DNA Campus Fabric. How to Migrate The Existing Network. Kedar Karmarkar - Technical Leader BRKCRS-2801

Transcription

1

2 DNA Campus Fabric How to Migrate The Existing Network Kedar Karmarkar - Technical Leader

3 Campus Fabric Abstract Is your Campus network facing some, or all, of these challenges? Host Mobility (w/o stretching VLANs) Network Segmentation (w/o implementing MPLS) Role-based Access Control (w/o end-to-end TrustSec) Using Cisco technologies available today, you can overcome these challenges and build an Evolved Campus Network to better meet your business objectives. With this Evolution, a key challenge is to be able to support a Distributed Enterprise Infrastructure which is typically spread across Campus, Branch, DC and Cloud. This session focuses on how do I migrate from my existing network today to Campus Fabric that provides all of the above.

4 Campus Fabric Related Sessions We recommend the following sessions: 1. BRKCRS-1800: DNA Campus Fabric An Introduction 21/02/17 11: hours 2. BRKCRS-3800: DNA Campus Fabric A Look Under the Hood 22/02/17 09:00 2 hours 3. : DNA Campus Fabric - How to Integrate with Your Existing Network 22/02/17 11: hours 4. BRKCRS-2802: DNA Campus Fabric Monitoring & Troubleshooting 22/02/17 14: hours 5. BRKCRS-2803: DNA Campus Fabric Connecting Outside the Fabric 22/02/17 16: hours 6. BRKACI-2400: DNA Campus Fabric Integration with Data Center Architectures 23/02/17 14: hours 7. BRKEWN-2300: Virtualize Your Wired and Wireless Network (w/ Campus Fabric) 24/02/17 09:00 2 hours

5 Agenda Key Benefits Why do I care? Campus Fabric Overview What is a Fabric? Getting Started What are the Platform/Network considerations? Network Deployment Models Layer-2 Access Takeaway How do I get started?

6 Key Benefits Why do I care?

7 Cisco Digital Network Architecture Overview Network-enabled Applications Principles Cloud Service Management Open APIs Developers Environment Automation Abstraction & Policy Control from Core to Edge Policy Orchestration Open & Programmable Standards-Based Virtualisation Analytics Network Data, Contextual Insights Physical & Virtual Infrastructure App Hosting Insights & Experiences Automation & Assurance Security & Compliance Cloud-enabled Software-delivered

8 What is Campus Fabric? Foundational Technologies Programmable Custom ASICs Converged Software Services Industry Leading Wired & Wireless Stacking TrustSec SDN Advanced Functionality Programmable Pipeline Flexibility Recirculation Optimised for Campus Integrated Stacking Visibility Security Future Proofed Long Life Cycle Investment Protection + Network Enabled Applications Collaboration Mobility IoT Security ` Automation and Analytics Controller Visible Programmable Open Virtualisation Campus Fabric Segmentation L2 Flexibility Designed for Evolution Strong Foundational Capabilities HA Driving Innovation Through Technology Investment

9 Provision Simplified Provisioning Deploy devices using best practice configurations using Smart CLI and Programmability models

10 Mobility Wired and Wireless Host Mobility Always connect to the same L3 gateway

11 X Segmentation Security Simple Segmentation constructs to build Secure boundaries for users and things

12 Intelligent Policy Network Wide Policy Enforcement Based on your Identity, not on your Address

13 Campus Fabric Overview What is a Fabric?

14 What exactly is a Fabric? A Fabric is an Overlay An Overlay is a logical topology used to virtually connect devices, built on top of an arbitrary physical Underlay topology. An Overlay network often uses alternate forwarding attributes to provide additional services, not provided by the Underlay. Examples of Network Overlays GRE or mgre LISP MPLS or VPLS OTV IPSec or DMVPN DFA CAPWAP ACI

15 What exactly is a Fabric? Overlay Terminology Overlay Network Overlay Control Plane Encapsulation Edge Device Edge Device Hosts (End-Points) Underlay Network Underlay Control Plane

16 What is unique about Campus Fabric? Key Components 1. Control-Plane based on LISP 2. Data-Plane based on VXLAN 3. Policy-Plane based on TrustSec Key Differences L2 + L3 Overlay -vs- L2 or L3 Only Host Mobility with Anycast Gateway Adds VRF + SGT into Data-Plane Virtual Tunnel Endpoints (No Static) No Topology Limitations (Basic IP)

17 What is unique about Campus Fabric? Fabric Roles & Terminology User / Group Repository ISE / AD Host DB Control-Plane Nodes User / Group Repository External ID Store device (e.g. ISE or AD) can be leveraged to provide dynamic User / Device to Group mapping. Fabric Domain (Overlay) Fabric Border Nodes Control-Plane Nodes Map System that manages the Endpoint to Gateway (Edge or Border) relationship. Border Nodes The L3 Gateway device (Core), that connects External L3 network(s) to Fabric. Fabric Edge Nodes Fabric Intermediate Nodes (Underlay) Edge Nodes The L3 Gateway device (Access or Distribution), that connects Endpoints to Fabric. Intermediate Nodes Normal L3 (IP) Forwarders in the Underlay.

