Cisco Campus Fabric Introduction. Vedran Hafner Systems engineer Cisco

Similar documents
Evolving your Campus Network with. Campus Fabric. Shawn Wargo. Technical Marketing Engineer BRKCRS-3800

Campus Fabric. How To Integrate With Your Existing Networks. Kedar Karmarkar - Technical Leader BRKCRS-2801

Tech Update Oktober Rene Andersen / Ib Hansen

SD-Access Wireless: why would you care?

Več kot SDN - SDA arhitektura v uporabniških omrežjih

DNA Campus Fabric. How to Migrate The Existing Network. Kedar Karmarkar - Technical Leader BRKCRS-2801

Software-Defined Access 1.0

Software-Defined Access 1.0

DNA SA Border Node Support

Software-Defined Access Design Guide

Cisco.Network.Intuitive FastLane IT Forum. Andreas Korn Systems Engineer

Cisco Software-Defined Access

Campus Fabric Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 9300 Switches)

Campus Fabric Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 3650 Switches)

Software-Defined Access Wireless

Cisco SD-Access Policy Driven Manageability

Software-Defined Access Wireless

Locator ID Separation Protocol (LISP) Overview

Software-Defined Access Wireless

Cisco SD-Access Hands-on Lab

Network as an Enforcer (NaaE) Cisco Services. Network as an Enforcer Cisco and/or its affiliates. All rights reserved.

VXLAN Overview: Cisco Nexus 9000 Series Switches

Implementing VXLAN in DataCenter

INTRODUCTION 2 DOCUMENT USE PREREQUISITES 2

Cisco Software Defined Access (SDA)

Choice of Segmentation and Group Based Policies for Enterprise Networks

Deploying LISP Host Mobility with an Extended Subnet

TrustSec (NaaS / NaaE)

Location ID Separation Protocol. Gregory Johnson -

TTL Propagate Disable and Site-ID Qualification

Cisco IOS LISP Application Note Series: Lab Testing Guide

Implementing VXLAN. Prerequisites for implementing VXLANs. Information about Implementing VXLAN

Enterprise. Nexus 1000V. L2/L3 Fabric WAN/PE. Customer VRF. MPLS Backbone. Service Provider Data Center-1 Customer VRF WAN/PE OTV OTV.

Cisco SD-Access: Enterprise Networking Made Fast and Flexible. November 2017

SD-Access Wireless Design and Deployment Guide

Cisco IOS LISP Application Note Series: Access Control Lists

Cisco TrustSec 4.0:How to Create Campus and Branch-Office Segmentation

Cisco Trusted Security Enabling Switch Security Services

Data Center Configuration. 1. Configuring VXLAN

Cisco Software-Defined Access

IP Mobility Design Considerations

Cisco TrustSec How-To Guide: Central Web Authentication

P ART 3. Configuring the Infrastructure

Securing BYOD with Cisco TrustSec Security Group Firewalling

Demand-Based Control Planes for Switching Fabrics

Cisco Cloud Services Router 1000V with Cisco IOS XE Software Release 3.13

Virtual Security Gateway Overview

Introduction to External Connectivity

VXLAN Design with Cisco Nexus 9300 Platform Switches

CISCO EXAM QUESTIONS & ANSWERS

CertKiller q

THE NETWORK. INTUITIVE. Powered by intent, informed by context. Rajinder Singh Product Sales Specialist - ASEAN August 2017

IP Routing: LISP Configuration Guide, Cisco IOS Release 15M&T

Cisco Exam Questions & Answers

Mobility and Virtualization in the Data Center with LISP and OTV

OpenFlow: What s it Good for?

Identity Based Network Access

Cisco TrustSec How-To Guide: Universal Configuration for the Cisco Wireless LAN Controller

Cisco Software-Defined Access

VXLAN Deployment Use Cases and Best Practices

PassTorrent. Pass your actual test with our latest and valid practice torrent at once

Cisco ACI Multi-Pod/Multi-Site Deployment Options Max Ardica Principal Engineer BRKACI-2003

Cisco Exam Questions & Answers

Optimizing Layer 2 DCI with OTV between Multiple VXLAN EVPN Fabrics (Multifabric)

LISP Router IPv6 Configuration Commands

Borderless Networks. Tom Schepers, Director Systems Engineering

Policy Defined Segmentation with Cisco TrustSec

User-to-Data-Center Access Control Using TrustSec Design Guide

Intelligent WAN Multiple VRFs Deployment Guide

Cisco TrustSec Software-Defined Segmentation Platform and Capability Matrix Release 6.3

