Cisco SD-Access

Transcription

Cisco SD-Access: Connecting to the Data Center, Firewall, WAN and More!
Vedran Hafner, vehafner@cisco.com, Systems Engineer Manager

Agenda
- Introduction to Cisco SD-Access: Fabric Roles and Constructs
- Enterprise Network Design: Traditional vs Cisco SD-Access Network Design; Border Design Options
- Border Connectivity Models: Connecting to internal networks like DC & WAN; Connecting to external networks like Internet & Cloud
- Small Enterprise Network Design: Traditional vs Cisco SD-Access Network Design; Border Design Options
- Conclusion

Fabric Roles and Constructs

Cisco SD-Access: Fabric Roles & Terminology
[Diagram: Cisco DNA Center (Cisco DNA Automation / NCP, Identity Services / ISE, Cisco DNA Assurance / NDP) above a Campus Fabric made up of Control-Plane Nodes (C), Fabric Border Nodes (B), Fabric Edge Nodes, Intermediate Nodes (Underlay) and a Fabric Wireless Controller]
- Cisco DNA Automation: provides simple GUI management and intent-based automation (e.g. NCP) and context sharing
- Identity Services: NAC & ID systems (e.g. ISE) for dynamic Endpoint-to-Group mapping and policy definition
- Cisco DNA Assurance: data collectors (e.g. NDP) analyze Endpoint-to-App flows and monitor fabric status
- Control-Plane Nodes: map system that manages Endpoint-to-Device relationships
- Fabric Border Nodes: a fabric device (e.g. Core) that connects external L3 network(s) to the SDA Fabric
- Fabric Edge Nodes: a fabric device (e.g. Access or Distribution) that connects wired endpoints to the SDA Fabric
- Fabric Wireless Controller: a fabric device (WLC) that connects APs and wireless endpoints to the SDA Fabric

Cisco SD-Access: Fabric Terminology
[Diagram: Overlay Network with its Overlay Control Plane; Encapsulation between two Edge Devices; Hosts (End-Points) attached to the Edge Devices; Underlay Network with its Underlay Control Plane]

Cisco SD-Access Fabric: Control-Plane Nodes - A Closer Look
Control-Plane Node runs a Host Tracking Database to map location information
- A simple Host Database that maps Endpoint IDs to a current location, along with other attributes
- Host Database supports multiple types of Endpoint ID lookup (IPv4, IPv6 or MAC)
- Receives Endpoint ID map registrations from Edge and/or Border Nodes for "known" IP prefixes
- Resolves lookup requests from Edge and/or Border Nodes, to locate destination Endpoint IDs
[Diagram: Control-Plane node (C) with Border nodes (B) toward Known Networks and Unknown Networks]

Cisco SD-Access Fabric: Edge Nodes - A Closer Look
Edge Node provides first-hop services for users / devices connected to a Fabric
- Responsible for identifying and authenticating endpoints (e.g. Static, 802.1X, Active Directory)
- Registers specific Endpoint ID info (e.g. /32 or /128) with the Control-Plane Node(s)
- Provides an Anycast L3 Gateway for the connected endpoints (same IP address on all Edge nodes)
- Performs encapsulation / de-encapsulation of data traffic to and from all connected endpoints
[Diagram: Control-Plane node (C) with Border nodes (B) toward Known Networks and Unknown Networks]

Cisco SD-Access Fabric: Border Nodes
Border Node is an entry & exit point for data traffic going into & out of a Fabric. There are 3 types of Border Node!
- Rest of Company/Internal Border: used for "known" routes inside your company
- Outside World/External Border: used for "unknown" routes outside your company
- Anywhere/External Internal Border: used for "known" and "unknown" routes for your company
[Diagram: Control-Plane node (C) with Border nodes (B) toward Known Networks and Unknown Networks]

Cisco SD-Access Fabric: Border Nodes - Rest of Company/Internal
Rest of Company/Internal Border advertises endpoints to outside, and known subnets to inside
- Connects to any "known" IP subnets available from the outside network (e.g. DC, WLC, FW, etc.)
- Exports all internal IP Pools to outside (as aggregate), using a traditional IP routing protocol(s)
- Imports and registers (known) IP subnets from outside, into the Control-Plane Map System, except the default route
- Hand-off requires mapping the context (VRF & SGT) from one domain to another
[Diagram: Control-Plane node (C) with Border nodes (B) toward Known Networks and Unknown Networks]

Cisco SD-Access Fabric: Border Nodes - Forwarding from Fabric to External Domain
[Diagram: source S (10.1.1.1) in Campus Bldg 1 (10.1.1.0/24) resolves the DNS entry D.abc.com A 192.1.1.1 and sends to destination D 192.1.1.1 behind the Border; the Control-Plane nodes return the map-cache entry EID-prefix 192.1.1.0/24, locator 2.1.1.1, priority 1, weight 100 (D1); path preference is controlled by the destination; Campus Bldg 2 is 10.3.0.0/24]

Cisco SD-Access Fabric: Border Nodes - Forwarding from External to Fabric Domain
[Diagram: source S 192.1.1.1 outside the fabric sends to destination D 10.1.1.1 in Campus Bldg 1 (10.1.1.0/24); Routing Entry (1): send traffic to the exit point of the domain (Internal Border); Mapping Entry (2): EID-prefix 10.1.1.1/32, locator-set 1.1.1.1, priority 1, weight 100 (D1); path preference is controlled by the destination site; Campus Bldg 2 is 10.3.0.0/24]

Cisco SD-Access Fabric: Border Nodes - Outside World/External
Outside World/External Border is a "Gateway of Last Resort" for any unknown destinations
- Connects to any "unknown" IP subnets, outside of the network (e.g. Internet, Public Cloud)
- Exports all internal IP Pools outside (as aggregate) into traditional IP routing protocol(s)
- Does NOT import any routes! It is a "default" exit, if no entry is available in the Control-Plane
- Hand-off requires mapping the context (VRF & SGT) from one domain to another
[Diagram: Control-Plane node (C) with Border nodes (B) toward Known Networks and Unknown Networks]

Cisco SD-Access Fabric: Border Nodes - Forwarding from Fabric to External Domain
[Diagram: source S 10.2.0.1 in Campus Bldg 1 (10.2.0.0/24) sends to Internet destination 93.3.0.1; the Control-Plane nodes have no entry: EID-Prefix not found, map-cache Locator-Set (use-petr) 3.1.1.1, priority 1, weight 100 (D1); Campus Bldg 2 is 10.3.0.0/24]

Cisco SD-Access Fabric: Border Nodes - Anywhere/Internal External Border
Anywhere/Internal External Border is a "one for all" exit point for any known and unknown destinations
- Connects to any "unknown" IP subnets outside of the network (e.g. Internet, Public Cloud) and to "known" IP subnets available from the outside network (e.g. DC, WLC, FW, etc.)
- Imports and registers (known) IP subnets from outside, into the Control-Plane Map System, except the default route
- Exports all internal IP Pools outside (as aggregate) into traditional IP routing protocol(s)
[Diagram: Control-Plane node (C) with Border nodes (B) toward Known Networks and Unknown Networks]
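The three border types and the two forwarding cases on the slides above (map-cache hit for a known prefix, use-petr fallback for an unknown one) can be tried out with the following constructed Python model. It is an added example, not Cisco code or anything from this deck; the RLOCs, prefixes and the `Border`/`ControlPlaneNode` classes are made up for illustration, and locator priority/weight is not modelled.

```python
"""Constructed model of SD-Access border behaviour and the edge-node map lookup.
Not Cisco code; RLOCs and prefixes are made-up sample values."""
import ipaddress

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


class ControlPlaneNode:
    """Host Tracking Database: EID prefix -> RLOC of the node that registered it."""

    def __init__(self):
        self.db = {}       # ipaddress network -> RLOC (locator) string
        self.petr = None   # locator used when no entry exists (the default-exit border)

    def register(self, prefix, rloc):
        self.db[ipaddress.ip_network(prefix)] = rloc

    def lookup(self, dst):
        """Longest-prefix match on the map system; fall back to the PETR if no entry."""
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.db if addr in n]
        if matches:
            best = max(matches, key=lambda n: n.prefixlen)
            return {"eid_prefix": str(best), "rloc": self.db[best], "via": "map-cache"}
        if self.petr is None:
            return None    # no entry and no default exit: the packet has nowhere to go
        return {"eid_prefix": "not found", "rloc": self.petr, "via": "use-petr"}


class Border:
    """kind -> (imports known outside prefixes?, acts as gateway of last resort?)"""

    KINDS = {"internal": (True, False), "external": (False, True), "anywhere": (True, True)}

    def __init__(self, kind, rloc, cp):
        self.imports_known, self.default_exit = self.KINDS[kind]
        self.rloc, self.cp = rloc, cp
        if self.default_exit:
            cp.petr = rloc

    def receive_outside_routes(self, routes):
        """Routes learned from the fusion router over BGP/IGP. The default route is never
        imported into the map system, and the External type imports nothing at all."""
        imported = []
        if self.imports_known:
            for r in routes:
                net = ipaddress.ip_network(r)
                if net != DEFAULT_ROUTE:
                    self.cp.register(str(net), self.rloc)
                    imported.append(str(net))
        return imported


def build_sample_fabric():
    """Edge registers one host; DC border is Internal, Internet border is External."""
    cp = ControlPlaneNode()
    cp.register("10.1.1.1/32", "1.1.3.1")    # edge node registers a /32 host entry
    dc = Border("internal", "1.1.1.1", cp)
    inet = Border("external", "3.1.1.1", cp)
    dc.receive_outside_routes(["192.1.1.0/24", "0.0.0.0/0"])
    inet.receive_outside_routes(["0.0.0.0/0", "172.16.0.0/12"])
    return cp
```

Building a fabric with only an External border and feeding it the DC prefixes shows the hairpin case: the DC prefix never enters the map system, so the lookup falls through to use-petr.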

Cisco SD-Access Fabric: Virtual Network - A Closer Look
Virtual Network maintains a separate Routing & Switching table for each instance
- Control-Plane uses Instance ID to maintain separate VRF topologies ("Default" VRF is Instance ID "4098")
- Nodes add a VNID to the Fabric encapsulation
- Endpoint ID prefixes (Host Pools) are routed and advertised within a Virtual Network
- Uses standard "vrf definition" configuration, along with RD & RT for remote advertisement (Border Node)
[Diagram: Virtual Networks Campus, IOT and Guest spanning the Control-Plane node (C) and Border nodes (B) toward Known Networks and Unknown Networks]

Enterprise Network Design

Traditional Network Design

Cisco SD-Access Fabric: 3-Tier Enterprise Network Design - Traditional Network
[Diagram: Internet Edge, Internet, Centralized WLC, OTT WAN, Shared Services, Large Hybrid WAN Site, Small Hybrid WAN Site]
Role | Platform
Access Node | Cat3K/9300, Cat4K/9400
Distribution Node | Cat3K/9300, Cat4K/9500, Cat6K/9500
Core Node | Cat6K/9500, N7K, ASR1K-HX
Centralized WLC | 8540, 5520, x800 APs
WAN HR/MC | ASR1K, ISR4K
Internet Edge | ASR1K, ISR4K
Data Center | N9K - NX-OS, N7K - NX-OS, N9K - ACI
Security | ISE 2.3, ASA 55xx, Windows AD

Cisco SD-Access Fabric: Large Enterprise Network Design - Traditional Network
[Diagram: Traditional DC, VXLAN/ACI Fabric, Internet Edge, Guest WLCs, Internet, Centralized WLC, OTT, Shared Services, Small Hybrid WAN Site, Internet WAN Site, Large Hybrid WAN Site]
Role | Platform
Access Node | Cat3K/9300, Cat4K/9400
Collapsed Core | Cat6K/9500, N7K
Centralized WLC | 5520, 3504, x800 APs
WAN HR/MC | ASR1K, ISR4K
Data Center | N9K - NX-OS, N7K - NX-OS, N9K - ACI
Security | ISE 2.3, ASA 55xx, Windows AD

Cisco SD-Access Network Design

Cisco SD-Access Fabric: Large Enterprise Network Design - Cisco SD-Access Network
[Diagram, built up over five slides: Traditional DC, VXLAN/ACI Fabric and Internet Edge connect through a Fusion Router to the FABRIC; Internet, Centralized WLC, OTT WAN and Shared Services; successive slides add the labels WAN Edge, Access Nodes, a Control-Plane node (C), DC & Internet Border and finally WAN Border in place of WAN Edge; Large Hybrid WAN Site and Small Hybrid WAN Site]
Role | Platform
Access Node | Cat3K/9300, Cat4K/9400
Distribution Node | Cat3K/9300, Cat4K/9500, Cat6K/9500
Core Node | Cat6K/9500, N7K, ASR1K-HX
Centralized WLC | 8540, 5520, x800 APs
WAN HR/MC | ASR1K, ISR4K
Internet Edge | ASR1K, ISR4K
Data Center | N9K - NX-OS, N7K - NX-OS, N9K - ACI
Security | ISE 2.3, ASA 55xx, Windows AD

Border Connectivity Models

Connectivity to external networks in the traditional design

Cisco SD-Access Fabric: Large Enterprise Network Design - Traditional Network
[Diagram, repeated on four slides with call-outs 1-4: Traditional DC, VXLAN/ACI Fabric, Internet Edge, Guest WLCs, Internet, Centralized WLC, OTT, Shared Services, Small Hybrid WAN Site, Internet WAN Site, Large Hybrid WAN Site]
1. Data Center routes are advertised to the Campus Core via the DC Edge switch via BGP/IGP. The Campus Core imports those routes into the enterprise network.
2. The default route for the Internet is advertised to the Campus Core via the Internet Firewall. The Campus Core in return advertises the route to the enterprise network.
3. WAN routes are advertised to the Campus Core via the WAN Edge router via BGP/IGP. The Campus Core imports those routes into the enterprise network.
4. The Guest Anchor WLC in the DMZ is responsible for guest wireless traffic, since the traffic from the enterprise network is directly anchored to it.

Connectivity to external networks in the Cisco SD-Access design using the Border Node

Cisco SD-Access Fabric: Large Enterprise Network Design - Cisco SD-Access Network
[Diagram, repeated on four slides with call-outs 1-4: Traditional DC, VXLAN/ACI Fabric, Internet Edge, Internet, Centralized WLC, OTT WAN, Shared Services, Fusion Router, FABRIC with DC & Internet Border, WAN Border, a Control-Plane node (C) and Access Nodes, Large Hybrid WAN Site, Small Hybrid WAN Site]
1. The Data Center and Internet Border needs to be an Anywhere/Internal External Border, as it has to import the DC routes into the fabric through the fusion router.
2. The Data Center and Internet Border needs to be an Anywhere/Internal External Border, as it is also the default exit point out of the fabric, aka the "default route".
3. The WAN Border needs to be a Rest of Company/Internal Border, as it has to import the WAN routes into the fabric.
4. There is a separate Guest Border in the fabric for Guest VN traffic only. This Border needs to be an Outside World/External Border, as it is the default exit point out of the fabric, aka the "default route", for the Guest VN.

Why Internal (Rest of Company) vs External (Outside World) Border

Cisco SD-Access - Border Deployment: Why? Internal Traffic with External Borders
[Diagram: Edge Node -> IP Network -> External Border (B) -> Internet; the WAN Edge (WAN/Branch) and the DC Edge (Data Center) hang off the same IP network]
ALL non-fabric traffic MUST travel to the External (Default) Border. If other internal domains (e.g. WAN or DC) are only reachable via the same IP network, traffic may follow a sub-optimal path (e.g. hairpin).

Cisco SD-Access - Border Deployment: Why? Internal Traffic with Internal Borders
[Diagram: Edge Node -> IP Network; External Border (B) -> Internet; Internal Border (B) -> WAN/Branch; Internal Border (B) -> Data Center]
Traffic to internal domains will go directly to the Internal Borders. Any external traffic (e.g. Internet) can still exit via the External Border.

Cisco SD-Access Platforms: Fabric Control Plane (for more details: cs.co/sda-compatibility-matrix)
- Catalyst 9300: 1/mG RJ45, 10/25/40/mG NM
- Catalyst 9400: Sup1/Sup1XL, 9400 Cards
- Catalyst 9500: 40/100G QSFP, 1/10/25G SFP

Cisco SD-Access Platforms: Fabric Control Plane (for more details: cs.co/sda-compatibility-matrix)
- Catalyst 3K: Catalyst 3650/3850, 1/mG RJ45, 1/10G SFP, 1/10/40G NM Cards
- Catalyst 6K: Catalyst 6500/6800, Sup2T/Sup6T, C6800 Cards, C6880/6840-X
- ISR 4K & ENCS: ISR 4430/4450, ISR 4330/4450, ENCS 5400, ISRv / CSRv
- ASR1K (NEW): ASR 1000-X, ASR 1000-HX, 1/10G RJ45, 1/10G SFP

Cisco SD-Access Platforms: Fabric Border Node (for more details: cs.co/sda-compatibility-matrix)
- Catalyst 9300: 1/mG RJ45, 10/25/40/mG NM
- Catalyst 9400: Sup1/Sup1XL, 9400 Cards
- Catalyst 9500: 1/10/25G SFP, 40/100G QSFP

Cisco SD-Access Platforms: Fabric Border Node (* external only) (for more details: cs.co/sda-compatibility-matrix)
- Catalyst 3K: Catalyst 3650/3850, 1/mG RJ45, 1/10G SFP, 1/10/40G NM Cards
- Catalyst 6K: Catalyst 6500/6800, Sup2T/Sup6T, C6800 Cards, C6880/6840-X
- Nexus 7*: Nexus 7700, Sup2E, M3 Cards
- ISR 4K: ISR 4300/4400, AppX (AX), LAN1K9, 1/10G RJ45, 1/10G SFP
- ASR 1K: ASR 1000-X/HX, AppX (AX), MPLS, 1/10G ELC/EPA, 40G ELC/EPA

Cisco SD-Access - Border Deployment: Fabric Border scale comparison
[Table: per-platform scale figures (columns include N7700, ASR1K / ISR4K and CSR1Kv) for the rows Virtual Networks, SGT/DGT Table, SGACLs (Security ACEs), Control Plane Entries with Co-Located Border, IPv4 Fabric Routes and IPv4 Fabric Host Entries; the individual values are not legible in the transcription]

Cisco SD-Access - Border Deployment: Which Border to pick?
- Outside World (External): connects to the unknown part of the company, like the Internet, or is the only exit point from the fabric
- Rest of Company (Internal): connects to the known part of the company, like DC, WAN etc.
- Anywhere (Internal External): connects to the Internet and also to the known part of the company, like DC, WAN etc.

Cisco SD-Access - Border Deployment: Fabric Border Support Matrix
[Table: SDA Border Node vs Rest of Company (Internal) / Outside World (External) / Anywhere (Internal External); only the N7K row is legible in the transcription: Internal NO, External YES, Anywhere NO]

Cisco SD-Access - Border Deployment: How VNs work in SD-Access
- Fabric devices (underlay) connectivity is in the Global Routing Table (GRT)
- INFRA VN is only for Access Points and Extended Nodes, in the GRT
- DEFAULT VN is an actual "User VN" provided by default
- User-Defined VNs can be added or removed on demand
[Diagram: Scope of Fabric, terminating on the Border: User-Defined VN(s) -> USER VRF(s); User VN (for Default) -> DEFAULT VN; VN (for APs, Extended Nodes) -> INFRA VN; Devices (Underlay) -> GRT]

Connectivity to Known Networks like DC & WAN via the Anywhere/Rest of Company Border

Border Deployment Options: Anywhere/Rest of Company for Shared Services and DC - VRF-Lite
[Diagram: Control-plane: LISP inside the fabric (C, B), BGP between the Border (B) and the Fusion Router, BGP/IGP/ACI toward Shared Services and the Data Center; Data-plane: VXLAN inside the fabric, VRF-Lite to the Fusion Router, IP/MPLS/ACI beyond it]

Border Deployment Options: Anywhere/Rest of Company Border WAN Connectivity
[Diagram: Control-plane: LISP inside the fabric (C, B), OMP/MP-BGP/IGP toward the WAN; Data-plane: VXLAN inside the fabric, MPLS/IP/IPSEC/DMVPN across the WAN]

Cisco SD-Access Fabric: Border Nodes - One Box vs. Two Box
One Box Design
- Internal and external domain routing is on the same device
- Simple design, without any extra configuration between the Border and outside routers
- The Border device will advertise routes to and from the local fabric domain to the external domain
Two Box Design
- Internal and external domain routing are on different devices
- Requires two devices with BGP in between to exchange connectivity and reachability information
- This model is chosen if the Border does not support the functionality (this can be due to hardware or software support on the device) to run the external domain on the same device (e.g. DMVPN, EVPN, etc.)
[Diagram: one Border (B) facing OUT directly, versus a Border (B) peering with a second device that faces OUT]

Border Deployment Options: Anywhere/Rest of Company Border
[Two diagram-only slides]

Border Deployment Options: Shared Services (DHCP, AAA, etc.) with Border
Hosts in the fabric domain (in their respective Virtual Networks) will need to have access to common "Shared Services":
- Identity Services (e.g. AAA/RADIUS)
- Domain Name Services (DNS)
- Dynamic Host Configuration (DHCP)
- IP Address Management (IPAM)
- Monitoring tools (e.g. SNMP)
- Data Collectors (e.g. Netflow, Syslog)
- Other infrastructure elements
These shared services will generally reside outside of the fabric domain.

Border Deployment Options: Shared Services (DHCP, AAA, etc.) with Border
[Diagram: Control-Plane node (C) and Border nodes (B) connect through a Fusion Router (VRF/GRT) to the Shared Services: APIC-EM, DHCP / Identity Service, DNS]

Border Deployment Options: Data Center Connectivity with Border - Traditional DC
[Diagram: Control-plane (1): LISP inside the fabric, BGP/IGP from the Border nodes (B) through the Fusion Router to the Traditional Data Center; Data-plane (2): VXLAN with SGT inside the fabric, VRF-Lite to the Fusion Router]
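The "vrf definition" with RD & RT from the Virtual Network slide, the shared-services requirement and the VRF-Lite hand-off to the fusion router above come together in the following constructed Python model of route-target based leaking. It is an added example, not Cisco code or configuration from this deck; the VRF names, RD/RT values, prefixes and the `isolation_violations` check are made up for illustration.

```python
"""Constructed model of the RD/RT route leaking a fusion router performs between
VRF-Lite neighbours: shared services reach every user VN, user VNs stay apart.
Not Cisco code; VRF names, RD/RT values and prefixes are made-up."""
from dataclasses import dataclass, field


@dataclass
class Vrf:
    name: str
    rd: str                                      # route distinguisher, as in "vrf definition"
    export_rt: set = field(default_factory=set)  # route-targets stamped on exported routes
    import_rt: set = field(default_factory=set)  # route-targets this VRF accepts
    local_routes: set = field(default_factory=set)


def leak_routes(vrfs):
    """Return {vrf_name: {prefix: origin_vrf}}: each VRF's table after RT-based import,
    mirroring what the fusion router's VPNv4 table does between its VRF-Lite peers."""
    exported = [(v.name, pfx, v.export_rt) for v in vrfs for pfx in v.local_routes]
    tables = {}
    for v in vrfs:
        table = dict.fromkeys(v.local_routes, v.name)
        for origin, pfx, rts in exported:
            if origin != v.name and rts & v.import_rt:
                table.setdefault(pfx, origin)    # a local route wins over an imported one
        tables[v.name] = table
    return tables


def isolation_violations(tables, user_vns):
    """Pairs (a, b) of user VNs where a's table carries a route originated by b.
    An empty list means the fusion router leaks nothing between user VNs."""
    return [(a, b) for a in user_vns for b in user_vns
            if a != b and b in tables[a].values()]


def build_sample(guest_import_rt=frozenset({"65000:1"})):
    """Shared-services VRF exports 65000:1 and imports every user VN's RT;
    each user VN exports its own RT and should import only 65000:1."""
    shared = Vrf("SHARED_SERVICES", "65000:1", {"65000:1"}, {"65000:100", "65000:200"},
                 {"10.10.0.0/24"})              # DHCP / DNS / ISE subnet
    campus = Vrf("CAMPUS", "65000:100", {"65000:100"}, {"65000:1"}, {"10.1.0.0/16"})
    guest = Vrf("GUEST", "65000:200", {"65000:200"}, set(guest_import_rt), {"10.2.0.0/16"})
    return leak_routes([shared, campus, guest])
```

Calling `build_sample({"65000:1", "65000:100"})` reproduces the common misconfiguration where the Guest VRF also imports the Campus RT, and `isolation_violations` then reports the Guest-to-Campus leak.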

Border Deployment Options: Policy Options for Shared Services and Traditional Data Center
[Diagram: Control-Plane Node (C) with the sample prefixes 5.1.1.1/32, 10.1.1.1/24 and 1.1.1.1/32]
