Transcription
Cisco SD-Access: Connecting to the Data Center, Firewall, WAN and More!
Vedran Hafner, vehafner@cisco.com, Systems Engineer Manager

Agenda
- Introduction to Cisco SD-Access Fabric Roles and Constructs
- Enterprise Network Design: Traditional vs Cisco SD-Access Network Design; Border Design Options
- Border Connectivity Models: Connecting to Internal networks like DC & WAN; Connecting to external networks like Internet & Cloud
- Small Enterprise Network Design: Traditional vs Cisco SD-Access Network Design; Border Design Options
- Conclusion
Fabric Roles and Constructs

Cisco SD-Access Fabric Roles & Terminology
- Cisco DNA Center hosts Cisco DNA Automation (NCP), Cisco DNA Assurance (NDP) and Identity Services (ISE)
- Cisco DNA Automation - provides simple GUI management and intent based automation (e.g. NCP) and context sharing
- Cisco DNA Assurance - Data Collectors (e.g. NDP) analyze Endpoint to App flows and monitor fabric status
- Identity Services - NAC & ID Systems (e.g. ISE) for dynamic Endpoint to Group mapping and Policy definition
- Control-Plane Nodes - Map System that manages Endpoint to Device relationships
- Fabric Border Nodes - A Fabric device (e.g. Core) that connects External L3 network(s) to the SDA Fabric
- Fabric Edge Nodes - A Fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SDA Fabric
- Fabric Wireless Controller - A Fabric device (WLC) that connects APs and Wireless Endpoints to the SDA Fabric
- Intermediate Nodes (Underlay)

Cisco SD-Access Fabric Terminology (diagram labels): Overlay Network, Overlay Control Plane, Encapsulation, Edge Device, Hosts (End-Points), Underlay Network, Underlay Control Plane
Cisco SD-Access Fabric Control-Plane Nodes - A Closer Look
Control-Plane Node runs a Host Tracking Database to map location information
- A simple Host Database that maps Endpoint IDs to a current Location, along with other attributes
- Host Database supports multiple types of Endpoint ID lookup types (IPv4, IPv6 or MAC)
- Receives Endpoint ID map registrations from Edge and/or Border Nodes for "known" IP prefixes
- Resolves lookup requests from Edge and/or Border Nodes, to locate destination Endpoint IDs

Cisco SD-Access Fabric Edge Nodes - A Closer Look
Edge Node provides first-hop services for Users / Devices connected to a Fabric
- Responsible for Identifying and Authenticating Endpoints (e.g. Static, 802.1X, Active Directory)
- Registers specific Endpoint ID info (e.g. /32 or /128) with the Control-Plane Node(s)
- Provides an Anycast L3 Gateway for the connected Endpoints (same IP address on all Edge nodes)
- Performs encapsulation / de-encapsulation of data traffic to and from all connected Endpoints

Cisco SD-Access Fabric Border Nodes
Border Node is an Entry & Exit point for data traffic going Into & Out of a Fabric. There are 3 types of Border Node:
- Rest of Company / Internal Border - used for "Known" routes inside your company
- Outside World / External Border - used for "Unknown" routes outside your company
- Anywhere / Internal-External Border - used for "Known" and "Unknown" routes for your company

Cisco SD-Access Fabric Border Nodes - Rest of Company / Internal
Rest of Company / Internal Border advertises Endpoints to outside, and known Subnets to inside
- Connects to any "known" IP subnets available from the outside network (e.g. DC, WLC, FW, etc.)
- Exports all internal IP Pools to outside (as aggregate), using a traditional IP routing protocol(s)
- Imports and registers (known) IP subnets from outside, into the Control-Plane Map System, except the default route
- Hand-off requires mapping the context (VRF & SGT) from one domain to another
Cisco SD-Access Fabric Border Nodes - Forwarding from Fabric to External Domain (diagram)
The host in Campus Bldg 1 (10.1.1.0/24) resolves the DNS entry D.abc.com A 192.1.1.1 and sends traffic to 192.1.1.1. The Edge node queries the Control-Plane nodes, whose mapping entry is EID-prefix 192.1.1.0/24 -> locator 2.1.1.1, priority 1, weight 100 (D1); path preference is controlled by the destination. The Border with that locator forwards the traffic to 192.1.1.1. Other diagram labels: Campus Bldg 2 (10.3.0.0/24); RLOCs 1.1.3.1, 1.1.4.1, 5.2.2.2.

Cisco SD-Access Fabric Border Nodes - Forwarding from External to Fabric Domain (diagram)
Source 192.1.1.1 sends traffic to 10.1.1.1. The external routing entry says: send traffic to the exit point of the domain (the Internal Border). The Border queries the Control-Plane nodes, whose mapping entry is EID-prefix 10.1.1.1/32 -> locator-set 1.1.1.1, priority 1, weight 100 (D1); path preference is controlled by the destination site. Other diagram labels: Campus Bldg 1 (10.1.1.0/24), Campus Bldg 2 (10.3.0.0/24); RLOCs 1.1.3.1, 1.1.4.1, 5.2.2.2.
Cisco SD-Access Fabric Border Nodes - Outside World / External
Outside World / External Border is a "Gateway of Last Resort" for any unknown destinations
- Connects to any "unknown" IP subnets, outside of the network (e.g. Internet, Public Cloud)
- Exports all internal IP Pools outside (as aggregate) into traditional IP routing protocol(s)
- Does NOT import any routes! It is a "default" exit, if no entry is available in the Control-Plane
- Hand-off requires mapping the context (VRF & SGT) from one domain to another

Cisco SD-Access Fabric Border Nodes - Forwarding from Fabric to External Domain, unknown destination (diagram)
Source 10.2.0.1 in Campus Bldg 1 (10.2.0.0/24) sends traffic to 93.3.0.1 on the Internet. The Control-Plane nodes answer "EID-Prefix: Not found", and the map-cache entry is Locator-Set: (use-petr) 3.1.1.1, priority 1, weight 100 (D1), so the traffic is forwarded to the External Border acting as Proxy ETR. Other diagram labels: Campus Bldg 2 (10.3.0.0/24); RLOCs 1.1.2.1, 5.2.2.2.

Cisco SD-Access Fabric Border Nodes - Anywhere / Internal-External Border
Anywhere / Internal-External Border is a single exit point for all known and unknown destinations
- Connects to any "unknown" IP subnets outside of the network (e.g. Internet, Public Cloud) and to "known" IP subnets available from the outside network (e.g. DC, WLC, FW, etc.)
- Imports and registers (known) IP subnets from outside, into the Control-Plane Map System, except the default route
- Exports all internal IP Pools outside (as aggregate) into traditional IP routing protocol(s)
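The control-plane lookup and the three border roles on the preceding slides (Control-Plane Node database, Edge Node /32 registration, the Rest of Company / Internal, Outside World / External and Anywhere borders, and the two forwarding diagrams), worked as an added example. This is not part of the original deck and not Cisco code: it models the map system as a Python dictionary instead of LISP Map-Register / Map-Request / Map-Reply messages. The locators 1.1.1.1, 2.1.1.1, 3.1.1.1, the campus pools, the 192.1.1.0/24 DC prefix and the Internet address 93.3.0.1 are taken from the diagrams; the Bldg 2 host 10.3.0.7 and the edge RLOC 1.1.3.1 assignment are assumptions. It also shows the hairpin case discussed under Border Deployment later in the deck: when no Internal Border has registered the DC prefix, DC-bound traffic falls back to the External Border.

```python
"""Toy model of the SD-Access control-plane node (LISP map system) and the
three border roles. Added illustration, not Cisco code; see lead-in for
which values come from the slides and which are assumed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Locator:
    rloc: str          # underlay address of the fabric node holding the EID
    priority: int = 1
    weight: int = 100


@dataclass
class MapSystem:
    """Control-plane node: host tracking database keyed by EID-prefix."""
    entries: Dict[object, Tuple[Locator, str]] = field(default_factory=dict)
    petr: Optional[Locator] = None   # External Border = Proxy ETR, gateway of last resort

    def register(self, prefix: str, loc: Locator, role: str) -> None:
        net = ip_network(prefix)
        if net.prefixlen == 0:
            # Slides: the default route is never imported into the map system;
            # unknown destinations are served by the PETR instead.
            raise ValueError("default route must not be registered as an EID")
        self.entries[net] = (loc, role)

    def resolve(self, dst: str) -> Optional[dict]:
        """Longest-prefix match over registered EIDs, else fall back to the PETR."""
        addr = ip_address(dst)
        best = None
        for net, (loc, role) in self.entries.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, loc, role)
        if best is not None:
            return {"eid": str(best[0]), "rloc": best[1].rloc, "via": best[2]}
        if self.petr is not None:
            return {"eid": "not found", "rloc": self.petr.rloc, "via": "use-petr"}
        return None  # no border of last resort: the edge has nowhere to send it


def edge_registers(ms: MapSystem, edge_rloc: str, host: str) -> None:
    """Edge node: registers each connected endpoint as a /32 (or /128)."""
    ms.register(f"{host}/32", Locator(edge_rloc), "edge")


def internal_border_imports(ms: MapSystem, border_rloc: str, routes) -> int:
    """Rest of Company border: imports 'known' outside routes, except the default."""
    imported = 0
    for prefix in routes:
        if ip_network(prefix).prefixlen == 0:
            continue                      # 0.0.0.0/0 is dropped, never registered
        ms.register(prefix, Locator(border_rloc), "internal-border")
        imported += 1
    return imported


def external_border(ms: MapSystem, border_rloc: str) -> None:
    """Outside World border: imports nothing, only becomes the PETR."""
    ms.petr = Locator(border_rloc)


def build_fabric(with_internal_border: bool) -> MapSystem:
    """Two campus hosts, an External Border, and optionally an Internal Border."""
    ms = MapSystem()
    edge_registers(ms, "1.1.1.1", "10.1.1.1")   # Bldg 1 host from the diagram
    edge_registers(ms, "1.1.3.1", "10.3.0.7")   # assumed Bldg 2 host
    external_border(ms, "3.1.1.1")
    if with_internal_border:
        # The fusion router hands the DC prefix plus a default route to the
        # border; only the DC prefix makes it into the map system.
        internal_border_imports(ms, "2.1.1.1", ["192.1.1.0/24", "0.0.0.0/0"])
    return ms


def forward(ms: MapSystem, dst: str) -> Optional[dict]:
    """What an edge node learns when it asks the control plane about dst."""
    return ms.resolve(dst)


if __name__ == "__main__":
    for has_internal in (True, False):
        ms = build_fabric(has_internal)
        print("internal border present:", has_internal)
        for dst in ("10.1.1.1", "192.1.1.1", "93.3.0.1"):
            print("  ", dst, "->", forward(ms, dst))
```

With the Internal Border present, 192.1.1.1 resolves to locator 2.1.1.1 and goes straight to the DC; without it the same destination is "not found" and is hairpinned through the External Border at 3.1.1.1, which is exactly the sub-optimal path the Border Deployment slides warn about.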
Cisco SD-Access Fabric Virtual Network - A Closer Look
Virtual Network maintains a separate Routing & Switching table for each instance
- Control-Plane uses Instance ID to maintain separate VRF topologies ("Default" VRF is Instance ID "4098")
- Nodes add a VNID to the Fabric encapsulation
- Endpoint ID prefixes (Host Pools) are routed and advertised within a Virtual Network
- Uses standard "vrf definition" configuration, along with RD & RT for remote advertisement (Border Node)
Diagram: Campus, IOT and Guest Virtual Networks.
Enterprise Network Design
Traditional Network Design

Cisco SD-Access Fabric 3-Tier Enterprise Network Design - Traditional
Diagram: Internet Edge, Internet, Centralized WLC, OTT, WAN, Shared Services, Large Hybrid WAN Site, Small Hybrid WAN Site.
Role / Platform:
- Access Node: Cat3K/9300, Cat4K/9400
- Distribution Node: Cat3K/9300, Cat4K/9500, Cat6K/9500
- Core Node: Cat6K/9500, N7K, ASR1K-HX
- Centralized WLC: 8540, 5520 (x800 APs)
- WAN HR/MC: ASR1K, ISR4K
- Internet Edge: ASR1K, ISR4K
- Data Center: N9K - NX-OS, N7K - NX-OS, N9K - ACI
- Security: ISE 2.3, ASA 55xx, Windows AD

Cisco SD-Access Fabric Large Enterprise Network Design - Traditional Network
Diagram: Traditional DC, VXLAN/ACI Fabric, Internet Edge, Guest WLCs, Internet, Centralized WLC, OTT, Shared Services, Small Internet WAN Site, Large Hybrid WAN Site.
Role / Platform:
- Access Node: Cat3K/9300, Cat4K/9400
- Collapsed Core: Cat6K/9500, N7K
- Centralized WLC: 5520, 3504 (x800 APs)
- WAN HR/MC: ASR1K, ISR4K
- Data Center: N9K - NX-OS, N7K - NX-OS, N9K - ACI
- Security: ISE 2.3, ASA 55xx, Windows AD
Cisco SD-Access Network Design

Cisco SD-Access Fabric Large Enterprise Network Design - Cisco SD-Access Network (one diagram built up over several slides)
Diagram: Traditional DC, VXLAN/ACI Fabric, Internet Edge, Internet, Centralized WLC, OTT, WAN, Shared Services, Fusion Router, WAN Edge, FABRIC with Access Nodes, Large Hybrid WAN Site, Small Hybrid WAN Site. The build adds, in order: the Control-Plane node (C), the DC & Internet Border, and the WAN Border (the WAN Edge becomes a WAN Border).
Role / Platform:
- Access Node: Cat3K/9300, Cat4K/9400
- Distribution Node: Cat3K/9300, Cat4K/9500, Cat6K/9500
- Core Node: Cat6K/9500, N7K, ASR1K-HX
- Centralized WLC: 8540, 5520 (x800 APs)
- WAN HR/MC: ASR1K, ISR4K
- Internet Edge: ASR1K, ISR4K
- Data Center: N9K - NX-OS, N7K - NX-OS, N9K - ACI
- Security: ISE 2.3, ASA 55xx, Windows AD
Border Connectivity Models

Connectivity to external networks in the traditional design

Cisco SD-Access Fabric Large Enterprise Network Design - Traditional Network
Diagram: Traditional DC, VXLAN/ACI Fabric, Internet Edge, Guest WLCs, Internet, Centralized WLC, OTT, Shared Services, Small Internet WAN Site, Large Hybrid WAN Site.
1. Data Center routes are advertised to the Campus Core via the DC Edge switch via BGP/IGP. The Campus Core imports those routes into the enterprise network.
2. The default route for the Internet is advertised to the Campus Core via the Internet Firewall. The Campus Core in return advertises the route to the enterprise network.
3. WAN routes are advertised to the Campus Core via the WAN Edge router via BGP/IGP. The Campus Core imports those routes into the enterprise network.
4. The Guest Anchor WLC in the DMZ is responsible for guest wireless traffic, since the traffic from the enterprise network is directly anchored to it.
Connectivity to external networks in the Cisco SD-Access design using the Border Node

Cisco SD-Access Fabric Large Enterprise Network Design - Cisco SD-Access Network
Diagram: Traditional DC, VXLAN/ACI Fabric, Internet Edge, Internet, Centralized WLC, OTT, WAN, Shared Services, Fusion Router, FABRIC with Access Nodes and Control-Plane node (C), DC & Internet Border, WAN Border, WAN Edge, Large Hybrid WAN Site, Small Hybrid WAN Site.
1. The Data Center and Internet Border needs to be an Anywhere / Internal-External Border, as it has to import the DC routes into the fabric through the fusion router.
2. The Data Center and Internet Border needs to be an Anywhere / Internal-External Border, as it is also the default exit point out of the fabric, aka the "default route".
3. The WAN Border needs to be a Rest of Company / Internal Border, as it has to import the WAN routes into the fabric.
4. There is a separate Guest Border in the fabric for Guest VN traffic only. This Border needs to be an Outside World / External Border, as it is the default exit point out of the fabric, aka the "default route", for the Guest VN.
Why Internal (Rest of Company) vs External (Outside World) Border

Cisco SD-Access - Border Deployment: Why? Internal Traffic with External Borders
Diagram: Edge Node, IP Network, External Border (B), Internet, WAN Edge / WAN-Branch, DC Edge / Data Center.
ALL non-fabric traffic MUST travel to the External (Default) Border. If other internal domains (e.g. WAN or DC) are only reachable via the same IP network, traffic may follow a sub-optimal path (e.g. hairpin).

Cisco SD-Access - Border Deployment: Why? Internal Traffic with Internal Borders
Diagram: Edge Node, IP Network, External Border (Internet), Internal Border (WAN/Branch), Internal Border (Data Center).
Traffic to internal domains will go directly to the Internal Borders. Any external traffic (e.g. Internet) can still exit via the External Border.
Cisco SD-Access Platforms - Fabric Control Plane (for more details: cs.co/sda-compatibility-matrix)
- Catalyst 9300: 1/mG RJ45; 10/25/40/mG NM
- Catalyst 9400: Sup1/Sup1XL; 9400 Cards
- Catalyst 9500: 40/100G QSFP; 1/10/25G SFP

Cisco SD-Access Platforms - Fabric Control Plane (continued)
- Catalyst 3K: Catalyst 3650/3850; 1/mG RJ45; 1/10G SFP; 1/10/40G NM Cards
- Catalyst 6K: Catalyst 6500/6800; Sup2T/Sup6T; C6800 Cards; C6880/6840-X
- ISR 4K & ENCS (NEW): ISR 4430/4450; ISR 4330/4450; ENCS 5400; ISRv / CSRv
- ASR1K: ASR 1000-X; ASR 1000-HX
- Interfaces listed for the routers: 1/10G RJ45; 1/10G SFP

Cisco SD-Access Platforms - Fabric Border Node (for more details: cs.co/sda-compatibility-matrix)
- Catalyst 9300: 1/mG RJ45; 10/25/40/mG NM
- Catalyst 9400: Sup1/Sup1XL; 9400 Cards
- Catalyst 9500: 1/10/25G SFP; 40/100G QSFP

Cisco SD-Access Platforms - Fabric Border Node (continued; * = EXTERNAL ONLY)
- Catalyst 3K: Catalyst 3650/3850; 1/mG RJ45; 1/10G SFP; 1/10/40G NM Cards
- Catalyst 6K: Catalyst 6500/6800; Sup2T/Sup6T; C6800 Cards; C6880/6840-X
- Nexus 7*: Nexus 7700; Sup2E; M3 Cards
- ISR 4K: ISR 4300/4400; AppX (AX); 1/10G RJ45; 1/10G SFP
- ASR 1K: ASR 1000-X/HX; AppX (AX); 1/10G ELC/EPA; 40G ELC/EPA
- Licences also listed on the slide: LAN1K9, MPLS
Cisco SD-Access - Border Deployment: Fabric Border Scale (table; the platform column headers were lost in extraction apart from N7700, ASR1K/ISR4K and CSR1Kv, so the values below are given in extraction order without column assignment)
- Virtual Networks: 64, 256, 256, 256, 256, 500, 500, 4K, n.a.
- SGT/DGT Table: 4K, 8K, 8K, 8K, 8K, 30K, 16K, 62K
- SGACLs (Security ACEs): 1500, 5K, 18K, 18K, 18K, 12K, 30K (XL), 16K, 64K
- Control Plane Entries with Co-Located Border, IPv4 Fabric Routes and IPv4 Fabric Host Entries (rows interleaved in extraction): SUP1 50K / SUP1XL 80K, 25K, Not Supported, 200K / 100K (16GB), 100K / 50K (8GB), 3K, 16K, 8K, 4K, 16K, 16K, 80K, 80K, SUP1 10K / SUP1XL 20K, 48K, 48K, SUP1 50K / SUP1XL 80K, 96K, 96K, 256K, 1M (XL), 500K, 32K, 4M (16GB), 1M (8GB), n.a., n.a., 200K, n.a.

Cisco SD-Access - Border Deployment: Which Border to pick?
- Outside World (External): connects to the unknown part of the company, like the Internet, or is the only exit point from the fabric
- Rest of Company (Internal): connects to the known part of the company, like DC, WAN etc.
- Anywhere (Internal External): connects to the Internet and also to the known part of the company, like DC, WAN etc.

Cisco SD-Access - Border Deployment: Fabric Border Support Matrix (table; columns: SDA Border Node / Rest of Company (Internal) / Outside World (External) / Anywhere (Internal External); most rows were lost in extraction)
- N7K: Internal NO, External YES, Anywhere NO

Cisco SD-Access - Border Deployment: How VNs work in SD-Access
- Fabric Devices (Underlay) connectivity is in the Global Routing Table (GRT)
- INFRA VN is only for Access Points and Extended Nodes, in the GRT
- DEFAULT VN is an actual "User VN" provided by default
- User-Defined VN(s) can be added or removed on-demand
Diagram (scope of fabric, seen from the Border): USER VRF(s) = User-Defined VNs; DEFAULT VN = User VN (for Default); INFRA VN (for APs, Extended Nodes); GRT = Devices (Underlay).
Connectivity to Known Networks like DC & WAN via the Anywhere / Rest of Company Border

Border Deployment Options - Anywhere / Rest of Company Border for Shared Services and DC - VRF-Lite (diagram)
Control-plane: LISP inside the fabric (Control-Plane node C to Border B); BGP between the Border and the Fusion Router; BGP/IGP/ACI from the Fusion Router to Shared Services and the Data Center.
Data-plane: VXLAN inside the fabric; VRF-Lite between the Border and the Fusion Router; IP/MPLS/ACI beyond.

Border Deployment Options - Anywhere / Rest of Company Border WAN Connectivity (diagram)
Control-plane: LISP inside the fabric; OMP/MP-BGP/IGP towards the WAN.
Data-plane: VXLAN inside the fabric; MPLS/IP/IPSEC/DMVPN across the WAN.

Cisco SD-Access Fabric Border Nodes - One Box vs. Two Box
One Box Design
- Internal and External domain routing is on the same device
- Simple design, without any extra configuration between the Border and outside routers
- The Border device will advertise routes to and from the Local Fabric domain to the External Domain
Two Box Design
- Internal and External domain routing are on different devices
- Requires two devices with BGP in between to exchange connectivity and reachability information
- This model is chosen if the Border does not support the functionality (due to hardware or software support on the device) to run the external domain on the same device (e.g. DMVPN, EVPN, etc.)
Border Deployment Options - Anywhere / Rest of Company Border (two diagram-only slides; the diagrams are not transcribed)
Border Deployment Options - Shared Services (DHCP, AAA, etc.) with Border
Hosts in the fabric domain (in their respective Virtual Networks) will need to have access to common "Shared Services":
- Identity Services (e.g. AAA/RADIUS)
- Domain Name Services (DNS)
- Dynamic Host Configuration (DHCP)
- IP Address Management (IPAM)
- Monitoring tools (e.g. SNMP)
- Data Collectors (e.g. Netflow, Syslog)
- Other infrastructure elements
These shared services will generally reside outside of the fabric domain.

Border Deployment Options - Shared Services (DHCP, AAA, etc.) with Border (diagram): Control-Plane node (C) and Border nodes (B) in the fabric; Fusion Router; APIC-EM; VRF/GRT; Shared Services: DHCP / Identity Service, DNS.
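The Virtual Network slide says each VN is a "vrf definition" with RD & RT, and the Shared Services slides say every VN must reach DHCP, DNS and AAA that live outside the fabric, through the Fusion Router over the VRF-Lite hand-off. The security-relevant part is that the leak must be asymmetric: every user VN imports the shared-services routes, but no user VN may end up importing another user VN's routes. The following is an added example, not from the deck and not Cisco code; it models route-target import/export as Python sets. The VN names Campus, IOT and Guest come from the slides; the RD/RT values, the prefixes and the SharedServices VRF name are invented. The same idea is what route-target import/export statements under a vrf definition express on a real fusion router.

```python
"""Toy model of fusion-router route leaking between SD-Access Virtual
Networks and a shared-services VRF, using route targets (RTs). Added
illustration, not Cisco code; RD/RT values and prefixes are invented."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Vrf:
    name: str
    rd: str
    export_rt: Set[str]             # RTs stamped on routes this VRF originates
    import_rt: Set[str]             # RTs this VRF accepts from other VRFs
    local_routes: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class Route:
    prefix: str
    origin_vrf: str
    rts: frozenset


def export_all(vrfs: Dict[str, Vrf]) -> List[Route]:
    """Each VRF tags its own prefixes with its export RTs (like MP-BGP VPNv4)."""
    return [Route(p, v.name, frozenset(v.export_rt))
            for v in vrfs.values() for p in v.local_routes]


def build_rib(vrfs: Dict[str, Vrf], routes: List[Route]) -> Dict[str, Set[str]]:
    """A VRF installs a route if it originated it or shares an RT with it."""
    rib: Dict[str, Set[str]] = {name: set() for name in vrfs}
    for v in vrfs.values():
        for r in routes:
            if r.origin_vrf == v.name or (r.rts & v.import_rt):
                rib[v.name].add(r.prefix)
    return rib


def can_reach(rib: Dict[str, Set[str]], src_vrf: str, dst_prefix: str) -> bool:
    return dst_prefix in rib[src_vrf]


SHARED_RT = "65000:100"   # invented: exported by SharedServices, imported by user VNs


def shared_services_fabric() -> Dict[str, Vrf]:
    """Correct design: user VNs import only the shared RT and export only their own."""
    return {
        "Campus": Vrf("Campus", "65000:1", {"65000:1"}, {SHARED_RT}, ["10.1.0.0/16"]),
        "IOT":    Vrf("IOT",    "65000:2", {"65000:2"}, {SHARED_RT}, ["10.2.0.0/16"]),
        "Guest":  Vrf("Guest",  "65000:3", {"65000:3"}, {SHARED_RT}, ["10.3.0.0/16"]),
        # SharedServices imports every user VN so DHCP/DNS/AAA replies can route back.
        "SharedServices": Vrf("SharedServices", "65000:100", {SHARED_RT},
                              {"65000:1", "65000:2", "65000:3"}, ["172.16.10.0/24"]),
    }


def misconfigured_fabric() -> Dict[str, Vrf]:
    """Common mistake: user VNs also *export* the shared RT. Because every user VN
    imports that RT, Campus, IOT and Guest now see each other's prefixes and the
    VN isolation the fabric was built for silently disappears."""
    vrfs = shared_services_fabric()
    for v in vrfs.values():
        if v.name != "SharedServices":
            v.export_rt.add(SHARED_RT)
    return vrfs


def leaked_between_user_vns(vrfs: Dict[str, Vrf]) -> List[str]:
    """Audit helper: list 'src sees dst-prefix' for any user VN pair. Empty is good."""
    rib = build_rib(vrfs, export_all(vrfs))
    users = [v for v in vrfs.values() if v.name != "SharedServices"]
    return [f"{a.name} sees {p}" for a in users for b in users if a is not b
            for p in b.local_routes if can_reach(rib, a.name, p)]


if __name__ == "__main__":
    print("correct design leaks:", leaked_between_user_vns(shared_services_fabric()))
    print("misconfigured leaks:", leaked_between_user_vns(misconfigured_fabric()))
```

The audit function is the check worth keeping: after changing RT policy on the fusion router, confirm that no user VN can see another user VN's prefixes, while each still sees the shared-services prefix.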
Border Deployment Options - Data Center Connectivity with Border - Traditional DC (diagram)
Control-plane (1): LISP inside the fabric; BGP/IGP from the Border via the Fusion Router to the Traditional Data Center.
Data-plane (2): VXLAN with SGT inside the fabric; VRF-Lite towards the Data Center.

Border Deployment Options - Policy Options for Shared Services and Traditional Data Center (diagram): Control-Plane Node (C); addresses 5.1.1.1/32, 10.1.1.1/24, 1.1.1.1/32.