DNA Udemy02a

The document discusses considerations for integrating an existing network with Cisco SD-Access. It covers topics like existing network MTU, reconfiguration of the access layer, physical network topology, IP addressing, segmentation, location of shared services, features enabled today, and incremental versus parallel migration approaches.

DNAC (SD-Access)

Integrate with Existing Network

Automated LAN
Top Considerations
In the end, it is the small things that matter!
Existing Network MTU
- TCP MSS
- As of now, Jumbo MTU is mandatory on all switches.

The fabric overlay is VXLAN, which adds 50 bytes to every encapsulated IPv4 packet (outer IPv4 20 + UDP 8 + VXLAN 8, plus the encapsulated frame's own 14-byte Ethernet header). An underlay link left at 1500 bytes therefore cannot carry a full-size 1500-byte overlay packet. TCP MSS adjustment hides that for TCP only; UDP and ICMP traffic near full size is dropped. Check every switch and every link in the path between fabric nodes, not just the fabric nodes themselves.
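As an added example (not code from the Cisco deck), the arithmetic behind the jumbo-MTU requirement in Python. The header sizes are the standard VXLAN-over-IPv4 encapsulation; the MTU values passed in (1500, 1550, 9100) are illustrative, and `check_underlay` shows what is left when an underlay link is not raised.

```python
"""Underlay MTU versus overlay MTU for a VXLAN-encapsulated fabric.

Added example, not code from the Cisco deck. Header sizes are the standard
VXLAN-over-IPv4 encapsulation; SD-Access uses the same 8-byte VXLAN header
(the SGT rides in otherwise reserved bits, so the size does not change).
"""
from dataclasses import dataclass
from typing import Optional

INNER_ETHERNET = 14   # the encapsulated frame's own Ethernet header
OUTER_IPV4 = 20
OUTER_UDP = 8
VXLAN_HEADER = 8
DOT1Q_TAG = 4         # only if the encapsulated frame keeps its 802.1Q tag
VXLAN_OVERHEAD = INNER_ETHERNET + OUTER_IPV4 + OUTER_UDP + VXLAN_HEADER  # 50 bytes


def required_underlay_mtu(inner_ip_mtu: int, inner_dot1q: bool = False) -> int:
    """Smallest underlay interface MTU (outer IP packet size, as the interface
    'mtu' counts it) that carries an inner IP packet of inner_ip_mtu bytes intact."""
    return inner_ip_mtu + VXLAN_OVERHEAD + (DOT1Q_TAG if inner_dot1q else 0)


def max_inner_ip_mtu(underlay_mtu: int, inner_dot1q: bool = False) -> int:
    """Largest inner IP packet that fits through an underlay of underlay_mtu bytes."""
    return underlay_mtu - VXLAN_OVERHEAD - (DOT1Q_TAG if inner_dot1q else 0)


def tcp_mss_for(inner_ip_mtu: int, ipv6: bool = False) -> int:
    """TCP MSS that keeps a segment inside inner_ip_mtu
    (IPv4 20 + TCP 20 bytes of headers, or IPv6 40 + TCP 20)."""
    return inner_ip_mtu - (60 if ipv6 else 40)


@dataclass
class MtuVerdict:
    ok: bool
    max_inner_mtu: int
    mss_clamp: Optional[int]  # MSS to clamp TCP to if the underlay is too small, else None


def check_underlay(underlay_mtu: int, inner_ip_mtu: int = 1500) -> MtuVerdict:
    """Decide whether an underlay link can carry the overlay's packets intact.

    When it can, nothing needs clamping. When it cannot, report the largest
    inner packet that would fit and the MSS that keeps TCP under it. MSS
    clamping only rescues TCP: UDP and ICMP packets near full size are still
    dropped, which is why the deck treats jumbo MTU as mandatory.
    """
    fits = max_inner_ip_mtu(underlay_mtu)
    if fits >= inner_ip_mtu:
        return MtuVerdict(True, fits, None)
    return MtuVerdict(False, fits, tcp_mss_for(fits))


if __name__ == "__main__":
    for mtu in (1500, 1550, 9100):
        print(mtu, check_underlay(mtu))
```

Run it as a script to see that a 1500-byte underlay can only pass 1450-byte overlay packets (MSS 1410), while anything at or above 1550 passes full-size overlay traffic; 9100 leaves plenty of headroom for tagged inner frames.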
Re-configuration of Access Layer

Physical Network Topology
- Reference: www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/routed-ex.html
IP Addressing for Underlay and Overlay

Segmentation - Default schema

Location of Shared Services Infrastructure
- DHCP Server
- NTP Server

Features enabled today
- Move the features to different points in the fabric network
- QoS, NetFlow, IP ACLs
Two Basic Types of Deployments
- Campus Networks (Large Sites)
- Branch Networks (Small Sites)

Typical Campus Networks
[figure: campus with DDI, MPLS connectivity (Branch IWAN, DC IWAN) and Internet (I-NET)]

Typical Branch Networks
[figure: branch with MPLS and I-NET connectivity, DDI, Branch IWAN, a Collapsed Core and an Access Layer]
Two Basic Approaches to Migration
- Parallel (all at once) Deployment
- Incremental (one at a time) Deployment

Migration Approaches: Parallel vs Incremental
[figure: implementation effort against resources for the two approaches]

Parallel Install not feasible for Campus Networks
[figure: campus topology as above]

Parallel Install for Branch Networks
[figure: branch topology as above]
Cisco SD-Access Migration: Using net new subnets

Incremental Migration - High Level concept
[figure: control plane node (C) and border node (B) alongside the existing network]

Considerations for using new subnets to transition

Before (existing network)    After (fabric)
10.10.1.0/24                 10.10.0.0/16
10.10.2.0/24
10.10.3.0/24
10.10.4.0/24
10.10.5.0/24
10.10.6.0/24
10.10.7.0/24
10.10.8.0/24
10.10.9.0/24
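As an added example (not part of the deck), a pre-transition address check in Python using the slide's nine legacy /24s. `overlaps` tells you whether a proposed fabric pool collides with scopes that are still routed in the legacy network, which matters for as long as both networks are reachable through the border; `collapse` and `smallest_supernet` show what the freed legacy space summarizes to once the cutover is complete. The 10.20.0.0/16 candidate pool is a constructed value.

```python
"""Subnet plan checks for a 'net new subnets' transition (added example)."""
import ipaddress
from typing import Iterable, List, Tuple

IPv4Net = ipaddress.IPv4Network

# Legacy scopes from the slide ('Before').
LEGACY = [f"10.10.{i}.0/24" for i in range(1, 10)]


def parse(nets: Iterable[str]) -> List[IPv4Net]:
    return [ipaddress.IPv4Network(n) for n in nets]


def overlaps(existing: Iterable[str], proposed: Iterable[str]) -> List[Tuple[str, str]]:
    """(proposed, existing) pairs that overlap.

    While legacy and fabric subnets are routed side by side this list must be
    empty: an overlapping fabric pool draws traffic away from legacy hosts at
    the border or fusion router, depending on which route is more specific.
    """
    ex, pr = parse(existing), parse(proposed)
    return [(str(p), str(e)) for p in pr for e in ex if p.overlaps(e)]


def collapse(nets: Iterable[str]) -> List[str]:
    """Minimal set of prefixes equivalent to nets (what the freed space advertises as)."""
    return [str(n) for n in ipaddress.collapse_addresses(parse(nets))]


def smallest_supernet(nets: Iterable[str]) -> str:
    """Smallest single prefix that contains every subnet in nets."""
    ns = parse(nets)
    cand = ns[0]
    while not all(n.subnet_of(cand) for n in ns):
        cand = cand.supernet()
    return str(cand)


if __name__ == "__main__":
    print(overlaps(LEGACY, ["10.10.0.0/16"]))   # nine collisions: cannot coexist
    print(overlaps(LEGACY, ["10.20.0.0/16"]))   # []: safe as a transitional pool
    print(collapse(LEGACY), smallest_supernet(LEGACY))
```

The slide's "after" pool of 10.10.0.0/16 overlaps all nine legacy scopes, so it can only be the end state; during the transition the fabric pool has to come from address space the legacy network does not route.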
Reference Network Topology to begin Migration
[figure: external network attached to the campus; L3 links and L2 links marked]

Connecting Default Fabric Border
- Option 1: Reconfigure Existing Core
  You can reuse an existing Core switch if it supports Fabric functionality.
  NOTE: This may require a software upgrade, and adding new fabric overlay configurations.
- Option 2: Connect new switch to the existing core
  [figure: new switch acting as border (B) and control plane (C), attached to the existing core and external network]

Prepping the Switch
[figure: the new border/control plane switch (B C) before configuration]
Getting Started Steps – ISIS as an IGP
[figure: border/control plane switch (B C) attached to the IP network]

router isis
 net 49.0001.XXXX.XXXX.XXXX.00
 is-type level-2-only
 ispf level-2
 log-adjacency-changes
 metric-style wide level-2
 no hello padding
 authentication mode md5 level-2
 authentication key-chain ON
 passive-interface Loopback0

interface GigabitEthernet x/x
 ip router isis
 isis network point-to-point
 isis metric <metric> level-2
 isis circuit-type level-2-only
 isis authentication mode md5 level-2
 isis authentication key-chain ON
 carrier-delay ms 0
 dampening

Keep the MD5 key-chain authentication when you hand-build the underlay: an unauthenticated underlay IGP lets any device plugged into a fabric link inject or hijack RLOC routes.
Getting Started Steps – OSPF as an IGP
[figure: border/control plane switch (B C) attached to the IP network]

interface GigabitEthernet1/1/1
 no switchport
 ip address 192.168.22.58 255.255.255.252
!
interface GigabitEthernet1/1/2
 no switchport
 ip address 192.168.22.38 255.255.255.252
!
interface Loopback0
 ip address 192.168.21.9 255.255.255.255
 ip ospf network point-to-point

router ospf 1
 router-id 192.168.21.9
 passive-interface default
 no passive-interface GigabitEthernet1/1/1
 no passive-interface GigabitEthernet1/1/2
 network 192.168.21.9 0.0.0.0 area 0
 network 192.168.22.38 0.0.0.0 area 0
 network 192.168.22.58 0.0.0.0 area 0
Graphical Migration
- Using Cisco DNA Center

Logging in to Cisco DNA Center
Discover Devices
New Discovery
Device Inventory: Assign Device Roles

Presentation ID © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Network Topology

Existing Network Topology
- WAN Edge: MERCURY, POSEIDON
- Core: FIDDLER, SANDY
- TACAMO (shown between the core and distribution tiers)
- Distribution: PROWLER, INTRUDER
- Access: VAMPIRE-2, VAMPIRE-3
Design Module
[figure: Design module entry]
BRKCRS-2812

Design Module: Network Settings

Design Module: User Credentials / Device Access

Minimum number of IP Pools
[figure: six IP pools called out]

Policy Module

Provision Module

Provision only the potential Fabric Nodes
[figure: MERCURY, POSEIDON; SANDY, FIDDLER; TACAMO; PROWLER, INTRUDER; VAMPIRE-1, VAMPIRE-2, VAMPIRE-3]
Provision: Provision Potential Fabric Nodes
Provision Network Nodes
Provision Network Nodes: Success
Add Fabric Domain
Name Fabric Domain
Add IP Transit
IP Transit Area Created
Add Fabric Site to Fabric Domain
Fabric Site Added to Fabric Domain
Site Topology Details
Fabric Pre-Provision Checks
Add Fabric Edge Node
Add Fabric Border, Co-located Control Plane node
Fabric Border Node Provisioning
Using External Interface automation @Border
Select VNs To Extend outside fabric
Second Interface, VNs to extend outside fabric
Final Border Provisioning
Fabric Provisioned at Site
Fabric Edge Node Configuration
router lisp
 locator-table default
 locator-set rloc_1daeaec6-1a9c-4579-9dad-762bac1d3723
  IPv4-interface Loopback0 priority 10 weight 10
  exit-locator-set
 !
 locator default-set rloc_1daeaec6-1a9c-4579-9dad-762bac1d3723
 service ipv4
  encapsulation vxlan
  itr map-resolver 192.168.1.10
  etr map-server 192.168.1.10 key 7 03115802
  etr map-server 192.168.1.10 proxy-reply
  etr
  sgt
  no map-cache away-eids send-map-request
  use-petr 192.168.1.10
  proxy-itr 192.168.1.7
  exit-service-ipv4
 !
 service ethernet
  itr map-resolver 192.168.1.10
  itr
  etr map-server 192.168.1.10 key 7 0106050D
  etr map-server 192.168.1.10 proxy-reply
  etr
  exit-service-ethernet
 !
 instance-id 4097
  remote-rloc-probe on-route-change
  service ipv4
   eid-table default
   exit-service-ipv4
  exit-instance-id
 !
 instance-id 4098
  remote-rloc-probe on-route-change
  service ipv4
   eid-table vrf DEFAULT_VN
   map-cache 0.0.0.0/0 map-request
   exit-service-ipv4
  exit-instance-id
 !
 instance-id 4099
  remote-rloc-probe on-route-change
  service ipv4
   eid-table vrf USERS
   map-cache 0.0.0.0/0 map-request
   exit-service-ipv4
  exit-instance-id
 !
 ipv4 source-locator Loopback0
 exit-router-lisp

The `key 7` strings are the map-server authentication keys in Cisco type-7 form, which is reversible obfuscation rather than encryption; treat configuration dumps that include them as sensitive.
Fabric Edge and Border Nodes VRF Configuration
VAMPIRE-1#sh vrf
  Name        Default RD  Protocols  Interfaces
  DEFAULT_VN  <not set>   ipv4       LI0.4098
  Mgmt-vrf    <not set>   ipv4,ipv6  Gi0/0
  USERS       <not set>   ipv4       LI0.4099

SANDY#sh vrf
  Name        Default RD  Protocols  Interfaces
  DEFAULT_VN  1:4098      ipv4       Vl3005
                                     Vl3001
                                     LI0.4098
  Mgmt-vrf    <not set>   ipv4,ipv6  Gi0/0
  USERS       1:4099      ipv4       Vl3004
                                     Vl3003
                                     LI0.4099
Border Node Interface to External Router Configuration

Before (41 bytes, nothing configured on the links to the external routers):

SANDY#s int t1/0/7
Building configuration...
Current configuration : 41 bytes
!
interface TenGigabitEthernet1/0/7
end

SANDY#s int t1/0/8
Building configuration...
Current configuration : 41 bytes
!
interface TenGigabitEthernet1/0/8
end

After external interface automation (64 bytes, the links become 802.1Q trunks carrying the per-VN handoff VLANs):

SANDY#s int t1/0/7
Building configuration...
Current configuration : 64 bytes
!
interface TenGigabitEthernet1/0/7
 switchport mode trunk
end

SANDY#s int t1/0/8
Building configuration...
Current configuration : 64 bytes
!
interface TenGigabitEthernet1/0/8
 switchport mode trunk
end

The automation sets `switchport mode trunk` without an allowed-VLAN list, so the trunk carries every VLAN present on the border by default. Prune it to the handoff VLANs (3001-3006 here) unless you intend everything else to be reachable from the external router.
Fabric Border Node Interfaces to External Router

SANDY#s int vl3001
Building configuration...
Current configuration : 186 bytes
!
interface Vlan3001
 description vrf interface to External router
 vrf forwarding DEFAULT_VN
 ip address 172.16.0.1 255.255.255.252
 no ip redirects
 ip route-cache same-interface
end

SANDY#s int vl3003
Building configuration...
Current configuration : 181 bytes
!
interface Vlan3003
 description vrf interface to External router
 vrf forwarding USERS
 ip address 172.16.0.9 255.255.255.252
 no ip redirects
 ip route-cache same-interface
end

SANDY#s int vl3004
Building configuration...
Current configuration : 182 bytes
!
interface Vlan3004
 description vrf interface to External router
 vrf forwarding USERS
 ip address 172.16.0.13 255.255.255.252
 no ip redirects
 ip route-cache same-interface
end

SANDY#s int vl3005
Building configuration...
Current configuration : 187 bytes
!
interface Vlan3005
 description vrf interface to External router
 vrf forwarding DEFAULT_VN
 ip address 172.16.0.17 255.255.255.252
 no ip redirects
 ip route-cache same-interface
end
Fabric Border Node LISP Configuration
SANDY#s | sec lisp
router lisp
 locator-table default
 locator-set rloc_af80dd60-71be-4d19-8205-4d0213d0602d
  IPv4-interface Loopback0 priority 10 weight 10
  auto-discover-rlocs
  exit-locator-set
 !
 service ipv4
  encapsulation vxlan
  itr map-resolver 192.168.1.10
  etr map-server 192.168.1.10 key 7 0106050D
  etr map-server 192.168.1.10 proxy-reply
  etr
  sgt
  no map-cache away-eids send-map-request
  proxy-etr
  proxy-itr 192.168.1.10
  map-server
  map-resolver
  exit-service-ipv4
 !
 service ethernet
  itr map-resolver 192.168.1.10
  itr
  etr map-server 192.168.1.10 key 7 03115802
  etr map-server 192.168.1.10 proxy-reply
Fabric Border Node LISP Configuration (continued)
 instance-id 4097
  remote-rloc-probe on-route-change
  service ipv4
   eid-table default
   route-export site-registrations
   distance site-registrations 250
   map-cache site-registration
   exit-service-ipv4
  exit-instance-id
 !
 instance-id 4098
  remote-rloc-probe on-route-change
  service ipv4
   eid-table vrf DEFAULT_VN
   route-export site-registrations
   distance site-registrations 250
   map-cache site-registration
   exit-service-ipv4
  exit-instance-id
 !
 instance-id 4099
  remote-rloc-probe on-route-change
  service ipv4
   eid-table vrf USERS
   route-export site-registrations
   distance site-registrations 250
   map-cache site-registration
   exit-service-ipv4
  exit-instance-id
Fabric Control Plane Node LISP Configuration
SANDY#s | sec lisp
router lisp
 <snip …… snip>
 site site_uci
  description map-server configured from apic-em
  authentication-key 7 044E080F
  eid-record instance-id 4097 0.0.0.0/0 accept-more-specifics
  eid-record instance-id 4098 0.0.0.0/0 accept-more-specifics
  eid-record instance-id 4099 0.0.0.0/0 accept-more-specifics
  exit-site
 !
 ipv4 locator reachability exclude-default
 ipv4 source-locator Loopback0
 exit-router-lisp
Fabric Border Node Interfaces to External Router
SANDY#s int vl3002
Building configuration...
Current configuration : 159 bytes
!
interface Vlan3002
description vrf interface to External router
ip address 172.16.0.5 255.255.255.252
no ip redirects
ip route-cache same-interface
end

SANDY#s int vl3006


Building configuration...
Current configuration : 160 bytes
!
interface Vlan3006
description vrf interface to External router
ip address 172.16.0.21 255.255.255.252
no ip redirects
ip route-cache same-interface
end
Fabric Border Node BGP Configuration
SANDY#s | sec bgp
router bgp 65001
 bgp router-id interface Loopback0
 bgp log-neighbor-changes
 bgp graceful-restart
 neighbor 172.16.0.6 remote-as 65002
 neighbor 172.16.0.6 update-source Vlan3002
 neighbor 172.16.0.22 remote-as 65002
 neighbor 172.16.0.22 update-source Vlan3006
 !
 address-family ipv4
  network 192.168.1.10 mask 255.255.255.255
  redistribute lisp metric 10
  neighbor 172.16.0.6 activate
  neighbor 172.16.0.6 weight 65535
  neighbor 172.16.0.22 activate
  neighbor 172.16.0.22 weight 65535
 exit-address-family
 !
 address-family ipv4 vrf DEFAULT_VN
  redistribute lisp metric 10
  neighbor 172.16.0.2 remote-as 65002
  neighbor 172.16.0.2 update-source Vlan3001
  neighbor 172.16.0.2 activate
  neighbor 172.16.0.2 weight 65535
  neighbor 172.16.0.18 remote-as 65002
  neighbor 172.16.0.18 update-source Vlan3005
  neighbor 172.16.0.18 activate
  neighbor 172.16.0.18 weight 65535
 exit-address-family
 !
 address-family ipv4 vrf USERS
  redistribute lisp metric 10
  neighbor 172.16.0.10 remote-as 65002
  neighbor 172.16.0.10 update-source Vlan3003
  neighbor 172.16.0.10 activate
  neighbor 172.16.0.10 weight 65535
  neighbor 172.16.0.14 remote-as 65002
  neighbor 172.16.0.14 update-source Vlan3004
  neighbor 172.16.0.14 activate
  neighbor 172.16.0.14 weight 65535
 exit-address-family
User Onboarding
Fabric Authentication Template
Select VN for associating IP Pool
IP Pool association to VN
IP Pool associated to USERS VN
Fabric Provision: Configuration on Fabric Edge
VAMPIRE-1#sh vrf
  Name        Default RD  Protocols  Interfaces
  DEFAULT_VN  <not set>   ipv4       LI0.4098
  Mgmt-vrf    <not set>   ipv4,ipv6  Gi0/0
  USERS       <not set>   ipv4       LI0.4099
                                     Vl1021

VAMPIRE-1#s int vl1021
Building configuration...
Current configuration : 285 bytes
!
interface Vlan1021
 description Configured from apic-em
 mac-address 0000.0c9f.f45c
 vrf forwarding USERS
 ip address 172.16.15.254 255.255.248.0
 ip helper-address 192.168.4.1
 no ip redirects
 ip route-cache same-interface
 no lisp mobility liveness test
 lisp mobility USERS
end
Fabric Provision: Configuration on Fabric Edge
VAMPIRE-1#s | sec lisp
 no lisp mobility liveness test
 lisp mobility USERS
router lisp
 locator-table default
 <snip …… snip>
  exit-locator-set
 !
 instance-id 4099
  remote-rloc-probe on-route-change
  dynamic-eid USERS
   database-mapping 172.16.8.0/21 locator-set rloc_1daeaec6-1a9c-4579-9dad-762bac1d3723
   exit-dynamic-eid
  !
  service ipv4
   eid-table vrf USERS
   map-cache 0.0.0.0/0 map-request
   exit-service-ipv4
  exit-instance-id
 !
 instance-id 8188
  remote-rloc-probe on-route-change
  service ethernet
   eid-table vlan 1021
   database-mapping mac locator-set rloc_1daeaec6-1a9c-4579-9dad-762bac1d3723
Fabric Provision: Configuration on Control Plane Node
SANDY#s | sec lisp
router lisp
 locator-table default
 locator-set rloc_af80dd60-71be-4d19-8205-4d0213d0602d
  IPv4-interface Loopback0 priority 10 weight 10
  auto-discover-rlocs
  exit-locator-set
 !
 site site_uci
  description map-server configured from apic-em
  authentication-key 7 14021102
  eid-record instance-id 4099 172.16.8.0/21 accept-more-specifics
  eid-record instance-id 8188 any-mac
  exit-site
 !
Fabric Provision: VRF Interfaces in USERS VN
SANDY#sh vrf
  Name        Default RD  Protocols  Interfaces
  DEFAULT_VN  1:4098      ipv4       Vl3005
                                     Vl3001
                                     LI0.4098
  Mgmt-vrf    <not set>   ipv4,ipv6  Gi0/0
  USERS       1:4099      ipv4       Vl3004
                                     Vl3003
                                     LI0.4099
                                     Lo1021
SANDY#
SANDY#s int lo1021
Building configuration...
Current configuration : 123 bytes
!
interface Loopback1021
 description Loopback Border
 vrf forwarding USERS
 ip address 172.16.15.254 255.255.255.255
end
Fabric Provision: BGP Configuration on Fabric Border
SANDY#s | b er bgp
router bgp 65001
bgp router-id interface Loopback0
bgp log-neighbor-changes
!
address-family ipv4 vrf USERS
bgp aggregate-timer 0
network 172.16.15.254 mask 255.255.255.255
aggregate-address 172.16.8.0 255.255.248.0 summary-only
redistribute lisp metric 10
neighbor 172.16.0.10 remote-as 65002
neighbor 172.16.0.10 update-source Vlan3003
neighbor 172.16.0.10 activate
neighbor 172.16.0.10 weight 65535
neighbor 172.16.0.14 remote-as 65002
neighbor 172.16.0.14 update-source Vlan3004
neighbor 172.16.0.14 activate
neighbor 172.16.0.14 weight 65535
exit-address-family
Fabric Edge Node: Static Port-to-VN/SGT

Before (84 bytes):

VAMPIRE-1#s int t1/0/1
Building configuration...
Current configuration : 84 bytes
!
interface TenGigabitEthernet1/0/1
 device-tracking attach-policy IPDT_MAX_10
end

After static port assignment (259 bytes):

VAMPIRE-1#s int t1/0/1
Building configuration...
Current configuration : 259 bytes
!
interface TenGigabitEthernet1/0/1
 switchport access vlan 1021
 switchport mode access
 device-tracking attach-policy IPDT_MAX_10
 load-interval 30
 cts manual
  policy static sgt 4
  no propagate sgt
 no macro auto processing
 spanning-tree portfast
end

`cts manual` with `policy static sgt 4` stamps every frame entering this port with SGT 4 regardless of who is connected, and `no propagate sgt` keeps the tag from being sent inline toward the host. A static assignment is appropriate for a port you control physically; anything a user can reach should get its SGT from authentication instead.
External Route Exchange (Fusion Router)
Mapping of Interfaces, VN, Subnets

VLAN  VN          IP Address   Interface (B)  Hostname (F)  Interface (F)
3001  DEFAULT_VN  172.16.0.1   T1/0/7         POSEIDON      G0/0/0
3002  GRT         172.16.0.5   T1/0/7         POSEIDON      G0/0/0
3003  USERS       172.16.0.9   T1/0/7         POSEIDON      G0/0/0
3004  USERS       172.16.0.13  T1/0/8         MERCURY       G0/0/1
3005  DEFAULT_VN  172.16.0.17  T1/0/8         MERCURY       G0/0/1
3006  GRT         172.16.0.21  T1/0/8         MERCURY       G0/0/1

Note: the fusion-router outputs that follow (POSEIDON Gi0/0/0 carrying sub-interfaces .3004-.3006 and peering with 172.16.0.13/.17/.21; MERCURY Gi0/0/1 carrying .3001-.3003 and peering with 172.16.0.1/.5/.9) place the hostnames the other way round from this table. Trust the device output when tracing a handoff.
External Connectivity: Fusion Router Interface Config

POSEIDON#s | b 0/0/0
interface GigabitEthernet0/0/0
 mtu 9100
 no ip address
 ip ospf mtu-ignore
 negotiation auto
!
interface GigabitEthernet0/0/0.3004
 encapsulation dot1Q 3004
 ip address 172.16.0.14 255.255.255.252
!
interface GigabitEthernet0/0/0.3005
 encapsulation dot1Q 3005
 ip address 172.16.0.18 255.255.255.252
!
interface GigabitEthernet0/0/0.3006
 encapsulation dot1Q 3006
 ip address 172.16.0.22 255.255.255.252

MERCURY#s | b 0/0/1
interface GigabitEthernet0/0/1
 mtu 9100
 no ip address
 ip ospf mtu-ignore
 negotiation auto
!
interface GigabitEthernet0/0/1.3001
 encapsulation dot1Q 3001
 ip address 172.16.0.2 255.255.255.252
!
interface GigabitEthernet0/0/1.3002
 encapsulation dot1Q 3002
 ip address 172.16.0.6 255.255.255.252
!
interface GigabitEthernet0/0/1.3003
[remainder cut off on the slide]

One of the two parent interfaces also carries `load-interval 30` and `ipv6 enable`; the slide extraction does not show which.

Note that none of these sub-interfaces is placed in a VRF, so the DEFAULT_VN, USERS and GRT handoffs all land in the fusion router's global routing table. VN separation ends at this point unless the fusion router itself keeps per-VN VRFs or filters between the peerings.
External Connectivity: Fusion Router BGP Config

POSEIDON#s | b er bg
router bgp 65002
 bgp log-neighbor-changes
 neighbor 172.16.0.13 remote-as 65001
 neighbor 172.16.0.13 update-source GigabitEthernet0/0/0.3004
 neighbor 172.16.0.17 remote-as 65001
 neighbor 172.16.0.17 update-source GigabitEthernet0/0/0.3005
 neighbor 172.16.0.21 remote-as 65001
 neighbor 172.16.0.21 update-source GigabitEthernet0/0/0.3006

POSEIDON#sh ip bgp su
BGP router identifier 192.168.1.2, local AS number 65002
<snip …. snip>
BGP activity 2/0 prefixes, 2/0 paths, scan interval 60 secs

Neighbor     V  AS     MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
172.16.0.13  4  65001  17       16       3       0    0     00:10:32  1
172.16.0.17  4  65001  13       18       3       0    0     00:10:16  0
172.16.0.21  4  65001  16       18       3       0    0     00:09:31  1
External Connectivity: Advertise underlay to External

MERCURY#sh ip bgp sum
BGP router identifier 192.168.1.1, local AS number 65002
BGP using 6240 total bytes of memory
BGP activity 14/0 prefixes, 14/0 paths, scan interval 60 secs

Neighbor    V  AS     MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
172.16.0.1  4  65001  38       40       15      0    0     00:31:26  0
172.16.0.5  4  65001  39       40       15      0    0     00:30:58  13
172.16.0.9  4  65001  38       42       15      0    0     00:30:24  1

SANDY#s
ip access-list standard rlocs
 permit 192.168.1.0 0.0.0.255
!
route-map allow-rlocs permit 1
 match ip address rlocs
!
route-map allow-rlocs deny 2
!
router bgp 65001
 bgp router-id interface Loopback0
 bgp log-neighbor-changes
 !
 address-family ipv4
  network 192.168.1.10 mask 255.255.255.255
  redistribute ospf 1 metric 10 route-map allow-rlocs

The 13 prefixes MERCURY receives on the global-table peer (172.16.0.5, VLAN 3002) are the underlay routes that pass allow-rlocs. This route-map is the control on what the fabric exposes externally: only the 192.168.1.0/24 RLOC range is redistributed from OSPF, so the point-to-point link subnets (the 192.168.2.x /30s seen later on TACAMO) and anything else in the underlay stay inside. Keep the ACL as tight as the RLOC addressing allows; whatever it permits becomes reachable from the external network.
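As an added example (not code from the deck), the filter above simulated in Python so you can see exactly which OSPF routes it lets into BGP. The ACL and route-map are the slide's; the candidate OSPF routes and the prefix-list variant are constructed to show one thing the standard ACL does not do: it matches the route's network address under the wildcard mask and ignores the prefix length, so a non-host prefix inside 192.168.1.0/24 is leaked too.

```python
"""Simulate the border's OSPF-to-BGP redistribution filter (added example).

The ACL and route-map are the ones on the slide. The candidate routes and the
prefix-list alternative are constructed to show the difference.
"""
import ipaddress
from typing import Callable, Iterable, List

# ip access-list standard rlocs
#  permit 192.168.1.0 0.0.0.255
ACL_RLOCS = [("192.168.1.0", "0.0.0.255")]

RLOC_BLOCK = ipaddress.IPv4Network("192.168.1.0/24")


def wildcard_match(entry: str, wildcard: str, route: str) -> bool:
    """Standard-ACL match as a route-map applies it: the route's network address
    is compared under the wildcard mask; the route's prefix length is ignored."""
    net = int(ipaddress.IPv4Network(route).network_address)
    addr = int(ipaddress.IPv4Address(entry))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # bits the ACL cares about
    return (net & care) == (addr & care)


def allow_rlocs_acl(route: str) -> bool:
    """route-map allow-rlocs: seq 1 permit on ACL match, seq 2 deny everything else."""
    return any(wildcard_match(a, w, route) for a, w in ACL_RLOCS)


def allow_rlocs_prefix_list(route: str) -> bool:
    """Tighter variant (assumption, not on the slide): only /32 host routes inside
    the RLOC block, i.e. 'ip prefix-list rlocs permit 192.168.1.0/24 ge 32'."""
    r = ipaddress.IPv4Network(route)
    return r.subnet_of(RLOC_BLOCK) and r.prefixlen == 32


def redistributed(routes: Iterable[str], policy: Callable[[str], bool]) -> List[str]:
    """Routes the policy lets through into BGP."""
    return [r for r in routes if policy(r)]


# Constructed OSPF table: two RLOC loopbacks, a non-host prefix inside the RLOC
# block, a point-to-point link, and an overlay prefix that must never leak here.
OSPF_ROUTES = [
    "192.168.1.7/32", "192.168.1.10/32", "192.168.1.128/25",
    "192.168.2.76/30", "172.16.8.0/21",
]

if __name__ == "__main__":
    print(redistributed(OSPF_ROUTES, allow_rlocs_acl))
    print(redistributed(OSPF_ROUTES, allow_rlocs_prefix_list))
```

If the RLOC block is reserved for loopbacks only, the two filters behave the same; the prefix-list form is the safer default because it keeps behaving correctly when someone later numbers a transit link out of that block.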
Cisco SD-Access Fabric Endpoint Registration information
SANDY#sh lisp site inst 4099
LISP Site Registration Information
* = Some locators are down or unreachable
# = Some registrations are sourced by reliable transport

Site Name  Last Register  Up    Who Last Registered   Inst ID  EID Prefix
site_uci   never          no    --                    4099     172.16.8.0/21
           01:04:12       yes#  192.168.1.7:21461     4099     172.16.8.1/32

VAMPIRE-1#sh lisp ins 4099 dyna sum
LISP Dynamic EID Summary for VRF "USERS"
^ = Dyn-EID learned by EID Notify
* = Dyn-EID learned by Site-Based Map-Notify
Dyn-EID Name  Dynamic-EID  Interface  Uptime    Last Packet  Pending Ping Count
USERS         172.16.8.1   Vl1021     01:03:33  01:03:33     0
Ping between Hosts in and out of Fabric

Host Details in Traditional Network
INTRUDER#sh arp vlan 30
Protocol  Address    Age (min)  Hardware Addr   Type  Interface
Internet  10.1.51.2  83         000c.298b.7435  ARPA  Vlan30

VAMPIRE-3#sh mac addr dyn vlan 30
          Mac Address Table
Vlan  Mac Address     Type     Ports
----  -----------     ----     -----
30    000c.298b.7435  DYNAMIC  Gi1/0/3

Host Details in Cisco SD-Access Network
VAMPIRE-1#sh mac addr dyn vlan 1021
          Mac Address Table
Vlan  Mac Address     Type     Ports
----  -----------     ----     -----
1021  000c.2949.0249  DYNAMIC  Te1/0/1
Total Mac Addresses for this criterion: 1

VAMPIRE-1#sh arp vrf USERS
Protocol  Address        Age (min)  Hardware Addr   Type  Interface
Internet  172.16.8.1     3          000c.2949.0249  ARPA  Vlan1021
Internet  172.16.15.254  -          0000.0c9f.f45c  ARPA  Vlan1021
VAMPIRE-1#
East-West Communication: Fabric Border is Exchange Point with Fusion Router
[figure: legacy host 10.1.51.2 reaching the fabric host through the border and fusion router]

Current State of the Network & Future
[figure: MERCURY, POSEIDON; SANDY as border and control plane (B C), FIDDLER; TACAMO; PROWLER, INTRUDER; VAMPIRE-1, VAMPIRE-2, VAMPIRE-3]

Re-configure Links: L2 to L3 Routed Links
[same topology; links re-configured from L2 to L3 routed]

Configure Fabric Edge on Access Switch
[same topology; an access switch becomes a fabric edge]

Redundant Fabric Border/Control Plane node
[figure: SANDY and FIDDLER both as border and control plane (B C)]

Reconfigure Links: L2 to L3 Routed links
[same topology; next set of links re-configured as routed]

Configure Fabric Edge on Access
[same topology; VAMPIRE-1 shown as the access switch]

Distribute Control Plane node for Scale
[figure: SANDY and FIDDLER as borders (B); the control plane role (C) on two separate nodes]
Branch Design
[figure: branch with MPLS and I-NET connectivity]

Cisco SD-Access Migration: Retain existing subnets

Incremental Migration – High Level concept
[figure: a Virtual Network (existing IP scope) overlaid on the Existing Network (existing IP scope); hosts switch between the two IP scopes; Edge nodes on the existing IP network (underlay), the Border/Control Plane node, and the existing campus and external network]

- Deploy a Border node and incrementally add Edge Nodes
- A virtual network is formed over the existing (underlay) network
- The virtual network(s) use the same subnet addresses as the existing network
- The virtual network connects to the external network through the border
Migrating to Cisco SD-Access retaining existing subnets
[figure: fabric side 10.1.1.0/24 on VLAN 1021 with L2 VNI 8188; legacy side 10.1.1.0/24 on VLAN 10; control plane (C) and border (B) nodes; external network]

- Map VLAN 10 to the same L2 VNI (8188) on the Fabric Border node
- The border's L2 handoff carries Internal + External traffic; in-system redundancy only
- Local EID scale of 4K endpoints: the border can only onboard 4K endpoints from the legacy network
- With /20 or /21 subnets, maybe a couple of VLANs can be onboarded per border; with /24 VLANs we can bunch up a lot
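As an added example (not code from the deck), the capacity reasoning above as a small planner in Python: legacy VLANs are packed onto L2 borders so that no border carries more than the deck's 4K local EIDs, which is what "a couple of /20 VLANs per border, many /24s" amounts to. The 4096 cap is the deck's figure; the VLAN inventory is constructed, and endpoint counts default to the subnet's usable host count when no measured count is supplied.

```python
"""Pack legacy VLANs onto L2 borders under the per-border EID cap (added example).

The 4K figure is the deck's 'local EID scale of 4K endpoints' per L2 border.
The VLAN list is constructed; endpoint counts default to the subnet's usable
host count, which is the worst case when no measured count is available.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

L2_BORDER_EID_CAP = 4096


@dataclass
class LegacyVlan:
    vlan: int
    subnet: str
    endpoints: Optional[int] = None  # measured count from the legacy switches, if known

    def eids(self) -> int:
        if self.endpoints is not None:
            return self.endpoints
        net = ipaddress.IPv4Network(self.subnet)
        return max(net.num_addresses - 2, 0)  # usable hosts = worst-case EID count


@dataclass
class L2Border:
    name: str
    vlans: List[LegacyVlan] = field(default_factory=list)

    def load(self) -> int:
        return sum(v.eids() for v in self.vlans)


def plan_l2_borders(vlans: List[LegacyVlan], cap: int = L2_BORDER_EID_CAP) -> List[L2Border]:
    """First-fit-decreasing bin packing of VLANs onto L2 borders.

    Largest VLANs are placed first; each VLAN goes on the first border with
    room, otherwise a new border is added. A VLAN larger than the cap cannot
    be onboarded at all, because one VLAN cannot be split across L2 borders.
    """
    borders: List[L2Border] = []
    for v in sorted(vlans, key=lambda x: x.eids(), reverse=True):
        if v.eids() > cap:
            raise ValueError(f"VLAN {v.vlan} ({v.subnet}) needs {v.eids()} EIDs, above the cap of {cap}")
        for b in borders:
            if b.load() + v.eids() <= cap:
                b.vlans.append(v)
                break
        else:
            borders.append(L2Border(f"L2-BORDER-{len(borders) + 1}", [v]))
    return borders


# Constructed inventory: two /20 user VLANs and sixteen /24 VLANs.
SAMPLE = [LegacyVlan(10, "10.1.0.0/20"), LegacyVlan(20, "10.2.0.0/20")] + [
    LegacyVlan(30 + i, f"10.3.{i}.0/24") for i in range(16)
]

if __name__ == "__main__":
    for b in plan_l2_borders(SAMPLE):
        print(b.name, b.load(), [v.vlan for v in b.vlans])
```

With the sample inventory the planner needs three L2 borders: one per /20 (4094 possible EIDs each, so nothing else fits beside it) and one for all sixteen /24s (4064). Feed it measured endpoint counts where you have them; sizing by subnet is deliberately pessimistic.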
Separate L2 Border recommendation
- A separate L2 Border gives a smaller impact domain, and scale
- Example: 10.1.0.0/20 (VLAN 10, 4K EIDs) mapped to VLAN 1021 / L2 VNI 8188 on one L2 border; 10.2.0.0/20 (VLAN 20, 4K EIDs) mapped to VLAN 1022 / L2 VNI 8189 on a second L2 border

Flash-cut Existing Access to Fabric Edge
[figure: 10.1.0.0/20 now served by VLAN 1021 / L2 VNI 8188 on the fabric edge, with the legacy VLAN 10 still reachable through the L2 border]

End-to-End SD-Access, Repurpose L2 Border
[figure: 10.1.0.0/20 on VLAN 1021 / L2 VNI 8188 entirely inside the fabric; the L2 border is freed for reuse]
Intermediate Node to L2 Border Connectivity

INTRUDER#s int t1/0/7
Building configuration...
Current configuration : 133 bytes
!
interface TenGigabitEthernet1/0/7
 description Link to TACAMO T1/0/4
 switchport trunk allowed vlan 30
 switchport mode trunk
end

INTRUDER#s int t1/0/6
Building configuration...
Current configuration : 152 bytes
!
interface TenGigabitEthernet1/0/6
 description Link to TACAMO T1/0/2
 no switchport
 ip address 192.168.2.82 255.255.255.252
 ip pim sparse-mode
end

PROWLER#s int t1/0/7
Building configuration...
Current configuration : 133 bytes
!
interface TenGigabitEthernet1/0/7
 description Link to TACAMO T1/0/3
 switchport trunk allowed vlan 30
 switchport mode trunk
end

PROWLER#s int t1/0/6
Building configuration...
Current configuration : 152 bytes
!
interface TenGigabitEthernet1/0/6
 description Link to TACAMO T1/0/1
 no switchport
 ip address 192.168.2.78 255.255.255.252
 ip pim sparse-mode
end
L2 Border Connectivity to Intermediate Node

TACAMO#s int t1/0/1
interface TenGigabitEthernet1/0/1
 no switchport
 ip address 192.168.2.77 255.255.255.252
 ip pim sparse-mode
 ip ospf mtu-ignore
 logging event link-status
 load-interval 30
end

TACAMO#s int t1/0/2
Building configuration...
interface TenGigabitEthernet1/0/2
 no switchport
 ip address 192.168.2.81 255.255.255.252
 ip pim sparse-mode
 ip ospf mtu-ignore
 logging event link-status
 load-interval 30
end

TACAMO#s int t1/0/3
interface TenGigabitEthernet1/0/3
 switchport trunk allowed vlan 30*
 switchport mode trunk
end

TACAMO#s int t1/0/4
interface TenGigabitEthernet1/0/4
 switchport trunk allowed vlan 30*
 switchport mode trunk
end

The routed links toward the intermediate nodes carry `ip ospf mtu-ignore`, as do the fusion router uplinks earlier. That keyword disables OSPF's MTU check during database exchange, so an adjacency forms even when the two ends disagree on MTU. With jumbo MTU mandatory in the underlay that is exactly the mismatch you want to catch, not mask: if you keep it, verify each link with a full-size ping with the DF bit set before carrying fabric traffic over it.
Design: Define Existing Subnet as an IP Pool

Design: Reserve the IP Pool at Site Level

Site-Level IP Pool

Provision L2 Border

From here on the remaining steps have to be performed together, as a single phase: shut the legacy SVIs, add the existing subnet to the VN, and add the L2 border to the fabric.
Shutdown Existing SVI on Intermediate Nodes
PROWLER#sh standby br
Interface  Grp  Pri  P  State   Active  Standby      Virtual IP
Vl10       1    110  P  Active  local   10.1.49.253  10.1.49.254
Vl20       1    110  P  Active  local   10.1.50.253  10.1.50.254
Vl30       1    110  P  Active  local   10.1.51.253  10.1.51.254
PROWLER#conf t
Enter configuration commands, one per line. End with CNTL/Z.
PROWLER(config)#int ra vl20, vl30
PROWLER(config-if-range)#shut
PROWLER(config-if-range)#
Sep 29 00:29:42.945: %PIM-5-NBRCHG: neighbor 10.1.50.253 DOWN on interface Vlan20 DR
Sep 29 00:29:42.952: %HSRP-5-STATECHANGE: Vlan20 Grp 1 state Active -> Init
Sep 29 00:29:42.965: %PIM-5-NBRCHG: neighbor 10.1.51.253 DOWN on interface Vlan30 DR
Sep 29 00:29:42.970: %HSRP-5-STATECHANGE: Vlan30 Grp 1 state Active -> Init
PROWLER(config-if-range)#
Sep 29 00:29:44.947: %LINK-5-CHANGED: Interface Vlan20, changed state to administratively down
Sep 29 00:29:44.966: %LINK-5-CHANGED: Interface Vlan30, changed state to administratively down
Sep 29 00:29:45.947: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to down
PROWLER(config-if-range)#
Sep 29 00:29:45.967: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan30, changed state to down
PROWLER(config-if-range)#^Z
PROWLER#

Shutdown Existing SVI on Intermediate Nodes
INTRUDER#conf t
Enter configuration commands, one per line. End with CNTL/Z.
INTRUDER(config)#int ra vl20, vl30
INTRUDER(config-if-range)#shut
INTRUDER(config-if-range)#
Sep 29 00:29:42.949: %HSRP-5-STATECHANGE: Vlan20 Grp 1 state Standby -> Active
Sep 29 00:29:42.969: %HSRP-5-STATECHANGE: Vlan30 Grp 1 state Standby -> Active
Sep 29 00:29:43.786: %PIM-5-NBRCHG: neighbor 10.1.50.252 DOWN on interface Vlan20 non DR
Sep 29 00:29:43.791: %HSRP-5-STATECHANGE: Vlan20 Grp 1 state Active -> Init
Sep 29 00:29:43.801: %PIM-5-NBRCHG: neighbor 10.1.51.252 DOWN on interface Vlan30 non DR
Sep 29 00:29:43.805: %HSRP-5-STATECHANGE: Vlan30 Grp 1 state Active -> Init
INTRUDER(config-if-range)#^Z
INTRUDER#
Sep 29 00:29:45.787: %LINK-5-CHANGED: Interface Vlan20, changed state to administratively down
Sep 29 00:29:45.803: %LINK-5-CHANGED: Interface Vlan30, changed state to administratively down
Sep 29 00:29:46.788: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to down
Sep 29 00:29:46.803: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan30, changed state to down
INTRUDER#
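As an added example (not code from the deck), a gate for this single-phase step in Python: before the fabric edge is given the legacy gateway address (10.1.51.254 on Vlan1022 in the next slides), confirm from the syslog of every intermediate node that the legacy SVIs are administratively down and their HSRP groups have left Active/Standby, otherwise two devices answer for the same gateway. The sample log lines are the PROWLER and INTRUDER messages shown above, embedded as constructed input; the check logic is mine. Note that INTRUDER briefly goes Standby -> Active when PROWLER shuts first, so the check uses the last HSRP state seen, not the first.

```python
"""Cutover gate for the single-phase step (added example, not from the deck).

Before the fabric edge is given the legacy gateway address, every intermediate
node must have its legacy SVIs administratively down and their HSRP groups out
of Active/Standby, or two devices answer for the same gateway IP. The sample
lines are the PROWLER and INTRUDER messages shown on the slides.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

ADMIN_DOWN = re.compile(
    r"%LINK-5-CHANGED: Interface (Vlan\d+), changed state to administratively down")
HSRP = re.compile(r"%HSRP-5-STATECHANGE: (Vlan\d+) Grp (\d+) state (\S+) -> (\S+)")


def parse_node_log(lines: Iterable[str]) -> Tuple[Set[str], Dict[Tuple[str, str], str]]:
    """SVIs seen going admin-down, and the last HSRP state per (SVI, group)."""
    admin_down: Set[str] = set()
    hsrp_last: Dict[Tuple[str, str], str] = {}
    for line in lines:
        m = ADMIN_DOWN.search(line)
        if m:
            admin_down.add(m.group(1))
        m = HSRP.search(line)
        if m:
            hsrp_last[(m.group(1), m.group(2))] = m.group(4)  # state after the transition
    return admin_down, hsrp_last


def cutover_ready(svis: Iterable[str], node_logs: Dict[str, List[str]]) -> Tuple[bool, List[str]]:
    """True only if every listed SVI is admin-down on every node and no HSRP
    group on those SVIs is left in any state other than Init."""
    wanted = set(svis)
    problems: List[str] = []
    for node, lines in node_logs.items():
        down, hsrp = parse_node_log(lines)
        for svi in sorted(wanted - down):
            problems.append(f"{node}: {svi} not administratively down")
        for (svi, grp), state in hsrp.items():
            if svi in wanted and state != "Init":
                problems.append(f"{node}: {svi} HSRP group {grp} still {state}")
    return (not problems, problems)


# Constructed sample: the messages the two intermediate nodes logged on the slides.
LOGS = {
    "PROWLER": [
        "Sep 29 00:29:42.952: %HSRP-5-STATECHANGE: Vlan20 Grp 1 state Active -> Init",
        "Sep 29 00:29:42.970: %HSRP-5-STATECHANGE: Vlan30 Grp 1 state Active -> Init",
        "Sep 29 00:29:44.947: %LINK-5-CHANGED: Interface Vlan20, changed state to administratively down",
        "Sep 29 00:29:44.966: %LINK-5-CHANGED: Interface Vlan30, changed state to administratively down",
    ],
    "INTRUDER": [
        "Sep 29 00:29:42.949: %HSRP-5-STATECHANGE: Vlan20 Grp 1 state Standby -> Active",
        "Sep 29 00:29:42.969: %HSRP-5-STATECHANGE: Vlan30 Grp 1 state Standby -> Active",
        "Sep 29 00:29:43.791: %HSRP-5-STATECHANGE: Vlan20 Grp 1 state Active -> Init",
        "Sep 29 00:29:43.805: %HSRP-5-STATECHANGE: Vlan30 Grp 1 state Active -> Init",
        "Sep 29 00:29:45.787: %LINK-5-CHANGED: Interface Vlan20, changed state to administratively down",
        "Sep 29 00:29:45.803: %LINK-5-CHANGED: Interface Vlan30, changed state to administratively down",
    ],
}

if __name__ == "__main__":
    print(cutover_ready(["Vlan20", "Vlan30"], LOGS))            # (True, [])
    print(cutover_ready(["Vlan10", "Vlan20", "Vlan30"], LOGS))  # Vlan10 was never shut
```

Vlan10 stays up in the deck's run, so asking the gate about all three SVIs fails on both nodes; that is the behaviour you want if an operator forgets one of the intermediate switches.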
Add Existing Subnet to VN

Add Existing subnet to USERS VN
Legacy Subnet Provisioning on Fabric Edge
VAMPIRE-1#sh vrf
Name Default RD Protocols Interfaces
USERS <not set> ipv4 LI0.4099
Vl1021
Vl1022
VAMPIRE-1#s int vl1022
Building configuration...
Current configuration : 293 bytes
!
interface Vlan1022
description Configured from apic-em
mac-address 0000.0c9f.f45d
vrf forwarding USERS
ip address 10.1.51.254 255.255.255.0
ip helper-address 192.168.4.1
no ip redirects
ip route-cache same-interface
no lisp mobility liveness test
lisp mobility PHNX_TEMP_USERS
end
Fabric Edge Configuration modification
VAMPIRE-1#s | sec lisp
router lisp
locator-table default
instance-id 4099
remote-rloc-probe on-route-change
dynamic-eid PHNX_TEMP_USERS
database-mapping 10.1.51.0/24 locator-set rloc_1daeaec6-1a9c-4579-9dad-762bac1d3723
exit-dynamic-eid
!
exit-instance-id
!
instance-id 8189
remote-rloc-probe on-route-change
service ethernet
eid-table vlan 1022
database-mapping mac locator-set rloc_1daeaec6-1a9c-4579-9dad-762bac1d3723
exit-service-ethernet
!
exit-instance-id
Fabric Border Configuration modification
SANDY#s | sec lisp
router lisp
locator-table default
!
instance-id 4099
remote-rloc-probe on-route-change
service ipv4
eid-table vrf USERS
route-export site-registrations
distance site-registrations 250
map-cache site-registration
exit-service-ipv4
!
exit-instance-id
!
site site_uci
description map-server configured from apic-em
authentication-key 7 06130C28
eid-record instance-id 4099 10.1.51.0/24 accept-more-specifics
eid-record instance-id 8189 any-mac
exit-site

router bgp 65001
bgp router-id interface Loopback0
!
address-family ipv4 vrf USERS
bgp aggregate-timer 0
network 10.1.51.254 mask 255.255.255.255
aggregate-address 10.1.51.0 255.255.255.0 summary-only
Add L2 Border into SD-Access fabric

Layer 2 Handoff on L2 Border (Internal)

Map Existing VLAN to Subnet in SD-Access

Configure L2 Border

Current State of Network
VN, VLAN creation on L2 Border
TACAMO#sh vrf
Name Default RD Protocols Interfaces
DEFAULT_VN 1:4098 ipv4 LI0.4098
Mgmt-vrf <not set> ipv4,ipv6 Gi0/0
USERS 1:4099 ipv4 Vl30
Lo1023
Lo1021
LI0.4099
TACAMO#s int vl30
interface Vlan30
description Configured from apic-em
mac-address 0000.0c9f.f45d
vrf forwarding USERS
ip address 10.1.51.254 255.255.255.0
ip helper-address 192.168.4.1
no ip redirects
ip route-cache same-interface
no lisp mobility liveness test
lisp mobility PHNX_TEMP_USERS
end
Fabric Configuration on L2 Border
TACAMO#s | sec lisp
router lisp
locator-table default
locator-set rloc_0d8b4ebb-e80e-4e2b-84b1-b2e1330d9f3e
IPv4-interface Loopback0 priority 10 weight 10
auto-discover-rlocs
exit-locator-set
!
service ipv4
encapsulation vxlan
itr map-resolver 192.168.1.10
etr map-server 192.168.1.10 key 7 1310141B
etr map-server 192.168.1.10 proxy-reply
etr
sgt
no map-cache away-eids send-map-request
use-petr 192.168.1.10
proxy-itr 192.168.1.15
exit-service-ipv4
!
service ethernet
itr map-resolver 192.168.1.10
Map VLAN to L2 VNI on L2 Border
instance-id 4097
remote-rloc-probe on-route-change
service ipv4
eid-table default
route-import map-cache bgp 65001 route-map permit-all-eids
exit-service-ipv4
<snip ……… snip>
instance-id 4099
remote-rloc-probe on-route-change
dynamic-eid PHNX_TEMP_USERS
database-mapping 10.1.51.0/24 locator-set rloc_0d8b4ebb-e80e-4e2b-84b1-b2e1330d9f3e
exit-dynamic-eid
!
service ipv4
eid-table vrf USERS
map-cache 0.0.0.0/0 map-
exit-instance-id
Endpoint (Legacy) Registration in Host Database
SANDY#sh lisp site instance 4099
LISP Site Registration Information
Site Name Last Up Who Last Inst EID Prefix
Register Registered ID
site_uci never no -- 4099 0.0.0.0/0
never no -- 4099 10.1.50.0/24
never no -- 4099 10.1.51.0/24
00:09:40 yes# 192.168.1.15:15912 4099 10.1.51.2/32
never no -- 4099 172.16.8.0/21

TACAMO#sh lisp instance 4099 dynamic-eid summary


LISP Dynamic EID Summary for VRF "USERS"
^ = Dyn-EID learned by EID Notify
* = Dyn-EID learned by Site-Based Map-Notify
Dyn-EID Name Dynamic-EID Interface Uptime Last Pending
Packet Ping Count
PHNX_TEMP_USERS 10.1.51.2 Vl30 00:09:25 00:09:25 0
Static Port Assignment to Existing Subnet
Fabric Edge Configuration for Host On-boarding
VAMPIRE-1#s int t1/0/1
Building configuration...

Current configuration : 259 bytes
!
interface TenGigabitEthernet1/0/1
switchport access vlan 1022
switchport mode access
device-tracking attach-policy IPDT_MAX_10
load-interval 30
cts manual
policy static sgt 4
no propagate sgt
no macro auto processing
spanning-tree portfast
end

VAMPIRE-1#s int vl1022
Building configuration...

Current configuration : 293 bytes
!
interface Vlan1022
description Configured from apic-em
mac-address 0000.0c9f.f45d
vrf forwarding USERS
ip address 10.1.51.254 255.255.255.0
ip helper-address 192.168.4.1
no ip redirects
ip route-cache same-interface
no lisp mobility liveness test
lisp mobility PHNX_TEMP_USERS
end
Comms between Hosts in fabric and Legacy

East-West: Hosts in same subnet, inside and outside fabric
Hosts on Fabric Edge, and L2 Border
VAMPIRE-1#sh lisp ins 4099 dyna summ
Dyn-EID Name Dynamic-EID Interface Uptime Last Pending
Packet Ping Count
PHNX_TEMP_USERS 10.1.51.3 Vl1022 00:06:39 00:06:39 0

VAMPIRE-1#sh lisp ins 8189 ethernet map-cac


LISP MAC Mapping Cache for EID-table Vlan 1022 (IID 8189), 3 entries

000c.298b.7435/48, uptime: 00:04:25, expires: 23:55:34, via map-reply, complete


Locator Uptime State Pri/Wgt Encap-IID
192.168.1.15 00:04:25 up 10/10 -

TACAMO#sh lisp instance 4099 dynamic-eid summary

Dyn-EID Name Dynamic-EID Interface Uptime Last Pending
Packet Ping Count
PHNX_TEMP_USERS 10.1.51.2 Vl30 00:30:19 00:30:19 0

TACAMO#sh lisp ins 8189 ethernet map-cac
LISP MAC Mapping Cache for EID-table Vlan 30 (IID 8189), 2 entries

000c.2949.0249/48, uptime: 00:05:11, expires: 23:54:48, via map-reply, complete
Locator Uptime State Pri/Wgt Encap-IID
192.168.1.7 00:05:11 up 10/10 -
Host Comms to External destinations

East-West: Hosts in same subnet, inside and outside fabric

Enable Layer 2 Flooding between Legacy and fabric
Pre-requisite: ASM in underlay (Manual)
interface Loopback0
ip address 192.168.1.15 255.255.255.255
ip pim sparse-mode
ip ospf network point-to-point
!
interface TenGigabitEthernet1/0/1
no switchport
ip address 192.168.2.77 255.255.255.252
ip pim sparse-mode
ip ospf mtu-ignore
logging event link-status
load-interval 30
!
interface TenGigabitEthernet1/0/2
no switchport
ip address 192.168.2.81 255.255.255.252
ip pim sparse-mode
ip ospf mtu-ignore
logging event link-status
load-interval 30
end
!
ip pim rp-address 192.168.100.1
Multicast RP Configuration in Underlay (Manual)

Enable Layer 2 flooding
Configuration for Layer 2 flooding
Fabric Edge
instance-id 8189
remote-rloc-probe on-route-change
service ethernet
eid-table vlan 1022
broadcast-underlay 239.0.0.2
database-mapping mac locator-set rloc_1daeaec<snip>1d3723
exit-service-ethernet

Layer 2 Border
instance-id 8189
remote-rloc-probe on-route-change
service ethernet
eid-table vlan 30
broadcast-underlay 239.0.0.2
database-mapping mac locator-set rloc_0d8b4ebb<snip>30d9f3e
exit-service-ethernet
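The fabric edge (VLAN 1022) and the L2 border (VLAN 30) bind different VLANs to the same L2 instance-id 8189 and must use the same broadcast-underlay group, or flooded ARP and broadcast from one side never reaches the other. The Python below is an added example, not Cisco or DNA Center code: it parses a `router lisp` block from each device and reports any mismatch; the sample configs are constructed from the VAMPIRE-1 and TACAMO values above with indentation restored and locator-set names shortened.

```python
"""Layer 2 flooding consistency check between a fabric edge and an L2 border.
Added example, not Cisco's code: flooding across the L2 VNI only works when
both devices bind the same instance-id to the same broadcast-underlay group
(and register the same EID prefix for the shared subnet)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input modelled on the VAMPIRE-1 (fabric edge) and TACAMO
# (L2 border) outputs on the page; indentation restored, locator-set names shortened.
EDGE_LISP = """\
router lisp
 instance-id 4099
  dynamic-eid PHNX_TEMP_USERS
   database-mapping 10.1.51.0/24 locator-set rloc_1daeaec6
   exit-dynamic-eid
  exit-instance-id
 instance-id 8189
  service ethernet
   eid-table vlan 1022
   broadcast-underlay 239.0.0.2
   database-mapping mac locator-set rloc_1daeaec6
   exit-service-ethernet
  exit-instance-id
"""
L2_BORDER_LISP = """\
router lisp
 instance-id 4099
  dynamic-eid PHNX_TEMP_USERS
   database-mapping 10.1.51.0/24 locator-set rloc_0d8b4ebb
   exit-dynamic-eid
  exit-instance-id
 instance-id 8189
  service ethernet
   eid-table vlan 30
   broadcast-underlay 239.0.0.2
   database-mapping mac locator-set rloc_0d8b4ebb
   exit-service-ethernet
  exit-instance-id
"""


@dataclass
class L2Instance:
    iid: int
    vlan: Optional[int] = None                 # local VLAN bound to the L2 VNI
    broadcast_underlay: Optional[str] = None   # underlay group used for flooding


def parse_lisp(config: str) -> Tuple[Dict[int, L2Instance], Dict[int, Set[str]]]:
    """Collect per-instance L2 facts and dynamic-eid IPv4 prefixes from a router lisp block."""
    l2: Dict[int, L2Instance] = {}
    l3: Dict[int, Set[str]] = {}
    iid: Optional[int] = None
    in_ethernet = False
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"instance-id (\d+)$", line)
        if m:
            iid, in_ethernet = int(m.group(1)), False
        elif iid is None:
            continue
        elif line == "service ethernet":
            in_ethernet = True
            l2.setdefault(iid, L2Instance(iid))
        elif line == "exit-service-ethernet":
            in_ethernet = False
        elif line == "exit-instance-id":
            iid = None
        elif in_ethernet:
            if m := re.match(r"eid-table vlan (\d+)", line):
                l2[iid].vlan = int(m.group(1))
            elif m := re.match(r"broadcast-underlay (\S+)", line):
                l2[iid].broadcast_underlay = m.group(1)
        elif m := re.match(r"database-mapping (\d+\.\d+\.\d+\.\d+/\d+)", line):
            l3.setdefault(iid, set()).add(m.group(1))
    return l2, l3


def check_flooding(edge_cfg: str, border_cfg: str) -> List[str]:
    """Return findings; an empty list means both ends can flood to each other."""
    e_l2, e_l3 = parse_lisp(edge_cfg)
    b_l2, b_l3 = parse_lisp(border_cfg)
    findings: List[str] = []
    for iid, e in e_l2.items():
        b = b_l2.get(iid)
        if b is None:
            findings.append(f"IID {iid}: L2 instance missing on L2 border")
        elif not (e.broadcast_underlay and b.broadcast_underlay):
            findings.append(f"IID {iid}: broadcast-underlay not set on both ends")
        elif e.broadcast_underlay != b.broadcast_underlay:
            findings.append(f"IID {iid}: group mismatch {e.broadcast_underlay} vs {b.broadcast_underlay}")
        # VLAN IDs may differ (1022 vs 30): the L2 border maps the legacy VLAN onto the fabric VNI.
    for iid, prefixes in e_l3.items():
        if b_l3.get(iid) != prefixes:
            findings.append(f"IID {iid}: dynamic-eid prefixes differ between devices")
    return findings
```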
Multicast Outputs – Default State
TACAMO#sh ip pim rp
Group: 239.0.0.2, RP: 192.168.100.1, uptime 5d21h, expires never

VAMPIRE-1#sh ip pim rp
Group: 239.0.0.2, RP: 192.168.100.1, uptime 5d21h, expires never

VAMPIRE-1#mr 239.0.0.2
(*, 239.0.0.2), 5d21h/stopped, RP 192.168.100.1, flags: SJC
Incoming interface: TenGigabitEthernet1/1/1, RPF nbr 192.168.2.62
Outgoing interface list:
Tunnel0, Forward/Sparse-Dense, 5d21h/00:01:53

PROWLER#mr 239.0.0.2
(*, 239.0.0.2), 5d19h/00:03:17, RP 192.168.100.1, flags: S
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
TenGigabitEthernet1/0/8, Forward/Sparse, 5d19h/00:03:17
Multicast Outputs – Broadcast traffic ON - Source
VAMPIRE-1#mr 239.0.0.2
(*, 239.0.0.2), 5d21h/stopped, RP 192.168.100.1, flags: SJCF
Incoming interface: TenGigabitEthernet1/1/1, RPF nbr 192.168.2.62
Outgoing interface list:
Tunnel0, Forward/Sparse-Dense, 5d21h/00:02:02

(192.168.1.7, 239.0.0.2), 00:00:12/00:03:17, flags: FT
Incoming interface: Null0, RPF nbr 0.0.0.0
Outgoing interface list:
TenGigabitEthernet1/1/1, Forward/Sparse, 00:00:12/00:03:17
TenGigabitEthernet1/1/2, Forward/Sparse, 00:00:12/00:03:17
Multicast Outputs – Broadcast traffic ON - RP

INTRUDER#mr 239.0.0.2
(*, 239.0.0.2), 5d22h/00:03:20, RP 192.168.100.1, flags: S
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
TenGigabitEthernet1/0/6, Forward/Sparse, 5d22h/00:03:20

(192.168.1.7, 239.0.0.2), 02:40:03/00:03:23, flags: TA


Incoming interface: TenGigabitEthernet1/0/8, RPF nbr 192.168.2.37
Outgoing interface list:
TenGigabitEthernet1/0/6, Forward/Sparse, 02:40:03/00:03:20
Multicast Outputs – Broadcast traffic ON - Rcvr
TACAMO#mr 239.0.0.2
(*, 239.0.0.2), 5d21h/stopped, RP 192.168.100.1, flags: SJC
Incoming interface: TenGigabitEthernet1/0/2, RPF nbr 192.168.2.82
Outgoing interface list:
Tunnel0, Forward/Sparse-Dense, 5d21h/00:01:50

(192.168.1.7, 239.0.0.2), 00:00:23/00:02:36, flags: JT
Incoming interface: TenGigabitEthernet1/0/2, RPF nbr 192.168.2.82
Outgoing interface list:
Tunnel0, Forward/Sparse-Dense, 00:00:23/00:02:36
L2 Flooding at L2 Border
• Flooding of ARP Request, Link-Local Multicast, and Broadcast between subnets in fabric and legacy
• BPDUs are not forwarded between fabric edges and L2 border
• Wake-on-LAN should work if server connected locally to fabric edge.
• If Fabric Border doubles up as L2 Border, then Loopback with anycast gateway is replaced with the VLAN interface of the legacy world.
Cisco SD-Access Migration: Routed Access with existing subnets, existing switches
Routed Access Design Considerations

Routed Access Migration to Cisco SD-Access
Diagram: External Network; C and B nodes; 10.1.1.0/24 on VLAN 1021, 10.1.2.0/24 on VLAN 20

Routed Access Migration to Cisco SD-Access
Diagram: External Network; C and B nodes at two locations; 10.1.1.0/24 on VLAN 1021, 10.1.2.0/24 on VLAN 1022
Migrating Wireless into Cisco SD-Access

Cisco SD-Access Wireless Adoption
• Greenfield Building
Diagram: Cisco DNAC, ISE / AD, Internet; Fabric Guest node (FB), WLC, B and C nodes; Fabric APs with SSIDs Blizzard and Guest; CAPWAP Control and Fabric VXLAN (Data) from the fabric building, VXLAN tunnel to the SD-Access Guest FB; endpoint groups BYOD, Contractor, Employee

Full Cisco SD-Access Wireless value
 Cisco DNA Center and NDP for Automation & Assurance
 Virtual Networks for Segmentation (ex Employee, IoT, Guest)
 ISE for SGT Access Control within VRF (ex. Contractor, BYOD, Employees)
 Subnet extension across Campus with distributed data plane
 Optimized path for Guest and no Anchor WLC
 And more…
Migrating to Cisco SD-Access Wireless from CUWN
Diagram: Datacenter with DHCP and ISE, Cisco Prime, WLC; Non Fabric buildings
Cisco SD-Access Wireless Adoption
• Migration for an existing CUWN deployment
Diagram: Non Fabric Bldg 1 and Bldg 2, WLC, C and B nodes, SD Fabric, CAPWAP
1  Migrate wired network to Fabric first
2  Add Cisco DNAC and ISE (if not present already)
3  Wireless is over the top CAPWAP
Cisco SD-Access Wireless Adoption
• Migration for an existing CUWN deployment
Diagram: Non Fabric Bldg 1 (no seamless roaming), Bldg 2 on SD Fabric with SDA WLC; C and B nodes; CAPWAP Cntrl and VXLAN (Data)
1  Add a dedicated WLC for Cisco SD-Access and configure it with same SSIDs
2  On CUWN WLC, configure the APs in the area to join the new Fabric WLC
3  Traffic now goes through the Fabric (CAPWAP Control, VXLAN)
Cisco SD-Access Wireless Adoption
• Migration for an Existing CUWN deployment
Diagram: Non Fabric Bldg 1 with WLC (no seamless roaming), Bldg 2 on SD Fabric with SDA WLC; C and B nodes; CAPWAP Cntrl and VXLAN (Data)

Recommendations
 Prime for CUWN areas, Cisco DNAC for SDA areas
 Dedicated WLC for Cisco SD-Access Wireless
 Same SSIDs on Fabric and non-Fabric
 Same RF Groups for CUWN WLC and SDA WLC
 WLCs in different Mobility Group (no seamless roaming between areas)
Proof of Concept, Production roll-out

Ways to build a PoC

Connect PoC to Production
Diagram: External Network, B nodes, Fusion Router, C node

Layer-3 Routing Protocol Normalization to IGP
Diagram: External Network; Redistribute eBGP to OSPF/EIGRP; eBGP and ISIS/OSPF at the B nodes, EIGRP/OSPF towards the C node
Key Takeaways
Agenda
• LAN Automation Overview
• Network Planning
• Underlay Network Design
• Underlay Network Provisioning
• Conclusion
LAN Automation
Software Defined Access

Session Overview and Objectives

What this session will cover:

This session introduces zero-configuration LAN Automation for enabling a new SD-Access solution. The simplified procedure builds a solid, error-free underlay network foundation from which SD-Access overlay networks can be built seamlessly.
The session is divided into four simple steps that complete the Underlay Automation step by step: Plan | Design | Discover | Provision. This LAN Automation capability accelerates building SD-Access overlay networks without the traditional network planning and implementation process.
LAN Automation Overview
What is LAN Network?
Traditional Networks
Diagram: Core, Dist and Access layers
 Traditional LAN and WLAN network infrastructure and designs
 Variable network size – Three-Tier or Collapsed models
 Traditional network designs – Multilayer or Routed Access providing reachability

What is LAN Automation
Automating Traditional Networks
Diagram: Core, Dist and Access layers
 Ease of new LAN network deployments for Campus or Branch networks
 Complete network automation to accelerate building SDA overlay networks
 Flexible software design to on-board new switch during network expansion
LAN Automation Overview
Simplified Procedure – 4 Step Process

Plan: Verify Network Design | Verify System support | Prepare IP Services
Design: Sites across geographic | Global network services | Design IP Address Pools
Discover: Discover Network devices | Physical Topology | Network Readiness
Provision: Dynamic automation | Optimized routing design | Resilient underlay settings

SDA Ready Network
LAN Automation
Step – 1 : Plan
Plan Design Discover Provision

Plan – Understanding Device Roles
Diagram: Cisco DNA Center above the Core; Seed devices below the Core; PnP Agents below the Seeds forming the LAN Automation Block

Seed Device
Intermediate system(s) between Core and new network block
Key system to discover, automate and on-board new Catalyst switches in network

PnP-Agent Device
Catalyst switch with factory-default settings and waiting at startup-wizard state
Interconnect between Seed and another PnP-Agent device in the network
Plan – LAN Automation Boundary
Diagram: Cisco DNA Center, Core, Seeds and PnP Agents in three designs – 2 Tier Collapsed Core Design, 3 Tier Campus Design, Extended Campus Design; legend: Layer 3, Layer 2, LAN Automation Boundary

Underlay Automation Boundary
Maximum Automation boundary limited to 2 hop count from Seed Device
Supporting common hierarchical and structured Enterprise network designs
Plan – Network Support
Diagram: 2 Tier – Collapsed Core Design and 3 Tier – Campus Design (Core, Dist, Access); Seeds and PnP Agents; legend: Layer 3, Layer 2, LAN Automation Boundary

Underlay Network Discovery
Dynamic and on-demand network discovery process
Seed system programmed to on-board new Catalyst switches with zero configurations

Flexible Discovery Support
Flexible Multi-tier network topologies support – Two or Three-Tier Designs
Day-2 LAN Automation support for new systems in P2P topologies
Plan – Catalyst Switch Role Support
Diagram: 2 Tier – Collapsed Core Design and 3 Tier – Campus Design (Core, Dist, Access); Seeds and PnP Agents

2 Tier – Collapsed Core Design (Layer, Role, Supported Switch)
Distribution (Seed): Catalyst 9500 | 9400 | 3850 | 6800
Access (PnP Agent): Catalyst 9400 | 9300 | 4500E | 3850 | 3650

3 Tier – Campus Design (Layer, Role, Supported Switch)
Core (Seed): Catalyst 9500 | 9400 | 3850 | 6800
Distribution (PnP Agent): Catalyst 9000 | 4500E | 3850 | 3650
Access (PnP Agent): Catalyst 9400 | 9300 | 4500E | 3850 | 3650

Release Notes
https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/software-defined-access/guide-c07-739242.html
Plan – IP Address Plan
Diagram: Cisco DNA Center, Core, Seed-1 and Seed-2, PnP Agents; 10.128.0.0/16 IS-IS Routing Domain

S1(config)# interface Loopback 0
S1(config-if)# ip address <ip> <mask>
!
S2(config)# interface Loopback 0
S2(config-if)# ip address <ip> <mask>
!

IP Address Plan
Plan and identify Network Address range for LAN Automation network
Manually configure IP subnet on inter-seed switch interfaces from Underlay network address range if there is interconnection

Interface Address Plan
Leverage existing Loopback interface or create new if required
Loopback IP could be outside of domain Network address range, but must be reachable to DNA-C
Seed devices must not use LAN Automation address pool
Plan – Seed Switch IP Routing Configurations
Diagram: Cisco DNA Center, Core running OSPF or EIGRP, Seed-1 and Seed-2, PnP Agents; 10.128.0.0/16 IS-IS Routing Domain

Core running OSPF:
S1(config)# router isis
S1(config-router)# redistribute ospf <id> metric <count>
!
S1(config)# router ospf <id>
S1(config-router)# redistribute connected route-map <name>
S1(config-router)# summary-address 10.128.0.0 255.255.0.0

S2(config)# router isis
S2(config-router)# redistribute ospf <id> metric <count>
!
S2(config)# router ospf <id>
S2(config-router)# redistribute connected route-map <name>
S2(config-router)# summary-address 10.128.0.0 255.255.0.0

Core running EIGRP:
S1(config)# router isis
S1(config-router)# redistribute eigrp <id> metric <count>
!
S1(config)# interface <id>
S1(config-if)# description CONNECTED TO CORE
S1(config-if)# ip summary-address eigrp <AS> 10.128.0.0 255.255.0.0

S2(config)# router isis
S2(config-router)# redistribute eigrp <id> metric <count>
!
S2(config)# interface <id>
S2(config-if)# description CONNECTED TO CORE
S2(config-if)# ip summary-address eigrp <AS> 10.128.0.0 255.255.0.0

Automated IS-IS Routing Configuration
Optional if IS-IS routing protocol in Core
Automates IS-IS routing process configurations on Seed and each PnP-Agent systems. No manual configuration required.
Programs default-route injection on selected Seed Device for global network reachability

Manual IP Routing Configuration
Manually create IS-IS* routing instance without area tag and mutually redistribute between any routing domains – OSPF | EIGRP | BGP etc. No additional IS-IS routing configurations required.
Summarize LAN Pool Network range to Core
* = DNA-C 1.2 Pre-Releases
Plan – DNA-C IP Routing Configurations

Single-Home (Cisco DNA Center connected to the Core via Eth-0)
Eth-0 Management Interface :
IP Address : <IP_Address>
Netmask : <Mask>
Gateway : <Default_Gateway>

Multi-Home (Cisco DNA Center connected to the Core via Eth-0 and Eth-1)
Eth-0 Management Interface :
IP Address : <IP_Address_1>
Netmask : <Mask>
Gateway : <Default_Gateway>
Eth-1 Interface :
IP Address : <IP_Address_2>
Netmask : <Mask>
Gateway : <Skip>
Static Route : <LAN_Automation-Net>/<mask>/GW

Diagram: Core, Seeds, PnP Agents; 10.128.0.0/16 IS-IS Routing Domain

DNA-C IP Routing Configuration
DNA-C must have end-to-end IP reachability
In Single-Home design the DNA-C performs host function with Default Gateway providing IP routing.
In Multi-Home design, the DNA-C must have static route to LAN Automation network(s) via secondary interface.
Plan – Endpoint Connections
Diagram: Cisco DNA Center, Core, Seeds, PnP Agents; 10.128.0.0/16 IS-IS Routing Domain. Endpoints connected before LAN Automation: Not Recommended. Endpoints connected after LAN Automation: Recommended.

Endpoint Integration
The PnP Agent may contend for DHCP address with attached Endpoints
LAN automation process may fail if the LAN Pool is consumed by the Endpoints connected to PnP Agents
Recommended to connect Endpoints post successful LAN Automation procedure
Plan – Seed Switch Feature Validation

✅ Verify no conflicting Spanning-Tree CLI is present, i.e. "spanning-tree portfast default"
✅ Verify Seed devices do not have any network address belonging to LAN Automation IP Pool
✅ Pre-configure IS-IS routing without Area Tag. Mutual route-redistribution. No additional IS-IS routing configuration implemented.
✅ Verify SSH configuration on Seed devices is present for terminal access. Telnet is unsupported
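The address-plan items in this checklist and in the earlier Plan slides can be verified before discovery starts. The Python below is an added example, not DNA Center logic; the pool, summary, seed addresses and DNA-C routes are constructed sample values, with 10.128.0.0/16 taken from the slides as the range the seeds summarize towards the core.

```python
"""Pre-flight checks for a LAN Automation IP plan.
Added example, not Cisco DNA Center logic. It encodes the rules the Plan
slides state: LAN pool mask between /8 and /24, no Seed address inside the
LAN Automation pool, the LAN pool covered by the summary the Seeds send to
the core, and a DNA-C route that reaches the pool."""
import ipaddress
from typing import Dict, Iterable, List

IPv4Net = ipaddress.IPv4Network

# Constructed sample plan (all values hypothetical): the /16 is the IS-IS
# routing domain from the slides, the LAN pool is carved out of it, seed
# loopbacks sit outside it, and the inter-seed link uses underlay space
# that is inside the summary but outside the LAN pool.
SUMMARY = "10.128.0.0/16"
LAN_POOL = "10.128.0.0/20"
SEED_ADDRESSES: Dict[str, List[str]] = {
    "Seed-1": ["10.127.0.1/32", "10.128.255.1/30"],
    "Seed-2": ["10.127.0.2/32", "10.128.255.2/30"],
}
DNAC_ROUTES = ["10.128.0.0/16"]   # multi-homed DNA-C static route via Eth-1


def check_lan_pool_mask(pool: IPv4Net) -> List[str]:
    """Slides: Supported Netmask Range 8 - 24."""
    if not 8 <= pool.prefixlen <= 24:
        return [f"LAN pool {pool}: mask /{pool.prefixlen} is outside /8-/24"]
    return []


def check_seed_addresses(pool: IPv4Net, seeds: Dict[str, Iterable[str]]) -> List[str]:
    """Slides: Seed devices must not use LAN Automation address pool."""
    findings = []
    for name, addrs in seeds.items():
        for addr in addrs:
            if ipaddress.ip_interface(addr).ip in pool:
                findings.append(f"{name}: {addr} falls inside LAN pool {pool}")
    return findings


def check_summary_covers_pool(pool: IPv4Net, summary: IPv4Net) -> List[str]:
    """Slides: Summarize LAN Pool Network range to Core (summary-address)."""
    if not pool.subnet_of(summary):
        return [f"summary {summary} does not cover LAN pool {pool}"]
    return []


def check_dnac_reachability(pool: IPv4Net, routes: Iterable[str]) -> List[str]:
    """Slides: DNA-C must have end-to-end IP reachability to the LAN pool
    (default gateway when single-homed, static route when multi-homed)."""
    if any(pool.subnet_of(ipaddress.ip_network(r)) for r in routes):
        return []
    return [f"DNA-C has no route covering LAN pool {pool}"]


def validate_plan(pool: str, summary: str, seeds: Dict[str, Iterable[str]],
                  dnac_routes: Iterable[str]) -> List[str]:
    """Run every check; an empty list means the plan passes."""
    p, s = ipaddress.ip_network(pool), ipaddress.ip_network(summary)
    return (check_lan_pool_mask(p) + check_seed_addresses(p, seeds)
            + check_summary_covers_pool(p, s) + check_dnac_reachability(p, dnac_routes))
```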
LAN Automation
Step – 2 : Design
Plan Design Discover Provision

Design – Overview

#CLUS BRKCRS-2816 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 207

Design – Configure Global Network Services
1 Add and Configure Server Address
2 Save Configuration

Network Services Configurations
Add all required network services
Multiple servers can be added for load sharing and redundancy

Configuration Compliance
Provision step configures systems
Updates can be re-provisioned for Day-2 operation
Design – Configure Global Device Credentials
1 Configure and Select Credentials
2 Configure and Select SNMP
3 Save Configuration

CLI Credential Configurations
Common login credentials for all devices under selected hierarchy
Multiple local login accounts can be created and automated

SNMP Credentials
Automate SNMP community configuration. Multiple SNMP community possible. Only one active
Design – Configure Global Network Range
1 Assign unique IP Pool
2 Network Range for specific Area
3 Classful Network Mask
4 Gateway IP Address
5 Save to create new entry

Global Network Range
Structured Enterprise IP network design
Planned and divided regionally for optimal network communications

Global IP Pool
IP address repository for multi-function distribution purpose to Area, Site etc.
Reserve IP Pool from Area to automate network intent for various operations
Design – Configure LAN Pool at Site
1 Assign unique LAN Pool Name
2 Select LAN from menu
3 Select Area Network Range
4 Assign LAN Pool Address and Mask
5 Reserve to create new entry

Reserve LAN IP Pool
Configure Pool Name and Type = LAN
One Fabric Domain = One LAN Pool
Select Parent Pool to reserve Network Address Range

LAN IP Assignments
Supported Netmask Range – 8 – 24
Dynamic IP address assignment from the LAN pool
Add more as the network grows
Design – Configuration Summary

Step-1 Build Network Hierarchy based on geographic locations
Step-2 Configure Network Services – Global | Area | Site level
Step-3 Configure Network Address Range – Global | Area | Site level
Step-4 Configure LAN IP Pool from Parent – Global | Area | Site level
LAN Automation
Step – 3 : Discovery
Plan Design Discover Provision

Discovery – Overview
Diagram: Cisco DNA Center, Core; 2 Tier – Collapsed Core Design and 3 Tier – Campus Design (Core, Dist, Access); Seeds and PnP Agents; legend: Layer 3, Layer 2, LAN Automation Boundary

Underlay Network Discovery
Dynamic and on-demand network discovery process
Seed system programmed to on-board new Catalyst switches with zeroconf

Flexible Discovery Support
Flexible network topologies with Dual or Single Seed system
Day-2 LAN Automation support for new systems
Discovery – Seed System Discovery
1 Assign Discovery Profile Name
2 Assign Seed System IP Range (Seed-1-Loopback IP, Seed-2-Loopback IP)
3 Retain Global Settings unless unique
4 Start Discovery

Seed System Discovery
Initial automation step to add Seed system in DNA-C inventory
Assign Seed system Loopback IP range to initiate SNMP-based discovery
Discovery – Seed System Discovery
1 Verify successful discovery

Discovery – Seed System Inventory

Seed System Discovery
Seed device automatically added in Inventory.
Discovers system information
Prepares for Underlay network infrastructure discovery and automation
Discovery – Configuration Summary

Step-1 Build Discovery Profile
Step-2 Assign Primary and Secondary Seed System IP address to discover
Step-3 Retain remaining parameters unless unique value


LAN Automation
Step – 4 : Provision
Plan Design Discover Provision

Provision – LAN Automation

LAN Automation Provision
DNA-C Provision supports Underlay and Overlay network automation
All systems under Seed are dynamically discovered and programmed using PnP function
Provision – Add Seed Systems to Site
1 Add Seed system to Site
2 Update Software if needed

LAN Automation Provision
After successful Step-2 discovery the Seed systems are automatically added in Provision table
Add Seed systems to a Building of a Site where deployed for logical grouping

Upgrade Software Automation
Auto-Upgrade PnP-Agent switch with "Golden Tag" if mismatch
Manual upgrade Cisco IOS software on Seed device(s) if new version required
Optional step to proceed further on LAN
Provision – Device Inventory Views
1 Select LAN Automation

LAN Automation Provision
Seed devices must be successfully discovered and reached "Managed" state.
Site assignment to Seed devices helps inherited to common location
Single LAN Automation Instance supported
Provision – Start LAN Automation
1 Select Seed Device Site
2 Select Seed Devices
3 Select Downstream Ports
4 Select PnP Device Location
5 Select LAN Pool
6 Configure ISIS Password
7 Hostname Settings
8 Start LAN Automation

LAN Automation Provision
Seed and PnP-Agent discovered can be in common or different Site/Area
Layer 2 Ports used for discovery and automation. Layer 3 interface remains intact
Custom automation parameters support
See Notes for more details
Provision – Start LAN Automation

LAN Automation CSV Template
! PnP-Agent – Standalone Mode
<hostname>,<serial number>
Example :
9500-Core-1, ABCD1111
9400-Dist-1, ABCD1112
9300-Access-1, ABCD1113

! PnP-Agent – StackWise-480 Mode
<hostname>,<SW1-serial number>,<SW2-serial number>…
Example :
9300-Access-2, ABCD2221, ABCD2222

LAN Automation Hostname Provision
Simple CSV file to automate Hostname
Map Hostname with Serial Number of PnP-Agent switches
Standalone and StackWise-480 support
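A validator for the CSV template above, added here as an example (not DNA Center's own parser). The hostname and serial syntax rules it enforces are assumptions stated in the code, and the sample rows are the slide's own placeholders.

```python
"""Validator for the LAN Automation hostname CSV shown above.
Added example, not Cisco DNA Center's parser. One row per PnP-Agent:
<hostname>,<serial> for a standalone switch or <hostname>,<serial1>,<serial2>,...
for a StackWise-480 stack; lines starting with '!' are comments."""
import csv
import io
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the template's shape (serials are the slide's placeholders).
SAMPLE_CSV = """\
! PnP-Agent - Standalone Mode
9500-Core-1, ABCD1111
9400-Dist-1, ABCD1112
9300-Access-1, ABCD1113
! PnP-Agent - StackWise-480 Mode
9300-Access-2, ABCD2221, ABCD2222
"""

# Assumptions, not rules from the slides: hostnames follow RFC 1123 label
# syntax (letters, digits, hyphens, no leading/trailing hyphen, <= 63 chars);
# serials are upper-case alphanumerics of 8 to 11 characters so the template's
# 8-character placeholders and real 11-character Cisco serials both pass.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
SERIAL_RE = re.compile(r"^[A-Z0-9]{8,11}$")


@dataclass
class PnpEntry:
    hostname: str
    serials: List[str]

    @property
    def stacked(self) -> bool:
        return len(self.serials) > 1   # StackWise-480: one serial per member


def parse_hostname_csv(text: str) -> Tuple[List[PnpEntry], List[str]]:
    """Return (entries, errors). Duplicate hostnames or serials are treated as
    errors here, since a serial identifies exactly one PnP-Agent switch."""
    entries: List[PnpEntry] = []
    errors: List[str] = []
    seen_hosts, seen_serials = set(), set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        fields = [f.strip() for f in row]
        if not fields or not fields[0] or fields[0].startswith("!"):
            continue                                    # blank or comment line
        hostname, serials = fields[0], [s for s in fields[1:] if s]
        if not HOSTNAME_RE.match(hostname):
            errors.append(f"line {lineno}: invalid hostname {hostname!r}")
        if hostname.lower() in seen_hosts:
            errors.append(f"line {lineno}: duplicate hostname {hostname}")
        seen_hosts.add(hostname.lower())
        if not serials:
            errors.append(f"line {lineno}: no serial number for {hostname}")
        for serial in serials:
            if not SERIAL_RE.match(serial):
                errors.append(f"line {lineno}: invalid serial {serial!r}")
            elif serial in seen_serials:
                errors.append(f"line {lineno}: duplicate serial {serial}")
            seen_serials.add(serial)
        entries.append(PnpEntry(hostname, serials))
    return entries, errors
```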
Provision – Stop LAN Automation
1 Check Discovery Status
2 Stop LAN Automation

Stop Automation Process
All discovered and automated Switches must reach to Completed status. Process time may vary on network size
Stop the automation. This action completes process and transitions all switches to final state
See Notes for more details
Provision – Global Network Services

Global Service Provision
Provision all Global or Area configured services to newly discovered switches
The services configuration is supported over non-Mgmt Core network infrastructure
Provision – Define System Roles

Adjust System Role
Administrator can adjust default System role as needed
Helps building hierarchical network topology
No network automation performed for role assignment
Provision – Configuration Summary

Step-1 Add Seed systems to Site
Step-2 Start Underlay Network discovery and automation
Step-3 Stop Underlay Network discovery and automation
Step-4 Provision Global Network services
Step-5 Designate System role to build structure network topology


Provision – Network Expansion
Diagram: Cisco DNA Center, Core, Seeds, PnP Agents; Access Network Expansion and Distribution Network Expansion

Access Network Expansion
Automate from Parent Seed device as Access network expands.
Transparent process with existing switches sharing same or different LAN Pool

Distribution Network Expansion
Automate new network block from Parent Seed device. Reuse or create new LAN Pool.
Use Distribution as Seed if Access expands
Un-Provisioning Network Devices

Cisco DNA Center
Remove Device from Fabric
Remove Device from Network PnP App
Remove Device from Inventory

Network Device
Remove PnP Profile and Certificates
Remove System Configurations
Erase Startup Configurations
Reload System
See Notes for more details
Conclusion

✅ Accelerate SD-Access deployment with Zero configuration LAN Automation
✅ Underlay networks are optimized, resilient with integrated Cisco Best Practices
✅ Four simplified steps to rapidly automate large network infrastructure
✅ Automate Global or Area local system and network services for consistency
✅ Flexible Automated solution for Day-0 or Day-2 network deployments
SD-Access Resources
Would you like to know more?

cisco.com/go/dna
cisco.com/go/sdaccess
cisco.com/go/dnacenter
cisco.com/go/cvd

• SD-Access At-A-Glance
• SD-Access Ordering Guide
• SD-Access Solution Data Sheet
• SD-Access Solution White Paper
• SD-Access Design Guide
• SD-Access Deployment Guide
• SD-Access Segmentation Guide
• DNA Center At-A-Glance
• DNA ROI Calculator
• DNA Center Data Sheet
• DNA Center 'How To' Video Resources