BRKEWN-2020.pdf - Cisco Live
-
Upload
khangminh22 -
Category
Documents
-
view
0 -
download
0
Transcript of BRKEWN-2020.pdf - Cisco Live
#CLUS © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Monday (June 10) Tuesday (June 11) Wednesday (June 12) Thursday (June 13)
08:00-11:00 11:00-13:00 13:00-15:00 15:00-18:00 08:00-11:00 11:00-13:00 13:00-15:00 15:00-18:00 08:00-11:00 11:00-13:00 13:00-15:00 15:00-18:00 08:00-11:00 11:00-13:00 13:00-15:00 15:00-18:00
Sessions are available Online @ CiscoLive.com
You Are Here
BRKCRS-2810Fundamentals
Cisco Software-Defined AccessCisco Live San Diego - Session Map
BRKCRS-2811Connect Outside
BRKCRS-2818Connect SDWAN
BRKCRS-1501Validated Design
BRKSEC-2025Security
BRKEWN-2021Live Setup
BRKCRS-2819Cross-Domain
BRKCRS-3811Policy
BRKCRS-2821Integration
BRKNMS-2814Assurance
BRKARC-2020Troubleshoot
BRKCRS-2812Migration
BRKCRS-2815Connect Sites
BRKEWN-2020Wireless
BRKCRS-2816Underlay
BRKCRS-3810Deep Dive
BRKCRS-2817Extension
BRKCRS-2825Scaling
BRKEWN-2020 2
#CLUS
Simone Arena, Principal TME
BRKEWN-2020
Why and how integrating wireless in SDA
SD-Access Wireless
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Software Defined Access – Wireless IntegrationSession Objective
1 Why Fabric and why integrating wireless?
2 How does it really work?
BRKEWN-2020 4
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access: why would you care?
SD-Access Wireless Architecture
Demo: Let’s make it real!
A look under the hood
SD-Access Wireless Design & Deploy
SD-Access Wireless Adoption/Migration
Key takeaways
Agenda
BRKEWN-2020 5
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
All the features introduced with Cisco DNAC 1.2.x and 1.3
Wireless Over The Top (OTT)
Multicast in SDA
SDA (wired) product support
But you do have these in the slides!
What I am not covering…
BRKEWN-2020 6
Questions? Use Cisco Webex Teams to chat with the speaker after the session
Find this session in the Cisco Live Mobile App
Click “Join the Discussion”
Install Webex Teams or go directly to the team space
Enter messages/questions in the team space
How
Webex Teams will be moderated by the speaker until June 16, 2019.
1
2
3
4
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Cisco Webex Teams
cs.co/ciscolivebot#BRKEWN-2020
7
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Cisco’s Intent-Based NetworkDelivered by Cisco Software Defined Access
Intent-BasedNetwork Infrastructure
Cisco DNA Center
AnalyticsPolicy Automation
WirelessSwitch Route
I N T E N T C O N T E X T
S E C U R I T Y
L E A R N I N G
SD-Access
Branch
Wireless Control
Fabric Control
ACI Data Center
SAAS
Fabric Border
Fabric Edge
SD-WAN
BRKEWN-2020 8
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
CB B
Cisco Software Defined AccessThe Foundation for Cisco’s Intent-Based Network
IoT Network Employee Network
Client Mobility
Policy follows User
Outside
Cisco DNA Center
AssuranceAutomationPolicy
SD-AccessExtension
Automated Network Fabric
Single fabric for Wired and Wireless with full automation
Insights and Telemetry
Analytics and insights into User and Application experience
Identity-Based Policy and Segmentation
Policy definition decoupled from VLAN and IP address
BRKEWN-2020 9
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access TestimonialsLive Customer SD-Access Deployments
370+Production
Deployments
Cisco IT
Network Services
www.cisco.com/c/en/us/solutions/enterprise-networks/network-architecture-customer-success-stories.html
BRKEWN-2020 10
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Cisco SD-Access @ CiscoLive USCisco DNA Center with SD-Access Fabric
Marriott Marquis San Diego
BRKEWN-2020 11
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Cisco SD-Access @ CiscoLive USCisco DNA Center with SD-Access Fabric
Marriott Marquis San Diego
Monday Keynote
1600+ client peakSimone
BRKEWN-2020 12
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
What is the Problem?Common requirements and challenges
How can SDA Fabric help?
WLC
DHCPDNSAAA
ADLDAP
Data Centre WLC
IoT device
IoT device
Challenges:
Secure onboarding for different type of devices
Simplify segmentation across wired and wireless
Reducing the complexity of managing the network
Root cause problems quickly
14
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Enterprise Network
PAYLOAD DATA IP SRC IP DSTPROTDST
PORT
SRC
PORTDSCP
Policy is based on “5 Tuple”
• QoS
• Security
• Redirect/copy
• Traffic engineering
• etc.
Network Policy
What is the Problem?Policy Model Today
• Only Transitive information• Survives end to end
BRKEWN-2020 15
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Enterprise Network
PAYLOAD DATA IP SRC IP DSTPROTDST
PORT
SRC
PORTDSCP
Network Policy
What is the Problem?Policy Model Today
IP
ADDRESSES
Locate you Identify you Drive “treatment” Constrain you
User/device info?VLAN 10
SSID B
SSID A
VLAN 20
VLAN 40
SSID D
SSID C
VLAN 30
access-list 102 deny udp 167.160.188.162 0.0.0.255 gt 4230 248.11.187.246 0.255.255.255 eq 2165access-list 102 deny udp 32.124.217.1 255.255.255.255 lt 907 11.38.130.82 0.0.31.255 gt 428access-list 102 permit ip 64.98.77.248 0.0.0.127 eq 639 122.201.132.164 0.0.31.255 gt 1511access-list 102 deny tcp 247.54.117.116 0.0.0.127 gt 4437 136.68.158.104 0.0.1.255 gt 1945access-list 102 permit icmp 136.196.101.101 0.0.0.255 lt 2361 90.186.112.213 0.0.31.255 eq 116access-list 102 deny udp 242.4.189.142 0.0.1.255 eq 1112 19.94.101.166 0.0.0.127 eq 959access-list 102 deny tcp 82.1.221.1 255.255.255.255 eq 2587 174.222.14.125 0.0.31.255 lt 4993access-list 102 deny tcp 103.10.93.140 255.255.255.255 eq 970 71.103.141.91 0.0.0.127 lt 848access-list 102 deny ip 32.15.78.227 0.0.0.127 eq 1493 72.92.200.157 0.0.0.255 gt 4878access-list 102 permit icmp 100.211.144.227 0.0.1.255 lt 4962 94.127.214.49 0.255.255.255 eq 1216access-list 102 deny icmp 88.91.79.30 0.0.0.255 gt 26 207.4.250.132 0.0.1.255 gt 1111access-list 102 deny ip 167.17.174.35 0.0.1.255 eq 3914 140.119.154.142 255.255.255.255 eq 4175access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
BRKEWN-2020 16
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
What is the Problem?User Group policy rollout - Today
Customer Policy requirements:
Customer requirements
CustomerPolicy
Three user Groups One single SSID Differentiated policies per Group Guest segmentation (wired and
wireless)
Employee
BYOD
Contractor
Production Serv.
Developer Serv.
L2 Switch
L3 Switch
Trunks
Trunk
BYOD Employee Contractor
One SSID
ProductionServers
AAA
DHCP
AD
WLC
DeveloperServers
LAN core
NetworkTouch Points
BRKEWN-2020 17
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
What is the Problem?User Group policy rollout - Today
L2 Switch
L3 Switch
Trunks
Trunk
BYOD Employee Contractor
One SSID
ProductionServers
AAA
DHCP
AD
WLC
DeveloperServers
LAN core
NetworkTouch Points
1. Define Groups in AD
2. Define Policies VLAN/subnet based
3. Implement VLANs/Subnets Create VLANs Define DHCP scope Create subnets and L3 interfaces Routing for new subnets Map SSID to Interface/VLAN
4. Implement Policy Define ACLs Apply ACLs
5. Many different User Interfaces
AAA WLC Devices CLI
….
What if You Need to Add Another Group & Policy?
BRKEWN-2020 18
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
But What If …
If we could “break the dependence” between IP addressing and policy, we could greatly simplify networks – and make networks much more functional.
… we could make the IP address just be a LOCATOR for you, and provide other ways to group users / devices to apply POLICY?
Key Assertion
BRKEWN-2020 19
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
If we could “break the dependence” between IP addressing and policy, we could greatly simplify networks – and make networks much more functional.
… we could make the IP address just be a LOCATOR for you, and provide other ways to group users / devices to apply POLICY?
Key Assertion
WITH A FABRIC…
You could build and run your network in a simpler way …
Apply Policy irrespectively of network constructs (VLAN, subnet, IP address)
Easily implement Network Segmentation (w/o implementing MPLS)
Provide L2 and L3 flexibility (w/o stretching VLANs)
BRKEWN-2020 20
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
What exactly is a Fabric?
A Fabric provides an Overlay networkAn Overlay is a logical topology used to virtually connect devices, built on top of some arbitrary physical Underlay topology.
An Overlay network often uses alternate forwarding attributes to provide additional services, not provided by the Underlay.
• GRE or mGRE
• MPLS or VPLS
• IPSec or DMVPN
• CAPWAP
• LISP
• OTV
• DFA
• ACI
Examples of Network Overlays
BRKEWN-2020 21
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
What is unique about SDA Fabric?Key components
1. Control-Plane based on LISP
BRKEWN-2020 22
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Locator / ID Separation ProtocolLocation and Identity separation
IP core
Device IPv4 or IPv6 Address represents both
Identity and Location
Traditional Behavior -Location + ID are “Combined”
192.158.28.101When the Device moves, it gets a
new IPv4 or IPv6 Address for its new Identity and Location
189.16.17.89
Device IPv4 or IPv6 Address represents Identity onlyEnd Point ID (EID) space
When the Device moves, it keeps the same IPv4 or IPv6 Address.
