Campus Fabric. How To Integrate With Your Existing Networks. Kedar Karmarkar - Technical Leader BRKCRS-2801



Campus Fabric Abstract
Is your Campus network facing some, or all, of these challenges?
- Host Mobility (without stretching VLANs)
- Network Segmentation (without implementing MPLS)
- Role-based Access Control (without end-to-end TrustSec)
Using Cisco technologies available today, you can overcome these challenges and build an Evolved Campus Network to better meet your business objectives. With this evolution, a key challenge is being able to support a distributed enterprise infrastructure that is typically spread across Campus, Branch, DC and Cloud. This session focuses on how the Campus Fabric architecture connects campus, branch and DCs across a WAN network, and how end-to-end policy is enforced.
2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 2

Campus Fabric Related Sessions
We recommend the following sessions:
1. BRKCRS-1800: DNA Campus Fabric - An Introduction. 21/02/17 (Tuesday) @ 11:15, 1.5 hours
2. BRKCRS-3800: DNA Campus Fabric - A Look Under the Hood. 22/02/17 (Wednesday) @ 09:00, 2 hours
3. DNA Campus Fabric - How to Integrate with Your Existing Network. 22/02/17 (Wednesday) @ 11:30, 1.5 hours
4. BRKCRS-2802: DNA Campus Fabric - Monitoring & Troubleshooting. 22/02/17 (Wednesday) @ 14:30, 1.5 hours
5. BRKCRS-2803: DNA Campus Fabric - Connecting Outside the Fabric. 22/02/17 (Wednesday) @ 16:30, 1.5 hours
6. BRKACI-2400: DNA Campus Fabric - Integration with Data Center Architectures. 23/02/17 (Thursday) @ 14:30, 1.5 hours
7. BRKEWN-2300: Virtualize Your Wired and Wireless Network (with Campus Fabric). 24/02/17 (Friday) @ 09:00, 2 hours

Agenda
1. Key Benefits - Why do I care?
2. Campus Fabric Overview - What is a Fabric?
3. Getting Started - What are the Platform/Network considerations?
4. Network Deployment Models - Layer-2 Access
5. Takeaway - How do I get started?

Key Benefits: Why do I care?

Cisco Digital Network Architecture Overview
[Diagram: Network-enabled Applications on top. Principles: Open APIs, Developers Environment, Abstraction & Policy Control from Core to Edge, Open & Programmable, Standards-Based, Virtualization, Cloud-enabled, Software-delivered, Security & Compliance. Layers: Cloud Service Management; Automation and Policy Orchestration; Analytics (Network Data, Contextual Insights); Insights & Experiences; Automation & Assurance; Physical & Virtual Infrastructure with App Hosting.]

What is Campus Fabric?
[Diagram: Foundational Technologies. Programmable Custom ASICs: programmable pipeline, flexibility, recirculation, optimized for campus, integrated stacking, visibility, security. Converged Software Services: industry-leading wired & wireless, stacking, TrustSec, SDN, advanced functionality. Future proofed: long life cycle, investment protection. Plus Network-Enabled Applications (Collaboration, Mobility, IoT, Security), Automation and Analytics (controller; visible, programmable, open; virtualization) and Campus Fabric (segmentation, L2 flexibility, designed for evolution, strong foundational capabilities, HA). Driving innovation through technology investment.]

Provision: Simplified Provisioning. Deploy devices using best-practice configurations, using Smart CLI and programmability models.

Mobility: Wired and Wireless Host Mobility. Always connect to the same L3 gateway.

Segmentation: Security. Simple segmentation constructs to build secure boundaries for users and things.

Intelligent Policy: Network-wide Policy Enforcement, based on your identity, not on your address.

Campus Fabric Overview: What is a Fabric?

What exactly is a Fabric?
A Fabric is an Overlay.
- An Overlay is a logical topology used to virtually connect devices, built on top of an arbitrary physical Underlay topology.
- An Overlay network often uses alternate forwarding attributes to provide additional services not provided by the Underlay.
Examples of Network Overlays:
- GRE or mGRE
- LISP
- MPLS or VPLS
- OTV
- IPsec or DMVPN
- DFA
- CAPWAP
- ACI

What exactly is a Fabric? Overlay Terminology
[Diagram: Overlay Network with its Overlay Control Plane and Encapsulation between Edge Devices; Hosts (End-Points) attached to the Edge Devices; Underlay Network with its Underlay Control Plane beneath.]

What is unique about Campus Fabric?
Key Components:
1. Control-Plane based on LISP
2. Data-Plane based on VXLAN
3. Policy-Plane based on TrustSec
Key Differences:
- L2 + L3 Overlay, versus L2 or L3 only
- Host Mobility with Anycast Gateway
- Adds VRF + SGT into the Data-Plane
- Virtual Tunnel Endpoints (no static tunnels)
- No topology limitations (basic IP)

What is unique about Campus Fabric? Fabric Roles & Terminology
- User / Group Repository: an external ID store device (e.g. ISE or AD) can be leveraged to provide dynamic User / Device to Group mapping.
- Control-Plane Nodes: the map system (Host DB) that manages the Endpoint to Gateway (Edge or Border) relationship.
- Border Nodes: the L3 gateway device (Core) that connects external L3 network(s) to the Fabric.
- Edge Nodes: the L3 gateway device (Access or Distribution) that connects Endpoints to the Fabric.
- Intermediate Nodes: normal L3 (IP) forwarders in the Underlay.
[Diagram: Fabric Domain (Overlay) containing Fabric Border Nodes, Control-Plane Nodes and Fabric Edge Nodes, running over Fabric Intermediate Nodes (Underlay); ISE / AD shown as the User / Group Repository.]

Campus Fabric Control-Plane Nodes: A Closer Look
The Fabric Control-Plane Node is based on a LISP Map Server / Resolver:
- Runs the LISP Host Tracking Database to provide overlay reachability information
- A simple Host Database that tracks Endpoint ID to Edge Node bindings, along with other attributes
- The Host Database supports multiple Endpoint ID lookup keys (IPv4 /32, IPv6 /128 or MAC)
- Receives prefix registrations from Edge Nodes with local Endpoints
- Resolves lookup requests from remote Edge Nodes to locate local Endpoints

Campus Fabric Edge Nodes: A Closer Look
The Fabric Edge Node is based on a LISP Tunnel Router:
- Provides connectivity for Users and Devices connected to the Fabric
- Responsible for identifying and authenticating Endpoints
- Registers Endpoint ID information with the Control-Plane Node(s)
- Provides the Anycast L3 Gateway for connected Endpoints
- Must encapsulate / decapsulate host traffic to and from Endpoints connected to the Fabric

Campus Fabric Border Nodes: A Closer Look
The Fabric Border Node is based on a LISP Tunnel Router:
- All traffic entering or leaving the Fabric goes through this type of node
- Connects traditional L3 networks and / or different Fabric domains to the local domain
- Where two domains exchange Endpoint reachability and policy information
- Responsible for translation of context (VRF & SGT) from one domain to another
- Provides a domain exit point for all Edge Nodes

Getting Started: Platform Considerations

Platform Support: Fabric Edge Nodes - Options
- Catalyst 3K (fixed portfolio): Catalyst 3650, Catalyst 3850 (RJ45); IOS-XE 16.3+
- Catalyst 4K (Catalyst 4500E modular options): Catalyst 4500 Sup8E, Sup uplinks; IOS-XE 3.9+

Platform Support: Fabric Border Nodes - Options
- Catalyst 3K: Catalyst 3850 12/24 or 48XS, 1/10G (fiber); IOS-XE 16.3.1+
- Catalyst 6K: Catalyst 6800 Sup2T or 6T, 6880 or 6840-X; IOS 15.4.1SY+
- ASR1K & ISR4K: ASR1000-X, X or HX series, ISR4430 / 4450; IOS-XE 16.4.1+
- Nexus 7K: Nexus 7700 Sup2E, M3 cards; NX-OS 7.3.2+

Platform Support: Fabric Control-Plane - Options
- Catalyst 3K: Catalyst 3850 12/24 or 48XS, 1/10G (fiber); IOS-XE 16.3.1+
- Catalyst 6K: Catalyst 6800 Sup2T or 6T, 6880 or 6840-X; IOS 15.4.1SY+
- ASR1K & ISR4K: ASR1000-X, X or HX series, ISR4430 / 4450; IOS-XE 16.4.1+

Getting Started: Network Considerations

Network Considerations - MTU
MTU and Overlay:
- VXLAN adds 50 bytes to the original Ethernet frame
- Avoid fragmentation by adjusting the network MTU
- Ensure jumbo frame support on switches in the underlay network
[Diagram: Overlay Network with MTU 1500 carried over an Underlay Network whose MTU must be 1500 + encapsulation.]

Underlay Networks
Campus Fabric runs over arbitrary topologies:
- Traditional 3-tier hierarchical network
- Collapsed core/aggregation designs
- Routed access
- U-topology
Ensure that all switches have IP reachability to the infrastructure elements. The ideal design is routed access, which allows the fabric to extend to the very edge of the campus network. Strong recommendation to follow the campus CVDs with routed access.
[Diagram: 3-Tier Hierarchical (L3 core, L2 access), Collapsed Core (L2), Routed Access (L3), U-Topology (L2).]

Overlay Network
- The assumption is that the underlay network provides routing and IP connectivity
- The Campus Fabric configuration defines: the overlay IP space; the segmentation context (VRF and SGT); mobility (map database updates)

IP Addressing for Overlay and Underlay
- Know your IP addressing and IP scale requirements
- Best to use a single aggregate for all underlay links and loopbacks
- IPv4 only (today)
- The Fabric uses a Loopback as the source interface for encapsulation
[Diagram: Underlay Network with loopbacks 10.10.10.254/32, 10.10.10.253/32 and 10.10.10.252/32 and point-to-point links 10.10.10.0/30 and 10.10.10.4/30; Overlay Network on top.]

Virtual Networks
- RLOC/Underlay connectivity is in the Global Routing Table
- Loopback interfaces for management are in their own VN (Default)
- Other VNs can be used for segmentation of users, devices, roles, and others
- Scalable Group Tags (SGTs) can be used for further access control within a VN
- The CORPORATE VN is shown in this slide deck as an example; similar steps can be followed for the other VNs shown
[Diagram: fabric scope of management spanning VNs USERS #1, USERS #2, Management and Access; RLOC/Underlay in the Default GRT; Border connecting the VNs outward.]

Getting Started: Services Location Considerations

Location of Shared Services Infrastructure
- Campus Fabric leverages traditional infrastructure services
- IP reachability from underlay/overlay to DNS, DHCP, etc. is required
- Services may be hosted inside or outside the Campus Fabric
- Other infrastructure services include AAA, LDAP/AD, syslog server, NetFlow collector, 3rd-party monitoring systems
[Diagram: DHCP Server and NTP Server as examples of shared services.]

Location of Shared Services Infrastructure
- Could be in the campus distribution block or campus core for small commercial or enterprise deployments
- Larger deployments have infrastructure services hosted in the Data Center
- A hybrid model is also possible (mix of distribution / core / Data Center)
[Diagram: Infrastructure Services at Distribution and at Core (small commercial / enterprise deployment); Infrastructure Services in the Data Center (large enterprise deployment).]

Know What is Connecting to the Existing Network
- Deploy ISE and StealthWatch
- Turn on device sensor on the switches, and Flexible NetFlow
- Turn on profiling on ISE
Questions to answer:
- What devices connect to the network?
- What should they be doing?
- What are they actually doing?
- From where do they connect into the network?
This data will be useful in determining the segmentation policy in Campus Fabric.

Deployments

Deployments: Campus Networks and Branch Networks

Campus Network
[Diagram: WAN Block (MPLS, I-NET, Branch IWAN), DC Block (DC IWAN), Internet Block and Services Block (DDI) attached to a Super Core; Core layers and Aggregation Layers below, with Layer-2 and Layer-3 links marked.]

Branch Network
[Diagram: DDI, MPLS and I-NET via Branch IWAN into a Collapsed Core, with an Access Layer below.]

Approaches to Migration
1. Parallel Install
2. Migrating one switch at a time

Parallel Install Option: Conditions and Advantages
- May work in Branch deployments
- Sufficient cable runs exist in the current networking plan
- Sufficient power and outlets exist in the current power plan
- Existing brownfield network has legacy hardware
- Upgrade most of the wired network
- Option of redesigning the IP networks from scratch instead of continuing the complexities of the legacy network
- The advantage lies in testing users on the entire new network prior to full migration of the entire site
- During migration, users with problems but immediate access needs can be moved back to the old network, allowing them to continue their work while troubleshooting is performed on the SDA network

Migrate One Switch At A Time Option: Conditions and Advantages
- Works in both Campus and Branch deployments
- Needs an extra couple of fiber runs to the distribution switch
- Sufficient power and a couple of outlets needed in the current power plan
- Existing brownfield network has legacy hardware
- Upgrade some of the wired network
- Switch-by-switch upgrade of certain layers of the network is possible
- The legacy IP design has to be continued, to reduce downtime
- During migration, users with problems but immediate access needs can be moved back to the old network, allowing them to continue their work while troubleshooting is performed on the SDA network

Parallel Install Option for Campus Networks
[Diagram: campus network with DDI, MPLS, I-NET, Branch IWAN, DC IWAN and Internet, with the new fabric installed in parallel to the existing network.]

Parallel Network Option for Branch Networks
[Diagram: branch network with DDI, MPLS, I-NET and Branch IWAN, with the new fabric installed in parallel to the existing network.]

Hardware Refresh / Software Reconfigure
Two scenarios for migration to Campus Fabric:
- Hardware Refresh: the existing network consists of switches that need a hardware upgrade, since they do not support Campus Fabric. Example: 3750X, 2960X, 4500E SUP7-E in the access.
- Software Reconfigure: the existing network consists of switches that are compatible with Campus Fabric and just need a software upgrade and reconfiguration. Example: 3850, 4500E SUP-8E in the access.

Access Network Designs

Access Network Designs: Multi-layer L2 Access. This will address the hardware refresh scenario.

Layer-2 Access Network
[Diagram: WAN Block (MPLS, I-NET, Branch IWAN), DC Block (DC IWAN), Internet Block and Services Block (DDI) attached to the Super Core; Core and Aggregation Layers below, with the layers numbered 1 to 4 from the bottom (Aggregation) up to the Super Core.]

Connecting the Fabric External Border
- If the current Core platform supports Fabric External Border functionality: convert one of the Core switches into the External Border.
- If the current Core platform does not support Fabric functionality, or there is a strong desire not to touch the Core layer in the existing network: add a Border platform switch and connect it to the Core layer. Choose a platform that can be re-purposed as a dedicated Control Plane Node (if needed).
In this example, we will add a Fabric External Border switch and connect it to the Core layer.

Connecting the first Fabric Edge
Where to connect depends on which layer of the network the VLANs are being spanned across: Aggregation, Core, or sometimes even Super Core. The Fabric Edge switch connects to where the VLANs are being aggregated.
Example: if the VLANs are NOT being spanned across the Core layer, connect the first Fabric Edge switch at Aggregation; if the VLANs ARE being spanned across the Aggregation layer, connect the first Fabric Edge switch at Core, and so on.
In this example, we will assume that the VLANs are being spanned across the Access layer, so the Fabric Edge switch is attached to the aggregation switch.

Getting Started: Steps
[Diagram: Edge Node 192.168.200.254/32 - IP Network - Border/Control Plane Node (C) 192.168.200.1/32 - External Network.]
- Connect a switch to the Core layer that will act as the External Border
- Host the Control Plane function on the External Border for simplicity
- Add a switch in the access layer that will act as the Fabric Edge
- Integrate the switch into the existing network in a Routed Access design. IS-IS is the recommended option for Fabric networks, but any IGP could do. APIC-EM PnP can be used for Day Zero operations to integrate the switch.

Layer-2 Access Network: Simplified View
[Diagram: DDI, MPLS, I-NET, Branch IWAN, DC IWAN and Internet attached to the simplified campus network.]

Prepping the Switch
[Diagram: Edge Node 192.168.200.254/32 - IP Network - Border/Control Plane Node (C) 192.168.200.1/32 - External Network.]
Do not forget to set the following on the Edge node and the other nodes in the underlay:
- Set the MTU to 9100 on the switch and in the existing network
- Configure ip routing
- Set a username and password for device access
- Configure the VTY and console lines for device access
- Configure NTP
- Configure SNMP and syslog
- Configure Loopback0 (/32) for the RLOC, another interface for management, and the underlay IP addresses

Fabric Configuration on Edge node
[Diagram: Edge Node 192.168.200.254/32 - IP Network - Border/Control Plane Node (C) 192.168.200.1/32 - External Network.]
  router lisp
   encapsulation vxlan
   locator-table default
   locator-set rloc_sjc18
    IPv4-interface Loopback0 priority 10 weight 10
    exit
   !
   disable-ttl-propagate
   ipv4 sgt
   ipv4 use-petr 192.168.200.1
   ipv4 itr map-resolver 192.168.200.1
   ipv4 itr
   ipv4 etr map-server 192.168.200.1 key cisco
   ipv4 etr
   exit

Border and Control Plane Configuration
[Diagram: Edge Node 192.168.200.254/32 - IP Network - Border/Control Plane Node (C) 192.168.200.1/32 - External Network.]
Border/Control Plane Node, LISP router configuration:
  router lisp
   encapsulation vxlan
   locator-table default
   locator-set border
    IPv4-interface Loopback0 priority 10 weight 10
    exit
   !
   disable-ttl-propagate
   ipv4 map-server
   ipv4 map-resolver
   ipv4 sgt
   ipv4 proxy-etr
   ipv4 proxy-itr 192.168.200.1
   ipv4 itr map-resolver 192.168.200.1
   ipv4 etr map-server 192.168.200.1 key cisco
   ipv4 etr
   exit
Border/Control Plane Node, map-server site configuration:
  router lisp
   site site_uci
    authentication-key cisco
    exit
   ipv4 map-server
   ipv4 map-resolver
   exit

VRF Configuration on Edge and Border
[Diagram: Edge Node 192.168.200.254/32 - IP Network - Border/Control Plane Node (C) 192.168.200.1/32 - External Network.]
  ip vrf CORPORATE
   rd 1:1
   route-target export 1:1
   route-target import 1:1

Configure L2 VLAN and SVI at Edge Node
[Diagram: Edge Node 192.168.200.254/32 - IP Network - Border/Control Plane Node (C) 192.168.200.1/32 - External Network.]
  vlan 3
   name Corporate_Users
  !
  ip dhcp snooping
  ip dhcp snooping vlan 3
  !
  device-tracking tracking
  !
  interface Vlan3
   ip vrf forwarding CORPORATE
   ip dhcp relay source-interface Loopback0
   ip address 10.2.3.254 255.255.255.0
   ip helper-address global 10.1.5.252
   no ip redirects
   ip local-proxy-arp
   ip route-cache same-interface
   logging event link-status
   load-interval 30
   lisp mobility CORPORATE_10_2_3_0
   shutdown
The SVI is left shut down here; it is brought up later, once the SVI of the same VLAN on the existing aggregation switches has been shut down.

Adding EID space on Edge node
[Diagram: Edge Node 192.168.200.254/32 - IP Network - Border/Control Plane Node (C) 192.168.200.1/32 - External Network.]
  router lisp
   locator-table default
   locator-set rloc_sjc18
    exit
   eid-table vrf CORPORATE instance-id 10
    dynamic-eid CORPORATE_10_2_3_0
     database-mapping 10.2.3.0/24 locator-set rloc_sjc18
     exit
    exit
The locator-set named in database-mapping must be the one defined on the Edge node in the Fabric configuration (rloc_sjc18); a different name here creates a second, empty locator-set and leaves the mapping without a usable RLOC.

Adding EID space on Border/Control Plane node
[Diagram: Edge Node 192.168.200.254/32 - IP Network - Border/Control Plane Node (C) 192.168.200.1/32 - External Network.]
  router lisp
   eid-table vrf CORPORATE instance-id 10
    map-cache 10.2.3.0/24 map-request
    exit
   !
   site site_uci
    authentication-key cisco
    eid-prefix instance-id 10 10.2.3.0/24 accept-more-specifics
    exit
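The Edge and Border stanzas above have to agree with each other: the Edge's map-server and map-resolver address must be the Border's RLOC, the Edge's map-server key must equal the Border's site authentication-key, and the Edge's EID prefix must fall inside a site eid-prefix for the same instance-id, otherwise registrations are silently refused and the endpoints never become reachable through the fabric. The checker below is an added example written for this page, not Cisco's or the presenter's code. It parses the slide configurations, transcribed here as constructed input with the Edge's LISP and EID stanzas merged under one router lisp block, and reports mismatches. It assumes the Border's ipv4 proxy-itr address is its RLOC (the diagram's 192.168.200.1), and it adds one check of its own that the slides do not show: flagging placeholder keys such as cisco, since the authentication-key is what stops an unauthorised device from registering EIDs with the map-server.

```python
import ipaddress
import re

# Constructed sample input: the Edge (slides 52 and 56) and Border/Control Plane
# (slides 53 and 57) LISP configuration, each merged into one "router lisp" block.
EDGE_CONFIG = """\
router lisp
 locator-table default
 locator-set rloc_sjc18
  IPv4-interface Loopback0 priority 10 weight 10
  exit
 eid-table vrf CORPORATE instance-id 10
  dynamic-eid CORPORATE_10_2_3_0
   database-mapping 10.2.3.0/24 locator-set rloc_sjc18
   exit
  exit
 ipv4 use-petr 192.168.200.1
 ipv4 itr map-resolver 192.168.200.1
 ipv4 etr map-server 192.168.200.1 key cisco
 exit
"""

BORDER_CONFIG = """\
router lisp
 locator-table default
 locator-set border
  IPv4-interface Loopback0 priority 10 weight 10
  exit
 site site_uci
  authentication-key cisco
  eid-prefix instance-id 10 10.2.3.0/24 accept-more-specifics
  exit
 eid-table vrf CORPORATE instance-id 10
  map-cache 10.2.3.0/24 map-request
  exit
 ipv4 map-server
 ipv4 map-resolver
 ipv4 proxy-etr
 ipv4 proxy-itr 192.168.200.1
 exit
"""

# Keys that are obviously placeholders (this list is my own, not from the slides).
PLACEHOLDER_KEYS = {"cisco", "lisp", "password", "secret", "key"}


def parse_lisp(config):
    """Pull the facts the check needs from a 'router lisp' block.

    Nesting is tracked by indentation: one leading space means a direct child of
    'router lisp'; deeper lines belong to the current eid-table or site stanza.
    """
    f = {"locator_sets": set(), "mappings": [], "map_servers": [], "map_resolvers": [],
         "site_keys": {}, "site_prefixes": [], "proxy_itr": None}
    instance = site = None
    for raw in config.splitlines():
        depth, line = len(raw) - len(raw.lstrip()), raw.strip()
        if depth <= 1:                              # back at 'router lisp' level
            instance = site = None
        if m := re.match(r"locator-set (\S+)$", line):
            f["locator_sets"].add(m[1])
        elif m := re.match(r"eid-table vrf \S+ instance-id (\d+)$", line):
            instance = int(m[1])
        elif m := re.match(r"site (\S+)$", line):
            site = m[1]
        elif (m := re.match(r"authentication-key (\S+)$", line)) and site:
            f["site_keys"][site] = m[1]
        elif (m := re.match(r"eid-prefix instance-id (\d+) (\S+)", line)) and site:
            f["site_prefixes"].append((site, int(m[1]), m[2]))
        elif (m := re.match(r"database-mapping (\S+) locator-set (\S+)$", line)) and instance is not None:
            f["mappings"].append((instance, m[1], m[2]))
        elif m := re.match(r"ipv4 etr map-server (\S+) key (\S+)$", line):
            f["map_servers"].append((m[1], m[2]))
        elif m := re.match(r"ipv4 itr map-resolver (\S+)$", line):
            f["map_resolvers"].append(m[1])
        elif m := re.match(r"ipv4 proxy-itr (\S+)$", line):
            f["proxy_itr"] = m[1]
    return f


def check_fabric(edge_config, border_config):
    """Return human-readable findings; an empty list means Edge and Border agree."""
    edge, border = parse_lisp(edge_config), parse_lisp(border_config)
    border_rloc = border["proxy_itr"]  # assumption: the proxy-itr address is the Border RLOC
    findings = []
    for instance, prefix, locator_set in edge["mappings"]:
        if locator_set not in edge["locator_sets"]:
            findings.append(f"edge: database-mapping {prefix} uses undefined locator-set {locator_set}")
        eid = ipaddress.ip_network(prefix)
        covered = any(instance == s_inst and eid.subnet_of(ipaddress.ip_network(s_prefix))
                      for _, s_inst, s_prefix in border["site_prefixes"])
        if not covered:
            findings.append(f"border: no site eid-prefix covers {prefix} in instance-id {instance}; "
                            "the map-server will not accept the Edge registration")
    for address, key in edge["map_servers"]:
        if border_rloc and address != border_rloc:
            findings.append(f"edge: map-server {address} is not the Border RLOC {border_rloc}")
        if key not in border["site_keys"].values():
            findings.append(f"edge: map-server key for {address} matches no site authentication-key on the Border")
        if key.lower() in PLACEHOLDER_KEYS:
            findings.append(f"edge: map-server key {key!r} is a placeholder; use a unique per-fabric key")
    for address in edge["map_resolvers"]:
        if border_rloc and address != border_rloc:
            findings.append(f"edge: map-resolver {address} is not the Border RLOC {border_rloc}")
    return findings
```

Run against the slide configurations, the only finding is the placeholder key. Change the Border's authentication-key, the site's instance-id, or the Edge's locator-set name and the corresponding mismatch is reported, which is the kind of drift that otherwise only shows up as endpoints that never register.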

Exporting Fabric Prefixes to External Network
[Diagram: Edge Node 192.168.200.254/32 - IP Network - Border/Control Plane Node (C) 192.168.200.1/32 - External Network.]
- Only export Fabric prefixes (overlay) to the External network
- No need to import External prefixes into the Fabric, since the Border acts as the default for unknown destinations
- The External network needs a route to direct traffic back to the Fabric prefixes
- The recommended choice for exchanging routing information is BGP

Advertising Fabric Prefixes to External Network - OSPF
[Diagram: Edge Node 192.168.200.254/32 - IP Network - Border/Control Plane Node (C) 192.168.200.1/32 - External Network.]
Border/Control Plane Node:
  router lisp
   locator-table default
   !
   eid-table vrf CORPORATE instance-id 10
    ipv4 route-export site-registrations
    ipv4 map-cache site-registration
    exit
  !
  router ospfv3 123
   !
   address-family ipv4 unicast vrf CORPORATE
    summary-prefix 10.2.3.0/24
    redistribute lisp metric 10
   exit-address-family
  !
  interface Vlan4090
   ip vrf forwarding CORPORATE
   ip address 192.168.1.253 255.255.255.0
   ip ospf network point-to-point
   ip ospf mtu-ignore
   ipv6 enable
   ospfv3 123 ipv4 area 0
  end
Use a route-filter in the global OSPF instance to filter incoming fabric prefix routes. This will prevent the underlay from learning the fabric prefixes.

Advertising Fabric Prefixes to External Network - OSPF
[Diagram: Edge Node 192.168.200.254/32 - IP Network - Border/Control Plane Node (C) 192.168.200.1/32 - External Network.]
Peer on the External Network side:
  interface GigabitEthernet0/0/4.4090
   encapsulation dot1q 4090
   ip address 192.168.1.254 255.255.255.0
   ip ospf network point-to-point
   ip ospf mtu-ignore
   ipv6 enable
   ospfv3 123 ipv4 area 0
  end
  !
  router ospfv3 123
   !
   address-family ipv4 unicast
   exit-address-family

Advertising Fabric Prefixes to External Network - BGP
[Diagram: Edge Node 192.168.200.254/32 - IP Network - Border/Control Plane Node (C) 192.168.200.1/32 - External Network.]
Border/Control Plane Node:
  router lisp
   locator-table default
   !
   eid-table vrf CORPORATE instance-id 10
    ipv4 route-export site-registrations
    ipv4 map-cache site-registration
    exit
  !
  router bgp 65001
   address-family ipv4 vrf CORPORATE
    redistribute lisp metric 10
    aggregate-address 10.2.3.0 255.255.255.0 summary-only
    neighbor 192.168.1.254 remote-as 65002
    neighbor 192.168.1.254 activate
   exit

Why BGP?
- BGP has built-in loop prevention features like AS_PATH to break loops
- Simple to keep routes separated between the Global Routing table and the Virtual Networks
- If an IGP is used, then route-maps, distribute-lists and IP ACLs need to be maintained
- Failure to maintain the above might cause routing loops in the network
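The export slides and the "Why BGP?" slide describe two boundaries that must hold on the Border: fabric EID prefixes must not come back into the global (underlay) table from the external network, and underlay RLOC prefixes must not appear inside a Virtual Network. Either way the route-filter the OSPF slide asks for has failed. The script below is an added example, not the presenter's or Cisco's code: it runs a leak check over constructed text shaped like IOS show ip route output for the global table and for VRF CORPORATE on the Border (not captured from a real device), using the page's own addressing (EID 10.2.3.0/24, RLOC loopbacks in 192.168.200.0/24, underlay links in 10.10.10.0/24, external peering on 192.168.1.0/24). The route codes, next-hops and timers in the sample lines are illustrative.

```python
import ipaddress
import re

# Constructed sample output shaped like 'show ip route' (global table) and
# 'show ip route vrf CORPORATE' on the Border; not captured from a device.
GLOBAL_TABLE = """\
C        192.168.200.1/32 is directly connected, Loopback0
i L1     192.168.200.254/32 [115/20] via 10.10.10.1, 00:12:31, TenGigabitEthernet1/0/1
i L1     10.10.10.4/30 [115/20] via 10.10.10.1, 00:12:31, TenGigabitEthernet1/0/1
C        10.10.10.0/30 is directly connected, TenGigabitEthernet1/0/1
O E2     10.2.3.0/24 [110/10] via 192.168.1.254, 00:01:02, Vlan4090
"""

VRF_TABLE = """\
C        192.168.1.0/24 is directly connected, Vlan4090
O E2     192.168.200.254/32 [110/10] via 192.168.1.254, 00:01:02, Vlan4090
"""

# Fabric addressing from the slides: the overlay EID prefix and the underlay
# aggregates that carry RLOC loopbacks and point-to-point links.
EID_PREFIXES = ["10.2.3.0/24"]
UNDERLAY_PREFIXES = ["192.168.200.0/24", "10.10.10.0/24"]


def parse_routes(table):
    """Yield (network, line) for each route line; the first a.b.c.d/n token is the prefix."""
    for line in table.splitlines():
        m = re.search(r"\d+\.\d+\.\d+\.\d+/\d+", line)
        if m:
            yield ipaddress.ip_network(m.group(0), strict=False), line.strip()


def find_leaks(global_table, vrf_table, eid_prefixes, underlay_prefixes):
    """Flag overlay EID routes in the global table and underlay routes inside the VN.

    Each entry is (table, prefix, route line). EID prefixes in the underlay mean the
    external network is feeding fabric routes back into the global OSPF instance, the
    loop the slides warn about; underlay prefixes inside a VN expose RLOCs and the
    control-plane node to endpoints that should only ever see the overlay.
    """
    eids = [ipaddress.ip_network(p) for p in eid_prefixes]
    underlay = [ipaddress.ip_network(p) for p in underlay_prefixes]
    leaks = []
    for net, line in parse_routes(global_table):
        if any(net.subnet_of(e) for e in eids):
            leaks.append(("global", str(net), line))
    for net, line in parse_routes(vrf_table):
        if any(net.subnet_of(u) for u in underlay):
            leaks.append(("vrf", str(net), line))
    return leaks


if __name__ == "__main__":
    for table, prefix, line in find_leaks(GLOBAL_TABLE, VRF_TABLE, EID_PREFIXES, UNDERLAY_PREFIXES):
        print(f"LEAK in {table} table: {prefix}  <- {line}")
```

On the sample tables it reports the fabric prefix 10.2.3.0/24 learned via OSPF in the global table and the Edge RLOC 192.168.200.254/32 inside VRF CORPORATE. Feeding it real output after each migration step is a cheap way to confirm the route-filter (or the BGP separation the next slide recommends) is doing its job.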

Layer-2 Connection from Existing Network: Layer-2 connection between an existing VLAN and a VLAN in the Fabric
[Diagram: Edge Node 192.168.200.254/32 and Distribution Switch - IP Network - Border/Control Plane Node (C) 192.168.200.1/32 - External Network.]
- Connect the Edge node and the existing Distribution switch on a trunk port
- Allow only VLAN003 for now

Layer-2 Connection from Existing Network: Layer-2 connection between an existing VLAN and a VLAN in the Fabric
[Diagram: Distribution Switch with SVI VLAN003 marked shut (X); Edge Node 192.168.200.254/32 - IP Network - Border/Control Plane Node (C) 192.168.200.1/32 - External Network.]
- Shut down the SVI of VLAN003 on the Aggregation switches in the existing network

Layer-2 Connection from Existing Network: Layer-2 connection between an existing VLAN and a VLAN in the Fabric
[Diagram: Edge Node 192.168.200.254/32 with SVI VLAN003 up; Distribution Switch - IP Network - Border/Control Plane Node (C) 192.168.200.1/32 - External Network.]
- No shutdown on the SVI VLAN3 on the Fabric Edge switch

Layer-2 Connection from Existing Network: Layer-2 connection between an existing VLAN and a VLAN in the Fabric
[Diagram: L2 Network VLAN003 behind the Distribution Switch; Edge Node 192.168.200.254/32 with SVI VLAN003 - IP Network - Border/Control Plane Node (C) 192.168.200.1/32 - External Network.]
- L2 Network VLAN003 gets integrated into the fabric
- All ingress traffic from endpoints in VLAN003 now enters the fabric via the Edge node and exits via the Border node

Layer-2 Connection from Existing Network: Layer-2 connection between an existing VLAN and a VLAN in the Fabric
[Diagram: L2 Network behind the Distribution Switch; Edge Node 192.168.200.254/32 with SVI VLAN X - IP Network - Border/Control Plane Node (C) 192.168.200.1/32 - External Network.]
- Perform the same configuration for the other VLANs and SVIs on the Fabric Edge node
- Shut down the SVIs of the other VLANs on the existing Distribution switches
- No shutdown on the respective SVIs on the Fabric Edge to funnel all VLAN traffic to it

Layer-2 Connection from Existing Network (slide 68)
[Diagram: New Edge Node 192.168.200.2/32, Distribution Switch, existing L2 switch, IP Network, Border/Control Plane Node 192.168.200.1/32, External Network]
Add a new Fabric Edge switch in the access layer. Connect it to the Distribution layer with Routed Access and give it its own Loopback0. Copy the Fabric Edge configuration from the previous Fabric Edge, including the VLAN X/SVI X configuration as is, and paste it onto the new Fabric Edge switch.

Layer-2 Connection from Existing Network (slide 69)
[Diagram: Edge Node 192.168.200.2/32, Distribution Switch, legacy switch removed (X), IP Network, Border/Control Plane Node 192.168.200.1/32, External Network]
Configure the access ports in their VLANs the same way as on the legacy switch. Move all physical connections from the legacy switch to the new Fabric Edge. Decommission the legacy switch from the existing network.

Add Second External Border/Control Plane node (slide 70)
[Diagram: Edge Node 192.168.200.2/32, IP Network, Border/Control Plane Nodes 192.168.200.1/32 and 192.168.200.3/32, External Network]
Add or upgrade a second switch or router as a Border/Control Plane node for redundancy. Modify the configuration on all Fabric Edge nodes to add the second Border/Control Plane node (map-resolver, map-server and proxy-ETR entries).

Migration @ Work, Simplified View (slide 71)
[Diagram: DDI, MPLS (Branch, IWAN), MPLS (DC, IWAN), I-NET (Internet)]

Add Internal Border nodes as necessary (slide 72)
[Diagram: Edge Node 192.168.200.2/32, IP Network, Internal Border(s) 192.168.200.22/32 toward WAN/Branch, Internal Border(s) 192.168.200.23/32 toward Datacenter WAN]
Add or upgrade Internal Border nodes in the Fabric.

Campus Fabric Border Nodes (slide 73)
Internal Border: connects the Campus Fabric to known networks, i.e. another fabric or non-fabric domain in the same company network. These known networks are generally the WAN, DC, Shared Services, etc. An Internal Border is responsible for advertising prefixes from and to the local fabric domain and the external domain.
External Border: connects the Campus Fabric to unknown networks. These unknown networks are generally the Internet and Cloud. An External Border is responsible only for advertising prefixes from the local fabric domain to the external domain; it does not import external prefixes, since it is the default exit for unknown destinations.

Why Internal Border? (slide 74)
[Diagram: Edge Node 192.168.200.2/32, Distribution Switch, IP Network, External Border/Control Plane Node 192.168.200.1/32, External Network, WAN/Branch, Datacenter WAN; all external reachability through the External Border]

Why Internal Border? (slide 75)
[Diagram: Edge Node 192.168.200.2/32, Distribution Switch, IP Network, External Border 192.168.200.1/32 toward the External Network, Internal Border toward WAN/Branch, Internal Border toward Datacenter WAN]

Why Internal Border? (slide 76)
- Flexibility in platform choice: the Internal Borders can be a different platform than the External Border.
- The number of Internal Borders is independent of the number of External Borders (it depends on the network design).

Routing on the Internal Borders (slide 77)
[Diagram: Edge Node 192.168.200.2/32, IP Network, Internal Border(s) 192.168.200.22/32 toward WAN/Branch, Internal Border(s) 192.168.200.23/32 toward Datacenter WAN]
Routing needs to be configured on the Internal Borders to:
- Advertise Fabric overlay prefixes outside to the rest of the network.
- Redistribute known network prefixes into the fabric.
- Use a route filter in the global routing instance to filter incoming fabric prefixes. This prevents the underlay from learning fabric (EID) prefixes, and prevents one VRF from learning another VRF's routes.

Internal Border Routing: Importing from OSPF into LISP (slide 78)
[Diagram: Edge Node 192.168.200.2/32, IP Network, Internal Border(s) 192.168.200.22/32, WAN/Branch]
On the Internal Border, import the VRF's OSPFv3 (IPv4) routes into the LISP database so the fabric learns the known external prefixes:
router lisp
 locator-set int_border
 locator-table default
 !
 eid-table vrf CORPORATE instance-id 10
  ipv4 route-import database ospfv3 123 locator-set int_border
  ipv4 distance site-registrations 250
  exit

Internal Border Routing: Importing from EIGRP into LISP (slide 79)
[Diagram: Edge Node 192.168.200.2/32, IP Network, Internal Border(s) 192.168.200.22/32, WAN/Branch]
The same import with EIGRP as the external protocol:
router lisp
 locator-set int_border
 locator-table default
 !
 eid-table vrf CORPORATE instance-id 10
  ipv4 route-import database eigrp 65535 locator-set int_border
  ipv4 distance site-registrations 250
  exit

Internal Border Routing: Advertise from LISP into OSPF (slide 80)
[Diagram: Edge Node 192.168.200.2/32, IP Network, Internal Border(s) 192.168.200.22/32, WAN/Branch]
Export the site registrations into the RIB and redistribute them into the VRF's OSPFv3 address family, summarized, with an inbound distribute-list (ACL 2 is not shown on the slide):
router lisp
 locator-table default
 !
 eid-table vrf CORPORATE instance-id 10
  ipv4 route-export site-registrations
  ipv4 distance site-registrations 250
  ipv4 map-cache site-registration
  exit
!
router ospfv3 123
 !
 address-family ipv4 unicast vrf CORPORATE
  summary-prefix 10.2.3.0/24
  redistribute lisp metric 10
  distribute-list 2 in
 exit-address-family

Internal Border Routing: Advertise from LISP into BGP (slide 81)
[Diagram: Edge Node 192.168.200.2/32, IP Network, Internal Border(s) 192.168.200.22/32, WAN/Branch]
The same export with BGP as the external protocol; aggregate-address with summary-only advertises only the summary to the eBGP peer:
router lisp
 locator-table default
 !
 eid-table vrf CORPORATE instance-id 10
  ipv4 route-export site-registrations
  ipv4 distance site-registrations 250
  ipv4 map-cache site-registration
  exit
!
router bgp 65003
 address-family ipv4 vrf CORPORATE
  redistribute lisp metric 10
  aggregate-address 10.2.3.0 255.255.255.0 summary-only
  neighbor 192.168.2.254 remote-as 65004
  neighbor 192.168.2.254 activate
  exit
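The rule on slide 77 (fabric prefixes must only ever be redistributed inside the VRF address family, and only behind a filter or summary) is the kind of thing that silently breaks when someone pastes a `redistribute lisp` one indentation level too high. The following is an added Python example, not from the deck, that walks a constructed Internal Border configuration, groups `redistribute` statements by routing process and address family, and flags a leak into the global table or an unfiltered redistribution; the config text and the protocol/AS numbers in it are assumptions for the illustration.

```python
import re

# Constructed Internal Border config (not from the deck): the VRF address families
# mirror slides 80 and 81, but a second "redistribute lisp" was mistakenly added
# directly under "router ospfv3 123", i.e. into the global (underlay) table.
BORDER_CFG = """\
router ospfv3 123
 redistribute lisp metric 10
 !
 address-family ipv4 unicast vrf CORPORATE
  summary-prefix 10.2.3.0/24
  redistribute lisp metric 10
  distribute-list 2 in
 exit-address-family
!
router bgp 65003
 address-family ipv4 vrf CORPORATE
  redistribute lisp metric 10
  aggregate-address 10.2.3.0 255.255.255.0 summary-only
  neighbor 192.168.2.254 remote-as 65004
  neighbor 192.168.2.254 activate
 exit-address-family
!
"""

# Statements that constrain what a redistribution advertises.
FILTER_RE = re.compile(
    r"^(distribute-list|route-map|summary-prefix|summary-address|aggregate-address)\b")


def parse_scopes(config):
    """Return [(router_line, address_family_line_or_None, [statements])] in config order."""
    scopes, router, af, stmts = [], None, None, []

    def flush():
        if router is not None and stmts:
            scopes.append((router, af, stmts))

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("router "):
            flush(); router, af, stmts = line, None, []
        elif line.startswith("address-family "):
            flush(); af, stmts = line, []
        elif line.startswith("exit-address-family"):
            flush(); af, stmts = None, []
        else:
            stmts.append(line)
    flush()
    return scopes


def audit(config):
    """Return [(severity, router_line, af_line, message)] for every risky redistribute."""
    findings = []
    for router, af, stmts in parse_scopes(config):
        redists = [s for s in stmts if s.startswith("redistribute ")]
        if not redists:
            continue
        in_vrf = af is not None and " vrf " in f" {af} "
        filtered = any(FILTER_RE.match(s) for s in stmts)
        for r in redists:
            if r.startswith("redistribute lisp") and not in_vrf:
                findings.append(("ERROR", router, af,
                                 f"'{r}' in the global table: fabric EID prefixes leak into the underlay"))
            elif not filtered:
                findings.append(("WARN", router, af,
                                 f"'{r}' has no distribute-list/route-map/summary in this scope"))
    return findings


if __name__ == "__main__":
    for sev, router, af, msg in audit(BORDER_CFG):
        print(f"{sev}: {router} / {af or 'global'}: {msg}")
```

The parser only understands the three-level `router` / `address-family` / statement layout used on these slides, which is enough to catch the two mistakes that matter here: a `redistribute lisp` outside any VRF address family, and a redistribution with nothing limiting what it leaks.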

Shared Resources (slide 82)
[Diagram: Edge Node 192.168.200.2/32, IP Network, Internal Border(s) 192.168.200.22/32, DDI, ISE/AD]
Internal Border toward the shared-services block: import the EIGRP routes into LISP and export the site registrations (the locator-set name must match the one defined above):
router lisp
 encapsulation vxlan
 locator-set int_border
  exit
 !
 eid-table vrf CORPORATE instance-id 10
  ipv4 route-import database eigrp 65535 locator-set int_border
  ipv4 route-export site-registrations
  ipv4 distance site-registrations 250
  ipv4 map-cache site-registration
  exit

Shared Resources (slide 83)
[Diagram: Edge Node 192.168.200.2/32, IP Network, Internal Border(s) 192.168.200.22/32, DDI, ISE/AD]
EIGRP in the VRF on the Internal Border (metric: bandwidth, delay, reliability, load, MTU 9100):
router eigrp 65535
 !
 address-family ipv4 vrf CORPORATE
  redistribute lisp metric 10000 1 255 1 9100
  network 192.168.2.253 0.0.0.0
  autonomous-system 65535
 exit-address-family
!

Shared Resources (slide 84)
[Diagram: Edge Node 192.168.200.2/32, IP Network, Internal Border(s) 192.168.200.22/32, DDI, ISE/AD]
The peer on the shared-services side (192.168.2.254) runs the same EIGRP autonomous system:
router eigrp 65535
 network 192.168.2.254 0.0.0.0

Distribute Control Plane Node from External Border (slide 85)
[Diagram: Edge Node 192.168.200.2/32, IP Network, Control Plane node 192.168.200.25/32, External Borders 192.168.200.1/32 and 192.168.200.3/32]
LISP configuration on the dedicated Control Plane node:
router lisp
 encapsulation vxlan
 locator-table default
 locator-set msmr
  IPv4-interface Loopback0 priority 10 weight 10
  exit
 !
 eid-table vrf CORPORATE instance-id 10
  ipv4 route-export site-registrations
  ipv4 distance site-registrations 250
  exit

Distribute Control Plane Node from External Border (slide 86)
[Diagram: Edge Node 192.168.200.2/32, IP Network, Control Plane node 192.168.200.25/32, External Borders 192.168.200.1/32 and 192.168.200.3/32]
Site and map-server/map-resolver configuration on the Control Plane node:
router lisp
 site site_uci
  description map-server configured from apic-em
  authentication-key uci
  eid-prefix instance-id 10 0.0.0.0/0 accept-more-specifics
  eid-prefix instance-id 10 10.2.3.0/24 accept-more-specifics
  exit
 !
 ipv4 map-server
 ipv4 map-resolver
 exit

Distribute Control Plane Node from External Border (slide 87)
[Diagram: Edge Node 192.168.200.2/32, IP Network, Control Plane node 192.168.200.25/32, External Borders 192.168.200.1/32 and 192.168.200.3/32]
Set up an iBGP session between the Control Plane node and the External Border. On the External Border (peering to the Control Plane node 192.168.200.25):
router bgp 65002
 bgp log-neighbor-changes
 neighbor 192.168.200.25 remote-as 65002
 neighbor 192.168.200.25 update-source Loopback0
 !
 address-family vpnv4
  neighbor 192.168.200.25 activate
  neighbor 192.168.200.25 send-community both
 exit-address-family
 !
 address-family ipv4 vrf CORPORATE
  aggregate-address 10.2.3.0 255.255.255.0 summary-only
  redistribute lisp metric 10
 exit-address-family

Distribute Control Plane Node from External Border (slide 88)
[Diagram: Edge Node 192.168.200.2/32, IP Network, Control Plane node 192.168.200.25/32, External Borders 192.168.200.1/32 and 192.168.200.3/32]
On the External Border, import the BGP-learned fabric prefixes into the LISP map-cache:
router lisp
 encapsulation vxlan
 locator-set border
  IPv4-interface Loopback0 priority 10 weight 10
  exit
 !
 eid-table vrf CORPORATE instance-id 10
  ipv4 route-import map-cache bgp 65002
  exit

Distribute Control Plane Node from External Border (slide 89)
[Diagram: Edge Node 192.168.200.2/32, IP Network, Control Plane node 192.168.200.25/32, External Borders 192.168.200.1/32 and 192.168.200.3/32]
On the External Border, point the ITR/ETR functions at both map-resolvers/map-servers:
router lisp
 ipv4 proxy-etr
 ipv4 proxy-itr 192.168.200.25
 ipv4 itr map-resolver 192.168.200.3
 ipv4 itr map-resolver 192.168.200.1
 ipv4 etr map-server 192.168.200.3 key cisco
 ipv4 etr map-server 192.168.200.1 key cisco
 ipv4 etr
 exit

Distribute Control Plane Node from External Border (slide 90)
[Diagram: Edge Node 192.168.200.2/32, IP Network, Control Plane node 192.168.200.25/32, External Borders 192.168.200.1/32 and 192.168.200.3/32]
Set up the iBGP sessions between the External Borders and the Control Plane node. On the Control Plane node (peering to both External Borders):
router bgp 65002
 bgp log-neighbor-changes
 neighbor 192.168.200.1 remote-as 65002
 neighbor 192.168.200.1 update-source Loopback0
 neighbor 192.168.200.3 remote-as 65002
 neighbor 192.168.200.3 update-source Loopback0
 !
 address-family vpnv4
  neighbor 192.168.200.1 activate
  neighbor 192.168.200.1 send-community both
  neighbor 192.168.200.3 activate
  neighbor 192.168.200.3 send-community both
 exit-address-family

Distribute Control Plane Node from External Border (slide 91)
[Diagram: Edge Node 192.168.200.2/32, IP Network, Control Plane node 192.168.200.25/32, External Borders 192.168.200.1/32 and 192.168.200.3/32, External Network]
Redistribute BGP into the IGP at the external router to advertise the fabric prefixes to the external network.

Distribute Control Plane Node from External Border (slide 92)
[Diagram: Edge Node 192.168.200.2/32, IP Network, Control Plane node 192.168.200.25/32, External Borders 192.168.200.1/32, 192.168.200.3/32 and 192.168.200.26/32, External Network]
If multiple Borders redistribute fabric prefixes into the external network, use an eBGP session toward the external routers so the AS path breaks redistribution loops dynamically. Otherwise use distribute-lists with IP ACLs, which carry a maintenance overhead every time a prefix is added.

Redistribution from LISP to iBGP (slide 93)
[Diagram: Control Plane Node: LISP Database -> Routing Information Base (RIB) -> iBGP; Border Node: iBGP]

Redistribution from iBGP to eBGP to IGP (slide 94)
[Diagram: Border Node: eBGP; External Router: eBGP -> Routing Information Base (RIB) -> External Network Protocol]

Redistribution from IGP to eBGP, Internal Border (slide 95)
[Diagram: External Router: External Network Protocol -> Routing Information Base (RIB) -> eBGP; Border Node: eBGP]

Redistribution from IGP to eBGP, Internal Border (slide 96)
[Diagram: Border Node: iBGP; Control Plane Node: iBGP -> LISP Database]

Migration @ Work, Simplified View (slide 97)
[Diagram: DDI, MPLS (Branch, IWAN), MPLS (DC, IWAN), I-NET (Internet); Internal Borders, External Borders, two Control Plane Nodes, Fabric Edge Nodes]

Replace Legacy Access Switches in the Network (slide 98)
Use the same procedure outlined in the last three slides (slides 67-69) to add Fabric-enabled Edge switches while replacing legacy switches in the network. After all the legacy switches in that Distribution block are replaced with Fabric-enabled Edge switches, remove the Fabric Edge connected to the Distribution switch and use it to migrate the second Distribution block, following the same procedure as outlined previously (slides 61-66).

Migration @ Work (slide 99)
[Diagram: DDI, MPLS (Branch, IWAN), MPLS (DC, IWAN), I-NET (Internet); Internal Borders, External Borders, Campus Fabric]

Routed Access Designs

Routed Access Network (slide 101)
[Diagram: DDI, MPLS (Branch, IWAN), MPLS (DC, IWAN), I-NET (Internet)]

Considerations for Migrating Routed Access (slide 102)
- Routed Access designs are easier to migrate to Campus Fabric: the supporting infrastructure (mainly DHCP relay) is already set up, and Routed Access is the building block for Campus Fabric.
- The loopback subnet that forms the RLOC addresses needs to be factored into the addressing plan.
- IS-IS is the preferred underlay routing protocol, but the existing IGP can be kept and cut over to IS-IS later.
- Once Campus Fabric is deployed, there is an opportunity to consolidate existing subnets into fewer, larger subnets.



Simplified View (slide 105)
[Diagram: Edge Node 192.168.200.2/32, IP Network, Border/Control Plane Node 192.168.200.1/32, External Network]
- The access switch becomes the Fabric Edge node.
- The intermediate network is reduced to "IP Network".
- The Fabric Border node is the router connecting to Internet services.
- The Control Plane node can be one of the network devices or a CSR1Kv, as long as it is IP-reachable.

Getting Started Steps (slide 106)
[Diagram: Edge Node 192.168.200.2/32, IP Network, Border/Control Plane Node 192.168.200.1/32, External Network]
- Upgrade the software on one of the routers that will act as the Border node.
- Co-locate the Control Plane node function on the Border for simplicity.
- Upgrade the software on the access switch.
- IS-IS is the recommended underlay IGP for Fabric networks, but any IGP will do.

Prepping the Switch (slide 107)
[Diagram: Edge Node 192.168.200.2/32, IP Network, Border/Control Plane Node 192.168.200.1/32, External Network]
Do not forget the following on the Edge node:
- Set the MTU to 9100 on the switch and on the existing network in the path (VXLAN adds 50 bytes of outer headers).
- Configure Loopback0 (/32) and the underlay IP addresses.

Fabric Configuration on Edge node (slide 108)
[Diagram: Edge Node 192.168.200.2/32, IP Network, Border/Control Plane Node 192.168.200.1/32, External Network]
router lisp
 encapsulation vxlan
 locator-table default
 locator-set rloc_sjc18
  IPv4-interface Loopback0 priority 10 weight 10
  exit
 !
 disable-ttl-propagate
 ipv4 sgt
 ipv4 use-petr 192.168.200.1
 ipv4 itr map-resolver 192.168.200.1
 ipv4 itr
 ipv4 etr map-server 192.168.200.1 key cisco
 ipv4 etr
 exit
The map-server key cisco is a slide placeholder: use a strong shared key, identical on the Edge and on the map-server's site definition.

Border and Control Plane Configuration (slide 109)
[Diagram: Edge Node 192.168.200.2/32, IP Network, Border/Control Plane Node 192.168.200.1/32, External Network]
router lisp
 encapsulation vxlan
 locator-table default
  exit
 !
 disable-ttl-propagate
 ipv4 map-server
 ipv4 map-resolver
 ipv4 sgt
 ipv4 proxy-etr
 ipv4 proxy-itr 192.168.200.1
 ipv4 itr map-resolver 192.168.200.1
 ipv4 etr map-server 192.168.200.1 key cisco
 ipv4 etr
 exit
!
router lisp
 site site_uci
  authentication-key cisco
  exit
 ipv4 map-server
 ipv4 map-resolver
 exit

VRF Configuration on Edge and Border (slide 110)
[Diagram: Edge Node 192.168.200.2/32, IP Network, Border/Control Plane Node 192.168.200.1/32, External Network]
ip vrf CORPORATE
 rd 1:1
 route-target export 1:1
 route-target import 1:1

Two options for defining the Endpoint ID space (slide 111)
[Diagram: Edge Node 192.168.200.2/32, IP Network, Border/Control Plane Node 192.168.200.1/32, External Network]
- Retain the same subnets as today.
- Use net-new subnets.

Considerations of Retaining the Existing EID Structure (slide 112)
[Diagram: Edge Node 192.168.200.2/32, IP Network, Border/Control Plane Node 192.168.200.1/32, External Network]
- No changes to existing DHCP scopes and subnet sizes.
- No changes to existing firewall or other policies that are based on IP ACLs.
- The old network design is retained, for familiarity.
- Rolling back to the old network in case of issues requires reverting the changes on the existing interfaces (SVIs).

Considerations of a Net-new Endpoint ID Structure (slide 113)
[Diagram: Edge Node 192.168.200.2/32, IP Network, Border/Control Plane Node 192.168.200.1/32, External Network]
- Changes to existing DHCP scopes and subnet sizes.
- Changes to existing firewall or other policies that are based on IP ACLs.
- Re-IP the network based on the Campus Fabric design: fewer, but larger subnets.
- Rolling back to the old network is as easy as re-assigning VLANs on the access ports, so it is less impacting.

Configure L2 VLAN and SVI at the Edge Node (slide 114)
[Diagram: Edge Node 192.168.200.2/32, IP Network, Border/Control Plane Node 192.168.200.1/32, External Network]
vlan 3
 name Bldg18_1_Users
!
interface Vlan3
 ip vrf forwarding CORPORATE
 ip dhcp relay source-interface Loopback0
 ip address 10.2.3.254 255.255.255.0
 ip helper-address global 10.1.5.252
 no ip redirects
 ip local-proxy-arp
 ip route-cache same-interface
 logging event link-status
 load-interval 30
 lisp mobility CORPORATE_10_2_3_0

Adding EID space on the Edge node (slide 115)
[Diagram: Edge Node 192.168.200.2/32, IP Network, Border/Control Plane Node 192.168.200.1/32, External Network]
router lisp
 locator-table default
 eid-table vrf CORPORATE instance-id 10
  dynamic-eid CORPORATE_10_2_3_0
   database-mapping 10.2.3.0/24 locator-set rloc_sjc18
   exit

Adding EID space on the Border/Control Plane node (slide 116)
[Diagram: Edge Node 192.168.200.2/32, IP Network, Border/Control Plane Node 192.168.200.1/32, External Network]
router lisp
 locator-table default
 eid-table vrf CORPORATE instance-id 10
  map-cache 10.2.3.0/24 map-request
  exit
 !
 site site_uci
  authentication-key cisco
  eid-prefix instance-id 10 10.2.3.0/24 accept-more-specifics
  exit

Considerations of a Net-new Endpoint ID Structure (slide 117)
[Diagram: Edge Node 192.168.200.2/32, IP Network, Border/Control Plane Node 192.168.200.1/32, External Network]
- Re-configure the other VLANs and SVIs as shown on the previous slides.
- Add those subnets as EIDs on the Fabric Edge and on the Border/Control Plane node.
- All VLANs on the Edge node are now part of the Campus Fabric.
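Slides 114 to 117 repeat the same three fragments (SVI, dynamic-eid on the Edge, map-cache plus site eid-prefix on the Border) once per VLAN, and the names and prefixes have to agree across all three. The following is an added Python example, not from the deck, that generates those fragments from a constructed VLAN plan and refuses to emit anything if the plan has overlapping subnets or duplicate VLAN IDs; the VLAN names beyond the first, the DHCP helper address and the site key are assumptions carried over from the slide examples.

```python
import ipaddress

# Constructed VLAN plan for one Fabric Edge (not from the deck). The first row
# matches the Bldg18_1_Users example on slide 114; the others are assumed.
VLAN_PLAN = [
    (3, "Bldg18_1_Users", "10.2.3.0/24"),
    (4, "Bldg18_1_Printers", "10.2.4.0/24"),
    (5, "Bldg18_1_IoT", "10.2.5.0/24"),
]
VRF, INSTANCE_ID, LOCATOR_SET = "CORPORATE", 10, "rloc_sjc18"
DHCP_SERVER = "10.1.5.252"   # helper address from slide 114 (assumed to be the DDI server)
SITE_KEY = "cisco"           # placeholder from the deck; use a strong key in production


def validate_plan(plan):
    """Return the parsed networks, or raise ValueError on overlap, host bits or duplicate VLAN."""
    seen, nets = set(), []
    for vlan, _name, cidr in plan:
        net = ipaddress.ip_network(cidr, strict=True)   # strict: "10.2.3.1/24" is rejected
        if vlan in seen:
            raise ValueError(f"duplicate VLAN {vlan}")
        for other in nets:
            if net.overlaps(other):
                raise ValueError(f"{net} overlaps {other}")
        seen.add(vlan)
        nets.append(net)
    return nets


def dyn_eid_name(net):
    """CORPORATE_10_2_3_0 style name, as used by 'lisp mobility' and 'dynamic-eid'."""
    return f"{VRF}_{str(net.network_address).replace('.', '_')}"


def edge_config(plan):
    """SVIs plus dynamic-eid mappings for the Fabric Edge; gateway is the last usable host."""
    nets = validate_plan(plan)
    out = []
    for (vlan, name, _cidr), net in zip(plan, nets):
        gw = net[-2]   # .254 for a /24, like the slide
        out += [f"vlan {vlan}", f" name {name}", "!",
                f"interface Vlan{vlan}",
                f" ip vrf forwarding {VRF}",
                " ip dhcp relay source-interface Loopback0",
                f" ip address {gw} {net.netmask}",
                f" ip helper-address global {DHCP_SERVER}",
                " no ip redirects",
                " ip local-proxy-arp",
                " ip route-cache same-interface",
                f" lisp mobility {dyn_eid_name(net)}", "!"]
    out += ["router lisp", " locator-table default",
            f" eid-table vrf {VRF} instance-id {INSTANCE_ID}"]
    for net in nets:
        out += [f"  dynamic-eid {dyn_eid_name(net)}",
                f"   database-mapping {net} locator-set {LOCATOR_SET}",
                "   exit"]
    out += ["  exit", " exit"]
    return "\n".join(out)


def border_config(plan):
    """Matching map-cache and site eid-prefix entries for the Border/Control Plane node."""
    nets = validate_plan(plan)
    out = ["router lisp", " locator-table default",
           f" eid-table vrf {VRF} instance-id {INSTANCE_ID}"]
    out += [f"  map-cache {net} map-request" for net in nets]
    out += ["  exit", " site site_uci", f"  authentication-key {SITE_KEY}"]
    out += [f"  eid-prefix instance-id {INSTANCE_ID} {net} accept-more-specifics" for net in nets]
    out += ["  exit", " exit"]
    return "\n".join(out)


if __name__ == "__main__":
    print(edge_config(VLAN_PLAN))
    print("!")
    print(border_config(VLAN_PLAN))
```

Because both sides are generated from one table, a prefix cannot be registered on the Border that is not mapped on the Edge (or the reverse), and the overlap check catches the case where a summarized prefix would swallow another VLAN's EID space.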

Exporting Fabric Prefixes to the External Network (slide 118)
[Diagram: Edge Node 192.168.200.2/32, IP Network, Border/Control Plane Node 192.168.200.1/32, External Network]
- Only export the Fabric (overlay) prefixes to the external network.
- There is no need to import external prefixes into the Fabric, since the Border acts as the default for unknown destinations.
- The external network needs a route to direct traffic back to the Fabric prefixes.
- The preferred way of exchanging this routing information is BGP.

Advertising Fabric Prefixes to the External Network - OSPF (slide 119)
[Diagram: Edge Node 192.168.200.254/32, IP Network, Border/Control Plane Node 192.168.200.1/32, External Network]
On the Border/Control Plane node:
router lisp
 locator-table default
 !
 eid-table vrf CORPORATE instance-id 10
  ipv4 route-export site-registrations
  ipv4 map-cache site-registration
  exit
!
router ospfv3 123
 !
 address-family ipv4 unicast vrf CORPORATE
  summary-prefix 10.2.3.0/24
  redistribute lisp metric 10
 exit-address-family
!
interface Vlan4090
 ip vrf forwarding CORPORATE
 ip address 192.168.1.253 255.255.255.0
 ip ospf network point-to-point
 ip ospf mtu-ignore
 ipv6 enable
 ospfv3 123 ipv4 area 0
end

Advertising Fabric Prefixes to the External Network - OSPF (slide 120)
[Diagram: Edge Node 192.168.200.254/32, IP Network, Border/Control Plane Node 192.168.200.1/32, External Network]
On the external router:
interface GigabitEthernet0/0/4.4090
 encapsulation dot1q 4090
 ip address 192.168.1.254 255.255.255.0
 ip ospf network point-to-point
 ip ospf mtu-ignore
 ipv6 enable
 ospfv3 123 ipv4 area 0
end
!
router ospfv3 123
 !
 address-family ipv4 unicast
 exit-address-family

Advertising Fabric Prefixes to the External Network - BGP (slide 121)
[Diagram: Edge Node 192.168.200.254/32, IP Network, Border/Control Plane Node 192.168.200.1/32, External Network]
On the Border/Control Plane node, with eBGP toward the external router:
router lisp
 locator-table default
 !
 eid-table vrf CORPORATE instance-id 10
  ipv4 route-export site-registrations
  ipv4 map-cache site-registration
  exit
!
router bgp 65001
 address-family ipv4 vrf CORPORATE
  redistribute lisp metric 10
  aggregate-address 10.2.3.0 255.255.255.0 summary-only
  neighbor 192.168.1.254 remote-as 65002
  neighbor 192.168.1.254 activate
  exit

Repeat Slides 70-87 (slide 122)
- Add a second Control Plane/External Border node.
- Add Internal Borders for WAN, Datacenter and Shared Resources connectivity.
- Configure routing on the Internal Borders to advertise fabric prefixes to the external network and to register the known external prefixes within the fabric.
- Distribute the Control Plane and External Border functions to their respective switches.

Routed Access Network (slide 123)
[Diagram: DDI, MPLS (Branch, IWAN), MPLS (DC, IWAN), I-NET (Internet); Internal Borders, External Borders, two Control Plane Nodes, Fabric Edge Nodes]

Upgrade and provision other Fabric Edge nodes (slide 124)
[Diagram: Edge Nodes 192.168.200.2/32 and 192.168.200.5/32, IP Network, Control Plane nodes 192.168.200.1/32 and 192.168.200.3/32, External Borders including 192.168.200.4/32, External Network]
- Upgrade the other switches in the access layer to Fabric Edge nodes in the same way.
- Copy and paste the fabric configuration (except the Loopback and a couple of other node-specific values, such as the locator-set) and the EID space configuration from the first switch to the others.

Migration @ Work (slide 125)
[Diagram: DDI, MPLS (Branch, IWAN), MPLS (DC, IWAN), I-NET (Internet); Internal Borders, External Borders, Campus Fabric]

Wireless

Wireless Deployment Models (slide 127)
- Cisco Unified Wireless Network (Centralized Wireless)
- FlexConnect
- Converged Access

Where do I connect WLCs and APs? (slide 128)
- WLCs connect outside the fabric, behind an Internal Border.
- APs can connect in the overlay EID space in the fabric.
- Leverage stretched wired subnets to create one VLAN across the fabric for all APs.

Centralized Wireless and Campus Fabric (slide 129)
[Diagram: Edge Node 192.168.200.2/32, Campus Fabric / IP Network, Internal Border(s) 192.168.200.22/32, WLC Management IP 192.168.1.253/24; AP subnet 10.1.0.0/20, WLC management subnet 192.168.1.0/24]
- WLCs connect behind the Internal Border, in the underlay.
- The Internal Border advertises the WLC management subnet into the Fabric.
- The Internal Border advertises the Fabric prefixes to the WLC management network.

Centralized Wireless and Campus Fabric (slide 130)
[Diagram: Edge Node 192.168.200.2/32, Campus Fabric / IP Network, Internal Border(s) 192.168.200.22/32, WLC Management IP 192.168.1.253/24, Wireless Clients Subnet 10.2.7.254/21]
- Wireless SSIDs are mapped to a VLAN/subnet at the WLC in the form of dynamic interfaces.
- The Internal Border advertises the wireless client subnets into the Fabric.

Centralized Wireless and Campus Fabric (slide 131)
[Diagram: Edge Nodes 192.168.200.2/32 and 192.168.200.30/32, each with AP VLAN gateway 10.1.15.254/20; APs 10.1.0.1/20 and 10.1.0.2/20; Campus Fabric / IP Network; Internal Border(s) 192.168.200.22/32]
- Access Points are in the overlay space on the Fabric Edge switches.
- One subnet for APs across the entire Fabric in the campus.
- APs get registered in the Host Tracking Database (HTDB) running on the Control Plane node.
- Simplified IP design for the network.

Centralized Wireless and Campus Fabric (slide 132)
[Diagram: Edge Node 192.168.200.2/32, Campus Fabric / IP Network, Internal Border(s) 192.168.200.22/32, WLC Management IP 192.168.1.253/24]
- The CAPWAP tunnel is built from the AP to the WLC.
- When this traffic hits the Fabric Edge switch, the Edge encapsulates the CAPWAP packet in VXLAN and forwards it to the Internal Border.
- The Internal Border removes the outer VXLAN header and forwards the underlying CAPWAP packet to the WLC.

Impact of Multiple Encapsulations on Frame Size (slide 133)
Wireless frame: ETHERNET | 802.11 | IP | PAYLOAD
CAPWAP from the AP to the WLC: ETHERNET | IP | UDP | CAPWAP | ETHERNET | 802.11 | IP | PAYLOAD
CAPWAP carried in VXLAN across the fabric: ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | UDP | CAPWAP | ETHERNET | 802.11 | IP | PAYLOAD

Centralized Wireless and Campus Fabric: AP Join (slide 134)
[Diagram: Edge Node 192.168.200.2/32, Campus Fabric / IP Network, Internal Border(s) 192.168.200.22/32, WLC Management IP 192.168.1.253/24]
- WLC discovery by the AP happens the same way as today: Layer-3 CAPWAP, a locally configured controller IP address, DHCP server discovery via Option 43, or DNS discovery.
- The AP sends a frame padded to 1485 bytes with DF=1.
- The Edge encapsulates the frame in VXLAN, which takes it above 1500 bytes.

Centralized Wireless and Campus Fabric: AP Join (slide 135)
[Diagram: Edge Node 192.168.200.2/32, Campus Fabric / IP Network, Internal Border(s) 192.168.200.22/32, WLC Management IP 192.168.1.253/24]
- The Fabric Edge drops the packet and sends an ICMP error back to the AP.
- The AP drops its frame size to 576 bytes and joins the WLC successfully.
- The AP then tries to find the optimum frame size by stepping up to 1000 bytes, 1300 bytes and 1485 bytes again.
- Increase the MTU to 9100 on the existing network interfaces in the underlay to avoid these fragmentation problems.
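The join sequence above is a path-MTU problem: the AP's DF=1 probe fits the access link but not the VXLAN-wrapped copy the Edge puts on the underlay. The following is an added Python example, not from the deck, that models the VXLAN overhead, the Edge's drop-with-ICMP behaviour for DF packets, and the AP's probing sequence from the slide, so the effect of an underlay MTU of 1500 versus 9100 can be checked directly. The header sizes are standard values (Ethernet 14, IPv4 20, UDP 8, VXLAN 8), which the deck does not list, and the probe sizes are the ones stated on the slide.

```python
# Standard header sizes in bytes (assumed; the deck does not list them).
ETH, IP, UDP, VXLAN = 14, 20, 8, 8
VXLAN_OVERHEAD = IP + UDP + VXLAN + ETH   # outer IP/UDP/VXLAN plus the inner Ethernet header


def vxlan_outer_size(inner_ip_len):
    """Size of the outer IP packet after the Fabric Edge wraps an inner IP packet in VXLAN.
    The outer Ethernet header is not counted because MTU is measured at the IP layer."""
    return VXLAN_OVERHEAD + inner_ip_len


def max_inner_ip(underlay_mtu):
    """Largest inner IP packet that crosses the underlay without fragmentation."""
    return underlay_mtu - VXLAN_OVERHEAD


def forward(inner_ip_len, df, underlay_mtu):
    """What the Edge does with one packet: 'forwarded', 'fragmented', or 'dropped-icmp'
    (DF set and the encapsulated packet exceeds the underlay MTU, as on slide 135)."""
    if vxlan_outer_size(inner_ip_len) <= underlay_mtu:
        return "forwarded"
    return "dropped-icmp" if df else "fragmented"


def ap_join_probe(underlay_mtu, probes=(1485, 576, 1000, 1300, 1485)):
    """Replay the AP's DF=1 probing from the slide.
    Returns (log of (size, outcome), largest probe size that got through)."""
    log, best = [], 0
    for size in probes:
        outcome = forward(size, df=True, underlay_mtu=underlay_mtu)
        log.append((size, outcome))
        if outcome == "forwarded":
            best = max(best, size)
    return log, best


if __name__ == "__main__":
    for mtu in (1500, 9100):
        log, best = ap_join_probe(mtu)
        print(f"underlay MTU {mtu}: max inner IP {max_inner_ip(mtu)}, AP settles on {best}")
        for size, outcome in log:
            print(f"  probe {size:4d} -> outer {vxlan_outer_size(size)} -> {outcome}")
```

With a 1500-byte underlay the 1485-byte probe becomes 1535 bytes on the wire and is dropped both times, so the AP settles on 1300 bytes; with the 9100-byte underlay the deck recommends, every probe is forwarded and the AP keeps 1485. The same arithmetic applies to client data after the join: a full-size 1500-byte client packet inside CAPWAP inside VXLAN can never fit a 1500-byte underlay.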

Centralized Wireless and Campus Fabric (slide 136)
[Diagram: AP VLAN gateway 10.1.15.254/20 on the Edge, AP 10.1.0.1/20, Campus Fabric / IP Network, Internal Border(s) 192.168.200.22/32, Client VLAN 10.2.7.254/21 at the WLC, wireless client 10.2.0.1/21]
- Clients are authenticated and on-boarded by the WLC.
- In this model the wireless clients are external to the fabric.

Centralized Wireless and Campus Fabric (slide 137)
[Diagram: AP VLAN gateway 10.1.15.254/20 and Wired VLAN gateway 10.1.31.254/20 on the Edge, AP 10.1.0.1/20, wired host 10.1.16.1/20, Campus Fabric / IP Network, Internal Border(s) 192.168.200.22/32, Client VLAN 10.2.7.254/21 at the WLC, wireless client 10.2.0.1/21]
- Communication from a wired host in the Fabric to a wireless client outside the fabric goes through the Internal Border, just like today.
- From the fabric's point of view, it is a fabric host communicating with a known destination external to the fabric.

Centralized Wireless and Campus Fabric: Over-The-Top (OTT) Wireless (slide 138)
- Consider increasing the MTU on the transit switches to prevent fragmentation issues.
- Least impact to wireless, since the fabric is just a transport.
- Supports all the APs that are supported by the WLC software release.
- Leverages a common subnet for APs across the campus.
- No change to wireless roaming performance.
- All other wireless features such as AVC, location services, QoS, Bonjour, mDNS, RRM and others work exactly as they do today.
- Managed by Cisco Prime Infrastructure.

Take Away

Session Summary (slide 140)
1. Control Plane based on LISP
2. Data Plane based on VXLAN
3. Policy Plane based on TrustSec

What to do next? (slide 141)
1. Update your hardware and software:
   - Catalyst 3650 or 3850: IOS-XE 16.3+
   - Catalyst 4500 w/ Sup8E: IOS-XE 3.9+
   - Catalyst 6807, 6880 or 6840: IOS 15.4SY+
   - Nexus 7700 w/ M3 cards: NX-OS 7.3.2+
   - ASR1000-X or ISR4400: IOS-XE 16.4+
2. Try out Campus Fabric in your lab. You only need 2 or 3 (or more) switches to test this solution: at least one Control Plane + Border and one Fabric Edge.
3. Trial deployments (remember: it's an overlay). You can install new Control Plane, Border and Edge nodes without modifying your existing (underlay) IP network.

Campus Fabric CVD on Cisco.com (slide 142)
http://www.cisco.com/c/dam/en/us/td/docs/solutions/cvd/oct2016/cvd-campusfabricdesign-2016oct.pdf

Coming Soon (slide 143)
- Secure, policy-based automation: policy-based automated network provisioning across all network domains.
- Complete visibility and assurance: monitor the entire wired, wireless and WAN network as a single entity.
- Faster service enablement: quickly enable services using open APIs across a services ecosystem.

Campus Fabric Related Sessions (slide 144)
We recommend the following sessions:
1. BRKCRS-1800: DNA Campus Fabric - An Introduction, 21/02/17 (Tuesday) @ 11:15, 1.5 hours
2. BRKCRS-3800: DNA Campus Fabric - A Look Under the Hood, 22/02/17 (Wednesday) @ 09:00, 2 hours
3. (this session): DNA Campus Fabric - How to Integrate with Your Existing Network, 22/02/17 (Wednesday) @ 11:30, 1.5 hours
4. BRKCRS-2802: DNA Campus Fabric - Monitoring & Troubleshooting, 22/02/17 (Wednesday) @ 14:30, 1.5 hours
5. BRKCRS-2803: DNA Campus Fabric - Connecting Outside the Fabric, 22/02/17 (Wednesday) @ 16:30, 1.5 hours
6. BRKACI-2400: DNA Campus Fabric - Integration with Data Center Architectures, 23/02/17 (Thursday) @ 14:30, 1.5 hours
7. BRKEWN-2300: Virtualize Your Wired and Wireless Network (w/ Campus Fabric), 24/02/17 (Friday) @ 09:00, 2 hours



Q & A

Thank You