18 Campus Fabric Control-Plane Nodes A Closer Look Fabric Control-Plane Node is based on a LISP Map Server / Resolver Runs the LISP Host Tracking Database to provide overlay reachability information A simple Host Database, that tracks Endpoint ID to Edge Node bindings, along with other attributes Host Database supports multiple Endpoint ID lookup keys (IPv4 /32, IPv6 /128 or MAC) C Receives prefix registrations from Edge Nodes with local Endpoints Resolves lookup requests from remote Edge Nodes, to locate local Endpoints

19 Campus Fabric Edge Nodes A Closer Look Fabric Edge Node is based on a LISP Tunnel Router Provides connectivity for Users and Devices connected to the Fabric Responsible for Identifying and Authenticating Endpoints Register Endpoint ID information with the Control-Plane Node(s) Provides Anycast L3 Gateway for connected Endpoints Must encapsulate / decapsulate host traffic to and from Endpoints connected to the Fabric E E E

20 Campus Fabric Border Nodes A Closer Look Fabric Border Node is based on a LISP Tunnel Router All traffic entering or leaving the Fabric goes through this type of node Connects traditional L3 networks and / or different Fabric domains to the local domain Where two domains exchange Endpoint reachability and policy information Responsible for translation of context (VRF & SGT) from one domain to another B B Provides a domain exit point for all Edge Nodes

21 Getting Started Platform Considerations

22 Platform Support Fabric Edge Nodes - Options Catalyst 3K Catalyst 4K Catalyst 3K Fixed portfolio Catalyst 4500E Modular options Catalyst 3650 Catalyst 3850 RJ45 IOS-XE Catalyst 4500 Sup8E Sup Uplinks IOS-XE 3.9+

23 Platform Support Fabric Border Nodes - Options Catalyst 3K Catalyst 6K ASR1K & ISR4K Nexus 7K Catalyst /24 or 48XS 1/10G (Fibre) IOS-XE Catalyst 6800 Sup2T or 6T 6880 or 6840-X IOS SY+ ASR1000-X X or HX Series ISR4430 / 4450 IOS-XE Nexus 7700 Sup2E M3 Cards NXOS

24 Platform Support Fabric Control-Plane - Options Catalyst 3K Catalyst 6K ASR1K & ISR4K Catalyst /24 or 48XS 1/10G (Fibre) IOS-XE Catalyst 6800 Sup2T or 6T 6880 or 6840-X IOS SY+ ASR1000-X X or HX Series ISR4430 / 4450 IOS-XE

25 Getting Started Network Considerations

26 Network Considerations - MTU MTU and Overlay VXLAN adds 50 bytes to the Original Ethernet Frame Avoid Fragmentation by adjusting the network MTU Ensure Jumbo Frame support on switches in the underlay network Underlay Network MTU Encapsulation MTU 1500 Overlay Network

27 Underlay Networks Campus fabric runs over arbitrary topologies: Traditional 3-tier hierarchical network Collapsed core/aggregation designs Routed access U-topology Ensure that all switches have IP reachability to infrastructure elements Ideal design is routed access allows fabric to extend to very edge of campus network Strong recommendation to follow campus CVDs with routed access L3 L2 3-Tier Hierarchical L2 Collapsed Core L3 Routed Access L2 U-Topology

28 Overlay Network Assumption is underlay network provides routing and IP connectivity Campus fabric configuration defines: Overlay IP space Segmentation context VRF and SGT Mobility (map database updates)

29 IP Addressing for Overlay and Underlay Know your IP addressing and IP scale requirements Best to use single Aggregate for all Underlay Links and Loopbacks IPv4 only (today) Fabric uses Loopback as Source- Interface for Encapsulation / / / /30 Overlay Network / /32 Underlay Network /32

30 Virtual Networks RLOC/Underlay connectivity in Global Routing Table Loopback interfaces for management in their own VN (Default) Other VNs can be used for segmentation for users, devices, roles, and others Scalable Group Tags (SGTs) can be used for further access control within a VN The CORPORATE VN is being shown in this slide deck as an example. Similar steps can be followed for other VNs shown Fabric scope of management USERS #2 CORPORATE Management Access RLOC/Underlay Border USER VRF USER VRF Default GRT

31 Getting Started Services Location Considerations

32 Location of Shared Services Infrastructure Campus fabric leverages traditional infrastructure services IP reachability from underlay/overlay to DNS, DHCP, etc. required Services may be hosted inside or outside the campus fabric Other infrastructure services include AAA, LDAP/AD, syslog server, Netflow collector, 3 rd -party monitoring systems DHCP Server NTP Server

33 Location of Shared Services Infrastructure Could be in campus distribution block or campus core for small commercial or enterprise deployments Larger deployments have infrastructure services hosted in Data Centre Hybrid model also possible (mix of distribution/core/data Centre) Infrastructure Services at Distribution Infrastructure Services at Core Infrastructure Services in Data Centre Small Commercial / Enterprise Deployment Large Enterprise Deployment

34 Know What is Connecting to the Existing Network Deploy ISE and StealthWatch Turn on device sensor on switches, Flexible NetFlow Turn on profiling on ISE What devices connect to the network What should they be doing What are they actually doing From where do they connect into the network This data will be useful in determining Segmentation policy in Campus Fabric

35 Deployments

36 Deployments Campus Networks Branch Networks

37 Campus Network DDI MPLS MPLS I-NET Branch IWAN DC IWAN Internet WAN Block DC Block Internet Block Services Block Layer-2 Link Super Core Layer-3 Link Core Core Aggregation Layer Aggregation Layer Aggregation Layer

38 Branch Network DDI MPLS I-NET Branch IWAN Collapsed Core Access Layer

39 Approaches to Migration 1. Parallel Install 2. Migrating One Switch at a time

40 Parallel Install Option Conditions and Advantages May work in Branch deployments Sufficient cable runs exist in the current networking plan Sufficient power and outlets exist in the current power plan Existing brownfield network has legacy hardware Upgrade most of the wired network Option of redesigning IP networks from scratch instead of continuing the complexities of legacy network Advantage lies in testing users on entire new network prior to full migration of entire site During migration, users with problems but immediate access needs can be moved back to old network allowing them to continue their work, while troubleshooting can be performed on the Campus Fabric network

41 Migrate One Switch At A Time Option Conditions and Advantages Works in both Campus and Branch deployments Needs an extra couple fibre runs to the distribution switch Sufficient power and couple outlets needed in the current power plan Existing brownfield network has legacy hardware Upgrade some of the wired network Switch by Switch upgrade of certain layers of the network is possible Legacy IP design has to be continued for reducing downtime During migration, users with problems but immediate access needs can be moved back to old network allowing them to continue their work, while troubleshooting can be performed on the Campus Fabric network

