BRKEWN-2020.pdf - Cisco Live

#CLUS © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

Monday (June 10) Tuesday (June 11) Wednesday (June 12) Thursday (June 13)

08:00-11:00 11:00-13:00 13:00-15:00 15:00-18:00 08:00-11:00 11:00-13:00 13:00-15:00 15:00-18:00 08:00-11:00 11:00-13:00 13:00-15:00 15:00-18:00 08:00-11:00 11:00-13:00 13:00-15:00 15:00-18:00

Sessions are available Online @ CiscoLive.com

You Are Here

BRKCRS-2810Fundamentals

Cisco Software-Defined AccessCisco Live San Diego - Session Map

BRKCRS-2811Connect Outside

BRKCRS-2818Connect SDWAN

BRKCRS-1501Validated Design

BRKSEC-2025Security

BRKEWN-2021Live Setup

BRKCRS-2819Cross-Domain

BRKCRS-3811Policy

BRKCRS-2821Integration

BRKNMS-2814Assurance

BRKARC-2020Troubleshoot

BRKCRS-2812Migration

BRKCRS-2815Connect Sites

BRKEWN-2020Wireless

BRKCRS-2816Underlay

BRKCRS-3810Deep Dive

BRKCRS-2817Extension

BRKCRS-2825Scaling

BRKEWN-2020 2

#CLUS

Simone Arena, Principal TME

BRKEWN-2020

Why and how integrating wireless in SDA

SD-Access Wireless

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS

Software Defined Access – Wireless IntegrationSession Objective

1 Why Fabric and why integrating wireless?

2 How does it really work?

BRKEWN-2020 4


SD-Access: why would you care?

SD-Access Wireless Architecture

Demo: Let’s make it real!

A look under the hood

SD-Access Wireless Design & Deploy

SD-Access Wireless Adoption/Migration

Key takeaways

Agenda

BRKEWN-2020 5


All the features introduced with Cisco DNAC 1.2.x and 1.3

Wireless Over The Top (OTT)

Multicast in SDA

SDA (wired) product support

But you do have these in the slides!

What I am not covering…

BRKEWN-2020 6

Questions? Use Cisco Webex Teams to chat with the speaker after the session

Find this session in the Cisco Live Mobile App

Click “Join the Discussion”

Install Webex Teams or go directly to the team space

Enter messages/questions in the team space

How

Webex Teams will be moderated by the speaker until June 16, 2019.

1

2

3

4


Cisco Webex Teams

cs.co/ciscolivebot#BRKEWN-2020

7


Cisco’s Intent-Based NetworkDelivered by Cisco Software Defined Access

Intent-BasedNetwork Infrastructure

Cisco DNA Center

AnalyticsPolicy Automation

WirelessSwitch Route

I N T E N T C O N T E X T

S E C U R I T Y

L E A R N I N G

SD-Access

Branch

Wireless Control

Fabric Control

ACI Data Center

SAAS

Fabric Border

Fabric Edge

SD-WAN

BRKEWN-2020 8


CB B

Cisco Software Defined AccessThe Foundation for Cisco’s Intent-Based Network

IoT Network Employee Network

Client Mobility

Policy follows User

Outside

Cisco DNA Center

AssuranceAutomationPolicy

SD-AccessExtension

Automated Network Fabric

Single fabric for Wired and Wireless with full automation

Insights and Telemetry

Analytics and insights into User and Application experience

Identity-Based Policy and Segmentation

Policy definition decoupled from VLAN and IP address

BRKEWN-2020 9


SD-Access TestimonialsLive Customer SD-Access Deployments

370+Production

Deployments

Cisco IT

Network Services

www.cisco.com/c/en/us/solutions/enterprise-networks/network-architecture-customer-success-stories.html

BRKEWN-2020 10

http://www.cisco.com/c/en/us/solutions/enterprise-networks/network-architecture-customer-success-stories.html


Cisco SD-Access @ CiscoLive USCisco DNA Center with SD-Access Fabric

Marriott Marquis San Diego

BRKEWN-2020 11

https://www.marriott.com/hotels/travel/sandt-marriott-marquis-san-diego-marina/


Cisco SD-Access @ CiscoLive USCisco DNA Center with SD-Access Fabric

Marriott Marquis San Diego

Monday Keynote

1600+ client peakSimone

BRKEWN-2020 12

https://www.marriott.com/hotels/travel/sandt-marriott-marquis-san-diego-marina/

SD-Access Fabric:Why Would You Care?


What is the Problem?Common requirements and challenges

How can SDA Fabric help?

WLC

DHCPDNSAAA

ADLDAP

Data Centre WLC

IoT device

IoT device

Challenges:

Secure onboarding for different type of devices

Simplify segmentation across wired and wireless

Reducing the complexity of managing the network

Root cause problems quickly

14


Enterprise Network

PAYLOAD DATA IP SRC IP DSTPROTDST

PORT

SRC

PORTDSCP

Policy is based on “5 Tuple”

• QoS

• Security

• Redirect/copy

• Traffic engineering

• etc.

Network Policy

What is the Problem?Policy Model Today

• Only Transitive information• Survives end to end

BRKEWN-2020 15


Enterprise Network

PAYLOAD DATA IP SRC IP DSTPROTDST

PORT

SRC

PORTDSCP

Network Policy

What is the Problem?Policy Model Today

IP

ADDRESSES

Locate you Identify you Drive “treatment” Constrain you

User/device info?VLAN 10

SSID B

SSID A

VLAN 20

VLAN 40

SSID D

SSID C

VLAN 30

access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384

BRKEWN-2020 16


What is the Problem?User Group policy rollout - Today

Customer Policy requirements:

Customer requirements

CustomerPolicy

Three user Groups One single SSID Differentiated policies per Group Guest segmentation (wired and

wireless)

Employee

BYOD

Contractor

Production Serv.

Developer Serv.

L2 Switch

L3 Switch

Trunks

Trunk

BYOD Employee Contractor

One SSID

ProductionServers

AAA

DHCP

AD

WLC

DeveloperServers

LAN core

NetworkTouch Points

BRKEWN-2020 17


What is the Problem?User Group policy rollout - Today

L2 Switch

L3 Switch

Trunks

Trunk


One SSID

ProductionServers

AAA

DHCP

AD

WLC

DeveloperServers

LAN core

NetworkTouch Points

1. Define Groups in AD

2. Define Policies VLAN/subnet based

3. Implement VLANs/Subnets Create VLANs Define DHCP scope Create subnets and L3 interfaces Routing for new subnets Map SSID to Interface/VLAN

4. Implement Policy Define ACLs Apply ACLs

5. Many different User Interfaces

AAA WLC Devices CLI

….

What if You Need to Add Another Group & Policy?

BRKEWN-2020 18


But What If …

If we could “break the dependence” between IP addressing and policy, we could greatly simplify networks – and make networks much more functional.

… we could make the IP address just be a LOCATOR for you, and provide other ways to group users / devices to apply POLICY?

Key Assertion

BRKEWN-2020 19


If we could “break the dependence” between IP addressing and policy, we could greatly simplify networks – and make networks much more functional.

… we could make the IP address just be a LOCATOR for you, and provide other ways to group users / devices to apply POLICY?

Key Assertion

WITH A FABRIC…

You could build and run your network in a simpler way …

Apply Policy irrespectively of network constructs (VLAN, subnet, IP address)

Easily implement Network Segmentation (w/o implementing MPLS)

Provide L2 and L3 flexibility (w/o stretching VLANs)

BRKEWN-2020 20


What exactly is a Fabric?

A Fabric provides an Overlay networkAn Overlay is a logical topology used to virtually connect devices, built on top of some arbitrary physical Underlay topology.

An Overlay network often uses alternate forwarding attributes to provide additional services, not provided by the Underlay.

• GRE or mGRE

• MPLS or VPLS

• IPSec or DMVPN

• CAPWAP

• LISP

• OTV

• DFA

• ACI

Examples of Network Overlays

BRKEWN-2020 21


What is unique about SDA Fabric?Key components

1. Control-Plane based on LISP

BRKEWN-2020 22


Locator / ID Separation ProtocolLocation and Identity separation

IP core

Device IPv4 or IPv6 Address represents both

Identity and Location

Traditional Behavior -Location + ID are “Combined”

192.158.28.101When the Device moves, it gets a

new IPv4 or IPv6 Address for its new Identity and Location

189.16.17.89

Device IPv4 or IPv6 Address represents Identity onlyEnd Point ID (EID) space

When the Device moves, it keeps the same IPv4 or IPv6 Address.

It has the Same Identity

Overlay Behavior -Location & ID are “Separated”

IP core

Only the Location Changes (Route Locator (RLOC)

192.158.28.101

192.158.28.101

Location is Here

171.68.228.121 171.68.226.120

Underlay addressing space

MappingDatabase

Prefix RLOC192.158.28.101 …...171.68.228.121189.16.17.89 ….....171.68.226.120

22.78.190.64 ….....171.68.226.121172.16.19.90 ….....171.68.226.120192.58.28.128 ….....171.68.228.121

192.58.28.128 ….....171.68.228.121189.16.17.89 ….....171.68.226.120

Prefix RLOC192.158.28.101 …...171.68.226.120189.16.17.89 ….....171.68.226.120

22.78.190.64 ….....171.68.226.121172.16.19.90 ….....171.68.226.120192.58.28.128 ….....171.68.228.121

192.58.28.128 ….....171.68.228.121189.16.17.89 ….....171.68.226.120

BRKEWN-2020 23


ORIGINAL

PACKETPAYLOADETHERNET IP

PACKET IN

LISPPAYLOADIPLISPUDPIPETHERNET

PAYLOADETHERNET IPVXLANUDPIPETHERNETPACKET IN

VXLAN

Supports L2

& L3 Overlay

Supports L3

Overlay

What is unique about SDA Fabric?Key Components - VXLAN


2. Data-Plane based on VXLAN

BRKEWN-2020 24



2. Data-Plane based on VXLAN

3. Policy-Plane with Cisco TrustSec (CTS)

What is unique about SDA Fabric?Key components

VRF + SGT

PAYLOADETHERNET IPVXLANUDPIPETHERNET

VRF + SGT

VRF = Virtual Routing & Forwarding

SGT = Scalable Group Tagging

25BRKEWN-2020 25


VLAN BVLAN A

Campus Switch

DC Switchor Firewall

ApplicationServers

ISE

EnterpriseBackbone

Enforcement

Campus Switch

Voice Employee Supplier Non-CompliantVoiceEmployeeNon-Compliant

SharedServices

Employee Tag

Supplier Tag

Non-Compliant Tag

DC switch receives policy for only what is connectedClassification

Static or Dynamic SGT assignments

PropagationCarry “Group” context through the network using only SGT

EnforcementGroup Based Policies ACLs, Firewall Rules

Cisco TrustSecSoftware Defined Segmentation

BRKEWN-2020 26


Overlay encapsulation (VXLAN)

Fabric Underlay – Forwarding plane• Connects the network elements to each other• Optimized for traffic forwarding (scalability, performance)• Networking constructs like IP, VLANs, live here

Overlay control plane

(LISP)

Underlay

Overlay

Employee

Supplier

Devices

Fabric breaks dependency between IP and Policy. Separation of Forwarding and Services planes. In Fabric Polices are tied to User/Device Identity

Fabric brings Policy Simplification

What is unique about SDA Fabric?