Troubleshooting sieci opartej na. Mariusz Kazmierski, CCIE #25082 (R&S, SP) TAC EMEAR Technical Leader Switching

Multi-site Datacenter Network Infrastructures

2012 Cisco and/or its affiliates. All rights reserved. 1

Mobility and Virtualization in the Data Center with LISP and OTV

Lecture 7 Advanced Networking Virtual LAN. Antonio Cianfrani DIET Department Networking Group netlab.uniroma1.it

Cisco SD-Access Building the Routed Underlay

Fundamentals and Deployment of Cisco SD-WAN Duration: 3 Days (24 hours) Prerequisites

Cisco ONE Software Overview. October 2017

Provisioning Overlay Networks

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

MPLS VPN over mgre. Finding Feature Information. Last Updated: November 1, 2012

Foreword xxiii Preface xxvii IPv6 Rationale and Features

Contents. Introduction. Prerequisites. Requirements. Components Used

Transforming the Network for the Digital Business

Configuring Cisco Nexus 7000 Series Switches

Cisco Actualanswers Exam

CCNA Routing and Switching (NI )

Exam Code: Exam Code: Exam Name: Advanced Borderless Network Architecture Systems Engineer test.

Cisco TrustSec How-To Guide: Phased Deployment Overview

Module 5: Cisco Nexus 7000 Series Switch Administration, Management and Troubleshooting

Cisco Nexus 7000 Series NX-OS LISP Configuration Guide

LISP. - innovative mobility w/ Cisco Architectures. Gerd Pflueger Consulting Systems Engineer Central Europe Version 0.

TEXTBOOK MAPPING CISCO COMPANION GUIDES

CCNA. Murlisona App. Hiralal Lane, Ravivar Karanja, Near Pethe High-School, ,

Configuring the Service Discovery Gateway

Cisco Configuring Cisco Nexus 7000 Switches v3.1 (DCNX7K)

LISP A Next-Generation Networking Architecture

Cisco Certified Network Associate ( )

LISP: What and Why. RIPE Berlin May, Vince Fuller (for Dino, Dave, Darrel, et al)

Cisco Group Based Policy Platform and Capability Matrix Release 6.4

Transcription:

Cisco Campus Fabric Introduction Vedran Hafner Systems engineer Cisco

Campus Fabric Abstract Is your Campus network facing some, or all, of these challenges? Host Mobility (w/o stretching VLANs) Network Segmentation (w/o implementing MPLS) Role-based Access Control (w/o end-to-end TrustSec) Using Cisco technologies available today, you can overcome these challenges and build an Evolved Campus Network to better meet your business objectives. 3

Agenda 1 2 3 4 5 Key Benefits Why do I care? Key Concepts What is a Fabric? Solution Overview What are the components? Putting It Together How do I build it? Use Case

Key Benefits Key Concepts Solution Overview Key Benefits Why do I care? Putting It Together Use Case

Cisco Digital Network Architecture Overview Network-enabled Applications Cloud Service Management Policy Orchestration Open APIs Developers Environment Insights & Experiences Principles Automation Abstraction & Policy Control from Core to Edge Analytics Network Data, Contextual Insights Automation & Assurance Open & Programmable Standards-Based Virtualization Security & Compliance Physical & Virtual Infrastructure App Hosting Cloud-enabled Software-delivered 6

Campus Fabric Foundational Technologies Programmable Custom ASICs Converged Software Services Industry Leading Wired and Wireless Stacking TrustSec SDN Advanced Functionality Programmable Pipeline Flexibility Recirculation Optimized for Campus Integrated Stacking Visibility Security Future Proofed Long Life Cycle Investment Protection + Network Enabled Applications Collaboration Mobility IoT Security ` Automation Programmable Open Virtualization Campus Fabric Segmentation L2 Flexibility Designed for Evolution Strong Foundational Capabilities HA Driving Innovation Through Technology Investment 7

Provision Simplified Provisioning Deploy devices using best practice configurations using models and Smart CLI 8 BRKCRS-1800

X Segmentation Security Simple Segmentation constructs to build Secure boundaries for users and things 9 BRKCRS-1800

Mobility Wired and Wireless Host Mobility because your address is no longer tied to your location 10 BRKCRS-1800

Intelligent Policy Network Wide Policy Enforcement based on your identity, not on your address 11 BRKCRS-1800