It has the Same Identity
Overlay Behavior -Location & ID are “Separated”
IP core
Only the Location Changes (Route Locator (RLOC)
192.158.28.101
192.158.28.101
Location is Here
171.68.228.121 171.68.226.120
Underlay addressing space
MappingDatabase
Prefix RLOC192.158.28.101 …...171.68.228.121189.16.17.89 ….....171.68.226.120
22.78.190.64 ….....171.68.226.121172.16.19.90 ….....171.68.226.120192.58.28.128 ….....171.68.228.121
192.58.28.128 ….....171.68.228.121189.16.17.89 ….....171.68.226.120
Prefix RLOC192.158.28.101 …...171.68.226.120189.16.17.89 ….....171.68.226.120
22.78.190.64 ….....171.68.226.121172.16.19.90 ….....171.68.226.120192.58.28.128 ….....171.68.228.121
192.58.28.128 ….....171.68.228.121189.16.17.89 ….....171.68.226.120
BRKEWN-2020 23
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
ORIGINAL
PACKETPAYLOADETHERNET IP
PACKET IN
LISPPAYLOADIPLISPUDPIPETHERNET
PAYLOADETHERNET IPVXLANUDPIPETHERNETPACKET IN
VXLAN
Supports L2
& L3 Overlay
Supports L3
Overlay
What is unique about SDA Fabric?Key Components - VXLAN
1. Control-Plane based on LISP
2. Data-Plane based on VXLAN
BRKEWN-2020 24
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
1. Control-Plane based on LISP
2. Data-Plane based on VXLAN
3. Policy-Plane with Cisco TrustSec (CTS)
What is unique about SDA Fabric?Key components
VRF + SGT
PAYLOADETHERNET IPVXLANUDPIPETHERNET
VRF + SGT
VRF = Virtual Routing & Forwarding
SGT = Scalable Group Tagging
25BRKEWN-2020 25
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
VLAN BVLAN A
Campus Switch
DC Switchor Firewall
ApplicationServers
ISE
EnterpriseBackbone
Enforcement
Campus Switch
Voice Employee Supplier Non-CompliantVoiceEmployeeNon-Compliant
SharedServices
Employee Tag
Supplier Tag
Non-Compliant Tag
DC switch receives policy for only what is connectedClassification
Static or Dynamic SGT assignments
PropagationCarry “Group” context through the network using only SGT
EnforcementGroup Based Policies ACLs, Firewall Rules
Cisco TrustSecSoftware Defined Segmentation
BRKEWN-2020 26
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Overlay encapsulation (VXLAN)
Fabric Underlay – Forwarding plane• Connects the network elements to each other• Optimized for traffic forwarding (scalability, performance)• Networking constructs like IP, VLANs, live here
Overlay control plane
(LISP)
Underlay
Overlay
Employee
Supplier
Devices
Fabric breaks dependency between IP and Policy. Separation of Forwarding and Services planes. In Fabric Polices are tied to User/Device Identity
Fabric brings Policy Simplification
What is unique about SDA Fabric?
Cisco DNA Centre – Automation and Assurance• Single User Interface for Fabric Management & Orchestration• Policies definition based on User, Device or App Group• Design, Deploy and Monitoring and Troubleshooting
Fabric Overlay – Services plane• Dynamically connects Users/Devices/Things• IP is an ID not used for traffic forwarding• End to End Policies and Segmentation
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless brings you the best of both wireless and wired worlds
BRKEWN-2020 29
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Fabric ArchitectureRoles and Terminology
ISE / AD
Control-Plane (CP) Node – Map System that manages Endpoint ID to Location relationships. Also known as Host Tracking DB (HTDB)
Edge Nodes – A Fabric device (e.g.. Access or Distribution) that connects wired endpoints to the SDA Fabric
Group Repository – External ID Services (e.g.. ISE) is leveraged for dynamic User or Device to Group mapping and policy definition
Border Nodes – A Fabric device (e.g.. Core) that connects External L3 network(s) to the SDA Fabric
Group Repository
SD-Access Fabric
Intermediate Nodes (Underlay)
Fabric Mode WLC
Fabric Edge Nodes
Cisco DNA Controller – Enterprise SDN Controller provides GUI management abstraction via multiple Service Apps, which share information
Cisco DNA Centre
CControl-Plane
Nodes
B
Fabric Wireless Controller – Wireless Controller (WLC) fabric-enabled, participate in LISP control planeFabric Mode
APs Fabric Mode APs – Access Points that are
fabric-enabled. Wireless traffic is VXLAN encapsulated at AP
Fabric Border
B
DHCP
NCP
NDP
BRKEWN-2020 30
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless ArchitectureBringing the best of both architectures by...
1
2
3
Simplifying the Control & Management Plane
Optimizing the Data Plane
Integrating Policy & Segmentation E2E
BRKEWN-2020 31
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless ArchitectureSimplifying the Control Plane
ISE / AD
Cisco DNA Center
SD-AccessFabric
BB
Policy Abstraction
and Configuration Automation
Automation Cisco DNA Center simplifies the Fabric deployment, Including the wireless integration component
C
Fabric enabled WLC:WLC is part of LISP control plane
Centralized Wireless Control Plane WLC still provides client session management AP Mgmt, Mobility, RRM, etc. Same operational advantages of CUWN
CAPWAPCntrl plane
LISPCntrl plane
1
LISP control plane Management WLC integrates with LISP control plane WLC updates the CP for wireless clients Mobility is integrated in Fabric thanks to LISP CP
BRKEWN-2020 32
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless ArchitectureControl Plane Node – A Closer Look
A simple Host Database, that tracks Endpoint ID to Edge Node bindings (a.k.a. Route Locator or RLOCs)
Host Database supports multiple types of Endpoint ID (EID), such as IPv4 /32, IPv6 /128* or MAC/48
Receives prefix registrations from Edge Nodes for wired clients, and from Fabric mode WLCs for wireless clients
Resolves lookup requests from FE to locate Endpoints
Updates Fabric Edge nodes, Border nodes with wireless client mobility and RLOC information
Fabric Control-Plane Node is based on a LISP Map Server / Resolver
Runs the LISP Endpoint ID Database to provide overlay reachability information
1
CPEID VNI RLOC
10.1.1.20 10 192.168.1.1
C
10.1.1.20
192.168.1.1
FE1
(*) roadmapBRKEWN-2020 33
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Fabric Mode WLC integrates with the LISP Control Plane
Control Plane is centralized at the WLC for all Wireless functions
SD-Access Wireless ArchitectureFabric WLC– A Closer Look
1
FabricWLCC
FE1
WLC is still responsible for : AP image/config, Radio Resource Management (RRM) and client session management and roaming
For Fabric integration:• For wireless, client MAC address is used as EID • WLC interacts with the Host Tracking DB on Control-Plane node for
Client MAC address registration with SGT and L2 VNI • The VN information is a Layer 2 VN (L2 VNID) information and it’s
mapped to a VLAN on the FEs• WLC is responsible for updating the Host Tracking DB with roaming
information for wireless clients• Fabric enabled WLC needs to be co-located at the same site with
APs (latency between AP and WLC needs to be < 20 ms)
ab:12:cd:34:2f.56
EID L2 VNI RLOC
ab:12:cd:34:2f.56 10 192.168.1.1
192.168.1.1
BRKEWN-2020 34
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless ArchitectureOptimizing the Data Plane
ISE / AD
Cisco DNA Center
SD-AccessFabric
BB
Policy Abstraction
and Configuration Automation
Automation Cisco DNA Center simplifies the Fabric deployment, Including the wireless integration component
C
Fabric enabled WLC:WLC is part of LISP control plane
Centralized Wireless Control Plane WLC still provides client session management AP Mgmt, Mobility, RRM, etc. Same operational advantages of CUWN
CAPWAPCntrl plane
LISPCntrl plane
2
LISP control plane Management WLC integrates with LISP control plane WLC updates the CP for wireless clients Mobility is integrated in Fabric thanks to LISP CP
VXLANData plane
VXLAN from the AP Carrying hierarchical policy segmentation starting from the
edge of the network
Optimized Distributed Data Plane Fabric overlay with Anycast GW + Stretched subnet VLAN extension with no complications All roaming is Layer 2Fabric enabled AP:
AP encapsulates Fabric SSID traffic in VXLAN
VXLAN
(Data Plane)
35
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless ArchitectureOptimizing the Data Plane: Fabric Edge – A Closer Look
FabricWLCC
FE1
10.1.10.20
Fabric Edges (FE)
Fabric Edge Node is based on a LISP Tunnel Router
Provides connectivity for Users and Devices connected to the Fabric
2
Responsible for Identifying and Authenticating wired Endpoints
Registers Endpoint ID info with the Control-Plane Node(s)
Provide VN services for Wireless Clients (L3 VNID)
Onboard APs into fabric and form VXLAN tunnels with APs
Provides Anycast L3 Gateway for connected Endpoints
EID L3 VNI RLOC
10.1.1.20 100 192.168.1.1
192.168.1.1
BRKEWN-2020 36
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless ArchitectureOptimizing the Data Plane: Anycast Gateway – A Closer Look
FabricWLCC
FE1
Fabric Edges (FE)
Anycast GW provides a single L3 Default Gateway
Based on Virtual IP address (VIP)
2
192.168.1.1
Similar principle and behavior as HSRP / VRRP with a shared Virtual IP and MAC address
The same Switched Virtual Interface (SVI) is present on every Edge, with the same Virtual IP and MAC
If (when) a Host moves from Edge A to Edge B, it does not need to change it’s (L3) Default Gateway!
GW GW GWIP 10.1.1.1
MAC ab:12:cd:34:ef:56
10.1.1.1 10.1.1.1
10.1.1.1010.1.1.10
BRKEWN-2020 37
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless ArchitectureOptimizing the Data Plane: Stretched subnets – A Closer Look
FabricWLCC
FE1
Stretched subnets allow an IP subnet to be “stretched” via the overlay
Based on a Anycast GW + LISP Dynamic EID + VXLAN overlay
2
192.168.1.1
GW GW GW10.1.1.1 10.1.1.1
Host IP based traffic arrives on the local Fabric Edge SVI, and is then transferred by LISP
LISP Dynamic EID allows Host-specific (/32, /128, MAC) advertisement and mobility
No longer need to stretch a VLAN across access layer switches to connect Host 1 and 2 to get L2 adjacency
Client 1 connected to Fabric Edge 1 (FE1) can talk to client B on FE2 as they are on the same IP subnet.
Dynamic
EID
10.1.1.10 10.1.1.11
FE2
BRKEWN-2020 38
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless ArchitectureOptimizing the Data Plane: Fabric Mode AP – A Closer Look
FabricWLCC
FE1
Fabric Mode AP integrates with the VXLAN Data Plane
Wireless Data Plane is distributed at the AP
2
192.168.1.1
GW GW GW10.1.1.1 10.1.1.1
FE2
Fabric mode AP is a local mode AP and needs to be directly connected to FE or to an extended node
CAPWAP control plane goes to the WLC using Fabric
Fabric is enabled per SSID:
• For Fabric enabled SSID, AP converts 802.11 traffic to 802.3 and encapsulates it into VXLAN encoding VNI and SGT info of the client
• Forwards client traffic based on forwarding table as programmed by the WLC. Usually VXLAN DST is first hop switch.
AP applies all wireless specific feature like SSID policies, AVC, QoS, etc.
VXLAN
(Data)
BRKEWN-2020 39
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless ArchitectureSimplifying policy and Segmentation
SD Fabric
BC
IP payload 802.11IP
IP payload 802.3EID
IPVXLAN
SRC: APDST:FEA
UDP
AP removes the 802.11 header
AP adds the 802.3/VXLAN/underlay IP header
2
1
3
Client A
Client B
FE B
FE A
VXLAN
(Data)
ISE
SGT
BRKEWN-2020 40
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless ArchitectureSimplifying policy and Segmentation
SD Fabric
BC
IP payload 802.3EID
IPVXLAN
SRC: APDST:FEA
UDP
2
R Client SGT Client VN_ID R
APs embed the Policy information in the VXLAN header and forwards it
The client VRF is represented by the Layer 2 Virtual Network (L2 VNID)
Hierarchical Segmentation:1. Virtual Network (VN) == VRF - isolated routing Control Plane + Data Plane2. Scalable Group Tag (SGT) – User Group identifier
Client A
Client B
FE B
FE A
VXLAN
(Data)
3
BRKEWN-2020 41
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless ArchitectureSimplifying policy and Segmentation
SD Fabric
B
CVXLAN
(Data)
IP payload 802.3EID
IPVXLAN
SRC:AP
DST:FEAUDP
FE decapsulates the VXLAN header, looks at the L2 VNID and maps it to the VLAN and L2 LISP instance.