Cisco DNA Centre – Automation and Assurance• Single User Interface for Fabric Management & Orchestration• Policies definition based on User, Device or App Group• Design, Deploy and Monitoring and Troubleshooting

Fabric Overlay – Services plane• Dynamically connects Users/Devices/Things• IP is an ID not used for traffic forwarding• End to End Policies and Segmentation

You convinced me on Fabric…but still, why Integrate Wireless?


SD-Access Wireless brings you the best of both wireless and wired worlds

BRKEWN-2020 29


SD-Access Fabric ArchitectureRoles and Terminology

ISE / AD

Control-Plane (CP) Node – Map System that manages Endpoint ID to Location relationships. Also known as Host Tracking DB (HTDB)

Edge Nodes – A Fabric device (e.g.. Access or Distribution) that connects wired endpoints to the SDA Fabric

Group Repository – External ID Services (e.g.. ISE) is leveraged for dynamic User or Device to Group mapping and policy definition

Border Nodes – A Fabric device (e.g.. Core) that connects External L3 network(s) to the SDA Fabric

Group Repository

SD-Access Fabric

Intermediate Nodes (Underlay)

Fabric Mode WLC

Fabric Edge Nodes

Cisco DNA Controller – Enterprise SDN Controller provides GUI management abstraction via multiple Service Apps, which share information

Cisco DNA Centre

CControl-Plane

Nodes

B

Fabric Wireless Controller – Wireless Controller (WLC) fabric-enabled, participate in LISP control planeFabric Mode

APs Fabric Mode APs – Access Points that are

fabric-enabled. Wireless traffic is VXLAN encapsulated at AP

Fabric Border

B

DHCP

NCP

NDP

BRKEWN-2020 30


SD-Access Wireless ArchitectureBringing the best of both architectures by...

1

2

3

Simplifying the Control & Management Plane

Optimizing the Data Plane

Integrating Policy & Segmentation E2E

BRKEWN-2020 31


SD-Access Wireless ArchitectureSimplifying the Control Plane

ISE / AD

Cisco DNA Center

SD-AccessFabric

BB

Policy Abstraction

and Configuration Automation

Automation Cisco DNA Center simplifies the Fabric deployment, Including the wireless integration component

C

Fabric enabled WLC:WLC is part of LISP control plane

Centralized Wireless Control Plane WLC still provides client session management AP Mgmt, Mobility, RRM, etc. Same operational advantages of CUWN

CAPWAPCntrl plane

LISPCntrl plane

1

LISP control plane Management WLC integrates with LISP control plane WLC updates the CP for wireless clients Mobility is integrated in Fabric thanks to LISP CP

BRKEWN-2020 32


SD-Access Wireless ArchitectureControl Plane Node – A Closer Look

A simple Host Database, that tracks Endpoint ID to Edge Node bindings (a.k.a. Route Locator or RLOCs)

Host Database supports multiple types of Endpoint ID (EID), such as IPv4 /32, IPv6 /128* or MAC/48

Receives prefix registrations from Edge Nodes for wired clients, and from Fabric mode WLCs for wireless clients

Resolves lookup requests from FE to locate Endpoints

Updates Fabric Edge nodes, Border nodes with wireless client mobility and RLOC information

Fabric Control-Plane Node is based on a LISP Map Server / Resolver

Runs the LISP Endpoint ID Database to provide overlay reachability information

1

CPEID VNI RLOC

10.1.1.20 10 192.168.1.1

C

10.1.1.20

192.168.1.1

FE1

(*) roadmapBRKEWN-2020 33


Fabric Mode WLC integrates with the LISP Control Plane

Control Plane is centralized at the WLC for all Wireless functions

SD-Access Wireless ArchitectureFabric WLC– A Closer Look

1

FabricWLCC

FE1

WLC is still responsible for : AP image/config, Radio Resource Management (RRM) and client session management and roaming

For Fabric integration:• For wireless, client MAC address is used as EID • WLC interacts with the Host Tracking DB on Control-Plane node for

Client MAC address registration with SGT and L2 VNI • The VN information is a Layer 2 VN (L2 VNID) information and it’s

mapped to a VLAN on the FEs• WLC is responsible for updating the Host Tracking DB with roaming

information for wireless clients• Fabric enabled WLC needs to be co-located at the same site with

APs (latency between AP and WLC needs to be < 20 ms)

ab:12:cd:34:2f.56

EID L2 VNI RLOC

ab:12:cd:34:2f.56 10 192.168.1.1

192.168.1.1

BRKEWN-2020 34


SD-Access Wireless ArchitectureOptimizing the Data Plane

ISE / AD

Cisco DNA Center

SD-AccessFabric

BB

Policy Abstraction

and Configuration Automation

Automation Cisco DNA Center simplifies the Fabric deployment, Including the wireless integration component

C

Fabric enabled WLC:WLC is part of LISP control plane

Centralized Wireless Control Plane WLC still provides client session management AP Mgmt, Mobility, RRM, etc. Same operational advantages of CUWN

CAPWAPCntrl plane

LISPCntrl plane

2

LISP control plane Management WLC integrates with LISP control plane WLC updates the CP for wireless clients Mobility is integrated in Fabric thanks to LISP CP

VXLANData plane

VXLAN from the AP Carrying hierarchical policy segmentation starting from the

edge of the network

Optimized Distributed Data Plane Fabric overlay with Anycast GW + Stretched subnet VLAN extension with no complications All roaming is Layer 2Fabric enabled AP:

AP encapsulates Fabric SSID traffic in VXLAN

VXLAN

(Data Plane)

35


SD-Access Wireless ArchitectureOptimizing the Data Plane: Fabric Edge – A Closer Look

FabricWLCC

FE1

10.1.10.20

Fabric Edges (FE)

Fabric Edge Node is based on a LISP Tunnel Router

Provides connectivity for Users and Devices connected to the Fabric

2

Responsible for Identifying and Authenticating wired Endpoints

Registers Endpoint ID info with the Control-Plane Node(s)

Provide VN services for Wireless Clients (L3 VNID)

Onboard APs into fabric and form VXLAN tunnels with APs

Provides Anycast L3 Gateway for connected Endpoints

EID L3 VNI RLOC

10.1.1.20 100 192.168.1.1

192.168.1.1

BRKEWN-2020 36


SD-Access Wireless ArchitectureOptimizing the Data Plane: Anycast Gateway – A Closer Look

FabricWLCC

FE1

Fabric Edges (FE)

Anycast GW provides a single L3 Default Gateway

Based on Virtual IP address (VIP)

2

192.168.1.1

Similar principle and behavior as HSRP / VRRP with a shared Virtual IP and MAC address

The same Switched Virtual Interface (SVI) is present on every Edge, with the same Virtual IP and MAC

If (when) a Host moves from Edge A to Edge B, it does not need to change it’s (L3) Default Gateway!

GW GW GWIP 10.1.1.1

MAC ab:12:cd:34:ef:56

10.1.1.1 10.1.1.1

10.1.1.1010.1.1.10

BRKEWN-2020 37


SD-Access Wireless ArchitectureOptimizing the Data Plane: Stretched subnets – A Closer Look

FabricWLCC

FE1

Stretched subnets allow an IP subnet to be “stretched” via the overlay

Based on a Anycast GW + LISP Dynamic EID + VXLAN overlay

2

192.168.1.1

GW GW GW10.1.1.1 10.1.1.1

Host IP based traffic arrives on the local Fabric Edge SVI, and is then transferred by LISP

LISP Dynamic EID allows Host-specific (/32, /128, MAC) advertisement and mobility

No longer need to stretch a VLAN across access layer switches to connect Host 1 and 2 to get L2 adjacency

Client 1 connected to Fabric Edge 1 (FE1) can talk to client B on FE2 as they are on the same IP subnet.

Dynamic

EID

10.1.1.10 10.1.1.11

FE2

BRKEWN-2020 38


SD-Access Wireless ArchitectureOptimizing the Data Plane: Fabric Mode AP – A Closer Look

FabricWLCC

FE1

Fabric Mode AP integrates with the VXLAN Data Plane

Wireless Data Plane is distributed at the AP

2

192.168.1.1

GW GW GW10.1.1.1 10.1.1.1

FE2

Fabric mode AP is a local mode AP and needs to be directly connected to FE or to an extended node

CAPWAP control plane goes to the WLC using Fabric

Fabric is enabled per SSID:

• For Fabric enabled SSID, AP converts 802.11 traffic to 802.3 and encapsulates it into VXLAN encoding VNI and SGT info of the client

• Forwards client traffic based on forwarding table as programmed by the WLC. Usually VXLAN DST is first hop switch.

AP applies all wireless specific feature like SSID policies, AVC, QoS, etc.

VXLAN

(Data)

BRKEWN-2020 39


SD-Access Wireless ArchitectureSimplifying policy and Segmentation

SD Fabric

BC

IP payload 802.11IP

IP payload 802.3EID

IPVXLAN

SRC: APDST:FEA

UDP

AP removes the 802.11 header

AP adds the 802.3/VXLAN/underlay IP header

2

1

3

Client A

Client B

FE B

FE A

VXLAN

(Data)

ISE

SGT

BRKEWN-2020 40



SD Fabric

BC

IP payload 802.3EID

IPVXLAN

SRC: APDST:FEA

UDP

2

R Client SGT Client VN_ID R

APs embed the Policy information in the VXLAN header and forwards it

The client VRF is represented by the Layer 2 Virtual Network (L2 VNID)

Hierarchical Segmentation:1. Virtual Network (VN) == VRF - isolated routing Control Plane + Data Plane2. Scalable Group Tag (SGT) – User Group identifier

Client A

Client B

FE B

FE A

VXLAN

(Data)

3

BRKEWN-2020 41



SD Fabric

B

CVXLAN

(Data)

IP payload 802.3EID

IPVXLAN

SRC:AP

DST:FEAUDP

FE decapsulates the VXLAN header, looks at the L2 VNID and maps it to the VLAN and L2 LISP instance.

Then FE A does the lookup and rebuild the VXLAN encapsulates to the destination FE B

3

Client is placed in the right VRF

FEA does a lookup to CP to locate client B

Client A

Client BVRF Red

FE B

FE A

VXLAN

(Data)

SRC:FEADST:FEB

3

BRKEWN-2020 42



SD Fabric

B

C

IP payload 802.3EID

IPVXLAN

SRC:FEA

DST:FEBUDP

FE removes the outer IP header, looks at the VNID maps it to the VLAN.