Key Benefits Key Concepts Solution Overview Key Concepts What is a Fabric? Putting It Together Use Case

What exactly is a Fabric? A Fabric is an Overlay An Overlay is a logical topology used to virtually connect devices, built on top of an arbitrary physical Underlay topology. An Overlay network often uses alternate forwarding attributes to provide additional services, not provided by the Underlay. Examples of Network Overlays GRE or mgre MPLS or VPLS IPSec or DMVPN CAPWAP LISP OTV DFA ACI 13

What exactly is a Fabric? Why Overlays? Separate the Forwarding Plane from the Services Plane Simple Transport Forwarding Physical Devices and Paths Intelligent Packet Handling Maximize Network Availability Simple and Manageable Flexible Virtual Services Mobility Track End-points at Edges Scalability Reduce core state Distribute state to network edge Flexibility and Programmability Reduced number of touch points 14

What exactly is a Fabric? Overlay Terminology Overlay Network Overlay Control Plane Encapsulation Edge Device Edge Device Hosts (End-Points) Underlay Network Underlay Control Plane 15

What exactly is a Fabric? Types of Overlays Hybrid L2 + L3 Overlays offer the Best of Both Worlds Layer 2 Overlays Emulates a LAN segment Transport Ethernet Frames (IP & Non-IP) Single subnet mobility (L2 domain) Exposure to Layer 2 flooding Useful in emulating physical topologies Layer 3 Overlays Abstract IP connectivity Transport IP Packets (IPv4 & IPv6) Full mobility regardless of Gateway Contain network related failures (floods) Useful to abstract connectivity and policy 16

What is unique about Campus Fabric? Key Differences 1. LISP based Control-Plane 2. VXLAN based Data-Plane 3. Integrated Cisco TrustSec Key Differences L2 + L3 Overlay -vs- L2 or L3 Only Host Mobility with Anycast Gateway Adds VRF + SGT into Data-Plane Virtual Tunnel Endpoints (No Static) No Topology Limitations (Basic IP) 17

Campus Fabric New Terminology Control-Plane Node LISP Map-Server Edge Node LISP Tunnel Router (xtr) Border Node LISP Proxy Tunnel Router (PxTR) Intermediate Node Non-LISP IP Forwarder 18

Campus Fabric Overview New Terminology Fabric Domain FD LISP Process Virtual Network VN LISP Instance VRF Endpoint ID Group EIG Segment SGT Host Pool Dynamic EID VLAN + IP Subnet 19

Key Benefits Key Concepts Solution Overview Solution Overview What are the components? Putting It Together Use Case Locator / ID Separation Protocol (LISP) VXLAN Encapsulation Cisco TrustSec

What is LISP? 21

Locator/ID Separation Protocol (LISP) A routing Architecture Separate address spaces for Identity and Location End-point Identifiers (EID) Routing locators (RLOC) A Control Plane Protocol EID EID RLOC Mapping System EID A system that maps end-point identities to their current location (RLOC) EID EID EID A Data Plane Protocol Encapsulates EID-addressed packets inside RLOC-addressed headers 22

Locator / ID Separation Protocol Location and Identity Separation 10.1.0.1 Device IPv4 or IPv6 Address represents both Identity and Location IP core 20.2.0.9 Traditional Behavior - Location + ID are Combined When the Device moves, it gets a new IPv4 or IPv6 Address for its new Identity and Location 10.1.0.1 Device IPv4 or IPv6 Address represents Identity only IP core 10.1.0.1 Overlay Behavior - Location & ID are Separated When the Device moves, it keeps the same IPv4 or IPv6 Address. It has the Same Identity Location Is Here Only the Location Changes 23

How is LISP used in Campus Fabric? 24

Campus Fabric Control-Plane Nodes A Closer Look Fabric Control-Plane Node is based on a LISP Map Server / Resolver Runs the LISP Host Tracking Database to provide overlay reachability information A simple Host Database, that tracks Endpoint ID to Edge Node bindings, along with other attributes C Host Database supports multiple Endpoint ID lookup keys (IPv4 /32, IPv6 /128 or MAC) Receives prefix registrations from Edge Nodes with local Endpoints Resolves lookup requests from remote Edge Nodes, to locate local Endpoints 25

