
Protocol 0x11 (UDP)
IP Header
Misc. Data72
8
16
32
32
8 Bytes
Checksum 0x0000
UDP Length
Dest Port
Source Port 16
16
16
16
8 Bytes
Reserved
VN ID
Segment ID
VXLAN Flags RRRRIRRR 8
16
24
8
Src VTEP MAC Address
Next-Hop MAC Address
Allows 16M possible VRFs
UDP 4789
Hash of inner L2/L3/L4 headers of original frame. Enables entropy for ECMP load balancing.
Inner (Original) IP Header
Original Payload
Inner (Original) MAC Header
Allows 64K possible SGTs
Dst RLOC IP Address
Src RLOC IP Address
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Data-Plane OverviewFabric Header Encapsulation
104BRKCRS-2810
Fabric Data-Plane provides the following:• Underlay address advertisement & mapping
• Automatic tunnel setup (Virtual Tunnel End-Points)
• Frame encapsulation between Routing Locators
Support for LISP or VXLAN header format• Nearly the same, with different fields & payload
• LISP header carries IP payload (IP in IP)
• VXLAN header carries MAC payload (MAC in IP)
Triggered by LISP Control-Plane events• ARP or NDP Learning on L3 Gateways
• Map-Reply or Cache on Routing Locators
Decap
Encap
Inner
Inner
Oute
rIn
ner
Inner
Oute
r
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-Access FabricUnique Data-Plane Extensions compared to VXLAN
106BRKCRS-2810
Capability Traditional LISP/VXLAN SD-Access Fabric
SGT Tag No SGT VXLAN-GPO uses Reserved field to
carry SGT
Layer 3 Extension
(VRF)
Yes Yes, by mapping VRF->VNI
Layer 2 Extension Not Supported Fabric supports Layer 2 extension by
mapping VLAN ->VNI
Wireless Not Supported AP to Fabric Edge uses VXLAN
Fabric Edge to Edge/Border uses VXLAN
for both Wired and Wireless (same)
1.Control-Plane
2.Data-Plane
3.Policy-Plane
What is Campus Fabric?
Fabric Fundamentals
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-Access FabricKey Components – Group Based Policy
108BRKCRS-2810
PAYLOADETHERNET IPVXLANUDPIPETHERNET
VRF + SGT
1. Control-Plane based on LISP
2. Data-Plane based on VXLAN
3. Policy-Plane based on CTSVirtual Routing & Forwarding
Scalable Group Tagging
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-Access Policy Two Level Hierarchy - Macro Level
109BRKCRS-2810
Building Management VN
SD-AccessFabric
Campus Users VN
First level Segmentation ensures zero communication between forwarding domains. Ability to consolidate multiple networks into one management plane.
Virtual Network (VN)
Unknown
NetworksKnown
Networks
VN“A”
VN“B”
VN“C”
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-Access Policy Two Level Hierarchy - Micro Level
110BRKCRS-2810
Building Management VN
Campus Users VN
Second level Segmentation ensures role based access control between two groups within a Virtual Network. Provides the ability to segment the network into either line of businesses or functional blocks.
Scalable Group (SG)
Unknown
NetworksKnown
Networks
SG1
SG2
SG3
SG4
SG5
SG6
SG7
SG8
SG9
SD-AccessFabric
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-Access PolicyPolicy Types
111BRKCRS-2810
Application Policy
↓How to treat Traffic?
QoS for Applicationsor Application Caching
Access Control Policy
↓Who can access What?
Permit / Deny Rules for Group-to-Group Access
✓
Traffic Copy Policy
↓Need to Monitor Traffic?