Also looks at the SGT and apply the policy before forwarding the packet

4

Mapped to VRF

SGT policy is applied

Client Policy is carried end

to end in the

overlay

3

Client A

Client B

FE B

FE A

VXLAN

(Data)

BRKEWN-2020 43

Benefits of SD-Access Wireless


Benefit of SD-Access WirelessPolicy and Segmentation made easy

L2 Switch

L3 Switch

Trunks

Trunk


One SSID

ProductionServers

AAA

DHCP

AD

WLC

DeveloperServers

LAN core

NetworkTouch Points


2. Design and Deploy in Cisco DNA-C Create Virtual Network for Corporate Define Policies

• Role/Group based

Apply Policies• SGT based

3. Upon user authentication, Policy is automatically applied and carried end to end

Corporate VN

Employee

SGT 100

BYOD

SGT 200

Contractor

SGT 300

Production Serv.

SGT 10

Developer Serv.

SGT 20

Original packet

VNID

BYOD SGTVXN

HDR

Fabric

SRC

Fabric

DSTEmployeeContractor

BRKEWN-2020 45


Benefit of SD-Access WirelessPolicy and Segmentation made easy

L2 Switch

L3 Switch

Trunks

Trunk


One SSID

ProductionServers

AAA

DHCP

AD

WLC

DeveloperServers

LAN core

NetworkTouch Points


2. Design and Deploy in Cisco DNA-C Create Virtual Network for Corporate Define Policies

• Role/Group based

Apply Policies• SGT based

3. Upon user authentication, Policy is automatically applied and carried end to end

Corporate VN

Employee

SGT 100

BYOD

SGT 200

Contractor

SGT 300

Production Serv.

SGT 10

Developer Serv.

SGT 20

Guest Virtual Network

IoT/HVAC Virtual Network

One

Touch

Point

BRKEWN-2020 46

Product Support


SD-Access SupportDigital Platforms for your Cisco Digital Network Architecture

For more details:cs.co/sda-compatibility-matrix

BRKEWN-2020 48

http://cs.co/sda-compatibility-matrix


SD-Access PlatformsFabric Edge Node for SD-Access Wireless

• Catalyst 9400

• Sup1/Sup1XL

• 9400 Cards

Catalyst 9400

• Catalyst 9300

• 1/mG RJ45

• 10/25/40/mG NM

Catalyst 9300


• Catalyst 9500

• 1/10/25G SFP

• 40/100G QSFP

Catalyst 9500

• Catalyst 9200/L

• 1/mG RJ45

• 1G SFP (Uplinks)

Catalyst 9200

Catalyst 9200L is not supported as a Fabric Edge for SD-Access Wireless

Catalyst 9200 and 9200L do not support SD-Access Embedded Wireless controller

BRKEWN-2020 49



Wi-Fi 6, 11ac W2 and W1* APsAireOS WLC Catalyst 9800

• AIR-CT3504

• AIR-CT5520

• AIR-CT8540

• Catalyst 9800-40/80

• Catalyst 9800-CL

• C9K Embedded WLC

• 9100/1800/2800/3800and 4800 802.11ax and 11ac Wave2

• 1700/2700/3700 1540/1560 802.11ac Wave1

SD-Access PlatformsFabric Enabled Wireless


* No IPv6, AVC, FNF

Wi-Fi 6 APs: DNA Center 1.3 and 16.11s (IOS-XE)/8.9 AireOS

BRKEWN-2020 50



On ApplianceFor Private CloudFor Switch

• Catalyst 9800 for Private Cloud• 1k AP, 10k Clients• 3k AP, 32k Clients• 6k AP, 64k Clients

• Cisco IOS® XE Software

• Optimized for mobility

• Designed for IoT

• Always on Fabric with robust HA

• Scale on demand

• Catalyst 9800-40• 2k APs, 32k Clients

• Catalyst 9800-80• 6k APs, 64k Clients• Modular uplinks



• Designed for IoT


• Catalyst 9800 embedded wireless on Catalyst 9300

• 200 AP, 4k Clients

• Software Package activation

• Indirect AP Support



• Centralized Control Plane


Small and Medium Campus Medium and Large CampusOptimized for Distributed Braches

Catalyst 9800 for SD-Access Wireless

BRKEWN-2020 51


Catalyst 9800 SD-Access Embedded Wireless

Policy stays with user

Seamless Mobility

Support• Embedded wireless controller on Catalyst 9300/9400/9500 • Single switch stack supports up to 200 APs and 4000 clients• Stack SSO redundancy• Up to #2 controllers in a Mobility Group for more scale

Cisco DNA Center

AnalyticsPolicy Automation

Catalyst 9800 SD-Access Embedded WirelessOptimized for Branch & Small Campuses

Advantages:• Extend policy based segmentation to wireless branch• No WAN Link (AP to Controller) dependency • Extend rich C9K services like ETA to wireless• Lower TCO• Flexible Deployment - Multi-tier Campus and Branch• Simple/Intuitive multi-site workflows with Cisco DNA-C

BRKEWN-2020 52

Guest VNEmployee VN

E

B C

Internet

Fabric in a Box

with Cat9800 Embedded Wireless

Guest VNEmployee VN

E

Internet

B C

Cat9800 Embedded Wireless

on Fabric Edge

Guest VNEmployee VN

Internet

B C

E

Co-Located Border + CP with


9300, 9400, 9500DNA 1.3

9300, 9400, 9500DNA 1.3

9300, 9400DNA 1.4

SD-Access Embedded Wireless – deployments

Guest VNEmployee VN

Internet

B C

E

Co-Located Border + CP with


9300, 9400, 9500DNA 1.3 • You can have up to #2 for scale

to 400 APs

• The 9800 WLCs will be configured in the same Mobility Group for roaming

• SSO HA is supported within the stack but NOT across stacks

• N+1 is not supported yet, coming in 1.4

SD-Access Embedded Wireless – deployments

Guest VNEmployee VN

Internet

B C

E

Multiple Co-Located Border + CP with


9300, 9400, 9500DNA 1.3

B C

Demo time!

A look under the hood


• In Cisco DNA Center, first provision the WLC and then add it to the Fabric site

• Fabric configuration is pushed to WLC. WLC becomes Fabric aware. Most importantly WLC is configured with credentials to established a secure connection to CP

• WLC is ready to participate in SD-Access Wireless

SD-Access Wireless Basic Workflows Add WLC to Fabric

SDA Fabric

B

C

CiscoDNA Center

1

1

2

2

3

FE1

Fabric WLCControl Plane (CP)

BRKEWN-2020 57


SD-Access Wireless Basic Workflows Add WLC to Fabric – verify settings

Configuration > Wireless > Fabric

Fabric status is enabled

CP is correctly configured

BRKEWN-2020 58


SD-Access Wireless Basic Workflows AP Join

IP Network

B

C

1

1

FE1

Fabric WLC

Admin configures AP pool in Cisco DNA Center in INFRA_VN. Cisco DNA Center pre-provision a configuration macro on all the FEs

CiscoDNA Center

BRKEWN-2020 59


SD-Access Wireless Basic Workflows

INFRA_VN is introduced to easily onboard APs. APs are in the Fabric overlay but INFRA_VN is mapped to the global routing table

“AP pool type ” and “Layer 2 Extension” are automatically enabled on this special VN

AP Join - AP INFRA_VN

AP Pool type: triggers the AP pool automatic configuration in both FEs and WLC

Layer-2 Extension: turns on L2 service in LISP

BRKEWN-2020 60



By enabling AP type = AP and Layer-2 extension to ON, DNA Center connects to the Wireless Controller and set the Fabric interface to VNID mapping for the AP subnet for both L2 & L3 VNIDs

AP Join – WLC configuration

BRKEWN-2020 61



In Cisco DNA Center the CDP macro on the FEs for AP onboarding is pushed only if the switchport No Authentication template is selected:

If any other switchport Authentication template is selected, then use static assignment to map the APs’ switch ports to the right IP pool or use MAB and ISE profiling to assign the port to the right pool.

In Cisco DNAC 1.3 we use Autoconf interface templates and these are pushed also for dot1x/MAB authentication on the FE ports

AP Join - Automatic AP onboarding

BRKEWN-2020 62


SD-Access Wireless Basic Workflows AP Join – From Macros to Autoconf (IBNS2.0)

Fabric

any port template

show derived-config interface G1/0/1

interface GigabithEthernet 1/0/1switchport mode access...

interface GigabithEthernet 1/0/1switchport mode accessswitchport access vlan 1021

...

LAP_INTERFACE_TEMPLATE <<<built-in template

Template Definition: switchport mode accessswitchport block unicastswitchport port-security

switchport port-security aging time 2[…}exit

1. DNAC configures “autoconf enable” on all switches, which turns on Device Classifier

2. User configures AP Provisioning Pool in Onboarding page3. DNAC picks a predefined VLAN and modifies the

LAP_INTERFACE_TEMPLATE on FEs to add the AP VLAN 4. AP is plugged in (can happen before)5. Device Classifier classifies the AP using CDP, LLDP, etc6. Device Classifier applies the

LAP_INTERFACE_TEMPLATE7. The AP is placed in the right VLAN8. AP is removed, the configuration is removed

LAP_INTERFACE_TEMPLATE

Template Definition: switchport mode accessswitchport access vlan 1021switchport block unicast

switchport port-security{…}exit

New in 1.3

LAP_INTERFACE_TEMPLATE

BRKEWN-2020 63


SD-Access Wireless Basic Workflows Benefits of autoconf and templates

Benefit Templates Macros

Can be used with all the Port Authentication (Open/Closed/Easy/No auth) templates in DNAC YESNo

(only with No auth)

The configuration pushed is ephemeral, so valid only for the duration of the device “session” YES NO

The running configuration is not touched YES NO

Removing the “applied settings” restores the initial configuration YES NO

Leverages improved Device Classifier on the switch (can add TLVs to classify devices, so flexible) YES NO

Efficiently applies commands to an interface without parsing each command each time.YES

(Template are parsed once when defined)

NO

Template application is acknowledged, allowing for synchronization and performing remedial actions where failures occur.