Campus Fabric Edge Nodes A Closer Look Fabric Edge Node is based on a LISP Tunnel Router (xtr) Provides connectivity for Users and Devices connected to the Fabric Responsible for Identifying and Authenticating Endpoints Register Endpoint ID information with the Control-Plane Node(s) Provides Anycast L3 Gateway for connected Endpoints Must encapsulate / decapsulate host traffic to and from Endpoints connected to the Fabric E E E 26

Campus Fabric Border Nodes A Closer Look Fabric Border Node is based on a LISP Proxy Tunnel Router (PxTR) All traffic entering or leaving the Fabric goes through this type of node Connects traditional L3 networks and / or different Fabric domains to the local domain Where two domains exchange Endpoint reachability and policy information Responsible for translation of context (VRF and SGT) from one domain to another Provides a domain exit point for all Edge Nodes B B 27

LISP Mobility in Campus Fabric Host Pool is based on an IP Subnet + VLAN ID Provides the basic IP constructs, including Anycast Gateway for each Host Pool Edge Nodes maintain a Switch Virtual Interface (SVI), with IP Subnet, Gateway IP, etc. for each Host Pool LISP uses Dynamic EID to advertise each Host Pool (within each Instance ID) LISP Dynamic EID allows Host-specific (/32, /128, MAC) advertisement and mobility Pool 2 Pool 1 Pool 3 Pool 5 Pool 4 Pool 6 Pool 8 Pool 7 Pool 9 Host Pools can either be assigned Statically (per port) or Dynamically (using Host Authentication) 28

LISP Secure Segmentation in Campus Fabric Virtual Network (VN) based on Virtual Routing and Forwarding (VRF) Maintains a separate Routing and Switching instance for each Virtual Network LISP uses Instance ID to maintain independent VRF topologies ( Default VRF is Instance ID 0 ) LISP adds VNID to the LISP / VXLAN encapsulation Endpoint ID prefixes (Host Pools) are advertised within the LISP Instance ID VN A VN B VN C 29

How does LISP work? 30

Locator / ID Separation Protocol LISP Mapping System LISP Mapping System is analogous to a DNS lookup DNS resolves IP Addresses for queried Name Answers the WHO IS question Host [ Who is lisp.cisco.com ]? DNS Server [ Address is 153.16.5.29, 2610:D0:110C:1::3 ] DNS Name -to- IP URL Resolution LISP resolves Locators for queried Identities Answers the WHERE IS question LISP Router [ Where is 2610:D0:110C:1::3 ]? LISP Map System [ Locator is 128.107.81.169, 128.107.81.170 ] LISP ID -to- Locator Map Resolution 31

Want to know more about LISP? 32

Locator / ID Separation Protocol (LISP) Would you like to know more? At Cisco Live Berlin 2017 www.ciscolive.com BRKRST-3800 - DNA Campus Fabric A Look Under the Hood BRKRST-3045 - LISP - A Next Generation Networking Architecture BRKRST-3047 - Troubleshooting LISP LTRDCT-2224 - Enhancing VXLAN/EVPN Fabrics with LISP Other References Cisco LISP Site Cisco LISP Marketing Site LISP Beta Network Site IETF LISP Working Group Fundamentals of LISP http://lisp.cisco.com http://www.cisco.com/go/lisp/ http://www.lisp4.net or http://www.lisp6.net http://tools.ietf.org/wg/lisp/ https://www.youtube.com/watch?v=lkrv1qb8uqa 33

Key Benefits Key Concepts Solution Overview Solution Overview What are the components? Putting It Together Use Case Locator / ID Separation Protocol VXLAN Encapsulation Cisco TrustSec 3

What is Cisco TrustSec (CTS)? 35

Cisco TrustSec Traditional segmentation is extremely complex access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165 access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428 access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511 access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945 access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116 access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959 access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993 access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848 access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878 access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216 access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111 access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175 access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462 access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384 Static ACL Routing Redundancy DHCP Scope Address VLAN Limits of Traditional Segmentation Security Policy based on Topology (Address) High cost and complex maintenance Non-Compliant Applications Voice Enterprise Backbone VACL Employee Aggregation Layer Access Layer Supplier BYOD Enforcement IP Based Policies - ACLs, Firewall Rules Propagation Carry Segment context through the network using VLAN, IP address, VRF Classification Static or Dynamic VLAN assignments Quarantine VLAN Voice VLAN Data VLAN Guest VLAN BYOD VLAN 36