Enable SPAN Servicesfor specific Groups or Traffic
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Group AssignmentTwo ways to assign SGT
112BRKCRS-2810
VLAN to SGT
L3 Interface (SVI) to SGT L2 Port to SGT
VM (Port Profile) to SGTSubnet to SGT
WLC Firewall Hypervisor SW
Campus Access Distribution Core DC Core DC Access
Enterprise Backbone
Static Classification
MAB
Dynamic Classification
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-Access PolicyPolicy Contracts
115BRKCRS-2810 115
Source Group Destination Group
ACTION: DENY
Contract
Classifier Type Action Type
Port Number Permit
Protocol Name Deny
Application Type Copy
Guest Users Credit System
CLASSIFIER: PORT
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Group PropagationVN & SGT in VXLAN-GPO Encapsulation
120BRKCRS-2810
IP Network
Edge Node 1 Edge Node 2
Encapsulation Decapsulation
VXLAN
VN ID SGT ID
VXLAN
VN ID SGT ID
PropagationCarry VN and Group context across the network
EnforcementGroup Based Policies ACLs, Firewall Rules
ClassificationStatic or Dynamic VN and SGT assignments
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-Access FabricUnique Policy-Plane Extensions compared to CTS
122BRKCRS-2810
Capability Traditional CTS SD-Access Policy
SGT Propagation Enabled hop-by-hop, or by
Security-Group Exchange Protocol
(SXP) sessions
Carried with the data traffic inside
VXLAN-GPO (overlay) end-to-end
VN Integration Not Supported VN + SGT-aware Firewalls
Access Control Policy Yes Yes
QoS (App) Policy Not Supported App based QoS policy, to optimize
application traffic priority
Traffic Copy Policy Not Supported SRC/DST based Copy policy (using
ERSPAN) to capture data traffic
What is Cisco DNA Center?
Controller Fundamentals
1.Architecture
2.User Interface
3.Workflows
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco DNA CenterSD-Access – Key Components
124BRKCRS-2810
NCPNetwork Control Platform
Cisco ISE 2.3Identity Services Engine
NDPNetwork Data Platform
Cisco Switches | Cisco Routers | Cisco Wireless
Cisco DNA Center
AAARADIUSEAPoL
HTTPSNetFlowSyslogs
NETCONFSNMPSSH
API API
API
API
Campus Fabric
Design | Policy | Provision | Assurance
DN1-HW-APLDNA Center Appliance
API
SNS 3500 SeriesISE Appliance
AutomationIdentity & Policy Assurance
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco DNA CenterAppliance Models & Specifications
SKU Specs Scale and Performance SDA Design
DN1-HW-APL
(Clusters with same SKU and DN2-HW-APL)
• Based on UCS M4• 44 cores• 256 GB RAM• 12 TB SSD• List Price: $77,160
5000 Devices
1000 Switches/Routers/WLC + 4000 APs
25,000 Clients
Small orMedium
DN2-HW-APL
(Clusters with same SKU and DN1-HW-APL)
• Based on UCS M5• 44 cores• 256 GB RAM• 16 TB SSD• List Price: $88,674
5000 Devices
1000 Switches/Routers/WLC + 4000 APs
25,000 Clients
Small or Medium
DN2-HW-APL-L
(Clusters with same SKU only)
• Based on UCS M5• 56 cores• 384 GB RAM• 16 TB SSD• List Price = $147,495
8000 Devices
2000 Switches/Routers/WLC + 6000 APs
40,000 Clients
Medium orLarge
NEW
NEW
BRKCRS-2810 125
1 or 3 appliance HA Cluster (more in future)
- Odd number to achieve quorum of distributed system
Seen as 1 logical DNAC instance
- Connect to Virtual (Cluster) IP
- Rare need to access individual nodes (e.g. SSH)
2 nodes active/sharing + 1 redundant
- Some services run multiple copies spread across nodes (e.g. databases)
- Other services run single copy and migrate from failed to redundant node
Individual apps on Maglev cluster
Virtual IP
Single Appliance for Cisco DNA (Automation + Assurance)
Cisco DNA CenterHigh Availability Cluster
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco DNA CenterAutomated Provisioning and Telemetry Enrichment
127BRKCRS-2810
Network Data
Platform
Telemetry Data
Data Collection
Telemetry Configuration
Configuration Automation
Telemetry Intent
Alerts
Violations
Inventory, Topology, Host, Group
Network State changes
Path Trace information
Network Control
Platform
CampusFabric
B
C
B
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco DNA Center and ISE integration Identity and Policy Automation
131BRKCRS-2810
Campus Fabric
Authentication Authorization
Policies
Fabric Management
Policy Authoring Workflows
Groups and Policies
PxGridREST APIs
Cisco Identity Services Engine
Cisco DNA Center
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco DNA Center and ISE integration ISE roles in SD-Access
132BRKCRS-2810
ISE-PAN ISE-PXG
ISE-MNT
ISE-PSN
Employee SGT 10if then
Contractor SGT 20if then
Things SGT 30if then
Authorization Policy Exchange Topics
TrustSecMetaData
SessionDirectory*
SGT Name: Employee = SGT 10SGT Name: Contractor = SGT 20...