42 Parallel Install Option for Campus Networks DDI MPLS MPLS I-NET Branch IWAN DC IWAN Internet X

43 Parallel Network Option for Branch Networks DDI MPLS I-NET Branch IWAN

44 Hardware Refresh Software Reconfigure Two scenarios for migration to Campus Fabric Hardware Refresh: Existing network consists of switches that need hardware upgrade since they do not support Campus Fabric Example: 3750X, 2960X, 4500E SUP7-E in the access Software Reconfigure: Existing network consists of switches that are compatible with Campus Fabric and just need software upgrade and reconfiguration Example: 3850, 4500E SUP-8E in the access

45 Access Network Designs

46 Access Networks Designs Multi-layer L2 Access Will address hardware refresh scenario

47 Layer-2 Access Network DDI MPLS MPLS I-NET Branch IWAN DC IWAN Internet WAN Block DC Block Internet Block Services Block Super Core 4 Core 3 Core Aggregation Layer 2 Aggregation Layer Aggregation Layer 1

48 Connecting the Fabric External Border Current Core platform supports Fabric External Border functionality Convert one of the Core switches as External Border Current Core platform does not support Fabric functionality Strong desire not to touch the Core layer in the existing network Add a Border platform switch and connect it to the Core layer Choose a platform that will be re-purposed to a dedicated Control Plane Node (if needed) In this example, we will add a Fabric External Border switch and connect it to the SuperCore layer 4

49 Connecting the first Fabric Edge Depends on across which layer in the network the VLANs are being spanned Aggregation Core Or sometimes even SuperCore The first Fabric Edge switch connects to where the VLANs are being aggregated Example If VLANs are NOT being spanned across Core layer, connect first Fabric Edge switch at Aggregation; if the VLANs ARE being spanned across Aggregation layer, connect the first Fabric Edge switch at Core, and so on. In this example, we will assume that VLANs are being spanned across Access layer, so Fabric Edge switch is attached to the aggregation switch 2

50 Getting Started Steps / /32 C B Edge Node IP Network Border/Control Plane Node External Network Connect a switch to the Core layer that will act as the External Border Host the Control Plane function on the External Border for simplicity Add a switch in the distribution layer that will act as the Fabric Edge Integrate the switch in the existing network in Routed Access design. IS-IS is the recommended option for Fabric networks, but any IGP could do. APIC-EM PnP can be used for Day Zero operations to integrate the switch.

51 Layer-2 Access Network Simplified View DDI MPLS MPLS I-NET Branch IWAN DC IWAN Internet

52 Work Simplified View DDI MPLS MPLS I-NET Branch IWAN DC IWAN Internet Fabric Edge Node Control/ External Border Node

53 Work Simplified View DDI MPLS MPLS I-NET Branch IWAN DC IWAN Internet Fabric Edge Node Control/ External Border Node

54 Work Simplified View DDI MPLS MPLS I-NET Branch IWAN DC IWAN Internet Fabric Edge Node Control/ External Border Node Control/ External Border Node

55 Work Simplified View DDI MPLS MPLS I-NET Branch IWAN DC IWAN Internet Internal Borders Control/ External Border Node Control/ External Border Node Fabric Edge Nodes

56 Work Simplified View DDI MPLS MPLS I-NET Branch IWAN DC IWAN Internet Internal Borders External Borders Control Plane Node Control Plane Node Fabric Edge Nodes

57 Prepping the Switch / /32 C B Edge Node IP Network Border/Control Plane Node External Network Do not forget to set following on the Fabric nodes and other nodes in the underlay: Set MTU to 9100 on the switch and the existing network. Configure ip routing Set username and password for device access Configure VTY and console lines for device access Configure NTP Configure SNMP, syslog Configure Loopback0 (/32) for RLOC, another interface for Management and underlay IP addresses

58 Getting Started Steps / /32 C B Edge Node router isis passive-interface Loopback0 net XXXX.XXXX.XXXX.00 is-type level-2-only ispf level-2 log-adjacency-changes metric-style wide level-2 no hello padding authentication mode md5 level-2 authentication key-chain ON IP Network Border/Control Plane Node External Network interface GigabitEthernet x/x ip router isis isis network point-to-point isis metric <metric> level-2 isis circuit-type level-2-only isis authentication mode md5 level-2 isis authentication key-chain ON carrier-delay ms 0 dampening

59 Fabric Configuration on Edge node / /32 C B Edge Node IP Network Border/Control Plane Node External Network router lisp encapsulation vxlan locator-table default locator-set rloc_sjc18 IPv4-interface Loopback0 priority 10 weight 10 exit! disable-ttl-propagate ipv4 sgt ipv4 use-petr ipv4 itr map-resolver ipv4 itr ipv4 etr map-server key cisco ipv4 etr exit

60 Border and Control Plane Configuration / /32 C B Edge Node IP Network router lisp encapsulation vxlan locator-table default locator-set border IPv4-interface Loopback0 priority 10 weight 10 exit! disable-ttl-propagate ipv4 map-server ipv4 map-resolver ipv4 sgt ipv4 proxy-etr ipv4 proxy-itr ipv4 itr map-resolver ipv4 etr map-server key cisco ipv4 etr exit Border/Control Plane Node router lisp site site_uci authentication-key cisco exit ipv4 map-server ipv4 map-resolver exit External Network

61 VRF Configuration on Edge and Border / /32 C B Edge Node IP Network Border/Control Plane Node External Network ip vrf CORPORATE rd 1:1 route-target export 1:1 route-target import 1:1