Cisco TrustSec Simplified segmentation with Group Based Policy Enforcement Group Based Policies ACLs, Firewall Rules Shared Services Application Servers Propagation Carry Group context through the network using only SGT Enforcement Enterprise Backbone DC Switch or Firewall ISE Classification Static or Dynamic SGT assignments Campus Switch Campus Switch DC switch receives policy for only what is connected Employee Tag Supplier Tag Non-Compliant Employee Voice Voice Employee Supplier Non-Compliant Non-Compliant Tag VLAN A VLAN B 5-7 April 2017 Cisco Connect Pula, BRKCRS-1800 Croatia 37

How is Cisco TrustSec used in Campus Fabric? 38

Cisco Trust Security Identity Services Engine enables CTS NDAC authenticates Network Devices for a trusted CTS domain SGT and SGT Names Centrally defined Endpoint ID Groups Scalable Group ACL Sources Destinations SGACL - Name Table NDAC Network Device Admission Control Cisco ISE SGT and SGT Names Scalable Group Tags 3: Employee 4: Contractors 8: PCI_Servers 9: App_Servers SGACL - Name Table Policy matrix to be pushed down to the network devices ISE dynamically authenticates endpoint users and devices, and assigns SGTs Rogue Device(s) 802.1X Dynamic SGT Assignment Static SGT Assignment 39

Campus Fabric Endpoint ID Groups A Closer Look Endpoint ID Group is based on a Scalable Group Tag (SGT) Each User or Device is assigned to a unique Endpoint ID Group (EIG) CTS uses Endpoint ID Groups to assign a unique Scalable Group Tag (SGT) to Host Pools LISP adds SGT to the LISP / VXLAN encapsulation CTS EIGs are used to manage address-independent Group-Based Policies Individual Edge and Border Nodes use SGT to enforce local Scalable Group ACLs (SGACLs) EIG 2 EIG 1 EIG 3 EIG 5 EIG 4 EIG 6 EIG 8 EIG 7 EIG 9 40

Want to know more about TrustSec? 41

Cisco Trust Security (CTS) Would you like to know more? At Cisco Live Berlin 2017 www.ciscolive.com BRKCOC-2255 - Inside Cisco IT: How Cisco deployed ISE and TrustSec, globally BRKSEC-2203 - Intermediate - Enabling TrustSec Software-Defined Segmentation TECSEC-2222 - Securing Networks with Cisco TrustSec Other References Cisco TrustSec Marketing Site Cisco TrustSec Config Guide CTS Architecture Overview CTS 2.0 Design Guide Fundamentals of TrustSec http://www.cisco.com/go/trustsec/ cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec.html cisco.com/docs/switches/lan/trustsec/configuration/guide/trustsec/arch_over.html cisco.com/td/docs/solutions/enterprise/security/trustsec_2-0/trustsec_2-0_dig.pdf https://www.youtube.com/watch?v=78-gv7pz18i 5-7 April 2017 Cisco Connect Pula, BRKCRS-1800 Croatia 42

Key Benefits Key Concepts Solution Overview Putting It Together Solution Overview What are the components? Use Case Locator / ID Separation Protocol Virtual Extenible LAN (VXLAN) Encapsulation Cisco TrustSec

What is Virtual Extensible LAN (VXLAN) Encapsulation? 44

VXLAN Encapsulation VXLAN is the Data Plane ETHERNET IP PAYLOAD ORIGINAL PACKET Supports L3 Overlay ETHERNET IP UDP LISP IP PAYLOAD PACKET IN LISP ETHERNET IP UDP VXLAN ETHERNET IP PAYLOAD PACKET IN VXLAN Supports L2 and L3 Overlay 5-7 April 2017 Cisco Connect Pula, BRKCRS-1800 Croatia 45

Data-Plane Overview Fabric Header Encapsulation Fabric Data-Plane provides the following: Underlay address advertisement and mapping Automatic tunnel setup (Virtual Tunnel End-Points) Frame encapsulation between Routing Locators Support for LISP or VXLAN header format Nearly the same, with different fields and payload LISP header carries IP payload (IP in IP) VXLAN header carries MAC payload (MAC in IP) Inner Outer Inner Inner Outer Decap Triggered by LISP Control-Plane events ARP or NDP Learning on L3 Gateways Map-Reply or Cache on Routing Locators Inner Encap 46

Key Benefits Key Concepts Putting It Together How do I build it? Solution Overview Putting It Together Use Case

