DNA Campus Fabric. How to Migrate The Existing Network. Kedar Karmarkar - Technical Leader BRKCRS-2801


Campus Fabric Abstract

Is your Campus network facing some, or all, of these challenges?
- Host Mobility (without stretching VLANs)
- Network Segmentation (without implementing MPLS)
- Role-based Access Control (without end-to-end TrustSec)

Using Cisco technologies available today, you can overcome these challenges and build an Evolved Campus Network to better meet your business objectives. With this evolution, a key challenge is to be able to support a Distributed Enterprise Infrastructure, which is typically spread across Campus, Branch, DC and Cloud. This session focuses on how to migrate from your existing network today to a Campus Fabric that provides all of the above.

Campus Fabric Related Sessions

We recommend the following sessions:
1. BRKCRS-1800: DNA Campus Fabric - An Introduction. 21/02/17 (Tuesday) @ 11:15, 1.5 hours
2. BRKCRS-3800: DNA Campus Fabric - A Look Under the Hood. 22/02/17 (Wednesday) @ 09:00, 2 hours
3. : DNA Campus Fabric - How to Integrate with Your Existing Network. 22/02/17 (Wednesday) @ 11:30, 1.5 hours
4. BRKCRS-2802: DNA Campus Fabric - Monitoring & Troubleshooting. 22/02/17 (Wednesday) @ 14:30, 1.5 hours
5. BRKCRS-2803: DNA Campus Fabric - Connecting Outside the Fabric. 22/02/17 (Wednesday) @ 16:30, 1.5 hours
6. BRKACI-2400: DNA Campus Fabric - Integration with Data Center Architectures. 23/02/17 (Thursday) @ 14:30, 1.5 hours
7. BRKEWN-2300: Virtualize Your Wired and Wireless Network (with Campus Fabric). 24/02/17 (Friday) @ 09:00, 2 hours

Agenda
1. Key Benefits: Why do I care?
2. Campus Fabric Overview: What is a Fabric?
3. Getting Started: What are the Platform/Network considerations?
4. Network Deployment Models: Layer-2 Access
5. Takeaway: How do I get started?

Key Benefits Why do I care?

Cisco Digital Network Architecture Overview (slide graphic)

- Network-enabled Applications; Insights & Experiences; Automation & Assurance; Security & Compliance
- Principles: Cloud Service Management, Open APIs and Developers Environment, Automation and Abstraction, Policy Control from Core to Edge, Policy Orchestration, Open & Programmable, Standards-Based, Virtualisation, Analytics (Network Data, Contextual Insights)
- Physical & Virtual Infrastructure, App Hosting; Cloud-enabled, Software-delivered

What is Campus Fabric? (slide graphic)

- Foundational Technologies: Programmable Custom ASICs (programmable pipeline, flexibility, recirculation, optimised for Campus); Converged Software; Industry-leading Wired & Wireless; Integrated Stacking; TrustSec; SDN; Visibility; Security; Future-proofed (long life cycle, investment protection)
- Network-enabled Applications: Collaboration, Mobility, IoT, Security
- Automation and Analytics: Controller, Visible, Programmable, Open, Virtualisation
- Campus Fabric: Segmentation, L2 Flexibility, HA; designed for evolution on strong foundational capabilities, driving innovation through technology investment

Provision: Simplified Provisioning. Deploy devices using best-practice configurations, using Smart CLI and programmability models.

Mobility: Wired and Wireless Host Mobility. Always connect to the same L3 gateway.

Segmentation: Security. Simple segmentation constructs to build secure boundaries for users and things.

Intelligent Policy: Network-wide Policy Enforcement. Based on your identity, not on your address.

Campus Fabric Overview What is a Fabric?

What exactly is a Fabric?

A Fabric is an Overlay. An Overlay is a logical topology used to virtually connect devices, built on top of an arbitrary physical Underlay topology. An Overlay network often uses alternate forwarding attributes to provide additional services not provided by the Underlay.

Examples of Network Overlays:
- GRE or mGRE
- LISP
- MPLS or VPLS
- OTV
- IPsec or DMVPN
- DFA
- CAPWAP
- ACI

What exactly is a Fabric? Overlay Terminology (slide diagram): Overlay Network and Overlay Control Plane; Encapsulation between Edge Devices; Hosts (End-Points) behind the Edge Devices; Underlay Network and Underlay Control Plane.

What is unique about Campus Fabric? Key Components

1. Control-Plane based on LISP
2. Data-Plane based on VXLAN
3. Policy-Plane based on TrustSec

Key Differences:
- L2 + L3 Overlay, versus L2 or L3 only
- Host Mobility with Anycast Gateway
- Adds VRF + SGT into the Data-Plane
- Virtual Tunnel Endpoints (no static tunnels)
- No topology limitations (basic IP underlay)

What is unique about Campus Fabric? Fabric Roles & Terminology

- User / Group Repository: an external ID store (e.g. ISE or AD) that can be leveraged to provide dynamic User / Device to Group mapping.
- Control-Plane Nodes: the map system that manages the Endpoint to Gateway (Edge or Border) relationship; holds the Host DB.
- Border Nodes: the L3 gateway device (Core) that connects external L3 network(s) to the Fabric.
- Edge Nodes: the L3 gateway device (Access or Distribution) that connects Endpoints to the Fabric.
- Intermediate Nodes: normal L3 (IP) forwarders in the Underlay.
(Slide diagram: the Fabric Domain (Overlay) with Border, Control-Plane and Edge Nodes over the Intermediate Nodes of the Underlay.)

Campus Fabric Control-Plane Nodes: A Closer Look

The Fabric Control-Plane Node is based on a LISP Map Server / Map Resolver.
- Runs the LISP Host Tracking Database to provide overlay reachability information
- A simple Host Database that tracks Endpoint ID to Edge Node bindings, along with other attributes
- The Host Database supports multiple Endpoint ID lookup keys (IPv4 /32, IPv6 /128 or MAC)
- Receives prefix registrations from Edge Nodes with local Endpoints
- Resolves lookup requests from remote Edge Nodes, to locate local Endpoints

Campus Fabric Edge Nodes: A Closer Look

The Fabric Edge Node is based on a LISP Tunnel Router.
- Provides connectivity for Users and Devices connected to the Fabric
- Responsible for identifying and authenticating Endpoints
- Registers Endpoint ID information with the Control-Plane Node(s)
- Provides the Anycast L3 Gateway for connected Endpoints
- Must encapsulate / decapsulate host traffic to and from Endpoints connected to the Fabric

Campus Fabric Border Nodes: A Closer Look

The Fabric Border Node is based on a LISP Tunnel Router.
- All traffic entering or leaving the Fabric goes through this type of node
- Connects traditional L3 networks and / or different Fabric domains to the local domain
- Where two domains exchange Endpoint reachability and policy information
- Responsible for translation of context (VRF & SGT) from one domain to another
- Provides a domain exit point for all Edge Nodes
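To make the three roles concrete, here is a toy model of the control-plane exchange they rely on. It is an added example, not code from the deck or from Cisco: edge nodes register the endpoint IDs (EIDs) they host against their own locator (RLOC), the control-plane node keeps one host-tracking table per instance-id (one per VRF), and a lookup answers with the registered RLOC or, for a destination nobody registered, with the border's proxy-ETR (the address the deck later configures as "use-petr"). The site name and key reuse the deck's sample configuration (site_uci / cisco); the addresses and instance-ids are constructed samples.

```python
"""Added example, not code from the deck or from Cisco: a toy LISP
control-plane node.  Edge nodes register EIDs for their RLOC; the host
database is keyed by instance-id (VRF); lookups do a longest-prefix match
inside that instance-id and fall back to the border's proxy-ETR.
Addresses and instance-ids are constructed samples."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ControlPlaneNode:
    site_keys: dict                         # site name -> authentication key
    proxy_etr: str                          # border RLOC returned for unknown EIDs
    db: dict = field(default_factory=dict)  # (instance_id, eid network) -> rloc

    def register(self, site: str, key: str, instance_id: int, eid: str, rloc: str) -> bool:
        """Map-Register from an edge node.  Refused when the site key does not
        match; re-registering an existing EID simply moves the binding, which
        is how host mobility is tracked."""
        if self.site_keys.get(site) != key:
            return False
        network = ipaddress.ip_network(eid, strict=False)
        self.db[(instance_id, network)] = rloc
        return True

    def resolve(self, instance_id: int, eid_host: str) -> str:
        """Map-Request from a remote edge: longest-prefix match, restricted to
        the requesting instance-id so one VRF never sees another VRF's hosts."""
        host = ipaddress.ip_address(eid_host)
        best = None
        for (iid, network), rloc in self.db.items():
            if iid != instance_id or host not in network:
                continue
            if best is None or network.prefixlen > best[0].prefixlen:
                best = (network, rloc)
        return best[1] if best else self.proxy_etr

    def bindings(self, instance_id: int) -> dict:
        """Host database view for one instance-id: EID prefix -> RLOC."""
        return {str(n): r for (iid, n), r in self.db.items() if iid == instance_id}


def demo() -> dict:
    """Registration, lookup, instance isolation and mobility in one walk-through."""
    cp = ControlPlaneNode(site_keys={"site_uci": "cisco"}, proxy_etr="192.168.200.1")
    results = {}
    results["bad_key"] = cp.register("site_uci", "wrong", 10, "10.2.3.10/32", "192.168.200.254")
    cp.register("site_uci", "cisco", 10, "10.2.3.10/32", "192.168.200.254")
    results["local"] = cp.resolve(10, "10.2.3.10")        # the edge that registered it
    results["other_vrf"] = cp.resolve(20, "10.2.3.10")    # same address, other instance-id
    results["unknown"] = cp.resolve(10, "172.16.0.1")     # nobody registered it: border
    cp.register("site_uci", "cisco", 10, "10.2.3.10/32", "192.168.200.2")   # host moved
    results["after_move"] = cp.resolve(10, "10.2.3.10")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>11}: {value}")
```

The two behaviours worth noticing are that the instance-id is part of the lookup key (a CORPORATE host is invisible to a lookup from another VN even when the addresses overlap) and that a registration with the wrong site key is dropped before it can move an existing binding.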

Getting Started Platform Considerations

Platform Support: Fabric Edge Nodes - Options

  Family        Platforms                              Notes             Minimum software
  Catalyst 3K   Catalyst 3650, Catalyst 3850 (RJ45)    Fixed portfolio   IOS-XE 16.3+
  Catalyst 4K   Catalyst 4500E, Sup8E (Sup Uplinks)    Modular options   IOS-XE 3.9+

Platform Support: Fabric Border Nodes - Options

  Family          Platforms                                     Minimum software
  Catalyst 3K     Catalyst 3850 12/24 or 48XS, 1/10G (Fibre)    IOS-XE 16.3.1+
  Catalyst 6K     Catalyst 6800 Sup2T or 6T; 6880 or 6840-X     IOS 15.4.1SY+
  ASR1K & ISR4K   ASR1000-X, X or HX Series; ISR4430 / 4450     IOS-XE 16.4.1+
  Nexus 7K        Nexus 7700 Sup2E, M3 cards                    NX-OS 7.3.2+

Platform Support: Fabric Control-Plane - Options

  Family          Platforms                                     Minimum software
  Catalyst 3K     Catalyst 3850 12/24 or 48XS, 1/10G (Fibre)    IOS-XE 16.3.1+
  Catalyst 6K     Catalyst 6800 Sup2T or 6T; 6880 or 6840-X     IOS 15.4.1SY+
  ASR1K & ISR4K   ASR1000-X, X or HX Series; ISR4430 / 4450     IOS-XE 16.4.1+

Getting Started Network Considerations

Network Considerations - MTU

- VXLAN adds 50 bytes to the original Ethernet frame
- Avoid fragmentation by adjusting the network MTU
- Ensure Jumbo Frame support on switches in the underlay network
(Slide diagram: Overlay Network MTU 1500; Underlay Network MTU 1500 + encapsulation)
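The 50 bytes above and the "VRF + SGT in the data plane" difference from the Key Components slide are easiest to see by building the encapsulation. The following is an added example, not code from the deck or from Cisco: it wraps a host frame in outer Ethernet, IPv4, UDP and VXLAN headers, checks the result against an underlay IP MTU, and parses it back out, recovering the VNI (the LISP instance-id, i.e. the VRF) and the 16-bit group policy ID carrying the SGT. The header layout follows RFC 7348 plus the VXLAN group-policy extension, which is assumed here to match the fabric data plane; the RLOCs, VNI and SGT values are constructed samples.

```python
"""Added example, not from the deck or from Cisco: VXLAN (with the group
policy extension) encapsulation and decapsulation, to show the 50-byte
overhead, the MTU check, and where VNI (VRF) and SGT sit.  Layout per
RFC 7348 + the VXLAN group-policy draft (assumed); sample values are
constructed."""
import ipaddress
import struct

VXLAN_UDP_PORT = 4789
OUTER_ETH_LEN, OUTER_IPV4_LEN, UDP_LEN, VXLAN_LEN = 14, 20, 8, 8
FLAG_VNI_VALID, FLAG_GROUP_POLICY = 0x08, 0x80


def vxlan_overhead() -> int:
    """Bytes added to the original Ethernet frame: outer Ethernet + IPv4 + UDP + VXLAN."""
    return OUTER_ETH_LEN + OUTER_IPV4_LEN + UDP_LEN + VXLAN_LEN


def fits_underlay(inner_ip_len: int, underlay_ip_mtu: int) -> bool:
    """The outer IPv4 packet = inner IP packet + inner Ethernet header (14)
    + VXLAN/UDP/outer IP (36) = inner + 50.  The outer header sets DF, so it
    must fit the underlay IP MTU rather than be fragmented."""
    return inner_ip_len + vxlan_overhead() <= underlay_ip_mtu


def vxlan_header(vni: int, sgt: int) -> bytes:
    """flags(1) reserved(1) group-policy-id(2) vni(3) reserved(1)."""
    if not 0 <= vni < 2 ** 24 or not 0 <= sgt < 2 ** 16:
        raise ValueError("VNI must fit in 24 bits and SGT in 16 bits")
    flags = FLAG_VNI_VALID | (FLAG_GROUP_POLICY if sgt else 0)
    return struct.pack("!BBH", flags, 0, sgt) + vni.to_bytes(3, "big") + b"\x00"


def encapsulate(inner_frame: bytes, src_rloc: str, dst_rloc: str, vni: int, sgt: int) -> bytes:
    """Wrap an Ethernet frame for transport between two RLOC loopbacks.
    Outer MACs are constructed placeholders standing in for next-hop resolution."""
    payload = vxlan_header(vni, sgt) + inner_frame
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, UDP_LEN + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, OUTER_IPV4_LEN + len(udp), 0, 0x4000, 64, 17, 0,
                     ipaddress.IPv4Address(src_rloc).packed, ipaddress.IPv4Address(dst_rloc).packed)
    return b"\x00\x00\x5e\x00\x01\x02" + b"\x00\x00\x5e\x00\x01\x01" + b"\x08\x00" + ip + udp


def decapsulate(packet: bytes) -> tuple:
    """Return (src_rloc, dst_rloc, vni, sgt, inner_frame); raise on anything malformed."""
    if len(packet) < vxlan_overhead() or packet[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 packet")
    ip = packet[OUTER_ETH_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:
        raise ValueError("outer protocol is not UDP")
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    udp = ip[ihl:]
    if struct.unpack("!H", udp[2:4])[0] != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port is not VXLAN")
    vx = udp[UDP_LEN:]
    flags, _, group_id = struct.unpack("!BBH", vx[:4])
    if not flags & FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag clear, VNI not valid")
    vni = int.from_bytes(vx[4:7], "big")
    sgt = group_id if flags & FLAG_GROUP_POLICY else 0
    return src, dst, vni, sgt, vx[VXLAN_LEN:]


def round_trip(inner_ip_len: int = 1500) -> dict:
    """Encapsulate a maximum-size host frame and report sizes and recovered context."""
    inner_frame = bytes(14) + bytes(inner_ip_len)          # constructed Ethernet frame
    packet = encapsulate(inner_frame, "192.168.200.254", "192.168.200.1", vni=10, sgt=100)
    src, dst, vni, sgt, recovered = decapsulate(packet)
    return {"outer_frame_len": len(packet), "outer_ip_len": len(packet) - OUTER_ETH_LEN,
            "fits_1500": fits_underlay(inner_ip_len, 1500), "fits_9100": fits_underlay(inner_ip_len, 9100),
            "vni": vni, "sgt": sgt, "intact": recovered == inner_frame, "path": (src, dst)}


if __name__ == "__main__":
    for key, value in round_trip().items():
        print(f"{key:>16}: {value}")
```

With a 1500-byte host IP packet the outer IP packet is 1550 bytes, which is exactly why an underlay left at 1500 drops or fragments fabric traffic while the 9100 recommended later on the "Prepping the Switch" slide carries it with room to spare.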

Underlay Networks

Campus Fabric runs over arbitrary topologies:
- Traditional 3-tier hierarchical network
- Collapsed core/aggregation designs
- Routed access
- U-topology
Ensure that all switches have IP reachability to infrastructure elements. The ideal design is routed access, which allows the fabric to extend to the very edge of the campus network. Strong recommendation to follow the campus CVDs with routed access.
(Slide diagrams: 3-Tier Hierarchical (L2/L3), Collapsed Core (L2), Routed Access (L3), U-Topology (L2))

Overlay Network

The assumption is that the underlay network provides routing and IP connectivity. The Campus Fabric configuration defines:
- Overlay IP space
- Segmentation context: VRF and SGT
- Mobility (map database updates)

IP Addressing for Overlay and Underlay

- Know your IP addressing and IP scale requirements
- Best to use a single aggregate for all Underlay links and loopbacks
- IPv4 only (today)
- The Fabric uses a Loopback as the source interface for encapsulation
(Slide diagram: Underlay Network with loopbacks 10.10.10.254/32, 10.10.10.253/32, 10.10.10.252/32 and links 10.10.10.0/30, 10.10.10.4/30; Overlay Network with 192.168.1.1/32 and 192.168.1.2/32)

Virtual Networks

- RLOC/Underlay connectivity is in the Global Routing Table
- Loopback interfaces for management are in their own VN (Default)
- Other VNs can be used for segmentation of users, devices, roles, and others
- Scalable Group Tags (SGTs) can be used for further access control within a VN
The CORPORATE VN is shown in this slide deck as an example. Similar steps can be followed for the other VNs shown.
(Slide diagram: fabric scope of management covering the USERS #2, CORPORATE and Management Access user VRFs, with the RLOC/Underlay Default GRT at the Border)

Getting Started Services Location Considerations

Location of Shared Services Infrastructure

- Campus Fabric leverages traditional infrastructure services
- IP reachability from underlay/overlay to DNS, DHCP, etc. is required
- Services may be hosted inside or outside the Campus Fabric
- Other infrastructure services include AAA, LDAP/AD, syslog server, NetFlow collector and 3rd-party monitoring systems
(Slide diagram: DHCP Server, NTP Server)

Location of Shared Services Infrastructure

- Could be in the campus distribution block or campus core for small commercial or enterprise deployments
- Larger deployments have infrastructure services hosted in the Data Centre
- A hybrid model is also possible (mix of distribution / core / Data Centre)
(Slide diagrams: Infrastructure Services at Distribution and at Core for a Small Commercial / Enterprise Deployment; Infrastructure Services in the Data Centre for a Large Enterprise Deployment)

Know What is Connecting to the Existing Network

- Deploy ISE and StealthWatch
- Turn on device sensor on the switches, and Flexible NetFlow
- Turn on profiling on ISE
Questions to answer:
- What devices connect to the network?
- What should they be doing?
- What are they actually doing?
- From where do they connect into the network?
This data will be useful in determining the segmentation policy in Campus Fabric.
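What "useful in determining the segmentation policy" looks like in practice is joining the two data sets the slide asks for: the group ISE profiling assigns to each endpoint, and the flows NetFlow reports. The following is an added example, not code from the deck or from Cisco: it builds the observed group-to-group traffic matrix from a few constructed NetFlow-style records and a constructed ISE-style profile table, then lists every observed (source group, destination group, port) that an intended policy would not allow, which is the list to resolve before SGT enforcement is switched on. Group names, the record layout and the policy are assumptions for the example.

```python
"""Added example, not from the deck or from Cisco: derive a first-cut
segmentation policy check from profiling (endpoint -> group) and
NetFlow-style records.  All inputs are constructed samples."""
import ipaddress
from collections import defaultdict

# Constructed ISE-style profiling result: endpoint address -> group
PROFILES = {
    "10.2.3.10": "Employee",
    "10.2.3.11": "Employee",
    "10.2.9.5": "Camera",
    "10.1.7.1": "NVR",
    "10.1.5.252": "Shared_Services",
}

# Constructed NetFlow-style export: src,dst,proto,dport,bytes
FLOWS = """\
10.2.3.10,10.1.5.252,udp,53,180
10.2.3.11,10.1.5.252,udp,123,76
10.2.3.10,10.2.9.5,tcp,22,4096
10.2.9.5,10.1.7.1,tcp,554,918273
10.2.9.5,93.184.216.34,tcp,443,12000
10.2.3.99,10.1.5.252,udp,53,150
"""

# Intended policy (assumption): (source group, destination group) -> allowed destination ports
ALLOWED = {
    ("Employee", "Shared_Services"): {53, 67, 123},
    ("Employee", "Internet"): {80, 443},
    ("Camera", "NVR"): {554},
}


def group_of(ip: str, profiles: dict = PROFILES) -> str:
    """Profiled group; otherwise Unknown for an internal address, Internet for a public one."""
    if ip in profiles:
        return profiles[ip]
    return "Unknown" if ipaddress.ip_address(ip).is_private else "Internet"


def parse_flows(text: str = FLOWS) -> list:
    """Parse the comma-separated export into records; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, nbytes = line.split(",")
        records.append({"src": src, "dst": dst, "proto": proto,
                        "dport": int(dport), "bytes": int(nbytes)})
    return records


def observed_matrix(records: list, profiles: dict = PROFILES) -> dict:
    """(source group, destination group) -> destination ports actually seen."""
    matrix = defaultdict(set)
    for r in records:
        matrix[(group_of(r["src"], profiles), group_of(r["dst"], profiles))].add(r["dport"])
    return dict(matrix)


def policy_violations(matrix: dict, allowed: dict = ALLOWED) -> list:
    """Observed (src group, dst group, port) triples the intended policy would block:
    each is either a gap in the policy or behaviour to investigate before enforcing."""
    out = []
    for (src_g, dst_g), ports in matrix.items():
        for port in ports:
            if port not in allowed.get((src_g, dst_g), set()):
                out.append((src_g, dst_g, port))
    return sorted(out)


if __name__ == "__main__":
    m = observed_matrix(parse_flows())
    for pair, ports in sorted(m.items()):
        print(f"{pair[0]:>16} -> {pair[1]:<16} ports {sorted(ports)}")
    print("not allowed by intended policy:", policy_violations(m))
```

On the sample data the unprofiled endpoint (10.2.3.99) surfaces as an Unknown group talking to shared services, which is the "what devices connect" question showing up as a concrete row to chase before it gets a tag.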

Deployments: Campus Networks and Branch Networks

Campus Network (slide diagram): WAN Block (MPLS, I-NET, Branch IWAN), DC Block (DC IWAN), Internet Block, Services Block (DDI); Super Core, Core and Aggregation Layers; legend: Layer-2 Link, Layer-3 Link.

Branch Network (slide diagram): WAN (MPLS, I-NET, Branch IWAN) and DDI services on a Collapsed Core with an Access Layer.

Approaches to Migration
1. Parallel Install
2. Migrating One Switch at a Time

Parallel Install Option: Conditions and Advantages

- May work in Branch deployments
- Sufficient cable runs exist in the current networking plan
- Sufficient power and outlets exist in the current power plan
- The existing brownfield network has legacy hardware; most of the wired network is upgraded
- Option of redesigning IP networks from scratch instead of continuing the complexities of the legacy network
- The advantage lies in testing users on the entire new network prior to full migration of the entire site
- During migration, users with problems but immediate access needs can be moved back to the old network, allowing them to continue their work while troubleshooting is performed on the Campus Fabric network

Migrate One Switch at a Time Option: Conditions and Advantages

- Works in both Campus and Branch deployments
- Needs an extra couple of fibre runs to the distribution switch
- Sufficient power and a couple of outlets are needed in the current power plan
- The existing brownfield network has legacy hardware; some of the wired network is upgraded
- Switch-by-switch upgrade of certain layers of the network is possible
- The legacy IP design has to be continued to reduce downtime
- During migration, users with problems but immediate access needs can be moved back to the old network, allowing them to continue their work while troubleshooting is performed on the Campus Fabric network

Parallel Install Option for Campus Networks (slide diagram): the new fabric is built alongside the existing WAN, DC and Internet blocks (MPLS, I-NET, Branch IWAN, DC IWAN, DDI).

Parallel Network Option for Branch Networks (slide diagram): the new fabric is built alongside the existing branch WAN (MPLS, I-NET, Branch IWAN) and DDI services.

Hardware Refresh vs. Software Reconfigure

Two scenarios for migration to Campus Fabric:
- Hardware Refresh: the existing network consists of switches that need a hardware upgrade, since they do not support Campus Fabric. Example: 3750X, 2960X, 4500E SUP7-E in the access.
- Software Reconfigure: the existing network consists of switches that are compatible with Campus Fabric and just need a software upgrade and reconfiguration. Example: 3850, 4500E SUP-8E in the access.

Access Network Designs

Multi-layer L2 Access: will address the hardware refresh scenario.

Layer-2 Access Network (slide diagram): WAN Block (MPLS, I-NET, Branch IWAN), DC Block (DC IWAN), Internet Block, Services Block (DDI); Super Core (4), Core (3), Aggregation Layer (2), Aggregation Layer (1). The numbers mark the layers referred to on the following slides.

Connecting the Fabric External Border

- If the current Core platform supports Fabric External Border functionality: convert one of the Core switches into the External Border.
- If the current Core platform does not support Fabric functionality, or there is a strong desire not to touch the Core layer in the existing network: add a Border platform switch and connect it to the Core layer. Choose a platform that can be re-purposed as a dedicated Control Plane Node (if needed).
In this example, we will add a Fabric External Border switch and connect it to the SuperCore layer (4).

Connecting the First Fabric Edge

Where the first Fabric Edge connects depends on across which layer in the network the VLANs are being spanned: Aggregation, Core, or sometimes even SuperCore. The first Fabric Edge switch connects to where the VLANs are being aggregated. Example: if VLANs are NOT being spanned across the Core layer, connect the first Fabric Edge switch at Aggregation; if the VLANs ARE being spanned across the Aggregation layer, connect the first Fabric Edge switch at Core, and so on.
In this example, we will assume that VLANs are being spanned across the Access layer, so the Fabric Edge switch is attached to the aggregation switch (2).

Getting Started Steps

(Slide diagram: Edge Node 192.168.200.254/32 and Border/Control Plane Node 192.168.200.1/32 across the IP Network, with the External Network beyond the Border)
- Connect a switch to the Core layer that will act as the External Border
- Host the Control Plane function on the External Border for simplicity
- Add a switch in the distribution layer that will act as the Fabric Edge
- Integrate the switch into the existing network in a Routed Access design. IS-IS is the recommended option for Fabric networks, but any IGP could do.
- APIC-EM PnP can be used for Day Zero operations to integrate the switch.

Layer-2 Access Network, Simplified View (slide diagram): WAN block (MPLS, I-NET, Branch IWAN), DC block (DC IWAN), Internet and DDI services.

Migration @ Work, Simplified View (slide diagram sequence):
1. A Fabric Edge Node and a combined Control/External Border Node are added to the existing network.
2. A second Control/External Border Node is added.
3. Internal Borders and further Fabric Edge Nodes are added alongside the two Control/External Border Nodes.
4. End state: Internal Borders, External Borders, dedicated Control Plane Nodes and Fabric Edge Nodes.

Prepping the Switch

Do not forget to set the following on the Fabric nodes and the other nodes in the underlay:
- Set the MTU to 9100 on the switch and in the existing network
- Configure ip routing
- Set a username and password for device access
- Configure VTY and console lines for device access
- Configure NTP
- Configure SNMP and syslog
- Configure Loopback0 (/32) for the RLOC, another interface for Management, and the underlay IP addresses

Getting Started Steps: Underlay IS-IS Configuration (Edge Node 192.168.200.254/32, Border/Control Plane Node 192.168.200.1/32)

  router isis
   passive-interface Loopback0
   net 49.0001.XXXX.XXXX.XXXX.00
   is-type level-2-only
   ispf level-2
   log-adjacency-changes
   metric-style wide level-2
   no hello padding
   authentication mode md5 level-2
   authentication key-chain ON
  !
  interface GigabitEthernet x/x
   ip router isis
   isis network point-to-point
   isis metric <metric> level-2
   isis circuit-type level-2-only
   isis authentication mode md5 level-2
   isis authentication key-chain ON
   carrier-delay ms 0
   dampening

Fabric Configuration on the Edge Node (Edge Node 192.168.200.254/32, Border/Control Plane Node 192.168.200.1/32)

  router lisp
   encapsulation vxlan
   locator-table default
   locator-set rloc_sjc18
    IPv4-interface Loopback0 priority 10 weight 10
    exit
   !
   disable-ttl-propagate
   ipv4 sgt
   ipv4 use-petr 192.168.200.1
   ipv4 itr map-resolver 192.168.200.1
   ipv4 itr
   ipv4 etr map-server 192.168.200.1 key cisco
   ipv4 etr
   exit

Border and Control Plane Configuration (Border/Control Plane Node 192.168.200.1/32)

  router lisp
   encapsulation vxlan
   locator-table default
   locator-set border
    IPv4-interface Loopback0 priority 10 weight 10
    exit
   !
   disable-ttl-propagate
   ipv4 map-server
   ipv4 map-resolver
   ipv4 sgt
   ipv4 proxy-etr
   ipv4 proxy-itr 192.168.200.1
   ipv4 itr map-resolver 192.168.200.1
   ipv4 etr map-server 192.168.200.1 key cisco
   ipv4 etr
   exit
  !
  router lisp
   site site_uci
    authentication-key cisco
    exit
   ipv4 map-server
   ipv4 map-resolver
   exit

VRF Configuration on Edge and Border

  ip vrf CORPORATE
   rd 1:1
   route-target export 1:1
   route-target import 1:1

Configure L2 VLAN and SVI at the Edge Node

  vlan 3
   name Corporate_Users
  !
  ip dhcp snooping
  ip dhcp snooping vlan 3
  !
  device-tracking tracking
  !
  interface Vlan3
   ip vrf forwarding CORPORATE
   ip dhcp relay source-interface Loopback0
   ip address 10.2.3.254 255.255.255.0
   ip helper-address global 10.1.5.252
   no ip redirects
   ip local-proxy-arp
   ip route-cache same-interface
   logging event link-status
   load-interval 30
   lisp mobility CORPORATE_10_2_3_0
   shutdown

Adding EID Space on the Edge Node

  router lisp
   locator-table default
   locator-set rloc_sjc18
   eid-table vrf CORPORATE instance-id 10
    dynamic-eid CORPORATE_10_2_3_0
     database-mapping 10.2.3.0/24 locator-set rloc_sjc18
     exit

Adding EID Space on the Border/Control Plane Node

  router lisp
   eid-table vrf CORPORATE instance-id 10
    map-cache 10.2.3.0/24 map-request
    exit
   !
   site site_uci
    authentication-key cisco
    eid-prefix instance-id 10 10.2.3.0/24 accept-more-specifics
    exit

Exporting Fabric Prefixes to the External Network

- Only export Fabric prefixes (overlay) to the External network
- No need to import External prefixes into the Fabric, since the Border acts as the default for unknown destinations
- The External network needs a route to direct traffic back to the Fabric prefixes
- The recommended choice for exchanging routing information is eBGP

Why BGP?

- BGP has built-in loop prevention features like AS_PATH to break loops
- Simple to keep routes distributed between Global Routing and Virtual Networks
- If an IGP is used, then route-maps, distribute-lists and IP ACLs need to be maintained; failure to maintain them might cause routing loops in the network
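The AS_PATH argument is easy to demonstrate. The following is an added example, not code from the deck or from Cisco: a prefix originated by the fabric border is handed round a ring of eBGP neighbours, and each speaker applies the standard check of rejecting any update whose AS_PATH already contains its own AS, so the prefix dies the moment it arrives back at the originating AS. The same ring with plain IGP mutual redistribution has no path attribute to consult and keeps accepting the prefix until an explicit filter is configured, which is the maintenance burden the slide warns about. AS numbers 65001/65002 and 10.2.3.0/24 are the deck's sample values; 65003 and the ring topology are constructed.

```python
"""Added example, not from the deck or from Cisco: AS_PATH loop prevention
versus filterless IGP redistribution, on a constructed ring of three
routing domains.  65001/65002 and 10.2.3.0/24 come from the deck's samples."""


def bgp_accept(local_as: int, as_path: list) -> bool:
    """Standard eBGP loop check: drop the route if our own AS is already in the path."""
    return local_as not in as_path


def bgp_advertise(local_as: int, as_path: list) -> list:
    """eBGP prepends the local AS before sending an update to a neighbour."""
    return [local_as] + as_path


def walk_bgp(ring: list, prefix: str) -> dict:
    """Originate `prefix` at ring[0] and pass it round the ring until a speaker
    refuses it.  More passes than ASes are attempted, to show that it stops."""
    as_path = [ring[0]]
    accepted = []
    for hop in range(1, len(ring) * 2):
        receiver = ring[hop % len(ring)]
        if not bgp_accept(receiver, as_path):
            return {"prefix": prefix, "accepted_by": accepted,
                    "dropped_at": receiver, "as_path": as_path}
        accepted.append(receiver)
        as_path = bgp_advertise(receiver, as_path)
    return {"prefix": prefix, "accepted_by": accepted, "dropped_at": None, "as_path": as_path}


def walk_igp(ring: list, prefix: str, filters: dict = None, max_hops: int = 50) -> dict:
    """Same ring with mutual redistribution and no path attribute.  `filters`
    maps a router to the prefixes its inbound distribute-list denies; without
    one the prefix circulates until the hop budget runs out."""
    filters = filters or {}
    accepted = []
    for hop in range(1, max_hops + 1):
        receiver = ring[hop % len(ring)]
        if prefix in filters.get(receiver, set()):
            return {"prefix": prefix, "accepted_by": accepted, "dropped_at": receiver, "looped": False}
        accepted.append(receiver)
    return {"prefix": prefix, "accepted_by": accepted, "dropped_at": None, "looped": True}


if __name__ == "__main__":
    ring = [65001, 65002, 65003]
    print("BGP:", walk_bgp(ring, "10.2.3.0/24"))
    print("IGP, no filter:", walk_igp(ring, "10.2.3.0/24")["looped"])
    print("IGP, filter at 65001:", walk_igp(ring, "10.2.3.0/24", {65001: {"10.2.3.0/24"}}))
```

The IGP run only stops because a filter was written for that exact prefix on that exact router; add a second border or a second VN and the list of filters to maintain grows with it, whereas the BGP check needs no per-prefix state.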

Advertising Fabric Prefixes to the External Network - BGP (on the Border/Control Plane Node)

  router lisp
   locator-table default
   !
   eid-table vrf CORPORATE instance-id 10
    ipv4 route-export site-registrations
    ipv4 map-cache site-registration
    exit
  !
  router bgp 65001
   address-family ipv4 vrf CORPORATE
    redistribute lisp metric 10
    aggregate-address 10.2.3.0 255.255.255.0 summary-only
    neighbor 192.168.1.254 remote-as 65002
    neighbor 192.168.1.254 activate
    exit

Advertising Fabric Prefixes to the External Network - OSPF (on the Border/Control Plane Node)

  router lisp
   locator-table default
   !
   eid-table vrf CORPORATE instance-id 10
    ipv4 route-export site-registrations
    ipv4 map-cache site-registration
    exit
  !
  router ospfv3 123
   !
   address-family ipv4 unicast vrf CORPORATE
    summary-prefix 10.2.3.0/24
    redistribute lisp metric 10
   exit-address-family
  !
  interface Vlan4090
   ip vrf forwarding CORPORATE
   ip address 192.168.1.253 255.255.255.0
   ip ospf network point-to-point
   ip ospf mtu-ignore
   ipv6 enable
   ospfv3 123 ipv4 area 0
  end

Use a route filter in the global instance to filter incoming fabric prefixes. This prevents the underlay from learning fabric prefixes.

Advertising Fabric Prefixes to the External Network - OSPF (on the External Network router)

  interface GigabitEthernet0/0/4.4090
   encapsulation dot1q 4090
   ip address 192.168.1.254 255.255.255.0
   ip ospf network point-to-point
   ip ospf mtu-ignore
   ipv6 enable
   ospfv3 123 ipv4 area 0
  end
  !
  router ospfv3 123
   !
   address-family ipv4 unicast
   exit-address-family

Layer-2 Connection from the Existing Network

Layer-2 connection between the existing VLAN and the VLAN in the Fabric (slide diagrams: Edge Node 192.168.200.254/32, Distribution Switch, Border/Control Plane Node 192.168.200.1/32, External Network):
1. Connect the Edge node and the existing Distribution switch on a Trunk Port. Allow only VLAN003 for now.
2. Shut down the SVI of VLAN003 on the Aggregation switches in the existing network.
3. No shutdown on the SVI VLAN3 on the Fabric Edge switch.

Moving the SVI from Distribution to Fabric Edge (slide diagram): SVI 003 moves from the Distribution Layer to the Fabric Edge, which acts as the funnel node for the Access Layer switches.

4. VLAN003 gets integrated into the fabric. All ingress traffic from endpoints in VLAN003 now enters the fabric via the Edge node and exits via the Border node.
5. Perform similar configuration of the other VLANs and SVIs on the Fabric Edge node. Shut down the SVI of the other VLANs on the existing Distribution switches, and no shutdown the respective SVI on the Fabric Edge to funnel all VLAN traffic to it.
6. Add a new Fabric Edge switch in the access layer (New Edge Node 192.168.200.2/32). Connect it to the Distribution layer with Routed Access, with its own Loopback0. Copy the Fabric Edge configuration from the previous Fabric Edge, including the VLAN X / SVI X configuration as is, and paste it onto the new Fabric Edge switch.
7. Configure the access ports in their VLANs similar to the legacy switch. Move all the physical connections from the legacy switch to the new Fabric Edge. Decommission the legacy switch from the existing network.

Add a Second External Border/Control Plane Node

(Slide diagram: Edge Node 192.168.200.2/32, Border/Control Plane Nodes 192.168.200.1/32 and 192.168.200.3/32, External Network)
Add or upgrade a second switch or router as the Border/Control Plane node for redundancy. Modify the configurations on all the Fabric Edge nodes to add the second Border/Control Plane node.

Migration @ Work, Simplified View (slide diagram): WAN block (MPLS, I-NET, Branch IWAN), DC block (DC IWAN), Internet and DDI services.

Add Internal Border Nodes as Necessary

(Slide diagram: Edge Node 192.168.200.2/32; Internal Border(s) 192.168.200.22/32 towards the WAN / Branch and 192.168.200.23/32 towards the Datacentre WAN)
Add or upgrade Internal Border nodes in the Fabric.

Campus Fabric Border Nodes

- Internal Border: connects the Campus Fabric to known networks, i.e. other fabric or non-fabric domains in the same company network. These known networks are generally the WAN, DC, Shared Services, etc. Responsible for advertising prefixes from and to the local fabric domain and the external domain.
- External Border: connects the Campus Fabric to unknown networks. These unknown networks are generally the Internet and Cloud. Responsible only for advertising prefixes from the local fabric domain to the external domain.

Why Internal Border?

(Slide diagrams: first a single External Border / Control Plane Node 192.168.200.1/32 serving Edge Node 192.168.200.2/32, the External Network, the WAN / Branch and the Datacentre WAN; then separate Internal Borders for the WAN / Branch and for the Datacentre WAN)
- Flexibility in choosing different platforms for Border functionality than for the External Border
- Can have any number of Internal Borders, independent of the number of External Borders (depends on the network design)

Routing on the Internal Borders
(Figure: Edge Node 192.168.200.2/32; IP Network; Internal Border 192.168.200.22/32 towards the WAN Branch; Internal Border 192.168.200.23/32 towards the Datacentre WAN)
- Routing needs to be configured on the Internal Borders to:
  - Advertise Fabric overlay prefixes outside, to the rest of the network
  - Redistribute known network prefixes into the fabric
- Use a route filter in the global instance to filter incoming fabric prefix routes
- This prevents the underlay from learning fabric prefixes, and VRFs from learning other VRFs' routes

Internal Border Routing: Advertise from LISP into BGP
(Figure: Edge Node 192.168.200.2/32; IP Network; Internal Border 192.168.200.22/32 towards the WAN Branch)
  router lisp
   locator-table default
   !
   eid-table vrf CORPORATE instance-id 10
    ipv4 route-export site-registrations
    ipv4 distance site-registrations 250
    ipv4 map-cache site-registration
   exit
  !
  router bgp 65003
   address-family ipv4 vrf CORPORATE
    redistribute lisp metric 10
    aggregate-address 10.2.3.0 255.255.255.0 summary-only
    neighbor 192.168.2.254 remote-as 65004
    neighbor 192.168.2.254 activate
   exit

Internal Border Routing: Advertise from BGP into LISP
(Figure: Edge Node 192.168.200.2/32; IP Network; Internal Border 192.168.200.22/32 towards the WAN Branch)
  router lisp
   locator-table default
   locator-set border
    IPv4-interface Loopback0 priority 10 weight 10
   !
   eid-table vrf CORPORATE instance-id 10
    ipv4 route-import database bgp 65003 locator-set border
   exit
  !

Internal Border Routing: Advertise from LISP into OSPF
(Figure: Edge Node 192.168.200.2/32; IP Network; Internal Border 192.168.200.22/32 towards the WAN Branch)
  router lisp
   locator-table default
   !
   eid-table vrf CORPORATE instance-id 10
    ipv4 route-export site-registrations
    ipv4 distance site-registrations 250
    ipv4 map-cache site-registration
   exit
  !
  router ospfv3 123
   !
   address-family ipv4 unicast vrf CORPORATE
    summary-prefix 10.2.3.0/24
    redistribute lisp metric 10
    distribute-list 2 in
   exit-address-family

Internal Border Routing: Importing from OSPF into LISP
(Figure: Edge Node 192.168.200.2/32; IP Network; Internal Border 192.168.200.22/32 towards the WAN Branch)
  router lisp
   locator-set int_border
   locator-table default
   !
   eid-table vrf CORPORATE instance-id 10
    ipv4 route-import database ospfv3 123 locator-set int_border
    ipv4 distance site-registrations 250
   exit

Internal Border Routing: Importing from EIGRP into LISP
(Figure: Edge Node 192.168.200.2/32; IP Network; Internal Border 192.168.200.22/32 towards the WAN Branch)
  router lisp
   locator-set int_border
   locator-table default
   !
   eid-table vrf CORPORATE instance-id 10
    ipv4 route-import database eigrp 65535 locator-set int_border
    ipv4 distance site-registrations 250
   exit

Shared Resources
(Figure: Edge Node 192.168.200.2/32; IP Network; Internal Border 192.168.200.22/32 towards the shared services, DDI and ISE/AD)
Internal Border, LISP side:
  router lisp
   encapsulation vxlan
   locator-set int_border
   exit
   !
   eid-table vrf CORPORATE instance-id 10
    ipv4 route-import database eigrp 65535 locator-set int_border
    ipv4 route-export site-registrations
    ipv4 distance site-registrations 250
    ipv4 map-cache site-registration
   exit

Internal Border, EIGRP side (VRF CORPORATE, 192.168.2.253 facing the shared-services router):
  router eigrp 65535
   !
   address-family ipv4 vrf CORPORATE
    redistribute lisp metric 10000 1 255 1 9100
    network 192.168.2.253 0.0.0.0
    autonomous-system 65535
   exit-address-family
  !

Shared-services router (192.168.2.254):
  router eigrp 65535
   network 192.168.2.254 0.0.0.0

External Border for Single Entry/Exit Point
(Figure: Fabric Edge Nodes; External Border Node advertising routes from the Fabric to the External Router; DDI, MPLS, I-NET and Branch IWAN beyond it)

Distribute Control Plane Node from External Border
(Figure: Edge Node 192.168.200.2/32; IP Network; Control Plane nodes 192.168.200.1/32 and 192.168.200.3/32; External Border/s 192.168.200.25/32; Internet Router)
Control Plane node:
  router lisp
   encapsulation vxlan
   locator-table default
   locator-set msmr
    IPv4-interface Loopback0 priority 10 weight 10
   exit
   !
   eid-table vrf CORPORATE instance-id 10
    ipv4 route-export site-registrations
    ipv4 distance site-registrations 250
   exit

Distribute Control Plane Node from External Border (continued)
(Figure: Edge Node 192.168.200.2/32; IP Network; Control Plane nodes 192.168.200.1/32 and 192.168.200.3/32; External Border/s 192.168.200.25/32; Internet Router)
Control Plane node, site definition (continuing under router lisp):
   site site_uci
    description map-server configured from apic-em
    authentication-key uci
    eid-prefix instance-id 10 0.0.0.0/0 accept-more-specifics
    eid-prefix instance-id 10 10.2.3.0/24 accept-more-specifics
   exit
   !
   ipv4 map-server
   ipv4 map-resolver
  exit

Advertise LISP into BGP on Control Plane Node
(Figure: Edge Node 192.168.200.2/32; IP Network; Control Plane nodes 192.168.200.1/32 and 192.168.200.3/32; External Border/s 192.168.200.25/32; Internet Router)
Set up an iBGP session between the Control Plane node and the External Border (192.168.200.25):
  router bgp 65002
   bgp log-neighbor-changes
   neighbor 192.168.200.25 remote-as 65002
   neighbor 192.168.200.25 update-source lo0
   !
   address-family vpnv4
    neighbor 192.168.200.25 activate
    neighbor 192.168.200.25 send-community both
   exit-address-family
   !
   address-family ipv4 vrf CORPORATE
    aggregate-address 10.2.3.0 255.255.255.0 summary-only
    redistribute lisp metric 10
   exit-address-family

Control Plane node definition on Border
(Figure: Edge Node 192.168.200.2/32; IP Network; Control Plane nodes 192.168.200.1/32 and 192.168.200.3/32; External Border/s 192.168.200.25/32; Internet Router)
  router lisp
   ipv4 proxy-etr
   ipv4 proxy-itr 192.168.200.25
   ipv4 itr map-resolver 192.168.200.3
   ipv4 itr map-resolver 192.168.200.1
   ipv4 etr map-server 192.168.200.3 key cisco
   ipv4 etr map-server 192.168.200.1 key cisco
   ipv4 etr
  exit

iBGP with Control Plane Node on Border
(Figure: Edge Node 192.168.200.2/32; IP Network; Control Plane nodes 192.168.200.1/32 and 192.168.200.3/32; External Border/s 192.168.200.25/32; Internet Router)
Set up iBGP sessions between the External Border and both Control Plane nodes (192.168.200.1 and 192.168.200.3):
  router bgp 65002
   bgp log-neighbor-changes
   neighbor 192.168.200.1 remote-as 65002
   neighbor 192.168.200.1 update-source Loopback0
   neighbor 192.168.200.3 remote-as 65002
   neighbor 192.168.200.3 update-source Loopback0
   !
   address-family vpnv4
    neighbor 192.168.200.1 activate
    neighbor 192.168.200.1 send-community both
    neighbor 192.168.200.3 activate
    neighbor 192.168.200.3 send-community both
   exit-address-family

Import LISP routes from iBGP on Border
(Figure: Edge Node 192.168.200.2/32; IP Network; Control Plane nodes 192.168.200.1/32 and 192.168.200.3/32; External Border/s 192.168.200.25/32; Internet Router)
  router lisp
   encapsulation vxlan
   locator-set border
    IPv4-interface Loopback0 priority 10 weight 10
   exit
   !
   eid-table vrf CORPORATE instance-id 10
    ipv4 route-import map-cache bgp 65002
   exit

Distribute Control Plane Node from External Border (continued)
(Figure: Edge Node 192.168.200.2/32; IP Network; Control Plane nodes 192.168.200.1/32 and 192.168.200.3/32; External Border/s 192.168.200.25/32; Internet Router)
- Redistribute BGP into the IGP at the external router to advertise the fabric prefixes to the external network

Distribute Control Plane Node from External Border (continued)
(Figure: Edge Node 192.168.200.2/32; IP Network; Control Plane nodes 192.168.200.1/32 and 192.168.200.3/32; External Borders 192.168.200.25/32 and 192.168.200.26/32; Internet Router)
- If multiple Borders are used to redistribute fabric prefixes into the external network, use an eBGP session towards the external router so that AS-path loop detection breaks redistribution loops dynamically
- Otherwise use distribute-lists with IP ACLs, which carry a maintenance overhead (every fabric prefix has to be kept in the ACL)
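The route filter asked for on the "Routing on the Internal Borders" slide and the two-border loop described here can be checked with a small model. The following Python is an added example for this page, not part of the session or of any Cisco code. It assumes a fabric BGP AS of 65002 and an external AS of 65001 (the slides use several AS numbers), takes the EID prefix 10.2.3.0/24 and VRF CORPORATE from the slides, and invents a VRF GUEST to show cross-VRF filtering; the Route and PrefixList types are this example's own.

```python
"""Model of two border controls: an IOS-style prefix filter that keeps
fabric EID prefixes out of the underlay global table and out of other VRFs,
and the eBGP AS_PATH check that breaks a two-border redistribution loop.
Added example; AS numbers and VRF GUEST are assumptions, see lead-in."""
from dataclasses import dataclass
from ipaddress import IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    as_path: tuple = ()          # leftmost AS is the most recently traversed


def route(prefix: str, *as_path: int) -> Route:
    return Route(IPv4Network(prefix), tuple(as_path))


class PrefixList:
    """Entries are (network, ge, le, permit), evaluated in order, with the
    implicit deny an IOS prefix-list has at the end."""

    def __init__(self, entries):
        self.entries = [(IPv4Network(n), ge, le, permit)
                        for n, ge, le, permit in entries]

    def permits(self, prefix) -> bool:
        if not isinstance(prefix, IPv4Network):
            prefix = IPv4Network(prefix)
        for net, ge, le, permit in self.entries:
            if prefix.subnet_of(net) and ge <= prefix.prefixlen <= le:
                return permit
        return False


def fabric_eid_filter(eid_prefixes) -> PrefixList:
    """Deny each registered EID prefix and everything more specific (host
    routes exported from site registrations are /32s), permit the rest."""
    deny = [(p, IPv4Network(p).prefixlen, 32, False) for p in eid_prefixes]
    return PrefixList(deny + [("0.0.0.0/0", 0, 32, True)])


def vrf_leak_filter(vrf: str, eids_by_vrf: dict) -> PrefixList:
    """Inbound filter for one VRF: deny the EID prefixes of every other VRF."""
    others = [p for v, ps in eids_by_vrf.items() if v != vrf for p in ps]
    return fabric_eid_filter(others)


def apply_inbound_filter(plist: PrefixList, routes):
    """Split received routes into (accepted, rejected) as the RIB would."""
    accepted = [r for r in routes if plist.permits(r.prefix)]
    rejected = [r for r in routes if not plist.permits(r.prefix)]
    return accepted, rejected


def ebgp_advertise(local_as: int, r: Route) -> Route:
    """An eBGP speaker prepends its own AS when advertising a route."""
    return Route(r.prefix, (local_as,) + r.as_path)


def ebgp_accept(local_as: int, r: Route) -> bool:
    """BGP loop detection: an update already carrying the receiver's AS is dropped."""
    return local_as not in r.as_path


def two_border_loop(fabric_as: int = 65002, external_as: int = 65001) -> bool:
    """Border A redistributes the fabric aggregate into eBGP; the external
    router passes it on to Border B, which sits in the same fabric AS.
    Returns True if B would re-import it (a loop), False if AS_PATH stops it."""
    aggregate = route("10.2.3.0/24")                 # result of "redistribute lisp"
    from_border_a = ebgp_advertise(fabric_as, aggregate)
    via_external = ebgp_advertise(external_as, from_border_a)
    return ebgp_accept(fabric_as, via_external)


if __name__ == "__main__":
    # Constructed sample: routes the underlay global table receives from outside.
    received = [route(p) for p in
                ("10.2.3.0/24", "10.2.3.10/32", "192.168.1.0/24", "0.0.0.0/0")]
    ok, dropped = apply_inbound_filter(fabric_eid_filter(["10.2.3.0/24"]), received)
    print("underlay accepts:", [str(r.prefix) for r in ok])
    print("underlay drops:  ", [str(r.prefix) for r in dropped])
    print("second border re-imports the fabric prefix via eBGP:", two_border_loop())
```

The `le 32` on each deny entry matters: with `ipv4 route-export site-registrations` the border can export host routes, so a filter that only matches the /24 would still let /32s back into the underlay. The AS_PATH check only works because the borders and the external router are in different AS numbers; with iBGP towards the external side the loop has to be broken by the static prefix filter instead.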

Redistribution From LISP to iBGP
  Control Plane Node: LISP Database -> Routing Information Base (RIB) -> iBGP
  Border Node: iBGP

Advertise from iBGP to eBGP to IGP
  Border Node: eBGP
  External Router: eBGP -> Routing Information Base (RIB) -> External Network Protocol

External Routes Exchange via eBGP on Border
  External Router: External Network Protocol -> Routing Information Base (RIB) -> eBGP
  Border Node: eBGP

Redistribution from IGP to eBGP (Internal Border)
  Control Plane Node: LISP Database -> iBGP
  Border Node: iBGP

Migration @ Work: Simplified View
(Figure: DDI, MPLS, I-NET, Branch IWAN, DC IWAN, Internet; Internal Borders, External Borders, two Control Plane Nodes, Fabric Edge Nodes)

Replace Legacy Access Switches in the Network
- Use the same procedure outlined on the previous slides (69-70) to add Fabric-enabled Edge switches while replacing the legacy switches in the network
- After all the legacy switches in that Distribution block have been replaced with Fabric-enabled Edge switches, remove the Fabric Edge connected to the Distribution switch and use it to migrate the second Distribution block, following the same procedure as outlined previously (slides 50-70)

Migration @ Work
(Figure: DDI, MPLS, I-NET, Branch IWAN, DC IWAN, Internet; Internal Borders, External Borders, Campus Fabric)

Routed Access Designs

Routed Access Network
(Figure: DDI, MPLS, I-NET, Branch IWAN, DC IWAN, Internet)

Considerations for Migrating Routed Access
- Routed Access designs are easier to migrate to Campus Fabric
- The supporting infrastructure (mainly DHCP) is already set up
- Routed Access is the building block for Campus Fabric
- The Loopback subnet that provides the RLOC addresses needs to be factored in
- IS-IS is the preferred routing protocol; the cut-over to it can be done later, keeping the existing IGP for now
- Once Campus Fabric is deployed there is an opportunity to consolidate the existing subnets into fewer, larger subnets


Simplified View
(Figure: Edge Node 192.168.200.2/32; IP Network; Border/Control Plane Node 192.168.200.1/32; External Network)
- Access switch as the Fabric Edge node
- Intermediate network reduced to "IP Network"
- The Fabric Border node is the router connecting to Internet services
- The Control Plane node can be one of the network devices or a CSR1Kv, as long as it is IP-reachable

Getting Started Steps
(Figure: Edge Node 192.168.200.2/32; IP Network; Border/Control Plane Node 192.168.200.1/32; External Network)
- Upgrade the software on one of the routers acting as the Border node
- Co-locate the Control Plane node function on the Border for simplicity
- Upgrade the software on the access switch
- IS-IS is the recommended option for Fabric networks, but any IGP will do

Prepping the Switch
(Figure: Edge Node 192.168.200.2/32; IP Network; Border/Control Plane Node 192.168.200.1/32; External Network)
Do not forget to set the following on the Edge node:
- Set the MTU to 9100 on the switch and on the existing network
- Configure Loopback0 (/32) and the underlay IP addresses

Fabric Configuration on Edge node
(Figure: Edge Node 192.168.200.2/32; IP Network; Border/Control Plane Node 192.168.200.1/32; External Network)
  router lisp
   encapsulation vxlan
   locator-table default
   locator-set rloc_sjc18
    IPv4-interface Loopback0 priority 10 weight 10
   exit
   !
   disable-ttl-propagate
   ipv4 sgt
   ipv4 use-petr 192.168.200.1
   ipv4 itr map-resolver 192.168.200.1
   ipv4 itr
   ipv4 etr map-server 192.168.200.1 key cisco
   ipv4 etr
  exit

Border and Control Plane Configuration
(Figure: Edge Node 192.168.200.2/32; IP Network; Border/Control Plane Node 192.168.200.1/32; External Network)
  router lisp
   encapsulation vxlan
   locator-table default
   !
   disable-ttl-propagate
   ipv4 map-server
   ipv4 map-resolver
   ipv4 sgt
   ipv4 proxy-etr
   ipv4 proxy-itr 192.168.200.1
   ipv4 itr map-resolver 192.168.200.1
   ipv4 etr map-server 192.168.200.1 key cisco
   ipv4 etr
  exit
  !
  router lisp
   site site_uci
    authentication-key cisco
   exit
   ipv4 map-server
   ipv4 map-resolver
  exit

VRF Configuration on Edge and Border
(Figure: Edge Node 192.168.200.2/32; IP Network; Border/Control Plane Node 192.168.200.1/32; External Network)
  ip vrf CORPORATE
   rd 1:1
   route-target export 1:1
   route-target import 1:1

Two options for defining Endpoint ID space
(Figure: Edge Node 192.168.200.2/32; IP Network; Border/Control Plane Node 192.168.200.1/32; External Network)
- Retain the same subnets as today
- Use net new subnets

Considerations of Retaining Existing EID structure
(Figure: Edge Node 192.168.200.2/32; IP Network; Border/Control Plane Node 192.168.200.1/32; External Network)
- No changes to existing DHCP scopes and subnet sizes
- No changes to existing firewall or other policies that are based on IP ACLs
- The old network design is retained, for familiarity
- Changes on the existing interfaces (SVIs) need to be reverted if moving back to the old network in case of issues

Considerations of Net new Endpoint ID structure
(Figure: Edge Node 192.168.200.2/32; IP Network; Border/Control Plane Node 192.168.200.1/32; External Network)
- Changes to existing DHCP scopes and subnet sizes
- Changes to existing firewall or other policies that are based on IP ACLs
- Re-IP the network based on the Campus Fabric design: fewer, but larger, subnets
- Reverting to the old network is as easy as re-assigning VLANs on the access ports: less impacting

Configure L2 VLAN and SVI at Edge Node
(Figure: Edge Node 192.168.200.2/32; IP Network; Border/Control Plane Node 192.168.200.1/32; External Network)
  vlan 3
   name Bldg18_1_Users
  !
  interface Vlan3
   ip vrf forwarding CORPORATE
   ip dhcp relay source-interface Loopback0
   ip address 10.2.3.254 255.255.255.0
   ip helper-address global 10.1.5.252
   no ip redirects
   ip local-proxy-arp
   ip route-cache same-interface
   logging event link-status
   load-interval 30
   lisp mobility CORPORATE_10_2_3_0

Adding EID space on Edge node
(Figure: Edge Node 192.168.200.2/32; IP Network; Border/Control Plane Node 192.168.200.1/32; External Network)
  router lisp
   locator-table default
   eid-table vrf CORPORATE instance-id 10
    dynamic-eid CORPORATE_10_2_3_0
     database-mapping 10.2.3.0/24 locator-set rloc_sjc18
   exit

Adding EID space on Border/Control Plane node
(Figure: Edge Node 192.168.200.2/32; IP Network; Border/Control Plane Node 192.168.200.1/32; External Network)
  router lisp
   locator-table default
   eid-table vrf CORPORATE instance-id 10
    map-cache 10.2.3.0/24 map-request
   exit
   !
   site site_uci
    authentication-key cisco
    eid-prefix instance-id 10 10.2.3.0/24 accept-more-specifics
   exit
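What the Border/Control Plane node does with the Edge node's registration of the dynamic EID above can be illustrated with a small model of the map-server. The following Python is an added example for this page, not Cisco's LISP implementation. The `site site_uci` stanza has two security-relevant parts: the authentication-key, which a registering ETR has to prove it knows, and the `eid-prefix ... accept-more-specifics` scope, which bounds what that site may register. The model authenticates a registration with an HMAC over (instance-id, EID prefix, RLOC) keyed with the site key, whereas real Map-Register messages carry an HMAC over the LISP message itself; the class and function names are this example's own, the site name, key "cisco", instance-id 10, EID prefix and RLOC 192.168.200.2 come from the slides, and 192.168.200.5 is an assumed second Edge node.

```python
"""Model of a LISP map-server site: authenticated registration, EID scope
check, and longest-prefix lookup of the host-tracking database.
Added example; see lead-in for what is assumed."""
import hashlib
import hmac
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Site:
    name: str
    key: str
    eid_prefixes: list      # (instance_id, prefix, accept_more_specifics)


def register_mac(key: str, instance_id: int, eid: str, rloc: str) -> str:
    """Keyed digest an ETR attaches to its registration (a stand-in for the
    Map-Register authentication data)."""
    msg = f"{instance_id}|{IPv4Network(eid)}|{IPv4Address(rloc)}".encode()
    return hmac.new(key.encode(), msg, hashlib.sha256).hexdigest()


class MapServer:
    def __init__(self, sites):
        self.sites = {s.name: s for s in sites}
        self.htdb = {}          # (instance_id, IPv4Network) -> IPv4Address

    def _in_scope(self, site: Site, instance_id: int, eid: IPv4Network) -> bool:
        for iid, allowed, more_specifics in site.eid_prefixes:
            allowed = IPv4Network(allowed)
            if iid != instance_id:
                continue
            if eid == allowed or (more_specifics and eid.subnet_of(allowed)):
                return True
        return False

    def register(self, site_name: str, instance_id: int, eid: str,
                 rloc: str, mac: str) -> bool:
        """Map-Register handling: reject unknown site, wrong key, or an EID
        outside the site's eid-prefix scope; otherwise store EID -> RLOC."""
        site = self.sites.get(site_name)
        if site is None:
            return False
        expected = register_mac(site.key, instance_id, eid, rloc)
        if not hmac.compare_digest(expected, mac):
            return False                     # authentication-key mismatch
        eid_net = IPv4Network(eid)
        if not self._in_scope(site, instance_id, eid_net):
            return False                     # outside eid-prefix scope
        self.htdb[(instance_id, eid_net)] = IPv4Address(rloc)
        return True

    def map_request(self, instance_id: int, host: str):
        """Longest-prefix match in the HTDB; returns (eid_prefix, rloc) or None."""
        host_ip = IPv4Address(host)
        best = None
        for (iid, prefix), rloc in self.htdb.items():
            if iid == instance_id and host_ip in prefix:
                if best is None or prefix.prefixlen > best[0].prefixlen:
                    best = (prefix, rloc)
        return None if best is None else (str(best[0]), str(best[1]))


def build_demo_map_server() -> MapServer:
    """The slides' site: key cisco, instance-id 10, 10.2.3.0/24 accept-more-specifics."""
    return MapServer([Site("site_uci", "cisco", [(10, "10.2.3.0/24", True)])])


def edge_registers(ms: MapServer, eid: str, rloc: str, key: str = "cisco") -> bool:
    """An Edge node with RLOC `rloc` registering `eid` for instance-id 10."""
    return ms.register("site_uci", 10, eid, rloc, register_mac(key, 10, eid, rloc))


if __name__ == "__main__":
    ms = build_demo_map_server()
    print("edge .2 registers 10.2.3.0/24:", edge_registers(ms, "10.2.3.0/24", "192.168.200.2"))
    print("edge .5 registers host 10.2.3.10/32:", edge_registers(ms, "10.2.3.10/32", "192.168.200.5"))
    print("wrong key:", edge_registers(ms, "10.2.3.0/24", "192.168.200.9", key="guess"))
    print("out of scope 10.2.4.0/24:", edge_registers(ms, "10.2.4.0/24", "192.168.200.2"))
    print("map-request 10.2.3.10 ->", ms.map_request(10, "10.2.3.10"))
    print("map-request 10.2.3.20 ->", ms.map_request(10, "10.2.3.20"))
```

The two rejected registrations show why the site key and the eid-prefix scope are worth treating as security configuration: whoever can register an EID with the map-server decides where the fabric forwards that host's traffic, and `accept-more-specifics` lets a registration for a single /32 override the /24 for one host.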

Considerations of Net new Endpoint ID structure (continued)
(Figure: Edge Node 192.168.200.2/32; IP Network; Border/Control Plane Node 192.168.200.1/32; External Network)
- Re-configure the other VLANs and SVIs as shown on the previous slides
- Add those subnets as EIDs on the Fabric Edge and on the Border/Control Plane node
- All VLANs on the Edge node are now part of the Campus Fabric

Exporting Fabric Prefixes to External Network
(Figure: Edge Node 192.168.200.2/32; IP Network; Border/Control Plane Node 192.168.200.1/32; External Network)
- Only export Fabric prefixes (overlay) to the External network
- No need to import External prefixes into the Fabric, since the Border acts as the default for unknown destinations
- The External network needs a route to direct traffic back to the Fabric prefixes
- The preferred choice for exchanging routing information is BGP

Advertising Fabric Prefixes to External Network - OSPF
(Figure: Edge Node 192.168.200.254/32; IP Network; Border/Control Plane Node 192.168.200.1/32; External Network)
Border/Control Plane node:
  router lisp
   locator-table default
   !
   eid-table vrf CORPORATE instance-id 10
    ipv4 route-export site-registrations
    ipv4 map-cache site-registration
   exit
  !
  router ospfv3 123
   !
   address-family ipv4 unicast vrf CORPORATE
    summary-prefix 10.2.3.0/24
    redistribute lisp metric 10
   exit-address-family
  !
  interface Vlan4090
   ip vrf forwarding CORPORATE
   ip address 192.168.1.253 255.255.255.0
   ip ospf network point-to-point
   ip ospf mtu-ignore
   ipv6 enable
   ospfv3 123 ipv4 area 0
  end

Advertising Fabric Prefixes to External Network - OSPF (continued)
(Figure: Edge Node 192.168.200.254/32; IP Network; Border/Control Plane Node 192.168.200.1/32; External Network)
External router:
  interface GigabitEthernet0/0/4.4090
   encapsulation dot1q 4090
   ip address 192.168.1.254 255.255.255.0
   ip ospf network point-to-point
   ip ospf mtu-ignore
   ipv6 enable
   ospfv3 123 ipv4 area 0
  end
  !
  router ospfv3 123
   !
   address-family ipv4 unicast
   exit-address-family

Advertising Fabric Prefixes to External Network - BGP
(Figure: Edge Node 192.168.200.254/32; IP Network; Border/Control Plane Node 192.168.200.1/32; External Network)
Border/Control Plane node:
  router lisp
   locator-table default
   !
   eid-table vrf CORPORATE instance-id 10
    ipv4 route-export site-registrations
    ipv4 map-cache site-registration
   exit
  !
  router bgp 65001
   address-family ipv4 vrf CORPORATE
    redistribute lisp metric 10
    aggregate-address 10.2.3.0 255.255.255.0 summary-only
    neighbor 192.168.1.254 remote-as 65002
    neighbor 192.168.1.254 activate
   exit

Repeat Slides 71-95
- Add a second Control Plane/External Border node
- Add Internal Borders for WAN, Datacentre and Shared Resources connectivity
- Configure routing on the Internal Borders to advertise fabric prefixes to the external network, and to register the known external prefixes within the fabric
- Distribute the Control Plane and External Border functions to their respective switches

Routed Access Network
(Figure: DDI, MPLS, I-NET, Branch IWAN, DC IWAN, Internet; Internal Borders, External Borders, two Control Plane Nodes, Fabric Edge Nodes)

Upgrade and provision other Fabric Edge nodes
(Figure: Edge Nodes 192.168.200.2/32 and 192.168.200.5/32; IP Network; Control Plane nodes 192.168.200.1/32 and 192.168.200.3/32; External Borders, one at 192.168.200.4/32; External Network)
- Upgrade the other switches in the access layer to Fabric Edge nodes in a similar fashion
- Copy and paste the fabric configuration (except Loopback0 and a couple of other node-specific settings) and the EID space configuration from the first switch to the others

Migration @ Work
(Figure: DDI, MPLS, I-NET, Branch IWAN, DC IWAN, Internet; Internal Borders, External Borders, Campus Fabric)

Wireless

Wireless Deployment models
- Cisco Unified Wireless Network (Centralised Wireless)
- FlexConnect
- Converged Access

Where do I connect WLCs and APs?
- WLCs connect outside the fabric, behind an Internal Border
- APs connect to the overlay EID space in the fabric
- Leverage stretched wired subnets to create one VLAN across the fabric for all APs

Centralised Wireless and Campus Fabric
(Figure: Campus Fabric with Edge Node 192.168.200.2/32 and Internal Border 192.168.200.22/32; WLC management IP 192.168.1.253/24 on the 192.168.1.0/24 network; AP subnet 10.1.0.0/20)
- WLCs connect behind the Internal Border, in the Underlay
- The Internal Border advertises the WLC Management subnet to the Fabric
- The Internal Border advertises the Fabric prefixes to the WLC Management network

Centralised Wireless and Campus Fabric (continued)
(Figure: Campus Fabric with Edge Node 192.168.200.2/32 and Internal Border 192.168.200.22/32; WLC management IP 192.168.1.253/24; wireless client subnet 10.2.0.0/21, gateway 10.2.7.254)
- Wireless SSIDs are mapped to a VLAN/subnet at the WLC in the form of dynamic interfaces
- The Internal Border advertises the wireless client subnets to the Fabric

Centralised Wireless and Campus Fabric (continued)
(Figure: AP VLAN 10.1.0.0/20 with gateway 10.1.15.254 on every Edge Node; APs 10.1.0.1 and 10.1.0.2 on Edge Nodes 192.168.200.2/32 and 192.168.200.30/32; Internal Border 192.168.200.22/32)
- Access Points are in the overlay space on the Fabric Edge switches
- One subnet for APs across the entire Fabric in the Campus
- APs get registered in the Host Tracking Database (HTDB) running on the Control Plane node
- Simplified IP design for the network

Centralised Wireless and Campus Fabric (continued)
(Figure: Campus Fabric with Edge Node 192.168.200.2/32 and Internal Border 192.168.200.22/32; WLC management IP 192.168.1.253/24)
- CAPWAP is built from the AP to the WLC
- When this traffic hits the Fabric Edge switch, the Edge encapsulates the CAPWAP packet in VXLAN and forwards it to the Internal Border
- The Internal Border removes the outer VXLAN header and forwards the underlying CAPWAP packet to the WLC

Impact of Multiple Encapsulations on Frame size
  Wireless frame:            ETHERNET | 802.11 | IP | PAYLOAD
  CAPWAP (AP to WLC):        ETHERNET | IP | UDP | CAPWAP | ETHERNET | 802.11 | IP | PAYLOAD
  VXLAN (Edge to Border):    ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | UDP | CAPWAP | ETHERNET | 802.11 | IP | PAYLOAD

Centralised Wireless and Campus Fabric: AP Join
(Figure: Campus Fabric with Edge Node 192.168.200.2/32 and Internal Border 192.168.200.22/32; WLC management IP 192.168.1.253/24)
- WLC discovery by the AP happens the same way as today: Layer-3 CAPWAP, locally configured controller IP address, DHCP server discovery via Option 43, DNS discovery
- The AP sends a frame padded to 1485 bytes with DF=1
- The Edge encapsulates the frame in VXLAN, which takes it above 1500 bytes

Centralised Wireless and Campus Fabric: AP Join (continued)
(Figure: Campus Fabric with Edge Node 192.168.200.2/32 and Internal Border 192.168.200.22/32; WLC management IP 192.168.1.253/24)
- The Fabric Edge drops the packet and sends an ICMP error back to the AP
- The AP drops its frame size to 576 bytes and joins the WLC successfully
- The AP then tries to find the optimum frame size by stepping up to 1000 bytes, 1300 bytes and 1485 bytes again
- Increase the MTU of the existing network interfaces in the underlay to 9100 to avoid these fragmentation problems
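The header arithmetic behind the frame-size slide and the AP join behaviour described above can be checked before an AP is connected to a Fabric Edge port. The following Python is an added example for this page, not part of the session material. It assumes standard header sizes (untagged Ethernet 14, IPv4 without options 20, UDP 8, VXLAN 8, the 8-byte minimum CAPWAP header, a 24-byte 802.11 data header), uses the probe sequence the slides describe (1485 bytes with DF set, fall back to 576, then step up through 1000, 1300 and 1485), and assumes the AP stops stepping up at the first probe that is dropped; the function names are this example's own.

```python
"""Encapsulation overhead of CAPWAP inside VXLAN and a model of the AP's
MTU probing against a given underlay MTU. Added example; header sizes and
the probing behaviour are assumptions, see lead-in."""
ETHERNET = 14
IPV4 = 20
UDP = 8
VXLAN = 8
CAPWAP = 8        # minimum CAPWAP header
DOT11 = 24        # 802.11 data header without QoS/HT fields

# Bytes the Fabric Edge adds when it wraps the AP's CAPWAP/IP packet in VXLAN:
# the inner Ethernet header is carried, plus the outer IP, UDP and VXLAN
# headers. The outer Ethernet header is not counted against the IP MTU.
VXLAN_OVERHEAD = ETHERNET + IPV4 + UDP + VXLAN    # 50

PROBE_SEQUENCE = (1485, 576, 1000, 1300, 1485)


def capwap_packet_size(client_ip_len: int) -> int:
    """IP packet the AP sends to the WLC for one client IP packet of
    client_ip_len bytes (IP + UDP + CAPWAP + 802.11 header + client packet)."""
    return IPV4 + UDP + CAPWAP + DOT11 + client_ip_len


def outer_packet_size(inner_ip_len: int) -> int:
    """Underlay IP packet carrying an inner IP packet of inner_ip_len bytes."""
    return inner_ip_len + VXLAN_OVERHEAD


def fabric_forwards(inner_ip_len: int, underlay_mtu: int) -> bool:
    """With DF set the Edge cannot fragment: the packet is forwarded only if
    the VXLAN-encapsulated packet fits the underlay MTU, otherwise it is
    dropped and an ICMP 'fragmentation needed' error goes back to the AP."""
    return outer_packet_size(inner_ip_len) <= underlay_mtu


def ap_join_mtu(underlay_mtu: int):
    """Model of the AP's probing. Returns (negotiated_size, probes_sent);
    negotiated_size is None when even the 576-byte fallback is dropped."""
    full, fallback, *steps = PROBE_SEQUENCE
    sent = [full]
    if fabric_forwards(full, underlay_mtu):
        return full, tuple(sent)            # full-size probe passed first time
    sent.append(fallback)
    if not fabric_forwards(fallback, underlay_mtu):
        return None, tuple(sent)            # AP cannot join at all
    best = fallback
    for size in steps:                      # step back up: 1000, 1300, 1485
        sent.append(size)
        if not fabric_forwards(size, underlay_mtu):
            break
        best = size
    return best, tuple(sent)


if __name__ == "__main__":
    for mtu in (1500, 9100):
        print(f"underlay MTU {mtu}: the 1485-byte probe becomes "
              f"{outer_packet_size(1485)} bytes ->",
              "forwarded" if fabric_forwards(1485, mtu) else "dropped",
              "; AP settles on", ap_join_mtu(mtu))
    # A 1400-byte client packet already exceeds 1500 after CAPWAP + VXLAN.
    print("1400-byte client packet on the wire:",
          outer_packet_size(capwap_packet_size(1400)))
```

With a 1500-byte underlay the model settles on 1300 bytes after five probes, and a 1400-byte client packet already needs 1510 bytes on the wire once both encapsulations are added, which is the reason the slides ask for 9100 on the underlay rather than tuning the AP.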

Centralised Wireless and Campus Fabric (continued)
(Figure: AP VLAN 10.1.0.0/20 with AP 10.1.0.1; Internal Border 192.168.200.22/32; client VLAN 10.2.0.0/21 behind the WLC, with client 10.2.0.1)
- Clients are authenticated and on-boarded by the WLC
- Wireless clients are external to the fabric in this case

Centralised Wireless and Campus Fabric (continued)
(Figure: wired host 10.1.16.1 in wired VLAN 10.1.16.0/20 (gateway 10.1.31.254) on a Fabric Edge; AP VLAN 10.1.0.0/20; Internal Border 192.168.200.22/32; wireless client 10.2.0.1 in client VLAN 10.2.0.0/21)
- Communication from a wired host in the Fabric to a wireless client outside the Fabric goes through the Internal Border, JUST LIKE TODAY!
- For the fabric, it is a fabric host communicating with a known destination external to the fabric

Centralised Wireless and Campus Fabric: Over-The-Top (OTT) Wireless
- Consider increasing the MTU on transit switches to prevent fragmentation issues
- Least impact to wireless, since the fabric is just a transport
- Supports all the APs that are supported by the WLC software release
- Leverage a common subnet for APs across the campus
- No changes to wireless roaming performance
- All the other wireless features, such as AVC, Location services, QoS, Bonjour/mDNS, RRM and others, work EXACTLY as they do today
- Managed by Cisco Prime Infrastructure

Take Away

Session Summary
1. Control Plane based on LISP
2. Data Plane based on VXLAN
3. Policy Plane based on TrustSec

What to do next?
1. Update your Hardware and Software!
   - Catalyst 3650 or 3850: IOS-XE 16.3+
   - Catalyst 4500 with Sup8E: IOS-XE 3.9+
   - Catalyst 6807, 6880 or 6840: IOS 15.4SY+
   - Nexus 7700 with M3 cards: NX-OS 7.3.2+
   - ASR1000-X or ISR4400: IOS-XE 16.4+
2. Try out Campus Fabric in your Lab!
   - You only need 2 or 3 (+) switches to test this solution
   - At least 1 Control Plane + Border and 1 Fabric Edge
3. Trial Deployments (remember: it is an Overlay)
   - You can install new Control Plane, Border and Edge nodes without modifying your existing (Underlay) IP Network

Campus Fabric CVD on Cisco.com http://www.cisco.com/c/dam/en/us/td/docs/solutions/cvd/oct2016/cvd-campusfabricdesign-2016oct.pdf

Coming Soon
- Secure, Policy-based Automation: policy-based automated network provisioning across ALL network domains
- Complete Visibility and Assurance: monitor the entire Wired, Wireless and WAN network as a single entity
- Faster Service Enablement: quickly enable services using open APIs across a Services Ecosystem

Campus Fabric Related Sessions
We recommend the following sessions:
1. BRKCRS-1800: DNA Campus Fabric - An Introduction, 21/02/17 (Tuesday) @ 11:15, 1.5 hours
2. BRKCRS-3800: DNA Campus Fabric - A Look Under the Hood, 22/02/17 (Wednesday) @ 09:00, 2 hours
3. DNA Campus Fabric - How to Integrate with Your Existing Network, 22/02/17 (Wednesday) @ 11:30, 1.5 hours
4. BRKCRS-2802: DNA Campus Fabric - Monitoring & Troubleshooting, 22/02/17 (Wednesday) @ 14:30, 1.5 hours
5. BRKCRS-2803: DNA Campus Fabric - Connecting Outside the Fabric, 22/02/17 (Wednesday) @ 16:30, 1.5 hours
6. BRKACI-2400: DNA Campus Fabric - Integration with Data Center Architectures, 23/02/17 (Thursday) @ 14:30, 1.5 hours
7. BRKEWN-2300: Virtualize Your Wired and Wireless Network (w/ Campus Fabric), 24/02/17 (Friday) @ 09:00, 2 hours

Continue Your Education
- Demos in the Cisco campus
- Walk-in Self-Paced Labs
- Lunch & Learn
- Meet the Engineer 1:1 meetings
- Related sessions

Q & A

Complete Your Online Session Evaluation
Give us your feedback and receive a Cisco Live 2017 Cap by completing the overall event evaluation and 5 session evaluations. All evaluations can be completed via the Cisco Live Mobile App. Caps can be collected Friday 10 March at Registration.
Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations. www.ciscoliveapac.com

Thank you