LAN Automation is designed to onboard switches for use in an SD-Access network either in a fabric role or as an intermediate device between fabric nodes. The distribution and collapsed core layers are no longer required to service the Layer 2 adjacency and Layer 2 redundancy needs with the boundary shifted. Route-targets under the VRF configuration are used to leak between the fabric VNs and the shared services VRF. 0 introduced VRF-lite support. ● Border Node with MP-BGP Peer— A VRF is handed off via a VLAN to a peer supporting multiprotocol BGP such as MPLS provider.
The result is that there is little flexibility in controlling the configuration on the upstream infrastructure. SGTs can permit or deny this communication within a given VN. SSM—Source-Specific Multicast (PIM). SD-Access topologies should follow the same design principles and best practices associated with a hierarchical design, such as splitting the network into modular blocks and distribution of function, as described in the Campus LAN and Wireless LAN Design Guide. High availability in this design is provided through StackWise-480 or StackWise Virtual, which both combine multiple physical switches into a single logical switch. Border nodes of the same type, such as internal and external, should be fully meshed. All Catalyst 9000 Series switches support the SD-Access Embedded Wireless functionality except for the Catalyst 9200, 9200L, and 9600 Series Switches. The access layer is the edge of the campus. Like security contexts, each VN in the fabric can be mapped to a separate security zone to provide separation of traffic once it leaves the fabric site. The SD-Access fabric edge nodes are the equivalent of an access layer switch in a traditional campus LAN design.
This type of connection effectively merges the fabric VN routing tables onto a single table (generally GRT) on the peer device. Migration is done, at minimum, one switch at a time. Non-VRF aware means that the peer router is not performing VRF-lite. NFV—Network Functions Virtualization. Unified policy is a primary driver for the SD-Access solution. The border node references the embedded option 82 information and directs the DHCP offer back to the correct fabric edge destination. These include contexts, interface-specific ACL, and security-levels (ASA), instances, and security zones (FTD). Fabric in a Box Design. The data plane traffic and control plane signaling are contained within each virtualized network, maintaining isolation among the networks and an independence from the underlay network. SXP—Scalable Group Tag Exchange Protocol. The External RP address must be reachable in the VN routing table on the border nodes. The relay agent sets the gateway address (giaddr field of the DHCP packet) as the IP address of the SVI the DHCP packet was received on. If enforcement is done at the routing infrastructure, CMD is used to carry the SGT information inline from the border node. For example, consider if the subnet assigned for development servers is also defined as the critical VLAN.
When designing for a multi-site fabric that uses an IP-based transit between sites, consideration must be taken if a unified policy is desired between the disparate locations. An RP can be active for multiple multicast groups, or multiple RPs can be deployed to each cover individual groups. In Centralized WLC deployment models, WLCs are placed at a central location in the enterprise network. The result is a simpler overall network configuration and operation, dynamic load balancing, faster convergence, and a single set of troubleshooting tools such as ping and traceroute. Implement the point-to-point links using optical technology as optical (fiber) interfaces are not subject to the same electromagnetic interference (EMI) as copper links.
For consistency with the interface automation of the discovered devices, BFD should be enabled on this cross-link between the seeds, CLNS MTU should be set to 1400, PIM sparse-mode should be enabled, and the system MTU set to 9100. CEF—Cisco Express Forwarding. A second source means another twenty-five unicast replications. The fabric encapsulation also carries scalable group information used for traffic segmentation inside the overlay VNs. The overlay or the underlay can be used as the transport for multicast as described in the Forwarding section. The selected platform should support the number of VNs used in the fabric site that will require access to shared services. SM—Sparse-mode (multicast).
● NSF—Non-stop forwarding, or graceful restart, works with SSO (stateful switchover) to provide continued forwarding of packets in the event of a route processor (RP) switchover. DHCP—Dynamic Host Configuration Protocol. The SD-Access network platform should be chosen based on the capacity and capabilities required by the network, considering the recommended functional roles. Physical geography impacts the network design. The Enterprise Campus is traditionally defined with a three-tier hierarchy composed of the Core, Distribution, and Access Layers. IDF—Intermediate Distribution Frame; essentially a wiring closet. DORA—Discover, Offer, Request, ACK (DHCP Process).