YES NO

BRKEWN-2020 64



IP Network

B

C

1

1

2

FE1

Fabric WLCAP directly connected (*)

CDP

2

(*) AP can be connected also through an “Extended node” switch


AP is plugged in and powers up. FE discovers it’s an AP via CDP and applies the macro to assign the switch port the the right VLAN

CiscoDNA Center

BRKEWN-2020 65



IP Network

B

C

1

1

2

AP directly connected

CDP

3

3

FE1

Fabric WLC

2

DHCP

DHCP


AP is plugged in and powers up. FE discovers it’s an AP via CDP and applies the macro to assign the switch port the the right VLAN

AP gets an IP address via DHCP in the overlay

BRKEWN-2020 66


DHCP in SDA DHCP Relay - Edge to Border

7DHCP

Reply

4

B B

BE10.1.18.0/24

DHCP

SERVER

Shared Services

1 DHCP

Request

2

SVI

10.1.18.1

SVI

10.1.18.1

• DHCP Request unicast to Border w/ Option 82 + Circuit ID• Option 82 = “1.1.1.1” (RLOC Loopback) and “10” VN ID• Source DHCP request GIADDR = 10.1.18.1 (SVI address) 3

1.1.1.1

3.3.3.3

DHCP Request

sent to Server

C20.20.20.20

1.1.1.2 1.1.1.3

SVI

10.1.18.1

4

DHCP Reply

sent to Border

• DHCP pool selected using GIADDR = 10.1.18.1• DHCP reply sent to GIADDR = 10.1.18.1• Option82 / Circuit ID is returned unchanged

6DHCP Reply sent from Border to EdgeRLOC = 1.1.1.1 with VNI = 10

• RLOC + VNI is extracted from Option82 / Circuit ID• Border encapsulates DHCP reply in VXLAN with

destination RLOC = 1.1.1.1 and VNI = 10

5

DHCP Reply

punted to Border

BRKEWN-2020 67


Fabric Edge registers AP’s IP address and MAC (EID) and updates the Control Plane (CP)

AP learns WLC’s IP and joins using traditional methods. Fabric AP joins in Local mode

WLC checks if AP is fabric-capable (Wave 2 or Wave 1 APs)

If AP is supported, WLC queries the CP to know if AP is connected to Fabric

4


SDA Fabric

B

C

AP CheckAP RLOC?

67

5

4

6

7

5

AP EID register

FE1

CAPWAP Join

exchange

CAPWAP in VXLAN

Fabric WLC

CAPWAP traffic

BRKEWN-2020 68



SDA Fabric

B

C

AP RLOC

9

8

AP L2 EID register

Control Plane (CP) replies to WLC with RLOC. This means AP is attached to Fabric and will

be shown as “Fabric enabled”

WLC does a L2 LISP registration for the AP in CP (a.k.a. AP “special” secure client

registration). This is used to pass important metadata information from WLC to the FE

8

9

FE1

Fabric WLC

BRKEWN-2020 69


• In response to this proxy registration, Control Plane (CP) notifies Fabric Edge and pass the metadata received from WLC (flag that says it’s an AP and the AP IP address)

• Fabric Edge processes the information, it learns it’s an AP and creates a VXLAN tunnel interface to the specified IP (optimization: switch side is ready for clients to join)


SDA Fabric

B

C

AP EID update

FE1

interface Tunnel

Fabric WLC

10

11

10

11

BRKEWN-2020 70





SDA Fabric

B

C

AP EID update

FE1

interface Tunnel

Fabric WLC

10

11

10

11

edge-2#sh access-tunnel summary

Access Tunnels General Statistics:Number of AccessTunnel Data Tunnels = 1

Name SrcIP SrcPort DestIP DstPort VrfId

------ --------------- ------- --------------- ------- ----Ac0 172.16.2.98 N/A 172.16.3.130 4789 0

Name IfId Uptime ------ ---------- --------------------

Ac0 0x0000003A 0 days, 15:20:47

BRKEWN-2020 71




• APs are now ready to be provisioned on Cisco DNA Center


SDA Fabric

B

C

AP EID update

FE1

interface Tunnel

Fabric WLC

10

11

10

11

edge-2#sh access-tunnel summary

Access Tunnels General Statistics:Number of AccessTunnel Data Tunnels = 1

Name SrcIP SrcPort DestIP DstPort VrfId

------ --------------- ------- --------------- ------- ----Ac0 172.16.2.98 N/A 172.16.3.130 4789 0

Name IfId Uptime ------ ---------- --------------------

Ac0 0x0000003A 0 days, 15:20:47

12

BRKEWN-2020 72


SD-Access Wireless Basic Workflows AP Join – AP Provisioning

Select the APs and click on Action > Provision

Assign them to the floor (you need to have floor created)

(optional) assign an RF profile

BRKEWN-2020 73


SD-Access Wireless Basic Workflows AP Join – AP Provisioning

Click on Deploy to apply these settings

APs will disconnect and reconnect

Note: with C9800 APs will not reboot but just a CAPWAP reset

BRKEWN-2020 74


SD-Access Wireless Basic Workflows AP Join – AP Provisioning- WLC config verification

APs are configured with the Policy and Site tags for Fabric

BRKEWN-2020 75


SD-Access Wireless Basic Workflows Client Onboarding

SDA Fabric

B

C

Fabric WLC

Admin user defines a Pool for wireless clients in Cisco DNA Center Design phase. The pool is then associated to a VN during “Host Onboarding” phase. For a wireless pool, L2 LISP needs to be enabled.

As soon as the SSID is mapped to the Pool, the WLAN will be enabled and clients will see the Fabric SSID

CiscoDNA Center

BRKEWN-2020 76



Make sure Layer-2 Extension toggle is ON to enable L2 LISP and Layer 2 subnet extension on the client Pool/subnet. The is required for wireless to work!

Client Onboarding

BRKEWN-2020 77



When the pool is assigned to the Virtual Network, the correspondent Fabric interface to VNID mapping is pushed to the controller. Note: these are all L2 VNIDs

Client Onboarding – WLC config verification

BRKEWN-2020 78



WLANs are mapped to the pool in the respective Virtual Networks

Client Onboarding

BRKEWN-2020 79



A Fabric Profile with the L2 VNID is added corresponding to the pool chosen:

The Policy Profile is mapped to the Fabric profile and it’s enabled for Fabric


BRKEWN-2020 80



The Fabric WLANs are now in enable state and clients can join


BRKEWN-2020 81


• Client authenticates to a Fabric enabled WLAN. WLC gets SGT from ISE, updates AP with client L2VNID and SGT


SDA Fabric

B

C

1

1

Client Join

Fabric WLC

Client SGT/VNID and RLOC

CAPWAP in VXLAN

FE1

ISE

BRKEWN-2020 82


• Client authenticates to a Fabric enabled WLAN. WLC gets SGT from ISE, updates AP with client L2VNID and SGT

• WLC knows RLOC of AP from internal DB . WLC proxy registers Client L2 info in CP; this is LISP modified message to pass additional info, like the client SGT

• FE gets notified by CP and knows it’s a client; FE adds client MAC in L2 forwarding table and go and fetch the client policy from ISE based on the client SGT


SDA Fabric

B

C

2Client MAC register

1

2

3

Client in FWD

table

3

Fabric WLC

FE1

BRKEWN-2020 83


• Client initiates DHCP Request

• AP encapsulates it in VXLAN with L2 VNI info (and SGT)

• Fabric Edge maps L2 VNID to the VLAN interface and forwards the DHCP packet in the overlay (same as for a wired Fabric client)


SDA Fabric

C

4

5

4

5

6

B

DHCP packet + L2 vnid

6

DHCP flow

Fabric WLC

DHCP

FE1

BRKEWN-2020 84


• Client receives an IP address from DHCP

• DHCP snooping triggers the client EID registration by the Fabric Edge to the CP. (If client has a static IP, then ARP or any other IP packet will trigger the registration)

This completes Client onboarding process


SDA Fabric

B

C8

Client IP, L3 VNI, RLOC IP

7

8

C

Fabric WLC

DHCP

7FE1

BRKEWN-2020 85


• Client roams to AP2 on FE2 (inter-switch roaming). WLC get’s notified by AP

• WLC updates forwarding table on AP with client info (SGT, L2VNID, RLOC)

• WLC updates the L2 MAC entry in CP with new RLOC FE2

SD-Access Wireless Basic Workflows Client Roams

1

SDA Fabric

B

C

FE1

FE2

2

C1

2

3

Client L2 MAC entry update

Fabric client info sent to AP

3

Fabric WLC

1AP1

AP2

BRKEWN-2020 86


• CP then notifies • Fabric Edge FE2 (”roam-to” switch) to add the client MAC to forwarding table pointing to VXLAN tunnel• Fabric Edge FE1 (”roam-from” switch) to do clean up for the wireless client

• FE will update the L3 entry (IP) in CP data base upon receiving traffic

• Roam is Layer 2 as FE2 has the same VLAN interface (Anycast GW)

SD-Access Wireless Basic Workflows Client Roams

4

SDA Fabric

B

FE1

FE2

AP1

AP2

4

5

5

Client IP, L3 VNI, RLOC IP

6

C

Fabric WLC

20.2.4.1/20Client SVI

20.2.4.1/20Client SVI

BRKEWN-2020 87

Wireless and SDA

Design and Deployment considerations


SD-Access Wireless ConnectivityWhat you need to know

WLC typically connect to a “shared services” Distribution Block

VSS is the preferred topology

Management IP address in Global Routing Table

Use a specific route to advertise WLC’s IP in the underlay

WLC can talk to only #2 CP nodes

Access Points connect to Fabric Edge

APs reside in INFRA_VN (GRT) and form CAPWAP connection to WLC. No need for VRF leaking

AP can be connected to an extended node

APs are connected in Local mode

Shared ServicesDistribution (VSS)

L2 MEC

Overlay and Underlay Network Connectivity

WirelessLAN Controller(s)

Border Node Border Node

IntermediateNode

IntermediateNode

Edge Node Edge Node

AP

SD-Access Fabric

BRKEWN-2020 89


SD-Access Wireless ConnectivityHow to connect an SSO pair of Fabric WLCs?

Shared ServicesDistribution (VSS)

L2 MEC

Outside Fabric Network Connectivity

SSO pair

Border Node Border Node

IntermediateNode

IntermediateNode

Edge Node Edge Node

AP

SD-Access Fabric

Outside Fabric Network

Connectivity

Border Node(HSRP active)

Border Node

IntermediateNode

IntermediateNode

Edge Node Edge Node

AP

SD-Access Fabric

L2 trunk with HSRP

Active Standby

Directly to the pair of FBs

To a shared Service block

BRKEWN-2020 90


Enterprise network

SD-Access Wireless ConnectivityCatalyst 9800 – HA pair connectivity to VSS pair

VSS pair

L2 port channel+ dot1q trunk

Active Standby

RP port RP port

Active and Standby should be connected in the same way

Single L2 port-channel on each box

Enable dot1q to carry multiple VLANs

Only LAG with mode ON is supported

IMPORTANT: connect RP port to the same VSS/stack member as the uplinks and not back to back

Make sure that switch can scale in terms of ARP and MAC table entries

Same applies if switch is a stack/VSL pair/modular switch

VSS is the recommended topology

C9800 only

BRKEWN-2020 91


SD-Access Wireless ConnectivityCatalyst 9800 – HA pair connectivity to pair of distribution switches

Enterprise network

L2 port channel+ dot1q trunk

Active Standby

RP port RP port

HSRP Active HSRP Standby

L2 link

For SSO HA, connect the Standby in the same way

Single L2 port-channel on each box

Enable dot1q to carry multiple VLANs

IMPORTANT: only LAG with mode ON is supported

IMPORTANT: connect RP port to the same switch as the uplinks and not back to back

Make sure that switch can scale in terms of ARP and MAC table entries

This is a supported topology

C9800 only

BRKEWN-2020 92


SD-Access Wireless ConnectivityWhy can’t I use the default route to reach the WLC?

