Cisco CCNP Enterprise 300-420 ENSLD – SD Access Fabric Design Part 1

  1. SD-Access Fabric Constructs

It is important to understand how SD-Access and other technologies such as SD-WAN interact with data centers based on Cisco ACI and with infrastructure that has implemented either Cisco TrustSec or VRFs. Understanding how these technologies intersect and how policies are translated between environments cannot be overlooked. As organizations begin migrating to a full intent-based networking (IBN) model, existing segmentation strategies (ACI, VRFs or Cisco TrustSec) will influence decisions about how virtual networks at the macro-segmentation level and scalable groups at the micro-segmentation level should be organized and populated within an SD-Access fabric.

SD-Access fabric constructs. With the introduction of Cisco Software-Defined Access (SD-Access) and, more broadly, Cisco Digital Network Architecture (DNA), the means by which network segmentation can be implemented is once again evolving. Intent-based networking solutions allow conventional practices, which required manually derived configurations on individual network elements, to be replaced by controller-led, policy-based actions that let operators express the intended outcome and then validate that the network is doing what was asked of it.

Virtual networks and SGTs in SD-Access. Virtual networks (VNs), like VRFs, provide complete isolation between traffic and devices in one VN and those in other VNs within the SD-Access fabric.

Information identifying the virtual network is carried in the VXLAN Network Identifier (VNI) in the VXLAN header. When DNA Center is implemented, ISE is still deployed as a separate appliance providing identity and policy services for the SD-Access campus fabric. When creating scalable group tags through the DNA Center user interface, the ISE user interface is cross-launched and the task is completed there. ISE maintains the scalable group information that is later used in DNA Center for policy creation.

Although the policies and corresponding contracts are created in DNA Center, both are communicated back to ISE through Representational State Transfer application programming interface (REST API) calls. ISE then serves as the single point of reference for SGTs, policies and contracts, which are dynamically distributed to the network infrastructure. Segmentation within SD-Access is enabled through the combined use of virtual networks (VNs), which are synonymous with VRFs, and Cisco TrustSec scalable group tags (SGTs). Whereas segmentation can be accomplished through intent-driven or purpose-built virtual networks alone, Cisco TrustSec SGTs provide logical segmentation based on group membership. Cisco TrustSec adds a further layer of granularity, allowing you to use SGTs within a single VN and so providing micro-segmentation within the VN.

Cisco TrustSec and VRFs can be used together and are not mutually exclusive. When they are used together, segmentation is achieved by the isolation between VRFs, while further micro-segmentation is then possible with the use of Cisco TrustSec within the VRFs.

SD-Access key components and differences. Originally, network segmentation was aligned to a strategy for improving network stability and performance.

Over time, it has evolved to reflect a security strategy in which the network is segmented or compartmentalized to enforce a policy by enabling controls within and between segments. Today, while VLANs and private VLANs deliver rudimentary Layer 2 segmentation of Layer 3 IP subnets for some organizations, many others have chosen to use VRFs or software-defined segmentation via Cisco TrustSec as the primary means of segmenting a network. VRFs provide complete isolation of routing and switching environments, making VRF a common network segmentation technology for a substantial number of organizations, using VRF-Lite over either 802.1Q trunks or GRE, or often even MPLS, as the underlying transport.

Aside from VRFs, however, an increasing number of organizations are using Cisco TrustSec to provide logical, group-based segmentation without the need to support data plane isolation along with the routing control plane considerations inherent to VRFs. Both approaches offer their own unique benefits, and some customers have decided to implement both technologies. VRFs and Cisco TrustSec software-defined segmentation will continue to be, both now and in the foreseeable future, extremely effective methods for segmenting the network and, through this segmentation, whether virtual or logical, extending a security policy.

Control plane based on LISP. In the past, control plane functionality relied on routing protocols that required larger tables and more CPU. This solution was very expensive to maintain. Locator/ID Separation Protocol (LISP) is a routing architecture that provides new semantics for IP addressing.

The current IP routing and addressing architecture uses a single numbering space, the IP address, to express two pieces of information: identity and location. LISP separates them through a mapping system: a map server/map resolver, which is the equivalent of a control plane, builds a database of the current location and identity of each endpoint. LISP allows for smaller tables and less CPU. The edge nodes keep track only of what is connected to them. LISP is an optimized, on-demand mapping protocol for locating a destination: the system first checks its cache, and if the destination is not found in the cache it then queries the map server.

The edge nodes implement the Layer 3 access design with the addition of the following fabric functions.

Endpoint registration. Each edge node has a control plane session to all control plane nodes. After an endpoint is detected by the fabric edge, it is added to a local host tracking database called the EID table.

The edge device also issues a LISP map-register to inform the control plane node of the detected endpoint so that it can populate the host tracking database (HTDB).

Mapping of user to virtual network. Endpoints are placed into virtual networks by assigning the endpoint to a VLAN associated with the LISP instance. The mapping of endpoints into VLANs can be done statically or dynamically using 802.1X. An SGT is also assigned, and the SGT can be used to provide segmentation and policy enforcement at the fabric edge.

Anycast Layer 3 gateway. A common gateway IP and MAC address can be used at every node that shares a common EID subnet, providing optimal forwarding and mobility across nodes.

LISP forwarding. Instead of a typical routing-based decision, the fabric edge nodes query the map server to determine the RLOC associated with the destination EID and then use that information as the traffic destination. If the destination RLOC cannot be resolved, the traffic is sent to the default fabric border, where the global routing table is used for forwarding. The response received from the map server is stored in the LISP map-cache, which is merged into the Cisco Express Forwarding (CEF) table and installed in hardware. If traffic is received at a fabric edge for an endpoint that is not locally connected, a LISP Solicit-Map-Request (SMR) is sent to the sending fabric edge to trigger a new request. This addresses the case where the endpoint may now be present on a different fabric edge switch.

VXLAN encapsulation and decapsulation. The fabric edge nodes use the RLOC associated with the destination IP address to encapsulate the traffic with VXLAN headers.

Similarly, VXLAN traffic received at a destination RLOC is decapsulated. Encapsulation and decapsulation of traffic allow the location of an endpoint to change, so that traffic is encapsulated toward a different edge node and RLOC in the network, without the endpoint having to change its address within the encapsulation. The fabric control plane (LISP) dramatically simplifies traditional routing environments by removing the need for each router to process every possible IP destination address and route.

Control plane registration and resolution. This is an example of the registration and resolution process. It shows a subnet that has been stretched across several physical devices. The registration of the nodes is important: an endpoint is registered, and when another endpoint wants to talk to it, traffic is sent to the last device that registered that endpoint.

In this example, the RLOC for 10.2 is 2.1.2.1. The map server can reply to the request, but if the endpoint moves to some other switch, the map server points to the last switch that registered the endpoint. The control plane controls the communication between routers. In the example, the network maps EID 10.2 to RLOC 2.1.2.1: the edge adds an additional IP header and encapsulates the packet, and the remote edge decapsulates it. A lookup of the cache entry is done first; if the destination is not found, a LISP map-request is generated. Once a destination is entered into the cache, it remains there for 24 hours. The path preference is controlled by the destination site, and traffic is sent to the last entry in the database.

The slide shows the encapsulation with the outer header and then the decapsulation of the packet. When SD-Access has been deployed, routing complexity within the fabric is eliminated: by virtue of the VXLAN data plane and LISP control plane overlays, the routing considerations are moved to the edge of the fabric. At the border of the fabric there will still be a need for either a fusion router or a firewall for any necessary route leaking between SD-Access virtual networks and the external network. An example of when a separate virtual network would be useful is Payment Card Industry Data Security Standard (PCI DSS) compliance, where security controls must be implemented restricting all access to cardholder data and transactions. Placing all devices that will collect, store or transmit credit card transactions within a single virtual network drastically reduces the scope of a PCI audit, providing limited access to that environment with the appropriate enforcement and logging capabilities.

Unlike its legacy virtual routing and forwarding (VRF) counterpart, the SD-Access fabric does not require a separate routing table per virtual network within the fabric; LISP is used within the fabric to provide control plane forwarding information. External to the SD-Access fabric, at the SD-Access border, the virtual networks map directly to VRF instances, which may be extended beyond the fabric. Path isolation techniques such as VRF-Lite or MPLS may be used to maintain the isolation between VRFs. Additionally, SD-Access IP addressing information, represented by the fabric endpoint identifier (EID), is redistributed into a routing protocol such as BGP, EIGRP or OSPF for use in extending virtual networks. By default, DNA Center has a single virtual network, DEFAULT_VN, to which all users and endpoints belong. Upon DNA Center integration with ISE, the default virtual network is populated with scalable groups from ISE.

These scalable groups can be used in DEFAULT_VN, or additional virtual networks can be defined.

Fabric operation. The SD-Access fabric control plane node is based on the LISP map server (MS) and map resolver (MR) functionality combined on the same node. The control plane database tracks all endpoints in the fabric site and associates the endpoints to fabric nodes, decoupling the endpoint IP address or MAC address from its location (the closest router) in the network. The control plane node functionality can be colocated with a border node or can use dedicated nodes for scale; in deployments, between two and six nodes are used for resiliency.

Fabric internal forwarding, edge to edge. This slide shows the encapsulation of an IP packet with a source of 10.10.1 destined to 10.2. If no cache entry exists, a LISP lookup is performed. 10.2 has an entry pointing to 2.1.2.1. Traffic from the source routing locator is forwarded to the destination RLOC, and the network sees only the outer packet. Border and edge nodes register with and use all control plane nodes, so the resilient nodes chosen should be of the same type for consistent performance. The control plane node enables the following functions. Host tracking database: the HTDB is a central repository of EID-to-fabric-edge-node bindings. Map server: the LISP MS is used to populate the HTDB from registration messages from fabric edge devices. Map resolver: the LISP MR is used to respond to map queries from fabric edge devices requesting RLOC mapping information for destination EIDs. If an endpoint moves, host mobility with dynamic EID migration is used.

Host mobility (dynamic EID migration). The client comes online and registers with node 12.1. If this endpoint moves from campus building one to campus building two, the new switch has to register the endpoint. The new switch registers the endpoint and wipes out the old entry, and the previous switch is informed; the endpoint now appears there as remote instead of local. The SD-Access fabric edge nodes are the equivalent of an access layer switch in a traditional campus LAN design. The edge nodes implement the Layer 3 access design.

The fabric data plane. When designing the fabric data plane and control plane, there are key requirements to consider: control plane design, fabric border design and infrastructure services. The fabric data plane provides the following: underlay address advertisement and mapping; automatic tunnel setup (virtual tunnel endpoints); and frame encapsulation between routing locators. Both the LISP and the VXLAN header format are supported; the two are nearly the same, with different fields and payload. The LISP header carries an IP payload.
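The registration, resolution, default-border fallback, host mobility and Solicit-Map-Request steps described above, as an added toy model (not Cisco code or course material); node names, EIDs and RLOCs are made up, and `BORDER_RLOC` is an assumed border address.

```python
"""Toy model of the SD-Access LISP control plane: registration, map-cache resolution,
default-border fallback, host mobility and SMR. Constructed example, not Cisco code."""

BORDER_RLOC = "1.1.1.1"   # assumed RLOC of the default fabric border

class ControlPlaneNode:
    """LISP Map-Server/Map-Resolver holding the host tracking database (HTDB)."""
    def __init__(self):
        self.htdb = {}    # EID -> RLOC of the edge node that registered it
        self.edges = {}   # RLOC -> EdgeNode, so a previous edge can be told of a move
    def map_register(self, eid, rloc):
        """A newer registration replaces the old binding and informs the old edge."""
        old = self.htdb.get(eid)
        self.htdb[eid] = rloc
        if old is not None and old != rloc:
            self.edges[old].eid_moved(eid)
        return old
    def map_request(self, eid):
        """Map-Resolver reply: the bound RLOC, or None if the EID was never registered."""
        return self.htdb.get(eid)

class EdgeNode:
    """Fabric edge node: its RLOC, local EID table and LISP map-cache."""
    def __init__(self, rloc, cp):
        self.rloc, self.cp, self.local_eids, self.map_cache = rloc, cp, set(), {}
        cp.edges[rloc] = self
    def detect_endpoint(self, eid):
        self.local_eids.add(eid)              # add to the local EID table ...
        self.cp.map_register(eid, self.rloc)  # ... and register with the control plane
    def eid_moved(self, eid):
        self.local_eids.discard(eid)          # endpoint is now remote, not local
    def forward(self, eid):
        """Return the RLOC toward which a packet for `eid` is VXLAN-encapsulated."""
        if eid in self.local_eids:
            return self.rloc                  # locally connected: no encapsulation
        if eid not in self.map_cache:         # cache miss: ask the resolver
            rloc = self.cp.map_request(eid)
            if rloc is None:
                return BORDER_RLOC            # unresolved: default border, global table
            self.map_cache[eid] = rloc        # cached for later lookups (merged into CEF)
        return self.map_cache[eid]
    def receive(self, eid, sender):
        """If the EID is no longer local, send an SMR so the sender re-resolves it."""
        if eid not in self.local_eids:
            sender.map_cache.pop(eid, None)
            return "SMR"
        return "delivered"

def demo():
    cp = ControlPlaneNode()
    a, b, c = (EdgeNode(r, cp) for r in ("2.1.2.1", "2.1.2.2", "2.1.2.3"))
    a.detect_endpoint("10.2.0.10")
    first = c.forward("10.2.0.10")          # miss -> resolver -> 2.1.2.1, now cached
    unknown = c.forward("10.9.9.9")         # never registered -> default border
    b.detect_endpoint("10.2.0.10")          # host moves to edge B; A learns it is remote
    stale = c.forward("10.2.0.10")          # C still uses its cached 2.1.2.1
    smr = a.receive("10.2.0.10", sender=c)  # A no longer has it locally -> SMR to C
    fresh = c.forward("10.2.0.10")          # C re-resolves -> 2.1.2.2
    return first, unknown, stale, smr, fresh
```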

The VXLAN header carries a MAC payload (MAC-in-IP). Encapsulation is triggered by LISP control plane events: ARP or NDP learning on the Layer 3 gateways, and map-reply or map-cache events on the routing locators. SD-Access configures the overlay network for fabric data plane encapsulation using the Virtual Extensible LAN (VXLAN) technology framework. VXLAN encapsulates complete Layer 2 frames for transport across the underlay, with each overlay network identified by a VXLAN Network Identifier (VNI). The VXLAN header also carries the SGTs required for micro-segmentation.

The SD-Access solution integrates Cisco TrustSec by supporting group-based policy end to end, placing SGT information in the VXLAN headers for data plane traffic while supporting multiple VNs using unique VNIs. Policy, authentication, authorization and accounting (AAA) services and endpoint profiling are driven by ISE and orchestrated by Cisco DNA Center's policy authoring workflows.

  2. Design Requirements of the Underlay Network

Manual underlays allow variations from the automated underlay deployment. For example, a different IGP could be chosen, but the underlay design principles listed below still apply. The Cisco DNA Center LAN Automation feature is an alternative to manual underlay deployments for new networks and uses an IS-IS routed access design. Although there are many alternative routing protocols, the IS-IS selection offers operational advantages such as neighbor establishment without IP protocol dependencies, peering capability using loopback addresses, and agnostic treatment of IPv4, IPv6 and non-IP traffic. Having a well-designed underlay network will ensure the stability, performance and efficient utilization of the SD-Access network. Automation for deploying the underlay is available using Cisco DNA Center. Underlay networks for the fabric have the following design requirements.

Layer 3 access design. The use of a Layer 3 routed network for the fabric provides the highest level of availability without the need for loop avoidance protocols or interface bundling techniques.

Increased default MTU. VXLAN has 50 and optionally 54 bytes of encapsulation overhead.

Some Ethernet switches support a maximum transmission unit (MTU) of 9216, while others may have an MTU of 9106 or smaller. Given that server MTUs typically go up to 9000 bytes, enabling a network-wide MTU of 9100 ensures that Ethernet jumbo frames can be transported without any fragmentation inside and outside of the fabric.

Use point-to-point links. Point-to-point links provide the quickest convergence because they eliminate the need to wait for the upper-layer protocol timeouts typical of more complex topologies. Combining point-to-point links with the recommended physical topology design provides fast convergence after a link failure.
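As an added example (not from the course material or Cisco), the following Python builds and parses the VXLAN header that carries the VNI and the SGT described in the data plane section, and checks the 50/54-byte overhead against the 9100-byte underlay MTU; the field layout follows the VXLAN group policy (VXLAN-GPO) draft, and counting the overhead relative to the endpoint's IP packet is my convention.

```python
"""VXLAN-GPO header as used for the SD-Access data plane: the 24-bit VNI selects
the virtual network and the 16-bit Group Policy ID carries the SGT. Constructed
example following the draft-smith-vxlan-group-policy layout; not Cisco code."""
import struct

FLAG_G = 0x8000   # G bit: Group Policy ID field is valid
FLAG_I = 0x0800   # I bit: VNI field is valid
# Bytes added around the endpoint's IP packet by MAC-in-IP VXLAN encapsulation
INNER_ETH, DOT1Q, VXLAN, UDP, OUTER_IPV4 = 14, 4, 8, 8, 20


def build_vxlan_gpo(vni, sgt):
    """Return the 8-byte VXLAN header: flags, Group Policy ID (SGT), VNI, reserved."""
    if not 0 <= vni < 1 << 24 or not 0 <= sgt < 1 << 16:
        raise ValueError("VNI is 24 bits, SGT is 16 bits")
    return struct.pack("!HHI", FLAG_G | FLAG_I, sgt, vni << 8)  # low byte is reserved


def parse_vxlan_gpo(hdr):
    """Inverse of build_vxlan_gpo: (vni, sgt); sgt is None when the G bit is clear."""
    flags, gpid, vni_res = struct.unpack("!HHI", hdr[:8])
    if not flags & FLAG_I:
        raise ValueError("I bit clear: header carries no valid VNI")
    return vni_res >> 8, (gpid if flags & FLAG_G else None)


def encap_overhead(tagged=False):
    """50 bytes, or 54 when the inner frame keeps an 802.1Q tag."""
    return INNER_ETH + (DOT1Q if tagged else 0) + VXLAN + UDP + OUTER_IPV4


def fits_without_fragmentation(endpoint_ip_mtu, underlay_mtu, tagged=False):
    """Can a full-size endpoint packet cross the underlay without fragmentation?"""
    return endpoint_ip_mtu + encap_overhead(tagged) <= underlay_mtu
```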

The fast convergence is a benefit of quick link failure detection, triggering immediate use of alternate topology entries pre-existing in the routing and forwarding table. Implement the point-to-point links using optical (fiber) technology, because optical interfaces offer the fastest failure detection times, which improves convergence.

ECMP. Equal-cost multipath (ECMP) routing is a routing strategy where next-hop packet forwarding to a single destination can occur over multiple best paths. Load balancing between these equal-cost paths is performed automatically using Cisco Express Forwarding (CEF). ECMP-aware IGP routing protocols should be chosen to take advantage of the parallel equal-cost links and to provide redundant forwarding paths for resiliency.

BFD. Bidirectional Forwarding Detection (BFD) should be used to enhance the fault detection and convergence characteristics of the IGP.

NSF. Nonstop forwarding (NSF) works with stateful switchover (SSO) to provide continued forwarding of packets in the event of a route processor switchover. NSF-aware IGP routing protocols should be used to minimize the amount of time that the network is unavailable following a switchover.

Dedicated IGP for the fabric. The underlay network of the fabric only requires IP reachability from the fabric edge to the border node.

In a fabric deployment, a single-area IGP design can be implemented with a dedicated IGP process at the SD-Access fabric, typically using a link-state protocol such as IS-IS for its performance advantage. While IS-IS is used for LAN Automation, other routing protocols such as Open Shortest Path First (OSPF) and Enhanced Interior Gateway Routing Protocol (EIGRP) are supported, and both are ECMP-aware.

Loopback propagation. The loopback addresses assigned to the underlay devices need to propagate outside of the fabric to establish connectivity to infrastructure services such as fabric control plane nodes, DNS, DHCP and AAA. Use /32 host masks as required for RLOC reachability; the default route cannot be used for this purpose.

Apply tags to the host routes as they are introduced into the network, and reference the tags to redistribute and propagate only the tagged loopback routes. This is an easy way to selectively propagate routes outside of the fabric and avoid maintaining prefix lists.

WLC reachability. Connectivity to the WLC should be treated like the loopback addresses. A default route in the underlay cannot be used by the APs to reach the WLCs; a specific route to the WLC IP address must exist in the global routing table at each switch where the APs are physically connected.

LAN Automation for deployment. You can automate the configuration of the underlay by using LAN Automation services in Cisco DNA Center. In non-greenfield deployment cases, you manually create the underlay. Manual underlays allow variations from the automated underlay deployment. For example, a different IGP could be chosen, but the previously listed underlay design principles still apply. The Cisco DNA Center LAN Automation feature is an alternative to manual underlay deployments for new networks and uses an IS-IS routed access design. Although there are many alternative routing protocols, the IS-IS selection offers operational advantages such as neighbor establishment without IP protocol dependencies, peering capability using loopback addresses, and agnostic treatment of IPv4, IPv6 and non-IP traffic. In the latest versions of Cisco DNA Center, LAN Automation uses Cisco Network Plug and Play features to deploy both unicast and source-specific multicast routing configuration in the underlay, aiding traffic delivery efficiency for the services built on top of it. Using LAN Automation to automate the network underlay provides orchestration of MTU, routed point-to-point links, ECMP, NSF, BFD and routed access, while also propagating the loopback addresses for the automated fabric nodes. It also provisions SNMP credentials while upgrading the device software to the desired version. To automate the deployment of the underlay, Cisco DNA Center uses IP to access a Cisco Network Plug and Play seed device directly connected to the new underlay devices; the remaining devices are accessed hop by hop using CDP discovery.