Evolving your Campus Network with Campus Fabric
Shawn Wargo, Technical Marketing Engineer
BRKCRS-3800
Campus Fabric Abstract
Is your Campus network facing some, or all, of these challenges?
  Host Mobility (w/o stretching VLANs)
  Network Segmentation (w/o implementing MPLS)
  Role-based Access Control (w/o end-to-end TrustSec)
Using Cisco technologies available today, you can overcome these challenges and build an Evolved Campus Network to better meet your business objectives. Come to this session to get a deeper insight into the Key Technologies, Designs and Configurations (e.g. LISP with VXLAN, and TrustSec) that bring this evolution to life!
We highly recommend that attendees already be familiar with: Enterprise Campus Design (BRKCRS-2031), Location ID Separation Protocol (BRKRST-3045), and Cisco Trust Security (BRKCRS-2891).
BRKCRS Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
  Key Benefits: Why do I care?
  Key Concepts: What is a Fabric?
  Solution Overview: How does it work?
  Putting It Together: Where do things go?
  Take-Away: When to get started?

Key Benefits: Why do I care?
Cisco Digital Network Architecture Overview
(Architecture diagram; the labels it carries:)
  Network-enabled Applications; Cloud Service Management; Open APIs; Developers Environment
  Principles: Automation; Abstraction & Policy Control from Core to Edge; Open & Programmable; Standards-Based; Virtualization; Security & Compliance; Cloud-enabled; Software-delivered
  Automation & Assurance: Policy, Orchestration, Analytics (Network Data, Contextual Insights); Insights & Experiences
  Physical & Virtual Infrastructure; App Hosting

Cisco Digital Network Architecture
(Architecture diagram; the labels it carries:)
  APIs; Network Enabled Applications; UNI; GUI; Enterprise Controller (Policy Determination); Analytics APIs
  Prescriptive Service Definition & Orchestration; Model-based; Customized; Telemetry; Intent; Service Instantiation; Topology; Easy QoS; Plug & Play; Path Optimization
  Policy Enforcement Points across Branch, WAN / Branch WAN Agg, Campus, Data Center, SP, Internet, Cloud and Apps; Segmentation 1, 2, 3; Int. Acc
  WAN VNFs, Campus VNFs, DC VNFs, Cloud VNFs: Localized or network-wide Service Chaining; Network Function Virtualization
  UNI: Network Interface; PEP: Policy Enforcement Point

What is Campus Fabric?
(Overview diagram; the labels it carries:)
  Foundational Technologies: Programmable Custom ASICs; Converged Software Services; Industry Leading Wired & Wireless; Stacking; TrustSec; SDN
  Advanced Functionality: Programmable Pipeline; Flexibility; Recirculation; Optimized for Campus; Integrated Stacking; Visibility; Security
  Future Proofed: Long Life Cycle; Investment Protection
  + Network Enabled Applications: Collaboration; Mobility; IoT; Security
  Automation and Analytics: Controller; Visible; Programmable; Open; Virtualization
  Campus Fabric: Segmentation; L2 Flexibility; HA
  Designed for Evolution; Strong Foundational Capabilities; Driving Innovation Through Technology Investment
Provision: Simplified Provisioning
Deploy devices using best practice configurations from a simple user interface

Segmentation: Security
Simple Segmentation constructs to build Secure boundaries for users and things

Mobility: Wired and Wireless
Host Mobility, because your address is no longer tied to your location

Intelligent Policy: Network Wide
Policy Enforcement based on your identity, not on your address

Key Concepts: What is a Fabric?
What exactly is a Fabric? A Fabric is an Overlay
An Overlay is a logical topology used to virtually connect devices, built on top of an arbitrary physical Underlay topology.
An Overlay network often uses alternate forwarding attributes to provide additional services not provided by the Underlay.
Examples of Network Overlays: GRE or mGRE; LISP; MPLS or VPLS; OTV; IPsec or DMVPN; DFA; CAPWAP; ACI

What exactly is a Fabric? Why Overlays?
Separate the Forwarding Plane from the Services Plane
  Simple Transport Forwarding: Physical Devices and Paths; Maximize Network Availability; Simple and Manageable
  Intelligent Packet Handling: Flexible Virtual Services
Mobility: Track End-points at Edges
Scalability: Reduce core state; Distribute state to network edge
Flexibility & Programmability: Reduced number of touch points

What exactly is a Fabric? Overlay Terminology
(Diagram labels:) Overlay Network; Overlay Control Plane; Encapsulation; Edge Device; Hosts (End-Points); Underlay Network; Underlay Control Plane

What exactly is a Fabric? Types of Overlays
Layer 2 Overlays
  Emulates a LAN segment
  Transport Ethernet Frames (IP & Non-IP)
  Single subnet mobility (L2 domain)
  Exposure to Layer 2 flooding
  Useful in emulating physical topologies
Layer 3 Overlays
  Abstract IP connectivity
  Transport IP Packets (IPv4 & IPv6)
  Full mobility regardless of Gateway
  Contain network related failures (floods)
  Useful to abstract connectivity and policy
Hybrid L2 + L3 Overlays offer the Best of Both Worlds
What is unique about Campus Fabric? Key Components: LISP
1. LISP based Control-Plane
BEFORE: IP Address = Location + Identity
  Routing Protocols = Big Tables & More CPU
  Routing table holds Topology Routes + Endpoint Routes (Prefix / Next-hop for each)
AFTER: Separate Identity from Location
  LISP DB + Cache = Small Tables & Less CPU
  Routing table holds Only Local Routes (Topology Routes: Prefix / Next-hop)
  Endpoint Routes are Consolidated to the LISP DB (Flexible Mapping Database: Prefix / RLOC)

What is unique about Campus Fabric? Key Components: VXLAN
1. LISP based Control-Plane
2. VXLAN based Data-Plane
  ORIGINAL PACKET: ETHERNET | IP | PAYLOAD
  PACKET IN LISP:  ETHERNET | IP | UDP | LISP | IP | PAYLOAD  (Supports L3 Overlay)
  PACKET IN VXLAN: ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD  (Supports L2 & L3 Overlay)

What is unique about Campus Fabric? Key Components: CTS
1. LISP based Control-Plane
2. VXLAN based Data-Plane
3. Integrated Cisco TrustSec: VRF + SGT (Virtual Routing & Forwarding; Scalable Group Tagging)
  Carried in the VXLAN header: ETHERNET | IP | UDP | VXLAN (VRF + SGT) | ETHERNET | IP | PAYLOAD

What is unique about Campus Fabric? Key Differences
1. LISP based Control-Plane
2. VXLAN based Data-Plane
3. Integrated Cisco TrustSec
Key Differences:
  L2 + L3 Overlay -vs- L2 or L3 Only
  Host Mobility with Anycast Gateway
  Adds VRF + SGT into Data-Plane
  Virtual Tunnel Endpoints (No Static)
  No Topology Limitations (Basic IP)
Campus Fabric New Terminology
  Control-Plane Node  = LISP Map-Server
  Edge Node           = LISP Tunnel Router
  Border Node         = LISP Proxy Tunnel Router
  Intermediate Node   = Non-LISP IP Forwarder

Campus Fabric Control-Plane Nodes: A Closer Look
Fabric Control-Plane Node is based on a LISP Map Server / Resolver
  Runs the LISP Host Tracking Database to provide overlay reachability information
  A simple Host Database that tracks Endpoint ID to Edge Node bindings, along with other attributes
  Host Database supports multiple Endpoint ID lookup keys (IPv4 /32, IPv6 /128 or MAC)
  Receives prefix registrations from Edge Nodes with local Endpoints
  Resolves lookup requests from remote Edge Nodes to locate local Endpoints

Campus Fabric Edge Nodes: A Closer Look
Fabric Edge Node is based on a LISP Tunnel Router
  Provides connectivity for Users and Devices connected to the Fabric
  Responsible for Identifying and Authenticating Endpoints
  Registers Endpoint ID information with the Control-Plane Node(s)
  Provides Anycast L3 Gateway for connected Endpoints
  Must encapsulate / decapsulate host traffic to and from Endpoints connected to the Fabric

Campus Fabric Border Nodes: A Closer Look
Fabric Border Node is based on a LISP Proxy Tunnel Router
  All traffic entering or leaving the Fabric goes through this type of node
  Connects traditional L3 networks and / or different Fabric domains to the local domain
  Where two domains exchange Endpoint reachability and policy information
  Responsible for translation of context (VRF & SGT) from one domain to another
  Provides a domain exit point for all Edge Nodes

Campus Fabric Overview: New Terminology
  Fabric Domain (FD)         = LISP Process
  Virtual Neighborhood (VN)  = LISP Instance / VRF
  Endpoint ID Group (EIG)    = Segment / SGT
  Host Pool                  = Dynamic EID / VLAN + IP Subnet
Campus Fabric Virtual Neighborhoods: A Closer Look
Virtual Neighborhood is based on Virtual Routing & Forwarding (VRF)
  Maintains a separate Routing & Switching instance for each Virtual Neighborhood
  LISP uses Instance ID to maintain independent VRF topologies (Default VRF is Instance ID 0)
  LISP adds VNID to the LISP / VXLAN encapsulation
  Endpoint ID prefixes (Host Pools) are advertised within one (or more) LISP Instance IDs
  Uses normal vrf definition configuration, along with RD & RT for remote advertisement (Border Node)

Campus Fabric Endpoint ID Groups: A Closer Look
Endpoint ID Group is based on a Scalable Group Tag (SGT)
  Each User or Device is assigned to a unique Endpoint ID Group (EIG)
  CTS uses Endpoint ID Groups to assign a unique Scalable Group Tag (SGT) to Host Pools
  LISP adds SGT to the LISP / VXLAN encapsulation
  CTS EIGs are used to manage address-independent Group-Based Policies
  Individual Edge & Border Nodes use SGT to enforce local Scalable Group ACLs (SGACLs)

Campus Fabric Host Pools: A Closer Look
Host Pool is based on an IP Subnet + VLAN ID
  Provides the basic IP constructs, including Anycast Gateway for each Host Pool
  Edge Nodes maintain a Switch Virtual Interface (SVI), with IP Subnet, Gateway IP, etc. for each Host Pool
  LISP uses Dynamic EID to advertise each Host Pool (within each Instance ID)
  LISP Dynamic EID allows Host-specific (/32, /128, MAC) advertisement and mobility
  Host Pools can either be assigned Statically (per port) or Dynamically (using Host Authentication)

Technical Overview: How does it work?
  Locator / ID Separation Protocol; VXLAN Encapsulation; Cisco TrustSec
Locator / ID Separation Protocol: Location and Identity Separation
Traditional Behavior - Location + ID are Combined
  Device IPv4 or IPv6 Address represents both Identity and Location
  When the Device moves, it gets a new IPv4 or IPv6 Address for its new Identity and Location
Overlay Behavior - Location & ID are Separated
  Device IPv4 or IPv6 Address represents Identity only
  When the Device moves, it keeps the same IPv4 or IPv6 Address. It has the Same Identity; Only the Location Changes

Locator / ID Separation Protocol: LISP Mapping System
LISP Mapping System is analogous to a DNS lookup
DNS resolves IP Addresses for a queried Name - answers the WHO IS question
  Host: [ Who is lisp.cisco.com ]?
  DNS Server: [ Address is , 2610:D0:110C:1::3 ]
  DNS Name -to- IP URL Resolution
LISP resolves Locators for queried Identities - answers the WHERE IS question
  LISP Router: [ Where is 2610:D0:110C:1::3 ]?
  LISP Map System: [ Locator is , ]
  LISP ID -to- Locator Map Resolution

Locator / ID Separation Protocol: LISP Roles & Responsibilities
EID = End-point Identifier (Host Address or Subnet)
RLOC = Routing Locator (Local Router Address)
Map Server / Resolver: EID to RLOC Mappings; can be distributed across multiple LISP devices
  EID          RLOC
  a.a.a.0/24   w.x.y.1
  b.b.b.0/24   x.y.w.2
  c.c.c.0/24   z.q.r.5
  d.d.0.0/16   z.q.r.5
Tunnel Router - XTR: Edge Devices; Encap / Decap; Ingress / Egress (ITR / ETR)
  ITR map-cache (EID -> RLOC): a.a.a.0/24 -> w.x.y.1; b.b.b.0/24 -> x.y.w.2; c.c.c.0/24 -> z.q.r.5; d.d.0.0/16 -> z.q.r.5
  Underlay routing (RLOC Space, Prefix -> Next-hop): w.x.y.1 -> e.f.g.h; x.y.w.2 -> e.f.g.h; z.q.r.5 -> e.f.g.h
Proxy Tunnel Router - PXTR: Connects between LISP and non-LISP domains; Ingress / Egress (PITR / PETR)
(Diagram regions: Non-LISP; EID Space; RLOC Space)
Locator / ID Separation Protocol: Map Register & Resolution
(Diagram: Branch ITR; Map Server / Resolver; Campus and DC ETRs)
  Mapping Cache Entry (on ITR): /16 ( , )
  Map-Reply: /16 ( , )
  Database Mapping Entry (on ETR): /16 ( , )

Locator / ID Separation Protocol: Map Database Clustering (Redundancy)
  No Synchronization Between Map Servers
  ETRs Must Register with All Map Servers
  ITRs Anycast Map Requests
(Diagram: Branch ITR; Map Resolver (Anycast); Map Server Node Cluster with Mapping DB; Campus and DC ETRs)
  Mapping Cache Entry (on ITR): /16 ( , )
  Map-Reply: /16 ( , )
  Database Mapping Entry (on ETR): /16 ( , )

Locator / ID Separation Protocol: How does LISP operate?
1. DNS Entry: D.abc.com A  ( /24 )
2. Branch S (ITR) reaches Campus D (ETRs) through the Mapping System; a PXTR connects the Non-LISP IP Network
3. Mapping Entry: EID-prefix /24; Locator-set: , priority: 1, weight: 50 (D1); , priority: 1, weight: 50 (D2)
Path Preference Controlled by Destination Site

Locator / ID Separation Protocol: Forwarding from outside a LISP Domain
1. DNS Entry: D.abc.com A
   Mapping Entry: EID-Prefix /24; Locator-Set: , priority: 1, weight: 50 (D1); , priority: 1, weight: 50 (D2)
(Diagram: Non-LISP source S; PXTR; IP Network; Mapping System; Campus ETRs /24; D /24 in DC)

Locator / ID Separation Protocol: Host Mobility - Dynamic EID Migration
(Diagram: Mapping System with Mapping Database; DC1 (D); Campus Bldg 1 and Campus Bldg 2 xTRs; Source S)
  Map Register: EID /32, RLOC
  Routing Table (Mapping System side): /24 Local; /32 Local; /32 LISP0
  Routing Table (xTR): /24 LISP; /24 Local; /32 Local

Locator / ID Separation Protocol: Host Mobility - Refreshing Map-Cache
1. ITRs / PITRs with cached mappings continue to send encapsulated traffic to the old RLOCs, until updated
2. Old ETR sends Solicit Map Request (SMR) messages to any ITRs / PITRs sending traffic to its RLOC for a dynamic EID no longer present (data-triggered)
3. SMR causes the ITR / PITR to initiate a new Map-Request / Reply process
4. New ETR sends Map-Reply to update ITR / PITR map-cache with new location
Traffic now flows to the SAME HOST at its NEW location
(Diagram: Map Cache entries; DC /24 (S); Mapping System; xTRs in Campus Bldg; D /24)
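The four-step map-cache refresh above, run as a toy Python simulation (an added example, not code from the deck or from Cisco): two Map-Servers that do not synchronize, so each ETR registers with both; an ITR with a map-cache; and the data-triggered SMR the old ETR sends when it sees traffic for a host that has moved. RLOCs, the EID and the message flow are constructed, and as a simplification the Map-Server answers the re-issued Map-Request itself instead of forwarding it to the new ETR.

```python
from dataclasses import dataclass, field


@dataclass
class MapServer:
    """Control-Plane Node: LISP host database of EID -> RLOC bindings."""
    db: dict = field(default_factory=dict)

    def register(self, eid, rloc):
        # Map-Register from an ETR; the newest registration for an EID wins
        self.db[eid] = rloc

    def map_request(self, eid):
        # Map-Resolver role: answer "where is <EID>?" (None = negative reply)
        return self.db.get(eid)


@dataclass
class MapServerCluster:
    """Redundant Control-Plane Nodes: no synchronization between them,
    so every ETR must register with all of them (Map Database Clustering)."""
    servers: list

    def register(self, eid, rloc):
        for s in self.servers:
            s.register(eid, rloc)

    def map_request(self, eid):
        # ITRs send Map-Requests to an anycast resolver address; any member
        # can answer because each one holds every registration
        return self.servers[-1].map_request(eid)


@dataclass
class ITR:
    """Edge Node (ingress side): keeps a map-cache of resolved EID -> RLOC."""
    resolver: MapServerCluster
    cache: dict = field(default_factory=dict)
    sent: list = field(default_factory=list)  # (eid, rloc) per encapsulated packet

    def send(self, eid):
        rloc = self.cache.get(eid)
        if rloc is None:
            rloc = self.resolver.map_request(eid)  # Map-Request / Map-Reply
            if rloc is None:
                return None  # unknown EID: nothing to encapsulate to
            self.cache[eid] = rloc
        self.sent.append((eid, rloc))
        return rloc

    def solicit_map_request(self, eid):
        # Step 3: SMR received -> invalidate the stale entry and re-resolve
        self.cache.pop(eid, None)
        return self.send(eid)


@dataclass
class ETR:
    """Edge Node (egress side) with the dynamic EIDs currently attached to it."""
    rloc: str
    map_servers: MapServerCluster
    local_eids: set = field(default_factory=set)

    def host_attached(self, eid):
        # Dynamic EID detected on a local port: register it with every Map-Server
        self.local_eids.add(eid)
        self.map_servers.register(eid, self.rloc)

    def host_departed(self, eid):
        self.local_eids.discard(eid)

    def receive(self, eid, itr):
        """Deliver if the EID is still local; otherwise step 2: send a
        data-triggered SMR back to the ITR still using the old RLOC."""
        if eid in self.local_eids:
            return True
        itr.solicit_map_request(eid)
        return False


def host_mobility_scenario():
    """Replays the slide's four steps; returns (first RLOC used, stale RLOC
    used after the move, delivered at old ETR?, RLOC cached after the SMR)."""
    cluster = MapServerCluster([MapServer(), MapServer()])
    bldg1 = ETR("10.0.0.1", cluster)          # constructed RLOCs
    bldg2 = ETR("10.0.0.2", cluster)
    dc_itr = ITR(cluster)
    host = "192.168.20.50"                    # constructed EID (/32)

    bldg1.host_attached(host)
    first = dc_itr.send(host)                 # resolved and cached -> Bldg 1
    bldg1.host_departed(host)                 # host moves to Bldg 2 ...
    bldg2.host_attached(host)                 # ... which re-registers the /32
    stale = dc_itr.send(host)                 # step 1: cache still says Bldg 1
    delivered = bldg1.receive(host, dc_itr)   # steps 2-4: SMR, new Map-Request
    return first, stale, delivered, dc_itr.cache[host]
```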
Locator / ID Separation Protocol (LISP): Would you like to know more?
Suggested Reading:
  BRKRST - LISP - A Next Generation Networking Architecture
  BRKRST - Troubleshooting LISP
  BRKCRS - LISP in Campus Networks
Other References:
  Cisco LISP Site; Cisco LISP Marketing Site; LISP Beta Network Site or IETF LISP Working Group; Fundamentals of LISP

Technical Overview: How does it work?
  Locator / ID Separation Protocol; VXLAN Encapsulation; Cisco TrustSec
Cisco TrustSec: Traditional segmentation is extremely complex
Static ACL example:
  access-list 102 deny udp gt eq 2165
  access-list 102 deny udp lt gt 428
  access-list 102 permit ip eq gt 1511
  access-list 102 deny tcp gt gt 1945
  access-list 102 permit icmp lt eq 116
  access-list 102 deny udp eq eq 959
  access-list 102 deny tcp eq lt 4993
  access-list 102 deny tcp eq lt 848
  access-list 102 deny ip eq gt 4878
  access-list 102 permit icmp lt eq 1216
  access-list 102 deny icmp gt gt 1111
  access-list 102 deny ip eq eq 4175
  access-list 102 permit tcp lt gt 1462
  access-list 102 permit tcp gt lt 4384
Limits of Traditional Segmentation:
  Security Policy based on Topology (Address)
  High cost and complex maintenance
  Tied to Static ACL, Routing, Redundancy, DHCP Scope, Address, VLAN
Enforcement: IP Based Policies - ACLs, Firewall Rules
Propagation: Carry Segment context through the network using VLAN, IP address, VRF
Classification: Static or Dynamic VLAN assignments (Quarantine VLAN, Voice VLAN, Data VLAN, Guest VLAN, BYOD VLAN)
(Diagram: Enterprise Backbone; Aggregation Layer; Access Layer with VACL; Voice, Employee, Non-Compliant, Supplier and BYOD hosts)

Cisco TrustSec: Simplified segmentation with Group Based Policy
Enforcement: Group Based Policies - ACLs, Firewall Rules (DC Switch or Firewall); DC switch receives policy for only what is connected
Propagation: Carry Group context through the network using only SGT
Classification: Static or Dynamic SGT assignments (ISE; Campus Switch)
(Diagram: Shared Services; Application Servers; Enterprise Backbone; Employee Tag, Supplier Tag, Non-Compliant Tag; Voice, Employee, Supplier and Non-Compliant hosts on VLAN A and VLAN B)
Cisco Trust Security: Sources
Identity Services Engine enables CTS
  NDAC (Network Device Admission Control) authenticates Network Devices for a trusted CTS domain
  SGT & SGT Names: Centrally defined Endpoint ID Groups
    Scalable Group Tags: 3: Employee; 4: Contractors; 8: PCI_Servers; 9: App_Servers
  SGACL - Name Table: Policy matrix to be pushed down to the network devices
  ISE dynamically authenticates endpoint users and devices, and assigns SGTs (802.1X Dynamic SGT Assignment; Static SGT Assignment; Rogue Device(s))

Cisco Trust Security: Two ways to assign SGT
Dynamic Classification: MAB (Campus Access; WLC)
Static Classification:
  L3 Interface (SVI) to SGT
  L2 Port to SGT
  VLAN to SGT
  Subnet to SGT
  VM (Port Profile) to SGT (Hypervisor SW)
(Diagram: Campus Access, Distribution, Core; Enterprise Backbone; DC Core, DC Access; Firewall)

Cisco Trust Security: Ingress Classification with Egress Enforcement
Ingress (Cat3850 / WLC5508): User Authenticated = Classified as Marketing (5); frames carry SRC, DST, SGT: 5 across the Enterprise Backbone (Cat6800, Nexus 7000, Nexus 5500, Nexus 2248)
Destination Classification: CRM: SGT 20; Web: SGT 30
Egress: FIB Lookup = Destination MAC = SGT 20
Egress Enforcement (SGACL), SRC by DST:
                 CRM (20)   Web (30)
  Marketing (5)  Permit     Deny
  BYOD (7)       Deny       Permit

Cisco Trust Security: SGT Propagation & Enforcement Options
Heterogeneous L2 / L3 Networks: User - Switch - Switch - Router - WAN - Router - Firewall - DC Switch - Server
  Classification at the access Switch and at the Server; SXP between hops; SGT over Fabric; SGT over VPN; SGFW at the Firewall
TrustSec Capable L2 / L3 Networks: User - Switch - Switch - Router - WAN (GETVPN, DMVPN) - Router - Firewall - DC Switch - Server
  Classification at the access Switch and at the Server; SGACL at each Switch and the DC Switch; SGT over Fabric; SGT over VPN; SGFW at the Firewall

Cisco Trust Security (CTS): Would you like to know more?
Suggested Reading:
  BRKCRS - Enterprise Network Segmentation with Cisco TrustSec
  BRKSEC - Intermediate - Enabling TrustSec Software-Defined Segmentation
  BRKSEC - Building an Enterprise Access Control Architecture Using ISE and TrustSec
Other References:
  Cisco TrustSec Marketing Site
  Cisco TrustSec Config Guide: cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec.html
  CTS Architecture Overview: cisco.com/docs/switches/lan/trustsec/configuration/guide/trustsec/arch_over.html
  CTS 2.0 Design Guide: cisco.com/td/docs/solutions/enterprise/security/trustsec_2-0/trustsec_2-0_dig.pdf
  Fundamentals of TrustSec

Technical Overview: How does it work?
  Locator / ID Separation Protocol; VXLAN Encapsulation; Cisco TrustSec
Data-Plane Overview: Fabric Header Encapsulation
Fabric Data-Plane provides the following:
  Underlay address advertisement & mapping
  Automatic tunnel setup (Virtual Tunnel End-Points)
  Frame encapsulation between Routing Locators
  Support for LISP or VXLAN header format
    Nearly the same, with different fields & payload
    LISP header carries IP payload (IP in IP)
    VXLAN header carries MAC payload (MAC in IP)
Encap (Outer header added around the Inner frame) and Decap are triggered by LISP Control-Plane events:
  ARP or NDP Learning on L3 Gateways
  Map-Reply or Cache on Routing Locators

LISP & VXLAN Headers: Similar Format - Different Payload
  LISP Header - IP based
  VXLAN Header - Ethernet based (UDP 4789)
  Layout: OUTER HEADER | OVERLAY HEADER | INNER HEADER

VXLAN Header: MAC-in-IP Encapsulation (Overlay carried over Underlay)
Outer MAC Header:
  Dest. MAC (48) = Next-Hop MAC Address
  Source MAC (48) = Src VTEP MAC Address
  VLAN Type 0x8100 + VLAN ID (4 Bytes, optional)
  Ether Type
Outer IP Header:
  Misc. Data (72); Protocol 0x11 (UDP) (8); Header Checksum
  Source IP = Src RLOC IP Address
  Dest. IP = Dst RLOC IP Address
UDP Header:
  Source Port (16) = Hash of inner L2/L3/L4 headers of the original frame; enables entropy for ECMP load balancing
  Dest Port = UDP 4789
  UDP Length; Checksum
VXLAN Header:
  VXLAN Flags RRRRIRRR (8)
  Segment ID (16) - allows 64K possible SGTs
  VN ID (24) - allows 16M possible VRFs
  Reserved (8)
Inner (Original) MAC Header | Inner (Original) IP Header | Original Payload
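The VXLAN header fields above and the egress SGACL matrix from the TrustSec slide (Marketing and BYOD against CRM and Web), worked as an added Python example that is not from the deck or from Cisco: it packs and parses a VXLAN header carrying the VN ID and SGT, then makes the decapsulating Edge Node's permit or drop decision. The byte layout follows the VXLAN Group Policy draft (G bit in the flags byte, a reserved byte, 16-bit Group Policy ID, 24-bit VNI, reserved byte), which is an assumption about how the deck's Segment ID is placed; the destination IP-to-SGT table and addresses are constructed.

```python
import struct

VXLAN_UDP_PORT = 4789
FLAG_G = 0x80  # Group Policy ID (SGT) present (assumed VXLAN-GBP layout)
FLAG_I = 0x08  # VNI present: the "I" bit in RRRRIRRR


def build_vxlan_header(vni: int, sgt: int) -> bytes:
    """8-byte header: flags, reserved, SGT (16 bits), VNI (24 bits), reserved."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits (16M VRFs)")
    if not 0 <= sgt < (1 << 16):
        raise ValueError("SGT must fit in 16 bits (64K groups)")
    flags = FLAG_I | (FLAG_G if sgt else 0)
    return struct.pack("!BBH", flags, 0, sgt) + vni.to_bytes(3, "big") + b"\x00"


def parse_vxlan_header(hdr: bytes) -> dict:
    """Parse the header; raise on anything malformed instead of forwarding it."""
    if len(hdr) < 8:
        raise ValueError("truncated VXLAN header")
    flags, _reserved, sgt = struct.unpack("!BBH", hdr[:4])
    if not flags & FLAG_I:
        raise ValueError("I bit clear: VNI not valid, drop")
    vni = int.from_bytes(hdr[4:7], "big")
    # Without the G bit the 16-bit field is reserved, so no SGT was carried
    return {"vni": vni, "sgt": sgt if flags & FLAG_G else 0}


# Egress enforcement matrix from the slide: (src SGT, dst SGT) -> permit?
SGACL = {
    (5, 20): True,   # Marketing -> CRM
    (5, 30): False,  # Marketing -> Web
    (7, 20): False,  # BYOD -> CRM
    (7, 30): True,   # BYOD -> Web
}
# Destination classification known at the egress node (constructed sample)
DST_SGT = {"10.20.0.10": 20, "10.30.0.10": 30}  # CRM, Web


def egress_decision(hdr: bytes, dst_ip: str, expected_vni: int) -> str:
    """Decapsulate and enforce: returns 'permit' or 'drop: <reason>'."""
    try:
        fields = parse_vxlan_header(hdr)
    except ValueError as e:
        return f"drop: {e}"
    if fields["vni"] != expected_vni:
        return "drop: VNI mismatch (wrong virtual neighborhood)"
    dst_sgt = DST_SGT.get(dst_ip)
    if dst_sgt is None:
        return "drop: unknown destination group"
    # Default deny: a (src, dst) pair absent from the matrix is dropped,
    # which also catches untagged traffic arriving with SGT 0
    return "permit" if SGACL.get((fields["sgt"], dst_sgt), False) else "drop: SGACL deny"


def demo():
    """Marketing user (SGT 5) and BYOD user (SGT 7) in the default VN (ID 0)."""
    marketing = build_vxlan_header(vni=0, sgt=5)
    byod = build_vxlan_header(vni=0, sgt=7)
    return (
        egress_decision(marketing, "10.20.0.10", expected_vni=0),
        egress_decision(marketing, "10.30.0.10", expected_vni=0),
        egress_decision(byod, "10.30.0.10", expected_vni=0),
        egress_decision(marketing, "10.20.0.10", expected_vni=10),
    )
```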
Putting It Together: Where do things go?

Platform Support: Multiple Edge, Border & C-Plane Options
  Catalyst 3K: Catalyst 3650, Catalyst 3850; Copper / Fiber; IOS-XE
  Catalyst 4K: Catalyst 4500 Sup8E / 8LE; Sup Uplinks; IOS-XE 3.9+
  Catalyst 6K: Catalyst 6800 Sup2T / 6T; 6900 or Newer; IOS 15.4SY+
  Nexus 7K: Nexus 7700 Sup2E; M3 Only; NXOS 7.3DX+
Campus Fabric Config: Control-Plane Nodes
(Topology: Control-Plane Node (C) /32; IP Network; Edge Node 1 with Host Pool 10; Edge Node 2 with Host Pool 20)
  Organize networks into a LISP Site
  Configure the Authentication Key
  Add the prefixes to be mapped and accept more specific updates, e.g. /32
  Operate as IPv4 Map-Server
  Operate as IPv4 Map-Resolver
Configuration:
  router lisp
   site San_Jose
    authentication-key San_Jose
    eid-prefix /24 accept-more-specifics
    eid-prefix /24 accept-more-specifics
    exit
   !
   ipv4 map-server
   ipv4 map-resolver
   exit

Campus Fabric Config: Edge Nodes (1)
(Topology: Control-Plane Node (C) /32; IP Network; Edge Node 1 with Host Pool 10; Edge Node 2 with Host Pool 20)
  Organize XTRs into a Locator Set
  Set LISP to use VXLAN encapsulation
  Add a Dynamic EID group and associate with an Instance ID
  Add local prefixes to Dynamic EID and associate with the Locator set
  Add IPv4 SGT (to VXLAN)
  Operate as an IPv4 ITR & ETR
  Designate a Map-Server & Resolver
Configuration:
  router lisp
   locator-set campus_fabric
    ipv4-interface Loopback0
   encapsulation vxlan
   !
   eid-table default instance-id 0
    dynamic-eid Default_10_1_1_0
     database-mapping /24 locator-set campus_fabric
    exit
   !
   ipv4 sgt
   ipv4 itr map-resolver
   ipv4 itr
   ipv4 etr map-server key San_Jose
   ipv4 etr

Campus Fabric Config: Edge Nodes (2)
(Topology: Control-Plane Node (C) /32; IP Network; Edge Node 1 with Host Pool 10; Edge Node 2 with Host Pool 20)
  Process is repeated on each XTR
    Configure any Local prefixes
  Or, you can simply Copy + Paste on all common XTRs
    For Host Pools that exist on all XTRs
    Uses Dynamic EID map updates
Configuration:
  router lisp
   locator-set campus_fabric
    ipv4-interface Loopback0
   encapsulation vxlan
   !
   eid-table default instance-id 0
    dynamic-eid Default_20_1_1_0
     database-mapping /24 locator-set campus_fabric
    exit
   !
   ipv4 sgt
   ipv4 itr map-resolver
   ipv4 itr
   ipv4 etr map-server key San_Jose
   ipv4 etr

Campus Fabric Config: Border Nodes
(Topology: Control-Plane Node (C) /32; IP Network; Edge Node 1 with Host Pool 10; Border Node with External IP)
  Set LISP to use VXLAN encapsulation
  Add a Map Cache + Map-Request for Dynamic EIDs (triggers a lookup for traffic coming from outside)
  Add IPv4 SGT (to VXLAN)
  Operate as an IPv4 PITR & PETR
  Designate a Map-Server & Resolver
  Configure External Routing *
Configuration:
  router lisp
   encapsulation vxlan
   !
   eid-table default instance-id 0
    map-cache /24 map-request
    map-cache /24 map-request
    exit
   !
   ipv4 sgt
   ipv4 proxy-etr
   ipv4 proxy-itr
   ipv4 itr map-resolver
   ipv4 etr map-server key San_Jose
   exit
  !
  ip route

Campus Fabric Config: Virtual Neighborhoods
(Topology: Control-Plane Node (C) /32; IP Network; Edge Node 1; Edge Node 2; one /24 host pool per VN)
  Create new VRFs and add RD/RT if necessary
  Set LISP to use VXLAN encapsulation
  Create a new LISP Instance ID
  Add a Dynamic EID group and associate with per-vrf Instance ID
  Add local prefixes to Dynamic EID
    Overlapping prefixes may require NAT/FW
    Non-overlapping prefixes can be advertised natively
Configuration:
  ip vrf RED
  ip vrf BLUE
  ip vrf GREEN
  !
  router lisp
   locator-set campus_fabric
   encapsulation vxlan
   !
   eid-table vrf RED instance-id 10
    dynamic-eid RED_20_1_1_0
     database-mapping /24 locator-set campus_fabric
   !
   eid-table vrf BLUE instance-id 11
    dynamic-eid BLUE_20_1_1_0
     database-mapping /24 locator-set campus_fabric
   !
   eid-table vrf GREEN instance-id 12
    dynamic-eid GREEN_20_1_1_0
     database-mapping /24 locator-set campus_fabric
   exit
Campus Fabric Config: Endpoint ID Groups - Dynamic SGT
(Topology: Identity Services Engine; IP Network; Edge Node 1 with Host Pool 10; Edge Node 2 with Host Pool 20)
  Enable the AAA new-model
  Create a RADIUS server group with one or more RADIUS server(s)
  Enable AAA dynamic-author
  Enable AAA authorization to use CTS authorization
  Enable CTS Role-Based Enforcement
Configuration:
  aaa new-model
  !
  aaa group server radius ISE
   server name ISE
  !
  radius server ISE
   address ipv4 auth-port 1812 acct-port 1813
   key cisco
  !
  aaa server radius dynamic-author
   client server-key cisco
  !
  aaa authentication dot1x default group ISE
  aaa accounting dot1x default start-stop group ISE
  aaa authorization network cts-list group ISE
  !
  cts authorization list cts-list
  cts role-based enforcement

Campus Fabric Config: Endpoint ID Groups - Static SGT
(Topology: IP Network; Edge Node 1 with Host Pool 10; Edge Node 2 with Host Pool 20)
  Enable CTS Role-Based Enforcement
  Define a list of VLANs to be used for Role-Based Enforcement
  Create a new Static SGT-MAP of a VLAN list to SGT tag
  Or, create a new Static SGT-MAP of an IP Subnet to SGT tag
Configuration:
  !
  cts role-based enforcement
  cts role-based enforcement vlan-list
  !
  cts role-based sgt-map vlan-list 20 sgt 20
  !
  cts role-based sgt-map /24 sgt 20
  !

Campus Fabric Config: Host Pools - Dynamic Assignment
(Topology: Identity Services Engine; IP Network; Edge Node 1 with Host Pool 10; Edge Node 2 with Host Pool 20)
  Create a Host VLAN
  Create a L3 VLAN Interface (SVI) with the Subnet IP address and mask
  Add LISP mobility (Dynamic EID group)
  Configure AAA order + priority on Port
  Configure 802.1X and/or MAB on Port
  NOTE: Connected Host (User or Device) will be dynamically associated with a VLAN (e.g. 20) after Authentication
Configuration:
  vlan 20
   name Host_Pool_20
  !
  interface Vlan20
   ip address
   lisp mobility Default_20_1_1_0
  !
  interface GigabitEthernet1/0/1
   switchport
   switchport mode access
   authentication open
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   mab
   dot1x pae authenticator
   spanning-tree portfast

Campus Fabric Config: Host Pools - Static Assignment
(Topology: IP Network; Edge Node 1 with Host Pool 10; Edge Node 2 with Host Pool 20)
  Create a Host VLAN
  Create a L3 VLAN Interface (SVI) with the Subnet IP address and mask
  Add LISP mobility (Dynamic EID group)
  Configure the VLAN number on Port
Configuration:
  vlan 20
   name Host_Pool_20
  !
  interface Vlan20
   ip address
   lisp mobility Default_20_1_1_0
  !
  interface GigabitEthernet1/0/1
   switchport
   switchport mode access
   switchport access vlan 20
   spanning-tree portfast
64 Campus Fabric - Smart CLI Provisioning & Troubleshooting Made Simple What is Smart CLI? Its a new configuration mode to simplify config and management of Campus Fabric Invoked by a new Global command fabric auto Provides a simple set of easy-to-understand CLI fabric_device(config)# fabric auto Auto-generates all of the equivalent (traditional) LISP, VRF, IP, CTS, etc. CLI commands BRKCRS Cisco and/or its affiliates. All rights reserved. Cisco Public 64
65 Smart CLI Enable Edge Node services Class CLI Description fabric-domain (config-fabric-auto)# [no] domain {default} Exists under (config-fabric-auto) mode Configure default domain Enters domain configuration mode (config-fabric-auto-domain) (config-fabric-auto-domain)# [no] control-plane <ipv4_addr> auth-key <key> (config-fabric-auto-domain)# [no] border <ipv4_addr> Exists under (config-fabric-auto-domain) mode Configures remote control-plane address and authentication key Exists under (config-fabric-auto-domain) mode Configures remote fabric border address neighborhood (config-fabric-auto-domain)# [no] neighborhood name <name> id <ID> Exists under (config-fabric-auto-domain) mode (OPTIONAL) Creates a neighborhood by name and ID host-pool (config-fabric-auto-domain)# [no] host-pool name <name> Exists under (config-fabric-auto-domain) mode Creates a host-pool by name Enters host-pool config mode (config-fabric-auto-domain-hostpool) (config-fabric-auto-domain-host-pool)# vlan <id> (config-fabric-auto-domain-host-pool)# [no] gateway <addr/mask> (config-fabric-auto-domain-host-pool)# [no] neighborhood name <> Exists under (config-fabric-auto-domain-host-pool) mode Configures VLAN ID Exists under (config-fabric-auto-domain-host-pool) mode Gateway Configures Gateway IP/mask (prefix). Neighborhood Attaches host-pool to a neighborhood (config-fabric-auto-domain-host-pool)# [no] use-dhcp <addr> (config-fabric-auto-domain-host-pool)# exit Exists under (config-fabric-auto-domain-host-pool) mode (OPTIONAL) Configures dhcp server address exit sub-mode and apply configurations BRKCRS Cisco and/or its affiliates. All rights reserved. Cisco Public 65
66 Smart CLI: Enable Control-Plane Node services
(config-fabric-auto)# [no] domain {default}
  Exists under (config-fabric-auto) mode. Configures the default domain and enters domain configuration mode (config-fabric-auto-domain).
(config-fabric-auto-domain)# [no] control-plane self auth-key <key>
  Exists under (config-fabric-auto-domain) mode. Configures the local control-plane address (self) and the authentication key, the same key the edge and border nodes configure for this control-plane.
(config-fabric-auto-domain)# [no] host-prefix <prefix> [neighborhood name <name> id <ID>]
  Exists under (config-fabric-auto-domain) mode. Enables the control-plane service (per neighborhood) for the host prefix. If no neighborhood is configured, the default neighborhood is used.
(config-fabric-auto-domain)# exit
  Exits the sub-mode and applies the configuration.
67 Smart CLI: Border Node Configuration
(config-fabric-auto)# [no] domain {default}
  Exists under (config-fabric-auto) mode. Configures the default domain and enters domain configuration mode (config-fabric-auto-domain).
(config-fabric-auto-domain)# [no] control-plane <ipv4_addr> auth-key <key>
  Exists under (config-fabric-auto-domain) mode. Configures the remote control-plane address and authentication key.
(config-fabric-auto-domain)# [no] border self
  Exists under (config-fabric-auto-domain) mode. Configures the local border address (self).
(config-fabric-auto-domain)# [no] neighborhood name <name> id <ID>
  Exists under (config-fabric-auto-domain) mode. (OPTIONAL) Creates a neighborhood by name and ID.
(config-fabric-auto-domain)# [no] host-prefix <prefix> [neighborhood name <name> id <ID>]
  Exists under (config-fabric-auto-domain) mode. Enables border services (per neighborhood) for the host prefix. If no neighborhood is configured, the default neighborhood is used.
(config-fabric-auto-domain)# exit
  Exits the sub-mode and applies the configuration.
68 Smart CLI Example: Adding a new Edge Node
Edge(config)# fabric auto
Edge(config-fabric-auto)# domain default
Edge(config-fabric-auto-domain)# control-plane auth-key key1
Edge(config-fabric-auto-domain)# border
Edge(config-fabric-auto-domain)# exit
(The control-plane and border IPv4 addresses that follow those two keywords on the slide are not preserved in this transcript.)
These five commands:
- Generate all of the LISP xTR baseline configuration
- Set up Loopback0 as the locator (RLOC) address
- Create the default neighborhood as instance ID 0
- Enable VXLAN encapsulation
- Add the SGT to the VXLAN encapsulation
The auth-key is the shared secret the edge uses to authenticate its LISP registrations with the control-plane node: it has to match the key configured with control-plane self on that node, and show fabric domain displays it in clear text, so treat it like any other pre-shared key rather than a throwaway value such as key1.
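The three role tables above all draw on the same domain facts (control-plane address, auth-key, neighborhood IDs, host-pool subnets), and the fabric only works when every node carries the same values. The following Python script is an added example, not part of this session and not Cisco tooling: it renders the Smart CLI block for each role from one domain definition, rejects definitions with duplicate neighborhood IDs or pools bound to undefined neighborhoods, and assumes that the host-prefix a control-plane or border node needs is the host-pool's subnet derived from its gateway. The addresses, pool names, VLANs and the key are constructed sample values, and the minimum key length is this example's own policy, not a Cisco requirement.

```python
"""Render Campus Fabric Smart CLI per role from one domain definition.

Added example, not Cisco code: emits the commands from the Smart CLI tables
so that control-plane address, auth-key, neighborhood IDs and host-pools stay
consistent on every node. All addresses, names, VLANs and the key are
constructed sample values.
"""
from dataclasses import dataclass, field
from ipaddress import ip_interface
from typing import List, Optional


@dataclass
class Neighborhood:
    name: str
    id: int                 # LISP instance ID; the default neighborhood is ID 0


@dataclass
class HostPool:
    name: str
    vlan: int
    gateway: str            # "addr/mask", as the host-pool gateway command takes it
    neighborhood: str       # name of a Neighborhood defined in the domain
    dhcp: Optional[str] = None


@dataclass
class FabricDomain:
    control_plane: str      # IPv4 address of the control-plane node
    border: str             # IPv4 address of the border node
    auth_key: str           # shared secret; every node must carry the same one
    neighborhoods: List[Neighborhood] = field(default_factory=list)
    host_pools: List[HostPool] = field(default_factory=list)

    def neighborhood(self, name: str) -> Neighborhood:
        for n in self.neighborhoods:
            if n.name == name:
                return n
        raise ValueError(f"host-pool refers to undefined neighborhood {name!r}")


def validate(domain: FabricDomain) -> None:
    """Reject definitions that would merge segments or leave a pool orphaned."""
    ids = [n.id for n in domain.neighborhoods]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate neighborhood ID would merge two segments")
    names = [n.name for n in domain.neighborhoods]
    if len(names) != len(set(names)):
        raise ValueError("neighborhood names must be unique")
    for pool in domain.host_pools:
        domain.neighborhood(pool.neighborhood)
    if len(domain.auth_key) < 16:       # this example's policy, not a Cisco rule
        raise ValueError("auth-key too short for a shared secret")


def host_prefix(gateway: str) -> str:
    """Assumption: the host-prefix is the host-pool subnet behind the gateway."""
    return str(ip_interface(gateway).network)


def render(domain: FabricDomain, role: str) -> str:
    """Smart CLI block for role 'edge', 'control-plane' or 'border'."""
    if role not in ("edge", "control-plane", "border"):
        raise ValueError(f"unknown role {role!r}")
    validate(domain)
    out = ["fabric auto", " domain default"]
    if role == "control-plane":
        out.append(f"  control-plane self auth-key {domain.auth_key}")
    else:
        out.append(f"  control-plane {domain.control_plane} auth-key {domain.auth_key}")
    if role == "border":
        out.append("  border self")
    elif role == "edge":
        out.append(f"  border {domain.border}")
    if role != "control-plane":
        # the default neighborhood (ID 0) is created automatically; name the rest
        for n in domain.neighborhoods:
            if n.id != 0:
                out.append(f"  neighborhood name {n.name} id {n.id}")
    if role == "edge":
        # only edge nodes terminate host-pools (VLAN, gateway, DHCP relay)
        for pool in domain.host_pools:
            out += [f"  host-pool name {pool.name}", f"   vlan {pool.vlan}",
                    f"   gateway {pool.gateway}",
                    f"   neighborhood name {pool.neighborhood}"]
            if pool.dhcp:
                out.append(f"   use-dhcp {pool.dhcp}")
            out.append("   exit")
    else:
        # control-plane and border see the pools as host-prefixes; the
        # neighborhood is given inline so the instance ID is pinned explicitly
        for pool in domain.host_pools:
            n = domain.neighborhood(pool.neighborhood)
            out.append(f"  host-prefix {host_prefix(pool.gateway)} "
                       f"neighborhood name {n.name} id {n.id}")
    out.append("  exit")
    return "\n".join(out)


def sample_domain() -> FabricDomain:
    """Constructed sample: one control-plane/border pair, three host-pools."""
    return FabricDomain(
        control_plane="10.255.0.1", border="10.255.0.2",
        auth_key="c0ntr0l-pl4ne-s3cret-2017",
        neighborhoods=[Neighborhood("default", 0), Neighborhood("guest", 50),
                       Neighborhood("pcie", 60), Neighborhood("cisco", 70)],
        host_pools=[HostPool("corp", 100, "10.100.0.1/24", "default", "10.255.1.10"),
                    HostPool("guest", 50, "10.50.0.1/24", "guest", "10.255.1.10"),
                    HostPool("pcie", 60, "10.60.0.1/24", "pcie")])


if __name__ == "__main__":
    for role in ("control-plane", "border", "edge"):
        print(f"! ---- {role} ----\n{render(sample_domain(), role)}")
```

Running the script prints one block per role; pasting each under the matching node's configuration gives a domain in which the same key and the same name-to-ID mapping appear everywhere, which is the property the manual tables leave to the operator.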
69 Smart CLI Example: Show Fabric Domain
Edge# show fabric domain
Fabric Domain : "default"
Role : Edge
Control-Plane Service: Disabled
Border Service: Disabled
Number of Control-Plane Nodes: 1
IP Address    Auth-key
              key1
Number of Border Nodes: 1
IP Address
Number of Neighborhood(s): 4
Name      ID   Host-pools
default   0    2
guest     50   1
pcie      60   1
cisco     70   *
Callouts on the slide:
- Fabric Domain: shows the current domain (default)
- Role: shows the current role(s)
- Control-Plane Nodes: shows the control-plane node(s) and their auth-key
- Border Nodes: shows the border node(s)
- Neighborhood(s): shows each neighborhood, its ID, and the number of associated host-pool(s)
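Because show fabric domain prints the control-plane list, the auth-key and the neighborhood name-to-ID table on every node, it is also the quickest way to catch a node that disagrees with the rest of the domain. The following Python audit is an added example, not Cisco code: it parses that output (same layout as the slide, with constructed sample outputs for an edge and a border whose addresses are made up and whose border copy carries two deliberate faults) and reports a control-plane list or auth-key that differs between nodes, a neighborhood name carrying different IDs on different nodes, and an ID reused under another name.

```python
"""Cross-check 'show fabric domain' output from several fabric nodes.

Added example, not Cisco code. Flags a control-plane list or auth-key that
differs between nodes (hosts can't register) and a neighborhood name bound
to different IDs (traffic lands in the wrong segment or is dropped). Both
outputs are constructed samples with made-up addresses.
"""
import re
from typing import Dict, List

EDGE1 = """\
Fabric Domain : "default"
Role : Edge
Control-Plane Service: Disabled
Border Service: Disabled
Number of Control-Plane Nodes: 1
IP Address       Auth-key
10.255.0.1       c0ntr0l-pl4ne-s3cret-2017
Number of Border Nodes: 1
IP Address
10.255.0.2
Number of Neighborhood(s): 3
Name       ID   Host-pools
default    0    2
guest      50   1
pcie       60   1
"""

# Border view of the same domain: auth-key mistyped, 'guest' created as ID 51.
BORDER1 = """\
Fabric Domain : "default"
Role : Border
Control-Plane Service: Disabled
Border Service: Enabled
Number of Control-Plane Nodes: 1
IP Address       Auth-key
10.255.0.1       c0ntr0l-plane-s3cret-2017
Number of Border Nodes: 1
IP Address
10.255.0.2
Number of Neighborhood(s): 3
Name       ID   Host-pools
default    0    2
guest      51   1
pcie       60   1
"""


def parse_show_fabric_domain(text: str) -> Dict:
    """Return role, control-plane (address, key) pairs and the name->ID map."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    info: Dict = {"role": None, "control_planes": [], "neighborhoods": {}}
    i = 0
    while i < len(lines):
        m = re.match(r"Role\s*:\s*(\S+)", lines[i])
        if m:
            info["role"] = m.group(1)
        m = re.match(r"Number of Control-Plane Nodes:\s*(\d+)", lines[i])
        if m:                                   # i+1 is the column-header line
            rows = lines[i + 2:i + 2 + int(m.group(1))]
            info["control_planes"] = [tuple(r.split()[:2]) for r in rows]
            i += 2 + len(rows)
            continue
        m = re.match(r"Number of Neighborhood\(s\):\s*(\d+)", lines[i])
        if m:
            rows = lines[i + 2:i + 2 + int(m.group(1))]
            info["neighborhoods"] = {r.split()[0]: int(r.split()[1]) for r in rows}
            i += 2 + len(rows)
            continue
        i += 1
    return info


def audit(outputs: Dict[str, str]) -> List[str]:
    """Compare every node with the first one and return the disagreements."""
    parsed = {node: parse_show_fabric_domain(t) for node, t in outputs.items()}
    nodes = list(parsed)
    ref_name, ref = nodes[0], parsed[nodes[0]]
    ref_by_id = {nid: name for name, nid in ref["neighborhoods"].items()}
    findings = []
    for node in nodes[1:]:
        cur = parsed[node]
        if set(cur["control_planes"]) != set(ref["control_planes"]):
            findings.append(f"{node}: control-plane list or auth-key differs "
                            f"from {ref_name}")
        for name, nid in cur["neighborhoods"].items():
            ref_id = ref["neighborhoods"].get(name)
            if ref_id is not None and ref_id != nid:
                findings.append(f"{node}: neighborhood {name} is ID {nid} but "
                                f"{ref_name} has ID {ref_id}")
            elif ref_id is None and nid in ref_by_id:   # ID reused, other name
                findings.append(f"{node}: ID {nid} is {name} here but "
                                f"{ref_by_id[nid]} on {ref_name}")
    return findings


if __name__ == "__main__":
    print(*audit({"edge1": EDGE1, "border1": BORDER1}), sep="\n")
```

In practice the outputs would be collected over SSH from every fabric node and fed to audit() as a dictionary keyed by hostname; the first node acts as the reference, so pick the control-plane node for that slot.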
70 Campus Fabric - Smart CLI: Provisioning & Troubleshooting Made Simple. More to Come!
fabric_device(config)# fabric auto
- Underlay Network: configure the interfaces and protocols to bring up the underlay network
- Endpoint ID Groups: configure the AAA and CTS commands for static and dynamic ID
- Group Based Policy: configure SGT and SGACL policies
- And more
71 LIVE DEMO
72 Take-Away
73 Session Summary
1. LISP based Control-Plane
2. VXLAN based Data-Plane
3. Integrated Cisco TrustSec
74 What to do next?
Get the necessary Hardware & Software!
- Catalyst 3650 or New IOS-XE
- Catalyst 4500 w/ Sup8E or 8LE - New IOS-XE 3.9+
- Catalyst 6800 w/ Sup2T or 6T - New IOS 15.4SY+
- Nexus 7700 w/ M3 Cards - New NXOS 7.3DX+
Try out Campus Fabric in the Lab!
- You only need 2 or 3 (+) switches to test this solution
- At least 1 Control-Plane / Border and 1 Fabric Edge
Trial Deployment (Remember: it's an Overlay)
- You can install new C-Plane / Border and Edge Nodes without modifying your existing (Underlay) network
- This makes it very easy to deploy!
75 Complete Your Online Session Evaluation
Give us your session feedback to be entered into a Daily Survey Drawing. One daily winner will receive a $750 Amazon gift card.
Complete your session surveys through the Cisco Live Mobile App, or the Session Catalog on CiscoLive.com/us.
Don't Forget: Cisco Live sessions are available for viewing on-demand after the event at CiscoLive.com/Online
76 Continue Your Education
- Demos in the Cisco campus
- Walk-in Self-Paced Labs
- Lunch & Learn
- Meet the Engineer 1:1 meetings
- Related sessions