Then FE A does the lookup and rebuild the VXLAN encapsulates to the destination FE B
3
Client is placed in the right VRF
FEA does a lookup to CP to locate client B
Client A
Client BVRF Red
FE B
FE A
VXLAN
(Data)
SRC:FEADST:FEB
3
BRKEWN-2020 42
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless ArchitectureSimplifying policy and Segmentation
SD Fabric
B
C
IP payload 802.3EID
IPVXLAN
SRC:FEA
DST:FEBUDP
FE removes the outer IP header, looks at the VNID maps it to the VLAN.
Also looks at the SGT and apply the policy before forwarding the packet
4
Mapped to VRF
SGT policy is applied
Client Policy is carried end
to end in the
overlay
3
Client A
Client B
FE B
FE A
VXLAN
(Data)
BRKEWN-2020 43
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Benefit of SD-Access WirelessPolicy and Segmentation made easy
L2 Switch
L3 Switch
Trunks
Trunk
BYOD Employee Contractor
One SSID
ProductionServers
AAA
DHCP
AD
WLC
DeveloperServers
LAN core
NetworkTouch Points
1. Define Groups in AD
2. Design and Deploy in Cisco DNA-C Create Virtual Network for Corporate Define Policies
• Role/Group based
Apply Policies• SGT based
3. Upon user authentication, Policy is automatically applied and carried end to end
Corporate VN
Employee
SGT 100
BYOD
SGT 200
Contractor
SGT 300
Production Serv.
SGT 10
Developer Serv.
SGT 20
Original packet
VNID
BYOD SGTVXN
HDR
Fabric
SRC
Fabric
DSTEmployeeContractor
BRKEWN-2020 45
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Benefit of SD-Access WirelessPolicy and Segmentation made easy
L2 Switch
L3 Switch
Trunks
Trunk
BYOD Employee Contractor
One SSID
ProductionServers
AAA
DHCP
AD
WLC
DeveloperServers
LAN core
NetworkTouch Points
1. Define Groups in AD
2. Design and Deploy in Cisco DNA-C Create Virtual Network for Corporate Define Policies
• Role/Group based
Apply Policies• SGT based
3. Upon user authentication, Policy is automatically applied and carried end to end
Corporate VN
Employee
SGT 100
BYOD
SGT 200
Contractor
SGT 300
Production Serv.
SGT 10
Developer Serv.
SGT 20
Guest Virtual Network
IoT/HVAC Virtual Network
One
Touch
Point
BRKEWN-2020 46
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access SupportDigital Platforms for your Cisco Digital Network Architecture
For more details:cs.co/sda-compatibility-matrix
BRKEWN-2020 48
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access PlatformsFabric Edge Node for SD-Access Wireless
• Catalyst 9400
• Sup1/Sup1XL
• 9400 Cards
Catalyst 9400
• Catalyst 9300
• 1/mG RJ45
• 10/25/40/mG NM
Catalyst 9300
For more details:cs.co/sda-compatibility-matrix
• Catalyst 9500
• 1/10/25G SFP
• 40/100G QSFP
Catalyst 9500
• Catalyst 9200/L
• 1/mG RJ45
• 1G SFP (Uplinks)
Catalyst 9200
Catalyst 9200L is not supported as a Fabric Edge for SD-Access Wireless
Catalyst 9200 and 9200L do not support SD-Access Embedded Wireless controller
BRKEWN-2020 49
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Wi-Fi 6, 11ac W2 and W1* APsAireOS WLC Catalyst 9800
• AIR-CT3504
• AIR-CT5520
• AIR-CT8540
• Catalyst 9800-40/80
• Catalyst 9800-CL
• C9K Embedded WLC
• 9100/1800/2800/3800and 4800 802.11ax and 11ac Wave2
• 1700/2700/3700 1540/1560 802.11ac Wave1
SD-Access PlatformsFabric Enabled Wireless
For more details:cs.co/sda-compatibility-matrix
* No IPv6, AVC, FNF
Wi-Fi 6 APs: DNA Center 1.3 and 16.11s (IOS-XE)/8.9 AireOS
BRKEWN-2020 50
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
On ApplianceFor Private CloudFor Switch
• Catalyst 9800 for Private Cloud• 1k AP, 10k Clients• 3k AP, 32k Clients• 6k AP, 64k Clients
• Cisco IOS® XE Software
• Optimized for mobility
• Designed for IoT
• Always on Fabric with robust HA
• Scale on demand
• Catalyst 9800-40• 2k APs, 32k Clients
• Catalyst 9800-80• 6k APs, 64k Clients• Modular uplinks
• Cisco IOS® XE Software
• Optimized for mobility
• Designed for IoT
• Always on Fabric with robust HA
• Catalyst 9800 embedded wireless on Catalyst 9300
• 200 AP, 4k Clients
• Software Package activation
• Indirect AP Support
• Cisco IOS® XE Software
• Optimized for mobility
• Centralized Control Plane
• Always on Fabric with robust HA
Small and Medium Campus Medium and Large CampusOptimized for Distributed Braches
Catalyst 9800 for SD-Access Wireless
BRKEWN-2020 51
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Catalyst 9800 SD-Access Embedded Wireless
Policy stays with user
Seamless Mobility
Support• Embedded wireless controller on Catalyst 9300/9400/9500 • Single switch stack supports up to 200 APs and 4000 clients• Stack SSO redundancy• Up to #2 controllers in a Mobility Group for more scale
Cisco DNA Center
AnalyticsPolicy Automation
Catalyst 9800 SD-Access Embedded WirelessOptimized for Branch & Small Campuses
Advantages:• Extend policy based segmentation to wireless branch• No WAN Link (AP to Controller) dependency • Extend rich C9K services like ETA to wireless• Lower TCO• Flexible Deployment - Multi-tier Campus and Branch• Simple/Intuitive multi-site workflows with Cisco DNA-C
BRKEWN-2020 52
Guest VNEmployee VN
E
B C
Internet
Fabric in a Box
with Cat9800 Embedded Wireless
Guest VNEmployee VN
E
Internet
B C
Cat9800 Embedded Wireless
on Fabric Edge
Guest VNEmployee VN
Internet
B C
E
Co-Located Border + CP with
Cat9800 Embedded Wireless
9300, 9400, 9500DNA 1.3
9300, 9400, 9500DNA 1.3
9300, 9400DNA 1.4
SD-Access Embedded Wireless – deployments
Guest VNEmployee VN
Internet
B C
E
Co-Located Border + CP with
Cat9800 Embedded Wireless
9300, 9400, 9500DNA 1.3 • You can have up to #2 for scale
to 400 APs
• The 9800 WLCs will be configured in the same Mobility Group for roaming
• SSO HA is supported within the stack but NOT across stacks
• N+1 is not supported yet, coming in 1.4
SD-Access Embedded Wireless – deployments
Guest VNEmployee VN
Internet
B C
E
Multiple Co-Located Border + CP with
Cat9800 Embedded Wireless
9300, 9400, 9500DNA 1.3
B C
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
• In Cisco DNA Center, first provision the WLC and then add it to the Fabric site
• Fabric configuration is pushed to WLC. WLC becomes Fabric aware. Most importantly WLC is configured with credentials to established a secure connection to CP
• WLC is ready to participate in SD-Access Wireless
SD-Access Wireless Basic Workflows Add WLC to Fabric
SDA Fabric
B
C
CiscoDNA Center
1
1
2
2
3
FE1
Fabric WLCControl Plane (CP)
BRKEWN-2020 57
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless Basic Workflows Add WLC to Fabric – verify settings
Configuration > Wireless > Fabric
Fabric status is enabled
CP is correctly configured
BRKEWN-2020 58
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless Basic Workflows AP Join
IP Network
B
C
1
1
FE1
Fabric WLC
Admin configures AP pool in Cisco DNA Center in INFRA_VN. Cisco DNA Center pre-provision a configuration macro on all the FEs
CiscoDNA Center
BRKEWN-2020 59
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless Basic Workflows
INFRA_VN is introduced to easily onboard APs. APs are in the Fabric overlay but INFRA_VN is mapped to the global routing table
“AP pool type ” and “Layer 2 Extension” are automatically enabled on this special VN
AP Join - AP INFRA_VN
AP Pool type: triggers the AP pool automatic configuration in both FEs and WLC
Layer-2 Extension: turns on L2 service in LISP
BRKEWN-2020 60
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless Basic Workflows
By enabling AP type = AP and Layer-2 extension to ON, DNA Center connects to the Wireless Controller and set the Fabric interface to VNID mapping for the AP subnet for both L2 & L3 VNIDs
AP Join – WLC configuration
BRKEWN-2020 61
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless Basic Workflows
In Cisco DNA Center the CDP macro on the FEs for AP onboarding is pushed only if the switchport No Authentication template is selected:
If any other switchport Authentication template is selected, then use static assignment to map the APs’ switch ports to the right IP pool or use MAB and ISE profiling to assign the port to the right pool.
In Cisco DNAC 1.3 we use Autoconf interface templates and these are pushed also for dot1x/MAB authentication on the FE ports
AP Join - Automatic AP onboarding
BRKEWN-2020 62
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless Basic Workflows AP Join – From Macros to Autoconf (IBNS2.0)
Fabric
any port template
show derived-config interface G1/0/1
interface GigabithEthernet 1/0/1switchport mode access...
interface GigabithEthernet 1/0/1switchport mode accessswitchport access vlan 1021
...
LAP_INTERFACE_TEMPLATE <<<built-in template
Template Definition: switchport mode accessswitchport block unicastswitchport port-security
switchport port-security aging time 2[…}exit
1. DNAC configures “autoconf enable” on all switches, which turns on Device Classifier
2. User configures AP Provisioning Pool in Onboarding page3. DNAC picks a predefined VLAN and modifies the
LAP_INTERFACE_TEMPLATE on FEs to add the AP VLAN 4. AP is plugged in (can happen before)5. Device Classifier classifies the AP using CDP, LLDP, etc6. Device Classifier applies the
LAP_INTERFACE_TEMPLATE7. The AP is placed in the right VLAN8. AP is removed, the configuration is removed
LAP_INTERFACE_TEMPLATE
Template Definition: switchport mode accessswitchport access vlan 1021switchport block unicast
switchport port-security{…}exit
New in 1.3
LAP_INTERFACE_TEMPLATE
BRKEWN-2020 63
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless Basic Workflows Benefits of autoconf and templates
Benefit Templates Macros
Can be used with all the Port Authentication (Open/Closed/Easy/No auth) templates in DNAC YESNo
(only with No auth)
The configuration pushed is ephemeral, so valid only for the duration of the device “session” YES NO
The running configuration is not touched YES NO
Removing the “applied settings” restores the initial configuration YES NO
Leverages improved Device Classifier on the switch (can add TLVs to classify devices, so flexible) YES NO
Efficiently applies commands to an interface without parsing each command each time.YES
(Template are parsed once when defined)
NO
Template application is acknowledged, allowing for synchronization and performing remedial actions where failures occur.