SD-Access networks start with the foundation of a well-designed, highly available Layer 3 routed access foundation. It is represented by a check box in the LAN Automation workflow as shown in the following figure. As campus network designs utilize more application-based services, migrate to controller-based WLAN environments, and continue to integrate more sophisticated Unified Communications, it is essential to integrate these services into the campus smoothly while providing for the appropriate degree of operational change management and fault isolation. It is also recommended that ICMP Type 3, Code 4 is permitted end to end throughout the network to allow requisite application control communication to take place for non-TCP MTU reduction. Once the LAN Automation session is stopped, the IP address on VLAN 1 is removed. The assignment to this overlay virtual network allows management simplification by using a single subnet to cover the AP infrastructure at a fabric site. The multicast forwarding logic operates the same across the Layer 2 handoff border node as it does in the fabric, as described in the multicast Forwarding section, and the traditional network will flood multicast packets using common Layer 2 operations. Flexible Ethernet Foundation for Growth and Scale. In networking, an overlay (or tunnel) provides this logical full-mesh connection. Latency between 100ms and 200ms is supported, although longer execution times could be experienced for certain functions including Inventory Collection, Fabric Provisioning, SWIM, and other processes that involve interactions with the managed devices. Like VRFs, segmentation beyond the fabric site has multiple variations depending on the type of transit. 1 Design Guide, Chapter: Cisco Unified Wireless Technology and Architecture, Centralized WLC Deployment: Firepower Management Center Configuration Guide, Version 6.
A patient's mobile device, when compromised by malware, can change network communication behavior to propagate and infect other endpoints.
VXLAN—Virtual Extensible LAN. Control Plane, Data Plane, Policy Plane, and Management Plane Technologies. While all of this can come together in an organized, deterministic, and accurate way, there is much overhead involved both in protocols and administration, and ultimately, spanning-tree is the protocol pulling all the disparate pieces together. ● Endpoint identifiers (EID)—The endpoint identifier is an address used for numbering or identifying an endpoint device in the network. LAG—Link Aggregation Group.
In Figure 26, if the seed devices are the core layer, then the Distribution 1 and Distribution 2 devices can be discovered and configured through LAN Automation. If this latency requirement is met through dedicated dark fiber or other very low latency circuits between the physical sites and the WLCs deployed physically elsewhere, such as in a centralized data center, WLCs and APs may be in different physical locations as shown later in Figure 42. PoE+—Power over Ethernet Plus (IEEE 802. The number of intermediate nodes is not limited to a single layer of devices. SD-Access Fabric Roles and Terminology. ● IGP process for the fabric—While IS-IS is recommended and required for LAN Automation, as described below, other classless routing protocols such as OSPF and EIGRP are supported and are both ECMP and NSF-aware. 11ac Wave 2 APs associated with the fabric WLC that have been configured with one or more fabric-enabled SSIDs. The external border nodes connect to the Internet and to the rest of the Campus network.
Design elements should be created that can be replicated throughout the network by using modular designs. One-box method designs require the border node to be a routing platform in order to support the applicable protocols. This ensures that phones will have network access whether the RADIUS server is available or not. The WLCs are connected to the services block using link aggregation. As discussed in the Fabric Overlay Design section, SD-Access creates segmentation in the network using two methods: VRFs (Virtual networks) for macro-segmentation and SGTs (Group-Based Access Control) for micro-segmentation. The control plane node is used for LISP control plane queries, although it is not in the direct data forwarding path between devices. With this behavior, both PIM-SSM and PIM-ASM can be used in the overlay.
● Cisco ISE must be deployed with a version compatible with Cisco DNA Center. SD-Access LAN Automation Device Support. For example, Catalyst 6000 series switches are not supported as border nodes connected to SD-Access transits and do not support SD-Access Embedded Wireless. While it is technically feasible for this device to operate in multiple roles (such as a border node with Layer 3 handoff and control plane node), it is strongly recommended that a dedicated device be used. For redundancy, it is recommended to deploy two control plane nodes to ensure high availability of the fabric site, as each node contains a copy of control plane information acting in an Active/Active state. Avoid overlapping address space so that the additional operational complexity of adding a network address translation (NAT) device is not required for shared services communication. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. In non-fabric wireless deployments, wired and wireless traffic have different enforcement points in the network. The headquarters (HQ) location has direct internet access, and one of the fabric sites (Fabric Site-A) has connections to the Data Center where shared services are deployed. This relationship is called an EID-to-RLOC mapping. Virtual networks, target fewer than. Any encapsulation method is going to create additional MTU (maximum transmission unit) overhead on the original packet. ● LAN Automation for deployment—The configuration of the underlay can be orchestrated by using LAN Automation services in Cisco DNA Center.
Firewall – Security-Levels. Inline tagging is the process where the SGT is carried within a special field known as CMD (Cisco Meta Data) that can be inserted in the header of the Ethernet frame. As a wired host, access points have a dedicated EID-space and are registered with the control plane node.