What Cisco switches support Campus fabric? 48

Platform Support Fabric Edge Nodes - Options Catalyst 3K Catalyst 4K Catalyst 3650 Catalyst 3850 1G/MGIG (Copper) IOS-XE 16.3.1+ Catalyst 4500 Sup8E (Uplinks) 4700 Cards IOS-XE 3.9.1+

Platform Support Fabric Border Nodes - Options Catalyst 3K Catalyst 6K ASR1K & ISR4K Nexus 7K Catalyst 3850 12/24 or 48XS 1/10G (Fiber) IOS-XE 16.3.1+ Catalyst 6800 Sup2T or 6T 6880 or 6840-X IOS 15.4.1SY+ ASR1000-X ISR4430/4450 X or HX Series IOS-XE 16.4.1+ Nexus 7700 Sup2E M3 Cards NXOS 7.3.2+

Platform Support Fabric Control-Plane - Options Catalyst 3K Catalyst 6K ASR1K & ISR4K Catalyst 3850 12/24 or 48XS 1/10G (Fiber) IOS-XE 16.3.1+ Catalyst 6800 Sup2T or 6T 6880 or 6840-X IOS 15.4.1SY+ ASR1000-X ISR4430/4450 X or HX Series IOS-XE 16.4.1+

How do I configure Campus Fabric? 52

Campus Fabric - Smart CLI Provisioning and Troubleshooting Made Simple What is Smart CLI? Its a new configuration mode to simplify config and management of Campus Fabric Invoked by a new Global command fabric auto Provides a simple set of easy-to-understand CLI fabric_device(config)# fabric auto Auto-generates all of the equivalent (traditional) LISP, VRF, IP, CTS, etc. CLI commands 53

Smart CLI Example Adding a new Edge Node Generate all LISP XTR baseline configs Set up Loopback0 as locator address Creates default neighborhood as instance ID 0 Enables VXLAN encapsulation Adds SGT to VXLAN encapsulation Edge(config)# fabric auto Edge(config-fabric-auto)# domain default Edge(config-fabric-auto-domain)# control-plane 2.2.2.2 auth-key key1 Edge(config-fabric-auto-domain)# border 4.4.4.4 Edge(config-fabric-auto-domain)# exit 54

Smart CLI Example Show Fabric Domain Edge# show fabric domain Fabric Domain : "default" Role : Edge Control-Plane Service: Disabled Border Service: Disabled Number of Control-Plane Nodes: 1 IP Address Auth-key --------------------------------- 2.2.2.2 key1 Number of Border Nodes: 1 IP Address --------------------------------- 4.4.4.4 Number of Neighborhood(s): 4 Name ID Host-pools --------------------------------------------- default 0 2 guest 50 1 pcie 60 1 cisco 70 * Shows current domain (default) Shows current Role(s) Shows Control-Plane Node(s) Shows Border Node(s) Shows Virtual Network(s) Associated Host Pool(s) 55

Campus Fabric - Smart CLI Provisioning and Troubleshooting Made Simple More to Come! J Underlay Network Configure the Interfaces and Protocols to bring up the Underlay network Endpoint ID Groups Configure the AAA and CTS commands for Static & Dynamic ID fabric_device(config)# fabric auto Group Based Policy Configure SGT and SGACL policies And More 56

Key Benefits Key Concepts Solution Overview Putting It Together Use Case Use Case

OK, now that I ve seen all this, why might I use this in my network? 58

EU Regulatory Compliance -GDPR 5-7 April 2017 Cisco Connect Pula, Croatia 59

Use Case Comply with GDPR VLAN 1 VLAN 2 VLAN 3 HQ 60

Use Case Comply with GDPR VN Corp VN IoT VN Guest 61

Take-Away

What to do next? 1. Update your Hardware and Software! Catalyst 3650 or 3850 - New IOS-XE 16.3+ Catalyst 4500 w/ Sup8E - New IOS-XE 3.9+ Catalyst 6807, 6880 or 6840 - New IOS 15.4SY+ Nexus 7700 w/ M3 Cards - New NX-OS 7.3.2+ ASR1000-X or ISR4400 - New IOS-XE 16.4+ 2. Try out Campus Fabric in your Lab! You only need 2 or 3 (+) switches to test this solution At least 1 Control-Plane + Border and 1 Fabric Edge 3. Trial Deployments (Remember: its an Overlay) You can install new C-Plane, Border and Edge Nodes without modifying your existing (Underlay) network 5-7 April 2017 Cisco Connect Pula, Croatia IP Network

Campus Fabric CVD on Cisco.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback