Cisco CCNP Enterprise 300-420 ENSLD – SD Access Fabric Design Part 2

  1. DHCP and Security Solutions for the Fabric Domain

SD access does not require any changes to existing infrastructure services. Although fabric border devices have implement abilities to handle the DHCP relay functionality differences assisting fabric deployments depreachability in the fabric in a typical DHCP relay design the unique gateway IP address determine of net address assignment for an endpoint in addition to the location to which the DHCP server should direct the offered address in a fabric brick overlay network, that gateways not unique the same.

3Anycast IP address exists across all fabric edge devices within an overlay issues with DHCP in the fabric. The Anycast gateway provides a single L three default gateway for IP capable endpoints without special handling either at the border or DHCP server itself. The DHCP offer returning from the DHCP server through the border may not be relayed to the fabric edge switch where the DHCP request originated. There can be an issue when the same switch virtual INSV is present on every edge with the same virtual IP and Mac.

Same switch virtual interface is present on every edge with same virtual IP and Mac. When host moves from edge one to edge two, it does not need to change its default gateway. Sweep is also configured with any helper address for DHCP. This presents an issue as we do not know on which edge node a host is located as we do not have an IP address for it yet.

Once there is an IP address, control plane node will know where host is located. Control plane with fabric dynamic kidnapping maintains host to edge relationship to identify the specific DHCP relays. Cisco DNA Center automates the configuration of the relay agent at the fabric edge with DHCP option 82inning the information option for circuit ID insertion. Adding the information provides additional sub options to define the specific source relay agent. DHCP relay information embedded in the circuit ID is the destination for DHCP offer replies to the requester either by a fabric border with advanced DHCP border relay capabilities or by the DHCP server itself. The DHCP reply needs to come to the right edge niche.

Using a border with advanced DHCP border relay capability allows DHCP server scope configuration to remain unchanged. For scopes covering fabric endpoints versus standard no fabric scope creation, you are using border nods. With this additional DHCP capability, the borders inspect the DHCP offers to return DHCP server. DHCP servers that do not echo this option back must not be used.

The offers in the Rollo from fabric edge switch source of the original DHCP request preserved and returned in the offer. The border node receiving the DHCP offer references the embedded circuit ID with the Rollo information and direct EHCP offers back to the correct relay destination.

Security policy design considerations security policies vary by organization It is not possible to define one size fits all security design. Security designs are driven by information security policies and legal compliance.

The planning phase for already design is key to ensuring the right balance of security and user experience. A network segment strategy developed to enforce security policy in support of an organization’s business requirements is typically not limited a single location. It could be needed across a campus consisting of multiple buildings with thousands of divers, or across remote sites such as stores or branches, each with a handful of devices. A given network set and the policies it represents may be extended anywhere within an organization where one of the business relevant application functions reside. Historically, when implementing VRFs or Cisco Trust SEC manual, configuration of the network infrastructure is unavoidable.

Whether extending VRFs through VRF Lite or MPLSor enable propagation of the Cisco Trust SEC,VNS configuration must be completed manually, often ona hobby by hop basis. You should consider the following aspects when designing your security policy for the SD access network openness of the Network some organizations allow only organization issued devices in the network, and some support bring your own device approach. Alternatively, you can balance user choice and allow easier to manage endpoint security by deploying a choose your own device model in which a list of it approved endpoints is offered to the users for business use. An identity based approach is also possible in which the network security policies can be deployed dip on the device ownership.

For example, organization issued devices may get group based access, while no devices may get Internet access only. Identity Management in the simplest form, identity manage and be a username and password used for authenticating users. Adding embedded security functions and apps and visibility in the network devices provides telemetry for advanced policy definitions that can include additional contexts such as physical location, device used, type of access, network application used, and time of day. Authentication authorization and Accounting Policies Authentications the process of establishing and confirming the identity of a client requesting access to the network. Authorization is the process of authorizing the endpoint set of network resources.

Segmentation policies do not necessarily have Tobe enforced at the access and can be deployed in multiple locations. Policies are enforced with the use of Sgacls for segmentation within VNS and dynamic VLA. An assignment for mapping endpoints into VNS at the fabric edge node, vent logs, access control list, ACL headcounters and similar standard accounting tools are available to enhance visa endpoint security. Endpoints can be infected with malware compromising data and creating net disruptions, malware detection, endpoint management and data exports from the network. Devices provide insight into endpoint behavior. Tight integration of the network with security appliances and analytics platforms enable the network with the necessary intelligence to quarantine and help remediate compromised devices.

Data gritty and confidentiality network segmentation using Scan control access to applications such as setting employee transactions from Iota traffic. Encryption of the data path in the switching environment using IEEE 802. 1 Amasses is used to provide encryption at layer two to prevent eavesdropping and to ensure that the data pre. Modified network device security hardening the security of the network devices is essential because they are common targets for security attacks. The use of the most secure device management options such as an A device, authentication using TAC Capsules and disabling unnecessary services are best practices to ensure that work devices are secured. Enabling group based segmentation within each virtual network allows for simply hierarchical network policies.

Network level policy scopes of isolated control and data plane visible using virtual networks and group level policy scopes are possible using VNS within VNS enabling commonest application across the wired and wireless fabric. VNS provide the capability to tag endpoint traffic on a role or function within the network and subject to role based policies or Sac. Centrally defined. At is in many deployments. Active directory is used as the identity store for user accounts, credentials and Group Ship information. Upon successful authorization, endpoints can be classified based on that information and assign the appropriate scalable group assignments. These scalable groups can then be used to create segment policies and virtual network assignment rules.

Sgt information is carried across the networking SEVs inside the SD access network. The SD access fabric header transports Sgt information. Fabric. Edge nods and Border nods. Can enforce sacks to enforce the security policy. Side the fabric on a device with Cisco Trust SEC capability. Inline devices with Cisco Trust SEC carries GT information in a CMD header on the layer two frame. This is the recommended mode of transport outside the access network outside the fabric over devices without Cisco Trust SEC capability s expose the transport of VNS over a TCP connection. This can be used to bypass network devices that deport Sgt in line.

  1. Describe Sizing and Single Platform Scalability

It is important to understand how SD access and other technologies such as Sdvan interact with data centers based Oscoda and with infrastructure that has implemented either Cisco Trust SEC or VRFs. The important understanding how these technologies intersect and how policies are translated between environments cannot be overlooked. As August begin the process of migrating to a full Ibn model, existing segmentation strategies Varco, ACI, RFS or Cisco Trust SEC will influence decisions regarding how virtual networks at the macro segment level and scalable groups at a micro segmentation level should be organized and populated within an SD access.

Fabric centralized wireless control plane the Fabric wireless LAN controller integrates fabric control plane Both fabric WLCS and no fabric WLCS provide AP image and curation management, client session management and mobility services. Fabric WLCS provide Il services for fabric integration by registering Mac addresses of wireless clients into the host tracking database of the RC control plane during wireless client join events and by supplying fabric edge Rollo location updates during Chrome events. A key difference with non fabric WLC behavior is that fabric WLCS are not active participants in the data plan traffic forwarding role for the SSIDs that are fabric enabled fabric mode APS direct forward traffic to the fabric edges. Those SSIDs runs the Lisp Endpoint ID database to provide a reachability information.

A simple host database that tracks endpoint ID to edge node bindings. Host database supports multiple types of endpoint IDB such as IPV 430 sets IPV 6120, eighths Asterisk or Mac 48 receives prefix registrations from edge nodes for wired clients and from fabric mode WLCS for wireless clients. Resolves lookup request fee to locate endpoints updates. Fabric edge nodes border nods with wireless client mobility and RLO summation.

Typically, the fabric WLC devices connect to a shared services distribution or data are outside the fabric and fabric border, which means that their management IP address exists in the global routing table for the wireless APS. To establish a capwap tunnel for WLC management, the APS must be in a VM that has access to the external device in the SD access solution. Cisco DNA Center configures wireless APS to reside within the VRF named which maps to the global routing table, avoiding the need for route leaking or few outer multivrf router selectively sharing routing information services to establish connectivity, each fabric site has to have a WLC unique to that site. It is recommended to place the WLC in the local site itself because of latency requirements for SD access. Small to medium scale deployments of Cisco SD access can use the Cisco Catalyst 9800 embedded wireless controller. The controller is a way for the Catalyst 9300 switch as a software package update to provide wired and wireless fabric only infrastructure with consistent policy, segmentation security and seamless mobility while maintaining the ease of operation. Cisco unified wireless Network the wireless control plane remains unchanged using cap and, initiating on the APS and terminating on the Cisco Catalyst 9800 embedded wireless controller the data plane uses VXLAN encapsulation for the overlay traffic between the APS and the fabric edge.

The Catalyst 9800 embedded wireless controller for Catalyst 9300 series software package is wireless functionality only for Cisco SD access deployments with two supported topologies Cisco Catalyst 9300 series which is functioning as collocated border and control plane Cisco IST 9300 series which is functioning as a fabric in a box. The embedded controller only oats fabric mode access points fabric mode wireless LAN controller SD access fabric provides the best of the distributed, wired and centralized wireless architectures by providing a common overlay and extending the benefits to both wired and wireless users. Finally, with SD access fabric customers can have a common policy and unified experience for all their users independently of the access media. Fabric mode WLC integrates with the lisp control plane. Control plane is centralized at the WLC for all wireless functions.