FE

non Fabric

172.16.201.202

Access point

Fabric

Underlay

CAPWAPcontrol

In order to keep the LISP communication between nodes more reliable, the following configuration has been added: “ipv4 locator reachability exclude-default”

Fabric WLC acts a proxy ETR and talks LISP to the CP

The CP (or any other node) will not consider a message from a ITR/ETR if the only way to reach back to that node is via the default route; it requires a more specific route:

Reason: if the path to that ETR becomes unavailable, LISP will come to know from the undelay IGP as the specific route will disappear; but if it’s known via the default route, the route will always be there.

Sh run | s lisp

[..]

!

ipv4 locator reachability exclude-default

ipv4 source-locator Loopback0

exit-router-lisp

BGP session

WLC

B C

CAPWAPcontrol

BRKEWN-2020 93

SD-Access Wireless supported “modes”


SD-Access Wireless: true integration in Fabric

ISE / AD

SD-Access

Fabric

C

BB

APIC-EM

SD-Access Wireless

Fabric enabled

APs

Fabric

enabled WLC

CAPWAP Control Plane, VXLAN Data plane WLC/APs integrated in Fabric, SD-Access advantages

Requires software upgrade (8.5+)

Optimized for 802.11ac Wave 2 and 11ax APs

CAPWAP

Cntrl plane

VXLAN

Data plane

Cisco DNA Center True wireless integration with Fabric

Provides all the advantages of SDA for wireless clients:

Full automation with Cisco DNA Center

Hierarchical segmentation (VRF and SGT)

Same policy as wired

Distributed Data Plane with no drawbacks

Optimized traffic path for Guest

Recommended option

BRKEWN-2020 95


Wireless on top of SDA Fabric

ISE / AD

SD-Access

Fabric

C

BB

APIC-EM

CUWN wireless Over The Top (OTT)

Non-Fabric

WLC

Non-Fabric

APs

CAPWAP for Control Plane and Data Plane SDA Fabric is just a transport

Supported on any WLC/AP software and hardware

Only Centralized mode is supported today

CAPWAP

Control & Data

No SDA advantages for wireless

Migration step to full SD-Access

Customer wants/need to first migrate wired (different Ops teams managing wired and wireless, get familiar with Fabric, different buying cycles, etc.) and leave wireless “as it is”

Customer cannot migrate to Fabric yet (older APs, need to certify the new software, etc.)

Cisco DNA Center

BRKEWN-2020 96


FlexConnect local switching is not supported in SDA 1.2 (today)

Will it work? Probably yes but it has not been fully tested hence it is not officially supported

This applies also to 3rd party APs that bridge traffic at the AP

Wireless on top of SDA Fabric

ISE / AD

SD-Access

Fabric

C

BB

APIC-EM

FlexConnect Over The Top (OTT)

Non-Fabric

WLC

Flex APs

CAPWAP for Control Plane Data plane is locally switched. Wireless traffic is

treated like wired traffic.

Not supported today (1.2)

CAPWAP Control

Ethernet traffic

Cisco DNA Center

BRKEWN-2020 97


Wireless Integration in SDA Fabric

ISE / AD

SD-Access

Fabric

C

BB

APIC-EM

Mixed Mode

Fabric

WLC

non-Fabric SSID: client traffic is CAPWAP encapsulated to WLC

Fabric SSID: client traffic is VXLAN encapsulated

Supported in SDA 1.2 for brownfield deployments

CAPWAP

Control & Data

Fabric SSID

+

CUWN SSID

VXLAN

CAPWAP Control

Mixed mode: mix of Fabric and non-Fabric (centralized) SSIDs

Mixed mode is supported both on the same AP or different APs

With Cisco DNA Center 1.1 mixed mode is supported only for greenfield deployments

With Cisco DNA Center 1.2 mixed mode is supported also for brownfield deployments

Automation for Foreign-Anchor Guest SSID is supported in Cisco DNA Center 1.2

Cisco DNA Center

BRKEWN-2020 98

SD-Access Wireless

Adoption/Migration Scenarios


SD-Access Wireless AdoptionWhat You Need to Know

Brownfield: Cisco DNA Center can read an existing AireOS non-Fabric config from WLC – limited to the Design settings

Mixed mode is supported: Fabric and non-fabric SSIDs on same WLC and also on the same AP – Dedicated WLC for Fabric recommended

For Over The Top (SD-Access wired as transport) Cisco DNA Center 1.2 supports AP in Local mode only (no Flex or 3rd party APs)

Mix deployment of CUWN and SDA wireless: it works but keep in mind that seamless roaming is not supported (see next slides)

BRKEWN-2020 100


SD-Access Wireless AdoptionMigration for an existing CUWN deployment

Customer has a site with AireOS Centralized wireless

Assumptions: Migration to Fabric happens in a single area (e.g. building) at the time and migration is in one shot No need for seamless roaming between new SDA area and the existing wireless deployment

DHCP

Services Block

ISE

Cisco Prime

Non Fabric

Non Fabric

CAPWAP Control and Data

Area 1

Area 2

BRKEWN-2020 101


SD-Access Wireless AdoptionMigration for an existing CUWN deployment

DHCP

Services Block

ISE

Cisco Prime

Area 1

Area 2

Non Fabric

SD FabricB

C

CAPWAP

CAPWAP Control and Data

Add Cisco DNA Center and ISE (if not present already)

First, migrate wired network to SD-Access Fabric

Wireless is over the top of Fabric. APs are in INFRA_VN

1

2

3

Cisco DNA Center

BRKEWN-2020 102


SD-Access Wireless AdoptionMigration for an Existing CUWN Deployment

DHCP

Services Block

ISE

Cisco Prime

Area 1

Area 2

Non Fabric

SD FabricB

C

Fabric

WLC

VXLAN

(Data)

CAPWAP Cntrl

No seamless

roaming

Discover existing WLC to Cisco DNA Center – Learn configuration (e.g. SSIDs) and populate Cisco DNA Center

Add a dedicated WLC for SD-Access and provision it to the site (re-use the configuration inherited from old WLC)

on CUWN WLC, configure the APs in the area to join the new Fabric WLC

APs in the area will join Fabric WLC. From Cisco DNA Center provision APs to the Fabric site

1

2

3

CAPWAP Control

VXLAN

4

Cisco DNA Center

BRKEWN-2020 103


Traditional Campus

Guest Anchor

Shared WLC

EoIP

CAPWAP

Shared controller for SDA and CUWN

• Shared WLC can manage Fabric and non-Fabric

APs but needs an upgrade to 8.5 or 8.8

• New code = more risk for existing non-Fabric

deployment

Management considerations:• Cisco DNA Center 1.2 can manage non-Fabric

WLC in brownfield scenarios but not all wireless

settings are available

WLAN Design considerations:

• Fabric is enabled per SSID

• To have same SSID name in both areas:1. Need to have different WLAN IDs with same

SSID name but different profile

2. Need to define and apply AP Groups

3. APs need to be re-booted

Guest and Policy:• Can leverage existing Guest Anchor also for Fabric

area/building

• Can leverage ISE for both deployments

ISE

SD-Access Wireless AdoptionConsideration for Shared WLC for Fabric and non-Fabric

Internal

Fabric

APs

SD-Access

Fabric

B CP

CAPWAP

Control

VXLAN

Internal

Non-

Fabric

APs

No roaming

between

Fabric and

non-Fabric

Cisco Prime

Area 1Area 2

Cisco DNA Center

BRKEWN-2020 104

Before you leave…


CB B

Cisco Software Defined AccessThe Foundation for Cisco’s Intent-Based Network

IoT Network Employee Network

Client Mobility

Policy follows User

Outside

Cisco DNA Center

AssuranceAutomationPolicy

SD-AccessExtension

Automated Network Fabric

Single fabric for Wired and Wireless with full automation

Insights and Telemetry

Analytics and insights into User and Application experience

Identity-Based Policy and Segmentation

Policy definition decoupled from VLAN and IP address

BRKEWN-2020 106


Don’t miss the SD-Access book…

It’s an e-book and you can download it from herehttps://www.cisco.com/c/dam/en/us/products/se/2018/1/Collateral/nb-06-software-defined-access-ebook-en.pdf

BRKEWN-2020 107

https://www.cisco.com/c/dam/en/us/products/se/2018/1/Collateral/nb-06-software-defined-access-ebook-en.pdf


SD-Access ResourcesRelated Sessions

SD-Access Fabric

Cisco SD-Access - A Look Under the Hood - BRKCRS-2810• Monday, June 10 08:00 AM - 10:00 AM

Cisco SD-Access - Connect to External Networks - BRKCRS-2811• Monday, June 10 04:00 PM - 05:30 PM

Cisco SD-Access – Integrate Existing Network - BRKCRS-2812• Tuesday, June 11 08:00 AM - 10:00 AM

Cisco SD-Access - Connect Multiple Sites - BRKCRS-2815• Tuesday, June 11 01:00 PM - 03:00 PM

Cisco SD-Access – Building the Routed Underlay - BRKCRS-2816• Wednesday, June 12 04:00 PM - 05:30 PM

Cisco SD-Access - Extend Segmentation & Policy to IoT - BRKCRS-2817• Thursday, June 13 10:30 AM - 12:00 PM

Cisco SD-Access - Technology Deep Dive - BRKCRS-3810• Thursday, June 13 01:00 PM - 02:30 PM

SD-Access Wireless

How to Setup SD-Access Wireless from Scratch - BRKEWN-2021• Tuesday, June 11 01:00 PM - 03:00 PM

Cisco SD-Access - Wireless Integration - BRKEWN-2020• Thursday, June 13 08:00 AM - 10:00 AM

SD-Access Integration

Build an SD-Enterprise with Cisco SD-WAN and SD-Access - BRKCRS-2818• Tuesday, June 11 04:00 PM - 06:00 PM

Cisco SD-Access - Troubleshooting the Fabric - BRKARC-2020• Tuesday, June 11 04:00 PM - 05:30 PM

Cisco SD-Access - Connect to the DC, Firewall, WAN & More! - BRKCRS-2821• Wednesday, June 12 08:00 AM - 10:00 AM