62 Configure L2 VLAN and SVI at Edge Node / /32 C B Edge Node IP Network vlan 3 name Corporate_Users! ip dhcp snooping ip dhcp snooping vlan 3! device-tracking tracking Border/Control Plane Node External Network interface Vlan3 ip vrf forwarding CORPORATE ip dhcp relay source-interface Loopback0 ip address ip helper-address global no ip redirects ip local-proxy-arp ip route-cache same-interface logging event link-status load-interval 30 lisp mobility CORPORATE_10_2_3_0 shutdown

63 Adding EID space on Edge node / /32 C B Edge Node IP Network Border/Control Plane Node External Network router lisp locator-table default locator-set rloc_sjc18_01 eid-table vrf CORPORATE instance-id 10 dynamic-eid CORPORATE_10_2_3_0 database-mapping /24 locator-set rloc_sjc18 exit

64 Adding EID space on Border/Control Plane node / /32 C B Edge Node IP Network Border/Control Plane Node External Network router lisp eid-table vrf CORPORATE instance-id 10 map-cache /24 map-request exit! site site_uci authentication-key cisco eid-prefix instance-id /24 accept-more-specifics exit

65 Exporting Fabric Prefixes to External Network / /32 C B Edge Node IP Network Border/Control Plane Node External Network Only export Fabric prefixes (overlay) to the External network No need to import External prefixes into Fabric since Border acts as default to unknown destinations External network needs a route to direct traffic back to the Fabric prefixes. Recommended choice of exchanging routing information is ebgp

66 Why BGP? BGP has built-in loop prevention features like AS_PATH to break loops Simple to keep routes distributed between Global Routing and Virtual Networks If IGP is used then route-maps, distribute-lists, IP ACLs need to be maintained Failure to maintain the above might cause routing loops in the network

67 Advertising Fabric Prefixes to External Network - BGP / /32 C B Edge Node IP Network Border/Control Plane Node External Network router lisp locator-table default! eid-table vrf CORPORATE instance-id 10 ipv4 route-export site-registrations ipv4 map-cache site-registration exit! router bgp address-family ipv4 vrf CORPORATE redistribute lisp metric 10 aggregate-address summary-only neighbor remote-as neighbor activate exit

68 Advertising Fabric Prefixes to External Network - OSPF / /32 C B IP Network Edge Node Border/Control Plane Node External Network router lisp locator-table default! eid-table vrf CORPORATE instance-id 10 ipv4 route-export site-registrations ipv4 map-cache site-registration exit! router ospfv3 123! address-family ipv4 unicast vrf CORPORATE summary-prefix /24 redistribute lisp metric 10 exit-address-family interface Vlan4090 ip vrf forwarding CORPORATE ip address ip ospf network point-to-point ip ospf mtu-ignore ipv6 enable ospfv3 123 ipv4 area 0 end Use route-filter in the global instance to filter incoming fabric prefixes routes This will prevent underlay from learning fabric prefixes

69 Advertising Fabric Prefixes to External Network - OSPF / /32 C B Edge Node IP Network Border/Control Plane Node External Network interface GigabitEthernet0/0/ encapsulation dot1q 4090 ip address ip ospf network point-to-point ip ospf mtu-ignore ipv6 enable ospfv3 123 ipv4 area 0 end! router ospfv3 123! address-family ipv4 unicast exit-address-family

70 Layer-2 Connection from Existing Network Layer-2 connection between existing VLAN and VLAN in Fabric / /32 Edge Node Distribution Switch IP Network C B Border/Control Plane Node External Network Connect the Edge node and existing Distribution switch on a Trunk Port Allow only VLAN003 for now

71 Layer-2 Connection from Existing Network Layer-2 connection between existing VLAN and VLAN in Fabric / /32 Edge Node Distribution Switch SVI X VLAN003 IP Network C Border/Control Plane Node External Network Shut down the SVI of VLAN003 on Aggregation switches in existing network.

72 Layer-2 Connection from Existing Network Layer-2 connection between existing VLAN and VLAN in Fabric / /32 Edge Node Distribution Switch SVI VLAN003 IP Network C B Border/Control Plane Node External Network No shutdown on the SVI VLAN3 on Fabric Edge switch.

73 Moving the SVI from Distribution to Fabric Edge C B /32 Fabric Edge Funnel Node Border/Control Plane Node /32 SVI 003 IP Network SVI 003 SVI 003 Distribution Layer Access Layer Access Layer

74 Layer-2 Connection from Existing Network Layer-2 connection between existing VLAN and VLAN in Fabric / /32 Edge Node Distribution Switch SVI VLAN003 IP Network C B Border/Control Plane Node External Network L2 Network VLAN003 gets integrated into the fabric. All ingress traffic from endpoints in VLAN003 now enters the fabric via the Edge node and exits via the Border node.

75 Layer-2 Connection from Existing Network Layer-2 connection between existing VLAN and VLAN in Fabric / /32 Edge Node Distribution Switch SVI VLAN X IP Network C B Border/Control Plane Node External Network L2 Network Perform similar configuration of other VLANs, and SVIs on the Fabric Edge node Shutdown the SVI of the other VLANs in existing Distribution switches No shutdown the respective SVI on Fabric Edge to funnel all VLAN traffic to it

76 Layer-2 Connection from Existing Network / /32 New Edge Node Distribution Switch C B IP Network Border/Control Plane Node External Network Existing L2 switch Add a new Fabric Edge switch in the access layer Connect it to the Distribution layer with Routed Access with its own Loopback0 Copy the Fabric Edge configuration from previous Fabric Edge including the VLAN X/SVI X configuration as is, and paste onto the new Fabric Edge switch 1

77 Layer-2 Connection from Existing Network / /32 Edge Node Distribution Switch C B X IP Network Border/Control Plane Node External Network Configure the access ports in their VLANs similar to the legacy switch Move all the physical connections from legacy switch to new Fabric Edge Decommission the legacy switch from existing network

78 Add Second External Border/Control Plane node / /32 C B Edge Node IP Network Border/Control Plane Node /32 C B External Network Border/Control Plane Node Add or upgrade a second switch or a router as the Border/Control Plane node for redundancy. Modify the configurations on all the Fabric Edge nodes to add the second Border/Control Plane node.

