Campus Fabric Deep Dive

[Figure: controller evolution, APIC-EM 1.X, then APIC-EM 2.0 + Assurance, then Campus Fabric + DNA Center (SD-Access); fabric shown with two Border nodes (B)]
What exactly is a Fabric?
A Fabric is an Overlay
• An Overlay network is a logical topology used to virtually connect devices, built on top of some arbitrary physical Underlay topology.
• An Overlay network often uses alternate forwarding attributes to provide additional services not provided by the Underlay.
SD-Access Underlay / Overlay
[Figure: Overlay Network (Overlay Control Plane, Encapsulation) built over the physical Underlay; Hosts (End-Points) attach to the Overlay]
SD-Access Underlay
Manual vs. Automated (Roadmap)
Key Components of SD-Access
1. Control Plane based on LISP
2. Data-Plane based on VXLAN
LISP Control Plane
Locator / ID Separation Protocol

SD-Access Key Component – LISP
1. Control Plane based on LISP

BEFORE                                          AFTER
Routing Protocols = Big Tables & More CPU       LISP DB + Cache = Small Tables & Less CPU
Host Mobility with Local L3 Gateway             Host Mobility with Anycast L3 Gateway
IP Address = Location + Identity                Separate Identity from Location

[Figure: in the BEFORE picture every router carries the full table of Endpoint Routes (Prefix -> Next-hop); in the AFTER picture the routes are consolidated into a single LISP Endpoint Database (EID Prefix -> RLOC) and each router only caches the mappings it needs]

  EID Prefix        RLOC
  189.16.17.89      171.68.226.120
  22.78.190.64      171.68.226.121
  172.16.19.90      171.68.226.120
  192.58.28.128     171.68.228.121
Locator / ID Separation Protocol
LISP Mapping System
‒ DNS resolves IP addresses for queried Names (Name-to-IP, URL resolution between Host and Server); it answers the "WHO IS" question.
    [Who is lisp.cisco.com?]  ->  [Address is 153.16.5.29, 2610:D0:110C:1::3]
‒ LISP resolves Locators for queried Identities; it answers the "WHERE IS" question.
    [Where is 2610:D0:110C:1::3?]
LISP Roles & Responsibilities
[Figure: the Map System holds the full EID-to-RLOC database; each site registers its own EID Space; the ITR caches only the mappings it has resolved]

  Map System          EID           RLOC
                      a.a.a.0/24    w.x.y.1
                      b.b.b.0/24    x.y.w.2
                      c.c.c.0/24    z.q.r.5
                      d.d.0.0/16    z.q.r.5
  EID Space (sites)   a.a.a.0/24    w.x.y.1
                      b.b.b.0/24    x.y.w.2
                      c.c.c.0/24    z.q.r.5
  ITR map-cache       a.a.a.0/24    w.x.y.1
SD-Access Border and Default Border
[Figure: Border nodes (B) connect the fabric to Known Networks; the Default Border handles Unknown Networks]
SD-Access Default Border
Forwarding to External Domain
[Figure: Campus Bldg 1 (10.2.0.0/24) and Bldg 2 (10.3.0.0/24) behind Fabric Edges 1.1.2.1 and 3.1.1.1; Control Plane nodes 5.1.1.1 and 5.2.2.2; Default Border toward Dest 193.3.0.0/24]
1. Src 10.2.0.1 sends a packet to 193.3.0.1, a destination outside the fabric.
2. The Edge asks the Control Plane nodes: EID-Prefix: Not found, map-cache miss.
3. Mapping Entry returned: Locator-Set: (use-petr), i.e. send to the Default Border (proxy ETR).
4. The Default Border decapsulates and forwards 10.2.0.1 -> 193.3.0.1 to the external domain.
SD-Access Border (Known Border)
Forwarding from Fabric Edge to External Domain
[Figure: Campus Bldg 1 (10.1.1.0/24) and Bldg 2 (10.3.0.0/24) behind Fabric Edges 1.1.1.1, 1.1.2.1, 1.1.3.1, 1.1.4.1; Control Plane node 5.1.1.1; Border 2.1.1.1 toward the Branch (192.1.1.0/24)]
1. DNS Entry: branch.abc.com A 192.1.1.1. Src 10.1.1.1 sends to Dest 192.1.1.1.
2. The Edge asks the Control Plane node for the destination EID.
3. Mapping Entry: EID-prefix: 192.168.1.0/24, Locator-set: 2.1.1.1, priority: 1, weight: 100 (D1). Note: Path Preference is controlled by the Destination Site.
4. The Edge encapsulates the packet to the Border RLOC 2.1.1.1.
5. The Border decapsulates and forwards 10.1.1.1 -> 192.1.1.1 to the Branch.
VXLAN Data Plane
SD-Access Key Components – VXLAN
1. Control Plane based on LISP
2. Data-Plane based on VXLAN

ORIGINAL PACKET:   ETHERNET | IP | PAYLOAD
PACKET IN LISP:    ETHERNET | IP | UDP | LISP | IP | PAYLOAD                 (supports L3 Overlay)
PACKET IN VXLAN:   ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD     (supports L2 & L3 Overlay)
VXLAN Header
MAC-in-IP Encapsulation

  Outer MAC Header (14 Bytes)   Next-Hop MAC Address       48 bits
    Underlay                    Source MAC                 48 bits
                                VLAN Type 0x8100           16 bits   (4 Bytes optional, with VLAN ID 16 bits)
  IP Header (20 Bytes)          Misc. Data                 72 bits
                                Protocol 0x11 (UDP)        8 bits
                                Header Checksum            16 bits
                                Source IP, Dest IP         32 bits each
  UDP Header (8 Bytes)          Source Port                16 bits
                                Dest Port 4789             16 bits
                                UDP Length                 16 bits
                                Checksum 0x0000            16 bits
  VXLAN Header (8 Bytes)        Flags / Reserved           16 bits
    Overlay                     Segment ID                 16 bits
                                VN ID                      24 bits   (allows 16M possible VRFs)
                                Reserved                   8 bits
  Original Payload
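The 8-byte header above, built and parsed in code. This is an added example, not code from the deck or from Cisco. It handles the plain RFC 7348 layout (flags, reserved, 24-bit VNI, reserved) and the VXLAN-GPO layout from draft-smith-vxlan-group-policy (16-bit flags with G and I bits, 16-bit Group Policy ID, VNI, reserved); reading the slide's 16-bit "Segment ID" as the Group Policy ID that carries the SGT is this example's assumption, and the VNI/SGT values are constructed:

```python
"""Build and parse the 8-byte VXLAN header used by the SD-Access data plane.

Added example, not code from the deck. Layouts used (bit 0 is the MSB):
  RFC 7348:   flags(8) | reserved(24) | VNI(24) | reserved(8)
  VXLAN-GPO (draft-smith-vxlan-group-policy):
              flags(16: G, I, D, A bits) | Group Policy ID(16) | VNI(24) | reserved(8)
Reading the slide's 16-bit "Segment ID" as the Group Policy ID that carries the
SGT is this example's assumption.
"""
import struct

VXLAN_UDP_PORT = 4789
MAX_VNI = (1 << 24) - 1          # 24-bit VN ID: ~16M possible segments / VRFs
FLAG_G = 0x8000                  # Group Policy extension present (GPO)
FLAG_I = 0x0800                  # VNI field is valid (the only flag RFC 7348 defines)
FLAG_A = 0x0008                  # GPO: policy already applied upstream


def build_vxlan(vni: int, sgt: int = None, policy_applied: bool = False) -> bytes:
    """Plain RFC 7348 header when sgt is None, otherwise a VXLAN-GPO header."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError("VNI must fit in 24 bits")
    flags, gpid = FLAG_I, 0
    if sgt is not None:
        if not 0 <= sgt <= 0xFFFF:
            raise ValueError("Group Policy ID / SGT must fit in 16 bits")
        flags |= FLAG_G | (FLAG_A if policy_applied else 0)
        gpid = sgt
    # Network byte order: 16-bit flags, 16-bit GPID (reserved in plain VXLAN),
    # then the VNI in the upper 24 bits of a 32-bit word over a zero reserved byte.
    return struct.pack("!HHI", flags, gpid, vni << 8)


def parse_vxlan(hdr: bytes) -> dict:
    """Decode vni / sgt / policy_applied; reject headers an xTR must not forward."""
    if len(hdr) < 8:
        raise ValueError("short VXLAN header")
    flags, gpid, tail = struct.unpack("!HHI", hdr[:8])
    if not flags & FLAG_I:
        raise ValueError("I flag clear: VNI not valid, drop")
    gpo = bool(flags & FLAG_G)
    # RFC 7348 says reserved bits are ignored on receipt, so the GPID word only
    # means something when the G flag says the extension is present.
    return {
        "vni": tail >> 8,
        "sgt": gpid if gpo else None,
        "policy_applied": gpo and bool(flags & FLAG_A),
    }


def decap(udp_dst_port: int, udp_payload: bytes):
    """Outer UDP demux: only port 4789 is VXLAN. Returns (header dict, inner
    Ethernet frame); the frame is the original MAC-in-IP payload."""
    if udp_dst_port != VXLAN_UDP_PORT:
        raise ValueError(f"UDP port {udp_dst_port} is not VXLAN")
    return parse_vxlan(udp_payload[:8]), udp_payload[8:]


if __name__ == "__main__":
    hdr = build_vxlan(vni=4097, sgt=200, policy_applied=True)   # constructed values
    print(hdr.hex(), parse_vxlan(hdr))
```

The bit masks are written against the 16-bit flags word so the same unpack format serves both layouts; a receiver that ignores the G flag still decodes the VNI correctly, which is why GPO is backward compatible with plain VXLAN decapsulation.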
SD-Access Virtual Network
Virtual Network maintains a separate Routing & Switching instance for the devices within it.
• Control Plane uses Instance ID to maintain separate VRF topologies
[Figure: Control Plane node (C) and Border nodes (B); Known Networks and Unknown Networks outside the fabric]
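A runnable model of the resolution flow described on the LISP Roles, Default Border, Known Border and Virtual Network slides, added here as an example (it is not code from the deck or from Cisco). A control-plane node holds the EID-to-RLOC database keyed by instance ID so each Virtual Network has its own topology; a fabric edge (ITR) resolves a destination once and then forwards from its map-cache; a registered prefix returns its locator-set with priority and weight; a miss returns use-petr, i.e. the default border. The instance IDs 4097 and 4098 and the addresses are constructed, several copied from the slide figures:

```python
"""LISP-style map resolution as the SD-Access control plane performs it.

Added example, not code from the deck or from Cisco. All addresses, prefixes
and instance IDs are constructed for illustration (several are copied from the
slide figures); nothing here talks to a real fabric.
"""
import random
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Locator:
    rloc: str
    priority: int = 1      # lower value preferred; ties are load-shared by weight
    weight: int = 100


@dataclass
class MapSystem:
    """Control-plane node: authoritative EID-prefix -> locator-set database.

    The key includes the LISP instance ID, so two Virtual Networks (VRFs) can
    register the same prefix without colliding.
    """
    db: Dict[Tuple[int, object], Tuple[Locator, ...]] = field(default_factory=dict)
    petr: Optional[Locator] = None   # default border; returned as "use-petr" on a miss

    def register(self, instance_id: int, prefix: str, *locators: Locator) -> None:
        self.db[(instance_id, ip_network(prefix))] = tuple(locators)

    def map_request(self, instance_id: int, eid: str):
        """Longest-prefix match inside one instance; None = negative map-reply."""
        addr = ip_address(eid)
        matches = [(net, locs) for (iid, net), locs in self.db.items()
                   if iid == instance_id and addr in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)


class ITR:
    """Fabric edge: asks the map system once, then forwards from its map-cache."""

    def __init__(self, map_system: MapSystem):
        self.ms = map_system
        self.cache: Dict[Tuple[int, object], Tuple[str, Tuple[Locator, ...]]] = {}

    def resolve(self, instance_id: int, eid: str) -> Tuple[str, Tuple[Locator, ...]]:
        addr = ip_address(eid)
        hits = [(net, entry) for (iid, net), entry in self.cache.items()
                if iid == instance_id and addr in net]
        if hits:                                   # map-cache hit: no control-plane traffic
            return max(hits, key=lambda h: h[0].prefixlen)[1]
        reply = self.ms.map_request(instance_id, eid)
        if reply is None:
            # Negative map-reply: the mapping entry is "use-petr", so the packet
            # is encapsulated toward the default border. Cached per host here.
            if self.ms.petr is None:
                raise LookupError(f"no mapping and no PETR for {eid}")
            net, entry = ip_network(str(addr)), ("use-petr", (self.ms.petr,))
        else:
            net, entry = reply[0], (str(reply[0]), reply[1])
        self.cache[(instance_id, net)] = entry
        return entry

    @staticmethod
    def pick_locator(locators: Tuple[Locator, ...], rng=random) -> Locator:
        """Destination-site path preference: lowest priority, then weighted choice."""
        best = min(loc.priority for loc in locators)
        candidates = [loc for loc in locators if loc.priority == best]
        return rng.choices(candidates, weights=[c.weight for c in candidates])[0]


def build_demo() -> ITR:
    """Topology from the border slides: campus edge, known border to the branch,
    default border for everything else; a second instance ID shows VN separation."""
    ms = MapSystem(petr=Locator("3.1.1.1"))                       # default border
    ms.register(4097, "10.1.1.0/24", Locator("1.1.1.1"))          # campus Bldg 1 edge
    ms.register(4097, "192.1.1.0/24",
                Locator("2.1.1.1", priority=1, weight=100))       # branch via known border
    ms.register(4098, "10.1.1.0/24", Locator("1.1.2.1"))          # same prefix, other VN
    return ITR(ms)


if __name__ == "__main__":
    itr = build_demo()
    for iid, dst in [(4097, "192.1.1.1"), (4097, "193.3.0.1"), (4098, "10.1.1.5")]:
        prefix, locs = itr.resolve(iid, dst)
        print(f"iid {iid} {dst}: {prefix} via {ITR.pick_locator(locs).rloc}")
```

The security-relevant property is in `map_request`: the instance ID is part of the lookup key, so a host in one Virtual Network cannot obtain a locator for a prefix registered only in another, which is what makes the VRF separation hold in the control plane and not just in the VXLAN VNI.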
SD-Access Scalable Group
Scalable Group is a logical ID object to "group" Users and/or Devices.
• CTS uses "Scalable Groups" to ID and assign a unique Scalable Group Tag (SGT) to Host Pools
• Nodes add SGT to the Fabric encapsulation
• CTS SGTs used to manage address-independent "Group-Based Policies"
• Edge or Border Nodes use SGT to enforce local Scalable Group ACLs (SGACLs)
[Figure: Control Plane node (C), Border nodes (B), Known and Unknown Networks; hosts behind the edges carry SGTs such as 3, 4, 6, 8, 11, 12, 17, 19, 23, 25]
VXLAN helps to preserve SGT/EPG and Context information while connecting with ACI/VXLAN networks
[Figure: SD-Access Border nodes connect across the Enterprise Backbone to the ACI fabric Border; SGT carried in VXLAN, EVPN-AF between the domains; APIC-EM as controller]
Cisco TrustSec
Simplified access control with Group Based Policy
Classification: Static or Dynamic SGT assignments at the Campus Switch (Employee Tag, Supplier Tag, Non-Compliant Tag; Voice, Employee, Supplier and Non-Compliant endpoints spread across VLAN A and VLAN B).
Enforcement: the DC switch receives policy for only what is connected.
BRKCRS-3800
Cisco TrustSec
Identity Services Engine (ISE) enables CTS
• NDAC (Network Device Admission Control) authenticates Network Devices for a trusted CTS domain
• SGT & SGT Names are centrally defined in Cisco ISE and distributed as the SGT Name Table, e.g. 3: Employee, 4: Contractors, 8: PCI_Servers, 9: App_Servers
• Scalable Group ACL (SGACL): a Sources x Destinations matrix of permit (✓) / deny (✕) cells
• ISE dynamically authenticates endpoint users and devices (802.1X) and assigns SGTs: Dynamic SGT Assignment for Endpoint ID Groups, Static SGT Assignment where needed (e.g. Rogue Device(s))
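The enforcement half of the two slides above (Scalable Groups and the ISE-defined SGACL matrix), as an added example that is not code from the deck or from ISE. The SGT numbers and names are the ones on the ISE slide (3 Employee, 4 Contractors, 8 PCI_Servers, 9 App_Servers); the permit/deny cells, port rules, default action and the sample flows are constructed and are not the deck's matrix:

```python
"""Scalable Group ACL (SGACL) evaluation, the enforcement half of TrustSec.

Added example, not code from the deck or from ISE. SGT numbers and names are the
ones shown on the ISE slide (3 Employee, 4 Contractors, 8 PCI_Servers,
9 App_Servers); the permit/deny cells, port rules and flows are constructed for
illustration and are not the deck's matrix.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SGT_NAMES = {3: "Employee", 4: "Contractors", 8: "PCI_Servers", 9: "App_Servers"}
UNKNOWN_SGT = 0          # untagged / unclassified traffic carries SGT 0

Rule = Tuple[str, Optional[int], str]          # (proto or "any", dst port or None, action)
Matrix = Dict[Tuple[int, int], List[Rule]]    # (source SGT, destination SGT) -> rules

# Constructed matrix. A cell is an ordered rule list; first match wins, and a
# cell with no matching rule falls through to DEFAULT_ACTION.
SGACL: Matrix = {
    (3, 9): [("tcp", 443, "permit")],        # employees reach the app tier over HTTPS only
    (3, 8): [("any", None, "deny")],         # employees never reach PCI servers directly
    (4, 9): [("tcp", 443, "permit")],
    (4, 8): [("any", None, "deny")],
    (9, 8): [("tcp", 1433, "permit")],       # app tier to the PCI database only
    (3, 3): [("any", None, "permit")],       # intra-group traffic
}
DEFAULT_ACTION = "deny"   # constructed choice: fail closed when no cell or rule matches


@dataclass(frozen=True)
class Flow:
    src_sgt: int      # carried in the fabric encapsulation from the ingress edge
    dst_sgt: int      # looked up locally from the destination host's binding
    dst_port: int
    proto: str = "tcp"


def cell_name(src_sgt: int, dst_sgt: int) -> str:
    return f"{SGT_NAMES.get(src_sgt, src_sgt)}->{SGT_NAMES.get(dst_sgt, dst_sgt)}"


def evaluate(flow: Flow, matrix: Matrix = SGACL, default: str = DEFAULT_ACTION):
    """Egress enforcement: returns (action, reason). Both SGTs must be known
    before a cell can be selected; an unknown tag is treated as no match."""
    if UNKNOWN_SGT in (flow.src_sgt, flow.dst_sgt):
        return default, "unclassified"
    name = cell_name(flow.src_sgt, flow.dst_sgt)
    rules = matrix.get((flow.src_sgt, flow.dst_sgt))
    if rules is None:
        return default, f"{name}: no cell, default"
    for proto, port, action in rules:
        if proto in ("any", flow.proto) and port in (None, flow.dst_port):
            return action, f"{name}: {proto}/{port or 'any'} {action}"
    return default, f"{name}: no rule matched, default"


def download_for_node(local_dst_sgts, matrix: Matrix = SGACL) -> Matrix:
    """Model of the ISE policy download: an enforcement node receives only the
    cells whose destination SGT is bound to a host connected to it."""
    return {cell: rules for cell, rules in matrix.items() if cell[1] in local_dst_sgts}


if __name__ == "__main__":
    for f in (Flow(3, 9, 443), Flow(3, 9, 22), Flow(9, 8, 1433), Flow(0, 9, 443)):
        print(f, evaluate(f))
    print(sorted(download_for_node({8})))        # what a DC switch hosting PCI servers pulls
```

Because the lookup is keyed on tags rather than addresses, the matrix does not change when a host moves or is renumbered; what does have to be trusted is the tag itself, which is why the slides pair SGTs with NDAC so that only authenticated devices may place an SGT into the fabric encapsulation.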
Anycast
What is Anycast?
• Just a configuration methodology: the same address is configured on more than one instance of a service.
• The routing infrastructure directs any packet to the topologically nearest instance of the service.
[Figure: Example, a Client reaching the anycast address through Router 1]
Fabric Wireless
[Figure: Centralized Unified Wireless Network: APs tunnel CAPWAP (Control) and CAPWAP (Data) to the WLC, WLC as Mobility Anchor, ISE / AD for identity. Strengths: Scalable and Reliable. Open questions: Network Overlay? L3 roaming across Campus? Simplified IP addressing? Distributed Data Plane?]

  Non-Fabric enabled WLC                               Fabric WLC
  CAPWAP for Control Plane and Data Plane              CAPWAP Control Plane, VXLAN Data plane
  SDA Fabric is just a transport                       WLC/APs integrated in Fabric, SD-Access advantages
  Supported on any WLC/AP software and hardware        Requires software upgrade (8.5+)
  Migration step to full SDA                           Optimized for 802.11ac Wave 2 APs

[Figure: both SD-Access Fabrics drawn with Control Plane node (C) and Border nodes (B); left, CAPWAP Control & Data to the WLC; right, CAPWAP control plane to the WLC and VXLAN data plane into the fabric]
SD-Access Architecture
Roles and Terminology
• DNA Controller – Enterprise SDN Controller: DNA provides GUI management abstraction via multiple Service Apps, which share information
• Group Repository – External ID Services (e.g. ISE) is leveraged for dynamic User or Device to Group mapping and policy definition
• Analytics Engine – Network Data Platform (NDP) is leveraged to analyze User or Device to App flows and monitor fabric status
• Control-Plane Nodes – Map System that manages Endpoint ID to Device relationships
• Border Nodes – A Fabric device (e.g. Core) that connects External L3 network(s) to the SDA Fabric
• Fabric Mode WLC – WLC integrated with the Fabric; Fabric APs are directly connected to a Fabric Edge (FE)
[Figure: DNA Controller with Group Repository (ISE / AD) and Analytics Engine (NDP) above the fabric; Fabric Border (B), Control-Plane (C) and Fabric Edge nodes; Fabric Mode WLC; Known and Unknown Networks]

• CAPWAP control plane goes to the WLC using the Fabric
• Fabric is enabled per SSID:
  • For a Fabric enabled SSID, the AP converts 802.11 traffic to 802.3 and encapsulates it into VXLAN, encoding the VNI and SGT information of the client
  • The AP forwards client traffic based on the forwarding table as programmed by the WLC. Usually the VXLAN DST is the first hop switch.
  • The AP applies all wireless specific features like SSID policies, AVC, QoS, etc.
SD-Access Wireless Architecture
Simplifying Policy and Segmentation
[Figure: SD Fabric with Control Plane (C), Border (B) and Fabric Edges FE A and FE B; the AP sends VXLAN (Data) to its FE]
1. AP removes the 802.11 header:             802.11 | IP | IP payload   ->   IP | IP payload
2. AP adds the 802.3/VXLAN/underlay IP header:   underlay IP | UDP | VXLAN | 802.3 | EID IP | IP payload

Hierarchical Segmentation:
1. Virtual Network (VN) == VRF – isolated Control Plane + Data Plane
2. Scalable Group Tag (SGT) – User Group identifier
Client Policy is carried end to end in the overlay; SGT policy is applied at the Touch Point (L3 Switch).
[Figure: One SSID; Corporate VN carrying BYOD (SGT 200) and Contractor (SGT 300) clients; Touch Point at the L3 Switch]
SD-Access – Control Plane: Platform Support
SD-Access – Border Node: Platform Support
SD-Access – Fabric Wireless: Platform Support
[Table: 3504 WLC, 5520 WLC, 8540 WLC, Wave 2 APs, Wave 1 APs; entries marked NEW or *with Caveats]
Questions?
LAB Time
Design, Policy and Provision with SD-Access