YES NO
BRKEWN-2020 64
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless Basic Workflows AP Join
IP Network
B
C
1
1
2
FE1
Fabric WLCAP directly connected (*)
CDP
2
(*) AP can be connected also through an “Extended node” switch
Admin configures AP pool in Cisco DNA Center in INFRA_VN. Cisco DNA Center pre-provision a configuration macro on all the FEs
AP is plugged in and powers up. FE discovers it’s an AP via CDP and applies the macro to assign the switch port the the right VLAN
CiscoDNA Center
BRKEWN-2020 65
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless Basic Workflows AP Join
IP Network
B
C
1
1
2
AP directly connected
CDP
3
3
FE1
Fabric WLC
2
DHCP
DHCP
Admin configures AP pool in Cisco DNA Center in INFRA_VN. Cisco DNA Center pre-provision a configuration macro on all the FEs
AP is plugged in and powers up. FE discovers it’s an AP via CDP and applies the macro to assign the switch port the the right VLAN
AP gets an IP address via DHCP in the overlay
BRKEWN-2020 66
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
DHCP in SDA DHCP Relay - Edge to Border
7DHCP
Reply
4
B B
BE10.1.18.0/24
DHCP
SERVER
Shared Services
1 DHCP
Request
2
SVI
10.1.18.1
SVI
10.1.18.1
• DHCP Request unicast to Border w/ Option 82 + Circuit ID• Option 82 = “1.1.1.1” (RLOC Loopback) and “10” VN ID• Source DHCP request GIADDR = 10.1.18.1 (SVI address) 3
1.1.1.1
3.3.3.3
DHCP Request
sent to Server
C20.20.20.20
1.1.1.2 1.1.1.3
SVI
10.1.18.1
4
DHCP Reply
sent to Border
• DHCP pool selected using GIADDR = 10.1.18.1• DHCP reply sent to GIADDR = 10.1.18.1• Option82 / Circuit ID is returned unchanged
6DHCP Reply sent from Border to EdgeRLOC = 1.1.1.1 with VNI = 10
• RLOC + VNI is extracted from Option82 / Circuit ID• Border encapsulates DHCP reply in VXLAN with
destination RLOC = 1.1.1.1 and VNI = 10
5
DHCP Reply
punted to Border
BRKEWN-2020 67
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Fabric Edge registers AP’s IP address and MAC (EID) and updates the Control Plane (CP)
AP learns WLC’s IP and joins using traditional methods. Fabric AP joins in Local mode
WLC checks if AP is fabric-capable (Wave 2 or Wave 1 APs)
If AP is supported, WLC queries the CP to know if AP is connected to Fabric
4
SD-Access Wireless Basic Workflows AP Join
SDA Fabric
B
C
AP CheckAP RLOC?
67
5
4
6
7
5
AP EID register
FE1
CAPWAP Join
exchange
CAPWAP in VXLAN
Fabric WLC
CAPWAP traffic
BRKEWN-2020 68
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless Basic Workflows AP Join
SDA Fabric
B
C
AP RLOC
9
8
AP L2 EID register
Control Plane (CP) replies to WLC with RLOC. This means AP is attached to Fabric and will
be shown as “Fabric enabled”
WLC does a L2 LISP registration for the AP in CP (a.k.a. AP “special” secure client
registration). This is used to pass important metadata information from WLC to the FE
8
9
FE1
Fabric WLC
BRKEWN-2020 69
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
• In response to this proxy registration, Control Plane (CP) notifies Fabric Edge and pass the metadata received from WLC (flag that says it’s an AP and the AP IP address)
• Fabric Edge processes the information, it learns it’s an AP and creates a VXLAN tunnel interface to the specified IP (optimization: switch side is ready for clients to join)
SD-Access Wireless Basic Workflows AP Join
SDA Fabric
B
C
AP EID update
FE1
interface Tunnel
Fabric WLC
10
11
10
11
BRKEWN-2020 70
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
• In response to this proxy registration, Control Plane (CP) notifies Fabric Edge and pass the metadata received from WLC (flag that says it’s an AP and the AP IP address)
• Fabric Edge processes the information, it learns it’s an AP and creates a VXLAN tunnel interface to the specified IP (optimization: switch side is ready for clients to join)
SD-Access Wireless Basic Workflows AP Join
SDA Fabric
B
C
AP EID update
FE1
interface Tunnel
Fabric WLC
10
11
10
11
edge-2#sh access-tunnel summary
Access Tunnels General Statistics:Number of AccessTunnel Data Tunnels = 1
Name SrcIP SrcPort DestIP DstPort VrfId
------ --------------- ------- --------------- ------- ----Ac0 172.16.2.98 N/A 172.16.3.130 4789 0
Name IfId Uptime ------ ---------- --------------------
Ac0 0x0000003A 0 days, 15:20:47
BRKEWN-2020 71
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
• In response to this proxy registration, Control Plane (CP) notifies Fabric Edge and pass the metadata received from WLC (flag that says it’s an AP and the AP IP address)
• Fabric Edge processes the information, it learns it’s an AP and creates a VXLAN tunnel interface to the specified IP (optimization: switch side is ready for clients to join)
• APs are now ready to be provisioned on Cisco DNA Center
SD-Access Wireless Basic Workflows AP Join
SDA Fabric
B
C
AP EID update
FE1
interface Tunnel
Fabric WLC
10
11
10
11
edge-2#sh access-tunnel summary
Access Tunnels General Statistics:Number of AccessTunnel Data Tunnels = 1
Name SrcIP SrcPort DestIP DstPort VrfId
------ --------------- ------- --------------- ------- ----Ac0 172.16.2.98 N/A 172.16.3.130 4789 0
Name IfId Uptime ------ ---------- --------------------
Ac0 0x0000003A 0 days, 15:20:47
12
BRKEWN-2020 72
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless Basic Workflows AP Join – AP Provisioning
Select the APs and click on Action > Provision
Assign them to the floor (you need to have floor created)
(optional) assign an RF profile
BRKEWN-2020 73
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless Basic Workflows AP Join – AP Provisioning
Click on Deploy to apply these settings
APs will disconnect and reconnect
Note: with C9800 APs will not reboot but just a CAPWAP reset
BRKEWN-2020 74
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless Basic Workflows AP Join – AP Provisioning- WLC config verification
APs are configured with the Policy and Site tags for Fabric
BRKEWN-2020 75
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless Basic Workflows Client Onboarding
SDA Fabric
B
C
Fabric WLC
Admin user defines a Pool for wireless clients in Cisco DNA Center Design phase. The pool is then associated to a VN during “Host Onboarding” phase. For a wireless pool, L2 LISP needs to be enabled.
As soon as the SSID is mapped to the Pool, the WLAN will be enabled and clients will see the Fabric SSID
CiscoDNA Center
BRKEWN-2020 76
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless Basic Workflows
Make sure Layer-2 Extension toggle is ON to enable L2 LISP and Layer 2 subnet extension on the client Pool/subnet. The is required for wireless to work!
Client Onboarding
BRKEWN-2020 77
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless Basic Workflows
When the pool is assigned to the Virtual Network, the correspondent Fabric interface to VNID mapping is pushed to the controller. Note: these are all L2 VNIDs
Client Onboarding – WLC config verification
BRKEWN-2020 78
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless Basic Workflows
WLANs are mapped to the pool in the respective Virtual Networks
Client Onboarding
BRKEWN-2020 79
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless Basic Workflows
A Fabric Profile with the L2 VNID is added corresponding to the pool chosen:
The Policy Profile is mapped to the Fabric profile and it’s enabled for Fabric
Client Onboarding – WLC config verification
BRKEWN-2020 80
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless Basic Workflows
The Fabric WLANs are now in enable state and clients can join
Client Onboarding – WLC config verification
BRKEWN-2020 81
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
• Client authenticates to a Fabric enabled WLAN. WLC gets SGT from ISE, updates AP with client L2VNID and SGT
SD-Access Wireless Basic Workflows Client Onboarding
SDA Fabric
B
C
1
1
Client Join
Fabric WLC
Client SGT/VNID and RLOC
CAPWAP in VXLAN
FE1
ISE
BRKEWN-2020 82
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
• Client authenticates to a Fabric enabled WLAN. WLC gets SGT from ISE, updates AP with client L2VNID and SGT
• WLC knows RLOC of AP from internal DB . WLC proxy registers Client L2 info in CP; this is LISP modified message to pass additional info, like the client SGT
• FE gets notified by CP and knows it’s a client; FE adds client MAC in L2 forwarding table and go and fetch the client policy from ISE based on the client SGT
SD-Access Wireless Basic Workflows Client Onboarding
SDA Fabric
B
C
2Client MAC register
1
2
3
Client in FWD
table
3
Fabric WLC
FE1
BRKEWN-2020 83
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
• Client initiates DHCP Request
• AP encapsulates it in VXLAN with L2 VNI info (and SGT)
• Fabric Edge maps L2 VNID to the VLAN interface and forwards the DHCP packet in the overlay (same as for a wired Fabric client)
SD-Access Wireless Basic Workflows Client Onboarding
SDA Fabric
C
4
5
4
5
6
B
DHCP packet + L2 vnid
6
DHCP flow
Fabric WLC
DHCP
FE1
BRKEWN-2020 84
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
• Client receives an IP address from DHCP
• DHCP snooping triggers the client EID registration by the Fabric Edge to the CP. (If client has a static IP, then ARP or any other IP packet will trigger the registration)
This completes Client onboarding process
SD-Access Wireless Basic Workflows Client Onboarding
SDA Fabric
B
C8
Client IP, L3 VNI, RLOC IP
7
8
C
Fabric WLC
DHCP
7FE1
BRKEWN-2020 85
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
• Client roams to AP2 on FE2 (inter-switch roaming). WLC get’s notified by AP
• WLC updates forwarding table on AP with client info (SGT, L2VNID, RLOC)
• WLC updates the L2 MAC entry in CP with new RLOC FE2
SD-Access Wireless Basic Workflows Client Roams
1
SDA Fabric
B
C
FE1
FE2
2
C1
2
3
Client L2 MAC entry update
Fabric client info sent to AP
3
Fabric WLC
1AP1
AP2
BRKEWN-2020 86
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
• CP then notifies • Fabric Edge FE2 (”roam-to” switch) to add the client MAC to forwarding table pointing to VXLAN tunnel• Fabric Edge FE1 (”roam-from” switch) to do clean up for the wireless client
• FE will update the L3 entry (IP) in CP data base upon receiving traffic
• Roam is Layer 2 as FE2 has the same VLAN interface (Anycast GW)
SD-Access Wireless Basic Workflows Client Roams
4
SDA Fabric
B
FE1
FE2
AP1
AP2
4
5
5
Client IP, L3 VNI, RLOC IP
6
C
Fabric WLC
20.2.4.1/20Client SVI
20.2.4.1/20Client SVI
BRKEWN-2020 87
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless ConnectivityWhat you need to know
WLC typically connect to a “shared services” Distribution Block
VSS is the preferred topology
Management IP address in Global Routing Table
Use a specific route to advertise WLC’s IP in the underlay
WLC can talk to only #2 CP nodes
Access Points connect to Fabric Edge
APs reside in INFRA_VN (GRT) and form CAPWAP connection to WLC. No need for VRF leaking
AP can be connected to an extended node
APs are connected in Local mode
Shared ServicesDistribution (VSS)
L2 MEC
Overlay and Underlay Network Connectivity
WirelessLAN Controller(s)
Border Node Border Node
IntermediateNode
IntermediateNode
Edge Node Edge Node
AP
SD-Access Fabric
BRKEWN-2020 89
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless ConnectivityHow to connect an SSO pair of Fabric WLCs?
Shared ServicesDistribution (VSS)
L2 MEC
Outside Fabric Network Connectivity
SSO pair
Border Node Border Node
IntermediateNode
IntermediateNode
Edge Node Edge Node
AP
SD-Access Fabric
Outside Fabric Network
Connectivity
Border Node(HSRP active)
Border Node
IntermediateNode
IntermediateNode
Edge Node Edge Node
AP
SD-Access Fabric
L2 trunk with HSRP
Active Standby
Directly to the pair of FBs
To a shared Service block
BRKEWN-2020 90
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Enterprise network
SD-Access Wireless ConnectivityCatalyst 9800 – HA pair connectivity to VSS pair
VSS pair
L2 port channel+ dot1q trunk
Active Standby
RP port RP port
Active and Standby should be connected in the same way
Single L2 port-channel on each box
Enable dot1q to carry multiple VLANs
Only LAG with mode ON is supported
IMPORTANT: connect RP port to the same VSS/stack member as the uplinks and not back to back
Make sure that switch can scale in terms of ARP and MAC table entries
Same applies if switch is a stack/VSL pair/modular switch
VSS is the recommended topology
C9800 only
BRKEWN-2020 91
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless ConnectivityCatalyst 9800 – HA pair connectivity to pair of distribution switches
Enterprise network
L2 port channel+ dot1q trunk
Active Standby
RP port RP port
HSRP Active HSRP Standby
L2 link
For SSO HA, connect the Standby in the same way
Single L2 port-channel on each box
Enable dot1q to carry multiple VLANs
IMPORTANT: only LAG with mode ON is supported
IMPORTANT: connect RP port to the same switch as the uplinks and not back to back
Make sure that switch can scale in terms of ARP and MAC table entries
This is a supported topology
C9800 only
BRKEWN-2020 92
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless ConnectivityWhy can’t I use the default route to reach the WLC?
FE
non Fabric
172.16.201.202
Access point
Fabric
Underlay
CAPWAPcontrol
In order to keep the LISP communication between nodes more reliable, the following configuration has been added: “ipv4 locator reachability exclude-default”
Fabric WLC acts a proxy ETR and talks LISP to the CP
The CP (or any other node) will not consider a message from a ITR/ETR if the only way to reach back to that node is via the default route; it requires a more specific route:
Reason: if the path to that ETR becomes unavailable, LISP will come to know from the undelay IGP as the specific route will disappear; but if it’s known via the default route, the route will always be there.
Sh run | s lisp
[..]
!
ipv4 locator reachability exclude-default
ipv4 source-locator Loopback0
exit-router-lisp
BGP session
WLC
B C
CAPWAPcontrol
BRKEWN-2020 93
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless: true integration in Fabric
ISE / AD
SD-Access
Fabric
C
BB
APIC-EM
SD-Access Wireless
Fabric enabled
APs
Fabric
enabled WLC
CAPWAP Control Plane, VXLAN Data plane WLC/APs integrated in Fabric, SD-Access advantages
Requires software upgrade (8.5+)
Optimized for 802.11ac Wave 2 and 11ax APs
CAPWAP
Cntrl plane
VXLAN
Data plane
Cisco DNA Center True wireless integration with Fabric
Provides all the advantages of SDA for wireless clients:
Full automation with Cisco DNA Center
Hierarchical segmentation (VRF and SGT)
Same policy as wired
Distributed Data Plane with no drawbacks
Optimized traffic path for Guest
Recommended option
BRKEWN-2020 95
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Wireless on top of SDA Fabric
ISE / AD
SD-Access
Fabric
C
BB
APIC-EM
CUWN wireless Over The Top (OTT)
Non-Fabric
WLC
Non-Fabric
APs
CAPWAP for Control Plane and Data Plane SDA Fabric is just a transport
Supported on any WLC/AP software and hardware
Only Centralized mode is supported today
CAPWAP
Control & Data
No SDA advantages for wireless
Migration step to full SD-Access
Customer wants/need to first migrate wired (different Ops teams managing wired and wireless, get familiar with Fabric, different buying cycles, etc.) and leave wireless “as it is”
Customer cannot migrate to Fabric yet (older APs, need to certify the new software, etc.)
Cisco DNA Center
BRKEWN-2020 96
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
FlexConnect local switching is not supported in SDA 1.2 (today)
Will it work? Probably yes but it has not been fully tested hence it is not officially supported
This applies also to 3rd party APs that bridge traffic at the AP
Wireless on top of SDA Fabric
ISE / AD
SD-Access
Fabric
C
BB
APIC-EM
FlexConnect Over The Top (OTT)
Non-Fabric
WLC
Flex APs
CAPWAP for Control Plane Data plane is locally switched. Wireless traffic is
treated like wired traffic.
Not supported today (1.2)
CAPWAP Control
Ethernet traffic
Cisco DNA Center
BRKEWN-2020 97
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Wireless Integration in SDA Fabric
ISE / AD
SD-Access
Fabric
C
BB
APIC-EM
Mixed Mode
Fabric
WLC
non-Fabric SSID: client traffic is CAPWAP encapsulated to WLC
Fabric SSID: client traffic is VXLAN encapsulated
Supported in SDA 1.2 for brownfield deployments
CAPWAP
Control & Data
Fabric SSID
+
CUWN SSID
VXLAN
CAPWAP Control
Mixed mode: mix of Fabric and non-Fabric (centralized) SSIDs
Mixed mode is supported both on the same AP or different APs
With Cisco DNA Center 1.1 mixed mode is supported only for greenfield deployments
With Cisco DNA Center 1.2 mixed mode is supported also for brownfield deployments
Automation for Foreign-Anchor Guest SSID is supported in Cisco DNA Center 1.2
Cisco DNA Center
BRKEWN-2020 98
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless AdoptionWhat You Need to Know
Brownfield: Cisco DNA Center can read an existing AireOS non-Fabric config from WLC – limited to the Design settings
Mixed mode is supported: Fabric and non-fabric SSIDs on same WLC and also on the same AP – Dedicated WLC for Fabric recommended
For Over The Top (SD-Access wired as transport) Cisco DNA Center 1.2 supports AP in Local mode only (no Flex or 3rd party APs)
Mix deployment of CUWN and SDA wireless: it works but keep in mind that seamless roaming is not supported (see next slides)
BRKEWN-2020 100
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless AdoptionMigration for an existing CUWN deployment
Customer has a site with AireOS Centralized wireless
Assumptions: Migration to Fabric happens in a single area (e.g. building) at the time and migration is in one shot No need for seamless roaming between new SDA area and the existing wireless deployment
DHCP
Services Block
ISE
Cisco Prime
Non Fabric
Non Fabric
CAPWAP Control and Data
Area 1
Area 2
BRKEWN-2020 101
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless AdoptionMigration for an existing CUWN deployment
DHCP
Services Block
ISE
Cisco Prime
Area 1
Area 2
Non Fabric
SD FabricB
C
CAPWAP
CAPWAP Control and Data
Add Cisco DNA Center and ISE (if not present already)
First, migrate wired network to SD-Access Fabric
Wireless is over the top of Fabric. APs are in INFRA_VN
1
2
3
Cisco DNA Center
BRKEWN-2020 102
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless AdoptionMigration for an Existing CUWN Deployment
DHCP
Services Block
ISE
Cisco Prime
Area 1
Area 2
Non Fabric
SD FabricB
C
Fabric
WLC
VXLAN
(Data)
CAPWAP Cntrl
No seamless
roaming
Discover existing WLC to Cisco DNA Center – Learn configuration (e.g. SSIDs) and populate Cisco DNA Center
Add a dedicated WLC for SD-Access and provision it to the site (re-use the configuration inherited from old WLC)
on CUWN WLC, configure the APs in the area to join the new Fabric WLC
APs in the area will join Fabric WLC. From Cisco DNA Center provision APs to the Fabric site
1
2
3
CAPWAP Control
VXLAN
4
Cisco DNA Center
BRKEWN-2020 103
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Traditional Campus
Guest Anchor
Shared WLC
EoIP
CAPWAP
Shared controller for SDA and CUWN
• Shared WLC can manage Fabric and non-Fabric
APs but needs an upgrade to 8.5 or 8.8
• New code = more risk for existing non-Fabric
deployment
Management considerations:• Cisco DNA Center 1.2 can manage non-Fabric
WLC in brownfield scenarios but not all wireless
settings are available
WLAN Design considerations:
• Fabric is enabled per SSID
• To have same SSID name in both areas:1. Need to have different WLAN IDs with same
SSID name but different profile
2. Need to define and apply AP Groups
3. APs need to be re-booted
Guest and Policy:• Can leverage existing Guest Anchor also for Fabric
area/building
• Can leverage ISE for both deployments
ISE
SD-Access Wireless AdoptionConsideration for Shared WLC for Fabric and non-Fabric
Internal
Fabric
APs
SD-Access
Fabric
B CP
CAPWAP
Control
VXLAN
Internal
Non-
Fabric
APs
No roaming
between
Fabric and
non-Fabric
Cisco Prime
Area 1Area 2
Cisco DNA Center
BRKEWN-2020 104
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
CB B
Cisco Software Defined AccessThe Foundation for Cisco’s Intent-Based Network
IoT Network Employee Network
Client Mobility
Policy follows User
Outside
Cisco DNA Center
AssuranceAutomationPolicy
SD-AccessExtension
Automated Network Fabric
Single fabric for Wired and Wireless with full automation
Insights and Telemetry
Analytics and insights into User and Application experience
Identity-Based Policy and Segmentation
Policy definition decoupled from VLAN and IP address
BRKEWN-2020 106
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Don’t miss the SD-Access book…
It’s an e-book and you can download it from herehttps://www.cisco.com/c/dam/en/us/products/se/2018/1/Collateral/nb-06-software-defined-access-ebook-en.pdf
BRKEWN-2020 107
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access ResourcesRelated Sessions
SD-Access Fabric
Cisco SD-Access - A Look Under the Hood - BRKCRS-2810• Monday, June 10 08:00 AM - 10:00 AM
Cisco SD-Access - Connect to External Networks - BRKCRS-2811• Monday, June 10 04:00 PM - 05:30 PM
Cisco SD-Access – Integrate Existing Network - BRKCRS-2812• Tuesday, June 11 08:00 AM - 10:00 AM
Cisco SD-Access - Connect Multiple Sites - BRKCRS-2815• Tuesday, June 11 01:00 PM - 03:00 PM
Cisco SD-Access – Building the Routed Underlay - BRKCRS-2816• Wednesday, June 12 04:00 PM - 05:30 PM
Cisco SD-Access - Extend Segmentation & Policy to IoT - BRKCRS-2817• Thursday, June 13 10:30 AM - 12:00 PM
Cisco SD-Access - Technology Deep Dive - BRKCRS-3810• Thursday, June 13 01:00 PM - 02:30 PM
SD-Access Wireless
How to Setup SD-Access Wireless from Scratch - BRKEWN-2021• Tuesday, June 11 01:00 PM - 03:00 PM
Cisco SD-Access - Wireless Integration - BRKEWN-2020• Thursday, June 13 08:00 AM - 10:00 AM
SD-Access Integration
Build an SD-Enterprise with Cisco SD-WAN and SD-Access - BRKCRS-2818• Tuesday, June 11 04:00 PM - 06:00 PM
Cisco SD-Access - Troubleshooting the Fabric - BRKARC-2020• Tuesday, June 11 04:00 PM - 05:30 PM
Cisco SD-Access - Connect to the DC, Firewall, WAN & More! - BRKCRS-2821• Wednesday, June 12 08:00 AM - 10:00 AM
Cisco SD-Access - Scaling to Hundreds of Sites - BRKCRS-2825• Wednesday, June 12 01:00 PM - 02:30 PM
Cisco SD-Access Campus Cisco Validated Design - BRKCRS-1501• Thursday, June 13 08:00 AM - 10:00 AM
Cisco SD-Access - Integrate with Data Center Architectures - BRKDCN-2489• Thursday, June 13 11:00 AM - 12:00 PM
Cisco SD-Access – Assurance and Analytics - BRKNMS-2814• Thursday, June 13 01:00 PM - 02:30 PM
SD-Access Policy
Cisco SD-Access - Policy Driven Manageability - BRKCRS-3811• Wednesday, June 12 04:00 PM - 05:30 PM
Create an End-to-End Software Defined Architecture - BRKCRS-2819• Thursday, June 13 08:00 AM - 10:00 AM
BRKEWN-2020 108
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access ResourcesWould you like to know more?