79 Work Simplified View DDI MPLS MPLS I-NET Branch IWAN DC IWAN Internet

80 Add Internal Border nodes as necessary / /32 B IP Network Edge Node Internal Border/s /32 B WAN Branch Internal Border/s Datacentre WAN Add or upgrade Internal Border nodes in the Fabric.

81 Campus Fabric Border Nodes Internal Border: Connects Campus Fabric to Known networks i.e. other fabric or nonfabric domain in same company network. These known networks generally are the WAN, DC, Shared Services etc Responsible for advertising prefixes from and to the local fabric domain and external domain. External Border: Connects Campus Fabric to Un- Known networks. These Un-known networks generally is the Internet and Cloud. Responsible for only advertising prefixes from the local fabric domain to external domain.

82 Why Internal Border? / /32 Edge Node Distribution Switch C B IP Network External Border Control Plane Node External Network WAN Branch Datacentre WAN

83 Why Internal Border? / /32 Edge Node Distribution Switch C B IP Network External Border External Network B Internal Border WAN Branch B Internal Border Datacentre WAN

84 Why Internal Border? Flexibility in designing different platforms for Border functionality different than External Border Can have any number of Internal borders than External borders (depends on network design)

85 Routing on the Internal Borders / /32 IP Network B Edge Node Internal Border/s WAN Branch Routing needs to be configured on the Internal Borders to Advertise Fabric overlay prefixes outside to the rest of the network Known network prefixes to be redistributed into the fabric Use route-filter in the global instance to filter incoming fabric prefixes routes This will prevent underlay from learning fabric prefixes or VRFs from learning other VRF s routes /32 B Internal Border/s Datacentre WAN

86 Internal Border Routing Advertise from LISP into BGP / /32 IP Network B Edge Node Internal Border/s WAN Branch router lisp locator-table default! eid-table vrf CORPORATE instance-id 10 ipv4 route-export site-registrations ipv4 distance site-registrations 250 ipv4 map-cache site-registration exit! router bgp address-family ipv4 vrf CORPORATE redistribute LISP metric 10 aggregate-address summary-only neighbor remote-as neighbor activate exit

87 Internal Border Routing Advertise from BGP into LISP / /32 B IP Network Edge Node Internal Border/s WAN Branch router lisp locator-table default locator-set border IPv4-interface Loopback0 priority 10 weight 10! eid-table vrf CORPORATE instance-id 10 ipv4 route-import database bgp locator-set border exit!

88 Internal Border Routing Advertise from LISP into OSPF / /32 B IP Network Edge Node Internal Border/s WAN Branch router lisp locator-table default! eid-table vrf CORPORATE instance-id 10 ipv4 route-export site-registrations ipv4 distance site-registrations 250 ipv4 map-cache site-registration exit! router ospfv3 123! address-family ipv4 unicast vrf CORPORATE summary-prefix /24 redistribute lisp metric 10 distribute-list 2 in exit-address-family

89 Internal Border Routing Importing from OSPF in LISP / /32 B IP Network Edge Node Internal Border/s WAN Branch router lisp locator-set int_border locator-table default! eid-table vrf CORPORATE instance-id 10 ipv4 route-import database ospfv3 123 locator-set int_border ipv4 distance site-registrations 250 exit

90 Internal Border Routing Importing from EIGRP in LISP / /32 B IP Network Edge Node Internal Border/s WAN Branch router lisp locator-set int_border locator-table default! eid-table vrf CORPORATE instance-id 10 ipv4 route-import database eigrp locator-set int_border ipv4 distance site-registrations 250 exit

91 Shared Resources / /32 B DDI IP Network Edge Node Internal Border/s ISE/AD router lisp encapsulation vxlan locator-set int_border exit! eid-table vrf CORPORATE instance-id 10 ipv4 route-import database eigrp locator-set border ipv4 route-export site-registrations ipv4 distance site-registrations 250 ipv4 map-cache site-registration exit

92 Shared Resources / /32 B DDI IP Network Edge Node Internal Border/s ISE/AD router eigrp 65535! address-family ipv4 vrf CORPORATE redistribute lisp metric network autonomous-system exit-address-family!

93 Shared Resources / /32 B DDI IP Network Edge Node Internal Border/s ISE/AD router eigrp 65535! network exit-address-family

94 External Border for Single Entry/Exit Point DDI MPLS I-NET Branch IWAN Advertise Routes from Fabric to External Router External Border Node Fabric Edge Nodes

95 Distribute Control Plane Node from External Border Control /32 Plane /32 C /32 B Edge Node IP Network Control Plane /32 C External Border/s Internet Router router lisp encapsulation vxlan locator-table default locator-set msmr IPv4-interface Loopback0 priority 10 weight 10 exit! eid-table vrf CORPORATE instance-id 10 ipv4 route-export site-registrations ipv4 distance site-registrations 250 exit

96 Distribute Control Plane Node from External Border Control /32 Plane /32 C /32 B IP Network Edge Node Control Plane C External Border/s Internet Router /32 site site_uci description map-server configured from apic-em authentication-key uci eid-prefix instance-id /0 accept-more-specifics eid-prefix instance-id /24 accept-more-specifics exit! ipv4 map-server ipv4 map-resolver exit

97 Advertise LISP into BGP on Control Plane Node Control /32 Plane /32 Edge Node /32 C IP Network Set up ibgp connection between the Control Plane node and External Border C /32 B External Border/s Control Plane router bgp bgp log-neighbor-changes Internet Router neighbor remote-as neighbor update-source lo0! address-family vpnv4 neighbor activate neighbor send-community both exit-address-family! address-family ipv4 vrf CORPORATE aggregate-address summary only redistribute lisp metric 10 exit-address-family