Bob with Win10 on CorpSSID
* Future Plan
Network Devices
Users
Config Sync Context
DNA-Center
REST pxGrid
Admin/Operate
Users
Devices
Things
1.Architecture
2.User Interface
3.Workflows
What is Cisco DNA Center?
Controller Fundamentals
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-AccessCLI and API vs. GUI
134BRKCRS-2810
Campus Fabric SD Access
• DNA Center GUI• Cross-App REST APIs• Automated Workflows• Centralized Management
• Programmable APIs• NETCONF / YANG• Automated Workflows• Box-by-Box Management
• Command Line (CLI)• Templates / Macros• Customized Workflows• Box-by-Box Management
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco DNA Center 4 Step Workflow
135BRKCRS-2810
System Settings & Integration
App Management & High Availability
Design
• Global Settings• Site Profiles• DDI, SWIM, PNP
• User Access
Policy
• Virtual Networks• ISE, AAA, Radius• Endpoint Groups• Group Policies
Provision
• Fabric Domains• CP, Border, Edge• Fabric WLC, AP• External Connect
Assurance
• Health Dashboard• 360o Views• Net, Device, Client• Path Traces
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Assure
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Assure
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Take AwayThings to Remember
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Session Summary
147
SD-Access = Campus Fabric + Cisco DNA Center
BB
Campus
Fabric
C
DESIGN PROVISION POLICY ASSURANCE
Cisco DNA Center Simple Workflows
BRKCRS-2810
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-Access SupportDigital Platforms for your Cisco Digital Network Architecture
For more details:cs.co/sda-compatibility-matrix
BRKCRS-2810 149
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
What to Do Next?
152BRKCRS-2810
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
SD-Access ResourcesWould you like to know more?
153BRKCRS-2810
cisco.com/go/cvd• SD-Access Design Guide
• SD-Access Deployment Guide
• SD-Access Segmentation Guide
cisco.com/go/dnacenter• Cisco DNA Center At-A-Glance
• Cisco DNA ROI Calculator
• Cisco DNA Center Data Sheet
• Cisco DNA Center 'How To' Video Resources
cisco.com/go/sdaccess• SD-Access At-A-Glance
• SD-Access Ordering Guide
• SD-Access Solution Data Sheet
• SD-Access Solution White Paper
cisco.com/go/dna
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Webex Teams
Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session
Find this session in the Cisco Events Mobile App
Click “Join the Discussion”
Install Webex Teams or go directly to the team space
Enter messages/questions in the team space
How
1
2
3
4
155
cs.co/ciscolivebot#BRKCRS-2810
BRKCRS-2810
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Don’t forget: Cisco Live sessions will be available on demand after the event at ciscolive.cisco.com
• Please complete your Online Survey immediately after each Session
• Complete 4 Session Surveys AND the Overall Conference Survey (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Events Mobile App or the Communication Stations
Complete your online Session Survey
156BRKCRS-2810
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Demos in the Cisco
Campus
Walk-In Self-Paced
labs
Meet The Engineer
1:1 meetings
Related TrainingSessions
Continue Your Education
157BRKCRS-2810
Thank You