cisco.com/go/cvd• SD-Access Design Guide
• SD-Access Deployment Guide
• SD-Access Segmentation Guide
cisco.com/go/dnacenter• Cisco DNA Center At-A-Glance
• Cisco DNA ROI Calculator
• Cisco DNA Center Data Sheet
• Cisco DNA Center 'How To' Video Resources
cisco.com/go/sdaccess• SD-Access At-A-Glance
• SD-Access Ordering Guide
• SD-Access Solution Data Sheet
• SD-Access Solution White Paper
cisco.com/go/dna
BRKEWN-2020 109
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access ResourcesRelated Labs
SD-Access Hands-On Labs
Cisco SD-Access & ACI Integration - Hands-on Lab - LTRACI-2636• Sunday, June 09 09:00 AM - 01:00 PM
SD-Access with Cisco ISE and Cisco DNA Center - LTRSEC-1571• Sunday, June 09 09:00 AM - 01:00 PM
Cisco SD-Access - Hands-on Lab - LTRCRS-2810• Thursday, June 13 08:00 AM - 12:00 PM
SD-Access WISP Labs
DNA Center: SD-Access Distributed Campus Lab - LABCRS-2003• Walk-In Self-Paced
DNA Center: SD-Access Fabric Enabled Wireless - LABCRS-2600• Walk-In Self-Paced
DNA Center: SD-Access/TrustSec/ACI Integration Lab - LABCRS-3000• Walk-In Self-Paced
BRKEWN-2020 110
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access ResourcesLearning @ Cisco - On Demand Training
Provides a proven, cost-effective alternative to instructor-led training via a comprehensive library of high-definition video lectures available on a 12-month subscription basis.
Each license provides 24/7 access to a growing library of world-class technical courses ranging from product training and troubleshooting.
Planning and Deploying SD-Access Fundamentals (for Customers) - CUST-SDA-FUND
This course focuses on deploying the Cisco Software-Defined Access (SD-Access) solution from the ground up. It starts with how to integrate Cisco Identity Services Engine (ISE) and Cisco DNA Center and ends with end-to-end troubleshooting and using Cisco DNA Assurance to monitor and troubleshoot endpoint and fabric issues.
14 hours of Video Content
Preparing the ISE for SD-Access (for Customers) - CUST-SDA-ISE
This course provides a focused look at Cisco Identity Services Engine (ISE) operation and group-based policy configuration as they apply to Cisco Software-Defined Access (SD-Access).
5 hours of Video Content
1
2
www.cisco.com/c/en/us/training-events/resources/training-services.html
Earn up to 16 points for CCIE CEP!
BRKEWN-2020 111
Complete your online session evaluation
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live water bottle.
• All surveys can be taken in the Cisco Live Mobile App or by logging in to the Session Catalog on ciscolive.cisco.com/us.
Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com.
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS BRKEWN-2020 112
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Continue your education
Related sessions
Walk-in labsDemos in the Cisco campus
Meet the engineer 1:1 meetings
BRKEWN-2020 113
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Cisco DNA Center 1.3 – Advanced SSIS settings
• These apply to both Enterprise and Guest SSIDs
BRKEWN-2020 117
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Cisco DNA Center 1.3 – AAA per SSID
• Currently only two AAA Server [Primary and Secondary] per site/building/floor is supported .
• Only one ISE server can be mapped to particular site[building or floor].
• User can’t Map primary as ISE server and secondary as other AAA server(non ISE) to particular site[Building, Floor].
• Brownfield (learning multiple ISE servers from existing config) is not supported .
• Currently this feature supports only for AireOS platform.
BRKEWN-2020 118
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Cisco DNA Center 1.3 – AAA per SSID
• Currently only two AAA Server [Primary and Secondary] per site/building/floor is supported .
• Only one ISE server can be mapped to particular site[building or floor].
• User can’t Map primary as ISE server and secondary as other AAA server(non ISE) to particular site[Building, Floor].
• Brownfield (learning multiple ISE servers from existing config) is not supported .
• Currently this feature supports only for AireOS platform.
BRKEWN-2020 119
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Cisco DNA Center 1.2 - Default RF Profile
• Admin can pick a custom RF profile to be the
Default one
Easier deployment: during AP provisioning,
Default RF profile is shown first
2
1
1
2
BRKEWN-2020 121
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Cisco DNA Center 1.2 - Band Select
Create a SSID with “Dual band
operation with band select” for
the Dual band clients for
connecting to the WLAN.
Cisco DNA Center configures
band-select per-WLAN
Global default band select
values are not changed from
Cisco DNA Center.
BRKEWN-2020 122
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Cisco DNA Center 1.2 - 5GHz only SSID
Radio Policy configuration
5GHz only will apply Radio policy 802.11a
only to the WLAN.
BRKEWN-2020 123
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Cisco DNA Center 1.2 - Hidden SSID
Admin has the option to hide SSID so that
SSID is not broadcasted.
During SSID creation, there is a toggle button
for Broadcast SSID - On / Off. The same is
reflected on WLAN configuration at WLC
BRKEWN-2020 124
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Cisco DNA Center 1.2 - Override PSK
In Cisco DNA Center 1.2, PSK for SSID can be
site specific. Each site can have different PSK
SSID.
Step 1 : Create a PSK SSID under Global
Step 2 : PSK SSID is created successfully, as
shown in below screenshot.
2
1
BRKEWN-2020 125
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Cisco DNA Center 1.2 supports PnP for APs (AP sensor is there already in 1.1.x)
AP shows up in Provision -> Unclaimed Devices. AP will be in Initialized
Unclaimed status
1
Cisco DNA Center 1.2 - PnP for AP Provisioning
BRKEWN-2020 126
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Select the AP and claim device
Claim the device which prompts to assign site and RF profile.
2
3
Cisco DNA Center 1.2 - PnP for AP Provisioning (Cont..)
BRKEWN-2020 127
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
AP gets the PnP config with WLC details from Cisco DNA Center and will be in
Onboarding state for a bit and the Success
4
Cisco DNA Center 1.2 - PnP for AP Provisioning (Cont..)
BRKEWN-2020 128
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Cisco DNA Center 1.2.8 - Outdoor AP support
1540 and 1560 11ac wave2 Access Points managed by DNAC
WLC shows APs configured for Fabric in Local mode
BRKEWN-2020 129
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Cisco DNA Center 1.2.8 - Hyperlocation with CMXAP neighborship, Client count and Health
BRKEWN-2020 130
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Cisco DNA Center 1.2.8 - WGB Support
• Topology shows WGB host connected to SDA Fabric• Detail WGB client information viewable under Assurance
BRKEWN-2020 131
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Campus
What is the Problem?Workspace of the Future
You need a distributed Data Plane (DP) without the complications that normally comes along in terms of IP addressing, roaming, etc.
Is the
Centralized
WLC a
pb??
WLC
DHCPDNSAAA
ADLDAP
Data Centre WLC
What about…
Fully leveraging the speed of 802.11ac/ax?
Mobility everywhere
Handling east-west traffic from tools like Spark room? And Video, video and video…
Onbording Sensors and IoT devices securely
Leveraging great innovation at the switch level
etc...
What
about IP
addressing
design?