98 Control Plane node definition on Border Control /32 Plane /32 C /32 B Edge Node IP Network Control Plane /32 C External Border/s router lisp ipv4 proxy-etr ipv4 proxy-itr ipv4 itr map-resolver ipv4 itr-map-resolver ipv4 map-server key cisco ipv4 map-server key cisco ipv4 etr exit Internet Router

99 ibgp with Control Plane Node on Border Control /32 Plane /32 Edge Node /32 C IP Network Set up ibgp connection between the External Border and Control Plane nodes C /32 B External Border/s Control Plane router bgp bgp log-neighbor-changes Internet Router neighbor remote-as neighbor update-source Loopback0 neighbor remote-as neighbor update-source Loopback0! address-family vpnv4 neighbor activate neighbor send-community both neighbor activate neighbor send-community both exit-address-family

100 Import LISP routes from ibgp on Border Control /32 Plane /32 C /32 B Edge Node IP Network Control Plane /32 C External Border/s Internet Router router lisp encapsulation vxlan locator-set border IP-v4-interface Loopback 0 priority 10 weight 10 exit! eid-table vrf CORPORATE instance-id 10 ipv4 route-import map-cache bgp exit

101 Distribute Control Plane Node from External Border Control /32 Plane /32 C /32 B IP Network Edge Node Control Plane C External Border/s Internet Router /32 Redistribute BGP into IGP at the external router to advertise fabric prefixes to external network

102 Distribute Control Plane Node from External Border Control /32 Plane /32 C /32 B IP Network Edge Node Control Plane C External Border/s B Internet Router / /32 If multiple Borders are used to redistribute fabric prefixes into external, recommend to use ebgp connection to break loops dynamically Else use distribute-lists, with IP ACLs that have a maintenance overhead

103 Redistribution From LISP to ibgp LISP Database Routing Information Base (RIB) Border Gateway Protocol (ibgp) Border Gateway Protocol (ibgp) Control Plane Node Border Node

104 Advertise from ibgp to ebgp to IGP Border Gateway Protocol (ebgp) Border Gateway Protocol (ebgp) Routing Information Base (RIB) External Network Protocol Border Node External Router

105 External Routes Exchange via ebgp on Border Border Gateway Protocol (ebgp) Border Gateway Protocol (ebgp) Routing Information Base (RIB) External Network Protocol Border Node External Router

106 Redistribution from IGP to ebgp Internal Border LISP Database Border Gateway Protocol (ibgp) Control Plane Node Border Node

107 Work Simplified View DDI MPLS MPLS I-NET Branch IWAN DC IWAN Internet Internal Borders External Borders Control Plane Node Control Plane Node Fabric Edge Nodes

108 Replace Legacy Access Switches in the Network Use the same procedure outlined in the last three slides (69-70) to add Fabricenabled Edge switches While replacing legacy switches in the network After all the legacy switches in that Distribution block are replaced with Fabricenabled Edge switches, Remove the Fabric Edge connected to the Distribution switch, Use it to migrate the second Distribution block, Following the same procedure as outlined previously (50-70).

109 work DDI MPLS MPLS I-NET Branch IWAN DC IWAN Internet Internal Borders External Borders Campus Fabric

110 Routed Access Designs

111 Routed Access Network DDI MPLS MPLS I-NET Branch IWAN DC IWAN Internet

112 Considerations for Migrating Routed Access Easier to migrate Routed Access designs to Campus Fabric Supporting infrastructure (DHCP mainly) is already setup Routed Access is the building block for Campus Fabric Loopback subnet that forms the RLOC address needs to be factored in IS-IS is the preferred routing protocol, and can be cut-over later keeping existing IGP Opportunity exists to consolidate existing subnets into lesser larger subnets once Campus Fabric is deployed

113 Routed Access Network DDI MPLS MPLS I-NET Branch IWAN DC IWAN Internet

114 Routed Access Network DDI MPLS MPLS I-NET Branch IWAN DC IWAN Internet

115 Simplified View / /32 C C B Edge Node IP Network Border/Control Plane Node External Network Access switch as the Fabric Edge node Intermediate network reduced to IP Network Fabric Border node is the Router connecting to Internet services Control Plane node can be one of the network devices or a CSR1Kv, IPreachable

116 Getting Started Steps / /32 C B Edge Node IP Network Border/Control Plane Node External Network Upgrade software on one of the routers acting as Border node Co-locate the Control Plane node function on the Border for simplicity Upgrade software on the access switch IS-IS is the recommended option for Fabric networks, but any IGP could do.

117 Prepping the Switch / /32 C B Edge Node IP Network Border/Control Plane Node External Network Do not forget to set following on the Edge node: Set MTU to 9100 on the switch and the existing network. Configure Loopback0 (/32), and underlay IP addresses

118 Fabric Configuration on Edge node / /32 C B Edge Node IP Network Border/Control Plane Node External Network router lisp encapsulation vxlan locator-table default locator-set rloc_sjc18 IPv4-interface Loopback0 priority 10 weight 10 exit! disable-ttl-propagate ipv4 sgt ipv4 use-petr ipv4 itr map-resolver ipv4 itr ipv4 etr map-server key cisco ipv4 etr exit

119 Border and Control Plane Configuration / /32 C B Edge Node IP Network Border/Control Plane Node External Network router lisp encapsulation vxlan locator-table default exit! disable-ttl-propagate ipv4 map-server ipv4 map-resolver ipv4 sgt ipv4 proxy-etr ipv4 proxy-itr ipv4 itr map-resolver ipv4 etr map-server key cisco ipv4 etr exit router lisp site site_uci authentication-key cisco exit ipv4 map-server ipv4 map-resolver exit