WLC is still responsible for AP image and confit radio resource management and client Session Manager and roaming for fabric integration. For wireless client Mac address is used as EB it’s with the host tracking DB on control plane node. For client mac address registration with Sgt and L two VNI. The VN information is layer two VN L two Void information and it is mapped to a VLAN on the feds responsible for updating the host tracking DB with roaming information. For wireless clients, fabric enabled WLC needs to be collected at the same site with APS.

Latency between AP and WLC needs to be lisp control plane management in SD access fabric wired and wireless are part of a single integrated infrastructure and behave the same way in terms of connectivity, mobility and policy enforcement. Brings a unified experience for users independently of the access media. In terms of control plane integrated, the fabric wireless Lang controller, notifies the fabric control plane node of all wireless client joins roams connects. In this way, the control plane node always has all the information about both the wired and wireless clients in the fabric and always serves as a single source of truth in terms of data plane integration abbey WLC instructs the fabric access points to form a VXLAN overlay tunnel to their adjacent fabric edge nodes.

This AP VXLAN tunnel carries the segmentation and policy information to from the edge node allowing connective functionality identical to that of a wired host. When a wireless client joins the fabric wire, a fabric AP the fabric WLC on boards the endpoint into the fabric and informs the control plane node of its Mac address. The WLC then instructs the AP to form a VXLAN overlay tunnel to its adjacent edge node. Next, the wireless client will obtain an IP address for itself via DHCP. Once that completes, the end will register the IP address of the wireless client to the control plane node to form a mapping between the client Mac and Impresses and traffic to from the wireless endpoint can begin to flow.

The fabric WLC is physically located outside the fabric external to a fabric border node. This can be in the same lane on the lay as SD access external to the fabric overlay. This is because the WLC may connect either directly to the border node or BMW IP hops of A-E-G-A local data center. The IP subnet prefix of the WLC must then be arise into the underlay routing domain for AP onboarding and management by a traditional cap AP control plane. The fabric APS are connected directly to the fabric edge nodes in the fabric overlay. Alternatively, the APS may be connected to SD. Axis extended Nods the APS leverage the stretched subnet KP and any cast gateway functionality on the fabric SD access. Fabric 49 Edge Nods this allows all the fabric APS throughout the campus to be on the same subnet.

The fabric WLC must be on a network that’s 20 milliseconds or less AP to WLC latency since fabric APS operate in local mode, lisp control plane Management runs the Lisp Endpoint ID database to provide overlay reachability information. A simple host database that tracks endpoint ID to Edge node bindings hosts database supports multiple types of endpoint ID such as IPV 430 seconds IPV 6120, Asterisk or Mac 48 receives prefix registrations from Edge nodes for wire clients and fabric mode WLCS for wireless clients. Resolves lookup requests from Fay to locate endpoints updates.

Fabric edge nodes. Border nods with wireless client mobility and RLOC information. Optimizing the data Plane The APS are responsible for communication with wireless endpoints and in the wired domain. This assists the VXLAN data plane by encapsulating and the encapsulating traffic at the connected edge node. Fabric Edge Node The fabric Edge node is based on a list tunnel router. It provides connectivity for users and devices connected to the fabric. The edge node is responsible for identifying and authenticating the wired endpoints. It registers the endpoint ID info with the control plane.

Nods It provides VN services for wireless clients and on boards APS into fabric. The fabric forms VXLAN tunnels with the APS and provides an end cast l three gateway for connected endpoints anycast Gateway the Anycast Gate wades a single L three default gateway based on a virtual IP address. VIP It is similar in principle and behavior to HSRP VRRP with a shared virtual IP and Mac address.

The same switched worker face is present on every edge with the same virtual IP and Mac. If a host moves from Edger to e, it does not need to change its L three default gateway. Stretched subnets. Stretched subnets allow a subnet to be stretched via the overlay and is based on an anycast plus lisp dynamic eat plus vela overlay the host IP based traffic arrives on the local fabric edge.

Sweep and is then transferred by Lisp lip dynamic Eat allows host specific 32 128 Mac advertisement and mobility it is no longer necessary to stretch a VLAN across access layer switches to connect host one and two to get l two adjacent C. The client one connected to Fabric Edge A can talk to client B as they are on the same IP subnet. Fabric mode AP The fabric mode AP integrates with the Vinland data plane. The wiretap plane is distributed across APS. The fabric mode AP is a local mode AP and needs to be directly connected to the fabric edge. The capwap control plane goes to the WLC using fabric.

The fabric is enabled per SSID. For a fabric enabled SSID, AP converts 811 traffic to 802 three and encapsulates it into VXLAN encoding VNI and Sgt infant of the client. It forwards client traffic based on a forwarding table that is programmed by the WLC. Usually Vilna SDT is the first hop switch. The AP applies all wireless specific features SSID policies, As, etc. Asterisk AP can be connected also through an extended switch. Simplify Policy and Segmentation Here is the AP process for Simplifying policy segmentation The AP removes the 800 and 211 header.

Hierarchical segmentation of the following virtual network VN equal to VRF minus isolated routing control plane plus data scalable group tag minus user group Identifier. Simplify Policy and Segmentation The APS embed the policy information in the Vilna header and forward it. The client RF is represented by the layered two. Virtual network feed does a lookup to CP to locate client B. Simplify Policy and Segmentation Faye encapsulates the Vilna header, looks at the L two ID and maps it to the VLA and an L two Lisp instance. Then Faye does the lookup and rebuild the VIX capsules to the destination. Fay b map to VR FSGT policy is applied. The client policy is carried end to end in the overlay. Simplify policy and segmentation. Fey removes the outer IP header. Lion ID maps it to the VLAN, also looks at the Sat and apply the policy before forwarding the path connecting APS to the WLC. To better understand common side designs, simple references are used.

The numbers are used as guidelines only and do not necessarily match the specific limits. Visas within a design access points AP is directly connected to Fay or to an extended node switch. AP is part of fabric overlay. AP belongs to the infra UNESCO VN, which is mapped to the full routing table. AP joins the WLC in local mode. WLC is connected outside fabric, optionally directly to border. WLC needs to reside in global routing table to talk to CP. No need for inter verve leaking for AP to join the WLC. WLC can only belong to one FD. WLC talks to one CP two for ETI fabric.

AP is in local mode. Need less than 20 milliseconds latency between AP and WLC. If WLC is also used for no fabric mixed mode, consider Mac and App table. Scale of the direct connected border device. Very small site. Uses fabric in a box to COVID a single wiring closet with resilience supported by switch stacking designed for less than 2000 endpoints fewer than eight VNS and fewer than 100 APS. The border, control plane, edge and wireless functions colocated on a single redundant platform. Small site covers a single office or building designed to support less than 10,000 endpoints, fewer than 32 VNS and fewer than 200 APS.

The border is collocated with the control plane function on one or two devices and a sense controller has an optional etch a configuration. Medium site covers a building with multiple viruses or multiple buildings designed to support less than 250 endpoints, fewer than 64 VNS and less than 1000 APS. The border is distributed from or collocated with the control plane function using redundant gated non stacking devices and a separate wireless controller has an etch a configuration. Large Cycle is a large building with multiple wiring closets or multiple buildings designed to support less than 500 endpoints, fewer than 64 VNS and less than 2000 APS.

Multiple border exits are distributed from or collocated with the control plane function on redundant devices with dedicated non stacking edge devices and a separate wireless controller has an edge A configuration. Each fabric site includes a supporting set of Control Plane Nods, Edge, Border Nods and wireless LAN controllers sized appropriately from the listed categories. Ice Policy Nods are also distributed across the sites to meet survivability requirements in a single physical net. Multiple fabrics can be deployed.

For this case, individual fabric elements, Control Plane Nods, Border Nods, Nodes and WLCS are assigned to a single fabric only. Each reference model takes the multi dimensional design considerations along with endpoint count to provide guidelines to stay within for similar site design sizes. These do not necessarily match specific limits for devices used in a design of the site size. Connecting the WLC to wired fabric access points operate in local mode. This requires an RTT of 20 milliseconds or less between the AP and the wireless LAN controllers.

This generally meant the WLC is deployed in the same physical site as the access points. If dedicated, dark fiber exit between the physical sites and the WLCS in the data center and the latency requirement is meant WLCS and APS in different physical locations. This is commonly seen in metro area networks and SD access for distribampers AP should not be deployed across the van from the WLCS fabric. AP local mode need less than 20 milliseconds latency between AP and WLC. If WLC so used for non fabric mixed mode, consider Mac and App. Table scale of the directly connected border device recommended WLC connection to wired WLC is connected outside fabric to a switch in service block or DC WLC side.

Use multiple ports for redundancy and group them in a lagged link aggregate. Use a pair of boxers and enable tasteful switchover. This will double the links to connect to the infrastructure lever bridge physical redundancy at the switch. Single box solution modular switch or switch stack and spread WLC links across line cards or stack members. Dual switch solution uses VSS and spread links across switches. An SD access fabric site can support up to six control plane nodes in a wired only deployment. Cisco, Aero, OS and Catalyst.

WLCS can communicate with four control plane nodes in a site to use four control plane nods in a site with an SD access wireless deployment, two control plane nods are dedicated to the guest and two are dedicated to local site traffic. If dedicated guest border control plane Nods feature is not used, WLC can only communicate with two control plane nods per fabric site. Cisco A center is key to enabling automation of device deployments into the network. Providing the speed and consistency require operational efficiency. Organizations using Cisco DNA Center benefit from lower cost and reduced when deploying and maintaining their networks.

img