BRKEWN-2020 133
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
What is the Problem?Workspace of the Future
Data plane is optimized without the complications (spanning tree, large broadcast domain, etc.) of locally distributing the traffic
WLC
DHCPDNSAAA
ADLDAP
Data Centre WLC
SDA Fabric
C B
CAPWAP
(Control)
VXLAN
(Data)
Interface VLAN
vrf forwarding Employee
ip address 10.10.10.1/24
Interface VLAN
vrf forwarding Employee
ip address 10.10.10.1/24
IoT device
IoT device
With SDA
Data Plane is distributed and optimized
Subnet is everywhere so sub-netting design is SIMPLE
Mobility is integrated in the Fabric
Layer 2 extension for IoT
The advantages of
distributed DP without
the associated
challenges
BRKEWN-2020 134
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Common HW & SW - UADP & IOS-XECP, Border & Edge - All Platforms
Catalyst 9K Series
C3K Series C4500 + Sup8 C6800 + Sup6T N7700 + Sup2E
C9300 Series C9400 + Sup1/XL C9500 10/40G C9500 25/40/100G
Common HW & SW - QFP & IOS-XECP, Border & SD-WAN cEdge*
ISR 4K Series
ASR1000 X & HX Series
ISR 4300 & 4400
For more details:cs.co/sda-compatibility-matrix
SD-Access SupportCatalyst 9K and ISR 4K Series
BRKEWN-2020 136
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access PlatformsFabric Edge Node
• Catalyst 9400
• Sup1/Sup1XL
• 9400 Cards
Catalyst 9400
• Catalyst 9200/L
• 1/mG RJ45
• 1G SFP (Uplinks)
Catalyst 9200
• Catalyst 9300
• 1/mG RJ45
• 10/25/40/mG NM
Catalyst 9300
For more details:cs.co/sda-compatibility-matrix
• Catalyst 9500
• 1/10/25G SFP
• 40/100G QSFP
Catalyst 9500
BRKEWN-2020 137
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
• Catalyst 6500/6800
• Sup2T/Sup6T
• C6800 Cards
• C6880/6840-X
Catalyst 6K
• Catalyst 4500E
• Sup8E/Sup9E (Uplink)
• 4600/4700 Cards (Host)
Catalyst 4500E
• Catalyst 3650/3850
• 1/mG RJ45
• 1/10G SFP
• 1/10/40G NM Cards
Catalyst 3K
SD-Access PlatformsFabric Edge Node
For more details:cs.co/sda-compatibility-matrix
BRKEWN-2020 138
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access PlatformsFabric Control Plane
For more details:cs.co/sda-compatibility-matrix
Catalyst 9500Catalyst 9400Catalyst 9300
• Catalyst 9300
• 1/mG RJ45
• 10/25/40/mG NM
• Catalyst 9400
• Sup1/Sup1XL
• 9400 Cards
• Catalyst 9500
• 1/10/25G SFP
• 40/100G QSFP
BRKEWN-2020 139
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access PlatformsFabric Control Plane
For more details:cs.co/sda-compatibility-matrix
ISR 4K & ENCSCatalyst 3K Catalyst 6K ASR1K
• Catalyst 3650/3850
• 1/mG RJ45
• 1/10G SFP
• 1/10/40G NM Cards
• Catalyst 6500/6800
• Sup2T/Sup6T
• C6800 Cards
• C6880/6840-X
• ISR 4300/4400
• AppX (AX)
• ENCS 5400
• ISRv / CSRv
• ASR 1000-X/HX
• AppX (AX)
• 1/10G ELC/EPA
• 40G ELC/EPA
BRKEWN-2020 140
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access PlatformsFabric Border Node
For more details:cs.co/sda-compatibility-matrix
Catalyst 9500Catalyst 9400Catalyst 9300
• Catalyst 9300
• 1/mG RJ45
• 10/25/40/mG NM
• Catalyst 9400
• Sup1/Sup1XL
• 9400 Cards
• Catalyst 9500
• 1/10/25G SFP
• 40/100G QSFP
BRKEWN-2020 141
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access PlatformsFabric Border Node
For more details:cs.co/sda-compatibility-matrix
Catalyst 3K Catalyst 6K ISR 4K ASR 1KNexus 7K*
• Catalyst 3650/3850
• 1/mG RJ45
• 1/10G SFP
• 1/10/40G NM Cards
• Catalyst 6500/6800
• Sup2T/Sup6T
• C6800 Cards
• C6880/6840-X
• ISR 4300/4400
• AppX (AX)
• 1/10G RJ45
• 1/10G SFP
• ASR 1000-X/HX
• AppX (AX)
• 1/10G ELC/EPA
• 40G ELC/EPA
* EXTERNAL ONLY
• Nexus 7700
• Sup2E
• M3 Cards
• LAN1K9 + MPLS
BRKEWN-2020 142
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access PlatformsFabric Extended Node
For more details:cs.co/sda-compatibility-matrix
Industrial EthernetCatalyst Digital BuildingCatalyst 3560-CX
• Catalyst 3560-CX
• 1/mG RJ45
• 1/10G SFP
• CDB-8U/8P
• 1/mG RJ45
• 1/10G SFP
• IE 4000/5000
• 1/mG RJ45
• 1/10G SFP
BRKEWN-2020 143
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Scale and Specifications
DNA Appliance
SKU Specs Scale and Performance SDA Design
DN1-HW-APL
(Clusters with same SKU and DN2-HW-APL)
• Based on UCS M4• 44 cores• 256 GB RAM• 12 TB SSD• List Price: $77,160
5000 Devices
1000 Switches/Routers/WLC + 4000 APs
25,000 Clients
Small orMedium
DN2-HW-APL
(Clusters with same SKU and DN1-HW-APL)
• Based on UCS M5• 44 cores• 256 GB RAM• 16 TB SSD• List Price: $88,674
5000 Devices
1000 Switches/Routers/WLC + 4000 APs
25,000 Clients
Small or Medium
DN2-HW-APL-L
(Clusters with same SKU only)
• Based on UCS M5• 56 cores• 384 GB RAM• 16 TB SSD• List Price = $147,495
8000 Devices
2000 Switches/Routers/WLC + 6000 APs
40,000 Clients
Medium orLarge
BRKEWN-2020 144
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Stateful Redundancy with SSO:
WLC SSO pair is seen as one node in Cisco DNA Center
Only Active WLC interacts with CP node and CP state is synched between Active and Standby
Upon failure, new Active WLC will bulk update Fabric clients to the CP node (LISP refresh)
Wireless APs and Clients stay connected
WLC is connected outside Fabric, so normal best practices apply to connect the SSO pair
SD-Access Wireless HA
Fabric WLC fully supports SSO High Availability
WLC Redundancy with SSOActive Standby
SSO pair
B
C
B
BRKEWN-2020 146
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Stateful Redundancy with SSO:
WLC SSO pair is seen as one node in Cisco DNA Center
Only Active WLC interacts with CP node and CP state is synched between Active and Standby
Upon failure, new Active WLC will bulk update Fabric clients to the CP node (LISP refresh)
Wireless APs and Clients stay connected
WLC is connected outside Fabric, so normal best practices apply to connect the SSO pair
• N+1 redundancy is not supported in Cisco DNA Center 1.2
SD-Access Wireless HA
Fabric WLC fully supports SSO High Availability
WLC Redundancy with SSOActive
SSO pair
B
C
B
Bulk update
BRKEWN-2020 147
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless HAControl Plane Redundancy
Control Plane is based on a LISP Map Server / Resolver
Host Database, tracks Endpoint ID to Edge Node
bindings, along with other attributes (e.g.. SGT)
Redundancy is supported in Active / Active
configuration
WLC (and Fabric Edges) are configured with two CP
nodes and synch information to both
If one fails, all client information is available at the
other CP node
C
B
C
Client updates
BRKEWN-2020 148
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless HACP Redundancy
Control Plane is based on a LISP Map Server / Resolver
C
B
C
Client updates
BRKEWN-2020 149
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless Guest
One touch Guest solution, Cisco DNA Center automated
Backend integration with ISE for Portal and Profiles configuration
BRKEWN-2020 151
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless Guest
One touch Guest solution, Cisco DNA Center automated
Backend integration with ISE for Portal and Profiles configuration
In Cisco DNA Center 1.2 both Central Web Auth (CWA) with ISE and Local WebAuth (LWA) are supported
No wired Guest automation in Cisco DNA Center 1.2
BRKEWN-2020 152
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SDA Fabric
SD-Access Wireless Guest DesignGuest as a dedicated Virtual Network
Internet
10.10.10.40
DMZ
B
WLC
C
Guest VRF
Guest and Enterprise clients share the same Enterprise CP node
Guest SSID is associated to a dedicated VN in Fabric leveraging Fabric segmentation (VNI, SGT) for guest traffic isolation
BRKEWN-2020 153
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Wireless Guest DesignGuest with dedicated Border and Control Plane nodes
InternetSDA Fabric DMZ
B
WLC Guest FB
C
BC
VXLAN to DMZ
Complete Control plane and Data plane separation from Enterprise traffic
No additional Anchor WLC: Guest traffic is optimized, sent directly to the DMZ
BRKEWN-2020 154
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SDA Fabric
SD-Access Wireless Guest DesignAnchor-Foreign CUWN Solution
Internet
10.10.10.40
DMZ
B
Foreign WLC Anchor WLC
C
CAPWAP
CAPWAP/EoIP
Automated in
Cisco DNA
Center 1.2
Well proven CUWN solution, protecting investment
Guest WLAN anchored at Guest Anchor in DMZ
BRKEWN-2020 155
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Guest SSID with Anchor WLC
Cisco DNA Center 1.2 and later supports Guest Anchor configuration for both Central Webauth (CWA) and Local WebAuth (LWA) with external portal
When provisioning the WLC now user has to option to choose Active (Foreign) or Anchor WLC
BRKEWN-2020 156
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
How to Connect WLC?
Recommended WLC Connection to Wired
WLC is connected outside Fabric to a switch in Service Block or DC
WLC side:
Use multiple ports for redundancy and group them in a LAG (Link Aggregation)
Use a pair of boxes and enable Stateful Switch Over – this will double the links to connect to the infrastructure
Leverage physical redundancy at the switch:
Single box solution: modular switch or switch stack and spread WLC links across line cards or stack members
Dual switch solution: use VSS and spread links across switches
non Fabric
B C
WLC
Fabric
OverlayLAG
Service Block switch
Shared Service Block
Stack or modular switch
Dual switch in VSS mode
BRKEWN-2020 158
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
AP to WLC ConnectionSouth-North Traffic Details
FE
non Fabric
172.16.201.202
Access point
Fabric
Underlay
CAPWAPcontrol
AP to WLC (South to North traffic)
Border Node redistributes the WLC route in the underlay (using the IGP of choice)
FE learns the route in the Global Routing Table
When FE receives CAPWAP packet from AP, the FE finds a match in the routing table and packet is forwarded directly with no VXLAN encapsulation
The AP to WLC traffic travels in the underlay
router isis
net 49.0001.0000.0000.0008.00
[..]
redistribute bgp 65002 route-map WLC_IP metric 10
route-map WLC_IP permit 10
match ip address prefix-list WLC_IP
!
ip prefix-list WLC_IP seq 5 permit 172.16.201.0/24
BGP session
WLC
B C
edge_1#sh ip route 172.16.201.0
Routing entry for 172.16.201.0/24
Known via "isis", distance 115, metric 10, type level-2
Redistributing via isis
Last update from 172.16.3.81 on GigabitEthernet1/0/1, 04:43:51 ago
Routing Descriptor Blocks:
* 172.16.3.81, from 172.16.3.254, 04:43:51 ago, via GigabitEthernet1/0/1
Route metric is 10, traffic share count is 1CAPWAP
control
BRKEWN-2020 159
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
WLC to AP (North to South traffic)
The AP subnet is registered in CP
Border exports AP local EID space from CP to the routing table and also import the AP routes into LISP map-cache entry
Border to advertise local AP EID space to the external domain
When Border receives CAPWAP packet from WLC, the LISP lookup happens and traffic is sent to FE with VXLAN encapsulation
The WLC to AP traffic travels in the overlay
AP to WLC ConnectionNorth-South Traffic Details
FE
Access point
172.16.3.7
CAPWAPcontrol
BGP session
Fabric
Overlay
router lisp
[…]
instance-id 4097
service ipv4
eid-table default
route-export site-registrations <exports into RIB
distance site-registrations 250
map-cache site-registration <install map-cache entries
exit-service-ipv4
!
site site_uci
[…]
eid-record instance-id 4097 172.16.3.0/24 accept-more-specifics
exit-site
B C
CAPWAPcontrol in VXLAN
non Fabric
172.16.201.202
WLC
BRKEWN-2020 160
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
CUWN Over the Top (OTT)
Definition: Wireless Over the Top (OTT): traditional CAPWAP deployment connected on top
of a Fabric wired network. SD-Access Fabric is the transport for CAPWAP traffic
Why wireless OTT? As a migration step…
Customer wants/needs to first migrate wired (different Ops teams managing wired and wireless, get familiar with Fabric, different buying cycles, etc.)