Cisco SD-Access - Scaling to Hundreds of Sites - BRKCRS-2825• Wednesday, June 12 01:00 PM - 02:30 PM

Cisco SD-Access Campus Cisco Validated Design - BRKCRS-1501• Thursday, June 13 08:00 AM - 10:00 AM

Cisco SD-Access - Integrate with Data Center Architectures - BRKDCN-2489• Thursday, June 13 11:00 AM - 12:00 PM

Cisco SD-Access – Assurance and Analytics - BRKNMS-2814• Thursday, June 13 01:00 PM - 02:30 PM

SD-Access Policy

Cisco SD-Access - Policy Driven Manageability - BRKCRS-3811• Wednesday, June 12 04:00 PM - 05:30 PM

Create an End-to-End Software Defined Architecture - BRKCRS-2819• Thursday, June 13 08:00 AM - 10:00 AM

BRKEWN-2020 108


SD-Access ResourcesWould you like to know more?

cisco.com/go/cvd• SD-Access Design Guide

• SD-Access Deployment Guide

• SD-Access Segmentation Guide

cisco.com/go/dnacenter• Cisco DNA Center At-A-Glance

• Cisco DNA ROI Calculator

• Cisco DNA Center Data Sheet

• Cisco DNA Center 'How To' Video Resources

cisco.com/go/sdaccess• SD-Access At-A-Glance

• SD-Access Ordering Guide

• SD-Access Solution Data Sheet

• SD-Access Solution White Paper

cisco.com/go/dna

BRKEWN-2020 109

https://cisco.com/go/cvd

https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Campus/CVD-Software-Defined-Access-Design-Guide-2018APR.pdf

https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Campus/CVD-Software-Defined-Access-Deployment-Guide-2018APR.pdf

https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Campus/CVD-Software-Defined-Access-Segmentation-Design-Guide-2018MAY.pdf

https://cisco.com/go/dnacenter

https://www.cisco.com/c/dam/en/us/products/collateral/cloud-systems-management/dna-center/at-a-glance-c45-739010.pdf?oid=aagen000249

https://dnaroi.cisco.com/go/cisco/dnaroi/index.html?lang=en-us&ccid=cc000006&oid=caten000241

https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/application-policy-infrastructure-controller-enterprise-module/datasheet-c78-739052.html

https://www.cisco.com/c/en/us/support/cloud-systems-management/dna-center/video-resources.html

https://cisco.com/go/sdaccess

https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/software-defined-access/at-a-glance-c45-738181.pdf?oid=aagen000292

https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/software-defined-access/guide-c07-739242.html

https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/software-defined-access/solution-overview-c22-739012.pdf?oid=sowen000311

https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/software-defined-access/white-paper-c11-739642.html

https://cisco.com/go/dna


SD-Access ResourcesRelated Labs

SD-Access Hands-On Labs

Cisco SD-Access & ACI Integration - Hands-on Lab - LTRACI-2636• Sunday, June 09 09:00 AM - 01:00 PM

SD-Access with Cisco ISE and Cisco DNA Center - LTRSEC-1571• Sunday, June 09 09:00 AM - 01:00 PM

Cisco SD-Access - Hands-on Lab - LTRCRS-2810• Thursday, June 13 08:00 AM - 12:00 PM

SD-Access WISP Labs

DNA Center: SD-Access Distributed Campus Lab - LABCRS-2003• Walk-In Self-Paced

DNA Center: SD-Access Fabric Enabled Wireless - LABCRS-2600• Walk-In Self-Paced

DNA Center: SD-Access/TrustSec/ACI Integration Lab - LABCRS-3000• Walk-In Self-Paced

BRKEWN-2020 110


SD-Access ResourcesLearning @ Cisco - On Demand Training

Provides a proven, cost-effective alternative to instructor-led training via a comprehensive library of high-definition video lectures available on a 12-month subscription basis.

Each license provides 24/7 access to a growing library of world-class technical courses ranging from product training and troubleshooting.

Planning and Deploying SD-Access Fundamentals (for Customers) - CUST-SDA-FUND

This course focuses on deploying the Cisco Software-Defined Access (SD-Access) solution from the ground up. It starts with how to integrate Cisco Identity Services Engine (ISE) and Cisco DNA Center and ends with end-to-end troubleshooting and using Cisco DNA Assurance to monitor and troubleshoot endpoint and fabric issues.

14 hours of Video Content

Preparing the ISE for SD-Access (for Customers) - CUST-SDA-ISE

This course provides a focused look at Cisco Identity Services Engine (ISE) operation and group-based policy configuration as they apply to Cisco Software-Defined Access (SD-Access).

5 hours of Video Content

1

2

www.cisco.com/c/en/us/training-events/resources/training-services.html

Earn up to 16 points for CCIE CEP!

BRKEWN-2020 111

https://www.cisco.com/c/dam/en_us/training-events/learning_services/courses/docs/cust-sda-fund-on-demand.pdf

https://www.cisco.com/c/dam/en_us/training-events/learning_services/courses/docs/cust-sda-ise-on-demand.pdf

http://www.cisco.com/c/en/us/training-events/resources/training-services.html

Complete your online session evaluation

• Please complete your session survey after each session. Your feedback is very important.

• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live water bottle.

• All surveys can be taken in the Cisco Live Mobile App or by logging in to the Session Catalog on ciscolive.cisco.com/us.

Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com.

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS BRKEWN-2020 112

http://ciscolive.cisco.com/us

https://ciscolive.cisco.com/


Continue your education

Related sessions

Walk-in labsDemos in the Cisco campus

Meet the engineer 1:1 meetings

BRKEWN-2020 113

Thank you

#CLUS

Additional material

New features in Cisco DNA Center 1.3


Cisco DNA Center 1.3 – Advanced SSIS settings

• These apply to both Enterprise and Guest SSIDs

BRKEWN-2020 117


Cisco DNA Center 1.3 – AAA per SSID

• Currently only two AAA Server [Primary and Secondary] per site/building/floor is supported .

• Only one ISE server can be mapped to particular site[building or floor].

• User can’t Map primary as ISE server and secondary as other AAA server(non ISE) to particular site[Building, Floor].

• Brownfield (learning multiple ISE servers from existing config) is not supported .

• Currently this feature supports only for AireOS platform.

BRKEWN-2020 118


Cisco DNA Center 1.3 – AAA per SSID

• Currently only two AAA Server [Primary and Secondary] per site/building/floor is supported .

• Only one ISE server can be mapped to particular site[building or floor].

• User can’t Map primary as ISE server and secondary as other AAA server(non ISE) to particular site[Building, Floor].

• Brownfield (learning multiple ISE servers from existing config) is not supported .

• Currently this feature supports only for AireOS platform.

BRKEWN-2020 119

New features in Cisco DNA Center 1.2


Cisco DNA Center 1.2 - Default RF Profile

• Admin can pick a custom RF profile to be the

Default one

Easier deployment: during AP provisioning,

Default RF profile is shown first

2

1

1

2

BRKEWN-2020 121


Cisco DNA Center 1.2 - Band Select

Create a SSID with “Dual band

operation with band select” for

the Dual band clients for

connecting to the WLAN.

Cisco DNA Center configures

band-select per-WLAN

Global default band select

values are not changed from

Cisco DNA Center.

BRKEWN-2020 122


Cisco DNA Center 1.2 - 5GHz only SSID

Radio Policy configuration

5GHz only will apply Radio policy 802.11a

only to the WLAN.

BRKEWN-2020 123


Cisco DNA Center 1.2 - Hidden SSID

Admin has the option to hide SSID so that

SSID is not broadcasted.

During SSID creation, there is a toggle button

for Broadcast SSID - On / Off. The same is

reflected on WLAN configuration at WLC

BRKEWN-2020 124


Cisco DNA Center 1.2 - Override PSK

In Cisco DNA Center 1.2, PSK for SSID can be

site specific. Each site can have different PSK

SSID.

Step 1 : Create a PSK SSID under Global

Step 2 : PSK SSID is created successfully, as

shown in below screenshot.

2

1

BRKEWN-2020 125


Cisco DNA Center 1.2 supports PnP for APs (AP sensor is there already in 1.1.x)

AP shows up in Provision -> Unclaimed Devices. AP will be in Initialized

Unclaimed status

1

Cisco DNA Center 1.2 - PnP for AP Provisioning

BRKEWN-2020 126


Select the AP and claim device

Claim the device which prompts to assign site and RF profile.

2

3

Cisco DNA Center 1.2 - PnP for AP Provisioning (Cont..)

BRKEWN-2020 127


AP gets the PnP config with WLC details from Cisco DNA Center and will be in

Onboarding state for a bit and the Success

4

Cisco DNA Center 1.2 - PnP for AP Provisioning (Cont..)

BRKEWN-2020 128


Cisco DNA Center 1.2.8 - Outdoor AP support

1540 and 1560 11ac wave2 Access Points managed by DNAC

WLC shows APs configured for Fabric in Local mode

BRKEWN-2020 129


Cisco DNA Center 1.2.8 - Hyperlocation with CMXAP neighborship, Client count and Health

BRKEWN-2020 130


Cisco DNA Center 1.2.8 - WGB Support

• Topology shows WGB host connected to SDA Fabric• Detail WGB client information viewable under Assurance

BRKEWN-2020 131

Additional use cases that SDA can help solving


Campus

What is the Problem?Workspace of the Future

You need a distributed Data Plane (DP) without the complications that normally comes along in terms of IP addressing, roaming, etc.

Is the

Centralized

WLC a

pb??

WLC

DHCPDNSAAA

ADLDAP

Data Centre WLC

What about…

Fully leveraging the speed of 802.11ac/ax?

Mobility everywhere

Handling east-west traffic from tools like Spark room? And Video, video and video…

Onbording Sensors and IoT devices securely

Leveraging great innovation at the switch level

etc...

What

about IP

addressing

design?

