
Build a Software Defined Enterprise with Cisco SD-WAN and Cisco SD-Access

Markus Harbeck – Sr Solution Architect, CX
@mhgrisu
BRKCRS-2818
CCIE #8087
CCDE #20130015
BRKCRS-2818 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Cisco DNA Center
Policy | Automation | Analytics

Short hint from Markus:
“My English might be bad but although sexy”
Source: Henning Bornemann – “Thank you for Deutsche Bahn”
Who is Markus Harbeck?

Personal:
§ Location: Eschborn, Germany (near Frankfurt) but lives in Bavaria
§ Other interests: my family, 2 kids, horseback riding, motorcycling

My background:
§ CLI junkie since 1996 for all routing and switching
§ Joined Cisco October 2010
§ Before: 12 years operations, engineering, application engineering at Lufthansa Systems
§ Drives Cisco DNA Center, Automation and Analytics in EMEAR and loops in the development team and Business Unit
§ Book author – Cisco DNA Assurance 2018

Current projects:
§ Cisco DNA Center since day 1 in 2014
§ Analytics, Assurance
§ Multidomain
§ SDA, ITSM

(Illustrations: “My kids’ view on Cisco DNA Center and Network Design” – copyright by Hanna and Saskia)
Multidomain enables the network power of end-to-end segmentation and policy
OT | CAMPUS | BRANCH | DC | CLOUD | SP | SECURITY
Agenda

• Why Multidomain and Integration
• SDA → some insights
• SD-WAN → some insights
• Transit options
• What is needed for SDA – SD-WAN integration?
• Policy across SDA and SD-WAN
• How is the integration achieved?
• Bring up a new site?
• Summary
Session expectations

(Chart: technical level, from high level to low level, over session progress)

That is not a TCP session! It’s an SDA & SD-WAN session!

We will first do an introduction to SD-Access and SD-WAN, to bring everyone to the same level. Then we share the details!

Note: TCP Slow Start is part of the congestion control algorithms put in place by TCP to help control the amount of data flowing through to a network.
Source: https://www.keycdn.com/support/tcp-slow-start/
Why Multidomain and Integration
Software Defined Enterprise end-to-end network
Why do we build networks?

Users (Consumers) → Applications (Providers)

It should be simple

Users (Consumers) → Access/WAN Network → Data Center Network → Applications (Providers)

Access Network Domains

Users (Consumers) → Cisco SD-Access → Cisco SD-WAN → Cloud Edge / Data Center Network → Applications (Providers)

It’s a multi-cloud world

Users (Consumers) → Cisco SD-Access → Cisco SD-WAN → Data Center, Public Cloud (IaaS), SaaS and the Internet via Direct Internet Access → Applications (Providers)

… and a multi-access world

Users (Consumers) on Campus, in the Branch, over LTE and off-prem → SD-WAN + SD-Access (trust boundary) → Data Center, Public Cloud (IaaS), SaaS, Internet (Direct Internet Access) → Applications (Providers)

Reeling things back in – the Integrated Access Network

Users (Consumers) → Integrated Cisco SD-Access with Cisco SD-WAN → Data Center, Public Cloud (IaaS), SaaS, Internet (Direct Internet Access) → Applications (Providers)
Each Domain Must Support Its Unique Role

SD-Access – Cisco DNA Center – Campus and IoT (Users & Devices)
• Identify and onboard everything
• Authenticate and authorize access

SD-WAN – Cisco vManage – Branch/WAN (Hybrid Cloud)
• Deliver application experience
• Secure internet and cloud access

ACI – Cisco APIC – Data Center and Cloud (Data & Applications)
• Automate resources and workloads
• Prevent data breaches

The domains must cooperate to meet business intent: Segmentation | App SLA | Security
SD-Access → some insights

We know you may have seen BRKCRS-2810 with SDA basics, but we need to get everyone up to speed!
What is a Fabric? High level view

• Layer 3 based underlay with load balancing
• Behaves as one big switch/router for the endpoints
• Hides complexity from the end user
• A packet in, the same packet out
• Traffic independent (L2, L3, multicast etc.)
• Uses an overlay to transport different traffic types
• Offers macro and micro segmentation built in
• Treats a packet the same end to end
• Preserves policy information
Fabric Terminology (General)

• Overlay Network – Overlay Control Plane
• Encapsulation between Edge Devices
• Hosts (End-Points) attached to the Edge Devices
• Underlay Network – Underlay Control Plane
What is Cisco SD-Access?
Campus Fabric + Cisco DNA Center (Automation & Assurance)

§ SD-Access
  GUI approach provides automation & assurance of all Fabric configuration, management and group-based policy
  Cisco DNA Center integrates multiple management systems (APIC-EM 1.X automation, ISE, PI / analytics) to orchestrate LAN, Wireless LAN and WAN access

§ Campus Fabric
  CLI or API approach to build a LISP + VXLAN + CTS Fabric overlay for your enterprise Campus networks
  CLI provides backwards compatibility, but management is box-by-box. API provides device automation via NETCONF/YANG
  Separate management systems
Campus Fabric – Key Components

1. Control-Plane based on LISP
2. Data-Plane based on VXLAN
3. Policy-Plane based on CTS

Key differences
• L2 + L3 overlay vs. L2 or L3 only
• Host mobility with Anycast Gateway
• Adds VRF + SGT into the data plane
• Virtual Tunnel Endpoints (automatic)
• NO topology limitations (basic IP)
SD-Access Fabric – Key Components – VXLAN

1. Control-Plane based on LISP
2. Data-Plane based on VXLAN

Original packet:  ETHERNET | IP | PAYLOAD
Packet in LISP:   ETHERNET | IP | UDP | LISP | IP | PAYLOAD   – supports L3 overlay only
Packet in VXLAN:  ETHERNET | IP | UDP | VXLAN | ETHERNET | IP | PAYLOAD   – supports L2 & L3 overlay
Fabric Roles & Terminology

§ Cisco DNA Automation – provides simple GUI management and intent based automation (e.g. NCP) and context sharing
§ Cisco DNA Assurance – data collectors (e.g. NDP) analyze endpoint-to-app flows and monitor fabric status
§ Identity Services – NAC & ID systems (e.g. ISE) for dynamic endpoint-to-group mapping and policy definition
§ Control-Plane Nodes – map system that manages endpoint-to-device relationships
§ Fabric Border Nodes – a fabric device (e.g. Core) that connects external L3 network(s) to the SDA fabric
§ Fabric Edge Nodes – a fabric device (e.g. Access or Distribution) that connects wired endpoints to the SDA fabric
§ Fabric Wireless Controller – a fabric device (WLC) that connects APs and wireless endpoints to the SDA fabric
§ Intermediate Nodes – underlay devices between Edge and Border
Control-Plane Nodes – A Closer Look

The Control-Plane Node runs a Host Tracking Database to map location information → it behaves like DynDNS

• A simple host database that maps Endpoint IDs to a current location, along with other attributes
• The host database supports multiple Endpoint ID lookup types (IPv4, IPv6 or MAC)
• Receives Endpoint ID map registrations from Edge and/or Border Nodes for “known” IP prefixes
• Resolves lookup requests from Edge and/or Border Nodes to locate destination Endpoint IDs
Edge Nodes – A Closer Look

The Edge Node provides first-hop services for users / devices connected to a fabric

• Responsible for identifying and authenticating endpoints (e.g. static, 802.1X, Active Directory)
• Registers specific Endpoint ID info (e.g. /32 or /128) with the Control-Plane Node(s)
• Provides an Anycast L3 Gateway for the connected endpoints (same IP address on all Edge Nodes)
• Performs encapsulation / de-encapsulation of data traffic to and from all connected endpoints
Border Nodes

The Border Node is the entry & exit point for data traffic going into & out of a fabric

There are 3 types of Border Node:
• Internal Border (rest of company) – connects ONLY to the known areas of the company
• External Border (outside) – connects ONLY to unknown areas outside the company
• Internal + External (anywhere) – connects transit areas AND known areas of the company
Virtual Network – A Closer Look

A Virtual Network maintains a separate routing & switching table for each instance

• The Control-Plane uses the Instance ID to maintain separate VRF topologies (the “Default” VRF is Instance ID “4098”)
• Nodes add a VNID to the fabric encapsulation
• Endpoint ID prefixes (host pools) are routed and advertised within a Virtual Network (e.g. VN Campus, VN IOT, VN Guest)
• Uses standard “vrf definition” configuration, along with RD & RT for remote advertisement (Border Node)
Control Plane Roles & Responsibilities

C – Control plane (CP): LISP Map Server & Map Resolver
§ EID to RLOC mappings
§ Can be distributed across multiple LISP devices

E – Edge Node (EN) / Internal Border: LISP Tunnel Router (xTR)
§ Registers EIDs with the Map Server
§ Ingress / Egress (ITR / ETR)

B – External Border (BN): LISP Proxy Tunnel Router (PxTR)
§ Provides a default gateway when no mapping exists
§ Ingress / Egress (PITR / PETR)

Reference topology used in the following slides:
• Border B: Lo0 8.8.8.8; Control-Plane node C: Lo0 9.9.9.9 (RLOC space)
• Edge nodes EN1 Lo0 1.1.1.1, EN2 Lo0 2.2.2.2, EN3 Lo0 3.3.3.3
• Hosts 10.2.2.11/16, 10.2.2.22/16, 10.2.2.33/16 – subnet 10.2.0.0 255.255.0.0 stretched across the Edge nodes, VRF demo1 = IID 4099 (VRF / VN EID space)

EID = Endpoint Identifier (host address or subnet)
RLOC = Routing Locator (local router address = Loopback0)
IID = Instance ID
Control Plane Register

CP: show lisp site
  EID            RLOC     IID
  10.2.2.11/32   1.1.1.1  4099
  10.2.2.22/32   2.2.2.2  4099
  10.2.2.33/32   3.3.3.3  4099

(Diagram: EN1 1.1.1.1, EN2 2.2.2.2 and EN3 3.3.3.3 each send a Map-Register for their attached host to the Control-Plane node C (Lo0 9.9.9.9); Border B Lo0 8.8.8.8 with the DHCP server 172.16.1.100/24 behind it)

EN1 – 1.1.1.1: sh ip lisp eid-table vrf demo1 map-cache
  EID   RLOC   IID   (empty, nothing resolved yet)

EN3 – 3.3.3.3: sh ip lisp eid-table vrf demo1 map-cache
  EID   RLOC   IID   (empty)

Hosts 10.2.2.11, 10.2.2.22, 10.2.2.33 – subnet 10.2.0.0 255.255.0.0 (or /16) stretched across VRF demo1 = IID 4099
Control Plane Resolution
Where is 10.2.2.33?

CP: show lisp site
  EID            RLOC     IID
  10.2.2.11/32   1.1.1.1  4099
  10.2.2.22/32   2.2.2.2  4099
  10.2.2.33/32   3.3.3.3  4099

EN1 (1.1.1.1) sends Map-Request 10.2.2.33 to the CP (9.9.9.9); the CP answers with Map-Reply 10.2.2.33 – 3.3.3.3

EN1 – 1.1.1.1: sh ip lisp eid-table vrf demo1 map-cache
  EID         RLOC     IID
  10.2.2.33   3.3.3.3  4099

EN3 – 3.3.3.3: sh ip lisp eid-table vrf demo1 map-cache
  EID   RLOC   IID   (still empty)

Subnet 10.2.0.0 255.255.0.0 stretched across VRF demo1 = IID 4099
Fabric Internal Forwarding (Edge to Edge)

1. DNS entry: D.abc.com A 10.2.2.33; S (10.2.2.11) sends 10.2.2.11 → 10.2.2.33
2. The packet 10.2.2.11 → 10.2.2.33 reaches EN1 (1.1.1.1)
3. Mapping entry on EN1: EID-prefix 10.2.2.33/32, Locator-set 3.3.3.3, priority 1, weight 100
4. EN1 encapsulates 1.1.1.1 → 3.3.3.3 (outer RLOC header) carrying 10.2.2.11 → 10.2.2.33
5. EN3 (3.3.3.3) decapsulates and delivers 10.2.2.11 → 10.2.2.33 to D (10.2.2.33)

Subnet 10.2.0.0 255.255.0.0 stretched across VRF demo1 = IID 4099
Border Nodes – Anywhere / Internal + External Border (used for SD-WAN integration)

The Anywhere / Internal + External Border is the one exit point for all known and unknown destinations

• Connects to any “unknown” IP subnets outside of the network (e.g. Internet, Public Cloud) and to “known” IP subnets available from the outside network (e.g. DC, WLC, FW, etc.)
• Imports and registers (known) IP subnets from outside into the Control-Plane map system, except the default route
• Exports all internal IP pools outside (as aggregate) into traditional IP routing protocol(s)
Border Control Plane Resolution
Where is 172.16.1.100 (off SDA)?

The Border (Lo0 8.8.8.8, link address 192.168.1.1) learns the external prefix via BGP from the External Entity (192.168.1.2, network 172.16.1.100/24 with the DHCP server):
  Network          Next Hop      VRF
  172.16.1.0/24    192.168.1.2   demo1

Border: sho ip lisp instance-id 4099 route-import database
  Prefix           Uptime   Source
  172.16.1.0/24    6w3d     bgp 65123

EN1 (1.1.1.1) sends Map-Request 172.16.1.100 to the CP; the CP answers with Map-Reply 172.16.1.0/24 (8.8.8.8)

EN1 – 1.1.1.1: sh ip lisp eid-table vrf demo1 map-cache
  EID             RLOC     IID
  172.16.1.0/24   8.8.8.8  4099

Subnet 10.2.0.0 255.255.0.0 stretched across VRF demo1 = IID 4099
Fabric External Forwarding (Edge to Border)

1. DNS entry: D.abc.com A 172.16.1.100; S (10.2.2.11) sends 10.2.2.11 → 172.16.1.100
2. The packet 10.2.2.11 → 172.16.1.100 reaches EN1 (1.1.1.1)
3. Mapping entry on EN1: EID-prefix 172.16.1.0/24, Locator-set 8.8.8.8, priority 1, weight 100
4. EN1 encapsulates 1.1.1.1 → 8.8.8.8 carrying 10.2.2.11 → 172.16.1.100
5. The Border (8.8.8.8) decapsulates and forwards 10.2.2.11 → 172.16.1.100 over 192.168.1.1 to the External Entity (192.168.1.2)

Subnet 10.2.0.0 255.255.0.0 stretched across VRF demo1 = IID 4099
Fabric External Forwarding (Border to Edge)

1. The External Entity sends 172.16.1.100 → 10.2.2.11
2. External Entity: sho ip route – B 10.2.0.0/16 next hop 192.168.1.1 (the aggregate advertised by the Border), so the packet goes to the Border
3. Mapping entry on the Border: EID-prefix 10.2.2.11/32, Locator-set 1.1.1.1, priority 1, weight 100
4. The Border encapsulates 8.8.8.8 → 1.1.1.1 carrying 172.16.1.100 → 10.2.2.11
5. EN1 (1.1.1.1) decapsulates and delivers 172.16.1.100 → 10.2.2.11 to S (10.2.2.11)

Subnet 10.2.0.0 255.255.0.0 stretched across VRF demo1 = IID 4099
Internal Border routes advertised outside

Topology: Host Pool 10 (10.2.2.0/24, gateway 10.2.2.1/24) – Edge Node 1 (1.1.1.1/32) – Border Node (8.8.8.8/32, 192.168.1.1/24) – BGP – External Entity (IP network 172.16.1.100/24); Control-Plane node C

• The Border Node advertises the EID prefix into the external protocol of choice (eBGP).
• The advertisement is summarized so that /32 host routes are not exposed to the external domain.
• Repeat for other IP subnets and VRFs in the fabric.

Border Node configuration:

  router lisp
   locator-table default
   locator-set border
    ipv4-interface Loopback0 priority 10 weight 10
   !
  router bgp 65004
   !
   address-family ipv4 vrf USER
    redistribute lisp metric 10
    aggregate-address 10.2.2.0 255.255.255.0 summary-only
   exit-address-family
External routes advertised inside

Topology: Host Pool 10 (10.2.2.0/24, gateway 10.2.2.1/24) – Edge Node 1 (1.1.1.1/32) – Border Node (8.8.8.8/32, 192.168.1.1/24) – BGP – External Entity (IP network 172.16.1.100/24); Control-Plane node C

• The Border also imports the external prefixes into the Campus Fabric LISP domain.
• Repeat for other IP subnets and VRFs in the fabric.

Border Node configuration:

  router lisp
   locator-table default
   locator-set border
    ipv4-interface Loopback0 priority 10 weight 10
   !
   eid-table vrf USER instance-id 10
    ipv4 route-import database bgp 65004 locator-set border
   exit
   !
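The register / resolution / import / export behaviour on the preceding slides can be simulated in a few dozen lines. The following is an added example written for this page, not code from the deck and not Cisco software: it is a toy LISP mapping system using the deck's own addresses (EN1..EN3 at 1.1.1.1..3.3.3.3, Border 8.8.8.8, VRF demo1 = IID 4099, external prefix 172.16.1.0/24 from BGP AS 65123). Class and function names are my own and do not correspond to IOS-XE commands; the Border is assumed to also act as PETR for destinations that have no mapping.

```python
"""Toy LISP mapping system for one SD-Access fabric site (added example, not deck code).

Models the preceding slides with the deck's own addresses: Edge nodes Map-Register
their /32 hosts with the Control-Plane node, the Border route-imports BGP-learned
prefixes but never the default route, an Edge resolves a destination with a
Map-Request and caches the RLOC, and the Border exports the host pool as one
aggregate so /32s never leave the fabric. Names are mine, not IOS-XE commands.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class MapEntry:
    eid: IPv4Network
    rloc: str
    source: str                        # "register" (Edge) or "bgp <asn>" (Border route-import)


class ControlPlaneNode:
    """Map-Server / Map-Resolver: host tracking database keyed by Instance ID."""

    def __init__(self) -> None:
        self.db: Dict[int, Dict[IPv4Network, MapEntry]] = {}
        self.petr: Dict[int, str] = {}  # per-IID fallback RLOC (External / Anywhere Border)

    def map_register(self, iid: int, eid: str, rloc: str) -> None:
        net = ip_network(eid, strict=False)          # "10.2.2.11" -> 10.2.2.11/32
        self.db.setdefault(iid, {})[net] = MapEntry(net, rloc, "register")

    def route_import(self, iid: int, prefixes: List[str], rloc: str, asn: int) -> List[IPv4Network]:
        """Border registers BGP-learned prefixes; 0.0.0.0/0 is skipped, as the slide says."""
        imported = []
        for p in prefixes:
            net = ip_network(p, strict=False)
            if net.prefixlen == 0:
                continue
            self.db.setdefault(iid, {})[net] = MapEntry(net, rloc, f"bgp {asn}")
            imported.append(net)
        return imported

    def set_petr(self, iid: int, rloc: str) -> None:
        self.petr[iid] = rloc

    def map_request(self, iid: int, dst: str) -> Optional[Tuple[IPv4Network, str]]:
        """Longest-prefix match inside one IID; unknown EIDs go to the PETR if one exists."""
        addr = ip_address(dst)
        best: Optional[MapEntry] = None
        for net, entry in self.db.get(iid, {}).items():
            if addr in net and (best is None or net.prefixlen > best.eid.prefixlen):
                best = entry
        if best is not None:
            return best.eid, best.rloc
        return (ip_network("0.0.0.0/0"), self.petr[iid]) if iid in self.petr else None


class EdgeNode:
    """xTR: registers attached hosts, keeps a map-cache, chooses the outer RLOC header."""

    def __init__(self, name: str, rloc: str, cp: ControlPlaneNode) -> None:
        self.name, self.rloc, self.cp = name, rloc, cp
        self.map_cache: Dict[Tuple[int, IPv4Network], str] = {}

    def attach_host(self, iid: int, ip: str) -> None:
        self.cp.map_register(iid, ip, self.rloc)

    def forward(self, iid: int, dst: str) -> Optional[Tuple[str, str]]:
        """(outer src RLOC, outer dst RLOC) for an inner packet to dst, or None if unresolvable."""
        addr = ip_address(dst)
        for (cached_iid, net), rloc in self.map_cache.items():
            if cached_iid == iid and addr in net:
                return self.rloc, rloc
        resolved = self.cp.map_request(iid, dst)
        if resolved is None:
            return None
        self.map_cache[(iid, resolved[0])] = resolved[1]
        return self.rloc, resolved[1]


def export_aggregate(cp: ControlPlaneNode, iid: int, pool: str) -> Tuple[IPv4Network, int]:
    """What the Border advertises outside: the pool prefix only, plus how many /32s it hides."""
    pool_net = ip_network(pool)
    hosts = [n for n, e in cp.db.get(iid, {}).items() if e.source == "register" and n.subnet_of(pool_net)]
    return pool_net, len(hosts)


def build_demo_site() -> Tuple[ControlPlaneNode, Dict[str, EdgeNode]]:
    """Deck topology: EN1..EN3 at 1.1.1.1..3.3.3.3, Border 8.8.8.8, VRF demo1 = IID 4099."""
    cp = ControlPlaneNode()
    edges = {n: EdgeNode(n, r, cp) for n, r in (("EN1", "1.1.1.1"), ("EN2", "2.2.2.2"), ("EN3", "3.3.3.3"))}
    for edge, host in zip(edges.values(), ("10.2.2.11", "10.2.2.22", "10.2.2.33")):
        edge.attach_host(4099, host)
    # Border route-import: the external /24 plus a default route, which must NOT be registered.
    cp.route_import(4099, ["172.16.1.0/24", "0.0.0.0/0"], "8.8.8.8", 65123)
    cp.set_petr(4099, "8.8.8.8")   # the Anywhere Border is also the PETR for unknown destinations
    return cp, edges


if __name__ == "__main__":
    cp, edges = build_demo_site()
    print(edges["EN1"].forward(4099, "10.2.2.33"))     # ('1.1.1.1', '3.3.3.3')
    print(edges["EN1"].forward(4099, "172.16.1.100"))  # ('1.1.1.1', '8.8.8.8')
    print(export_aggregate(cp, 4099, "10.2.0.0/16"))   # (IPv4Network('10.2.0.0/16'), 3)
```

Two details are worth noticing when you run it: the lookup is scoped by Instance ID, so a host in IID 4100 cannot resolve an EID registered in IID 4099 (that is the macro segmentation the VN slide describes), and the default route is deliberately dropped at import, so an off-fabric destination with no more specific mapping reaches the Border only through the PETR path rather than through a registered 0.0.0.0/0.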
Multidomain enables the network power of end-to-end segmentation and policy
OT | CAMPUS | BRANCH | DC | CLOUD | SP | SECURITY

Cisco SD-WAN → some insights

We know you may have seen BRKCRS-2110 with SD-WAN basics, but we need to get everyone up to speed!
Cisco SD-WAN Architecture Overview

Orchestration = vBond Orchestrator (ZTP/PnP)
Management = vManage (multi-tenant or dedicated), APIs; vAnalytics
Control Plane = vSmart (containers or VMs)
Data Plane = WAN Edge (vEdge, Cisco ISR/ASR/ENCS, whitebox), over 4G/LTE, Internet and MPLS transports, connecting Data Center, Campus, Branch, SOHO and Cloud
vBond is the SD-WAN Orchestrator
• Orchestrates connectivity between management, control and data plane
• Serves as the first point of authentication
• Requires a public IP address
• All other components need to know the vBond IP or FQDN
• Authorizes all control connections (white-list model)

vManage is the NMS for SD-WAN
• Single-tenant or multitenant
• Single pane of glass for Day 0, Day 1 and Day 2 operations
• Enables centralized provisioning and simplifies changes
• Supports REST API, CLI, Syslog, SNMP, NETCONF
• Provides real time alerting
• Role Based Access Control

vSmart is the centralized Control Plane
• Implements control plane policies, such as service chaining, traffic engineering and per-VPN topology
• Reduces complexity of the entire network
• Establishes peering with all WAN Edges, distributes connectivity and security context

WAN Edge is your SD-WAN Data Plane
• Provides a secure data plane with remote WAN Edge routers
• Establishes a secure control plane with the vSmart controllers
• Implements data plane and application aware routing policies
• Exports performance statistics
• Physical or virtual form factor
Unified Control Plane

• Overlay Management Protocol (OMP)
• TCP based extensible control plane protocol
• Runs between WAN Edge routers and vSmart controllers and between the vSmart controllers
  - Inside authenticated TLS/DTLS connections
• Advertises control plane context and policies
• Dramatically lowers control plane complexity and raises overall solution scale

SD-WAN: every WAN Edge peers only with the vSmart controllers → O(n) control complexity
Traditional: full mesh of peerings between WAN Edges → O(n^2) control complexity
Note: WAN Edge routers need not connect to all vSmart controllers
Data Plane Establishment

• Routes and encryption keys are advertised to the vSmarts in OMP updates
• vSmarts advertise routes and encryption keys to the WAN Edges in OMP updates
• SD-WAN fabric: IPsec between tunnel endpoints, across the MPLS and INET transports

Local routes
- Local prefixes (OSPF/BGP)
- SD-WAN tunnel endpoints (TLOCs)
WAN Edge security context
- IPsec encryption keys

Fabric routing: <prefix> via Transport Locator (TLOC)
(Legend: OMP | IPsec tunnel)
Data Plane Liveliness and Quality

• Bidirectional Forwarding Detection (BFD)
• Path liveliness and quality measurement
  - Up/Down, loss/latency/jitter, IPsec tunnel MTU
• Runs between all WAN Edge routers in the topology
  - Inside SD-WAN tunnels
  - Across all transports
  - Operates in echo mode
  - Automatically invoked at SD-WAN tunnel establishment
  - Cannot be disabled
• Uses hello (up/down) interval, poll (app-aware) interval and multiplier for detection
  - Fully customizable per WAN Edge, per transport
Common Data Plane Communication

• Per-Session Load Sharing – Active/Active across MPLS and INET – default device behaviour
• Per-Session Weighted – Active/Active – configurable
• Application Pinning – Active/Standby – policy enforced
• Application Aware Routing – SLA compliant – SLA policy enforced
The Mapping between SD-Access and SD-WAN

Function              SD-Access           SD-WAN
Management            Cisco DNA Center    vBond – UI; vManage – NMS
Control Plane         LISP                vSmart (OMP)
Data Plane Underlay   based on RLOC       based on TLOC
Data Plane Overlay    VXLAN               IPsec
Transit options available

Existing transit options:
• IP Transit, e.g. MPLS from a provider – manual mapping & routing of VNs between BN and WAN Edge, no SGT
• DMVPN – manual mapping & routing of VNs between BN and spoke, SGT support
• SDA Transit – end to end automation, VN and SGT support, requires large MTU

(Diagram: SD-Access Fabric Site – Border – Transit Router(s) – Border – SD-Access Fabric Site, with a Control-Plane node C at each site)
Multi-site with IP-based WAN Transit

Cisco DNA Center – MANAGEMENT & POLICY (SGTs in SXP via ISE)

SD-Access Fabric Site – Border – Transit (separate WAN) – Border – SD-Access Fabric Site

Control plane:  LISP | BGP VRF-lite | MP-BGP / other | BGP VRF-lite | LISP
Data plane:     VXLAN header: SGT (16 bits), VNID (24 bits) | 802.1Q: VLAN ID (12 bits) | MPLS labels | 802.1Q: VLAN ID (12 bits) | VXLAN header: SGT (16 bits), VNID (24 bits)
What is needed for SDA – SD-WAN integration?

SDA to SD-WAN today

• Cisco DNA Center manages the SDA sites
• vManage is responsible for the SD-WAN devices
• Handoff between SDA BN and cEdge is manual (on both sides)

SD-Access Fabric Site 1 (C, B) – cEdge – Transit (SD-WAN) – cEdge – SD-Access Fabric Site 2 (C, B)

SDA   SD-WAN          Status
VN    VPN             OK
SGT   not available   lost

Site 1: User1 ENG, SGT 500, subnet 10.2.2.0/24, host 10.2.2.11/24 in VRF empl = IID 4099; subnet 10.3.3.0/24, host 10.3.3.11/24 in VRF IOT = IID 4100
Site 2: User2 ENG, SGT 500, subnet 10.2.3.0/24, host 10.2.3.11/24 in VRF empl = IID 4099; subnet 10.3.4.0/16, host 10.3.4.11/24 in VRF IOT = IID 4100
What is needed?

1. Integrate Cisco DNA Center and vManage (API integration)
2. Remove the requirement of 2/4 routers in a branch
3. Enable cEdge plus SDA BN+CP
4. Carry the SGT in SD-WAN: IPsec header | CMD header | SGT (16 bits) | MPLS labels | VNID (24 bits)

Site 1: User1 ENG, SGT 500, subnet 10.2.2.0/24, host 10.2.2.11/24 in VRF empl = IID 4099; subnet 10.3.3.0/24, host 10.3.3.11/24 in VRF IOT = IID 4100

*Phase 1: single box – greenfield only
What happens?

1. Cisco DNA Center learns the cEdges from vManage into its inventory
2. It learns the VPNs from vManage and maps them into VNs
3. It adds “SD-WAN” as a transit option
4. It pushes all necessary SDA configuration (BN, CP etc.) to vManage, which configures the cEdge

Data plane across the SD-WAN: IPsec header | CMD header | SGT (16 bits) | MPLS labels | VNID (24 bits)
End to End view

Cisco DNA Center –API– vManage
SD-Access Fabric Site 1 (C, B) – cEdge – Transit (SD-WAN) – cEdge – SD-Access Fabric Site 2 (C, B)
Across the SD-WAN: IPsec header | CMD header | SGT (16 bits) | MPLS labels | VNID (24 bits)

Site 1: User1 ENG, SGT 500, subnet 10.2.2.0/24 (10.2.2.11/24, VRF empl = IID 4099); subnet 10.3.3.0/24 (10.3.3.11/24, VRF IOT = IID 4100)
Site 2: User2 ENG, SGT 500, subnet 10.2.3.0/24 (10.2.3.11/24, VRF empl = IID 4099); subnet 10.3.4.0/16 (10.3.4.11/24, VRF IOT = IID 4100)
Policy across SDA and SD-WAN

Virtual Network – A Closer Look (Recap!)

A Virtual Network maintains a separate routing & switching table for each instance
• The Control-Plane uses the Instance ID to maintain separate VRF topologies (the “Default” VRF is Instance ID “4098”)
• Nodes add a VNID to the fabric encapsulation
• Endpoint ID prefixes (host pools) are routed and advertised within a Virtual Network (VN Campus, VN IOT, VN Guest)
• Uses standard “vrf definition” configuration, along with RD & RT for remote advertisement (Border Node)
Scalable Groups – A Closer Look

A Scalable Group is a logical policy object to “group” users and/or devices

• Nodes use “Scalable Groups” to identify endpoints and assign them a unique Scalable Group Tag (SGT); e.g. SGT 3, 4, 8, 11, 12, 17, 19, 23 and 25 inside the VN Campus Users
• Nodes add the SGT to the fabric encapsulation
• SGTs are used to manage address-independent “Group-Based Policies”
• Edge or Border Nodes use the SGT to enforce local Scalable Group ACLs (SGACLs)
Transport of VNs and SGTs

• SGT segments are carried in VNs
  ‒ Nested hierarchy, e.g. VN1 (maps to VPN 65528) carries SGT #1, #2, #8, #15; Virtual Network #2 carries SGT #3, #4, #6, #10
  ‒ SGT mapped to VN at the SDA Fabric Edge
  ‒ SGT carried in SD-WAN VPNs (data plane)
• Policy decoupling
  ‒ VNs for network separation (forwarding plane)
  ‒ SGTs for user separation
• Use cases:
  ‒ Closed user groups
  ‒ Business entity separation
  ‒ Service chaining via SD-WAN VPNs (inspection, security, logging etc.)
Map Policy

Reference Topology for Policy integration

Cisco DNA Center –API– vManage
SD-Access Fabric Site 1 (C, B) – cEdge – Transit (SD-WAN) – cEdge – SD-Access Fabric Site 2 (C, B)
Site 1: VN + SGT | SD-WAN: VPN + SGT (IPsec header | CMD header | SGT (16 bits) | MPLS labels | VNID (24 bits)) | Site 2: VN + SGT
Security and Segmentation
End to End Policy

Src Group   Dest Group   Application   Action
ENG (500)   ENG (500)    FTP           Deny
ENG (500)   ENG (500)    IP            Permit

Cisco DNA Center –API– vManage
SD-Access Fabric Site 1 (C, B) – cEdge – Transit (SD-WAN) – cEdge – SD-Access Fabric Site 2 (C, B)
Mapping: VN 4099 ↔ VPN ID 10k; SGT 500 ↔ SGT 500

User1 ENG, SGT 500, subnet 10.2.2.0/24 (10.2.2.11/24, VRF empl = IID 4099) → User2 ENG, SGT 500, subnet 10.2.3.0/24 (10.2.3.11/24, VRF empl = IID 4099); enforcement at the Site 2 Edge

Data plane: VXLAN header SGT (16 bits), VNID (24 bits) | IPsec header, CMD header, SGT (16 bits), MPLS labels, VNID (24 bits) | VXLAN header SGT (16 bits), VNID (24 bits)
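The policy table above is evaluated at the egress Edge as an ordered SGACL per (source SGT, destination SGT) cell, and the order of the two ENG → ENG entries is what makes the FTP deny effective. The following is an added example written for this page, not code from the deck and not Cisco software: a small SGACL matrix with first-match semantics, plus a check that flags entries shadowed by an earlier one. The matrix default of deny and the use of tcp/21 for “FTP” are my assumptions; the SGT values 500 (ENG) and 600 (MKT) are the deck's.

```python
"""Scalable Group ACL (SGACL) evaluation as an SD-Access egress node performs it.

Added example, not from the deck and not Cisco code. It models the policy slide:
for source group ENG (SGT 500) to destination group ENG (SGT 500) the cell holds
"deny FTP" followed by "permit IP". Entries in a cell are tried top-down and the
first match wins, so the order decides the outcome. An SGT pair with no cell falls
to the matrix default (deny here, my choice, not stated in the deck).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    protocol: str = "ip"         # "ip" matches everything; otherwise "tcp", "udp", "icmp"
    dst_port: Optional[int] = None

    def matches(self, protocol: str, dst_port: Optional[int]) -> bool:
        if self.protocol == "ip":
            return True
        if self.protocol != protocol:
            return False
        return self.dst_port is None or self.dst_port == dst_port


class SgaclMatrix:
    """Cells keyed by (source SGT, destination SGT), each an ordered ACE list."""

    def __init__(self, default_action: str = "deny") -> None:
        self.cells: Dict[Tuple[int, int], List[Ace]] = {}
        self.default_action = default_action

    def set_cell(self, src_sgt: int, dst_sgt: int, aces: List[Ace]) -> None:
        self.cells[(src_sgt, dst_sgt)] = list(aces)

    def evaluate(self, src_sgt: int, dst_sgt: int, protocol: str,
                 dst_port: Optional[int] = None) -> str:
        """First matching ACE in the cell wins; no cell or no match -> matrix default."""
        for ace in self.cells.get((src_sgt, dst_sgt), []):
            if ace.matches(protocol, dst_port):
                return ace.action
        return self.default_action


def shadowed_entries(aces: List[Ace]) -> List[int]:
    """Indexes of ACEs that can never match because an earlier ACE already covers them.
    Catches the classic mistake of placing 'permit ip' before 'deny tcp 21'."""
    result = []
    for i, later in enumerate(aces):
        for earlier in aces[:i]:
            covers = earlier.protocol == "ip" or (
                earlier.protocol == later.protocol
                and earlier.dst_port in (None, later.dst_port)
            )
            if covers:
                result.append(i)
                break
    return result


ENG, MKT = 500, 600   # SGT values used on the slides


def build_deck_policy() -> SgaclMatrix:
    """The ENG -> ENG cell from the End to End Policy slide."""
    m = SgaclMatrix(default_action="deny")
    # deny the FTP control channel (tcp/21, my reading of "FTP"), then permit everything else
    m.set_cell(ENG, ENG, [Ace("deny", "tcp", 21), Ace("permit", "ip")])
    return m


if __name__ == "__main__":
    policy = build_deck_policy()
    print(policy.evaluate(ENG, ENG, "tcp", 21))    # deny
    print(policy.evaluate(ENG, ENG, "tcp", 443))   # permit
    print(shadowed_entries([Ace("permit", "ip"), Ace("deny", "tcp", 21)]))  # [1]
```

Two caveats a practitioner should keep in mind. A port-based ACE only covers the FTP control channel; active and passive data connections use other ports, so “deny FTP” by port alone does not block the transfer itself. And the enforcement point only sees the SGT if the transit carries it: in the “SDA to SD-WAN today” table the SGT is marked lost across the WAN, and a packet arriving without its tag is classified by whatever fallback the egress node applies, not by the ENG cell.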
Policy Mapping between SD-Access and SD-WAN

Function             SD-Access                   SD-WAN
Macro Segmentation   VN – Virtual Network        VPN – Virtual Private Network
Micro Segmentation   SGT – Scalable Group Tag    carries the SGT
Our dog “Bessi” at break
Transforming from CLI to automation lets you focus on “what really matters”

Exhausted? You need a break? We still have cool things to see!
→ And yes, she only sleeps! And transforms in her dreams
How is the integration achieved?

Multidomain enables the network power of end-to-end segmentation and policy
OT | CAMPUS | BRANCH | DC | CLOUD | SP | SECURITY
Secure Productivity – Use Case

• User group engineering (ENG 500) needs access to the development servers
• User group marketing (MKT 600) needs access to Office 365 and the Internet
  • They are often exposed to malware
• Building automation systems must be air-gapped in their own separate network

(Groups: Facilities → Building Automation Application; Engineering → Development Servers; Marketing → Office 365)
Secure Productivity – SD-Access Identity &
Segmentation
• SD-Access identity services are critical to identifying users/things to deliver a trust
centric security layer
• SD-Access segmentation (macro/micro) prevents lateral movement of malware to
deliver the first layer a threat centric security model

Building
Facilities Automation
Application

Cisco DNA Center

Engineering Development
Servers

Marketing
SD-Access

Office 365
BRKCRS-2818 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 73
Secure Productivity – WAN/Campus/Branch

• The segmentation initiated in Cisco DNA Center is seamlessly extended into the SD-WAN
• Guarantee secure segmentation pervasively and up close to the applications

Cisco DNA Center (SD-Access) <-- Normalized APIs --> Cisco vManage (SD-WAN)
Integrated Networking
Facilities    -> Building Automation Application
Engineering   -> Development Servers
Marketing     -> Office 365
Secure Productivity – Multi-domain experience

E2E Experiences: Automation and Policy, Security and Segmentation

Cisco DNA Center (SD-Access) <-- Normalized APIs --> Cisco vManage (SD-WAN)
Integrated Networking
Facilities    -> Building Automation Application
Engineering   -> Development Servers
Marketing     -> Office 365
End to End view

Cisco DNA Center <-- API --> vManage

SD-Access Fabric Site 1 (E E E, B, C) -- cEdge -- Transit (SD-WAN) -- cEdge -- SD-Access Fabric Site 2 (C, B, E E E)

CONTROL-PLANE:  LISP                                   | OMP                                                                          | LISP
DATA-PLANE:     VXLAN Header: SGT (16 bits), VNID (24 bits) | IPSec Header, CMD Header: SGT (16 bits), MPLS Labels: VNID (24 bits) | VXLAN Header: SGT (16 bits), VNID (24 bits)
How is the Multidomain Integration achieved

Cisco SDA-SDWAN Integration Overview

Cisco DNA Center <-- REST API --> vManage (vSmart, vBond)

SDA Fabric Site 1 (SDA Control Plane C, SDA Border B, SDA Edge) -- cEdge Border @ISR -- SDWAN Fabric -- cEdge Border @ISR -- SDA Fabric Site 2 (B, C)

CONTROL-PLANE:        LISP       | OMP                | LISP
DATA + POLICY PLANE:  VXLAN-GPO  | IPSec-MDATA (SGT)  | VXLAN-GPO
SD-Access Header
MAC-in-IP with VN ID & Group ID

Outer MAC Header (14 Bytes, Underlay)
  Dest. MAC            48   Next-Hop MAC Address
  Source MAC           48   Src VTEP MAC Address
  VLAN Type 0x8100     16   (4 Bytes, Optional)
  VLAN ID              16
  Ether Type 0x0800    16

Outer IP Header (20 Bytes, Underlay)
  Misc. Data           72
  Protocol 0x11 (UDP)   8
  Header Checksum      16
  Source IP            32   Src RLOC IP Address
  Dest. IP             32   Dst RLOC IP Address

UDP Header (8 Bytes)
  Source Port          16   Hash of inner L2/L3/L4 headers of original frame. Enables entropy for ECMP load balancing.
  Dest Port            16   UDP 4789
  UDP Length           16
  Checksum 0x0000      16

VXLAN Header (8 Bytes, Overlay)
  VXLAN Flags RRRRIRRR  8
  Segment ID           16   Allows 64K possible SGTs
  VN ID                24   Allows 16M possible VRFs
  Reserved              8

Inner (Original) MAC Header
Inner (Original) IP Header
Original Payload
SDWAN Header
IP-in-IP with MDATA Field for VPN-ID and Group Tag

Outer MAC Header (Underlay)

Outer IP Header (20 Bytes, Underlay)
  Misc. Data           72
  Protocol 0x11 (UDP)   8
  Header Checksum      16
  Source IP            32   Src TLOC
  Dest. IP             32   Dst TLOC

UDP Header (8 Bytes)
  Source Port          16   Hash of inner L2/L3/L4 headers of original frame. Enables entropy for ECMP load balancing.
  Dest Port            16   UDP 500
  UDP Length           16
  Checksum 0x0000      16

IPSec Header (8 Bytes)
  SPI                  32
  Sequence No.         32
  Initialization Vector 0

MPLS Label (4 Bytes)
  Supported Types: 0x0 – IPv4, 0x1 – IPv6, 0x2 – MDATA (XE 16.11), 0x3 – FEC

MDATA Header (8 Bytes, Overlay)
  Reserved             12
  Protocol              4
  VPN ID               16   SDA VNID mapped to VPN ID (namespace translation); DNAC manages the translation across sites
  Flags                32
MDATA TLV
  Type                 16   Type 0x1 == SGT
  Data                 16   SGT mapped here

Inner (Client) IP Header
Original Payload
IPSec Trailer (18 Bytes)

**IPSec AH also supported but not shown
Border Service Interface - Details

• Single box that is the Border for the LAN and WAN Network.
• SDWAN border “service interface” is the SDA fabric border interface
• On the SDWAN side of the border it is a routed port only.
• On the SDA side of the border it can be a trunk port or sub-interfaces.
• SDA LISP interface is anchored on a Loopback in an internal VRF (UNDERLAY VRF).
• SDA Fabric RLOCs are stored in this VRF.
  • This is done to ensure that the RLOCs can be carried over the SD-WAN as service routes to the remote DC

LAN | WAN
Border Service I/F - Control Plane Interworking

SDA-Edge (E) --LISP--> SD-WAN Border (B) --OMP--> vSMART (C)

On the SD-WAN Border: SDA Control Plane (LISP) <-> SDW Control Plane (OMP)
  • Route LISP<->OMP Import/Export
  • Service Route (EID) Advertisement with VPN ID separation
Internal Border routes advertised outside

Host Pool 10 (IP Network 10.2.2.0/16, host 10.2.2.1/16) -- Edge Node 1 (E, 1.1.1.1/32) -- Border Node (B, 8.8.8.8/32) -- SD-WAN OMP (C)

• The Border node advertises the EID prefix into external protocol of choice (OMP).
• The advertisement is summarized so that /32 host routes are not exposed to the external domain.
• Repeat for other IP Subnets and VRFs in Fabric

router lisp
 locator-table default
 locator-set border
  IPv4-interface Loopback0 priority 10 weight 10
 !
omp
 no shutdown
 address-family ipv4 vrf demo1
  advertise aggregate 10.2.0.0/16 aggregate-only
 !
 address-family ipv4
  advertise connected
  advertise lisp
Internal Border routes advertised outside (external prefix import)

(Same topology: Host Pool 10 -- Edge Node 1 -- Border Node -- SD-WAN OMP)

• The Border also imports the external prefixes into the Campus Fabric LISP domain.
• Repeat for other IP Subnets and VRFs in Fabric

router lisp
 locator-table default
 locator-set border
  IPv4-interface Loopback0 priority 10 weight 10
 !
 eid-table vrf USER instance-id 10
  ipv4 route-import database omp locator-set border
  exit
 !
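The two border route-exchange directions on the slides above (EID /32s summarized into OMP with "advertise aggregate ... aggregate-only", and external prefixes pulled back into LISP with "route-import database omp"), as an added worked example. This is not code from the deck or from Cisco: it models the advertised and imported prefix sets so the effect of a missing aggregate is visible before a change is pushed. Assumptions: an aggregate is advertised only while at least one EID under it exists (as summary routes generally behave); the VRF name demo1, the EID list and the OMP routes are constructed sample data; and the import-side filter that rejects prefixes more specific than the site's own aggregates is this example's own sanity check, not a documented platform behaviour.

```python
"""Route exchange at the SD-Access / SD-WAN border (added example, not Cisco code)."""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network


def _net(prefix: str) -> Net:
    return ipaddress.ip_network(prefix, strict=True)


def omp_export(eid_routes: Dict[str, List[str]], aggregates: Dict[str, List[str]],
               aggregate_only: bool = True) -> Dict[str, List[str]]:
    """Prefixes the border advertises into OMP, per VRF.

    - an aggregate is advertised once at least one EID under it exists (assumption)
    - with aggregate_only, the contributing /32 host routes are suppressed
    - an EID not covered by any aggregate is advertised as it is, which is the
      host-route exposure the slide's summarization is meant to prevent
    """
    advertised: Dict[str, List[str]] = {}
    for vrf, eids in eid_routes.items():
        aggs = [_net(a) for a in aggregates.get(vrf, [])]
        out = set()
        for eid_str in eids:
            eid = _net(eid_str)
            covering = [a for a in aggs if eid.subnet_of(a)]
            if covering:
                out.update(covering)
                if not aggregate_only:
                    out.add(eid)
            else:
                out.add(eid)
        advertised[vrf] = [str(n) for n in sorted(out)]
    return advertised


def exposed_host_routes(advertised: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Pre-change review helper: any /32 still present in the OMP advertisement set."""
    return {vrf: [p for p in prefixes if _net(p).prefixlen == 32]
            for vrf, prefixes in advertised.items()}


def lisp_import(omp_routes: List[str], local_aggregates: List[str]) -> Tuple[List[str], List[str]]:
    """Split OMP-learned prefixes into (accepted, rejected) for the fabric map-cache.

    Rejected (example's own check): an external prefix equal to or more specific
    than one of this site's EID aggregates, since installing it would steer
    fabric-internal traffic out through the border. A default route is not a
    subnet of an aggregate and is accepted.
    """
    aggs = [_net(a) for a in local_aggregates]
    accepted: List[Net] = []
    rejected: List[Net] = []
    for prefix in omp_routes:
        net = _net(prefix)
        (rejected if any(net.subnet_of(a) for a in aggs) else accepted).append(net)
    return [str(n) for n in sorted(accepted)], [str(n) for n in sorted(rejected)]


# Constructed sample data: VRF demo1 with the slide's 10.2.0.0/16 aggregate and
# one EID (10.9.9.9) that no aggregate covers.
SAMPLE_EIDS = {"demo1": ["10.2.2.11/32", "10.2.2.12/32", "10.2.3.5/32", "10.9.9.9/32"]}
SAMPLE_AGGREGATES = {"demo1": ["10.2.0.0/16"]}
SAMPLE_OMP_ROUTES = ["0.0.0.0/0", "10.3.3.0/24", "10.2.5.0/24"]

if __name__ == "__main__":
    adv = omp_export(SAMPLE_EIDS, SAMPLE_AGGREGATES)
    print(adv)                       # {'demo1': ['10.2.0.0/16', '10.9.9.9/32']}
    print(exposed_host_routes(adv))  # {'demo1': ['10.9.9.9/32']}: an aggregate for 10.9.0.0/16 is missing
    print(lisp_import(SAMPLE_OMP_ROUTES, SAMPLE_AGGREGATES["demo1"]))
```

Running the block shows the leak case directly: every EID under 10.2.0.0/16 collapses into the aggregate, while 10.9.9.9/32 is advertised unchanged because no aggregate line exists for it, which is what exposed_host_routes flags.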
Border Service I/F - Data Plane Interworking

SDA-Edge (E) --VXLAN-GPO (SGT+VNID)--> SD-WAN Border (B) --SDWAN-MDATA (SGT+VPN ID)--> vSMART (C, OMP)

On the SD-WAN Border:
  SDA Control Plane (LISP) | SDW Control Plane (OMP) -> RIB
  SDA Client Ports -> SDA Fabric Ports (VNID) -> WAN Ports (VPN ID)
  Decapsulate -> Index / Adjacency Lookup -> VNID-to-VPN ID Translation -> Encapsulate, Encrypt
  Client Packet + SGT (VXLAN-GPO) -> Client Packet + SGT (SDWAN-MDATA)
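The VXLAN-GPO and MDATA field layouts from the two header slides, and the decapsulate / translate / encapsulate sequence on this slide, as an added worked example in Python. This is not code from the deck or from Cisco. It assumes: the VXLAN-GPO header follows draft-smith-vxlan-group-policy (Flags 8 | Reserved 8 | Group ID 16 | VNI 24 | Reserved 8), which matches the slide's 8-byte header once the second reserved byte that the slide's field list does not show separately is counted; the MDATA packing uses the widths the slide lists (Reserved 12 | Protocol 4 | VPN ID 16 | Flags 32, then TLV Type 16 / Data 16) but is an illustration of those fields, not a byte-accurate copy of the Cisco wire format; the VN-ID-to-VPN mapping and the VPN numbers are constructed (the IIDs 4099 and 4100 come from the deck's demo), and dropping a frame whose VN ID has no VPN mapping is the example's own design choice.

```python
"""Border data-plane interworking: VXLAN-GPO (SD-Access) <-> MDATA (SD-WAN).
Added example; bit layouts per the slides plus draft-smith-vxlan-group-policy,
MDATA packing is illustrative only."""
import struct
from dataclasses import dataclass
from typing import Dict

VXLAN_UDP_PORT = 4789
VXLAN_FLAG_G = 0x80        # Group Policy ID present (draft-smith-vxlan-group-policy)
VXLAN_FLAG_I = 0x08        # the "I" in the slide's RRRRIRRR: VNI is valid
MDATA_PROTO_IPV4 = 0x0     # slide: 0x0 IPv4, 0x1 IPv6
MDATA_TLV_TYPE_SGT = 0x1   # slide: TLV Type 0x1 == SGT


@dataclass(frozen=True)
class GpoFields:
    sgt: int    # 16-bit Scalable Group Tag (micro segmentation)
    vnid: int   # 24-bit VN ID / LISP instance ID (macro segmentation)


def build_vxlan_gpo(sgt: int, vnid: int) -> bytes:
    """Pack the 8-byte VXLAN-GPO header that rides on UDP 4789."""
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError("SGT is a 16-bit field (64K possible SGTs)")
    if not 0 <= vnid <= 0xFFFFFF:
        raise ValueError("VN ID is a 24-bit field (16M possible VRFs)")
    # flags | reserved | group id (SGT) | VNI<<8 with the trailing reserved byte zero
    return struct.pack(">BBHI", VXLAN_FLAG_G | VXLAN_FLAG_I, 0, sgt, vnid << 8)


def parse_vxlan_gpo(hdr: bytes) -> GpoFields:
    """Unpack the header; refuse it without a valid VNI, treat a missing group id as SGT 0."""
    if len(hdr) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    flags, _reserved, sgt, vni_word = struct.unpack(">BBHI", hdr[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag clear: no valid VN ID")
    if not flags & VXLAN_FLAG_G:
        sgt = 0  # no group policy carried: SGT 0 (unknown) rather than stale bits
    return GpoFields(sgt=sgt, vnid=vni_word >> 8)


def build_mdata(vpn_id: int, sgt: int, proto: int = MDATA_PROTO_IPV4, flags: int = 0) -> bytes:
    """Reserved 12 | Protocol 4 | VPN ID 16 | Flags 32, then TLV Type 16 (0x1 = SGT) | Data 16."""
    if not 0 <= vpn_id <= 0xFFFF:
        raise ValueError("VPN ID is a 16-bit field")
    word0 = ((proto & 0xF) << 16) | (vpn_id & 0xFFFF)   # reserved 12 bits stay zero
    return struct.pack(">IIHH", word0, flags & 0xFFFFFFFF, MDATA_TLV_TYPE_SGT, sgt & 0xFFFF)


def parse_mdata(buf: bytes) -> Dict[str, int]:
    word0, flags, tlv_type, tlv_data = struct.unpack(">IIHH", buf[:12])
    fields = {"proto": (word0 >> 16) & 0xF, "vpn_id": word0 & 0xFFFF, "flags": flags}
    if tlv_type == MDATA_TLV_TYPE_SGT:
        fields["sgt"] = tlv_data
    return fields


def border_to_wan(vxlan_hdr: bytes, vnid_to_vpn: Dict[int, int]) -> bytes:
    """Local border: decapsulate VXLAN-GPO, translate VN ID -> VPN ID, carry the SGT in MDATA.
    A VN ID with no VPN mapping (a VN never extended into SD-WAN) is dropped
    instead of being forwarded into some default VPN (example's own choice)."""
    gpo = parse_vxlan_gpo(vxlan_hdr)
    if gpo.vnid not in vnid_to_vpn:
        raise LookupError(f"VN ID {gpo.vnid} is not mapped to an SD-WAN VPN; drop")
    return build_mdata(vnid_to_vpn[gpo.vnid], gpo.sgt)


def wan_to_border(mdata: bytes, vnid_to_vpn: Dict[int, int]) -> bytes:
    """Remote border: reverse the namespace translation and re-encapsulate as VXLAN-GPO."""
    fields = parse_mdata(mdata)
    vpn_to_vnid = {vpn: vnid for vnid, vpn in vnid_to_vpn.items()}
    if fields["vpn_id"] not in vpn_to_vnid:
        raise LookupError(f"VPN ID {fields['vpn_id']} has no VN at this site; drop")
    # A legacy frame that carries no SGT TLV arrives on the SDA side as SGT 0 (unknown).
    return build_vxlan_gpo(fields.get("sgt", 0), vpn_to_vnid[fields["vpn_id"]])


def is_forwarded(vxlan_hdr: bytes, vnid_to_vpn: Dict[int, int]) -> bool:
    """True if the border would forward the frame into SD-WAN, False if it drops it."""
    try:
        border_to_wan(vxlan_hdr, vnid_to_vpn)
        return True
    except (LookupError, ValueError):
        return False


# Constructed sample mapping (IIDs from the deck's demo; VPN numbers are made up).
SAMPLE_VN_TO_VPN = {4099: 1, 4100: 2}   # VRF empl -> VPN 1, VRF IOT -> VPN 2

if __name__ == "__main__":
    eng = build_vxlan_gpo(sgt=500, vnid=4099)     # ENG user (SGT 500) in VRF empl
    wan = border_to_wan(eng, SAMPLE_VN_TO_VPN)
    print(parse_mdata(wan))                        # {'proto': 0, 'vpn_id': 1, 'flags': 0, 'sgt': 500}
    print(parse_vxlan_gpo(wan_to_border(wan, SAMPLE_VN_TO_VPN)))   # GpoFields(sgt=500, vnid=4099)
    print(is_forwarded(build_vxlan_gpo(600, 4101), SAMPLE_VN_TO_VPN))  # False: VN 4101 never mapped
```

The round trip shows the namespace translation the header slide describes: the SGT survives unchanged end to end inside the MDATA TLV, while the 24-bit VN ID only has meaning inside a fabric site and is rewritten to a 16-bit VPN ID at each border.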
Routing Architecture – Protocols and Peering

DNAC --NETCONF (Provisioning)--> B (SDA Border on the cEdge)      vManage --> C (vSmart)

Supernet Prefix:
• SDA EIDs (/32s)
• SDWAN Subnets
• OMP aggregates /32s – SDA Aggregates Only

Overlay:
  LISP Routes (VNs) --Service--> Lo0 --OMP--> OMP Overlay Peers (vSmart)
  SDWAN Prefixes, VPNs, Service Overlay Routes

Underlay:
  SDA RLOCs – LAN Peer (ISIS), SDA_UNDERLAY VN
  SDWAN TLOCs – WAN Peer (BGP), VPN0

LISP | OMP
Supported High Availability and Redundancy

SDA Side: SDA Fabric Site with redundant borders (B/C pairs), Active/Active
  WAN Border Selection Policy – Weight, Pref, ECMP (** from vManage)
SDWAN Side: dual transports (MPLS, INET) per cEdge, via vManage; TLOC Extension link between the cEdges
Management Model

NOTE: cEdge must have no existing Service Side configuration before it can be designated as a border

Cisco DNA Center <-- REST Calls --> vManage (vSmart, vBond; WAN Underlay)
Cisco DNA Center --NETCONF/YANG--> cEdge (SDA side)      vManage --OMP--> cEdge (WAN side)

Device Ownership

SDA Side (Cisco DNA Center)                     WAN Side (vManage)
• vManage Credentials                           • All SDWAN configuration and policy except Syslog/SNMP
• Service-level VN Configuration                  – No LAN side templates (greyed)
• SDA Side Routing Configuration                  – All Assurance
  – Interfaces, VXLAN                             – Syslog/SNMP override (if desired)
  – Routing (LISP)
• Provision SDA LAN Automation Subnet
• SDA VN to SD-WAN VPN mapping
• Assurance: Syslog/SNMP config

SDA Side                    WAN Side
Read Permission             Write Permission
Setup & Workflow – DAY 0
Cisco DNA Center and vManage

Participants: Admin, DNAC, vManage, cEdge (B/C)

1. Admin: Bring-up SDWAN, mark devices used for SDA borders
2. Admin: Configure vManage info & credentials in DNAC
3. DNAC -> vManage: Establish trust with vManage (form-based auth); SDWAN Transit object created
4. vManage -> DNAC: Entire list of VPNs and SDA-marked devices
5. Admin: Map VNs in DNAC to VPNs from vManage
6. DNAC -> vManage: Config Data: Underlay VN (VPN), Loopback IP, per-device credentials, etc.
7. vManage -> cEdge: Config Data Push (enables DNAC’s inventory collection)
8. DNAC -> cEdge: Device discovery & inventory collection using Loopback IP
9. Admin: Configure SDA connectivity for the device
10. DNAC -> vManage: Config Data: LAN, SDA configs, SNMP, logs collector, etc.
11. vManage -> cEdge: Config Data Push
Workflow – DAY 1 & N

Participants: Admin, DNAC, vManage, cEdge (B/C)

Data collection:
  cEdge -> DNAC: Syslog & SNMP, Assurance state & stats, traps
  DNAC -> vManage: Get SDWAN Assurance Data
  vManage -> DNAC: SDWAN Assurance Data: Health (Devices, vSmart, vBond), Alarms

New VN creation:
  Admin -> DNAC: Day#N config new VNs
  DNAC -> vManage: Day#N config - New VNs
  vManage -> cEdge: Push config received from DNAC
General Deployment Model

Legend: C – Control Plane, B – Border, C-edge Router, Edge

Cisco DNA Center:  • On-Prem Local   • On-Prem Remote
vManage:           • On-Prem         • Public Cloud
C-edge Router:     • Redundant Pair (2 now)   • Collocated Ctrl-Plane

SD-Access Fabric Site (B C / B C) -- cEdge -- Transit (SD-WAN) -- cEdge -- SD-Access Fabric Site (B C / B C)
LISP | OMP | LISP
Deployment Models with Remote DC

DC Site / Public Cloud / DC Site reached across the WAN Underlay

SD-Access Fabric Site (B C) -- C-edge -- Transit (SD-WAN) -- C-edge -- SD-Access Fabric Site (B C)
LISP | OMP | LISP

Route labels on the diagram: DHCP Prefixes, Remote DC Site, SDA Site Aggregates, Host Routes <-> Host Routes, DC Prefixes <-> DC Prefixes, Underlay Prefixes <-> Underlay Prefixes

**Border redundancy not shown for simplicity
Deployment Models with Local DC Site

Public Cloud / DC Site (F) attached with VRF-lite to the SDA Fabric Site; WAN Underlay

SD-Access Fabric Site (B C) -- cEdge -- Transit (SD-WAN) -- cEdge -- SD-Access Fabric Site (B C)
LISP | OMP | LISP

Route labels on the diagram: SDA Fabric Site VRF-lite, SDA Site Aggregates, Underlay Prefixes, Underlay VN

**Border redundancy not shown for simplicity
Deployment Models with Fabric Wireless

Public Cloud; WAN Underlay

SD-Access Fabric Site (B C) -- cEdge -- Transit (SD-WAN) -- cEdge -- SD-Access Fabric Site (B C)
LISP | OMP | LISP

Route labels on the diagram: SDA Fabric Site GRT, SDA Site Aggregates, Underlay Prefixes, Underlay VN

**Border redundancy not shown for simplicity
Device Interworking Compatibility
* = Refer to Frame Formats

                           New Frame Format*                                   Legacy Frame Format
Packet From \ Packet To    SDWAN Border          SDWAN cEdge post 16.12+     SDWAN cEdge pre 16.12   vEdge
SDWAN Border               • SGT carried to SDA  • SGT discarded             • Dropped               • Dropped
                           • Interwork to SDA    • Forward IPv4/IPv6
SDWAN cEdge post 16.12+    • No SGT              • No SGT                    • No SGT                • No SGT
                           • Interwork to SDA    • Forward IPv4/IPv6         • Forward IPv4/6        • Forward IPv4/6
SDWAN cEdge pre 16.12      • No SGT              • No SGT                    • No SGT                • No SGT
                           • Interwork to SDA    • Forward IPv4/IPv6         • Forward IPv4/6        • Forward IPv4/6
vEdge                      • No SGT              • No SGT                    • No SGT                • No SGT
                           • Interwork to SDA    • Forward IPv4/IPv6         • Forward IPv4/6        • Forward IPv4/6

SDA Site1 (C B) -- cEdge -- SDWAN (cEdge, vEdge) -- cEdge -- (B C) SDA Site2
Border Element – Platform Support

ISR:
• ISR4221, ISR43xx, ISR-4431, ISR-4451
ASR:
• ASR1001-X, ASR1002-X, ASR 1001-HX, ASR 1002-HX

Not Supported:
• No ISRv/CSRv (Future Phase)
• No vEdge (no plans)
• C11xx
SDA/SDWAN Demo
Demo Topology

Cisco DNA Center <-- API --> vManage

SD-Access Fabric Site SFO 11 (B C / B C) -- cEdge (SDA/SDW) -- Transit (SD-WAN) -- cEdge (SDW/SDA) -- SD-Access Fabric Site SJC 23 (B C / B C)
Bring up a new Site

LAN Automation Principles for Multidomain

WAN -- cEdge = Seed / cEdge = secondary -- Intermediate -- Edge Node

§ Ease of new LAN network deployments for Campus or Branch networks
§ Automate underlay connectivity between the LAN and WAN Edge
§ Complete network automation to accelerate building Multidomain overlay networks
Reference Topology for fully automated new site

Cisco DNA Center <-- API --> vManage      Bring up new Fabric Site 2

SD-Access Fabric Site 1 (E E E, B, C) -- cEdge1 -- Transit (SD-WAN) -- cEdge2 -- SD-Access Fabric Site 2 (C, B, E E E)
VN + SGT | VPN+SGT | VN+SGT
LAN Automation setup

Select cEdge2 as Seed Node in LAN Automation (Inventory learned from vManage)
Reference Topology for fully automated new site

Cisco DNA Center <-- API --> vManage
cEdge2 (C, B) -- SD-Access Fabric Site 2 (E E E)

User1 ENG, SGT 500: 10.2.2.11 /24 – Subnet 10.2.2.0/24, VRF empl = IID 4099
                    10.3.3.11 /24 – Subnet 10.3.3.0/24, VRF IOT = IID 4100

1. All Switches in FS2 have no configuration and DHCP for an IP in VLAN1
2. Cisco DNA Center pushes temp DHCP Pool for VL1 via vManage into cEdge2
3. All Switches get an IP reachable for Cisco DNA Center and it will recognize the new Topology
4. Cisco DNA Center creates full ISIS based UNDERLAY in FS2
5. Once UP, SDA Edge Nodes will be configured and cEdge enabled as CP+BN (Overlay)
6. Now SDA – SDWAN carries VNs and SGTs
LAN Automation result

cEdge -- Edge Node
Summary, Conclusion & Vision

Comprehensive Security Across All Domains

• Cloud Access Security
• Enterprise Mobility Management
• Email Security
• Threat intelligence
• Secure Internet Gateway
• Secure Campus/Branch
• Secure SD-WAN/Routers
• Identity and Network Access Control
• Advanced Threat
• Event visibility with context
• DC & Cloud, WAN
• Web Security
• Switches and Access Points
• Automated policy
• Next-Gen FW/IPS
• Cloud Workload Protection
• Network Traffic Security Analytics
SDA / SDWAN integration

Users, Devices -> Software Defined Access -> Software Defined WAN (vManage) -> Cloud Edge Services -> Public Cloud, SaaS, Internet
Data Center (ACI, APIC)
Session close to the end…

Technical Level (High Level / Low Level) over session progress (t)
Have a drink on me! After the long journey

BUT PLS ONE MORE SLIDE!!!!

Multidomain enables the network power of end to end segmentation and policy
(OT, Campus, Branch, DC, Cloud, SP, Security)
Complete your online session survey

• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.

Cisco Live sessions will be available for viewing on demand after the event at ciscolive.com.
Continue your education

• Demos in the Cisco campus
• Walk-in labs
• Meet the engineer 1:1 meetings
• Related sessions
Thank you