120 VRF Configuration on Edge and Border / /32 C B Edge Node IP Network Border/Control Plane Node External Network ip vrf CORPORATE rd 1:1 route-target export 1:1 route-target import 1:1

121 Two options for defining Endpoint ID space / /32 C B Edge Node IP Network Border/Control Plane Node External Network Retain same subnets as of today Use net new subnets

122 Considerations of Retaining Existing EID structure / /32 C B Edge Node IP Network Border/Control Plane Node External Network No changes to existing DHCP scope and subnet size No changes to existing firewall or other policies that are based on IP-ACL Old network design is retained for familiarity Need to revert changes on existing interfaces (SVIs) if moving back to old network in case of issues

123 Considerations of Net new Endpoint ID structure / /32 C B Edge Node IP Network Border/Control Plane Node External Network Changes to existing DHCP scope and subnet size Changes to existing firewall or other policies that are based on IP-ACL Re-IP the network based on Fabric Campus design less, but larger subnets Reverting back to old network is as easy as re-assigning VLANs on Access ports less impacting

124 Configure L2 VLAN and SVI at Edge Node / /32 C B Edge Node IP Network Border/Control Plane Node External Network vlan 3 name Bldg18_1_Users! interface Vlan3 ip vrf forwarding CORPORATE ip dhcp relay source-interface Loopback0 ip address ip helper-address global no ip redirects ip local-proxy-arp ip route-cache same-interface logging event link-status load-interval 30 lisp mobility CORPORATE_10_2_3_0

125 Adding EID space on Edge node / /32 C B Edge Node IP Network Border/Control Plane Node External Network router lisp locator-table default eid-table vrf CORPORATE instance-id 10 dynamic-eid CORPORATE_10_2_3_0 database-mapping /24 locator-set rloc_sjc18 exit

126 Adding EID space on Border/Control Plane node / /32 C B Edge Node IP Network Border/Control Plane Node External Network router lisp locator-table default eid-table vrf CORPORATE instance-id 10 map-cache /24 map-request exit! site site_uci authentication-key cisco eid-prefix instance-id /24 accept-more-specifics exit

127 Considerations of Net new Endpoint ID structure / /32 C B Edge Node IP Network Border/Control Plane Node External Network Re-configure the other VLANs and SVIs as shown in previous slides Add those subnets as EIDs in Fabric Edge, and the Border/Control Plane node All VLANs on Edge node are now part of Campus Fabric

128 Exporting Fabric Prefixes to External Network / /32 C B Edge Node IP Network Border/Control Plane Node External Network Only export Fabric prefixes (overlay) to the External network No need to import External prefixes into Fabric since Border acts as default to unknown destinations External network needs a route to direct traffic back to the Fabric prefixes. Preferred choice of exchanging routing information is BGP

129 Advertising Fabric Prefixes to External Network - OSPF / /32 C B Edge Node IP Network Border/Control Plane Node External Network router lisp locator-table default! eid-table vrf CORPORATE instance-id 10 ipv4 route-export site-registrations ipv4 map-cache site-registration exit! router ospfv3 123! address-family ipv4 unicast vrf CORPORATE summary-prefix /24 redistribute lisp metric 10 exit-address-family interface Vlan4090 ip vrf forwarding CORPORATE ip address ip ospf network point-to-point ip ospf mtu-ignore ipv6 enable ospfv3 123 ipv4 area 0 end

130 Advertising Fabric Prefixes to External Network - OSPF / /32 C B Edge Node IP Network Border/Control Plane Node External Network interface GigabitEthernet0/0/ encapsulation dot1q 4090 ip address ip ospf network point-to-point ip ospf mtu-ignore ipv6 enable ospfv3 123 ipv4 area 0 end! router ospfv3 123! address-family ipv4 unicast exit-address-family

131 Advertising Fabric Prefixes to External Network - BGP / /32 C B Edge Node IP Network Border/Control Plane Node External Network router lisp locator-table default! eid-table vrf CORPORATE instance-id 10 ipv4 route-export site-registrations ipv4 map-cache site-registration exit! router bgp address-family ipv4 vrf CORPORATE redistribute lisp metric 10 aggregate-address summary-only neighbor remote-as neighbor activate exit

132 Repeat Slides Add second Control Plane/External Border node Add Internal Borders for WAN, Datacentre and Shared Resources connectivity Configure routing on Internal Borders to advertise fabric prefixes to external network; and register known external prefixes within the fabric Distribute Control Plane and External Border functions to respective switches

133 Routed Access Network DDI MPLS MPLS I-NET Branch IWAN DC IWAN Internet Internal Borders External Borders Control Plane Node Control Plane Node Fabric Edge Nodes

134 Upgrade and provision other Fabric Edge nodes / / /32 Edge Node /32 Edge Node Control Plane Control Plane /32 C C IP Network IP Network External Border /32 External Border External Network Upgrade other switches in the access layer as Fabric-Edge nodes in a similar fashion Copy paste fabric (except Loopback and couple other) and EID space configuration from the first switch to the others B B

135 work DDI MPLS MPLS I-NET Branch IWAN DC IWAN Internet Internal Borders External Borders Campus Fabric

136 Wireless

137 Wireless Deployment models Cisco Unified Wireless Network (Centralised Wireless) Flex Connect Converged Access

138 Where do I connect WLCs and APs WLC connect outside the fabric to Internal Border or outside the fabric APs can connect to in the overlay EID space in fabric Leverage stretched wired subnets to create one VLAN across fabric for all APs

139 Centralised Wireless and Campus Fabric / /32 Campus Fabric B IP Network Management IP /24 Edge Node Internal Border/s / /24 WLCs connect behind Internal Border in the Underlay Internal Border advertises WLC Management subnet to the Fabric Internal Border advertises Fabric prefixes to the WLC Management network