BRKEWN-2020 133


What is the Problem?Workspace of the Future

Data plane is optimized without the complications (spanning tree, large broadcast domain, etc.) of locally distributing the traffic

WLC

DHCPDNSAAA

ADLDAP

Data Centre WLC

SDA Fabric

C B

CAPWAP

(Control)

VXLAN

(Data)

Interface VLAN

vrf forwarding Employee

ip address 10.10.10.1/24

Interface VLAN

vrf forwarding Employee

ip address 10.10.10.1/24

IoT device

IoT device

With SDA

Data Plane is distributed and optimized

Subnet is everywhere so sub-netting design is SIMPLE

Mobility is integrated in the Fabric

Layer 2 extension for IoT

The advantages of

distributed DP without

the associated

challenges

BRKEWN-2020 134

More on Product support


Common HW & SW - UADP & IOS-XECP, Border & Edge - All Platforms

Catalyst 9K Series

C3K Series C4500 + Sup8 C6800 + Sup6T N7700 + Sup2E

C9300 Series C9400 + Sup1/XL C9500 10/40G C9500 25/40/100G

Common HW & SW - QFP & IOS-XECP, Border & SD-WAN cEdge*

ISR 4K Series

ASR1000 X & HX Series

ISR 4300 & 4400


SD-Access SupportCatalyst 9K and ISR 4K Series

BRKEWN-2020 136



SD-Access PlatformsFabric Edge Node

• Catalyst 9400

• Sup1/Sup1XL

• 9400 Cards

Catalyst 9400

• Catalyst 9200/L

• 1/mG RJ45

• 1G SFP (Uplinks)

Catalyst 9200

• Catalyst 9300

• 1/mG RJ45

• 10/25/40/mG NM

Catalyst 9300


• Catalyst 9500

• 1/10/25G SFP

• 40/100G QSFP

Catalyst 9500

BRKEWN-2020 137



• Catalyst 6500/6800

• Sup2T/Sup6T

• C6800 Cards

• C6880/6840-X

Catalyst 6K

• Catalyst 4500E

• Sup8E/Sup9E (Uplink)

• 4600/4700 Cards (Host)

Catalyst 4500E


• 1/mG RJ45

• 1/10G SFP

• 1/10/40G NM Cards

Catalyst 3K

SD-Access PlatformsFabric Edge Node


BRKEWN-2020 138



SD-Access PlatformsFabric Control Plane


Catalyst 9500Catalyst 9400Catalyst 9300

• Catalyst 9300

• 1/mG RJ45

• 10/25/40/mG NM

• Catalyst 9400

• Sup1/Sup1XL

• 9400 Cards

• Catalyst 9500

• 1/10/25G SFP

• 40/100G QSFP

BRKEWN-2020 139



SD-Access PlatformsFabric Control Plane


ISR 4K & ENCSCatalyst 3K Catalyst 6K ASR1K


• 1/mG RJ45

• 1/10G SFP



• Sup2T/Sup6T

• C6800 Cards

• C6880/6840-X

• ISR 4300/4400

• AppX (AX)

• ENCS 5400

• ISRv / CSRv

• ASR 1000-X/HX

• AppX (AX)

• 1/10G ELC/EPA

• 40G ELC/EPA

BRKEWN-2020 140



SD-Access PlatformsFabric Border Node


Catalyst 9500Catalyst 9400Catalyst 9300

• Catalyst 9300

• 1/mG RJ45

• 10/25/40/mG NM

• Catalyst 9400

• Sup1/Sup1XL

• 9400 Cards

• Catalyst 9500

• 1/10/25G SFP

• 40/100G QSFP

BRKEWN-2020 141



SD-Access PlatformsFabric Border Node


Catalyst 3K Catalyst 6K ISR 4K ASR 1KNexus 7K*


• 1/mG RJ45

• 1/10G SFP



• Sup2T/Sup6T

• C6800 Cards

• C6880/6840-X

• ISR 4300/4400

• AppX (AX)

• 1/10G RJ45

• 1/10G SFP

• ASR 1000-X/HX

• AppX (AX)

• 1/10G ELC/EPA

• 40G ELC/EPA

* EXTERNAL ONLY

• Nexus 7700

• Sup2E

• M3 Cards

• LAN1K9 + MPLS

BRKEWN-2020 142



SD-Access PlatformsFabric Extended Node


Industrial EthernetCatalyst Digital BuildingCatalyst 3560-CX

• Catalyst 3560-CX

• 1/mG RJ45

• 1/10G SFP

• CDB-8U/8P

• 1/mG RJ45

• 1/10G SFP

• IE 4000/5000

• 1/mG RJ45

• 1/10G SFP

BRKEWN-2020 143



Scale and Specifications

DNA Appliance

SKU Specs Scale and Performance SDA Design

DN1-HW-APL

(Clusters with same SKU and DN2-HW-APL)

• Based on UCS M4• 44 cores• 256 GB RAM• 12 TB SSD• List Price: $77,160

5000 Devices

1000 Switches/Routers/WLC + 4000 APs

25,000 Clients

Small orMedium

DN2-HW-APL

(Clusters with same SKU and DN1-HW-APL)

• Based on UCS M5• 44 cores• 256 GB RAM• 16 TB SSD• List Price: $88,674

5000 Devices


25,000 Clients

Small or Medium

DN2-HW-APL-L

(Clusters with same SKU only)

• Based on UCS M5• 56 cores• 384 GB RAM• 16 TB SSD• List Price = $147,495

8000 Devices


40,000 Clients

Medium orLarge

BRKEWN-2020 144

High Availability in SD-Access Wireless


Stateful Redundancy with SSO:

WLC SSO pair is seen as one node in Cisco DNA Center

Only Active WLC interacts with CP node and CP state is synched between Active and Standby

Upon failure, new Active WLC will bulk update Fabric clients to the CP node (LISP refresh)

Wireless APs and Clients stay connected

WLC is connected outside Fabric, so normal best practices apply to connect the SSO pair

SD-Access Wireless HA

Fabric WLC fully supports SSO High Availability

WLC Redundancy with SSOActive Standby

SSO pair

B

C

B

BRKEWN-2020 146


Stateful Redundancy with SSO:

WLC SSO pair is seen as one node in Cisco DNA Center

Only Active WLC interacts with CP node and CP state is synched between Active and Standby

Upon failure, new Active WLC will bulk update Fabric clients to the CP node (LISP refresh)

Wireless APs and Clients stay connected

WLC is connected outside Fabric, so normal best practices apply to connect the SSO pair

• N+1 redundancy is not supported in Cisco DNA Center 1.2

SD-Access Wireless HA

Fabric WLC fully supports SSO High Availability

WLC Redundancy with SSOActive

SSO pair

B

C

B

Bulk update

BRKEWN-2020 147


SD-Access Wireless HAControl Plane Redundancy

Control Plane is based on a LISP Map Server / Resolver

Host Database, tracks Endpoint ID to Edge Node

bindings, along with other attributes (e.g.. SGT)

Redundancy is supported in Active / Active

configuration

WLC (and Fabric Edges) are configured with two CP

nodes and synch information to both

If one fails, all client information is available at the

other CP node

C

B

C

Client updates

BRKEWN-2020 148


SD-Access Wireless HACP Redundancy

Control Plane is based on a LISP Map Server / Resolver

C

B

C

Client updates

BRKEWN-2020 149

SD-Access Wireless Guest Design


SD-Access Wireless Guest

One touch Guest solution, Cisco DNA Center automated

Backend integration with ISE for Portal and Profiles configuration

BRKEWN-2020 151


SD-Access Wireless Guest

One touch Guest solution, Cisco DNA Center automated

Backend integration with ISE for Portal and Profiles configuration

In Cisco DNA Center 1.2 both Central Web Auth (CWA) with ISE and Local WebAuth (LWA) are supported

No wired Guest automation in Cisco DNA Center 1.2

BRKEWN-2020 152


SDA Fabric

SD-Access Wireless Guest DesignGuest as a dedicated Virtual Network

Internet

10.10.10.40

DMZ

B

WLC

C

Guest VRF

Guest and Enterprise clients share the same Enterprise CP node

Guest SSID is associated to a dedicated VN in Fabric leveraging Fabric segmentation (VNI, SGT) for guest traffic isolation

BRKEWN-2020 153


SD-Access Wireless Guest DesignGuest with dedicated Border and Control Plane nodes

InternetSDA Fabric DMZ

B

WLC Guest FB

C

BC

VXLAN to DMZ

Complete Control plane and Data plane separation from Enterprise traffic

No additional Anchor WLC: Guest traffic is optimized, sent directly to the DMZ

BRKEWN-2020 154


SDA Fabric

SD-Access Wireless Guest DesignAnchor-Foreign CUWN Solution

Internet

10.10.10.40

DMZ

B

Foreign WLC Anchor WLC

C

CAPWAP

CAPWAP/EoIP

Automated in

Cisco DNA

Center 1.2

Well proven CUWN solution, protecting investment

Guest WLAN anchored at Guest Anchor in DMZ

BRKEWN-2020 155


Guest SSID with Anchor WLC

Cisco DNA Center 1.2 and later supports Guest Anchor configuration for both Central Webauth (CWA) and Local WebAuth (LWA) with external portal

When provisioning the WLC now user has to option to choose Active (Foreign) or Anchor WLC

BRKEWN-2020 156

SD-Access Wireless

more on Design & Deploy


How to Connect WLC?

Recommended WLC Connection to Wired

WLC is connected outside Fabric to a switch in Service Block or DC

WLC side:

Use multiple ports for redundancy and group them in a LAG (Link Aggregation)

Use a pair of boxes and enable Stateful Switch Over – this will double the links to connect to the infrastructure

Leverage physical redundancy at the switch:

Single box solution: modular switch or switch stack and spread WLC links across line cards or stack members

Dual switch solution: use VSS and spread links across switches

non Fabric

B C

WLC

Fabric

OverlayLAG

Service Block switch

Shared Service Block

Stack or modular switch

Dual switch in VSS mode

BRKEWN-2020 158


AP to WLC ConnectionSouth-North Traffic Details

FE

non Fabric

172.16.201.202

Access point

Fabric

Underlay

CAPWAPcontrol

AP to WLC (South to North traffic)

Border Node redistributes the WLC route in the underlay (using the IGP of choice)

FE learns the route in the Global Routing Table

When FE receives CAPWAP packet from AP, the FE finds a match in the routing table and packet is forwarded directly with no VXLAN encapsulation

The AP to WLC traffic travels in the underlay

router isis

net 49.0001.0000.0000.0008.00

[..]

redistribute bgp 65002 route-map WLC_IP metric 10

route-map WLC_IP permit 10

match ip address prefix-list WLC_IP

!

ip prefix-list WLC_IP seq 5 permit 172.16.201.0/24

BGP session

WLC

B C

edge_1#sh ip route 172.16.201.0

Routing entry for 172.16.201.0/24

Known via "isis", distance 115, metric 10, type level-2

Redistributing via isis

Last update from 172.16.3.81 on GigabitEthernet1/0/1, 04:43:51 ago

Routing Descriptor Blocks:

* 172.16.3.81, from 172.16.3.254, 04:43:51 ago, via GigabitEthernet1/0/1

Route metric is 10, traffic share count is 1CAPWAP

control

BRKEWN-2020 159


WLC to AP (North to South traffic)

The AP subnet is registered in CP

Border exports AP local EID space from CP to the routing table and also import the AP routes into LISP map-cache entry

Border to advertise local AP EID space to the external domain

When Border receives CAPWAP packet from WLC, the LISP lookup happens and traffic is sent to FE with VXLAN encapsulation

The WLC to AP traffic travels in the overlay

AP to WLC ConnectionNorth-South Traffic Details

FE

Access point

172.16.3.7

CAPWAPcontrol

BGP session

Fabric

Overlay

router lisp

[…]

instance-id 4097

service ipv4

eid-table default

route-export site-registrations <exports into RIB

distance site-registrations 250

map-cache site-registration <install map-cache entries

exit-service-ipv4

!

site site_uci

[…]

eid-record instance-id 4097 172.16.3.0/24 accept-more-specifics

exit-site

B C

CAPWAPcontrol in VXLAN

non Fabric

172.16.201.202

WLC

BRKEWN-2020 160

SD-Access Wireless

Over the Top (OTT)


CUWN Over the Top (OTT)

Definition: Wireless Over the Top (OTT): traditional CAPWAP deployment connected on top

of a Fabric wired network. SD-Access Fabric is the transport for CAPWAP traffic

Why wireless OTT? As a migration step…

Customer wants/needs to first migrate wired (different Ops teams managing wired and wireless, get familiar with Fabric, different buying cycles, etc.)