Customer cannot migrate wireless to Fabric (new software, no 802.11n, wireless too critical to make changes)
SD-Access
Fabric
Non Fabric APNon Fabric WLC
CAPWAP tunnel
BRKEWN-2020 162
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
CUWN Over the Top (OTT)Design and Deploy considerations
WLCs connect external to fabric
Border advertises WLC Management subnet into the Fabric
Border advertises Fabric prefix for AP to the outside IP network
EID prefix 172.16.18.0/24
192.168.1.0/24
WLC Mgmt subnet
IP Network
BSDA Fabric
172.16.18.x
192.168.1.5
Mgmt InterfaceC
SSO WLC
BRKEWN-2020 163
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
IP Network
BSDA Fabric
172.16.18.24
Access Points are in overlay space on Fabric Edge switches. APs get
registered in the host tracking database (CP) as wired clients
One subnet for APs across the entire Fabric in Campus => Simplified IP
design for AP onboarding
Use pool in INFRA_VN to onboard OTT APs (*)
172.16.18.254/24
AP VLAN
172.16.18.254/24
AP VLAN
172.16.18.32
C
CAPWAP tunnel
SSO WLC
CUWN Over the Top (OTT)Design and Deploy considerations
(*) assuming whole deployment is OTTBRKEWN-2020 164
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
CUWN Over the Top (OTT)Design and Deploy considerations
IP Network
BSDA Fabric
10.2.7.254.35
OTT Wireless SSID is mapped to VLAN/subnet at WLC using dynamic interfaces
Border advertises wireless client subnets to the Fabric
10.2.7.254.0/21
Wireless Clients Subnet
10.2.7.5/21
Dynamic InterfaceC
SSO WLC CAPWAP tunnel
BRKEWN-2020 165
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
CUWN Over the Top (OTT)Design and Deploy considerations
IP Network
BSDA Fabric
CAPWAP is built from the AP to the WLC
If APs are in the INFRA_VN, CAPWAP traffic travels in the underlay from AP to the WLC, and it’s not VXLAN encapsulated.
The return traffic, from WLC to AP, is encapsulated at the Border as with Fabric APs
10.2.7.5/21
Dynamic Interface
CAPWAP CAPWAP in VXLAN CAPWAP
C
BRKEWN-2020 166
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
CUWN Over the Top (OTT)Design and Deploy considerations
IP Network
BSDA Fabric
10.2.7.254.35
Clients are authenticated and on-boarded by WLC
Wireless clients are external to fabric in this case
10.2.7.5/21
Dynamic Interface
CAPWAP CAPWAP in VXLAN CAPWAP
active WLC
C
BRKEWN-2020 167
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
CUWN Over the Top (OTT)Design and Deploy considerations
IP Network
BSDA Fabric
10.2.7.254.35
Communication from a wired host in Fabric to Wireless Client outside fabric will occur through the Fabric Border – JUST LIKE TODAY!!
For the Fabric, it is like a Fabric host communicating to a known destination external to the Fabric
10.2.7.5/21
Dynamic Interface
active WLC
Fabric wired host
10.1.18.24
C
BRKEWN-2020 168
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
CUWN Over the Top (OTT)Design and Deploy considerations
IP Network
B
SDA Fabric
CAPWAP CAPWAP in VXLAN OTT WLC
C
Common subnet for
APs – ease AP
deployment
All APs model are
supported
Increase MTU along
the path to prevent
fragmentation
External to Fabric.
No need to upgrade
code. All features
work as today
Cisco Prime
Can use Cisco Prime
or GUI to manage
BRKEWN-2020 169
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
CUWN Over the Top (OTT)Design and Deploy considerations
IP Network
B
SDA Fabric
CAPWAP CAPWAP in VXLAN OTT WLC
C
Common subnet for
APs – ease AP
deployment
All APs model are
supported
Increase MTU along
the path to prevent
fragmentation
External to Fabric.
No need to upgrade
code. All features
work as today
you can manage it
using Cisco DNA
Center
BRKEWN-2020 170
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SDA Fabric
SD-Access WirelessDesign and Deploy considerations
WLCs connect external to fabric
Fabric AP joins in Local WLC local to the Site – no support for Flex or WLC over WAN
Latency between AP and WLC < 20 ms
Border advertises WLC Management subnet to the Fabric
Border advertises Fabric prefixes to the WLC Management network
APs’ EID prefix 172.16.3.0/24
172.16.201.0/24
WLC Mgmt subnet
IP Network
B
C
Fabric WLC
BRKEWN-2020 172
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SDA Fabric
SD-Access WirelessDesign and Deploy considerations
B
172.16.3.110
Access Points are directly connected to the Fabric Edge APs are in overlay space on Fabric Edges One subnet for APs across the entire Fabric APs get registered in the CP database Simplified IP design for AP onboarding (one subnet)
172.16.3.1/24AP VLAN
172.16.3.1/24
AP VLAN
172.16.3.201
EID prefix 172.16.3/24
C
Fabric WLC
IP Network
BRKEWN-2020 173
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access WirelessDesign and Deploy considerations
BSDA Fabric
Client subnets are distributed on Fabric Edge switches No need to define client subnets on WLC Client subnets are mapped to VLAN with Anycast Gateway on all Fabric Edge switches All roams are Layer-2 Roams
192.168.103.1
Client VLAN
EID prefix 192.168.103.0/24
192.168.103.1
Client VLAN
192.168.103.77
192.168.103.71
C
Fabric WLC
IP Network
BRKEWN-2020 174
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SDA Fabric
SD-Access WirelessDesign and Deploy considerations
B
192.168.18.0/24
Client VLAN
192.168.103./24
Client VLAN
192.168.103.77
wired host
192.168.18.12
C
Fabric WLC
Wireless client traffic is distributed No hair-pinning to centralized controller Communication to wired clients is directly through Fabric
IP Network
BRKEWN-2020 175
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Fabric
Important things to know:
Multicast traffic is transported in the overlay, in the EID space, for both wired and wireless clients
To enable multicast for wireless, Global Multicast mode and IGMP snooping need to to be enabled globally on the WLC
At FCS, multicast traffic leverages head-end replication to forward traffic to the Fabric multicast destination
Multicast
non
Fabric
FE1
Multicast source
Overlay
VXLAN tunnels
B
FE2
VXLAN
FB
Fabric RP
BRKEWN-2020 177
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access FabricHow Multicast Works – Multicast Receiver to RP
non
Fabric
FE
Multicast source
Multicast client (receiver) is in the overlay, multicast source can be outside Fabric or in the overlay as well
PIM-SM/PIM-SSM needs to be running in the Overlay
The client sends IGMP join for a specific multicast Group (G)
AP encapsulates it in VXLAN and send it to the upstream switch.
The Fabric Edge node (FE) receives it and does a PIM Join towards the Fabric Rendezvous Point RP (assuming PIM-SM is used)
The RP needs to be present in the Overlay as part of the End point IP space. IGMP join
Underlay
VXLAN
PIM join
B
FB
Fabric RP
BRKEWN-2020 178
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access FabricHow Multicast Works – Multicast Source to RP
non
Fabric
FE
Multicast source
The Multicast source will send the multicast traffic on the interfaces towards the Fabric Border(FB) as it’s the DR for that segment.
The FB receives it and does a PIM Join towards the RP (assuming PIM-SM is used)
The RP now has the source and receiver information for that multicast group.
Underlay
VXLAN
PIM join
B Multicast traffic
FB
Fabric RP
BRKEWN-2020 179
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access FabricHow Multicast Works – Data Plane
non
Fabric
FE
Multicast source
From Earlier, The RP now has the source and receiver information for a particular multicast group.
The FB will send the multicast source traffic over a VXLAN tunnel to the RP and the RP will forward that traffic to the FE over another VXLAN tunnel.
FE receives the VXLAN packets, decapsulates, applies policy and then forwards it again to the AP over an VXLAN tunnel.
The AP removes the VXLAN header and send the original IP multicast packet into the air.
Underlay
VXLAN
B
VXLAN tunnels
FB
Fabric RP
BRKEWN-2020 180
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
SD-Access Fabric Once the first multicast packet is delivered to the FE the
shortest path failover (SPT) happens and the traffic is forwarded between the FB and the FE directly.
The FE knows that the FB owns the multicast source based on the first multicast packet received and send a PIM join directly to the FB for that multicast group.
FB now knows which FEs have clients that requested the specific multicast Group.
It performs headend replication and VXLAN encapsulates the multicast traffic and unicasts it to the interested FEs
The multicast traffic is sent in the overlay
FE receives the VXLAN packets, decapsulates, apply policy and then forwards it again to the AP.
The AP removes the VXLAN header and send the original IP multicast packet into the air
How Multicast Works
non
Fabric
FE1
Multicast source
Overlay
VXLAN tunnels
B
FE2
VXLAN
FB
Fabric RP
BRKEWN-2020 181
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Cisco DNA Center 1.2 - Override PSK
Step 3 : When traversed to Building or
site in the hierarchy, PSK SSIDs are
listed and the passphrase for the SSID
can be modified.
Step 4 : Passphrase updated PSK
SSID is shown below in the screenshot
and the inheritance is not seen for the
updated SSID.
3
4
BRKEWN-2020 182
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
IPv6 support for clients in Fabric
IPv6 support is enabled in the overlay of the fabric. Underlay continues to be IPv4.
Endpoints can have IPv4 addresses or dual-stack (IPv4+IPv6) addresses.
IPv6 address assignment can be static IP, using SLAAC and/or DHCP. SLAAC can be enabled only if CIDR is /64
IPv6 DHCP and DNS needed for pool with IPv6. ISE, Syslog and SNMP server still IPv4.
First create IPv4 and IPv6 pools at global level
Then reserve pools (IPv4 or dual-stack) at site level
BRKEWN-2020 185
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
IPv6 DHCP and DNS
BRKEWN-2020 186
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
IPv4 and IPv6 Pools at Global level
•
BRKEWN-2020 187
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Reserve Pools (IPv4 or Dual stack) at Site level
•
BRKEWN-2020 188
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Reserving a Pool (IPv4 or Dual stack)
•
BRKEWN-2020 189
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public#CLUS
Pool upgrade: edit pool
BRKEWN-2020 190