140 Centralised Wireless and Campus Fabric / /32 Campus Fabric B IP Network Management IP /24 Edge Node Internal Border/s /21 Wireless Clients Subnet Wireless SSIDs are mapped to VLAN/Subnet at WLC in the form of dynamic interfaces Internal Border advertises Wireless client subnets to the Fabric

141 Centralised Wireless and Campus Fabric AP VLAN / / /32 Campus Fabric B IP Network Edge Node / /32 AP VLAN /20 Internal Border/s /20 Edge Node Access Points are in overlay space on Fabric Edge switches One subnet for APs across the entire Fabric in Campus APs get registered in the Host Tracking Database (HTDB) running on Control node Simplified IP design for the network

142 Centralised Wireless and Campus Fabric / /32 Campus Fabric B IP Network Management IP /24 Edge Node Internal Border/s CAPWAP is built from the AP to the WLC When this traffic hits the Fabric Edge switch, it encapsulates CAPWAP in VXLAN and forwards it to Internal Border The outer VXLAN header is removed by the Internal Border, and underlying CAPWAP packet is forwarded to the WLC

143 Impact of Multiple Encapsulations to Frame size ETHERNET IP PAYLOAD ETHERNET IP UDP CAPWAP ETHERNET IP PAYLOAD ETHERNET IP UDP VXLAN ETHERNET IP UDP CAPWAP ETHERNET IP PAYLOAD

144 Centralised Wireless and Campus Fabric: AP Join / /32 Campus Fabric B IP Network Management IP /24 Edge Node Internal Border/s WLC discovery by AP happens the same as of today. Layer-3 CAPWAP, Locally configured Controller IP Address, DHCP Server discovery via Option 43, DNS Discovery AP sends a frame padded to 1485 bytes with DF=1 Edge encapsulates frame in VXLAN that takes it above 1500 bytes

145 Centralised Wireless and Campus Fabric: AP Join / /32 Campus Fabric B IP Network Management IP /24 Edge Node Internal Border/s Fabric Edge drops the packet and sends an ICMP error back to AP AP drops frame size to 576 bytes and Joins WLC successfully AP tries to find the optimum frame size by stepping up to 1000 bytes, 1300 bytes and 1485 bytes again Increase MTU to 9100 of existing network interfaces in the underlay to avoid fragmentation challenges

146 Centralised Wireless and Campus Fabric AP VLAN /20 Campus Fabric /32 B Client VLAN /21 IP Network /20 Internal Border/s /21 Clients are authenticated and on-boarded by WLC Wireless clients are external to fabric in this case

147 Centralised Wireless and Campus Fabric AP VLAN / /20 Wired VLAN /20 Campus Fabric /32 B Internal Border/s Client VLAN /21 IP Network / /20 Communication from a wired host in Fabric to Wireless Client outside fabric will occur through Internal Border JUST LIKE TODAY!! For the fabric, it is a fabric host communicating to a known destination external to the fabric

148 Centralised Wireless and Campus Fabric Over-The-Top (OTT) Wireless Consider increasing MTU on transit switches to prevent fragmentation issues Least impact to wireless since fabric is just a transport Supports all the APs that are supported by the WLC release software Leverage common subnet for AP across campus No changes to wireless roaming performance All the other features of Wireless such as AVC, Location services, QoS, Bonjour, mdns, RRM and others will work EXACTLY like they work today Managed by Cisco Prime Infrastructure

149 Take Away

150 Session Summary 1. Control-Plane based on LISP 2. Data-Plane based on VXLAN 3. Policy-Plane based on TrustSec

151 What to do next? 1. Update your Hardware and Software! Catalyst 3650 or New IOS-XE Catalyst 4500 w/ Sup8E - New IOS-XE 3.9+ Catalyst 6807, 6880 or New IOS 15.4SY+ Nexus 7700 w/ M3 Cards - New NX-OS ASR1000-X or ISR New IOS-XE Try out Campus Fabric in your Lab! You only need 2 or 3 (+) switches to test this solution At least 1 Control-Plane + Border and 1 Fabric Edge 3. Trial Deployments (Remember: its an Overlay) IP Network You can install new C-Plane, Border and Edge Nodes without modifying your existing (Underlay) network

152 Campus Fabric CVD on Cisco.com

153 Coming Soon Secure, Policy-based Automation Complete Visibility and Assurance Faster Service Enablement Policy-based Automated Network Provisioning across ALL network domains. Monitor the entire Wired, Wireless and WAN network as a Single Entity. Quickly enable services using open APIs across a Services Ecosystem.

154 Campus Fabric Related Sessions We recommend the following sessions: 1. BRKCRS-1800: DNA Campus Fabric An Introduction 21/02/17 11: hours 2. BRKCRS-3800: DNA Campus Fabric A Look Under the Hood 22/02/17 09:00 2 hours 3. : DNA Campus Fabric - How to Integrate with Your Existing Network 22/02/17 11: hours 4. BRKCRS-2802: DNA Campus Fabric Monitoring & Troubleshooting 22/02/17 14: hours 5. BRKCRS-2803: DNA Campus Fabric Connecting Outside the Fabric 22/02/17 16: hours 6. BRKACI-2400: DNA Campus Fabric Integration with Data Center Architectures 23/02/17 14: hours 7. BRKEWN-2300: Virtualize Your Wired and Wireless Network (w/ Campus Fabric) 24/02/17 09:00 2 hours

155 Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Lunch & Learn Meet the Engineer 1:1 meetings Related sessions

156 Q & A

157 Complete Your Online Session Evaluation Give us your feedback and receive a Cisco Live 2017 Cap by completing the overall event evaluation and 5 session evaluations. All evaluations can be completed via the Cisco Live Mobile App. Caps can be collected Friday 10 March at Registration. Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations

158 Thank you

159