Customer cannot migrate wireless to Fabric (new software, no 802.11n, wireless too critical to make changes)

SD-Access

Fabric

Non Fabric APNon Fabric WLC

CAPWAP tunnel

BRKEWN-2020 162


CUWN Over the Top (OTT)Design and Deploy considerations

WLCs connect external to fabric

Border advertises WLC Management subnet into the Fabric

Border advertises Fabric prefix for AP to the outside IP network

EID prefix 172.16.18.0/24

192.168.1.0/24

WLC Mgmt subnet

IP Network

BSDA Fabric

172.16.18.x

192.168.1.5

Mgmt InterfaceC

SSO WLC

BRKEWN-2020 163


IP Network

BSDA Fabric

172.16.18.24

Access Points are in overlay space on Fabric Edge switches. APs get

registered in the host tracking database (CP) as wired clients

One subnet for APs across the entire Fabric in Campus => Simplified IP

design for AP onboarding

Use pool in INFRA_VN to onboard OTT APs (*)

172.16.18.254/24

AP VLAN

172.16.18.254/24

AP VLAN

172.16.18.32

C

CAPWAP tunnel

SSO WLC


(*) assuming whole deployment is OTTBRKEWN-2020 164



IP Network

BSDA Fabric

10.2.7.254.35

OTT Wireless SSID is mapped to VLAN/subnet at WLC using dynamic interfaces

Border advertises wireless client subnets to the Fabric

10.2.7.254.0/21

Wireless Clients Subnet

10.2.7.5/21

Dynamic InterfaceC

SSO WLC CAPWAP tunnel

BRKEWN-2020 165



IP Network

BSDA Fabric

CAPWAP is built from the AP to the WLC

If APs are in the INFRA_VN, CAPWAP traffic travels in the underlay from AP to the WLC, and it’s not VXLAN encapsulated.

The return traffic, from WLC to AP, is encapsulated at the Border as with Fabric APs

10.2.7.5/21

Dynamic Interface

CAPWAP CAPWAP in VXLAN CAPWAP

C

BRKEWN-2020 166



IP Network

BSDA Fabric

10.2.7.254.35

Clients are authenticated and on-boarded by WLC

Wireless clients are external to fabric in this case

10.2.7.5/21

Dynamic Interface

CAPWAP CAPWAP in VXLAN CAPWAP

active WLC

C

BRKEWN-2020 167



IP Network

BSDA Fabric

10.2.7.254.35

Communication from a wired host in Fabric to Wireless Client outside fabric will occur through the Fabric Border – JUST LIKE TODAY!!

For the Fabric, it is like a Fabric host communicating to a known destination external to the Fabric

10.2.7.5/21

Dynamic Interface

active WLC

Fabric wired host

10.1.18.24

C

BRKEWN-2020 168



IP Network

B

SDA Fabric

CAPWAP CAPWAP in VXLAN OTT WLC

C

Common subnet for

APs – ease AP

deployment

All APs model are

supported

Increase MTU along

the path to prevent

fragmentation

External to Fabric.

No need to upgrade

code. All features

work as today

Cisco Prime

Can use Cisco Prime

or GUI to manage

BRKEWN-2020 169



IP Network

B

SDA Fabric

CAPWAP CAPWAP in VXLAN OTT WLC

C

Common subnet for

APs – ease AP

deployment

All APs model are

supported

Increase MTU along

the path to prevent

fragmentation

External to Fabric.

No need to upgrade

code. All features

work as today

you can manage it

using Cisco DNA

Center

BRKEWN-2020 170

SD-Access Wireless

More on Design & Deploy


SDA Fabric

SD-Access WirelessDesign and Deploy considerations

WLCs connect external to fabric

Fabric AP joins in Local WLC local to the Site – no support for Flex or WLC over WAN

Latency between AP and WLC < 20 ms

Border advertises WLC Management subnet to the Fabric

Border advertises Fabric prefixes to the WLC Management network

APs’ EID prefix 172.16.3.0/24

172.16.201.0/24

WLC Mgmt subnet

IP Network

B

C

Fabric WLC

BRKEWN-2020 172


SDA Fabric


B

172.16.3.110

Access Points are directly connected to the Fabric Edge APs are in overlay space on Fabric Edges One subnet for APs across the entire Fabric APs get registered in the CP database Simplified IP design for AP onboarding (one subnet)

172.16.3.1/24AP VLAN

172.16.3.1/24

AP VLAN

172.16.3.201

EID prefix 172.16.3/24

C

Fabric WLC

IP Network

BRKEWN-2020 173



BSDA Fabric

Client subnets are distributed on Fabric Edge switches No need to define client subnets on WLC Client subnets are mapped to VLAN with Anycast Gateway on all Fabric Edge switches All roams are Layer-2 Roams

192.168.103.1

Client VLAN

EID prefix 192.168.103.0/24

192.168.103.1

Client VLAN

192.168.103.77

192.168.103.71

C

Fabric WLC

IP Network

BRKEWN-2020 174


SDA Fabric


B

192.168.18.0/24

Client VLAN

192.168.103./24

Client VLAN

192.168.103.77

wired host

192.168.18.12

C

Fabric WLC

Wireless client traffic is distributed No hair-pinning to centralized controller Communication to wired clients is directly through Fabric

IP Network

BRKEWN-2020 175

Multicast


SD-Access Fabric

Important things to know:

Multicast traffic is transported in the overlay, in the EID space, for both wired and wireless clients

To enable multicast for wireless, Global Multicast mode and IGMP snooping need to to be enabled globally on the WLC

At FCS, multicast traffic leverages head-end replication to forward traffic to the Fabric multicast destination

Multicast

non

Fabric

FE1

Multicast source

Overlay

VXLAN tunnels

B

FE2

VXLAN

FB

Fabric RP

BRKEWN-2020 177


SD-Access FabricHow Multicast Works – Multicast Receiver to RP

non

Fabric

FE

Multicast source

Multicast client (receiver) is in the overlay, multicast source can be outside Fabric or in the overlay as well

PIM-SM/PIM-SSM needs to be running in the Overlay

The client sends IGMP join for a specific multicast Group (G)

AP encapsulates it in VXLAN and send it to the upstream switch.

The Fabric Edge node (FE) receives it and does a PIM Join towards the Fabric Rendezvous Point RP (assuming PIM-SM is used)

The RP needs to be present in the Overlay as part of the End point IP space. IGMP join

Underlay

VXLAN

PIM join

B

FB

Fabric RP

BRKEWN-2020 178


SD-Access FabricHow Multicast Works – Multicast Source to RP

non

Fabric

FE

Multicast source

The Multicast source will send the multicast traffic on the interfaces towards the Fabric Border(FB) as it’s the DR for that segment.

The FB receives it and does a PIM Join towards the RP (assuming PIM-SM is used)

The RP now has the source and receiver information for that multicast group.

Underlay

VXLAN

PIM join

B Multicast traffic

FB

Fabric RP

BRKEWN-2020 179


SD-Access FabricHow Multicast Works – Data Plane

non

Fabric

FE

Multicast source

From Earlier, The RP now has the source and receiver information for a particular multicast group.

The FB will send the multicast source traffic over a VXLAN tunnel to the RP and the RP will forward that traffic to the FE over another VXLAN tunnel.

FE receives the VXLAN packets, decapsulates, applies policy and then forwards it again to the AP over an VXLAN tunnel.

The AP removes the VXLAN header and send the original IP multicast packet into the air.

Underlay

VXLAN

B

VXLAN tunnels

FB

Fabric RP

BRKEWN-2020 180


SD-Access Fabric Once the first multicast packet is delivered to the FE the

shortest path failover (SPT) happens and the traffic is forwarded between the FB and the FE directly.

The FE knows that the FB owns the multicast source based on the first multicast packet received and send a PIM join directly to the FB for that multicast group.

FB now knows which FEs have clients that requested the specific multicast Group.

It performs headend replication and VXLAN encapsulates the multicast traffic and unicasts it to the interested FEs

The multicast traffic is sent in the overlay

FE receives the VXLAN packets, decapsulates, apply policy and then forwards it again to the AP.

The AP removes the VXLAN header and send the original IP multicast packet into the air

How Multicast Works

non

Fabric

FE1

Multicast source

Overlay

VXLAN tunnels

B

FE2

VXLAN

FB

Fabric RP

BRKEWN-2020 181


Cisco DNA Center 1.2 - Override PSK

Step 3 : When traversed to Building or

site in the hierarchy, PSK SSIDs are

listed and the passphrase for the SSID

can be modified.

Step 4 : Passphrase updated PSK

SSID is shown below in the screenshot

and the inheritance is not seen for the

updated SSID.

3

4

BRKEWN-2020 182

SD-Access Wireless IPV6 support


IPv6 support for clients in Fabric

IPv6 support is enabled in the overlay of the fabric. Underlay continues to be IPv4.

Endpoints can have IPv4 addresses or dual-stack (IPv4+IPv6) addresses.

IPv6 address assignment can be static IP, using SLAAC and/or DHCP. SLAAC can be enabled only if CIDR is /64

IPv6 DHCP and DNS needed for pool with IPv6. ISE, Syslog and SNMP server still IPv4.

First create IPv4 and IPv6 pools at global level

Then reserve pools (IPv4 or dual-stack) at site level

BRKEWN-2020 185


IPv6 DHCP and DNS

BRKEWN-2020 186


IPv4 and IPv6 Pools at Global level

•

BRKEWN-2020 187


Reserve Pools (IPv4 or Dual stack) at Site level

•

BRKEWN-2020 188


Reserving a Pool (IPv4 or Dual stack)

•

BRKEWN-2020 189


Pool upgrade: edit pool

BRKEWN-2020 190


Warning on site: need to re-provision Fabric

BRKEWN-2020 191

BRKEWN-2020.pdf - Cisco Live

Documents

Transcript of BRKEWN-2020.pdf - Cisco Live