BRKCRS-2821

Cisco SD-Access Connecting to the Data Center, Firewall, WAN and More!

Satish Kondalam, Technical Marketing Engineer

Session Abstract

This session introduces best practices for design and deployment when connecting from the fabric to external networks, along with decision criteria for the different deployment models. The Cisco SD-Access Border node is responsible for connecting the fabric to the rest of the world, so we focus on the connectivity models the border node provides and discuss the various designs along with scale and platform support. We also include a demo for every design and deployment model discussed during the presentation. This session focuses on how the Cisco SD-Access architecture connects your campus to the following, and how end-to-end policy is enforced between them:

• Integration between Cisco SD-Access (Campus network) and Cisco SD-WAN (Viptela)
• Data center (ACI and non-ACI)
• Internet
• Remote branches and Cloud across a WAN/Metro network
• Layer 4 to 7 service integration for the fabric network, etc.

BRKCRS-2821 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3

Sessions are available Online @ CiscoLive.com

Cisco Software-Defined Access – Cisco Live Barcelona Session Map (Tuesday Jan 29 to Friday Feb 01; "You Are Here" marks this session)

BRKCRS-2821, BRKCRS-2825, BRKCRS-2812 – SD-Access Integration, SD-Access Scale, SD-Access Migration
BRKCLD-2412, BRKCRS-3811 – Cross-Domain Policy, SD-Access Policy
BRKCRS-2810, BRKCRS-1449, BRKCRS-1501 – SD-Access Solution, ISE & SD-Access, Validated Design
BRKCRS-3810, BRKCRS-2815, BRKCRS-2814, BRKARC-2020 – SD-Access Connect, SD-Access Troubleshoot, Deep Dive SD-Access Sites, Assurance SD-Access
LTRACI-2636, LTRCRS-2810, BRKEWN-2021, BRKEWN-2020 – ACI + SD-Access Lab, SD-Access Lab, SD-Access Demo, SD-Access Wireless

Session Goals

• This session assumes a basic understanding of Cisco SD-Access; it is recommended that you attend BRKCRS-2810 before this.

• To provide an understanding of the Cisco SD-Access Border architecture and the external integration between Cisco SD-Access (Campus network) and SD-WAN (Viptela network), Data center (ACI and non-ACI), Internet, remote branches and Cloud across a WAN/Metro network, and Layer 4 to 7 service integration for the fabric network.

Agenda

• Introduction to Cisco SD-Access
  • Fabric Roles and Constructs

• Large & Medium Enterprise Network Design
  • Traditional vs Cisco SD-Access Network Design
  • Border Design Options

• Border Connectivity Models
  • Connecting to Internal networks like DC & WAN
  • Connecting to external networks like Internet & Cloud

• Small Enterprise Network Design
  • Traditional vs Cisco SD-Access Network Design
  • Border Design Options

• Cisco SD-Access Demo for Border Design

• Conclusion

Fabric Roles and Constructs

Cisco SD-Access Fabric Roles & Terminology

• Cisco DNA Automation – provides simple GUI management and intent based automation (e.g. NCP) and context sharing
• Cisco DNA Assurance – Data Collectors (e.g. NDP) analyze Endpoint to App flows and monitor fabric status
• Identity Services – NAC & ID Systems (e.g. ISE) for dynamic Endpoint to Group mapping and Policy definition
• Control-Plane Nodes – Map System that manages Endpoint to Device relationships
• Fabric Border Nodes – A Fabric device (e.g. Core) that connects External L3 network(s) to the SDA Fabric
• Fabric Edge Nodes – A Fabric device (e.g. Access or Distribution) that connects Wired Endpoints to the SDA Fabric
• Fabric Wireless Controller – A Fabric device (WLC) that connects APs and Wireless Endpoints to the SDA Fabric

(Diagram: Cisco DNA Center with NCP automation and NDP assurance, ISE identity services; in the Campus: Control-Plane Nodes (C), Fabric Border Nodes (B), Intermediate Nodes (Underlay), Fabric Edge Nodes, Fabric Wireless Controller.)

Cisco SD-Access Fabric Terminology

(Diagram: Overlay Network with its Overlay Control Plane; Encapsulation between Edge Devices; Hosts (End-Points) attached to the edge devices; Underlay Network with its Underlay Control Plane.)

Cisco SD-Access Fabric Control-Plane Nodes – A Closer Look

Control-Plane Node runs a Host Tracking Database to map location information

(Diagram used on the next slides as well: control-plane node C, border nodes B B, Known Networks and Unknown Networks outside the fabric.)

• A simple Host Database that maps Endpoint IDs to a current Location, along with other attributes

• Host Database supports multiple types of Endpoint ID lookup (IPv4, IPv6 or MAC)

• Receives Endpoint ID map registrations from Edge and/or Border Nodes for “known” IP prefixes

• Resolves lookup requests from Edge and/or Border Nodes, to locate destination Endpoint IDs

Cisco SD-Access Fabric Edge Nodes – A Closer Look

Edge Node provides first-hop services for Users / Devices connected to a Fabric

• Responsible for Identifying and Authenticating Endpoints (e.g. Static, 802.1X, Active Directory)

• Registers specific Endpoint ID info (e.g. /32 or /128) with the Control-Plane Node(s)

• Provide an Anycast L3 Gateway for the connected Endpoints (same IP address on all Edge nodes)

• Performs encapsulation / de-encapsulation of data traffic to and from all connected Endpoints

Cisco SD-Access Fabric Border Nodes

Border Node is an Entry & Exit point for data traffic going Into & Out of a Fabric

There are 3 Types of Border Node!

• Rest of Company/Internal Border – Used for "Known" Routes inside your company

• Outside World/External Border – Used for "Unknown" Routes outside your company

• Anywhere/External + Internal Border – Used for "Known" and "Unknown" Routes for your company

Cisco SD-Access Fabric Border Nodes – Rest of Company/Internal

Rest of Company/Internal Border advertises Endpoints to outside, and known Subnets to inside

• Connects to any "known" IP subnets available from the outside network (e.g. DC, WLC, FW, etc.)

• Exports all internal IP Pools to outside (as aggregate), using traditional IP routing protocol(s).

• Imports and registers (known) IP subnets from outside, into the Control-Plane Map System except the default route.

• Hand-off requires mapping the context (VRF & SGT) from one domain to another.

Cisco SD-Access Fabric Border Nodes – Forwarding from Fabric to External Domain

(Diagram, numbered as on the slide. Control-plane nodes 5.1.1.1 and 5.2.2.2; edge nodes 1.1.1.1, 1.1.2.1, 1.1.3.1, 1.1.4.1; Internal Border 2.1.1.1; Campus Bldg 1 10.1.1.0/24, Bldg 2 10.3.0.0/24; destination D in 192.1.1.0/24 outside the fabric.)

1. Source S resolves the Campus DNS entry D.abc.com A 192.1.1.1 and sends 10.1.1.1 → 192.1.1.1.
2. The edge node (1.1.1.1) queries the control plane for the destination.
3. Mapping entry: EID-prefix 192.1.1.0/24, Locator-set 2.1.1.1, priority: 1, weight: 100 (D1). Path preference is controlled by the destination site.
4. The edge node encapsulates 1.1.1.1 → 2.1.1.1 across the SDA fabric.
5. The border node (2.1.1.1) de-encapsulates and forwards 10.1.1.1 → 192.1.1.1 into the external domain.

Cisco SD-Access Fabric Border Nodes – Forwarding from External to Fabric Domain

(Diagram, numbered as on the slide. Source S in 192.1.1.0/24 outside the fabric; destination D 10.1.1.1 in Campus Bldg 1 10.1.1.0/24; the same control-plane, edge and border nodes as above.)

1. Routing entry at the source site: send traffic to the exit point of the domain (Internal Border).
2. The border node (2.1.1.1) receives 192.1.1.1 → 10.1.1.1 and queries the control plane.
3. Mapping entry: EID-prefix 10.1.1.1/32, Locator-set 1.1.1.1, priority: 1, weight: 100 (D1). Path preference is controlled by the destination site.
4. The border node encapsulates 2.1.1.1 → 1.1.1.1 across the SDA fabric.
5. The edge node (1.1.1.1) de-encapsulates and delivers 192.1.1.1 → 10.1.1.1 to D.

Cisco SD-Access Fabric Border Nodes – Outside World/External

Outside World/External Border is a "Gateway of Last Resort" for any unknown destinations

• Connects to any "unknown" IP subnets outside of the network (e.g. Internet, Public Cloud)

• Exports all internal IP Pools outside (as aggregate) into traditional IP routing protocol(s).

• Does NOT import any routes! It is a “default” exit, if no entry is available in Control-Plane.

• Hand-off requires mapping the context (VRF & SGT) from one domain to another.

Cisco SD-Access Fabric Border Nodes – Forwarding from Fabric to External Domain

(Diagram, numbered as on the slide. Source S in Campus Bldg 1 10.2.0.0/24 (Bldg 2 is 10.3.0.0/24); control-plane nodes 5.1.1.1 and 5.2.2.2; edge nodes 1.1.1.1, 1.1.2.1, 1.1.3.1, 1.1.4.1; External Border 3.1.1.1; destination D in 193.3.0.0/24 on the INTERNET.)

1. Source S sends 10.2.0.1 → 193.3.0.1.
2. The edge node queries the control plane: EID-prefix not found, map-cache miss. Mapping entry: Locator-set (use-petr) 3.1.1.1, priority: 1, weight: 100 (D1).
3. The edge node (1.1.2.1) encapsulates 1.1.2.1 → 3.1.1.1 across the SDA fabric.
4. The border node (3.1.1.1) de-encapsulates and forwards 10.2.0.1 → 193.3.0.1 to the Internet.

Cisco SD-Access Fabric Border Nodes – Anywhere/Internal + External Border

Anywhere/Internal + External Border is a "One all exit point" for any known and unknown destinations

• Connects to any "unknown" IP subnets outside of the network (e.g. Internet, Public Cloud) and to the "known" IP subnets available from the outside network (e.g. DC, WLC, FW, etc.)

• Imports and registers (known) IP subnets from outside, into the Control-Plane Map System except the default route.

• Exports all internal IP Pools outside (as aggregate) into traditional IP routing protocol(s).

Cisco SD-Access Fabric Virtual Network – A Closer Look

Virtual Network maintains a separate Routing & Switching table for each instance

• Control-Plane uses Instance ID to maintain separate VRF topologies ("Default" VRF is Instance ID "4098")

• Nodes add a VNID to the Fabric encapsulation

• Endpoint ID prefixes (Host Pools) are routed and advertised within a Virtual Network (on the diagram: VN Campus, VN IOT, VN Guest)

• Uses standard "vrf definition" configuration, along with RD & RT for remote advertisement (Border Node)

Large and Medium Enterprise Network Design

Traditional Network Design

Cisco SD-Access Fabric: 3-Tier Enterprise Network Design – Traditional Network

Role – Platform
Access Node – Cat3K/9300, Cat4K/9400
Distribution Node – Cat3K/9300, Cat4K/9500, Cat6K/9500
Core Node – Cat6K/9500, N7K, ASR1K-HX
Centralized WLC – 8540, 5520, x800 APs
WAN Edge – ASR1K, ISR4K
Internet Edge – ASR1K, ISR4K
Data Center – N9K (NX-OS), N7K (NX-OS), N9K (ACI)
Security – ISE 2.3, ASA 55xx, Windows AD

(Diagram: Traditional VXLAN/ACI DC Fabric, Guest WLCs, Internet Edge, Internet, Centralized WLC OTT, WAN, Shared Services, Campus Core, WAN Edge, HR/MC, Distribution Nodes, Access Nodes, Large Hybrid WAN Site, Small Hybrid WAN Site.)

Cisco SD-Access Fabric: Large Enterprise Network Design – Traditional Network

Role – Platform
Access Node – Cat3K/9300, Cat4K/9400
Collapsed Core – Cat6K/9500, N7K
Centralized WLC – 5520, 3504, x800 APs
WAN Edge – ASR1K, ISR4K
Data Center – N9K (NX-OS), N7K (NX-OS), N9K (ACI)
Security – ISE 2.3, ASA 55xx, Windows AD

(Diagram: Traditional VXLAN/ACI DC Fabric, Guest WLCs, Internet Edge, Internet, Centralized WLC OTT, WAN, Shared Services, HR/MC, Collapsed Core, WAN Edge, Access Nodes, Small Hybrid WAN Site, Small Internet WAN Site, Large Hybrid WAN Site.)

Cisco SD-Access Network Design

Cisco SD-Access Fabric: Large Enterprise Network Design – Cisco SD-Access Network

Role – Platform (the same table as on the 3-Tier Enterprise Network Design – Traditional Network slide)
Access Node – Cat3K/9300, Cat4K/9400
Distribution Node – Cat3K/9300, Cat4K/9500, Cat6K/9500
Core Node – Cat6K/9500, N7K, ASR1K-HX
Centralized WLC – 8540, 5520, x800 APs
WAN Edge – ASR1K, ISR4K
Internet Edge – ASR1K, ISR4K
Data Center – N9K (NX-OS), N7K (NX-OS), N9K (ACI)
Security – ISE 2.3, ASA 55xx, Windows AD

(Diagram, built up over five consecutive slides on the same topology: first the FABRIC with a control-plane node C in the campus, then a Fusion Router, then a DC & Internet Border, then a WAN Border at the WAN Edge, then a Guest Border. Other labels: Traditional VXLAN/ACI DC Fabric, Internet Edge, Internet, Centralized WLC OTT, WAN, Shared Services, HR/MC, Access Nodes, Large Hybrid WAN Site, Small Hybrid WAN Site.)

Border Connectivity Models

Connectivity to external networks in the traditional design

Cisco SD-Access Fabric: Large Enterprise Network Design – Traditional Network

1. Data Center routes are advertised to the Campus Core via the DC Edge switch via BGP/IGP. The campus core imports those routes into the enterprise network.

2. The default route for the Internet is advertised to the Campus Core via the Internet Firewall. The campus core in return advertises the route to the enterprise network.

3. WAN routes are advertised to the Campus Core via the WAN Edge router via BGP/IGP. The campus core imports those routes into the enterprise network.

4. The Guest Anchor WLC in the DMZ is responsible for guest wireless traffic, since the traffic from the enterprise network is directly anchored to it.

(Diagram, repeated on each of the four slides: Traditional VXLAN/ACI DC Fabric, Internet Edge, Guest WLCs, Internet, Centralized WLC OTT, Shared Services, WAN, Collapsed Core, WAN Edge, Access Nodes, Small Hybrid WAN Site, Small Internet WAN Site, Large Hybrid WAN Site.)

Connectivity to external networks in the Cisco SD-Access design using the Border Node

Cisco SD-Access Fabric: Large Enterprise Network Design – Cisco SD-Access Network

1. The Data Center and Internet Border needs to be an Anywhere/Internal + External Border, as it has to import the DC routes into the fabric through the fusion router.

2. The Data Center and Internet Border needs to be an Anywhere/Internal + External Border, as it is also the default exit point out of the fabric, aka the "Default route".

3. The WAN Border needs to be a Rest of the Company/Internal Border, as it has to import the WAN routes into the fabric.

4. There is a separate Guest Border in the fabric for Guest VN traffic only. This Border needs to be an Outside World/External Border, as it is the default exit point out of the fabric (aka "Default route") for the Guest VN.

(Diagram, repeated on each of the four slides: Traditional VXLAN/ACI DC Fabric, Internet Edge, Internet, Centralized WLC OTT, WAN, Shared Services, Fusion Router, WAN Edge, FABRIC with control-plane node C, DC & Internet Border, WAN Border, Guest Border, Access Nodes, Large Hybrid WAN Site, Small Hybrid WAN Site.)

Why Internal (Rest of Company) vs External (Outside World) Border

Cisco SD-Access – Border Deployment: Why? Internal Traffic with External Borders

(Diagram: Edge Node → External Border (B) → IP Network → Internet; the WAN Edge (WAN/Branch) and the DC Edge (Data Center) hang off the same IP Network.)

ALL non-fabric traffic MUST travel to the External (Default) Border.

If other internal domains (e.g. WAN/Branch or DC) are only reachable via the same IP network, traffic may follow a sub-optimal path (e.g. hairpin).

Cisco SD-Access – Border Deployment: Why? Internal Traffic with Internal Borders

(Diagram: Edge Node with three borders (B): External Border → IP Network → Internet; Internal Border → WAN/Branch; Internal Border → Data Center.)

Traffic to internal domains will go directly to the Internal Borders.

Any external traffic (e.g. Internet) can still exit via the External Border.
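The two forwarding diagrams (Fabric to External Domain via the Internal Border, and the map-cache miss to the External Border) and the hairpin argument on the two slides above all come down to one control-plane lookup. The following is an added example written for this page, not code from the presentation or from Cisco: it models the map system as a longest-prefix dictionary, returns the locator for "known" prefixes and falls back to the PETR (the External Border) on a miss, and then compares the hop count to the DC with and without an Internal Border registering the DC prefix. The EID and RLOC addresses are the ones drawn on the slides; the small topology used for the hairpin comparison is constructed.

```python
"""Model of the SD-Access control-plane lookup behind the border slides.

Added example (not from the presentation or Cisco). An edge node resolves a
destination EID against the map system: prefixes registered by edge nodes or
imported by an Internal Border resolve to that node's RLOC; anything else is a
map-cache miss and is sent to the External Border acting as PETR ("use-petr").
"""
import ipaddress
from collections import deque

# Constructed mapping database: EID prefix -> [(RLOC, priority, weight)].
# Lower priority is preferred; weight load-shares among equal priorities.
MAPPING_DB = {
    "10.1.1.0/24": [("1.1.1.1", 1, 100)],   # Bldg 1 host pool, registered by edge 1.1.1.1
    "10.1.1.1/32": [("1.1.1.1", 1, 100)],   # /32 host registration by the same edge
    "10.3.0.0/24": [("1.1.3.1", 1, 100)],   # Bldg 2 host pool
    "192.1.1.0/24": [("2.1.1.1", 1, 100)],  # DC subnet imported by Internal Border 2.1.1.1
}
PETR_RLOC = "3.1.1.1"  # External (Outside World) Border, the gateway of last resort

# Constructed topology for the hairpin comparison (not on the slides).
TOPOLOGY = {
    "edge": ["internal-border", "external-border"],
    "internal-border": ["dc-edge"],
    "external-border": ["ip-network"],
    "ip-network": ["dc-edge", "internet"],
    "dc-edge": [],
    "internet": [],
}


def resolve(dst_ip, mapping_db=MAPPING_DB, petr=PETR_RLOC):
    """Longest-prefix match of dst_ip in the map system; returns (rloc, reason).

    On a miss the PETR RLOC is returned, which is how the External Border becomes
    the default exit without importing any routes into the control plane."""
    ip = ipaddress.ip_address(dst_ip)
    best_net, best_locs = None, None
    for prefix, locators in mapping_db.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_locs = net, locators
    if best_net is None:
        return petr, "map-cache miss, use-petr"
    rloc, prio, weight = sorted(best_locs, key=lambda loc: (loc[1], -loc[2]))[0]
    return rloc, f"EID-prefix {best_net} locator {rloc} priority {prio} weight {weight}"


def encapsulate(src_ip, dst_ip, src_edge_rloc, mapping_db=MAPPING_DB):
    """Outer (RLOC) and inner (EID) headers the edge node puts on the packet."""
    rloc, reason = resolve(dst_ip, mapping_db)
    return {"outer": (src_edge_rloc, rloc), "inner": (src_ip, dst_ip), "reason": reason}


def _shortest_path(start, goal, topology=TOPOLOGY):
    """Breadth-first search over the constructed topology."""
    parents, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = parents[node]
            return path[::-1]
        for nxt in topology[node]:
            if nxt not in parents:
                parents[nxt] = node
                queue.append(nxt)
    return None


def path_to_dc(dst_ip, internal_border_registered=True):
    """Hop list from the edge to the DC edge for traffic to dst_ip.

    With the DC prefix registered by an Internal Border the packet leaves the
    fabric there; without one it is a miss, exits via the External Border and
    hairpins across the shared IP network to reach the DC."""
    db = dict(MAPPING_DB)
    if not internal_border_registered:
        db.pop("192.1.1.0/24")  # no Internal Border: the DC prefix is unknown to the fabric
    rloc, _ = resolve(dst_ip, db)
    first_hop = "external-border" if rloc == PETR_RLOC else "internal-border"
    return ["edge"] + _shortest_path(first_hop, "dc-edge")


if __name__ == "__main__":
    print(encapsulate("10.1.1.1", "192.1.1.1", "1.1.1.1"))
    print(encapsulate("10.2.0.1", "193.3.0.1", "1.1.2.1"))
    print(path_to_dc("192.1.1.1"), path_to_dc("192.1.1.1", internal_border_registered=False))
```

Running the two `encapsulate` calls reproduces the outer headers from the two diagrams (1.1.1.1 → 2.1.1.1 for the DC host, 1.1.2.1 → 3.1.1.1 for the Internet host), and `path_to_dc` shows the extra hop through the IP network when only an External Border exists.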

Cisco SD-Access Platforms – Fabric Control Plane (for more details: cs.co/sda-compatibility-matrix)

• Catalyst 9300: 1/mG RJ45, 10/25/40/mG NM
• Catalyst 9400: Sup1/Sup1XL, 9400 Cards
• Catalyst 9500: 40/100G QSFP, 1/10/25G SFP

• Catalyst 3K: Catalyst 3650/3850, 1/mG RJ45, 1/10G SFP, 1/10/40G NM Cards
• Catalyst 6K: Catalyst 6500/6800, Sup2T/Sup6T, C6800 Cards, C6880/6840-X
• ISR 4K & ENCS: ISR 4430/4450, ISR 4330/4450, ENCS 5400, ISRv / CSRv
• ASR1K: ASR 1000-X, ASR 1000-HX, 1/10G RJ45, 1/10G SFP

Cisco SD-Access Platforms – Fabric Border Node (for more details: cs.co/sda-compatibility-matrix)

• Catalyst 9300: 1/mG RJ45, 10/25/40/mG NM
• Catalyst 9400: Sup1/Sup1XL, 9400 Cards
• Catalyst 9500: 1/10/25G SFP, 40/100G QSFP

• Catalyst 3K: Catalyst 3650/3850, 1/mG RJ45, 1/10G SFP, 1/10/40G NM Cards
• Catalyst 6K: Catalyst 6500/6800, Sup2T/Sup6T, C6800 Cards, C6880/6840-X
• Nexus 7K (* EXTERNAL ONLY): Nexus 7700, Sup2E, M3 Cards, LAN1K9 + MPLS
• ISR 4K: ISR 4300/4400, AppX (AX), 1/10G RJ45, 1/10G SFP
• ASR 1K: ASR 1000-X/HX, AppX (AX), 1/10G ELC/EPA, 40G ELC/EPA

Cisco SD-Access – Border Deployment: Fabric Border Scale

Fabric Constructs by platform, in the column order Catalyst 3850-XS / Catalyst 9300 / Catalyst 9400 / Catalyst 9500 / Catalyst 9500H / Catalyst 6800 / Nexus N7700 / ASR1K & ISR4K / CSR1Kv:

Virtual Networks: 64 / 256 / 256 / 256 / 256 / 500 / 500 / 4K / n.a.
SGT/DGT Table: 4K / 8K / 8K / 8K / 8K / 30K / 16K / 62K / n.a.
SGACLs (Security ACEs): 1500 / 5K / 18K / 18K / 18K / 16K / 64K / 12K, 30K (XL) / n.a.
Control Plane Entries with Co-Located Border: 3K / 16K / SUP1 = 50K, SUP1XL = 80K / 80K / 80K / 25K / Not Supported / 200K / 200K or 100K (16GB), 100K or 50K (8GB)

The remaining two rows could not be re-aligned to columns from the extracted slide; their values are listed in the order extracted:
IPv4 Fabric Routes: SUP1 = 10K, 8K, 4K, 48K, 48K, 500K, SUP1XL = 20K, 256K, 4M (16GB), n.a.
IPv4 Fabric Host Entries: SUP1 = 50K, 1M (XL), 1M (8GB), 16K, 16K, 96K, 96K, 32K, SUP1XL = 80K

Cisco SD-Access Fabric: Large Enterprise Network Design – Cisco SD-Access Network

(Diagram: Traditional VXLAN/ACI DC Fabric, Guest Border, Internet Edge, Internet, Centralized WLC OTT, WAN, Shared Services, Fusion Router, WAN Border, DC & Internet Border, FABRIC with control-plane node C, Access Nodes, Large Hybrid WAN Site, Small Hybrid WAN Site.)

Cisco SD-Access – Border Deployment: Which Border to pick?

Outside World (External) – Connects to the unknown part of the company, like the Internet, or is the only exit point from the fabric.

Rest of Company (Internal) – Connects to the known part of the company, like DC, WAN, etc.

Anywhere (Internal + External) – Connects to the Internet and also to the known part of the company, like DC, WAN, etc.

Cisco SD-Access – Border Deployment: Fabric Border Support Matrix

SDA Border Node | Rest of Company (Internal) | Outside World (External) | Anywhere (Internal + External)
C9K             | YES                        | YES                      | YES
ASR1K/ISR4K     | YES                        | YES                      | YES
C6K             | YES                        | YES                      | YES
N7K             | NO                         | YES                      | NO

Cisco SD-Access – Border Deployment: How VNs work in SD-Access

• Fabric Devices (Underlay) connectivity is in the Global Routing Table (GRT)
• INFRA_VN is only for Access Points and Extended Nodes, in the GRT
• DEFAULT_VN is an actual "User VN" provided by default
• User-Defined VNs can be added or removed on-demand

(Diagram – Scope of Fabric, as seen at the Border: User-Defined VN(s) → USER VRF(s); DEFAULT_VN → User VN (for Default); INFRA_VN → VN (for APs, Extended Nodes); Devices (Underlay) → GRT.)

Connectivity to Known Networks like DC & WAN via the Anywhere/Rest of Company Border

Cisco SD-Access Fabric: Large Enterprise Network Design – Cisco SD-Access Network

(Diagram: Traditional VXLAN/ACI DC Fabric, Centralized WLC OTT, WAN, Shared Services, Fusion Router, WAN Border, DC & Internet Border, FABRIC with control-plane node C, Access Nodes, Large Hybrid WAN Site, Small Hybrid WAN Site.)

Border Deployment Options: Anywhere/Rest of Company for Shared Services and DC – VRF-LITE

Control plane: LISP inside the fabric (C, B) – BGP from the Border to the Fusion Router – BGP/IGP/ACI toward Shared Services and the Data Center.
Data plane: VXLAN inside the fabric – VRF-LITE from the Border to the Fusion Router – IP/MPLS/ACI toward Shared Services and the Data Center.

Border Deployment Options: Anywhere/Rest of Company Border WAN Connectivity

Control plane: LISP inside each fabric site (B, C) – OMP/MP-BGP/IGP across the WAN between the sites.
Data plane: VXLAN inside each fabric site – MPLS/IP/IPSEC/DMVPN across the WAN.

Cisco SD-Access Fabric Border Nodes – One Box vs. Two Box

One Box Design (the Border handles both the IN and the OUT side)
• Internal and External domain routing is on the same device
• Simple design, without any extra configuration between the Border and outside routers to exchange connectivity and reachability information
• The Border device will advertise routes to and from the Local Fabric domain to the External Domain

Two Box Design (the Border handles the IN side, a separate device the OUT side)
• Internal and External domain routing are on different devices
• Requires two devices with BGP in between
• This model is chosen if the Border does not support the functionality to run the external domain on the same device (e.g. DMVPN, EVPN, etc.), whether due to hardware or software support on the device

Border Deployment Options: Anywhere/Rest of Company Border

(Cisco DNA Center workflow screenshots over three slides; labels visible on them: CORE, SJC22, San_Jose, 16.6.2. Steps as numbered on the slide:)

1. Select the Border Node role
2. Select the Connection
3. Select the Layer 3 hand off
4. Select the Type of Hand Off
5. Select Subnet for Hand off
6. Select the External Interface(s)
7. Select Remote AS
8. Select VRF type advertisement *

Border Deployment Options: Shared Services (DHCP, AAA, etc.) with Border

• Hosts in the fabric domain (in their respective Virtual Networks) will need to have access to common "Shared Services":
  - Identity Services (e.g. AAA/RADIUS)
  - Domain Name Services (DNS)
  - Dynamic Host Configuration (DHCP)
  - IP Address Management (IPAM)
  - Monitoring tools (e.g. SNMP)
  - Data Collectors (e.g. Netflow, Syslog)
  - Other infrastructure elements

• These shared services will generally reside outside of the fabric domain.

Border Deployment Options: Shared Services (DHCP, AAA, etc.) with Border

(Diagram: control-plane node C and border nodes B B in the fabric; Fusion Router; Shared Services reachable in a VRF or the GRT: APIC-EM, DHCP/DNS, Identity Service.)

Border Deployment Options: Shared Services (DHCP, AAA, etc.) with Border

A Cisco SD-Access Border connecting an External Domain with an existing Global Routing Table should use a "Fusion" router with MP-BGP & VRF import/export.

    ip vrf USERS
     rd 1:4099
     route-target export 1:4099
     route-target import 1:4099
     route-target import 1:4097
    !
    ip vrf DEFAULT_VN
     rd 1:4098
     route-target export 1:4098
     route-target import 1:4098
     route-target import 1:4097
    !
    ip vrf GLOBAL
     rd 1:4097
     route-target export 1:4097
     route-target import 1:4097
     route-target export 1:4099
     route-target export 1:4098

(Diagram: Edge Node – ISIS – Border Node with VRF A / VRF B on SVI A / SVI B and BGP address families AF VRF A, AF VRF B – MP-BGP AF IPv4 – Fusion Router (GRT/VRF) – External Domain.)

Border Deployment Options: Shared Services (DHCP, AAA, etc.) with Border in dedicated VRF

(Diagram: Host Pool 10 (10.1.1.0/24) – Edge Node 1 – Control-Plane Node C (5.1.1.1/32) – Border Node B – BGP – Fusion Router – BGP – IP Network – Shared Services in GRT (172.10.10.0/24); addresses on the diagram: 10.1.1.1/24, 1.1.1.1/32, 2.1.1.1/32, 192.1.1.1/24.)

• The Shared Services are in the Global routing table
• Will form a routing adjacency using the Global routing table to the fusion router
• On the Campus Fabric side we will form a routing adjacency using the VRF table of the EID space, from the border to the fusion router
• The Fusion router will merge GRT to VRF using the import/export maps

    ip vrf User1
     rd 1:1
     route-target export 1:1
     route-target import 1:1
     import ipv4 unicast map GRT-to-VRF
    !
    ip vrf User2
     rd 2:2
     route-target export 2:2
     route-target import 2:2
     import ipv4 unicast map GRT-to-VRF
    !
    ip vrf Services
     rd 3:3
     route-target export 3:3
     route-target import 3:3
     export ipv4 unicast map VRF-User1-to-GRT
     export ipv4 unicast map VRF-User2-to-GRT

Border Deployment Options: Shared Services (DHCP, AAA, etc.) with Border in dedicated VRF

(Diagram: Host Pool 10 (10.1.1.0/24) – Edge Node 1 – Control-Plane Node C (5.1.1.1/32) – Border Node B – BGP – Fusion Router – BGP – IP Network – Shared Services in VRF (172.10.10.0/24); addresses on the diagram: 10.1.1.1/24, 1.1.1.1/32, 2.1.1.1/32, 192.1.1.1/24.)

• The Shared Services are in a unique dedicated VRF of their own.
• Will form a routing adjacency in each Address Family.
• Use route-target import / export (leaking) to "share" routes.
• An external Fusion router is used to exchange routes from the VRFs in the Campus fabric to the Services VRF.

    ip vrf User1
     rd 1:1
     route-target export 1:1
     route-target import 1:1
     route-target import 3:3
    !
    ip vrf User2
     rd 2:2
     route-target export 2:2
     route-target import 2:2
     route-target import 3:3
    !
    ip vrf Services
     rd 3:3
     route-target export 3:3
     route-target import 3:3
     route-target export 1:1
     route-target export 2:2

BRKCRS-2821 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 65 Border Deployment Options Data Center Connectivity With Border – Traditional DC

CONTROL-PLANE

1 LISP BGP/IGP

Fusion Router B B

Traditional Data Center

S1 S2

DATA-PLANE S3 S4 2 VXLAN+SGT VRF-LITE

Border Deployment Options: Policy Options for Shared Services and Traditional Data Center

[Diagram: Edge Node 1 (Host Pool 10, 10.1.1.0/24) -> Border Node -> BGP -> Fusion Router -> BGP -> Shared Services (172.10.10.0/24) and Data Center; Control-Plane Node C at 5.1.1.1/32]

• Destination IP subnets are statically mapped to SGTs in ISE.
• SXP from ISE to the fusion router downloads the IP-to-SGT bindings for the destination IP subnets.
• SGACLs are enforced at the Fusion router.
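The three steps above as an added Python example (not Cisco's code): an SXP-style IP-to-SGT binding table with longest-prefix classification, and an SGACL matrix consulted the way the fusion router would enforce it. The 10.1.10.220 host with SGT 5, the 172.10.10.0/24 shared-services subnet and the 10.1.100.52 data-center host come from the slides; the other SGT numbers, the 10.1.10.0/24 pool and the matrix entries are constructed.

```python
import ipaddress

# Constructed IP-to-SGT bindings in the shape ISE pushes over SXP.
# Destination subnets are static mappings; the /32 is a host binding.
BINDINGS = {
    "10.1.10.220/32": 5,    # Controller Layer host (address and SGT from the slides)
    "10.1.10.0/24": 10,     # campus user pool covering that host (constructed)
    "172.10.10.0/24": 20,   # Shared Services subnet (from the diagram)
    "10.1.100.0/24": 30,    # data-center subnet that holds 10.1.100.52
}

# Constructed SGACL matrix: (source SGT, destination SGT) -> action.
# Pairs not listed fall through to the default (deny).
SGACL = {
    (5, 30): "permit",      # Controller Layer -> data center
    (5, 20): "permit",      # Controller Layer -> shared services
    (10, 20): "permit",     # user pool -> shared services (DHCP, AAA, ...)
}
DEFAULT_ACTION = "deny"
UNKNOWN_SGT = 0             # SGT 0 = Unknown, used when no binding matches


def build_table(bindings):
    """Order bindings by prefix length so the first hit is the longest match."""
    nets = [(ipaddress.ip_network(p), sgt) for p, sgt in bindings.items()]
    return sorted(nets, key=lambda item: item[0].prefixlen, reverse=True)


def classify(table, ip):
    """Return the SGT of the longest-prefix binding that covers ip."""
    addr = ipaddress.ip_address(ip)
    for net, sgt in table:
        if addr in net:
            return sgt
    return UNKNOWN_SGT


def enforce(table, src_ip, dst_ip):
    """Permit or deny a flow the way an SGACL on the fusion router would."""
    pair = (classify(table, src_ip), classify(table, dst_ip))
    return SGACL.get(pair, DEFAULT_ACTION)


if __name__ == "__main__":
    table = build_table(BINDINGS)
    for src, dst in [("10.1.10.220", "10.1.100.52"), ("10.1.10.7", "10.1.100.52")]:
        print(src, "->", dst, enforce(table, src, dst))
```

The /32 host binding wins over the /24 pool that contains it, which is why 10.1.10.220 is classified as SGT 5 while a neighbouring host in the same pool gets SGT 10 and is denied towards the data center.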

Border Deployment Options: Data Center Connectivity With Border – VXLAN/ACI Fabric

[Diagram: Fabric Borders (B, B) -> Fusion Router -> ACI Fabric Border Leafs. (1) Control plane: LISP inside the fabric, BGP/IGP to the fusion router and ACI border leafs. (2) Data plane: VXLAN+SGT inside the fabric, VRF-Lite from the border to the ACI border leafs.]

Border Deployment Options: Data Center Connectivity With Border – ACI Fabric

[Diagram: At the Border, the User-Defined VN(s), the User VN (for Default) DEFAULT_VN, the VN for APs and Extended Nodes INFRA_VN and the Devices (Underlay) GRT map to USER VRF(s) on the Fusion Router, which connects to the ACI Fabric Border Leafs.]

Fusion router VRF configuration (from the slide):

  ip vrf CAMPUS
   rd 1:4099
   route-target export 1:4099
   route-target import 1:4099
   route-target import 1:4098
  !
  ip vrf ACI
   rd 1:4098
   route-target export 1:4098
   route-target import 1:4098
   route-target import 1:4097

• The SD-Access Border merges VRFs A, B, C and so on into a common VRF D using a fusion router.
• The common VRF D connects to the ACI VRF on the other side.
• Access-lists/distribute-lists are needed on the fusion router to ensure that VRFs A, B and C do not talk to each other. This can also be achieved using VRF import and export maps.
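As an added example (not from the slides or from Cisco), a small Python checker for the route-target leaking design of the dedicated Services VRF slide and for the isolation requirement just stated for VRFs A, B and C: it parses ip vrf stanzas, derives which VRF's routes become visible in which other VRF, and flags any user VRF that can see another user VRF or any VRF that has no return route to Services. The configuration it parses is constructed in the style of the slides; VRF names and route-target values are hypothetical.

```python
import re
from itertools import permutations

# Constructed sample in the style of the slide's "ip vrf" stanzas (hypothetical values).
SAMPLE_CONFIG = """
ip vrf User1
 rd 1:1
 route-target export 1:1
 route-target import 1:1
 route-target import 3:3
!
ip vrf User2
 rd 2:2
 route-target export 2:2
 route-target import 2:2
 route-target import 3:3
!
ip vrf Services
 rd 3:3
 route-target export 3:3
 route-target import 3:3
 route-target import 1:1
 route-target import 2:2
"""

def parse_vrfs(config):
    """Return {vrf: {"import": set, "export": set}} parsed from ip vrf stanzas."""
    vrfs, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("ip vrf "):
            current = line.split()[2]
            vrfs[current] = {"import": set(), "export": set()}
            continue
        m = re.match(r"route-target (import|export) (\S+)$", line)
        if m and current:
            vrfs[current][m.group(1)].add(m.group(2))
    return vrfs

def leaks_into(vrfs, src, dst):
    # Routes of src appear in dst when an RT exported by src is imported by dst.
    return src != dst and bool(vrfs[src]["export"] & vrfs[dst]["import"])

def check_isolation(vrfs, services="Services"):
    """List policy violations; an empty list means the leak design is sound."""
    problems, users = [], [v for v in vrfs if v != services]
    for u in users:
        if not leaks_into(vrfs, services, u):
            problems.append(f"{u} cannot reach {services}")
        if not leaks_into(vrfs, u, services):
            problems.append(f"{services} has no return route to {u}")
    for a, b in permutations(users, 2):   # user VRFs must never see each other
        if leaks_into(vrfs, a, b):
            problems.append(f"{a} routes leak into {b}")
    return sorted(problems)
```

Run it against the fusion router's actual VRF section before and after a change; an extra "route-target import" on a user VRF is enough to silently join two segments, and this check surfaces that.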

Primer - ACI Fabric: Integrated VXLAN Overlay, Decoupled Identity, Location and Policy

[Diagram: ACI Spine Nodes and ACI Leaf Nodes forming the ACI Fabric; encapsulated packet shown as VTEP | VXLAN | IP | Payload]

• Forwarding within the Fabric is between VTEPs (ACI VXLAN tunnel endpoints) and leverages an extended VXLAN header format referred to as the ACI VXLAN policy header.
• Any workload anywhere, consistent latency: the mapping of a tenant MAC or IP address to its location is performed by the VTEP using a distributed mapping database.

Primer: What is an L3Out?

[Diagram: L3Outs container holding a specific L3Out, an L3 interface on a Border Leaf Node, and an External EPG]

• An L3Out is a logical construct defined to allow L3 connectivity between the ACI Fabric and the external network. One or more L3Outs can be defined for each given tenant.
• L3 interfaces are used on specific ACI devices (named Border Leaf nodes) to interconnect to the external routed network.
• The external routed domain is modeled with one (or more) External EPGs ('Networks').
• A security policy (contract) is required to allow communication between External and Internal EPGs.

Cisco SD-Access SGTs Provisioned in ACI

ISE dynamically provisions SGTs and IP mappings (SXP service) into APIC-DC.

[Diagram: Security Groups in the Cisco SD-Access Domain (behind Borders B, B) appear in ACI as External (Outside Fabric) EPGs, e.g. EXT-EPG1 and EXT-EPG3]

ACI EPGs Automatically Propagated into Cisco SD-Access

ISE dynamically learns EPGs and VM bindings from the ACI fabric, shared to SXP.

[Diagram: Internal (Inside Fabric) EPGs in ACI (e.g. VM1, VM25) appear as Security Groups from APIC-DC in the Cisco SD-Access Domain (behind Borders B, B)]

Hardware and Software recommendations

  ACI Fabric Hardware   ACI Software   ISE   APIC
  Nexus 9K*             12.1           2.4   2.1

* Please check release notes for latest information
* Nexus 9K models: 9396PX/TX, 9372PX/TX, 93120TX, 93128TX, 9736PQ LC, 9336PQ, 93108-EX, 93180-EX

Cisco SD-Access SGT Info Used in ACI Policies

[Diagram: ISE sits between the Cisco SD-Access policy domain and the ACI policy domain. ISE exchanges into ACI: SGT Name = Controller Layer, SGT Binding = 10.1.10.220. ISE retrieves from ACI: EPG Name = PCI Auditor, EPG Binding = 10.1.100.52. Network layer: a flow from SRC 10.1.10.220 to DST 10.1.100.52 carries SGT 5 inside SD-Access, crosses the Border over VRF-Lite to the ACI Border Leaf (N9K), ACI Spine (N9K) and ACI Leaf (N9K), and is matched as EPG 17000 in ACI. SGT groups are available in ACI policies.]

Alternate Design Option for Fusion Router

Border Deployment Options: Firewall as fusion router

[Diagram: Control-Plane node C and Borders (B, B) connect to a Firewall acting as fusion router, which fronts APIC-EM, DHCP/DNS, Identity Service, the VRF/GRT and Shared Services/Data Center]

Border Deployment Options: Firewall as fusion router

[Diagram (built up over several slides): Control-Plane node C and Borders (B, B) connected to the Firewall. (1) Control plane: LISP inside the fabric, BGP/IGP from the border to the firewall. (2) Data plane: VXLAN inside the fabric, VRF-Lite to the firewall. (3) Policy plane: SGT in VXLAN inside the fabric, SGT in-line tagging to the firewall; ISE distributes Group Tags to the firewall via SXP/pxGrid.]

Firewall gets Group Based Tags from ISE.

Cisco SD-Access Fabric: Large Enterprise Network Design – Cisco SD-Access Network

[Diagram: Fabric with Control-Plane node C and Access Nodes; a DC & Internet Border to the Traditional or VXLAN/ACI DC Fabric and Shared Services, a Guest Border to the Firewall and Internet, a WAN Border to the OTT WAN; Centralized WLC; Large and Small Hybrid WAN Sites]

WAN Connectivity with Rest of Company / Internal Border

Border Deployment Options: WAN Connectivity with Border - WAN (MPLS/DMVPN)

[Diagram (built up over several slides): Control-Plane node C and Borders (B, B) connected to the WAN. (1) Control plane: LISP inside the fabric, MP-BGP/IGP to the WAN. (2) Data plane: VXLAN inside the fabric, IPSEC/IP/MPLS across the WAN. (3) Policy plane: SGT in VXLAN inside the fabric, SGT in IPSEC/DMVPN across the SD-WAN.]

Border Deployment Options: Policy Options for WAN Edge (SD-Access SGT in data plane)

[Diagram: Cisco DNA-Center managing two SD-Access Fabric Sites, each with Control Plane C and Border Router B, joined across the WAN by their Borders]

  Plane           Fabric Site                                  WAN                                      Fabric Site
  Control plane   LISP                                         MP-BGP                                   LISP
  Data plane      VXLAN header: VNID (24 bits), SGT (16 bits)  IPSec/DMVPN header: CMD-SGT (16 bits)    VXLAN header: VNID (24 bits), SGT (16 bits)

Border Deployment Options: Policy Options for WAN Edge (SXP for IP to SGT bindings and SG-ACLs)

[Diagram: Cisco DNA-Center managing two SD-Access Fabric Sites, each with Control Plane C and Border Router B, joined across an MPLS WAN; IP-to-SGT bindings and SG-ACLs are distributed by SXP]

  Plane           Fabric Site                                  WAN                                      Fabric Site
  Control plane   LISP                                         MP-BGP                                   LISP
  Data plane      VXLAN header: VNID (24 bits), SGT (16 bits)  MPLS header: Labels, VRF (24 bits)       VXLAN header: VNID (24 bits), SGT (16 bits)

Connectivity to Unknown Networks like Internet via the Anywhere Border

Cisco SD-Access Fabric: Large Enterprise Network Design – Cisco SD-Access Network

[Diagram: Fabric with Control-Plane node C and Access Nodes; a DC & Internet Border to the Fusion Router and Internet Edge, a Guest Border to the Internet]

Border Deployment Options: Anywhere Border for Internet – VRF LITE

[Diagram: SDA Fabric with Control-Plane node C and Borders (B, B) -> Fusion Router/Firewall -> Internet. Control plane: LISP inside the fabric, BGP from the border to the fusion router/firewall, BGP to the Internet. Data plane: VXLAN inside the fabric, VRF-Lite to the fusion router/firewall, IP to the Internet.]

Small Enterprise Network Design: Traditional Network Design

Cisco SD-Access Fabric: Small Enterprise Network Design – Traditional Network

  Role              Platform
  Access Node       Cat3K/9300, Cat4K/9400
  Collapsed Core    Cat6K/9500, ISR4K (WAN)
  WLCs              Centralized: 3504 WLC, x800 APs
  Data Center       N9K (NX-OS), N7K (NX-OS), N9K (ACI)
  Security          ISE 2.3, ASA 55xx, Windows AD

[Diagram: Traditional network with Core and Access Nodes, Centralized WLC, Internet Edge and Guest Internet, Traditional DC and VXLAN/ACI Fabric, Shared Services, OTT WAN to Small and Large Hybrid WAN Sites]

Cisco SD-Access Network Design

Cisco SD-Access Fabric: Large Enterprise Network Design – Cisco SD-Access Network

  Role              Platform
  Access Node       Cat3K/9300, Cat4K/9400
  Collapsed Core    Cat6K/9500, ISR4K (WAN)
  WLCs              Centralized: 3504 WLC, x800 APs
  Data Center       N9K (NX-OS), N7K (NX-OS), N9K (ACI)
  Security          ISE 2.3, ASA 55xx, Windows AD

[Diagram (built up over several slides): Fabric with Access Nodes, Control-Plane node C and an All-In-One Border connecting to the Fusion Router, the Traditional and VXLAN/ACI DC Fabric, Shared Services, Internet Edge and Internet, Centralized WLC, and the OTT WAN to Small and Large Hybrid WAN Sites]

1. The Border needs to be an outside world/external world border, as there is only one exit point from the fabric to all external domains.

Cisco SD-Access - Border Deployment: Which Border to pick?

• Outside world (External): connects to the unknown part of the company, like the internet, or is the only exit point from the fabric.
• Rest of Company (Internal): connects to the known part of the company, like DC, WAN, etc.
• Anywhere (Internal + External): connects to the internet and also to the known part of the company, like DC, WAN, etc.

Border Deployment Options: Outside World/External Border

Cisco DNA Center workflow (screenshot labels: SJC22, San_Jose, 16.6.2, CORE):
1. Select the Border Node role
2. Select the Connection type
3. Select the Layer 3 hand off
4. Select the Type of Hand Off
5. Select Subnet for Hand off
6. Select the External Interface(s)
7. Select Remote AS
8. Select VRF advertisement

DEMO TIME

Conclusion: Session Summary

[Diagram: Cisco DNA Center simple workflows (Design, Provision, Policy, Assurance) over the Cisco SD-Access Fabric (B, B, C)]

Cisco SD-Access Support: Digital Platforms for your Cisco Digital Network Architecture. For more details: cs.co/sda-compatibility-matrix

What to Do Next?

Cisco SD-Access Resources: Related Sessions

Cisco SD-Access Fabric, Integration and Policy:
• Cisco SD-Access - 8H Technical Seminar - TECCRS-3810: Monday, Jan 28 8:30 AM - 6:45 PM
• Cisco SD-Access - A Look Under the Hood - BRKCRS-2810: Tuesday, Jan 29 11:00 AM - 1:00 PM
• Cisco SD-Access - Connecting to the DC, Firewall, WAN & More! - BRKCRS-2821: Wednesday, Jan 30 8:30 AM - 10:30 AM
• Cisco SD-Access - Technology Deep Dive - BRKCRS-3810: Tuesday, Jan 29 2:30 PM - 4:00 PM
• Cisco SD-Access - Scaling to Hundreds of Sites - BRKCRS-2825: Wednesday, Jan 30 2:30 PM - 4:00 PM
• Cisco SD-Access - Connecting Multiple Sites - BRKCRS-2815: Wednesday, Jan 30 11:00 AM - 1:00 PM
• Cisco SD-Access – Integrating Existing Network - BRKCRS-2812: Friday, Feb 01 11:30 AM - 1:30 PM
• Cisco SD-Access – Assurance and Analytics - BRKCRS-2814: Wednesday, Jan 30 4:30 PM - 6:00 PM
• Simplifying and Securing the Cisco Digital Network Architecture - BRKCRS-1449: Tuesday, Jan 29 5:00 PM - 6:30 PM
• Cisco SD-Access - Troubleshooting the Fabric - BRKARC-2020: Thursday, Jan 31 2:30 PM - 4:00 PM
• Group-Based Policy for On-Prem, Hybrid & Cloud with Cisco DNA - BRKCLD-2412: Wednesday, Jan 30 2:30 PM - 4:00 PM
• Cisco SD-Access Campus Cisco Validated Design - BRKCRS-1501: Friday, Feb 01 9:00 AM - 11:00 AM
• Cisco SD-Access - Policy Driven Manageability - BRKCRS-3811: Thursday, Jan 31 2:30 PM - 4:00 PM

Cisco SD-Access Wireless:
• How to Setup SD-Access Wireless from Scratch - BRKEWN-2021: Thursday, Jan 31 8:30 AM - 10:30 AM
• Cisco SD-Access - Wireless Integration - BRKEWN-2020: Friday, Feb 01 9:00 AM - 11:00 AM

Cisco SD-Access Labs:
• Cisco SD-Access & ACI Integration - Hands-on Lab - LTRACI-2636: Tuesday, Jan 29 2:15 PM - 6:15 PM
• Cisco SD-Access - Hands-on Lab - LTRCRS-2810: Wednesday, Jan 30 9:00 AM - 1:00 PM

Cisco SD-Access Resources: Would you like to know more?

cisco.com/go/dna, cisco.com/go/sdaccess, cisco.com/go/dnacenter, cisco.com/go/cvd

• SD-Access At-A-Glance
• SD-Access Ordering Guide
• SD-Access Solution Data Sheet
• SD-Access Solution White Paper
• SD-Access Design Guide
• SD-Access Deployment Guide
• SD-Access Segmentation Guide
• Cisco DNA Center At-A-Glance
• Cisco DNA Center Data Sheet
• Cisco DNA Center 'How To' Video Resources
• Cisco DNA ROI Calculator

Cisco Webex Teams

Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session.

How:
1. Find this session in the Cisco Events Mobile App
2. Click "Join the Discussion"
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space

cs.co/ciscolivebot#BRKCRS-2821

Complete your online session survey

• Please complete your Online Session Survey after each session
• Complete 4 Session Surveys & the Overall Conference Survey (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Events Mobile App or the Communication Stations

Don't forget: Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com

Continue Your Education

• Related sessions
• Demos in the Cisco Showcase
• Walk-in self-paced labs
• Meet the engineer 1:1 meetings

Thank you